[FROG] Configuring OSPF routing with not propagating docker routes

Acee Lindem acee.lindem at gmail.com
Wed May 22 11:25:41 UTC 2024 

Hi Taavi, 

I’m not sure what you are asking. If you want to form OSPF adjacencies on a network. the connecting interface cannot 
be passive as this solely advertises interface prefix in the Router-LSA - OSPF isn’t active on the interface. 
You can override the “default passive-interface” on an individual interface with the “no ip ospf passive” 
command on that interface. 

For example: 

interface r3-eth0
 ip address 10.1.5.3/24
 ip ospf dead-interval 30
 ip ospf hello-interval 1
 no ip ospf passive
exit
!
interface r3-eth1
 ip address 10.1.6.3/24
 ip ospf dead-interval 30
 ip ospf hello-interval 1
 no ip ospf passive
exit
!
interface r1-eth0
 no ip ospf passive
exit
!
router ospf
 ospf router-id 3.3.3.3
 passive-interface default
 network 10.1.5.0/24 area 0
 network 10.1.6.0/24 area 1
 distance 20
exit

r3# show ip ospf neighbor

Neighbor ID     Pri State           Up Time         Dead Time Address         Interface                        RXmtL RqstL DBsmL
2.2.2.2           1 Full/Backup     3m34s             29.414s 10.1.5.2        r3-eth0:10.1.5.3                     0     0     0
2.2.2.2           1 Full/Backup     3m26s             29.414s 10.1.6.2        r3-eth1:10.1.6.3                     0     0     0


Hope this helps,
Acee


> On May 22, 2024, at 04:18, Taavi Ansper via frog <frog at lists.frrouting.org> wrote:
> 
> 
> From: Taavi Ansper <taavi.ansper at cyber.ee>
> Subject: Configuring OSPF routing with not propagating docker routes
> Date: May 22, 2024 at 04:18:15 EDT
> To: frog at lists.frrouting.org
> 
> 
> Hi
> 
> (I also posted in the slack channel, sorry for cross-posting, don't know which one would be more active...)
> 
> I am having a problem, where I have a core network, where I have a bunch of servers, but this network has two gateways, one for outbound connections on the same site and the second for an ipsec tunnel to another site, so if the local connection fails, it will route through the ipsec tunnel via the remote site.I have a problem with docker networks in this routing. As some of the hosts propagate these routes to other hosts and so If there is communication between a docker container and the host networking it tries to route through the network. This is the |frr.conf| file that is injected to the hosts. The RIP is legacy conf, as we moved from RIP to OSPF. As you can see we only have a single area, as we have a router on a stick topology, so we don't really need many areas. Currently the gitlab-test host cannot connect to the ospf network, because of the |passive-interface default| option, if I remove it, then it connects to the ospf area and now the docker routing also comes from other hosts.
> 
> # Ansible managed # default to using syslog. /etc/rsyslog.d/45-frr.conf places the log in # /var/log/frr/frr.log # # Note: # FRR's configuration shell, vtysh, dynamically edits the live, in-memory # configuration while FRR is running. When instructed, vtysh will persist the # live configuration to this file, overwriting its contents. If you want to # avoid this, you can edit this file manually before starting FRR, or instruct # vtysh to write configuration to a different file. log syslog informational hostname gitlab-test password REDACTED enable password REDACTED # Router RIP configuration router rip distance 66 network 0.0.0.0/0 passive-interface default ! # Router OSPF configuration router ospf network 0.0.0.0/0 area 0.0.0.0 passive-interface default ospf router-id 10.0.8.43 ! # Network where this configuration is used. network enX0 ! # Interface options for interface found by ansible. interface enX0 ip ospf authentication message-digest ip ospf message-digest-key 1 md5 REDACTED ip ospf priority 0 !
> 
> 
> Can the host actually join the OSPF area if the passive-interface default is enabled?
> 
> For example these routings are present that I do not want if I remove the passive-interface default and restart the frr.service:
> 
> O 172.17.0.0/16 [110/10] is directly connected, docker0, weight 1, 00:01:06 O 172.18.0.0/16 [110/10] is directly connected, br-236817c46761, weight 1, 00:01:06 O>* 172.18.0.0/24 [110/20] via 192.168.2.25, enX0, weight 1, 00:00:46 O>* 172.19.0.0/16 [110/20] via 192.168.2.17, enX0, weight 1, 00:00:46 * via 192.168.2.44, enX0, weight 1, 00:00:46 Best regards
> 
> -- 
> ----
> Taavi Ansper
> taavi.ansper at cyber.ee
> 
> 
> 
> 
> _______________________________________________
> frog mailing list
> frog at lists.frrouting.org
> https://lists.frrouting.org/listinfo/frog

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.frrouting.org/pipermail/frog/attachments/20240522/953aaa4b/attachment.htm>

More information about the frog mailing list