[FROG] Configuring OSPF routing with not propagating docker routes
Taavi Ansper
taavi.ansper at cyber.ee
Wed May 22 11:40:59 UTC 2024
Hi
Thanks for the answer.
# Router OSPF configuration
router ospf
network 0.0.0.0/0 area 0.0.0.0
area 0.0.0.0 range 172.16.0.0/12 not-advertise
distribute-list docker-filter out
passive-interface default
ospf router-id A.B.C.D
!
# Network where this configuration is used.
network enX0
!
# Interface options for interface found by ansible.
interface enX0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 REDACTED
ip ospf priority 0
no ip ospf passive
!
# Access List options.
access-list docker-filter deny 172.16.0.0/12
I have the following options set, but it still seems to propagate the
docker routings... I will try it again later on all the faulty hosts.
----
Taavi Ansper
taavi.ansper at cyber.ee
On 22.05.24 14:25, Acee Lindem wrote:
> Hi Taavi,
>
> I’m not sure what you are asking. If you want to form OSPF adjacencies
> on a network, the connecting interface cannot
> be passive as this solely advertises interface prefix in the
> Router-LSA - OSPF isn’t active on the interface.
> You can override the “default passive-interface” on an individual
> interface with the “no ip ospf passive”
> command on that interface.
>
> For example:
>
> interface r3-eth0
> ip address 10.1.5.3/24
> ip ospf dead-interval 30
> ip ospf hello-interval 1
> no ip ospf passive
> exit
> !
> interface r3-eth1
> ip address 10.1.6.3/24
> ip ospf dead-interval 30
> ip ospf hello-interval 1
> no ip ospf passive
> exit
> !
> interface r1-eth0
> no ip ospf passive
> exit
> !
> router ospf
> ospf router-id 3.3.3.3
> passive-interface default
> network 10.1.5.0/24 area 0
> network 10.1.6.0/24 area 1
> distance 20
> exit
>
> r3# show ip ospf neighbor
>
> Neighbor ID     Pri State           Up Time         Dead Time Address         Interface                        RXmtL RqstL DBsmL
> 2.2.2.2           1 Full/Backup     3m34s             29.414s 10.1.5.2        r3-eth0:10.1.5.3                     0     0     0
> 2.2.2.2           1 Full/Backup     3m26s             29.414s 10.1.6.2        r3-eth1:10.1.6.3                     0     0     0
>
>
> Hope this helps,
> Acee
>
>
>> On May 22, 2024, at 04:18, Taavi Ansper via frog
>> <frog at lists.frrouting.org> wrote:
>>
>>
>> *From: *Taavi Ansper <taavi.ansper at cyber.ee>
>> *Subject: **Configuring OSPF routing with not propagating docker routes*
>> *Date: *May 22, 2024 at 04:18:15 EDT
>> *To: *frog at lists.frrouting.org
>>
>>
>> Hi
>>
>> (I also posted in the slack channel, sorry for cross-posting, don't
>> know which one would be more active...)
>>
>> I am having a problem, where I have a core network, where I have a
>> bunch of servers, but this network has two gateways, one for outbound
>> connections on the same site and the second for an ipsec tunnel to
>> another site, so if the local connection fails, it will route through
>> the ipsec tunnel via the remote site. I have a problem with docker
>> networks in this routing. As some of the hosts propagate these routes
>> to other hosts and so if there is communication between a docker
>> container and the host networking it tries to route through the
>> network. This is the |frr.conf| file that is injected to the hosts.
>> The RIP is legacy conf, as we moved from RIP to OSPF. As you can see
>> we only have a single area, as we have a router on a stick topology,
>> so we don't really need many areas. Currently the gitlab-test host
>> cannot connect to the ospf network, because of the |passive-interface
>> default| option, if I remove it, then it connects to the ospf area
>> and now the docker routing also comes from other hosts.
>>
>> # Ansible managed
>> # default to using syslog. /etc/rsyslog.d/45-frr.conf places the log in
>> # /var/log/frr/frr.log
>> #
>> # Note:
>> # FRR's configuration shell, vtysh, dynamically edits the live, in-memory
>> # configuration while FRR is running. When instructed, vtysh will persist the
>> # live configuration to this file, overwriting its contents. If you want to
>> # avoid this, you can edit this file manually before starting FRR, or instruct
>> # vtysh to write configuration to a different file.
>> log syslog informational
>> hostname gitlab-test
>> password REDACTED
>> enable password REDACTED
>> # Router RIP configuration
>> router rip
>> distance 66
>> network 0.0.0.0/0
>> passive-interface default
>> !
>> # Router OSPF configuration
>> router ospf
>> network 0.0.0.0/0 area 0.0.0.0
>> passive-interface default
>> ospf router-id 10.0.8.43
>> !
>> # Network where this configuration is used.
>> network enX0
>> !
>> # Interface options for interface found by ansible.
>> interface enX0
>> ip ospf authentication message-digest
>> ip ospf message-digest-key 1 md5 REDACTED
>> ip ospf priority 0
>> !
>>
>>
>> Can the host actually join the OSPF area if the passive-interface
>> default is enabled?
>>
>> For example these routings are present that I do not want if I remove
>> the passive-interface default and restart the frr.service:
>>
>> O   172.17.0.0/16 [110/10] is directly connected, docker0, weight 1, 00:01:06
>> O   172.18.0.0/16 [110/10] is directly connected, br-236817c46761, weight 1, 00:01:06
>> O>* 172.18.0.0/24 [110/20] via 192.168.2.25, enX0, weight 1, 00:00:46
>> O>* 172.19.0.0/16 [110/20] via 192.168.2.17, enX0, weight 1, 00:00:46
>>   *                       via 192.168.2.44, enX0, weight 1, 00:00:46
>>
>> Best regards
>>
>> --
>> ----
>> Taavi Ansper
>> taavi.ansper at cyber.ee
>>
>
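Added example (not part of the thread and not FRR code): a Python check that applies ospfd's documented `network` matching rule, where an interface is OSPF-enabled when its connected prefix falls inside the statement's prefix, to show why `network 0.0.0.0/0` pulls `docker0` and the bridge into the Router-LSA even when they are passive, and why a narrowed statement does not. The interface addresses and the 192.168.2.0/24 core prefix are assumptions made for illustration; only the interface names and Docker prefixes come from the route output above.

```python
import ipaddress

DOCKER_RANGE = ipaddress.ip_network("172.16.0.0/12")  # range the thread tries to filter

def ospf_network_statements(conf: str):
    """Prefixes of `network <prefix> area <id>` lines inside the `router ospf` block."""
    prefixes, in_ospf = [], False
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "router ospf":
            in_ospf = True
        elif line in ("!", "exit") or line.startswith(("router ", "interface ")):
            in_ospf = False
        elif in_ospf and line.startswith("network ") and " area " in line:
            prefixes.append(ipaddress.ip_network(line.split()[1]))
    return prefixes

def ospf_enabled(conf: str, interfaces: dict):
    """Interfaces whose connected prefix lies inside any `network` statement."""
    nets = ospf_network_statements(conf)
    return sorted(name for name, addr in interfaces.items()
                  if any(ipaddress.ip_interface(addr).network.subnet_of(n) for n in nets))

def leaked_docker_interfaces(conf: str, interfaces: dict):
    """OSPF-enabled interfaces addressed from 172.16.0.0/12 (advertised even if passive)."""
    return [name for name in ospf_enabled(conf, interfaces)
            if ipaddress.ip_interface(interfaces[name]).network.subnet_of(DOCKER_RANGE)]

# Constructed sample: the addresses are assumptions, the names follow the thread.
INTERFACES = {"enX0": "192.168.2.43/24", "docker0": "172.17.0.1/16",
              "br-236817c46761": "172.18.0.1/16"}
POSTED = """router ospf
 network 0.0.0.0/0 area 0.0.0.0
 passive-interface default
!
interface enX0
 no ip ospf passive
!"""
# Same config with the catch-all replaced by the assumed core prefix.
NARROWED = POSTED.replace("0.0.0.0/0 area", "192.168.2.0/24 area")

if __name__ == "__main__":
    print("posted  :", leaked_docker_interfaces(POSTED, INTERFACES))
    print("narrowed:", leaked_docker_interfaces(NARROWED, INTERFACES))
```
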