Re: ospfd.conf question

2005-10-17 Thread Claudio Jeker
On Mon, Oct 17, 2005 at 09:39:01AM -0400, stan wrote:
> I'm trying to do something that should be simple with ospfd from a snapshot
> from last week.
> 
> I have a pair of carp's firewall/gateway boxes (3.7 machines) and they
> connect a single subnet to the corporate network. Corporate wants to move
> from rip to ospf. I've set up the following ospfd.conf file:
> 
> 
> # $OpenBSD: ospfd.conf,v 1.2 2005/02/06 20:07:09 norby Exp $
> 
> # macros
> # password="secret"
> 
> # global configuration
> router-id 170.85.113.111
> # fib-update no
> # spf-delay 1
> # spf-holdtime 5
> 
> # auth-key $password
> # auth-type none
> # hello-interval 10
> # metric 10
> # retransmit-interval 5
> # router-dead-time 40
> # router-priority 1
> # transmit-delay 1
> 
> # areas
> area 0.0.0.120 {
>   interface fxp0 {
>   auth-type none
>   }
> }
> 
> 
> fxp0 is the "external" interface. The CARP interface is fxp1, and the
> "internal" interface is fxp2. Presently I have pf off.
> 
> When I start ospfd I get the routes advertised by corporate, but they don't
> see my route.
> 
> What am I doing wrong?
> 

You're not advertising any routes with this setup. "redistribute static"
is probably what you are looking for.
Another option would be to use passive interfaces like

area 0.0.0.120 {
interface fxp0 {
auth-type none
}
interface fxp2 {
passive
}
interface carp0 {
passive
}
}

Side note: auth-type none is OK for testing but auth-type crypt should be
considered for production.

-- 
:wq Claudio



Re: ospfd.conf question

2005-10-17 Thread stan
On Mon, Oct 17, 2005 at 04:12:48PM +0159, Claudio Jeker wrote:
> On Mon, Oct 17, 2005 at 09:39:01AM -0400, stan wrote:
> > I'm trying to do something that should be simple with ospfd from a snapshot
> > from last week.
> > 
> > I have a pair of carp's firewall/gateway boxes (3.7 machines) and they
> > connect a single subnet to the corporate network. Corporate wants to move
> > from rip to ospf. I've set up the following ospfd.conf file:
> > 
> > 
> > # $OpenBSD: ospfd.conf,v 1.2 2005/02/06 20:07:09 norby Exp $
> > 
> > # macros
> > # password="secret"
> > 
> > # global configuration
> > router-id 170.85.113.111
> > # fib-update no
> > # spf-delay 1
> > # spf-holdtime 5
> > 
> > # auth-key $password
> > # auth-type none
> > # hello-interval 10
> > # metric 10
> > # retransmit-interval 5
> > # router-dead-time 40
> > # router-priority 1
> > # transmit-delay 1
> > 
> > # areas
> > area 0.0.0.120 {
> > interface fxp0 {
> > auth-type none
> > }
> > }
> > 
> > 
> > fxp0 is the "external" interface. The CARP interface is fxp1, and the
> > "internal" interface is fxp2. Presently I have pf off.
> > 
> > When I start ospfd I get the routes advertised by corporate, but they don't
> > see my route.
> > 
> > What am I doing wrong?
> > 
> 
> You're not advertising any routes with this setup. "redistribute static"
> is probably what you are looking for.
> Another option would be to use passive interfaces like
> 
> area 0.0.0.120 {
>   interface fxp0 {
>   auth-type none
>   }
>   interface fxp2 {
>   passive
>   }
>   interface carp0 {
>   passive
>   }
> }

Could you explain what passive means in this context, please?

> 
> Side note: auth-type none is OK for testing but auth-type crypt should be
> considered for production.
> 
While I agree completely, it's out of my control. This is what corporate is
using :-(

-- 
U.S. Encouraged by Vietnam Vote - Officials Cite 83% Turnout Despite Vietcong 
Terror 
- New York Times 9/3/1967



Re: ospfd.conf question

2005-10-17 Thread stan
On Mon, Oct 17, 2005 at 04:12:48PM +0159, Claudio Jeker wrote:
> On Mon, Oct 17, 2005 at 09:39:01AM -0400, stan wrote:
> > I'm trying to do something that should be simple with ospfd from a snapshot
> > from last week.
> > 
> > I have a pair of carp's firewall/gateway boxes (3.7 machines) and they
> > connect a single subnet to the corporate network. Corporate wants to move
> > from rip to ospf. I've set up the following ospfd.conf file:
> > 
> > 
> > # $OpenBSD: ospfd.conf,v 1.2 2005/02/06 20:07:09 norby Exp $
> > 
> > # macros
> > # password="secret"
> > 
> > # global configuration
> > router-id 170.85.113.111
> > # fib-update no
> > # spf-delay 1
> > # spf-holdtime 5
> > 
> > # auth-key $password
> > # auth-type none
> > # hello-interval 10
> > # metric 10
> > # retransmit-interval 5
> > # router-dead-time 40
> > # router-priority 1
> > # transmit-delay 1
> > 
> > # areas
> > area 0.0.0.120 {
> > interface fxp0 {
> > auth-type none
> > }
> > }
> > 
> > 
> > fxp0 is the "external" interface. The CARP interface is fxp1, and the
> > "internal" interface is fxp2. Presently I have pf off.
> > 
> > When I start ospfd I get the routes advertised by corporate, but they don't
> > see my route.
> > 
> > What am I doing wrong?
> > 
> 
> You're not advertising any routes with this setup. "redistribute static"
> is probably what you are looking for.
> Another option would be to use passive interfaces like
> 
> area 0.0.0.120 {
>   interface fxp0 {
>   auth-type none
>   }
>   interface fxp2 {
>   passive
>   }
>   interface carp0 {
>   passive
>   }
> }
> 

Hmm, that seems to have gotten me close. Here's the new ospfd.conf file:


# $OpenBSD: ospfd.conf,v 1.2 2005/02/06 20:07:09 norby Exp $

# macros
# password="secret"

# global configuration
router-id 170.85.113.111
# fib-update no
# spf-delay 1
# spf-holdtime 5

# auth-key $password
# auth-type none
# hello-interval 10
# metric 10
# retransmit-interval 5
# router-dead-time 40
# router-priority 1
# transmit-delay 1

# areas
area 0.0.0.120 {
interface fxp0 {
auth-type none
}
interface fxp2 {
auth-type none
passive
}
}

And when I start up the ospfd executable now I get:


Script started on Mon Oct 17 10:38:04 2005
phfw1# ospfd -d
startup
rde: new announced net 0.0.0.0/0
rde: new announced net 170.85.106.128/25
rde: new announced net 170.85.106.143/32
rde: new announced net 170.85.113.0/25
rde: new announced net 170.85.113.99/32
rde: new announced net 192.168.254.0/24
orig_rtr_lsa: area 0.0.0.120
orig_rtr_lsa: stub net, interface carp1
orig_rtr_lsa: stub net, interface carp0
if_fsm: event UP resulted in action START and changing state for interface 
carp0 from DOWN to WAITING
start_spf_timer: IDLE -> DELAY
recv_packet: invalid checksum, interface carp0
recv_packet: authentication error, interface carp0
spf_calc: calculation started, area ID 0.0.0.120
spf_calc: calculation ended, area ID 0.0.0.120
spf_start_holdtimer: DELAY -> HOLD
spf_timer: state HOLD -> IDLE
recv_packet: invalid checksum, interface carp0
recv_packet: authentication error, interface carp0
recv_packet: invalid checksum, interface carp0
recv_packet: authentication error, interface carp0
recv_packet: invalid checksum, interface carp0
recv_packet: authentication error, interface carp0
if_act_elect: interface carp0 old dr none new dr 170.85.113.99, old bdr none 
new bdr none
orig_rtr_lsa: area 0.0.0.120
orig_rtr_lsa: stub net, interface carp1
orig_rtr_lsa: stub net, interface carp0
orig_rtr_lsa: area 0.0.0.120
orig_rtr_lsa: stub net, interface carp1
orig_rtr_lsa: stub net, interface carp0
if_fsm: event WAITTIMER resulted in action ELECT and changing state for 
interface carp0 from WAITING to DR
recv_packet: invalid checksum, interface carp0
recv_packet: authentication error, interface carp0
recv_packet: invalid checksum, interface carp0
recv_packet: authentication error, interface carp0
recv_packet: invalid checksum, interface carp0
recv_packet: authentication error, interface carp0
nbr_fsm: event HELLO_RECEIVED resulted in action START_INACTIVITY_TIMER and 
changing state for neighbor ID 170.85.115.1 from DOWN to INIT
nbr_fsm: event 2_WAY_RECEIVED resulted in action EVAL and changing state for 
neighbor ID 170.85.115.1 from INIT to EXSTART
if_act_elect: interface carp0 old dr 170.85.113.99 new dr 170.85.113.98, old 
bdr none new bdr 170.85.113.99
orig_rtr_lsa: area 0.0.0.120
orig_rtr_lsa: stub net, interface carp1
orig_rtr_lsa: stub net, interface carp0
orig_rtr_lsa: area 0.0.0.120
orig_rtr_lsa: stub net, interface carp1
orig_rtr_lsa: stub net, interface carp0
if_fsm: event NEIGHBORCHANGE resulted in action ELECT and changing state for 
interface carp0 from DR to BACKUP
nbr_fsm: event NEGOTIATION_DONE resulted in action SNAPSHOT and changing state 
for neighbor ID 170.85.115.1 from EXSTART to SNAPSHOT
nbr_fsm: event SNAPSHOT_DONE resulted in action

Re: ospfd.conf question

2005-10-17 Thread Claudio Jeker
On Mon, Oct 17, 2005 at 10:35:07AM -0400, stan wrote:
> On Mon, Oct 17, 2005 at 04:12:48PM +0159, Claudio Jeker wrote:
> > On Mon, Oct 17, 2005 at 09:39:01AM -0400, stan wrote:
> > > I'm trying to do something that should be simple with ospfd from a 
> > > snapshot
> > > from last week.
> > > 
> > > I have a pair of carp's firewall/gateway boxes (3.7 machines) and they
> > > connect a single subnet to the corporate network. Corporate wants to move
> > > from rip to ospf. I've set up the following ospfd.conf file:
> > > 
> > > 
> > > # $OpenBSD: ospfd.conf,v 1.2 2005/02/06 20:07:09 norby Exp $
> > > 
> > > # macros
> > > # password="secret"
> > > 
> > > # global configuration
> > > router-id 170.85.113.111
> > > # fib-update no
> > > # spf-delay 1
> > > # spf-holdtime 5
> > > 
> > > # auth-key $password
> > > # auth-type none
> > > # hello-interval 10
> > > # metric 10
> > > # retransmit-interval 5
> > > # router-dead-time 40
> > > # router-priority 1
> > > # transmit-delay 1
> > > 
> > > # areas
> > > area 0.0.0.120 {
> > >   interface fxp0 {
> > >   auth-type none
> > >   }
> > > }
> > > 
> > > 
> > > fxp0 is the "external" interface. The CARP interface is fxp1, and the
> > > "internal" interface is fxp2. Presently I have pf off.
> > > 
> > > When I start ospfd I get the routes advertised by corporate, but they 
> > > don't
> > > see my route.
> > > 
> > > What am I doing wrong?
> > > 
> > 
> > You're not advertising any routes with this setup. "redistribute static"
> > is probably what you are looking for.
> > Another option would be to use passive interfaces like
> > 
> > area 0.0.0.120 {
> > interface fxp0 {
> > auth-type none
> > }
> > interface fxp2 {
> > passive
> > }
> > interface carp0 {
> > passive
> > }
> > }
> 
> Could you explain what passive means in this context, please?
> 

It's in the man page:
 passive
 Prevent transmission and reception of OSPF packets on this inter-
 face.

The interface is still considered part of OSPF and therefore a stub network
LSA is redistributed but no OSPF traffic is done on that interface. This
is nice to add some directly connected interfaces or loopbacks instead of
using redistribute connected.

-- 
:wq Claudio



Re: ospfd.conf question

2005-10-17 Thread stan
On Mon, Oct 17, 2005 at 05:16:20PM +0200, Claudio Jeker wrote:
> On Mon, Oct 17, 2005 at 10:35:07AM -0400, stan wrote:
> > On Mon, Oct 17, 2005 at 04:12:48PM +0159, Claudio Jeker wrote:
> > > On Mon, Oct 17, 2005 at 09:39:01AM -0400, stan wrote:
> > > > I'm trying to do something that should be simple with ospfd from a 
> > > > snapshot
> > > > from last week.
> > > > 
> > > > I have a pair of carp's firewall/gateway boxes (3.7 machines) and they
> > > > connect a single subnet to the corporate network. Corporate wants to move
> > > > from rip to ospf. I've set up the following ospfd.conf file:
> > > > 
> > > > 
> > > > # $OpenBSD: ospfd.conf,v 1.2 2005/02/06 20:07:09 norby Exp $
> > > > 
> > > > # macros
> > > > # password="secret"
> > > > 
> > > > # global configuration
> > > > router-id 170.85.113.111
> > > > # fib-update no
> > > > # spf-delay 1
> > > > # spf-holdtime 5
> > > > 
> > > > # auth-key $password
> > > > # auth-type none
> > > > # hello-interval 10
> > > > # metric 10
> > > > # retransmit-interval 5
> > > > # router-dead-time 40
> > > > # router-priority 1
> > > > # transmit-delay 1
> > > > 
> > > > # areas
> > > > area 0.0.0.120 {
> > > > interface fxp0 {
> > > > auth-type none
> > > > }
> > > > }
> > > > 
> > > > 
> > > > fxp0 is the "external" interface. The CARP interface is fxp1, and the
> > > > "internal" interface is fxp2. Presently I have pf off.
> > > > 
> > > > When I start ospfd I get the routes advertised by corporate, but they 
> > > > don't
> > > > see my route.
> > > > 
> > > > What am I doing wrong?
> > > > 
> > > 
> > > You're not advertising any routes with this setup. "redistribute static"
> > > is probably what you are looking for.
> > > Another option would be to use passive interfaces like
> > > 
> > > area 0.0.0.120 {
> > >   interface fxp0 {
> > >   auth-type none
> > >   }
> > >   interface fxp2 {
> > >   passive
> > >   }
> > >   interface carp0 {
> > >   passive
> > >   }
> > > }
> > 
> > Could you explain what passive means in this context, please?
> > 
> 
> It's in the man page:
>  passive
>  Prevent transmission and reception of OSPF packets on this inter-
>  face.
> 
> The interface is still considered part of OSPF and therefore a stub network
> LSA is redistributed but no OSPF traffic is done on that interface. This
> is nice to add some directly connected interfaces or loopbacks instead of
> using redistribute connected.

Thanks.

So, in my case, by not listing the pfsync interface (which is fxp1) in the
ospfd.conf file at all, neither will it be advertised, nor will traffic be
sent over it, right?

-- 
U.S. Encouraged by Vietnam Vote - Officials Cite 83% Turnout Despite Vietcong 
Terror 
- New York Times 9/3/1967



Re: ospfd.conf question

2005-10-17 Thread Claudio Jeker
On Mon, Oct 17, 2005 at 10:57:41AM -0400, stan wrote:
> On Mon, Oct 17, 2005 at 04:12:48PM +0159, Claudio Jeker wrote:
> > On Mon, Oct 17, 2005 at 09:39:01AM -0400, stan wrote:

> 
> Hmm, that seems to have gotten me close. Here's the new ospfd.conf file:
> 
> 
> # $OpenBSD: ospfd.conf,v 1.2 2005/02/06 20:07:09 norby Exp $
> 
> # global configuration
> router-id 170.85.113.111
> 
> # areas
> area 0.0.0.120 {
>   interface fxp0 {
>   auth-type none
>   }
>   interface fxp2 {
>   auth-type none
>   passive
>   }
> }
> 



> And when I start up the ospfd executable now I get:
> 
> 
> Script started on Mon Oct 17 10:38:04 2005
> phfw1# ospfd -d
> startup
> rde: new announced net 0.0.0.0/0
> rde: new announced net 170.85.106.128/25
> rde: new announced net 170.85.106.143/32
> rde: new announced net 170.85.113.0/25
> rde: new announced net 170.85.113.99/32
> rde: new announced net 192.168.254.0/24
> orig_rtr_lsa: area 0.0.0.120
> orig_rtr_lsa: stub net, interface carp1
> orig_rtr_lsa: stub net, interface carp0
> if_fsm: event UP resulted in action START and changing state for interface 
> carp0 from DOWN to WAITING
> start_spf_timer: IDLE -> DELAY
> recv_packet: invalid checksum, interface carp0
> recv_packet: authentication error, interface carp0
> spf_calc: calculation started, area ID 0.0.0.120
> spf_calc: calculation ended, area ID 0.0.0.120
> spf_start_holdtimer: DELAY -> HOLD
> spf_timer: state HOLD -> IDLE
> recv_packet: invalid checksum, interface carp0
> recv_packet: authentication error, interface carp0
> recv_packet: invalid checksum, interface carp0
> recv_packet: authentication error, interface carp0
> recv_packet: invalid checksum, interface carp0
> recv_packet: authentication error, interface carp0
...

That is not the config you pasted before. You are running OSPF
over carp here. This is nuts and will not work. You cannot run any kind
of routing protocol over carp without major issues! If you have two
routers in front of a common network use carp towards that network and
OSPF to connect the two routers to the backbone.
If one router fails ospf will take care and adjust the routing table.
Currently I think you need to use "redistribute static" for that setup or
wait a couple of days till I have fixed something.

> phfw1# op  ospfd -d
> startup
> orig_rtr_lsa: area 0.0.0.120
> rde: new announced net 0.0.0.0/0
> rde: new announced net 170.85.106.128/25
> rde: new announced net 170.85.106.143/32
> rde: new announced net 170.85.113.0/25
> rde: new announced net 170.85.113.99/32
> rde: new announced net 192.168.254.0/24
> orig_rtr_lsa: stub net, interface fxp2
> orig_rtr_lsa: stub net, interface fxp0
> if_fsm: event UP resulted in action START and changing state for interface 
> fxp0 from DOWN to WAITING
> start_spf_timer: IDLE -> DELAY
> nbr_fsm: event HELLO_RECEIVED resulted in action START_INACTIVITY_TIMER and 
> changing state for neighbor ID 170.85.115.1 from DOWN to INIT
> nbr_fsm: event 2_WAY_RECEIVED resulted in action EVAL and changing state for 
> neighbor ID 170.85.115.1 from INIT to 2-WAY
> if_fsm: event NEIGHBORCHANGE resulted in action NOTHING and changing state 
> for interface fxp0 from WAITING to WAITING
> recv_packet: packet sent to wrong address 170.85.113.99, interface fxp0
> spf_calc: calculation started, area ID 0.0.0.120
> spf_calc: calculation ended, area ID 0.0.0.120
> spf_start_holdtimer: DELAY -> HOLD
> recv_packet: packet sent to wrong address 170.85.113.99, interface fxp0
> spf_timer: state HOLD -> IDLE
> recv_db_description: packet ignored in state 2-WAY, neighbor ID 170.85.115.1
> recv_packet: packet sent to wrong address 170.85.113.99, interface fxp0

I bet 170.85.113.99 is the carp IP.

...

> I've confirmed with ethereal that the "invalid checksum" errors are indeed
> invalid checksums being sent by the router that I'm exchanging routes with.
> 

Iiick!

> But if I change the interfaces to carp0, and carp1, which are respectively
> the "outside", and "inside" carp interfaces for this machine, things don't
> work even this well:
> 

As I said before don't run ospf over carp. It will not work. You can use
it for the inside network but not for the one connected to the backbone.
 
> At this point in time I'm not even receiving the routes my neighbor router
> is sending.
> 

-- 
:wq Claudio



Re: ospfd.conf question

2005-10-17 Thread stan
On Mon, Oct 17, 2005 at 05:41:20PM +0200, Claudio Jeker wrote:
> On Mon, Oct 17, 2005 at 10:57:41AM -0400, stan wrote:
> > On Mon, Oct 17, 2005 at 04:12:48PM +0159, Claudio Jeker wrote:
> > > On Mon, Oct 17, 2005 at 09:39:01AM -0400, stan wrote:
> 
> > 
> > Hmm, that seems to have gotten me close. Here's the new ospfd.conf file:
> > 
> > 
> > # $OpenBSD: ospfd.conf,v 1.2 2005/02/06 20:07:09 norby Exp $
> > 
> > # global configuration
> > router-id 170.85.113.111
> > 
> > # areas
> > area 0.0.0.120 {
> > interface fxp0 {
> > auth-type none
> > }
> > interface fxp2 {
> > auth-type none
> > passive
> > }
> > }
> > 
> 
> 
> 
> 
> That is not the config you pasted before. You are running OSPF
> over carp here. This is nuts and will not work. You cannot run any kind
> of routing protocol over carp without major issues! If you have two
> routers in front of a common network use carp towards that network and
> OSPF to connect the two routers to the backbone.
> If one router fails ospf will take care and adjust the routing table.
> Currently I think you need to use "redistribute static" for that setup or
> wait a couple of days till I have fixed something.

Ah, in retrospect this makes sense. So the "external" interfaces on these 2
machines don't need carp at all. But I will still need it on the "inside"
as the machines on the internal network just have static routes in them.
So, I guess the gateway machines should each advertise their "real"
interfaces in the ospfd.conf file? Or should that be their carp interface?

> 
> I bet 170.85.113.99 is the carp IP.

It is.

> 
> ...
> 
> > I've confirmed with ethereal that the "invalid checksum" errors are indeed
> > invalid checksums being sent by the router that I'm exchanging routes with.
> > 
> 
> Iiick!

Agreed!

> 
> > But if I change the interfaces to carp0, and carp1, which are respectively
> > the "outside", and "inside" carp interfaces for this machine, things don't
> > work even this well:
> > 
> 
> As I said before don't run ospf over carp. It will not work. You can use
> it for the inside network but not for the one connected to the backbone.
>  

So, my ospfd.conf file should look like this?


# areas
area 0.0.0.120 {
interface fxp0 {
auth-type none
}
interface carp1 {
auth-type none
passive
}
}

Or would this be better?

# areas
area 0.0.0.120 {
interface fxp0 {
auth-type none
}
interface fxp2 {
auth-type none
passive
}
}

The "external" interface is fxp0, and the internal one is fxp2. The
internal carp is carp1, and the outside one (carp0) will go away.

Thanks very much for taking the time to educate me on this.


-- 
U.S. Encouraged by Vietnam Vote - Officials Cite 83% Turnout Despite Vietcong 
Terror 
- New York Times 9/3/1967



Re: ospfd.conf question

2005-10-17 Thread Claudio Jeker
On Mon, Oct 17, 2005 at 11:25:30AM -0400, stan wrote:
> On Mon, Oct 17, 2005 at 05:16:20PM +0200, Claudio Jeker wrote:
> > On Mon, Oct 17, 2005 at 10:35:07AM -0400, stan wrote:
> > > On Mon, Oct 17, 2005 at 04:12:48PM +0159, Claudio Jeker wrote:
> > > > On Mon, Oct 17, 2005 at 09:39:01AM -0400, stan wrote:
> > > > > I'm trying to do something that should be simple with ospfd from a 
> > > > > snapshot
> > > > > from last week.
> > > > > 
> > > > > I have a pair of carp's firewall/gateway boxes (3.7 machines) and they
> > > > > connect a single subnet to the corporate network. Corporate wants to
> > > > > move
> > > > > from rip to ospf. I've set up the following ospfd.conf file:
> > > > > 
> > > > > 
> > > > > # $OpenBSD: ospfd.conf,v 1.2 2005/02/06 20:07:09 norby Exp $
> > > > > 
> > > > > # macros
> > > > > # password="secret"
> > > > > 
> > > > > # global configuration
> > > > > router-id 170.85.113.111
> > > > > # fib-update no
> > > > > # spf-delay 1
> > > > > # spf-holdtime 5
> > > > > 
> > > > > # auth-key $password
> > > > > # auth-type none
> > > > > # hello-interval 10
> > > > > # metric 10
> > > > > # retransmit-interval 5
> > > > > # router-dead-time 40
> > > > > # router-priority 1
> > > > > # transmit-delay 1
> > > > > 
> > > > > # areas
> > > > > area 0.0.0.120 {
> > > > >   interface fxp0 {
> > > > >   auth-type none
> > > > >   }
> > > > > }
> > > > > 
> > > > > 
> > > > > fxp0 is the "external" interface. The CARP interface is fxp1, and the
> > > > > "internal" interface is fxp2. Presently I have pf off.
> > > > > 
> > > > > When I start ospfd I get the routes advertised by corporate, but they 
> > > > > don't
> > > > > see my route.
> > > > > 
> > > > > What am I doing wrong?
> > > > > 
> > > > 
> > > > You're not advertising any routes with this setup. "redistribute static"
> > > > is probably what you are looking for.
> > > > Another option would be to use passive interfaces like
> > > > 
> > > > area 0.0.0.120 {
> > > > interface fxp0 {
> > > > auth-type none
> > > > }
> > > > interface fxp2 {
> > > > passive
> > > > }
> > > > interface carp0 {
> > > > passive
> > > > }
> > > > }
> > > 
> > > Could you explain what passive means in this context, please?
> > > 
> > 
> > It's in the man page:
> >  passive
> >  Prevent transmission and reception of OSPF packets on this 
> > inter-
> >  face.
> > 
> > The interface is still considered part of OSPF and therefore a stub network
> > LSA is redistributed but no OSPF traffic is done on that interface. This
> > is nice to add some directly connected interfaces or loopbacks instead of
> > using redistribute connected.
> 
> Thanks.
> 
> So, in my case, by not listing the pfsync interface (which is fxp1) in the
> ospfd.conf file at all, neither will it be advertised, nor will traffic be
> sent over it, right?
> 

Yes.

-- 
:wq Claudio



Re: ospfd.conf question

2005-10-17 Thread Claudio Jeker
On Mon, Oct 17, 2005 at 12:00:38PM -0400, stan wrote:
> On Mon, Oct 17, 2005 at 05:41:20PM +0200, Claudio Jeker wrote:
> > On Mon, Oct 17, 2005 at 10:57:41AM -0400, stan wrote:
> > > On Mon, Oct 17, 2005 at 04:12:48PM +0159, Claudio Jeker wrote:
> > > > On Mon, Oct 17, 2005 at 09:39:01AM -0400, stan wrote:
> > 
> > > 
> > > Hmm, that seems to have gotten me close. Here's the new ospfd.conf file:
> > > 
> > > 
> > > # $OpenBSD: ospfd.conf,v 1.2 2005/02/06 20:07:09 norby Exp $
> > > 
> > > # global configuration
> > > router-id 170.85.113.111
> > > 
> > > # areas
> > > area 0.0.0.120 {
> > >   interface fxp0 {
> > >   auth-type none
> > >   }
> > >   interface fxp2 {
> > >   auth-type none
> > >   passive
> > >   }
> > > }
> > > 
> > 
> > 
> > 
> > 
> > That is not the config you pasted before. You are running OSPF
> > over carp here. This is nuts and will not work. You cannot run any kind
> > of routing protocol over carp without major issues! If you have two
> > routers in front of a common network use carp towards that network and
> > OSPF to connect the two routers to the backbone.
> > If one router fails ospf will take care and adjust the routing table.
> > Currently I think you need to use "redistribute static" for that setup or
> > wait a couple of days till I have fixed something.
> 
> Ah, in retrospect this makes sense. So the "external" interfaces on these 2
> machines don't need carp at all. But I will still need it on the "inside"
> as the machines on the internal network just have static routes in them.
> So, I guess the gateway machines should each advertise their "real"
> interfaces in the ospfd.conf file? Or should that be their carp interface?
> 

Currently it does not matter because the result is the same. In the near
future the state of the interface should be considered before announcing
it -- this is done for redistribute connected but not for stub networks.
If both routers announce the same network with the same metric it is not
fully defined how traffic will flow. In the case of Ciscos it will do per-flow
round robin over the two routers and this may cause some issues. So to fix
this issue you should add an additional metric 50 or so to the internal
interface on the backup router. Like:

area 0.0.0.120 {
interface fxp0 {
auth-type none
}
interface carp1 {
passive
metric 50
}
}

In that case the backup is less preferred and so routing will be directed
directly to the master. This helps especially pfsync.

> > 
> > As I said before don't run ospf over carp. It will not work. You can use
> > it for the inside network but not for the one connected to the backbone.
> >  
> 
> So, my ospfd.conf file should look like this?
> 
> 
> # areas
> area 0.0.0.120 {
>   interface fxp0 {
>   auth-type none
>   }
>   interface carp1 {
>   auth-type none
>   passive
>   }
> }
> 
> Or would this be better?
> 
> # areas
> area 0.0.0.120 {
>   interface fxp0 {
>   auth-type none
>   }
>   interface fxp2 {
>   auth-type none
>   passive
>   }
> }
> 
> The "external" interface is fxp0, and the internal one is fxp2. The
> internal carp is carp1, and the outside one (carp0) will go away.
> 

I would use the carp1 interface. As soon as we make stub network
announcements dependent on the link state, failover will be smoother
and will also track some cases that are currently unhandled.

> Thanks very much for taking the time to educate me on this.
> 

-- 
:wq Claudio
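The two recommendations Claudio makes in this thread (auth-type crypt rather than none for production, and a passive carp interface carrying a raised metric on the backup router, never an active OSPF interface on carp) can be checked mechanically before a config is deployed. The lint below is an added example, not code from the thread or from OpenBSD ospfd. It parses only the subset of ospfd.conf used here (router-id, redistribute, name="value" macros, area and interface blocks with auth-type, auth-md, passive and metric, with interface options inherited from the enclosing scope as ospfd.conf(5) describes) and the two sample configs, including the key value, are constructed.

```python
"""Lint the ospfd.conf subset used in this thread (constructed example, not
part of OpenBSD ospfd): routes are actually advertised, auth-type is crypt,
carp interfaces are passive, and a passive interface on the backup router
carries a higher metric than the default."""
import re
from dataclasses import dataclass, field

DEFAULT_METRIC = 10      # ospfd.conf(5) default interface metric
DEFAULT_AUTH = "none"    # ospfd.conf(5) default auth-type

@dataclass
class Interface:
    name: str
    auth_type: str = DEFAULT_AUTH
    passive: bool = False
    metric: int = DEFAULT_METRIC

@dataclass
class Area:
    ident: str
    interfaces: list = field(default_factory=list)

@dataclass
class Config:
    router_id: str = ""
    redistribute: list = field(default_factory=list)
    areas: list = field(default_factory=list)

MACRO_RE = re.compile(r'\s*(\w+)\s*=\s*"([^"]*)"\s*$')
# Number of values a keyword takes; unknown keywords are assumed to take one.
VALUE_COUNT = {"passive": 0, "}": 0, "auth-md": 2}

def tokenize(text):
    """Drop comments, collect name="value" macros, expand $name, split on braces."""
    macros, toks = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if m := MACRO_RE.match(line):
            macros[m.group(1)] = m.group(2)
            continue
        toks.extend(line.replace("{", " { ").replace("}", " } ").split())
    return [macros.get(t[1:], t) if t.startswith("$") else t for t in toks]

def parse(text):
    """Build a Config; interface options inherit from area and global scope."""
    toks, cfg = tokenize(text), Config()
    scope = [{"auth_type": DEFAULT_AUTH, "passive": False, "metric": DEFAULT_METRIC}]
    area = iface = None
    i = 0
    while i < len(toks):
        t = toks[i]
        n = VALUE_COUNT.get(t, 1)
        args = toks[i + 1:i + 1 + n]
        i += 1 + n
        if t == "router-id":
            cfg.router_id = args[0]
        elif t == "redistribute":
            cfg.redistribute.append(args[0])
        elif t in ("area", "interface"):
            scope.append(dict(scope[-1]))          # a new block inherits settings
            if i < len(toks) and toks[i] == "{":
                i += 1
            if t == "area":
                area = Area(args[0])
                cfg.areas.append(area)
            else:
                iface = Interface(args[0])
                area.interfaces.append(iface)
        elif t == "}":
            if iface is not None:                  # closing an interface block
                iface.auth_type = scope[-1]["auth_type"]
                iface.passive = scope[-1]["passive"]
                iface.metric = scope[-1]["metric"]
                iface = None
            else:
                area = None
            scope.pop()
        elif t == "auth-type":
            scope[-1]["auth_type"] = args[0]
        elif t == "metric":
            scope[-1]["metric"] = int(args[0])
        elif t == "passive":
            scope[-1]["passive"] = True
        # auth-md, auth-md-keyid, hello-interval, ... are skipped with their values
    return cfg

def lint(cfg, backup_router=False):
    """Findings for the problems discussed in the thread."""
    out = []
    if not cfg.redistribute and not any(i.passive for a in cfg.areas for i in a.interfaces):
        out.append("no routes advertised: add 'redistribute static' or a passive interface")
    for a in cfg.areas:
        for i in a.interfaces:
            if i.auth_type != "crypt":
                out.append(f"{i.name}: auth-type {i.auth_type}, use crypt in production")
            if i.name.startswith("carp") and not i.passive:
                out.append(f"{i.name}: OSPF adjacency over carp does not work, make it passive")
            if backup_router and i.passive and i.metric <= DEFAULT_METRIC:
                out.append(f"{i.name}: raise metric on the backup router (e.g. 50)")
    return out

# Constructed samples: stan's first config, and a hardened version of Claudio's
# final suggestion as it would look on the backup router.
ORIGINAL = """
router-id 170.85.113.111
area 0.0.0.120 {
    interface fxp0 {
        auth-type none
    }
}
"""
HARDENED_BACKUP = """
key="placeholder-not-a-real-key"   # macro; placeholder value
router-id 170.85.113.111
area 0.0.0.120 {
    auth-type crypt        # inherited by every interface in the area
    auth-md 1 $key
    auth-md-keyid 1
    interface fxp0 {
    }
    interface carp1 {
        passive
        metric 50
    }
}
"""

if __name__ == "__main__":
    for name, text, backup in (("original", ORIGINAL, False), ("hardened", HARDENED_BACKUP, True)):
        print(name, lint(parse(text), backup_router=backup) or ["ok"])
```

Run it on the two samples: stan's first config yields "no routes advertised" plus the auth-type finding, and the hardened backup-router config yields nothing. The backup-router check is deliberately only active when you tell the lint which box it is looking at, since the same passive interface without the extra metric is correct on the master.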



Re: ospfd.conf question

2005-10-17 Thread stan
On Mon, Oct 17, 2005 at 06:38:26PM +0200, Claudio Jeker wrote:
> On Mon, Oct 17, 2005 at 12:00:38PM -0400, stan wrote:
> > On Mon, Oct 17, 2005 at 05:41:20PM +0200, Claudio Jeker wrote:
> > > On Mon, Oct 17, 2005 at 10:57:41AM -0400, stan wrote:
> > > > On Mon, Oct 17, 2005 at 04:12:48PM +0159, Claudio Jeker wrote:
> > > > > On Mon, Oct 17, 2005 at 09:39:01AM -0400, stan wrote:
> > > 
> > > > 
> > > > Hmm, that seems to have gotten me close. Here's the new ospfd.conf file:
> > > > 
> > > > 
> > > > # $OpenBSD: ospfd.conf,v 1.2 2005/02/06 20:07:09 norby Exp $
> > > > 
> > > > # global configuration
> > > > router-id 170.85.113.111
> > > > 
> > > > # areas
> > > > area 0.0.0.120 {
> > > > interface fxp0 {
> > > > auth-type none
> > > > }
> > > > interface fxp2 {
> > > > auth-type none
> > > > passive
> > > > }
> > > > }
> > > > 
> > > 
> > > 
> > > 
> > > 
> > > That is not the config you pasted before. You are running OSPF
> > > over carp here. This is nuts and will not work. You can not run any kind
> > > of routing protocol over carp without major issues! If you have two
> > > routers in front of a common network use carp towards that network and
> > > OSPF to connect the two routers to the backbone.
> > > If one router fails ospf will take care and adjust the routing table.
> > > Currently I think you need to use "redistribute static" for that setup or
> > > wait a couple of days till I fixed something.
> > 
> > Ah, in retrospect this makes sense. So the "external" interfaces on these 2
> > machines don't need carp at all. But I will still need it on the "inside"
> > as the machines on the internal network just have static routes in them.
> > So, I guess the gateway machines should each advertise their "real"
> > interfaces in the ospfd.conf file? Or should that be their carp interface?
> > 
> 
> Currently it does not matter because the result is the same. In the near
> future the state of the interface should be considered before announcing
> it -- this is done for redistribute connected but not for stub networks.
> If both routers announce the same network with the same metric it is not
> fully defined how traffic will flow. In the case of Ciscos it will do per-flow
> round robin over the two routers and this may cause some issues. So to fix
> this issue you should add an additional metric 50 or so to the internal
> interface on the backup router. Like:
> 
> area 0.0.0.120 {
>   interface fxp0 {
>   auth-type none
>   }
>   interface carp1 {
>   passive
>   metric 50
>   }
> }
> 
> In that case the backup is less preferred and so routing will be directed
> directly to the master. This helps especially pfsync.

Yes, I was trying to think that part through. This makes sense. Thanks.

> 
> > > 
> > > As I said before don't run ospf over carp. It will not work. You can use
> > > it for the inside network but not for the one connected to the backbone.
> > >  
> > 
> > So, my ospfd.conf file should look like this?
> > 
> > 
> > # areas
> > area 0.0.0.120 {
> > interface fxp0 {
> > auth-type none
> > }
> > interface carp1 {
> > auth-type none
> > passive
> > }
> > }
> > 
> > Or would this be better?
> > 
> > # areas
> > area 0.0.0.120 {
> > interface fxp0 {
> > auth-type none
> > }
> > interface fxp2 {
> > auth-type none
> > passive
> > }
> > }
> > 
> > The "external" interface is fxp0, and the internal one is fxp2. The
> > internal carp is carp1, and the outside one (carp0) will go away.
> > 
> 
> I would use the carp1 interface. As soon as we make stub network
> announcements dependent on the link state, failover will be smoother
> and will also track some cases that are currently unhandled.
> 
One more question if I might, please.

Now I get this startup message:

phfw1# ospfd -d
startup
rde: new announced net 0.0.0.0/0
rde: new announced net 170.85.106.128/25
rde: new announced net 170.85.106.143/32
rde: new announced net 170.85.113.0/25
rde: new announced net 170.85.113.99/32
rde: new announced net 192.168.254.0/24
orig_rtr_lsa: area 0.0.0.120
orig_rtr_lsa: stub net, interface carp1
orig_rtr_lsa: stub net, interface fxp0

Just to confirm I should not be announcing the 192.x network even though I
see this message, right?


-- 
U.S. Encouraged by Vietnam Vote - Officials Cite 83% Turnout Despite Vietcong 
Terror 
- New York Times 9/3/1967



Re: ospfd.conf question

2005-10-17 Thread Claudio Jeker
On Mon, Oct 17, 2005 at 12:56:33PM -0400, stan wrote:
> On Mon, Oct 17, 2005 at 06:38:26PM +0200, Claudio Jeker wrote:
> > On Mon, Oct 17, 2005 at 12:00:38PM -0400, stan wrote:
> > > On Mon, Oct 17, 2005 at 05:41:20PM +0200, Claudio Jeker wrote:

...

> One more question if I might, please.
> 
> Now I get this startup message:
> 
> phfw1# ospfd -d
> startup
> rde: new announced net 0.0.0.0/0
> rde: new announced net 170.85.106.128/25
> rde: new announced net 170.85.106.143/32
> rde: new announced net 170.85.113.0/25
> rde: new announced net 170.85.113.99/32
> rde: new announced net 192.168.254.0/24
> orig_rtr_lsa: area 0.0.0.120
> orig_rtr_lsa: stub net, interface carp1
> orig_rtr_lsa: stub net, interface fxp0
> 
> Just to confirm I should not be announcing the 192.x network even though I
> see this message, right?
> 

The message is a bit misleading. It actually means that the following
networks have been added to the list of candidates for "redistribute
(connected|static|default)". You can verify with "ospfctl show database
self-originated" and "ospfctl show database router" to show which networks
you announce.

-- 
:wq Claudio
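Claudio's last answer is the key to reading the `ospfd -d` output quoted throughout this thread: `rde: new announced net` lines are only redistribute candidates, while `orig_rtr_lsa: stub net` lines are what the router LSA actually carries. The script below is an added example, not code from the thread or from ospfd. It summarises a debug log along those lines, tracks the interface and neighbor FSM states, counts `recv_packet` errors per interface, and flags the patterns the thread diagnosed (an OSPF interface FSM on a carp interface, checksum/authentication failures, packets addressed to the carp address instead of the interface address). The sample log is constructed from lines quoted in the thread, with wrapped lines rejoined and lines from two separate runs combined, and the interpretations in the findings are the ones stated in the thread.

```python
"""Triage ospfd -d debug output (constructed example, not part of ospfd).

Separates redistribute candidates from the stub networks actually placed in
the router LSA, tracks FSM states, and counts recv_packet errors per interface."""
import re
from collections import Counter

RE_CANDIDATE = re.compile(r"^rde: new announced net (\S+)$")
RE_STUB = re.compile(r"^orig_rtr_lsa: stub net, interface (\S+)$")
RE_RECV = re.compile(r"^recv_packet: (.+?), interface (\S+)$")
RE_NBR = re.compile(r"^nbr_fsm: .* neighbor ID (\S+) from (\S+) to (\S+)$")
RE_IF = re.compile(r"^if_fsm: .* interface (\S+) from (\S+) to (\S+)$")

def summarize(lines):
    """Reduce the log to the facts a defender wants at a glance."""
    s = {"candidates": [], "stub_nets": set(), "recv_errors": Counter(),
         "neighbors": {}, "interfaces": {}}
    for raw in lines:
        line = raw.strip()
        if m := RE_CANDIDATE.match(line):
            s["candidates"].append(m.group(1))        # redistribute candidate only
        elif m := RE_STUB.match(line):
            s["stub_nets"].add(m.group(1))            # really in the router LSA
        elif m := RE_RECV.match(line):
            s["recv_errors"][(m.group(2), m.group(1))] += 1
        elif m := RE_NBR.match(line):
            s["neighbors"][m.group(1)] = m.group(3)   # latest neighbor state
        elif m := RE_IF.match(line):
            s["interfaces"][m.group(1)] = m.group(3)  # latest interface state
    return s

def findings(s):
    """Turn the summary into review notes following the thread's conclusions."""
    out = [f"stub networks in router LSA: {', '.join(sorted(s['stub_nets']))}",
           "redistribute candidates (announced only if a matching redistribute "
           f"statement exists): {', '.join(s['candidates'])}"]
    for ifname, state in s["interfaces"].items():
        if ifname.startswith("carp"):
            out.append(f"{ifname}: OSPF interface FSM running on a carp interface "
                       f"(state {state}); the thread's advice is not to run OSPF over carp")
    for (ifname, reason), n in sorted(s["recv_errors"].items()):
        if reason in ("invalid checksum", "authentication error"):
            out.append(f"{ifname}: {n} x '{reason}'; verify auth-type/key agreement "
                       "with the neighbor and confirm on the wire, as stan did with Ethereal")
        elif reason.startswith("packet sent to wrong address"):
            addr = reason.rsplit(" ", 1)[1]
            out.append(f"{ifname}: {n} x packets addressed to {addr} rather than the "
                       "interface address (in the thread that was the carp address)")
    for nbr, state in s["neighbors"].items():
        if state != "FULL":
            out.append(f"neighbor {nbr}: adjacency not FULL (last state {state})")
    return out

# Constructed sample: lines quoted in the thread, wrapped lines rejoined,
# lines from two different runs combined into one log.
SAMPLE_LOG = """\
startup
rde: new announced net 0.0.0.0/0
rde: new announced net 170.85.113.0/25
rde: new announced net 192.168.254.0/24
orig_rtr_lsa: area 0.0.0.120
orig_rtr_lsa: stub net, interface carp1
orig_rtr_lsa: stub net, interface carp0
if_fsm: event UP resulted in action START and changing state for interface carp0 from DOWN to WAITING
recv_packet: invalid checksum, interface carp0
recv_packet: authentication error, interface carp0
recv_packet: invalid checksum, interface carp0
recv_packet: authentication error, interface carp0
nbr_fsm: event HELLO_RECEIVED resulted in action START_INACTIVITY_TIMER and changing state for neighbor ID 170.85.115.1 from DOWN to INIT
nbr_fsm: event 2_WAY_RECEIVED resulted in action EVAL and changing state for neighbor ID 170.85.115.1 from INIT to EXSTART
if_fsm: event WAITTIMER resulted in action ELECT and changing state for interface carp0 from WAITING to DR
recv_packet: packet sent to wrong address 170.85.113.99, interface fxp0
"""

if __name__ == "__main__":
    for note in findings(summarize(SAMPLE_LOG.splitlines())):
        print(note)
```

Feed it the saved output of `ospfd -d` (or a `script` capture like stan's) instead of the sample. The first two lines of the report answer stan's closing question directly: a network that only appears as a candidate is not announced unless a `redistribute` statement covers it, and `ospfctl show database self-originated` remains the authoritative check on the running daemon.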