ospfd.conf question
I'm trying to do something that should be simple with ospfd from a snapshot from last week. I have a pair of carp'd firewall/gateway boxes (3.7 machines) and they connect a single subnet to the corporate network. Corporate wants to move from RIP to OSPF.

I've set up the following ospfd.conf file:

# $OpenBSD: ospfd.conf,v 1.2 2005/02/06 20:07:09 norby Exp $

# macros
# password=secret

# global configuration
router-id 170.85.113.111
# fib-update no
# spf-delay 1
# spf-holdtime 5
# auth-key $password
# auth-type none
# hello-interval 10
# metric 10
# retransmit-interval 5
# router-dead-time 40
# router-priority 1
# transmit-delay 1

# areas
area 0.0.0.120 {
        interface fxp0 {
                auth-type none
        }
}

fxp0 is the external interface. The CARP interface is fxp1, and the internal interface is fxp2. Presently I have pf off.

When I start ospfd I get the routes advertised by corporate, but they don't see my route. What am I doing wrong?

--
U.S. Encouraged by Vietnam Vote - Officials Cite 83% Turnout Despite Vietcong Terror - New York Times 9/3/1967
Re: ospfd.conf question
On Mon, Oct 17, 2005 at 09:39:01AM -0400, stan wrote:
> I'm trying to do something that should be simple with ospfd from a snapshot from last week. I have a pair of carp'd firewall/gateway boxes (3.7 machines) and they connect a single subnet to the corporate network. Corporate wants to move from RIP to OSPF.
>
> I've set up the following ospfd.conf file:
>
> # $OpenBSD: ospfd.conf,v 1.2 2005/02/06 20:07:09 norby Exp $
>
> # macros
> # password=secret
>
> # global configuration
> router-id 170.85.113.111
> # fib-update no
> # spf-delay 1
> # spf-holdtime 5
> # auth-key $password
> # auth-type none
> # hello-interval 10
> # metric 10
> # retransmit-interval 5
> # router-dead-time 40
> # router-priority 1
> # transmit-delay 1
>
> # areas
> area 0.0.0.120 {
>         interface fxp0 {
>                 auth-type none
>         }
> }
>
> fxp0 is the external interface. The CARP interface is fxp1, and the internal interface is fxp2. Presently I have pf off.
>
> When I start ospfd I get the routes advertised by corporate, but they don't see my route. What am I doing wrong?

You're not advertising any routes with this setup. redistribute static is probably what you are looking for. Another option would be to use passive interfaces like

area 0.0.0.120 {
        interface fxp0 {
                auth-type none
        }
        interface fxp2 {
                passive
        }
        interface carp0 {
                passive
        }
}

Side note: auth-type none is OK for testing but auth-type crypt should be considered for production.

--
:wq Claudio
Re: ospfd.conf question
On Mon, Oct 17, 2005 at 04:12:48PM +0159, Claudio Jeker wrote:
> On Mon, Oct 17, 2005 at 09:39:01AM -0400, stan wrote:
>> I'm trying to do something that should be simple with ospfd from a snapshot from last week. I have a pair of carp'd firewall/gateway boxes (3.7 machines) and they connect a single subnet to the corporate network. Corporate wants to move from RIP to OSPF.
>>
>> I've set up the following ospfd.conf file:
>>
>> # $OpenBSD: ospfd.conf,v 1.2 2005/02/06 20:07:09 norby Exp $
>>
>> # macros
>> # password=secret
>>
>> # global configuration
>> router-id 170.85.113.111
>> # fib-update no
>> # spf-delay 1
>> # spf-holdtime 5
>> # auth-key $password
>> # auth-type none
>> # hello-interval 10
>> # metric 10
>> # retransmit-interval 5
>> # router-dead-time 40
>> # router-priority 1
>> # transmit-delay 1
>>
>> # areas
>> area 0.0.0.120 {
>>         interface fxp0 {
>>                 auth-type none
>>         }
>> }
>>
>> fxp0 is the external interface. The CARP interface is fxp1, and the internal interface is fxp2. Presently I have pf off.
>>
>> When I start ospfd I get the routes advertised by corporate, but they don't see my route. What am I doing wrong?
>
> You're not advertising any routes with this setup. redistribute static is probably what you are looking for. Another option would be to use passive interfaces like
>
> area 0.0.0.120 {
>         interface fxp0 {
>                 auth-type none
>         }
>         interface fxp2 {
>                 passive
>         }
>         interface carp0 {
>                 passive
>         }
> }

Could you explain what passive means in this context, please?

> Side note: auth-type none is OK for testing but auth-type crypt should be considered for production.

While I agree completely, it's out of my control. This is what corporate is using :-(

--
U.S. Encouraged by Vietnam Vote - Officials Cite 83% Turnout Despite Vietcong Terror - New York Times 9/3/1967
Re: ospfd.conf question
On Mon, Oct 17, 2005 at 04:12:48PM +0159, Claudio Jeker wrote:
> On Mon, Oct 17, 2005 at 09:39:01AM -0400, stan wrote:
>> I'm trying to do something that should be simple with ospfd from a snapshot from last week. I have a pair of carp'd firewall/gateway boxes (3.7 machines) and they connect a single subnet to the corporate network. Corporate wants to move from RIP to OSPF.
>>
>> I've set up the following ospfd.conf file:
>>
>> # $OpenBSD: ospfd.conf,v 1.2 2005/02/06 20:07:09 norby Exp $
>>
>> # macros
>> # password=secret
>>
>> # global configuration
>> router-id 170.85.113.111
>> # fib-update no
>> # spf-delay 1
>> # spf-holdtime 5
>> # auth-key $password
>> # auth-type none
>> # hello-interval 10
>> # metric 10
>> # retransmit-interval 5
>> # router-dead-time 40
>> # router-priority 1
>> # transmit-delay 1
>>
>> # areas
>> area 0.0.0.120 {
>>         interface fxp0 {
>>                 auth-type none
>>         }
>> }
>>
>> fxp0 is the external interface. The CARP interface is fxp1, and the internal interface is fxp2. Presently I have pf off.
>>
>> When I start ospfd I get the routes advertised by corporate, but they don't see my route. What am I doing wrong?
>
> You're not advertising any routes with this setup. redistribute static is probably what you are looking for. Another option would be to use passive interfaces like
>
> area 0.0.0.120 {
>         interface fxp0 {
>                 auth-type none
>         }
>         interface fxp2 {
>                 passive
>         }
>         interface carp0 {
>                 passive
>         }
> }

Hmm, that seems to have gotten me close.

Here's the new ospfd.conf file:

# $OpenBSD: ospfd.conf,v 1.2 2005/02/06 20:07:09 norby Exp $

# macros
# password=secret

# global configuration
router-id 170.85.113.111
# fib-update no
# spf-delay 1
# spf-holdtime 5
# auth-key $password
# auth-type none
# hello-interval 10
# metric 10
# retransmit-interval 5
# router-dead-time 40
# router-priority 1
# transmit-delay 1

# areas
area 0.0.0.120 {
        interface fxp0 {
                auth-type none
        }
        interface fxp2 {
                auth-type none
                passive
        }
}

And when I start up the ospfd executable now I get:

Script started on Mon Oct 17 10:38:04 2005
phfw1# ospfd -d
startup
rde: new announced net 0.0.0.0/0
rde: new announced net 170.85.106.128/25
rde: new announced net 170.85.106.143/32
rde: new announced net 170.85.113.0/25
rde: new announced net 170.85.113.99/32
rde: new announced net 192.168.254.0/24
orig_rtr_lsa: area 0.0.0.120
orig_rtr_lsa: stub net, interface carp1
orig_rtr_lsa: stub net, interface carp0
if_fsm: event UP resulted in action START and changing state for interface carp0 from DOWN to WAITING
start_spf_timer: IDLE - DELAY
recv_packet: invalid checksum, interface carp0
recv_packet: authentication error, interface carp0
spf_calc: calculation started, area ID 0.0.0.120
spf_calc: calculation ended, area ID 0.0.0.120
spf_start_holdtimer: DELAY - HOLD
spf_timer: state HOLD - IDLE
recv_packet: invalid checksum, interface carp0
recv_packet: authentication error, interface carp0
recv_packet: invalid checksum, interface carp0
recv_packet: authentication error, interface carp0
recv_packet: invalid checksum, interface carp0
recv_packet: authentication error, interface carp0
if_act_elect: interface carp0 old dr none new dr 170.85.113.99, old bdr none new bdr none
orig_rtr_lsa: area 0.0.0.120
orig_rtr_lsa: stub net, interface carp1
orig_rtr_lsa: stub net, interface carp0
orig_rtr_lsa: area 0.0.0.120
orig_rtr_lsa: stub net, interface carp1
orig_rtr_lsa: stub net, interface carp0
if_fsm: event WAITTIMER resulted in action ELECT and changing state for interface carp0 from WAITING to DR
recv_packet: invalid checksum, interface carp0
recv_packet: authentication error, interface carp0
recv_packet: invalid checksum, interface carp0
recv_packet: authentication error, interface carp0
recv_packet: invalid checksum, interface carp0
recv_packet: authentication error, interface carp0
nbr_fsm: event HELLO_RECEIVED resulted in action START_INACTIVITY_TIMER and changing state for neighbor ID 170.85.115.1 from DOWN to INIT
nbr_fsm: event 2_WAY_RECEIVED resulted in action EVAL and changing state for neighbor ID 170.85.115.1 from INIT to EXSTART
if_act_elect: interface carp0 old dr 170.85.113.99 new dr 170.85.113.98, old bdr none new bdr 170.85.113.99
orig_rtr_lsa: area 0.0.0.120
orig_rtr_lsa: stub net, interface carp1
orig_rtr_lsa: stub net, interface carp0
orig_rtr_lsa: area 0.0.0.120
orig_rtr_lsa: stub net, interface carp1
orig_rtr_lsa: stub net, interface carp0
if_fsm: event NEIGHBORCHANGE resulted in action ELECT and changing state for interface carp0 from DR to BACKUP
nbr_fsm: event NEGOTIATION_DONE resulted in action SNAPSHOT and changing state for neighbor ID 170.85.115.1 from EXSTART to SNAPSHOT
nbr_fsm: event SNAPSHOT_DONE resulted in action SNAPSHOT_DONE and changing state for neighbor ID 170.85.115.1 from SNAPSHOT to EXCHANGE
recv_db_description: dupe
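The debug output above is dense, and the things worth pulling out of it are the same on every ospfd deployment: which interface the packet errors land on, how each neighbour walks through the OSPF state machine, which interfaces are only ever announced as stub nets (passive), and whether hellos are actually being exchanged on a carp(4) interface, which is the problem Claudio identifies later in the thread. The following triage script is an added example written for this thread; it is not code from the thread or from OpenBSD's ospfd. The regular expressions are derived from the line shapes quoted above, not from ospfd's source, and SAMPLE_LOG is a trimmed, constructed copy of those lines. Treating "driven out of DOWN by if_fsm" as the definition of an active interface is a heuristic drawn from the logs on this page, not ospfd's own definition.

```python
"""Triage helper for ospfd -d debug output (added example, not ospfd code)."""
import re
from collections import Counter, defaultdict

# Constructed from the lines quoted in the thread, trimmed.
SAMPLE_LOG = """\
startup
orig_rtr_lsa: area 0.0.0.120
orig_rtr_lsa: stub net, interface carp1
orig_rtr_lsa: stub net, interface carp0
if_fsm: event UP resulted in action START and changing state for interface carp0 from DOWN to WAITING
recv_packet: invalid checksum, interface carp0
recv_packet: authentication error, interface carp0
recv_packet: invalid checksum, interface carp0
recv_packet: authentication error, interface carp0
if_fsm: event WAITTIMER resulted in action ELECT and changing state for interface carp0 from WAITING to DR
nbr_fsm: event HELLO_RECEIVED resulted in action START_INACTIVITY_TIMER and changing state for neighbor ID 170.85.115.1 from DOWN to INIT
nbr_fsm: event 2_WAY_RECEIVED resulted in action EVAL and changing state for neighbor ID 170.85.115.1 from INIT to EXSTART
if_fsm: event NEIGHBORCHANGE resulted in action ELECT and changing state for interface carp0 from DR to BACKUP
nbr_fsm: event NEGOTIATION_DONE resulted in action SNAPSHOT and changing state for neighbor ID 170.85.115.1 from EXSTART to SNAPSHOT
recv_packet: packet sent to wrong address 170.85.113.99, interface fxp0
"""

# Line shapes as they appear in the thread (assumed, not taken from ospfd's source).
RECV_ERR = re.compile(r"^recv_packet: (?P<reason>.+?), interface (?P<ifname>\S+)$")
IF_FSM = re.compile(r"^if_fsm: event (?P<event>\S+) .* interface (?P<ifname>\S+) "
                    r"from (?P<old>\S+) to (?P<new>\S+)$")
NBR_FSM = re.compile(r"^nbr_fsm: event (?P<event>\S+) .* neighbor ID (?P<nbr>\S+) "
                     r"from (?P<old>\S+) to (?P<new>\S+)$")
STUB = re.compile(r"^orig_rtr_lsa: stub net, interface (?P<ifname>\S+)$")


def _record(states, old, new):
    """Append a transition, seeding the list with the initial state."""
    if not states:
        states.append(old)
    states.append(new)


def triage(log_text):
    """Summarise ospfd -d output as plain dicts and lists."""
    errors = defaultdict(Counter)   # interface -> Counter of recv_packet reasons
    if_states = defaultdict(list)   # interface -> states visited by if_fsm
    nbr_states = defaultdict(list)  # neighbour router-id -> states visited by nbr_fsm
    stub_ifaces = set()             # interfaces announced as stub networks

    for raw in log_text.splitlines():
        line = raw.strip()
        m = RECV_ERR.match(line)
        if m:
            errors[m["ifname"]][m["reason"]] += 1
            continue
        m = IF_FSM.match(line)
        if m:
            _record(if_states[m["ifname"]], m["old"], m["new"])
            continue
        m = NBR_FSM.match(line)
        if m:
            _record(nbr_states[m["nbr"]], m["old"], m["new"])
            continue
        m = STUB.match(line)
        if m:
            stub_ifaces.add(m["ifname"])

    # Heuristic from the quoted logs: an interface the interface FSM drives out
    # of DOWN is exchanging hellos; one that only appears as a stub net is passive.
    active = {i for i, s in if_states.items() if any(st != "DOWN" for st in s)}
    return {
        "errors": {i: dict(c) for i, c in errors.items()},
        "if_states": dict(if_states),
        "nbr_states": dict(nbr_states),
        "passive_only": sorted(stub_ifaces - active),
        # Adjacencies belong on the physical interface, not on carp(4);
        # flag any carp interface that is actively speaking OSPF.
        "ospf_over_carp": sorted(i for i in active if i.startswith("carp")),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a saved `ospfd -d` transcript and the "ospf_over_carp" entry answers the first question Claudio asks in this thread; the per-interface error counters separate a neighbour that cannot authenticate (which repeats every hello interval) from a one-off wrong-address packet.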
Re: ospfd.conf question
On Mon, Oct 17, 2005 at 10:35:07AM -0400, stan wrote:
> On Mon, Oct 17, 2005 at 04:12:48PM +0159, Claudio Jeker wrote:
>> On Mon, Oct 17, 2005 at 09:39:01AM -0400, stan wrote:
>>> I'm trying to do something that should be simple with ospfd from a snapshot from last week. I have a pair of carp'd firewall/gateway boxes (3.7 machines) and they connect a single subnet to the corporate network. Corporate wants to move from RIP to OSPF.
>>>
>>> I've set up the following ospfd.conf file:
>>>
>>> # $OpenBSD: ospfd.conf,v 1.2 2005/02/06 20:07:09 norby Exp $
>>>
>>> # macros
>>> # password=secret
>>>
>>> # global configuration
>>> router-id 170.85.113.111
>>> # fib-update no
>>> # spf-delay 1
>>> # spf-holdtime 5
>>> # auth-key $password
>>> # auth-type none
>>> # hello-interval 10
>>> # metric 10
>>> # retransmit-interval 5
>>> # router-dead-time 40
>>> # router-priority 1
>>> # transmit-delay 1
>>>
>>> # areas
>>> area 0.0.0.120 {
>>>         interface fxp0 {
>>>                 auth-type none
>>>         }
>>> }
>>>
>>> fxp0 is the external interface. The CARP interface is fxp1, and the internal interface is fxp2. Presently I have pf off.
>>>
>>> When I start ospfd I get the routes advertised by corporate, but they don't see my route. What am I doing wrong?
>>
>> You're not advertising any routes with this setup. redistribute static is probably what you are looking for. Another option would be to use passive interfaces like
>>
>> area 0.0.0.120 {
>>         interface fxp0 {
>>                 auth-type none
>>         }
>>         interface fxp2 {
>>                 passive
>>         }
>>         interface carp0 {
>>                 passive
>>         }
>> }
>
> Could you explain what passive means in this context, please?

It's in the man page:

     passive     Prevent transmission and reception of OSPF packets on this
                 interface. The interface is still considered part of OSPF
                 and therefore a stub network LSA is redistributed but no
                 OSPF traffic is done on that interface.

This is nice to add some directly connected interfaces or loopbacks instead of using redistribute connected.

--
:wq Claudio
Re: ospfd.conf question
On Mon, Oct 17, 2005 at 05:16:20PM +0200, Claudio Jeker wrote:
> On Mon, Oct 17, 2005 at 10:35:07AM -0400, stan wrote:
>> On Mon, Oct 17, 2005 at 04:12:48PM +0159, Claudio Jeker wrote:
>>> On Mon, Oct 17, 2005 at 09:39:01AM -0400, stan wrote:
>>>> I'm trying to do something that should be simple with ospfd from a snapshot from last week. I have a pair of carp'd firewall/gateway boxes (3.7 machines) and they connect a single subnet to the corporate network. Corporate wants to move from RIP to OSPF.
>>>>
>>>> I've set up the following ospfd.conf file:
>>>>
>>>> # $OpenBSD: ospfd.conf,v 1.2 2005/02/06 20:07:09 norby Exp $
>>>>
>>>> # macros
>>>> # password=secret
>>>>
>>>> # global configuration
>>>> router-id 170.85.113.111
>>>> # fib-update no
>>>> # spf-delay 1
>>>> # spf-holdtime 5
>>>> # auth-key $password
>>>> # auth-type none
>>>> # hello-interval 10
>>>> # metric 10
>>>> # retransmit-interval 5
>>>> # router-dead-time 40
>>>> # router-priority 1
>>>> # transmit-delay 1
>>>>
>>>> # areas
>>>> area 0.0.0.120 {
>>>>         interface fxp0 {
>>>>                 auth-type none
>>>>         }
>>>> }
>>>>
>>>> fxp0 is the external interface. The CARP interface is fxp1, and the internal interface is fxp2. Presently I have pf off.
>>>>
>>>> When I start ospfd I get the routes advertised by corporate, but they don't see my route. What am I doing wrong?
>>>
>>> You're not advertising any routes with this setup. redistribute static is probably what you are looking for. Another option would be to use passive interfaces like
>>>
>>> area 0.0.0.120 {
>>>         interface fxp0 {
>>>                 auth-type none
>>>         }
>>>         interface fxp2 {
>>>                 passive
>>>         }
>>>         interface carp0 {
>>>                 passive
>>>         }
>>> }
>>
>> Could you explain what passive means in this context, please?
>
> It's in the man page:
>
>      passive     Prevent transmission and reception of OSPF packets on this
>                  interface. The interface is still considered part of OSPF
>                  and therefore a stub network LSA is redistributed but no
>                  OSPF traffic is done on that interface.
>
> This is nice to add some directly connected interfaces or loopbacks instead of using redistribute connected.

Thanks.

So, in my case, by not listing the pfsync interface (which is fxp1) in the ospfd.conf file at all, neither will it be advertised, nor will traffic be sent over it, right?

--
U.S. Encouraged by Vietnam Vote - Officials Cite 83% Turnout Despite Vietcong Terror - New York Times 9/3/1967
Re: ospfd.conf question
On Mon, Oct 17, 2005 at 10:57:41AM -0400, stan wrote:
> On Mon, Oct 17, 2005 at 04:12:48PM +0159, Claudio Jeker wrote:
>> On Mon, Oct 17, 2005 at 09:39:01AM -0400, stan wrote:
>
> Hmm, that seems to have gotten me close.
>
> Here's the new ospfd.conf file:
>
> # $OpenBSD: ospfd.conf,v 1.2 2005/02/06 20:07:09 norby Exp $
>
> # global configuration
> router-id 170.85.113.111
>
> # areas
> area 0.0.0.120 {
>         interface fxp0 {
>                 auth-type none
>         }
>         interface fxp2 {
>                 auth-type none
>                 passive
>         }
> }

config stripped a bit

> And when I start up the ospfd executable now I get:
>
> Script started on Mon Oct 17 10:38:04 2005
> phfw1# ospfd -d
> startup
> rde: new announced net 0.0.0.0/0
> rde: new announced net 170.85.106.128/25
> rde: new announced net 170.85.106.143/32
> rde: new announced net 170.85.113.0/25
> rde: new announced net 170.85.113.99/32
> rde: new announced net 192.168.254.0/24
> orig_rtr_lsa: area 0.0.0.120
> orig_rtr_lsa: stub net, interface carp1
> orig_rtr_lsa: stub net, interface carp0
> if_fsm: event UP resulted in action START and changing state for interface carp0 from DOWN to WAITING
> start_spf_timer: IDLE - DELAY
> recv_packet: invalid checksum, interface carp0
> recv_packet: authentication error, interface carp0
> spf_calc: calculation started, area ID 0.0.0.120
> spf_calc: calculation ended, area ID 0.0.0.120
> spf_start_holdtimer: DELAY - HOLD
> spf_timer: state HOLD - IDLE
> recv_packet: invalid checksum, interface carp0
> recv_packet: authentication error, interface carp0
> recv_packet: invalid checksum, interface carp0
> recv_packet: authentication error, interface carp0
> recv_packet: invalid checksum, interface carp0
> recv_packet: authentication error, interface carp0
> ...

That is not the config you pasted before. You are running OSPF over carp here. This is nuts and will not work. You can not run any kind of routing protocol over carp without major issues! If you have two routers in front of a common network use carp towards that network and OSPF to connect the two routers to the backbone. If one router fails ospf will take care and adjust the routing table.

Currently I think you need to use redistribute static for that setup or wait a couple of days till I have fixed something.

> phfw1# ospfd -d
> startup
> orig_rtr_lsa: area 0.0.0.120
> rde: new announced net 0.0.0.0/0
> rde: new announced net 170.85.106.128/25
> rde: new announced net 170.85.106.143/32
> rde: new announced net 170.85.113.0/25
> rde: new announced net 170.85.113.99/32
> rde: new announced net 192.168.254.0/24
> orig_rtr_lsa: stub net, interface fxp2
> orig_rtr_lsa: stub net, interface fxp0
> if_fsm: event UP resulted in action START and changing state for interface fxp0 from DOWN to WAITING
> start_spf_timer: IDLE - DELAY
> nbr_fsm: event HELLO_RECEIVED resulted in action START_INACTIVITY_TIMER and changing state for neighbor ID 170.85.115.1 from DOWN to INIT
> nbr_fsm: event 2_WAY_RECEIVED resulted in action EVAL and changing state for neighbor ID 170.85.115.1 from INIT to 2-WAY
> if_fsm: event NEIGHBORCHANGE resulted in action NOTHING and changing state for interface fxp0 from WAITING to WAITING
> recv_packet: packet sent to wrong address 170.85.113.99, interface fxp0
> spf_calc: calculation started, area ID 0.0.0.120
> spf_calc: calculation ended, area ID 0.0.0.120
> spf_start_holdtimer: DELAY - HOLD
> recv_packet: packet sent to wrong address 170.85.113.99, interface fxp0
> spf_timer: state HOLD - IDLE
> recv_db_description: packet ignored in state 2-WAY, neighbor ID 170.85.115.1
> recv_packet: packet sent to wrong address 170.85.113.99, interface fxp0

I bet 170.85.113.99 is the carp IP.

> ...
>
> I've confirmed with Ethereal that the invalid checksum errors are indeed invalid checksums being sent by the router that I'm exchanging routes with. Iiick!
>
> But if I change the interfaces to carp0 and carp1, which are respectively the outside and inside carp interfaces for this machine, things don't work even this well:

As I said before don't run ospf over carp. It will not work. You can use it for the inside network but not for the one connected to the backbone.

> At this point in time I'm not even receiving the routes my neighbor router is sending.

--
:wq Claudio
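The "invalid checksum" / "authentication error" pairs in the carp0 log, the Ethereal confirmation that the peer really was sending bad checksums, and Claudio's side note that auth-type none is for testing only all turn on the same 24-byte OSPFv2 header. The following is an added example written for this thread, not code from the thread or from OpenBSD ospfd: it builds a Hello for the thread's router-id, area and /25 mask, verifies the RFC 2328 checksum (a standard IP checksum over the whole packet excluding the 64-bit Authentication field, used with AuType 0 "none" and 1 "simple password"), and then checks the packet's AuType and, for simple auth, the password against what the interface expects. Reporting a checksum failure followed by the generic authentication error is an assumption modelled on the paired log lines quoted above, not a claim about ospfd's internal check order; the hello body, the password "secret" (the placeholder from the thread's commented-out macro) and the function names are this example's own. Cryptographic authentication (AuType 2, MD5 per RFC 2328 D.4.3) is deliberately left unimplemented.

```python
"""OSPFv2 header parse, checksum and auth-type checks (added example, not ospfd code)."""
import socket
import struct

OSPF_VERSION = 2
OSPF_HELLO = 1
AUTH_NONE, AUTH_SIMPLE, AUTH_CRYPT = 0, 1, 2

# version, type, length, router-id, area-id, checksum, autype, authentication (RFC 2328 A.3.1)
HDR = struct.Struct("!BBH4s4sHH8s")
# netmask, hello interval, options, priority, dead interval, DR, BDR (RFC 2328 A.3.2)
HELLO = struct.Struct("!4sHBBI4s4s")


def ip_checksum(data):
    """RFC 1071 one's-complement checksum; evaluates to 0 over a valid packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_hello(router_id, area_id, netmask, hello=10, dead=40, priority=1,
                dr="0.0.0.0", bdr="0.0.0.0", autype=AUTH_NONE, key=b""):
    """Construct a Hello with a correct checksum for AuType none or simple."""
    if autype not in (AUTH_NONE, AUTH_SIMPLE):
        raise NotImplementedError("only AuType 0 and 1 are built here")
    a = socket.inet_aton
    body = HELLO.pack(a(netmask), hello, 0x02, priority, dead, a(dr), a(bdr))  # options: E bit
    length = HDR.size + len(body)
    auth = key[:8].ljust(8, b"\x00")          # simple password field; all zero for none
    hdr = HDR.pack(OSPF_VERSION, OSPF_HELLO, length, a(router_id), a(area_id), 0, autype, auth)
    csum = ip_checksum(hdr[:16] + body)       # bytes 16..23 (Authentication) are excluded
    return HDR.pack(OSPF_VERSION, OSPF_HELLO, length, a(router_id), a(area_id),
                    csum, autype, auth) + body


def parse_header(packet):
    """Decode the fixed header into a dict; addresses as dotted quads."""
    ver, ptype, length, rid, aid, csum, autype, auth = HDR.unpack_from(packet)
    return {"version": ver, "type": ptype, "length": length,
            "router_id": socket.inet_ntoa(rid), "area_id": socket.inet_ntoa(aid),
            "checksum": csum, "autype": autype, "auth": auth}


def validate(packet, iface_autype, iface_key=b""):
    """Return ospfd-style log messages for a rejected packet; [] means accepted."""
    if len(packet) < HDR.size:
        return ["packet too short"]
    h = parse_header(packet)
    if h["version"] != OSPF_VERSION:
        return ["bad version"]
    if h["length"] < HDR.size or h["length"] > len(packet):
        return ["bad length"]
    packet = packet[:h["length"]]             # ignore any trailing padding
    if h["autype"] != iface_autype:
        return ["authentication error"]       # AuType does not match the interface
    if h["autype"] == AUTH_CRYPT:
        raise NotImplementedError("MD5 authentication (RFC 2328 D.4.3) is not verified here")
    # Checksum covers everything except the 64-bit Authentication field.
    if ip_checksum(packet[:16] + packet[24:]) != 0:
        return ["invalid checksum", "authentication error"]
    if h["autype"] == AUTH_SIMPLE and h["auth"] != iface_key[:8].ljust(8, b"\x00"):
        return ["authentication error"]
    return []


if __name__ == "__main__":
    pkt = build_hello("170.85.113.111", "0.0.0.120", "255.255.255.128")
    print(parse_header(pkt), validate(pkt, AUTH_NONE))
    damaged = bytearray(pkt)
    damaged[-1] ^= 0x01                       # corrupt one byte of the hello body
    print(validate(bytes(damaged), AUTH_NONE))
```

Two things fall out of running this. A packet whose checksum fails is rejected before any authentication decision, which is what the paired log lines on carp0 show. And with AuType none or simple, the checksum is all the integrity a packet has: the simple password sits outside the checksum, travels in clear text, and any host on the segment can read it and inject hellos or LSAs with it, which is why Claudio's "auth-type crypt for production" matters even when the peer is trusted.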
Re: ospfd.conf question
On Mon, Oct 17, 2005 at 05:41:20PM +0200, Claudio Jeker wrote:
> On Mon, Oct 17, 2005 at 10:57:41AM -0400, stan wrote:
>> On Mon, Oct 17, 2005 at 04:12:48PM +0159, Claudio Jeker wrote:
>>> On Mon, Oct 17, 2005 at 09:39:01AM -0400, stan wrote:
>>
>> Hmm, that seems to have gotten me close.
>>
>> Here's the new ospfd.conf file:
>>
>> # $OpenBSD: ospfd.conf,v 1.2 2005/02/06 20:07:09 norby Exp $
>>
>> # global configuration
>> router-id 170.85.113.111
>>
>> # areas
>> area 0.0.0.120 {
>>         interface fxp0 {
>>                 auth-type none
>>         }
>>         interface fxp2 {
>>                 auth-type none
>>                 passive
>>         }
>> }
>
> config stripped a bit
>
> That is not the config you pasted before. You are running OSPF over carp here. This is nuts and will not work. You can not run any kind of routing protocol over carp without major issues! If you have two routers in front of a common network use carp towards that network and OSPF to connect the two routers to the backbone. If one router fails ospf will take care and adjust the routing table.
>
> Currently I think you need to use redistribute static for that setup or wait a couple of days till I have fixed something.

Ah, in retrospect this makes sense. So the external interfaces on these 2 machines don't need carp at all. But I will still need it on the inside, as the machines on the internal network just have static routes in them.

So, I guess the gateway machines should each advertise their real interfaces in the ospfd.conf file? Or should that be their carp interface?

> I bet 170.85.113.99 is the carp IP.

It is.

>> ...
>>
>> I've confirmed with Ethereal that the invalid checksum errors are indeed invalid checksums being sent by the router that I'm exchanging routes with. Iiick!

Agreed!

>> But if I change the interfaces to carp0 and carp1, which are respectively the outside and inside carp interfaces for this machine, things don't work even this well:
>
> As I said before don't run ospf over carp. It will not work. You can use it for the inside network but not for the one connected to the backbone.

So, my ospfd.conf file should look like this?

# areas
area 0.0.0.120 {
        interface fxp0 {
                auth-type none
        }
        interface carp1 {
                auth-type none
                passive
        }
}

Or would this be better?

# areas
area 0.0.0.120 {
        interface fxp0 {
                auth-type none
        }
        interface fxp2 {
                auth-type none
                passive
        }
}

The external interface is fxp0, and the internal one is fxp2. The internal carp is carp1, and the outside one (carp0) will go away.

Thanks very much for taking the time to educate me on this.

--
U.S. Encouraged by Vietnam Vote - Officials Cite 83% Turnout Despite Vietcong Terror - New York Times 9/3/1967
Re: ospfd.conf question
On Mon, Oct 17, 2005 at 11:25:30AM -0400, stan wrote:
> On Mon, Oct 17, 2005 at 05:16:20PM +0200, Claudio Jeker wrote:
>> On Mon, Oct 17, 2005 at 10:35:07AM -0400, stan wrote:
>>> On Mon, Oct 17, 2005 at 04:12:48PM +0159, Claudio Jeker wrote:
>>>> On Mon, Oct 17, 2005 at 09:39:01AM -0400, stan wrote:
>>>>> I'm trying to do something that should be simple with ospfd from a snapshot from last week. I have a pair of carp'd firewall/gateway boxes (3.7 machines) and they connect a single subnet to the corporate network. Corporate wants to move from RIP to OSPF.
>>>>>
>>>>> I've set up the following ospfd.conf file:
>>>>>
>>>>> # $OpenBSD: ospfd.conf,v 1.2 2005/02/06 20:07:09 norby Exp $
>>>>>
>>>>> # macros
>>>>> # password=secret
>>>>>
>>>>> # global configuration
>>>>> router-id 170.85.113.111
>>>>> # fib-update no
>>>>> # spf-delay 1
>>>>> # spf-holdtime 5
>>>>> # auth-key $password
>>>>> # auth-type none
>>>>> # hello-interval 10
>>>>> # metric 10
>>>>> # retransmit-interval 5
>>>>> # router-dead-time 40
>>>>> # router-priority 1
>>>>> # transmit-delay 1
>>>>>
>>>>> # areas
>>>>> area 0.0.0.120 {
>>>>>         interface fxp0 {
>>>>>                 auth-type none
>>>>>         }
>>>>> }
>>>>>
>>>>> fxp0 is the external interface. The CARP interface is fxp1, and the internal interface is fxp2. Presently I have pf off.
>>>>>
>>>>> When I start ospfd I get the routes advertised by corporate, but they don't see my route. What am I doing wrong?
>>>>
>>>> You're not advertising any routes with this setup. redistribute static is probably what you are looking for. Another option would be to use passive interfaces like
>>>>
>>>> area 0.0.0.120 {
>>>>         interface fxp0 {
>>>>                 auth-type none
>>>>         }
>>>>         interface fxp2 {
>>>>                 passive
>>>>         }
>>>>         interface carp0 {
>>>>                 passive
>>>>         }
>>>> }
>>>
>>> Could you explain what passive means in this context, please?
>>
>> It's in the man page:
>>
>>      passive     Prevent transmission and reception of OSPF packets on this
>>                  interface. The interface is still considered part of OSPF
>>                  and therefore a stub network LSA is redistributed but no
>>                  OSPF traffic is done on that interface.
>>
>> This is nice to add some directly connected interfaces or loopbacks instead of using redistribute connected.
>
> Thanks.
>
> So, in my case, by not listing the pfsync interface (which is fxp1) in the ospfd.conf file at all, neither will it be advertised, nor will traffic be sent over it, right?

Yes.

--
:wq Claudio
Re: ospfd.conf question
On Mon, Oct 17, 2005 at 12:00:38PM -0400, stan wrote:
> On Mon, Oct 17, 2005 at 05:41:20PM +0200, Claudio Jeker wrote:
>> On Mon, Oct 17, 2005 at 10:57:41AM -0400, stan wrote:
>>> On Mon, Oct 17, 2005 at 04:12:48PM +0159, Claudio Jeker wrote:
>>>> On Mon, Oct 17, 2005 at 09:39:01AM -0400, stan wrote:
>>>
>>> Hmm, that seems to have gotten me close.
>>>
>>> Here's the new ospfd.conf file:
>>>
>>> # $OpenBSD: ospfd.conf,v 1.2 2005/02/06 20:07:09 norby Exp $
>>>
>>> # global configuration
>>> router-id 170.85.113.111
>>>
>>> # areas
>>> area 0.0.0.120 {
>>>         interface fxp0 {
>>>                 auth-type none
>>>         }
>>>         interface fxp2 {
>>>                 auth-type none
>>>                 passive
>>>         }
>>> }
>>
>> config stripped a bit
>>
>> That is not the config you pasted before. You are running OSPF over carp here. This is nuts and will not work. You can not run any kind of routing protocol over carp without major issues! If you have two routers in front of a common network use carp towards that network and OSPF to connect the two routers to the backbone. If one router fails ospf will take care and adjust the routing table.
>>
>> Currently I think you need to use redistribute static for that setup or wait a couple of days till I have fixed something.
>
> Ah, in retrospect this makes sense. So the external interfaces on these 2 machines don't need carp at all. But I will still need it on the inside, as the machines on the internal network just have static routes in them.
>
> So, I guess the gateway machines should each advertise their real interfaces in the ospfd.conf file? Or should that be their carp interface?

Currently it does not matter because the result is the same. In the near future the state of the interface should be considered before announcing it -- this is done for redistribute connected but not for stub networks.

If both routers announce the same network with the same metric it is not fully defined how traffic will flow. In the case of Ciscos it will do per-flow round robin over the two routers and this may cause some issues. So to fix this issue you should add an additional metric 50 or so to the internal interface on the backup router. Like:

area 0.0.0.120 {
        interface fxp0 {
                auth-type none
        }
        interface carp1 {
                passive
                metric 50
        }
}

In that case the backup is less preferred and so routing will be directed directly to the master. This helps especially pfsync.

>> As I said before don't run ospf over carp. It will not work. You can use it for the inside network but not for the one connected to the backbone.
>
> So, my ospfd.conf file should look like this?
>
> # areas
> area 0.0.0.120 {
>         interface fxp0 {
>                 auth-type none
>         }
>         interface carp1 {
>                 auth-type none
>                 passive
>         }
> }
>
> Or would this be better?
>
> # areas
> area 0.0.0.120 {
>         interface fxp0 {
>                 auth-type none
>         }
>         interface fxp2 {
>                 auth-type none
>                 passive
>         }
> }
>
> The external interface is fxp0, and the internal one is fxp2. The internal carp is carp1, and the outside one (carp0) will go away.

I would use the carp1 interface. As soon as we make stub network announcements dependent on the link state, failover will be smoother and will also track some cases that are currently unhandled.

> Thanks very much for taking the time to educate me on this.

--
:wq Claudio
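Claudio's reasoning about the metric can be checked by running the SPF calculation the backbone router performs. The following is an added example written for this thread, not ospfd code: it runs Dijkstra over a constructed link-state database while keeping every equal-cost predecessor, which is exactly where equal-cost multipath comes from. The backbone router R and the two firewalls sit on the thread's transit network 170.85.113.0/25; each firewall announces the same inside stub network, and cost into a transit network is the interface metric while cost out of it is zero, as in OSPF. The names R, fw1 and fw2, the placeholder inside prefix 192.0.2.0/24 standing in for the carp1 network, and the link cost of 10 (ospfd's default metric, the commented "metric 10" in the thread's config) are this example's assumptions. With both firewalls at metric 10 the backbone sees two equal next hops; with the backup at metric 50 only the master remains.

```python
"""SPF over a constructed LSDB: equal-metric stub nets vs metric 50 on the backup.
Added example, not ospfd code."""
import heapq

TRANSIT = "net:170.85.113.0/25"   # transit network pseudo-node (cost in = metric, cost out = 0)
INSIDE = "stub:192.0.2.0/24"      # placeholder for the inside (carp1) stub network


def build_lsdb(backup_metric, master_metric=10):
    """Adjacency map as the router and network LSAs would yield it (constructed)."""
    return {
        "R":   {TRANSIT: 10},
        "fw1": {TRANSIT: 10, INSIDE: master_metric},
        "fw2": {TRANSIT: 10, INSIDE: backup_metric},
        TRANSIT: {"R": 0, "fw1": 0, "fw2": 0},
    }


def spf(graph, root):
    """Dijkstra from root; preds[n] holds *all* equal-cost predecessors of n."""
    dist = {root: 0}
    preds = {root: set()}
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:               # stale heap entry
            continue
        for v, cost in graph.get(u, {}).items():
            nd = d + cost
            if v not in dist or nd < dist[v]:
                dist[v] = nd
                preds[v] = {u}
                heapq.heappush(heap, (nd, v))
            elif nd == dist[v]:       # tie: keep both, this is ECMP
                preds[v].add(u)
    return dist, preds


def all_paths(preds, root, dst):
    """Enumerate every equal-cost path root -> dst from the predecessor sets."""
    if dst == root:
        return [[root]]
    return [p + [dst]
            for pred in sorted(preds.get(dst, ()))
            for p in all_paths(preds, root, pred)]


def next_hops(preds, root, dst):
    """First router after root on each equal-cost path; transit nets are skipped."""
    hops = set()
    for path in all_paths(preds, root, dst):
        for node in path[1:]:
            if not node.startswith("net:"):
                hops.add(node)
                break
    return sorted(hops)


def route_from_backbone(backup_metric):
    """(cost, next hops) the backbone router R installs for the inside network."""
    dist, preds = spf(build_lsdb(backup_metric), "R")
    return dist[INSIDE], next_hops(preds, "R", INSIDE)


if __name__ == "__main__":
    print("equal metrics:   ", route_from_backbone(10))   # two next hops: per-flow balancing
    print("backup metric 50:", route_from_backbone(50))   # master only
```

The per-flow split in the equal-metric case is what breaks stateful filtering: half the flows enter through the backup, whose pf state table only learns of them via pfsync, and return traffic may leave through the other box. Any metric strictly greater than the master's removes the tie; 50 simply leaves room for other costs on the path.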
Re: ospfd.conf question
On Mon, Oct 17, 2005 at 06:38:26PM +0200, Claudio Jeker wrote:
> On Mon, Oct 17, 2005 at 12:00:38PM -0400, stan wrote:
>> On Mon, Oct 17, 2005 at 05:41:20PM +0200, Claudio Jeker wrote:
>>> On Mon, Oct 17, 2005 at 10:57:41AM -0400, stan wrote:
>>>> On Mon, Oct 17, 2005 at 04:12:48PM +0159, Claudio Jeker wrote:
>>>>> On Mon, Oct 17, 2005 at 09:39:01AM -0400, stan wrote:
>>>>
>>>> Hmm, that seems to have gotten me close.
>>>>
>>>> Here's the new ospfd.conf file:
>>>>
>>>> # $OpenBSD: ospfd.conf,v 1.2 2005/02/06 20:07:09 norby Exp $
>>>>
>>>> # global configuration
>>>> router-id 170.85.113.111
>>>>
>>>> # areas
>>>> area 0.0.0.120 {
>>>>         interface fxp0 {
>>>>                 auth-type none
>>>>         }
>>>>         interface fxp2 {
>>>>                 auth-type none
>>>>                 passive
>>>>         }
>>>> }
>>>
>>> config stripped a bit
>>>
>>> That is not the config you pasted before. You are running OSPF over carp here. This is nuts and will not work. You can not run any kind of routing protocol over carp without major issues! If you have two routers in front of a common network use carp towards that network and OSPF to connect the two routers to the backbone. If one router fails ospf will take care and adjust the routing table.
>>>
>>> Currently I think you need to use redistribute static for that setup or wait a couple of days till I have fixed something.
>>
>> Ah, in retrospect this makes sense. So the external interfaces on these 2 machines don't need carp at all. But I will still need it on the inside, as the machines on the internal network just have static routes in them.
>>
>> So, I guess the gateway machines should each advertise their real interfaces in the ospfd.conf file? Or should that be their carp interface?
>
> Currently it does not matter because the result is the same. In the near future the state of the interface should be considered before announcing it -- this is done for redistribute connected but not for stub networks.
>
> If both routers announce the same network with the same metric it is not fully defined how traffic will flow. In the case of Ciscos it will do per-flow round robin over the two routers and this may cause some issues. So to fix this issue you should add an additional metric 50 or so to the internal interface on the backup router. Like:
>
> area 0.0.0.120 {
>         interface fxp0 {
>                 auth-type none
>         }
>         interface carp1 {
>                 passive
>                 metric 50
>         }
> }
>
> In that case the backup is less preferred and so routing will be directed directly to the master. This helps especially pfsync.

Yes, I was trying to think that part through. This makes sense. Thanks.

>>> As I said before don't run ospf over carp. It will not work. You can use it for the inside network but not for the one connected to the backbone.
>>
>> So, my ospfd.conf file should look like this?
>>
>> # areas
>> area 0.0.0.120 {
>>         interface fxp0 {
>>                 auth-type none
>>         }
>>         interface carp1 {
>>                 auth-type none
>>                 passive
>>         }
>> }
>>
>> Or would this be better?
>>
>> # areas
>> area 0.0.0.120 {
>>         interface fxp0 {
>>                 auth-type none
>>         }
>>         interface fxp2 {
>>                 auth-type none
>>                 passive
>>         }
>> }
>>
>> The external interface is fxp0, and the internal one is fxp2. The internal carp is carp1, and the outside one (carp0) will go away.
>
> I would use the carp1 interface. As soon as we make stub network announcements dependent on the link state, failover will be smoother and will also track some cases that are currently unhandled.

One more question if I might, please. Now I get this startup message:

phfw1# ospfd -d
startup
rde: new announced net 0.0.0.0/0
rde: new announced net 170.85.106.128/25
rde: new announced net 170.85.106.143/32
rde: new announced net 170.85.113.0/25
rde: new announced net 170.85.113.99/32
rde: new announced net 192.168.254.0/24
orig_rtr_lsa: area 0.0.0.120
orig_rtr_lsa: stub net, interface carp1
orig_rtr_lsa: stub net, interface fxp0

Just to confirm: I should not be announcing the 192.x network even though I see this message, right?

--
U.S. Encouraged by Vietnam Vote - Officials Cite 83% Turnout Despite Vietcong Terror - New York Times 9/3/1967
Re: ospfd.conf question
On Mon, Oct 17, 2005 at 12:56:33PM -0400, stan wrote:
> On Mon, Oct 17, 2005 at 06:38:26PM +0200, Claudio Jeker wrote:
>> On Mon, Oct 17, 2005 at 12:00:38PM -0400, stan wrote:
>>> On Mon, Oct 17, 2005 at 05:41:20PM +0200, Claudio Jeker wrote:

...

> One more question if I might, please. Now I get this startup message:
>
> phfw1# ospfd -d
> startup
> rde: new announced net 0.0.0.0/0
> rde: new announced net 170.85.106.128/25
> rde: new announced net 170.85.106.143/32
> rde: new announced net 170.85.113.0/25
> rde: new announced net 170.85.113.99/32
> rde: new announced net 192.168.254.0/24
> orig_rtr_lsa: area 0.0.0.120
> orig_rtr_lsa: stub net, interface carp1
> orig_rtr_lsa: stub net, interface fxp0
>
> Just to confirm: I should not be announcing the 192.x network even though I see this message, right?

The message is a bit misleading. It actually means that the following networks have been added to the list of candidates for redistribute (connected|static|default). You can verify with "ospfctl show database self-originated" and "ospfctl show database router" to show which networks you announce.

--
:wq Claudio