On 27 May 2016, at 18:14, Angel <[email protected]> wrote:

> We have two full-routing BGP carriers, some BGP members and some OSPF members.
> 
> To isolate OSPF members we want to use kernel fibs. But we do not understand 
> how it works. 
> What we need is a different table for each OSPF member, so for example 
> ospf1member will use carrier1 routes, and ospf2member will use carrier2 
> routes. 

Are you trying to get the OSPF members to talk to each other, or are you trying 
to get the OSPF members not to talk to each other?

Within any one given OSPF process, all OSPF speakers should receive the same 
set of link states (what OSPF advertises) [1]. Filtering link states will not 
work as the protocol assumes the link state database is the same everywhere. 
Moreover link states are not routes. You can in theory filter link states 
between the OSPF RIB and the kernel FIB without breaking the OSPF process, but 
it is likely to break forwarding unless you are careful.

So, within one OSPF process in general you will have no filtering (none of link 
states, and probably none of routes). You can filter how you wish between OSPF 
processes (each being a protocol within bird). You should ensure (ospf 
authentication is a good way to do this) the processes don't talk to each other 
and accidentally join.

I *think* what you are trying to do is run one IGP (OSPF) with one upstream BGP 
speaker, and a completely separate IGP (a different OSPF process) with another 
BGP speaker, and have these talk to two kernel FIBs, rather like 2 separate 
VRFs on Cisco. Not only do you need to inject OSPF routes from each process 
into a different kernel FIB, but you are also running 2 OSPF processes on 
the same interface and need to have both interfaces deal with it, but also (and 
here's the killer) you need some way to get inbound traffic to route using the 
correct kernel FIB. That's going to be really hard (funkiness with ToS bits 
aside).

Instead, you want to make subinterfaces / VLAN interfaces / whatever for each 
process, and attach those to each kernel routing table. Then run only one OSPF 
process on each interface. Authentication is still a good idea. Whenever I've 
done this I've run bird in a separate network container (unshare -n), but with 
separate interfaces and separate FIBs this should theoretically work.

[1] - An oversimplification in stub areas and NSSA but ignore that complication 
for now as they are nothing to do with what you are asking.

-- 
Alex Bligh
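A BIRD 1.x configuration in the shape Alex describes (two kernel tables, one OSPF process per VLAN interface, authentication on each), added here as an illustration and not taken from the thread; every interface name, table number, AS number, address and password is an assumed placeholder. The ip rule lines in the trailing comment are the host-side step that attaches each VLAN to its kernel table.

```bird
# Added example, not from the thread: BIRD 1.x style config with two kernel
# FIBs and one OSPF process per VLAN interface. Names, table numbers,
# AS numbers, addresses and passwords are assumed placeholders.
router id 192.0.2.1;
protocol device { scan time 10; }

table t_carrier1;
table t_carrier2;

# Each BIRD table is synced to its own kernel table (101 / 102).
protocol kernel k_carrier1 { table t_carrier1; kernel table 101; import none; export all; }
protocol kernel k_carrier2 { table t_carrier2; kernel table 102; import none; export all; }

# One upstream BGP speaker per table.
protocol bgp bgp_carrier1 {
    table t_carrier1; local as 64496; neighbor 203.0.113.1 as 64500;
    import all; export none;
}
protocol bgp bgp_carrier2 {
    table t_carrier2; local as 64496; neighbor 198.51.100.1 as 64501;
    import all; export none;
}

# One OSPF process per VLAN; cryptographic authentication so the two
# processes cannot accidentally form an adjacency with each other.
protocol ospf ospf1 {
    table t_carrier1;
    import all;
    export where proto = "bgp_carrier1";   # in practice filter this down, e.g. to a default
    area 0 { interface "vlan101" { authentication cryptographic; password "replace-me-1"; }; };
}
protocol ospf ospf2 {
    table t_carrier2;
    import all;
    export where proto = "bgp_carrier2";
    area 0 { interface "vlan102" { authentication cryptographic; password "replace-me-2"; }; };
}

# Host side (assumption, not bird.conf): steer inbound traffic from each
# VLAN into the matching kernel table:
#   ip rule add iif vlan101 lookup 101
#   ip rule add iif vlan102 lookup 102
```

BIRD 2.x uses per-channel `ipv4 { ... }` blocks instead of the `table` / `import` / `export` statements shown here, so the same layout needs syntax changes there.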
