ospfd.conf question

2005-10-17 Thread stan
I'm trying to do something that should be simple with ospfd from a snapshot
from last week.

I have a pair of carp'd firewall/gateway boxes (3.7 machines) and they
connect a single subnet to the corporate network. Corporate wants to move
from rip to ospf. I've set up the following ospfd.conf file:


# $OpenBSD: ospfd.conf,v 1.2 2005/02/06 20:07:09 norby Exp $

# macros
# password=secret

# global configuration
router-id 170.85.113.111
# fib-update no
# spf-delay 1
# spf-holdtime 5

# auth-key $password
# auth-type none
# hello-interval 10
# metric 10
# retransmit-interval 5
# router-dead-time 40
# router-priority 1
# transmit-delay 1

# areas
area 0.0.0.120 {
interface fxp0 {
auth-type none
}
}


fxp0 is the external interface. The CARP interface is fxp1, and the
internal interface is fxp2. Presently I have pf off.

When I start ospfd I get the routes advertised by corporate, but they don't
see my route.

What am I doing wrong?

-- 
U.S. Encouraged by Vietnam Vote - Officials Cite 83% Turnout Despite Vietcong 
Terror 
- New York Times 9/3/1967



Re: ospfd.conf question

2005-10-17 Thread Claudio Jeker
On Mon, Oct 17, 2005 at 09:39:01AM -0400, stan wrote:
 I'm trying to do something that should be simple with ospfd from a snapshot
 from last week.
 
 I have a pair of carp'd firewall/gateway boxes (3.7 machines) and they
 connect a single subnet to the corporate network. Corporate wants to move
 from rip to ospf. I've set up the following ospfd.conf file:
 
 
 # $OpenBSD: ospfd.conf,v 1.2 2005/02/06 20:07:09 norby Exp $
 
 # macros
 # password=secret
 
 # global configuration
 router-id 170.85.113.111
 # fib-update no
 # spf-delay 1
 # spf-holdtime 5
 
 # auth-key $password
 # auth-type none
 # hello-interval 10
 # metric 10
 # retransmit-interval 5
 # router-dead-time 40
 # router-priority 1
 # transmit-delay 1
 
 # areas
 area 0.0.0.120 {
   interface fxp0 {
   auth-type none
   }
 }
 
 
 fxp0 is the external interface. The CARP interface is fxp1, and the
 internal interface is fxp2. Presently I have pf off.
 
 When I start ospfd I get the routes advertised by corporate, but they don't
 see my route.
 
 What am I doing wrong?
 

You're not advertising any routes with this setup. redistribute static
is probably what you are looking for.
Another option would be to use passive interfaces like

area 0.0.0.120 {
interface fxp0 {
auth-type none
}
interface fxp2 {
passive
}
interface carp0 {
passive
}
}

Side note: auth-type none is OK for testing but auth-type crypt should be
considered for production.

-- 
:wq Claudio



Re: ospfd.conf question

2005-10-17 Thread stan
On Mon, Oct 17, 2005 at 04:12:48PM +0159, Claudio Jeker wrote:
 On Mon, Oct 17, 2005 at 09:39:01AM -0400, stan wrote:
  I'm trying to do something that should be simple with ospfd from a snapshot
  from last week.
  
  I have a pair of carp'd firewall/gateway boxes (3.7 machines) and they
  connect a single subnet to the corporate network. Corporate wants to move
  from rip to ospf. I've set up the following ospfd.conf file:
  
  
  # $OpenBSD: ospfd.conf,v 1.2 2005/02/06 20:07:09 norby Exp $
  
  # macros
  # password=secret
  
  # global configuration
  router-id 170.85.113.111
  # fib-update no
  # spf-delay 1
  # spf-holdtime 5
  
  # auth-key $password
  # auth-type none
  # hello-interval 10
  # metric 10
  # retransmit-interval 5
  # router-dead-time 40
  # router-priority 1
  # transmit-delay 1
  
  # areas
  area 0.0.0.120 {
  interface fxp0 {
  auth-type none
  }
  }
  
  
  fxp0 is the external interface. The CARP interface is fxp1, and the
  internal interface is fxp2. Presently I have pf off.
  
  When I start ospfd I get the routes advertised by corporate, but they don't
  see my route.
  
  What am I doing wrong?
  
 
 You're not advertising any routes with this setup. redistribute static
 is probably what you are looking for.
 Another option would be to use passive interfaces like
 
 area 0.0.0.120 {
   interface fxp0 {
   auth-type none
   }
   interface fxp2 {
   passive
   }
   interface carp0 {
   passive
   }
 }

Could you explain what passive means in this context, please?

 
 Side note: auth-type none is OK for testing but auth-type crypt should be
 considered for production.
 
While I agree completely, it's out of my control. This is what corporate is
using :-(

-- 
U.S. Encouraged by Vietnam Vote - Officials Cite 83% Turnout Despite Vietcong 
Terror 
- New York Times 9/3/1967



Re: ospfd.conf question

2005-10-17 Thread stan
On Mon, Oct 17, 2005 at 04:12:48PM +0159, Claudio Jeker wrote:
 On Mon, Oct 17, 2005 at 09:39:01AM -0400, stan wrote:
  I'm trying to do something that should be simple with ospfd from a snapshot
  from last week.
  
  I have a pair of carp'd firewall/gateway boxes (3.7 machines) and they
  connect a single subnet to the corporate network. Corporate wants to move
  from rip to ospf. I've set up the following ospfd.conf file:
  
  
  # $OpenBSD: ospfd.conf,v 1.2 2005/02/06 20:07:09 norby Exp $
  
  # macros
  # password=secret
  
  # global configuration
  router-id 170.85.113.111
  # fib-update no
  # spf-delay 1
  # spf-holdtime 5
  
  # auth-key $password
  # auth-type none
  # hello-interval 10
  # metric 10
  # retransmit-interval 5
  # router-dead-time 40
  # router-priority 1
  # transmit-delay 1
  
  # areas
  area 0.0.0.120 {
  interface fxp0 {
  auth-type none
  }
  }
  
  
  fxp0 is the external interface. The CARP interface is fxp1, and the
  internal interface is fxp2. Presently I have pf off.
  
  When I start ospfd I get the routes advertised by corporate, but they don't
  see my route.
  
  What am I doing wrong?
  
 
 You're not advertising any routes with this setup. redistribute static
 is probably what you are looking for.
 Another option would be to use passive interfaces like
 
 area 0.0.0.120 {
   interface fxp0 {
   auth-type none
   }
   interface fxp2 {
   passive
   }
   interface carp0 {
   passive
   }
 }
 

Hmm, that seems to have gotten me close. Here's the new ospfd.conf file:


# $OpenBSD: ospfd.conf,v 1.2 2005/02/06 20:07:09 norby Exp $

# macros
# password=secret

# global configuration
router-id 170.85.113.111
# fib-update no
# spf-delay 1
# spf-holdtime 5

# auth-key $password
# auth-type none
# hello-interval 10
# metric 10
# retransmit-interval 5
# router-dead-time 40
# router-priority 1
# transmit-delay 1

# areas
area 0.0.0.120 {
interface fxp0 {
auth-type none
}
interface fxp2 {
auth-type none
passive
}
}

And when I start up the ospfd executable now I get:


Script started on Mon Oct 17 10:38:04 2005
phfw1# ospfd -d
startup
rde: new announced net 0.0.0.0/0
rde: new announced net 170.85.106.128/25
rde: new announced net 170.85.106.143/32
rde: new announced net 170.85.113.0/25
rde: new announced net 170.85.113.99/32
rde: new announced net 192.168.254.0/24
orig_rtr_lsa: area 0.0.0.120
orig_rtr_lsa: stub net, interface carp1
orig_rtr_lsa: stub net, interface carp0
if_fsm: event UP resulted in action START and changing state for interface 
carp0 from DOWN to WAITING
start_spf_timer: IDLE - DELAY
recv_packet: invalid checksum, interface carp0
recv_packet: authentication error, interface carp0
spf_calc: calculation started, area ID 0.0.0.120
spf_calc: calculation ended, area ID 0.0.0.120
spf_start_holdtimer: DELAY - HOLD
spf_timer: state HOLD - IDLE
recv_packet: invalid checksum, interface carp0
recv_packet: authentication error, interface carp0
recv_packet: invalid checksum, interface carp0
recv_packet: authentication error, interface carp0
recv_packet: invalid checksum, interface carp0
recv_packet: authentication error, interface carp0
if_act_elect: interface carp0 old dr none new dr 170.85.113.99, old bdr none 
new bdr none
orig_rtr_lsa: area 0.0.0.120
orig_rtr_lsa: stub net, interface carp1
orig_rtr_lsa: stub net, interface carp0
orig_rtr_lsa: area 0.0.0.120
orig_rtr_lsa: stub net, interface carp1
orig_rtr_lsa: stub net, interface carp0
if_fsm: event WAITTIMER resulted in action ELECT and changing state for 
interface carp0 from WAITING to DR
recv_packet: invalid checksum, interface carp0
recv_packet: authentication error, interface carp0
recv_packet: invalid checksum, interface carp0
recv_packet: authentication error, interface carp0
recv_packet: invalid checksum, interface carp0
recv_packet: authentication error, interface carp0
nbr_fsm: event HELLO_RECEIVED resulted in action START_INACTIVITY_TIMER and 
changing state for neighbor ID 170.85.115.1 from DOWN to INIT
nbr_fsm: event 2_WAY_RECEIVED resulted in action EVAL and changing state for 
neighbor ID 170.85.115.1 from INIT to EXSTART
if_act_elect: interface carp0 old dr 170.85.113.99 new dr 170.85.113.98, old 
bdr none new bdr 170.85.113.99
orig_rtr_lsa: area 0.0.0.120
orig_rtr_lsa: stub net, interface carp1
orig_rtr_lsa: stub net, interface carp0
orig_rtr_lsa: area 0.0.0.120
orig_rtr_lsa: stub net, interface carp1
orig_rtr_lsa: stub net, interface carp0
if_fsm: event NEIGHBORCHANGE resulted in action ELECT and changing state for 
interface carp0 from DR to BACKUP
nbr_fsm: event NEGOTIATION_DONE resulted in action SNAPSHOT and changing state 
for neighbor ID 170.85.115.1 from EXSTART to SNAPSHOT
nbr_fsm: event SNAPSHOT_DONE resulted in action SNAPSHOT_DONE and changing 
state for neighbor ID 170.85.115.1 from SNAPSHOT to EXCHANGE
recv_db_description: dupe

Re: ospfd.conf question

2005-10-17 Thread Claudio Jeker
On Mon, Oct 17, 2005 at 10:35:07AM -0400, stan wrote:
 On Mon, Oct 17, 2005 at 04:12:48PM +0159, Claudio Jeker wrote:
  On Mon, Oct 17, 2005 at 09:39:01AM -0400, stan wrote:
   I'm trying to do something that should be simple with ospfd from a 
   snapshot
   from last week.
   
   I have a pair of carp'd firewall/gateway boxes (3.7 machines) and they
   connect a single subnet to the corporate network. Corporate wants to move
   from rip to ospf. I've set up the following ospfd.conf file:
   
   
   # $OpenBSD: ospfd.conf,v 1.2 2005/02/06 20:07:09 norby Exp $
   
   # macros
   # password=secret
   
   # global configuration
   router-id 170.85.113.111
   # fib-update no
   # spf-delay 1
   # spf-holdtime 5
   
   # auth-key $password
   # auth-type none
   # hello-interval 10
   # metric 10
   # retransmit-interval 5
   # router-dead-time 40
   # router-priority 1
   # transmit-delay 1
   
   # areas
   area 0.0.0.120 {
 interface fxp0 {
 auth-type none
 }
   }
   
   
   fxp0 is the external interface. The CARP interface is fxp1, and the
   internal interface is fxp2. Presently I have pf off.
   
   When I start ospfd I get the routes advertised by corporate, but they 
   don't
   see my route.
   
   What am I doing wrong?
   
  
  You're not advertising any routes with this setup. redistribute static
  is probably what you are looking for.
  Another option would be to use passive interfaces like
  
  area 0.0.0.120 {
  interface fxp0 {
  auth-type none
  }
  interface fxp2 {
  passive
  }
  interface carp0 {
  passive
  }
  }
 
 Could you explain what passive means in this context, please?
 

It's in the man page:
 passive
 Prevent transmission and reception of OSPF packets on this inter-
 face.

The interface is still considered part of OSPF and therefore a stub network
LSA is redistributed but no OSPF traffic is done on that interface. This
is nice to add some directly connected interfaces or loopbacks instead of
using redistribute connected.

-- 
:wq Claudio



Re: ospfd.conf question

2005-10-17 Thread stan
On Mon, Oct 17, 2005 at 05:16:20PM +0200, Claudio Jeker wrote:
 On Mon, Oct 17, 2005 at 10:35:07AM -0400, stan wrote:
  On Mon, Oct 17, 2005 at 04:12:48PM +0159, Claudio Jeker wrote:
   On Mon, Oct 17, 2005 at 09:39:01AM -0400, stan wrote:
I'm trying to do something that should be simple with ospfd from a 
snapshot
from last week.

I have a pair of carp'd firewall/gateway boxes (3.7 machines) and they
connect a single subnet to the corporate network. Corporate wants to move
from rip to ospf. I've set up the following ospfd.conf file:


# $OpenBSD: ospfd.conf,v 1.2 2005/02/06 20:07:09 norby Exp $

# macros
# password=secret

# global configuration
router-id 170.85.113.111
# fib-update no
# spf-delay 1
# spf-holdtime 5

# auth-key $password
# auth-type none
# hello-interval 10
# metric 10
# retransmit-interval 5
# router-dead-time 40
# router-priority 1
# transmit-delay 1

# areas
area 0.0.0.120 {
interface fxp0 {
auth-type none
}
}


fxp0 is the external interface. The CARP interface is fxp1, and the
internal interface is fxp2. Presently I have pf off.

When I start ospfd I get the routes advertised by corporate, but they 
don't
see my route.

What am I doing wrong?

   
   You're not advertising any routes with this setup. redistribute static
   is probably what you are looking for.
   Another option would be to use passive interfaces like
   
   area 0.0.0.120 {
 interface fxp0 {
 auth-type none
 }
 interface fxp2 {
 passive
 }
 interface carp0 {
 passive
 }
   }
  
  Could you explain what passive means in this context, please?
  
 
 It's in the man page:
  passive
  Prevent transmission and reception of OSPF packets on this inter-
  face.
 
 The interface is still considered part of OSPF and therefore a stub network
 LSA is redistributed but no OSPF traffic is done on that interface. This
 is nice to add some directly connected interfaces or loopbacks instead of
 using redistribute connected.

Thanks.

So, in my case, by not listing the pfsync interface (which is fxp1) in the
ospfd.conf file at all, it will neither be advertised nor have traffic
sent over it, right?

-- 
U.S. Encouraged by Vietnam Vote - Officials Cite 83% Turnout Despite Vietcong 
Terror 
- New York Times 9/3/1967



Re: ospfd.conf question

2005-10-17 Thread Claudio Jeker
On Mon, Oct 17, 2005 at 10:57:41AM -0400, stan wrote:
 On Mon, Oct 17, 2005 at 04:12:48PM +0159, Claudio Jeker wrote:
  On Mon, Oct 17, 2005 at 09:39:01AM -0400, stan wrote:

 
 Hmm, that seems to have gotten me close. Here's the new ospfd.conf file:
 
 
 # $OpenBSD: ospfd.conf,v 1.2 2005/02/06 20:07:09 norby Exp $
 
 # global configuration
 router-id 170.85.113.111
 
 # areas
 area 0.0.0.120 {
   interface fxp0 {
   auth-type none
   }
   interface fxp2 {
   auth-type none
   passive
   }
 }
 

config stripped a bit

 And when I start up the ospfd executable now I get:
 
 
 Script started on Mon Oct 17 10:38:04 2005
 phfw1# ospfd -d
 startup
 rde: new announced net 0.0.0.0/0
 rde: new announced net 170.85.106.128/25
 rde: new announced net 170.85.106.143/32
 rde: new announced net 170.85.113.0/25
 rde: new announced net 170.85.113.99/32
 rde: new announced net 192.168.254.0/24
 orig_rtr_lsa: area 0.0.0.120
 orig_rtr_lsa: stub net, interface carp1
 orig_rtr_lsa: stub net, interface carp0
 if_fsm: event UP resulted in action START and changing state for interface 
 carp0 from DOWN to WAITING
 start_spf_timer: IDLE - DELAY
 recv_packet: invalid checksum, interface carp0
 recv_packet: authentication error, interface carp0
 spf_calc: calculation started, area ID 0.0.0.120
 spf_calc: calculation ended, area ID 0.0.0.120
 spf_start_holdtimer: DELAY - HOLD
 spf_timer: state HOLD - IDLE
 recv_packet: invalid checksum, interface carp0
 recv_packet: authentication error, interface carp0
 recv_packet: invalid checksum, interface carp0
 recv_packet: authentication error, interface carp0
 recv_packet: invalid checksum, interface carp0
 recv_packet: authentication error, interface carp0
...

That is not the config you pasted before. You are running OSPF
over carp here. This is nuts and will not work. You cannot run any kind
of routing protocol over carp without major issues! If you have two
routers in front of a common network, use carp towards that network and
OSPF to connect the two routers to the backbone.
If one router fails, ospf will take care of it and adjust the routing table.
Currently I think you need to use redistribute static for that setup or
wait a couple of days until I have fixed something.

 phfw1# op  ospfd -d
 startup
 orig_rtr_lsa: area 0.0.0.120
 rde: new announced net 0.0.0.0/0
 rde: new announced net 170.85.106.128/25
 rde: new announced net 170.85.106.143/32
 rde: new announced net 170.85.113.0/25
 rde: new announced net 170.85.113.99/32
 rde: new announced net 192.168.254.0/24
 orig_rtr_lsa: stub net, interface fxp2
 orig_rtr_lsa: stub net, interface fxp0
 if_fsm: event UP resulted in action START and changing state for interface 
 fxp0 from DOWN to WAITING
 start_spf_timer: IDLE - DELAY
 nbr_fsm: event HELLO_RECEIVED resulted in action START_INACTIVITY_TIMER and 
 changing state for neighbor ID 170.85.115.1 from DOWN to INIT
 nbr_fsm: event 2_WAY_RECEIVED resulted in action EVAL and changing state for 
 neighbor ID 170.85.115.1 from INIT to 2-WAY
 if_fsm: event NEIGHBORCHANGE resulted in action NOTHING and changing state 
 for interface fxp0 from WAITING to WAITING
 recv_packet: packet sent to wrong address 170.85.113.99, interface fxp0
 spf_calc: calculation started, area ID 0.0.0.120
 spf_calc: calculation ended, area ID 0.0.0.120
 spf_start_holdtimer: DELAY - HOLD
 recv_packet: packet sent to wrong address 170.85.113.99, interface fxp0
 spf_timer: state HOLD - IDLE
 recv_db_description: packet ignored in state 2-WAY, neighbor ID 170.85.115.1
 recv_packet: packet sent to wrong address 170.85.113.99, interface fxp0

I bet 170.85.113.99 is the carp IP.

...

 I've confirmed with ethereal that the invalid checksum errors are indeed
 invalid checksums being sent by the router that I'm exchanging routes with.
 

Iiick!

 But if I change the interfaces to carp0 and carp1, which are respectively
 the outside and inside carp interfaces for this machine, things don't
 work even this well:
 

As I said before, don't run ospf over carp. It will not work. You can use
it for the inside network but not for the one connected to the backbone.
 
 At this point in time I'm not even receiving the routes my neighbor router
 is sending.
 

-- 
:wq Claudio
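Claudio's reading of the transcript above (an interface state machine running on carp0, packets addressed to the carp IP on fxp0, the checksum and authentication errors from the neighbor) can be pulled out of an `ospfd -d` transcript mechanically. The script below is an added example and not ospfd's own code; SAMPLE_LOG is a constructed excerpt of stan's transcript with the mail wrapping undone, and the `rde: new announced net` lines are recorded only as redistribute candidates, which is what Claudio says they are.

```python
"""Summarise an 'ospfd -d' debug transcript like the ones posted above.

Added example, not ospfd's own code. It parses the message shapes seen in
this thread (recv_packet errors, if_fsm and nbr_fsm transitions, if_act_elect
DR elections, orig_rtr_lsa stub nets, rde announcement candidates) and turns
them into per-interface error counts, state trails and a list of findings.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: a trimmed excerpt of stan's transcript with the mail
# client's line wrapping undone (ospfd emits each message on one line).
SAMPLE_LOG = """\
startup
rde: new announced net 170.85.113.0/25
rde: new announced net 192.168.254.0/24
orig_rtr_lsa: stub net, interface carp0
if_fsm: event UP resulted in action START and changing state for interface carp0 from DOWN to WAITING
recv_packet: invalid checksum, interface carp0
recv_packet: authentication error, interface carp0
if_act_elect: interface carp0 old dr none new dr 170.85.113.99, old bdr none new bdr none
nbr_fsm: event HELLO_RECEIVED resulted in action START_INACTIVITY_TIMER and changing state for neighbor ID 170.85.115.1 from DOWN to INIT
nbr_fsm: event 2_WAY_RECEIVED resulted in action EVAL and changing state for neighbor ID 170.85.115.1 from INIT to EXSTART
if_fsm: event NEIGHBORCHANGE resulted in action ELECT and changing state for interface carp0 from DR to BACKUP
recv_packet: packet sent to wrong address 170.85.113.99, interface fxp0
"""

RECV_ERR = re.compile(r"^recv_packet: (.+?), interface (\S+)$")
IF_FSM = re.compile(r"^if_fsm: event (\S+) .* interface (\S+) from (\S+) to (\S+)$")
NBR_FSM = re.compile(r"^nbr_fsm: event (\S+) .* neighbor ID (\S+) from (\S+) to (\S+)$")
ELECT = re.compile(r"^if_act_elect: interface (\S+) old dr (\S+) new dr (\S+), "
                   r"old bdr (\S+) new bdr (\S+)$")
STUB = re.compile(r"^orig_rtr_lsa: stub net, interface (\S+)$")
RDE = re.compile(r"^rde: new announced net (\S+)$")


def analyse(log):
    """Parse one transcript and return a summary dict (keys listed at the end)."""
    errors = defaultdict(Counter)   # iface -> error reason -> count
    if_trail = defaultdict(list)    # iface -> [(event, old state, new state)]
    nbr_trail = defaultdict(list)   # neighbor router ID -> [(event, old, new)]
    elections = defaultdict(list)   # iface -> [(dr, bdr)]
    stub_nets, candidates = set(), set()
    for raw in log.splitlines():
        line = raw.strip()
        if m := RECV_ERR.match(line):
            reason, iface = m.groups()
            # "packet sent to wrong address A.B.C.D": drop the address so the
            # same error groups together whatever address was hit.
            errors[iface][re.sub(r" \d+(?:\.\d+){3}$", "", reason)] += 1
        elif m := IF_FSM.match(line):
            event, iface, old, new = m.groups()
            if_trail[iface].append((event, old, new))
        elif m := NBR_FSM.match(line):
            event, nbr, old, new = m.groups()
            nbr_trail[nbr].append((event, old, new))
        elif m := ELECT.match(line):
            iface, _, dr, _, bdr = m.groups()
            elections[iface].append((dr, bdr))
        elif m := STUB.match(line):
            stub_nets.add(m.group(1))
        elif m := RDE.match(line):
            # Per Claudio these are only candidates for redistribute, not what
            # is actually announced; verify with ospfctl show database.
            candidates.add(m.group(1))

    findings = []
    for iface in sorted(set(if_trail) | set(errors)):
        # A passive interface never runs the interface FSM, so any if_fsm
        # transition on carpN means OSPF itself is running over carp.
        if iface.startswith("carp") and iface in if_trail:
            findings.append(f"{iface}: OSPF interface state machine running over carp")
        for reason, n in errors.get(iface, {}).items():
            findings.append(f"{iface}: {n} x {reason}")
        if len(elections.get(iface, [])) > 1:
            findings.append(f"{iface}: DR/BDR changed {len(elections[iface])} times")
    for nbr, trail in nbr_trail.items():
        states = [trail[0][1]] + [new for _, _, new in trail]
        findings.append(f"neighbor {nbr}: " + " -> ".join(states))
    return {
        "errors": {k: dict(v) for k, v in errors.items()},
        "if_trail": dict(if_trail),
        "nbr_trail": dict(nbr_trail),
        "elections": dict(elections),
        "stub_nets": stub_nets,
        "candidates": candidates,
        "findings": findings,
    }


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG)["findings"]:
        print(finding)
```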



Re: ospfd.conf question

2005-10-17 Thread stan
On Mon, Oct 17, 2005 at 05:41:20PM +0200, Claudio Jeker wrote:
 On Mon, Oct 17, 2005 at 10:57:41AM -0400, stan wrote:
  On Mon, Oct 17, 2005 at 04:12:48PM +0159, Claudio Jeker wrote:
   On Mon, Oct 17, 2005 at 09:39:01AM -0400, stan wrote:
 
  
  Hmm, that seems to have gotten me close. Here's the new ospfd.conf file:
  
  
  # $OpenBSD: ospfd.conf,v 1.2 2005/02/06 20:07:09 norby Exp $
  
  # global configuration
  router-id 170.85.113.111
  
  # areas
  area 0.0.0.120 {
  interface fxp0 {
  auth-type none
  }
  interface fxp2 {
  auth-type none
  passive
  }
  }
  
 
 config stripped a bit
 
 
 That is not the config you pasted before. You are running OSPF
 over carp here. This is nuts and will not work. You cannot run any kind
 of routing protocol over carp without major issues! If you have two
 routers in front of a common network, use carp towards that network and
 OSPF to connect the two routers to the backbone.
 If one router fails, ospf will take care of it and adjust the routing table.
 Currently I think you need to use redistribute static for that setup or
 wait a couple of days until I have fixed something.

Ah, in retrospect this makes sense. So the external interfaces on these 2
machines don't need carp at all. But I will still need it on the inside,
as the machines on the internal network just have static routes in them.
So, I guess the gateway machines should each advertise their real
interfaces in the ospfd.conf file? Or should that be their carp interface?

 
 I bet 170.85.113.99 is the carp IP.

It is.

 
 ...
 
  I've confirmed with ethereal that the invalid checksum errors are indeed
  invalid checksums being sent by the router that I'm exchanging routes with.
  
 
 Iiick!

Agreed!

 
  But if I change the interfaces to carp0 and carp1, which are respectively
  the outside and inside carp interfaces for this machine, things don't
  work even this well:
  
 
 As I said before, don't run ospf over carp. It will not work. You can use
 it for the inside network but not for the one connected to the backbone.
  

So, my ospfd.conf file should look like this?


# areas
area 0.0.0.120 {
interface fxp0 {
auth-type none
}
interface carp1 {
auth-type none
passive
}
}

Or would this be better?

# areas
area 0.0.0.120 {
interface fxp0 {
auth-type none
}
interface fxp2 {
auth-type none
passive
}
}

The external interface is fxp0, and the internal one is fxp2. The
internal carp is carp1, and the outside one (carp0) will go away.

Thanks very much for taking the time to educate me on this.


-- 
U.S. Encouraged by Vietnam Vote - Officials Cite 83% Turnout Despite Vietcong 
Terror 
- New York Times 9/3/1967



Re: ospfd.conf question

2005-10-17 Thread Claudio Jeker
On Mon, Oct 17, 2005 at 11:25:30AM -0400, stan wrote:
 On Mon, Oct 17, 2005 at 05:16:20PM +0200, Claudio Jeker wrote:
  On Mon, Oct 17, 2005 at 10:35:07AM -0400, stan wrote:
   On Mon, Oct 17, 2005 at 04:12:48PM +0159, Claudio Jeker wrote:
On Mon, Oct 17, 2005 at 09:39:01AM -0400, stan wrote:
 I'm trying to do something that should be simple with ospfd from a 
 snapshot
 from last week.
 
 I have a pair of carp'd firewall/gateway boxes (3.7 machines) and they
 connect a single subnet to the corporate network. Corporate wants to move
 from rip to ospf. I've set up the following ospfd.conf file:
 
 
 # $OpenBSD: ospfd.conf,v 1.2 2005/02/06 20:07:09 norby Exp $
 
 # macros
 # password=secret
 
 # global configuration
 router-id 170.85.113.111
 # fib-update no
 # spf-delay 1
 # spf-holdtime 5
 
 # auth-key $password
 # auth-type none
 # hello-interval 10
 # metric 10
 # retransmit-interval 5
 # router-dead-time 40
 # router-priority 1
 # transmit-delay 1
 
 # areas
 area 0.0.0.120 {
   interface fxp0 {
   auth-type none
   }
 }
 
 
 fxp0 is the external interface. The CARP interface is fxp1, and the
 internal interface is fxp2. Presently I have pf off.
 
 When I start ospfd I get the routes advertised by corporate, but they 
 don't
 see my route.
 
 What am I doing wrong?
 

You're not advertising any routes with this setup. redistribute static
is probably what you are looking for.
Another option would be to use passive interfaces like

area 0.0.0.120 {
interface fxp0 {
auth-type none
}
interface fxp2 {
passive
}
interface carp0 {
passive
}
}
   
   Could you explain what passive means in this context, please?
   
  
  It's in the man page:
   passive
   Prevent transmission and reception of OSPF packets on this 
  inter-
   face.
  
  The interface is still considered part of OSPF and therefore a stub network
  LSA is redistributed but no OSPF traffic is done on that interface. This
  is nice to add some directly connected interfaces or loopbacks instead of
  using redistribute connected.
 
 Thanks.
 
 So, in my case, by not listing the pfsync interface (which is fxp1) in the
 ospfd.conf file at all, it will neither be advertised nor have traffic
 sent over it, right?
 

Yes.

-- 
:wq Claudio



Re: ospfd.conf question

2005-10-17 Thread Claudio Jeker
On Mon, Oct 17, 2005 at 12:00:38PM -0400, stan wrote:
 On Mon, Oct 17, 2005 at 05:41:20PM +0200, Claudio Jeker wrote:
  On Mon, Oct 17, 2005 at 10:57:41AM -0400, stan wrote:
   On Mon, Oct 17, 2005 at 04:12:48PM +0159, Claudio Jeker wrote:
On Mon, Oct 17, 2005 at 09:39:01AM -0400, stan wrote:
  
   
   Hmm, that seems to have gotten me close. Here's the new ospfd.conf file:
   
   
   # $OpenBSD: ospfd.conf,v 1.2 2005/02/06 20:07:09 norby Exp $
   
   # global configuration
   router-id 170.85.113.111
   
   # areas
   area 0.0.0.120 {
 interface fxp0 {
 auth-type none
 }
 interface fxp2 {
 auth-type none
 passive
 }
   }
   
  
  config stripped a bit
  
  
  That is not the config you pasted before. You are running OSPF
  over carp here. This is nuts and will not work. You cannot run any kind
  of routing protocol over carp without major issues! If you have two
  routers in front of a common network, use carp towards that network and
  OSPF to connect the two routers to the backbone.
  If one router fails, ospf will take care of it and adjust the routing table.
  Currently I think you need to use redistribute static for that setup or
  wait a couple of days until I have fixed something.
 
 Ah, in retrospect this makes sense. So the external interfaces on these 2
 machines don't need carp at all. But I will still need it on the inside,
 as the machines on the internal network just have static routes in them.
 So, I guess the gateway machines should each advertise their real
 interfaces in the ospfd.conf file? Or should that be their carp interface?
 

Currently it does not matter because the result is the same. In the near
future the state of the interface should be considered before announcing
it -- this is done for redistribute connected but not for stub networks.
If both routers announce the same network with the same metric it is not
fully defined how traffic will flow. In the case of Ciscos it will do per-flow
round robin over the two routers and this may cause some issues. So to fix
this issue you should add an additional metric of 50 or so to the internal
interface on the backup router. Like:

area 0.0.0.120 {
interface fxp0 {
auth-type none
}
interface carp1 {
passive
metric 50
}
}

In that case the backup is less preferred and so routing will be directed
directly to the master. This especially helps pfsync.

  
  As I said before, don't run ospf over carp. It will not work. You can use
  it for the inside network but not for the one connected to the backbone.
   
 
 So, my ospfd.conf file should look like this?
 
 
 # areas
 area 0.0.0.120 {
   interface fxp0 {
   auth-type none
   }
   interface carp1 {
   auth-type none
   passive
   }
 }
 
 Or would this be better?
 
 # areas
 area 0.0.0.120 {
   interface fxp0 {
   auth-type none
   }
   interface fxp2 {
   auth-type none
   passive
   }
 }
 
 The external interface is fxp0, and the internal one is fxp2. The
 internal carp is carp1, and the outside one (carp0) will go away.
 

I would use the carp1 interface. As soon as we make stub network
announcements dependent on the link state, failover will be smoother
and will also track some cases that are currently unhandled.

 Thanks very much for taking the time to educate me on this.
 

-- 
:wq Claudio
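The three pieces of advice in this thread (no active OSPF over a carp interface, auth-type crypt rather than none outside of testing, and a worse metric on the backup router's passive internal interface) can be checked against a config file before ospfd is started. The linter below is an added example and not part of OpenBSD's ospfd; it parses only the ospfd.conf subset used in this thread, and SAMPLE_CONF is a constructed copy of stan's final config as it would sit on the backup router before Claudio's metric is added.

```python
"""Lint an ospfd.conf fragment against the advice given in this thread.

Added example, not part of OpenBSD's ospfd. It understands only the subset of
the ospfd.conf(5) grammar used above: a global 'router-id', 'area X { ... }'
blocks containing 'interface NAME { ... }' blocks, and the per-interface
keywords 'passive', 'auth-type' and 'metric'. Anything else is ignored.
"""
import re

# Constructed sample: the config stan ended up with, as it would look on the
# backup router before adding the metric Claudio suggested.
SAMPLE_CONF = """\
# $OpenBSD: ospfd.conf,v 1.2 2005/02/06 20:07:09 norby Exp $
router-id 170.85.113.111

# areas
area 0.0.0.120 {
    interface fxp0 {
        auth-type none
    }
    interface carp1 {
        auth-type none
        passive
    }
}
"""


def parse_ospfd_conf(text):
    """Return (router_id, {area: {ifname: {keyword: value}}})."""
    router_id = None
    areas = {}
    area = iface = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        if area is None and (m := re.match(r"router-id\s+(\S+)$", line)):
            router_id = m.group(1)
        elif m := re.match(r"area\s+(\S+)\s*\{$", line):
            area = m.group(1)
            areas.setdefault(area, {})
        elif area is not None and (m := re.match(r"interface\s+(\S+)\s*\{$", line)):
            iface = m.group(1)
            areas[area][iface] = {}
        elif line == "}":
            # A closing brace ends the innermost open block.
            if iface is not None:
                iface = None
            else:
                area = None
        elif iface is not None:
            key, _, value = line.partition(" ")
            areas[area][iface][key] = value.strip() if value else True
    return router_id, areas


def lint(text, backup_router=False):
    """Return a list of (severity, message) findings for one ospfd.conf."""
    router_id, areas = parse_ospfd_conf(text)
    findings = []
    if router_id is None:
        findings.append(("error", "no router-id configured"))
    for ifaces in areas.values():
        for name, opts in ifaces.items():
            passive = "passive" in opts
            # Claudio: no routing protocol over carp; a carp interface may
            # only appear as a passive stub network.
            if name.startswith("carp") and not passive:
                findings.append(("error", f"{name}: active OSPF on a carp "
                                 "interface; make it passive or use the "
                                 "physical interface"))
            # Side note from the thread: auth-type none is for testing only.
            # ospfd's default is none, so an unset auth-type counts too.
            if not passive and opts.get("auth-type", "none") == "none":
                findings.append(("warn", f"{name}: auth-type none; use "
                                 "auth-type crypt in production"))
            # Backup router: give the internal stub net a worse metric so the
            # master's announcement wins instead of per-flow round robin.
            if backup_router and passive and "metric" not in opts:
                findings.append(("warn", f"{name}: passive interface on the "
                                 "backup router has the default metric; add "
                                 "something like 'metric 50'"))
    return findings


if __name__ == "__main__":
    for severity, msg in lint(SAMPLE_CONF, backup_router=True):
        print(f"{severity}: {msg}")
```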



Re: ospfd.conf question

2005-10-17 Thread stan
On Mon, Oct 17, 2005 at 06:38:26PM +0200, Claudio Jeker wrote:
 On Mon, Oct 17, 2005 at 12:00:38PM -0400, stan wrote:
  On Mon, Oct 17, 2005 at 05:41:20PM +0200, Claudio Jeker wrote:
   On Mon, Oct 17, 2005 at 10:57:41AM -0400, stan wrote:
On Mon, Oct 17, 2005 at 04:12:48PM +0159, Claudio Jeker wrote:
 On Mon, Oct 17, 2005 at 09:39:01AM -0400, stan wrote:
   

Hmm, that seems to have gotten me close. Here's the new ospfd.conf file:


# $OpenBSD: ospfd.conf,v 1.2 2005/02/06 20:07:09 norby Exp $

# global configuration
router-id 170.85.113.111

# areas
area 0.0.0.120 {
interface fxp0 {
auth-type none
}
interface fxp2 {
auth-type none
passive
}
}

   
   config stripped a bit
   
   
   That is not the config you pasted before. You are running OSPF
   over carp here. This is nuts and will not work. You cannot run any kind
   of routing protocol over carp without major issues! If you have two
   routers in front of a common network, use carp towards that network and
   OSPF to connect the two routers to the backbone.
   If one router fails, ospf will take care of it and adjust the routing table.
   Currently I think you need to use redistribute static for that setup or
   wait a couple of days until I have fixed something.
  
  Ah, in retrospect this makes sense. So the external interfaces on these 2
  machines don't need carp at all. But I will still need it on the inside,
  as the machines on the internal network just have static routes in them.
  So, I guess the gateway machines should each advertise their real
  interfaces in the ospfd.conf file? Or should that be their carp interface?
  
 
 Currently it does not matter because the result is the same. In the near
 future the state of the interface should be considered before announcing
 it -- this is done for redistribute connected but not for stub networks.
 If both routers announce the same network with the same metric it is not
 fully defined how traffic will flow. In the case of Ciscos it will do per-flow
 round robin over the two routers and this may cause some issues. So to fix
 this issue you should add an additional metric of 50 or so to the internal
 interface on the backup router. Like:
 
 area 0.0.0.120 {
   interface fxp0 {
   auth-type none
   }
   interface carp1 {
   passive
   metric 50
   }
 }
 
 In that case the backup is less preferred and so routing will be directed
 directly to the master. This especially helps pfsync.

Yes, I was trying to think that part through. This makes sense. Thanks.

 
   
   As I said before, don't run ospf over carp. It will not work. You can use
   it for the inside network but not for the one connected to the backbone.

  
  So, my ospfd.conf file should look like this?
  
  
  # areas
  area 0.0.0.120 {
  interface fxp0 {
  auth-type none
  }
  interface carp1 {
  auth-type none
  passive
  }
  }
  
  Or would this be better?
  
  # areas
  area 0.0.0.120 {
  interface fxp0 {
  auth-type none
  }
  interface fxp2 {
  auth-type none
  passive
  }
  }
  
  The external interface is fxp0, and the internal one is fxp2. The
  internal carp is carp1, and the outside one (carp0) will go away.
  
 
 I would use the carp1 interface. As soon as we make stub network
 announcements dependent on the link state, failover will be smoother
 and will also track some cases that are currently unhandled.
 
One more question if I might, please.

Now I get this startup message:

phfw1# ospfd -d
startup
rde: new announced net 0.0.0.0/0
rde: new announced net 170.85.106.128/25
rde: new announced net 170.85.106.143/32
rde: new announced net 170.85.113.0/25
rde: new announced net 170.85.113.99/32
rde: new announced net 192.168.254.0/24
orig_rtr_lsa: area 0.0.0.120
orig_rtr_lsa: stub net, interface carp1
orig_rtr_lsa: stub net, interface fxp0

Just to confirm I should not be announcing the 192.x network even though I
see this message, right?


-- 
U.S. Encouraged by Vietnam Vote - Officials Cite 83% Turnout Despite Vietcong 
Terror 
- New York Times 9/3/1967



Re: ospfd.conf question

2005-10-17 Thread Claudio Jeker
On Mon, Oct 17, 2005 at 12:56:33PM -0400, stan wrote:
 On Mon, Oct 17, 2005 at 06:38:26PM +0200, Claudio Jeker wrote:
  On Mon, Oct 17, 2005 at 12:00:38PM -0400, stan wrote:
   On Mon, Oct 17, 2005 at 05:41:20PM +0200, Claudio Jeker wrote:

...

 One more question if I might, please.
 
 Now I get this startup message:
 
 phfw1# ospfd -d
 startup
 rde: new announced net 0.0.0.0/0
 rde: new announced net 170.85.106.128/25
 rde: new announced net 170.85.106.143/32
 rde: new announced net 170.85.113.0/25
 rde: new announced net 170.85.113.99/32
 rde: new announced net 192.168.254.0/24
 orig_rtr_lsa: area 0.0.0.120
 orig_rtr_lsa: stub net, interface carp1
 orig_rtr_lsa: stub net, interface fxp0
 
 Just to confirm I should not be announcing the 192.x network even though I
 see this message, right?
 

The message is a bit misleading. It actually means that the following
networks have been added to the list of candidates for redistribute
(connected|static|default). You can verify with ospfctl show database
self-originated and ospfctl show database router to show which networks
you announce.

-- 
:wq Claudio