
2/21/2020

Multiple mutual redistribution OSPF<>BGP config

Below are router configuration fragments for redistribution between an OSPF network and a BGP network.


PRI-P2P

!
router ospf 1
 router-id 10.35.1.254
 area 0 authentication
 redistribute bgp 65210 subnets route-map B2O-IN
 network 10.35.1.96 0.0.0.7 area 0
 network 10.35.1.104 0.0.0.7 area 0
 network 192.168.249.254 0.0.0.0 area 0
!
router bgp 65210
 bgp log-neighbor-changes
 network 10.35.1.252 mask 255.255.255.252
 network 192.168.249.254 mask 255.255.255.255
 redistribute ospf 1 route-map O2B-OUT
 neighbor 10.35.1.253 remote-as 65211
 neighbor 10.35.1.253 password 7 xxxxxxxxxxxxxxxx
 neighbor 10.35.1.253 send-community
 neighbor 10.35.1.253 soft-reconfiguration inbound
 neighbor 10.35.1.253 route-map P2P-IN in
 neighbor 10.35.1.253 route-map P2P-OUT out
!
!IP Ranges on BGP network side.  
!
ip prefix-list B2O seq 10 permit 97.0.0.0/11 ge 16
ip prefix-list B2O seq 20 permit 10.64.0.0/11 ge 12
ip prefix-list B2O seq 30 permit 192.168.97.0/24 ge 29
!
!IP Ranges on OSPF network side
!
ip prefix-list O2B seq 10 permit 192.168.249.254/32
ip prefix-list O2B seq 20 permit 10.0.0.0/10 ge 11
ip prefix-list O2B seq 30 permit 10.96.0.0/11 ge 12
ip prefix-list O2B seq 40 permit 10.128.0.0/9 ge 10
!
!Inbound filter - only accept advertisements of networks to be distributed.
!
ip prefix-list P2P-IN-LIST seq 5 deny 0.0.0.0/0
ip prefix-list P2P-IN-LIST seq 10 permit 97.0.0.0/11 ge 16
ip prefix-list P2P-IN-LIST seq 20 permit 10.64.0.0/11 ge 12
ip prefix-list P2P-IN-LIST seq 30 permit 192.168.97.0/24 ge 29
!
!Outbound filter - do not advertise DMVPN endpoint IPs, do not advertise default, permit anything else.
!
ip prefix-list P2P-OUT-LIST seq 10 deny 192.168.255.0/24 ge 25
ip prefix-list P2P-OUT-LIST seq 15 deny 0.0.0.0/0
ip prefix-list P2P-OUT-LIST seq 20 permit 0.0.0.0/0 le 32
!
!
!
!Do not distribute BGP routes that have already been distributed.
route-map B2O-IN deny 5
 match community 400
!
!Tag routes that will be distributed into OSPF.
route-map B2O-IN permit 7
 set tag 300
!
route-map B2O-IN permit 10
 match ip address prefix-list B2O
!
!
!Inbound filter - do not accept advertisements that this router will not redistribute.
!
route-map P2P-IN deny 5
 match community 400
!
route-map P2P-IN permit 10
 match ip address prefix-list P2P-IN-LIST
!
route-map P2P-OUT permit 10
 match ip address prefix-list P2P-OUT-LIST
!
route-map O2B-OUT deny 5
 match tag 300
!
route-map O2B-OUT permit 7
 set community 400
!
route-map O2B-OUT permit 10
 match ip address prefix-list O2B
!
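How IOS evaluates the prefix-lists and the B2O-IN route-map above, as an added Python model (not part of the original post and not router code). Because clause 7 has no match statement it matches every route, so clause 10 and prefix-list B2O are never consulted; B2O_IN_MERGED is a hypothetical variant with the match and the set in one clause, and the sample routes and the meaning of community-list 400 are assumptions.

```python
import ipaddress

def entry_matches(route, prefix, ge=None, le=None):
    """IOS prefix-list entry: route lies inside prefix and its length is in
    [ge, le]; with neither keyword the length must equal the entry's exactly."""
    net, r = ipaddress.ip_network(prefix), ipaddress.ip_network(route)
    lo = ge if ge is not None else net.prefixlen
    hi = le if le is not None else (32 if ge is not None else net.prefixlen)
    return r.subnet_of(net) and lo <= r.prefixlen <= hi

def prefix_list(route, entries):
    """First matching entry decides; falling off the end is an implicit deny."""
    for action, prefix, ge, le in entries:
        if entry_matches(route, prefix, ge, le):
            return action == "permit"
    return False

def route_map(route, clauses):
    """First clause whose match holds decides and evaluation stops there; a
    clause with no match statement (match=None) matches every route."""
    for seq, action, match, sets in clauses:
        if match is None or match(route):
            return action == "permit", seq, {**route, **sets}
    return False, None, route  # implicit deny at the end of a route-map

# Prefix-lists copied from the PRI-P2P config on this page.
B2O = [("permit", "97.0.0.0/11", 16, None), ("permit", "10.64.0.0/11", 12, None),
       ("permit", "192.168.97.0/24", 29, None)]
P2P_OUT_LIST = [("deny", "192.168.255.0/24", 25, None),
                ("deny", "0.0.0.0/0", None, None), ("permit", "0.0.0.0/0", None, 32)]

# Assumption: community-list 400 (not shown on the page) matches community value 400.
has_400 = lambda r: 400 in r["communities"]
in_b2o = lambda r: prefix_list(r["prefix"], B2O)

# route-map B2O-IN exactly as configured above.
B2O_IN = [(5, "deny", has_400, {}), (7, "permit", None, {"tag": 300}),
          (10, "permit", in_b2o, {})]
# Hypothetical variant: match and set combined in a single clause.
B2O_IN_MERGED = [(5, "deny", has_400, {}), (10, "permit", in_b2o, {"tag": 300})]

def check(prefix, communities=()):
    """Return (permitted, deciding clause) under both route-map variants."""
    route = {"prefix": prefix, "communities": set(communities), "tag": None}
    return route_map(route, B2O_IN)[:2], route_map(route, B2O_IN_MERGED)[:2]

if __name__ == "__main__":
    for p in ("10.64.8.0/24", "172.16.5.0/24"):  # constructed sample routes
        print(p, check(p))
    for p in ("0.0.0.0/0", "192.168.255.20/32", "192.168.255.0/24"):
        print(p, "P2P-OUT-LIST permits:", prefix_list(p, P2P_OUT_LIST))
```

The last sample also shows that `deny 192.168.255.0/24 ge 25` leaves the /24 itself to fall through to the final permit entry.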

PH-L3

!
router ospf 1
 router-id 172.17.1.20
 log-adjacency-changes
 area 0 authentication
 redistribute bgp 65020 metric-type 1 subnets route-map B2O-IN
 network 10.35.244.0 0.0.0.3 area 0
 network 172.17.1.0 0.0.0.255 area 0
!
router bgp 65020
 no synchronization
 bgp router-id 10.35.1.241
 bgp log-neighbor-changes
 network 10.35.1.40 mask 255.255.255.252
 network 192.168.255.20 mask 255.255.255.255
 redistribute ospf 1 route-map O2B-OUT
 neighbor 10.35.1.42 remote-as 10
 neighbor 10.35.1.42 send-community
 neighbor 10.35.1.42 soft-reconfiguration inbound
 neighbor 10.35.1.42 route-map CORE-IN in
 neighbor 10.35.1.42 route-map B2O-DENY out
 neighbor 10.35.1.245 remote-as 3549
 neighbor 10.35.1.245 password 7 XXXXXXXXXXXXXXXXXXX
 neighbor 10.35.1.245 route-map MPLS-FILTER-OUT out
 no auto-summary
!
ip prefix-list B2O seq 10 permit 97.0.0.0/11 ge 16
ip prefix-list B2O seq 90 permit 192.168.97.0/24 ge 29
ip prefix-list B2O seq 100 permit 10.64.0.0/11 ge 12
!
ip prefix-list B2O-DENY seq 10 deny 192.168.255.0/24 ge 25
ip prefix-list B2O-DENY seq 15 deny 0.0.0.0/0
ip prefix-list B2O-DENY seq 20 permit 0.0.0.0/0 le 32
!
ip prefix-list B2O-DENY2 seq 10 permit 192.168.255.0/24 ge 25
ip prefix-list B2O-DENY2 seq 20 permit 0.0.0.0/0
!
ip prefix-list MPLS-OUT seq 10 permit 192.168.255.0/24 ge 25
!
ip prefix-list O2B seq 10 permit 10.10.0.0/16
ip prefix-list O2B seq 20 permit 10.1.0.0/16
ip prefix-list O2B seq 30 permit 10.6.1.0/24
!
!
!
!
route-map B2O-DENY permit 10
 match ip address prefix-list B2O-DENY
!
route-map B2O-IN deny 5
 match community 400
!
route-map B2O-IN deny 6
 match ip address prefix-list B2O-DENY2
!
route-map B2O-IN permit 7
 set tag 300
!
route-map B2O-IN permit 10
 match ip address prefix-list B2O
!
route-map CORE-IN deny 5
 match community 400
!
route-map CORE-IN permit 10
 match ip address prefix-list B2O
!
route-map MPLS-FILTER-OUT deny 10
 match community 400
!
route-map MPLS-FILTER-OUT deny 20
 match ip address prefix-list B2O
!
route-map MPLS-FILTER-OUT permit 30
 match ip address prefix-list MPLS-OUT
!
route-map O2B-OUT deny 5
 match tag 300
!
route-map O2B-OUT permit 7
 set community 400
!
route-map O2B-OUT permit 10
 match ip address prefix-list O2B
!
route-map DENY-OUT deny 5
 match community 400
!

Multiple Mutual Redistribution OSPF <> BGP

Nearing the close of a big project: connectivity for two nearly equal-sized networks.
The first is an OSPF overlay on dual service provider MPLS WANs advertising a single IP via BGP.  These IPs are used to establish DMVPN connectivity to hub sites.
The other has a very simplified remote office with just a couple of VLANs defaulting to a core switch.  That core switch is a BGP neighbor of the single MPLS service provider router.

Design Goals

1. Add point to point connection between new routers PRI-P2P and PH-P2P
2. Add MPLS to Philadelphia site connected to new router PH-L3
3. Route user traffic primarily over MPLS
4. Use point to point connection for communication between specific datacenter systems with policy routing.
5. If MPLS path fails, user traffic should be routed over point to point circuit automatically.
6. Redistribute OSPF into BGP on:  PRI-P2P & PH-L3.
7. Redistribute BGP into OSPF on:  PRI-P2P & PH-L3.
8. Do not redistribute BGP into OSPF for subnets only used for DMVPN.
9. Prevent redistribution from creating routing loops.  That is, do not allow redistribution of routes that have been redistributed already by the same or another router.
10. Avoid asynchronous routes between hosts
11. Do not redistribute default routes

Things I have learned

I have a fair amount of experience but have never done much redistribution.  I had to learn a lot in order to make this work.  I got help from vendor(s) and colleagues.  Did a lot of googling and reading.  The following is an unorganized list of things that I noticed or that helped me once I realized them.
  • Route redistribution might be better called route import, because redistribution into a routing protocol is done in the configuration of the protocol intended to receive routes.  That is, OSPF configuration would be added to redistribute "into OSPF".
  • Route redistribution does not put routes into the routing table on the router doing the redistribution.
  • Redistribution isn't really the hard part.  It is about figuring out the routing protocols for troubleshooting and manipulating them to avoid loops and so forth.
    • Route filtering
    • Route tagging
    • In addition to routing table, there will be a database of potential routes--only one of which will go into the routing table.  (show ip bgp)
    • Metric
    • I also assume that redistribution behavior has different rules/behaviors according to what routing protocol is pulling in the routes.
    • BGP commands to show route advertisements sent and received
    • Timer adjustments.
  • I could not find an example on the internet of mutual redistribution between OSPF & BGP.
  • BGP doesn't have tags; it uses communities.  But the idea is the same.
  • Everything seems to work as desired when a state is achieved where, on the router doing redistribution, the routing table holds OSPF routes for all the "native" OSPF locations and BGP routes for all the "native" BGP routes.
  • To prevent routing loops and achieve the state described above it is important to filter route advertisements in/out in addition to applying tagging to the redistribution config.
  • Use traffic steering to determine primary paths, i.e. OSPF cost & BGP path length.  Remember that the OSPF cost required to make this happen could affect the overall design of the network if costs are involved, and some existing OSPF configuration may need to be adjusted on more existing routers.  In TS case, a bigger OSPF cost is needed for sites that are manually configured with higher cost to prefer the TW path.
  • The routes for the BGP MPLS IPs used for DMVPN must not get into the "overlay" routing table.  That is, if BGP routes for the loopbacks used to establish the DMVPN tunnels get into OSPF then OSPF stops working.  "mid-chain attempting to stack…."
  • BGP
    show ip bgp neighbors [IP of neighbor] advertised-routes
    show ip bgp neighbors [IP of neighbor] received-routes
    show ip bgp

Google Chrome QUIC Protocol

UDP/443

Noticed a lot of UDP/443 traffic?

Check out this article about the experimental QUIC protocol that Google is using.


Interesting Chrome hacks:
Chrome Flags

net-internals