Controlling routing updates in OSPF

SonicOS 5.6 (still in beta at the time of writing) has the ability to run dynamic routing protocols over IPSec tunnels. This is similar to the way Cisco does it: the routing updates are carried in GRE, and the resulting GRE packets are in turn carried through the IPSec tunnel.

In preparation for trying out this new SonicOS feature, I cracked open GNS3 and tried to simulate what would be happening. First things first: it's important to note that SonicOS only supports dynamic routing over route-based VPNs. That is, a virtual interface is created to represent the point-to-point IPSec connection, and for routing purposes this virtual tunnel interface "borrows" an IP from an interface chosen by the admin.

This concept is exactly the same as Cisco's "ip unnumbered", so we have the basis for our simulation. To make the simulation easier and remove things that can go wrong, let's forget about the IPSec tunnel and focus purely on the OSPF part. I set up the topology below:

In this case, UKTL is the hub, with two spokes. They are interconnected using serial connections, which serve our purpose of simulating point-to-point IPSec connections: imagine the serial links are our IPSec VPN tunnels configured on the WAN. None of the serial interfaces is configured with an IP directly; instead, we use the ip unnumbered command to make s0/0 and s0/1 borrow the IP of a loopback interface on the hub (R3 in the GNS3 topology). We have a similar setup on the spokes (R4 and R5). You can see the effect of ip unnumbered with the sh ip int br command:

UKTL#sh ip int br
Interface                  IP-Address      OK? Method Status                Protocol
Serial0/0                                  YES TFTP   up                    up
Serial0/1                                  YES TFTP   up                    up
Loopback0                                  YES manual up                    up
Loopback1                                  YES manual up                    up
Loopback2                                  YES manual up                    up

Note how s0/0 shares the IP of lo1 while s0/1 shares the IP of lo2 (IOS reports the Method of an unnumbered interface as TFTP). There are similar setups on spoke_A and spoke_B. Why would we need to do this? It's a good question. Saving IP address space is one reason, and having fewer IPs to keep track of is another plus.

Now we go about configuring UKTL’s OSPF process to share the two networks on its LAN:

router ospf 1

network area 0
network area 0

Similarly, this must be done on spoke_A and spoke_B. In this example I'm keeping everything in the same area to simplify the exercise. If everything goes well you should see the OSPF adjacencies form on UKTL:

UKTL#sh ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
                0     FULL/  -        00:00:38                    Serial0/1
                0     FULL/  -        00:00:37                    Serial0/0

We're not concerned with the priority column (shown as 0) here: these are point-to-point networks, so no DR/BDR election takes place. At this point we should see the routing tables updated with some OSPF routes. For example, on UKTL:

Gateway of last resort is not set
     is subnetted, 1 subnets
C       is directly connected, Loopback0
     is subnetted, 1 subnets
O       [110/65] via , 00:03:11, Serial0/1
     is subnetted, 2 subnets
C       is directly connected, Loopback2
C       is directly connected, Loopback1
O       [110/65] via , 00:03:11, Serial0/0

Not too bad: we see the two spoke networks via OSPF. Similarly, from spoke_B we see that we can reach both spoke_A and UKTL:

Gateway of last resort is not set
     is subnetted, 1 subnets
C       is directly connected, Loopback0
     is subnetted, 1 subnets
O       [110/129] via , 00:04:04, Serial0/0
     is subnetted, 2 subnets
O       [110/65] via , 00:04:04, Serial0/0
O       [110/65] via , 00:04:04, Serial0/0
C       is directly connected, FastEthernet1/0

Now comes the interesting part. Let's say we want to distribute an internal network ( /24) that sits behind Spoke_B_INT. And to make it interesting, let's say we want to distribute only that one network, and not the other internal network.

First of all, we see that on the spoke_B router we have static routes for both these networks:

     is subnetted, 1 subnets
S       is directly connected, FastEthernet1/0
     is subnetted, 1 subnets
S       is directly connected, FastEthernet1/

Now, we need to redistribute the first static route into the OSPF area, but not the other. How? The answer is the nifty distribute-list. Distribute lists can control routing updates based on route-maps (which are extremely flexible in themselves), prefix lists, or simple access lists. One caveat worth knowing: because OSPF is link-state, a distribute-list out on an OSPF process only filters routes that are being redistributed into OSPF; it cannot filter intra-area or inter-area routes, which are carried in LSAs rather than in routing updates. That is fine here, since the routes we want to control are redistributed statics. Our first step is to define an access list that permits the first network but not the second:

access-list 2 permit
access-list 2 deny   any

Then we go back into the OSPF router mode and type:

spoke_B(config-router)#redistribute static subnets
spoke_B(config-router)#distribute-list 2 out static

Simple, huh? The first line instructs OSPF to redistribute static routes (the subnets keyword is needed so that non-classful subnets are redistributed too). In the second line, the distribute list permits only static routes matching access list 2 to go out. We confirm this by checking the routing table on UKTL, where we should see a single E2 (type 2 external) route:

Gateway of last resort is not set
     is subnetted, 1 subnets
C       is directly connected, Loopback0
     is subnetted, 1 subnets
O E2    [110/20] via , 00:00:45, Serial0/0
     is subnetted, 1 subnets
O       [110/65] via , 00:00:50, Serial0/1
     is subnetted, 2 subnets
C       is directly connected, Loopback2
C       is directly connected, Loopback1
O       [110/65] via , 00:00:50, Serial0/

See the single O E2 route? The second static route never left spoke_B, although it is still in spoke_B's own routing table. Further confirmation comes from running sh ip protocols on spoke_B:

spoke_B#sh ip protocols
Routing Protocol is “ospf 1”
Outgoing update filter list for all interfaces is not set
Redistributed static filtered by 2

The last line shows that the redistributed static routes are filtered by access list 2. All done!

Note: don't forget to redistribute static subnets in the first place. You cannot filter routes unless you are redistributing them to begin with :)
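To tie the steps above together, here is a complete spoke_B configuration as an added example. It is not taken from the original post or from the lab shown there: every address (the loopback, the LAN, the two internal prefixes) is an assumed value chosen for illustration, while the interface names, process number and access-list number follow the post. It also shows the route-map alternative mentioned above, which in IOS is attached to the redistribute statement rather than to the distribute-list.

```cisco
! Added example, not the original lab config. All addresses below are assumed.
hostname spoke_B
!
! Loopback that the unnumbered serial link borrows its address from
interface Loopback0
 ip address 10.255.0.2 255.255.255.255
!
! Point-to-point link to UKTL; stands in for the route-based IPSec tunnel
interface Serial0/0
 ip unnumbered Loopback0
 no shutdown
!
! LAN side; the two internal networks are reached through this interface
interface FastEthernet1/0
 ip address 10.2.0.1 255.255.255.0
 no shutdown
!
! Static routes for the two internal networks (assumed prefixes). Pointing
! a static at a multi-access interface, as the post does, relies on proxy ARP;
! a next-hop address is the safer form in production.
ip route 172.16.10.0 255.255.255.0 FastEthernet1/0
ip route 172.16.20.0 255.255.255.0 FastEthernet1/0
!
! Only 172.16.10.0/24 may leave via OSPF; the explicit deny documents the
! implicit deny at the end of every access list
access-list 2 permit 172.16.10.0 0.0.0.255
access-list 2 deny   any
!
router ospf 1
 router-id 10.255.0.2
 ! Advertise the borrowed loopback and the LAN; the serial link is covered
 ! by the loopback statement because it is unnumbered to Loopback0
 network 10.255.0.2 0.0.0.0 area 0
 network 10.2.0.0 0.0.0.255 area 0
 ! No OSPF hellos toward the LAN segment
 passive-interface FastEthernet1/0
 ! Step 1: redistribute statics (subnets keyword required for non-classful routes)
 redistribute static subnets
 ! Step 2: filter what is redistributed; only filters redistributed routes in OSPF
 distribute-list 2 out static
!
! --- Alternative: the same filter as a route-map on the redistribute statement.
! A route-map has an implicit deny, so 172.16.20.0/24 is dropped without an
! explicit deny clause. It also lets you set the metric and external type.
ip prefix-list INT-ALLOWED seq 10 permit 172.16.10.0/24
!
route-map STATIC-TO-OSPF permit 10
 match ip address prefix-list INT-ALLOWED
 set metric 50
 set metric-type type-1
!
router ospf 1
 no distribute-list 2 out static
 redistribute static subnets route-map STATIC-TO-OSPF
!
! Verification (on spoke_B and on UKTL respectively):
!   show ip protocols          -> "Redistributed static filtered by 2"
!   show ip route ospf         -> a single O E2 (or O E1 with the route-map) entry
```

Use one method or the other, not both: with the distribute-list removed, the route-map on the redistribute statement is the only thing deciding which statics become external LSAs, and with the set metric-type type-1 clause the route shows up on UKTL as O E1 rather than O E2.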

Update: I ran across a similar and useful article from Packetlife. Grab it here.
