Hi, I thought about it too, so one option is to split two internal legs into two different “protocols” inside BIRD cfg and filters will work as expected?
------------------------------------------
Server Support Service
Network Administration Group
ДПП.УТП.СПС
AO "PF "SKB Kontur", dc-...@skbkontur.ru
Tel. +7 (343) 344-11-50 ext. 75352

From: gr...@highloadlab.com [mailto:gr...@highloadlab.com] On Behalf Of Alexander Zubkov
Sent: Tuesday, October 10, 2017 2:59 PM
To: Войнович Андрей Александрович <andr...@skbkontur.ru>
Cc: bird-users@network.cz
Subject: Re: OSPF routes not filtered

Hi.

If I understand correctly, import/export filters are not applied to OSPF internals - LSDB announces, etc. They are applied to prefixes imported into OSPF protocol from router and exported from it to its table.

On Tue, Oct 10, 2017 at 10:36 AM, Войнович Андрей Александрович <andr...@skbkontur.ru> wrote:

Hi all!

I am facing a strange problem with OSPF – my router has 2 Phy links and 4 VLAN links to two different routers:

Phy 1 Vlan 1400 internal link to R1
Phy 1 Vlan 1401 external link to R1
Phy 2 Vlan 1402 internal link to R2
Phy 2 Vlan 1403 external link to R2

R1 and R2 have a direct connection and are OSPF neighbors in Area 0. So I am trying to achieve ECMP load balancing and fault tolerance.

Linux box addresses:

lo inet 99.99.99.99
enp1s0f0.1402 inet 10.16.0.10/30 brd 10.16.0.11
enp1s0f0.1403 inet 10.16.0.14/30 brd 10.16.0.15
enp1s0f1.1400 inet 10.16.0.2/30 brd 10.16.0.3
enp1s0f1.1401 inet 10.16.0.6/30 brd 10.16.0.7

Linux box BIRD cfg:

router id 99.99.99.99;

filter deny_default {
    if net = 0.0.0.0/0 then reject;
    else accept;
}

filter permit_white {
    if net ~ [ 99.99.99.99/32 ] then accept;
    else reject;
}

filter change_src {
    if net = 0.0.0.0/0 then {
        krt_prefsrc = 99.99.99.99;
        accept;
    }
    else accept;
}

filter deny_all {
    reject;
}

protocol kernel {
    scan time 20;
    import all;
    export filter change_src;
}

protocol device {
    scan time 10; # Scan interfaces every 10 seconds
}

protocol direct {
    interface "enp1s0f1.1400, enp1s0f0.1402, enp1s0f1.1401, enp1s0f0.1403", "lo";
}

protocol ospf Internal {
    rfc1583compat yes;
    import filter deny_default;
    export filter deny_all;
    area 0.0.0.20 {
        interface "enp1s0f1.1400" { type pointopoint; };
        interface "enp1s0f0.1402" { type pointopoint; };
    };
}

protocol ospf External {
    rfc1583compat yes;
    import all;
    export filter permit_white;
    area 100.0.0.0 {
        interface "enp1s0f1.1401" { type pointopoint; };
        interface "enp1s0f0.1403" { type pointopoint; };
    };
}

When I enable only one Phy link, everything works fine and as expected:

R1# sh ip ro next-hop 10.16.0.2
10.16.0.2/32, ubest/mbest: 1/0, attached
    *via 10.16.0.2, Vlan1400, [250/0], 01:09:29, am
10.16.0.8/30, ubest/mbest: 1/0
    *via 10.16.0.2, Vlan1400, [110/1010], 00:10:43, ospf-10, intra

R2# sh ip ro next-hop 10.16.0.10
<nothing, as expected, link disabled>

But when I enable the second Phy link, I see the following:

R1# sh ip ro next-hop 10.16.0.2
0.0.0.0/0, ubest/mbest: 1/0
    via 10.16.0.2, Vlan1400, [110/1], 0.000000, ospf-10, type-2
10.1.1.44/30, ubest/mbest: 1/0
    *via 10.16.0.2, Vlan1400, [110/2010], 0.000000, ospf-10, intra
10.1.1.224/30, ubest/mbest: 1/0
    *via 10.16.0.2, Vlan1400, [110/2010], 0.000000, ospf-10, intra
10.16.0.2/32, ubest/mbest: 1/0, attached
    *via 10.16.0.2, Vlan1400, [250/0], 01:09:31, am
10.16.0.8/30, ubest/mbest: 1/0
    *via 10.16.0.2, Vlan1400, [110/1010], 00:10:45, ospf-10, intra

R2# sh ip ro next-hop 10.16.0.10
0.0.0.0/0, ubest/mbest: 1/0
    via 10.16.0.10, Vlan1402, [110/1], 00:00:05, ospf-10, type-2
10.1.1.60/30, ubest/mbest: 1/0
    *via 10.16.0.10, Vlan1402, [110/2010], 00:00:05, ospf-10, intra
10.1.1.216/30, ubest/mbest: 1/0
    *via 10.16.0.10, Vlan1402, [110/2010], 00:00:05, ospf-10, intra
10.16.0.0/30, ubest/mbest: 1/0
    *via 10.16.0.10, Vlan1402, [110/1010], 00:00:05, ospf-10, intra
10.16.0.10/32, ubest/mbest: 1/0, attached
    *via 10.16.0.10, Vlan1402, [250/0], 00:00:13, am

So on the Linux box, interfaces vlan1400 and vlan 1402 are in the same area and it is expected that they will have identical LSDBs and will send all the LSAs they receive via all interfaces in the same area, so saying simply - they will interchange routes. But in BIRD cfg I apply filters to avoid doing it, however routes are not filtered, and even the default route is received.

Am I missing something?

Thanks.
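
Added example, not part of the thread: a toy Python model of the point in Alexander Zubkov's reply, that the import filter acts only where OSPF hands routes to the table and is never consulted when LSAs are flooded inside an area. It also models the split into two OSPF instances asked about in the first message, under the assumption that each instance keeps its own LSDB; the class, the instance names InternalR1/InternalR2 and the sample LSAs are constructed for illustration and are not BIRD code.

```python
# Toy model of LSA flooding vs. route import (constructed; not BIRD source code).
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class OspfInstance:
    name: str
    interfaces: set                       # interfaces in this instance's one area
    import_filter: Callable[[str], bool]  # sits between OSPF and the routing table
    lsdb: set = field(default_factory=set)
    sent: dict = field(default_factory=dict)  # iface -> prefixes flooded out of it

    def receive_lsa(self, iface, prefix):
        """Store an LSA and flood it out of every other interface in the area."""
        if iface not in self.interfaces or prefix in self.lsdb:
            return
        self.lsdb.add(prefix)
        for out in self.interfaces - {iface}:
            self.sent.setdefault(out, set()).add(prefix)  # no filter consulted here

    def routes_to_table(self):
        """The import filter only sees prefixes when they are handed to the table."""
        return {p for p in self.lsdb if self.import_filter(p)}

def deny_default(prefix):
    """Same decision as the deny_default filter in the posted config."""
    return prefix != "0.0.0.0/0"

# Constructed sample: prefixes carried by LSAs arriving from R1 on the internal leg.
LSAS_FROM_R1 = ["0.0.0.0/0", "10.1.1.60/30"]

def single_instance():
    """One OSPF instance with both internal legs in the same area, as posted."""
    return [OspfInstance("Internal", {"enp1s0f1.1400", "enp1s0f0.1402"}, deny_default)]

def split_instances():
    """Hypothetical split: one instance per leg (assumed: a separate LSDB each)."""
    return [OspfInstance("InternalR1", {"enp1s0f1.1400"}, deny_default),
            OspfInstance("InternalR2", {"enp1s0f0.1402"}, deny_default)]

def flood_from_r1(instances):
    """Return (prefixes flooded on toward R2, prefixes imported into the table)."""
    for inst in instances:
        for prefix in LSAS_FROM_R1:
            inst.receive_lsa("enp1s0f1.1400", prefix)
    leaked = set().union(*(i.sent.get("enp1s0f0.1402", set()) for i in instances))
    table = set().union(*(i.routes_to_table() for i in instances))
    return leaked, table

if __name__ == "__main__":
    print("single:", flood_from_r1(single_instance()))
    print("split: ", flood_from_r1(split_instances()))
```

In the single-instance case the default route is kept out of the local table yet still flooded toward R2, which matches the R2 output in the original message; in the split case nothing is flooded across.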