Forum Discussion

Paedrig_69869's avatar
Paedrig_69869
Icon for Nimbostratus rankNimbostratus
Sep 21, 2016

OSPF redistribute kernel uses 127.1.1.1 forward address

Hi All,

We are trying to advertise a virtual address into OSPF using the following imish config

router ospf 24
 auto-cost reference-bandwidth 40000
 bfd all-interfaces
 redistribute kernel metric 1000 metric-type 1 tag 155
 area 10.2.0.0 authentication message-digest
 area 10.2.0.0 nssa
 network 0.0.0.0/0 area 10.2.0.0

The problem we are seeing is that area 0.0.0.0 on our core switches are not installing the routes in the RIB even though it shows up in the OSPF database.

switch3 show ip route 10.2.6.20 vrf TEST
IP Route Table for VRF "TEST"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%' in via output denotes VRF 

Route not found

The fact that it shows up as external means the type 7 LSA are being translated to type 5 LSAs correctly

switch3 show ip ospf database external 10.2.6.20 vrf TEST
        OSPF Router with ID (10.8.1.3) (Process ID TEST VRF TEST)

                Type-5 AS External Link States

Link ID         ADV Router      Age        Seq       Checksum Tag
10.2.6.20   10.3.1.13     246        0x80000017 0x6f76    155
10.2.6.20   10.3.1.14     1379       0x80000016 0x6b7a    155
10.2.6.20   10.4.1.13     262        0x80000016 0x697c    155
10.2.6.20   10.4.1.14     1696       0x80000015 0x6580    155

However it seems that the forward address used (tmm0) is not reachable and that is why it doesn't show up in the RIB.

switch3 show ip ospf database external 10.2.6.20 detail vrf TEST
        OSPF Router with ID (10.8.1.3) (Process ID TEST VRF TEST)

                Type-5 AS External Link States

   LS age: 317
   Options: 0x2 (No TOS-capability, No DC)
   LS Type: Type-5 AS-External
   Link State ID: 10.2.6.20 (Network address)
   Advertising Router: 10.3.1.13
   LS Seq Number: 0x80000017
   Checksum: 0x6f76
   Length: 36
   Network Mask: /32
         Metric Type: 1 (Same units as link state path)
         TOS: 0
         Metric: 1000
         Forward Address: **127.1.1.1**
         External Route Tag: 155

Additionally our spine switches see the F5 continuously advertising 127.1.1.0/24 and determine it to be bogus
2016 Aug 26 21:44:13.034 switch13 %URIB-5-BOGUS_PREFIX:  urib [29034] (TEST-base) "ospf-TEST" tried to add 127.1.1.0/24

Is there a way to change this so redistributed kernel routes can have a forward address of a self/floating IP? Is there some other configuration that I have missed? Thanks in advance.
  • Fred_Wittenberg's avatar
    Fred_Wittenberg
    Historic F5 Account

    Just out of curiosity have you tried apply a route-map to filter outbound advertisements so that only the intended self/floating IP's are advertised? Not sure where the 127 address is coming from without seeing your entire config but this would be a quick way to prevent it from being advertised.

     

    • Paedrig_69869's avatar
      Paedrig_69869
      Icon for Nimbostratus rankNimbostratus

      Thanks Fred, some testing has indicated that redistributing kernel routes with a route map that sets the next hop IP does change the behavior of the forward address.

       

      I would imagine that using this in conjunction with a prefix list would allow only the desired addresses to be advertised though we haven't tested to this extent yet.

       

      If there are specific things about our config that you think would be worth verifying please let me know and I'll see if I can post them.

       

    • Fred_Wittenberg's avatar
      Fred_Wittenberg
      Historic F5 Account

      Hi Paedrig, correct - you wouldn't necessarily need to set the next-hop however, simply filtering the outbound advertisement should work as intended. You can use both next-hop and the outbound filter in combination for the desired effect. Also, I would suggest as a best practice to filter inbound out the adjacent router, this would prevent any error advertisements in both directions.

       

      Something like this should do the trick:

       

      redistribute kernel route-map virtual-addresses-out

       

      access-list virtual-addresses permit x.x.x.x/xx

       

      route-map virtual-addresses-out permit 10 match ip address virtual-addresses

       

      If you want to upload you config to iHealth and/or open a case I'd be happy to take a look at your config.