Acess Lists and OSPF

8/4/2019 Acess Lists and OSPF

1/14

Acess lists and OSPF

Contents1. Access lists and OSPF routing

2. Network topology

3. Router initial configurations

4. Additional notes4.1. Default route problem

4.1.1. Solution

4.2. After effect

4.3. What if testing5. Loopback interfaces in OSPF

Access lists and OSPF routing

You may wonder what do OSPF and access lists have in common. Yet in this scenario OSPF instances are

used instead of access lists. Just read on. In our network we have several big customers with offices spread

across the country. All are configured with private addresses and use some services common for all clients (iptelephony, http servers, database and application servers) including Internet. Requirements state, that no

customer should be able to access other customers' network. This requirement is enforced through access

control lists. With constant changes in customers' private networks the maintenance of such lists is a tedious

task. First, they must be configured on all customer premise devices individually. There is no template to fit

for the whole network. With time ACLs grow quite lengthy. If updates are necessary all configurations must be

updated. The process is pruned to human errors.We are running OSPF as routing protocol and my idea is to isolate big customers in separate OSPF instances.

In this way, a customer by default will have access only to its own network. Unlike EIGRP no more than one

OSPF process can be started on a router. Address space of one customer will be advertised only in customer's

own OSPF instance. If we have two customers, we configure two OSPF instances on ISP router. For example

OSPF 1 and OSPF 2. Having that in mind I created the following example (see the picture for details):

r-A is the ISP core router, r-B and r-C are two customer routers, that should have no access to each others'local networks. All networks belong to OSPF area 0.

Network topology
http://www.mreji.eu/content/acess-lists-and-ospf#listshttp://www.mreji.eu/content/acess-lists-and-ospf#listshttp://www.mreji.eu/content/acess-lists-and-ospf#topologyhttp://www.mreji.eu/content/acess-lists-and-ospf#topologyhttp://www.mreji.eu/content/acess-lists-and-ospf#initialhttp://www.mreji.eu/content/acess-lists-and-ospf#initialhttp://www.mreji.eu/content/acess-lists-and-ospf#noteshttp://www.mreji.eu/content/acess-lists-and-ospf#noteshttp://www.mreji.eu/content/acess-lists-and-ospf#problemhttp://www.mreji.eu/content/acess-lists-and-ospf#problemhttp://www.mreji.eu/content/acess-lists-and-ospf#solutionhttp://www.mreji.eu/content/acess-lists-and-ospf#solutionhttp://www.mreji.eu/content/acess-lists-and-ospf#afterhttp://www.mreji.eu/content/acess-lists-and-ospf#afterhttp://www.mreji.eu/content/acess-lists-and-ospf#testinghttp://www.mreji.eu/content/acess-lists-and-ospf#testinghttp://www.mreji.eu/content/acess-lists-and-ospf#loopbackhttp://www.mreji.eu/content/acess-lists-and-ospf#loopbackhttp://www.mreji.eu/content/acess-lists-and-ospf#loopbackhttp://www.mreji.eu/content/acess-lists-and-ospf#testinghttp://www.mreji.eu/content/acess-lists-and-ospf#afterhttp://www.mreji.eu/content/acess-lists-and-ospf#solutionhttp://www.mreji.eu/content/acess-lists-and-ospf#problemhttp://www.mreji.eu/content/acess-lists-and-ospf#noteshttp://www.mreji.eu/content/acess-lists-and-ospf#initialhttp://www.mreji.eu/content/acess-lists-and-ospf#topologyhttp://www.mreji.eu/content/acess-lists-and-ospf#lists


2/14

Router initial configurations

Below are the initial router configurations as per network diagram.

Router r-B

r-B#sh runBuilding configuration...

Current configuration : 864 bytes!version 12.2service timestamps debug uptimeservice timestamps log uptimeno service password-encryption!hostname r-B!!memory-size iomem 15ip subnet-zero!!!call rsvp-sync!


3/14

!!!!fax interface-type fax-mailmta receive maximum-recipients 0

!!!interface Loopback0ip address 10.0.0.2 255.255.255.255

!interface Loopback1ip address 10.10.0.1 255.255.255.0


!interface FastEthernet0/0description to r-A

ip address 10.0.1.2 255.255.255.252duplex autospeed auto

!interface FastEthernet0/1no ip addressshutdownduplex autospeed auto

!router ospf 1router-id 10.0.0.2log-adjacency-changes

network 10.0.1.0 0.0.0.3 area 0network 10.10.0.0 0.0.255.255 area 0!ip classlessip http server!!dial-peer cor custom!!!!line con 0line aux 0

line vty 0 4login

!end


4/14

Router r-C

r-C#sh runBuilding configuration...

Current configuration : 804 bytes!

version 12.2service timestamps debug uptimeservice timestamps log uptimeno service password-encryption!hostname r-C!!ip subnet-zero!!!call rsvp-sync

!!!!!fax interface-type fax-mailmta receive maximum-recipients 0!!!interface Loopback0ip address 10.0.0.3 255.255.255.255

!interface Loopback1

ip address 10.20.0.1 255.255.255.0!interface Loopback2ip address 10.20.1.1 255.255.255.0

!interface FastEthernet0/0description to r-Aip address 10.0.2.2 255.255.255.252duplex autospeed auto

!interface FastEthernet0/1no ip address

shutdownduplex autospeed auto

!router ospf 1router-id 10.0.0.3log-adjacency-changesnetwork 10.0.0.0 0.255.255.255 area 0

!ip classless


5/14

ip http server!!dial-peer cor custom!!

!!line con 0line aux 0line vty 0 4!End

Router r-A

r-A#sh run

Building configuration...

Current configuration : 1096 bytes!version 12.2service timestamps debug uptimeservice timestamps log uptimeno service password-encryption!hostname r-A!!ip subnet-zero

!!!call rsvp-sync!!!!!fax interface-type fax-mailmta receive maximum-recipients 0!!!

interface Loopback0ip address 10.0.0.1 255.255.255.255



!


6/14

interface FastEthernet0/0description to r-Bip address 10.0.1.1 255.255.255.252duplex autospeed auto

!

interface FastEthernet0/1description to r-Cip address 10.0.2.1 255.255.255.252duplex autospeed auto

!router ospf 1router-id 10.0.0.1log-adjacency-changesnetwork 10.0.1.0 0.0.0.3 area 0network 10.10.0.0 0.0.255.255 area 0default-information originate always

!router ospf 2

log-adjacency-changesnetwork 10.0.2.0 0.0.0.3 area 0network 10.20.0.0 0.0.255.255 area 0default-information originate always

!ip classlessip http server!!dial-peer cor custom!!!

!line con 0line aux 0line vty 0 4login

!End

Additional notesr-A is running two OSPF instances and is advertising a default route. The default route represents all Internetroutes. We should provide Internet access for all customers. OSPF 1 is running between r-A and r-B for

10.0.1.0/30 and 10.10.0.0/16 subnets. These are the subnets allocated to customer A. Another OSPF instance

OSPF 2 is running between r-A and r-C for 10.0.2.0/30 and 10.20.0.0/16 subnets. These are the subnetsallocated to customer B. r-A has three loopback interfaces. Loopback0 is used as a router id, loopback1 and

loopback2 represent subnets for common network services services respectively 10.30.0.0/24 and 10.30.1.0/24.


7/14

r-B and r-C loopback interface assignment is similar. Loopback0 is router id and loopback1 and loopback2

represent local customer networks. Now let's checkr-A routing table:

r-A

r-A#sh ip routeCodes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter areaN1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGPi - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2ia - IS-IS inter area, * - candidate default, U - per-user static routeo - ODR, P - periodic downloaded static route

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 10 subnets, 3 masksO 10.10.1.1/32 [110/2] via 10.0.1.2, 00:00:33, FastEthernet0/0O 10.10.0.1/32 [110/2] via 10.0.1.2, 00:00:33, FastEthernet0/0C 10.0.2.0/30 is directly connected, FastEthernet0/1

O 10.0.0.3/32 [110/2] via 10.0.2.2, 00:01:03, FastEthernet0/1C 10.0.1.0/30 is directly connected, FastEthernet0/0C 10.0.0.1/32 is directly connected, Loopback0C 10.30.0.0/24 is directly connected, Loopback1C 10.30.1.0/24 is directly connected, Loopback2O 10.20.1.1/32 [110/2] via 10.0.2.2, 00:01:03, FastEthernet0/1O 10.20.0.1/32 [110/2] via 10.0.2.2, 00:01:03, FastEthernet0/1

We see that r-A knows all subnets. Let's checkr-B routing table:

r-B

r-B#sh ip routeCodes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter areaN1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGPi - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2ia - IS-IS inter area, * - candidate default, U - per-user static routo - ODR, P - periodic downloaded static route

Gateway of last resort is 10.0.1.1 to network 0.0.0.0

10.0.0.0/8 is variably subnetted, 4 subnets, 3 masksC 10.10.0.0/24 is directly connected, Loopback1

C 10.10.1.0/24 is directly connected, Loopback2C 10.0.0.2/32 is directly connected, Loopback0C 10.0.1.0/30 is directly connected, FastEthernet0/0O*E2 0.0.0.0/0 [110/1] via 10.0.2.1, 00:01:40, FastEthernet0/0

r-B knows about its connected networks and a default route. That's what we need - access only to customer Anetworks. Let' checkr-C routing table:


8/14

r-C

r-C#sh ip routeCodes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter areaN1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-ia - IS-IS inter area, * - candidate default, U - per-user static roo - ODR, P - periodic downloaded static route


10.0.0.0/8 is variably subnetted, 4 subnets, 3 masksC 10.0.2.0/30 is directly connected, FastEthernet0/0C 10.0.0.3/32 is directly connected, Loopback0C 10.20.0.0/24 is directly connected, Loopback1C 10.20.1.0/24 is directly connected, Loopback2O*E2 0.0.0.0/0 [110/1] via 10.0.2.1, 00:01:40, FastEthernet0/0

As expected r-C knows about its connected networks and a default route. So far so good.

Default route problem

Let's try to ping from r-B one ofr-C's loopback interfaces:

r-B

r-B#ping 10.20.0.1

Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 10.20.0.1, timeout is 2 seconds:!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max = 216/260/288 msr-B#ping 10.30.0.1

Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 10.30.0.1, timeout is 2 seconds:!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max = 96/135/172 ms

Both pings succeed. Why? This is because of the default route. If destination subnet is not in routing table and

we are sure that 10.20.0.0/24 is not in r-B's routing table, the packet is routed to the gateway of last resort, e.g.

r-A. But r-A has a route to 10.20.0/24 network and sends the packet appropriately. The packet reaches r-C and

the process is repeated.

Solution


9/14

The problem is easily fixed. I'm going to install a summary route for the 10.0.0.0/8 subnet pointing to the null

interface. All packets destined to 10.0.0.0/8 with no more specific route will be dropped. Let's do it on r-B:

r-B(config)#ip route 10.0.0.0 255.0.0.0 null 0r-B(config)#exitr-B#

00:17:59: %SYS-5-CONFIG_I: Configured from console by console

And check the routing table:

r-B


D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter areaN1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGPi - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route


10.0.0.0/8 is variably subnetted, 5 subnets, 4 masksC 10.10.0.0/24 is directly connected, Loopback1C 10.10.1.0/24 is directly connected, Loopback2C 10.0.0.2/32 is directly connected, Loopback0S 10.0.0.0/8 is directly connected, Null0C 10.0.1.0/30 is directly connected, FastEthernet0/0O*E2 0.0.0.0/0 [110/1] via 10.0.1.1, 00:07:54, FastEthernet0/0

We see the route is installed. Let's try to ping again:

r-B

r-B#ping 10.20.0.1

Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 10.20.0.1, timeout is 2 seconds:.....Success rate is 0 percent (0/5)r-B#ping 10.30.0.1

Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 10.30.0.1, timeout is 2 seconds:

.....Success rate is 0 percent (0/5)

This time ping is unsuccessful. To finish the job let's configure r-C as well:

r-C#conf tEnter configuration commands, one per line. End with CNTL/Z.r-C(config)#ip route 10.0.0.0 255.0.0.0 null0


10/14

r-C(config)#exit00:19:18: %SYS-5-CONFIG_I: Configured from console by console

And check connectivity from r-C:

r-Cr-C#ping 10.10.0.1

Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 10.10.0.1, timeout is 2 seconds:.....Success rate is 0 percent (0/5)r-C#ping 10.30.0.1

Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 10.30.0.1, timeout is 2 seconds:.....Success rate is 0 percent (0/5)

After effect

OK. One minor problem arises. With the newly installed route we've lost connectivity to 10.30.0.1, our

customers' common services. We have two options. We can advertise network 10.30.0.0/24 under OSPF 1 and

OSPF 2 instance on r-A or redistribute it as an external connected route. I've tested both of them and they are

working. The choice is yours. Here I redistribute it as an external route:

r-A(config)#router ospf 1r-A(config-router)#redistribute connected subnetsr-A(config-router)#exitr-A(config)#exitr-A#00:23:24: %SYS-5-CONFIG_I: Configured from console by console

Let's checkr-B routing table:

r-B





11/14

10.0.0.0/8 is variably subnetted, 9 subnets, 4 masksC 10.10.0.0/24 is directly connected, Loopback1C 10.10.1.0/24 is directly connected, Loopback2O E2 10.0.2.0/30 [110/20] via 10.0.1.1, 00:00:07, FastEthernet0/0C 10.0.0.2/32 is directly connected, Loopback0S 10.0.0.0/8 is directly connected, Null0

O E2 10.0.0.1/32 [110/20] via 10.0.1.1, 00:00:07, FastEthernet0/0C 10.0.1.0/30 is directly connected, FastEthernet0/0O E2 10.30.0.0/24 [110/20] via 10.0.1.1, 00:00:07, FastEthernet0/0O E2 10.30.1.0/24 [110/20] via 10.0.1.1, 00:00:07, FastEthernet0/0O*E2 0.0.0.0/0 [110/1] via 10.0.1.1, 00:10:02, FastEthernet0/0

Loopback1 and Loopback2 subnets appear as E2 routes. Because I want only 10.30.0.0/24 network to bereachable I'll filter the other:

r-A(config)#access-list 30 permit 10.30.0.0 0.0.0.255r-A(config)#router ospf 1r-A(config-router)#distribute-list 30 out connected

And checkr-B routing table once again:

r-B




10.0.0.0/8 is variably subnetted, 6 subnets, 4 masksC 10.10.0.0/24 is directly connected, Loopback1C 10.10.1.0/24 is directly connected, Loopback2C 10.0.0.2/32 is directly connected, Loopback0S 10.0.0.0/8 is directly connected, Null0C 10.0.1.0/30 is directly connected, FastEthernet0/0O E2 10.30.0.0/24 [110/20] via 10.0.1.1, 00:31:27, FastEthernet0/0O*E2 0.0.0.0/0 [110/1] via 10.0.1.1, 00:41:22, FastEthernet0/0

Only 10.30.0.0/24 network is present.

What if testing

And take one step further. If for some reason, we want one customer to access other customer's network?


12/14

We shall redistribute between OSPF instances on r-A. I'm going to redistribute all networks which defeats the

purpose of our scenario but distribute lists or route maps can be used as we did shortly above. Let's configurer-A:

r-A(config)#router ospf 2r-A(config-router)#redistribute ospf 1 subnets

And check new routers in r-C routing table:

r-C




10.0.0.0/8 is variably subnetted, 7 subnets, 4 masksO E2 10.10.1.1/32 [110/2] via 10.0.2.1, 00:00:31, FastEthernet0/0O E2 10.10.0.1/32 [110/2] via 10.0.2.1, 00:00:31, FastEthernet0/0C 10.0.2.0/30 is directly connected, FastEthernet0/0C 10.0.0.3/32 is directly connected, Loopback0S 10.0.0.0/8 is directly connected, Null0C 10.20.0.0/24 is directly connected, Loopback1C 10.20.1.0/24 is directly connected, Loopback2O*E2 0.0.0.0/0 [110/1] via 10.0.2.1, 00:46:31, FastEthernet0/0

All networks form r-B have arrived. So let's try to ping them:

r-C

r-C#ping 10.10.0.1

Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 10.10.0.1, timeout is 2 seconds:.....Success rate is 0 percent (0/5)

Unsuccessful. What is the reason? If we trace the packet we'll see that it reaches r-B, but cannot find its wayback. That is the problem. If we want to connect customers both should have routes to each other. ICMP

packets from r-C arrive with source address of 10.0.2.2 which is r-C nearest interface to 10.10.10.0.1

destination. r-B does not have a route for 10.0.2.0/30 subnet and packets are matched by the 10.0.0.0/8

summary route and dropped. On r-A we have to redistribute the connected 10.0.2.0/30 subnet in OSPF 1

instance.

This is one way. I'm going to do just the opposite. I'll make r-C a member of the 10.30.0.0/24 network

(common customer network services). r-B has a route for this subnet. In real life it is very unlikely but for

testing purposes is highly educational. Let's configure r-C:


13/14

r-C#conf tEnter configuration commands, one per line. End with CNTL/Z.r-C(config)#int loopback3r-C(config-if)#ip address 10.30.0.2 255.255.255.0r-C(config-if)#exitr-C(config)#exit

01:11:48: %SYS-5-CONFIG_I: Configured from console by console

Do a connectivity test with the new source address:

r-C

r-C#ping 10.10.0.1 source 10.30.0.2

Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 10.10.0.1, timeout is 2 seconds:Packet sent with a source address of 10.30.0.2!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max = 192/235/264 ms

Loopback interfaces in OSPF

At last I'd like to say something about loopback interfaces in OSPF. The loopback interface represents a

special network type that is only seen on loopback interfaces. We cannot manually change network type to be a

loopback. If we check it with sh ip ospf interface, the loopback interface is treated as stub host:

r-B

r-B#sh ip ospf interface loopback 2Loopback2 is up, line protocol is up

Internet Address 10.10.1.1/24, Area 0Process ID 1, Router ID 10.0.0.2, Network Type LOOPBACK, Cost: 1Loopback interface is treated as a stub Host

That's why in routing table it is entered as a /32 route. Below is presented a part of the r-C routing table:

r-C

r-C#sh ip route10.0.0.0/8 is variably subnetted, 7 subnets, 4 masks

O E2 10.10.1.1/32 [110/2] via 10.0.2.1, 00:00:31, FastEthernet0/0O E2 10.10.0.1/32 [110/2] via 10.0.2.1, 00:00:31, FastEthernet0/0

We can however change the default network type on a loopback interface just like a normal interface. Now we

can get our loopback interface advertised as a /24 instead of a /32 route.

r-B#conf tEnter configuration commands, one per line. End witr-B(config)#int loopback 1r-B(config-if)#ip ospf network point-to-point


14/14

r-B

r-B#sh ip ospf interface loopback 1Loopback1 is up, line protocol is up

Internet Address 10.10.0.1/24, Area 0Process ID 1, Router ID 10.0.0.2, Network Type POINT_TO_POINT, Cost: 1Transmit Delay is 1 sec, State POINT_TO_POINT,Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5Index 2/2, flood queue length 0Next 0x0(0)/0x0(0)Last flood scan length is 0, maximum is 0Last flood scan time is 0 msec, maximum is 0 msecNeighbor Count is 0, Adjacent neighbor count is 0Suppress hello for 0 neighbor(s)

And if we checkr-C routing table:

r-C




10.0.0.0/8 is variably subnetted, 7 subnets, 4 masks

O E2 10.10.0.0/24 [110/2] via 10.0.2.1, 00:00:47, FastEthernet0/0O E2 10.10.1.1/32 [110/2] via 10.0.2.1, 00:11:08, FastEthernet0/0C 10.0.2.0/30 is directly connected, FastEthernet0/0C 10.0.0.3/32 is directly connected, Loopback0S 10.0.0.0/8 is directly connected, Null0C 10.20.0.0/24 is directly connected, Loopback1C 10.20.1.0/24 is directly connected, Loopback2O*E2 0.0.0.0/0 [110/1] via 10.0.2.1, 00:57:08, FastEthernet0/0

The change is reflected. r-B's loopback1 interface is advertised as a /24 route while loopback2 interface is still

advertised as a host route.

Date post:	07-Apr-2018
Category:	Documents
Upload:	huynh-ba-thanh
View:	225 times
Download:	0 times

Acess Lists and OSPF

Documents