
Access lists and OSPF

Contents
1. Access lists and OSPF routing
2. Network topology
3. Router initial configurations
4. Additional notes
4.1. Default route problem
4.1.1. Solution
4.2. After effect
4.3. What if testing
5. Loopback interfaces in OSPF

Access lists and OSPF routing


You may wonder what OSPF and access lists have in common. In this scenario OSPF instances are used instead of access lists; just read on. In our network we have several big customers with offices spread across the country. All are configured with private addresses and use some services common to all clients (IP telephony, HTTP servers, database and application servers), including the Internet. Requirements state that no customer should be able to access another customer's network. This requirement is enforced through access control lists. With constant changes in the customers' private networks, maintaining such lists is a tedious task. First, they must be configured on every customer premise device individually; there is no template that fits the whole network. With time the ACLs grow quite lengthy, and whenever updates are necessary all configurations must be updated. The process is prone to human error. We are running OSPF as the routing protocol, and my idea is to isolate big customers in separate OSPF instances. In this way a customer will by default have access only to its own network. Unlike EIGRP, more than one OSPF process can be started on a router. The address space of one customer will be advertised only in that customer's own OSPF instance. If we have two customers, we configure two OSPF instances on the ISP router, for example OSPF 1 and OSPF 2. With that in mind I created the following example (see the picture for details): r-A is the ISP core router; r-B and r-C are two customer routers that should have no access to each other's local networks. All networks belong to OSPF area 0.

Network topology

Router initial configurations


Below are the initial router configurations as per network diagram.

Router r-B
r-B#sh run
Building configuration...

Current configuration : 864 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname r-B
!
memory-size iomem 15
ip subnet-zero
!
call rsvp-sync
!
fax interface-type fax-mail
mta receive maximum-recipients 0
!
interface Loopback0
 ip address 10.0.0.2 255.255.255.255
!
interface Loopback1
 ip address 10.10.0.1 255.255.255.0
!
interface Loopback2
 ip address 10.10.1.1 255.255.255.0
!
interface FastEthernet0/0
 description to r-A
 ip address 10.0.1.2 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
router ospf 1
 router-id 10.0.0.2
 log-adjacency-changes
 network 10.0.1.0 0.0.0.3 area 0
 network 10.10.0.0 0.0.255.255 area 0
!
ip classless
ip http server
!
dial-peer cor custom
!
line con 0
line aux 0
line vty 0 4
 login
!
end

Router r-C
r-C#sh run
Building configuration...

Current configuration : 804 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname r-C
!
ip subnet-zero
!
call rsvp-sync
!
fax interface-type fax-mail
mta receive maximum-recipients 0
!
interface Loopback0
 ip address 10.0.0.3 255.255.255.255
!
interface Loopback1
 ip address 10.20.0.1 255.255.255.0
!
interface Loopback2
 ip address 10.20.1.1 255.255.255.0
!
interface FastEthernet0/0
 description to r-A
 ip address 10.0.2.2 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
router ospf 1
 router-id 10.0.0.3
 log-adjacency-changes
 network 10.0.0.0 0.255.255.255 area 0
!
ip classless
ip http server
!
dial-peer cor custom
!
line con 0
line aux 0
line vty 0 4
!
end

Router r-A
r-A#sh run
Building configuration...

Current configuration : 1096 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname r-A
!
ip subnet-zero
!
call rsvp-sync
!
fax interface-type fax-mail
mta receive maximum-recipients 0
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
interface Loopback1
 ip address 10.30.0.1 255.255.255.0
!
interface Loopback2
 ip address 10.30.1.1 255.255.255.0
!
interface FastEthernet0/0
 description to r-B
 ip address 10.0.1.1 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description to r-C
 ip address 10.0.2.1 255.255.255.252
 duplex auto
 speed auto
!
router ospf 1
 router-id 10.0.0.1
 log-adjacency-changes
 network 10.0.1.0 0.0.0.3 area 0
 network 10.10.0.0 0.0.255.255 area 0
 default-information originate always
!
router ospf 2
 log-adjacency-changes
 network 10.0.2.0 0.0.0.3 area 0
 network 10.20.0.0 0.0.255.255 area 0
 default-information originate always
!
ip classless
ip http server
!
dial-peer cor custom
!
line con 0
line aux 0
line vty 0 4
 login
!
end

Additional notes
r-A is running two OSPF instances and is advertising a default route. The default route represents all Internet routes, since we must provide Internet access for all customers. OSPF 1 runs between r-A and r-B for the 10.0.1.0/30 and 10.10.0.0/16 subnets; these are the subnets allocated to customer A. Another instance, OSPF 2, runs between r-A and r-C for the 10.0.2.0/30 and 10.20.0.0/16 subnets; these are the subnets allocated to customer B. r-A has three loopback interfaces. Loopback0 is used as the router ID, while Loopback1 and Loopback2 represent the subnets for common network services, 10.30.0.0/24 and 10.30.1.0/24 respectively.

The loopback interface assignment on r-B and r-C is similar: Loopback0 is the router ID, and Loopback1 and Loopback2 represent local customer networks. Now let's check the r-A routing table:

r-A
r-A#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 10 subnets, 3 masks
O       10.10.1.1/32 [110/2] via 10.0.1.2, 00:00:33, FastEthernet0/0
O       10.10.0.1/32 [110/2] via 10.0.1.2, 00:00:33, FastEthernet0/0
C       10.0.2.0/30 is directly connected, FastEthernet0/1
O       10.0.0.3/32 [110/2] via 10.0.2.2, 00:01:03, FastEthernet0/1
C       10.0.1.0/30 is directly connected, FastEthernet0/0
C       10.0.0.1/32 is directly connected, Loopback0
C       10.30.0.0/24 is directly connected, Loopback1
C       10.30.1.0/24 is directly connected, Loopback2
O       10.20.1.1/32 [110/2] via 10.0.2.2, 00:01:03, FastEthernet0/1
O       10.20.0.1/32 [110/2] via 10.0.2.2, 00:01:03, FastEthernet0/1

We see that r-A knows all subnets. Let's check the r-B routing table:

r-B
r-B#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.0.1.1 to network 0.0.0.0

     10.0.0.0/8 is variably subnetted, 4 subnets, 3 masks
C       10.10.0.0/24 is directly connected, Loopback1
C       10.10.1.0/24 is directly connected, Loopback2
C       10.0.0.2/32 is directly connected, Loopback0
C       10.0.1.0/30 is directly connected, FastEthernet0/0
O*E2 0.0.0.0/0 [110/1] via 10.0.2.1, 00:01:40, FastEthernet0/0

r-B knows about its connected networks and a default route. That's what we need - access only to customer A networks. Let's check the r-C routing table:

r-C
r-C#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.0.2.1 to network 0.0.0.0

     10.0.0.0/8 is variably subnetted, 4 subnets, 3 masks
C       10.0.2.0/30 is directly connected, FastEthernet0/0
C       10.0.0.3/32 is directly connected, Loopback0
C       10.20.0.0/24 is directly connected, Loopback1
C       10.20.1.0/24 is directly connected, Loopback2
O*E2 0.0.0.0/0 [110/1] via 10.0.2.1, 00:01:40, FastEthernet0/0

As expected, r-C knows about its connected networks and a default route. So far so good.

Default route problem


Let's try to ping one of r-C's loopback interfaces from r-B:

r-B
r-B#ping 10.20.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.20.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 216/260/288 ms
r-B#ping 10.30.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.30.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 96/135/172 ms

Both pings succeed. Why? This is because of the default route. If the destination subnet is not in the routing table, and we are sure that 10.20.0.0/24 is not in r-B's routing table, the packet is routed to the gateway of last resort, i.e. r-A. But r-A has a route to the 10.20.0.0/24 network and forwards the packet accordingly. The packet reaches r-C, and the same process is repeated for the reply.

Solution

The problem is easily fixed. I'm going to install a summary route for the 10.0.0.0/8 network pointing to the Null interface. All packets destined for 10.0.0.0/8 with no more specific route will be dropped. Let's do it on r-B:

r-B(config)#ip route 10.0.0.0 255.0.0.0 null 0
r-B(config)#exit
r-B#
00:17:59: %SYS-5-CONFIG_I: Configured from console by console

And check the routing table:

r-B
r-B#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.0.1.1 to network 0.0.0.0

     10.0.0.0/8 is variably subnetted, 5 subnets, 4 masks
C       10.10.0.0/24 is directly connected, Loopback1
C       10.10.1.0/24 is directly connected, Loopback2
C       10.0.0.2/32 is directly connected, Loopback0
S       10.0.0.0/8 is directly connected, Null0
C       10.0.1.0/30 is directly connected, FastEthernet0/0
O*E2 0.0.0.0/0 [110/1] via 10.0.1.1, 00:07:54, FastEthernet0/0

We see the route is installed. Let's try to ping again:

r-B
r-B#ping 10.20.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.20.0.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
r-B#ping 10.30.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.30.0.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

This time the ping is unsuccessful. To finish the job let's configure r-C as well:

r-C#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
r-C(config)#ip route 10.0.0.0 255.0.0.0 null0
r-C(config)#exit
00:19:18: %SYS-5-CONFIG_I: Configured from console by console

And check connectivity from r-C:

r-C
r-C#ping 10.10.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.0.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
r-C#ping 10.30.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.30.0.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

After effect
OK. One minor problem arises. With the newly installed route we've lost connectivity to 10.30.0.1, our customers' common services. We have two options: we can advertise network 10.30.0.0/24 under both the OSPF 1 and OSPF 2 instances on r-A, or redistribute it as an external connected route. I've tested both and they work; the choice is yours. Here I redistribute it as an external route:

r-A(config)#router ospf 1
r-A(config-router)#redistribute connected subnets
r-A(config-router)#exit
r-A(config)#exit
r-A#
00:23:24: %SYS-5-CONFIG_I: Configured from console by console

Let's check the r-B routing table:

r-B
r-B#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.0.1.1 to network 0.0.0.0

     10.0.0.0/8 is variably subnetted, 9 subnets, 4 masks
C       10.10.0.0/24 is directly connected, Loopback1
C       10.10.1.0/24 is directly connected, Loopback2
O E2    10.0.2.0/30 [110/20] via 10.0.1.1, 00:00:07, FastEthernet0/0
C       10.0.0.2/32 is directly connected, Loopback0
S       10.0.0.0/8 is directly connected, Null0
O E2    10.0.0.1/32 [110/20] via 10.0.1.1, 00:00:07, FastEthernet0/0
C       10.0.1.0/30 is directly connected, FastEthernet0/0
O E2    10.30.0.0/24 [110/20] via 10.0.1.1, 00:00:07, FastEthernet0/0
O E2    10.30.1.0/24 [110/20] via 10.0.1.1, 00:00:07, FastEthernet0/0
O*E2 0.0.0.0/0 [110/1] via 10.0.1.1, 00:10:02, FastEthernet0/0

The Loopback1 and Loopback2 subnets appear as E2 routes, together with the other connected subnets of r-A. Because I want only the 10.30.0.0/24 network to be reachable, I'll filter out the others:

r-A(config)#access-list 30 permit 10.30.0.0 0.0.0.255
r-A(config)#router ospf 1
r-A(config-router)#distribute-list 30 out connected

And check the r-B routing table once again:

r-B
r-B#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.0.1.1 to network 0.0.0.0

     10.0.0.0/8 is variably subnetted, 6 subnets, 4 masks
C       10.10.0.0/24 is directly connected, Loopback1
C       10.10.1.0/24 is directly connected, Loopback2
C       10.0.0.2/32 is directly connected, Loopback0
S       10.0.0.0/8 is directly connected, Null0
C       10.0.1.0/30 is directly connected, FastEthernet0/0
O E2    10.30.0.0/24 [110/20] via 10.0.1.1, 00:31:27, FastEthernet0/0
O*E2 0.0.0.0/0 [110/1] via 10.0.1.1, 00:41:22, FastEthernet0/0

Only 10.30.0.0/24 network is present.
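Wildcard-mask matching is what both the network statements in the initial configurations and access-list 30 in the distribute-list above rely on. The following Python is an added example, not code from the original article; the interface addresses, network statements and redistributed prefixes are taken from the configurations and routing tables shown on this page.

```python
import ipaddress

# Added example (not from the original article): IOS wildcard-mask matching as
# used twice on this page, by the OSPF `network` statements that pick which
# interfaces join a process, and by access-list 30 in the distribute-list that
# filters redistributed connected routes.  A wildcard bit of 1 means "don't
# care"; the address matches when every bit the wildcard cares about is equal.

def wildcard_match(addr, base, wildcard):
    """True if addr matches base under the given wildcard (inverse) mask."""
    a = int(ipaddress.ip_address(addr))
    b = int(ipaddress.ip_address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    return (a & care) == (b & care)

def ospf_interfaces(interfaces, network_stmts):
    """Map each interface to the OSPF process whose network statement covers it.
    interfaces: {name: address}; network_stmts: [(process, base, wildcard)]."""
    result = {}
    for name, addr in interfaces.items():
        for process, base, wildcard in network_stmts:
            if wildcard_match(addr, base, wildcard):
                result[name] = process
                break                      # first matching statement wins
    return result

def acl_filter(acl, prefixes):
    """Standard ACL applied to route prefixes: the first matching entry decides,
    with an implicit deny at the end.  acl: [(action, base, wildcard)]."""
    permitted = []
    for prefix in prefixes:
        net = str(ipaddress.ip_network(prefix).network_address)
        for action, base, wildcard in acl:
            if wildcard_match(net, base, wildcard):
                if action == "permit":
                    permitted.append(prefix)
                break
    return permitted

# Interface addresses and network statements from the r-B and r-C configs.
R_B_IFS = {"Loopback0": "10.0.0.2", "Loopback1": "10.10.0.1",
           "Loopback2": "10.10.1.1", "FastEthernet0/0": "10.0.1.2"}
R_B_NET = [(1, "10.0.1.0", "0.0.0.3"), (1, "10.10.0.0", "0.0.255.255")]
R_C_IFS = {"Loopback0": "10.0.0.3", "Loopback1": "10.20.0.1",
           "Loopback2": "10.20.1.1", "FastEthernet0/0": "10.0.2.2"}
R_C_NET = [(1, "10.0.0.0", "0.255.255.255")]

# access-list 30 and the connected routes r-A redistributed into OSPF 1.
ACL_30 = [("permit", "10.30.0.0", "0.0.0.255")]
REDISTRIBUTED = ["10.0.2.0/30", "10.0.0.1/32", "10.30.0.0/24", "10.30.1.0/24"]

if __name__ == "__main__":
    # r-B's Loopback0 is not covered by any statement, which is why r-A never
    # learns 10.0.0.2/32, while r-C's 0.255.255.255 wildcard covers everything.
    print(ospf_interfaces(R_B_IFS, R_B_NET))
    print(ospf_interfaces(R_C_IFS, R_C_NET))
    print(acl_filter(ACL_30, REDISTRIBUTED))   # ['10.30.0.0/24']
```

Running it also explains a detail of the r-A routing table above: 10.0.0.3/32 is present but 10.0.0.2/32 is not, because r-B's network statements never cover its Loopback0.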

What if testing
Let's take it one step further. What if, for some reason, we want one customer to access another customer's network?

We have to redistribute between the OSPF instances on r-A. I'm going to redistribute all networks, which defeats the purpose of our scenario, but distribute lists or route maps can be used as we did shortly above. Let's configure r-A:

r-A(config)#router ospf 2
r-A(config-router)#redistribute ospf 1 subnets

And check the new routes in the r-C routing table:

r-C
r-C#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.0.2.1 to network 0.0.0.0

     10.0.0.0/8 is variably subnetted, 7 subnets, 4 masks
O E2    10.10.1.1/32 [110/2] via 10.0.2.1, 00:00:31, FastEthernet0/0
O E2    10.10.0.1/32 [110/2] via 10.0.2.1, 00:00:31, FastEthernet0/0
C       10.0.2.0/30 is directly connected, FastEthernet0/0
C       10.0.0.3/32 is directly connected, Loopback0
S       10.0.0.0/8 is directly connected, Null0
C       10.20.0.0/24 is directly connected, Loopback1
C       10.20.1.0/24 is directly connected, Loopback2
O*E2 0.0.0.0/0 [110/1] via 10.0.2.1, 00:46:31, FastEthernet0/0

All networks from r-B have arrived. So let's try to ping them:

r-C
r-C#ping 10.10.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.0.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Unsuccessful. What is the reason? If we trace the packet we'll see that it reaches r-B but cannot find its way back. That is the problem: if we want to connect customers, both must have routes to each other. ICMP packets from r-C arrive with a source address of 10.0.2.2, the r-C interface nearest to the 10.10.0.1 destination. r-B does not have a route for the 10.0.2.0/30 subnet, so the reply packets are matched by the 10.0.0.0/8 summary route and dropped. On r-A we would have to redistribute the connected 10.0.2.0/30 subnet into the OSPF 1 instance. That is one way. I'm going to do just the opposite: I'll make r-C a member of the 10.30.0.0/24 network (common customer network services), for which r-B already has a route. In real life this is very unlikely, but for testing purposes it is highly educational. Let's configure r-C:

r-C#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
r-C(config)#int loopback3
r-C(config-if)#ip address 10.30.0.2 255.255.255.0
r-C(config-if)#exit
r-C(config)#exit
01:11:48: %SYS-5-CONFIG_I: Configured from console by console

Do a connectivity test with the new source address:

r-C
r-C#ping 10.10.0.1 source 10.30.0.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.0.1, timeout is 2 seconds:
Packet sent with a source address of 10.30.0.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 192/235/264 ms
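The forwarding behaviour walked through in the default route problem, its Null0 fix and the what-if test above can be reproduced with a small longest-prefix-match forwarder loaded with the routing tables from this page. This is an added Python example, not code from the original article; it simplifies the tables as noted in the comments (connected neighbours as /32 entries, "local" for a router's own addresses), and assumes that r-A learns 10.30.0.2/32 from r-C after Loopback3 is added, which the page does not show.

```python
import ipaddress

# Added example, not from the original article: a minimal longest-prefix-match
# forwarder loaded with the routing tables shown on this page.  Simplifications
# (assumed, not from the page): a directly connected neighbour appears as a /32
# entry pointing at the neighbour router, and "local" means the destination is
# one of this router's own addresses.

def lookup(table, dst):
    """Longest-prefix match over {prefix: nexthop}; None when nothing matches."""
    dst = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), nh) for p, nh in table.items()
            if dst in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen, default=None)

def forward(tables, start, dst, max_hops=8):
    """Trace a packet for dst from router `start`; returns (status, path)."""
    here, path = start, [start]
    for _ in range(max_hops):
        hit = lookup(tables[here], dst)
        if hit is None or hit[1] == "Null0":
            return "dropped", path        # no route, or the Null0 summary won
        if hit[1] == "local":
            return "delivered", path
        here = hit[1]
        path.append(here)
    return "loop", path

def ping(tables, start, src, dst):
    """A ping succeeds only if both the echo request and the reply are delivered."""
    status, out = forward(tables, start, dst)
    if status != "delivered":
        return status + " (request)"
    status, _ = forward(tables, out[-1], src)
    return "ok" if status == "delivered" else status + " (reply)"

# Routing tables from the "sh ip route" outputs before the Null0 routes.
R_A = {"10.0.0.1/32": "local", "10.30.0.0/24": "local", "10.30.1.0/24": "local",
       "10.0.1.0/30": "local", "10.0.1.2/32": "r-B", "10.10.0.1/32": "r-B",
       "10.10.1.1/32": "r-B", "10.0.2.0/30": "local", "10.0.2.2/32": "r-C",
       "10.0.0.3/32": "r-C", "10.20.0.1/32": "r-C", "10.20.1.1/32": "r-C"}
R_B = {"10.0.0.2/32": "local", "10.10.0.0/24": "local", "10.10.1.0/24": "local",
       "10.0.1.0/30": "local", "10.0.1.1/32": "r-A", "0.0.0.0/0": "r-A"}
R_C = {"10.0.0.3/32": "local", "10.20.0.0/24": "local", "10.20.1.0/24": "local",
       "10.0.2.0/30": "local", "10.0.2.1/32": "r-A", "0.0.0.0/0": "r-A"}
INITIAL = {"r-A": R_A, "r-B": R_B, "r-C": R_C}

# After "ip route 10.0.0.0 255.0.0.0 null0" on r-B and r-C.
WITH_NULL = {"r-A": R_A, "r-B": {**R_B, "10.0.0.0/8": "Null0"},
             "r-C": {**R_C, "10.0.0.0/8": "Null0"}}

# What-if test: r-B has 10.30.0.0/24 via r-A, r-C has r-B's loopbacks via r-A and
# its own Loopback3 10.30.0.2/24; r-A learning 10.30.0.2/32 from r-C is assumed.
WHAT_IF = {"r-A": {**R_A, "10.30.0.2/32": "r-C"},
           "r-B": {**WITH_NULL["r-B"], "10.30.0.0/24": "r-A"},
           "r-C": {**WITH_NULL["r-C"], "10.10.0.1/32": "r-A",
                   "10.10.1.1/32": "r-A", "10.30.0.0/24": "local"}}

if __name__ == "__main__":
    print(ping(INITIAL, "r-B", "10.0.1.2", "10.20.0.1"))     # ok (leaks via default route)
    print(ping(WITH_NULL, "r-B", "10.0.1.2", "10.20.0.1"))   # dropped (request)
    print(ping(WHAT_IF, "r-C", "10.0.2.2", "10.10.0.1"))     # dropped (reply)
    print(ping(WHAT_IF, "r-C", "10.30.0.2", "10.10.0.1"))    # ok
```

The third call shows the asymmetric case from the text: the request is delivered to r-B, but r-B's reply to 10.0.2.2 matches the 10.0.0.0/8 Null0 summary, since the /8 is more specific than the default route.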

Loopback interfaces in OSPF


At last I'd like to say something about loopback interfaces in OSPF. The loopback interface represents a special OSPF network type that is only seen on loopback interfaces; we cannot manually set the network type of another interface to loopback. If we check it with sh ip ospf interface, the loopback interface is treated as a stub host:

r-B
r-B#sh ip ospf interface loopback 2
Loopback2 is up, line protocol is up
  Internet Address 10.10.1.1/24, Area 0
  Process ID 1, Router ID 10.0.0.2, Network Type LOOPBACK, Cost: 1
  Loopback interface is treated as a stub Host

That's why it is entered in the routing table as a /32 route. Below is part of the r-C routing table:

r-C
r-C#sh ip route
     10.0.0.0/8 is variably subnetted, 7 subnets, 4 masks
O E2    10.10.1.1/32 [110/2] via 10.0.2.1, 00:00:31, FastEthernet0/0
O E2    10.10.0.1/32 [110/2] via 10.0.2.1, 00:00:31, FastEthernet0/0

We can however change the default network type on a loopback interface just as on a normal interface. This way we get our loopback interface advertised as a /24 instead of a /32 route:

r-B#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
r-B(config)#int loopback 1
r-B(config-if)#ip ospf network point-to-point

r-B
r-B#sh ip ospf interface loopback 1
Loopback1 is up, line protocol is up
  Internet Address 10.10.0.1/24, Area 0
  Process ID 1, Router ID 10.0.0.2, Network Type POINT_TO_POINT, Cost: 1
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
  Index 2/2, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 0, maximum is 0
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 0, Adjacent neighbor count is 0
  Suppress hello for 0 neighbor(s)

And if we check the r-C routing table:

r-C
r-C#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.0.2.1 to network 0.0.0.0

     10.0.0.0/8 is variably subnetted, 7 subnets, 4 masks
O E2    10.10.0.0/24 [110/2] via 10.0.2.1, 00:00:47, FastEthernet0/0
O E2    10.10.1.1/32 [110/2] via 10.0.2.1, 00:11:08, FastEthernet0/0
C       10.0.2.0/30 is directly connected, FastEthernet0/0
C       10.0.0.3/32 is directly connected, Loopback0
S       10.0.0.0/8 is directly connected, Null0
C       10.20.0.0/24 is directly connected, Loopback1
C       10.20.1.0/24 is directly connected, Loopback2
O*E2 0.0.0.0/0 [110/1] via 10.0.2.1, 00:57:08, FastEthernet0/0

The change is reflected: r-B's Loopback1 interface is now advertised as a /24 route, while the Loopback2 interface is still advertised as a host route.
