Routing


How to forcibly remove a single OSPF route

  • 1.  How to forcibly remove a single OSPF route

    Posted 12-15-2017 08:16

    Hi all,

     

    So from my understanding of OSPF if a route to a network is found via OSPF and is in the routing table, in order for that route to be removed from the routing table the path to that network has to be cut off completely, by shutting down interfaces, or physically disconnecting cables etc.

     

    However, what if that particular route is discovered via a VLAN interface where other networks are also accessible via OSPF, and so I can't shut down that interface to remove the said path from the OSPF routing table? For example, if I run the command:

    show ospf route

     

    and get these results:

     

    172.16.58.0/22     Intra Network    IP            2 vlan.3        172.16.23.254
    172.16.60.0/22     Intra Network    IP            2 vlan.3        172.16.23.254
    172.16.64.0/20     Intra Network    IP            2 vlan.3        172.16.23.254
    172.16.64.0/22     Ext2  Network    IP            0 vlan.3        172.16.23.254
    172.16.101.0/24    Intra Network    IP            2 vlan.3        172.16.23.254

     

    As you can see, the problem I'm facing is that there are two networks with an addressing scheme of 172.16.64.0 (although with different masks). This looks like there are two conflicting subnetworks and would cause anything trying to access them to be unsuccessful.

     

    So what if I wanted to remove one of them to get rid of this potential conflict?

     

    So far I have only found the command:

     

    clear ospf database

     

    which appears to clear the whole database, which I don't think would be wise.

     

    Any thoughts or suggestions... am I missing something completely obvious?



  • 2.  RE: How to forcibly remove a single OSPF route

    Posted 12-15-2017 10:19

    Hello,

     

    You have the same OSPF neighbor for both routes, so Your problem with traffic blackholing is very likely NOT on this router.

    You could "remove" 172.16.64.0/22 but only from the routing table on this router - 172.16.64.0/22 is Ext2 & You could use an OSPF "import" policy to block installation of 172.16.64.0/22 in the route table on this router.

    You cannot "remove" 172.16.64.0/22 from the OSPF LSDB on this router.

    BUT - Your neighbor 172.16.23.254 would still get the traffic for 172.16.64.0/22 because 172.16.64.0/20 also covers 172.16.64.0/22, and Your blackholing problem is likely to remain.

    You cannot "remove" 172.16.64.0/20 Intra Network route without resorting to tricks with routing-instances and mutual redistribution.

    Your best bet is to find a router where 172.16.64.0/20 and 172.16.64.0/22 are parting their ways/going in different directions and do the changes there.

    HTH

    Thx
    Alex



  • 3.  RE: How to forcibly remove a single OSPF route

    Posted 12-15-2017 10:56

    Do you see an issue or do you think it's an issue because the first three octets are the same?

     

    "This looks like there are two conflicting subnetworks and would cause anything trying to access them to be unsuccessful." That's not true. There's actually no issue on this router since they both point to the same next hop. There MIGHT be an issue further downstream where those two routes take different directions, but it could have been configured that way on purpose.  You may want to figure out the reasoning behind the two advertisements, before trying to find a solution to a problem that may not exist.



  • 4.  RE: How to forcibly remove a single OSPF route

    Posted 12-18-2017 01:44

    Thanks for the replies,

    Ok, so I put that output as an example but you quite rightly pointed out that the routes point to the same next hop, which in itself would not be a problem. I originally found this "potential" issue on the main core switch/router and the output I put above was from a neighbouring "edge" switch (sorry about that). 

    In this case where I really think there is an issue on the gateway core switch where the two networks are parting ways... here's the output from the core switch/router:

     

    172.16.51.0/26 Ext2 Network IP 0 vlan.5 172.16.2.149
    172.16.54.0/23 Intra Network IP 1 vlan.11
    172.16.56.0/23 Intra Network IP 1 vlan.12
    172.16.58.0/23 Intra Network IP 1 vlan.13
    172.16.60.0/22 Intra Network IP 1 vlan.15
    172.16.64.0/20 Intra Network IP 1 vlan.19
    172.16.64.0/22 Ext2 Network IP 0 vlan.5 172.16.2.149

     

    so the next hop Ext2 (172.16.2.149) addresses are to the outside world.

    - I need 172.16.64.0/20 to be accessible.

    - I think there's an issue with conflicting network paths because of the 172.16.64.0/22 also in the routing table. I have endeavoured as much as possible to find out what this network is for (I also checked to see if any hosts are up on this subnet using the NMAP tool) and it just seems to be a "stale" route to a network that's not in use anymore. 

    - Therefore I want to remove 172.16.64.0/22, but not sure how to do it without affecting the path to the other network also on interface vlan.5, i.e. 172.16.51.0/26, among others which are definitely in use and needed.

     

     

    aarseniev... thanks also for the tip on OSPF import policy, I will look into this further. I'm presuming this is the only way to achieve what I want?



  • 5.  RE: How to forcibly remove a single OSPF route

    Posted 12-19-2017 04:55

    Update....

     

    I have looked into OSPF import policy and haven't noticed any difference. So on the router with IP 172.16.23.254 where the possible routing blackhole exists I applied the following commands:

     

    set protocols ospf import filter_routes
    set policy-options policy-statement filter_routes from route-filter 172.16.64.0/22 exact
    set policy-options policy-statement filter_routes then reject

    I committed the change and ran the "show policy-options" command, with the following output:

     

    policy-statement filter_routes {
        from {
            route-filter 10.16.64.0/22 exact;
        }
        then reject;
    }

    The route is still in the routing table and I have waited well over an hour in case it needs to be refreshed. 

     

    The "show route" and "show ospf route" commands indicated the route is still there and (I think) active.

     

    Should the route no longer appear in the routing table after applying the import policy?

    Have I missed something else?

     

    Any further suggestions would be greatly appreciated.

     

     

     

     



  • 6.  RE: How to forcibly remove a single OSPF route

     
    Posted 12-19-2017 11:17

    Hi Folks,

    Please find some pointers on the import policy for OSPF: after applying the policy, the route will no longer be in the routing table; however, it will still be present in the OSPF database.

     

    Hostname: re0_re0
    Model: mx240
    Junos: 16.1R4.7

    lab@re0_re0:r1> show ospf route extern
    Topology default Route Table:

    Prefix             Path  Route      NH       Metric NextHop       Nexthop
                       Type  Type       Type            Interface     Address/LSP
    172.168.1.0/24     Ext2  Network    IP            0 ge-0/0/1.1    1.1.1.1

    lab@re0_re0:r1> show ospf database area 0 external extensive
        OSPF AS SCOPE link state database
     Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len
    Extern   172.168.1.0      192.168.1.100    0x80000001   847  0x22 0xdbb1  36
      mask 255.255.255.0
      Topology default (ID 0)
        Type: 2, Metric: 0, Fwd addr: 0.0.0.0, Tag: 0.0.0.0
      Aging timer 00:45:52
      Installed 00:13:57 ago, expires in 00:45:53, sent 00:13:47 ago
      Last changed 00:13:57 ago, Change count: 1

    lab@re0_re0:r1> show ospf route
    Topology default Route Table:

    Prefix             Path  Route      NH       Metric NextHop       Nexthop
                       Type  Type       Type            Interface     Address/LSP
    192.168.1.100      Intra AS BR      IP            1 ge-0/0/1.1    1.1.1.1
    192.168.1.102      Intra Router     IP            1 ge-0/0/0.12   1.1.12.2
    192.168.1.103      Intra Router     IP            2 ge-0/0/0.12   1.1.12.2
    192.168.1.104      Intra Area BR    IP            2 ge-0/0/0.12   1.1.12.2
    192.168.1.105      Intra Area BR    IP            3 ge-0/0/0.12   1.1.12.2
    192.168.1.107      Intra Area BR    IP            2 ge-0/0/0.12   1.1.12.2
    192.168.1.110      Intra Router     IP            1 ge-0/0/0.110  1.1.110.1
    1.1.1.0/30         Intra Network    IP            1 ge-0/0/1.1
    1.1.12.0/30        Intra Network    IP            1 ge-0/0/0.12
    1.1.23.0/30        Intra Network    IP            2 ge-0/0/0.12   1.1.12.2
    1.1.24.0/30        Intra Network    IP            2 ge-0/0/0.12   1.1.12.2
    1.1.27.0/30        Intra Network    IP            2 ge-0/0/0.12   1.1.12.2
    1.1.35.0/30        Intra Network    IP            3 ge-0/0/0.12   1.1.12.2
    1.1.43.0/30        Intra Network    IP            3 ge-0/0/0.12   1.1.12.2
    1.1.56.0/30        Inter Network    IP            4 ge-0/0/0.12   1.1.12.2
    1.1.73.0/30        Intra Network    IP            3 ge-0/0/0.12   1.1.12.2
    1.1.78.0/30        Inter Network    IP            3 ge-0/0/0.12   1.1.12.2
    1.1.89.0/30        Inter Network    IP            4 ge-0/0/0.12   1.1.12.2
    1.1.110.0/30       Intra Network    IP            1 ge-0/0/0.110
    1.1.114.0/30       Inter Network    IP            3 ge-0/0/0.12   1.1.12.2
    172.168.1.0/24     Ext2  Network    IP            0 ge-0/0/1.1    1.1.1.1 ///// interested prefix
    192.168.1.100/32   Intra Network    IP            1 ge-0/0/1.1    1.1.1.1
    192.168.1.101/32   Intra Network    IP            0 lo0.101
    192.168.1.102/32   Intra Network    IP            1 ge-0/0/0.12   1.1.12.2
    192.168.1.103/32   Intra Network    IP            2 ge-0/0/0.12   1.1.12.2
    192.168.1.104/32   Intra Network    IP            2 ge-0/0/0.12   1.1.12.2
    192.168.1.105/32   Inter Network    IP            3 ge-0/0/0.12   1.1.12.2
    192.168.1.107/32   Intra Network    IP            2 ge-0/0/0.12   1.1.12.2
    192.168.1.108/32   Inter Network    IP            3 ge-0/0/0.12   1.1.12.2
    192.168.1.110/32   Intra Network    IP            1 ge-0/0/0.110  1.1.110.1
    192.168.1.111/32   Inter Network    IP            3 ge-0/0/0.12   1.1.12.2

    lab@re0_re0:r1> show ospf route extern extensive
    Topology default Route Table:

    Prefix             Path  Route      NH       Metric NextHop       Nexthop
                       Type  Type       Type            Interface     Address/LSP
    172.168.1.0/24     Ext2  Network    IP            0 ge-0/0/1.1    1.1.1.1
      area 0.0.0.0, origin 192.168.1.100, priority medium

    lab@re0_re0:r1> show ospf route extern extensive
    Topology default Route Table:

    Prefix             Path  Route      NH       Metric NextHop       Nexthop
                       Type  Type       Type            Interface     Address/LSP
    172.168.1.0/24     Ext2  Network    IP            0 ge-0/0/1.1    1.1.1.1
      area 0.0.0.0, origin 192.168.1.100, priority low

    lab@re0_re0:r1> show route 172.168.1.0/24

    lab@re0_re0:r1> edit
    Entering configuration mode

    [edit]
    lab@re0_re0:r1# deactivate protocols ospf import

    [edit]
    lab@re0_re0:r1# commit and-quit
    ^[[A^[[Acommit complete
    Exiting configuration mode

    lab@re0_re0:r1> show route 172.168.1.0/24

    inet.0: 28 destinations, 28 routes (28 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    172.168.1.0/24     *[OSPF/150] 00:00:02, metric 0, tag 0
                        > to 1.1.1.1 via ge-0/0/1.1

    lab@re0_re0:r1> edit
    Entering configuration mode

    [edit]
    lab@re0_re0:r1# activate protocols ospf import

    [edit]
    lab@re0_re0:r1# commit and-quit
    ^[[A^[[Acommit complete
    Exiting configuration mode

    lab@re0_re0:r1> show route 172.168.1.0/24

    lab@re0_re0:r1> show ospf route 172.168.1.0/24
    Topology default Route Table:

    Prefix             Path  Route      NH       Metric NextHop       Nexthop
                       Type  Type       Type            Interface     Address/LSP
    172.168.1.0/24     Ext2  Network    IP            0 ge-0/0/1.1    1.1.1.1

    lab@re0_re0:r1> show ospf route 172.168.1.0/24 extensive
    Topology default Route Table:

    Prefix             Path  Route      NH       Metric NextHop       Nexthop
                       Type  Type       Type            Interface     Address/LSP
    172.168.1.0/24     Ext2  Network    IP            0 ge-0/0/1.1    1.1.1.1
      area 0.0.0.0, origin 192.168.1.100, priority low

    lab@re0_re0:r1> show configuration policy-options policy-statement ospf
    term 1 {
        from {
            protocol ospf;
            external;
            route-filter 172.168.1.0/24 exact;
        }
        then reject;
    }

    lab@re0_re0:r1> show configuration protocols ospf
    traffic-engineering;
    import ospf;
    area 0.0.0.1 {
        interface lo0.101;
        interface ge-0/0/1.1 {
            interface-type p2p;
        }
    }
    area 0.0.0.0 {
        interface ge-0/0/0.12 {
            interface-type p2p;
        }
    }
    area 0.0.0.3 {
        nssa;
        interface ge-0/0/0.110 {
            interface-type p2p;
        }
    }

    lab@re0_re0:r1>



  • 7.  RE: How to forcibly remove a single OSPF route

     
    Posted 12-19-2017 19:08

    Also, something to keep in mind...

     

    OSPF import policy allows you to prevent external routes from being added to the routing tables of OSPF neighbors. The import policy does not impact the OSPF database. This means that the import policy has no impact on the link-state advertisements. The filtering is done only on external routes in OSPF. The intra-area and interarea routes are not considered for filtering. The default action is to accept the route when the route does not match the policy.

     

    https://www.juniper.net/documentation/en_US/junos/topics/example/ospf-import-routing-policy-configuring.html

     



  • 8.  RE: How to forcibly remove a single OSPF route

    Posted 12-20-2017 13:05

    Having the two routes there would have this behavior:

    - Any traffic destined for 172.16.64.0-67.255 will go to vlan.5

    - Any traffic destined for 172.16.68.0-79.255 will go to vlan.19

     

    Now if this is not the desired behavior and you want all traffic destined for 172.168.64.0-79.255 to go to vlan.19, then find the ASBR and remove 172.16.64.0/22 from the export policy.
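
The longest-prefix-match behaviour described in the reply above, as an added example that is not part of the original thread: it parses the core switch/router `show ospf route` lines posted earlier, resolves sample destinations the way the forwarding lookup does, and flags any external route that is a more-specific subnet of an intra/inter-area prefix but leaves by a different interface. The function names (`parse_routes`, `lookup`, `external_overrides`) are hypothetical helpers, and the parser assumes the single-line column layout shown in that post.

```python
import ipaddress
import re

# Route lines as posted in this thread for the core switch/router (reply 4).
CORE_OSPF_ROUTES = """\
172.16.51.0/26 Ext2 Network IP 0 vlan.5 172.16.2.149
172.16.54.0/23 Intra Network IP 1 vlan.11
172.16.56.0/23 Intra Network IP 1 vlan.12
172.16.58.0/23 Intra Network IP 1 vlan.13
172.16.60.0/22 Intra Network IP 1 vlan.15
172.16.64.0/20 Intra Network IP 1 vlan.19
172.16.64.0/22 Ext2 Network IP 0 vlan.5 172.16.2.149
"""

# One "Network" line: prefix, path type, metric, egress interface, optional next hop.
ROUTE_RE = re.compile(
    r"^\s*(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+(?P<path>Intra|Inter|Ext1|Ext2)\s+"
    r"Network\s+IP\s+(?P<metric>\d+)\s+(?P<ifname>\S+)(?:\s+(?P<nexthop>\S+))?\s*$"
)

def parse_routes(text):
    """Return one dict per 'Network' route line; headers and other lines are ignored."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            route = m.groupdict()
            route["net"] = ipaddress.ip_network(route["prefix"])
            routes.append(route)
    return routes

def lookup(routes, dest):
    """Longest-prefix match: the most specific covering route wins, whatever its path type."""
    addr = ipaddress.ip_address(dest)
    covering = [r for r in routes if addr in r["net"]]
    return max(covering, key=lambda r: r["net"].prefixlen, default=None)

def external_overrides(routes):
    """(external, internal) pairs where an external route is a strictly more-specific
    subnet of an intra/inter-area route and uses a different egress interface."""
    return [(ext, inner) for ext in routes for inner in routes
            if ext["path"].startswith("Ext") and not inner["path"].startswith("Ext")
            and ext["net"].prefixlen > inner["net"].prefixlen
            and ext["net"].subnet_of(inner["net"])
            and ext["ifname"] != inner["ifname"]]

if __name__ == "__main__":
    table = parse_routes(CORE_OSPF_ROUTES)
    for dest in ("172.16.64.1", "172.16.70.1"):
        print(dest, "->", lookup(table, dest)["ifname"])
    for ext, inner in external_overrides(table):
        print("override:", ext["prefix"], "via", ext["ifname"],
              "inside", inner["prefix"], "via", inner["ifname"])
```
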



  • 9.  RE: How to forcibly remove a single OSPF route

    Posted 12-21-2017 03:25

    So if I was to ping host address 172.16.64.1, for example, how would the router know which vlan interface to send the traffic out of? One route is external and the other is intra-area. Doesn't routing work by prioritising the most specific path first, which is exactly what it was doing when I did a traceroute to the host address, i.e. it took the external /22 path and not the desired internal /20.

     

    Anyway, after further digging and investigating I managed to access the ASBR and remove that /22 route, which has resolved this specific issue (and thank you all for pointing me in the right direction).

     

    However I have been left with a different issue now. I am still unable to ping a test host on the 172.16.64.0/20 subnet from a different subnet. These are the troubleshooting steps I took:

     

    - ping from the gateway address of 172.16.79.254/20 to 172.16.64.1 (test host) - successful

    - ping from host 172.16.64.1 to a test host on a different subnet and vlan 172.16.32.1/23 - successful

    - ping within router with source address 172.16.23.254 to svi address of 172.16.79.254 (vlan.19) - successful

    - ping from host 172.16.32.1/23 to 172.16.64.1/20 - unsuccessful

    - ping within router with source address 172.16.23.254 to host 172.16.64.1 - unsuccessful

    - I checked that a route to subnet 172.16.64.0/20 exists in the routing table, which of course is a direct route, but it also exists in the ospf table.

     

    I'm stumped by this, the host 172.16.64.1 is clearly up because I can ping it from within its subnet. There is a path back because this same host can ping to a different subnet. The router can ping the gateway address of 172.16.79.254, but just not this host on the subnet. I should point out that this host is on a VM in a local data centre.

     

    Also, sorry if this is off topic, I can start a new topic for this.



  • 10.  RE: How to forcibly remove a single OSPF route

     
    Posted 12-21-2017 17:37

    If this is an SRX in flow mode, that would indicate the need for a security policy update from zone to zone in the direction the ping is not working.