Friday 3 July 2015

How NOT to back-out from BGP redistribution into OSPF

Recently I learned the hard way how not to back out of a dual-ISP optimization project that included BGP redistribution into OSPF with prefix-list filtering.

At one of the large regional offices there are two internet routers (router-A and router-B) that peer with two distinct ISPs (ISP-A and ISP-B) and learn the entire BGP table from both. Currently we prefer one of these carrier circuits (ISP-B) for outbound traffic, which leaves the other sitting idle. This is not an efficient use of resources.

Goal: allow the internal network to have two equal-cost paths to the internet, one via router-A and one via router-B.

The internal network runs OSPF, so this can be accomplished by redistributing a default route from BGP into OSPF on both routers; the firewall at the edge of the internal network then learns the default route from each of them with equal cost.

I could have accomplished the end goal by other means, but there were already settings in place that dictated this direction, so I went with it. The plan, on each router:

1. Create a prefix-list that matches exactly what I want to allow (only 0.0.0.0/0).
2. Create a route-map that matches the prefix-list.
3. Redistribute BGP into OSPF with the safety net of the route-map that references the prefix-list.
4. Verify with `show run | section ospf` that the route-map is actually attached to the redistribute statement.

router-A(config)#ip prefix-list JUST-DEFAULT-PREFIX permit 0.0.0.0/0
!
router-A(config)#route-map JUST-DEFAULT permit 10
router-A(config-route-map)#match ip address prefix-list JUST-DEFAULT-PREFIX
router-A(config-route-map)#exi
!
!
router-A(config)#
router-A(config)#router ospf 1
router-A(config-router)#router-id 1.1.1.1
router-A(config-router)#redistribute bgp 1234 route-map JUST-DEFAULT subnets
!
router-A(config-router)#network 1.1.1.1 0.0.0.0 area 1
router-A(config-router)#end
router-A#
*May 20 09:27:02.066: %SYS-5-CONFIG_I: Configured from console by console
router-A#sho run | sec ospf
router ospf 1
 router-id 1.1.1.1
 redistribute bgp 1234 subnets route-map JUST-DEFAULT
 network 1.1.1.1 0.0.0.0 area 1
!

- At this stage I have achieved the outcome of redistributing only the default route into OSPF area 1. I followed up with a similar configuration on router-B (left out for brevity).

All is well........ not really. I have only learned one default route, because router-B sets its local preference to 200, which makes it the only default route in the area. I need to go back and fix that, so to be safe I want to back out my configuration in case I mess things up.

So here goes!


router-A#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
router-A(config)#router ospf 1
router-A(config-router)#no redistribute bgp 1234 subnets route-map JUST-DEFAULT      
router-A(config-router)#end
router-A#sho run
*May 20 09:27:27.880: %SYS-5-CONFIG_I: Configured from console by console
router-A#sho run | sec ospf
router ospf 1
 router-id 1.1.1.1
 redistribute bgp 1234 subnets
 network 1.1.1.1 0.0.0.0 area 1
router-A#


Look closely at the running configuration for OSPF. The `redistribute` command is still there: the `no` form with the trailing keywords removed only the route-map option and left `redistribute bgp 1234 subnets` in place. There is no longer a safety net of a route-map or prefix-list, or even an umbrella for the rain... and it was raining BGP prefixes. Router-A is now redistributing its full BGP table, i.e. the entire internet routing table, into OSPF as external LSAs.

The entire network came crashing down. Every L3 device participating in OSPF got its memory and CPU bludgeoned by a massive influx of the entire internet routing table. I've just brought down the entire global network! It was like a tsunami!

I've just redistributed the entire BGP table into OSPF.


Lessons learnt:

Do not redistribute BGP into OSPF unless it is absolutely necessary. If all the IGP needs is a default route, OSPF can originate one itself with `default-information originate` under `router ospf`, and no BGP route ever has to enter the IGP. If you really must redistribute, add a second, independent guard that does not depend on the route-map staying attached: an OSPF `distribute-list prefix <name> out bgp <AS>` filters what is redistributed from that BGP process even if the route-map is later stripped from the redistribute statement.

If you want to back out of a BGP-to-OSPF redistribution, specify only `no redistribute bgp <AS>`, with no trailing keywords. If you repeat the keywords (`subnets`, `route-map ...`), the CLI interprets the command as removing just those supplementary options and leaves the bare `redistribute bgp <AS>` in place, which is exactly what happened above. Whatever you type, confirm the result with `show run | section ospf` before leaving the session, and watch the external LSA count with `show ip ospf database database-summary`. To my outrage!
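The failure above is visible in the running configuration before it bites: a `redistribute bgp` line with neither a route-map nor an OSPF distribute-list covering the same AS. The Python below is an added example, not code from the original post, that lints the text of `show run | section ospf` for exactly that condition and emits the keyword-free back-out command. The three sample configurations are constructed to mirror the post's before and after states plus a distribute-list variant; the config text is assumed to have been pasted or exported locally rather than pulled from the device.

```python
"""Lint IOS 'router ospf' blocks for unguarded BGP redistribution.

Added example (not from the original post). Parses the text of
`show run | section ospf` and flags every `redistribute bgp <asn>` line
that has neither an inline `route-map` nor a `distribute-list ... out bgp <asn>`
in the same OSPF process.
"""
import re

# Constructed sample configs mirroring the post's states (hypothetical router-A).
SAFE_CONFIG = """\
router ospf 1
 router-id 1.1.1.1
 redistribute bgp 1234 subnets route-map JUST-DEFAULT
 network 1.1.1.1 0.0.0.0 area 1
!
"""

# What `no redistribute bgp 1234 subnets route-map JUST-DEFAULT` left behind.
BROKEN_CONFIG = """\
router ospf 1
 router-id 1.1.1.1
 redistribute bgp 1234 subnets
 network 1.1.1.1 0.0.0.0 area 1
!
"""

# Same bare redistribute, but guarded by an OSPF distribute-list for that AS.
DLIST_CONFIG = """\
router ospf 1
 router-id 1.1.1.1
 redistribute bgp 1234 subnets
 distribute-list prefix JUST-DEFAULT-PREFIX out bgp 1234
 network 1.1.1.1 0.0.0.0 area 1
!
"""

SECTION_RE = re.compile(r"^router ospf (\S+)")
REDIST_RE = re.compile(r"^\s*redistribute bgp (\d+)\b(?P<opts>.*)$")
ROUTE_MAP_RE = re.compile(r"\broute-map\s+\S+")
DLIST_RE = re.compile(r"^\s*distribute-list (?:prefix )?\S+ out bgp (\d+)\b")


def ospf_sections(config):
    """Split IOS config text into {process_id: [indented lines]} per 'router ospf' block."""
    sections = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
            continue
        if current is None:
            continue
        # A block ends at '!' or at the next unindented (top-level) command.
        if line == "!" or (line and not line[0].isspace()):
            current = None
            continue
        sections[current].append(line)
    return sections


def unguarded_redistribution(config):
    """Return [(ospf_process, bgp_asn)] for each redistribute statement that is
    guarded by neither a route-map nor a distribute-list for that ASN."""
    findings = []
    for pid, lines in ospf_sections(config).items():
        guarded_asns = {m.group(1) for m in map(DLIST_RE.match, lines) if m}
        for line in lines:
            m = REDIST_RE.match(line)
            if not m:
                continue
            asn = m.group(1)
            if ROUTE_MAP_RE.search(m.group("opts")) or asn in guarded_asns:
                continue
            findings.append((pid, asn))
    return findings


def backout_commands(config):
    """Commands that remove BGP redistribution entirely: the bare
    'no redistribute bgp <asn>' with no trailing keywords, per OSPF process."""
    cmds = []
    for pid, lines in ospf_sections(config).items():
        for line in lines:
            m = REDIST_RE.match(line)
            if m:
                cmds.append(f"router ospf {pid}\n no redistribute bgp {m.group(1)}")
    return cmds


if __name__ == "__main__":
    for name, cfg in (("safe", SAFE_CONFIG), ("broken", BROKEN_CONFIG), ("dlist", DLIST_CONFIG)):
        print(f"{name}: unguarded = {unguarded_redistribution(cfg)}")
    print("\n".join(backout_commands(SAFE_CONFIG)))
```

Run it against the output of `show run | section ospf` captured both before and after a change; a non-empty result from `unguarded_redistribution` is the signal to stop and fix the statement before the LSAs spread. The linter deliberately treats a distribute-list as an acceptable guard on its own, because it keeps filtering even when the route-map is dropped from the redistribute line.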


-Jason




Sunday 14 September 2014

Site To Site VPN + PAT

There may be occasions when you have offices that are geographically separated. For example, one office is in Ontario, Canada, and another office is located in Sydney, Australia. You may also need both offices to share data and services privately and securely. This can be achieved by setting up what is known as a site-to-site virtual private network (VPN) between the two locations, using the internet as the transport.

Using a VPN between the two locations provides the simple benefit of being able to access data and services on your private networks, while encrypting and authenticating that traffic so that its confidentiality and integrity are preserved as it moves from one location to the other.

There are many other options available to achieve this result, yet using the omnipresent internet connection provided by the ISPs in the different geographies provides a more cost effective solution.

Wednesday 20 August 2014

Setting up NAT for a small office - very easy!

NAT is known as the technology that is helping IPv4 hold on for dear life. It works by translating private IP addresses to internet-routable addresses, since private IP addresses are not routable on the internet. IPv4 has three private address blocks (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16), defined in RFC 1918. These private IPv4 addresses are typically used for internal devices like your servers, PCs, laptops, tablets, cell phones, printers, etc. For these devices to access the internet, their addresses have to be translated to routable addresses before the traffic is forwarded on the internet.

Friday 9 November 2012

Computer Networking and the CCNA


Computer networking is a very wholesome endeavor, as almost every organization, including homes, has some sort of computer network in use. Computer networking allows for collaboration by sharing documents, pictures, videos, and other media, whether for profit, education, entertainment, fun, or anything in between.


Friday 21 September 2012

My Network Story ... part 2


Here goes.... this was hard to publish!

I couldn't get enough of Commandos and wanted a computer at home for myself. Back then there was no concept of the internet and the computer I started out with was brutally slain by my own hands which meant I could only play Commandos when I went to school. Yeah, being captain of the chess team, practicing the high jump, and training for the Dacosta cup team, studying for A level Math, Physics, Technical Drawing, and the General Paper, I would still find time to play my Commandos...did I love me some army tactics or what.

Thursday 5 April 2012

IPv6 - It is Upon Us

World IPv6 Launch is June 6, 2012. On this day, ISPs, web hosters, some major web sites, and some major organizations will turn on IPv6 and leave it on indefinitely. This will be a ground-breaking day for IPv6 and the major shift from IPv4 ..... maybe we are staring down the millennium bug all over again, or maybe we are about to really unleash the power of the internet.

IPv6 is much like doctors developing a new cure. Think about it, when's the last time you've heard of a cure for anything? People still get the common cold and some are fashion deprived..... couldn't one of these many doctors find a cure for one of these things... I have nothing against doctors... I digress!

IPv6 will first cure the shortage of addresses we've been encountering with IPv4. The internet will become a truly globalized landscape where every device can have an IP address that is routable.

The best part is IPv6 has a bigger round number than IPv4!

Thursday 9 February 2012

Your Personal Tracking Service ... part 2


MAKING A CALL... This is how the system works:



Two people on a phone call create an end-to-end connection that works much like two computers sharing data. Between them exists a network of routers and switches that use a host of protocols and services to facilitate the transaction. From a networking standpoint, a cell phone operates in a similar fashion, so we can look at a few simple scenarios that illustrate this: