Using zebra for OSPF within consume.net

OSPF Theory

http://relcom.net/CURS/OSPF/1.html

Getting zebra

Unfortunately zebra is buggy, and to get a working version you need to grab it from cvs and then apply a couple of patches.

Getting zebra from cvs

More details on the zebra website here.

% CVSROOT=":pserver:anoncvs@anoncvs.zebra.org:/cvsroot"
% export CVSROOT
% cvs login					(the password is anoncvs)
% cvs checkout -D "2002-03-29 17:00" zebra

The date in the checkout line above is important: it's the date this doc was written, so if zebra changes in the future (as it's likely to) this doc won't become incorrect.

Patching

You need two patches:

Applying the patches

% cd zebra			(this dir should contain README, NEWS, configure etc...)
% patch < path/to/zebra.rib.c.patch
% cd ospfd
% patch < path/to/ospf_packet.c.patch

Easy ;-)

Configuring

% ./configure --disable-ipv6

N.B. we're not yet using ipv6 within consume, so I like to disable it as it's just another thing to go wrong, but you can leave it enabled if you like...

Compiling

% gmake			(or just 'make' if 'make' is gnu make on your system).

Installing

% su
# gmake install

Configuring zebra

Boot strapping zebra and ospfd

Zebra

Grab zebra.conf and ospfd.conf, copy them to /usr/local/etc.

Now start zebra:

# /usr/local/sbin/zebra -dl

And connect to the zebra daemon:

# telnet localhost zebra

If you can't connect then check /var/log/zebra.log to see if it has any excuses.

The default password is 'fish'; now we are going to change it.

First we put zebra in 'enable' mode (this is a lot like su-ing to root).

zebra> enable 

Yup, the password is fish again. The prompt should change to a # after you've typed it (you should see something like this):

zebra> enable
Password: 
zebra#

Now we need to tell zebra we're going to configure it, so type:

zebra# configure terminal

At this point it's probably helpful to point out that zebra supports command line editing, tab completion, and command history...

If you're offered multiple choices when you hit tab you can type '?' to get brief help on the commands available.

Your screen should look something like this:

zebra# configure terminal 
zebra(config)#

First things first, let's change those passwords:

zebra(config)# 
zebra(config)# password <passwd>
zebra(config)# enable password <passwd>

Ok, let's check the changes we made. First, type exit to get out of configure mode, then:

zebra# show running-config

You can abbreviate it to sh run if you like.

You can now page through the config file, now with new encrypted passwords!

You'll also notice something else - remember all those comments that were in the config file? Well zebra ignores them, and they will disappear... (yes, this does suck).

Press space to page through the end of the config file

Now we'd better change the hostname to the hostname (or nodename) of this box. This will help if you ever cut and paste stuff from zebra to show other people for debugging reasons, or if you have multiple machines.

Enter config mode as we did before and then type:

zebra(config)# hostname <yourhostname>
<yourhostname>(config)#

As you can see the prompt changes to the hostname you just set

Saving your changes

This is important! If you forget to do this all your changes will be lost.

In enable mode type copy running-config startup-config; you should see something like this:

<yourhostname># copy running-config startup-config 
Configuration saved to /usr/local/etc/zebra.conf
<yourhostname>#

copy running-config startup-config can be (and usually is) abbreviated to cop run sta. Say it out loud in any pub and anyone who's ever been anywhere near a Cisco will look around them in surprise and alarm.

Seriously though, this is the most common cause of problems with zebra and Cisco IOS: you forget to save the config, the box gets rebooted later (weeks? months?) and it doesn't work.

So as you lie awake in bed tonight repeat cop run sta to yourself 50 times. One day you may even thank me for it.

On another note (unless you're configuring static routes) you'll probably never need to touch zebra again.

ospfd

Ok, run ospfd:

# /usr/local/sbin/ospfd -d

and connect to it:

% telnet localhost ospfd

Now log in as you did with zebra, and change the passwords and the hostname.

list interfaces
choose which ones to use
enable ospf
router-id
redistribute connected route-map just-10
passive-interface unused interfaces
add a 'description' to the interfaces you plan to use.
add a 'cost' to the interfaces you plan to use.
generate a md5 'key' (just 8 hex digits).
then, in the 'router ospf' section:
network base/mask area 0
now exit out of config mode
'sh ip ospf neighbor'
'sh ip ospf database'
run a packet sniffer to check
'terminal monitor' to get logging to your terminal
'no terminal monitor' to switch it off.
fiddle.
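The steps above turn on md5 authentication with 'ip ospf authentication message-digest' and a 'message-digest-key'. To show what that key actually protects, here is an added example (not part of this howto and not zebra's code) that builds a constructed OSPFv2 Hello packet, appends the cryptographic authentication trailer as RFC 2328 Appendix D describes it, and checks the trailer and sequence number on receipt the way a neighbour would. Router ids, intervals and the key are made up; zero-padding a short key to 16 bytes is the usual implementation convention and is assumed here. One thing worth knowing when you generate the key: the field is 16 bytes, so an 8 hex digit key uses only half of it.

```python
"""OSPFv2 cryptographic (MD5) authentication, RFC 2328 Appendix D.

Added example, not part of the original howto or of zebra: build a
constructed Hello packet, sign it the way 'ip ospf authentication
message-digest' / 'ip ospf message-digest-key N md5 <key>' do, and verify
the trailer plus the cryptographic sequence number on receipt.  All
addresses, intervals and key material below are made up.
"""
import hashlib
import hmac
import struct
from socket import inet_aton

OSPF_VERSION = 2
OSPF_TYPE_HELLO = 1
AUTYPE_CRYPTOGRAPHIC = 2
KEY_LEN = 16      # the key is 16 bytes; shorter keys are zero-padded (implementation convention)
HEADER_LEN = 24   # fixed OSPFv2 header


def pad_key(key: bytes) -> bytes:
    """Zero-pad a configured key to 16 bytes; empty or longer keys are rejected."""
    if not key or len(key) > KEY_LEN:
        raise ValueError("OSPF MD5 keys are 1..16 bytes")
    return key.ljust(KEY_LEN, b"\x00")


def hello_body(hello_int: int, dead_int: int, neighbours) -> bytes:
    """Hello body (RFC 2328 A.3.2) for a point-to-point link: mask 0.0.0.0, no DR/BDR."""
    body = struct.pack("!4sHBBI4s4s",
                       inet_aton("0.0.0.0"),   # network mask (unused on p2p links)
                       hello_int,
                       0x02,                   # options: E bit (external routing capable)
                       1,                      # router priority
                       dead_int,
                       inet_aton("0.0.0.0"),   # designated router
                       inet_aton("0.0.0.0"))   # backup designated router
    return body + b"".join(inet_aton(n) for n in neighbours)


def sign_packet(router_id: str, area_id: str, body: bytes,
                key_id: int, key: bytes, seq: int) -> bytes:
    """Return header + body + 16-byte MD5 trailer.

    With AuType 2 the checksum field is zero and the 64-bit authentication
    field holds 0x0000, the key id, the digest length (16) and the
    cryptographic sequence number (RFC 2328 D.3).  The length field excludes
    the trailer; the digest is MD5(packet || padded key) per D.4.3.
    """
    length = HEADER_LEN + len(body)
    header = struct.pack("!BBH4s4sHHHBBI",
                         OSPF_VERSION, OSPF_TYPE_HELLO, length,
                         inet_aton(router_id), inet_aton(area_id),
                         0,                        # checksum: zero for AuType 2
                         AUTYPE_CRYPTOGRAPHIC,
                         0, key_id, KEY_LEN, seq)  # authentication field
    packet = header + body
    return packet + hashlib.md5(packet + pad_key(key)).digest()


def verify_packet(packet: bytes, keys: dict, last_seq: int) -> tuple:
    """Check a received packet as a neighbour would.

    keys maps key id -> key bytes (several may be configured for rollover).
    Returns (accepted, seq).  Rejects a malformed trailer, an unknown key id,
    a bad digest, and a sequence number below the last accepted one (the
    replay check the sequence number exists for).
    """
    if len(packet) < HEADER_LEN + KEY_LEN:
        return False, last_seq
    length = struct.unpack("!H", packet[2:4])[0]
    autype = struct.unpack("!H", packet[14:16])[0]
    key_id, auth_len = packet[18], packet[19]
    seq = struct.unpack("!I", packet[20:24])[0]
    if autype != AUTYPE_CRYPTOGRAPHIC or auth_len != KEY_LEN or len(packet) != length + KEY_LEN:
        return False, last_seq
    if key_id not in keys or seq < last_seq:
        return False, last_seq
    expected = hashlib.md5(packet[:length] + pad_key(keys[key_id])).digest()
    if not hmac.compare_digest(expected, packet[length:]):
        return False, last_seq
    return True, seq


if __name__ == "__main__":
    key = b"c0ffee12"                                   # constructed 8-hex-digit key
    body = hello_body(10, 40, ["10.1.12.38"])
    pkt = sign_packet("10.1.12.34", "0.0.0.0", body, 1, key, 1000)
    print(verify_packet(pkt, {1: key}, 999))            # (True, 1000)
    bad = pkt[:30] + bytes([pkt[30] ^ 0x01]) + pkt[31:]  # flip one body byte
    print(verify_packet(bad, {1: key}, 999))            # (False, 999)
```

Running it signs one Hello and shows that a single flipped byte, a wrong key, an unknown key id or a re-sent (lower) sequence number is refused, which is what the per-interface 'message-digest-key' buys you on a tunnel or wireless link.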

Commented config files

zebra.conf

!
! comments are lines starting with '!'
!
! Pretty simple - this machine's hostname, used in the prompt...
!
hostname mostly
! encrypted passwords end up on the two lines below
password 8 [passwd]
enable password 8 [passwd]
!
! Log files.
!
log file /var/log/zebra.log
log record-priority
!
! This gives us command line completion and command history.
!
service advanced-vty
!
! Encrypt the passwords in this file, nice ;-)
!
service password-encryption
!
! These two give us a bit more logging, switch them off if you like.
!
debug zebra events
debug zebra kernel
!
!
! List of the interfaces on this machine.
! Note that zebra itself does nothing with this list, so just ignore it.
!
interface le0
!
interface lo0
!
interface gre0
!
interface gre1
!
interface gre2
!
!
!
! Ok, this bit is critical for *BSD machines.
!
! The way that the linux and BSD ip stacks handle multicast is different.
! The BSD's need a route to the multicast destination before they will send
! any packets.
!
! zebra doesn't know that it needs to add the routes itself, so we add them as static routes
! pointing at the loopback interface (127.0.0.1)
!
!
! OSPF-ALL.MCAST.NET
ip route 224.0.0.5/32 127.0.0.1
!
! OSPF-DSIG.MCAST.NET
ip route 224.0.0.6/32 127.0.0.1
!
! RIP2-ROUTERS.MCAST.NET (ok, so we don't use rip, but we might as well have it here).
ip route 224.0.0.9/32 127.0.0.1
!
! Ok, this is important!
!
! The lines below define an access list called 'term' that only allows packets from
! 127.0.0.1 (i.e. the local machine). We use this to limit access to zebra itself
! to the local machine.
!
! This means that zebra can only be reconfigured from the box it's running on.
!
! (I think the 'deny any' line is redundant - there is an explicit one at
! the end of any access-list)
!
access-list term permit 127.0.0.1/32
access-list term deny any
!
! Here we apply the access list we just defined to the 'vty line' - now we
! can only log in from the box zebra is running on.
!
line vty
 access-class term
!
! That's it!
!

ospfd.conf

!
! All the same as zebra.conf
!
hostname mostly
password 8 [passwd]
enable password 8 [passwd]
log file /var/log/ospfd.log
log record-priority
service advanced-vty
service password-encryption
!
! ok, this time we can actually do stuff with the 'interface statements'
!
interface le0
!
interface lo0
!
! This has all the options turned on that you're likely to see:
!
! description is just a textual description, i.e. documentation...
!
! 'ip ospf network point-to-point' tells ospfd that this is a point to point link
! ospfd will set this for you, so just ignore it.
!
! 'ip ospf authentication message-digest' says we want to use md5 authentication
!
! 'ip ospf message-digest-key 1 md5 ' and this says what password to use.
!
! finally we come to 'cost' this is probably the most important setting there is,
! cos it's what ospf uses to choose what path to take when it has more than one
! path to choose from.
!
! high cost means a worse link.
!
! It can be from 1 to 65535
!
! At the moment we are using 100 for ip over ip tunnels, and 50 for wireless links.
!
interface gre0
 description tunnel to fish 
 ip ospf network point-to-point
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 [passwd]
 ip ospf cost 100
!
! And here is another link
!
interface gre1
 description tunnel to wlan.dekspc
 ip ospf network point-to-point
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 [passwd]
 ip ospf cost 100
!
interface gre2
 ip ospf network point-to-point
!
!
! ok, this is where the action is!
!
! first of all we have the router-id - this is a 32 bit number that
! uniquely identifies each router on the network. It's best to set
! this to an ip from your allocation that this router is using.
!
! then we have the 'redistribute connected' line - this is *absolutely* *critical*
!
! It does two things:
!
! Firstly it tells ospf to tell other routers about networks that this router is
! directly connected to, (hence the 'connected' bit).
!
! and secondly it applies the route-map called 'just-10' to any routes we might
! want to export to other routers.
!
! it's this route map that prevents us from massively damaging things. It is
! *absolutely* *critical* that you don't remove it.
!
! What it does is to only allow us to export routes in the 10.0.0.0/8 network.
!
! Yes, it is possible for people who peer with consume to export other networks,
! but right now it has the possibility to screw things up mightily.
!
! So right now while we're testing and playing with stuff, don't try it, Please. ;-)
!
!
! it's also *absolutely* *critical* that you don't try to export a default route. (yet).
!
!
! moving on....
!
! 'passive-interface' means 'don't do ospf on this interface'. If you have
! interfaces that aren't on a network with any other routers, then use
! 'passive-interface' to switch ospf off on that interface; it will make
! things a bit more secure.
!
! It's very important that you do this on any interfaces you might share with
! your isp. It's possible that they will have forgotten to switch ospf off on
! their customer-facing interfaces, and not used any form of authentication.
!
! If you start exporting consume routes to an isp by accident we won't be
! popular, and there is a good chance that you will mess up their network
! and consume's (cos they may be using 10/8 too). (you'll probably be
! accused of hacking despite it being partially the isp's fault for not
! securing their network).
!
! 
! and finally 'network' is the net/mask of the interfaces you want to use to
! do ospf with.
!
! For some wacky reason the stuff you put after the 'network' statement for
! point-to-point links has to be the ip of the other end of the link /32.
!
! 'area 0' is the ospf area to use. Everything is in area 0 for the moment,
! don't worry about it.
!
router ospf
 ospf router-id 10.1.12.34
 redistribute connected route-map just-10
 passive-interface le0
 network 10.1.12.33/32 area 0
 network 10.1.12.38/32 area 0
!
! This access-list only allows ip's and nets within 10.0.0.0/8
!
access-list net-10 permit 10.0.0.0/8
!
! Same as we did with zebra.conf
!
access-list term permit 127.0.0.1/32
access-list term deny any
!
! This route map uses the 'net-10' access-list to only allow routes within
! 10.0.0.0/8
!
! (the 10 in 'permit 10' is just a rule number, it's a coincidence that
! it's the same as the net you're filtering).
!
route-map just-10 permit 10
 match ip address net-10
!
! Same as we did with zebra.conf
!
line vty
 access-class term
!
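Both config files lean on the same two access-lists: 'term' on the vty line to decide who may log in, and 'net-10' behind route-map 'just-10' to decide which connected routes get exported. Here is an added example (not part of this howto and not zebra's code) that models those lists in Python so you can check, before you reboot anything, what a given set of connected routes would actually be redistributed and which source addresses would reach the vty. It assumes zebra's usual prefix-list semantics, modelled here as "the route lies inside the listed prefix" (the 'exact-match' keyword, which these configs don't use, would tighten that), and an implicit deny after the last entry. The connected routes and source addresses are constructed.

```python
"""Model of the access-lists and route-map used in zebra.conf / ospfd.conf.

Added example, not part of the original howto or of zebra: an ordered list
of permit/deny prefix entries with the implicit deny at the end, used
(a) as 'access-list term' applied via 'line vty / access-class term' to
decide which source addresses may log in, and (b) as 'access-list net-10'
behind 'route-map just-10' to decide which connected routes are exported
by 'redistribute connected route-map just-10'.  Sample data is constructed.
"""
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Tuple

# (action, prefix) entries in the order they appear in the config files.
AccessList = List[Tuple[str, str]]

# access-list term permit 127.0.0.1/32 / access-list term deny any
TERM: AccessList = [("permit", "127.0.0.1/32"), ("deny", "0.0.0.0/0")]
# access-list net-10 permit 10.0.0.0/8  (implicit deny follows)
NET_10: AccessList = [("permit", "10.0.0.0/8")]


def acl_permits(acl: AccessList, prefix: str) -> bool:
    """First matching entry wins; no match means deny.

    Without 'exact-match' an entry matches any prefix inside it (assumed
    here, modelled with subnet_of), so 10.1.12.32/30 matches 10.0.0.0/8
    while 0.0.0.0/0 does not.
    """
    target = ip_network(prefix, strict=False)
    for action, entry in acl:
        if target.subnet_of(ip_network(entry)):
            return action == "permit"
    return False


def vty_allows(source_ip: str) -> bool:
    """'line vty / access-class term': may this source address reach the vty?"""
    return acl_permits(TERM, f"{ip_address(source_ip)}/32")


def route_map_just_10(connected: Iterable[str]) -> List[str]:
    """'route-map just-10 permit 10 / match ip address net-10'.

    A route-map with a single permit clause lets through exactly the routes
    its match passes and drops everything else, so 'redistribute connected'
    can never leak a default route or a non-10/8 network.
    """
    return [route for route in connected if acl_permits(NET_10, route)]


if __name__ == "__main__":
    # Constructed 'connected' table: two tunnel /30s, an ISP-facing /24 on
    # le0, a default route and a larger 10/8 block.
    connected = ["10.1.12.32/30", "10.1.12.36/30", "192.0.2.0/24",
                 "0.0.0.0/0", "10.200.0.0/16"]
    print(route_map_just_10(connected))
    # ['10.1.12.32/30', '10.1.12.36/30', '10.200.0.0/16']
    print(vty_allows("127.0.0.1"), vty_allows("10.1.12.34"))
    # True False
```

The default route and the 192.0.2.0/24 network are the two cases the comments above warn about; both fall out at the route-map because neither lies inside 10.0.0.0/8.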