Sunday, May 4, 2014

OSPF Stub Areas, OSPF Totally Stubby Areas, OSPF NSSAs, OSPF Totally NSSAs.

Lessons Learned:

OSPF Filtering Overview

OSPF is a link-state routing protocol
-To calculate identical SPTs everyone must have the same input to the SPF (the LSDB)
-Implies that filtering cannot be configured within an area

Inter-area filtering through
-Stub areas
-LSA 3 Filter
--------------------------------

Used to control the specific LSA types that are allowed to pass through certain areas, or in the case of LSA 3s the specific routes that are allowed to pass through certain areas.

The issue with OSPF and filtering is that everyone in the area needs to have the same copy of the LSDB in order to get the same result for the SPT (shortest path tree). This means that we cannot do filtering within the area, but we can between areas, as long as everyone inside the link-state area has the same copy of the DB.

Stub Areas are one feature that can be used to accomplish this type of filtering.

OSPF Stub Areas.
Stub areas are used to limit the types of LSAs allowed to enter an area.
-Intra Area routes (O)
---LSA 1 & 2 (LSA 1 = Router LSA / all links in an area | LSA 2 = Network LSA, generated by the DR)
-Inter Area routes (O IA)
---LSA 3 & 4 (LSA 3 = the summary of the routing info, moving intra-area routes to inter-area routes | LSA 4 = the inter-area reachability for the ASBR)
-External routes (E1 & E2)
---LSA 5 (generated by redistribution into OSPF)
-NSSA external routes (N1 & N2)
---LSA 7 (NSSA area routes)
All routers in the area must agree on the Stub flag when doing the Stub area configuration.
So either the area is a normal area, an external area, or it is an NSSA.

Note: Stub areas are not used to filter on a per-route basis but on a per link state type basis.

OSPF Stub:

Stub Area –
Removes external routes (LSA 5)
Removes ASBR advertisement (LSA4)
ABR  originates Inter-area default route (LSA 3)

Enabled on all routers in the area
#Area (area) stub

Note: the overall goal of the Stub area types is to inject a default route into them for external information. This will limit the routes and simply add a default route to the area.
Best used when the ABR is the only physical path to the area.

The only time when you might not want to do this is when there are multiple exit points out of the area. Removing these LSA types gives the routers in the area less visibility into diverse paths.

Topology:
----------------

Configuration -
For this, I will configure area 10 as a Stub area. This means I will need to configure everyone in the area as a Stub.
So from this topology I will need to configure R4, R6, R1 and R2 as Stub routers.

R6(config-router)#area 10 stub
R6(config-router)#
*Mar  1 00:09:03.615: %OSPF-5-ADJCHG: Process 10, Nbr 4.4.4.4 on FastEthernet0/0 from FULL to DOWN, Neighbor Down: Adjacency forced to reset
R6(config-router)#
================

R4(config-router)#area 10 stub
R4(config-router)#
*Mar  1 00:09:54.287: %OSPF-5-ADJCHG: Process 10, Nbr 2.2.2.2 on FastEthernet0/0 from FULL to DOWN, Neighbor Down: Adjacency forced to reset
*Mar  1 00:09:54.291: %OSPF-5-ADJCHG: Process 10, Nbr 1.1.1.1 on FastEthernet0/1 from FULL to DOWN, Neighbor Down: Adjacency forced to reset
R4(config-router)#
*Mar  1 00:09:57.039: %OSPF-5-ADJCHG: Process 10, Nbr 6.6.6.6 on FastEthernet1/0 from LOADING to FULL, Loading Done
R4(config-router)#

================
R2(config-router)#area 10 stub
*Mar  1 00:11:24.051: %OSPF-5-ADJCHG: Process 10, Nbr 4.4.4.4 on FastEthernet0/1 from LOADING to FULL, Loading Done
R2(config-router)#

================

Note: we lose the ADJ because we have to do new flooding of LSAs.

We can now see that we will still have our O routes and our O IA routes but we will not have our E1 or E2 routes.

We will now have a default route that the ABR will be generating to the Stub area:

O*IA 0.0.0.0/0 [110/2] via 10.1.24.2, 00:01:33, FastEthernet0/0
               [110/2] via 10.1.14.1, 00:01:33, FastEthernet0/1
R4#
This should not change the forwarding path; the only difference is that now, when we show the IP OSPF database, there should no longer be any Type 5 LSAs.

R4#sh ip ospf database

            OSPF Router with ID (4.4.4.4) (Process ID 10)

                Router Link States (Area 10)

Link ID         ADV Router      Age         Seq#       Checksum Link count
1.1.1.1         1.1.1.1         275         0x80000004 0x0010AF 2
2.2.2.2         2.2.2.2         265         0x80000004 0x00CCA3 3
4.4.4.4         4.4.4.4         264         0x80000009 0x0028A2 4
6.6.6.6         6.6.6.6         354         0x80000005 0x0098BD 2

                Net Link States (Area 10)

Link ID         ADV Router      Age         Seq#       Checksum
10.1.14.4       4.4.4.4         270         0x80000003 0x00AA4E
10.1.24.4       4.4.4.4         259         0x80000003 0x006E7C
10.1.46.6       6.6.6.6         354         0x80000001 0x00D7E4

                Summary Net Link States (Area 10)

Link ID         ADV Router      Age         Seq#       Checksum
0.0.0.0         1.1.1.1         285         0x80000001 0x0093A6
0.0.0.0         2.2.2.2         269         0x80000001 0x0075C0
1.1.1.0         1.1.1.1         285         0x80000002 0x006DC8
1.1.1.0         2.2.2.2         271         0x80000002 0x0063CC
3.3.3.0         1.1.1.1         287         0x80000002 0x002FFF
3.3.3.0         2.2.2.2         271         0x80000002 0x00111A
30.30.30.0      1.1.1.1         287         0x80000002 0x005F7E
30.30.30.0      2.2.2.2         271         0x80000002 0x004198
172.16.13.0     1.1.1.1         287         0x80000002 0x007CF2
172.16.13.0     2.2.2.2         271         0x80000002 0x006802
192.168.23.0    1.1.1.1         287         0x80000002 0x00EBCB
192.168.23.0    2.2.2.2         271         0x80000002 0x00C3F0
R4#

========================
Also, we should note that we now have the 0.0.0.0 routes generated by the ABRs. This is the default route that the ABR is advertising.


OSPF Stub –
Totally Stubby Area
-Removes External routes (LSA 5)
-Removes ASBR advertisements (LSA 4)
-Removes Inter-area default route (LSA 3)

Stub enabled on all routers in the area
#area (area) stub

Totally Stubby enabled on the ABR(s) of the area
#area (area) stub no-summary

========================

This will replace all the E1 & E2 routes and even the LSA 3 routes, and simply generate a default route into the area.

So on R1 and R2 – we will need to change the stub area config and add the “no-summary” command.

R1(config)#router ospf 10
R1(config-router)#area 10 stub no-summary
------------------------------------------------------
R2(config-router)#area 10 stub no-summary

Now from the database –

R4#sh ip ospf database

            OSPF Router with ID (4.4.4.4) (Process ID 10)

                Router Link States (Area 10)

Link ID         ADV Router      Age         Seq#       Checksum Link count
1.1.1.1         1.1.1.1         1002        0x80000004 0x0010AF 2
2.2.2.2         2.2.2.2         991         0x80000004 0x00CCA3 3
4.4.4.4         4.4.4.4         990         0x80000009 0x0028A2 4
6.6.6.6         6.6.6.6         1081        0x80000005 0x0098BD 2

                Net Link States (Area 10)

Link ID         ADV Router      Age         Seq#       Checksum
10.1.14.4       4.4.4.4         997         0x80000003 0x00AA4E
10.1.24.4       4.4.4.4         986         0x80000003 0x006E7C
10.1.46.6       6.6.6.6         1081        0x80000001 0x00D7E4

                Summary Net Link States (Area 10)

Link ID         ADV Router      Age         Seq#       Checksum
0.0.0.0         1.1.1.1         73          0x80000002 0x0091A7
0.0.0.0         2.2.2.2         34          0x80000002 0x0073C1
R4#

The size of the DB is reduced and we now have only the zero (0.0.0.0) routes from the ABRs. The only other routes we should have are from within our own area.

The potential issue we could run into with the Stub area or the Totally Stubby area is that, since we’re filtering out the type 5 externals, it would not be valid to have a stub area that has other external information being redistributed into it.

For example, if the stub area had other IGP routes being learned (EIGRP, for example), these would not be allowed to be redistributed into the area, because area 10 will disallow any external routes in the database.

This is where the Not-so-Stubby Area (NSSA) comes in.
NSSA
-Allows NSSA external generation (LSA 7)
-Removes External routes (LSA 5)
-Removes ASBR advertisements (LSA 4)
All routers must agree on the NSSA flag
#area (area) nssa (will appear in the routing table as N1 or N2 routes)

ABR does not originate a default automatically
-Can be configured to generate an LSA 7 default
#area (area) nssa default-information-originate

Once again, all routers in the area will need to be configured as NSSA stub routers.

Now if I show the IP OSPF database, I should no longer have any type 5 LSAs, but I will have the type 7.

R7#sh ip ospf database

            OSPF Router with ID (19.19.19.7) (Process ID 10)

                Router Link States (Area 10)

Link ID         ADV Router      Age         Seq#       Checksum Link count
1.1.1.1         1.1.1.1         1009        0x80000002 0x0014AD 2
2.2.2.2         2.2.2.2         1009        0x80000002 0x00D0A1 3
4.4.4.4         4.4.4.4         238         0x80000006 0x001006 4
6.6.6.6         6.6.6.6         226         0x80000006 0x00F7E8 3
19.19.19.7      19.19.19.7      225         0x80000005 0x00DF1C 1

                Net Link States (Area 10)

Link ID         ADV Router      Age         Seq#       Checksum
10.1.67.7       19.19.19.7      225         0x80000001 0x00D570

                Summary Net Link States (Area 10)

Link ID         ADV Router      Age         Seq#       Checksum
0.0.0.0         1.1.1.1         1050        0x80000001 0x0093A6
0.0.0.0         2.2.2.2         1049        0x80000001 0x0075C0
1.1.1.0         1.1.1.1         1045        0x80000001 0x006FC7
1.1.1.0         2.2.2.2         1004        0x80000001 0x0065CB
3.3.3.0         1.1.1.1         1007        0x80000001 0x0031FE
3.3.3.0         2.2.2.2         1006        0x80000001 0x001319
30.30.30.0      1.1.1.1         1007        0x80000001 0x00617D
30.30.30.0      2.2.2.2         1006        0x80000001 0x004397
172.16.13.0     1.1.1.1         1047        0x80000001 0x007EF1
172.16.13.0     2.2.2.2         1006        0x80000001 0x006A01
192.168.23.0    1.1.1.1         1007        0x80000001 0x00EDCA
192.168.23.0    2.2.2.2         1046        0x80000001 0x00C5EF

                Type-7 AS External Link States (Area 10)
17.17.17.0      19.19.19.7      334         0x80000001 0x00408D 0
18.18.18.0      19.19.19.7      334         0x80000001 0x001CAE 0
19.19.19.0      19.19.19.7      334         0x80000001 0x00F7CF 0
R7#

Note: the ABR now does not originate the default. We can configure it to, but it will not do this automatically:
#area (area) nssa default-information-originate

R1(config-router)#area 10 nssa default-information-originate
R1(config-router)#^Z

R2(config-router)#area 10 nssa default-information-originate

O*N2 0.0.0.0/0 [110/1] via 10.1.24.2, 00:00:13, FastEthernet0/0
               [110/1] via 10.1.14.1, 00:00:13, FastEthernet0/1
R4#

---------------------------------------

Note: remember the path selection of OSPF.
Also, if we were to go to a router inside another area (area 0), we should see the N1 or N2 route show up as an E1 or E2 route.

R1#sh ip route
Gateway of last resort is not set

     17.0.0.0/24 is subnetted, 1 subnets
O E2    17.17.17.0 [110/20] via 10.1.14.4, 00:06:30, FastEthernet0/1
O E2    18.18.18.0 [110/20] via 10.1.14.4, 00:06:30, FastEthernet0/1

This is because it does not know the other area is an NSSA area.

Not-so-totally stubby area:
-Allows NSSA external generation
-Removes External routes (LSA 5)
-Removes ASBR advertisements (LSA 4)
-Removes Inter-area default route (LSA 3)
NSSA enabled on all routers in the area
#area (area) nssa
Totally Stubby enabled on the ABR(s) of the area
#area (area) nssa no-summary
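
A check for the database outputs above, added here as an example (it is not from the original post): it parses "show ip ospf database" text captured on a router inside the area and reports which area type the LSA types present are consistent with. The first three samples are trimmed from the outputs on this page and the NORMAL sample is constructed from them; the function names and the labels returned are assumptions of this sketch.

```python
import re
from collections import defaultdict

# Section titles as printed by "show ip ospf database", mapped to LSA type.
SECTION_TYPES = {
    "Router Link States": 1,
    "Net Link States": 2,
    "Summary Net Link States": 3,
    "Summary ASB Link States": 4,
    "Type-5 AS External Link States": 5,
    "Type-7 AS External Link States": 7,
}
HEADER = re.compile(r"^\s*(?P<title>\S.*? Link States)(?: \(Area (?P<area>[\d.]+)\))?\s*$")
ENTRY = re.compile(r"^(?P<link_id>\d+(?:\.\d+){3})\s+(?P<adv>\d+(?:\.\d+){3})\s+\d+\s+0x")


def parse_lsdb(text):
    """Return {area: {lsa_type: [link_id, ...]}}; AS-scope type 5 is filed under area None."""
    db = defaultdict(lambda: defaultdict(list))
    area, lsa_type = None, None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header and header.group("title") in SECTION_TYPES:
            lsa_type, area = SECTION_TYPES[header.group("title")], header.group("area")
            continue
        entry = ENTRY.match(line.strip())
        if entry and lsa_type is not None:
            db[area][lsa_type].append(entry.group("link_id"))
    return db


def classify_area(db, area):
    """Name the area type the LSAs seen by a router internal to `area` are consistent with."""
    lsas = db.get(area, {})
    summaries = lsas.get(3, [])
    has_default = "0.0.0.0" in summaries
    only_default = has_default and set(summaries) == {"0.0.0.0"}
    if db.get(None, {}).get(5) or lsas.get(4):
        return "normal"                      # externals or ASBR summaries are present
    if lsas.get(7):
        return "totally NSSA" if only_default else "NSSA"
    if only_default:
        return "totally stubby"
    if has_default:
        return "stub"
    return "undetermined"                    # nothing external to judge by


def report(text, area="10"):
    db = parse_lsdb(text)
    counts = {t: len(ids) for t, ids in sorted(db.get(area, {}).items())}
    return classify_area(db, area), counts


STUB = """
                Router Link States (Area 10)
Link ID         ADV Router      Age         Seq#       Checksum Link count
1.1.1.1         1.1.1.1         275         0x80000004 0x0010AF 2
4.4.4.4         4.4.4.4         264         0x80000009 0x0028A2 4
                Summary Net Link States (Area 10)
Link ID         ADV Router      Age         Seq#       Checksum
0.0.0.0         1.1.1.1         285         0x80000001 0x0093A6
3.3.3.0         1.1.1.1         287         0x80000002 0x002FFF
"""
TOTALLY = """
                Router Link States (Area 10)
4.4.4.4         4.4.4.4         990         0x80000009 0x0028A2 4
                Summary Net Link States (Area 10)
0.0.0.0         1.1.1.1         73          0x80000002 0x0091A7
0.0.0.0         2.2.2.2         34          0x80000002 0x0073C1
"""
NSSA = """
                Summary Net Link States (Area 10)
0.0.0.0         1.1.1.1         1050        0x80000001 0x0093A6
3.3.3.0         1.1.1.1         1007        0x80000001 0x0031FE
                Type-7 AS External Link States (Area 10)
17.17.17.0      19.19.19.7      334         0x80000001 0x00408D 0
"""
# Constructed: an area 10 router that still holds a Type-5 LSA.
NORMAL = """
                Summary Net Link States (Area 10)
3.3.3.0         1.1.1.1         287         0x80000002 0x002FFF
                Type-5 AS External Link States
150.5.5.0       192.168.33.10   371         0x80000001 0x009ECC 0
"""

if __name__ == "__main__":
    for name, text in [("STUB", STUB), ("TOTALLY", TOTALLY), ("NSSA", NSSA), ("NORMAL", NORMAL)]:
        print(name, report(text))
```

An NSSA with no redistributing router has no Type-7 LSAs, so this check reports it as a stub; the configuration remains the authority.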

OSPF Summarization

Lessons Learned:

OSPF Summarization

All devices within the same area must have the same LSDB
Implies summarization can occur:
-Between areas
---#area (source area) range (address) (mask)
-During redistribution
---#summary-address (address) (mask)

Automatically generates discard route
-Disabled with #no discard-route (internal | external)

Can be used for TE via longest match routing

--------------------------------------------------------------------------------

Since OSPF is a link-state protocol, all routers within the same area have to have the same link-state DB.

For summarization there are two different types:
Inter-area summary – for summary of LSA type 3, which is the network summary LSA.
This is implemented with the area range command on the area border router.
It summarizes routes as they go into Area 0 or into another non-transit area.

External summary – redistribution at the ASBR with the summary-address command.
Note: in a not-so-stubby area, the ABR can summarize type 7 information as it is being generated as type 5. This technically counts as a redistribution from the type 7 LSA into the type 5 LSA.
Technically there are only two places you can do this: on the ASBR with the “summary-address” command, or on the ABR with the “area range” command.

Regardless of what type of summary we generate, just like in EIGRP or BGP, the process will automatically generate the discard route. The discard route is the match for the summary that is pointing to Null0.
Note: The idea behind the discard route is that if we lose one of the subnets that make up the summary and we receive packets that are going to one of those destinations, we’re going to drop them locally instead of forwarding them on to a shorter match, like a default route.

This would then mean that if we did want to use default routing for subnets that are inside one of our summaries, we would have to remove the Null route with the
#no discard-route (internal | external) command under the OSPF process.

Summarization can also be used for Traffic Engineering based on the longest match principle.
Regardless of what the distance or the metric is to a particular destination, the router will always choose the path that has the most bits in common with the destination: the longest match.

This means that if we were to summarize the destination on multiple ABRs or ASBRs, whichever one is advertising the longer match would be the one that is preferred for the destinations.
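
The discard route and the longest match rule described above, as a small forwarding simulation (an added example, not from the original post). It goes one step past the text by showing what the shorter match does when the default route points back at the router that holds the summary: the packet loops until its TTL runs out. The router names ASBR, CORE, EXIT-A and EXIT-B and the default route are assumptions; the 150.5.x.x prefixes are the ones used on this page.

```python
import ipaddress


class Router:
    """A router reduced to its forwarding table: prefix -> next hop.

    A next hop is another router's name, "Null0" or "connected".
    """

    def __init__(self, name):
        self.name = name
        self.fib = {}

    def add(self, prefix, next_hop):
        self.fib[ipaddress.ip_network(prefix)] = next_hop

    def remove(self, prefix):
        self.fib.pop(ipaddress.ip_network(prefix), None)

    def lookup(self, dst):
        """Longest match: the covering prefix with the most bits wins; metric plays no part."""
        addr = ipaddress.ip_address(dst)
        covering = [net for net in self.fib if addr in net]
        if not covering:
            return None, None
        best = max(covering, key=lambda net: net.prefixlen)
        return best, self.fib[best]


def forward(routers, start, dst, ttl=8):
    """Follow dst hop by hop; returns (outcome, path of router names)."""
    path, current = [], start
    while ttl > 0:
        path.append(current)
        _, next_hop = routers[current].lookup(dst)
        if next_hop is None:
            return "unroutable", path
        if next_hop == "Null0":
            return "dropped", path
        if next_hop == "connected":
            return "delivered", path
        current, ttl = next_hop, ttl - 1
    return "ttl-expired", path


def build(discard_route):
    """ASBR summarizes 150.5.0.0/16 toward CORE and defaults back to CORE (assumed topology)."""
    asbr, core = Router("ASBR"), Router("CORE")
    asbr.add("150.5.5.0/24", "connected")
    asbr.add("150.5.50.0/24", "connected")
    asbr.add("0.0.0.0/0", "CORE")
    if discard_route:                       # what summary-address installs by default
        asbr.add("150.5.0.0/16", "Null0")
    core.add("150.5.0.0/16", "ASBR")
    return {"ASBR": asbr, "CORE": core}


def lose_subnet(discard_route, dst="150.5.50.1"):
    """One component subnet of the summary goes away; CORE still sends traffic for it."""
    net = build(discard_route)
    net["ASBR"].remove("150.5.50.0/24")
    return forward(net, "CORE", dst)


def te_by_longest_match(dst):
    """Two exits advertise the same range; the one with the longer match attracts the traffic."""
    r = Router("R")
    r.add("150.5.0.0/16", "EXIT-A")         # summary, whatever its metric
    r.add("150.5.5.0/24", "EXIT-B")         # more specific
    return r.lookup(dst)[1]


if __name__ == "__main__":
    print("with discard route   :", lose_subnet(True))
    print("without discard route:", lose_subnet(False))
    print("150.5.5.9 exits via  :", te_by_longest_match("150.5.5.9"))
    print("150.5.50.9 exits via :", te_by_longest_match("150.5.50.9"))
```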


Traffic engineering –

Topology:
============

Router 4 has a local route of 4.4.4.0 –
From the database on R3 you can see that I have two paths to that route – over R2 and R1.

R3#sh ip ospf database summary 4.4.4.0

            OSPF Router with ID (3.3.3.3) (Process ID 10)

                Summary Net Link States (Area 0)

  Routing Bit Set on this LSA
  LS age: 312
  Options: (No TOS-capability, DC, Upward)
  LS Type: Summary Links(Network)
  Link State ID: 4.4.4.0 (summary Network Number)
  Advertising Router: 1.1.1.1
  LS Seq Number: 80000002
  Checksum: 0xEC3D
  Length: 28
  Network Mask: /24
        TOS: 0  Metric: 2

  Routing Bit Set on this LSA
  LS age: 283
  Options: (No TOS-capability, DC, Upward)
  LS Type: Summary Links(Network)
  Link State ID: 4.4.4.0 (summary Network Number)
  Advertising Router: 2.2.2.2
  LS Seq Number: 80000002
  Checksum: 0xCE57
  Length: 28
  Network Mask: /24
        TOS: 0  Metric: 2


            OSPF Router with ID (30.30.30.3) (Process ID 50)
R3#

We can also see that most, if not all, of the traffic is currently going over R2’s FastEthernet0/1 interface.

R3#sh ip route | i IA
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
O IA    2.2.2.0 [110/2] via 192.168.23.2, 00:44:28, FastEthernet0/1
O IA    4.4.4.0 [110/3] via 192.168.23.2, 00:44:28, FastEthernet0/1
O IA    4.4.5.0 [110/3] via 192.168.23.2, 00:00:53, FastEthernet0/1
O IA    4.4.7.0 [110/3] via 192.168.23.2, 00:00:43, FastEthernet0/1
O IA    20.20.20.0 [110/2] via 192.168.23.2, 00:44:28, FastEthernet0/1
O IA    10.1.14.0 [110/2] via 172.16.13.1, 00:44:28, FastEthernet0/0
O IA    10.1.24.0 [110/2] via 192.168.23.2, 00:44:28, FastEthernet0/1
O IA    11.11.11.0 [110/2] via 172.16.13.1, 00:44:28, FastEthernet0/0
R3#

I want to force all 4.4.5.4 traffic to go over R3, and the rest to still go over R2.

Note: The problem with using an IGP to implement traffic engineering is that we cannot make changes on a per-prefix basis. In BGP this is not true. In OSPF there’s no way to say match a certain prefix and change the cost. If we change the cost on the interface, it will inherently change the cost for any route that is using that interface.

Instead, the next best path is to use the longest match for TE.

So on R2 we can use a summary range for the summary address, and then on R3 use a more specific, longer match for the /24 routes.

External Summarization:
This is going to be on an ASBR that is doing redistribution, when we’re generating either an External 1 or 2, or an N1 or N2 route. The N routes are for when we’re inside a not-so-stubby area.

Example:

From the topology, I have a redistribution router that is redistributing EIGRP into OSPF.

router ospf 10
 router-id 192.168.33.10
 log-adjacency-changes
 redistribute eigrp 10 subnets
 network 192.168.33.0 0.0.0.255 area 0

This now means that R3 will be generating a type 5 LSA or the External LSA describing the EIGRP subnets.

R3#sh ip route ospf
O E2    150.5.5.0 [110/20] via 192.168.33.10, 00:02:53, FastEthernet1/0
O E2    150.5.50.0 [110/20] via 192.168.33.10, 00:02:53, FastEthernet1/0
R3#

To verify the redistribution is actually working, we can look at #sh ip ospf database and look for Type 5 External routes. And we see them.

This is the external LSA for the EIGRP destinations. These are either the E1 or E2 routes.

                Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag
150.5.5.0       192.168.33.10   371         0x80000001 0x009ECC 0
150.5.50.0      192.168.33.10   371         0x80000001 0x00AD90 0

            OSPF Router with ID (30.30.30.3) (Process ID 50)         

You can read this like this:
192.168.33.10 is the originating router of the 150.5.x.x (EIGRP) routes; 150.5.x.x are the actual prefixes.

R3# sh ip ospf database external 150.5.5.0

            OSPF Router with ID (3.3.3.3) (Process ID 10)

                Type-5 AS External Link States

  Routing Bit Set on this LSA
  LS age: 604
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: 150.5.5.0 (External Network Number )
  Advertising Router: 192.168.33.10 –Advertising router
  LS Seq Number: 80000001
  Checksum: 0x9ECC
  Length: 36
  Network Mask: /24
        Metric Type: 2 (Larger than any link state path) – Metric type is 2 – means an E2 route (by default)
        TOS: 0
        Metric: 20  - Default metric for redistribution
        Forward Address: 0.0.0.0 – This means that anyone in my area who wants to route to this destination should route along the same path that they use to reach my router-ID (192.168.33.10)
        External Route Tag: 0

            OSPF Router with ID (30.30.30.3) (Process ID 50)
R3#

From Router 4 ‘s perspective

R4#sh ip route 150.5.5.0
Routing entry for 150.5.5.0/24
  Known via "ospf 10", distance 110, metric 20, type extern 2, forward metric 3 – Metric of 20, external route; the forward metric is the intra-area SPF cost that the local router is using to reach the ASBR
  Last update from 10.1.24.2 on FastEthernet0/0, 00:14:16 ago
  Routing Descriptor Blocks:
    10.1.24.2, from 192.168.33.10, 00:14:16 ago, via FastEthernet0/0
      Route metric is 20, traffic share count is 1
  * 10.1.14.1, from 192.168.33.10, 00:14:16 ago, via FastEthernet0/1 – learned from
      Route metric is 20, traffic share count is 1

Note: if I have two paths to the destination, we would use the forward metric to look at what is the best path to the ASBR. The forward metric is the cost inside the local area.

The LSA 5 will basically go everywhere in the OSPF area.

Note: now that we have the Type 5 LSA, if we don’t have an entry in the local DB about the ASBR for that prefix, we will use the LSA type 4. This assumes that the SPT has reachability to the ABR for the external route; it will forward the packets to the ABR (1.1.1.1 or 2.2.2.2) and assume they can reach the destination.

Type 4 LSAs
               Summary ASB Link States (Area 10)

Link ID         ADV Router      Age         Seq#       Checksum
192.168.33.10   1.1.1.1         1400        0x80000001 0x00EEB2
192.168.33.10   2.2.2.2         1400        0x80000001 0x00D0CC

Key: if you want to apply Traffic Engineering to the external destinations, you do need to take into account the transit path along the way, not just the redistribution metric. The only case where the redistribution metric will not matter is if there are multiple ASBRs originating the same route.

So, if I wanted to summarize the 150.5.x.x routes to a /16 on the ABR, I could simply add the summary address to the process on the ABR.

R3(config)#router ospf 10
R3(config-router)#summary-address 150.5.0.0 255.255.0.0

Then with sh ip route filtered for Null, I should see that the summary address is routed to Null0, and that the summary command created the Null route.

REDIST-R1#sh ip route | i Null

O       150.5.0.0/16 is a summary, 00:00:09, Null0

Thursday, May 1, 2014

OSPF Authentication

Lessons Learned:

OSPF supports 3 types of authentication
-0 = Null
-1 = Clear Text
-2 = MD5

Can be enabled
-On all links in the area
-On a per link basis

Key is always applied at the link level
-Virtual-Links are Area 0 interfaces

--------------------------------------------------- 

From a packet-level format, there’s no difference in the authentication types whether you have it enabled globally or directly at the interface level.

The only difference is that if it’s enabled under the process, it’s going to automatically apply to any interface within that area.

Ex: Area 0 authentication – every link in that area is going to have type 1 applied to it.
This would be the same as going to each interface and saying “ip ospf authentication”.

We can verify this by running “sh ip ospf interface”, which will show what type of auth is configured.

For the password, it doesn’t matter what type: it’s always going to be configured at the link level.

Note: A Virtual-Link is an area 0 interface.
If doing auth on all interfaces in Area 0, it means a Virtual-Link will inherit the auth.
As long as the neighbors agree on what the authentication is, you can actually use a null for the password.

As long as the end result matches, the result is successful and you can form an ADJ.

Clear text Authentication:
--------------------------------

Note: this can be enabled either under the process or the interface.
First let’s look at the interface prior to configuring any auth.

R1#sh ip ospf interface fa0/0
FastEthernet0/0 is up, line protocol is up
  Internet Address 192.168.12.1/24, Area 0
  Process ID 10, Router ID 192.168.13.1, Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 192.168.13.1, Interface address 192.168.12.1
  Backup Designated router (ID) 192.168.23.2, Interface address 192.168.12.2
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:07
  Supports Link-local Signaling (LLS)
  Index 2/2, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 0, maximum is 1
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 192.168.23.2  (Backup Designated Router)
  Suppress hello for 0 neighbor(s)
R1#

Let’s turn on Clear text under the process;

R1(config-router)#area 0 authentication

Now let’s debug the ADJ on the other end of the link. We will see that any new update coming in from the neighbor will be discarded because there’s a mismatch in the authentication type:

Output:
*Mar  1 00:17:22.567: OSPF: Rcv pkt from 192.168.12.1, FastEthernet0/0 : Mismatch Authentication type. Input packet specified type 1, we use type 0
This says locally I use type 0, which is Null, and the neighbor uses type 1 auth, which is clear text. This is not a mismatch in the password; it’s a mismatch in the type of authentication.

Now at the link level of the local router we configure “ip ospf authentication”. This is turning the process on. Even though we don’t have a password configured, the neighbors are now doing clear text authentication with no key.

Output:
The ADJ now forms
R2#
*Mar  1 00:23:32.011: %OSPF-5-ADJCHG: Process 10, Nbr 192.168.13.1 on FastEthernet0/0 from LOADING to FULL, Loading Done
R2#

Also, from a sh ip ospf int fa0/0, we can now see that simple password auth is enabled.

R2#sh ip ospf interface fastEthernet 0/0
FastEthernet0/0 is up, line protocol is up
  Internet Address 192.168.12.2/24, Area 0
  Process ID 10, Router ID 192.168.23.2, Network Type BROADCAST, Cost: 1
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 192.168.23.2, Interface address 192.168.12.2
  Backup Designated router (ID) 192.168.13.1, Interface address 192.168.12.1
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:05
  Supports Link-local Signaling (LLS)
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 4 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 192.168.13.1  (Backup Designated Router)
  Suppress hello for 0 neighbor(s)
  Simple password authentication enabled

If we want to add a key value we can change the auth type on the link level of both neighbors.

EX: R2(config-if)#ip ospf authentication-key CISCO

Note: Be careful because most Cisco IOS versions will take white spaces as passwords.

For MD5 Authentication –
The config is essentially going to be the same –

Ex: under the link -
R1(config-if)#ip ospf authentication message-digest
R1(config-if)#ip ospf message-digest-key 10 md5 CISCO123

Note: Just like in EIGRP, the key # does have to match because it’s part of the update.

Interface verification

R2#sh ip ospf interface fastEthernet 0/0
FastEthernet0/0 is up, line protocol is up
  Internet Address 192.168.12.2/24, Area 0
  Process ID 10, Router ID 192.168.23.2, Network Type BROADCAST, Cost: 1
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 192.168.23.2, Interface address 192.168.12.2
  Backup Designated router (ID) 192.168.13.1, Interface address 192.168.12.1
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:01
  Supports Link-local Signaling (LLS)
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 4 msec, maximum is 4 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 192.168.13.1  (Backup Designated Router)
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled

    Youngest key id is 10
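
What the receiving router checks for each authentication type, as an added example (not from the original post) that follows the packet layout in RFC 2328 Appendix D: type 1 carries the password in the 8-byte header field, type 2 carries a key ID and sequence number and appends MD5(packet + key padded to 16 bytes). The Hello body is constructed, the router ID, key ID and keys are the ones used on this page, and the class, function and result names are assumptions of this sketch.

```python
import hashlib
import hmac
import socket
import struct

AUTH_NULL, AUTH_SIMPLE, AUTH_MD5 = 0, 1, 2      # AuType values listed on this page
HDR = struct.Struct("!BBH4s4sHH8s")             # 24-byte OSPFv2 packet header
CRYPTO = struct.Struct("!HBBI")                 # 0, key ID, digest length, sequence number

# Constructed Hello body: mask, hello 10, options, priority 1, dead 40, DR, BDR.
HELLO = struct.pack("!4sHBBI4s4s", socket.inet_aton("255.255.255.0"), 10, 0x02, 1, 40,
                    socket.inet_aton("192.168.12.1"), socket.inet_aton("192.168.12.2"))


def _pad(secret, size):
    return secret.ljust(size, b"\0")[:size]


def _header(body, router_id, autype, auth_field, area_id="0.0.0.0", ptype=1):
    # Checksum stays 0: it is unused with type 2 and left out of this sketch for type 1.
    return HDR.pack(2, ptype, HDR.size + len(body), socket.inet_aton(router_id),
                    socket.inet_aton(area_id), 0, autype, auth_field)


def build_simple(body, router_id, password):
    """Type 1: the password itself travels in the authentication field."""
    return _header(body, router_id, AUTH_SIMPLE, _pad(password, 8)) + body


def build_md5(body, router_id, key_id, key, seq):
    """Type 2: the key never leaves the router; only its digest is appended."""
    packet = _header(body, router_id, AUTH_MD5, CRYPTO.pack(0, key_id, 16, seq)) + body
    return packet + hashlib.md5(packet + _pad(key, 16)).digest()


def decode_auth(data):
    """What a capture of the packet shows in the authentication field."""
    *_, autype, auth = HDR.unpack(data[:HDR.size])
    if autype == AUTH_SIMPLE:
        return {"type": 1, "password": auth.rstrip(b"\0")}
    if autype == AUTH_MD5:
        _, key_id, _, seq = CRYPTO.unpack(auth)
        return {"type": 2, "key_id": key_id, "seq": seq}
    return {"type": autype}


class Receiver:
    """The receive-side checks of one interface (result strings are this sketch's own)."""

    def __init__(self, autype, password=b"", keys=None):
        self.autype, self.password, self.keys = autype, password, keys or {}
        self.last_seq = {}                      # highest sequence seen per neighbor

    def check(self, data):
        _, _, plen, rid, _, _, autype, auth = HDR.unpack(data[:HDR.size])
        if autype != self.autype:
            return f"type-mismatch: packet {autype}, local {self.autype}"
        if autype == AUTH_SIMPLE:
            ok = hmac.compare_digest(auth, _pad(self.password, 8))
            return "accepted" if ok else "bad-password"
        if autype == AUTH_MD5:
            _, key_id, dlen, seq = CRYPTO.unpack(auth)
            if key_id not in self.keys:         # the key ID is part of the packet
                return "unknown-key-id"
            expected = hashlib.md5(data[:plen] + _pad(self.keys[key_id], 16)).digest()
            if not hmac.compare_digest(data[plen:plen + dlen], expected):
                return "bad-digest"
            if seq < self.last_seq.get(rid, 0):
                return "stale-sequence"
            self.last_seq[rid] = seq
        return "accepted"


def demo():
    r1 = "192.168.13.1"                         # R1's router ID on this page
    r2 = Receiver(AUTH_MD5, keys={10: b"CISCO123"})
    return {
        "good": r2.check(build_md5(HELLO, r1, 10, b"CISCO123", seq=100)),
        "key id 11": r2.check(build_md5(HELLO, r1, 11, b"CISCO123", seq=101)),
        "wrong key": r2.check(build_md5(HELLO, r1, 10, b"cisco123", seq=102)),
        "old seq": r2.check(build_md5(HELLO, r1, 10, b"CISCO123", seq=99)),
        "type 1 to null": Receiver(AUTH_NULL).check(build_simple(HELLO, r1, b"CISCO")),
        "type 1, no key": Receiver(AUTH_SIMPLE).check(build_simple(HELLO, r1, b"")),
        "on the wire": decode_auth(build_simple(HELLO, r1, b"CISCO")),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:15} {result}")
```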

Wednesday, April 30, 2014

OSPF Convergence Timers:

Lessons Learned:
----------------------- 
Convergence Timers

Convergence based on hello and dead timer
-Supports sub-second timers

Different timers for different network types
-#sh ip ospf interface

Changing hello time automatically adjusts dead time
-#ip ospf hello-interval
-#ip ospf dead-interval


The OSPF timers are mainly going to be based on how long before we can detect that the neighbor is down, then how long until we can flood the LSU and then run the SPF.

One problem we can run into is that if the layer 2 link status to the neighbor is not a good indication of the connectivity, we would then need to rely on the layer 3 timers to figure out if they're down.

The other issue we run into if we have a switch in the middle is that we don't have a direct link to the line protocol status of the other side of the link, because of the layer 2 path.

Ideally, before implementing OSPF, we would want to implement some sort of mechanism that can keep track of the layer 2 status end to end between the neighbors. Typically BFD (Bidirectional Forwarding Detection) is used for this.
This will enable an additional keepalive on the Ethernet link between two neighbors.

OSPF timers, by default:
FastEthernet0/0 is up, line protocol is up
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5 -- By default it will take up to 40 seconds to find out if the neighbor is down.

Note: Also, if we lower the timers, it's very processor intensive for the control plane.

If we wanted to change the hello-interval, we can do that under the interface.
Example:

R5(config)#interface fa0/0

R5(config-if)#ip ospf hello-interval ?
  <1-65535>  Seconds
and set it to, say, one second.

We can also change the dead-interval to minimal, which will by default change the hello timers to one second.

R5(config-if)#ip ospf dead-interval minimal 
or
R5(config-if)#ip ospf dead-interval minimal hello-multiplier ?
  <3-20>  Number of Hellos sent within 1 second

The dead-interval minimal will change the hello timer to one second; the hello-multiplier is how many hellos we will send within that second.

Sh ip ospf interface will show what the timers will be on the link. This is also negotiated during the adjacency, so both sides do need to agree to form the ADJ.

OSPF Path Selection

Lessons Learned:
-----------------------------------------------------       
OSPF Path Selection
Once databases are synchronized, path selection begins.
Each router’s LSAs include a “cost” attribute for each described link.
Best path to that link is the lowest end-to-end cost.

Cisco’s implementation uses bandwidth-based cost, but per the RFC it is arbitrary.
--Default Cisco cost = 100 Mbps / link bandwidth
--Reference bandwidth can be modified to accommodate higher-speed links (e.g. Gigabit Ethernet)
This is done with the reference bandwidth command under the process.
----------------------------------------------------- 

OSPF Path Selection Order:

Per RFC, the OSPF path selection state machine prefers:
-Intra area routes (O) – will always choose these routes over all others, despite the cost of the link.
-Inter area routes (O IA)
-External Type 1 (E1)
-External Type 2 (E2)
-NSSA Type 1 (N1)
-NSSA Type 2 (N2)
Cannot be modified with metric or distance, because we need to make sure all the devices come up with the same shortest path tree based on the link-state database.

Note: we will still use the longest match in the routing table to figure out where the traffic is going to go. If there are equal longest matches, one intra-area and one inter-area route, OSPF will still always choose the intra-area route, regardless of metric or distance.


Path selection Topology:
-------------------------------------

















Sh ip ospf int bri
R2#sh ip ospf interface brief
Interface    PID   Area            IP Address/Mask    Cost  State Nbrs F/C
Gi0/0        10    0               192.168.24.2/24    1     DR    1/1
Fa1/0        10    0               192.168.12.2/24    1     BDR   1/1
Fa1/1        10    5               10.1.5.2/24        1     DR    1/1
R2#

We see here that I have 3 interfaces running OSPF. We can also see that int Fa1/1 is in Area 5.
This means that R2 is now an area border router. It should now be generating two separate router LSAs:
one for area 5 and one for area 0.

Additionally, any routes that are learned on the area 5 links will be sent into Area 0 using the LSA Type 3, or Network Summary LSA. This is considered a summary because we’re not summarizing the NLRI (the actual prefixes); we are summarizing the topology information.

So when we do intra-area lookups, we’re going to run SPF for the destination. For inter-area lookups, between the areas, we will use the OSPF cost derived to the area border router PLUS whatever value it is reporting in the summary LSA.

Now let’s look at the database.

============== 
R2#sh ip ospf database

            OSPF Router with ID (192.168.24.2) (Process ID 10) – For the part we can see all the routers in Area 0 and their respective links in area 0


                Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
10.1.11.1       10.1.11.1       434         0x80000009 0x0006E4 3
192.168.24.2    192.168.24.2    374         0x80000009 0x0021E5 3
192.168.34.3    192.168.34.3    426         0x80000008 0x00666E 3
192.168.34.4    192.168.34.4    366         0x80000007 0x00227C 4

                Net Link States (Area 0) If we did not see this link state – it would mean that there is no designated router on these segments (ex: all P2P links) These are the DR’s.

Link ID         ADV Router      Age         Seq#       Checksum
192.168.12.1    10.1.11.1       470         0x80000001 0x00EA27
192.168.13.1    10.1.11.1       434         0x80000001 0x007095
192.168.24.2    192.168.24.2    374         0x80000001 0x00AB74

                Summary Net Link States (Area 0) – These are the inter-area routes that are generated by the area border routers. These are the LSA Type 3s – they are used to describe the inter-area routes.

Link ID         ADV Router      Age         Seq#       Checksum
6.6.6.0         192.168.34.4    218         0x80000003 0x00ADE9
7.7.7.0         192.168.34.3    141         0x80000001 0x00EDA0
10.1.5.0        192.168.24.2    459         0x80000003 0x00099D
10.1.6.0        192.168.34.4    366         0x80000002 0x00ADEC
10.1.7.0        192.168.34.3    425         0x80000003 0x00018F

                Router Link States (Area 5)

Link ID         ADV Router      Age         Seq#       Checksum Link count
10.1.5.5        10.1.5.5        207         0x80000008 0x00D307 1
192.168.24.2    192.168.24.2    323         0x80000004 0x00C043 1

                Net Link States (Area 5)

Link ID         ADV Router      Age         Seq#       Checksum
10.1.5.2        192.168.24.2    323         0x80000001 0x007E8D

                Summary Net Link States (Area 5)

Link ID         ADV Router      Age         Seq#       Checksum
1.1.1.0         192.168.24.2    465         0x80000001 0x00B8FB
2.2.2.0         192.168.24.2    465         0x80000001 0x008A28
4.4.4.0         192.168.24.2    355         0x80000003 0x004861
6.6.6.0         192.168.24.2    220         0x80000001 0x000E96
7.7.7.0         192.168.24.2    135         0x80000001 0x00A8E5
10.1.6.0        192.168.24.2    355         0x80000003 0x00089C
10.1.7.0        192.168.24.2    415         0x80000003 0x00BBD4
192.168.12.0    192.168.24.2    466         0x80000001 0x009CA6
192.168.13.0    192.168.24.2    466         0x80000001 0x00F542
192.168.24.0    192.168.24.2    466         0x80000001 0x00181F
192.168.34.0    192.168.24.2    361         0x80000003 0x0028C2
R2#

So when a router wants to get to an inter-area route, it will basically look in the database. Ex: the router will
do a #sh ip ospf database summary 6.6.6.0 –

R2#sh ip ospf database summary 6.6.6.6

            OSPF Router with ID (192.168.24.2) (Process ID 10)
R2#sh ip ospf database summary 6.6.6.0

            OSPF Router with ID (192.168.24.2) (Process ID 10)

                Summary Net Link States (Area 0)

Note: we can see this route is being advertised by two routers R4 and R2.

  Routing Bit Set on this LSA
  LS age: 569
  Options: (No TOS-capability, DC, Upward)
  LS Type: Summary Links(Network)
  Link State ID: 6.6.6.0 (summary Network Number)
  Advertising Router: 192.168.34.4 – Says this route is being originated by this router (R4)
  LS Seq Number: 80000003
  Checksum: 0xADE9
 Length: 28
  Network Mask: /24
        TOS: 0  Metric: 2  - this route has a metric of 2 to reach the destination


                Summary Net Link States (Area 5)

  LS age: 570
  Options: (No TOS-capability, DC, Upward)
  LS Type: Summary Links(Network)
  Link State ID: 6.6.6.0 (summary Network Number)
  Advertising Router: 192.168.24.2 – Says this route is being originated by this router (R2)
  LS Seq Number: 80000001
  Checksum: 0xE96
  Length: 28
  Network Mask: /24
        TOS: 0  Metric: 3  this route has a metric of 3 to reach the destination

Based on this output alone we can’t determine which path we’re going to choose. We then need to look at the SPF cost inside our own area to reach the ABRs.

So we would look at our SPF cost to reach these routers, then add to that the metric these routers are advertising. This would be the total cost that gets installed in the routing table.

So from each advertising router:

R2#sh ip route 6.6.6.0
Routing entry for 6.6.6.0/24
  Known via "ospf 10", distance 110, metric 3, type inter area – R2 is using a metric of “3”
  Last update from 192.168.24.4 on GigabitEthernet0/0, 00:18:34 ago
  Routing Descriptor Blocks:
  * 192.168.24.4, from 192.168.34.4, 00:18:34 ago, via GigabitEthernet0/0
      Route metric is 3, traffic share count is 1

------------------------------------------------------------------------------------------------ 

R4#sh ip route 6.6.6.0
Routing entry for 6.6.6.0/24
  Known via "ospf 10", distance 110, metric 2, type intra area R4 is using a metric of “2”
  Last update from 10.1.6.6 on FastEthernet2/0, 00:19:37 ago
  Routing Descriptor Blocks:
  * 10.1.6.6, from 10.1.6.6, 00:19:37 ago, via FastEthernet2/0
      Route metric is 2, traffic share count is 1


Note: So to truly figure out the cost to the route we need to add the cost to reach the advertising router and the summary cost.

Traffic Engineering –
If we wanted to then modify the path selection, we could change the value the ABR is reporting in, or we can change the local SPF cost to reach the ABRs. Again, whatever is the lowest end-to-end cost will be the path.

Summary – for inter-area lookups, the routers DO NOT know what’s going on in the topology beyond the ABR.
This adds to the stability of OSPF because the area boundary determines the flooding domain. So for example,
if there’s a change in one of the other areas, the local area doesn't need to do anything; it just needs to know about the new inter-area metric, etc.
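The inter-area lookup described above, as an added example (not part of the original notes): it parses summary-LSA text in the format shown for 6.6.6.0, adds the local SPF cost to each ABR, and compares route type before metric. The second LSA (from 192.168.34.3), the SPF cost to that router, and all function names are constructed for illustration.

```python
import re

# Type preference from the notes: intra-area (O) always beats inter-area (O IA).
TYPE_RANK = {"intra": 0, "inter": 1}

# First LSA is trimmed from the R2 output above; the second one, from
# 192.168.34.3, is constructed here to give R2 a competing ABR.
SUMMARY_OUTPUT = """\
  LS Type: Summary Links(Network)
  Link State ID: 6.6.6.0 (summary Network Number)
  Advertising Router: 192.168.34.4
  Network Mask: /24
        TOS: 0  Metric: 2

  LS Type: Summary Links(Network)
  Link State ID: 6.6.6.0 (summary Network Number)
  Advertising Router: 192.168.34.3
  Network Mask: /24
        TOS: 0  Metric: 1
"""

# SPF cost from R2 to each ABR inside area 0. The cost of 1 to 192.168.34.4
# matches the Gi0/0 cost shown above; the cost to 192.168.34.3 is an assumption.
SPF_COST_TO_ABR = {"192.168.34.4": 1, "192.168.34.3": 65}


def parse_summary_lsas(text):
    """Return [(advertising_router, lsa_metric), ...] from the summary LSA text."""
    pattern = re.compile(r"Advertising Router:\s*(\S+).*?Metric:\s*(\d+)", re.S)
    return [(abr, int(metric)) for abr, metric in pattern.findall(text)]


def inter_area_candidates(text, spf_cost):
    """Total cost per ABR = SPF cost to the ABR + metric in its summary LSA."""
    return [
        {"type": "inter", "via": abr, "metric": spf_cost[abr] + lsa_metric}
        for abr, lsa_metric in parse_summary_lsas(text)
        if abr in spf_cost  # the ABR must be reachable inside our own area
    ]


def best_route(candidates):
    """Route type is compared first; metric only breaks ties within a type."""
    return min(candidates, key=lambda c: (TYPE_RANK[c["type"]], c["metric"]))


if __name__ == "__main__":
    for cand in inter_area_candidates(SUMMARY_OUTPUT, SPF_COST_TO_ABR):
        print(cand)
    print("best:", best_route(inter_area_candidates(SUMMARY_OUTPUT, SPF_COST_TO_ABR)))
```

The ABR advertising the lower summary metric (1) loses here because the end-to-end total is what counts, and the winning total of 3 matches the metric R2 installs for 6.6.6.0.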

Modifying OSPF Path Selection:

OSPF uses bandwidth-based cost
--COST = Reference BW / Interface BW – if we change the bandwidth, it will change the cost.
The only issue is that the bandwidth statement can affect other operations in the network.

Cost can be modified with
-Interface bandwidth

-Interface ip ospf cost – this would be the best way to change the cost.

-Process auto-cost – this will change the reference bandwidth. EX: if the reference bandwidth is 100Mbps and the interface bandwidth is 100Mbps, the result would be a cost of 1.

-Process neighbor (address) cost

More examples: let's say we want to change the cost of a 10Gig link so that the cost of that link will be 5.
You can use the show commands on the router to help figure this out, or remember the formula OSPF uses for the calculation: Cost = Reference BW / Interface BW. This is why, with the default 100 Mbps reference bandwidth, a 100MB link has a cost of 1.

Ex: if I were to go to my router 4 in the topology and change the bandwidth on my FastEthernet2/0 link to 10 GB, we can see what the resulting cost is.

R4(config)#interface fastEthernet 2/0
R4(config-if)#bandwidth 10000000

R4#sh ip ospf interface fa2/0 | in Cost
  Process ID 10, Router ID 4.4.4.4, Network Type BROADCAST, Cost: 1

The cost value is set at 1. That is because anytime we go over 100Mbps everything is going to be a cost of 1.

So we would then need to go under the OSPF process and change the auto-cost reference bandwidth.
EX:
R4(config)#router ospf 10
R4(config-router)#au
R4(config-router)#auto-cost re
R4(config-router)#auto-cost reference-bandwidth ?
  <1-4294967>  The reference bandwidth in terms of Mbits per second

R4(config-router)#auto-cost reference-bandwidth 4294967 - I set this to the maximum to see what the new cost of the link would be --

R4#sh ip ospf interface fa2/0 | in Cost
  Process ID 10, Router ID 4.4.4.4, Network Type BROADCAST, Cost: 429
R4#

So if I want the cost of the link to be "5", I will need to find and set the right auto-cost reference bandwidth.
By trial and error, a reference bandwidth of 50000 set the cost of the link to "5".

R4(config)#router ospf 10                    
R4(config-router)#auto-cost reference-bandwidth 50000

R4#sh ip ospf interface fa2/0 | in Cost
  Process ID 10, Router ID 4.4.4.4, Network Type BROADCAST, Cost: 5
R4#

Note: if you change the auto-cost, you will need to change it everywhere or you will have errors in the calculation. Typically in today's networks you would want to change the auto-cost reference bandwidth, because otherwise anything over 100Mb will be a cost of 1.

FastEthernet2/0 is up, line protocol is up 
  Internet Address 10.1.6.4/24, Area 6 
  Process ID 10, Router ID 4.4.4.4, Network Type BROADCAST, Cost: 5 - We can see the link I changed has the cost we wanted of 5

Serial1/0 is up, line protocol is up 
  Internet Address 192.168.34.4/24, Area 0 
  Process ID 10, Router ID 4.4.4.4, Network Type POINT_TO_POINT, Cost: 32383 - But because we didn't change the reference bandwidth everywhere we can see the cost of the other links has dramatically changed. 

GigabitEthernet0/0 is up, line protocol is up 
  Internet Address 192.168.24.4/24, Area 0 
  Process ID 10, Router ID 4.4.4.4, Network Type BROADCAST, Cost: 50

Note: the bandwidth value is in kilobits, so a bandwidth of 2000 would equal a 2MB connection.
The more 0's we add, the higher the bandwidth.
EX:
2000 - 2 mb
20000 - 20 mb
200000 - 200 mb
2000000 - 2 GB
20000000 - 20 GB
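The cost calculation worked through above, as an added example (not from the original notes): it reproduces the costs shown on R4, replaces the trial-and-error search for a reference bandwidth with a direct calculation, and reports links whose cost differs between routers when the reference bandwidth is not changed everywhere. The function names, the 1544 kbps serial bandwidth (the value consistent with the cost of 32383 shown), and the R2 entry are assumptions.

```python
DEFAULT_REF_MBPS = 100   # Cisco default reference bandwidth
MAX_COST = 65535         # an OSPF interface cost is a 16-bit value


def ospf_cost(bandwidth_kbps, ref_mbps=DEFAULT_REF_MBPS):
    """Cost = reference BW / interface BW, truncated, never below 1."""
    cost = (ref_mbps * 1000) // bandwidth_kbps
    return max(1, min(cost, MAX_COST))


def min_reference_for_cost(target_cost, bandwidth_kbps):
    """Smallest reference bandwidth (Mbps) that yields target_cost on this link."""
    return -(-target_cost * bandwidth_kbps // 1000)  # ceiling division


def mismatched_links(links_kbps, ref_by_router):
    """Links whose cost differs between routers with different reference bandwidths."""
    report = {}
    for name, bw in links_kbps.items():
        costs = {rtr: ospf_cost(bw, ref) for rtr, ref in ref_by_router.items()}
        if len(set(costs.values())) > 1:
            report[name] = costs
    return report


# Interface bandwidths in kbps, matching the R4 interfaces shown above
# (Fa2/0 has "bandwidth 10000000" configured; Se1/0 value is an assumption).
R4_LINKS = {"Fa2/0": 10_000_000, "Se1/0": 1_544, "Gi0/0": 1_000_000}

if __name__ == "__main__":
    print("default ref, 10G link:", ospf_cost(10_000_000))
    print("ref needed for cost 5:", min_reference_for_cost(5, 10_000_000))
    for link, bw in R4_LINKS.items():
        print(link, ospf_cost(bw, 50000))
    # Hypothetical: R4 changed to 50000 while R2 is still on the default.
    print(mismatched_links(R4_LINKS, {"R4": 50000, "R2": DEFAULT_REF_MBPS}))
```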

Compared to EIGRP, the path selection is straightforward: we simply add the cost value on a hop-by-hop basis.

Note: Remember though, if it's a different type of route there's no way we can change that. EX:
intra-area vs. inter-area: the "O" (intra-area) routes will always win over the "O IA" routes.