CCIE Ep. 14 H3LL0 SS4.0.0.5.lsdb

CC1E 0x108D4
Aug 12, 2022

Hey there, CC1E 0x00 is on this side once again. Today I'm sharing some points about OSPFv2.

The intent of this and the other articles on my profile is not to be formal. Instead, they are meant to be one more resource for those who want to learn about network topics and the CCIE Enterprise Infrastructure lab blueprint.

I strongly recommend visiting and reading formal sources like RFC 2328 (OSPF Version 2), OSPF: Anatomy of an Internet Routing Protocol by John T. Moy, and some Cisco Press books.

Previously, I have written about BGP and EIGRP. I won't do the same for RIP, RIPv2, and RIPng. But in my opinion, it is extremely important to know RIP and its flaws to comprehend other routing protocols.

OSPF stands for Open Shortest Path First. It is a link-state routing protocol in the class called IGP (Interior Gateway Protocol).

At the moment, there are two versions of OSPF. OSPFv2 is described in RFC 2328; OSPFv3 is described in RFC 5340 and supports the IPv6 and IPv4 address families.

Note that OSPF is a huge protocol with a lot of information, including tables, messages, network types, databases, interface states, packet processing, router classifications, statuses, packets and so on. At the heart of OSPF runs the Dijkstra SPF algorithm.

Forming OSPF neighborship

Both "neighbor relationship" and "adjacency" are used when speaking about OSPF adjacency. However, neighbors means that two OSPF speakers have heard each other, while adjacency means that the link-state database is synchronized between the OSPF speakers.

OSPF Packets

Type 1 — Hello
Used to discover and maintain OSPF neighbors. Also used to elect the DR and BDR on a multi-access network.

Type 2 DBD — Database Description
Used to exchange a short view of the LS database.

Type 3 LSR — Link State Request
Used to request LSAs to sync the DB with its neighbor.

Type 4 LSU — Link State Update
Sends the LSAs requested by the last LSR from its neighbor.

Type 5 LSAck — Link State Acknowledgement
Used to ACK (confirm) LSA messages received from its neighbor.

Neighbor Status

Down- Before receiving or sending any hello packets.

Attempt- Only appears on NBMA networks, where the neighbor IP address has to be set manually.

Init- Starts sending Hello packets to 224.0.0.5. When a unicast hello that contains its own router ID in the neighbor list is received, the Init state is concluded and the router moves on to the next stage, Two-Way.

Two-Way- Bidirectional communication is established and the DR/BDR roles are defined on a multi-access network.

Exstart- Master and Slave roles are temporarily defined.

Exchange- Database Description messages are exchanged, managed by the Master router (higher router-id).

Loading- To sync the database between routers, LSR, LSU, and LSAck are exchanged.

Full- Adjacency reaches full sync and the routers have exactly the same LSDB.

Neighborship requirements

For routers to become neighbors and reach full adjacency, some parameters exchanged in hello packets must match:

  • Hello and Dead time;
  • Area ID;
  • Special area flag (stub);
  • Authentication string (Autype 0 (NULL), Autype 1 (plain text), Autype 2 (MD5 or SHA));
  • Authentication Type;
  • Be in the same subnet;
  • IP MTU value
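
The checks listed above, as an added Python example that is not part of the original article: it decodes OSPFv2 Hello packets (RFC 2328 header and Hello layout) and reports which neighborship requirements differ. The packets are constructed samples modelled on the P2 / R2-A1 link, and the function names are hypothetical.

```python
import ipaddress
import struct

OSPF_HDR = struct.Struct("!BBH4s4sHH8s")  # RFC 2328 A.3.1: 24-byte common header
HELLO = struct.Struct("!4sHBBI4s4s")      # RFC 2328 A.3.2: fixed part of a Hello
FIXED = OSPF_HDR.size + HELLO.size        # 44 bytes precede the neighbor list
E_BIT, N_BIT = 0x02, 0x08                 # Options bits: external-capable, NSSA


def pack_ip(text):
    return ipaddress.IPv4Address(text).packed


def unpack_ip(raw):
    return str(ipaddress.IPv4Address(raw))


def build_hello(rid, area, mask, hello, dead, opts, nbrs=(), autype=0, auth=bytes(8)):
    """Build a constructed sample Hello (checksum left at 0, not validated here)."""
    body = HELLO.pack(pack_ip(mask), hello, opts, 1, dead, bytes(4), bytes(4))
    body += b"".join(pack_ip(n) for n in nbrs)
    header = OSPF_HDR.pack(2, 1, OSPF_HDR.size + len(body), pack_ip(rid),
                           pack_ip(area), 0, autype, auth)
    return header + body


def parse_hello(pkt):
    """Decode the Hello fields that the neighborship checks rely on."""
    if len(pkt) < FIXED:
        raise ValueError("truncated OSPF Hello")
    ver, ptype, length, rid, area, _cksum, autype, auth = OSPF_HDR.unpack_from(pkt)
    if ver != 2 or ptype != 1:
        raise ValueError("not an OSPFv2 Hello")
    if not FIXED <= length <= len(pkt) or (length - FIXED) % 4:
        raise ValueError("bad packet length field")
    mask, hello, opts, prio, dead, _dr, _bdr = HELLO.unpack_from(pkt, OSPF_HDR.size)
    return {
        "router_id": unpack_ip(rid), "area": unpack_ip(area),
        "autype": autype, "key_id": auth[2] if autype == 2 else None,
        "mask": unpack_ip(mask), "hello": hello, "dead": dead, "priority": prio,
        "e_bit": bool(opts & E_BIT),   # cleared in stub and NSSA areas
        "n_bit": bool(opts & N_BIT),   # set in NSSA areas
        "neighbors": [unpack_ip(pkt[i:i + 4]) for i in range(FIXED, length, 4)],
    }


def neighbor_mismatches(local, remote, remote_src, local_if):
    """List why `local` would not form a neighborship with `remote` (broadcast link)."""
    problems = []
    for field in ("hello", "dead", "area", "e_bit", "n_bit", "autype", "key_id"):
        if local[field] != remote[field]:
            problems.append(f"{field}: local={local[field]} remote={remote[field]}")
    iface = ipaddress.IPv4Interface(local_if)
    if ipaddress.IPv4Address(remote_src) not in iface.network:
        problems.append(f"subnet: {remote_src} is outside {iface.network}")
    if remote["mask"] != str(iface.netmask):
        problems.append(f"mask: local={iface.netmask} remote={remote['mask']}")
    # The IP MTU travels in DBD packets, not in the Hello, so it is not compared here.
    # Only AuType and Key ID are compared; the key itself is checked per packet.
    return problems


# Constructed samples modelled on the lab link: P2 (10.0.1.18/30) hears R2-A1 (10.0.1.17).
P2_HELLO = build_hello("10.255.1.4", "1.1.1.1", "255.255.255.252", 10, 40, E_BIT)
R2A1_OK = build_hello("10.255.1.2", "1.1.1.1", "255.255.255.252", 10, 40, E_BIT,
                      nbrs=["10.255.1.4"])
# Same router, but with faster timers and configured as a stub (E-bit cleared).
R2A1_BAD = build_hello("10.255.1.2", "1.1.1.1", "255.255.255.252", 5, 20, 0,
                       nbrs=["10.255.1.4"])

if __name__ == "__main__":
    for line in neighbor_mismatches(parse_hello(P2_HELLO), parse_hello(R2A1_BAD),
                                    "10.0.1.17", "10.0.1.18/30"):
        print(line)
```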

OSPF Areas types

Backbone area — The backbone area has an ID of 0.0.0.0. In multi-area OSPF, all other areas must be directly connected to the backbone area. In other words, inter-area traffic must pass through area 0.

Regular Area — Any other area that isn't the backbone or a special area like stub or NSSA.

Stub Area- A special area that replaces all external LSAs with one default route (generated by the ABR). Originally, the stub area was used to decrease CPU/memory consumption in "small routers" which have just one upstream link.

Totally stub area- Similar to the stub area, but it also removes any LSA type 3 (inter-area), 4 (summary), 5 (external). Any inter-area communication is achieved by using one default route.

Not So Stubby area (NSSA)- A not-so-stubby area works the same way as the stub area, but allows an ASBR router inside this special area. Inside an NSSA, external routes are generated by the ASBR using LSA Type 7 (AS External LSA). When those same routes are propagated to the backbone area, they are translated to LSA type 5 and also generate LSA Type 4.

Totally Not So Stubby- This special area does not allow LSA types 3 (summary), 4 (Summary ASBR) and 5 (external), but allows redistribution by the ASBR (LSA Type 7). It also needs a default route for all inter-area traffic flows.

Link State Advertisement — LSA

The OSPF hierarchy can include a few areas, such as a backbone, regular, and special areas, as mentioned previously.

Each OSPF speaker has a total view of the topology (of the area it is in) based on the link-state database. This DB can include many LSAs, depending on areas and network type.

LSA Type 1, Router- Basically describes the router itself: the router's links and their costs, and its neighbors. Intra-area LSA.

LSA Type 2, Network- LSA generated by the DR on multi-access networks. The LSA ID identifies/describes the multi-access link and ADV Router is the router ID of the DR on the segment/link. Intra-area LSA.

LSA Type 3, Summary- For the LSA ID (network IP) of one area to be reached in other areas, it has to be translated to LSA type 3. What I mean is that the ABR has to translate LSA types 1 & 2 to type 3 before propagating them to area 0, from where they are propagated to other areas. LSA Type 3 is the secret to OSPF inter-area routing.

LSA Type 4, Summary ASBR- Describes the ADV Router ID (ABR) which can be used to reach the ASBR in other areas. Useful for routers in areas other than the ASBR's.

LSA Type 5, External- The LSA ID describes redistributed routes and ADV Router is the router ID of the ASBR. Types of external route:

  • External type 1 (E1), N1 (NSSA, LSA Type 7)- The total cost of the path is used. I mean, internal + external cost;
  • External type 2 (E2), N2 (NSSA, LSA Type 7)- Just the external cost. The default or a customized cost is used.

LSA Type 6, Group Membership- Used for multicast applications. Not supported by Cisco.

LSA Type 7, AS External link- Describes external routes in NSSA or totally NSSA areas.

LSA Type 10 and 11- Used in MPLS TE applications.

Hands-on and capture packet analysis

Disclaimer: the configurations and analysis use the topology proposed by Leonardo Furtado, which can be found here.

OSPF DOJO, By Leonardo Furtado

Neighborship analysis — Simple OSPF configuration between P2 and R2-A1.

Checking Hello packets

Hello packets

OSPF, like EIGRP, uses IP directly as its transport; OSPF is identified by IP protocol number 89. Also note that the destination address is in the local-link scope (224.0.0.0/24) and the TTL is 1.

Note that the field values described in the neighborship requirements have to match.

!ROUTER R2-A1
router ospf 1
router-id 10.255.1.2
network 0.0.0.0 255.255.255.255 area 1.1.1.1

!ROUTER P2
router ospf 1
router-id 10.255.1.4
!
interface Ethernet0/0
ip address 10.0.1.18 255.255.255.252
ip ospf 1 area 1.1.1.1
!
interface Ethernet0/2
ip address 10.0.1.10 255.255.255.252
ip ospf 1 area 1.1.1.1

By default, an Ethernet link has network type broadcast. As we can see in the debug output, a DR/BDR election occurs.

DR and BDR election order:

  • Higher priority (value 1 by default)
  • Higher router-ID

In this case, router-id 10.255.1.2 becomes the DR because I had previously applied the configuration and then did a shutdown and no shutdown on P2's Ethernet0/0. The BDR took over the DR role meanwhile.

*Aug 10 18:05:57.053: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
*Aug 10 18:05:58.053: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to up
*Aug 10 18:05:58.054: OSPF-1 ADJ Et0/0: Route adjust notification: UP/UP
*Aug 10 18:05:58.837: %SYS-5-CONFIG_I: Configured from console by console
*Aug 10 18:06:40.867: OSPF-1 ADJ Et0/0: Interface going Up
----> 2WAY state
*Aug 10 18:06:40.868: OSPF-1 ADJ Et0/0: 2 Way Communication to 10.255.1.2, state 2WAY
*Aug 10 18:06:40.868: OSPF-1 ADJ Et0/0: Backup seen event before WAIT timer
*Aug 10 18:06:40.868: OSPF-1 ADJ Et0/0: DR/BDR election
*Aug 10 18:06:40.868: OSPF-1 ADJ Et0/0: Elect BDR 10.255.1.4
*Aug 10 18:06:40.868: OSPF-1 ADJ Et0/0: Elect DR 10.255.1.2
*Aug 10 18:06:40.868: OSPF-1 ADJ Et0/0: Elect BDR 10.255.1.4
*Aug 10 18:06:40.868: OSPF-1 ADJ Et0/0: Elect DR 10.255.1.2
*Aug 10 18:06:40.868: OSPF-1 ADJ Et0/0: DR: 10.255.1.2 (Id) BDR: 10.255.1.4 (Id)
*Aug 10 18:06:40.868: OSPF-1 ADJ Et0/0: Nbr 10.255.1.2: Prepare dbase exchange
*Aug 10 18:06:40.868: OSPF-1 ADJ Et0/0: Send DBD to 10.255.1.2 seq 0x579 opt 0x52 flag 0x7 len 32
*Aug 10 18:06:45.392: OSPF-1 ADJ Et0/0: Send DBD to 10.255.1.2 seq 0x579 opt 0x52 flag 0x7 len 32
*Aug 10 18:06:45.392: OSPF-1 ADJ Et0/0: Retransmitting DBD to 10.255.1.2 [1]
-----> ExSTART state, defining MASTER and SLAVE
*Aug 10 18:06:45.393: OSPF-1 ADJ Et0/0: Rcv DBD from 10.255.1.2 seq 0x5F0 opt 0x52 flag 0x7 len 32 mtu 1500 state EXSTART
*Aug 10 18:06:45.393: OSPF-1 ADJ Et0/0: First DBD and we are not SLAVE
*Aug 10 18:06:45.393: OSPF-1 ADJ Et0/0: Rcv DBD from 10.255.1.2 seq 0x579 opt 0x52 flag 0x2 len 52 mtu 1500 state EXSTART
*Aug 10 18:06:45.393: OSPF-1 ADJ Et0/0: NBR Negotiation Done. We are the MASTER
*Aug 10 18:06:45.393: OSPF-1 ADJ Et0/0: Nbr 10.255.1.2: Summary list built, size 1
----> EXCHANGE state, sending Database Description
*Aug 10 18:06:45.393: OSPF-1 ADJ Et0/0: Send DBD to 10.255.1.2 seq 0x57A opt 0x52 flag 0x1 len 52
*Aug 10 18:06:45.393: OSPF-1 ADJ Et0/0: Rcv LS REQ from 10.255.1.2 length 36 LSA count 1
*Aug 10 18:06:45.393: OSPF-1 ADJ Et0/0: Send LS UPD to 10.0.1.17 length 76 LSA count 1
*Aug 10 18:06:45.393: OSPF-1 ADJ Et0/0: Rcv DBD from 10.255.1.2 seq 0x57A opt 0x52 flag 0x0 len 32 mtu 1500 state EXCHANGE
*Aug 10 18:06:45.393: OSPF-1 ADJ Et0/0: Exchange Done with 10.255.1.2
----> LSUpdate and LSRequest
*Aug 10 18:06:45.393: OSPF-1 ADJ Et0/0: Send LS REQ to 10.255.1.2 length 36 LSA count 1
*Aug 10 18:06:45.394: OSPF-1 ADJ Et0/0: Rcv LS UPD from 10.255.1.2 length 136 LSA count 1
-----> ADJ state Full
*Aug 10 18:06:45.394: OSPF-1 ADJ Et0/0: Synchronized with 10.255.1.2, state FULL
*Aug 10 18:06:45.394: %OSPF-5-ADJCHG: Process 1, Nbr 10.255.1.2 on Ethernet0/0 from LOADING to FULL, Loading Done
*Aug 10 18:06:47.930: OSPF-1 ADJ Et0/0: Neighbor change event
*Aug 10 18:06:47.930: OSPF-1 ADJ Et0/0: DR/BDR election
*Aug 10 18:06:47.930: OSPF-1 ADJ Et0/0: Elect BDR 10.255.1.4
*Aug 10 18:06:47.930: OSPF-1 ADJ Et0/0: Elect DR 10.255.1.2
*Aug 10 18:06:47.930: OSPF-1 ADJ Et0/0: DR: 10.255.1.2 (Id) BDR: 10.255.1.4 (Id)
P2# BDR: none
P2#
*Aug 10 18:07:25.400: OSPF-1 ADJ Et0/0: Nbr 10.255.1.2: Clean-up dbase exchange
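
The election in the debug output above can be reproduced with a simplified version of the RFC 2328 section 9.4 calculation. This is an added Python example, not part of the original article; it assumes every listed router is already in 2-Way state and that Hellos name the DR/BDR by router ID rather than by interface address, and the function names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass, replace

NONE = "0.0.0.0"


@dataclass
class Router:
    router_id: str
    priority: int = 1
    dr: str = NONE    # router this one names as DR in its Hello
    bdr: str = NONE   # router this one names as BDR in its Hello


def best(candidates):
    """Highest priority wins; the higher router ID breaks a tie."""
    key = lambda r: (r.priority, int(ipaddress.IPv4Address(r.router_id)))
    winner = max(candidates, key=key, default=None)
    return winner.router_id if winner else NONE


def one_pass(routers):
    """Steps 2 and 3 of the calculation: pick the BDR first, then the DR."""
    eligible = [r for r in routers if r.priority > 0]      # priority 0 never runs
    # Step 2: a router that already declares itself DR cannot become BDR.
    not_dr = [r for r in eligible if r.dr != r.router_id]
    declared_bdr = [r for r in not_dr if r.bdr == r.router_id]
    bdr = best(declared_bdr or not_dr)
    # Step 3: only routers that declare themselves DR compete; otherwise promote the BDR.
    dr = best([r for r in eligible if r.dr == r.router_id])
    return (dr if dr != NONE else bdr), bdr


def elect(routers, me):
    """Run the election as router `me` sees it and return (dr, bdr) router IDs."""
    view = [replace(r) for r in routers]       # work on copies
    mine = next(r for r in view if r.router_id == me)
    was = (mine.dr == me, mine.bdr == me)
    dr, bdr = one_pass(view)
    if (dr == me, bdr == me) != was:           # step 4: my own role changed, run again
        mine.dr, mine.bdr = dr, bdr
        dr, bdr = one_pass(view)
    return dr, bdr


if __name__ == "__main__":
    # Constructed from the lab log: 10.255.1.2 is already DR when P2 (10.255.1.4) comes up.
    segment = [Router("10.255.1.2", dr="10.255.1.2"), Router("10.255.1.4")]
    print(elect(segment, me="10.255.1.4"))
    # Both routers start together with nothing declared: the higher router ID wins.
    print(elect([Router("10.255.1.2"), Router("10.255.1.4")], me="10.255.1.4"))
```

The first case shows why the election is not preemptive: a router that already declares itself DR keeps the role even when a neighbor with a higher router ID joins the segment.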

A broadcast network also generates LSA type 2 (Network, by the DR). Except for the area 5.5.5.5 links among R2-A5, R3-A5, R4-A5 and R5-A5, all other links will be network type point-to-point, for quick convergence and to decrease the link-state database size.

!ROUTER R2-A1
interface range eth0/0-2, lo0-2, lo10
ip ospf network point-to-point
!ROUTER P2
router ospf 1
router-id 10.255.1.4
!
interface Ethernet0/0
ip address 10.0.1.18 255.255.255.252
ip ospf 1 area 1.1.1.1
ip ospf network point-to-point
!
interface Ethernet0/2
ip address 10.0.1.10 255.255.255.252
ip ospf 1 area 1.1.1.1
ip ospf network point-to-point

PASSIVE INTERFACE

The passive interface feature prevents sending and processing hello packets on the link. It is recommended to configure passive on LAN downstream interfaces or any other interface where there is no neighbor.

R1-A1#show run | sec router ospf 1
router ospf 1
router-id 10.255.1.1
auto-cost reference-bandwidth 1000
prefix-suppression
passive-interface Loopback0
network 0.0.0.0 255.255.255.255 area 1.1.1.1
bfd all-interfaces

OSPF Multiarea

Multi-area OSPF implies a two-level hierarchy. I mean, there is a backbone area, and regular or special areas have to be connected directly to the backbone area. Take a look at the topology.

OSPFv2 also defines classifications of routers:

  • Internal routers - All links of this router are in just one area;
  • Area border routers - Links attached to multiple areas, two or more;
  • Area border router - At least one link attached to the backbone area;
  • AS boundary router (ASBR) - Router that connects to another routing domain. Basically, where redistribution is done.

For example, let's take a look at P1’s

  • Interfaces attached to two areas (backbone and 1.1.1.1)
P1#show ip ospf interface brief
Interface    PID   Area            IP Address/Mask    Cost  State Nbrs F/C
Et0/1        1     0.0.0.0         10.0.0.5/30        10    P2P   1/1
Et0/3        1     0.0.0.0         10.0.0.1/30        10    P2P   1/1
Et1/0        1     0.0.0.0         10.0.0.9/30        10    P2P   1/1
Et0/0        1     1.1.1.1         10.0.1.6/30        10    P2P   1/1
Et0/2        1     1.1.1.1         10.0.1.14/30       10    P2P   1/1
P1#show ip ospf | include Area [B1]|It is
It is an area border router
Area BACKBONE(0.0.0.0)
Area 1.1.1.1
-----> R1-A1, how to check whether there is any ABR or ASBR, and who it is
R1-A1#show ip ospf border-routers
OSPF Router with ID (10.255.1.1) (Process ID 1)
Base Topology (MTID 0)
Internal Router Routing Table
Codes: i - Intra-area route, I - Inter-area route
i 10.255.1.3 [10] via 10.0.1.6, Ethernet0/0, ABR, Area 1.1.1.1, SPF 7
i 10.255.1.4 [10] via 10.0.1.10, Ethernet0/2, ABR, Area 1.1.1.1, SPF 7

LSA Type 3, Summary

LSA Type 1 (router) and LSA Type 2 (network) don't pass to another area. I mean, LSA types 1 & 2 from area 0.0.0.0 don't go to area 1.1.1.1 and vice versa.

To allow inter-area routing, the ABR summarizes LSA types 1 & 2 and sends them as LSA type 3 into the target area.

R1-A1's RIB
O IA means inter-area networks

Only the backbone area and area 1.1.1.1 were already configured.

STUB/NSSA AREA

Stub and NSSA areas were a solution to allow small routers with low CPU and memory resources to run OSPF. Before configuring the stub/NSSA areas, I went back to the lab, configured everything as a regular area, and checked the OSPF database.

Now, imagine that the routers in areas 2, 3, and 5 are all old or low-cost routers. Currently, the database is kind of large for them.

R3-A4#show ip ospf database
OSPF Router with ID (10.255.1.16) (Process ID 1)
Router Link States (Area 4.4.4.4)
Link ID ADV Router Age Seq# Checksum Link count
10.255.1.14 10.255.1.14 107 0x80000002 0x00B8C3 3
10.255.1.15 10.255.1.15 65 0x80000002 0x001711 4
10.255.1.16 10.255.1.16 18 0x80000002 0x0084A9 5
R3-A4#
R3-A4#show ip ospf database
OSPF Router with ID (10.255.1.16) (Process ID 1)
Router Link States (Area 4.4.4.4)
Link ID ADV Router Age Seq# Checksum Link count
10.255.1.5 10.255.1.5 7 0x80000001 0x00318B 2
10.255.1.14 10.255.1.14 6 0x80000003 0x00063D 4
10.255.1.15 10.255.1.15 100 0x80000002 0x001711 4
10.255.1.16 10.255.1.16 53 0x80000002 0x0084A9 5
Summary Net Link States (Area 4.4.4.4)
Link ID ADV Router Age Seq# Checksum
10.2.6.1 10.255.1.5 3 0x80000001 0x00F50F
10.255.1.8 10.255.1.5 3 0x80000001 0x009A74
10.255.1.9 10.255.1.5 3 0x80000001 0x00F40F
Type-5 AS External Link States
Link ID ADV Router Age Seq# Checksum Tag
10.255.1.10 10.255.1.10 811 0x80000001 0x00581E 0
10.255.1.13 10.255.1.13 740 0x80000001 0x002848 0
192.168.1.0 10.255.1.10 811 0x80000001 0x008D93 0
192.168.2.0 10.255.1.10 811 0x80000001 0x00829D 0
192.168.3.0 10.255.1.10 811 0x80000001 0x0077A7 0
R3-A4#show ip ospf database
OSPF Router with ID (10.255.1.16) (Process ID 1)
Router Link States (Area 4.4.4.4)
Link ID ADV Router Age Seq# Checksum Link count
10.255.1.5 10.255.1.5 10 0x80000001 0x00318B 2
10.255.1.14 10.255.1.14 9 0x80000003 0x00063D 4
10.255.1.15 10.255.1.15 102 0x80000002 0x001711 4
10.255.1.16 10.255.1.16 56 0x80000002 0x0084A9 5
Summary Net Link States (Area 4.4.4.4)
Link ID ADV Router Age Seq# Checksum
10.0.0.0 10.255.1.5 5 0x80000001 0x003ED3
10.0.0.4 10.255.1.5 5 0x80000001 0x00B166
10.0.0.8 10.255.1.5 5 0x80000001 0x00ED1C
10.0.0.12 10.255.1.5 5 0x80000001 0x00C540
10.0.0.16 10.255.1.5 5 0x80000001 0x009D64
10.0.0.20 10.255.1.5 5 0x80000001 0x0011F6
10.0.0.24 10.255.1.5 5 0x80000001 0x004DAC
10.0.0.28 10.255.1.5 5 0x80000001 0x00C03F
10.0.1.0 10.255.1.5 5 0x80000001 0x00976F
10.0.1.4 10.255.1.5 5 0x80000001 0x000B02
10.0.1.8 10.255.1.5 5 0x80000001 0x0047B7
10.0.1.12 10.255.1.5 5 0x80000001 0x00BA4A
10.0.1.16 10.255.1.5 5 0x80000001 0x00F6FF
10.0.2.0 10.255.1.5 5 0x80000001 0x00C356
10.0.2.4 10.255.1.5 5 0x80000001 0x00FF0C
10.0.2.8 10.255.1.5 5 0x80000001 0x003CC1
10.0.3.0 10.255.1.5 5 0x80000001 0x001DF1
10.0.3.4 10.255.1.5 5 0x80000001 0x0059A7
10.0.3.8 10.255.1.5 5 0x80000001 0x00955D
10.0.5.0 10.255.1.5 5 0x80000001 0x000706
10.0.5.4 10.255.1.5 5 0x80000001 0x0043BB
10.0.5.8 10.255.1.5 5 0x80000001 0x00678D
10.1.1.1 10.255.1.5 5 0x80000001 0x0039D1
10.1.2.1 10.255.1.5 5 0x80000001 0x002EDB
10.1.3.1 10.255.1.5 5 0x80000001 0x0023E5
10.1.4.0 10.255.1.5 5 0x80000001 0x0022E6
10.1.5.0 10.255.1.5 5 0x80000001 0x0017F0
10.1.6.0 10.255.1.5 5 0x80000001 0x00F910
10.2.1.1 10.255.1.5 5 0x80000001 0x00C84B
10.2.2.1 10.255.1.5 5 0x80000001 0x00BD55
10.2.3.1 10.255.1.5 5 0x80000001 0x00B25F
10.2.4.1 10.255.1.5 5 0x80000001 0x000CFA
10.2.5.1 10.255.1.5 5 0x80000001 0x000105
10.2.6.1 10.255.1.5 5 0x80000001 0x00F50F
10.3.1.1 10.255.1.5 5 0x80000001 0x0021E7
10.3.2.1 10.255.1.5 5 0x80000001 0x0016F1
10.3.3.1 10.255.1.5 5 0x80000001 0x000BFB
10.3.4.1 10.255.1.5 5 0x80000001 0x006497
10.3.5.1 10.255.1.5 5 0x80000001 0x0059A1
10.3.6.1 10.255.1.5 5 0x80000001 0x004EAB
10.255.1.1 10.255.1.5 5 0x80000001 0x0045C6
10.255.1.2 10.255.1.5 5 0x80000001 0x003BCF
10.255.1.7 10.255.1.5 5 0x80000001 0x00A46B
10.255.1.8 10.255.1.5 5 0x80000001 0x009A74
10.255.1.9 10.255.1.5 5 0x80000001 0x00F40F
10.255.1.12 10.255.1.5 5 0x80000001 0x003BBB
10.255.255.11 10.255.1.5 5 0x80000001 0x00EB17
Summary ASB Link States (Area 4.4.4.4)
Link ID ADV Router Age Seq# Checksum
10.255.1.10 10.255.1.5 5 0x80000001 0x0037C1
10.255.1.13 10.255.1.5 5 0x80000001 0x007D6E
Type-5 AS External Link States
Link ID ADV Router Age Seq# Checksum Tag
10.255.1.10 10.255.1.10 813 0x80000001 0x00581E 0
10.255.1.13 10.255.1.13 742 0x80000001 0x002848 0
192.168.1.0 10.255.1.10 813 0x80000001 0x008D93 0
192.168.2.0 10.255.1.10 813 0x80000001 0x00829D 0
192.168.3.0 10.255.1.10 813 0x80000001 0x0077A7 0

Stub and Totally Stub AREA

A stub area helps remove LSA types 4 & 5, which describe external routes and ASBRs, from the database of the routers in the stub area.

A stub area only helps when the goal is just to hide external routes.

Stub area sample configuration

P3#show running-config | sec router ospf 1
router ospf 1
router-id 10.255.1.5
area 4.4.4.4 stub
network 10.0.0.4 0.0.0.3 area 0.0.0.0
network 10.0.0.20 0.0.0.3 area 0.0.0.0
network 10.0.0.28 0.0.0.3 area 0.0.0.0
P3#show run interface eth0/3

interface Ethernet0/3
ip address 10.0.4.1 255.255.255.252
ip ospf network point-to-point
ip ospf 1 area 4.4.4.4 ---> All routers in this area must have
end

Going back to the hello packet, the E-bit is unset, as we can see by comparing P3 and R1-A4 (not configured yet). The E-bit stands for ExternalRoutingCapability and is used only in non-stub areas.

So, let's check the R3-A4 database, now without LSA types 4 & 5, and also the default route in its RIB.

R3-A4#show ip ospf database
OSPF Router with ID (10.255.1.16) (Process ID 1)
Router Link States (Area 4.4.4.4)
Link ID ADV Router Age Seq# Checksum Link count
10.255.1.5 10.255.1.5 100 0x80000005 0x004773 2
10.255.1.14 10.255.1.14 1766 0x80000008 0x001A26 4
10.255.1.15 10.255.1.15 1749 0x80000007 0x002BF9 4
10.255.1.16 10.255.1.16 1744 0x80000005 0x009C90 5
Summary Net Link States (Area 4.4.4.4)
Link ID ADV Router Age Seq# Checksum
0.0.0.0 10.255.1.5 344 0x80000003 0x002EFD
10.0.0.0 10.255.1.5 344 0x80000004 0x0056BA
10.0.0.4 10.255.1.5 344 0x80000004 0x00C94D
10.0.0.8 10.255.1.5 344 0x80000004 0x000603
10.0.0.12 10.255.1.5 344 0x80000004 0x00DD27
10.0.0.16 10.255.1.5 344 0x80000004 0x00B54B
10.0.0.20 10.255.1.5 344 0x80000004 0x0029DD
10.0.0.24 10.255.1.5 344 0x80000004 0x006593
10.0.0.28 10.255.1.5 344 0x80000004 0x00D826
10.0.1.0 10.255.1.5 344 0x80000004 0x00AF56
10.0.1.4 10.255.1.5 344 0x80000004 0x0023E8
10.0.1.8 10.255.1.5 344 0x80000004 0x005F9E
10.0.1.12 10.255.1.5 344 0x80000004 0x00D231
10.0.1.16 10.255.1.5 344 0x80000004 0x000FE6
10.0.2.0 10.255.1.5 344 0x80000004 0x00DB3D
10.0.2.4 10.255.1.5 344 0x80000004 0x0018F2
10.0.2.8 10.255.1.5 344 0x80000004 0x0054A8
10.0.3.0 10.255.1.5 344 0x80000004 0x0035D8
10.0.3.4 10.255.1.5 344 0x80000004 0x00718E
10.0.3.8 10.255.1.5 344 0x80000004 0x00AD44
10.0.5.0 10.255.1.5 344 0x80000004 0x001FEC
10.0.5.4 10.255.1.5 344 0x80000004 0x005BA2
10.0.5.8 10.255.1.5 344 0x80000004 0x007F74
10.1.1.1 10.255.1.5 344 0x80000004 0x0051B8
10.1.2.1 10.255.1.5 344 0x80000004 0x0046C2
10.1.3.1 10.255.1.5 344 0x80000004 0x003BCC
10.1.4.0 10.255.1.5 344 0x80000004 0x003ACD
10.1.5.0 10.255.1.5 344 0x80000004 0x002FD7
10.1.6.0 10.255.1.5 344 0x80000004 0x0012F6
10.2.1.1 10.255.1.5 344 0x80000004 0x00E032
10.2.2.1 10.255.1.5 344 0x80000004 0x00D53C
10.2.3.1 10.255.1.5 344 0x80000004 0x00CA46
10.2.4.1 10.255.1.5 344 0x80000004 0x0024E1
10.2.5.1 10.255.1.5 344 0x80000004 0x0019EB
10.2.6.1 10.255.1.5 345 0x80000004 0x000EF5
10.3.1.1 10.255.1.5 344 0x80000004 0x0039CE
10.3.2.1 10.255.1.5 344 0x80000004 0x002ED8
10.3.3.1 10.255.1.5 344 0x80000004 0x0023E2
10.3.4.1 10.255.1.5 344 0x80000004 0x007C7E
10.3.5.1 10.255.1.5 344 0x80000004 0x007188
10.3.6.1 10.255.1.5 344 0x80000004 0x006692
10.255.1.1 10.255.1.5 344 0x80000004 0x005DAD
10.255.1.2 10.255.1.5 344 0x80000004 0x0053B6
10.255.1.7 10.255.1.5 344 0x80000004 0x00BC52
10.255.1.8 10.255.1.5 345 0x80000004 0x00B25B
10.255.1.9 10.255.1.5 345 0x80000004 0x000DF5
10.255.1.12 10.255.1.5 344 0x80000004 0x0053A2
10.255.255.11 10.255.1.5 344 0x80000004 0x0004FD
R3-A4#

------- No external routes
R3-A4#show ip route ospf | begin Gateway
Gateway of last resort is 10.0.4.9 to network 0.0.0.0
O*IA 0.0.0.0/0 [110/31] via 10.0.4.9, 00:42:00, Ethernet0/1
10.0.0.0/8 is variably subnetted, with 62 subnets, 4 masks
O IA 10.0.0.0/30 [110/50] via 10.0.4.9, 00:42:00, Ethernet0/1
O IA 10.0.0.4/30 [110/40] via 10.0.4.9, 00:42:00, Ethernet0/1
O IA 10.0.0.8/30 [110/50] via 10.0.4.9, 00:42:00, Ethernet0/1
O IA 10.0.0.12/30 [110/50] via 10.0.4.9, 00:42:00, Ethernet0/1
O IA 10.0.0.16/30 [110/50] via 10.0.4.9, 00:42:00, Ethernet0/1
O IA 10.0.0.20/30 [110/40] via 10.0.4.9, 00:42:00, Ethernet0/1
O IA 10.0.0.24/30 [110/50] via 10.0.4.9, 00:42:00, Ethernet0/1
O IA 10.0.0.28/30 [110/40] via 10.0.4.9, 00:42:00, Ethernet0/1
O IA 10.0.1.0/30 [110/60] via 10.0.4.9, 00:42:00, Ethernet0/1
O IA 10.0.1.4/30 [110/50] via 10.0.4.9, 00:42:00, Ethernet0/1
O IA 10.0.1.8/30 [110/60] via 10.0.4.9, 00:42:00, Ethernet0/1
O IA 10.0.1.12/30 [110/50] via 10.0.4.9, 00:42:00, Ethernet0/1
O IA 10.0.1.16/30 [110/60] via 10.0.4.9, 00:42:00, Ethernet0/1
O IA 10.0.2.0/30 [110/40] via 10.0.4.9, 00:42:00, Ethernet0/1
O IA 10.0.2.4/30 [110/50] via 10.0.4.9, 00:42:00, Ethernet0/1
O IA 10.0.2.8/30 [110/60] via 10.0.4.9, 00:42:00, Ethernet0/1
O IA 10.0.3.0/30 [110/50] via 10.0.4.9, 00:42:00, Ethernet0/1
O IA 10.0.3.4/30 [110/60] via 10.0.4.9, 00:42:00, Ethernet0/1
O IA 10.0.3.8/30 [110/70] via 10.0.4.9, 00:42:00, Ethernet0/1
O 10.0.4.0/30 [110/30] via 10.0.4.9, 00:42:00, Ethernet0/1
O 10.0.4.4/30 [110/20] via 10.0.4.9, 00:42:00, Ethernet0/1
O IA 10.0.5.0/30 [110/50] via 10.0.4.9, 00:42:00, Ethernet0/1
O IA 10.0.5.4/30 [110/60] via 10.0.4.9, 00:42:00, Ethernet0/1
O IA 10.0.5.8/29 [110/70] via 10.0.4.9, 00:42:00, Ethernet0/1
O IA 10.1.1.0/24 [110/51] via 10.0.4.9, 00:08:30, Ethernet0/1
O IA 10.1.2.0/24 [110/51] via 10.0.4.9, 00:08:30, Ethernet0/1
O IA 10.1.3.0/24 [110/51] via 10.0.4.9, 00:08:30, Ethernet0/1
O IA 10.1.4.0/24 [110/51] via 10.0.4.9, 00:42:00, Ethernet0/1
O IA 10.1.5.0/24 [110/51] via 10.0.4.9, 00:42:00, Ethernet0/1
O IA 10.1.6.0/30 [110/51] via 10.0.4.9, 00:42:00, Ethernet0/1
O IA 10.2.1.0/24 [110/41] via 10.0.4.9, 00:07:39, Ethernet0/1
O IA 10.2.2.0/24 [110/41] via 10.0.4.9, 00:07:39, Ethernet0/1
O IA 10.2.3.0/24 [110/41] via 10.0.4.9, 00:07:39, Ethernet0/1
O IA 10.2.4.0/24 [110/51] via 10.0.4.9, 00:07:07, Ethernet0/1
O IA 10.2.5.0/24 [110/51] via 10.0.4.9, 00:07:07, Ethernet0/1
O IA 10.2.6.0/24 [110/51] via 10.0.4.9, 00:07:07, Ethernet0/1
O IA 10.3.1.0/24 [110/51] via 10.0.4.9, 00:06:17, Ethernet0/1
O IA 10.3.2.0/24 [110/51] via 10.0.4.9, 00:06:17, Ethernet0/1
O IA 10.3.3.0/24 [110/51] via 10.0.4.9, 00:06:17, Ethernet0/1
O IA 10.3.4.1/32 [110/61] via 10.0.4.9, 00:42:00, Ethernet0/1
O IA 10.3.5.1/32 [110/61] via 10.0.4.9, 00:42:00, Ethernet0/1
O IA 10.3.6.1/32 [110/61] via 10.0.4.9, 00:42:00, Ethernet0/1
O IA 10.5.1.0/24 [110/71] via 10.0.4.9, 00:02:19, Ethernet0/1
O IA 10.5.2.0/24 [110/71] via 10.0.4.9, 00:02:19, Ethernet0/1
O IA 10.5.3.0/24 [110/71] via 10.0.4.9, 00:02:19, Ethernet0/1
O IA 10.255.1.1/32 [110/51] via 10.0.4.9, 00:42:00, Ethernet0/1
O IA 10.255.1.2/32 [110/51] via 10.0.4.9, 00:42:00, Ethernet0/1
O IA 10.255.1.7/32 [110/41] via 10.0.4.9, 00:42:00, Ethernet0/1
O IA 10.255.1.8/32 [110/41] via 10.0.4.9, 00:42:00, Ethernet0/1
O IA 10.255.1.9/32 [110/51] via 10.0.4.9, 00:42:00, Ethernet0/1
O IA 10.255.1.12/32 [110/61] via 10.0.4.9, 00:42:00, Ethernet0/1
O IA 10.255.1.21/32 [110/71] via 10.0.4.9, 00:02:19, Ethernet0/1
O IA 10.255.255.11/32 [110/51] via 10.0.4.9, 00:42:00, Ethernet0/1
R3-A4#

In the same way as the stub area, a totally stub area also removes LSA Type 3 and adds a default route. Let's configure area 5.5.5.5 as totally stub.

Totally Stub area sample configuration

On ABRs
P4(config-router)#do show run | sec router ospf 1
router ospf 1
router-id 10.255.1.6
area 5.5.5.5 stub no-summary
Other routers
R1-A5(config-router)#do show run | sec router ospf 1
router ospf 1
router-id 10.255.1.17
area 5.5.5.5 stub ! just stub :)

So, let's check the R5-A5 database: LSA types 3, 4 & 5 are replaced by only one LSA type 3 with link ID 0.0.0.0.

R5-A5#show ip ospf database
OSPF Router with ID (10.255.1.21) (Process ID 1)
Router Link States (Area 5.5.5.5)
Link ID ADV Router Age Seq# Checksum Link count
10.255.1.6 10.255.1.6 602 0x80000008 0x00713F 2
10.255.1.8 10.255.1.8 75 0x8000000C 0x0048C0 4
10.255.1.17 10.255.1.17 132 0x8000000A 0x003604 4
10.255.1.19 10.255.1.19 75 0x80000008 0x00B8AF 2
10.255.1.20 10.255.1.20 75 0x80000008 0x00D093 2
10.255.1.21 10.255.1.21 66 0x80000007 0x00FF18 5
Net Link States (Area 5.5.5.5)
Link ID ADV Router Age Seq# Checksum
10.0.5.11 10.255.1.20 87 0x80000002 0x009A1A
10.0.5.12 10.255.1.21 74 0x80000001 0x002C63
Summary Net Link States (Area 5.5.5.5)
Link ID ADV Router Age Seq# Checksum
0.0.0.0 10.255.1.6 1073 0x80000001 0x002C01

R5-A5#show ip ospf database summary
OSPF Router with ID (10.255.1.21) (Process ID 1)
Summary Net Link States (Area 5.5.5.5)
Routing Bit Set on this LSA in topology Base with MTID 0
LS age: 1374
Options: (No TOS-capability, DC, Upward)
LS Type: Summary Links(Network)
Link State ID: 0.0.0.0 (summary Network Number) ! Means the network IP
Advertising Router: 10.255.1.6 ! Who generates this link state ID
LS Seq Number: 80000001
Checksum: 0x2C01
Length: 28
Network Mask: /0
MTID: 0 Metric: 1
R5-A5#show ip route ospf | begin Gateway
Gateway of last resort is 10.0.5.9 to network 0.0.0.0
O*IA 0.0.0.0/0 [110/31] via 10.0.5.9, 00:08:43, Ethernet0/0
10.0.0.0/8 is variably subnetted, 11 subnets, 4 masks
O 10.0.5.0/30 [110/30] via 10.0.5.9, 00:08:43, Ethernet0/0
O 10.0.5.4/30 [110/20] via 10.0.5.9, 00:08:43, Ethernet0/0
R5-A5#

Understand LSA Type 2, broadcast network

Look at area 5.5.5.5: routers R2 through R5 share a common infrastructure. It is a switch in this lab, but could be a DMVPN in real scenarios.

Neighbor table

As we can see, the adjacency reaches Full only with the DR and BDR. To become DR, the rule is higher priority and, if there is a tie, higher router-id. In our case, the highest router-id is router 10.255.1.21.

Priority 0 means "never be DR/BDR candidate"

We'll change the priority on router R2-A5 so it becomes DR. The topology will need to reconverge to reach this goal. Be careful when running these commands on a production network.

! R2-A5
R2-A5(config-if)#interface eth0/1
R2-A5(config-if)#ip ospf priority ?
<0-255> Priority
R2-A5(config-if)#ip ospf priority 255
! R4-A5 R5-A5
R4-A5#clear ip ospf process
Reset ALL OSPF processes? [no]: yes
R4-A5#
R5-A5#clear ip ospf process
Reset ALL OSPF processes? [no]: yes
R5-A5#
R5-A5’s neighbor table

The multi-access network is described by the DR using LSA Type 2, called Network.

LSA Type 2

NSSA and Totally NSSA AREA

As said previously, NSSA and stub areas reduce CPU consumption by simplifying the database. However, not-so-stubby and totally NSSA areas allow injecting routes from other routing domains inside the area.

In an NSSA, the ASBR injects the routes using a link-state type 7 for each network. The ABR, instructed by the P-bit, translates LSA type 7 to types 4 & 5 into other areas. If the ASBR and ABR are the same router, no translation is needed.

NSSA sample configuration, area 2.2.2.2

P3#show run | sec router ospf 1
router ospf 1
router-id 10.255.1.5
area 2.2.2.2 nssa
area 4.4.4.4 stub
network 10.0.0.4 0.0.0.3 area 0.0.0.0
network 10.0.0.20 0.0.0.3 area 0.0.0.0
network 10.0.0.28 0.0.0.3 area 0.0.0.0
P3#show run interface eth0/2
interface Ethernet0/2
ip address 10.0.2.1 255.255.255.252
ip ospf network point-to-point
ip ospf 1 area 2.2.2.2
end
NSSA Option bit on hello packet

NSSA Data Base

Let's check what external network redistributed on R3-A2 looks like for R2-A1 in area 1.1.1.1.

To reach an external link ID (redistributed network), there first has to exist at least one LSA Type 4 generated by an ABR to reach the ASBR:

  • Link ID- 10.255.1.5 (ASBR)
  • ADV Router- 10.255.1.3, 10.255.1.4 (ABRs)

LSA Type 5, External Link

  • Link ID- Redistributed network
  • ADV Router- 10.255.1.5 (ASBRs)

As I said before, external routes redistributed in an NSSA appear as LSA type 7.

Note that link ID 0.0.0.0 is not created dynamically in an NSSA. To do so, the option default-information-originate has to be used on the ABR.

P3(config-router)#area 2.2.2.2 nssa default-information-originate

Totally NSSA sample configuration, area 3.3.3.3

P4#show run | sec router ospf 1
router ospf 1
router-id 10.255.1.6
area 3.3.3.3 nssa no-summary
area 5.5.5.5 stub no-summary
other routers
router ospf 1
router-id 10.255.1.11
area 3.3.3.3 nssa

Let's take a look at area 3.3.3.3 and its size.

HARDENING and TUNING OSPF

Path preference

OSPF cost is bandwidth_reference / interface_bandwidth. By default, the Cisco router bandwidth_reference is 100Mbps, as we can see below. In this lab, all interfaces are 10Mbps. For future purposes, bandwidth_reference will be changed to 10Gbps on all routers.

Path type preference

  • Intra Area, O
  • Inter Area, O IA
  • External 1, E1 or N1
  • External 2, E2 or N2

Redistribute routes

Redistribution was done on routers R3-A2 and R3-A3. By default, routes are redistributed with seed metric type 2 and cost 20.

R3-A2#show route-map
route-map RIP-TO-OSPF, permit, sequence 10
Match clauses:
ip address prefix-lists: RIP-TO-OSPF
Set clauses:
Policy routing matches: 0 packets, 0 bytes
R3-A2#show ip prefix-list RIP-TO-OSPF
ip prefix-list RIP-TO-OSPF: 1 entries
seq 5 permit 192.168.0.0/16 le 24
R3-A2#show run | sec router ospf 1
router ospf 1
router-id 10.255.1.10
auto-cost reference-bandwidth 1000
area 2.2.2.2 nssa
redistribute connected subnets route-map RIP-TO-OSPF
R3-A3#show run | sec router ospf 1
router ospf 1
router-id 10.255.1.13
auto-cost reference-bandwidth 1000
area 3.3.3.3 nssa
redistribute static subnets
network 10.0.3.8 0.0.0.3 area 3.3.3.3

Changing to external type 1 (metric-type 1 in the configuration below), the whole path cost is calculated, including the cost inside OSPF and the external cost.

R3-A2#show run | sec router ospf 1
router ospf 1
router-id 10.255.1.10
auto-cost reference-bandwidth 1000
area 2.2.2.2 nssa
redistribute connected metric-type 1 subnets route-map RIP-TO-OSPF
!R3-A3
R3-A3(config)#router ospf 1
R3-A3(config-router)# redistribute static subnets ?
metric Metric for redistributed routes
metric-type OSPF/IS-IS exterior metric type for redistributed routes
nssa-only Limit redistributed routes to NSSA areas
route-map Route map reference
tag Set tag for routes redistributed into OSPF
<cr>
R3-A3(config-router)# redistribute static subnets metric-type 1

Graceful Shutdown

This feature allows removing neighbor adjacencies and flushing the LSAs that the router generated, with age 3600. Basically, it helps neighbors drop the adjacency without waiting for the dead time.

It can be configured at the interface or router level.

R1-A1#sh debugging
OSPF:
OSPF adjacency debugging is on
Condition 1: interface Et0/0 (1 flags triggered)
Flags: Et0/0
R1-A1(config)#interface eth0/0
R1-A1(config-if)#ip ospf shutdown
R1-A1(config-if)#
*Aug 11 20:50:11.030: OSPF-1 ADJ Et0/0: Interface going Down
*Aug 11 20:50:11.030: OSPF-1 ADJ Et0/0: 10.255.1.3 address 10.0.1.6 is dead, state DOWN
*Aug 11 20:50:11.030: %OSPF-5-ADJCHG: Process 1, Nbr 10.255.1.3 on Ethernet0/0 from FULL to DOWN, Neighbor Down: Interface down or detached
R1-A1(config-if)#
*Aug 11 20:50:11.030: OSPF-1 ADJ Et0/0: 10.255.1.1 address 10.0.1.5 is dead, state DOWN
R1-A1(config-if)#

BFD, Bidirectional Forwarding Detection

To improve convergence, optimization features such as LSA throttling, SPF tuning and fast hello can be used. As for LSA throttling, which controls LSA computation and LSA forwarding, change its defaults only in very specific situations.

Fast hello provides a way to send hellos at intervals of under 1 second (high CPU time consumption). But I prefer a lightweight layer 1 protocol called BFD.

!P5
router ospf 1
bfd all-interfaces
interface range eth1/0-3
bfd interval 50 min_rx 50 multiplier 3
!P3
router ospf 1
bfd all-interfaces
int range eth0/2-3
ip ospf bfd disable
interface range eth0/0-1, eth1/2
bfd interval 50 min_rx 50 multiplier 3

GTSM (Generic TTL Security Mechanism)

By default, OSPF packets are sent with TTL 1. When TTL Security is enabled, the OSPF router only accepts packets with TTL 255. This means that an attacker two or more hops away can no longer spoof OSPF packets and make the router's CPU process them, because every router on the path decrements the TTL, so those packets arrive with a TTL below 255.
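The acceptance rule described above, as an added example that is not part of the original article: it parses constructed IPv4 headers and applies the TTL 255 check to OSPF (IP protocol 89) packets. The `max_hops` parameter, the function names and the sample packets are assumptions made for the illustration.

```python
import socket
import struct

OSPF_PROTO = 89   # IP protocol number of OSPF
GTSM_TTL = 255    # TTL a sender with TTL security puts in every packet


def ipv4_header(src, dst, ttl, proto=OSPF_PROTO):
    """Build a 20-byte IPv4 header for a constructed sample (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0xC0, 20, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def gtsm_verdict(header, max_hops=1):
    """Return 'accept', 'drop' or 'not-ospf' for a raw IPv4 header.

    max_hops is a hypothetical knob: 1 means only directly connected
    senders are trusted, so the packet must arrive with TTL 255.
    """
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ttl, proto = header[8], header[9]
    if proto != OSPF_PROTO:
        return "not-ospf"
    # Every router on the path decrements the TTL by one, so a sender that is
    # more than max_hops away cannot deliver a packet with TTL >= lowest_ok.
    lowest_ok = GTSM_TTL - (max_hops - 1)
    return "accept" if ttl >= lowest_ok else "drop"


# Constructed samples: (description, header bytes).
SAMPLES = [
    ("adjacent neighbor with TTL security", ipv4_header("10.0.1.6", "224.0.0.5", 255)),
    # A neighbor that was not migrated still sends TTL 1 and is rejected too,
    # so both ends of a link have to enable the feature.
    ("adjacent neighbor still sending TTL 1", ipv4_header("10.0.1.6", "224.0.0.5", 1)),
    ("spoofed unicast that crossed two routers", ipv4_header("10.0.1.6", "10.0.1.5", 253)),
    ("non-OSPF traffic (TCP)", ipv4_header("10.0.1.6", "10.0.1.5", 64, proto=6)),
]


def classify_samples(max_hops=1):
    """Apply the check to every constructed sample."""
    return [(name, gtsm_verdict(hdr, max_hops)) for name, hdr in SAMPLES]


if __name__ == "__main__":
    for name, verdict in classify_samples():
        print(f"{verdict:8} {name}")
```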

Authentication

OSPF routers support three types of authentication: type 0 (null), type 1 (plain text) and type 2 (MD5 or SHA). Only authentication type 2 makes sense nowadays. A few points must match to reach a full adjacency:

  • Key ID
  • Authentication type
  • Hash algorithm

Authentication can be enabled at the area or interface level. Check it out:

key chain KEY_OSPF_AREA_2.2.2.2
key 1
key-string AR3A4a4a
cryptographic-algorithm hmac-sha-512
interface Ethernet0/0
ip address 10.0.2.5 255.255.255.252
ip ospf authentication key-chain KEY_OSPF_AREA_2.2.2.2
ip ospf network point-to-point
!
interface Ethernet0/2
ip address 10.0.2.2 255.255.255.252
ip ospf authentication key-chain KEY_OSPF_AREA_2.2.2.2
ip ospf network point-to-point
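A pre-change check for the three match points listed above, as an added example that is not from the original article: it parses IOS-style configuration text for both ends of a link and reports which point differs. Router A reuses the key chain shown above; Router B, its interface names and the function names are constructed for the illustration, and only interface-level key chains are considered.

```python
import re

# Router A: key chain and interface lines as shown in the article.
ROUTER_A = """
key chain KEY_OSPF_AREA_2.2.2.2
 key 1
  key-string AR3A4a4a
  cryptographic-algorithm hmac-sha-512
interface Ethernet0/0
 ip ospf authentication key-chain KEY_OSPF_AREA_2.2.2.2
"""
# Router B: constructed neighbor, other algorithm on key 1, one open interface.
ROUTER_B = """
key chain KEY_OSPF_AREA_2.2.2.2
 key 1
  key-string AR3A4a4a
  cryptographic-algorithm hmac-sha-256
interface Ethernet0/1
 ip ospf authentication key-chain KEY_OSPF_AREA_2.2.2.2
interface Ethernet0/2
 ip address 10.0.2.9 255.255.255.252
"""


def parse_ospf_auth(config):
    """Map each interface to {'type': 0|2, 'keys': {key_id: algorithm}}."""
    chains, uses = {}, {}
    chain = key_id = iface = None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.fullmatch(r"key chain (\S+)", line):
            chain, key_id, iface = m.group(1), None, None
            chains[chain] = {}
        elif m := re.fullmatch(r"interface (\S+)", line):
            iface, chain = m.group(1), None
            uses[iface] = None
        elif chain and (m := re.fullmatch(r"key (\d+)", line)):
            key_id = int(m.group(1))
            chains[chain][key_id] = "unset"
        elif chain and key_id is not None and (
                m := re.fullmatch(r"cryptographic-algorithm (\S+)", line)):
            chains[chain][key_id] = m.group(1)
        elif iface and (m := re.fullmatch(
                r"ip ospf authentication key-chain (\S+)", line)):
            uses[iface] = m.group(1)
    # Type 2 = cryptographic; type 0 = no interface-level authentication seen.
    return {i: ({"type": 2, "keys": chains.get(c, {})} if c
                else {"type": 0, "keys": {}}) for i, c in uses.items()}


def compare_link(a, b):
    """Return which of the three match points differ between two link ends."""
    if a["type"] != b["type"]:
        return ["authentication type"]
    problems = []
    if set(a["keys"]) != set(b["keys"]):
        problems.append("key ID")
    shared = set(a["keys"]) & set(b["keys"])
    if any(a["keys"][k] != b["keys"][k] for k in shared):
        problems.append("hash algorithm")
    return problems
```

Calling `compare_link(parse_ospf_auth(ROUTER_A)["Ethernet0/0"], parse_ospf_auth(ROUTER_B)["Ethernet0/1"])` returns `["hash algorithm"]`; an empty list means the three points agree.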

Prefix Suppression

Suppose that, for whatever reason, having the uplink networks in your routing table is not useful because there are no end users on them. LSA types 3, 4, 5 and 7 will not be suppressed. Take a look at the P5 RIB.

Totally NSSA sample configuration, area 3.3.3.3

R3-A2(config-router)#int eth0/1
R3-A2(config-if)#ip ospf prefix-suppression
R3-A3(config)#int eth0/1
R3-A3(config-if)#ip ospf prefix-suppression
!All other routers
router ospf 1
prefix-suppression
R1-A1#show ip route ospf | begin Gateway
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 65 subnets, 3 masks
O IA 10.0.0.0/30 [110/200] via 10.0.1.10, 00:00:55, Ethernet0/2
[110/200] via 10.0.1.6, 00:00:55, Ethernet0/0
O IA 10.0.0.4/30 [110/200] via 10.0.1.6, 00:00:55, Ethernet0/0
O IA 10.0.0.8/30 [110/200] via 10.0.1.6, 00:00:55, Ethernet0/0
O IA 10.0.0.12/30 [110/200] via 10.0.1.10, 00:00:55, Ethernet0/2
O IA 10.0.0.16/30 [110/200] via 10.0.1.10, 00:00:55, Ethernet0/2
O IA 10.0.0.20/30 [110/300] via 10.0.1.10, 00:00:55, Ethernet0/2
[110/300] via 10.0.1.6, 00:00:55, Ethernet0/0
O IA 10.0.0.24/30 [110/300] via 10.0.1.10, 00:00:55, Ethernet0/2
[110/300] via 10.0.1.6, 00:00:55, Ethernet0/0
O IA 10.0.0.28/30 [110/300] via 10.0.1.10, 00:00:55, Ethernet0/2
[110/300] via 10.0.1.6, 00:00:55, Ethernet0/0
O 10.0.1.12/30 [110/110] via 10.0.1.2, 00:00:55, Ethernet0/1
O 10.0.1.16/30 [110/110] via 10.0.1.2, 00:00:55, Ethernet0/1
O IA 10.0.2.0/30 [110/300] via 10.0.1.6, 00:00:55, Ethernet0/0
O IA 10.0.2.4/30 [110/400] via 10.0.1.6, 00:00:55, Ethernet0/0
O IA 10.0.2.8/30 [110/500] via 10.0.1.6, 00:00:55, Ethernet0/0
O IA 10.0.3.0/30 [110/300] via 10.0.1.10, 00:00:55, Ethernet0/2
O IA 10.0.3.4/30 [110/400] via 10.0.1.10, 00:00:55, Ethernet0/2
O IA 10.0.3.8/30 [110/500] via 10.0.1.10, 00:00:55, Ethernet0/2
O IA 10.0.4.0/30 [110/300] via 10.0.1.6, 00:00:55, Ethernet0/0
O IA 10.0.4.4/30 [110/400] via 10.0.1.6, 00:00:55, Ethernet0/0
O IA 10.0.4.8/30 [110/500] via 10.0.1.6, 00:00:55, Ethernet0/0
O 10.1.4.1/32 [110/101] via 10.0.1.2, 00:00:55, Ethernet0/1
O 10.1.5.1/32 [110/101] via 10.0.1.2, 00:00:55, Ethernet0/1
O 10.1.6.1/32 [110/101] via 10.0.1.2, 00:00:55, Ethernet0/1
O IA 10.2.1.1/32 [110/301] via 10.0.1.6, 00:00:55, Ethernet0/0
O IA 10.2.2.1/32 [110/301] via 10.0.1.6, 00:00:55, Ethernet0/0
O IA 10.2.3.1/32 [110/301] via 10.0.1.6, 00:00:55, Ethernet0/0
O IA 10.2.4.1/32 [110/401] via 10.0.1.6, 00:00:55, Ethernet0/0
O IA 10.2.5.1/32 [110/401] via 10.0.1.6, 00:00:55, Ethernet0/0
O IA 10.2.6.1/32 [110/401] via 10.0.1.6, 00:00:55, Ethernet0/0
O IA 10.3.1.1/32 [110/301] via 10.0.1.10, 00:00:55, Ethernet0/2
O IA 10.3.2.1/32 [110/301] via 10.0.1.10, 00:00:55, Ethernet0/2
O IA 10.3.3.1/32 [110/301] via 10.0.1.10, 00:00:55, Ethernet0/2
O IA 10.3.4.1/32 [110/401] via 10.0.1.10, 00:00:55, Ethernet0/2
O IA 10.3.5.1/32 [110/401] via 10.0.1.10, 00:00:55, Ethernet0/2
O IA 10.3.6.1/32 [110/401] via 10.0.1.10, 00:00:55, Ethernet0/2
O IA 10.4.1.1/32 [110/501] via 10.0.1.6, 00:00:55, Ethernet0/0
O IA 10.4.2.1/32 [110/501] via 10.0.1.6, 00:00:55, Ethernet0/0
O IA 10.4.3.1/32 [110/501] via 10.0.1.6, 00:00:55, Ethernet0/0
O 10.255.1.2/32 [110/101] via 10.0.1.2, 00:00:55, Ethernet0/1
O IA 10.255.1.3/32 [110/101] via 10.0.1.6, 00:00:55, Ethernet0/0
O IA 10.255.1.4/32 [110/101] via 10.0.1.10, 00:00:55, Ethernet0/2
O IA 10.255.1.5/32 [110/201] via 10.0.1.6, 00:00:55, Ethernet0/0
O IA 10.255.1.6/32 [110/201] via 10.0.1.10, 00:00:55, Ethernet0/2
O IA 10.255.1.7/32 [110/201] via 10.0.1.10, 00:00:55, Ethernet0/2
[110/201] via 10.0.1.6, 00:00:55, Ethernet0/0
O IA 10.255.1.8/32 [110/301] via 10.0.1.6, 00:00:55, Ethernet0/0
O IA 10.255.1.9/32 [110/401] via 10.0.1.6, 00:00:55, Ethernet0/0
O IA 10.255.1.10/32 [110/501] via 10.0.1.6, 00:00:55, Ethernet0/0
O IA 10.255.1.11/32 [110/301] via 10.0.1.10, 00:00:55, Ethernet0/2
O IA 10.255.1.12/32 [110/401] via 10.0.1.10, 00:00:55, Ethernet0/2
O IA 10.255.1.13/32 [110/501] via 10.0.1.10, 00:00:55, Ethernet0/2
O IA 10.255.1.14/32 [110/301] via 10.0.1.6, 00:00:55, Ethernet0/0
O IA 10.255.1.16/32 [110/501] via 10.0.1.6, 00:00:55, Ethernet0/0
O IA 10.255.255.15/32 [110/401] via 10.0.1.6, 00:00:55, Ethernet0/0
172.31.0.0/24 is subnetted, 3 subnets
O E1 172.31.1.0 [110/521] via 10.0.1.10, 00:00:55, Ethernet0/2
O E1 172.31.2.0 [110/521] via 10.0.1.10, 00:00:55, Ethernet0/2
O E1 172.31.3.0 [110/521] via 10.0.1.10, 00:00:55, Ethernet0/2
O E1 192.168.1.0/24 [110/521] via 10.0.1.6, 00:00:55, Ethernet0/0
O E1 192.168.2.0/24 [110/521] via 10.0.1.6, 00:00:55, Ethernet0/0
O E1 192.168.3.0/24 [110/521] via 10.0.1.6, 00:00:55, Ethernet0/0
R1-A1#
P4 ETH0/3 WAS DOWN - NO AREA 5.5.5.5 NETWORKS

However, only the networks 10.[12345].x.x and 172.31.X.X matter. Prefix suppression suppresses the networks on links where there is an OSPF adjacency. Stub networks will remain in the RIB and FIB.

! No more network 10.0.x.x
P5#show ip route ospf | begin Gateway
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 52 subnets, 2 masks
O IA 10.1.1.1/32 [110/201] via 10.0.0.13, 00:39:32, Ethernet1/1
[110/201] via 10.0.0.9, 00:39:20, Ethernet1/0
O IA 10.1.2.1/32 [110/201] via 10.0.0.13, 00:39:32, Ethernet1/1
[110/201] via 10.0.0.9, 00:39:20, Ethernet1/0
O IA 10.1.3.1/32 [110/201] via 10.0.0.13, 00:39:32, Ethernet1/1
[110/201] via 10.0.0.9, 00:39:20, Ethernet1/0
O IA 10.1.4.1/32 [110/201] via 10.0.0.13, 00:39:32, Ethernet1/1
[110/201] via 10.0.0.9, 00:39:30, Ethernet1/0
O IA 10.1.5.1/32 [110/201] via 10.0.0.13, 00:39:32, Ethernet1/1
[110/201] via 10.0.0.9, 00:39:30, Ethernet1/0
O IA 10.1.6.1/32 [110/201] via 10.0.0.13, 00:39:32, Ethernet1/1
[110/201] via 10.0.0.9, 00:39:30, Ethernet1/0
O IA 10.2.1.1/32 [110/201] via 10.0.0.21, 00:36:04, Ethernet1/2
O IA 10.2.2.1/32 [110/201] via 10.0.0.21, 00:36:04, Ethernet1/2
O IA 10.2.3.1/32 [110/201] via 10.0.0.21, 00:36:04, Ethernet1/2
O IA 10.2.4.1/32 [110/301] via 10.0.0.21, 00:36:04, Ethernet1/2
O IA 10.2.5.1/32 [110/301] via 10.0.0.21, 00:36:04, Ethernet1/2
O IA 10.2.6.1/32 [110/301] via 10.0.0.21, 00:36:04, Ethernet1/2
O IA 10.3.1.1/32 [110/301] via 10.0.0.21, 00:39:33, Ethernet1/2
[110/301] via 10.0.0.13, 00:39:33, Ethernet1/1
O IA 10.3.2.1/32 [110/301] via 10.0.0.21, 00:39:33, Ethernet1/2
[110/301] via 10.0.0.13, 00:39:33, Ethernet1/1
O IA 10.3.3.1/32 [110/301] via 10.0.0.21, 00:39:33, Ethernet1/2
[110/301] via 10.0.0.13, 00:39:33, Ethernet1/1
O IA 10.3.4.1/32 [110/401] via 10.0.0.21, 00:39:33, Ethernet1/2
[110/401] via 10.0.0.13, 00:39:33, Ethernet1/1
O IA 10.3.5.1/32 [110/401] via 10.0.0.21, 00:39:33, Ethernet1/2
[110/401] via 10.0.0.13, 00:39:33, Ethernet1/1
O IA 10.3.6.1/32 [110/401] via 10.0.0.21, 00:39:33, Ethernet1/2
[110/401] via 10.0.0.13, 00:39:33, Ethernet1/1
O IA 10.4.1.1/32 [110/401] via 10.0.0.21, 00:36:04, Ethernet1/2
O IA 10.4.2.1/32 [110/401] via 10.0.0.21, 00:36:04, Ethernet1/2
O IA 10.4.3.1/32 [110/401] via 10.0.0.21, 00:36:04, Ethernet1/2
O IA 10.5.1.1/32 [110/501] via 10.0.0.21, 00:00:50, Ethernet1/2
[110/501] via 10.0.0.13, 00:00:50, Ethernet1/1
O IA 10.5.2.1/32 [110/501] via 10.0.0.21, 00:00:50, Ethernet1/2
[110/501] via 10.0.0.13, 00:00:50, Ethernet1/1
O IA 10.5.3.1/32 [110/501] via 10.0.0.21, 00:00:50, Ethernet1/2
[110/501] via 10.0.0.13, 00:00:50, Ethernet1/1
O IA 10.255.1.1/32 [110/201] via 10.0.0.13, 00:39:32, Ethernet1/1
[110/201] via 10.0.0.9, 00:39:20, Ethernet1/0
O IA 10.255.1.2/32 [110/201] via 10.0.0.13, 00:39:32, Ethernet1/1
[110/201] via 10.0.0.9, 00:39:30, Ethernet1/0
O 10.255.1.3/32 [110/101] via 10.0.0.9, 00:39:33, Ethernet1/0
O 10.255.1.4/32 [110/101] via 10.0.0.13, 00:39:33, Ethernet1/1
O 10.255.1.5/32 [110/101] via 10.0.0.21, 00:39:33, Ethernet1/2
O 10.255.1.6/32 [110/201] via 10.0.0.21, 00:39:33, Ethernet1/2
[110/201] via 10.0.0.13, 00:39:33, Ethernet1/1
O IA 10.255.1.8/32 [110/201] via 10.0.0.21, 00:36:04, Ethernet1/2
O IA 10.255.1.9/32 [110/301] via 10.0.0.21, 00:36:04, Ethernet1/2
O IA 10.255.1.10/32 [110/401] via 10.0.0.21, 00:12:57, Ethernet1/2
O IA 10.255.1.11/32 [110/301] via 10.0.0.21, 00:39:33, Ethernet1/2
[110/301] via 10.0.0.13, 00:39:33, Ethernet1/1
O IA 10.255.1.12/32 [110/401] via 10.0.0.21, 00:39:33, Ethernet1/2
[110/401] via 10.0.0.13, 00:39:33, Ethernet1/1
O IA 10.255.1.13/32 [110/501] via 10.0.0.21, 00:10:52, Ethernet1/2
[110/501] via 10.0.0.13, 00:10:52, Ethernet1/1
O IA 10.255.1.14/32 [110/201] via 10.0.0.21, 00:36:04, Ethernet1/2
O IA 10.255.1.16/32 [110/401] via 10.0.0.21, 00:36:04, Ethernet1/2
O IA 10.255.1.17/32 [110/301] via 10.0.0.21, 00:00:50, Ethernet1/2
[110/301] via 10.0.0.13, 00:00:50, Ethernet1/1
O IA 10.255.1.18/32 [110/401] via 10.0.0.21, 00:00:50, Ethernet1/2
[110/401] via 10.0.0.13, 00:00:50, Ethernet1/1
O IA 10.255.1.20/32 [110/501] via 10.0.0.21, 00:00:50, Ethernet1/2
[110/501] via 10.0.0.13, 00:00:50, Ethernet1/1
O IA 10.255.1.21/32 [110/501] via 10.0.0.21, 00:00:50, Ethernet1/2
[110/501] via 10.0.0.13, 00:00:50, Ethernet1/1
O IA 10.255.255.15/32 [110/301] via 10.0.0.21, 00:36:04, Ethernet1/2
172.31.0.0/24 is subnetted, 3 subnets
O E1 172.31.1.0 [110/521] via 10.0.0.21, 00:10:51, Ethernet1/2
[110/521] via 10.0.0.13, 00:10:51, Ethernet1/1
O E1 172.31.2.0 [110/521] via 10.0.0.21, 00:10:51, Ethernet1/2
[110/521] via 10.0.0.13, 00:10:51, Ethernet1/1
O E1 172.31.3.0 [110/521] via 10.0.0.21, 00:10:51, Ethernet1/2
[110/521] via 10.0.0.13, 00:10:51, Ethernet1/1
O E1 192.168.1.0/24 [110/421] via 10.0.0.21, 00:12:56, Ethernet1/2
O E1 192.168.2.0/24 [110/421] via 10.0.0.21, 00:12:56, Ethernet1/2
O E1 192.168.3.0/24 [110/421] via 10.0.0.21, 00:12:56, Ethernet1/2
P5#

STUB ROUTER

A stub router is not a stub area. The stub router feature prevents a router from being used as transit. Suppose there is maintenance planned on the router: before starting the maintenance, we want to be sure the router is not in the users' traffic flow. Another example is waiting for BGP convergence before the router is used in the traffic flow.

As we can see below, to reach network 192.168.1.1 R1-A1 uses 10.0.1.6 as next-hop.

P1(config-router)#do sh run | sec router ospf 1
router ospf 1
router-id 10.255.1.3
max-metric router-lsa
There's no packet loss

Loop-Free Alternate, LFA, Fast Reroute, FRR

EIGRP uses the concept of successor and feasible successor routers. Once the successor goes down, the feasible successor is immediately offered to the RIB, without the need for an algorithm recalculation. OSPF can use LFA, described in RFC5286, to do the same.

Of course, a few criteria must be true for FRR to be useful. Please check the link below.

!R1-A2 will use R1-A1 as downstream to reach 192.168.3.0/32
R1-A2(config)#interface range eth0/0, eth0/2
R1-A2(config-if-range)#shutdown
R2-A1#show ip cef 192.168.3.1
192.168.3.0/24
nexthop 10.0.1.1 Ethernet0/1

R2-A1#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
10.255.1.1 0 FULL/ - 00:00:35 10.0.1.1 Ethernet0/1
R2-A1#
R2-A1#traceroute 192.168.3.1 source lo0 numeric
Tracing the route to 192.168.3.1
VRF info: (vrf in name/id, vrf out name/id)
1 10.0.1.1 0 msec 0 msec 1 msec
2 10.0.1.10 0 msec 1 msec 0 msec
3 10.0.0.14 1 msec 1 msec 1 msec
4 10.0.0.21 1 msec 1 msec 1 msec
5 10.0.2.2 1 msec 1 msec 1 msec
6 10.0.2.6 2 msec 1 msec 1 msec
7 10.0.2.10 2 msec * 1 msec
R2-A1#

Let's check how much time R1-A1 needs to reconverge from the P1 path to the P2 path.

!Shutting P2
IP routing:
IP routing debugging is on for access list 100
IP CEF:
IP CEF events debugging is on
OSPF:
OSPF adjacency debugging is on
R1-A1#show ip access-list 100
Extended IP access list 100
10 permit ip any 192.168.3.0 0.0.0.255
11 permit ip 192.168.3.0 0.0.0.255 any (3 matches)
*Aug 12 15:37:41.361: %BFDFSM-6-BFD_SESS_DOWN: BFD-SYSLOG: BFD session ld:17 handle:3,is going Down Reason: ECHO FAILURE
*Aug 12 15:37:41.361: OSPF-1 ADJ Et0/2: De-register neighbor 10.0.1.10 with BFD, session 3
*Aug 12 15:37:41.361: %BFD-6-BFD_SESS_DESTROYED: BFD-SYSLOG: bfd_session_destroyed, ld:17 neigh proc:OSPF, handle:3 act
*Aug 12 15:37:41.361: OSPF-1 ADJ Et0/2: De-registration with BFD SUCCEEDED, retcode 0
*Aug 12 15:37:41.361: OSPF-1 ADJ Et0/2: 10.255.1.4 address 10.0.1.10 is dead
*Aug 12 15:37:41.361: OSPF-1 ADJ Et0/2: 10.255.1.4 address 10.0.1.10 is dead, state DOWN
R1-A1#
*Aug 12 15:37:41.361: %OSPF-5-ADJCHG: Process 1, Nbr 10.255.1.4 on Ethernet0/2 from FULL to DOWN, Neighbor Down: BFD node down
R1-A1#
*Aug 12 15:37:46.869: RT: updating ospf 192.168.3.0/24 (0x0) :
via 10.0.1.6 Et0/0 0 1048578
*Aug 12 15:37:46.869: RT: closer admin distance for 192.168.3.0, flushing 1 routes
*Aug 12 15:37:46.869: RT: add 192.168.3.0/24 via 10.0.1.6, ospf metric [110/65956]
#BFD helps with the instability, but the SPF calculation still dropped 3 ICMP packets
!!!!!!!!!!!!!!!!!!!!
Success rate is 99 percent (21997/22000), round-trip min/avg/max = 1/1/22 ms
R2-A1#
!R1-A1 had to change its image from IOU to CSR1000v
router ospf 1
fast-reroute per-prefix enable prefix-priority low --> resolve non /32 prefix first
Backup route via 10.0.1.6
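The basic loop-free criterion of RFC 5286, the first of the criteria mentioned above, as an added example that is not from the original article: a neighbor N of router S is a loop-free alternate for destination D when D(N,D) < D(N,S) + D(S,D). The topology, node names and costs are constructed for the illustration and are not the lab's; a link cost of 100 matches a 10Mbps interface with `auto-cost reference-bandwidth 1000`.

```python
import heapq

# Constructed topology: S is the computing router, D the destination,
# N1-N3 are S's neighbors. Link costs are symmetric.
TOPOLOGY = {
    "S":  {"N1": 100, "N2": 100, "N3": 100},
    "N1": {"S": 100, "D": 100, "N3": 500},
    "N2": {"S": 100, "D": 200},
    "N3": {"S": 100, "N1": 500},
    "D":  {"N1": 100, "N2": 200},
}


def spf(graph, root):
    """Dijkstra: shortest-path cost from root to every reachable node."""
    dist = {root: 0}
    heap = [(0, root)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > dist[node]:
            continue                      # stale heap entry
        for nbr, link in graph[node].items():
            new = cost + link
            if new < dist.get(nbr, float("inf")):
                dist[nbr] = new
                heapq.heappush(heap, (new, nbr))
    return dist


def classify_neighbors(graph, s, d):
    """Label each neighbor of s as primary next hop, LFA, or unusable for d."""
    dist_s = spf(graph, s)
    verdicts = {}
    for n, link in graph[s].items():
        dist_n = spf(graph, n)
        if link + dist_n[d] == dist_s[d]:
            verdicts[n] = "primary"
        # Basic loop-free condition: N's own shortest path to D must be
        # shorter than going back through S, or traffic would loop.
        elif dist_n[d] < dist_n[s] + dist_s[d]:
            verdicts[n] = "lfa"
        else:
            verdicts[n] = "would-loop"
    return verdicts


if __name__ == "__main__":
    for nbr, verdict in classify_neighbors(TOPOLOGY, "S", "D").items():
        print(nbr, verdict)
```

N3 has a second physical path toward D, yet its shortest path still runs back through S, so it cannot be installed as a backup next hop.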

VIRTUAL LINKS

Virtual links are the solution in scenarios where a regular area can't connect directly to the backbone area. An area may be unable to connect to area 0 because of an outage or the lack of an available physical path.

Virtual links should be used only as a temporary solution.

R2-A1#show ip ospf interface brief | include Lo27
Lo27 1 27.27.27.27 27.27.27.27/32 1 LOOP 0/0
R2-A1#show run int lo27
interface Loopback27
ip address 27.27.27.27 255.255.255.255
ip ospf 1 area 27.27.27.27
end
interface Ethernet0/0
no prefix suppression
interface Ethernet0/0
no prefix suppression
!P2
interface Ethernet0/0
no prefix suppression
!P1
interface Ethernet0/2
no prefix suppression
router ospf 1
area 1.1.1.1 virtual-link 10.255.1.2
R2-A1#show ip ospf interface brief
Interface PID Area IP Address/Mask Cost State Nbrs F/C
VL1 1 0 10.0.1.17/30 10 P2P 1/1
VL0 1 0 0.0.0.0/0 65535 DOWN 0/0

OSPF routers reflood their LSAs every 30 minutes (the "paranoid flood") for synchronization purposes. However, the networks behind a virtual link have the DoNotAge bit set, so they do not need this periodic flood.

OSPF NAME LOOKUP

It can be useful to let OSPF resolve router IDs into host names.

P5(config)#ip ospf name-lookup
P5(config)#ip host P3 10.255.1.5
P5(config)#ip host P4 10.255.1.6
P5(config)#ip host P2 10.255.1.4
P5(config)#ip host P1 10.255.1.3

SUMMARIZATION AND FILTERING

OSPF routers exchange LSA data structures, and these must be equal on all routers in the same area. This means filtering and summarization are allowed only on ABRs and ASBRs.

A distribute list can cause unpredictable behavior as well as black holes. It only filters data in the local RIB.

SUMMARIZATION

Task — Summarize network 10.4.0.0/25 from area 4.4.4.4 (router P3).

!P3
router ospf 1
area 4.4.4.4 range 10.4.0.0 255.255.128.0

Task — Summarize external network redistributed from R3-A3.

R3-A3(config-router)#summary-address 172.31.0.0 255.255.0.0

FILTER LIST

Task: prevent the external networks redistributed by R3-A2 from being propagated into other areas.

I've tried not to be so short that it is too simple. Also, not more extensive than my CCIE goals.

ABOUT ME

https://www.linkedin.com/in/rafaesil
