OSPF – Path Selection with Non-Backbone Transit Areas

Pretty much done with EIGRP labs for now and started with OSPF instead, where I found a really interesting lab about using non-backbone areas as transit. The traffic really didn’t behave the way I “thought” it should based on what I’ve read earlier. The lab looked like this:

Requirements

  • Disable the link between R3 & R7 and make sure traffic in area 2 still can reach the rest of the network
  • Modify SPF calculations so that R4 can’t be used for transit traffic in area 1 to area 0, don’t use cost
  • Traffic from R9 should route via R1 to reach R8

By disabling the link between R3 – R7, traffic in area 2 will be separated from the rest of the network, as traffic isn’t allowed to pass via another non-backbone area. We can verify this on R7, as it shouldn’t consider R6 an ABR.

R7#sh ip ospf border-routers

OSPF Router with ID (150.1.7.7) (Process ID 1)

Base Topology (MTID 0)

Internal Router Routing Table
Codes: i - Intra-area route, I - Inter-area route

Checking the OSPF database we still see R3’s LSAs until they age out, but no summary-routes (LSA Type 3) are advertised from R6.

R7#sh ip ospf database

OSPF Router with ID (150.1.7.7) (Process ID 1)

Router Link States (Area 2)

Link ID ADV Router Age Seq# Checksum Link count
150.1.3.3 150.1.3.3 262 0x80000002 0x002840 1
150.1.6.6 150.1.6.6 182 0x80000003 0x0073AA 1
150.1.7.7 150.1.7.7 181 0x80000005 0x00DD03 5
150.1.9.9 150.1.9.9 254 0x80000002 0x008AF8 3

Net Link States (Area 2)

Link ID ADV Router Age Seq# Checksum
155.1.67.6 150.1.6.6 182 0x80000001 0x00C5A1
155.1.79.9 150.1.9.9 255 0x80000001 0x003517

Summary Net Link States (Area 2)

Link ID ADV Router Age Seq# Checksum
150.1.1.1 150.1.3.3 269 0x80000001 0x00B973
150.1.2.2 150.1.3.3 269 0x80000001 0x00A486
150.1.3.3 150.1.3.3 319 0x80000001 0x0028D8
150.1.4.4 150.1.3.3 269 0x80000001 0x0051C0
150.1.5.5 150.1.3.3 279 0x80000001 0x0032DE
150.1.6.6 150.1.3.3 253 0x80000002 0x002FDC
150.1.8.8 150.1.3.3 248 0x80000001 0x00FC0D
150.1.10.10 150.1.3.3 244 0x80000001 0x00DC28
155.1.0.1 150.1.3.3 269 0x80000001 0x0079B0
155.1.0.2 150.1.3.3 269 0x80000001 0x006FB9
155.1.0.3 150.1.3.3 309 0x80000001 0x00FD02
155.1.0.4 150.1.3.3 269 0x80000001 0x0032DF
155.1.0.5 150.1.3.3 279 0x80000001 0x001EF3
155.1.5.0 150.1.3.3 279 0x80000001 0x0023ED
155.1.8.0 150.1.3.3 248 0x80000001 0x000C01
155.1.10.0 150.1.3.3 244 0x80000001 0x00FF0A
155.1.13.0 150.1.3.3 319 0x80000001 0x00965E
155.1.23.0 150.1.3.3 319 0x80000001 0x0028C2
155.1.45.0 150.1.3.3 279 0x80000001 0x00697F
155.1.58.0 150.1.3.3 279 0x80000001 0x00D902
155.1.108.0 150.1.3.3 248 0x80000001 0x00BBEC
155.1.146.0 150.1.3.3 269 0x80000001 0x00186A

We solve this by setting up a virtual link between R6 & R1; remember we’re not supposed to send area 2’s traffic to R4.

! R6

router ospf 1
 area 1 virtual-link 150.1.1.1

! R1

router ospf 1
 area 1 virtual-link 150.1.6.6

R6 will now have a virtual connection to area 0 and can now act as an ABR to area 2.

R6#sh ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
150.1.1.1 0 FULL/ - - 155.1.146.1 OSPF_VL0
150.1.1.1 1 FULL/DROTHER 00:00:35 155.1.146.1 GigabitEthernet1.146
150.1.4.4 1 FULL/BDR 00:00:37 155.1.146.4 GigabitEthernet1.146
150.1.7.7 1 FULL/BDR 00:00:31 155.1.67.7 GigabitEthernet1.67

R6#sh ip ospf interface 
OSPF_VL0 is up, line protocol is up 
Internet Address 155.1.146.6/24, Area 0, Attached via Not Attached
Process ID 1, Router ID 150.1.6.6, Network Type VIRTUAL_LINK, Cost: 1
Topology-MTID Cost Disabled Shutdown Topology Name
0 1 no no Base
Configured as demand circuit
Run as demand circuit
DoNotAge LSA allowed
Transmit Delay is 1 sec, State POINT_TO_POINT
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:08
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Can not be protected by per-prefix Loop-Free FastReroute
Can not be used for per-prefix Loop-Free FastReroute repair paths
Index 1/1/4, flood queue length 0
Next 0x0(0)/0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1 
Adjacent with neighbor 150.1.1.1 (Hello suppressed)
Suppress hello for 1 neighbor(s)

R6#sh ip ospf database self-originate

OSPF Router with ID (150.1.6.6) (Process ID 1)

Router Link States (Area 0)

Link ID ADV Router Age Seq# Checksum Link count
150.1.6.6 150.1.6.6 739 0x80000003 0x00F126 1

Summary Net Link States (Area 0)

Link ID ADV Router Age Seq# Checksum
150.1.6.6 150.1.6.6 739 0x80000002 0x00BF34
150.1.7.7 150.1.6.6 739 0x80000002 0x00B43C
150.1.9.9 150.1.6.6 739 0x80000002 0x009457
155.1.7.0 150.1.6.6 739 0x80000002 0x00B939
155.1.9.0 150.1.6.6 739 0x80000002 0x00AD42
155.1.37.0 150.1.6.6 739 0x80000002 0x006E66
155.1.67.0 150.1.6.6 739 0x80000002 0x00199E
155.1.79.0 150.1.6.6 739 0x80000002 0x009E0C
155.1.146.0 150.1.6.6 739 0x80000002 0x00B0B7

R7 now sees R6 as an ABR, which in turn will send summary-LSAs for the rest of the network.

R7#sh ip ospf border-routers

OSPF Router with ID (150.1.7.7) (Process ID 1)

Base Topology (MTID 0)

Internal Router Routing Table
Codes: i - Intra-area route, I - Inter-area route

i 150.1.6.6 [1] via 155.1.67.6, GigabitEthernet1.67, ABR, Area 2, SPF 6

R7#sh ip ospf database | beg Summary
Summary Net Link States (Area 2)

Link ID ADV Router Age Seq# Checksum
150.1.1.1 150.1.3.3 814 0x80000001 0x00B973
150.1.1.1 150.1.6.6 311 0x80000001 0x0035C8
150.1.2.2 150.1.3.3 814 0x80000001 0x00A486
150.1.2.2 150.1.6.6 306 0x80000002 0x005CB1
150.1.3.3 150.1.3.3 864 0x80000001 0x0028D8
150.1.3.3 150.1.6.6 306 0x80000002 0x0047C4
150.1.4.4 150.1.3.3 814 0x80000001 0x0051C0
150.1.4.4 150.1.6.6 306 0x80000002 0x00F303
150.1.5.5 150.1.3.3 824 0x80000001 0x0032D
....

R7#sh ip route 150.1.8.8
Routing entry for 150.1.8.8/32
Known via "ospf 1", distance 110, metric 5, type inter area
Last update from 155.1.67.6 on GigabitEthernet1.67, 00:06:17 ago
Routing Descriptor Blocks:
* 155.1.67.6, from 150.1.6.6, 00:06:17 ago, via GigabitEthernet1.67
Route metric is 5, traffic share count is 1

Even if we enable R3’s link to R7 now, the traffic will still prefer the route via R6 as it has a lower metric to R8, regardless of the fact that a virtual-link is needed to traverse that area.

R7#sh ip ospf database summary 150.1.8.8

OSPF Router with ID (150.1.7.7) (Process ID 1)

Summary Net Link States (Area 2)

LS age: 976
Options: (No TOS-capability, DC, Upward)
LS Type: Summary Links(Network)
Link State ID: 150.1.8.8 (summary Network Number)
Advertising Router: 150.1.3.3
LS Seq Number: 80000001
Checksum: 0xFC0D
Length: 28
Network Mask: /32
MTID: 0 Metric: 1002

LS age: 493
Options: (No TOS-capability, DC, Upward)
LS Type: Summary Links(Network)
Link State ID: 150.1.8.8 (summary Network Number)
Advertising Router: 150.1.6.6
LS Seq Number: 80000001
Checksum: 0xB538
Length: 28
Network Mask: /32
MTID: 0 Metric: 4

By checking the metric you may already have realized how the traffic is currently flowing to R8, which was a surprise to me. By setting up a virtual-link between R6 & R1 I thought that the transit traffic from area 2 would also route that way. But no, not at all!

R7#traceroute 150.1.8.8 numeric 
Type escape sequence to abort.
Tracing the route to 150.1.8.8
VRF info: (vrf in name/id, vrf out name/id)
1 155.1.67.6 7 msec 3 msec 4 msec
2 155.1.146.4 5 msec 5 msec 5 msec
3 155.1.45.5 6 msec 6 msec 6 msec
4 155.1.58.8 6 msec * 6 msec

How come? Let’s dive into R6’s database.

R6#sh ip ospf database summary 150.1.8.8

OSPF Router with ID (150.1.6.6) (Process ID 1)

Summary Net Link States (Area 0)

LS age: 484 (DoNotAge)
Options: (No TOS-capability, DC, Upward)
LS Type: Summary Links(Network)
Link State ID: 150.1.8.8 (summary Network Number)
Advertising Router: 150.1.5.5
LS Seq Number: 80000001
Checksum: 0xAE43
Length: 28
Network Mask: /32
MTID: 0 Metric: 2

So R5 is the ABR originating the summary-LSA with a metric of 2, so what is R6’s preferred path to R5?

R6# sh ip ospf database router 150.1.5.5

OSPF Router with ID (150.1.6.6) (Process ID 1)

Router Link States (Area 0)

LS age: 501 (DoNotAge)
Options: (No TOS-capability, DC)
LS Type: Router Links
Link State ID: 150.1.5.5
Advertising Router: 150.1.5.5
LS Seq Number: 80000004
Checksum: 0x56B2
Length: 108
Area Border Router
Number of Links: 7

Link connected to: a Stub Network
(Link ID) Network/subnet number: 150.1.5.5
(Link Data) Network Mask: 255.255.255.255
Number of MTID metrics: 0
TOS 0 Metrics: 1

Link connected to: a Transit Network
(Link ID) Designated Router address: 155.1.45.5
(Link Data) Router Interface address: 155.1.45.5
Number of MTID metrics: 0
TOS 0 Metrics: 1

 Link connected to: another Router (point-to-point)
(Link ID) Neighboring Router ID: 150.1.4.4
(Link Data) Router Interface address: 155.1.0.5
Number of MTID metrics: 0
TOS 0 Metrics: 1000

Traffic is going directly from R6 to R4 even though that isn’t R6’s virtual-link to area 0! This functionality is further explained in RFC 2328 section 16.3, “Examining transit areas’ summary-LSAs”.

16.3.  Examining transit areas' summary-LSAs

        This step is only performed by area border routers attached to
        one or more non-backbone areas that are capable of carrying
        transit traffic (i.e., "transit areas", or those areas whose
        TransitCapability parameter has been set to TRUE in Step 2 of
        the Dijkstra algorithm (see Section 16.1).

        The purpose of the calculation below is to examine the transit
        areas to see whether they provide any better (shorter) paths
        than the paths previously calculated in Sections 16.1 and 16.2.
        Any paths found that are better than or equal to previously
        discovered paths are installed in the routing table.

Apparently the parameter TransitCapability is on by default in all Cisco routers, which results in R6 preferring the route via R4 as it has a lower metric, even though the route passes through a non-backbone area. This functionality can be disabled, however, and that is also how we solve the lab’s requirement that traffic has to pass via R1.

! R6

router ospf 1
 no capability transit

R6’s metric to R8 is updated to reflect the new path via R1:

R6#sh ip route 150.1.8.8
Routing entry for 150.1.8.8/32
Known via "ospf 1", distance 110, metric 1003, type inter area
Last update from 155.1.146.1 on GigabitEthernet1.146, 00:00:25 ago
Routing Descriptor Blocks:
* 155.1.146.1, from 150.1.5.5, 00:00:25 ago, via GigabitEthernet1.146
Route metric is 1003, traffic share count is 1

R6#traceroute 150.1.8.8
Type escape sequence to abort.
Tracing the route to 150.1.8.8
VRF info: (vrf in name/id, vrf out name/id)
1 155.1.146.1 5 msec 4 msec 4 msec
2 155.1.146.4 5 msec 5 msec 5 msec
3 155.1.45.5 7 msec 6 msec 7 msec
4 155.1.58.8 7 msec * 7 msec

Very interesting! Even though its uses may be very specific and not common in the “real world”, it feels like it certainly can be something that they throw at you at the CCIE exam.
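The section 16.3 pass quoted above, as an added Python example (not from the original post and not IOS code) run on R6's view of 150.1.8.8. The backbone cost 1003, the result 4 and the next-hop addresses come from the outputs on this page; the area 1 summary-LSA metrics and intra-area distances are not shown there and are assumed values chosen to reproduce those numbers, and all function and class names are hypothetical.

```python
from dataclasses import dataclass, replace

LS_INFINITY = 0xFFFFFF  # RFC 2328: a summary-LSA with this metric is unreachable


@dataclass(frozen=True)
class Route:
    cost: int
    next_hops: tuple  # first-hop addresses
    area: str = "0"   # area the route was calculated through


@dataclass(frozen=True)
class SummaryLSA:
    prefix: str
    adv_router: str   # ABR that flooded the LSA into the transit area
    metric: int


def examine_transit_summaries(table, lsas, abr_paths, self_rid,
                              capability_transit=True):
    """Apply the section 16.3 pass to a table built from the backbone.

    table:     {prefix: Route} after sections 16.1 and 16.2
    lsas:      summary-LSAs held in the transit area's database
    abr_paths: {abr_rid: (intra-area cost, next hop)} inside the transit area
    """
    result = dict(table)
    if not capability_transit:        # "no capability transit": skip the pass
        return result
    for lsa in lsas:
        if lsa.metric >= LS_INFINITY or lsa.adv_router == self_rid:
            continue
        entry = result.get(lsa.prefix)
        if entry is None or entry.area != "0":
            continue                  # only existing backbone routes are improved
        if lsa.adv_router not in abr_paths:
            continue                  # ABR unreachable inside the transit area
        dist, hop = abr_paths[lsa.adv_router]
        iac = dist + lsa.metric       # cost of the path through the transit area
        if iac < entry.cost:
            result[lsa.prefix] = replace(entry, cost=iac, next_hops=(hop,))
        elif iac == entry.cost and hop not in entry.next_hops:
            result[lsa.prefix] = replace(entry, next_hops=entry.next_hops + (hop,))
    return result


R8 = "150.1.8.8/32"
R6_RID = "150.1.6.6"
# From the page: without the 16.3 pass R6 reaches R8 at cost 1003 via R1.
BACKBONE_TABLE = {R8: Route(cost=1003, next_hops=("155.1.146.1",))}
# Assumed (not shown on the page): area 1 summary-LSAs from R1 and R4, and
# R6's intra-area distance to each of them over the 155.1.146.0/24 segment.
AREA1_SUMMARIES = [
    SummaryLSA(R8, "150.1.1.1", 1002),
    SummaryLSA(R8, "150.1.4.4", 3),
]
AREA1_ABR_PATHS = {
    "150.1.1.1": (1, "155.1.146.1"),
    "150.1.4.4": (1, "155.1.146.4"),
}


def r6_route_to_r8(capability_transit):
    """R6's route to R8 with the transit-area pass enabled or disabled."""
    table = examine_transit_summaries(
        BACKBONE_TABLE, AREA1_SUMMARIES, AREA1_ABR_PATHS, R6_RID,
        capability_transit,
    )
    return table[R8]


if __name__ == "__main__":
    for flag in (True, False):
        label = "capability transit" if flag else "no capability transit"
        print(label, r6_route_to_r8(flag))
```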

 

OSPF – NSSA LSA Type7-5 Translator Election

Continuing to grind through OSPF labs from GNS3 Vault. 🙂

[Image: ospfnssa7to5telect]

GOAL:

  • All IP addresses have been preconfigured for you.
  • Configure OSPF Area 0.
  • Configure OSPF Area 1 as NSSA.
  • Redistribute the loopback0 interface on router Sam into OSPF Area 1.
  • Ensure router Tron is the router performing the translation from LSA Type 7 to Type 5 into area 0

Config:

Skipping all the base config since it is very basic. I used redistribute connected to get the 4.4.4.4/24 network into OSPF.

If we check the OSPF database we can see that right now it is Quorra performing the Type 7->5 translations.

Kevin#sh ip ospf database external
OSPF Router with ID (192.168.13.1) (Process ID 1)
Type-5 AS External Link States
Routing Bit Set on this LSA
 LS age: 53
 Options: (No TOS-capability, DC)
 LS Type: AS External Link
 Link State ID: 4.4.4.0 (External Network Number )
 Advertising Router: 192.168.34.3
 LS Seq Number: 80000001
 Checksum: 0x6E08
 Length: 36
 Network Mask: /24
 Metric Type: 2 (Larger than any link state path)
 TOS: 0
 Metric: 20
 Forward Address: 192.168.34.4
 External Route Tag: 0

So how come? If we check the OSPF database on both Quorra & Tron we see the following:

Quorra

Quorra#sh ip ospf database nssa-external
OSPF Router with ID (192.168.34.3) (Process ID 1)
Type-7 AS External Link States (Area 1)
Routing Bit Set on this LSA
 LS age: 1079
 Options: (No TOS-capability, Type 7/5 translation, DC)
 LS Type: AS External Link
 Link State ID: 4.4.4.0 (External Network Number )
 Advertising Router: 4.4.4.4
 LS Seq Number: 80000001
 Checksum: 0x6E7C
 Length: 36
 Network Mask: /24
 Metric Type: 2 (Larger than any link state path)
 TOS: 0
 Metric: 20
 Forward Address: 192.168.34.4
 External Route Tag: 0

Tron

Tron#sh ip ospf database nssa-external
OSPF Router with ID (192.168.24.2) (Process ID 1)
Type-7 AS External Link States (Area 1)
LS age: 1120
 Options: (No TOS-capability, Type 7/5 translation, DC)
 LS Type: AS External Link
 Link State ID: 4.4.4.0 (External Network Number )
 Advertising Router: 4.4.4.4
 LS Seq Number: 80000001
 Checksum: 0x6E7C
 Length: 36
 Network Mask: /24
 Metric Type: 2 (Larger than any link state path)
 TOS: 0
 Metric: 20
 Forward Address: 192.168.34.4
 External Route Tag: 0

So both routers receive the 4.4.4.0/24 network with the information that they should perform Type 7 -> 5 translation. If we instead check the Type-5 database we see that only Quorra is advertising it.

Quorra

Quorra#sh ip ospf database external
OSPF Router with ID (192.168.34.3) (Process ID 1)
Type-5 AS External Link States
LS age: 1252
 Options: (No TOS-capability, DC)
 LS Type: AS External Link
 Link State ID: 4.4.4.0 (External Network Number )
 Advertising Router: 192.168.34.3
 LS Seq Number: 80000001
 Checksum: 0x6E08
 Length: 36
 Network Mask: /24
 Metric Type: 2 (Larger than any link state path)
 TOS: 0
 Metric: 20
 Forward Address: 192.168.34.4
 External Route Tag: 0

Tron

Tron#sh ip ospf database external
OSPF Router with ID (192.168.24.2) (Process ID 1)
Type-5 AS External Link States
Routing Bit Set on this LSA
 LS age: 1316
 Options: (No TOS-capability, DC)
 LS Type: AS External Link
 Link State ID: 4.4.4.0 (External Network Number )
 Advertising Router: 192.168.34.3
 LS Seq Number: 80000001
 Checksum: 0x6E08
 Length: 36
 Network Mask: /24
 Metric Type: 2 (Larger than any link state path)
 TOS: 0
 Metric: 20
 Forward Address: 192.168.34.4
 External Route Tag: 0

Why? A little research showed that Cisco’s IOS has no support for defining the translator directly in the OSPF process and instead uses the highest Router-ID. When Tron received the Type-5 LSA advertisement from Quorra, which has a higher RID, it “flushed” its own Type-5 LSA and started using Quorra’s instead.

If we want to change the translator we therefore have to change the Router-ID.

Tron(config)#int lo0
Tron(config-if)#ip add 10.10.10.10 255.255.255.255
Tron(config-if)#router ospf 1
Tron(config-router)#router-id 10.10.10.10
Reload or use "clear ip ospf process" command, for this to take effect
Tron(config-router)#do clear ip ospf process
Reset ALL OSPF processes? [no]: yes

Quorra(config)#int lo0
Quorra(config-if)#ip add 9.9.9.9 255.255.255.255
Quorra(config-if)#router ospf 1
Quorra(config-router)#router-id 9.9.9.9
Reload or use "clear ip ospf process" command, for this to take effect
Quorra(config-router)#do clear ip ospf process
Reset ALL OSPF processes? [no]: yes

If we look at Kevin again we can now see that Tron has taken over as Type 7-5 translator due to a higher RID. 🙂

Kevin#sh ip ospf database external
OSPF Router with ID (192.168.13.1) (Process ID 1)
Type-5 AS External Link States
Routing Bit Set on this LSA
 LS age: 11
 Options: (No TOS-capability, DC)
 LS Type: AS External Link
 Link State ID: 4.4.4.0 (External Network Number )
 Advertising Router: 10.10.10.10
 LS Seq Number: 80000001
 Checksum: 0x4E8E
 Length: 36
 Network Mask: /24
 Metric Type: 2 (Larger than any link state path)
 TOS: 0
 Metric: 20
 Forward Address: 192.168.34.4
 External Route Tag: 0

Sweet!

OSPF – Forwarding Address Suppression Type-7

Another OSPF lab from GNS3 Vault.

[Image: ospfsuppressforwardaddress]

Goal:

  • All IP addresses have been preconfigured for you.
  • Configure OSPF and use the correct areas. Ensure Area 1 is a NSSA.
  • Configure RIP between router Charlie and Evelyn.
  • Create a loopback0 interface on router Evelyn with IP address 1.1.1.1 /24 and advertise it in RIP.
  • Redistribute between RIP and OSPF.
  • Configure a prefix-list on router Jake which filters network 192.168.13.0 /24.
  • Ensure you can still reach network 1.1.1.0 /24 from all routers without removing the prefix-list. You are only allowed to use OSPF commands.

Config:

Simple base config on all devices; remember to configure nssa on both Alan & Charlie.

Berta

router ospf 1
 network 192.168.24.0 0.0.0.255 area 2

Jake

router ospf 1
 network 192.168.12.0 0.0.0.255 area 0
 network 192.168.24.0 0.0.0.255 area 2

Alan

router ospf 1
 area 1 nssa
 network 192.168.12.0 0.0.0.255 area 0
 network 192.168.13.0 0.0.0.255 area 1

Charlie

router ospf 1
 area 1 nssa
 redistribute rip metric 20 subnets
 network 192.168.13.0 0.0.0.255 area 1

router rip
 version 2
 redistribute ospf 1 metric 3
 network 192.168.35.0

Evelyn

interface Loopback0
 ip address 1.1.1.1 255.255.255.0

router rip
 version 2
 network 1.0.0.0
 network 192.168.35.0

Step 2 was to filter out 192.168.13.0/24 with a prefix-list on Jake.

Jake

ip prefix-list JAKE seq 5 deny 192.168.13.0/24
ip prefix-list JAKE seq 10 permit 0.0.0.0/0 le 32

router ospf 1
 distribute-list prefix JAKE in FastEthernet0/0

The idea now is that we should still be able to reach, for example, 1.1.1.0/24 from Berta.

Berta#sh ip route | beg Gate
Gateway of last resort is not set
O IA 192.168.12.0/24 [110/2] via 192.168.24.2, 00:21:19, FastEthernet0/0
C 192.168.24.0/24 is directly connected, FastEthernet0/0

Nope.. Same problem on Jake:

Jake#sh ip route | beg Gate
 Gateway of last resort is not set
C 192.168.12.0/24 is directly connected, FastEthernet0/0
 C 192.168.24.0/24 is directly connected, FastEthernet1/0

On Evelyn, however, it looks fine.

Evelyn#sh ip route | beg Gate
Gateway of last resort is not set
R 192.168.12.0/24 [120/3] via 192.168.35.3, 00:00:11, Serial0/0
 1.0.0.0/24 is subnetted, 1 subnets
C 1.1.1.0 is directly connected, Loopback0
R 192.168.13.0/24 [120/3] via 192.168.35.3, 00:00:11, Serial0/0
R 192.168.24.0/24 [120/3] via 192.168.35.3, 00:00:11, Serial0/0
C 192.168.35.0/24 is directly connected, Serial0/0

So what is wrong? If we check the OSPF database we can see that Jake still receives info about 1.1.1.0/24 & 192.168.35.0/24 via Type-5 External LSAs, but the “forward address” is 192.168.13.3, and since we have no route there it becomes invalid and is not installed in the FIB.

Type-5 AS External Link States
Link ID ADV Router Age Seq# Checksum Tag
1.0.0.0 192.168.13.1 966 0x80000001 0x00713D 0
192.168.35.0 192.168.13.1 1021 0x80000001 0x004AD8 0
Jake#sh ip ospf database external
OSPF Router with ID (192.168.24.2) (Process ID 1)
Type-5 AS External Link States

LS age: 981
 Options: (No TOS-capability, DC)
 LS Type: AS External Link
 Link State ID: 1.0.0.0 (External Network Number )
 Advertising Router: 192.168.13.1
 LS Seq Number: 80000001
 Checksum: 0x713D
 Length: 36
 Network Mask: /8
 Metric Type: 2 (Larger than any link state path)
 TOS: 0
 Metric: 20
 Forward Address: 192.168.13.3
 External Route Tag: 0

LS age: 1036
 Options: (No TOS-capability, DC)
 LS Type: AS External Link
 Link State ID: 192.168.35.0 (External Network Number )
 Advertising Router: 192.168.13.1
 LS Seq Number: 80000001
 Checksum: 0x4AD8
 Length: 36
 Network Mask: /24
 Metric Type: 2 (Larger than any link state path)
 TOS: 0
 Metric: 20
 Forward Address: 192.168.13.3
 External Route Tag: 0

So how do we solve this? OSPF Forwarding Address Suppression in Translated Type-5 LSA 😀

The OSPF Forwarding Address Suppression in Translated Type-5 LSAs feature causes a not-so-stubby area (NSSA) area border router (ABR) to translate Type-7 link state advertisements (LSAs) to Type-5 LSAs, but use the address 0.0.0.0 for the forwarding address instead of that specified in the Type-7 LSA. This feature causes routers that are configured not to advertise forwarding addresses into the backbone to direct forwarded traffic to the translating NSSA ABRs.

In our topology Charlie is the ASBR and Alan the ABR for our NSSA, so Alan is where we configure this.

Alan

router ospf 1
 area 1 nssa translate type7 suppress-fa

If we check Jake’s database again it now looks considerably better!

Type-5 AS External Link States
Link ID ADV Router Age Seq# Checksum Tag
1.0.0.0 192.168.13.1 53 0x80000002 0x006BBB 0
192.168.35.0 192.168.13.1 53 0x80000002 0x004457 0
Jake#sh ip ospf database external
OSPF Router with ID (192.168.24.2) (Process ID 1)
Type-5 AS External Link States

Routing Bit Set on this LSA
 LS age: 67
 Options: (No TOS-capability, DC)
 LS Type: AS External Link
 Link State ID: 1.0.0.0 (External Network Number )
 Advertising Router: 192.168.13.1
 LS Seq Number: 80000002
 Checksum: 0x6BBB
 Length: 36
 Network Mask: /8
 Metric Type: 2 (Larger than any link state path)
 TOS: 0
 Metric: 20
 Forward Address: 0.0.0.0
 External Route Tag: 0

Routing Bit Set on this LSA
 LS age: 67
 Options: (No TOS-capability, DC)
 LS Type: AS External Link
 Link State ID: 192.168.35.0 (External Network Number )
 Advertising Router: 192.168.13.1
 LS Seq Number: 80000002
 Checksum: 0x4457
 Length: 36
 Network Mask: /24
 Metric Type: 2 (Larger than any link state path)
 TOS: 0
 Metric: 20
 Forward Address: 0.0.0.0
 External Route Tag: 0

And the routing table for Berta:

Berta#sh ip route | beg Gate
Gateway of last resort is not set
O IA 192.168.12.0/24 [110/2] via 192.168.24.2, 00:08:56, FastEthernet0/0
O E2 1.0.0.0/8 [110/20] via 192.168.24.2, 00:08:56, FastEthernet0/0
C 192.168.24.0/24 is directly connected, FastEthernet0/0
O E2 192.168.35.0/24 [110/20] via 192.168.24.2, 00:08:56, FastEthernet0/0
Berta#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/129/204 ms

Sweet! The article I linked to is well worth reading for a somewhat deeper understanding of how this should be used.
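The forwarding-address failure in this lab and the highest-Router-ID translator rule from the previous lab, combined in one added Python example (not from the original posts and not Cisco code): it parses Type-5 LSA detail, reports which router translated each LSA, and applies a simplified form of the RFC 2328 section 16.4 forwarding-address lookup (path type is ignored). The sample text is constructed from field values shown on this page; the function names are hypothetical, and Alan being reachable from Jake as well as Kevin holding a route to 192.168.34.0/24 are assumptions.

```python
import ipaddress
import re

# Field order matches IOS "show ip ospf database external" detail output.
LSA_RE = re.compile(
    r"Link State ID:\s*(?P<lsid>\S+).*?Advertising Router:\s*(?P<adv>\S+).*?"
    r"Network Mask:\s*/(?P<plen>\d+).*?Forward Address:\s*(?P<fa>\S+)",
    re.S,
)


def parse_type5(show_output):
    """Return one dict (lsid, adv, plen, fa) per Type-5 LSA in the output."""
    return [m.groupdict() for m in LSA_RE.finditer(show_output)]


def expected_translator(nssa_abr_rids):
    """Highest Router-ID among the NSSA ABRs, compared as 32-bit numbers.

    A plain string max() would rank "9.9.9.9" above "10.10.10.10".
    """
    return str(max(ipaddress.IPv4Address(rid) for rid in nssa_abr_rids))


def forwarding_usable(lsa, routes, reachable_asbrs):
    """Can this router resolve the LSA's next hop?

    Non-zero forwarding address: it must fall inside a route we hold.
    0.0.0.0: traffic goes to the advertising router, which must be reachable.
    """
    fa = ipaddress.IPv4Address(lsa["fa"])
    if int(fa) == 0:
        return lsa["adv"] in reachable_asbrs
    return any(fa in ipaddress.ip_network(prefix) for prefix in routes)


def audit(show_output, routes, reachable_asbrs, nssa_abr_rids):
    """Per LSA: who translated it, is that the expected ABR, is it installable."""
    want = expected_translator(nssa_abr_rids)
    return [
        {
            "prefix": f"{lsa['lsid']}/{lsa['plen']}",
            "translator": lsa["adv"],
            "translator_ok": lsa["adv"] == want,
            "installable": forwarding_usable(lsa, routes, reachable_asbrs),
        }
        for lsa in parse_type5(show_output)
    ]


def lsa_text(lsid, adv, plen, fa):
    """Constructed sample: the four relevant lines of one LSA, IOS-style."""
    return (
        f" Link State ID: {lsid} (External Network Number )\n"
        f" Advertising Router: {adv}\n"
        f" Network Mask: /{plen}\n"
        f" Forward Address: {fa}\n"
    )


# Jake in the suppress-fa lab. Routes are from Jake's "sh ip route" above.
JAKE_ROUTES = ["192.168.12.0/24", "192.168.24.0/24"]
JAKE_ASBRS = {"192.168.13.1"}          # assumption: Alan is reachable in area 0
ALAN_ONLY = ["192.168.13.1"]           # the only NSSA ABR in that lab
JAKE_BEFORE = (lsa_text("1.0.0.0", "192.168.13.1", 8, "192.168.13.3")
               + lsa_text("192.168.35.0", "192.168.13.1", 24, "192.168.13.3"))
JAKE_AFTER = (lsa_text("1.0.0.0", "192.168.13.1", 8, "0.0.0.0")
              + lsa_text("192.168.35.0", "192.168.13.1", 24, "0.0.0.0"))

# Kevin in the translator lab, after the Router-ID change.
KEVIN_ROUTES = ["192.168.34.0/24"]     # assumption: not shown on the page
KEVIN_ABRS = ["9.9.9.9", "10.10.10.10"]
KEVIN_AFTER = lsa_text("4.4.4.0", "10.10.10.10", 24, "192.168.34.4")

if __name__ == "__main__":
    for label, text in (("Jake before", JAKE_BEFORE), ("Jake after", JAKE_AFTER)):
        for row in audit(text, JAKE_ROUTES, JAKE_ASBRS, ALAN_ONLY):
            print(label, row)
    for row in audit(KEVIN_AFTER, KEVIN_ROUTES, set(), KEVIN_ABRS):
        print("Kevin after", row)
```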

OSPF – Discard Route

I thought I’d amuse myself with some OSPF labs from GNS3 Vault; first up was this one on Summarization Discard Route.

[Image: ospfsummarizationdiscardroute]

Goal:

  • All IP addresses have been preconfigured for you.
  • Configure OSPF and use the correct areas.
  • Configure a loopback0 interface on router Spielburg with network address 3.3.3.3 /24.
  • Configure router Shapeir to summarize network 3.3.3.0 /24 to 3.0.0.0 /8.
  • Configure router Shapeir so it doesn’t add a null0 entry in its routing table.

Config:

Basic config on all devices; as we know, we can only summarize networks on an ABR. For internal networks area x range is used; E1/E2 use summary-address directly on the ASBR.

Tarna

router ospf 1
 log-adjacency-changes
 network 192.168.12.0 0.0.0.255 area 0

Shapeir

router ospf 1
  log-adjacency-changes 
  area 1 range 3.0.0.0 255.0.0.0
  network 192.168.12.0 0.0.0.255 area 0
  network 192.168.23.0 0.0.0.255 area 1

Spielburg

interface Loopback0
 ip address 3.3.3.3 255.255.255.0

router ospf 1
 log-adjacency-changes
 network 3.3.3.0 0.0.0.255 area 1
 network 192.168.23.0 0.0.0.255 area 1

Which gives the following result on Tarna:

Tarna#sh ip route | beg Gate
Gateway of last resort is not set
C 192.168.12.0/24 is directly connected, FastEthernet0/0
O IA 3.0.0.0/8 [110/3] via 192.168.12.2, 00:24:49, FastEthernet0/0
O IA 192.168.23.0/24 [110/2] via 192.168.12.2, 00:32:18, FastEthernet0/0

And on Shapeir:

Shapeir#sh ip route | beg Gate
Gateway of last resort is not set
C 192.168.12.0/24 is directly connected, FastEthernet1/0
 3.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
O 3.3.3.3/32 [110/2] via 192.168.23.3, 00:00:23, FastEthernet0/0
O 3.0.0.0/8 is a summary, 00:00:23, Null0
C 192.168.23.0/24 is directly connected, FastEthernet0/0

That was the null0 route we weren’t allowed to have.. Here I got properly stuck; one solution could have been to create a static route on Spielburg and then redistribute it into OSPF, but according to the lab the config change was to be made on Shapeir.. The title of the lab was a bit of a spoiler though; the following information could be found in Cisco’s OSPF Commands:

discard-route

To reinstall either an external or internal discard route that was previously removed, use the discard-route command in router configuration mode. To remove either an external or internal discard route, use the no form of this command.

discard-route [external | internal]

no discard-route [external | internal]

Syntax Description

 
external (Optional) Reinstalls the discard route entry for redistributed summarized routes on an Autonomous System Boundary Router (ASBR).
internal (Optional) Reinstalls the discard-route entry for summarized internal routes on the Area Border Router (ABR).

The secret lies in “To remove either an external or internal discard route, use the no form of this command.” I simply tried “no discard-route internal” and just like that the null0 route was gone. 🙂

router ospf 1
 no discard-route internal

Shapeir#sh ip route | beg Gate
Gateway of last resort is not set
C 192.168.12.0/24 is directly connected, FastEthernet1/0
 3.0.0.0/32 is subnetted, 1 subnets
O 3.3.3.3 [110/2] via 192.168.23.3, 00:18:12, FastEthernet0/0
C 192.168.23.0/24 is directly connected, FastEthernet0/0

Not sure I see much practical use for this though. 😛

VRF-Lite & BGP

I thought I’d write a shorter post about a rather interesting problem I ran into earlier, which was solved with the help of VRF-Lite and a bit of tinkering with BGP. The desired topology was as follows:

[Image: lightvrf]

The link to ISP-1 was to be primary due to a better service agreement & bandwidth, while the link to ISP-2 was to be used only as backup. Both ISP-1 & 2 generate a default route and each advertise a 10.x.0.0/23 network. There was also a wish for AS #666 to act as transit between ISP-1 & 2.

[Image: lightvrfigp]

As IGP, EIGRP was used within AS #666 and between R1 – ISP-1, and OSPF between R3 – ISP-2, with the respective link networks redistributed. This is really completely unnecessary and was only used to make the task a bit more complicated. 🙂

The catch, however, was that ISP-1 & ISP-2 consist of one and the same router! The physical topology actually looks like this:

[Image: lightvrftopologi]

In other words, we need to split R1 into two virtual routers with separate routing tables & BGP adjacencies. We solve this with VRF-Lite! 🙂

Let’s take a closer look at the config for each router.

R2

interface Serial1/0
 ip address 12.0.0.2 255.255.255.252
 description Primary uplink to ISP-1
 no shut
interface Loopback3
 description For testing
 ip address 172.32.0.1 255.255.255.0
 no shut
interface Loopback4
 description For testing
 ip address 172.32.1.1 255.255.255.0
 no shut

interface FastEthernet0/0
 description to MLS1
 ip address 172.16.11.11 255.255.255.0
 ip hello-interval eigrp 101 2
 ip hold-time eigrp 101 6
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 s3cr3t
 ip summary-address eigrp 101 172.32.0.0 255.255.254.0 5
 duplex full
 speed 100
 no shut

IGP config

Since we only want to redistribute the link network between R1 & ISP-1 into EIGRP 101 I used a route-map, and also took the opportunity to tag the routes in case we need to do any filtering later.

!Internal IGP-routing
router eigrp 101
 redistribute eigrp 666 route-map EIGRP666-EIGRP101
 passive-interface default
 no passive-interface FastEthernet0/1
 network 172.16.0.0
 network 172.32.0.0 0.0.0.255
 network 172.32.1.0 0.0.0.255
 no auto-summary
 eigrp router-id 172.16.99.11

ip prefix-list EIGRP666-EIGRP101 seq 5 permit 12.0.0.0/30

route-map EIGRP666-EIGRP101 permit 10
 match ip address prefix-list EIGRP666-EIGRP101
 set metric 100000 100 255 1 1500
 set tag 1666

route-map EIGRP666-EIGRP101 deny 20

!External IGP routing ISP-1
router eigrp 666
 passive-interface default
 no passive-interface Serial1/0
 network 12.0.0.0 0.0.0.3
 no auto-summary

BGP

Nothing strange here; peer-groups for a slightly more “compact” config.

router bgp 666
 no synchronization
 bgp log-neighbor-changes
 network 172.16.0.0
 network 172.32.0.0 mask 255.255.254.0
 redistribute eigrp 666

 neighbor 12.0.0.1 remote-as 65001
 neighbor 12.0.0.1 description ISP-1

 neighbor IBGP peer-group
 neighbor IBGP remote-as 666
 neighbor IBGP next-hop-self
 neighbor IBGP password s3cr3t

 neighbor 172.16.11.1 peer-group IBGP
 neighbor 172.16.11.1 description MLS1
 neighbor 172.16.13.3 peer-group IBGP
 neighbor 172.16.13.3 description MLS2
 neighbor 172.16.33.33 peer-group IBGP
 neighbor 172.16.33.33 description R3
 no auto-summary

The config is more or less identical for R3.

Default-route

As mentioned earlier, the company wanted us to use this link as primary; both ISP-1 & 2 generated a default route each. Changing local pref for all routes we learn from ISP-1 would not have been great, since it would also affect traffic we are transit for. Instead I decided to use a route-map that sets a higher local pref only for the default route. We also need to make sure we do not advertise the default route onward outside our AS.

R2

router bgp 666
 neighbor 12.0.0.1 prefix-list DEFAULT-ROUTE-BLOCK out
 neighbor 12.0.0.1 route-map ISP1-routes in

ip prefix-list DEFAULT-ROUTE-BLOCK seq 5 deny 0.0.0.0/0
ip prefix-list DEFAULT-ROUTE-BLOCK seq 10 permit 0.0.0.0/0 le 32

ip prefix-list default-route seq 5 permit 0.0.0.0/0

route-map ISP1-routes permit 10
 match ip address prefix-list default-route
 set local-preference 150

route-map ISP1-routes permit 20

R3

router bgp 666
 neighbor 13.0.0.1 prefix-list DEFAULT-ROUTE-BLOCK out
 neighbor 13.0.0.1 route-map ISP2-routes in

ip prefix-list DEFAULT-ROUTE-BLOCK seq 5 deny 0.0.0.0/0
ip prefix-list DEFAULT-ROUTE-BLOCK seq 10 permit 0.0.0.0/0 le 32

ip prefix-list default-route seq 5 permit 0.0.0.0/0

route-map ISP2-routes permit 10
 match ip address prefix-list default-route
 set local-preference 110

route-map ISP2-routes permit 20

Which gives the following result:

R3#sh ip bgp 0.0.0.0
BGP routing table entry for 0.0.0.0/0, version 4
Paths: (2 available, best #1, table Default-IP-Routing-Table)
 Not advertised to any peer
 65001
  172.16.11.11 (metric 30720) from 172.16.11.11 (172.32.1.1)
   Origin IGP, metric 0, localpref 150, valid, internal, best
 65002
  13.0.0.1 from 13.0.0.1 (2.2.2.2)
   Origin IGP, metric 0, localpref 100, valid, external

VRF-Lite / R1

Now on to the more fun part. 🙂 We have already configured VRFs in several earlier posts, so this isn’t exactly new, but the use case itself is something I had never come across before.

interface Loopback1
 ip vrf forwarding ISP-1
 ip address 10.1.0.1 255.255.255.0

interface Loopback2
 ip vrf forwarding ISP-1
 ip address 10.1.1.1 255.255.255.0

interface Loopback3
 ip vrf forwarding ISP-2
 ip address 10.2.0.1 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0

interface Loopback4
 ip vrf forwarding ISP-2
 ip address 10.2.1.1 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0

interface Loopback5
 ip vrf forwarding Shared
 ip address 1.1.1.1 255.255.255.255

interface Loopback6
 ip vrf forwarding Shared
 ip address 2.2.2.2 255.255.255.255

interface Loopback11
 description Management - RID
 ip address 11.11.11.11 255.255.255.255

interface Serial0/0/0
 description ISP-1 to CustomerA-R1
 ip vrf forwarding ISP-1
 ip address 12.0.0.1 255.255.255.252
 ip summary-address eigrp 666 10.1.0.0 255.255.254.0 5

interface Serial0/0/1
 description ISP-2 to CustomerA-R3
 ip vrf forwarding ISP-2
 ip address 13.0.0.1 255.255.255.252
 ip ospf 1 area 666

We first configure a few VRF instances; Shared simulates external routes/internet in this case. I also added an export map to only export 1.1.1.1/32 and 2.2.2.2/32 from Shared to the ISP-1 & ISP-2 VRFs.

ip vrf ISP-1
 rd 65000:1
 route-target export 65000:1
 route-target import 65000:1

ip vrf ISP-2
 rd 65000:2
 route-target export 65000:2
 route-target import 65000:2

ip vrf Shared
 rd 65000:3
 export map ISP-Loopback-Inject
 route-target export 65000:3
 route-target import 65000:3
 route-target import 65000:1
 route-target import 65000:2

route-map ISP-Loopback-Inject permit 10
 match ip address prefix-list ISP-1
 set extcommunity rt 65000:1 additive

route-map ISP-Loopback-Inject permit 20
 match ip address prefix-list ISP-2
 set extcommunity rt 65000:2 additive

route-map ISP-Loopback-Inject deny 30

IGP

Since we are using VRFs we also have to adjust our IGP instances, just as before.

router eigrp 666
 passive-interface default
 no passive-interface Serial0/0/0
 no auto-summary

 address-family ipv4 vrf ISP-1
  network 10.1.0.0 0.0.0.255
  network 10.1.1.0 0.0.0.255
  network 12.0.0.0 0.0.0.3
  no auto-summary
  autonomous-system 666
  exit-address-family
 eigrp router-id 1.1.1.1

router ospf 1 vrf ISP-2
 router-id 2.2.2.2
 log-adjacency-changes
 area 0 range 10.2.0.0 255.255.254.0
 passive-interface default
 no passive-interface Serial0/0/1

BGP

Here we run into a small problem, since we can only have one active BGP instance, i.e. if we write “router bgp 65001” we cannot configure “router bgp 65002” for ISP-2 afterwards.

BGP does however, as we know, have quite a few fun features we can make use of, and in this case we can solve the problem with “local-as”, “no-prepend” & “replace-as”. Click on each for more info; Lostintransit.se also has a worthwhile article about this here!

router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 no auto-summary

 address-family ipv4 vrf Shared
  redistribute connected
  no synchronization
  exit-address-family

 address-family ipv4 vrf ISP-2
  neighbor 13.0.0.2 remote-as 666
  neighbor 13.0.0.2 local-as 65002 no-prepend replace-as
  neighbor 13.0.0.2 activate
  neighbor 13.0.0.2 default-originate
  no synchronization
  bgp router-id 2.2.2.2
  network 10.2.0.0 mask 255.255.255.0
  network 10.2.1.0 mask 255.255.255.0
  aggregate-address 10.2.0.0 255.255.254.0 summary-only
  exit-address-family

 address-family ipv4 vrf ISP-1
  neighbor 12.0.0.2 remote-as 666
  neighbor 12.0.0.2 local-as 65001 no-prepend replace-as
  neighbor 12.0.0.2 activate
  neighbor 12.0.0.2 default-originate
  no synchronization
  bgp router-id 1.1.1.1
  network 10.1.0.0 mask 255.255.255.0
  network 10.1.1.0 mask 255.255.255.0
  aggregate-address 10.1.0.0 255.255.254.0 summary-only
  exit-address-family

Which gives the following result:

R1#sh ip bgp neighbors 12.0.0.1
 BGP neighbor is 12.0.0.1, remote AS 65001, external link
 BGP version 4, remote router ID 1.1.1.1
 BGP state = Established, up for 00:45:25
 Last read 00:00:16, last write 00:00:31, hold time is 180, keepalive interval is 60 seconds

R3#sh ip bgp neighbors 13.0.0.1
 BGP neighbor is 13.0.0.1, remote AS 65002, external link
 BGP version 4, remote router ID 2.2.2.2
 BGP state = Established, up for 00:46:18
 Last read 00:00:05, last write 00:00:21, hold time is 180, keepalive interval is 60 seconds

R2#sh ip bgp vpnv4 vrf ISP-1
 BGP table version is 60, local router ID is 1.1.1.1
 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
 r RIB-failure, S Stale
 Origin codes: i - IGP, e - EGP, ? - incomplete
 Network Next Hop Metric LocPrf Weight Path
 Route Distinguisher: 65000:1 (default for vrf ISP-1) VRF Router ID 1.1.1.1
 *> 1.1.1.1/32 0.0.0.0 0 32768 ?
 *> 2.2.2.2/32 12.0.0.2 0 666 65002 ?
 s> 10.1.0.0/24 0.0.0.0 0 32768 i
 r> 10.1.0.0/23 0.0.0.0 32768 i
 s> 10.1.1.0/24 0.0.0.0 0 32768 i
 *> 10.2.0.0/23 12.0.0.2 0 666 65002 i
 *> 13.37.0.0/16 0.0.0.0 0 32768 ?
 *> 172.16.0.0 12.0.0.2 28416 0 666 i
 *> 172.32.0.0/23 12.0.0.2 128256 0 666 i

We can also verify that our transit works as intended: ISP-1 has the following information for 2.2.2.2/32, which lives on the same router but under ISP-2's VRF.

R2#sh ip bgp vpnv4 vrf ISP-1 2.2.2.2/32
 BGP routing table entry for 65000:1:2.2.2.2/32, version 50
 Paths: (1 available, best #1, table ISP-1)
 Not advertised to any peer
 666 65002
 12.0.0.2 from 12.0.0.2 (172.16.99.11)
 Origin incomplete, localpref 100, valid, external, best
 Extended Community: RT:65000:1
 mpls labels in/out 31/nolabel

Beautiful! VRF-Lite gives us a simple way to segment a router, for example if we have to separate two departments that connect to one and the same router. More worthwhile articles on this can be found here:

http://packetlife.net/blog/2009/apr/30/intro-vrf-lite/

Inter-VRF routing using VRF-lite
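
The AS_PATH handling behind the “local-as … no-prepend replace-as” lines in the BGP configuration above, as an added example that is not part of the original post: a simplified Python model of the outbound and inbound rules, following a route from VRF ISP-2 out to the customer (AS 666) and back in over the ISP-1 session. The AS numbers are the page's; the function names are hypothetical.

```python
REAL_AS = 65000      # "router bgp 65000" on R1 in the post
CUSTOMER_AS = 666    # "remote-as 666"


def advertise(as_path, local_as=None, replace_as=False):
    """AS_PATH as it leaves the router on an eBGP session.

    No local-as:            the real AS is prepended.
    local-as:               the local AS is prepended in front of the real AS.
    local-as + replace-as:  only the local AS is prepended.
    """
    if local_as is None:
        return [REAL_AS] + as_path
    if replace_as:
        return [local_as] + as_path
    return [local_as, REAL_AS] + as_path


def accept(as_path, local_as=None, no_prepend=False):
    """AS_PATH as stored after inbound processing on an eBGP session,
    or None when the update fails the AS_PATH loop check (own AS present)."""
    if REAL_AS in as_path:
        return None
    if local_as is not None and not no_prepend:
        return [local_as] + as_path
    return list(as_path)


def isp2_route_seen_in_isp1(no_prepend, replace_as):
    """Follow a route originated in VRF ISP-2 out to the customer and back
    in over the ISP-1 session, with the same options on both sessions."""
    to_customer = advertise([], local_as=65002, replace_as=replace_as)
    from_customer = [CUSTOMER_AS] + to_customer   # customer prepends its AS
    return accept(from_customer, local_as=65001, no_prepend=no_prepend)


if __name__ == "__main__":
    for no_prepend in (False, True):
        for replace_as in (False, True):
            path = isp2_route_seen_in_isp1(no_prepend, replace_as)
            print(f"no-prepend={no_prepend!s:5} replace-as={replace_as!s:5} ->",
                  "rejected (AS loop)" if path is None else path)
```

Only the combination used in the post yields the path “666 65002” shown for 2.2.2.2/32; without “replace-as” the real AS 65000 stays in the path and the update is rejected when it returns to the same router.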

OSPF – Stub router

Cisco's IOS offers a feature called “Stub router advertisements” which is not mentioned in the CCNP material, so I thought I would write a short post about it here instead.

OSPF-stubrouter

In the topology above, traffic currently goes via R3 to reach the 200.0.0.0/24 network.

R1#sh ip route 200.0.0.0
Routing entry for 200.0.0.0/16, supernet
 Known via "ospf 1", distance 110, metric 21, type intra area
 Last update from 10.0.13.3 on FastEthernet0/1, 00:00:08 ago
 Routing Descriptor Blocks:
 * 10.0.13.3, from 4.4.4.4, 00:00:08 ago, via FastEthernet0/1
 Route metric is 21, traffic share count is 1

Now let's say that, for example, Cisco has released a critical IOS update which requires us to reboot R3. To keep that from affecting traffic in our network, we first need to steer the traffic away from it.

In this small network it would have been fairly easy to go in and modify the cost values on the interfaces, but for a large network with lots of links Cisco instead introduced a feature called “Stub router advertisements”. This makes our router automatically start advertising all its networks with max-metric (65,535).

R3(config)#router ospf 1
R3(config-router)#max-metric router-lsa

R3#sh ip ospf
 Routing Process "ospf 1" with ID 3.3.3.3
 Start time: 00:03:49.344, Time elapsed: 00:20:52.136
 Supports only single TOS(TOS0) routes
 Supports opaque LSA
 Supports Link-local Signaling (LLS)
 Supports area transit capability
 Originating router-LSAs with maximum metric
 Condition: always, State: active

If we check R1 again, we can now see that the traffic goes via R2 instead:

R1#sh ip route 200.0.0.0
Routing entry for 200.0.0.0/16, supernet
 Known via "ospf 1", distance 110, metric 41, type intra area
 Last update from 10.0.12.2 on FastEthernet0/0, 00:00:58 ago
 Routing Descriptor Blocks:
 * 10.0.12.2, from 4.4.4.4, 00:00:58 ago, via FastEthernet0/0
 Route metric is 41, traffic share count is 1

R1#sh ip ospf database router 3.3.3.3
OSPF Router with ID (1.1.1.1) (Process ID 1)
Router Link States (Area 0)
LS age: 175
 Options: (No TOS-capability, DC)
 LS Type: Router Links
 Link State ID: 3.3.3.3
 Advertising Router: 3.3.3.3
 LS Seq Number: 80000007
 Checksum: 0xB7BC
 Length: 48
 Number of Links: 2

Link connected to: a Transit Network
 (Link ID) Designated Router address: 10.0.34.3
 (Link Data) Router Interface address: 10.0.34.3
 Number of TOS metrics: 0
 TOS 0 Metrics: 65535

Link connected to: a Transit Network
 (Link ID) Designated Router address: 10.0.13.3
 (Link Data) Router Interface address: 10.0.13.3
 Number of TOS metrics: 0
 TOS 0 Metrics: 65535

This can also be used to set a delay at startup, so that the router does not start advertising routes as soon as the OSPF process has started and is instead given some time to fully converge first.

R1(config-router)#max-metric router-lsa on-startup ?
 <5-86400> Time, in seconds, router-LSAs are originated with max-metric
 wait-for-bgp Let BGP decide when to originate router-LSA with normal metric

As can be seen, we can either set our own timer, e.g. 120 seconds, or, if this router is also a BGP speaker, wait until BGP signals that the router is fully converged (max 10 minutes).
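
Why R1 moves to R2 while R3 itself stays reachable, as an added example that is not part of the original post: a small SPF run over a constructed link-state database, before and after R3 originates its router-LSA with metric 65535. The topology image is not available, so the four-router layout, the link costs and the function names are assumptions, chosen to reproduce the page's metrics 21 and 41.

```python
import heapq

MAX_METRIC = 0xFFFF  # 65535, as shown under "TOS 0 Metrics" in R3's router-LSA

# Constructed link-state database (the page's topology image is not available).
# Each entry is one router-LSA: neighbor -> cost of the *outgoing* link.
# Costs are assumptions picked to reproduce the page's metrics 21 and 41;
# the broadcast segments are simplified to direct router-to-router links.
LSDB = {
    "R1": {"R2": 20, "R3": 10},
    "R2": {"R1": 20, "R4": 20},
    "R3": {"R1": 10, "R4": 10},
    "R4": {"R2": 20, "R3": 10},
}
STUB_NETS = {"R4": {"200.0.0.0": 1}}  # prefix attached to R4, cost 1 (assumed)


def apply_max_metric(lsdb, router):
    """Copy of the LSDB where `router` re-originates its router-LSA with
    every link at MAX_METRIC, as `max-metric router-lsa` does."""
    new = {r: dict(links) for r, links in lsdb.items()}
    new[router] = {nbr: MAX_METRIC for nbr in new[router]}
    return new


def remove_router(lsdb, router):
    """Copy of the LSDB with `router` and all links towards it gone."""
    return {r: {n: c for n, c in links.items() if n != router}
            for r, links in lsdb.items() if r != router}


def spf(lsdb, root):
    """Dijkstra over router-LSAs. Returns {router: (cost, first_hop)}."""
    best = {root: (0, None)}
    heap = [(0, root)]
    done = set()
    while heap:
        cost, node = heapq.heappop(heap)
        if node in done:
            continue
        done.add(node)
        for nbr, link_cost in lsdb[node].items():
            if node not in lsdb.get(nbr, {}):   # OSPF requires a two-way link
                continue
            new_cost = cost + link_cost
            if nbr not in best or new_cost < best[nbr][0]:
                first_hop = nbr if node == root else best[node][1]
                best[nbr] = (new_cost, first_hop)
                heapq.heappush(heap, (new_cost, nbr))
    return best


def route_to(lsdb, root, prefix):
    """(metric, first_hop) of the best path from `root` to `prefix`, or None."""
    tree = spf(lsdb, root)
    paths = [(tree[r][0] + nets[prefix], tree[r][1])
             for r, nets in STUB_NETS.items() if prefix in nets and r in tree]
    return min(paths) if paths else None


if __name__ == "__main__":
    drained = apply_max_metric(LSDB, "R3")
    print("before       :", route_to(LSDB, "R1", "200.0.0.0"))
    print("R3 max-metric:", route_to(drained, "R1", "200.0.0.0"))
    print("R3 itself    :", spf(drained, "R1")["R3"])
    print("R2 also down :", route_to(remove_router(drained, "R2"), "R1", "200.0.0.0"))
```

The last case shows that 65535 is a last-resort metric rather than an exclusion: with R2 gone, R1 still routes through R3.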

OSPF – Answers to “Questions of the Week”

A little later than planned, but here are the answers from last week's post about OSPF.

ospf-fraga

1. If we want to summarize the subnets 30.0.0.0/24 & 30.0.1.0/24 into a /23, where in the network do we do this?

R5 – Since the 30.0.x.0/24 networks are redistributed into OSPF, they count as external routes and are advertised as LSA Type 5/7 (NSSA-External). The rule that we only summarize on ABRs (LSA Type 3 Summary) applies only to intra-area routes (LSA Type 1).

Before we move on, we can see the following on R4 (note that it is Type-7 because of the NSSA area):

R4#sh ip ospf database nssa-external
OSPF Router with ID (4.4.4.4) (Process ID 1)
Type-7 AS External Link States (Area 20)
Routing Bit Set on this LSA
 LS age: 65
 Options: (No TOS-capability, Type 7/5 translation, DC)
 LS Type: AS External Link
 Link State ID: 30.0.0.0 (External Network Number )
 Advertising Router: 5.5.5.5
 LS Seq Number: 80000001
 Checksum: 0x8177
 Length: 36
 Network Mask: /24
 Metric Type: 2 (Larger than any link state path)
 TOS: 0
 Metric: 20
 Forward Address: 192.168.0.2
 External Route Tag: 0
Routing Bit Set on this LSA
 LS age: 65
 Options: (No TOS-capability, Type 7/5 translation, DC)
 LS Type: AS External Link
 Link State ID: 30.0.1.0 (External Network Number )
 Advertising Router: 5.5.5.5
 LS Seq Number: 80000001
 Checksum: 0x7681
 Length: 36
 Network Mask: /24
 Metric Type: 2 (Larger than any link state path)
 TOS: 0
 Metric: 20
 Forward Address: 192.168.0.2
 External Route Tag: 0

So if we want to summarize, we do it directly on R5 via:

R5(config)#router ospf 1
R5(config-router)#summary-address 30.0.0.0 255.255.254.0

R5 now advertises only the /23 network via a Type 7 LSA to R4:

R4#sh ip ospf database nssa-external
OSPF Router with ID (4.4.4.4) (Process ID 1)
Type-7 AS External Link States (Area 20)
Routing Bit Set on this LSA
 LS age: 23
 Options: (No TOS-capability, Type 7/5 translation, DC)
 LS Type: AS External Link
 Link State ID: 30.0.0.0 (External Network Number )
 Advertising Router: 5.5.5.5
 LS Seq Number: 80000002
 Checksum: 0x7A7E
 Length: 36
 Network Mask: /23
 Metric Type: 2 (Larger than any link state path)
 TOS: 0
 Metric: 20
 Forward Address: 192.168.0.2
 External Route Tag: 0

R4 then converts this to a Type 5 LSA before forwarding it out onto the backbone. We can verify this by checking the OSPF database on e.g. R1:

R1#sh ip ospf database external 30.0.0.0
OSPF Router with ID (1.1.1.1) (Process ID 1)
Type-5 AS External Link States
Routing Bit Set on this LSA
 LS age: 124
 Options: (No TOS-capability, DC)
 LS Type: AS External Link
 Link State ID: 30.0.0.0 (External Network Number )
 Advertising Router: 4.4.4.4
 LS Seq Number: 80000003
 Checksum: 0x2BDA
 Length: 36
 Network Mask: /23
 Metric Type: 2 (Larger than any link state path)
 TOS: 0
 Metric: 20
 Forward Address: 192.168.0.2
 External Route Tag: 0

2. What happens to any LSA Type 5 packets sent to area 20 from area 10 or the backbone?

Since area 20 is an NSSA, Type 4 & Type 5 are filtered. They are replaced instead by a default route with R4 as next hop.

R5#sh ip route | beg Gate
Gateway of last resort is 192.168.0.1 to network 0.0.0.0
O IA 172.16.0.0/16 [110/40] via 192.168.0.1, 00:00:15, FastEthernet0/1
 10.0.0.0/25 is subnetted, 2 subnets
O IA 10.0.0.0 [110/30] via 192.168.0.1, 00:00:15, FastEthernet0/1
O IA 10.0.0.128 [110/20] via 192.168.0.1, 00:00:15, FastEthernet0/1
C 192.168.0.0/24 is directly connected, FastEthernet0/1
 30.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
S 30.0.0.0/24 is directly connected, Null0
O 30.0.0.0/23 is a summary, 00:07:26, Null0
S 30.0.1.0/24 is directly connected, Null0
O*N2 0.0.0.0/0 [110/1] via 192.168.0.1, 00:00:12, FastEthernet0/1

Note that it says O*N2, NSSA External Type 2. This is unique to NSSA areas and I have not yet found the reason why this is so.

The default route advertised by R4 appears to be redistributed in and is therefore sent as a Type 7 LSA instead.

R5#sh ip ospf database nssa-external
OSPF Router with ID (5.5.5.5) (Process ID 1)
Type-7 AS External Link States (Area 20)
Routing Bit Set on this LSA
 LS age: 45
 Options: (No TOS-capability, No Type 7/5 translation, DC)
 LS Type: AS External Link
 Link State ID: 0.0.0.0 (External Network Number )
 Advertising Router: 4.4.4.4
 LS Seq Number: 80000001
 Checksum: 0x940D
 Length: 36
 Network Mask: /0
 Metric Type: 2 (Larger than any link state path)
 TOS: 0
 Metric: 1
 Forward Address: 0.0.0.0
 External Route Tag: 0

This only applies to NSSA; if we configure stub, totally stub or totally NSSA, the default route is advertised “as usual” with a Type 3 LSA instead.

R5#sh ip route | beg Gate

Gateway of last resort is 192.168.0.1 to network 0.0.0.0
C 192.168.0.0/24 is directly connected, FastEthernet0/1
 30.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
S 30.0.0.0/24 is directly connected, Null0
O 30.0.0.0/23 is a summary, 00:06:12, Null0
S 30.0.1.0/24 is directly connected, Null0
O*IA 0.0.0.0/0 [110/11] via 192.168.0.1, 00:08:15, FastEthernet0/1

I made a forum post on Cisco's CCIE forum to see whether anyone might know why it differs for NSSA default routes specifically; it can be read here.

3. Which LSA packets will inform R1 about the summarized 30.0.0.0/23 network and how to get there?

We have already seen what happened to the LSA packets after we summarized the networks on R5:

  • R5 advertises the network as a Type 7 LSA
  • R4 converts Type 7 to Type 5 and sends it out onto the backbone

But what happens next?

An LSA Type 5 is sent between areas without modification as long as it is a standard/backbone area, which area 10 is in this case. So R1 receives the Type 5 packet from R4, which advertises the 30.0.0.0/23 network. But does R1 know how to get to R4? Types 1 & 2 contain information about other routers but are only sent within their own area. Type 3 is advertised by ABRs and is not used in this case.

R1 therefore also needs an LSA Type 4 packet that tells it how to get to R4!

R1#sh ip ospf database
OSPF Router with ID (1.1.1.1) (Process ID 1)
Summary ASB Link States (Area 10)
Link ID ADV Router Age Seq# Checksum
4.4.4.4 2.2.2.2 1245 0x80000001 0x004FC0
Type-5 AS External Link States
Link ID ADV Router Age Seq# Checksum Tag
20.0.0.0 2.2.2.2 1297 0x80000001 0x00A6DD 0
20.0.1.0 2.2.2.2 1297 0x80000001 0x009BE7 0
20.0.2.0 2.2.2.2 1297 0x80000001 0x0090F1 0
20.0.3.0 2.2.2.2 1297 0x80000001 0x0085FB 0
30.0.0.0 4.4.4.4 1144 0x80000003 0x002BDA 0

The LSA Type 4 packet is created by R2 (ADV Router 2.2.2.2), with R4's RID as Link ID, 4.4.4.4.

R1 thereby realizes that it needs to go via R2 to get to R4.

If you did not know the answers to these, it is probably time to review LSAs again; earlier posts on this can be found here for Type 1-5, and here for Type 7.
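
The check from answer 3, as an added example that is not part of the original post: a Python parser for “show ip ospf database” summary output that, for every Type-5 LSA, reports whether its ASBR is known intra-area or through a Type-4 LSA, and via which ABR. The Type-4 row and the 20.0.0.0 and 30.0.0.0 rows are taken from R1's output above; the Router Link States rows and the 40.0.0.0 row are constructed, and the function names are hypothetical.

```python
import re

# Rows under "Router Link States" and the 40.0.0.0 external are constructed
# for this example; the Type-4 row and the 20.0.0.0 / 30.0.0.0 rows come from
# R1's output in the post. A single attached area is assumed.
SAMPLE = """\
OSPF Router with ID (1.1.1.1) (Process ID 1)
Router Link States (Area 10)
Link ID ADV Router Age Seq# Checksum Link count
1.1.1.1 1.1.1.1 1250 0x80000002 0x001111 2
2.2.2.2 2.2.2.2 1251 0x80000002 0x002222 2
Summary ASB Link States (Area 10)
Link ID ADV Router Age Seq# Checksum
4.4.4.4 2.2.2.2 1245 0x80000001 0x004FC0
Type-5 AS External Link States
Link ID ADV Router Age Seq# Checksum Tag
20.0.0.0 2.2.2.2 1297 0x80000001 0x00A6DD 0
30.0.0.0 4.4.4.4 1144 0x80000003 0x002BDA 0
40.0.0.0 6.6.6.6 1100 0x80000001 0x003333 0
"""

# A data row starts with two dotted quads: Link ID, then ADV Router.
ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s")


def parse_lsdb(text):
    """Return {section title without the area: [(link_id, adv_router), ...]}."""
    sections, current = {}, None
    for line in text.splitlines():
        if "Link States" in line:
            current = re.sub(r"\s*\(Area .*\)", "", line.strip())
            sections.setdefault(current, [])
        elif current and (m := ROW.match(line)):
            sections[current].append(m.groups())
    return sections


def resolve_externals(text):
    """Map each Type-5 prefix to (how its ASBR is known, router to go via)."""
    db = parse_lsdb(text)
    # Routers with a Type-1 LSA in our area are reachable intra-area.
    intra = {adv for _, adv in db.get("Router Link States", [])}
    # Type-4: Link ID is the ASBR's router ID, ADV Router is the ABR.
    type4 = {}
    for asbr, abr in db.get("Summary ASB Link States", []):
        type4.setdefault(asbr, []).append(abr)
    result = {}
    for prefix, asbr in db.get("Type-5 AS External Link States", []):
        if asbr in intra:
            result[prefix] = ("intra-area", asbr)
        elif asbr in type4:
            result[prefix] = ("type-4", type4[asbr][0])
        else:
            result[prefix] = ("unresolved", None)   # route cannot be installed
    return result


if __name__ == "__main__":
    for prefix, (how, via) in resolve_externals(SAMPLE).items():
        print(f"{prefix:10} ASBR known {how:10} via {via}")
```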

OSPF – “Questions of the Week”

Just as for EIGRP, this week it was time to come up with some questions about OSPF to put to the rest of the class.

ospf-fraga

1. If we want to summarize the subnets 30.0.0.0/24 & 30.0.1.0/24 into a /23, where in the network do we do this?

2. What happens to any LSA Type 5 packets sent to area 20 from area 10 or the backbone?

3. Which LSA packets will inform R1 about the summarized 30.0.0.0/23 network and how to get there?

I will post the answers after we have had the “quizzes” on Monday.

No cert yet

Posts have been scarce since I have basically just been reviewing a lot for the certs, working, been ill & had a birthday… The plan was for us to go and sit the cert exam last week already, but the planning got tangled up for both me and my “colleagues”. But now I am at least healthy again and the birthday celebrations are done, so I am counting on going next Wednesday instead.

I am also going down to Jönköping this weekend to party & pick up the lab equipment I bought earlier. 🙂

I have mostly still been focusing on TSHOOT; the following video with Scott Morris has quite a few good tips on troubleshooting OSPF.

TSHOOT – Part III, Dist-layer

tshoot-distlayer

Building further on our TSHOOT network, this time with the distribution layer. Among other things we need to configure EIGRP<->OSPF & RIP_NG<->OSPFv3 redistribution.

But first we of course have to sort out the L2/L3 config. Unfortunately the switch functionality in GNS3 is very limited (it only uses NM-16ESW cards in 3640s), so our port-channel numbers will not match. There is also no way to create an L3 channel between DSW1 & DSW2, so only a single port will be used here.

Basic L3

R4

R4(config)#inte fa0/0
R4(config-if)#ip add 10.1.4.5 255.255.255.252
R4(config-if)#descrip to DSW1
R4(config-if)#no shut
R4(config-if)#ipv6 add 2026::2:1/122
R4(config-if)#inte fa0/1
R4(config-if)#ip add 10.1.4.9 255.255.255.252
R4(config-if)#desc to DSW2
R4(config-if)#no shut

DSW1

DSW1(config)#ip routing
DSW1(config)#ipv6 unicast-routing
DSW1(config)#int fa0/0
DSW1(config-if)#ip add 10.1.4.6 255.255.255.252
DSW1(config-if)#descrip to R4
DSW1(config-if)#no shut
DSW1(config-if)#ipv6 add 2026::2:2/122
DSW1(config)#int range fa1/13 - 14
DSW1(config-if-range)#descrip L3 Etherchannel to DSW2
DSW1(config-if-range)#no switchport
DSW1(config-if-range)#shut
DSW1(config-if-range)#
DSW1(config-if-range)#inte fa1/13
DSW1(config-if)#ip add 10.2.4.13 255.255.255.252
DSW1(config-if)#ipv6 add 2026::3:1/122
DSW1(config-if)#no shut

DSW2

DSW2(config)#ip routing
DSW2(config)#ipv6 unicast-routing
DSW2(config)#inte fa0/0
DSW2(config-if)#ip add 10.1.4.10 255.255.255.252
DSW2(config-if)#descrip to R4
DSW2(config-if)#no shut
DSW2(config-if)#int range fa1/13 - 14
DSW2(config-if-range)#descrip L3 Etherchannel to DSW1
DSW2(config-if-range)#no switchport
DSW2(config-if-range)#shut
DSW2(config-if-range)#inte fa1/13
DSW2(config-if)#ip add 10.2.4.14 255.255.255.252
DSW2(config-if)#no shut
DSW2(config-if)#ipv6 add 2026::3:2/122
DSW2(config-if)#exit

EIGRP

R4

R4(config)#router eigrp 10
R4(config-router)#no auto-summary
R4(config-router)#passive-interface default
R4(config-router)#no passive-interface fa0/0
R4(config-router)#no passive-interface fa0/1
R4(config-router)#network 10.1.4.4 0.0.0.3
R4(config-router)#network 10.1.4.8 0.0.0.3

DSW1

DSW1(config)#router eigrp 10
DSW1(config-router)#no auto-summary
DSW1(config-router)#passive-interface default
DSW1(config-router)#no passive-interface fa0/0
DSW1(config-router)#no passive-interface fa1/13
DSW1(config-router)#network 10.1.4.4 0.0.0.3
DSW1(config-router)#network 10.2.4.12 0.0.0.3

DSW2

DSW2(config)#router eigrp 10
DSW2(config-router)#no auto-summary
DSW2(config-router)#passive-interface default
DSW2(config-router)#no passive-interface fa0/0
DSW2(config-router)#no passive-interface fa1/13
DSW2(config-router)#network 10.1.4.8 0.0.0.3
DSW2(config-router)#network 10.2.4.12 0.0.0.3

RIPng

R4

R4(config-router)#inte fa0/0
R4(config-if)#ipv6 rip RIP_ZONE enable
R4(config-if)#int fa0/1
R4(config-if)#ipv6 rip RIP_ZONE enable

DSW1

DSW1(config)#inte fa0/0
DSW1(config-if)#ipv6 rip RIP_ZONE enable
DSW1(config)#int fa1/13
DSW1(config-if)#ipv6 rip RIP_ZONE enable

DSW2

DSW2(config)#inte fa0/0
DSW2(config-if)#ipv6 rip RIP_ZONE enable
DSW2(config)#int fa1/13
DSW2(config-if)#ipv6 rip RIP_ZONE enable

Redistribution

Since we do not have multipoint redistribution, we do not need to use route-maps/tags in this case.

R4(config)#router eigrp 10
R4(config-router)#redistribute ospf 1 metric 1500 1 255 1 1500
R4(config-router)#router ospf 1
R4(config-router)#redistribute eigrp 10 subnets
R4(config)#ipv6 router ospf 6
R4(config-rtr)#redistribute rip RIP_ZONE include-connected metric 20
R4(config)#ipv6 router rip RIP_ZONE
R4(config-rtr)#redistribute ospf 6 metric 5 include-connected

Verification

DSW2#sh ipv6 rip database
RIP process "RIP_ZONE", local RIB
 2026::2:0/122, metric 2, installed
 FastEthernet1/13/FE80::CE03:13FF:FE54:F10D, expires in 165 secs
 2026::3:0/122, metric 2
 FastEthernet1/13/FE80::CE03:13FF:FE54:F10D, expires in 165 secs
 2026::34:0/122, metric 7, installed
 FastEthernet1/13/FE80::CE03:13FF:FE54:F10D, expires in 165 secs
 ::/0, metric 7, installed
 FastEthernet1/13/FE80::CE03:13FF:FE54:F10D, expires in 165 secs

Ping to R1 from DSW2

DSW2#ping ipv6 2026::12:1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2026::12:1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 136/160/200 ms
DSW2#ping 10.1.1.1
Translating "10.1.1.1"
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/111/192 ms

Beautiful!

A trace to the web server does not work, however:

DSW2#traceroute 209.65.200.241
Translating "209.65.200.241"
Type escape sequence to abort.
Tracing the route to 209.65.200.241
 1 10.1.4.9 16 msec 48 msec 48 msec
 2 10.1.1.9 108 msec 48 msec 44 msec
 3 10.1.1.5 40 msec 80 msec 84 msec
 4 10.1.1.1 140 msec 108 msec 156 msec
 5 * * *

This is simply because we have not configured any NAT on R1 yet, so the traffic cannot find its way back. We will fix that tomorrow together with the DHCP service & the access layer. 🙂