
Saturday, December 11, 2010

BGP AS-Path filter using Regular Expressions

Using AS-path filters we can accept or drop route prefixes based on the AS_PATH attribute, i.e. on which autonomous systems a route has passed through or was originated by.

In the following post I will use this network topology:

R1 router BGP is configured as follows:

router bgp 100

no synchronization

bgp log-neighbor-changes

neighbor ebgp peer-group

neighbor ebgp password cisco

neighbor ebgp ebgp-multihop 5

neighbor ebgp version 4

neighbor ebgp soft-reconfiguration inbound

neighbor 10.1.12.2 remote-as 2503

neighbor 10.1.12.2 peer-group ebgp

neighbor 10.1.13.3 remote-as 3113

neighbor 10.1.13.3 peer-group ebgp

no auto-summary

Looking at the R1 BGP table shows us the prefixes learned from all ASes:

R1#sh ip bgp
BGP table version is 71, local router ID is 200.5.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 0.0.0.0          10.1.13.3                              0 3113 5523 i
*                   10.1.12.2                              0 2503 4413 5523 i
*  2.2.2.0/24       10.1.13.3                              0 3113 4413 2503 ?
*>                  10.1.12.2                0             0 2503 ?
r  10.1.12.0/24     10.1.13.3                              0 3113 4413 2503 ?
r>                  10.1.12.2                0             0 2503 ?
*  10.1.24.0/24     10.1.13.3                              0 3113 4413 2503 ?
*>                  10.1.12.2                0             0 2503 ?
*  12.0.1.0/24      10.1.13.3                              0 3113 4413 2503 ?
*>                  10.1.12.2                0             0 2503 ?
*  13.0.1.0/24      10.1.12.2                              0 2503 4413 3113 i
*>                  10.1.13.3                0             0 3113 i
*  14.0.1.0/24      10.1.13.3                              0 3113 4413 i
*>                  10.1.12.2                              0 2503 4413 i
*> 55.1.0.0/24      10.1.13.3                              0 3113 5523 i
*                   10.1.12.2                              0 2503 4413 5523 i
*> 55.2.0.0/24      10.1.13.3                              0 3113 5523 i
*                   10.1.12.2                              0 2503 4413 5523 i
*> 55.3.0.0/24      10.1.13.3                              0 3113 5523 i
*                   10.1.12.2                              0 2503 4413 5523 i

The first AS-path filter I use drops every route that passes through R4 (AS4413). I configure the following as-path access-list:

ip as-path access-list 1 deny _4413_

ip as-path access-list 1 permit .*

In an IOS as-path regular expression the underscore matches the start or end of the path, a space or a comma, so _4413_ matches AS 4413 as a whole AS number anywhere in the path (beginning, middle or end) without also matching numbers such as 44130 or 14413. The list is then applied to the neighbors in the inbound direction:

R1(config-router)#neighbor ebgp filter-list 1 in

(In this lab I use a peer-group named ebgp so that the same configuration applies to both eBGP neighbors, R2 and R3.)

The result of this AS-Path filter:

R1#sh ip bgp
BGP table version is 73, local router ID is 200.5.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 0.0.0.0          10.1.13.3                              0 3113 5523 i
*> 2.2.2.0/24       10.1.12.2                0             0 2503 ?
r> 10.1.12.0/24     10.1.12.2                0             0 2503 ?
*> 10.1.24.0/24     10.1.12.2                0             0 2503 ?
*> 12.0.1.0/24      10.1.12.2                0             0 2503 ?
*> 13.0.1.0/24      10.1.13.3                0             0 3113 i
*> 55.1.0.0/24      10.1.13.3                              0 3113 5523 i
*> 55.2.0.0/24      10.1.13.3                              0 3113 5523 i
*> 55.3.0.0/24      10.1.13.3                              0 3113 5523 i

Every path that went through AS4413 is gone: 14.0.1.0/24 disappeared entirely, since both of its paths crossed AS4413, and the other prefixes kept only the path that avoids it. Note that the explicit permit statement is required; an as-path access-list ends with an implicit deny, so a list containing only the deny line would drop every prefix.

Next I configure an as-path access-list that allows only prefixes originated by AS4413. The originating AS is the rightmost AS in the path, so the regular expression anchors 4413 to the end of the path with $. The list is applied to the peer-group with the same filter-list command, in place of list 1:

ip as-path access-list 3 permit _4413$

The result:

R1#sh ip bgp
BGP table version is 83, local router ID is 200.5.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*  14.0.1.0/24      10.1.13.3                              0 3113 4413 i
*>                  10.1.12.2                              0 2503 4413 i

R1 now holds only the prefix originated by AS4413 (14.0.1.0/24, reachable through both neighbors) and nothing else.

More examples:

".*" is the regular expression for match-all.

"^$" matches an empty AS path, i.e. routes originated inside the local AS. With R1 in AS 100 this matches only prefixes originated in AS 100 (locally or by an iBGP peer), since no external AS number has been prepended to them.

"^2503_" matches paths that begin with AS 2503, i.e. everything learned from the directly connected neighbor in AS 2503, whatever the origin.

"_5523$" matches everything originated by AS 5523, whichever neighbor it arrived from.
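To make the matching rules concrete, here is an added Python example (written for this page, not part of the original post or of IOS) that evaluates an as-path access-list the way IOS does: the underscore is expanded to its IOS meaning, entries are tried top to bottom, the first match decides and no match is an implicit deny. The table it filters is the R1 BGP table from above, copied into a list; the two access-lists are lists 1 and 3 from the post.

```python
import re

# In an IOS as-path regular expression "_" stands for the start or end of the
# AS_PATH, a space, a comma, or a brace/parenthesis (AS_SET and confederation
# delimiters). Python's re has no such token, so it is expanded here.
IOS_UNDERSCORE = r"(?:^|$|[ ,{}()])"


def ios_to_python_regex(pattern: str) -> str:
    """Translate an IOS as-path regex into an equivalent Python regex."""
    return pattern.replace("_", IOS_UNDERSCORE)


def as_path_acl_permits(acl, as_path: str) -> bool:
    """Evaluate an 'ip as-path access-list' against one AS_PATH string.

    acl is a list of (action, ios_regex) entries in configuration order.
    The first matching entry decides; no match is an implicit deny, which is
    why a list holding only a deny line drops everything.
    """
    for action, pattern in acl:
        if re.search(ios_to_python_regex(pattern), as_path):
            return action == "permit"
    return False


def filter_list_in(bgp_table, acl):
    """Apply an inbound filter-list to (prefix, next_hop, as_path) rows and
    return the rows that survive."""
    return [row for row in bgp_table if as_path_acl_permits(acl, row[2])]


# The R1 BGP table from the post, as (prefix, next hop, AS_PATH) rows.
R1_TABLE = [
    ("0.0.0.0", "10.1.13.3", "3113 5523"),
    ("0.0.0.0", "10.1.12.2", "2503 4413 5523"),
    ("2.2.2.0/24", "10.1.13.3", "3113 4413 2503"),
    ("2.2.2.0/24", "10.1.12.2", "2503"),
    ("10.1.12.0/24", "10.1.13.3", "3113 4413 2503"),
    ("10.1.12.0/24", "10.1.12.2", "2503"),
    ("10.1.24.0/24", "10.1.13.3", "3113 4413 2503"),
    ("10.1.24.0/24", "10.1.12.2", "2503"),
    ("12.0.1.0/24", "10.1.13.3", "3113 4413 2503"),
    ("12.0.1.0/24", "10.1.12.2", "2503"),
    ("13.0.1.0/24", "10.1.12.2", "2503 4413 3113"),
    ("13.0.1.0/24", "10.1.13.3", "3113"),
    ("14.0.1.0/24", "10.1.13.3", "3113 4413"),
    ("14.0.1.0/24", "10.1.12.2", "2503 4413"),
    ("55.1.0.0/24", "10.1.13.3", "3113 5523"),
    ("55.1.0.0/24", "10.1.12.2", "2503 4413 5523"),
    ("55.2.0.0/24", "10.1.13.3", "3113 5523"),
    ("55.2.0.0/24", "10.1.12.2", "2503 4413 5523"),
    ("55.3.0.0/24", "10.1.13.3", "3113 5523"),
    ("55.3.0.0/24", "10.1.12.2", "2503 4413 5523"),
]

# ip as-path access-list 1 deny _4413_ / permit .*
ACL_1 = [("deny", "_4413_"), ("permit", ".*")]
# ip as-path access-list 3 permit _4413$
ACL_3 = [("permit", "_4413$")]

if __name__ == "__main__":
    for name, acl in (("filter-list 1", ACL_1), ("filter-list 3", ACL_3)):
        print(name)
        for prefix, next_hop, as_path in filter_list_in(R1_TABLE, acl):
            print(f"  {prefix:14} via {next_hop:10} path {as_path}")
```

Running it prints the nine rows of the second table for list 1 and only the two 14.0.1.0/24 rows for list 3. Because of the underscore expansion, _4413_ does not match a path such as "3113 44130", which a bare 4413 in an ordinary regular expression would.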

Monday, November 22, 2010

RIP – Using Offset List

Taking the following LAB:



All 4 routers run RIPv2; R3 and R4 each advertise Loopback interfaces 1-3 with their corresponding networks.

In the normal state R3 has two equal-cost paths to networks 192.168.4.0/24, 192.168.40.0/24 and 192.168.44.0/24, one via R1 and one via R2.

If we want R3 to prefer 192.168.4.0/24 through R1 only, we can use an offset-list on R4 to advertise 192.168.4.0/24 with a higher hop count towards R2. An offset-list is applied per interface, though, and R4 reaches both R1 and R2 over the same multi-access segment (10.1.124.0/24), so an outbound offset-list on that interface would change the update both routers receive. To give each neighbor its own interface I build a GRE tunnel to each of them and run RIP over the tunnels.

I have configured 2 tunnel interfaces on R4, one for each router (R1, R2):

interface Tunnel1

ip address 201.0.0.4 255.255.255.0

tunnel source 10.1.124.4

tunnel destination 10.1.124.1

!

interface Tunnel2

ip address 202.0.0.4 255.255.255.0

tunnel source 10.1.124.4

tunnel destination 10.1.124.2

and the same on R1:

interface Tunnel1

ip address 201.0.0.1 255.255.255.0

tunnel source 10.1.124.1

tunnel destination 10.1.124.4

And R2:

interface Tunnel2

ip address 202.0.0.2 255.255.255.0

tunnel source 10.1.124.2

tunnel destination 10.1.124.4

Next configure passive-interface for FastEthernet0/0 on all 3 routers (R4, R1, R2) to stop RIP updates on the main (multi-access) interface, and add the tunnel networks to the RIP process so that routes are exchanged through the tunnels only:

[R4]

router rip

version 2

passive-interface FastEthernet0/0

network 10.0.0.0

network 192.168.4.0

network 192.168.40.0

network 192.168.44.0

network 201.0.0.0

network 202.0.0.0

no auto-summary

[R1]

router rip

version 2

passive-interface FastEthernet0/0

network 10.0.0.0

network 201.0.0.0

no auto-summary

[R2]

router rip

version 2

passive-interface FastEthernet0/0

network 10.0.0.0

network 202.0.0.0

no auto-summary

Now the R3 routing table shows that 192.168.4.0/24 is learned from both R1 and R2:

R3#sh ip route rip
R    192.168.44.0/24 [120/2] via 10.1.123.2, 00:00:00, Serial0/0
                     [120/2] via 10.1.123.1, 00:00:01, Serial0/0
R    201.0.0.0/24 [120/1] via 10.1.123.1, 00:00:01, Serial0/0
R    192.168.40.0/24 [120/2] via 10.1.123.2, 00:00:00, Serial0/0
                     [120/2] via 10.1.123.1, 00:00:01, Serial0/0
R    202.0.0.0/24 [120/1] via 10.1.123.2, 00:00:00, Serial0/0
R    192.168.4.0/24 [120/2] via 10.1.123.2, 00:00:00, Serial0/0
                    [120/2] via 10.1.123.1, 00:00:01, Serial0/0
     10.0.0.0/24 is subnetted, 2 subnets
R       10.1.124.0 [120/1] via 10.1.123.2, 00:00:00, Serial0/0
                   [120/1] via 10.1.123.1, 00:00:01, Serial0/0

Configuring standard access-list on R4 to identify network 192.168.4.0/24:

R4(config)#access-list 1 permit 192.168.4.0

Then configure the offset-list under the RIP process for Tunnel2, which leads to R2. It adds 10 to the hop count of matching routes advertised out of that interface; the resulting hop count must stay below 16, otherwise the route is advertised as unreachable:

R4(config-router)#offset-list 1 out 10 tunnel 2

Now the R3 routing table shows:

R3#sh ip route rip
R    192.168.44.0/24 [120/2] via 10.1.123.2, 00:00:10, Serial0/0
                     [120/2] via 10.1.123.1, 00:00:03, Serial0/0
R    201.0.0.0/24 [120/1] via 10.1.123.1, 00:00:03, Serial0/0
R    192.168.40.0/24 [120/2] via 10.1.123.2, 00:00:10, Serial0/0
                     [120/2] via 10.1.123.1, 00:00:03, Serial0/0
R    202.0.0.0/24 [120/1] via 10.1.123.2, 00:00:10, Serial0/0
R    192.168.4.0/24 [120/2] via 10.1.123.1, 00:00:03, Serial0/0
     10.0.0.0/24 is subnetted, 2 subnets
R       10.1.124.0 [120/1] via 10.1.123.2, 00:00:10, Serial0/0
                   [120/1] via 10.1.123.1, 00:00:03, Serial0/0

192.168.4.0/24 is now installed only via R1. R2 still learns and advertises 192.168.4.0/24, but with the higher hop count, so it serves as a backup path if R1 fails.

RIP Route Manipulation – Inbound Filtering

Inbound filtering controls which received routes a router accepts. Here I describe two methods for RIP inbound filtering: a prefix-list and an extended ACL.

A prefix-list lets us accept specific prefixes only from a specific neighbor (gateway), using the following syntax:

router(config)#ip prefix-list NET seq 10 permit 192.168.3.0/24

router(config)#ip prefix-list NET seq 20 permit 192.168.30.0/24

router(config)#ip prefix-list SRC seq 10 permit 10.1.124.2/32

router(config-router)#distribute-list prefix NET gateway SRC in

The first two lines define the networks we allow into the routing table, the third line identifies the neighbor we want to accept them from, and the distribute-list command applies both prefix-lists to RIP: a route is accepted only when both the prefix and the source of the update match.

A distribute-list is locally significant: it does not change what the neighbor sends, and it does not alter RIP request or response messages on the wire; it only decides which received prefixes are accepted from the RIP database into the routing table.

An extended access-list gives much more flexibility when filtering RIP. For example:

router(config)#ip access-list extended 100

router(config-ext-nacl)#permit ip host 10.1.124.2 host 192.168.3.0

router(config-ext-nacl)#permit ip host 10.1.124.2 host 192.168.30.0

router(config-ext-nacl)#deny ip host 10.1.124.2 host 192.168.33.0

router(config-ext-nacl)#permit ip any any

router(config-router)#distribute-list 100 in

With this configuration the router accepts 192.168.3.0/24 and 192.168.30.0/24 from router 10.1.124.2, refuses 192.168.33.0/24 from that router, and accepts everything else from any RIP neighbor. (Because of the final permit ip any any, the two explicit permit lines are redundant; only the deny line actually changes what is accepted.)

Note that the ACL is read differently from a normal packet-filtering ACL: the "source" host is the neighbor that sent the update and the "destination" host is the route prefix being advertised.
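The two inbound filters above (the prefix-list with a gateway list, and the extended ACL in which the first address is the update source and the second is the advertised network) are modelled in this added Python example, written for this page rather than taken from the post or from IOS. It evaluates the page's own lists against a few constructed RIP updates; the helper names and the sample updates are assumptions made here.

```python
from ipaddress import IPv4Address, IPv4Network


def wildcard_match(address: str, base: str, wildcard: str) -> bool:
    """IOS wildcard-mask comparison: a 1 bit in the wildcard means 'ignore'.
    'host X' is X with wildcard 0.0.0.0; 'any' is 0.0.0.0 255.255.255.255."""
    a, b, w = (int(IPv4Address(x)) for x in (address, base, wildcard))
    return (a & ~w) == (b & ~w)


def extended_acl_permits(acl, update_source: str, network: str) -> bool:
    """Evaluate an extended ACL the way 'distribute-list <acl> in' reads it
    for RIP: the ACL source is the address the update came from, the ACL
    destination is the network being advertised. Entries are
    (action, src, src_wildcard, dst, dst_wildcard); first match wins,
    no match is an implicit deny."""
    for action, src, src_wc, dst, dst_wc in acl:
        if wildcard_match(update_source, src, src_wc) and wildcard_match(network, dst, dst_wc):
            return action == "permit"
    return False


def prefix_list_permits(prefix_list, cidr: str) -> bool:
    """Exact-match evaluation of an 'ip prefix-list' without ge/le. Entries
    are (action, cidr) in sequence order; first match wins, implicit deny."""
    target = IPv4Network(cidr)
    for action, entry in prefix_list:
        if IPv4Network(entry) == target:
            return action == "permit"
    return False


def prefix_gateway_permits(net_list, gateway_list, update_source: str, cidr: str) -> bool:
    """'distribute-list prefix NET gateway SRC in': accept the route only when
    the advertised network matches NET and the sender (tested as a /32)
    matches SRC."""
    return prefix_list_permits(net_list, cidr) and prefix_list_permits(gateway_list, update_source + "/32")


# The lists from the post.
NET = [("permit", "192.168.3.0/24"), ("permit", "192.168.30.0/24")]
SRC = [("permit", "10.1.124.2/32")]
ACL_100 = [
    ("permit", "10.1.124.2", "0.0.0.0", "192.168.3.0", "0.0.0.0"),
    ("permit", "10.1.124.2", "0.0.0.0", "192.168.30.0", "0.0.0.0"),
    ("deny", "10.1.124.2", "0.0.0.0", "192.168.33.0", "0.0.0.0"),
    ("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]

# Constructed RIP updates for the demonstration: (update source, network).
UPDATES = [
    ("10.1.124.2", "192.168.3.0/24"),
    ("10.1.124.2", "192.168.33.0/24"),
    ("10.1.124.2", "192.168.99.0/24"),
    ("10.1.124.1", "192.168.33.0/24"),
    ("10.1.124.1", "192.168.3.0/24"),
]


def accepted_by_acl(updates=UPDATES, acl=ACL_100):
    """Updates accepted under the extended-ACL distribute-list."""
    return [(src, net) for src, net in updates
            if extended_acl_permits(acl, src, net.split("/")[0])]


def accepted_by_prefix_lists(updates=UPDATES, net_list=NET, gateway_list=SRC):
    """Updates accepted under the prefix-list/gateway distribute-list."""
    return [(src, net) for src, net in updates
            if prefix_gateway_permits(net_list, gateway_list, src, net)]


if __name__ == "__main__":
    print("extended ACL 100 accepts:", accepted_by_acl())
    print("prefix-list NET/SRC accepts:", accepted_by_prefix_lists())
```

The output makes the difference visible: the extended ACL, with its final permit ip any any, refuses only 192.168.33.0/24 from 10.1.124.2 and lets 10.1.124.2 advertise anything else, whereas the prefix-list pair accepts exactly the two listed networks from the one listed gateway and rejects everything else. Either way these lists only filter; they do not authenticate the sender, which is what RIP MD5 authentication is for.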


Friday, November 19, 2010

OSPF LSA Reduction

In OSPF every LSA is refreshed every 30 minutes by default (LSRefreshTime), even when nothing has changed, which is unnecessary traffic in a stable topology. The ip ospf flood-reduction interface command (RFC 4136) sets the DoNotAge bit on LSAs flooded out of that interface, so they neither age out nor need the periodic 30-minute refresh; they are re-flooded only when their content actually changes, which removes the refresh flooding from stable links.

Config example (note that ip ospf authentication-key configures simple-password authentication, which travels in clear text on the link; MD5 keys via ip ospf message-digest-key are the stronger choice):

interface serial 0

ip address 192.42.110.201 255.255.255.0

ip ospf flood-reduction

ip ospf authentication-key abcdefgh

ip ospf cost 10

!

interface serial 1

ip address 131.119.251.201 255.255.255.0

ip ospf flood-reduction

ip ospf authentication-key ijklmnop

ip ospf cost 20

ip ospf retransmit-interval 10

ip ospf transmit-delay 2

ip ospf priority 4


Wednesday, November 17, 2010

Breakout Recommendation – Have a good Cigar!

From time to time, between work and the burdens of life, you need to enjoy the good taste of life.

My last breakout was in a chill evening tasting a new cigar – Hoyo de Monterrey Epicure No.2

Good Cuban cigar, completely hand-made with tobacco leaves coming from Vuelta Abajo, this Robusto cigar, with excellent burn, is the last product from Hoyo de Monterrey. With a smooth strength, it has an intense tobacco taste, blended with cocoa, cinnamon and dried fruits.

Ring size: 50 (Almost 1 inch width)

Length: 124 mm

Cost: ~80 NIS

In my opinion one of the best cigars I have had, and probably the best in terms of cost versus quality and enjoyment.

Salute!

Using 3rd Party vendor SFP for Cisco Switch

Cisco switches accept only genuine Cisco SFPs (Small Form-factor Pluggable), whereas with GBICs you can use almost any 3rd-party vendor GBIC (Nortel, Juniper etc.). To overcome this limitation use the following command:

Switch(config)#service unsupported-transceiver

The following message will appear:

Warning: When Cisco determines that a fault or defect can be traced to
the use of third-party transceivers installed by a customer or reseller,
then, at Cisco's discretion, Cisco may withhold support under warranty or
a Cisco support program. In the course of providing support for a Cisco
networking product Cisco may require that the end user install Cisco
transceivers if Cisco determines that removing third-party parts will
assist Cisco in diagnosing the cause of a support issue.

Then type the following command:

no errdisable detect cause gbic-invalid

After that you will be able to use almost any SFP from any vendor.

Note:

There might be some compatibility issues with one vendor or another but usually the main brands in the market will fit fine for both GBIC's and SFP's.

Firesheep - Sidejack cookies

A Firefox plugin called Firesheep was released this week that makes it easy to capture and replay other users' HTTP session cookies sent over insecure connections on untrusted networks. This makes it possible to log in to other people's accounts on a variety of services by sniffing network traffic and extracting those cookies. Wikipedia has a decent article on this technique: Session Hijacking.

Basically anyone with a laptop, Firefox and the Firesheep plug-in can sit in any cafe, restaurant or even gas station, connect to the nearest hotspot and grab the session cookies of users of sites that handle the logged-in session over plain HTTP instead of HTTPS. Unlike earlier sidejacking tools, this plug-in makes it trivial to retrieve this information and even to take over chats and IM sessions, with point-and-click ease.

Serving the whole logged-in session over HTTPS, and marking the session cookie Secure so the browser never sends it over plain HTTP, prevents malicious users from capturing and replaying it. Unfortunately, implementing SSL/TLS on a web site requires more CPU and resources on the servers, not to mention the need for signed digital certificates.

Another partial mitigation depends on the WiFi/hotspot provider. A lot of places (hotels, gas stations, cafes, lounges etc.) that provide WiFi or hotspot access rely on a simple WiFi router bought or supplied by their ISP, and thereby run insecure and unmanaged wireless access, not to mention the legal problems of providing free, unaccountable internet access.

Companies whose main business is providing hotspot or WiFi service professionally will usually do it more responsibly and implement, on their equipment, a feature called PSPF (Public Secure Packet Forwarding), which isolates wireless clients from each other at Layer 2 so that users on the same hotspot cannot reach each other. Note, though, that client isolation only stops the access point from forwarding traffic between clients; on an open (unencrypted) network a passive sniffer can still capture every frame over the air, so PSPF alone does not defeat Firesheep. End-to-end encryption of the session (HTTPS) is the reliable fix.

So even providing a simple service like wireless internet access should be taken more seriously and handled more responsibly than a lot of places do today.
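As an added example for this page (not code from the Firesheep project or from the original post), the following Python snippet shows the property that sidejacking relies on: a cookie without the Secure attribute is sent by the browser over plain HTTP, where anyone on the path or on the same open WLAN can read it. It parses the Set-Cookie headers of a constructed sample response and reports session-looking cookies that a browser would transmit in the clear; the name heuristic and the sample headers are assumptions made here.

```python
# Which cookie names look like they carry an authenticated session. This is a
# heuristic assumed for the example; a real audit should use the site's
# documented session cookie name.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header_value: str) -> dict:
    """Split one Set-Cookie header into name, value and attributes.
    Attribute names are case-insensitive; flags (Secure, HttpOnly) map to True."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def sent_over_plain_http(cookie: dict) -> bool:
    """A browser sends a cookie on http:// requests unless it carries Secure.
    HttpOnly does not help here: it only hides the cookie from scripts, not
    from the network."""
    return not cookie["attrs"].get("secure", False)


def sidejackable_cookies(response_headers) -> list:
    """Return the names of session-looking cookies in a list of
    (header_name, header_value) pairs that would travel in clear text."""
    findings = []
    for header, value in response_headers:
        if header.lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(value)
        looks_like_session = any(h in cookie["name"].lower() for h in SESSION_NAME_HINTS)
        if looks_like_session and sent_over_plain_http(cookie):
            findings.append(cookie["name"])
    return findings


# Constructed sample response headers (not captured from any real site).
SAMPLE_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=3f9a1c7e; Path=/; HttpOnly"),         # exposed over HTTP
    ("Set-Cookie", "lang=en; Path=/"),                                # not a session
    ("Set-Cookie", "auth_token=0badc0de; Path=/; Secure; HttpOnly"),  # protected
]

if __name__ == "__main__":
    print("cookies a sniffer on open WiFi could replay:", sidejackable_cookies(SAMPLE_RESPONSE))
```

The server-side fix is the one the post names: serve the logged-in part of the site over HTTPS and set the session cookie with the Secure attribute, so that sessionid above would no longer be sent on an http:// request at all.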

RIP

Good old RIP! The oldest distance-vector routing protocol still in use; its distance-vector ancestry goes back to the original ARPANET routing of 1969, and RIP itself was standardized in RFC 1058 (1988).

So what is the magic? Why do we keep using this old routing protocol?

The answer is very simple: simplicity and widespread support.

RIP is a very simple routing protocol which doesn't require complex route calculations, a large database or much memory, unlike its more sophisticated siblings (EIGRP, OSPF, IS-IS).

Due to its nature it is suitable for small LANs and can be integrated into large networks where the end points are low-end consumer routers (D-Link, Linksys, Edimax etc.). Furthermore RIP is available in Microsoft Windows Server and UNIX/Linux systems, which allows those machines to participate in, and be aware of, routing decisions.

RIP (routing Information Protocol) Summary

The RIP metric is hop count, where 1 means a directly connected network and 16 means unreachable (infinity).

RIP uses UDP port 520.

There are two versions of RIP, v1 and v2; the main differences are classful (v1) versus classless (v2) routing and the way updates are sent (broadcast in v1, multicast to 224.0.0.9 in v2). RIPv2 also adds authentication.

Each RIP packet consists of a 4-byte header followed by 20 bytes for each route advertised, up to 25 routes per packet: 4 + 25 x 20 = 504 bytes, which with the 8-byte UDP header sets the maximum packet size at 512 bytes.

RIP has 2 message types, Request and Response, identified by the command field of the packet header with the value 1 or 2 respectively.

Timers

Update timer: every 30 seconds the RIP router sends an update message with the full routing table out of each RIP-enabled interface.

Invalid timer: the time that passes without an update before a route becomes invalid. The Cisco IOS default is 180 seconds (six update periods).

Flush timer: 240 seconds (from the last update) before the router removes the route from the routing table. Until then it remains in the table, marked as unreachable (possibly down).

Holddown timer: an update with a hop count higher than the metric recorded in the routing table puts the route into holddown for 180 seconds, during which worse updates for it are ignored.

Sleep timer: set in milliseconds, this timer postpones regular updates in the event of a flash (triggered) update. The value should be less than the update timer, otherwise routing tables will get out of sync.

These timers can be manipulated by the command:

timers basic update invalid holddown flush sleep

Flash-update Threshold

Suppresses a flash (triggered) update when a regular update is due within the specified number of seconds:

router(config-router)#flash-update-threshold 10

Source IP Validates

RIP and IGRP are the only routing protocols on IOS that validate the source IP address of incoming updates: an update is accepted only if its source address belongs to the subnet of the interface it arrived on. This is a sanity check against misconfigured or off-subnet senders, not authentication; for that use the MD5 authentication described below.

To disable this behavior use the command:

router(config-router)#no validate-update-source
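The packet layout given in the summary above (4-byte header, 20-byte route entries, at most 25 per packet, command 1 for Request and 2 for Response, metric 16 for unreachable) and the source-address validation described here are exercised by the following added Python example, written for this page and not taken from the post or from any RIP implementation. The route list and interface addresses it uses are constructed for the demonstration.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

RIP_UDP_PORT = 520
RIP_REQUEST, RIP_RESPONSE = 1, 2
RIP_INFINITY = 16          # hop count meaning "unreachable"
MAX_ENTRIES = 25           # 4 + 25 * 20 = 504 bytes of RIP, 512 with the UDP header
RIPV2_MULTICAST = "224.0.0.9"

HEADER = struct.Struct("!BBxx")       # command, version, 2 bytes must be zero
ENTRY = struct.Struct("!HH4s4s4sI")   # AFI, route tag, address, mask, next hop, metric


def build_response(routes, version=2) -> bytes:
    """Build one RIP Response from (cidr, metric) pairs.
    Raises ValueError for more than 25 routes or an out-of-range metric."""
    routes = list(routes)
    if len(routes) > MAX_ENTRIES:
        raise ValueError("RIP carries at most 25 routes per packet")
    packet = bytearray(HEADER.pack(RIP_RESPONSE, version))
    for cidr, metric in routes:
        if not 1 <= metric <= RIP_INFINITY:
            raise ValueError("metric must be between 1 and 16")
        net = IPv4Network(cidr)
        mask = net.netmask.packed if version == 2 else bytes(4)   # RIPv1 carries no mask
        packet += ENTRY.pack(2, 0, net.network_address.packed, mask, bytes(4), metric)
    return bytes(packet)


def build_full_table_request() -> bytes:
    """RFC 2453 'send me your whole table': a Request with a single entry of
    address family 0 and metric 16."""
    return HEADER.pack(RIP_REQUEST, 2) + ENTRY.pack(0, 0, bytes(4), bytes(4), bytes(4), RIP_INFINITY)


def parse(packet: bytes):
    """Parse a RIP packet into (command, version, entries). Entries with a
    metric of 16 are flagged unreachable, as a receiver must treat them."""
    if len(packet) < HEADER.size or (len(packet) - HEADER.size) % ENTRY.size:
        raise ValueError("malformed RIP packet")
    command, version = HEADER.unpack_from(packet, 0)
    entries = []
    for offset in range(HEADER.size, len(packet), ENTRY.size):
        afi, tag, addr, mask, next_hop, metric = ENTRY.unpack_from(packet, offset)
        entries.append({
            "afi": afi, "tag": tag,
            "address": str(IPv4Address(addr)), "mask": str(IPv4Address(mask)),
            "next_hop": str(IPv4Address(next_hop)), "metric": metric,
            "unreachable": metric >= RIP_INFINITY,
        })
    if len(entries) > MAX_ENTRIES:
        raise ValueError("more than 25 entries")
    return command, version, entries


def source_is_valid(update_source: str, receiving_interface: str) -> bool:
    """IOS validate-update-source behaviour: accept an update only if its
    source address lies in the subnet of the interface it arrived on
    (receiving_interface is that interface's address in CIDR form)."""
    return IPv4Address(update_source) in IPv4Network(receiving_interface, strict=False)


if __name__ == "__main__":
    # Constructed: the routes R4 in the offset-list lab would send towards R2.
    pkt = build_response([("192.168.4.0/24", 11), ("192.168.40.0/24", 1), ("192.168.44.0/24", 1)])
    print(len(pkt), "bytes ->", parse(pkt))
    print("off-subnet sender accepted?", source_is_valid("192.0.2.9", "10.1.124.4/24"))
```

Run stand-alone it prints a 64-byte Response (4 + 3 x 20) with the offset hop count of 11 on 192.168.4.0/24, and shows that an update from 192.0.2.9 arriving on a 10.1.124.0/24 interface would be rejected by source validation.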

Split –horizon

A basic routing-loop prevention mechanism: a router does not advertise a route prefix back out of the interface on which it learned that route.

On a Frame-Relay topology where multipoint is used on a physical interface, split horizon is disabled by default; on a multipoint sub-interface it is enabled.

To disable split horizon, use the interface configuration command:

router(config-if)#no ip split-horizon

Triggered Updates

Suppresses periodic updates and sends only triggered updates (RFC 2091):

router(config-if)#ip rip triggered

This works on point-to-point serial links and must be configured on both sides of the link.

Passive-interface

When passive-interface is configured on a RIP router it prevents from the router to send updates on the configured interface, but the router will continue to listen and receive RIP updates.

router(config-router)#passive-interface fastEthernet 0/0

Unicast updates

By default RIP sends and receive updates through broadcast (RIPv1) or Multicast (RIPv2 224.0.0.9).

In order to send and receive updates using unicast, first configure passive-interface to prevent multicast and then configure the neighbor command:

router(config-router)#neighbor 10.1.24.2

RIPv2 Broadcast

In order to configure RIPv2 routers to exchange updates using broadcast configure:

router(config-if)#ip rip v2-broadcast

Summary Address

To summarize an address:

router(config-if)#ip summary-address rip 150.1.0.0 255.255.255.0

Output Delay

To prevent routing information being lost when a multi-packet update is sent to a slower receiver, we can configure an inter-packet delay (in milliseconds) with the following command:

router(config-router)#output-delay 10

Input Queue

Changing the receiving router's queue for getting updates:

router(config-router)#input-queue 75

The default is 50

Authentication

RIP authentication is configured at the interface level and has two modes: clear text and MD5. Clear text sends the key on the wire, so use MD5.

With MD5 the key ID (key number) must match on both sides, as well as the key string.

MD5 Authentication example:

First create a key chain:

Router(Config)#key chain TST

Router(Config-keychain)#key 1

Router(Config-keychain-key)#key-string cisco

Configure authentication type (Clear-text or MD5 and key-chain on interface level)

Router(Config-if)#ip rip authentication mode md5

Router(Config-if)#ip rip authentication key-chain TST

Basic RIP Route Influence

Access-list with route-maps while injecting conditional default-route example:

router rip

version 2

default-information originate route-map TST

no auto-summary

access-list 1 permit 112.1.1.0 0.0.0.255

access-list 1 permit 112.2.2.0 0.0.0.255

route-map TST permit 10

match ip address 1

As long as a route matching access-list 1 (112.1.1.0/24 or 112.2.2.0/24) is present in the routing table, this router injects a default route into the RIP domain.

Offset-list example:

router rip

version 2

offset-list 1 out 12 Serial0/0.12

offset-list 1 out 13 Serial0/0.14

no auto-summary

access-list 1 permit 103.0.0.0 0.63.255.255

access-list 1 permit 104.0.0.0 0.31.255.255

In this example the router adds 12 to the hop count of routes matching access-list 1 when advertising them out of Serial0/0.12, and adds 13 when advertising them out of Serial0/0.14. A standard ACL used this way matches on the network address only, and those wildcard masks cover 103.0.0.0-103.63.255.255 (a /10 range) and 104.0.0.0-104.31.255.255 (a /11 range), so any route whose network address falls inside them is offset. The resulting hop count must stay below 16, otherwise the route is advertised as unreachable.

Thursday, November 11, 2010

Frame-Relay Switching Configuration

In the following example I will show how to create a basic Frame-Relay (FR from now on...) topology.

I will use the following lab, which simulates a hub-and-spoke topology where R1 is the hub and R2, R3 and R4 are spokes:

The FR object is a Cisco 3745 router which I configured as follows to turn it into a FR switch:

FR(Config)# frame-relay switching

This command enables FR switching on the router

interface Serial0/0

no ip address

encapsulation frame-relay

clock rate 2000000

frame-relay intf-type dce

frame-relay route 102 interface Serial0/1 201

frame-relay route 103 interface Serial0/2 301

frame-relay route 104 interface Serial0/3 401

For the hub interface (s0/0) I configured the encapsulation (frame-relay), the Frame-Relay interface type (DCE, since the router acts as the switch and provides clocking and answers LMI) and frame-relay route commands that define where traffic arriving on a DLCI is switched. For example, the first route line says that traffic arriving on DLCI 102 is switched to interface Serial0/1 on DLCI 201.

Next the spoke interface for R2:

interface Serial0/1

no ip address

encapsulation frame-relay

clock rate 2000000

frame-relay intf-type dce

frame-relay route 201 interface Serial0/0 102

Again: encapsulation type (FR), interface type (DCE) and a route statement, which switches traffic arriving on this interface on DLCI 201 to interface Serial0/0 on DLCI 102.

The same goes for the 2 more interfaces:

interface Serial0/2

no ip address

encapsulation frame-relay

clock rate 2000000

frame-relay intf-type dce

frame-relay route 301 interface Serial0/0 103

!

interface Serial0/3

no ip address

encapsulation frame-relay

clock rate 2000000

frame-relay intf-type dce

frame-relay route 401 interface Serial0/0 104


The show frame-relay route command on the FR router shows every PVC segment in both directions:

FR#show frame-relay route
Input Intf      Input Dlci      Output Intf     Output Dlci     Status
Serial0/0       102             Serial0/1       201             active
Serial0/0       103             Serial0/2       301             active
Serial0/0       104             Serial0/3       401             active
Serial0/1       201             Serial0/0       102             active
Serial0/2       301             Serial0/0       103             active
Serial0/3       401             Serial0/0       104             active


Friday, November 5, 2010

OSPF Network Types

Here is a quick summary of OSPF Network types:

Network Type                       LSA Flooding   DR/BDR Election   Timers (Hello/Dead)   Neighbor Statement   Modify Next-hop   Default / Note
Broadcast                          Multicast      Yes               10/40                 No                   No                Default on Ethernet
NBMA                               Unicast        Yes               30/120                Yes                  No                Default on Frame-Relay physical and point-to-multipoint interfaces
Point-to-Point                     Multicast      No                10/40                 No                   No                Default on Frame-Relay point-to-point sub-interfaces
Point-to-Multipoint                Multicast      No                30/120                No                   Yes               Ideal for NBMA
Point-to-Multipoint Non-broadcast  Unicast        No                30/120                Yes                  Yes               -
Loopback                           -              No                30/120                No                   No                -

OSPF NSSA and STUB

Playing a little with OSPF areas - NSSA and Stub, see the following network diagram:


Loopback 1 and 2 interfaces on R6 and R7 are redistributed into OSPF using a route-map, so both prefixes on each router are advertised as external routes into the OSPF AS.

Examining R7 OSPF database:

R7#sh ip ospf database

OSPF Router with ID (192.168.77.1) (Process ID 1)


Router Link States (Area 1)


Link ID ADV Router Age Seq# Checksum Link count

5.5.5.5 5.5.5.5 47 0x80000008 0x009088 3

192.168.77.1 192.168.77.1 47 0x80000007 0x008EE2 3


Summary Net Link States (Area 1)


Link ID ADV Router Age Seq# Checksum

1.0.0.0 5.5.5.5 52 0x80000003 0x006E76

2.0.0.0 5.5.5.5 52 0x80000003 0x00C514

3.0.0.0 5.5.5.5 52 0x80000004 0x00528F

4.0.0.0 5.5.5.5 52 0x80000003 0x00C9D7

6.0.0.0 5.5.5.5 33 0x80000001 0x00362B

10.1.14.0 5.5.5.5 52 0x80000003 0x00CAC2

10.1.15.0 5.5.5.5 52 0x80000003 0x003D8F

10.1.24.0 5.5.5.5 52 0x80000003 0x00C0B8

10.1.35.0 5.5.5.5 52 0x80000004 0x005E59

10.1.46.0 5.5.5.5 52 0x80000003 0x00EB41

10.1.123.0 5.5.5.5 52 0x80000003 0x00F85D


Summary ASB Link States (Area 1)


Link ID ADV Router Age Seq# Checksum

192.168.66.1 5.5.5.5 33 0x80000001 0x00D7E2


Type-5 AS External Link States


Link ID ADV Router Age Seq# Checksum Tag

192.168.6.0 192.168.66.1 44 0x80000001 0x001272 0

192.168.7.0 192.168.77.1 62 0x80000001 0x00B9BE 0

192.168.66.0 192.168.66.1 44 0x80000001 0x007BCC 0

192.168.77.0 192.168.77.1 62 0x80000001 0x00B47D 0


We can see an LSA Type 4 (Summary ASB Link States) pointing at R6 as an ASBR, and 4 prefixes flooded as LSA Type 5 (external routes) by R7 and R6.

Now I configure area 1 as NSSA to keep LSA Type 5 out of this area; to do that I configure area 1 nssa on R5 and R7 (the area type must match on every router in the area, otherwise the adjacency does not form).

Looking again on R7 OSPF database revels:

R7#sh ip ospf database


OSPF Router with ID (192.168.77.1) (Process ID 1)


Router Link States (Area 1)


Link ID ADV Router Age Seq# Checksum Link count

5.5.5.5 5.5.5.5 55 0x8000000A 0x0038D6 3

192.168.77.1 192.168.77.1 56 0x80000009 0x003039 3


Summary Net Link States (Area 1)


Link ID ADV Router Age Seq# Checksum

1.0.0.0 5.5.5.5 60 0x80000004 0x0012CB

2.0.0.0 5.5.5.5 60 0x80000004 0x006969

3.0.0.0 5.5.5.5 60 0x80000005 0x00F5E4

4.0.0.0 5.5.5.5 60 0x80000004 0x006D2D

6.0.0.0 5.5.5.5 60 0x80000002 0x00D980

10.1.14.0 5.5.5.5 60 0x80000004 0x006E18

10.1.15.0 5.5.5.5 60 0x80000004 0x00E0E4

10.1.24.0 5.5.5.5 60 0x80000004 0x00640E

10.1.35.0 5.5.5.5 60 0x80000005 0x0002AE

10.1.46.0 5.5.5.5 60 0x80000004 0x008F96

10.1.123.0 5.5.5.5 60 0x80000004 0x009CB2


Type-7 AS External Link States (Area 1)


Link ID ADV Router Age Seq# Checksum Tag

192.168.7.0 192.168.77.1 63 0x80000001 0x0084CD 0

192.168.77.0 192.168.77.1 63 0x80000001 0x007F8C 0

As we can see there are no LSA Type 4 or 5 any more and no routes to 192.168.6x.0/24; R7's own external prefixes are now Type 7 LSAs. We have minimized the R7 LSDB and routing table, which is generally desirable in OSPF. Note, however, that a plain NSSA does not inject a default route automatically (a stub area does), so R7 has lost reachability to 192.168.6x.0/24 entirely; to restore it the ABR would need area 1 nssa default-information-originate.

Looking on R6 OSPF database shows:

R6# sh ip ospf database


OSPF Router with ID (192.168.66.1) (Process ID 1)


Router Link States (Area 2)


Link ID ADV Router Age Seq# Checksum Link count

4.4.4.4 4.4.4.4 572 0x80000008 0x00D46F 3

192.168.66.1 192.168.66.1 569 0x80000007 0x008E15 3


Summary Net Link States (Area 2)


Link ID ADV Router Age Seq# Checksum

1.0.0.0 4.4.4.4 589 0x80000003 0x008C5C

2.0.0.0 4.4.4.4 589 0x80000004 0x007D69

3.0.0.0 4.4.4.4 589 0x80000003 0x00D606

5.0.0.0 4.4.4.4 589 0x80000003 0x00DAC9

7.0.0.0 4.4.4.4 306 0x80000001 0x00471D

10.1.14.0 4.4.4.4 589 0x80000003 0x00666B

10.1.15.0 4.4.4.4 589 0x80000003 0x00DDB2

10.1.24.0 4.4.4.4 589 0x80000004 0x00F5D0

10.1.35.0 4.4.4.4 589 0x80000003 0x00650D

10.1.57.0 4.4.4.4 589 0x80000003 0x009095

10.1.123.0 4.4.4.4 589 0x80000003 0x001743


Summary ASB Link States (Area 2)


Link ID ADV Router Age Seq# Checksum

5.5.5.5 4.4.4.4 316 0x80000001 0x002176


Type-5 AS External Link States


Link ID ADV Router Age Seq# Checksum Tag

192.168.6.0 192.168.66.1 574 0x80000001 0x001272 0

192.168.7.0 5.5.5.5 302 0x80000001 0x00B14E 0

192.168.66.0 192.168.66.1 574 0x80000001 0x007BCC 0

192.168.77.0 5.5.5.5 304 0x80000001 0x00AC0D 0

Note that R6 sees the 192.168.7x.0/24 prefixes as LSA Type 5 advertised by 5.5.5.5: R5, the NSSA ABR, translated R7's Type 7 LSAs into Type 5 when flooding them out of area 1.

Configuring area 2 as stub, using the command area 2 stub on R4 and R6, and looking again on R6 OSPF database:

R6# sh ip ospf database


OSPF Router with ID (192.168.66.1) (Process ID 1)


Router Link States (Area 2)


Link ID ADV Router Age Seq# Checksum Link count

4.4.4.4 4.4.4.4 423 0x8000000E 0x00C875 3

192.168.66.1 192.168.66.1 19 0x8000000F 0x009609 3


Summary Net Link States (Area 2)


Link ID ADV Router Age Seq# Checksum

0.0.0.0 4.4.4.4 20 0x80000001 0x0039F4

1.0.0.0 4.4.4.4 20 0x8000000A 0x009C47

2.0.0.0 4.4.4.4 20 0x8000000B 0x008D54

3.0.0.0 4.4.4.4 20 0x8000000A 0x00E6F0

5.0.0.0 4.4.4.4 20 0x8000000A 0x00EAB4

7.0.0.0 4.4.4.4 20 0x80000008 0x005708

10.1.14.0 4.4.4.4 20 0x8000000A 0x007656

10.1.15.0 4.4.4.4 20 0x8000000A 0x00ED9D

10.1.24.0 4.4.4.4 20 0x8000000B 0x0006BB

10.1.35.0 4.4.4.4 20 0x8000000A 0x0075F7

10.1.57.0 4.4.4.4 20 0x8000000A 0x00A080

10.1.123.0 4.4.4.4 20 0x8000000A 0x00272E

Only LSA Types 1 and 3 are seen (no Type 2, because the link is point-to-point and has no DR), and a default route 0.0.0.0/0 has been injected automatically by the ABR as a Type 3 LSA with next hop R4, so R6 reaches the R7 networks through the default route.

A stub area cannot contain an ASBR, so with area 2 as a stub the external networks of R6, 192.168.6x.0/24, no longer appear anywhere in the OSPF AS. To fix that we have to configure area 2 as an NSSA instead.

After configuring area 2 as an NSSA area R4 sees:

R4#sh ip route | in 192.168.6

O N2 192.168.66.0/24 [110/20] via 10.1.46.6, 00:02:24, Serial0/2

O N2 192.168.6.0/24 [110/20] via 10.1.46.6, 00:02:24, Serial0/2

The default cost for redistributed routes is 20 and the type is N2, an external route whose metric is only the external cost set by the ASBR, without the internal cost of reaching it. Changing the metric-type to type 1, using the command R6(config-router)#redistribute connected subnets route-map CNT metric-type 1, shows the full cost (85 here: the external cost of 20 plus the internal cost to the forwarding address advertised by R6):

R4#sh ip route | in 192.168.6

O N1 192.168.66.0/24 [110/85] via 10.1.46.6, 00:00:02, Serial0/2

O N1 192.168.6.0/24 [110/85] via 10.1.46.6, 00:00:02, Serial0/2

Let's have a look on R6 route table:

R6#sh ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route


Gateway of last resort is not set


O IA 1.0.0.0/8 [110/129] via 10.1.46.4, 08:00:16, Serial0/0

O IA 2.0.0.0/8 [110/129] via 10.1.46.4, 08:00:16, Serial0/0

O IA 3.0.0.0/8 [110/139] via 10.1.46.4, 08:00:16, Serial0/0

O 4.0.0.0/8 [110/65] via 10.1.46.4, 08:00:16, Serial0/0

O IA 5.0.0.0/8 [110/193] via 10.1.46.4, 08:00:16, Serial0/0

C 6.0.0.0/8 is directly connected, Loopback0

O IA 7.0.0.0/8 [110/257] via 10.1.46.4, 08:00:16, Serial0/0

C 192.168.66.0/24 is directly connected, Loopback2

10.0.0.0/24 is subnetted, 7 subnets

O IA 10.1.15.0 [110/192] via 10.1.46.4, 08:00:16, Serial0/0

O IA 10.1.14.0 [110/128] via 10.1.46.4, 08:00:16, Serial0/0

O IA 10.1.24.0 [110/128] via 10.1.46.4, 08:00:16, Serial0/0

C 10.1.46.0 is directly connected, Serial0/0

O IA 10.1.35.0 [110/202] via 10.1.46.4, 08:00:16, Serial0/0

O IA 10.1.57.0 [110/256] via 10.1.46.4, 08:00:16, Serial0/0

O IA 10.1.123.0 [110/138] via 10.1.46.4, 08:00:16, Serial0/0

C 192.168.6.0/24 is directly connected, Loopback1

As we can see, R6 still holds inter-area (O IA, Type 3) routes, so I configure area 2 as a totally NSSA, which accepts only LSA Types 1, 2 and 7 plus a single Type 3 default route from the ABR, with the command:

R6(config-router)#area 2 nssa no-summary

(Configured on all routers in the area as before; the no-summary keyword only takes effect on the ABR, R4, while the other routers need area 2 nssa so that the area type matches.)

Now look at R6 route table:

R6#sh ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route


Gateway of last resort is 10.1.46.4 to network 0.0.0.0


O 4.0.0.0/8 [110/65] via 10.1.46.4, 00:00:19, Serial0/0

C 6.0.0.0/8 is directly connected, Loopback0

C 192.168.66.0/24 is directly connected, Loopback2

10.0.0.0/24 is subnetted, 1 subnets

C 10.1.46.0 is directly connected, Serial0/0

C 192.168.6.0/24 is directly connected, Loopback1

O*IA 0.0.0.0/0 [110/65] via 10.1.46.4, 00:00:06, Serial0/0

Much smaller and thereby more efficient: R6 now consumes much less memory and CPU time and converges faster, because SPF has much less to calculate. Also notice the default route installed automatically: a totally NSSA/stub area cannot learn specific routes from outside its own area, so a default route is what carries that traffic.


Thursday, November 4, 2010

OSPF Forwarding Address Suppression

Let's do a quick recall on OSPF LSA types and route designators:

LSA Type 1 - All OSPF routers advertise their connected interfaces

LSA Type 2 - All DR routers advertise their connected interfaces, one LSA per subnet

LSA Type 3 - Advertised by ABRs; they traverse areas and contain a short description of the networks in other areas

LSA Type 4 - Advertised by an ABR and points to an ASBR

LSA Type 5 - External routes (i.e. routes redistributed from other routing protocols) injected by an ASBR into the OSPF AS

LSA Type 7 - External routes (LSA Type 5) that have been translated to Type 7 and then advertised by an ASBR residing in an NSSA area


An NSSA area is similar to a stub area (an area that receives only Type 1, 2 and 3 LSAs), but in an NSSA Type 7 LSAs (which are actually converted Type 5 LSAs) can also traverse. This way we can configure a stub area that still has an external route connection.

A Totally NSSA area is again similar to a Totally stub area, which allows only Type 1 and 2; the Totally NSSA also allows Type 7.

Route Designators:

Route designators are the letters found to the left of the prefixes when doing show ip route on a Cisco device.

E1 expresses the full total cost of an external route, meaning the cost from the router (the one on which you typed show ip route) to the ASBR that advertised the external route, plus the cost or metric from the ASBR to the final destination, i.e. the advertised prefix/route.

E2, which is the default on Cisco IOS, expresses only the cost/metric from the ASBR to the final destination. No cost is added for the path between the router and the ASBR.

N1 and N2 are the equivalents of E1 and E2, except that both originate from an ASBR in an NSSA area.

And now, finally, we are ready to talk about Forwarding Address Suppression. Take the following lab for example:


R3, R4, R5 and R6 are all configured in an NSSA area, while R4, R5 and R6 redistribute their Loopback interfaces into OSPF. These networks are advertised as LSA Type 7 within area 1 and traverse into area 0, through R3, as LSA Type 5.

Since we want to minimize unnecessary route advertisement and LSA flooding, I have configured R3 to summarize the prefixes that connect R3 to R4, R5 and R6 (200.1.3x.0); this was accomplished with the command area 1 range 200.1.3x.0 255.255.255.0 not-advertise on R3. But doing so raised a new problem: R6, for example, was advertised by LSA Type 4 as the ASBR for prefix 6.0.0.0/8, and R3 advertised this prefix into area 0 with an LSA Type 5 that points to R6's IP address as the forwarding address!

R2#show ip ospf database external 4.0.0.0


OSPF Router with ID (2.2.2.2) (Process ID 1)


Type-5 AS External Link States


LS age: 147

Options: (No TOS-capability, DC)

LS Type: AS External Link

Link State ID: 4.0.0.0 (External Network Number )

Advertising Router: 3.3.3.3

LS Seq Number: 80000004

Checksum: 0xF3A9

Length: 36

Network Mask: /8

Metric Type: 2 (Larger than any link state path)

TOS: 0

Metric: 20

Forward Address: 200.1.34.4

External Route Tag: 0

So if R2, for example, doesn't know a route to 200.1.34.4, it can't send traffic to network 4.0.0.0/8.

The solution is Forwarding Address Suppression, which lets us keep the routing tables small on one hand and still reach the external routes on the other.

Configure the following commands on R3, the ABR:

R3(config-router)#area 1 range 200.1.34.0 255.255.255.0 not-advertise

R3(config-router)#area 1 range 200.1.35.0 255.255.255.0 not-advertise

R3(config-router)#area 1 range 200.1.36.0 255.255.255.0 not-advertise

R3(config-router)#area 1 nssa translate type7 suppress-fa

The first three lines summarize those prefixes on the ABR, and not-advertise keeps them from being advertised into area 0. If you recall, this is one of the methods for filtering OSPF LSA Type 3.

The last line changes the forward address of the LSA Type 7 from its original value to 0.0.0.0, then converts it to LSA Type 5 and floods it into area 0:

R2#show ip ospf database external 4.0.0.0


OSPF Router with ID (2.2.2.2) (Process ID 1)


Type-5 AS External Link States


Routing Bit Set on this LSA

LS age: 209

Options: (No TOS-capability, DC)

LS Type: AS External Link

Link State ID: 4.0.0.0 (External Network Number )

Advertising Router: 3.3.3.3

LS Seq Number: 80000005

Checksum: 0x513B

Length: 36

Network Mask: /8

Metric Type: 2 (Larger than any link state path)

TOS: 0

Metric: 20

Forward Address: 0.0.0.0

External Route Tag: 0

This allows R2 to reach prefix 6.0.0.0/8 although it doesn't know the IP address of the ASBR.

Configuring this feature causes the router to be noncompliant with RFC 1587. Also, suboptimal routing might result because there might be better paths to reach the destination's forwarding address. This feature should not be configured without careful consideration and not until the network topology is understood.


Cisco doc link: http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ftoadsup.html
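The translation and the reachability check described above, as an added example (not code from the original post or from Cisco): an ABR translates R4's Type-7 LSA into a Type-5 LSA with and without suppress-fa, and R2 decides whether the resulting LSA is usable. The LSA field values come from the show output above; R4's router ID (4.4.4.4) and R2's routing-table contents are constructed for the example.

```python
# Added example, not from the original post: models how an ABR translates an
# NSSA Type-7 LSA into the Type-5 LSA flooded into area 0, with and without
# "suppress-fa", and how an area-0 router such as R2 then decides whether the
# Type-5 LSA is usable. Per RFC 2328 section 16.4, a non-zero forwarding
# address must itself be reachable through an intra- or inter-area route;
# with FA 0.0.0.0 the route points at the advertising router instead.
import ipaddress

def translate_type7_to_type5(lsa7, abr_id, suppress_fa=False):
    """ABR side: build the Type-5 LSA from a Type-7 LSA."""
    lsa5 = dict(lsa7)
    lsa5["type"] = 5
    lsa5["advertising_router"] = abr_id   # the ABR (R3) becomes the advertiser
    if suppress_fa:                       # area 1 nssa translate type7 suppress-fa
        lsa5["forward_address"] = "0.0.0.0"
    return lsa5

def ospf_route_exists(route_table, host):
    """True if an intra- or inter-area OSPF route (O / O IA) covers host."""
    ip = ipaddress.ip_address(host)
    return any(code in ("O", "O IA") and ip in ipaddress.ip_network(prefix)
               for prefix, code in route_table)

def type5_is_usable(lsa5, route_table):
    """Area-0 router side: may this external prefix be installed at all?"""
    fa = lsa5["forward_address"]
    target = lsa5["advertising_router"] if fa == "0.0.0.0" else fa
    return ospf_route_exists(route_table, target)

# Constructed Type-7 LSA as R4 originates it for its redistributed loopback
# (metric, type and FA match the "show ip ospf database external 4.0.0.0"
# output above; 4.4.4.4 is an assumed router ID for R4).
LSA7_R4 = {"type": 7, "prefix": "4.0.0.0/8", "metric": 20, "metric_type": 2,
           "advertising_router": "4.4.4.4", "forward_address": "200.1.34.4"}

# Constructed view of R2's routing table after R3 applied
# "area 1 range 200.1.34.0 255.255.255.0 not-advertise": no route covers the FA.
R2_ROUTES = [("10.1.23.0/24", "C"), ("3.3.3.3/32", "O"), ("2.2.2.0/24", "C")]

def r2_can_use(suppress_fa):
    """Does R2 accept 4.0.0.0/8 when R3 translates with/without suppress-fa?"""
    lsa5 = translate_type7_to_type5(LSA7_R4, "3.3.3.3", suppress_fa)
    return type5_is_usable(lsa5, R2_ROUTES)

if __name__ == "__main__":
    print("without suppress-fa:", r2_can_use(False))   # False: FA unreachable
    print("with suppress-fa:", r2_can_use(True))        # True: routes via R3
```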

OSPF Autocost

Using the following lab I will demonstrate the use of auto-cost.


Links A, B and C are all Gigabit Ethernet interfaces while link D is Fast Ethernet. The default cost calculation, by Cisco, is:

Cost = Reference Bandwidth / Interface Bandwidth

Reference Bandwidth is a number that Cisco sets to 100,000,000 (bps).

Following this formula, all links get a cost of 1, so R4 sees 2 equal-cost paths to R1 and vice versa:

R4#sh ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route


Gateway of last resort is not set


1.0.0.0/32 is subnetted, 1 subnets

O 1.1.1.1 [110/3] via 10.1.34.3, 00:00:08, GigabitEthernet1/0

[110/3] via 10.1.24.2, 00:00:08, FastEthernet2/0

2.0.0.0/24 is subnetted, 1 subnets

O 2.2.2.0 [110/2] via 10.1.24.2, 00:00:08, FastEthernet2/0

C 192.168.44.0/24 is directly connected, Loopback2

3.0.0.0/24 is subnetted, 1 subnets

O 3.3.3.0 [110/2] via 10.1.34.3, 00:00:08, GigabitEthernet1/0

4.0.0.0/24 is subnetted, 1 subnets

C 4.4.4.0 is directly connected, Loopback0

O 192.168.11.0/24 [110/3] via 10.1.34.3, 00:00:08, GigabitEthernet1/0

[110/3] via 10.1.24.2, 00:00:08, FastEthernet2/0

C 192.168.4.0/24 is directly connected, Loopback1

10.0.0.0/24 is subnetted, 5 subnets

O 10.1.13.0 [110/2] via 10.1.34.3, 00:00:10, GigabitEthernet1/0

O 10.1.12.0 [110/2] via 10.1.24.2, 00:00:10, FastEthernet2/0

C 10.1.24.0 is directly connected, FastEthernet2/0

O 10.1.23.0 [110/2] via 10.1.24.2, 00:00:10, FastEthernet2/0

C 10.1.34.0 is directly connected, GigabitEthernet1/0

O 192.168.1.0/24 [110/3] via 10.1.34.3, 00:00:10, GigabitEthernet1/0

[110/3] via 10.1.24.2, 00:00:10, FastEthernet2/0

But in reality these two paths are not equal! Links B+C are both GE, while links A+D are an FE and a GE interface, which gives less bandwidth.

So we need to configure auto-cost on every router in the AS in order to change the reference bandwidth on all of them:

R2(config-router)#auto-cost reference-bandwidth 1000

% OSPF: Reference bandwidth is changed.

Please ensure reference bandwidth is consistent across all routers.

The reference bandwidth is expressed in megabits per second (Mbps), so configuring 1000 means 1,000,000,000 bps, or 1 Gbps.

Note that the router warns us to make the change across all routers.

After configuring auto-cost on all routers, R4 sees links C+B as a total cost of 2 and links A+D as a total cost of 11, and therefore prefers only one path to R1's networks.

OSPF Cost

Cost is the OSPF metric, expressed as an unsigned 16-bit integer in the range 1 to 65535. Cisco uses a default cost of 100,000,000/BW (in bps), expressed in whole numbers. For example, the cost of a 1.5 Mbps serial link is 100,000,000/1,540,000 = 64, and the cost of a Fast Ethernet link is 100,000,000/100,000,000 = 1.

The default reference bandwidth for OSPF is 10^8 bps, or 100 Mbit/s. Increasing the reference bandwidth allows a more granular OSPF design. If it is changed, it should be changed on all routers in the OSPF domain.

Link costs in individual intra-area LSAs are represented by a 16-bit unsigned integer, which gives an upper bound of 2^16-1 (65535). The OSPF standard poses no limit on the intra-area total path metric, though the metrics of inter-area summary and external paths are limited by the 24 bits of space in those LSAs, giving a maximum metric of 2^24-1 (16,777,215). Most implementations (including JunOS and IOS) use a 32-bit unsigned integer for the total path cost, which gives 2^32-1 (4,294,967,295).

Autocost

Because IOS routers use 100 Mbps as the reference for cost calculation, a problem arises when Gigabit Ethernet interfaces are connected; for this reason we can change the reference to 1000 Mbps with the command:

R1(config-router)#auto-cost reference-bandwidth 1000

The reference value is given in Mbps, so the default reference value is 100.

Reference= Cost X Bandwidth

Cost = Reference_BW/ Interface_BW

Cost can be modified by:

Interface bandwidth

Interface ip ospf cost

Process auto-cost

Process neighbor w.x.y.z cost

OSPF treats a loopback interface as an 8 Gbps interface with a cost of 1.
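The cost formula from the OSPF Cost and Autocost sections, applied to the auto-cost lab above, as an added example (not code from the original post or from Cisco IOS): it computes each interface's cost from the reference bandwidth and sums it over the two R4 to R1 paths, showing why they tie at the default reference and separate at 1000 Mbps.

```python
# Added example, not from the original post: Cisco's OSPF interface cost,
# Cost = Reference Bandwidth / Interface Bandwidth, truncated to a whole
# number and clamped to the 1..65535 range of the 16-bit link metric, summed
# over the two R4 -> R1 paths of the auto-cost lab (link letters as in the
# post: A, B, C are GigabitEthernet, D is FastEthernet).

def ospf_cost(interface_bw_bps, reference_bw_mbps=100):
    """Cost of one interface; the reference is in Mbps as on the IOS command
    line (auto-cost reference-bandwidth <Mbps>), default 100."""
    reference_bps = reference_bw_mbps * 1_000_000
    cost = reference_bps // interface_bw_bps
    return max(1, min(cost, 65535))          # never 0, never above 16 bits

GE = 1_000_000_000      # GigabitEthernet, bps
FE = 100_000_000        # FastEthernet, bps
SERIAL_T1 = 1_540_000   # the 1.5 Mbps serial link of the OSPF Cost section

PATHS_R4_TO_R1 = {"B+C": [GE, GE], "A+D": [GE, FE]}

def path_costs(reference_bw_mbps):
    """Total link cost of each R4 -> R1 path under a given reference bandwidth
    (the destination loopback would add its own cost of 1 on top)."""
    return {name: sum(ospf_cost(bw, reference_bw_mbps) for bw in links)
            for name, links in PATHS_R4_TO_R1.items()}

def equal_cost(reference_bw_mbps):
    """True when both paths tie and OSPF would load-share over them."""
    return len(set(path_costs(reference_bw_mbps).values())) == 1

if __name__ == "__main__":
    for ref in (100, 1000):
        print(f"reference {ref} Mbps:", path_costs(ref),
              "ECMP" if equal_cost(ref) else "single best path")
```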

OSPF uses a bandwidth-based cost: it calculates each link's cost and then runs SPF over the tree in order to choose the shortest path from the root (the router itself) to the destination. The total cost of each path is accumulated from the root downward.

Using the following LAB:

R1 sees 2 equal-cost paths to R4:

R1#sh ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route


Gateway of last resort is not set


1.0.0.0/24 is subnetted, 1 subnets

C 1.1.1.0 is directly connected, Loopback0

2.0.0.0/32 is subnetted, 1 subnets

O 2.2.2.2 [110/2] via 10.1.123.2, 00:16:56, FastEthernet0/0

O 192.168.44.0/24 [110/3] via 10.1.123.3, 00:16:56, FastEthernet0/0

[110/3] via 10.1.123.2, 00:16:56, FastEthernet0/0

3.0.0.0/32 is subnetted, 1 subnets

O 3.3.3.3 [110/2] via 10.1.123.3, 00:16:56, FastEthernet0/0

4.0.0.0/24 is subnetted, 1 subnets

O 4.4.4.0 [110/3] via 10.1.123.3, 00:16:56, FastEthernet0/0

[110/3] via 10.1.123.2, 00:16:56, FastEthernet0/0

C 192.168.11.0/24 is directly connected, Loopback2

O 192.168.4.0/24 [110/3] via 10.1.123.3, 00:16:56, FastEthernet0/0

[110/3] via 10.1.123.2, 00:16:56, FastEthernet0/0

10.0.0.0/24 is subnetted, 3 subnets

O 10.1.24.0 [110/2] via 10.1.123.2, 00:16:57, FastEthernet0/0

O 10.1.34.0 [110/2] via 10.1.123.3, 00:16:57, FastEthernet0/0

C 10.1.123.0 is directly connected, FastEthernet0/0

C 192.168.1.0/24 is directly connected, Loopback1

When I configured R2(config-if)#ip ospf cost 5 on R2's interface f0/0 (represented by link B), R4's routing table changed and now had only 1 route to R1's networks, while R1 still had 2 equal-cost paths to R4's networks.

The way R1 calculates the cost to R4 includes links A, D, C and E, while R4 calculates F, E, C and B. Changing the cost is locally significant to the configured router's interface only and doesn't affect the other routers' own link costs.
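The directional effect described above, as an added example (not code from the original post): a small Dijkstra model of the lab with R1, R2 and R3 on the shared 10.1.123.0/24 segment and R4 behind R2 and R3, run from both R1 and R4 before and after raising the cost of R2's f0/0. Segment addresses and router names are the post's; modelling every link as a transit network with zero-cost return edges is the standard OSPF graph construction, and the resulting costs are to the router vertices (the loopbacks in the show output add 1 on top).

```python
# Added example, not from the original post: SPF (Dijkstra) over the "ip ospf
# cost" lab. OSPF charges a path only for each router's OUTGOING interface, so
# "ip ospf cost 5" on R2 f0/0 (toward the 10.1.123.0/24 segment) changes what
# R4 computes toward R1 but not what R1 computes toward R4. Segment names and
# the default cost of 1 (FastEthernet, 100 Mbps reference) follow the post.
import heapq

def build_graph(r2_f00_cost=1):
    """Directed graph in OSPF's own shape: a router -> network edge carries the
    router's outgoing interface cost, a network -> router edge costs 0."""
    segments = {"N123": ["R1", "R2", "R3"],   # 10.1.123.0/24
                "N24": ["R2", "R4"],           # 10.1.24.0/24
                "N34": ["R3", "R4"]}           # 10.1.34.0/24
    graph = {}
    for net, routers in segments.items():
        for rtr in routers:
            cost = r2_f00_cost if (rtr, net) == ("R2", "N123") else 1
            graph.setdefault(rtr, []).append((net, cost))
            graph.setdefault(net, []).append((rtr, 0))
    return graph

def spf(graph, root):
    """Dijkstra from root -> {node: (cost, number of equal-cost paths)}.
    Networks pop before routers of equal cost so a node's path count is final
    before it is propagated (router -> network edges always cost >= 1)."""
    best = {root: (0, 1)}
    heap = [(0, 1, root)]
    while heap:
        cost, _, node = heapq.heappop(heap)
        if cost > best[node][0]:
            continue                                   # stale heap entry
        for nxt, weight in graph.get(node, []):
            cand = cost + weight
            if nxt not in best or cand < best[nxt][0]:
                best[nxt] = (cand, best[node][1])
                heapq.heappush(heap, (cand, 0 if nxt.startswith("N") else 1, nxt))
            elif cand == best[nxt][0]:
                best[nxt] = (cand, best[nxt][1] + best[node][1])
    return best

def r1_and_r4_views(r2_f00_cost=1):
    """(R1's cost and path count to R4, R4's cost and path count to R1)."""
    graph = build_graph(r2_f00_cost)
    return spf(graph, "R1")["R4"], spf(graph, "R4")["R1"]

if __name__ == "__main__":
    print("default costs: ", r1_and_r4_views(1))  # ((2, 2), (2, 2)): ECMP both ways
    print("R2 f0/0 cost 5:", r1_and_r4_views(5))  # ((2, 2), (2, 1)): only R4 loses ECMP
```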