Monday, July 29, 2013

OSPF Notes

OSPF:
·       Runs directly over IP as protocol number 89 (no TCP or UDP).
·       OSPF multicast packets use a TTL of 1.
·       Secondary addresses are advertised as stub networks; no adjacency forms over a secondary network.
·       If the network statement matches the primary IP address of an interface, OSPF is enabled on that interface and on any IP unnumbered interface borrowing its address.
·       Elects DR and BDR on broadcast and NBMA networks.
·       To establish an adjacency the following values must match:
o    Area ID.
o    Authentication type and key.
o    Network mask (point-to-point links are the exception).
o    Hello and Dead Intervals.
o    MTU (compared in the DBD exchange, not in the Hello; a mismatch leaves the neighbor stuck in ExStart).
o    Options (e.g. the E-bit that marks a stub area).
·       Hello Intervals for broadcast network 10 seconds, non-broadcast networks 30 seconds.
·       Hello Intervals can be configured per interface basis with ip ospf hello-interval
·       Dead Interval is 4 times the Hello Interval and configured with ip ospf dead-interval command.
·       Changing Hello Interval automatically adjusts the Dead Interval to 4 times the new value.
·       Fast Hello: multiple Hellos in less than 1 second.
#ip ospf dead-interval minimal hello-multiplier 5     # dead interval 1 second, 5 hellos per second, i.e. a 200 msec hello interval.
·       Three ways to advertise routes using OSPF
o    Network Area command.  It serves two purposes
       defines the interfaces on which OSPF runs
       defines the area membership of the interface.
       configured with network {IP} {wildcard} area {area id} under OSPF process.
       The IP address and wildcard arguments together allow you to define one or more interfaces to advertise.
       The matched interfaces’ IP/subnet is advertised by OSPF, not the IP/wildcard of network command.
o    Interface command.  Does the same thing as the network command.
       not supported on every platform (older switches in particular).
       configured with ip ospf {process-id} area {area-id} under the interface.
o    redistribution command. see REDISTRIBUTION: section for detailed info.
·       Network Types.   RFC 2328 defines broadcast, non-broadcast (NBMA), point-to-point, point-to-multipoint and virtual links; Cisco adds point-to-multipoint non-broadcast and the loopback/stub type. OSPF over GRE below is a workaround, not a network type.
o    Broadcast Network
       default network type on Ethernet and elects DR/BDR. Hello 10 seconds, Dead Interval 40 seconds.
       uses 224.0.0.5 (0100.5E00.0005), AllSPFRouter and 224.0.0.6 (0100.5E00.0006,) AllDRouters
       no next-hop modification. it remains the IP address of the originating router.
       layer 3 to 2 resolution is required.
       can NOT configure neighbor command.
o    Non-Broadcast Network  [NBMA Needs Neighbor]
       can connect multiple routers, but has no broadcast capability. Hello 30 sec, Dead interval 120 seconds.
       Default on Frame Relay physical (main) interfaces and multipoint sub-interfaces.
       elects DR, BDR by using unicast between configured neighbors.
       next-hop IP is not changed and remains the IP address of the originating router.
       Default priority is 1; 0 disables DR/BDR participation. Set priority 0 on all spokes: a spoke has no layer 2 path to the other spokes, so a spoke DR/BDR would black-hole the segment.
o    Point-to-Point Network
       Default on serial links running HDLC or PPP (T1, DS-3, SONET/POS) and on Frame Relay point-to-point sub-interfaces.
        no DR/BDR election, uses multicast to AllSPFRouters, 224.0.0.5, except retransmitted LSAs uses unicast.
       OSPF ignores subnet mask mismatch on P2P links, Hello 10 seconds and Dead interval 40 seconds.
o    Point-to-multipoint Network
       Defined in RFC 2328 (not Cisco proprietary); not the default on any interface, but usually the best choice for NBMA networks.
       special configuration of NBMA, networks treated like a collection of P2P links.
       no DR/BDR election and OSPF packets use multicast 224.0.0.5 to reach neighbor.
       next-hop is that of the advertising neighbor, and end points of the link is advertised as /32, host route.
       L3 to L2 resolution is only needed for directly connected neighbors.
       Non directly connected neighbors use recursive L3 routing to reach each other.
       Hellos 30 seconds, Dead intervals 120 seconds.
o    Point-to-multipoint NON-BROADCAST Network
       Cisco proprietary, same as P2M, but configured with additional non-broadcast keyword.
       no DR/BDR, uses unicast to reach each manually configured neighbor.
       Configuring the neighbor on one side is enough to bring the adjacency up, but configure it on both sides.
       the next-hop is that of advertising neighbor and IP routing is used to reach L2 non-adjacent neighbors.
       was created to allow cost per neighbor rather than interface cost.
       cost is based on the incoming interface bandwidth and not the bandwidth of neighbor’s interface.
       Hello 30 seconds, Dead interval 120 seconds.
o    Virtual Links
       used to connect an area to the backbone through a non-backbone transit area, or to join a partitioned backbone.
       must be configured between two ABRs, one of which connects to area 0.
       the transit area must not be a stub area and must have full routing information.
       the virtual link is treated as an interface in area 0; it comes up as a point-to-point interface once the route to the far ABR through the transit area is in the RIB.
       area 0 attributes are inherited by the virtual-link routers, including authentication and summarization.
       the virtual-link cost is the cost of the route to the neighbor ABR's interface through the transit area.
o    OSPF over GRE
       OSPF virtual-link may not transit stub areas.
       If a virtual-link over a stub area is required, the only solution is GRE tunnel.
       the tunnel interface must have an IP address with a matching network statement in area 0.

o    Stub/Loopback Network
       default for loopback interfaces.
       assumes only a single attached router. OSPF advertises stub network as host /32 network.
       NOT a stub area.
·       DR and BDR 
o    Addressing
       will be elected on broadcast and NBMA networks.
       the broadcast link itself is a pseudo-node, the same concept as in IS-IS.
       the cost from an attached router to the pseudo-node is the outgoing cost of that interface to broadcast link.
       the cost from the pseudo-node to any attached router is zero.
       the DR is a property of a router’s interface and NOT the entire router.
       on broadcast segments traffic doesn’t flow through DR, only updates are sent to DR and BDR.
       DR/BDR must have layer2 connectivity to all neighbors.
o    Router Interface Priority
       influences the election process between DR and BDR, but will not override an active DR or BDR.
       OSPF elections do not support pre-emption. Highest priority, 255, wins. Default priority is 1. No DR/BDR participation 0.
       can be changed per multi-access interface with ip ospf priority.
o    Router ID
       will be used as tie-breaker when router priorities are equal.
       Is the highest loopback IP in an UP state. If no loopbacks are configured, highest interface IP in UP state.
       can be statically set.
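The election rules above (priority first, router ID as tie-breaker, no pre-emption of a sitting DR or BDR, BDR promoted when the DR disappears) are easy to state and easy to get wrong. The following is an added example, not code from the original notes, that implements the RFC 2328 section 9.4 election from the point of view of one router on the segment. Router IDs, priorities and the three scenarios in the demo are constructed for illustration; the router ID is used in place of the interface address to keep the model small.

```python
from dataclasses import dataclass


@dataclass
class Router:
    rid: str               # router ID; stands in for the interface address in this model
    priority: int          # 0 = never eligible for DR/BDR
    dr: str = "0.0.0.0"    # DR this router declares in its Hellos (0.0.0.0 = none yet)
    bdr: str = "0.0.0.0"   # BDR this router declares in its Hellos


def _rid_key(rid):
    return tuple(int(o) for o in rid.split("."))


def _best(routers):
    # highest priority wins; highest router ID breaks a tie
    return max(routers, key=lambda r: (r.priority, _rid_key(r.rid)))


def elect(routers):
    """RFC 2328 9.4 election run by routers[0] over the Hellos it has seen.

    Returns (dr, bdr) and updates routers[0]'s own declared DR/BDR, which is
    what it would put in its next Hello."""
    me = routers[0]
    for _ in range(2):  # step 4: if our own role changed, repeat steps 2-3 once
        eligible = [r for r in routers if r.priority > 0]
        # step 2: the BDR is chosen among routers NOT claiming to be DR;
        # routers that claim to be BDR are preferred, otherwise anyone eligible
        not_dr = [r for r in eligible if r.dr != r.rid]
        claiming_bdr = [r for r in not_dr if r.bdr == r.rid]
        bdr = _best(claiming_bdr or not_dr).rid if not_dr else "0.0.0.0"
        # step 3: the DR is chosen among routers claiming to be DR; if nobody
        # does, the BDR just elected is promoted. A sitting DR keeps its role
        # even if a higher-priority router appears: no pre-emption.
        claiming_dr = [r for r in eligible if r.dr == r.rid]
        dr = _best(claiming_dr).rid if claiming_dr else bdr
        role_changed = ((me.dr == me.rid) != (dr == me.rid)) or \
                       ((me.bdr == me.rid) != (bdr == me.rid))
        me.dr, me.bdr = dr, bdr
        if not role_changed:
            break
    return dr, bdr


if __name__ == "__main__":
    # constructed scenario 1: cold start, equal priorities, R3 has priority 0
    print("cold start:", elect([Router("2.2.2.2", 1), Router("1.1.1.1", 1), Router("3.3.3.3", 0)]))
    # constructed scenario 2: R4 joins with priority 255 but R2/R1 are already DR/BDR
    segment = [Router("4.4.4.4", 255, dr="2.2.2.2", bdr="1.1.1.1"),
               Router("1.1.1.1", 1, dr="2.2.2.2", bdr="1.1.1.1"),
               Router("2.2.2.2", 1, dr="2.2.2.2", bdr="1.1.1.1")]
    print("no pre-emption:", elect(segment))
    # constructed scenario 3: the DR (R2) has gone; the BDR is promoted
    print("DR lost:", elect([Router("1.1.1.1", 1, dr="2.2.2.2", bdr="1.1.1.1"),
                            Router("4.4.4.4", 255, dr="2.2.2.2", bdr="1.1.1.1")]))
```

Scenario 2 is the one worth remembering from a security angle: a host that joins a segment claiming priority 255 cannot take the DR role from a working DR, but a rogue that is present first, or that is the only router to survive a DR/BDR outage, wins the election and becomes the distribution point for every LSA on that segment.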
·       OSPF State Machine
o    Down
       initial state that indicates no hellos are seen from the neighbor in the last dead-interval.
       link state retransmission, database summary, and link-state request list is cleared.
o    Attempt
       only applies to NBMA networks where neighbors are manually configured.
o    Init
       Hello packets are seen from the neighbor, however, 2-way communication has not been setup yet.
o    2-way
       the router has seen its own router-id in the Hello packets coming from the neighbor.
       on multi-access networks, the routers must be in this state or higher to participate in DR/BDR election.
o    ExStart
       the router and its neighbor establish a master/slave relationship and begin exchanging Database Description (DBD) packets.
       the neighbor with the higher router-ID becomes master.
o    Exchange
       the router sends DBD packets describing, in summary, its entire link state database.
       the router may also send link state request packets, requesting more recent LSAs.
o    Loading
       the router sends link state request, asking for more LSAs that it has not received yet.
o    Full
       routers are fully adjacent and adjacencies appear in router LSA and network LSA.
·       OSPF Packet Types.
OSPF has five packet types; Hello (type 1) discovers neighbors, and the adjacency building process then uses the other four.
o    DBD (type 2) Database Description packet
       carry a summary description of each LSA in the originating router’s link state database.
       these descriptions are not complete LSA.
       I-bit, initial bit, when the bit is set, indicates the first DDP is sent.
       M-bit, more bit, when the bit is set, indicates this is not the last DDP; more to come.
       MS-bit, master/slave bit, indicates which router is master.
o    LSR (type 3) Link State Request packet.
o    LSU (type 4) Link State Update packet.
o    LSAck (type 5) Link State acknowledgement packets.
·       LSA types, Link State Advertisement
o    LSA is the OSPF data structure used to describe topology information.
o    MaxAge, 1 hour, the LSA is flushed from the database if not updated.
o    LSARefreshTime, 30 minutes, originating router will flood a new copy of it’s LSA with an age of zero.
o    Router LSA, type 1
-        generated by each router for ALL its own OSPF links in the area: link type, state and outgoing cost of each link, and any known OSPF neighbors on the link.
-        have intra-area flooding scope. displayed as O in RIB and describes intra-area routes.
-        show ip ospf database router.
o    Network LSA, type 2.
-        generated by DR on multi-access networks.
-        lists all attached routers including the DR itself.
-        have intra-area flooding scope.
-        identifies the designated router on a segment.
-        show ip ospf database network.
o    Network Summary LSA, type 3.
-        generated by ABRs and flooded into an area to advertise destinations outside that area but within the same AS.
-        also carries the default route into stub areas (still within the same AS).
-        inter-area flooding scope; displayed as O IA in the RIB (O*IA when it is the candidate default).
-        show ip ospf database summary.
o    ASBR Summary LSA, type 4.
-        generated by ABR and are identical to Network Summary LSA, except the destination they advertise is an ASBR route/router and not a network.
-        have inter-area flooding scope, and describes which router is doing the redistribution.
-        show ip ospf database asbr-summary.
o    AS External LSA, type 5.
-        generated by ASBR, and are the only LSAs that are not associated with a particular area.
-        advertise either a destination external to the OSPF AS or default route external to the AS.
-        the forwarding address of an external route must be resolved by an intra-area or inter-area route; another OSPF external route cannot be used to reach it.
-        have Autonomous System-wide flooding scope.
-        show ip ospf database external.
o    MOSPF, type 6.
-        Cisco doesn't support it and logs a syslog message on receipt; to silence it, configure ignore lsa mospf under the OSPF process.
o    NSSA External LSA, type 7.
-        generated by ASBR within NSSA areas, similar to External LSA, except flooded only within originating NSSA.
-        describes redistributed routes within a NSSA area.
-        show ip ospf database nssa-external.
o    Opaque LSAs, types 9, 10 and 11.
-        link-local, area and AS flooding scope respectively; type 10 carries traffic engineering parameters for MPLS TE.
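The LSA header is the unit that every type above shares, and two of its fields decide whether a received LSA is trusted at all: the checksum (Fletcher, computed over everything except the LS age) and the age field, whose top bit is the DoNotAge bit described later under Miscellaneous. The block below is an added example, not code from the original notes: it builds an LSA with a valid checksum, parses and verifies one, and applies the MaxAge/LSRefreshTime rules. The router LSA in the demo is constructed; the checksum algorithm is the ISO 8473 Annex C one that RFC 2328 specifies.

```python
import struct

# 20-byte LSA header (RFC 2328 A.4.1):
# LS age(2) | options(1) | LS type(1) | link state ID(4) | advertising router(4)
# | LS sequence(4) | checksum(2) | length(2)
LSA_HDR = struct.Struct("!HBB4s4sIHH")
DO_NOT_AGE = 0x8000        # DNA bit: most significant bit of LS age (demand circuits)
MAX_AGE = 3600             # seconds: LSA is flushed
LS_REFRESH_TIME = 1800     # seconds: originator floods a fresh copy with age 0
CSUM_OFF = 14              # offset of the checksum within the checksummed bytes (LSA minus age)
SCOPE = {1: "area", 2: "area", 3: "area", 4: "area", 5: "AS",
         7: "NSSA", 9: "link", 10: "area", 11: "AS"}


def ipb(dotted):
    return bytes(int(o) for o in dotted.split("."))


def _fletcher_sums(data):
    c0 = c1 = 0
    for b in data:
        c0 = (c0 + b) % 255
        c1 = (c1 + c0) % 255
    return c0, c1


def fletcher_checksum(data, csum_off):
    """ISO 8473 Annex C checksum for `data`, whose two checksum bytes are zero."""
    c0, c1 = _fletcher_sums(data)
    n, L = csum_off + 1, len(data)            # 1-based position used by the standard
    x = ((L - n) * c0 - c1) % 255
    y = (c1 - (L - n + 1) * c0) % 255
    return bytes([x or 255, y or 255])        # 0 is encoded as 255 (congruent mod 255)


def fletcher_ok(data):
    # a correctly checksummed octet string sums to (0, 0)
    return _fletcher_sums(data) == (0, 0)


def build_lsa(age, ls_type, lsid, adv_router, seq, body, options=0x22):
    hdr = LSA_HDR.pack(age, options, ls_type, ipb(lsid), ipb(adv_router), seq, 0, 20 + len(body))
    lsa = hdr + body
    # the checksum excludes the LS age, so aging in transit never invalidates it
    return lsa[:16] + fletcher_checksum(lsa[2:], CSUM_OFF) + lsa[18:]


def parse_lsa(lsa):
    age, options, ls_type, lsid, adv, seq, csum, length = LSA_HDR.unpack_from(lsa)
    return {
        "age": age & 0x7FFF,
        "do_not_age": bool(age & DO_NOT_AGE),
        "type": ls_type,
        "scope": SCOPE.get(ls_type, "unknown"),
        "lsid": ".".join(map(str, lsid)),
        "adv_router": ".".join(map(str, adv)),
        "seq": seq,
        "checksum_ok": length <= len(lsa) and fletcher_ok(lsa[2:length]),
    }


def lsa_age_status(age_field, elapsed, self_originated=False):
    """What a router does with an LSA `elapsed` seconds after receiving it."""
    if age_field & DO_NOT_AGE:
        return "do-not-age"        # demand circuit: never ages, no periodic refresh
    age = min(MAX_AGE, (age_field & 0x7FFF) + elapsed)
    if age >= MAX_AGE:
        return "flush"             # MaxAge: reflood with MaxAge and drop from the database
    if self_originated and age >= LS_REFRESH_TIME:
        return "refresh"           # LSRefreshTime: originate a new instance with age 0
    return "valid"


if __name__ == "__main__":
    # constructed router LSA body: flags 0, one stub link 10.0.0.0/24, metric 10
    body = bytes([0, 0, 0, 1]) + ipb("10.0.0.0") + ipb("255.255.255.0") + bytes([3, 0, 0, 10])
    lsa = build_lsa(0, 1, "1.1.1.1", "1.1.1.1", 0x80000001, body)
    print(parse_lsa(lsa))
    tampered = lsa[:-1] + bytes([lsa[-1] ^ 0x01])      # metric changed in flight
    print("tampered checksum ok:", parse_lsa(tampered)["checksum_ok"])
```

The checksum is an integrity check against corruption, not an authenticity check: anyone who can inject a packet can recompute it. That is why the authentication section further down matters, and why an LSA with the DoNotAge bit set deserves attention in a capture, since it will never expire on its own.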
·       Area Types.
o    Stub Area. (A single-area network can use any area number, 0 or 1000; only a network with two or more areas needs them attached to the backbone, area 0.)
-        no type 4 or 5 LSAs are allowed to be flooded into this area.
-        receives type 3 LSAs, and the ABR generates a single type 3 default route into the stub area with a cost of 1.
-        default cost can be change with area default-cost command.
-        is configured on ALL routers in the stub area with area stub command.
-        All routers in the stub area must agree: the E-bit in the Hello options is cleared (E=0) in a stub area, and a Hello with E=1 is rejected.
-        No redistribution can occur in stub area including static and connected.
o    Totally Stubby Areas.
-        uses default-route to reach external as well as outside the area.
-        ABR of totally stubby area will block all type 3 LSA except single LSA 3 advertising default route, 0/0.
-        Configured with area stub no-summary on the ABR, internal routers in stub area use stub configuration.
o    NSSA, Not So Stubby Area.
-        Area that allows redistribution while retaining the characteristics of a stub area to the rest of AS.
-        Type 4 and 5 are not allowed, but redistributed AS-external are allowed; type 7.
-        the ASBR generates type 7 LSAs, flooded within the NSSA, and the ABR with the highest router ID translates them to type 5.
-        If ABR receives type 7 and P-bit is set to 1, then translation to type 5 takes place.
-        If ABR receives type 7 and p-bit is set to 0, then no translation and no advertisement outside of NSSA.
-        Configured with area nssa on all routers in that area.
-        ABR does not originate default-route as in stub/totally stub area automatically.
-        To inject default-route into NSSA area, on ABR configure area nssa default-originate.
o    Totally NSSA.
-        Same as NSSA but the ABR also blocks type 3 summary LSAs, so types 3, 4 and 5 are not allowed; type 7 is.
-        ABR treats the NSSA as totally stubby and originates a default route as an inter-area (O*IA) route.
-        Configured with area nssa no-summary on the ABR; internal routers keep the plain area nssa configuration.
-        When an ABR is also an ASBR and connected to the NSSA, the default behavior is to advertise its redistributed routes into the NSSA as type 7. This can be turned off with area nssa no-redistribution.
-        Forwarding address suppression in translated type 5 LSAs: when the NSSA ABR translates type 7 to type 5, it can be told to put 0.0.0.0 in the Forwarding Address field instead of the address carried in the type 7 LSA (area nssa translate type7 suppress-fa).
-        Routers that receive such a translated LSA forward traffic to the translating NSSA ABR itself rather than toward the ASBR's forwarding address.
·       Filtering OSPF prefix advertisement.
o    ABR filtering type 3 LSA into or out of the area.
-        In-Lists filter LSAs before they are sent into an Area.
-        Out-Lists filter LSAs leaving an area to prevent those LSAs entering any other areas attached to the router.
o    Distribute-list Filtering.
-        Only prevents the prefixes from entering the RIB; it has no effect on LSA propagation, so the database still carries them.
-        distribute-list out applies only to routes being redistributed into OSPF on an ASBR; it cannot filter LSAs within an area, because every router in the area must hold the same database.
-        Using route-map, the match-route-type can be used with OSPF.
§  External type E1 and E2.
§  Internal inter and intra routes.
§  Local locally generated route on the router.
§  NSSA-external types N1 and N2.
·       Summarization.
o    Inter-Area Route Summarization.
-        Used on ABR to summarize inter-area prefixes.
-        A discard route to Null0 is created automatically for the summary; it can be disabled with no discard-route internal.
-        The area range command names the area whose prefixes are being summarized (the source area); the summary is advertised into the other areas.
-        By default the summary is advertised in place of the more specific routes. The not-advertise keyword suppresses the summary as well, so the range is hidden from other areas entirely.
-        Summarizes type 3 LSAs.
o    External Route Summarization.
-        Summarizes external routes at ASBR, redistributed into OSPF, configured with summary-address CLI.
-        Summarizes type 5 and 7 LSAs and more specific routes will not be advertised.
·       Stub Router Advertisement (max-metric).
Two benefits:
o    A router newly injected into the OSPF domain will not immediately attract transit traffic.
o    A router reload is graceful, since other routers route around it while it advertises the maximum metric.
Advertises the maximum metric (0xFFFF) on the router's transit links in its router LSA, so others avoid it for transit while its own directly connected networks stay reachable.
Also used to let BGP converge before the router carries transit traffic.
Another typical use is when multiple links exist between two areas and one of them should only be used as a last resort.
#router ospf 1
  #max-metric router-lsa on-startup {sec}   #advertises the maximum metric for {sec} seconds after startup; default 600 seconds.
  #max-metric router-lsa on-startup {sec} wait-for-bgp 
     # lets BGP decide when to generate LSA with normal metric.  default 600 seconds.
#router ospf 1    
  #max-metric router-lsa
   # configure OSPF to advertise it, so other neighbors to route around it. Sets it for self originated router LSAs.
     #max-metric router-lsa [summary-lsa | include-stub | external-lsa | on-startup]
     # overrides summary-lsa metric with max-metric.
     # sets max-metric for stub-links in router LSAs.
     # overrides external-lsa metric with max-metric value.
     # sets maximum metric on start-up; booting, rebooting.
·       Passive Interface
o    No hello packets on configured interface in passive mode, no adjacency or neighbor-ship forms.
o    This is different from vector protocols like RIP which will still receive routes, but not send any.
o    To simulate the same behavior as RIP use ip ospf database-filter all out under interface.
·       Originating default-route
o    Default-route is announced as an IP prefix 0.0.0.0/0 in OSPF.
o    Unlike other protocols, default-route can not be redistributed, needs manual configuration in OSPF.
o    Default-route can be inserted into OSPF only as an external or inter-area summary, no intra-area route.
o    Methods to originate a default route within OSPF:
-        Unconditional default-route.
§  Inject the route regardless of local router being able to reach the areas outside of OSPF domain or not.
§  Advertised as E2, metric 1, configured with default-information originate always under OSPF process.
-        Conditional default-route.
§  Advertises a default-route into OSPF domain only if the advertising router has a non-ospf default-route in its routing table.
§  Non-ospf default route could be a static default route with next-hop pointing outside of OSPF domain.
§  Non-ospf default route could be a static route based on IP SLA measurements.
§  Non-ospf default route could be a BGP advertised default route.
§  Configured with default-information originate.
#ip route 0.0.0.0 0.0.0.0 Serial1.1    # static default route via Serial1.1, a non-OSPF route.
#router ospf 1
  #default-information originate metric 10
# OSPF advertises the default route with a metric of 10 while 0.0.0.0/0 is in the routing table, and withdraws it otherwise.
-        Conditional default-route with a route-map.
§  Route-map can check IP prefix, next-hop and metrics to inject default-route into OSPF.
§  Configured with default-information originate route-map <NAME>.
-        OSPF stub area default-route.
§  ABR injects default-route into stub area as inter-area summary route with OSPF metric of 1.
§  When multiple exit point out of the stub area exits, the nearest one will be chosen.
§  Inter-area default-route for stub can be changed with default-cost command.
#router ospf 1
  #area 1 stub
  #area 1 default-cost 300  #change stub default-route cost to 300.
-        OSPF NSSA default-route.
§  Cisco routers do not advertise external default-routes into NSSA area even when configured with default-information originate always.
§  ABR can be configured to do so either with manual advertisement, type 7, NSSA external default-route by area nssa default-information-originate OR configure the NSSA area as totally NSSA area and generate inter-area, type 3, default route by area nssa no-summary.
·       Path Selection:
o    OSPF routes are classified according to a destination type; network or router.
o    show ip route ospf displays these routes
o    show ip ospf border-routers displays the ABR and ASBR router entries.
o    Route lookups:
-        O   intra-area        destinations within one of the router's attached areas.
-        O IA inter-area      destinations in another area, but within the same OSPF AS.
-        E1 (N1)              destinations external to the AS; cost = external cost + cost to the ASBR.
-        E2 (N2)              destinations external to the AS; cost = external cost only; the default type.
-        Use E1 when the internal distance to the ASBR should influence the choice of exit point (nearest exit wins).
-        Use E2 when only the external metric should decide, so every router prefers the same exit regardless of where it sits (ties are broken by the cost to the ASBR).
-        Lowest cost metric, unless ECMP exists.
o    Default Cost is OSPF metric calculated from 10^8/int. bandwidth, between 1-65535 can be modified:
-        Interface bandwidth
-        Interface ip ospf cost
-        Process auto-cost reference-bandwidth
-        Process neighbor {ip} cost {value}, on point-to-multipoint non-broadcast interfaces only.
·       Authentication:
o    If area authentication is configured, it must be configured on ALL routers in the area.
o    Don't forget virtual-links; one leg of a virtual link is in area 0, so area 0 authentication applies to it.
o    Keys can differ per interface, but the two neighbors on a link must use the same type and key. The default is null; the types are:
-        type 0, null authentication
-        type 1, clear-text password (ip ospf authentication-key); readable by anyone who can capture the packet
-        type 2, keyed MD5 (ip ospf message-digest-key {id} md5 {key}); adds a sequence number for replay protection
o    Authentication keys are locally significant to an interface, so they can be different for each interface.
o    MD5 key rollover: add the new key-id on all routers first (IOS sends a copy of each packet with every configured key until all neighbors use the new one), then remove the old key.

#router ospf 20
  #area 10 authentication                                    # type 1, clear-text authentication for area 10
  #area 20 authentication message-digest                    # type 2, MD5 authentication for area 20
  #area 30 virtual-link 1.1.1.10 authentication-key {key}   # type 1 authentication on a virtual link
  #area 40 virtual-link 2.2.2.20 message-digest-key {key-id} md5 {key}   # type 2, MD5 authentication on a virtual link
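The difference between type 1 and type 2 is easiest to see on the wire. The block below is an added example, not code from the original notes or Cisco's implementation: it builds a constructed OSPF Hello, authenticates it with keyed MD5 exactly as RFC 2328 Appendix D.4.3 describes (MD5 over the packet with the key appended, key zero-padded to 16 bytes), verifies it, applies the sequence-number replay check, and shows that a type 1 password is simply eight clear-text bytes in the header. Router IDs, keys and the sequence number are constructed for illustration.

```python
import hashlib
import hmac
import struct

# OSPFv2 header (RFC 2328 A.3.1), 24 bytes:
# version | type | length | router ID | area ID | checksum | autype | authentication (8 bytes)
HDR = struct.Struct("!BBH4s4sHH8s")
AUTH_NULL, AUTH_SIMPLE, AUTH_CRYPTO = 0, 1, 2


def ipb(dotted):
    return bytes(int(o) for o in dotted.split("."))


def hello_body(mask, hello=10, dead=40, prio=1, neighbors=()):
    # Hello body (A.3.2): mask, HelloInterval, options (E-bit), priority,
    # RouterDeadInterval, DR, BDR, then the list of neighbors seen
    body = struct.pack("!4sHBBI4s4s", ipb(mask), hello, 0x02, prio, dead,
                       ipb("0.0.0.0"), ipb("0.0.0.0"))
    return body + b"".join(ipb(n) for n in neighbors)


def ospf_checksum(data):
    # standard one's-complement checksum, used for autype 0 and 1 only
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(router_id, area_id, body, autype, auth):
    pkt = HDR.pack(2, 1, 24 + len(body), ipb(router_id), ipb(area_id), 0, autype, auth) + body
    if autype != AUTH_CRYPTO:
        # the checksum covers header + body but skips the 8-byte auth field (bytes 16..23)
        csum = ospf_checksum(pkt[:16] + pkt[24:])
        pkt = pkt[:12] + struct.pack("!H", csum) + pkt[14:]
    return pkt                      # for autype 2 the checksum field stays 0


def simple_auth_packet(router_id, area_id, body, password):
    return build_packet(router_id, area_id, body, AUTH_SIMPLE, password.ljust(8, b"\x00"))


def md5_digest(packet, key):
    # RFC 2328 D.4.3: MD5 over the OSPF packet (checksum 0, auth field holding
    # key id / auth data length / sequence number) followed by the 16-byte key
    return hashlib.md5(packet + key.ljust(16, b"\x00")[:16]).digest()


def md5_auth_packet(router_id, area_id, body, key, key_id, seq):
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)
    pkt = build_packet(router_id, area_id, body, AUTH_CRYPTO, auth)
    return pkt + md5_digest(pkt, key)   # digest trails the packet, outside the length field


def verify_md5(wire, keys):
    """Return (ok, router_id, seq); `keys` maps key id -> key bytes."""
    version, ptype, length, rid, area, csum, autype, auth = HDR.unpack_from(wire)
    if version != 2 or autype != AUTH_CRYPTO or len(wire) < length + 16:
        return False, rid, None
    _, key_id, auth_len, seq = struct.unpack("!HBBI", auth)
    if auth_len != 16 or key_id not in keys:
        return False, rid, seq
    expected = md5_digest(wire[:length], keys[key_id])
    return hmac.compare_digest(expected, wire[length:length + 16]), rid, seq


def accept_sequence(last_seen, rid, seq):
    # replay protection: the cryptographic sequence number must not go backwards per neighbor
    if seq < last_seen.get(rid, 0):
        return False
    last_seen[rid] = seq
    return True


def sniff_simple_password(wire):
    # type 1: the password sits in the clear in the 8-byte authentication field
    *_, autype, auth = HDR.unpack_from(wire)
    return auth.rstrip(b"\x00") if autype == AUTH_SIMPLE else None


if __name__ == "__main__":
    body = hello_body("255.255.255.0", neighbors=("2.2.2.2",))       # constructed Hello
    wire = md5_auth_packet("1.1.1.1", "0.0.0.0", body, b"s3cret", 1, 1000)
    print("md5 verifies:", verify_md5(wire, {1: b"s3cret"})[0])
    print("clear-text key on the wire:",
          sniff_simple_password(simple_auth_packet("1.1.1.1", "0.0.0.0", body, b"cisco")))
```

Two caveats follow directly from the code. The digest is keyed MD5, not an HMAC, and it is recomputed over the whole packet, so the per-neighbor sequence state is the only thing stopping a captured Hello from being replayed; a verifier that does not persist the last sequence number per router ID accepts replays. And the checksum field is zero under type 2, so anything that inspects OSPF on the wire must not reject MD5-authenticated packets for a "bad" checksum.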

o    By default routes redistributed into OSPF flagged E2 with the cost of 20, except EBGP which is 1.
o    Order of preference: O, O IA, E1, E2. The subnets keyword is required when redistributing if classless prefixes are wanted; otherwise only classful networks are redistributed.
o    O Intra-area, O*IA inter-area, E1 internal and external cost, E2 external cost only.
o    E1 used for multi-exit out of AS, E2 used for single exit.
o    Routing Bit Set on an LSA in show ip ospf database means OSPF selected that LSA for a route and handed it to the RIB; the route may still lose to another protocol with a better administrative distance.
o    P = 0 -> this router is an NSSA ABR+ASBR; no translation or advertisement outside of the NSSA area.
o    P = 1 -> this router is an NSSA ASBR; ABR will do type 7 translation

·       Miscellaneous: LSA types allowed per area type
o    Backbone                        types 1, 2, 3, 4, 5
o    Non-backbone (normal)           types 1, 2, 3, 4, 5
o    Stub area                       types 1, 2, 3 (no 4, 5)
o    Totally stubby area             types 1, 2 plus a single type 3 default
o    Not-so-stubby area              types 1, 2, 3, 7 (no 4, 5)
o    Totally NSSA                    types 1, 2, 7 plus a single type 3 default (no 4, 5)

o    OSPF cost of an Interface == (Ref bandwidth)100Mbs / bandwidth.
o    Paranoid or periodic update interval == 30 minutes.
o    area range on an ABR summarizes into a type 3 LSA.
o    summary-address on an ASBR summarizes type 5 LSAs (or type 7 inside an NSSA).
o    default-information originate on an ASBR injects a type 5 default; in an NSSA, area nssa default-information-originate injects a type 7 default. The default route must exist in the RIB unless always is used.
o    Periodic LSA refreshes that take place every 30 minutes do not occur with OSPF demand circuit. When a demand circuit link is established a unique option bit (the DC bit) is exchanged between neighboring routers. If two routers negotiate the DC bit successfully they make a note of it and set a specific bit in the LSA Age called the DoNotAge bit (DNA). The DNA bit is the most significant bit in the LS Age field. By setting this bit the LSA stops aging, and no periodic updates are sent.

ECMP:
Per destination load balancing using fast switching:
Router(config)# interface Ethernet 0
Router(config-if)# ip route-cache

Per packet load balancing using process switching:
Router(config)# interface Ethernet 0
Router(config-if)# no ip route-cache
 
·       Newer switching schemes such as Cisco Express Forwarding (CEF) allow you to do per-packet and per-destination load-balancing more quickly. However, it does imply that you have the extra resources to deal with maintaining CEF entries and adjacencies.
·       The OSPF Forwarding Address Suppression in Translated Type-5 LSAs feature causes a not-so-stubby area (NSSA) area border router (ABR) to translate Type-7 link state advertisements (LSAs) to Type-5 LSAs, but use the address 0.0.0.0 for the forwarding address instead of that specified in the Type-7 LSA. This feature causes routers that are configured not to advertise forwarding addresses into the backbone to directly forward traffic to the translating NSSA ABRs.

·       OSPF Inbound Filtering Using Route Maps with a Distribute List lets you define a route map that prevents OSPF routes from being added to the routing table: distribute-list route-map {NAME} in under the OSPF process. The filtering happens when OSPF installs the route in the RIB and has no effect on LSA flooding. The route map can match on any attribute of the OSPF route: match interface, match ip address, match ip next-hop, match ip route-source, match metric, match route-type and match tag. This is useful with redistribution: tag prefixes as they are redistributed on the ASBRs, then use the tag to keep them out of the routing table on other routers.