Friday, July 15, 2011

notes: BGP Peering

The command 'neighbor 1.2.3.4 remote-as 100' explained
- The local router listens for 1.2.3.4 to start a TCP session to destination (dst) port 179,
or the local router can itself initiate a TCP session to 1.2.3.4 on dst port 179.
- By default the source (src) IP is the IP configured on the outgoing interface.
- This is called the BGP update source, and can be set manually with the "neighbor update-source" command.
- Recursive lookups are used to determine the outgoing interface towards the destination.
- An unexpected BGP session will be refused; the checks cover the src/dst IP address, dst port, AS number and authentication.
- If the AS numbers of the two peers match, the session according to Cisco IOS is iBGP, else it is eBGP. (Different from vendor 'J')

Note: between 2 peers, the direction of the session is from the higher IP address to the lower IP address

2.2.2.2(1024>)----->1.1.1.1(179)

- The IDLE state indicates that the router is currently not attempting any connection establishments.

- The BGP states are:
Idle
Active
OpenSent
OpenConfirm
Established

- The BGP Open message contains the following fields:

BGP version number - Has to match between neighbors.
Local AS number - Has to match what the neighbor expects (its configured remote-as).
Holdtime - Routers agree on the lowest suggested value between neighbors.
BGP router identifier (RID)
Optional parameters
- Test the connection between peers to confirm connectivity, using "telnet {dst-ip} 179 /source-interface".

-----------
COMMANDS
-----------

- Good for testing connectivity between peers

telnet {peer ip} {port-179} {/source}

- Good for seeing the TCP session being built, with src and dst IPs and ports

debug ip tcp packet detail

- Displays all TCP transactions (start of session, session errors, etc.)

debug ip tcp transactions

- Displays the BGP state transitions

debug ip bgp events 

- Debugs BGP keepalive packets

debug ip bgp keepalives

- Displays all incoming or outgoing BGP updates (!!USE WITH CAUTION!!)

debug ip bgp updates [acl]

- Displays all BGP updates received from or sent to a specific BGP neighbor
[acl] optionally matches an IP access-list. (Recommended)

debug ip bgp [ip] updates [acl]

- Enables BGP (the AS number is 16-bit; 64512-65535 are private)

router bgp {asn}


- Defines an external/internal neighbor as per their ASN

neighbor {ip|peer-group} remote-as {asn}

- Assigns a description to an external neighbor. Text can be up to 80 characters

neighbor {ip|peer-group} description {text}

- Disables communication with a BGP neighbor
    Recommended while doing extensive modification of routing policies

neighbor {ip|peer-group} shutdown

- Specifies the source interface for the TCP session that

neighbor {ip|peer-group} update-source {int}

Tuesday, July 12, 2011

notes: BGP Process

- BGP is a path vector protocol.
- TCP port 179 is used for reliable transport.
- BGP has no periodic updates; it uses triggered updates:
     - Every 5 seconds for internal peers.
     - Every 30 seconds for external peers.
- Periodic keepalives are used to verify TCP connectivity:
     - Default every 60 seconds.
- Holdtime interval: the time that may pass with no received keepalive before a notification message is sent (default = 180 seconds).
- Only the holdtime is sent (in the Open message). Two peers will agree on the lowest holdtime value between them, and then calculate the
keepalive value based on this holdtime value.
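The Open message fields and the holdtime agreement described in these notes, as an added worked example in Python (not Cisco IOS code and not from the original notes): it encodes and decodes an OPEN message in the RFC 4271 layout, applies the remote-as check, and computes the negotiated holdtime and keepalive. The AS numbers, router IDs and holdtimes in it are constructed sample values.

```python
"""Build and parse a BGP OPEN message and negotiate the hold time.

Added example for these notes (not Cisco IOS code): it encodes the OPEN
fields listed in the notes per RFC 4271 and applies the rule that the two
peers use the lower of the two suggested hold times, with the keepalive
derived from it (IOS defaults: keepalive 60 s, hold time 180 s, i.e. one third).
"""
import struct

MARKER = b"\xff" * 16          # 16-byte all-ones marker that precedes every BGP message
MSG_TYPE_OPEN = 1
BGP_VERSION = 4


def build_open(my_as, hold_time, router_id, opt_params=b""):
    """Return the wire encoding of an OPEN message (header + body)."""
    if not (0 <= my_as <= 0xFFFF):
        raise ValueError("2-byte AS number expected (16-bit, as in these notes)")
    if hold_time != 0 and hold_time < 3:
        raise ValueError("hold time must be 0 or at least 3 seconds (RFC 4271)")
    rid = bytes(int(o) for o in router_id.split("."))
    body = struct.pack("!BHH4sB", BGP_VERSION, my_as, hold_time, rid, len(opt_params)) + opt_params
    length = 19 + len(body)    # 16-byte marker + 2-byte length + 1-byte type
    return MARKER + struct.pack("!HB", length, MSG_TYPE_OPEN) + body


def parse_open(data):
    """Decode an OPEN message; returns a dict of the fields, raising on malformed input."""
    if len(data) < 29 or data[:16] != MARKER:
        raise ValueError("bad marker or truncated message")
    length, msg_type = struct.unpack("!HB", data[16:19])
    if msg_type != MSG_TYPE_OPEN or length != len(data):
        raise ValueError("not an OPEN message or length mismatch")
    version, my_as, hold_time, rid, opt_len = struct.unpack("!BHH4sB", data[19:29])
    if version != BGP_VERSION:
        raise ValueError("unsupported BGP version %d" % version)
    if hold_time != 0 and hold_time < 3:
        raise ValueError("unacceptable hold time %d" % hold_time)
    if len(data) != 29 + opt_len:
        raise ValueError("optional parameter length mismatch")
    return {
        "version": version,
        "my_as": my_as,
        "hold_time": hold_time,
        "router_id": ".".join(str(b) for b in rid),
        "opt_params": data[29:],
    }


def check_peer(open_msg, expected_as):
    """Mirror the 'neighbor X remote-as N' check: the AS in the OPEN must be the configured one."""
    fields = parse_open(open_msg)
    if fields["my_as"] != expected_as:
        raise ValueError("bad peer AS %d, expected %d" % (fields["my_as"], expected_as))
    return fields


def negotiate_timers(local_hold, peer_hold):
    """Both peers use the smaller hold time; keepalive is one third of it (0 disables both)."""
    hold = min(local_hold, peer_hold)
    return hold, hold // 3


if __name__ == "__main__":
    # Constructed sample: local router in AS 100 proposes 180 s, peer in AS 200 proposes 90 s.
    local = build_open(100, 180, "1.1.1.1")
    peer = build_open(200, 90, "2.2.2.2")
    peer_fields = check_peer(peer, expected_as=200)
    print(negotiate_timers(parse_open(local)["hold_time"], peer_fields["hold_time"]))  # (90, 30)
```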

-----------
COMMANDS
-----------


1. - Enables BGP routing process

router bgp {as-number}

2. - Configures the RID for the BGP process (the RID is not used the way the IGPs use it)

bgp router-id {ip}

3. - Changes the interval at which the BGP scanner process runs (max/default = 60 sec)
- The BGP scanner walks the BGP table and confirms the reachability of next hops
- The BGP scanner process is also responsible for the conditional advertisement check
and for performing route dampening

bgp scan-time {scanner-interval}


4. - Changes the default values (60 sec, 180 sec) of the BGP timers
- Only the holdtime value is communicated in the BGP Open message
- The smallest configured holdtime value between BGP peers is used by both peers and
used to determine the keepalive

timers bgp {keepalive} {holdtime}

5. - Changes the default time interval for sending BGP routing
updates to a specific neighbor
- If lowered, can improve convergence, but can consume considerable resources
in a jittery network if the value is too low. (Range 0 to 600 seconds)
- Default values: 30 sec for eBGP neighbors, 5 sec for iBGP neighbors

neighbor {ip|peer-group} advertisement-interval {sec}

6. - Changes the default values of the BGP timers for a specific neighbor or peer group
- The per-neighbor timers override the process timers

neighbor {ip|peer-group} timers {keepalive} {holdtime}

Friday, July 8, 2011

LAB: OSPF Features

- Configure SW4 so that it does not generate a log message upon receipt of a Type-6 LSA advertisement.
- Configure SW4 so that it does not take the MTU value into account when establishing adjacencies on its Port-Channel1 interface.
- Configure SW4 to reflect the following output:

Neighbor ID     Pri   State           Dead Time   Address         Interface
Rack1SW2          1   FULL/BDR        00:00:35    155.1.108.8     Port-channel1


commands:

SW4:
ip host Rack1SW2 150.1.8.8
!
ip ospf name-lookup
!
interface Port-channel1
ip ospf mtu-ignore
!
router ospf 1
ignore lsa mospf
Cisco's OSPFv2 does not support multicast OSPF (MOSPF), which is advertised through Type-6 LSAs. To stop the router from generating a log message when a Type-6 LSA is received, "ignore lsa mospf" is used.

If the 2 routers have different MTUs, they will not form a neighbor relationship. To ignore the MTU, "ip ospf mtu-ignore" is used.

The "ip ospf name-lookup" command makes the router perform a DNS lookup for OSPF neighbors using their router-id.

LAB: OSPF Resource Limiting

- Configure R4 so that no more than 5000 LSAs can exist in the database.
- No more than 500 of these routes should be originated through
redistribution.
- R4’s OSPF process should be allowed to use up to 20% CPU utilization before allowing interrupts from higher priority processes.

R4:

router ospf 1
max-lsa 5000
redistribute maximum-prefix 500
process-min-time percent 20

LSA and prefix limiting is used to protect against attacks or misconfiguration in OSPF that can affect the router's normal traffic forwarding, such as a full Internet BGP table being accidentally redistributed into the IGP. The process-min-time command additionally limits the OSPF process's CPU usage.

verification:

Rack1R4#show ip ospf
 Routing Process "ospf 1" with ID 150.1.4.4
 Start time: 00:00:12.492, Time elapsed: 00:12:05.060
 Supports only single TOS(TOS0) routes
 Supports opaque LSA
 Supports Link-local Signaling (LLS)
 Supports area transit capability
 Maximum number of non self-generated LSA allowed 5000
    Threshold for warning message 75%
    Ignore-time 5 minutes, reset-time 10 minutes
    Ignore-count allowed 5, current ignore-count 0
 It is an area border and autonomous system boundary router
 Redistributing External Routes from,
    rip, includes subnets in redistribution
    Maximum limit of redistributed prefixes 500
    Threshold for warning message 75%
 Originating router-LSAs with maximum metric
    Condition: always, State: active
 Initial SPF schedule delay 100 msecs
 Minimum hold time between two consecutive SPFs 1000 msecs
 Maximum wait time between two consecutive SPFs 10000 msecs
 Incremental-SPF disabled
 Initial LSA throttle delay 10 msecs
 Minimum hold time for LSA throttle 4000 msecs
 Maximum wait time for LSA throttle 6000 msecs
 Minimum LSA arrival 2000 msecs
 LSA group pacing timer 240 secs
 Interface flood pacing timer 50 msecs
 Retransmission pacing timer 75 msecs
 Number of external LSA 21. Checksum Sum 0x127F78
 Number of opaque AS LSA 0. Checksum Sum 0x000000
 Number of DCbitless external and opaque AS LSA 0
 Number of DoNotAge external and opaque AS LSA 11
 Number of areas in this router is 2. 2 normal 0 stub 0 nssa
 Number of areas transit capable is 0
 External flood list length 0
    Area BACKBONE(0)
        Number of interfaces in this area is 3 (1 loopback)
        Area has no authentication
        SPF algorithm last executed 00:00:46.804 ago
        SPF algorithm executed 4 times
        Area ranges are
        Number of LSA 38. Checksum Sum 0x2BD18A
        Number of opaque link LSA 0. Checksum Sum 0x000000
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 37
        Flood list length 0
    Area 1
        Number of interfaces in this area is 1
        Area has no authentication
        SPF algorithm last executed 00:00:53.592 ago
        SPF algorithm executed 2 times
        Area ranges are
        Number of LSA 93. Checksum Sum 0x4D8CD6
        Number of opaque link LSA 0. Checksum Sum 0x000000
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 0
        Flood list length 0

Sunday, July 3, 2011

LAB: OSPF Database Filtering

- Configure SW1 so that SW3 cannot learn any OSPF routes from SW1, but SW1 can still learn OSPF routes from SW3.
- Configure R5 so that R2 cannot learn from R5, but R5 can still learn OSPF routes from R2.

R5:
router ospf 1
neighbor 155.1.0.2 database-filter all out

SW1:
interface Vlan79
ip ospf database-filter all out

Note: the OSPF command database-filter all out is similar in operation to the passive-interface command in RIPv2. This feature still allows OSPF neighbors to form, since hello packets are not filtered out, but stops the advertisement of all LSAs out the interface or to the neighbor in question.

LAB: OSPF NSSA ABR External Filtering

- Disable R6’s link to VLAN 146 and Loopback0.
- Configure area 2 as an NSSA.
- Configure summarization on R3 so that devices outside of area 2 do not have a route to the network 200.0.0.0/24.
- This filter should not affect any other prefixes.

commands:

R3:
router ospf 1
area 2 nssa

R6:
interface FastEthernet0/0.146
shutdown
!
interface Loopback0
shutdown
!
router ospf 1
area 2 nssa

SW1:
router ospf 1
area 2 nssa

SW3:
router ospf 1
area 2 nssa

summary-address can be used to suppress the origination of a Type-5 External LSA into Area 0. The key difference from distribute-list and administrative-distance filters is that the prefix is also filtered out of the OSPF database, not just the routing table.

before the summary-address filter is applied at R3:

Rack1R5#show ip ospf database external 200.0.0.0

            OSPF Router with ID (150.1.5.5) (Process ID 1)

                Type-5 AS External Link States

  Routing Bit Set on this LSA
  LS age: 16
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: 200.0.0.0 (External Network Number )
  Advertising Router: 150.1.3.3
  LS Seq Number: 80000001
  Checksum: 0x3BFE
  Length: 36
  Network Mask: /24
        Metric Type: 2 (Larger than any link state path)
        TOS: 0
        Metric: 20
        Forward Address: 0.0.0.0
        External Route Tag: 0

  LS age: 627
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: 200.0.0.0 (External Network Number )
  Advertising Router: 150.1.6.6
  LS Seq Number: 80000005
  Checksum: 0xC24
  Length: 36
  Network Mask: /24
        Metric Type: 2 (Larger than any link state path)
        TOS: 0
        Metric: 20
        Forward Address: 0.0.0.0
        External Route Tag: 0

Rack1R5#
Rack1R5#
Rack1R5#sho ip route | inc E2                  
       E1 - OSPF external type 1, E2 - OSPF external type 2
O E2    51.51.51.51 [110/20] via 155.1.0.2, 00:03:31, Serial0/0
O E2 204.12.1.0/24 [110/20] via 155.1.45.4, 00:03:31, Serial0/1
O E2 200.0.0.0/24 [110/20] via 155.1.0.3, 00:00:19, Serial0/0
O E2    54.1.1.0 [110/20] via 155.1.0.3, 00:03:31, Serial0/0
O E2 200.0.1.0/24 [110/20] via 155.1.0.3, 00:03:31, Serial0/0
O E2 200.0.2.0/24 [110/20] via 155.1.0.3, 00:03:31, Serial0/0
O E2 200.0.3.0/24 [110/20] via 155.1.0.3, 00:03:31, Serial0/0
O E2    9.9.9.9 [110/20] via 155.1.0.3, 00:03:30, Serial0/0
O E2    31.3.0.0 [110/20] via 155.1.45.4, 00:03:31, Serial0/1
O E2    31.2.0.0 [110/20] via 155.1.45.4, 00:03:31, Serial0/1
O E2    31.1.0.0 [110/20] via 155.1.45.4, 00:03:31, Serial0/1
O E2    31.0.0.0 [110/20] via 155.1.45.4, 00:03:31, Serial0/1
O E2    30.2.0.0 [110/20] via 155.1.45.4, 00:03:31, Serial0/1
O E2    30.3.0.0 [110/20] via 155.1.45.4, 00:03:31, Serial0/1
O E2    30.0.0.0 [110/20] via 155.1.45.4, 00:03:31, Serial0/1
O E2    30.1.0.0 [110/20] via 155.1.45.4, 00:03:31, Serial0/1


applying the summary-address filter at R3.

Rack1R3(config)#router ospf 1
Rack1R3(config-router)#summary-address 200.0.0.0 255.255.255.0 not-advertise


verification:

Rack1R5#show ip ospf database external 200.0.0.0

            OSPF Router with ID (150.1.5.5) (Process ID 1)

       
Rack1R5#sho ip route | inc E2                 
       E1 - OSPF external type 1, E2 - OSPF external type 2
O E2    51.51.51.51 [110/20] via 155.1.0.2, 00:01:33, Serial0/0
O E2 204.12.1.0/24 [110/20] via 155.1.45.4, 00:01:33, Serial0/1
O E2    54.1.1.0 [110/20] via 155.1.0.3, 00:01:33, Serial0/0
O E2 200.0.1.0/24 [110/20] via 155.1.0.3, 00:01:33, Serial0/0
O E2 200.0.2.0/24 [110/20] via 155.1.0.3, 00:01:33, Serial0/0
O E2 200.0.3.0/24 [110/20] via 155.1.0.3, 00:01:33, Serial0/0
O E2    9.9.9.9 [110/20] via 155.1.0.3, 00:01:33, Serial0/0
O E2    31.3.0.0 [110/20] via 155.1.45.4, 00:01:33, Serial0/1
O E2    31.2.0.0 [110/20] via 155.1.45.4, 00:01:33, Serial0/1
O E2    31.1.0.0 [110/20] via 155.1.45.4, 00:01:33, Serial0/1
O E2    31.0.0.0 [110/20] via 155.1.45.4, 00:01:33, Serial0/1
O E2    30.2.0.0 [110/20] via 155.1.45.4, 00:01:33, Serial0/1
O E2    30.3.0.0 [110/20] via 155.1.45.4, 00:01:33, Serial0/1
O E2    30.0.0.0 [110/20] via 155.1.45.4, 00:01:33, Serial0/1
O E2    30.1.0.0 [110/20] via 155.1.45.4, 00:01:33, Serial0/1


LAB: OSPF Filtering with Route-maps

- Configure route-map filtering on R6 so that traffic going towards the Loopback0 network of R3 is sent towards R1.

Using a route-map with the distribute-list command extends the filtering capability with additional match criteria:
- outgoing interface in the routing table
- ip address
- ip next-hop
- ip route-source
- router-id
- metric
- route type (intra, inter etc.)
- tag

@ R6

Rack1R6#show ip route 150.1.3.3
Routing entry for 150.1.3.3/32
  Known via "ospf 1", distance 110, metric 130, type intra area
  Redistributing via eigrp 10
  Advertised by eigrp 10 metric 10000 1000 255 1 1500
  Last update from 155.1.146.1 on FastEthernet0/0.146, 00:31:23 ago
  Routing Descriptor Blocks:
    155.1.146.4, from 150.1.3.3, 00:31:23 ago, via FastEthernet0/0.146
      Route metric is 130, traffic share count is 1
  * 155.1.146.1, from 150.1.3.3, 00:31:23 ago, via FastEthernet0/0.146
      Route metric is 130, traffic share count is 1

adding the filter to eliminate the route to 150.1.3.3 via R4


Rack1R6(config)#access-list 3 permit 150.1.3.3
Rack1R6(config)#access-list 4 permit 155.1.146.4

Rack1R6(config)#route-map DENY_R3_LOOPBACK_FROM_R4 deny 10
Rack1R6(config-route-map)#match ip address 3
Rack1R6(config-route-map)#match ip next-hop 4
Rack1R6(config-route-map)#route-map DENY_R3_LOOPBACK_FROM_R4 permit 20


Rack1R6(config)#router ospf 1
Rack1R6(config-router)#distribute-list route-map DENY_R3_LOOPBACK_FROM_R4 in


verification: route to 150.1.3.3 via R4 is not installed in the routing table.

Rack1R6#show ip route 150.1.3.3
Routing entry for 150.1.3.3/32
  Known via "ospf 1", distance 110, metric 130, type intra area
  Redistributing via eigrp 10
  Advertised by eigrp 10 metric 10000 1000 255 1 1500
  Last update from 155.1.146.1 on FastEthernet0/0.146, 00:00:06 ago
  Routing Descriptor Blocks:
  * 155.1.146.1, from 150.1.3.3, 00:00:06 ago, via FastEthernet0/0.146
      Route metric is 130, traffic share count is 1

LAB: OSPF Filtering with Administrative Distance

- Configure administrative distance filtering on R5 so that traffic going towards the VLAN 67 network is sent towards R3.


Administrative distance can be changed on a per-prefix and per-neighbor basis in OSPF. The main difference here is that the address field in the distance command refers to the originator of the prefix into the area, not necessarily the neighbor you are learning the routes from.


In the scenario below, the 155.1.67.0 network is reachable via two ABRs:
1.  155.1.0.3, advertised by 150.1.3.3 (R3) - ABR
2.  155.1.0.1, advertised by 150.1.6.6 (R6) - ABR

So we can match either one of the above ABR addresses in the address field of the distance command.

Rack1R5#show ip route 155.1.67.0
Routing entry for 155.1.67.0/24
  Known via "ospf 1", distance 110, metric 66, type inter area
  Last update from 155.1.0.3 on Serial0/0, 00:00:02 ago
  Routing Descriptor Blocks:
    155.1.0.3, from 150.1.3.3, 00:00:02 ago, via Serial0/0
      Route metric is 66, traffic share count is 1
  * 155.1.0.1, from 150.1.6.6, 00:00:02 ago, via Serial0/0
      Route metric is 66, traffic share count is 1

adding the distance command at R5

Rack1R5(config)#access-list 67 permit 155.1.67.0

Rack1R5(config)#router ospf 1
Rack1R5(config-router)#distance 255 150.1.6.6 0.0.0.0 67

verification: now only the route toward R3 is installed.

Routing entry for 155.1.67.0/24
  Known via "ospf 1", distance 110, metric 66, type inter area
  Last update from 155.1.0.3 on Serial0/0, 00:00:06 ago
  Routing Descriptor Blocks:
  * 155.1.0.3, from 150.1.3.3, 00:00:06 ago, via Serial0/0
      Route metric is 66, traffic share count is 1

Rack1R5#traceroute 155.1.67.6

Type escape sequence to abort.
Tracing the route to 155.1.67.6

  1 155.1.0.3 20 msec 36 msec 0 msec
  2 155.1.37.7 16 msec 8 msec 8 msec
  3 155.1.67.6 12 msec *  56 msec

LAB: OSPF Summarization and Discard Routes

- Configure R5 to advertise the summary 150.X.0.0/22 into area 3.
- Ensure that R5, SW2, and SW4 can still reach the Loopback0 networks of R1 and R2, even with the previously configured distribute-list filter applied.

When performing summarization in OSPF, as with other protocols (EIGRP/BGP), a matching route to Null0 for the summary is installed locally in the routing table. This "discard" route prevents traffic from being forwarded towards a shorter match, such as a default route, when there is no specific route towards the actual destination.

command:
no discard-route [internal|external]
internal - refers to inter-area summarization with the area-range command
external - refers to redistributed summarization with the summary-address command.

@ SW2 before adding the area-range command in R5

Rack1SW2#show ip route | include 150.
     150.1.0.0/16 is variably subnetted, 8 subnets, 2 masks
O IA    150.1.7.0/24 [110/97] via 155.1.58.5, 00:00:06, Vlan58
O IA    150.1.6.6/32 [110/96] via 155.1.58.5, 00:00:06, Vlan58
O       150.1.5.5/32 [110/31] via 155.1.58.5, 00:05:04, Vlan58
O IA    150.1.4.4/32 [110/95] via 155.1.58.5, 00:00:06, Vlan58
O IA    150.1.3.3/32 [110/95] via 155.1.58.5, 00:00:06, Vlan58
O       150.1.10.0/24 [110/151] via 155.1.108.10, 00:05:04, Port-channel1
O IA    150.1.9.0/24 [110/98] via 155.1.58.5, 00:00:06, Vlan58
C       150.1.8.0/24 is directly connected, Loopback0

Rack1R5(config)#router ospf 1
Rack1R5(config-router)#area 0 range 150.1.0.0 255.255.252.0

at SW2 after adding the area-range command in R5

Rack1SW2#show ip route | include 150.
     150.1.0.0/16 is variably subnetted, 8 subnets, 3 masks
O IA    150.1.7.0/24 [110/97] via 155.1.58.5, 00:02:00, Vlan58
O IA    150.1.6.6/32 [110/96] via 155.1.58.5, 00:02:00, Vlan58
O       150.1.5.5/32 [110/31] via 155.1.58.5, 00:06:58, Vlan58
O IA    150.1.4.4/32 [110/95] via 155.1.58.5, 00:02:00, Vlan58
O IA    150.1.0.0/22 [110/95] via 155.1.58.5, 00:00:06, Vlan58
O       150.1.10.0/24 [110/151] via 155.1.108.10, 00:06:58, Port-channel1
O IA    150.1.9.0/24 [110/98] via 155.1.58.5, 00:02:00, Vlan58
C       150.1.8.0/24 is directly connected, Loopback0



@ SW2, reachability to 150.1.3.3 is OK but not to 150.1.1.1.

Let us examine R5: its longest match for 150.1.1.1 is the discard route via Null0, which is a longer match than the default route 0.0.0.0/0.

Rack1R5#show ip route 150.1.1.1
Routing entry for 150.1.0.0/22
  Known via "ospf 1", distance 110, metric 0, type intra area
  Routing Descriptor Blocks:
  * directly connected, via Null0
      Route metric is 0, traffic share count is 1

Rack1R5#show ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
  Known via "ospf 1", distance 110, metric 104, candidate default path
  Tag 1, type extern 1
  Last update from 155.1.0.4 on Serial0/0, 00:00:53 ago
  Routing Descriptor Blocks:
  * 155.1.45.4, from 150.1.4.4, 00:00:53 ago, via Serial0/1
      Route metric is 104, traffic share count is 1
      Route tag 1
    155.1.0.4, from 150.1.4.4, 00:00:53 ago, via Serial0/0
      Route metric is 104, traffic share count is 1
      Route tag 1


with the discard route disabled at R5:

Rack1R5(config)#router ospf 1
Rack1R5(config-router)#no discard-route internal

Rack1R5#show ip route 150.1.1.1
% Subnet not in table

Rack1R5#show ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
  Known via "ospf 1", distance 110, metric 104, candidate default path
  Tag 1, type extern 1
  Last update from 155.1.0.4 on Serial0/0, 00:00:16 ago
  Routing Descriptor Blocks:
  * 155.1.45.4, from 150.1.4.4, 00:00:16 ago, via Serial0/1
      Route metric is 104, traffic share count is 1
      Route tag 1
    155.1.0.4, from 150.1.4.4, 00:00:16 ago, via Serial0/0
      Route metric is 104, traffic share count is 1
      Route tag 1

The final result is that SW2 uses the 150.1.0.0/22 route (produced by the area-range command on R5) to reach 150.1.1.1, and R5 uses the 0.0.0.0/0 prefix to route the traffic towards R4.
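The longest-match behaviour behind the discard route, as an added example in Python (not IOS code and not part of the original notes): a small routing table modelled on the R5 outputs above is looked up with and without the Null0 summary route. It generalises the lab's single lookup to any destination address.

```python
"""Longest-prefix lookup showing what the OSPF discard route does.

Added example for these notes (not IOS code): a tiny routing table built
from the R5 entries shown in the lab (150.1.0.0/22 via Null0 from the area
range, 0.0.0.0/0 via R4, and 150.1.3.3/32 from the pre-verification output).
Looking up 150.1.1.1 with and without the discard route reproduces the
behaviour of "no discard-route internal".
"""
import ipaddress

NULL0 = "Null0"


def lookup(table, dst):
    """Return (prefix, next_hop) of the longest matching prefix, or None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return None if best is None else (str(best[0]), best[1])


def forwards_to(table, dst):
    """Classify what happens to a packet: 'drop' (discard route), a next hop, or 'unroutable'."""
    hit = lookup(table, dst)
    if hit is None:
        return "unroutable"
    return "drop" if hit[1] == NULL0 else hit[1]


# Constructed R5 table, modelled on the outputs in the lab above.
R5_WITH_DISCARD = [
    ("0.0.0.0/0", "155.1.45.4"),    # default route learned from R4
    ("150.1.0.0/22", NULL0),        # discard route from 'area 0 range 150.1.0.0 255.255.252.0'
    ("150.1.3.3/32", "155.1.0.3"),  # specific route to R3's loopback
]
# The same table after 'no discard-route internal'.
R5_NO_DISCARD = [entry for entry in R5_WITH_DISCARD if entry[1] != NULL0]

if __name__ == "__main__":
    for dst in ("150.1.3.3", "150.1.1.1"):
        print(dst, forwards_to(R5_WITH_DISCARD, dst), forwards_to(R5_NO_DISCARD, dst))
```

With the discard route, 150.1.1.1 is dropped locally; without it the packet follows the default towards R4, which is exactly what the two "show ip route 150.1.1.1" outputs above show.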

LAB: OSPF Filtering with Distribute-Lists

- Configure distribute-list filtering on R5, SW2, and SW4 so that these devices do not install routes to the loopback0 networks of R1 and R2.

Intra-area filtering can be accomplished in OSPF with an inbound distribute-list; the filtering only affects the local routing table, not the OSPF database.

Note: implementing this can result in traffic black holes; ensure that all routers still agree on the forwarding paths in the network.

pre-verification:

Rack1R5#show ip route | inc 150.
     150.1.0.0/16 is variably subnetted, 10 subnets, 2 masks
O IA    150.1.7.0/24 [110/67] via 155.1.0.1, 00:05:53, Serial0/0
C       150.1.5.0/24 is directly connected, Loopback0
O IA    150.1.6.6/32 [110/66] via 155.1.0.1, 00:05:53, Serial0/0
O       150.1.4.4/32 [110/65] via 155.1.45.4, 00:05:53, Serial0/1
O       150.1.3.3/32 [110/65] via 155.1.0.3, 00:05:53, Serial0/0
O       150.1.2.2/32 [110/65] via 155.1.0.2, 00:05:53, Serial0/0
O       150.1.1.1/32 [110/65] via 155.1.0.1, 00:05:53, Serial0/0
O       150.1.10.0/24 [110/152] via 155.1.58.8, 00:07:41, FastEthernet0/0
O IA    150.1.9.0/24 [110/68] via 155.1.0.1, 00:05:53, Serial0/0
O       150.1.8.0/24 [110/2] via 155.1.58.8, 00:07:41, FastEthernet0/0

applying the distribute-list command on R5

Rack1R5(config)#access-list 1 deny 150.1.1.1
Rack1R5(config)#access-list 1 deny 150.1.2.2
Rack1R5(config)#access-list 1 permit any
Rack1R5(config)#router ospf 1
Rack1R5(config-router)#distribute-list  1 in

result: 150.1.1.1 and 150.1.2.2 are not installed in the routing table.

Rack1R5#show ip route | inc 150.             
     150.1.0.0/16 is variably subnetted, 8 subnets, 2 masks
O IA    150.1.7.0/24 [110/67] via 155.1.0.1, 00:00:08, Serial0/0
C       150.1.5.0/24 is directly connected, Loopback0
O IA    150.1.6.6/32 [110/66] via 155.1.0.1, 00:00:08, Serial0/0
O       150.1.4.4/32 [110/65] via 155.1.45.4, 00:00:08, Serial0/1
O       150.1.3.3/32 [110/65] via 155.1.0.3, 00:00:08, Serial0/0
O       150.1.10.0/24 [110/152] via 155.1.58.8, 00:00:08, FastEthernet0/0
O IA    150.1.9.0/24 [110/68] via 155.1.0.1, 00:00:08, Serial0/0
O       150.1.8.0/24 [110/2] via 155.1.58.8, 00:00:08, FastEthernet0/0

@ SW2, the routes to 150.1.1.1 and 150.1.2.2 are in the routing table and the OSPF database, but pings fail; this is due to the distribute-list filter at the ABR R5.

Rack1SW2#show ip route 150.1.1.1
Routing entry for 150.1.1.1/32
  Known via "ospf 1", distance 110, metric 95, type inter area
  Last update from 155.1.58.5 on Vlan58, 00:00:45 ago
  Routing Descriptor Blocks:
  * 155.1.58.5, from 150.1.5.5, 00:00:45 ago, via Vlan58
      Route metric is 95, traffic share count is 1

Rack1SW2#show ip route 150.1.2.2
Routing entry for 150.1.2.2/32
  Known via "ospf 1", distance 110, metric 95, type inter area
  Last update from 155.1.58.5 on Vlan58, 00:00:51 ago
  Routing Descriptor Blocks:
  * 155.1.58.5, from 150.1.5.5, 00:00:51 ago, via Vlan58
      Route metric is 95, traffic share count is 1

Rack1SW2#show ip route 150.1.2.2
Routing entry for 150.1.2.2/32
  Known via "ospf 1", distance 110, metric 95, type inter area
  Last update from 155.1.58.5 on Vlan58, 00:01:22 ago
  Routing Descriptor Blocks:
  * 155.1.58.5, from 150.1.5.5, 00:01:22 ago, via Vlan58
      Route metric is 95, traffic share count is 1

Rack1SW2#ping 150.1.2.2         

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.2.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)


adding the distribute-list filter at SW2

Rack1SW2(config)#access-list 1 deny   150.1.1.1
Rack1SW2(config)#access-list 1 deny   150.1.2.2
Rack1SW2(config)#access-list 1 permit any
Rack1SW2(config)#router ospf 1
Rack1SW2(config-router)# distribute-list 1 in


verification: the routes are not in the routing table but are still inside the OSPF database.

Rack1SW2#show ip route 150.1.1.1
% Subnet not in table
Rack1SW2#show ip route 150.1.2.2
% Subnet not in table

Rack1SW2#show ip ospf database summary 150.1.1.1

            OSPF Router with ID (150.1.8.8) (Process ID 1)

                Summary Net Link States (Area 3)

  Routing Bit Set on this LSA
  LS age: 1 (DoNotAge)
  Options: (No TOS-capability, DC, Upward)
  LS Type: Summary Links(Network)
  Link State ID: 150.1.1.1 (summary Network Number)
  Advertising Router: 150.1.5.5
  LS Seq Number: 80000001
  Checksum: 0x605A
  Length: 28
  Network Mask: /32
        TOS: 0  Metric: 65

Rack1SW2#show ip ospf database summary 150.1.2.2

            OSPF Router with ID (150.1.8.8) (Process ID 1)

                Summary Net Link States (Area 3)

  Routing Bit Set on this LSA
  LS age: 1 (DoNotAge)
  Options: (No TOS-capability, DC, Upward)
  LS Type: Summary Links(Network)
  Link State ID: 150.1.2.2 (summary Network Number)
  Advertising Router: 150.1.5.5
  LS Seq Number: 80000001
  Checksum: 0x4B6D
  Length: 28
  Network Mask: /32
        TOS: 0  Metric: 65

Note: SW4 has similar result with SW2.

Saturday, July 2, 2011

LAB: OSPF Reliable Conditional default routing using IP SLA

- Remove the previous default route advertisement on R4.
- Configure an IP SLA instance on R4 to check ICMP reachability to BB3 every five seconds.
- R4 should advertise a default route into OSPF, but only if the SLA
monitoring reports its status as OK.


Conditional default routing by monitoring layer 2 interface state is not a good indication of end-to-end reachability. A better design is to employ IP SLA tracking, which is more reliable than layer 2 interface status and provides accurate end-to-end reachability information.


Rack1R4(config)#ip sla monitor 1
Rack1R4(config-sla-monitor)#type echo protocol ipicmpEcho 204.12.1.254
Rack1R4(config-sla-monitor-echo)#timeout 2000
Rack1R4(config-sla-monitor-echo)#frequency 5
Rack1R4(config-sla-monitor-echo)#exit

Rack1R4(config)#ip sla monitor schedule 1 start-time now life forever

Rack1R4(config)#track 1 rtr 1
Rack1R4(config)#ip route 169.254.0.1 255.255.255.255 null0 track 1

Rack1R4#show track
Track 1
  Response Time Reporter 1 state
  State is Up
    1 change, last change 00:02:35
  Latest operation return code: OK
  Latest RTT (millisecs) 36
  Tracked by:
    STATIC-IP-ROUTING 0

configuring the route-map

Rack1R4(config)#ip prefix-list PLACEHOLDER permit 169.254.0.1/32

Rack1R4(config)#route-map TRACK_PLACEHOLDER
Rack1R4(config-route-map)#match ip address prefix-list PLACEHOLDER

Rack1R4(config)#router ospf 1
Rack1R4(config-router)#default-information originate always route-map TRACK_PLACEHOLDER

before shutting down SW4 fa0/24 on the far end of the connection:

Rack1R4#show ip ospf database | inc _0.0.0.0
0.0.0.0         150.1.4.4       44          0x80000001 0x00B35F 1
0.0.0.0         150.1.6.6       1152        0x80000002 0x009776 1

Rack1R4#
Rack1R4#show ip route 169.254.0.1
Routing entry for 169.254.0.1/32
  Known via "static", distance 1, metric 0 (connected)
  Routing Descriptor Blocks:
  * directly connected, via Null0
      Route metric is 0, traffic share count is 1

shutting down SW4 fa0/24

Rack1R4#
*Mar  1 01:41:29.419: %TRACKING-5-STATE: 1 rtr 1 state Up->Down

Rack1R4#show ip route 169.254.0.1          
% Network not in table

Rack1R4#show ip ospf database | inc _0.0.0.0
0.0.0.0         150.1.6.6       1288        0x80000002 0x009776 1

LAB: OSPF Conditional Routing

- Remove the previous default route advertisement on R6.
- Configure R6 to originate a default route into OSPF, but only if the local Serial interface connecting to BB1 is up.

Conditional default-information origination in OSPF can use a route-map to check for the existence of a specific prefix in the routing table before the default route is originated.

In this scenario R6 is tracking the s0/0 interface, which leads to the upstream network.


Rack1R6(config)#ip prefix-list LINK_TO_BB1 SEq 5 PERmit 54.1.1.0/24

Rack1R6(config)#route-map TRACK_LINK_TO_BB1 permit 10
Rack1R6(config-route-map)#match ip address prefix-list LINK_TO_BB1

Rack1R6(config)#router ospf 1
Rack1R6(config-router)#default-information originate always route-map TRACK_LINK_TO_BB1



@ R1 before shutting down R6's s0/0 interface

Rack1R1#show ip ospf database external 0.0.0.0

            OSPF Router with ID (150.1.1.1) (Process ID 1)

                Type-5 AS External Link States

  Routing Bit Set on this LSA
  LS age: 298
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: 0.0.0.0 (External Network Number )
  Advertising Router: 150.1.4.4
  LS Seq Number: 80000002
  Checksum: 0xB5B5
  Length: 36
  Network Mask: /0
        Metric Type: 1 (Comparable directly to link state metric)
        TOS: 0
        Metric: 40
        Forward Address: 0.0.0.0
        External Route Tag: 1

  LS age: 50
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: 0.0.0.0 (External Network Number )
  Advertising Router: 150.1.6.6
  LS Seq Number: 80000003
  Checksum: 0x9577
  Length: 36
  Network Mask: /0
        Metric Type: 2 (Larger than any link state path)
        TOS: 0
        Metric: 1
        Forward Address: 0.0.0.0
        External Route Tag: 1

After shutting down R6's s0/0 interface, R6's Type-5 external 0.0.0.0 route is no longer in the database.

Rack1R1#show ip ospf database external 0.0.0.0

            OSPF Router with ID (150.1.1.1) (Process ID 1)

                Type-5 AS External Link States

  Routing Bit Set on this LSA
  LS age: 349
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: 0.0.0.0 (External Network Number )
  Advertising Router: 150.1.4.4
  LS Seq Number: 80000002
  Checksum: 0xB5B5
  Length: 36
  Network Mask: /0
        Metric Type: 1 (Comparable directly to link state metric)
        TOS: 0
        Metric: 40
        Forward Address: 0.0.0.0
        External Route Tag: 1

LAB: OSPF Default Routing

- Configure R6 with a static default route pointing to BB1.
- Configure R6 to originate an external type-2 default route with a metric of 60 into OSPF as long as the static default route is installed in the routing table.
- Do not use a route-map to accomplish this.
- Configure R4 to originate an external type-1 default route with a metric of 40 regardless of whether it has a default route already installed in the routing table.

In non-stub areas, default routing is achieved with the default-information originate command. OSPF first checks whether a default route is installed in the routing table. If a default route exists, either static or learned via another routing protocol, the OSPF default route is originated; if no default route is found, no origination occurs. This behaviour is desirable when there are 2 or more exit points from the OSPF domain to the ISP network: each exit point only originates a default route if it itself has a default path to the upstream network.

The always argument of default-information originate skips the check for a default route already being installed in the table.

Rack1R1#show ip ospf database external 0.0.0.0

            OSPF Router with ID (150.1.1.1) (Process ID 1)

command sets

Rack1R6(config)#router ospf 1                
Rack1R6(config-router)#default-information originate metric 60

Rack1R4(config)#router ospf 1
Rack1R4(config-router)#default-information originate always metric 40 metric-type 1


verification:

R4 is originating an E1 default route with a metric of 40, and R6 an E2 default route with a metric of 60. The same route-selection logic is applied to these default routes: E1 is preferred over E2, and if both are E2 the forward metrics are compared.

Rack1R1#show ip ospf database external 0.0.0.0

            OSPF Router with ID (150.1.1.1) (Process ID 1)

                Type-5 AS External Link States

  Routing Bit Set on this LSA
  LS age: 2 (DoNotAge)
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: 0.0.0.0 (External Network Number )
  Advertising Router: 150.1.4.4
  LS Seq Number: 80000001
  Checksum: 0xB7B4
  Length: 36
  Network Mask: /0
        Metric Type: 1 (Comparable directly to link state metric)
        TOS: 0
        Metric: 40
        Forward Address: 0.0.0.0
        External Route Tag: 1

  Routing Bit Set on this LSA
  LS age: 173
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: 0.0.0.0 (External Network Number )
  Advertising Router: 150.1.6.6
  LS Seq Number: 80000001
  Checksum: 0xE9E9
  Length: 36
  Network Mask: /0
        Metric Type: 2 (Larger than any link state path)
        TOS: 0
        Metric: 60
        Forward Address: 0.0.0.0
        External Route Tag: 1

Rack1R1#show ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
  Known via "ospf 1", distance 110, metric 41, candidate default path
  Tag 1, type extern 1
  Last update from 155.1.146.4 on FastEthernet0/0, 00:00:13 ago
  Routing Descriptor Blocks:
  * 155.1.146.4, from 150.1.4.4, 00:00:13 ago, via FastEthernet0/0
      Route metric is 41, traffic share count is 1
      Route tag 1

LAB: OSPF Forwarding Address Suppression

- Modify R5’s NSSA configuration so that devices outside of area 3 maintain connectivity to SW4’s redistributed Loopback 10.10.10.10/32.

For external routes in the OSPF database, the Forward Address field determines which address the next recursive lookup is performed towards. For type-5 external LSAs, such as the RIP routes R4 redistributes into OSPF, the forward address is normally set to 0.0.0.0, which means the next lookup is performed towards the advertising router.

Examining a normal type-5 external LSA lookup, the output below shows the Forward Address is 0.0.0.0 and the advertising router is 150.1.4.4.


Rack1R1#show ip ospf database external 30.0.0.0

            OSPF Router with ID (150.1.1.1) (Process ID 1)

                Type-5 AS External Link States

  Routing Bit Set on this LSA
  LS age: 2 (DoNotAge)
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: 30.0.0.0 (External Network Number )
  Advertising Router: 150.1.4.4
  LS Seq Number: 80000001
  Checksum: 0xD80A
  Length: 36
  Network Mask: /16
        Metric Type: 2 (Larger than any link state path)
        TOS: 0
        Metric: 20
        Forward Address: 0.0.0.0
        External Route Tag: 0

R1 sees that the DR for VLAN 146 is R6 (155.1.146.6).

Rack1R1#show ip ospf database router 150.1.1.1 self-originate  | begi Area 1
                Router Link States (Area 1)

  LS age: 294
  Options: (No TOS-capability, DC)
  LS Type: Router Links
  Link State ID: 150.1.1.1
  Advertising Router: 150.1.1.1
  LS Seq Number: 80000002
  Checksum: 0xADEA
  Length: 36
  Area Border Router
  Number of Links: 1

    Link connected to: a Transit Network
     (Link ID) Designated Router address: 155.1.146.6
     (Link Data) Router Interface address: 155.1.146.1
      Number of TOS metrics: 0
       TOS 0 Metrics: 1



Rack1R1#show ip ospf database network 155.1.146.6

            OSPF Router with ID (150.1.1.1) (Process ID 1)

                Net Link States (Area 1)

  Routing Bit Set on this LSA
  LS age: 406
  Options: (No TOS-capability, DC)
  LS Type: Network Links
  Link State ID: 155.1.146.6 (address of Designated Router)
  Advertising Router: 150.1.6.6
  LS Seq Number: 80000001
  Checksum: 0x324E
  Length: 36
  Network Mask: /24
        Attached Router: 150.1.6.6
        Attached Router: 150.1.1.1
        Attached Router: 150.1.4.4

The output below shows that the 30.0.0.1 route is reachable via R4 with a metric of 20 (type-2 external) and a forward metric of 1.

Rack1R1#show ip route 30.0.0.1
Routing entry for 30.0.0.0/16
  Known via "ospf 1", distance 110, metric 20, type extern 2, forward metric 1
  Last update from 155.1.146.4 on FastEthernet0/0, 00:05:41 ago
  Routing Descriptor Blocks:
  * 155.1.146.4, from 150.1.4.4, 00:05:41 ago, via FastEthernet0/0
      Route metric is 20, traffic share count is 1


Examining a type-5 external LSA that was translated from a type-7 NSSA external LSA.

In this scenario SW4 redistributes 10.10.10.10/32 into area 3 as a type-7 NSSA external LSA, and R5 translates it into a type-5 external LSA as it moves into area 0.


The output below shows a non-zero forwarding address, so the next recursive lookup is performed towards 150.1.10.10 instead of the advertising router 150.1.5.5.

Rack1R3#show ip ospf database external 10.10.10.10

            OSPF Router with ID (150.1.3.3) (Process ID 1)

                Type-5 AS External Link States

  LS age: 547
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: 10.10.10.10 (External Network Number )
  Advertising Router: 150.1.5.5
  LS Seq Number: 80000001
  Checksum: 0x1912
  Length: 36
  Network Mask: /32
        Metric Type: 2 (Larger than any link state path)
        TOS: 0
        Metric: 20
        Forward Address: 150.1.10.10
        External Route Tag: 0

Rack1R3#show ip route 150.1.10.10
% Subnet not in table

The problem here is that the LSA for 150.1.10.0 was filtered out at ABR R5, so the recursion towards the forwarding address fails and the route cannot be installed in the routing table.

The solution is to suppress the forwarding address in translated type-5 LSAs, which instructs the ABR not to preserve the value in the Forward Address field as a type-7 NSSA external LSA is translated into a type-5 external LSA.
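As an added example (not part of the original notes), the model below works through both the E1/E2 default-route preference from the OSPF Default Routing lab and the forward-address recursion that fails here: a type-5 LSA is resolved via its Forward Address, or via the Advertising Router when that field is 0.0.0.0. The LSAs are taken from the outputs above; the routing-table costs and next hops are assumptions drawn from the forward metrics shown in the show ip route output.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class ExternalLsa:
    prefix: str        # Link State ID / mask, e.g. "0.0.0.0/0"
    adv_router: str    # Advertising Router (ASBR, or the type-7 to type-5 translator)
    forward_addr: str  # Forward Address; 0.0.0.0 means "resolve via the advertising router"
    metric_type: int   # 1 = E1, 2 = E2
    metric: int

def suppress_fa(lsa):
    """Model of 'translate type7 suppress-fa': the translating ABR writes
    0.0.0.0 into the Forward Address instead of preserving the ASBR's address."""
    return replace(lsa, forward_addr="0.0.0.0")

def resolve(lsa, table):
    """Recursive lookup for one type-5 LSA. `table` maps reachable router-ids and
    forwarding addresses to (intra/inter-area cost, next hop).
    Returns None when the lookup fails ('% Subnet not in table')."""
    target = lsa.adv_router if lsa.forward_addr == "0.0.0.0" else lsa.forward_addr
    if target not in table:
        return None
    fwd_cost, next_hop = table[target]
    # E1 adds the forward metric into the route metric; E2 keeps them separate
    metric = lsa.metric + fwd_cost if lsa.metric_type == 1 else lsa.metric
    return {"type": lsa.metric_type, "metric": metric,
            "forward_metric": fwd_cost, "next_hop": next_hop}

def best_route(lsas, table):
    """E1 beats E2; then the lower metric; for E2 the forward metric breaks ties."""
    routes = [r for r in (resolve(l, table) for l in lsas) if r]
    if not routes:
        return None
    return min(routes, key=lambda r: (r["type"], r["metric"], r["forward_metric"]))

# Constructed input copied from the LSAs shown in the notes above.
R4_DEFAULT = ExternalLsa("0.0.0.0/0", "150.1.4.4", "0.0.0.0", 1, 40)
R6_DEFAULT = ExternalLsa("0.0.0.0/0", "150.1.6.6", "0.0.0.0", 2, 60)
SW4_LOOPBACK = ExternalLsa("10.10.10.10/32", "150.1.5.5", "150.1.10.10", 2, 20)
# Assumed routing-table view: R1 reaches R4 and R6 across VLAN 146 at cost 1;
# R3 reaches R5 over the serial link at cost 64 and has no route to 150.1.10.10.
R1_TABLE = {"150.1.4.4": (1, "155.1.146.4"), "150.1.6.6": (1, "155.1.146.6")}
R3_TABLE = {"150.1.5.5": (64, "155.1.0.5")}

if __name__ == "__main__":
    print(best_route([R4_DEFAULT, R6_DEFAULT], R1_TABLE))  # R4's E1 default, metric 41
    print(resolve(SW4_LOOPBACK, R3_TABLE))                   # None: forward address unreachable
    print(resolve(suppress_fa(SW4_LOOPBACK), R3_TABLE))      # metric 20, forward metric 64
```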

Rack1R5(config)#router ospf 1
Rack1R5(config-router)#area 3 nssa no-redistribution no-summary translate type7 suppress-fa


verification: the result now is that R3 sees the forward address as 0.0.0.0, which means the lookup must be performed towards the advertising router 150.1.5.5.

Rack1R3#show ip ospf database external 10.10.10.10            

            OSPF Router with ID (150.1.30.30) (Process ID 1)

                Type-5 AS External Link States

  Routing Bit Set on this LSA
  LS age: 24
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: 10.10.10.10 (External Network Number )
  Advertising Router: 150.1.5.5
  LS Seq Number: 80000002
  Checksum: 0x8352
  Length: 36
  Network Mask: /32
        Metric Type: 2 (Larger than any link state path)
        TOS: 0
        Metric: 20
        Forward Address: 0.0.0.0
        External Route Tag: 0

Rack1R3#show ip ospf database router 150.1.30.30 self-originate

            OSPF Router with ID (150.1.30.30) (Process ID 1)

                Router Link States (Area 0)

  LS age: 54
  Options: (No TOS-capability, DC)
  LS Type: Router Links
  Link State ID: 150.1.30.30
  Advertising Router: 150.1.30.30
  LS Seq Number: 80000004
  Checksum: 0xEEB8
  Length: 60
  Area Border Router
  AS Boundary Router
  Number of Links: 3

    Link connected to: another Router (point-to-point)
     (Link ID) Neighboring Router ID: 150.1.5.5
     (Link Data) Router Interface address: 155.1.0.3
      Number of TOS metrics: 0
       TOS 0 Metrics: 64

The final result is that the external route is installed with a metric of 20, which derives from SW4's default redistribution metric (type-2), plus the forward metric of 65.

Rack1R3#show ip route 10.10.10.10
Routing entry for 10.10.10.10/32
  Known via "ospf 1", distance 110, metric 20, type extern 2, forward metric 64
  Last update from 155.1.0.5 on Serial1/0, 00:00:53 ago
  Routing Descriptor Blocks:
  * 155.1.0.5, from 150.1.5.5, 00:00:53 ago, via Serial1/0
      Route metric is 20, traffic share count is 1



Suboptimal routing may be introduced when there are multiple exit points out of the NSSA.

For type-7 to type-5 translation, the ABR with the highest router-id wins. The forward address calculation is kept separate and is based on metric. In short, the control-plane advertisement of the route does not have to follow the path the traffic takes in the forwarding plane, but with forwarding address suppression the traffic will always flow through the type-7 to type-5 translator.

In this scenario SW3's loopback 9.9.9.9/32 was redistributed into area 2. R5 sees the external LSA for 9.9.9.9/32 with advertising router 150.1.30.30 (R3, the type-7 to type-5 translator) and a forward address of 150.1.9.9.

Rack1R5#show ip ospf database external 9.9.9.9

            OSPF Router with ID (150.1.5.5) (Process ID 1)

                Type-5 AS External Link States

  Routing Bit Set on this LSA
  LS age: 112
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: 9.9.9.9 (External Network Number )
  Advertising Router: 150.1.30.30
  LS Seq Number: 80000001
  Checksum: 0xE519
  Length: 36
  Network Mask: /32
        Metric Type: 2 (Larger than any link state path)
        TOS: 0
        Metric: 20
        Forward Address: 150.1.9.9
        External Route Tag: 0

The lookup towards 150.1.9.9 results in using the R6 exit point out of area 2, via R1.

Rack1R5#show ip route 150.1.9.9
Routing entry for 150.1.9.0/24
  Known via "ospf 1", distance 110, metric 68, type inter area
  Last update from 155.1.0.1 on Serial0/0, 00:02:11 ago
  Routing Descriptor Blocks:
  * 155.1.0.1, from 150.1.6.6, 00:02:11 ago, via Serial0/0
      Route metric is 68, traffic share count is 1

Verified using traceroute:

Rack1R5#traceroute 9.9.9.9

Type escape sequence to abort.
Tracing the route to 9.9.9.9

  1 155.1.0.1 16 msec 60 msec 12 msec
  2 155.1.146.6 56 msec 40 msec 12 msec
  3 155.1.67.7 12 msec 12 msec 8 msec
  4 155.1.79.9 8 msec *  44 msec

Now adding the translate type7 suppress-fa command:

Rack1R3(config)#router ospf 1
Rack1R3(config-router)#area 2 nssa no-summary translate type7 suppress-fa

verification:

Rack1R5#show ip ospf database external 9.9.9.9

            OSPF Router with ID (150.1.5.5) (Process ID 1)

                Type-5 AS External Link States

  Routing Bit Set on this LSA
  LS age: 112
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: 9.9.9.9 (External Network Number )
  Advertising Router: 150.1.30.30
  LS Seq Number: 80000001
  Checksum: 0xE519
  Length: 36
  Network Mask: /32
        Metric Type: 2 (Larger than any link state path)
        TOS: 0
        Metric: 20
        Forward Address: 0.0.0.0
        External Route Tag: 0


Rack1R5#traceroute 9.9.9.9

Type escape sequence to abort.
Tracing the route to 9.9.9.9

  1 155.1.0.1 16 msec 60 msec 12 msec
  2 155.1.146.6 56 msec 40 msec 12 msec
  3 155.1.67.7 12 msec 12 msec 8 msec
  4 155.1.79.9 8 msec *  44 msec


Rack1R5#show ip route 9.9.9.9
Routing entry for 9.9.9.9/32
  Known via "ospf 1", distance 110, metric 20, type extern 2, forward metric 64
  Last update from 155.1.0.3 on Serial0/0, 01:37:23 ago
  Routing Descriptor Blocks:
  * 155.1.0.3, from 150.1.30.30, 01:37:23 ago, via Serial0/0
      Route metric is 20, traffic share count is 1