dardan:ccnp:enarsi:ospf
Link-state routing protocols operate by sending link-state advertisements (LSAs) to all other link-state routers.
All the routers need to have these link-state advertisements so they can build their link-state database (LSDB).
OSPF uses a DR (Designated Router). If it crashes, the BDR (Backup Designated Router) will take over.
OSPF routers will only form a full neighbor adjacency with the DR and BDR.
We only use a DR/BDR on a multi-access network; there is no need to do this on a point-to-point link.
The LSDB is our full picture of the network; in network terms we call this the topology.
The shortest-path first (SPF) algorithm is used to find the shortest path to destinations.
OSPF works with the concept of areas. The default is area 0, also called the backbone area.
Routers in the backbone area (area 0) are called backbone routers.
Routers between 2 areas (like the one between area 0 and area 1) are called area border routers or ABR.
Routers connected to another network (for example RIP) are called autonomous system border routers or ASBR.
Routers will become neighbors if they receive hello packets from each other.
To become neighbors, the following must match:
Hello / Dead Interval
Area ID
Authentication password
Stub area flag
OSPF uses cost as its metric, which is based on the bandwidth of an interface.
Cost = Reference Bandwidth / Interface Bandwidth
The lower the cost, the better the path.
If paths have equal cost, OSPF does load balancing.
OSPF uses IP protocol number 89.
OSPF Packets
Hello: neighbor discovery, build neighbor adjacencies and maintain them.
DBD: This packet is used to check if the LSDB between 2 routers is the same. The DBD is a summary of the LSDB.
LSR: Requests specific link-state records from an OSPF neighbor.
LSU: Sends specific link-state records that were requested. It is like an envelope with multiple LSAs in it.
LSAck: OSPF is a reliable protocol so we have a packet to acknowledge the others.
Neighbor Discovery
Down: no OSPF neighbors detected at this moment.
Init: Hello packet received.
Two-way: own router ID found in received hello packet.
Exstart: master and slave roles determined.
Exchange: database description packets (DBD) are sent.
Loading: exchange of LSR (link-state request) and LSU (link-state update) packets.
Full: OSPF routers now have an adjacency.
Hello and Dead Interval
hello interval 10 seconds
dead interval 40 seconds
debug ip ospf packet ---- to see OSPF packets
debug ip ospf adj
clear ip ospf process
show ip ospf interface FastEthernet 0/0 | include intervals ---- to see intervals
To speed up this process:
R1 & R2
(config)#interface FastEthernet 0/0
(config-if)#ip ospf hello-interval 1
Superfast hello packets
R1 & R2
(config-if)#ip ospf dead-interval minimal hello-multiplier 3
(config-if)#ip ospf dead-interval 3
DR/BDR Election
Used on multi-access networks.
Priority is used to change which router becomes the DR/BDR.
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip ospf priority 200
A priority of 0 means you will never be elected as DR or BDR.
LSAs and LSDB flooding
An OSPF LSA is only valid for 30 minutes.
If the LSA expires, the router that created the LSA will resend the LSA and increase the sequence number.
A router will consider the LSA to be more recent if it has:
A higher sequence number.
A higher checksum number.
An age equal to the maximum age.
If the link-state age is much younger.
What do the sequence numbers look like for OSPF LSAs?
They are 4 bytes or 32 bits.
Begins with 0x80000001 and ends at 0x7FFFFFFF.
Every 30 minutes each LSA will age out and will be flooded:
The sequence number will increment by one.
Every 30 minutes OSPF will flood an LSA to make sure the LSDB stays up to date,
and when it does, the sequence number will increase and OSPF will reset the max age when it receives the new LSA update.
show ip ospf database
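The rules above for deciding which copy of an LSA is more recent, written out as an added Python example (not part of the original notes). The MaxAge and MaxAgeDiff constants follow RFC 2328; representing an LSA as a (sequence, checksum, age) tuple is an assumption made for illustration.

```python
MAX_AGE = 3600        # seconds, RFC 2328 MaxAge
MAX_AGE_DIFF = 900    # seconds, RFC 2328 MaxAgeDiff: the "much younger" threshold
INITIAL_SEQ = 0x80000001
MAX_SEQ = 0x7FFFFFFF


def signed32(seq):
    """Read a 32-bit LS sequence number as signed, so 0x80000001 sorts lowest."""
    seq &= 0xFFFFFFFF
    return seq - (1 << 32) if seq & 0x80000000 else seq


def compare_lsa(a, b):
    """Return 1 if instance a is more recent, -1 if b is, 0 if they are the same.

    a and b are (sequence, checksum, age_seconds) tuples for the same LSA.
    """
    (seq_a, sum_a, age_a), (seq_b, sum_b, age_b) = a, b
    if signed32(seq_a) != signed32(seq_b):          # 1. higher sequence number
        return 1 if signed32(seq_a) > signed32(seq_b) else -1
    if sum_a != sum_b:                              # 2. higher checksum
        return 1 if sum_a > sum_b else -1
    a_max, b_max = age_a >= MAX_AGE, age_b >= MAX_AGE
    if a_max != b_max:                              # 3. age equal to the maximum age
        return 1 if a_max else -1
    if abs(age_a - age_b) > MAX_AGE_DIFF:           # 4. much younger
        return 1 if age_a < age_b else -1
    return 0


def next_seq(seq):
    """Sequence number the originator uses when it refreshes its LSA."""
    if seq == MAX_SEQ:
        # The old instance has to be flushed before starting again at INITIAL_SEQ.
        raise OverflowError("sequence space exhausted")
    return (seq + 1) & 0xFFFFFFFF
```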
Router ID
Each OSPF router selects a router ID (RID) that has to be unique in the LSDB.
Each router is identified by its unique router ID.
Two OSPF routers with the same router ID will not become neighbors.
Criteria to select the router ID:
1. Manual configuration of the router ID.
2. Highest IP address on a loopback interface.
3. Highest IP address on a non-loopback interface.
show ip protocols | include Router ID ------ to see the RID
R1(config-router)#router-id 111.111.111.111 ------ to configure manual RID
Passive Interface
We can use the passive-interface command if there are no routers on a network.
Sending hello packets there is also a security risk: an attacker’s PC can start an application that replies with OSPF hello packets, and then R1 will try to become neighbors.
R1#debug ip ospf hello ----- to see on which interfaces hello packets go out
R1(config-router)#passive-interface FastEthernet 0/1 ------ to stop sending hello packets on the interface
or
R1(config-router)#passive-interface default
then
R1(config-router)#no passive-interface FastEthernet 0/0
R1#show ip protocols ---- to see enabled passive interfaces
LSA Types
OSPF uses an LSDB and fills this with LSAs.
Types of LSAs:
LSA Type 1: Router LSA
LSA Type 2: Network LSA
LSA Type 3: Summary LSA
LSA Type 4: Summary ASBR LSA
LSA Type 5: Autonomous system external LSA
LSA Type 6: Multicast OSPF LSA
LSA Type 7: Not-so-stubby area LSA
LSA Type 8: External attribute LSA for BGP
Type 1 - Router LSA
Generated by each router for each area it is located in.
In the link-state ID you will find the originating router’s ID.
Found within the area, the router LSA always stays within the area
In this LSA you will find a list with all the directly connected links of this router
How do we identify a link?
The IP prefix on an interface.
The link type. There are 4 different link types:
Type 2 - Network LSA
Generated by the DR
The link-state ID will be the interface IP address of the DR
Created for multi-access networks.
The broadcast and non-broadcast network types require a DR/BDR.
Network LSAs are generated by the DR.
In this LSA we will find all the routers that are connected to the multi-access network, the DR and of course the prefix and subnet mask
the network LSA always stays within the area
Type 3 - Summary LSA
Created by the ABR and flooded into other areas.
OSPF works with multiple areas and you need full connectivity within all of the areas
R1 in area 2 sends its LSA to R2, which is an ABR; R2 creates a type 3 summary LSA and floods it into area 0.
This LSA will flood into all the other areas of our OSPF network.
Summary LSAs are seen in the routing table as O IA; those are your inter-area prefixes.
Type 4 - Summary ASBR LSA
Other routers need to know where to find the ASBR
This is why the ABR will generate a summary ASBR LSA which will include the router ID of the ASBR in the link-state ID field.
R1 is an ASBR (it redistributes RIP into OSPF).
R1 will flip a bit in the router LSA to identify itself as an ASBR.
When R2, which is an ABR, receives this router LSA, it will create a type 4 summary ASBR LSA and flood it into area 0.
This LSA will also be flooded in all other areas
Type 5 - Autonomous system external LSA
Generated by the ASBR.
Same topology but I’ve added a prefix (5.5.5.0 /24) at our RIP router.
This prefix will be redistributed into OSPF.
R1 (our ASBR) will take care of this and create a type 5 external LSA for this.
Don’t forget we still need type 4 summary ASBR LSA to locate R1.
If you ever tried redistribution with OSPF you might have seen O E1 or E2 entries.
Those are the external prefixes and our type 5 LSAs.
Type 6 - Multicast OSPF LSA
skip because it’s not being used. It’s not even supported by Cisco.
Type 7 - Not-so-stubby area LSA
NSSA areas do not allow type 5 external LSAs.
R1 is still our ASBR redistributing information from RIP into OSPF.
Since type 5 is not allowed we have to think of something else.
That’s why we have a type 7 external LSA that carries the exact same information but
is not blocked within the NSSA area.
R2 will translate this type 7 into a type 5 and flood it into the other areas.
show ip ospf database ---- to see the LSDB
show ip ospf database | begin Type-5
show ip ospf database | begin Summary
show ip ospf database | begin Type-7
LSA types 1, 2 and 3 can be seen if, let’s say, there are two areas across 3 routers.
LSA type 5 can be seen if you redistribute something on R1 into OSPF.
LSA type 4 can be seen on R3, which is in a different area than R1; R2 generates the type 4.
R2 has the type 7 external LSA in its LSDB since it’s in the same area as R3.
It’s also generating a type 5 external LSA to flood into area 0.
This is because R2 is an ABR.
Default Route
default-information originate can advertise a default route in OSPF.
If you add the always keyword, it will advertise the default route even if you don’t have it in the routing table.
show ip ospf database | begin Type-5
It will show up as an LSA type 5 external route.
show ip route ospf
O*E2 0.0.0.0/0 [110/1] via 192.168.12.1, 00:00:35, FastEthernet0/0
Summarization
OSPF uses LSA type 3 for inter-area routes and LSA type 5 for external prefixes that are redistributed into OSPF.
So OSPF can only summarize LSA types 3 and 5.
OSPF can do summarization, but it’s impossible to summarize within an area.
This means we have to configure summarization on an ABR or ASBR.
By default OSPF does not do summarization.
R2(config)#router ospf 1
R2(config-router)#area 0 range 172.16.0.0 255.255.0.0
R2#show ip route ospf
R2#show ip ospf database | begin Summary
Plain Text Authentication
interface FastEthernet0/0
 ip address 192.168.12.2 255.255.255.0
 ip ospf authentication
 ip ospf authentication-key MYPASS
!
router ospf 1
 network 192.168.12.0 0.0.0.255 area 0
 area 0 authentication
show ip ospf interface fastEthernet 0/0
debug ip ospf packet
MD5 Authentication
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
 ip ospf message-digest-key 1 md5 MYPASS
 ip ospf authentication message-digest
!
router ospf 1
 network 192.168.12.0 0.0.0.255 area 0
 area 0 authentication message-digest
show ip ospf interface fastEthernet 0/0
debug ip ospf packet
HMAC-SHA Extended Authentication
key chain R1
 key 1
  key-string R1_R2_PASSWORD
  cryptographic-algorithm hmac-sha-512
!
interface GigabitEthernet0/1
 ip address 192.168.12.1 255.255.255.0
 ip ospf authentication key-chain R1
!
router ospf 1
 network 192.168.12.0 0.0.0.255 area 0
show ip ospf interface GigabitEthernet 0/1 | begin auth
show ip ospf neighbor
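An added example, not from the original notes: a small Python audit that reads an IOS-style configuration and reports, per OSPF-enabled interface, the authentication mode in effect and whether the interface is passive, tying together the Passive Interface and authentication sections above. The sample configuration is constructed, and the parser assumes running-config formatting (one-space indentation, interface names written without a space).

```python
import ipaddress
import re

SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 ip address 192.168.12.1 255.255.255.0
 ip ospf authentication key-chain R1
interface FastEthernet0/0
 ip address 192.168.13.1 255.255.255.0
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
interface Serial0/0
 ip address 10.1.1.1 255.255.255.252
router ospf 1
 passive-interface FastEthernet0/1
 network 192.168.0.0 0.0.255.255 area 0
 network 10.1.1.1 0.0.0.0 area 1
 area 0 authentication
"""  # constructed running-config fragment, not taken from a real device
MODES = {None: "plaintext", "message-digest": "md5", "null": "none"}

def wildcard_match(ip, net, wild):
    # IOS "network" matching: bits set in the wildcard mask are ignored.
    i, n, w = (int(ipaddress.IPv4Address(x)) for x in (ip, net, wild))
    return ((i ^ n) & ~w & 0xFFFFFFFF) == 0

def audit(cfg):
    """Return {interface: (area, auth_mode, passive)} for OSPF-enabled interfaces."""
    ifaces, rtr, cur = {}, [], ""
    for line in cfg.splitlines():  # group sub-commands under their parent command
        if line[:1] != " ":
            cur = line.strip()
        elif cur.startswith("interface "):
            ifaces.setdefault(cur.split(None, 1)[1], []).append(line.strip())
        elif cur.startswith("router ospf"):
            rtr.append(line.strip())
    nets = [m.groups() for ln in rtr
            if (m := re.match(r"network (\S+) (\S+) area (\S+)$", ln))]
    area_auth = {m[1]: "md5" if m[2] else "plaintext" for ln in rtr
                 if (m := re.match(r"area (\S+) authentication( message-digest)?$", ln))}
    report = {}
    for name, body in ifaces.items():
        ip = next((ln.split()[2] for ln in body if ln.startswith("ip address ")), None)
        area = next((a for n, w, a in nets if ip and wildcard_match(ip, n, w)), None)
        if area is None:
            continue  # no network statement covers this interface
        mode = area_auth.get(area, "none")
        for ln in body:  # an interface-level setting overrides the area default
            m = re.match(r"ip ospf authentication(?: (message-digest|null|key-chain)\b.*)?$", ln)
            if m:
                mode = MODES.get(m[1], "key-chain")
        passive = (f"passive-interface {name}" in rtr or ("passive-interface default" in rtr
                   and f"no passive-interface {name}" not in rtr))
        report[name] = (area, mode, passive)
    return report

def findings(cfg):  # interfaces that send hellos with no or clear-text authentication
    return sorted(name for name, (_, mode, passive) in audit(cfg).items()
                  if not passive and mode in ("none", "plaintext"))
```

On the sample, `findings(SAMPLE_CONFIG)` lists FastEthernet0/0 (area-level plain text) and Serial0/0 (no authentication); FastEthernet0/1 is skipped because it is passive.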
Stub Area
Configuring an area as stub will block all type 5 external LSAs.
In order to reach networks in other areas there will be a default route.
R2(config)#router ospf 1
R2(config-router)#area 1 stub
!
R3(config)#router ospf 1
R3(config-router)#area 1 stub
show ip route ospf
Totally Stub Area
Blocks type 5 external LSAs and type 3 summary LSAs.
It’s impossible to have an ASBR in the totally stub area since type 5 external LSAs are blocked.
You only have to configure this on the ABR; we don’t have to make any changes to R3.
R2(config)#router ospf 1
R2(config-router)#area 1 stub no-summary
NSSA (Not So Stubby) Area
Use this if you want an area to be a stub area but you also have an ASBR.
This is where the type 7 external LSA kicks in.
Since we are not allowed to use the type 5 external LSA, we’ll just use a new LSA type.
R2(config)#router ospf 1
R2(config-router)#area 1 nssa
R3(config)#router ospf 1
R3(config-router)#area 1 nssa
show ip route ospf
O IA 192.168.12.0/24 [110/2] via 192.168.23.2, 00:00:44, FastEthernet0/0
R2(config)#router ospf 1
R2(config-router)#area 1 nssa default-information-originate
show ip route ospf
O IA 192.168.12.0/24 [110/2] via 192.168.23.2, 00:06:21, FastEthernet0/0
O*N2 0.0.0.0/0 [110/1] via 192.168.23.2, 00:00:54, FastEthernet0/0
Totally NSSA Area
If you want to block type 3 summary LSAs and type 5 external LSAs but still need an ASBR within the totally stub area, you can turn it into a totally NSSA.
This will block both LSA types but you can still have an ASBR in this area type.
R2(config-router)#area 1 nssa no-summary
R3#show ip route ospf
O*IA 0.0.0.0/0 [110/2] via 192.168.23.2, 00:00:39, FastEthernet0/0
show ip ospf database | begin Type-7
show ip ospf database | begin Type-5
Path Selection
Preferred path list that OSPF uses:
Intra-Area (O)
Inter-Area (O IA)
External Type 1 (E1)
NSSA Type 1 (N1)
External Type 2 (E2)
NSSA Type 2 (N2)
After the path selection it will look at the lowest cost path.
OSPF Network Type
Non-Broadcast
Broadcast
Point-to-Multipoint
Point-to-Multipoint Non-Broadcast
Point-to-Point
Troubleshooting OSPF Neighbor Adjacency
If neighbor adjacency is not in the full state then it’s in one of the other states:
There’s no OSPF neighbor at all.
It’s stuck in ATTEMPT.
It’s stuck in INIT.
It’s stuck in 2-WAY.
It’s stuck in EXSTART/EXCHANGE.
It’s stuck in LOADING.
-There’s no OSPF neighbor at all.
R1#show ip ospf neighbor
R1#show ip ospf interface fastEthernet 0/0
%OSPF: OSPF not enabled on FastEthernet0/0
R1#show run | section ospf ------ found wrong network address
Lesson learned: Make sure you have configured the correct network address, wildcard bits and area.
R1#show ip ospf neighbor
R1#show run | section ospf ----- passive interface found on int. facing neighbor
Lesson learned: Make sure OSPF is sending hello packets on an interface because otherwise you won’t be able to become neighbors.
R1#show ip ospf neighbor ---- State = INIT/DROTHER
Check multicast ----R1#ping 224.0.0.5 ---- no response
Check unicast ------R1#ping 192.168.12.2 ---- OK
Check any ACL applied
R1#show ip interface fastEthernet 0/0 | include access list ---- ACL applied
Lesson learned: Don’t block OSPF multicast addresses 224.0.0.5 and 224.0.0.6.
R1#show ip ospf neighbor ----- no neighbors
Check multicast ---- R1#ping 224.0.0.5 ---- OK
R1#debug ip ospf hello ---- Mismatched hello parameters from 192.168.12.2
R2#show ip ospf interface fastEthernet 0/0 ---- wrong subnet Mask
Lesson learned: Make sure you use the same subnet mask on routers that are directly connected to each other.
R1#show ip ospf neighbor ---- no neighborship
R1#debug ip ospf hello ---- Hello and Dead interval mismatch
Lesson learned: Make sure all required parameters in the hello packets match.
R1#show ip ospf neighbor ---- no neighborship
R1#debug ip ospf adj ---- found Mismatch Authentication type
R2#show ip ospf interface fastEthernet 0/0 | include authentication
Message digest authentication enabled
Lesson learned: Make sure you use the same OSPF authentication type and password between routers.
R1#show ip ospf neighbor ---- no neighborship
Received invalid packet: mismatch area ID,
R1#show ip ospf interface fastEthernet 0/0 | include Area --- Area 1
R2#show ip ospf interface fastEthernet 0/0 | include Area --- Area 0
R1#show run | section ospf ---- wrong area ID
Lesson learned: Make sure your OSPF routers agree on the same area number.
R1#show ip ospf neighbor ---- no neighborship
R1#debug ip ospf hello
---- Hello from 192.168.12.2 with mismatched Stub/Transit area
R2#show ip protocols | include area ---- 1 stub
R2(config-router)#no area 1 stub
Lesson learned: Make sure your OSPF routers use the same area type.
R1#show ip ospf neighbor ---- 2WAY/DROTHER
Both routers show each other as DROTHER.
The priority for both routers is 0.
R1#show ip ospf interface | include Network Type --- verify the network type
R1(config-if)#ip ospf priority 1
Lesson learned: The broadcast and non-broadcast network types require a DR/BDR election. Make sure one of the routers gets elected.
R1#show ip ospf neighbor ---- no neighborship
R1#show ip ospf interface serial 0/0 | include Network Type ---Network Type NON_BROADCAST,
R1(config-if)#ip ospf network broadcast
Lesson learned: Make sure you understand all the OSPF network types and their requirements.
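Most of the mismatches worked through above (area ID, subnet mask, hello/dead interval, authentication type, stub flag) are visible in the Hello packet itself. This added Python example, not part of the original notes, decodes an OSPFv2 Hello using the RFC 2328 field layout and lists what differs from the local interface settings; build_hello and the LOCAL dictionary are hypothetical helpers, the packets are constructed, and a broadcast network type is assumed (the mask is not compared on point-to-point links).

```python
import ipaddress
import struct

HEADER = "!BBHIIHH8s"   # version, type, length, router ID, area ID, checksum, AuType, auth data
HELLO = "!IHBBIII"      # mask, hello interval, options, priority, dead interval, DR, BDR
AUTH = {0: "null", 1: "simple password", 2: "cryptographic"}
E_BIT = 0x02            # Options E-bit: cleared by routers in a stub area


def build_hello(router_id, area, mask, hello, dead, options=E_BIT, autype=0):
    """Hypothetical helper: build a constructed Hello (no neighbors, checksum left at 0)."""
    ip = lambda s: int(ipaddress.IPv4Address(s))
    body = struct.pack(HELLO, ip(mask), hello, options, 1, dead, 0, 0)
    header = struct.pack(HEADER, 2, 1, 24 + len(body), ip(router_id), ip(area), 0, autype, b"")
    return header + body


def hello_mismatches(pkt, local):
    """Return the reasons a router with the given local settings would not accept this Hello."""
    ver, ptype, _, rid, area, _, autype, _ = struct.unpack(HEADER, pkt[:24])
    if ver != 2 or ptype != 1:
        raise ValueError("not an OSPFv2 Hello")
    mask, hello, options, _, dead, _, _ = struct.unpack(HELLO, pkt[24:44])
    dotted = lambda n: str(ipaddress.IPv4Address(n))
    seen = {"area": dotted(area), "mask": dotted(mask), "hello": hello, "dead": dead,
            "auth": AUTH.get(autype, "unknown"), "stub": not options & E_BIT}
    problems = [f"{key}: local {local[key]} != neighbor {seen[key]}"
                for key in seen if local[key] != seen[key]]
    if dotted(rid) == local["router_id"]:
        problems.append(f"duplicate router ID {dotted(rid)}")
    return problems


# Constructed local interface settings for R1 (defaults from the notes: hello 10, dead 40).
LOCAL = {"router_id": "1.1.1.1", "area": "0.0.0.0", "mask": "255.255.255.0",
         "hello": 10, "dead": 40, "auth": "null", "stub": False}
```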
Troubleshooting OSPF Route Advertisement
1. OSPF Network Command
show ip route
show ip ospf interface loopback 0 --- %OSPF: OSPF not enabled on Loopback0
show run | section router ospf --- wrong network command found
no network 10.1.1.1 0.0.0.0 area 0 --- remove
network 1.1.1.0 0.0.0.255 area 0 ---- add correct one
#show ip route | include 1.1.1. ---- not route is present
Lesson learned: Make sure you configure the correct network address, wildcard bits and area.
2. OSPF Interface Issue
R1#show ip route
R2#show ip route --- no 1.1.1.0 /24 learned
R1#show ip protocols | begin Networks ---- networks adv. are OK
R1#show ip interface brief ---- Lo0 admin down
R1(config-if)#no shutdown ---- to fix the issue
R2#show ip route | include 1.1.1 ---- now route 1.1.1 is learned
Lesson learned: You can not advertise what you don’t have!
3. OSPF Distribute-List
R1#show ip route ospf ---- empty
R2#show ip route ospf ---- 1.1.1.1 learned
R2#show ip protocols ---- adv network OK
R1#show ip protocols ---- Incoming filter is applied
R1#show access-lists ---- 10 deny 2.2.2.0
R1(config-router)#no distribute-list 1 in
R1#show ip route ospf ----- now 2.2.2.2 is learned
Lesson learned: Be aware of distribute-lists that prevent the advertising and/or installing of prefixes in the routing table.
4. OSPF Virtual Link
R1#show ip route
R2#show ip route
R1 didn’t learn about network 2.2.2.0 /24 but R2 did learn about network 1.1.1.0 /24
R1#show ip ospf virtual-links
Virtual Link OSPF_VL1 to router 192.168.12.2 is down
R2#show ip ospf virtual-links
Virtual Link OSPF_VL0 to router 192.168.12.1 is down
R1#show ip ospf neighbor ---- FULL/DR
R2#show ip ospf neighbor ---- FULL/DR
Fix
For the virtual link we need to configure the OSPF router ID of the other side, not the IP address of the other side.
R1(config-router)#no area 12 virtual-link 192.168.12.2
R1(config-router)#area 12 virtual-link 2.2.2.2
R2(config-router)#no area 12 virtual-link 192.168.12.1
R2(config-router)#area 12 virtual-link 1.1.1.1
Lesson learned: When you configure an OSPF virtual link, always use the router IDs.
5. OSPF Stub Area
R1#show ip route
R2#show ip route | include 2.2.2 ---- directly connected
R2#show ip protocols ---- redistribution is there
R2#show ip ospf database external --- nothing in the database
R2#show ip protocols | include areas --- 1 stub
Fix
R1(config-router)#no area 12 stub
R1(config-router)#area 12 nssa
R2(config-router)#no area 12 stub
R2(config-router)#area 12 nssa
Lesson learned: Stub areas do not allow external prefixes (LSA Type 5). Either change the area to NSSA or stop redistributing.
6. OSPF Default Route
R1#show run | section router ospf
R2#show run | section router ospf
R1#show ip route
R2#show ip route
R2(config)#ip route 0.0.0.0 0.0.0.0 null 0 --- first method
R2(config)#no ip route 0.0.0.0 0.0.0.0 null 0
R2(config)#router ospf 1
R2(config-router)#default-information originate always --- second method
R1#show ip route ospf
Lesson learned: If you want to advertise a default route with OSPF you need to have a default route in your routing table or use the “always” keyword.
7. OSPF Network Type
R1#show run | section router ospf
R2#show run | section router ospf
R1#show ip route
R2#show ip route
R1#show ip ospf neighbor
R2#show ip ospf neighbor
R1#show ip ospf database router 192.168.12.2
R2#show ip ospf database router 1.1.1.1
R1#show ip ospf interface fastEthernet 0/0 | include Network Type
Network Type POINT_TO_POINT
R2#show ip ospf interface fastEthernet 0/0 | include Network Type
Network Type BROADCAST
Fix
R1(config-if)#ip ospf network broadcast
R1#show ip route ospf
R2#show ip route ospf
Lesson learned: Make sure you use the correct OSPF network type on both routers.
8. OSPF Redistribute Subnets
R1#show run | section router ospf
R2#show run | section router ospf
R1#show ip route
R1#show ip protocols | include filter --- not set
R2#show ip protocols | include filter --- not set
R2#show run | include redistribute --- redistribute connected
Fix
R2(config-router)#redistribute connected subnets
Lesson learned: Add the “subnets” keyword when using redistribution or only classful networks are redistributed.
9. OSPF Summarization Commands
R1#show run | section router ospf
R2#show run | section router ospf
R1#show ip route ospf
R2#show run | section router ospf
Fix
R2(config-router)#no summary-address 172.16.0.0 255.255.0.0
R2(config-router)#area 2 range 172.16.0.0 255.255.0.0
R1#show ip route ospf
Lesson learned: Use the correct command for OSPF summarization.
dardan/ccnp/enarsi/ospf.txt · Last modified: 2021/03/23 09:33 by dardan
