OSPF notes
———————————-
Always define the ROUTER-ID!!!!!!
—————————————–
to ignore MOSPF (LSA type 6)
router ospf 1
net 0.0.0.0 0.0.0.0 a 0
ignore lsa mospf
———————————–
to ensure fast detection of a neighbor being down, config r2/r3 to send their hellos
four times a second with a hold time of one second.
r2/r3
int e0/0
ip ospf dead-interval minimal hello-multiplier 4 <—- by specifying the MINIMAL and
HELLO-MULTIPLIER I am enabling OSPF fast hello packets.
The MINIMAL keyword sets the dead interval to 1 second and the HELLO-MULTIPLIER
sets the number of hello packets sent during that 1 second.
sho ip ospf inter e0/0
——————————————————-
make sure routers lookup DNS names
ip ospf name-lookup
ip host R1 1.1.1.1
——————————————
Config R2 so if it does not receive an acknowledgement from R3 for a LSA then it
should wait 10 seconds before it resends the LSA.
ip ospf retransmit-interval 10
—————————————–
limit the number of non-self-originated LSA’s that an OSPF routing process keeps in
the database (default is limitless)
router ospf 1
max-lsa 900
——————–
control the rate at which LSA retransmitted updates occur.
router ospf 1
timers pacing retransmission 60
———————————–
config ospf hello’s for 15 seconds and a 60 seconds dead interval.
int s1/0
ip ospf hello-interval 15
note: the dead interval is 4 times the hello. Hello on ethernet is 10 sec. On non-broadcast
it’s 30 seconds.
sho ip ospf int < — to verify
———————————————————————————-
all interfaces are in area 5
router ospf 1
router-id 1.1.1.1
netw 0.0.0.0 0.0.0.0 a 5
——————————-
ALWAYS configure the router-id when using ospf.
———————————————————-
advertise loopback in ospf with the true mask
int loop1
ip ospf network point-to-point
or
area 1 range 3.3.3.3 255.255.255.0
or
redistribute connected < — but this will not advertise the area in routing updates
——————————————————————————-
All ospf area’s must have a connection to area 0
r1 a0 <> r2 a3 <> r3 a2
r1 area 3 virtual-link 3.3.3.3
r3 area 3 virtual-link 1.1.1.1
AREA transit_area_id VIRTUAL-LINK router_id_of_remote
note: area 3 is the transit area.
————————————————————
Ospf MD5 area authentication
router ospf 1
area 2 authentication message-digest
int s1/0.1
ip ospf message-digest-key 1 md5 cisco12
note: no global key chain command needs to be configured. Pay attention because
under the interface there is also a ip ospf authentication and ip ospf
authentication-key command but that is used for clear text.
1. allow authentication under the interface.
2. enable authentication for the area under the routing process.
3. make sure you configure area 0 authentication message-digest for area 0 where you have
the far end of the virtual link.
—————————————————————–
interface-based clear text authentication
int s1/0.12
ip ospf authentication
ip ospf authentication-key cisco2
—————————————
have OSPF advertise the correct mask of the loopback address
before
sh ip route
1.0.0.0/32
after
int lo0
ip add 1.1.1.1 255.255.255.0
ip ospf network point-to-point
sh ip route
1.0.0.0/24
—————————————————–
to change the cost of loop0
int loop0
ip ospf cost 20
before: O 2.2.2.0 [110/65] 100,000,000 / 1,544,000 = 64 + the cost of the
loopback 100,000,000/8,000,000,000 = 1
after: O 2.2.2.0 [110/84]
——————————————
If you have interfaces with bandwidth higher than 100 million (100mbps) you should use
the auto-cost reference-bandwidth command to change the default value so OSPF will be
able to differentiate between a 100mbps and a higher mbps interface. YOU MUST USE THIS
COMMAND ON EVERY ROUTER in the OSPF routing domain.
router ospf 1
auto-cost reference-bandwidth 1000
—————————————————–
change the cost on fastethernet interfaces on all routers to 70 without using an
interface command.
router ospf 1
auto-cost reference-bandwidth 7000 ( for dynamips ethernet interfaces use 700)
The formula to get 7000 is reference 7,000,000,000 / 100,000,000 bandwidth = cost.
But we need to get the reference bandwidth first. The formula is reference = cost x
bandwidth … 70 x 100,000,000 = 7,000,000,000.
———————————————————————————
The difference between redistribute connected and redistribute connected subnets
r4
router ospf 1
redistribute connected
R3(config-router)#do sho ip route os
4.0.0.0/32 is subnetted, 1 subnets
O 4.4.4.4 [110/65] via 131.1.34.4, 00:00:02, Serial1/0.34
==== now lets try redistribute connected subnets ====
r4
router ospf 1
redistribute connected subnets
R3(config-router)#do sho ip route os
4.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
O 4.4.4.4/32 [110/65] via 131.1.34.4, 00:00:12, Serial1/0.34
O E2 4.4.0.0/24 [110/20] via 131.1.34.4, 00:00:03, Serial1/0.34
O E2 4.4.1.0/24 [110/20] via 131.1.34.4, 00:00:03, Serial1/0.34
O E2 4.4.2.0/24 [110/20] via 131.1.34.4, 00:00:03, Serial1/0.34
O E2 4.4.3.0/24 [110/20] via 131.1.34.4, 00:00:03, Serial1/0.34
———————————————————————-
summarize ospf routes
Summarization can be configured on 2 types of routers
ABR = connected to the backbone and multiple area’s. Internal routes can only be
summarized on ABR’s with the AREA xx RANGE command. ( you don’t have to summarize on
the router where the route originates. You can summarize on any router with the
route in the routing table.)
ASBR = routers that act as gateways between OSPF and other protocols. External
routes can only summarized on ASBR’s with the SUMMARY-ADDRESS command. This includes
redistribute connected routes!
ABR = AREA xx RANGE
ASBR = SUMMARY-ADDRESS
———————————————-
When you summarize routes OSPF injects a discard route (Null route) to stop loops.
To get rid of the Null route =
ABR
router ospf 1
no discard-route internal
ASBR
router ospf 1
no discard-route external
———————————————
join two area 0’s but do not use a virtual link
r1
router ospf 1
net 15.1.1.1 0.0.0.0 a 0
int tun15
ip add 15.1.1.1 255.255.255.0
tunnel source 15.1.1.1
tunnel destination 15.1.1.2
r2
router ospf 1
net 15.1.1.2 0.0.0.0 a 0
int tun 15
ip address 15.1.1.2 255.255.255.0
tun source 15.1.1.2
tun dest 15.1.1.1
———————————-
| type                  | cmd                    | lsa                  | default route injected without :default-info originate? |
| stub                  | area xx stub           | 1,2,3,4              | yes |
| totally stubby        | area x stub no-summary | 1,2, default of 3    | yes |
| nssa                  | area x nssa            | 1,2,3,4,7            | no  |
| not so totally stubby | area x nssa no-summary | 1,2, default of 3, 7 | yes |
…………………………………………………………….
OSPF network types
elects a DR
broadcast
non-broadcast – unicast – need neighbor cmd
does NOT elect a DR
point-to-point
point-to-multipoint – generates a /32
point-to-multipoint non-broadcast – generates a /32 – unicast – needs neighbor command.
Broadcast and non-broadcast elect a DR.
point-to-multipoint and point-to-multipoint non-broadcast generate a /32
non-broadcast and point-to-multipoint non-broadcast are unicast and need a neighbor command.
————————————————–
————————————————
Ospf MD5 area authentication
router ospf 1
area 2 authentication message-digest
int s1/0.1
ip ospf message-digest-key 1 md5 cisco12
note: no global key chain command needs to be configured. Pay
attention because under the interface there is also a ip ospf
authentication and ip ospf authentication-key command but that is
used for clear text.
1. enable authentication under the interface
2. enable authentication for the area under the routing process
3. make sure you configure area 0 authentication message-digest for area 0
where you have the far end of the virtual link.
clear text area for a virtual-link
router ospf 1
area 1 virtual-link 2.2.2.2 authentication
area 1 virtual-link 2.2.2.2 authentication-key cisco
MD5 authentication for a virtual-link
router ospf 1
area 1 virtual-link 2.2.2.2 authentication message-digest
area 1 virtual-link 2.2.2.2 message-digest-key 1 md5 cisco
– change the password to CCIE without interrupting the link
router ospf 1
area 2 virtual-link 3.3.3.3 message-digest-key 2 md5 CCIE
—————————————————————
Stub area
- stub area can not be a transit area for a virtual link. use GRE
instead.
- stub can not have an ASBR
- backbone area can not be configured as a stub area
- every router and the ABR should have the area xx stub configured.
- no LSA type 5 (e1 or e2) is allowed in a stub area. You can connect
to external routes via the default route injected by the ABR.
- Cost of a default route is 1. you can adjust with the AREA xx
DEFAULT-COST ##.
r1
router ospf 1
area 1 stub
sh ip route | ex C
Gateway of last resort is 131.1.12.2 to network 0.0.0.0
1.0.0.0/24 is subnetted, 1 subnets
2.0.0.0/24 is subnetted, 1 subnets
O 2.2.2.0 [110/65] via 131.1.12.2, 00:14:02, Serial1/0.12
3.0.0.0/24 is subnetted, 1 subnets
O IA 3.3.3.0 [110/75] via 131.1.12.2, 00:14:02, Serial1/0.12
4.0.0.0/24 is subnetted, 1 subnets
O IA 4.4.4.0 [110/139] via 131.1.12.2, 00:14:02, Serial1/0.12
5.0.0.0/24 is subnetted, 1 subnets
O IA 5.5.5.0 [110/149] via 131.1.12.2, 00:01:53, Serial1/0.12
22.0.0.0/24 is subnetted, 1 subnets
O IA 22.2.2.0 [110/65] via 131.1.12.2, 00:14:02, Serial1/0.12
131.1.0.0/24 is subnetted, 4 subnets
O IA 131.1.23.0 [110/74] via 131.1.12.2, 00:14:02, Serial1/0.12
O IA 131.1.34.0 [110/138] via 131.1.12.2, 00:14:02, Serial1/0.12
O IA 131.1.45.0 [110/148] via 131.1.12.2, 00:01:44, Serial1/0.12
44.0.0.0/24 is subnetted, 1 subnets
O IA 44.4.4.0 [110/139] via 131.1.12.2, 00:14:02, Serial1/0.12
O*IA 0.0.0.0/0 [110/65] via 131.1.12.2, 00:14:02, Serial1/0.12
r2
router ospf 1
area 1 stub
If I use area 1 stub no-summary **ON R2** I will see all the IA
and E routes filtered.
R1
sh ip route | ex C
Gateway of last resort is 131.1.12.2 to network 0.0.0.0
1.0.0.0/24 is subnetted, 1 subnets
2.0.0.0/24 is subnetted, 1 subnets
O 2.2.2.0 [110/65] via 131.1.12.2, 00:07:33, Serial1/0.12
131.1.0.0/24 is subnetted, 1 subnets
O*IA 0.0.0.0/0 [110/65] via 131.1.12.2, 00:07:33, Serial1/0.12
—————————————–
area 1 should only use lsa 1,2,3 and 7. no ability to connect to any
external redistributed routes in the routing domain.
access-list 1 per 11.1.0.0 0.0.3.255
route-map TEST per
match ip add 1
router ospf 1
area 1 nssa
redistribute connected route-map TEST subnets
NOTE: NSSA area’s you will not see the 0.0.0.0/0 route injected by
the ASBR. so you need to add the default-information-originate
command to the nssa.
———————————-
config r5 with loopback 1-3 and redistribute into ospf. After
redistribution the area should only maintain and propagate LSA type
1,2,3,7 and a default route.
note: NSSA’s propagate type 1,2,3,7 LSA’s but you need nssa
default-information-originate to propagate the default route.
r4
router ospf 1
area 2 nssa default-information-originate
r5
access-list 5 perm 155.1.0.0 0.0.3.255
route-map RC2OSPFA2 perm 10
match ip add 5
router ospf 1
area 2 nssa
redistribute connected subnets route-map RC2OSPFA2
note:
r4
default-information originate
area 2 nssa
I tested and it will not work. It generated a default route on R3 and
not on R5!!!
——————————-
area 1 should receive/propagate type 1,2,7 LSA’s and a default route.
so this needs to be a not so totally stubby area.
router ospf 1
area 1 nssa no-summary < — the no-summary means that it filters LSA
type 3 routes
———————————-
change the cost of the injected default route to 50.
note: a default routes cost is 1.
router ospf 1
area 1 default-cost 50
before:
sho ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
Known via "ospf 1", distance 110, metric 65 (64 + cost of default-route (1))
after:
sho ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
Known via "ospf 1", distance 110, metric 114 (64 + 50)
———————————————————–
configure the loopbacks to advertise the actual subnets mask
int loo0
ip ospf network point-to-point
———————————-
config r5 so that routers in area 5 do not receive any LSA’s from
other area’s, but other area’s should receive routes from area 5.
Don’t use distribute-list, access-list, or any command under the
routing process to accomplish this task.
r3
int s1/0.34
des connection to r4 – area 5
ip ospf database-filter all out < — this filters all outgoing lsa’s
to R4.
————————————–
config r2 so that it filters all locally generated LSA’s and prevents
the LSA’s from R1 to reach R3 and R4. R3 and R4 should receive all
LSA’s from R3 & R4. Do not use any global config commands to solve
this task.
R2
int f0/0
ip ospf net point-to-multipoint
router ospf 1
neigh 131.1.23.3 database-filter all out
NOTE: this question is confusing because I can do this without the
global command or changing the OSPF interface type by doing this:
r2
int f0/0
ip ospf database-filter all out
—————————————
config r3 or R4 so that r4 does not have reachability to network
3.0.0.0. You must use a distribute list.
r4
access-list 3 deny 3.0.0.0 0.255.255.255
access-list 3 permit any
router ospf 1
distribute-list 3 in s1/0.43
NOTE: DISTRIBUTE-LIST OUT will not work in OSPF unless it’s performed
on the ASBR
——————————————–
Redistributing connected will turn the router into an ASBR
————————————————————–
ensure net 3.3.0.0 – 3.3.3.0 are seen as external routes
r3
access-list 33 per 3.3.0.0 0.0.3.255
route-map 3EXTROUTE per 10
match ip add 33
router ospf 1
redistribute connected subnets route-map 3EXTROUTE
—————————————————–
config ospf routers so they do not have access to net 4.4.2.0/24. Do
not use any global, neighbor, interface, or any ip ospf cmd to
accomplish this task.
router ospf 1
summary-address 4.4.3.0 255.255.255.0 not-advertise
NOTE: by adding the not-advertise command you actually filter that
net. Can be used on ASBR. External routes only.
another way but only on ABR. Internal only. Can not filter external
routes.
router ospf 1
area 1 range 4.4.3.0 255.255.255.0 not-advertise
——————————————————
config router so that net 2.2.2.0/24 is not advertised to area 2
R3
ip prefix-list FILTER2 seq 5 deny 2.2.2.0/24
ip prefix-list FILTER2 seq 10 permit 0.0.0.0/0 le 32
router ospf 1
area 2 filter-list prefix FILTER2 in
NOTE: this filters LSA type 3 – sho ip ospf data = look for router
link states.
I tested to see if you do not use le 32 what would happen. I found
that r4 will not have any ospf routes.
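Why dropping `le 32` empties the table, as an added example (not part of the original notes): a small Python model of IOS prefix-list matching with first-match and an implicit deny at the end. The function names and the list of summary routes are constructed for illustration.

```python
import ipaddress

WITH_LE = [
    "ip prefix-list FILTER2 seq 5 deny 2.2.2.0/24",
    "ip prefix-list FILTER2 seq 10 permit 0.0.0.0/0 le 32",
]
WITHOUT_LE = [
    "ip prefix-list FILTER2 seq 5 deny 2.2.2.0/24",
    "ip prefix-list FILTER2 seq 10 permit 0.0.0.0/0",
]
# Constructed type 3 summaries that an ABR might offer to area 2.
SUMMARIES = ["1.1.1.0/24", "2.2.2.0/24", "131.1.12.0/24", "131.1.23.0/24"]


def parse_entry(line):
    """Parse 'ip prefix-list NAME seq N permit|deny PREFIX/LEN [ge X] [le Y]'."""
    tok = line.split()
    seq, action = int(tok[4]), tok[5]
    net = ipaddress.ip_network(tok[6], strict=False)
    opts = dict(zip(tok[7::2], map(int, tok[8::2])))
    ge, le = opts.get("ge"), opts.get("le")
    if ge is None and le is None:
        lo = hi = net.prefixlen          # no ge/le: exact length only
    else:
        lo = ge if ge is not None else net.prefixlen
        hi = le if le is not None else 32
    return seq, action, net, lo, hi


def parse_all(lines):
    return [parse_entry(line) for line in lines]


def evaluate(entries, route):
    """First matching entry wins; no match means the implicit deny."""
    r = ipaddress.ip_network(route)
    for _seq, action, net, lo, hi in sorted(entries, key=lambda e: e[0]):
        # The leading bits must match the entry and the length must be in range.
        if r.subnet_of(net) and lo <= r.prefixlen <= hi:
            return action
    return "deny"


def permitted(lines, routes):
    entries = parse_all(lines)
    return [r for r in routes if evaluate(entries, r) == "permit"]


if __name__ == "__main__":
    print("with le 32   :", permitted(WITH_LE, SUMMARIES))
    print("without le 32:", permitted(WITHOUT_LE, SUMMARIES))
```

Without `le 32` the entry `0.0.0.0/0` matches only the default route itself, so every other summary falls through to the implicit deny. The `deny 2.2.2.0/24` entry is also exact-length: a longer prefix inside 2.2.2.0/24 would still be permitted by seq 10.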
———————————————–
sh ip ospf database database-summary
OSPF Router with ID (2.2.2.2) (Process ID 1)
Area 0 database summary
LSA Type Count Delete Maxage
Router 2 0 0 <—- LSA Type 1
Network 1 0 0 <—- LSA Type 2
Summary Net 6 0 0 <—- LSA Type 3
Summary ASBR 1 0 0 <—- LSA Type 4
Type-7 Ext 0 0 0 <—- LSA Type 7
Prefixes redistributed in Type-7 0
Opaque Link 0 0 0
Opaque Area 0 0 0
Subtotal 10 0 0
Process 1 database summary
LSA Type Count Delete Maxage
Router 4 0 0
Network 1 0 0
Summary Net 10 0 0
Summary ASBR 2 0 0
Type-7 Ext 0 0 0
Opaque Link 0 0 0
Opaque Area 0 0 0
Type-5 Ext 3 0 0 <—- LSA Type 5
Prefixes redistributed in Type-5 0
Opaque AS 0 0 0
Total 20 0 0
————————————————
ospf 02 jan 2009
r1 has two paths to net 4.0.0.0 via r2 & r3. R1 should use r2 to get to 4.0.0.0 and r3 to get
to 3.0.0.0. If r2 goes down R1 should use r3 to get into 4.0.0.0
router ospf 1
max-metric router-lsa < — set the lsa to infinity. this is done so that other routers do
not prefer the routes as a transit hop in their path to a given network.
—————————-
redistribute between ospf and eigrp
router ei 100
redistribute ospf 100 metric 1500 10000 255 1 1500 < — you must add the metric. or use
default metric.
router ospf 100
redistribute eigrp 100 subnets
NOTE: when you redistribute routes into OSPF they will be redistributed with a metric of 20.
———————————————–
the max # of prefix redistributed into OSPF is 9. At 80% generate a warning message.
router ospf 1
redistribute maximum-prefix 9 80 warning-only
note: if you wanted to ignore all prefixes DO NOT add the warning-only command.
——————————————————
make sure routers in area 2 can form an adjacency. (Full state) do not make any changes on R2
note: r1 & r2 are in area 2. R1 is the hub.
r1 int s1/0.12 – ospf net type p-to-p
r2 int s1/0 – non-broadcast
r1
router ospf 1
nei 111.1.12.2
int s1/0.12
ip ospf net point-to-multipoint non-broadcast
note: with non_broadcast you need a neighbor statement. With p2p or p2m a DR is not elected.
——————————————————————————————
make sure routers in area 5 can establish a neighbor adjacency. do not change anything on r5
r1
int s1/0.15
ip ospf net non-broadcast
ip ospf pri 255
router ospf 1
neigh 155.1.15.5
NOTE: always make the hub router the DR! non_broadcast/broadcast elect a DR. Non_br needs a
nei statement.
—————————————————————————–
R1 should be the DR (FR hub router should be the hub)
r1
int s1/0.x
ip ospf priority 255 < — 255 means always elect this the DR router.
r2-4
int s1/0 or int s1/0.xx
ip ospf priority 0 <—- this means that this router will never be elected a DR.
—————————————–
r1 s1/0.12 non_Broadcast <> r1 s1/0.21 non_Broadcast – make these two routers exchange
routes. Do not change the network type.
r1
int tun 1
ip add 222.0.0.1 255.255.255.0
tun source 12.1.1.1
tun dest 12.1.1.2
router ospf 1
no network 12.1.1.1 0.0.0.0 a 0 < — removed to prevent recursive loop
net 222.0.0.1 0.0.0.0 a 0
r2
int tun 1
ip add 222.0.0.2 255.255.255.0
tun sour 12.1.1.2
tun dest 12.1.1.1
router ospf 1
no net 12.1.1.2 0.0.0.0 a 0
net 222.0.0.2 0.0.0.0 a 0
————————————-
r6 should redistribute e0/0 into ospf – no acl or prefix list is allowed.
r6
route-map MATCHINT per 10
match interface e0/0
router ospf 1
redistribute connected route-map MATCHINT subnets
—————————————————————-
configure area 3 as nssa
note: all routers in a area 3 need to be configured with nssa.
r3-6 ( r4-6 are spokes of R3)
router ospf 1
area 3 nssa
r3
sh ip route ospf | in N2
N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2
O N2 4.0.0.0/8 [110/20] via 200.1.34.4, 00:00:17, Serial1/0.34
O N2 5.0.0.0/8 [110/20] via 200.1.35.5, 00:00:17, Serial1/0.35
O N2 6.0.0.0/8 [110/20] via 200.1.36.6, 00:00:17, Serial1/0.36
r1 (connects to r2 <> r 3)
R1(config-router)#do sho ip route | in E2
E1 – OSPF external type 1, E2 – OSPF external type 2
O E2 4.0.0.0/8 [110/20] via 200.1.12.2, 00:04:11, Serial1/0.12
O E2 5.0.0.0/8 [110/20] via 200.1.12.2, 00:03:50, Serial1/0.12
O E2 6.0.0.0/8 [110/20] via 200.1.12.2, 00:03:40, Serial1/0.12
NOTE: so the hub rtr sees all the spokes as N2 routes and all the routers behind r3 see the
routes as E2.
——————————————————————
filter these networks:
200.1.34.0/24 r3<>r4
200.1.35.0/24 r3<>r5
200.1.36.0/24 r3<>r6
router ospf 1
area 1 range 200.1.34.0 255.255.255.0 not-advertise
area 1 range 200.1.35.0 255.255.255.0 not-advertise
area 1 range 200.1.36.0 255.255.255.0 not-advertise
Note: these routes will not be advertised outside of area 1
———————————————————–
config r3 so that routers in area 0 can reach the networks that were redistributed on r4-6
e0/0.
r3
router ospf 1
area 1 nssa translate type7 suppress-fa
R2
before: ( this is after the route were filtered via the area range cmd above)
1.0.0.0/32 is subnetted, 1 subnets
O 1.1.1.1 [110/65] via 200.1.12.1, 00:08:06, Serial1/0.21
C 2.0.0.0/8 is directly connected, Loopback0
C 200.1.23.0/24 is directly connected, Serial1/0.23
3.0.0.0/32 is subnetted, 1 subnets
O IA 3.3.3.3 [110/65] via 200.1.23.3, 00:08:06, Serial1/0.23
C 200.1.12.0/24 is directly connected, Serial1/0.21
after:
1.0.0.0/32 is subnetted, 1 subnets
O 1.1.1.1 [110/65] via 200.1.12.1, 00:14:10, Serial1/0.21
3.0.0.0/32 is subnetted, 1 subnets
O IA 3.3.3.3 [110/65] via 200.1.23.3, 00:14:10, Serial1/0.23
O E2 4.0.0.0/8 [110/20] via 200.1.23.3, 00:00:05, Serial1/0.23
O E2 5.0.0.0/8 [110/20] via 200.1.23.3, 00:00:05, Serial1/0.23
O E2 6.0.0.0/8 [110/20] via 200.1.23.3, 00:00:05, Serial1/0.23
——————————————————————————
lo1 should be redistributed into OSPF as metric-type 2 and tagged with 44 as it's
redistributed in the OSPF domain.
route-map TAG44 per 10
match int lo1
set tag 44
router ospf 1
redistribute connected subnets route-map TAG44
net 4.4.4.4 0.0.0.0 are 1
————————————————–
on r1 filter routes tagged with 44
route-map TASK-8-filtertag44 deny 10
match tag 44
route-map TASK-8-filtertag44 perm 20
router ospf 1
distribute-list route-map TASK-8-filtertag44 in
——————————————————
filter all external type 2 prefixes – do not use an access-list.
route-map FILTER_E2 deny 10
match route-type external type-2
route-map FILTER_E2 perm 20
router ospf 1
distribute-list route-map FILTER_E2 in
——————————————————–
hub
ip ospf pri 255
spokes
ip ospf pri 0
————————
non_broadcast / neighbor command…… frame-relay map broadcast command is not needed.
Because it’s using UNICAST vs multicast.
——————————————-
ip ospf network types must match, except
ip ospf net point-to-multipoint non-broadcast <> ip ospf net point-to-point
on the p2m nb you need to change the ospf hello to match the other side.
ip ospf hello-interval 10 and a neighbor statement.
—————————————————
config plain text on all frame interfaces – all area’s are 0
int s1/0
ip ospf authentication-key cisco
router ospf 1
area 0 authentication
————————————————
r1<>r2 md 5 authentication is enabled. All routers have the above config.
r1 & r2
int s1/0.xx
ip ospf message-digest-key 1 md5 cisco
router ospf 1
area 0 authen message-digest
R2 does not see routes from r3-5.(they are enabled for clear text)
r3-r5
router ospf 1
area 0 authentication message-digest
now r2 will see all the routes. The interface command was not used???
————————————————————————-
you can also disable authentication in the interface facing r3 and then r3-r5 do not need
authentication enabled.
r2
int s1/0.23
ip ospf authentication null
———————————————————————————-
to enable authentication on the interface
interface Serial1/0
ip ospf authentication message-digest < — enable authentication on the interface vs under
the routing process.
ip ospf message-digest-key 1 md5 cisco
ip ospf message-digest-key 2 md5 cciers
This is called per interface authentication. When using per interface authentication other
routers in the area do not need to be configured for authentication.
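What the null, clear text and MD5 modes used in these notes put on the wire, as an added example (not part of the original notes): Python that builds constructed OSPFv2 hellos following RFC 2328 Appendix D and runs the receiver-side check. It also covers the area and virtual-link authentication sections earlier and the two-key rollover; function names, router ID and timer values are made up, and the keys are the ones from the interface config above.

```python
import hashlib
import hmac
import ipaddress
import struct

HDR = "!BBH4s4sHH8s"   # 24-byte OSPFv2 header; last 8 bytes are the auth field
AU_NULL, AU_SIMPLE, AU_MD5 = 0, 1, 2
# Key ID -> key, as in "ip ospf message-digest-key 1 md5 cisco" / "2 md5 cciers"
KEYS = {1: b"cisco", 2: b"cciers"}


def _pad(secret, size):
    """Zero-pad (or truncate) a secret to its fixed field size."""
    return secret[:size].ljust(size, b"\0")


def _hello(autype, auth_field):
    """Constructed hello from router 1.1.1.1 in area 0 (hello 10 s, dead 40 s)."""
    rid = ipaddress.ip_address("1.1.1.1").packed
    area = ipaddress.ip_address("0.0.0.0").packed
    mask = ipaddress.ip_address("255.255.255.0").packed
    body = struct.pack("!4sHBBI4s4s", mask, 10, 0x02, 1, 40, bytes(4), bytes(4))
    # Checksum is left at 0 in this sample; with AuType 2 it is not computed.
    head = struct.pack(HDR, 2, 1, 24 + len(body), rid, area, 0, autype, auth_field)
    return head + body


def null_hello():
    return _hello(AU_NULL, bytes(8))


def cleartext_hello(password):
    # AuType 1: the password itself travels in the 8-byte auth field.
    return _hello(AU_SIMPLE, _pad(password, 8))


def md5_hello(key_id, key, seq):
    # AuType 2: auth field = 0, Key ID, digest length, crypto sequence number.
    pkt = _hello(AU_MD5, struct.pack("!HBBI", 0, key_id, 16, seq))
    # Digest covers packet + padded key and is appended after the packet.
    return pkt + hashlib.md5(pkt + _pad(key, 16)).digest()


def inspect(packet, keys):
    """Classify a received packet and, for MD5, verify it against local keys."""
    _v, _t, length, _rid, _area, _ck, autype, auth = struct.unpack(HDR, packet[:24])
    if autype == AU_NULL:
        return ("null", "unauthenticated")
    if autype == AU_SIMPLE:
        return ("cleartext", auth.rstrip(b"\0").decode("ascii", "replace"))
    if autype != AU_MD5:
        return ("unknown", str(autype))
    _zero, key_id, dlen, _seq = struct.unpack("!HBBI", auth)
    key = keys.get(key_id)          # receiver selects the key by Key ID
    if key is None:
        return ("md5", "unknown-key-id")
    expected = hashlib.md5(packet[:length] + _pad(key, 16)).digest()
    ok = hmac.compare_digest(expected, packet[length:length + dlen])
    return ("md5", "valid" if ok else "bad-digest")


if __name__ == "__main__":
    print(inspect(null_hello(), KEYS))
    print(inspect(cleartext_hello(b"cisco"), KEYS))
    print(inspect(md5_hello(1, b"cisco", 100), KEYS))
    print(inspect(md5_hello(2, b"cciers", 101), {1: b"cisco"}))
```

A neighbor holding both keys validates packets signed with either Key ID, which is why adding key 2 before removing key 1 keeps the adjacency up. This sketch does not track the cryptographic sequence number, which a real receiver also checks.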
—————————————————————————-
redistribute lo0 & lo1 this creates E2 routes
r3
route-map REDISTRIBUTE_LO0_LO1 per 10
match interface loop0 loop 1 < —- cool, I did not know you can match multiple int’s.
router ospf 1
redistribute connected subnets route-map REDISTRIBUTE_LO0_LO1
r1
r1(config-subif)#do sho ip route ospf
O 2.0.0.0/8 [110/65] via 10.1.12.2, 00:00:23, Serial1/0.21
O E2 33.0.0.0/8 [110/20] via 10.1.12.2, 00:00:23, Serial1/0.21 <—-
O E2 3.0.0.0/8 [110/20] via 10.1.12.2, 00:00:23, Serial1/0.21 <—-
O IA 4.0.0.0/8 [110/193] via 10.1.12.2, 00:00:23, Serial1/0.21
5.0.0.0/24 is subnetted, 1 subnets
O IA 5.5.5.0 [110/193] via 10.1.12.2, 00:00:23, Serial1/0.21
———————————————————————-
Config area 1&2 as a NSSA. Config R3 so that r4 & r5 get a default route
r3 – ABR for area 0,1,2
r4 area 1
r5 area 2
r3
router ospf 1
area 1 nssa default-information-originate
area 2 nssa default-information-originate
r4
sho ip route
Gateway of last resort is 10.1.34.3 to network 0.0.0.0
O IA 1.0.0.0/8 [110/193] via 10.1.34.3, 00:00:02, Serial1/0.43
O IA 2.0.0.0/8 [110/129] via 10.1.34.3, 00:00:02, Serial1/0.43
O N2 33.0.0.0/8 [110/20] via 10.1.34.3, 00:00:02, Serial1/0.43
O N2 3.0.0.0/8 [110/20] via 10.1.34.3, 00:00:02, Serial1/0.43
C 4.0.0.0/8 is directly connected, Loopback0
10.0.0.0/24 is subnetted, 4 subnets
O IA 10.1.12.0 [110/192] via 10.1.34.3, 00:00:02, Serial1/0.43
O IA 10.1.23.0 [110/128] via 10.1.34.3, 00:00:02, Serial1/0.43
O IA 10.1.35.0 [110/128] via 10.1.34.3, 00:00:02, Serial1/0.43
C 10.1.34.0 is directly connected, Serial1/0.43
O*N2 0.0.0.0/0 [110/1] via 10.1.34.3, 00:00:02, Serial1/0.43 <– injected external default
route
————————————————————–
config so the default route injected by the ABR is an internal route
r3
router ospf 1
area 1 nssa no-summary
r4
r4(config-router)#do sho ip route os
O N2 33.0.0.0/8 [110/20] via 10.1.34.3, 00:01:32, Serial1/0.43
O N2 3.0.0.0/8 [110/20] via 10.1.34.3, 00:01:32, Serial1/0.43
O*IA 0.0.0.0/0 [110/65] via 10.1.34.3, 00:01:37, Serial1/0.43
————-
config r3 so that area 1 (r4) does not get redistributed routes
r3
router ospf 1
area 1 nssa no-redistribution
—————————————–
NOTE: when doing the labs I see that the commands are nested.
eg.
area 1 nssa
area 1 nssa default-information-originate
area 1 nssa no-summary = area 1 nssa default-information-originate no-summary
area 1 nssa no-redistribution = area 1 nssa default-information-originate no-summary no-redistribution
———————————————
configure area 1 on r1-3 but do not use the network command
r1 – R2
int s1/0
ip ospf 1 area 0
R2-R3
int e0/0
ip ospf 1 area 0
———————————–
do not allow secondary interfaces to be advertised
r2
int e0/0
ip ospf 1 area 0 secondaries none
—————————————
loopbacks should be advertised
int lo0
ip add 1.1.1.1 255.255.255.0
ip ospf ne point-to-p
router ospf 1
net 1.1.1.1 0.0.0.0 a 1
——————————–
filter 1.1.1.0/24 from r2 only
access-list 1 deny 1.1.1.0 0.0.0.255
access-list 1 permit any
router ospf 1
distribute-list 1 in
r3-r5 will still learn 1.1.1.1 from R2. It’s just filtered from r2’s routing table.
————————————-
05 Jan 2008 OSPF
————————–
make sure routers in area 99 do not receive 111.1.1.0/24 in their routing table
NOTE: you must do this on the Area Border Router (ABR)
ip prefix-list FILTER_111NET_FROM_AREA99 seq 5 deny 111.1.1.0/24
ip prefix-list FILTER_111NET_FROM_AREA99 seq 10 permit 0.0.0.0/0 le 32
router ospf 1
area 99 filter-list prefix FILTER_111NET_FROM_AREA99 in
on area 99 routers you will not see 111.1.1.0/24 in the routing table and you will not see it if you
sho ip ospf database summary 111.1.1.0
You will see it on the ABR in the routing table and via sho ip ospf database summary 111.1.1.0 BUT
YOU WILL SEE IT AS A SUMMARY IN AREA 0 not area 2.
—————————————————————–
COOL command
r3#sh ip ospf data database-summary
OSPF Router with ID (3.3.3.3) (Process ID 1)
Area 0 database summary
LSA Type Count Delete Maxage
Router 2 0 0 <—- LSA type 1
Network 0 0 0 <—- LSA type 2
Summary Net 7 0 0 <—- LSA type 3
Summary ASBR 0 0 0 <—- LSA type 4
Type-7 Ext 0 0 0
Prefixes redistributed in Type-7 0
Opaque Link 0 0 0
Opaque Area 0 0 0
Subtotal 9 0 0
——————————————————
to filter lSA type 1 – only on ABR
router ospf 1
area 1 range 111.111.111.0 255.255.255.0
to filter lsa type 3 – only on ABR – only lsa type 3 (network summary)
ip prefix-list FILTERLSA3 seq 5 deny 111.111.111.0/24
ip prefix-list FILTERLSA3 seq 10 permit 0.0.0.0/0 le 32
router ospf 1
area 1 filter-list prefix FILTERLSA3 in
——————————————————
Configure the routers so only R1 can see 100.1.1.0/24.
r2-4
sho access-list
access-list 1 deny 100.1.1.0 0.0.0.255
access-list 1 permit any
router ospf 1
distribute-list 1 in
NOTE: this will filter net 100.1.1.0/24 from the local router only so this needs to be done on all
the routers.
———————————————————————–
Config so that the loopback on r5 is seen as an E2 route in its neighbors' routing table.
r5
route-map REDIST_L0 per 10
match inter lo0
router ospf 1
redistribute connected subnets route-map REDIST_L0
———————————————————–
ALWAYS use the subnets keyword when redistributing OSPF and EIGRP.
———————————————————————-
Filter 5.5.5.0/24 so that only R5 will see 5.5.5.0/24 in its routing table.
int lo0
ip address 5.5.5.5 255.255.255.0
ip access-list standard FILTER5NET
deny 5.5.5.0 0.0.0.255
permit any
or
access-list 1 deny 5.5.5.0
access-list 1 per any
route-map REDIST_L0 per 10
match inter lo0
router ospf 1
redistribute connected subnets route-map REDIST_L0 <—- redistributing makes this an ASBR
distribute-list FILTER5NET out
NOTE: This is the only scenario where “distribute-list out” will work in OSPF. This can only be
done on the ASBR. This filters type 5 or 7 lsa’s. (Here it’s a LSA type 5)
————————————————————————————-
config r5 so that only it can see 50.5.5.0/24.
R5 is an ASBR
router ospf 1
summary-address 50.5.5.0 255.255.255.0 not-advertise
————————————————————–
Filter net 55.5.5.0 from R1
sh access-list
access-list 1 deny 55.5.5.0
access-list 1 permit any
router ospf 1
distribute-list 1 in
————————————
config so that routers in area 2 do not see any networks advertised by any other router in the
topology.
r1 a1 <> r2 a1
r1a1 <> r3 a1 <> r4 a2 <> r5 a2
r4
int s1/0.45
ip ospf database-filter all out
clear ip ospf pro
The “ip ospf database-filter all out” will prevent all routes from being advertised to R5. All other
routers will see all of R5’s advertised networks.
——————————————————————
config so that r1/2/3 (area1) only see routes in their own area and r4 (area2) only sees its own
routes.
r3
router ospf 1
neighbor 10.1.1.4 database-filter all out
r3(config-router)#neighbor 10.1.34.4 database-filter all out
OSPF: Neighbor command is allowed only on NBMA and point-to-multipoint networks
int s1/0.34
ip ospf net point-to-multipoint
clear ip ospf pro
——————————————-
OSPF ABR Type 3 LSA filtering -sent between different Area’s.
router ospf 1
area 1 filter-list prefix FILTERtype3 in
ip prefix-list FILTERtype3 seq 5 deny 1.1.1.0/24
ip prefix-list FILTERtype3 seq 10 permit 0.0.0.0/0 le 32
To filter interarea routes:
router ospf 1
area 1 filter-list prefix FILTERIA out
ip prefix-list FILTERIA seq 5 deny 1.1.1.0/24
ip prefix-list FILTERIA seq 10 permit 0.0.0.0/0 le 32
show ip ospf
———————————————————
OSPF Forwarding Address Suppression in Translated Type-5 LSAs
causes a not-so-stubby area (NSSA) area border router (ABR) to translate Type-7 link state advertisements (LSAs) to Type-5 LSAs, but use the address 0.0.0.0 for the forwarding address instead of that specified in the Type-7 LSA.
This feature causes routers that are configured not to advertise forwarding addresses into the backbone to direct forwarded traffic to the translating NSSA ABRs.
1. enable
2. configure terminal
3. router ospf process-id
4. area area-id nssa translate type7 suppress-fa
5. end
—————————————————-
How to Configure OSPF Inbound Filtering Using Route Maps
1. enable
2. configure terminal
3. route-map map-tag [permit | deny] [sequence-number]
4. match tag tag-name
or other match commands.
5. Repeat Steps 3 and 4 with other route-map and match commands if you choose.
6. exit
7. router ospf process-id
8. distribute-list route-map map-tag in
9. end
route-map tag-filter deny 10
match tag 777
route-map tag-filter permit 20
!
router ospf 1
router-id 10.0.0.2
log-adjacency-changes
network 172.16.2.1 0.0.0.255 area 0
distribute-list route-map tag-filter in
———————————————–
OSPF Limit on Number of Redistributed Routes
SUMMARY STEPS
1. enable
2. configure terminal
3. router ospf process-id
4. redistribute protocol [process-id] [as-number] [metric metric-value] [metric-type type-value] [match {internal | external 1 | external 2}] [tag tag-value] [route-map map-tag] [subnets]
5. redistribute maximum-prefix maximum [threshold]
6. end
7. show ip ospf [process-id]
redistribute maximum-prefix maximum [threshold]
Example:
Router(config-router)# redistribute maximum-prefix 100 80
Sets a maximum number of IP prefixes that are allowed to be redistributed into OSPF.
•There is no default value for the maximum argument.
•The threshold value defaults to 75 percent.
Note If the warning-only keyword had been configured in this command, no limit would be enforced; a warning message is simply logged.
—————————–
OSPF Area Transit Capability
The OSPF Area Transit Capability feature provides an OSPF Area Border Router (ABR) with the ability to discover shorter paths through the transit area for forwarding traffic that would normally need to travel through the virtual-link path. This functionality allows Cisco IOS software to be compliant with RFC 2328.
1. enable
2. configure terminal
3. router ospf process-id [vrf vpn-name]
4. no capability transit
——————————————————
ABR = area XXX range
ASBR = summary-address
filter lsa 4 /5
area 1 stub
filter lsa 3/4/5
r5
area 1 stub
r4
area 1 stub no-summary
after redistribution should receive lsa 1,2,3 7
area 1 nssa ( need a default route)
after redistribution should propagate lsa 1,2,3 7 & default
route
r5
area 2 nssa
r 4
area 2 nssa default-information-originate