OSPF Deep Dive
Dec 31, 2021
Hello everyone and welcome to our deep dive into OSPF. I'm delighted you've chosen to spend part of your Black Friday with us. We have been doing this for, I was trying to think, maybe six or seven years: the day after Thanksgiving here in the US we always live stream a marathon training event that teaches a different topic each year. I thought that this time we would deal only with OSPF, and what I mean by that is that today I want to cover with you all the OSPF topics on the Cisco CCNA exam blueprint, the ENCOR exam blueprint and the ENARSI exam blueprint. Now that's a difficult task, so you might be wondering how long it is going to take, and the answer is I really don't know. My guess, and this is a guess, an approximation, because some people have asked, is about three hours. It could be a little less, it could be a little more, we'll see, but that's my guess right now: we're looking at about three hours. Here is what's coming.
Specifically, today I've had some questions saying, I'm a little new to this, can we start with the basics? Do I have to have some experience? And the good news is... let me mute one of my monitors here, where I can hear myself, that's not good. Okay. We're going to have a replay of this, which is good news, but it will probably be published tomorrow, and it will be missing some things. If you join us live, then you will be able to benefit from what we do every Black Friday, and that is offer you our biggest discounts on our training products all year, and I have some special surprises for those of you who stay until the end of the webcast, so I encourage you to do that. But we'll start with the basic theory, and then we'll talk about how a pair of OSPF routers form neighborships, and by the way, there's a difference between a neighborship and an adjacency, and we'll talk about that. We'll also see that we can have some routers that get a special job in the network; they are called designated routers. We will see why they help us, how one is chosen to be a designated router, and what happens if it goes down. We'll talk about how an OSPF network can be grouped into different areas, as they are called, and then we'll look at some network types.
Now remember we are looking at topics in the CCNA and the CCNP, that is the ENCOR and ENARSI exams, and one of the big topics, especially in the ENARSI exam and a little bit in the CCNA exam, is network types, so we will look at those network types. And I'm going to try to do the impossible today, and that is simplify LSAs. That's one of the most intimidating topics; it seems to many students that just understanding the concept of LSAs is a little difficult. I'm going to try to break it down and super-simplify it for you. Today we will talk about timers, which may not look like anything super impressive, but they are very different from EIGRP timers, and most people don't understand the difference; they think they are the same and they are definitely not the same.
We'll talk about how OSPF does its metric calculation, and I don't like it by default. There are so many network administrators who have a false sense of security: they set up OSPF and it just works, it's giving us the best possible path to get from point A to point B. I have gig links, I have 10-gig links, I have Fast Ethernet links; it will choose the best link. Not by default. By default it's not going to do that, so I want to make sure we learn how to optimize those default settings. Then we'll talk about just a basic configuration, starting again with the basics with OSPF version 2.
You may want to take note of this. From the beginning, we are going to talk today about OSPF version 2 and version 3. Version 2 only supports IPv4, it only supports IP version 4. We can support IPv6 if we go to OSPF version 3, and I will configure both of those for you today. Once we understand the basics, we'll see how we can filter routes, because as we move from one autonomous system to another, maybe a couple of companies merge: this business was running EIGRP, this business was running OSPF, and suddenly they get merged. We may not want all those EIGRP routes going into our OSPF autonomous system.
We will see how to avoid this, and there are three different ways to filter routes. We will talk about all of those today. And to reduce the size of our routing tables, we're going to talk about route summarization, and we'll see, if we have that company merger and we have an area that is not adjacent to area 0, why that's a big deal. We'll look at how to fix it, we'll look at a workaround, and then we'll go into some OSPF version 3 configuration to support IP version 6. There's a traditional way to do it, and that's where you configure OSPF version 2 for IPv4 and you configure OSPFv3 for IPv6, but then we will say here is a better way, here is an address-family configuration approach that will allow us to have a hierarchical structure that does both IP version 4 and IP version 6. And we're going to finish with authentication today: authentication between a pair of routers and authentication between all routers in an area, all in the live interface.
I'll be doing a lot of demos for you. We're going to talk about commands we can give to fix some problems that might go wrong, how to recognize what's going wrong, so we're integrating a troubleshooting discussion into all of this. If you're not familiar with me, if you just saw me browsing YouTube, here's my super quick bio. My name again is Kevin Wallace. I've got a couple of CCIEs, one in enterprise infrastructure and one in collaboration. I got my first CCIE in 2001, so I'm just past my 20th anniversary, which I'm really excited about, and I've been working with Cisco gear since the first Cisco router ever, the old Cisco AGS+ router, if anyone remembers that one, and I taught Cisco Learning Partner courses for about 14 years. Then in 2014 I decided to start doing this full time, so I set up my own training company, Kevin Wallace Training, and we create on-demand IT training courses and we also do live courses. I used to work at Walt Disney World, where I was a network designer. My family and I are big Disney fans, and if you attend a lot of my sessions I will tell you a lot of stories from my time at Disney World. I wrote a lot of books and did a lot of video courses for Cisco Press. At Cisco Live I had the honor of receiving the Distinguished Speaker Award a couple of times.
The bottom line is that I love this stuff. That's enough about me. I love these things; it captivates me, and I'm ready to go if you are. So today we have three different sections. Let's now dive into the first section with just an overview of some theory and terminology related to OSPF. The first thing I want you to know about OSPF is that it is an open standard, and as a result, I think it is probably the most widely implemented IGP, interior gateway protocol, based on my surveys of my students over the years. Now I saw someone write earlier, in this OSPF session, that BGP is the king. Yes, it is the king of the Internet, but that is an exterior gateway protocol, so let's do a poll right now.
We have like 600 people joining us on different platforms, so I don't want you to give away any company secrets, but if you don't mind sharing, can you just write which IGP, which interior gateway protocol, you run in your company? Let's do a sort of group poll here. It might not include BGP, unless you're using iBGP, but for most people it will be OSPF, IS-IS, EIGRP, maybe still RIP. Let's see what they all say. We have a lot of votes. Let's see: OSPF, OSPF... OSPF wins every time. Scrolling down, oh, someone using EIGRP and OSPF, someone using OSPF and IS-IS; that could be in their data centers, I guess. It's just mixes of EIGRP and OSPF. Awesome. Well, that pretty much confirms what I was thinking.
It is an open standard and is widely implemented, and it is considered a link-state routing protocol. Link state: very quickly, what does that mean? It means you have a map of the network. I'll go into more depth on that in a moment, but think about EIGRP or RIP. RIP is called a distance-vector routing protocol and EIGRP is an advanced distance-vector routing protocol. What is a vector? You remember from high school: a vector gives you two pieces of information, it gives you magnitude and direction, in other words, how far away the destination is and what direction I'm going, what my direction is.
EIGRP is cool as it is; I love EIGRP. When I worked at Disney we had over 500 routers running EIGRP, but EIGRP doesn't have a map of the network. A router doesn't know how everything else is interconnected. OSPF knows this because it is a link-state routing protocol, and it stores that map in what's called a link-state database, and we're going to look at that link-state database today. Once you get all that information in the link-state database, this router says, I want to reach this network, and we're going to run an algorithm called Dijkstra's algorithm, which is also called the shortest path first algorithm, and it will give you the most efficient route to get to that destination network.
Now when I say more efficient, what makes it more efficient? The cost, which is based on bandwidth. We will use a cost metric, and the lowest-cost link will win, or the lowest-cost path will win, and the higher-speed links will have a lower cost than the lower-speed links. We'll talk a lot more about that coming up today. But it's not the only link-state routing protocol out there. Someone else said they were using Intermediate System to Intermediate System, IS-IS; that's the other popular link-state routing protocol out there where each router has a map of the network. It's like your car's navigation system, or even your smartphone: maybe you have Google Maps or Apple Maps, and when you say give me directions to this location, that's what it's doing, it's running Dijkstra's algorithm on this map that you have. The metaphor I often give to my students is that OSPF is a lot like solving a jigsaw puzzle. For example, here's one; I took one of my family's puzzles. By the way, I'm not a big person who does puzzles, but my wife and daughters are much more into them.
They're a lot bigger puzzle fans than I am, but here's what I want you to understand about jigsaw puzzles. We have all these different puzzle pieces here, and if it's you and me and a couple of friends sitting around a table, we would each have a collection of puzzle pieces in front of us; in other words, we would each have a part of the whole picture. Now this one, it looks like it's going to be a family of snowmen, but each of us would have a picture of a piece of that snowman family on these puzzle pieces. That's what OSPF routers actually do.
An OSPF router will know what pieces of the network it is connected to, for example, and what type of links it is connected to, and these pieces of the puzzle are pieces of information that it will share with everyone else within the area. By putting all those pieces of the puzzle together, that's how these routers collaborate and build a map of the network, and everyone in that area shares the same map. And if I'm working on a corner over here, or I'm trying to get the stovepipe or the snowman's top hat, I could say, hey, I'm missing the little holly leaf up here, does anyone have that? And someone could say, oh yeah, I have that. Can you provide me with the missing piece?
Well, routers do that too. They'll be able to tell, I'm missing a certain piece of my topology or my link-state database, can anyone provide it? We'll take a look at the exact type of message that's going to request that, and a neighbor can say yes, I have that part here. But the idea is everyone has information, they will be able to share it, and they will be able to build this map. We will then run Dijkstra's algorithm to determine the shortest path to get from point A to point B. And when a router is talking to another router and they are sharing the pieces of the puzzle, by the way, in your notes you might want to write that those pieces of information I'm referring to are called LSAs, link-state advertisements. Routers that share that information are called adjacencies, since, as we are about to see, there is a different relationship that routers could have, and that is being neighbors. There is a difference between a neighbor and an adjacency; we will talk about that. But we are going to send these LSAs within an area and we're going to be able to build a map for the area, and that map, we said, will be in a link-state database. We're going to run that Dijkstra algorithm on it. Now here's the big point.
I want you to understand this on this slide. Once OSPF says, okay, I've determined the optimal path to get here and here and here, simply because OSPF has determined what it considers the best path to this network, is there any guarantee that the router is going to use that? No. Can someone tell me in chat: if OSPF says the best way to get to 10.1.1.0/24 is to go to the next-hop router up here, but the router running OSPF says no, I'm going to go this way instead, what would make a router override what OSPF said was the best way to get there? If anyone has an idea, go ahead and chat. Yes, administrative distance. Yes, a lot of people in chat say it is administrative distance, that is, the believability of routing information.
Now OSPF has an administrative distance of 110, and the lower the AD, the lower the administrative distance, the more believable the routing source. Now, if a network is directly connected to my router, there is nothing more believable than being connected to me, so that will get the best administrative distance, zero. Now if I as an administrator go in and say, well, I want to statically configure a route, that will override any dynamic routing protocol by default; that will have an administrative distance of one. I say "by default" because we can play some games with floating static routes, but that is the topic for another course. But yes, OSPF is 110, so it is more believable than RIP at 120. It is more believable than IS-IS at 115. By the way, it is less believable than EIGRP at 90. But some more terminology before we get into how this all works. The way two routers will start to form a relationship is like when you meet someone. What's one of the first things you say when you want to establish a relationship with someone? You might say hello, and that would start the conversation. That's what these routers do: they send hellos to each other, and they're going to exchange information, if they are adjacencies, using those puzzle pieces we were talking about, which contain information about how everything is interconnected. But here it is.
A common mistake, take note of this. You could say it incorrectly too, because that's how a lot of people see it. When a router sends that information to a neighboring router, an adjacency, it doesn't send an "LSA packet," in quotes. It sends an LSU packet, a link-state update, which is the type of packet that carries an LSA. So the vehicle is the LSU, the link-state update, but the passenger, the actual information, is the LSA. And then, after we have made a lot of exchanges and are trying to build our database, typically routers will have missing information.
I'm missing this piece of the puzzle, like the holly leaf on my snowman I was talking about. Well, I can ask, does anyone have that holly leaf? We can ask our neighbors for missing information, and that is called a link-state request, and if someone has it they will give it to us within a link-state acknowledgment. So at this point, just to summarize what we have talked about so far: we said we're going to have a bunch of routers, those routers are going to build a map of the network, and they're going to exchange LSAs to do that, and then they're going to run Dijkstra's algorithm to figure out the best way to get from point A to point B on that network. And I said that two routers exchanging information were called adjacencies, and I said there's also a neighborship.
This is another common point of confusion among students, so let's contrast a neighbor with an adjacency, and as a metaphor I'm thinking about where I live now. My wife and I built this house in 2019; we've been here for a little over two years, and honestly, it is a bit isolated on this road. There are actually only two neighbors close to us. I have a neighbor right down the street from me, and there is a neighbor right down the street from them. Now the person who lives right next to me has a much closer relationship with us than the other neighbor. I mean, we've been to each other's houses, we've collaborated on different little projects around the yard, we've texted and helped each other; we have a closer relationship, we exchange information. The other neighbor, I'm embarrassed to say it, but I'm not sure I'd recognize them in public. I see them passing by; I'm leaving my door and I see them passing by in their vehicle, I wave, they wave, but that's all, just saying hello. We don't exchange information. That's what a neighbor is in OSPF: they don't exchange information, they just say hello, they don't exchange link-state advertisements. So a neighborship is when two neighbors exchange hello messages. They know of each other's existence but they don't know each other much; they only say hello to each other. And the way they say hello is through multicast. With multicast we are going to use the multicast address, if you want to put this in your notes, of 224.0.0.5.
That way, not everyone on this subnet has to see these hello messages; they only go to other routers that speak OSPF. But let's take it a step further. What is an adjacency, where we have a closer relationship? Well, the first requirement of an adjacency is that you have to be a neighbor. I mean, the neighbor who lives next to me, that I said we have a closer relationship with, they are my neighbor, we say hello, but it goes beyond that. As a prerequisite we first have to be neighbors, but then I said we exchange information. That's what these adjacent routers do: they exchange link-state updates that contain the information, and they exchange database description packets that talk about the structure of a database. Later in today's session, we will go
through the steps of setting up an adjacency. There are many different states that OSPF can be in, and we will learn more about the database description packets there. But to be a neighbor, and it is important to know this for the ENCOR exam specifically, for a router to become a neighbor of another router, it must be in the same area. Now, an area, we'll talk a lot more about areas later, but an area is a grouping of OSPF routers. It could be the entire network; we could have all the routers belonging to the same area, and that could be fine, it depends, but it could be fine. But if I have my network divided into different areas, then I have two different databases. For a router to be adjacent to another router it must belong to the same area. And we will see authentication, which is our last topic today; in fact authentication has to match, that is, if one side has a password that does not match the other side, no, we are not going to establish that relationship. And we have to be on the same subnet, because there is a link that interconnects us, and that link is probably going to be a single subnet, so we have to be on a single subnet. The timers, which we'll talk about a little later, have to match. We'll also talk for a few minutes about different types of areas. Check this out, this is getting crazy.
This is what I said is very difficult for students to understand, but I promise I will try my best to simplify it. We just have regular areas, we have stub areas, totally stubby areas, not-so-stubby areas and totally not-so-stubby areas. Yes, we'll get into all that, but these stub flags have to match. As the end result, I cannot have a router with an interface in a stub area forming a neighborship with a router whose interface is not configured to be in a stub area. And the MTU has to match, the maximum transmission unit. If one side is set to 1500 bytes and the other side is set to 1470 bytes, that's not going to work.
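As an added example, not code from the lecture: a small Python checker for the neighbor and adjacency prerequisites listed above. The interface records and their field names are constructed for this example. The behaviour it encodes is that a mismatch in area, hello or dead timer, subnet, authentication or stub flag means the Hello packets are discarded and no neighbor ever appears, while an MTU mismatch lets the neighbor form but leaves it stuck in EXSTART because the database description exchange never completes.

```python
"""Neighbor / adjacency prerequisite checker for a pair of OSPF interfaces.

Added example, not from the lecture.  The interface records are plain dicts
constructed for this example; the field names are this example's own.
"""
import ipaddress


def neighbor_mismatches(a, b):
    """Return the parameters on which interfaces a and b disagree, in a fixed
    order.  Everything except 'mtu' is checked from the Hello packet itself."""
    problems = []
    if a["area"] != b["area"]:
        problems.append("area")
    for timer in ("hello", "dead"):
        if a[timer] != b[timer]:
            problems.append(f"{timer} timer")
    # Same subnet: compare the network each address/prefix belongs to.
    if ipaddress.ip_interface(a["ip"]).network != ipaddress.ip_interface(b["ip"]).network:
        problems.append("subnet")
    if a.get("auth_key") != b.get("auth_key"):
        problems.append("authentication")
    if a["stub"] != b["stub"]:
        problems.append("stub flag")
    if a["mtu"] != b["mtu"]:
        problems.append("mtu")
    return problems


def expected_state(a, b):
    """Predict the state column of `show ip ospf neighbor` for the pair.
    (Between two DROTHERs on a broadcast segment the healthy answer would be
    2WAY rather than FULL; this example assumes one side is DR or BDR.)"""
    problems = neighbor_mismatches(a, b)
    if any(p != "mtu" for p in problems):
        return "no neighbor"   # hellos are discarded, the neighbor never appears
    if "mtu" in problems:
        return "EXSTART"       # neighbor seen, but DBD exchange never completes
    return "FULL"


# Constructed sample: R1's interface and three versions of R2's.
R1 = dict(area=0, hello=10, dead=40, ip="10.1.12.1/24", auth_key="s3cret", stub=False, mtu=1500)
R2_OK = dict(R1, ip="10.1.12.2/24")
R2_MTU = dict(R2_OK, mtu=1470)
R2_BAD = dict(R2_OK, area=1, hello=30, auth_key="wrong")

if __name__ == "__main__":
    for name, r2 in (("ok", R2_OK), ("mtu", R2_MTU), ("bad", R2_BAD)):
        print(name, neighbor_mismatches(R1, r2), "->", expected_state(R1, r2))
```

The MTU case is the one worth remembering when troubleshooting: the neighbor is visible in the table, so it is easy to assume the problem is elsewhere.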
Oh, I said I would give you some troubleshooting tips along the way, and we're prepping for the exam, so you might want to write this down. If we had a couple of routers that are connected but don't match on the MTU, the result, if I typed show ip ospf neighbor, is that the state you would see is EXSTART/EXCHANGE. I would like you to know that; it could be useful information to memorize and definitely put in your notes. Oh, by the way, I mentioned that we had 600+ people joining us right now; it seems to be growing as I say that, but I see a lot of questions coming in. We're going to have some Q&A breaks, so don't get angry if I don't pause to answer your questions; we would never get anywhere in a class like that. But I will have some dedicated Q&A breaks, so if you have a burning question, you might want to write it down, and then when I open it up for Q&A I'll try to find some really interesting, relevant questions. So I didn't want you to be offended if I don't answer; I'm not ignoring you, I'm just waiting for our Q&A break to answer some questions. Now here is one of the "I'm not mad, I'm just disappointed" moments with OSPF, as parents might say. OSPF metric calculation was probably fine 10 or 20 years ago, but the defaults now... by the way, some of the newer equipment that can be found in data centers,
I've covered this; it's better on some equipment, but your traditional Cisco IOS router has problems, and I'll explain. But first, before we get into the problem, let's explain how OSPF does its metric calculation. Its metric calculation is in terms of cost, and we said that cost is a function of bandwidth. So if I have a 100-meg link, what is the cost? Well, here's the formula you might want to write down: interface cost equals something called the reference bandwidth divided by the interface bandwidth. What is the reference bandwidth? Well, the reference bandwidth by default on most of our traditional Cisco IOS routers, even with the newer versions of Cisco IOS, is 100 megabits, 100 megabits per second. So if I have a 100-megabit link like the one I have between R1 and R2, the cost is 100, my reference bandwidth, divided by 100, my link speed. 100 divided by 100, that's one. I have a cost of one. Okay, let's review this. I have a 10-meg link at the bottom, you see, between R1 and R3. What would its cost be?
That is the reference bandwidth of 100 megs divided by the link speed of 10 megs. 100 divided by 10. That would have a cost of 10. So let's see: I want to go from PC1 to PC2, so R1 is trying to figure out what is the best way to get to PC2. You could go through R2 and then go down to R3, which is fine, or you could go straight to R3. Now if you were using RIP, for those of you who remember the Routing Information Protocol, which uses hop count as a metric, this is what RIP would do. RIP would say, how many routers do I have to go through to get to that destination network? So R1 would say, well, I could go through R2 and then I could go through R3 and finally get there, or I could just go through R3, which is a shorter path, and RIP would go from R1 to R3 and think it did a good job. It didn't consider the bandwidth; that went over a much less efficient link. So let's do the math that OSPF will do.
It will say that the bottom link is 100, the reference bandwidth, divided by 10; that's a cost of 10. All the 100-meg links, which is 100 divided by 100, will have a cost of one. So if I go from R1 to R2, then from R2 to R3, and then when I go out from R3, that adds another cost of one because that's a 100-meg link going down to PC2, that's a total cost of three. What happens if I go from R1 directly to R3? Well, it's a cost of 10 just to get to R3, and then there is another cost of 1 to get out of R3; that's a cost of 11.
Clearly from the OSPF perspective, and I agree with this, the most efficient path is from R1 to R2 to R3 and then out to PC2. That is the way OSPF by default does its cost calculations and path selection. However, here is the problem: what if you had a gig link? Tell me what the cost of a gig link is by default with OSPF. Go ahead and type it in chat. I realize there is a 10-15 second delay from the time I ask something to the time you hear it, so I'm about to kill 15 seconds to give you time to write it. Okay, a lot of people say one. Oh, it's just flooding in here. Yeah, a lot of people say one. Yes, because cost can't be a decimal value, so yeah, 100 megs divided by 1000 megs, that's 0.1, and we can't have a decimal, it has to be an integer, so we round to 1.
So you mean that a 100-meg Fast Ethernet link has the same cost as a gig link? What about a 10-gig link? Same thing with the 10-gig link: its cost would be 0.01, and it still has to be rounded up to one. So my problem with OSPF by default is that it doesn't distinguish between a Fast Ethernet link and a gig link and a 10-gig link. I think that's horrible, and there are so many administrators today that don't even think about it or don't do it regularly, and there are a lot of networks that might not be optimal. So how do we fix that? We need to set a reference bandwidth that is higher.
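As an added example, not code from the lecture: Python that computes IOS-style interface cost from a reference bandwidth and runs Dijkstra's shortest path first over a constructed copy of the R1/R2/R3/PC2 topology, plus a second constructed topology where the 100 Mbps default chooses a single Fast Ethernet hop over two Gigabit Ethernet hops. The IOS command that changes the reference bandwidth is `auto-cost reference-bandwidth <Mbps>` under `router ospf`, so `auto-cost reference-bandwidth 100000` means 100 Gbps; the functions below take the same unit.

```python
"""OSPF cost and shortest-path selection under different reference bandwidths.

Added example, not from the lecture.  Link speeds are in Mbps, the same unit
IOS uses for `auto-cost reference-bandwidth`.  Topologies are constructed.
"""
import heapq

DEFAULT_REF_BW_MBPS = 100       # traditional IOS default: 100 Mbps


def ospf_cost(intf_bw_mbps, ref_bw_mbps=DEFAULT_REF_BW_MBPS):
    """Interface cost = reference bandwidth / interface bandwidth, truncated
    to an integer with a floor of 1 (0.1 and 0.01 both become 1)."""
    return max(1, ref_bw_mbps // intf_bw_mbps)


def build_graph(links, ref_bw_mbps=DEFAULT_REF_BW_MBPS):
    """links: (a, b, bandwidth_mbps) tuples.  Both ends of a link run at the
    same speed here, so each direction gets the same cost."""
    graph = {}
    for a, b, bw in links:
        cost = ospf_cost(bw, ref_bw_mbps)
        graph.setdefault(a, {})[b] = cost
        graph.setdefault(b, {})[a] = cost
    return graph


def spf(graph, src, dst):
    """Dijkstra's shortest path first: (total_cost, [hops]) from src to dst."""
    dist = {src: 0}
    prev = {}
    heap = [(0, src)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue                      # stale heap entry
        if node == dst:
            break
        for nxt, cost in graph[node].items():
            nd = d + cost
            if nd < dist.get(nxt, float("inf")):
                dist[nxt] = nd
                prev[nxt] = node
                heapq.heappush(heap, (nd, nxt))
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return dist[dst], path[::-1]


def best_path(links, src, dst, ref_bw_mbps=DEFAULT_REF_BW_MBPS):
    return spf(build_graph(links, ref_bw_mbps), src, dst)


# Constructed topology from the lecture: two 100 Mbps hops via R2 vs a direct 10 Mbps link.
LECTURE_LINKS = [("R1", "R2", 100), ("R2", "R3", 100), ("R1", "R3", 10), ("R3", "PC2", 100)]

# Constructed topology where the default reference bandwidth misleads:
# a direct Fast Ethernet link vs two Gigabit Ethernet hops.
MIXED_LINKS = [("R1", "R3", 100), ("R1", "R2", 1000), ("R2", "R3", 1000)]


if __name__ == "__main__":
    for ref in (DEFAULT_REF_BW_MBPS, 100_000):          # 100 Mbps vs 100 Gbps
        print(f"reference {ref} Mbps:",
              "FastE", ospf_cost(100, ref), "GigE", ospf_cost(1000, ref),
              "10GigE", ospf_cost(10_000, ref))
        print("  lecture R1->PC2:", best_path(LECTURE_LINKS, "R1", "PC2", ref))
        print("  mixed   R1->R3: ", best_path(MIXED_LINKS, "R1", "R3", ref))
```

With the default reference bandwidth the mixed topology takes the Fast Ethernet link (cost 1 beats 1+1); with the reference raised to 100 Gbps the two Gigabit hops cost 200 against 1000 for the single Fast Ethernet hop, and SPF moves the traffic. The reference bandwidth must be set identically on every router in the domain, otherwise routers disagree about link costs.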
Now my personal preference is to choose something that gives me a lot of future-proofing. Sometimes I set two terabits per second, but lately I've just been doing 100 gigabits per second, because that will give me different cost values for link speeds up to 100 gigs, and yes, I know there are some 400-gig transceivers out there, but I don't have any of those, so I usually set mine to about 100 gigs. I'll show you how to do it in the live interface in just a few moments. But let's think about a group of routers, all connected to a switch. They all belong to the same subnet, and if they are going to exchange information with each other... I said one router would exchange information with another router; what was the requirement? Could it be just a neighbor? No, it had to go beyond just being a neighbor; it had to be an adjacency. So let's say I have these six routers on the screen and I want each router to be able to talk and send its information to all the other routers so that everyone can agree on what this topology looks like. In order to do that, we have to have a full-mesh topology; every router has to talk to every other router, and the problem is that this just doesn't scale well. Now, this isn't even that many routers, it's just six routers. Here is the formula, by the way, if you want to calculate the number of adjacencies that need to be formed: we say n times n minus one, where n is the number of nodes. So here the number of nodes is six, we have six routers: six times n minus one, six multiplied by five, and then divide that by 2, so it's 30 divided by 2, which is 15. It takes 15 adjacencies, and isn't that horrible? What if you had 10 routers?
That's 10 times 9 divided by 2; that's 45. You'll see how this just doesn't scale on what's called a broadcast network. Remember, if we're all connected to the same subnet, we're saying we're all connected to the same broadcast domain, and in a broadcast domain a router needs to send its information to all other routers. This is not a good way to do it. This is where something called a designated router comes into play. What we can do is elect a router as the DR, the designated router. By the way, if it goes down, we will have another router as a backup; the backup designated router is called the BDR. They will be a kind of relay station for all this information. If all my other routers can form adjacencies with just the DR and the BDR, that will drastically reduce the number of adjacencies we have to have. R3 just has to be adjacent with R1 and R2, my DR and BDR; it no longer has to be adjacent with R4, R5 and R6. This is a big savings, and when R3 sends its information to R1, R1 will replicate it to everyone else in the area because it has adjacencies with everyone else in the area. So for broadcast, or multi-access networks I should say, where we have a bunch of routers sharing the same subnet, yes, this is enormously useful. Here's a question, though, about sending adjacency information.
Say I just want to talk to my DR. I said it before: if I send a hello, I will send it to 224.0.0.5. What if I don't want to talk to everyone? I just want to talk to my DR. Well, there's another multicast address for that, and you might want to make a note of it. I have it for you on the screen, or stay until the end and I have those downloads for anyone who is live and stays with us until the end, but we will send to 224.0.0.6. That's how we talk only to the DR or the BDR. And the next logical question is, who becomes the DR and the BDR? Well, an election is held. Let's vote on who is the DR and the BDR, and who is it?
By default, it is whoever has the highest router priority. Now, by default, if you simply configure OSPF on a router, what is the default priority? Could you tell me, who knows what the default priority is for OSPF? Who can be the first to chat? Go ahead and chat. I'm looking at all the different interfaces here and I'll see who's first. Again, I'm killing those 15 seconds. Who can tell me the default priority? Not 100... yeah, wow, someone got it, a name I can't pronounce, but yeah, it's one by default. So if you get everyone together it's going to be a tie. So I'm a big fan of setting the router priority so that it's your decision who becomes the DR and the BDR.
You may want to assign that responsibility to some of the more powerful routers. This is how you set priority. You enter interface configuration mode for the interface on that subnet that everyone belongs to, and you say ip ospf priority and you give it a higher number; higher is better. Then you can set your DR to 10, you can set your BDR, as second best, to five, and all the others can stay at one. Or if I have a router that is very, very busy doing other things and I don't want it to be a DR, it is too busy for that, we can say I refuse to be elected: I will not run, and if I am elected I will not serve. We can take ourselves out of the election by setting the priority to zero; set the priority to zero and suddenly we will not be considered for that election. But if we leave everything tied, what happens?
Here is the tiebreaker. Routers in OSPF are known by their router ID, and I like to go in and configure, for R1, a router ID of 1.1.1.1, which gives me an intuitive notion that it's R1, and for R2 I would say your router ID is 2.2.2.2. Now yes, those look like IP addresses, and they are, but I'm not saying I'm going to take you to 1.1.1.1 or I'm going to take you to 2.2.2.2; it's just a name, the router ID. It's just a name; yes, it looks like an IP address, but we're not advertising it. Many people will miss that, but I can go in and set the router ID. This is how I do it: in router configuration mode, it's router-id, then give the ID as 1.1.1.1. What if we don't do that? What is the next tiebreaker? Well, the next tiebreaker is, okay, let's look at the loopback interfaces on these routers, and whichever loopback interface has the highest IP address, that IP address will be the router ID. What if we don't have loopback interfaces? Okay, final tiebreaker: if we don't have loopback interfaces, we will look at all of our interfaces on the router that are up and that have IP addresses, and whichever interface has the highest IP address will be our router ID.
What if we haven't configured IP addresses on the interfaces yet? Then you can't configure OSPF yet. Try it sometime: try configuring OSPF before assigning IP addresses. You won't be able to; it won't let you. Now let's go back to the concept of areas that I talked about. I said that we could take a topology and divide it into different areas, and each of these areas would have its own map. It would simply be a map of your area, not a map of everything, and when we run the Dijkstra algorithm we would only be doing it within our area. Here, for example, I have nine different routers and I have divided them into three areas. Area 0 is called my backbone area, and notice that there is a pair of routers that sit on the border of more than one area. For your notes, these are called area border routers, ABRs. We'll talk about this more when we get into LSAs, but an ABR allows one area to know what networks are available in another area.
We're not going to run the Dijkstra algorithm on that other area. r3, for example, doesn't tell the routers in area 1, hey, you want to get to area 0, here's a map. No, that's the point: if we're in area 1 we don't want to run the Dijkstra algorithm on area 0's map. It just says here's a list of networks available in area 0. The initial reason that Cisco used to give in their design guidelines for dividing a network into different areas was that we don't want to overwhelm the router's processor by running the Dijkstra algorithm on an overly large database. In fact, it reminds me of years and years ago, maybe 15 years ago: my wife had an SUV that had one of the first versions of an in-dash navigation system, and I remember one time we were going on vacation, we were in Kentucky and going to, I don't know, Florida or somewhere, and I thought, well, what's the shortest way?
Well, it said, I just have this little region of the United States loaded on this map; you're going to have to load this other map. It didn't want to run the Dijkstra algorithm on the entire map of the United States, so it made us load these different regions of the country: where do you want to go? Okay, I have to load that region. But while it was a good intention from the beginning, in my opinion it stayed around for too long, and this is what I mean. Cisco used to have a design recommendation that said that if your area grows beyond 50 routers, you should split it into more than one area, because that is getting too large for the Dijkstra algorithm to run without overloading your router's processor.
You know what that limit was based on? It was based on the Cisco 2500 series router. Does anyone still have a 2500 series router? Those are old, I mean very old, they are routers from the mid 1990s. I actually have one, although I use mine to access the consoles of some of my other devices, so I use it as what's called a terminal server, but I wouldn't want to route with it, because the processors in our current routers, like the second- and third-generation ISRs, are literally orders of magnitude more powerful than the old 2500 series processors.
The bottom line is that this is no longer a concern. It wasn't when I worked at Disney: we had, I'd say, over 500 routers. We were running EIGRP, by the way, but if we were running OSPF I wouldn't hesitate to make them all members of the same area, because modern routers can handle that. Now, there may be times where I would want to split my network into different areas. Let me give you a couple of examples. One would be data centers, because if you go into a lot of data centers there are tons, I mean tons, of different subnets there. In fact, we run out of VLANs, so we have to go to something called VXLANs, which is a topic you'll cover in the ENCOR course, but we can run out of the more than 4000 VLANs.
There are a lot of things in there that I might want to put in their own area, not to save the router's processor, but to save myself: if I'm looking at a link state database, I don't want to see all those other millions of routes that are in my data center, so just for my own sanity I might break the data center into its own area. Maybe another reason... oh yeah, one person is saying maybe a couple of companies are merging, which could be a reason to have different areas. I totally agree with that; in fact that mixes with what I was about to say: if I'm about to connect something to my network that hasn't been tested yet, maybe another company's network, or maybe I buy equipment from vendor X and I'm really not sure how well its OSPF works,
I don't want it to corrupt my database, so I could put it in its own area just as a safety precaution. But with OSPF areas, if you have more than one, you must have what is called a backbone area, and that area must have the number zero. Area numbers can also be written in dotted decimal, looking like an IP address, so it could be something like 0.0.0.0, which by the way also counts as a backbone area. All other areas must touch the backbone area, and if one can't, well, we'll talk about a solution for that a little later today.
But now let's get into one of the most challenging topics in OSPF: the types of link state advertisements and the different types of areas. I'm going to take this nice and slow and tell some stories along with it, so be prepared to take some notes, because of everything I've taught to students over more than two decades, this is one of the hardest pieces of OSPF to understand. But let's take it calmly. Again, an LSA is just a piece of information; it's a puzzle piece. But there are different types of puzzle pieces, different types of information, and here is a super simple topology.
I have two areas and I have routers r1, r2 and r3. r1 to r2 we'll say is an Ethernet link, and r2 to r3 is going to be a point-to-point link; we'll look at that later today when we get into the different types of networks. Point-to-point links only have two routers, one on each end, so there is no need for a DR, and they don't elect one. It's important to understand that. The first type of LSA is called a router LSA. A router will generate a type 1 LSA for each network it connects to, so if I am r1 and I have five interfaces connected to different networks, I will send five type 1 LSAs within my area, because that is what I am connected to. There is another type of LSA that floods within an area, called a type 2 LSA. This also tells us about links within that area. For your notes: for a router to generate a type 2 LSA for a link, that link must meet two criteria. The first criterion is that the link has to be, again, please write this down, a transit link; in other words, it has to go from one router that speaks OSPF to another router that speaks OSPF. It cannot

There is a type 8 that is used with OSPF version 2 and can carry BGP attributes for OSPFv2, but you probably won't see it in that context; you will see it with OSPF version 3. We'll look at the OSPFv3 database later today and I'll point out the type 8 LSA. That's where we advertise information that's on a link: maybe there are three active routers on the same subnet, in other words we're advertising addresses, including link-local addresses, on that link, on that subnet. There's a type 9. Now, it had a use in OSPF version 2 that I don't think I'll ever see: it could carry some additional OSPF information if both ends knew how to interpret it. I have never seen it used, but you will see it with OSPF version 3, where it carries information about the links within the network. And I know what you're thinking: wait a minute, don't type 1 and type 2 contain all that information? Interestingly, they don't include the IP address information for those links, so type 9 does.
Type 9 is like a new and improved version of type 1 and type 2. Now, type 10 LSAs you will normally see with MPLS in service provider environments, because they can advertise certain information that can be used for traffic engineering. And there is a type 11, and it's like a type 10; it's also used for multiprotocol label switching. The only difference is that a type 11 LSA is not sent into a stub area: just like you don't send a type 5 LSA into a stub area, the same goes for type 11.
So again, just a little extra information to fill things out. Now, before we take our first break, I want to do a configuration with you, so I'm going to take us over to some live equipment and we're going to do a basic OSPF version 2 configuration. Let me move this over. Here's the topology that we're working on, which you see on the screen, and I just want to configure this so that each router can see all the networks here. So let's go to router r1. I'll go into global configuration by saying configure terminal, and then I'll start the routing process: I'll say router ospf followed by a process ID. I'm giving a locally significant process ID. This is not an autonomous system number, folks. If I was doing EIGRP and I said router eigrp 1, that would be an autonomous system number that I would have to match with my neighbor. Not true with OSPF; it doesn't have to match on my neighbor. Normally I match them just so I remember what my process IDs are, but it doesn't have to match. Now I need to advertise the networks that r1 knows. I'm going to say network... oh, you know what, let me do one thing first. We're going to use something called a wildcard mask in this command, and this wildcard mask can be derived from a subnet mask. Some people get a little confused when we talk about wildcard masks, so here's what I mean: it's kind of like the inverse of a subnet mask.
Let's say you had a subnet mask of 255.255.255.0. How do I calculate the wildcard mask? Here's the plain and simple math: you take an address of all 255s, 255.255.255.255, and from that you subtract your subnet mask, which gives you your wildcard mask. So in this example, let's say I want to convert 255.255.255.0, a /24 subnet mask, to a wildcard mask. Octet by octet I can say 255 minus 255 is zero, the next octet is zero, the next octet is zero, and finally the fourth octet, 255 minus zero, is 255.
Let me challenge you with one now. My challenge to you is this: can you give me the wildcard mask for 255.255.255.252? That's a /30 subnet mask. Go ahead and chat if you want. Yeah, Casey's the first one in with the correct answer; Casey says 0.0.0.3. Excellent, I think you understood it well. Let's go back to our demo now that we understand wildcard masks, and let's say I want to advertise the network off r1's gig 0/1 interface, which is 10.1.1.0/24. Now please listen to me; this is another very common point of confusion.
Here is the command I will give to advertise that network, and this is the way we normally do it. We're saying network 10.1.1.0, and instead of the /24 subnet mask I'm going to put a wildcard mask, which we just said is 0.0.0.255, and I need to say what area that interface belongs to, not the router but that interface. It belongs to area 0. Now that command looks like I said advertise network 10.1.1.0/24 in area 0, and that's the effect, that's what it does, but that's not exactly what the command says. That command says: here is a network address space; if you have an interface on this router whose IP address is within that address space and is currently up, advertise that interface's network.
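As an added example (mine, not from the webcast), here is the wildcard-mask arithmetic and the "address space" interpretation of the network statement in Python, run against r1's interfaces; r1's 172.16.1.1 address on gig 0/2 is an assumption (the topology only gives the /30 subnet), and the block also covers the catch-all network 0.0.0.0 255.255.255.255 form that enables every interface at once.

```python
import ipaddress


def wildcard_from_mask(mask):
    """255.255.255.255 minus the subnet mask, octet by octet."""
    return ".".join(str(255 - int(octet)) for octet in mask.split("."))


def wildcard_from_prefixlen(prefixlen):
    """Same arithmetic starting from a /N length, e.g. 30 -> 0.0.0.3."""
    mask = str(ipaddress.IPv4Network(f"0.0.0.0/{prefixlen}").netmask)
    return wildcard_from_mask(mask)


def network_statement_matches(net, wildcard, interfaces):
    """Interfaces that 'network <net> <wildcard> area N' would enable for OSPF.

    The statement describes an address space, not a network to advertise:
    an interface qualifies when it is up, has an address, and agrees with
    <net> on every bit where the wildcard bit is 0 (a wildcard 1 bit means
    'don't care').  `interfaces` is a list of (name, ip, is_up) tuples
    (constructed format).
    """
    net_bits = int(ipaddress.IPv4Address(net))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    enabled = []
    for name, ip, is_up in interfaces:
        if not is_up or not ip:
            continue  # shut down or no address yet: nothing to advertise
        if (int(ipaddress.IPv4Address(ip)) & care) == (net_bits & care):
            enabled.append(name)
    return enabled


# Constructed model of r1 from the demo topology (172.16.1.1 is assumed).
R1_INTERFACES = [
    ("GigabitEthernet0/1", "10.1.1.1", True),
    ("GigabitEthernet0/2", "172.16.1.1", True),
    ("Loopback0", "1.1.1.1", True),
]

if __name__ == "__main__":
    print(wildcard_from_mask("255.255.255.252"))  # 0.0.0.3
    for net, wc in [("10.1.1.0", "0.0.0.255"), ("1.1.1.1", "0.0.0.0"),
                    ("172.16.1.0", "0.0.0.3"), ("0.0.0.0", "255.255.255.255")]:
        print(net, wc, "->", network_statement_matches(net, wc, R1_INTERFACES))
```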
Try it a little later, but I just want you to understand that this command doesn't actually say advertise this network. It says there is an address space here, and any interface that is up and whose IP address falls within that address space will have its network advertised. Again, I'll show you that a little bit later, but I'll continue the traditional way for now. For the loopback interface, which is 1.1.1.1/32, I'll say network 1.1.1.1, my wildcard mask will be 0.0.0.0, and it will also be in area 0. There is one interface missing. I'll say network, and this is the one that leaves gig 0/2 towards r2: it will be network 172.16.1.0, and notice that it is a subnet with a /30 mask.
You see it on the screen in the topology, which means I'm going to give it a wildcard mask of 0.0.0.3. It's also in area 0. Now I could stop here, but let me show you a couple of additional things, and I didn't even include this in that script I talked about giving you later, so you may want to note this. If you notice, there is an interface on r1 that is not connecting to another router. Is there really any reason to send hellos out that interface? In fact, that could be a security risk, couldn't it? Some malicious user could connect to switch 1, configure a router connected to switch 1 as an OSPF router, form an adjacency and start corrupting our database. So if I don't want to send hellos to that part of the network, I can say I still want that network to participate.
I still want to advertise 10.1.1.0; I just don't want to send hellos out of it. I can turn it into what's called a passive interface: passive-interface gigabit 0/1. Another thing we might want to do, because we talked about setting that reference bandwidth to something a little more reasonable than 100 megabits, let's do that. Here's the command if you want to write it down: auto-cost reference-bandwidth, and I'm going to say one hundred thousand. The unit of measurement is megabits per second, so 100,000 megabits, that's 100 gigs. And a warning: make sure you do this on all the routers, and I'll do it as we set this up. I think I'm done on router r1 right now, so let's go to router r2. I'll do this faster because it's basically the same thing. I'll say router ospf with the locally significant process ID, then network: the network between r1 and r2 is 172.16.1.0, 0.0.0.3 is my wildcard mask, and it's a member of area 0.
Now let's be careful with the following: my loopback interface is not a member of area 0. It is not a member of area 0. I am going to say network 2.2.2.2, wildcard mask 0.0.0.0, and it's in area 1. You have to be very careful when doing this to make sure you have specified the correct areas. We have one more network, and it's between r2 and r3. I'll say network 172... actually no, it's not 172, it's 192, isn't it? 192.168.1.0. It's a /30 subnet mask, so my wildcard mask will be 0.0.0.3. This will be in area 1. Could I configure a passive interface on r2?
I don't really see a big need to do it, so no. I do want to set the reference bandwidth, though, so I will say auto-cost reference-bandwidth 100,000 megs. Okay, one router to go. Let's go to router r3. Basically the same type of setup here on r3: we'll say router ospf again. I don't have to make these process IDs match; I do it so I can remember what they are, because if I make them all the same I'll remember. Now let me show you what I said before. I said a network statement names one of the networks connected to the router and it advertises that network, but I also said the network command actually says: here is a network address space, and if we have an active interface whose IP address falls within that address space, advertise that interface's network and its subnet mask in OSPF. So what happens if I do this?
What happens if I give only one network statement? What if I give a network statement that covers all possible IP addresses? I'll say network 0.0.0.0 with the all-255 wildcard mask, 255.255.255.255, which encompasses every IPv4 address that exists, and it's in area 1. That address space by definition spans the IP addresses of gig 0/1, loopback 0 and gig 0/2, so that one command will make them all participate. Let's configure the reference bandwidth: I will say auto-cost reference-bandwidth 100000; make sure I have the right number of zeros in there, one hundred thousand. And oh, I have another chance for a passive interface.
I'm not going to connect to a router off gig 0/2 on r3, so I'll say passive-interface gig 0/2. Okay, let's see how we do now; let's see if I've learned any of these routes. I'm going to say show ip route, and I have learned some routes on r3. Look at this: it says I learned 1.1.1.1, that's the loopback interface of r1. I learned it through OSPF, that's what the O means, and the IA means it came from another area, an OSPF route learned between areas, because I'm in area 1 and I learned it from area 0. So it's an inter-area route.
I also learn 2.2.2.2, but there is no IA, because that's the loopback interface of r2 and it's in my area. Can I reach the entire network? Can I reach r1? Can I ping 10.1.1.1? That's the gig 0/1 interface on r1. Yes, it was successful, which is great news. There's another great troubleshooting command you might want to note down: show ip protocols gives me a lot of detailed information about how my routing protocols are configured. It says here is my router ID; I didn't configure the router ID, so it went with the loopback interface, as we talked about. It says I'm routing for everything that falls within this address space, which is everything, and here's my passive interface. Let me go to r2, because we have a couple of neighbors there. On r2 I will say show ip ospf neighbor and I see that I have a neighbor, r1, and a neighbor, r3. Won't you be my neighbor?
We are in a Full state, which is what we want. Excellent, excellent. Now, we said that OSPF is going to build a link state database, so let's take a look at that. I'm going to say show ip ospf database on r3. We said that we should have a type 1 LSA for each link within an area, and I have two links within my area (loopbacks don't count, by the way, with their /32 mask): I have a link between r2 and r3, and r3 goes to sw2, and you see that I have two type 1 LSAs, two router LSAs. I said I would have a type 2 LSA for each link that was a transit link, interconnecting two routers, and on which a DR would be elected. Well, these are all Ethernet, so a DR will be elected, but only one is a transit link: r2 to r3 goes between two routers, but r3 to the switch is not a transit link, it does not go to another router, so I only have one type 2 LSA. And we said that unless we start setting up stub areas and that kind of thing, we will see a type 3 LSA for every network that comes from the other area, so I see these summary LSAs.
By the way, as we described, I have these three networks, and it tells me the actual networks that I learned from area 0. If you want to see the networks known by OSPF specifically, and not necessarily what's in the router's IP routing table, I can say show ip ospf rib, the routing information base, and this shows me the routes that OSPF knows; if it has more than one route it will indicate the best one with a greater-than sign. Another command that relates to some things we're going to do later today is show ip ospf interface gig 0/1. It will give me a lot of information about that interface: it will tell me the cost of that interface, and because I adjusted that reference bandwidth, suddenly instead of having a cost of 1 I have a cost of 100.
Well, it's a broadcast network type, we see the router ID, and a lot of other great information here; more on some of this a little later. Okay, let's get into the second part of our session today, which will be about network types. Now, if you read the exam blueprint for CCNA and for ENCOR, they tell you that you need to know the network types. If I remember correctly, CCNA says you need to know about the broadcast network type and the point-to-point network type; ENCOR adds non-broadcast multi-access and point-to-multipoint. We're going to talk about all of those today and some of their features.
The first is the broadcast network type, that is, Ethernet. If we have an Ethernet switch and many devices connected to that switch, and I send a broadcast, it will go to all of those devices; that's why we say it's a broadcast network. And because we have multiple devices connected to one subnet, that's why we say it's a multi-access network: we have multiple devices that can access that network. I want you to understand some features, so you might as well start taking notes. You don't have to take notes if you're going to stay until the end, because those who are with us live will be able to download the slides at the end, but if you're watching this on the replay, absolutely take notes. This will be the default OSPF network type on an Ethernet interface. We will elect a DR and a BDR, and how often will we send hello messages? Every 10 seconds we will be sending a hello message. Compare that to point-to-point, which is just two routers with one connection between them, maybe a serial link, some kind of WAN connection. It will act differently. Think about it: do I really need a designated router there?
If there are only two routers on the link, I don't think I need a designated router. I mean, designated routers were trying to overcome the problem of having a full mesh of adjacencies, and we will only have one adjacency here. This is the default for a serial interface on a Cisco router, so serial interfaces that are not configured for Frame Relay are point-to-point. I also want you to know that we just said these DRs and BDRs are not going to be elected, but interestingly, the timer is the same as with broadcast: the hello interval is 10 seconds.
Let's take a look at the non-broadcast multi-access network type. This one is a little confusing for people, so let me break it down. This is a multi-access network, and what that means is that all these routers, r1, r2, r3 and r4, are all connecting to the same subnet, which they all access: we have multiple devices accessing the same subnet. However, we are not doing broadcasts over these links, and by the way, when I say we are not doing broadcasts, that also implies we are not doing multicasts either. So no broadcasts and no multicasts.
Now the question arises: if I can't do a multicast, how do I send a hello to r2? I don't know where r2 is, and I can't send a multicast, so how do I find it? Right: with NBMA networks, we actually have to configure the IP addresses of our neighbors, because we're not going to discover them dynamically through multicast, since we can't send multicasts. This will be the default on a Frame Relay serial interface, and we do elect DRs and BDRs because we're on a multi-access network. That is the big point I want you to understand from this: if we are on a multi-access network, we are going to elect DRs and BDRs. We have to specify who our neighbor is because we will not find them automatically. And the timer is different too.
The timer starts to vary here: it will be 30 seconds, three times longer than what we have seen so far. And the final type is point-to-multipoint. Now, this looks like the other one, doesn't it? But whereas in NBMA all the routers belonged to the same subnet, that is not the case here. r1 in this case will have three subinterfaces, something like Serial 0/0.1, 0/0.2 and 0/0.3, and there will be a separate subnet on each of those permanent virtual circuits: one subnet from a subinterface on r1 to r2, a different subnet that goes to r3, and a different subnet that goes to r4. So this is not a multi-access network, and therefore we don't need DRs and BDRs, right? What's happening here is that we're actually treating each of those dashed lines, each of those permanent virtual circuits, as a separate point-to-point link, and on point-to-point links we don't need DRs or BDRs. What r1 does is simply replicate the information and send it out the other links, and the hello interval is 30 seconds.
So I've told you what we have by default, but you can go into an interface and say ip ospf network and a type, and if you do that it will change the timer information. I also want you to know, for the ENCOR exam, what network types are compatible with each other: r1 has this type, r2 has that type, can they form a neighbor relationship? Some options are obvious: broadcast to broadcast, that's what we have most of the time, so broadcast on r1, broadcast on r2, yes, we are adjacent, or at least neighbors. What about non-broadcast to non-broadcast? Sure, those match. Point-to-point to point-to-point, point-to-multipoint to point-to-multipoint, sure, they match too. What about broadcast to non-broadcast, NBMA, non-broadcast multi-access? Actually, you can have a neighbor like that. The timers are different, broadcast has a 10 second hello and non-broadcast, NBMA, has a 30 second hello timer, but you can set the timers manually, and as long as you make the timers match, yes, you can have mismatched network types. Here is the key, instead of just memorizing this big list; here is the key to memorizing this for the exam: if both ends elect a DR, yes, they're compatible; set the timers if you need to set timers. If both ends do not elect a DR, yes, they will also be compatible. So for example point-to-point and point-to-multipoint: yes, they have different timers, but neither elects a DR or BDR, so they can be neighbors in that environment.
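The compatibility rule and the per-type defaults, as an added Python table (mine, not from the webcast): it applies the dead interval of four times the hello and reports why two ends would fail to become neighbors. The network-type names are the IOS ones; the table values are those stated in the talk.

```python
# Defaults per OSPF network type as given in the talk (Cisco IOS behaviour):
# hello interval in seconds, whether a DR/BDR is elected, and whether neighbors
# are discovered automatically (NBMA needs them configured by IP address).
NETWORK_TYPES = {
    "broadcast":           {"hello": 10, "elects_dr": True,  "auto_discover": True},
    "point-to-point":      {"hello": 10, "elects_dr": False, "auto_discover": True},
    "non-broadcast":       {"hello": 30, "elects_dr": True,  "auto_discover": False},
    "point-to-multipoint": {"hello": 30, "elects_dr": False, "auto_discover": True},
}


def timers(network_type, hello=None):
    """(hello, dead) in seconds; dead is four times hello, also when hello is tuned."""
    if hello is None:
        hello = NETWORK_TYPES[network_type]["hello"]
    return hello, 4 * hello


def can_be_neighbors(type_a, type_b, hello_a=None, hello_b=None):
    """Apply the exam rule: both ends elect a DR or neither does, and the
    hello/dead timers must match.  Returns (ok, explanation)."""
    a, b = NETWORK_TYPES[type_a], NETWORK_TYPES[type_b]
    if a["elects_dr"] != b["elects_dr"]:
        return False, "one end elects a DR/BDR and the other does not"
    ha, da = timers(type_a, hello_a)
    hb, db = timers(type_b, hello_b)
    if (ha, da) != (hb, db):
        return False, (f"hello/dead timers differ ({ha}/{da} vs {hb}/{db}); "
                       "tune them with 'ip ospf hello-interval' so they match")
    note = "compatible"
    if not (a["auto_discover"] and b["auto_discover"]):
        # Hellos cannot be multicast on NBMA: the neighbor must be configured.
        note += "; the non-broadcast end needs a 'neighbor <ip>' statement"
    return True, note


if __name__ == "__main__":
    pairs = [("broadcast", "broadcast", None, None),
             ("broadcast", "non-broadcast", None, None),
             ("broadcast", "non-broadcast", 30, None),
             ("point-to-point", "point-to-multipoint", None, None),
             ("point-to-point", "point-to-multipoint", None, 10),
             ("broadcast", "point-to-point", None, None)]
    for ta, tb, ha, hb in pairs:
        print(f"{ta} <-> {tb}: {can_be_neighbors(ta, tb, ha, hb)}")
```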
Now let's talk about timers. I keep saying there are all these different things that can be a little confusing, and this is one of them: timers. The reason it can be confusing is that if you work with EIGRP, EIGRP works in a very different way from this, although many people think it is identical. This is how an OSPF timer works. I've already talked about the hello timer, and let's say my timer is set to 10 seconds, like on an Ethernet port. So every 10 seconds, bam, bam, I'm sending a hello message over multicast, and I'm getting hello messages from neighbors or potential neighbors. Let's say I form a neighbor relationship; if I don't hear from that neighbor within a certain period of time, called the dead timer or dead interval, I'm going to tear down that neighbor relationship.
I'm going to assume they are no longer there, that something happened to the link between them and me, so we just cut it off. So we have to hear a hello from our neighbor within the dead interval, and you'll notice that the dead timer is whatever the hello timer is multiplied by four. So if your hello timer is 10 seconds, your dead timer is 40 seconds; if your hello timer is 30 seconds, yes, you guessed it, your dead timer will be two minutes, 120 seconds. And the timers must match to form a neighbor relationship, as we noted earlier. Now I'll walk you through the different neighbor states. This will be one of those great reference slides for you, so if you're not attending this live or don't plan on staying until the end,
you'll definitely want to take a screenshot of this after I've fully explained it. These are the different neighbor states that I'd like you to know about as we're trying to form a neighbor relationship or possibly an adjacency. The first: the router is up and your OSPF neighbor state is Down. What that means is I haven't received a hello from anyone. Down doesn't mean I've never sent a hello; it just means I haven't heard a hello from anyone else. Now, the Attempt state, please take note of this: you will only see this on an NBMA network, a non-broadcast multi-access network, where we have to specify the IP address of our neighbor. That is where we are sending hellos to that configured neighbor but we have not received anything from that neighbor.
It's like Down, except it's the Down-like state on an NBMA network. We can send hellos; we just haven't heard anything from our neighbor, so they are similar. The next is Init. Here I received a hello from my neighbor. Yes, there is someone talking to me, but when I look at their hello message, they are not giving me all the information: they do not include my router ID. What does that mean? If they sent me a hello message and didn't include my router ID, it means they haven't heard a hello from me yet, so maybe they were the aggressors, they sent the hello message first and I just haven't responded yet. That's what Init means; I mean, someone has to be first, so it's not bad, it's not weird. Then I finally get a hello from my neighbor that has my router ID in it, and they got a hello from me that has their router ID. We're not in the final state yet, we're not sure yet, but we are in a two-way communication state right now: there is two-way communication, now we are neighbors. We are not necessarily adjacent, but we are neighbors, and then we decide if we're going to form an adjacency. That will depend on whether we are on a broadcast network, or should I say, are we on a multi-access network?
Am I a DR, or am I talking to a DR or a BDR? That's where the ExStart state comes in. Here is where we choose a DR and a BDR for this multi-access network; that occurs during the ExStart state, based on priority. Then, during the Exchange state, we've chosen a DR, or if we don't need a DR we skip that step, but in the Exchange state we have adjacencies, and there may be many, whether it's between a pair of point-to-point routers or a group of routers pointing to the DR and BDR. Over the adjacencies that have been established, during the Exchange state we are sending what are called database descriptor packets, which I know sounds silly.
I don't mean to say this, but they are database descriptor packets: they describe the database. That's the only way I know how to say it. They're not populating the database; they're not saying this network is connected to this router and this one is connected to that one. No, they're describing the nature of the database structure: maybe the database is this big, it will have this many entries. You are describing the structure of the database, but not populating it. Populating the database happens during the Loading state. This is where we're exchanging those LSAs, and if I'm missing a piece of the puzzle, if I need that missing puzzle piece we talked about earlier, I'll send an LSR, a link state request, saying hey, I'm missing a piece in my link state database, can anyone give it to me? And my neighbor, my adjacency, says yes, I have it, and sends it to me. So now everyone has built their database and they all match: now we are in the Full state, we have full adjacencies with everyone we should have adjacencies with, and this is a stable state. But sometimes you'll look at your neighbor states and you'll see 2-Way; that's totally fine, that just means yes, this is a neighbor, but you don't have an adjacency with it. I'm going to pause right there to let you take a screenshot, because for those of you who are sticking around to the end, I'm going to let you download today's slides, but if you're watching this on the replay or you're not going to stay until the end, this is one to take a screenshot of.
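An added toy model (mine, not the webcast's, and simplified from the RFC 2328 state machine) of the neighbor states just described, driven by the events the talk names: hellos with or without our router ID, DBD exchange, LSR/LSU loading, and dead-timer expiry. Roles and router IDs are constructed sample values.

```python
# Which network types elect a DR/BDR (decides whether two DROthers stop at 2-Way).
ELECTS_DR = {"broadcast": True, "non-broadcast": True,
             "point-to-point": False, "point-to-multipoint": False}


class OspfNeighbor:
    """One neighbor entry as seen from 'our' router."""

    def __init__(self, my_rid, nbr_rid, network_type,
                 my_role="DROther", nbr_role="DROther", configured=False):
        self.my_rid, self.nbr_rid = my_rid, nbr_rid
        self.network_type = network_type
        self.my_role, self.nbr_role = my_role, nbr_role
        # Attempt exists only on NBMA, where we unicast hellos to a configured
        # neighbor we have not heard from; everywhere else we start in Down.
        nbma_static = network_type == "non-broadcast" and configured
        self.state = "Attempt" if nbma_static else "Down"
        self.history = [self.state]

    def _go(self, state):
        self.state = state
        self.history.append(state)

    def adjacency_needed(self):
        """Point-to-point/multipoint: always.  Multi-access: only with a DR or BDR."""
        if not ELECTS_DR[self.network_type]:
            return True
        return self.my_role in ("DR", "BDR") or self.nbr_role in ("DR", "BDR")

    def hello_received(self, seen_router_ids):
        """`seen_router_ids` is the neighbor list carried in the hello we just got."""
        if self.my_rid not in seen_router_ids:
            # They have not heard us yet: one-way communication only.
            if self.state in ("Down", "Attempt", "Init"):
                self._go("Init")
            return
        if self.state in ("Down", "Attempt", "Init"):
            self._go("2-Way")          # both sides see each other: neighbors
            if self.adjacency_needed():
                self._go("ExStart")    # master/slave negotiation before DBDs

    def dbd_exchange_started(self):
        if self.state == "ExStart":
            self._go("Exchange")       # database descriptors flow now

    def dbd_exchange_done(self, missing_lsas):
        if self.state == "Exchange":
            # LSRs go out for anything we lack; Loading until the LSUs arrive.
            self._go("Loading" if missing_lsas else "Full")

    def requested_lsas_received(self):
        if self.state == "Loading":
            self._go("Full")

    def dead_timer_expired(self):
        """No hello within the dead interval (4 x hello): tear it all down."""
        self._go("Down")


def walk_point_to_point():
    """Drive a constructed point-to-point neighbor through the whole sequence."""
    n = OspfNeighbor("2.2.2.2", "3.3.3.3", "point-to-point")
    n.hello_received([])                 # their first hello does not list us yet
    n.hello_received(["2.2.2.2"])        # now it does
    n.dbd_exchange_started()
    n.dbd_exchange_done(missing_lsas=True)
    n.requested_lsas_received()
    return n.history


if __name__ == "__main__":
    print(walk_point_to_point())
    # ['Down', 'Init', '2-Way', 'ExStart', 'Exchange', 'Loading', 'Full']
```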
I'll give you a second to do it. Alright, next is route filtering. We have done the basics. We said this is how OSPF works in theory, we defined a bunch of terms, we did a basic OSPFv2 setup, we made sure everyone could see everyone else, we talked about how neighbors and adjacencies are formed, DRs and BDRs, and all the adjacency states. Now let's start overlaying some fun features on top of the basics. The first one is route filtering, because we may not want all routes to go into our OSPF link-state database; maybe some of those routes come from another autonomous system.
I may not want them on my network. Maybe I have merged with another company and they are using the 10.0.0.0 private address space, and so am I. I don't want their 10.x address space on my network, so I'm going to filter some of that out. Now, here is the thing compared with EIGRP: with EIGRP, if you want to do route filtering, you can do it pretty much anywhere you want, but with OSPF you can only do route filtering at very specific locations. You can perform route filtering on the ASBR, the autonomous system boundary router, and it is done as part of your redistribution configuration, and redistribution is not a topic for today.
I actually have a YouTube video on it if you want to watch it, but that's covered as part of our redistribution setup. So as routes go from one autonomous system to another, that's where you can set it up, or as you go from one area to another, that's another place where you can filter. Now, are you ready for me to bend your brain a little bit? What if I wanted to filter a network from a router within an area? Doesn't that seem like breaking the rules of what OSPF is all about? If I'm filtering from just one router, I mean, think about this: within one area the rule is that they all have to have identical maps, we all have to have identical link-state databases, so how is that possible?
It is not possible for routers in an area to have different link-state databases, but remember that just because there is something in the link-state database, that is no guarantee it will be put into the router's IP routing table. So we do this little trick: let's say we want to filter 10.1.1.0/24. We can filter it out as it passes between the OSPF database and the router's IP routing table. During that population of the IP routing table, we simply pick it out and delete it in between, before it reaches the router's IP routing table, with something called a distribute list.
I'm going to demonstrate it for you, and here is the topology we are going to use. I will do the filtering two different ways in this demo: I will set it up and filter on R2 as we move from area to area, and filter on R1 as we move from the link-state database to the router's IP routing table. So let me get my topology back on the screen. We're using the same topology we used before, and I'm ready. Let's go to router R1 and take a look at our routes. I'll say show ip route, and note that I see routes to a couple of loopback interfaces, one on R2 and one on R3, for no particular reason, just because they're easy to identify.
Let's say we want to filter those loopback interfaces. Well, where do I do that as we go from one area to another? The slide I just showed said that if we're filtering routes from one area to another, that needs to be done on the ABR, the area border router, which is R2 in our case. So I'm going to go to R2 to configure this, and to configure it I'm going to use something called a prefix list. If you haven't worked with prefix lists, I'll describe them as we move forward. A prefix list is similar to an access control list because we have multiple entries as part of the same list.
We have sequence numbers that determine the order of operation; we process it from top to bottom, so there is a lot in common with an access control list. But I'm going to say ip prefix-list and give it a name. We're trying to remove the loopback interfaces, so let's call it NO-LOOPS, and I'm going to give it a sequence number of 10, which will be evaluated before sequence number 20. In sequence number 10, let's deny the loopback interface address of 18.104.22.168/32. It has a 32-bit subnet mask; that is the loopback interface of R2.
Let's do the same thing, but I'm going to give it a different sequence number, sequence number 20: let's deny 22.214.171.124/32. What about everyone else? A prefix list has a lot in common with an access control list, which has an implicit deny at the bottom, and a prefix list does too. I don't want to block everything, so I have to say, okay, permit everything else. So I will make a final entry, sequence 30: ip prefix-list NO-LOOPS, sequence number 30 this time, and I want to permit everything that hasn't been matched yet. One way to specify all the IP addresses is to say 0.0.0.0 with a slash-zero mask, but look at this.
I'm going to give a qualifier. I will say that the subnet mask can be less than or equal to 32 bits. Well, do you agree? I think every subnet mask is less than or equal to 32 bits, so it's a way to specify all possible IPv4 prefixes. Now let's apply it. Let's go into router configuration mode for OSPF process ID 1, and I'll say area 0 filter-list, because I'm filtering into area 0, and give it the name. I actually have to say it's a prefix list as the kind of list, so I will say prefix and the name NO-LOOPS, and apply it in the in direction, as routes enter area 0.
I think we're done, that's simple. So let's go back to R1 and see if it worked. Let's go to R1 and I'll do a show ip route. Do I still see those loopback interfaces? I see mine, but I didn't block that one; I don't see 126.96.36.199 or 188.8.131.52 anymore. This is how we can filter the routes that go from one area to another. Okay, let's go to the next step. Let's filter one of the routes that router R1 knows in its OSPF database so that it does not appear in the router's routing table.
If we take a look at the topology, let's filter that network hanging off R3 toward SW2, 10.2.2.0/24. Let's look it up here: here is 10.2.2.0/24, an inter-area route. Let's filter that from our routing table only, on R1. To do that we can't filter it from the link-state database; we just catch it on its way from the link-state database to the IP routing table, and I'm going to use a prefix list to do it. I'll do it here on R1. I'll say ip prefix-list FILTER_10.2.2.0, that's what I'll call it because that's what I'm filtering; you don't have to name it that, it's just an intuitive name I gave it. We'll still give it sequence numbers. The first sequence number I'll say is 10, and I want to deny that network, 10.2.2.0/24.
I want to permit everything else, so just like we did before, I'll say the last sequence number, and I want to permit 0.0.0.0/0 with a subnet mask less than or equal to 32, which is everyone. Let's go into router configuration mode, and this time I'll say distribute-list instead of filter-list. Oh, I just didn't give enough characters for distribute-list. It's a prefix list, and I want to make sure I spell the name correctly, so I'm just going to copy and paste it. There's my prefix list, and I'm going to apply it in the in direction, which means as routes go into my IP routing table. Let's first make sure that 10.2.2.0 is still alive and well in our OSPF database.
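Both filters above rest on the same prefix-list rules: entries run in sequence order, the first match wins, and anything unmatched hits the implicit deny. The following is an added example, not code from the webcast; it models that evaluation in Python, using the list names from the demo, constructed loopback addresses in place of the lab's, and one extra /25 route to show that a deny without a le qualifier only matches the exact mask length.

```python
import ipaddress

# Added example (not from the webcast): a small model of how a Cisco-style
# ip prefix-list evaluates routes. Entries run in sequence-number order, the
# first match wins, and a route that matches nothing hits the implicit deny.
# Addresses below are constructed for the demo; they are not the lab's.

def entry(seq, action, prefix, ge=None, le=None):
    """One 'ip prefix-list NAME seq N permit|deny PREFIX [ge X] [le Y]' line."""
    return {"seq": seq, "action": action,
            "net": ipaddress.ip_network(prefix, strict=False), "ge": ge, "le": le}

def entry_matches(e, route):
    """Match = the route's first <entry length> bits equal the entry prefix
    AND the route's mask length is acceptable: exactly the entry's length when
    no ge/le is given, otherwise within [ge or entry length, le or 32]."""
    net = e["net"]
    plen = net.prefixlen
    shift = net.max_prefixlen - plen
    if int(route.network_address) >> shift != int(net.network_address) >> shift:
        return False
    if e["ge"] is None and e["le"] is None:
        return route.prefixlen == plen
    low = e["ge"] if e["ge"] is not None else plen
    high = e["le"] if e["le"] is not None else net.max_prefixlen
    return low <= route.prefixlen <= high

def evaluate(prefix_list, route):
    """Return 'permit' or 'deny' for one route (implicit deny at the end)."""
    for e in sorted(prefix_list, key=lambda x: x["seq"]):
        if entry_matches(e, route):
            return e["action"]
    return "deny"

def apply_filter(prefix_list, routes):
    """Keep only the routes the list permits, like 'area 0 filter-list prefix
    NAME in' on the ABR or 'distribute-list prefix NAME in' on a router."""
    return [r for r in routes
            if evaluate(prefix_list, ipaddress.ip_network(r)) == "permit"]

# Constructed stand-ins for the lab's routes (R2/R3 loopbacks as /32 hosts).
# 10.2.2.0/25 is included to show a deny for /24 does not catch a /25.
ROUTES = ["10.1.1.0/24", "10.2.2.0/24", "192.0.2.2/32", "192.0.2.3/32",
          "10.2.2.0/25"]

# 'ip prefix-list NO-LOOPS': deny the two loopbacks, then permit everything.
NO_LOOPS = [
    entry(10, "deny", "192.0.2.2/32"),
    entry(20, "deny", "192.0.2.3/32"),
    entry(30, "permit", "0.0.0.0/0", le=32),   # every IPv4 prefix
]

# 'ip prefix-list FILTER_10.2.2.0': deny one /24, permit the rest.
FILTER_10_2_2_0 = [
    entry(10, "deny", "10.2.2.0/24"),
    entry(20, "permit", "0.0.0.0/0", le=32),
]

# Same list with the final permit forgotten: only the implicit deny is left,
# so every route disappears from the routing table.
FORGOT_PERMIT = [entry(10, "deny", "10.2.2.0/24")]

if __name__ == "__main__":
    print("ABR filter-list :", apply_filter(NO_LOOPS, ROUTES))
    print("distribute-list :", apply_filter(FILTER_10_2_2_0, ROUTES))
    print("missing permit  :", apply_filter(FORGOT_PERMIT, ROUTES))
```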
I will say show ip ospf database. Yes, there it is, it's still there. It came to us via a type 3 LSA, but is it in our routing table? 10.2.2.0? No, it's not; it's now conspicuously missing. So we've done a couple of things: we've filtered as we go from one area to another, and we've filtered as we go from the link-state database within a router to that router's IP routing table. Very good. The next topic we have is route summarization. This is a way to have more efficient routing tables. Let me give an example: let's say I have these four networks, 192.168.0.0, 192.168.1.0, 192.168.2.0 and 192.168.3.0.
If we look at those subnets in binary, they have a lot in common. If I break those octets into binary, can you see that they all have the first octet in common? I mean, they're all 192. They have the second octet in common, all 168. But if we look at that third octet and break down zero, one, two and three, they have the first six bits of that third octet in common. So instead of advertising four separate networks and having four separate entries in my IP routing table, don't you think it would be more efficient if I just had one advertisement covering all four networks?
I think so. What if I did this? What if I said, well, we have the first 22 bits in common, so what would happen if we created a subnet mask that was 22 bits long? What would it look like in dotted decimal? Well, if you do the binary, it would look like this: 225.225.2, excuse me, I said 225, I meant 255.255.252.0. Do you remember how we get a network address? We set all the host bits to zero, so if I take the 22 bits that are in common and make the last eight bits zero, this is what it looks like in binary, and if I convert that to decimal, we could advertise a network of 192.168.0.0/22, and that advertisement would cover all those networks, which can mean big savings for us.
Here's something to think about. If you have a summary address that you're advertising, you want to be very careful to make sure there isn't another network, another subnet somewhere in your network, that also falls under that advertisement. That happens sometimes. In this case I used all four addresses that the advertisement was covering, but what if, in that third octet, I had a zero, a one and a three, but not a two? I could still use the same advertisement, but if somewhere else on the network I had that third octet as a two, then the network and router should still work, because if I have an entry like 192.168.2.0/24, that's more specific.
That's more specific than 192.168.0.0/22, so it should still work; it's just that it can get you into trouble, so be careful with that. Now, just like we had specific places where we were allowed to do route filtering, we have specific places where we are allowed to do route summarization, and here they are: we can summarize on an ASBR as we move from one autonomous system to another, or we can summarize as we move from one area to another. I'm going to demonstrate both in just a second. If we summarize on the area border router, we'll use the area range command, and I'll show you that syntax. If we're summarizing on the ASBR, the autonomous system boundary router, between OSPF and something else, we use the summary-address command. Let me show you this, and here is the topology we are going to use.
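The /22 worked out by hand above, and the caution about a summary covering a subnet you did not mean to advertise, can both be checked mechanically. This is an added example, not code from the webcast: it finds the longest common prefix of a list of networks, prints the summary with its dotted-decimal mask, and lists the blocks inside the summary that are not among the routes you intended to cover.

```python
import ipaddress

# Added example (not from the webcast): derive the summary the talk works out
# by hand for 192.168.0.0 .. 192.168.3.0, then check the caveat that a summary
# may also cover subnets you did not intend to advertise.

def common_prefix_length(networks):
    """Number of leading bits all network addresses share (the 22 in the
    example), capped at the shortest member mask so the summary is never
    longer than one of its component routes."""
    nets = [ipaddress.ip_network(n, strict=False) for n in networks]
    shortest = min(n.prefixlen for n in nets)
    first = int(nets[0].network_address)
    length = 0
    while length < shortest:
        shift = nets[0].max_prefixlen - (length + 1)   # test one more bit
        if all(int(n.network_address) >> shift == first >> shift for n in nets):
            length += 1
        else:
            break
    return length

def summarize(networks):
    """Return the summary as 'network/len' plus its dotted-decimal mask:
    the common bits are kept and the remaining host bits zeroed."""
    length = common_prefix_length(networks)
    base = ipaddress.ip_network(networks[0], strict=False).network_address
    summary = ipaddress.ip_network((str(base), length), strict=False)
    return str(summary), str(summary.netmask)

def uncovered_subnets(summary, advertised, subnet_len=24):
    """The talk's warning: every subnet_len block inside the summary that is
    NOT one of the routes you meant to cover. If such a block exists elsewhere
    in the network, its more specific route still wins, but it is the case to
    look for before you configure 'area range' or 'summary-address'."""
    summ = ipaddress.ip_network(summary)
    wanted = {ipaddress.ip_network(a, strict=False) for a in advertised}
    return [str(s) for s in summ.subnets(new_prefix=subnet_len) if s not in wanted]

# The four networks from the talk.
FOUR = ["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]
# The talk's "zero, one and three but not two" case.
THREE = ["192.168.0.0/24", "192.168.1.0/24", "192.168.3.0/24"]

if __name__ == "__main__":
    net, mask = summarize(FOUR)
    print("summary:", net, "mask:", mask)           # 192.168.0.0/22 255.255.252.0
    print("not intended but covered:", uncovered_subnets(net, THREE))
```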
Note that I have a bunch of loopbacks on R3, and they can all be summarized just like we did before with a /22 subnet mask, which we will advertise as 172.18.0.0/22. That is going to summarize all the loopbacks on R3. On R2, we can summarize all the loopbacks with 172.17.0.0/22. So let's see how to do it. Let's go back to our live interface again, and I'm ready. I need to move to my other topology right now because I didn't have all those loopbacks in my old topology, so I'm on a different set of three routers. What we want to do is take a look at a couple of ways to summarize these routes: one way is when the routes come from another autonomous system, the other, as we said, is when we go between different OSPF areas. So let's say I want to summarize those 172.18 networks; those are the loopback interfaces of R3, they are currently in EIGRP and they are being redistributed into OSPF. After we do that, we'll summarize the 172.17 networks, which are the loopback interfaces of R2, and we'll summarize them as they enter area 0. So let's start on R1 and see what we have now.
I'll do a show ip route and we should see all of those routes individually. Yes, I have all of these 172.17 networks and I have all of these 172.18 networks. Okay, let's fix that. We can see that these 172.17 networks all have this IA code, which means they are coming from a different area. If we look at all the 172.18 networks, they have an E2 code; E2 means OSPF external type 2. That means they come from another autonomous system, not from another area. By the way, this is a redistribution topic, so I won't go into that today; we cover it, maybe even a little bit in repetition, but definitely in the ENARSI class. There is another one called type 1, or rather external type E1.
I'm just telling you now that I'm a big fan of E1 instead of E2. I like to always change it to E1 because I think it gives a more accurate cost calculation, but I don't want to talk about that; we'll save it for the ENARSI class. But first, on R3, let's summarize all those loopbacks that live in EIGRP. We'll do that first, so I'll go into router ospf 1 configuration mode and I will say summary-address, with a hyphen. Now, this wouldn't work between areas; the summary-address command is for between autonomous systems.
I'm going to give the summary address of 172.18.0.0 with a 22-bit subnet mask, which is 255.255.252.0, and that's it, we're done. So what we're doing is saying we want to summarize the networks that fall within that address space as just 172.18.0.0/22. Now here's a question a lot of people have, or not a lot of people, but when you're doing CCIE labbing and you're trying to do some pretty creative things, you might say, well, I really want to advertise that network, so I'll just say advertise it. That won't do it: it will only be advertised if there is at least one subordinate route that falls within that address space, so if we didn't have any route actually living in it, it wouldn't be advertised.
Did it work? I don't know, let's go back to R1 and see. Let's do a show ip route. Do I still have all those 172.18 networks? No, I have a summary of that, 172.18.0.0/22. I don't have to look at those four individual networks anymore, so we've had success as we move from one autonomous system into another. What happens within an area? Let's go to R2 right now and summarize all those 172.17 networks. Again, pretty simple setup: I'll say router ospf 1, then area 1. By the way, I say area 1, and this is sometimes confusing. You might say, "Well, am I specifying the area I'm going to or the area these addresses currently live in?"
You are specifying the area they currently live in, which is area 1. I'll say area 1 range 172.17.0.0 255.255.252.0. Oh, I should point something out here: if I use context-sensitive help, you don't have to do this, but you can specify an OSPF cost. I simply pressed Enter to have it do the
love the new naming system they've given us there? Scroll down to, uh oh, we have a type 8. You see we have type 8 LSAs; these type 8 LSAs give us information about the IPv6 addresses on a link, which includes link-local addresses, as we talked about earlier. Let's see this one. Although it does not say type 9, these are type 9 LSAs, intra-area prefix LSAs; this one contains prefixes for stub and transit networks, and this information is only sent within an area. Let's take a look at our IPv6 routes. I will say show ipv6 route.
Notice that some of these have the OI flag, which is OSPF inter-area. We still see that we learned one within our area, which is our R2 loopback interface. So instead of just looking at the IPv4 routing table, we just say show ipv6 route. Okay, that's the traditional way of doing it. Now let's use a new and improved version. It's called the address family approach, and to demonstrate it I need to undo what we just did. I need to remove our traditional setup, so let me do that real quick. I'll go to router R1 and say no router ospf 1, no, actually no ipv6 router ospf 1. Okay, I got rid of OSPF on that router. Let's do it for R2: I will say no router ospf 1, no ipv6 router ospf 1, and we are there. One more: we will say no router ospf 1 and no ipv6 router ospf 1.
Okay, now let's set it up the new way. You would still have to go in and say ipv6 unicast-routing; that just enables IPv6 routing, period, but we've already done that, so we're not going to get rid of it. Now let's set up the address family approach; I think you're going to like this. I'm going to say router, with different syntax here: I am not saying ipv6 router, I am saying router ospfv3, for version 3, and I give a process ID. Here I can give a bunch of commands. For example, let's just give the router ID: I will say router-id 18.104.22.168, actually I'm on R3, so 22.214.171.124 will be my router ID now, and it will apply to both IPv4 and IPv6.
I have a passive interface, right? I could say passive-interface, uh, let's see, gig 0/2 could be passive, so I'll say passive-interface gig 0/2. Now let's create those address families. I'll say address-family ipv4, and I also want to set up an address family for IPv6, so address-family ipv6. Now I just need to go to those interfaces, because I already said, hey, I want you to do IPv4 routing and, hey, I want you to do IPv6 routing. Now let's go to the interfaces and say, yes, I want to belong to both.
Let's go to interface gig 0/1 and I'll say ospfv3. See the different syntax: process ID 1, for the ipv4 address family I want to belong to area 1, and for the ipv6 address family I also want to belong to area 1. For interface gig 0/2, the same: I want to belong to area 1 for both address families. The same for interface loopback 0: I want to belong to both address families. Let's configure router R2 now. On router R2 I will say router ospfv3, process ID 1, and the router-id is 126.96.36.199, which is inherited by the address families. By the way, if I go into an address family, say for IPv4, what if I said at that point...
Oh, I really want the router ID to be 188.8.131.52. Which one wins? I have conflicting information. The most specific configuration wins, so the IPv4 address family would override what I configured globally for both address families. There is no passive interface here, so just create the address families: I will say address-family ipv4, address-family ipv6, and then we go straight to the interfaces and say I want it to belong to both: ospfv3 process ID 1, ipv4 address family, you belong to area 0. I want to make sure that's right, it's gig 0/1, yeah, that looks good, and the same for ipv6.
Same thing, let's go to the gig 0/2 interface; these will belong to area 1, and our loopback interface will also belong to area 1, and we're done with R2. Just one router missing now. On router R1 we will say router ospfv3, process ID 1, and I will say the router-id is 184.108.40.206. I have a couple of passive interfaces, gig 0/1 and my loopback interface, uh oh, typo. Now let's go to the interfaces and say I want you to belong to those address families: interface gig 0/1 is going to be ospfv3 process ID 1, for address family ipv4 area 0, and for the ipv6 address family area 0. Gig 0/2 the same, the same address families, belonging to area 1. One more to go: interface loopback 0, ospfv3 process ID 1, ipv4 address family, ipv6 address family, and once again we are done with our setup. It worked a little bit differently, didn't it?
We could configure passive interfaces just once and they would be inherited down to our address families. The verification commands are also a little different. Let me go to router R3 again and do show ospfv3 neighbor: instead of saying show ipv6 ospf neighbor, it's show ospfv3 neighbor, and notice it shows me my neighbor for IPv4 and my neighbor for IPv6. Let's take a look at the database: show ospfv3 database to see our link-state database, and here we see our link-state database for IPv4. Notice that although we are talking about IPv4, because it is OSPFv3 they still do not call the type 3 LSAs summary LSAs; they use the much improved name, inter-area prefix. I love that. Oh, let's see the routes. Can I say show ipv6 route? Can I see the entire network?
Yeah, sure, that all looks good. Anything else? No, I think that's enough configuration commands, or enough verification commands, and I have just one more demo for you before we wrap up today, and that is authentication. We'll stay here in the live interface and use the same topology, but we're going to build on this OSPFv3 configuration. Now, we can configure authentication with OSPFv2 or OSPFv3, but OSPFv3 gives us improved security, so I thought I would show you the way to do it in OSPFv3; it is very similar either way. Here's the deal: when we configure OSPF authentication, we can configure it only between two routers, like between R2 and R3, and I will do that, or we could configure it for an entire area, like area 0, and I will do that too. But to start, let's go to R2 and configure the authentication between R2 and R3, right on that link. Again, what we're trying to prevent is some rogue actor coming in and connecting their rogue router to the network somehow. Wow, Alexa just started talking to me for no apparent reason. I'm not sure what I said to activate that, but what was I saying?
Oh yes, we have the link between R2 and R3 and we are trying to prevent someone from adding their own router, forming neighborships and corrupting our OSPF database, so in an enterprise environment doing authentication is really a good practice. This is how we do it. I'm going to go to interface gig 0/2 because that's the link I'm going to authenticate over, and I'm going to say ospfv3 authentication. Now I have options. I might say I don't want to do authentication at all; I can say null. I can use a key chain, which is something you sometimes see with EIGRP authentication, where you can have different keys with different lifetimes: a key will not be valid forever, it will roll over to a different key with a different start and end date.
You could do all of that here. I love IPsec, though, so I'm going to use IPsec, IP Security. I'm going to say ipsec, and it says you need to give me a security parameter index. What is that? Well, that's just a number that identifies the parameters we're using, like what type of hash we're using; it has to match on the other end. Basically I'll just say it's 1, and it'll just have to be 1 on the other side. Uh, it's not really 1; I think it has to be in increments of something. Oh yeah, it has to start at 256.
I knew something was different with that. Yeah, let's start at 256, and then I'll say I want to use SHA-1 as the hash, and I'm going to put in a hexadecimal string, 40 characters, as my SHA-1 key. Now this is not going to be a key that I would like you to use in production, but just to make sure I type it correctly on both sides, it should have 40 characters, so what I'm going to do is type zero to nine four times. Are you ready for this? I'm going to say 0123456789, let's do it again, 0123456789, halfway, 0123456789, one more time, 0123456789. I hope I got this right, and we'll do the same on the other side in a moment. I added that big string, and once I'm done on R2, let's add a matching string on R3.
On R3 I'm going to go to the other end of this link, interface gig 0/1, and say ospfv3 authentication. I am using IPsec. I'll give the same SPI of 256, and my SHA-1 key will be 0123456789012345678901234567890123456789, uh, one, two, three, four, I think that's correct. I'll enter that, and let's confirm that we are still neighbors with R2. I'll say show ospfv3 neighbor and see if I'm still a neighbor. Yes, that's great. I can say show ipv6 ospf interface gig 0/1 and see if it tells us anything about authentication there. I thought it might; I wasn't sure it includes authentication. Yeah, it says we're doing SHA-1 authentication, my SPI is 256, and we're good to go. Here's how we can check it. Now let's take a look.
This will be our final demonstration of the day. Let's see how we can configure authentication within an area. We will do it inside area 0, so I will go to R1. Actually, I will start on R2. On R2, I will say router ospfv3 1, and I want to apply authentication, so I will go into router configuration mode, not interface configuration mode this time, because this is for the entire area. I'm going to say for area 0 I want to configure authentication. My SPI has to be different, it has to be unique, it can't be 256, so I will make it 512, and my SHA-1 key is, you guessed it, 0123456789 repeated four times. Oh, what did I do? That was hard. Okay, I had a typo; what was it? I said authentication, oh, I forgot to say ipsec, my bad, let me fix that: authentication ipsec, here we go. Let's do the same command on R1, the only other area 0 member: I'll say router ospfv3, process ID 1, area 0 authentication ipsec.
I remember saying this time my SPI is 512, I think, and my SHA-1 key is 0123456789 four times. Okay, let's press Enter. Hopefully I got it right. Let's see if I did: do I still have a neighborship with R2? Let's do a show ospfv3 1 neighbor. Yes, I'm still a neighbor. Am I doing authentication? Let's confirm that I am doing authentication.
I'm going to say show ipv... actually, let's go to R2 because it has a couple of different authentications. I'll say show ipv6 ospf interface | include authentication. Yeah, and we see here's our authentication for that link and here's our authentication for the area. Now everything looks good; it says we're doing authentication, but how do we really know? I mean, come on, can you show me that we're actually doing encryption? Yes, we can test it because we are using IPsec. Here is a command: show crypto ipsec sa, ah, if I could spell it that would be very helpful: show crypto ipsec sa interface gig 0/1, and it says the number of packets that have been encrypted and the number of packets that have been decrypted. My friends, that gives me the assurance that we really are doing authentication within that area.
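The authentication demo leans on three rules: the SPI must be at least 256 and unique per link or area, the SHA-1 key must be 40 hex characters, and both ends must agree on SPI and key or the hello is dropped. The following is an added example, not the webcast's configuration: it models those checks in Python, with an HMAC-SHA1-96 integrity value standing in for the IPsec AH check (the real AH header layout is not reproduced), and shows a constructed rogue router with a different key failing to authenticate.

```python
import hashlib
import hmac

# Added example (not from the webcast): a model of the OSPFv3 IPsec
# authentication rules shown in the demo. HMAC-SHA1 truncated to 96 bits
# stands in for the AH integrity check value; the AH wire format itself
# is not reproduced here.

SHA1_KEY_HEX_LEN = 40   # 20-byte SHA-1 key, as the talk notes
MIN_SPI = 256           # the demo found that an SPI below 256 is rejected
MAX_SPI = 0xFFFFFFFF    # SPI is a 32-bit field

def config_error(spi, key_hex):
    """Return a message for a bad 'ospfv3 authentication ipsec spi <spi>
    sha1 <key>' line, or None when it is acceptable."""
    if not MIN_SPI <= spi <= MAX_SPI:
        return "spi must be between %d and %d" % (MIN_SPI, MAX_SPI)
    if len(key_hex) != SHA1_KEY_HEX_LEN:
        return "sha1 key must be %d hex characters" % SHA1_KEY_HEX_LEN
    try:
        bytes.fromhex(key_hex)
    except ValueError:
        return "sha1 key must be hexadecimal"
    return None

def make_auth(spi, key_hex):
    """Parsed authentication parameters for one interface or area."""
    err = config_error(spi, key_hex)
    if err:
        raise ValueError(err)
    return {"spi": spi, "key": bytes.fromhex(key_hex)}

def sign(auth, packet):
    """Integrity value: HMAC-SHA1 over SPI + packet, truncated to 96 bits."""
    mac = hmac.new(auth["key"], auth["spi"].to_bytes(4, "big") + packet,
                   hashlib.sha1)
    return mac.digest()[:12]

def verify(auth, packet, icv):
    """Receiver-side check; constant-time compare of the integrity value."""
    return hmac.compare_digest(sign(auth, packet), icv)

def spis_unique(auths):
    """The rule from the area demo: link SPI and area SPI must differ."""
    spis = [a["spi"] for a in auths]
    return len(spis) == len(set(spis))

# The demo key (0..9 typed four times): fine for a lab, not for production.
LAB_KEY = "0123456789" * 4
# Constructed hello-like payload; the real packet is an OSPFv3 hello.
HELLO = b"OSPFv3 hello from R3 area 0 (constructed sample)"

def demo():
    """Matching ends authenticate; a rogue key or a modified packet fails."""
    r2 = make_auth(256, LAB_KEY)
    r3 = make_auth(256, LAB_KEY)
    rogue = make_auth(256, "f" * 40)            # constructed wrong key
    icv = sign(r3, HELLO)
    return {
        "r2_accepts_r3": verify(r2, HELLO, icv),
        "r2_accepts_rogue": verify(r2, HELLO, sign(rogue, HELLO)),
        "r2_accepts_tampered": verify(r2, HELLO + b"!", icv),
        "link_and_area_spis_unique": spis_unique([r2, make_auth(512, LAB_KEY)]),
    }

if __name__ == "__main__":
    print("spi 1 ->", config_error(1, LAB_KEY))
    print(demo())
```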
I hope you enjoyed the demo and let me click on these slides because we stayed live through all of that and that will conclude part three of our session today.