Posts Tagged ‘ospf’

Multiple Area OSPF Networks on Cisco – Part 2 of 2

Friday, January 30th, 2009

Had a nice week everyone? I’ve been writing a lot and working a lot, but anyways here is part 2 of 2!

Link State Database / Topology Table
What's that, you may ask (perhaps only because I forgot to mention it in the previous article)? It is a database describing how the routers 'see' the network topology (the link states); all the routers in an AS will have a copy of this table.
This table changes as the network topology changes, for example when a prefix is moved or an interface goes down.

VLSM
At some point this week I realized that I should probably mention that OSPF supports VLSM (Variable Length Subnet Masks). Why some people still stick to routing protocols that do not support VLSM is way beyond my understanding.

LSAs and LSA Types
There are 7 types of LSA (link state advertisements) in OSPF:

  1. Router link advertisements, generated by every router and flooded only within a single area.
  2. Network link advertisements, generated by the DRs and flooded throughout the network. They describe the set of routers connected to a network.
  3. Type 3 LSAs are summary link advertisements. They are generated by area border routers and describe inter-area routes. Generating a quad-zero (default) route with the default-information originate command also generates a type 3 LSA.
  4. Type 3 and type 4 are very often described together; a type 4 LSA describes the route to an ASBR.
  5. Type 5 LSAs are generated by the ASBR and describe routes redistributed into OSPF from other autonomous systems or routing protocols. They show up in the routing table flagged O E1 or O E2 (external type 1 or 2) and are flooded to all areas except stub areas.
  6. Group membership LSAs are generated by multicast OSPF routers.
  7. Type 7 LSAs are generated by ASBRs and flooded only within not-so-stubby areas. External routes injected into an NSSA rather than into backbone area 0 are carried as type 7 LSAs, which the area border router converts to type 5 before injecting them into the backbone area.

Route summarization
My feeling is that at least once (a day?) in every network administrator's life they wish the routing table was smaller and held fewer prefixes, but what can we do?

We can use route summarization to make the ABR summarize all routes in an area into a single prefix.

The configuration is as follows:

Router(config-router)# network 10.0.0.0 0.0.0.255 area 0
Router(config-router)# network 10.0.1.0 0.0.0.255 area 1
Router(config-router)# area 0 range 10.0.0.0 255.255.255.0
Router(config-router)# area 1 range 10.0.1.0 255.255.255.0

This router will act as an area border router (ABR) between area 0 and area 1. The area <area-id> range command tells the router to summarize all routes in that area into the given summary address before advertising them into another area.

Multiarea OSPF Configuration on Cisco IOS

The scenario is four routers, preconfigured with IP addresses and daisy chained:
R1: Area 0
R2: Area 0
R3: Area 0 and area 1
R4: Area 1

Area 0 = 10.0.0.0/24
Area 1 = 10.0.1.0/24

We will use route summarization.

To put R3 in both area 0 and area 1, let us say we use /30 ranges for the links between the routers:

R3(config-router)#network 10.0.0.0 0.0.0.3 area 0
R3(config-router)#network 10.0.1.0 0.0.0.3 area 1
R3(config-router)#area 0 range 10.0.0.0 255.255.255.0
R3(config-router)#area 1 range 10.0.1.0 255.255.255.0

Configure all the other routers as usual, but put R4 in area 1 only.
I configured all routers to redistribute connected and static subnets.

To verify, check that R1 now sees area 1 as 10.0.1.0/24 instead of 10.0.1.0/30:

R1#sh ip route
Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.0.0.0/30 is directly connected, FastEthernet0/0
O IA 10.0.1.0/24 [110/2] via 10.0.0.2, 00:01:56, FastEthernet0/0

There you go!
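As an added example (not from the article), here is a small Python check of the area range logic used above: it parses R3's network and area range statements, computes the smallest summary that would cover an area's links, and flags a range that misses a link or overlaps another area's range. The second configuration is constructed only to show the failure cases.

```python
import ipaddress
import re

# R3's OSPF statements from the article, and a constructed bad configuration
# to exercise the checks (the second one is not from the article).
R3_CONFIG = """
network 10.0.0.0 0.0.0.3 area 0
network 10.0.1.0 0.0.0.3 area 1
area 0 range 10.0.0.0 255.255.255.0
area 1 range 10.0.1.0 255.255.255.0
"""
BAD_CONFIG = """
network 10.0.1.0 0.0.0.3 area 1
network 10.0.2.0 0.0.0.3 area 1
area 1 range 10.0.1.0 255.255.255.0
area 0 range 10.0.0.0 255.255.0.0
"""

def parse_ospf(config):
    """Return ({area: [link networks]}, {area: range}). ipaddress accepts
    both the wildcard of a 'network' line and the netmask of 'area range'."""
    networks, ranges = {}, {}
    for line in config.strip().splitlines():
        m = re.match(r"network (\S+) (\S+) area (\d+)", line)
        if m:
            networks.setdefault(m[3], []).append(ipaddress.ip_network(f"{m[1]}/{m[2]}"))
            continue
        m = re.match(r"area (\d+) range (\S+) (\S+)", line)
        if m:
            ranges[m[1]] = ipaddress.ip_network(f"{m[2]}/{m[3]}")
    return networks, ranges

def smallest_summary(prefixes):
    """Smallest single prefix covering all of them: the tightest 'area range'."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()      # widen by one bit at a time
    return str(summary)

def check_ranges(config):
    """Per area: (range, links the range does not cover, other areas whose
    range it overlaps). A range that overlaps another area's range attracts
    traffic for prefixes this ABR cannot reach, i.e. it blackholes them."""
    networks, ranges = parse_ospf(config)
    report = {}
    for area, rng in ranges.items():
        uncovered = [str(n) for n in networks.get(area, []) if not n.subnet_of(rng)]
        clashes = [a for a, r in ranges.items() if a != area and r.overlaps(rng)]
        report[area] = (str(rng), uncovered, clashes)
    return report
```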

Multiple Area OSPF Networks on Cisco – Part 1 of 2

Sunday, January 18th, 2009

Multi-area OSPF networks are widely used; in this article I am going to show some of the logic behind them. I will write a series of all of 2 (yey!) posts about multiple area OSPF over the next couple of weeks. Stay tuned!

A single area can be considered a subset of a larger autonomous system.

What are the benefits of splitting a network up into multiple areas?

You can address situations like these:

  1. Every time a route flaps, it triggers shortest-path-first calculations on all routers in that area.
    This causes high CPU utilization that could be spent on something more productive.
  2. The routing table is getting too large, and equipment that can handle fewer IPv4 routes will have trouble operating.
  3. The link-state topology table (we will get back to this) is getting unmanageable.

Terms and definitions
There are some terms and definitions that you should know:

  1. Backbone area / transit area / area 0
    This refers to the area with area id 0: the group of routers acting as the main path for traffic between OSPF areas.
  2. ABR
    Area Border Router. Technically, a router that is connected to area 0 and at least one other area, and therefore maintains two link-state databases, is considered an ABR.
  3. ASBR
    Autonomous System Border Router, a router that sits between the OSPF network and a network running another routing protocol, for example BGP or IGRP.
  4. IR
    Internal router, a router with all of its interfaces connected to a single area.

You should be familiar with terms like LSU, LSA and the different types.

This IMPORTANT rule applies to multi-area OSPF networks:
All areas need to be connected to area 0. If it is impossible to physically connect an area directly to area 0, you can use a virtual link to create a logical path for traffic from that area to reach the backbone area.

Different area types

  1. Standard/normal area
    A default route (0/0) is generally not generated by routers in a normal area, but it can be forced with this command under router ospf:

    Router(config-router)# default-information originate always

    Normal areas (like in single area setups) can receive external route information, link updates and route summaries.

  2. Stub area
    While stub areas can’t receive external routes, they can receive inter-area routes, intra-area routes and default routes.

  3. Totally stubby area
    This area receives neither summary routes from other areas nor external routes. To reach networks outside the area it always uses the default route (0/0).
  4. Not So Stubby Area (NSSA)
    This is a stub area which can still receive some external routes from outside the AS.
    Such routes reach it as type 7 LSAs.

  5. Backbone area
    ...or "transit area", always has area id 0. Every other area must have a link to area 0, either physically or via a logical 'virtual link'.
That was the area types; they are defined under the router ospf configuration.

Every 30 minutes all OSPF routers flood the area with so-called LSUs (link state updates), just to make sure that every router in the area agrees on the link-state database. These LSUs are received by the other routers and flooded across the area until all routers agree on the current link-state database.

Network events and LSA flooding
When an event happens, for example an interface going down, the router sends an LSA (carried in an LSU packet) to 224.0.0.6, the multicast address for the DR and BDR. They in turn flood this packet out of all their active interfaces to 224.0.0.5, the multicast address that all OSPF routers listen on, and those routers do the same until the network agrees on the topology and is said to be 'converged'.

In my next post I will cover the configuration, route summarization and LSA types.

Have a nice OSPF Sunday!

5 Tips to Securing a Cisco Network

Monday, October 27th, 2008

Some things you can't do anything about, but you should still take security seriously.

1. Reverse Path Forwarding
When you enable unicast Reverse Path Forwarding (RPF) on an interface, the router looks up the source address of each packet received on that interface in the FIB (CEF table) and checks that the path back to that source leaves via the same interface; packets that fail the check are dropped. This blocks packets with spoofed source addresses. Note that this strict check also drops legitimate traffic where routing is asymmetric, so verify the return paths before enabling it.

Reverse path forwarding is configured like this:

Router#configure terminal
Router(config)#interface GigabitEthernet 2/1
Router(config-if)#ip verify unicast reverse-path
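A small Python model of the check, added here as an illustration and not Cisco code: it does a longest-prefix lookup in a constructed FIB and applies the strict uRPF rule to (source, ingress interface) pairs. GigabitEthernet2/1 is the interface from the configuration above; the other interfaces, the prefixes and the allow_default option are assumptions of the example.

```python
import ipaddress

# Constructed FIB for the example, as 'show ip cef' would list it:
# prefix -> egress interface. GigabitEthernet2/1 is the interface from the
# configuration above; the other interface names are assumed.
FIB = {
    "0.0.0.0/0": "GigabitEthernet2/1",        # default route towards upstream
    "10.0.0.0/24": "GigabitEthernet2/2",      # internal LAN
    "192.168.5.0/24": "GigabitEthernet2/3",   # second internal segment
}

def fib_lookup(address):
    """Longest-prefix match, the same decision CEF makes when forwarding.
    Returns (matching network, egress interface) or None."""
    addr = ipaddress.ip_address(address)
    matches = [(ipaddress.ip_network(p), ifname) for p, ifname in FIB.items()
               if addr in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen) if matches else None

def strict_urpf(source, ingress_if, allow_default=False):
    """Strict uRPF, as enabled by 'ip verify unicast reverse-path': the packet
    passes only if the best route back to its source leaves via the interface
    it arrived on. IOS does not accept a match on the default route unless
    configured to (the allow-default keyword); allow_default models that.
    Returns (accepted, reason)."""
    hit = fib_lookup(source)
    if hit is None:
        return False, "no route to source"
    net, back_if = hit
    if net.prefixlen == 0 and not allow_default:
        return False, "source matched only the default route"
    if back_if != ingress_if:
        return False, f"route to source is via {back_if}, not {ingress_if}"
    return True, f"source reachable via {ingress_if}"

def filter_packets(packets, allow_default=False):
    """Apply the check to (source, ingress interface) pairs and return the
    sources that would be dropped, e.g. to compare with drop counters."""
    return [src for src, ifname in packets
            if not strict_urpf(src, ifname, allow_default)[0]]
```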

2. Silence that port
A lot of networks leak information about their infrastructure on their switchports. A port facing a host should be as silent as possible:

Switch#configure terminal
Switch(config)#interface GigabitEthernet0/16
Switch(config-if)#no cdp enable
Switch(config-if)#spanning-tree bpdufilter enable
Switch(config-if)#no keepalive

This will suppress CDP (Cisco Discovery Protocol), spanning-tree BPDUs and Ethernet keepalives on that interface. Be aware that bpdufilter also makes the port ignore incoming BPDUs, so a switch plugged into it will not be detected by spanning tree; on host-facing ports, spanning-tree bpduguard enable, which err-disables the port when a BPDU arrives, is the safer choice. In my last post I wrote a little about storm control and port security.

3. Configure AAA and ACLs for secure VTY access
VTY lines carry, for example, the telnet connections on Cisco devices. To control who should be able to access your switch via telnet, do this:

Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#access-list 80 permit 10.0.0.0 0.0.0.255
Switch(config)#access-list 80 permit 192.168.0.0 0.0.255.255
Switch(config)#line vty 0 15
Switch(config-line)#access-class 80 in
Switch(config-line)#end
Switch#

This limits VTY access to 10.0.0.0/24 and 192.168.0.0/16 (the masks in the access-list are Cisco wildcard masks). Trouble figuring them out? Try the wildcard cheat.
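To make the wildcard semantics concrete, here is an added Python model (not Cisco code) of how a standard access-list is evaluated on a VTY line: it applies IOS wildcard matching bit by bit, converts a contiguous wildcard to prefix notation, and walks the list first-match-wins with the implicit deny at the end. The access-list text is a copy of the one above.

```python
import ipaddress

# The VTY access-list from the configuration above (constructed copy).
ACL_80 = """
access-list 80 permit 10.0.0.0 0.0.0.255
access-list 80 permit 192.168.0.0 0.0.255.255
"""

def ip_int(address):
    return int(ipaddress.IPv4Address(address))

def wildcard_match(address, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care',
    so only the bits where the wildcard is 0 have to equal the base."""
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return (ip_int(address) & care) == (ip_int(base) & care)

def wildcard_to_cidr(base, wildcard):
    """Prefix notation for a contiguous wildcard, or None when the wildcard
    is non-contiguous (IOS accepts those, but they have no CIDR form)."""
    w = ip_int(wildcard)
    if (w + 1) & w:                      # not of the form 0...01...1
        return None
    prefixlen = 32 - w.bit_length()
    net = ip_int(base) & ~w & 0xFFFFFFFF
    return str(ipaddress.ip_network((net, prefixlen)))

def parse_acl(config):
    """Ordered [(action, base, wildcard)] from standard access-list lines,
    including the 'host' and 'any' shorthands."""
    entries = []
    for line in config.strip().splitlines():
        p = line.split()
        if p[0] != "access-list":
            continue
        if p[3] == "host":
            entries.append((p[2], p[4], "0.0.0.0"))
        elif p[3] == "any":
            entries.append((p[2], "0.0.0.0", "255.255.255.255"))
        else:
            entries.append((p[2], p[3], p[4]))
    return entries

def access_class_permits(acl, source):
    """Evaluate the list the way 'access-class 80 in' does on a VTY line:
    first matching entry wins, and a source matching nothing is denied."""
    for action, base, wildcard in acl:
        if wildcard_match(source, base, wildcard):
            return action == "permit"
    return False
```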

If you want separate user accounts (user names will show up in the logs) instead of the plain line password prompt, you can configure AAA like this:

Switch#configure terminal
Switch(config)#username cisco secret mypassword
Switch(config)#aaa new-model
Switch(config)#aaa authentication login default local
Switch(config)#line vty 0 15
Switch(config-line)#login authentication default
Switch(config-line)#^Z
Switch#

4. Encrypt passwords in Configuration
Do you see this in your configuration?

Switch#show run | include ^username
username admin password 0 mysecret

To enable encryption of passwords, just configure:

Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#service password-encryption
Switch(config)#end
*Mar 4 10:21:10.343: %SYS-5-CONFIG_I: Configured from console by console
Switch#show run | include ^username
username admin password 7 060B1632494D1B1C11

This gives Cisco type 7 encryption (which, I am sorry to say, is very crackable), but it is at least something.
I like to use 'secret' instead of 'password', which gives MD5 passwords in the configuration file. I am not sure of the difference, but it seems to give me what I want.

5. More secure routing protocols with passive-interface default
A passive interface is an interface which neither sends nor receives routing information. passive-interface default is supported by all routing protocols and is quickly configured:

router <routing-protocol>
passive-interface default
no passive-interface <interface>

passive-interface default makes all interfaces passive, and no passive-interface re-enables one interface. A more realistic configuration example follows:

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#router ospf 1
Router(config-router)#passive-interface default
Router(config-router)#no passive-interface fastEthernet 0/2
Router(config-router)#^Z
Router#
*Mar 4 10:36:17.931: %SYS-5-CONFIG_I: Configured from console by console

This ensures that OSPF traffic is only exchanged on fastEthernet 0/2.

Route overlaps, it’s dangerous!

Sunday, September 14th, 2008

Just wanted to tell you that I added a new page: an IP subnet calculator tool.

It works with IPv4 and IPv6 addresses; just remember to add the prefix length at the end (/24 for a 255.255.255.0 mask).

The danger with dynamic routing is the possibility of route overlaps. By this I mean having the same (or an overlapping) subnet defined on two routers that both announce it in a dynamic routing protocol such as OSPF.

Let us say you have configured a customer as 10.0.0.48/28 and they use 10.0.0.49 and 10.0.0.50.

Then you get a new customer and configure, for example, a new subnet 10.0.0.48/30, which is a more specific route (CIDR-wise).

Because routers prefer the most specific route, traffic for 10.0.0.49 and 10.0.0.50 now follows the new /30, and you may end up effectively blackholing the old customer's traffic. This is something to watch out for.

Use my IP subnet calculator tool to be sure not to overlap networks!
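As an added example (not the calculator tool itself), the Python below checks a set of announced prefixes for overlaps and shows which hosts of the old customer are captured by the more specific route through longest-prefix matching. The table of announcements and the router names are constructed for the example.

```python
import ipaddress

# Constructed table of prefixes announced into OSPF and by which router
# (router names assumed): the two customers from the example above.
ANNOUNCED = {
    "10.0.0.48/28": "old-customer-router",
    "10.0.0.48/30": "new-customer-router",
}

def find_overlaps(announced):
    """Pairs of announced prefixes that overlap, whichever router sends them.
    Works for IPv4 and IPv6 (prefixes of different families never overlap)."""
    nets = [ipaddress.ip_network(p) for p in announced]
    return [(str(a), str(b)) for i, a in enumerate(nets)
            for b in nets[i + 1:] if a.overlaps(b)]

def forwarding_decision(announced, destination):
    """Longest-prefix match: the most specific announced prefix wins,
    regardless of which router announced it or which one was there first."""
    addr = ipaddress.ip_address(destination)
    best = None
    for prefix, router in announced.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, router)
    return (str(best[0]), best[1]) if best else None

def captured_hosts(announced, victim_prefix):
    """Hosts of victim_prefix whose traffic no longer reaches the router
    that announces victim_prefix, because a more specific prefix exists."""
    owner = announced[victim_prefix]
    return [str(h) for h in ipaddress.ip_network(victim_prefix).hosts()
            if forwarding_decision(announced, str(h))[1] != owner]
```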

Configuring Cisco redistribution of OSPF to BGP with community filtering route-map

Tuesday, September 9th, 2008

I was wondering about something to write about, and I hope this is an interesting subject.
If there is anything you want me to write about, or something you wonder about or think I am mistaken about, please don't be shy. Just use the comment box! :-)

Quick overview:

Router1
ASN: 1
Prefix from OSPF: 192.168.0.0/24
IP for BGP: 172.16.1.1/24

Router2
ASN: 2
IP for BGP: 172.16.1.200/24

Verify the OSPF route:
Router1#sh ip route | include ^O
O E2 192.168.0.0/24 [110/20] via 10.0.10.2, 00:02:10, FastEthernet0/0

Redistribute the OSPF route into the BGP table with a community
I created a prefix-list to match the prefixes in the route-map:
ip prefix-list ourPrefixes seq 5 permit 192.168.0.0/24

Then I created the route-map that matches this prefix-list and sets the community 1:150 (65686 in plain decimal form):
route-map ospfTag permit 10
match ip address prefix-list ourPrefixes
set community 65686

Then I redistributed OSPF into BGP with this command (under router bgp, i.e. in config-router mode):
redistribute ospf 1 route-map ospfTag

Then I verified that the prefix is in the BGP table with the right community:
Router1#sh ip bgp 192.168.0.0/24 | i Comm
Community: 65686

Perfect! Now I created a community list for matching the community in a route-map:
ip community-list 1 permit 1:150

As you can see, the router converted the number back to the long decimal format for me:
Router1(config)#do sh run | i community-list
ip community-list 1 permit 65686

Current announcement to Router2:
Router2(config)#do sh ip bgp | i \*\>
*> 10.20.30.0/24    172.16.1.1               0             0 1 ?
*> 192.168.0.0      172.16.1.1               0             0 1 ?

So far, so good! The 10.20.30.0/24 network is added as a twist; it should disappear once the outbound route-map is working. It is my test to see whether things got applied.
Then I created a route-map that matches this community list:
Router1(config)#route-map communityFilter permit 10
Router1(config-route-map)# match community 1

Then I applied the route-map to the BGP peer:
Router1(config-route-map)#router bgp 1
Router1(config-router)#neighbor 172.16.1.200 route-map communityFilter out

Okay, after clearing the peer, do we have one prefix fewer in BGP?
Router2#sh ip bgp | i \*\>
*> 192.168.0.0      172.16.1.1              20             0 1 ?
Router2#

Voila! Please use the comment box if you spot errors; this tutorial was written rather in a jiffy!
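As an added illustration (not IOS code), the Python below does the community conversion the router did above (1:150 to 65686 and back) and models the outbound community filter: a hand-built copy of Router1's BGP table, with the community only on the prefix that matched the ospfTag route-map, is run through the equivalent of match community 1 with the route-map's implicit deny.

```python
# Constructed model of Router1's BGP table and community filtering. Numbers
# and names come from the article; the table itself is built by hand.

def community_to_int(text):
    """'ASN:value' -> the 32-bit number IOS shows without
    'ip bgp-community new-format', e.g. 1:150 -> 65686."""
    asn, value = (int(x) for x in text.split(":"))
    if not (0 <= asn <= 0xFFFF and 0 <= value <= 0xFFFF):
        raise ValueError("a standard community is two 16-bit halves")
    return (asn << 16) | value

def int_to_community(number):
    """The reverse conversion, 65686 -> '1:150'."""
    return f"{number >> 16}:{number & 0xFFFF}"

# prefix -> communities carried. Only the OSPF prefix matched the
# ourPrefixes prefix-list in route-map ospfTag and received 1:150; the
# 10.20.30.0/24 'twist' prefix is in the table but carries no community.
BGP_TABLE = {
    "192.168.0.0/24": {community_to_int("1:150")},
    "10.20.30.0/24": set(),
}

# ip community-list 1 permit 1:150
COMMUNITY_LIST_1 = {community_to_int("1:150")}

def route_map_community_filter(table, community_list):
    """Model of 'route-map communityFilter permit 10 / match community 1'
    applied with 'neighbor ... route-map communityFilter out': a prefix is
    announced only if it carries a community in the list; a route that
    matches no permit clause hits the route-map's implicit deny."""
    return sorted(p for p, comms in table.items() if comms & community_list)
```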