Module 01a - Basic OSPF

8/9/2019 Module 01a - Basic OSPF

http://slidepdf.com/reader/full/module-01a-basic-ospf 1/11

ISP Workshop Lab

Module 1a – Basic Topology and OSPF

Objective: Create a basic physical lab interconnection ith one OSPF !rea" #nsure that allrouters$ inter%aces$ cables and connections are or&ing properly"

Prere'uisites: (noledge o% Cisco router C)*$ previous hands on e+perience"

The following will be the common topology used for the first series of labs.

Figure 1 – *SP )ab Basic Con%iguration

1



Tuesday, anuary !", !#1$

Lab Notes

This workshop is intended to be run on a %ynamips ser&er with the appropriate lab topologies set up.The routers in the %ynamips en&ironment are using ser&ice pro&ider I'S. The configurations andconfiguration principles discussed below will work on all (isco I'S )elease 1!.* onwards. +arlier

(isco I'S releases are not supported but will mostly work using the notes below they will miss someof the features co&ered.

The purpose of this module is to construct the workshop lab and introduce e&eryone to the basic principles of constructing and configuring a network. -n important point to remember, and one thatwill be emphasised time and again through out this workshop, is that there is a distinct seuence to

building an operational network/

-fter the physical design is established, the connections between the hardware should be built and&erified.

0et, the routers should ha&e the base con%iguration installed, and basic but sufficient securityshould be set up.

0et the basic *P connectivity be tested and pro&en. This means assigning IP addresses on all linkswhich are to be used, and testing the links to the neighbouring de&ices.

'nly once one router can see its neighbour does it make sense to start configuring routing protocols. -nd start ith the *,P 2'SP3 is chosen for this workshop4. There is no purpose to building 56P while the chosen I6P 2in this case 'SP34 is not functioning properly. 56P relies on'SP3 to find its neighbours and net hops, and an improperly or non7functioning 'SP3 will resultin much time wasted attempting to debug routing problems.

'nce the I6P is functioning properly, the B,P con%iguration can be started, first internal 56P,then eternal 56P.

-e.e.ber to -TFM" What is )T389 It is critical that ISP 0etwork +ngineers fully utilise allinformation resources. The :1 source is the documentation. Read The F#$% Manual (RTFM) isthe traditional phase used to inform engineers that the answer is in the documentation and go readit.

3inally, docu.entation. %ocumentation is often o&erlooked or forgotten. It is an ongoing processin this workshop. If the instructor asks you to document something, either on the whiteboard in the

class, or at the back of this booklet, it is in your best interests to do so. There can ne&er be toomuch documentation, and documentation at the time of network design and construction canusually sa&es much frustration at a future date or e&ent.

Lab Exercise

!



ISP Workshop Lab

1" -outers and the /or&shops participants" This workshop is laid out such that a group of twostudents will operate a single router. 1* routers generally imply at least !; participants. 3or workshops with larger numbers of participants, groups of three should configure a single router.The Workshop Instructors will di&ide the routers amongst the workshop participants. In thefollowing notes, a <router team= refers to the group assigned to one particular router.

0" -outer ostna.e" +ach router will be named according to the table location, )outer1, )outer!,)outer>, etc. %ocumentation and labs will also refer to Router1 as )1. -t the router prompt, firstgo into enable mode, then enter <config terminal=, or simply <config= by itself/

Router> enable

Router# config terminal

Enter configuration commands, one per line. End with CNTL/.

Router!config"# hostname Router

Router!config"#

2" Turn O%% 3o.ain 4a.e )oo&ups" (isco routers will always try to look up the %0S for any name

or address specified in the command line. ?ou can see this when doing a trace on a router with no%0S ser&er or a %0S ser&er with no in7addr.arpa entries for the IP addresses. We will turn thislookup off for the labs for the time being to speed up traceroutes.

Router !config"# no ip domain$loo%up

5" 3isable Co..and6line 4a.e -esolution" The router by default attempts to use the &arioustransports it supports to resol&e the commands entered into the command line during normal andconfiguration modes. If the commands entered are not part of (isco I'S, the router will attempt touse its other supported transports to interpret the meaning of the name. 3or eample, if thecommand entered is an IP address, the router will automatically try to connect to that remote

destination. This feature is undesirable on an ISP router as it means that typographical errors canresult in connections being attempted to remote systems, or time outs while the router tries to usethe %0S to translate the name, and so on.

Router !config"# line con &

Router !config$line"# transport preferred none

Router !config$line"# line 't( & )

Router !config$line"# transport preferred none

7" 3isable Source -outing" @nless you really belie&e there is a need for it, source routing should bedisabled. This option, enabled by default, allows the router to process packets with source routingheader options. This feature is a well7known security risk as it allows remote sites to send packets

with different source address through the network 2this was useful for troubleshooting networksfrom different locations on the Internet, but in recent years has been widely abused for miscreantacti&ities on the Internet4.

Router !config"# no ip source$route

8" 9serna.es and Passords" -ll router usernames should be isplab and all passwords should belab-PW . Please do not change the username or password to anything else, or lea&e the passwordunconfigured 2access to &ty ports is not possible if no password is set4. It is essential for a smoothoperating lab that all participants ha&e access to all routers.

Router !config"# username isplab secret lab$*+Router !config"# enable secret lab$*+

Router !config"# ser'ice password$encr(ption

>




The service password-encryption directi&e tells the router to encrypt all passwords stored in therouterAs configuration 2apart from enable secret which is already encrypted4.

4ote !/ There is the temptation to simply ha&e a username of cisco and password of cisco as a laBy

solution to the usernameCpassword problem. @nder no circumstances must any ser&ice pro&ider operator e&er use easily guessable passwords as these on their li&e operational network 1.

4ote B/ for I'S releases prior to 1!.>, the usernameCsecret pair is not a&ailable, and operators willha&e to configure usernameCpassword instead. The latter format uses type " encryption, whereas theformer is the slightly more secure md$ based encryption. I'S 1$.1 onwards uses SD-!$E as areplacement for 8%$.

" #nabling login access %or other tea.s" In order to let other teams telnet into your router in futuremodules of this workshop, you need to configure a password for all &irtual terminal lines.

Router !config"# aaa new$model

Router !config"# aaa authentication login default local

Router !config"# aaa authentication enable default enable

This series of commands tells the router to look locally for standard user login 2the username password pair set earlier4, and to the locally configured enable secret for the enable login. 5ydefault, login will be enabled on all &tys for other teams to gain access.

;" Con%igure syste. logging" - &ital part of any Internet operational system is to record logs. Therouter by default will display system logs on the router console. Dowe&er, this is undesirable for Internet operational routers, as the console is a FE## baud connection, and can place a high

processor interrupt load at the time of busy traffic on the network. Dowe&er, the router logs can

also be recorded into a buffer on the router G this takes no interrupt load and it also enables tooperator to check the history of what e&ents happened on the router. In a future module, the lab willconfiguration the router to send the log messages to a S?SL'6 ser&er.

Router !config"# no logging console

Router !config"# logging buffer - debug

which disables console logs and instead records all logs in a ;1F!byte buffer set aside on the router.To see the contents of this internal logging buffer at any time, the command <sh log= should be

used at the command prompt.

<" Save the Con%iguration" With the basic configuration in place, sa&e the configuration. To do this,eit from enable mode by typing <end= or <Hctrl J=, and at the command prompt enter <writememory=.

Router!config"#

Router# write memor(

0uilding configuration...

1234

Router#

It is highly recommended that the configuration is sa&ed uite freuently to 0K)-8, especially inthe workshop en&ironment where it is possible for power cables to become dislodged. If the

1 This sentence cannot be emphasiBed enough. It is uite common for attackers to gain access to networks simply becauseoperators ha&e used familiar or easily guessed passwords.

*



ISP Workshop Lab

configuration is not sa&ed to 0K)-8, any changes made to the running configuration will be lostafter a power cycle.

Log off the router by typing eit, and then log back in again. 0otice how the login seuence haschanged, prompting for a <username= and <password= from the user. 0ote that at each checkpoint

in the workshop, you should sa&e the configuration to memory G remember that powering therouter off will result in it re&erting to the last sa&ed configuration in 0K)-8.

1=" *P !ddresses" This 8odule will introduce the basic concepts of putting together a sensibleaddressing plan for an ISP backbone. We are building one autonomous system out of the 1* routerswe ha&e in the lab. The )I)s are typically handing out IP&* address space in C!# chunks 2dependson which )I) region4 G we assume for the purposes of this lab that our ISP has recei&ed a C!#.)ather than using public address space, we are going to use a portion of 1#C; 2)3(1F1; or pri&ateaddress space4 for this lab. In the real world Internet, we would use public address space for our network infrastructure.

The typical way that ISPs split up their allocated address space is to car&e it into three pieces. 'ne piece is used for assignments to customers, the second piece is used for infrastructure point7to7 point links, and the final piece is used for loopback interface addresses for all their backbonerouters. The schematic in 3igure ! shows what is typically done.

Figure 0 – 3ividing allocated bloc& o% >0= into Custo.er$ *n%rastructure and )oopbac&s

Study the address plan which was handed out as an addendum to this workshop module. 0oticehow the infrastructure addressing starts at 1#.#.1$.# and carries on up to 1#.#.1$."# G this lea&e usroom to grow the network by more point7to7point links, up to 1#.#.1$.!!> in fact. 0otice how weha&e set a side ust a single C!" for the router loopbacks G but we ha&e only used the 1* addressesfrom !*1 up to !$* for our network, lea&ing some spare for future growth 2not that we ha&e futuregrowth planned for the workshop4, an entirely realistic proposition for an ISP backbone. Indeed,ISPs tend to document their addressing plans in flat tet files or in spreadsheets G 3igure > belowshows an etract from a typical eample 2using our addressing scheme here4.

$

1#.#.1$.!!>1#.#.1*.!$$ 1#.#.1$.!!* 1#.#.1$.!$$

Loopbacks(ustomer -ddress Space

1#.#.#.#C!# network block

1#.#.#.# 1#.#.1$.#

0etwork Infrastructure




Figure 2 – #+tract %ro. an *SP addressing plan

11" Bac&6to6Bac& Serial Connections" (onnect the serial connections as in 3igure 1. The %(+ side of a back7to7back serial connection is configured with the clock rate command that dri&es the

serial circuit. 2'lder &ersions of I'S used the clockrate command, now hidden but still functional.4Physically check the cable to see which side is %(+ and which is %T+. 'n some routers, thecommand show controller

<interface> will show %(+C%T+ status. 3or eample, on a

(isco >E!# router, show controllers serial 0/0 will produce a result that will display

whether the cable connected to serial #C# is a %T+ or %(+.

'nce the %T+ and %(+ cables ha&e been determined and the clock rate command has been

applied, configure the IP address 2as per the addressing plan discussed earlier4 and other recommended 5(P commands that are recommended for each ISPAs Interface/

Router!config"# interface serial /&

Router!config$if"# ip address &&..5. 66.66.66.6

Router!config$if"# description 7bps Lin% to Router) 'ia 8TE/8CE 9erial

Router!config$if"# bandwidth &&&

Router!config$if"# cloc% rate &&&&&&

Router!config$if"# no ip redirects

Router!config$if"# no ip directed$broadcast

Router!config$if"# no ip pro:($arpRouter!config$if"# no shutdown

4OT#: The lab instructors will ha&e drawn a large network map on the white7board in theworkshop lab. When the IP addresses are assigned, please annotate them and inform the instructor.-ll the point to point links M9ST be annotated there so that other )outer Teams can documentand understand the links and routing in this and future modules.

?: What network mask should be used on point7to7point links9

!: 'n serial interfaces, the network mask should be C># 2or !$$.!$$.!$$.!$! in dotted uadformat4. There is no point in using any other siBe of mask as there are only two hosts on such a link.- !$$.!$$.!$$.!$! address mask means * a&ailable host addresses, of which two are usable 2theother two representing network and broadcast addresses4.

E



ISP Workshop Lab

10" #thernet Connections" The +thernet links between the routers will be made using cross-over )7*$ cables G these will directly connect the +thernet ports on the two routers without thereuirement for an +thernet switch. IP subnets will again be taken from the -ddressing Plan. %onAtmake the mistake of assigning a C!* mask to the interface address G there are only two hosts on the

+thernet connecting the two routers, so a C># mask should be entirely sufficient.

12" Ping Test @1" Ping all physically connected subnets of the neighbouring routers. If the physicallyconnected subnets are unreachable, consult with your neighbouring teams as to what might bewrong. %onAt ignore the problem G it may not go away. @se the following commands totroubleshoot the connection/

show arp / Shows the -ddress resolution protocol

show interface ;interface> ;number> / Interface status and configuration

show ip interface / 5rief summary of IP interface status and configuration

15" Create )oopbac& *nter%aces" Loopback interfaces will be used in this workshop for many things.

These include generating routes 2to be ad&ertised4 and configuring some 56P peerings. -sdiscussed earlier in Step 1#, we will use part of the allocated IP address block for loopback interfaces. 8ost ISPs tend to set aside a contiguous block of addresses for use by their router loopbacks. 3or eample, if an ISP had !# routers, they would need a C!" 2or >! host addresses4 to

pro&ide a loopback address for each router. We ha&e 1* routers in our lab G to be prudent and allowfor growth, we will set aside a C!" 2allows us >! loopbacks4 but only use 1* of them. The assignedloopback addresses are/

R1 10.0.15.241/32

R2 10.0.15.242/32

R3 10.0.15.243/32

R4 10.0.15.244/32

R5 10.0.15.245/32

R6 10.0.15.246/32

R7 10.0.15.247/32

R8 10.0.15.248/32

R9 10.0.15.249/32

R10 10.0.15.250/32

R11 10.0.15.251/32

R12 10.0.15.252/32

R13 10.0.15.253/32

R14 10.0.15.254/32

3or eample, )outer Team 1 would assign the following address and mask to the loopback on)outer 1/

Router!config"#interface loopbac% &

Router!config$if"#ip address &.&.6.) 66.66.66.66

?: Why do we use C>! masks for the loopback interface address9

!: There is no physical network attached to the loopback so there can only be one de&ice there. Sowe only need to assign a C>! mask G it is a waste of address space to use anything else.

Checkpoint #1 call lab assistant to verify the connectivity. Demonstrate that you can ping and telnet to the adjacent routers.

17" OSPF ith one area in the sa.e !S – activate the OSPF process" +ach router Team should

enable 'SP3 on their router. The 'SP3 process identifier should be 41 2see eample4. 2The 'SP3

"




process identifier is ust a number to uniuely identify this 'SP3 process on this router. It is not passed between routers.4

Router!config"#router ospf )

The default I'S configuration should be changed so that all interfaces are marked as passi&e for 'SP3 by default. This suppresses routing updates on all router interfaces and stops the router fromunintentionally forming 'SP3 adacencies o&er eternal facing interfaces, and the potential

problems this may bring!.

Router!config$router"#passi'e$interface default

-ny interfaces o&er which 'SP3 adacencies should be formed need to be marked with the no passive-interface subcommand.

Router!config$router"#no passi'e$interface fastethernet &/&

Router!config$router"#no passi'e$interface fastethernet &/

Router!config$router"#no passi'e$interface serial /&

18" !ctivating OSPF on each inter%ace" 0ow that the 'SP3 process is configured, each team shouldacti&ate 'SP3 on the indi&idual router interfaces as reuired. @nlike pre&ious releases of I'S, I'S1!.* and later releases also allow 'SP3 to be run on a link 2rather than ust on a subnet4. )ather than using the older 2and confusing4 <network= statement, we now acti&ate 'SP3 on each interfacethat will form an adacency/

Router!config"#interface serial /&

Router!config$if"#ip ospf ) area &

<

Router!config$if"#interface fastethernet &/&

Router!config$if"#ip ospf ) area &<

Router!config$if"#interface fastethernet &/


.1" !nnouncing the )oopbac& >20" The loopback interface also reuires 'SP3 to be acti&ated on it.

+&en though there is no adacency to be formed 2because there is no physical neighbour and theinterface is marked as passi&e by default in the pre&ious step4, we need to declare 'SP3 on theloopback interface so that the IP address used for the loopback is placed into the 'SP3 )I5.

Router!config"#interface loopbac% &


1;" OSPF !djacencies" +ach team should enable logging of 'SP3 adacency changes. 24ote: 3rom

I'S 1!.* onwards, log-neighbor-changes is acti&ated by default when 'SP3 is first configured4.This is so that a notification is generated e&ery time the state of an 'SP3 neighbour changes, and isuseful for debugging purposes/


Router!config$router"#log$ad=acenc($changes

! ItAs a common error in many ISP configurations to ha&e the I6P acti&e on all interfaces on the router. There ha&e been

many documented accidents where a customer I6P has established a connection with the ISPAs I6P, resulting in a cross pollution of routing information, and the resulting traffic chaos. Switching off this ability by marking all interfaces passi&e by default helps a&oid forgetfulness or errors at a later date.

;



ISP Workshop Lab

1<" !voiding Tra%%ic Blac&hole on -eboot" When a router restarts after being taken out of ser&ice,'SP3 will start distribute prefies as soon as adacencies are established with its neighbours. In thenet part of the workshop lab, we will be introducing i56P. So if a router restarts, 'SP3 will startup well before the i56P mesh is re7established. This will result in the router landing in the transit

path for traffic, with out the routing table being completed by 56P. There will not be complete

routing information on the router, so any transit traffic 2from customer to peer or upstream, or &ice7&ersa4 will be either dropped, or resulting in packets bouncing back and forth between adacentrouters. To a&oid this problem, we reuire the router to not announce it is a&ailability until the i56Pmesh is up and running. To do this, we ha&e to pro&ide the following command/


Router!config$router"#ma:$metric router$lsa on$startup wait$for$bgp

This sets up 'SP3 such that all routes &ia this router will be marked as unreachable 2&ery highmetric4 until i56P is up and running. 'nce i56P is running, the prefies distributed by 'SP3 willre&ert to standard metric &alues, and the router will pass transit traffic as normal.

0=" AOptional" #nable 34S na.e and address resolution on the routers" If the workshopinstructors ha&e set up the nameser&er in the workshop at this stage, all router teams should nowenable %0S lookups on their routers. 'SP3 is carrying all the prefies, including the network connecting to )outer1$, around the classroom, so all routers should be able to see )outer1$.

Router!config"#ip domain$loo%up

Router!config"#ip name$ser'er -...)

Router!config"#ip domain$name wor%shop.net

These commands undo what was configured in step > at the beginning of the module. 8ake surethat you can ping the nameser&er before you do this. If you canAt ping the nameser&er, in&estigate

why.

0ote that the team operating )outer E will be added to add configuration which will allow the %0Sser&er address block to be propagated throughout the classroom network. The etra configurationfor )outerE is as follows/

router ospf )

networ% -...& &.&.&.66 area &

<

interface ?astEthernet&/

ip addr -...6) 66.66.66.&

no shutdown

<

01" AOptional" #nable OSPF na.e loo&ups on the routers" 3ollowing from the pre&ious step, nowenable 'SP3 name lookups on the router.

Router!config"#ip ospf name$loo%up

This command enables the display of the 'SP3 router7ids as domain names. So, rather thandisplaying the following output with name lookups disabled/

router>sh ip ospf neigh

Neighbor @8 *ri 9tate 8ead Time Address @nterface&.&.6.) ?BLL/08R &&&&D &.&.6. ?astEthernet&/&

F




&.&.6.)) ?BLL/ $ &&&&D &.&.6. 9erial/&

&.&.6.6) ?BLL/8R &&&&D &.&.6. ?astEthernet&/

the router will display the following/

router#sh ip ospf neigh

Neighbor @8 *ri 9tate 8ead Time Address @nterface

router.wor%sho ?BLL/08R &&&&DD &.&.6. ?astEthernet&/&

router).wor%sho ?BLL/ $ &&&&D- &.&.6. 9erial/&

router).wor%sh ?BLL/8R &&&&D6 &.&.6. ?astEthernet&/

which is much more informati&e.

00" Ping Test @0" Ping all loopback interfaces in the classroom. This will ensure the 'SP3 I6P isconnected +nd7to7+nd. If there are problems, use the following commands to help determine the

problem/

show ip route / see if there is a route for the intended destination

show ip ospf / see general 'SP3 information

show ip ospf interface / (heck if 'SP3 is enabled on all intended interface

show ip ospf neighbor / see a list of 'SP3 neighbours that the router sees

Checkpoint #! call lab assistant to verify the connectivity. Save the configuration as it is on therouter – use a separate worsheet! or the worspace at the end of this "odule. #ou will re$uire thisconfiguration several times throughout the worshop.

02" Traceroute to all routers" 'nce you can ping all the routers, try tracing routes to all the routersusing trace %.%.%.% command. 3or eample, )outer Team 1 would type/

Router# trace &.&.6.6

to trace a route to )outer )1!. If the trace times out each hop due to unreachable destinations, it is possible to interrupt the traceroute using the (isco break seuence (T)L7M.

? ?" Why do some trace paths show multiple IP addresses per hop9-

!" If there are more than one eual cost paths, 'SP3 will <load share= traffic between those paths.

Router>trace router

T(pe escape seuence to abort.

Tracing the route to router.wor%shop.net !&.&.6.)"

fe&$&.router.wor%shop.net !&.&.6." ) msec

fe&$.routerD.wor%shop.net !&.&.6." & msec

fe&$&.router.wor%shop.net !&.&.6." & msec

fe&$&.router).wor%shop.net !&.&.6.6)" ) msec

fe&$.router).wor%shop.net !&.&.6." ) msec

fe&$&.router).wor%shop.net !&.&.6.6)" & msec

D ser&$&.router.wor%shop.net !&.&.6.-" ) msec F ) msec

Router>

1#



ISP Workshop Lab

05" Other Features in OSPF" )e&iew the documentation or use command line help by typing & to seeother show commands and other 'SP3 configuration features.

07" !dvanced Con%iguration" Those router teams who ha&e completed this module should refer to8odule 11 of the -d&anced 56P Workshop. The set7up steps ha&e been etended to include all the

basic reuirements of a router being used in an ISP backbone. While waiting for the module tocomplete, now would be a good time to re&iew the ad&anced 8odule and incorporate the additionsto the configuration used here.

Review Questions

1" What IP Protocol does Ping and Traceroute use9

0" Ping the IP address of your neighbourAs router 2for eample 1#.#.1$.!4. Look at the time it took for the ping to complete. 0ow Ping the IP address of your router on the same segment 2for eample1#.#.1$.14. Look at the time it took to complete a ping. What are the results9 Why is there adifference9

2" What I'S show command2s4 will display the routerAs forwarding table9

5" What I'S show command2s4 will display the routerAs 'SP3 database9

11

Documents

Module 01a - Basic OSPF