Preview of the OSPF Commands

Optional Commands:

Rtr(config-router)# default-information originate (Send default)

Rtr(config-router)# area area authentication (Plain authen.)

Rtr(config-router)# area area authentication message-digest

(md5 authen.)

Rtr(config)# interface loopback number (Configure lo as RtrID)

Rtr(config)# interface type slot/port

Rtr(config-if)# ip ospf priority <0-255> (DR/BDR election)

Rtr(config-if)# bandwidth kbps (Modify default bandwdth)

RTB(config-if)# ip ospf cost cost (Modify inter. cost)

Rtr(config-if)# ip ospf hello-interval seconds (Modify Hello)

Rtr(config-if)# ip ospf dead-interval seconds (Modify Dead)

Rtr(config-if)# ip ospf authentication-key passwd (Plain/md5authen)

Rtr(config-if)# ip ospf message-digest-key key-id md5 password

Distance Vector vs. Link State Routing

•2

With distance vector routing, each node has information only about the next hop:

Node A: to reach F go to B Node B: to reach F go to D Node D: to reach F go to E Node E: go directly to F

Distance vector routing makespoor routing decisions if directions are not completelycorrect (e.g., because a node is down).

If parts of the directions incorrect, the routing may be incorrect until the routing algorithms has re-converged.

AA BB CC

DD EE FF

Distance Vector vs. Link State Routing

•3

In link state routing, each node has a complete map of the topology

If a node fails, each node can calculate the new route

Difficulty: All nodes need to have a consistent view of the network

AA BB CC

DD EE FF

A B C

D E F

A B C

D E F

A B C

D E F

A B C

D E F

A B C

D E F

A B C

D E F

Advantages of OSPF (1 of 2)

OSPF is link-state routing protocol RIP, IGRP and EIGRP are distance-vector (routing by rumor)

routing protocols, susceptible to routing loops, split-horizon, and other issues.

OSPF has fast convergence RIP and IGRP hold-down timers can cause slow convergence.

OSPF supports VLSM and CIDR RIPv1 and IGRP do not

Advantages of OSPF (2 of 2) Cisco’s OSPF metric is based on bandwidth

RIP is based on hop count IGRP/EIGRP bandwidth, delay, reliability, load

OSPF only sends out changes when they occur. RIP sends entire routing table every 30 seconds, IGRP every 90 seconds Extra: With OSPF, a router does flood its own LSAs when it age reaches 30 minutes (later)

OSPF also uses the concept of areas to implement hierarchical routing

Two open-standard routing protocols to choose from: RIP, simple but very limited, or OSPF, robust but more sophisticated to implement.

IGRP and EIGRP are Cisco proprietary

Link State Routing: Basic princples

•6

1. Each router establishes a relationship (“adjacency”) with its neighbors

2.Each router generates link state advertisements (LSAs) which are distributed to all routers

LSA = (link id, state of the link, cost, neighbors of the link)

3. Each router maintains a database of all received LSAs (topological database or link state database), which describes the network has a graph with weighted edges

4. Each router uses its link state database to run a shortest path algorithm (Dijikstra’s algorithm) to produce the shortest path to each network

Operation of a Link State Routing protocol

•7

ReceivedLSAs

IP Routing Table

Dijkstra’s

Algorithm

Link StateDatabase

LSAs are flooded to other interfaces

OSPF

•8

OSPF = Open Shortest Path First The OSPF routing protocol is the most

important link state routing protocol on the Internet

The complexity of OSPF is significant

History: 1989: RFC 1131 OSPF Version 1 1991: RFC1247 OSPF Version 2 1994: RFC 1583 OSPF Version 2 (revised) 1997: RFC 2178 OSPF Version 2 (revised) 1998: RFC 2328 OSPF Version 2 (current version)

•Rick Graziani graziani@cabrillo.edu

OSPF’s Metric is Cost (Bandwidth)Cisco: Cost = Bandwidth

Cisco uses a default cost of 108/bandwidth

Default bandwidth of the interface (bandwidth command)

108 (100,000,000) as the reference bandwidth: This is used so that the faster links (higher bandwidth) have lower costs.

Routing metrics, lower the cost the better the route.

I.e. RIP: 3 hops is better than 10 hops

Extra: The reference bandwidth can be modified to accommodate networks with links faster than 100,000,000 bps (100 Mbps). See ospf auto-cost reference-bandwidth command.

Cost of a route is the cumulative costs of the outgoing interfaces from this router to the network.

•Rick Graziani graziani@cabrillo.edu

OSPF’s Metric is Cost (Bandwidth)Cisco default interface costs: 56-kbps serial link = 1785 64-kbps serial link = 1562 128-kbps serial link = 781 T1 (1.544-Mbps serial link) = 64 E1 (2.048-Mbps serial link) = 48 4-Mbps Token Ring = 25 Ethernet = 10 16-Mbps Token Ring = 6 Fast Ethernet = 1 Problem: Gigabit Ethernet and faster = 1

Notes: Cisco routers default to T1 (1.544 Mbps) on all serial interfaces and

require manual modification with the bandwidth command. ospf auto-cost reference-bandwidth reference-bandwidth can be

used to modify the reference-bandwidth for higher speed interfaces

•Cost = 100,000,000/Bandwidth

•Rick Graziani graziani@cabrillo.edu

Configuring Simple Authentication

A router, by default, trusts that routing information received, has come from a router that should be sending it.

Rtr(config-if)# ip ospf authentication-key passwd Configured on an interface password = Clear text unless message-digest is used (next)

Easily captured using a packet snifferPasswords do not have to be the same throughout an area, but they must be same between neighbors.

After a password is configured, you enable authentication for the area on all participating area routers with:

Rtr(config-router)# area area authentication Configured for an OSPF area, in ospf router mode.

•Rick Graziani graziani@cabrillo.edu

Configuring MD5 Encrypted Authentication

Rtr(config-if)# ip ospf message-digest-key key-id md5 password

Key-id = 1 to 255, must match on each router to authenticate. md5 = Encryption-type password = encrypted

Passwords do not have to be the same throughout an area, but they must be same between neighbors.

After a password is configured, you enable authentication for the area on all participating area routers with:

Rtr(config-router)# area area authentication [message-digest]

message-digest option must be used if using message-digest-key If optional message-digest is used, a message digest, or hash, of

the password is sent.

MD5 Encryption

MD5 authentication, creates a message digest. This is scrambled data that is based on the password

and the packet contents . The receiving router uses the shared password and the

packet to re-calculate the digest. If the digests match, the router believes that the source

of the packet and its contents have not been tampered with.

In the case of message-digest authentication, the authentication data field contains the key-id and the length of the message digest that is appended to the packet.

The Message Digest is like a watermark that can’t be faked.

Terminology

Router ID – Used to identify the routers in the OSPF network IP address configured with the OSPF router-id command (extra) Highest loopback address (configuration coming) Highest active IP address (any IP address)

Loopback address has the advantage of never going down, thus diminishing the possibility of having to re-establish adjacencies. (more in a moment)

Features of OSPF

•15

Provides authentication of routing messages Enables load balancing by allowing traffic to

be split evenly across routes with equal cost Type-of-Service routing allows to setup

different routes dependent on the TOS field Supports subnetting Supports multicasting Allows hierarchical routing

Link State Database

•16

The collection of all LSAs is called the link-state database

Each router has and identical link-state database

Useful for debugging: Each router has a complete description of the network

If neighboring routers discover each other for the first time, they will exchange their link-state databases

The link-state databases are synchronized using reliable flooding

•17

OSPF Packet Types

OSPF Hello Protocol

Hello subprotocol is intended to perform the following tasks within OSPF:

Dynamic neighbor discovery Detect unreachable neighbors Ensure two-way communications between neighbors Ensure correctness of basic interface parameters between

neighbors Provide necessary information for the election of the Designated

and Backup Designated routers on a LAN segment (coming)

OSPF Hello Protocol

OSPF routers send Hellos on OSPF enabled interfaces:Default every 10 seconds on multi-access and point-to-point segmentsDefault every 30 seconds on NBMA segments (Frame Relay, X.25, ATM)Most cases OSPF Hello packets are sent as multicast to ALLSPFRouters (224.0.0.5)

HelloInterval - Cisco default = 10 seconds or 30 seconds and can be changed with the command ip ospf hello-interval.

RouterDeadInterval - The period in seconds that the router will wait to hear a Hello from a neighbor before declaring the neighbor down.

Cisco uses a default of four-times the HelloInterval (4 x 10 sec. = 40 seconds, 120 secconds for NBMA) and can be changed with the command ip ospf dead-interval.

Note: For routers to become adjacent, the Hello, DeadInterval and network types must be identical between routers or Hello packets get dropped!

•20

Network Types – more later

•show ip ospf interface

Unless you are configuring an NBMA network like Frame Relay, this won’t be an issue.

• Many administrators prefer to use point-to-point or point-to-multipoint for NMBA to avoid the DR/BDR and full-mesh issues.

•21

•OSPF Type-4 packets have 7 LSA packets

OSPF packet types (Extra)

•Rick Graziani graziani@cabrillo.edu

Steps to OSPF Operation

OSPF Packet Format

•23

OSPF MessageIP header

Body of OSPF MessageOSPF MessageHeader

Message TypeSpecific Data

LSA LSALSA ...

LSAHeader

LSAData

...

Destination IP: neighbor’s IP address or 224.0.0.5 (ALLSPFRouters) or 224.0.0.6 (AllDRouters)

TTL: set to 1 (in most cases)

OSPF packets are not carried as UDP payload!OSPF has its own IP protocol number: 89

OSPF Packet Format

•24

source router IP address

authentication

authentication

32 bits

version type message length

Area ID

checksum authentication type

Body of OSPF MessageOSPF MessageHeader

2: current version is OSPF V2

Message types:1: Hello (tests reachability)2: Database description3: Link Status request4: Link state update5: Link state acknowledgement

ID of the Area from which the packet originated

Standard IP checksum taken over entire packet

0: no authentication1: Cleartext password2: MD5 checksum(added to end packet)

Authentication passwd = 1: 64 cleartext password Authentication passwd = 2: 0x0000 (16 bits)

KeyID (8 bits) Length of MD5 checksum (8 bits) Nondecreasing sequence number (32 bits)

Prevents replay attacks

OSPF LSA Format

•25

Link State ID

link sequence number

advertising router

Link Age Link Type

checksum length

Link ID

Link Data

Link Type Metric#TOS metrics

LSA

LSAHeader

LSAData

Link ID

Link Data

Link Type Metric#TOS metrics

LSA Header

Link 1

Link 2

Discovery of Neighbors

•26

Routers multicasts OSPF Hello packets on all OSPF-enabled interfaces.

If two routers share a link, they can become neighbors, and establish an adjacency

After becoming a neighbor, routers exchange their link state databases

OSPF Hello

OSPF Hello: I heard 10.1.10.2

10.1.10.1 10.1.10.2

Scenario:Router 10.1.10.2 restarts

Neighbor discovery and database synchronization

•27

OSPF Hello

OSPF Hello: I heard 10.1.10.2

Database Description: Sequence = X

10.1.10.1 10.1.10.2

Database Description: Sequence = X, 5 LSA headers = Router-LSA, 10.1.10.1, 0x80000006 Router-LSA, 10.1.10.2, 0x80000007 Router-LSA, 10.1.10.3, 0x80000003 Router-LSA, 10.1.10.4, 0x8000003a Router-LSA, 10.1.10.5, 0x80000038 Router-LSA, 10.1.10.6, 0x80000005

Database Description: Sequence = X+1, 1 LSA header= Router-LSA, 10.1.10.2, 0x80000005

Database Description: Sequence = X+1

Sends empty database description

Scenario:Router 10.1.10.2 restarts

Discovery of adjacency

Sends database description. (description only contains LSA headers)

Database description of 10.1.10.2Acknowledges

receipt of description

After neighbors are discovered the nodes exchange their databases

Regular LSA exchanges

•28

10.1.10.1 10.1.10.2

Link State Request packets, LSAs = Router-LSA, 10.1.10.1, Router-LSA, 10.1.10.2, Router-LSA, 10.1.10.3, Router-LSA, 10.1.10.4, Router-LSA, 10.1.10.5, Router-LSA, 10.1.10.6,

Link State Update Packet, LSA = Router-LSA, 10.1.1.6, 0x80000006

Link State Update Packet, LSAs = Router-LSA, 10.1.10.1, 0x80000006 Router-LSA, 10.1.10.2, 0x80000007 Router-LSA, 10.1.10.3, 0x80000003 Router-LSA, 10.1.10.4, 0x8000003a Router-LSA, 10.1.10.5, 0x80000038 Router-LSA, 10.1.10.6, 0x80000005

10.1.10.2 explicitly requests each LSA from 10.1.10.1

10.1.10.1 sends requested LSAs 10.1.10.2 has more

recent value for 10.0.1.6 and sends it to 10.1.10.1(with higher sequence number)

Dissemination of LSA-Update

•29

A router sends and refloods LSA-Updates, whenever the topology or link cost changes. (If a received LSA does not contain new information, the router will not flood the packet)

Exception: Infrequently (every 30 minutes), a router will flood LSAs even if there are not new changes.

Acknowledgements of LSA-updates: explicit ACK, or implicit via reception of an LSA-Update

Reliable Flooding ---

Terminology

CCNA 3.0 covers Single Area OSPF as opposed to Multi-Area OSPF

All routers will be configured in a single area, the convention is to use area 0

If OSPF has more than one area, it must have an area 0 CCNP includes Multi-Area OSPF

•Or “OSPF Routing Domain”

Single Area OSPF uses only one area, usually Area 0

Electing the DR and BDR

Without a DR, the formation of an adjacency between every attached router would create many unnecessary LSA (Link State Advertisements), n(n-1)/2 adjacencies.

Flooding on the network itself would be chaotic.

• DRDR - Designated Router

• BDRBDR – Backup Designated Router

• DR’s serve as collection points for Link State Advertisements (LSAs) on multi-access networks

• If the IP network is multi-access, the OSPF routers will elect one DR and one BDR

• On multi-access, broadcast links (Ethernet), a DR and BDR (if there is more than one router) need to be elected.

•Rick Graziani graziani@cabrillo.edu

Electing the DR and BDR

Router with the highest Router ID is elected the DR, next is BDR. But like other elections, this one can be rigged. The router’s priority field can be set to either ensure that it becomes

the DR or prevent it from being the DR. Rtr(config-if)# ip ospf priority <0-255>

Higher priority becomes DR/BDR Default = 1 0 = Ineligible to become DR/BDR

The router can be assigned a priority between 0 and 255, with 0 preventing this router from becoming the DR (or BDR) and 255 ensuring at least a tie. (The highest Router ID would break the tie.)

•Rick Graziani graziani@cabrillo.edu

Electing the DR and BDR

All other routers, “DROther”, establish adjacencies with only the DR and BDR.

DRother routers multicast LSAs to only the DR and BDR (224.0.0.6 - all DR routers)

DR sends LSA to all adjacent neighbors (DROthers)(224.0.0.5 - all OSPF routers)

Backup Designated Router - BDR Listens, but doesn’t act. If LSA is sent, BDR sets a timer. If timer expires before it sees the reply from the DR, it becomes the

DR and takes over the update process. The process for a new BDR begins.

•Rick Graziani graziani@cabrillo.edu

Electing the DR and BDR

A new router enters the network: Once a DR is established, a new router that enters the

network with a higher priority or Router ID it will NOT become the DR or BDR. (Bug in early IOS 12.0)

Regardless of the priority or Router ID, that router will become a DROther.

If DR fails, BDR takes over as DR and selection process for new BDR begins.

•Rick Graziani graziani@cabrillo.edu

DR/BDR Elections

Router with the highest Router ID is elected the DR, next is BDR.

But like other elections, this one can be rigged.

Rtr(config)# interface fastethernet 0Rtr(config-if)# ip ospf priority <0-255>

Higher priority becomes DR/BDR Default = 1 Ineligible to become DR/BDR = 0

•OSPF Areas•36

Stub and Totally Stubby Area Criteria A single exit point Not a transit area for virtual links (these join

Area 0 to another network by transiting another area)

No ASBR internal to stub area Not backbone or Area 0

•OSPF Areas•37

Stub and Totally Stubby Areas

•OSPF Areas•38

Stub and Totally Stubby Areas Size of the LS DB inside that area can be

greatly reduced Uses quad 0 route to get to rest of world Stub areas are typically created when using a

hub-and-spoke topology Works when a mix of Cisco and non Cisco

routers exist

•OSPF Areas•39

Totally Stubby Area – Cisco only A totally stubby area is a stub area that blocks

external Type 5 LSA’s and summary, Type 3 and Type 4, LSA’s from entering

Intra-area routes and the default of 0.0.0.0/0 are the only routes known to the stub area

ABR’s inject the default summary link 0.0.0.0/0 into the totally stubby area

•OSPF Areas•40

Setting up stub and totally stubby Areas

Router(config-router)#area [area id] stub

Routers exchange packets with the E bit set to 0.

Add no-summary to ABR’s - this blocks inter-area summaries and makes the area Totally Stubby

On ABR’s define the cost of the default route manually:

Router(config-router)#area [area id]

default-cost [cost]

•OSPF Areas•41

Not So Stubby Area Stub and Totally Stubby Areas cannot accept

external routes If we connect to an area e.g. RIP that is

outside our jurisdiction, and routers are low spec, use NSSA

Accepts external routes as Type 7 and converts then to Type 5 at ABR

•OSPF Areas•42

NSSA

Autonomous Systems

•43

An autonomous system is a region of the Internet that is administered by a single entity.

Routing is done differently within an autonomous system (intradomain routing) and between autonomous system (interdomain routing).

Autonomous Systems (AS)

•44

Ethernet

Router

Ethernet

Ethernet

RouterRouter

Ethernet

Ethernet

EthernetRouterRouter

Router

AutonomousSystem 2

AutonomousSystem 1

BGP

•45

BGP = Border Gateway Protocol Currently in version 4 Note: In the context of BGP, a gateway is nothing

else but an IP router that connects autonomous systems.

Interdomain routing protocol for routing between autonomous systems

Uses TCP to send routing messages BGP is neither a link state, nor a distance vector

protocol. Routing messages in BGP contain complete routes.

Network administrators can specify routing policies

BGP

•46

BGP’s goal is to find any path (not an optimal one). Since the internals of the AS are never revealed, finding an optimal path is not feasible.

For each autonomous system (AS), BGP distinguishes:

local traffic = traffic with source or destination in AS

transit traffic = traffic that passes through the AS Stub AS = has connection to only one AS,

only carry local traffic Multihomed AS = has connection to >1 AS, but does

not carry transit traffic Transit AS = has connection to >1 AS and

carries transit traffic

BGP

•47

AS 1 AS 2

AS 3Router

AS 4

RouterRouter Router

Router

Router

Router