
Exam: 642-902

Exam Objective: Configure OSPF routing.

Contents

Introduction
Technology Background
Lab Scenario
Lab Objectives
Lab Solution

Lab 1

Introduction
OSPF is an open standard Link State Routing Protocol. The basic configuration of OSPF is covered in another lab. This one focuses on advanced OSPF features such as area types and authentication.

Technology Background
OSPF supports several types of areas, including standard areas, stub areas, totally stubby areas, and not-so-stubby (NSSA) areas. These special area types bring flexibility to OSPF network design, allowing OSPF to be molded according to needs and hardware.

It should be remembered that an area is a part of the OSPF routing domain. Routes are exchanged between areas through Area Border Routers (ABRs). Areas break up the OSPF domain into small manageable blocks. Sometimes the design or hardware of routers in an area warrants less LSA information in the area. Imagine a small branch office router getting all LSAs from the Head Office router in a large OSPF domain. The router will soon exhaust its memory and/or CPU.

OSPF provides for different types of stub areas, which limit the number of LSAs that are received into them. There are 3 rules which need to be remembered when configuring any type of stub area:

All routers in an area should be configured for the same stub type
Area 0 cannot be a stub area
A virtual link cannot traverse a stub area
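The three rules can be checked mechanically before a change is pushed. This is an added example, not part of the original lab: it scans OSPF stanzas for the IOS area <area-id> stub, nssa and virtual-link keywords. The sample stanzas are constructed from this lab's routers, and RouterX and check_stub_rules are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed sample input: OSPF stanzas modelled on this lab's routers, plus
# a hypothetical RouterX that breaks all three rules.
CONFIGS = {
    "RouterB": """router ospf 1
 area 1 stub no-summary
 network 192.168.1.2 0.0.0.0 area 0
 network 192.168.2.2 0.0.0.0 area 1""",
    "RouterD": """router ospf 1
 area 1 stub
 network 192.168.2.4 0.0.0.0 area 1""",
    "RouterX": """router ospf 1
 area 0 stub
 area 1 nssa
 area 1 virtual-link 9.9.9.9
 network 192.168.1.9 0.0.0.0 area 0
 network 192.168.2.9 0.0.0.0 area 1""",
}

AREA_RE = re.compile(r"^\s*area (\S+) (stub|nssa|virtual-link)\b", re.M)
NET_RE = re.compile(r"^\s*network \S+ \S+ area (\S+)", re.M)

def check_stub_rules(configs):
    """Return a sorted list of stub-area rule violations across all routers."""
    kind = defaultdict(dict)   # area -> {router: "standard" | "stub" | "nssa"}
    vlinks, problems = [], []
    for router, text in configs.items():
        for area in NET_RE.findall(text):
            kind[area][router] = "standard"
        for area, word in AREA_RE.findall(text):
            if word == "virtual-link":
                vlinks.append((router, area))
            else:
                kind[area][router] = word   # stub and stub no-summary are one type
    for area, per_router in kind.items():
        types = set(per_router.values())
        if len(types) > 1:                  # rule 1: same type on every router
            problems.append(f"area {area}: mixed types {sorted(per_router.items())}")
        if area in ("0", "0.0.0.0") and types != {"standard"}:   # rule 2
            problems.append(f"area {area}: backbone cannot be a stub area")
    for router, area in vlinks:             # rule 3: no virtual link via a stub area
        if set(kind[area].values()) - {"standard"}:
            problems.append(f"{router}: virtual link through stub-type area {area}")
    return sorted(problems)

if __name__ == "__main__":
    print("\n".join(check_stub_rules(CONFIGS)) or "no violations")
```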

The different types of Stub Areas are:

Stub Area
Totally Stubby Area
Not-So-Stubby Area (NSSA)
Totally Stubby NSSA

Stub Area:

The ABR of a Stub area will filter all external advertisements (LSA type 5) and replace them with a default route. This means you will never see an E1 or E2 route in a Stub area. The default route injected by the ABR will have a next hop address of the ABR's interface, so all traffic destined to an external network will pass through the ABR. In Figure 1, if Area 1 is configured as Stub, then the external routes being advertised by ASBR RouterA will not be seen on RouterD. RouterB, the ABR, would replace the external routes with a default route.

Figure 1

The command to implement a stub area on an ABR is:

Router(config-router)#area <area-id> stub

Totally Stubby Area:

Totally stubby areas are areas where the ABR filters all inter-area and external advertisements and replaces them with a default route. The totally stubby option is Cisco proprietary. In a large network, the routing table's considerable size comes from other areas and external sources. Hence a totally stubby area would reduce the size of the routing table a great deal. For example, if the area behind RouterC is configured as Totally Stubby in Figure 1, RouterC, the ABR, will not only filter the external routes from RouterA but also the Area 1 routes advertised by RouterB.

The command to implement a totally stubby ABR is:

Router(config-router)#area <area-id> stub no-summary

The area <area-id> stub no-summary command is only entered on the ABR of a totally stubby area. The other routers in the totally stubby area are only configured with the area <area-id> stub command.

Not-So-Stubby Area (NSSA):

A stub or a totally stubby area does not have external routes. This means that these areas cannot have an ASBR either. NSSA is a stub area that allows an ASBR. The ASBR understands that type 5 LSAs are not permitted and so disguises the LSAs as type 7. The type 7 LSAs are converted to type 5 by the ABR and sent normally out to other areas. NSSA external routes show up as N1 or N2 instead of E1 or E2. NSSA is similar to a stub area in all other aspects. Note that the ABR of an NSSA does not automatically generate a default route; the no-summary or default-information-originate optional keywords must be appended to the area <area-id> nssa command on the ABR for that to happen.

The command to implement an NSSA ABR is:

Router(config-router)#area <area-id> nssa

Remember that NSSA is a stub area, so the ABR will not allow LSA type 5 to come into the area.

Totally Not-So-Stubby Area (NSSA):

Similar to NSSA, but the ABR of this area will not allow inter-area routes to come into the area. This area is similar to a Totally Stubby Area but will allow an ASBR and LSA type 7 routes. The ABR of this area will also not generate a default route unless the no-summary or default-information-originate keyword is configured on it.

The command to configure an area as Totally NSSA is:

Router(config-router)#area <area-id> nssa no-summary

Authentication:

OSPF by default trusts any router. This can be dangerous if someone injects malicious routes. To prevent this from happening we can configure authentication between OSPF routers. There are two kinds of authentication available: clear text and MD5 hash. Clear text passwords can be found out by anyone who can capture the packets. An MD5 hash cannot be reversed and hence is secure.

Plain text authentication can be enabled on a per-interface basis using the following commands:

Router(config-if)#ip ospf authentication
Router(config-if)#ip ospf authentication-key <key>

MD5 authentication can be enabled on a per-interface basis using the following commands:

Router(config-if)#ip ospf authentication message-digest
Router(config-if)#ip ospf message-digest-key <key id> md5 <key>
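How the message-digest option protects a packet, following RFC 2328 Appendix D, as an added example that is not part of the original lab: the sender appends MD5(packet + zero-padded key), and the receiver recomputes it and drops packets with an unknown key ID, a bad digest or a stale sequence number. The function names, the 20-byte placeholder body and the sequence numbers are constructed for illustration; the key and key ID are the ones this lab's solution uses.

```python
import hashlib
import hmac
import socket
import struct

def pad_key(key: bytes) -> bytes:
    """Truncate or zero-pad the shared secret to the 16 bytes OSPF hashes."""
    return key[:16].ljust(16, b"\x00")

def build_packet(router_id, area_id, body, key, key_id, seq, ptype=1):
    """Build an OSPFv2 packet with AuType 2 and append its MD5 digest."""
    header = struct.pack(
        "!BBH4s4sHHHBBI",
        2, ptype, 24 + len(body),      # version, type, length (digest not counted)
        socket.inet_aton(router_id), socket.inet_aton(area_id),
        0,                             # checksum is unused with AuType 2
        2,                             # AuType 2: cryptographic authentication
        0, key_id, 16, seq)            # reserved, key ID, digest length, sequence
    packet = header + body
    return packet + hashlib.md5(packet + pad_key(key)).digest()

def verify_packet(packet, keys, last_seq):
    """Return the accepted sequence number, or None if the packet is dropped."""
    if len(packet) < 40:               # 24-byte header plus 16-byte digest
        return None
    length = struct.unpack("!H", packet[2:4])[0]
    autype, _, key_id, digest_len, seq = struct.unpack("!HHBBI", packet[14:24])
    key = keys.get(key_id)
    if autype != 2 or digest_len != 16 or key is None or seq < last_seq:
        return None                    # wrong auth type, unknown key or stale sequence
    if len(packet) != length + 16:
        return None                    # digest must directly follow the OSPF packet
    expected = hashlib.md5(packet[:length] + pad_key(key)).digest()
    return seq if hmac.compare_digest(packet[length:], expected) else None

# Constructed sample: a 20-byte placeholder body standing in for a Hello from
# RouterA (1.1.1.1) in area 0, signed with the lab's key ID 1.
KEYS = {1: b"mypassword"}
HELLO = build_packet("1.1.1.1", "0.0.0.0", bytes(20), KEYS[1], key_id=1, seq=100)

if __name__ == "__main__":
    print("accepted seq:", verify_packet(HELLO, KEYS, last_seq=99))
    forged = HELLO[:30] + b"\x01" + HELLO[31:]
    print("modified packet:", verify_packet(forged, KEYS, last_seq=99))
    print("replayed old packet:", verify_packet(HELLO, KEYS, last_seq=101))
```

The packet body still travels in clear text; the digest only proves that the sender holds the shared key and that the packet was not altered in transit.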

Lab Scenario
We are using OSPF in our network, shown in Figure 2.

Figure 2

The relevant configuration of the routers is given below:

RouterA#sh run
!
hostname RouterA
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface Loopback1
 ip address 172.16.1.1 255.255.255.0
!
interface Loopback2
 ip address 172.16.2.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
 redistribute connected subnets route-map connred
 network 192.168.1.1 0.0.0.0 area 0
!
route-map connred permit 10
 match interface Loopback1 Loopback2
!

RouterB#sh run
!
hostname RouterB
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 192.168.2.2 255.255.255.0
 clock rate 2000000
!
router ospf 1
 log-adjacency-changes
 network 192.168.1.2 0.0.0.0 area 0
 network 192.168.2.2 0.0.0.0 area 1

RouterC#sh run
!
hostname RouterC
!
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.1.3 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 192.168.3.3 255.255.255.0
 clock rate 2000000
!
router ospf 1
 log-adjacency-changes
 network 192.168.1.3 0.0.0.0 area 0
 network 192.168.3.3 0.0.0.0 area 2
!

RouterD#sh run
!
hostname RouterD
!
interface Loopback0
 ip address 4.4.4.4 255.255.255.0
!
interface Serial0/0
 ip address 192.168.2.4 255.255.255.0
 clock rate 2000000
!
router ospf 1
 log-adjacency-changes
 network 192.168.2.4 0.0.0.0 area 1
!

RouterE#sh run
!
hostname RouterE
!
interface Loopback0
 ip address 5.5.5.5 255.255.255.0
!
interface Serial0/0
 ip address 192.168.3.5 255.255.255.0
 clock rate 2000000
!
interface Serial0/1
 ip address 192.168.4.5 255.255.255.0
 clock rate 2000000
!
router ospf 1
 log-adjacency-changes
 redistribute rip subnets
 network 192.168.3.5 0.0.0.0 area 2
!
router rip
 version 2
 redistribute ospf 1 metric 5
 network 192.168.4.0
 no auto-summary
!

RouterF#sh run
!
hostname RouterF
!
interface Loopback1
 ip address 10.1.1.1 255.255.255.0
!
interface Loopback2
 ip address 10.1.2.1 255.255.255.0
!
interface Loopback3
 ip address 10.1.3.1 255.255.255.0
!
interface Serial0/0
 ip address 192.168.4.6 255.255.255.0
 clock rate 2000000
!
router rip
 version 2
 network 10.0.0.0
 network 192.168.4.0
 no auto-summary

Your task is to configure OSPF such that:

No external or inter-area routes are seen on RouterD. A default route should be present to reach these networks.
No E1 or E2 routes are seen on RouterE. A default route should be present to reach these networks.
Routes from RouterF should be present on RouterA.
Communication between RouterA, RouterB and RouterC is as secure as possible.

Lab Objectives

Configure Area 1 as Totally Stubby
Configure Area 2 as NSSA and ensure that the ABR is sending a default route
Configure message-digest authentication between RouterA, RouterB and RouterC

Lab Solution
The first task requires us to configure Area 1 as Totally Stubby:

RouterB(config)#router ospf 1
RouterB(config-router)#area 1 stub no-summary
RouterD(config)#router ospf 1
RouterD(config-router)#area 1 stub

Let's verify on RouterD:

RouterD#sh ip ospf
Routing Process "ospf 1" with ID 4.4.4.4
Start time: 00:09:17.700, Time elapsed: 00:25:47.876
Supports only single TOS(TOS0) routes
Supports opaque LSA
Supports Link-local Signaling (LLS)
Supports area transit capability
Router is not originating router-LSAs with maximum metric
Initial SPF schedule delay 5000 msecs
Minimum hold time between two consecutive SPFs 10000 msecs
Maximum wait time between two consecutive SPFs 10000 msecs
Incremental-SPF disabled
Minimum LSA interval 5 secs
Minimum LSA arrival 1000 msecs
LSA group pacing timer 240 secs
Interface flood pacing timer 33 msecs
Retransmission pacing timer 66 msecs
Number of external LSA 0. Checksum Sum 0x000000
Number of opaque AS LSA 0. Checksum Sum 0x000000
Number of DCbitless external and opaque AS LSA 0
Number of DoNotAge external and opaque AS LSA 0
Number of areas in this router is 1. 0 normal 1 stub 0 nssa
Number of areas transit capable is 0
External flood list length 0
    Area 1
        Number of interfaces in this area is 1
        It is a stub area
        Area has no authentication
        SPF algorithm last executed 00:01:02.744 ago
        SPF algorithm executed 4 times
        Area ranges are
        Number of LSA 3. Checksum Sum 0x016E12
        Number of opaque link LSA 0. Checksum Sum 0x000000
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 0
        Flood list length 0

RouterD#sh ip route
--output truncated--
Gateway of last resort is 192.168.2.2 to network 0.0.0.0
     4.0.0.0/24 is subnetted, 1 subnets
C       4.4.4.0 is directly connected, Loopback0
C    192.168.2.0/24 is directly connected, Serial0/0
O*IA 0.0.0.0/0 [110/65] via 192.168.2.2, 00:01:48, Serial0/0

RouterD#ping 10.1.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/59/128 ms

The above outputs show that Area 1 is stub, a default route is being injected into the area by the ABR, and RouterD can reach the external routes on RouterF.

The next task requires us to configure Area 2 as NSSA:

RouterC(config)#router ospf 1
RouterC(config-router)#area 2 nssa default-information-originate
RouterE(config)#router ospf 1
RouterE(config-router)#area 2 nssa

Let's verify the configuration and the routing tables:

RouterE#sh ip ospf
Routing Process "ospf 1" with ID 5.5.5.5
Start time: 00:10:21.252, Time elapsed: 00:29:35.448
Supports only single TOS(TOS0) routes
Supports opaque LSA
Supports Link-local Signaling (LLS)
Supports area transit capability
It is an autonomous system boundary router
Redistributing External Routes from,
    rip, includes subnets in redistribution
Router is not originating router-LSAs with maximum metric
Initial SPF schedule delay 5000 msecs
Minimum hold time between two consecutive SPFs 10000 msecs
Maximum wait time between two consecutive SPFs 10000 msecs
Incremental-SPF disabled
Minimum LSA interval 5 secs
Minimum LSA arrival 1000 msecs
LSA group pacing timer 240 secs
Interface flood pacing timer 33 msecs
Retransmission pacing timer 66 msecs
Number of external LSA 0. Checksum Sum 0x000000
Number of opaque AS LSA 0. Checksum Sum 0x000000
Number of DCbitless external and opaque AS LSA 0
Number of DoNotAge external and opaque AS LSA 0
Number of areas in this router is 1. 0 normal 0 stub 1 nssa
Number of areas transit capable is 0
External flood list length 0
    Area 2
        Number of interfaces in this area is 1
        It is a NSSA area
        Area has no authentication
        SPF algorithm last executed 00:01:20.680 ago
        SPF algorithm executed 5 times
        Area ranges are
        Number of LSA 9. Checksum Sum 0x05D8B9
        Number of opaque link LSA 0. Checksum Sum 0x000000
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 0
        Flood list length 0

RouterE#sh ip route
--output truncated--
Gateway of last resort is 192.168.3.3 to network 0.0.0.0
     5.0.0.0/24 is subnetted, 1 subnets
C       5.5.5.0 is directly connected, Loopback0
C    192.168.4.0/24 is directly connected, Serial0/1
     10.0.0.0/24 is subnetted, 3 subnets
R       10.1.3.0 [120/1] via 192.168.4.6, 00:00:18, Serial0/1
R       10.1.2.0 [120/1] via 192.168.4.6, 00:00:18, Serial0/1
R       10.1.1.0 [120/1] via 192.168.4.6, 00:00:18, Serial0/1
O IA 192.168.1.0/24 [110/74] via 192.168.3.3, 00:01:49, Serial0/0
O IA 192.168.2.0/24 [110/138] via 192.168.3.3, 00:01:49, Serial0/0
C    192.168.3.0/24 is directly connected, Serial0/0
O*N2 0.0.0.0/0 [110/1] via 192.168.3.3, 00:01:49, Serial0/0

RouterC#sh ip route
--output truncated--
Gateway of last resort is not set
     3.0.0.0/24 is subnetted, 1 subnets
C       3.3.3.0 is directly connected, Loopback0
     172.16.0.0/24 is subnetted, 2 subnets
O E2    172.16.1.0 [110/20] via 192.168.1.1, 00:02:46, FastEthernet0/0
O E2    172.16.2.0 [110/20] via 192.168.1.1, 00:02:46, FastEthernet0/0
O N2 192.168.4.0/24 [110/20] via 192.168.3.5, 00:02:46, Serial0/0
     10.0.0.0/24 is subnetted, 3 subnets
O N2    10.1.3.0 [110/20] via 192.168.3.5, 00:02:46, Serial0/0
O N2    10.1.2.0 [110/20] via 192.168.3.5, 00:02:47, Serial0/0
O N2    10.1.1.0 [110/20] via 192.168.3.5, 00:02:47, Serial0/0
C    192.168.1.0/24 is directly connected, FastEthernet0/0
O IA 192.168.2.0/24 [110/74] via 192.168.1.2, 00:02:47, FastEthernet0/0
C    192.168.3.0/24 is directly connected, Serial0/0

RouterA#sh ip route
--output truncated--
Gateway of last resort is not set
     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Loopback0
     172.16.0.0/24 is subnetted, 2 subnets
C       172.16.1.0 is directly connected, Loopback1
C       172.16.2.0 is directly connected, Loopback2
O E2 192.168.4.0/24 [110/20] via 192.168.1.3, 00:03:18, FastEthernet0/0
     10.0.0.0/24 is subnetted, 3 subnets
O E2    10.1.3.0 [110/20] via 192.168.1.3, 00:03:17, FastEthernet0/0
O E2    10.1.2.0 [110/20] via 192.168.1.3, 00:03:17, FastEthernet0/0
O E2    10.1.1.0 [110/20] via 192.168.1.3, 00:03:17, FastEthernet0/0
C    192.168.1.0/24 is directly connected, FastEthernet0/0
O IA 192.168.2.0/24 [110/74] via 192.168.1.2, 00:03:33, FastEthernet0/0
O IA 192.168.3.0/24 [110/74] via 192.168.1.3, 00:03:33, FastEthernet0/0

The above outputs show that Area 2 is an NSSA and the ABR is injecting a default route. We also see that no E1/E2 routes are seen on RouterE, but RouterC has the N2 routes, which are shown as E2 on RouterA.

The final task requires us to configure authentication between RouterA, RouterB and RouterC:

RouterA(config)#interface fa0/0
RouterA(config-if)#ip ospf authentication message-digest
RouterA(config-if)#ip ospf message-digest-key 1 md5 mypassword
RouterB(config)#interface fa0/0
RouterB(config-if)#ip ospf authentication message-digest
RouterB(config-if)#ip ospf message-digest-key 1 md5 mypassword
RouterC(config)#interface fa0/0
RouterC(config-if)#ip ospf authentication message-digest
RouterC(config-if)#ip ospf message-digest-key 1 md5 mypassword

Let's verify the OSPF interface configuration and see if the routing table is correct after applying authentication:

RouterA#sh ip ospf interface
FastEthernet0/0 is up, line protocol is up
  Internet Address 192.168.1.1/24, Area 0
  Process ID 1, Router ID 1.1.1.1, Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 1.1.1.1, Interface address 192.168.1.1
  Backup Designated router (ID) 3.3.3.3, Interface address 192.168.1.3
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:04
  Supports Link-local Signaling (LLS)
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 0, maximum is 2
  Last flood scan time is 4 msec, maximum is 4 msec
  Neighbor Count is 2, Adjacent neighbor count is 2
    Adjacent with neighbor 2.2.2.2
    Adjacent with neighbor 3.3.3.3 (Backup Designated Router)
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled
    Youngest key id is 1

RouterA#sh ip route
--output truncated--
Gateway of last resort is not set
     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Loopback0
     172.16.0.0/24 is subnetted, 2 subnets
C       172.16.1.0 is directly connected, Loopback1
C       172.16.2.0 is directly connected, Loopback2
O E2 192.168.4.0/24 [110/20] via 192.168.1.3, 00:02:10, FastEthernet0/0
     10.0.0.0/24 is subnetted, 3 subnets
O E2    10.1.3.0 [110/20] via 192.168.1.3, 00:02:10, FastEthernet0/0
O E2    10.1.2.0 [110/20] via 192.168.1.3, 00:02:10, FastEthernet0/0
O E2    10.1.1.0 [110/20] via 192.168.1.3, 00:02:10, FastEthernet0/0
C    192.168.1.0/24 is directly connected, FastEthernet0/0
O IA 192.168.2.0/24 [110/74] via 192.168.1.2, 00:02:10, FastEthernet0/0
O IA 192.168.3.0/24 [110/74] via 192.168.1.3, 00:02:10, FastEthernet0/0

The above outputs show that authentication is enabled and the routing table is correct after authentication has been applied. This means that the communication between the routers is now secure.
