Saturday, July 09, 2011

My Note (OSPF)

OSPF
Stub area:
* filters Type 5 LSAs
* default route is inserted into routing table on all routers in Stubby area
* E1/E2 routes are removed from routing table on all routers in Stubby area
* there can only be one exit point out of this area
* external routes cannot be learned via Stubby area and then inserted into all OSPF areas (because LSA Type 5 is filtered in Stubby area)
Totally Stubby area:
* filters Type 3, 4, 5 LSAs
* default route is inserted into routing table on all routers in Totally Stubby area
* E1/E2 routes are removed from routing table on all routers in Totally Stubby area
* IA routes are removed from routing table on all routers in Totally Stubby area
* there can only be one exit point out of this area
* external routes cannot be learned via Totally Stubby area and then inserted into all OSPF areas (because LSA Type 5 is filtered in Totally Stubby area)
Not So Stubby area:
* filters Type 5 LSAs but permits Type 7 LSAs to pass through NSSA and once they reach backbone area they are converted back into Type 5 LSAs
* E1/E2 routes are removed from routing table on all routers in NSSA
* external routes can be learned via NSSA and then inserted into all OSPF areas
* default route is not inserted into routing table unless the “area number nssa default-information-originate” command is configured in router mode
Not So Stubby Totally Stubby area:
* filters Type 3, 4, 5 LSAs but permits Type 7 LSAs to pass through Not So Stubby Totally Stubby area and once they reach backbone area they are converted back into Type 5 LSAs
* default route is inserted into routing table on all routers in Not So Stubby Totally Stubby area
* E1/E2 routes are removed from routing table on all routers in Not So Stubby Totally Stubby area
* IA routes are removed from routing table on all routers in Not So Stubby Totally Stubby area
* external routes can be learned via Not So Stubby Totally Stubby area and then inserted into all OSPF areas
The difference between Stubby area and NSSA is that NSSA can redistribute some external networks into OSPF while Stubby area cannot (they both filter Type 5 LSAs).
The difference between Totally Stubby area and Not So Stubby Totally Stubby area is that Not So Stubby Totally Stubby area can redistribute some external networks into OSPF while Totally Stubby area cannot (they both filter Type 3, 4, 5 LSAs).


Area type              | Filter     | Inserted             | E.g Command
Stub Area              | LSA 5      | Default route        | area 1 stub
Totally Stub           | LSA 3,4,5  | Default route        | area 1 stub no-summary
Not So Stubby (NSSA)   | LSA 5      | LSA 7                | area 1 nssa
Totally Not So Stubby  | LSA 3,4,5  | LSA 7, Default route | area 1 nssa no-summary

-----------------------------------------------------------------------
OSPF E1 and E2 external route
R2(external)------R1(ABR/ASBR)------R4
E2 is the default route type for routes learned via redistribution. The key with E2 routes is that the cost of these routes reflects only the cost of the path from the ASBR to the final destination. It will not reflect the correct “Cost” or path.
R4#sh ip route ospf
O E2 5.1.1.1 [110/20] via 172.34.34.3, 00:33:21, Ethernet0
6.0.0.0/32 is subnetted, 1 subnets
If we want the cost of the routes to reflect the entire path, not just the path between the ASBR and the destination network, the routes must be redistributed into OSPF as E1 routes on the ASBR, as shown here.
R1(config)#router ospf 1
R1(config-router)#redistribute rip subnets metric-type 1
Now on R4, the routes appear as E1 routes and have a larger metric, since the entire path cost is now reflected in the routing table.
O E1 5.1.1.1 [110/94] via 172.34.34.3, 00:33:21, Ethernet0
6.0.0.0/32 is subnetted, 1 subnets
Personal Note: If it is E1 and E2 then it does not matter what the metrics are. It does not matter whether the metric for the E1 route is better or worse than the E2 metric. OSPF compares the route type E1 or E2 and makes a choice. OSPF only compares metric when both advertisements are of the same route type.
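The following Python sketch is an added example, not part of the original notes: it models how the routing-table metric is built for E1 and E2 routes and how OSPF chooses between candidates for the same prefix. The internal cost of 74 is inferred from the two outputs above (94 - 20), the router IDs and the second ASBR are constructed, and the E2 tie-break on cost to the ASBR goes beyond the note above (it follows RFC 2328).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ExternalRoute:
    prefix: str
    asbr: str              # router ID of the ASBR that originated the Type 5 LSA
    metric_type: int       # 1 = E1, 2 = E2 (E2 is the redistribution default)
    external_metric: int   # cost set at redistribution on the ASBR
    cost_to_asbr: int      # this router's internal OSPF cost to reach the ASBR

    @property
    def table_metric(self) -> int:
        """Metric as it appears in the routing table, e.g. [110/<metric>]."""
        if self.metric_type == 1:
            return self.external_metric + self.cost_to_asbr  # whole path
        return self.external_metric          # ASBR-to-destination part only

def preference_key(route: ExternalRoute):
    """Lower tuple wins. Route type is compared before any metric."""
    if route.metric_type == 1:
        return (1, route.table_metric, 0)
    # E2: equal external metrics are tie-broken on the cost to the ASBR.
    return (2, route.external_metric, route.cost_to_asbr)

def best_external(routes):
    """Pick the route OSPF installs among externals for the same prefix."""
    return min(routes, key=preference_key)

# Constructed sample data. cost_to_asbr=74 is inferred from the outputs
# above (94 - 20); router IDs and the second ASBR (9.9.9.9) are hypothetical.
E2_VIA_R1 = ExternalRoute("5.1.1.1/32", "1.1.1.1", 2, 20, 74)
E1_VIA_R1 = ExternalRoute("5.1.1.1/32", "1.1.1.1", 1, 20, 74)
E2_VIA_NEAR_ASBR = ExternalRoute("5.1.1.1/32", "9.9.9.9", 2, 20, 10)

if __name__ == "__main__":
    for r in (E2_VIA_R1, E1_VIA_R1):
        print(f"O E{r.metric_type} {r.prefix} [110/{r.table_metric}]")
    print("E1 vs E2     ->", best_external([E2_VIA_R1, E1_VIA_R1]))
    print("E2 vs E2 tie ->", best_external([E2_VIA_R1, E2_VIA_NEAR_ASBR]))
```

Because an E2 metric never grows with distance, a redistribution point with a low external metric wins everywhere in the domain among E2 candidates, which is worth checking when auditing where redistribution is configured.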
-----------------------------------------------------------------------
 
Which OSPF LSA type does an ASBR use to originate a default route into an area? (Exhibit)

Explanation:
Type 5 external link LSAs are used to advertise external routes originated from an ASBR. They are flooded through the whole OSPF domain.

(Note: The dashed arrows show the directions of LSAs in this example)
Below is a summary of OSPF Link-state advertisements (LSAs)
Router link LSA (Type 1) Each router generates a Type 1 LSA that lists its neighbors and the cost to each. LSA Type 1 is only flooded inside the router's area and does not cross the ABR.
Network link LSA (Type 2) is sent out by the designated router (DR) and lists all the routers on the segment it is adjacent to. Type 2 LSAs are flooded within their area only and do not cross the ABR.
Type 1 & type 2 are the basis of SPF path selection.
Summary link LSA (Type 3) ABRs generate this LSA to send between areas (so type 3 is called inter-area link). It lists the networks inside other areas but still belonging to the autonomous system and aggregates routes.
Summary links are injected by the ABR from the backbone into other areas and from other areas into the backbone.
Summary LSA (Type 4) Generated by the ABR to describe routes to ASBRs. In the above example, the only ASBR belongs to area 0 so the two ABRs send LSA Type 4 to area 1 & area 2 (not vice versa).
This is an indication of the existence of the ASBR in area 0. Note: Type 4 LSAs contain the router ID of the ASBR.
External Link LSA (LSA 5) Generated by ASBR to describe routes redistributed into the area (which means networks from other autonomous systems). These routes appear as E1 or E2 in the routing table.
E2 (default) uses a static cost throughout the OSPF domain as it only takes the cost into account that is reported at redistribution. E1 uses a cumulative cost of the cost reported into the OSPF domain at redistribution plus the local cost to the ASBR. Type 5 LSAs flood throughout the entire autonomous system but notice that Stubby Area and Totally Stubby Area do not accept Type 5.
Multicast LSA (Type 6) are specialized LSAs that are used in multicast OSPF applications.
NSSA External LSA (Type 7) Generated by an ASBR inside a NSSA to describe routes redistributed into the NSSA. LSA 7 is translated into LSA 5 as it leaves the NSSA.
These routes appear as N1 or N2 in the IP routing table inside the NSSA. Much like LSA 5, N2 is a static cost while N1 is a cumulative cost that includes the cost up to the ASBR.
Reference: http://www.cisco.com/en/US/tech/tk365/technologies_white_paper09186a0080094e9e.shtml#appa1
-----------------------------------------------------------------------
OSPF Flooding Reduction VS Demand Circuit
* The "OSPF Flooding Reduction" and the "demand circuit" work by reducing unnecessary refreshing and flooding of already known and unchanged information with a difference:
* In OSPF demand circuit, hellos and the flooding of the LSAs are suppressed, whereas in flood reduction only the flooding of the LSAs is suppressed and NOT the hellos.
-----------------------------------------------------------------------
OSPF LSA Throttling

Without this feature, LSAs could not be propagated in milliseconds, so the OSPF network could not achieve millisecond convergence. The OSPF LSA Throttling feature is enabled by default and allows faster OSPF convergence (in milliseconds). This feature can be customized.
example:
Router(config-router)# timers throttle lsa all 100 (start-interval) 10000 (hold-interval) 45000 (max-interval)

OSPF pacing flood

In rare situations, you might need to change Open Shortest Path First (OSPF) packet-pacing default timers to mitigate CPU or buffer utilization issues associated with flooding very large numbers of link-state advertisements (LSAs). The OSPF Update Packet-Pacing Configurable Timers feature allows you to configure the rate at which OSPF LSA flood pacing, retransmission pacing, and group pacing updates occur.
example:
router ospf 1
timers pacing flood 70
timers pacing retransmission 80
Note: The default settings for OSPF packet pacing timers are suitable for the majority of OSPF deployments. You should change the default timers only as a last resort.
-----------------------------------------------------------------------
Configure R2 so it provides the following output (name 'R1' instead of 1.1.1.1):
R2 Configuration:

!

ip host R1 1.1.1.1

ip ospf name-lookup
-----------------------------------------------------------------------
Remove discard route

When OSPF summarizes prefixes (area range or summary-address) it installs a discard route in the routing table (pointing to NULL0). This is a loop prevention mechanism that prevents a router from sending the traffic to a network/subnet with a shorter match if no more specific route exists in the routing table.

Command is "no discard-route internal/external"

-----------------------------------------------------------------------
Virtual Link using GRE Tunnel

Create GRE Tunnel and advertise Tunnel Interface IP Address in AREA 0.
# int tunnel 12
# ip add 200.1.1.1 255.255.255.0
# tunnel source 1.1.1.1  <-- physical interface ip address
# tunnel destination 1.1.1.2  <-- direct connected link to neighbor
# router ospf 1
# network 200.1.1.1 0.0.0.0 area 0

-----------------------------------------------------------------------
Filtering OSPF

To filter OSPF routes, these methods can be used under the router command:
- distribute-list .. in/out
- area x filter-list ..
- distance 255 (source ip <-- advertise router ip) ..
- area x range .. not-advertise
- summary-address .. not-advertise
* "distribute-list out" can be used on an ASBR when it needs to filter external routes to all areas.

- to filter ospf lsa flooding, configure under interface "ip ospf database-filter all out"
- to filter ospf lsa flooding to its neighbor, configure under router "neighbor xx database-filter all out"


-----------------------------------------------------------------------
OSPF Broadcast/Non-Broadcast
With the OSPF NON_BROADCAST/BROADCAST network types, the next hop IP address is the IP address of the router that originated the route and NOT the router that advertised it.
This problem can be resolved by configuring the "frame-relay map" commands, or by changing the OSPF network type to "point-to-multipoint".
-----------------------------------------------------------------------
OSPF Point-to-Point
With the OSPF Point-to-Point network type, the next hop IP address is no longer the router that originated the route; it is the router that advertised the route.
-----------------------------------------------------------------------
OSPF Sham Link
A sham link is an OSPF intra-area link configured between the two PE routers. The sham link is included in the SPF calculation, just like any link in OSPF.
1. Create a loopback interface and assign an IP address with a prefix-length of 32.
2. Enable VRF forwarding on the loopback interface.
3. Advertise the /32 ip address of the loopback interface in BGP; under address-family ipv4 vrf …
4. Configure Sham link under OSPF; under router vrf
# router ospf 2 vrf CA
# area 0 sham-link 34.1.1.3(local) 34.1.1.4(remote) cost 1
5. If required, manipulate the OSPF cost on the CE so that the routers take the provider as their primary link and the backup link is used ONLY if the primary link is down.
*personal note: Manipulating OSPF cost will NOT change the routing table, b/c INTRA-area routes are always preferred over INTER-area routes.

-----------------------------------------------------------------------
OSPF Domain-ID
When a link between two LSRs goes down, the two LSRs that share the link will tear down their LDP session. When the "MPLS LDP Session Protection" global config command is configured, a targeted LDP session is built between the routers. The targeted LDP session remains up as long as a redundant link exists between the two LSRs.

Under normal OSPF design rules, the process-id of an OSPF router does not need to match any other peer's process-id. However, with MPLS, the routers use the OSPF process as a portion of the domain-id. Routers that do not share the same domain-id are considered type 5 or external to OSPF. If the domain-ids match, the routers are considered type 3 LSA.
-change process-id to match on both sides
OR
-configure a domain-id that matches on both routers
R3
# router ospf 3 vrf CA
# Domain-id 0.0.0.1
R4
# router ospf 4 vrf CA
# Domain-id 0.0.0.1
-----------------------------------------------------------------------
OSPF Summarization 
OSPF summarization can be configured on two types of routers: ABR / ASBR
Internal OSPF route can only be summarized on ABR.
"area xx range ..." command must be used for internal ospf summarization.

External (redistribute) routes can be summarized on the router that originates the external routes.
"summary-address ..." command can be used for external route summarization.
-----------------------------------------------------------------------
OSPF  Route Filtering (Ref link: http://cisqueros.blogspot.sg/2013/05/ospf-route-filtering.html)

First determine which type of LSA you need to filter by checking which part of the database the route is in:

#show ip ospf database [router | network | summary | internal | external]

There are 5 ways to perform OSPF Route Filtering:

1. DISTRIBUTE LIST - Filters all LSAs from the Routing Table, but they stay in the OSPF Database
!!!distribute-list OUT works on both, routing table and OSPF database, but ONLY on ASBR for LSA5 and 7!!!
2. FILTER LIST - Filters only LSA3, so - only on ABR, but filters from OSPF Database.
filter-list can be applied: IN - into the area, OUT - out of the area
3. NOT-ADVERTISE - ONLY filter LSA Types 1 and 2, apply on ABR (filters both, routing table and OSPF Database)
Can be used with both, "area X range" (ABR) and "summary-address" (ASBR) commands
4. DISTANCE - Set the AD of the advertised routes to 255, so that they are UNREACHABLE
(config-router)#distance 255 3.3.3.3 0.0.0.0 10 <- 10 is an ACL
5. DATABASE-FILTER - If you want to prevent ANY LSAs from being advertised (can be applied per neighbor or on INT):
(config-subif)#ip ospf database-filter all out <- per interface
(config-router)#neighbor x.x.x.x database-filter all out <- per neighbor

!!!DISTRIBUTE-LIST only affects the local router!!! Meaning - the Update will still be distributed to the other routers; the subnets will only be filtered out of the local IP ROUTING TABLE

Filter using Distribute List

The easiest way to filter the OSPF routes from being added to the Routing Table is the distribute-list. The advantage is that it's rather easy to implement, and it can filter any type of LSA:

Cisqueros_R2(config-router)#distribute-list prefix MY_PREFIX_LIST in <--- OUT would only work on ASBR to filter LSA5 & LSA7

The big CON is that even though the Route is not added to the Routing Table - it will stay in the database, and it will be further propagated to the other OSPF Neighbors.
The route will therefore appear in the Routing Table, but it will not be reachable, as one of the routers along the path does not have it in its Routing Table.

*If you need to reach the route without passing through the router that cannot reach it - define the route-map with the next hop pointing towards an alternative path, and apply it in the Global Configuration mode:

(config)#ip local policy route-map ROUTE_MAP

OSPF filter-list - LSA-3 FILTERING

This ONLY works for LSA-3 (Summary), and therefore needs to be configured on the ABR only. Let's say that we want to filter the network 172.25.185.0/24 from Area 2. Then on the ABR we define the prefix list that DENIES that network, and ALLOWS everything else:

(config)#ip prefix-list JEDANES seq 10 deny 172.25.185.0/24
(config)#ip prefix-list JEDANES seq 20 permit 0.0.0.0/0 le 32

Then apply the prefix-list as a filter-list within the OSPF process configuration for Area 2:

(config-router)#area 2 filter-list prefix JEDANES in

This will prevent the network from being advertised into Area 2. Note that IN/OUT means that the network is being advertised into or out of Area 2.
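The Python sketch below is an added example, not code from the original post: it evaluates the JEDANES prefix-list against a set of Type 3 summary prefixes using IOS prefix-list matching rules (sequence order, exact length unless ge/le is given, implicit deny at the end). The sample prefixes and the JEDANES_COVERING variant are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

class Entry(NamedTuple):
    seq: int
    action: str                 # "permit" or "deny"
    prefix: str
    ge: Optional[int] = None
    le: Optional[int] = None

def entry_matches(entry: Entry, route: str) -> bool:
    net = ipaddress.ip_network(entry.prefix)
    cand = ipaddress.ip_network(route)
    if not cand.subnet_of(net):          # leading bits must match the entry
        return False
    if entry.ge is None and entry.le is None:
        lo = hi = net.prefixlen          # no ge/le: exact length only
    else:
        lo = entry.ge if entry.ge is not None else net.prefixlen
        hi = entry.le if entry.le is not None else 32
    return lo <= cand.prefixlen <= hi

def evaluate(prefix_list, route: str) -> str:
    """First matching entry in sequence order decides; otherwise deny."""
    for entry in sorted(prefix_list, key=lambda e: e.seq):
        if entry_matches(entry, route):
            return entry.action
    return "deny"                        # implicit deny at the end of the list

def filter_type3(prefix_list, summaries):
    """Prefixes the ABR would still advertise after the filter-list."""
    return [s for s in summaries if evaluate(prefix_list, s) == "permit"]

# The prefix-list from the text above.
JEDANES = [
    Entry(10, "deny", "172.25.185.0/24"),
    Entry(20, "permit", "0.0.0.0/0", le=32),
]
# Hypothetical variant: "le 32" on the deny also covers longer subnets.
JEDANES_COVERING = [
    Entry(10, "deny", "172.25.185.0/24", le=32),
    Entry(20, "permit", "0.0.0.0/0", le=32),
]
# Constructed Type 3 prefixes offered to Area 2.
SAMPLE_SUMMARIES = ["172.25.185.0/24", "172.25.185.128/25",
                    "172.25.182.0/24", "10.0.0.0/8"]

if __name__ == "__main__":
    print("JEDANES          ->", filter_type3(JEDANES, SAMPLE_SUMMARIES))
    print("JEDANES_COVERING ->", filter_type3(JEDANES_COVERING, SAMPLE_SUMMARIES))
```

The deny at seq 10 matches only the exact /24, so a longer subnet such as 172.25.185.128/25 still passes via seq 20; without the final permit entry every prefix would be dropped by the implicit deny.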

OSPF "not-advertise" LSA1 & LSA2 FILTERING

If you need to filter LSAs 1 and 2, you can use the "not-advertise" command, but also ONLY ON ABR!

(config-router)#area 1 range 172.25.182.0 255.255.255.0 not-advertise

Tune the ADMINISTRATIVE DISTANCE to Filter the Prefix

Another way to filter the OSPF networks is manually setting the distance to 255, which is UNREACHABLE. It's not the most elegant way, but you should know that it's also an option.

Cisqueros_R4(config-router)#distance 255 3.3.3.3 255.255.255.0 10 <--- 10 is an access-list with the prefixes we want to filter

Filter EXTERNAL OSPF Routes: LSA5 & LSA7

The first way to filter these routes was already mentioned above:

Cisqueros_R2(config-router)#distribute-list prefix MY_PREFIX_LIST OUT

The second way is reserved ONLY for the External Routes, and it's the "not-advertise" keyword applied to the "summary-address" command:

(config-router)#summary-address 172.29.189.0 255.255.255.0 not-advertise <--- must be applied on ASBR

Filter OSPF per Interface

If you wish to prevent LSAs from being sent via a particular Interface:

(config-if)#ip ospf database-filter all out

*ALL and OUT are the only options, which means you cannot apply a specific filter on the OSPF interface

Filter OSPF per NEIGHBOR

Even though OSPF doesn't require that we manually configure the Neighbors, we do need to use the "neighbor" command in order to configure the OSPF database filtering:

(config-router)#neighbor 5.5.5.5 database-filter all out

*Network MUST be configured as POINT-TO-POINT (on the Interface Configuration)

-----------------------------------------------------------------------
