Showing posts with label OSPF. Show all posts
Showing posts with label OSPF. Show all posts

Thursday, February 6, 2014

NTS: L3VPN Redistribution

L3VPN Redistribution



Configuration Steps

  • Configure the VRFs
  • Configure the RDs
  • Configure the import/export RTs
  • Assign the PE=>CE interfaces to VRFs
  • Configure IGP/BGP between PE-CE
  • Configure MP-BGP between PEs
  • Mutually redistribute between MP-BGP and the PE-CE IGP


BGP<=>RIP

RIP=>BGP
RIP metric => BGP MED (auto)

RIP=>BGP=>RIP
RIP metric => BGP MED => RIP metric (auto)

OTHER=>BGP=>RIP
BGP X => RIP metric (manual)

If "auto" doesn't work (for whatever reason), you can trying clearing the vrf routing table on the PE or you can use the following to set manually the RIP metric:
  • redistribute bgp 100 metric transparent
  • redistribute bgp 100 metric X
  • redistribute bgp 100 route-map X
Clearing of vrf routing table might be needed every time a new prefix is redistributed.

If version 2 is to be used, then it must be defined under the ipv4 vrf address-family on the PE.

RIP metric = hops (0-16)

Configuration

IOS
router rip
 address-family ipv4 vrf VPN
  redistribute bgp 200
!
router bgp 100
 address-family ipv4 vrf VPN
  redistribute rip


IOS-XR
router rip
 vrf VPN
  redistribute bgp 200
!
router bgp 200
 vrf VPN
  address-family ipv4 unicast
   redistribute rip



BGP<=>EIGRP

EIGRP=>BGP
EIGRP composite metric => BGP MED (auto)
EIGRP vector metrics => BGP Extended Cost Community (auto)

EIGRP=>BGP=>EIGRP
EIGRP composite metric => BGP MED => EIGRP composite metric (auto)
EIGRP vector metrics => BGP Extended Cost Community => EIGRP vector metrics (auto)
original internal EIGRP routes appear as internal EIGRP routes when redistributed
original external EIGRP routes appear as external EIGRP routes when redistributed

OTHER=>BGP=>EIGRP
BGP X => EIGRP metrics (manual)
original routes appear as external EIGRP routes when redistributed

If "auto" doesn't work (for whatever reason), you can trying clearing the vrf routing table on the PE or you can use the following to set manually the EIGRP metrics:
  • redistribute bgp 100 metric K1 K2 K3 K4 K5
  • redistribute bgp 100 route-map X
  • redistribute bgp 100 route-policy X
  • redistribute bgp 100 & default-metric K1 K2 K3 K4 K5
Clearing of vrf routing table might be needed every time a new prefix is redistributed.

EIGRP vector metrics = K1 K2 K3 K4 K5 (i.e. 1000 10 255 1 1500)

Configuration 

IOS
router eigrp 100
 address-family ipv4 vrf VPN autonomous-system 1
  redistribute bgp 200
 exit-address-family
!
router bgp 200
 address-family ipv4 vrf VPN
  redistribute eigrp 1


IOS-XR
router eigrp 100
 vrf VPN
  address-family ipv4
   autonomous-system 1
   redistribute bgp 200
!
router bgp 200
 vrf VPN
  address-family ipv4 unicast
   redistribute eigrp 1


Redistribution of EIGRP into the BGP vrf requires the EIGRP autonomous-system number to be redistributed. Some software releases may accept the global EIGRP process too.

You can use the SoO extended community to prevent any possible loops.


BGP<=>ISIS

ISIS=>BGP
ISIS metric => BGP MED (auto)

ISIS=>BGP=>ISIS
ISIS metric => BGP MED => ISIS metric (auto)

OTHER=>BGP=>ISIS
BGP X => ISIS metric (manual)

You can use the following to set manually the ISIS metric:
  • redistribute bgp 100 metric X
  • redistribute bgp 100 route-map X
Clearing of vrf routing table might be needed every time a new prefix is redistributed.

ISIS metric = hops (10)

Configuration

IOS
router isis 100
 address-family ipv4 vrf VPN
  redistribute bgp 200
!
router bgp 200
 address-family ipv4 vrf VPN
  redistribute isis 100


IOS-XR
router isis 100
 vrf VPN
  redistribute bgp 200
!
router bgp 200
 vrf VPN
  address-family ipv4 unicast
   redistribute isis 100

Redistribution doesn't take into account the IS-IS connected routes. You have to explicitly define them.

In order to void a possible loop while doing redistribution (when L1 is involved), you can change the distance of the ISIS advertised routes (excluding connected) on the PE to be higher than BGP's.

IOS
router isis 100
 vrf VPN
 distance 201 0.0.0.0 255.255.255.255 ISIS-NOT-CONNECTED-ACL



BGP<=>OSPF

OSPF=>BGP
OSPF metric => BGP MED + 1 (auto)
OSPF Area/LSA => BGP extended community "OSPF RT" (auto)

OSPF=>BGP=>OSPF
OSPF metric => BGP MED + 1 => OSPF metric (auto)
  • original intra-area routes appear as inter-area routes when redistributed (if same OSPF Domain-ID)
  • original intra-area routes appear as external-2 routes when redistributed (if different OSPF Domain-ID)
  • type-4 LSAs are not redistributed into BGP
  • original external routes appear as external-2 routes when redistributed (requires "match external" in redistribution from OSPF to BGP)

OTHER=>BGP=>OSPF
BGP X => OSPF metric (manual)

You can always use the following to manually set the OSPF metric:
  • redistribute bgp 200 metric X
  • redistribute bgp 200 route-map X
Clearing of vrf routing table might be needed every time a new prefix is redistributed.

OSPF metric = interface cost (0-65535)


"OSPF RT" Extended Community

"OSPF RT" format is "Area:LSA-Type:External-Type"

LSA Type to OSPF RT conversion
  • Type-1/2 => RT 2
  • Type-3 => RT 3
  • Type-5 => RT 5
  • Type-7 => RT 7
  • Sham-links => RT 129
Examples
  • OSPF RT:0.0.0.0:2:0
    • area 0.0.0.0
    • LSA-Type 1/2
  • OSPF RT:0.0.0.0:5:0
    • LSA-Type 5
    • External 1
  • OSPF RT:0.0.0.0:5:1
    • LSA-Type 5
    • External 2


Configuration

IOS
router ospf 100 vrf VPN
 redistribute bgp 200 subnets
!
router bgp 200
 address-family ipv4 vrf VPN
  redistribute ospf 100 vrf VPN

IOS-XR
router ospf 100
 vrf VPN
  redistribute bgp 200
!
router bgp 200
 vrf VPN
  address-family ipv4 unicast
   redistribute ospf 100


In IOS, if you don't include the vrf name in the redistribution of OSPF into BGP, it gets automatically added to the configuration.


The DN Bit and the VPN Route Tag

For a PE it is necessary to know if a particular prefix has been learned from another PE router, in order to avoid re-advertisement of it into BGP and cause a loop.

Two mechanisms are mainly used for loop prevention when OSPF is used as PE-CE protocol.
  • the DN bit
  • the VPN Route (or OSPF Domain) tag
By default, when a type 3, 5, 7 LSA is sent from a PE to a CE, the DN bit is set by the PE.

 When another PE receives from a CE router, a type 3, 5, 7 LSA with the DN bit set, the prefix information from that LSA is not used during the OSPF route calculation, which means that the prefix doesn't get installed into the PE's BGP table.

Almost all Cisco software releases support the setting of DN bit only for Type-3 LSAs and they use a 32-bit VPN Route tag for Type-5/7 LSAs. The configuration and inclusion of the VPN Route Tag is required by all implementations for backward compatibility with older implementations that do not set the DN bit in type 5/7 LSAs.

If a PE router receives an LSA that contains the same VPN Route Tag as the locally configured tag, then the local PE router knows that another PE router (from the same domain)  generated this route and the LSA is ignored.

  • 16bit ASNs
    • VPN Route tag Format: 1101 000000000000 ASN_of_VPN_Backbone
  • 32bit ASNs
    • VPN Route tag must be defined manually

You can change this default value by using the "domain-tag" command within the OSPF VRF process configuration.

IOS
router ospf 100 vrf VPN
 domain-tag 12345
 
IOS-XR
router ospf 100
 vrf TEST
  domain-tag 12345


In case of Multi-VRF (VRF-Lite), the router that is accepting the LSA with the DN bit is actually a CE router with no BGP VPNv4 functionality, so there is no danger of redistributing this prefix into BGP. In order to bypass this DN bit check, the following configuration can be enabled.

IOS
router ospf 100 vrf VPN
 capability vrf-lite

IOS-XR
router ospf 100
 vrf VPN
  disable-dn-bit-check


Verification

IOS
R1#sh ip ospf 100 database summary 10.7.7.7

            OSPF Router with ID (10.1.3.1) (Process ID 100)

                Summary Net Link States (Area 0)

  Routing Bit Set on this LSA in topology Base with MTID 0
  LS age: 1196
  Options: (No TOS-capability, DC, Downward)
  LS Type: Summary Links(Network)
  Link State ID: 10.7.7.7 (summary Network Number)
  Advertising Router: 10.1.2.2
  LS Seq Number: 80000005
  Checksum: 0x2761
  Length: 28
  Network Mask: /32
        MTID: 0         Metric: 2


R1#sh ip ospf 100 database external 7.7.7.7

            OSPF Router with ID (10.1.3.1) (Process ID 100)

                Type-5 AS External Link States

  Routing Bit Set on this LSA in topology Base with MTID 0
  LS age: 1302
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: 7.7.7.7 (External Network Number )
  Advertising Router: 10.1.2.2
  LS Seq Number: 80000004
  Checksum: 0x6DCF
  Length: 36
  Network Mask: /32
        Metric Type: 2 (Larger than any link state path)
        MTID: 0
        Metric: 20
        Forward Address: 0.0.0.0
        External Route Tag: 3489661028


Links


OSPF Domain-ID

OSPF Domain-ID is an attribute that defines how (internal, external) the OSPF routes will be transferred from one CE to another CE over their PEs BGP VPNv4 session.

On a PE, if the OSPF Domain-ID of the received BGP prefixes (encoded as extended community) is the same as the OSPF Domain-ID of the local OSPF process, then:
  • the MPLS core is treated like a SuperBackbone area (which is considered higher than area 0)
  • the PE is treated like an ABR (instead of an ASBR)
  • internal routes are being redistributed as Type-3 LSAs (instead of Type-5)

IOS-XR uses a null Domain-ID by default, so this needs to be changed if the other PE is running IOS (which is encoding the OSPF process-id as domain-id). OSPF Domain-ID needs to be changed on the PEs (where redistribution between BGP and OSPF takes place), not on the CEs.

The "type" value can be different is some cases for backwards compatibility (like in 0005 vs 8005).

Detailed Steps
OSPF=>BGP redistribution on PE1
  • if the OSPF Domain tag of the local OSPF process is the same as the VPN Route tag of the prefix, then that route isn't installed into BGP
  • if the OSPF DN bit check is enabled in the local OSPF process and the OSPF route has this bit set, then that route isn't installed into BGP
  • if the route is installed into BGP
    • the Domain-ID of the local OSPF process is encoded into OSPF DOMAIN ID community on the prefix
    • the area and the LSA type of the OSPF prefix is encoded into OSPF RT community on the prefix
    • the Router-ID of the local OSPF process is encoded into OSPF ROUTER ID community on the prefix
BGP=>OSPF redistribution on PE2
  • if the Domain-ID of the local OSPF process is the same as the OSPF DOMAIN ID community of the prefix, then that route is passed to the CE as internal else as external

Configuration

IOS
router ospf 100 vrf VPN
 domain-id type 0005 value 000000440101

IOS-XR
router ospf 100
 vrf VPN
  domain-id type 0005 value 000000440101


Verification

You can use "sh ip ospf" to see the Domain-ID of the local OSPF process.

You can use "sh bgp vpn4 unicast" to see the Domain-ID encoded as extended community in the BGP prefixes (OSPF RT is included too).

R2#sh ip ospf 100
 Routing Process "ospf 100" with ID 10.1.2.2
   Domain ID type 0x0005, value 0x000000440101
 Start time: 00:13:37.092, Time elapsed: 00:36:17.144
 Supports only single TOS(TOS0) routes
 Supports opaque LSA
 Supports Link-local Signaling (LLS)
 Supports area transit capability
 Connected to MPLS VPN Superbackbone, VRF VPN
 Event-log disabled
 It is an area border and autonomous system boundary router
 Redistributing External Routes from,
    bgp 100, includes subnets in redistribution

R2#sh bgp vpnv4 unicast vrf VPN 1.1.1.1/32
BGP routing table entry for 100:1:1.1.1.1/32, version 2
Paths: (1 available, best #1, table VPN)
  Advertised to update-groups:
     1
  Local
    10.1.2.1 from 0.0.0.0 (2.2.2.2)
      Origin incomplete, metric 2, localpref 100, weight 32768, valid, sourced, best
      Extended Community: RT:100:1 OSPF DOMAIN ID:0x0005:0x000000440101
        OSPF RT:0.0.0.0:3:0 OSPF ROUTER ID:10.1.2.2:0
      mpls labels in/out 28/nolabel


R2#sh ip ospf 100 database

            OSPF Router with ID (10.1.2.2) (Process ID 100)
...
                Summary Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
1.1.1.1         10.1.1.1        980         0x80000002 0x00F336
...


 LSA Type-3 (Summary) in local OSPF table is encoded as "OSPF RT:0.0.0.0:3:0" in local BGP table.


Propagation of OSPF routes between CE1 and CE2
  • same domain-id
    • CE1 O => CE2 IA
  • different domain-id
    • CE1 O => CE2 E2
  • sham-link (regardless of domain-id)
    • CE1 O => CE2 O

Extra care needs to be taken if route tags are changed manually on OSPF=>BGP redistribution, because external OSPF routes are tagged by the BGP ASN when BGP=>OSPF redistribution takes place, which means that the original tag is lost (which could lead to a loop)

IOS
R6#sh ip route 1.1.1.1
Routing entry for 1.1.1.1/32
  Known via "ospf 100", distance 110, metric 2
  Tag Complete, Path Length == 1, AS 100, , type extern 2, forward metric 1
  Last update from 10.10.10.5 on POS4/0, 00:00:03 ago
  Routing Descriptor Blocks:
  * 10.10.10.5, from 10.10.10.5, 00:00:03 ago, via POS4/0
      Route metric is 2, traffic share count is 1
      Route tag 3489661028



If a BGP VPNv4 route is redistributed into OSPF, then redistributed into another IGP like RIP (where all the information (DN bit, VPN Route-Tag) needed to prevent looping is lost), and then redistributed back into OSPF, then it is possible that it could be redistributed back into BGP as a VPNv4 route, thereby causing a loop.

You can use route tags at every step of redistribution in order to avoid possible routing loops, either caused by the above scenario or by mutual redistribution in two places.


Posted by at No comments:
Labels: , , , , , , , , ,

NTS: BFD

BFD



BFD (Bidirectional Forwarding Detection) is defined in RFC 5880.
BFD for one-hop IPv4/IPv6 is defined in RFC 5881.
BFD for multi-hop is defined in RFC 5883.
BFD for MPLS LSPs is defined in RFC 5884.


Common BFD applications
  • Control plane liveliness detection
  • Tunnel endpoint liveliness detection
  • Trigger mechanism for IP/MPLS FRR
  • MPLS date plane failure detection

BFD advantages
  • failure detection in sub-sec
  • generic/consistent failure detection mechanism for all protocols
  • less CPU intensive if distributed to the data plane 


BFD modes
  • Asynchronous mode
    • continuous and periodic BFD packets
  • Demand mode
    • BFD packets only after a demand

BFD echo (where a stream of echo packets is sent and received) is the most common function for both modes.

Cisco supports the asynchronous mode and the echo function by default.

BFD payload control packets are encapsulated in UDP packets
  • destination port 3784
  • source port 49152

Echo packets are also encapsulated in UDP packets
  • destination port 3785
  • source port 3785
BFD control packets are always sent as unicast packets to the BFD peer.

The encapsulation of BFD Control packets for multihop application in IPv4 and IPv6 is identical to that above, except that the UDP destination port is 4784.

Each system reports in the BFD Control packet how rapidly it would like to transmit BFD packets, as well as how rapidly it is prepared to receive them.  This allows either system to determine the max packet rate (minimum interval) in both directions.

To establish a BFD neighbor in IOS-XR, BFD must either be configured under an IGP or as a static route.


BFD Configuration

BFD can be configured
  • under an interface for a specific protocol (IOS)
  • under the protocol process for a specific interface (IOS-XR)
  • under the protocol process for all interfaces (IOS)
  • under the protocol process for all neighbors (IOS-XR)
  • under the protocol process for a specific neighbor (IOS,IOS-XR)

In all cases, BFD timers (interval, min_rx, multiplier) must be defined under the relevant interfaces too. BFD and BGP in IOS-XR is the exception, as show below.

If you are using BFD with uRPF on a particular interface, then you need to use the "echo disable" command to disable the echo mode on that interface, otherwise echo packets are rejected. You can disable echo mode for the entire router, or for an individual interface.

BFD can be combined with "carrier-delay 0" for quicker protocol reaction.

In IOS-XR, "bfd fast-detect" is required in order to start the BFD process.

BFD might cause crashes and malfunctions when enabled on GNS3 emulated routers.

Instead of running BFD at the link-level, you can also run BFD at the LSP level (aka across the LSP), something that offers faster detection in case of path protection.


BFD & BGP

IOS
interface X
 bfd interval 300 min_rx 300 multiplier 3
!
router bgp 100
 neighbor 2.2.2.2 fall-over bfd

IOS-XR
router bgp 100
 neighbor 2.2.2.2
  bfd fast-detect
  bfd multiplier 3
  bfd minimum-interval 300


In IOS-XR, BFD parameters (multiplier, min-interval) can be configured for all BGP neighbors (under the BGP process) or for a specific BGP neighbor. BFD activation is always per neighbor.

It is generally not recommended to use BFD for iBGP, when the underlying IGP is already doing so.


BFD & ISIS


IOS
interface X
 bfd interval 150 min_rx 150 multiplier 3
 isis bfd

or

IOS
router isis 1
 bfd all-interfaces
!
interface X
 bfd disable


IOS-XR
router isis 1
 interface X
  bfd minimum-interval 150
  bfd multiplier 3
  bfd fast-detect ipv4



BFD & OSPF


IOS
interface X
 bfd interval 150 min_rx 150 multiplier 3
 ip ospf bfd

or

IOS
router ospf 1
 bfd all-interfaces
!
interface X
 bfd disable


IOS-XR
router ospf 1
 area 0
 interface X
  bfd minimum-interval 150
  bfd multiplier 3
  bfd fast-detect ipv4


BFD parameters can also be configured directly under the ospf process.

BFD establishes sessions from a neighbor to a DR or BDR, only when the neighbor state is full.

BFD does not establish sessions between DR-Other neighbors (for example, when their OSPF states are both 2-way)


BFD & RSVP-TE/FRR


IOS
ip rsvp signalling hello bfd
!
interface X
 bfd interval 300 min_rx 300 multiplier 3
 ip rsvp signalling hello bfd


IOS-XR
mpls traffic-eng
 interface TenGigE0/0/0/0
  bfd fast-detect
 !
 bfd minimum-interval 150
 bfd multiplier 3


IOS relates the BFD configuration to RSVP configuration, while IOS-XR relates it to MPLS TE configuration.

IOS
R3#sh bfd neighbors detail

NeighAddr                         LD/RD    RH/RS     State     Int
12.3.4.4                           1/1     Up        Up        Fa0/0.34
Session state is UP and using echo function with 300 ms interval.
OurAddr: 12.3.4.3      
Local Diag: 0, Demand mode: 0, Poll bit: 0
MinTxInt: 1000000, MinRxInt: 1000000, Multiplier: 3
Received MinRxInt: 1000000, Received Multiplier: 3
Holddown (hits): 0(0), Hello (hits): 1000(17)
Rx Count: 15, Rx Interval (ms) min/max/avg: 1/996/834 last: 312 ms ago
Tx Count: 18, Tx Interval (ms) min/max/avg: 1/1000/845 last: 344 ms ago
Elapsed time watermarks: 0 0 (last: 0)
Registered protocols: CEF TE/FRR
Uptime: 00:00:11
Last packet: Version: 1                  - Diagnostic: 0
             State bit: Up               - Demand bit: 0
             Poll bit: 0                 - Final bit: 0
             Multiplier: 3               - Length: 24
             My Discr.: 1                - Your Discr.: 1
             Min tx interval: 1000000    - Min rx interval: 1000000
             Min Echo interval: 300000 



BFD & IPv6

BFD for IPv6 (BFDv6) is not supported in IOS-XR < 4.1.

BFDv6 supports both global and link-local IPv6 addresses for neighbor session creation. BFDv6 sessions select automatically source addresses to match the neighbor address types. Each type of IPv6 address on the local router must be paired with the same type on the peer router.

You can have an IPv6 static route (2001:DB8::/64) pointing to a peer router associated with a BFD neighbor (2001::1). In order to remove this IPv6 static route from the RIB if the BFD neighbor goes down, you must associate the static route with the BFD neighbor

IOS
ipv6 route 2001:DB8::/64 Ethernet0/0 2001::1
ipv6 route static bfd Ethernet0/0 2001::1

In BFD associated mode (default), an IPv6 static route is automatically associated with an IPv6 BFD neighbor, if the static route next-hop matches exactly the static BFD neighbor. If you want to avoid this, you can configure the static route as "unassociated".




Posted by at No comments:
Labels: , , , , , , , ,

NTS: OSPFv2/OSPFv3

OSPFv2/OSPFv3



OSPFv2 (Open Shortest Path First v2) is defined in RFC 2328.
OSPFv3 is defined in RFC 5340.
OSPFv2 as PE/CE protocol is defined in RFC 4577.


OSPF is protocol 89.

Sends updates to multicast 224.0.0.5 (all OSPF routers) and 224.0.0.6 (all DR routers)


Adjacencies

Adjacency can be formed between different networks if "ip unnumbered" is used on both sides.

If multiple "network" commands are used, the most specific wins.

The following must match for adjacency to be successful:
  • area
  • hello/dead timers
  • mtu
  • network type
  • stub
  • authentication

DR election per network type
  • DR/BDR
    • broadcast (default on ethernet, multicast hellos)
    • non-broadcast (default on frame-relay, unicast hellos)
  • no DR/BDR
    • point-to-point (default on serial/pos, multicast hellos)
    • point-to-multipoint (multicast hellos)
    • point-to-multipoint non-broadcast (unicast hellos)

Use the "neighbor" command to send unicast hellos.

You can use the commands "ip ospf hello-interval" and "ip ospf dead-interval" in order to tune the convergence time. Fast hellos (1 sec) are also possible using the "minimal" keyword.


By default the loopback interface is advertised as a /32 (stub). Use network-type point-to-point under the loopback interface to advertise it with the original subnet mask.


Path Selection

  • "bandwidth" under the interface (not applicable to IOS-XR)
  • "ip ospf cost" under the interface
  • "auto-cost reference-bandwidth" under the ospf process
  • "neighbor x.x.x.x cost" under the ospf process


OSPF Route Preference

O - OSPF (intra-area)
IA - OSPF inter area
E1 - OSPF external type 1
E2 - OSPF external type 2
N1 - OSPF NSSA external type 1
N2 - OSPF NSSA external type 2
      
Distance and metric are evaluated as a second step, between routes of same type.


LSAs

LSA types carried in IPv6 Stub areas:
  • Router-LSAs
  • Network-LSAs
  • Inter-Area-Prefix-LSAs
  • Link-LSAs
  • Intra-Area-Prefix-LSAs

LSA types carried in IPv6 NSSA areas:
  • Router-LSAs
  • Network-LSAs
  • Inter-Area-Prefix-LSAs
  • Link-LSAs
  • Intra-Area-Prefix-LSAs
  • NSSA-LSAs

LSA types carried in IPv4 Stub areas:
  • Router-LSAs
  • Network-LSAs
  • Summary-LSAs

LSA types carried in IPv4 NSSA areas:
  • Router-LSAs
  • Network-LSAs
  • Summary-LSAs
  • NSSA-LSAs



NSSA

The NSSA ASBR redistributes routes into OSPF and originates the Type-7 LSAs.

Type-7 LSAs are only flooded within the originating NSSA area.

Type-7 LSAs have a propagate (P) bit that, when set, tells an NSSA ABR to translate a Type-7 LSA into a Type-5 LSA.

The NSSA ABR translates Type-7 LSAs into Type-5 LSAs and floods them into area 0.

If there are multiple NSSA ABRs, the router with the highest Router ID is elected as the translator.

The NSSA ASBR and the NSSA ABR can be the same router.

Preference between two Type-7 LSAs is determined by the following tie breaker rules:
  • An LSA with the P-bit set is preferred over one with the P-bit clear
  • If the P-bit settings are the same, the LSA with the higher router ID is preferred

Links


LSDB optimization

You can decrease the LSA DB size by doing one or more of the following:
  • configure interfaces as unnumbered
  • remove network LSAs (caused by DRs) by using point-to-point as network type on interfaces
  • remove transit prefixes by activating prefix-suppression 

Prefixes that will be removed by prefix-suppression can be found under "Link connected to: a Stub Network" in Router LSAs (loopbacks, secondary IPs and passive interfaces are excluded).


LSA flood-reduction

OSPF requires every LSA to be refreshed by default every 1800 seconds (30 mins) or else the LSA will expire when it reaches 3600 seconds (1 hour).

When flood-reduction is enabled on a router (towards a neighbor), then this router will flood its self-originated LSAs with the DoNotAge (DNA) bit set, so they do not have to be re-flooded every 30 mins. Of course any change in the contents of the LSA will cause the new LSA to be re-flooded (again with the DoNotAge bit set).

IOS
interface X
 ip ospf flood-reduction
 ipv6 ospf flood-reduction

IOS-XR
router ospf X
 flood-reduction enable
 area 0
  flood-reduction enable
  interface X
   flood-reduction enable


In IOS-XR, flood-reduction can be configured under the ospf process, under a specific area and under a specific interface.

Prefer to enable it on stable topologies.

The demand-circuit offers the same functionality plus the suppression of periodic hello packets.

Links


Route Filtering

  • distribute-list
    • in: filter the routes from entering the RIB
    • out: filter the redistributed routes (E1/E2) entering OSPF on an ASBR
  • stub area
    • stub (filter LSA-5)
    • totally stub (filter LSA-3/4/5)
    • nssa (filter LSA-5, allow LSA-7)
    • totally nssa (filter LSA-3/4/5, allow LSA-7)
  • LSA-3 prefix filter
    • "area x filter-list prefix x"


LSA Searching

Depending on what type of LSAs you're searching for, you can use the following commands to do so:

IOS
sh ip ospf database router | i Link State ID  
  Link State ID: x.x.x.x
 
sh ip ospf database network | i Link State ID
  Link State ID: x.x.x.x (address of Designated Router) 

sh ip ospf database summary | i Link State ID
  Link State ID: x.x.x.x (Summary Network Number)
 
sh ip ospf database asbr-summary | i Link State ID
  Link State ID: x.x.x.x (AS Boundary Router address)

sh ip ospf database external | i Link State ID
  Link State ID: x.x.x.x (External Network Number)
 

IOS-XR
sh ospf database router | i Link State ID
  Link State ID: x.x.x.x
 
sh ospf database network | i Link State ID
  Link State ID: x.x.x.x (address of Designated Router)

sh ospf database summary | i Link State ID
  Link State ID: x.x.x.x (Summary Network Number)
 
sh ospf database asbr-summary | i Link State ID
  Link State ID: x.x.x.x (AS Boundary Router address)

 sh ospf database external | i Link State ID
  Link State ID: x.x.x.x (External Network Number)


Searching for IPv6 is a little bit different, because the IPv6 prefix information is stored in another attribute.



Summarization

  • Type-3 summary
    • at ABR
    • area x range 10.10.10.0 255.255.255.0 (IOS)
    • area 1 range 10.10.10.0/24 (IOS-XR)
  • Type-5 summary
    • at ASBR
    • summary-address 20.20.20.0 255.255.255.0 (IOS)
    • summary-prefix 20.20.20.0/24 (IOS-XR)

Both types of summarization can also accept "not-advertise" as parameter.

Sub-routes must pre-exist in order for the summaries to be advertised.


OSPFv3

Multicast addresses have become FF02::x from 224.0.0.x (where x=5 for all OSPF routers, or x=6 for all DR routers).

If there is no IPv4 address assigned to any interface, then you must manually configure an IPv4-formatted router-id under the OSPFv3 process.

OSPFv3 runs per-link instead of per-subnet.

You cannot automatically detect OSPFv3 neighbors when using NBMA interfaces. You must manually configure your router to detect neighbors when using an NBMA interface.

All manually configured neighbors in OSPFv3 must be identified by their link-local IPv6 address.

On all OSPFv3 interfaces except virtual links, OSPFv3 packets are sent using the interface's associated link-local unicast address as the source address.

On virtual links, a global scope IPv6 address must be used as the source address for OSPFv3 packets.

Router-LSAs (Type-1) and Network-LSAs (Type-2) no longer contain network addresses, but simply express topology information.

Link-LSAs (Type-8) include the prefixes which are configured on links and are flooded only on local-link scope. Link-local addresses appear only in Link-LSAs.

For Stub areas, the Inter-area Prefix LSA can only be a default route.
For NSSA areas, the AS-External LSA can also be a default route.


IOS
ipv6 router ospf 1
 router-id 2.2.0.2 
!
interface Ethernet1/0
 ipv6 ospf 1 area 0


IOS-XR
router ospfv3 1
 router-id 2.2.0.8
 address-family ipv6 unicast
 area 0
  interface Loopback0
   passive
  !
  interface GigabitEthernet0/2/1/1


A use for running multiple OSPFv3 instances is to have a single link belong to two or more OSPFv3 areas.
Also on a LAN you can have multiple adjacencies between different routers, each one on a separate OSPFv3 process/instance.


OSPFv2 Authentication

  • Null (Type 0)  - default
  • Plain-text (Type 1)
  • MD5 (Type 2)

In IOS, you can configure the authentication type under the ospf process or under the interface.

IOS
router ospf 1
 area 0 authentication
!
interface X
 ip ospf authentication
 ip ospf authentication-key xxx


IOS
router ospf 1
 area 0 authentication message-digest
!
interface X
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 xxx


In IOS-XR, you can configure the authentication type/key under the ospf process, under the area or under the interface.

IOS-XR
router ospf 1
 authentication-key xxx
 authentication
 area 0
  authentication-key xxx
  authentication
  interface X
   authentication-key xxx
   authentication


IOS-XR
router ospf 1
 authentication message-digest
 message-digest-key 1 md5 xxx
  area 0
  authentication message-digest
  message-digest-key 2 md5 xxx
  interface X   authentication message-digest
   message-digest-key 3 md5 xxx


You can always use various combination of enabling authentication for a specific area (under the ospf process) or for a specific adjacency (under the interface).

More specific configurations override the less specific ones.


OSPFv3 Authentication

You can configure an authentication (AH) or encryption (ESP) policy, either on an interface or for an OSPFv3 area/process.

IPSec AH
  • Authentication
    • MD5
    • SHA1

IPSec ESP
  • Encryption
    • 3DES
    • AES (128,192,256 bits)
    • DES
    • NULL
  • Authentication
    • MD5
    • SHA1

To use the IPsec AH (for authentication), you must use commands with the "authentication" keyword.

To use the IPsec ESP (for authentication & confidentiality), you must use commands with the "encryption" keyword.

ESP may use encryption and authentication or only authentication (when encryption=null), but is not recommended.


IOS
ipv6 router ospf 1
 area 0 authentication ipsec spi 256 md5 yyy
 area 0 encryption ipsec spi 256 esp 3des md5 yyy
!
interface X
 ipv6 ospf authentication ipsec spi 256 md5 zzz
 ipv6 ospf encryption ipsec spi 256 esp 3des md5 zzz
 
IOS > 12.3(4)T is required for OSPFv3 IPsec authentication.


IOS-XR
router ospfv3 1
 authentication ipsec spi 256 md5 password xxx
 encryption ipsec spi 256 esp 3des password xxx
!
 area 0
  authentication ipsec spi 256 md5 password yyy
  encryption ipsec spi 256 esp 3des password yyy
!
  interface GigabitEthernet0/2/1/1.78
   authentication ipsec spi 256 md5 password zzz
   encryption ipsec spi 256 esp 3des password zzz


More specific configurations override the less specific ones.

Links


Options Bits

Hello/DBD/LSA Options Bits
  • V6 bit: It should be set, unless the router will not participate in IPv6 topology calculation and IPv6 transit routing. If this bit is clear, the router/link should be excluded from any IPv6 routing calculations.
  • R bit: It should be set, unless the router will not participate in any transit routing. It allows the router to participate in the unicast topology, but does not allow transit traffic.
  • E bit: It should be set if the interface attaches to a regular area (i.e., not a stub or NSSA area).
  • N bit: It should be set if the interface attaches to an NSSA area.
  • DC bit: This bit describes the router's handling of demand circuits. It should be set in Hellos/DBDs if the router wishes to suppress the sending of future Hellos over the interface. It should be set in LSAs, if the router can correctly process the DoNotAge bit when it appears in the LS age field of LSAs.

IPv6 Prefix Options Bits
  • NU bit: The "No Unicast" capability bit. If set, the prefix should be excluded from IPv6 unicast calculations. If not set, it should be included.
  • LA bit: The "Local Address" capability bit. If set, the prefix is actually an IPv6 interface address of the Advertising Router.
  • P bit: The "Propagate" bit. Set on NSSA area prefixes that should be readvertised by the translating NSSA area border.
  • DN bit: The "Down" bit. This bit controls an inter-area-prefix-LSAs or AS-external-LSAs re-advertisement in a VPN environment. It is used for loop prevention in PE=>CE=>PE advertisements and should not be checked in CE multi-vrf (vrf-lite) scenarios.


Special multi-hop adjacencies
  • virtual-link
    • connects two areas 0 or extends area 0 across a transit area
    • uses a transit area in order to connect areas 0 or extend area 0
    • used in normal environments with multiple areas 0 or area 0 extension
    • configured betweens two ABRs under the OSPF process
  • sham-link
    • connects two areas X (including 0)
    • uses the MPLS core in order to connect the areas
    • used in MPLS VPN environments with backdoor links
    • configured betweens two PEs/ABRs under the OSPF vrf process

Virtual-Link

All areas in an OSPF autonomous system must be connected to area 0. When this is not possible in terms of direct connectivity, then a virtual-link can be used in order to connect the non-backbone areas to area 0, as long as there is a common area between them.

  • connect two areas 0
    • R1 <=(area 0)=> R2 <=(area 1)=> R3 <=(area 0)=> R4
    • a virtual link can be configured between ABRs R2,R3 that connect to area 0 from different sides and have a common area between them
  • extend area 0 
    • R1 <=(area 0)=> R2 <=(area 1)=>R3 <=(area 2)=> R4
    • a virtual link can be configured between ABRs R2,R3 that connect to a common area, with only one ABR directly connected to area 0.
    • area 0 is extended to R3, in order to serve area 2
If a common area does not exist between the ABRs, then an additional area can be created to become the transit area.

The transit area through which the virtual link is configured, must have full routing information, so it cannot be any type of stub area. If this is the case, a GRE tunnel can be used to connect the two areas 0.


For virtual-links in OSPFv3 you have to use the remote neighbor's router-id (IPv4 format).

ABR #1

IOS
router ospf 1
 area 1 virtual-link 2.2.2.2

IOS-XR
router ospf 1
 area 1
  virtual-link 2.2.2.2


ABR #2

IOS
router ospf 1
 area 1 virtual-link 3.3.3.3

IOS-XR
router ospf 1
 area 1
  virtual-link 3.3.3.3


Sham-Link

To make a route through an MPLS backbone appear to be an intra-area route, it is necessary to make it appear as if there is an intra-area link connecting the two PE routers. A sham link can be thought of as a indirect relation between two VRFs.  If two VRFs are to be connected by a sham link, each VRF must be associated with a "Sham Link Endpoint Address", a 32-bit IPv4 address that is treated as an address of the PE router containing that VRF.

The Sham Link Endpoint Address is an address in the VPN's address space, not the SP's address space.  It must not be advertised inside customer's OSPF, because when there is no BGP VPNv4 route to the Sham Link Endpoint Address, that address must become unreachable, so that the sham link comes down.

The sham link is an unnumbered point-to-point intra-area link and is advertised as a type 1 LSA.

Sham links are treated as OSPF Demand Circuits. This means that LSAs will be flooded over them, but periodic refresh traffic will be avoided. Normal flooding is done over the backdoor link, but if that fails, flooding will occur over the sham-link (because LSA synchronization between sites must continue).

Configuration Steps
  • Create a /32 loopback that belongs to the relevant VRF on both PEs
  • Advertise the above /32 into BGP VPNv4 on both PEs
  • Don't advertise the above /32 into the OSPF vrf process on both PEs
  • Create a sham-link between the above /32 of the PEs under the OSPF vrf process

PE1

IOS
interface Loopback1
 vrf forwarding VPN
 ip address 1.1.1.1 255.255.255.255
!
router ospf 100 vrf VPN
 area 0 sham-link 1.1.1.1 2.2.2.2

IOS-XR
interface Loopback1
 vrf VPN
 ipv4 address 1.1.1.1/32
!
router ospf 100
 vrf VPN
  area 0
   sham-link 1.1.1.1 2.2.2.2


PE2

IOS
interface Loopback1
 vrf forwarding VPN
 ip address 2.2.2.2 255.255.255.255
!
router ospf 100 vrf VPN
 area 0 sham-link 2.2.2.2 2.1.1.1

IOS-XR
interface Loopback1
 vrf VPN
 ipv4 address 2.2.2.2/32
!
router ospf 100
 vrf VPN
  area 0
   sham-link 2.2.2.2 1.1.1.1


Verification

IOS
R1#sh ip ospf sham-links
Sham Link OSPF_SL0 to address 2.2.2.2 is up
Area 0 source address 1.1.1.1
  Run as demand circuit
  DoNotAge LSA allowed. Cost of using 1 State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40,
    Hello due in 00:00:04
    Adjacency State FULL (Hello suppressed)
    Index 2/2, retransmission queue length 0, number of retransmission 0
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 0, maximum is 0
    Last retransmission scan time is 0 msec, maximum is 0 msec
R1#sh ip ospf interface | b _SL
OSPF_SL0 is up, line protocol is up
  Internet Address 0.0.0.0/0, Area 0
  Process ID 100, Router ID 10.10.10.1, Network Type SHAM_LINK, Cost: 1
  Topology-MTID    Cost    Disabled    Shutdown      Topology Name
        0           1         no          no            Base
  Configured as demand circuit.
  Run as demand circuit.
  DoNotAge LSA allowed.
  Transmit Delay is 1 sec, State POINT_TO_POINT
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:06
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 2/2, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 4 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 10.10.10.2  (Hello suppressed)
  Suppress hello for 1 neighbor(s)


 R1#sh ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
...
10.10.10.2        0   FULL/  -           -        2.2.2.2         OSPF_SL0
...

R1#sh ip ospf neighbor detail | b 2.2.2.2
 Neighbor 10.10.10.2, interface address 2.2.2.2
    In the area 0 via interface OSPF_SL0
    Neighbor priority is 0, State is FULL, 6 state changes
    DR is 0.0.0.0 BDR is 0.0.0.0
    Options is 0x32 in Hello (E-bit, L-bit, DC-bit)
    Options is 0x72 in DBD (E-bit, L-bit, DC-bit, O-bit)
    LLS Options is 0x1 (LR)
    Neighbor is up for 00:12:16
    Index 2/2, retransmission queue length 0, number of retransmission 0
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 0, maximum is 0
    Last retransmission scan time is 0 msec, maximum is 0 msec


IOS-XR
GSR#sh ospf vrf VPN sham-links

Sham Links for OSPF 2, VRF VPN

Sham Link OSPF_SL0 to address 2.2.2.2 is up
Area 0, source address 1.1.1.1
IfIndex = 2
  Run as demand circuit
  DoNotAge LSA allowed., Cost of using 1
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:08
    Adjacency State FULL (Hello suppressed)
    Number of DBD retrans during last exchange 0
    Index 2/2, retransmission queue length 0, number of retransmission 0
    First 0(0)/0(0) Next 0(0)/0(0)
    Last retransmission scan length is 0, maximum is 0
    Last retransmission scan time is 0 msec, maximum is 0 msec


Both sham-links and virtual-links can have most of their "interface" attributes (hellos, cost, authentication, etc.) configured (IOS-XR gives more options).

The OSPF Sham Link endpoint address must not be used as the endpoint address of an OSPF Virtual Link.


OSPF Multi-Area

Applicable to OSPFv2 and OSPFv3.

It allows a link to be configured in more than one area, so that the link could be considered as an intra-area link in all those areas and get preference over inter-area links.

It exists as a logical construct over an existing primary interface for OSPF; however, the neighbor state on the primary interface is independent of the multi-area interface.

Only point-to-point adjacencies are supported.

IOS
interface Ethernet 0/0
 ip ospf 1 area 0
 ip ospf multi-area 1

IOS-XR
router ospf 1
 area 0
  interface GigabitEthernet0/2/1/2
 area 1
  multi-area-interface GigabitEthernet0/2/1/2
 area 2
  multi-area-interface GigabitEthernet0/2/1/2


The multi-area interface inherits the interface characteristics from its primary interface, but some interface characteristics can be configured under the multi-area interface configuration.

It also inherits the BFD characteristics from its primary interface.



OSPF Multiple-instance

Both IOS and IOS-XR allows you to run multiple OSPFv3 instances. Peer routers need to use the same instance-id for ospfv3 communication to happen.

Also, OSPFv3 can support multiple address-families using a different instance per address-family.

Unlike OSPFv3 where the Instance ID can be used for multiple purposes, such as putting the same interface in multiple areas, the OSPFv2 Instance ID is reserved for identifying protocol instances.



Although the relevant RFC defines the mechanism to differentiate packets for different instances sent and received on the same interface, Cisco's current IOS implementation allows you to have multiple OSPFv2 processes (not instances) using only different interfaces. Some of these processes can be VRF ones.


Links



Posted by at No comments:
Labels: , , , , , , , , , ,
Subscribe to: Posts (Atom)