Acknowledgments

I am very grateful to the group of talented people that were assembled to make this book a reality. Through their knowledge, dedication, and hard work, this book has become more than I ever thought possible. The most important acknowledgment must go to my wife, Rose, who put up with me writing all night after working all day. Her unwavering support was the single greatest factor in my ability to complete the book you now hold in your hands. Writing this book allowed me to assemble a team of...

Activating OSPF

As with other routing protocols, enabling OSPF on Cisco routers requires the following preliminary steps before configuration begins:
1 Determine the process ID under which OSPF is to run. The process ID is locally significant to the router: it does not have to match the process IDs used by the other OSPF routers in your network, and it does not have to differ from them either, so treat it as a local label rather than a shared identifier. The possible range for an OSPF process ID is 1-65535.
2 Specify the range of addresses that are to be associated with the OSPF routing process. This is part of one command that must...

Adding OSPF Areas

Figure 6-9 illustrates how each of the RIP clouds can be converted into an OSPF area. All three routers then become ABRs, which control network information distribution between OSPF areas and the OSPF backbone. Each router keeps a detailed record of the topology of its area and receives summarized information from the other ABRs on their respective areas. Figure 6-9 also illustrates VLSM addressing. VLSM uses different size network masks in different parts of the network for the same network...

Adding OSPF to the Center of a RIP Network

A common first step in converting a RIP network to an OSPF network is to convert the backbone routers to run both RIP and OSPF, while the remaining network edge devices continue to run RIP. Because these backbone routers redistribute RIP into OSPF, they become OSPF ASBRs. Each ASBR controls the flow of routing information between OSPF and RIP. In Figure 6-8, Routers Morpheus, Neo, and Trinity are configured as ASBRs when redistributing RIP into OSPF. RIP does not need to run between the backbone...

Administrative Distance and Metrics

Regardless of why you have encountered redistribution, there are some characteristics of how it operates within OSPF and on Cisco routers that you should understand. When redistributing from one routing protocol to another, keep in mind the following items. Previous chapters have discussed the metrics used by OSPF and how to manipulate them. Administrative distances help with route selection among different routing protocols, but they can cause problems for redistribution. These problems can be in the form of...

Agent Response to NMS Request

The flow chart presented in Figure 8-8 describes the second part of the SNMP operation, in which the SNMP request is received by the managed device, which passes it on to the agent that processes and answers the request. This flow of events is presented in a generic format from a high-level perspective. As with any complex network operation, many other events also occur that allow the operation to take place.
Figure 8-8 Agent Response Flow Chart to NMS Request
Step 1 Agent uses ASN.1 Basic Encoding...

Altering Link Cost

Recall that OSPF calculates its cost (metric) to a destination based on the bandwidth of the link(s) to that destination; on Cisco routers, the default cost of an interface is the reference bandwidth (100 Mbps unless changed with auto-cost reference-bandwidth) divided by the interface bandwidth. Therefore, to influence OSPF's routing decisions, you can either change the bandwidth on the interface, which in turn affects the cost of the link, or you can directly change the OSPF cost of the interface. You can apply the following commands on a per-interface basis:
Router(config-if)# ip ospf cost 1-65535
Allows you to configure the cost of an interface in OSPF, thus...
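
The arithmetic above carried through an SPF run, as an added example (not code from the book): it computes Cisco's default interface cost from the interface bandwidth and the reference bandwidth, then runs Dijkstra over a constructed four-router topology to show why the 100 Mbps default makes a Gigabit path and a Fast Ethernet path tie at cost 2, how raising the reference bandwidth separates them, and how an `ip ospf cost` override on one interface pins the path. Router names A through D and the link speeds are assumptions.

```python
import heapq

REF_BW_MBPS = 100   # Cisco default for auto-cost reference-bandwidth
MAX_COST = 65535    # upper bound of `ip ospf cost`


def interface_cost(bandwidth_kbps, ref_bw_mbps=REF_BW_MBPS):
    """Default Cisco interface cost: reference bandwidth / interface bandwidth,
    truncated to an integer and clamped to the 1..65535 range."""
    cost = (ref_bw_mbps * 1000) // bandwidth_kbps
    return max(1, min(MAX_COST, cost))


def build_links(edges, ref_bw_mbps=REF_BW_MBPS, cost_overrides=None):
    """edges: {(a, b): bandwidth_kbps} for bidirectional links.
    cost_overrides mimics `ip ospf cost` applied on one end only: {(a, b): cost}."""
    overrides = cost_overrides or {}
    links = {}
    for (a, b), bw in edges.items():
        for end in ((a, b), (b, a)):
            links[end] = overrides.get(end, interface_cost(bw, ref_bw_mbps))
    return links


def spf(links, source):
    """Dijkstra over directed links {(a, b): cost}.
    Returns {router: (total cost, path)} from source."""
    graph = {}
    for (a, b), cost in links.items():
        graph.setdefault(a, []).append((b, cost))
        graph.setdefault(b, [])
    best = {source: (0, [source])}
    heap = [(0, source)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > best[node][0]:
            continue  # stale heap entry, a cheaper path was already found
        for nxt, link_cost in graph[node]:
            new_cost = cost + link_cost
            if nxt not in best or new_cost < best[nxt][0]:
                best[nxt] = (new_cost, best[node][1] + [nxt])
                heapq.heappush(heap, (new_cost, nxt))
    return best


# Constructed topology: two paths from A to D, one Gigabit, one Fast Ethernet.
EDGES =  {("A", "B"): 1_000_000, ("B", "D"): 1_000_000,
          ("A", "C"): 100_000, ("C", "D"): 100_000}

if __name__ == "__main__":
    print("default reference:", spf(build_links(EDGES), "A")["D"])
    print("reference 10000:  ", spf(build_links(EDGES, 10_000), "A")["D"])
    print("A->B cost 500:    ", spf(build_links(EDGES, 10_000, {("A", "B"): 500}), "A")["D"])
```

With the default reference bandwidth every link of 100 Mbps or faster costs 1, so the Gigabit and Fast Ethernet paths tie and OSPF load-shares across them; `auto-cost reference-bandwidth 10000` (set identically on every router in the domain) restores the distinction, and a per-interface cost override then moves the path without touching bandwidth statements.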

Altering LSA Retransmissions

Cisco routers have the capability to alter the timing in which they retransmit LSAs on a per-interface basis (the ip ospf retransmit-interval command). When an OSPF router transmits an LSA to a neighbor, the normal operation of OSPF is to hold that LSA until the router receives an acknowledgment that the LSA was received successfully. By default, a router waits 5 seconds for the acknowledgment and, if needed, the LSA is retransmitted. In certain instances, this waiting period is not long enough for the round trip when a...

Altering LSA Transmission Delay

The final option for altering the normal operation of OSPF LSAs also evolved from the need to have OSPF operate properly over slow links. Specifically, LSAs can take a longer time to be transmitted over such a link. The Cisco implementation assumes a transmission delay of 1 second by default. When this is not enough time, the ip ospf transmit-delay command should be used on the desired interface. This command sets the estimated number of seconds needed to transmit a link-state update over the interface; the age of each LSA is incremented by that amount before it is sent, as demonstrated in Example 3-2.
Example 3-2 Configuring a...

Altering Neighbor Cost

In your network, you may want to prioritize or alter traffic flow based on the cost of a link. Suppose that you want to alter (increase or decrease) the default cost that is associated with a link to a neighbor. You can change this cost by assigning a cost to that neighbor, as follows. On point-to-multipoint broadcast networks, there is no need to specify neighbors. However, you can specify neighbors with the neighbor command, in which case you should specify a cost to that neighbor. On...

Altering OSPF Administrative Distance

An administrative distance is a rating of the priority (that is, trustworthiness) of a routing information source, such as an individual router or a group of routers. Numerically, an administrative distance is an integer from 0 to 255; the higher the numerical value, the lower the trust rating, and an administrative distance of 255 means that the routing information source cannot be trusted and its routes are never installed. On Cisco routers, OSPF routes carry a default administrative distance of 110, which is compared against the other sources offering the same prefix (for example, RIP at 120). Table 5-14 shows administrative distance...

Applying Access Lists to Interfaces

You can apply only one access list to an interface for a given protocol per direction (that is, inbound or outbound). With most protocols, you can apply access lists to interfaces as either inbound or outbound. If the access list is inbound, when the router receives a packet, Cisco IOS Software checks the access list's criteria statements for a match. If the packet is permitted, the software continues to process the packet. If the packet is denied, the software discards the packet. A packet that matches no statement at all is also discarded, because every access list ends with an implicit deny. If the...

Area Address Assignment

Here, each Class C network is used entirely in its own area, which leaves you needing 16 more areas, so the Class B address is subdivided using an area subnet mask so that its addresses are distributed equally among the 16 areas. The Class B network, 150.100.0.0/16, could be subnetted as follows. The letters x, y, and z represent bits of the last two octets of Class B 150.100.0.0:
x x x x y y y y . y z z z z z z z
The area mask boundary falls after the 4 x bits, so the area mask is a /20 (255.255.240.0). Note the following points about this scheme. The 4 x bits are used to...
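
An added example (not code from the book) that carries the addressing plan above into configuration: it carves 150.100.0.0/16 into 16 equal /20 area blocks on the 4 x bits, maps an interface address to its area, and emits the `network ... area` statements (with the inverse wildcard mask) plus `area range` summaries for an ABR. The block index is used as the area number, with block 0 standing in for the backbone, and the ABR's interface addresses are constructed; both are assumptions made for the example.

```python
import ipaddress

PARENT = "150.100.0.0/16"   # the Class B from the text
AREA_BITS = 4               # the four x bits: 2**4 = 16 areas, each a /20


def area_blocks(parent=PARENT, area_bits=AREA_BITS):
    """Split the parent prefix into 2**area_bits equal blocks, one per area."""
    return list(ipaddress.ip_network(parent).subnets(prefixlen_diff=area_bits))


def area_of(address, blocks=None):
    """Map an interface address to its area (the block index; block 0 is
    treated as the backbone here, an assumption for the example)."""
    blocks = blocks or area_blocks()
    ip = ipaddress.ip_address(address)
    for area, block in enumerate(blocks):
        if ip in block:
            return area
    raise ValueError(f"{address} is not inside {PARENT}")


def abr_config(process_id, interface_addrs, blocks=None):
    """OSPF stanza for an ABR whose interfaces carry interface_addrs: one
    `network` statement per area using the inverse (wildcard) mask of the
    whole /20, and an `area range` for every non-backbone area so that only
    the /20 summary, not its individual subnets, is advertised into area 0."""
    blocks = blocks or area_blocks()
    areas = sorted({area_of(addr, blocks) for addr in interface_addrs})
    lines = [f"router ospf {process_id}"]
    for area in areas:
        block = blocks[area]
        lines.append(f" network {block.network_address} {block.hostmask} area {area}")
    for area in areas:
        if area != 0:
            block = blocks[area]
            lines.append(f" area {area} range {block.network_address} {block.netmask}")
    return lines


if __name__ == "__main__":
    # Constructed ABR with one interface in the backbone block and one in area 3.
    print("\n".join(abr_config(1, ["150.100.1.1", "150.100.53.1"])))
```

The wildcard mask in each `network` statement is the complement of the area mask (0.0.15.255 for a /20), which is why one statement per area is enough; the `area range` uses the ordinary subnet mask because it describes the summary prefix rather than a match on interfaces.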

Area Design Overview

When creating large-scale OSPF internetworks, the definition of areas and assignment of resources within areas must be done with a pragmatic view of your OSPF internetwork. This assignment of resources includes both physical and logical networking components so that optimal performance results. This section discusses some of the items that are applicable to designing any type of OSPF area. Specific considerations are discussed after each area type. Areas are essentially small networks contained...

Area Sizing

Determining the number of routers to deploy within each OSPF area is extremely important and should be done with flexibility in mind. Factors that are hard to know during design (such as which links will flap) can be compensated for with flexibility in your design and implementation. During initial network convergence, OSPF uses the CPU-intensive SPF algorithm. Experience has shown that 40 to 50 routers per area is the optimal upper limit for OSPF in the majority of networks. This is not to say...

Avoiding Redistribution Loops

Even though avoiding redistribution loops is a golden rule for route redistribution, these loops do occur. To summarize what is occurring, realize that Router A is redistributing network 230.250.15.0 into the RIP network. Router B then sees this network advertised by RIP as a valid destination, so Router B tells the OSPF network that it can reach network 230.250.15.0. This results in a nasty routing loop, as illustrated in Figure 6-6.
Figure 6-6 Example of a Redistribution Loop
Figure 6-6...

Backbone Area Design

The OSPF backbone (also known as area 0) is extremely important. If more than one area is configured in an OSPF network, one of these areas must be area 0. When designing networks, it is good practice to start with area 0 and then later expand into other areas. To summarize, the OSPF backbone is the part of the OSPF network that acts as the primary path for traffic that is destined to other areas or networks. Accepted network design theory recommends a three-tiered approach (see Figure 4-24)....

Backbone Design Golden Rules

Use the following guidelines when designing an OSPF backbone (area 0):
- Understand that area 0 is a transit area, not a destination for traffic.
- Ensure that the stability of the backbone area is maintained and monitored.
- Ensure that redundancy is built into the design whenever possible.
- Ensure that OSPF backbones are contiguous.
- Keep this area simple. Fewer routers are better.
- Keep the bandwidth symmetrical so that OSPF can maintain equal-cost load balancing.
- Ensure that all other areas connect directly to...

Basic Routing Protocol Operation

Consider an example of a router that is initially configured with two networks to which it directly connects. The router has only these two networks in its routing table. Other networks beyond the initial two are not entered into the routing table because they do not directly connect to the router. So how does the router learn about these other networks? This can be accomplished in the following ways:
Static routing A manually defined and installed type of route within the router as the...

Benefits of OSPF Neighbor Authentication

When configured, neighbor authentication occurs whenever routing updates are exchanged between neighboring OSPF routers within the OSPF area that has authentication activated. This authentication ensures that a router accepts routing information only from a trusted source (that is, an authenticated OSPF neighbor). Without OSPF authentication, unauthorized or deliberately malicious routing updates could compromise the integrity of your network traffic. Bear in mind that simple (plain text) authentication carries the password in every packet, so it protects only against accidental misconfiguration; MD5 authentication is the option that holds up against someone who can capture traffic on the link, because without the key that attacker cannot produce a valid digest. A security compromise could occur if an unfriendly...

Blocking LSA Flooding

By default, OSPF floods new LSAs out all interfaces in the same area, except the interface on which the LSA arrived. OSPF floods based on the characteristics discussed earlier in this chapter. This is important because OSPF-specific behavior is to keep retransmitting until an acknowledgment of the link-state update packet is received. Some redundancy is desirable because it ensures robust flooding and accurate routing; however, too much redundancy can waste bandwidth and might destabilize the...

Business Considerations

Table 2-3 documents business issues to consider when selecting a routing protocol.
Table 2-3 Important Business Considerations for Routing Protocol Selection
Many companies prefer to use protocols that are based on standards whenever possible; this is strongly recommended in every network. Networks that do not follow the protocols and standards will eventually cause problems. OSPF is a standard protocol that was developed by a working group of the IETF as an alternative to RIP. OSPF is...

Case Study Adding a New OSPF Router to a Network

This case study provides a scenario that covers most of the information presented in this chapter. Suppose that a new OSPF router is added to a network. With this scenario, follow the case study to understand the ramifications of how adding a new OSPF router would affect an operating network. Refer to Figures 2-12 through 2-15, which detail each step of the process as it occurs in the following sequence:
1 A new OSPF router is added to the network.
2 This new router immediately transmits a...

Case Study Assigning Unique Network Numbers to Each OSPF Area

In this scenario, each OSPF area has its own unique NIC-assigned IP address range. This can be as grand as a Class A address for the entire network, with multiple Class Bs assigned to each area, or more realistically, it can be a group of Class C addresses. This example is demonstrated in Figure 5-27. The benefits of this method are as follows:
- Address assignment is simple because each area has its own unique network.
- Configuration of the routers is easy, reducing the likelihood of errors....

Case Study Conclusion

The objective of this case study was to demonstrate how to use, configure, and troubleshoot an OSPF point-to-multipoint link. You have seen an example and explanation for the configuration, which should help you in both design considerations and implementation. The different show and debug commands reviewed can assist you in troubleshooting the point-to-multipoint configuration and, by demonstrating the data, should be helpful in troubleshooting more general OSPF problems as well. A summary of...

Case Study Designing an OSPF Network

This case study uses the technical aspects discussed in the previous two case studies and then follows the design tenets and procedures that were presented in this chapter. Every network is different, having unique requirements and business considerations. Keep in mind that this fictional case study is not designed to be the ultimate answer or the only possible solution; instead, consider it an outline on how to successfully meet design needs. Terrapin Pharmaceuticals has 25 regional sales...

Case Study OSPF Network Evolution and Convergence

The preceding two case studies reviewed the link-state database and how it was developed. This case study takes some concepts that were introduced in this chapter and shows how a simple OSPF network evolves and converges. MatrixNet, a high-tech graphics firm that does specialized animations for the movie industry, has approached you to implement OSPF in its core network. The network is connected via Ethernet between the three routers, as shown in Figure 2-19. Figure 2-19 MatrixNet OSPF Core...

Case Study Point-to-Multipoint Link Networks

The objective of this case study is to demonstrate how to design, configure, and troubleshoot an OSPF point-to-multipoint link network. This feature's importance is linked with the increased use of Frame Relay and ATM due to the reduced cost of the service. As customers used point-to-multipoint on nonbroadcast media (Frame Relay), they found that their routers could not dynamically discover their neighbors. The OSPF point-to-multipoint link feature allows the neighbor command to be used on...

Case Study Troubleshooting Neighbor Problems

When you execute a show ip ospf neighbor command and it reveals nothing, or it shows nothing about the particular neighbor you are analyzing, this router has seen no valid OSPF Hellos from that neighbor. Check the following items:
1 Is the local router's or neighboring router's interface up, with line protocol up? Use the show interface command to find out.
2 Check for IP connectivity between the neighboring routers as follows:
A Can you ping the neighbor?
B Does the neighbor respond...

Case Study VLSMs

In 1987, RFC 1009 was published with the purpose of specifying how a subnetted network could use more than one subnet mask. As discussed earlier in this chapter, when an IP network is assigned more than one subnet mask, it is considered a network with variable-length subnet masks because the subnet masks (prefixes) have varying lengths. If you recall, the use of VLSM brings benefits to a network and routing that allow for increased routing optimization in the form of a smaller and more concise...

Changing the Virtual Link Password

At some point, you should change the OSPF authentication password: a key that has been in service for years has had that long to leak through configuration backups, staff turnover, or packet captures. This change is a best practice and should be done regularly. The tricky part is changing the authentication without upsetting routing. If you are going against the recommendations in this chapter and using plain text authentication, you must take a brief outage as the network adjusts to the change. However, if you are using MD5, you are in a much better position. OSPF and the Cisco IOS Software offer...
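
The mechanism behind the MD5 rollover, as an added example that is not code from the book: it implements OSPF cryptographic authentication as RFC 2328 Appendix D specifies it (key ID and sequence number in the header, a 16-byte MD5 digest of packet-plus-key appended after the packet) and walks the receiving side through a key change without an outage, that is, add the new key on every router first, switch senders over, then retire the old key. Router IDs, key IDs and key values are constructed; the Hello bodies are placeholder bytes rather than real Hello fields.

```python
import hashlib
import hmac
import struct

HDR = "!BBHIIHH"      # version, type, length, router ID, area ID, checksum, AuType
AUTH_CRYPTO = 2       # AuType 2: cryptographic authentication
KEY_LEN = 16          # keys are zero-padded to the 16 bytes the digest consumes


def _pad(key):
    return key.ljust(KEY_LEN, b"\x00")[:KEY_LEN]


def build_packet(router_id, area_id, body, key_id, key, seq):
    """OSPF header + body carrying the Appendix D authentication field
    (0, key ID, digest length, sequence number), followed by the MD5 digest
    over packet||key. The checksum is 0 and the length field excludes the
    digest, as the RFC requires."""
    length = struct.calcsize(HDR) + 8 + len(body)
    header = struct.pack(HDR, 2, 1, length, router_id, area_id, 0, AUTH_CRYPTO)
    auth = struct.pack("!HBBI", 0, key_id, KEY_LEN, seq)
    packet = header + auth + body
    return packet + hashlib.md5(packet + _pad(key)).digest()


class Neighbor:
    """Receiving side: keys by key ID, last sequence number per router ID."""

    def __init__(self, keys):
        self.keys = dict(keys)
        self.last_seq = {}

    def accept(self, packet):
        """Return (ok, reason) after checking key ID, digest and sequence."""
        hlen = struct.calcsize(HDR)
        if len(packet) < hlen + 8 + KEY_LEN:
            return False, "truncated"
        _, _, length, rid, _, _, autype = struct.unpack(HDR, packet[:hlen])
        if autype != AUTH_CRYPTO or length + KEY_LEN != len(packet):
            return False, "bad AuType or length"
        _, key_id, auth_len, seq = struct.unpack("!HBBI", packet[hlen:hlen + 8])
        key = self.keys.get(key_id)
        if key is None or auth_len != KEY_LEN:
            return False, f"unknown key id {key_id}"
        expected = hashlib.md5(packet[:length] + _pad(key)).digest()
        if not hmac.compare_digest(expected, packet[length:]):
            return False, "digest mismatch"
        # RFC 2328 D.4.3: the sequence must not go backwards. Equal is allowed,
        # so a replay of the most recent packet is not caught by this check.
        if seq < self.last_seq.get(rid, 0):
            return False, "replayed sequence"
        self.last_seq[rid] = seq
        return True, "ok"


if __name__ == "__main__":
    rid = 0x0A000001                      # constructed router ID 10.0.0.1
    rx = Neighbor({1: b"oldkey"})
    print(rx.accept(build_packet(rid, 0, b"hello-1", 1, b"oldkey", 100)))
    rx.keys[2] = b"newkey"                # step 1: add the new key on the receiver
    print(rx.accept(build_packet(rid, 0, b"hello-2", 2, b"newkey", 101)))
    del rx.keys[1]                        # step 3: retire the old key
    print(rx.accept(build_packet(rid, 0, b"hello-3", 1, b"oldkey", 102)))
```

Because the receiver selects the key by the key ID in the header, a neighbor that already holds both keys accepts packets under either one, which is what lets the sender switch at its own pace; the old key is removed only after every neighbor has been seen using the new one. Note that this is keyed MD5 as the RFC defines it, not HMAC, and that it provides integrity and authenticity only, not confidentiality.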

CIDR

VLSM was a step up from subnetting because it relayed subnet information through routing protocols. This idea leads directly into this section on CIDR, which is documented in the following RFCs: 1517, 1518, 1519, and 1520. CIDR is an effective method to stem the tide of IP address allocation as well as routing table overflow. Without the deployment of CIDR in 1994 and 1995 (described in RFC 1817), the Internet would not be functioning today because the routing tables would have been too large for the...

Cisco IOS Password Encryption

A non-Cisco source has released a program to decrypt user passwords (and other passwords) in Cisco configuration files. The program does not decrypt passwords that are set with the enable secret command. Why not? Because enable secret stores a salted MD5 hash (a type 5 string), which cannot be reversed; it can only be attacked by guessing candidate passwords. What the program recovers are the type 7 strings produced by the service password-encryption command, which XOR each password against a fixed, well-known string. That is obfuscation rather than encryption, and any password stored that way should be treated as readable by anyone who can read the configuration file. The unexpected concern that this program has caused among Cisco customers indicates that many...
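
The reversible scheme described above, as an added example (not the program the text refers to, nor Cisco code): a decoder and encoder for type 7 strings built on the well-known translation string, plus a small auditor that walks an IOS configuration and reports every recoverable credential while leaving `enable secret` hashes alone. The sample configuration is constructed; its type 5 hash is a placeholder value and the type 7 strings are the widely published encodings of the word "cisco".

```python
# The well-known translation string that `service password-encryption` XORs against.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decrypt(enc):
    """Reverse a type 7 string: two decimal digits of seed, then one hex byte
    pair per character, each XORed with XLAT[seed + position]."""
    if len(enc) < 4 or len(enc) % 2:
        raise ValueError("malformed type 7 string")
    seed, data = int(enc[:2]), bytes.fromhex(enc[2:])
    return bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(data)).decode()


def type7_encrypt(plain, seed=8):
    """The forward direction, to show it is a fixed keystream, not a hash."""
    data = bytes(c ^ XLAT[(seed + i) % len(XLAT)] for i, c in enumerate(plain.encode()))
    return f"{seed:02d}{data.hex().upper()}"


def audit_config(config):
    """Flag every recoverable credential in an IOS config: type 7 strings are
    decrypted on the spot, cleartext ones reported as-is. Only type 5
    (`enable secret`, salted MD5) is skipped because it is a one-way hash."""
    findings = []
    for raw in config.splitlines():
        t = raw.split()
        for i, tok in enumerate(t):
            if tok not in ("password", "md5", "authentication-key") or i + 1 >= len(t):
                continue
            if t[i + 1] == "7" and i + 2 < len(t):
                findings.append((raw.strip(), "type 7 (reversible)", type7_decrypt(t[i + 2])))
            elif t[i + 1] == "5":
                continue
            else:
                value = t[i + 2] if t[i + 1] == "0" and i + 2 < len(t) else t[i + 1]
                findings.append((raw.strip(), "cleartext", value))
    return findings


# Constructed configuration; the type 5 hash is a placeholder, not a real hash.
CONFIG = """\
enable secret 5 $1$salt$placeholderhashvalue
enable password 7 0822455D0A16
username ops password 0 cisco123
interface Serial0
 ip ospf message-digest-key 1 md5 7 02050D480809
line vty 0 4
 password 7 0822455D0A16
"""

if __name__ == "__main__":
    for line, kind, value in audit_config(CONFIG):
        print(f"{kind:22} {value:12} <- {line}")
```

The auditor deliberately treats the OSPF `message-digest-key` line the same as a login password: an MD5 authentication key stored as type 7 is exactly as exposed as any other type 7 string, so a leaked configuration hands an attacker the ability to forge authenticated OSPF updates.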

Cisco's MIB Extensions

With several hundred unique objects, Cisco's private MIB extensions provide network managers with broad, powerful monitoring and control facilities. Cisco's private MIB supports DECnet (including DECnet routing and host tables), XNS, AppleTalk, Banyan VINES, Novell NetWare, and additional system variables that highlight information such as average CPU utilization over selectable intervals. Furthermore, Cisco developers can add private extensions to the MIB as required. This capability gives...

Command Syntax Conventions

The conventions used to present command syntax in this book are the same conventions used in the Cisco IOS Software Command Reference. The Command Reference describes these conventions as follows:
- Vertical bars (|) separate alternative, mutually exclusive elements.
- Square brackets ([ ]) indicate optional elements.
- Braces ({ }) indicate a required choice.
- Braces within brackets ([{ }]) indicate a required choice within an optional element.
- Boldface indicates commands and keywords that are entered literally as shown....

Configuration Example 1 Setting the Default Metric for Redistributed Routes

In Figure 6-2, Router Trinity is receiving the routes 212.54.190.0/24 and 10.1.1.4/30 from Router Neo via EIGRP. These EIGRP routes are initially redistributed into OSPF using the default metric of 20 (the default for every source except BGP, whose routes are redistributed with a metric of 1).
Figure 6-2 Default Metric Configuration: Redistribute EIGRP into OSPF. The default metric is 20.
Once the network begins routing OSPF, the first thing that you need to verify is that Routers Morpheus and...

Configuration Example 2 External Route Summarization

Configuring external route summarization has the same result as area summarization. The difference is the type of route being summarized (area versus external): area range on an ABR summarizes the routes of an area, whereas summary-address on an ASBR summarizes the external routes it redistributes. To have OSPF advertise one summary route for all redistributed routes covered by a single network address and mask, use the following router OSPF subcommand in router configuration mode:
summary-address summary-ip-address subnet-mask [not-advertise] [tag tag...

Configuration Example 3 Subnetting with Summarization

Summarization is a wonderful concept in networking that can give networks a variety of benefits, as discussed earlier in this chapter. It is important to provide a template that demonstrates how you might go about designing or redesigning an OSPF network with summarization in place from the beginning. This latter case is the more likely scenario, and you might have already been involved in projects to renumber and readdress networks that needed a new and improved logical look. These situations...

Configuration Example 5 Redistributing OSPF and RIP and Tagging Routes

In your network, you have connected Router Trinity to OSPF area 10 and to a RIP network as well. The entire OSPF network needs to know about the following networks. These networks are found on Router Trinity and are part of the RIP routing domain. Because the objective is for the entire OSPF network to learn about them, you are going to be monitoring the routing table of Router Apoc to see when it learns of these routes. As you would expect, in the routing table in Example 6-59, Router Apoc has no...
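
An added simulation (not code from the book) of the loop described under Avoiding Redistribution Loops and of the route-tag fix that this configuration example is building toward. Two ASBRs, A and B, mutually redistribute between a RIP domain, where 172.16.15.0/24 originates on router R, and an OSPF domain, where 10.1.0.0/16 originates on router O; every router name, prefix and tag value is constructed. Each ASBR installs the source with the lowest administrative distance, re-advertises what it redistributes every time it runs (so anything it no longer has is withdrawn), and, when tags are on, stamps redistributed routes with the administrative distance of the domain they came from and refuses to send a route back into that domain. Raising the OSPF external distance above RIP's fixes the preference problem; only the tags stop a withdrawn prefix from circulating between the two ASBRs forever.

```python
X, Y = "172.16.15.0/24", "10.1.0.0/16"   # constructed: X is native to RIP, Y to OSPF
DEFAULT_AD = {"ospf": 110, "ospf-external": 110, "rip": 120}


class Domain:
    """One routing domain's advertisements."""

    def __init__(self, proto):
        self.proto = proto
        self.native = {}     # prefix -> originating router
        self.external = {}   # asbr -> {prefix: tag}, rebuilt each time that ASBR runs

    def heard_by(self, router):
        """(prefix, advertiser, tag, is_external) for every advert not our own."""
        for pfx, adv in self.native.items():
            if adv != router:
                yield pfx, adv, 0, False
        for adv, routes in self.external.items():
            if adv != router:
                for pfx, tag in routes.items():
                    yield pfx, adv, tag, True


class Asbr:
    def __init__(self, name, rip, ospf, external_ad=110, tags=False):
        self.name, self.rip, self.ospf, self.tags = name, rip, ospf, tags
        self.distance = {**DEFAULT_AD, "ospf-external": external_ad}

    def table(self):
        """Best route per prefix: lowest administrative distance wins, first
        seen wins a tie. Returns prefix -> (source protocol, next hop, tag)."""
        best = {}
        for dom in (self.rip, self.ospf):
            for pfx, adv, tag, ext in dom.heard_by(self.name):
                proto = "ospf-external" if dom.proto == "ospf" and ext else dom.proto
                if pfx not in best or self.distance[proto] < self.distance[best[pfx][0]]:
                    best[pfx] = (proto, adv, tag)
        return best

    def run(self):
        """Recompute the table, then re-advertise (and so withdraw stale)
        redistributed routes. With tags on, `redistribute rip` stamps tag 120
        and drops routes tagged 110; `redistribute ospf` does the mirror image,
        which is what a route-map with `match tag` / `set tag` expresses."""
        table = self.table()
        rip_tag, ospf_tag = (120, 110) if self.tags else (0, 0)
        self.ospf.external[self.name] = {
            pfx: rip_tag for pfx, (proto, _, tag) in table.items()
            if proto == "rip" and not (self.tags and tag == ospf_tag)}
        self.rip.external[self.name] = {
            pfx: ospf_tag for pfx, (proto, _, tag) in table.items()
            if proto.startswith("ospf") and not (self.tags and tag == rip_tag)}


def scenario(tags=False, external_ad=110, source_dies=False):
    """Run both ASBRs to convergence; optionally withdraw X at its source and
    run again. Returns each ASBR's route for X and which ASBRs are feeding X
    back into the RIP domain."""
    rip, ospf = Domain("rip"), Domain("ospf")
    rip.native[X], ospf.native[Y] = "R", "O"
    a = Asbr("A", rip, ospf, external_ad, tags)
    b = Asbr("B", rip, ospf, external_ad, tags)
    for _ in range(3):
        a.run(); b.run()
    if source_dies:
        del rip.native[X]
        for _ in range(3):
            a.run(); b.run()
    return {"A": a.table().get(X), "B": b.table().get(X),
            "rip_feedback": sorted(adv for adv, routes in rip.external.items() if X in routes)}


if __name__ == "__main__":
    print("no tags, AD 110       :", scenario())
    print("tags, AD 125          :", scenario(tags=True, external_ad=125))
    print("source gone, no tags  :", scenario(source_dies=True))
    print("source gone, tags     :", scenario(tags=True, external_ad=125, source_dies=True))
```

In the untagged run B abandons its direct RIP path for X in favor of A's OSPF external advertisement (110 beats 120) and then injects X back into RIP as if it were B's own; once R withdraws X, A and B keep handing the dead prefix to each other indefinitely. With the tags in place the prefix is never allowed back into the domain it came from, so the withdrawal propagates and both tables drop it.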

Configuration Example 6 Controlling Redistribution

To this point, the concepts of redistribution have been presented and examples were given to show how to make redistribution operate effectively. The following configuration example was placed later in the chapter for a specific reason. This example is a good review of the routing and redistribution concepts that were covered up to this point. By placing the concepts together, you can see some interesting OSPF effects. The following sections offer a review of the concepts previously presented.

Configuration File Examples

Example 6-25 shows the commands in the configuration file for Router Morpheus that determine the IP address for each interface and enable RIP on those interfaces. Example 6-26 shows the commands in the configuration file for Router Neo to determine the IP address for each interface and enable RIP on those interfaces.
interface serial 0
 ip address 130.10.62
interface serial 1
 ip address 130.10.64
interface ethernet 0
 ip address 130.10.17
interface tokenring 0
 ip address 130.10.16
Example 6-27...

Configuring Access Lists for Specific Protocols

To control packet transmission for a given protocol, you must configure an access list for that protocol. Table 8-1 identifies the protocols for which you can configure access lists, along with the number range reserved for each.
Table 8-1 Protocols with Access Lists by Range
Transparent bridging (protocol type)
Source-route bridging (protocol type)
TIP You should consider configuring access lists for each protocol that you have configured for...

Configuring an Interface as Point-to-Multipoint Nonbroadcast

To treat the interface as point-to-multipoint nonbroadcast when the media does not support broadcast, perform the tasks in Table 4-3 in interface configuration mode.
Table 4-3 Steps to Assigning a Cost to Each Neighbor in Point-to-Multipoint Nonbroadcast Networks
Step 1 Configure an interface as point-to-multipoint for nonbroadcast media. This is the only difference from Table 4-2.
 ip ospf network point-to-multipoint non-broadcast
Step 2 Configure an OSPF routing process and enter router configuration mode....

Configuring OSPF

OSPF is a straightforward protocol to get running at a basic level in Cisco routers. This section covers the process needed to activate OSPF and then examines how some of OSPF's advanced features can be configured and properly deployed on the different types of OSPF functional routers. OSPF typically requires coordination among many internal routers, ABRs (routers connected to multiple areas), and Autonomous System Boundary Routers (ASBRs). At a minimum, OSPF-based routers, or access servers,...

Configuring the RIP Network

Figure 6-7 illustrates a RIP network. Three sites are connected with serial lines. The RIP network uses a Class B address and an 8-bit subnet mask (that is, /24 subnets). Each site has a contiguous set of network numbers assigned to it. The creators must have read the first edition of this book when designing the network, because they clearly planned for future growth in the OSPF direction. Table 6-2 lists the network address assignments for the RIP v2 network, including the network number, subnet range, and subnet...

Contents

Part I OSPF Fundamentals and Communication
 Chapter 1 Networking and Routing Fundamentals
  Why Was the OSI Reference Model Needed?
  Characteristics of the OSI Layers
  Understanding the Seven Layers of the OSI Reference Model
   Upper Layers
    Layer 7 Application
    Layer 6 Presentation
    Layer 5 Session
   Lower Layers
    Layer 4 Transport
    Layer 3 Network
    Layer 2 Data Link
    Layer 1 Physical
  OSI Reference Model Layers and Information Exchange
   Headers, Trailers, and Data
  TCP/IP...

Control and Limit Your Secrets

Most security is based on information that is required to be secret. Passwords, SSH or PGP encryption keys, and SNMP community strings, for example, should be kept secret. Too often, though, the secrets are not all that secret. The most important part of keeping secrets is knowing which areas you need to protect through secrecy. For example, what knowledge would enable someone to circumvent your system? You should jealously guard that knowledge and assume that your adversaries know...

Controlling Access to Network Equipment

It is important to control access to all your network equipment. Most equipment manufacturers now design their equipment with multiple levels of passwords, typically read-only and then read/write. This is probably the easiest and most basic step in securing your network. This section discusses some of the techniques that you must consider regarding Cisco router access and the operation of Cisco router passwords. You can control access to the router using the following methods (keep in mind that Telnet carries the login exchange in cleartext, so prefer SSH wherever the IOS image supports it):
Telnet access...

Controlling Inter Area Traffic

When an area has only a single ABR (a simple stub area), all traffic that does not belong in the area is sent to the ABR. In areas that have multiple ABRs, the following choices are available for traffic that needs to leave the area:
- Use the ABR closest to the originator of the traffic. This results in traffic leaving the area as soon as possible.
- Use the ABR closest to the destination of the traffic. This results in traffic leaving the area as late as possible. However, if the ABRs are only...

Count the Cost

Security measures usually reduce convenience, especially for sophisticated users. Security can delay work and create expensive administrative and educational overhead. Security can use significant computing resources and require dedicated hardware. Just as with anything in life, nothing that is worth having is free: you must work for the results that you want to receive and understand that you must pay a price for security in convenience. The...

Creating Access Lists

Access list definitions provide a set of criteria that are applied to each packet that is processed by the router. The router decides whether to forward or block each packet based on whether the packet matches the access list criteria. Typical criteria defined in access lists are packet source addresses, packet destination addresses, or the upper-layer protocol of the packet. However, each protocol has its own specific set of criteria that can be defined. Entries are evaluated in the order in which they were entered, the first match decides, and a packet that matches no entry is dropped by the implicit deny at the end of every list. For a given access list, you define each...
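
The three access-list sections above (one list per protocol per direction on an interface, the protocol-specific number ranges, and the criteria an entry carries) in one added example that is not code from the book: a parser for standard (1-99) and extended (100-199) IP access lists, first-match evaluation with the implicit deny, and the rule that a second `ip access-group` in the same direction replaces the first. The configuration, addresses, ports and interface names are constructed, and only the address, wildcard, `host`, `any`, protocol and `eq` forms are supported.

```python
import ipaddress


def _addr(tokens, i):
    """Parse one address spec (any | host A | A WILDCARD | A) at tokens[i].
    Returns (match function over an int address, index of the next token)."""
    tok = tokens[i]
    if tok == "any":
        return (lambda ip: True), i + 1
    if tok == "host":
        target = int(ipaddress.IPv4Address(tokens[i + 1]))
        return (lambda ip, t=target: ip == t), i + 2
    base = int(ipaddress.IPv4Address(tok))
    has_wild = i + 1 < len(tokens) and tokens[i + 1][:1].isdigit()
    wild = int(ipaddress.IPv4Address(tokens[i + 1])) if has_wild else 0
    care = ~wild & 0xFFFFFFFF          # wildcard 1-bits are "don't care"
    return (lambda ip, b=base, c=care: (ip ^ b) & c == 0), i + (2 if has_wild else 1)


class AccessList:
    def __init__(self, number):
        self.number, self.entries = number, []

    @property
    def extended(self):
        return 100 <= self.number <= 199


def parse_config(config):
    """Return ({number: AccessList}, {interface: {direction: number}})."""
    acls, ifaces, current = {}, {}, None
    for raw in config.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "interface":
            current = t[1]
            ifaces[current] = {}
        elif t[0] == "access-list":
            num, permit = int(t[1]), t[2] == "permit"
            acl = acls.setdefault(num, AccessList(num))
            if acl.extended:
                proto = t[3]
                src, i = _addr(t, 4)
                dst, i = _addr(t, i)
                port = int(t[i + 1]) if i < len(t) - 1 and t[i] == "eq" else None
            else:                       # standard list: source address only
                proto, port = "ip", None
                src, _ = _addr(t, 3)
                dst = lambda ip: True
            acl.entries.append((permit, proto, src, dst, port, raw.strip()))
        elif t[:2] == ["ip", "access-group"] and current:
            # One list per protocol per direction: a later binding replaces the earlier one.
            ifaces[current][t[3]] = int(t[2])
    return acls, ifaces


def evaluate(acl, packet):
    """Walk the entries in order; the first match decides. Falling off the end
    is the implicit deny that terminates every access list."""
    src_ip = int(ipaddress.IPv4Address(packet["src"]))
    dst_ip = int(ipaddress.IPv4Address(packet["dst"]))
    for permit, proto, src, dst, port, text in acl.entries:
        if proto not in ("ip", packet.get("proto", "ip")):
            continue
        if not (src(src_ip) and dst(dst_ip)):
            continue
        if port is not None and packet.get("dport") != port:
            continue
        return permit, text
    return False, "implicit deny"


def filter_packet(acls, ifaces, iface, direction, packet):
    """Apply whatever list is bound to iface in that direction (in/out)."""
    number = ifaces.get(iface, {}).get(direction)
    if number is None:
        return True, "no access list applied"
    return evaluate(acls[number], packet)


# Constructed configuration: Serial0 binds list 10 and then list 101 inbound.
CONFIG = """\
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 101 permit tcp 10.0.0.0 0.255.255.255 host 172.16.1.10 eq 22
access-list 101 permit icmp any any
access-list 101 deny ip any any
interface Serial0
 ip access-group 10 in
 ip access-group 101 in
interface Ethernet0
 ip access-group 10 out
"""

if __name__ == "__main__":
    acls, ifaces = parse_config(CONFIG)
    ssh = {"proto": "tcp", "src": "10.2.3.4", "dst": "172.16.1.10", "dport": 22}
    print(filter_packet(acls, ifaces, "Serial0", "in", ssh))
    print(filter_packet(acls, ifaces, "Serial0", "in", dict(ssh, dport=23)))
```

The second `ip access-group ... in` on Serial0 silently discards the binding of list 10, which is the operational trap behind the one-list-per-direction rule: if list 10 held the intended restriction, nothing in the running configuration warns that it is no longer applied.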

Database Exchange State Changes

The following is a brief description of the possible OSPF neighbor state changes when the routers are exchanging Database Description (DD) packets. These steps occur when two routers decide to form an adjacency. For example, on broadcast media, a router becomes Full only with the DR and the BDR; it stays in the 2-Way state with all other neighbors.
ExStart This state indicates the first step in creating an adjacency, the goal of which is to decide which router is the master and which is the slave. The master router is the...

Designated Routers

OSPF builds adjacencies between routers for purposes of exchanging routing information. However, when OSPF has to deal with NBMA or broadcast networks, a problem presents itself. In these types of networks, there are multiple routers on one segment, which would result in too many adjacencies. To combat superfluous adjacencies, the Designated Router (DR) was introduced. OSPF designates a single router per multiaccess network to build adjacencies with all other routers on that network (and a Backup Designated Router, or BDR, to take over if it fails). Without a DR, every pair of routers on the segment would need its own adjacency. You can calculate the number of...

Determining the Number of Areas per ABR

ABRs keep a copy of the database for all areas that they service. For example, if a router is connected to five areas, it must keep five different databases. It is better not to overload an ABR; rather, you should spread the areas over other routers. The ideal design is to have each ABR connected to two areas only, the backbone and one other area, with three to five areas being the upper limit. Figure 4-19 shows the difference between one ABR holding five different databases, including area 0 (part...

Determining the Number of Neighbors per Router

OSPF floods all link-state changes to all routers in an area. Routers with many neighbors have the most work to do when link-state changes occur. In general, a router should have no more than 60 to 100 neighbors. TIP Chapter 2, Introduction to OSPF, discussed the differences between neighbors and adjacencies. Refer to that chapter as necessary. An example of the 60 to 100 neighbor rule is the case of a number of routers connected on the same LAN. Each LAN has a DR and BDR that build adjacencies...
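
The DR mechanism behind the adjacency counts in the two sections above, as an added example (not code from the book): a cold-start DR/BDR election reduced to its steady-state outcome (RFC 2328 section 9.4), including the two behaviors that surprise people in practice, that a later router with a higher priority does not preempt the sitting DR and that when the DR disappears the BDR is promoted rather than a fresh election being held, alongside the 2n-3 versus n(n-1)/2 adjacency count. The segment, router IDs and priorities are constructed.

```python
import ipaddress

# Constructed segment: four routers, one of them ineligible (priority 0).
SEGMENT = [{"rid": "10.0.0.1", "priority": 1}, {"rid": "10.0.0.4", "priority": 1},
           {"rid": "10.0.0.2", "priority": 1}, {"rid": "10.0.0.9", "priority": 0}]


def _rank(router):
    """Election order: priority first, then the numerically higher router ID."""
    return (router["priority"], int(ipaddress.IPv4Address(router["rid"])))


def elect(routers, incumbent_dr=None, incumbent_bdr=None):
    """DR/BDR election on one multiaccess segment, reduced to the steady state.
    Priority 0 routers are ineligible. Incumbents keep their role while they
    remain on the segment (OSPF does not preempt), so a later, higher-priority
    router becomes a DROther. If the DR disappears the BDR is promoted and a
    fresh BDR is chosen from the remaining eligible routers."""
    ordered = sorted((r for r in routers if r["priority"] > 0), key=_rank, reverse=True)
    eligible = [r["rid"] for r in ordered]
    if not eligible:
        return None, None
    if incumbent_dr in eligible:
        dr = incumbent_dr
    elif incumbent_bdr in eligible:
        dr = incumbent_bdr
    else:
        dr = eligible[0]
    if incumbent_bdr in eligible and incumbent_bdr != dr:
        bdr = incumbent_bdr
    else:
        bdr = next((rid for rid in eligible if rid != dr), None)
    return dr, bdr


def adjacencies(n, with_dr=True):
    """Adjacencies on a segment of n routers: every router pairs with the DR
    and the BDR (2n-3 in total) instead of a full mesh of n(n-1)/2."""
    if n < 2:
        return 0
    return 2 * n - 3 if with_dr else n * (n - 1) // 2


if __name__ == "__main__":
    dr, bdr = elect(SEGMENT)
    print("cold start:", dr, bdr)
    later = SEGMENT + [{"rid": "10.0.0.3", "priority": 100}]
    print("priority 100 joins:", elect(later, dr, bdr))
    print("DR fails:", elect([r for r in later if r["rid"] != dr], dr, bdr))
    print("adjacencies for 10 routers:", adjacencies(10), "vs full mesh", adjacencies(10, False))
```

Because the election is not preemptive, the only reliable way to control which router is DR on a production segment is to set `ip ospf priority` before the routers come up (or to set priority 0 on everything that must never win), not to raise a priority afterwards and expect a change.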

Document Your Security Plan

This does not mean that you should write down all your network passwords! Instead, as you go through the process of identifying and designing your network security needs and actions, you should document your findings and the resulting security actions. Having a written, living security document is vital to proper implementation of your overall network security strategy. This also helps those who succeed you understand why the network security was implemented and designed in such a way. It can...

Ensuring a Connection to Area 0

In the rare situation that a new area, which cannot have a direct physical access to the backbone, is introduced, you need to configure a virtual link. A virtual link creates a path between two ABRs that are not directly connected. Refer to Figure 4-30 for an example of this concept. Here, area 4 does not have a physical connection to area 0, so it uses a virtual link (through area 1) to connect to area 0 using Routers A and B, respectively. Figure 4-30 Connecting to Area 0 with a Virtual Link...

Ensuring Contiguous Areas

A contiguous OSPF area (see Figure 4-23) is one in which a continuous path can be traced from any router in an area to any other router in the same area. Basically, all routers in the backbone should be directly connected to other backbone routers. This does not mean that all routers must share a common network media (such as Ethernet).
Figure 4-23 Contiguous Areas Within an OSPF Network (Area 4 Is Discontiguous)
Ideally, areas should have multiple redundant internal and external links to...

Example 1 Remote Router Is in Two Areas, Neither Is Area 0

This approach does not work because the LAN interface cannot be in more than one area, as shown in Figure 5-23. There is no exchange of link-state information between areas 1 and 2. As shown in Figure 5-23, the site router is located in two different OSPF areas, and neither of them is in area 0. However, if the site LAN is not included in the OSPF routing, and its routing information is injected with a static route either at the site router or at the ABR for area 1, this approach can be made to...

Example 2 Site Router Is in Two Areas, One Is Area 0

This approach makes the site router (Router A) an ABR under failure. It does work; however, it is not considered an acceptable design because it would make the site router part of area 0 if it were ever disconnected from Router B. This design would require more resources than would be cost-effective in all but the smallest networks (see Figure 5-24).
Figure 5-24 Site Router Is in Two Areas (One Is Area 0)

Example 3 Remote Site Router Is in One Area

This approach is the most suitable and works even if the backup router (Router C in Figure 5-25) is located elsewhere. The secret is that Router C does not summarize for its attached areas; therefore, Router C originates more specific prefixes for the networks in failure. The disadvantage is that dedicated backup interfaces are required for each area. Example 5-39 shows some sample configurations for this design scenario. Example 5-39 Configuring OSPF for On-Demand Circuits Remote Site Router Is...

Example 4 Remote Site Router Is in Two Routing Domains

This approach relies on one-way redistribution of multiple instances of a separate routing protocol into OSPF, as shown in Figure 5-26. Auto-summarization must also be disabled in this scenario. Administrative distances should be tweaked to ensure that OSPF is the favored routing protocol. This approach has the advantage that interfaces can be shared among areas; that is, a dedicated set of interfaces for each area is not required. Figure 5-26 Remote Site Router in Two Routing Domains...

Filtering Routes

Two methods are used to filter routes with OSPF: distribute lists and route maps. The command syntax for configuring each is as follows: protocol-name route-map route-map-name. A route map is a powerful tool that allows easy altering of routing information. Route maps should be used in place of distribute lists whenever possible in OSPF because route maps do not have the limitations of distribute lists, as previously discussed. 1-99 in interface: Use this command to call a standard access list to...

Adjacencies are formed with the DR (Rtr A) and BDR (Rtr D). The charts in this figure show how the adjacencies are formed and developed within the broadcast network shown. When configuring an interface as nonbroadcast, OSPF cannot perform multicasting on that link. Lack of multicast functionality impacts OSPF's operation because OSPF Hellos cannot be properly transmitted. Hellos are multicast to different well-known OSPF multicast addresses. If OSPF cannot send these multicast Hello packets,...

Flooding Process Protocol

Flooding in OSPF is responsible for validating and distributing link-state updates to the link-state database whenever a change or update occurs to a link. Changes or updates are key concepts regarding when flooding occurs. Flooding is part of the LSDB synchronization mechanism within OSPF. The goal of this mechanism is to keep the LSDBs of the routers in an OSPF domain synchronized within time in the presence of topological changes. In the event of a link-state change (for example, from up to...

Fully Meshed Versus Partially Meshed Network Topology

Nonbroadcast multiaccess (NBMA) clouds, such as Frame Relay or X.25, are always a challenge in OSPF. The combination of low bandwidth and too many LSAs can cause problems. A partially meshed topology has been proven to behave much better than a fully meshed network topology. Figure 4-21 shows the benefits and differences between the two topologies. In some cases, a carefully laid out point-to-point or point-to-multipoint network can work better than multipoint networks, which must deal with LSA...

Golden Rules for Designing a Secure Network

Security measures keep people honest in the same way that locks do. Cyber-thieves by nature go after the least-defended part of a network. Consider this analogy. In a neighborhood where 25 percent of the homes have home security systems, thieves target the least-defended homes (those without security systems) first. This analogy fits well with networking. When a hacker is doing reconnaissance (for example, port scanning, nmap, and so on) against potential targets, a percentage of these hackers...

Hello Process Protocol

Although this is an OSPF book, many different protocols use a concept of Hello packets just like OSPF, for example EIGRP. Therefore, understanding the rationale behind the use and implementation of Hello is important. Specifically in OSPF, the Hello protocol is used for the following purposes: to ensure that communication between neighbors is bidirectional (two-way); to discover, establish, and maintain neighbor relationships; to elect the DR and BDR on broadcast and NBMA networks; and to verify that...

Hello Protocol Operational Variations

In broadcast networks (for example, Ethernet or Token Ring), each router advertises itself by periodically sending out multicast Hello packets, which allow neighbors to be discovered dynamically. In NBMA networks (for example, Frame Relay, X.25, or ATM), the OSPF router can require some additional configuration information in order for the Hello protocol to operate correctly. This configuration is the protocol going out onto the network to find or elect the designated router, as previously...

Hello Protocol Packet Format

The OSPF Hello protocol packets are formatted in only one way. All OSPF packets start with a standardized 24-byte header, which contains information that determines whether processing is to take place on the rest of the packet. The packets contain the fields that are shown in Figure 3-23, always in the same order. All the fields in this format are 32-bit fields, except for the following fields. The following list describes what each of the packet fields represents: Version: Identifies the OSPF...

Hello Protocol State Changes

The following is a brief description of the possible OSPF neighbor state changes when the Hello protocol is being used. Down: This is the initial state of a neighbor conversation. This state means that no information has been sent from any neighbors. This state is usually seen when a router first begins speaking OSPF in a network or when there is a problem and the router dead interval timer (Hello interval * 4) has expired for some reason, resulting in OSPF. Attempt: This is valid only for...

Hierarchical Network Design Techniques

When designing your OSPF network, the following factors are supported by OSPF and are currently accepted network design theories:

- A three-tiered backbone approach allows fast convergence and economy of scale.
- Never use more than six router hops from source to destination (see the following note).
- Use 30 to 100 routers per area. (This can be adjusted depending on factors discussed later.)
- Do not allow more than two areas per Area Border Router (ABR) in addition to the ABR's connection to area 0....

How OSPF Authentication Works

When OSPF authentication has been configured on a router, the router authenticates the source of each routing update packet that it receives. This is accomplished by the exchange of an authenticating key (sometimes referred to as a password) that is known to both the sending and the receiving router. The following types of OSPF neighbor authentication are used: Message Digest Algorithm Version 5 (MD5) authentication. Both forms work in essentially the same way, with the exception that MD5 sends a...

When route summarization is enabled, OSPF uses the metric of the best route in the summary advertisement. In Cisco IOS Software Release 10.2 and earlier, Cisco's implementation of OSPF assigned default costs to a router's interface, regardless of the bandwidth attached to the interface. For example, Cisco IOS Software would give a 64-kbps line and a T1 link the same OSPF cost, clearly a problem. This required the user to override the default value to take advantage of the faster link. Cisco IOS...

Implementation Considerations

Consider the following items before implementing on-demand circuits on a Cisco router in an OSPF network:

- Because LSAs that include topology changes are flooded over an on-demand circuit, you need to put demand circuits within OSPF stub areas or within NSSAs to isolate the demand circuits from as many topology changes as possible. If these circuits are constantly being activated, high costs result, defeating the purpose of their design.
- To take advantage of the on-demand circuit functionality...

Info

- Specific LSAs (Types 1 and 2)
- Default external 0.0.0.0 route, blocks all other external routes

You can also design totally stubby areas within your network. Totally stubby areas are a Cisco-specific feature that is available within its implementation of the OSPF standard. If an area is configured as totally stubby, only the default summary link is propagated into the area by the ABR; interarea and external LSAs are blocked at the ABR of a totally stubby area. An ASBR cannot be part of a...

Interoperability Issues with VLSM

Routers in a single segment must agree on the network mask. For example, if every router does not agree on the same mask for an Ethernet segment or a Frame Relay link, a breakdown in communication will occur. Consider that IGRP does not support VLSM, so when information is redistributed from OSPF to IGRP or RIP version 1 (RIP-1), only a single mask is used. The best way to make redistribution work is to hide all VLSMs from IGRP. OSPF should summarize the networks to achieve one mask per network...

Introduction to OSPF

It seems appropriate in this chapter to share with you a caption from a small picture that my wife gave me when we celebrated our 13th wedding anniversary. I keep it on my desk to remind myself of the bigger picture. My daughter also likes it because it has a picture of a family of dolphins swimming, and it struck a chord that I felt was essential to have in my life: "The family is a harbor of safety in an ocean of change. It is an association established in nature and guided by enduring...

Introduction to SNMP

Until the early to mid-1990s, the network management method used for these devices depended on SNMP-compatible management platforms offered by the hardware vendors. The vendors provided remote configuration of the devices, capabilities for minor and major alarms, and network mapping. All of these items provided benefits to network managers, who no longer had to configure a device on site or look at the LEDs for alarms. Network management could now be controlled via a centrally located...

Limit the Scope of Access

You should create appropriate barriers inside your network so that if intruders access one part of the network, they do not automatically have access to the rest of the network. As with many things, the security of a network is only as good as the weakest security level of any single device in the system. Having a layered approach to security can slow an intruder and allow detection of him or her. Having a big lock is good, but if that lock is your only line of defense, you might want to...

Load Balancing

As part of your design, you must consider the traffic flow across the network and whether to use load balancing. This OSPF feature can be helpful in your network's overall design. This section discusses how to best utilize the OSPF load-balancing feature with a network. In routing, load balancing is the capability of a router to distribute traffic over all its network ports that are the same distance from the destination address. Good load-balancing algorithms use both line speed and...

Loopback Interfaces

OSPF uses the highest IP address configured on an active interface as its RID. If the interface associated with this IP address is ever unavailable, or if the address is removed, the OSPF process must recalculate a new RID and flood all its routing information out its interfaces. The highest IP address on a router would be the largest numerical IP address assigned to an active interface. If a loopback interface is configured with an IP address, OSPF defaults to using this IP address as its RID,...

Management Information Base Overview

The MIB is an established database of the hardware settings, variables, memory tables, or records stored within files. These records are called data elements. Data elements contain the information concerning the status, configuration, and statistical information base used to define the functionality and operational capacity of each managed device. This information is referred to as a MIB. Each data element is referred to as a managed object. These managed objects consist of a name, one or...

Managing and Securing OSPF Networks

"No poor bastard ever won a war by dying for his country. He won it by making the other poor bastard die for his." (General S. Patton) The management of your OSPF network is just as important as the security. In fact, a case could be made that proper network management is the most important aspect of having your network operate smoothly. In many cases this is a true statement; this is because organizations and users now depend on the network to perform their daily activities. The success of a...

Mending a Partitioned Area

OSPF does not actively attempt to repair area 0 partitions. When an area becomes partitioned, the new sections simply become separate areas. As long as the backbone can reach both of these areas, it continues to route information to them. A virtual link functions as if it were a point-to-point link. Physically, however, the link is composed of the two backbone routers, each of which is connected to area 0. The two backbone routers establish a virtual adjacency so that LSAs and other OSPF...

MIBs and Object Identifiers

A MIB can be depicted as an abstract tree with an unnamed root. Individual data items make up the leaves of the tree. Object Identifiers (OIDs) uniquely identify or name MIB objects in the tree. OIDs are like telephone numbers: they are organized hierarchically with specific digits assigned by different organizations. The OID structure of an SNMP MIB defines three main branches: Consultative Committee for International Telegraph and Telephone (CCITT). Much of the current MIB activity occurs in the...

Multipoint Subinterfaces

Cisco serial interfaces are multipoint interfaces by default, unless specified as a point-to-point subinterface. However, it is possible to divide the interface into separate virtual multipoint subinterfaces. Multipoint interfaces or subinterfaces are still subject to the split horizon limitations, as previously discussed. All nodes attached to a multipoint subinterface belong to the same network number. Typically, multipoint subinterfaces are used in conjunction with point-to-point interfaces...

Mutual Redistribution

So far, you have learned about redistribution, how to generate default routes, and how external routes represent routes that are redistributed into OSPF, but there is still a bit more to redistribution. Enter the last concept before getting into more configuration examples. This concept is known as mutual redistribution. As you should know by now, redistribution is the process of importing route information from one routing protocol into another. The concept is further expanded through mutual...

Naming an Area

This is an important task because everyone will be using the convention and name that you choose. OSPF uses an area ID (AID) to uniquely identify each area. In OSPF, the AID is a 32-bit number, which can be expressed either in dotted decimal format, like an IP address, or as a decimal number. Cisco routers understand either, and the formats can be used interchangeably; for example, AID 192.168.5.0 and AID 3232236800 are the same. In the first example, AID 1 is easier to write than AID 0.0.0.1,...

Neighbor Stuck in 2Way State

In the topology in Figure 3-35, all routers are OSPF neighbors over the Ethernet network. Example 3-18 provides sample output of the show ip ospf neighbor command on R7. Example 3-18 Output from the show ip ospf neighbor Command for Router 7. R7 establishes full adjacency only with the DR and BDR. All other routers have a 2-way adjacency...

Network Data Encryption

To safeguard your network data, Cisco provides network data encryption and route authentication services in Cisco IOS Software. This section briefly discusses how route authentication in OSPF is done and how it can benefit your network. Network data encryption is provided at the IP packet level. IP packet encryption prevents eavesdroppers from reading the data that is being transmitted. When IP packet encryption is used, IP packets can be seen during transmission, but the IP packet contents...

Network Management

As network deployment and use increase, network management is increasingly becoming the focus of many organizations. These organizations range from those using a network to support their core business to those using networks as sales tools to those outsourcing or selling network management solutions. The goal of everyone involved in network management is to proactively find and fix all network problems before users know that a problem exists. Many obstacles must be tackled ranging from the...

Network Management System

The network management system (NMS) (also known as the manager) is software that has the capability of operating on one or more workstations. This software can be configured to manage different portions of a network, or multiple managers can manage the same network. The manager's requests are transmitted to one or more managed devices on the desired network. These requests are sent via TCP/IP. SNMP does not depend on TCP/IP for transport across a network. SNMP has the capability to be...

Network Management System Operation

The flow chart presented in Figure 8-7 enables you to better understand the sequence of events that happens when an NMS requests information through the use of SNMP. This flow of events is presented in a generic format from a high-level perspective. As with any complex network operation, many events also occur that allow the operation to take place. The sequence of events that occurs during an NMS request can be described more fully as follows: 1. The network manager or engineer decides he needs...

Network Management Tools

Literally hundreds of solutions, tools, and technologies exist in the market today to make the job of managing networks better, easier, and more efficient. Many different sources provide information regarding network management systems (NMSs). Therefore, you do not see coverage of specific systems, but rather details on some overall general characteristics that should be present in every enterprise-capable NMS. Cisco has developed the following tools to streamline network management

Network Security

Network security has probably been one of the least considered aspects of network operation and design. As enterprise networks evolve, it has become an increasingly larger concern. Is this concern justified? The answer is a resounding yes, and the concerns are probably late in coming. The Computer Security Institute conducts an annual Computer Crime and Security Survey. In 2002, the Institute reported that 90 percent of the companies polled detected computer security breaches within the last 12 months,...

Networking and Routing Fundamentals

Achievement: "Unless you try to do something beyond what you have already mastered, you will never grow." (Successories) In recent years, the growth of networks everywhere has accelerated as many organizations move into the international business arena and join the Internet community. This expansion continues to drive the development, refinement, and complexity of network equipment and software, consequently resulting in some unique issues and exciting advances. You rarely see an advertisement that...

Nonprivileged Access

As previously discussed, if all servers are unavailable, you could be locked out of the router. In that event, the following configuration command enables you to determine whether to allow a user to log in to the router with no password (succeed keyword) or to force the user to supply the standard login password (password keyword): tacacs-server last-resort {password | succeed}. The following commands specify a TACACS server and allow a login to succeed if the server is down or unreachable...

Nonprivileged Mode Read Only

Use the RO keyword of the snmp-server community command to provide nonprivileged access to your routers via SNMP. The following configuration command sets the agent in the router to allow only SNMP GETREQUEST and GETNEXTREQUEST messages that are sent with the community string public. You can also specify a list of IP addresses that are allowed to send messages to the router using the access-list option with the snmp-server community command. In the following configuration example, only hosts...

Not-So-Stubby Areas

As mentioned in Chapter 2, NSSAs have their own RFC and are an interesting concept to the normal operation of OSPF. The advent of this new type of hybrid stub area also introduced a new LSA, Type 7, which is responsible for carrying external route information. NSSAs are similar to regular OSPF stub areas except that an NSSA does not flood Type 5 external LSAs from the core into the NSSA, but as a hybrid stub area, an NSSA has the capability to import AS external routes in a limited fashion...