Access Lists for SNMP

Access lists can be used to prevent SNMP-enabled devices from responding to SNMP requests from sources that are not allowed to make them. For example, this feature can be used to prevent other NMSs from altering the configuration of a given router or router group: if a requesting station is not permitted by the access list, it is denied. Access lists are extremely useful in complex internetworks and are implemented across the majority of Cisco's supported protocols. This use of access lists is similar to an...

Acknowledgments

I am very grateful to the group of talented people that were assembled to make this book a reality. Through their knowledge, dedication, and hard work, this book has become more than I ever thought possible. The most important acknowledgment must go to my wife, Rose, who put up with me writing all night after working all day. Her unwavering support was the single greatest factor in my ability to complete the book you now hold in your hands. Writing this book allowed me to assemble a team of...

Activating OSPF

As with other routing protocols, enabling OSPF on Cisco routers requires the following preliminary steps before the process begins:
1. Determine the process ID under which OSPF is to run within your network. The process ID is locally significant to the router, so it does not have to match the process ID configured on the routers to which you connect. The possible range for an OSPF process ID is 1-65535.
2. Specify the range of addresses that are to be associated with the OSPF routing process. This is part of one command that must...

Adding OSPF Areas

Figure 6-9 illustrates how each of the RIP clouds can be converted into an OSPF area. All three routers then become ABRs, which control network information distribution between OSPF areas and the OSPF backbone. Each router keeps a detailed record of the topology of its area and receives summarized information from the other ABRs on their respective areas. Figure 6-9 also illustrates VLSM addressing. VLSM uses different size network masks in different parts of the network for the same network...

Adding OSPF to the Center of a RIP Network

A common first step in converting a RIP network to an OSPF network is to convert backbone routers into running both RIP and OSPF, while the remaining network edge devices run RIP. These backbone routers automatically become OSPF ASBRs (redistributing RIP into OSPF). Each ASBR controls the flow of routing information between OSPF and RIP. In Figure 6-8, Routers Morpheus, Neo, and Trinity are configured as ASBRs when redistributing RIP into OSPF. RIP does not need to run between the backbone...

Adjacencies

For adjacencies to form, OSPF must first have discovered its neighbors. Adjacencies are formed for the purpose of exchanging routing information. Not every neighboring router forms an adjacency. OSPF forms an adjacency with a neighbor under any of the following conditions:
- Network connectivity is point-to-point.
- Network connectivity is achieved through a virtual link.
- The neighboring router is the DR.
- The neighboring router is the BDR.
Adjacencies control the distribution of routing updates in the sense that...

Administrative Distance and Metrics

Regardless of the reason that you have encountered redistribution, there are some characteristics of how it operates within OSPF and on Cisco routers that you should know. When redistributing from one routing protocol to another, keep in mind the following items. Previous chapters have discussed the metrics used by OSPF and how to manipulate them. Administrative distances help with route selection among different routing protocols, but they can cause problems for redistribution. These problems can be in the form of...

Agent Response to NMS Request

The flow chart presented in Figure 8-8 describes the second part of the SNMP operation, in which the SNMP request is received by the managed device and passed to the agent, which processes and answers the request. This flow of events is presented in a generic format from a high-level perspective. As with any complex network operation, many other events also occur to allow the operation to take place. Figure 8-8 Agent Response Flow Chart to NMS Request Step 1 Agent uses ASN.1 Basic Encoding...

Agents

An agent is a network management software module that resides in a managed device. It has local knowledge of management information and translates that information into a form that is compatible with SNMP by storing operational data in the MIB database for retrieval by the NMS. To be a managed device, each device must have firmware in the form of code. This firmware translates the requests from the SNMP manager and responds to these requests. The software, or firmware (not the device itself),...

Altering Link Cost

Recall that OSPF calculates its cost (metric) to a destination based on the bandwidth of the link(s) to that destination. Therefore, to influence OSPF's routing decisions, you can either change the bandwidth on the interface, which in turn affects the cost of the link, or you can directly change the OSPF cost of the interface. You can apply the following commands on a per-interface basis: Router(config-if)# ip ospf cost 1-65535 Allows you to configure the cost of an interface in OSPF, thus...
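As an added example (not code from the book), the following Python models how Cisco IOS derives the interface cost that ip ospf cost overrides: the reference bandwidth (100 Mbps by default) divided by the interface bandwidth, truncated to an integer and clamped to 1-65535. The link table is constructed, and the 10 Gbps reference bandwidth used for comparison is an assumed value chosen to show what raising the reference does.

```python
"""OSPF interface cost as Cisco IOS derives it (added example, not from the book)."""
from typing import Dict, Optional

DEFAULT_REF_BW_BPS = 100_000_000  # IOS default 'auto-cost reference-bandwidth 100' (Mbps)
MIN_COST, MAX_COST = 1, 65535     # valid range of 'ip ospf cost'


def ospf_cost(bandwidth_bps: int,
              ref_bw_bps: int = DEFAULT_REF_BW_BPS,
              override: Optional[int] = None) -> int:
    """Cost an interface carries into the SPF calculation.

    override models 'ip ospf cost <1-65535>', which replaces the derived value;
    bandwidth_bps models the 'bandwidth' interface command (or the link's native speed).
    """
    if override is not None:
        if not MIN_COST <= override <= MAX_COST:
            raise ValueError("ip ospf cost must be 1-65535")
        return override
    if bandwidth_bps <= 0:
        raise ValueError("bandwidth must be positive")
    cost = ref_bw_bps // bandwidth_bps       # IOS truncates; it does not round
    return max(MIN_COST, min(MAX_COST, cost))


# Constructed link speeds (bps) standing in for a mixed-speed network.
LINKS: Dict[str, int] = {
    "Serial0 (56 kbps)": 56_000,
    "Serial1 (T1)": 1_544_000,
    "Ethernet0": 10_000_000,
    "FastEthernet0": 100_000_000,
    "GigabitEthernet0": 1_000_000_000,
}


def cost_table(ref_bw_bps: int = DEFAULT_REF_BW_BPS) -> Dict[str, int]:
    """Costs for every constructed link under a given reference bandwidth."""
    return {name: ospf_cost(bw, ref_bw_bps) for name, bw in LINKS.items()}


if __name__ == "__main__":
    # With the default reference, FastEthernet and GigabitEthernet both cost 1,
    # so OSPF cannot prefer the faster link. Raising the reference to 10 Gbps
    # (assumed value) separates them but pushes the 56 kbps link onto the clamp.
    for ref in (DEFAULT_REF_BW_BPS, 10_000_000_000):
        print(f"reference bandwidth {ref // 1_000_000} Mbps:")
        for name, cost in cost_table(ref).items():
            print(f"  {name:<20} cost {cost}")
```

Two things the table makes visible: every link of 100 Mbps or faster collapses to cost 1 under the default reference, and a changed reference bandwidth must be applied on every router in the domain, otherwise costs stop being comparable and forward and return paths can diverge.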

Altering LSA Retransmissions

Cisco routers have the capability to alter the timing with which they retransmit LSAs on a per-interface basis. When a router runs OSPF and transmits an LSA to a neighbor, the normal operation of OSPF is to hold that LSA until the router receives an acknowledgment that the LSA was received successfully. By default, a router waits 5 seconds for the acknowledgment and, if needed, the LSA is retransmitted. In certain instances, this waiting period is not long enough for the round trip when a...

Altering LSA Transmission Delay

The final option of altering the normal operation of OSPF LSAs also evolved from the need to have OSPF operate properly over slow links. Specifically, LSAs can take a longer time to be transmitted over a link. OSPF currently allows 1 second in the Cisco implementation. When this is not enough time, the ip ospf transmit-delay command should be used on the desired interface. This command allows a delay to be added prior to transmission, as demonstrated in Example 3-2. Example 3-2 Configuring a...

Altering Neighbor Cost

In your network, you want to prioritize or alter traffic flow based on the cost of a link. Suppose that you want to alter (increase or decrease) the default cost that is associated with a link to a neighbor. You can change this cost by assigning a cost associated with that neighbor as follows On point-to-multipoint broadcast networks, there is no need to specify neighbors. However, you can specify neighbors with the neighbor command in which case you should specify a cost to that neighbor. On...

Altering OSPF Administrative Distance

An administrative distance is a rating of the priority (that is, trustworthiness) of a routing information source, such as an individual router or a group of routers. Numerically, an administrative distance is an integer from 0 to 255. Specifically, the higher the numerical value of administrative distance, the lower the trust rating. An administrative distance of 255 means that the routing information source cannot be trusted and should be ignored. Table 5-14 shows administrative distance...

Altering Routes

OSPF also allows the altering of routes, as discussed in Chapter 5. Specifically, OSPF supports the direct changing of the administrative distance associated with OSPF routes through the use of the distance command. OSPF can also use the passive-interface command to prevent Hello packets and LSAs from being sent on the specified link. The list that follows shows the general syntax and descriptions for these commands that allow you to alter routes: ospf 1-255 Use this command to change the...

Applying Access Lists to Interfaces

You can apply only one access list to an interface for a given protocol per direction (that is, inbound or outbound). With most protocols, you can apply access lists to interfaces as either inbound or outbound. If the access list is inbound, when the router receives a packet, Cisco IOS Software checks the access list's criteria statements for a match. If the packet is permitted, the software continues to process the packet. If the packet is denied, the software discards the packet. If the...

Area Address Assignment

Here, each Class C network is used entirely in its own area, which leaves you needing 16 more, so the Class B address is subdivided using an area subnet mask so that its addresses are distributed equally among the 16 areas. The Class B network, 150.100.0.0/16, could be subnetted as follows. The letters x, y, and z represent bits of the last two octets of Class B 150.100:

    150.100. x x x x | y y y y . y z z z z z z z
                     ^ area mask boundary

Note the following points about this scheme: The 4 x bits are used to...

Area Design Overview

When creating large-scale OSPF internetworks, the definition of areas and assignment of resources within areas must be done with a pragmatic view of your OSPF internetwork. This assignment of resources includes both physical and logical networking components so that optimal performance results. This section discusses some of the items that are applicable to designing any type of OSPF area. Specific considerations are discussed after each area type. Areas are essentially small networks contained...

Area Sizing

Determining the number of routers to deploy within each OSPF area is extremely important and should be done with flexibility in mind. Factors that are hard to know during design (such as which links will flap) can be compensated for with flexibility in your design and implementation. During initial network convergence, OSPF uses the CPU-intensive SPF algorithm. Experience has shown that 40 to 50 routers per area is the optimal upper limit for OSPF in the majority of networks. This is not to say...

Assessing the Need for Security

As more users access the Internet, and as companies expand their networks, the challenge to provide security for internal networks becomes increasingly difficult. Companies must determine which areas of their internal networks they must protect, learn how to restrict user access to these areas, and determine which types of network services they should filter to prevent potential security breaches. It should now be obvious that security must be a consideration at all levels of your network. It...

Avoiding Redistribution Loops

Even though trying to avoid redistribution loops is a golden rule for route redistribution, these loops do occur. To summarize what is occurring, realize that Router A is distributing network 230.250.15.0 into the RIP network. Router B then sees this network advertised by RIP as a valid destination, so Router B tells the OSPF network that it can reach network 230.250.15.0. This results in a nasty routing loop, as illustrated in Figure 6-6. Figure 6-6 Example of a Redistribution Loop Figure 6-6...

Backbone Area Design

The OSPF backbone (also known as area 0) is extremely important. If more than one area is configured in an OSPF network, one of these areas must be area 0. When designing networks, it is good practice to start with area 0 and then later expand into other areas. To summarize, the OSPF backbone is the part of the OSPF network that acts as the primary path for traffic that is destined to other areas or networks. Accepted network design theory recommends a three-tiered approach (see Figure 4-24)....

Backbone Design Golden Rules

Use the following guidelines when designing an OSPF backbone (area 0):
- Understand that area 0 is a transit area, not a destination for traffic.
- Ensure that the stability of the backbone area is maintained and monitored.
- Ensure that redundancy is built into the design whenever possible.
- Ensure that OSPF backbones are contiguous.
- Keep this area simple. Fewer routers are better.
- Keep the bandwidth symmetrical so that OSPF can maintain load balancing.
- Ensure that all other areas connect directly to...

Basic Routing Protocol Operation

Consider an example of a router that is initially configured with two networks to which it directly connects. The router has only these two networks in its routing table. Other networks beyond the initial two are not entered into the routing table because they do not directly connect to the router. So how does the router learn about these other networks? This can be accomplished in the following ways:
- Static routing: A manually defined and installed type of route within the router as the...

Benefits of OSPF Neighbor Authentication

When configured, neighbor authentication occurs whenever routing updates are exchanged between neighboring OSPF routers within the OSPF area that has authentication activated. This authentication ensures that a router receives reliable routing information from a trusted source (that is, an OSPF neighbor). Without OSPF authentication, unauthorized or deliberately malicious routing updates could compromise the integrity of your network traffic. A security compromise could occur if an unfriendly...

Blocking LSA Flooding

By default, OSPF floods new LSAs out all interfaces in the same area, except the interface on which the LSA arrives. OSPF floods based on the characteristics discussed earlier in this chapter. This is important because OSPF-specific behavior is to continue flooding until an acknowledgment of the link-state update packet is received. Some redundancy is desirable because it ensures robust flooding and accurate routing; however, too much redundancy can waste bandwidth and might destabilize the...

Business Considerations

Table 2-3 documents business issues to consider when selecting a routing protocol.

Table 2-3 Important Business Considerations for Routing Protocol Selection

Many companies prefer to use protocols that are based on standards whenever possible; this is strongly recommended in every network. Networks that run on protocols that are not standards-based will eventually cause problems. OSPF is a standard protocol that was developed by a committee of the IETF as an alternative to the RIP protocol. OSPF is...

Case Study Adding a New OSPF Router to a Network

This case study provides a scenario that covers most of the information presented in this chapter. Suppose that a new OSPF router is added to a network. With this scenario, follow the case study to understand the ramifications of how adding a new OSPF router would affect an operating network. Refer to Figures 2-12 through 2-15, which detail each step of the process as it occurs in the following sequence:
1. A new OSPF router is added to the network.
2. This new router immediately transmits a...

Case Study Assigning Unique Network Numbers to Each OSPF Area

In this scenario, each OSPF area has its own unique NIC-assigned IP address range. This can be as grand as a Class A address for the entire network, with multiple Class Bs assigned to each area, or more realistically, it can be a group of Class C addresses. This example is demonstrated in Figure 5-27. The benefits of this method are as follows:
- Address assignment is simple because each area has its own unique network.
- Configuration of the routers is easy, reducing the likelihood of errors....

Case Study Conclusion

The objective of this case study was to demonstrate how to use, configure, and troubleshoot an OSPF point-to-multipoint link. You have seen an example and explanation for the configuration, which should help you in both design considerations and implementation. The different show and debug commands reviewed can assist you in troubleshooting the point-to-multipoint configuration and, by demonstrating the data, should be helpful in troubleshooting more general OSPF problems as well. A summary of...

Case Study Designing an OSPF Network

This case study uses the technical aspects discussed in the previous two case studies and then follows the design tenets and procedures that were presented in this chapter. Every network is different, having unique requirements and business considerations. Keep in mind that this fictional case study is not designed to be the ultimate answer or the only possible solution instead, consider it an outline on how to successfully meet design needs. Terrapin Pharmaceuticals has 25 regional sales...

Case Study OSPF Network Evolution and Convergence

The preceding two case studies reviewed the link-state database and how it was developed. This case study takes some concepts that were introduced in this chapter and shows how a simple OSPF network evolves and converges. MatrixNet, a high-tech graphics firm that does specialized animations for the movie industry, has approached you to implement OSPF in its core network. The network is connected via Ethernet between the three routers, as shown in Figure 2-19. Figure 2-19 MatrixNet OSPF Core...

Case Study Point-to-Multipoint Link Networks

The objective of this case study is to demonstrate how to design, configure, and troubleshoot an OSPF point-to-multipoint link network. This feature's importance is linked with the increased use of Frame Relay and ATM due to reduced cost for the service. As customers used point-to-multipoint on nonbroadcast media (Frame Relay), they found that their routers could not dynamically discover their neighbors. The OSPF point-to-multipoint link feature allows the neighbor command to be used on...

Case Study Troubleshooting Neighbor Problems

When you execute a show ip ospf neighbor command and it reveals nothing, or it shows nothing about the particular neighbor you are analyzing, this router has seen no valid OSPF Hellos from that neighbor. Check the following items:
1. Is the local router's or the neighboring router's interface up, with line protocol up? Use the show interface command to find out.
2. Check for IP connectivity between the neighboring routers as follows:
   A. Can you ping the neighbor?
   B. Does the neighbor respond...

Case Study Understanding Subinterfaces

One of the most difficult concepts to understand is the difference between point-to-point and multipoint interfaces on a router. This section briefly discusses the different scenarios regarding the use of each. A router has two different types of serial subinterfaces that provide a flexible solution for routing various protocols over partially meshed networks. A single, physical interface can be logically divided into multiple, virtual subinterfaces. The serial subinterface can be defined as...

Case Study VLSMs

In 1987, RFC 1009 was published with the purpose of specifying how a subnetted network could use more than one subnet mask. As discussed earlier in this chapter, when an IP network is assigned more than one subnet mask, it is considered a network with variable-length subnet masks because the subnet masks (prefixes) have varying lengths. If you recall, the use of VLSM brings benefits to a network and routing that allow for increased routing optimization in the form of a smaller and more concise...

Changing the Virtual Link Password

At some point, you should change the OSPF authentication password to keep your security fresh. This change is a best practice and should be done regularly. The tricky part is changing the authentication without upsetting routing. If you are going against the recommendations in this chapter and using plain text authentication, you must take a brief outage as the network adjusts to the change. However, if you are using MD5, you are in a much better position. OSPF and the Cisco IOS Software offer...
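The benefit described under "Benefits of OSPF Neighbor Authentication" and the key rollover described here can be seen together in the following Python, an added example that is not code from the book or from Cisco IOS. It models the receiver side of OSPF cryptographic (MD5) authentication as specified in RFC 2328 Appendix D: the sender fills the authentication field with a key ID, the digest length and a cryptographic sequence number, appends MD5 over the packet plus the key zero-padded to 16 bytes, and the receiver recomputes that digest with whichever key it holds under that key ID. The packet layout is a simplified OSPFv2 header, and the router ID, payload, key names and sequence numbers are constructed.

```python
"""OSPF cryptographic (MD5) authentication with key rollover (added example, not from the book)."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

AU_TYPE_CRYPTO = 2   # OSPF AuType 2: cryptographic authentication
AUTH_DATA_LEN = 16   # MD5 digest length carried in the auth field
KEY_LEN = 16         # IOS 'ip ospf message-digest-key' keys are at most 16 characters


def pad_key(key: str) -> bytes:
    raw = key.encode()
    if len(raw) > KEY_LEN:
        raise ValueError("OSPF MD5 key is at most 16 characters")
    return raw.ljust(KEY_LEN, b"\x00")   # shorter keys are zero-padded before hashing


def build_packet(key_id: int, seq: int, body: bytes) -> bytes:
    """Constructed OSPFv2 header (24 bytes) followed by body.

    Fields: version=2, type=1 (Hello), length, router ID, area ID, checksum (0 under
    AuType 2), AuType, then the auth field per RFC 2328 D.3:
    reserved(16) | key ID(8) | auth data len(8) | cryptographic sequence number(32).
    """
    header = struct.pack("!BBH", 2, 1, 24 + len(body))
    header += bytes([10, 0, 0, 1])             # router ID 10.0.0.1 (constructed)
    header += bytes(4)                         # area 0.0.0.0
    header += struct.pack("!HH", 0, AU_TYPE_CRYPTO)
    header += struct.pack("!HBBI", 0, key_id, AUTH_DATA_LEN, seq)
    return header + body


def sign(packet: bytes, key: str) -> bytes:
    """Append MD5(packet || padded key); the key itself never goes on the wire."""
    return packet + hashlib.md5(packet + pad_key(key)).digest()


@dataclass
class Receiver:
    keychain: Dict[int, str]          # key ID -> key configured on this interface
    last_seq: Optional[int] = None    # highest sequence number accepted from this neighbor

    def verify(self, wire: bytes) -> bool:
        if len(wire) < 24 + AUTH_DATA_LEN:
            return False
        packet, digest = wire[:-AUTH_DATA_LEN], wire[-AUTH_DATA_LEN:]
        (au_type,) = struct.unpack("!H", packet[14:16])
        _, key_id, auth_len, seq = struct.unpack("!HBBI", packet[16:24])
        if au_type != AU_TYPE_CRYPTO or auth_len != AUTH_DATA_LEN:
            return False
        key = self.keychain.get(key_id)
        if key is None:
            return False               # neighbor moved to a key ID we do not hold yet
        if self.last_seq is not None and seq < self.last_seq:
            return False               # older than the last accepted packet: replay
        expected = hashlib.md5(packet + pad_key(key)).digest()
        if not hmac.compare_digest(expected, digest):
            return False               # wrong key or modified packet
        self.last_seq = seq
        return True


def rollover_demo() -> List[bool]:
    """Add the new key on every router before any sender uses it, then retire the old one."""
    rx = Receiver(keychain={1: "old-key"})
    body = b"hello-payload"            # constructed Hello body
    results = [rx.verify(sign(build_packet(1, 100, body), "old-key"))]     # accepted
    # Sender switches to key 2 before the receiver has it: the adjacency would drop.
    results.append(rx.verify(sign(build_packet(2, 101, body), "new-key")))  # rejected
    rx.keychain[2] = "new-key"         # correct order: receivers learn key 2 first
    results.append(rx.verify(sign(build_packet(2, 101, body), "new-key")))  # accepted
    results.append(rx.verify(sign(build_packet(1, 102, body), "old-key")))  # old key still valid
    results.append(rx.verify(sign(build_packet(1, 100, body), "old-key")))  # replay of seq 100
    tampered = bytearray(sign(build_packet(2, 103, body), "new-key"))
    tampered[-AUTH_DATA_LEN - 1] ^= 0x01                                    # flip a body bit
    results.append(rx.verify(bytes(tampered)))                              # digest mismatch
    del rx.keychain[1]                 # last step: remove key 1 everywhere
    results.append(rx.verify(sign(build_packet(1, 104, body), "old-key")))  # rejected
    return results


if __name__ == "__main__":
    print(rollover_demo())  # [True, False, True, True, False, False, False]
```

The order the demo enforces is the whole point of the rollover: distribute the new key ID to every router on the link first, move senders to it, and only then delete the old key. Two caveats a practitioner should keep in mind: the sequence-number check rejects only packets older than the last one accepted, so it limits replay rather than eliminating it, and MD5 with a key of at most 16 bytes is far weaker than modern authentication; it still defeats the casual injection of forged routing updates that the chapter warns about.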

Chapter Summary

This chapter covered route redistribution and how it operates within OSPF. You have just begun to scratch the surface of the potential for redistributing routes you will find that from the topics presented, you are ready to solve redistribution scenarios or design them. A variety of golden rules were covered as they relate to redistribution. These rules form the basis of understanding how to design redistribution scenarios in OSPF. When you have trouble with redistribution, these golden rules...

CIDR

VLSM was a step up from subnetting because it relayed subnet information through routing protocols. This idea leads directly into this section on CIDR, which is documented in the following RFCs: 1517, 1518, 1519, and 1520. CIDR is an effective method to stem the tide of IP address allocation as well as routing table overflow. Without the implementation of CIDR in 1994 and 1995 (see RFC 1817), the Internet would not be functioning today because the routing tables would have been too large for the...

Cisco IOS Password Encryption

A non-Cisco source has released a program to recover user passwords (and other passwords) from Cisco configuration files. The program does not recover passwords that are set with the enable secret command. Why not? Because enable secret stores a one-way salted MD5 hash (shown as type 5 in the configuration), which can only be guessed, not reversed. Passwords protected by the service password-encryption command, by contrast, are stored under a weak, reversible obfuscation (type 7) that anyone holding the configuration file can undo. The unexpected concern that this program has caused among Cisco customers indicates that many...
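To make the difference concrete, here is an added Python example (not the program referred to above, and not from the book) that reverses type 7 strings and audits a configuration for them. Type 7 uses a fixed, publicly known 40-byte key: two leading decimal digits pick a starting offset into it, and each password byte is XORed with successive key bytes and written as hex. The sample configuration is constructed, and the type 5 value in it is a placeholder rather than a real hash.

```python
"""Cisco IOS type 7 versus type 5 password storage (added example, not from the book)."""
import re
from typing import List, Tuple

XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"   # the fixed key IOS uses for type 7


def type7_decode(encoded: str) -> str:
    """Reverse a type 7 string such as 094F471A1A0A."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("not a type 7 string")
    offset = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return bytes(b ^ XLAT[(offset + i) % len(XLAT)] for i, b in enumerate(body)).decode()


def type7_encode(plain: str, offset: int = 9) -> str:
    """Produce a type 7 string; IOS picks the offset itself (0-15 in practice)."""
    if not 0 <= offset <= 15:
        raise ValueError("offset outside the range IOS uses")
    data = plain.encode()
    out = bytes(b ^ XLAT[(offset + i) % len(XLAT)] for i, b in enumerate(data))
    return f"{offset:02d}{out.hex().upper()}"


# Password statements as they appear in a running-config: '<keyword> <type> <value>'.
_PW_RE = re.compile(r"^\s*(?:\S.*\s)?(password|secret)\s+(\d)\s+(\S+)\s*$")


def audit_config(config: str) -> List[Tuple[str, str, str]]:
    """Return (line, storage, verdict) for each password statement in config."""
    findings = []
    for line in config.splitlines():
        m = _PW_RE.match(line)
        if not m:
            continue
        _keyword, ptype, value = m.groups()
        if ptype == "7":
            findings.append((line.strip(), "type 7", f"reversible: {type7_decode(value)}"))
        elif ptype == "5":
            findings.append((line.strip(), "type 5", "salted MD5 hash, not reversible"))
        elif ptype == "0":
            findings.append((line.strip(), "type 0", f"plaintext: {value}"))
        else:
            findings.append((line.strip(), f"type {ptype}", "other scheme, not handled here"))
    return findings


# Constructed configuration fragment; the type 5 value is a placeholder, not a real hash.
SAMPLE_CONFIG = """\
service password-encryption
username admin password 7 094F471A1A0A
enable password 7 05080F1C2243
enable secret 5 $1$abcd$placeholderhashvalue000000
line vty 0 4
 password 7 0330495A08063555
 login
"""

if __name__ == "__main__":
    for line, storage, verdict in audit_config(SAMPLE_CONFIG):
        print(f"{storage:8} {verdict:32} <- {line}")
```

The audit treats every type 7 value as already disclosed to anyone who has read the configuration (backups, TFTP servers, ticket attachments, show running-config output pasted into e-mail). The practical consequence is that service password-encryption protects against a glance over the shoulder and nothing more; enable secret, and keeping configuration files themselves confidential, are what actually protect the credentials.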

Cisco's MIB Extensions

With several hundred unique objects, Cisco's private MIB extensions provide network managers with broad, powerful monitoring and control facilities. Cisco's private MIB supports DECnet (including DECnet routing and host tables), XNS, AppleTalk, Banyan VINES, Novell NetWare, and additional system variables that highlight information such as average CPU utilization over selectable intervals. Furthermore, Cisco developers can add private extensions to the MIB as required. This capability gives...

CiscoView

CiscoView is a GUI-based device management software application that provides dynamic status, statistics, and comprehensive configuration information for Cisco Systems' internetworking products (switches, routers, concentrators, and adapters). CiscoView graphically displays a real-time physical view of Cisco devices. Additionally, this SNMP-based network management tool provides monitoring functions and offers basic troubleshooting capabilities. Figure 8-1 shows a typical view of a router...

CiscoWorks

CiscoWorks network management software enables you to monitor complex internetworks that use Cisco routing devices, and it helps you plan, troubleshoot, and analyze your network. CiscoWorks uses SNMP to monitor and control any SNMP-enabled device on the network. 446 Chapter 8 Managing and Securing OSPF Networks CiscoWorks works directly with your SNMP network management platform, allowing CiscoWorks applications to be integrated with the features and applications of your platform. The following...

Command Syntax Conventions

The conventions used to present command syntax in this book are the same conventions used in the Cisco IOS Software Command Reference. The Command Reference describes these conventions as follows:
- Vertical bars (|) separate alternative, mutually exclusive elements.
- Square brackets ([ ]) indicate optional elements.
- Braces ({ }) indicate a required choice.
- Braces within brackets ([{ }]) indicate a required choice within an optional element.
- Boldface indicates commands and keywords that are entered literally as shown....

Configuration Example 1 Setting the Default Metric for Redistributed Routes

In Figure 6-2, Router Trinity is receiving the routes 212.54.190.0/24 and 10.1.1.4/30 from Router Neo via EIGRP. These EIGRP routes are initially redistributed into OSPF using the default metric of 20. Figure 6-2 Default Metric Configuration: Redistribute EIGRP into OSPF. The default metric is 20. Once the network begins routing OSPF, the first thing that you need to verify is that Routers Morpheus and...

Configuration Example 2 External Route Summarization

Configuring external route summarization has the same result as area summarization; the difference lies in the type of summarization you are trying to accomplish (that is, area versus external). To have OSPF advertise one summary route for all redistributed routes covered by a single network address and mask, perform the following task in router configuration mode. Summarization is done via the following router OSPF subcommand: summary-address summary-ip-address subnet-mask [not-advertise] [tag...

Configuration Example 2 RIP and OSPF

This case study is a classic for those making the transition from RIP to OSPF. It has become extremely popular within networking circles after it was published in the first edition of this book, and it has been updated. This case study addresses the issue of integrating RIP networks with OSPF networks. Most OSPF networks also use RIP to communicate with hosts or to communicate with portions of the internetwork that do not use OSPF, such as older legacy areas or small business partners. Cisco...

Configuration Example 3 Subnetting with Summarization

Summarization is a wonderful concept in networking that can give networks a variety of benefits, as discussed earlier in this chapter. It is important to provide a template that demonstrates how you might go about designing or redesigning an OSPF network with summarization in place from the beginning. This latter case is the more likely scenario, and you might have already been involved in projects to renumber and readdress networks that needed a new and improved logical look. These situations...

Configuration Example 5 Redistributing OSPF and RIP and Tagging Routes

In your network, you have connected Router Trinity to OSPF area 10 and a RIP network as well. The entire OSPF network needs to know about the following networks These networks are found on Router Trinity and are part of the RIP routing domain. Because the objective is for the entire OSPF network to learn about them, you are going to be monitoring the routing table of Router Apoc to see when it learns of these routes. As you would expect, in the routing table in Example 6-59, Router Apoc has no...

Configuration Example 6 Controlling Redistribution

To this point, the concepts of redistribution have been presented and examples were given to show how to make redistribution operate effectively. The following configuration example was placed later in the chapter for a specific reason. This example is a good review of the routing and redistribution concepts that were covered up to this point. By placing the concepts together, you can see some interesting OSPF effects. The following sections offer a review of the concepts previously presented.

Configuration File Examples

Example 6-25 shows the commands in the configuration file for Router Morpheus that determine the IP address for each interface and enable RIP on those interfaces. Example 6-26 shows the commands in the configuration file for Router Neo that determine the IP address for each interface and enable RIP on those interfaces.

    interface serial 0
     ip address 130.10.62
    interface serial 1
     ip address 130.10.64
    interface ethernet 0
     ip address 130.10.17
    interface tokenring 0
     ip address 130.10.16

Example 6-27...

Configuring Access Lists for Specific Protocols

To control packet transmission for a given protocol, you must configure an access list for that protocol. Table 8-1 identifies the protocols for which you can configure access lists.

Table 8-1 Protocols with Access Lists by Range
  Transparent bridging (protocol type)
  Source-route bridging (protocol type)

TIP You should consider configuring access lists for each protocol that you have configured for...

Configuring an Interface as Point-to-Multipoint Nonbroadcast

To treat the interface as point-to-multipoint nonbroadcast when the media does not support broadcast, perform the tasks in Table 4-3 in interface configuration mode.

Table 4-3 Steps to Assigning a Cost to Each Neighbor in Point-to-Multipoint Nonbroadcast Networks
  Task: Configure an interface as point-to-multipoint for nonbroadcast media. This is the only difference from Table 4-2.
  Command: ip ospf network point-to-multipoint non-broadcast
  Task: Configure an OSPF routing process and enter router configuration mode....

Configuring Loopback Interfaces

When a loopback interface is not configured, OSPF uses the highest active interface IP address as its router ID. In this network, a single Class C subnet contains all the network management addresses for the entire network. Because the loopback interfaces are immune to physical and data link problems, configuring them is an excellent method to set an RID. Example 2-8 shows the configuration of a loopback interface on Routers Neo, Cypher, and Apoc. Example 2-8 Configuring a Loopback Interface...

Configuring OSPF

OSPF is a straightforward protocol to get running at a basic level in Cisco routers. This section covers the process needed to activate OSPF and then examines how some of OSPF's advanced features can be configured and properly deployed on the different types of OSPF functional routers. OSPF typically requires coordination among many internal routers, ABRs (routers connected to multiple areas), and Autonomous System Boundary Routers (ASBRs). At a minimum, OSPF-based routers, or access servers,...

Configuring the Designated Router

As discussed in Chapter 4, Design Fundamentals, some definite benefits are to be gained by selecting the router within the network that should be the designated router (DR) as well as the backup designated router (BDR). Here, you want to choose a specific router to be the DR by manually assigning the priority of a router and thus affecting the DR election process. Recall that the election process first compares priority (default of 1), where the highest value wins (in the case of a tie, the...
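The router ID selection described under "Configuring Loopback Interfaces" and the DR/BDR election described here are modeled together in the following Python, an added example that is not code from the book. Router ID: an explicit router-id wins, otherwise the highest IP on an up loopback, otherwise the highest IP on any up interface. Election: highest ip ospf priority wins, ties go to the highest router ID, priority 0 never participates, and an existing DR or BDR is not displaced when a better candidate appears later, which is the reason a priority change does not take effect until the roles are re-elected. The router names, addresses and priorities are constructed.

```python
"""OSPF router ID selection and DR/BDR election (added example, not from the book)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Interface:
    name: str
    ip: str
    up: bool = True


@dataclass
class Router:
    name: str
    interfaces: List[Interface]
    priority: int = 1                 # 'ip ospf priority'; default 1, 0 = ineligible
    router_id: Optional[str] = None   # explicit 'router-id' command


def select_router_id(r: Router) -> str:
    if r.router_id:
        return r.router_id
    up = [i for i in r.interfaces if i.up]
    loopbacks = [i for i in up if i.name.lower().startswith("loopback")]
    pool = loopbacks or up            # loopbacks are preferred even if numerically lower
    if not pool:
        raise ValueError(f"{r.name}: no active interface to derive a router ID from")
    return str(max(ipaddress.IPv4Address(i.ip) for i in pool))


def _rank(r: Router) -> Tuple[int, ipaddress.IPv4Address]:
    return (r.priority, ipaddress.IPv4Address(select_router_id(r)))


def elect(routers: List[Router], current_dr: Optional[str] = None,
          current_bdr: Optional[str] = None) -> Tuple[Optional[str], Optional[str]]:
    """Return (DR, BDR) names for one segment given who currently holds the roles."""
    eligible = sorted((r for r in routers if r.priority > 0), key=_rank, reverse=True)
    names = [r.name for r in eligible]
    if not names:
        return None, None
    if current_dr in names:
        dr = current_dr                      # the incumbent keeps the role
    elif current_bdr in names:
        dr = current_bdr                     # DR gone: the BDR is promoted
    else:
        dr = names[0]                        # fresh election: priority, then router ID
    rest = [n for n in names if n != dr]
    bdr = current_bdr if current_bdr in rest else (rest[0] if rest else None)
    return dr, bdr


def segment_demo() -> List[Tuple[Optional[str], Optional[str]]]:
    """Walk one Ethernet segment through cold start, a priority change, a DR reload and a reset."""
    neo = Router("Neo", [Interface("Loopback0", "10.255.255.3"), Interface("Ethernet0", "192.168.1.3")])
    cypher = Router("Cypher", [Interface("Ethernet0", "192.168.1.2"), Interface("Serial0", "172.16.0.9")])
    apoc = Router("Apoc", [Interface("Loopback0", "10.255.255.1"), Interface("Ethernet0", "192.168.1.1")])
    trinity = Router("Trinity", [Interface("Ethernet0", "192.168.1.4")], priority=0)
    segment = [neo, cypher, apoc, trinity]
    steps = [elect(segment)]                               # cold start: Cypher, highest router ID
    apoc.priority = 100                                    # operator now wants Apoc as DR
    steps.append(elect(segment, *steps[-1]))               # nothing changes: not preemptive
    steps.append(elect([neo, apoc, trinity], *steps[-1]))  # Cypher reloads: BDR promoted
    steps.append(elect(segment))                           # whole segment reset: priority wins
    return steps


if __name__ == "__main__":
    for step in segment_demo():
        print("DR:", step[0], " BDR:", step[1])
```

Note what Cypher shows: with no loopback, its router ID comes from the numerically highest interface address, which happens to beat the loopback-derived IDs of Neo and Apoc, so on a cold start it becomes DR even though it was never intended to. Setting Apoc's priority afterwards changes nothing until the segment's adjacencies are reset, which is why the priority should be planned before deployment rather than adjusted in a running network.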

Configuring the RIP Network

Figure 6-7 illustrates a RIP network. Three sites are connected with serial lines. The RIP network uses a Class B address and an 8-bit subnet mask. Each site has a contiguous set of network numbers assigned to it. The creators must have read the first edition of this book when designing the network, because they clearly planned for future growth in the OSPF direction. Table 6-2 lists the network address assignments for the RIP v2 network, including the network number, subnet range, and subnet...

Contents

Part I OSPF Fundamentals and Communication
  Chapter 1 Networking and Routing Fundamentals
    Why Was the OSI Reference Model Needed
    Characteristics of the OSI Layers
    Understanding the Seven Layers of the OSI Reference Model
      Upper Layers
        Layer 7 Application
        Layer 6 Presentation
        Layer 5 Session
      Lower Layers
        Layer 4 Transport
        Layer 3 Network
        Layer 2 Data Link
        Layer 1 Physical
    OSI Reference Model Layers and Information Exchange
      Headers, Trailers, and Data
    TCP/IP...

Control and Limit Your Secrets

Most security is based on information that is required to be secret. Passwords, SSH or PGP encryption keys, and SNMP community strings, for example, should be kept secret. Too often, though, the secrets are not all that secret. The most important part of keeping secrets is knowing the areas that you need to protect through secrecy. For example, what knowledge would enable someone to circumvent your system? You should jealously guard that knowledge and assume that your adversaries know...

Controlling Access to Network Equipment

It is important to control access to all your network equipment. Most equipment manufacturers now design their equipment with multiple levels of passwords, typically read-only and then read/write. This is probably the easiest and most basic step in securing your network. This section discusses some of the techniques that you must consider regarding Cisco router access and the operation of Cisco router passwords. You can control access to the router using the following methods: Telnet access...

Controlling Inter Area Traffic

When an area has only a single ABR (a simple stub area), all traffic that does not belong in the area is sent to the ABR. In areas that have multiple ABRs, the following choices are available for traffic that needs to leave the area: Use the ABR closest to the originator of the traffic; this results in traffic leaving the area as soon as possible. Use the ABR closest to the destination of the traffic; this results in traffic leaving the area as late as possible. However, if the ABRs are only...

Cost Effectiveness

Cost effectiveness is the true bottom line of network design. Budgets and resources are limited, and building or expanding the network while staying within the predetermined budget is always a benefit to your career and proper network design. Management is literally always happy when a project comes in under budget; consider this carefully, and you know how they feel when it goes over budget. Although the five basic goals of network design can be followed in any situation, there should also be a...

Count the Cost

Security measures usually reduce convenience, especially for sophisticated users. Security can delay work and create expensive administrative and educational overhead. Security can use significant computing resources and require dedicated hardware. Just as with anything in life, nothing that is worth having is free; you must work for the results that you want to receive and understand that you must pay a price for security in convenience. The...

Creating Access Lists

Access list definitions provide a set of criteria that are applied to each packet that is processed by the router. The router decides whether to forward or block each packet based on whether the packet matches the access list criteria. Typical criteria defined in access lists are packet source addresses, packet destination addresses, or upper-layer protocol of the packet. However, each protocol has its own specific set of criteria that can be defined. For a given access list, you define each...

Database Exchange State Changes

The following is a brief description of the possible OSPF neighbor state changes when the routers are exchanging DDs. These steps occur when two routers decide to form an adjacency. For example, on broadcast media, a router becomes full only with the DR and the BDR; it stays in the 2-way state with all other neighbors. ExStart: This state indicates the first step in creating an adjacency, the goal of which is to decide which router is the master and which is the slave. The master router is the...

Design Fundamentals

The Art of Strategy: Those who are victorious plan effectively and change decisively. They are like a great river that maintains its course but adjusts its flow...they have form but are formless. They are skilled in both planning and adapting and need not fear the result of a thousand battles, for they win in advance, defeating those that have already lost. Sun Tzu, Chinese warrior and philosopher, 100 B.C. The chapter opening quote is clear evidence that thousands of years ago Sun Tzu foresaw the...

Designated Routers

OSPF builds adjacencies between routers for purposes of exchanging routing information. However, when OSPF has to deal with NBMA or broadcast networks, a problem presents itself. In these types of networks, there are multiple routers, which would result in too many adjacencies. To combat superfluous adjacencies, the Designated Router (DR) was introduced. OSPF designates a single router per multiaccess network to build adjacencies among all other routers. You can calculate the number of...

Detailed Neighbor Establishment

This section discusses some of the common issues that you can encounter in an OSPF network, including questions and issues related to neighbor and database initialization. Typically, you see OSPF go from 2-way to full; however, when a full state is reached, this reflects that the LSDBs (that is, all the database exchanges) have been completely exchanged between the two routers in question. This process differs from the Hello protocol and is the subtle difference between the two. The following...

Determining the Number of Areas per ABR

ABRs keep a copy of the database for all areas that they service. For example, if a router is connected to five areas, it must keep five different databases. It is better not to overload an ABR; rather, you should spread the areas over other routers. The ideal design is to have each ABR connected to two areas only (the backbone and another area), with three to five areas being the upper limit. Figure 4-19 shows the difference between one ABR holding five different databases, including area 0 (part...

Determining the Number of Neighbors per Router

OSPF floods all link-state changes to all routers in an area. Routers with many neighbors have the most work to do when link-state changes occur. In general, a router should have no more than 60 to 100 neighbors. TIP: Chapter 2, "Introduction to OSPF," discussed the differences between neighbors and adjacencies. Refer to that chapter as necessary. An example of the 60 to 100 neighbor rule is the case of a number of routers connected on the same LAN. Each LAN has a DR and BDR that build adjacencies...

Document Your Security Plan

This does not mean that you should write down all your network passwords! Instead, as you go through the process of identifying and designing your network security needs and actions, you should document your findings and the resulting security actions. Having a written, living security document is vital to proper implementation of your overall network security strategy. This also helps those that succeed you understand why the network security was implemented and designed in such a way. It can...

Enable Secret Passwords

The enable secret encrypted passwords are hashed (that is, encrypted) using the MD5 algorithm. As far as anyone at Cisco knows, it is impossible to recover an enable secret password based on the contents of a configuration file (other than by obvious dictionary attacks), which would allow the password to be guessed if you were to use a word and not a random string of different characters. Please note that "impossible" means that many people cannot gather the resources needed to crack MD5, as you...

Ensuring a Connection to Area 0

In the rare situation that a new area, which cannot have a direct physical access to the backbone, is introduced, you need to configure a virtual link. A virtual link creates a path between two ABRs that are not directly connected. Refer to Figure 4-30 for an example of this concept. Here, area 4 does not have a physical connection to area 0, so it uses a virtual link (through area 1) to connect to area 0 using Routers A and B, respectively. Figure 4-30 Connecting to Area 0 with a Virtual Link...

Ensuring Contiguous Areas

A contiguous OSPF area (see Figure 4-23) is one in which a continuous path can be traced from any router in an area to any other router in the same area. Basically, all routers in the backbone should be directly connected to other backbone routers. This does not mean that all routers must share a common network media (such as Ethernet). Figure 4-23 Contiguous Areas Within an OSPF Network (Area 4 Is Discontiguous). Ideally, areas should have multiple redundant internal and external links to...

Example 1 Remote Router Is in Two Areas (Neither Is Area 0)

This approach does not work because the LAN interface cannot be in more than one area, as shown in Figure 5-23. There is no exchange of link-state information between areas 1 and 2. As shown in Figure 5-23, the site router is located in two different OSPF areas, and neither of them is in area 0. However, if the site LAN is not included in the OSPF routing, and its routing information is injected with a static route either at the site router or at the ABR for area 1, this approach can be made to...

Example 2 Site Router Is in Two Areas (One Is Area 0)

This approach makes the site router (Router A) an ABR under failure. It does work; however, it is not considered an acceptable design because it would make the site router part of area 0 if it were ever disconnected from Router B. This design would require more resources than would be cost-effective in all but the smallest networks (see Figure 5-24). Figure 5-24 Site Router Is in Two Areas (One Is Area 0)...

Example 3 Remote Site Router Is in One Area

This approach is the most suitable and works even if the backup router (Router C in Figure 5-25) is located elsewhere. The secret is that Router C does not summarize for its attached areas; therefore, Router C originates more specific prefixes for the networks in failure. The disadvantage is that dedicated backup interfaces are required for each area. Example 5-39 shows some sample configurations for this design scenario. Example 5-39 Configuring OSPF for On-Demand Circuits Remote Site Router Is...

Example 4 Remote Site Router Is in Two Routing Domains

This approach relies on one-way redistribution of multiple instances of a separate routing protocol into OSPF, as shown in Figure 5-26. Auto-summarization must also be disabled in this scenario. Administrative distances should be tweaked to ensure that OSPF is the favored routing protocol. This approach has the advantage that interfaces can be shared among areas, that is, a dedicated set of interfaces for each area is not required. Figure 5-26 Remote Site Router in Two Routing Domains Figure...

External Routes

In OSPF, external routes are classified either as Type E1 or Type E2; the difference is the calculation of the metric (cost) associated with each route. Specifically, a Type E2 route has a metric that is equal to the external cost, whereas a Type E1 route has a metric of the external cost plus the internal cost to that route. Remember the following points when performing redistribution: By default, all redistributed routes are automatically categorized as Type E2 by OSPF. You can alter the type...

Filtering Routes

Two methods are used to filter routes with OSPF: distribute lists and route maps. The command syntax for configuring each is as follows: protocol-name route-map route-map-name. A route map is a powerful tool that allows easy altering of routing information. Route maps should be used in place of distribute lists whenever possible in OSPF because route maps do not have the limitations of distribute lists, as previously discussed. 1-99 in interface: Use this command to call a standard access list to...

Fl fi VI VI

Adjacencies are formed with the DR (Rtr A) and BDR (Rtr D). The charts in this figure show how the adjacencies are formed and developed within the broadcast network shown. When configuring an interface as nonbroadcast, OSPF cannot perform multicasting on that link. Lack of multicast functionality impacts OSPF's operation because OSPF Hellos cannot be properly transmitted. Hellos are multicasted to different well-known OSPF multicast addresses. If OSPF cannot send these multicast Hello packets,...

Flooding Process Protocol

Flooding in OSPF is responsible for validating and distributing link-state updates to the link-state database whenever a change or update occurs to a link. Changes or updates are key concepts regarding when flooding occurs. Flooding is part of the LSDB synchronization mechanism within OSPF. The goal of this mechanism is to keep the LSDBs of the routers in an OSPF domain synchronized within time in the presence of topological changes. In the event of a link-state change (for example, from up to...

Fully Meshed Versus Partially Meshed Network Topology

Nonbroadcast multiaccess (NBMA) clouds, such as Frame Relay or X.25, are always a challenge in OSPF. The combination of low bandwidth and too many LSAs can cause problems. A partially meshed topology has been proven to behave much better than a fully meshed network topology. Figure 4-21 shows the benefits and differences between the two topologies. In some cases, a carefully laid out point-to-point or point-to-multipoint network can work better than multipoint networks, which must deal with LSA...

Golden Rules for Designing a Secure Network

Security measures keep people honest in the same way that locks do. Cyber-thieves by nature go after the least-defended part of a network. Consider this analogy. In a neighborhood where 25 percent of the homes have home security systems, thieves target the least-defended homes (those without security systems) first. This analogy fits well with networking. When a hacker is doing reconnaissance (for example, port scanning, nmap, and so on) against potential targets, a percentage of these hackers...

Golden Rules of Standard Area Design

When you design your OSPF network, you must start with area 0, the backbone area of every OSPF network. The following rules help get you started properly: A contiguous backbone area must be present. All OSPF areas must have a connection to the backbone (area 0). This includes standard areas. The following are more general rules and OSPF capabilities that help ensure that your OSPF network remains flexible and provides the kind of performance needed to deliver reliable service to all of its users...

Golden Rules of Virtual Link Design

Some of the characteristics and suggested uses for virtual links are as follows: Virtual link stability is determined by the stability of the area that the virtual links transit. Virtual links can only be configured on ABRs. Virtual links cannot run across stub areas. Virtual links assist in solving short-term network connectivity problems. Virtual links can assist in providing logical redundancy. OSPF treats two routers joined by a virtual link as if they were connected by an unnumbered...

Hello Process Protocol

Although this is an OSPF book, many different protocols use a concept of Hello packets just like OSPF (for example, EIGRP). Therefore, understanding the rationale behind the use and implementation of Hello is important. Specifically in OSPF, the Hello protocol is used for the following purposes: to ensure that communication between neighbors is bidirectional (two-way); to discover, establish, and maintain neighbor relationships; to elect the DR and BDR on broadcast and NBMA networks; to verify that...

Hello Protocol Operational Variations

In broadcast networks (for example, Ethernet or Token Ring), each router advertises itself by periodically sending out multicast Hello packets, which allow neighbors to be discovered dynamically. In NBMA networks (for example, Frame Relay, X.25, or ATM), the OSPF router can require some additional configuration information in order for the Hello protocol to operate correctly. This configuration is the protocol going out onto the network to find or elect the designated router, as previously...

Hello Protocol Packet Format

The OSPF Hello protocol packets are formatted in only one way. All OSPF packets start with a standardized 24-byte header, which contains information that determines whether processing is to take place on the rest of the packet. The packets contain the fields that are shown in Figure 3-23, always in the same order. All the fields in this format are 32-bit fields, except for the following fields. The following list describes what each of the packet fields represents: Version: Identifies the OSPF...

Hello Protocol State Changes

The following is a brief description of the possible OSPF neighbor state changes when the Hello protocol is being used. Down: This is the initial state of a neighbor conversation. This state means that no information has been sent from any neighbors. This state is usually seen when a router first begins speaking OSPF in a network or when there is a problem and the router dead interval timer (Hello interval * 4) has expired for some reason, resulting in OSPF. Attempt: This is valid only for...

Hierarchical Network Design Techniques

When designing your OSPF network, the following factors are supported by OSPF and are currently accepted network design theories: A three-tiered backbone approach allows fast convergence and economy of scale. Never use more than six router hops from source to destination (see the following note). Use 30 to 100 routers per area. (This can be adjusted depending on factors discussed later.) Do not allow more than two areas per Area Border Router (ABR) in addition to the ABR's connection to area 0....

How OSPF Authentication Works

When OSPF authentication has been configured on a router, the router authenticates the source of each routing update packet that it receives. This is accomplished by the exchange of an authenticating key (sometimes referred to as a password) that is known to both the sending and the receiving router. The following types of OSPF neighbor authentication are used: Message Digest Algorithm Version 5 (MD5) authentication. Both forms work in essentially the same way, with the exception that MD5 sends a...

I

When route summarization is enabled, OSPF uses the metric of the best route in the summary advertisement. In Cisco IOS Software Release 10.2 and earlier, Cisco's implementation of OSPF assigned default costs to a router's interface, regardless of the bandwidth attached to the interface. For example, Cisco IOS Software would give a 64-kbps line and a T1 link the same OSPF cost, clearly a problem. This required the user to override the default value to take advantage of the faster link. Cisco IOS...

Identify Your Assumptions

Every security system has underlying assumptions. For example, you might assume that your network has not been compromised, that attackers know less than you do, that hackers are using standard software, or that a locked room is safe. All of these assumptions are most likely incorrect and could cause holes in your security policy. Be sure to examine and justify your assumptions. Any hidden assumption is a potential security hole. Consider the assumptions made in the following example, where a...

Implementation Considerations

Consider the following items before implementing on-demand circuits on a Cisco router in an OSPF network: Because LSAs that include topology changes are flooded over an on-demand circuit, you need to put demand circuits within OSPF stub areas or within NSSAs to isolate the demand circuits from as many topology changes as possible. If these circuits are constantly being activated, high costs result, defeating the purpose of their design. To take advantage of the on-demand circuit functionality...

Increasing SNMP Security

In the networking arena, it is generally understood that SNMP is not as secure as it can be. However, SNMP is widely used throughout most networks as a management and trending tool. In networks where security is extremely important, you should implement an access list on SNMP to limit who can access the device in question via SNMP. This is considered a best practice and can be accomplished as shown in the example that follows. This example permits the host IP addresses of 10.1.3.5 and 10.5.2.53...

Info

TIP: Cisco IOS Software Release 11.2 addressed this cost calculation issue with the introduction of the ospf auto-cost reference-bandwidth command. This command alleviates the problem of how OSPF would calculate cost on a Gigabit Ethernet interface. When all routers know the current state of a network, OSPF convergence is extremely fast when compared to that of other protocols; this was one of the main features included in OSPF's initial design. To keep...

Interoperability Issues with VLSM

Routers in a single segment must agree on the network mask. For example, if every router does not agree on the same mask for an Ethernet segment or a Frame Relay link, a breakdown in communication will occur. Consider that IGRP does not support VLSM, so when information is redistributed from OSPF to IGRP or RIP version 1 (RIP-1), only a single mask is used. The best way to make redistribution work is to hide all VLSMs from IGRP. OSPF should summarize the networks to achieve one mask per network...

Introduction

OSPF is in use in numerous networks worldwide. OSPF is also one of the most widely tested protocols if you choose to pursue a networking certification. From a technical perspective, the overwhelming presence of OSPF ensures that almost everyone will encounter it at some point in their career. A result of these facts is that everyone should understand OSPF: how it operates, how to configure it, troubleshooting, and most importantly how to design a network that will use OSPF. You can...

Introduction to OSPF

It seems appropriate in this chapter to share with you a caption from a small picture that my wife gave me when we celebrated our 13th wedding anniversary. I keep it on my desk to remind myself of the bigger picture. My daughter also likes it because it has a picture of a family of dolphins swimming, and it struck a chord that I felt was essential to have in my life: The family is a harbor of safety in an ocean of change. It is an association established in nature and guided by enduring...