Thursday, September 19, 2013

OSPF Inter-Area Filtering using Area Filter-List


Pic. 1 - Topology Diagram.

Task 1
Remove OSPF filtering applied in the previous lab.

Task 2
Ensure that R5 learns all OSPF prefixes except for 172.16.12.0/24. Use area filter-list command to accomplish that.

Questions
Try to answer the following questions:
  1. What is the difference in operation between the 'area number range' and 'area number filter-list prefix' commands?
  2. What type of OSPF router do both of these commands work on?
  3. Do they filter LSAs or just a prefix?
Lab Solution

Solution configuration below: 

Task 1
Remove OSPF filtering applied in the previous lab.

R4 Config:
!
router ospf 1
  no area 0 range 172.16.12.0 255.255.255.0 not-advertise
!

Task 2
Ensure that R5 learns all OSPF prefixes except for 172.16.12.0/24. Use area filter-list command to accomplish that.

Pic. 2 - R5 Status Before Filter-List.


 R4 Config:
!
ip prefix-list BLOCK deny 172.16.13.0/24
ip prefix-list BLOCK permit 0.0.0.0/0 le 32

!
router ospf 1
 area 0 filter-list prefix BLOCK out
!

Verification:
Pic. 3 - R5 LSDB and Routing Table.


NOTICE!
The LSDB entry will be removed after a few seconds (wait at least 30-40 seconds for this to take effect)!

The conclusion is that both commands ('area range' and 'area filter-list') prevent the ABR from sending LSAs into the area(s) as well. In this instance, R4 has filtered out an LSA from an area for which it is not an ABR (R4 is not directly connected to area 13).
  
Study Drill

If you have not tried my suggestion in the previous lab, try to use the same prefix (172.16.13.0) to filter it using 'area number range' command. Filtering will not work.


OSPF Inter-Area Filtering Using Area Range


Pic. 1 - Topology Diagram.



Task 1
Remove OSPF filtering applied in the previous lab.

Task 2
Configure OSPF Area 45 between R4 and R5.

Task 3
Ensure that R5 learns all OSPF prefixes except for 172.16.12.0/24. Use 'area range' command to accomplish that.

Questions
Try to answer the following questions:
  1. What type of OSPF routers allow LSA filtering?
  2. What do LSA 1 through 5 (and LSA 7) represent?
  3. What types of routers generate which LSAs?
Lab Solution

Solution configuration below: 

Task 1
Remove OSPF filtering applied in the previous lab.

R4 Config:
!
R4(config)#
R4(config)#no access-list 1
R4(config)#router ospf 1
R4(config-router)#no distance 255 0.0.0.0 255.255.255.255 1
R4(config-router)#
!

Task 2
Configure OSPF Area 45 between R4 and R5.

R4 Config:
!
router ospf 1
 network 172.16.45.0 0.0.0.255 area 45
!

R5 Config:
!
router ospf 1
 network 172.16.45.0 0.0.0.255 area 45
!

Verification:
Pic. 2 - R5 Learns All OSPF Prefixes.

Task 3
Ensure that R5 learns all OSPF prefixes except for 172.16.12.0/24. Use 'area range' command to accomplish that.

Before filtering has been applied:



Pic. 3 - R5 (show ip ospf database summary).


R4 Config:
!
router ospf 1
 area 0 range 172.16.12.0 255.255.255.0 not-advertise
!


Verification:
Pic. 4 - R5's Routing Table.

Pic. 5 - R5's LSDB.

Let's make sure R4 still has 172.16.12.0/24 in its LSDB. Since the link 172.16.12.0/24 belongs to a broadcast network (link state = transit), either R1 (10.0.1.1) or R2 (10.0.2.2) must be the DR for that segment.

Pic. 6 - R4 (ABR) Keeps LSA in its LSDB.

Although it is a completely redundant step here (since everything went as planned), let's humor ourselves by checking 172.16.12.2/24 (DR).

Pic. 7 - R2's Information about 172.16.12.0/24.


Study Drill

Looking at pic. 7, we learn that:
  • DR is 10.0.2.2 and its IP address connected to the subnet in question is 172.16.12.2.
  • There are only two attached routers on the subnet: 10.0.1.1 and 10.0.2.2.
What do you think would happen if you used the same method of filtering on R4 trying to filter out the subnet 172.16.13.0/24 (LSA from area 13)? Try it out! Why did it work/not work?

Is LSA about 172.16.12.0 still present on R5 (give it a few seconds after you have applied the filter)?

What is the implication of using this method as far as the routing table on R6 regarding 172.16.12.0? Check its routing table before and after you have applied the filtering.


Tuesday, September 17, 2013

OSPF Filtering Using Administrative Distance


Pic. 1 - Topology Diagram.


Task 1
Remove OSPF filtering applied in the previous lab.

Task 2
Configure OSPF filtering on R4, so that 10.0.2.2/32 does not show in its routing table. Do not use distribute-list to accomplish the goal.

Questions
Try to answer the following questions:
  1. What is the process a router uses to pick the best path when more than one is available?
  2. What is an Administrative Distance?
  3. Are Administrative Distance (aka 'distance') values the same on multivendor routing equipment?
Lab Solution

Solution configuration below: 

Task 1
Remove OSPF filtering applied in the previous lab.

R4 Config:
!
no ip prefix-list DENY_R4_LO
!
no route-map BLOCK
!
router ospf 1
 no distribute-list route-map BLOCK in
!


Task 2
Configure OSPF filtering on R4, so that 10.0.2.2/32 does not show in its routing table. Do not use distribute-list to accomplish the goal.

R4 Config:
!
access-list 1 permit 10.0.2.2
!
router ospf 1
 distance 255 0.0.0.0 255.255.255.255 1
!

Notice!
An Administrative Distance of 255 (the highest possible number) is considered UNKNOWN. As such, it cannot be used by the router as a valid path to a given destination.

Verification:
Pic. 2 - ACL Got a Hit.

Pic.3 - Prefix 10.0.2.2/32 Removed from RT.

Pic. 4 - Prefix 10.0.2.2/32 Still Present in LSDB.


Study Drill

Recall that a router has a pre-defined algorithm to pick the best path.

  1. If there is only one path (prefix) available, it is chosen as the best path.
  2. If more than one path is available with the same prefix length, the one with the lower Administrative Distance is chosen.
  3. If there is more than one longest match AND they have the same AD value, the one with the lowest metric is chosen.
  4. In case all the above are the same, a router performs traffic sharing.

The value of Administrative Distance is arbitrarily set by a router's vendor. This is why Cisco's AD values will not be the same as the AD values Juniper assigns on its routers. The value of 255 is considered UNKNOWN. Prefixes marked with this highest value cannot be considered by a router as a valid path.
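The selection order above, together with the effect of 'distance 255', as an added Python example that is not part of the original lab or of IOS. The route entries, metrics and next hops are constructed, and the model ignores the source-address part of the distance command because the lab uses a match-all wildcard.

```python
import ipaddress
from collections import defaultdict

UNUSABLE_AD = 255  # a route carrying this distance is never installed

def apply_distance(routes, acl_hosts, distance=UNUSABLE_AD):
    """Model 'distance 255 0.0.0.0 255.255.255.255 1' for ACL-matched prefixes."""
    out = []
    for r in routes:
        net = ipaddress.ip_network(r["prefix"])
        hit = str(net.network_address) in acl_hosts  # standard ACL host match
        out.append({**r, "ad": distance if hit else r["ad"]})
    return out

def build_rib(routes):
    """Per prefix: drop AD 255, keep lowest AD, then lowest metric, keep ties."""
    by_prefix = defaultdict(list)
    for r in routes:
        if r["ad"] != UNUSABLE_AD:
            by_prefix[ipaddress.ip_network(r["prefix"])].append(r)
    rib = {}
    for net, cands in by_prefix.items():
        best = min((c["ad"], c["metric"]) for c in cands)
        rib[net] = sorted(c["via"] for c in cands if (c["ad"], c["metric"]) == best)
    return rib

def lookup(rib, dest):
    """Longest-prefix match; returns (prefix, next hops) or None."""
    addr = ipaddress.ip_address(dest)
    matches = [n for n in rib if addr in n]
    if not matches:
        return None
    best = max(matches, key=lambda n: n.prefixlen)
    return str(best), rib[best]

# Constructed candidate routes as seen by R4 (values are illustrative only).
ROUTES = [
    {"prefix": "10.0.1.1/32", "ad": 110, "metric": 65, "via": "172.16.0.1"},
    {"prefix": "10.0.2.2/32", "ad": 110, "metric": 66, "via": "172.16.0.1"},
    {"prefix": "172.16.12.0/24", "ad": 110, "metric": 74, "via": "172.16.0.1"},
    {"prefix": "172.16.12.0/24", "ad": 120, "metric": 2, "via": "172.16.45.5"},
    {"prefix": "172.16.13.0/24", "ad": 110, "metric": 74, "via": "172.16.0.1"},
    {"prefix": "172.16.13.0/24", "ad": 110, "metric": 74, "via": "172.16.45.5"},
]
```

The AD 120 route loses to the AD 110 route even though its metric is lower, because metric is compared only between routes with equal AD.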

Before you leave INTRA-AREA prefix filtering, try out the 'distribute-list gateway prefix-list' command and see what it does. You can do a quick test like this. Let me display the current OSPF table on R4:


Pic. 5 - Current OSPF Routing Table.


Now, let's add the following filtering:

R4 Test config:
!
ip prefix-list FILTER_TEST seq 5 deny 10.0.1.1/32

ip prefix-list FILTER_TEST seq 10 permit 0.0.0.0/0 le 32
!
ip prefix-list R1 seq 5 permit 172.16.0.1/32
!
! Let's apply this in OSPF context
!
router ospf 1
 log-adjacency-changes
 network 172.16.0.0 0.0.0.255 area 0
 distribute-list prefix FILTER_TEST gateway R1 in
!

Now, let's inspect the OSPF table on R4:

Pic. 6 - OSPF Routing Table with Filtering.


Do you see the difference? Looking at the topology diagram, can you guess what this filtering does?

Do not forget to remove this extra task before doing next lab.

OSPF Filtering Using Distribute-List with Route-Map


Pic. 1 - Topology Diagram.


Task 1
Remove OSPF filtering applied in the previous lab.

Task 2
Configure OSPF filtering on R4, so that 10.0.2.2/32 does not show in its routing table. Use distribute-list in OSPF process with route-map and ACL as your matching tool.

Task 3
Configure the same filtering as specified in Task 2. Use distribute-list and route-map with ip prefix-list as your matching tool.

Questions
Try to answer the following questions:
  1. What type of prefixes can distribute list with options filter out?
  2. What type of options does distribute-list take to filter prefixes?
  3. What would you do if you had to do the same filtering but the task stipulated that no distribute-list was allowed (crying is not an option, nor is 'cannot be done')?
Lab Solution

Solution configuration below: 

Task 1
Remove OSPF filtering applied in the previous lab.

R4 Config:
!
no ip access-list standard BLOCK_R4_L0
!
router ospf 1
 no distribute-list BLOCK_R4_L0 in
!

Verification:
Pic. 2 - Prefix 10.0.2.2/32 Back in the Routing Table.

Task 2
Configure OSPF filtering on R4, so that 10.0.2.2/32 does not show in its routing table. Use distribute-list in OSPF process with route-map and ACL as your matching tool.

R4 Config:
!
access-list 1 deny 10.0.2.2
access-list 1 permit any
!
route-map BLOCK permit 10
 match ip address 1
!
router ospf 1
 distribute-list route-map BLOCK in
!

Verification:
Pic.3 - Prefix 10.0.2.2/32 Filtered Out.

Pic. 4 - Match against ACL.

Task 3
Configure the same filtering as specified in Task 2. Use distribute-list and route-map with ip prefix-list as your matching tool.

Removing configuration from TASK 2. You know how to verify that 10.0.2.2/32 is back in the routing table, don't you?

R4 Config:
!
no access-list 1
!
no route-map BLOCK
!
router ospf 1
 no distribute-list route-map BLOCK in
!

R4 Config:
!
ip prefix-list DENY_R4_LO deny 10.0.2.2/32

ip prefix-list DENY_R4_LO permit 0.0.0.0/0 le 32
!
route-map BLOCK permit 10
 match ip address prefix-list DENY_R4_LO
!
router ospf 1
 distribute-list route-map BLOCK in
!

Verification:
Pic. 5 - Hits against IP Prefix-List Deny Entry.

Pic. 6 - Prefix 10.0.2.2/32 Removed from the Routing Table.

Study Drill

The most significant observation is that a distribute-list applied to OSPF is only able to filter what is being introduced into the routing table. The prefixes are still learned as intra-area LSAs (LSA1 or LSA2), and placed in the LSDB. This is because OSPF assumes that in order to build the same topology map, all routers within the area must share the EXACT same information. So far, we have inspected a few options allowing us to do the filtering. However, these are not the only ones available (as of writing of this post). Try to do some digging on the Net to find other options. Alternatively, look at my next lab to see what else is available.
;)

Friday, September 13, 2013

OSPF Filtering Using Distribute-List with ACL


Pic. 1 - Topology Diagram.


Task 1
Remove OSPF filtering applied in the previous lab.

Task 2
Configure OSPF filtering on R4, so that 10.0.2.2/32 does not show in its routing table. Use IP ACL as your matching tool.

Questions
Try to answer the following questions:
  1. What other matching tool(s) apart from ip prefix-list and access-list could be used to filter OSPF prefixes?
  2. What is the difference in the syntax of the 'distribute-list' command compared to the previous lab?
Lab Solution

Task 1
Remove OSPF filtering applied in the previous lab.

R4 Config:
!
conf t
router ospf 1
no distribute-list prefix BLOCK_R4_L0 in
exit
no ip prefix-list BLOCK_R4_L0
!

Verification:
Pic. 2 - Prefix 10.0.2.2/32 back in R4's Routing Table.

Task 2
Configure OSPF filtering on R4, so that 10.0.2.2/32 does not show in its routing table. Use IP ACL as your matching tool.

R4 Config:
!
ip access-list standard BLOCK_R4_L0
 deny   10.0.2.2
 permit any
!
router ospf 1
 distribute-list BLOCK_R4_L0 in
!

Verification:
Pic. 3 - Prefix 10.0.2.2/32 Removed From R4's Routing Table.
Pic.4 - Remaining Prefixes Remain Intact.


NOTE!
Make sure you check that existing prefixes have not been filtered out. It is easy to forget to allow all other prefixes to be accepted while using filtering.

Study Drill

Consider all remaining alternative methods of filtering OSPF prefixes within an area.

Thursday, September 12, 2013

OSPF Filtering Using Distribute List with Prefix-List


Pic. 1 - Topology Diagram.


Task 1
On R1, R3, and R4 re-configure Frame-Relay and OSPF, so that there is no DR/BDR election needed on their serial0/0 links. The routers should use their default hello/dead timers 30/120 seconds respectively.

Task 2
On R2, advertise its loopback0 into OSPF area 0. Do not use network statement to accomplish that.

Task 3
Configure OSPF filtering on R4, so that 10.0.2.2/32 does not show in its routing table. Use ip prefix-list as your matching tool.

Questions
Try to answer the following questions:
  1. What is the implication of having the same LSDB within the OSPF area?
  2. How can we filter LSAs within the area?
  3. How can we prevent a router from learning particular destinations located in the same area?
  4. What filtering tools does IOS give us to filter prefixes?
Lab Solution

Solution configuration below:
https://docs.google.com/file/d/0BwE5C95tpjZOOHRGZWd0VFhSM2M/edit?usp=sharing

Task 1
On R1, R3, and R4 re-configure Frame-Relay and OSPF, so that there is no DR/BDR election needed on their serial0/0 links. The routers should use their default hello/dead timers 30/120 seconds respectively.

R1 Config:
!
interface Serial0/0
 no ip ospf network point-to-multipoint non-broadcast
 frame-relay map ip 172.16.0.4 104 broadcast
 frame-relay map ip 172.16.0.3 103 broadcast
 ip ospf network point-to-multipoint
!
router ospf 1
 no neighbor 172.16.0.4
 no neighbor 172.16.0.3
!

R3 Config:
!
interface Serial0/0
 no ip ospf network point-to-multipoint non-broadcast
 ip ospf network point-to-multipoint
 frame-relay map ip 172.16.0.1 301 broadcast
!

R4 Config:
!
interface Serial0/0
 no ip ospf network point-to-multipoint non-broadcast
 ip ospf network point-to-multipoint
 frame-relay map ip 172.16.0.1 401 broadcast
!

Task 2
On R2, advertise its loopback0 into OSPF area 0. Do not use network statement to accomplish that.

R2 Config:
!
interface Loopback0
 ip address 10.0.2.2 255.255.255.255
 ip ospf 1 area 0

!
  
Task 3
Configure OSPF filtering on R4, so that 10.0.2.2/32 does not show in its routing table. Use ip prefix-list as your matching tool.
Pic.2 - R4 Before Filtering.


Notice!
10.0.2.2/32 is present in the routing table.

R4 Config:
!
ip prefix-list BLOCK_R4_L0 deny 10.0.2.2/32
ip prefix-list BLOCK_R4_L0 permit 0.0.0.0/0 le 32
!
router ospf 1
 distribute-list prefix BLOCK_R4_L0 in
!
Verification:
Pic. 3 - R4 After Filtering.


Pic. 4 - LSDB on R4 Contains LSA.

Study Drill

Within an OSPF area, all routers share the same database information. An LSA cannot be filtered if it belongs to the same area, but we can filter what is going to be placed in the routing table. The IP prefix-list is not the only matching tool we could use here. Try others, such as an access-list or route-map, to see if you can make it work.
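How the prefix-list from Task 3 is evaluated, as an added Python example that is not part of the original lab: entries are checked top-down, the first match wins, and a route that matches nothing is denied. The route list and the two broken variants (NO_PERMIT, NO_LE) are constructed for illustration.

```python
import ipaddress

def parse_prefix_list(lines):
    """Parse 'ip prefix-list NAME [seq N] permit|deny NET/LEN [ge G] [le L]'."""
    entries = []
    for line in lines:
        tok = line.split()
        if tok[:2] != ["ip", "prefix-list"]:
            continue
        rest = tok[3:]
        if rest[0] == "seq":
            rest = rest[2:]
        action, net = rest[0], ipaddress.ip_network(rest[1])
        opts = dict(zip(rest[2::2], map(int, rest[3::2])))
        # No ge/le: exact length only. 'le' alone: LEN..le. 'ge' alone: ge..32.
        lo = opts.get("ge", net.prefixlen)
        hi = opts.get("le", 32 if "ge" in opts else net.prefixlen)
        entries.append((action, net, lo, hi))
    return entries

def evaluate(entries, route):
    """First matching entry wins; no match means the implicit deny applies."""
    route = ipaddress.ip_network(route)
    for action, net, lo, hi in entries:
        if route.subnet_of(net) and lo <= route.prefixlen <= hi:
            return action
    return "deny"

def surviving(config_lines, routes):
    """Routes that a 'distribute-list prefix ... in' would still install."""
    entries = parse_prefix_list(config_lines)
    return [r for r in routes if evaluate(entries, r) == "permit"]

# The list from the lab solution, followed by two easy mistakes (constructed).
LAB = ["ip prefix-list BLOCK_R4_L0 deny 10.0.2.2/32",
       "ip prefix-list BLOCK_R4_L0 permit 0.0.0.0/0 le 32"]
NO_PERMIT = LAB[:1]                                            # permit line forgotten
NO_LE = [LAB[0], "ip prefix-list BLOCK_R4_L0 permit 0.0.0.0/0"]  # 'le 32' forgotten

# Constructed route list using prefixes that appear in these labs.
ROUTES = ["10.0.1.1/32", "10.0.2.2/32", "172.16.12.0/24", "172.16.13.0/24"]
```

Both broken variants filter out every route in the list: without 'le 32' the permit entry matches only the default route itself.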

Thursday, August 1, 2013

OSPF Network Loopback


Pic. 1 - Topology Diagram.


Task 1
On R1 create loopback 1 interface with the address 1.1.1.1/24. Advertise this subnet into OSPF area 13 and ensure other OSPF routers receive it with the network mask configured on R1 (/24).

Questions
Try to answer the following questions:
  1. What is the default network mask of loopback network when advertised into OSPF?
  2. How can you advertise loopback network with its actual network mask?

Lab Solution

Solution configuration below:
https://docs.google.com/file/d/0BwE5C95tpjZOWEFGdmtGYWhZbmc/edit?usp=sharing


Task 1
On R1 create loopback 1 interface with the address 1.1.1.1/24. Advertise this subnet into OSPF area 13 and ensure other OSPF routers receive it with the network mask configured on R1 (/24).

R1 Config:
!
interface Loopback1
 ip address 1.1.1.1 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 13
!

Notice!
The statement 'ip ospf network point-to-point' allows OSPF to advertise the loopback network with the actual (configured) network mask.

Study Drill

Check the OSPF database to see what the loopback interfaces (e.g. 10.0.1.1) look like. Compare this output with the 1.1.1.0/24 loopback network you have configured in the lab solution. Use 'show ip ospf database router' on R1.

Sunday, July 28, 2013

OSPF Null Authentication


Pic. 1 - Topology Diagram.


Task 1
Remove OSPF MD5 authentication between R1 and R2 (look at configuration in previous lab). Do not change anything else on R1. Ensure R1 and R2 stay OSPF neighbors.


Questions
Try to answer the following questions:
  1. What is OSPF Null authentication?
Study Drill

Consider the configuration on R1:

Pic. 2.

The task stipulates that we can remove OSPF configuration from R1's FastEthernet, but we CAN'T change anything in the OSPF routing context (we can't remove 'area 0 authentication').

Since FastEthernet0/0 on R1 is enabled in OSPF area 0, the only option we have is to apply OSPF null authentication.

Lab Solution
Task 1
Remove OSPF MD5 authentication between R1 and R2 (look at configuration in previous lab). Do not change anything else on R1. Ensure R1 and R2 stay OSPF neighbors.


R1 Config:
!
interface FastEthernet0/0
 no ip ospf message-digest-key 1 md5 G33K
 no ip ospf message-digest-key 2 md5 CISCO123
 ip ospf authentication null

!

R2 Config:
!
interface FastEthernet0/0
 no ip ospf authentication message-digest
 no ip ospf message-digest-key 1 md5 G33K

!

Pic. 3.



Study Drill

Recall the order of operations in terms of OSPF: interface-based authentication overrides the routing context one. Also, if authentication is enabled in the OSPF routing context for a specific area, ALL interfaces in this authenticated area will send their 'hello' packets with the authentication method/data by default. 
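One way to audit the override order described above, as an added Python example that is not from the original lab: it reads a configuration, works out the authentication mode each OSPF interface ends up with, and lists interfaces where 'ip ospf authentication null' switches off an authenticated area. The sample configuration and its addresses are constructed, and only area membership through network statements is handled.

```python
import ipaddress
import re

# Constructed config (not from the page): area 0 is authenticated in the
# routing context, Fa0/0 overrides that with null, Fa0/1 inherits it.
SAMPLE = """\
interface FastEthernet0/0
 ip address 172.16.12.1 255.255.255.0
 ip ospf authentication null
interface FastEthernet0/1
 ip address 172.16.0.1 255.255.255.0
router ospf 1
 network 172.16.12.0 0.0.0.255 area 0
 network 172.16.0.0 0.0.0.255 area 0
 area 0 authentication message-digest
"""

def wildcard_net(addr, wildcard):
    """IOS wildcard mask -> network (assumes a contiguous wildcard)."""
    bits = bin(int(ipaddress.ip_address(wildcard))).count("1")
    return ipaddress.ip_network(f"{addr}/{32 - bits}", strict=False)

def effective_auth(config):
    """Return {interface: (area, effective mode, area mode)}; interface wins."""
    ifaces, networks, area_auth, cur = {}, [], {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            cur = ifaces.setdefault(m[1], {"ip": None, "auth": None})
        elif not line.startswith(" "):
            cur = None  # left the interface context
        elif cur is not None and (m := re.match(r" ip address (\S+) ", line)):
            cur["ip"] = ipaddress.ip_address(m[1])
        elif cur is not None and (m := re.match(r" ip ospf authentication(?: (\S+))?$", line)):
            cur["auth"] = m[1] or "simple"  # bare keyword = plain-text password
        elif m := re.match(r" network (\S+) (\S+) area (\S+)", line):
            networks.append((wildcard_net(m[1], m[2]), m[3]))
        elif m := re.match(r" area (\S+) authentication(?: (\S+))?$", line):
            area_auth[m[1]] = m[2] or "simple"
    report = {}
    for name, cfg in ifaces.items():
        area = next((a for net, a in networks if cfg["ip"] and cfg["ip"] in net), None)
        if area is None:
            continue  # interface is not enabled for OSPF
        area_mode = area_auth.get(area, "null")
        report[name] = (area, cfg["auth"] or area_mode, area_mode)
    return report

def null_overrides(config):
    """Interfaces that switch authentication off inside an authenticated area."""
    return [n for n, (_, mode, area_mode) in effective_auth(config).items()
            if mode == "null" and area_mode != "null"]
```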

In the later labs we will use OSPF Virtual Link configuration. Which area will a VL belong to? How will area authentication affect the VL?