OSPF Authentication across multiple Area and Stub / NSSA networks

Topology_OSPF_Stubs

This may be brief as I am dealing with a mixture of back pain / medicine for it, so I am going to try to focus long enough to apply Authentication in a mixture of ways, across both my NBMA network and my Total Stub / NSSA Areas. This can be done two ways with OSPF:

  • Directly on the interface with two commands, I’ll use this approach on Stubs
  • In router configuration with “area x authentication” command which still requires some leg work on the interfaces in Area x

So to get started, I’m going to use plain-text authentication in Area 15 which is a very simple configuration:

R1(config)#int fa0/1
R1(config-if)#
R1(config-if)#ip ospf authentication
R1(config-if)#ip ospf authentication ?
  message-digest  Use message-digest authentication
  null            Use no authentication
  <cr>

R1(config-if)#
*Mar  1 13:23:21.181: %OSPF-5-ADJCHG: Process 1, Nbr 5.5.5.5 on FastEthernet0/1 from FULL to DOWN, Neighbor Down: Dead timer expired
R1(config-if)#ip ospf pass
R1(config-if)#ip ospf au
R1(config-if)#ip ospf authentication-k
R1(config-if)#ip ospf authentication-key ?
  <0-7>  Encryption type (0 for not yet encrypted, 7 for proprietary)
  LINE   The OSPF password (key) (maximum 8 characters)

R1(config-if)#ip ospf authentication-key CCNP
R1(config-if)#

A couple of things to note here:

  • As soon as authentication is configured, whether in router configuration or on the interface, the adjacency survives only until the dead timer expires and then drops
  • When issuing the first command to set authentication on the interface, I did a ? to show there is a <cr> indicating clear-text, message-digest for MD5 encryption, and also an odd option for “null” for no authentication to be used
  • For the authentication-key, I also used the ? to show the two options LINE which is clear text key and another oddity the 0-7 encryption type, I will experiment with that in the session
  • For clear text authentication it is limited to 8 characters

Now I jump on R5 and just pump out the commands quick:

R5#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R5(config)#int fa0/1
R5(config-if)#ip ospf auth
R5(config-if)#ip ospf authentication-key CCNP
R5(config-if)#
*Dec 30 01:59:20.539: %OSPF-5-ADJCHG: Process 1, Nbr 172.16.11.1 on FastEthernet0/1 from LOADING to FULL, Loading Done
R5(config-if)#

And there it is, clear text authentication running on my NSSA, but can R4 still ping 5.5.5.5?

R4#ping 5.5.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/64/68 ms
R4#

Absolutely it can, authentication was successful and the adjacency reformed, so it is business as usual. However I am going to configure authentication in router config and on the interface for Area 0 using MD5, and we’ll see if that breaks the route from R4 to R5:

R1(config-if)#router ospf 1
R1(config-router)#area 0 authentication message-digest ?
  <cr>

R1(config-router)#area 0 authentication message-digest
R1(config-router)#

  • I could have left off message-digest for plain text key authentication
  • There are no further options after message-digest with this command
  • Now we must specify our MD5 key on the interface in Area 0

This is a mouthful of a command on the interface, so I am going to include the output of ? after every step of the way to view options:

R1(config-router)#int s0/0
R1(config-if)#ip ospf message-digest-key ?
  <1-255>  Key ID

R1(config-if)#ip ospf message-digest-key 1 ?
  md5  Use MD5 algorithm

R1(config-if)#ip ospf message-digest-key 1 md5 ?
  <0-7>  Encryption type (0 for not yet encrypted, 7 for proprietary)
  LINE   The OSPF password (key) (maximum 16 characters)

R1(config-if)#ip ospf message-digest-key 1 md5 CCNP ?
LINE    <cr>

R1(config-if)#ip ospf message-digest-key 1 md5 CCNP CCNP ?
LINE    <cr>

R1(config-if)#ip ospf message-digest-key 1 md5 CCNP CCNP CCNP ?
LINE    <cr>

R1(config-if)#ip ospf message-digest-key 1 md5 CCNP CCNP CCNP
R1(config-if)#

So there are multiple interesting things going on here:

  • Again we have encryption 0-7, I assume meaning not encrypted (0) or using MD5 (7)
  • Key #, I would bet those have to match, so I will set one incorrectly and see how I can identify my mistake by show commands or debugs
  • Only option for encryption is md5
  • It let me continue to type CCNP without giving an error, so I’m going to try using CCNP CCNP CCNP as my key and see if it works
  • **** MD5 ENCRYPTION ALLOWS 16 CHARACTERS FOR THE KEY WHILE PLAIN TEXT ONLY ALLOWS 8 CHARACTERS **** VERY IMPORTANT DISTINCTION

So now I will hop on R3, and one thing I want to test is whether I can put in a single CCNP to authenticate, and whether it allowing me to put it in three times with spaces is a bug:

R3#sh ip ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
4.4.4.4           1   FULL/DR         00:00:39    172.12.34.4     FastEthernet0/1
R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#router ospf 1
R3(config-router)#area 0 authentication message-digest
R3(config-router)#int s0/2
R3(config-if)#ip ospf message-digest-key 1 md5 CCNP
R3(config-if)#no ip ospf message-digest-key 1 md5 CCNP
R3(config-if)#ip ospf message-digest-key 1 md5 CCNP CCNP CCNP
R3(config-if)#
*Mar  1 15:04:29.086: %OSPF-5-ADJCHG: Process 1, Nbr 172.16.11.1 on Serial0/2 from LOADING to FULL, Loading Done
R3(config-if)#

As can be seen, those null spaces are as much a part of the key as the CCNP repeated 3 times. I also found and highlighted something interesting: plain text keys only get 8 characters but MD5 encrypted keys get 16 characters, so I went back and highlighted the examples for clarity. So R1 and R3 are authenticated and neighbors again, so a quick ping from R4 to R5 to see if packets are still able to hit 5.5.5.5:

R4#ping 5.5.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/65/68 ms
R4#

Sure can. Now I am going to configure R2 for Area 0 authentication, however I am going to change the Key # to 2 to see what happens (or doesn’t happen):

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#router ospf 1
R2(config-router)#area 0 authentication message-digest
R2(config-router)#int s0/0
R2(config-if)#ip ospf message-digest-key 2 md5 CCNP CCNP CCNP
R2(config-if)#no ip ospf message-digest-key 2 md5 CCNP CCNP CCNP
R2(config-if)#ip ospf message-digest-key 1 md5 CCNP CCNP CCNP
R2(config-if)#
*Mar  1 12:07:33.149: %OSPF-5-ADJCHG: Process 1, Nbr 172.16.11.1 on Serial0/0 from LOADING to FULL, Loading Done
R2(config-if)#

So after waiting the 30 seconds for a Hello, an Adjacency was not happening, so I changed it back to key 1. Now out of curiosity I am going to change this encryption type to see if that will drop the adjacency, and if it does drop, I’d like to see if setting it to 7 will allow the adjacency to re-form:

R2(config-if)#no ip ospf message-digest-key 1 md5 CCNP CCNP CCNP

R2(config-if)#ip ospf message-digest-key 1 md5 ?
  <0-7>  Encryption type (0 for not yet encrypted, 7 for proprietary)
  LINE   The OSPF password (key) (maximum 16 characters)

R2(config-if)#ip ospf message-digest-key 1 md5 3 ?
  LINE  The OSPF password (key) (maximum 16 characters)

R2(config-if)#ip ospf message-digest-key 1 md5 3 CCNP CCNP CCNP
R2(config-if)#do sh ip ospf nei


Neighbor ID     Pri   State           Dead Time   Address         Interface
172.16.11.1       1   FULL/DR         00:01:41    172.12.123.1    Serial0/0
R2(config-if)#

Given that takes 2 minutes for a dead timer on an NBMA network to slowly count down, I went over to R3 and R4 to configure that quickly, then came back to see if there were any drops but there were none. So now I am really curious, and going to assign all 3 NBMA routers with different encryption types and see if we see some drops in adjacencies:

R1(config-if)#
R1(config-if)#no ip ospf message-digest-key 1 md5 CCNP CCNP CCNP
R1(config-if)#ip ospf message-digest-key 1 md5 5 CCNP CCNP CCNP
R1(config-if)#
ASR#3
[Resuming connection 3 to r3 ... ]

R3(config-if)#int s0/2
R3(config-if)#no ip ospf message-digest-key 1 md5 CCNP CCNP CCNP
R3(config-if)#ip ospf message-digest-key 1 md5 6 CCNP CCNP CCNP
R3(config-if)#

And no drops in Adjacency anywhere, just to confirm I’ll do a ping from R4 to R5:

R4(config-if)#do ping 5.5.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/64/68 ms
R4(config-if)#

Whoop there it is! SO THE ENCRYPTION TYPES IN THE MESSAGE-DIGEST COMMAND ON THE INTERFACE CAN BE SET TO DIFFERENT VALUES AND FORM AN ADJACENCY, BUT THE KEY NUMBER AND OF COURSE KEY ITSELF MUST MATCH!
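
Why the key number and the key have to match shows up in how RFC 2328 (Appendix D) builds and checks the MD5 trailer: the key ID travels in the OSPF header, and the digest is MD5 over the packet plus the key padded to 16 bytes. This is an added example, not code from the original post; the function names and the sequence number are constructed for it, while the key, addresses and 30/120 timers come from the lab.

```python
import hashlib
import hmac
import ipaddress
import struct

AUTYPE_CRYPTO = 2   # RFC 2328 AuType for cryptographic authentication
DIGEST_LEN = 16     # MD5 output size, and the size the key is padded to
HEADER_LEN = 24     # fixed OSPFv2 header
HEADER_FMT = "!BBH4s4sHHHBBI"


def ip(addr):
    return ipaddress.IPv4Address(addr).packed


def pad_key(key):
    """Key as used in the digest: its bytes padded with zeros to 16 (RFC 2328 D.4.3)."""
    raw = key.encode("ascii")
    if len(raw) > DIGEST_LEN:
        # Choice made by this example: reject rather than truncate.
        raise ValueError("MD5 key is limited to 16 characters")
    return raw.ljust(DIGEST_LEN, b"\x00")


def build_hello(router_id, area_id, key_id, key, seq):
    """Build an OSPFv2 Hello followed by its MD5 authentication trailer."""
    # Hello body: mask, HelloInterval, options, priority, DeadInterval, DR, BDR
    body = struct.pack("!4sHBBI4s4s", ip("255.255.255.0"), 30, 0x02, 1, 120,
                       ip("172.12.123.1"), ip("0.0.0.0"))
    length = HEADER_LEN + len(body)        # packet length excludes the digest
    header = struct.pack(HEADER_FMT, 2, 1, length, ip(router_id), ip(area_id),
                         0,                 # checksum is not computed for AuType 2
                         AUTYPE_CRYPTO,
                         0, key_id, DIGEST_LEN, seq)
    packet = header + body
    return packet + hashlib.md5(packet + pad_key(key)).digest()


def verify(packet, keys, last_seq=0):
    """Receiver side. `keys` maps key ID -> key string configured on the interface."""
    (_, _, length, _, _, _, autype, _, key_id, auth_len, seq) = struct.unpack(
        HEADER_FMT, packet[:HEADER_LEN])
    if autype != AUTYPE_CRYPTO:
        return "authentication type mismatch"
    if key_id not in keys:                 # the receiver selects the key by its ID
        return "unknown key id"
    if seq < last_seq:                     # replayed or out-of-date packet
        return "stale sequence number"
    if auth_len != DIGEST_LEN or len(packet) != length + DIGEST_LEN:
        return "bad length"
    expected = hashlib.md5(packet[:length] + pad_key(keys[key_id])).digest()
    if not hmac.compare_digest(expected, packet[length:]):
        return "digest mismatch"
    return "accepted"


if __name__ == "__main__":
    hello = build_hello("172.16.11.1", "0.0.0.0", key_id=1,
                        key="CCNP CCNP CCNP", seq=1000)
    cases = [
        ("same key ID, same key", {1: "CCNP CCNP CCNP"}),
        ("key ID 2 instead of 1", {2: "CCNP CCNP CCNP"}),
        ("single CCNP as the key", {1: "CCNP"}),
    ]
    for label, keys in cases:
        print(f"{label}: {verify(hello, keys)}")
```

The spaces in "CCNP CCNP CCNP" are ordinary key bytes, so a neighbor configured with a single CCNP computes a different digest.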

So I know you are thinking to yourself, “This is all fine and good but how can you tell what areas are running Authentication?” I have your answer, hold onto your horses for this output from R3 to demonstrate a lot of useful information from “sh ip ospf” :

R3(config-if)#do sh ip ospf
 Routing Process "ospf 1" with ID 3.3.3.3
 Start time: 00:00:41.792, Time elapsed: 02:27:13.561
 Supports only single TOS(TOS0) routes
 Supports opaque LSA
 Supports Link-local Signaling (LLS)
 Supports area transit capability
 It is an area border router
 Router is not originating router-LSAs with maximum metric
 Initial SPF schedule delay 5000 msecs
 Minimum hold time between two consecutive SPFs 10000 msecs
 Maximum wait time between two consecutive SPFs 10000 msecs
 Incremental-SPF disabled
 Minimum LSA interval 5 secs
 Minimum LSA arrival 1000 msecs
 LSA group pacing timer 240 secs
 Interface flood pacing timer 33 msecs
 Retransmission pacing timer 66 msecs
 Number of external LSA 3. Checksum Sum 0x010175
 Number of opaque AS LSA 0. Checksum Sum 0x000000
 Number of DCbitless external and opaque AS LSA 0
 Number of DoNotAge external and opaque AS LSA 0
 Number of areas in this router is 3. 2 normal 1 stub 0 nssa
 Number of areas transit capable is 0
 External flood list length 0
 IETF NSF helper support enabled
 Cisco NSF helper support enabled
    Area BACKBONE(0)
        Number of interfaces in this area is 1
        Area has message digest authentication
        SPF algorithm last executed 00:18:36.094 ago
        SPF algorithm executed 12 times
        Area ranges are
        Number of LSA 10. Checksum Sum 0x05C9A4
        Number of opaque link LSA 0. Checksum Sum 0x000000
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 0
        Flood list length 0
    Area 3
        Number of interfaces in this area is 1 (1 loopback)
        Area has no authentication
        SPF algorithm last executed 02:27:11.778 ago
        SPF algorithm executed 3 times
        Area ranges are
        Number of LSA 8. Checksum Sum 0x04E86F
        Number of opaque link LSA 0. Checksum Sum 0x000000
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 0
        Flood list length 0
    Area 34
        Number of interfaces in this area is 1
        It is a stub area, no summary LSA in this area
          generates stub default route with cost 1
        Area has message digest authentication
        SPF algorithm last executed 00:12:26.836 ago
        SPF algorithm executed 9 times
        Area ranges are
        Number of LSA 4. Checksum Sum 0x014DB0
        Number of opaque link LSA 0. Checksum Sum 0x000000
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 0
        Flood list length 0

R3(config-if)#

So much good information about every Area it knows about. Whether the Area is a stub, if it has authentication (and what kind) configured, what type of router it is (above Area info). While we are on the topic, I want to demonstrate useful info from a couple other show commands to troubleshoot with:

R3(config-if)#do sh ip proto
Routing Protocol is "ospf 1"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Router ID 3.3.3.3

  It is an area border router

  Number of areas in this router is 3. 2 normal 1 stub 0 nssa
  Maximum path: 4
  Routing for Networks:
    3.3.3.3 0.0.0.0 area 3
    172.12.34.0 0.0.0.255 area 34
    172.12.123.0 0.0.0.255 area 0
 Reference bandwidth unit is 100 mbps
  Routing Information Sources:
    Gateway         Distance      Last Update
    2.2.2.2              110      00:22:40
    172.16.11.1          110      00:22:40
  Distance: (default is 110)

R3(config-if)#

That is a lot of good information as well. The routers RID, its router type, number of areas it knows about, and what types of areas those are. One more here to complete the show commands:

R3(config-if)#do sh ip ospf int s0/2
Serial0/2 is up, line protocol is up
  Internet Address 172.12.123.3/24, Area 0
  Process ID 1, Router ID 3.3.3.3, Network Type NON_BROADCAST, Cost: 64
  Transmit Delay is 1 sec, State DROTHER, Priority 0
  Designated Router (ID) 172.16.11.1, Interface address 172.12.123.1
  No backup designated router on this network
  Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
    oob-resync timeout 120
    Hello due in 00:00:07
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 1/3, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 2
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 172.16.11.1  (Designated Router)

  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled

    Youngest key id is 1

R3(config-if)#

Got my timers intervals, DR RID and IP address of connected interface, Neighbor count, shows Authentication with a key of 1, just a lot of good troubleshooting information here.
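
The authentication lines in "sh ip ospf" and "sh ip ospf int" can be checked mechanically across many routers. The following is an added example, not part of the original post: it parses abridged copies of R3's output from above and reports areas with real neighbors but no authentication. The function names are this example's own, and treating a missing "Youngest key id" line as "no key configured" is an assumption.

```python
import re

# Abridged from R3's "sh ip ospf" output shown above.
SHOW_IP_OSPF = """\
 Routing Process "ospf 1" with ID 3.3.3.3
 Number of areas in this router is 3. 2 normal 1 stub 0 nssa
    Area BACKBONE(0)
        Number of interfaces in this area is 1
        Area has message digest authentication
        Area ranges are
    Area 3
        Number of interfaces in this area is 1 (1 loopback)
        Area has no authentication
    Area 34
        Number of interfaces in this area is 1
        It is a stub area, no summary LSA in this area
        Area has message digest authentication
"""

# Abridged from R3's "sh ip ospf int s0/2" output shown above.
SHOW_IP_OSPF_INT = """\
Serial0/2 is up, line protocol is up
  Internet Address 172.12.123.3/24, Area 0
  Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
  Neighbor Count is 1, Adjacent neighbor count is 1
  Message digest authentication enabled
    Youngest key id is 1
"""

AREA_RE = re.compile(r"^\s*Area (?:BACKBONE\()?(\d+)\)?\s*$")
IFCOUNT_RE = re.compile(
    r"Number of interfaces in this area is (\d+)(?: \((\d+) loopback\))?")
AUTH_RE = re.compile(r"Area has (.+) authentication")


def parse_areas(text):
    """Return {area number: {"interfaces", "loopbacks", "auth"}}."""
    areas, current = {}, None
    for line in text.splitlines():
        m = AREA_RE.match(line)
        if m:
            current = areas.setdefault(
                int(m.group(1)), {"interfaces": 0, "loopbacks": 0, "auth": None})
        elif current is not None and (m := IFCOUNT_RE.search(line)):
            current["interfaces"] = int(m.group(1))
            current["loopbacks"] = int(m.group(2) or 0)
        elif current is not None and (m := AUTH_RE.search(line)):
            current["auth"] = m.group(1)       # "no", "message digest", ...
    return areas


def parse_interface(text):
    """Pull the authentication-related fields out of one interface's output."""
    info = {"name": None, "area": None, "auth": "none", "key_id": None, "adjacent": 0}
    for line in text.splitlines():
        if (m := re.match(r"^(\S+) is \S+, line protocol is", line)):
            info["name"] = m.group(1)
        elif (m := re.search(r"Internet Address \S+, Area (\d+)", line)):
            info["area"] = int(m.group(1))
        elif (m := re.search(r"Adjacent neighbor count is (\d+)", line)):
            info["adjacent"] = int(m.group(1))
        elif (m := re.search(r"^\s*(.+) authentication enabled", line)):
            info["auth"] = m.group(1).lower()
        elif (m := re.search(r"Youngest key id is (\d+)", line)):
            info["key_id"] = int(m.group(1))
    return info


def findings(areas, iface):
    """List authentication gaps; loopback-only areas have no neighbors to protect."""
    out = []
    for num, area in sorted(areas.items()):
        transit = area["interfaces"] - area["loopbacks"]
        if transit > 0 and area["auth"] == "no":
            out.append(f"area {num}: no authentication on {transit} non-loopback interface(s)")
        elif area["auth"] not in ("no", "message digest", None):
            out.append(f"area {num}: {area['auth']} authentication instead of message digest")
    area = areas.get(iface["area"])
    if area and area["auth"] == "message digest":
        if iface["auth"] != "message digest":
            out.append(f"{iface['name']}: authentication is {iface['auth']!r}, "
                       f"area {iface['area']} expects message digest")
        elif iface["key_id"] is None:
            out.append(f"{iface['name']}: message digest enabled but no key configured")
    return out


if __name__ == "__main__":
    result = findings(parse_areas(SHOW_IP_OSPF), parse_interface(SHOW_IP_OSPF_INT))
    print(result or "no authentication gaps found")
```

On R3's output nothing is flagged: Area 3 has no authentication, but its only interface is a loopback.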

So I am going to “wr mem” on my configs in case I forgot anything, otherwise I am fried and you will just need to believe from the show output above I did do authentication between R3 and R4.

***Also one note for Hello / Dead Timers: Hello / Dead timers for NBMA are 30/120, on FastEthernet 10/40, and OSPF dynamically adjusts Dead timer to be 4x the Hello if changed***

/fin

Using Static Routes / Redistribution to overcome Stub to Stub communication

Topology_OSPF_Stubs

So I actually did not wr mem any routers from my previous lab where Area 15 and 34 were turned into virtual-links, so we are back to the NSSA for Area 15 and the Total Stub on Area 34. My goal is to figure out if and where static IP’s can be assigned to route traffic between Total Stub networks, and possibly get into Authentication and how it affects connectivity if time permits as I am fried already from work so going right back to the CLI is like pulling teeth some days 🙂 So the same old topology is shown that I will be working with.

So without reading the old post, I remember from R5 I could ping all the way to R4’s 172.12.34.4 FastEthernet interface, but couldn’t reach its loopback of 4.4.4.4 and vice versa to R5’s loopback of 5.5.5.5. So R1 and R3 are not learning these OSPF routes due to lack of a Virtual-Link, so I am thinking either a static route on each or a static route redistributed into OSPF (so this could get messy). Let’s start on R1:

R1#ping 5.5.5.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#conf t
R1(config)#ip route 5.5.5.5 255.255.255.255 fa0/1
R1(config)#do ping 5.5.5.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
R1(config)#

Easy as that, jump to R3 to create a static route to 4.4.4.4 and ping 5.5.5.5 from R4:

R4#ping 5.5.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R4#

Where is my rage face emoji. There has to be a logical solution, and I think it is that a static route needs to actually be added on those Non-Backbone routers as well, but I am going to confirm how far I can ping and not drop packets:

R4#ping 172.12.15.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.12.15.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/65/68 ms
R4#

Same thing as before, the return route needs to also be placed on the Stub routers to make this work I am hoping, that way I can say I learned something and get into Area Authentication. So I will just mirror the ip route statements on their stub routers:

R5(config)#ip route 4.4.4.4 255.255.255.255 fa0/1
R5(config)#do ping 4.4.4.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R5(config)#

So we have gone from U.U.U to complete packet loss, however I can still hit R4’s Fa0/1 IP:

R5#ping 172.12.34.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.12.34.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/65/68 ms
R5#ping 4.4.4.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R5#

So something has got to give here, we went from an upstream router not knowing where to send traffic, to R4 and R5 dropping the other’s packets to the loopbacks. I first remove the static routes from R4 and R5 and ping again to confirm I am back to U.U.U, however I am going to get on the ASBR R1 and see if I can redistribute my way to routing success:

R1(config)#ip route 4.4.4.4 255.255.255.255 172.12.123.3
R1(config)#no ip route 5.5.5.5 255.255.255.255 fa0/1
R1(config)#ip route 5.5.5.5 255.255.255.255 172.12.15.5
R1(config)#router ospf 1
R1(config-router)#redistribute static subnets metric-type 1
R1(config-router)#

So as can be seen, to keep things consistent I changed the static route from an interface to the remote routers IP address, as I can’t send 4.4.4.4 traffic out the Serial interface as I have two spoke routers off of it and only one of them contains 4.4.4.4. Though it would be interesting to see if it would be 50% loss rate of packets or if they would all tank, I’ll try that out once I have this resolved. So here is how things look:

R3#show ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O IA    1.1.1.1 [110/65] via 172.12.123.1, 00:33:45, Serial0/2
     2.0.0.0/32 is subnetted, 1 subnets
O IA    2.2.2.2 [110/65] via 172.12.123.2, 00:33:45, Serial0/2
     100.0.0.0/13 is subnetted, 1 subnets
O E1    100.0.0.0 [110/84] via 172.12.123.1, 00:33:45, Serial0/2
     5.0.0.0/32 is subnetted, 1 subnets
O E1    5.5.5.5 [110/85] via 172.12.123.1, 00:07:17, Serial0/2
     172.12.0.0/24 is subnetted, 3 subnets
O IA    172.12.15.0 [110/65] via 172.12.123.1, 00:33:45, Serial0/2
     172.16.0.0/22 is subnetted, 1 subnets
O IA    172.16.8.0 [110/65] via 172.12.123.1, 00:33:45, Serial0/2
R3#

Ok, this HAS GOT TO WORK this time around, and yes I do just generally change the metric type to 1 automatically now with OSPF redistribution as not to get the seed metric of 20. So let the routing gods pass traffic between these two Stub networks so that I may move on:

R4#ping 5.5.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/65/68 ms
R4#

YESSSSSS!!!!! YES YES YESSSSS!!!!!! TAKE THAT LOGICAL BEHAVIOR!!!

So that is awesome that I stumbled across that, worked through the issue, and learned a great lesson here about mixing static routing with Redistribution for Stub communication. That’s a lot of routing mechanisms working against a packet to get to its destination and back, but that packet was sent and returned! Now, I am going to break it again, because I am curious if I used interfaces instead of remote IP’s for the static routes:

R1(config)#no ip route 5.5.5.5 255.255.255.255 172.12.15.5
R1(config)#no ip route 4.4.4.4 255.255.255.255 172.12.123.3
R1(config)#ip route 5.5.5.5 255.255.255.255 fa0/1
R1(config)#ip route 4.4.4.4 255.255.255.255 s0/0

I first want to try pinging from R1 to 4.4.4.4 to see if there is connectivity at all:

R1(config)#do ping 4.4.4.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1(config)#

I do believe if this was an EIGRP topology (which I may check at some point), it would actually equal-cost load balance that traffic so we might see ping results like ..!.! or basically 50% packet loss sending the traffic to both neighbors and only one replying.

HOWEVER, this is not EIGRP, so I will add the static routes by remote IP again, and I am going to be a slacker and call it a night here on the equipment because my belly is grumbling feed me and I feel I have learned a LOT from this lab session.

Next up, Authentication, then Redistribution and I think we are caught up!

OSPF Stub troubleshooting, Virtual-Links (solved on next post)

Topology_OSPF_Stubs

Between the holidays and throwing my back out worse than I think I ever have, I have been kept from moving forward with subjects, but I am determined to get back to where I left off months before the summer by the New Year if life doesn’t happen again by then.

That being said, I am going to work on the U.U.U response from R4 to R5’s loopback of 5.5.5.5, which seemed to break once I made area 15 an NSSA Total Stub. U.U.U means an upstream router does not have a path back to the source of the ping, so I am going to look at route tables on R1 and R3, as these are the ABR’s to both R4 and R5 (Remember there is no longer a virtual-link now that they are stubs).

Here are the results from pinging from R5 to R4’s loopback of 4.4.4.4:

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R5#ping 172.12.123.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.12.123.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R5#ping 172.12.123.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.12.123.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/64/68 ms
R5#ping 172.12.34.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.12.34.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/66/68 ms
R5#ping 172.12.34.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.12.34.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/64/68 ms
R5#ping 4.4.4.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R5#

So what it is showing above is that it can ping everything over the WAN up to and including R4’s FastEthernet interface, but not its loopback. I’ve already checked R1’s OSPF route table, so now I am curious if R3 can ping 4.4.4.4, which I imagine it can because it is the default gateway that R4 will throw any traffic (including our ping traffic) back to:

R3#show ip route ospf
1.0.0.0/32 is subnetted, 1 subnets
O IA    1.1.1.1 [110/65] via 172.12.123.1, 00:23:01, Serial0/2
2.0.0.0/32 is subnetted, 1 subnets
O IA    2.2.2.2 [110/65] via 172.12.123.2, 00:23:01, Serial0/2
100.0.0.0/13 is subnetted, 1 subnets
O E1    100.0.0.0 [110/84] via 172.12.123.1, 00:23:01, Serial0/2
172.12.0.0/24 is subnetted, 3 subnets
O IA    172.12.15.0 [110/65] via 172.12.123.1, 00:23:01, Serial0/2
172.16.0.0/22 is subnetted, 1 subnets
O IA    172.16.8.0 [110/65] via 172.12.123.1, 00:23:01, Serial0/2
R3#

Not looking good, we no longer have a learned route to R5’s 5.5.5.5, so I tried to ping 4.4.4.4 from R3 to prove the idea it has to return traffic being the default gateway:

R3#ping 4.4.4.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R3#

These two routers are directly connected via FastEthernet, but I cannot ping a logical interface on it, I don’t recall running into this before (so I must not have been checking my work). So it occurred to me that the issue may be lying in the fact that Areas configured on a non-Backbone router require a virtual-link for those area’s to be advertised to other neighbors. I removed the Total Stub configs on Area 34 and put back in place the Virtual-Link to see if I regain L3 connectivity or if both area’s need the virtual-link configured for their loopbacks to be advertised across the network.

One thing I bumped into that I found interesting was this:

R3(config-router)#no area 34 stub no-summary
R3(config-router)#area 34 virtual-link 4.4.4.4
% OSPF: Area 34 is a stub or nssa so virtual links are not allowed
R3(config-router)#

I even did “clear ip ospf proc” to make sure it wasn’t clinging to cached memory, but it just wasn’t happening. I then realized when I really looked at the syntax of the error message, it is saying that the area is configured as a stub, so I issued “no area 34 stub” on R3 and immediately the bells and whistles started going off:

R3(config-router)#no area 34 stub
R3(config-router)#area 34 virtual-link 4.4.4.4
R3(config-router)#
*Mar  1 13:54:43.500: %OSPF-5-ADJCHG: Process 1, Nbr 4.4.4.4 on FastEthernet0/1 from LOADING to FULL, Loading Done
R3(config-router)#
*Mar  1 13:55:05.384: %OSPF-5-ADJCHG: Process 1, Nbr 4.4.4.4 on OSPF_VL0 from LOADING to FULL, Loading Done
R3(config-router)#do ping 4.4.4.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R3(config-router)#

MUCH better, however the test will be pinging R5’s loopback of 5.5.5.5 from R4:

R4#ping 5.5.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R4#

Notta. So I will remove stub configs from Area 15 and give it a virtual-link to see if everything goes, along the way got some output I found interesting:

R1(config-router)#no area 15 stub
OSPF: Area is configured as NSSA already
R1(config-router)#

So the router won’t accept no area 15 stub, it wants the syntax and even tells you it wants that syntax correct. Once I removed the NSSA configurations from Area 15, a neighbor adjacency formed, however it is still not able to ping 5.5.5.5 and they are also two routers connected via FastEthernet.

So I wrestled with this for quite some time, as I took stub configs off and added virtual-links how I originally did, but since that original config I’ve added loopbacks that are numerically higher than 1.1.1.1. It took me seeing connections to drop and reform back to R1 several times and a few “sh ip ospf nei” to realize I had to make 172.16.11.1 the virtual-link’s remote RID as it will look for the highest loopback address in OSPF to form neighbor adjacencies (including virtual-links):

R5(config-router)#no area 15 virtual-link 1.1.1.1
R5(config-router)#area 15 virtual-link 172.16.11.1
R5(config-router)#
*Dec 28 00:58:43.767: %OSPF-5-ADJCHG: Process 1, Nbr 172.16.11.1 on OSPF_VL1 from LOADING to FULL, Loading Done
R5(config-router)#

One thing this troubleshooting has taught is the commands “sh ip proto” and “sh ip ospf nei” will give you just about all the info you need when troubleshooting a router, however “sh ip ospf” will give you the whole ball of wax.

I am curious to see if static routes could be added to overcome this issue, but I am too mentally exhausted to push further and retain anything meaningful, so my next sit down I’d like to give some stub / static routing a try because no communication with a virtual-link just doesn’t seem right (but I am too drained to open that can of worms tonight). So next I’ll try making a single stub network, and see if I can statically route it, along with covering Authentication.

I am finding more and more unexpected behaviors each time I sit down to study, so it’s almost difficult to stay on track moving forward before I find the reason for these unexpected behaviors.

Redistribution, Stub Areas, NSSA’s, Summarization, Metric changing

Topology_OSPF_Stubs

After coming back from a weekend of being sick, I’m going to perform what has already been covered in previous posts so I may not go crazy with output from configs, however I do want to document any road blocks I struggle with or unexpected network behaviors. I did some reading of my original notes over the weekend while sick, which was cool to study from my own materials, and am going to set up the following at the very least:

  • Add loopbacks 101 – 107 on R1 for subnets 100.1.0.0 /16 – 100.7.0.0 /16 (100.
  • Will ‘redistribute connected subnets’ to get some external routes going to Stub 🙂
  • Add loopbacks for networks 172.16.8.0 /24 – 172.16.11.0 /24 on R1, and make it a summary route with the ‘area-range’ command I believe
  • Make Area 34 a Total Stub, showing the before and after output of the route table
  • Make Area 15 an NSSA Total Stub, also showing route table changes as I go
  • Change the metric from Type 2 to Type 1 when Redistributing

I think this will at least set me up so I can play with Authentication, and how it works between areas and across the WAN connections, as well as some LSA type review given the Stub / Total Stub / NSSA area’s and what type of LSA’s they are letting in.

So let’s get to it. I added my 100.x.x.x loopbacks, and just went right into the changing the Metric type, as it is done on the ASBR (router doing redistribution) and my first priority is getting external routes out there, HOWEVER I WANT THEM TO HAVE THEIR TRUE METRIC AND NOT THE DEFAULT SEED METRIC OF ROUTES REDISTRIBUTED INTO OSPF OF 20:

On R1 in router config mode: “R1(config-router)#redistribute connected subnets metric-type 1”

And here is what R2 shows in its route table (R2 is never stubbed so its always pure OSPF):

R2#sh ip route ospf
1.0.0.0/32 is subnetted, 1 subnets
O IA    1.1.1.1 [110/65] via 172.12.123.1, 00:18:41, Serial0/0
100.0.0.0/16 is subnetted, 7 subnets
O E1    100.4.0.0 [110/84] via 172.12.123.1, 00:18:41, Serial0/0
O E1    100.5.0.0 [110/84] via 172.12.123.1, 00:18:41, Serial0/0
O E1    100.6.0.0 [110/84] via 172.12.123.1, 00:18:41, Serial0/0
O E1    100.7.0.0 [110/84] via 172.12.123.1, 00:18:41, Serial0/0
O E1    100.1.0.0 [110/84] via 172.12.123.1, 00:18:41, Serial0/0
O E1    100.2.0.0 [110/84] via 172.12.123.1, 00:18:41, Serial0/0
O E1    100.3.0.0 [110/84] via 172.12.123.1, 00:18:41, Serial0/0
3.0.0.0/32 is subnetted, 1 subnets
O IA    3.3.3.3 [110/65] via 172.12.123.3, 00:18:41, Serial0/0
4.0.0.0/32 is subnetted, 1 subnets
O IA    4.4.4.4 [110/66] via 172.12.123.3, 00:18:41, Serial0/0
5.0.0.0/32 is subnetted, 1 subnets
O IA    5.5.5.5 [110/66] via 172.12.123.1, 00:18:41, Serial0/0
172.12.0.0/24 is subnetted, 3 subnets
O IA    172.12.34.0 [110/65] via 172.12.123.3, 00:18:41, Serial0/0
O IA    172.12.15.0 [110/65] via 172.12.123.1, 00:18:42, Serial0/0
172.16.0.0/24 is subnetted, 4 subnets
O E1    172.16.8.0 [110/84] via 172.12.123.1, 00:09:52, Serial0/0
O E1    172.16.9.0 [110/84] via 172.12.123.1, 00:09:37, Serial0/0
O E1    172.16.10.0 [110/84] via 172.12.123.1, 00:09:11, Serial0/0
O E1    172.16.11.0 [110/84] via 172.12.123.1, 00:08:55, Serial0/0
R2#

So we definitely have our redistributed routes, along with Inter-Area (O IA), however I actually didn’t notice we don’t have any Intra-Area (O) routes in the route table.

So I am going to call an audible, as both of these external routes are directly connected to R1 so they are redistributed by default, I am going to try to summarize both of them using the two different methods:

“R1(config-router)#area 80 range 172.16.8.0 255.255.252.0”

And on R2 we now see:

R2#sh ip route ospf
1.0.0.0/32 is subnetted, 1 subnets
O IA    1.1.1.1 [110/65] via 172.12.123.1, 00:25:50, Serial0/0
100.0.0.0/16 is subnetted, 7 subnets
O E1    100.4.0.0 [110/84] via 172.12.123.1, 00:00:10, Serial0/0
O E1    100.5.0.0 [110/84] via 172.12.123.1, 00:00:10, Serial0/0
O E1    100.6.0.0 [110/84] via 172.12.123.1, 00:00:10, Serial0/0
O E1    100.7.0.0 [110/84] via 172.12.123.1, 00:00:10, Serial0/0
O E1    100.1.0.0 [110/84] via 172.12.123.1, 00:00:10, Serial0/0
O E1    100.2.0.0 [110/84] via 172.12.123.1, 00:00:10, Serial0/0
O E1    100.3.0.0 [110/84] via 172.12.123.1, 00:00:10, Serial0/0
3.0.0.0/32 is subnetted, 1 subnets
O IA    3.3.3.3 [110/65] via 172.12.123.3, 00:25:50, Serial0/0
4.0.0.0/32 is subnetted, 1 subnets
O IA    4.4.4.4 [110/66] via 172.12.123.3, 00:25:50, Serial0/0
5.0.0.0/32 is subnetted, 1 subnets
O IA    5.5.5.5 [110/66] via 172.12.123.1, 00:25:50, Serial0/0
172.12.0.0/24 is subnetted, 3 subnets
O IA    172.12.34.0 [110/65] via 172.12.123.3, 00:25:50, Serial0/0
O IA    172.12.15.0 [110/65] via 172.12.123.1, 00:25:51, Serial0/0
   172.16.0.0/22 is subnetted, 1 subnets
O IA    172.16.8.0 [110/65] via 172.12.123.1, 00:00:16, Serial0/0
R2#

I know you are wondering, wasn’t that just a bunch of external routes, that are now OSPF inter-Area routes? What’s the deal with that? Am I losing my mind and seeing things???

No. I had to add the 172.x.x.x networks to OSPF via the network command in router config mode for the first type of summarization to work, using the “area xx range …” command.

Now I am going to see if I can summarize these redistributed nets to make the route table easier to look at:

“R1(config-router)#summary-address 100.0.0.0 255.248.0.0”

Aaaaaaand back to R2, keep in mind this is only redistribution and summarization at this point in my network configuration:

R2#sh ip route ospf
1.0.0.0/32 is subnetted, 1 subnets
O IA    1.1.1.1 [110/65] via 172.12.123.1, 00:33:49, Serial0/0
   100.0.0.0/13 is subnetted, 1 subnets
O E1    100.0.0.0 [110/84] via 172.12.123.1, 00:00:16, Serial0/0
3.0.0.0/32 is subnetted, 1 subnets
O IA    3.3.3.3 [110/65] via 172.12.123.3, 00:33:49, Serial0/0
4.0.0.0/32 is subnetted, 1 subnets
O IA    4.4.4.4 [110/66] via 172.12.123.3, 00:33:49, Serial0/0
5.0.0.0/32 is subnetted, 1 subnets
O IA    5.5.5.5 [110/66] via 172.12.123.1, 00:33:49, Serial0/0
172.12.0.0/24 is subnetted, 3 subnets
O IA    172.12.34.0 [110/65] via 172.12.123.3, 00:33:49, Serial0/0
O IA    172.12.15.0 [110/65] via 172.12.123.1, 00:33:49, Serial0/0
172.16.0.0/22 is subnetted, 1 subnets
O IA    172.16.8.0 [110/65] via 172.12.123.1, 00:08:14, Serial0/0

And there it is, they are still redistributed connected routes, I did not add any 100.x.x.x networks to R1’s OSPF database via network commands. This brings up the very test worthy difference in OSPF summarization, that summarizing using the range command the routes must be entered into the OSPF DB but for the summary-address command it impacts ALL redistributed routes on the router AND CAN ONLY BE ISSUED ON AN ASBR AS IT DOES ONLY IMPACT REDISTRIBUTED ROUTES!

To further drive home summarization differences, in EIGRP you would summarize the route on the interface you want it broadcasted out, whereas OSPF summarization happens in router config mode no matter which way you enter it (be it area range or summary-address) and this is very important to distinguish and remember!

Ok, enough bold text, back to business. I jumped around to R5 and R4 to look at their route tables, because both are non-backbone routers connected by a Virtual-Link as previously configured, and they show the same summarized routes all around.

Now I know the drill with stub networks in OSPF, and the commands are going to decimate the route table to about nothing on my total stub, but my NSSA Total Stub for some reason allowed summary routes in last time and I’m not quite sure why. Couple of things:

  • To make a stub area, “area xx stub” must be entered on both routers, in this example those routers will be R3 and R4
  • Total Stub areas require adding “no-summary” to the stub command, and it only needs it on the Backbone router
  • Stub areas cannot contain Virtual-Links, as R3 reminded me here:

R3(config-router)#area 34 stub
% OSPF: Area cannot be a stub as it contains a virtual link
R3(config-router)#

So then we remove the Virtual-Link and add the stub command on R3:

R3(config-router)#no area 34 virtual-link 4.4.4.4
R3(config-router)#
*Mar  1 15:27:26.271: %OSPF-5-ADJCHG: Process 1, Nbr 4.4.4.4 on OSPF_VL0 from FULL to DOWN, Neighbor Down: Interface down or detached
R3(config-router)#
R3(config-router)#area 34 stub
R3(config-router)#
*Mar  1 15:28:22.115: %OSPF-5-ADJCHG: Process 1, Nbr 4.4.4.4 on FastEthernet0/1 from FULL to DOWN, Neighbor Down: Adjacency forced to reset
R3(config-router)#

So first we lost the Virtual-Link of course, but then it shows the neighbor going down and resetting the relationship, and it is staying that way:

R3(config-router)#do sh ip ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           1   FULL/DR         00:01:45    172.12.123.1    Serial0/2
4.4.4.4           1   DOWN/DROTHER       -        172.12.34.4     FastEthernet0/1   <- Not Cool

***One odd behavior I wanted to point out before moving on, is when configuring the virtual-link it will freak out with a repeating error until both sides are configured, but when I removed the command from R3 I went over to R4 and saw no repeating error messages flooding the console – Very interesting***

So I go to R4 which is not freaking out about the virtual-link as mentioned above, and issue the command as well to fix this relationship and make some neighbors form:

R4(config-router)#area 34 stub
% OSPF: Area cannot be a stub as it contains a virtual link
R4(config-router)#

And R4 says GTFO until this virtual-link config is removed, so even though the error wasn’t spamming, the configuration was on R4 and must be removed to create the stub. So I will go ahead and do that and see what we have for a route table on R4:

R4(config-router)#no area 34 virtual-link 3.3.3.3
R4(config-router)#area 34 stub
R4(config-router)#
*Dec 20 01:33:28.371: %OSPF-5-ADJCHG: Process 1, Nbr 3.3.3.3 on FastEthernet0/1 from LOADING to FULL, Loading Done
R4(config-router)#do sh ip ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
3.3.3.3           1   FULL/BDR        00:00:34    172.12.34.3     FastEthernet0/1
R4(config-router)#do sh ip route ospf
(Route codes redacted)

Gateway of last resort is 172.12.34.3 to network 0.0.0.0

O*IA  0.0.0.0/0 [110/2] via 172.12.34.3, 00:00:42, FastEthernet0/1
1.0.0.0/32 is subnetted, 1 subnets
O IA     1.1.1.1 [110/66] via 172.12.34.3, 00:00:42, FastEthernet0/1
2.0.0.0/32 is subnetted, 1 subnets
O IA     2.2.2.2 [110/66] via 172.12.34.3, 00:00:42, FastEthernet0/1
3.0.0.0/32 is subnetted, 1 subnets
O IA     3.3.3.3 [110/2] via 172.12.34.3, 00:00:42, FastEthernet0/1
5.0.0.0/32 is subnetted, 1 subnets
O IA     5.5.5.5 [110/67] via 172.12.34.3, 00:00:42, FastEthernet0/1
172.12.0.0/16 is variably subnetted, 4 subnets, 2 masks
O IA     172.12.15.0/24 [110/66] via 172.12.34.3, 00:00:42, FastEthernet0/1
O IA     172.12.123.0/24 [110/65] via 172.12.34.3, 00:00:42, FastEthernet0/1
172.16.0.0/22 is subnetted, 1 subnets
O IA     172.16.8.0 [110/66] via 172.12.34.3, 00:00:42, FastEthernet0/1
R4(config-router)#

So it came up maybe 1-2 seconds after issuing the stub command, and I see an O*IA route for the Stub Area itself we just configured, and now our Gateway of last resort (default route) is pointing at R3’s connected interface to R4. I will have to review what LSA types are being blocked at this point, the only route I see missing is the E1 (Redistributed) summary route, on top of adding that default route to the area.

Now to add no-summary to R3 and see what happens to R4’s route table:

R3(config-router)#no area 34 stub
*Mar  1 15:48:38.629: %OSPF-5-ADJCHG: Process 1, Nbr 4.4.4.4 on FastEthernet0/1 from FULL to DOWN, Neighbor Down: Adjacency forced to reset
R3(config-router)#area 34 stub no-summary
R3(config-router)#
*Mar  1 15:48:52.965: %OSPF-5-ADJCHG: Process 1, Nbr 4.4.4.4 on FastEthernet0/1 from DOWN to DOWN, Neighbor Down: Adjacency forced to reset
R3(config-router)#
*Mar  1 15:48:56.294: %OSPF-5-ADJCHG: Process 1, Nbr 4.4.4.4 on FastEthernet0/1 from LOADING to FULL, Loading Done
R3(config-router)#

So the adjacency popped right back up after adding the new stub command, let’s see what R4 looks like in terms of routes here:

R4#sh ip route ospf
(Route codes redacted)

Gateway of last resort is 172.12.34.3 to network 0.0.0.0

O*IA  0.0.0.0/0 [110/2] via 172.12.34.3, 00:01:17, FastEthernet0/1
R4#

Kaboom, this router knows only one thing, and that is all traffic is going to R3’s connected FastEthernet interface. Can we still ping other networks and get a response from them?

R4#ping 5.5.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/65/68 ms
R4#

We sure can. Speaking of cans, I am going to make Area 15 first an NSSA, then an NSSA Total Stub Area, and show the route table differences every step of the way as my finisher to this post.

Firstly, R5’s OSPF route table as it stands with no Stub or NSSA configs:

R5#sh ip route ospf
(Route codes redacted)

Gateway of last resort is not set

1.0.0.0/32 is subnetted, 1 subnets
O IA     1.1.1.1 [110/2] via 172.12.15.1, 02:41:59, FastEthernet0/1
2.0.0.0/32 is subnetted, 1 subnets
O IA     2.2.2.2 [110/66] via 172.12.15.1, 02:17:44, FastEthernet0/1
3.0.0.0/32 is subnetted, 1 subnets
O IA     3.3.3.3 [110/66] via 172.12.15.1, 00:10:12, FastEthernet0/1
100.0.0.0/13 is subnetted, 1 subnets
O E1     100.0.0.0 [110/21] via 172.12.15.1, 00:53:15, FastEthernet0/1
172.12.0.0/16 is variably subnetted, 4 subnets, 2 masks
O IA     172.12.34.0/24 [110/66] via 172.12.15.1, 00:06:13, FastEthernet0/1
O        172.12.123.0/24 [110/65] via 172.12.15.1, 02:41:59, FastEthernet0/1
172.16.0.0/22 is subnetted, 1 subnets
O IA     172.16.8.0 [110/2] via 172.12.15.1, 01:01:13, FastEthernet0/1
R5#

Looks about right, now I’ll remove the virtual-link and NSSA it:

R5(config-router)#no area 15 virtual-link 1.1.1.1
R5(config-router)#
*Dec 20 02:57:16.643: %OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.1 on OSPF_VL0 from FULL to DOWN, Neighbor Down: Interface down or detached
R5(config-router)#
ASR#1
[Resuming connection 1 to r1 … ]

R1(config-router)#
*Mar  1 15:00:44.560: %OSPF-5-ADJCHG: Process 1, Nbr 5.5.5.5 on OSPF_VL0 from FULL to DOWN, Neighbor Down: Interface down or detached
R1(config-router)#no area 15 virtual-link 5.5.5.5
R1(config-router)#area 15 nssa
R1(config-router)#
*Mar  1 15:01:07.193: %OSPF-5-ADJCHG: Process 1, Nbr 5.5.5.5 on FastEthernet0/1 from FULL to DOWN, Neighbor Down: Adjacency forced to reset
R1(config-router)#
ASR#5
[Resuming connection 5 to r5 … ]

R5(config-router)#do sh ip ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           1   FULL/BDR        00:00:06    172.12.15.1     FastEthernet0/1
R5(config-router)#do sh
*Dec 20 02:58:17.747: %OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.1 on FastEthernet0/1 from FULL to DOWN, Neighbor Down: Dead timer expired
R5(config-router)#do sh ip ospf nei

R5(config-router)#

No neighbors to speak of until I issue the area 15 nssa command on R5, one interesting thing was that the neighbor was DOWN as soon as we switched up the commands, however the OSPF neighbor table showed they were active neighbors until the dead timer expired.

So I then apply the nssa command to R5 and let’s see the route table:

R5(config-router)#do sh ip route ospf
(Route codes redacted)

Gateway of last resort is not set

1.0.0.0/32 is subnetted, 1 subnets
O IA     1.1.1.1 [110/2] via 172.12.15.1, 00:00:07, FastEthernet0/1
2.0.0.0/32 is subnetted, 1 subnets
O IA     2.2.2.2 [110/66] via 172.12.15.1, 00:00:07, FastEthernet0/1
3.0.0.0/32 is subnetted, 1 subnets
O IA     3.3.3.3 [110/66] via 172.12.15.1, 00:00:07, FastEthernet0/1
100.0.0.0/13 is subnetted, 1 subnets
O N1     100.0.0.0 [110/21] via 172.12.15.1, 00:00:07, FastEthernet0/1
172.12.0.0/16 is variably subnetted, 4 subnets, 2 masks
O IA     172.12.34.0/24 [110/66] via 172.12.15.1, 00:00:07, FastEthernet0/1
O IA     172.12.123.0/24 [110/65] via 172.12.15.1, 00:00:07, FastEthernet0/1
172.16.0.0/22 is subnetted, 1 subnets
O IA     172.16.8.0 [110/2] via 172.12.15.1, 00:00:07, FastEthernet0/1
R5(config-router)#

If the metric was its default type 2, you would see an N2 route instead of an N1, and if they weren’t summarized it would show all 7 networks as N2’s / N1’s. Now to make it an NSSA Total Stub on R1 to complete the configuration for tonight and look at R5’s route table.

Here is R1 going through the motions of UP and DOWN neighbors while configuring:

R1(config-router)#no area 15 nssa
R1(config-router)#area
*Mar  1 15:10:57.016: %OSPF-5-ADJCHG: Process 1, Nbr 5.5.5.5 on FastEthernet0/1 from FULL to DOWN, Neighbor Down: Adjacency forced to reset
R1(config-router)#area 15 nssa no-summary
R1(config-router)#
*Mar  1 15:11:14.072: %OSPF-5-ADJCHG: Process 1, Nbr 5.5.5.5 on FastEthernet0/1 from EXSTART to DOWN, Neighbor Down: Adjacency forced to reset
R1(config-router)#
*Mar  1 15:11:20.695: %OSPF-5-ADJCHG: Process 1, Nbr 5.5.5.5 on FastEthernet0/1 from LOADING to FULL, Loading Done
R1(config-router)#

And now over on R5 the OSPF route table looks a lot like this:

ASR#5
[Resuming connection 5 to r5 … ]

*Dec 20 03:07:57.875: %OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.1 on FastEthernet0/1 from LOADING to FULL, Loading Done
R5(config-router)#do sh ip route ospf
(Route codes redacted)

Gateway of last resort is 172.12.15.1 to network 0.0.0.0

O*IA  0.0.0.0/0 [110/2] via 172.12.15.1, 00:01:07, FastEthernet0/1
100.0.0.0/13 is subnetted, 1 subnets
O N1     100.0.0.0 [110/21] via 172.12.15.1, 00:01:07, FastEthernet0/1
R5(config-router)#

I remember last time it baffled me, as it still does, that this router is seeing the summary address of the redistributed routes. I know this is some type of behavior with NSSA Areas, but as of right now I am so brain dead fried from this I will stop here and write mem like a good future CCIE so I can pick up where I left off.
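As an added example (not part of the original lab notes), this Python script parses the three R5 `show ip route ospf` outputs above, maps each route code to the LSA type that carries it, and diffs the tables; it shows that `no-summary` strips only the Type 3 (`O IA`) routes while the Type 7 `O N1` summary learned via R1 stays. The route lines are copied from this page; function and variable names are illustrative.

```python
import re

# Route code -> LSA type that carries it (standard OSPF behaviour).
LSA_BY_CODE = {
    "O": "Type 1/2 intra-area",
    "O IA": "Type 3 inter-area summary",
    "O*IA": "Type 3 default route from the ABR",
    "O E1": "Type 5 external",
    "O E2": "Type 5 external",
    "O N1": "Type 7 NSSA external",
    "O N2": "Type 7 NSSA external",
}

# R5 route lines copied from this page (banner lines omitted).
R5_NO_STUB = """\
1.0.0.0/32 is subnetted, 1 subnets
O IA     1.1.1.1 [110/2] via 172.12.15.1, 02:41:59, FastEthernet0/1
2.0.0.0/32 is subnetted, 1 subnets
O IA     2.2.2.2 [110/66] via 172.12.15.1, 02:17:44, FastEthernet0/1
3.0.0.0/32 is subnetted, 1 subnets
O IA     3.3.3.3 [110/66] via 172.12.15.1, 00:10:12, FastEthernet0/1
100.0.0.0/13 is subnetted, 1 subnets
O E1     100.0.0.0 [110/21] via 172.12.15.1, 00:53:15, FastEthernet0/1
172.12.0.0/16 is variably subnetted, 4 subnets, 2 masks
O IA     172.12.34.0/24 [110/66] via 172.12.15.1, 00:06:13, FastEthernet0/1
O        172.12.123.0/24 [110/65] via 172.12.15.1, 02:41:59, FastEthernet0/1
172.16.0.0/22 is subnetted, 1 subnets
O IA     172.16.8.0 [110/2] via 172.12.15.1, 01:01:13, FastEthernet0/1
"""
R5_NSSA = """\
1.0.0.0/32 is subnetted, 1 subnets
O IA     1.1.1.1 [110/2] via 172.12.15.1, 00:00:07, FastEthernet0/1
2.0.0.0/32 is subnetted, 1 subnets
O IA     2.2.2.2 [110/66] via 172.12.15.1, 00:00:07, FastEthernet0/1
3.0.0.0/32 is subnetted, 1 subnets
O IA     3.3.3.3 [110/66] via 172.12.15.1, 00:00:07, FastEthernet0/1
100.0.0.0/13 is subnetted, 1 subnets
O N1     100.0.0.0 [110/21] via 172.12.15.1, 00:00:07, FastEthernet0/1
172.12.0.0/16 is variably subnetted, 4 subnets, 2 masks
O IA     172.12.34.0/24 [110/66] via 172.12.15.1, 00:00:07, FastEthernet0/1
O IA     172.12.123.0/24 [110/65] via 172.12.15.1, 00:00:07, FastEthernet0/1
172.16.0.0/22 is subnetted, 1 subnets
O IA     172.16.8.0 [110/2] via 172.12.15.1, 00:00:07, FastEthernet0/1
"""
R5_NSSA_NO_SUMMARY = """\
O*IA  0.0.0.0/0 [110/2] via 172.12.15.1, 00:01:07, FastEthernet0/1
100.0.0.0/13 is subnetted, 1 subnets
O N1     100.0.0.0 [110/21] via 172.12.15.1, 00:01:07, FastEthernet0/1
"""

HEADER = re.compile(r"^(\d+(?:\.\d+){3})/(\d+) is (?:variably )?subnetted")
ROUTE = re.compile(
    r"^O([* ]?)(IA|E1|E2|N1|N2)?\s+(\d+(?:\.\d+){3})(?:/(\d+))?\s+\[\d+/(\d+)\]"
)


def parse_routes(text):
    """Return {prefix: (route_code, metric)} from 'show ip route ospf' text."""
    routes, parent_len = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            # Child routes printed without a mask inherit this length.
            parent_len = header.group(2)
            continue
        m = ROUTE.match(line)
        if not m:
            continue
        flag, kind, addr, length, metric = m.groups()
        code = "O" + (flag or " ") + kind if kind else "O"
        routes[f"{addr}/{length or parent_len}"] = (code, int(metric))
    return routes


def diff_tables(before, after):
    """Classify how each prefix changed between two parsed tables."""
    removed = {p: before[p][0] for p in before if p not in after}
    added = {p: after[p][0] for p in after if p not in before}
    recoded = {p: (before[p][0], after[p][0]) for p in before
               if p in after and before[p][0] != after[p][0]}
    return {"removed": removed, "added": added, "recoded": recoded}


def filtered_lsa_types(before, after):
    """LSA types whose routes disappeared entirely after the change."""
    gone = {LSA_BY_CODE[c] for c in diff_tables(before, after)["removed"].values()}
    kept = {LSA_BY_CODE[code] for code, _ in after.values()}
    return sorted(gone - kept)


if __name__ == "__main__":
    base, nssa, total = map(parse_routes, (R5_NO_STUB, R5_NSSA, R5_NSSA_NO_SUMMARY))
    print("no stub -> nssa:", diff_tables(base, nssa))
    print("nssa -> nssa no-summary:", diff_tables(nssa, total))
    print("filtered by no-summary:", filtered_lsa_types(nssa, total))
```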

I know this is a repeat of a lot of information on my original post when studying, but I don’t think you can ever pound this material into your head enough, so now that my head has been pounded once again I will take my leave 🙂

ONE THING TO ADD DAG NAB IT:

When doing wr mem to all the routers, I got to R4 wondering if it would still be able to ping that loopback 5.5.5.5 on R5 our new NSSA Total stub and got this:

R4#ping 5.5.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R4#

Soggy cereal. It isn’t showing that it’s unreachable, but that it doesn’t have a return route (I believe) to R4 on an upstream router. This shall be investigated on my next session!

 

OSPF Basics came back almost instantly today, stubbys tomorrow, redistribution Sunday and I am caught up

I was going to only clean off my dry erase board for drawing out my topologies on the fly, and do a write erase on all routers for when I re-familiarized myself with OSPF, however like an IT nerd on a Friday night I decided to setup at least the NBMA routers R1 R2 and R3.

So I got those setup, which I tested NOT putting neighbor statements on the hub to confirm no routes propagated which of course didn’t, but after I turned on neighbors I saw neighbors forming and then they started flapping / I was getting flapping EIGRP links. I had completely forgotten in an NBMA network you need to get on that serial interface and issue the “ip ospf priority 0” on the spokes so they do not participate in the DR / BDR election.

So I did that on the spoke interfaces, clear ip ospf proc all around, and adjacencies eventually formed after I think a minute is the hello timer – It took forever.

So I got frisky and setup the router 5 which I was finally able to find the correct cable and it came right up, configured it with lo5 interface advertising 5.5.5.5 network across the NBMA. Then I get even bolder and got on R4 and added that on there, which I know will require a virtual-link to get its loopback to propagate because any router without an interface in area 0 needs a virtual-link configured to a router with an interface in area 0.

So I threw the config in on both sides along with the ospf networks, not sweating it at all, but I’m not seeing either side freak out with errors after I configured the first side (as it always will start throwing tons of errors until you configure the other end). So I get on R3 also with no errors, and I’m sure I’ve got it right using “area 34 virtual-link 4.4.4.4” on R3 in router config and the same on R4 using 3.3.3.3, then I figured out my mistake.

I had not even plugged in the two Ethernet interfaces with a cable. After cabling together:

*Mar  1 13:37:46.633: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
R3#show ip ospf virtual-links
Virtual Link OSPF_VL0 to router 4.4.4.4 is down
Run as demand circuit
DoNotAge LSA allowed.
Transit area 34, Cost of using 65535
Transmit Delay is 1 sec, State DOWN,
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
R3#
*Mar  1 13:38:30.137: %OSPF-5-ADJCHG: Process 1, Nbr 4.4.4.4 on FastEthernet0/1 from LOADING to FULL, Loading Done
R3#
*Mar  1 13:38:45.157: %OSPF-5-ADJCHG: Process 1, Nbr 4.4.4.4 on OSPF_VL0 from LOADING to FULL, Loading Done
R3#show ip ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
4.4.4.4           0   FULL/  -           -        172.12.34.4     OSPF_VL0
1.1.1.1           1   FULL/DR         00:01:57    172.12.123.1    Serial0/2
4.4.4.4           1   FULL/DR         00:00:39    172.12.34.4     FastEthernet0/1

So I decided I am officially too fried for any further labbing to be useful / stick in my brain, however I am now to a point where I can make some stub networks tomorrow, and setup redistribution for Sunday or possibly save it until Monday then I am back to where I left off with Route-Maps.

I think anything ACL or NAT related is my kryptonite, and I think it’s because that is half my day at work doing it on Firewalls, so my brain for some reason does not want to learn the CCNP way of doing things for some odd reason. The psyche is a strange thing.

Stubbies next tomorrow, going to wr mem now before I forget!

EDIT:
I didn’t see 5.5.5.5 on R4’s route table, and forgot that the last I remember area 15 it was an NSSA total stub, so I added the virtual-link command on R5 and this is the freak out message I mentioned earlier:

*Mar  1 13:13:28.169: %OSPF-4-ERRRCV: Received invalid packet: mismatch area ID, from backbone area must be virtual-link but not found from 172.12.15.5, FastEthernet0/1

It will keep repeating that until I enter “area 15 virtual-link 5.5.5.5” on R1, as seen in this output:

R1(config-router)#
*Mar  1 13:16:29.983: %OSPF-4-ERRRCV: Received invalid packet: mismatch area ID, from backbone area must be virtual-link but not found from 172.12.15.5, FastEthernet0/1
R1(config-router)#area 15 virtual-link 5.5.5.5
R1(config-router)#
*Mar  1 13:16:39.310: %OSPF-5-ADJCHG: Process 1, Nbr 5.5.5.5 on OSPF_VL0 from LOADING to FULL, Loading Done

And now finally so I can live with myself knowing my lab is squared away:

R4#sh ip route ospf
(Route codes redacted)

Gateway of last resort is not set

1.0.0.0/32 is subnetted, 1 subnets
O IA     1.1.1.1 [110/66] via 172.12.34.3, 00:31:23, FastEthernet0/1
2.0.0.0/32 is subnetted, 1 subnets
O IA     2.2.2.2 [110/66] via 172.12.34.3, 00:31:23, FastEthernet0/1
3.0.0.0/32 is subnetted, 1 subnets
O IA     3.3.3.3 [110/2] via 172.12.34.3, 00:31:23, FastEthernet0/1
5.0.0.0/32 is subnetted, 1 subnets
O IA     5.5.5.5 [110/67] via 172.12.34.3, 00:01:40, FastEthernet0/1
172.12.0.0/16 is variably subnetted, 4 subnets, 2 masks
O IA     172.12.15.0/24 [110/66] via 172.12.34.3, 00:31:23, FastEthernet0/1
O        172.12.123.0/24 [110/65] via 172.12.34.3, 00:31:23, FastEthernet0/1

BAM! It took two virtual-links but R4 can now communicate with R5.

I am officially fried now, and must stop myself from labbing more, signing off now.

Finished EIGRP refresher, found good info for passive-int via debug eigrp pack, quick stub routing confusion

I wanted to quickly attack a few points tonight as I am mentally dead between working and studying simultaneously.

One thing I found amazingly interesting when familiarizing myself with debug output for “debug eigrp packets” especially with passive interfaces, is that the loopback interface is creating as much if not more unneeded output than the Fa0/0 interface I am trying to prove is wasting CPU:

R2#debug eigrp pack
EIGRP Packets debugging is on
(UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
R2#
*Mar  1 09:57:49.767: EIGRP: Sending HELLO on Serial0/0
*Mar  1 09:57:49.767:   AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Mar  1 09:57:49.972: EIGRP: Sending HELLO on FastEthernet0/0
*Mar  1 09:57:49.972:   AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Mar  1 09:57:50.120: EIGRP: Sending HELLO on Loopback2
*Mar  1 09:57:50.120:   AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Mar  1 09:57:50.120: EIGRP: Received HELLO on Loopback2 nbr 2.2.2.2
*Mar  1 09:57:50.124:   AS 100, Flags 0x0, Seq 0/0 idbQ 0/0
*Mar  1 09:57:50.124: EIGRP: Packet from ourselves ignored
R2#
*Mar  1 09:57:51.991: EIGRP: Received HELLO on FastEthernet0/0 nbr 172.12.23.3
*Mar  1 09:57:51.995:   AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
*Mar  1 09:57:54.439: EIGRP: Sending HELLO on FastEthernet0/0
*Mar  1 09:57:54.439:   AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Mar  1 09:57:54.956: EIGRP: Sending HELLO on Loopback2
*Mar  1 09:57:54.956:   AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Mar  1 09:57:54.956: EIGRP: Received HELLO on Loopback2 nbr 2.2.2.2
*Mar  1 09:57:54.960:   AS 100, Flags 0x0, Seq 0/0 idbQ 0/0
*Mar  1 09:57:54.960: EIGRP: Packet from ourselves ignored

THOSE LOOPBACK ADDRESSES ARE SENDING AND RECEIVING UNNECESSARY TRAFFIC EVERY 5 SECONDS, THAT IS A CPU CRIME, AND I WILL NOT STAND FOR IT!

The idea is, you don’t want interfaces that have no EIGRP-speaking routers on them sending EIGRP traffic, as it wastes CPU resources. I ran “debug eigrp pack” like I did in my training video, but on my equipment it showed that not only the Fa0/0 LAN portion that doesn’t need traffic on it is sending Hellos every 5 seconds, but SO ARE THE LOOPBACK INTERFACES – And they even have an Ignore-Self-Traffic message at the end which makes you wonder WHY WOULD YOU EVEN SEND IT TO YOURSELF IN THE FIRST PLACE?!?

However, the above output shows the one humble Hello from the Serial Interface, then Loopback and FastEthernet traffic every 5 seconds on the dot, though I didn’t post the full output as fun as it is to read (but did color code the snapshot of output to make it clear the atrocity Loopback2 is committing). So I got into router config, passive-interface both fa0/0 and lo2 / lo3 on my spoke routers and life is good.
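Added example (not from the original post): a Python script that tallies the `debug eigrp packets` lines above per interface and separates interfaces that only hear their own hellos from those where a real neighbor answered. The debug lines are copied from this page; function names are illustrative. `passive-interface` stops hellos in both directions, so applying it where a neighbor was seen also removes that adjacency.

```python
import re

# 'debug eigrp packets' lines copied from R2's output on this page.
DEBUG_OUTPUT = """\
*Mar  1 09:57:49.767: EIGRP: Sending HELLO on Serial0/0
*Mar  1 09:57:49.767:   AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Mar  1 09:57:49.972: EIGRP: Sending HELLO on FastEthernet0/0
*Mar  1 09:57:49.972:   AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Mar  1 09:57:50.120: EIGRP: Sending HELLO on Loopback2
*Mar  1 09:57:50.120:   AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Mar  1 09:57:50.120: EIGRP: Received HELLO on Loopback2 nbr 2.2.2.2
*Mar  1 09:57:50.124:   AS 100, Flags 0x0, Seq 0/0 idbQ 0/0
*Mar  1 09:57:50.124: EIGRP: Packet from ourselves ignored
R2#
*Mar  1 09:57:51.991: EIGRP: Received HELLO on FastEthernet0/0 nbr 172.12.23.3
*Mar  1 09:57:51.995:   AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
*Mar  1 09:57:54.439: EIGRP: Sending HELLO on FastEthernet0/0
*Mar  1 09:57:54.439:   AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Mar  1 09:57:54.956: EIGRP: Sending HELLO on Loopback2
*Mar  1 09:57:54.956:   AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Mar  1 09:57:54.956: EIGRP: Received HELLO on Loopback2 nbr 2.2.2.2
*Mar  1 09:57:54.960:   AS 100, Flags 0x0, Seq 0/0 idbQ 0/0
*Mar  1 09:57:54.960: EIGRP: Packet from ourselves ignored
"""

HELLO = re.compile(r"EIGRP: (Sending|Received) HELLO on (\S+)(?: nbr (\S+))?")
FROM_SELF = "EIGRP: Packet from ourselves ignored"


def hello_stats(text):
    """Per interface: hellos sent, own hellos heard back, real neighbors."""
    stats = {}
    last_rx = None  # (interface, neighbor) of the latest received hello
    for line in text.splitlines():
        m = HELLO.search(line)
        if m:
            direction, intf, nbr = m.groups()
            entry = stats.setdefault(
                intf, {"sent": 0, "self": 0, "neighbors": set()})
            if direction == "Sending":
                entry["sent"] += 1
                last_rx = None
            else:
                entry["neighbors"].add(nbr)
                last_rx = (intf, nbr)
        elif FROM_SELF in line and last_rx:
            # The router flagged the hello it just received as its own.
            intf, nbr = last_rx
            stats[intf]["neighbors"].discard(nbr)
            stats[intf]["self"] += 1
            last_rx = None
    return stats


def classify(stats):
    """Label each interface by what the capture shows arriving on it."""
    verdicts = {}
    for intf, s in stats.items():
        if s["neighbors"]:
            verdicts[intf] = "neighbor seen: " + ", ".join(sorted(s["neighbors"]))
        elif s["self"]:
            verdicts[intf] = "self only"
        else:
            # A short capture can miss a neighbor with a longer hello interval.
            verdicts[intf] = "nothing received in capture"
    return verdicts


if __name__ == "__main__":
    for intf, verdict in classify(hello_stats(DEBUG_OUTPUT)).items():
        print(f"{intf:16} {verdict}")
```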

Summary routes cannot get a whole lot more straightforward, you do have to remember to enter all the different networks into EIGRP via the network command, and then the single statement on the interface to advertise the networks from. In my case I made loopbacks for networks 100.1.0.0 – 100.7.0.0 /24, which summarization math turns to 100.0.0.0 /13, then on interface S0/0 entered:

R1(config-if)#ip summary-address eigrp 100 100.0.0.0 255.248.0.0
R1(config-if)#
*Mar  1 12:12:03.411: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 172.12.123.3 (Serial0/0) is resync: summary configured
*Mar  1 12:12:03.411: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 172.12.123.2 (Serial0/0) is resync: summary configured
R1(config-if)#

However I did learn after going to R2 and doing ‘sh ip route’ that it will not show the summary route without the networks being entered into EIGRP configuration. Also to note of course to see its Summary address of 5 you must be on the router with the summary address configured, and type in “show ip route 100 100.0.0.0 255.248.0.0” or in the “show run” it will show the number 5 after the summary address in the configuration.
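Added example, not from the original post: the summarization math behind the OSPF `area 80 range 172.16.8.0 255.255.252.0` and `summary-address 100.0.0.0 255.248.0.0` commands and the EIGRP `ip summary-address` above, in Python. It also lists the address space a summary claims that no component network backs, which is what the `Null0` summary route in R1's table on this page catches; prefix lengths are taken from the route tables on this page and the function names are illustrative.

```python
import ipaddress

# Component networks as they appear in the route tables on this page.
LOOPBACKS = [f"100.{n}.0.0/16" for n in range(1, 8)]    # 100.1 - 100.7
LANS = [f"172.16.{n}.0/24" for n in range(8, 12)]       # 172.16.8 - .11


def summary_for(prefixes):
    """Smallest single IPv4 prefix that contains every given prefix."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    low = min(int(n.network_address) for n in nets)
    high = max(int(n.broadcast_address) for n in nets)
    # Bits that differ between the lowest and highest address cannot be
    # part of the shared prefix; everything left of them can.
    host_bits = (low ^ high).bit_length()
    base = (low >> host_bits) << host_bits
    return ipaddress.ip_network((base, 32 - host_bits))


def uncovered(summary, prefixes):
    """Blocks inside the summary that no component network backs."""
    gaps = [summary]
    for net in map(ipaddress.ip_network, prefixes):
        remaining = []
        for gap in gaps:
            if gap.subnet_of(net):          # gap fully covered by net
                continue
            if net.subnet_of(gap):          # carve net out of the gap
                remaining.extend(gap.address_exclude(net))
            else:
                remaining.append(gap)
        gaps = remaining
    return sorted(gaps)


def forwarding_decision(dst, summary, prefixes):
    """Where the summarizing router sends dst: a component, Null0, or None."""
    addr = ipaddress.ip_address(dst)
    matches = [n for n in map(ipaddress.ip_network, prefixes) if addr in n]
    if matches:
        return str(max(matches, key=lambda n: n.prefixlen))  # longest match
    # Covered by the summary only: the Null0 summary route discards it.
    return "Null0 (discard)" if addr in summary else None


if __name__ == "__main__":
    for name, comps in (("loopbacks", LOOPBACKS), ("LANs", LANS)):
        s = summary_for(comps)
        gaps = [str(g) for g in uncovered(s, comps)]
        print(f"{name}: {s} mask {s.netmask} unbacked: {gaps}")
    loop_summary = summary_for(LOOPBACKS)
    print(forwarding_decision("100.0.5.1", loop_summary, LOOPBACKS))
```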

The following will be some pretty boring output to most, but this is going to be me making the two spokes R2 and R3 stub routers in this EIGRP network, and I’m just going to throw the chunks of info up and go through the output after it, and it’s for both routers so it should be a large chunk of output:

R3(config-router)#eigrp stub
R3(config-router)#
*Mar  1 13:36:58.257: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 172.12.123.1 (Serial0/2) is down: peer info changed
R3(config-router)#
R3(config-router)#do sh ip route
(Route codes redacted)

Gateway of last resort is not set

3.0.0.0/32 is subnetted, 1 subnets
C       3.3.3.3 is directly connected, Loopback3
172.12.0.0/24 is subnetted, 2 subnets
C       172.12.23.0 is directly connected, FastEthernet0/0
C       172.12.123.0 is directly connected, Serial0/2
R3(config-router)#
*Mar  1 13:37:07.364: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 172.12.123.1 (Serial0/2) is up: new adjacency
R3(config-router)#do sh ip route
(Route codes redacted)

Gateway of last resort is not set

1.0.0.0/32 is subnetted, 1 subnets
D       1.1.1.1 [90/2297856] via 172.12.123.1, 00:00:08, Serial0/2
2.0.0.0/32 is subnetted, 1 subnets
D       2.2.2.2 [90/2809856] via 172.12.123.1, 00:00:08, Serial0/2
100.0.0.0/13 is subnetted, 1 subnets
D       100.0.0.0 [90/2297856] via 172.12.123.1, 00:00:08, Serial0/2
3.0.0.0/32 is subnetted, 1 subnets
C       3.3.3.3 is directly connected, Loopback3
172.12.0.0/24 is subnetted, 2 subnets
C       172.12.23.0 is directly connected, FastEthernet0/0
C       172.12.123.0 is directly connected, Serial0/2
R3(config-router)#

So it took a hit on its neighbor relationships by about 10 seconds given the timestamps on the output, and it still has all EIGRP routes it should, let us see R1’s ‘sh ip route’ output:

R1#sh ip route
(Route codes redacted)

Gateway of last resort is not set

1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback1
2.0.0.0/32 is subnetted, 1 subnets
D       2.2.2.2 [90/2297856] via 172.12.123.2, 00:35:53, Serial0/0
100.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
C       100.4.0.0/16 is directly connected, Loopback104
C       100.5.0.0/16 is directly connected, Loopback105
C       100.6.0.0/16 is directly connected, Loopback106
C       100.7.0.0/16 is directly connected, Loopback107
D       100.0.0.0/13 is a summary, 00:34:06, Null0
C       100.1.0.0/16 is directly connected, Loopback101
C       100.2.0.0/16 is directly connected, Loopback102
C       100.3.0.0/16 is directly connected, Loopback103
3.0.0.0/32 is subnetted, 1 subnets
D       3.3.3.3 [90/2297856] via 172.12.123.3, 00:05:02, Serial0/0
172.12.0.0/24 is subnetted, 2 subnets
D       172.12.23.0 [90/2172416] via 172.12.123.3, 00:05:02, Serial0/0
[90/2172416] via 172.12.123.2, 00:05:02, Serial0/0
C       172.12.123.0 is directly connected, Serial0/0
R1#

Both Loopbacks and the LAN network are still there, it is unaffected by the Stub command on R2 which it should be. However it is taught that two stubs on the same network cannot form an EIGRP adjacency, so I am looking forward to what sort of mess that will cause making that a stub next. Here is the change output from R3:

R3(config-router)#eigrp stub
R3(config-router)#^Z
R3#
*Mar  1 13:47:03.966: %SYS-5-CONFIG_I: Configured from console by console
R3#show ip route
(Route codes redacted)

Gateway of last resort is not set

1.0.0.0/32 is subnetted, 1 subnets
D       1.1.1.1 [90/2297856] via 172.12.123.1, 00:10:02, Serial0/2
2.0.0.0/32 is subnetted, 1 subnets
D       2.2.2.2 [90/2809856] via 172.12.123.1, 00:10:02, Serial0/2
100.0.0.0/13 is subnetted, 1 subnets
D       100.0.0.0 [90/2297856] via 172.12.123.1, 00:10:02, Serial0/2
3.0.0.0/32 is subnetted, 1 subnets
C       3.3.3.3 is directly connected, Loopback3
172.12.0.0/24 is subnetted, 2 subnets
C       172.12.23.0 is directly connected, FastEthernet0/0
C       172.12.123.0 is directly connected, Serial0/2

I was fully expecting to lose a route or see some DUAL DON’T PLAY THAT HOMIE console messages, but I got nothing when making that stub change, all routes are as they should be. Then I started to think of the wording, an adjacency is a neighbor relationship:

R3#show ip eigrp nei
IP-EIGRP neighbors for process 100
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   172.12.123.1            Se0/2            154 00:11:31   58   348  0  19

So to test if that is correct I will take off stub routing quick, I jumped on both spoke routers, and removed the stub routing command from EIGRP but they still only showed R1 as their only EIGRP neighbor, so I decided to turn off passive-interface to see if it’s something with the NBMA network and if the LAN would allow the neighborship to form:

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#router eigrp 100
R2(config-router)#no passive-interface fa0/0
R2(config-router)#
ASR#3
[Resuming connection 3 to r3 … ]

*Mar  1 13:52:48.543: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 172.12.123.1 (Serial0/2) is up: new adjacency
R3(config-router)#no passive-interface fa0/0
R3(config-router)#
*Mar  1 13:56:39.530: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 172.12.23.2 (FastEthernet0/0) is up: new adjacency
R3(config-router)#^Z
R3#
*Mar  1 13:56:46.745: %SYS-5-CONFIG_I: Configured from console by console
R3#sh ip eigrp nei
IP-EIGRP neighbors for process 100
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
1   172.12.23.2             Fa0/0             14 00:00:19   10   200  0  22
0   172.12.123.1            Se0/2            160 00:04:10   50   300  0  26
R3#

And immediately we are all neighbors again, so that proved it was something to do with the Hub and Spoke / NBMA nature of the network. So I will leave those passive, so my spokes can have more than one neighbor to say Hello to, though those Loopbacks shall stay suppressed.

I still need to try getting ip default-network to propagate to my spoke routers, but I am officially 100% fried on networking for today, I’ll have a micro-segment regarding that if I get to it before some OSPF re-labbing 🙂

Some things I know I will forget again, lots of bullet points, like the ‘in a can’ posts

eigrp_topology_12_14_2016

Above is the following topology I have created, all interfaces on the NBMA are on the 172.12.123.0 /24 subnet and the LAN section will be 172.12.23.0 /24 with all interfaces aside from loopbacks having the router # as the 4th octet IP address.

Upon going through even basic EIGRP setup videos over an NBMA network, there were some concepts I let slip, so I’ll kind of be doing a point by point here of those for myself:

  • EIGRP Hub and Spoke will not advertise routes due to Split-Horizon, you can flat out disable it on the Hub at the interface level with “no ip split eigrp (AS #)”, may drop adjacencies. You can also break the Hub’s interface up into sub-interfaces, I will try to get the info on making sub-int’s posted
  • For OSPF to form adjacencies over an NBMA, you need ‘neighbor xx.xx.xx.xx’ address in router config mode, EIGRP DOES NOT REQUIRE NEIGHBOR STATEMENTS ON THE HUB(S) IN HUB AND SPOKE NETWORKS, ONLY OSPF
  • EIGRP Route table shows route paths being used from the Topology table as Successor routes, Topology table shows Successor and Feasible Successor paths, Neighbor tables shows random info about neighbors (peer addy, uptime, etc)
  • DUAL is the algorithm that runs throughout the EIGRP network, querying for a loop-free path to a destination network, if no path is found route goes ‘Stuck in Active’
  • By default EIGRP load balances up to 4 paths to a destination if their FD’s match, unless you use the Variance command in router config to multiply the acceptable FD for a route to be brought into the route table, but it WILL NOT change the FD #
  • “sh ip eigrp int detail” will give a lot of good output, including authentication info
  • Hello / Hold timers are set on the interface, “ip hello-interval eigrp (AS #) #” / “ip hold-time eigrp (AS #) #”
  • UNLIKE OSPF WHERE DEAD TIME DYNAMICALLY ADJUSTS IF THE HELLO TIME IS CHANGED, THE HOLD TIME WILL NOT DYNAMICALLY CHANGE IN EIGRP
  • Only need to agree on AS # and K Values to form adjacency
  • Feasibility Condition = Is the FS’s Advertised Distance lower than the Successor’s Feasible Distance? It is that easy.
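
The Successor / Feasible Successor / Variance bullets above, worked through as an added Python example (not from the original post or from any router output). The metrics, the 192.0.2.9 next hop, and the names `Path` and `classify` are constructed for illustration, and the variance test assumes the alternate path's metric must be strictly less than FD × variance.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Path:
    next_hop: str   # neighbor advertising the route
    metric: int     # total metric to the destination through that neighbor
    reported: int   # that neighbor's own Advertised Distance (AD)


def classify(paths, variance=1, max_paths=4):
    """Pick Successor, Feasible Successors and installed routes for one destination."""
    if not paths:
        raise ValueError("no paths in the topology table for this destination")
    if variance < 1:
        raise ValueError("variance is a multiplier of 1 or more")
    fd = min(p.metric for p in paths)  # Feasible Distance = best metric
    successors = [p for p in paths if p.metric == fd]
    # Feasibility Condition: the neighbor's AD must be lower than our FD.
    feasible = [p for p in paths if p.metric > fd and p.reported < fd]
    # Variance widens the acceptable metric for Feasible Successors only;
    # the FD itself is never changed by it (assumed strict less-than test).
    extra = sorted((p for p in feasible if p.metric < fd * variance),
                   key=lambda p: p.metric)
    installed = (successors + extra)[:max_paths]  # default cap of 4 paths
    return {
        "fd": fd,
        "successors": [p.next_hop for p in successors],
        "feasible_successors": [p.next_hop for p in feasible],
        "installed": [p.next_hop for p in installed],
    }


# Constructed topology-table entries for a single destination (not from the lab).
SAMPLE = [
    Path("172.12.123.1", metric=2000, reported=1000),  # best metric -> Successor
    Path("172.12.23.2", metric=3500, reported=1500),   # AD 1500 < FD 2000 -> FS
    Path("192.0.2.9", metric=3000, reported=2500),     # AD 2500 >= FD -> fails FC
]

if __name__ == "__main__":
    for v in (1, 2, 3):
        print(v, classify(SAMPLE, variance=v))
```

Note that 192.0.2.9 has a better metric than the Feasible Successor but is never installed at any variance, because it fails the Feasibility Condition.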

I only slipped a bit getting the spokes (R2, R3) to see each other’s loopbacks of 2.2.2.2 and 3.3.3.3, and caught myself already missing an important part of the configuration – turning off split horizon on the Hub’s interface in the EIGRP domain. I know I have done this before by making the single physical interface into multiple sub-interfaces but I cannot recall how, but I assume along the way to certification I’ll figure out why. Next will be playing with advanced stuff like Variance, K Weights, and Authentication before moving onto OSPF.

I would like to wrap up getting my CCNP before I have to deal with moving in July / August so June is my unofficial deadline for everything to be done. I am thinking ROUTE by end of February, Switch by end of May, and TSHOOT somewhere in June.