OSPF: DEEP Dives into Summarization methods, Authentication, Default-Information Originate (Always)!


Since I already have the lab configured with different OSPF Area’s, and we had a riveting exploration into the world of LSA’s and the LS DB of each router, I wanted to hit some other topics again thoroughly before I switch up protocols for more DEEP Dives into all things CCNP ROUTE related!

Without further ado!


OSPF Route Summarization


We have two options for route summarization in OSPF, as it does not auto-summarize at classful borders the way RIP or EIGRP do, and those are:

  • “area x range (summary network) (summary mask)” – This is only to be used on ABR routers!
  • “summary-address (summary network) (summary mask)” – This is only to be used on ASBR’s doing redistribution for the networks being summarized!

The “… range …” command is used to summarize routes in Area x, where x is the Area containing the routes; the ABR then floods the summary as a Type 3 LSA throughout the network wherever Type 3 LSA’s are allowed – Requires the networks to be entered into OSPF configuration via the “network” statement

The “summary-address …” command is used for routes being redistributed into OSPF, so the routes making up the summary must exist on the ASBR and be redistributed by it – Does not require the routes to be entered into OSPF configuration via “network …” statements (because we are summarizing redistributed routes!)

Both of these are configured in OSPF router configuration mode, not an interface!

First I’ll start with the Range method on the ABR R1:

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#interface Loopback101
R1(config-if)# ip address 100.1.0.1 255.255.0.0
R1(config-if)#interface Loopback102
R1(config-if)# ip address 100.2.0.1 255.255.0.0
R1(config-if)#interface Loopback103
R1(config-if)# ip address 100.3.0.1 255.255.0.0
R1(config-if)#interface Loopback104
R1(config-if)# ip address 100.4.0.1 255.255.0.0
R1(config-if)#interface Loopback105
R1(config-if)# ip address 100.5.0.1 255.255.0.0
R1(config-if)#interface Loopback106
R1(config-if)# ip address 100.6.0.1 255.255.0.0
R1(config-if)#interface Loopback107
R1(config-if)# ip address 100.7.0.1 255.255.0.0
*Apr 26 20:08:20.743: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback101, changed state to up
*Apr 26 20:08:20.815: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback102, changed state to up
*Apr 26 20:08:20.959: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback103, changed state to up
*Apr 26 20:08:21.031: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback104, changed state to up
*Apr 26 20:08:21.107: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback105, changed state to up
*Apr 26 20:08:21.183: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback106, changed state to up
R1(config-if)# ip address 100.7.0.1 255.255.0.0
*Apr 26 20:08:21.223: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback107, changed state to up
R1(config-if)#exit
R1(config)#router ospf 1
R1(config-router)#network 100.1.0.0 0.0.255.255 area 100
R1(config-router)#network 100.2.0.0 0.0.255.255 area 100
R1(config-router)#network 100.3.0.0 0.0.255.255 area 100
R1(config-router)#network 100.4.0.0 0.0.255.255 area 100
R1(config-router)#network 100.5.0.0 0.0.255.255 area 100
R1(config-router)#network 100.6.0.0 0.0.255.255 area 100
R1(config-router)#network 100.7.0.0 0.0.255.255 area 100
R1(config-router)#area 100 range 100.0.0.0 255.248.0.0
R1(config-router)#^Z
R1#wr
Building configuration…

So that is it for this command, however a couple bullet points on it:

  • The routes must be directly connected to the router to perform summarization
  • The routes must be entered into OSPF via “network …” statements individually first
  • This must be performed on an ABR (Area Border Router)
  • The Area specified in the range command must be that containing the routes to be summarized

So let’s verify the summary route is propagating and get moving on our other summarization method:

R3#sh ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O IA    1.1.1.1 [110/65] via 172.12.123.1, 00:34:02, Serial0/2
     2.0.0.0/32 is subnetted, 1 subnets
O IA    2.2.2.2 [110/65] via 172.12.123.2, 00:34:02, Serial0/2
     100.0.0.0/13 is subnetted, 1 subnets
O IA    100.0.0.0 [110/65] via 172.12.123.1, 00:08:26, Serial0/2
     4.0.0.0/32 is subnetted, 1 subnets
O       4.4.4.4 [110/2] via 172.12.34.4, 00:36:57, FastEthernet0/1
     55.0.0.0/24 is subnetted, 1 subnets
O E1    55.5.5.0 [110/85] via 172.12.123.1, 00:08:21, Serial0/2
     5.0.0.0/32 is subnetted, 1 subnets
O E1    5.5.5.5 [110/85] via 172.12.123.1, 00:08:21, Serial0/2
     172.12.0.0/24 is subnetted, 4 subnets
O IA    172.12.15.0 [110/65] via 172.12.123.1, 00:34:02, Serial0/2
     22.0.0.0/32 is subnetted, 1 subnets
O       22.2.2.2 [110/65] via 172.12.123.2, 00:34:02, Serial0/2
     11.0.0.0/32 is subnetted, 1 subnets
O       11.1.1.1 [110/65] via 172.12.123.1, 00:34:02, Serial0/2
R3#

And to show its LSA Type 3:

R3#sh ip ospf data

            OSPF Router with ID (33.3.3.3) (Process ID 1)

         
                Summary Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
1.1.1.1         11.1.1.1        864         0x80000002 0x00EA3E
2.2.2.2         22.2.2.2        471         0x80000002 0x0044D2
3.3.3.3         33.3.3.3        567         0x80000002 0x009D67
4.4.4.4         33.3.3.3        567         0x80000002 0x007986
100.0.0.0       11.1.1.1        840         0x80000001 0x00E5EA
172.12.15.0     11.1.1.1        604         0x80000004 0x001A49
172.12.34.0     33.3.3.3        571         0x80000002 0x005BDA

So there it is, we’ll hop into our Total-Stub NSSA to configure our Summary-Address command, as that is already Redistributing connected routes:

R5#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R5(config)#int lo8
R5(config-if)#ip add 172.16.8.1 255.255.255.0
R5(config-if)#int lo9
R5(config-if)#ip add 172.16.9.1 255.255.255.0
R5(config-if)#int lo10
R5(config-if)#ip add 172.16.10.1 255.255.255.0
R5(config-if)#int lo11
R5(config-if)#ip add 172.16.11.1 255.255.255.0
R5(config-if)#
R5(config-if)#
*Mar 31 20:29:11.031: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback8, changed state to up
*Mar 31 20:29:11.176: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback9, changed state to up
*Mar 31 20:29:11.216: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback10, changed state to up
*Mar 31 20:29:11.252: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback11, changed state to up
R5(config-if)#router ospf 1
R5(config-router)#summary-address 172.16.8.0 255.255.252.0
R5(config-router)#^Z
R5#wr
Building configuration…

That should be it for that; this time let’s see how R2 sees both of these summary routes:

R2#sh ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O IA    1.1.1.1 [110/65] via 172.12.123.1, 00:48:59, Serial0/0
     100.0.0.0/13 is subnetted, 1 subnets
O IA    100.0.0.0 [110/65] via 172.12.123.1, 00:23:33, Serial0/0
     33.0.0.0/32 is subnetted, 1 subnets
O       33.3.3.3 [110/65] via 172.12.123.3, 00:48:59, Serial0/0
     3.0.0.0/32 is subnetted, 1 subnets
O IA    3.3.3.3 [110/65] via 172.12.123.3, 00:48:59, Serial0/0
     4.0.0.0/32 is subnetted, 1 subnets
O IA    4.4.4.4 [110/66] via 172.12.123.3, 00:48:59, Serial0/0
     55.0.0.0/24 is subnetted, 1 subnets
O E1    55.5.5.0 [110/85] via 172.12.123.1, 00:23:28, Serial0/0
     5.0.0.0/32 is subnetted, 1 subnets
O E1    5.5.5.5 [110/85] via 172.12.123.1, 00:23:28, Serial0/0
     172.12.0.0/24 is subnetted, 4 subnets
O IA    172.12.34.0 [110/65] via 172.12.123.3, 00:48:59, Serial0/0
O IA    172.12.15.0 [110/65] via 172.12.123.1, 00:48:59, Serial0/0
     172.16.0.0/22 is subnetted, 1 subnets
O E1    172.16.8.0 [110/85] via 172.12.123.1, 00:01:47, Serial0/0
     11.0.0.0/32 is subnetted, 1 subnets
O       11.1.1.1 [110/65] via 172.12.123.1, 00:49:00, Serial0/0
R2#

There is our “range” made summary on ABR R1, and there is our “summary-address” summary configured on our ASBR, working exactly as they should.

One more important note about either method before moving on: both commands take a subnet mask instead of a wildcard mask, so watch that, as OSPF is all about wildcard masks in the majority of its configurations!
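The summary masks typed into “area 100 range” and “summary-address” above can be computed, and the “summary covers more than exists” caveat checked, with this added example (my code, not from the post). It uses only the Python standard library; the component prefixes are the post’s own loopbacks, embedded as constructed input, and the “holes” check generalizes to any prefix list.

```python
import ipaddress

def summarize(prefixes):
    """Smallest single prefix covering every given network: the value you would
    type into 'area <x> range' (ABR) or 'summary-address' (ASBR)."""
    nets = sorted(ipaddress.ip_network(p, strict=False) for p in prefixes)
    plen = min(n.prefixlen for n in nets)
    while True:  # widen from the lowest network until everything fits
        cand = ipaddress.ip_network((int(nets[0].network_address), plen), strict=False)
        if all(n.subnet_of(cand) for n in nets):
            return cand
        plen -= 1

def masks(summary):
    """Both spellings of one prefix: range/summary-address take the subnet mask,
    the 'network' statement takes the wildcard (the post's closing note)."""
    return str(summary.netmask), str(summary.hostmask)

def holes(prefixes, summary):
    """Address space inside the summary that no component prefix covers. The
    summary attracts traffic for these ranges although nothing is there, which is
    why IOS installs a discard (Null0) route for every summary it originates."""
    remaining = [summary]
    for n in sorted(ipaddress.ip_network(p, strict=False) for p in prefixes):
        nxt = []
        for r in remaining:
            if r.subnet_of(n):            # r fully covered by n: drop it
                continue
            if n.subnet_of(r):            # carve n out of r
                nxt.extend(r.address_exclude(n))
            else:
                nxt.append(r)
        remaining = nxt
    return sorted(remaining)

# Constructed inputs taken from the post's two lab configurations.
ABR_NETS = [f"100.{i}.0.0/16" for i in range(1, 8)]       # R1, area 100 range
ASBR_NETS = [f"172.16.{i}.0/24" for i in range(8, 12)]    # R5, summary-address

if __name__ == "__main__":
    for name, nets in (("area 100 range", ABR_NETS), ("summary-address", ASBR_NETS)):
        s = summarize(nets)
        print(name, s, "mask", masks(s)[0], "wildcard", masks(s)[1], "holes", holes(nets, s))
```

Note that 100.0.0.0/13 also covers 100.0.0.0/16, which R1 does not own; that is the gap the Null0 discard route exists to swallow.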


OSPF Area Authentication


To start off a couple of notes bullet point style for commands and details:

  • OSPF Authentication can use either clear text (the password travels in every packet) or MD5 (a keyed hash over each packet; the key itself is never sent)
  • Turning on Authentication for an Area can be done on the interface in that Area, or in router configuration mode using the “area 0 authentication …” command
  • Any Virtual-Links must use the same Authentication method as Area 0 if in use in Area 0, as a Virtual-Link is considered an extension of Area 0

I’ll set this up between R1 / R2 / R3 all at interface level for now, using clear-text style on R2, and MD5 on R1 and R3 with different key numbers to see what impact it has:

R2(config)#int s0/0
R2(config-if)#ip ospf authentication
R2(config-if)#ip ospf authentication-key CCNP
R2(config-if)#^Z
R2#

ASR#1
[Resuming connection 1 to r1 … ]

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#int s0/0/0
R1(config-if)#ip ospf authentication message-digest
R1(config-if)#ip ospf message-digest-key 1 md5 CCNP
R1(config-if)#^Z
R1#
*Apr 26 20:53:25.751: %SYS-5-CONFIG_I: Configured from console by console
R1#
ASR#3
[Resuming connection 3 to r3 … ]

R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#int s0/2
R3(config-if)#ip ospf authentication message-digest
R3(config-if)#ip ospf message-digest-key 2 md5 CCNP
R3(config-if)#
ASR#1
[Resuming connection 1 to r1 … ]

R1#
R1#
*Apr 26 20:54:10.083: %OSPF-5-ADJCHG: Process 1, Nbr 22.2.2.2 on Serial0/0/0 from FULL to DOWN, Neighbor Down: Dead timer expired
R1#
*Apr 26 20:54:45.211: %OSPF-5-ADJCHG: Process 1, Nbr 33.3.3.3 on Serial0/0/0 from FULL to DOWN, Neighbor Down: Dead timer expired
R1#

So we have officially dropped both our adjacencies by mixing clear-text authentication with md5, and by using different key numbers on the interface.

To fix this mess, I am going to configure R2’s authentication in router configuration, and add the correct key on the interface, and fix R3’s key number to see if that will make them three amigos once again:

*Mar 30 23:22:31.240: %OSPF-5-ADJCHG: Process 1, Nbr 11.1.1.1 on Serial0/0 from FULL to DOWN, Neighbor Down: Dead timer expired
R2#
R2#
R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#int s0/0
R2(config-if)#no ip ospf authentication
R2(config-if)#no ip ospf authentication-key CCNP
R2(config-if)#ip ospf message-digest-key 1 md5 CCNP
R2(config-if)#router ospf 1
R2(config-router)#area 0 authentication message-digest
R2(config-router)#
ASR#3
[Resuming connection 3 to r3 … ]

*Mar 31 20:15:58.784: %OSPF-5-ADJCHG: Process 1, Nbr 11.1.1.1 on Serial0/2 from FULL to DOWN, Neighbor Down: Dead timer expired
R3(config-if)#
R3(config-if)#no ip ospf message-digest-key 2 md5 CCNP
R3(config-if)#ip ospf message-digest-key 1 md5 CCNP
R3(config-if)#
ASR#1
[Resuming connection 1 to r1 … ]

R1(config-router)#
*Apr 26 21:06:10.631: %OSPF-5-ADJCHG: Process 1, Nbr 22.2.2.2 on Serial0/0/0 from LOADING to FULL, Loading Done
R1(config-router)#
*Apr 26 21:06:45.755: %OSPF-5-ADJCHG: Process 1, Nbr 33.3.3.3 on Serial0/0/0 from LOADING to FULL, Loading Done
R1(config-router)#

I highlighted in red the commands for router configuration for clarity’s sake, however we see that it doesn’t matter whether authentication is turned on at the interface or in router configuration, as long as either is for the correct Area; the key configuration, however, does need to be on the interface – there are no options in OSPF router configuration for keys.

Now for verification, this is very important to close this out with, so listen up!

Depending on where Authentication is configured (router config or interface) there are two different ways to verify if an Area is running Authentication that you need to know about for exam day.

First let’s look at the first example of R1 using “sh ip ospf”:

R1#sh ip ospf
 Routing Process “ospf 1” with ID 11.1.1.1
(Output Removed for clarity)
    Area BACKBONE(0)
        Number of interfaces in this area is 2 (1 loopback)
        Area has no authentication
        SPF algorithm last executed 00:20:26.612 ago
        SPF algorithm executed 12 times

If authentication was configured (not the key itself but turning on authentication) on the physical interface, it will show up in “sh ip ospf” that it has no Authentication when it in fact does!

To verify authentication in this case, you would need to use the “sh ip ospf int (int)” command to verify as seen here:

R1#sh ip ospf int s0/0/0
Serial0/0/0 is up, line protocol is up
  Internet Address 172.12.123.1/24, Area 0
  Process ID 1, Router ID 11.1.1.1, Network Type NON_BROADCAST, Cost: 64
  Topology-MTID    Cost    Disabled    Shutdown      Topology Name
        0           64        no          no            Base
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 11.1.1.1, Interface address 172.12.123.1
  No backup designated router on this network
  Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
    oob-resync timeout 120
    Hello due in 00:00:13
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 2/4, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 7
  Last flood scan time is 0 msec, maximum is 4 msec
  Neighbor Count is 2, Adjacent neighbor count is 2
    Adjacent with neighbor 22.2.2.2
    Adjacent with neighbor 33.3.3.3
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled
    Youngest key id is 1
R1#

I know that’s a lot of output, but I wanted to clarify it’s allllll the way at the bottom. So for R2 we can do a “sh ip ospf” and have no problem seeing it there:

R2#sh ip ospf
 Routing Process “ospf 1” with ID 22.2.2.2
 (Output Removed for clarity)
    Area BACKBONE(0)
        Number of interfaces in this area is 2 (1 loopback)
        Area has message digest authentication
        SPF algorithm last executed 00:26:48.292 ago
        SPF algorithm executed 9 times

So to summarize:

  • Authentication can be set on either the interface or router config as long as the Areas and authentication type (clear / md5) both match with neighbors
  • The key always needs to be configured on the physical interface connected to the Area doing Authentication
  • Virtual-Links require the same Authentication as Area 0 to work as they are considered an extension of Area 0
  • “sh ip ospf” will not show Authentication for an Area if it is configured directly on the interface, use “sh ip ospf int (int)” to verify Authentication is set

That was a lot to get out, but I think we have all bases covered for Authentication.
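To show why the key number mattered as much as the key itself, here is an added example (my code, not from the post or Cisco) modelling OSPFv2 cryptographic authentication as RFC 2328 Appendix D describes it: the sender appends MD5(packet || key padded to 16 bytes) and puts the key ID in the header, and the receiver looks the key up by that ID before checking the digest. The Hello contents are constructed from the post’s “sh ip ospf int” output; the replay check on the cryptographic sequence number is left out for brevity.

```python
import hashlib
import hmac
import ipaddress
import struct

AUTH_MD5 = 2       # AuType 2 = cryptographic authentication, RFC 2328 Appendix D.4
DIGEST_LEN = 16

def _pad_key(key):
    # RFC 2328 D.4.3: the configured key is zero-padded (or truncated) to 16 bytes
    return key.ljust(DIGEST_LEN, b"\0")[:DIGEST_LEN]

def build_packet(ptype, body, router_id, area_id, key_id, seq):
    """OSPFv2 header + body with AuType 2. The checksum is 0 and the 8-byte
    authentication field carries (0, key ID, 16, crypto sequence number)."""
    rid = ipaddress.IPv4Address(router_id).packed
    aid = ipaddress.IPv4Address(area_id).packed
    header = struct.pack("!BBH4s4sHH", 2, ptype, 24 + len(body), rid, aid, 0, AUTH_MD5)
    return header + struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq) + body

def sign(packet, key):
    """Sender: append MD5(packet || padded key). The digest is not counted in
    the OSPF length field, so the receiver locates it from that field."""
    return packet + hashlib.md5(packet + _pad_key(key)).digest()

def verify(wire, local_keys):
    """Receiver: local_keys maps key ID -> key, i.e. what each
    'ip ospf message-digest-key <id> md5 <key>' line configures on the interface."""
    if len(wire) < 24 + DIGEST_LEN:
        return False, "truncated"
    length = struct.unpack("!H", wire[2:4])[0]
    autype = struct.unpack("!H", wire[14:16])[0]
    key_id = wire[18]
    if autype != AUTH_MD5:
        return False, "AuType mismatch (clear text vs MD5)"   # R2's first config
    if key_id not in local_keys:
        return False, f"no local key with id {key_id}"        # R3's key 2 vs key 1
    if len(wire) != length + DIGEST_LEN:
        return False, "length mismatch"
    packet, digest = wire[:length], wire[length:]
    expected = hashlib.md5(packet + _pad_key(local_keys[key_id])).digest()
    if not hmac.compare_digest(digest, expected):
        return False, "bad digest (wrong key or modified packet)"
    return True, "ok"

HELLO = 1

def sample_hello_wire(key_id=1, key=b"CCNP", seq=1):
    """Constructed R1 Hello: /24 mask, Hello 30, Dead 120, priority 1, DR 172.12.123.1
    as in the post's 'sh ip ospf int s0/0/0' output, signed with the given key."""
    body = (ipaddress.IPv4Address("255.255.255.0").packed
            + struct.pack("!HBBI", 30, 0x02, 1, 120)
            + ipaddress.IPv4Address("172.12.123.1").packed + bytes(4))
    return sign(build_packet(HELLO, body, "11.1.1.1", "0.0.0.0", key_id, seq), key)
```

A neighbour holding only key ID 2 never gets as far as the digest comparison, which is exactly why R3’s adjacency dropped even though its password was the same “CCNP”.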


Default-Information Originate (Always) Command


This command is pretty straightforward so I won’t spend too much time on it, however there are two approaches to propagating a default route in OSPF:

  • The first option: Configure a static default route to the next hop router you want traffic to flow to, and configure “default-information originate” in OSPF router configuration mode as such:

R1(config)#ip route 0.0.0.0 0.0.0.0 172.12.123.1
%Invalid next hop address (it’s this router)
R1(config)#ip route 0.0.0.0 0.0.0.0 172.12.15.5
R1(config)#router ospf 1
R1(config-router)#default-information originate
R1(config-router)#
ASR#2
[Resuming connection 2 to r2 … ]

R2#sh ip route

Gateway of last resort is 172.12.123.1 to network 0.0.0.0

So we had to configure an upstream router as the default gateway for R1 as well, however R2 immediately got the default route, and one thing I found extremely interesting from our LSA brainwashing:

R2#sh ip ospf data

                Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag
0.0.0.0         11.1.1.1        235         0x80000001 0x00C80F 1

The static route shows up in the route table as this:

O*E2 0.0.0.0/0 [110/1] via 172.12.123.1, 00:06:25, Serial0/0

So if you’re ever asked by a stranger walking down the street what LSA type a static route used for default-information originate is, it is a Type 5 External Route LSA.

However I don’t want R1 with a default route pointing towards R5, I just want routers to send their traffic to R1 to handle, to make Area 0 like a Stub (because you cannot actually make Area 0 a Stub).

  • The Second Option: Use the command “Default-Information Originate Always” and the Router will send out default routes pointing at itself, without any default route being required to be configured on it pointing at another router:

R1(config)#no ip route 0.0.0.0 0.0.0.0 172.12.15.5
R1(config)#router ospf 1
R1(config-router)#no default-information originate
R1(config-router)#default-information originate always

I’ll spare the output from R2 as it is the exact same either way you configure it, however with “always” tacked onto the end, I no longer have a default route on R1.

That is it for this deep dive, not sure what will be up next, but they will keep coming!
