Category Archives: CCNP ROUTE – Redistribution

OSPF: Important details regarding Summarization and Default Routes for exam day, it’s a long but worthwhile read!

[Figure: OSPF base topology]

OSPF Summarization is done only on ABR and ASBR routers in your OSPF domain, and the two use completely different commands, but what if a router is both an ABR and an ASBR?

For example, did you know that using the command “default-information originate …” you are telling the router to create a Type 5 LSA to be propagated throughout the network, thus turning that router into an ASBR?

Another very interesting fact I did not know – OSPF will not allow you to redistribute a static default route. It cannot be done.

Since I never knew either of these things, which seem like fairly good questions for exam day, I wanted to give them a run for their money to see if they are true:

R1(config)#ip route 0.0.0.0 0.0.0.0 null0
R1(config)#router ospf 1
R1(config-router)#redistribute static subnets
R1(config-router)#
ASR#2
[Resuming connection 2 to r2 … ]

R2#sh ip route

Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
O IA    1.1.1.1 [110/65] via 172.12.123.1, 00:00:11, Serial0/0
     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback2
     3.0.0.0/32 is subnetted, 1 subnets
O IA    3.3.3.3 [110/65] via 172.12.123.3, 00:00:11, Serial0/0
     172.12.0.0/24 is subnetted, 3 subnets
O IA    172.12.15.0 [110/65] via 172.12.123.1, 00:00:11, Serial0/0
C       172.12.23.0 is directly connected, FastEthernet0/0
C       172.12.123.0 is directly connected, Serial0/0
R2#sh ip ospf data

            OSPF Router with ID (2.2.2.2) (Process ID 1)

                Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
1.1.1.1         1.1.1.1         45          0x80000005 0x00DC9D 1
2.2.2.2         2.2.2.2         1013        0x80000004 0x009AD9 1
3.3.3.3         3.3.3.3         132         0x80000005 0x006008 1

                Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
172.12.123.1    1.1.1.1         905         0x80000004 0x0023BE

                Summary Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
1.1.1.1         1.1.1.1         1416        0x80000003 0x0043EE
2.2.2.2         2.2.2.2         1013        0x80000003 0x00F633
3.3.3.3         3.3.3.3         321         0x80000001 0x00AE75
172.12.15.0     1.1.1.1         1154        0x80000005 0x0072F9
172.12.23.0     2.2.2.2         696         0x80000001 0x000460
172.12.23.0     3.3.3.3         692         0x80000009 0x00D582

Nothing! I never knew that was a behavior before, so you HAVE to use the default-information originate command to propagate a static route even though it still uses a Type 5 LSA just like redistribution would have!!!

Keep that in mind on exam day, if you see redistribution in ospf of a static default route, that is beyond a red flag.

Now. Back to this about the default-information originate command making a router an ASBR, I don’t really want to assign a default route to the logical trash bin (null0), so I’m just going to add “always” so no static default route is needed:

R1(config)#router ospf 1
R1(config-router)#default-information originate always
R1(config-router)#
ASR#2
[Resuming connection 2 to r2 … ]

R2#sh ip route

Gateway of last resort is 172.12.123.1 to network 0.0.0.0

     1.0.0.0/32 is subnetted, 1 subnets
O IA    1.1.1.1 [110/65] via 172.12.123.1, 00:07:10, Serial0/0
     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback2
     3.0.0.0/32 is subnetted, 1 subnets
O IA    3.3.3.3 [110/65] via 172.12.123.3, 00:07:10, Serial0/0
     172.12.0.0/24 is subnetted, 3 subnets
O IA    172.12.15.0 [110/65] via 172.12.123.1, 00:07:10, Serial0/0
C       172.12.23.0 is directly connected, FastEthernet0/0
C       172.12.123.0 is directly connected, Serial0/0
O*E2 0.0.0.0/0 [110/1] via 172.12.123.1, 00:00:12, Serial0/0

R2#

There we go, now R2 has a default route, and what appears to be an External Type 5 LSA route so I am guessing when I go back to R1:

R1(config-router)#do sh ip ospf
 Routing Process "ospf 1" with ID 1.1.1.1
 Start time: 00:00:18.800, Time elapsed: 01:39:06.588
 Supports only single TOS(TOS0) routes
 Supports opaque LSA
 Supports Link-local Signaling (LLS)
 Supports area transit capability
 Event-log enabled, Maximum number of events: 1000, Mode: cyclic
 It is an area border and autonomous system boundary router

 Redistributing External Routes from,
 Router is not originating router-LSAs with maximum metric

The interesting thing here is that I’ve never seen any other protocol leave the “Redistributing External Routes from” field empty, and it sure is both an ABR and an ASBR now.

So can I do both types of Summarization now? Let's break some stuff and find out! To be clear on how real this is getting:

R1(config-if)#do sh ip int bri
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES NVRAM  administratively down down
FastEthernet0/1            172.12.15.1     YES NVRAM  up                    up
Serial0/0/0                172.12.123.1    YES NVRAM  up                    up
Serial0/0/1                100.100.100.1   YES NVRAM  administratively down down
Loopback1                  1.1.1.1         YES NVRAM  up                    up
Loopback8                  172.16.8.1      YES manual up                    up
Loopback9                  172.16.9.1      YES manual up                    up
Loopback10                 172.16.10.1     YES manual up                    up
Loopback11                 172.16.11.1     YES manual up                    up
Loopback101                100.1.0.1       YES manual up                    up
Loopback102                100.2.0.1       YES manual up                    up
Loopback103                100.3.0.1       YES manual up                    up
Loopback104                100.4.0.1       YES manual up                    up
Loopback105                100.5.0.1       YES manual up                    up
Loopback106                100.6.0.1       YES manual up                    up
Loopback107                100.7.0.1       YES manual up                    up

Summary Address = 172.16.8.0 /22
Summary Address = 100.0.0.0  /13
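
The two summary addresses can be checked mechanically. The Python below is an added example, not part of the original post: it derives the smallest covering prefix for each group of R1 loopbacks, renders it in the address-and-mask form the `area ... range` (ABR) and `summary-address` (ASBR) commands take, and lists any part of the summary that holds no loopback at all. The function names are this example's own.

```python
import ipaddress


def covering_prefix(addresses):
    """Return the smallest single IPv4 prefix containing every address."""
    ints = [int(ipaddress.IPv4Address(a)) for a in addresses]
    lo, hi = min(ints), max(ints)
    # Bits that differ between the lowest and highest address cannot be
    # part of the common prefix; everything to their left can.
    prefix_len = 32 - (lo ^ hi).bit_length()
    return ipaddress.IPv4Network((lo, prefix_len), strict=False)


def unused_components(summary, addresses, component_len):
    """Subnets of `summary` (at component_len) that hold none of the addresses."""
    hosts = [ipaddress.IPv4Address(a) for a in addresses]
    return [sub for sub in summary.subnets(new_prefix=component_len)
            if not any(h in sub for h in hosts)]


def ios_summary_line(kind, summary, area=None):
    """Render the summary in the address + mask form the two commands use."""
    if kind == "abr":
        return f"area {area} range {summary.network_address} {summary.netmask}"
    return f"summary-address {summary.network_address} {summary.netmask}"


# Loopback addresses taken from R1's "sh ip int bri" output above.
AREA_100_LOOPBACKS = [f"100.{n}.0.1" for n in range(1, 8)]         # Lo101-Lo107
REDISTRIBUTED_LOOPBACKS = [f"172.16.{n}.1" for n in range(8, 12)]  # Lo8-Lo11

if __name__ == "__main__":
    for kind, area, addrs, comp in (
        ("abr", 100, AREA_100_LOOPBACKS, 16),
        ("asbr", None, REDISTRIBUTED_LOOPBACKS, 24),
    ):
        summary = covering_prefix(addrs)
        print(ios_summary_line(kind, summary, area))
        for gap in unused_components(summary, addrs, comp):
            # The summary advertises this space even though nothing lives there.
            print(f"  advertised but unused: {gap}")
```

The /22 is an exact fit, but the /13 also covers 100.0.0.0/16, which has no loopback behind it: once the summary is advertised, traffic for that block is drawn toward R1 as well.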

Now for the ABR, the routes need to be put in via the “network” command, being that you are specifying the Area containing the routes, so they need to be entered into OSPF in the same Area.

I was actually just cursing looking at that, for some reason thinking the Loopback # dictated the Area # or something, but I got it now, so let's give it a go here:

R1(config-if)#router ospf 1
R1(config-router)#network 100.1.0.0 0.0.255.255 area 100
R1(config-router)#network 100.2.0.0 0.0.255.255 area 100
R1(config-router)#network 100.3.0.0 0.0.255.255 area 100
R1(config-router)#network 100.4.0.0 0.0.255.255 area 100
R1(config-router)#network 100.5.0.0 0.0.255.255 area 100
R1(config-router)#network 100.6.0.0 0.0.255.255 area 100
R1(config-router)#network 100.7.0.0 0.0.255.255 area 100
R1(config-router)#area 100 range 100.0.0.0 255.248.0.0 ?
  advertise      Advertise this range (default)
  cost           User specified metric for this range
  not-advertise  DoNotAdvertise this range
  <cr>

R1(config-router)#area 100 range 100.0.0.0 255.248.0.0
R1(config-router)#

Cost can be defined as a modifier to the command as highlighted in red there, otherwise OSPF will use the best Prefix’s Cost value for the Summary Route which I think should be left alone unless you have a reason to change it.

So let's take a look at R2’s OSPF route table to verify we have one type of summarization at work:

R2#sh ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O IA    1.1.1.1 [110/65] via 172.12.123.1, 00:43:36, Serial0/0
     100.0.0.0/13 is subnetted, 1 subnets
O IA    100.0.0.0 [110/65] via 172.12.123.1, 00:16:54, Serial0/0
     3.0.0.0/32 is subnetted, 1 subnets
O IA    3.3.3.3 [110/65] via 172.12.123.3, 00:43:36, Serial0/0
     172.12.0.0/24 is subnetted, 3 subnets
O IA    172.12.15.0 [110/65] via 172.12.123.1, 00:43:36, Serial0/0
O*E2 0.0.0.0/0 [110/1] via 172.12.123.1, 00:16:49, Serial0/0
R2#sh ip ospf data

            OSPF Router with ID (2.2.2.2) (Process ID 1)

                Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
1.1.1.1         1.1.1.1         750         0x80000006 0x00DA9E 1
2.2.2.2         2.2.2.2         1590        0x80000005 0x0098DA 1
3.3.3.3         3.3.3.3         920         0x80000006 0x005E09 1

                Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
172.12.123.1    1.1.1.1         1487        0x80000005 0x0021BF

                Summary Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
1.1.1.1         1.1.1.1         1971        0x80000004 0x0041EF
2.2.2.2         2.2.2.2         1590        0x80000004 0x00F434
3.3.3.3         3.3.3.3         920         0x80000002 0x00AC76
100.0.0.0       1.1.1.1         1028        0x80000001 0x00409A
172.12.15.0     1.1.1.1         1730        0x80000006 0x0070FA
172.12.23.0     2.2.2.2         1347        0x80000002 0x000261
172.12.23.0     3.3.3.3         1421        0x8000000A 0x00D383

So it is being advertised as an Inter-Area (Type 3 LSA) route, as can be seen both in the IP route table and in the LSA Database, as it should be, because this is the ABR way to summarize routes. Ahem.

Also if you want to get granular with how you look at the LSA Database, to see this summary route for example, you can type in as follows:

R2#sh ip ospf data summ 100.0.0.0

            OSPF Router with ID (2.2.2.2) (Process ID 1)

                Summary Net Link States (Area 0)

  Routing Bit Set on this LSA
  LS age: 1347
  Options: (No TOS-capability, DC, Upward)
  LS Type: Summary Links(Network)
  Link State ID: 100.0.0.0 (summary Network Number)
  Advertising Router: 1.1.1.1
  LS Seq Number: 80000001
  Checksum: 0x409A
  Length: 28
  Network Mask: /13

        TOS: 0  Metric: 1

This command will give you a ton of output, like the Database itself but with full details, which makes it incredibly hard to dig through if it is reporting all those details for a decent number of Areas.

However, I did want you to see, you can verify if a route is a Summary from the LSA Database – And that is a good thing to know. You can also look at sections of it with “sh ip ospf data summ” and so on but I won’t flood the page with all that output.

So all this ABR Summarization is all fine and good you say, but what about ASBR Summarization? I am glad you asked.

I am not sure if it requires the networks to be entered via the “network” command, so I’ll test out whether they need to be added. Let's take a look:

R1(config-router)#summary-address 172.16.8.0 255.255.252.0
R1(config-router)#
ASR#2
[Resuming connection 2 to r2 … ]

R2#sh ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O IA    1.1.1.1 [110/65] via 172.12.123.1, 00:55:55, Serial0/0
     100.0.0.0/13 is subnetted, 1 subnets
O IA    100.0.0.0 [110/65] via 172.12.123.1, 00:29:13, Serial0/0
     3.0.0.0/32 is subnetted, 1 subnets
O IA    3.3.3.3 [110/65] via 172.12.123.3, 00:55:55, Serial0/0
     172.12.0.0/24 is subnetted, 3 subnets
O IA    172.12.15.0 [110/65] via 172.12.123.1, 00:55:55, Serial0/0
O*E2 0.0.0.0/0 [110/1] via 172.12.123.1, 00:29:08, Serial0/0
R2#

Well that stinks. Let me add the routes via “network” on R1 and try that again:

R1(config-router)#
R1(config-router)#network 172.16.8.0 0.0.0.255 area 51
R1(config-router)#network 172.16.9.0 0.0.0.255 area 51
R1(config-router)#network 172.16.10.0 0.0.0.255 area 51
R1(config-router)#network 172.16.11.0 0.0.0.255 area 51
R1(config-router)#
ASR#2
[Resuming connection 2 to r2 … ]

R2#sh ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O IA    1.1.1.1 [110/65] via 172.12.123.1, 00:58:21, Serial0/0
     100.0.0.0/13 is subnetted, 1 subnets
O IA    100.0.0.0 [110/65] via 172.12.123.1, 00:31:40, Serial0/0
     3.0.0.0/32 is subnetted, 1 subnets
O IA    3.3.3.3 [110/65] via 172.12.123.3, 00:58:21, Serial0/0
     172.12.0.0/24 is subnetted, 3 subnets
O IA    172.12.15.0 [110/65] via 172.12.123.1, 00:58:21, Serial0/0
     172.16.0.0/32 is subnetted, 4 subnets
O IA    172.16.9.1 [110/65] via 172.12.123.1, 00:00:11, Serial0/0
O IA    172.16.8.1 [110/65] via 172.12.123.1, 00:00:21, Serial0/0
O IA    172.16.11.1 [110/65] via 172.12.123.1, 00:00:01, Serial0/0
O IA    172.16.10.1 [110/65] via 172.12.123.1, 00:00:11, Serial0/0
O*E2 0.0.0.0/0 [110/1] via 172.12.123.1, 00:00:06, Serial0/0
R2#

Now things are getting interesting, because if I remove the summarization R1 is doing as an ABR, will the summarization command as an ASBR kick into action? Let's see:

R1(config-router)#no area 100 range 100.0.0.0 255.248.0.0
R1(config-router)#
ASR#2
[Resuming connection 2 to r2 … ]

R2#sh ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O IA    1.1.1.1 [110/65] via 172.12.123.1, 01:01:04, Serial0/0
     100.0.0.0/32 is subnetted, 7 subnets
O IA    100.5.0.1 [110/65] via 172.12.123.1, 00:00:12, Serial0/0
O IA    100.4.0.1 [110/65] via 172.12.123.1, 00:00:12, Serial0/0
O IA    100.7.0.1 [110/65] via 172.12.123.1, 00:00:12, Serial0/0
O IA    100.6.0.1 [110/65] via 172.12.123.1, 00:00:12, Serial0/0
O IA    100.1.0.1 [110/65] via 172.12.123.1, 00:00:12, Serial0/0
O IA    100.3.0.1 [110/65] via 172.12.123.1, 00:00:12, Serial0/0
O IA    100.2.0.1 [110/65] via 172.12.123.1, 00:00:12, Serial0/0

     3.0.0.0/32 is subnetted, 1 subnets
O IA    3.3.3.3 [110/65] via 172.12.123.3, 01:01:04, Serial0/0
     172.12.0.0/24 is subnetted, 3 subnets
O IA    172.12.15.0 [110/65] via 172.12.123.1, 01:01:04, Serial0/0
     172.16.0.0/32 is subnetted, 4 subnets
O IA    172.16.9.1 [110/65] via 172.12.123.1, 00:02:54, Serial0/0
O IA    172.16.8.1 [110/65] via 172.12.123.1, 00:03:04, Serial0/0
O IA    172.16.11.1 [110/65] via 172.12.123.1, 00:02:45, Serial0/0
O IA    172.16.10.1 [110/65] via 172.12.123.1, 00:02:55, Serial0/0
O*E2 0.0.0.0/0 [110/1] via 172.12.123.1, 00:00:08, Serial0/0
R2#

No it did not, so I am wondering if perhaps order of commands comes into play here, as I configured the summary-address of routes that weren’t in the OSPF config yet.

So after a lot of failure with trying to redistribute an actual static route to make it an official “ASBR”, remove and re-add commands, I caved and watched the Summarization portion of my training video for summary address and I’ll be damned if this can’t ONLY be done by the ASBR because you redistribute the friggin connected routes! Gah!

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#router ospf 1
R1(config-router)#no network 172.16.8.0 0.0.0.255 area 51
R1(config-router)#no network 172.16.9.0 0.0.0.255 area 51
R1(config-router)#no network 172.16.10.0 0.0.0.255 area 51
R1(config-router)#no network 172.16.11.0 0.0.0.255 area 51
R1(config-router)#redistribute connected subnets
R1(config-router)#area 100 range 100.0.0.0 255.248.0.0
R1(config-router)#summary-address 172.16.8.0 255.255.252.0
R1(config-router)#

Now for the moment of truth (I removed 172.x routes from OSPF):

R2#sh ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O IA    1.1.1.1 [110/65] via 172.12.123.1, 01:31:24, Serial0/0
     100.0.0.0/13 is subnetted, 1 subnets
O IA    100.0.0.0 [110/65] via 172.12.123.1, 00:01:19, Serial0/0
     3.0.0.0/32 is subnetted, 1 subnets
O IA    3.3.3.3 [110/65] via 172.12.123.3, 01:31:24, Serial0/0
     172.12.0.0/24 is subnetted, 3 subnets
O IA    172.12.15.0 [110/65] via 172.12.123.1, 01:31:24, Serial0/0
     172.16.0.0/22 is subnetted, 1 subnets
O E2    172.16.8.0 [110/20] via 172.12.123.1, 00:01:14, Serial0/0
O*E2 0.0.0.0/0 [110/1] via 172.12.123.1, 00:01:14, Serial0/0
R2#

FINALLY!! So that is why summary-address can only be done on the ASBR, because you need to redistribute the sequential routes to be summarized before entering the command to summarize them!

Also we now know that we can issue both commands on R1 as an ABR, and an ASBR with no problems.

HOWEVER WE ARE NOT DONE YET, AS WE HAVEN’T GONE INTO THE SECOND WAY OSPF CAN CREATE A STATIC ROUTE – AND THIS TIME IT AIN’T A TYPE 5 LSA!

The other way is to make an Area a Stub Area. Doing this creates a default route out of the Area for the Stub, and since a Stub Area does not allow LSA Type 5’s in at all, the default route created in this case is a Summary Type 3 LSA.

Let's look at Area 34 quick to wrap this one up:

R3(config-router)#area 34 stub
R3(config-router)#
ASR#4
[Resuming connection 4 to r4 … ]

R4#
R4#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R4(config)#router ospf 1
R4(config-router)#area 34 stub

That is all there is to the stub command, and the default route can be seen here, but there is still a LOT of clutter from Inter-Area routes:

R4(config-router)#do sh ip route ospf

Gateway of last resort is 172.12.34.3 to network 0.0.0.0

O*IA  0.0.0.0/0 [110/2] via 172.12.34.3, 00:00:15, FastEthernet0/1

      1.0.0.0/32 is subnetted, 1 subnets
O IA     1.1.1.1 [110/66] via 172.12.34.3, 00:00:15, FastEthernet0/1
      2.0.0.0/32 is subnetted, 1 subnets
O IA     2.2.2.2 [110/66] via 172.12.34.3, 00:00:15, FastEthernet0/1
      3.0.0.0/32 is subnetted, 1 subnets
O IA     3.3.3.3 [110/2] via 172.12.34.3, 00:00:15, FastEthernet0/1
      100.0.0.0/13 is subnetted, 1 subnets
O IA     100.0.0.0 [110/66] via 172.12.34.3, 00:00:15, FastEthernet0/1
      172.12.0.0/16 is variably subnetted, 5 subnets, 2 masks
O IA     172.12.15.0/24 [110/66] via 172.12.34.3, 00:00:15, FastEthernet0/1
O IA     172.12.23.0/24 [110/2] via 172.12.34.3, 00:00:15, FastEthernet0/1
O IA     172.12.123.0/24 [110/65] via 172.12.34.3, 00:00:15, FastEthernet0/1
R4(config-router)#

In the LSDB under the Area 34 Summary Header we can see the route there as well:

 Summary Net Link States (Area 34)

Link ID         ADV Router      Age         Seq#       Checksum
0.0.0.0         3.3.3.3         320         0x80000001 0x0057DA
1.1.1.1         3.3.3.3         320         0x80000001 0x00AB42
2.2.2.2         3.3.3.3         320         0x80000001 0x007D6C
3.3.3.3         3.3.3.3         320         0x80000001 0x00CC59
100.0.0.0       3.3.3.3         320         0x80000001 0x00A4EF
172.12.15.0     3.3.3.3         320         0x80000001 0x00DE4B
172.12.23.0     3.3.3.3         320         0x80000001 0x00045E
172.12.123.0    3.3.3.3         320         0x80000001 0x002C92

Now the thing that kind of amazes me, is the only verification command I could find outside of “show run” to verify this router is a stub router, was to do “sh ip ospf” and scroll all the way down under the Area 34 Header to find it:

Area 34
        Number of interfaces in this area is 1
        It is a stub area
        Area has no authentication
        SPF algorithm last executed 00:09:14.524 ago
        SPF algorithm executed 4 times
        Area ranges are
        Number of LSA 11. Checksum Sum 0x0528C8
        Number of opaque link LSA 0. Checksum Sum 0x000000
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 0
        Flood list length 0

So to finish this off, let's make it a total stub, and get rid of those Inter-Area routes altogether:

R3(config-router)#no area 34 stub
R3(config-router)#area 34 stub no-summary
R3(config-router)#
ASR#4
[Resuming connection 4 to r4 … ]

*May 19 00:03:42.155: %OSPF-5-ADJCHG: Process 1, Nbr 3.3.3.3 on FastEthernet0/1 from LOADING to FULL, Loading Done

R4#sh ip route ospf

Gateway of last resort is 172.12.34.3 to network 0.0.0.0

O*IA  0.0.0.0/0 [110/2] via 172.12.34.3, 00:12:49, FastEthernet0/1
R4#

So let's see if waaaay across the Topology R5 can still ping 4.4.4.4:

R5#ping 4.4.4.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R5#traceroute 4.4.4.4

Type escape sequence to abort.
Tracing the route to 4.4.4.4

  1 172.12.15.1 0 msec 0 msec 4 msec
  2 172.12.15.1 !H  *  !H
R5#

That was interesting traceroute traffic. Upon looking at R1, it does have the network 172.12.34.0 in its Summary Type 3 LSA’s, but no Area 34 or Area 4 at all in its LSDB. However I know what’s going on here, as 4.4.4.4 belongs to Area 4, which to Area 34 would be blocked as an Inter-Area route, so if we do this:

R4(config)#router ospf 1
R4(config-router)#no network 4.4.4.4 0.0.0.0 area 4
R4(config-router)#network 4.4.4.4 0.0.0.0 area 34
R4(config-router)#

Then we should now be able to do this:

R5#ping 4.4.4.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/65/69 ms
R5#

There we go, logical thinking isn’t always easy, but it does usually work.

I have one very last thing to add to this and I am done on this topic, seriously.

It has to do with the default-information originate command, because you can actually set it to track a certain route, and if that route goes down OSPF “Poisons” the default route and removes it from route tables / LSDB’s.

Let's take a look at the configuration:

R1#conf t
R1(config)#int lo99
R1(config-if)#ip add 99.99.99.99 255.255.255.255
R1(config)#access-list 99 permit 99.99.99.99
R1(config)#route-map 99bananas permit 10
R1(config-route-map)#match ip add 99
R1(config-route-map)#route-map 99bananas permit 20
R1(config-route-map)#exit
R1(config)#router ospf 1
R1(config-router)#default-information originate always route-map 99bananas

R1(config-router)#

Adding this route-map to it will “track” that route, so if that route or interface goes bye bye, so does our default route! Let's see this in action:

R2#sh ip route

Gateway of last resort is 172.12.123.1 to network 0.0.0.0

     1.0.0.0/32 is subnetted, 1 subnets
O IA    1.1.1.1 [110/65] via 172.12.123.1, 02:13:02, Serial0/0
     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback2
     100.0.0.0/13 is subnetted, 1 subnets
O IA    100.0.0.0 [110/65] via 172.12.123.1, 00:42:57, Serial0/0
     3.0.0.0/32 is subnetted, 1 subnets
O IA    3.3.3.3 [110/65] via 172.12.123.3, 02:13:02, Serial0/0
     4.0.0.0/32 is subnetted, 1 subnets
O IA    4.4.4.4 [110/66] via 172.12.123.3, 00:09:41, Serial0/0
     99.0.0.0/32 is subnetted, 1 subnets
O E2    99.99.99.99 [110/20] via 172.12.123.1, 00:05:35, Serial0/0
     172.12.0.0/24 is subnetted, 4 subnets
O IA    172.12.34.0 [110/65] via 172.12.123.3, 00:18:17, Serial0/0
O IA    172.12.15.0 [110/65] via 172.12.123.1, 02:13:06, Serial0/0
C       172.12.23.0 is directly connected, FastEthernet0/0
C       172.12.123.0 is directly connected, Serial0/0
     172.16.0.0/22 is subnetted, 1 subnets
O E2    172.16.8.0 [110/20] via 172.12.123.1, 00:09:38, Serial0/0
O*E2 0.0.0.0/0 [110/1] via 172.12.123.1, 00:01:02, Serial0/0

R2#

Now let's remove the loopback and see the havoc it wreaks:

R1(config)#no int lo99
R1(config)#
*May 19 01:32:13.539: %LINK-5-CHANGED: Interface Loopback99, changed state to administratively down
*May 19 01:32:14.539: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback99, changed state to down
R1(config)#
ASR#2
[Resuming connection 2 to r2 … ]

R2#sh ip route

Gateway of last resort is not set

So that is something excellent to know for exam day and the real world, that your default routes can have dependencies or be conditional upon other routes being available.
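
The post has now shown a default route in three states: learned as a Type 5 external (O*E2), learned as a Type 3 summary inside a stub area (O*IA), and withdrawn. The Python below is an added example, not part of the original post, that classifies the default route in `show ip route` text and checks its next hop against an expected set; the sample text is excerpted from the outputs above, and the expected next-hop set and function name are assumptions of this example.

```python
import re

# Route-table codes for an OSPF-learned default, mapped to the LSA type behind them.
LSA_BY_CODE = {"E1": 5, "E2": 5, "IA": 3, "N1": 7, "N2": 7}

GATEWAY_RE = re.compile(
    r"^Gateway of last resort is (?P<gw>\S+) to network 0\.0\.0\.0", re.M)
DEFAULT_RE = re.compile(
    r"^O\*\s*(?P<code>E1|E2|IA|N1|N2)\s+0\.0\.0\.0/0\s+"
    r"\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nh>[\d.]+),",
    re.M,
)


def classify_default(show_ip_route, expected_next_hops):
    """Describe the default route found in IOS 'show ip route' text."""
    gateway = GATEWAY_RE.search(show_ip_route)
    route = DEFAULT_RE.search(show_ip_route)
    if route is None:
        # Either no default at all, or one that did not come from OSPF.
        return {
            "present": gateway is not None,
            "code": None,
            "lsa_type": None,
            "next_hop": gateway.group("gw") if gateway else None,
            "expected": False,
        }
    next_hop = route.group("nh")
    return {
        "present": True,
        "code": route.group("code"),
        "lsa_type": LSA_BY_CODE[route.group("code")],
        "metric": int(route.group("metric")),
        "next_hop": next_hop,
        "expected": next_hop in expected_next_hops,
    }


# Excerpts of the outputs shown earlier in this post.
R2_WITH_DEFAULT = """\
Gateway of last resort is 172.12.123.1 to network 0.0.0.0

O IA    1.1.1.1 [110/65] via 172.12.123.1, 00:07:10, Serial0/0
O*E2 0.0.0.0/0 [110/1] via 172.12.123.1, 00:00:12, Serial0/0
"""
R4_IN_STUB_AREA = """\
Gateway of last resort is 172.12.34.3 to network 0.0.0.0

O*IA  0.0.0.0/0 [110/2] via 172.12.34.3, 00:12:49, FastEthernet0/1
"""
R2_AFTER_LO99_REMOVED = """\
Gateway of last resort is not set
"""

if __name__ == "__main__":
    expected = {"172.12.123.1"}  # assumption: R1 is the only approved default source
    for name, text in (("R2", R2_WITH_DEFAULT),
                       ("R4", R4_IN_STUB_AREA),
                       ("R2 after lo99 removed", R2_AFTER_LO99_REMOVED)):
        print(name, classify_default(text, expected))
```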

Pretty cool stuff. Ok, this post has gone on way too long, that's it for these topics!

A collection of IMPORTANT links to review and know for exam day, then a quick overview of LSA Types / OSPF Router Types!

(This post will be replacing the subnetting post in my sticky threads up top the blog)

I pulled this topology from my older posts when I took a deep dive into the world of LSA’s, how to read the Topology table like a laundry list and understand it, and what type of routers did what.

First I want to list links that are absolutely vital to read and understand for exam day, as you will run into questions regarding these in some fashion or another, and then I will sticky this post up top so the links are available there as well:

LSA Part 1 – https://loopedback.com/2017/04/24/part-1-ospf-lsa-deep-dive-starting-with-lsa-types-1-2-3-and-an-intro-to-all-lsa-types-and-ospf-routers-types/

LSA Part 2 – https://loopedback.com/2017/04/25/part-2-ospf-lsa-deep-dive-lsa-types-4-5-and-turn-area-15-to-an-nssa-to-see-what-happens-with-the-ls-database/

LSA Part 3 – https://loopedback.com/2017/04/25/part-3-ospf-lsa-deep-dive-lsa-type-7-deep-dive-into-every-type-of-ospf-stub-area-and-how-it-impacts-lsas/

VPN types and Tunnel Modes – https://loopedback.com/2017/04/28/vpn-deep-dive-into-different-vpn-packet-types-differences-in-security-and-differences-in-modes-between-them/

OSPF Distribute-List vs Filter-List – https://loopedback.com/2017/04/27/ospf-deep-dive-distribute-list-vs-filter-list-in-and-reviewing-prefix-lists-as-they-filter-lists-use-prefixes-to-filter/

Quick methods to Subnet – https://loopedback.com/2017/05/09/important-subnetting-review-to-quickly-find-network-address-ranges-and-a-great-cheat-sheet-for-exam-day/

IPv6 Migration Strategies – https://loopedback.com/2017/03/11/ipv6-migration-strategies-from-ipv4-networks-need-to-know-details-for-exam-day-explained/comment-page-1/#comment-56

Identifying IPv6 Address Types – https://loopedback.com/2017/05/08/ipv6-quick-tips-on-some-good-to-knows-and-need-to-knows-for-ipv6-on-exam-day-may-be-adding-info-to-this-in-the-future/

EIGRP Distribute-List / Prefix-List configuration – https://loopedback.com/2017/05/10/eigrp-deep-dive-into-prefix-list-configurations-access-list-vs-prefix-list-using-prefix-lists-to-filter-eigrp-routes-with-distribute-lists/

I could keep adding posts to that list all day, as they are pretty important, but you need to have a solid understanding of VPN Types and Tunnel Modes (and what they do), LSA Types and Database understanding, the IPv6 material and knowing how to configure and apply Prefix-Lists, etc. I’d say read all my posts, but I wrote them and my mind still slips on the materials!

Now I pulled this explanation of the LSA types from an older post where I summarized them using the Topology above, so I will paste these into this post, and sticky this thread up top for visibility and move on to the next topic for review!

So first, I will start with a description of each LSA type of the 7 of them:

  • LSA Type 1 “Router” – “Router Link States” will be its header in the LSA DB, and the name is self explanatory, these LSA’s are generated by each router with updates on its local Link States, all router types generate and flood this LSA Type.
  • LSA Type 2 “Network” – “Net Link States” are only generated and sent by DR’s and BDR’s to routers in the Same Area, that are also on the same multi-access network type, LSA type stays within its own Area, only seen in NON-Point-to-Point network types
  • LSA Type 3 “Summary” – “Summary Net Link States” has nothing to do with summarization, but floods its summary of networks from one Area into others except for the Area it is part of – Not flooded into Total-Stub’d Areas (Stub or NSSA)
  • LSA Type 4 “Summary ASB” – “Summary ASB Link States” LSA type is only created by ABR’s back to the ASBR, so when redistribution is configured on the ASBR Router it flips a bit in its “Router LSA” (Type 1!), and the ABR(s) then create LSA type 4’s to pass along throughout the network giving OSPF neighbors the path back to the ASBR – Not flooded into Stub Areas.
  • LSA Type 5 “Autonomous System External Link State” – or “AS External Link States” in the OSPF LSA DB, these are your “O E1” and “O E2”  Redistributed routes, generated from the ASBR itself OUTSIDE an NSSA Area – Not flooded into Stub Areas.
  • LSA Type 6 – Not needed for the CCNP ROUTE, but it is for Multicast Extensions of OSPF (MOSPF), but again is not referenced in the ROUTE exam, just wanted to mention for the sake of thoroughness
  • LSA Type 7 “NSSA LSA’s” – This type of LSA is generated when the ASBR INSIDE an NSSA Area does Redistribution, as Type 5 Redistribution LSA’s cannot enter an NSSA Area

Phew. So to cover what type of routers create which type of LSA’s ONE MORE TIME:

  • Type 1 – All Routers
  • Type 2 – All DR’s
  • Type 3, 4 – All ABR’s
  • Type 5 – ASBR’s OUTSIDE the NSSA Areas (NSSA’s don’t allow LSA type 5)
  • Type 6 – Reserved for MOSPF
  • Type 7 – ASBR’s INSIDE the NSSA Areas (Type 7 LSA’s [N1, N2 in route table])

 

If you don’t fully understand LSA’s, please review Part 1, 2, and 3 of the OSPF LSA posts linked above as this is crucial to exam success if you get some OSPF questions!

IPv6 Redistribution, Stub and Total Stub configuration, and some gotchas to watch for on exam day!

[Figure: OSPFv3 topology, no NBMA]

I was going to bring R1 in on this with a Point-to-Point Serial cable, to make the Topology look a little less pathetic than the usual all out routers everywhere model, however for these topics I only need these 3 – Though I may need to for further IPv6 studies.

So far I’ve confirmed the frame switch does not understand IPv6 at all, and R5 at very least has a bug in its code regarding IPv6 and OSPF, not sure yet about other protocols…

Redistribution with IPv6 is very similar to IPv4 in the way that you must go into the router configuration mode “ipv6 router ospf #” from global config, and actually I’ve already added some loopbacks on R2 for this demonstration:

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#int lo14
R2(config-if)#ipv6 add 2014::1/64
R2(config-if)#int lo15
R2(config-if)#ipv6 add 2015::1/64
R2(config-if)#int lo16
R2(config-if)#ipv6 add 2016::1/64
R2(config-if)#
R2(config-if)#
*Mar  1 22:44:19.449: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback14, changed state to up
*Mar  1 22:44:19.589: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback15, changed state to up
*Mar  1 22:44:19.625: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback16, changed state to up
R2(config-if)#

Typed them so fast the router could hardly keep up 🙂

So now I will drop into router config, and I’ll display the ? output as I go along:

R2(config)#ipv6 router ospf 1
R2(config-rtr)#redistribute ?
  bgp        Border Gateway Protocol (BGP)
  connected  Connected Routes
  eigrp      Enhanced Interior Gateway Routing Protocol (EIGRP)
  isis       ISO IS-IS
  ospf       Open Shortest Path First (OSPF)
  rip        IPv6 Routing Information Protocol (RIPv6)
  static     Static Routes

R2(config-rtr)#redistribute connected ?
  metric       Metric for redistributed routes
  metric-type  OSPF/IS-IS exterior metric type for redistributed routes
  route-map    Route map reference
  tag          Set tag for routes redistributed into OSPF
  <cr>

R2(config-rtr)#redistribute connected
R2(config-rtr)#

Oh boy I see that route-map statement as part of the command and I just want to start redistributing everywhere, however I stuck to basics just to demonstrate the route table, if I think up a scenario where it’d be fun to use route-maps in IPv6 I will definitely be labbing it.

It’s so hard to put IPv6 and fun in the same sentence, I can’t believe I just did it, one step closer to true Cisco enlightenment!

All joking aside, there was one field missing there, and that would be “subnets” on the end of that redistribute command. That is because subnets is not necessary in OSPFv3 vs OSPFv2, so that will be a good detail to remember come exam day.

So let us see what this all looks like way over on R4 in its OSPF route table:

R4#sh ipv6 route ospf
IPv6 Routing Table – default – 10 entries
Codes: C – Connected, L – Local, S – Static, U – Per-user Static route
       B – BGP, HA – Home Agent, MR – Mobile Router, R – RIP
       I1 – ISIS L1, I2 – ISIS L2, IA – ISIS interarea, IS – ISIS summary
       D – EIGRP, EX – EIGRP external, NM – NEMO, ND – Neighbor Discovery
       l – LISP
       O – OSPF Intra, OI – OSPF Inter, OE1 – OSPF ext 1, OE2 – OSPF ext 2
       ON1 – OSPF NSSA ext 1, ON2 – OSPF NSSA ext 2
OE2 2014::/64 [110/20]
     via FE80::20F:23FF:FE09:B181, FastEthernet0/1
OE2 2015::/64 [110/20]
     via FE80::20F:23FF:FE09:B181, FastEthernet0/1
OE2 2016::/64 [110/20]
     via FE80::20F:23FF:FE09:B181, FastEthernet0/1
OI  2022::1/128 [110/2]
     via FE80::20F:23FF:FE09:B181, FastEthernet0/1
OI  2023::/64 [110/2]
     via FE80::20F:23FF:FE09:B181, FastEthernet0/1
OI  2033::1/128 [110/1]
     via FE80::20F:23FF:FE09:B181, FastEthernet0/1
R4#

I have to admit, that was less spectacular or different than I expected, it shows the O E2 routes for the Redistributed routes just like in OSPFv2.

When you’re taking the CCNA (at least in my day, walked uphill both ways, etc), IPv6 was just a memorization game, it was just kind of points that were up in the air on exam day if you couldn’t remember which address type was which.

As demonstrated above with Redistribution it is almost completely similar in configuration, and I will now show you that creating a stub / total stub network is as well!

The funny thing is that R3 is the gateway right now for both R2 and R4 (which is why I thought about bringing R1 in), but we are all adults here and can handle imagining that R2 leads to other routers.

So I will first create the basic stub Area on 34:

R4(config)#ipv6 router ospf 1
R4(config-rtr)#area 34 stub ?
no-summary  Do not send summary LSA into stub area
<cr>

R4(config-rtr)#area 34 stub
R4(config-rtr)#
*Mar  7 00:55:50.455: %OSPFv3-5-ADJCHG: Process 1, Nbr 3.3.3.3 on FastEthernet0/1 from FULL to DOWN, Neighbor Down: Adjacency forced to reset
R4(config-rtr)#do sh ipv6 ospf nei

Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
3.3.3.3           1   DOWN/DROTHER       –        5               FastEthernet0/1
R4(config-rtr)#

So far, so good? I wanted to show the neighbor relationship output in case you see this on your exam, this means you haven’t let your stub neighbor know that you are being stubborn all by yourself – So off to R3 to let it know they will both be stubs:

IMPORTANT BEHAVIOR TO NOTE FOR EXAM DAY, TAKE NOTE!! :

R3(config)#do sh ipv6 ospf nei

Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
2.2.2.2           1   FULL/BDR        00:00:38    4               FastEthernet0/0
R3(config)#
ASR#4
[Resuming connection 4 to r4 … ]

R4(config-rtr)#do sh ipv6 ospf nei

Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
3.3.3.3           1   DOWN/DROTHER       –        5               FastEthernet0/1
R4(config-rtr)#

On R3, it just no longer has an adjacency with R4 so it doesn’t show it in the neighbor table, however on R4 it is showing DOWN/DROTHER with a – through the Dead Time. I am not sure if I saw that in IPv4, so this will also be something to watch for on exam day: if the state is DOWN as the beginning portion with no dead timer, it’s probably a not quite finished stub configuration (or so you shall hope in the exam room).

Anyways, back to stubbing R3:

R3(config)#ipv6 router ospf 1
R3(config-rtr)#area 34 stub
R3(config-rtr)#
*Mar  2 07:47:58.558: %OSPFv3-5-ADJCHG: Process 1, Nbr 4.4.4.4 on FastEthernet0/1 from LOADING to FULL, Loading Done
R3(config-rtr)#do sh ipv6 ospf nei

Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
2.2.2.2           1   FULL/BDR        00:00:39    4               FastEthernet0/0
4.4.4.4           1   FULL/DR         00:00:36    4               FastEthernet0/1
R3(config-rtr)#

And there we have it back in the neighbor table. Really watch for that on exam day, that is a very tricky behavior that I would write a question about to test how much someone has been labbing their *ss off to prepare for this brutal exam!

So what does R4 look like now in its route table here:

R4(config)#do sh ipv6 route
IPv6 Routing Table – default – 8 entries
Codes: C – Connected, L – Local, S – Static, U – Per-user Static route
       B – BGP, HA – Home Agent, MR – Mobile Router, R – RIP
       I1 – ISIS L1, I2 – ISIS L2, IA – ISIS interarea, IS – ISIS summary
       D – EIGRP, EX – EIGRP external, NM – NEMO, ND – Neighbor Discovery
       l – LISP
       O – OSPF Intra, OI – OSPF Inter, OE1 – OSPF ext 1, OE2 – OSPF ext 2
       ON1 – OSPF NSSA ext 1, ON2 – OSPF NSSA ext 2
OI  ::/0 [110/2]
     via FE80::20F:23FF:FE09:B181, FastEthernet0/1
OI  2022::1/128 [110/2]
     via FE80::20F:23FF:FE09:B181, FastEthernet0/1
OI  2023::/64 [110/2]
     via FE80::20F:23FF:FE09:B181, FastEthernet0/1
OI  2033::1/128 [110/1]
     via FE80::20F:23FF:FE09:B181, FastEthernet0/1
C   2034::/64 [0/0]
     via FastEthernet0/1, directly connected
L   2034::4/128 [0/0]
     via FastEthernet0/1, receive
LC  2044::1/128 [0/0]   <— LC, Interesting
     via Loopback4, receive
L   FF00::/8 [0/0]      <— What??
     via Null0, receive
R4(config)#

I wanted to show the whole route table to see what different things look like. Obviously our redistributed routes are outta here, however our Inter-Area (routes known in other area than its own) are still around.

I also wanted to show this sort of oddity, or two of them: LC and our built-in route to Null0. I am not sure what made the router designate its own Loopback with an L and C together, but that’s a bit odd to me, and FF00::/8, which with some googling is just a discard bucket built into IPv6 enabled interfaces.

So everything is fine and good (except for that stupid frame switch that I still haven’t gotten over), however we still have all these OSPFv3 Inter-Area routes still going to the same next hop which spells out one thing to us CCNP’s – IT’S TOTAL STUB TIME!!

So I’ll see if that is the same from OSPFv2, and see if I can just make the change on R3:

R3(config)#ipv6 router ospf 1
R3(config-rtr)#no area 34 stub
R3(config-rtr)#
*Mar  2 08:02:31.881: %OSPFv3-5-ADJCHG: Process 1, Nbr 4.4.4.4 on FastEthernet0/1 from FULL to DOWN, Neighbor Down: Adjacency forced to reset
R3(config-rtr)#area 34 stub no-summary
R3(config-rtr)#
*Mar  2 08:02:40.187: %OSPFv3-5-ADJCHG: Process 1, Nbr 4.4.4.4 on FastEthernet0/1 from DOWN to DOWN, Neighbor Down: Adjacency forced to reset
R3(config-rtr)#
*Mar  2 08:02:46.874: %OSPFv3-5-ADJCHG: Process 1, Nbr 4.4.4.4 on FastEthernet0/1 from LOADING to FULL, Loading Done
R3(config-rtr)#

And yes it does, so again, as with OSPFv2 on IPv4 you can just remove the stub command (best practice) and enter the same command with no-summary tacked onto the end. As seen the adjacency goes down, but reforms immediately.

 

Noooow lets see how R4’s route table is doing:

R4(config)#do sh ipv6 route ospf
IPv6 Routing Table – default – 5 entries
Codes: C – Connected, L – Local, S – Static, U – Per-user Static route
       B – BGP, HA – Home Agent, MR – Mobile Router, R – RIP
       I1 – ISIS L1, I2 – ISIS L2, IA – ISIS interarea, IS – ISIS summary
       D – EIGRP, EX – EIGRP external, NM – NEMO, ND – Neighbor Discovery
       l – LISP
       O – OSPF Intra, OI – OSPF Inter, OE1 – OSPF ext 1, OE2 – OSPF ext 2
       ON1 – OSPF NSSA ext 1, ON2 – OSPF NSSA ext 2
OI  ::/0 [110/2]
     via FE80::20F:23FF:FE09:B181, FastEthernet0/1
R4(config)#

And then, there was one. If I did not already mention this route type somewhere in the posts, this would be an IPv6 default route (meaning everything go thataway).

Now last time I had a little grief getting return pings and had to manipulate some static route redistribution to get pinging working, lets see how this goes:

R4(config)#do ping 2022::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2022::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R4(config)#
ASR#2
[Resuming connection 2 to r2 … ]

R2(config-rtr)#do ping 2044::1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2044::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R2(config-rtr)#

Ok, nevermind everything I just said previous to these pings, cause that worked really as it should. Come to think of it I think it was stub area to stub area where I had to work some magic to get connectivity.

So if you take absolutely nothing else away from this post, it’s that the concepts from OSPFv2 are almost identical to OSPFv3, with some very slight differences.

One good verification command to check for stub areas will be the same from OSPFv2, just with the ipv6 twist on it, for example:

R3#sh ipv6 ospf
 Routing Process “ospfv3 1” with ID 3.3.3.3
 It is an area border router
 SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
 Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
 LSA group pacing timer 240 secs
 Interface flood pacing timer 33 msecs
 Retransmission pacing timer 66 msecs
 Number of external LSA 3. Checksum Sum 0x004335
 Number of areas in this router is 4. 3 normal 1 stub 0 nssa
 Reference bandwidth unit is 100 mbps
    Area BACKBONE(0)
        Number of interfaces in this area is 1
        SPF algorithm executed 9 times
        Number of LSA 10. Checksum Sum 0x04C947
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 0
        Flood list length 0
    Area 3
        Number of interfaces in this area is 1
        SPF algorithm executed 6 times
        Number of LSA 7. Checksum Sum 0x041AA0
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 0
        Flood list length 0
    Area 34
        Number of interfaces in this area is 1
        It is a stub area, no summary LSA in this area
          generates stub default route with cost 1
        SPF algorithm executed 12 times
        Number of LSA 8. Checksum Sum 0x02FDBB
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 0
        Flood list length 0
  
R3#

It is really a wealth of information there, but for our purposes, I’ve highlighted where we can verify our stub areas. When I say it is just like v2, v3 for OSPF really is once you get over the addressing, and that itself takes time (I am still a bit blah about it honestly).

That is it for OSPFv3 for now, next on the plate is EIGRPv3 or whatever they call it using IPv6 (it’s probably not really called EIGRPv3 so I would not wr mem that to your brain).

Part 4: The right ACL for the right job (Distribute-List vs Route-Map), Configuring 3-way Route Redistribution with a lot of failures but final success!!!

labbers_delight_rev3

(Added interface #’s to the Topology as we increase working with both IP’s and interfaces)

I wanted to touch on this quickly before moving on to policy routing: whether Distribute-Lists can block certain networks from a Summary Route, or if it’s possible at all. So I’ll run through it quickly here to move on:

 

Distribute-List vs Summary Route on R5, Standard vs Extended ACL’s

 

First I want to confirm that my Distribute-List configured in OSPF is still blocking 5.5.5.5 from Redistributing into OSPF from the vantage of R2:

R2#show ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/65] via 172.12.123.1, 00:05:28, Serial0/0
     100.0.0.0/13 is subnetted, 1 subnets
O E1    100.0.0.0 [110/84] via 172.12.123.1, 00:05:28, Serial0/0
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/65] via 172.12.123.3, 00:05:28, Serial0/0
     172.12.0.0/24 is subnetted, 4 subnets
O E1    172.12.15.0 [110/84] via 172.12.123.1, 00:05:28, Serial0/0
     11.0.0.0/24 is subnetted, 1 subnets
O E1    11.11.11.0 [110/84] via 172.12.123.1, 00:05:28, Serial0/0
R2#

It looks like the Distribute-List is still rocking, so I am going to attempt to add onto the existing ACL on R1 for it:

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#do sh access-list 5
Standard IP access list 5
    10 deny   5.5.5.5 (1 match)
    20 permit any (3 matches)
R1(config)#access-list 5 ?
  deny    Specify packets to reject
  permit  Specify packets to forward
  remark  Access list entry comment

R1(config)#access-list 5 deny ?
  Hostname or A.B.C.D  Address to match
  any                  Any source host
  host                 A single host address

R1(config)#access-list 5 deny 100.3.0.0 ?
  A.B.C.D  Wildcard bits
  log      Log matches against this entry
  <cr>

R1(config)#access-list 5 deny 100.3.0.0 0.0.255.255 ?
  log  Log matches against this entry
  <cr>

This is to demonstrate that with Standard Access-Lists you cannot add lines where you need them; that is going to require an Extended Access-List. Any new / additional statements to ACL 5 will be tacked onto the end, and they will be useless due to the permit any already on the ACL.

SO, I will blow away that ACL and try an Extended ACL that just uses ‘any’ for a destination addy, to simulate the feel of a Standard ACL. I’m also going to give it a name, to see if Distribute-Lists will accept named ACL’s, and its name will be “Bob”.

Now I have a couple pieces of output here, as I was curious: after I remove the list, will the Distribute-List dynamically be pulled from the OSPF config once it is removed from the router, and if it isn’t, will R2 then be able to see 5.5.5.5 anyways:

R1(config)#no access-list 5
R1(config)#ip access-list extended Bob
R1(config-ext-nacl)#10 deny ip host 5.5.5.5 any
R1(config-ext-nacl)#20 deny ip 100.4.0.0 0.0.255.255 any
R1(config-ext-nacl)#30 deny ip 100.6.0.0 0.0.255.255 any
R1(config-ext-nacl)#40 permit ip any any
R1(config-ext-nacl)#exit

ACL 5 is gone and Bob is now rampant on R1, lets look at the running config:

R1(config)#do show run
Building configuration…

(run output)
!
router ospf 1
 log-adjacency-changes
 area 0 authentication message-digest
 redistribute eigrp 100 subnets route-map EIGRP2OSPF
 network 1.1.1.1 0.0.0.0 area 0
 network 172.12.123.0 0.0.0.255 area 0
 neighbor 172.12.123.2
 neighbor 172.12.123.3
 distribute-list 5 out eigrp 100
!
(More run output)

R1(config)#

And it is still referencing ACL 5, so we will want to remove that as well (which we do anyways as best practice before adding our Bob Distribute-List), but to confirm on R2:

ASR#2
[Resuming connection 2 to r2 … ]

R2#sh ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/65] via 172.12.123.1, 00:40:24, Serial0/0
     100.0.0.0/13 is subnetted, 1 subnets
O E1    100.0.0.0 [110/84] via 172.12.123.1, 00:40:24, Serial0/0
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/65] via 172.12.123.3, 00:40:24, Serial0/0
     5.0.0.0/32 is subnetted, 1 subnets
O E1    5.5.5.5 [110/84] via 172.12.123.1, 00:03:34, Serial0/0
     172.12.0.0/24 is subnetted, 4 subnets
O E1    172.12.15.0 [110/84] via 172.12.123.1, 00:40:24, Serial0/0
     11.0.0.0/24 is subnetted, 1 subnets
O E1    11.11.11.0 [110/84] via 172.12.123.1, 00:40:24, Serial0/0
R2#

Sure enough 5.5.5.5 returns to the route table. So time to see if we can apply Bob in ACL 5’s stead and see what happens:

R1(config-router)#no distribute-list 5 out eigrp 100
R1(config-router)#distribute-list Bob out eigrp 100
Access-list type conflicts with prior definition
% This command only accepts named standard IP access-lists.
R1(config-router)#

So the lesson learned here – ***DISTRIBUTE-LISTS ONLY ACCEPT STANDARD ACL’S!!!***

My training materials only instructed to use Standard ACL’s for distribute-lists but did not specifically mention that Extended ACL’s would not take, so I am going to keep Bob around for another test here but first lets see about making a new ACL 5 and applying it:

R1(config-router)#exit
R1(config)#access-list 5 deny host 5.5.5.5
R1(config)#access-list 5 deny 100.4.0.0 0.0.255.255
R1(config)#access-list 5 deny 100.6.0.0 0.0.255.255
R1(config)#access-list 5 permit any
R1(config)#router ospf 1
R1(config-router)#distribute-list 5 out eigrp 100
R1(config-router)#
ASR#2
[Resuming connection 2 to r2 … ]

R2#sh ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/65] via 172.12.123.1, 00:57:03, Serial0/0
     100.0.0.0/13 is subnetted, 1 subnets
O E1    100.0.0.0 [110/84] via 172.12.123.1, 00:57:03, Serial0/0
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/65] via 172.12.123.3, 00:57:03, Serial0/0
     172.12.0.0/24 is subnetted, 4 subnets
O E1    172.12.15.0 [110/84] via 172.12.123.1, 00:57:03, Serial0/0
     11.0.0.0/24 is subnetted, 1 subnets
O E1    11.11.11.0 [110/84] via 172.12.123.1, 00:57:03, Serial0/0
R2#ping 100.4.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.4.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/65/68 ms
R2#

So it worked for 5.5.5.5, but it didn’t even touch the connectivity of the Summary Route, so I am going for the full on block of the Summary itself as one last try with Distribute-Lists:

R1(config-router)#exit
R1(config)#no access-list 5
R1(config)#access-list 5 deny host 5.5.5.5
R1(config)#access-list 5 deny 100.0.0.0 0.7.255.255
R1(config)#access-list 5 permit any
R1(config)#
ASR#2
[Resuming connection 2 to r2 … ]

R2#show ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/65] via 172.12.123.1, 00:59:53, Serial0/0
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/65] via 172.12.123.3, 00:59:53, Serial0/0
     172.12.0.0/24 is subnetted, 4 subnets
O E1    172.12.15.0 [110/84] via 172.12.123.1, 00:00:08, Serial0/0
     11.0.0.0/24 is subnetted, 1 subnets
O E1    11.11.11.0 [110/84] via 172.12.123.1, 00:0008, Serial0/0
R2#

Aaaaaaaaaand it’s gone! Notice I didn’t need to touch the distribute-list config as it already references ACL 5, I just had to recreate ACL 5, and it kicked right in. So I want to keep my Summary Route in the mix, so I’ll set the Distribute-List back to only filtering 5.5.5.5 and see what we can do with Route-maps:

R1(config)#no access-list 5
R1(config)#access-list 5 deny 5.5.5.5
R1(config)#access-list 5 permit any
R1(config)#

So to move things right along, let’s see if we can use our Redistribution Route-Map to enforce Bob on our unsuspecting victim the Summary-Route:

 

Extended ACL blocking certain networks in a Summary Route on Route-map via Redistribution

 

Since we already have a route-map on our routes redistributing into OSPF, I wanted to see if I could possibly sneak a “Bob” clause in there to stop connectivity to 100.4.0.0 and 100.6.0.0, and of course to start this we want to examine our route-maps for the proper sequence spot for it to be inserted:

R1(config)#do sh route-map
route-map EIGRP2OSPF, deny, sequence 5
  Match clauses:
    tag 110
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
(Right here before the (‘permit all’) tagging traffic)
route-map EIGRP2OSPF, permit, sequence 10
  Match clauses:
  Set clauses:
    metric-type type-1
    tag 100
  Policy routing matches: 0 packets, 0 bytes
route-map OSPF2EIGRP, deny, sequence 10
  Match clauses:
    tag 100
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map OSPF2EIGRP, permit, sequence 15
  Match clauses:
  Set clauses:
    tag 110
  Policy routing matches: 0 packets, 0 bytes
R1(config)#

We want it before sequence 10 because that clause will permit all traffic and tag it with a 100, so I’ll put it between our tag deny and permit sequences:

R1(config)#route-map EIGRP2OSPF deny 8
R1(config-route-map)#match ip add Bob
R1(config-route-map)#
ASR#2
[Resuming connection 2 to r2 … ]

R2#sh ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/65] via 172.12.123.1, 01:22:53, Serial0/0
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/65] via 172.12.123.3, 01:22:53, Serial0/0
R2#

So it sort of worked, I guess, but now we are missing every external route despite my ‘permit ip any any’ at the end of the Bob. So I review Bob on R1 to see if anything looks wrong in the configuration in show run:

ip access-list extended Bob
 deny   ip host 5.5.5.5 any
 deny   ip 100.4.0.0 0.0.255.255 any
 deny   ip 100.6.0.0 0.0.255.255 any
 permit ip any any

And then R2 once Bob is removed:

R2#show ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/65] via 172.12.123.1, 01:29:55, Serial0/0
     100.0.0.0/13 is subnetted, 1 subnets
O E1    100.0.0.0 [110/84] via 172.12.123.1, 00:00:06, Serial0/0
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/65] via 172.12.123.3, 01:29:55, Serial0/0
     172.12.0.0/24 is subnetted, 4 subnets
O E1    172.12.15.0 [110/84] via 172.12.123.1, 00:00:06, Serial0/0
     11.0.0.0/24 is subnetted, 1 subnets
O E1    11.11.11.0 [110/84] via 172.12.123.1, 00:00:06, Serial0/0

So the interesting thing is, R1 is configured with 11.11.11.0 /24 and 172.12.15.0 /24 in its EIGRP configuration, however the access-list match on the route-map Redistributing EIGRP routes just blocks everything from EIGRP if applied at all.

So it turns out, there is no room in this network for Bob (yet), poor guy.
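The route-map result above, worked through as an added example that is not part of the original post: a small Python model of how IOS evaluates a `deny` route-map clause that matches on an ACL. In IOS, an ACL `permit` line makes the clause match (so a `deny` clause drops the route), while an ACL `deny` line only means "no match, try the next clause". The `BLOCK_ONLY` list, the candidate route list and the extra 100.4.0.0/16 route are constructed assumptions for illustration.

```python
import ipaddress

def entry(action, net, wildcard):
    """One ACL line; wildcard bits set to 1 are 'don't care', as on IOS."""
    return (action, int(ipaddress.IPv4Address(net)), int(ipaddress.IPv4Address(wildcard)))

def acl_permits(acl, prefix):
    """First matching line wins; falling off the end is the implicit deny.
    Only the source field is modelled: in a redistribution route-map it is
    compared with the route's network address, and Bob's destination is 'any'."""
    addr = int(ipaddress.ip_network(prefix).network_address)
    for action, net, wild in acl:
        care = ~wild & 0xFFFFFFFF
        if addr & care == net & care:
            return action == "permit"
    return False

def apply_route_map(clauses, route):
    """Walk clauses in sequence order. A matching deny clause drops the route,
    a matching permit clause applies its set values, and a route that matches
    no clause hits the route-map's implicit deny."""
    for _seq, action, match, sets in sorted(clauses, key=lambda c: c[0]):
        if match(route):
            return {**route, **sets} if action == "permit" else None
    return None

def eigrp2ospf(acl):
    """R1's EIGRP2OSPF route-map with 'deny 8 / match ip address <acl>' inserted."""
    return [
        (5, "deny", lambda r: r["tag"] == 110, {}),
        (8, "deny", lambda r: acl_permits(acl, r["prefix"]), {}),
        (10, "permit", lambda r: True, {"tag": 100, "metric_type": 1}),
    ]

def redistribute(routes, clauses, dist_acl):
    """Prefixes that survive both the route-map and 'distribute-list 5 out'."""
    out = []
    for route in routes:
        result = apply_route_map(clauses, route)
        if result is not None and acl_permits(dist_acl, route["prefix"]):
            out.append(result["prefix"])
    return out

def reachable(prefixes, host):
    """True if any advertised prefix covers the host address."""
    return any(ipaddress.ip_address(host) in ipaddress.ip_network(p) for p in prefixes)

# ACL 5 as it stood at this point in the lab: deny 5.5.5.5, permit any.
ACL5 = [entry("deny", "5.5.5.5", "0.0.0.0"),
        entry("permit", "0.0.0.0", "255.255.255.255")]

# Bob exactly as shown in the running config.
BOB = [entry("deny", "5.5.5.5", "0.0.0.0"),
       entry("deny", "100.4.0.0", "0.0.255.255"),
       entry("deny", "100.6.0.0", "0.0.255.255"),
       entry("permit", "0.0.0.0", "255.255.255.255")]

# Hypothetical inverted list: permit ONLY what the deny clause should drop.
BLOCK_ONLY = [entry("permit", "100.4.0.0", "0.0.255.255"),
              entry("permit", "100.6.0.0", "0.0.255.255")]

# Constructed candidate routes in R1's EIGRP 100 domain (untagged = tag 0).
EIGRP_ROUTES = [{"prefix": "5.5.5.5/32", "tag": 0},
                {"prefix": "100.0.0.0/13", "tag": 0},
                {"prefix": "172.12.15.0/24", "tag": 0},
                {"prefix": "11.11.11.0/24", "tag": 0}]

if __name__ == "__main__":
    # Bob's final 'permit ip any any' makes deny 8 match every remaining route.
    print("with Bob:       ", redistribute(EIGRP_ROUTES, eigrp2ospf(BOB), ACL5))
    # The inverted list lets unrelated routes fall through to permit 10.
    fixed = redistribute(EIGRP_ROUTES, eigrp2ospf(BLOCK_ONLY), ACL5)
    print("with BLOCK_ONLY:", fixed)
    # The /13 summary is not matched by either line, so it is still advertised
    # and still covers 100.4.0.1.
    print("100.4.0.1 still reachable:", reachable(fixed, "100.4.0.1"))
```

Even with the inverted list, only a separately advertised 100.4.0.0/16 would be dropped; the 100.0.0.0/13 summary passes untouched, which is consistent with the earlier ping to 100.4.0.1 succeeding while the component networks were in ACL 5.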

 

Configuring 3-way Route Redistribution with tagging via Route-Maps

 

I was going to move on to Policy Routing, but until all of my networks know of each other, I don’t have many hops around the network to mess with Policy Routing, so I am going to attempt to Redistribute OSPF / EIGRP / RIP into each other on R3, again using the Tags listed in the Topology:

labbers_delight_rev3

I felt it was a good idea to post it down here as well, as it may belong down here for this even more. So lettuce not waste any time, and get right into the configuration. I’m going to start with 2-way between OSPF and EIGRP to ensure our tagging is working to separate the 2 EIGRP domains:

R3#
R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#route-map EIGRP2OSPF permit 10
R3(config-route-map)#set tag 200
R3(config-route-map)#route-map OSPF2EIGRP deny 10
R3(config-route-map)#match tag 200
R3(config-route-map)#route-map OSPF2EIGRP permit 20
R3(config-route-map)#set tag 110
R3(config-route-map)#router ospf 1
R3(config-router)#redistribute eigrp 100 route-map EIGRP2OSPF subnets
R3(config-router)#router eigrp 200
R3(config-router)#default-metric 1544 10 255 1 1500
R3(config-router)#redistribute ospf 1 route-map OSPF2EIGRP
R3(config-router)#

I am feeling pretty confident in this configuration, though I did delete a LOT of ? output for clarity sake of the configuration, I think we are going to see both EIGRP domains routes in each others route table with no route leaking (and of course OSPF will now have all EIGRP routes from the Topology). Lets check it out on R4:

R4#sh ip route eigrp

Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
D EX     1.1.1.1 [170/1662976] via 172.12.34.3, 00:04:17, FastEthernet0/1
      2.0.0.0/32 is subnetted, 1 subnets
D EX     2.2.2.2 [170/1662976] via 172.12.34.3, 00:04:17, FastEthernet0/1
      3.0.0.0/32 is subnetted, 1 subnets
D EX     3.3.3.3 [170/1662976] via 172.12.34.3, 00:04:17, FastEthernet0/1
      11.0.0.0/24 is subnetted, 1 subnets
D EX     11.11.11.0 [170/1662976] via 172.12.34.3, 00:04:17, FastEthernet0/1
      100.0.0.0/13 is subnetted, 1 subnets
D EX     100.0.0.0 [170/1662976] via 172.12.34.3, 00:04:17, FastEthernet0/1
      172.12.0.0/16 is variably subnetted, 4 subnets, 2 masks
D EX     172.12.15.0/24
           [170/1662976] via 172.12.34.3, 00:04:17, FastEthernet0/1
D EX     172.12.123.0/24
           [170/1662976] via 172.12.34.3, 00:04:17, FastEthernet0/1
R4#

Beautiful, notice 5.5.5.5 is still being filtered by the Distribute-List, lets check R2 and R5 to confirm they are looking good as well:

R2#
R2#sh ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/65] via 172.12.123.1, 00:08:10, Serial0/0
     100.0.0.0/13 is subnetted, 1 subnets
O E1    100.0.0.0 [110/84] via 172.12.123.1, 00:08:10, Serial0/0
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/65] via 172.12.123.3, 00:08:10, Serial0/0
     172.12.0.0/24 is subnetted, 4 subnets
O E1    172.12.15.0 [110/84] via 172.12.123.1, 00:08:10, Serial0/0
     11.0.0.0/24 is subnetted, 1 subnets
O E1    11.11.11.0 [110/84] via 172.12.123.1, 00:08:10, Serial0/0
R2#

Problem #1: Where the fudge are R4’s redistributed routes? So this is going to be an issue I need to look into, let’s see how R5 is looking:

R5#sh ip route eigrp

Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
D EX     1.1.1.1 [170/1662976] via 172.12.15.1, 02:33:22, FastEthernet0/1
      2.0.0.0/32 is subnetted, 1 subnets
D EX     2.2.2.2 [170/1662976] via 172.12.15.1, 02:31:11, FastEthernet0/1
      11.0.0.0/24 is subnetted, 1 subnets
D        11.11.11.0 [90/156160] via 172.12.15.1, 02:33:22, FastEthernet0/1
      100.0.0.0/8 is variably subnetted, 15 subnets, 3 masks
D        100.0.0.0/13 is a summary, 02:33:27, Null0
      172.12.0.0/16 is variably subnetted, 3 subnets, 2 masks
D EX     172.12.123.0/24
           [170/1662976] via 172.12.15.1, 02:33:22, FastEthernet0/1
R5#

Problem #2  Routes are also missing here!

So I am beginning to think that perhaps this is a config on R4 and what networks it is advertising in its EIGRP domain, so time to start the troubleshooting. Let’s take a look at R4’s configurations to find the issue here:

R4#show ip proto

(Output)

  Automatic Summarization: disabled
  Maximum path: 4
  Routing for Networks:
    4.4.4.4/32
    172.12.34.0/24
  Routing Information Sources:
    Gateway         Distance      Last Update
    172.12.34.3           90      00:19:03
  Distance: internal 90 external 170

R4#

So that should be working, was the redistribution messed up somehow?

R3#sh route-map
route-map EIGRP2OSPF, permit, sequence 10
  Match clauses:
  Set clauses:
    tag 200
  Policy routing matches: 0 packets, 0 bytes
route-map OSPF2EIGRP, deny, sequence 10
  Match clauses:
    tag 200
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map OSPF2EIGRP, permit, sequence 20
  Match clauses:
  Set clauses:
    tag 110
  Policy routing matches: 0 packets, 0 bytes
R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#route-map EIGRP2OSPF deny 5
R3(config-route-map)#match tag 110
R3(config-route-map)#

One glaring mistake, I forgot to put a sequence before the permit, to deny traffic back out into OSPF with its tag of 110 from EIGRP AS 200. Let’s see if that (hopefully) did the trick here:

R2#sh ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/65] via 172.12.123.1, 00:16:06, Serial0/0
     100.0.0.0/13 is subnetted, 1 subnets
O E1    100.0.0.0 [110/84] via 172.12.123.1, 00:16:06, Serial0/0
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/65] via 172.12.123.3, 00:16:06, Serial0/0
     172.12.0.0/24 is subnetted, 4 subnets
O E1    172.12.15.0 [110/84] via 172.12.123.1, 00:16:06, Serial0/0
     11.0.0.0/24 is subnetted, 1 subnets
O E1    11.11.11.0 [110/84] via 172.12.123.1, 00:16:06, Serial0/0
R2#

Nope, until I see 4.4.4.4 on R2 it is not working, but how odd that R4 is rocking and rolling while R2 and R5 are not having any of it. Speaking of R1, or lack of it, I checked its route table and it is not seeing R4’s two networks either so it has to be on R3.

After some review, I found my first brain getting exhausted Derp of the night – I put “eigrp 100” in the redistribute command, after removing the palm from my face I fixed it and verified the fix as shown here:

R3(config-route-map)#router ospf 1
R3(config-router)#no redistribute eigrp 100 route-map EIGRP2OSPF subnets
R3(config-router)#redistribute eigrp 200 route-map EIGRP2OSPF subnets
R3(config-router)#

Aaaaaand on R2:

R2#sh ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/65] via 172.12.123.1, 00:25:04, Serial0/0
     100.0.0.0/13 is subnetted, 1 subnets
O E1    100.0.0.0 [110/84] via 172.12.123.1, 00:25:04, Serial0/0
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/65] via 172.12.123.3, 00:25:04, Serial0/0
     4.0.0.0/32 is subnetted, 1 subnets
O E2    4.4.4.4 [110/20] via 172.12.123.3, 00:00:52, Serial0/0
     172.12.0.0/24 is subnetted, 4 subnets
O E2    172.12.34.0 [110/20] via 172.12.123.3, 00:00:52, Serial0/0
O E1    172.12.15.0 [110/84] via 172.12.123.1, 00:25:04, Serial0/0
     11.0.0.0/24 is subnetted, 1 subnets
O E1    11.11.11.0 [110/84] via 172.12.123.1, 00:25:04, Serial0/0
R2#

For now I will leave those as default E2 routes so I can tell them apart in the Route Table. Let’s see if R5 is on board as well and we have successfully configured “Multi-Point 2-way Redistribution” with Route Tagging!! :

R5#sh ip route eigrp

Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
D EX     1.1.1.1 [170/1662976] via 172.12.15.1, 02:59:27, FastEthernet0/1
      2.0.0.0/32 is subnetted, 1 subnets
D EX     2.2.2.2 [170/1662976] via 172.12.15.1, 02:57:16, FastEthernet0/1
      4.0.0.0/32 is subnetted, 1 subnets
D EX     4.4.4.4 [170/1662976] via 172.12.15.1, 00:03:29, FastEthernet0/1
      11.0.0.0/24 is subnetted, 1 subnets
D        11.11.11.0 [90/156160] via 172.12.15.1, 02:59:27, FastEthernet0/1
      100.0.0.0/8 is variably subnetted, 15 subnets, 3 masks
D        100.0.0.0/13 is a summary, 02:59:32, Null0
      172.12.0.0/16 is variably subnetted, 4 subnets, 2 masks
D EX     172.12.34.0/24
           [170/1662976] via 172.12.15.1, 00:03:29, FastEthernet0/1
D EX     172.12.123.0/24
           [170/1662976] via 172.12.15.1, 02:59:27, FastEthernet0/1
R5#ping 4.4.4.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/65/68 ms
R5#

This is great to see, the route-maps both came right to me how to configure the set / match, however lets see if this is the case with bringing the RIP domain into the mix:

R3(config-router)#exit
R3(config)#route-map OSPF2RIP permit 10
R3(config-route-map)#set tag 110
R3(config-route-map)#route-map OSPF2RIP deny 5
R3(config-route-map)#match tag 120
R3(config)#route-map RIP2OSPF deny 10
R3(config-route-map)#match tag 110
R3(config-route-map)#route-map RIP2OSPF permit 20
R3(config-route-map)#set tag 120
R3(config)#router ospf 1
R3(config-router)#redistribute rip route-map RIP2OSPF subnets metric 2
R3(config-router)#router rip
R3(config-router)#redistribute ospf 1 ?
  match      Redistribution of OSPF routes
  metric     Metric for redistributed routes
  route-map  Route map reference
  vrf        VPN Routing/Forwarding Instance
  <cr>

R3(config-router)#redistribute ospf 1 route-map OSPF2RIP metric 2
R3(config-router)#router ospf 1
R3(config-router)#no redistribute rip route-map RIP2OSPF subnets metric 2
R3(config-router)#redistribute rip route-map RIP2OSPF subnets
R3(config-router)#

I took out a lot of ? output once again to keep the config tight and concise, however I did highlight where along the configuration, I forgot the metric has to be set on the OSPF routes going into RIP because of its hop count limit, but I didn’t need to set a metric for RIP routes going into OSPF so I removed that from the config.

So lets take a look at R2 to see if we see any RIP networks at all:

R2#show ip route

Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/65] via 172.12.123.1, 00:43:21, Serial0/0
     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback2
     100.0.0.0/13 is subnetted, 1 subnets
O E1    100.0.0.0 [110/84] via 172.12.123.1, 00:43:21, Serial0/0
     33.0.0.0/24 is subnetted, 1 subnets
O E2    33.33.33.0 [110/2] via 172.12.123.3, 00:07:39, Serial0/0
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/65] via 172.12.123.3, 00:43:21, Serial0/0
     4.0.0.0/32 is subnetted, 1 subnets
O E2    4.4.4.4 [110/20] via 172.12.123.3, 00:19:09, Serial0/0
     172.12.0.0/24 is subnetted, 4 subnets
O E2    172.12.34.0 [110/20] via 172.12.123.3, 00:19:14, Serial0/0
O E1    172.12.15.0 [110/84] via 172.12.123.1, 00:43:27, Serial0/0
C       172.12.23.0 is directly connected, FastEthernet0/0
C       172.12.123.0 is directly connected, Serial0/0
     22.0.0.0/24 is subnetted, 1 subnets
C       22.22.22.0 is directly connected, Loopback22
     11.0.0.0/24 is subnetted, 1 subnets
O E1    11.11.11.0 [110/84] via 172.12.123.1, 00:43:27, Serial0/0

Alright!! That highlighted is a RIP network configured on R3, so we are officially getting RIP networks into OSPF, so now let’s take a look at R5 and see if that is able to see them as well:

R5#show ip route eigrp

Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
D EX     1.1.1.1 [170/1662976] via 172.12.15.1, 03:18:59, FastEthernet0/1
      2.0.0.0/32 is subnetted, 1 subnets
D EX     2.2.2.2 [170/1662976] via 172.12.15.1, 03:16:48, FastEthernet0/1
      4.0.0.0/32 is subnetted, 1 subnets
D EX     4.4.4.4 [170/1662976] via 172.12.15.1, 00:23:01, FastEthernet0/1
      11.0.0.0/24 is subnetted, 1 subnets
D        11.11.11.0 [90/156160] via 172.12.15.1, 03:18:59, FastEthernet0/1
      22.0.0.0/24 is subnetted, 1 subnets
D EX     22.22.22.0 [170/1662976] via 172.12.15.1, 00:11:31, FastEthernet0/1
      33.0.0.0/24 is subnetted, 1 subnets
D EX     33.33.33.0 [170/1662976] via 172.12.15.1, 00:11:31, FastEthernet0/1
      100.0.0.0/8 is variably subnetted, 15 subnets, 3 masks
D        100.0.0.0/13 is a summary, 03:19:04, Null0
      172.12.0.0/16 is variably subnetted, 5 subnets, 2 masks
D EX     172.12.23.0/24
           [170/1662976] via 172.12.15.1, 00:11:31, FastEthernet0/1
D EX     172.12.34.0/24
           [170/1662976] via 172.12.15.1, 00:23:01, FastEthernet0/1
D EX     172.12.123.0/24
           [170/1662976] via 172.12.15.1, 03:18:59, FastEthernet0/1
R5#

So at this point we have verified that R5 knows about both EIGRP AS 200 Routes, OSPF routes, and RIP routes!

With that, I am going to conclude for the night as my brain is starting to melt once again out of my ears. However, very good practical material was covered in here, and it is a good example that 3-way protocol Redistribution can be performed just by tagging traffic into one protocol so that it will redistribute into the other, because no clause denies the route’s tag.

That was a mouthful of a summary of the lesson. Anyways, that’s it for tonight; next we’ll mess with some Policy routing and then it’s time to get back into study mode and tackle everything about VPN on routers.

EDIT EDIT EDIT, DAG NAB IT :

On my way to “wr mem” the routers, I did a quick “sh ip route” on R4 just to quickly confirm it was working as well, and it is missing the loopback22 22.22.22.0 /24 on R2 being advertised by RIP:

R2#sh ip proto

Routing Protocol is “rip”

 (Output)
  Automatic network summarization is not in effect
  Maximum path: 4
  Routing for Networks:
    22.0.0.0
    172.12.0.0
  Routing Information Sources:
    Gateway         Distance      Last Update
    172.12.23.3          120      00:00:01
  Distance: (default is 120)

And here is R4’s dag nab #Y&%$&* route table:

R4#sh ip route eigrp

Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
D EX     1.1.1.1 [170/1662976] via 172.12.34.3, 00:14:35, FastEthernet0/1
      2.0.0.0/32 is subnetted, 1 subnets
D EX     2.2.2.2 [170/1662976] via 172.12.34.3, 00:14:35, FastEthernet0/1
      3.0.0.0/32 is subnetted, 1 subnets
D EX     3.3.3.3 [170/1662976] via 172.12.34.3, 00:17:38, FastEthernet0/1
      11.0.0.0/24 is subnetted, 1 subnets
D EX     11.11.11.0 [170/1662976] via 172.12.34.3, 00:14:35, FastEthernet0/1
      100.0.0.0/13 is subnetted, 1 subnets
D EX     100.0.0.0 [170/1662976] via 172.12.34.3, 00:14:35, FastEthernet0/1
      172.12.0.0/16 is variably subnetted, 4 subnets, 2 masks
D EX     172.12.15.0/24
           [170/1662976] via 172.12.34.3, 00:14:35, FastEthernet0/1
D EX     172.12.123.0/24
           [170/1662976] via 172.12.34.3, 00:17:38, FastEthernet0/1
R4#

So I saw this and just shut the routers down thinking I’ll get it next time, and I didn’t get to the bottom of the stairs before it was driving me crazy what its problem is. So I got food (getting cold) and a 5 hour energy, and it’s time to go back at this and hopefully take it down with one more configuration here.

I am thinking that because RIP is local to the router EIGRP AS 200 is on, we need a Redistribution between those two as well, with their own route-maps. My food isn’t getting any hotter (or probably colder at this point), so let’s do this:

R3(config)#route-map EIGRP2RIP deny 10
R3(config-route-map)#match tag 120
R3(config-route-map)#route-map EIGRP2RIP permit 20
R3(config-route-map)#set tag 200
R3(config-route-map)#route-map RIP2EIGRP deny 10
R3(config-route-map)#set tag 200 <- WRONG – SHOULD BE MATCH TAG 200
R3(config)#route-map RIP2EIGRP permit 20
R3(config-route-map)#set tag 120
R3(config-route-map)#

That looks about right, now to Redistribute them into each other:

R3(config-route-map)#router eigrp 100
R3(config-router)#redistribute rip ?
R3(config-router)#redistribute rip route-map RIP2EIGRP
R3(config-router)#router rip
R3(config-router)#redistribute eigrp 200 route-map EIGRP2RIP metric ?
  <0-16>       Default metric
  transparent  Transparently redistribute metric

R3(config-router)#redistribute eigrp 200 route-map EIGRP2RIP metric 2
R3(config-router)#

Aaaaaaaand, let there be light? :

R4#sh ip route eigrp

Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
D EX     1.1.1.1 [170/1662976] via 172.12.34.3, 00:38:22, FastEthernet0/1
      2.0.0.0/32 is subnetted, 1 subnets
D EX     2.2.2.2 [170/1662976] via 172.12.34.3, 00:38:12, FastEthernet0/1
      3.0.0.0/32 is subnetted, 1 subnets
D EX     3.3.3.3 [170/1662976] via 172.12.34.3, 00:41:14, FastEthernet0/1
      11.0.0.0/24 is subnetted, 1 subnets
D EX     11.11.11.0 [170/1662976] via 172.12.34.3, 00:38:22, FastEthernet0/1
      100.0.0.0/13 is subnetted, 1 subnets
D EX     100.0.0.0 [170/1662976] via 172.12.34.3, 00:38:22, FastEthernet0/1
      172.12.0.0/16 is variably subnetted, 4 subnets, 2 masks
D EX     172.12.15.0/24
           [170/1662976] via 172.12.34.3, 00:38:22, FastEthernet0/1
D EX     172.12.123.0/24
           [170/1662976] via 172.12.34.3, 00:41:14, FastEthernet0/1
R4#

Nope, still nothing, HOWEVER A QUICK SHOW RUN AND STARE DOWN OF R3 SAVES THE DAY!!! :

R3(config-router)#do sh run

(Output)
!
router eigrp 200
 redistribute ospf 1 route-map OSPF2EIGRP
 network 172.12.34.0 0.0.0.255
 default-metric 1544 10 255 1 1500
 no auto-summary
!
router eigrp 100
 redistribute rip route-map RIP2EIGRP
 auto-summary
!
router ospf 1
 log-adjacency-changes
 redistribute eigrp 200 subnets route-map EIGRP2OSPF
 redistribute rip metric 2 subnets route-map RIP2OSPF
 redistribute eigrp 100
 network 3.3.3.3 0.0.0.0 area 0
 network 172.12.123.0 0.0.0.255 area 0
!
router rip
 version 2
 redistribute eigrp 200 metric 2 route-map EIGRP2RIP
 redistribute ospf 1 metric 2 route-map OSPF2RIP
 network 33.0.0.0
 network 172.12.0.0
 no auto-summary
!

Iiiiiii, need to correct this, and stop labbing for the night as my stupid mistakes are now running rampant on my network:

R3(config-router)#exit
R3(config)#no router eigrp 100
R3(config)#router eigrp 200
R3(config-router)#redistribute rip route-map RIP2EIGRP
R3(config-router)#

AND NOW LET’S SEE THAT NETWORK NUMBER 22.22.22.0 /24 ON R4!!! :

R4#sh ip route eigrp

Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
D EX     1.1.1.1 [170/1662976] via 172.12.34.3, 00:47:11, FastEthernet0/1
      2.0.0.0/32 is subnetted, 1 subnets
D EX     2.2.2.2 [170/1662976] via 172.12.34.3, 00:47:01, FastEthernet0/1
      3.0.0.0/32 is subnetted, 1 subnets
D EX     3.3.3.3 [170/1662976] via 172.12.34.3, 00:50:03, FastEthernet0/1
      11.0.0.0/24 is subnetted, 1 subnets
D EX     11.11.11.0 [170/1662976] via 172.12.34.3, 00:47:11, FastEthernet0/1
      100.0.0.0/13 is subnetted, 1 subnets
D EX     100.0.0.0 [170/1662976] via 172.12.34.3, 00:47:11, FastEthernet0/1
      172.12.0.0/16 is variably subnetted, 4 subnets, 2 masks
D EX     172.12.15.0/24
           [170/1662976] via 172.12.34.3, 00:47:11, FastEthernet0/1
D EX     172.12.123.0/24
           [170/1662976] via 172.12.34.3, 00:50:03, FastEthernet0/1
R4#

It is still not there, so I highlighted the issue above in retrospect. However, the issue was found using the route-map command, in conjunction with looking at the route-maps on “sh run”, which makes them a bit easier for me to read without the extra output.

The answer to why R3 isn’t getting RIP routes

In my tired stupor, I did not closely review my route maps, or it would have been clear that I used “set” twice in RIP2EIGRP, meaning I put a “set” in each sequence, both where I meant to match a tag to deny and where I set the RIP route tag #:

R3(config)#do sh route
route-map EIGRP2RIP, deny, sequence 10
  Match clauses:
    tag 120
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map EIGRP2RIP, permit, sequence 20
  Match clauses:
  Set clauses:
    tag 200
  Policy routing matches: 0 packets, 0 bytes
route-map RIP2EIGRP, deny, sequence 10
  Match clauses:
  Set clauses:
    tag 200
  Policy routing matches: 0 packets, 0 bytes
route-map RIP2EIGRP, permit, sequence 20
  Match clauses:
  Set clauses:
    tag 120

 

So I apply the fix and check on R4 with both fingers crossed:

R3(config)#no route-map RIP2EIGRP
R3(config)#route-map RIP2EIGRP deny 10
R3(config-route-map)#match tag 200
R3(config-route-map)#route-map RIP2EIGRP permit 20
R3(config-route-map)#set tag 120
R3(config-route-map)#
ASR#4
[Resuming connection 4 to r4 … ]

R4#sh ip route

Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
D EX     1.1.1.1 [170/1662976] via 172.12.34.3, 00:15:04, FastEthernet0/1
      2.0.0.0/32 is subnetted, 1 subnets
D EX     2.2.2.2 [170/1662976] via 172.12.34.3, 00:15:04, FastEthernet0/1
      3.0.0.0/32 is subnetted, 1 subnets
D EX     3.3.3.3 [170/1662976] via 172.12.34.3, 00:17:56, FastEthernet0/1
      4.0.0.0/32 is subnetted, 1 subnets
C        4.4.4.4 is directly connected, Loopback4
      11.0.0.0/24 is subnetted, 1 subnets
D EX     11.11.11.0 [170/1662976] via 172.12.34.3, 00:15:04, FastEthernet0/1
      22.0.0.0/24 is subnetted, 1 subnets
D EX     22.22.22.0 [170/1662976] via 172.12.34.3, 00:00:09, FastEthernet0/1
      33.0.0.0/24 is subnetted, 1 subnets
D EX     33.33.33.0 [170/1662976] via 172.12.34.3, 00:00:09, FastEthernet0/1
      100.0.0.0/13 is subnetted, 1 subnets
D EX     100.0.0.0 [170/1662976] via 172.12.34.3, 00:15:04, FastEthernet0/1
      172.12.0.0/16 is variably subnetted, 5 subnets, 2 masks
D EX     172.12.15.0/24
           [170/1662976] via 172.12.34.3, 00:15:04, FastEthernet0/1
D EX     172.12.23.0/24
           [170/1662976] via 172.12.34.3, 00:00:09, FastEthernet0/1
C        172.12.34.0/24 is directly connected, FastEthernet0/1
L        172.12.34.4/32 is directly connected, FastEthernet0/1
D EX     172.12.123.0/24
           [170/1662976] via 172.12.34.3, 00:17:56, FastEthernet0/1
R4#

AND THERE ARE OUR RIP ROUTES, FINALLY, 3-WAY REDISTRIBUTION ON ONE ROUTER!!!

Next lab I’ll look at sub-optimal routing all this redistribution may have caused, see if I can correct it with different mechanisms (Mainly Policy Routing), but for now that is all 🙂

Part 3: DEEP Dive into Redistribution with Route-Map tagging, and Distribute-Lists illustrated for clarity!

labbers_delight_rev2

(The title may be misleading as ACL’s will only be used for Distribute-List configuration)

As seen above I have thought out how to keep all the route tagging that will need to occur straight in my mind, so the route tags for EIGRP will be their AS #’s, and OSPF / RIP will be using their domains. The authentication lab (Part 2) took so long I was unable to really get to anything else, so what I want to focus on right now is R1 and R5.

I am hoping to configure and cover in detail the following concepts:

  • Route-Tagging in 2-way Redistribution via Route-Maps
  • Distribute-List configurations illustrated and covered in detail

So let’s get it started with our first topic!

2-way Redistribution with Route tagging via Route-maps

For tagging via route-maps no ACL’s are needed, as the tags / permits / denies are all set in the route-map clauses. In this next example I will demonstrate the configuration of the route-maps, and apply them to the Redistribution, and take a look at how routes propagate:

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#route-map EIGRP2OSPF permit 10
R1(config-route-map)#set tag 100
R1(config-route-map)#exit
R1(config)#route-map OSPF2EIGRP deny 10
R1(config-route-map)#match tag 100
R1(config-route-map)#route-map OSPF2EIGRP permit 20

So this is the creation of the route-map, simply setting a tag for EIGRP traffic going out into OSPF land, and a second list denying that tagged traffic back in, finishing with a catch all clause permitting all other non-tagged traffic to be redistributed back into EIGRP.

  • EIGRP2OSPF = Only tagging EIGRP redistributed routes with tag 100 as of now
  • OSPF2EIGRP = Denying any traffic tagged as 100, allowing all other traffic

I first worked with EIGRP, and set the default-metric so I wouldn’t need to add that with redistribution going forward:

R1(config)#router eigrp 100
R1(config-router)#default-metric ?
  <1-4294967295>  Bandwidth in Kbits per second

R1(config-router)#default-metric 1544 ?
  <0-4294967295>  Delay metric, in 10 microsecond units

R1(config-router)#default-metric 1544 10 ?
  <0-255>  Reliability metric where 255 is 100% reliable

R1(config-router)#default-metric 1544 10 255 ?
  <1-255>  Effective bandwidth metric (Loading) where 255 is 100% loaded

R1(config-router)#default-metric 1544 10 255 1 ?
  <1-65535>  Maximum Transmission Unit metric of the path

R1(config-router)#default-metric 1544 10 255 1 1500

These are the defaults I always use, now the tricky part (and I mean that), applying the correct map to the correct protocol. On labs this can always be fixed and adjusted, but during the exam it may not be, so you must really think about what your route map is doing to the protocol being redistributed into the network protocol you’re configuring:

R1(config-router)#redistribute ospf 1 route-map OSPF2EIGRP
R1(config-router)#router ospf 1
R1(config-router)#redistribute eigrp 100 route-map EIGRP2OSPF subnets

I removed a lot of ? output, but essentially looked at the route-maps, and I am applying OSPF2EIGRP as it is blocking traffic with the tag of 100 and permitting all other traffic to be redistributed, and the second line is the simple tag 100 route-map for EIGRP routes going into OSPF.

So let’s look at how routers are seeing this traffic:

R5#show ip route eigrp

Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
D EX     1.1.1.1 [170/1662976] via 172.12.15.1, 02:00:11, FastEthernet0/1
      2.0.0.0/32 is subnetted, 1 subnets
D EX     2.2.2.2 [170/1662976] via 172.12.15.1, 02:00:11, FastEthernet0/1
      3.0.0.0/32 is subnetted, 1 subnets
D EX     3.3.3.3 [170/1662976] via 172.12.15.1, 02:00:11, FastEthernet0/1
      11.0.0.0/24 is subnetted, 1 subnets
D        11.11.11.0 [90/156160] via 172.12.15.1, 03:48:23, FastEthernet0/1
      100.0.0.0/8 is variably subnetted, 15 subnets, 3 masks
D        100.0.0.0/13 is a summary, 03:48:28, Null0
      172.12.0.0/16 is variably subnetted, 3 subnets, 2 masks
D EX     172.12.123.0/24
           [170/1662976] via 172.12.15.1, 02:00:11, FastEthernet0/1
R5#show ip route 2.2.2.2

Routing entry for 2.2.2.2/32
  Known via “eigrp 100”, distance 170, metric 1662976, type external
  Redistributing via eigrp 100
  Last update from 172.12.15.1 on FastEthernet0/1, 02:00:23 ago
  Routing Descriptor Blocks:
  * 172.12.15.1, from 172.12.15.1, 02:00:23 ago, via FastEthernet0/1
      Route metric is 1662976, traffic share count is 1
      Total delay is 200 microseconds, minimum bandwidth is 1544 Kbit
      Reliability 255/255, minimum MTU 1500 bytes
      Loading 1/255, Hops 1
R5#

As can be seen highlighted I did an extended show ip route on a redistributed route, and it has no tag (yet), but Redistribution is definitely working. Let’s take a look in the OSPF domain on R2 to see what it shows:

R2#show ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/65] via 172.12.123.1, 02:01:03, Serial0/0
     100.0.0.0/13 is subnetted, 1 subnets
O E2    100.0.0.0 [110/20] via 172.12.123.1, 02:01:03, Serial0/0
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/65] via 172.12.123.3, 02:01:03, Serial0/0
     5.0.0.0/32 is subnetted, 1 subnets
O E2    5.5.5.5 [110/20] via 172.12.123.1, 02:01:03, Serial0/0
     172.12.0.0/24 is subnetted, 4 subnets
O E2    172.12.15.0 [110/20] via 172.12.123.1, 02:01:03, Serial0/0
     11.0.0.0/24 is subnetted, 1 subnets
O E2    11.11.11.0 [110/20] via 172.12.123.1, 02:01:03, Serial0/0
R2#show ip route 5.5.5.5

Routing entry for 5.5.5.5/32
  Known via “ospf 1”, distance 110, metric 20
  Tag 100, type extern 2, forward metric 64
  Last update from 172.12.123.1 on Serial0/0, 02:01:14 ago
  Routing Descriptor Blocks:
  * 172.12.123.1, from 11.11.11.1, 02:01:14 ago, via Serial0/0
      Route metric is 20, traffic share count is 1
      Route tag 100

Now to finish this off, I would like to deny traffic in the EIGRP domain from leaking back out into OSPF as well by adding another sequence or two to that route-map here, but first let’s take a look at what we have already in place:

R1#sh route-map
route-map EIGRP2OSPF, permit, sequence 10
  Match clauses:
  Set clauses:
    tag 100
  Policy routing matches: 0 packets, 0 bytes
route-map OSPF2EIGRP, deny, sequence 10
  Match clauses:
    tag 100
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map OSPF2EIGRP, permit, sequence 20
  Match clauses:
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
R1#

Now the rule of thumb is that the deny must come before the tag on a route-map, otherwise the traffic will be tagged and off it goes, so the placement of the deny and set tags is important for both maps and should be done as shown below:

R1(config)#route-map EIGRP2OSPF deny 5
R1(config-route-map)#match tag 110
R1(config)#route-map OSPF2EIGRP permit 15
R1(config-route-map)#set tag 110
R1(config)#no route-map OSPF2EIGRP permit 20

R1(config-route-map)#exit
R1(config)#
R1#
*Mar  1 21:00:01.949: %SYS-5-CONFIG_I: Configured from console by console
R1#
ASR#5
[Resuming connection 5 to r5 … ]

R5#show ip route 2.2.2.2
Routing entry for 2.2.2.2/32
  Known via “eigrp 100”, distance 170, metric 1662976
  Tag 110, type external
  Redistributing via eigrp 100
  Last update from 172.12.15.1 on FastEthernet0/1, 00:00:41 ago
  Routing Descriptor Blocks:
  * 172.12.15.1, from 172.12.15.1, 00:00:41 ago, via FastEthernet0/1
      Route metric is 1662976, traffic share count is 1
      Total delay is 200 microseconds, minimum bandwidth is 1544 Kbit
      Reliability 255/255, minimum MTU 1500 bytes
      Loading 1/255, Hops 1
      Route tag 110
R5#

So as can be seen, I’ve put the deny match tag 110 before the set tag 100 on the EIGRP2OSPF route-map, and set the tag 110 after the deny sequence on OSPF2EIGRP – However I also removed the catch-all clause on sequence 20 permitting all traffic.

Once I set the tag 110 for OSPF, it is permitting all traffic through anyways and tagging it as 110, which I want to happen so it doesn’t leak back out to OSPF. Now just one last confirmation down on R2 that nothing changed there:

R5#
ASR#2
[Resuming connection 2 to r2 … ]

R2#sh ip route 5.5.5.5
Routing entry for 5.5.5.5/32
  Known via “ospf 1”, distance 110, metric 20
  Tag 100, type extern 2, forward metric 64
  Last update from 172.12.123.1 on Serial0/0, 00:24:51 ago
  Routing Descriptor Blocks:
  * 172.12.123.1, from 11.11.11.1, 00:24:51 ago, via Serial0/0
      Route metric is 20, traffic share count is 1
      Route tag 100

R2#

Good to go. So the big take-away from this is that deny’s matching tag #’s must come before permit’s setting tag #’s to stop route-leaks, and that a catch-all clause is not necessary as the tagging itself is acting as a sort of catch-all (for Redistribution).
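
The first-match behaviour behind this take-away, and behind the RIP2EIGRP mistake on R3 in the 3-way redistribution post above, as an added example that is not part of the original post: it parses `show route-map` text in the format shown on this page and runs route tags through it. The function names and the model are assumptions of this example (only `match tag` / `set tag` are evaluated, and tag 0 stands for an untagged route).

```python
import re

# Constructed input in the `show route-map` format shown in this post.
# R1_MAPS is R1's final state; R3_BROKEN is RIP2EIGRP with "set" typed
# where "match" was meant.
R1_MAPS = """
route-map EIGRP2OSPF, deny, sequence 5
  Match clauses:
    tag 110
  Set clauses:
route-map EIGRP2OSPF, permit, sequence 10
  Match clauses:
  Set clauses:
    metric-type type-1
    tag 100
route-map OSPF2EIGRP, deny, sequence 10
  Match clauses:
    tag 100
  Set clauses:
route-map OSPF2EIGRP, permit, sequence 15
  Match clauses:
  Set clauses:
    tag 110
"""
R3_BROKEN = """
route-map RIP2EIGRP, deny, sequence 10
  Match clauses:
  Set clauses:
    tag 200
route-map RIP2EIGRP, permit, sequence 20
  Match clauses:
  Set clauses:
    tag 120
"""

HEADER = re.compile(r"^route-map ([^,\s]+), (permit|deny), sequence (\d+)$")


def parse_route_maps(text):
    """Return {name: [entry, ...]} with entries sorted by sequence number."""
    maps, entry, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            entry = {"action": m.group(2), "seq": int(m.group(3)),
                     "match_tags": set(), "set_tag": None}
            maps.setdefault(m.group(1), []).append(entry)
            section = None
        elif line in ("Match clauses:", "Set clauses:"):
            section = line.split()[0].lower()
        elif entry is not None and line.startswith("tag "):
            tags = [int(t) for t in line.split()[1:]]
            if section == "match":
                entry["match_tags"].update(tags)
            elif section == "set":
                entry["set_tag"] = tags[0]
    for entries in maps.values():
        entries.sort(key=lambda e: e["seq"])
    return maps


def redistribute(entries, route_tag):
    """First matching sequence wins; returns (permitted, tag_afterwards).

    A sequence with no match clause matches every route, set clauses on a
    deny sequence are never applied, and a route that matches nothing hits
    the implicit deny at the end of the map.
    """
    for e in entries:
        if not e["match_tags"] or route_tag in e["match_tags"]:
            if e["action"] == "deny":
                return False, route_tag
            new_tag = e["set_tag"] if e["set_tag"] is not None else route_tag
            return True, new_tag
    return False, route_tag


def lint(maps):
    """Flag match-all sequences that drop everything or shadow later ones."""
    findings = []
    for name, entries in maps.items():
        for i, e in enumerate(entries):
            if e["match_tags"]:
                continue
            # First sequence without a match clause: it matches every route.
            if e["action"] == "deny":
                findings.append(f"{name} seq {e['seq']}: deny with no match "
                                "clause drops every route")
            for later in entries[i + 1:]:
                findings.append(f"{name} seq {later['seq']}: unreachable, "
                                f"seq {e['seq']} matches everything first")
            break
    return findings


if __name__ == "__main__":
    r1 = parse_route_maps(R1_MAPS)
    print(redistribute(r1["EIGRP2OSPF"], 0))    # EIGRP route entering OSPF
    print(redistribute(r1["OSPF2EIGRP"], 100))  # same route offered back to EIGRP
    print(lint(r1))
    for finding in lint(parse_route_maps(R3_BROKEN)):
        print(finding)
```

Because the parser models only tag matches, a sequence that matches on something else (an ACL or prefix-list) would be reported as match-all, so treat findings on such maps as a prompt to read the sequence, not a verdict.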

ONE MORE IMPORTANT THING TO ADD TO ROUTE-MAPPING!

I saw on R2 that our OSPF external routes are E2 with the default metric going on, and I don’t want the seed metric of 20 for all routes, so I jumped back onto sequence # 10 where I tagged the traffic as 100 and configured another setting:

R1(config)#route-map EIGRP2OSPF permit 10
R1(config-route-map)#set metric-type type-1
R1#sh route-map
route-map EIGRP2OSPF, deny, sequence 5
  Match clauses:
    tag 110
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map EIGRP2OSPF, permit, sequence 10
  Match clauses:
  Set clauses:
    metric-type type-1 <- Hooray!
    tag 100
  Policy routing matches: 0 packets, 0 bytes
route-map OSPF2EIGRP, deny, sequence 10
  Match clauses:
    tag 100
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map OSPF2EIGRP, permit, sequence 15
  Match clauses:
  Set clauses:
    tag 110
  Policy routing matches: 0 packets, 0 bytes
R1#

And then of course to verify quickly I jump over to R2 aaaaaand:

R2#show ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/65] via 172.12.123.1, 00:07:00, Serial0/0
     100.0.0.0/13 is subnetted, 1 subnets
O E1    100.0.0.0 [110/84] via 172.12.123.1, 00:04:41, Serial0/0
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/65] via 172.12.123.3, 00:07:00, Serial0/0
     5.0.0.0/32 is subnetted, 1 subnets
O E1    5.5.5.5 [110/84] via 172.12.123.1, 00:04:41, Serial0/0
     172.12.0.0/24 is subnetted, 4 subnets
O E1    172.12.15.0 [110/84] via 172.12.123.1, 00:04:41, Serial0/0
     11.0.0.0/24 is subnetted, 1 subnets
O E1    11.11.11.0 [110/84] via 172.12.123.1, 00:04:41, Serial0/0

So instead of just having one objective with Route-maps, you can add clauses to the route-maps in the correct sequence order to adjust a lot of things in the network; this is just an example of how well they work with Redistribution. Now on to Distribute-Lists!

Configuration of Distribute-Lists with Redistribution

This is such a tricky set of commands to get right, as for some reason this just does not seem like correct syntax to block the routes from going into certain protocols. I will post a snip of the above Topology with traffic flow that we are blocking, followed by the exact configurations – Including the error you get when trying to use an interface with OSPF.

So to filter router 5.5.5.5 in the EIGRP AS 100 domain from redistributing into the OSPF domain, you will start the configuration in OSPF router configuration as illustrated here with the exact commands, as well as the OSPF route table of R2 before and after issuing the commands:

R2#sh ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/65] via 172.12.123.1, 01:20:20, Serial0/0
     100.0.0.0/13 is subnetted, 1 subnets
O E1    100.0.0.0 [110/84] via 172.12.123.1, 00:42:15, Serial0/0
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/65] via 172.12.123.3, 01:20:20, Serial0/0
     5.0.0.0/32 is subnetted, 1 subnets
O E1    5.5.5.5 [110/84] via 172.12.123.1, 00:20:04, Serial0/0
     172.12.0.0/24 is subnetted, 4 subnets
O E1    172.12.15.0 [110/84] via 172.12.123.1, 00:42:15, Serial0/0
     11.0.0.0/24 is subnetted, 1 subnets
O E1    11.11.11.0 [110/84] via 172.12.123.1, 00:42:15, Serial0/0
R2#

dist_list_1

 

R1(config)#access-list 5 deny host 5.5.5.5
R1(config)#access-list 5 permit any
R1(config)#router ospf 1
R1(config-router)#distribute-list 5 ?

  in   Filter incoming routing updates
  out  Filter outgoing routing updates

R1(config-router)#distribute-list 5 out s0/0
% Interface not allowed with OUT for OSPF <- No interfaces for OSPF Distribute-Lists

R1(config-router)#distribute-list 5 out eigrp 100
R1(config-router)#

When we are denying a route in the EIGRP domain from outgoing updates being sent, my brain wants to configure it in EIGRP router configuration, with the outgoing protocol to be “ospf 1” but it isn’t as can be seen here after applying the command:

ASR#2
[Resuming connection 2 to r2 … ]

R2#sh ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/65] via 172.12.123.1, 01:32:43, Serial0/0
     100.0.0.0/13 is subnetted, 1 subnets
O E1    100.0.0.0 [110/84] via 172.12.123.1, 00:54:37, Serial0/0
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/65] via 172.12.123.3, 01:32:43, Serial0/0
     172.12.0.0/24 is subnetted, 4 subnets
O E1    172.12.15.0 [110/84] via 172.12.123.1, 00:54:37, Serial0/0
     11.0.0.0/24 is subnetted, 1 subnets
O E1    11.11.11.0 [110/84] via 172.12.123.1, 00:54:37, Serial0/0
R2#

So for OSPF you must enter the router configuration commands in OSPF, and define an ACL denying / permitting the other protocol’s networks, as well as the other protocol in OSPF router configuration mode.

*** A good metaphor would be to think of OSPF as the current US Trump Presidency telling other countries to keep their citizens in their own borders, which is actually almost a perfect metaphor to remember that by, very sadly.***

So let’s see if EIGRP wants to build a wall between itself and OSPF as well here, this time I’ll use an interface, I assume I will need to specify Serial0/0 at the end as that defines the OSPF domain:

R5#sh ip route eigrp

Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
D EX     1.1.1.1 [170/1662976] via 172.12.15.1, 02:05:03, FastEthernet0/1
      2.0.0.0/32 is subnetted, 1 subnets
D EX     2.2.2.2 [170/1662976] via 172.12.15.1, 02:02:52, FastEthernet0/1
      3.0.0.0/32 is subnetted, 1 subnets
D EX     3.3.3.3 [170/1662976] via 172.12.15.1, 02:02:52, FastEthernet0/1
      11.0.0.0/24 is subnetted, 1 subnets
D        11.11.11.0 [90/156160] via 172.12.15.1, 02:05:03, FastEthernet0/1
      100.0.0.0/8 is variably subnetted, 15 subnets, 3 masks
D        100.0.0.0/13 is a summary, 02:05:08, Null0
      172.12.0.0/16 is variably subnetted, 3 subnets, 2 masks
D EX     172.12.123.0/24
           [170/1662976] via 172.12.15.1, 02:05:03, FastEthernet0/1
R5#

dist_list_2

 

R1(config)#access-list 3 deny host 3.3.3.3
R1(config)#access-list 3 permit any
R1(config)#router eigrp 100
R1(config-router)#distribute-list 3 out s0/0
R1(config-router)#

It is a legal command, it is pointing to the route in the OSPF domain, and the interface that is in the OSPF domain so let’s see if R5 managed to keep 3.3.3.3 out:

R5#sh ip route eigrp

Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
D EX     1.1.1.1 [170/1662976] via 172.12.15.1, 02:08:27, FastEthernet0/1
      2.0.0.0/32 is subnetted, 1 subnets
D EX     2.2.2.2 [170/1662976] via 172.12.15.1, 02:06:16, FastEthernet0/1
      3.0.0.0/32 is subnetted, 1 subnets
D EX     3.3.3.3 [170/1662976] via 172.12.15.1, 02:06:16, FastEthernet0/1
      11.0.0.0/24 is subnetted, 1 subnets
D        11.11.11.0 [90/156160] via 172.12.15.1, 02:08:27, FastEthernet0/1
      100.0.0.0/8 is variably subnetted, 15 subnets, 3 masks
D        100.0.0.0/13 is a summary, 02:08:32, Null0
      172.12.0.0/16 is variably subnetted, 3 subnets, 2 masks
D EX     172.12.123.0/24
           [170/1662976] via 172.12.15.1, 02:08:27, FastEthernet0/1
R5#

Nope, not at all, and this is what is so confusing with the configurations with Distribute-Lists. For OSPF you are configuring outgoing updates be denied to the domain they reside in (EIGRP), however in EIGRP I am defining the network from OSPF and the OSPF enabled interface but it doesn’t work.

So naturally let’s slap Fa0/1 on there and see what happens:

R1(config-router)#no distribute-list 3 out s0/0
R1(config-router)#distribute-list 3 out fa0/1
R1(config-router)#
ASR#5
[Resuming connection 5 to r5 … ]

R5#sh ip route eigrp

Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
D EX     1.1.1.1 [170/1662976] via 172.12.15.1, 02:16:12, FastEthernet0/1
      2.0.0.0/32 is subnetted, 1 subnets
D EX     2.2.2.2 [170/1662976] via 172.12.15.1, 02:14:01, FastEthernet0/1
      11.0.0.0/24 is subnetted, 1 subnets
D        11.11.11.0 [90/156160] via 172.12.15.1, 02:16:12, FastEthernet0/1
      100.0.0.0/8 is variably subnetted, 15 subnets, 3 masks
D        100.0.0.0/13 is a summary, 02:16:17, Null0
      172.12.0.0/16 is variably subnetted, 3 subnets, 2 masks
D EX     172.12.123.0/24
           [170/1662976] via 172.12.15.1, 02:16:12, FastEthernet0/1
R5#

And this just makes no sense to me why the command is written this way, but it keeps with the Trump Metaphor, we don’t want to see your routes behind our wall (interface) or lets see if you can keep the route in your domain:

R1(config-router)#no distribute-list 3 out fa0/1
R1(config-router)#distribute-list 3 out ospf 1
R1(config-router)#
*Mar  1 19:21:02.324: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 172.12.15.5 (FastEthernet0/1) is resync: route configuration changed
R1(config-router)#
ASR#5
[Resuming connection 5 to r5 … ]

*Feb  3 08:00:22.479: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.12.15.1 (FastEthernet0/1) is resync: peer graceful-restart
R5#s
*Feb  3 08:00:32.015: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.12.15.1 (FastEthernet0/1) is resync: peer graceful-restart
R5#sh ip route 3.3.3.3

% Network not in table

R5#

I confirmed the lazy way this time with sh ip route 3.3.3.3 and we have confirmed that you can keep your routes in your domain, or we will stop them at our interface. Not to drag politics into technical studies, but a literally (and again sadly) perfect metaphor for Distribute-Lists is our current President’s foreign policy on immigration – Our extensive screening consists of ACL’s and Distribute-Lists.

That is it for tonight, I really have a good concept on these as of right now, and will continue to use them wherever possible to keep the metaphor alive in my head 🙂

Going to go let brain defrag before bed, until next lab session fellow CCNP candidates!

Part 1: Setting up the new, bigger, and better lab to configure everything we’ve learned up to this point!

 

labbers_delight

As previously mentioned I believe, this will be a multi-part lab in which I will configure “Multi-Point” 2-way Redistribution / Policy-Routing / Distribute-Lists / Route-Maps / and troubleshooting all along the way.

Here are a few things I know I want to achieve over the several parts of this lab:

  • Authentication deep dive for all 3 protocols in Topology
  • DEEP Dive look at Redistribution with Route-Map tagging and Distribute-Lists
  • Policy Routing and Local Policy Routing configuration
  • 3-way Redistribution on R3 if possible, things might get crazy
  • Deep Dive into Policy Routing capabilities, applying around the network
  • Random other topics as I can think of them

I will be working as much with route-maps as possible, as they really are a huge chunk of all of those topics, so I believe those are critical to understand inside out. I have done a “wr er” and “reload” on all routers, and am going to configure the core network in the Topology, but I may review some of my previous posts to get my brain tuned up to lab until my brain melts out of my skull.

That being said I will just configure it for tonight, and add to it slowly while I am fresh, I don’t want to do anything while I am in zombie mode (like now) after a long work day.

So this will all be review, and as I said, saturate this network completely with all the concepts I have posted about and troubleshoot issues as needed.

I am going to whip up this Topology now, and we will get this party started on my next post, see you there 🙂

Part 3: Finally got Route-Maps for Redistribution working correctly, important notes within on how!

Boy do I feel stupid. After spending hours scratching my head at why this is not working yet, as OSPF seems to be getting tags but RIP is not, that is when I really put my work under a microscope and found that I was applying OSPF2RIP in OSPF router config and the other way around (I think). I have no other way to logically explain why they are working today, as they actually didn’t work earlier as well after “wr er” / “reload” / reconfigure.

So I stripped all redistribution off, deleted the route-maps, and started from square 1, again. Then when I was struggling to remember which way it went with applying what route-map to which protocol, I might have been on auto-pilot last night and completely overlooked that as the issue!

So here is how I applied a fix for that:

R3(config-router)#router ospf 1
R3(config-router)#redistribute rip subnets route-map RIP2OSPF
R3(config-router)#router rip

R3(config-router)#redistribute ospf 1 route-map OSPF2RIP metric 2
R3(config-router)#do sh route-map
route-map OSPF2RIP, permit, sequence 10
  Match clauses:
  Set clauses:
    tag 10
  Policy routing matches: 0 packets, 0 bytes
route-map RIP2OSPF, permit, sequence 10
  Match clauses:
  Set clauses:
    tag 20
  Policy routing matches: 0 packets, 0 bytes

And this is where I was able to verify and FINALLY see the results I was looking for(!!!):
R3(config-router)#
ASR#3
[Resuming connection 3 to r4 … ]

R4#show ip route ospf

Gateway of last resort is not set

      5.0.0.0/24 is subnetted, 1 subnets
O E2     5.5.5.0 [110/20] via 172.12.34.3, 00:02:47, FastEthernet0/1
      172.12.0.0/16 is variably subnetted, 4 subnets, 2 masks
O E2     172.12.15.0/24 [110/20] via 172.12.34.3, 00:02:47, FastEthernet0/1
O E2     172.12.123.0/24 [110/20] via 172.12.34.3, 00:02:47, FastEthernet0/1
R4#show ip route 5.5.5.5
Routing entry for 5.5.5.0/24
  Known via "ospf 1", distance 110, metric 20
  Tag 20, type extern 2, forward metric 1
  Last update from 172.12.34.3 on FastEthernet0/1, 00:02:05 ago
  Routing Descriptor Blocks:
  * 172.12.34.3, from 3.3.3.3, 00:02:05 ago, via FastEthernet0/1
      Route metric is 20, traffic share count is 1
      Route tag 20

ASR#1
[Resuming connection 1 to r1 … ]

R1#show ip route rip
     4.0.0.0/32 is subnetted, 1 subnets
R       4.4.4.4 [120/2] via 172.12.123.3, 00:00:00, Serial0/0
     172.12.0.0/24 is subnetted, 3 subnets
R       172.12.34.0 [120/1] via 172.12.123.3, 00:00:00, Serial0/0
     40.0.0.0/32 is subnetted, 1 subnets
R       40.40.40.1 [120/2] via 172.12.123.3, 00:00:00, Serial0/0
     44.0.0.0/32 is subnetted, 1 subnets
R       44.44.44.1 [120/2] via 172.12.123.3, 00:00:00, Serial0/0
R1#show route 4.4.4.4
route-map 4.4.4.4 not found
R1#show ip route 4.4.4.4
Routing entry for 4.4.4.4/32
  Known via "rip", distance 120, metric 2
  Tag 10
  Redistributing via rip
  Last update from 172.12.123.3 on Serial0/0, 00:00:16 ago
  Routing Descriptor Blocks:
  * 172.12.123.3, from 172.12.123.3, 00:00:16 ago, via Serial0/0
      Route metric is 2, traffic share count is 1
      Route tag 10

R1#

OSPF is showing up as tag 10 on the RIP side, and RIP routes as tagged 20 on the OSPF side. Now I am going to try redistributing connected routes with these same route-maps and see if that breaks anything, and if not we will cap it off by adding some deny statements in our route-maps:

R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#router rip
R3(config-router)#redistribute connected route-map OSPF2RIP metric 3
R3(config-router)#router ospf 1
R3(config-router)#redistribute connected subnets route-map RIP2OSPF
R3(config-router)#

And now to pray I have some routes on R1:
R1#sh ip route rip
     3.0.0.0/32 is subnetted, 1 subnets
R       3.3.3.3 [120/3] via 172.12.123.3, 00:00:22, Serial0/0
     4.0.0.0/32 is subnetted, 1 subnets
R       4.4.4.4 [120/2] via 172.12.123.3, 00:00:22, Serial0/0
     172.12.0.0/24 is subnetted, 3 subnets
R       172.12.34.0 [120/1] via 172.12.123.3, 00:00:22, Serial0/0
     40.0.0.0/32 is subnetted, 1 subnets
R       40.40.40.1 [120/2] via 172.12.123.3, 00:00:22, Serial0/0
     44.0.0.0/32 is subnetted, 1 subnets
R       44.44.44.1 [120/2] via 172.12.123.3, 00:00:22, Serial0/0
R1#

This is a sweet roll to be on, where was this last night! I think it was both that I was getting the route-map names mixed up, and that I was relying too much on how it was worded rather than what actions were happening. It took a mix of “show ip proto” / “sh route-map” / “sh run” (which I wouldn’t count on for exam day) to read the route maps and how they will impact each other as explained below.

I will now attempt to do one more thing: add denies into the route maps, which is really the core of this lesson, using tags to stop route leaks or route loops from forming. Both route-maps have a “permit 10” sequence #, with a “set tag 10/20” to define ‘let all the routes through but apply this tag to them’.

However, the trick to this is placing the deny sequence # lower than the permit / set tag sequence for it to filter routes; otherwise a route will just hit the ‘let everything through with a tag’ clause and never reach the deny clause. This is why you want to plan for both current and future growth of sequences. So I will make these both sequence 5, so I have 1-4 and 6-9 to add additional clauses as needed.

**REMEMBER YOU WANT TO WRITE ‘PERMIT’ SEQUENCES TO ‘SET’ A TAG FOR ROUTES, AND WRITE ‘DENY’ SEQUENCES TO ‘MATCH’ THE TAG # TO BE FILTERED!!**

Now that I am done yelling at myself, let’s get back to configuring:

R3(config-router)#exit
R3(config)#route-map OSPF2RIP deny 5
R3(config-route-map)#match tag 10
% "OSPF2RIP" used as redistribute connected into rip route-map, tag match not supported
R3(config-route-map)#route-map RIP2OSPF deny 5
R3(config-route-map)#match tag 20
% "RIP2OSPF" used as redistribute connected into ospf route-map, tag match not supported

As you can see from the complaints we got from the console about connected routes, the route-maps are already active, and as soon as I hit enter to “match” the tag # in the route-map’s deny sequence, it kicked out the message that connected routes don’t support tag matching.

So let’s once more see if R1 survived this change:

R1#show ip route rip
     4.0.0.0/32 is subnetted, 1 subnets
R       4.4.4.4 [120/2] via 172.12.123.3, 00:00:14, Serial0/0
     172.12.0.0/24 is subnetted, 3 subnets
R       172.12.34.0 [120/1] via 172.12.123.3, 00:00:15, Serial0/0
     40.0.0.0/32 is subnetted, 1 subnets
R       40.40.40.1 [120/2] via 172.12.123.3, 00:00:15, Serial0/0
     44.0.0.0/32 is subnetted, 1 subnets
R       44.44.44.1 [120/2] via 172.12.123.3, 00:00:15, Serial0/0

Amazing, well that is going to do it for me today, that was relatively easy, just be sure to watch how you are applying those route-maps, AND NAME THEM AS INTUITIVELY AS POSSIBLE to not make the mistakes I did.

For review of how it should look on the ASBR, I’m going to paste the running configuration below for future reference, and that is it for tonight, and then onto PBR lessons:

R3#sh run
Building configuration…

Current configuration : 1588 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$.iVA$HbHo0g/PqIytO6Yf5XLAm1
!
no aaa new-model
!
resource policy
!
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
!
!
no ip domain lookup
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
controller T1 0/0
 framing sf
 linecode ami
!
controller T1 0/1
 framing sf
 linecode ami
!
!
!
!
!
!
interface Loopback3
 ip address 3.3.3.3 255.255.255.255
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.12.34.3 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/2
 ip address 172.12.123.3 255.255.255.0
 no fair-queue
!
interface Serial0/3
 no ip address
 shutdown
!
router ospf 1
 log-adjacency-changes
 redistribute connected subnets route-map RIP2OSPF
 redistribute rip subnets route-map RIP2OSPF
 network 172.12.34.0 0.0.0.255 area 0
!
router rip
 version 2
 redistribute connected metric 3 route-map OSPF2RIP
 redistribute ospf 1 metric 2 route-map OSPF2RIP
 network 172.12.0.0
 no auto-summary
!
!
!
ip http server
no ip http secure-server
!
!
!
!
route-map OSPF2RIP deny 5
 match tag 10
!
route-map OSPF2RIP permit 10
 set tag 10
!
route-map RIP2OSPF deny 5
 match tag 20
!
route-map RIP2OSPF permit 10
 set tag 20
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 password CCNP
 logging synchronous
 login
!
!
end

R3#
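
The sequence-ordering rule described above (deny 5 ahead of permit 10) can be checked offline with a small model of route-map evaluation. This is an added example, not part of the original lab or Cisco's code: the two maps are copied from the R3 running config, while `evaluate`, `report` and the mis-ordered `OSPF2RIP_LATE_DENY` variant are hypothetical names made up for the illustration.

```python
# Added illustration: a minimal model of IOS route-map evaluation when a
# route-map is attached to "redistribute".
# Rules modelled: entries are checked in ascending sequence order; the first
# entry whose match clause fits decides the result; an entry with no match
# clause matches every route; a route matching no entry is dropped
# (implicit deny).

def evaluate(route_map, tag):
    """Return ('deny', None) or ('permit', new_tag) for a route carrying `tag`."""
    for seq in sorted(route_map):
        action, match_tag, set_tag = route_map[seq]
        if match_tag is not None and match_tag != tag:
            continue  # match clause present but not satisfied: try next entry
        if action == "deny":
            return ("deny", None)
        return ("permit", set_tag if set_tag is not None else tag)
    return ("deny", None)  # implicit deny at the end of every route-map

# seq -> (action, match tag, set tag), copied from the R3 running config
OSPF2RIP = {5: ("deny", 10, None), 10: ("permit", None, 10)}
RIP2OSPF = {5: ("deny", 20, None), 10: ("permit", None, 20)}

# Hypothetical mis-ordered variant: the deny sits after the catch-all permit,
# so it is never reached.
OSPF2RIP_LATE_DENY = {10: ("permit", None, 10), 15: ("deny", 10, None)}

def report(route_map):
    """Outcome for an untagged route (None here) and for routes tagged 10 and 20."""
    return {tag: evaluate(route_map, tag) for tag in (None, 10, 20)}

if __name__ == "__main__":
    for name, rm in (("OSPF2RIP", OSPF2RIP), ("RIP2OSPF", RIP2OSPF),
                     ("OSPF2RIP_LATE_DENY", OSPF2RIP_LATE_DENY)):
        print(name, report(rm))
```

In this model each map as configured drops only routes that already carry the tag it sets itself, so a route tagged 20 passes OSPF2RIP and is re-tagged 10. With a second redistribution point, that tag-20 route is the RIP-originated one to check for when auditing OSPF2RIP.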