Lab 4 (summarization):
- External routes are summarized on ASBR using “summary-address” command.
- When summarizing internal routes on ABRs, the “area xx range” command must be used, where xx is the id of the area in which the summarized routes originate (area 1 in our case). So the command MUST be “area 1 range” followed by the summary network address and mask.
- In OSPF, a discard route is created automatically whenever a summary route is configured. There are 2 types of summary routes: internal and external. When an internal summary route is configured, OSPF injects an internal discard route (a Null0 route for the summary), and the same happens for an external summary. This is to prevent routing loops for destinations inside the summary that have no specific route.
- To get rid of these discard routes, use “no discard-route internal” (or “no discard-route external”) under router ospf.
Lab 5 (Virtual Links and GRE tunnels)
- Ensure all advertised networks are reachable by all routers. Use any IP addressing, but do NOT use a virtual link. We will be using GRE tunnels instead.
- So if R5 is not connected to area 0 and R4 is the ABR between Area 4 and Area 2, the GRE tunnel must be configured between R4 and R3.
- assign any arbitrary network on both routers, and include them in area 0. (e.g 200.1.34.3). This will be the ip address of the GRE tunnel interface “int tun1”. Then make tunnel source to be the link b/w R4 and R3 and the destination to be the other end. Do this on both sides.
- Neighbor relationship would be formed.
- The IP address of the tunnel interface MUST be advertised in area 0 or else the tunnel will not work.
- Configuring authentication over virtual link (simple)
- router ospf 1 (on R1)
- area 1 virtual-link 2.2.2.2 authentication
- area 1 virtual-link 2.2.2.2 authentication-key Cisco
- router ospf 1 (on R2)
- area 1 virtual-link 1.1.1.1 auth
- area 1 virtual-link 1.1.1.1 auth-key Cisco
- MD5:
- on router 4
- Rack1R4(config-router)#$ual-link 3.3.3.3 authentication message-digest
- Rack1R4(config-router)#$ual-link 3.3.3.3 mess
- Rack1R4(config-router)#$ual-link 3.3.3.3 message-digest-key 1 md5 cisco
- on R3:
Lab 6: Stub, totally stubby and NSSA
- Stub:
- Stops type 4 and 5 LSAs. Issue the “area xx stub” command on all routers in that area, including the ABR.
- stub cannot be a transit area so no virtual link but a GRE tunnel can be used instead.
- Stub area cannot have an ASBR.
- backbone area cannot be a stub area.
- No LSA type 5 (E1 or E2) is allowed in a STUB area, but routers can still reach external routes via the default route that the ABR injects into the area.
- by default, cost of default route is 1; verify using “sh ip ospf” and show ip route. This can be changed by “area xx default-cost yy”.
- Totally Stubby:
- does not receive types 3,4 and 5.
- on all routers “area xx stub” and on the ABR issue “area xx stub no-summary”
- all IA and E routes are filtered.
- default route IS injected
- NSSA:
- the default 0/0 route will not be injected
- NSSA with default route:
- you have to use the command: area xx nssa default-information-originate (on the ABR)
- will inject a type N2 default route into the area.
- Totally Stubby NSSA with default route
- area 1 nssa no-summary on ABR (allows 1,2,7 and default route)
Lab 7 (filtering routes in OSPF)
- Filter all LSA from other areas to area 2, the other areas do receive routes from area 2. No distribute-list, acl, or any command under router ospf is allowed:
- go to interface level and issue: “ip ospf database-filter all out”
- this command ONLY works on point-to-multipoint interfaces.
- neighbor <ip> database-filter all out
- Configure R3 or R4 such that R4 does not have reachability to Network 3.0.0.0. Using distribute-list.
- This must be done on R4 since distribute-list out ONLY works on ASBR and R3 is not an ASBR. So we need to do a “distribute-list in” on R4.
- Configure the routers such that they don’t have reachability to network 4.4.3.0/24 (which was redistributed on R4). No global config command, neighbor command, int config command or ip ospf command allowed.
- use “summary-address 4.4.3.0 255.255.255.0 not-advertise”
- can be used to filter an external network when configured on the ASBR
- cannot be used to filter internal networks.
- Configure routers such that R3 and R4 don’t have reachability to 1.1.3.0/24 network
- use “area 1 range 1.1.3.0 255.255.255.0 not-advertise” command on the ABR. This filters internal routes within an OSPF routing domain and can only be used on an ABR.
- Configure R2 such that network 1.1.1.0/24 (from area 1) is not advertised to area 2.
- ip prefix-list net seq 5 deny 1.1.1.0/24
- ip prefix-list net seq 10 permit 0.0.0.0/0 le 32
- area 2 filter-list prefix net in (1.1.1.0 is coming from area 1, but we’re filtering it out of area 2 by using “in”; this filters prefixes advertised in type 3 LSAs BETWEEN the OSPF areas of an ABR)
- Ways of filtering:
- ip ospf database-filter all out on interface level
- neighbor <ip> database-filter all out (on point to multipoint int only)
- using distribute-list in.
- using distribute-list out on ASBR
- using summary-address not-advertise on ASBR
- using area 1 range not-advertise on ABR
- using ip prefix list and area filter list to filter LSA type 3s.
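To see why the filter-list above needs “le 32” on its permit-all entry, here is an added Python model of IOS prefix-list matching (not code from the original notes) applied to the “net” list from this lab. Entry tuples and sample prefixes are constructed; the point it demonstrates is that a bare entry matches only its exact length, so “permit 0.0.0.0/0” without “le 32” would match nothing but the default route and every other type 3 prefix would hit the implicit deny.

```python
import ipaddress

# Constructed model of the "net" prefix-list from the Lab 7 notes:
# (sequence, action, prefix, ge, le); None means the keyword was not given.
PREFIX_LIST_NET = [
    (5, "deny", "1.1.1.0/24", None, None),
    (10, "permit", "0.0.0.0/0", None, 32),
]


def entry_matches(entry, prefix):
    """Return True if an IOS prefix-list entry matches prefix.

    IOS semantics: the candidate's first L bits must equal the entry's
    network (L = entry length), and the candidate's length must fall in
    [ge, le]. With no ge/le the entry matches only length L exactly; ge
    alone means [ge, 32]; le alone means [L, le].
    """
    _, _, net, ge, le = entry
    base = ipaddress.ip_network(net, strict=False)
    cand = ipaddress.ip_network(prefix, strict=False)
    length = base.prefixlen
    lo = ge if ge is not None else length
    hi = le if le is not None else (32 if ge is not None else length)
    if not lo <= cand.prefixlen <= hi:
        return False
    # Compare the first L bits; shifting by 32 bits (L = 0) matches anything.
    diff = int(cand.network_address) ^ int(base.network_address)
    return (diff >> (32 - length)) == 0


def evaluate(plist, prefix):
    """First matching entry wins; an unmatched prefix hits the implicit deny."""
    for entry in sorted(plist, key=lambda e: e[0]):
        if entry_matches(entry, prefix):
            return entry[1]
    return "deny"


def filter_type3(plist, prefixes):
    """Model 'area 2 filter-list prefix net in': keep only permitted prefixes."""
    return [p for p in prefixes if evaluate(plist, p) == "permit"]


if __name__ == "__main__":
    # Constructed sample of inter-area prefixes the ABR would send into area 2.
    print(filter_type3(PREFIX_LIST_NET, ["1.1.1.0/24", "1.1.2.0/24", "1.1.1.0/25"]))
```

Note that a more specific 1.1.1.0/25 is not caught by seq 5, since that entry matches the /24 length only; add “le 32” to the deny as well if sub-prefixes should be filtered too.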
Lab 8 (redirecting traffic)
- R1 has two ways to reach network 4.0.0.0/8. Ensure that R1 uses R2 instead of R3. R1 should go directly to R3 to reach network 3.0.0.0. DO NOT USE, bandwidth, any global config command, OSPF cost or distance command.
- max-metric router-lsa
- other routers do not prefer the router as a transit hop in their path to given network.
Lab 9 (limiting number of OSPF redistributed routes)
- use the command “redistribute maximum-prefix 10 70 (warning-only)”
Lab 10 (OSPF and NBMA)
- On Non-Broadcast media (like FR) OSPF can run in two modes:
- NBMA: simulates broadcast model. Two ways to simulate a broadcast model:
- ip ospf network broadcast (interface sub-command) [on both ends]. Map statements need to have “broadcast”.
- configure neighbor statements using router ospf. [use “ip ospf priority 2” to assign DR]. Frame relay map commands in this case do NOT need a broadcast parameter because OSPF packets are unicasted with neighbor statement.
- Point-to-Multipoint: treats non-broadcast networks as a collection of point-to-point links by configuring “ip ospf network point-to-multipoint” command. Need Broadcast statement. No DR and BDR elected when NBMA network is configured Point-to-Multipoint.
- you MUST define network type on non-broadcast networks to avoid configuring neighbor statements.
- FR subinterfaces can run in two modes:
- p2p: the subinterface emulates a p2p network and OSPF treats it as a p2p network type.
- multipoint: OSPF treats this subinterface as NBMA network type.
- One end is configured as a P2P subinterface, the other as a multipoint physical interface. How do we resolve this? Configure the P2P interface on the hub as “ip ospf network non-broadcast” and assign a neighbor command under router ospf. On non-broadcast networks, the “neighbor” command in router config mode must be configured so that OSPF hello packets are exchanged via unicast.
- changing an interface from “non-broadcast” to “point-to-point” earlier required changing hello intervals. in the latest IOS releases, hello intervals automatically change when you do “ip ospf network point-to-point”
Posted in CCIE notes | Tagged Narbik, ospf
Currently doing OSPF labs based on Narbik’s workbook:
OSPF:
Lab 1 (optimization):
- turning off LSA type 6
- go under router ospf -> ignore lsa mospf
- changing hello timers such that it sends 4 hellos per second with hold time of one second
- under interface -> ip ospf dead-interval minimal hello-multiplier 4
- configuring OSPF to display router names instead of router IDs in its OSPF show commands
- global: ip ospf name-lookup
- ip host <R1> <1.1.1.1>
- router ospf 1 -> timers pacing retransmission 60 (interpacket pacing b/w consecutive LSUs)
Lab 2 (auth):
- creating virtual link, “area <area to create vl over> virtual-link <routerid of other router>”
- configuring area auth:
- area X authentication message-digest
- int
- ip ospf message-digest-key 1 md5 cisco12
Lab 3 (cost):
- cost to reach the loopback = cost of the serial link + cost of the loopback = 100,000,000/1.54 Mb (64) + 100 Mb/8000 Mb (rounds up to 1)
Posted in Narbik | Tagged micronics, Narbik
<begin lab1 interesting stuff>
LAB 1:
- 3550 by default would negotiate ISL trunk and two ports negotiate to “n-isl”, since by default ports are configured in Desirable state.
- With 3560, ports are not in desirable mode, so the trunk must be configured statically to trunk or negotiate a trunk.
- Extended-range VLANs can only be created when VTP is in transparent mode. This configuration can only be performed in global config mode and not in the VLAN database. You would see these VLANs appearing in the running/startup config but NOT in the VLAN database.
- CAT switches can be configured such that the IP address of any of their interfaces is used as the source of all VTP messages. Use the command: #vtp interface lo0. Verify it by looking at the last line of: show vtp status
- The priority of a given vlan for a STP is the combination of base priority and the Vlan number, e.g, 32768 + (vlan) 12 = 32780.
- Configuring a CAT switch to be root for VLANs 12 and 34 using the “root” command: #spanning-tree vlan 12,34 root primary. The keyword ‘root’ is a MACRO that REDUCES the BID of the switch for a given VLAN by a value of 8192, e.g. 32768 + 12 - 8192 = 24588 (priority of the above value after the root macro is applied).
- The “spanning-tree portfast bpduguard default” command in global config mode will shut the port down in “err-disable” mode if any portfast enabled port receives BPDU packets
- switchport trunk encap command can have following options: 1) dot1q, 2) isl, 3) negotiate (local interface negotiates with neighboring interface to become either dot1q or isl).
- switchport mode trunk puts the interface in permanent trunking mode.
- MONITOR session: (local monitoring)
- cat1(config)#monitor session 1 source interface f0/14 both
- cat1(config)#monitor session 1 destination interface f0/15
- there can only be two monitor sessions per switch. Their direction can be RX, TX or Both. Vlans can ONLY be configured in Rx direction.
- Verify: #show monitor session 1
- Configuring SNMP:
- Must have an IP address configured on a switch otherwise snmp server cannot be configured.
- Setup SNMP server: (config)# snmp-server host 192.168.1.1 private
- Configure it to send mac-address traps to the NMS: (config)# snmp-server enable traps mac-notification
- Enable MAC-address notification: (config)#mac-address-table notification
- Enable the SNMP trap on interface Fa0/1 to send MAC notification traps whenever a MAC address is added. int fa0/1 -> #snmp trap mac-notification added
- If we want the switch to report when learnt MAC addresses expire, then “snmp trap mac-notification removed” needs to be added as well.
- Verify: show mac-address-table notification interface f0/1
- Regular and Smart Port Macro:
- Define a port range (regular macro): (config)#define interface-range router-ports f0/1-6
- Smartport Macro: (to configure port security)
- config# macro name port-secur <-- starts with a macro name, can be applied to an int, int-range or a regular macro
- Enter macro commands one per line. end with @
- switchport mode access
- switchport port-security
- switchport port-security mac-address sticky
- switchport port-security max 1
- switchport port-security violation shutdown.
- @
- applying the macro:
- interface range macro router-ports
- macro apply port-secur
- Configuring bandwidth utilization for broadcast traffic to 50%
- int fa0/1 -> #storm-control broadcast level 50.00
- value of 0.0 means that type of traffic is blocked permanently (could be unicast, broadcast or multicast)
- on 3550 when the rate of MULTICAST traffic exceeds a predefined threshold, ALL incoming traffic (BC, MC, or Unicast) is dropped until the level of MCast traffic is dropped below the threshold level.
- Protected ports:
- You have two ports in the same VLAN and you don’t want them to be able to talk to each other; issue this: int range fa0/15-16 -> switchport protected.
- Unknown unicast and multicast packets can be blocked (for security reasons) by issuing -> switchport block unicast && switchport block multicast
- Configuring Dot1x
- config# dot1x system-auth-control (enables dot1x)
- config#aaa new-model (enable AAA services)
- config#aaa authentication dot1x default group radius (specify auth method list)
- config#radius-server host <ip> key cisco (specify radius server and password)
- Now configure dot1x on the port. MAKE SURE the port is not in dynamic mode, otherwise dot1x won’t work. Make sure it’s in access mode: “switchport mode access”
- configure on interface fa0/15 –> dot1x port-control auto
</end of lab 1 interesting stuff>
Posted in Narbik | Tagged 3560, ccie, Narbik, private vlans, smart port macro, snmp, soup-to-nuts, switching
February 16, 2009 by qospf
This is pretty cool…written in python:
http://twill.idyll.org/
Posted in cool tools
February 9, 2009 by qospf
I’m back! I had changes at work with management and group, and then a long vacation, so I had to stop my studies back in September! But I’m back now and hoping to catch up with where I left off!
Posted in progress
[taken from IE VOL1 workbook]
It’s best to only allow SSH access on your VTY ports. Here’s how you can do it:
1) Configure a domain name on your router:
Rack1R4(config)#ip domain-name internetworkexpert.com
2) Generate the keys (512 bits is the smallest modulus IOS accepts; SSH version 2 requires at least 768 bits, so use a larger modulus on a production device):
Rack1R4(config)#crypto key generate rsa general-keys modulus 512
3) Configure the VTY ports with SSH access only:
Rack1R4(config)#line vty 0 4
Rack1R4(config-line)#transport input ssh
4) enable local login for your VTY ports:
Rack1R4(config-line)#login local
5) Don’t forget to configure a local username/password
Rack1R4(config)#username CISCO password CISCO
[make sure you also have an enable password configured]
THAT’S IT!
-qospf
Posted in tutorials | Tagged cisco routers, configuring ssh, ssh
[hint taken from Brian Dennis's CoD]
Suppose you are using a term server to login to all your routers. And you’re on R1. You SSH to R4. How do you go back to R1? See below:
ccie-ts#1
[Resuming connection 1 to r1 ... ]
Rack1R1#ssh -l CISCO 155.1.146.4
Password:
Rack1R4>
<-- now you want to go back to R1; how would you do it? If you press CTRL+SHIFT+6+x, you’d go back to the term server, not to R1!
Rack1R4> [press CTRL+SHIFT+6+x]
ccie-ts#
So to go back to R1 (the intermediate router), you’d have to press, CTRL+SHIFT+6+6+x, this would get you back to R1
Rack1R4> [press CTRL+SHIFT+6+6+x]
Rack1R1#
Hope this helps!
-qospf
Posted in tutorials | Tagged switching between routers, term server
concept learnt from IE’s Vol5.0 workbook for “IP Routing”
- When routing to a next-hop value the router performs L2 to L3 resolution on the next-hop address. (e.g. ip route 150.1.4.4 255.255.255.255 155.1.146.4). So in the arp table, you’ll see the MAC for ip address: 155.1.146.4.
- When routing to an INTERFACE, the router performs L2 to L3 resolution on the FINAL destination (not on the next hop). (e.g. ip route 150.1.6.6 255.255.255.255 fa0/0 configured on Router1). Let’s assume 150.1.6.6 is a loopback interface on Router6 and Router6 is connected to the LAN via Fa0/6. When we configure the ip route mentioned above on R1, in R1’s ARP table you’ll see the MAC address of the Fa0/6 interface for the loopback of R6 (i.e. 150.1.6.6). This is because PROXY ARP is enabled by default on the routers. If we were to disable proxy ARP on Fa0/6, you’d notice that you can no longer ping the loopback of R6, since the router does not know the correct L2 address to use when building the L2 frame. You’ll see the “encapsulation failed” message in the debugs:
*Mar 5 02:18:49.733: IP ARP: creating incomplete entry for IP address: 150.1.6.6 interface FastEthernet0/0
*Mar 5 02:18:49.733: IP ARP: sent req src 155.1.146.1 000f.f756.6560, dst 150.1.6.6 0000.0000.0000 FastEthernet0/0
*Mar 5 02:18:49.733: IP: s=155.1.146.1 (local), d=150.1.6.6 (FastEthernet0/0), len 100, encapsulation failed.
- Resolution: 1) change the static route so it uses a next hop rather than ARPing for the final destination; 2) statically configure the MAC address to use when sending packets to the loopback of R6 with the command: router(config)# arp 150.1.6.6 <mac> arpa
Q-OSPF
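As an added example (not part of the original post), here is a small Python parser that spots this failure mode in “debug ip packet” / “debug arp” output: it pairs ARP requests with replies and reports any destination that was ARPed for but never answered, together with the encapsulation failures seen for it. The sample text reuses the three debug lines above and adds a constructed successful exchange for 155.1.146.4 so the parser has a resolved case to ignore.

```python
import re

# Constructed sample: the three debug lines from the note, plus a constructed
# successful request/reply for another host so the resolved case is covered.
SAMPLE_DEBUG = """\
*Mar 5 02:18:49.733: IP ARP: creating incomplete entry for IP address: 150.1.6.6 interface FastEthernet0/0
*Mar 5 02:18:49.733: IP ARP: sent req src 155.1.146.1 000f.f756.6560, dst 150.1.6.6 0000.0000.0000 FastEthernet0/0
*Mar 5 02:18:49.733: IP: s=155.1.146.1 (local), d=150.1.6.6 (FastEthernet0/0), len 100, encapsulation failed.
*Mar 5 02:18:50.101: IP ARP: sent req src 155.1.146.1 000f.f756.6560, dst 155.1.146.4 0000.0000.0000 FastEthernet0/0
*Mar 5 02:18:50.105: IP ARP: rcvd rep src 155.1.146.4 0011.2233.4455, dst 155.1.146.1 FastEthernet0/0
"""

# ARP request: capture the target IP and the egress interface.
SENT_REQ = re.compile(r"IP ARP: sent req src \S+ \S+, dst (\S+) \S+ (\S+)$")
# ARP reply: capture the IP that answered and the interface it came in on.
RCVD_REP = re.compile(r"IP ARP: rcvd rep src (\S+) \S+, dst \S+ (\S+)$")
# Packet debug line produced when no L2 address is known for the destination.
ENCAP_FAIL = re.compile(r"IP: s=\S+ \(\S+\), d=(\S+) \((\S+)\), len \d+, encapsulation failed")


def find_unresolved(debug_text):
    """Return {ip: {"interface", "requests", "failures"}} for every destination
    the router ARPed for (or failed to encapsulate to) but never got a reply from."""
    state = {}

    def entry_for(ip, intf):
        return state.setdefault(ip, {"interface": intf, "requests": 0, "failures": 0, "replied": False})

    for line in debug_text.splitlines():
        if m := SENT_REQ.search(line):
            ip, intf = m.groups()
            entry_for(ip, intf)["requests"] += 1
        elif m := RCVD_REP.search(line):
            ip, _ = m.groups()
            if ip in state:
                state[ip]["replied"] = True
        elif m := ENCAP_FAIL.search(line):
            ip, intf = m.groups()
            entry_for(ip, intf)["failures"] += 1
    # Drop the internal "replied" flag and keep only the unanswered targets.
    return {ip: {k: v for k, v in e.items() if k != "replied"}
            for ip, e in state.items() if not e["replied"]}


if __name__ == "__main__":
    for ip, info in find_unresolved(SAMPLE_DEBUG).items():
        print(f"{ip} on {info['interface']}: {info['requests']} ARP request(s) unanswered, "
              f"{info['failures']} encapsulation failure(s)")
```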
Posted in InternetworkExp, tutorials | Tagged arp, multipoint broadcast interface, proxy arp, routing, static routes