This section will pick up from where we left off in the previous article. We are configuring the following network:

OSPF-DIAG-1

Area 0 should be completely configured and the other two areas should also have been configured in a similar manner. Here are the configuration commands for R3 that will also apply to R5:

R3(config)#interface loopback 0

R3(config-if)#ip address 10.32.0.1 255.255.255.0

R3(config-if)#no shutdown

R3(config)#interface fastEthernet 0/0

R3(config-if)#ip address 10.0.0.10 255.255.255.252

R3(config-if)#no shutdown


R3(config)#router ospf 25

R3(config-router)#network 10.0.0.10 0.0.0.0 area 32

R3(config-router)#network 10.32.0.0 0.0.255.255 area 32

R3(config-router)#router-id 0.0.0.3

R3(config-router)#auto-cost reference-bandwidth 100000

The first change that we are going to make in area 0 is to modify the DR/BDR roles. Currently, R4 holds the DR role and R2 is the BDR for this shared Ethernet segment.

OSPF-NEIGHBOR-1

Suppose that R1 is a newer router compared to the other two and we want it to hold the DR role, while R4, which is our second best router in this shared Ethernet segment, should become our BDR. To make this change we will go under the interface that connects R1 to R2/R4, which is FastEthernet 0/0, and modify the priority.

R1(config)#interface fastEthernet 0/0

R1(config-if)#ip ospf priority 100

In a similar manner we will connect to R4 and modify its priority to be 50. Let’s take a look at our neighbor command to see if this has changed anything.

OSPF-NEIGHBOR-2

Notice that R4’s priority is now 50 and, even though our priority is 100, it is still the DR for this network segment. When there is a change in priority that would cause a new DR/BDR to be elected, OSPF will not go through the election procedure unless we restart or clear the OSPF process, which will cause our adjacencies to come down. I will go ahead and clear the OSPF process on R4 and R2 to cause an election to happen again.

R4#clear ip ospf process

OSPF-PROCESS-1

Note that if you clear the OSPF process on R4 first then R2 will become the DR since it is already marked as the BDR and therefore we must clear them on both. After we are finished clearing the OSPF process we get the following results:

OSPF-NEIGHBOR-3

R2 is labeled as the DROTHER while R4 is the BDR which will make us the DR and we can verify this via the following command.

OSPF-INT-1

This shows our interface labeled as the DR. Note that the priority can be a value between 0 and 255, where a value of 0 will disable that interface from participating in the DR/BDR election.
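To make the election behaviour above concrete, here is a small model (added example, not code from the original article) of how the DR/BDR roles move on a broadcast segment: a fresh election ranks eligible routers by priority (highest router ID breaks ties), a priority change alone never pre-empts the current DR/BDR, and clearing the process on the DR promotes the BDR first. The router names, priorities and router IDs are constructed to match the R1/R2/R4 segment described above.

```python
# Added example (not from the article): a model of OSPF DR/BDR election on a
# broadcast segment. Router names, priorities and router IDs are constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Router:
    name: str
    priority: int     # ip ospf priority, 0..255; 0 means never DR/BDR
    router_id: str    # dotted-quad router-id, highest wins ties

Roles = Tuple[Optional[Router], Optional[Router]]  # (DR, BDR)

def _rank(r: Router):
    # Higher priority first, then higher router ID.
    return (r.priority, tuple(int(o) for o in r.router_id.split(".")))

def _best(routers: List[Router]) -> Optional[Router]:
    return max(routers, key=_rank, default=None)

def elect(routers: List[Router]) -> Roles:
    """Fresh election, e.g. all routers start at the same time.
    Priority 0 routers are ineligible."""
    ranked = sorted((r for r in routers if r.priority > 0), key=_rank, reverse=True)
    dr = ranked[0] if ranked else None
    bdr = ranked[1] if len(ranked) > 1 else None
    return dr, bdr

def after_priority_change(current: Roles, routers: List[Router], cleared: bool) -> Roles:
    """OSPF does not pre-empt: changing a priority keeps the existing DR/BDR.
    Only restarting the process (clear ip ospf process) re-runs the election."""
    return elect(routers) if cleared else current

def clear_process(current: Roles, routers: List[Router], cleared_name: str) -> Roles:
    """Clear the OSPF process on one router. The cleared router rejoins as
    DROTHER; if it was the DR the BDR is promoted and a new BDR is elected."""
    dr, bdr = current
    remaining = [r for r in routers if r.priority > 0 and r.name != cleared_name]
    if dr is not None and dr.name == cleared_name:
        new_dr = bdr
        rest = [r for r in remaining if new_dr is None or r.name != new_dr.name]
        return new_dr, _best(rest)
    if bdr is not None and bdr.name == cleared_name:
        rest = [r for r in remaining if dr is None or r.name != dr.name]
        return dr, _best(rest)
    return current

if __name__ == "__main__":
    r1, r2, r4 = Router("R1", 100, "0.0.0.1"), Router("R2", 1, "0.0.0.2"), Router("R4", 50, "0.0.0.4")
    segment = [r1, r2, r4]
    roles = (r4, r2)  # state from the article: R4 is DR, R2 is BDR
    print("priority change only:", after_priority_change(roles, segment, cleared=False))
    roles = clear_process(roles, segment, "R4")
    print("after clearing R4:", roles)   # R2 promoted to DR, R1 becomes BDR
    roles = clear_process(roles, segment, "R2")
    print("after clearing R2:", roles)   # R1 DR, R4 BDR, R2 DROTHER
```

Walking the model through the article's steps reproduces the caveat in the text: clearing only R4 leaves R2 as DR, and both R4 and R2 have to be cleared before R1 ends up as DR with R4 as BDR.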

Now that we have learned how to tweak the OSPF priority, we can move to the next portion, which is optimizing our timers. By default, OSPF will send Hello messages every 10 seconds and will declare a neighbor dead if no Hello has been received from it for 40 seconds. In time-sensitive production networks where we need to minimize the amount of downtime, 40 seconds is a long time to wait before we reconverge and find an alternate path should a neighbor go down. When we make a change to OSPF timers on an interface we have to remember to change it on our neighboring devices as well, because the timers have to match or the neighbor relationship will never come up. Let’s go ahead and modify the timers in Area 0.

R1(config)#interface fastEthernet 0/0

R1(config-if)#ip ospf hello-interval 1

R1(config-if)#ip ospf dead-interval 4

Note that both the dead and hello intervals take a value in seconds and you should always make your dead interval greater than your hello interval. You want to have some breathing room so that in case a hello is missed then the neighbor relationship won’t come down. We can verify the timers via the following command:

OSPF-INT-2

The other two timers that we see here are the wait and retransmit intervals. Here is a description that I pulled from the Cisco site over at this link that explains these well:

Wait: Timer interval that causes the interface to exit out of the wait period and select a DR on the network. This timer is always equal to the dead timer interval.

Retransmit: Time to wait before retransmitting a database description (DBD) packet when it has not been acknowledged.

So far we have done modifications that will help with the performance of the OSPF operations, and we need to start applying security measures that will keep our network secure. The first security measure that we will configure is passive interfaces, so that we don’t create neighbor relationships where there are no routers attached. In our example network we will configure both R3 and R5 as they have /24 networks that are to be used for our end devices. Let’s configure one of the networks on R3:

R3(config)#router ospf 25

R3(config-router)#passive-interface loopback 0

In a similar manner you can configure the other interfaces. Note that a passive interface is still advertised via OSPF to your neighbors but no neighbor relationships can be formed over them. Alternatively, instead of configuring each interface as passive we can disable the router from forming neighbors completely on all interfaces via the following command

R3(config-router)#passive-interface default

We can then follow that up with the following command to only allow certain interfaces to form relationships.

R3(config-router)#no passive-interface TYPE#/#

You can choose either method for configuring passive interfaces. The whitelisting or blacklisting strategy is up to you. We can easily verify passive interfaces via the show ip protocols command.

OSPF-PROT-1

We will now configure authentication so that only our devices that will have a matching passphrase will establish a neighbor relationship. When we enable authentication we can enable it for the entire area or on an interface by interface basis. We will see both methods in this example. We will enable authentication for area 0 first on R1:

R1(config)#interface  fastEthernet 0/0

R1(config-if)#ip ospf message-digest-key 1 md5 CISCO

R1(config)#router ospf 25

R1(config-router)#area 0 authentication message-digest

Note: The maximum length of the passphrase is 16 characters.

The first command configures the MD5 passphrase on the interface that connects R1 to area 0. The second command will enable authentication for the entire area. When we configure the first command, the key number (which in this case is 1) as well as the passphrase CISCO has to match on the other routers (R2 and R4) within area 0. Note that typing the first command will not bring down the neighbor relationship, but typing the second command will if the authentication information on the other routers doesn’t match. Now that we know how to configure authentication for the entire area, let’s look at configuring authentication for just one interface.

Let’s go ahead and configure the R2 and R3 link for authentication without enabling it on the entire area. We can do so with the following commands:

R2(config)#interface fastEthernet 1/0

R2(config-if)#ip ospf message-digest-key 2 md5 HELLO

R2(config-if)#ip ospf authentication message-digest

The first command is the same as what we used above, while the second command will enable authentication on this interface only. Finish configuring R3 in a similar manner so that the neighbor relationship comes back up.

To see if interface has been enabled for MD5 authentication you can view the information via the show ip ospf interface command.

OSPF-INT-3
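The key number and the 16-character limit mentioned above follow from how OSPF MD5 authentication works: the key ID travels in the packet header so the receiver knows which key to use, and the key itself is a fixed 16-byte value (shorter passphrases are padded with zeros) that is appended to the packet before hashing. The following is an added example, not code from the article or from Cisco IOS, that models the RFC 2328 Appendix D scheme on a constructed Hello packet and shows why a neighbor with the wrong key or the wrong key ID is rejected. The header layout follows RFC 2328; the replay check on the cryptographic sequence number is a simplified version of what a router does.

```python
# Added example (not from the article): a model of OSPF MD5 (cryptographic)
# authentication as described in RFC 2328 Appendix D. The Hello packet and
# keys below are constructed test data.
import hashlib
import hmac
import struct
from typing import Dict, Tuple

KEY_LEN = 16  # OSPF MD5 keys are exactly 16 bytes, hence the 16-character limit

def pad_key(key: str) -> bytes:
    raw = key.encode("ascii")
    if len(raw) > KEY_LEN:
        raise ValueError("OSPF MD5 key must be at most 16 characters")
    return raw.ljust(KEY_LEN, b"\x00")

def ospf_packet(router_id: str, area_id: str, key_id: int, seq: int) -> bytes:
    """Constructed OSPF v2 Hello (type 1) with auth type 2 (cryptographic).
    Header: ver, type, length, router id, area id, checksum (0 for MD5),
    auth type, then the 8-byte auth field: 0, key id, auth len, sequence."""
    body = struct.pack("!4sHBBI4s4s", bytes([255, 255, 255, 252]), 1, 0x02, 100, 4,
                       bytes(4), bytes(4))  # mask, hello, options, prio, dead, DR, BDR
    rid = bytes(int(o) for o in router_id.split("."))
    aid = bytes(int(o) for o in area_id.split("."))
    header = struct.pack("!BBH4s4sHH", 2, 1, 24 + len(body), rid, aid, 0, 2)
    header += struct.pack("!HBBI", 0, key_id, KEY_LEN, seq)
    return header + body

def sign(packet: bytes, key: str) -> bytes:
    # Digest over packet + padded key; the digest is appended after the packet.
    return packet + hashlib.md5(packet + pad_key(key)).digest()

def verify(signed: bytes, keys: Dict[int, str], last_seq: int) -> Tuple[bool, str]:
    """Receiver side: pick the key by key ID, recompute the digest, and
    require a non-decreasing cryptographic sequence number."""
    packet, digest = signed[:-16], signed[-16:]
    key_id = packet[18]
    seq = struct.unpack("!I", packet[20:24])[0]
    if packet[14:16] != b"\x00\x02":
        return False, "authentication type mismatch"
    if key_id not in keys:
        return False, f"no key configured for key id {key_id}"
    expected = hashlib.md5(packet + pad_key(keys[key_id])).digest()
    if not hmac.compare_digest(expected, digest):
        return False, "digest mismatch (wrong passphrase)"
    if seq < last_seq:
        return False, "sequence number went backwards (replay)"
    return True, "ok"

if __name__ == "__main__":
    hello = sign(ospf_packet("0.0.0.1", "0.0.0.0", 1, 1000), "CISCO")
    print(verify(hello, {1: "CISCO"}, last_seq=999))   # (True, 'ok')
    print(verify(hello, {1: "cisco"}, last_seq=999))   # digest mismatch
    print(verify(hello, {2: "CISCO"}, last_seq=999))   # key id 2 != 1
```

The model makes the article's observation visible: R2 and R4 must carry the same key ID and the same passphrase as R1, because the receiver selects the key by ID and then recomputes the digest with it.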

The next OSPF topic that I will cover is that of summarization. In OSPF we can only do route summarization at the ABR and ASBR. This means that in our sample network we will only be able to configure summarization at R1, R2, and R4. The purpose of summarization is to make the routing table smaller because a smaller routing table will give us quicker lookups. Looking at the routing table for R1 we see some routes that can be summarized nicely.

OSPF-ROUTE-1

The routes that can be summarized are the networks behind both R5 and R3. Let’s start by finding the summary address for the network behind R5 first.

172.45.0.0/24

172.45.1.0/24

172.45.2.0/24

172.45.3.0/24

This summary address is very easy to find: it is 172.45.0.0/22, which covers exactly the four networks that we are trying to summarize.

For the five networks behind R3

10.32.0.0/24

10.32.1.0/24

10.32.2.0/24

10.32.3.0/24

10.32.5.0/24

I will do something that is a little different. For these five networks we can, in a similar manner, summarize the 0-3 networks using the same /22 mask as above, but another option is to use a /21, which will cover all 5 networks but will also include

10.32.4.0/24

10.32.6.0/24

10.32.7.0/24

even though they are not assigned yet. The reason for doing this is that when you are assigning networks to be used throughout your enterprise, you want to be able to group similar ranges so that later on you can summarize them. With that said, keeping the 10.32.0-7.0/24 networks in area 32 for future use will allow us to create a better summary address than if we separate them by putting 10.32.4.0, 10.32.6.0, and 10.32.7.0 in other areas.

Let’s start by configuring summarization on R4 since this is the ABR that connects area 45 to area 0. The summarization command is applied under the OSPF routing process:

R4(config)#router ospf 25

R4(config-router)#area 45 range 172.45.0.0 255.255.252.0

One thing to note about this command is that the subnets that we are summarizing must exist in the area we are specifying. What we are saying in the command above is that all the subnets 172.45.0-3.0/24 exist in area 45. The ABR, which in this case is R4, will advertise the summary address into all other areas connected to it. Since we only have area 0 connected to R4, area 0 will get the summary address, but if we had other areas they would get it too.

We know from previous examples that ABRs generate type 3 LSAs. R4 in this case is generating a type 3 LSA for each of the 172.45.0-3.0/24 networks. When we advertise a summary route, R4 will check to see if there is a type 3 LSA that falls within the range of our summary address and advertise the summary route instead if it finds one. When there are multiple type 3 LSAs that fall within the range of the summary address, the router will by default pick the best metric among all the networks for the summary route. Note that we can explicitly set the cost of the summary route, and if there is no matching network then the ABR will never advertise the summary.

Looking at the routing table for R1 we can now see that it has gotten smaller:

OSPF-ROUTE-2

In a similar manner, we will configure summarization in R2.

R2(config)#router ospf 25

R2(config-router)#area 32 range 10.32.0.0 255.255.248.0 cost 10

Note that I explicitly set the cost with this summary route so that we know how to manually do so. The new type 3 LSA that R2 is advertising into area 0 can be seen below:

OSPF-WIRESHARK-1

Notice the new mask and metric that R2 is sending over into area 0.

OSPF-ROUTE-3

The routing table on R1 has been reduced even more. Let’s look at one of the ABRs to see what they have in their routing table.

OSPF-ROUTE-4

Notice that R2 has a route that leads to an interface named Null0. In fact, anything destined for the summary address will go to Null0. We know that the summary route encompasses networks that have not been defined yet. The following networks

10.32.4.0/24

10.32.6.0/24

10.32.7.0/24

will by default match the summary address and go to Null0 because there isn’t a more specific route in the routing table of R2. When a router gets a packet it will examine the destination IP address to figure out which network it belongs to. It will then do a lookup against that network in its routing table and select the entry that is the most specific. This means that the router will choose the entry in its routing table that has the longest mask.
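The longest-match behaviour and the Null0 discard route described above can be reproduced with a small routing-table model. This is an added example, not the article's own code; the table below is constructed from R2's summary and the /24 networks behind R3, and the next-hop labels are placeholders since the article does not show R2's actual next hops.

```python
# Added example (not from the article): longest-prefix-match lookup against a
# constructed routing table modelled on R2 after the "area 32 range" command.
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed table: next-hop labels are placeholders, not R2's real output.
R2_TABLE: Dict[str, str] = {
    "10.32.0.0/21": "Null0",            # summary route installed by the ABR
    "10.32.0.0/24": "via R3 (placeholder)",
    "10.32.1.0/24": "via R3 (placeholder)",
    "10.32.2.0/24": "via R3 (placeholder)",
    "10.32.3.0/24": "via R3 (placeholder)",
    "10.32.5.0/24": "via R3 (placeholder)",
}

def lookup(table: Dict[str, str], dest: str) -> Optional[Tuple[str, str]]:
    """Return (prefix, next hop) for the most specific matching route,
    i.e. the matching entry with the longest mask, or None if nothing matches."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, nexthop in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return (str(best[0]), best[1]) if best else None

def discarded_subnets(table: Dict[str, str], new_prefix: int = 24) -> List[str]:
    """Subnets inside a Null0 summary with no more specific route: traffic for
    them is silently dropped, which is what the article observes on R2."""
    specifics = {ipaddress.ip_network(p) for p, nh in table.items() if nh != "Null0"}
    result = []
    for prefix, nexthop in table.items():
        if nexthop == "Null0":
            for sub in ipaddress.ip_network(prefix).subnets(new_prefix=new_prefix):
                if not any(s.subnet_of(sub) for s in specifics):
                    result.append(str(sub))
    return result

if __name__ == "__main__":
    print(lookup(R2_TABLE, "10.32.1.20"))   # specific /24 wins over the /21
    print(lookup(R2_TABLE, "10.32.4.7"))    # only the /21 matches -> Null0
    print(lookup(R2_TABLE, "10.32.9.1"))    # outside the summary -> None
    print(discarded_subnets(R2_TABLE))      # 10.32.4.0/24, 10.32.6.0/24, 10.32.7.0/24
```

From a defender's point of view the discard route is a feature: traffic for the unassigned 10.32.4.0, 10.32.6.0 and 10.32.7.0 networks is dropped on the ABR instead of following a default route, and discarded_subnets() is the kind of check that catches a summary that silently swallows a subnet that was meant to be reachable.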

Notice that our networks are being advertised with a /32 mask rather than a /24. This is because OSPF is smart enough to know that these are loopback interfaces.

OSPF-INT-4

What we are going to do is trick OSPF into thinking that this is a point-to-point network. A point-to-point network is the default OSPF network type if you connect two routers using serial interfaces.

R3(config)#interface loopback 0

R3(config-if)#ip ospf network point-to-point

After modifying the network type for the loopback interfaces we can see that the subnet mask is now reflecting a /24 rather than the /32.

OSPF-ROUTE-5

The last thing that I will cover in this article is how to figure out a summary address. I noticed that I didn’t go into much details above on how I found the summary addresses so I will do so here before finalizing. Let’s go ahead and use the following 4 addresses as an example.

172.16.1.0/24

172.16.2.0/24

172.16.3.0/24

172.16.4.0/24

We are looking to summarize these 4 different subnets into one summary address. The first thing that I do is identify the octet where the addressing differs. In the above example, the third octet is where they start to differ. We then convert the third octet to binary to find out how many bits match which will later on become our subnet mask. I have converted the third octet to binary for the four networks below

00000001

00000010

00000011

00000100

Notice that in this case the first 5 bits in the third octet match. This means that we have a total of 21 bits matching, including the first and second octets. Our summary address is therefore 172.16.0.0/21. When we use this address mask we are also wasting the following networks:

172.16.0.0/24

172.16.5.0/24

172.16.6.0/24

172.16.7.0/24

because it encompasses the networks from 0 – 7. This means that we won’t be able to use those networks anywhere else but here in the future due to the summary address. So this finishes up this article and in the next section I will cover OSPF area types as well as external routes. Thank you for reading this article.
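The procedure above (find the octet where the networks differ, convert it to binary, count the leading bits that match, and note which networks the summary swallows) is mechanical enough to script. The following is an added example, not code from the article: it carries the method through for the 172.16.1-4.0/24 case and also generalises it to the two summaries used earlier, printing the `area ... range` command in the mask format IOS expects. The area numbers passed in are taken from the article; everything else is standard library.

```python
# Added example (not from the article): compute an OSPF summary address the
# way the article does by hand, and list the subnets the summary also covers.
import ipaddress
from typing import List, Tuple

def octet_binary(prefixes: List[str], octet: int) -> List[str]:
    """Binary form of one octet (1-based) of each network address, which is
    the column the article compares by eye."""
    return [format(int(str(ipaddress.ip_network(p).network_address).split(".")[octet - 1]), "08b")
            for p in prefixes]

def summarize(prefixes: List[str]) -> Tuple[str, List[str]]:
    """Smallest single prefix covering all networks, plus the subnets (at the
    longest original mask) that it covers but that were not in the list."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    first = int(nets[0].network_address)
    longest = max(n.prefixlen for n in nets)
    summary = None
    # Shorten the mask one bit at a time until every network fits inside it.
    for plen in range(min(n.prefixlen for n in nets), -1, -1):
        candidate = ipaddress.ip_network((first, plen), strict=False)
        if all(n.subnet_of(candidate) for n in nets):
            summary = candidate
            break
    wasted = [str(s) for s in summary.subnets(new_prefix=longest) if s not in nets]
    return str(summary), wasted

def range_command(area: int, summary: str) -> str:
    """The IOS 'area <n> range' line, using a dotted mask as in the article."""
    net = ipaddress.ip_network(summary)
    return f"area {area} range {net.network_address} {net.netmask}"

if __name__ == "__main__":
    example = ["172.16.1.0/24", "172.16.2.0/24", "172.16.3.0/24", "172.16.4.0/24"]
    print(octet_binary(example, 3))        # ['00000001', '00000010', '00000011', '00000100']
    print(summarize(example))              # ('172.16.0.0/21', [172.16.0/5/6/7.0/24])
    area45 = ["172.45.%d.0/24" % i for i in range(4)]
    area32 = ["10.32.%d.0/24" % i for i in (0, 1, 2, 3, 5)]
    print(range_command(45, summarize(area45)[0]))   # area 45 range 172.45.0.0 255.255.252.0
    print(range_command(32, summarize(area32)[0]))   # area 32 range 10.32.0.0 255.255.248.0
```

Running it on the article's own ranges reproduces both commands used earlier (the /22 for area 45 with nothing wasted, the /21 for area 32 that also absorbs 10.32.4.0, 10.32.6.0 and 10.32.7.0), which is a quick way to double-check a summary before it goes into the ABR's configuration.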
