Tuesday, August 2, 2011

Configuring Advanced OSPF

In this blogtorial we are going to talk about OSPF redistribution, authentication, ASBR, and default routes.


OSPF redistribution: We can redistribute networks into OSPF from static, connected, or from other protocols such as EIGRP.


Authentication: We can configure MD5 authentication on OSPF so that a router only accepts OSPF packets from neighbors that share the same key.


ASBR: Autonomous System Boundary Router -- basically a router which connects to networks using a routing protocol other than OSPF and injects routes into OSPF from those routing protocols.


Overview: We have Area 1 connected to Area 0 and EIGRP AS 10 connected to Area 0 through R2. We will take routes learned through EIGRP and inject them into OSPF and we will also take routes learned from Area 1 and inject them into Area 0 and vice-versa.

We are going to be building on the topology from my previous blogtorial "Configuring Basic OSPF". So let's get started.



Relevant configurations are posted below.


R2 is now configured with EIGRP 10; note the redistribute and default-metric commands. redistribute ospf 1 gets the OSPF routes into EIGRP, but if you do not set the seed metric using default-metric, none of the OSPF routes will end up in the EIGRP domain.

R2#sh run | sec eigrp
router eigrp 10
 redistribute connected
 redistribute ospf 1 ** This is so we can get OSPF into EIGRP **
 network 10.2.2.0 0.0.0.255
 default-metric 100000 1 255 1 1500 **Seed metric or else routes will not get injected **
 auto-summary

R2#sh run | sec ospf
router ospf 1
 log-adjacency-changes
 redistribute connected subnets
 redistribute eigrp 10 subnets ** This is so we can get EIGRP into OSPF **
 network 10.0.0.0 0.0.0.255 area 0

R6#sh run | sec eigrp
router eigrp 10
 network 10.2.2.0 0.0.0.255
 network 172.16.6.0 0.0.0.255
 no auto-summary ** Without no auto-summary, OSPF will end up with a route for 172.16.0.0/16 via 10.0.0.2 **

Notice below that R4 has a route to the loopback network 172.16.6.0/24 on R6 (which is not in the OSPF domain). Thanks to our ASBR we now have route injection between EIGRP and OSPF.

R4#sh ip route
O E2    172.16.6.0 [110/20] via 10.0.0.2, 00:05:22, FastEthernet1/0
R4#ping 172.16.6.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.6.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/56/88 ms

Now let's look at how R2 acts as an ABR (Area Border Router) and interacts with Area 1.

R4#sh run int fast1/1
interface FastEthernet1/1
 ip address 10.1.1.4 255.255.255.0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 ithitman
 duplex auto
 speed auto
end

R5#sh run int fast1/0
interface FastEthernet1/0
 ip address 10.1.1.5 255.255.255.0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 ithitman
 duplex auto
 speed auto
end

** If you would like to enable authentication on an entire area, use area # authentication message-digest under router ospf process-id; this will force every router in that area to use authentication. **
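What `ip ospf authentication message-digest` does on the wire, following RFC 2328 Appendix D, as an added example that is not part of the original post: the sender appends MD5(packet || key) and the receiver recomputes it. The Hello contents, router ID and sequence numbers are constructed values, and zero-padding the key to 16 bytes is an assumption.

```python
import hashlib
import hmac
import struct

def pad_key(key: str) -> bytes:
    """Shared secret as a 16-byte field (zero-padding short keys is assumed here)."""
    raw = key.encode()
    if len(raw) > 16:
        raise ValueError("OSPF MD5 keys are at most 16 bytes")
    return raw.ljust(16, b"\x00")

def build_hello(router_id: bytes, area_id: bytes, key_id: int, seq: int) -> bytes:
    """Constructed OSPFv2 Hello with no neighbors listed, AuType 2."""
    body = struct.pack("!4sHBBI4s4s", bytes([255, 255, 255, 0]), 10, 0x02, 1, 40,
                       bytes(4), bytes(4))
    # Header: version 2, type 1 (Hello), length (digest not counted), router ID,
    # area ID, checksum 0 (unused with AuType 2), AuType 2, then the 8-byte
    # authentication field: 0, Key ID, digest length 16, sequence number.
    header = struct.pack("!BBH4s4sHHHBBI", 2, 1, 24 + len(body), router_id,
                         area_id, 0, 2, 0, key_id, 16, seq)
    return header + body

def sign(packet: bytes, key: str) -> bytes:
    """Append MD5(packet || key); the key itself is never sent."""
    return packet + hashlib.md5(packet + pad_key(key)).digest()

def verify(wire: bytes, keys: dict, last_seq: int) -> str:
    """Receiver checks: known Key ID, non-decreasing sequence number, digest."""
    (length,) = struct.unpack("!H", wire[2:4])
    autype, _, key_id, auth_len, seq = struct.unpack("!HHBBI", wire[14:24])
    if autype != 2 or key_id not in keys:
        return "reject: authentication type or key id mismatch"
    if seq < last_seq:
        return "reject: stale sequence number"
    expected = hashlib.md5(wire[:length] + pad_key(keys[key_id])).digest()
    if not hmac.compare_digest(wire[length:length + auth_len], expected):
        return "reject: bad digest"
    return "accept"

# R4 side signs with the key from the post; R5 side verifies with the same key.
# Router ID 172.16.4.1 is a constructed value; area 0.0.0.1 is Area 1.
WIRE = sign(build_hello(bytes([172, 16, 4, 1]), bytes([0, 0, 0, 1]), 1, 100), "ithitman")
print(verify(WIRE, {1: "ithitman"}, last_seq=100))
```

The digest authenticates the packet but does not encrypt it, so the advertised routes stay readable on the segment. A key ID or key mismatch between R4 and R5 fails these checks and the adjacency does not form.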

R4#sh run | sec ospf
router ospf 1
 log-adjacency-changes
 redistribute connected subnets
 network 10.0.0.0 0.0.0.255 area 0
 network 10.1.1.0 0.0.0.255 area 1

R5#sh run | sec ospf
router ospf 1
 log-adjacency-changes
 network 10.1.1.0 0.0.0.255 area 1
 network 172.16.5.0 0.0.0.255 area 1

Notice R2 has a route for 172.16.5.0/24 and it is listed as IA (inter-area, meaning it is coming from another area, which in this case is Area 1).

R2#sh ip route
     172.16.0.0/16 is variably subnetted, 6 subnets, 2 masks
O IA    172.16.5.1/32 [110/3] via 10.0.0.4, 00:14:05, FastEthernet1/0
O E2    172.16.4.0/24 [110/20] via 10.0.0.4, 01:48:13, FastEthernet1/0
D       172.16.6.0/24 [90/156160] via 10.2.2.6, 00:03:37, FastEthernet1/1
O E2    172.16.1.0/24 [110/20] via 10.0.0.1, 01:46:38, FastEthernet1/0
C       172.16.2.0/24 is directly connected, Loopback0
O E2    172.16.3.0/24 [110/20] via 10.0.0.3, 01:47:07, FastEthernet1/0
     10.0.0.0/24 is subnetted, 3 subnets
C       10.2.2.0 is directly connected, FastEthernet1/1
O IA    10.1.1.0 [110/2] via 10.0.0.4, 00:29:29, FastEthernet1/0
C       10.0.0.0 is directly connected, FastEthernet1/0

R5#sh ip route
     172.16.0.0/24 is subnetted, 6 subnets
O E2    172.16.4.0 [110/20] via 10.1.1.4, 00:39:19, FastEthernet1/0
C       172.16.5.0 is directly connected, Loopback0
O E2    172.16.6.0 [110/20] via 10.1.1.4, 00:13:33, FastEthernet1/0 ** These are E2 because they are coming from redistribute connected subnets ** 
O E2    172.16.1.0 [110/20] via 10.1.1.4, 00:39:19, FastEthernet1/0
O E2    172.16.2.0 [110/20] via 10.1.1.4, 00:39:19, FastEthernet1/0
O E2    172.16.3.0 [110/20] via 10.1.1.4, 00:39:19, FastEthernet1/0
     10.0.0.0/24 is subnetted, 3 subnets
O E2    10.2.2.0 [110/20] via 10.1.1.4, 00:39:19, FastEthernet1/0
C       10.1.1.0 is directly connected, FastEthernet1/0
O IA    10.0.0.0 [110/2] via 10.1.1.4, 00:39:19, FastEthernet1/0 ** Notice IA. This is because it is coming from Area 0** 

As you can see we have routes from Area 1 injected into Area 0 and vice-versa. We also have EIGRP routes injected into OSPF domain and vice-versa. We also have authentication between R5 and R4. 


Now what if R1 has a 100mb fiber feed to the internet and you would like all routers to use R1 as their default gateway? Well, we can use default-information originate to take care of that.



R1#sh run | sec ospf
router ospf 1
 log-adjacency-changes
 redistribute connected subnets
 network 10.0.0.0 0.0.0.255 area 0
 default-information originate always ** Since I do not have a static default gateway or BGP-learned default in the routing table, default-information originate won't work unless I add the "always" option, which will inject a default route into OSPF no matter what **



R2#sh ip route
<-- output shortened -->
O*E2 0.0.0.0/0 [110/1] via 10.0.0.1, 00:00:03, FastEthernet1/0 
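Because redistribution and `default-information originate always` let any misconfigured router inject externals or a default, a check of the routing table against what you expect is useful. The following is an added example, not code from the original post: it parses route lines copied from R2's output above, and the allowlist and the expected default next hop are assumptions supplied by the operator.

```python
import ipaddress
import re

# Route lines copied from R2's "sh ip route" output in this post.
R2_TABLE = """\
     172.16.0.0/16 is variably subnetted, 6 subnets, 2 masks
O IA    172.16.5.1/32 [110/3] via 10.0.0.4, 00:14:05, FastEthernet1/0
O E2    172.16.4.0/24 [110/20] via 10.0.0.4, 01:48:13, FastEthernet1/0
D       172.16.6.0/24 [90/156160] via 10.2.2.6, 00:03:37, FastEthernet1/1
C       172.16.2.0/24 is directly connected, Loopback0
     10.0.0.0/24 is subnetted, 3 subnets
O IA    10.1.1.0 [110/2] via 10.0.0.4, 00:29:29, FastEthernet1/0
O*E2 0.0.0.0/0 [110/1] via 10.0.0.1, 00:00:03, FastEthernet1/0
"""
HEADER = re.compile(r"^\s*\d+\.\d+\.\d+\.\d+/(\d+) is (variably )?subnetted")
ROUTE = re.compile(r"^\s*([A-Z])(\*?)\s*(E1|E2|N1|N2|IA)?\s+(\d+\.\d+\.\d+\.\d+)"
                   r"(?:/(\d+))?\s+\[\d+/\d+\] via (\d+\.\d+\.\d+\.\d+)")

def parse_routes(text):
    """Return (code, subtype, network, next_hop) for each learned route line."""
    routes, inherited = [], None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            # Under "is subnetted" the child lines omit the mask and inherit it;
            # under "variably subnetted" every child carries its own mask.
            inherited = None if h.group(2) else int(h.group(1))
            continue
        m = ROUTE.match(line)
        if not m:
            continue  # connected routes and banners have no [AD/metric] via ...
        code, _, subtype, addr, plen, nh = m.groups()
        plen = int(plen) if plen is not None else inherited
        if plen is not None:
            net = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
            routes.append((code, subtype, net, nh))
    return routes

def audit_externals(text, allowed, default_next_hop):
    """List OSPF external routes outside the expected redistribution."""
    allowed = [ipaddress.ip_network(a) for a in allowed]
    findings = []
    for code, subtype, net, nh in parse_routes(text):
        if code != "O" or subtype not in ("E1", "E2", "N1", "N2"):
            continue
        if net.prefixlen == 0 and nh != default_next_hop:
            findings.append(f"default route from unexpected next hop {nh}")
        elif net.prefixlen and not any(net.subnet_of(a) for a in allowed):
            findings.append(f"unexpected external {net} via {nh}")
    return findings
```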


What is next? Maybe configuring virtual-links or connecting areas using GRE tunnels and whatever else I can think of :) 

More articles to come so stay tuned!!