Everything You Need to Know About OSPF

"Everything you'll ever need to know about OSPF" is a bold statement but is goes back to "Mastering the Foundations" something I've been saying for the past 25 days. If you can master these OSPF foundations the rest is icing on the cake.

PRO-TIP: Don't treat this as a long list of items to memorize but rather a checklist of topics to lab up.

Default Behavior

• Won't start unless OSPF can determine a router-id
• Router-id determined:
1. Configured router-id
2. Highest loopback IP address
3. Highest interface IP address
• Every router within an area must have the same OSPF database
• Filtering/Summaries happen at the ABR
• Default Priority = 1, highest priority becomes the DR (where applicable)
• A Priority of "0" means router will NOT participate in DR/BDR elections.

OSPF Network Types

Broadcast

• Default for Ethernet interfaces
• Elects DR/BDR
• Uses Multicast
• Allows more than 2 routers on a link
• Timers: Hello - 10, Dead  - 40

Non-Broadcast

• Elects a DR/BDR
• Uses Unicast (neighbor statements)
• Allows more the 2 routers on a link
• Timers: Hello - 30, Dead - 120

Point-to-Point

• Default for Serial and Tunnel interfaces
• Does NOT elect DR/BDR
• Uses Multicast
• Only 2 routers allowed on a link
• Timers: Hello - 10, Dead - 40

Point-to-MultiPoint

• Does NOT elect DR/BDR
• Uses Multicast
• Allows more than 2 routers on a link
• Installs /32 host routes per neighbor
• Timers: Hello - 30, Dead - 120

Point-to-MultiPoint Non-Broadcast

• Does NOT elect DR/BDR
• Uses Unicast (neighbor statements)
• Allows more than 2 routers on a link
• Installs /32 host routes per neighbor
• Timers: Hello - 30, Dead - 120

Loopback

• Default for Loopback interfaces
• When included in OSPF, uses a /32
• To advertise with mask other-than /32, manually set network type to "point-to-point"

LSA Types

LSA Type-1: Router LSA's

• Originated from each router
• Flooded within an area
• Tells the area about all the links participating in OSPF and are associated with that area

LSA Type-2: Network LSA's

• Originated by the DR
• Only DR can originate Type-2 LSA's (If there is no DR their aren't any Type-2's)
• This LSA tells all the routers in an area about all the routers on a shared medium like Ethernet

LSA Type-3: Summary LSA's

• Originated by an ABR
• Carry the destination network prefixes from one area into another

From nonbackbone > backbone

• Connected Routes
• Intra-Area Routes

From backbone > nonbackbone

• Connected Routes
• Intra-Area Routes
• Inter-Area Routes

LSA Type-4: ASBR-Summary LSA's

• Originated by an ABR
• Tells all the other areas about the ASBR
• Tells all the other areas "to get to this Router-ID(ASBR) go through Me(ABR)!"

LSA Type-5: External LSA's

• Originated by an ASBR
• Flooded through out the OSPF domain, except into stubby areas
• Contains the Network prefix and subnet-mask for the external network

LSA Type-7: NSSA External LSA's

• Originated by ASBR
• Exist only in a Not-So-Stubby Area (NSSA)
• Are NOT flooded outside the area they were originated

Area Types

Backbone Area

• Area 0
• Act's as the HUB for all other areas
• Accepts all LSA Types

Normal Area

• All non-stub areas
• Allows LSA's Type: 1, 2, 3, 4, 5 & External Default

Stub Area

• Allows LSA Types: 1, 2, 3 & Summary Default Route ( No External Type-5's )

Totally Stubby Area

• Allows LSA Types: 1, 2 & Summary Default Route

Not-So-Stubby Area (NSSA)

• Allows LSA Types: 1, 2, 3, 7 ( No External Type-5's )
• NSSA's allow redistributing into an area but still maintain it's 'stub area' properties (not allowing External Type-5's)
• Redistributed routes are converted to Type-7 LSA's and advertised throughout the area by the ASBR
• The ABR converts Type-7 LSA's into Type-5's before advertising them into the backbone area.
• LSA Type-7's are only flooded within the area they originate

Totally Not-So-Stubby Area (NSSA)

• Allows LSA Types: 1, 2, 7 & Summary Default Route ( No External Type-5's )
• NO LSA Type-3's

Route Types

• O = Intra-area Route
• O IA = Inter-area Route (Generated by Type-3 LSA's)
• E1 = External Metric Type-1 (Generated by Type-5 LSA's)
• E2 = External Metric Type-2 (Generated by Type-5 LSA's)
• N1 = NSSA Metric Type-1
• N2 = NSSA Metric Type-2

#100DaysOfLabbing - Day 3

Dual Stack - Multi Hub - DMVPN

tl;dr - After failure, success tastes so much sweeter.

Today was all over the map. This morning I came into the labs charging like a bull. I wanted to do IPv6 DMVPN and I did! I was successful. That carried me on a little engineering high knowing I had done something I have never tried before that seemed so foreign and came out of the battle victorious.

But, I'm wise enough to know anyone can get lucky once, but very few get lucky twice.

So I wiped the routers and did it again, minimal errors and mostly from memory... success.

While I was completing my second run through the configs and topology I got an idea for a topology and a challenge: Dual Stack - Multi Hub - DMVPN

I felt comfortable enough with my understanding of the component technologies that I felt could pull it off and I shrugged "what the hell... we'll do it live". (https://www.youtube.com/watch?v=eUFY8Zw0Bag)

As I began the recording I can be quoted as saying something to the effect of "this might take about 30 minutes"... 65 minutes later I ended up at a dead end and I failed.

I got burned by a couple of items:

• I had to pull off the tunnel protection on the IPv4 DMVPN and put it back on for it too work. I'm not sure if this is a bug or have I unknowingly fell victim of order of operations and I didn't know it?
• Others were oversights and mis-configurations.

Have a Process:

When ever I'm writing configs they rarely look like the running-configs from a routers output or are in the same order, instead I build them in layers, like a cake.

1. Think ahead about all the elements that you'll need to complete a task.
2. Which configurable elements can be grouped and entered at the same time?
3. In-between layers, what can you verify?

Following the process from above I would order the tasks as follows:

1. Underlay (NBMA) addresses, connectivty
2. Loopbacks
3. Crypto
4. Tunnel Interface for IPv4 topology
5. Routing protocol for IPv4 topology
6. Verify
7. Tunnel interface for IPv6 topology
8. Routing Protocol for IPv6 topology
9. Verify

The Resources:

I found this group of documents extremely helpful from all aspects of this configuration. It includes specifics on IPv6 addressing which I still wasn't to keen on, but know I'm much more comfortable. It also broke down the elements we need for the IPv6 DMVPN.

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6/configuration/15-2s/ipv6-15-2s-book/ip6-dmvpn.html

The Videos:

Day 3 - Part 1 (more than 1 hour)

Day 3 - Part 2

The Configs:

R1: (IPv4 Hub, IPv6 Spoke)

hostname R1

no ip domain lookup

ip cef

ipv6 unicast-routing

ipv6 cef

crypto isakmp policy 1

 authentication pre-share

crypto isakmp key SHOWIPINTBRI address 0.0.0.0

crypto isakmp key SHOWIPINTBRI address ipv6 ::/0

!

!

crypto ipsec transform-set MYTRANS esp-aes esp-sha256-hmac

 mode tunnel

!

crypto ipsec profile DMVPN

 set transform-set MYTRANS

interface Loopback0

 ip address 1.1.1.1 255.255.255.255

!

interface Loopback6

 no ip address

 ipv6 address FC01::1/128

 ipv6 eigrp 6

!

interface Tunnel0

 ip address 10.123.234.1 255.255.255.0

 no ip redirects

 no ip split-horizon eigrp 90

 ip nhrp map multicast dynamic

 ip nhrp network-id 1234

 tunnel source 172.17.100.1

 tunnel mode gre multipoint

 tunnel protection ipsec profile DMVPN

!

interface Tunnel1

 no ip address

 ipv6 address FE80::1 link-local

 ipv6 address FC00:1234::1/64

 ipv6 eigrp 6

 ipv6 nhrp map FC00:1234::4/64 2001::4

 ipv6 nhrp map multicast 2001::4

 ipv6 nhrp network-id 10123

 ipv6 nhrp nhs FC00:1234::4

 ipv6 nhrp shortcut

 tunnel source 2001::1

 tunnel mode gre multipoint ipv6

 tunnel protection ipsec profile DMVPN

!

interface GigabitEthernet0/0

 ip address 172.17.100.1 255.255.255.0

 duplex auto

 speed auto

 media-type rj45

 ipv6 address 2001::1/48

router eigrp 90

 network 0.0.0.0

 passive-interface default

 no passive-interface Tunnel0

 no passive-interface Loopback0

router eigrp ipv6

 !

 address-family ipv6 unicast autonomous-system 6

  !

  af-interface GigabitEthernet0/0

   shutdown

  exit-af-interface

  !

  topology base

  exit-af-topology

 exit-address-family

line con 0

 logging synchronous

R2: (IPv4 Spoke, IPv6 Spoke)

hostname R2

no ip domain lookup

ip cef

ipv6 unicast-routing

ipv6 cef

crypto isakmp policy 1

 authentication pre-share

crypto isakmp key SHOWIPINTBRI address 0.0.0.0

crypto isakmp key SHOWIPINTBRI address ipv6 ::/0

!

!

crypto ipsec transform-set MYTRANS esp-aes esp-sha256-hmac

 mode tunnel

!

crypto ipsec profile DMVPN

 set transform-set MYTRANS

interface Loopback0

 ip address 2.2.2.2 255.255.255.255

!

interface Loopback6

 no ip address

 ipv6 address FC02::2/128

 ipv6 eigrp 6

!

interface Tunnel0

 ip address 10.123.234.2 255.255.255.0

 no ip redirects

 ip nhrp map multicast 172.17.100.1

 ip nhrp map 10.123.234.1 172.17.100.1

 ip nhrp network-id 1234

 ip nhrp nhs 10.123.234.1

 tunnel source 172.17.100.2

 tunnel mode gre multipoint

 tunnel protection ipsec profile DMVPN

!

interface Tunnel1

 no ip address

 ipv6 address FE80::2 link-local

 ipv6 address FC00:1234::2/64

 ipv6 eigrp 6

 ipv6 nhrp map FC00:1234::4/64 2001::4

 ipv6 nhrp map multicast 2001::4

 ipv6 nhrp network-id 10123

 ipv6 nhrp nhs FC00:1234::4

 ipv6 nhrp shortcut

 tunnel source 2001::2

 tunnel mode gre multipoint ipv6

 tunnel protection ipsec profile DMVPN

!

interface GigabitEthernet0/0

 ip address 172.17.100.2 255.255.255.0

 duplex auto

 speed auto

 media-type rj45

 ipv6 address 2001::2/48

router eigrp 90

 network 0.0.0.0

 passive-interface default

 no passive-interface Tunnel0

 no passive-interface Loopback0

router eigrp ipv6

 !

 address-family ipv6 unicast autonomous-system 6

  !

  af-interface GigabitEthernet0/0

   shutdown

  exit-af-interface

  !

  topology base

  exit-af-topology

 exit-address-family

line con 0

 logging synchronous

R3: (IPv4 Spoke, IPv6 Spoke)

hostname R3

no ip domain lookup

ip cef

ipv6 unicast-routing

ipv6 cef

crypto isakmp policy 1

 authentication pre-share

crypto isakmp key SHOWIPINTBRI address 0.0.0.0

crypto isakmp key SHOWIPINTBRI address ipv6 ::/0

!

!

crypto ipsec transform-set MYTRANS esp-aes esp-sha256-hmac

 mode tunnel

!

crypto ipsec profile DMVPN

 set transform-set MYTRANS

interface Loopback0

 ip address 3.3.3.3 255.255.255.255

interface Loopback6

 no ip address

 ipv6 address FC03::3/128

 ipv6 eigrp 6

interface Tunnel0

 ip address 10.123.234.3 255.255.255.0

 no ip redirects

 ip nhrp map multicast 172.17.100.1

 ip nhrp map 10.123.234.1 172.17.100.1

 ip nhrp network-id 1234

 ip nhrp nhs 10.123.234.1

 tunnel source 172.17.100.3

 tunnel mode gre multipoint

 tunnel protection ipsec profile DMVPN

interface Tunnel1

 no ip address

 ipv6 address FE80::3 link-local

 ipv6 address FC00:1234::3/64

 ipv6 eigrp 6

 ipv6 nhrp map FC00:1234::4/64 2001::4

 ipv6 nhrp map multicast 2001::4

 ipv6 nhrp network-id 10123

 ipv6 nhrp nhs FC00:1234::4

 ipv6 nhrp shortcut

 tunnel source 2001::3

 tunnel mode gre multipoint ipv6

 tunnel protection ipsec profile DMVPN

interface GigabitEthernet0/0

 ip address 172.17.100.3 255.255.255.0

 duplex auto

 speed auto

 media-type rj45

 ipv6 address 2001::3/48

router eigrp 90

 network 0.0.0.0

 passive-interface default

 no passive-interface Tunnel0

 no passive-interface Loopback0

router eigrp ipv6

 !

 address-family ipv6 unicast autonomous-system 6

  !

  af-interface GigabitEthernet0/0

   shutdown

  exit-af-interface

  !

  topology base

  exit-af-topology

 exit-address-family

line con 0

 logging synchronous

R4: (IPv4 Spoke, IPv6 Hub)

hostname R4

no ip domain lookup

ip cef

ipv6 unicast-routing

ipv6 cef

crypto isakmp policy 1

 authentication pre-share

crypto isakmp key SHOWIPINTBRI address 0.0.0.0

crypto isakmp key SHOWIPINTBRI address ipv6 ::/0

!

!

crypto ipsec transform-set MYTRANS esp-aes esp-sha256-hmac

 mode tunnel

!

crypto ipsec profile DMVPN

 set transform-set MYTRANS

interface Loopback0

 ip address 4.4.4.4 255.255.255.255

!

interface Loopback6

 no ip address

 ipv6 address FC04::4/128

 ipv6 eigrp 6

!

interface Tunnel0

 ip address 10.123.234.4 255.255.255.0

 no ip redirects

 ip nhrp map multicast 172.17.100.1

 ip nhrp map 10.123.234.1 172.17.100.1

 ip nhrp network-id 1234

 ip nhrp nhs 10.123.234.1

 tunnel source 172.17.100.4

 tunnel mode gre multipoint

 tunnel protection ipsec profile DMVPN

!

interface Tunnel1

 no ip address

 ipv6 address FE80::4 link-local

 ipv6 address FC00:1234::4/64

 ipv6 eigrp 6

 no ipv6 split-horizon eigrp 6

 ipv6 nhrp map multicast dynamic

 ipv6 nhrp network-id 10123

 ipv6 nhrp redirect

 tunnel source 2001::4

 tunnel mode gre multipoint ipv6

 tunnel protection ipsec profile DMVPN

!

interface GigabitEthernet0/0

 ip address 172.17.100.4 255.255.255.0

 duplex auto

 speed auto

 media-type rj45

 ipv6 address 2001::4/48

router eigrp 90

 network 0.0.0.0

 passive-interface default

 no passive-interface Tunnel0

 no passive-interface Loopback0

!

!

router eigrp ipv6

 !

 address-family ipv6 unicast autonomous-system 6

  !

  af-interface GigabitEthernet0/0

   shutdown

  exit-af-interface

  !

  af-interface Tunnel1

   no split-horizon

  exit-af-interface

  !

  topology base

  exit-af-topology

 exit-address-family

line con 0

 logging synchronous

#100DaysOfLabbing - Day 1 & 2

It's actually day 3 as I write this but I wanted to put down some documentation I've been keeping in a text document.

I learned a few things doing the configs on Day 1 and Day 2. Some of them simpler than others but worth noting.

This is the DMVPN Cisco Validated Design Guide I mentioned:

https://supportforums.cisco.com/legacyfs/online/legacy/3/9/5/26593-DMVPNbk.pdf

Day 1

Day 2

Basic DMVPN

#1 Lesson Learned

!Hub int tun 0 ip add 10.123.234.1 255.255.255.0 tunnel source Gi0/0 tunnel mode gre multipoint no shut !Spoke int tun 0 ip add 10.123.234.2 255.255.255.0 tunnel source Gi0/0 tunnel destination 10.123.234.1 no shut ! Broke R2#sho int tun 0 Tunnel0 is up, line protocol is down   Hardware is Tunnel   Internet address is 10.123.234.2/24   MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,      reliability 255/255, txload 1/255, rxload 1/255   Encapsulation TUNNEL, loopback not set   Keepalive not set   Tunnel linestate evaluation down - no output interface   Tunnel source 172.17.100.2 (GigabitEthernet0/0), destination 10.123.234.1    Tunnel Subblocks:       src-track:          Tunnel0 source tracking subblock associated with GigabitEthernet0/0           Set of tunnels with source GigabitEthernet0/0, 1 member (includes iterators), on interface <OK>   Tunnel protocol/transport GRE/IP     Key disabled, sequencing disabled     Checksumming of packets disabled   Tunnel TTL 255, Fast tunneling enabled   Tunnel transport MTU 1476 bytes   Tunnel transmit bandwidth 8000 (kbps)   Tunnel receive bandwidth 8000 (kbps)   Last input never, output never, output hang never Lesson Learned: I made the error of incorrectly defining the tunnel destination. I defined it as the remote tunnel interface when actually I needed to use the public NBMA address. Fixed: R2#sho int tun 0 Tunnel0 is up, line protocol is up   Hardware is Tunnel   Internet address is 10.123.234.2/24   MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,      reliability 255/255, txload 1/255, rxload 1/255   Encapsulation TUNNEL, loopback not set   Keepalive not set   Tunnel linestate evaluation up   Tunnel source 172.17.100.2 (GigabitEthernet0/0), destination 172.17.100.1    Tunnel Subblocks:       src-track:          Tunnel0 source tracking subblock associated with GigabitEthernet0/0           Set of tunnels with source GigabitEthernet0/0, 1 member (includes iterators), on interface <OK>   Tunnel protocol/transport GRE/IP     Key disabled, sequencing disabled     Checksumming of packets disabled   Tunnel TTL 255, Fast tunneling enabled   Tunnel transport MTU 1476 bytes   Tunnel transmit bandwidth 8000 (kbps)   Tunnel receive bandwidth 8000 (kbps)   Last input never, output never, output hang never Explanation: The tunnel interface linestate stays down until it has a valid exit interface and route to the remote tunnel destination.

#2 Lesson Learned - Tunnel Keepalives

In the output below you can see "Keepalive not set". Tunnel keepalives are not set by default. You can configure keepalives under the tunnel interface. You can do this be specifying just the keyword "keepalive" and press enter. This will give you the default value of keepalives sent every 10 seconds and will retry 3 times before considering the tunnel down. Conversely you can specify the keepalive values( example 5 seconds) the retry values can also be set but if they are excluded will default to 3 retries. R4#sho int tun 0 Tunnel0 is up, line protocol is up   Hardware is Tunnel   Internet address is 10.123.234.4/24   MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,      reliability 255/255, txload 1/255, rxload 1/255   Encapsulation TUNNEL, loopback not set   Keepalive not set [ ... output omitted ... ] Keepalive with default values R3(config-if)#keepalive ?   <0-32767>  Keepalive period (default 10 seconds)   <cr> R3(config-if)#keepalive R3(config-if)# R3(config-if)#do sho int tun 0 Tunnel0 is up, line protocol is up   Hardware is Tunnel   Internet address is 10.123.234.3/24   MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,      reliability 255/255, txload 1/255, rxload 1/255   Encapsulation TUNNEL, loopback not set   Keepalive set (10 sec), retries 3 [ ... output omitted ... ] Keepalive with defined values R4(config)#int tun 0 R4(config-if)#keepalive 5 R4(config-if)#end R4# R4#sho int tun 0 Tunnel0 is up, line protocol is up Hardware is Tunnel Internet address is 10.123.234.4/24 MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation TUNNEL, loopback not set Keepalive set (5 sec), retries 3 [ ... output omitted ... ]