ardenpackeer.com | Network Fuardenpackeer.com | Network Fu | Network Fu!

Tutorial: BGP Route Aggregation Part 1 – Using an Advertise-Map to control aggregation

Arden Packeer — Sun, 18 Jan 2009 23:56:23 +0000

BGP Route Aggregation is not only an important topic to learn for the CCIE exam, its what keeps the internet routing tables manageable. The basic idea is simple, instead of BGP advertising lots of different prefixes, we can summarize individual prefixes as an aggregate. In this series of articles we will be looking at BGP Route Aggregation using various methods that you should be familiar with before attempting the CCIE lab in case one of those evil proctors decides to limit the use of one or the other.

In this article we will be introducing the aggregate-address command to create route aggregates. We will be using the following topology for this tutorial:

Dynagen .net Configuration File:

ghostios = True
sparsemem = True
model = 3640

[localhost]

    [[3640]]
        image = \Program Files\Dynamips\images\c3640-jk9o3s-mz.124-12.bin
        # On Linux / Unix use forward slashes:
        # image = /opt/7200-images/c7200-jk9o3s-mz.124-7a.image
        ram = 128

        [[router R1]]
                model = 3640
                console = 2000
                e1/0 = LAN 12

        [[router R2]]
                model = 3640
                console = 2001
                e1/0 = LAN 12
                e1/1 = LAN 23
                e1/2 = LAN 24

        [[router R3]]
                model = 3640
                console = 2002
                e1/0 = LAN 23

        [[router R4]]
                model = 3640
                console = 2003
                e1/0 = LAN 24

You can download the pre-configured .net dynagen configuration file for this tutorial here.

Basic Configuration

Let’s take a look at the basic configuration for this topology:

R1

hostname R1
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.0
!
interface Loopback1
 ip address 10.0.1.1 255.255.255.0
!
interface Ethernet1/0
 ip address 192.168.12.1 255.255.255.0
 full-duplex
 no shut
!
router bgp 1
 no synchronization
 bgp router-id 1.1.1.1
 network 10.0.0.0 mask 255.255.255.0
 network 10.0.1.0 mask 255.255.255.0
 neighbor 192.168.12.2 remote-as 2
 no auto-summary

R2

hostname R2
!
interface Ethernet1/0
 ip address 192.168.12.2 255.255.255.0
 full-duplex
 no shut
!
interface Ethernet1/1
 ip address 192.168.23.2 255.255.255.0
 full-duplex
 no shut
!
interface Ethernet1/2
 ip address 192.168.24.2 255.255.255.0
 full-duplex
 no shut
!
router bgp 2
 no synchronization
 bgp router-id 2.2.2.2
 neighbor 192.168.12.1 remote-as 1
 neighbor 192.168.23.3 remote-as 3
 neighbor 192.168.24.4 remote-as 4
 no auto-summary

R3

hostname R3
!
interface Loopback0
 ip address 10.0.2.1 255.255.255.0
!
interface Loopback1
 ip address 10.0.3.1 255.255.255.0
!
interface Ethernet1/0
 ip address 192.168.23.3 255.255.255.0
 full-duplex
 no shut
!
router bgp 3
 no synchronization
 bgp router-id 3.3.3.3
 network 10.0.2.0 mask 255.255.255.0
 network 10.0.3.0 mask 255.255.255.0
 neighbor 192.168.23.2 remote-as 2
 no auto-summary

R4

hostname R4
!
interface Ethernet1/0
 ip address 192.168.24.4 255.255.255.0
 full-duplex
 no shut
!
router bgp 4
 no synchronization
 bgp router-id 4.4.4.4
 bgp log-neighbor-changes
 neighbor 192.168.24.2 remote-as 2
 no auto-summary

You can see in the configuration above we have four routers: R1, R2, R3 and R4 each in their own AS. R1 has two loopbacks defined which it is advertising into BGP. R3 also has two loopbacks defined which it is also advertising into BGP. Lets verify these advertised BGP prefixes:

R1#sh ip bgp
BGP table version is 5, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.0.0.0/24      0.0.0.0                  0         32768 i
*> 10.0.1.0/24      0.0.0.0                  0         32768 i
*> 10.0.2.0/24      192.168.12.2                           0 2 3 i
*> 10.0.3.0/24      192.168.12.2                           0 2 3 i

R2#sh ip bgp
BGP table version is 5, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.0.0.0/24      192.168.12.1             0             0 1 i
*> 10.0.1.0/24      192.168.12.1             0             0 1 i
*> 10.0.2.0/24      192.168.23.3             0             0 3 i
*> 10.0.3.0/24      192.168.23.3             0             0 3 i

R3#sh ip bgp
BGP table version is 5, local router ID is 3.3.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.0.0.0/24      192.168.23.2                           0 2 1 i
*> 10.0.1.0/24      192.168.23.2                           0 2 1 i
*> 10.0.2.0/24      0.0.0.0                  0         32768 i
*> 10.0.3.0/24      0.0.0.0                  0         32768 i

R4#sh ip bgp
BGP table version is 5, local router ID is 4.4.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.0.0.0/24      192.168.24.2                           0 2 1 i
*> 10.0.1.0/24      192.168.24.2                           0 2 1 i
*> 10.0.2.0/24      192.168.24.2                           0 2 3 i
*> 10.0.3.0/24      192.168.24.2                           0 2 3 i

You can see clearly above that the networks have been advertised into BGP. Let’s verify connectivity.

R1#ping 10.0.2.1 source 10.0.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.2.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 116/213/296 ms

Looks like we have connectivity from the networks that R1 is advertising (10.0.0.0/24 and 10.0.1.0/24) and the networks that R3 is advertising (10.0.2.0/24 and 10.0.3.0/24). We haven’t run an IGP here as we don’t usually have an IGP running between AS’s (thats the whole purpose of BGP!). When we did the ping, we have to source the address from R1′s loopback for connectivity. If we didn’t do that the source address of the ping packet would be 192.168.12.1, which R3 does not have a route for. We can run an IGP protocol here, but it is not needed for these examples.

Basic BGP Aggregation using the aggregate-address command

Lets do some aggregation! We will be using the aggregate-address command to create a summary.

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#router bgp 2
R2(config-router)#aggregate-address 10.0.0.0 255.255.252.0

We have created an aggregrate address on R2 here that summarizes the 10.0.0.0/24, 10.0.1.0/24, 10.0.2.0/24 and 10.0.3.0/24 networks. If you look at the four networks in binary we get:

10.0.0.0/24 = 00001010.00000000.00000000.00000000
10.0.1.0/24 = 00001010.00000000.00000001.00000000
10.0.2.0/24 = 00001010.00000000.00000010.00000000
10.0.3.0/24 = 00001010.00000000.00000011.00000000

The first 22 bits of these are common, hence an aggregate of 10.0.0.0/22.

One of the first things we need to remember is that we cannot aggregate an address unless at least one of the more specific routes we are trying to aggregate exists in the routing table already. If all the prefixes that we are summarizing in our aggregate go down, the router will remove the aggregate from the BGP table.

Let’s verify the aggregate:

R2#sh ip bgp
BGP table version is 6, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.0.0.0/24      192.168.12.1             0             0 1 i
*> 10.0.0.0/22      0.0.0.0                            32768 i
*> 10.0.1.0/24      192.168.12.1             0             0 1 i
*> 10.0.2.0/24      192.168.23.3             0             0 3 i
*> 10.0.3.0/24      192.168.23.3             0             0 3 i

R2#sh ip route | b Gateway
Gateway of last resort is not set

C    192.168.12.0/24 is directly connected, Ethernet1/0
C    192.168.24.0/24 is directly connected, Ethernet1/2
     10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
B       10.0.2.0/24 [20/0] via 192.168.23.3, 00:10:57
B       10.0.3.0/24 [20/0] via 192.168.23.3, 00:10:57
B       10.0.0.0/24 [20/0] via 192.168.12.1, 00:10:57
B       10.0.0.0/22 [200/0] via 0.0.0.0, 00:10:57, Null0
B       10.0.1.0/24 [20/0] via 192.168.12.1, 00:10:57
C    192.168.23.0/24 is directly connected, Ethernet1/1

Looking at the routing table above we can see that we have an entry in the routing table to Null0 on R2.

Null0 – The road to nowhere

Why does an aggregate create an entry to Null0? Good question lets think about this. Say we had this scenario:

On R3 lets say we created 4 more loopbacks that we advertise into BGP: 150.0.0.0/24, 150.0.1.0/24, 150.0.2.0/24, 150.0.3.0/24.

R3

R3(config)#int lo10
R3(config-if)#ip add 150.0.0.1 255.255.255.0
R3(config-if)#int lo11
R3(config-if)#ip add 150.0.1.1 255.255.255.0
R3(config-if)#int lo12
R3(config-if)#ip add 150.0.2.1 255.255.255.0
R3(config-if)#int lo13
R3(config-if)#ip add 150.0.3.1 255.255.255.0
R3(config-if)#router bgp 3
R3(config-router)#network 150.0.0.0 mask 255.255.255.0
R3(config-router)#network 150.0.1.0 mask 255.255.255.0
R3(config-router)#network 150.0.2.0 mask 255.255.255.0
R3(config-router)#network 150.0.3.0 mask 255.255.255.0

R2

R2#sh ip bgp
BGP table version is 10, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.0.0.0/24      192.168.12.1             0             0 1 i
*> 10.0.0.0/22      0.0.0.0                            32768 i
*> 10.0.1.0/24      192.168.12.1             0             0 1 i
*> 10.0.2.0/24      192.168.23.3             0             0 3 i
*> 10.0.3.0/24      192.168.23.3             0             0 3 i
*> 150.0.0.0/24     192.168.23.3             0             0 3 i
*> 150.0.1.0/24     192.168.23.3             0             0 3 i
*> 150.0.2.0/24     192.168.23.3             0             0 3 i
*> 150.0.3.0/24     192.168.23.3             0             0 3 i

R2 then aggregates this as 150.0.0.0/22 and creates a Null0 route in its routing table.

R2

R2(config)#router bgp 2
R2(config-router)#aggregate-address 150.0.0.0  255.255.252.0

R2#sh ip route | b Gateway
Gateway of last resort is not set

C    192.168.12.0/24 is directly connected, Ethernet1/0
C    192.168.24.0/24 is directly connected, Ethernet1/2
     10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
B       10.0.2.0/24 [20/0] via 192.168.23.3, 00:48:15
B       10.0.3.0/24 [20/0] via 192.168.23.3, 00:48:15
B       10.0.0.0/24 [20/0] via 192.168.12.1, 00:48:15
B       10.0.0.0/22 [200/0] via 0.0.0.0, 00:30:07, Null0
B       10.0.1.0/24 [20/0] via 192.168.12.1, 00:48:15
C    192.168.23.0/24 is directly connected, Ethernet1/1
     150.0.0.0/16 is variably subnetted, 5 subnets, 2 masks
B       150.0.2.0/24 [20/0] via 192.168.23.3, 00:12:54
B       150.0.3.0/24 [20/0] via 192.168.23.3, 00:12:54
B       150.0.0.0/24 [20/0] via 192.168.23.3, 00:13:24
B       150.0.0.0/22 [200/0] via 0.0.0.0, 00:12:01, Null0
B       150.0.1.0/24 [20/0] via 192.168.23.3, 00:01:31

This aggregate is then passed it on to R1. Lets also say that R2 has a default gateway set to R1.

R2

R2(config)#ip route 0.0.0.0 0.0.0.0 192.168.12.1

R2#sh ip route | b Gateway
Gateway of last resort is 192.168.12.1 to network 0.0.0.0

C    192.168.12.0/24 is directly connected, Ethernet1/0
C    192.168.24.0/24 is directly connected, Ethernet1/2
     10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
B       10.0.2.0/24 [20/0] via 192.168.23.3, 00:50:08
B       10.0.3.0/24 [20/0] via 192.168.23.3, 00:50:08
B       10.0.0.0/24 [20/0] via 192.168.12.1, 00:50:08
B       10.0.0.0/22 [200/0] via 0.0.0.0, 00:32:00, Null0
B       10.0.1.0/24 [20/0] via 192.168.12.1, 00:50:08
C    192.168.23.0/24 is directly connected, Ethernet1/1
     150.0.0.0/16 is variably subnetted, 5 subnets, 2 masks
B       150.0.2.0/24 [20/0] via 192.168.23.3, 00:14:46
B       150.0.3.0/24 [20/0] via 192.168.23.3, 00:14:46
B       150.0.0.0/24 [20/0] via 192.168.23.3, 00:15:17
B       150.0.0.0/22 [200/0] via 0.0.0.0, 00:13:53, Null0
B       150.0.1.0/24 [20/0] via 192.168.23.3, 00:03:24
S*   0.0.0.0/0 [1/0] via 192.168.12.1

What would happen if the network 150.0.1.0/24 went down on R3 and we didn’t have that Null0 route on R2?

R3

R3(config)#int lo11
R3(config-if)#shut

R2

R2#sh ip bgp
BGP table version is 14, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.0.0.0/24      192.168.12.1             0             0 1 i
*> 10.0.0.0/22      0.0.0.0                            32768 i
*> 10.0.1.0/24      192.168.12.1             0             0 1 i
*> 10.0.2.0/24      192.168.23.3             0             0 3 i
*> 10.0.3.0/24      192.168.23.3             0             0 3 i
*> 150.0.0.0/24     192.168.23.3             0             0 3 i
*> 150.0.0.0/22     0.0.0.0                            32768 i
*> 150.0.2.0/24     192.168.23.3             0             0 3 i
*> 150.0.3.0/24     192.168.23.3             0             0 3 i

R2#sh ip route | b Gateway
Gateway of last resort is 192.168.12.1 to network 0.0.0.0

C    192.168.12.0/24 is directly connected, Ethernet1/0
C    192.168.24.0/24 is directly connected, Ethernet1/2
     10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
B       10.0.2.0/24 [20/0] via 192.168.23.3, 00:51:18
B       10.0.3.0/24 [20/0] via 192.168.23.3, 00:51:18
B       10.0.0.0/24 [20/0] via 192.168.12.1, 00:51:18
B       10.0.0.0/22 [200/0] via 0.0.0.0, 00:33:10, Null0
B       10.0.1.0/24 [20/0] via 192.168.12.1, 00:51:18
C    192.168.23.0/24 is directly connected, Ethernet1/1
     150.0.0.0/16 is variably subnetted, 4 subnets, 2 masks
B       150.0.2.0/24 [20/0] via 192.168.23.3, 00:15:57
B       150.0.3.0/24 [20/0] via 192.168.23.3, 00:15:57
B       150.0.0.0/24 [20/0] via 192.168.23.3, 00:16:27
S*   0.0.0.0/0 [1/0] via 192.168.12.1

Well R1 pings 150.0.1.1, the Aggregate will be matched on R1′s routing table. It will be received on R2. The route for 150.0.1.0/24 is missing. Remember there is no Null0 route here, so what will R2 match? The default gateway! So it will send it back to R1. R1 will then send to R2. Ladies and Gentleman we have a routing loop! This is one of the reasons we create a Null0 route on R2 when an aggregate is generated.

Let’s clean up and get back to our aggregate for 10.0.0.0/22 on R2 and take a look at the atomic-aggregate attribute.

R3

R3(config)#no int lo10
R3(config)#no int lo11

R3(config)#no int lo12
R3(config)#no int lo13
R3(config)#router bgp 3
R3(config-router)#no network 150.0.0.0 mask 255.255.255.0
R3(config-router)#no network 150.0.1.0 mask 255.255.255.0
R3(config-router)#no network 150.0.2.0 mask 255.255.255.0
R3(config-router)#no network 150.0.3.0 mask 255.255.255.0

R2

R2(config)#router bgp 2
R2(config-router)#no aggregate-address 150.0.0.0 255.255.252.0

Atomic-Aggregate

I gotta admit, Atomic-Aggregate sounds kinda cool. Like an Aggregate with superpowers or something . But what the hell is it and what does it have to do with BGP aggregation? Take a look at the output below:

R2#sh ip bgp 10.0.0.0/22
BGP routing table entry for 10.0.0.0/22, version 6
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Advertised to update-groups:
     1
  Local, (aggregated by 2 2.2.2.2)
    0.0.0.0 from 0.0.0.0 (2.2.2.2)
      Origin IGP, localpref 100, weight 32768, valid, aggregated, local, atomic-aggregate, best

You can see above that R2 has now originated an entry in BGP for the 10.0.0.0/22 aggregate. You can see also that the aggregate has the atomic-aggregate attribute set. What this means is that the AS path information about the aggregate has been lost. What do I mean by that?

Lets take a look at the BGP tables on R1.

R1#sh ip bgp
BGP table version is 18, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.0.0.0/24      0.0.0.0                  0         32768 i
*> 10.0.0.0/22      192.168.12.2             0             0 2 i
*> 10.0.1.0/24      0.0.0.0                  0         32768 i
*> 10.0.2.0/24      192.168.12.2                           0 2 3 i
*> 10.0.3.0/24      192.168.12.2                           0 2 3 i

Look at the output above we can see that the path information for the 10.0.0.0/22 prefix only contains AS 2!

R1#sh ip bgp 10.0.0.0/22
BGP routing table entry for 10.0.0.0/22, version 6
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Not advertised to any peer
  2, (aggregated by 2 2.2.2.2)
    192.168.12.2 from 192.168.12.2 (2.2.2.2)
      Origin IGP, metric 0, localpref 100, valid, external, atomic-aggregate, best

You can see that R1 thinks the 10.0.0.0/22 network originated in AS 2. The networks in that aggregate however originated in AS 1, and AS 3. By aggregating on R2 we have lost that information. So all an atomic-aggregate attribute on an aggregate route says is “I’ve lost all the as-path information for the routes that I am aggregating”.

Lets look a bit closer at the BGP table on R2:

R2#sh ip bgp
BGP table version is 6, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.0.0.0/24      192.168.12.1             0             0 1 i
*> 10.0.0.0/22      0.0.0.0                            32768 i
*> 10.0.1.0/24      192.168.12.1             0             0 1 i
*> 10.0.2.0/24      192.168.23.3             0             0 3 i
*> 10.0.3.0/24      192.168.23.3             0             0 3 i

You can see there that the 10.0.0.0/22 route has lost the as-path information. The atomic-aggregate attribute has been set so we don’t see the complete as-path for the prefixes contained within that aggregate.

This situation can also be seen on R3 and R4:

R3#sh ip bgp
BGP table version is 6, local router ID is 3.3.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.0.0.0/24      192.168.23.2                           0 2 1 i
*> 10.0.0.0/22      192.168.23.2             0             0 2 i
*> 10.0.1.0/24      192.168.23.2                           0 2 1 i
*> 10.0.2.0/24      0.0.0.0                  0         32768 i
*> 10.0.3.0/24      0.0.0.0                  0         32768 i

R4#sh ip bgp
BGP table version is 6, local router ID is 4.4.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.0.0.0/24      192.168.24.2                           0 2 1 i
*> 10.0.0.0/22      192.168.24.2             0             0 2 i
*> 10.0.1.0/24      192.168.24.2                           0 2 1 i
*> 10.0.2.0/24      192.168.24.2                           0 2 3 i
*> 10.0.3.0/24      192.168.24.2                           0 2 3 i

How can we retain the as-path information?

Using the as-set keyword

The as-path paramter for the aggregate-address command allows us to create an BGP aggregate without setting the atomic-aggregate attribute. This allows us to see the as-path of the routes we are aggregating.

Let’s take a look at the configuration:

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#router bgp 2
R2(config-router)#aggregate-address 10.0.0.0 255.255.252.0 as-set

Simple configuration huh? Just add the as-set keyword to the aggregate-address command. Let’s verify this and take a look at the effects this has on our BGP tables.

R2#sh ip bgp 10.0.0.0 255.255.252.0
BGP routing table entry for 10.0.0.0/22, version 7
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Advertised to update-groups:
     1
  {1,3}, (aggregated by 2 2.2.2.2)
    0.0.0.0 from 0.0.0.0 (2.2.2.2)
      Origin IGP, localpref 100, weight 32768, valid, aggregated, local, best

You can see above we have that the route is originated on R2 but it has a {1,3} in the as-path information. This means that 10.0.0.0/22 is an aggregate of prefixes that went through AS 1 and AS 3. Also notice, that the atomic-aggregate attribute is no longer set as no AS information for the aggregate has been lost.

What will this do to our BGP routing tables? Lets take a look at the routing table on R1:

R1#sh ip bgp
BGP table version is 7, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.0.0.0/24      0.0.0.0                  0         32768 i
*> 10.0.1.0/24      0.0.0.0                  0         32768 i
*> 10.0.2.0/24      192.168.12.2                           0 2 3 i
*> 10.0.3.0/24      192.168.12.2                           0 2 3 i

Take a look carefully at the output above. Hey wait a minute, we don’t have the aggregate anymore. Did we stuff up our configuration? Is R2 even advertising the prefixes?

R2#sh ip bgp neighbors 192.168.12.1 advertised-routes
BGP table version is 7, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.0.0.0/24      192.168.12.1             0             0 1 i
*> 10.0.0.0/22      0.0.0.0                       100  32768 {1,3} i
*> 10.0.1.0/24      192.168.12.1             0             0 1 i
*> 10.0.2.0/24      192.168.23.3             0             0 3 i
*> 10.0.3.0/24      192.168.23.3             0             0 3 i

Total number of prefixes 5

R2#sh ip bgp neighbors 192.168.23.3 advertised-routes
BGP table version is 7, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.0.0.0/24      192.168.12.1             0             0 1 i
*> 10.0.0.0/22      0.0.0.0                       100  32768 {1,3} i
*> 10.0.1.0/24      192.168.12.1             0             0 1 i
*> 10.0.2.0/24      192.168.23.3             0             0 3 i
*> 10.0.3.0/24      192.168.23.3             0             0 3 i

Total number of prefixes 5

R2 is advertising the prefixes but R1 and R3 are not accepting them! What gives? Actually, this is expected behaviour. What the rule with BGP when a router sees its own AS number in the AS-PATH? It doesn’t accept the route!

R2#sh ip bgp
BGP table version is 7, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.0.0.0/24      192.168.12.1             0             0 1 i
*> 10.0.0.0/22      0.0.0.0                       100  32768 {1,3} i
*> 10.0.1.0/24      192.168.12.1             0             0 1 i
*> 10.0.2.0/24      192.168.23.3             0             0 3 i
*> 10.0.3.0/24      192.168.23.3             0             0 3 i

On R2, we can clearly see that the AS path of the aggregate now contains all the AS’s of the routes that it is summarizing.

R3#sh ip bgp
BGP table version is 7, local router ID is 3.3.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.0.0.0/24      192.168.23.2                           0 2 1 i
*> 10.0.1.0/24      192.168.23.2                           0 2 1 i
*> 10.0.2.0/24      0.0.0.0                  0         32768 i
*> 10.0.3.0/24      0.0.0.0                  0         32768 i

R3 doesn’t accept the route because it sees its own AS 3 in the path for 10.0.0.0/22.

R4#sh ip bgp
BGP table version is 7, local router ID is 4.4.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.0.0.0/24      192.168.24.2                           0 2 1 i
*> 10.0.0.0/22      192.168.24.2             0             0 2 {1,3} i
*> 10.0.1.0/24      192.168.24.2                           0 2 1 i
*> 10.0.2.0/24      192.168.24.2                           0 2 3 i
*> 10.0.3.0/24      192.168.24.2                           0 2 3 i

R4 however accepts the route as it does not see its own AS in the aggregate. Cool huh?

Controlling the BGP aggregrate using advertise-map

Using the advertise-map option on the aggregate-address command allows us to control which routes make up the summary address. We can use this to say which prefixes make up the aggregate address.

Lets take a look at an example:

R2

router bgp 2
 no synchronization
 bgp router-id 2.2.2.2
 aggregate-address 10.0.0.0 255.255.252.0 as-set advertise-map AS_3_PREFIXES
 neighbor 192.168.12.1 remote-as 1
 neighbor 192.168.23.3 remote-as 3
 neighbor 192.168.24.4 remote-as 4
 no auto-summary
!
access-list 1 permit 10.0.2.0 0.0.0.255
access-list 1 permit 10.0.3.0 0.0.0.255
!
route-map AS_3_PREFIXES permit 10
 match ip address 1

We have created an access list that matches the 10.0.2.0/24, and 10.0.3.0/24 prefixes. Both of these prefixes are originated in AS 3. This access list is then associated with the route-map AS_3_PREFIXES. We call this route-map in the aggregate-address advertise-map command.

Notice we also have the as-set command so the atomic-aggregate will be set.

Lets take a look at the summary address that this creates.

R2#sh ip bgp 10.0.0.0/22
BGP routing table entry for 10.0.0.0/22, version 8
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Flag: 0x820
  Advertised to update-groups:
     1
  3, (aggregated by 2 2.2.2.2)
    0.0.0.0 from 0.0.0.0 (2.2.2.2)
      Origin IGP, localpref 100, weight 32768, valid, aggregated, local, atomic-aggregate, best

Notice that the AS-PATH information only has AS 3 in the path list. This is because when we created the aggregate address we told the router that “this aggregate is a summary of 10.0.2.0/24 and 10.0.3.0/24″. These prefixes only originate in AS 3 so thats all that goes in the path list! Also notice that the atomic-aggregate attribute is set. This is because information for the aggregate has been lost (ie. we don’t include AS 1′s prefixes).

R1#sh ip bgp
BGP table version is 8, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.0.0.0/24      0.0.0.0                  0         32768 i
*> 10.0.0.0/22      192.168.12.2             0             0 2 3 i
*> 10.0.1.0/24      0.0.0.0                  0         32768 i
*> 10.0.2.0/24      192.168.12.2                           0 2 3 i
*> 10.0.3.0/24      192.168.12.2                           0 2 3 i

You can see above that R1 now accepts this aggregate as it no longer sees its own AS in the path.

R2#sh ip bgp
BGP table version is 8, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.0.0.0/24      192.168.12.1             0             0 1 i
*> 10.0.0.0/22      0.0.0.0                       100  32768 3 i
*> 10.0.1.0/24      192.168.12.1             0             0 1 i
*> 10.0.2.0/24      192.168.23.3             0             0 3 i
*> 10.0.3.0/24      192.168.23.3             0             0 3 i

R3#sh ip bgp
BGP table version is 7, local router ID is 3.3.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.0.0.0/24      192.168.23.2                           0 2 1 i
*> 10.0.1.0/24      192.168.23.2                           0 2 1 i
*> 10.0.2.0/24      0.0.0.0                  0         32768 i
*> 10.0.3.0/24      0.0.0.0                  0         32768 i

R3 does not accept the path. Why? Because it saw its own AS in the update.

R4#sh ip bgp
BGP table version is 17, local router ID is 4.4.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.0.0.0/24      192.168.24.2                           0 2 1 i
*> 10.0.0.0/22      192.168.24.2             0             0 2 3 i
*> 10.0.1.0/24      192.168.24.2                           0 2 1 i
*> 10.0.2.0/24      192.168.24.2                           0 2 3 i
*> 10.0.3.0/24      192.168.24.2                           0 2 3 i

R4 happily accepts the update. Notice the AS path looks like it originated from AS 3.

Why might this stuff come in handy? Well imagine those evil CCIE proctors as you to filter BGP updates but you are not allowed to use the traditional means (filter-lists etc). This just gives you another tool that you can add to your belt!

In our next article we will be looking at suppress-maps and attribute-maps as well as few other cool little things with BGP aggregation. Stay tuned!

HTH. Now back to labs!

Summary:

BGP can summaries prefixes with the aggregate-address command
When an aggregate is created, a Null0 route is entered into the routing table to stop routing loops.
By default, the aggregate will be originated from the AS creating the aggregate. All AS-PATH information about prefixes contained within the aggregate is lost.
When AS-PATH information is lost, the atomic-aggregate attribute is set on the aggregate.
We can control what prefixes make up the aggregate using the advertise-map parameter on the aggregate-address command.

Resources:

Dynamips/Dynagen .net configuration file

Tutorial: Filtering Routes in OSPF Part 2 » Filtering Between Areas Using area filter-list

Arden Packeer — Sun, 10 Aug 2008 02:33:02 +0000

In our last article on Filtering Routes in OSPF we looked at filtering routes within an OSPF area. In this article we will be filtering routes between areas using the area filter-list command. OSPF route filtering is an important concept to be familiar with for any CCIE candidate. We will be looking at the area filter-list command first. Part 3 will then look at some of the more obtuse ways of filtering using the area range and summary-address commands. Part of being a CCIE is knowing multiple ways of configuring the same task…just in case those evil proctors decide to restrict which of those methods you can and can’t do!

We will be using the following topology for this tutorial:

Dynagen .net Configuration File:

ghostios = True
sparsemem = True
model = 3640

[localhost]

    [[3640]]
        image = Program FilesDynamipsimagesc3640-jk9o3s-mz.124-12.bin
        # On Linux / Unix use forward slashes:
        # image = /opt/7200-images/c7200-jk9o3s-mz.124-7a.image
        ram = 128

    [[ROUTER R1]]
        console = 2000
        e1/0 = LAN 13
        e1/1 = LAN 12
        autostart = False
        model = 3640

    [[ROUTER R2]]
        console = 2001
        e1/0 = LAN 23
        e1/1 = LAN 12
        autostart = False
        model = 3640

    [[ROUTER R3]]
        console = 2002
        e1/0 = LAN 13
        e1/1 = LAN 23
        e1/2 = LAN 34
        autostart = False
        model = 3640

    [[ROUTER R4]]
        console = 2003
        e1/0 = LAN 45
        e1/1 = LAN 46
        e1/2 = LAN 34
        autostart = False
        model = 3640

    [[ROUTER R5]]
        console = 2004
        e1/0 = LAN 45
        e1/1 = LAN 56
        autostart = False
        model = 3640

    [[ROUTER R6]]
        console = 2005
        e1/0 = LAN 46
        e1/1 = LAN 56
        autostart = False
        model = 3640

You can download the pre-configured .net dynagen configuration file for this tutorial here.

Basic Configuration

First things first lets set up our basic topology. In this topology R1 and R2 will be internal area 2 routers with R3 the Area Border Router (ABR) between area 2 and area 0. R5 and R6 will be internal area 1 routers with R4 the ABR between area 1 and area 0.

Lets take at this configuration:

R1:

hostname R1
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Ethernet1/0
 ip address 10.2.13.1 255.255.255.0
!
interface Ethernet1/1
 ip address 10.2.12.1 255.255.255.0
!
router ospf 1
 router-id 1.1.1.1
 log-adjacency-changes
 network 1.1.1.1 0.0.0.0 area 2
 network 10.2.12.1 0.0.0.0 area 2
 network 10.2.13.1 0.0.0.0 area 2

R2:

hostname R2
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Ethernet1/0
 ip address 10.2.23.2 255.255.255.0
!
interface Ethernet1/1
 ip address 10.2.12.2 255.255.255.0
!
router ospf 1
 router-id 2.2.2.2
 log-adjacency-changes
 network 2.2.2.2 0.0.0.0 area 2
 network 10.2.12.2 0.0.0.0 area 2
 network 10.2.23.2 0.0.0.0 area 2

R3:

hostname R3
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface Ethernet1/0
 ip address 10.2.13.3 255.255.255.0
!
interface Ethernet1/1
 ip address 10.2.23.3 255.255.255.0
!
interface Ethernet1/2
 ip address 10.0.34.3 255.255.255.0
!
router ospf 1
 router-id 3.3.3.3
 log-adjacency-changes
 network 3.3.3.3 0.0.0.0 area 0
 network 10.0.34.3 0.0.0.0 area 0
 network 10.2.13.3 0.0.0.0 area 2
 network 10.2.23.3 0.0.0.0 area 2

R4:

hostname R4
!
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
!
interface Ethernet1/0
 ip address 10.1.45.4 255.255.255.0
!
interface Ethernet1/1
 ip address 10.1.46.4 255.255.255.0
!
interface Ethernet1/2
 ip address 10.0.34.4 255.255.255.0
!
router ospf 1
 router-id 4.4.4.4
 log-adjacency-changes
 network 4.4.4.4 0.0.0.0 area 0
 network 10.0.34.4 0.0.0.0 area 0
 network 10.1.45.4 0.0.0.0 area 1
 network 10.1.46.4 0.0.0.0 area 1

R5:

hostname R5
!
interface Loopback0
 ip address 5.5.5.5 255.255.255.255
!
interface Ethernet1/0
 ip address 10.1.45.5 255.255.255.0
!
interface Ethernet1/1
 ip address 10.1.56.5 255.255.255.0
!
router ospf 1
 router-id 5.5.5.5
 log-adjacency-changes
 network 5.5.5.5 0.0.0.0 area 1
 network 10.1.45.5 0.0.0.0 area 1
 network 10.1.56.5 0.0.0.0 area 1

R6:

hostname R6
!
interface Loopback0
 ip address 6.6.6.6 255.255.255.255
!
interface Ethernet1/0
 ip address 10.1.46.6 255.255.255.0
!
interface Ethernet1/1
 ip address 10.1.56.6 255.255.255.0
!
router ospf 1
 router-id 6.6.6.6
 log-adjacency-changes
 network 6.6.6.6 0.0.0.0 area 1
 network 10.1.46.6 0.0.0.0 area 1
 network 10.1.56.6 0.0.0.0 area 1

We have added a loopback interface on each device and advertised them into OSPF. R1 and R2′s Loopback0 interfaces have been added to area 2. R3 and R4′s Loopback0 interfaces have been added to Area 0. R5 and R6′s Loopback0 interfaces have been added to Area 1.

Let’s verify the routing table on R5 and test connectivity before we start filtering routes.

R5#sh ip route | b Gateway
Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
O IA    1.1.1.1 [110/31] via 10.1.45.4, 00:05:51, Ethernet1/0
     2.0.0.0/32 is subnetted, 1 subnets
O IA    2.2.2.2 [110/31] via 10.1.45.4, 00:05:51, Ethernet1/0
     3.0.0.0/32 is subnetted, 1 subnets
O IA    3.3.3.3 [110/21] via 10.1.45.4, 00:05:51, Ethernet1/0
     4.0.0.0/32 is subnetted, 1 subnets
O IA    4.4.4.4 [110/11] via 10.1.45.4, 00:05:51, Ethernet1/0
     5.0.0.0/32 is subnetted, 1 subnets
C       5.5.5.5 is directly connected, Loopback0
     6.0.0.0/32 is subnetted, 1 subnets
O       6.6.6.6 [110/11] via 10.1.56.6, 00:05:51, Ethernet1/1
     10.0.0.0/24 is subnetted, 7 subnets
O IA    10.2.12.0 [110/40] via 10.1.45.4, 00:05:51, Ethernet1/0
O IA    10.2.13.0 [110/30] via 10.1.45.4, 00:05:51, Ethernet1/0
O IA    10.2.23.0 [110/30] via 10.1.45.4, 00:05:51, Ethernet1/0
O       10.1.46.0 [110/20] via 10.1.56.6, 00:05:51, Ethernet1/1
                  [110/20] via 10.1.45.4, 00:05:51, Ethernet1/0
C       10.1.45.0 is directly connected, Ethernet1/0
O IA    10.0.34.0 [110/20] via 10.1.45.4, 00:05:51, Ethernet1/0
C       10.1.56.0 is directly connected, Ethernet1/1

The routing table looks correct. We have inter-area routes to R1, R2, R3 and R4′s loopback0 addresses as well as to the 10.2.12.0/24, 10.2.13.0/24, 10.2.23.0/24 and 10.0.34.0/24 networks. Exactly what we would expect.

Let’s verify connectivity:

R5#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 216/245/284 ms

Looks like we have full connectivity. Awesome!

OSPF – Distance Vector or Link State?

Remember back to when you were studying for your CCNA. If you took a course, the instructor probably blabbed on about the difference between Link State and Distance Vector routing protocols (I know I spend a large amount of time on this when I am teaching it!). In a nutshell, with Distance Vector routing protocols the routers cannot “see” past their neighbors. They rely on their neighbors to tell them everything. In turn they tell their neighbors everything they have learned so far.

With Link State routing protocols, the routers tell everyone (via a multicast exchange) information about itself, its links, and its neighbors (This is a massive simplification, but it will do for now). Link State Routers take this information and create a link state database. This database is identical for all routers. Based on this information each router use the Dijikstra’s shortest path algorithm to independantly calculate the shortest path.

Now if we had a large number of routers, this would make the size of that database massive. In “the old days” this was a problem because memory and cpu power was limited. So we break up that database into areas. This allows OSPF to scale to larger networks. The routers in an area maintain a linkstate database for their area. This database should be identical for all other routers in the same area. So there is a database for each area.

Each area is connected to another area via an ABR (Area Border Router). The ABR will have databases for two or more areas. This is where things get funky. The routers within an area inherently know how to get to other routers within the same area. The topology database will tell them. But how do they get to routers in another area. They cannot “see” past their own area. They rely on the ABR to tell them about routes to other areas. Hang on a sec doesn’t that sound a bit like Distance Vector?

In Distance Vector routing protocols, routers cannot “see” past their neighbors. They rely on there neighbors to tell them everything. This is the same as routers in different areas in OSPF. Internal area routers cannot “see” past their areas! They rely on the ABR to tell them everything about other areas. OSPF is a link state protocol within an area. OSPF can be considered a distance vector protocol between areas.

Think about this. Because we are relying on the ABR to tell our internal routers everything outside the area, we must ensure a loop free topology between areas. Hence the reason why all areas must attach to Area 0. By forcing all areas to touch Area 0 in a kind of floral petal arrangement, where area 0 is the center of the flower and the other areas are the petals, we can ensure that no loops will be formed between areas!

An ABR will summarize routes from other areas and create an LSA (Link State Advertisements) type 3 before sending it into the area.

You can see in the diagram above R3 will create a type 3 summary LSA’s for the networks in Area 1 and Area 0 and send it into area 2. R3 will also create a type 3 summary LSA for the the networks in area 2 and send it out of area 2. The direction there is important because it will come into play later when we filter these routes.

We can verify this on R1 by taking a look at the database:

R1#sh ip ospf database

            OSPF Router with ID (1.1.1.1) (Process ID 1)

                Router Link States (Area 2)

Link ID         ADV Router      Age         Seq#       Checksum Link count
1.1.1.1         1.1.1.1         444         0x80000004 0x0094F2 3
2.2.2.2         2.2.2.2         435         0x80000004 0x00CF95 3
3.3.3.3         3.3.3.3         401         0x80000003 0x00323F 2

                Net Link States (Area 2)

Link ID         ADV Router      Age         Seq#       Checksum
10.2.12.2       2.2.2.2         435         0x80000002 0x00A466
10.2.13.3       3.3.3.3         401         0x80000002 0x00936D
10.2.23.3       3.3.3.3         401         0x80000002 0x00579B

                Summary Net Link States (Area 2)

Link ID         ADV Router      Age         Seq#       Checksum
3.3.3.3         3.3.3.3         401         0x80000002 0x00AC76
4.4.4.4         3.3.3.3         401         0x80000002 0x00E232
5.5.5.5         3.3.3.3         401         0x80000002 0x0019ED
6.6.6.6         3.3.3.3         401         0x80000002 0x00EA18
10.0.34.0       3.3.3.3         402         0x80000002 0x009762
10.1.45.0       3.3.3.3         402         0x80000002 0x00766D
10.1.46.0       3.3.3.3         402         0x80000002 0x006B77
10.1.56.0       3.3.3.3         402         0x80000002 0x00616D

You can above that we have Router Link States (LSA Type 1) and Net Link States (LSA Type 2) in our database on R1. This describes the routers and networks in our area 2. R3 will take these routes and generate a LSA Type 3 and send it out into area 0. We can also see the Summary Net Link States (LSA Type 3). These have been generated by R3 and sent into area 2.

Enough theory, lets get into filtering some routes!

Recap: Filtering Routes Within An Area

In our previous tutorial, we looked at filtering routes within an OSPF area. We noted that when you use filtering tools within an area, you are only filtering from the routes entering the route table. You are not filtering the OSPF database. The database must be consistent within an area for OSPF to work correctly. This results in a discrepancy between the route table and OSPF database when filtering within an area.

An ABR will summarise routes as an LSA type 3 before sending it into the area. It is on the ABR that we will perform filtering between areas. How does filtering between areas affect the route tables and OSPF database? Let’s find out!

Filtering Routes Between Areas – Using and area filter-list

The first technique we are going to use to filter routes between areas is using the area filter-list command. Before we start lets take a look at the OSPF database on R5.

R5:

R5#sh ip ospf database

            OSPF Router with ID (5.5.5.5) (Process ID 1)

                Router Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum Link count
4.4.4.4         4.4.4.4         799         0x80000004 0x00D71F 2
5.5.5.5         5.5.5.5         792         0x80000004 0x00D7DC 3
6.6.6.6         6.6.6.6         810         0x80000004 0x007A29 3

                Net Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum
10.1.45.5       5.5.5.5         792         0x80000002 0x00C8FA
10.1.46.6       6.6.6.6         810         0x80000002 0x00B702
10.1.56.6       6.6.6.6         810         0x80000002 0x007B30

                Summary Net Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum
1.1.1.1         4.4.4.4         799         0x80000002 0x00B35F
2.2.2.2         4.4.4.4         799         0x80000002 0x008589
3.3.3.3         4.4.4.4         799         0x80000002 0x00F222
4.4.4.4         4.4.4.4         799         0x80000002 0x0060BA
10.0.34.0       4.4.4.4         800         0x80000002 0x00797C
10.2.12.0       4.4.4.4         800         0x80000002 0x001DD8
10.2.13.0       4.4.4.4         800         0x80000002 0x00AD51
10.2.23.0       4.4.4.4         800         0x80000002 0x003FB5

You can see above that R5 has Router Link States (LSA Type 1) and Net Link States (LSA Type 2) that describe the networks and routers in area 1. We can also see the Summary Net Link States (LSA Type 3) that have been generated by R4 and sent into area 1.

R5#sh ip route | b Gateway
Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
O IA    1.1.1.1 [110/31] via 10.1.45.4, 00:50:57, Ethernet1/0
     2.0.0.0/32 is subnetted, 1 subnets
O IA    2.2.2.2 [110/31] via 10.1.45.4, 00:50:57, Ethernet1/0
     3.0.0.0/32 is subnetted, 1 subnets
O IA    3.3.3.3 [110/21] via 10.1.45.4, 00:50:57, Ethernet1/0
     4.0.0.0/32 is subnetted, 1 subnets
O IA    4.4.4.4 [110/11] via 10.1.45.4, 00:50:57, Ethernet1/0
     5.0.0.0/32 is subnetted, 1 subnets
C       5.5.5.5 is directly connected, Loopback0
     6.0.0.0/32 is subnetted, 1 subnets
O       6.6.6.6 [110/11] via 10.1.56.6, 00:50:57, Ethernet1/1
     10.0.0.0/24 is subnetted, 7 subnets
O IA    10.2.12.0 [110/40] via 10.1.45.4, 00:50:57, Ethernet1/0
O IA    10.2.13.0 [110/30] via 10.1.45.4, 00:50:57, Ethernet1/0
O IA    10.2.23.0 [110/30] via 10.1.45.4, 00:50:57, Ethernet1/0
O       10.1.46.0 [110/20] via 10.1.56.6, 00:50:57, Ethernet1/1
                  [110/20] via 10.1.45.4, 00:50:57, Ethernet1/0
C       10.1.45.0 is directly connected, Ethernet1/0
O IA    10.0.34.0 [110/20] via 10.1.45.4, 00:50:57, Ethernet1/0
C       10.1.56.0 is directly connected, Ethernet1/1

Looking at the route table we can see that we have inter-area routes to the Loopbacks for R1, R2, R3, and R4. We also have inter-area routes to the networks in Area 2, and the backbone area. It is these inter-area routes that we will look to filter from going into area 1.

Lets have a look at the database on R4 where we be performing the filtering.

R4:

R4#sh ip ospf database

            OSPF Router with ID (4.4.4.4) (Process ID 1)

                Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
3.3.3.3         3.3.3.3         745         0x80000003 0x00236F 2
4.4.4.4         4.4.4.4         780         0x80000003 0x00374E 2

                Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
10.0.34.4       4.4.4.4         780         0x80000002 0x0022BA

                Summary Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
1.1.1.1         3.3.3.3         745         0x80000002 0x006DB3
2.2.2.2         3.3.3.3         745         0x80000002 0x003FDD
5.5.5.5         4.4.4.4         780         0x80000002 0x009676
6.6.6.6         4.4.4.4         780         0x80000002 0x0068A0
10.1.45.0       4.4.4.4         780         0x80000002 0x00F3F5
10.1.46.0       4.4.4.4         780         0x80000002 0x00E8FF
10.1.56.0       4.4.4.4         780         0x80000002 0x00DEF5
10.2.12.0       3.3.3.3         745         0x80000002 0x00D62D
10.2.13.0       3.3.3.3         745         0x80000002 0x0067A5
10.2.23.0       3.3.3.3         745         0x80000002 0x00F80A

                Router Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum Link count
4.4.4.4         4.4.4.4         780         0x80000004 0x00D71F 2
5.5.5.5         5.5.5.5         775         0x80000004 0x00D7DC 3
6.6.6.6         6.6.6.6         792         0x80000004 0x007A29 3

                Net Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum
10.1.45.5       5.5.5.5         775         0x80000002 0x00C8FA
10.1.46.6       6.6.6.6         792         0x80000002 0x00B702
10.1.56.6       6.6.6.6         792         0x80000002 0x007B30

                Summary Net Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum
1.1.1.1         4.4.4.4         780         0x80000002 0x00B35F
2.2.2.2         4.4.4.4         780         0x80000002 0x008589
3.3.3.3         4.4.4.4         781         0x80000002 0x00F222
4.4.4.4         4.4.4.4         781         0x80000002 0x0060BA
10.0.34.0       4.4.4.4         781         0x80000002 0x00797C
10.2.12.0       4.4.4.4         781         0x80000002 0x001DD8
10.2.13.0       4.4.4.4         781         0x80000002 0x00AD51
10.2.23.0       4.4.4.4         781         0x80000002 0x003FB5

You can see above that R4 has a consistent database with all the routers in Area 0 and Area 1. It has a complete view of both areas. R4 has sent the LSA Type 3 routes from area 2 into area 1.

Let’s set up R4 so that it only passes the 10.2.12.0/24 and 10.2.23.0/24 routes into area 1 using the area filter-list command:

R4:

router ospf 1
 router-id 4.4.4.4
 log-adjacency-changes
 area 1 filter-list prefix AREA_1_IN in
 network 4.4.4.4 0.0.0.0 area 0
 network 10.0.34.4 0.0.0.0 area 0
 network 10.1.45.4 0.0.0.0 area 1
 network 10.1.46.4 0.0.0.0 area 1
!
ip prefix-list AREA_1_IN seq 5 permit 10.2.12.0/24
ip prefix-list AREA_1_IN seq 10 permit 10.2.23.0/24

You can see above that we have created a prefix-list that matches the routes that we want to permit (ie allowed) to go into area 1. We have then applied this prefix-list to the area filter-list. Notice the direction. We are only allowing those routes matched by the prefix into area 1. Its from the perspective of the area not the router.

A lot of candidates make the mistake of saying “area 1 filter-list prefix AREA_1_IN out” thinking its filtering the routes from going out of the router. This is wrong. You have to think of it from the perspective of the areas. We are filtering routes from going into area 1.

Let’s verify the routing tables and OSPF database on R5:

R5:

R5#sh ip ospf database

            OSPF Router with ID (5.5.5.5) (Process ID 1)

                Router Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum Link count
4.4.4.4         4.4.4.4         1530        0x80000004 0x00D71F 2
5.5.5.5         5.5.5.5         1523        0x80000004 0x00D7DC 3
6.6.6.6         6.6.6.6         1541        0x80000004 0x007A29 3

                Net Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum
10.1.45.5       5.5.5.5         1523        0x80000002 0x00C8FA
10.1.46.6       6.6.6.6         1541        0x80000002 0x00B702
10.1.56.6       6.6.6.6         1541        0x80000002 0x007B30

                Summary Net Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum
10.2.12.0       4.4.4.4         1530        0x80000002 0x001DD8
10.2.23.0       4.4.4.4         85          0x80000001 0x0041B4

Looks like the only LSA Type 3 (Summary Net Link States) routes that we received are the only ones we permitted on R4. Exactly what we expected! Now let’s check the route table:

R5#sh ip route | b Gateway
Gateway of last resort is not set

     5.0.0.0/32 is subnetted, 1 subnets
C       5.5.5.5 is directly connected, Loopback0
     6.0.0.0/32 is subnetted, 1 subnets
O       6.6.6.6 [110/11] via 10.1.56.6, 00:56:45, Ethernet1/1
     10.0.0.0/24 is subnetted, 5 subnets
O IA    10.2.12.0 [110/40] via 10.1.45.4, 00:56:45, Ethernet1/0
O IA    10.2.23.0 [110/30] via 10.1.45.4, 00:00:05, Ethernet1/0
O       10.1.46.0 [110/20] via 10.1.56.6, 00:56:45, Ethernet1/1
                  [110/20] via 10.1.45.4, 00:56:45, Ethernet1/0
C       10.1.45.0 is directly connected, Ethernet1/0
C       10.1.56.0 is directly connected, Ethernet1/1

Awesome! The only inter-area routes that we can see on R5 are those that we permitted on the ABR (R4).

Let’s have a look at example of filtering routes coming out of an area:

R3:

router ospf 1
 router-id 3.3.3.3
 log-adjacency-changes
 area 2 filter-list prefix AREA_2_OUT out
 network 3.3.3.3 0.0.0.0 area 0
 network 10.0.34.3 0.0.0.0 area 0
 network 10.2.13.3 0.0.0.0 area 2
 network 10.2.23.3 0.0.0.0 area 2
!
ip prefix-list AREA_2_OUT seq 5 permit 10.2.23.0/24

Recall that R3 will generate a Type 3 Summary LSA for all the routes in area 2 and then send it out of area 2. In the example above we area stopping R3 creating a Type 3 LSA and sending it into area 0. We are using a prefix list to specify that the only Type 3 LSA that R3 will generate is for the 10.2.23.0/24 route.

Let’s check the database on R4 now, I’ll just clear the OSPF process on R3 to speed to convergence along:

R3#clear ip ospf pro
Reset ALL OSPF processes? [no]: yes

R4:

R4#sh ip ospf data

            OSPF Router with ID (4.4.4.4) (Process ID 1)

                Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
3.3.3.3         3.3.3.3         31          0x80000005 0x00157C 2
4.4.4.4         4.4.4.4         117         0x80000004 0x002B5A 2

                Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
10.0.34.3       3.3.3.3         127         0x80000001 0x005C86

                Summary Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
5.5.5.5         4.4.4.4         112         0x80000002 0x009676
6.6.6.6         4.4.4.4         122         0x80000001 0x006A9F
10.1.45.0       4.4.4.4         112         0x80000001 0x00F5F4
10.1.46.0       4.4.4.4         122         0x80000001 0x00EAFE
10.1.56.0       4.4.4.4         122         0x80000001 0x00E0F4
10.2.23.0       3.3.3.3         31          0x80000003 0x00F60B

                Router Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum Link count
4.4.4.4         4.4.4.4         117         0x80000006 0x00D321 2
5.5.5.5         5.5.5.5         126         0x80000006 0x00D3DE 3
6.6.6.6         6.6.6.6         62          0x80000005 0x00782A 3

                Net Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum
10.1.45.5       5.5.5.5         123         0x80000003 0x00C6FB
10.1.46.6       6.6.6.6         62          0x80000003 0x00B503
10.1.56.6       6.6.6.6         62          0x80000003 0x007931

                Summary Net Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum
10.2.23.0       4.4.4.4         117         0x80000002 0x003FB5

You can see that the only Type 3 LSA from area 2 that R4 can see is the 10.2.23.0/24 network. Exactly what we expected. Awesome!

R5:

R5#sh ip route | b Gateway
Gateway of last resort is not set

     5.0.0.0/32 is subnetted, 1 subnets
C       5.5.5.5 is directly connected, Loopback0
     6.0.0.0/32 is subnetted, 1 subnets
O       6.6.6.6 [110/11] via 10.1.56.6, 00:02:18, Ethernet1/1
     10.0.0.0/24 is subnetted, 4 subnets
O IA    10.2.23.0 [110/30] via 10.1.45.4, 00:02:18, Ethernet1/0
O       10.1.46.0 [110/20] via 10.1.56.6, 00:02:18, Ethernet1/1
                  [110/20] via 10.1.45.4, 00:02:18, Ethernet1/0
C       10.1.45.0 is directly connected, Ethernet1/0
C       10.1.56.0 is directly connected, Ethernet1/1

This in turn is the only inter-area route that we can see on R5 (remember that we are also filtering on R4).

R5#sh ip ospf database

            OSPF Router with ID (5.5.5.5) (Process ID 1)

                Router Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum Link count
5.5.5.5         5.5.5.5         6           0x80000006 0x00D3DE 3
6.6.6.6         6.6.6.6         1952        0x80000004 0x007A29 3

                Net Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum
10.1.45.4       4.4.4.4         3609        0x80000001 0x0003C6
10.1.45.5       5.5.5.5         3           0x80000003 0x00C6FB
10.1.46.6       6.6.6.6         1952        0x80000002 0x00B702
10.1.56.6       6.6.6.6         1952        0x80000002 0x007B30

                Summary Net Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum
10.2.23.0       4.4.4.4         4           0x80000001 0x0041B4

So you can see that we can filter routes using the area filter-list command. The area filter-list command filter’s LSA Type 3′s from going in or out of an area. The routes in an area still maintain a consistent route table and OSPF database. Filtering between areas stops routes from entering the OSPF database and in turn stops them from going into the route tables.

In our next article in this series we will look at filtering between areas using a few of the more obtuse ways such as the area range command and summary-address commands.

Hope this helps. If anybody has any questions or suggestion, leave a comment below and I’ll be happy to help. Now get back to labs!

Summary:

OSPF can be considered Link-State within an area, and Distance Vector between areas
The area filter-list command filter’s routes going in or out from an area.

Resources:

Tutorial: OSPF Network Types & Frame-Relay Series

Arden Packeer — Thu, 24 Jul 2008 10:59:41 +0000

Knowing the OSPF Network Types and how they work with different frame relay topologies is one of those things that you should know inside out if you are attempting the CCIE lab. This five part series of tutorials are designed to take you through all the different OSPF network types and demonstrate how they interact with Frame-Relay over various partial-mesh topologies.

Tutorial: OSPF Network Types and Frame Relay Part 5

Arden Packeer — Thu, 24 Jul 2008 10:19:21 +0000

In my previous tutorials we looked at the different OSPF Network types (you can find Part 1 here, Part 2 here, Part 3 here, and Part 4 here) and also how they interact with each other. In this tutorial we will be looking at implementing OSPF over a partial mesh Frame-Relay network with multiple hubs and spokes. This is the last of the OSPF Network Types and Frame Relay series of articles….unless I find something cool!

We will be implementing the following topology for this tutorial:

Dynagen / Dynamips .net Configuration File:

ghostios = true
sparsemem = true
model = 3640

[localhost]

    [[3640]]
    image = Program FilesDynamipsimagesc3640-jk9o3s-mz.124-12.bin
    # On Linux / Unix use forward slashes:
    # image = /opt/7200-images/c7200-jk9o3s-mz.124-7a.image
    ram = 128

    [[ROUTER R1]]
        f0/0 = LAN 1
        s1/0 = FRAME 1
        console = 2000
        model = 3640

    [[ROUTER R2]]
        f0/0 = LAN 2
        s1/0 = FRAME 2
        console = 2001
        model = 3640

    [[ROUTER R3]]
        f0/0 = LAN 3
        s1/0 = FRAME 3
        console = 2002
        model = 3640

    [[ROUTER R4]]
        f0/0 = LAN 4
        s1/0 = FRAME 4
        console = 2003
        model = 3640

    [[FRSW FRAME]]
        1:102 = 2:201
        2:203 = 3:302
        3:304 = 4:403

You can download the pre-configured .net dynagen configuration file for this tutorial here.

Lets have a look at the basic configuration for this topology:

R1

hostname R1
!
no service timestamps debug uptime
no service timestamps log uptime
!
interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial1/0
 ip address 192.168.1.1 255.255.255.0
 encapsulation frame-relay
 frame-relay map ip 192.168.1.2 102 broadcast
 frame-relay map ip 192.168.1.3 102
 frame-relay map ip 192.168.1.4 102
 no frame-relay inverse-arp

R2

hostname R2
!
no service timestamps debug uptime
no service timestamps log uptime
!
interface FastEthernet0/0
 ip address 2.2.2.2 255.255.255.0
 duplex auto
 speed auto
!
interface Serial1/0
 ip address 192.168.1.2 255.255.255.0
 encapsulation frame-relay
 frame-relay map ip 192.168.1.1 201 broadcast
 frame-relay map ip 192.168.1.3 203 broadcast
 frame-relay map ip 192.168.1.4 203
 no frame-relay inverse-arp

R3

hostname R3
!
no service timestamps debug uptime
no service timestamps log uptime
!
interface FastEthernet0/0
 ip address 3.3.3.3 255.255.255.0
 duplex auto
 speed auto
!
interface Serial1/0
 ip address 192.168.1.3 255.255.255.0
 encapsulation frame-relay
 frame-relay map ip 192.168.1.1 302
 frame-relay map ip 192.168.1.2 302 broadcast
 frame-relay map ip 192.168.1.4 304 broadcast
 no frame-relay inverse-arp

R4

hostname R4
!
no service timestamps debug uptime
no service timestamps log uptime
!
interface FastEthernet0/0
 ip address 4.4.4.4 255.255.255.0
 duplex auto
 speed auto
!
interface Serial1/0
 ip address 192.168.1.4 255.255.255.0
 encapsulation frame-relay
 frame-relay map ip 192.168.1.1 403
 frame-relay map ip 192.168.1.2 403
 frame-relay map ip 192.168.1.3 403 broadcast
 no frame-relay inverse-arp

Let’s take a close look at this configuration. You can see above we have a partial mesh configuration and it could be argued that we actually have two hubs. R2 and R3 could both be considered hubs. R2 is the hub for R1 and R3 spokes, and R3 is the hub for R2 and R4 spokes. The broadcast statements reflect this. R2 has broadcast statements in its frame-relay map for its spokes, and only its spokes. This is the same on R3, we have broadcast statements for R2 and R4 (its spokes only). This is to stop redundant broadcasts.

If we apply a broadcast statement to each and every frame-relay map statement this will cause redundant broadcasts frames to be sent. For example lets say we configure R4 as follows:

R4

interface Serial1/0
 ip address 192.168.1.4 255.255.255.0
 encapsulation frame-relay
 frame-relay map ip 192.168.1.1 403 broadcast
 frame-relay map ip 192.168.1.2 403 broadcast
 frame-relay map ip 192.168.1.3 403 broadcast
 no frame-relay inverse-arp

Notice we have applied a broadcast option to every frame-relay map statement. When a broadcast frame is sent, it will create three packets with a layer2 header (frame relay) specifying DLCI 403, and a layer3 header (IP) specifying a destination of 192.168.1.255. R3 will receive all three of these frames.

R3 will look at the layer2 header of those frames and say “Oh this for me at layer2! Great, lets look at the layer3 header”. R3 will then de-encapsulate the layer2 header (the frame) and then take a look at the layer3 header which has a destination of 192.168.1.255. “Oh its a broadcast great, thats for me as well”, R3 says. Will it forward those back out the interface to the rest of the Routers? No. Think about this. When you get a broadcast packet on an ethernet network does your computer process it and then send it back out again. If it did this would result in a hell of a lot of broadcast traffic on our networks!

R3 will get three packets that have the broadcast as a destination address and process them. It will not resend those broadcast packets backout again. That is what it means by redundant broadcasts.

Let’s verify this:

R2:

R2#debug ip packet
IP packet debugging is on

R3:

R3#debug ip packet
IP packet debugging is on

R4:

R4#debug ip packet
IP packet debugging is on

We have turned on ip packet debugging on all routers (don’t try this on a production router!). Let’s generate some packets on R4:

R4#ping 192.168.1.255

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.255, timeout is 2 seconds:

IP: s=192.168.1.4 (local), d=255.255.255.255 (Serial1/0), len 100, sending broad/multicast
IP: tableid=0, s=192.168.1.3 (Serial1/0), d=192.168.1.4 (Serial1/0), routed via RIB
IP: s=192.168.1.3 (Serial1/0), d=192.168.1.4 (Serial1/0), len 100, rcvd 3
IP: tableid=0, s=192.168.1.3 (Serial1/0), d=192.168.1.4 (Serial1/0), routed via RIB
IP: s=192.168.1.3 (Serial1/0), d=192.168.1.4 (Serial1/0), len 100, rcvd 3
IP: tableid=0, s=192.168.1.3 (Serial1/0), d=192.168.1.4 (Serial1/0), routed via RIB
IP: s=192.168.1.3 (Serial1/0), d=192.168.1.4 (Serial1/0), len 100, rcvd 3
Reply to request 0 from 192.168.1.3, 80 ms
Reply to request 0 from 192.168.1.3, 96 ms
Reply to request 0 from 192.168.1.3, 88 ms
-----Output Cut-----

R3#
IP: s=192.168.1.4 (Serial1/0), d=255.255.255.255, len 100, rcvd 2
IP: tableid=0, s=192.168.1.3 (local), d=192.168.1.4 (Serial1/0), routed via FIB
IP: s=192.168.1.3 (local), d=192.168.1.4 (Serial1/0), len 100, sending
IP: s=192.168.1.4 (Serial1/0), d=255.255.255.255, len 100, rcvd 2
IP: tableid=0, s=192.168.1.3 (local), d=192.168.1.4 (Serial1/0), routed via FIB
IP: s=192.168.1.3 (local), d=192.168.1.4 (Serial1/0), len 100, sending
IP: s=192.168.1.4 (Serial1/0), d=255.255.255.255, len 100, rcvd 2
IP: tableid=0, s=192.168.1.3 (local), d=192.168.1.4 (Serial1/0), routed via FIB
IP: s=192.168.1.3 (local), d=192.168.1.4 (Serial1/0), len 100, sending

You can see clearly in the output above that R3 got 3 ping packets for every one ping that was supposed to be sent. R3 then sent 3 unicast reply back to to R4 only. Be aware of this as I see a lot of people setting broadcast statement on every frame-relay map statement. I don’t know if you will loose marks on this in the CCIE Lab exam but it certainly helps to be aware of it.

On your hub, set a broadcast frame-relay map on all the DLCI’s leading to your spokes. On your spokes, set the broadcast frame-relay map on the DLCI leading to your hub.

This has implications for OSPF. It is why we usually want to make sure that the hub is the Designated Router (DR) in OSPF. The spokes send an update via a multicast (subset of broadcast) to 224.0.0.6 which the DR listens on. This is only applicable to network types that require a DR. The updates are then collated by the DR and sent out to the other spokes via the address 224.0.0.5. They are seperate broadcasts.

Let’s clean up before we move on to setting up OSPF across this network.

R2:

R2#un all
All possible debugging has been turned off

R3:

R3#un all
All possible debugging has been turned off

R4:

R4#un all
All possible debugging has been turned off
R4#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R4(config)#default int s1/0
Building configuration...

Interface Serial1/0 set to default configuration
R4(config)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to up
R4(config)#int s1/0
R4(config-if)# ip address 192.168.1.4 255.255.255.0
R4(config-if)# encapsulation frame-relay
R4(config-if)# frame-relay map ip 192.168.1.1 403
R4(config-if)# frame-relay map ip 192.168.1.2 403
R4(config-if)# frame-relay map ip 192.168.1.3 403 broadcast
R4(config-if)# no frame-relay inverse-arp
R4(config-if)#no shut
R4(config-if)#end

Setting Up An OSPF Network Across A Partial-Mesh Frame-Relay Network

One of the things that you should be asking yourself looking at that topology is what OSPF network type do we use? We’ve already stated that there are essentially two hubs in that topology. Both R2 and R3 could be considered hubs. Well, if there are two hubs which one do we make the DR? Can we even use a network type that requires a DR in this topology? Let’s explore this first.

OSPF DR Network Types:

R1:

interface Serial1/0
 ip ospf network broadcast
 ip ospf priority 0
!
router ospf 1
 router-id 1.1.1.1
 log-adjacency-changes
 network 1.1.1.1 0.0.0.0 area 0
 network 192.168.1.1 0.0.0.0 area 0

R2:

interface Serial1/0
 ip ospf network broadcast
!
router ospf 1
 router-id 2.2.2.2
 log-adjacency-changes
 network 2.2.2.2 0.0.0.0 area 0
 network 192.168.1.2 0.0.0.0 area 0

R3:

interface Serial1/0
 ip ospf network broadcast
!
router ospf 1
 router-id 3.3.3.3
 log-adjacency-changes
 network 3.3.3.3 0.0.0.0 area 0
 network 192.168.1.3 0.0.0.0 area 0

R4:

interface Serial1/0
 ip ospf network broadcast
 ip ospf priority 0
!
router ospf 1
 router-id 4.4.4.4
 log-adjacency-changes
 network 4.4.4.4 0.0.0.0 area 0
 network 192.168.1.4 0.0.0.0 area 0

So we have activated ospf on all the interfaces in our topology. For simplicity sake we have used a single OSPF area (area 0) for our entire topology.

Let’s verify that we are able to establish adjacency on our routers:

R1#sh ip ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           1   FULL/DR         00:00:30    192.168.1.2     Serial1/0

R2#sh ip ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           0   FULL/DROTHER    00:00:36    192.168.1.1     Serial1/0
3.3.3.3           1   FULL/DR         00:00:30    192.168.1.3     Serial1/0

R3#sh ip ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           1   FULL/BDR        00:00:32    192.168.1.2     Serial1/0
4.4.4.4           0   FULL/DROTHER    00:00:33    192.168.1.4     Serial1/0

R4#sh ip ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
3.3.3.3           1   FULL/DR         00:00:38    192.168.1.3     Serial1/0

At first glance, that looks fine. They all came up as fully adjacent, but take a look at those DR/BDR relationships. They are not consistent at all!

R1#sh ip ospf int s1/0 | inc Designated|Backup
  Designated Router (ID) 2.2.2.2, Interface address 192.168.1.2
  Backup Designated router (ID) 2.2.2.2, Interface address 192.168.1.2
    Adjacent with neighbor 2.2.2.2  (Designated Router)

R2#sh ip ospf int s1/0 | inc Designated|Backup
  Designated Router (ID) 3.3.3.3, Interface address 192.168.1.3
  Backup Designated router (ID) 2.2.2.2, Interface address 192.168.1.2
    Adjacent with neighbor 3.3.3.3  (Designated Router)

R3#sh ip ospf int s1/0 | inc Designated|Backup
  Designated Router (ID) 3.3.3.3, Interface address 192.168.1.3
  Backup Designated router (ID) 2.2.2.2, Interface address 192.168.1.2
    Adjacent with neighbor 2.2.2.2  (Backup Designated Router)

R4#sh ip ospf int s1/0 | inc Designated|Backup
  Designated Router (ID) 3.3.3.3, Interface address 192.168.1.3
    Adjacent with neighbor 3.3.3.3  (Designated Router)

R1 believes that R2 is the DR. R2, R3, and R4 believe that R3 is the DR. How will this effect the routing tables?

R2#sh ip route | b Gateway
Gateway of last resort is not set

     2.0.0.0/24 is subnetted, 1 subnets
C       2.2.2.0 is directly connected, FastEthernet0/0
     3.0.0.0/24 is subnetted, 1 subnets
O       3.3.3.0 [110/65] via 192.168.1.3, 00:03:40, Serial1/0
     4.0.0.0/24 is subnetted, 1 subnets
O       4.4.4.0 [110/65] via 192.168.1.4, 00:03:40, Serial1/0
C    192.168.1.0/24 is directly connected, Serial1/0

R3#sh ip route | b Gateway
Gateway of last resort is not set

     2.0.0.0/24 is subnetted, 1 subnets
O       2.2.2.0 [110/65] via 192.168.1.2, 00:04:07, Serial1/0
     3.0.0.0/24 is subnetted, 1 subnets
C       3.3.3.0 is directly connected, FastEthernet0/0
     4.0.0.0/24 is subnetted, 1 subnets
O       4.4.4.0 [110/65] via 192.168.1.4, 00:04:07, Serial1/0
C    192.168.1.0/24 is directly connected, Serial1/0

R4#sh ip route | b Gateway
Gateway of last resort is not set

     2.0.0.0/24 is subnetted, 1 subnets
O       2.2.2.0 [110/65] via 192.168.1.2, 00:04:18, Serial1/0
     3.0.0.0/24 is subnetted, 1 subnets
O       3.3.3.0 [110/65] via 192.168.1.3, 00:04:18, Serial1/0
     4.0.0.0/24 is subnetted, 1 subnets
C       4.4.4.0 is directly connected, FastEthernet0/0
C    192.168.1.0/24 is directly connected, Serial1/0

It looks like R2, R3, and R4 can see each others Ethernet networks, but they have no visibility of R1′s Ethernet segment.

R1#sh ip route | b Gateway
Gateway of last resort is not set

     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, FastEthernet0/0
C    192.168.1.0/24 is directly connected, Serial1/0

R1 has no visibility at all of the other networks even though we are fully adjacent with R2!

Let’s examine this a little closer. In the above topology, R2, R3, and R4 will be able to swap routes as they have a consitent DR. Updates will be sent to the DR, these will be collated by the DR and then resent out to the spokes. But R1 thinks R2 is the DR. R1 will send its updates to what it thinks is the DR (R2). R2 will not accept these routes because it believes R3 is the DR!

The biggest problem with this topology and OSPF network types that require a DR is “who do we make the DR?”. We usually make the hub in a hub and spoke topology the DR, but what happens when we effectively have 2 hubs? These types of topologies are simply not suited to OSPF network types that require a DR (broadcast, and non-broadcast). We can’t have 2 DR’s!

OSPF Non-DR Network Types:

Let’s try the same thing with a Non-DR OSPF Network type. In this example we will be using the point-to-multipoint OSPF network type, although we could also use any of the other types that don’t require a DR.

Let’s take a look at the configuration:

R1:

interface Serial1/0
 ip address 192.168.1.1 255.255.255.0
 encapsulation frame-relay
 ip ospf network point-to-multipoint
 frame-relay map ip 192.168.1.2 102 broadcast
 frame-relay map ip 192.168.1.3 102
 frame-relay map ip 192.168.1.4 102
 no frame-relay inverse-arp
!
router ospf 1
 router-id 1.1.1.1
 log-adjacency-changes
 network 1.1.1.1 0.0.0.0 area 0
 network 192.168.1.1 0.0.0.0 area 0

R2:

interface Serial1/0
 ip address 192.168.1.2 255.255.255.0
 encapsulation frame-relay
 ip ospf network point-to-multipoint
 frame-relay map ip 192.168.1.1 201 broadcast
 frame-relay map ip 192.168.1.3 203 broadcast
 frame-relay map ip 192.168.1.4 203
 no frame-relay inverse-arp
!
router ospf 1
 router-id 2.2.2.2
 log-adjacency-changes
 network 2.2.2.2 0.0.0.0 area 0
 network 192.168.1.2 0.0.0.0 area 0

R3:

interface Serial1/0
 ip address 192.168.1.3 255.255.255.0
 encapsulation frame-relay
 ip ospf network point-to-multipoint
 frame-relay map ip 192.168.1.1 302
 frame-relay map ip 192.168.1.2 302 broadcast
 frame-relay map ip 192.168.1.4 304 broadcast
 no frame-relay inverse-arp
!
router ospf 1
 router-id 3.3.3.3
 log-adjacency-changes
 network 3.3.3.3 0.0.0.0 area 0
 network 192.168.1.3 0.0.0.0 area 0

R4:

interface Serial1/0
 ip address 192.168.1.4 255.255.255.0
 encapsulation frame-relay
 ip ospf network point-to-multipoint
 frame-relay map ip 192.168.1.1 403
 frame-relay map ip 192.168.1.2 403
 frame-relay map ip 192.168.1.3 403 broadcast
 no frame-relay inverse-arp
!
router ospf 1
 router-id 4.4.4.4
 log-adjacency-changes
 network 4.4.4.4 0.0.0.0 area 0
 network 192.168.1.4 0.0.0.0 area 0

Once again we have setup all our interfaces so that they are in area 0. We have used the ip ospf network point-to-multipoint command on all our routers so we have a consistent network type. This network type does not require a DR as OSPF will inject /32 route to all our end points. You can check out my previous tutorial on the point-to-multipoint OSPF network type on why this is so cool!

Our two hubs, R2 and R3 have frame-relay maps with broadcast statements to their respective spokes. R2 has a broadcast statement for R1 and R3 in its frame-relay map statement. R3 has a broadcast statement for R2 and R4 in its frame-relay maps. Once again, we don’t apply broadcast statements to all our traffic as we would receive redundant broadcast messages.

Let’s verify the routing table:

R1#sh ip route | b Gateway
Gateway of last resort is not set

     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, FastEthernet0/0
     2.0.0.0/24 is subnetted, 1 subnets
O       2.2.2.0 [110/65] via 192.168.1.2, 00:15:43, Serial1/0
     3.0.0.0/24 is subnetted, 1 subnets
O       3.3.3.0 [110/129] via 192.168.1.2, 00:15:43, Serial1/0
     4.0.0.0/24 is subnetted, 1 subnets
O       4.4.4.0 [110/193] via 192.168.1.2, 00:15:43, Serial1/0
     192.168.1.0/24 is variably subnetted, 4 subnets, 2 masks
C       192.168.1.0/24 is directly connected, Serial1/0
O       192.168.1.3/32 [110/128] via 192.168.1.2, 00:15:43, Serial1/0
O       192.168.1.2/32 [110/64] via 192.168.1.2, 00:15:43, Serial1/0
O       192.168.1.4/32 [110/192] via 192.168.1.2, 00:15:43, Serial1/0

You can see clearly above OSPF has inserted an extra hop via R2 for R1 for all our routers in the 192.168.1.0/24 segment. OSPF’s point-to-multipoint network type creates next hops to make the layer 3 topology mirror that of the layer 2 topology.

R1 looks great, let’s verify R4′s routing table and see if we can ping across the furthest spokes:

R4#sh ip route | b Gateway
Gateway of last resort is not set

     1.0.0.0/24 is subnetted, 1 subnets
O       1.1.1.0 [110/193] via 192.168.1.3, 00:24:11, Serial1/0
     2.0.0.0/24 is subnetted, 1 subnets
O       2.2.2.0 [110/129] via 192.168.1.3, 00:24:11, Serial1/0
     3.0.0.0/24 is subnetted, 1 subnets
O       3.3.3.0 [110/65] via 192.168.1.3, 00:24:11, Serial1/0
     4.0.0.0/24 is subnetted, 1 subnets
C       4.4.4.0 is directly connected, FastEthernet0/0
     192.168.1.0/24 is variably subnetted, 4 subnets, 2 masks
O       192.168.1.1/32 [110/192] via 192.168.1.3, 00:24:11, Serial1/0
C       192.168.1.0/24 is directly connected, Serial1/0
O       192.168.1.3/32 [110/64] via 192.168.1.3, 00:24:11, Serial1/0
O       192.168.1.2/32 [110/128] via 192.168.1.3, 00:24:11, Serial1/0

The routing table looks great! Let’s check reachability:

R4#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/47/136 ms

Looks like we have full reachability! Awesome!

So whats the moral of this story? On topologies that have one hub, make sure the hub becomes the DR by setting the ip ospf priority of the spokes to 0 (or use a network type that doesn’t require a DR!).

For a frame-relay topology that effectively has multiple hubs like our topology above we should use an OSPF network type that doesn’t require a DR.

If anybody has any other questions regarding OSPF networks and frame-relay, or has some weird topology that would make a great tutorial shoot me an email.

HTH. Now get back to labs!

Summary:

For topologies where you have one hub, ensure the hub is the DR or use a network type that doesn’t require a DR
For topologies that have more than one hub, use a network type that doesn’t require a DR
In partial mesh topologies, the hubs should use a broadcast frame-relay map on DLCI’s to all connected spokes. This is to stop redundant broadcasts
In partial mesh topologies, the spokes should use a broadcast frame-relay map on DLCI’s to the hub only. This is to stop redundant broadcasts

Resources:

Dynamips/Dynagen .net configuration file

Tutorial: Filtering Routes in OSPF Part 1 » Filtering Within An Area

Arden Packeer — Sat, 21 Jun 2008 05:16:55 +0000

In addition to knowing all the different OSPF Network Types and how they relate to Frame-Relay, a CCIE candidate must be familiar with the different methods of filtering routes in OSPF. This two part series of tutorials will focus on filtering routes in OSPF, both within an area and between areas. This tutorial will focus on filtering routes within an area using distribute-lists, access-lists and using a route-map.

We will be using the following topology for this tutorial:

Dynagen .net Configuration File:

ghostios = True
sparsemem = True
model = 3640

[localhost]

    [[3640]]
        image = Program FilesDynamipsimagesc3640-jk9o3s-mz.124-12.bin
        # On Linux / Unix use forward slashes:
        # image = /opt/7200-images/c7200-jk9o3s-mz.124-7a.image
        ram = 128

    [[ROUTER R1]]
        model = 3640
        console = 2000
        e1/0 = LAN 13
        e1/1 = LAN 12
        autostart = False       

    [[ROUTER R2]]
        model = 3640
        console = 2001
        e1/0 = LAN 23
        e1/1 = LAN 12
        autostart = False

    [[ROUTER R3]]
        model = 3640
        console = 2002
        e1/0 = LAN 13
        e1/1 = LAN 23
        e1/2 = LAN 34
        e1/3 = LAN 35
        autostart = False

    [[ROUTER R4]]
        model = 3640
        console = 2003
        e1/0 = LAN 34
        e1/1 = LAN 45
        autostart = False

    [[ROUTER R5]]
        model = 3640
        console = 2004
        e1/0 = LAN 35
        e1/1 = LAN 45
        autostart = False

You can download the pre-configured .net dynagen configuration file for this tutorial here.

Basic Configuration

First things first lets set up our basic topology. You can see in the diagram above R3 will be our Area Border Router (ABR) between Area 0 and Area 1. R1 and R2 will be backbone routers in Area 0, and R4 and R5 will be internal Area 1 routers.

R1:

hostname R1
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Ethernet1/0
 ip address 10.0.13.1 255.255.255.0
 full-duplex
!
interface Ethernet1/1
 ip address 10.0.12.1 255.255.255.0
 full-duplex
!
router ospf 1
 router-id 1.1.1.1
 log-adjacency-changes
 network 1.1.1.1 0.0.0.0 area 0
 network 10.0.12.1 0.0.0.0 area 0
 network 10.0.13.1 0.0.0.0 area 0

R2:

hostname R2
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Ethernet1/0
 ip address 10.0.23.2 255.255.255.0
 full-duplex
!
interface Ethernet1/1
 ip address 10.0.12.2 255.255.255.0
 full-duplex
!
router ospf 1
 router-id 2.2.2.2
 log-adjacency-changes
 network 2.2.2.2 0.0.0.0 area 0
 network 10.0.12.2 0.0.0.0 area 0
 network 10.0.23.2 0.0.0.0 area 0

R3:

hostname R3
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface Ethernet1/0
 ip address 10.0.13.3 255.255.255.0
 full-duplex
!
interface Ethernet1/1
 ip address 10.0.23.3 255.255.255.0
 full-duplex
!
interface Ethernet1/2
 ip address 10.1.34.3 255.255.255.0
 full-duplex
!
interface Ethernet1/3
 ip address 10.1.35.3 255.255.255.0
 full-duplex
!
router ospf 1
 router-id 3.3.3.3
 log-adjacency-changes
 network 3.3.3.3 0.0.0.0 area 0
 network 10.0.13.3 0.0.0.0 area 0
 network 10.0.23.3 0.0.0.0 area 0
 network 10.1.34.3 0.0.0.0 area 1
 network 10.1.35.3 0.0.0.0 area 1

R4:

hostname R4
!
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
!
interface Ethernet1/0
 ip address 10.1.34.4 255.255.255.0
 full-duplex
!
interface Ethernet1/1
 ip address 10.1.45.4 255.255.255.0
 full-duplex
!
router ospf 1
 router-id 4.4.4.4
 log-adjacency-changes
 network 4.4.4.4 0.0.0.0 area 1
 network 10.1.34.4 0.0.0.0 area 1
 network 10.1.45.4 0.0.0.0 area 1

R5:

hostname R5
!
interface Loopback0
 ip address 5.5.5.5 255.255.255.255
!
interface Ethernet1/0
 ip address 10.1.35.5 255.255.255.0
 full-duplex
!
interface Ethernet1/1
 ip address 10.1.45.5 255.255.255.0
 full-duplex
!
router ospf 1
 router-id 5.5.5.5
 log-adjacency-changes
 network 5.5.5.5 0.0.0.0 area 1
 network 10.1.35.5 0.0.0.0 area 1
 network 10.1.45.5 0.0.0.0 area 1

You can see above, we have also added a loopback interface on each device and advertised them into OSPF. R1, R2, and R3′s Loopback0 interfaces have been added to Area 0. R4 and R5′s Loopback0 interfaces have been added to Area 1.

Let’s verify the routing table on R5 and test connectivity before we start filtering routes.

R5#sh ip route | b Gateway
Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
O IA    1.1.1.1 [110/21] via 10.1.35.3, 00:47:50, Ethernet1/0
     2.0.0.0/32 is subnetted, 1 subnets
O IA    2.2.2.2 [110/21] via 10.1.35.3, 00:47:50, Ethernet1/0
     3.0.0.0/32 is subnetted, 1 subnets
O IA    3.3.3.3 [110/11] via 10.1.35.3, 00:47:50, Ethernet1/0
     4.0.0.0/32 is subnetted, 1 subnets
O       4.4.4.4 [110/11] via 10.1.45.4, 00:47:50, Ethernet1/1
     5.0.0.0/32 is subnetted, 1 subnets
C       5.5.5.5 is directly connected, Loopback0
     10.0.0.0/24 is subnetted, 6 subnets
O IA    10.0.12.0 [110/30] via 10.1.35.3, 00:47:50, Ethernet1/0
O IA    10.0.13.0 [110/20] via 10.1.35.3, 00:47:50, Ethernet1/0
O IA    10.0.23.0 [110/20] via 10.1.35.3, 00:47:50, Ethernet1/0
C       10.1.45.0 is directly connected, Ethernet1/1
C       10.1.35.0 is directly connected, Ethernet1/0
O       10.1.34.0 [110/20] via 10.1.45.4, 00:47:50, Ethernet1/1
                  [110/20] via 10.1.35.3, 00:47:50, Ethernet1/0

The routing table looks correct. We have inter-area routes to R1, R2, and R3′s loopback0 addresses as well as to the 10.0.12.0/24, 10.0.13.0/24 and 10.0.23.0/24 networks.

R5#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 216/245/284 ms

Looks like we have full connectivity. Now time to filter some routes!

Filtering Routes Within An Area

OSPF is a link-state routing protocol. Routers running OSPF within an area swap state information and populate a topology database. Each router then independently calculates the best paths based on the information contained in their topology database. All routers within an area must have the same topology information so that they can accurately make routing decisions.

Let’s take a look at the current OSPF topology database on R5:

R5#sh ip ospf database 

            OSPF Router with ID (5.5.5.5) (Process ID 1)

                Router Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum Link count
3.3.3.3         3.3.3.3         473         0x80000004 0x00EC42 2
4.4.4.4         4.4.4.4         473         0x80000005 0x006887 3
5.5.5.5         5.5.5.5         454         0x80000005 0x000BD3 3

                Net Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum
10.1.34.4       4.4.4.4         473         0x80000003 0x0014C6
10.1.35.5       5.5.5.5         454         0x80000003 0x0003CD
10.1.45.5       5.5.5.5         454         0x80000003 0x00C6FB

                Summary Net Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum
1.1.1.1         3.3.3.3         473         0x80000003 0x006BB4
2.2.2.2         3.3.3.3         473         0x80000003 0x003DDE
3.3.3.3         3.3.3.3         473         0x80000003 0x00AA77
10.0.12.0       3.3.3.3         473         0x80000003 0x00EC18
10.0.13.0       3.3.3.3         474         0x80000003 0x007D90
10.0.23.0       3.3.3.3         474         0x80000003 0x000FF4

We will be filtering routes on R5 so it will be interesting to see the effect that this will have on the topology database. If we lose any of the database entries, we will have an inconsistent database in our area with some routers missing pieces of the the topology database. An inconsistent topology database might cause the Dijkstra’s shortest-path-first algorithm that OSPF uses to calculate paths that contain routing loops or routing black holes.

Herein lies the challenge. If we filter routes on a particular router, does that mean that some routers in an area will have a different topology database than the others in the same area? How will this affect the routing process? It is these questions that I want you to keep in mind when we go through our examples.

Filtering within an area – Using distribute-list

The first tool we will be using to filter routes is a distribute-list. We will first use a distribute list to filter all routes except R3′s loopback address (3.3.3.3) from R5′s routing table.

Let’s take a look at the configuration:

R5:

router ospf 1
 distribute-list 1 in
!
access-list 1 permit 3.3.3.3

You can see we have created an inbound distribute-list on the OSPF process on R5. We have used an access-list to define that we only want to permit the 3.3.3.3 address (don’t forget there is an implicit deny at the end of that access list).

Let’s verify this:

R5#sh ip route | b Gateway
Gateway of last resort is not set

     3.0.0.0/32 is subnetted, 1 subnets
O IA    3.3.3.3 [110/11] via 10.1.35.3, 00:00:14, Ethernet1/0
     5.0.0.0/32 is subnetted, 1 subnets
C       5.5.5.5 is directly connected, Loopback0
     10.0.0.0/24 is subnetted, 2 subnets
C       10.1.45.0 is directly connected, Ethernet1/1
C       10.1.35.0 is directly connected, Ethernet1/0

Looks like our distribute-list worked as anticipated. The only non-connected route that we can see is the 3.3.3.3/32 network (ie R3′s loopback0).

Let’s check out the OSPF topology database:

R5#sh ip ospf data

            OSPF Router with ID (5.5.5.5) (Process ID 1)

                Router Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum Link count
3.3.3.3         3.3.3.3         1476        0x80000005 0x00D659 2
4.4.4.4         4.4.4.4         1415        0x80000006 0x006688 3
5.5.5.5         5.5.5.5         1362        0x80000006 0x00DC03 3

                Net Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum
10.1.34.4       4.4.4.4         1415        0x80000002 0x0016C5
10.1.35.3       3.3.3.3         1476        0x80000002 0x007566
10.1.45.5       5.5.5.5         1362        0x80000002 0x00C8FA

                Summary Net Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum
1.1.1.1         3.3.3.3         1476        0x80000002 0x006DB3
2.2.2.2         3.3.3.3         1476        0x80000002 0x003FDD
3.3.3.3         3.3.3.3         1476        0x80000002 0x00AC76
10.0.12.0       3.3.3.3         1476        0x80000002 0x00EE17
10.0.13.0       3.3.3.3         1478        0x80000002 0x007F8F
10.0.23.0       3.3.3.3         1478        0x80000002 0x0011F3

Whoa! We have NO change to the OSPF topology database!

At first glance this might seem counter-intuitive but this is exactly what we want to happen. Remember OSPF is a link-state routing protocol where each router then calculates the best paths based on the information contained in their topology database. All routers within an area must have the same topology information so that they can accurately make routing decisions. If they don’t have the same topology database on the routers within an area we risk routing loops or routing black holes in that area.

So the distribute-list command doesn’t affect routes as they enter or leave the OSPF topology database. The distribute-list command affects routes as they go in and out of the routing table. It does not prevent link state packets from being propagated.

This is very important to remember. When Dijkstra’s shortest-path-first algorithm calculates the best path in OSPF it needs to have a complete view of the topology in an area. If it does not, it cannot calculate best paths that are guaranteed to be loop free.

This configuration could still result in a routing black hole if R4 decides to send packets for any other address (other than R3′s Loopback0) via R5.

Let’s check this:

R4:

R4#sh ip ospf data

            OSPF Router with ID (4.4.4.4) (Process ID 1)

                Router Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum Link count
3.3.3.3         3.3.3.3         41          0x80000003 0x00EE41 2
4.4.4.4         4.4.4.4         45          0x80000003 0x006C85 3
5.5.5.5         5.5.5.5         44          0x80000003 0x000FD1 3

                Net Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum
10.1.34.4       4.4.4.4         45          0x80000001 0x0018C4
10.1.35.5       5.5.5.5         43          0x80000001 0x0007CB
10.1.45.5       5.5.5.5         54          0x80000001 0x00CAF9

                Summary Net Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum
1.1.1.1         3.3.3.3         32          0x80000001 0x006FB2
2.2.2.2         3.3.3.3         42          0x80000001 0x0041DC
3.3.3.3         3.3.3.3         82          0x80000001 0x00AE75
10.0.12.0       3.3.3.3         42          0x80000001 0x00F016
10.0.13.0       3.3.3.3         83          0x80000001 0x00818E
10.0.23.0       3.3.3.3         83          0x80000001 0x0013F2

You can see R4′s topology database above. It has the same entries as R5′s. This is needed by OSPF to make accurate routing decisions.

R4#sh ip route | b Gateway
Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
O IA    1.1.1.1 [110/21] via 10.1.34.3, 00:00:02, Ethernet1/0
     2.0.0.0/32 is subnetted, 1 subnets
O IA    2.2.2.2 [110/21] via 10.1.34.3, 00:00:02, Ethernet1/0
     3.0.0.0/32 is subnetted, 1 subnets
O IA    3.3.3.3 [110/11] via 10.1.34.3, 00:00:02, Ethernet1/0
     4.0.0.0/32 is subnetted, 1 subnets
C       4.4.4.4 is directly connected, Loopback0
     5.0.0.0/32 is subnetted, 1 subnets
O       5.5.5.5 [110/11] via 10.1.45.5, 00:00:02, Ethernet1/1
     10.0.0.0/24 is subnetted, 6 subnets
O IA    10.0.12.0 [110/30] via 10.1.34.3, 00:00:02, Ethernet1/0
O IA    10.0.13.0 [110/20] via 10.1.34.3, 00:00:02, Ethernet1/0
O IA    10.0.23.0 [110/20] via 10.1.34.3, 00:00:03, Ethernet1/0
C       10.1.45.0 is directly connected, Ethernet1/1
O       10.1.35.0 [110/20] via 10.1.45.5, 00:00:03, Ethernet1/1
                  [110/20] via 10.1.34.3, 00:00:03, Ethernet1/0
C       10.1.34.0 is directly connected, Ethernet1/0

R4#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/32/52 ms

At the moment R4 is routing everything correctly to R3. Let’s take a look what happens when we shut down R4′s e1/0 interface:

R4#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R4(config)#int e1/0
R4(config-if)#shut
R4(config-if)#end

R4#sh ip route | b Gateway
Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
O IA    1.1.1.1 [110/31] via 10.1.45.5, 00:00:03, Ethernet1/1
     2.0.0.0/32 is subnetted, 1 subnets
O IA    2.2.2.2 [110/31] via 10.1.45.5, 00:00:03, Ethernet1/1
     3.0.0.0/32 is subnetted, 1 subnets
O IA    3.3.3.3 [110/21] via 10.1.45.5, 00:00:03, Ethernet1/1
     4.0.0.0/32 is subnetted, 1 subnets
C       4.4.4.4 is directly connected, Loopback0
     5.0.0.0/32 is subnetted, 1 subnets
O       5.5.5.5 [110/11] via 10.1.45.5, 00:00:03, Ethernet1/1
     10.0.0.0/24 is subnetted, 5 subnets
O IA    10.0.12.0 [110/40] via 10.1.45.5, 00:00:03, Ethernet1/1
O IA    10.0.13.0 [110/30] via 10.1.45.5, 00:00:03, Ethernet1/1
O IA    10.0.23.0 [110/30] via 10.1.45.5, 00:00:04, Ethernet1/1
C       10.1.45.0 is directly connected, Ethernet1/1
O       10.1.35.0 [110/20] via 10.1.45.5, 00:00:04, Ethernet1/1

Take a look at the routing table above. R4′s OSPF has noticed a topology change and Dijkstra’s shortest-path algorithm has recalculated that the new best path is via R5. Because we still have the same topology database as R5, R4 assumes that this is a valid decision. It doesn’t realise that we are filtering all routes except for 3.3.3.3 on R5.

R4#ping 3.3.3.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/35/72 ms

R4#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

This results in a routing black hole, which is exactly what we would expect. The distribute-list command doesn’t affect the topology database, only the routing table.

Let’s reset the configuration on R4 and R5 before we proceed:

R4:

R4#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R4(config)#int e1/0
R4(config-if)#no shut
R4(config-if)#end

R5:

R5#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R5(config)#no access-list 1
R5(config)#router ospf 1
R5(config-router)#no distribute-list 1 in
R5(config-router)#end

Filtering within an area – Using a distribute-list with a route-map

We can combine the distribute list command with a route-map to give us more flexibility in matching routing table entries. With a route-map on our distribute-list we can use the following options:

match interface
match ip address
match ip next-hop
match ip route-source
match metric
match route-type
match tag

Let’s use the match ip address in conjunction with a prefix-list so we can be more flexible with what gets permitted into our routing table.

Let’s verify the current routing table before we proceed:

R5#sh ip route | b Gateway
Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
O IA    1.1.1.1 [110/21] via 10.1.35.3, 00:00:07, Ethernet1/0
     2.0.0.0/32 is subnetted, 1 subnets
O IA    2.2.2.2 [110/21] via 10.1.35.3, 00:00:07, Ethernet1/0
     3.0.0.0/32 is subnetted, 1 subnets
O IA    3.3.3.3 [110/11] via 10.1.35.3, 00:00:07, Ethernet1/0
     4.0.0.0/32 is subnetted, 1 subnets
O       4.4.4.4 [110/11] via 10.1.45.4, 00:00:07, Ethernet1/1
     5.0.0.0/32 is subnetted, 1 subnets
C       5.5.5.5 is directly connected, Loopback0
     10.0.0.0/24 is subnetted, 6 subnets
O IA    10.0.12.0 [110/30] via 10.1.35.3, 00:00:07, Ethernet1/0
O IA    10.0.13.0 [110/20] via 10.1.35.3, 00:00:07, Ethernet1/0
O IA    10.0.23.0 [110/20] via 10.1.35.3, 00:00:08, Ethernet1/0
C       10.1.45.0 is directly connected, Ethernet1/1
C       10.1.35.0 is directly connected, Ethernet1/0
O       10.1.34.0 [110/20] via 10.1.45.4, 00:00:08, Ethernet1/1
                  [110/20] via 10.1.35.3, 00:00:08, Ethernet1/0

You can see in the routing table above we have complete connectivity in our little network. We will use a distribute-list, this time with a route-map to deny all the 10.0.0.0/16 networks (ie. 10.0.12.0/24, 10.0.13.0/24 and 10.0.23.0/24 networks).

R5:

router ospf 1
  distribute-list route-map NO_AREA0 in
!
ip prefix-list AREA0 seq 5 deny 10.0.0.0/16 le 32
ip prefix-list AREA0 seq 10 permit 0.0.0.0/0 le 32
!
route-map NO_AREA0 permit 10
 match ip address prefix-list AREA0

The distribute-list above uses a route-map to deny any networks in the 10.0.0.0/16 supernet. This will cover the 10.0.12.0, 10.0.13.0/24 and 10.0.23.0/24 networks that we want to filter. Everything else will be allowed into our routing table. Let’s verify this:

R5#sh ip route | b Gateway
Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
O IA    1.1.1.1 [110/21] via 10.1.35.3, 00:00:02, Ethernet1/0
     2.0.0.0/32 is subnetted, 1 subnets
O IA    2.2.2.2 [110/21] via 10.1.35.3, 00:00:02, Ethernet1/0
     3.0.0.0/32 is subnetted, 1 subnets
O IA    3.3.3.3 [110/11] via 10.1.35.3, 00:00:02, Ethernet1/0
     4.0.0.0/32 is subnetted, 1 subnets
O       4.4.4.4 [110/11] via 10.1.45.4, 00:00:02, Ethernet1/1
     5.0.0.0/32 is subnetted, 1 subnets
C       5.5.5.5 is directly connected, Loopback0
     10.0.0.0/24 is subnetted, 3 subnets
C       10.1.45.0 is directly connected, Ethernet1/1
C       10.1.35.0 is directly connected, Ethernet1/0
O       10.1.34.0 [110/20] via 10.1.45.4, 00:00:03, Ethernet1/1
                  [110/20] via 10.1.35.3, 00:00:03, Ethernet1/0

The distribute list should not effect the topology database as it only filters routes coming into the route table.

R5#sh ip ospf data

            OSPF Router with ID (5.5.5.5) (Process ID 1)

                Router Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum Link count
3.3.3.3         3.3.3.3         1791        0x8000000D 0x00C462 2
4.4.4.4         4.4.4.4         1794        0x8000000E 0x0040A7 3
5.5.5.5         5.5.5.5         1780        0x8000000B 0x00FED9 3

                Net Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum
10.1.34.3       3.3.3.3         1791        0x80000009 0x004099
10.1.35.5       5.5.5.5         1780        0x80000009 0x00F6D3
10.1.45.5       5.5.5.5         1780        0x80000009 0x00BA02

                Summary Net Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum
1.1.1.1         3.3.3.3         1791        0x80000009 0x005FBA
2.2.2.2         3.3.3.3         1791        0x80000009 0x0031E4
3.3.3.3         3.3.3.3         1791        0x80000009 0x009E7D
10.0.12.0       3.3.3.3         1791        0x80000009 0x00E01E
10.0.13.0       3.3.3.3         1792        0x80000009 0x007196
10.0.23.0       3.3.3.3         1792        0x80000009 0x0003FA

Awesome! It worked as anticipated. We still have a complete topology database, however we have successfully filtered the 10.0.12.0/24, 10.0.13.0/24 and 10.0.23.0/24 networks from the route table.

Let’s reset the configuration on R5 before we proceed:

R5#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R5(config)#no route-map NO_AREA0 permit 10
R5(config)#no ip prefix-list AREA0
R5(config)#router ospf 1
R5(config-router)#no  distribute-list route-map NO_AREA0 in
R5(config-router)#end

Using Administrative Distance

We can also filter routes within an OSPF area by changing the the administrative distance of routes to 255 (an invalid route). We can use the distance command to do this.

Let’s take a look at an example.

R5:

router ospf 1
 distance 255 0.0.0.0 255.255.255.255 1
!
access-list 1 permit 3.3.3.3

The example above shows the use of the distance command to filter routes in an OSPF area. The command states that any routes from any router that matches the access-list 1 (ie. the 3.3.3.3/32 network) will be given a administrative distance of 255 (invalid).

The result of this is that the 3.3.3.3/32 network will be filtered from entering the routing table. Let’s verify this:

R5#clear ip route *
R5#sh ip route | b Gateway
Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
O IA    1.1.1.1 [110/21] via 10.1.35.3, 00:00:01, Ethernet1/0
     2.0.0.0/32 is subnetted, 1 subnets
O IA    2.2.2.2 [110/21] via 10.1.35.3, 00:00:01, Ethernet1/0
     4.0.0.0/32 is subnetted, 1 subnets
O       4.4.4.4 [110/11] via 10.1.45.4, 00:00:01, Ethernet1/1
     5.0.0.0/32 is subnetted, 1 subnets
C       5.5.5.5 is directly connected, Loopback0
     10.0.0.0/24 is subnetted, 6 subnets
O IA    10.0.12.0 [110/30] via 10.1.35.3, 00:00:01, Ethernet1/0
O IA    10.0.13.0 [110/20] via 10.1.35.3, 00:00:01, Ethernet1/0
O IA    10.0.23.0 [110/20] via 10.1.35.3, 00:00:01, Ethernet1/0
C       10.1.45.0 is directly connected, Ethernet1/1
C       10.1.35.0 is directly connected, Ethernet1/0
O       10.1.34.0 [110/20] via 10.1.45.4, 00:00:01, Ethernet1/1
                      [110/20] via 10.1.35.3, 00:00:01, Ethernet1/0

Looks great! We have routes for everything except for the 3.3.3.3/32 network. This should have not affected the topology database. Lets verify this:

R5#sh ip ospf data

            OSPF Router with ID (5.5.5.5) (Process ID 1)

                Router Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum Link count
3.3.3.3         3.3.3.3         964         0x8000000E 0x00C263 2
4.4.4.4         4.4.4.4         978         0x8000000F 0x003EA8 3
5.5.5.5         5.5.5.5         985         0x8000000C 0x00FCDA 3

                Net Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum
10.1.34.3       3.3.3.3         964         0x8000000A 0x003E9A
10.1.35.5       5.5.5.5         985         0x8000000A 0x00F4D4
10.1.45.5       5.5.5.5         985         0x8000000A 0x00B803

                Summary Net Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum
1.1.1.1         3.3.3.3         964         0x8000000A 0x005DBB
2.2.2.2         3.3.3.3         964         0x8000000A 0x002FE5
3.3.3.3         3.3.3.3         964         0x8000000A 0x009C7E
10.0.12.0       3.3.3.3         964         0x8000000A 0x00DE1F
10.0.13.0       3.3.3.3         965         0x8000000A 0x006F97
10.0.23.0       3.3.3.3         965         0x8000000A 0x0001FB

Nice! It worked as anticipated. We successfully filtered the route from entering the routing table but not the topology database.

When you perform route filtering within an OSPF area with the distribute-list and distance commands you are filtering routes as they enter the route-table, not the topology database. The topology database must be consistent within an area for the Dijkstra’s shortest path first algorithm to work correctly. It does not affect LSA propagation.

That’s it for filtering with an OSPF area. In the next article we will be looking at filtering between areas. Stay tuned. Now back to labs!

Summary:

You can use a distribute-list or distance command to filter routes within an area.
The distribute-list and distance commands filter routes as they enter the routing-table not the topology database.
The distribute-list and distance commands do not affect link state packet progagation

Resources:

Dynamips/Dynagen .net configuration file

Tutorial: IPv6 Tunnels Part 2 – Automatic 6to4 Tunnels

Arden Packeer — Sat, 31 May 2008 10:10:53 +0000

In our previous article on IPv6 tunnels, we looked at manual GRE and IPv6IP Tunnels in order to provide connectivity for IPv6 networks segregated by an IPv4 network. By tunneling IPv6 over IP, we can migrate our internal networks to IPv6 and still have communication between these networks, even though we are seperated by an IPv4 network. In this article we will be using another method to provide connectivity for IPv6 networks segregated by an IPv4 network: The Automatic 6to4 Tunnel! Mastering IPv6 is not only an important part of a CCIE candidates journey, but will become increasingly important as the global pool of IPv4 addresses diminishes.

We will be using the following topology for this tutorial:

Dynagen .net configuration:

ghostios = True
sparsemem = True
model = 3640

[localhost]

    [[3640]]
        image = Program FilesDynamipsimagesc3640-ik9o3s-mz.124-7.bin
        # On Linux / Unix use forward slashes:
        # image = /opt/7200-images/c7200-jk9o3s-mz.124-7a.image
        ram = 96

    [[ROUTER R1]]
        f0/0 = LAN 1
        s1/0 = FRAME 1
        console = 2000
        model = 3640

    [[ROUTER R2]]
        f0/0 = LAN 2
        s1/0 = FRAME 2
        console = 2001
        model = 3640

    [[ROUTER R3]]
        f0/0 = LAN 3
        s1/0 = FRAME 3
        console = 2002
        model = 3640

    [[FRSW FRAME]]
        1:102 = 2:201
        1:103 = 3:301

You can download the pre-configured .net dynagen configuration file for this tutorial here.

Lets have a look at the basic configuration for this topology:

R1

hostname R1
!
ipv6 unicast-routing
!
interface Loopback0
 ip address 10.10.10.10 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 ipv6 address 2001:1:1:1::1/64
!
interface Serial1/0
 ip address 10.1.123.1 255.255.255.0
 encapsulation frame-relay
 ip ospf network point-to-multipoint
 frame-relay map ip 10.1.123.2 102 broadcast
 frame-relay map ip 10.1.123.3 103 broadcast
 no frame-relay inverse-arp
!
router ospf 1
 router-id 10.10.10.10
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0

R2

hostname R2 ! ipv6 unicast-routing ! interface Loopback0 ip address 10.20.20.20 255.255.255.0 ! interface FastEthernet0/0 no ip address ipv6 address 2001:2:2:2::2/64 ! interface Serial1/0 ip address 10.1.123.2 255.255.255.0 encapsulation frame-relay ip ospf network point-to-multipoint frame-relay map ip 10.1.123.1 201 broadcast frame-relay map ip 10.1.123.3 201 no frame-relay inverse-arp ! router ospf 1 router-id 10.20.20.20 log-adjacency-changes network 0.0.0.0 255.255.255.255 area 0

R3

hostname R3
!
ipv6 unicast-routing
!
interface Loopback0
 ip address 10.30.30.30 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 ipv6 address 2001:3:3:3::3/64
!
interface Serial1/0
 ip address 10.1.123.3 255.255.255.0
 encapsulation frame-relay
 ip ospf network point-to-multipoint
 frame-relay map ip 10.1.123.1 301 broadcast
 frame-relay map ip 10.1.123.2 301
 no frame-relay inverse-arp
!
router ospf 1
 router-id 10.30.30.30
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0

This is the same basic configuration we used in our previous article on IPv6 tunnels. We have a hub-and-spoke frame-relay topology with R1 acting as the hub. Looking at the route table, we should have full connectivity between all the hubs and spokes and their corresponding loopbacks over IPv4.

R3#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
O       10.10.10.10/32 [110/65] via 10.1.123.1, 00:15:53, Serial1/0
C       10.30.30.0/24 is directly connected, Loopback0
O       10.20.20.20/32 [110/129] via 10.1.123.1, 00:15:53, Serial1/0
C       10.1.123.0/24 is directly connected, Serial1/0
O       10.1.123.1/32 [110/64] via 10.1.123.1, 00:15:53, Serial1/0
O       10.1.123.2/32 [110/128] via 10.1.123.1, 00:15:53, Serial1/0

R1#ping 10.30.30.30 source lo0 

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.30.30.30, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.10
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/100/160 ms

Looks good we have complete IPv4 connectivity. Excellent! But what about IPv6?

R3#ping 2001:1:1:1::1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:1:1:1::1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R3#sh ipv6 route
IPv6 Routing Table - 4 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
C   2001:3:3:3::/64 [0/0]
     via ::, FastEthernet0/0
L   2001:3:3:3::3/128 [0/0]
     via ::, FastEthernet0/0
L   FE80::/10 [0/0]
     via ::, Null0
L   FF00::/8 [0/0]
     via ::, Null0

The routers don't have any connectivity between IPv6 because the IPv6 stack of the router doesn't have any routes to the other IPv6 networks.

We had the exact same problem in our previous article on IPv6 Tunnels. We solved this using manual GRE and IPv6IP tunnels but wouldn't it be cool if we could do something like this:

ipv6 route 2001:1:1:1::/64 10.10.10.10

The command above will not work but it demonstrates the basic premise of the need for 6to4 tunnels. We want to get to the 2001:1:1:1::/64 network via an IPv4 address. The ipv6 route command above won't work because we must have an IPv6 destination. 6to4 tunnels get around this by representing the IPv4 address as an IPv6 address.

Representing an IPv4 Address as a IPv6 Address in 6to4 Tunnels

6to4 tunnel addresses have the format 2002:. Following the embedded IPv4 site address are 16 bits that can be used to number networks within the site, so we end up with:

2002::::/64

The easiest way to demonstrate this is to look at an example:

R1

interface Loopback0
 ip address 10.10.10.10 255.255.255.0
 ipv6 address 2002:0A0A:0A0A:0000::1/64

Here we have converted the 10.10.10.10 address to a hexadecimal number of 0A0A:0A0A (IOS will truncate the leading zeros of all the hexadecimal fields, but I have included them here for clarity). We will call this our site address because we want everyone that wants to get to R1's IPv6 network (2001:1:1:1::/64), our IPv6 site, to go via the IPv4 address of 10.10.10.10. We have also allocated the Loopback0 interface to be in the 0000 (ie. the first) network of the site.

R2

interface Loopback0
 ip address 10.20.20.20 255.255.255.0
 ipv6 address 2002:0A14:1414:0000::2/64

R3

interface Loopback0
 ip address 10.30.30.30 255.255.255.0
 ipv6 address 2002:0A1E:1E1E:0000::3/64

Here we have converted the 10.20.20.20 address on R2 to a hexadecimal number of 0A14:1414 (10.20.20.20 in hexadecimal). This will be R2's site address. We want everyone that wants to get to R2's IPv6 network to go via the IPv4 address of 10.20.20.20. R3's loopback0 has been also been given an 6to4 address. Both R2 and R3's Loopback0 interfaces have been put int he 0000 network of their corresponding IPv6 site address.

Cool so now we have our Loopback address allocated with IPv6 6to4 addresses. These addresses are the IPv6 representation of the IPv4 addresses. We will use them in our static routes to say that to get to the IPv6 networks use these IPv4 addresses represented as IPv6 addresses.

Time to get to the tunnel!

6to4 tunnels

6to4 tunnels are not point-to-point tunnels like manual GRE or manual IPv6IP tunnels. 6to4 tunnels are multi-point tunnels. The tunnel interfaces just need a source address and the destination address is derived from the destination of a packet. When I first started analyzing 6to4 tunnels, I kept thinking "what do you mean the tunnels don't need a destination address?!!". This was usually followed by various expletives about why this stuff didn't work. It was only when it clicked that the 6to4 tunnels are multipoint tunnels that it made sense.

Let's take a look at an example:

The diagram above shows what will be implementing in this tutorial. We will be creating a tunnel interface (tu0) on R1, R2, and R3. These tunnel interfaces will be given a 6to4 IPv6 address that matches there corresponding Loopback IPv4 address. Remember that the routers already have IPv4 connectivity between there loopback address because OSPF is advertising the loopback address into the OSPF area. We want to be able to get to the IPv6 networks via these addresses.

Let's have a look at R1's configuration for this:

R1

interface Tunnel0
 no ip address
 no ip redirects
 ipv6 address 2002:A0A:A0A:FFFF::1/64
 tunnel source Loopback0
 tunnel mode ipv6ip 6to4
!
interface Loopback0
 ip address 10.10.10.10 255.255.255.0
 ipv6 address 2002:A0A:A0A::1/64
!
ipv6 route 2002::/16 Tunnel0

You can see above that the Tunnel0 interface of R1 has an IPv6 6to4 address. Both Loopback0 and Tunnel0 have been assigned addresses in 2002:0A0A:0A0A::/48. Loopback0 is in the 2002:0A0A:0A0A:0000::/64 network. Tunnel0 is in the 2002:0A0A:0A0A:FFFF::/64. We have added a route that says, anything with an IPv6 6to4 address (2002::/16) send it out tu0.

R2

interface Tunnel0
 no ip address
 no ip redirects
 ipv6 address 2002:A14:1414:FFFF::2/64
 tunnel source Loopback0
 tunnel mode ipv6ip 6to4
!
interface Loopback0
 ip address 10.20.20.20 255.255.255.0
 ipv6 address 2002:A14:1414::2/64
!
ipv6 route 2002::/16 Tunnel0

R3

interface Tunnel0
 no ip address
 no ip redirects
 ipv6 address 2002:A1E:1E1E:FFFF::3/64
 tunnel source Loopback0
 tunnel mode ipv6ip 6to4
!
interface Loopback0
 ip address 10.30.30.30 255.255.255.0
 ipv6 address 2002:A1E:1E1E::3/64
!
ipv6 route 2002::/16 Tunnel0

Why don't we need a destination address for the tunnel? Let's have a look at the basic packet flow. Lets say on R3 we issue a ping 2002:A0A:A0A::1 (trying to get to R1's Lo0 IPv6 address). R3 looks up its route table and sees the output interface for the destination packet is tu0. This is because we have a static route that says anything that starts with 2002::/16 send it out tu0. This interface has 6to4 tunnel encapsulation turned on. R3 takes the IPv6 destination Address of the ping packet (2002:A0A:A0A::1) and converts it into an IPv4 address. This results in an IPv4 destination address of 10.10.10.10. The IPv6 ping packet is then encapsulated in an IPv4 header. and sent along to 10.10.10.10.

We end up with a packet that looks like this:

Let's verify this:

R3#debug ip packet detail
IP packet debugging is on (detailed)
R3#ping 2002:A0A:A0A::1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2002:A0A:A0A::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 100/146/224 ms
R3#
IP: tableid=0, s=10.30.30.30 (local), d=10.10.10.10 (Serial1/0), routed via FIB
IP: s=10.30.30.30 (local), d=10.10.10.10 (Serial1/0), len 120, sending, proto=41
IP: tableid=0, s=10.10.10.10 (Serial1/0), d=10.30.30.30 (Loopback0), routed via RIB
IP: s=10.10.10.10 (Serial1/0), d=10.30.30.30, len 120, rcvd 4, proto=41
IP: tableid=0, s=10.30.30.30 (local), d=10.10.10.10 (Serial1/0), routed via FIB
IP: s=10.30.30.30 (local), d=10.10.10.10 (Serial1/0), len 120, sending, proto=41
IP: tableid=0, s=10.10.10.10 (Serial1/0), d=10.30.30.30 (Loopback0), routed via RIB
IP: s=10.10.10.10 (Serial1/0), d=10.30.30.30, len 120, rcvd 4, proto=41
IP: tableid=0, s=10.30.30.30 (local), d=10.10.10.10 (Serial1/0), routed via FIB
IP: s=10.30.30.30 (local), d=10.10.10.10 (Serial1/0), len 120, sending, proto=41
IP: tableid=0, s=10.10.10.10 (Serial1/0), d=10.30.30.30 (Loopback0), routed via RIB
IP: s=10.10.10.10 (Serial1/0), d=10.30.30.30, len 120, rcvd 4, proto=41
IP: tableid=0, s=10.30.30.30 (local), d=10.10.10.10 (Serial1/0), routed via FIB
IP: s=10.30.30.30 (local), d=10.10.10.10 (Serial1/0), len 120, sending, proto=41
IP: tableid=0, s=10.10.10.10 (Serial1/0), d=10.30.30.30 (Loopback0), routed via RIB
IP: s=10.10.10.10 (Serial1/0), d=10.30.30.30, len 120, rcvd 4, proto=41
IP: tableid=0, s=10.30.30.30 (local), d=10.10.10.10 (Serial1/0), routed via FIB
IP: s=10.30.30.30 (local), d=10.10.10.10 (Serial1/0), len 120, sending, proto=41
IP: tableid=0, s=10.10.10.10 (Serial1/0), d=10.30.30.30 (Loopback0), routed via RIB
IP: s=10.10.10.10 (Serial1/0), d=10.30.30.30, len 120, rcvd 4, proto=41

Take a look at the source and destination addresses of that debug. Even though we pinged an IPv6 address, you can see that the IPv6 icmp packet is encapsulated into an IPv4 packet. We now have connectivity between our Loopback0 IPv6 addresses!

We still cannot ping the internal IPv6 addresses:

R3#ping 2001:1:1:1::1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:1:1:1::1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R3#sh ipv6 route
IPv6 Routing Table - 9 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
C   2001:3:3:3::/64 [0/0]
     via ::, FastEthernet0/0
L   2001:3:3:3::3/128 [0/0]
     via ::, FastEthernet0/0
S   2002::/16 [1/0]
     via ::, Tunnel0
C   2002:A1E:1E1E::/64 [0/0]
     via ::, Loopback0
L   2002:A1E:1E1E::3/128 [0/0]
     via ::, Loopback0
C   2002:A1E:1E1E:FFFF::/64 [0/0]
     via ::, Tunnel0
L   2002:A1E:1E1E:FFFF::3/128 [0/0]
     via ::, Tunnel0
L   FE80::/10 [0/0]
     via ::, Null0
L   FF00::/8 [0/0]
     via ::, Null0

Why? Take a look at that route table. If I try to ping 2001:1:1:1::1 what will it match? Nothing. We need routes for those networks. Remember earlier in the tutorial when we said we needed something like:

ipv6 route 2001:1:1:1::/64 10.10.10.10

Well, after we create our tu0 interface on R1, we could rewrite this route on R2, and R3 as:

ipv6 route 2001:1:1:1::/64 2002:A0A:A0A::1

This effectively means, anything we get for the 2001:1:1:1::/64 network send it to 10.10.10.10. We know that we have connectivity to 2002:A0A:A0A::1. We proved that above. After we add the route above, when we try to ping 2001:1:1:1::1 from R3 the router looks at the route table and matches a destination address of 2002:A0A:A0A::1. We need to perform route recursion to an interface, so we then do a lookup of 2002:A0A:A0A::1 and we match the tu0 interface. This interface has 6to4 tunnel encapsulation turned on. R3 takes the IPv6 destination Address of the ping packet (2002:A0A:A0A::1) and converts it into an IPv4 address. This results in an IPv4 destination address of 10.10.10.10. The IPv6 ping packet is then encapsulated in an IPv4 header and sent along to 10.10.10.10.

Lets set up the routes for each of the IPv6 networks and test it:

R1

ipv6 route 2001:2:2:2::/64 2002:A14:1414::2
ipv6 route 2001:3:3:3::/64 2002:A1E:1E1E::3

R2

ipv6 route 2001:1:1:1::/64 2002:A0A:A0A::1
ipv6 route 2001:3:3:3::/64 2002:A1E:1E1E::3

R3

ipv6 route 2001:1:1:1::/64 2002:A0A:A0A::1
ipv6 route 2001:2:2:2::/64 2002:A14:1414::2

R3#ping 2001:2:2:2::2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:2:2:2::2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 136/180/260 ms

Woohoo! Awesome! We have successfully implemented 6to4 automatic tunnels! This can be quite a difficult concept to grasp, so I recommend implementing the above in dynamips and playing around with the concepts. Once you understand how to convert IPv4 address to 6to4 address and that 6to4 tunnels are multipoint tunnels the rest is pretty easy.

I really hope this helps. Please leave a comment below if you have any questions or comments. Now back to labs!

Summary:

IPv6 6to4 Automatic tunnels allow you to join up IPv6 networks segregated by an IPv4 network.
IPv6 6to4 Automatic tunnels are a multipoint tunnel
IPv6 6to4 Automatic tunnels represent an IPv4 address endpoint as an IPv6 address to join segregated IPv6 networks

Resources:

Dynamips/Dynagen .net configuration file

Tutorial: Time-Based ACLS

Arden Packeer — Tue, 20 May 2008 06:37:27 +0000

Time-based ACLs are useful when you want to restrict traffic based on the time of day. For example, you might employ time-based ACLs if you wanted to only allow web surfing during a particular time of day or allow access to a particular server only during work hours. We will be exploring these scenarios in this tutorial.

Time-Based ACLs – Scenario 1:

Let’s say you had the following requirement:

“Users should only be allowed to access the Web Server located at the IP address of 192.168.1.254 during work hours. After work, users should not have access to this web server. All other traffic should be allowed.”

Seems simple enough. We will define work hours as Monday to Friday 9:00am to 5:00pm (you wish!). Most people when given this problem respond with this (or something similar):

time-range WORK-HOURS
 periodic weekdays 9:00 to 17:00
!
ip access-list extend DENY-WEB
 permit tcp any host 192.168.1.254 eq www time-range WORK-HOURS
 permit ip any any

We have defined a time-range called WORK-HOURS. WORK-HOURS is defined as including all times between 9am to 5pm Monday to Friday. Cool. Exactly what we want. We have then defined an access-list called DENY-WEB that matches tcp traffic destined to the host during the time-range WORK-HOURS. Everything else is permitted.

At first glance this looks fine, but it will not work.

Let’s examine why this will not work. Lets pretend it is Monday morning at 10am. The user hops on and points his browser to http://192.168.1.254. The first rule of the access list will be matched and then access is granted. Cool. This is the behaviour we want.

Now let’s pretend it is Monday night at 6pm. The same user hops on and points his browser to http://192.168.1.254. The first line of the access list will not be matched because it is not during the WORK-HOURS time range. All the conditions on the access-list line must be matched, so we go to the next rule defined in the access-list. We will match this rule (permit ip any any) and the traffic will also be allowed. This is obviously not what we want!

Solution:

time-range WORK-HOURS
 periodic weekdays 9:00 to 17:00
!
ip access-list extend DENY-WEB
 permit tcp any host 192.168.1.254 eq www time-range WORK-HOURS
 deny tcp any host 192.168.1.254 eq www
 permit ip any any

Much better. Now when the first rule is not matched, we will allow everything except for traffic destined for the web server.

Time-Based ACLs – Scenario 2:

Let’s say we have a new requirement:

During work hours users must be able to access web sites only through a proxy server located at 192.168.1.254. The proxy server is listening on tcp port 3128. After work hours users should be granted full access to any IP address and any website. During work hours the only thing they should be able to access is the proxy server. Do not create two time-ranges for this.

Hmmm. Lets try this:

time-range WORK-HOURS
periodic weekdays 9:00 to 17:00
!
ip access-list extend DENY-WEB
 permit tcp any host 192.168.1.254 eq 3128 time-range WORK-HOURS
 permit ip any any

This is what most people that I presented this problem too responded with. This is incorrect. Lets have a look at a few use-cases to determine why. Lets pretend its Monday at 10am. The user tries to browse to cisco.com directly instead of going through a proxy server. The first rule of access list will not be matched. The time range is matched, but the destination address will be cisco.com not the address of the proxy server. The next rule will then be matched (permit ip any any). This will allow access to cisco.com during work hours without going through the proxy server which is not what we want.

We could try:

time-range NON-WORK-HOURS
 periodic weekend 0:00 to 23:59
 periodic weekdays 0:00 to 8:59
 periodic weekdays 17:01 to 23:59
!
time-range WORK-HOURS
periodic weekdays 9:00 to 17:00
!
ip access-list extend DENY-WEB
 permit tcp any host 192.168.1.254 eq 3128 time-range WORK-HOURS
 permit ip any any time-range NON-WORK-HOURS

This will work. On Monday at 9:30am, a user tries to access cisco.com directly instead of going through a proxy server. As per the requirement, this shouldn’t be allowed. The first rule of the access-list will not be matched. The time range is matched, but the destination address will be cisco.com not the address of the proxy server.

The second rule will also not be matched as it does not match the time-range NON-WORK-HOURS (ie. its during work time). The packet will be dropped which is exactly what we want to happen. Unfortunately, this will not meet the requirement of “Do not create two time-ranges for this”. DAMN! So how do we do this?

Solution:

time-range NON-WORK-HOURS
 periodic weekend 0:00 to 23:59
 periodic weekdays 0:00 to 8:59
 periodic weekdays 17:01 to 23:59
!
ip access-list extend DENY_WEB
 permit ip any any time-range NON-WORK-HOURS
 permit tcp any host 192.168.1.254 eq 3128

We have an access list that matches IP traffic only for the time-range NON-WORK-HOURS. During work hours we can only access the proxy server at 192.168.1.254 on tcp port 3128 Everything else will be blocked. Awesome, just what we wanted!

HTH!

Blog: My CCIE story….

Arden Packeer — Thu, 08 May 2008 07:39:44 +0000

I have been waiting to write this post. I am just so deliriously happy right now. Before I start, I want to thank my beautiful wife for her support. She was that voice I heard in my head that told me to just keep going, and never give up when I’d lost hope. I’m glad I listened.

The Day Before the exam (6th May 2008):

I got up earlier than my normal routine at around 5am. I wanted to be tired come bedtime so I could get a good nights sleep (This turned out to be a bad idea because, even though I was tired, my mind kept racing and I didn’t sleep much anyway). I try to resist the urge to study. My mind is going through all kinds of different scenarios, and possible solutions.

In the end, I decide to ignore all the advice I had been given on studying on the day before the exam. I figure if I am going to spend the day stressing about scenarios and solutions I might as well make it productive. I don’t want to do any more labs, so I put in IPexpert’s Video on Demand DVD.

This turned out to be a really good idea. The best part about these videos is that they are short, sweet and straight to the point. I have watched the awesome Internetwork Expert Class On Demand a million times and towards the end I got to the point where I knew what commands the Brian’s were going to type in ahead of time. This was great, but the IPexpert videos take a different tack. They covered a wide range of topics in detail but in a very short time (don’t have to wade through 80 hours of video). Exactly what I needed at this stage. My core topics knowledge was already pretty good. The DVD was perfect near the end of my preparations as I just wanted to be exposed to a whole range of stuff quickly that I just need to be aware of. I can look it up on the DocCD if I don’t know how to configure something, but it helps if you are aware of the options. That way when you are thrown curve balls in the exam (and you WILL get curve balls), you have a greater chance of recognizing what they are getting at.

I get through a couple of hours of video in before my taxi arrives to take me to the airport. I stayed at the Vibe Hotel in Alfred Street, North Sydney. This used to be the Duxton hotel (The Sydney location CCIE webpage still has it listed as the Duxton). The hotel is fine. Nothing special but it has a desk, Internet Access and room service. Everything I need at this stage. They have a shuttle that drops you right at the front door of Cisco which is great. I find out that it leaves at 7:15am and I make a booking. At least I know I will be on time.

I shower up, and continue watching the Video On Demand. At around 4pm, I’ve had enough of videos. I need to try and unwind. I put my iPod on and go for a long walk. A good friend of mine suggested that I do some visualization exercises before I do the exam. That is what he did, and he is a double CCIE so I decide to try it. I walk around the streets of Sydney imagining myself doing well in the exam. I imagined myself sitting at the exam calm and focused. I imagine a really hard topic coming up in the exam and visualize myself being calm and handling it perfectly.

This really helped. When I was doing the exam, it was like I had already done it! I had already gone through the stress of the hard questions and so it was like my mind went “Yeah, you’ve already gone through this and you came out okay so don’t panic”. I usually don’t go for that hippie crap but this kinda worked.

The Vibe is very close to the harbor so I got to see a magnificent Sydney sunset. I went back to the hotel at around 7pm, ordered dinner and watched a bit of TV.

The Day of the Exam (6th May 2008):

I got up at 5:30am. I didn’t really sleep much. I tossed and turned, and didn’t have longer than 3 hours worth of continuous sleep. I head up at 6:30am to grab a light breakfast and then catch the shuttle to the Sydney offices. It arrives at 7:30am. I am 30 minutes early. This is good!

The Cisco Sydney office is next to St. Leonards train station. There is a Gloria Jeans coffee shop and a Macdonald’s around the corner. I grab a coffee, and just relax. The Cisco website says that reception is open at 8am, but I head up at 7:45am and find that it already open and another candidate is already there. He has 3 (!) CCIE’s and is going for his 4th (voice) today. Another candidate arrives later and he too is going for his R&S. He is pretty nervous, but we chit chat about what we used to prepare etc. Turns out he reads my blog!

The Sydney proctor comes in around 8:15am and jokes that the Lab has moved to Cisco’s Chatswood offices and we will have to hurry to make it. The other two candidates just stare. I’m not sure if they understood the dry Australian humour..or were just too nervous. I laugh. I’m glad he has a sense of humour, its a good sign that he will be approachable.

The proctor turns out to be a great help. I think all up I asked close to 20 questions during the exam. Most of the time his response was to read the question back to me highlighting words specifically and that cleared most things up. Other times he would just look at me and say “you are over thinking it”. One piece of advice he gave was to “Ask a question”. Apparently most candidates just come up and say “I can do it this way or that which one do you want me to do?”. This is not something he can answer directly, so he says to phrase the question where he can answer yes or no and show him you know what you are talking about and not just fishing for answers. Cool, I can understand that.

He takes us for a little tour showing us where we will have lunch and where the toilets are. The Cisco offices look like a cool place to work.

We walk into the lab room. There is a white board on the wall where he marks the time. He goes through the rules, asks us to put our belongings in the corner and asks to check out our watches. Apparently someone brought in a watch with USB capabilities so he checks now. Sneaky!

There is 6 workstations. All flat screen Dells. Two of them are for the Voice Labs. On the desktop there are icons for Calculator, Notepad, Internet Explorer, SecureCRT sessions for each Router and Switch, and a SecureCRT session for the Terminal Server on the desktop. I opt to use the terminal server as this is how I had prepared.

The DocCD works perfectly. Internet Explorer doesn’t allow you to use tabs. We were allowed to save stuff on our desktop but warned not to log out as the desktop is cleared after each session.

You get only two sheets of paper to start with, but you can ask for more. Each sheet has a page number which is recorded, and will be collected after the exam. I spent 50 minutes before I touched the keyboard. I diagrammed a L2 topology, L3 topology, IGP topology, and EGP topology. The Cisco diagrams were good but I wanted to redraw them to get familiar with the topology. I also got a couple of extra sheets of paper and drew three columns on it: Task, Points and Notes.

Lunch is at 12:30pm. I have finished my core and well into the other topics. I am glad I worked on my speed and accuracy. I save and reboot my routers and switches before going to lunch.

So far I have had to look up the DocCD three times for stuff I have never seen before. The wording is especially cryptic in some questions and I read these questions over multiple times, slowly, even write one of them down on one of the sheets of paper and analyze the keywords. After analysis I would go to the proctor and say “This word or phrase here…it could mean they want us to do this or they want us to do this. I just want some clarification on that particular word”. To which he would read it back to me putting emphasis on words around it or read it slowly and asked me questions back to guide me along. I liked his approach. It gave nothing away but at the same time if you knew your stuff made it clear what they wanted.

Lunch is sandwiches. I brought a can of Red Bull with me after some advice from a friend and decide to drink it now for a caffine hit. This works great and I am pumped to go back in.

I finish the exam by 2:30pm. This gave me around 3 hours to check through my answers. I went through each question and verified everything. I tried to prove that everything worked by generating traffic and checking logs. Everything. I found about 5 silly mistakes this way.

After doing the Assessor labs, I got a feel for how the scripts must mark the exams with what verification commands to run. I am so glad I did them and spent a bit of time analyzing them now.

There was one question where I had no idea. I write down three possible interpretations and go to the proctor for clarification but I am still unclear. I decide to do the one with the least possible effect on my topology. I still don’t know if I got this one, but it is the only points I am unsure off. I am pretty sure on the rest, but not 100%. I count my marks. 73 marks I thought “yeah these are definite”. The rest could go either way, depends if my interpretation was correct.

This is probably what annoyed me the most about this experience. It was heavily focused on how you interpreted the question. If you had seen lots of scenarios like I had, you can really see multiple ways of doing things and every word takes on a special meaning. It becomes not just a challenge of your technical ability, but a challenge on your ability to decrypt the meaning in the question. That is where the proctor is invaluable.

If I had to rate the difficulty of the exam it would be about a 7-8 on the Internetwork Expert scale of mock labs. There were somethings that were totally out of left field but were found pretty easily if you know your way around the DOCCD.

The Aftermath:

The exam is finished at 5:11 pm. The proctor informs us that my exam should be marked pretty soon. A proctor from Bangalore will dial in and mark it. I walk out of the Cisco office literally shaking. I am a bundle of nerves. I keep going through the scenario in my head, with ideas of how I could have done this or that differently. Did I ask the right questions? Did I forget to do a no shut on an interface? Did I turn that debug off? I call my wife and let her know I am done. I grab a cab back to the hotel and head back to the airport.

At the airport I head to the Virgin Blue lounge and grab some dinner and have a couple of drinks while I wait the 3 hours for my flight. At around 6:30pm I decide to hop on the net to kill some time and there is an email waiting for me. 6:07pm. That’s what time the email arrived. It had just been over an hour since I left the hotel and my exam was marked already?! My heart was thumping so fast. I had to log in three times because my hands were shaking so bad that I typed in the wrong password. And there it was. I saw my CCIE number through a stream of tears. I did it.

“The more you sweat in training, the less you will bleed in battle”

It’s been a long road over the last year. I have been getting up at 5am, studying for two hours before I went to work, studying till midnight most nights, studying on weekends. It got exhausting. You have to love this stuff to go through that. You have to be passionate about it to the point where even though you are tired, you have the will to try “one more lab” or read “one more chapter”.

“The more you sweat in training, the less you will bleed in battle”. That’s the Navy Seal motto, and I think it is pretty apt for the mindset you need to have to achieve this. Determination. Hard Work. And a love of learning. There will be set backs, but it does not matter how fast or how slowly you go so long as you do not stop.

What Now? I don’t really know yet. Right now all I want to do is stay in this moment. I have a couple of things planned but the next couple of weeks are going to be interesting that’s for sure. Stay tuned!

CCIE #20716

Arden Packeer — Wed, 07 May 2008 08:33:08 +0000

I passed. I’m so happy right now.

I’ll post a full write up later…time for a scotch or three!!! CCIE #20716…has a nice ring to it!

Blog: Coming up for air…2 days to go

Arden Packeer — Mon, 05 May 2008 02:09:12 +0000

Okay, in the last week I have redone Mocklabs 3,4,5,6, and 7, Workbook2 Lab 8, Workbook 3 labs 7, 8 and 9. I’m done with labs. I was mainly focusing on speed because there wasn’t anything on those labs that I hadn’t seen before. At this stage, I’m pretty exhausted and I think I need to calm down a little. I think I will concentrate on watching CODs (Catalyst QOS, and advanced BGP videos come to mind as something I wouldn’t mind re watching) and exploring the DOCCD for the next two days.

I have been reading through labs while I listen to my mp3 notes on that particular lab. This strategy is working great, and I am getting better and recognizing different options that I could employ to solve a particular task. I didn’t get as much time as I hoped to review the CCIE Assessor’s so that is what I’ll do this afternoon. Maybe just do them on paper again and have a look through the results link that they sent through on email a bit more closely.

I fly up to Sydney tomorrow around Lunchtime. I think I will study a little in the morning and get some plane reading prepared. Once I arrive, I’ll take a cab or train ride to the Cisco Offices and make sure I know how to get there (I’ve been there before, just want to make sure I know the route). Tomorrow night, I’m going to try and get some sleep early, maybe watch a movie and just relax.

This will probably be my last post before my lab, so wish me luck. I think I am pretty well prepared, my biggest worry is question interpretation now. Tech wise, I think I have covered everything. This is the hardest I’ve ever worked for something, and I feel like it is finally within reach. I’ll let you know how I go….