Friday 30 March 2012

IPv6 Routing - Implementing IPv6 Routing and Routing Protocols 1



What are we going to do? Well:


Getting some pings going on with IPv6
Implementing IPv6 static routes
Implementing IPv6 RIPng



Pings, you might be thinking... wow!!! BUT think about it: if there is no broadcast now, how does ARP find out the other host's MAC address?

Then we will get some static routes working and then, believe it or not ... get some RIP working (yes, it's still hanging on!! but it's been tweaked and re-tooled and now it's called RIP Next Generation lol)




So;


Let's config Router1:

R1(config)#inter fa0/0
R1(config-if)#ipv6 address 2001:11AA::1/64

R1(config-if)#no shut


R1#show ipv6 inte fa0/0
FastEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::C000:15FF:FEB8:0
  Global unicast address(es):
    2001:11AA::1, subnet is 2001:11AA::/64 <-- shows our address then subnet
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF00:1
    FF02::1:FFB8:0
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds


Remember the link-local address is the MAC of the interface with FFFE squeezed in (to make it 64 bits)


R1#show int fa0/0 | i address
  Hardware is Gt96k FE, address is c000.15b8.0000 (bia c000.15b8.0000)


and now Router2

R2(config)#inter fa0/0
R2(config-if)#ipv6 address 2001:11AA::2/64



R2#show ipv6 inter
FastEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::C201:15FF:FEB8:0
  Global unicast address(es):
    2001:11AA::2, subnet is 2001:11AA::/64
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF00:2
    FF02::1:FFB8:0
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds




Okay, so we are looking good :0) .... let's do it, let's send that ping over to Router1




 
R2#ping ipv6 ?
  WORD  Ping destination address or hostname
  <cr>

R2#ping ipv6 2001:11AA::1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:11AA::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/27/52 ms



SWWEEEEEEEEEET! my first IPv6 ping ..... kkkkooooooool, no longer an IPv6 virgin lol

I've gone off and already configured Router1's serial interface; I'm now doing Router3's:

Hey look, show ip int brief has been carried over to IPv6! lol:


R3#show ipv6 int brie
FastEthernet0/0            [administratively down/down]
    FE80::C203:13FF:FEB0:0
    2001:33AA::1
Serial0/0                  [up/up]
    FE80::C203:13FF:FEB0:0
    2001:22AA::2
FastEthernet0/1            [administratively down/down]
Serial0/1                  [administratively down/down]



not as pretty ...... but... let's prove connectivity across the serial interfaces:

R3#ping ipv6 2001:22AA::1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:22AA::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/7/20 ms

Sweeet, so let's look at ARP's replacement (neighbour discovery via ICMPv6)

R3#debug ipv6 nd
ICMP Neighbor Discovery events debugging is on


I have already configured Router4's and Router3's FastEthernet addresses; let's bring the interface up and see what happens:

R3(config-if)#no shut
*Mar  1 00:44:14.707: ICMPv6-ND: Sending NS for FE80::C203:13FF:FEB0:0 on FastEthernet0/0
*Mar  1 00:44:15.691: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
R3(config-if)#no shut
*Mar  1 00:44:15.711: ICMPv6-ND: DAD: FE80::C203:13FF:FEB0:0 is unique.
*Mar  1 00:44:15.711: ICMPv6-ND: Sending NA for FE80::C203:13FF:FEB0:0 on FastEthernet0/0
*Mar  1 00:44:15.715: ICMPv6-ND: Address FE80::C203:13FF:FEB0:0/10 is up on FastEthernet0/0
*Mar  1 00:44:15.723: ICMPv6-ND: Sending NS for 2001:33AA::1 on FastEthernet0/0
*Mar  1 00:44:16.691: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
*Mar  1 00:44:16.723: ICMPv6-ND: DAD: 2001:33AA::1 is unique.
*Mar  1 00:44:16.723: ICMPv6-ND: Sending NA for 2001:33AA::1 on FastEthernet0/0
*Mar  1 00:44:16.723: ICMPv6-ND: Address 2001:33AA::1/64 is up on FastEthernet0/0



So a breakdown:
*Mar  1 00:44:14.707: ICMPv6-ND: Sending NS for FE80::C203:13FF:FEB0:0 on FastEthernet0/0
This is the Neighbor Solicitation. It goes to a multicast address, which reaches everybody on the local link (where the addresses are auto-generated), and says HEY! I have this address FE80::C203:13FF:FEB0:0
The Neighbor Solicitation message is a new message in ICMP (well, ICMPv6):

NDP Messages

NDP is defined in RFC 2461. It uses ICMPv6 to exchange the messages necessary for its functions; specifically, five new ICMPv6 messages are specified in RFC 2461:
  • Router Advertisement (RA) messages are originated by routers to advertise their presence and link-specific parameters such as link prefixes, link MTU, and hop limits. These messages are sent periodically, and also in response to Router Solicitation messages.
  • Router Solicitation (RS) messages are originated by hosts to request that a router send an RA.
  • Neighbor Solicitation (NS) messages are originated by nodes to request another node's link layer address and also for functions such as duplicate address detection and neighbor unreachability detection.
  • Neighbor Advertisement (NA) messages are sent in response to NS messages. If a node changes its link-layer address, it can send an unsolicited NA to advertise the new address.
  • Redirect messages are used the same way that redirects are used in ICMP for IPv4; they have merely been moved from being a part of the base ICMPv6 protocol to being a part of NDP.

*Mar  1 00:44:15.711: ICMPv6-ND: DAD: FE80::C203:13FF:FEB0:0 is unique.
This message is part of the Neighbour Discovery Protocol and is the Duplicate Address Detection (DAD) check,
which is reporting that the address is unique ....



 

more info:

Neighbour Discovery Protocol

The most distinct characteristics of IPv6 after its increased address space are its plug-and-play features. Neighbor Discovery Protocol (NDP) is the enabler of these plug-and-play features, using the following functions:
  • Router Discovery A node can discover, when it is connected to an IPv6 link, the local routers without the aid of Dynamic Host Configuration Protocol (DHCP).
  • Prefix Discovery A node can discover, when it is connected to an IPv6 link, the prefix or prefixes assigned to that link.
  • Parameter Discovery A node can discover parameters such as the link MTU and hop limits for its connected link.
  • Address Autoconfiguration A node can determine its full address, again without the aid of DHCP.
  • Address Resolution A node can discover the link-layer addresses of other nodes on the link without the use of Address Resolution Protocol (ARP).
  • Next-Hop Determination A node on a link can determine the link-layer next hop for a destination, either as a local destination or a router to the destination.
  • Neighbor Unreachability Detection A node can determine when a neighbor on a link, either another host or a router, is no longer reachable.
  • Duplicate Address Detection A node can determine if an address it wants to use is already being used by another node on the link.
  • Redirect A router can notify a host of a better next-hop than itself to an off-link destination. The redirect function is a part of basic ICMP functionality in IPv4, but is redefined as part of NDP in IPv6.
The next message:
*Mar  1 00:44:15.711: ICMPv6-ND: Sending NA for FE80::C203:13FF:FEB0:0 on FastEthernet0/0
is a Neighbor Advertisement (NA), the follow-up to the NS sent earlier; this confirms we now have this address and lets everyone know we have it!


The process is repeated for the public address we set up on the link:


*Mar  1 00:44:15.723: ICMPv6-ND: Sending NS for 2001:33AA::1 on FastEthernet0/0
*Mar  1 00:44:16.723: ICMPv6-ND: DAD: 2001:33AA::1 is unique.
*Mar  1 00:44:16.723: ICMPv6-ND: Sending NA for 2001:33AA::1 on FastEthernet0/0
*Mar  1 00:44:16.723: ICMPv6-ND: Address 2001:33AA::1/64 is up on FastEthernet0/0


So ARP has been replaced by the Neighbor Discovery Protocol.

Let's have a further look at these messages, on to Router4:


R4#debug ipv6 nd
ICMP Neighbor Discovery events debugging is on
R4#debug ipv6 packet
IPv6 unicast packet debugging is on



*Mar  1 01:19:08.631: IPV6: source :: (local)
Here we are sending from a source address of .... nothing: :: = all zeros

*Mar  1 01:19:08.631:       dest FF02::16 (FastEthernet0/0)

Here it is sending to a multicast address (one to many / a group). When a message is sent to this multicast address (::16) it is seeing if there are other devices out there that support multicast; notice it does this several times:

*Mar  1 01:19:08.635:       traffic class 224, flow 0x0, len 76+0, prot 0, hops 1, originating
*Mar  1 01:19:08.635: IPv6: Sending on FastEthernet0/0
*Mar  1 01:19:08.639: IPV6: source :: (local)
*Mar  1 01:19:08.639:       dest FF02::16 (FastEthernet0/0)
*Mar  1 01:19:08.643:       traffic class 224, flow 0x0, len 76+0, prot 0, hops 1, originating
*Mar  1 01:19:08.647: IPv6: Sending on FastEthernet0/0
*Mar  1 01:19:08.647: IPV6: source :: (local)
*Mar  1 01:19:08.651:       dest FF02::16 (FastEthernet0/0)
*Mar  1 01:19:08.651:       traffic class 224, flow 0x0, len 76+0, prot 0, hops 1, originating
*Mar  1 01:19:08.655: IPv6: Sending on FastEthernet0/0
*Mar  1 01:19:08.659: IPV6: source :: (local)
*Mar  1 01:19:08.659:       dest FF02::16 (FastEthernet0/0)
*Mar  1 01:19:08.663:       traffic class 224, flow 0x0, len 76+0, prot 0, hops 1, originating
*Mar  1 01:19:08.663: IPv6: Sending on FastEthernet0/0
*Mar  1 01:19:08.667: IPV6: source :: (local)
*Mar  1 01:19:08.667:       dest FF02::16 (FastEthernet0/0)
*Mar  1 01:19:08.671:       traffic class 224, flow 0x0, len 76+0, prot 0, hops 1, originating
*Mar  1 01:19:08.671: IPv6: Sending on FastEthernet0/0
*Mar  1 01:19:09.171: IPV6: source :: (local)
*Mar  1 01:19:09.171:       dest FF02::16 (FastEthernet0/0)
*Mar  1 01:19:09.175:       traffic class 224, flow 0x0, len 76+0, prot 0, hops 1, originating
*Mar  1 01:19:09.179: IPv6: Sending on FastEthernet0/0
*Mar  1 01:19:09.423: IPV6: source :: (local)
*Mar  1 01:19:09.423:       dest FF02::16 (FastEthernet0/0)
*Mar  1 01:19:09.423:       traffic class 224, flow 0x0, len 76+0, prot 0, hops 1, originating



Next comes the Neighbor Solicitation (part of the NDP) as we saw before:
*Mar  1 01:19:09.423: IPv6: Sending on FastEthernet0/0
*Mar  1 01:19:09.627: ICMPv6-ND: Sending NS for FE80::C202:13FF:FEB0:0 on FastEthernet0/0



*Mar  1 01:19:09.627: IPV6: source :: (local)
*Mar  1 01:19:09.627:       dest FF02::1:FFB0:0 (FastEthernet0/0)
*Mar  1 01:19:09.627:       traffic class 224, flow 0x0, len 64+16, prot 58, hops 255, originating

So, we are not saying at this point that we have an address (notice the source is still ::), but notice the dest address (dest FF02::1:FFB0:0):
FF02 = multicast
::1:FF = the solicited-node group prefix, and B0:0 = the tail of our own link-local address (FE80::C202:13FF:FEB0:0), which is what picks the group
 
  
SO, if we have a look at Router4's interface connected to R3:


R4(config-if)#do show ipv6 int fa0/0
FastEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::C202:13FF:FEB0:0
  Global unicast address(es):
    2001:33AA::2, subnet is 2001:33AA::/64
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF00:2
    FF02::1:FFB0:0


So, when we added the IPv6 public address on this interface, it automatically joined these multicast groups


Joined group address(es):
FF02::1    = This is essentially EVERYONE on the local link (equivalent to broadcast, if you will)
FF02::2    = All routers on that network segment
FF02::1:FF00:2
FF02::1:FFB0:0

The last two (above) are 2 groups; we have 1 group for each address we have (public and link-local).
Notice how the fa0/0 interface's link-local address (or part of it) is the multicast group

 IPv6 is enabled, link-local address is FE80::C202:13FF:FEB0:0

Think back to CCNA 101 ... where the MAC addresses are unique! and how they also include the OUI of the vendor; similar thing here! it ensures it will be unique :0)

So you are joining a specific multicast group for your address. WHY? ...
Well, if R3 wanted to find out R4's MAC address, instead of sending an ARP broadcast it sends a targeted/specific multicast message to that group; R4 would know the group as he is part of that group :0)

SO now, for "ARP" entries we do not need to disturb everyone on the network segment! instead only the router/host that needs it gets it! much more efficient!


Let's get Wireshark running, do a PING from R4 to R3 and have a looksie

 
R4#ping ipv6 2001:33AA::1 repeat 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 2001:33AA::1, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 44/44/44 ms

[Wireshark capture of the ping between R4 and R3]

2001:33aa::2 = Router 4
2001:33aa::1 = Router 3

And here you can see it; notice NO MORE BROADCASTS! ... wow!

All this said and done, it is Cisco's best practice that you manually assign the link-local addresses.

HEY, so you know we did that ping earlier, well how do we check what was the ARP table:

R4#show arp


Nothing here, as IPv6 doesn't use ARP, lol ....

Instead, it's like a routing protocol: we have neighbours!

R4#show ipv6 neighbors
IPv6 Address                              Age Link-layer Addr State Interface
2001:33AA::1                                0 c003.13b0.0000  REACH Fa0/0
FE80::C203:13FF:FEB0:0                      0 c003.13b0.0000  REACH Fa0/0



How kool, if you want to clear the "ARP cache/table", then yup, you do a clear ipv6 neighbors


RIGHT, so let's manually configure a link-local address:

R4(config)#inter fa0/0
R4(config-if)#ipv6 address ?
  WORD                General prefix name
  X:X:X:X::X          IPv6 link-local address
  X:X:X:X::X/<0-128>  IPv6 prefix
  autoconfig          Obtain address using autoconfiguration

R4(config-if)#ipv6 address FE80::1:2:3 ?
  link-local  Use link-local address


How did it know the above was a link-local address ...... the FE80? Well, no: there is no subnet mask (prefix length)!!!! (we don't need one! it's LOCAL) lol so it then knows it is a link-local address

R4(config-if)#ipv6 address FE80::1:2:3 link-local


R4#show ipv6 interface fa0/0
FastEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::1:2:3
  Global unicast address(es):
    2001:33AA::2, subnet is 2001:33AA::/64
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF00:2
    FF02::1:FF02:3

Notice we are now part of the new multicast group for our new address.
If we change it again:


R4(config-if)#ipv6 address FE80::1:2222:3333 link-local

R4#show ipv6 interface fa0/0
FastEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::1:2222:3333
  Global unicast address(es):
    2001:33AA::2, subnet is 2001:33AA::/64
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF00:2
    FF02::1:FF22:3333


It always carves off the least significant 24 bits!
A lot to take in; didn't get round to the static routes or RIPng! tomorrow we will check it out


Wednesday 28 March 2012

IPv6 Routing - Understanding and Implementing IPv6 Addressing Part 1

  • Will we ever need to upgrade to IPv6?
  • IPv6 Addressing format
  • IPV6 headers and address types
  • In depth exploration: understanding the new addresses


Will we ever need to upgrade to IPv6?
....maybe, probably not ... but will we? :0)

Main problem is the IPv4 addresses were poorly assigned;
For example, originally Asia and Africa were only assigned a class C subnet of public IP addresses! (they have been upgraded since). Some campuses in the USA were assigned whole class B subnets, which are still hardly touched! When IPv4 first came around they always thought we would never run out, and so addresses were poorly assigned ..... HMMMmmmmm kinda sounds like IPv6, don't it! lol

Other countries have already upgraded and moved to IPv6 because of the allocation decisions above (whereas some states in the USA, and other countries too, still have plenty of IPv4 addresses; it's estimated we will run out anytime from now to 2041)

New network devices on the rise

NAT (our current solution) is now seen as a hindrance to innovation:
We are now moving to IPv6 because devices could do a lot more if not behind NAT; it is blocking
a lot of the features/apps that could otherwise be used on devices. The goal is to eliminate NAT.

Potential future features:
* IPsec is native (can be),
* Mobility: a moving device keeping the same address while moving over
different networks (currently we accomplish this with tunnelling etc.)
* Simpler header: although the header is bigger, it is now less heavy on the processor of the device, which means the routers can scale higher.




IPV6 Addressing format

Address size moved from 32-bit (IPV4) to 128-bit (IPV6)

PROVIDES
340,282,366,920,938,463,463,374,607,431,770,000,000 addresses....

That's something like an IP address for every atom on earth! and still some addresses left for 100 earths beyond that!

Because of this, they have agreed to leave 85% of the allocation untouched/reserved until they have revised the standard, so we don't have addresses scattered around everywhere!!!


To make addresses more manageable, they are divided into 8 groups of 4 hex (not decimal) characters each

2001:0050:0000:0000:0000:0AB4:1E2B:98AA
Whereas each octet was 8 bits in IPv4, each group (well, they are not octets anymore, but you know what I mean) is now 16 bits (16x8 = 128)

Rule 1: Replace one run of consecutive all-zero groups with :: (ONCE per address)
2001:0050::0AB4:1E2B:98AA

Rule 2: Drop leading zeros
2001:50::AB4:1E2B:98AA

So this makes the loopback address 127.0.0.1 =  ::1 - lol!!!!
apart from speciality addresses, the addresses are never going to be as easy as IPv4 to type :0(
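Both rules as an added Python example (not from these notes): Rule 2 is applied to every group and Rule 1 only to the longest run of all-zero groups, because using :: twice would make the address ambiguous, and the result is cross-checked against Python's ipaddress module.

```python
import ipaddress


def expand_ipv6(addr: str) -> list:
    """Undo both rules: the eight 4-hex-digit groups of a (possibly compressed) address."""
    return ipaddress.IPv6Address(addr).exploded.split(":")


def compress_ipv6(full: str) -> str:
    """Apply the two rules to an address written out in full (eight groups).

    Rule 1: replace ONE run of consecutive all-zero groups with '::'. If there
            are several runs, the longest wins (the leftmost on a tie); a lone
            zero group stays as '0', since '::' is only used for two or more.
    Rule 2: drop the leading zeros of every group, but never the whole group.
    """
    groups = full.split(":")
    if len(groups) != 8 or any(len(g) != 4 for g in groups):
        raise ValueError("expected eight 4-hex-digit groups, e.g. 2001:0050:0000:...")

    # Rule 1: locate the longest run of "0000" groups
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] != "0000":
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == "0000":
            j += 1
        if j - i > best_len:            # strict '>' keeps the leftmost on a tie
            best_start, best_len = i, j - i
        i = j

    # Rule 2: strip leading zeros, keeping a single '0' for an all-zero group
    short = [g.lstrip("0") or "0" for g in groups]

    if best_len < 2:
        return ":".join(short)
    left = ":".join(short[:best_start])
    right = ":".join(short[best_start + best_len:])
    return f"{left}::{right}"


def agrees_with_stdlib(full: str) -> bool:
    """Cross-check: the rules above should give the same text as Python's
    ipaddress module (which follows RFC 5952), ignoring letter case."""
    return compress_ipv6(full).lower() == ipaddress.IPv6Address(full).compressed


if __name__ == "__main__":
    for full in ("2001:0050:0000:0000:0000:0AB4:1E2B:98AA",   # the example above
                 "0000:0000:0000:0000:0000:0000:0000:0001",   # loopback -> ::1
                 "2001:0db8:0000:0000:0001:0000:0000:0001"):  # two equal runs: leftmost wins
        print(full, "->", compress_ipv6(full), agrees_with_stdlib(full))
```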


So as you can see, although the header is bigger, this just means it needs more bandwidth (these days, not an issue!); but it's processor cycles it saves us, and it's more secure as there are fewer fields.



NO more private IP addresses in IPV6, so no NAT (well its optional now)

BYE BYE DHCP ....
IPv6 hosts can configure themselves automatically when connected to a routed IPv6 network using ICMP version 6 (ICMPv6) router discovery messages. When first connected to a network, a host sends a link-local router solicitation multicast request for its configuration parameters; if configured, routers respond to such a request with a router advertisement packet that contains network-layer configuration parameters.



SO, let's have a looksie on my router (you may need an IOS upgrade)...

R1(config)#inter loopback50
R1(config-if)#ipv6 address ?
  WORD                General prefix name
  X:X:X:X::X          IPv6 link-local address
  X:X:X:X::X/<0-128>  IPv6 prefix
  autoconfig          Obtain address using autoconfiguration

R1(config-if)#ipv6 address 2011:2803:1234:AAA:BBBB:CCCC:1234:5678/64

Man, is it hard to randomly make up an IP now!!!! and notice at last it's gone CIDR!!! so that's better, no more typing the subnet mask!
So I have set the first 64 bits to the network and the remaining 64 bits are the host (it's gonna take a while getting used to the size of these masks)


R1#show ipv6 interface loopback 50
Loopback50 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::C201:14FF:FEA8:0
  Global unicast address(es):
    2011:2803:1234:AAA:BBBB:CCCC:1234:5678, subnet is 2011:2803:1234:AAA::/64
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF34:5678
  MTU is 1514 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ND DAD is not supported
  ND reachable time is 30000 milliseconds


* Notice we have auto-generated a link-local address!
* it starts with FE80
* it has FFFE in the address
* the last 64 bits are built from the MAC address - the MAC itself is 48 bits (if a loopback, it will borrow the MAC of one of the FastEthernet interfaces)



Let's have a look at how other devices will configure themselves automatically on the network:


R1(config)#inter loopback51
R1(config-if)#ipv6 address ?
  WORD                General prefix name
  X:X:X:X::X          IPv6 link-local address
  X:X:X:X::X/<0-128>  IPv6 prefix


R1(config-if)#ipv6 address 2001:1234:abcd:5678::/64?
  anycast  Configure as an anycast
  eui-64   Use eui-64 interface identifier
  <cr>

R1(config-if)#ipv6 address 2001:1234:abcd:5678::/64 eui-64

This, as the command suggests, enables the 64-bit interface identifier (the MAC with the FFFE bit)


R1#show ipv6 interface loopback 51
Loopback51 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::C201:14FF:FEA8:0
  Global unicast address(es):
    2001:1234:ABCD:5678:C201:14FF:FEA8:0, subnet is 2001:1234:ABCD:5678::/64 [EUI]
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FFA8:0
  MTU is 1514 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ND DAD is not supported
  ND reachable time is 30000 milliseconds


There it is! notice the EUI bit, which was auto-generated!!! :0) so if the other devices are configured with this auto-config set, they too will now know the subnet ID and will also auto-generate their own address from the interface ID to give them a global address!!!
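The address arithmetic these notes keep running into (the FFFE-padded link-local, the eui-64 host part, and the solicited-node group joined per address), as an added Python example that is not part of the original notes or of IOS. One detail worth knowing: modified EUI-64 also inverts the universal/local bit of the first MAC byte, which is why R3's c003.13b0.0000 shows up as FE80::C203:13FF:FEB0:0 rather than ...C003...; the solicited-node group is FF02::1:FF followed by the low 24 bits of the address, the "least significant 24 bits" observed above.

```python
import ipaddress
import re


def modified_eui64(mac: str) -> bytes:
    """Build the 64-bit interface identifier from a 48-bit MAC (RFC 4291, appendix A).

    Split the MAC into two 24-bit halves, wedge 0xFFFE between them, then
    invert the universal/local bit (0x02) of the first byte. That last step is
    why R3's MAC c003.13b0.0000 appears as FE80::C203:13FF:FEB0:0 and not
    ...C003:13FF:FEB0:0.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)       # accepts c003.13b0.0000 or c0:03:13:b0:00:00
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    m = bytes.fromhex(digits)
    iid = bytearray(m[:3] + b"\xff\xfe" + m[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """What IOS auto-generates on an IPv6-enabled interface: FE80::/64 + EUI-64."""
    prefix = ipaddress.IPv6Address("fe80::").packed[:8]
    return ipaddress.IPv6Address(prefix + modified_eui64(mac))


def global_eui64(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Equivalent of `ipv6 address <prefix>/64 eui-64`: the /64 prefix plus EUI-64."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("eui-64 needs a /64 prefix, got /%d" % net.prefixlen)
    return ipaddress.IPv6Address(net.network_address.packed[:8] + modified_eui64(mac))


def solicited_node_group(addr: str) -> ipaddress.IPv6Address:
    """FF02::1:FF00:0/104 with the low 24 bits of the unicast address appended:
    FE80::1:2222:3333 -> FF02::1:FF22:3333, 2001:33AA::2 -> FF02::1:FF00:2."""
    low24 = ipaddress.IPv6Address(addr).packed[-3:]
    base = ipaddress.IPv6Address("ff02::1:ff00:0").packed[:13]
    return ipaddress.IPv6Address(base + low24)


def joined_groups(*addrs: str) -> list:
    """The 'Joined group address(es)' an IOS router interface shows: all-nodes,
    all-routers, then one solicited-node group per configured address (the
    link-local and global addresses share a group when their low 24 bits coincide)."""
    groups = ["ff02::1", "ff02::2"]
    for a in addrs:
        g = str(solicited_node_group(a))
        if g not in groups:
            groups.append(g)
    return groups


if __name__ == "__main__":
    # R3's fa0/0 MAC as listed in R4's `show ipv6 neighbors` above
    mac = "c003.13b0.0000"
    print("link-local :", link_local_from_mac(mac))             # fe80::c203:13ff:feb0:0
    print("eui-64     :", global_eui64("2001:33aa::/64", mac))  # 2001:33aa::c203:13ff:feb0:0
    # R4's own two addresses and the groups they make it join
    print("groups     :", joined_groups("fe80::c202:13ff:feb0:0", "2001:33aa::2"))
```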

SO DHCP is optional now too! ..... WOW!

Tuesday 27 March 2012

Okay, I have already got my notes and labs on IPv4 Redistribution / Controlling Routing Updates and the almighty BGP; the last nugget left in this section of the series is Policy Routing, then we hit IPv6 ... w00t woot!

Policy-Based Routing Lab


Objectives:
Your organization is implementing a dual ISP setup that should be tightly controlled. They have requested the following parameters:
  • Client1 surfs the Internet all day doing nothing productive. All traffic from this client should route out ISP2, which is a slower Internet connection. If ISP2 is down, Client1 should not be able to access the Internet.
  • Client2 handles sophisticated transactions. Both Telnet and HTTPS traffic should route towards ISP1, which is the more reliable connection. All other traffic from Client2 should route out ISP2.
  • Traffic from other clients (not shown in this diagram) should route out ISP2.
  • Traffic originating from the PolicyRouter should prefer ISP1 but should fail over to ISP2 should ISP1 be unavailable. Verify ISP1 is available using proactive testing techniques.
To accomplish these objectives, you may create no more than two route-maps and three access-lists.




Testing:
1. Telnet from Client1 to ISP2 (201.1.1.2). The telnet session should connect to the ISP router; likewise, you should be able to verify traffic by using the show route-map command on the PolicyRouter. You can also verify traffic by viewing the logging buffer on ISP2. Performing a telnet session to ISP1 (200.1.1.2) should fail (simply because ISP1 and ISP2 have no knowledge of each other).

2. Telnet from Client2 to ISP1 (200.1.1.2) using TCP ports 23 and 443 (telnet 200.1.1.2 443). Both sessions should connect. You can validate the path used through the same process as for Client1. Telnet to ISP2 using TCP port 80 (telnet 201.1.1.2 80) to validate alternate-path routing. Telnetting to ISP2 using port 23 or 443 should fail (since that traffic will be policy-routed to ISP1, which has no knowledge of ISP2).

3. To test traffic originating from the router, issue pings to ISP1 (these should succeed), then ping ISP2 (these should fail). Verify that ISP1 received the packets by viewing the logging buffer. Shut down the interface to ISP1 and then ping ISP2; the pings should succeed.



Let's match all traffic from Client1 as per the first objective:


PolicyRouter(config)#ip access-list ext CLIENT1
PolicyRouter(config-ext-nacl)#permit ip host 192.168.1.20 any
PolicyRouter(config-ext-nacl)#exit


Done, lets get the route-map setup which will use the ACL above.


PolicyRouter(config)#route-map POLICY 10
PolicyRouter(config-route-map)#match ip address CLIENT1
PolicyRouter(config-route-map)#set ip next-hop 201.1.1.2

PolicyRouter(config-route-map)#do show route-map POLICY
route-map POLICY, permit, sequence 10
  Match clauses:
    ip address (access-lists): CLIENT1
  Set clauses:
    ip next-hop 201.1.1.2
  Policy routing matches: 0 packets, 0 bytes

So our route-map will match all traffic from Client1 (192.168.1.20) and set its next-hop address to ISP2; that is the first task complete (although we still need to apply it)


PolicyRouter(config)#ip access-list ext CLIENT2
PolicyRouter(config-ext-nacl)#permit tcp host 192.168.1.21 any eq 23
PolicyRouter(config-ext-nacl)#permit tcp host 192.168.1.21 any eq 443

PolicyRouter(config)#route-map POLICY 20
PolicyRouter(config-route-map)#match ip address CLIENT2
PolicyRouter(config-route-map)#set ip next-hop 200.1.1.2
PolicyRouter(config-route-map)#
PolicyRouter#conf t
*Mar  1 00:38:11.263: %SYS-5-CONFIG_I: Configured from console by console


PolicyRouter#show route-map POLICY
route-map POLICY, permit, sequence 10
  Match clauses:
    ip address (access-lists): CLIENT1
  Set clauses:
    ip next-hop 201.1.1.2
  Policy routing matches: 0 packets, 0 bytes
route-map POLICY, permit, sequence 20
  Match clauses:
    ip address (access-lists): CLIENT2
  Set clauses:
    ip next-hop 200.1.1.2
  Policy routing matches: 0 packets, 0 bytes
Right, so as per the next objective, we have created a new ACL which will match telnet and HTTPS traffic from Client2 (192.168.1.21) and set it to route to ISP1; now to make all other traffic from Client2 route out to ISP2:



PolicyRouter(config)#route-map POLICY permit 30
PolicyRouter(config-route-map)#set ip ne
PolicyRouter(config-route-map)#set ip next-hop 201.1.1.2
PolicyRouter(config-route-map)#exit
PolicyRouter(config)#do show route-map POLICY
route-map POLICY, permit, sequence 10
  Match clauses:
    ip address (access-lists): CLIENT1
  Set clauses:
    ip next-hop 201.1.1.2
  Policy routing matches: 0 packets, 0 bytes
route-map POLICY, permit, sequence 20
  Match clauses:
    ip address (access-lists): CLIENT2
  Set clauses:
    ip next-hop 200.1.1.2
  Policy routing matches: 0 packets, 0 bytes
route-map POLICY, permit, sequence 30
  Match clauses:
  Set clauses:
    ip next-hop 201.1.1.2
  Policy routing matches: 0 packets, 0 bytes

With this next step in the policy we can complete task 2 and task 3: as we did not set a "match ip address", this sequence will MATCH EVERYTHING,
which accomplishes the tasks required.

If any traffic other than telnet and HTTPS is sent to the router it will not match sequence 20 and will be caught in the catch-all of statement 30 :0)
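The matching logic of the POLICY route-map as it stands (three sequences, two ACLs, no match clause on sequence 30), as an added Python model that is not from the lab or from IOS; it imitates the IOS behaviour that matters here: ACLs are first-match with an implicit deny, sequences are tried in order, and a sequence without a match clause matches everything. The client and ISP addresses are the lab's own; the ISP routers themselves are not modelled, only which next hop the PolicyRouter picks.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None


@dataclass
class AclEntry:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches any protocol
    src: str                   # CIDR; `host 192.168.1.20` is 192.168.1.20/32
    dst: str                   # CIDR; `any` is 0.0.0.0/0
    eq: Optional[int] = None   # destination port, as in `any eq 443`


@dataclass
class RouteMapSeq:
    seq: int
    acl: Optional[str]         # None: no match clause, so it matches everything
    next_hop: str
    matches: int = 0           # the "Policy routing matches" counter


def acl_permits(entries: List[AclEntry], pkt: Packet) -> bool:
    """IOS access-list semantics: first matching entry wins, implicit deny at the end."""
    for e in entries:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if ip_address(pkt.src) not in ip_network(e.src):
            continue
        if ip_address(pkt.dst) not in ip_network(e.dst):
            continue
        if e.eq is not None and e.eq != pkt.dport:
            continue
        return e.action == "permit"
    return False


def policy_route(route_map: List[RouteMapSeq], acls: Dict[str, List[AclEntry]],
                 pkt: Packet) -> Optional[str]:
    """Walk the permit sequences in order; the first one whose match clause is
    satisfied (or that has none) sets the next hop. A packet matching no
    sequence falls through to the normal routing table (None here)."""
    for s in sorted(route_map, key=lambda s: s.seq):
        if s.acl is None or acl_permits(acls[s.acl], pkt):
            s.matches += 1
            return s.next_hop
    return None


# The lab's own values
ISP1, ISP2 = "200.1.1.2", "201.1.1.2"
ANY = "0.0.0.0/0"
ACLS: Dict[str, List[AclEntry]] = {
    "CLIENT1": [AclEntry("permit", "ip", "192.168.1.20/32", ANY)],
    "CLIENT2": [AclEntry("permit", "tcp", "192.168.1.21/32", ANY, eq=23),
                AclEntry("permit", "tcp", "192.168.1.21/32", ANY, eq=443)],
}
POLICY: List[RouteMapSeq] = [
    RouteMapSeq(10, "CLIENT1", ISP2),
    RouteMapSeq(20, "CLIENT2", ISP1),
    RouteMapSeq(30, None, ISP2),      # catch-all: no match clause
]


def next_hop_for(pkt: Packet) -> Optional[str]:
    return policy_route(POLICY, ACLS, pkt)


def counters() -> Dict[int, int]:
    """Equivalent of reading `show route-map POLICY` after some traffic."""
    return {s.seq: s.matches for s in POLICY}


def reset_counters() -> None:
    for s in POLICY:
        s.matches = 0


if __name__ == "__main__":
    samples = [
        Packet("192.168.1.20", ISP1, "tcp", 23),        # Client1 -> anything: ISP2 (so ISP1 is unreachable)
        Packet("192.168.1.21", ISP1, "tcp", 443),       # Client2 HTTPS: ISP1
        Packet("192.168.1.21", ISP2, "tcp", 80),        # Client2 other: ISP2 via seq 30
        Packet("192.168.1.50", "203.0.113.9", "icmp"),  # constructed "other client": ISP2 via seq 30
    ]
    for p in samples:
        print(f"{p.src} -> {p.dst} {p.proto}/{p.dport}: next hop {next_hop_for(p)}")
    print(counters())
```

Only transit packets arriving on fa0/0 are modelled, which is all an interface `ip policy route-map` acts on; traffic the router itself originates (task 4) needs a local policy applied to the router, which the lab has not reached yet.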



Let's apply the route-map


PolicyRouter(config)#inter fa0/0
PolicyRouter(config-if)#ip policy route-map POLICY


PolicyRouter#show ip policy
Interface      Route map
Fa0/0          POLICY


Let's test. So we should be able to telnet from Client1 to ISP2 (201.1.1.2), as all traffic should route to ISP2



Client1#telnet 201.1.1.2
Trying 201.1.1.2 ... Open


User Access Verification

Password:




Sure enough, we connect successfully; let's also try and connect to ISP1 (200.1.1.2)


Client1#telnet 200.1.1.2
Trying 200.1.1.2 ...
% Destination unreachable; gateway or host down


We have matches on sequence 10; it fails because it is going out to ISP2, and this router knows nothing about ISP1!


PolicyRouter#show route-map POLICY
route-map POLICY, permit, sequence 10
  Match clauses:
    ip address (access-lists): CLIENT1
  Set clauses:
    ip next-hop 201.1.1.2

  Policy routing matches: 21 packets, 1266 bytes

the ACL logging on ISP2 confirms the packets:

*Mar  1 00:58:48.963: %SEC-6-IPACCESSLOGP: list log permitted tcp 192.168.1.20(0) -> 201.1.1.2(0), 1 packet
ISP2#
*Mar  1 01:01:43.163: %SEC-6-IPACCESSLOGP: list log permitted tcp 192.168.1.20(0) -> 200.1.1.2(0), 1 packet
ISP2#
*Mar  1 01:04:05.011: %SEC-6-IPACCESSLOGP: list log permitted tcp 192.168.1.20(0) -> 201.1.1.2(0), 12 packets
ISP2#
*Mar  1 01:07:05.015: %SEC-6-IPACCESSLOGP: list log permitted tcp 192.168.1.20(0) -> 200.1.1.2(0), 8 packets
ISP2#
*Mar  1 01:10:05.015: %SEC-6-IPACCESSLOGP: list log permitted tcp 192.168.1.20(0) -> 201.1.1.2(0), 10 packets
ISP2#





Now lets test Client 2:


Client2#telnet 200.1.1.2
Trying 200.1.1.2 ... Open


Password required, but none set

[Connection to 200.1.1.2 closed by foreign host]


So this works as expected and the policy map confirms this:


PolicyRouter#show route-map POLICY
route-map POLICY, permit, sequence 10
  Match clauses:
    ip address (access-lists): CLIENT1
  Set clauses:
    ip next-hop 201.1.1.2
  Policy routing matches: 37 packets, 2226 bytes
route-map POLICY, permit, sequence 20
  Match clauses:
    ip address (access-lists): CLIENT2
  Set clauses:
    ip next-hop 200.1.1.2
  Policy routing matches: 10 packets, 606 bytes




let's confirm HTTPS access also:


Client2#telnet 200.1.1.2 443
Trying 200.1.1.2, 443 ... Open

[Connection to 200.1.1.2 closed by foreign host]



and we can see the matches on the CLIENT2 ACL being used by the route-map:

PolicyRouter#show access-list CLIENT2
Extended IP access list CLIENT2
    10 permit tcp host 192.168.1.21 any eq telnet (10 matches)
    20 permit tcp host 192.168.1.21 any eq 443 (12 matches)






Let's see if other traffic from Client2 is routed out to ISP2


Client2#telnet 201.1.1.2 80
Trying 201.1.1.2, 80 ... Open


HTTP/1.1 400 Bad Request
Date: Fri, 01 Mar 2002 01:19:17 GMT
Server: cisco-IOS
Accept-Ranges: none

400 Bad Request

[Connection to 201.1.1.2 closed by foreign host]




It works:

route-map POLICY, permit, sequence 30
  Match clauses:
  Set clauses:
    ip next-hop 201.1.1.2
  Policy routing matches: 54 packets, 3240 bytes



Task4:
We can do this with IP SLA, which can send out probes (could be connecting to a web server, like on port 80/443, or pinging a host, etc.; we can configure many probes over x amount of time, and when the availability of that probe comes back as down we can redirect routes elsewhere)
All very koool!



PolicyRouter(config)#ip sla monitor 1
PolicyRouter(config-sla-monitor)#type ?
  dhcp         DHCP Operation
  dns          DNS Query Operation
  echo         Echo Operation
  frame-relay  Perform frame relay operation
  ftp          FTP Operation
  http         HTTP Operation
  jitter       Jitter Operation
  pathEcho     Path Discovered Echo Operation
  pathJitter   Path Discovered Jitter Operation
  tcpConnect   TCP Connect Operation
  udpEcho      UDP Echo Operation
  voip         Voice Over IP measurement

PolicyRouter(config-sla-monitor)#type echo protocol ipIcmpEcho 200.1.1.2
PolicyRouter(config-sla-monitor-echo)#?
IP SLA Monitor echo Configuration Commands:
  buckets-of-history-kept           Maximum number of history buckets to
                                    collect
  default                           Set a command to its defaults
  distributions-of-statistics-kept  Maximum number of statistics distribution
                                    buckets to capture
  enhanced-history                  Enable enhanced history collection
  exit                              Exit probe configuration
  filter-for-history                Add operation to History when...
  frequency                         Frequency of an operation
  hours-of-statistics-kept          Maximum number of statistics hour groups to
                                    capture
  lives-of-history-kept             Maximum number of history lives to collect
  no                                Negate a command or set its defaults
  owner                             Owner of Entry
  request-data-size                 Request data size
  statistics-distribution-interval  Statistics distribution interval size
  tag                               User defined tag
  threshold                         Operation threshold in milliseconds
  timeout                           Timeout of an operation
  tos                               Type Of Service
  verify-data                       Verify data
  vrf                               Configure IP SLA Monitor for a VPN
                                    Routing/Forwarding instance

PolicyRouter(config-sla-monitor-echo)#timeout 1000
PolicyRouter(config-sla-monitor-echo)#frequency 3
PolicyRouter(config-sla-monitor-echo)#exit

Now we need to attach and schedule them (most monitoring tools can monitor these SLAs too):

PolicyRouter(config)#ip sla monitor schedule 1 ?
  ageout      How long to keep this Entry when inactive
  life        Length of time to execute in seconds
  recurring   Probe to be scheduled automatically every day
  start-time  When to start this entry
  <cr>

PolicyRouter(config)#ip sla monitor schedule 1 start-time now life forever
PolicyRouter(config)#track 1 ?
  interface  Select an interface to track
  ip         IP protocol
  list       Group objects in a list
  rtr        Response Time Reporter (RTR) entry

rtr is actually the old name, it looks like they have not corrected the name to SLA lol

PolicyRouter(config)#track 1 inter serial0/0 line-protocol ?
  <cr>


look, we can even monitor an interface's line protocol!!! that could be handy!! anyways ....

PolicyRouter(config)#track 1 rtr 1 ?
  reachability  Reachability
  state         Return code state
  <cr>
PolicyRouter(config)#track 1 rtr 1 reac
PolicyRouter(config)#track 1 rtr 1 reachability
PolicyRouter(config-track)#?
Tracking instance configuration commands:
  default  Set a command to its defaults
  delay    Tracking delay
  exit     Exit from tracking configuration mode
  no       Negate a command or set its defaults

We will leave this at the defaults for now. Lets create a new route-map to attach this to, as this is for the traffic originating from the router itself.



PolicyRouter(config)#route-map ROUTER-TRAFFIC permit 10
PolicyRouter(config-route-map)#ip access-list ext ROUTER
PolicyRouter(config-ext-nacl)#permit ip any any
PolicyRouter(config-ext-nacl)#exit
PolicyRouter(config)#route-map ROUTER-TRAFFIC permit 10
PolicyRouter(config-route-map)#match ip address ROUTER
PolicyRouter(config-route-map)#set ip next-hop verify-availability ?
  A.B.C.D  IP address of next hop
  <cr>

PolicyRouter(config-route-map)#set ip next-hop verify-availability 200.1.1.2 ?
  <1-65535>  Sequence to insert into next-hop list

PolicyRouter(config-route-map)#$-hop verify-availability 200.1.1.2 10 ?
  track  set the next hop depending on the state of a tracked object

PolicyRouter(config-route-map)#$-hop verify-availability 200.1.1.2 10 tr
PolicyRouter(config-route-map)#$y-availability 200.1.1.2 10 track 1
PolicyRouter(config-route-map)#do show route-map ROUTER-TRAFFIC
route-map ROUTER-TRAFFIC, permit, sequence 10
  Match clauses:
    ip address (access-lists): ROUTER
  Set clauses:
    ip next-hop verify-availability 200.1.1.2 10 track 1  [up]
  Policy routing matches: 0 packets, 0 bytes


As we can see it is currently tracking ISP 1 as up :0)


PolicyRouter(config-route-map)#set ip next-hop 201.1.1.2

route-map ROUTER-TRAFFIC, permit, sequence 10
  Match clauses:
    ip address (access-lists): ROUTER
  Set clauses:
    ip next-hop verify-availability 200.1.1.2 10 track 1  [up]
    ip next-hop 201.1.1.2
  Policy routing matches: 0 packets, 0 bytes
PolicyRouter#


Lets apply this to the router's own traffic. Unlike PBR on an interface, this is done globally with ip local policy:

PolicyRouter(config)#ip local policy route-map ROUTER-TRAFFIC


Lets test:

PolicyRouter#ping 200.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/7/32 ms
PolicyRouter#ping 200.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/8/16 ms



PolicyRouter#show route-map ROUTER-TRAFFIC
route-map ROUTER-TRAFFIC, permit, sequence 10
  Match clauses:
    ip address (access-lists): ROUTER
  Set clauses:
    ip next-hop verify-availability 200.1.1.2 10 track 1  [up]
    ip next-hop 201.1.1.2
  Policy routing matches: 59 packets, 4496 bytes



Lets see if we can ping ISP2 ... which should fail (as ISP1 is still available):

PolicyRouter#ping 201.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 201.1.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
PolicyRouter#



Lets shut down the interface to ISP1 and see if we can ping ISP2 (because once the tracked object goes down, the route-map skips the verified next hop and falls through to the ISP2 next hop)



PolicyRouter(config)#inter ser0/0
PolicyRouter(config-if)#shut


PolicyRouter#show route-map ROUTER-TRAFFIC
*Mar  1 01:58:12.051: %SYS-5-CONFIG_I: Configured from console by console
PolicyRouter#show route-map ROUTER-TRAFFIC
route-map ROUTER-TRAFFIC, permit, sequence 10
  Match clauses:
    ip address (access-lists): ROUTER
  Set clauses:
    ip next-hop verify-availability 200.1.1.2 10 track 1  [up]
    ip next-hop 201.1.1.2
  Policy routing matches: 264 packets, 17796 bytes
PolicyRouter#
*Mar  1 01:58:13.819: %LINK-5-CHANGED: Interface Serial0/0, changed state to administratively down
*Mar  1 01:58:14.819: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down
PolicyRouter#
*Mar  1 01:58:14.955: %TRACKING-5-STATE: 1 rtr 1 reachability Up->Down


PolicyRouter#show route-map ROUTER-TRAFFIC
route-map ROUTER-TRAFFIC, permit, sequence 10
  Match clauses:
    ip address (access-lists): ROUTER
  Set clauses:
    ip next-hop verify-availability 200.1.1.2 10 track 1  [down]
    ip next-hop 201.1.1.2
  Policy routing matches: 266 packets, 17924 bytes


PolicyRouter#ping 201.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 201.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/6/16 ms
PolicyRouter#


SWEEET! how kool is that!!!! Gotta read up some more on IP SLA's ..... kool


OSPF Routing - Area Types and Options 2

OBJECTIVES
1. Configure basic OSPF for the network shown. Advertise all networks attached to each router into OSPF using the simplest method available. To inject external networks into the OSPF domain, redistribute the static routes on R1. These routes should be marked as type E1.

2. OSPF should never form neighbor relationships on any interface where other OSPF routers do not exist (as shown in the diagram).

3. All routers in Area 0 should use MD5 authentication for OSPF neighbors. Routers in Area 23 should be configured to support clear-text authentication for OSPF neighbors. All keys should be set to the passphrase ‘cisco’ (without quotes).

4. Routers in Area 45 are limited in their capacity and should not receive routes for networks outside the OSPF system. These routers should reach the external network using a default route which cannot be configured statically.

5. Routers in Area 23 must not receive any Type 3, 4, or 5 LSAs from the rest of the OSPF network. These routers should reach the external network using a default route with an initial OSPF cost of 100.

6. When this exercise is complete, all routers should be able to reach (ping) every route in the OSPF routing table.








R1(config)#router ospf 1
R1(config-router)#router-id 1.1.1.1
R1(config-router)#network 10.100.1.1 0.0.0.255 area 0
R1(config-router)#exit
R1(config)#ip route 172.31.0.0 255.255.255.0 nul 0
R1(config)#ip route 172.31.1.0 255.255.255.0 nul 0
R1(config)#ip route 172.31.2.0 255.255.255.0 nul 0
R1(config)#ip route 172.31.3.0 255.255.255.0 nul 0


R2(config)#router ospf 1
R2(config-router)#router-id 2.2.2.2
R2(config-router)#network 10.100.1.2 0.0.0.255 area 0
R2(config-router)#network 10.23
*Mar  1 00:09:41.511: %OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.1 on FastEthernet0/0 from LOADING to FULL, Loading Done
R2(config-router)#network 10.23.1.2 0.0.0.255 area 23




R3(config)#router ospf 1
R3(config-router)#router-id 3.3.3.3
R3(config-router)#network 10.23.1.3 0.0.0.255 area 23
R3(config-router)#
*Mar  1 00:11:21.223: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on Serial0/0 from LOADING to FULL, Loading Done
R3(config-router)#network 172.30.0.0 0.0.255.255 area 23



R4(config)#router ospf 1
R4(config-router)#router-id 4.4.4.4
R4(config-router)#network 10.100.1.4 0.0.0.255 area 0
R4(config-router)#network 10
*Mar  1 00:14:35.439: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on FastEthernet0/0 from LOADING to FULL, Loading Done
R4(config-router)#network 10.45.1.4
*Mar  1 00:14:40.811: %OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.1 on FastEthernet0/0 from LOADING to FULL, Loading Done
R4(config-router)#network 10.45.1.4 0.0.0.255 area 45
*Mar  1 00:15:33.031: %OSPF-5-ADJCHG: Process 1, Nbr 5.5.5.5 on Serial0/0 from LOADING to FULL, Loading Done


R5(config)#router ospf 1
R5(config-router)#router-id 5.5.5.5
R5(config-router)#network 10.45.1.0 0.0.0.255 area 45
R5(config-router)#
*Mar  1 00:15:29.903: %OSPF-5-ADJCHG: Process 1, Nbr 4.4.4.4 on Serial0/0 from LOADING to FULL, Loading Done



R6(config)#router ospf 1
R6(config-router)#router-id 6.6.6.6
R6(config-router)#network 10.100.1.6 0.0.0.255 area 0
R6(config-router)#network 10
*Mar  1 00:17:08.035: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on FastEthernet0/0 from LOADING to FULL, Loading Done
R6(config-router)#network 10.67.1.0 0.0.0.255
*Mar  1 00:17:13.735: %OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.1 on FastEthernet0/0 from LOADING to FULL, Loading Done
R6(config-router)#network 10.67.1.0 0.0.0.255 area 67



R7(config)#router ospf 1
R7(config-router)#router-id 7.7.7.7
R7(config-router)#network 10.67.1.0 0.0.0.255 area 67
R7(config-router)#netwo
*Mar  1 00:18:14.891: %OSPF-5-ADJCHG: Process 1, Nbr 6.6.6.6 on Serial0/0 from LOADING to FULL, Loading Done
R7(config-router)#network 10.78.1.7 0.0.0.255 area 78




R7 looks okay, looking at his routing table:


R7#show ip route

     172.30.0.0/32 is subnetted, 4 subnets
O IA    172.30.3.1 [110/139] via 10.67.1.6, 00:00:55, Serial0/0
O IA    172.30.2.1 [110/139] via 10.67.1.6, 00:00:55, Serial0/0
O IA    172.30.1.1 [110/139] via 10.67.1.6, 00:00:55, Serial0/0
O IA    172.30.0.1 [110/139] via 10.67.1.6, 00:00:55, Serial0/0
     10.0.0.0/24 is subnetted, 5 subnets
O IA    10.23.1.0 [110/138] via 10.67.1.6, 00:00:55, Serial0/0
O IA    10.45.1.0 [110/138] via 10.67.1.6, 00:00:55, Serial0/0
C       10.78.1.0 is directly connected, Serial0/1
C       10.67.1.0 is directly connected, Serial0/0
O IA    10.100.1.0 [110/74] via 10.67.1.6, 00:00:56, Serial0/0


lets configure naughty router8 (our illegal router):

R8(config)#router ospf 1
R8(config-router)#router-id 8.8.8.8
R8(config-router)#network 10.78.1.8 0.0.0.255 area 78
R8(config-router)#
*Mar  1 00:20:02.863: %OSPF-5-ADJCHG: Process 1, Nbr 7.7.7.7 on Serial0/0 from LOADING to FULL, Loading Done
R8(config-router)#



So, Router8 has formed a relationship with R7, but he is not receiving any LSAs from R7. R7 will not forward them on, because area 78 violates the OSPF rules by having no connection into the backbone (area 0): R7 has no interface in area 0, so it is not a valid ABR and does not generate summary LSAs into area 78.

R8#show ip route
     10.0.0.0/24 is subnetted, 1 subnets
C       10.78.1.0 is directly connected, Serial0/0



R8#show ip ospf ne

Neighbor ID     Pri   State           Dead Time   Address         Interface
7.7.7.7           0   FULL/  -        00:00:37    10.78.1.7       Serial0/0





Lets get this redistribution working on R1, we need to redistribute the static routes:

R1#show run | i ip route
 

ip route 172.31.0.0 255.255.255.0 Null0
ip route 172.31.1.0 255.255.255.0 Null0
ip route 172.31.2.0 255.255.255.0 Null0
ip route 172.31.3.0 255.255.255.0 Null0


R1(config)#router ospf 1

R1(config-router)#redistribute static ?
  metric       Metric for redistributed routes
  metric-type  OSPF/IS-IS exterior metric type for redistributed routes
  route-map    Route map reference
  subnets      Consider subnets for redistribution into OSPF
  tag          Set tag for routes redistributed into OSPF
  <cr>

R1(config-router)#redistribute static subnets metric-type ?
  1  Set OSPF External Type 1 metrics
  2  Set OSPF External Type 2 metrics


Remember we choose Type 1, as their metric increments as they travel through the network; the default is type E2. We also need to set a seed metric....
 
R1(config-router)#redistribute static subnets metric-type 1 ?
  metric     Metric for redistributed routes
  route-map  Route map reference
  tag        Set tag for routes redistributed into OSPF
  <cr>


R1(config-router)#redistribute static subnets metric-type 1 metric 50

Lets check R7 to see if those routes are coming through;

R7#show ip route

     172.31.0.0/24 is subnetted, 4 subnets
O E1    172.31.3.0 [110/124] via 10.67.1.6, 00:04:00, Serial0/0
O E1    172.31.2.0 [110/124] via 10.67.1.6, 00:04:00, Serial0/0
O E1    172.31.1.0 [110/124] via 10.67.1.6, 00:04:00, Serial0/0
O E1    172.31.0.0 [110/124] via 10.67.1.6, 00:04:00, Serial0/0
     172.30.0.0/32 is subnetted, 4 subnets
O IA    172.30.3.1 [110/139] via 10.67.1.6, 00:27:47, Serial0/0
O IA    172.30.2.1 [110/139] via 10.67.1.6, 00:27:47, Serial0/0
O IA    172.30.1.1 [110/139] via 10.67.1.6, 00:27:48, Serial0/0
O IA    172.30.0.1 [110/139] via 10.67.1.6, 00:27:48, Serial0/0
     10.0.0.0/24 is subnetted, 5 subnets
O IA    10.23.1.0 [110/138] via 10.67.1.6, 00:27:48, Serial0/0
O IA    10.45.1.0 [110/138] via 10.67.1.6, 00:27:48, Serial0/0
C       10.78.1.0 is directly connected, Serial0/1
C       10.67.1.0 is directly connected, Serial0/0
O IA    10.100.1.0 [110/74] via 10.67.1.6, 00:27:48, Serial0/0


Notice the metric has changed also, from the initial seed metric of 50 that I set: 124 = 50 (seed) + 10 (the area 0 FastEthernet segment) + 64 (the serial link to R6). Compare the 74 for 10.100.1.0 above, which is the same 64 + 10 without the seed :0)

Lets now set the passive-interface command to complete objective 2. This works exactly the same as on EIGRP (the network is still advertised, but no neighbours will form on that interface).
  What we can do is make passive-interface the default and then simply allow OSPF to form relationships with other OSPF routers per interface with the no passive-interface command:


R1(config)#router ospf 1
R1(config-router)#passive-interface default
R1(config-router)#
*Mar  1 00:54:51.795: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on FastEthernet0/0 from FULL to DOWN, Neighbor Down: Interface down or detached
*Mar  1 00:54:51.799: %OSPF-5-ADJCHG: Process 1, Nbr 4.4.4.4 on FastEthernet0/0 from FULL to DOWN, Neighbor Down: Interface down or detached
*Mar  1 00:54:51.803: %OSPF-5-ADJCHG: Process 1, Nbr 6.6.6.6 on FastEthernet0/0 from FULL to DOWN, Neighbor Down: Interface down or detached
R1(config-router)#no passive-interface fa0/0
*Mar  1 00:55:21.135: %OSPF-5-ADJCHG: Process 1, Nbr 6.6.6.6 on FastEthernet0/0 from LOADING to FULL, Loading Done
*Mar  1 00:55:21.515: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on FastEthernet0/0 from LOADING to FULL, Loading Done
R1(config-router)#


Lets do R2 now also;


R2(config)#router ospf 1
R2(config-router)#passive-inter default
*Mar  1 00:59:48.563: %OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.1 on FastEthernet0/0 from FULL to DOWN, Neighbor Down: Interface down or detached
*Mar  1 00:59:48.567: %OSPF-5-ADJCHG: Process 1, Nbr 4.4.4.4 on FastEthernet0/0 from FULL to DOWN, Neighbor Down: Interface down or detached
*Mar  1 00:59:48.567: %OSPF-5-ADJCHG: Process 1, Nbr 6.6.6.6 on FastEthernet0/0 from FULL to DOWN, Neighbor Down: Interface down or detached
*Mar  1 00:59:48.571: %OSPF-5-ADJCHG: Process 1, Nbr 3.3.3.3 on Serial0/0 from FULL to DOWN, Neighbor Down: Interface down or detached
R2(config-router)#no passive-inter fa0/0
R2(config-router)#no passive-inter ser0/0
*Mar  1 01:00:02.563: %OSPF-5-ADJCHG: Process 1, Nbr 3.3.3.3 on Serial0/0 from LOADING to FULL, Loading Done
*Mar  1 01:00:12.951: %OSPF-5-ADJCHG: Process 1, Nbr 4.4.4.4 on FastEthernet0/0 from LOADING to FULL, Loading Done
*Mar  1 01:00:13.779: %OSPF-5-ADJCHG: Process 1, Nbr 6.6.6.6 on FastEthernet0/0 from LOADING to FULL, Loading Done


Okay, lets go do the rest of the other routers ...... all done :0)


Right,
Objective 3 ..... lets set up some authentication with these OSPF routers. OSPF is quite an old protocol, as you can tell from the fact it supports clear-text authentication (we will set this up just for grins, but real world ... me thinks not lol).
Also unlike EIGRP, OSPF does not use keychains :0( , we have to configure the auth per interface:

R1(config)#router ospf 1
R1(config-router)#area 0 authentication message-digest

RIGHT, so the above enables it globally for Area 0, meaning any router in Area 0 wishing to talk to R1 will need MD5 authentication; however you don't configure the key under the OSPF process, that is done on the interface........ HOWEVER CISCO DO NOT RECOMMEND THIS METHOD

It is a lot easier/more efficient to do it per neighbour and configure the authentication on the interface per neighbour:

R1(config)#inter fa0/0
R1(config-if)#ip ospf authentication message-digest


If you press enter without entering the message-digest bit, it will enable clear text. Notice my neighbours start dying, as R1 now sends hellos with a different authentication type than the neighbours expect ....

*Mar  1 01:18:54.139: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on FastEthernet0/0 from 2WAY to DOWN, Neighbor Down: Dead timer expired
*Mar  1 01:18:58.067: %OSPF-5-ADJCHG: Process 1, Nbr 4.4.4.4 on FastEthernet0/0 from FULL to DOWN, Neighbor Down: Dead timer expired
*Mar  1 01:18:58.371: %OSPF-5-ADJCHG: Process 1, Nbr 6.6.6.6 on FastEthernet0/0 from FULL to DOWN, Neighbor Down: Dead timer expired


R1(config-if)#ip ospf message-digest-key 1 md5 cisco


Lets apply it to the other routers in Area 0;

R2(config)#inter fa0/0
R2(config-if)#ip ospf authen message-digest
R2(config-if)#ip ospf message-digest-key 1 md5 cisco




NOTE: YOU HAVE TO USE THE SAME KEY ID


Lets check this out in wireshark, this capture is before the MD5 hashing is enabled on fa0/0

Notice, the Auth Type and Auth Data = none

Now we can see we have the Key ID, the Auth type and the MD5 digest in the Auth Data field. The digest is computed over the whole OSPF hello packet plus the key, so the packet is authenticated (not encrypted, the contents stay readable in the capture). The same applies to the other OSPF packet types ... database descriptions, LS requests ... updates etc etc
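To show what is actually in that Auth Data field, here is an added example (not from the original post) that builds a constructed OSPFv2 Hello, appends the MD5 trailer the way RFC 2328 Appendix D.4.3 describes, and then runs the receiver-side checks that produce the "Mismatch Authentication type" / "Mismatch Authentication Key" debug messages seen later on R6. The zero-padding of a short key to 16 bytes and the function names are my assumptions, not something the page states.

```python
"""OSPFv2 cryptographic authentication (RFC 2328 Appendix D.4.3) as the receiver checks it."""
import hashlib
import struct
from ipaddress import IPv4Address

AU_NULL, AU_SIMPLE, AU_CRYPTO = 0, 1, 2   # AuType 0 / 1 / 2, as in the debug output above
OSPF_HELLO = 1
HDR_LEN, DIGEST_LEN = 24, 16


def pad_key(key: str) -> bytes:
    """Assumption: the key is at most 16 bytes and is zero-padded to 16 (IOS/Quagga behaviour)."""
    raw = key.encode()
    if len(raw) > DIGEST_LEN:
        raise ValueError("OSPF MD5 key longer than 16 bytes")
    return raw.ljust(DIGEST_LEN, b"\x00")


def ip_checksum(data: bytes) -> int:
    """Standard one's-complement checksum, used only when AuType is 0 or 1."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def hello_body(mask="255.255.255.0", hello=10, dead=40, options=0x12, prio=1) -> bytes:
    """Constructed Hello body with no neighbours listed: mask, intervals, options, DR/BDR."""
    return struct.pack("!4sHBBI4s4s", IPv4Address(mask).packed, hello, options, prio,
                       dead, bytes(4), bytes(4))


def build_packet(router_id, area_id, body, *, autype=AU_NULL, key_id=0, key="", seq=0):
    """Build the OSPF packet; for AuType 2 the 16-byte MD5 trailer follows the packet."""
    length = HDR_LEN + len(body)      # the trailer is NOT counted in the OSPF packet length
    rid, aid = IPv4Address(router_id).packed, IPv4Address(area_id).packed
    if autype == AU_CRYPTO:
        # Auth field: 2 reserved bytes, Key ID, auth data length (16), cryptographic sequence
        auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
        pkt = struct.pack("!BBH4s4sHH8s", 2, OSPF_HELLO, length, rid, aid, 0, autype, auth) + body
        # Digest = MD5(packet || padded key); the key itself never goes on the wire
        return pkt + hashlib.md5(pkt + pad_key(key)).digest()
    # AuType 0/1: checksum covers the packet with the auth field excluded (zeroed here)
    hdr = struct.pack("!BBH4s4sHH8s", 2, OSPF_HELLO, length, rid, aid, 0, autype, bytes(8))
    csum = ip_checksum(hdr + body)
    auth = pad_key(key)[:8] if autype == AU_SIMPLE else bytes(8)   # type 1 carries the password
    return hdr[:12] + struct.pack("!H", csum) + hdr[14:16] + auth + body


def check_auth(frame: bytes, local_autype: int, keys: dict) -> str:
    """Receiver side: 'keys' maps Key ID -> key configured on this interface."""
    _, _, length, _, _, _, autype, auth = struct.unpack("!BBH4s4sHH8s", frame[:HDR_LEN])
    if autype != local_autype:
        return (f"Mismatch Authentication type. Input packet specified type {autype}, "
                f"we use type {local_autype}")
    if autype != AU_CRYPTO:
        return "ok"
    _, key_id, auth_len, _seq = struct.unpack("!HBBI", auth)
    if auth_len != DIGEST_LEN or len(frame) < length + DIGEST_LEN:
        return "Malformed authentication trailer"
    if key_id not in keys:       # this is why the Key ID has to match on both ends
        return f"Mismatch Authentication Key - No message digest key {key_id} on interface"
    pkt, digest = frame[:length], frame[length:length + DIGEST_LEN]
    if hashlib.md5(pkt + pad_key(keys[key_id])).digest() != digest:
        return f"Mismatch Authentication Key - Message Digest Key {key_id}"
    return "ok"


if __name__ == "__main__":
    r1 = build_packet("1.1.1.1", "0.0.0.0", hello_body(), autype=AU_CRYPTO, key_id=1, key="cisco", seq=1)
    print(check_auth(r1, AU_NULL, {}))                 # R6 before any auth is configured
    print(check_auth(r1, AU_CRYPTO, {}))               # R6 with message-digest but no key 1
    print(check_auth(r1, AU_CRYPTO, {1: "ccnp"}))      # wrong key
    print(check_auth(r1, AU_CRYPTO, {1: "cisco"}))     # ok
```

A real receiver also requires the cryptographic sequence number to be non-decreasing per neighbour (RFC 2328 D.4.3), which is what stops a captured packet being replayed; that bookkeeping is left out here.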

Lets setup R6, BUT .... lets enable some debugs first:

R6(config)#do debug ip ospf adj
OSPF adjacency events debugging is on


R6(config)#inter fa0/0
R6(config-if)#
*Mar  1 01:43:31.059: OSPF: Rcv pkt from 10.100.1.2, FastEthernet0/0 : Mismatch Authentication type. Input packet specified type 2, we use type 0
R6(config-if)#
*Mar  1 01:43:33.303: OSPF: Rcv pkt from 10.100.1.1, FastEthernet0/0 : Mismatch Authentication type. Input packet specified type 2, we use type 0
R6(config-if)#
*Mar  1 01:43:34.991: OSPF: Rcv pkt from 10.100.1.4, FastEthernet0/0 : Mismatch Authentication type. Input packet specified type 2, we use type 0


Type 2 = MD5
Type 1 = Cleartext
Type 0 = No authentication


R6(config-if)#ip ospf authen message-digest
R6(config-if)#ip ospf mess 1 md5 cisco

*Mar  1 01:46:41.067: OSPF: Rcv pkt from 10.100.1.2, FastEthernet0/0 : Mismatch Authentication Key - No message digest key 1 on interface
R6(config-if)#
*Mar  1 01:46:43.271: OSPF: Rcv pkt from 10.100.1.1, FastEthernet0/0 : Mismatch Authentication Key - Message Digest Key 1
R6(config-if)#
*Mar  1 01:46:44.967: OSPF: Send with youngest Key 1
*Mar  1 01:46:45.031: OSPF: Rcv DBD from 4.4.4.4 on FastEthernet0/0 seq 0xC80 opt 0x52 flag 0x7 len 32  mtu 1500 state INIT
*Mar  1 01:46:45.031: OSPF: 2 Way Communication to 4.4.4.4 on FastEthernet0/0, state 2WAY
*Mar  1 01:46:45.035: OSPF: Neighbor change Event on interface FastEthernet0/0
*Mar  1 01:46:45.035: OSPF: DR/BDR election on FastEthernet0/0
*Mar  1 01:46:45.035: OSPF: Elect BDR 4.4.4.4
*Mar  1 01:46:45.035: OSPF: Elect DR 6.6.6.6
*Mar  1 01:46:45.035:        DR: 6.6.6.6 (Id)   BDR: 4.4.4.4 (Id)
*Mar  1 01:46:45.035: OSPF: Send DBD to 4.4.4.4 on FastEthernet0/0 seq 0x1FF2 opt 0x52 flag 0x7 len 32
*Mar  1 01:46:45.035: OSPF: Send with youngest Key 1
*Mar  1 01:46:45.035: OSPF: First DBD and we are not SLAVE
*Mar  1 01:46:45.039: OSPF: Neighbor change Event on interface FastEthernet0/0
*Mar  1 01:46:45.039: OSPF: DR/BDR election on FastEthernet0/0
*Mar  1 01:46:45.039: OSPF: Elect BDR 4.4.4.4
*Mar  1 01:46:45.039: OSPF: Elect DR 6.6.6.6
*Mar  1 01:46:45.039:        DR: 6.6.6.6 (Id)   BDR: 4.4.4.4 (Id)
*Mar  1 01:46:45.055: OSPF: Rcv DBD from 4.4.4.4 on FastEthernet0/0 seq 0x1FF2 opt 0x52 flag 0x2 len 372  mtu 1500 state EXSTART
*Mar  1 01:46:45.059: OSPF: NBR Negotiation Done. We are the MASTER
*Mar  1 01:46:45.063: OSPF: Send DBD to 4.4.4.4 on FastEthernet0/0 seq 0x1FF3 opt 0x52 flag 0x3 len 332
*Mar  1 01:46:45.063: OSPF: Send with youngest Key 1
*Mar  1 01:46:45.071: OSPF: Rcv DBD from 4.4.4.4 on FastEthernet0/0 seq 0x1FF3 opt 0x52 flag 0x0 len 32  mtu 1500 state EXCHANGE
*Mar  1 01:46:45.071: OSPF: Send DBD to 4.4.4.4 on FastEthernet0/0 seq 0x1FF4 opt 0x52 flag 0x1 len 32
*Mar  1 01:46:45.071: OSPF: Send with youngest Key 1
*Mar  1 01:46:45.071: OSPF: Send LS REQ to 4.4.4.4 length 96 LSA count 8
*Mar  1 01:46:45.071: OSPF: Send with youngest Key 1
*Mar  1 01:46:45.083: OSPF: Rcv LS REQ from 4.4.4.4 on FastEthernet0/0 length 36 LSA count 1
*Mar  1 01:46:45.083: OSPF: Send with youngest Key 1
*Mar  1 01:46:45.083: OSPF: Send UPD to 10.100.1.4 on FastEthernet0/0 length 40 LSA count 1
*Mar  1 01:46:45.091: OSPF: Rcv DBD from 4.4.4.4 on FastEthernet0/0 seq 0x1FF4 opt 0x52 flag 0x0 len 32  mtu 1500 state EXCHANGE
*Mar  1 01:46:45.091: OSPF: Exchange Done with 4.4.4.4 on FastEthernet0/0
*Mar  1 01:46:45.103: OSPF: Rcv LS UPD from 4.4.4.4 on FastEthernet0/0 length 276 LSA count 8
*Mar  1 01:46:45.107: OSPF: No full nbrs to build Net Lsa for interface FastEthernet0/0
*Mar  1 01:46:45.107: OSPF: Build network LSA for FastEthernet0/0, router ID 6.6.6.6
*Mar  1 01:46:45.107: OSPF: Build network LSA for FastEthernet0/0, router ID 6.6.6.6
*Mar  1 01:46:45.107: OSPF: Synchronized with 4.4.4.4 on FastEthernet0/0, state FULL
*Mar  1 01:46:45.107: %OSPF-5-ADJCHG: Process 1, Nbr 4.4.4.4 on FastEthernet0/0 from LOADING to FULL, Loading Done
*Mar  1 01:46:45.139: OSPF: Send with youngest Key 1
*Mar  1 01:46:45.511: OSPF: Rcv LS UPD from 4.4.4.4 on FastEthernet0/0 length 76 LSA count 1
*Mar  1 01:46:45.543: OSPF: Build router LSA for area 0, router ID 6.6.6.6, seq 0x8000000C
*Mar  1 01:46:45.543: OSPF: Send with youngest Key 1
*Mar  1 01:46:45.551: OSPF: Send with youngest Key 1
*Mar  1 01:46:45.563: OSPF: 2 Way Communication to 2.2.2.2 on FastEthernet0/0, state 2WAY
*Mar  1 01:46:45.567: OSPF: Neighbor change Event on interface FastEthernet0/0
*Mar  1 01:46:45.567: OSPF: DR/BDR election on FastEthernet0/0
*Mar  1 01:46:45.571: OSPF: Elect BDR 4.4.4.4
*Mar  1 01:46:45.571: OSPF: Elect DR 6.6.6.6
*Mar  1 01:46:45.575:        DR: 6.6.6.6 (Id)   BDR: 4.4.4.4 (Id)
*Mar  1 01:46:45.575: OSPF: Send DBD to 2.2.2.2 on FastEthernet0/0 seq 0x1AB3 opt 0x52 flag 0x7 len 32
*Mar  1 01:46:45.579: OSPF: Send with youngest Key 1
*Mar  1 01:46:45.579: OSPF: Neighbor change Event on interface FastEthernet0/0
*Mar  1 01:46:45.583: OSPF: DR/BDR election on FastEthernet0/0
*Mar  1 01:46:45.583: OSPF: Elect BDR 4.4.4.4
*Mar  1 01:46:45.583: OSPF: Elect DR 6.6.6.6
*Mar  1 01:46:45.583:        DR: 6.6.6.6 (Id)   BDR: 4.4.4.4 (Id)
*Mar  1 01:46:45.583: OSPF: Send with youngest Key 1
*Mar  1 01:46:45.595: OSPF: Rcv DBD from 2.2.2.2 on FastEthernet0/0 seq 0xA47 opt 0x52 flag 0x7 len 32  mtu 1500 state EXSTART
*Mar  1 01:46:45.595: OSPF: First DBD and we are not SLAVE
*Mar  1 01:46:45.603: OSPF: Rcv DBD from 2.2.2.2 on FastEthernet0/0 seq 0x1AB3 opt 0x52 flag 0x2 len 372  mtu 1500 state EXSTART
*Mar  1 01:46:45.607: OSPF: NBR Negotiation Done. We are the MASTER
*Mar  1 01:46:45.611: OSPF: Send DBD to 2.2.2.2 on FastEthernet0/0 seq 0x1AB4 opt 0x52 flag 0x3 len 352
*Mar  1 01:46:45.615: OSPF: Send with youngest Key 1
*Mar  1 01:46:45.627: OSPF: Rcv DBD from 2.2.2.2 on FastEthernet0/0 seq 0x1AB4 opt 0x52 flag 0x0 len 32  mtu 1500 state EXCHANGE
*Mar  1 01:46:45.631: OSPF: Send DBD to 2.2.2.2 on FastEthernet0/0 seq 0x1AB5 opt 0x52 flag 0x1 len 32
*Mar  1 01:46:45.631: OSPF: Send with youngest Key 1
*Mar  1 01:46:45.639: OSPF: Rcv LS REQ from 2.2.2.2 on FastEthernet0/0 length 36 LSA count 1
*Mar  1 01:46:45.639: OSPF: Send with youngest Key 1
*Mar  1 01:46:45.639: OSPF: Send UPD to 10.100.1.2 on FastEthernet0/0 length 40 LSA count 1
*Mar  1 01:46:45.647: OSPF: Rcv DBD from 2.2.2.2 on FastEthernet0/0 seq 0x1AB5 opt 0x52 flag 0x0 len 32  mtu 1500 state EXCHANGE
*Mar  1 01:46:45.651: OSPF: Exchange Done with 2.2.2.2 on FastEthernet0/0
*Mar  1 01:46:45.651: OSPF: Synchronized with 2.2.2.2 on FastEthernet0/0, state FULL
*Mar  1 01:46:45.651: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on FastEthernet0/0 from LOADING to FULL, Loading Done
*Mar  1 01:46:46.119: OSPF: Rcv LS UPD from 2.2.2.2 on FastEthernet0/0 length 76 LSA count 1
*Mar  1 01:46:46.123: OSPF: Send with youngest Key 1
*Mar  1 01:46:47.611: OSPF: Send with youngest Key 1
*Mar  1 01:46:50.107: OSPF: Build network LSA for FastEthernet0/0, router ID 6.6.6.6
*Mar  1 01:46:50.107: OSPF: Build network LSA for FastEthernet0/0, router ID 6.6.6.6
*Mar  1 01:46:50.111: OSPF: Send with youngest Key 1
*Mar  1 01:46:51.075: OSPF: Neighbor change Event on interface FastEthernet0/0
*Mar  1 01:46:51.079: OSPF: DR/BDR election on FastEthernet0/0
*Mar  1 01:46:51.079: OSPF: Elect BDR 4.4.4.4
*Mar  1 01:46:51.083: OSPF: Elect DR 6.6.6.6
*Mar  1 01:46:51.083:        DR: 6.6.6.6 (Id)   BDR: 4.4.4.4 (Id)
R6(config-if)#
R6(config-if)#
*Mar  1 01:46:53.291: OSPF: Rcv pkt from 10.100.1.1, FastEthernet0/0 : Mismatch Authentication Key - Message Digest Key 1
R6(config-if)#u all
*Mar  1 01:46:54.751: OSPF: Rcv LS UPD from 2.2.2.2 on FastEthernet0/0 length 60 LSA count 1
*Mar  1 01:46:54.755: OSPF: Send with youngest Key 1
*Mar  1 01:46:54.759: OSPF: Send UPD to 10.100.1.2 on FastEthernet0/0 length 40 LSA count 1
*Mar  1 01:46:55.011: OSPF: Send with youngest Key 1
*Mar  1 01:46:55.547: OSPF: Send with youngest Key 1
*Mar  1 01:47:03.263: OSPF: Rcv pkt from 10.100.1.1, FastEthernet0/0 : Mismatch Authentication Key - Message Digest Key 1
R6(config-if)#
*Mar  1 01:47:05.551: OSPF: Send with youngest Key 1
R6(config-if)#
*Mar  1 01:47:13.275: OSPF: Rcv pkt from 10.100.1.1, FastEthernet0/0 : Mismatch Authentication Key - Message Digest Key 1
R6(config-if)#
*Mar  1 01:47:15.551: OSPF: Send with youngest Key 1
R6(config-if)#
*Mar  1 01:47:23.263: OSPF: Rcv pkt from 10.100.1.1, FastEthernet0/0 : Mismatch Authentication Key - Message Digest Key 1
R6(config-if)#
*Mar  1 01:47:25.555: OSPF: Send with youngest Key 1
R6(config-if)#
*Mar  1 01:47:33.267: OSPF: Rcv pkt from 10.100.1.1, FastEthernet0/0 : Mismatch Authentication Key - Message Digest Key 1
R6(config-if)#
*Mar  1 01:47:35.559: OSPF: Send with youngest Key 1
R6(config-if)#



Here we can see all packets being sent with Key ID 1 :0)

and we have all our neighbours back:
R6#show ip ospf ne

Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           1   FULL/DROTHER    00:00:37    10.100.1.1      FastEthernet0/0
2.2.2.2           1   FULL/DROTHER    00:00:35    10.100.1.2      FastEthernet0/0
4.4.4.4           1   FULL/BDR        00:00:38    10.100.1.4      FastEthernet0/0
7.7.7.7           0   FULL/  -        00:00:30    10.67.1.7       Serial0/0





Lets setup cleartext authentication on R2 and R3:
 
R2(config-if)#inter ser0/0
R2(config-if)#ip ospf authentication
R2(config-if)#ip ospf authentication-key cisco


R3(config-if)#ip ospf authentication
R3(config-if)#ip ospf authentication-key cisco

Wireshark confirms :0)

OBJECTIVE 4
Routers in Area 45 are limited in their capacity and should not receive routes for networks outside the OSPF system. These routers should reach the external network using a default route which cannot be configured statically.

Lets confirm that R5 is getting external routes from outside the OSPF network (which it is: the redistributed statics that we set up earlier, carried in Type 5 LSAs)

R5#show ip route

     172.31.0.0/24 is subnetted, 4 subnets
O E1    172.31.3.0 [110/124] via 10.45.1.4, 00:08:35, Serial0/0
O E1    172.31.2.0 [110/124] via 10.45.1.4, 00:08:35, Serial0/0
O E1    172.31.1.0 [110/124] via 10.45.1.4, 00:08:35, Serial0/0
O E1    172.31.0.0 [110/124] via 10.45.1.4, 00:08:35, Serial0/0
     172.30.0.0/32 is subnetted, 4 subnets
O IA    172.30.3.1 [110/139] via 10.45.1.4, 00:08:40, Serial0/0
O IA    172.30.2.1 [110/139] via 10.45.1.4, 00:08:40, Serial0/0
O IA    172.30.1.1 [110/139] via 10.45.1.4, 00:08:42, Serial0/0
O IA    172.30.0.1 [110/139] via 10.45.1.4, 00:08:42, Serial0/0
     10.0.0.0/24 is subnetted, 4 subnets
O IA    10.23.1.0 [110/138] via 10.45.1.4, 00:38:27, Serial0/0
C       10.45.1.0 is directly connected, Serial0/0
O IA    10.67.1.0 [110/138] via 10.45.1.4, 00:21:53, Serial0/0
O IA    10.100.1.0 [110/74] via 10.45.1.4, 01:53:12, Serial0/0






R4(config)#router ospf 1
R4(config-router)#area 45 stub



Lets enable debugging on R5, as the relationship has died (dead timer expired): the stub flag (the E-bit in the Hello options field) no longer matches between R4 and R5, so they cannot be neighbours ...


R5#deb ip ospf pack
OSPF packet debugging is on
R5#
*Mar  1 02:14:08.015: OSPF: Rcv hello from 4.4.4.4 area 45 from Serial0/0 10.45.1.4
*Mar  1 02:14:08.019: OSPF: Hello from 10.45.1.4 with mismatched Stub/Transit area option bit
R5#
*Mar  1 02:14:10.787: OSPF: Send hello to 224.0.0.5 area 45 on Serial0/0 from 10.45.1.5
R5#u all
*Mar  1 02:14:18.003: OSPF: rcv. v:2 t:1 l:44 rid:4.4.4.4
      aid:0.0.0.45 chk:E669 aut:0 auk: from Serial0/0
*Mar  1 02:14:18.007: OSPF: Rcv hello from 4.4.4.4 area 45 from Serial0/0 10.45.1.4
*Mar  1 02:14:18.007: OSPF: Hello from 10.45.1.4 with mismatched Stub/Transit area option bit
R5#u all
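The debug line above is R5 running the Hello acceptance checks from RFC 2328 section 10.5 and failing on the options byte. As an added example (not from the original post), this parses a constructed Hello and returns the reasons a router with the given interface settings would drop it, showing the stub/transit mismatch before and after R5 is made a stub. The interface dictionary keys and function names are my own.

```python
"""Receiver-side OSPFv2 Hello checks (RFC 2328 10.5): why a neighbour is or is not accepted."""
import struct
from ipaddress import IPv4Address

OPT_E = 0x02   # E-bit in the Hello Options byte: set = external (Type 5) LSAs allowed


def hello_packet(rid, aid, mask, hello, dead, options):
    """Constructed Hello with no authentication (AuType 0, checksum left 0) and no neighbours."""
    body = struct.pack("!4sHBBI4s4s", IPv4Address(mask).packed, hello, options, 1, dead,
                       bytes(4), bytes(4))
    hdr = struct.pack("!BBH4s4sHH8s", 2, 1, 24 + len(body), IPv4Address(rid).packed,
                      IPv4Address(aid).packed, 0, 0, bytes(8))
    return hdr + body


def hello_mismatches(pkt, iface):
    """Return the reasons a router whose interface is configured as 'iface' would drop this Hello."""
    ver, ptype, length, rid, aid, _, _, _ = struct.unpack("!BBH4s4sHH8s", pkt[:24])
    mask, hello, options, _prio, dead, _dr, _bdr = struct.unpack("!4sHBBI4s4s", pkt[24:44])
    if ver != 2 or ptype != 1 or length != len(pkt):
        return ["not an OSPFv2 Hello"]
    reasons = []
    if aid != IPv4Address(iface["area"]).packed:
        reasons.append(f"area {IPv4Address(aid)} does not match interface area {iface['area']}")
    # On point-to-point links (the serial link here) the mask is ignored
    if not iface.get("p2p") and mask != IPv4Address(iface["mask"]).packed:
        reasons.append("network mask mismatch")
    if hello != iface["hello"] or dead != iface["dead"]:
        reasons.append(f"hello/dead {hello}/{dead} != {iface['hello']}/{iface['dead']}")
    # A stub area clears the E-bit, a normal area sets it; both ends must agree
    if bool(options & OPT_E) != (not iface["stub"]):
        reasons.append("mismatched Stub/Transit area option bit")
    return reasons


if __name__ == "__main__":
    r5 = {"area": "0.0.0.45", "mask": "255.255.255.0", "hello": 10, "dead": 40,
          "stub": False, "p2p": True}
    from_r4 = hello_packet("4.4.4.4", "0.0.0.45", "255.255.255.0", 10, 40, 0x10)  # E-bit clear
    print(hello_mismatches(from_r4, r5))                  # before 'area 45 stub' on R5
    print(hello_mismatches(from_r4, dict(r5, stub=True)))  # after
```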




R5(config)#router ospf 1
R5(config-router)#area 45 stub



Lets have a look now at the routing table:



R5#show ip route

Gateway of last resort is 10.45.1.4 to network 0.0.0.0

     172.30.0.0/32 is subnetted, 4 subnets
O IA    172.30.3.1 [110/139] via 10.45.1.4, 00:00:08, Serial0/0
O IA    172.30.2.1 [110/139] via 10.45.1.4, 00:00:08, Serial0/0
O IA    172.30.1.1 [110/139] via 10.45.1.4, 00:00:08, Serial0/0
O IA    172.30.0.1 [110/139] via 10.45.1.4, 00:00:08, Serial0/0
     10.0.0.0/24 is subnetted, 4 subnets
O IA    10.23.1.0 [110/138] via 10.45.1.4, 00:00:08, Serial0/0
C       10.45.1.0 is directly connected, Serial0/0
O IA    10.67.1.0 [110/138] via 10.45.1.4, 00:00:10, Serial0/0
O IA    10.100.1.0 [110/74] via 10.45.1.4, 00:00:10, Serial0/0
O*IA 0.0.0.0/0 [110/65] via 10.45.1.4, 00:00:10, Serial0/0

And now we have the default route and no external routes :0) - the stub setting only affects the routers within the stub area (area 45)




OBJECTIVE 5.
 Routers in Area 23 must not receive any Type 3, 4, or 5 LSAs from the rest of the OSPF network. These routers should reach the external network using a default route with an initial OSPF cost of 100.



R2(config)#router ospf 1
R2(config-router)#area 23 stub no-summary
R2(config-router)#
*Mar  1 02:21:24.291: %OSPF-5-ADJCHG: Process 1, Nbr 3.3.3.3 on Serial0/0 from FULL to DOWN, Neighbor Down: Adjacency forced to reset

R3(config)#router ospf 1
R3(config-router)#area 23 stub


Lets check it out:

R3#show ip route

Gateway of last resort is 10.23.1.2 to network 0.0.0.0

     172.30.0.0/24 is subnetted, 4 subnets
C       172.30.2.0 is directly connected, Loopback2
C       172.30.3.0 is directly connected, Loopback3
C       172.30.0.0 is directly connected, Loopback0
C       172.30.1.0 is directly connected, Loopback1
     10.0.0.0/24 is subnetted, 1 subnets
C       10.23.1.0 is directly connected, Serial0/0
O*IA 0.0.0.0/0 [110/65] via 10.23.1.2, 00:00:26, Serial0/0


Now the metric is 65 (the serial link's 64 plus the default advertised cost of 1); objective 5 wants the initial cost set to 100:

R2(config-router)#area 23 default-cost ?
  <0-16777215>  Stub's advertised external route metric

R2(config-router)#area 23 default-cost 100



R3#show ip route
Gateway of last resort is 10.23.1.2 to network 0.0.0.0

     172.30.0.0/24 is subnetted, 4 subnets
C       172.30.2.0 is directly connected, Loopback2
C       172.30.3.0 is directly connected, Loopback3
C       172.30.0.0 is directly connected, Loopback0
C       172.30.1.0 is directly connected, Loopback1
     10.0.0.0/24 is subnetted, 1 subnets
C       10.23.1.0 is directly connected, Serial0/0
O*IA 0.0.0.0/0 [110/164] via 10.23.1.2, 00:02:03, Serial0/0


Done: the WAN link's cost is 64, plus our initial cost of 100, gives 164 :0)
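To check that a stub or totally stubby area really does what Objective 5 asks for, it helps to parse the routing table rather than eyeball it. The script below is an added example (not part of the original post or of any Cisco tool): it parses `show ip route` text, flags any external (type 5) route in a stub area, flags any inter-area (type 3) route other than the default in a totally stubby area, and verifies the default metric against the link cost plus the ABR's `default-cost`. The sample tables are constructed to mirror the output above; the function and sample names are my own.

```python
import re
from collections import namedtuple

Route = namedtuple("Route", "code prefix metric via")

# Constructed sample (not captured from the lab): what R3 should show once
# area 23 is totally stubby and the ABR advertises 'area 23 default-cost 100'.
SAMPLE_R3_TOTALLY_STUBBY = """\
Gateway of last resort is 10.23.1.2 to network 0.0.0.0

     172.30.0.0/24 is subnetted, 4 subnets
C       172.30.2.0 is directly connected, Loopback2
C       172.30.3.0 is directly connected, Loopback3
C       172.30.0.0 is directly connected, Loopback0
C       172.30.1.0 is directly connected, Loopback1
     10.0.0.0/24 is subnetted, 1 subnets
C       10.23.1.0 is directly connected, Serial0/0
O*IA 0.0.0.0/0 [110/164] via 10.23.1.2, 00:02:03, Serial0/0
"""

# Constructed sample of a plain stub area: inter-area routes still arrive,
# externals do not.
SAMPLE_PLAIN_STUB = """\
Gateway of last resort is 10.45.1.4 to network 0.0.0.0

     10.0.0.0/24 is subnetted, 2 subnets
C       10.45.1.0 is directly connected, Serial0/0
O IA    10.23.1.0 [110/138] via 10.45.1.4, 00:00:08, Serial0/0
O*IA 0.0.0.0/0 [110/65] via 10.45.1.4, 00:00:10, Serial0/0
"""

# Constructed sample of a misconfiguration: a type 5 external reached the area.
SAMPLE_LEAK = """\
O E2    192.0.2.0/24 [110/20] via 10.45.1.4, 00:00:08, Serial0/0
O*IA 0.0.0.0/0 [110/65] via 10.45.1.4, 00:00:10, Serial0/0
"""

# Matches IOS route lines such as 'O IA    10.23.1.0 [110/138] via ...' and
# 'C       10.45.1.0 is directly connected'; subnet headers are skipped.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z][* ]?[A-Z0-9]{0,2})\s+"
    r"(?P<prefix>\d+\.\d+\.\d+\.\d+)(?:/\d+)?\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<via>[\d.]+)|is directly connected)"
)


def parse_routes(text):
    """Return the route lines of a 'show ip route' dump as Route tuples."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        code = re.sub(r"\s+", " ", m.group("code").strip())   # 'O IA', 'O*IA', 'C'
        metric = int(m.group("metric")) if m.group("metric") else 0
        routes.append(Route(code, m.group("prefix"), metric, m.group("via")))
    return routes


def default_route_metric(routes):
    """Metric of the candidate default (the '*' route), or None if absent."""
    for r in routes:
        if r.prefix == "0.0.0.0" and "*" in r.code:
            return r.metric
    return None


def check_stub(routes):
    """Violations for a stub area: no externals allowed, a default required."""
    problems = [f"external route leaked: {r.code} {r.prefix}"
                for r in routes if r.code.endswith(("E1", "E2", "N1", "N2"))]
    if default_route_metric(routes) is None:
        problems.append("no default route from the ABR")
    return problems


def check_totally_stubby(routes):
    """Stub checks plus: the only inter-area route may be the default."""
    problems = check_stub(routes)
    problems += [f"inter-area route leaked: {r.code} {r.prefix}"
                 for r in routes if r.code.endswith("IA") and r.prefix != "0.0.0.0"]
    return problems


def expected_default_metric(link_cost, default_cost):
    """Stub default metric = ABR's 'area X default-cost' + cost to reach the ABR."""
    return link_cost + default_cost


if __name__ == "__main__":
    r3 = parse_routes(SAMPLE_R3_TOTALLY_STUBBY)
    print("R3 totally stubby problems:", check_totally_stubby(r3))
    print("R3 default metric", default_route_metric(r3),
          "expected", expected_default_metric(64, 100))
    print("leak sample problems:", check_stub(parse_routes(SAMPLE_LEAK)))
```

Run it against the pasted output of `show ip route` from any router inside the area; an empty problem list for `check_totally_stubby` is the evidence that `area 23 stub no-summary` is filtering the type 3, 4 and 5 LSAs as intended, and the metric comparison catches a forgotten `default-cost`.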




OBJECTIVE 6.
When this exercise is complete, all routers should be able to reach (ping) every route in the OSPF routing table.

Easy you think....well remember Router8 .... we need to join him to area 0, so let's get him into the backbone area so he can talk OSPF with everyone else


We need the virtual link between R6 and R7

R6(config)#router ospf 1
R6(config-router)#area 67 virtual-link 7.7.7.7



R7(config)#router ospf 1
R7(config-router)#area 67 virtual-link 6.6.6.6

*Mar  1 02:35:20.299: %OSPF-5-ADJCHG: Process 1, Nbr 6.6.6.6 on OSPF_VL0 from LOADING to FULL, Loading Done


R7#show ip ospf virtual-links
Virtual Link OSPF_VL0 to router 6.6.6.6 is up
  Run as demand circuit
  DoNotAge LSA allowed.
  Transit area 67, via interface Serial0/0, Cost of using 64
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:00
    Adjacency State FULL (Hello suppressed)
    Index 1/3, retransmission queue length 0, number of retransmission 0
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 0, maximum is 0
    Last retransmission scan time is 0 msec, maximum is 0 msec


So now R8 believes R7 is directly connected to Area 0 (via the virtual link) - this could also be done with a GRE tunnel :0)

Let's check:

R8#show ip ospf ne

Neighbor ID     Pri   State           Dead Time   Address         Interface
7.7.7.7           0   FULL/  -        00:00:34    10.78.1.7       Serial0/0

R8#show ip route

     172.31.0.0/24 is subnetted, 4 subnets
O E1    172.31.3.0 [110/188] via 10.78.1.7, 00:01:46, Serial0/0
O E1    172.31.2.0 [110/188] via 10.78.1.7, 00:01:46, Serial0/0
O E1    172.31.1.0 [110/188] via 10.78.1.7, 00:01:46, Serial0/0
O E1    172.31.0.0 [110/188] via 10.78.1.7, 00:01:46, Serial0/0
     172.30.0.0/32 is subnetted, 4 subnets
O IA    172.30.3.1 [110/203] via 10.78.1.7, 00:01:47, Serial0/0
O IA    172.30.2.1 [110/203] via 10.78.1.7, 00:01:47, Serial0/0
O IA    172.30.1.1 [110/203] via 10.78.1.7, 00:01:48, Serial0/0
O IA    172.30.0.1 [110/203] via 10.78.1.7, 00:01:48, Serial0/0
     10.0.0.0/24 is subnetted, 5 subnets
O IA    10.23.1.0 [110/202] via 10.78.1.7, 00:01:48, Serial0/0
O IA    10.45.1.0 [110/202] via 10.78.1.7, 00:01:48, Serial0/0
C       10.78.1.0 is directly connected, Serial0/0
O IA    10.67.1.0 [110/128] via 10.78.1.7, 00:01:58, Serial0/0
O IA    10.100.1.0 [110/138] via 10.78.1.7, 00:01:49, Serial0/0



R8#ping 172.30.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.30.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/38/68 ms