Tuesday, 27 March 2012

Okay, I have aleady got my notes and labs on IPv4 Redistribution /Controlling Routing Updates and the almighty BGP, last nugget in the series left in this section is Policy Routing, then we hit IPV6 ... w00t woot!

Policy-Based Routing Lab


Objectives:
Your organization is implementing a dual ISP setup should be tightly controlled. They have requested the following parameters:
  • Client1 surfs the Internet all day doing nothing productive. All traffic from this client should route out ISP2, which is a slower Internet connection. If ISP2 is down, Client1 should not be able to access the Internet.
  • Client2 handles sophisticated transactions. Both Telnet and HTTPS traffic should route towards ISP1, which is the more reliable connection. All other traffic from Client2 should route out ISP2.
  • Traffic from other clients (not shown in this diagram) should route out ISP2.
  • Traffic originating from the PolicyRouter should prefer ISP1 but should fail over to ISP2 should ISP1 be unavailable. Verify ISP1 is available using proactive testing techniques.
To accomplish these objectives, you may create no more than two route-maps and three access-lists.




Testing:
1. Telnet from Client1 to ISP2 (201.1.1.2). The telnet session should connect to the ISP router; likewise, you should be able to verify traffic by using the show route-map command on the PolicyRouter. You can also verify by traffic by viewing the logging buffer on ISP2. Performing a telnet session to ISP1 (200.1.1.2) should fail (simply because ISP1 and ISP2 have no knowledge of each other).

2. Telnet from Client2 to ISP1 (200.1.1.2) using TCP port 23 and 443 (telnet 200.1.1.2 443). Both sessions should connect. You can validate the path used through the same process as Client1. Telnet to ISP2 using TCP port 80 (telnet 201.1.1.2) to validate alternate path routing. Telnetting to ISP2 using port 23 or 443 should fail (since traffic will be policy routed to ISP1 who has no knowledge of ISP2).

3. To test traffic originating from the router, issue pings to ISP1 (these should succeed), then ping ISP2 (these should fail). Verify that ISP1 received the packets by viewing the logging buffer. Shut down the interface to ISP1 and then ping ISP2; the pings should succeed.



Lets match all traffic from client 1 as per the first objective:


PolicyRouter(config)#ip access-list ext CLIENT1
PolicyRouter(config-ext-nacl)#permit ip host 192.168.1.20 any
PolicyRouter(config-ext-nacl)#exit

Done, lets get the route-map setup which will use the ACL above.


PolicyRouter(config)#route-map POLICY 10
PolicyRouter(config-route-map)#match ip address CLIENT1
PolicyRouter(config-route-map)#set ip next-hop 201.1.1.2

PolicyRouter(config-route-map)#do show route-map POLICY
route-map POLICY, permit, sequence 10
  Match clauses:
    ip address (access-lists): CLIENT1
  Set clauses:
    ip next-hop 201.1.1.2
  Policy routing matches: 0 packets, 0 bytes
So Our route-map will match all traffic from client1 (192.168.1.20) and set its next hop address to ISP2, that is the the first task complete (although we still need to apply it)


PolicyRouter(config)#ip access-list ext CLIENT2
PolicyRouter(config-ext-nacl)#permit tcp host 192.168.1.21 any eq 23
PolicyRouter(config-ext-nacl)#permit tcp host 192.168.1.21 any eq 443

PolicyRouter(config)#route-map POLICY 20
PolicyRouter(config-route-map)#match ip address CLIENT2
PolicyRouter(config-route-map)#set ip next-hop 200.1.1.2
PolicyRouter(config-route-map)#
PolicyRouter#conf t
*Mar  1 00:38:11.263: %SYS-5-CONFIG_I: Configured from console by console


PolicyRouter#show route-map POLICY
route-map POLICY, permit, sequence 10
  Match clauses:
    ip address (access-lists): CLIENT1
  Set clauses:
    ip next-hop 201.1.1.2
  Policy routing matches: 0 packets, 0 bytes
route-map POLICY, permit, sequence 20
  Match clauses:
    ip address (access-lists): CLIENT2
  Set clauses:
    ip next-hop 200.1.1.2
  Policy routing matches: 0 packets, 0 bytes
Right, so as per the next objective, we have created a new ACL, which will match telnet and https traffic from client2 (192.168.1.21) and set it to route to ISP1, now to make all other traffic from client 2 to route out to ISP2;



PolicyRouter(config)#route-map POLICY permit 30
PolicyRouter(config-route-map)#set ip ne
PolicyRouter(config-route-map)#set ip next-hop 201.1.1.2
PolicyRouter(config-route-map)#exit
PolicyRouter(config)#do show route-map POLICY
route-map POLICY, permit, sequence 10
  Match clauses:
    ip address (access-lists): CLIENT1
  Set clauses:
    ip next-hop 201.1.1.2
  Policy routing matches: 0 packets, 0 bytes
route-map POLICY, permit, sequence 20
  Match clauses:
    ip address (access-lists): CLIENT2
  Set clauses:
    ip next-hop 200.1.1.2
  Policy routing matches: 0 packets, 0 bytes
route-map POLICY, permit, sequence 30
  Match clauses:
  Set clauses:
    ip next-hop 201.1.1.2
  Policy routing matches: 0 packets, 0 bytes
With this next step in the policy, we can complete the task2 and task3, as we did not set a "match ip address" so this will MATCH EVERYTHING.
Which accomplishes the tasks requried.

If any other traffic other than telnet and https is sent to the router it will not match sequence 20 and will be caught in the catch all of statement 30 :0)



Lets apply the route-map


PolicyRouter(config)#inter fa0/0
PolicyRouter(config-if)#ip policy route-map POLICY


PolicyRouter#show ip policy
Interface      Route map
Fa0/0          POLICY


Lets test, So we should be able to telnet from Client1 to ISP2 (201.1.1.2) - as all traffic should route to ISP2



Client1#telnet 201.1.1.2
Trying 201.1.1.2 ... Open


User Access Verification

Password:



Sure enough, we connect succesfully, lets also try and connect to ISP 1 (200.1.1..2)


Client1#telnet 200.1.1.2
Trying 200.1.1.2 ...
% Destination unreachable; gateway or host down

We have matches on sequence 10, it fails because it is going out to ISP2, and this router knows nothing about ISP1!


PolicyRouter#show route-map POLICY
route-map POLICY, permit, sequence 10
  Match clauses:
    ip address (access-lists): CLIENT1
  Set clauses:
    ip next-hop 201.1.1.2
  Policy routing matches: 21 packets, 1266 bytes

the ACL loggin on ISP2 confirms the packets:

*Mar  1 00:58:48.963: %SEC-6-IPACCESSLOGP: list log permitted tcp 192.168.1.20(0) -> 201.1.1.2(0), 1 packet
ISP2#
*Mar  1 01:01:43.163: %SEC-6-IPACCESSLOGP: list log permitted tcp 192.168.1.20(0) -> 200.1.1.2(0), 1 packet
ISP2#
*Mar  1 01:04:05.011: %SEC-6-IPACCESSLOGP: list log permitted tcp 192.168.1.20(0) -> 201.1.1.2(0), 12 packets
ISP2#
*Mar  1 01:07:05.015: %SEC-6-IPACCESSLOGP: list log permitted tcp 192.168.1.20(0) -> 200.1.1.2(0), 8 packets
ISP2#
*Mar  1 01:10:05.015: %SEC-6-IPACCESSLOGP: list log permitted tcp 192.168.1.20(0) -> 201.1.1.2(0), 10 packets
ISP2#




Now lets test Client 2:


Client2#telnet 200.1.1.2
Trying 200.1.1.2 ... Open


Password required, but none set

[Connection to 200.1.1.2 closed by foreign host]

So this works as expected and the policy maps confirms this:


PolicyRouter#show route-map POLICY
route-map POLICY, permit, sequence 10
  Match clauses:
    ip address (access-lists): CLIENT1
  Set clauses:
    ip next-hop 201.1.1.2
  Policy routing matches: 37 packets, 2226 bytes
route-map POLICY, permit, sequence 20
  Match clauses:
    ip address (access-lists): CLIENT2
  Set clauses:
    ip next-hop 200.1.1.2
  Policy routing matches: 10 packets, 606 bytes



lets confirm https access also:


Client2#telnet 200.1.1.2 443
Trying 200.1.1.2, 443 ... Open

[Connection to 200.1.1.2 closed by foreign host]


and we can see the matches on the CLIENT2 ACL being used by the route-map:

PolicyRouter#show access-list CLIENT2
Extended IP access list CLIENT2
    10 permit tcp host 192.168.1.21 any eq telnet (10 matches)
    20 permit tcp host 192.168.1.21 any eq 443 (12 matches)





Lets see if other traffic from Client2 is routed out to ISP2


Client2#telnet 201.1.1.2 80
Trying 201.1.1.2, 80 ... Open

HTTP/1.1 400 Bad Request
Date: Fri, 01 Mar 2002 01:19:17 GMT
Server: cisco-IOS
Accept-Ranges: none

400 Bad Request

[Connection to 201.1.1.2 closed by foreign host]



It works:

route-map POLICY, permit, sequence 30
  Match clauses:
  Set clauses:
    ip next-hop 201.1.1.2
  Policy routing matches: 54 packets, 3240 bytes


Task4:
We can do this with IP SLA, which can send out probes (could be connecting to a webserver, like on port 80/443 or pinging a host etc, we can configure many probes over x amount of time, and when the availability of that probe comes back as down we can redirect routes elsewhere)
All very koool!



PolicyRouter(config)#ip sla monitor 1
PolicyRouter(config-sla-monitor)#type ?
  dhcp         DHCP Operation
  dns          DNS Query Operation
  echo         Echo Operation
  frame-relay  Perform frame relay operation
  ftp          FTP Operation
  http         HTTP Operation
  jitter       Jitter Operation
  pathEcho     Path Discovered Echo Operation
  pathJitter   Path Discovered Jitter Operation
  tcpConnect   TCP Connect Operation
  udpEcho      UDP Echo Operation
  voip         Voice Over IP measurement

PolicyRouter(config-sla-monitor)#type echo protocol ipIcmpEcho 200.1.1.2
PolicyRouter(config-sla-monitor-echo)#?
IP SLA Monitor echo Configuration Commands:
  buckets-of-history-kept           Maximum number of history buckets to
                                    collect
  default                           Set a command to its defaults
  distributions-of-statistics-kept  Maximum number of statistics distribution
                                    buckets to capture
  enhanced-history                  Enable enhanced history collection
  exit                              Exit probe configuration
  filter-for-history                Add operation to History when...
  frequency                         Frequency of an operation
  hours-of-statistics-kept          Maximum number of statistics hour groups to
                                    capture
  lives-of-history-kept             Maximum number of history lives to collect
  no                                Negate a command or set its defaults
  owner                             Owner of Entry
  request-data-size                 Request data size
  statistics-distribution-interval  Statistics distribution interval size
  tag                               User defined tag
  threshold                         Operation threshold in milliseconds
  timeout                           Timeout of an operation
  tos                               Type Of Service
  verify-data                       Verify data
  vrf                               Configure IP SLA Monitor for a VPN
                                    Routing/Forwarding instance

PolicyRouter(config-sla-monitor-echo)#timeout 1000
PolicyRouter(config-sla-monitor-echo)#frequency 3
PolicyRouter(config-sla-monitor-echo)#exit
now we need to attach them and schedual them (most monitoring tools can monitor this SLA's tpp)

PolicyRouter(config)#ip sla monitor schedule 1 ?
  ageout      How long to keep this Entry when inactive
  life        Length of time to execute in seconds
  recurring   Probe to be scheduled automatically every day
  start-time  When to start this entry
  <cr>

PolicyRouter(config)#ip sla monitor schedule 1 start-time now life forever
PolicyRouter(config)#track 1 ?
  interface  Select an interface to track
  ip         IP protocol
  list       Group objects in a list
  rtr        Response Time Reporter (RTR) entry
rtr is actually the old name, it looks like they have not correct the name to SLA lol

PolicyRouter(config)#track 1 inter serial0/0 line-protocol ?
  <cr>

look, we can even monitor an interfaces line protocol!!! that could be handy!! anyways ....

PolicyRouter(config)#track 1 rtr 1 ?
  reachability  Reachability
  state         Return code state
  <cr>
PolicyRouter(config)#track 1 rtr 1 reac
PolicyRouter(config)#track 1 rtr 1 reachability
PolicyRouter(config-track)#?
Tracking instance configuration commands:
  default  Set a command to its defaults
  delay    Tracking delay
  exit     Exit from tracking configuration mode
  no       Negate a command or set its defaults

We will leave this at the defaults for now, lets create a new route-map to attach this too as this is for the traffic orginating from the router.



PolicyRouter(config)#route-map ROUTER-TRAFFIC permit 10
PolicyRouter(config-route-map)#ip access-list ext ROUTER
PolicyRouter(config-ext-nacl)#permit ip any any
PolicyRouter(config-ext-nacl)#exit
PolicyRouter(config)#route-map ROUTER-TRAFFIC permit 10
PolicyRouter(config-route-map)#match ip address ROUTER
PolicyRouter(config-route-map)#set ip next-hop verify-availability ?
  A.B.C.D  IP address of next hop
  <cr>

PolicyRouter(config-route-map)#set ip next-hop verify-availability 200.1.1.2 ?
  <1-65535>  Sequence to insert into next-hop list

PolicyRouter(config-route-map)#$-hop verify-availability 200.1.1.2 10 ?
  track  set the next hop depending on the state of a tracked object

PolicyRouter(config-route-map)#$-hop verify-availability 200.1.1.2 10 tr
PolicyRouter(config-route-map)#$y-availability 200.1.1.2 10 track 1
PolicyRouter(config-route-map)#do show route-map ROUTER-TRAFFIC
route-map ROUTER-TRAFFIC, permit, sequence 10
  Match clauses:
    ip address (access-lists): ROUTER
  Set clauses:
    ip next-hop verify-availability 200.1.1.2 10 track 1  [up]
  Policy routing matches: 0 packets, 0 bytes

As we can see it is currently tracking ISP 1 as up :0)


PolicyRouter(config-route-map)#set ip next-hop 201.1.1.2

route-map ROUTER-TRAFFIC, permit, sequence 10
  Match clauses:
    ip address (access-lists): ROUTER
  Set clauses:
    ip next-hop verify-availability 200.1.1.2 10 track 1  [up]
    ip next-hop 201.1.1.2
  Policy routing matches: 0 packets, 0 bytes
PolicyRouter#

Lets apply this to the router, to do this we do this globally:

PolicyRouter(config)#ip local policy route-map ROUTER-TRAFFIC


Lets test:

PolicyRouter#ping 200.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/7/32 ms
PolicyRouter#ping 200.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/8/16 ms


PolicyRouter#show route-map ROUTER-TRAFFIC
route-map ROUTER-TRAFFIC, permit, sequence 10
  Match clauses:
    ip address (access-lists): ROUTER
  Set clauses:
    ip next-hop verify-availability 200.1.1.2 10 track 1  [up]
    ip next-hop 201.1.1.2
  Policy routing matches: 59 packets, 4496 bytes


Lets see if we can ping ISP2 ... which should fail (as ISP1 is still available):

PolicyRouter#ping 201.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 201.1.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
PolicyRouter#


Lets shut down the interface to ISP and see if we can ping ISP2 (becuase the route-map will then change the next hop ip address to ISP2)



PolicyRouter(config)#inter ser0/0
PolicyRouter(config-if)#shut

PolicyRouter#show route-map ROUTER-TRAFFIC
*Mar  1 01:58:12.051: %SYS-5-CONFIG_I: Configured from console by console
PolicyRouter#show route-map ROUTER-TRAFFIC
route-map ROUTER-TRAFFIC, permit, sequence 10
  Match clauses:
    ip address (access-lists): ROUTER
  Set clauses:
    ip next-hop verify-availability 200.1.1.2 10 track 1  [up]
    ip next-hop 201.1.1.2
  Policy routing matches: 264 packets, 17796 bytes
PolicyRouter#
*Mar  1 01:58:13.819: %LINK-5-CHANGED: Interface Serial0/0, changed state to administratively down
*Mar  1 01:58:14.819: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down
PolicyRouter#
*Mar  1 01:58:14.955: %TRACKING-5-STATE: 1 rtr 1 reachability Up->Down

PolicyRouter#show route-map ROUTER-TRAFFIC
route-map ROUTER-TRAFFIC, permit, sequence 10
  Match clauses:
    ip address (access-lists): ROUTER
  Set clauses:
    ip next-hop verify-availability 200.1.1.2 10 track 1  [down]
    ip next-hop 201.1.1.2
  Policy routing matches: 266 packets, 17924 bytes

PolicyRouter#ping 201.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 201.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/6/16 ms
PolicyRouter#

SWEEET! how kool is that!!!! Gotta read up some more on IP SLA's ..... kool


Posted by at No comments:
OSPF Routing - Area Types and Options 2

OBJECTIVES
1. Configure basic OSPF for the network shown. Advertise all networks attached to each router into OSPF using the simplest method available. To inject external networks into the OSPF domain, redistribute the static routes on R1. These routes should be marked as type E1.

2. OSPF should never form neighbor relationships on any interface where other OSPF routers do not exist (as shown in the diagram).

3. All routers in Area 0 should use MD5 authentication for OSPF neighbors. Routers in Area 23 should be configured to support clear-text authentication for OSPF neighbors. All keys should be set to the passphrase ‘cisco’ (without quotes).

4. Routers in Area 45 are limited in their capacity and should not receive routes for networks outside the OSPF system. These routers should reach the external network using a default route which cannot be configured statically.

5. Routers in Area 23 must not receive any Type 3, 4, or 5 LSAs from the rest of the OSPF network. These routers should reach the external network using a default route with an initial OSPF cost of 100.

6. When this exercise is complete, all routers should be able to reach (ping) every route in the OSPF routing table.








R1(config)#router ospf 1
R1(config-router)#router-id 1.1.1.1
R1(config-router)#network 10.100.1.1 0.0.0.255 area 0
R1(config-router)#exit
R1(config)#ip route 172.31.0.0 255.255.255.0 nul 0
R1(config)#ip route 172.31.1.0 255.255.255.0 nul 0
R1(config)#ip route 172.31.2.0 255.255.255.0 nul 0
R1(config)#ip route 172.31.3.0 255.255.255.0 nul 0


R2(config)#router ospf 1
R2(config-router)#router-id 2.2.2.2
R2(config-router)#network 10.100.1.2 0.0.0.255 area 0
R2(config-router)#network 10.23
*Mar  1 00:09:41.511: %OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.1 on FastEthernet0/0 from LOADING to FULL, Loading Done
R2(config-router)#network 10.23.1.2 0.0.0.255 area 23



R3(config)#router ospf 1
R3(config-router)#router-id 3.3.3.3
R3(config-router)#network 10.23.1.3 0.0.0.255 area 23
R3(config-router)#
*Mar  1 00:11:21.223: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on Serial0/0 from LOADING to FULL, Loading Done
R3(config-router)#network 172.30.0.0 0.0.255.255 area 23


R4(config)#router ospf 1
R4(config-router)#router-id 4.4.4.4
R4(config-router)#network 10.100.1.4 0.0.0.255 area 0
R4(config-router)#network 10
*Mar  1 00:14:35.439: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on FastEthernet0/0 from LOADING to FULL, Loading Done
R4(config-router)#network 10.45.1.4
*Mar  1 00:14:40.811: %OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.1 on FastEthernet0/0 from LOADING to FULL, Loading Done
R4(config-router)#network 10.45.1.4 0.0.0.255 area 45
*Mar  1 00:15:33.031: %OSPF-5-ADJCHG: Process 1, Nbr 5.5.5.5 on Serial0/0 from LOADING to FULL, Loading Done

R5(config)#router ospf 1
R5(config-router)#router-id 5.5.5.5
R5(config-router)#network 10.45.1.0 0.0.0.255 area 45
R5(config-router)#
*Mar  1 00:15:29.903: %OSPF-5-ADJCHG: Process 1, Nbr 4.4.4.4 on Serial0/0 from LOADING to FULL, Loading Done


R6(config)#router ospf 1
R6(config-router)#router-id 6.6.6.6
R6(config-router)#network 10.100.1.6 0.0.0.255 area 0
R6(config-router)#network 10
*Mar  1 00:17:08.035: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on FastEthernet0/0 from LOADING to FULL, Loading Done
R6(config-router)#network 10.67.1.0 0.0.0.255
*Mar  1 00:17:13.735: %OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.1 on FastEthernet0/0 from LOADING to FULL, Loading Done
R6(config-router)#network 10.67.1.0 0.0.0.255 area 67


R7(config)#router ospf 1
R7(config-router)#router-id 7.7.7.7
R7(config-router)#network 10.67.1.0 0.0.0.255 area 67
R7(config-router)#netwo
*Mar  1 00:18:14.891: %OSPF-5-ADJCHG: Process 1, Nbr 6.6.6.6 on Serial0/0 from LOADING to FULL, Loading Done
R7(config-router)#network 10.78.1.7 0.0.0.255 area 78



R7 looks okay, looking at his routing table:


R7#show ip route

     172.30.0.0/32 is subnetted, 4 subnets
O IA    172.30.3.1 [110/139] via 10.67.1.6, 00:00:55, Serial0/0
O IA    172.30.2.1 [110/139] via 10.67.1.6, 00:00:55, Serial0/0
O IA    172.30.1.1 [110/139] via 10.67.1.6, 00:00:55, Serial0/0
O IA    172.30.0.1 [110/139] via 10.67.1.6, 00:00:55, Serial0/0
     10.0.0.0/24 is subnetted, 5 subnets
O IA    10.23.1.0 [110/138] via 10.67.1.6, 00:00:55, Serial0/0
O IA    10.45.1.0 [110/138] via 10.67.1.6, 00:00:55, Serial0/0
C       10.78.1.0 is directly connected, Serial0/1
C       10.67.1.0 is directly connected, Serial0/0
O IA    10.100.1.0 [110/74] via 10.67.1.6, 00:00:56, Serial0/0

lets configure naughty router8 (our illegal router):

R8(config)#router ospf 1
R8(config-router)#router-id 8.8.8.8
R8(config-router)#network 10.78.1.8 0.0.0.255 area 78
R8(config-router)#
*Mar  1 00:20:02.863: %OSPF-5-ADJCHG: Process 1, Nbr 7.7.7.7 on Serial0/0 from LOADING to FULL, Loading Done
R8(config-router)#


So, Router8 has formed a relationship with R7, but he is not recieving any LSA's from R7, R7 will not forward them on as R8 violates the OSPF rules without having a connection into the backbone (area 0)

R8#show ip route
     10.0.0.0/24 is subnetted, 1 subnets
C       10.78.1.0 is directly connected, Serial0/0


R8#show ip ospf ne

Neighbor ID     Pri   State           Dead Time   Address         Interface
7.7.7.7           0   FULL/  -        00:00:37    10.78.1.7       Serial0/0




Lets get this redistribution working on R1, we need to redistribute the static routes:

R1#show run | i ip route
 
ip route 172.31.0.0 255.255.255.0 Null0
ip route 172.31.1.0 255.255.255.0 Null0
ip route 172.31.2.0 255.255.255.0 Null0
ip route 172.31.3.0 255.255.255.0 Null0


R1(config)#router ospf 1

R1(config-router)#redistribute static ?
  metric       Metric for redistributed routes
  metric-type  OSPF/IS-IS exterior metric type for redistributed routes
  route-map    Route map reference
  subnets      Consider subnets for redistribution into OSPF
  tag          Set tag for routes redistributed into OSPF
  <cr>

R1(config-router)#redistribute static subnets metric-type ?
  1  Set OSPF External Type 1 metrics
  2  Set OSPF External Type 2 metrics

Remember we choose Type 1, as there metric increments as they travel thru the network, the default is E2 type, we also need to set a seed metric....
 
R1(config-router)#redistribute static subnets metric-type 1 ?
  metric     Metric for redistributed routes
  route-map  Route map reference
  tag        Set tag for routes redistributed into OSPF
  <cr>


R1(config-router)#redistribute static subnets metric-type 1 metric 50
Lets check R7 to see if them routes are coming through;

R7#show ip route

     172.31.0.0/24 is subnetted, 4 subnets
O E1    172.31.3.0 [110/124] via 10.67.1.6, 00:04:00, Serial0/0
O E1    172.31.2.0 [110/124] via 10.67.1.6, 00:04:00, Serial0/0
O E1    172.31.1.0 [110/124] via 10.67.1.6, 00:04:00, Serial0/0
O E1    172.31.0.0 [110/124] via 10.67.1.6, 00:04:00, Serial0/0
     172.30.0.0/32 is subnetted, 4 subnets
O IA    172.30.3.1 [110/139] via 10.67.1.6, 00:27:47, Serial0/0
O IA    172.30.2.1 [110/139] via 10.67.1.6, 00:27:47, Serial0/0
O IA    172.30.1.1 [110/139] via 10.67.1.6, 00:27:48, Serial0/0
O IA    172.30.0.1 [110/139] via 10.67.1.6, 00:27:48, Serial0/0
     10.0.0.0/24 is subnetted, 5 subnets
O IA    10.23.1.0 [110/138] via 10.67.1.6, 00:27:48, Serial0/0
O IA    10.45.1.0 [110/138] via 10.67.1.6, 00:27:48, Serial0/0
C       10.78.1.0 is directly connected, Serial0/1
C       10.67.1.0 is directly connected, Serial0/0
O IA    10.100.1.0 [110/74] via 10.67.1.6, 00:27:48, Serial0/0

Notice the metric has changed also, from the initial seed metric of 50 that i set :0)

Lets now set the passive-interface command to complete objective 2, this works exactly the same as on EIGRP (still advertises the network, but wont form neighbours),
  what we can do is the passive-interface command to be on by default and then simple allow OSPF to form relationships with other OSPF routers per interface, by the no passive-interface command:


R1(config)#router ospf 1
R1(config-router)#passive-interface default
R1(config-router)#
*Mar  1 00:54:51.795: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on FastEthernet0/0 from FULL to DOWN, Neighbor Down: Interface down or detached
*Mar  1 00:54:51.799: %OSPF-5-ADJCHG: Process 1, Nbr 4.4.4.4 on FastEthernet0/0 from FULL to DOWN, Neighbor Down: Interface down or detached
*Mar  1 00:54:51.803: %OSPF-5-ADJCHG: Process 1, Nbr 6.6.6.6 on FastEthernet0/0 from FULL to DOWN, Neighbor Down: Interface down or detached
R1(config-router)#no passive-interface fa0/0
*Mar  1 00:55:21.135: %OSPF-5-ADJCHG: Process 1, Nbr 6.6.6.6 on FastEthernet0/0 from LOADING to FULL, Loading Done
*Mar  1 00:55:21.515: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on FastEthernet0/0 from LOADING to FULL, Loading Done
R1(config-router)#

Lets do R2 now also;


R2(config)#router ospf 1
R2(config-router)#passive-inter default
*Mar  1 00:59:48.563: %OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.1 on FastEthernet0/0 from FULL to DOWN, Neighbor Down: Interface down or detached
*Mar  1 00:59:48.567: %OSPF-5-ADJCHG: Process 1, Nbr 4.4.4.4 on FastEthernet0/0 from FULL to DOWN, Neighbor Down: Interface down or detached
*Mar  1 00:59:48.567: %OSPF-5-ADJCHG: Process 1, Nbr 6.6.6.6 on FastEthernet0/0 from FULL to DOWN, Neighbor Down: Interface down or detached
*Mar  1 00:59:48.571: %OSPF-5-ADJCHG: Process 1, Nbr 3.3.3.3 on Serial0/0 from FULL to DOWN, Neighbor Down: Interface down or detached
R2(config-router)#no passive-inter fa0/0
R2(config-router)#no passive-inter ser0/0
*Mar  1 01:00:02.563: %OSPF-5-ADJCHG: Process 1, Nbr 3.3.3.3 on Serial0/0 from LOADING to FULL, Loading Done
*Mar  1 01:00:12.951: %OSPF-5-ADJCHG: Process 1, Nbr 4.4.4.4 on FastEthernet0/0 from LOADING to FULL, Loading Done
*Mar  1 01:00:13.779: %OSPF-5-ADJCHG: Process 1, Nbr 6.6.6.6 on FastEthernet0/0 from LOADING to FULL, Loading Done

Okay, lets go do the rest of the other routers ...... all done :0)


Right,
Objective 3 ..... lets setup some authentication with these OSPF routers, OSPF is quite an old protocol as you can tell from the fact it supports clear-text authentication (we will set this up just for grins, but real world ... me thinks not lol) .
Also unlike EIGRP, OSPF does not use keychains :0( , we have to configure the auth per interface:






















R1(config)#router ospf 1
R1(config-router)#area 0 authentication message-digest

RIGHT, so the above enables it global for Area 0, meaning any router in Area 0 wishing to talk to R1 will need MD5 authentication, however you dont configure the key under the OSPF process, that is done on the interface........ HOWEVER CISCO DO NOT RECOMMEND THIS METHOD

It is alot easier/more effiecient to do it per neighbout and configure the authentication on the interface per neighbour:

R1(config)#inter fa0/0
R1(config-if)#ip ospf authentication message-digest

If you press enter without entering the message-digest bit, it will enable clear text, notice my neighbours start dieing ....

*Mar  1 01:18:54.139: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on FastEthernet0/0 from 2WAY to DOWN, Neighbor Down: Dead timer expired
*Mar  1 01:18:58.067: %OSPF-5-ADJCHG: Process 1, Nbr 4.4.4.4 on FastEthernet0/0 from FULL to DOWN, Neighbor Down: Dead timer expired
*Mar  1 01:18:58.371: %OSPF-5-ADJCHG: Process 1, Nbr 6.6.6.6 on FastEthernet0/0 from FULL to DOWN, Neighbor Down: Dead timer expired

R1(config-if)#ip ospf message-digest-key 1 md5 cisco

Lets apply it to the other routers in Area 0;

R2(config)#inter fa0/0
R2(config-if)#ip ospf authen message-digest
R2(config-if)#ip ospf message-digest-key 1 md5 cisco



NOTE: YOU HAVE TO USE THE SAME KEY ID

Lets check this out in wireshark, this capture is before the MD5 hashing is enabled on fa0/0















Notice, the Auth Type and Auth Data = none

Now we can see we have the Key ID, the Auth type and the hash of the key in the Auth Data field, the whole OSPF hello packet is hashed/encrypted/authenticated ... as well as other OSPF communication ... database descriptions, ls requests ... updates etc etc

Lets setup R6, BUT .... lets enable some debugs first:

R6(config)#do debug ip ospf adj
OSPF adjacency events debugging is on

R6(config)#inter fa0/0
R6(config-if)#
*Mar  1 01:43:31.059: OSPF: Rcv pkt from 10.100.1.2, FastEthernet0/0 : Mismatch Authentication type. Input packet specified type 2, we use type 0
R6(config-if)#
*Mar  1 01:43:33.303: OSPF: Rcv pkt from 10.100.1.1, FastEthernet0/0 : Mismatch Authentication type. Input packet specified type 2, we use type 0
R6(config-if)#
*Mar  1 01:43:34.991: OSPF: Rcv pkt from 10.100.1.4, FastEthernet0/0 : Mismatch Authentication type. Input packet specified type 2, we use type 0

Type 2 = MD5
Type 1 = Cleartext
Type 0 = Not use authentication


R6(config-if)#ip ospf authen message-digest
R6(config-if)#ip ospf mess 1 md5 cisco

*Mar  1 01:46:41.067: OSPF: Rcv pkt from 10.100.1.2, FastEthernet0/0 : Mismatch Authentication Key - No message digest key 1 on interface
R6(config-if)#
*Mar  1 01:46:43.271: OSPF: Rcv pkt from 10.100.1.1, FastEthernet0/0 : Mismatch Authentication Key - Message Digest Key 1
R6(config-if)#
*Mar  1 01:46:44.967: OSPF: Send with youngest Key 1
*Mar  1 01:46:45.031: OSPF: Rcv DBD from 4.4.4.4 on FastEthernet0/0 seq 0xC80 opt 0x52 flag 0x7 len 32  mtu 1500 state INIT
*Mar  1 01:46:45.031: OSPF: 2 Way Communication to 4.4.4.4 on FastEthernet0/0, state 2WAY
*Mar  1 01:46:45.035: OSPF: Neighbor change Event on interface FastEthernet0/0
*Mar  1 01:46:45.035: OSPF: DR/BDR election on FastEthernet0/0
*Mar  1 01:46:45.035: OSPF: Elect BDR 4.4.4.4
*Mar  1 01:46:45.035: OSPF: Elect DR 6.6.6.6
*Mar  1 01:46:45.035:        DR: 6.6.6.6 (Id)   BDR: 4.4.4.4 (Id)
*Mar  1 01:46:45.035: OSPF: Send DBD to 4.4.4.4 on FastEthernet0/0 seq 0x1FF2 opt 0x52 flag 0x7 len 32
*Mar  1 01:46:45.035: OSPF: Send with youngest Key 1
*Mar  1 01:46:45.035: OSPF: First DBD and we are not SLAVE
*Mar  1 01:46:45.039: OSPF: Neighbor change Event on interface FastEthernet0/0
*Mar  1 01:46:45.039: OSPF: DR/BDR election on FastEthernet0/0
*Mar  1 01:46:45.039: OSPF: Elect BDR 4.4.4.4
*Mar  1 01:46:45.039: OSPF: Elect DR 6.6.6.6
*Mar  1 01:46:45.039:        DR: 6.6.6.6 (Id)   BDR: 4.4.4.4 (Id)
*Mar  1 01:46:45.055: OSPF: Rcv DBD from 4.4.4.4 on FastEthernet0/0 seq 0x1FF2 opt 0x52 flag 0x2 len 372  mtu 1500 state EXSTART
*Mar  1 01:46:45.059: OSPF: NBR Negotiation Done. We are the MASTER
*Mar  1 01:46:45.063: OSPF: Send DBD to 4.4.4.4 on FastEthernet0/0 seq 0x1FF3 opt 0x52 flag 0x3 len 332
*Mar  1 01:46:45.063: OSPF: Send with youngest Key 1
*Mar  1 01:46:45.071: OSPF: Rcv DBD from 4.4.4.4 on FastEthernet0/0 seq 0x1FF3 opt 0x52 flag 0x0 len 32  mtu 1500 state EXCHANGE
*Mar  1 01:46:45.071: OSPF: Send DBD to 4.4.4.4 on FastEthernet0/0 seq 0x1FF4 opt 0x52 flag 0x1 len 32
*Mar  1 01:46:45.071: OSPF: Send with youngest Key 1
*Mar  1 01:46:45.071: OSPF: Send LS REQ to 4.4.4.4 length 96 LSA count 8
*Mar  1 01:46:45.071: OSPF: Send with youngest Key 1
*Mar  1 01:46:45.083: OSPF: Rcv LS REQ from 4.4.4.4 on FastEthernet0/0 length 36 LSA count 1
*Mar  1 01:46:45.083: OSPF: Send with youngest Key 1
*Mar  1 01:46:45.083: OSPF: Send UPD to 10.100.1.4 on FastEthernet0/0 length 40 LSA count 1
*Mar  1 01:46:45.091: OSPF: Rcv DBD from 4.4.4.4 on FastEthernet0/0 seq 0x1FF4 opt 0x52 flag 0x0 len 32  mtu 1500 state EXCHANGE
*Mar  1 01:46:45.091: OSPF: Exchange Done with 4.4.4.4 on FastEthernet0/0
*Mar  1 01:46:45.103: OSPF: Rcv LS UPD from 4.4.4.4 on FastEthernet0/0 length 276 LSA count 8
*Mar  1 01:46:45.107: OSPF: No full nbrs to build Net Lsa for interface FastEthernet0/0
*Mar  1 01:46:45.107: OSPF: Build network LSA for FastEthernet0/0, router ID 6.6.6.6
*Mar  1 01:46:45.107: OSPF: Build network LSA for FastEthernet0/0, router ID 6.6.6.6
*Mar  1 01:46:45.107: OSPF: Synchronized with 4.4.4.4 on FastEthernet0/0, state FULL
*Mar  1 01:46:45.107: %OSPF-5-ADJCHG: Process 1, Nbr 4.4.4.4 on FastEthernet0/0 from LOADING to FULL, Loading Done
*Mar  1 01:46:45.139: OSPF: Send with youngest Key 1
*Mar  1 01:46:45.511: OSPF: Rcv LS UPD from 4.4.4.4 on FastEthernet0/0 length 76 LSA count 1
*Mar  1 01:46:45.543: OSPF: Build router LSA for area 0, router ID 6.6.6.6, seq 0x8000000C
*Mar  1 01:46:45.543: OSPF: Send with youngest Key 1
*Mar  1 01:46:45.551: OSPF: Send with youngest Key 1
*Mar  1 01:46:45.563: OSPF: 2 Way Communication to 2.2.2.2 on FastEthernet0/0, state 2WAY
*Mar  1 01:46:45.567: OSPF: Neighbor change Event on interface FastEthernet0/0
*Mar  1 01:46:45.567: OSPF: DR/BDR election on FastEthernet0/0
*Mar  1 01:46:45.571: OSPF: Elect BDR 4.4.4.4
*Mar  1 01:46:45.571: OSPF: Elect DR 6.6.6.6
*Mar  1 01:46:45.575:        DR: 6.6.6.6 (Id)   BDR: 4.4.4.4 (Id)
*Mar  1 01:46:45.575: OSPF: Send DBD to 2.2.2.2 on FastEthernet0/0 seq 0x1AB3 opt 0x52 flag 0x7 len 32
*Mar  1 01:46:45.579: OSPF: Send with youngest Key 1
*Mar  1 01:46:45.579: OSPF: Neighbor change Event on interface FastEthernet0/0
*Mar  1 01:46:45.583: OSPF: DR/BDR election on FastEthernet0/0
*Mar  1 01:46:45.583: OSPF: Elect BDR 4.4.4.4
*Mar  1 01:46:45.583: OSPF: Elect DR 6.6.6.6
*Mar  1 01:46:45.583:        DR: 6.6.6.6 (Id)   BDR: 4.4.4.4 (Id)
*Mar  1 01:46:45.583: OSPF: Send with youngest Key 1
*Mar  1 01:46:45.595: OSPF: Rcv DBD from 2.2.2.2 on FastEthernet0/0 seq 0xA47 opt 0x52 flag 0x7 len 32  mtu 1500 state EXSTART
*Mar  1 01:46:45.595: OSPF: First DBD and we are not SLAVE
*Mar  1 01:46:45.603: OSPF: Rcv DBD from 2.2.2.2 on FastEthernet0/0 seq 0x1AB3 opt 0x52 flag 0x2 len 372  mtu 1500 state EXSTART
*Mar  1 01:46:45.607: OSPF: NBR Negotiation Done. We are the MASTER
*Mar  1 01:46:45.611: OSPF: Send DBD to 2.2.2.2 on FastEthernet0/0 seq 0x1AB4 opt 0x52 flag 0x3 len 352
*Mar  1 01:46:45.615: OSPF: Send with youngest Key 1
*Mar  1 01:46:45.627: OSPF: Rcv DBD from 2.2.2.2 on FastEthernet0/0 seq 0x1AB4 opt 0x52 flag 0x0 len 32  mtu 1500 state EXCHANGE
*Mar  1 01:46:45.631: OSPF: Send DBD to 2.2.2.2 on FastEthernet0/0 seq 0x1AB5 opt 0x52 flag 0x1 len 32
*Mar  1 01:46:45.631: OSPF: Send with youngest Key 1
*Mar  1 01:46:45.639: OSPF: Rcv LS REQ from 2.2.2.2 on FastEthernet0/0 length 36 LSA count 1
*Mar  1 01:46:45.639: OSPF: Send with youngest Key 1
*Mar  1 01:46:45.639: OSPF: Send UPD to 10.100.1.2 on FastEthernet0/0 length 40 LSA count 1
*Mar  1 01:46:45.647: OSPF: Rcv DBD from 2.2.2.2 on FastEthernet0/0 seq 0x1AB5 opt 0x52 flag 0x0 len 32  mtu 1500 state EXCHANGE
*Mar  1 01:46:45.651: OSPF: Exchange Done with 2.2.2.2 on FastEthernet0/0
*Mar  1 01:46:45.651: OSPF: Synchronized with 2.2.2.2 on FastEthernet0/0, state FULL
*Mar  1 01:46:45.651: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on FastEthernet0/0 from LOADING to FULL, Loading Done
*Mar  1 01:46:46.119: OSPF: Rcv LS UPD from 2.2.2.2 on FastEthernet0/0 length 76 LSA count 1
*Mar  1 01:46:46.123: OSPF: Send with youngest Key 1
*Mar  1 01:46:47.611: OSPF: Send with youngest Key 1
*Mar  1 01:46:50.107: OSPF: Build network LSA for FastEthernet0/0, router ID 6.6.6.6
*Mar  1 01:46:50.107: OSPF: Build network LSA for FastEthernet0/0, router ID 6.6.6.6
*Mar  1 01:46:50.111: OSPF: Send with youngest Key 1
*Mar  1 01:46:51.075: OSPF: Neighbor change Event on interface FastEthernet0/0
*Mar  1 01:46:51.079: OSPF: DR/BDR election on FastEthernet0/0
*Mar  1 01:46:51.079: OSPF: Elect BDR 4.4.4.4
*Mar  1 01:46:51.083: OSPF: Elect DR 6.6.6.6
*Mar  1 01:46:51.083:        DR: 6.6.6.6 (Id)   BDR: 4.4.4.4 (Id)
R6(config-if)#
R6(config-if)#
*Mar  1 01:46:53.291: OSPF: Rcv pkt from 10.100.1.1, FastEthernet0/0 : Mismatch Authentication Key - Message Digest Key 1
R6(config-if)#u all
*Mar  1 01:46:54.751: OSPF: Rcv LS UPD from 2.2.2.2 on FastEthernet0/0 length 60 LSA count 1
*Mar  1 01:46:54.755: OSPF: Send with youngest Key 1
*Mar  1 01:46:54.759: OSPF: Send UPD to 10.100.1.2 on FastEthernet0/0 length 40 LSA count 1
*Mar  1 01:46:55.011: OSPF: Send with youngest Key 1
*Mar  1 01:46:55.547: OSPF: Send with youngest Key 1
*Mar  1 01:47:03.263: OSPF: Rcv pkt from 10.100.1.1, FastEthernet0/0 : Mismatch Authentication Key - Message Digest Key 1
R6(config-if)#
*Mar  1 01:47:05.551: OSPF: Send with youngest Key 1
R6(config-if)#
*Mar  1 01:47:13.275: OSPF: Rcv pkt from 10.100.1.1, FastEthernet0/0 : Mismatch Authentication Key - Message Digest Key 1
R6(config-if)#
*Mar  1 01:47:15.551: OSPF: Send with youngest Key 1
R6(config-if)#
*Mar  1 01:47:23.263: OSPF: Rcv pkt from 10.100.1.1, FastEthernet0/0 : Mismatch Authentication Key - Message Digest Key 1
R6(config-if)#
*Mar  1 01:47:25.555: OSPF: Send with youngest Key 1
R6(config-if)#
*Mar  1 01:47:33.267: OSPF: Rcv pkt from 10.100.1.1, FastEthernet0/0 : Mismatch Authentication Key - Message Digest Key 1
R6(config-if)#
*Mar  1 01:47:35.559: OSPF: Send with youngest Key 1
R6(config-if)#


Here we can see all packets being sent with Key ID 1 :0)

and we have all our neighbours back:
R6#show ip ospf ne

Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           1   FULL/DROTHER    00:00:37    10.100.1.1      FastEthernet0/0
2.2.2.2           1   FULL/DROTHER    00:00:35    10.100.1.2      FastEthernet0/0
4.4.4.4           1   FULL/BDR        00:00:38    10.100.1.4      FastEthernet0/0
7.7.7.7           0   FULL/  -        00:00:30    10.67.1.7       Serial0/0




Lets setup cleartext authentication on R2 and R3:
 
R2(config-if)#inter ser0/0
R2(config-if)#ip ospf authentication
R2(config-if)#ip ospf authentication-key ccnp


R3(config-if)#ip ospf authentication
R3(config-if)#ip ospf authentication-key cisco
Wireshark confirms :0)



















OBJECTIVE 4
Routers in Area 45 are limited in their capacity and should not receive routes for networks outside the OSPF system. These routers should reach the external network using a default route which cannot be configured statically.

Lets confirm that R5 is getting external routes from outside the OSPF network (which they are, our redistributed statics that we setup earlier - TYPE 5 LSA's)

R5#show ip route

     172.31.0.0/24 is subnetted, 4 subnets
O E1    172.31.3.0 [110/124] via 10.45.1.4, 00:08:35, Serial0/0
O E1    172.31.2.0 [110/124] via 10.45.1.4, 00:08:35, Serial0/0
O E1    172.31.1.0 [110/124] via 10.45.1.4, 00:08:35, Serial0/0
O E1    172.31.0.0 [110/124] via 10.45.1.4, 00:08:35, Serial0/0
     172.30.0.0/32 is subnetted, 4 subnets
O IA    172.30.3.1 [110/139] via 10.45.1.4, 00:08:40, Serial0/0
O IA    172.30.2.1 [110/139] via 10.45.1.4, 00:08:40, Serial0/0
O IA    172.30.1.1 [110/139] via 10.45.1.4, 00:08:42, Serial0/0
O IA    172.30.0.1 [110/139] via 10.45.1.4, 00:08:42, Serial0/0
     10.0.0.0/24 is subnetted, 4 subnets
O IA    10.23.1.0 [110/138] via 10.45.1.4, 00:38:27, Serial0/0
C       10.45.1.0 is directly connected, Serial0/0
O IA    10.67.1.0 [110/138] via 10.45.1.4, 00:21:53, Serial0/0
O IA    10.100.1.0 [110/74] via 10.45.1.4, 01:53:12, Serial0/0





R4(config)#router ospf 1
R4(config-router)#area 45 stub



Lets enable debugging on R5, as the relationship has died (hold down timers expired) as the stub flag in the HELLO packet does not match anymore, so they cannot be neighbours ...


R5#deb ip ospf pack
OSPF packet debugging is on
R5#
*Mar  1 02:14:08.015: OSPF: Rcv hello from 4.4.4.4 area 45 from Serial0/0 10.45.1.4
*Mar  1 02:14:08.019: OSPF: Hello from 10.45.1.4 with mismatched Stub/Transit area option bit
R5#
*Mar  1 02:14:10.787: OSPF: Send hello to 224.0.0.5 area 45 on Serial0/0 from 10.45.1.5
R5#u all
*Mar  1 02:14:18.003: OSPF: rcv. v:2 t:1 l:44 rid:4.4.4.4
      aid:0.0.0.45 chk:E669 aut:0 auk: from Serial0/0
*Mar  1 02:14:18.007: OSPF: Rcv hello from 4.4.4.4 area 45 from Serial0/0 10.45.1.4
*Mar  1 02:14:18.007: OSPF: Hello from 10.45.1.4 with mismatched Stub/Transit area option bit
R5#u all



R5(config)#router ospf 1
R5(config-router)#area 45 stub


Lets have a look now at the routing table:



R5#show ip route

Gateway of last resort is 10.45.1.4 to network 0.0.0.0

     172.30.0.0/32 is subnetted, 4 subnets
O IA    172.30.3.1 [110/139] via 10.45.1.4, 00:00:08, Serial0/0
O IA    172.30.2.1 [110/139] via 10.45.1.4, 00:00:08, Serial0/0
O IA    172.30.1.1 [110/139] via 10.45.1.4, 00:00:08, Serial0/0
O IA    172.30.0.1 [110/139] via 10.45.1.4, 00:00:08, Serial0/0
     10.0.0.0/24 is subnetted, 4 subnets
O IA    10.23.1.0 [110/138] via 10.45.1.4, 00:00:08, Serial0/0
C       10.45.1.0 is directly connected, Serial0/0
O IA    10.67.1.0 [110/138] via 10.45.1.4, 00:00:10, Serial0/0
O IA    10.100.1.0 [110/74] via 10.45.1.4, 00:00:10, Serial0/0
O*IA 0.0.0.0/0 [110/65] via 10.45.1.4, 00:00:10, Serial0/0
And now we have the default route and now external routes :0) - this only affects the stub router within the area (area 45)




OBJECTIVE 5.
 Routers in Area 23 must not receive any Type 3, 4, or 5 LSAs from the rest of the OSPF network. These routers should reach the external network using a default route with an initial OSPF cost of 100.



R2(config)#router ospf 1
R2(config-router)#area 23 stub no-summary
R2(config-router)#
*Mar  1 02:21:24.291: %OSPF-5-ADJCHG: Process 1, Nbr 3.3.3.3 on Serial0/0 from FULL to DOWN, Neighbor Down: Adjacency forced to reset
R3(config)#router ospf 1
R3(config-router)#area 23 stub

Lets check it out:

R3#show ip route

Gateway of last resort is 10.23.1.2 to network 0.0.0.0

     172.30.0.0/24 is subnetted, 4 subnets
C       172.30.2.0 is directly connected, Loopback2
C       172.30.3.0 is directly connected, Loopback3
C       172.30.0.0 is directly connected, Loopback0
C       172.30.1.0 is directly connected, Loopback1
     10.0.0.0/24 is subnetted, 1 subnets
C       10.23.1.0 is directly connected, Serial0/0
O*IA 0.0.0.0/0 [110/65] via 10.23.1.2, 00:00:26, Serial0/0

Now the metric is 65, the inital cost is 1 we need to set this too 100:

R2(config-router)#area 23 default-cost ?
  <0-16777215>  Stub's advertised external route metric

R2(config-router)#area 23 default-cost 100


R3#show ip route
Gateway of last resort is 10.23.1.2 to network 0.0.0.0

     172.30.0.0/24 is subnetted, 4 subnets
C       172.30.2.0 is directly connected, Loopback2
C       172.30.3.0 is directly connected, Loopback3
C       172.30.0.0 is directly connected, Loopback0
C       172.30.1.0 is directly connected, Loopback1
     10.0.0.0/24 is subnetted, 1 subnets
C       10.23.1.0 is directly connected, Serial0/0
O*IA 0.0.0.0/0 [110/164] via 10.23.1.2, 00:02:03, Serial0/0

Done, the WAN links cost must be 64, plus our initial cost of 100 :0)




OBJECTIVE 6.
When this exercise is complete, all routers should be able to reach (ping) every route in the OSPF routing table.

Easy you think....well remember Router8 .... we need to join him to area 0, so lets get him in the backbone area so he can talk OSPF with everyone else


We need the virtual link between R6 and R7

R6(config)#router ospf 1
R6(config-router)#area 67 virtual-link 7.7.7.7


R7(config)#router ospf 1
R7(config-router)#area 67 virtual-link 6.6.6.6
*Mar  1 02:35:20.299: %OSPF-5-ADJCHG: Process 1, Nbr 6.6.6.6 on OSPF_VL0 from LOADING to FULL, Loading Done


R7#show ip ospf virtual-links
Virtual Link OSPF_VL0 to router 6.6.6.6 is up
  Run as demand circuit
  DoNotAge LSA allowed.
  Transit area 67, via interface Serial0/0, Cost of using 64
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:00
    Adjacency State FULL (Hello suppressed)
    Index 1/3, retransmission queue length 0, number of retransmission 0
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 0, maximum is 0
    Last retransmission scan time is 0 msec, maximum is 0 msec

So now, R8 believes R7 is directly connect to Area 0 (via the virtua link) - this could also be a GRE tunnel :0)

lets check:

R8#show ip ospf ne

Neighbor ID     Pri   State           Dead Time   Address         Interface
7.7.7.7           0   FULL/  -        00:00:34    10.78.1.7       Serial0/0


 
R8#show ip route

     172.31.0.0/24 is subnetted, 4 subnets
O E1    172.31.3.0 [110/188] via 10.78.1.7, 00:01:46, Serial0/0
O E1    172.31.2.0 [110/188] via 10.78.1.7, 00:01:46, Serial0/0
O E1    172.31.1.0 [110/188] via 10.78.1.7, 00:01:46, Serial0/0
O E1    172.31.0.0 [110/188] via 10.78.1.7, 00:01:46, Serial0/0
     172.30.0.0/32 is subnetted, 4 subnets
O IA    172.30.3.1 [110/203] via 10.78.1.7, 00:01:47, Serial0/0
O IA    172.30.2.1 [110/203] via 10.78.1.7, 00:01:47, Serial0/0
O IA    172.30.1.1 [110/203] via 10.78.1.7, 00:01:48, Serial0/0
O IA    172.30.0.1 [110/203] via 10.78.1.7, 00:01:48, Serial0/0
     10.0.0.0/24 is subnetted, 5 subnets
O IA    10.23.1.0 [110/202] via 10.78.1.7, 00:01:48, Serial0/0
O IA    10.45.1.0 [110/202] via 10.78.1.7, 00:01:48, Serial0/0
C       10.78.1.0 is directly connected, Serial0/0
O IA    10.67.1.0 [110/128] via 10.78.1.7, 00:01:58, Serial0/0
O IA    10.100.1.0 [110/138] via 10.78.1.7, 00:01:49, Serial0/0


R8#ping 172.30.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.30.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/38/68 ms


Posted by at 1 comment:
Subscribe to: Posts (Atom)