CCDA Notes – WAN

Additions/subtractions needed? Let me know.

WAN Categories

  1. Circuit Switched – created only when needed, e.g. ISDN and dial-up.
  2. Leased Lines – dedicated connection. TDM based.
  3. Packet Switched – shared bandwidth using virtual circuits, e.g. Frame Relay.
  4. Cell Switched – ATM
  5. Broadband - xDSL, Cable, Wireless

Time Division Multiplexing (TDM)

  1. Multiple channels such as voice, video, and data can be combined.
  2. DS1 or T1 provides 24 time slots of 64 kbps each and one 8 kbps control time slot.

Frame Relay

  1. NBMA
  2. DLCI = L2 addressing
  3. LMI reports VC status.
  4. LMI has 3 types. Cisco, ANSI, Q.933A. Auto tries all three.
  5. Multipoint interfaces require L2-to-L3 address resolution. Done via inverse-ARP or static “frame-relay map”.
  6. Physical interface is multipoint by default, e.g. Serial0/1.
  7. Static L2-to-L3 mappings override dynamic mappings.
  8. “frame-relay interface-dlci <dlci #>” on point-to-point subifs. LMI does not communicate DLCI number on subifs.

Inverse-ARP

  1. Enabled automatically when a supported protocol is configured, e.g. “ip address 8.8.8.8 255.255.255.0”.
  2. Requests are sent out all circuits assigned to the interface for all supported protocols.
  3. Requests can be disabled via “no frame-relay inverse-arp”. Replies cannot be disabled.
  4. Automatically supports multicast/broadcast via a replicated unicast.

SONET/SDH

  1. Circuit-based ring topology.
  2. Optical
  3. ATM or Packet Over SONET(POS)
  4. Optical carrier rates, e.g. OC-1 = 51.85 Mbps, OC-255 = 13.21 Gbps

CCDA – Enterprise Composite Model

More notes.

Enterprise Composite Model
1) Still leverages the hierarchical model.
2) Modular:
    a) Enterprise Campus
    b) Enterprise Edge
    c) Enterprise WAN
    d) Enterprise Data Center
    e) Enterprise Branch
    f) Enterprise Teleworker
3) Enterprise Campus consists of:
    a) Campus Core
    b) Building Distribution
    c) Building Access
    d) Edge Distribution
    e) Server Farm / Data Center
4) Enterprise Edge consists of:
    a) E-Commerce
    b) Internet / DMZ
    c) VPN / Remote Access
    d) Enterprise WAN
5) Service Provider Edge consists of:
    a) Internet
    b) PSTN
    c) WAN Services
6) Remote modules:
    a) Enterprise Branch – site-to-site VPNs
    b) Enterprise Data Center – high speed LAN
    c) Enterprise Teleworker – remote access VPNs


CCDA Notes – Hierarchical Model

Missing anything? Let me know and I’ll update/correct.

Hierarchical Model
1) Easy to understand
2) Cost savings
3) Modular
4) Easily modified
5) Facilitates summarization
6) Fault isolation

Core Layer
1) Move data as quickly as possible
2) Reliability
3) Redundancy
4) Fault tolerance
5) No filters or other overhead
6) Limited, consistent diameter

Distribution Layer
1) Implement policies
2) Security
3) QoS
4) Redundancy and load balancing
5) Summarization
6) Policy routing
7) Routing between VLANs
8) Redistribution
9) Media translations
10) Define multicast and broadcast domains

Access Layer
1) High availability
2) Port security, ARP inspection, VACLs
3) Broadcast control
4) QoS and trust boundary definition
5) PoE
6) STP


CCDA Notes – Best Practices

Do you agree with the checklist and best practices mentioned below? Do you know any that should be added to these lists? Let me know and I’ll get them added if they are pertinent.

Network Health Checklist
1) Ethernet segments should not have a sustained utilization of 40% or higher.
2) All Ethernet segments should be switched. No shared segments(hub-based).
3) No WAN links should feature a sustained utilization of 70% or higher.
4) WAN response times should be generally less than 100ms.
5) LAN response times should be around 2ms.
6) No segments have more than one CRC error per MB of data.
7) Segments should be no more than 20% multicast/broadcast traffic.
8) Device CPU utilization should not exceed 75% over 5 minute intervals.
9) Output queue drops should not exceed 100 in an hour.
10) Input queue drops should not exceed 50 in an hour.
11) Buffer misses should not exceed 25 in an hour.
12) Ignored packets should not exceed 10 in an hour.

Access Layer Best Practices
1) QoS for performance.
2) Redundancy for availability.
3) Limit VLANs to a single closet.
4) RPVST+ instead of STP or PVST+.
5) DTP set to desirable/desirable. ** I do not agree with this one **
6) VTP transparent mode.
7) Disable trunk mode on access ports.
8) Routing in the access layer.
9) Portfast on edge ports.

Distribution Layer Best Practices
1) Aggregate bandwidth together into EtherChannels.
2) QoS.
3) Security mechanisms.
4) FHRP protocols.
5) Routing.
6) Address summarization.
7) Triangles and not squares for redundancy in and between layers.

Core Layer Best Practices
1) Redundant triangle designs between switches.
2) Fast switching at Layer 2. No routing if possible.
3) Multilayer switches.


CCDA Notes – PPDIOO

This starts my foray into the CCDA. I will try to keep the CCDA notes blog posts to a specific topic per post. If you see any mistakes, missed subject matter, or just wish to berate my note taking skills then feel free to leave a comment.

PPDIOO
Prepare
Plan
Design
Implement
Operate
Optimize

Prepare
1) Business objectives. Identify technologies and develop a strategy.
2) Identify customer requirements.
    a) Speak with all managers.
    b) Follow these steps:
     Step 1. Identify network applications and services.
     Step 2. Define organizational goals.
     Step 3. Define organizational constraints.
     Step 4. Define technical goals.
     Step 5. Define technical constraints.

Plan
1) Characterize and assess the network to develop a project plan.
2) Information gathering.
    Step 1. Identify and gather all existing documentation.
    Step 2. Audit the network.
    Step 3. Perform traffic analysis.
3) Information to gather:
    a) Device list
    b) Hardware models
    c) Software versions
    d) Configs
    e) Auditing tools output
    f) Interface speeds
    g) Link, cpu, and memory utilization
    h) WAN technologies

Design
1) Top Down Approach
    a) Start with apps and work your way down to the network infrastructure.
    b) Accurately incorporates the business drivers.
    c) Disadvantage is that it is time-consuming.
2) Bottom Up Approach
    a) Based on previous experience.
    b) Allows for quick solutions.
    c) Might make for inappropriate solutions.
    d) Often misses the organizational goals.
3) Pilots and prototypes
    a) Prototype – A subset of a full network. These networks are generally isolated from production network.
    b) Pilot – A live location for testing on the actual network. Allows the discovery of any real issues.
4) A design document generally includes:
    a) Introduction
    b) Design requirements
    c) Existing network infrastructure
    d) Design
    e) PoC
    f) Implementation plan
    g) Appendices

Implement
1) Follow the project plan and design document.
2) Each step should include:
    a) Description
    b) Implementation guidelines
    c) Estimated time to complete
    d) Rollback steps
    e) Reference information

Operate
1) Network management
2) Network monitoring
3) Routine maintenance
4) Upgrades
5) Performance management
6) Network fault detection and correction

Optimize
1) Be proactive instead of reactive
2) This may lead back to the Prepare phase and start the process all over.


Quick Update

Have not posted in a while so wanted to give a quick update. I am about to finish up my “CCNP memory refresh”. I am half way through my final book and should finish it off in the next week or so.

The last book I am reading is Network Warrior Second Edition. This book is really good. I had read the first edition and forgot how much I like Gary Donahue’s writing style which is informative and funny at just the right times.

My big plans after completing this refresh are lining up perfectly. The CCDA books will be coming out during the month of June, just in time for me to start up my CCDA/DP path. Plans are to have it done by end of year and then 2012 will be my start up that big mountain known as the CCIE. I do plan to try, notice the word try there, to blog more on the topics I go over for the CCDA/DP studies so stay tuned for some boring posts on design and such.

See ya around!


OSPF Common Topics Lab Config #3

We will be going over the last configuration tasks on the list in this post. The first set of tasks can be found here and the second set can be found here.

Tasks
* R5-R7 OSPF area 1 is a totally stubby area.
* Mutually redistribute routes between OSPF area 5 and RIP on R9.
* R9 and R14 will use RIP version 2.
* Manually assign router IDs to all OSPF routers and use the format 0.0.0.x where x=Router#.
* All other links will be their default OSPF network type.
* Summarize networks at ABRs and ASBRs when possible.
* Summarized routes should be prevented from being redistributed back into source areas.
* Network addresses displayed on network diagram near a router are loopbacks. The loopback interfaces used for OSPF should be set to an OSPF network type of point-to-point.

Task 22
Area 1 is going to be a totally-stubby area so we can configure that on all routers that are participating in that area. For us that is only R5 and R7.

R5(config)#router ospf 1
R5(config-router)#area 1 stub no-summary

R7(config)#router ospf 1
R7(config-router)#area 1 stub no-summary

Let's verify that everything is correct.

R5#show ip ospf | beg Area 1
    Area 1
        Number of interfaces in this area is 1
        It is a stub area, no summary LSA in this area
          generates stub default route with cost 1
        Area has no authentication
        SPF algorithm last executed 00:06:25.856 ago
        SPF algorithm executed 8 times
        Area ranges are
           192.168.7.0/28 Active(65) Advertise
        Number of LSA 3. Checksum Sum 0x012C47
        Number of opaque link LSA 0. Checksum Sum 0x000000
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 0
        Flood list length 0

R7#show ip ospf | beg Area 1
    Area 1
        Number of interfaces in this area is 5
        It is a stub area
        Area has no authentication
        SPF algorithm last executed 00:07:42.936 ago
        SPF algorithm executed 5 times
        Area ranges are
        Number of LSA 3. Checksum Sum 0x012C47
        Number of opaque link LSA 0. Checksum Sum 0x000000
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 0
        Flood list length 0

As you can see there is a difference in the show commands in the description of what type of stub area it is. The ABR is really the only one that needs the full area 1 stub no-summary config command. I personally like to put it on all routers in that area so that it is a reminder that the area is totally-stubby and not just a plain stub area.

Task 23 & 24
Here on R9 we are going to redistribute the RIP and OSPF routes into each other. We will also configure R9 and R14 to use RIPv2.

R9(config)#router ospf 1
R9(config-router)#redistribute rip metric 10 subnets
R9(config-router)#router rip
R9(config-router)#version 2
R9(config-router)#redistribute ospf 1 metric 3

R14(config)#router rip
R14(config-router)#version 2

You can verify the redistribution by looking at the route tables on R14 and R3 or by checking the OSPF and RIP databases on R9.

Task 25
This is a simple one. I am just going to display the configuration for a few of the routers. You should be able to figure out what the rest are.

R1(config)#router ospf 1
R1(config-router)#router-id 0.0.0.1

R5(config)#router ospf 1
R5(config-router)#router-id 0.0.0.5

R10(config)#router ospf 1
R10(config-router)#router-id 0.0.0.10

Now we should make sure the setting took. We can do this with the show command displayed below.

R10#show ip ospf | inc ID
 Routing Process "ospf 1" with ID 0.0.0.10

Task 26
Really no work to do here. If we have not configured anything on a link or an interface then it of course is going to be at its default OSPF network type.

Task 27
I summarized networks at the nearest ABR/ASBR whenever possible. I will give three examples of the summarizations.

R4(config)#router ospf 1
R4(config-router)#area 2 range 192.168.6.0 255.255.255.240
R4(config-router)#summary-address 4.4.4.0 255.255.255.240

R9(config)#router ospf 1
R9(config-router)#summary-address 10.8.0.0 255.248.0.0

Use the summary-address config command when summarizing at an ASBR and use the area # range config command when summarizing at an ABR.

Task 28
For grins and giggles I did the below configuration to get rid of the summarized route that was being advertised back into area 50 by R4. This of course does not scale well. :)

R11(config)#access-list 1 permit 4.4.4.0 0.0.0.15
R11(config)#route-map NO_SUMMARY_4 deny 10
R11(config-route-map)#match ip address 1
R11(config-route-map)#route-map NO_SUMMARY_4 permit 20
R11(config-route-map)#router ospf 50
R11(config-router)#distribute-list route-map NO_SUMMARY_4 in

Task 29
This last one is a simple one. On all the loopback interfaces in the OSPF areas you will use the ip ospf network point-to-point config command. This is only to make the routes produced by the loopbacks appear with the correct prefix length instead of a /32.

That’s it. Sometime soon I will be posting up an EIGRP lab that is similar to this one. If you want to get a head start on it you can check out this post over at networking-forum.com.


OSPF Common Topics Lab Config #2

This is part 2 of the OSPF lab configuration. We will configure tasks 11-21 on the task list from the original OSPF lab post and those tasks are listed below. If you want to look at the configuration of tasks 1-10 then take a look over here. As mentioned in the first config blog, you will need to setup some of the basic OSPF stuff like network statements yourself because it is not covered in the tasks unless it is to demonstrate something that is out of the norm.

Tasks
* R3 OSPF process number will be different than all other routers' OSPF process numbers to demonstrate that OSPF process number is unimportant in peering establishment.
* R3-R9 OSPF area 5 is a NSSA with a default route advertised back into it
* R4-R11 will be using a GREoIPSEC tunnel for all traffic including routing protocols.
* R4-R6 OSPF area 2 is a stub area.
* R4 will have all OSPF network statements use a 4 octet area identifier(i.e. network 2.2.2.1 0.0.0.0 area 0.0.0.50).
* R4-R11 OSPF area 50 will be a different OSPF process so that R4 becomes an ASBR between the OSPF process for area 50 and the other OSPF process that area 2 and area 0 are in.
* R4 will use a different OSPF router-ID for each OSPF process. This is to demonstrate that there can be multiple router-IDs on one router.
* Mutually redistribute routes between OSPF area 50 process and OSPF area 0/area 2 process on R4.
* Routes redistributed from OSPF area 50 process into OSPF area0/area 2 process will be made external type 1 OSPF routes.
* Mutually redistribute routes between EIGRP and OSPF at R5 and R12.
* Prevent any redistribution loops that might be caused with mutual redistribution at R5 and R12.

Task 11
This step is pretty easy. It is more of a demonstration than anything else. The point of the task is just to show that you can have a different process number on a router than all other routers and the OSPF neighbor adjacency will still come up.

R3#show ip ospf neigh
Neighbor ID     Pri   State           Dead Time   Address         Interface
0.0.0.1         200   FULL/DR         00:00:34    172.16.123.1    FastEthernet1/0
0.0.0.2         100   FULL/BDR        00:00:34    172.16.123.2    FastEthernet1/0
0.0.0.9           0   FULL/  -        00:01:46    172.16.39.1     Serial0/0

R3#show ip ospf | inc Process
 Routing Process "ospf 10000" with ID 0.0.0.3

R1#show ip ospf | inc Process
 Routing Process "ospf 1" with ID 0.0.0.1

R2#show ip ospf | inc Process
 Routing Process "ospf 1" with ID 0.0.0.2

R9#show ip ospf | inc Process
 Routing Process "ospf 1" with ID 0.0.0.9

The first show command is to display which routers are neighbors of R3 and whether or not the adjacency has been established. The second show command tells that R3 is using a process number of 10000 and the rest of the show commands display that all other routers are using process number 1.

Task 12
Area 5 is to be set up as a Not-So-Stubby Area. We will need to make sure that all routers in area 5 have the setting to make them a NSSA-type router in that area for it to work correctly. We also want to send a default route back into area 5.

R3(config)#router ospf 10000
R3(config-router)#area 5 nssa default-information-originate

R9(config)#router ospf 1
R9(config-router)#area 5 nssa

You will notice there is a difference between the two configurations. The default-information-originate is to be used only on the border router. Let us verify the settings.

R3#show ip ospf | beg Area 5
    Area 5
        Number of interfaces in this area is 1
        It is a NSSA area
        Perform type-7/type-5 LSA translation
        generates NSSA default route with cost 1
        Area has no authentication
        SPF algorithm last executed 01:25:18.112 ago
        SPF algorithm executed 9 times
        Area ranges are
           192.168.9.0/28 Active(65) Advertise
        Number of LSA 17. Checksum Sum 0x08B868
        Number of opaque link LSA 0. Checksum Sum 0x000000
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 0
        Flood list length 0

Yep, the area is set to NSSA.

Task 13
This task wants us to set up a GRE over IPSec tunnel for all traffic, including routing protocols, that goes on the link between R4 and R11. To my knowledge, this was my first time configuring one of these so I jumbled it together. It “appears” to work. :)

R4(config)#crypto isakmp policy 1
R4(config-isakmp)#authentication pre-share
R4(config-isakmp)#crypto isakmp key C1sc0 address 2.2.2.254
R4(config)#crypto ipsec transform-set CRYPT_SET esp-aes 256 esp-sha-hmac
R4(cfg-crypto-trans)#mode transport
R4(cfg-crypto-trans)#crypto map GRE_ENCRYPT 10 ipsec-isakmp
R4(config-crypto-map)#set peer 2.2.2.254
R4(config-crypto-map)#set transform-set CRYPT_SET
R4(config-crypto-map)#match address GRE_ENCRYPT
R4(config-crypto-map)#ip access-list extended GRE_ENCRYPT
R4(config-ext-nacl)#permit gre host 2.2.2.1 host 2.2.2.254
R4(config-ext-nacl)#interface Tunnel0
R4(config-if)#bandwidth 100000
R4(config-if)#ip address 1.1.1.0 255.255.255.254
R4(config-if)#tunnel source Serial0/2
R4(config-if)#tunnel destination 2.2.2.254
R4(config-if)#crypto map GRE_ENCRYPT

R11(config)#crypto isakmp policy 1
R11(config-isakmp)#authentication pre-share
R11(config-isakmp)#crypto isakmp key C1sc0 address 2.2.2.1
R11(config)#crypto ipsec transform-set CRYPT_SET esp-aes 256 esp-sha-hmac
R11(cfg-crypto-trans)#mode transport
R11(cfg-crypto-trans)#crypto map GRE_ENCRYPT 10 ipsec-isakmp
R11(config-crypto-map)#set peer 2.2.2.1
R11(config-crypto-map)#set transform-set CRYPT_SET
R11(config-crypto-map)#match address GRE_ENCRYPT
R11(config-crypto-map)#ip access-list extended GRE_ENCRYPT
R11(config-ext-nacl)#permit gre host 2.2.2.254 host 2.2.2.1
R11(config-ext-nacl)#interface Tunnel0
R11(config-if)#bandwidth 100000
R11(config-if)#ip address 1.1.1.1 255.255.255.254
R11(config-if)#tunnel source Serial0/0
R11(config-if)#tunnel destination 2.2.2.1
R11(config-if)#crypto map GRE_ENCRYPT

First we set up our basic IPSec settings, then create a tunnel interface that uses the default GRE mode, and finally apply the IPSec settings to the tunnel to create a GREoIPSec tunnel. Rinse and repeat on the other side. Let's verify it is being used.

R11#show ip ospf neigh
Neighbor ID     Pri   State           Dead Time   Address         Interface
0.0.50.4          0   FULL/  -        00:00:37    1.1.1.0         Tunnel0

R4#show ip ospf neigh | inc Tu
0.0.50.11         0   FULL/  -        00:00:38    1.1.1.1         Tunnel0

R11#show ip route | beg ^$

Gateway of last resort is not set

     1.0.0.0/31 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Tunnel0
     2.0.0.0/24 is subnetted, 1 subnets
C       2.2.2.0 is directly connected, Serial0/0
     4.0.0.0/30 is subnetted, 4 subnets
C       4.4.4.4 is directly connected, Loopback1
C       4.4.4.0 is directly connected, Loopback0
C       4.4.4.12 is directly connected, Loopback3
C       4.4.4.8 is directly connected, Loopback2
     192.168.9.0/28 is subnetted, 1 subnets
O E2    192.168.9.0 [110/10] via 1.1.1.0, 01:17:37, Tunnel0
     192.168.10.0/28 is subnetted, 1 subnets
O E2    192.168.10.0 [110/10] via 1.1.1.0, 01:17:37, Tunnel0
     6.0.0.0/31 is subnetted, 2 subnets
O E2    6.6.6.2 [110/10] via 1.1.1.0, 01:17:37, Tunnel0
O E2    6.6.6.0 [110/10] via 1.1.1.0, 01:17:37, Tunnel0
     172.16.0.0/16 is variably subnetted, 10 subnets, 3 masks
O E2    172.16.57.0/31 [110/10] via 1.1.1.0, 01:16:22, Tunnel0
O E2    172.16.46.0/31 [110/10] via 1.1.1.0, 01:19:23, Tunnel0
O E2    172.16.39.1/32 [110/10] via 1.1.1.0, 01:17:37, Tunnel0
O E2    172.16.39.0/32 [110/10] via 1.1.1.0, 01:17:40, Tunnel0
O E2    172.16.28.0/31 [110/10] via 1.1.1.0, 01:17:40, Tunnel0
O E2    172.16.14.0/31 [110/10] via 1.1.1.0, 01:18:45, Tunnel0
O E2    172.16.15.0/31 [110/10] via 1.1.1.0, 01:17:40, Tunnel0
O E2    172.16.123.0/24 [110/10] via 1.1.1.0, 01:17:40, Tunnel0
O E2    172.16.112.0/31 [110/10] via 1.1.1.0, 01:17:40, Tunnel0
O E2    172.16.80.0/31 [110/10] via 1.1.1.0, 01:17:40, Tunnel0
..... Rest of output snipped .....

Adjacency is established over the tunnel. All routes on R11 are going over the tunnel except for 2.2.2.0/24.
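
An added example, not part of the original post: a small Python audit of the Task 13 settings, run over R4's commands as entered above and over a constructed hardened variant. The function names, the 20-character key threshold, the placeholder key and the hardened lines (“encr aes 256”, “hash sha256”, “group 14”, which assume an IOS release that supports them) are assumptions of this example; the crypto map check follows Cisco's GRE over IPsec guidance for IOS 12.2(13)T and later, which applies the crypto map to the physical interface the tunnel is sourced from.

```python
import re

MIN_PSK_LEN = 20  # assumption for this example, not a limit IOS enforces

# Transform set, crypto map and crypto ACL exactly as entered on R4 above.
COMMON = """\
crypto ipsec transform-set CRYPT_SET esp-aes 256 esp-sha-hmac
 mode transport
crypto map GRE_ENCRYPT 10 ipsec-isakmp
 set peer 2.2.2.254
 set transform-set CRYPT_SET
 match address GRE_ENCRYPT
ip access-list extended GRE_ENCRYPT
 permit gre host 2.2.2.1 host 2.2.2.254
"""

# R4 as configured in the lab (prompts stripped).
R4_CONFIG = """\
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key C1sc0 address 2.2.2.254
""" + COMMON + """\
interface Tunnel0
 ip address 1.1.1.0 255.255.255.254
 tunnel source Serial0/2
 tunnel destination 2.2.2.254
 crypto map GRE_ENCRYPT
"""

# Constructed variant: explicit IKE parameters, a placeholder key, and the
# crypto map on the interface the tunnel is sourced from.
HARDENED_CONFIG = """\
crypto isakmp policy 1
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER-use-a-long-random-secret address 2.2.2.254
""" + COMMON + """\
interface Tunnel0
 ip address 1.1.1.0 255.255.255.254
 tunnel source Serial0/2
 tunnel destination 2.2.2.254
interface Serial0/2
 crypto map GRE_ENCRYPT
"""

# Constructed variant: the tunnel points at an address that is not the crypto peer.
MISMATCHED_CONFIG = R4_CONFIG.replace("tunnel destination 2.2.2.254",
                                      "tunnel destination 2.2.2.1")


def sections(cfg):
    """Group a running-config into (top-level line, [indented child lines])."""
    out = []
    for line in cfg.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if not line.startswith(" "):
            out.append((line.strip(), []))
        elif out:
            out[-1][1].append(line.strip())
    return out


def audit(cfg):
    """Return finding strings for the GRE-over-IPsec settings found in cfg."""
    findings, peers, bound, tunnels = [], set(), set(), {}
    for head, body in sections(cfg):
        if head.startswith("crypto isakmp policy"):
            # Parameters left unset fall back to whatever the IOS release defaults to.
            missing = [p for p in ("encr", "hash", "group")
                       if not any(l.startswith(p) for l in body)]
            if missing:
                findings.append("isakmp-policy-uses-defaults:" + ",".join(missing))
        m = re.match(r"crypto isakmp key (\S+) address (\S+)", head)
        if m and len(m.group(1)) < MIN_PSK_LEN:
            findings.append("short-pre-shared-key:peer " + m.group(2))
        if head.startswith("crypto map"):
            peers.update(l.split()[2] for l in body if l.startswith("set peer"))
        if head.startswith("interface"):
            name = head.split()[1]
            for l in body:
                if l.startswith("tunnel source"):
                    tunnels.setdefault(name, {})["src"] = l.split()[2]
                elif l.startswith("tunnel destination"):
                    tunnels.setdefault(name, {})["dst"] = l.split()[2]
                elif l.startswith("crypto map"):
                    bound.add(name)
    for name, t in tunnels.items():
        if t.get("dst") not in peers:
            findings.append(f"{name}:destination-is-not-a-crypto-peer")
        if t.get("src") not in bound:  # assumes tunnel source is an interface name
            findings.append(f"{name}:no-crypto-map-on-source {t.get('src')}")
    return findings
```

The OSPF adjacency and the routes shown above confirm that the GRE tunnel passes traffic; “show crypto isakmp sa” and the encaps/decaps counters in “show crypto ipsec sa” are what confirm that IPsec is protecting it.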

Task 14
Area 2 is going to be a standard OSPF stub area. The same applies for this as did the NSSA in that all routers in the area must be set the same for the stub-type area to function correctly.

R4(config)#router ospf 1
R4(config-router)#area 2 stub

R6(config)#router ospf 1
R6(config-router)#area 2 stub

You can use the same show command as mentioned in task 12 to verify the configuration.

Task 15
Another simple one. We are just displaying that you can use the 4 octet area identifier in the network statement and it will still work with an adjacent router that is only using a decimal digit for the area #.

R4(config)#router ospf 1
R4(config-router)#network 172.16.14.1 0.0.0.0 area 0.0.0.0
R4(config-router)#network 172.16.46.0 0.0.0.0 area 0.0.0.2
R4(config-router)#router ospf 50
R4(config-router)#network 1.1.1.0 0.0.0.0 area 0.0.0.50
R4(config-router)#do show ip ospf neigh
Neighbor ID     Pri   State           Dead Time   Address         Interface
0.0.50.11         0   FULL/  -        00:00:39    1.1.1.1         Tunnel0
0.0.0.1           0   FULL/  -        00:01:44    172.16.14.0     Serial0/0
0.0.0.6           0   FULL/  -        00:00:36    172.16.46.1     Serial0/1

As you can see the neighbors are still up even though using a different format for the area number in the network statement.

Task 16 & 17
Task 16 is just to prove that you can have more than one OSPF process on a router. We have an OSPF process number 1 and OSPF process number 50 on R4. Task 17 is to show that you can have more than one router ID on a single router. Router ID 0.0.0.4 is being used for R4's OSPF process 1 and router ID 0.0.50.4 is being used under OSPF process 50.

R4#show run | beg router
router ospf 1
 router-id 0.0.0.4
 log-adjacency-changes
 area 2 stub
 area 2 range 192.168.6.0 255.255.255.240
 summary-address 4.4.4.0 255.255.255.240
 redistribute ospf 50 metric 10 subnets
 network 172.16.14.1 0.0.0.0 area 0.0.0.0
 network 172.16.46.0 0.0.0.0 area 0.0.0.2
!
router ospf 50
 router-id 0.0.50.4
 log-adjacency-changes
 summary-address 192.168.6.0 255.255.255.240
 redistribute ospf 1 metric 10 subnets
 network 1.1.1.0 0.0.0.0 area 0.0.0.50
!
R4#show ip ospf | inc Process
 Routing Process "ospf 50" with ID 0.0.50.4
 Routing Process "ospf 1" with ID 0.0.0.4

Task 18 & 19
In this task we are redistributing routes between the two OSPF processes on R4. Routes from process 50 into process 1 are to be metric type E1 and routes from process 1 into process 50 are to be the default metric type of E2.

R4(config)#router ospf 1
R4(config-router)#redistribute ospf 50 metric 10 subnets metric-type 1
R4(config-router)#router ospf 50
R4(config-router)#redistribute ospf 1 metric 10 subnets

Let's verify that the routes from process 50 into process 1 are showing as E1 routes. We will take a look on R12.

R12#show ip route | inc E1
       E1 - OSPF external type 1, E2 - OSPF external type 2
O E1    1.1.1.0 [110/138] via 172.16.112.0, 00:10:55, Serial0/0
O E1    4.4.4.0 [110/138] via 172.16.112.0, 00:10:55, Serial0/0

Looks good. Now we verify that the redistribution is working into process 50.

R11#show ip route | inc E2
       E1 - OSPF external type 1, E2 - OSPF external type 2
O E2    192.168.9.0 [110/10] via 1.1.1.0, 02:24:34, Tunnel0
O E2    192.168.10.0 [110/10] via 1.1.1.0, 02:24:34, Tunnel0
O E2    6.6.6.2 [110/10] via 1.1.1.0, 02:24:34, Tunnel0
O E2    6.6.6.0 [110/10] via 1.1.1.0, 02:24:34, Tunnel0
O E2    172.16.57.0/31 [110/10] via 1.1.1.0, 02:23:19, Tunnel0
O E2    172.16.46.0/31 [110/10] via 1.1.1.0, 02:26:20, Tunnel0
O E2    172.16.39.1/32 [110/10] via 1.1.1.0, 02:24:34, Tunnel0
O E2    172.16.39.0/32 [110/10] via 1.1.1.0, 02:24:34, Tunnel0
O E2    172.16.28.0/31 [110/10] via 1.1.1.0, 02:24:34, Tunnel0
O E2    172.16.14.0/31 [110/10] via 1.1.1.0, 02:25:39, Tunnel0
O E2    172.16.15.0/31 [110/10] via 1.1.1.0, 02:24:34, Tunnel0
O E2    172.16.123.0/24 [110/10] via 1.1.1.0, 02:24:34, Tunnel0
O E2    172.16.112.0/31 [110/10] via 1.1.1.0, 02:24:34, Tunnel0
O E2    172.16.80.0/31 [110/10] via 1.1.1.0, 02:24:34, Tunnel0
O E2    9.9.9.0 [110/10] via 1.1.1.0, 02:24:24, Tunnel0
O E2    10.8.0.0/13 [110/10] via 1.1.1.0, 02:24:24, Tunnel0
O E2    10.255.252.0/22 [110/10] via 1.1.1.0, 02:24:34, Tunnel0
O E2    192.168.6.0 [110/10] via 1.1.1.0, 02:26:20, Tunnel0
O E2    192.168.7.0 [110/10] via 1.1.1.0, 02:23:19, Tunnel0

Yep, they are there.

Task 20 & 21
Here we are going to mutually redistribute between EIGRP and OSPF but the catch is that there are two routers doing the redistribution so there are redistribution loop issues that will have to be dealt with. I had to look this up as it had been a long time since I had configured something like this. This is pretty much a plagiarism from one of the bazillion Cisco Press books I have.

R5(config)#route-map EIGRP_TO_OSPF deny 10
R5(config-route-map)#match tag 110
R5(config-route-map)#route-map EIGRP_TO_OSPF permit 20
R5(config-route-map)#set tag 90
R5(config-route-map)#route-map OSPF_TO_EIGRP deny 10
R5(config-route-map)#match tag 90
R5(config-route-map)#route-map OSPF_TO_EIGRP permit 20
R5(config-route-map)#set tag 110
R5(config-route-map)#router eigrp 1
R5(config-router)#redistribute ospf 1 metric 100000 100 255 1 1500 route-map OSPF_TO_EIGRP
R5(config-router)#router ospf 1
R5(config-router)#redistribute eigrp 1 metric 10 subnets route-map EIGRP_TO_OSPF

Each route-map first denies any route carrying the tag that was set when it was originally redistributed from the other routing protocol (this prevents loops). If a route does not have a tag that matches the deny statement, it is allowed to be redistributed and the tag is added to it. The redistribution commands under each routing process call the route-map.
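
An added example, not part of the original post: the two route-maps from R5 evaluated in Python, following one prefix out through R5 and back through R12 with and without the tag filter. It assumes R12 carries the same two route-maps as R5 (only R5's configuration is shown above); the prefix 10.99.0.0/24 and the function names are constructed for the example.

```python
# Route-maps as configured on R5 above: ordered (action, match_tag, set_tag) clauses.
ROUTE_MAPS = {
    "EIGRP_TO_OSPF": [("deny", 110, None), ("permit", None, 90)],
    "OSPF_TO_EIGRP": [("deny", 90, None), ("permit", None, 110)],
}


def apply_route_map(name, route):
    """Return the route as redistributed, or None if the route-map filters it."""
    for action, match_tag, set_tag in ROUTE_MAPS[name]:
        if match_tag is not None and route["tag"] != match_tag:
            continue                      # clause does not match, try the next one
        if action == "deny":
            return None
        return dict(route, tag=set_tag if set_tag is not None else route["tag"])
    return None                           # implicit deny at the end of a route-map


def redistribute(route, target, filtered):
    """Redistribute a route into `target` ("ospf" or "eigrp") on a border router."""
    name = "EIGRP_TO_OSPF" if target == "ospf" else "OSPF_TO_EIGRP"
    out = apply_route_map(name, route) if filtered else dict(route)
    if out is not None:
        out["domain"] = target
        out["hops"] = route["hops"] + [target]
    return out


def round_trip(origin, filtered):
    """Follow one prefix out through R5 and back through R12; return its path."""
    other = "ospf" if origin == "eigrp" else "eigrp"
    # Constructed route; tag 0 means the route carries no tag yet.
    route = {"prefix": "10.99.0.0/24", "domain": origin, "tag": 0, "hops": [origin]}
    via_r5 = redistribute(route, other, filtered)   # R5: origin -> other protocol
    back = redistribute(via_r5, origin, filtered)   # R12: other protocol -> origin
    return (back or via_r5)["hops"]


if __name__ == "__main__":
    for origin in ("eigrp", "ospf"):
        print(origin, "with tags:", round_trip(origin, True),
              "| without:", round_trip(origin, False))
```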


OSPF Common Topics Lab Config #1

We will be configuring the first 10 tasks in the lab that was pasted up a few days back. These tasks are listed below for reference. I will be showing information only about the tasks listed. Initial configuration of the OSPF routing processes and network statements are not covered so you will have to take care of that yourself.

Tasks
* Make R1 the DR and R2 the BDR for the 172.16.123.0/24 network.
* R1-R2-R3 will be using their default OSPF network type of broadcast.
* R1-R4 link is frame-relay and the OSPF network type is point-to-multipoint.
* R1-R4 link is using MD5 authentication for peering.
* R1-R5 link is frame-relay and the OSPF network type is the default of non-broadcast.
* R1-R5 link is using simple authentication for peering.
* R1-R12 link is using its default OSPF network area type of point-to-point.
* R1, R2, R3, R4, R5, and R12 are all in OSPF area 0.
* R2-R8 will serve as a virtual link for OSPF area 4.
* R3-R9 link is using frame-relay and OSPF network type is point-to-multipoint non-broadcast.

Task 1

Network 172.16.123.0/24 is an Ethernet segment connecting R1, R2, and R3. This is what in OSPF terms is called a multiaccess network. Ethernet interfaces participating in OSPF have a default network type of broadcast so this means a Designated Router(DR) and Backup Designated Router(BDR) are going to be elected. We want R1 to always be elected the DR and R2 to be elected as BDR which will leave R3 to be a DROTHER. We can make R1 always elected the DR by giving it a higher priority value on its FastEthernet interface than R2 and R3. We then do the same thing for R2. We will leave R3 at the default priority value of 1.

R1(config)#interface fa1/0
R1(config-if)#ip ospf priority 200
R2(config)#interface fa1/0
R2(config-if)#ip ospf priority 100

R1 and R2 will not become DR and BDR now just because you have put in this configuration. If there is a currently elected DR and BDR then you will have to cause a new election and the easiest thing to do in a lab is of course reboot the R1, R2, and R3 routers. So that is done and now we can take a look to see if our settings worked out like we wanted.

R1#show ip ospf interface fa1/0 | inc Desig
  Designated Router (ID) 0.0.0.1, Interface address 172.16.123.1
  Backup Designated router (ID) 0.0.0.2, Interface address 172.16.123.2
    Adjacent with neighbor 0.0.0.2  (Backup Designated Router)

The output shows R1, router ID 0.0.0.1, is the DR and R2, router ID 0.0.0.2, is the BDR. There is another command that you can use to see some of this info as well, but it will not show anything for the current router you are on.

R1#show ip ospf neigh
Neighbor ID     Pri   State           Dead Time   Address         Interface
0.0.0.2         100   FULL/BDR        00:00:32    172.16.123.2    FastEthernet1/0
0.0.0.3           1   FULL/DROTHER    00:00:32    172.16.123.3    FastEthernet1/0

The neighbor command allows us to see that R3, router id 0.0.0.3, is a DROTHER.

Task 2

Nothing to configure here as the default network type for the 172.16.123.0/24 network is broadcast. Let's verify this of course.

R1#show ip ospf interface fa1/0 | inc Type
  Process ID 1, Router ID 0.0.0.1, Network Type BROADCAST, Cost: 1
R2#show ip ospf interface fa1/0 | inc Type
  Process ID 1, Router ID 0.0.0.2, Network Type BROADCAST, Cost: 1
R3#show ip ospf interface fa1/0 | inc Type
  Process ID 10000, Router ID 0.0.0.3, Network Type BROADCAST, Cost: 1

Looks good to me.

Task 3
In this task we will configure the R1-R4 link to use frame-relay and configure the OSPF network type to point-to-multipoint.

R1(config)#interface Serial0/0
R1(config-if)#encapsulation frame-relay
R1(config-if)#frame-relay map ip 172.16.14.0 104
R1(config-if)#frame-relay map ip 172.16.14.1 104 broadcast
R1(config-if)#ip ospf network point-to-multipoint
R4(config)#interface Serial0/0
R4(config-if)#encapsulation frame-relay
R4(config-if)#frame-relay map ip 172.16.14.0 401 broadcast
R4(config-if)#frame-relay map ip 172.16.14.1 401
R4(config-if)#ip ospf network point-to-multipoint

Let's verify on R4 that the configuration took.

R4#show ip ospf interface s0/0 | inc Type
  Process ID 1, Router ID 0.0.0.4, Network Type POINT_TO_MULTIPOINT, Cost: 64

Yep, point-to-multipoint as we configured it.

Task 4
We are going to setup MD5 authentication for the OSPF session between R1 and R4 in this task.

R1(config)#interface Serial0/0
R1(config-if)#ip ospf authentication message-digest
R1(config-if)#ip ospf message-digest-key 1 md5 C1sc0
R4(config)#interface Serial0/0
R4(config-if)#ip ospf authentication message-digest
R4(config-if)#ip ospf message-digest-key 1 md5 C1sc0

Now we need to check that the link is truly using MD5 authentication. Let's look at a show command and a debug command that can do this for us.

R4#show ip ospf interface s0/0 | beg Message
  Message digest authentication enabled
    Youngest key id is 1
R4#debug ip ospf packet
OSPF packet debugging is on
*Mar  1 00:58:10.455: OSPF: rcv. v:2 t:1 l:48 rid:0.0.0.1
      aid:0.0.0.0 chk:0 aut:2 keyid:1 seq:0x3C7ED1CF from Serial0/0

The show command displays that message-digest authentication is enabled. The debug command shows that the OSPF packet received from rid:0.0.0.1 (R1) is using aut:2, which is authentication type 2, so that is MD5. It also shows which key it is using in the keyid:1 value.

Task 5
This task is almost the same as task 3 except we will not be changing the network type. Frame-relay has a default OSPF network type of non-broadcast. In a non-broadcast network we are going to have to manually setup the neighbors.

R1(config)#interface Serial0/1
R1(config-if)#encapsulation frame-relay
R1(config-if)#frame-relay map ip 172.16.15.0 105
R1(config-if)#frame-relay map ip 172.16.15.1 105
R1(config-if)#router ospf 1
R1(config-router)#neighbor 172.16.15.1
R5(config)#interface Serial0/0
R5(config-if)#encapsulation frame-relay
R5(config-if)#frame-relay map ip 172.16.15.0 501
R5(config-if)#frame-relay map ip 172.16.15.1 501
R5(config-if)#router ospf 1
R5(config-router)#neighbor 172.16.15.0

Now we verify that the interface is using a non-broadcast network type and that the adjacencies are up.

R5#show ip ospf interface s0/0 | inc Type
  Process ID 1, Router ID 0.0.0.5, Network Type NON_BROADCAST, Cost: 64
R1#show ip ospf neigh s0/1
Neighbor ID     Pri   State           Dead Time   Address         Interface
0.0.0.5           1   FULL/DR         00:01:59    172.16.15.1     Serial0/1
R5#show ip ospf neigh s0/0
Neighbor ID     Pri   State           Dead Time   Address         Interface
0.0.0.1           1   FULL/BDR        00:01:55    172.16.15.0     Serial0/0

Task 6
On the R1-R5 link we are going to use simple authentication. This passes the authentication key in plain-text so it is not exactly secure by any means.

R1(config)#interface Serial0/1
R1(config-if)#ip ospf authentication
R1(config-if)#ip ospf authentication-key C1sc0
R5(config)#interface Serial0/0
R5(config-if)#ip ospf authentication
R5(config-if)#ip ospf authentication-key C1sc0

We will look at the same show and debug commands we used previously when configuring MD5 authentication.

R1#show ip ospf interface s0/1 | inc auth
  Simple password authentication enabled
R5#debug ip ospf packet
OSPF packet debugging is on
*Mar  1 01:35:51.851: OSPF: rcv. v:2 t:1 l:48 rid:0.0.0.1
      aid:0.0.0.0 chk:750F aut:1 auk: from Serial0/0

The show command displays the correct information for this interface and the debug command shows aut:1 which is simple authentication.
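
As an added illustration (not part of the original lab), the Python example below decodes the OSPFv2 header fields that the debug lines in Task 4 and Task 6 print, and shows why aut:1 puts the key on the wire while aut:2 carries only a key ID, a sequence number and an appended digest. The two packets are constructed from the debug values above; the Hello body and the 16-byte digest are zero-filled placeholders, and the function and field names are this example's own.

```python
import struct

AUTH_TYPES = {0: "null", 1: "simple password", 2: "cryptographic (MD5)"}

def dotted(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)

def parse_ospf_auth(packet: bytes) -> dict:
    """Decode the 24-byte OSPFv2 header (RFC 2328, A.3.1) and its auth field."""
    if len(packet) < 24:
        raise ValueError("truncated OSPFv2 header")
    ver, ptype, length, rid, aid, chk, autype = struct.unpack("!BBH4s4sHH", packet[:16])
    if ver != 2:
        raise ValueError("not an OSPFv2 packet")
    auth = packet[16:24]
    info = {"type": ptype, "length": length, "rid": dotted(rid), "aid": dotted(aid),
            "checksum": chk, "autype": autype, "auth": AUTH_TYPES.get(autype, "unknown")}
    if autype == 1:
        # The 8 authentication bytes are the configured key itself, NUL padded.
        info["exposed_key"] = auth.rstrip(b"\x00").decode("ascii", "replace")
        info["finding"] = "key readable on the wire"
    elif autype == 2:
        # Layout: 2 zero bytes, key ID, digest length, 32-bit sequence number.
        _, key_id, digest_len, seq = struct.unpack("!HBBI", auth)
        info.update(key_id=key_id, digest_len=digest_len, seq=seq)
        # The digest follows the packet and is not counted in the length field.
        trailer = len(packet) - length
        info["finding"] = ("digest present, key not on the wire"
                           if trailer == digest_len else "digest missing or truncated")
    elif autype == 0:
        info["finding"] = "no authentication"
    else:
        info["finding"] = "unknown authentication type"
    return info

def build_hello(autype: int, chk: int, auth: bytes, trailer: bytes = b"") -> bytes:
    """Constructed sample: t:1 l:48 rid:0.0.0.1 aid:0.0.0.0, zero-filled Hello body."""
    head = struct.pack("!BBH4s4sHH", 2, 1, 48, bytes([0, 0, 0, 1]), bytes(4), chk, autype)
    return head + auth + bytes(48 - 24) + trailer

# Values copied from the Task 4 debug line; the 16-byte digest is a placeholder.
MD5_HELLO = build_hello(2, 0x0000, struct.pack("!HBBI", 0, 1, 16, 0x3C7ED1CF), bytes(16))
# Values copied from the Task 6 debug line; key as configured in Task 6.
SIMPLE_HELLO = build_hello(1, 0x750F, b"C1sc0".ljust(8, b"\x00"))

if __name__ == "__main__":
    for name, pkt in (("Task 4", MD5_HELLO), ("Task 6", SIMPLE_HELLO)):
        print(name, parse_ospf_auth(pkt))
```

The checksum field is zero in the aut:2 packet because the appended digest replaces the standard OSPF checksum, which matches the chk:0 seen in the Task 4 debug line.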

Task 7
Another simple one. We are just verifying that the R1-R12 link serial interfaces are using their default point-to-point OSPF network type.

R1#show ip ospf interface s0/2 | inc Type
  Process ID 1, Router ID 0.0.0.1, Network Type POINT_TO_POINT, Cost: 64
R12#show ip ospf interface s0/0 | inc Type
  Process ID 1, Router ID 0.0.0.12, Network Type POINT_TO_POINT, Cost: 64

Simple enough.

Task 8
So we want to check that all the specified routers are in area 0. Any single router in an area is supposed to have the same link-state database as all the other routers in that area. Let's take a look at the database on R12 and see what we can see.

R12#show ip ospf database

            OSPF Router with ID (0.0.0.12) (Process ID 1)

                Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
0.0.0.1         0.0.0.1         878         0x8000000E 0x004885 6
0.0.0.2         0.0.0.2         397         0x80000006 0x007310 2
0.0.0.3         0.0.0.3         403         0x80000007 0x00EEC0 1
0.0.0.4         0.0.0.4         437         0x80000008 0x00C376 2
0.0.0.5         0.0.0.5         354         0x80000007 0x00D373 1
0.0.0.8         0.0.0.8         3     (DNA) 0x80000002 0x00B84B 1
0.0.0.12        0.0.0.12        407         0x80000005 0x00AE7C 2

....... rest of output removed .......

Type 1 LSAs, router LSAs, are used by a router to advertise its identity and all its links inside of an area. The database should therefore contain all the routers in an area, and according to this show command it does include the ones listed in the task as well as R8. R8 is part of a virtual-link that we will be discussing in the next task.

Task 9
We are going to configure a virtual-link between R2 and R8 so that R4 can appear to be connected to the backbone area 0 even though it really is not.

R2(config)#router ospf 1
R2(config-router)#area 3 virtual-link 0.0.0.8
R8(config)#router ospf 1
R8(config-router)#area 3 virtual-link 0.0.0.2

Notice that you are using the router ID of the opposite side of the virtual-link and not an interface IP address. Now we verify that the link is up and working.

R2#show ip ospf virtual-links
Virtual Link OSPF_VL0 to router 0.0.0.8 is up
  Run as demand circuit
  DoNotAge LSA allowed.
  Transit area 3, via interface Serial0/0, Cost of using 64
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:03
    Adjacency State FULL (Hello suppressed)
    Index 1/2, retransmission queue length 0, number of retransmission 0
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 0, maximum is 0
    Last retransmission scan time is 0 msec, maximum is 0 msec

Task 10
Another frame-relay config and this time we will be using the OSPF network type of point-to-multipoint nonbroadcast. As before, because this is nonbroadcast we will need to manually configure the neighbors.

R3(config)#interface Serial0/0
R3(config-if)#encapsulation frame-relay
R3(config-if)#frame-relay map ip 172.16.39.0 309
R3(config-if)#frame-relay map ip 172.16.39.1 309
R3(config-if)#ip ospf network point-to-multipoint non-broadcast
R3(config-if)#router ospf 10000
R3(config-router)#neighbor 172.16.39.1
R9(config)#interface Serial0/0
R9(config-if)#encapsulation frame-relay
R9(config-if)#frame-relay map ip 172.16.39.0 903
R9(config-if)#frame-relay map ip 172.16.39.1 903
R9(config-if)#ip ospf network point-to-multipoint non-broadcast
R9(config-if)#router ospf 1
R9(config-router)#neighbor 172.16.39.0

You can use the same show commands as mentioned previously to verify anything.

We will cover the next 11 config tasks in post #2 and then the final config tasks in post #3.


Routing Challenge @ Networking-forum.com

Steve over at Networking-Forum.com is holding a cool contest. Click here to check it out.

