Tag Archives: CCIE

Demystifying the OSPFv3 database – Part 3

Previous posts in this series has been limited to a single area. Let’s now start adding new areas and see what LSAs are produced. I’m going to add R6 to area 6 as follows:
OSPFv3 4 Demystifying the OSPFv3 database – Part 3
Area 1 is a standard area. R6 is originating it’s loopback into OSPFv3. R1 is a regular ABR. In OSPFv2 I would expect R1 to originate Type3 LSAs for all the Type1 and Type2 LSAs in area 0. In OSPFv3 this is similar behaviour. The Type3 LSA is now labelled as the ‘Inter Area Prefix Link States’

R6#show ospfv3 database | begin Inter
		Inter Area Prefix Link States (Area 1)

ADV Router       Age         Seq#        Prefix
 1.1.1.1         783         0x80000001  2001:DB8::1:1:1:1/128
 1.1.1.1         783         0x80000001  2001:DB8:12::/64
 1.1.1.1         783         0x80000001  2001:DB8::2:2:2:2/128
 1.1.1.1         783         0x80000001  2001:DB8::3:3:3:3/128
 1.1.1.1         783         0x80000001  2001:DB8::7:7:7:7/128
 1.1.1.1         783         0x80000001  2001:DB8:13::/64

Note that there is a separate Type3 for each and every prefix. This is similar the Type3 in OSPFv2. If I add another loopback to R7, I would expect R7 to originate a new single Type9 in area 0 listing all it’s connected prefixes. I would also then expect R1 to originate an extra Type3 for that prefix in addition to the existing Type3s:

R7(config)#int lo0
R7(config-if)#ipv6 address 2001:db8::77:77:77:77/128
R1#show ospfv3 database prefix adv-router 7.7.7.7

          OSPFv3 1 address-family ipv6 (router-id 1.1.1.1)

		Intra Area Prefix Link States (Area 0)

  Routing Bit Set on this LSA
  LS age: 56
  LS Type: Intra-Area-Prefix-LSA
  Link State ID: 0
  Advertising Router: 7.7.7.7
  LS Seq Number: 80000002
  Checksum: 0xDB08
  Length: 72
  Referenced LSA Type: 2001
  Referenced Link State ID: 0
  Referenced Advertising Router: 7.7.7.7
  Number of Prefixes: 2
  Prefix Address: 2001:DB8::7:7:7:7
  Prefix Length: 128, Options: LA, Metric: 0
  Prefix Address: 2001:DB8::77:77:77:77
  Prefix Length: 128, Options: LA, Metric: 0
R6#show ospfv3 database | begin Inter
		Inter Area Prefix Link States (Area 1)

ADV Router       Age         Seq#        Prefix
 1.1.1.1         1464        0x80000001  2001:DB8::1:1:1:1/128
 1.1.1.1         1464        0x80000001  2001:DB8:12::/64
 1.1.1.1         1464        0x80000001  2001:DB8::2:2:2:2/128
 1.1.1.1         1464        0x80000001  2001:DB8::3:3:3:3/128
 1.1.1.1         1464        0x80000001  2001:DB8:13::/64
 1.1.1.1         82          0x80000001  2001:DB8::7:7:7:7/128
 1.1.1.1         82          0x80000001  2001:DB8::77:77:77:77/128

R1 being the ABR is also originating Type3′s into area 0:

R2#show ospfv3 database inter-area prefix

          OSPFv3 1 address-family ipv6 (router-id 2.2.2.2)

		Inter Area Prefix Link States (Area 0)

  Routing Bit Set on this LSA
  LS age: 560
  LS Type: Inter Area Prefix Links
  Link State ID: 0
  Advertising Router: 1.1.1.1
  LS Seq Number: 80000001
  Checksum: 0x6F46
  Length: 36
  Metric: 64
  Prefix Address: 2001:DB8:16::
  Prefix Length: 64, Options: None

  Routing Bit Set on this LSA
  LS age: 560
  LS Type: Inter Area Prefix Links
  Link State ID: 1
  Advertising Router: 1.1.1.1
  LS Seq Number: 80000001
  Checksum: 0xFF6A
  Length: 44
  Metric: 64
  Prefix Address: 2001:DB8::6:6:6:6
  Prefix Length: 128, Options: None

Area 1 will now be converted to a total stub.

R6(config)#router ospfv3 1
R6(config-router)#add ipv6 un
R6(config-router-af)#area 1 stub
R1(config)#router ospfv3 1
R1(config-router)#add ipv6 un
R1(config-router-af)#area 1 stub no-summary

R6 still has the area 1 Type1, Type8, and Type9s. There is now only a single Type3 advertising a default route:

R6#show ospfv3 database inter-area prefix

          OSPFv3 1 address-family ipv6 (router-id 6.6.6.6)

		Inter Area Prefix Link States (Area 1)

  Routing Bit Set on this LSA
  LS age: 243
  LS Type: Inter Area Prefix Links
  Link State ID: 7
  Advertising Router: 1.1.1.1
  LS Seq Number: 80000001
  Checksum: 0x49E9
  Length: 28
  Metric: 1
  Prefix Address: ::
  Prefix Length: 0, Options: None

This will create a standard inter-area route:

R6#sh ipv6 route ::/0
Routing entry for ::/0
  Known via "ospf 1", distance 110, metric 65, type inter area
  Route count is 1/1, share count 0
  Routing paths:
    FE80::C801:7BFF:FE9E:8, Serial1/0
      Last updated 00:05:54 ago

I’ll now originate an external LSA on R2:

R2(config)#router ospfv3 1
R2(config-router)#address-family ipv6 unicast
R2(config-router-af)#default-information originate always

This action will cause R2 to originate a Type5 LSA. This is pretty much identical to an OSPFv2 Type5:

R7#show ospfv3 database external

          OSPFv3 1 address-family ipv6 (router-id 7.7.7.7)

		Type-5 AS External Link States

  Routing Bit Set on this LSA
  LS age: 221
  LS Type: AS External Link
  Link State ID: 0
  Advertising Router: 2.2.2.2
  LS Seq Number: 80000001
  Checksum: 0x9871
  Length: 32
  Prefix Address: ::
  Prefix Length: 0, Options: None
  Metric Type: 2 (Larger than any link state path)
  Metric: 1
  External Route Tag: 1

I’m going to change area 1 back to a regular area. As there is an external LSA on area 0, that LSA should be flooded into area 1. Routers in area 1 also need to know how to get to the ASBR, R2 in this case. In OSPFv2 the ABR originated a Type4 LSA, the ASBR-Summary LSA. In OSPFv3 it’s also a Type4, but it’s now called the Inter-Area Router LSA. With this Type4 and Type5, R6 is able to work out a path for the external route:

R6#show ospfv3 database inter-area router

          OSPFv3 1 address-family ipv6 (router-id 6.6.6.6)

		Inter Area Router Link States (Area 1)

  Routing Bit Set on this LSA
  LS age: 150
  Options: (V6-Bit, E-Bit, R-bit, DC-Bit)
  LS Type: Inter Area Router Links
  Link State ID: 33686018
  Advertising Router: 1.1.1.1
  LS Seq Number: 80000001
  Checksum: 0xC829
  Length: 32
  Metric: 1
  Destination Router ID: 2.2.2.2

I’m now going to convert area 1 to an NSSA and originate an external route via R6:

R1(config)#router ospfv3 1
R1(config-router)#add ipv6 un
R1(config-router-af)#area 1 nssa no-sum
R6(config)#int lo1
R6(config-if)#ipv6 add 2001:db8::66:66:66:66/128

R6(config-if)#route-map LOOPBACK1
R6(config-route-map)#match interface lo1

R6(config-route-map)#router ospfv3 1
R6(config-router)#add ipv6 un
R6(config-router-af)#area 1 nssa
R6(config-router-af)#redistribute connected route-map LOOPBACK1

R1 should see this as a Type7 NSSA external. OSPFv2 and OSPFv3 are the same in this regard:

R1#sh ospfv3 database nssa-external

          OSPFv3 1 address-family ipv6 (router-id 1.1.1.1)

		Type-7 AS External Link States (Area 1)

  Routing Bit Set on this LSA
  LS age: 60
  LS Type: AS External Link
  Link State ID: 1
  Advertising Router: 6.6.6.6
  LS Seq Number: 80000001
  Checksum: 0x8857
  Length: 60
  Prefix Address: 2001:DB8::66:66:66:66
  Prefix Length: 128, Options: P
  Metric Type: 2 (Larger than any link state path)
  Metric: 20
  Forward Address: 2001:DB8::6:6:6:6

R1 being the ABR into area 0 should convert that Type7 into a Type5:

R1#show ospfv3 database external adv-router 1.1.1.1

          OSPFv3 1 address-family ipv6 (router-id 1.1.1.1)

		Type-5 AS External Link States

  LS age: 172
  LS Type: AS External Link
  Link State ID: 0
  Advertising Router: 1.1.1.1
  LS Seq Number: 80000001
  Checksum: 0x23BB
  Length: 60
  Prefix Address: 2001:DB8::66:66:66:66
  Prefix Length: 128, Options: None
  Metric Type: 2 (Larger than any link state path)
  Metric: 20
  Forward Address: 2001:DB8::6:6:6:6

As R1 is originating this LSA, routers in area 0 don’t need the Type4 for information on how to get to the ASBR R6.

In part 4 I’ll go over various other parts of OSPFv3, including using IPv4.

Demystifying the OSPFv3 database – Part 2

In yesterday’s post I forgot to mention a very interesting behaviour of the way router’s originate Type9 LSAs over a broadcast segment. Let’s remind ourselves of the topology we were up to:
OSPFv3 3 Demystifying the OSPFv3 database – Part 2
I’ve reset this topology and currently R3 is the DR. Let’s first check the non-broadcast link between R1 and R2. Each router oritiginates a Type9 with all their OSPFv3 enabled prefixes. This includes the link between them:

R2#show ospfv3 database prefix self-originate

          OSPFv3 1 address-family ipv6 (router-id 2.2.2.2)

		Intra Area Prefix Link States (Area 0)

  Routing Bit Set on this LSA
  LS age: 568
  LS Type: Intra-Area-Prefix-LSA
  Link State ID: 0
  Advertising Router: 2.2.2.2
  LS Seq Number: 80000003
  Checksum: 0xF340
  Length: 64
  Referenced LSA Type: 2001
  Referenced Link State ID: 0
  Referenced Advertising Router: 2.2.2.2
  Number of Prefixes: 2
  Prefix Address: 2001:DB8::2:2:2:2
  Prefix Length: 128, Options: LA, Metric: 0
  Prefix Address: 2001:DB8:12::
  Prefix Length: 64, Options: None, Metric: 1

Here R2 has two prefixes in the LSA. R1 is also originating 2001:DB8:12::/64 in it’s LSA. When connected to a broadcast segment, routers do NOT advertise the connected prefixes address. Take a look at R7′s Type9:

R7#show ospfv3 database prefix self-originate

          OSPFv3 1 address-family ipv6 (router-id 7.7.7.7)

		Intra Area Prefix Link States (Area 0)

  Routing Bit Set on this LSA
  LS age: 6
  LS Type: Intra-Area-Prefix-LSA
  Link State ID: 0
  Advertising Router: 7.7.7.7
  LS Seq Number: 80000003
  Checksum: 0x2E11
  Length: 52
  Referenced LSA Type: 2001
  Referenced Link State ID: 0
  Referenced Advertising Router: 7.7.7.7
  Number of Prefixes: 1
  Prefix Address: 2001:DB8::7:7:7:7
  Prefix Length: 128, Options: LA, Metric: 0

R7 is not showing it’s connected to the 2001:db8:13::/64 subnet.

Responsibility for advertising that Type9 lies with the DR. The interesting part is that the DR actually originates two separate Type9s:

R3#show ospfv3 database prefix self-originate

          OSPFv3 1 address-family ipv6 (router-id 3.3.3.3)

		Intra Area Prefix Link States (Area 0)

  Routing Bit Set on this LSA
  LS age: 876
  LS Type: Intra-Area-Prefix-LSA
  Link State ID: 0
  Advertising Router: 3.3.3.3
  LS Seq Number: 80000004
  Checksum: 0xE984
  Length: 52
  Referenced LSA Type: 2001
  Referenced Link State ID: 0
  Referenced Advertising Router: 3.3.3.3
  Number of Prefixes: 1
  Prefix Address: 2001:DB8::3:3:3:3
  Prefix Length: 128, Options: LA, Metric: 0

  Routing Bit Set on this LSA
  LS age: 1150
  LS Type: Intra-Area-Prefix-LSA
  Link State ID: 2048
  Advertising Router: 3.3.3.3
  LS Seq Number: 80000001
  Checksum: 0x1297
  Length: 44
  Referenced LSA Type: 2002
  Referenced Link State ID: 2
  Referenced Advertising Router: 3.3.3.3
  Number of Prefixes: 1
  Prefix Address: 2001:DB8:13::
  Prefix Length: 64, Options: None, Metric: 0

There is an important detail to note. The Type9 originated for the segment has a reference LSA Type value of 2002 while a regular Type9 has a value of 2001. The 2002 value tells you that the LSA was originated by the DR for the segment.

Ultimately this means that a DR will originate two separate LSAs for each broadcast segment. The second LSA being the link state Type2:

R3#show ospfv3 database network self-originate

          OSPFv3 1 address-family ipv6 (router-id 3.3.3.3)

		Net Link States (Area 0)

  LS age: 1524
  Options: (V6-Bit, E-Bit, R-bit, DC-Bit)
  LS Type: Network Links
  Link State ID: 2 (Interface ID of Designated Router)
  Advertising Router: 3.3.3.3
  LS Seq Number: 80000002
  Checksum: 0xF0D8
  Length: 36
	Attached Router: 3.3.3.3
	Attached Router: 1.1.1.1
	Attached Router: 7.7.7.7

In part 3 I’ll be going over inter-area LSAs

Demystifying the OSPFv3 database – Part 1

Two years ago I published a post demystifying the OSPF database. I thought I’d do the same with OSPFv3 and the LSA types are fundamentally different. OSPFv3 is not simply OSPF for IPV6. OSPFv3 can also be used for IPv4 and has the capability to be extended.

In order to go through the LSA types, I’m going to be building a network as we go along and viewing the database. One thing to note is that since OSPFv3 has been extended on IOS, you can either use ipv6 ospf or simply ospfv3 in your configuration and show commands. I’m going to be using the ospfv3 version.

LSA Types

Let’s start with the following basic topology:
OSPFv3 1 Demystifying the OSPFv3 database   Part 1

I’ll be running this ethernet link in point-to-point mode. I’ll also have an IPv6 adress on each loopback in OSPFv3.

R2(config)#interface Loopback0
R2(config-if)#ipv6 address 2001:DB8::2:2:2:2/128
R2(config-if)#ipv6 ospf 1 area 0
R2(config-if)#int fa0/0
R2(config-if)#ipv6 address 2001:DB8:12:0:10:1:2:2/64
R2(config-if)#ipv6 ospf 1 area 0
R2(config-if)#ipv6 ospf network point-to-point
*Jul 29 16:04:26.915: %OSPFv3-4-NORTRID: Process OSPFv3-1-IPv6 could not pick a router-id, please configure manually

OSPFv3 still needs a 32bit router-id. Usually IOS will take the highest IPv4 loopback address as the 32bit number. I have no IPv4 configured on this router and hence will need to hard-code this value. Remember this is a 32bit number in dotted decimal format. It is not an IPv4 address in itself.

First, let’s confirm our adjacency is up:

R2#show ospfv3 neighbor

          OSPFv3 1 address-family ipv6 (router-id 2.2.2.2)

Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
1.1.1.1           0   FULL/  -        00:00:39    2               FastEthernet0/0

The neighbour ID is the 32bit router-id on the other side. OSPFv3 uses IPv6 link-local addresses to form the adjacency:

R2#show ospfv3 neighbor detail

          OSPFv3 1 address-family ipv6 (router-id 2.2.2.2)

 Neighbor 1.1.1.1
    In the area 0 via interface FastEthernet0/0
    Neighbor: interface-id 2, link-local address FE80::C800:6FFF:FE16:8
    Neighbor priority is 0, State is FULL, 6 state changes
    Options is 0x000013 in Hello (V6-Bit, E-Bit, R-bit)
    Options is 0x000013 in DBD (V6-Bit, E-Bit, R-bit)
    Dead timer due in 00:00:38
    Neighbor is up for 00:27:24
    Index 1/1/1, retransmission queue length 0, number of retransmission 0
    First 0x0(0)/0x0(0)/0x0(0) Next 0x0(0)/0x0(0)/0x0(0)
    Last retransmission scan length is 0, maximum is 0
    Last retransmission scan time is 0 msec, maximum is 0 msec

Let’s take a quick look at the database. In OSPFv2 I would expect to see 2 Type1 LSAs only. What does OSPFv3 give us?:

R1#show ospfv3 database

          OSPFv3 1 address-family ipv6 (router-id 1.1.1.1)

		Router Link States (Area 0)

ADV Router       Age         Seq#        Fragment ID  Link count  Bits
 1.1.1.1         12          0x80000007  0            1           None
 2.2.2.2         18          0x8000000B  0            1           None

		Link (Type-8) Link States (Area 0)

ADV Router       Age         Seq#        Link ID    Interface
 1.1.1.1         13          0x80000005  2          Fa0/0
 2.2.2.2         18          0x80000004  2          Fa0/0

		Intra Area Prefix Link States (Area 0)

ADV Router       Age         Seq#        Link ID    Ref-lstype  Ref-LSID
 1.1.1.1         12          0x8000000B  0          0x2001      0
 2.2.2.2         18          0x80000007  0          0x2001      0

A lot more than just two Type1s! There are still Type1 LSAs, but also Type8 and Type9s. In OSPFv2, the Type1 LSA would be originated by each router in the area and would contain it’s router-id, links, and IPs associated with those links. OSPFv3 removes the IP addressing from the Type1 as it’s now there to show the router-id and links it’s connected to:

R1#show ospfv3 database router adv-router 1.1.1.1

          OSPFv3 1 address-family ipv6 (router-id 1.1.1.1)

		Router Link States (Area 0)

  LS age: 87
  Options: (V6-Bit, E-Bit, R-bit, DC-Bit)
  LS Type: Router Links
  Link State ID: 0
  Advertising Router: 1.1.1.1
  LS Seq Number: 80000007
  Checksum: 0xDA0F
  Length: 40
  Number of Links: 1

    Link connected to: another Router (point-to-point)
      Link Metric: 1
      Local Interface ID: 2
      Neighbor Interface ID: 2
      Neighbor Router ID: 2.2.2.2

Remember 2.2.2.2 is simply the neighbours router-id. Note that this LSA does not contain the p2p IPv6 address, nor the loopback address. It’s simply a link topology LSA.
Type8 LSAs have link flooding scope, something you simply do not see in OSPFv2. I’ll get back to this one once we hadd another router into the area as it’ll make more sense then.

The IP addressing information in this topology is contained in the Type9 LSA. The intra-area prefix LSA:

R1#show ospfv3 database prefix adv-router 1.1.1.1

          OSPFv3 1 address-family ipv6 (router-id 1.1.1.1)

		Intra Area Prefix Link States (Area 0)

  Routing Bit Set on this LSA
  LS age: 454
  LS Type: Intra-Area-Prefix-LSA
  Link State ID: 0
  Advertising Router: 1.1.1.1
  LS Seq Number: 80000026
  Checksum: 0x1DFF
  Length: 64
  Referenced LSA Type: 2001
  Referenced Link State ID: 0
  Referenced Advertising Router: 1.1.1.1
  Number of Prefixes: 2
  Prefix Address: 2001:DB8::1:1:1:1
  Prefix Length: 128, Options: LA, Metric: 0
  Prefix Address: 2001:DB8:12::
  Prefix Length: 64, Options: None, Metric: 1

Here we see the two prefixes originated. Also notice the LSA can contain more than one prefix at a time. Much like a Type1 LSA.

I’ll now add a third router to the topology. This will also be in Area 0
OSPFv3 21 Demystifying the OSPFv3 database   Part 1

Let’s go back to the Type8 LSA we delayed earlier. In OSPFv2 all routers in an area need to have identical databases. In OSPFv3 this is not the case as each router will have different link LSAs. This LSA has link-only flooding scope and so is never flooded past the link in question. If we look at the Type8s from R3′s perspective:

R3#show ospfv3 database link

          OSPFv3 1 address-family ipv6 (router-id 3.3.3.3)

		Link (Type-8) Link States (Area 0)

  LS age: 847
  Options: (V6-Bit, E-Bit, R-bit, DC-Bit)
  LS Type: Link-LSA (Interface: FastEthernet0/0)
  Link State ID: 3 (Interface ID)
  Advertising Router: 1.1.1.1
  LS Seq Number: 80000002
  Checksum: 0x9063
  Length: 56
  Router Priority: 1
  Link Local Address: FE80::C800:6FFF:FE16:6
  Number of Prefixes: 1
  Prefix Address: 2001:DB8:13::
  Prefix Length: 64, Options: None

  LS age: 772
  Options: (V6-Bit, E-Bit, R-bit, DC-Bit)
  LS Type: Link-LSA (Interface: FastEthernet0/0)
  Link State ID: 2 (Interface ID)
  Advertising Router: 3.3.3.3
  LS Seq Number: 80000001
  Checksum: 0xAC3D
  Length: 56
  Router Priority: 1
  Link Local Address: FE80::C802:6FFF:FE16:8
  Number of Prefixes: 1
  Prefix Address: 2001:DB8:13::
  Prefix Length: 64, Options: None

R3 has two LSAs. One originated by R1 and the other by R3. It contains the link local address of each side plus the prefixes assigned to that interface itself. R1, in the same area, will have a different view as it has neighbours on two different links:

R1#show ospfv3 database | begin Type-8
		Link (Type-8) Link States (Area 0)

ADV Router       Age         Seq#        Link ID    Interface
 1.1.1.1         81          0x80000003  3          Fa0/1
 3.3.3.3         1110        0x80000001  2          Fa0/1
 1.1.1.1         1967        0x80000020  2          Fa0/0
 2.2.2.2         164         0x80000020  2          Fa0/0

I’ll now add a new router in the area, and connect it to the same segment that R1 and R3 is connected to. I’ll change the network type back to broadcast for this link:
OSPFv3 3 Demystifying the OSPFv3 database   Part 1
On a broadcast link, the DR will originate a Type2 LSA. This is one of the few LSAs that is near identical to it’s OSPFv2 counterpart. This LSA still has area flooding scope and hence R2 will also be able to see it:

R2#show ospfv3 database network

          OSPFv3 1 address-family ipv6 (router-id 2.2.2.2)

		Net Link States (Area 0)

  LS age: 368
  Options: (V6-Bit, E-Bit, R-bit, DC-Bit)
  LS Type: Network Links
  Link State ID: 2 (Interface ID of Designated Router)
  Advertising Router: 3.3.3.3
  LS Seq Number: 80000002
  Checksum: 0xF0D8
  Length: 36
	Attached Router: 3.3.3.3
	Attached Router: 1.1.1.1
	Attached Router: 7.7.7.7

R3 is the DR for the segment, and the LSA contains the router-ids of all three routers connected to that segment. Each of those three routers will still only originate a single Type8 on that link. So I would expect to see three Type8s on that link from R7′s perspective:

R7#show ospfv3 database | begin Type-8
		Link (Type-8) Link States (Area 0)

ADV Router       Age         Seq#        Link ID    Interface
 1.1.1.1         718         0x80000004  3          Fa0/0
 3.3.3.3         1922        0x80000001  2          Fa0/0
 7.7.7.7         505         0x80000001  2          Fa0/0

Recalculation

It’s clear from above that OSPFv3 separates IP address information from the topology LSAs. This is important for a number of reasons. In OSPFv2, if a router originated a new Type1 or Type2 LSA, it would cause all routers in the area to run SPF. If I changed the IP address of any OSPF link, that would cause SPF to run. If I added a secondary address to an OSPF link, SPF would run. In OSPFv3 the adding or changing of addresses does not cause the router to originate a new Type1. This means that addresses being changed will not cause SPF to run.

Take a look at R7′s current excecution count:

R7#show ospfv3 statistic | include algorithm
  Area 0: SPF algorithm executed 2 times

On R1 I’ll add an address to the loopback interface. This would cause SPF to run in OSPFv2:

R1(config)#int lo0
R1(config-if)#ipv6 address 2001:db8::11:11:11:11/128

What does R7 see?

R7#show ospfv3 statistic | include algorithm
  Area 0: SPF algorithm executed 2 times

No increase.

Let’s dig a little deeper in the LSAs to see what’s happened. The Type1 LSA originated by R1:

R7#show ospfv3 database router adv-router 1.1.1.1

          OSPFv3 1 address-family ipv6 (router-id 7.7.7.7)

		Router Link States (Area 0)

  LS age: 1160
  Options: (V6-Bit, E-Bit, R-bit, DC-Bit)
  LS Type: Router Links
  Link State ID: 0
  Advertising Router: 1.1.1.1
  LS Seq Number: 80000028
  Checksum: 0xF6AD
  Length: 56
  Number of Links: 2

    Link connected to: a Transit Network
      Link Metric: 1
      Local Interface ID: 3
      Neighbor (DR) Interface ID: 2
      Neighbor (DR) Router ID: 3.3.3.3

    Link connected to: another Router (point-to-point)
      Link Metric: 1
      Local Interface ID: 2
      Neighbor Interface ID: 2
      Neighbor Router ID: 2.2.2.2

The LSA age is 1160 seconds, even though I just added a new IPv6 address. i.e. no new Type1. If we look at the Type9 LSA from R1:

R7#show ospfv3 database prefix adv-router 1.1.1.1

          OSPFv3 1 address-family ipv6 (router-id 7.7.7.7)

		Intra Area Prefix Link States (Area 0)

  Routing Bit Set on this LSA
  LS age: 146
  LS Type: Intra-Area-Prefix-LSA
  Link State ID: 0
  Advertising Router: 1.1.1.1
  LS Seq Number: 8000002D
  Checksum: 0xADA5
  Length: 84
  Referenced LSA Type: 2001
  Referenced Link State ID: 0
  Referenced Advertising Router: 1.1.1.1
  Number of Prefixes: 3
  Prefix Address: 2001:DB8::1:1:1:1
  Prefix Length: 128, Options: LA, Metric: 0
  Prefix Address: 2001:DB8::11:11:11:11
  Prefix Length: 128, Options: LA, Metric: 0
  Prefix Address: 2001:DB8:12::
  Prefix Length: 64, Options: None, Metric: 1

There’s the new prefix we added. LSA age is lower so this is a new one. R7 already has the existing Type1 LSA so it knows about router-id 1.1.1.1 – It can therefore now work out the route to the new prefix with this Type9 LSA. It does not need to run SPF again as it has already run SPF on that Type1. R7 therefore has an intra-area route to that prefix:

R7#show ipv6 route 2001:db8::11:11:11:11
Routing entry for 2001:DB8::11:11:11:11/128
  Known via "ospf 1", distance 110, metric 1, type intra area
  Route count is 1/1, share count 0
  Routing paths:
    FE80::C800:6FFF:FE16:6, FastEthernet0/0
      Last updated 00:05:52 ago

OSPF as the PE-CE routing protocols deep dive – Part 3 of 3 – Loop Prevention

Read part 1
Read part 2
Read part 3

 
When customer sites are single-homed, there is no possibility of a loop forming, unless of course your customer decides to set up a bunch of GRE tunnels and run OSPF over that, but I digress. If a site is multi-homed, or two sites have a back-door between them, it’s essential that route from BGP going into OSPF, do not go back into BGP.

Let’s create a slightly different diagram for this one. R3 is now also a PE router:
loop ospf OSPF as the PE CE routing protocols deep dive – Part 3 of 3 – Loop Prevention

The loop prevention used ultimately depends on whether a prefix comes in as internal or external. If a sham-link is configured and all OSPF routes are intra-area, no loop prevention is needed. Standard SPF is run everything is fine. This is because everything is seen in area 0, and SPF can run with full knowledge of the entire area.

As soon as type3s and type5s are used, OSPF becomes a little more distance vector like. ABRs/ASBRs originate new LSAs and other OSPF router believe what is told to them. This makes is possible for loops to appear when multual redistribution is occuring.

The down bit

Let’s go back to RFC 4577, specifically section 4.2.5.1

When a type 3 LSA is sent from a PE router to a CE router, the DN bit [OSPF-DN] in the LSA Options field MUST be set. This is used to ensure that if any CE router sends this type 3 LSA to a PE router, the PE router will not redistribute it further.

When a PE router needs to distribute to a CE router a route that comes from a site outside the latter’s OSPF domain, the PE router presents itself as an ASBR (Autonomous System Border Router), and distributes the route in a type 5 LSA. The DN bit [OSPF-DN] MUST be set in these LSAs to ensure that they will be ignored by any other PE routers that receive them.

There are deployed implementations that do not set the DN bit, but instead use OSPF route tagging to ensure that a type 5 LSA generated by a PE router will be ignored by any other PE router that may receive it. A special OSPF route tag, which we will call the VPN Route Tag (see Section 4.2.5.2), is used for this purpose. To ensure backward compatibility, all implementations adhering to this specification MUST by default support the VPN Route Tag procedures specified in Sections 4.2.5.2, 4.2.8.1, and 4.2.8.2. When it is no longer necessary to use the VPN Route Tag in a particular deployment, its use (both sending and receiving) may be disabled by configuration.

Essentially, if an LSA arrives at a PE with the down bit set, that will never be redistributed into BGP. This prevents the route from leaking in from one PE back into another PE.

Down Bit – IOS

R7 is advertising it’s loopback address. No sham-links are used and so R4 will originate a type3 LSA to R6:

R6#show ip ospf database summary 7.7.7.7  adv-router 4.4.4.4

            OSPF Router with ID (6.6.6.6) (Process ID 1)

                Summary Net Link States (Area 0)

  Routing Bit Set on this LSA in topology Base with MTID 0
  LS age: 441
  Options: (No TOS-capability, DC, Downward)
  LS Type: Summary Links(Network)
  Link State ID: 7.7.7.7 (summary Network Number)
  Advertising Router: 4.4.4.4
  LS Seq Number: 80000003
  Checksum: 0x5636
  Length: 28
  Network Mask: /32
        MTID: 0         Metric: 2

Options state ‘Downward’ – This LSA is flooded to R6 -> R5 -> R3. R3, another PE, will have the LSA (all databases need to match remember) but it will not use the LSA. The routing bit will not be set, and it will not redistribute that into BGP either:

R3#  show ip ospf database summary 7.7.7.7  adv-router 4.4.4.4

            OSPF Router with ID (10.0.35.3) (Process ID 1)

                Summary Net Link States (Area 0)

  LS age: 597
  Options: (No TOS-capability, DC, Downward)
  LS Type: Summary Links(Network)
  Link State ID: 7.7.7.7 (summary Network Number)
  Advertising Router: 4.4.4.4
  LS Seq Number: 80000003
  Checksum: 0x5636
  Length: 28
  Network Mask: /32
        MTID: 0         Metric: 2

The same happens vice-versa. Any LSA originated by R3 to R5, will be received but not used by R4.
loop ospf2 OSPF as the PE CE routing protocols deep dive – Part 3 of 3 – Loop Prevention

Down Bit – IOS-XR

No change in IOS-XR behaviour. You need to be sure your domain-ids match to get a type3 between IOS and IOS-XE:

R6#sh ip ospf database summary 7.7.7.7 adv-router 4.4.4.4

            OSPF Router with ID (6.6.6.6) (Process ID 1)

                Summary Net Link States (Area 0)

  Routing Bit Set on this LSA in topology Base with MTID 0
  LS age: 20
  Options: (No TOS-capability, DC, Downward)
  LS Type: Summary Links(Network)
  Link State ID: 7.7.7.7 (summary Network Number)
  Advertising Router: 4.4.4.4
  LS Seq Number: 80000001
  Checksum: 0x5A34
  Length: 28
  Network Mask: /32
        MTID: 0         Metric: 2

Down bit set on the type3.

Route tags – IOS

Let’s go back to the RFC to see what this is all about. Section 4.2.5.2

If a particular VRF in a PE is associated with an instance of OSPF, then by default it MUST be configured with a special OSPF route tag value, which we call the VPN Route Tag. By default, this route tag MUST be included in the Type 5 LSAs that the PE originates (as the result of receiving a BGP-distributed VPN-IPv4 route, see Section 4.2.8) and sends to any of the attached CEs.

The configuration and inclusion of the VPN Route Tag is required for backward compatibility with deployed implementations that do not set the DN bit in type 5 LSAs. The inclusion of the VPN Route Tag may be disabled by configuration if it has been determined that it is no longer needed for backward compatibility.

The value of the VPN Route Tag is arbitrary but must be distinct from any OSPF Route Tag being used within the OSPF domain. Its value MUST therefore be configurable. If the Autonomous System number of the VPN backbone is two bytes long, the default value SHOULD be an automatically computed tag based on that Autonomous System number

If the Autonomous System number is four bytes long, then a Route Tag value MUST be configured, and it MUST be distinct from any Route Tag used within the VPN itself.

If a PE router needs to use OSPF to distribute to a CE router a route that comes from a site outside the CE router’s OSPF domain, the PE router SHOULD present itself to the CE router as an Autonomous System Border Router (ASBR) and SHOULD report such routes as AS-external routes. That is, these PE routers originate Type 5 LSAs reporting the extra-domain routes as AS-external routes. Each such Type 5 LSA MUST contain an OSPF route tag whose value is that of the VPN Route Tag. This tag identifies the route as having come from a PE router. The VPN Route Tag MUST be used to ensure that a Type 5 LSA originated by a PE router is not redistributed through the OSPF area to another PE router.

Note that it says the OSPF should set a route-tag when the implementation doesn’t support setting the down bit in type5 LSAs. Also note in the previous RFC quote that it did note an implementation could set the down bit in type5s if desired. At this point I’ve stopped advertising R7′s loopback directly into OSPF and simply redistributed the loopback. This ensures that the LSA is external.

Usually when an ASBR originates a type5, that type5 remains unchanged in the domain. i.e. the originating router is the same. However according to the quote above, the PE need to originate a new type5 to the attached CE. This we see on R6:

R6#show ip ospf database external 7.7.7.7  adv-router 4.4.4.4

            OSPF Router with ID (6.6.6.6) (Process ID 1)

                Type-5 AS External Link States

  Routing Bit Set on this LSA in topology Base with MTID 0
  LS age: 38
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: 7.7.7.7 (External Network Number )
  Advertising Router: 4.4.4.4
  LS Seq Number: 80000001
  Checksum: 0x77C7
  Length: 36
  Network Mask: /32
        Metric Type: 2 (Larger than any link state path)
        MTID: 0
        Metric: 20
        Forward Address: 0.0.0.0
        External Route Tag: 3489661028

Notice no down bit. Also note the originator of this type5 is R4 itself. Finally the route has an external route tag of 3489661028

Much like the down bit, if a PE router receives an external LSA with a domain tag that matches it’s own, that LSA will not be used or redistributed
loop ospf31 OSPF as the PE CE routing protocols deep dive – Part 3 of 3 – Loop Prevention

R3#show ip ospf 1 database external 7.7.7.7 adv-router 4.4.4.4

            OSPF Router with ID (10.0.35.3) (Process ID 1)

                Type-5 AS External Link States

  LS age: 744
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: 7.7.7.7 (External Network Number )
  Advertising Router: 4.4.4.4
  LS Seq Number: 80000001
  Checksum: 0x77C7
  Length: 36
  Network Mask: /32
        Metric Type: 2 (Larger than any link state path)
        MTID: 0
        Metric: 20
        Forward Address: 0.0.0.0
        External Route Tag: 3489661028

No routing bit set, no redistribution happening.

Route tags – IOS-XR

R6#sh ip ospf database external 7.7.7.7 adv-router 4.4.4.4

            OSPF Router with ID (6.6.6.6) (Process ID 1)

                Type-5 AS External Link States

  Routing Bit Set on this LSA in topology Base with MTID 0
  LS age: 11
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: 7.7.7.7 (External Network Number )
  Advertising Router: 4.4.4.4
  LS Seq Number: 80000001
  Checksum: 0xEFCE
  Length: 36
  Network Mask: /32
        Metric Type: 2 (Larger than any link state path)
        MTID: 0
        Metric: 20
        Forward Address: 0.0.0.0
        External Route Tag: 3489661028

IOS-XR and IOS have the same behaviour.

IOS – 32bit AS number – Route-tag

The RFC states that when using 16bit AS numbers, the domain tag is automatically derived. When using a 32bit AS number, it should be manually configured. You are able to manually set this even when using a 16bit number with the domain-tag command. You can see above that when using a 16bit number it was automatic. Let’s move to a 32bit number and see what we see.
A quick change of the BGP sessions:

R4#sh run | sec router bgp
router bgp 4294967295
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 2.2.2.2 remote-as 4294967295
 neighbor 2.2.2.2 update-source Loopback0
 neighbor 3.3.3.3 remote-as 4294967295
 neighbor 3.3.3.3 update-source Loopback0

Take a look at the type5 on R6. The domain-tag matches the 32bit AS number directly. This is not 100% confirming to the RFC which states it should be manually set:

R6#sh ip ospf database external 7.7.7.7 adv-router 4.4.4.4

            OSPF Router with ID (6.6.6.6) (Process ID 1)

                Type-5 AS External Link States

  Routing Bit Set on this LSA in topology Base with MTID 0
  LS age: 76
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: 7.7.7.7 (External Network Number )
  Advertising Router: 4.4.4.4
  LS Seq Number: 80000001
  Checksum: 0x2C48
  Length: 36
  Network Mask: /32
        Metric Type: 2 (Larger than any link state path)
        MTID: 0
        Metric: 20
        Forward Address: 0.0.0.0
        External Route Tag: 4294967295

Of course, R3 will not use that LSA as it’s domain-tag matches.

Considering the domain-tag matches, it stands to reason that any inter-AS VPN using OSPF would be susceptible to routing loops as each SP will have a different domain-tag. One of them could manually set it to match the other.

32bit AS number – Route-tag – IOS-XR

IOS-XR’s 32bit external behaviour is identical to IOS:

R6#sh ip ospf database external 7.7.7.7 adv-router 4.4.4.4

            OSPF Router with ID (6.6.6.6) (Process ID 1)

                Type-5 AS External Link States

  Routing Bit Set on this LSA in topology Base with MTID 0
  LS age: 76
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: 7.7.7.7 (External Network Number )
  Advertising Router: 4.4.4.4
  LS Seq Number: 80000001
  Checksum: 0xA44F
  Length: 36
  Network Mask: /32
        Metric Type: 2 (Larger than any link state path)
        MTID: 0
        Metric: 20
        Forward Address: 0.0.0.0
        External Route Tag: 4294967295

Once again, IOS and IOS-XR have the same behaviour.

Notes

  • Unlike parts 1 and 2 of this blog, IOS and IOS-XR finally show identical behaviour when it comes to loop prevention.

Connecting IOS-XRv to dynamips through vmware

The title should in fact read: How to connect dynamips routers to IOS-XRv, or and other emulated network device, as well as real switches connecting to more devices – But this title is far too long.

I did all of this on an older ESX 4.0 server. I’m pretty sure the steps would be almost identical if not identical on a newer version. Note that this blog shows how I set up and use it. You might tweak it to your own environment. What I do is host a linux VM running dynamips on my ESX server. I load up Firefly and IOS-XRv images as needed. I log into all these devices via telnet over an IPSec tunnel.

Installing

Head over to Cisco to download IOS-XRv
Importing the .ova file is a piece of cake. For now ensure you have at least two E1000 NICS attached to the VM. The first one goes to the management port and the second to Gig0/0/0/0

Create another VM and install your favourite version of *nix on it. Ensure the machine has at least two NICs. Install dynamips and dynagen. As I’m using Ubuntu server 12.04LTS I simply do it like so:

sudo apt-get install dynamips dynagen

Upload your IOS images as needed.

VM Networking

In IOS-XRv, the first NIC connects to the mgmt interface while the second connects to gi0/0/0/0. Add more NICs and you get gi0/0/0/1 and so on. For now we just need our single interface.

On the ESX host, create a new virtual switch. If you are going to connect your virtual devices to real switches and device in the real world, you’ll need to bind a physical NIC to it. If not you don’t need to.

vswitches in vmware drop tagged frames by default. You can add a vlan to the vswitch, but thats only a single vlan and its only for the vswitch sending traffic out the vhost on the physical NIC. You need to let vmware know that you intend to send tagged traffic from your vms. To do this you set the VLAN ID to 4095. When you click OK, it will change that to ‘ALL’
vswitch vlan Connecting IOS XRv to dynamips through vmware

Make sure the second interfaces on both your *nix and IOS-XRv VM are connected to this new vswitch:
network adaptors Connecting IOS XRv to dynamips through vmware

At this point, you can tag your gi0/0/0/0 interface which will send tagged frames into the vswitch. We now need to ensure dynamips can accept those frames and get them to the right router.

I’ll load up a very small topology in dynamips like so:

autostart = False
[127.0.0.1:7200]
    workingdir = /home/darreno/dynamips/working/blog
[[7200]]
        image = /home/darreno/dynamips/ios/7200/c7200-advipservicesk9-mz.122-33.SRE7.bin
        ram = 512
        idlepc = 0x6278f1a4
        ghostios = True
        npe = npe-400
        midplane = vxr
        idlemax = 100
    [[ROUTER R1]]
        model = 7200
        console = 2001
        f1/0 = s1 1
    [[ROUTER R2]]
        model = 7200
        console = 2002
        f1/0 = s1 2
    [[ETHSW s1]]
        1 = dot1q 1 
        2 = dot1q 1
        100 = dot1q 1 nio_gen_eth:eth1

A port on each 7200 is connected to a dynamips dumb switch. The switch is configured to accept tagged frames, with the native vlan being 1. Port 100 on this switch is connected to eth1, the second nic on the system.

You can either use nio_linux_eth or nio_gen_eth. When using nio_linux_eth, it seems to send tagged frames, but not receive them. Stick with nio_gen_eth.

If you wanted to connect all of this to the outside world, you can create another port on the switch that is mapped to eth2. In vmware ensure that eth2 maps to a physical NIC. Turn on promiscuous mode in vmware as well:
prom Connecting IOS XRv to dynamips through vmware
That physical NIC can then go off to a switch which you can then connect anything you want to.

Verification

On both 7200s I have very simple configs:

interface FastEthernet1/0.20
 encapsulation dot1Q 20
 ip address 20.20.20.2 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
 ip ospf 1 area 0

On an IOS-XRv box:

interface GigabitEthernet0/0/0/0.10
 ipv4 address 10.10.10.4 255.255.255.0
 encapsulation dot1q 10
!
interface GigabitEthernet0/0/0/0.20
 ipv4 address 20.20.20.4 255.255.255.0
 encapsulation dot1q 20
!
router ospf 1
 area 0
  interface Loopback0
  !
  interface GigabitEthernet0/0/0/0.10
   network point-to-point
  !
  interface GigabitEthernet0/0/0/0.20
   network point-to-point
  !
 !
!

Do they speak? IOS:

R1#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
4.4.4.4           0   FULL/  -        00:00:37    10.10.10.4      FastEthernet1/0.10

IOS-XR:

RP/0/0/CPU0:XR4#show ospf neighbor
Fri Feb 14 11:50:25.458 UTC

* Indicates MADJ interface

Neighbors for OSPF 1

Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1         1     FULL/  -        00:00:32    10.10.10.1      GigabitEthernet0/0/0/0.10
    Neighbor is up for 00:01:28
2.2.2.2         1     FULL/  -        00:00:31    20.20.20.2      GigabitEthernet0/0/0/0.20
    Neighbor is up for 00:01:28

Total neighbor count: 2

RP/0/0/CPU0:XR4#ping 1.1.1.1
Fri Feb 14 11:57:07.951 UTC
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms

Caveats

  • You need to use subinterfaces. I use them extensively in real life so its not a problem for me.
  • It’s possible to do it without subinterfaces, but you’ll need a vswitch per p2p link. There is a limit to how many vnics you can have on a vm so it becomes unworkable quickly
  • With the above, you would need to create a link for every p2p link and add NICs on the fly. By using tagged interfaces I can connect any device to another simply by matching vlan tags.
  • All devices can send to each other directly via untagged interfaces. This generally isn’t a problem, but it can make looking at CDP offer up some interesting results:
 R1#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
XR4.CCIE         Fas 1/0           152            R       IOS XRv S Gig 0/0/0/0
R2               Fas 1/0           172            R       7206VXR   Fas 1/0
  • You can prevent the above happening by putting each dynamips port into their own native vlan

 

 

At this point you can spin up any VM network device, like a Juniper FireFly, connect it to the same vswitch, and you’ll have full connectivity via tagged frames.