CCIE - EI: 1.4 OSPF 📝

2022-04-29 · Topic: CCIE-EI

This is a summary of the notes I’ve written for CCIE-EI - CCIE - EI: 1.4 OSPF. In other words, this only contains what I felt the need to write down and is not meant as a complete study resource. Please see the study resources I’ve used or related blogs for more coherent writeups.

1.4 - OSPF

Link-state protocol using Dijkstra's SPF algorithm.

Timers

  • Hello, 10s/30s
  • Dead, 40s/120s
  • Wait, equal to dead
  • LSRefresh, 30m
  • MaxAge, 30m

Messages

  • Hello
    • Discovery
    • Agreement on parameters
    • Bidirectionality check
    • Health check
  • DBD
  • LSR
  • LSU
  • LSAck

RID selection:

  1. Statically configured RID
  2. Highest loopback IP
  3. Highest non-loopback IP

Different RIDs will be chosen for each process when there are multiple OSPF processes on a single router. The selection is done in the same way, only skipping the addresses that have already been used.

Authentication:
Classic auth:

  • Clear-text or MD5
  • Per interface with ip ospf authentication {type} plus corresponding key ip ospf authentication-key {key}
  • Default method can be set with ospf> area {n} authentication
  • Roll-over supported through adding multiple keys

Extended cryptographic OSPF authentication (key-chain):

  • MD5 or SHA
  • Supports send-lifetime and accept-lifetime
  • cryptographic-algorithm must be set per key
  • Per interface with ip ospf authentication key-chain {name}
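The send-lifetime/accept-lifetime roll-over described above, as an added example that is not part of the original notes: a constructed two-key chain, a simplified HMAC-SHA-256 trailer (RFC 5709's key padding is left out), and the accept check a receiver applies. Which valid key IOS prefers when several send-lifetimes overlap is an assumption here (lowest id); the key values and packet bytes are constructed placeholders.

```python
import hashlib
import hmac
from datetime import datetime

# Constructed key chain (example values only): each key's accept-lifetime is wider
# than its send-lifetime so a neighbor with slightly skewed clocks still accepts
# packets while both sides roll over. None = no end time.
KEY_CHAIN = [
    {"id": 1, "secret": b"KEY1-PLACEHOLDER",
     "send":   (datetime(2022, 1, 1), datetime(2022, 5, 1)),
     "accept": (datetime(2022, 1, 1), datetime(2022, 5, 1, 1))},
    {"id": 2, "secret": b"KEY2-PLACEHOLDER",
     "send":   (datetime(2022, 5, 1), None),
     "accept": (datetime(2022, 4, 30, 23), None)},
]

def in_window(window, now):
    start, end = window
    return start <= now and (end is None or now < end)

def send_key(chain, now):
    """Key for outgoing packets. Assumption in this example: when several
    send-lifetimes overlap, the valid key with the lowest id is used."""
    valid = [k for k in chain if in_window(k["send"], now)]
    return min(valid, key=lambda k: k["id"]) if valid else None

def sign(packet, key):
    """HMAC-SHA-256 over the packet bytes (RFC 5709 key padding omitted here)."""
    return hmac.new(key["secret"], packet, hashlib.sha256).digest()

def accept(chain, now, packet, key_id, digest):
    """Known key id, accept-lifetime covers now, digest verifies (constant-time)."""
    key = next((k for k in chain if k["id"] == key_id), None)
    if key is None or not in_window(key["accept"], now):
        return False
    return hmac.compare_digest(sign(packet, key), digest)

def demo():
    pkt = b"\x02\x01\x00\x2c\x0a\x00\x00\x01"   # constructed OSPFv2 header fragment
    before = datetime(2022, 4, 30, 23, 30)     # key 1 sent, key 2 already accepted
    after = datetime(2022, 5, 1, 0, 30)        # key 2 sent, key 1 still accepted
    late = datetime(2022, 5, 1, 2, 0)          # key 1 fully retired
    old = sign(pkt, KEY_CHAIN[0])
    return {
        "send_before": send_key(KEY_CHAIN, before)["id"],
        "send_after": send_key(KEY_CHAIN, after)["id"],
        "old_key_in_grace": accept(KEY_CHAIN, after, pkt, 1, old),
        "old_key_retired": accept(KEY_CHAIN, late, pkt, 1, old),
        "new_key_early": accept(KEY_CHAIN, before, pkt, 2, sign(pkt, KEY_CHAIN[1])),
        "tampered": accept(KEY_CHAIN, after, pkt + b"\x00", 1, old),
    }
```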

1.4.a Adjacencies

Adjacency states:

  1. Init, hello received
  2. 2-Way, hello with RID “seen”
  3. ExStart, bidir communication both ways, DR elected, empty DBD sent
  4. ExChange, master/slave established, DBD both received and sent
  5. Loading, Exchange of LSAs
  6. Full, databases synchronized and the adjacency complete

The master/slave relationship between two routers determines which router polls and which responds. The router with the highest RID is elected master. The master router is allowed to send DBD packets, while the slave is only allowed to respond to DBD packets with a matching sequence number. This is achieved through the MS (Master), M (More) and I (Initial) flags. The master router sets the MS and the I flag on its first DBD packet; the slave responds with only the M flag set (as long as there are more DBDs to follow), signaling to the master that it should keep polling for DBDs.

Requirements

  • Matching timers
  • Authentication
  • Common subnet
  • Common area
  • Common area-type
  • Non-duplicate RID

MTU mismatch will cause any neighbor adjacency to fail during Exchange. Statically specifying a neighbor on one end is enough to bring up the adjacency in NBMA networks.

Designated routers

Preempting will never happen with an OSPF DR

The highest RID is elected as DR by default. Priority can be set between 0 and 255; all values except 0 are eligible. An election is only performed for the roles that aren't yet filled, meaning that the current BDR will always replace a failed DR and an election will then be held for a new BDR.

The wait timer decides how long OSPF routers will wait before asserting themselves as DR/BDR. If a hello packet with the DR/BDR fields set is received while the wait timer is running, the router performs the DR/BDR election immediately.
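The election rules above (priority 0 never eligible, highest priority then highest RID, no preemption, BDR promoted when the DR disappears) worked through as an added example that is not part of the original notes; it follows the RFC 2328 section 9.4 procedure over the self-claims carried in hellos, and the router IDs and priorities are constructed.

```python
from dataclasses import dataclass

@dataclass
class Neighbor:
    rid: str        # router ID, compared numerically as a dotted quad
    priority: int   # 0 = never eligible for DR/BDR
    dr: str = ""    # DR this router claims in its hellos ("" = none)
    bdr: str = ""   # BDR it claims

def _rank(r):
    return (r.priority, tuple(int(o) for o in r.rid.split(".")))

def _pick(pool):
    # Routers already claiming the role win; otherwise highest priority, then RID.
    claims = [r for r in pool if r.bdr == r.rid]
    return max(claims or pool, key=_rank, default=None)

def elect(routers):
    """RFC 2328 9.4 election over the hellos seen on one segment -> (dr, bdr).
    Non-preemption falls out of the rule that a router already claiming DR/BDR
    beats a higher-priority router that claims nothing."""
    eligible = [r for r in routers if r.priority > 0]
    # Step 2: BDR, chosen among routers not claiming to be DR.
    bdr = _pick([r for r in eligible if r.dr != r.rid])
    # Step 3: DR, chosen only among routers claiming DR; if none, promote the BDR
    # and elect a new BDR from the remaining routers.
    claims = [r for r in eligible if r.dr == r.rid]
    if claims:
        dr = max(claims, key=_rank)
    else:
        dr = bdr
        bdr = _pick([r for r in eligible if r is not dr])
    return (dr.rid if dr else None, bdr.rid if bdr else None)

def scenarios():
    r1 = Neighbor("1.1.1.1", 1, dr="1.1.1.1", bdr="2.2.2.2")
    r2 = Neighbor("2.2.2.2", 1, dr="1.1.1.1", bdr="2.2.2.2")
    r9 = Neighbor("9.9.9.9", 255)    # joins later with the top priority
    r0 = Neighbor("250.0.0.1", 0)    # priority 0 with the highest RID: never elected
    fresh = [Neighbor("1.1.1.1", 1), Neighbor("2.2.2.2", 1), Neighbor("9.9.9.9", 255), r0]
    return {
        "stable": elect([r1, r2, r9, r0]),   # r9 does not preempt
        "dr_lost": elect([r2, r9, r0]),      # BDR promoted, r9 elected as new BDR
        "cold_start": elect(fresh),          # no claims: highest priority/RID wins
    }
```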

Virtual Link

An unnumbered p2p link for exchanging LSAs that always belongs to area 0. The transit area must be a regular area. Configure ospf> area {transit area} virtual-link {target RID} in both directions.

Authentication for virtual links can be configured with area {} virtual-link {} authentication ...

Sham link

A sham link can be used to turn inter-area routes through an MPLS superbackbone into intra-area routes. This allows for using backdoor links between sites as backup links.

The sham link configuration must be applied on the PE routers:

router ospf {}
 area {n} sham-link {local IP} {remote IP} [cost {}]

1.4.b Network types, area types

Network types

  • Broadcast
  • P2P, default for frame relay p2p
  • Non-broadcast, default for multipoint interfaces
  • P2MP
  • P2MP non-broadcast

The two network types most relevant for Ethernet (broadcast and P2P) use a 10s hello timer; the rest use 30s.

OSPF in NBMA networks

  • Verify timers
  • Verify expectation of DR
  • Connectivity of both DR and BDR

1.4.c Path preference

  • Split horizon rules apply between areas for inter-area LSAs. E.g. a T3 LSA will never be injected into a non-backbone area and back into the backbone. "Horizontal" links should hence be included in the backbone area.
  • An ABR will always choose a path directly through the backbone to reach another non-backbone area.

E routes are preferred over N routes.

1.4.d Operations

General operations

Route filtering

  • Distribute-list inbound filters pre-SPF on the local router.
  • Outbound filters what is injected by an ASBR.
  • Inbound interface on the distribute-list is evaluated as the outbound interface for the route.

Filtering on ABR:

area {} filter-list prefix {prefix-list} {in|out}
area {} range {} not-advertise

OSPFv3

  • configured using interface commands
  • RID must be set if no IPv4 addresses exist on the router
  • New LSAs with different flooding scopes: link-local, area, AS
  • Supports the use of instance IDs ipv6 ospf {n} area {n} instance {0-255}
  • Authentication through AH, ESP or authentication trailer
  • link-local used for everything except virtual links
  • NBMA requires a statically configured neighbor, on the interface.

OSPFv3 LSAs:

  • 8 - Link LSA, link-local address and prefixes on the local link
  • 9 - Intra-area-prefix LSA, ties prefixes to routers and networks

Graceful shutdown

Allows a router to remove itself from routing before stopping its OSPF process.

ospf> shutdown
or
int> ip ospf shutdown

GTSM (Generic TTL Security Mechanism)

int> ip ospf ttl-security {} [hops]
ospf> ttl-security all-interface

Defining the minimum TTL value of incoming OSPF packets, limiting number of hops.

1.4.e Optimization, convergence and scalability

Metrics

Cost is chosen in the following order:

  1. Per neighbor cost neighbor {ip} cost {val} in p2mp nbma networks
  2. Per interface ip ospf cost {val}
  3. Default based on interface bandwidth/reference-bandwidth auto-cost reference-bandwidth {mbps} (100 Mbps default).

The reference bandwidth can be different between adjacent routers, but it doesn’t make much sense to do so.

External metric

E2 metrics are considered to be orders of magnitude larger than any other cost. Hence they don't include any OSPF internal cost at all. Any router will hence choose the route with the lowest initial metric. If multiple E2 routes exist for the same prefix with the same metric, the route with the lowest cost to the ABR will be chosen.

LSA throttling, SPF tuning, fast hello

SPF tuning

SPF tuning/scheduling allows applying an increasing delay between subsequent SPF runs. By default a router will wait 5 seconds between the first update arriving and performing an SPF calculation; if another update arrives shortly after, it will wait 10s.

The following values are used for SPF throttling configuration:

  • SPF start, initial wait time
  • SPF hold, wait time between subsequent runs, doubles per run
  • SPF max-wait, cap to SPF hold

Once the network has been stable for the duration of max-wait, the hold timer resets to its initial value. If the network has been stable for the duration of the hold timer but not for max-wait, the next run happens after SPF start, with the subsequent run waiting 2 x the current hold.

ospf> timers throttle spf {start} {hold} {max}
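A small scheduler for the throttle rules described above, as an added example that is not part of the original notes: given LSA arrival times it returns when SPF runs, using the defaults quoted above (5 s first, 10 s hold) plus constructed tuned values to show the hold doubling and capping. The exact doubling rule (every run after the reset run doubles the hold) is this example's reading of the text, not a verified IOS implementation detail.

```python
def spf_runs(events_ms, start, hold, max_wait):
    """Times (ms) at which SPF runs for LSA arrivals at events_ms: first run
    after `start`; while updates keep arriving each run waits `hold` after the
    previous one and `hold` doubles up to `max_wait`; quiet for `max_wait`
    resets `hold` to its initial value."""
    runs, cur_hold, last_run, next_run = [], hold, None, -1
    for t in sorted(events_ms):
        if t < next_run:
            continue                        # an SPF is already scheduled: absorbed
        if last_run is None or t - last_run >= max_wait:
            cur_hold = hold                 # quiet for max-wait: throttle reset
            next_run = t + start
        elif t - last_run >= cur_hold:
            next_run = t + start            # quiet for hold but not for max-wait
            cur_hold = min(2 * cur_hold, max_wait)
        else:
            next_run = last_run + cur_hold  # still inside hold: run when it expires
            cur_hold = min(2 * cur_hold, max_wait)
        runs.append(next_run)
        last_run = next_run
    return runs

def demo():
    return {
        # Defaults (5000 10000 10000): 5 s first, then at most one run per 10 s.
        "default": spf_runs([0, 1000, 6000, 30000], 5000, 10000, 10000),
        # Constructed tuned values 50 200 1000: hold grows 200, 400, 800, caps at 1000.
        "tuned": spf_runs([0, 60, 260, 700, 1500, 5000], 50, 200, 1000),
        # Quiet longer than hold but shorter than max-wait: start delay again,
        # and the following hold is doubled.
        "mid_quiet": spf_runs([0, 1000, 1100], 50, 200, 5000),
    }
```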

LSA throttling

LSA throttling is similar to SPF tuning, but at the "other end": it regulates how often a router can originate an update message. The default is 0ms start, 5000ms hold and 5000ms max-wait.

timers throttle lsa {type} {start} {hold} {max}

Fast hello

Setting the hello timer below 1s. This is done by setting the dead timer to its minimum of 1 second and specifying how many hellos should be sent per dead interval.

ip ospf dead-interval minimal hello-multiplier {}

Incremental SPF

Allows routers to only calculate the affected part of the SPF tree. Enabled with ospf> ispf

LSA propagation control (area types)

All variations of stubby areas prevent T4 and T5 LSAs from being injected into the area. "^Totally.*$" (any totally stubby variant) means that no type 3 LSAs will be injected either. Any NSSA variant allows Type 7 LSAs, which are converted to T5 LSAs by the ABR with the highest RID.

The NSSA (non totally) doesn’t inject a default route into the area by default. area {n} nssa default-information-originate enables the ABRs to inject a default route.

All routers in a stubby area need to be configured for the same area type, except when configuring Totally NSSA areas, where "no-summary" should only be added on the ABRs.

Stub router

A router that sends updates with maximum cost for all but local stub prefixes. Either permanently, based on a timer or when BGP comes up.

ospf> max-metric router-lsa [on startup {{start-time} | wait-for-bgp}]

Loop-free alternate

Similar to EIGRP LFA, enables each router to find alternate paths by running SPF with different routers as the root.

fast-reroute per-prefix enable area {}

Prefix suppression

Suppresses advertisement of transit prefixes.

int> ip ospf prefix-suppression
! or 
ospf> prefix-suppression

Troubleshooting

To be populated…

Study resources

The BGP Section of the INE CCIE Enterprise Infrastructure learning track is a good starting point. Though I wouldn't rely on it as my only study source.

Books used, ranked by most value for time spent:

The CCIE Enterprise Infrastructure Foundation book by Narbik Kocharians hasn't been released at the time of writing this, but I suspect it will also be a very good resource for the EI.

I have also used the IOS XE 16.2.x configuration guide extensively.

Various links I’ve found useful:

Got feedback or a question?
Feel free to contact me at hello@torbjorn.dev