All posts by Amolak

About Amolak

Network Consultant

OSPF Route Summarization

Consolidation of multiple routes into a single advertisement is called route summarization. In a nutshell, route summarization is the process of summarizing subnets into a larger subnet to be advertised to upstream routers for ease of management/troubleshooting and resource conservation.

There are two types of route summarization in OSPF.

1. Inter-Area Route Summarization

Although summarization could be configured between any two areas, it is better to summarize in the direction of the backbone. This way the backbone receives all the aggregate addresses and in turn injects them, already summarized, into other areas.

Inter-area route summarization can only be done on the Area Border Router (ABR), which summarizes routes from one particular area into another area.

To specify an address range, perform the following task in router configuration mode:

area area-id range address mask

Where the “area-id” is the area containing networks to be summarized. The “address” and “mask” will specify the range of addresses to be summarized in one range.

2. External Route Summarization

External route summarization is specific to external routes that are injected into OSPF via redistribution.
Summarization is done via the following router ospf subcommand:

summary-address ip-address mask

This command is effective only on ASBRs doing redistribution into OSPF.

We will use the following network topology for our discussion.

[Figure: OSPF Route Summarization network topology]

Pre-Configuration

R1:

interface FastEthernet0/0
 ip address 10.10.123.1 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.16.1 255.255.255.0
!
router eigrp 100
 redistribute ospf 1
 network 192.168.16.1 0.0.0.0
 default-metric 10000 100 255 1 1500
 no auto-summary
!
router ospf 1
 router-id 1.1.1.1
 summary-address 192.168.0.0 255.255.0.0
 redistribute eigrp 100 subnets
 network 10.0.0.0 0.255.255.255 area 0


R2:

interface FastEthernet0/0
 ip address 10.10.123.2 255.255.255.0
!
interface FastEthernet0/1
 ip address 10.10.24.2 255.255.255.0
 ip ospf network point-to-point
!
router ospf 1
 router-id 2.2.2.2
 network 10.10.24.2 0.0.0.0 area 1
 network 10.10.123.2 0.0.0.0 area 0


R3:

interface FastEthernet0/0
 ip address 10.10.123.3 255.255.255.0
!
interface FastEthernet0/1
 ip address 10.10.35.3 255.255.255.0
 ip ospf network point-to-point
!
router ospf 1
 router-id 3.3.3.3
 network 10.10.35.3 0.0.0.0 area 2
 network 10.10.123.3 0.0.0.0 area 0


R4:

interface Loopback4
 ip address 10.4.4.1 255.255.255.0
 ip ospf network point-to-point
!
interface Loopback5
 ip address 10.4.5.1 255.255.255.0
 ip ospf network point-to-point
!
interface Loopback6
 ip address 10.4.6.1 255.255.255.0
 ip ospf network point-to-point
!         
interface Loopback7
 ip address 10.4.7.1 255.255.255.0
 ip ospf network point-to-point
!
interface FastEthernet0/0
 ip address 10.10.24.4 255.255.255.0
 ip ospf network point-to-point
!
router ospf 1
 router-id 4.4.4.4
 network 10.0.0.0 0.255.255.255 area 1

R5:

interface Loopback0
 ip address 10.5.0.1 255.255.255.0
 ip ospf network point-to-point
!
interface Loopback1
 ip address 10.5.1.1 255.255.255.0
 ip ospf network point-to-point
!
interface Loopback2
 ip address 10.5.2.1 255.255.255.0
 ip ospf network point-to-point
!
interface Loopback3
 ip address 10.5.3.1 255.255.255.0
 ip ospf network point-to-point
!
interface FastEthernet0/0
 ip address 10.10.35.5 255.255.255.0
 ip ospf network point-to-point
!
router ospf 1
 router-id 5.5.5.5
 network 10.0.0.0 0.255.255.255 area 2

R6:

interface Loopback0
 ip address 192.168.0.1 255.255.255.0
!
interface Loopback1
 ip address 192.168.1.1 255.255.255.0
!
interface Loopback2
 ip address 192.168.2.1 255.255.255.0
!
interface Loopback3
 ip address 192.168.3.1 255.255.255.0
!         
interface FastEthernet0/0
 ip address 192.168.16.6 255.255.255.0
!
router eigrp 100
 network 192.168.0.0 0.0.255.255
 no auto-summary

Note: Loopback Interfaces are used to simulate different networks connected to routers.

OSPF neighborships are UP and all routers have end-to-end network reachability.

R1#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           1   FULL/BDR        00:00:34    10.10.123.2     FastEthernet0/0
3.3.3.3           1   FULL/DR         00:00:31    10.10.123.3     FastEthernet0/0

R2#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           1   FULL/DROTHER    00:00:31    10.10.123.1     FastEthernet0/0
3.3.3.3           1   FULL/DR         00:00:31    10.10.123.3     FastEthernet0/0
4.4.4.4           0   FULL/  -        00:00:34    10.10.24.4      FastEthernet0/1

R3#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           1   FULL/DROTHER    00:00:31    10.10.123.1     FastEthernet0/0
2.2.2.2           1   FULL/BDR        00:00:34    10.10.123.2     FastEthernet0/0
5.5.5.5           0   FULL/  -        00:00:33    10.10.35.5      FastEthernet0/1

R4#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           0   FULL/  -        00:00:32    10.10.24.2      FastEthernet0/0

R5#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
3.3.3.3           0   FULL/  -        00:00:38    10.10.35.3      FastEthernet0/0

R6#sh ip eigrp neighbors 
IP-EIGRP neighbors for process 100
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   192.168.16.1            Fa0/0             13 02:30:57   28   675  0  50

Routing Tables:

R1#show ip route | b Gateway
Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 11 subnets
O IA    10.4.6.0 [110/3] via 10.10.123.2, 00:29:13, FastEthernet0/0
O IA    10.4.7.0 [110/3] via 10.10.123.2, 00:29:13, FastEthernet0/0
O IA    10.4.4.0 [110/3] via 10.10.123.2, 00:29:08, FastEthernet0/0
O IA    10.4.5.0 [110/3] via 10.10.123.2, 00:29:13, FastEthernet0/0
O IA    10.5.3.0 [110/3] via 10.10.123.3, 00:28:53, FastEthernet0/0
O IA    10.5.2.0 [110/3] via 10.10.123.3, 00:27:46, FastEthernet0/0
O IA    10.5.1.0 [110/3] via 10.10.123.3, 00:27:46, FastEthernet0/0
O IA    10.5.0.0 [110/3] via 10.10.123.3, 00:27:56, FastEthernet0/0
O IA    10.10.24.0 [110/2] via 10.10.123.2, 00:30:27, FastEthernet0/0
O IA    10.10.35.0 [110/2] via 10.10.123.3, 00:30:27, FastEthernet0/0
C       10.10.123.0 is directly connected, FastEthernet0/0
D    192.168.0.0/24 [90/156160] via 192.168.16.6, 02:30:25, FastEthernet0/1
C    192.168.16.0/24 is directly connected, FastEthernet0/1
D    192.168.1.0/24 [90/156160] via 192.168.16.6, 02:30:26, FastEthernet0/1
D    192.168.2.0/24 [90/156160] via 192.168.16.6, 02:30:26, FastEthernet0/1
D    192.168.3.0/24 [90/156160] via 192.168.16.6, 01:06:06, FastEthernet0/1

R2#show ip route | b Gateway
Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 11 subnets
O       10.4.6.0 [110/2] via 10.10.24.4, 00:29:13, FastEthernet0/1
O       10.4.7.0 [110/2] via 10.10.24.4, 00:29:13, FastEthernet0/1
O       10.4.4.0 [110/2] via 10.10.24.4, 00:29:13, FastEthernet0/1
O       10.4.5.0 [110/2] via 10.10.24.4, 00:29:13, FastEthernet0/1
O IA    10.5.3.0 [110/3] via 10.10.123.3, 00:28:53, FastEthernet0/0
O IA    10.5.2.0 [110/3] via 10.10.123.3, 00:27:46, FastEthernet0/0
O IA    10.5.1.0 [110/3] via 10.10.123.3, 00:27:46, FastEthernet0/0
O IA    10.5.0.0 [110/3] via 10.10.123.3, 00:27:56, FastEthernet0/0
C       10.10.24.0 is directly connected, FastEthernet0/1
O IA    10.10.35.0 [110/2] via 10.10.123.3, 00:29:13, FastEthernet0/0
C       10.10.123.0 is directly connected, FastEthernet0/0
O E2 192.168.0.0/24 [110/20] via 10.10.123.1, 00:29:13, FastEthernet0/0
O E2 192.168.16.0/24 [110/20] via 10.10.123.1, 00:29:13, FastEthernet0/0
O E2 192.168.1.0/24 [110/20] via 10.10.123.1, 00:29:13, FastEthernet0/0
O E2 192.168.2.0/24 [110/20] via 10.10.123.1, 00:29:14, FastEthernet0/0
O E2 192.168.3.0/24 [110/20] via 10.10.123.1, 00:29:14, FastEthernet0/0


R3#show ip route | b Gateway
Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 11 subnets
O IA    10.4.6.0 [110/3] via 10.10.123.2, 00:28:53, FastEthernet0/0
O IA    10.4.7.0 [110/3] via 10.10.123.2, 00:28:53, FastEthernet0/0
O IA    10.4.4.0 [110/3] via 10.10.123.2, 00:28:53, FastEthernet0/0
O IA    10.4.5.0 [110/3] via 10.10.123.2, 00:28:53, FastEthernet0/0
O       10.5.3.0 [110/2] via 10.10.35.5, 00:28:53, FastEthernet0/1
O       10.5.2.0 [110/2] via 10.10.35.5, 00:27:46, FastEthernet0/1
O       10.5.1.0 [110/2] via 10.10.35.5, 00:27:46, FastEthernet0/1
O       10.5.0.0 [110/2] via 10.10.35.5, 00:27:56, FastEthernet0/1
O IA    10.10.24.0 [110/2] via 10.10.123.2, 00:28:53, FastEthernet0/0
C       10.10.35.0 is directly connected, FastEthernet0/1
C       10.10.123.0 is directly connected, FastEthernet0/0
O E2 192.168.0.0/24 [110/20] via 10.10.123.1, 00:28:53, FastEthernet0/0
O E2 192.168.16.0/24 [110/20] via 10.10.123.1, 00:28:53, FastEthernet0/0
O E2 192.168.1.0/24 [110/20] via 10.10.123.1, 00:28:53, FastEthernet0/0
O E2 192.168.2.0/24 [110/20] via 10.10.123.1, 00:28:54, FastEthernet0/0
O E2 192.168.3.0/24 [110/20] via 10.10.123.1, 00:28:54, FastEthernet0/0

R4#show ip route | b Gateway
Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 11 subnets
C       10.4.6.0 is directly connected, Loopback6
C       10.4.7.0 is directly connected, Loopback7
C       10.4.4.0 is directly connected, Loopback4
C       10.4.5.0 is directly connected, Loopback5
O IA    10.5.3.0 [110/4] via 10.10.24.2, 00:28:53, FastEthernet0/0
O IA    10.5.2.0 [110/4] via 10.10.24.2, 00:27:46, FastEthernet0/0
O IA    10.5.1.0 [110/4] via 10.10.24.2, 00:27:46, FastEthernet0/0
O IA    10.5.0.0 [110/4] via 10.10.24.2, 00:27:56, FastEthernet0/0
C       10.10.24.0 is directly connected, FastEthernet0/0
O IA    10.10.35.0 [110/3] via 10.10.24.2, 00:30:27, FastEthernet0/0
O IA    10.10.123.0 [110/2] via 10.10.24.2, 00:30:57, FastEthernet0/0
O E2 192.168.0.0/24 [110/20] via 10.10.24.2, 00:29:24, FastEthernet0/0
O E2 192.168.16.0/24 [110/20] via 10.10.24.2, 00:29:29, FastEthernet0/0
O E2 192.168.1.0/24 [110/20] via 10.10.24.2, 00:29:29, FastEthernet0/0
O E2 192.168.2.0/24 [110/20] via 10.10.24.2, 00:29:29, FastEthernet0/0
O E2 192.168.3.0/24 [110/20] via 10.10.24.2, 00:29:31, FastEthernet0/0

R5#show ip route | b Gateway
Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 11 subnets
O IA    10.4.6.0 [110/4] via 10.10.35.3, 00:29:12, FastEthernet0/0
O IA    10.4.7.0 [110/4] via 10.10.35.3, 00:29:12, FastEthernet0/0
O IA    10.4.4.0 [110/4] via 10.10.35.3, 00:29:03, FastEthernet0/0
O IA    10.4.5.0 [110/4] via 10.10.35.3, 00:29:12, FastEthernet0/0
C       10.5.3.0 is directly connected, Loopback3
C       10.5.2.0 is directly connected, Loopback2
C       10.5.1.0 is directly connected, Loopback1
C       10.5.0.0 is directly connected, Loopback0
O IA    10.10.24.0 [110/3] via 10.10.35.3, 00:30:27, FastEthernet0/0
C       10.10.35.0 is directly connected, FastEthernet0/0
O IA    10.10.123.0 [110/2] via 10.10.35.3, 00:30:57, FastEthernet0/0
O E2 192.168.0.0/24 [110/20] via 10.10.35.3, 00:29:24, FastEthernet0/0
O E2 192.168.16.0/24 [110/20] via 10.10.35.3, 00:29:29, FastEthernet0/0
O E2 192.168.1.0/24 [110/20] via 10.10.35.3, 00:29:29, FastEthernet0/0
O E2 192.168.2.0/24 [110/20] via 10.10.35.3, 00:29:29, FastEthernet0/0
O E2 192.168.3.0/24 [110/20] via 10.10.35.3, 00:29:31, FastEthernet0/0

R6#show ip route | b Gateway
Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 11 subnets
D EX    10.4.6.0 [170/284160] via 192.168.16.1, 00:29:12, FastEthernet0/0
D EX    10.4.7.0 [170/284160] via 192.168.16.1, 00:29:12, FastEthernet0/0
D EX    10.4.4.0 [170/284160] via 192.168.16.1, 00:29:08, FastEthernet0/0
D EX    10.4.5.0 [170/284160] via 192.168.16.1, 00:29:12, FastEthernet0/0
D EX    10.5.3.0 [170/284160] via 192.168.16.1, 00:28:53, FastEthernet0/0
D EX    10.5.2.0 [170/284160] via 192.168.16.1, 00:27:46, FastEthernet0/0
D EX    10.5.1.0 [170/284160] via 192.168.16.1, 00:27:46, FastEthernet0/0
D EX    10.5.0.0 [170/284160] via 192.168.16.1, 00:27:56, FastEthernet0/0
D EX    10.10.24.0 [170/284160] via 192.168.16.1, 00:30:27, FastEthernet0/0
D EX    10.10.35.0 [170/284160] via 192.168.16.1, 00:30:27, FastEthernet0/0
D EX    10.10.123.0 [170/284160] via 192.168.16.1, 02:12:11, FastEthernet0/0
C    192.168.0.0/24 is directly connected, Loopback0
C    192.168.16.0/24 is directly connected, FastEthernet0/0
C    192.168.1.0/24 is directly connected, Loopback1
C    192.168.2.0/24 is directly connected, Loopback2
C    192.168.3.0/24 is directly connected, Loopback3

First we want to summarize Area 1 routes. R2 is the ABR (Area Border Router), connecting Area 1 to the Backbone Area (Area 0). Here, R2 will do the inter-area route summarization and send a summary advertisement into Area 0.

These four IP subnets can be summarized as follows:

10.4.4.0/24
10.4.5.0/24
10.4.6.0/24
10.4.7.0/24

Summary Network: 10.4.4.0
Mask: 255.255.252.0

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#router ospf 1
R2(config-router)#area 1 range 10.4.4.0 255.255.252.0
R2(config-router)#end
R2#

Let’s see the changes in the routing tables on other routers:

R1 Before Route Summarization:

R1#show ip route | b Gateway
Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 11 subnets
O IA    10.4.6.0 [110/3] via 10.10.123.2, 00:29:13, FastEthernet0/0
O IA    10.4.7.0 [110/3] via 10.10.123.2, 00:29:13, FastEthernet0/0
O IA    10.4.4.0 [110/3] via 10.10.123.2, 00:29:08, FastEthernet0/0
O IA    10.4.5.0 [110/3] via 10.10.123.2, 00:29:13, FastEthernet0/0
O IA    10.5.3.0 [110/3] via 10.10.123.3, 00:28:53, FastEthernet0/0
O IA    10.5.2.0 [110/3] via 10.10.123.3, 00:27:46, FastEthernet0/0
O IA    10.5.1.0 [110/3] via 10.10.123.3, 00:27:46, FastEthernet0/0
O IA    10.5.0.0 [110/3] via 10.10.123.3, 00:27:56, FastEthernet0/0
O IA    10.10.24.0 [110/2] via 10.10.123.2, 00:30:27, FastEthernet0/0
O IA    10.10.35.0 [110/2] via 10.10.123.3, 00:30:27, FastEthernet0/0
C       10.10.123.0 is directly connected, FastEthernet0/0
D    192.168.0.0/24 [90/156160] via 192.168.16.6, 02:30:25, FastEthernet0/1
C    192.168.16.0/24 is directly connected, FastEthernet0/1
D    192.168.1.0/24 [90/156160] via 192.168.16.6, 02:30:26, FastEthernet0/1
D    192.168.2.0/24 [90/156160] via 192.168.16.6, 02:30:26, FastEthernet0/1
D    192.168.3.0/24 [90/156160] via 192.168.16.6, 01:06:06, FastEthernet0/1

R1 After Route Summarization:

R1#show ip route | b Gateway
Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
O IA    10.4.4.0/22 [110/3] via 10.10.123.2, 00:01:47, FastEthernet0/0
O IA    10.5.3.0/24 [110/3] via 10.10.123.3, 00:56:18, FastEthernet0/0
O IA    10.5.2.0/24 [110/3] via 10.10.123.3, 00:55:11, FastEthernet0/0
O IA    10.5.1.0/24 [110/3] via 10.10.123.3, 00:55:11, FastEthernet0/0
O IA    10.5.0.0/24 [110/3] via 10.10.123.3, 00:55:21, FastEthernet0/0
O IA    10.10.24.0/24 [110/2] via 10.10.123.2, 00:57:52, FastEthernet0/0
O IA    10.10.35.0/24 [110/2] via 10.10.123.3, 00:57:52, FastEthernet0/0
C       10.10.123.0/24 is directly connected, FastEthernet0/0
D    192.168.0.0/24 [90/156160] via 192.168.16.6, 02:57:50, FastEthernet0/1
C    192.168.16.0/24 is directly connected, FastEthernet0/1
D    192.168.1.0/24 [90/156160] via 192.168.16.6, 02:57:49, FastEthernet0/1
D    192.168.2.0/24 [90/156160] via 192.168.16.6, 02:57:49, FastEthernet0/1
D    192.168.3.0/24 [90/156160] via 192.168.16.6, 01:33:29, FastEthernet0/1

R5 Before Route Summarization:

R5#show ip route | b Gateway
Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 11 subnets
O IA    10.4.6.0 [110/4] via 10.10.35.3, 00:29:12, FastEthernet0/0
O IA    10.4.7.0 [110/4] via 10.10.35.3, 00:29:12, FastEthernet0/0
O IA    10.4.4.0 [110/4] via 10.10.35.3, 00:29:03, FastEthernet0/0
O IA    10.4.5.0 [110/4] via 10.10.35.3, 00:29:12, FastEthernet0/0
C       10.5.3.0 is directly connected, Loopback3
C       10.5.2.0 is directly connected, Loopback2
C       10.5.1.0 is directly connected, Loopback1
C       10.5.0.0 is directly connected, Loopback0
O IA    10.10.24.0 [110/3] via 10.10.35.3, 00:30:27, FastEthernet0/0
C       10.10.35.0 is directly connected, FastEthernet0/0
O IA    10.10.123.0 [110/2] via 10.10.35.3, 00:30:57, FastEthernet0/0
O E2 192.168.0.0/24 [110/20] via 10.10.35.3, 00:29:24, FastEthernet0/0
O E2 192.168.16.0/24 [110/20] via 10.10.35.3, 00:29:29, FastEthernet0/0
O E2 192.168.1.0/24 [110/20] via 10.10.35.3, 00:29:29, FastEthernet0/0
O E2 192.168.2.0/24 [110/20] via 10.10.35.3, 00:29:29, FastEthernet0/0
O E2 192.168.3.0/24 [110/20] via 10.10.35.3, 00:29:31, FastEthernet0/0

R5 After Route Summarization:

R5#show ip route | b Gateway
Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
O IA    10.4.4.0/22 [110/4] via 10.10.35.3, 00:06:30, FastEthernet0/0
C       10.5.3.0/24 is directly connected, Loopback3
C       10.5.2.0/24 is directly connected, Loopback2
C       10.5.1.0/24 is directly connected, Loopback1
C       10.5.0.0/24 is directly connected, Loopback0
O IA    10.10.24.0/24 [110/3] via 10.10.35.3, 01:02:34, FastEthernet0/0
C       10.10.35.0/24 is directly connected, FastEthernet0/0
O IA    10.10.123.0/24 [110/2] via 10.10.35.3, 01:03:04, FastEthernet0/0
O E2 192.168.0.0/24 [110/20] via 10.10.35.3, 01:01:32, FastEthernet0/0
O E2 192.168.16.0/24 [110/20] via 10.10.35.3, 01:01:36, FastEthernet0/0
O E2 192.168.1.0/24 [110/20] via 10.10.35.3, 01:01:36, FastEthernet0/0
O E2 192.168.2.0/24 [110/20] via 10.10.35.3, 01:01:36, FastEthernet0/0
O E2 192.168.3.0/24 [110/20] via 10.10.35.3, 01:01:36, FastEthernet0/0

 

Let’s do the same for Area 2. R3 is the ABR here and does the route summarization for the following networks.

10.5.0.0/24
10.5.1.0/24
10.5.2.0/24
10.5.3.0/24

Summary Network: 10.5.0.0
Mask: 255.255.252.0

R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#router ospf 1
R3(config-router)#area 2 range 10.5.0.0 255.255.252.0
R3(config-router)#end
R3#

Let’s see the changes in the routing tables on other routers:

Before Route Summarization:

R1#show ip route | b Gateway
Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
O IA    10.4.4.0/22 [110/3] via 10.10.123.2, 00:01:47, FastEthernet0/0
O IA    10.5.3.0/24 [110/3] via 10.10.123.3, 00:56:18, FastEthernet0/0
O IA    10.5.2.0/24 [110/3] via 10.10.123.3, 00:55:11, FastEthernet0/0
O IA    10.5.1.0/24 [110/3] via 10.10.123.3, 00:55:11, FastEthernet0/0
O IA    10.5.0.0/24 [110/3] via 10.10.123.3, 00:55:21, FastEthernet0/0
O IA    10.10.24.0/24 [110/2] via 10.10.123.2, 00:57:52, FastEthernet0/0
O IA    10.10.35.0/24 [110/2] via 10.10.123.3, 00:57:52, FastEthernet0/0
C       10.10.123.0/24 is directly connected, FastEthernet0/0
D    192.168.0.0/24 [90/156160] via 192.168.16.6, 02:57:50, FastEthernet0/1
C    192.168.16.0/24 is directly connected, FastEthernet0/1
D    192.168.1.0/24 [90/156160] via 192.168.16.6, 02:57:49, FastEthernet0/1
D    192.168.2.0/24 [90/156160] via 192.168.16.6, 02:57:49, FastEthernet0/1
D    192.168.3.0/24 [90/156160] via 192.168.16.6, 01:33:29, FastEthernet0/1
R1#

After Route Summarization:

R1#show ip route | b Gateway
Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
O IA    10.4.4.0/22 [110/3] via 10.10.123.2, 00:35:14, FastEthernet0/0
O IA    10.5.0.0/22 [110/3] via 10.10.123.3, 00:01:40, FastEthernet0/0
O IA    10.10.24.0/24 [110/2] via 10.10.123.2, 01:31:19, FastEthernet0/0
O IA    10.10.35.0/24 [110/2] via 10.10.123.3, 01:31:19, FastEthernet0/0
C       10.10.123.0/24 is directly connected, FastEthernet0/0
D    192.168.0.0/24 [90/156160] via 192.168.16.6, 03:31:17, FastEthernet0/1
C    192.168.16.0/24 is directly connected, FastEthernet0/1
D    192.168.1.0/24 [90/156160] via 192.168.16.6, 03:31:16, FastEthernet0/1
D    192.168.2.0/24 [90/156160] via 192.168.16.6, 03:31:16, FastEthernet0/1
D    192.168.3.0/24 [90/156160] via 192.168.16.6, 02:06:56, FastEthernet0/1

Let’s summarize external routes now. Router R1 is the ASBR, connected to both the EIGRP and OSPF domains and doing route redistribution between EIGRP and OSPF.

R1 (ASBR) will do the route summarization for external routes into OSPF.

These four IP subnets can be summarized as follows:

192.168.0.0/24
192.168.1.0/24
192.168.2.0/24
192.168.3.0/24

Summary Network: 192.168.0.0
Mask: 255.255.252.0

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#router ospf 1
R1(config-router)#summary-address 192.168.0.0 255.255.252.0
R1(config-router)#end
R1#
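How the three summary networks and masks on this page (Area 1, Area 2 and the external EIGRP routes) follow from their component subnets, as an added example that is not part of the original post. The function names are illustrative; the last case is a constructed what-if showing why 192.168.16.0/24 is left outside the external summary.

```python
import ipaddress

# Component subnets taken from the page.
AREA1 = ["10.4.4.0/24", "10.4.5.0/24", "10.4.6.0/24", "10.4.7.0/24"]
AREA2 = ["10.5.0.0/24", "10.5.1.0/24", "10.5.2.0/24", "10.5.3.0/24"]
EXTERNAL = ["192.168.0.0/24", "192.168.1.0/24",
            "192.168.2.0/24", "192.168.3.0/24"]


def tightest_summary(prefixes):
    """Smallest single IPv4 prefix that covers every component prefix."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    lo = min(int(n.network_address) for n in nets)
    hi = max(int(n.broadcast_address) for n in nets)
    # Every bit at or below the highest differing bit must be a host bit.
    host_bits = (lo ^ hi).bit_length()
    base = (lo >> host_bits) << host_bits
    return ipaddress.ip_network((base, 32 - host_bits))


def uncovered(summary, prefixes):
    """Address space inside `summary` that no component prefix accounts for.

    Traffic to these addresses is attracted by the summary advertisement
    even though no real subnet exists behind it.
    """
    remaining = [summary]
    components = ipaddress.collapse_addresses(
        ipaddress.ip_network(p) for p in prefixes)
    for comp in components:
        kept = []
        for piece in remaining:
            if comp.subnet_of(piece):
                # Split the piece around the component and keep the rest.
                kept.extend(piece.address_exclude(comp))
            elif not piece.subnet_of(comp):
                kept.append(piece)
        remaining = kept
    return sorted(remaining)


def ios_command(summary, area_id=None):
    """Render the summary in the two command forms used on the page."""
    addr, mask = summary.network_address, summary.netmask
    if area_id is None:
        return f"summary-address {addr} {mask}"      # ASBR, external routes
    return f"area {area_id} range {addr} {mask}"     # ABR, inter-area routes


def report(name, prefixes, area_id=None):
    summary = tightest_summary(prefixes)
    gaps = uncovered(summary, prefixes)
    print(f"{name}: {ios_command(summary, area_id)}")
    if gaps:
        extra = sum(g.num_addresses for g in gaps)
        print(f"  over-summarized: {extra} addresses with no component route")
        for g in gaps:
            print(f"    {g}")
    else:
        print("  exact fit: summary covers only the component subnets")


if __name__ == "__main__":
    report("Area 1 on R2", AREA1, area_id=1)
    report("Area 2 on R3", AREA2, area_id=2)
    report("External on R1", EXTERNAL)
    # Constructed what-if: folding the R1-R6 link into the same summary
    # widens it to a /19 that claims far more space than actually exists.
    report("External incl. 192.168.16.0/24", EXTERNAL + ["192.168.16.0/24"])
```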

Let’s see the changes in the routing tables on other routers:

Before Route Summarization:

R2#show ip route | b Gateway
Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 12 subnets, 2 masks
O       10.4.6.0/24 [110/2] via 10.10.24.4, 00:03:02, FastEthernet0/1
O       10.4.7.0/24 [110/2] via 10.10.24.4, 00:03:02, FastEthernet0/1
O       10.4.4.0/24 [110/2] via 10.10.24.4, 00:03:02, FastEthernet0/1
O       10.4.4.0/22 is a summary, 00:03:02, Null0
O       10.4.5.0/24 [110/2] via 10.10.24.4, 00:03:02, FastEthernet0/1
O IA    10.5.3.0/24 [110/3] via 10.10.123.3, 00:03:02, FastEthernet0/0
O IA    10.5.2.0/24 [110/3] via 10.10.123.3, 00:03:02, FastEthernet0/0
O IA    10.5.1.0/24 [110/3] via 10.10.123.3, 00:03:02, FastEthernet0/0
O IA    10.5.0.0/24 [110/3] via 10.10.123.3, 00:03:02, FastEthernet0/0
C       10.10.24.0/24 is directly connected, FastEthernet0/1
O IA    10.10.35.0/24 [110/2] via 10.10.123.3, 00:03:02, FastEthernet0/0
C       10.10.123.0/24 is directly connected, FastEthernet0/0
O E2 192.168.0.0/24 [110/20] via 10.10.123.1, 00:03:02, FastEthernet0/0
O E2 192.168.16.0/24 [110/20] via 10.10.123.1, 00:03:03, FastEthernet0/0
O E2 192.168.1.0/24 [110/20] via 10.10.123.1, 00:03:03, FastEthernet0/0
O E2 192.168.2.0/24 [110/20] via 10.10.123.1, 00:03:03, FastEthernet0/0
O E2 192.168.3.0/24 [110/20] via 10.10.123.1, 00:03:03, FastEthernet0/0

After Route Summarization:

R2#show ip route | b Gateway
Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 9 subnets, 2 masks
O       10.4.6.0/24 [110/2] via 10.10.24.4, 00:43:59, FastEthernet0/1
O       10.4.7.0/24 [110/2] via 10.10.24.4, 00:43:59, FastEthernet0/1
O       10.4.4.0/24 [110/2] via 10.10.24.4, 00:43:59, FastEthernet0/1
O       10.4.4.0/22 is a summary, 00:43:59, Null0
O       10.4.5.0/24 [110/2] via 10.10.24.4, 00:43:59, FastEthernet0/1
O IA    10.5.0.0/22 [110/3] via 10.10.123.3, 00:10:24, FastEthernet0/0
C       10.10.24.0/24 is directly connected, FastEthernet0/1
O IA    10.10.35.0/24 [110/2] via 10.10.123.3, 00:43:59, FastEthernet0/0
C       10.10.123.0/24 is directly connected, FastEthernet0/0
O E2 192.168.16.0/24 [110/20] via 10.10.123.1, 00:43:59, FastEthernet0/0
O E2 192.168.0.0/22 [110/20] via 10.10.123.1, 00:00:57, FastEthernet0/0
R2#

Let’s see the routing tables on R4 and verify end-to-end connectivity.

Before Route Summarization:

R4#show ip route | b Gateway
Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 11 subnets
C       10.4.6.0 is directly connected, Loopback6
C       10.4.7.0 is directly connected, Loopback7
C       10.4.4.0 is directly connected, Loopback4
C       10.4.5.0 is directly connected, Loopback5
O IA    10.5.3.0 [110/4] via 10.10.24.2, 00:28:53, FastEthernet0/0
O IA    10.5.2.0 [110/4] via 10.10.24.2, 00:27:46, FastEthernet0/0
O IA    10.5.1.0 [110/4] via 10.10.24.2, 00:27:46, FastEthernet0/0
O IA    10.5.0.0 [110/4] via 10.10.24.2, 00:27:56, FastEthernet0/0
C       10.10.24.0 is directly connected, FastEthernet0/0
O IA    10.10.35.0 [110/3] via 10.10.24.2, 00:30:27, FastEthernet0/0
O IA    10.10.123.0 [110/2] via 10.10.24.2, 00:30:57, FastEthernet0/0
O E2 192.168.0.0/24 [110/20] via 10.10.24.2, 00:29:24, FastEthernet0/0
O E2 192.168.16.0/24 [110/20] via 10.10.24.2, 00:29:29, FastEthernet0/0
O E2 192.168.1.0/24 [110/20] via 10.10.24.2, 00:29:29, FastEthernet0/0
O E2 192.168.2.0/24 [110/20] via 10.10.24.2, 00:29:29, FastEthernet0/0
O E2 192.168.3.0/24 [110/20] via 10.10.24.2, 00:29:31, FastEthernet0/0

After Route Summarization:

R4#show ip route | b Gateway
Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
C       10.4.6.0/24 is directly connected, Loopback6
C       10.4.7.0/24 is directly connected, Loopback7
C       10.4.4.0/24 is directly connected, Loopback4
C       10.4.5.0/24 is directly connected, Loopback5
O IA    10.5.0.0/22 [110/4] via 10.10.24.2, 00:12:19, FastEthernet0/0
C       10.10.24.0/24 is directly connected, FastEthernet0/0
O IA    10.10.35.0/24 [110/3] via 10.10.24.2, 01:41:58, FastEthernet0/0
O IA    10.10.123.0/24 [110/2] via 10.10.24.2, 01:42:28, FastEthernet0/0
O E2 192.168.16.0/24 [110/20] via 10.10.24.2, 01:41:00, FastEthernet0/0
O E2 192.168.0.0/22 [110/20] via 10.10.24.2, 00:02:51, FastEthernet0/0
R4#

R4#ping 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/64/84 ms

R4#ping 10.5.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.5.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/64/88 ms

So far we have seen that when route summarization is configured, whether inter-area or external, the router advertises the summary route and suppresses the advertisements for the specific networks.

Another point to note is that an OSPF router advertises a summary route only if it is receiving an advertisement for at least one route that falls within the summary range.

R5 is sending LSA advertisements for networks (10.5.0.0/24, 10.5.1.0/24, 10.5.2.0/24 and 10.5.3.0/24) and R3 is sending a single summary route (10.5.0.0/22) advertisement for those networks.

These Loopback interfaces are simulating different 10.5.x.x networks connected to R5.

R5#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.10.35.5      YES manual up                    up      
FastEthernet0/1            unassigned      YES unset  up                    up      
Loopback0                  10.5.0.1        YES manual up                    up      
Loopback1                  10.5.1.1        YES manual up                    up      
Loopback2                  10.5.2.1        YES manual up                    up      
Loopback3                  10.5.3.1        YES manual up                    up      
R5#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R5(config)#int l0
R5(config-if)#shut
R5(config-if)#int l1
R5(config-if)#
*Mar  1 04:36:28.214: %LINK-5-CHANGED: Interface Loopback0, changed state to administratively down
*Mar  1 04:36:29.214: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to down
R5(config-if)#shut  
R5(config-if)#int l2
R5(config-if)#
*Mar  1 04:36:33.582: %LINK-5-CHANGED: Interface Loopback1, changed state to administratively down
*Mar  1 04:36:34.582: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to down
R5(config-if)#shut  
R5(config-if)#
*Mar  1 04:36:37.922: %LINK-5-CHANGED: Interface Loopback2, changed state to administratively down
*Mar  1 04:36:38.922: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback2, changed state to down
R5(config-if)#

Loopback 0, 1 and 2 are shut down now.

Look at the routing table on R3: it now has a route for 10.5.3.0/24 only, but it is still sending the advertisement for the summary route 10.5.0.0/22.

R3#show ip route | b Gateway
Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
O IA    10.4.4.0/22 [110/3] via 10.10.123.2, 01:24:03, FastEthernet0/0
O       10.5.3.0/24 [110/2] via 10.10.35.5, 01:24:03, FastEthernet0/1
O       10.5.0.0/22 is a summary, 01:24:03, Null0
O IA    10.10.24.0/24 [110/2] via 10.10.123.2, 01:24:03, FastEthernet0/0
C       10.10.35.0/24 is directly connected, FastEthernet0/1
C       10.10.123.0/24 is directly connected, FastEthernet0/0
O E2 192.168.16.0/24 [110/20] via 10.10.123.1, 01:24:03, FastEthernet0/0
O E2 192.168.0.0/22 [110/20] via 10.10.123.1, 01:14:35, FastEthernet0/0

The routing table on R2 shows it is still receiving the summary advertisement from R3.

R2#show ip route | b Gateway
Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 9 subnets, 2 masks
O       10.4.6.0/24 [110/2] via 10.10.24.4, 02:00:05, FastEthernet0/1
O       10.4.7.0/24 [110/2] via 10.10.24.4, 02:00:05, FastEthernet0/1
O       10.4.4.0/24 [110/2] via 10.10.24.4, 02:00:05, FastEthernet0/1
O       10.4.4.0/22 is a summary, 02:00:05, Null0
O       10.4.5.0/24 [110/2] via 10.10.24.4, 02:00:05, FastEthernet0/1
O IA    10.5.0.0/22 [110/3] via 10.10.123.3, 01:26:30, FastEthernet0/0
C       10.10.24.0/24 is directly connected, FastEthernet0/1
O IA    10.10.35.0/24 [110/2] via 10.10.123.3, 02:00:05, FastEthernet0/0
C       10.10.123.0/24 is directly connected, FastEthernet0/0
O E2 192.168.16.0/24 [110/20] via 10.10.123.1, 02:00:05, FastEthernet0/0
O E2 192.168.0.0/22 [110/20] via 10.10.123.1, 01:17:02, FastEthernet0/0

Let’s shut down interface Loopback 3 on R5 as well.

R5(config-if)#int l3
R5(config-if)#shut
R5(config-if)#
*Mar  1 05:09:59.566: %LINK-5-CHANGED: Interface Loopback3, changed state to administratively down
*Mar  1 05:10:00.566: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback3, changed state to down
R5(config-if)#

If we look at the routing table on R3, it has lost all routes for the 10.5.x.x networks, and it no longer sends the advertisement for the summary route.

R3#show ip route | b Gateway
Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
O IA    10.4.4.0/22 [110/3] via 10.10.123.2, 01:36:57, FastEthernet0/0
O IA    10.10.24.0/24 [110/2] via 10.10.123.2, 01:36:57, FastEthernet0/0
C       10.10.35.0/24 is directly connected, FastEthernet0/1
C       10.10.123.0/24 is directly connected, FastEthernet0/0
O E2 192.168.16.0/24 [110/20] via 10.10.123.1, 01:36:57, FastEthernet0/0
O E2 192.168.0.0/22 [110/20] via 10.10.123.1, 01:27:30, FastEthernet0/0

R2#show ip route | b Gateway
Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
O       10.4.6.0/24 [110/2] via 10.10.24.4, 02:11:46, FastEthernet0/1
O       10.4.7.0/24 [110/2] via 10.10.24.4, 02:11:46, FastEthernet0/1
O       10.4.4.0/24 [110/2] via 10.10.24.4, 02:11:46, FastEthernet0/1
O       10.4.4.0/22 is a summary, 02:11:46, Null0
O       10.4.5.0/24 [110/2] via 10.10.24.4, 02:11:46, FastEthernet0/1
C       10.10.24.0/24 is directly connected, FastEthernet0/1
O IA    10.10.35.0/24 [110/2] via 10.10.123.3, 02:11:46, FastEthernet0/0
C       10.10.123.0/24 is directly connected, FastEthernet0/0
O E2 192.168.16.0/24 [110/20] via 10.10.123.1, 02:11:46, FastEthernet0/0
O E2 192.168.0.0/22 [110/20] via 10.10.123.1, 01:28:43, FastEthernet0/0
R2#show ip route 10.5.0.0
% Subnet not in table
R2#
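The behaviour shown in the loopback shutdown steps above, reduced to a small model of R3 as ABR for Area 2 (an added example, not from the original post, and a simplification rather than IOS's implementation). The default route and its next hop 192.0.2.1 are constructed for illustration; the lab itself has no gateway of last resort.

```python
import ipaddress

NULL0 = "Null0"
R5 = "10.10.35.5"


def abr_state(area_routes, ranges):
    """Model an ABR for one attached area.

    area_routes: {prefix: next_hop} intra-area routes the ABR holds.
    ranges: prefixes configured with `area <id> range`.
    Returns (advertised, table): prefixes sent into the backbone, and the
    ABR's own forwarding table including discard routes.
    """
    routes = {ipaddress.ip_network(p): nh for p, nh in area_routes.items()}
    ranges = [ipaddress.ip_network(r) for r in ranges]
    table = dict(routes)
    advertised = []
    for rng in ranges:
        # A range is advertised only while at least one component exists.
        if any(r.subnet_of(rng) for r in routes):
            advertised.append(rng)
            table[rng] = NULL0      # shown as "is a summary, ..., Null0"
    for r in routes:
        # Components inside a configured range are suppressed.
        if not any(r.subnet_of(rng) for rng in ranges):
            advertised.append(r)
    return sorted(advertised), table


def lookup(table, dst):
    """Longest-prefix match; returns the next hop or None."""
    addr = ipaddress.ip_address(dst)
    matches = [net for net in table if addr in net]
    if not matches:
        return None
    return table[max(matches, key=lambda n: n.prefixlen)]


def add_route(table, prefix, next_hop):
    """Copy of the table with one extra route installed."""
    new = dict(table)
    new[ipaddress.ip_network(prefix)] = next_hop
    return new


def without_discard(table):
    """Copy of the table with the Null0 summary entries removed."""
    return {net: nh for net, nh in table.items() if nh != NULL0}


def r3_area2(loopbacks_up):
    """R3's view of Area 2 with the given R5 loopbacks (0-3) up."""
    routes = {"10.10.35.0/24": "connected"}
    for i in loopbacks_up:
        routes[f"10.5.{i}.0/24"] = R5
    return abr_state(routes, ["10.5.0.0/22"])


if __name__ == "__main__":
    for up in ([0, 1, 2, 3], [3], []):
        adv, table = r3_area2(up)
        print(f"loopbacks up {up}: advertises {[str(n) for n in adv]}")
        print(f"  10.5.3.1 -> {lookup(table, '10.5.3.1')}, "
              f"10.5.0.1 -> {lookup(table, '10.5.0.1')}")

    # Constructed case: R3 also has a default route. With only Loopback3
    # up, the summary still draws traffic for 10.5.0.1 to R3. The discard
    # route drops it there; without it the packet would follow the default
    # route back out of the ABR.
    _, table = r3_area2([3])
    table = add_route(table, "0.0.0.0/0", "192.0.2.1")
    print("with discard route:   ", lookup(table, "10.5.0.1"))
    print("without discard route:", lookup(without_discard(table), "10.5.0.1"))
```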

Enable all Loopback interfaces on R5.

R5(config-if)#int l0
R5(config-if)#no shut
R5(config-if)#int l1
R5(config-if)#no shut
R5(config-if)#
*Mar  1 05:20:26.106: %LINK-3-UPDOWN: Interface Loopback0, changed state to up
*Mar  1 05:20:27.106: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up
R5(config-if)#int l2
R5(config-if)#no shu
*Mar  1 05:20:28.898: %LINK-3-UPDOWN: Interface Loopback1, changed state to up
*Mar  1 05:20:29.898: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to up
R5(config-if)#no shut
R5(config-if)#int l3
R5(config-if)#no shut
R5(config-if)#
*Mar  1 05:20:32.470: %LINK-3-UPDOWN: Interface Loopback2, changed state to up
*Mar  1 05:20:33.470: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback2, changed state to up
R5(config-if)#
*Mar  1 05:20:35.922: %LINK-3-UPDOWN: Interface Loopback3, changed state to up
*Mar  1 05:20:36.922: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback3, changed state to up
R5(config-if)#do sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.10.35.5      YES manual up                    up      
FastEthernet0/1            unassigned      YES unset  up                    up      
Loopback0                  10.5.0.1        YES manual up                    up      
Loopback1                  10.5.1.1        YES manual up                    up      
Loopback2                  10.5.2.1        YES manual up                    up      
Loopback3                  10.5.3.1        YES manual up                    up      
R5(config-if)#

Now R3 has routes for all of those networks and is advertising the summary address into the backbone area.

R3#show ip route | b Gateway
Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 9 subnets, 2 masks
O IA    10.4.4.0/22 [110/3] via 10.10.123.2, 01:46:59, FastEthernet0/0
O       10.5.3.0/24 [110/2] via 10.10.35.5, 00:00:31, FastEthernet0/1
O       10.5.2.0/24 [110/2] via 10.10.35.5, 00:00:31, FastEthernet0/1
O       10.5.1.0/24 [110/2] via 10.10.35.5, 00:00:31, FastEthernet0/1
O       10.5.0.0/24 [110/2] via 10.10.35.5, 00:00:41, FastEthernet0/1
O       10.5.0.0/22 is a summary, 00:00:41, Null0
O IA    10.10.24.0/24 [110/2] via 10.10.123.2, 01:46:59, FastEthernet0/0
C       10.10.35.0/24 is directly connected, FastEthernet0/1
C       10.10.123.0/24 is directly connected, FastEthernet0/0
O E2 192.168.16.0/24 [110/20] via 10.10.123.1, 01:46:59, FastEthernet0/0
O E2 192.168.0.0/22 [110/20] via 10.10.123.1, 01:37:31, FastEthernet0/0
R3#

Did you notice this route on R3?

O       10.5.0.0/22 is a summary, 00:00:41, Null0

This is called a discard route.

Prior to Cisco IOS Software Release 12.1(6), it was recommended to manually configure, on the ABR, a discard static route for the summary address in order to prevent possible routing loops. For the summary route shown above, you can use this command:

ip route 10.5.0.0 255.255.252.0 null0

In IOS 12.1(6) and higher, the discard route is automatically generated by default. If for any reason you don’t want to use this discard route, you can configure the following commands under router ospf:

[no] discard-route internal
or
[no] discard-route external
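
Why the discard route prevents a loop, as an added example that is not part of the original lab: a longest-prefix-match walk between R2, R3 and R5. It assumes Loopback2 on R5 is down (so 10.5.2.0/24 is missing) and that R3 has a default route toward R2; the lab itself has no default route, and the tables below are constructed.

```python
import ipaddress


def lookup(table, dst):
    """Longest-prefix match: next hop of the most specific matching route."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), nh) for p, nh in table.items()
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def build_tables(discard_route):
    """Constructed routing tables; next hop is a router name, Null0 or connected."""
    r3 = {
        "10.5.0.0/24": "R5",
        "10.5.1.0/24": "R5",
        "10.5.3.0/24": "R5",           # 10.5.2.0/24 absent: Loopback2 assumed down
        "10.10.35.0/24": "connected",
        "10.10.123.0/24": "connected",
        "0.0.0.0/0": "R2",             # assumed default route, not in the lab
    }
    if discard_route:
        r3["10.5.0.0/22"] = "Null0"    # "O 10.5.0.0/22 is a summary, Null0"
    r2 = {
        "10.5.0.0/22": "R3",           # the summary advertised by ABR R3
        "10.10.24.0/24": "connected",
        "10.10.123.0/24": "connected",
    }
    r5 = {
        "10.5.0.0/24": "connected",
        "10.5.1.0/24": "connected",
        "10.5.3.0/24": "connected",
        "10.10.35.0/24": "connected",
    }
    return {"R2": r2, "R3": r3, "R5": r5}


def trace(tables, start, dst):
    """Forward hop by hop; return (outcome, list of routers visited)."""
    path = [start]
    router = start
    while True:
        nh = lookup(tables[router], dst)
        if nh is None:
            return "no route on " + router, path
        if nh == "Null0":
            return "dropped at Null0 on " + router, path
        if nh == "connected":
            return "delivered by " + router, path
        if nh in path:                 # forwarding is deterministic, so this repeats
            return "loop", path + [nh]
        path.append(nh)
        router = nh


if __name__ == "__main__":
    for discard in (False, True):
        tables = build_tables(discard)
        for dst in ("10.5.1.1", "10.5.2.1"):
            print(discard, dst, trace(tables, "R2", dst))
```

With the discard route in place, traffic for the missing component stops at R3 instead of bouncing between R3 and R2 until the TTL expires.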

 

Route Leak between VRFs with Import MAP

We will discuss route-leaking between VRFs using different import-map techniques in this session.

Here is the network topology for our discussion.

[Figure: mpls-vrf-import network topology]

 

Task requirement: On R1, VRF AAA should import prefix 10.4.2.0/24 from ASN 444 and 10.6.1.0/24 from ASN 666.

 

Pre-Configuration of devices:

R1:

hostname R1
!
vrf definition AAA
 rd 333:3
 !
 address-family ipv4
 route-target export 333:3
 route-target import 333:3
 exit-address-family
!
interface Loopback0
 ip address 172.16.0.1 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip address 172.16.12.1 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip
!
interface FastEthernet1/0
 vrf forwarding AAA
 ip address 172.16.13.1 255.255.255.0
!
router ospf 1
 log-adjacency-changes
!
router bgp 100
 bgp router-id 172.16.0.1
 no bgp default ipv4-unicast
 no bgp default route-target filter
 bgp log-neighbor-changes
 neighbor 172.16.0.2 remote-as 100
 neighbor 172.16.0.2 update-source Loopback0
 !
 address-family ipv4
  no synchronization
  no auto-summary
 exit-address-family
 !
 address-family vpnv4
  neighbor 172.16.0.2 activate
  neighbor 172.16.0.2 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf AAA
  no synchronization
  redistribute connected
  neighbor 172.16.13.3 remote-as 333
  neighbor 172.16.13.3 activate
 exit-address-family
!
end



R2:


hostname R2
!
vrf definition BBB
 rd 444:4
 !
 address-family ipv4
 route-target export 444:4
 route-target import 444:4
 exit-address-family
!
vrf definition CCC
 rd 666:6
 !
 address-family ipv4
 route-target export 666:6
 route-target import 666:6
 exit-address-family
!
interface Loopback0
 ip address 172.16.0.2 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip address 172.16.12.2 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip
!
interface FastEthernet1/0
 vrf forwarding BBB
 ip address 172.16.24.2 255.255.255.0
!
interface FastEthernet1/1
 vrf forwarding CCC
 ip address 172.16.26.2 255.255.255.0
!
router ospf 1
 log-adjacency-changes
!
router bgp 100
 bgp router-id 172.16.0.2
 no bgp default ipv4-unicast
 no bgp default route-target filter
 bgp log-neighbor-changes
 neighbor 172.16.0.1 remote-as 100
 neighbor 172.16.0.1 update-source Loopback0
 !
 address-family ipv4
  no synchronization
  no auto-summary
 exit-address-family
 !
 address-family vpnv4
  neighbor 172.16.0.1 activate
  neighbor 172.16.0.1 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf BBB
  no synchronization
  redistribute connected
  neighbor 172.16.24.4 remote-as 444
  neighbor 172.16.24.4 activate
 exit-address-family
 !
 address-family ipv4 vrf CCC
  no synchronization
  redistribute connected
  neighbor 172.16.26.6 remote-as 666
  neighbor 172.16.26.6 activate
 exit-address-family
!


R3:

hostname R3
!
interface Loopback1
 ip address 10.3.1.1 255.255.255.0
!
interface Loopback2
 ip address 10.3.2.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 172.16.13.3 255.255.255.0
!
router bgp 333
 no synchronization
 bgp router-id 172.16.13.3
 bgp log-neighbor-changes
 network 10.3.1.0 mask 255.255.255.0
 network 10.3.2.0 mask 255.255.255.0
 neighbor 172.16.13.1 remote-as 100
 no auto-summary
!

R4:

hostname R4
!
interface Loopback1
 ip address 10.4.1.1 255.255.255.0
!
interface Loopback2
 ip address 10.4.2.1 255.255.255.0
!
interface Loopback192
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 172.16.24.4 255.255.255.0
!
router bgp 444
 no synchronization
 bgp router-id 172.16.24.4
 bgp log-neighbor-changes
 network 10.4.1.0 mask 255.255.255.0
 network 10.4.2.0 mask 255.255.255.0
 network 192.168.1.0
 neighbor 172.16.24.2 remote-as 100
 no auto-summary
!


R6:

hostname R6
!
interface Loopback1
 ip address 10.6.1.1 255.255.255.0
!
interface Loopback2
 ip address 10.6.2.1 255.255.255.0
!
interface Loopback192
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 172.16.26.6 255.255.255.0
!
router bgp 666
 no synchronization
 bgp router-id 172.16.26.6
 bgp log-neighbor-changes
 network 10.6.1.0 mask 255.255.255.0
 network 10.6.2.0 mask 255.255.255.0
 network 192.168.1.0
 neighbor 172.16.26.2 remote-as 100
 no auto-summary
!

All BGP neighborships are up, and the routers are advertising their respective prefixes into BGP.

R1#sh bgp all summary 
For address family: VPNv4 Unicast
BGP router identifier 172.16.0.1, local AS number 100
BGP table version is 4, main routing table version 4
3 network entries using 456 bytes of memory
3 path entries using 156 bytes of memory
5/2 BGP path/bestpath attribute entries using 660 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
3 BGP extended community entries using 72 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 1368 total bytes of memory
BGP activity 6/3 prefixes, 6/3 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
172.16.0.2      4          100       8       4        4    0    0 00:01:15        0
172.16.13.3     4          333       6       3        4    0    0 00:01:15        2

R1#sh bgp vpnv4 unicast all 
BGP table version is 12, local router ID is 172.16.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 333:3 (default for vrf AAA)
*> 10.3.1.0/24      172.16.13.3              0             0 333 i
*> 10.3.2.0/24      172.16.13.3              0             0 333 i
*> 172.16.13.0/24   0.0.0.0                  0         32768 ?
Route Distinguisher: 444:4
*>i10.4.1.0/24      172.16.0.2               0    100      0 444 i
*>i10.4.2.0/24      172.16.0.2               0    100      0 444 i
*>i172.16.24.0/24   172.16.0.2               0    100      0 ?
*>i192.168.1.0      172.16.0.2               0    100      0 444 i
Route Distinguisher: 666:6
*>i10.6.1.0/24      172.16.0.2               0    100      0 666 i
*>i10.6.2.0/24      172.16.0.2               0    100      0 666 i
*>i172.16.26.0/24   172.16.0.2               0    100      0 ?
*>i192.168.1.0      172.16.0.2               0    100      0 666 i



R2#sh bgp all summary 
For address family: VPNv4 Unicast
BGP router identifier 172.16.0.2, local AS number 100
BGP table version is 9, main routing table version 9
8 network entries using 1216 bytes of memory
8 path entries using 416 bytes of memory
6/4 BGP path/bestpath attribute entries using 792 bytes of memory
2 BGP AS-PATH entries using 48 bytes of memory
2 BGP extended community entries using 48 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 2520 total bytes of memory
BGP activity 22/14 prefixes, 22/14 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
172.16.0.1      4          100       6       9        9    0    0 00:01:40        0
172.16.24.4     4          444       6       6        9    0    0 00:01:45        3
172.16.26.6     4          666       6       6        9    0    0 00:01:45        3

R2#sh bgp vpnv4 unicast all 
BGP table version is 12, local router ID is 172.16.0.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 333:3
*>i10.3.1.0/24      172.16.0.1               0    100      0 333 i
*>i10.3.2.0/24      172.16.0.1               0    100      0 333 i
*>i172.16.13.0/24   172.16.0.1               0    100      0 ?
Route Distinguisher: 444:4 (default for vrf BBB)
*> 10.4.1.0/24      172.16.24.4              0             0 444 i
*> 10.4.2.0/24      172.16.24.4              0             0 444 i
*> 172.16.24.0/24   0.0.0.0                  0         32768 ?
*> 192.168.1.0      172.16.24.4              0             0 444 i
Route Distinguisher: 666:6 (default for vrf CCC)
*> 10.6.1.0/24      172.16.26.6              0             0 666 i
*> 10.6.2.0/24      172.16.26.6              0             0 666 i
*> 172.16.26.0/24   0.0.0.0                  0         32768 ?
*> 192.168.1.0      172.16.26.6              0             0 666 i



R3#sh ip bgp summary 
BGP router identifier 172.16.13.3, local AS number 333
BGP table version is 29, main routing table version 29
3 network entries using 384 bytes of memory
3 path entries using 156 bytes of memory
2/2 BGP path/bestpath attribute entries using 248 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 812 total bytes of memory
BGP activity 14/11 prefixes, 15/12 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
172.16.13.1     4          100      11      12       29    0    0 00:07:10        1

R3#sh ip bgp 
BGP table version is 29, local router ID is 172.16.13.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.3.1.0/24      0.0.0.0                  0         32768 i
*> 10.3.2.0/24      0.0.0.0                  0         32768 i
r> 172.16.13.0/24   172.16.13.1              0             0 100 ?


R3#sh ip route     
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        10.3.1.0/24 is directly connected, Loopback1
L        10.3.1.1/32 is directly connected, Loopback1
C        10.3.2.0/24 is directly connected, Loopback2
L        10.3.2.1/32 is directly connected, Loopback2
      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.13.0/24 is directly connected, FastEthernet0/0
L        172.16.13.3/32 is directly connected, FastEthernet0/0



R4#sh ip bgp sum
BGP router identifier 172.16.24.4, local AS number 444
BGP table version is 31, main routing table version 31
4 network entries using 512 bytes of memory
4 path entries using 208 bytes of memory
2/2 BGP path/bestpath attribute entries using 248 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 992 total bytes of memory
BGP activity 14/10 prefixes, 17/13 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
172.16.24.2     4          100      13      14       31    0    0 00:08:25        1

R4#sh ip bgp
BGP table version is 31, local router ID is 172.16.24.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.4.1.0/24      0.0.0.0                  0         32768 i
*> 10.4.2.0/24      0.0.0.0                  0         32768 i
r> 172.16.24.0/24   172.16.24.2              0             0 100 ?
*> 192.168.1.0      0.0.0.0                  0         32768 i

R4#sh ip route 
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        10.4.1.0/24 is directly connected, Loopback1
L        10.4.1.1/32 is directly connected, Loopback1
C        10.4.2.0/24 is directly connected, Loopback2
L        10.4.2.1/32 is directly connected, Loopback2
      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.24.0/24 is directly connected, FastEthernet0/0
L        172.16.24.4/32 is directly connected, FastEthernet0/0
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, Loopback192
L        192.168.1.1/32 is directly connected, Loopback192




R6#sh ip bgp sum
BGP router identifier 172.16.26.6, local AS number 666
BGP table version is 33, main routing table version 33
4 network entries using 512 bytes of memory
4 path entries using 208 bytes of memory
2/2 BGP path/bestpath attribute entries using 248 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 992 total bytes of memory
BGP activity 13/9 prefixes, 18/14 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
172.16.26.2     4          100      14      14       33    0    0 00:09:03        1

R6#sh ip bgp
BGP table version is 33, local router ID is 172.16.26.6
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.6.1.0/24      0.0.0.0                  0         32768 i
*> 10.6.2.0/24      0.0.0.0                  0         32768 i
r> 172.16.26.0/24   172.16.26.2              0             0 100 ?
*> 192.168.1.0      0.0.0.0                  0         32768 i

R6#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        10.6.1.0/24 is directly connected, Loopback1
L        10.6.1.1/32 is directly connected, Loopback1
C        10.6.2.0/24 is directly connected, Loopback2
L        10.6.2.1/32 is directly connected, Loopback2
      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.26.0/24 is directly connected, FastEthernet0/0
L        172.16.26.6/32 is directly connected, FastEthernet0/0
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, Loopback192
L        192.168.1.1/32 is directly connected, Loopback192

If we look at the configuration on R2, the ASN 444 prefixes are exported with route-target value 444:4. This is the extended community attached to every prefix exported from VRF BBB into the BGP table.

We can verify this with the show output on R2 for any route of VRF BBB.

R2#sh bgp vpnv4 unicast vrf BBB 10.4.2.0
BGP routing table entry for 444:4:10.4.2.0/24, version 3
Paths: (1 available, best #1, table BBB)
  Advertised to update-groups:
     7         
  444
    172.16.24.4 from 172.16.24.4 (172.16.24.4)
      Origin IGP, metric 0, localpref 100, valid, external, best
      Extended Community: RT:444:4
      mpls labels in/out 34/nolabel

Let’s import the prefixes from ASN 444 into VRF AAA on router R1.

R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#vrf definition AAA
R1(config-vrf)#address-family ipv4
R1(config-vrf-af)#route-target import ?
 ASN:nn or IP-address:nn Target VPN Extended Community

R1(config-vrf-af)#route-target import 444:4
R1(config-vrf-af)#end
R1#

We can see that the prefixes with extended community value 444:4 are now imported into VRF AAA, and the same would be advertised to BGP peer R3.

R1#sh bgp vpnv4 unicast all 
BGP table version is 16, local router ID is 172.16.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 333:3 (default for vrf AAA)
*> 10.3.1.0/24      172.16.13.3              0             0 333 i
*> 10.3.2.0/24      172.16.13.3              0             0 333 i
*>i10.4.1.0/24      172.16.0.2               0    100      0 444 i
*>i10.4.2.0/24      172.16.0.2               0    100      0 444 i
*> 172.16.13.0/24   0.0.0.0                  0         32768 ?
*>i172.16.24.0/24   172.16.0.2               0    100      0 ?
*>i192.168.1.0      172.16.0.2               0    100      0 444 i
Route Distinguisher: 444:4
*>i10.4.1.0/24      172.16.0.2               0    100      0 444 i
*>i10.4.2.0/24      172.16.0.2               0    100      0 444 i
*>i172.16.24.0/24   172.16.0.2               0    100      0 ?
*>i192.168.1.0      172.16.0.2               0    100      0 444 i
Route Distinguisher: 666:6
*>i10.6.1.0/24      172.16.0.2               0    100      0 666 i
   Network          Next Hop            Metric LocPrf Weight Path
*>i10.6.2.0/24      172.16.0.2               0    100      0 666 i
*>i172.16.26.0/24   172.16.0.2               0    100      0 ?
*>i192.168.1.0      172.16.0.2               0    100      0 666 i

BGP table and routing table on R3:

R3#sh ip bgp sum
BGP router identifier 172.16.13.3, local AS number 333
BGP table version is 33, main routing table version 33
7 network entries using 896 bytes of memory
7 path entries using 364 bytes of memory
4/4 BGP path/bestpath attribute entries using 496 bytes of memory
2 BGP AS-PATH entries using 48 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 1804 total bytes of memory
BGP activity 18/11 prefixes, 19/12 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
172.16.13.1     4          100      44      44       33    0    0 00:35:47        5

R3#sh ip bgp
BGP table version is 33, local router ID is 172.16.13.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.3.1.0/24      0.0.0.0                  0         32768 i
*> 10.3.2.0/24      0.0.0.0                  0         32768 i
*> 10.4.1.0/24      172.16.13.1                            0 100 444 i
*> 10.4.2.0/24      172.16.13.1                            0 100 444 i
r> 172.16.13.0/24   172.16.13.1              0             0 100 ?
*> 172.16.24.0/24   172.16.13.1                            0 100 ?
*> 192.168.1.0      172.16.13.1                            0 100 444 i

R3#sh ip route bgp 
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
B        10.4.1.0/24 [20/0] via 172.16.13.1, 00:02:43
B        10.4.2.0/24 [20/0] via 172.16.13.1, 00:02:43
      172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
B        172.16.24.0/24 [20/0] via 172.16.13.1, 00:02:43
B     192.168.1.0/24 [20/0] via 172.16.13.1, 00:02:43

But we are receiving more prefixes (all of the prefixes advertised by R4) than the requirement calls for.
We can use a route-map as an import map under the VRF to filter the prefixes as required.

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ip prefix-list R4-SELECTIVE-PREFIX seq 5 permit 10.4.2.0/24
R1(config)#
R1(config)#route-map AAA-VRF-IMPORT permit 10
R1(config-route-map)#match ip address prefix-list R4-SELECTIVE-PREFIX
R1(config-route-map)#exit
R1(config)#
R1(config)#vrf definition AAA
R1(config-vrf)#address-family ipv4
R1(config-vrf-af)#import map AAA-VRF-IMPORT
R1(config-vrf-af)#end
R1#
R1#clear bgp vpnv4 unicast * soft

Let’s do the same to import the prefix from VRF CCC.

R1#
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ip prefix-list R6-SELECTIVE-PREFIX seq 5 permit 10.6.1.0/24
R1(config)#
R1(config)#route-map AAA-VRF-IMPORT permit 20
R1(config-route-map)#match ip address prefix-list R6-SELECTIVE-PREFIX
R1(config-route-map)#
R1(config-route-map)#vrf definition AAA
R1(config-vrf)#address-family ipv4
R1(config-vrf-af)#route-target import 666:6
R1(config-vrf-af)#end
R1#
R1#clear bgp vpnv4 unicast * soft 
R1#

Verify the BGP table for VRF AAA on R1. It has now imported only the specific routes that are permitted by the route-map.

R1#sh bgp vpnv4 unicast vrf AAA 
BGP table version is 20, local router ID is 172.16.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 333:3 (default for vrf AAA)
*> 10.3.1.0/24      172.16.13.3              0             0 333 i
*> 10.3.2.0/24      172.16.13.3              0             0 333 i
*>i10.4.2.0/24      172.16.0.2               0    100      0 444 i
*>i10.6.1.0/24      172.16.0.2               0    100      0 666 i
*> 172.16.13.0/24   0.0.0.0                  0         32768 ?
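
The import decision shown above, as an added example that is not part of the original lab and not IOS code: a simplified model in which a remote VPNv4 route enters VRF AAA only if it carries an imported route-target and the import map permits it. The route list is constructed from R1's output, and `audit` is a hypothetical helper that reports prefixes leaked beyond the task requirement and prefixes arriving from more than one RD.

```python
import ipaddress
from collections import defaultdict

# Constructed from R1's "sh bgp vpnv4 unicast all": (RD, prefix, export RT).
# 192.168.1.0 is printed classfully there; /24 matches the Loopback192 mask.
REMOTE_VPNV4 = [
    ("444:4", "10.4.1.0/24", "444:4"),
    ("444:4", "10.4.2.0/24", "444:4"),
    ("444:4", "172.16.24.0/24", "444:4"),
    ("444:4", "192.168.1.0/24", "444:4"),
    ("666:6", "10.6.1.0/24", "666:6"),
    ("666:6", "10.6.2.0/24", "666:6"),
    ("666:6", "172.16.26.0/24", "666:6"),
    ("666:6", "192.168.1.0/24", "666:6"),
]

# Prefix-list entries as configured on R1: (seq, action, network, ge, le).
PREFIX_LISTS = {
    "R4-SELECTIVE-PREFIX": [(5, "permit", "10.4.2.0/24", None, None)],
    "R6-SELECTIVE-PREFIX": [(5, "permit", "10.6.1.0/24", None, None)],
}

# Route-map sequences as configured on R1: (seq, action, prefix-list name).
AAA_VRF_IMPORT = [
    (10, "permit", "R4-SELECTIVE-PREFIX"),
    (20, "permit", "R6-SELECTIVE-PREFIX"),
]

REQUIRED = {"10.4.2.0/24", "10.6.1.0/24"}  # the task requirement


def prefix_list_permits(name, prefix):
    """First matching entry decides; no matching entry is an implicit deny."""
    route = ipaddress.ip_network(prefix)
    for _seq, action, network, ge, le in sorted(PREFIX_LISTS[name],
                                                key=lambda e: e[0]):
        net = ipaddress.ip_network(network)
        lo = ge if ge is not None else net.prefixlen
        hi = le if le is not None else (32 if ge is not None else net.prefixlen)
        if route.subnet_of(net) and lo <= route.prefixlen <= hi:
            return action == "permit"
    return False


def route_map_permits(route_map, prefix):
    """Sequences run in order; a route matching no sequence is denied."""
    for _seq, action, plist in sorted(route_map, key=lambda s: s[0]):
        if prefix_list_permits(plist, prefix):
            return action == "permit"
    return False


def import_into_vrf(import_rts, import_map=None):
    """Return {prefix: [RDs]} for the remote routes the VRF would import."""
    imported = defaultdict(list)
    for rd, prefix, rt in REMOTE_VPNV4:
        if rt not in import_rts:
            continue  # no matching "route-target import"
        if import_map is not None and not route_map_permits(import_map, prefix):
            continue  # filtered by "import map"
        imported[prefix].append(rd)
    return dict(imported)


def audit(imported):
    """Return (prefixes beyond the requirement, prefixes seen from >1 RD)."""
    excess = sorted(set(imported) - REQUIRED)
    overlapping = sorted(p for p, rds in imported.items() if len(rds) > 1)
    return excess, overlapping


if __name__ == "__main__":
    cases = [
        ("RT 444:4 only, no import map", {"333:3", "444:4"}, None),
        ("both RTs, no import map", {"333:3", "444:4", "666:6"}, None),
        ("both RTs + AAA-VRF-IMPORT", {"333:3", "444:4", "666:6"}, AAA_VRF_IMPORT),
    ]
    for label, rts, rmap in cases:
        result = import_into_vrf(rts, rmap)
        print(label, sorted(result), audit(result))
```

Without the import map, importing both route-targets would also bring 192.168.1.0/24 into VRF AAA from two different customers, which is the overlap `audit` reports.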

Verify BGP table and Routing table on R3:

R3#sh ip bgp
BGP table version is 37, local router ID is 172.16.13.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.3.1.0/24      0.0.0.0                  0         32768 i
*> 10.3.2.0/24      0.0.0.0                  0         32768 i
*> 10.4.2.0/24      172.16.13.1                            0 100 444 i
*> 10.6.1.0/24      172.16.13.1                            0 100 666 i
r> 172.16.13.0/24   172.16.13.1              0             0 100 ?

R3#sh ip route bgp 
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
B        10.4.2.0/24 [20/0] via 172.16.13.1, 00:17:51
B        10.6.1.0/24 [20/0] via 172.16.13.1, 00:02:51

We have the route to reach remote networks of R4 and R6. Can we ping them?

R3#ping 10.4.2.1 source 10.3.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.2.1, timeout is 2 seconds:
Packet sent with a source address of 10.3.1.1 
.....
Success rate is 0 percent (0/5)

No. Why?
Because R4 and R6 don’t have a route to R3’s networks to send traffic back to R3.

R4#sh ip route 10.3.1.0
% Subnet not in table

We have to import VRF AAA’s routes into VRF BBB and VRF CCC to get end-to-end reachability for these networks.
Apply the configuration below on R2:

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#vrf definition BBB
R2(config-vrf)#address-family ipv4
R2(config-vrf-af)#route-target import 333:3
R2(config-vrf-af)#
R2(config-vrf-af)#vrf definition CCC
R2(config-vrf)#address-family ipv4
R2(config-vrf-af)#route-target import 333:3
R2(config-vrf-af)#end
R2#
R2#clear bgp vpnv4 unicast * soft 
R2#
R2#

R2 is showing prefixes of VRF AAA imported into vrf BBB and CCC.

R2#sh bgp vpnv4 unicast all         
BGP table version is 18, local router ID is 172.16.0.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 333:3
*>i10.3.1.0/24      172.16.0.1               0    100      0 333 i
*>i10.3.2.0/24      172.16.0.1               0    100      0 333 i
*>i172.16.13.0/24   172.16.0.1               0    100      0 ?
Route Distinguisher: 444:4 (default for vrf BBB)
*>i10.3.1.0/24      172.16.0.1               0    100      0 333 i
*>i10.3.2.0/24      172.16.0.1               0    100      0 333 i
*> 10.4.1.0/24      172.16.24.4              0             0 444 i
*> 10.4.2.0/24      172.16.24.4              0             0 444 i
*>i172.16.13.0/24   172.16.0.1               0    100      0 ?
*> 172.16.24.0/24   0.0.0.0                  0         32768 ?
*> 192.168.1.0      172.16.24.4              0             0 444 i
Route Distinguisher: 666:6 (default for vrf CCC)
*>i10.3.1.0/24      172.16.0.1               0    100      0 333 i
*>i10.3.2.0/24      172.16.0.1               0    100      0 333 i
   Network          Next Hop            Metric LocPrf Weight Path
*> 10.6.1.0/24      172.16.26.6              0             0 666 i
*> 10.6.2.0/24      172.16.26.6              0             0 666 i
*>i172.16.13.0/24   172.16.0.1               0    100      0 ?
*> 172.16.26.0/24   0.0.0.0                  0         32768 ?
*> 192.168.1.0      172.16.26.6              0             0 666 i
R2#

Let’s verify BGP table and Route table of R4 and R6.

R4#sh ip bgp
BGP table version is 34, local router ID is 172.16.24.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.3.1.0/24      172.16.24.2                            0 100 333 i
*> 10.3.2.0/24      172.16.24.2                            0 100 333 i
*> 10.4.1.0/24      0.0.0.0                  0         32768 i
*> 10.4.2.0/24      0.0.0.0                  0         32768 i
*> 172.16.13.0/24   172.16.24.2                            0 100 ?
r> 172.16.24.0/24   172.16.24.2              0             0 100 ?
*> 192.168.1.0      0.0.0.0                  0         32768 i
R4#sh ip route bgp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
B        10.3.1.0/24 [20/0] via 172.16.24.2, 00:01:59
B        10.3.2.0/24 [20/0] via 172.16.24.2, 00:01:59
      172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
B        172.16.13.0/24 [20/0] via 172.16.24.2, 00:01:59
R4#sh ip route 10.3.1.0
Routing entry for 10.3.1.0/24
  Known via "bgp 444", distance 20, metric 0
  Tag 100, type external
  Last update from 172.16.24.2 00:02:05 ago
  Routing Descriptor Blocks:
  * 172.16.24.2, from 172.16.24.2, 00:02:05 ago
      Route metric is 0, traffic share count is 1
      AS Hops 2
      Route tag 100
      MPLS label: none
R4#


R6#sh ip bgp
BGP table version is 36, local router ID is 172.16.26.6
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.3.1.0/24      172.16.26.2                            0 100 333 i
*> 10.3.2.0/24      172.16.26.2                            0 100 333 i
*> 10.6.1.0/24      0.0.0.0                  0         32768 i
*> 10.6.2.0/24      0.0.0.0                  0         32768 i
*> 172.16.13.0/24   172.16.26.2                            0 100 ?
r> 172.16.26.0/24   172.16.26.2              0             0 100 ?
*> 192.168.1.0      0.0.0.0                  0         32768 i
R6#
R6#sh ip route bgp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
B        10.3.1.0/24 [20/0] via 172.16.26.2, 00:02:29
B        10.3.2.0/24 [20/0] via 172.16.26.2, 00:02:29
      172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
B        172.16.13.0/24 [20/0] via 172.16.26.2, 00:02:29
R6#

Now check end-to-end connectivity with ping from R3 to the R4 and R6 networks.

R3#ping 10.4.2.1 source 10.3.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.2.1, timeout is 2 seconds:
Packet sent with a source address of 10.3.1.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/51/76 ms

R3#ping 10.6.1.1 source 10.3.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.6.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.3.1.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/52/64 ms

Everything looks fine so far.

We have another requirement: on router R1, VRF AAA has to import prefix 192.168.1.0/24 from VRF BBB.

Currently we are using the prefix lists and route-map below:

R1#sh run | s prefix-list|route-map
ip prefix-list R4-SELECTIVE-PREFIX seq 5 permit 10.4.2.0/24
ip prefix-list R6-SELECTIVE-PREFIX seq 5 permit 10.6.1.0/24
route-map AAA-VRF-IMPORT permit 10
 match ip address prefix-list R4-SELECTIVE-PREFIX
route-map AAA-VRF-IMPORT permit 20
 match ip address prefix-list R6-SELECTIVE-PREFIX

If we create another prefix-list entry to permit 192.168.1.0/24, we should be all set.

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ip prefix-list R4-SELECTIVE-PREFIX seq 10 permit 192.168.1.0/24
R1(config)#end
R1#

Let’s verify the routing table on R3. We have a route for 192.168.1.0/24 now.

R3#sh ip route bgp 
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
B        10.4.2.0/24 [20/0] via 172.16.13.1, 00:41:07
B        10.6.1.0/24 [20/0] via 172.16.13.1, 00:26:07
B     192.168.1.0/24 [20/0] via 172.16.13.1, 00:00:06

And we can ping the remote network as well.

R3#ping 192.168.1.1 source 10.3.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.3.1.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/39/56 ms

Everything looks fine.

Let’s go to router R4 and shut down interface Loopback192, which is used for network 192.168.1.0/24.

R4#sh run int l192
Building configuration...

Current configuration : 67 bytes
!
interface Loopback192
 ip address 192.168.1.1 255.255.255.0
end

R4#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R4(config)#int l192
R4(config-if)#shut
R4(config-if)#
R4(config-if)#
*Jun  4 19:29:03.474: %LINK-5-CHANGED: Interface Loopback192, changed state to administratively down
*Jun  4 19:29:04.474: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback192, changed state to down
R4(config-if)#

Now go to router R3 and try to ping 192.168.1.1 again. It should not be working, right?
But the ping still succeeds 🙂

Let’s see which device this 192.168.1.1 is.

R3#192.168.1.1
Trying 192.168.1.1 ... Open


User Access Verification

Password: 
R6#

Hmm... we are receiving the 192.168.1.0/24 prefix from R6 (VRF CCC).

Let’s re-enable interface Loopback192 on R4.

R4(config-if)#no shut
R4(config-if)#end
R4#
*Jun  4 19:31:05.626: %LINK-3-UPDOWN: Interface Loopback192, changed state to up
*Jun  4 19:31:06.490: %SYS-5-CONFIG_I: Configured from console by console
R4#
*Jun  4 19:31:06.626: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback192, changed state to up
R4#

Let’s see what is happening on router R1 when it imports routes from other VRFs.

R1#sh bgp vpnv4 unicast all    
BGP table version is 24, local router ID is 172.16.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 333:3 (default for vrf AAA)
*> 10.3.1.0/24      172.16.13.3              0             0 333 i
*> 10.3.2.0/24      172.16.13.3              0             0 333 i
*>i10.4.2.0/24      172.16.0.2               0    100      0 444 i
*>i10.6.1.0/24      172.16.0.2               0    100      0 666 i
*> 172.16.13.0/24   0.0.0.0                  0         32768 ?
* i192.168.1.0      172.16.0.2               0    100      0 444 i
*>i                 172.16.0.2               0    100      0 666 i
Route Distinguisher: 444:4
*>i10.4.1.0/24      172.16.0.2               0    100      0 444 i
*>i10.4.2.0/24      172.16.0.2               0    100      0 444 i
*>i172.16.24.0/24   172.16.0.2               0    100      0 ?
*>i192.168.1.0      172.16.0.2               0    100      0 444 i
Route Distinguisher: 666:6
*>i10.6.1.0/24      172.16.0.2               0    100      0 666 i
   Network          Next Hop            Metric LocPrf Weight Path
*>i10.6.2.0/24      172.16.0.2               0    100      0 666 i
*>i172.16.26.0/24   172.16.0.2               0    100      0 ?
*>i192.168.1.0      172.16.0.2               0    100      0 666 i
R1#

It has imported this route from two different VRFs (BBB and CCC).

R1#sh bgp vpnv4 unicast vrf AAA 192.168.1.0
BGP routing table entry for 333:3:192.168.1.0/24, version 23
Paths: (2 available, best #2, table AAA)
  Advertised to update-groups:
     5         
  444, imported path from 444:4:192.168.1.0/24
    172.16.0.2 (metric 2) from 172.16.0.2 (172.16.0.2)
      Origin IGP, metric 0, localpref 100, valid, internal
      Extended Community: RT:444:4
      mpls labels in/out nolabel/21
  666, imported path from 666:6:192.168.1.0/24
    172.16.0.2 (metric 2) from 172.16.0.2 (172.16.0.2)
      Origin IGP, metric 0, localpref 100, valid, internal, best
      Extended Community: RT:666:6
      mpls labels in/out nolabel/38

This is not our requirement. We want to import it only from VRF BBB.

We have to match the prefix along with the extended-community value to achieve this goal.

Create extended-community lists and match them inside the route-map.

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ip extcommunity-list standard FROM-R4 permit rt 444:4
R1(config)#ip extcommunity-list standard FROM-R6 permit rt 666:6
R1(config)#
R1(config)#route-map AAA-VRF-IMPORT permit 10
R1(config-route-map)#match extcommunity FROM-R4
R1(config-route-map)#route-map AAA-VRF-IMPORT permit 20
R1(config-route-map)#match extcommunity FROM-R6        
R1(config-route-map)#end
R1#

We have this configuration now:

R1#sh run | s prefix|extcommunity-list|route-map
ip extcommunity-list standard FROM-R4 permit rt 444:4
ip extcommunity-list standard FROM-R6 permit rt 666:6
ip prefix-list R4-SELECTIVE-PREFIX seq 5 permit 10.4.2.0/24
ip prefix-list R4-SELECTIVE-PREFIX seq 10 permit 192.168.1.0/24
ip prefix-list R6-SELECTIVE-PREFIX seq 5 permit 10.6.1.0/24
route-map AAA-VRF-IMPORT permit 10
 match ip address prefix-list R4-SELECTIVE-PREFIX
 match extcommunity FROM-R4
route-map AAA-VRF-IMPORT permit 20
 match ip address prefix-list R6-SELECTIVE-PREFIX
 match extcommunity FROM-R6
R1#

Here the route-map uses Boolean AND logic within each sequence: a prefix is permitted only if it is matched by BOTH conditions, the prefix-list and the extended-community value.

Route-map sequence #10 will match prefixes 10.4.2.0/24 and 192.168.1.0/24 only if they carry the RT extended-community value 444:4.

Similarly, route-map sequence #20 will match prefix 10.6.1.0/24 only if it carries the RT extended-community value 666:6.
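The import decision described above can be modelled offline to audit an import map for prefixes that leak in from more than one VRF. This is an added example, not configuration or code from the original post; the path list is constructed from the VPNv4 table shown earlier, and the function names and the simplified evaluation (permit sequences only, exact-match prefix-list entries, implicit deny at the end) are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Path:
    prefix: str  # IPv4 prefix carried in the VPNv4 route
    rt: str      # route-target extended community attached by the exporting VRF


# Constructed from the "sh bgp vpnv4 unicast all" output above:
# RD 444:4 paths are exported by VRF BBB, RD 666:6 paths by VRF CCC.
VPNV4_PATHS = [
    Path("10.4.1.0/24", "444:4"),
    Path("10.4.2.0/24", "444:4"),
    Path("172.16.24.0/24", "444:4"),
    Path("192.168.1.0/24", "444:4"),
    Path("10.6.1.0/24", "666:6"),
    Path("10.6.2.0/24", "666:6"),
    Path("172.16.26.0/24", "666:6"),
    Path("192.168.1.0/24", "666:6"),
]

# "route-target import" statements of VRF AAA on R1
RT_IMPORT = {"333:3", "444:4", "666:6"}

PREFIX_LISTS = {
    "R4-SELECTIVE-PREFIX": ["10.4.2.0/24", "192.168.1.0/24"],
    "R6-SELECTIVE-PREFIX": ["10.6.1.0/24"],
}
EXTCOMM_LISTS = {"FROM-R4": {"444:4"}, "FROM-R6": {"666:6"}}

# Import map before the fix: each sequence matches on the prefix-list only.
ROUTE_MAP_BEFORE = [
    {"seq": 10, "prefix_list": "R4-SELECTIVE-PREFIX"},
    {"seq": 20, "prefix_list": "R6-SELECTIVE-PREFIX"},
]
# Import map after the fix: prefix-list AND extcommunity in every sequence.
ROUTE_MAP_AFTER = [
    {"seq": 10, "prefix_list": "R4-SELECTIVE-PREFIX", "extcommunity": "FROM-R4"},
    {"seq": 20, "prefix_list": "R6-SELECTIVE-PREFIX", "extcommunity": "FROM-R6"},
]


def sequence_matches(seq, path):
    """Every match statement present in one sequence must match (Boolean AND)."""
    pl = seq.get("prefix_list")
    if pl is not None:
        wanted = ip_network(path.prefix)
        if not any(wanted == ip_network(entry) for entry in PREFIX_LISTS[pl]):
            return False
    ec = seq.get("extcommunity")
    if ec is not None and path.rt not in EXTCOMM_LISTS[ec]:
        return False
    return True


def imported_paths(route_map, paths=VPNV4_PATHS):
    """Paths that pass the route-target import filter and the import map."""
    selected = []
    for path in paths:
        if path.rt not in RT_IMPORT:
            continue  # no matching "route-target import"
        # Sequences are ORed: the first permit sequence that matches wins;
        # a path that matches none hits the implicit deny.
        if any(sequence_matches(seq, path) for seq in route_map):
            selected.append(path)
    return selected


def multi_source_prefixes(route_map):
    """Prefixes imported with more than one route-target (overlap between VRFs)."""
    sources = {}
    for path in imported_paths(route_map):
        sources.setdefault(path.prefix, set()).add(path.rt)
    return {p: sorted(rts) for p, rts in sources.items() if len(rts) > 1}


if __name__ == "__main__":
    for name, rm in (("prefix-list only", ROUTE_MAP_BEFORE),
                     ("prefix-list AND extcommunity", ROUTE_MAP_AFTER)):
        print(name)
        for p in imported_paths(rm):
            print(f"  import {p.prefix} RT:{p.rt}")
        print("  imported from more than one VRF:", multi_source_prefixes(rm))
```

A non-empty result from `multi_source_prefixes` flags exactly the situation seen above, where traffic for 192.168.1.1 silently reached a device in a different VRF.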

Verify the VRF AAA BGP table on router R1 now.

R1#sh bgp vpnv4 unicast vrf AAA
BGP table version is 25, local router ID is 172.16.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 333:3 (default for vrf AAA)
*> 10.3.1.0/24      172.16.13.3              0             0 333 i
*> 10.3.2.0/24      172.16.13.3              0             0 333 i
*>i10.4.2.0/24      172.16.0.2               0    100      0 444 i
*>i10.6.1.0/24      172.16.0.2               0    100      0 666 i
*> 172.16.13.0/24   0.0.0.0                  0         32768 ?
*>i192.168.1.0      172.16.0.2               0    100      0 444 i

R1#sh bgp vpnv4 unicast vrf AAA 192.168.1.0
BGP routing table entry for 333:3:192.168.1.0/24, version 25
Paths: (1 available, best #1, table AAA)
  Advertised to update-groups:
     5         
  444, imported path from 444:4:192.168.1.0/24
    172.16.0.2 (metric 2) from 172.16.0.2 (172.16.0.2)
      Origin IGP, metric 0, localpref 100, valid, internal, best
      Extended Community: RT:444:4
      mpls labels in/out nolabel/21

Verify the BGP table and reachability from R3 for all remote networks.

R3#sh ip bgp
BGP table version is 40, local router ID is 172.16.13.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.3.1.0/24      0.0.0.0                  0         32768 i
*> 10.3.2.0/24      0.0.0.0                  0         32768 i
*> 10.4.2.0/24      172.16.13.1                            0 100 444 i
*> 10.6.1.0/24      172.16.13.1                            0 100 666 i
r> 172.16.13.0/24   172.16.13.1              0             0 100 ?
*> 192.168.1.0      172.16.13.1                            0 100 444 i


R3#sh ip route bgp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
B        10.4.2.0/24 [20/0] via 172.16.13.1, 01:02:20
B        10.6.1.0/24 [20/0] via 172.16.13.1, 00:47:20
B     192.168.1.0/24 [20/0] via 172.16.13.1, 00:08:19


R3#ping 10.4.2.1 source 10.3.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.2.1, timeout is 2 seconds:
Packet sent with a source address of 10.3.1.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/48/60 ms

R3#ping 10.6.1.1 source 10.3.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.6.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.3.1.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/49/64 ms

R3#ping 192.168.1.1 source 10.3.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.3.1.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/45/72 ms

Final Configuration on R1 and R2.

R1:

vrf definition AAA
 rd 333:3
 !
 address-family ipv4
  import map AAA-VRF-IMPORT
  route-target export 333:3
  route-target import 333:3
  route-target import 444:4
  route-target import 666:6
 exit-address-family
!
interface Loopback0
 ip address 172.16.0.1 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip address 172.16.12.1 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip
!
interface FastEthernet1/0
 vrf forwarding AAA
 ip address 172.16.13.1 255.255.255.0
 speed 100
 duplex full
!
router ospf 1
 log-adjacency-changes
!
router bgp 100
 bgp router-id 172.16.0.1
 no bgp default ipv4-unicast
 no bgp default route-target filter
 bgp log-neighbor-changes
 neighbor 172.16.0.2 remote-as 100
 neighbor 172.16.0.2 update-source Loopback0
 !
 address-family ipv4
  no synchronization
  no auto-summary
 exit-address-family
 !
 address-family vpnv4
  neighbor 172.16.0.2 activate
  neighbor 172.16.0.2 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf AAA
  no synchronization
  redistribute connected
  neighbor 172.16.13.3 remote-as 333
  neighbor 172.16.13.3 activate
 exit-address-family
!
!
ip extcommunity-list standard FROM-R4 permit rt 444:4
ip extcommunity-list standard FROM-R6 permit rt 666:6
!
ip prefix-list R4-SELECTIVE-PREFIX seq 5 permit 10.4.2.0/24
ip prefix-list R4-SELECTIVE-PREFIX seq 10 permit 192.168.1.0/24
!
ip prefix-list R6-SELECTIVE-PREFIX seq 5 permit 10.6.1.0/24
!
route-map AAA-VRF-IMPORT permit 10
 match ip address prefix-list R4-SELECTIVE-PREFIX
 match extcommunity FROM-R4
!
route-map AAA-VRF-IMPORT permit 20
 match ip address prefix-list R6-SELECTIVE-PREFIX
 match extcommunity FROM-R6
!

R2:

vrf definition BBB
 rd 444:4
 !
 address-family ipv4
  route-target export 444:4
  route-target import 444:4
  route-target import 333:3
 exit-address-family
!
vrf definition CCC
 rd 666:6
 !
 address-family ipv4
  route-target export 666:6
  route-target import 666:6
  route-target import 333:3
 exit-address-family
!
interface Loopback0
 ip address 172.16.0.2 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip address 172.16.12.2 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip
!
interface FastEthernet1/0
 vrf forwarding BBB
 ip address 172.16.24.2 255.255.255.0
!
interface FastEthernet1/1
 vrf forwarding CCC
 ip address 172.16.26.2 255.255.255.0
!
router ospf 1
 log-adjacency-changes
!
router bgp 100
 bgp router-id 172.16.0.2
 no bgp default ipv4-unicast
 no bgp default route-target filter
 bgp log-neighbor-changes
 neighbor 172.16.0.1 remote-as 100
 neighbor 172.16.0.1 update-source Loopback0
 !
 address-family ipv4
  no synchronization
  no auto-summary
 exit-address-family
 !
 address-family vpnv4
  neighbor 172.16.0.1 activate
  neighbor 172.16.0.1 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf BBB
  no synchronization
  redistribute connected
  neighbor 172.16.24.4 remote-as 444
  neighbor 172.16.24.4 activate
 exit-address-family
 !
 address-family ipv4 vrf CCC
  no synchronization
  redistribute connected
  neighbor 172.16.26.6 remote-as 666
  neighbor 172.16.26.6 activate
 exit-address-family

Packet Flow through Cisco ASA Firewall

Cisco ASA Packet Process Algorithm

The interface that receives the packet is called the ingress interface and the interface through which the packet exits is called the egress interface. When referring to the packet flow through any device, it can be easily simplified by looking at the task in terms of these two interfaces.

Here is a diagram of how the Cisco ASA processes the packet that it receives:

asa-packet-flow-2

Here are the individual steps in detail:

1. The packet arrives at the ingress interface.

2. Once the packet reaches the internal buffer of the interface, the input counter of the interface is incremented by one.

3. Cisco ASA will first verify if this is an existing connection by looking at its internal connection table details. If the packet flow matches an existing connection, then the access-control list (ACL) check is bypassed, and the packet is moved forward.

If packet flow does not match an existing connection, then TCP state is verified. If it is a SYN packet or UDP packet, then the connection counter is incremented by one and the packet is sent for an ACL check. If it is not a SYN packet, the packet is dropped and the event is logged.

4. The packet is processed as per the interface ACLs. It is verified in sequential order of the ACL entries and if it matches any of the ACL entries, it moves forward. Otherwise, the packet is dropped and the information is logged. The ACL hit count will be incremented by one when the packet matches the ACL entry.

5. The packet is verified for the translation rules. If a packet passes through this check, then a connection entry is created for this flow, and the packet moves forward. Otherwise, the packet is dropped and the information is logged.

6. The packet is subjected to an Inspection Check. This inspection verifies whether or not this specific packet flow is in compliance with the protocol. Cisco ASA has a built-in inspection engine that inspects each connection as per its pre-defined set of application-level functionalities. If it passed the inspection, it is moved forward. Otherwise, the packet is dropped and the information is logged.

Additional Security-Checks will be implemented if a CSC module is involved.

7. The IP header information is translated as per the NAT/PAT rule and checksums are updated accordingly. The packet is forwarded to AIP-SSM for IPS related security checks, when the AIP module is involved.

8. The packet is forwarded to the egress interface based on the translation rules. If no egress interface is specified in the translation rule, then the destination interface is decided based on global route lookup.

9. On the egress interface, the interface route lookup is performed. Remember, the egress interface is determined by the translation rule that will take the priority.

10. Once a Layer 3 route has been found and the next hop identified, Layer 2 resolution is performed. Layer 2 rewrite of MAC header happens at this stage.

11. The packet is transmitted on wire, and Interface counters increment on the egress interface.

Show Commands

Here are some useful commands that help in tracking the packet flow details at different stages of processing:

Show interface
Show conn
Show access-list
Show xlate
Show service-policy inspect
Show run static
Show run nat
Show run global
Show nat
Show route
Show arp

Syslog Messages

Syslog messages provide useful information about packet processing. Here are some example syslog messages for your reference:

Syslog message when there is no connection entry:

%ASA-6-106015: Deny TCP (no connection) from
IP_address/port to IP_address/port flags tcp_flags on interface
interface_name

Syslog message when the packet is denied by an access-list:

%ASA-4-106023: Deny protocol src
[interface_name:source_address/source_port] dst
interface_name:dest_address/dest_port by access_group
acl_ID

Syslog message when no translation rule is found:

%ASA-3-305005: No translation group found for protocol
src interface_name: source_address/source_port dst interface_name:
dest_address/dest_port

Syslog message when a packet is denied by Security Inspection:

%ASA-4-405104: H225 message received from
outside_address/outside_port to inside_address/inside_port before
SETUP

Syslog message when there is no route information:

%ASA-6-110003: Routing failed to locate next-hop for
protocol from src interface:src IP/src port to dest interface:dest IP/dest
port
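The five message IDs above each correspond to one point in the packet-processing sequence, so a drop log can be triaged by stage. The following is an added example, not part of the original post: the log lines are constructed from the templates above (host name `fw1`, addresses, ACL name and the short stage labels are assumptions), and one non-drop message is included to show that unlisted IDs are ignored.

```python
import re
from collections import Counter

# Message IDs from the syslog section above, mapped to the processing stage
# at which the packet was rejected (stage labels are this example's own).
STAGE_BY_ID = {
    "106015": "connection-lookup",  # not an existing connection and not a SYN
    "106023": "interface-acl",      # denied by an access-list entry
    "305005": "translation",        # no translation rule found
    "405104": "inspection",         # failed the protocol inspection check
    "110003": "route-lookup",       # no next hop on the egress side
}

MSG_RE = re.compile(r"%ASA-(\d)-(\d{6}):\s*(.*)")
# In all five templates the first address/port pair is the source and the
# second is the destination.
ENDPOINT_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})/(\d+)")

# Constructed sample input following the message templates listed above.
SAMPLE_LOG = """\
Jun 04 19:40:01 fw1 %ASA-6-106015: Deny TCP (no connection) from 198.51.100.7/44321 to 10.0.0.5/443 flags ACK on interface outside
Jun 04 19:40:02 fw1 %ASA-4-106023: Deny tcp src outside:198.51.100.7/44322 dst inside:10.0.0.5/22 by access_group OUTSIDE_IN
Jun 04 19:40:03 fw1 %ASA-4-106023: Deny tcp src outside:198.51.100.7/44323 dst inside:10.0.0.5/23 by access_group OUTSIDE_IN
Jun 04 19:40:04 fw1 %ASA-3-305005: No translation group found for tcp src inside: 10.0.0.9/51000 dst outside: 203.0.113.20/80
Jun 04 19:40:05 fw1 %ASA-4-405104: H225 message received from 203.0.113.30/1720 to 10.0.0.12/1720 before SETUP
Jun 04 19:40:06 fw1 %ASA-6-110003: Routing failed to locate next-hop for tcp from inside:10.0.0.9/51001 to outside:192.0.2.50/443
Jun 04 19:40:07 fw1 %ASA-6-302013: Built inbound TCP connection 1201 for outside:198.51.100.9/5555 (198.51.100.9/5555) to inside:10.0.0.5/443 (10.0.0.5/443)
"""


def classify(line):
    """Return a dict describing a drop event, or None for any other line."""
    m = MSG_RE.search(line)
    if not m:
        return None
    severity, msg_id, text = m.groups()
    stage = STAGE_BY_ID.get(msg_id)
    if stage is None:
        return None  # not one of the drop messages covered here
    endpoints = ENDPOINT_RE.findall(text)
    return {
        "id": msg_id,
        "severity": int(severity),
        "stage": stage,
        "src": endpoints[0] if endpoints else None,
        "dst": endpoints[1] if len(endpoints) > 1 else None,
    }


def summarize(log_text):
    """Count drops per processing stage and per source address."""
    drops = [d for d in map(classify, log_text.splitlines()) if d]
    per_stage = Counter(d["stage"] for d in drops)
    per_source = Counter(d["src"][0] for d in drops if d["src"])
    return drops, per_stage, per_source


if __name__ == "__main__":
    drops, per_stage, per_source = summarize(SAMPLE_LOG)
    for stage, count in per_stage.most_common():
        print(f"{stage:18} {count}")
    for src, count in per_source.most_common():
        print(f"{src:18} {count} dropped packets")
```

A source that accumulates drops at both the connection-lookup and interface-acl stages, like 198.51.100.7 in the sample, is worth checking with `show conn` and `show access-list` from the command list above.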

JUNOS OSPF Configuration

We will discuss these topics in this session:

1. OSPF configuration
2. OSPF passive interface
3. OSPF Virtual Link
4. OSPF interface network type
5. OSPF interface cost manipulation
6. OSPF Authentication

This is the network topology for these configurations:

juniper-ospf

This is the initial configuration on these routers:

set version 10.1R1.8
set system host-name R1
set system root-authentication encrypted-password "$1$xWlYH6tk$VKHjArc1AcBtkzma6DOB9."
set system login user amolak uid 2000
set system login user amolak class super-user
set system login user amolak authentication encrypted-password "$1$avCx48qv$IoOMsiL/nUI1mDD6v4nJy0"
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set interfaces em0 unit 0 family inet address 1.1.12.1/24
set interfaces em1 unit 0 family inet address 1.1.21.1/24
set interfaces lo0 unit 0 family inet address 1.1.1.1/32
set routing-options router-id 1.1.1.1

set version 10.1R1.8
set system host-name R2
set system root-authentication encrypted-password "$1$xWlYH6tk$VKHjArc1AcBtkzma6DOB9."
set system login user amolak uid 2000
set system login user amolak class super-user
set system login user amolak authentication encrypted-password "$1$avCx48qv$IoOMsiL/nUI1mDD6v4nJy0"
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set interfaces em0 unit 0 family inet address 1.1.12.2/24
set interfaces em1 unit 0 family inet address 1.1.21.2/24
set interfaces em3 unit 0 family inet address 1.1.23.2/24
set interfaces lo0 unit 0 family inet address 2.2.2.2/32
set routing-options router-id 2.2.2.2

set version 10.1R1.8
set system host-name R3
set system root-authentication encrypted-password "$1$xWlYH6tk$VKHjArc1AcBtkzma6DOB9."
set system login user amolak uid 2000
set system login user amolak class super-user
set system login user amolak authentication encrypted-password "$1$avCx48qv$IoOMsiL/nUI1mDD6v4nJy0"
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set interfaces em0 unit 0 family inet address 1.1.34.3/24
set interfaces em3 unit 0 family inet address 1.1.23.3/24
set interfaces lo0 unit 0 family inet address 3.3.3.3/32
set routing-options router-id 3.3.3.3

set version 10.1R1.8
set system host-name R4
set system root-authentication encrypted-password "$1$xWlYH6tk$VKHjArc1AcBtkzma6DOB9."
set system login user amolak uid 2000
set system login user amolak class super-user
set system login user amolak authentication encrypted-password "$1$avCx48qv$IoOMsiL/nUI1mDD6v4nJy0"
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set interfaces em0 unit 0 family inet address 1.1.34.4/24
set interfaces lo0 unit 0 family inet address 4.4.4.4/32
set routing-options router-id 4.4.4.4

## Router-ID is already configured on all routers with the command below.

    set routing-options router-id x.x.x.x

1. OSPF configuration

– Configure OSPF areas on the router interfaces as per the drawing. Configure the loopback interface as a passive interface.

R1:

amolak@R1> configure 
Entering configuration mode

[edit]
amolak@R1# set protocols ospf area 0 interface em0.0 
amolak@R1# set protocols ospf area 0 interface em1.0 
amolak@R1# set protocols ospf area 0 interface lo0.0 passive 
amolak@R1# commit and-quit 

R2:

amolak@R2> configure 
Entering configuration mode

[edit]
amolak@R2# set protocols ospf area 0 interface em0.0 
amolak@R2# set protocols ospf area 0 interface em1.0    
amolak@R2# set protocols ospf area 0 interface lo0.0 passive 
amolak@R2# set protocols ospf area 1 interface em3.0 
amolak@R2# commit and-quit 

R3:

amolak@R3> configure 
Entering configuration mode

[edit]
amolak@R3# set protocols ospf area 1 interface em3.0 
amolak@R3# set protocols ospf area 2 interface em0.0 
amolak@R3# set protocols ospf area 1 interface lo0.0 passive 
amolak@R3# commit and-quit 

R4:

amolak@R4> configure 
Entering configuration mode

[edit]
amolak@R4# set protocols ospf area 2 interface em0.0 
amolak@R4# set protocols ospf area 2 interface lo0.0 passive 
amolak@R4# commit and-quit

Verification:

amolak@R1> show ospf interface    
Interface           State   Area            DR ID           BDR ID          Nbrs
em0.0               BDR     0.0.0.0         2.2.2.2         1.1.1.1            1
em1.0               BDR     0.0.0.0         2.2.2.2         1.1.1.1            1
lo0.0               DRother 0.0.0.0         0.0.0.0         0.0.0.0            0

amolak@R1> show ospf neighbor 
Address          Interface              State     ID               Pri  Dead
1.1.12.2         em0.0                  Full      2.2.2.2          128    34
1.1.21.2         em1.0                  Full      2.2.2.2          128    38

amolak@R1> show ospf database 

    OSPF database, Area 0.0.0.0
 Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len 
Router  *1.1.1.1          1.1.1.1          0x80000005   130  0x22 0xd7da  60
Router   2.2.2.2          2.2.2.2          0x80000004   131  0x22 0x3b69  60
Network  1.1.12.2         2.2.2.2          0x80000002   131  0x22 0x26ee  32
Network  1.1.21.2         2.2.2.2          0x80000002   131  0x22 0xc249  32
Summary  1.1.23.0         2.2.2.2          0x80000002   166  0x22 0x3edb  28
Summary  3.3.3.3          2.2.2.2          0x80000001   102  0x22 0xcc5b  28

amolak@R1> show route protocol ospf 

inet.0: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

1.1.23.0/24        *[OSPF/10] 00:01:21, metric 2
                      to 1.1.12.2 via em0.0
                    > to 1.1.21.2 via em1.0
2.2.2.2/32         *[OSPF/10] 00:01:21, metric 1
                    > to 1.1.12.2 via em0.0
                      to 1.1.21.2 via em1.0
3.3.3.3/32         *[OSPF/10] 00:00:55, metric 2
                    > to 1.1.12.2 via em0.0
                      to 1.1.21.2 via em1.0
224.0.0.5/32       *[OSPF/10] 00:02:32, metric 1
                      MultiRecv

amolak@R2> show ospf interface    
Interface           State   Area            DR ID           BDR ID          Nbrs
em0.0               DR      0.0.0.0         2.2.2.2         1.1.1.1            1
em1.0               DR      0.0.0.0         2.2.2.2         1.1.1.1            1
lo0.0               DRother 0.0.0.0         0.0.0.0         0.0.0.0            0
em3.0               DR      0.0.0.1         2.2.2.2         3.3.3.3            1

amolak@R2> show ospf neighbor 
Address          Interface              State     ID               Pri  Dead
1.1.12.1         em0.0                  Full      1.1.1.1          128    33
1.1.21.1         em1.0                  Full      1.1.1.1          128    35
1.1.23.3         em3.0                  Full      3.3.3.3          128    35

amolak@R2> show ospf database 

    OSPF database, Area 0.0.0.0
 Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len 
Router   1.1.1.1          1.1.1.1          0x80000005   135  0x22 0xd7da  60
Router  *2.2.2.2          2.2.2.2          0x80000004   134  0x22 0x3b69  60
Network *1.1.12.2         2.2.2.2          0x80000002   134  0x22 0x26ee  32
Network *1.1.21.2         2.2.2.2          0x80000002   134  0x22 0xc249  32
Summary *1.1.23.0         2.2.2.2          0x80000002   169  0x22 0x3edb  28
Summary *3.3.3.3          2.2.2.2          0x80000001   105  0x22 0xcc5b  28

    OSPF database, Area 0.0.0.1
 Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len 
Router  *2.2.2.2          2.2.2.2          0x80000004   112  0x22 0xa246  36
Router   3.3.3.3          3.3.3.3          0x80000002   108  0x22 0xcef6  48
Network *1.1.23.2         2.2.2.2          0x80000001   112  0x22 0x13ef  32
Summary *1.1.1.1          2.2.2.2          0x80000001   129  0x22 0x2907  28
Summary *1.1.12.0         2.2.2.2          0x80000002   169  0x22 0xb76d  28
Summary *1.1.21.0         2.2.2.2          0x80000002   169  0x22 0x54c7  28
Summary  1.1.34.0         3.3.3.3          0x80000002   103  0x22 0xa664  28
Summary *2.2.2.2          2.2.2.2          0x80000002   169  0x22 0xee3d  28
Summary  4.4.4.4          3.3.3.3          0x80000001    64  0x22 0x809f  28

amolak@R2> show route protocol ospf 

inet.0: 10 destinations, 10 routes (10 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

1.1.1.1/32         *[OSPF/10] 00:01:33, metric 1
                    > to 1.1.12.1 via em0.0
                      to 1.1.21.1 via em1.0
3.3.3.3/32         *[OSPF/10] 00:01:09, metric 1
                    > to 1.1.23.3 via em3.0
224.0.0.5/32       *[OSPF/10] 00:02:24, metric 1
                      MultiRecv

amolak@R3> show ospf interface 
Interface           State   Area            DR ID           BDR ID          Nbrs
em3.0               BDR     0.0.0.1         2.2.2.2         3.3.3.3            1
lo0.0               DRother 0.0.0.1         0.0.0.0         0.0.0.0            0
em0.0               DR      0.0.0.2         3.3.3.3         4.4.4.4            1

amolak@R3> show ospf neighbor     
Address          Interface              State     ID               Pri  Dead
1.1.23.2         em3.0                  Full      2.2.2.2          128    38
1.1.34.4         em0.0                  Full      4.4.4.4          128    39

amolak@R3> show ospf database 

    OSPF database, Area 0.0.0.1
 Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len 
Router   2.2.2.2          2.2.2.2          0x80000004   131  0x22 0xa246  36
Router  *3.3.3.3          3.3.3.3          0x80000002   125  0x22 0xcef6  48
Network  1.1.23.2         2.2.2.2          0x80000001   131  0x22 0x13ef  32
Summary  1.1.1.1          2.2.2.2          0x80000001   148  0x22 0x2907  28
Summary  1.1.12.0         2.2.2.2          0x80000002   188  0x22 0xb76d  28
Summary  1.1.21.0         2.2.2.2          0x80000002   188  0x22 0x54c7  28
Summary *1.1.34.0         3.3.3.3          0x80000002   120  0x22 0xa664  28
Summary  2.2.2.2          2.2.2.2          0x80000002   188  0x22 0xee3d  28
Summary *4.4.4.4          3.3.3.3          0x80000001    80  0x22 0x809f  28

    OSPF database, Area 0.0.0.2
 Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len 
Router  *3.3.3.3          3.3.3.3          0x80000004    85  0x22 0x6167  36
Router   4.4.4.4          4.4.4.4          0x80000002    84  0x22 0xdcc5  48
Network *1.1.34.3         3.3.3.3          0x80000002    85  0x22 0xc326  32
Summary *1.1.23.0         3.3.3.3          0x80000002   120  0x22 0x20f5  28
Summary *3.3.3.3          3.3.3.3          0x80000002   120  0x22 0xa281  28

amolak@R3> show route protocol ospf   

inet.0: 11 destinations, 11 routes (11 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

1.1.1.1/32         *[OSPF/10] 00:01:15, metric 2
                    > to 1.1.23.2 via em3.0
1.1.12.0/24        *[OSPF/10] 00:01:15, metric 2
                    > to 1.1.23.2 via em3.0
1.1.21.0/24        *[OSPF/10] 00:01:15, metric 2
                    > to 1.1.23.2 via em3.0
2.2.2.2/32         *[OSPF/10] 00:01:15, metric 1
                    > to 1.1.23.2 via em3.0
4.4.4.4/32         *[OSPF/10] 00:00:35, metric 1
                    > to 1.1.34.4 via em0.0
224.0.0.5/32       *[OSPF/10] 00:01:25, metric 1
                      MultiRecv

amolak@R4> show ospf interface 
Interface           State   Area            DR ID           BDR ID          Nbrs
em0.0               BDR     0.0.0.2         3.3.3.3         4.4.4.4            1
lo0.0               DRother 0.0.0.2         0.0.0.0         0.0.0.0            0

amolak@R4> show ospf neighbor     
Address          Interface              State     ID               Pri  Dead
1.1.34.3         em0.0                  Full      3.3.3.3          128    36

amolak@R4> show ospf database 

    OSPF database, Area 0.0.0.2
 Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len 
Router   3.3.3.3          3.3.3.3          0x80000004    96  0x22 0x6167  36
Router  *4.4.4.4          4.4.4.4          0x80000002    92  0x22 0xdcc5  48
Network  1.1.34.3         3.3.3.3          0x80000002    96  0x22 0xc326  32
Summary  1.1.23.0         3.3.3.3          0x80000002   131  0x22 0x20f5  28
Summary  3.3.3.3          3.3.3.3          0x80000002   131  0x22 0xa281  28

amolak@R4> show route protocol ospf 

inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

1.1.23.0/24        *[OSPF/10] 00:00:42, metric 2
                    > to 1.1.34.3 via em0.0
3.3.3.3/32         *[OSPF/10] 00:00:42, metric 1
                    > to 1.1.34.3 via em0.0
224.0.0.5/32       *[OSPF/10] 00:00:52, metric 1
                      MultiRecv

amolak@R1> ping 3.3.3.3 source 1.1.1.1 
PING 3.3.3.3 (3.3.3.3): 56 data bytes
64 bytes from 3.3.3.3: icmp_seq=0 ttl=63 time=0.856 ms
64 bytes from 3.3.3.3: icmp_seq=1 ttl=63 time=0.704 ms
^C
--- 3.3.3.3 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.704/0.780/0.856/0.076 ms

amolak@R1> ping 2.2.2.2 source 1.1.1.1    
PING 2.2.2.2 (2.2.2.2): 56 data bytes
64 bytes from 2.2.2.2: icmp_seq=0 ttl=64 time=0.552 ms
^C
--- 2.2.2.2 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.552/0.552/0.552/nan ms

3. OSPF Virtual Link

OSPF requires every area to be connected to the backbone, Area0. Here Area2 is not connected to Area0, so the Area0 and Area2 routers do not have each other's advertised LSAs in their OSPF databases. We need to create a virtual link to fix this issue.

– Configure OSPF virtual link between R2 and R3.

amolak@R2> configure
Entering configuration mode

[edit]
amolak@R2# set protocols ospf area 0 virtual-link neighbor-id 3.3.3.3 transit-area 1

amolak@R3> configure 
Entering configuration mode

[edit]
amolak@R3# set protocols ospf area 0 virtual-link neighbor-id 2.2.2.2 transit-area 1

## 'neighbor-id' is the peer router's router-id ##

Verification:

amolak@R2> show ospf interface    
Interface           State   Area            DR ID           BDR ID          Nbrs
em0.0               DR      0.0.0.0         2.2.2.2         1.1.1.1            1
em1.0               DR      0.0.0.0         2.2.2.2         1.1.1.1            1
lo0.0               DRother 0.0.0.0         0.0.0.0         0.0.0.0            0
vl-3.3.3.3          PtToPt  0.0.0.0         0.0.0.0         0.0.0.0            1
em3.0               DR      0.0.0.1         2.2.2.2         3.3.3.3            1

amolak@R2> show ospf neighbor     
Address          Interface              State     ID               Pri  Dead
1.1.12.1         em0.0                  Full      1.1.1.1          128    33
1.1.21.1         em1.0                  Full      1.1.1.1          128    34
1.1.23.3         vl-3.3.3.3             Full      3.3.3.3            0    32
1.1.23.3         em3.0                  Full      3.3.3.3          128    33

amolak@R3> show ospf interface    
Interface           State   Area            DR ID           BDR ID          Nbrs
em3.0               BDR     0.0.0.1         2.2.2.2         3.3.3.3            1
lo0.0               DRother 0.0.0.1         0.0.0.0         0.0.0.0            0
em0.0               DR      0.0.0.2         3.3.3.3         4.4.4.4            1
vl-2.2.2.2          PtToPt  0.0.0.0         0.0.0.0         0.0.0.0            1

amolak@R3> show ospf neighbor     
Address          Interface              State     ID               Pri  Dead
1.1.23.2         em3.0                  Full      2.2.2.2          128    33
1.1.34.4         em0.0                  Full      4.4.4.4          128    34
1.1.23.2         vl-2.2.2.2             Full      2.2.2.2            0    37

R3 is now connected to Area0 via the virtual link and has become an ABR for Area0, Area1 and Area2.
The Area0 and Area2 routers should now have each other's prefixes in their databases.

amolak@R3> show ospf database 

    OSPF database, Area 0.0.0.0
 Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len 
Router   1.1.1.1          1.1.1.1          0x80000005   414  0x22 0xd7da  60
Router   2.2.2.2          2.2.2.2          0x80000007    78  0x22 0x9dca  72
Router  *3.3.3.3          3.3.3.3          0x80000003    77  0x22 0xd51c  36
Network  1.1.12.2         2.2.2.2          0x80000002   413  0x22 0x26ee  32
Network  1.1.21.2         2.2.2.2          0x80000002   413  0x22 0xc249  32
Summary  1.1.23.0         2.2.2.2          0x80000002   448  0x22 0x3edb  28
Summary *1.1.23.0         3.3.3.3          0x80000001    77  0x22 0x22f4  28
Summary *1.1.34.0         3.3.3.3          0x80000001    77  0x22 0xa863  28
Summary  3.3.3.3          2.2.2.2          0x80000001   384  0x22 0xcc5b  28
Summary *3.3.3.3          3.3.3.3          0x80000001    77  0x22 0xa480  28
Summary *4.4.4.4          3.3.3.3          0x80000001    77  0x22 0x809f  28

    OSPF database, Area 0.0.0.1
 Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len 
Router   2.2.2.2          2.2.2.2          0x80000006    78  0x22 0xaa38  36
Router  *3.3.3.3          3.3.3.3          0x80000004    77  0x22 0xd6e8  48
Network  1.1.23.2         2.2.2.2          0x80000001   393  0x22 0x13ef  32
Summary  1.1.1.1          2.2.2.2          0x80000001   410  0x22 0x2907  28
Summary  1.1.12.0         2.2.2.2          0x80000002   450  0x22 0xb76d  28
Summary  1.1.21.0         2.2.2.2          0x80000002   450  0x22 0x54c7  28
Summary *1.1.34.0         3.3.3.3          0x80000002   382  0x22 0xa664  28
Summary  2.2.2.2          2.2.2.2          0x80000002   450  0x22 0xee3d  28
Summary *4.4.4.4          3.3.3.3          0x80000001   342  0x22 0x809f  28

    OSPF database, Area 0.0.0.2
 Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len 
Router  *3.3.3.3          3.3.3.3          0x80000005    77  0x22 0x5f68  36
Router   4.4.4.4          4.4.4.4          0x80000002   346  0x22 0xdcc5  48
Network *1.1.34.3         3.3.3.3          0x80000002   347  0x22 0xc326  32
Summary *1.1.1.1          3.3.3.3          0x80000001    77  0x22 0x1516  28
Summary *1.1.12.0         3.3.3.3          0x80000001    77  0x22 0xa57b  28
Summary *1.1.21.0         3.3.3.3          0x80000001    77  0x22 0x42d5  28
Summary *1.1.23.0         3.3.3.3          0x80000002   382  0x22 0x20f5  28
Summary *2.2.2.2          3.3.3.3          0x80000001    77  0x22 0xdc4b  28
Summary *3.3.3.3          3.3.3.3          0x80000002   382  0x22 0xa281  28

amolak@R4> show ospf database 

    OSPF database, Area 0.0.0.2
 Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len 
Router   3.3.3.3          3.3.3.3          0x80000005    68  0x22 0x5f68  36
Router  *4.4.4.4          4.4.4.4          0x80000002   344  0x22 0xdcc5  48
Network  1.1.34.3         3.3.3.3          0x80000002   348  0x22 0xc326  32
Summary  1.1.1.1          3.3.3.3          0x80000001    68  0x22 0x1516  28
Summary  1.1.12.0         3.3.3.3          0x80000001    68  0x22 0xa57b  28
Summary  1.1.21.0         3.3.3.3          0x80000001    68  0x22 0x42d5  28
Summary  1.1.23.0         3.3.3.3          0x80000002   383  0x22 0x20f5  28
Summary  2.2.2.2          3.3.3.3          0x80000001    68  0x22 0xdc4b  28
Summary  3.3.3.3          3.3.3.3          0x80000002   383  0x22 0xa281  28

amolak@R4> show route protocol ospf   

inet.0: 10 destinations, 10 routes (10 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

1.1.1.1/32         *[OSPF/10] 00:01:08, metric 3
                    > to 1.1.34.3 via em0.0
1.1.12.0/24        *[OSPF/10] 00:01:08, metric 3
                    > to 1.1.34.3 via em0.0
1.1.21.0/24        *[OSPF/10] 00:01:08, metric 3
                    > to 1.1.34.3 via em0.0
1.1.23.0/24        *[OSPF/10] 00:05:40, metric 2
                    > to 1.1.34.3 via em0.0
2.2.2.2/32         *[OSPF/10] 00:01:08, metric 2
                    > to 1.1.34.3 via em0.0
3.3.3.3/32         *[OSPF/10] 00:05:40, metric 1
                    > to 1.1.34.3 via em0.0
224.0.0.5/32       *[OSPF/10] 00:05:50, metric 1
                      MultiRecv

amolak@R1> show ospf database 

    OSPF database, Area 0.0.0.0
 Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len 
Router  *1.1.1.1          1.1.1.1          0x80000005   402  0x22 0xd7da  60
Router   2.2.2.2          2.2.2.2          0x80000007    70  0x22 0x9dca  72
Router   3.3.3.3          3.3.3.3          0x80000003    71  0x22 0xd51c  36
Network  1.1.12.2         2.2.2.2          0x80000002   403  0x22 0x26ee  32
Network  1.1.21.2         2.2.2.2          0x80000002   403  0x22 0xc249  32
Summary  1.1.23.0         2.2.2.2          0x80000002   438  0x22 0x3edb  28
Summary  1.1.23.0         3.3.3.3          0x80000001    71  0x22 0x22f4  28
Summary  1.1.34.0         3.3.3.3          0x80000001    71  0x22 0xa863  28
Summary  3.3.3.3          2.2.2.2          0x80000001   374  0x22 0xcc5b  28
Summary  3.3.3.3          3.3.3.3          0x80000001    71  0x22 0xa480  28
Summary  4.4.4.4          3.3.3.3          0x80000001    71  0x22 0x809f  28

amolak@R1> show route protocol ospf        

inet.0: 11 destinations, 11 routes (11 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

1.1.23.0/24        *[OSPF/10] 00:07:00, metric 2
                      to 1.1.12.2 via em0.0
                    > to 1.1.21.2 via em1.0
1.1.34.0/24        *[OSPF/10] 00:01:33, metric 3
                      to 1.1.12.2 via em0.0
                    > to 1.1.21.2 via em1.0
2.2.2.2/32         *[OSPF/10] 00:07:00, metric 1
                    > to 1.1.12.2 via em0.0
                      to 1.1.21.2 via em1.0
3.3.3.3/32         *[OSPF/10] 00:06:34, metric 2
                    > to 1.1.12.2 via em0.0
                      to 1.1.21.2 via em1.0
4.4.4.4/32         *[OSPF/10] 00:01:33, metric 3
                      to 1.1.12.2 via em0.0
                    > to 1.1.21.2 via em1.0
224.0.0.5/32       *[OSPF/10] 00:08:11, metric 1
                      MultiRecv

Let's check end-to-end connectivity.

amolak@R1> ping 4.4.4.4 source 1.1.1.1 
PING 4.4.4.4 (4.4.4.4): 56 data bytes
64 bytes from 4.4.4.4: icmp_seq=0 ttl=62 time=0.696 ms
64 bytes from 4.4.4.4: icmp_seq=1 ttl=62 time=0.816 ms
64 bytes from 4.4.4.4: icmp_seq=2 ttl=62 time=0.815 ms
^C
--- 4.4.4.4 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.696/0.776/0.816/0.056 ms

4. OSPF interface network type

Every link here connects only two routers, i.e. it is a point-to-point link. However, the default OSPF network type on an Ethernet interface is LAN, which requires a DR/BDR election and a type 2 LSA in the OSPF database.

– Configure interface type as point-to-point between R2 and R3.

Interface type before this configuration:

amolak@R3> show ospf interface em3.0 detail 
Interface           State   Area            DR ID           BDR ID          Nbrs
em3.0               DR      0.0.0.1         3.3.3.3         0.0.0.0            1
  Type: LAN, Address: 1.1.23.3, Mask: 255.255.255.0, MTU: 1500, Cost: 1
  DR addr: 1.1.23.3, Priority: 128
  Adj count: 0
  Hello: 10, Dead: 40, ReXmit: 5, Not Stub
  Auth type: None
  Protection type: None
  Topology default (ID 0) -> Cost: 1

amolak@R2> configure 
Entering configuration mode

[edit]
amolak@R2# set protocols ospf area 1 interface em3.0 interface-type p2p 
amolak@R2# commit and-quit 

amolak@R3> configure 
Entering configuration mode

[edit]
amolak@R3# set protocols ospf area 1 interface em3.0 interface-type p2p 
amolak@R3# commit and-quit 
commit complete
Exiting configuration mode

amolak@R3> show ospf interface em3.0 detail    
Interface           State   Area            DR ID           BDR ID          Nbrs
em3.0               PtToPt  0.0.0.1         0.0.0.0         0.0.0.0            1
  Type: P2P, Address: 1.1.23.3, Mask: 255.255.255.0, MTU: 1500, Cost: 1
  Adj count: 1
  Hello: 10, Dead: 40, ReXmit: 5, Not Stub
  Auth type: None
  Protection type: None
  Topology default (ID 0) -> Cost: 1

amolak@R3> show ospf interface   
Interface           State   Area            DR ID           BDR ID          Nbrs
em3.0               PtToPt  0.0.0.1         0.0.0.0         0.0.0.0            1
lo0.0               DRother 0.0.0.1         0.0.0.0         0.0.0.0            0
em0.0               DR      0.0.0.2         3.3.3.3         4.4.4.4            1
vl-2.2.2.2          PtToPt  0.0.0.0         0.0.0.0         0.0.0.0            1

 

5. OSPF interface cost manipulation

R1 has two equal-cost paths to reach the rest of the network. Change the OSPF cost on the interfaces so that the em0 link is the preferred path and em1 is the backup path.

When evaluating the cost of individual network segments, OSPF evaluates the reference bandwidth. For any link faster than 100 Mbps, the default cost metric is 1. To control the cost of the network segment, you can modify the metric value on an individual interface.

amolak@R1> show ospf interface em0.0 detail 
Interface           State   Area            DR ID           BDR ID          Nbrs
em0.0               BDR     0.0.0.0         2.2.2.2         1.1.1.1            1
  Type: LAN, Address: 1.1.12.1, Mask: 255.255.255.0, MTU: 1500, Cost: 1
  DR addr: 1.1.12.2, BDR addr: 1.1.12.1, Priority: 128
  Adj count: 1
  Hello: 10, Dead: 40, ReXmit: 5, Not Stub
  Auth type: None
  Protection type: None
  Topology default (ID 0) -> Cost: 1

amolak@R1> show ospf interface em1.0 detail 
Interface           State   Area            DR ID           BDR ID          Nbrs
em1.0               BDR     0.0.0.0         2.2.2.2         1.1.1.1            1
  Type: LAN, Address: 1.1.21.1, Mask: 255.255.255.0, MTU: 1500, Cost: 1
  DR addr: 1.1.21.2, BDR addr: 1.1.21.1, Priority: 128
  Adj count: 1
  Hello: 10, Dead: 40, ReXmit: 5, Not Stub
  Auth type: None
  Protection type: None
  Topology default (ID 0) -> Cost: 1

Let's increase the cost of interface em1.0 to make it the less preferred path.

amolak@R1> configure 
Entering configuration mode

[edit]
amolak@R1# set protocols ospf area 0 interface em1.0 metric 2 
amolak@R1# commit and-quit 

amolak@R2> configure 
Entering configuration mode

[edit]
amolak@R2# set protocols ospf area 0 interface em1.0 metric 2 
amolak@R2# commit and-quit 

amolak@R1> show route 2.2.2.2 

inet.0: 11 destinations, 11 routes (11 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

2.2.2.2/32         *[OSPF/10] 00:01:30, metric 1
                    > to 1.1.12.2 via em0.0

If em0.0 goes down, the route moves to em1.0:

amolak@R1> configure 
Entering configuration mode

[edit]
amolak@R1# set interfaces em0.0 disable 

[edit]
amolak@R1# commit 
commit complete

[edit]
amolak@R1# run show route 2.2.2.2 

inet.0: 11 destinations, 11 routes (11 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

2.2.2.2/32         *[OSPF/10] 00:00:01, metric 2
                    > to 1.1.21.2 via em1.0

[edit]
amolak@R1# run ping 2.2.2.2 source 1.1.1.1 
PING 2.2.2.2 (2.2.2.2): 56 data bytes
64 bytes from 2.2.2.2: icmp_seq=0 ttl=64 time=0.521 ms
^C
--- 2.2.2.2 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.521/0.521/0.521/nan ms

[edit]
amolak@R1# delete interfaces em0.0 disable 

[edit]
amolak@R1# commit and-quit 
commit complete
Exiting configuration mode

6. OSPF Authentication

All OSPFv2 protocol exchanges can be authenticated to guarantee that only trusted routing devices participate in the autonomous system’s routing. By default, OSPFv2 authentication is disabled.

Simple authentication – Authenticates by using a plain-text password that is included in the transmitted packet. The receiving routing device uses an authentication key (password) to verify the packet. Plain-text passwords are not encrypted and might be subject to packet interception.

– Configure simple authentication between R3 and R4. Use the password key '@SIMPLE'.

amolak@R3> configure 
Entering configuration mode

[edit]
amolak@R3# set protocols ospf area 2 interface em0.0 authentication simple-password @SIMPLE
amolak@R3# commit and-quit 

amolak@R4> configure 
Entering configuration mode

[edit]
amolak@R4# set protocols ospf area 2 interface em0.0 authentication simple-password @SIMPLE    
amolak@R4# commit and-quit 

amolak@R3> show ospf interface em0.0 detail 
Interface           State   Area            DR ID           BDR ID          Nbrs
em0.0               BDR     0.0.0.2         4.4.4.4         3.3.3.3            1
  Type: LAN, Address: 1.1.34.3, Mask: 255.255.255.0, MTU: 1500, Cost: 1
  DR addr: 1.1.34.4, BDR addr: 1.1.34.3, Priority: 128
  Adj count: 1
  Hello: 10, Dead: 40, ReXmit: 5, Not Stub
  Auth type: Password
  Protection type: None
  Topology default (ID 0) -> Cost: 1

amolak@R4> show ospf interface em0.0 detail 
Interface           State   Area            DR ID           BDR ID          Nbrs
em0.0               DR      0.0.0.2         4.4.4.4         3.3.3.3            1
  Type: LAN, Address: 1.1.34.4, Mask: 255.255.255.0, MTU: 1500, Cost: 1
  DR addr: 1.1.34.4, BDR addr: 1.1.34.3, Priority: 128
  Adj count: 1
  Hello: 10, Dead: 40, ReXmit: 5, Not Stub
  Auth type: Password
  Protection type: None
  Topology default (ID 0) -> Cost: 1

MD5 authentication – Authenticates by using an encoded MD5 checksum that is included in the transmitted packet. The receiving routing device uses an authentication key (password) to verify the packet.

You define an MD5 key for each interface. If MD5 is enabled on an interface, that interface accepts routing updates only if MD5 authentication succeeds. Otherwise, updates are rejected. The routing device only accepts OSPFv2 packets sent using the same key identifier (ID) that is defined for that interface.

For increased security, you can configure multiple MD5 keys, each with a unique key ID, and set the date and time to switch to a new key. The receiver of the OSPF packet uses the ID to determine which key to use for authentication.

– Configure MD5 authentication between R2 and R3. Use the password key '@OSPFMD5'.

amolak@R3> configure 
Entering configuration mode

[edit]
amolak@R3# set protocols ospf area 1 interface em3.0 authentication md5 ?
Possible completions:
  <key-id>             Key ID for MD5 authentication (0..255)
[edit]
amolak@R3# set protocols ospf area 1 interface em3.0 authentication md5 1 ?
Possible completions:
  key                  MD5 authentication key value
  start-time           Start time for key transmission (YYYY-MM-DD.HH:MM)
[edit]
amolak@R3# set protocols ospf area 1 interface em3.0 authentication md5 1 key @OSPFMD5 ?         
Possible completions:
  <[Enter]>            Execute this command
  start-time           Start time for key transmission (YYYY-MM-DD.HH:MM)
  |                    Pipe through a command
[edit]
amolak@R3# set protocols ospf area 1 interface em3.0 authentication md5 1 key @OSPFMD5    

[edit]
amolak@R3# commit and-quit 

amolak@R2> configure 
Entering configuration mode

[edit]
amolak@R2# set protocols ospf area 1 interface em3.0 authentication md5 1 key @OSPFMD5           

[edit]
amolak@R2# commit and-quit 

amolak@R2> show ospf interface em3.0 detail 
Interface           State   Area            DR ID           BDR ID          Nbrs
em3.0               PtToPt  0.0.0.1         0.0.0.0         0.0.0.0            1
  Type: P2P, Address: 1.1.23.2, Mask: 255.255.255.0, MTU: 1500, Cost: 1
  Adj count: 1
  Hello: 10, Dead: 40, ReXmit: 5, Not Stub
  Auth type: MD5, Active key ID: 1, Start time: 1970 Jan  1 00:00:00 UTC
  Protection type: None
  Topology default (ID 0) -> Cost: 1

amolak@R3> show ospf interface em3.0 detail 
Interface           State   Area            DR ID           BDR ID          Nbrs
em3.0               PtToPt  0.0.0.1         0.0.0.0         0.0.0.0            1
  Type: P2P, Address: 1.1.23.3, Mask: 255.255.255.0, MTU: 1500, Cost: 1
  Adj count: 1
  Hello: 10, Dead: 40, ReXmit: 5, Not Stub
  Auth type: MD5, Active key ID: 1, Start time: 1970 Jan  1 00:00:00 UTC
  Protection type: None
  Topology default (ID 0) -> Cost: 1
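What the two authentication types put on the wire, as an added example following RFC 2328 Appendix D (it is not part of the original post and not Junos code): the simple password sits readable in the OSPF header, while MD5 sends only a key ID, a sequence number and a digest. The Hello body, the sequence numbers and all function names are assumptions constructed for this illustration.

```python
"""OSPFv2 packet authentication as laid out in RFC 2328 Appendix D."""
import hashlib
import hmac
import socket
import struct

AU_SIMPLE, AU_CRYPTO = 1, 2
# version, type, packet length, router ID, area ID, checksum, AuType, auth field
HEADER = struct.Struct("!BBH4s4sHH8s")
ip = socket.inet_aton

# Constructed Hello body (not a capture): mask, hello 10 s, options,
# priority 128, dead 40 s, DR, BDR, one neighbor.
HELLO = (ip("255.255.255.0") + struct.pack("!HBBI", 10, 0x02, 128, 40)
         + ip("0.0.0.0") * 2 + ip("2.2.2.2"))


def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement Internet checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_simple(ptype, router_id, area_id, body, password: bytes) -> bytes:
    """AuType 1: the password itself rides in the 8-byte auth field."""
    if len(password) > 8:
        raise ValueError("simple password is at most 8 bytes")
    fields = (2, ptype, HEADER.size + len(body), ip(router_id), ip(area_id))
    # The checksum excludes the auth field, so compute it with that field zeroed.
    cksum = inet_checksum(HEADER.pack(*fields, 0, AU_SIMPLE, b"") + body)
    return HEADER.pack(*fields, cksum, AU_SIMPLE, password) + body


def wire_password(packet: bytes) -> bytes:
    """What any capture on the segment shows for an AuType 1 packet."""
    return HEADER.unpack_from(packet)[7].rstrip(b"\x00")


def build_md5(ptype, router_id, area_id, body, key: bytes, key_id: int, seq: int) -> bytes:
    """AuType 2: header carries key ID and sequence number; MD5(packet || key) trails."""
    if len(key) > 16:
        raise ValueError("MD5 key is at most 16 bytes")
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)
    # Checksum stays 0 and the packet-length field does not count the digest.
    packet = HEADER.pack(2, ptype, HEADER.size + len(body), ip(router_id),
                         ip(area_id), 0, AU_CRYPTO, auth) + body
    return packet + hashlib.md5(packet + key.ljust(16, b"\x00")).digest()


def check_md5(packet: bytes, keys: dict, last_seq: int):
    """Receiver checks in RFC 2328 D.5.3 order: key ID, sequence number, digest."""
    _, _, length, _, _, _, au_type, auth = HEADER.unpack_from(packet)
    if au_type != AU_CRYPTO:
        return False, "AuType mismatch"
    _, key_id, digest_len, seq = struct.unpack("!HBBI", auth)
    if key_id not in keys:
        return False, "unknown key ID"
    if seq < last_seq:  # an equal sequence number is still accepted
        return False, "stale sequence number"
    if digest_len != 16 or len(packet) != length + 16:
        return False, "bad digest length"
    expected = hashlib.md5(packet[:length] + keys[key_id].ljust(16, b"\x00")).digest()
    if not hmac.compare_digest(expected, packet[length:]):
        return False, "digest mismatch"
    return True, "ok"


def demo() -> dict:
    key = b"@OSPFMD5"
    simple = build_simple(1, "3.3.3.3", "0.0.0.2", HELLO, b"@SIMPLE")
    md5 = build_md5(1, "3.3.3.3", "0.0.0.1", HELLO, key, key_id=1, seq=1000)
    tampered = md5[:31] + b"\xff" + md5[32:]  # rewrite the Hello priority byte
    return {
        "simple: password seen on the wire": wire_password(simple),
        "md5: key present in packet": key in md5,
        "md5: accepted": check_md5(md5, {1: key}, last_seq=999),
        "md5: peer using another key ID": check_md5(md5, {2: key}, last_seq=999),
        "md5: older packet replayed": check_md5(md5, {1: key}, last_seq=1001),
        "md5: modified in transit": check_md5(tampered, {1: key}, last_seq=999),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The key ID check is why both ends in the lab use `md5 1`: a neighbor configured with the same key under a different ID is rejected before the digest is ever compared.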

Here is the final configuration on all routers:

R1:

amolak@R1> show configuration 
## Last commit: 2014-05-11 09:19:56 UTC by amolak
version 10.1R1.8;
system {
    host-name R1;
    root-authentication {
        encrypted-password "$1$xWlYH6tk$VKHjArc1AcBtkzma6DOB9."; ## SECRET-DATA
    }
    login {
        user amolak {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "$1$avCx48qv$IoOMsiL/nUI1mDD6v4nJy0"; ## SECRET-DATA
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;         
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
}
interfaces {
    em0 {
        unit 0 {
            family inet {
                address 1.1.12.1/24;
            }
        }
    }
    em1 {
        unit 0 {
            family inet {
                address 1.1.21.1/24;
            }
        }
    }
    lo0 {
        unit 0 {                        
            family inet {
                address 1.1.1.1/32;
            }
        }
    }
}
routing-options {
    router-id 1.1.1.1;
}
protocols {
    ospf {
        area 0.0.0.0 {
            interface lo0.0 {
                passive;
            }
            interface em0.0;
            interface em1.0 {
                metric 2;
            }
        }
    }
}

amolak@R1> 

R2:

amolak@R2> show configuration 
## Last commit: 2014-05-11 09:26:23 UTC by amolak
version 10.1R1.8;
system {
    host-name R2;
    root-authentication {
        encrypted-password "$1$xWlYH6tk$VKHjArc1AcBtkzma6DOB9."; ## SECRET-DATA
    }
    login {
        user amolak {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "$1$avCx48qv$IoOMsiL/nUI1mDD6v4nJy0"; ## SECRET-DATA
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;         
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
}
interfaces {
    em0 {
        unit 0 {
            family inet {
                address 1.1.12.2/24;
            }
        }
    }
    em1 {
        unit 0 {
            family inet {
                address 1.1.21.2/24;
            }
        }
    }
    em3 {
        unit 0 {                        
            family inet {
                address 1.1.23.2/24;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 2.2.2.2/32;
            }
        }
    }
}
routing-options {
    router-id 2.2.2.2;
}
protocols {
    ospf {
        area 0.0.0.0 {
            virtual-link neighbor-id 3.3.3.3 transit-area 0.0.0.1;
            interface em0.0;
            interface em1.0 {
                metric 2;               
            }
            interface lo0.0 {
                passive;
            }
        }
        area 0.0.0.1 {
            interface em3.0 {
                interface-type p2p;
                authentication {
                    md5 1 key "$9$3Mtqn6CrlvL7dikTFnC0OEhSrWL"; ## SECRET-DATA
                }
            }
        }
    }
}

amolak@R2> 

R3:

amolak@R3> show configuration 
## Last commit: 2014-05-11 09:26:30 UTC by amolak
version 10.1R1.8;
system {
    host-name R3;
    root-authentication {
        encrypted-password "$1$xWlYH6tk$VKHjArc1AcBtkzma6DOB9."; ## SECRET-DATA
    }
    login {
        user amolak {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "$1$avCx48qv$IoOMsiL/nUI1mDD6v4nJy0"; ## SECRET-DATA
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;         
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
}
interfaces {
    em0 {
        unit 0 {
            family inet {
                address 1.1.34.3/24;
            }
        }
    }
    em3 {
        unit 0 {
            family inet {
                address 1.1.23.3/24;
            }
        }
    }
    lo0 {
        unit 0 {                        
            family inet {
                address 3.3.3.3/32;
            }
        }
    }
}
routing-options {
    router-id 3.3.3.3;
}
protocols {
    ospf {
        area 0.0.0.1 {
            interface em3.0 {
                interface-type p2p;
                authentication {
                    md5 1 key "$9$NG-dwkqPQ3/ylL7-w4oUDik5Q"; ## SECRET-DATA
                }
            }
            interface lo0.0 {
                passive;
            }
        }
        area 0.0.0.2 {                  
            interface em0.0 {
                authentication {
                    simple-password "$9$8w8LXNbsgoJUz3hyrvXxbwY"; ## SECRET-DATA
                }
            }
        }
        area 0.0.0.0 {
            virtual-link neighbor-id 2.2.2.2 transit-area 0.0.0.1;
        }
    }
}

amolak@R3>

R4:

amolak@R4> show configuration 
## Last commit: 2014-05-11 09:26:59 UTC by amolak
version 10.1R1.8;
system {
    host-name R4;
    root-authentication {
        encrypted-password "$1$xWlYH6tk$VKHjArc1AcBtkzma6DOB9."; ## SECRET-DATA
    }
    login {
        user amolak {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "$1$avCx48qv$IoOMsiL/nUI1mDD6v4nJy0"; ## SECRET-DATA
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;         
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
}
interfaces {
    em0 {
        unit 0 {
            family inet {
                address 1.1.34.4/24;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 4.4.4.4/32;
            }
        }
    }
}
routing-options {                       
    router-id 4.4.4.4;
}
protocols {
    ospf {
        area 0.0.0.2 {
            interface em0.0 {
                authentication {
                    simple-password "$9$61fb/9tO1Ecyebs.f5F9COBI"; ## SECRET-DATA
                }
            }
            interface lo0.0 {
                passive;
            }
        }
    }
}

amolak@R4>
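A check that can be run over the final configurations above, added here as an example and not part of the original post: it walks Junos brace-style configuration and lists every non-passive OSPF link that has no authentication or only a simple password. The function names and the `$9$PLACEHOLDER` values are assumptions made for this example; the two stanzas are trimmed copies of the R2 and R3 configurations shown on this page.

```python
"""Audit OSPF link authentication in Junos 'show configuration' output."""
# Constructed samples: protocols stanzas of R2 and R3, secrets replaced by a placeholder.
R2_CONFIG = """
protocols {
    ospf {
        area 0.0.0.0 {
            virtual-link neighbor-id 3.3.3.3 transit-area 0.0.0.1;
            interface em0.0;
            interface em1.0 {
                metric 2;
            }
            interface lo0.0 {
                passive;
            }
        }
        area 0.0.0.1 {
            interface em3.0 {
                interface-type p2p;
                authentication {
                    md5 1 key "$9$PLACEHOLDER"; ## SECRET-DATA
                }
            }
        }
    }
}
"""
R3_CONFIG = """
protocols {
    ospf {
        area 0.0.0.1 {
            interface em3.0 {
                interface-type p2p;
                authentication {
                    md5 1 key "$9$PLACEHOLDER"; ## SECRET-DATA
                }
            }
            interface lo0.0 {
                passive;
            }
        }
        area 0.0.0.2 {
            interface em0.0 {
                authentication {
                    simple-password "$9$PLACEHOLDER"; ## SECRET-DATA
                }
            }
        }
        area 0.0.0.0 {
            virtual-link neighbor-id 2.2.2.2 transit-area 0.0.0.1;
        }
    }
}
"""


def ospf_links(config: str) -> dict:
    """Map (area, link) -> {'auth': 'none'|'simple'|'md5', 'passive': bool}."""
    path, links = [], {}
    for raw in config.splitlines():
        line = raw.split("##")[0].strip()  # drop '## SECRET-DATA' style notes
        if not line:
            continue
        if line == "}":
            path.pop()
            continue
        stmt = line.rstrip("{;").strip()
        in_area = len(path) > 2 and path[:2] == ["protocols", "ospf"] and path[2].startswith("area ")
        key = (path[2][5:], path[3]) if in_area and len(path) > 3 else None
        if in_area and len(path) == 3 and stmt.startswith(("interface ", "virtual-link ")):
            links[(path[2][5:], stmt)] = {"auth": "none", "passive": False}
        elif key in links and len(path) == 4 and stmt == "passive":
            links[key]["passive"] = True
        elif key in links and path[-1] == "authentication" and len(path) == 5:
            links[key]["auth"] = "md5" if stmt.startswith("md5 ") else "simple"
        if line.endswith("{"):
            path.append(stmt)
    return links


def links_lacking_md5(config: str) -> list:
    """Non-passive OSPF links with no authentication or a clear-text password."""
    return sorted(f"area {area} {link}: {info['auth']}"
                  for (area, link), info in ospf_links(config).items()
                  if not info["passive"] and info["auth"] != "md5")


if __name__ == "__main__":
    for host, cfg in (("R2", R2_CONFIG), ("R3", R3_CONFIG)):
        print(host, links_lacking_md5(cfg))
```

On these samples the backbone interfaces on R2 and both ends of the virtual link are reported with no authentication, and R3's em0.0 with a simple password.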