Tuesday, 22 May 2012

HOW TO DO SSH AND ACS 5.2 IN CISCO SWITCHES

HOW TO DO SSH AND ACS 5.2 AUTHENTICATION IN CISCO SWITCHES

Step-by-Step:

1) First activate the aaa new-model for authentication

(Config)#aaa new-model

2) Then put either tacacs+ and Radius as your authentication server. In my case i will be using radius

(Config)#Radius-server host X.X.X.X (your Radius Server IP)

3) After this put the shared key that will authenticate between Radius-Server and ACS 5.2

radius-server host 10.241.10.100 key cisco

4) Then from ACS 5.2 Go to Network Devices .

-> then Network Devices and AAA Client

-> Click Create

-> Host Name of the Switch

-> Ip address of the Switch

-> Radius Servers put the Shared Key

These cmds are compulsory and few optional are also there which you want you can do it.

5) Now test from the switch whether it is authenticating with ACS 5.2

test aaa group radius Username Password legacy

6) Now do the authentication cmds.

aaa authentication login default group radius local none

7) For SSH use this 2 Cmds

ip domain-name xxx.xx

crypto key gen rsa

8) Now go to Line Vty

(Config)#line vty 0 15

(Config)#password XXXX

(Config)#transport input ssh.

Saturday, 19 May 2012

Root Guard feature

The Root Guard feature guards a port or ports against such an occurrence by moving the port into a root inconsistent state based on the receipt of one of these superior BPDUs.

SW3(config)#int range fa0/19 - 24
SW3(config-if-range)#spanning-tree guard root

Verification of the feature is immediate thank to system meggasing. For example:

00:38:23: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port FastEthernet0/20.

Now that we have the feature enabled, let us test it and see what happens. Notice I will visit a device that is connected and issue superior BPDUs to the root bridge (SW3):

SW4(config)#spanning-tree vlan 1 priority 0

This triggers a new system message on SW3:

1d19h: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/19 on VLAN0001.

We can see that the Root Guard feature has done its job! Now, in the event that you missed that console message, here is an excellent verification command for this feature:

SW3#show spanning-tree inconsistentports
Name                 Interface              Inconsistency
-------------------- ---------------------- ------------------
VLAN0001             FastEthernet0/19       Root Inconsistent
VLAN0001             FastEthernet0/20       Root Inconsistent
VLAN0001             FastEthernet0/21       Root Inconsistent

Cisco Interview Question & Answer

What is a “floating static” route?

By default, static routes have an AD of one, which gives them precedence over routes from dynamic routing protocols. When you increase the administrative distance to a value greater than that of a dynamic routing protocol, the static route can be a safety net in the event that dynamic routing fails. For example, (IGRP) have a default AD of 100. I

This kind of static route is called "floating" static. It is installed in the routing table only when the preferred route disappears. For example, ip route 172.31.10.0 255.255.255.0 10.10.10.2 101.

Observe the following static route:?

ip route 192.168.1.0 255.255.255.0 Gig1/1
What is an advantage of referencing interface Gig1/1 instead of a next-hop?
What is a disadvantage.

If you point a static route to a broadcast interface, For eg, ip route 0.0.0.0 0.0.0.0 Ethernet0.

the route is inserted into the routing table only when the broadcast interface is up. This configuration is not recommended because when the next hop of a static route points to an interface, the router considers each of the hosts within the range of the route to be directly connected through that interface.

Tuesday, 15 May 2012

Understanding BPDU Guard & BPDU Filter

Understanding BPDU Guard

The BPDU guard feature can be globally enabled on the switch or can be enabled per port, but the feature operates with some differences.

At the global level, you enable BPDU guard on Port Fast-enabled ports by using the spanning-tree portfast bpduguard
default global configuration command. Spanning tree shuts down ports that are in a Port Fast-operational state if any BPDU is received on them. In a valid configuration, Port Fast-enabled ports do not receive BPDUs. Receiving a BPDU on a Port Fast-enabled port means an invalid configuration, such as the connection of an unauthorized device, and the BPDU guard feature puts the port in the error-disabled state. When this happens, the switch shuts down the entire port on which the violation occurred.

To prevent the port from shutting down, you can use the errdisable detect cause bpduguard shutdown vlan global configuration command to shut down just the offending VLAN on the port where the violation occurred.

At the interface level, you enable BPDU guard on any port by using the spanning-tree bpduguard enable interface configuration command without also enabling the Port Fast feature. When the port receives a BPDU, it is put in the error-disabled state.

Understanding BPDU Filtering

The BPDU filtering feature can be globally enabled on the switch or can be enabled per interface, but the feature operates with some differences.

At the global level, you can enable BPDU filtering on Port Fast-enabled interfaces by using the spanning-tree portfast bpdufilter default

global configuration command. This command prevents interfaces that are in a Port Fast-operational state from sending or receiving BPDUs. The interfaces still send a few BPDUs at link-up before the switch begins to filter outbound BPDUs. You should globally enable BPDU filtering on a switch so that hosts connected to these interfaces do not receive BPDUs. If a BPDU is received on a Port Fast-enabled interface, the interface loses its Port Fast-operational status, and BPDU filtering is disabled.

At the interface level, you can enable BPDU filtering on any interface by using the spanning-tree bpdufilter enable interface configuration command without also enabling the Port Fast feature. This command prevents the interface from sending or receiving BPDUs.

Caution

Enabling BPDU filtering on an interface is the same as disabling spanning tree on it and can result in spanning-tree loops.

You can enable the BPDU filtering feature for the entire switch or for an interface.

Monday, 14 May 2012

Cisco Password Recovery for Switches

Cisco Password Recovery for Switches

Problem
The title is a bit of a misnomer, we are not going to recover the password, we are simply going to change the password to one we know.
Solution
Note: This procedure works on models, 2900, 2940, 2950, 2955, 3500XL, and 3550. Before you start connect the the device with a console cable and terminal emulation software, the procedure is the same as the one I've outlined here. 1. Power the switch off >press and hold the "Mode" button > Power on the switch. 2. For 2900, 3500XL and 3550 Switches release the mode button when the 1x LED light goes out (all the other port lights will remain lit). For a 2940 and 2950 Switch release the mode button after the "Stat" LED goes out. For a 2955 switch press CTRL+BREAK. 3. On screen you should see the following.
Base ethernet MAC Address: 00:0b:be:78:a2:00 Xmodem file system is available. The password-recovery mechanism is enabled. The system has been interrupted prior to initializing the flash filesystem. The following commands will initialize the flash filesystem, and finish loading the operating system software: flash_init boot
4. Type "flash_init" then when it has ran type "load_helper"
switch: flash_init Initializing Flash... flashfs[0]: 18 files, 3 directories flashfs[0]: 0 orphaned files, 0 orphaned directories flashfs[0]: Total bytes: 15998976 flashfs[0]: Bytes used: 4386304 flashfs[0]: Bytes available: 11612672 flashfs[0]: flashfs fsck took 17 seconds. ...done Initializing Flash. Boot Sector Filesystem (bs:) installed, fsid: 3 switch: load_helper
5. Next we need to make sure that the config.text file is in flash memory type "dir flash:" Note: don't forget the colon on the end or it will error and say "Permission Denied".
switch: dir flash: Directory of flash:/ 2 drwx 192 <date> c3550-i9q3l2-mz.121-11.EA1a 17 -rwx 255 <date> info 18 -rwx 255 <date> info.ver 19 -rwx 5448 <date> config.text 20 -rwx 5 <date> private-config.text 21 -rwx 2364 <date> vlan.dat 11612672 bytes available (4386304 bytes used)
6. We are now going to change the name of the config file so when the switch boots it will start with no configuration, then we can boot the switch.
switch: rename flash:config.text flash:config.backup switch: boot
7. Eventually when the switch boots it will ask if you want to configure it, say no.
Model revision number: G0 Motherboard revision number: A0 Model number: WS-C3550-24-SMI System serial number: CAT0650Y1VR --- System Configuration Dialog --- Would you like to enter the initial configuration dialog? [yes/no]: no
8. At this point we can go to enable mode, change the name of the config.text file back again, and load it into memory (press Enter to accept the default filenames).
Switch>enable Switch#rename flash:config.backup config.text Destination filename [config.text]? Switch#copy flash:config.text system:running-config Destination filename [running-config]? 5448 bytes copied in 0.728 secs
9. Finally you can remove the password, and reset it to whatever you want, and save the new config.
HostName#conf t Enter configuration commands, one per line. End with CNTL/Z. HostName(config)#no enable secret HostName(config)#enable password thisisthenewpassword HostName#wr mem Building configuration... [OK] HostName#

Wednesday, 9 May 2012

Inter-VRF Routing with VRF Lite

By stretch | Monday, March 29, 2010 at 4:29 a.m. UTC

In Intro to VRF lite, we looked at how virtual routing and forwarding (VRF) instances can be employed to logically separate the layer three topologies of unrelated entities sharing a single physical infrastructure. VRFs work at layer three much like VLANs work at layer two, by assigning interfaces to a virtual domain isolated from other virtual domains at the same layer. This is a simple concept to grasp so long as each of the VRFs are maintained in isolation. However, things get a bit more complex when you need to route traffic from one VRF to another.

Consider the following topology, which might be found at a small business park or college campus.

The network pictured serves three customers: we'll call them customers Red, Green, and Blue. Each customer has its own Internet connection, housed in building one. Customer Green has employees in building two, customer Blue has employees in building three, and customer Red has employees in both buildings two and three. Additionally, VOIP service and connection to the PSTN (represented for now by a loopback interface) will be provided in the future by the network operator to customers Red and Green, but not Blue.

Buildings two and three are connected to building one via 802.1Q trunk links. All three customers rely on the same physical network infrastructure for connectivity, but the traffic from each customer must be isolated from the others for security reasons. The IP prefixes in use are as follows:

Red: 172.16.0.0/16
Green: 172.17.0.0/16
Blue: 172.18.0.0/16
VOIP Services: 192.168.99.0/24

The design question posed by this scenario is as follows: how can we provide local VOIP connectivity to some customers while keeping all of the customers isolated from one another?

Modifying the Multilayer Switches' SDM Template

Before we can implement VRFs on our multilayer switches (Catalyst 3550s, in this case), we have to modify how the internal ternary content-addressable memory (TCAM) is partitioned to store IP routes. Observe what happens if we attempt to enable VRF with the default SDM template:

S1(config)# ip routing
S1(config)# ip vrf Red
S1(config-vrf)#
%L3TCAM-3-SIZE_CONFLICT: VRF requires enabling extended routing

VRF routes require that an additional unique identifier, a route distinguisher, is prepended to each VRF route in the routing table (we'll cover this in more detail shortly). To accommodate for this, the TCAM must be repartitioned. (This step is only necessary when configuring VRFs on certain multilayer switches.)

S1(config)# sdm prefer extended-match
Changes to the running SDM preferences have been stored, but cannot take effect 
until the next reload.
Use 'show sdm prefer' to see what SDM preference is currently active.
S1(config)# ^Z
S1# show sdm prefer
 The current template is the default template.
 The selected template optimizes the resources in
 the switch to support this level of features for
 8 routed interfaces and 1K VLANs.

number of unicast mac addresses:   5K
 number of igmp groups:             1K
 number of qos aces:                1K
 number of security aces:           1K
 number of unicast routes:          8K
 number of multicast routes:        1K

The template stored for use after the next reload
 is the default extended-match template.
 The selected template optimizes the resources in
 the switch to support this level of features for
 8 routed interfaces and 1K VLANs.

number of unicast mac addresses:   5K
 number of igmp groups:             1K
 number of qos aces:                1K
 number of security aces:           1K
 number of unicast routes:          4K
 number of multicast routes:        1K

Note that the supported number of unicast routes has been halved from 8K to 4K.

We need to apply this change to and reload all three switches before proceeding.

Creating VRFs

We need to create four VRFs on S1: one for each of the three customers, and one for the shared VOIP network. Each VRF must be assigned a unique route distinguisher. A route distinguisher is simply a unique number stored beside each route in the routing table to associate it with its VRF and maintain uniqueness should two or more VRFs have overlapping address space (for example, if all three of our customers were addressed out of the 10.0.0.0/8 network).

There are two formats in which we can define a route distinguisher: <ASN>:<number> or <IP address>:<number>, where number is an arbitrary decimal number. Which method we choose is arbitrary. While the format of route distinguishers is an important design consideration in "real" VPNs, in VRF lite (i.e. VRFs without MPLS) it is only a locally-significant value. We'll use the <ASN>:<number> format with the private ASN 65000 (which will also be used for our BGP configuration later in the article) and number customers sequentially beginning from 1.

S1

ip routing
!
ip vrf Red
 rd 65000:1
!
ip vrf Green
 rd 65000:2
!
ip vrf Blue
 rd 65000:3
!
ip vrf Shared
 rd 65000:99

Next, we assign the physical and logical interfaces to VRFs and address them appropriately. We're using a loopback interface in place of a physical interface on S1 to emulate the shared VOIP network, however there is no effective difference with regard to VRF configuration. Note that interfaces must be assigned to a VRF before being addressed; assigning an interface to a VRF wipes any IP addresses already configured on that interface.

S1

vlan 16
vlan 17
vlan 18
!
interface Loopback99
 description VOIP Services
 ip vrf forwarding Shared
 ip address 192.168.99.1 255.255.255.0
!
interface FastEthernet0/1
 no switchport
 ip vrf forwarding Red
 ip address 172.16.1.2 255.255.255.252
!
interface FastEthernet0/3
 no switchport
 ip vrf forwarding Green
 ip address 172.17.1.2 255.255.255.252
!
interface FastEthernet0/5
 no switchport
 ip vrf forwarding Blue
 ip address 172.18.1.2 255.255.255.252
!
interface FastEthernet0/13
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/16
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan16
 ip vrf forwarding Red
 ip address 172.16.0.1 255.255.255.0
!
interface Vlan17
 ip vrf forwarding Green
 ip address 172.17.0.1 255.255.255.0
!
interface Vlan18
 ip vrf forwarding Blue
 ip address 172.18.0.1 255.255.255.0

The physical trunk interfaces F0/13 and F0/16 are not assigned to a VRF, because they are not routed interfaces. VRF configuration is only relevant at layer three.

We can use show ip vrf to examine the VRFs and their assigned interfaces:

S1# show ip vrf
  Name                             Default RD          Interfaces
  Blue                             65000:3             Fa0/5                  
                                                       Vl18
  Green                            65000:2             Fa0/3                  
                                                       Vl17
  Red                              65000:1             Fa0/1                  
                                                       Vl16
  Shared                           65000:99            Lo99                   
S1# show ip vrf interfaces
Interface              IP-Address      VRF                              Protocol
Fa0/5                  172.18.1.2      Blue                             up      
Vl18                   172.18.0.1      Blue                             up      
Fa0/3                  172.17.1.2      Green                            up      
Vl17                   172.17.0.1      Green                            up      
Fa0/1                  172.16.1.2      Red                              up      
Vl16                   172.16.0.1      Red                              up      
Lo99                   192.168.99.1    Shared                           up

We only need to create two VRFs on each of the two other switches, as each connects only two customers, and assign the appropriate interfaces.

S2

ip routing
!
ip vrf Red
 rd 65000:1
!
ip vrf Green
 rd 65000:2
!
vlan 16
vlan 17
vlan 216
vlan 217
!
interface FastEthernet0/13
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan16
 ip vrf forwarding Red
 ip address 172.16.0.2 255.255.255.0
!
interface Vlan17
 ip vrf forwarding Green
 ip address 172.17.0.2 255.255.255.0
!
interface Vlan216
 ip vrf forwarding Red
 ip address 172.16.2.1 255.255.255.0
!
interface Vlan217
 ip vrf forwarding Green
 ip address 172.17.2.1 255.255.255.0

S3

ip routing
!
ip vrf Red
 rd 65000:1
!
ip vrf Blue
 rd 65000:3
!
vlan 16
vlan 18
vlan 316
vlan 318
!
interface FastEthernet0/13
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan16
 ip vrf forwarding Red
 ip address 172.16.0.3 255.255.255.0
!
interface Vlan18
 ip vrf forwarding Blue
 ip address 172.18.0.3 255.255.255.0
!
interface Vlan316
 ip vrf forwarding Red
 ip address 172.16.3.1 255.255.255.0
!
interface Vlan318
 ip vrf forwarding Blue
 ip address 172.18.3.1 255.255.255.0

Configuring OSPF

Next we'll configure OSPF to exchange routes among the three buildings. Three independent OSPF processes are to be run, one per customer VRF. OSPF configuration here is pretty straight forward, as we can simply place all interfaces in area 0 within each VRF.

S1

router ospf 1 vrf Red
 network 0.0.0.0 255.255.255.255 area 0
!
router ospf 2 vrf Green
 network 0.0.0.0 255.255.255.255 area 0
!
router ospf 3 vrf Blue
 network 0.0.0.0 255.255.255.255 area 0

S2

router ospf 1 vrf Red
 network 0.0.0.0 255.255.255.255 area 0
 passive-interface Vlan216
!
router ospf 2 vrf Green
 network 0.0.0.0 255.255.255.255 area 0
 passive-interface Vlan217
!

S3

router ospf 1 vrf Red
 network 0.0.0.0 255.255.255.255 area 0
 passive-interface Vlan316
!
router ospf 3 vrf Blue
 network 0.0.0.0 255.255.255.255 area 0
 passive-interface Vlan318

We can verify that OSPF adjacencies have been appropriately established with show ip ospf neighbor. Note that this command is not VRF-specific.

S1# show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
172.18.3.1        1   FULL/DR         00:00:31    172.18.0.3      Vlan18
172.17.2.1        1   FULL/DR         00:00:32    172.17.0.2      Vlan17
172.16.2.1        1   FULL/BDR        00:00:32    172.16.0.2      Vlan16
172.16.3.1        1   FULL/DR         00:00:31    172.16.0.3      Vlan16

At this point, all customers in all buildings should have full connectivity within their respective VRFs.

S2# show ip route vrf Red

Routing Table: Red
...

172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
C       172.16.0.0/24 is directly connected, Vlan16
O       172.16.1.0/30 [110/2] via 172.16.0.1, 00:00:31, Vlan16
C       172.16.2.0/24 is directly connected, Vlan216
O       172.16.3.0/24 [110/2] via 172.16.0.3, 00:00:31, Vlan16
S2# show ip route vrf Green

Routing Table: Green
...

172.17.0.0/16 is variably subnetted, 3 subnets, 2 masks
O       172.17.1.0/30 [110/2] via 172.17.0.1, 00:00:37, Vlan17
C       172.17.0.0/24 is directly connected, Vlan17
C       172.17.2.0/24 is directly connected, Vlan217

S3# show ip route vrf Red

Routing Table: Red
...

172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
C       172.16.0.0/24 is directly connected, Vlan16
O       172.16.1.0/30 [110/2] via 172.16.0.1, 00:01:04, Vlan16
O       172.16.2.0/24 [110/2] via 172.16.0.2, 00:01:04, Vlan16
C       172.16.3.0/24 is directly connected, Vlan316
S3# show ip route vrf Blue

Routing Table: Blue
...

172.18.0.0/16 is variably subnetted, 3 subnets, 2 masks
C       172.18.3.0/24 is directly connected, Vlan318
C       172.18.0.0/24 is directly connected, Vlan18
O       172.18.1.0/30 [110/2] via 172.18.0.1, 00:01:05, Vlan18

Configuring Multiprotocol BGP

Multiprotocol BGP (MP-BGP or BGP-MP) will be used only to exchange routes between VRFs, and therefore needs to be configured only on S1. We'll use the private AS number 65000 for the BGP process.

Because all of our routed interfaces on S1 have been assigned to VRFs, we'll create a loopback interface not in a VRF to keep BGP from complaining about not being able to find a router ID. (In the real world, one might consider using the IP of a management interface as the BGP router ID.) A router ID can also be configured per BGP address family.

S1(config)# interface loopback0
S1(config-if)# ip address 192.0.2.1 255.255.255.255

To configure MP-BGP, we configure a separate address family within BGP for each VRF and simply redistribute all connected and OSPF-learned routes within that VRF.

S1

router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 no auto-summary
 !
 address-family ipv4 vrf Red
  redistribute connected
  redistribute ospf 1 vrf Red
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf Green
  redistribute connected
  redistribute ospf 2 vrf Green
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf Blue
  redistribute connected
  redistribute ospf 3 vrf Blue
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf Shared
  redistribute connected
  no synchronization
 exit-address-family

We can verify that each BGP address family now maintains routes for its respective VRF. (To view the BGP routes for only a specific VRF, use the commandshow ip bgp vpnv4 vrf.)

S1# show ip bgp vpnv4 all
BGP table version is 47, local router ID is 192.0.2.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 65000:1 (default for vrf Red)
*> 172.16.0.0/24    0.0.0.0                  0         32768 ?
*> 172.16.1.0/30    0.0.0.0                  0         32768 ?
*> 172.16.2.0/24    172.16.0.2               2         32768 ?
*> 172.16.3.0/24    172.16.0.3               2         32768 ?
Route Distinguisher: 65000:2 (default for vrf Green)
*> 172.17.0.0/24    0.0.0.0                  0         32768 ?
*> 172.17.1.0/30    0.0.0.0                  0         32768 ?
*> 172.17.2.0/24    172.17.0.2               2         32768 ?
Route Distinguisher: 65000:3 (default for vrf Blue)
*> 172.18.0.0/24    0.0.0.0                  0         32768 ?
*> 172.18.1.0/30    0.0.0.0                  0         32768 ?
*> 172.18.3.0/24    172.18.0.3               2         32768 ?
Route Distinguisher: 65000:99 (default for vrf Shared)
*> 192.168.99.0     0.0.0.0                  0         32768 ?

Enabling VRF Route Import and Export

Our final task is to configure route import and export among the Red, Green, and Shared VRFs. VRF route import and export are configured as two explicit, independent functions. Under VRFs Red and Green, we need to:

Export local routes
Import routes from VRF Shared

Under VRF Shared:

Export local routes
Import routes from VRFs Red and Green

To do this, we configure each VRF with import and export route targets. A route target is similar in format to a route distinguisher, but serves a different purpose. Whereas any given VRF route in our scenario has exactly one route distinguisher to uniquely identify it, a route can have zero or more route targets as arbitrary identifiers for reference by import and export policies. This allows for much greater flexibility than if only the route distinguisher was used. Although used only locally in our example, route targets are communicated with MP-BGP neighbors as extended communities.

Route targets can be defined in the same formats as route distinguishers. Here each route target will reuse the same format and value of its VRF's route distinguisher, just to keep things simple. However, remember that there is no direct relation between the two. Additionally, although each VRF is exporting only one route-target in our example, multiple route-targets can be exported simultaneously (resulting in multiple communities attached to an MP-BGP route).

ip vrf Blue
 rd 65000:3
!
ip vrf Green
 rd 65000:2
 route-target export 65000:2
 route-target import 65000:99
!
ip vrf Red
 rd 65000:1
 route-target export 65000:1
 route-target import 65000:99
!
ip vrf Shared
 rd 65000:99
 route-target export 65000:99
 route-target import 65000:1
 route-target import 65000:2

Now VRF Shared has routes from VRFs Red and Green, and VRFs Red and Green each have the route from VRF Shared (it may take a minute for the routes to appear in the table):

S1# show ip route vrf Shared

Routing Table: Shared
...

172.17.0.0/16 is variably subnetted, 2 subnets, 2 masks
B       172.17.1.0/30 is directly connected, 00:00:24, FastEthernet0/3
B       172.17.0.0/24 is directly connected, 00:00:24, Vlan17
     172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
B       172.16.0.0/24 is directly connected, 00:00:24, Vlan16
B       172.16.1.0/30 is directly connected, 00:00:24, FastEthernet0/1
C    192.168.99.0/24 is directly connected, Loopback99
S1# show ip route vrf Red

Routing Table: Red
...

172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
C       172.16.0.0/24 is directly connected, Vlan16
C       172.16.1.0/30 is directly connected, FastEthernet0/1
O       172.16.2.0/24 [110/2] via 172.16.0.2, 00:05:38, Vlan16
O       172.16.3.0/24 [110/2] via 172.16.0.3, 00:05:38, Vlan16
B    192.168.99.0/24 is directly connected, 00:00:44, Loopback99
S1# show ip route vrf Green

Routing Table: Green
...

172.17.0.0/16 is variably subnetted, 3 subnets, 2 masks
C       172.17.1.0/30 is directly connected, FastEthernet0/3
C       172.17.0.0/24 is directly connected, Vlan17
O       172.17.2.0/24 [110/2] via 172.17.0.2, 00:05:43, Vlan17
B    192.168.99.0/24 is directly connected, 00:00:49, Loopback99

VRF Blue, however, still contains only its own routes, as we did not configure import or export for this VRF:

S1# show ip route vrf Blue

Routing Table: Blue
...

172.18.0.0/16 is variably subnetted, 3 subnets, 2 masks
O       172.18.3.0/24 [110/2] via 172.18.0.3, 00:06:02, Vlan18
C       172.18.0.0/24 is directly connected, Vlan18
C       172.18.1.0/30 is directly connected, FastEthernet0/5

Lastly, we need to configure the VRF OSPF processes to redistribute BGP-learned routes to OSPF peers on S1:

S1(config)# router ospf 1 vrf Red
S1(config-router)# redistribute bgp 65000 subnets
S1(config-router)# router ospf 2 vrf Green
S1(config-router)# redistribute bgp 65000 subnets

These routes are now propagated via OSPF to S2 and S3 within their respective VRFs. On S3, we can verify that VLAN 316 (VRF Red) has access to the VOIP network, but VLAN 318 (VRF Blue) does not:

S3# show ip route vrf Red

Routing Table: Red
...

172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
C       172.16.0.0/24 is directly connected, Vlan16
O       172.16.1.0/30 [110/2] via 172.16.0.1, 00:10:15, Vlan16
O       172.16.2.0/24 [110/2] via 172.16.0.2, 00:10:15, Vlan16
C       172.16.3.0/24 is directly connected, Vlan316
O E2 192.168.99.0/24 [110/1] via 172.16.0.1, 00:10:15, Vlan16
S3# show ip route vrf Blue

Routing Table: Blue
...

172.18.0.0/16 is variably subnetted, 3 subnets, 2 masks
C       172.18.3.0/24 is directly connected, Vlan318
C       172.18.0.0/24 is directly connected, Vlan18
O       172.18.1.0/30 [110/2] via 172.18.0.1, 00:25:17, Vlan18
S3# ping vrf Red 192.168.99.1 source vlan316

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.99.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.3.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
S3# ping vrf Blue 192.168.99.1 source vlan318

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.99.1, timeout is 2 seconds:
Packet sent with a source address of 172.18.3.1 
.....
Success rate is 0 percent (0/5)

The final configurations of all three switches are made available here:

Tuesday, 8 May 2012

Autonegotiation valid configuration

There is a lot of confusion about auto negotiation. Here is a chart that will help bring things into perspective.
Autonegotiation Valid Configuration

Configuration NIC (Speed/Duplex)	Configuration Switch (Speed/Duplex)	Resulting NIC Speed/Duplex	Resulting Catalyst Speed/Duplex	Comments
AUTO	AUTO	1000 Mbps, Full-duplex	1000 Mbps, Full-duplex	Assuming maximum capability of Catalyst switch, and NIC is 1000 Mbps, full-duplex.
1000 Mbps, Full-duplex	AUTO	1000 Mbps, Full-duplex	1000 Mbps, Full-duplex	Link is established, but the switch does not see any autonegotiation information from NIC. Since Catalyst switches support only full-duplex operation with 1000 Mbps, they default to full-duplex, and this happens only when operating at 1000 Mbps.
AUTO	1000 Mbps, Full-duplex	1000 Mbps, Full-duplex	1000 Mbps, Full-duplex	Assuming maximum capability of NIC is 1000 Mbps, full-duplex.
1000 Mbps, Full-duplex	1000 Mbps, Full-duplex	1000 Mbps, Full-duplex	1000 Mbps, Full-duplex	Correct Manual Configuration
100 Mbps, Full-duplex	1000 Mbps, Full-duplex	No Link	No Link	Neither side establishes link, due to speed mismatch
100 Mbps, Full-duplex	AUTO	100 Mbps, Full-duplex	100 Mbps, Half-duplex	Duplex Mismatch ¹
AUTO	100 Mbps, Full-duplex	100 Mbps, Half-duplex	100 Mbps, Full-duplex	Duplex Mismatch ¹
100 Mbps, Full-duplex	100 Mbps, Full-duplex	100 Mbps, Full-duplex	100 Mbps, Full-duplex	Correct Manual Configuration²
100 Mbps, Half-duplex	AUTO	100 Mbps, Half-duplex	100 Mbps, Half-duplex	Link is established, but switch does not see any autonegotiation information from NIC and defaults to half-duplex when operating at 10/100 Mbps.
10 Mbps, Half-duplex	AUTO	10 Mbps, Half-duplex	10 Mbps, Half-duplex	Link is established, but switch does not see Fast Link Pulse (FLP) and defaults to 10 Mbps half-duplex.
10 Mbps, Half-duplex	100 Mbps, Half-duplex	No Link	No Link	Neither side establishes link, due to speed mismatch.
AUTO	100 Mbps, Half-duplex	100 Mbps, Half-duplex	100 Mbps, Half-duplex	Link is established, but NIC does not see any autonegotiation information and defaults to 100 Mbps, half-duplex.
AUTO	10 Mbps, Half-duplex	10 Mbps, Half-duplex	10 Mbps, Half-duplex	Link is established, but NIC does not see FLP and defaults to 10 Mbps, half-duplex.

Display interface bandwidth

quick tip: display interface bandwidth

To display bandwidths of all interfaces configured on the router use show interface | include protocol|BW command.
Here is a sample printout:

Rtr#show interface | include protocol|BW
FastEthernet0/0 is administratively down, line protocol is down
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
Serial1/0 is up, line protocol is up
  MTU 1500 bytes, BW 2000 Kbit, DLY 20000 usec,
Serial1/1 is up, line protocol is up
  MTU 1500 bytes, BW 2000 Kbit, DLY 20000 usec,
Serial1/2 is up, line protocol is up
  MTU 1500 bytes, BW 2000 Kbit, DLY 20000 usec,
Serial1/3 is administratively down, line protocol is down
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
Loopback0 is up, line protocol is up
  MTU 1514 bytes, BW 8000000 Kbit, DLY 5000 usec,

You could define an alias to create a new IOS command generating this printout (for example,alias exec bw show interface | include protocol|BW). You could also write a simple Tcl script that would accept an interface name and display the bandwidth of that interface.

CPU ROUTER COMMANDS

display top cpu processes on the router

I've almost started writing a Tcl procedure to display top-10 CPU-intensive processes on a router ... and then discovered the sorted option of the show processes cpu command. Even more, starting in IOS release 12.2T, the show processes cpu history command gives you a nice CPU utilization graph.

Sample printouts are included below:

router#show processes cpu sorted 1min
CPU utilization for five seconds: 1%/0%; one minute: 2%; five minutes: 2%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
   5      180080      9762      18447  0.00%  1.75%  1.73%   0 Check heaps
  62         648       181       3580  0.00%  0.31%  0.12%   2 Virtual Exec
  25        4116       173      23791  0.49%  0.05%  0.00%   0 Per-minute Jobs
  30         848      1172        723  0.00%  0.01%  0.00%   0 IP Input
  81          12       357         33  0.08%  0.00%  0.00%   0 CEF Scanner
   6           8         2       4000  0.00%  0.00%  0.00%   0 Pool Manager
   4           0        86          0  0.00%  0.00%  0.00%   0 DHCPD Timer
   3           4        27        148  0.00%  0.00%  0.00%   0 CRYPTO IKMP IPC
   9           0         1          0  0.00%  0.00%  0.00%   0 AAA high-capacit
  10          52       238        218  0.00%  0.00%  0.00%   0 ARP Input
... rest deleted ...
router#show processes cpu history
                22222
    22          11111          11111
100
 90
 80
 70
 60
 50
 40
 30
 20             *****
 10             *****
   0....5....1....1....2....2....3....3....4....4....5....5....
             0    5    0    5    0    5    0    5    0    5
               CPU% per second (last 60 seconds)

cisco best practice - turn off http, telnet and enable https, ssh

ip domain-name cisco.local
ip ssh version 2
no ip http server
ip http secure-server
line vty 0 15
transport input ssh

SSO STATES IN SUPERVISOR ENGINE BETWEEN TWO SUPERVISOR ENGINE

enable stateful switchover (sso) on cisco switch supervisor modules

Stateful Switchover (SSO) synchronizes process and configuration information between supervisor modules to enable a fast transparent failover.

Router(config)# redundancy
Router(config-red)# mode sso
Router(config-red)# end

Router# show redundancy states

my state = 13 -ACTIVE
peer state = 8 -STANDBY HOT
Mode = Duplex
Unit = Primary
Unit ID = 5

Redundancy Mode (Operational) = sso
Redundancy Mode (Configured) = sso
Split Mode = Disabled
Manual Swact = Enabled
Communications = Up

client count = 29
client_notification_TMR = 30000 milliseconds
keep_alive TMR = 9000 milliseconds
keep_alive count = 1
keep_alive threshold = 18
RF debug mask = 0x0
Router#

Tuesday, 1 May 2012

CCNA CCNP CCIE OSPF: Frequently Interview Asked Questions

Why are loopbacks advertised as /32 host routes in OSPF?
How do I change the reference bandwidth in OSPF?
How does OSPF calculate its metric or cost?
Are OSPF routing protocol exchanges authenticated?
What is the link−state retransmit interval, and what is the command to set it?
What is the purpose of the variable IP−OSPF−Transmit−Delay?
Is it true that only the static option of the virtual link in OSPF allows discontiguous
networks, regardless of the mask propagation properties?
Are the multicast IP addresses mapped to MAC−level multicast addresses?
Does the Cisco OSPF implementation support IP TOS−based routing?
Does the offset−list subcommand work for OSPF?
Can an OSPF default be originated into the system based on external information on a
router that does not itself have a default?
Can I use the distribute−list in/out command with OSPF to filter routes?
How can I give preference to OSPF interarea routes over intra−area routes?
Do I need to manually set up adjacencies for routers on the Switched Multimegabit Data
Service (SMDS) cloud with the OSPF neighbor subcommand?
When routes are redistributed between OSPF processes, are all shortest path first
algorithm (SPF) metrics preserved, or is the default metric value used?
How does Cisco accommodate OSPF routing on partial−mesh Frame Relay networks?
Which address−wild−mask pair should I use for assigning an unnumbered interface to
an area?
Can I have one numbered side and leave the other side unnumbered in OSPF?
Why do I receive the "cannot allocate router id" error message when I configure Router
OSPF One?
Why do I receive the "unknown routing protocol" error message when I configure
Router OSPF One?
What do the states DR, BDR, and DROTHER mean in show ip ospf interface command
output?
When I issue the show ip ospf neighbor command, why do I only see FULL/DR and
FULL/BDR, with all other neighbors showing 2−WAY/DROTHER?
Why do I not see OSPF neighbors as FULL/DR or FULL/BDR on my serial link?
Do I need any special commands to run OSPF over BRI/PRI links?
Do I need any special commands to run OSPF over asynchronous links?
Which Cisco IOS Software release began support for per−interface authentication type
in OSPF?
Can I control the P−bit when importing external routes into a not−so−stubby area
(NSSA)?
Why are OSPF show commands responding so slowly?
What does the clear ip ospf redistribution command do?
Does OSPF form adjacencies with neighbors that are not on the same subnet?
How often does OSPF send out link−state advertisements (LSAs)?
How do I stop individual interfaces from developing adjacencies in an OSPF network?
When I have two type 5 link−state advertisements (LSAs) for the same external network
in the OSPF database, which path should be installed in the IP routing table?
Why is it that my Cisco 1600 router does not recognize the OSPF protocol?
Why is it that my Cisco 800 router does not run OSPF?
Should I use the same process number while configuring OSPF on multiple routers
within the same network?
I have a router that runs Cisco Express Forwarding (CEF) and OSPF, who does
load−balancing when there are multiple links to a destination?
How does OSPF use two Multilink paths to transfer packets?
How can you detect the topological changes rapidly?
Does the 3825 Series Router support the OSPF Stub feature?
What does the error message %OSPF−4−FLOOD_WAR: Process process−id
re−originates LSA ID ip address type−2 adv−rtr ip address in area area id means?
Can we have OSPF run over a GRE tunnel?

ANSWERS FOR THE ABOVE QUESTIONS

Introduction
The document addresses the most frequently asked questions (FAQ) associated with Open Shortest Path First
(OSPF). The document covers OSPF version 2 only. OSPF version 3, introduced in Cisco IOS® Software
Releases 12.0(24)S, 12.2(18)S, and 12.2(15)T, is used for distributing IP version 6 routing information; it is
not explicitly covered in this document. In the scope of this document, "OSPF" refers to OSPF version 2 and
"IP" refers to IP version 4.
Q. Why are loopbacks advertised as /32 host routes in OSPF?
A. Loopbacks are considered host routes in OSPF, and they are advertised as /32. For more
information, refer to section 9.1 of RFC 2328 . In Cisco IOS Software Releases 11.3T and
12.0, if the ip ospf network point−to−point command is configured under loopbacks, OSPF
advertises the loopback subnet as the actual subnet configured on loopbacks. ISDN dialer
interface advertises /32 subnet instead of its configured subnet mask. This is an expected
behavior if ip ospf network point−to−multipoint is configured.
Q. How do I change the reference bandwidth in OSPF?
A. You can change the reference bandwidth in Cisco IOS Software Release 11.2 and later
using the ospf auto−cost reference−bandwidth command under router ospf. By default,
reference bandwidth is 100 Mbps.
Q. How does OSPF calculate its metric or cost?
A. OSPF uses a reference bandwidth of 100 Mbps for cost calculation. The formula to
calculate the cost is reference bandwidth divided by interface bandwidth. For example, in the
case of Ethernet, it is 100 Mbps / 10 Mbps = 10.
Note: If ip ospf cost cost is used on the interface, it overrides this formulated cost.
Q. Are OSPF routing protocol exchanges authenticated?
A. Yes, OSPF can authenticate all packets exchanged between neighbors. Authentication may
be through simple passwords or through MD5 cryptographic checksums. To configure simple
password authentication for an area, use the command ip ospf authentication−key to assign
a password of up to eight octets to each interface attached to the area. Then, issue the area x
authentication command to the OSPF router configuration to enable authentication. (In the
command, x is the area number.)
Cisco IOS Software Release 12.x also supports the enabling of authentication on a
per−interface basis. If you want to enable authentication on some interfaces only, or if you
want different authentication methods on different interfaces that belong to the same area, use
the ip ospf authentication interface mode command.
Q. What is the link−state retransmit interval, and what is the command to
set it?
A. OSPF must send acknowledgment of each newly received link−state advertisement (LSA).
It does this by sending LSA packets. LSAs are retransmitted until they are acknowledged.
The link−state retransmit interval defines the time between retransmissions. You can use the
command ip ospf retransmit−interval to set the retransmit interval. The default value is 5
seconds.
Q. What is the purpose of the variable IP−OSPF−Transmit−Delay?
A. This variable adds a specified time to the age field of an update. If the delay is not added
before transmission over a link, the time in which the link−state advertisement (LSA)
propagates over the link is not considered. The default value is 1 second. This parameter has
more significance on very low−speed links.
Q. Is it true that only the static option of the virtual link in OSPF allows
discontiguous networks, regardless of the mask propagation
properties?
A. No, virtual links in OSPF maintain connectivity to the backbone from nonbackbone areas,
but they are unnecessary for discontiguous addressing. OSPF provides support for
discontiguous networks because every area has a collection of networks, and OSPF attaches a
mask to each advertisement.
Q. Are the multicast IP addresses mapped to MAC−level multicast
addresses?
A. OSPF sends all advertisements using multicast addressing. Except for Token Ring, the
multicast IP addresses are mapped to MAC−level multicast addresses. Cisco maps Token
Ring to MAC−level broadcast addresses.
Q. Does the Cisco OSPF implementation support IP TOS−based routing?
A. Cisco OSPF only supports TOS 0. This means that routers route all packets on the TOS 0
path, eliminating the need to calculate nonzero TOS paths.
Q. Does the offset−list subcommand work for OSPF?
A. The offset−list command does not work for OSPF. It is used for distance vector protocols
such as Interior Gateway Routing Protocol (IGRP), Routing Information Protocol (RIP), and
RIP version 2.

Q. Can an OSPF default be originated into the system based on external
information on a router that does not itself have a default?
A. OSPF generates a default only if it is configured using the command default−information
originate and if there is a default network in the box from a different process. The default
route in OSPF is 0.0.0.0. If you want an OSPF−enabled router to generate a default route even
if it does not have a default route itself, use the command default−information originate
always.
Q. Can I use the distribute−list in/out command with OSPF to filter
routes?
A. The distribute−list commands are supported in OSPF but work differently than
distance−vector routing protocols such as Routing Information Protocol (RIP) and Enhanced
Interior Gateway Routing Protocol (EIGRP). OSPF routes cannot be filtered from entering
the OSPF database. The distribute−list in command only filters routes from entering the
routing table; it does not prevent link−state packets from being propagated. Therefore, this
command does not help conserve router memory, and it does not prohibit a router from
propagating filtered routes to other routers.
Caution: Use of the distribute−list in command in OSPF may lead to routing loops in
the network if not implemented carefully.
The command distribute−list out works only on the routes being redistributed by the
Autonomous System Boundary Routers (ASBRs) into OSPF. It can be applied to external
type 2 and external type 1 routes, but not to intra−area and interarea routes.
Q. How can I give preference to OSPF interarea routes over intra−area
routes?
A. According to section 11 of RFC 2328 , the order of preference for OSPF routes is:
¨ intra−area routes, O
¨ interarea routes, O IA
¨ external routes type 1, O E1
¨ external routes type 2, O E2
This rule of preference cannot be changed. However, it applies only within a single OSPF
process. If a router is running more than one OSPF process, route comparison occurs. With
route comparison, the metrics and administrative distances (if they have been changed) of the
OSPF processes are compared. Route types are disregarded when routes supplied by two
different OSPF processes are compared.
Q. Do I need to manually set up adjacencies for routers on the Switched
Multimegabit Data Service (SMDS) cloud with the OSPF neighbor
subcommand?
A. In Cisco IOS Software releases earlier than Cisco IOS Software Release 10.0, the
neighbor command was required to establish adjacencies over nonbroadcast multiaccess
(NBMA) networks (such as Frame Relay, X.25, and SMDS). With Cisco IOS Software
Release 10.0 and later, you can use the ip ospf network broadcast command to define the
network as a broadcast network, eliminating the need for the neighbor command. If you are not using a fully meshed SMDS cloud, you must use the ip ospf network
point−to−multipoint command.
Q. When routes are redistributed between OSPF processes, are all
shortest path first algorithm (SPF) metrics preserved, or is the default
metric value used?
A. The SPF metrics are preserved. The redistribution between them is like redistribution
between any two IP routing processes.
Q. How does Cisco accommodate OSPF routing on partial−mesh Frame
Relay networks?
A. You can configure OSPF to understand whether it should attempt to use multicast facilities
on a multi−access interface. Also, if multicast is available, OSPF uses it for its normal
multicasts.
Cisco IOS Software Release 10.0 includes a feature called subinterfaces. You can use
subinterfaces with Frame Relay to tie together a set of virtual circuits (VCs) to form a virtual
interface, which acts as a single IP subnet. All systems within the subnet should be fully
meshed. With Cisco IOS Software Releases 10.3, 11.0 and later, the ip ospf
point−to−multipoint command is also available.
Q. Which address−wild−mask pair should I use for assigning an
unnumbered interface to an area?
A. When an unnumbered interface is configured, it references another interface on the router.
When enabling OSPF on the unnumbered interface, use the address−wild−mask pair of
interfaces to which the unnumbered interface is pointing.
Q. Can I have one numbered side and leave the other side unnumbered
in OSPF?
A. No, OSPF does not work if you have one side numbered and the other side unnumbered.
This creates a discrepancy in the OSPF database that prevents routes from being installed in
the routing table.
Q. Why do I receive the "cannot allocate router id" error message when I
configure Router OSPF One?
A. OSPF picks up the highest IP address as a router ID. If there are no interfaces in up/up
mode with an IP address, it returns this error message. To correct the problem, configure a
loopback interface.
Q. Why do I receive the "unknown routing protocol" error message when
I configure Router OSPF One?
A. Your software may not support OSPF. This error message occurs most frequently with the
Cisco 1600 series routers. If you are using a 1600 router, you need a Plus image to run OSPF.

Q. What do the states DR, BDR, and DROTHER mean in show ip ospf
interface command output?
A. DR means designated router. BDR means backup designated router. DROTHER indicates a
router that is neither the DR or the BDR. The DR generates a Network Link−State
Advertisement, which lists all the routers on that network.
Q. When I issue the show ip ospf neighbor command, why do I only see
FULL/DR and FULL/BDR, with all other neighbors showing
2−WAY/DROTHER?
A. To reduce the amount of flooding on broadcast media, such as Ethernet, FDDI, and Token
Ring, the router becomes full with only designated router (DR) and backup designated router
(BDR), and it shows 2−WAY for all other routers.
Q. Why do I not see OSPF neighbors as FULL/DR or FULL/BDR on my
serial link?
A. This is normal. On point−to−point and point−to−multipoint networks, there are no
designated routers (DRs) or backup designated routers (BDRs).
Q. Do I need any special commands to run OSPF over BRI/PRI links?
A. In addition to the normal OSPF configuration commands, you should use the dialer map
command. When using the dialer map command, use the broadcast keyword to indicate that
broadcasts should be forwarded to the protocol address.
Q. Do I need any special commands to run OSPF over asynchronous
links?
A. In addition to the normal OSPF configuration commands, you should use the async
default routing command on the asynchronous interface. This command enables the router to
pass routing updates to other routers over the asynchronous interface. Also, when using the
dialer map command, use the broadcast keyword to indicate that broadcasts should be
forwarded to the protocol address.
Q. Which Cisco IOS Software release began support for per−interface
authentication type in OSPF?
A. Per−interface authentication type, as described in RFC 2178 , was added in Cisco IOS
Software Release 12.0(8).
Q. Can I control the P−bit when importing external routes into a
not−so−stubby area (NSSA)?
A. When external routing information is imported into an NSSA in a type 7 link−state
advertisement (LSA), the type 7 LSA has only area flooding scope. To further distribute the
external information, type 7 LSAs are translated into type 5 LSAs at the NSSA border. The
P−bit in the type 7 LSA Options field indicates whether the type 7 LSA should be translated.
Only those LSAs with the P−bit set are translated. When you redistribute information into the NSSA, the P−bit is automatically set. A possible workaround applies when the Autonomous
System Boundary Router (ASBR) is also an Area Border Router (ABR). The NSSA ASBR
can then summarize with the not−advertise keyword, which results in not advertising the
translated type 7 LSAs.
Q. Why are OSPF show commands responding so slowly?
A. You may experience a slow response when issuing OSPF show commands, but not with
other commands. The most common reason for this delay is that you have the ip ospf
name−lookup configuration command configured on the router. This command causes the
router to look up the device Domain Name System (DNS) names for all OSPF show
commands, making it easier to identify devices, but resulting in a slowed response time for
the commands. If you are experiencing slow response on commands other than just OSPF
show commands, you may want to start looking at other possible causes, such as the CPU
utilization.
Q. What does the clear ip ospf redistribution command do?
A. The clear ip ospf redistribution command flushes all the type 5 and type 7 link−state
advertisements (LSAs) and scans the routing table for the redistributed routes. This causes a
partial shortest path first algorithm (SPF) in all the routers on the network that receive the
flushed/renewed LSAs. When the expected redistributed route is not in OSPF, this command
may help to renew the LSA and get the route into OSPF.
Q. Does OSPF form adjacencies with neighbors that are not on the same
subnet?
A. The only time that OSPF forms adjacencies between neighbors that are not on the same
subnet is when the neighbors are connected through point−to−point links. This may be
desired when using the ip unnumbered command, but in all other cases, the neighbors must
be on the same subnet.
Q. How often does OSPF send out link−state advertisements (LSAs)?
A. OSPF sends out its self−originated LSAs when the LSA age reaches the link−state refresh
time, which is 1800 seconds.
Q. How do I stop individual interfaces from developing adjacencies in an
OSPF network?
A. To stop routers from becoming OSPF neighbors on a particular interface, issue the
passive−interface command at the interface.
In Internet service provider (ISP) and large enterprise networks, many of the distribution
routers have more than 200 interfaces. Configuring passive−interface on each of the 200
interfaces can be difficult. The solution in such situations is to configure all the interfaces as
passive by default using a single passive−interface default command. Then, configure
individual interfaces where adjacencies are desired using the no passive−interface command.
For more information, refer to Default Passive Interface Feature.
There are some known problems with the passive−interface default command. Workarounds
are listed in Cisco bug ID CSCdr09263 ( registered customers only) .

Q. When I have two type 5 link−state advertisements (LSAs) for the same
external network in the OSPF database, which path should be installed
in the IP routing table?
A. When you have two type 5 LSAs for the same external network in the OSPF database,
prefer the external LSA that has the shortest path to the Autonomous System Boundary
Router (ASBR) and install that into the IP routing table. Use the show ip ospf
border−routers command to check the cost to the ASBR.
Q. Why is it that my Cisco 1600 router does not recognize the OSPF
protocol?
A. Cisco 1600 routers require the Plus feature set image of Cisco IOS Software to run OSPF.
Refer to Table 3: Cisco 1600 Series Routers Feature Sets in the Release Notes for Cisco IOS
Release 11.2(11) Software Feature Packs for Cisco 1600 Series Routers for more information.
Q. Why is it that my Cisco 800 router does not run OSPF?
A. Cisco 800 routers do not support OSPF. However, they do support Routing Information
Protocol (RIP) and Enhanced Interior Gateway Routing Protocol (EIGRP). You can use the
Software Advisor ( registered customers only) tool for more information on feature support.
Q. Should I use the same process number while configuring OSPF on
multiple routers within the same network?
A. OSPF, unlike Border Gateway Protocol (BGP) or Enhanced Interior Gateway Routing
Protocol (EIGRP), does not check the process number (or autonomous system number) when
adjacencies are formed between neighboring routers and routing information is exchanged.
The only case in which the OSPF process number is taken into account is when OSPF is used
as the routing protocol on a Provider Edge to Customer Edge (PE−CE) link in a Multiprotocol
Label Switching (MPLS) VPN. PE routers mark OSPF routes with the domain attribute
derived from the OSPF process number to indicate whether the route originated within the
same OSPF domain or from outside it. If the OSPF process numbering is inconsistent on PE
routers in the MPLS VPN, the domain−id OSPF mode command should be used to mark that
the OSPF processes with different numbers belong to the same OSPF domain.
This means that, in many practical cases, you can use different autonomous system numbers
for the same OSPF domain in your network. However, it is best to use consistent
OSPF−process numbering as much as possible. This consistency simplifies network
maintenance and complies with the network designer intention to keep routers in the same
OSPF domain.
Q. I have a router that runs Cisco Express Forwarding (CEF) and OSPF,
who does load−balancing when there are multiple links to a destination?
A. CEF works by performing the switching of the packet based on the routing table which is
populated by the routing protocols such as OSPF. CEF does the load−balancing once the
routing protocol table has been calculated. For more details on load balancing, refer to How
does load−balancing work?

Q. How does OSPF use two Multilink paths to transfer packets?
A. OSPF uses the metric aCost, which is related to the bandwidth. If there are equal cost paths
(the same bandwidth on both multilinks), OSPF installs both routes in the routing table. The
routing table tries to use both links equally, regardless of the interface utilization. If one of the
links in the first multilink fails, OSPF does not send all the traffic down the second multilink.
If the first multilink peaks 100%, OSPF does not send any traffic down the second multilink
because OSPF tries to use both links equally, regardless of the interface utilization. The
second is used fully only when the first multilink goes down.
Q. How can you detect the topological changes rapidly?
A. In order to have a rapid fault detection of topology changes, the hello timer value needs to
be set to 1 second. The hold timer value, which is is four times that of the hello timer, also
needs to be configured. There is a possibility of more routing traffic if the hello and hold
timer values are reduced from their default values.
Q. Does the 3825 Series Router support the OSPF Stub feature?
A. Yes, the 3800 Series Router that runs Advanced IPServices image supports the OSPF Stub
feature.
Q. What does the error message %OSPF−4−FLOOD_WAR: Process
process−id re−originates LSA ID ip address type−2 adv−rtr ip address in
area area id means?
A. The error message is due to the some router that is flushing the network LSA because the
network LSA received by the router whose LSA ID conflicts with the IP address of one of the
router's interfaces and flushes the LSA out of the network. For OSPF to function correctly the
IP addresses of transit networks must be unique. If it is not unique the conflicting routers
reports this error message. In the error message the router with the OSPF router ID reported
as adv−rtr reports this message.
Q. Can we have OSPF run over a GRE tunnel?
A. Yes, refer to Configuring a GRE Tunnel over IPSec with OSPF.