
DarkLogix
Texan and Proud
Premium
join:2008-10-23
Baytown, TX
kudos:3

[Config] OSPF double check

Can I do network summarization on the network statements for OSPF? And I only need to put in the directly connected networks on a given router, right?

I.e., so I could do the following
on my router
Network 10.254.254.0/28
(to cover 10.254.254.0/30, 10.254.254.4/30, 10.254.254.8, and 10.254.254.12/30)

Or should I enter each of those 4 network statements?

And then on my inter-VLAN routing device do
Network 10.0.0.0/21
(to cover 10.0.0.0/24, 10.0.1.0/24, through 10.0.7.0/24)

Also, is there any issue in doing area 0 for all of these, as they're linked via gig?

Basically I'm just doubting myself a little.

And then can I do similar summarization for IPv6 OSPF?
If so, I'm thinking of doing
network 2001:xxxx:xxxx:FFFF::/124
(to cover 2001:xxxx:xxxx:FFFF::1/127 through 2001:xxxx:xxxx:FFFF::8/127) (as IPv6 doesn't have network and broadcast addresses; or would I be able to shift that 1 to 0? If so, would I do a /125 to cover 4x 2-IP nets?)
--
semper idem
1KTzRMxN1a2ATrtAAvbmEnMBoY3E2kHtyv


markysharkey
Premium
join:2012-12-20
united kingd

In OSPF you advertise each route explicitly within the same area and summarise those routes on ABRs.
--
Binary is as easy as 01 10 11


aryoba
Premium,MVM
join:2002-08-22
kudos:4
reply to DarkLogix

If you are talking about OSPF networks that will be producing LSA Type 1 and/or Type 2, then summarization of them can only be done on an ABR. Should you decide to do so, make sure the same summarization takes place at all ABRs in the given area.

When networks are OSPF external, the summarization takes place on the ASBR. There should be no need to summarize external OSPF networks at an ABR, though you have the option to do so.



DarkLogix
Texan and Proud
Premium
join:2008-10-23
Baytown, TX
kudos:3

OK, so given my network as follows:

A router connected to the internet; let's call it router 1.
Then 3x L3 switches; let's call them Switch 1~4 (skipping 2).

on the router I have
gi 1/0 - link to switch 1
gi 2/0 - link to internet
gi 3/0 - link to switch 3
gi 4/0 - link to switch 4

so the interfaces are something like the following
gi 1/0
ip address 10.254.254.1/30

gi 2/0
ip address "static 1"
ip address "static 2" secondary
ip address "static 3" secondary
ip address "static 4" secondary

gi 3/0
ip address 10.254.254.9/30

gi 4/0
ip address 10.254.254.13/30

With the 3 switch links set to distribute OSPF and the ISP link set to OSPF passive,

on the router can I do the following?
router ospf 1
network 10.254.254.0/28 area 0
default-information originate

or do I need to keep it as
router ospf 1
network 10.254.254.0/30 area 0
network 10.254.254.4/30 area 0 (planned net)
network 10.254.254.8/30 area 0
network 10.254.254.12/30 area 0
redistribute static

Then on each L3 switch have the following:
gi 1/0/1
switchport access vlan 25x (where x is the switch number)

interface vlan 25x
ip address 10.254.254.y/30 (where y varies based on which one it is)

interface vlan 250
ip address 10.254.254.xx/29 (where xx varies based on which one and starts at 17)

then
router ospf 1
network 10.254.254.y/30 area 0
network 10.254.254.16/29 area 0 (or just merge those 2 into 0/28)
then
network 10.0.0.0/21 area 0 (to cover 10.0.0.0~10.0.7.0/24)
--
semper idem
1KTzRMxN1a2ATrtAAvbmEnMBoY3E2kHtyv
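The address arithmetic behind the "to cover" questions in the opening post and the ".0/28 plus .16/29" merge idea in this one, as an added example that is not from the thread: it uses Python's ipaddress module, and substitutes the documentation prefix 2001:db8::/32 for the masked 2001:xxxx:xxxx prefix. It only checks which prefixes fit inside a summary and what extra space a summary would claim; as the replies note, actually advertising a summary is an ABR/ASBR function.

```python
import ipaddress

def summary_for(prefixes):
    """Smallest single prefix that contains every prefix in the list."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    summary = nets[0]
    # Widen one bit at a time until every component fits inside.
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    return summary

def coverage(summary, prefixes):
    """Split a candidate summary against its components.

    Returns (outside, holes): the components that do not fit inside the
    summary, and the address space inside the summary that no component
    uses (space the summary would claim with nothing behind it).
    """
    s = ipaddress.ip_network(summary, strict=False)
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    outside = [n for n in nets if not n.subnet_of(s)]
    holes = [s]
    for n in nets:
        if n in outside:
            continue
        remaining = []
        for h in holes:
            if n.subnet_of(h):
                # address_exclude yields the pieces of h left after removing n
                # (nothing at all when n == h).
                remaining.extend(h.address_exclude(n))
            elif not h.subnet_of(n):
                remaining.append(h)
        holes = remaining
    return outside, sorted(holes)

if __name__ == "__main__":
    # Constructed inputs that mirror the prefixes discussed in the thread.
    p2p = ["10.254.254.0/30", "10.254.254.4/30", "10.254.254.8/30", "10.254.254.12/30"]
    print(summary_for(p2p))                    # 10.254.254.0/28
    vlans = [f"10.0.{i}.0/24" for i in range(8)]
    print(summary_for(vlans))                  # 10.0.0.0/21
    # Merging the .0/28 links and the .16/29 net into one prefix:
    outside, holes = coverage("10.254.254.0/27",
                              ["10.254.254.0/30", "10.254.254.8/30",
                               "10.254.254.12/30", "10.254.254.16/29"])
    print(holes)   # [10.254.254.4/30, 10.254.254.24/29]: the planned net plus unused space
    v6 = [f"2001:db8:0:ffff::{i:x}/127" for i in range(0, 16, 2)]
    print(summary_for(v6))                     # 2001:db8:0:ffff::/124 holds eight /127s
    print(coverage("2001:db8:0:ffff::/125", v6)[0])   # four of the /127s fall outside a /125
```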


markysharkey
Premium
join:2012-12-20
united kingd

As it's all area 0 I would keep the routes specific. As both Aryoba and myself have stated, you usually only summarise on an ABR or an ASBR.
--
Binary is as easy as 01 10 11



DarkLogix
Texan and Proud
Premium
join:2008-10-23
Baytown, TX
kudos:3

OK, next: should I be putting all of the networks on each device?

Meaning, say the router has 10.254.254.x, but should it also have network statements for 10.0.x.0? I mean, it should learn about those via the neighbors.
--
semper idem
1KTzRMxN1a2ATrtAAvbmEnMBoY3E2kHtyv


aryoba
Premium,MVM
join:2002-08-22
kudos:4

Perhaps I should clarify the concept of OSPF summarization before going further. OSPF summarization is used as network simplification when some networks are introduced into an area, either as ABR or ASBR summarization. From your description, it looks like you are interested in ABR summarization, so I will describe that further.

ABR summarization only matters to areas that are outside of the originating networks. Here is an illustration. Say you have Areas 0, 1, and 2. You want to summarize networks that are sitting in Area 2. The summarization then matters only in Areas 0 and 1. There is no summarization within Area 2 itself.

Further, say you want to summarize the 10.254.254.x IP subnets into a 10.254.254.0/24 summary. This means that all IP subnets that fall into 10.254.254.x must be sitting in one area, say Area 2. Other areas such as Areas 0 and 1 can never have 10.254.254.x sitting in them. With that in mind, Areas 0 and 1 must consist of IP subnets other than 10.254.254.x, such as the 10.254.252.x and 10.254.253.x IP subnets.

You only want to summarize the 10.254.254.x IP subnet in Area 2 where there are multiple small subnets (smaller than /24, such as /30 and /29) that fall within the 10.254.254.x IP subnet. Once the summarization is in place, networks sitting in Areas 0 and 1 will see all of those small 10.254.254.x/30 and /29 subnets as a single 10.254.254.0/24 subnet.

From a different perspective, I usually like to dedicate 172.16.0.0/12 for end hosts such as PCs, printers, and servers, while dedicating 10.0.0.0/8 for network stuff such as Loopback interfaces, point-to-point interfaces, and router IDs. From an OSPF perspective, I dedicate, say, 172.16.0.0/16 for Area 1, 172.17.0.0/16 for Area 2, and 172.18.0.0/16 for Area 3, while, say, I keep 10.0.0.0/24 for Router IDs, 10.0.1.0/24 for Loopback interfaces, and 10.0.2.0/24 for point-to-point interfaces. To summarize, I set 172.x.0.0/16 on the relevant ABR. As to the 10.x.x.x network, I do not summarize point-to-point 10.x.x.x networks between an ABR and a non-ABR router; so only those of the Loopback interfaces are part of the ABR summarization.



DarkLogix
Texan and Proud
Premium
join:2008-10-23
Baytown, TX
kudos:3

Sounds like summarizing the network statements wouldn't be useful to me.

It was mostly a thought of trying to make the config smaller, remove unneeded lines, and condense it.

And I don't think my home net is large enough to have more areas.
--
semper idem
1KTzRMxN1a2ATrtAAvbmEnMBoY3E2kHtyv



tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ
kudos:1
reply to aryoba

said by aryoba:

while dedicating 10.0.0.0/8 for network stuff such as Loopback interfaces, point-to-point interfaces, and router IDs.

Why waste routable space on the router ID? While it's nice to have your loopback and RID correlate, you could just as easily do 0.0.0.1 for your RID. You could do "site.device" or "region.site.device" and not work within the construct of IP address space.

q.
--
"...if I in my north room dance naked, grotesquely before my mirror waving my shirt round my head and singing softly to myself..."

aryoba
Premium,MVM
join:2002-08-22
kudos:4

In my experience, network gear usually needs private subnet assignment more than end hosts do. As an illustration, end hosts (i.e. PCs, servers, printers) at some point will end up using Internet-routable IP subnets even in a private network (not publicly accessible from the Internet), while network gear does not need to.

As to Router ID assignment, I definitely can use random 4-tuple numbers outside the traditional IPv4 range. In some companies, I think the reason for using an actual/valid IPv4 address as the Router ID is that we network engineers are used to looking at IP addresses rather than some random numbers.


aryoba
Premium,MVM
join:2002-08-22
kudos:4
reply to DarkLogix

said by DarkLogix:

Sounds like summarizing the network statements wouldn't be useful to me.

It was mostly a thought of trying to make the config smaller, remove unneeded lines, and condense it.

And I don't think my home net is large enough to have more areas.

If you are trying to build a home lab, then there is no such thing as "my home net is not large enough to have more areas". I believe a home lab should be designed as close as possible to the real network designs out there in the field, which contain lots of IP addresses and perhaps OSPF areas. The idea is to get used to the mindset of network engineers and architects in regard to OSPF design.

My 2c

markysharkey
Premium
join:2012-12-20
united kingd

Agreed. Across my 5 routers I have labbed with each one as a different area and also added in some EIGRP/OSPF redistribution for good measure. Then there's the whole virtual-links fun to have. And don't forget that on some IOS versions, sho ip ospf route is a hidden command!
--
Binary is as easy as 01 10 11



DarkLogix
Texan and Proud
Premium
join:2008-10-23
Baytown, TX
kudos:3
reply to aryoba

Well, my aim is to imagine my home lab as if it were one site of a large network,

with 10.254.254.x/24 through 10.255.255.x/24 reserved for point-to-point IP links,

and with the setup of 10.x.y.z where x=site code, y=VLAN, z=host.

If you imagine it's just one of many sites, then would you make each site an area and then maybe the site-to-site links another area?

Then likely use the 172 private range for site-to-site (obviously that doesn't exist at this time), so then I could say the 172 range would be one area and all non-local 10 ranges can be reached via the 172 area.

So with the imagination that there are other sites, how would you do what I've done?

Though if I can't get a good price for my 3745 then I might see if I can put my 3745 in our DRC and actually have a remote site. (Yeah right, I doubt that would get approved.)
--
semper idem
1KTzRMxN1a2ATrtAAvbmEnMBoY3E2kHtyv



tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ
kudos:1
reply to aryoba

Sounds like you need to hire new engineers.

;-P

q.



DarkLogix
Texan and Proud
Premium
join:2008-10-23
Baytown, TX
kudos:3

said by tubbynet:

Sounds like you need to hire new engineers.

;-P

q.

You replying to me or aryoba?
--
semper idem
1KTzRMxN1a2ATrtAAvbmEnMBoY3E2kHtyv

aryoba
Premium,MVM
join:2002-08-22
kudos:4
reply to DarkLogix

said by DarkLogix:

Well, my aim is to imagine my home lab as if it were one site of a large network,

with 10.254.254.x/24 through 10.255.255.x/24 reserved for point-to-point IP links,

and with the setup of 10.x.y.z where x=site code, y=VLAN, z=host.

I have worked in an environment like that where the manager liked to dedicate the third and fourth octets to something such as the VLAN ID or anything else that came to his mind. In a small environment where the whole RFC 1918 IP address range is sufficient, it may work well to some extent. In a larger environment where you are forced to use Internet-routable (non-RFC 1918) IP addresses in private networks (not publicly accessible from the Internet), or you have to re-use IP addresses in some VRF-based environment, such a mindset will not be applicable anymore.


tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ
kudos:1

reply to DarkLogix

said by DarkLogix:

You replying to me or aryoba?




You tell me.

q.


DarkLogix
Texan and Proud
Premium
join:2008-10-23
Baytown, TX
kudos:3

said by tubbynet:

said by DarkLogix:

You replying to me or aryoba?



You tell me.

q.

Well, I think aryoba, but sometimes people mis-reply so I wasn't sure.
--
semper idem
1KTzRMxN1a2ATrtAAvbmEnMBoY3E2kHtyv

aryoba
Premium,MVM
join:2002-08-22
kudos:4
reply to DarkLogix

said by DarkLogix:

Well, my aim is to imagine my home lab as if it were one site of a large network.

If you imagine it's just one of many sites, then would you make each site an area and then maybe the site-to-site links another area?

Depending on the comfort level of the network architect, you can stay with a multiple-area OSPF design or prepare to embrace BGP in addition to running OSPF as the IGP. For those who like to stay in OSPF where each site has its own area, I have seen the site-to-site links get an additional ABR to incorporate the point-to-point links, to keep the OSPF design simple.

I personally would go with BGP in such a case, since you limit your options when you insist on keeping one area for each site.


DarkLogix
Texan and Proud
Premium
join:2008-10-23
Baytown, TX
kudos:3

reply to aryoba

If you're using non-RFC 1918 (i.e. real public IPs), then why would you make them non-internet-reachable? Sounds like a waste of public IPs.

I'd stick with 10.x.y.z and keep public IPs on the edge, then use 172 for site-to-site and 192 for special use.

Then layer an IPv6 /48 over it, as such:
2001:470:b801:XXYY::/64

And of course reserve some space for point-to-point and special links.
(Speaking of which, I think I might redo my 10.254.254.x to 10.255.255.x so it'll line up better with how I'm going to redo my IPv6 (255=FF).)
--
semper idem
1KTzRMxN1a2ATrtAAvbmEnMBoY3E2kHtyv


aryoba
Premium,MVM
join:2002-08-22
kudos:4
reply to tubbynet

said by tubbynet:

Sounds like you need to hire new engineers.

;-P

q.

I do need people to do my work so I can relax and enjoy life.

aryoba
Premium,MVM
join:2002-08-22
kudos:4
reply to DarkLogix

said by DarkLogix:

If you're using non-RFC 1918 (i.e. real public IPs), then why would you make them non-internet-reachable? Sounds like a waste of public IPs.

A large environment usually consists of multiple "independent" entities which, from a network perspective, are seen as different companies. Where each entity is seen as its own company, each entity has its own use of RFC 1918 IP addresses, which may overlap or contradict another entity's policy. All of the entities, however, still prefer to have the same global IT support across the entire company. With that in mind, it is considered normal practice to have non-RFC 1918 IP addresses assigned to end hosts such as PCs, servers, and printers.


TomS_
Git-r-done
Premium,MVM
join:2002-07-19
London, UK
kudos:5
reply to DarkLogix

said by DarkLogix:

If you're using non-RFC 1918 (i.e. real public IPs)

Private, non-publicly-routeable address space isn't just limited to RFC 1918. In theory, one way or another, the following subnets are all available for private network use:

10.0.0.0/8 Private-Use (RFC1918)
100.64.0.0/10 Shared Address Space (RFC6598)
169.254.0.0/16 Link Local (RFC3927)
172.16.0.0/12 Private-Use (RFC1918)
192.0.2.0/24 Documentation (TEST-NET-1) (RFC5737)
192.168.0.0/16 Private-Use (RFC1918)
198.18.0.0/15 Benchmarking (RFC2544)
198.51.100.0/24 Documentation (TEST-NET-2) (RFC5737)
203.0.113.0/24 Documentation (TEST-NET-3) (RFC5737)

Suffice to say, they will all route. With the possible exception of 169.254.0.0/16, you could be reasonably assured that none of these addresses will (should) ever exist in your routing table unless you've configured them somewhere.

Source: »www.iana.org/assignments/iana-ip···ry.xhtml
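A quick audit against that list, as an added example that is not from the post: it flags routes that sit inside one of these special-use blocks, or that are short enough to swallow one, except for blocks you have deliberately planned for. The routing-table prefixes fed to it below are constructed for the demo.

```python
import ipaddress

# The blocks listed in the post above, with the RFC that reserves each.
SPECIAL_RANGES = {
    "10.0.0.0/8": "Private-Use (RFC1918)",
    "100.64.0.0/10": "Shared Address Space (RFC6598)",
    "169.254.0.0/16": "Link Local (RFC3927)",
    "172.16.0.0/12": "Private-Use (RFC1918)",
    "192.0.2.0/24": "Documentation TEST-NET-1 (RFC5737)",
    "192.168.0.0/16": "Private-Use (RFC1918)",
    "198.18.0.0/15": "Benchmarking (RFC2544)",
    "198.51.100.0/24": "Documentation TEST-NET-2 (RFC5737)",
    "203.0.113.0/24": "Documentation TEST-NET-3 (RFC5737)",
}
_SPECIAL = [(ipaddress.ip_network(k), v) for k, v in SPECIAL_RANGES.items()]

def classify(prefix):
    """Relate one route prefix to the special-use blocks.

    Returns (relation, block, label): 'inside' when the route sits within a
    block, 'covers' when the route is a shorter prefix that swallows one
    (e.g. a 100.0.0.0/8 would carry 100.64.0.0/10 traffic), else
    ('none', None, None). A default route covers everything, so it is skipped.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    if net.prefixlen == 0:
        return "none", None, None
    for block, label in _SPECIAL:
        if net.subnet_of(block):
            return "inside", str(block), label
        if block.subnet_of(net):
            return "covers", str(block), label
    return "none", None, None

def audit_routes(prefixes, expected=()):
    """Return (prefix, relation, block, label) for routes in special-use
    space that are not inside one of the blocks you deliberately use."""
    expected_nets = [ipaddress.ip_network(e) for e in expected]
    findings = []
    for p in prefixes:
        net = ipaddress.ip_network(p, strict=False)
        if any(net.subnet_of(e) for e in expected_nets):
            continue
        relation, block, label = classify(p)
        if relation != "none":
            findings.append((p, relation, block, label))
    return findings

if __name__ == "__main__":
    # Constructed routing table: the thread's 10.x plan plus a few strays.
    table = ["0.0.0.0/0", "10.0.3.0/24", "10.254.254.8/30", "172.16.5.0/24",
             "100.64.1.0/24", "198.18.0.0/15", "203.0.113.0/24", "100.0.0.0/8"]
    for finding in audit_routes(table, expected=["10.0.0.0/8", "172.16.0.0/12"]):
        print(finding)
```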


DarkLogix
Texan and Proud
Premium
join:2008-10-23
Baytown, TX
kudos:3

Arrg, I'm starting to consider redoing my IP setup again.

For some reason I'm debating the use of the zero subnet on VLAN 1.
I think I'd be happier with it being 10.0.<vlan number>.x,
then swap in 10.0.0.x for the special links (i.e. what I have 10.255.255.x for atm). Arrg, why can't we have a VLAN 0? (Oh wait, I bet if that frame header is 0 it's untagged, right?)
--
semper idem
1KTzRMxN1a2ATrtAAvbmEnMBoY3E2kHtyv



TomS_
Git-r-done
Premium,MVM
join:2002-07-19
London, UK
kudos:5

Not necessarily.

The native VLAN is untagged; usually that's VLAN 1, but it can be any number within the VLAN ID range.

But why tie subnetting to VLAN numbers?



DarkLogix
Texan and Proud
Premium
join:2008-10-23
Baytown, TX
kudos:3

For good organization.

Well, the native would be untagged and could be any number 1-4096 (or is it 4095).
So in the frame header would 0=untagged=native, or is 0=1?



DarkLogix
Texan and Proud
Premium
join:2008-10-23
Baytown, TX
kudos:3

OK, just went to refresh and found this:

»en.wikipedia.org/wiki/IEEE_802.1Q

So a VID of 0 is special and shows no VLAN membership, and VLAN 4095 is also reserved, so it's 4094 usable-ish (got those pesky FDDI and token ring ones).
--
semper idem
1KTzRMxN1a2ATrtAAvbmEnMBoY3E2kHtyv



TomS_
Git-r-done
Premium,MVM
join:2002-07-19
London, UK
kudos:5

Yeah, 1-4094. Those FDDI and token ring VLANs are a Cisco-specific legacy thing. I wish they would die as well.

The VLAN ID is stored in 12 bits, which gives a range of 0-4095, but with 0 and 4095 off limits that leaves you with 1-4094.

An untagged frame doesn't contain a VLAN header with 0 in it; it just doesn't have a VLAN header. So a tagged frame will be 4 bytes longer than an untagged one.

After a quick read around it seems that VLAN 0 can be considered untagged as well, but strictly speaking it's still tagged IMO. :-P

A tagged frame also has a different EtherType. 0x8100 indicates an Ethernet frame with a VLAN header; anything else represents an Ethernet frame with X payload type.

»en.wikipedia.org/wiki/EtherType

So a device receiving a frame with EtherType 0x8100 then needs to remove the VLAN header to get to the original EtherType, which will identify the type of payload. Armed with the info from the VLAN header it can then keep the frame within the boundaries of where it is allowed to go.

Then there's Q-in-Q with an entirely different EtherType again, but we'll leave that for another time.
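The tag-peeling logic described in this post, as an added example in Python that is not from the post: it walks the EtherType chain (0x8100, plus 0x88A8 for the outer Q-in-Q tag), extracts PCP and VID from the TCI, and reports a VID of 0 separately as a priority-tagged frame rather than lumping it in with untagged ones. The sample frames are constructed by build_frame, with locally administered placeholder MACs.

```python
import struct

ETH_VLAN = 0x8100   # 802.1Q customer tag (C-TAG)
ETH_QINQ = 0x88A8   # 802.1ad service tag (S-TAG): the outer tag in Q-in-Q

def parse_frame(frame):
    """Peel the VLAN tag stack off a raw Ethernet frame.

    Returns the MACs, the tags found (outermost first, each as
    (tpid, pcp, vid)), the payload EtherType left after the tags, the
    header length, and a classification: 'untagged', 'priority' (a tag is
    present but its VID is 0, so it carries only the PCP), 'tagged' or
    'qinq'.
    """
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[0:6], frame[6:12]
    offset = 12
    tags = []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("frame ends inside the header")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in (ETH_VLAN, ETH_QINQ):
            break                       # reached the real payload EtherType
        if offset + 4 > len(frame):
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append((ethertype, tci >> 13, tci & 0x0FFF))  # PCP: top 3 bits, VID: low 12
        offset += 4                     # every tag adds 4 bytes (TPID + TCI)
    if not tags:
        kind = "untagged"
    elif tags[0][0] == ETH_QINQ or len(tags) > 1:
        kind = "qinq"
    elif tags[0][2] == 0:
        kind = "priority"
    else:
        kind = "tagged"
    return {"dst": dst.hex(":"), "src": src.hex(":"), "tags": tags,
            "ethertype": ethertype, "header_len": offset + 2, "kind": kind}

def build_frame(tags, ethertype=0x0800):
    """Constructed sample frame: placeholder MACs, the given tags, 8 zero payload bytes."""
    hdr = bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
    for tpid, pcp, vid in tags:
        hdr += struct.pack("!HH", tpid, (pcp << 13) | (vid & 0x0FFF))
    return hdr + struct.pack("!H", ethertype) + bytes(8)

if __name__ == "__main__":
    for tags in ([], [(ETH_VLAN, 0, 250)], [(ETH_VLAN, 5, 0)],
                 [(ETH_QINQ, 0, 100), (ETH_VLAN, 0, 250)]):
        f = parse_frame(build_frame(tags))
        print(f["kind"], f["tags"], hex(f["ethertype"]), f["header_len"])
```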



DarkLogix
Texan and Proud
Premium
join:2008-10-23
Baytown, TX
kudos:3

Yeah, it's just been a while since I thought about the frame composition.

Though when watching a review video the other week I was getting ticked when the person said "tagged packet" and never talked about the different transmission units for layers 2 and 3.

So based on how a given switch deals with VID=0, 0 and the native could end up being the same, or would most gear just drop 0-tagged? Sounds like an attack vector.
--
semper idem
1KTzRMxN1a2ATrtAAvbmEnMBoY3E2kHtyv



TomS_
Git-r-done
Premium,MVM
join:2002-07-19
London, UK
kudos:5

I think it's best never to use the native VLAN anyway. As an untagged VLAN you can't really control where its frames go like you can with tagged VLAN IDs.

And if VLAN ID 0 is treated as an untagged frame, I don't really see how it's any more of an attack vector than sending in traditionally untagged frames.