Solved: OSPF totally NSSA and route redistribution

nicovpp10 · ‎09-22-2015

Hi,

I am trying ton convert a standard working OSPF area into a totally NSSA area but I do have problem with route metric.

I do not know if it is a design limit (or a bad design from myself..)

Thanks !

Here is the network diagram :

OSPF STANDARD AREA

Using GNS3 & C3725

R1# (ABR)

interface FastEthernet0/0

ip address 10.40.24.1 255.255.255.0

duplex auto

speed auto

no shut

!

interface FastEthernet0/1

ip address 10.25.2.2 255.255.255.0

duplex auto

speed auto

no shut

!

router ospf 252

router-id 0.0.252.2

log-adjacency-changes

auto-cost reference-bandwidth 10000

network 10.25.2.0 0.0.0.255 area 0

network 10.40.24.0 0.0.0.255 area 324

R8# (ABR)

interface FastEthernet0/0

ip address 10.30.24.1 255.255.255.0

duplex auto

speed auto

no shut

!

interface FastEthernet0/1

ip address 10.25.2.1 255.255.255.0

duplex auto

speed auto

no shut

!

router ospf 252

router-id 0.0.252.1

log-adjacency-changes

auto-cost reference-bandwidth 10000

network 10.25.2.0 0.0.0.255 area 0

network 10.30.24.0 0.0.0.255 area 324

R2# (ASBR with redistribute static)

interface FastEthernet0/0

ip address 10.40.24.29 255.255.255.0

ip ospf priority 0

duplex auto

speed auto

no shut

!

interface FastEthernet0/1

ip address 10.30.24.29 255.255.255.0

ip ospf priority 0

duplex auto

speed auto

no shut

!

interface FastEthernet1/0

ip address 10.10.10.1 255.255.255.0

duplex auto

speed auto

no shut

!

router ospf 10

router-id 0.3.24.29

log-adjacency-changes

auto-cost reference-bandwidth 10000

redistribute static metric-type 1 subnets

network 10.30.24.0 0.0.0.255 area 324

network 10.40.24.0 0.0.0.255 area 324

!

ip route 71.71.71.0 255.255.255.0 10.10.10.2

R3# (ASBR with redistribute static)

interface FastEthernet0/0

ip address 10.40.24.39 255.255.255.0

ip ospf priority 0

duplex auto

speed auto

no shut

!

interface FastEthernet0/1

ip address 10.30.24.39 255.255.255.0

ip ospf priority 0

duplex auto

speed auto

no shut

!

interface FastEthernet1/0

ip address 10.20.10.1 255.255.255.0

duplex auto

speed auto

no shut

!

router ospf 10

router-id 0.3.24.39

log-adjacency-changes

auto-cost reference-bandwidth 10000

redistribute static metric-type 1 subnets

network 10.30.24.0 0.0.0.255 area 324

network 10.40.24.0 0.0.0.255 area 324

!

ip route 72.72.72.0 255.255.255.0 10.20.10.2

From R1 & R8, routes are OK

R1#sh ip route ospf

71.0.0.0/24 is subnetted, 1 subnets

O E1 71.71.71.0 [110/1020] via 10.40.24.29, 00:10:40, FastEthernet0/0

10.0.0.0/24 is subnetted, 3 subnets

O 10.30.24.0 [110/2000] via 10.40.24.39, 00:10:50, FastEthernet0/0

[110/2000] via 10.40.24.29, 00:10:50, FastEthernet0/0

72.0.0.0/24 is subnetted, 1 subnets

O E1 72.72.72.0 [110/1020] via 10.40.24.39, 00:10:40, FastEthernet0/0

R8#sh ip route ospf

71.0.0.0/24 is subnetted, 1 subnets

O E1 71.71.71.0 [110/1020] via 10.30.24.29, 00:11:19, FastEthernet0/0

10.0.0.0/24 is subnetted, 3 subnets

O 10.40.24.0 [110/2000] via 10.30.24.39, 00:11:19, FastEthernet0/0

[110/2000] via 10.30.24.29, 00:11:19, FastEthernet0/0

72.0.0.0/24 is subnetted, 1 subnets

O E1 72.72.72.0 [110/1020] via 10.30.24.39, 00:11:19, FastEthernet0/0

OSPF TOTALLY NSSA AREA

Add following config :

R1 & R8#

router ospf 252

area 324 nssa no-summary

R2 & R3#

router ospf 10

area 324 nssa

From R1 & R8, routes are E1 instead of N1, duplicate / NOK / wrong metric

R8#sh ip route ospf

71.0.0.0/24 is subnetted, 1 subnets

O E1 71.71.71.0 [110/2020] via 10.30.24.39, 00:00:31, FastEthernet0/0

[110/2020] via 10.30.24.29, 00:00:31, FastEthernet0/0

10.0.0.0/24 is subnetted, 3 subnets

O 10.40.24.0 [110/2000] via 10.30.24.39, 00:00:31, FastEthernet0/0

[110/2000] via 10.30.24.29, 00:00:31, FastEthernet0/0

72.0.0.0/24 is subnetted, 1 subnets

O E1 72.72.72.0 [110/2020] via 10.30.24.39, 00:00:31, FastEthernet0/0

[110/2020] via 10.30.24.29, 00:00:31, FastEthernet0/0

R1#sh ip route ospf

71.0.0.0/24 is subnetted, 1 subnets

O N1 71.71.71.0 [110/1020] via 10.40.24.29, 00:00:16, FastEthernet0/0

10.0.0.0/24 is subnetted, 3 subnets

O 10.30.24.0 [110/2000] via 10.40.24.39, 00:00:16, FastEthernet0/0

[110/2000] via 10.40.24.29, 00:00:16, FastEthernet0/0

72.0.0.0/24 is subnetted, 1 subnets

O N1 72.72.72.0 [110/1020] via 10.40.24.39, 00:00:16, FastEthernet0/0

Rolf Fischer · ‎09-23-2015

Hi,

as far as I know, the OSPFv2 implementation in IOS still follows the preference rules defined in (obsolete) RFC 1587:

When a type-5 LSA and a type-7 LSA are found to have the same type and an equal distance,
the following priorities apply (listed from highest to lowest) for breaking the tie.

a. Any type 5 LSA.
b. A type-7 LSA with the P-bit set and the forwarding address non-zero.
c. Any other type-7 LSA.

That's why R8 installs the E1 route instead of the N1.

But that doesn't mean that traffic for this destination is forwarded to the originator of that E1 route (R1), as the exit-interfaces of the E1 route demonstrate (Fa0/0 => R2/R3 NSSA).

The path (and the metric) is calculated by evaluating the path to the forwarding address of the external LSA.

As far as I see, the corresponding IP interfaces of the next hops for the static routes are not OSPF enabled, so the ASBRs have to chose the IP of another OSPF enabled interface as forwarding address (FA). You can check the FA with 'show ip ospf database [nssa-]external'. Then, a 'show ip route <forwarding-address>', will show you where the cost of the external routes come from. An interesting debug-command (for R8) is 'debug ip ospf spf external'.

Just paste the relevant output of the two show-commands if it's stil unclear; I guess it's easier to explain with a concrete example.

HTH

Rolf

View solution in original post

paul driver · ‎09-22-2015

Hello

When you changed to a NSSA no summary you are saying this area should maitain and and propergate LSA types 1,2,7 and a default route

This area shoult NOT maintain INTER-AREA routes but must have the ability to connect to them.which where the default route is injected.

Also the ABR will convert LSA type 7 (n) to type 5.(e), hence why you see E routes instead of N routes.

sh ip ospf database nssa-external | in Link State

sh ip ospf database external | in Link State

res

Paul

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

nicovpp10 · ‎09-23-2015

Hello Paul,

Thanks for your reply. I agree with you for the totally NSSA specifications.

R1 has :

- N1 routes

- Highest router ID (0.0.252.2 for R1 instead 0.0.252.1 for R8) => so responsible for translating lsa 7 (N1) in lsa 5 (E1) => sent it back to R8

What I still do not understand (all interfaces have a cost of 1000)

E1 and N1 are both External Type-1 routes, so R8 should have :

- N1 routes in its routing table (lowest metric 1020)

- E1 routes in database only (highest metric 2020)

Also, based on the previous network diagram :
- If I stop R1, routing tables on R8 are still wrong (clear ip ospf process made on all routers) :

R8#sh ip route ospf
     71.0.0.0/24 is subnetted, 1 subnets
O N1    71.71.71.0 [110/2020] via 10.30.24.39, 00:00:40, FastEthernet0/0
                   [110/2020] via 10.30.24.29, 00:00:40, FastEthernet0/0
     10.0.0.0/24 is subnetted, 3 subnets
O       10.40.24.0 [110/2000] via 10.30.24.39, 00:00:40, FastEthernet0/0
                   [110/2000] via 10.30.24.29, 00:00:40, FastEthernet0/0
     72.0.0.0/24 is subnetted, 1 subnets
O N1    72.72.72.0 [110/2020] via 10.30.24.39, 00:00:40, FastEthernet0/0
                   [110/2020] via 10.30.24.29, 00:00:40, FastEthernet0/0

- If I make a "full mesh" topology (connect R8 on SW1 with subnet 10.40.24.0/24 & R1 on SW3 with subnet 10.30.24.0/24) routing tables are OK.

=> Looks like there are specific topology requirements for totally NSSA areas but I wasn't able to find some documentation on this

Rolf Fischer · ‎09-23-2015

Hi,

as far as I know, the OSPFv2 implementation in IOS still follows the preference rules defined in (obsolete) RFC 1587:

When a type-5 LSA and a type-7 LSA are found to have the same type and an equal distance,
the following priorities apply (listed from highest to lowest) for breaking the tie.

a. Any type 5 LSA.
b. A type-7 LSA with the P-bit set and the forwarding address non-zero.
c. Any other type-7 LSA.

That's why R8 installs the E1 route instead of the N1.

But that doesn't mean that traffic for this destination is forwarded to the originator of that E1 route (R1), as the exit-interfaces of the E1 route demonstrate (Fa0/0 => R2/R3 NSSA).

The path (and the metric) is calculated by evaluating the path to the forwarding address of the external LSA.

As far as I see, the corresponding IP interfaces of the next hops for the static routes are not OSPF enabled, so the ASBRs have to chose the IP of another OSPF enabled interface as forwarding address (FA). You can check the FA with 'show ip ospf database [nssa-]external'. Then, a 'show ip route <forwarding-address>', will show you where the cost of the external routes come from. An interesting debug-command (for R8) is 'debug ip ospf spf external'.

Just paste the relevant output of the two show-commands if it's stil unclear; I guess it's easier to explain with a concrete example.

HTH

Rolf

Rolf Fischer · ‎09-23-2015

As far as I know, the OSPFv2 implementation in IOS still follows the
preference rules defined in (obsolete) RFC 1587.

After a quick research I found this:

In Cisco IOS Release 15.1(2)S and later releases, RFC 3101 replaces RFC 1587, 
and RFC 3101 behavior is automatically enabled. 
You can choose the route selection behavior by configuring a router
to run as RFC 3101 or RFC 1587 compatible.

R1#show ip ospf
 (...)
 Supports NSSA (compatible with RFC 3101)

With such a release both ABRs would install N1 routes.

However, the route to the FA is still evaluated to calculate the path. This is by the way not NSSA-specific, Type-5 LSAs are processed the same way. "Exception": When the FA is set to 0.0.0.0 (rather the rule than the exception), the path to the originating ASBR is evaluated instead.

Jon Marshall · ‎09-24-2015

Rolf

That would explain why I was seeing N1 routes on both ABRs when I did a quick lab for this.

As always thanks for my continuing education in OSPF :-)

Jon

Rolf Fischer · ‎09-24-2015

Good evening Jon,

believe it or not: I learned many new things about OSPF today too ;-)

Rolf

nicovpp10 · ‎09-24-2015

Hi Rolf,

Thanks for your reply, for sure that helps.

You are right, I have checked on R8, the FA to subnet 71.71.71.0/24 is 10.40.24.29 & 72.72.72.0/24 is 10.40.24.39

R8#sh ip ospf database external

OSPF Router with ID (0.0.252.1) (Process ID 252)

Type-5 AS External Link States

Routing Bit Set on this LSA
LS age: 1131
Options: (No TOS-capability, DC)
LS Type: AS External Link
Link State ID: 71.71.71.0 (External Network Number )
Advertising Router: 0.0.252.2
LS Seq Number: 80000003
Checksum: 0x845E
Length: 36
Network Mask: /24
        Metric Type: 1 (Comparable directly to link state metric)
        TOS: 0
        Metric: 20
        Forward Address: 10.40.24.29
        External Route Tag: 0

Routing Bit Set on this LSA
LS age: 1114
Options: (No TOS-capability, DC)
LS Type: AS External Link
Link State ID: 72.72.72.0 (External Network Number )
Advertising Router: 0.0.252.2
LS Seq Number: 80000003
Checksum: 0xECE8
Length: 36
Network Mask: /24
        Metric Type: 1 (Comparable directly to link state metric)
        TOS: 0
        Metric: 20
        Forward Address: 10.40.24.39
        External Route Tag: 0

R8#sh ip ospf database nssa-external

OSPF Router with ID (0.0.252.1) (Process ID 252)

Type-7 AS External Link States (Area 324)

LS age: 1140
Options: (No TOS-capability, Type 7/5 translation, DC)
LS Type: AS External Link
Link State ID: 71.71.71.0 (External Network Number )
Advertising Router: 0.3.24.29
LS Seq Number: 80000003
Checksum: 0x7728
Length: 36
Network Mask: /24
        Metric Type: 1 (Comparable directly to link state metric)
        TOS: 0
        Metric: 20
        Forward Address: 10.40.24.29
        External Route Tag: 0

LS age: 1123
Options: (No TOS-capability, Type 7/5 translation, DC)
LS Type: AS External Link
Link State ID: 72.72.72.0 (External Network Number )
Advertising Router: 0.3.24.39
LS Seq Number: 80000003
Checksum: 0xA3E4
Length: 36
Network Mask: /24
        Metric Type: 1 (Comparable directly to link state metric)
        TOS: 0
        Metric: 20
        Forward Address: 10.40.24.39
        External Route Tag: 0

And the route to network 10.40.24.0/24 is the following :

R8#sh ip route 10.40.24.29
Routing entry for 10.40.24.0/24
Known via "ospf 252", distance 110, metric 2000, type intra area
Last update from 10.30.24.39 on FastEthernet0/0, 00:19:35 ago
Routing Descriptor Blocks:
    10.30.24.39, from 0.0.252.2, 00:19:35 ago, via FastEthernet0/0
      Route metric is 2000, traffic share count is 1
* 10.30.24.29, from 0.0.252.2, 00:19:35 ago, via FastEthernet0/0
      Route metric is 2000, traffic share count is 1

Debug command is really long (I can paste if you think it's useful)

If have also tried to enable OSPF on interfaces where static routes are pointing / redistributed. After that routing tables are OK. The only problem is that I do not want to enable OSPF on these interfaces (in real network it represents fortigate firewalls which redistribute static routing to a blackhole interface... something useful for NAT purpose). I will check if there is an other way.

Thanks again

Nicolas

nicovpp10 · ‎09-24-2015

And I suppose that the non null forwarding address for the LSA is a NSSA / totally NSSA only behaviour (as documented here https://tools.ietf.org/html/rfc3101)

That is why it is working for a standard OSPF area but not a totally NSSA area ?

Rolf Fischer · ‎09-24-2015

Again, I wouldn't say it's not working.

It's just another way OPSF calculates the path for external prefixes - originally in order to avoid unnecessary extra-hops in multiaccess networks, in the case of NSSAs for reasons of path-optimization when more than one NSSABR exist (because only one of them translates Type-7 to Type-5).

nicovpp10 · ‎09-24-2015

Rolf,

Thanks again for all these informations and great explanations.

It is indeed working (not as I expected) but the more important is that I know why it happens like that.

Rolf Fischer · ‎09-24-2015

Nicolas,

thanks for the feedback.

I will check if there is an other way.

Well, like mentioned before, there is nothing wrong with you routing. NSSAs generally set the forwarding-address to a non-zero value and if a [nssa] external LSA contains such a non-zero FA, the path to that IP address is evaluated. So the costs are higher as they were in your previous setup (regular area 324), but this is just because the FA of the Type-5 LSAs were set to 0.0.0.0 in this case. The path for forwarding packets to the external networks is still the same.

Regarding the route types I did some testing with a 15.2(4)S IOS:

R8#show ip route ospf
      10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
O        10.40.24.0/24 [110/110] via 10.30.24.39, 00:00:16, FastEthernet1/0
      71.0.0.0/24 is subnetted, 1 subnets
O E1     71.71.71.0 [110/130] via 10.30.24.39, 00:00:16, FastEthernet1/0
      72.0.0.0/24 is subnetted, 1 subnets
O E1     72.72.72.0 [110/130] via 10.30.24.39, 00:00:15, FastEthernet1/0

R8#show ip ospf database external

            OSPF Router with ID (0.0.252.1) (Process ID 252)

                Type-5 AS External Link States

  Routing Bit Set on this LSA in topology Base with MTID 0
  LS age: 191
  Options: (No TOS-capability, DC, Upward)
  LS Type: AS External Link
  Link State ID: 71.71.71.0 (External Network Number )
  Advertising Router: 0.0.252.2
  LS Seq Number: 80000001
  Checksum: 0x885C
  Length: 36
  Network Mask: /24
        Metric Type: 1 (Comparable directly to link state metric)
        MTID: 0
        Metric: 20
        Forward Address: 10.40.24.29
        External Route Tag: 0

  Routing Bit Set on this LSA in topology Base with MTID 0
  LS age: 48
  Options: (No TOS-capability, DC, Upward)
  LS Type: AS External Link
  Link State ID: 72.72.72.0 (External Network Number )
  Advertising Router: 0.0.252.2
  LS Seq Number: 80000001
  Checksum: 0xF0E6
  Length: 36
  Network Mask: /24
        Metric Type: 1 (Comparable directly to link state metric)
        MTID: 0
        Metric: 20
        Forward Address: 10.40.24.39
        External Route Tag: 0

R8#
R8#s ip route 10.40.24.39
Routing entry for 10.40.24.0/24
  Known via "ospf 252", distance 110, metric 110, type intra area
  Last update from 10.30.24.39 on FastEthernet1/0, 00:01:06 ago
  Routing Descriptor Blocks:
  * 10.30.24.39, from 0.0.252.2, 00:01:06 ago, via FastEthernet1/0
      Route metric is 110, traffic share count is 1



R8#s ip ospf | i RFC
 Supports NSSA (compatible with RFC 1587) ! Non-Default setting!



R8(config)#router ospf 252
R8(config-router)#no compatible rfc1587 ! Default for this recent IOS.

R8#show ip route ospf
      10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
O        10.40.24.0/24 [110/110] via 10.30.24.39, 00:04:51, FastEthernet1/0
      71.0.0.0/24 is subnetted, 1 subnets
O N1     71.71.71.0 [110/130] via 10.30.24.39, 00:01:54, FastEthernet1/0
      72.0.0.0/24 is subnetted, 1 subnets
O N1     72.72.72.0 [110/130] via 10.30.24.39, 00:01:54, FastEthernet1/0

R8#show ip ospf database nssa-external

            OSPF Router with ID (0.0.252.1) (Process ID 252)

                Type-7 AS External Link States (Area 324)

  Routing Bit Set on this LSA in topology Base with MTID 0
  LS age: 501
  Options: (No TOS-capability, Type 7/5 translation, DC, Upward)
  LS Type: AS External Link
  Link State ID: 71.71.71.0 (External Network Number )
  Advertising Router: 0.3.24.29
  LS Seq Number: 80000001
  Checksum: 0x7B26
  Length: 36
  Network Mask: /24
        Metric Type: 1 (Comparable directly to link state metric)
        MTID: 0
        Metric: 20
        Forward Address: 10.40.24.29
        External Route Tag: 0

  Routing Bit Set on this LSA in topology Base with MTID 0
  LS age: 320
  Options: (No TOS-capability, Type 7/5 translation, DC, Upward)
  LS Type: AS External Link
  Link State ID: 72.72.72.0 (External Network Number )
  Advertising Router: 0.3.24.39
  LS Seq Number: 80000001
  Checksum: 0xA7E2
  Length: 36
  Network Mask: /24
        Metric Type: 1 (Comparable directly to link state metric)
        MTID: 0
        Metric: 20
        Forward Address: 10.40.24.39
        External Route Tag: 0

R8#show ip route 10.40.24.39
Routing entry for 10.40.24.0/24
  Known via "ospf 252", distance 110, metric 110, type intra area
  Last update from 10.30.24.39 on FastEthernet1/0, 00:05:27 ago
  Routing Descriptor Blocks:
  * 10.30.24.39, from 0.0.252.2, 00:05:27 ago, via FastEthernet1/0
      Route metric is 110, traffic share count is 1

As you can see, the route type has changed, however, the calculated paths to the external networks are the same.

Rolf

nicovpp10 · ‎09-24-2015

Rolf,

Thanks for theses tests and your time.

In your setup, you have the following routes :

R8#show ip route ospf
      10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
O        10.40.24.0/24 [110/110] via 10.30.24.39, 00:00:16, FastEthernet1/0
      71.0.0.0/24 is subnetted, 1 subnets
O E1     71.71.71.0 [110/130] via 10.30.24.39, 00:00:16, FastEthernet1/0
      72.0.0.0/24 is subnetted, 1 subnets
O E1     72.72.72.0 [110/130] via 10.30.24.39, 00:00:15, FastEthernet1/0

The "problem" is that 71.71.71.0/24 next hop should be 10.30.24.29 (which make the static redistribution of this subnet) to be optimized (or maybe I missed something)

Nicolas

Rolf Fischer · ‎09-24-2015

The "problem" is that 71.71.71.0/24 next hop should be 10.30.24.29 (which make the static redistribution of this subnet) to be optimized (or maybe I missed something)

Don't mix up FA and next-hop. The FAs are different, but the result of the routing-table lookups for both FAs is the same in this case (as they belong to the same IP subnet and the lookup is recursive):

R8#show ip ospf database nssa-external | i Link State ID|Forward Address
  Link State ID: 71.71.71.0 (External Network Number )
        Forward Address: 10.40.24.29
  Link State ID: 72.72.72.0 (External Network Number )
        Forward Address: 10.40.24.39
R8#
R8#s ip route 10.40.24.29
Routing entry for 10.40.24.0/24
  Known via "ospf 252", distance 110, metric 110, type intra area
  Last update from 10.30.24.39 on FastEthernet1/0, 00:02:15 ago
  Routing Descriptor Blocks:
  * 10.30.24.39, from 0.0.252.2, 00:02:15 ago, via FastEthernet1/0
      Route metric is 110, traffic share count is 1
R8#show ip route  10.40.24.39
Routing entry for 10.40.24.0/24
  Known via "ospf 252", distance 110, metric 110, type intra area
  Last update from 10.30.24.39 on FastEthernet1/0, 00:02:23 ago
  Routing Descriptor Blocks:
  * 10.30.24.39, from 0.0.252.2, 00:02:23 ago, via FastEthernet1/0
      Route metric is 110, traffic share count is 1

paul driver · ‎09-24-2015

Hello

What I still do not understand (all interfaces have a cost of 1000)

E1 and N1 are both External Type-1 routes, so R8 should have :

- N1 routes in its routing table (lowest metric 1020)

- E1 routes in database only (highest metric 2020)

This is what i can see -
As far as I can see the N1 routes are on the ABR of area 324 which router R1 this is also the DR for the backbone area 0 ( between R1- R8)

So the N1 routes R1 receives is then advertiesed to R8 as a type 5 with an added cost of its physical interface.

When you stop R1 do you mean diasble all links?

res

Paul

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul