Archive
RPF on the 7750
Burak recently asked for a post on RPF loose and strict modes and how they behave on the 7750. I have quit my job, so I have been frantically trying to get things finished and handed over and haven’t had time to really test anything for my own amusement. As I will be finishing up tomorrow and won’t have access to any 7750 lab kit, this is a quick, thrown-together post.
We will use a simple network of four routers. All routers have all interfaces in OSPF area 0 with the same cost of 10 on each link. OSPF preference (the IOS equivalent is AD) on the 7750 is 10. We configure a static route on r1-rack3 pointing 1.2.3.4/32 towards r2-rack3; static routes default to preference 5, so it beats the OSPF route for the same prefix. r1-rack3 is at 10.9.254.28.
So what does the topology look like from r1-rack3’s perspective?
and what does r5-rack15 think?
r5-rack15 is going to send traffic on the direct path to r1-rack3 but r1-rack3 thinks 1.2.3.4 should be reachable via r2-rack3. Let’s enable RPF on the interface and see what happens (ignore the IntraAS in the name, it’s from another test).
I have now enabled loose mode RPF. Traffic should pass here, because loose mode only requires that a route to the packet’s source address exists in the routing table, regardless of which interface that route points out. First clear the statistics (you need the urpf-stats keyword to clear the RPF counters, or they won’t clear down).
Now we send a ping from r5-rack15 sourced from 1.2.3.4/32.
As we can see the pings are successful. r1-rack3’s active route for 1.2.3.4/32 exits a different interface from the one the packets arrived on, but loose mode only asks whether a route to the source exists, not whether it matches the ingress interface.
Happy days, our check fail stats have not increased. Now let’s enable strict mode and see it all fall apart. Strict mode means the packet MUST arrive on the interface the router would use to forward traffic back to the packet’s source address: the active route for the source has to resolve to the ingress interface.
Now when we ping from r5-rack15 to r1-rack3, again sourced from 1.2.3.4, we should see no responses to our packets.
In fact debug router ip icmp doesn’t even show the failed attempts; the packets are dropped before ICMP ever sees them.
Look at that, beautiful. OK, so it’s not a very elegant way of showing how it works, but it does. I haven’t found a debug for RPF fails, or anything beyond show router interface statistics, to display any further RPF information. If you know of any, stick it in the comments and I’ll add it.
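The loose-versus-strict behaviour above is easy to reason about once you write the check down against the route table. The block below is an added example, not code from the post or from SR OS: it models r1-rack3’s routing table as described (1.2.3.4/32 learnt from r5 via OSPF at preference 10, and a static route at preference 5 for the same prefix pointing towards r2) and applies both uRPF modes to a packet sourced from 1.2.3.4 arriving on the r5-facing interface. The interface names (to-r2, to-r5), the extra prefixes, the ECMP handling (ingress may match any equal-cost next hop) and the allow_default switch are constructed assumptions for illustration; whether a default route satisfies a loose check is platform-specific, so the example makes it a parameter rather than a fixed answer.

```python
"""Loose vs strict uRPF against a small route table (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    egress: frozenset       # interfaces the route resolves to (several => ECMP)
    preference: int         # lower wins on a prefix-length tie (SR OS: static 5, OSPF 10)
    proto: str


def route(prefix, egress, preference, proto):
    return Route(ipaddress.ip_network(prefix), frozenset(egress), preference, proto)


def active_route(rib, src):
    """Longest-prefix match; on equal length the lowest preference is active."""
    addr = ipaddress.ip_address(src)
    matches = [r for r in rib if addr in r.prefix]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.prefix.prefixlen, r.preference))


def urpf_check(rib, src, ingress, mode, allow_default=False):
    """Apply loose or strict uRPF to a packet from `src` received on `ingress`.

    Returns (accepted, reason).  allow_default is an assumption knob: some
    platforms let a default route satisfy loose mode, others do not.
    """
    best = active_route(rib, src)
    if best is None:
        return False, f"no route to source {src}"
    if best.prefix.prefixlen == 0 and not allow_default:
        return False, f"only a default route covers {src}"
    if mode == "loose":
        # Loose: a route to the source exists; which interface it exits is irrelevant.
        return True, f"{src} reachable via {best.proto} {best.prefix}"
    if mode == "strict":
        # Strict: the active route back to the source must exit the ingress
        # interface (with ECMP, any of the equal-cost next hops counts).
        if ingress in best.egress:
            return True, f"{src} is routed back out {ingress}"
        return False, (f"active {best.proto} route {best.prefix} exits "
                       f"{sorted(best.egress)}, packet arrived on {ingress}")
    raise ValueError(f"unknown uRPF mode {mode!r}")


# Constructed RIB for r1-rack3.  Both 1.2.3.4/32 routes are present; the static
# one is active because preference 5 beats OSPF's 10.
R1_RIB = [
    route("1.2.3.4/32", ["to-r2"], 5, "static"),
    route("1.2.3.4/32", ["to-r5"], 10, "ospf"),
    route("10.9.254.0/24", ["to-r2"], 10, "ospf"),
    route("10.0.0.0/8", ["to-r2", "to-r5"], 10, "ospf"),   # ECMP pair (assumed)
    route("0.0.0.0/0", ["to-r2"], 5, "static"),
]

if __name__ == "__main__":
    # Packet from 1.2.3.4 arrives on the r5-facing interface, as in the post.
    for mode in ("loose", "strict"):
        print(mode, urpf_check(R1_RIB, "1.2.3.4", "to-r5", mode))
```

Running it prints loose accepting and strict rejecting the packet, for exactly the reason the statistics on r1-rack3 showed: the active route for the source is the static one towards r2, so strict mode wants the packet on to-r2, not to-r5.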
Configuring Basic OSPF in SROS
This post will cover setting up OSPF as your IGP, IS-IS will be covered separately.
First off we need to enable OSPF. Make sure you have your system interface configured before this point, or your RID will be derived from the chassis base MAC and will look like a public IP.
A:r2# show router interface "system" | match /32
2.2.2.2/32 n/a
If you forget, or need to change the RID later, you need to do config router ospf shut followed by config router ospf no shut. There is no equivalent of the IOS clear ip ospf process command.
Once we have confirmed the system address is in place we can go ahead and enable OSPF, so let’s do that.
The router will use the system address as the RID, but we will statically configure one anyway. We will also make the router an ASBR. This is quite important: simply redistributing prefixes into OSPF with an export policy does not send any prefixes into OSPF unless the asbr command is in place, the source of many an early-days headache. We will also enable traffic-engineering extensions so we can run MPLS TE; we will need that later.
BTW, configuring a context for the first time changes the prompt to $, but as I have already enabled OSPF and am just retyping the commands the prompt appears as #.
*A:r2# configure router ospf
*A:r2>config>router>ospf# router-id 2.2.2.2
*A:r2>config>router>ospf# traffic-engineering
*A:r2>config>router>ospf# asbr
*A:r2>config>router>ospf#
At this point OSPF will be up, which you can verify with show router ospf status. If you failed to set your system interface address you will see your funny RID in here.
*A:r2>config>router>ospf# show router ospf status
OSPF Cfg Router Id : 2.2.2.2
OSPF Oper Router Id : 2.2.2.2
OSPF Version : 2
OSPF Admin Status : Enabled
OSPF Oper Status : Enabled
Graceful Restart : Enabled
GR Helper Mode : Enabled
Preference : 10
External Preference : 150
Backbone Router : True
Area Border Router : False
AS Border Router : True
Opaque LSA Support : True
Traffic Engineering Support : True
Now we want to configure some interfaces into the process, and we will start by creating area 0.0.0.0. This is where your system interface should go, unless the router sits entirely in a stub area and is not an ABR. The system interface is broadcast type by default and passive, so setting it to point-to-point and passive here is purely to demonstrate the commands.
*A:r2>config>router>ospf# area 0
*A:r2>config>router>ospf>area# interface "system"
*A:r2>config>router>ospf>area>if# interface-type point-to-point
*A:r2>config>router>ospf>area>if# passive
*A:r2>config>router>ospf>area>if#
Now let’s configure an interface into area 0 and give it some meaningful configuration: a link cost/metric, BFD (bfd-enable binds OSPF to the BFD parameters on the router interface), and MD5 authentication using the password mypassword.
*A:r2>config>router>ospf>area# interface "tor3"
*A:r2>config>router>ospf>area>if# interface-type point-to-point
*A:r2>config>router>ospf>area>if# metric 1001
*A:r2>config>router>ospf>area>if# bfd-enable
*A:r2>config>router>ospf>area>if# message-digest-key 1 md5 mypassword
*A:r2>config>router>ospf>area>if# authentication-type message-digest
Next we will configure a stub area, area 5, and put the link to r5 in it.
*A:r2>config>router>ospf# area 5
*A:r2>config>router>ospf>area# stub
*A:r2>config>router>ospf>area>stub# exit
*A:r2>config>router>ospf>area# interface "tor5"
*A:r2>config>router>ospf>area>if# interface-type point-to-point
*A:r2>config>router>ospf>area>if# metric 10101
*A:r2>config>router>ospf>area>if# bfd-enable
*A:r2>config>router>ospf>area>if# message-digest-key 1 md5 mypassword
*A:r2>config>router>ospf>area>if# authentication-type message-digest
To create a Totally Stubby Area we add the no summaries option under the stub configuration.
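The authentication-type message-digest and message-digest-key commands above put OSPFv2 cryptographic authentication (AuType 2, RFC 2328 Appendix D) on the wire: the checksum field is zeroed, the 8-byte authentication field carries a key ID, a digest length of 16 and a cryptographic sequence number, and a 16-byte MD5 digest of the packet concatenated with the key is appended after the packet (not counted in the OSPF length field). The block below is an added example, not code from the post or from SR OS, that builds and verifies such a packet so you can see what the neighbour actually checks: digest, key ID and a non-decreasing sequence number. It assumes, as common implementations do, that a password shorter than 16 bytes is zero-padded; the Hello body, router ID and sequence numbers are constructed for the example.

```python
"""OSPFv2 MD5 authentication trailer (RFC 2328 Appendix D), added example."""
import hashlib
import hmac
import struct

# version, type, length, router id, area id, checksum, autype,
# then the 8-byte auth field: reserved(2), key id(1), auth data len(1), seq(4)
OSPF_HDR = struct.Struct("!BBHIIHHHBBI")   # 24 bytes
AUTYPE_CRYPTO = 2
DIGEST_LEN = 16


def _key16(key: bytes) -> bytes:
    # Assumption: short passwords are zero-padded to the 16-byte key size.
    if len(key) > 16:
        raise ValueError("OSPFv2 MD5 keys are at most 16 bytes")
    return key.ljust(16, b"\x00")


def sign_packet(ptype, rid, area, body, key_id, seq, key):
    """Build an OSPFv2 packet with a cryptographic authentication trailer."""
    length = OSPF_HDR.size + len(body)       # digest is NOT counted in length
    hdr = OSPF_HDR.pack(2, ptype, length, rid, area,
                        0,                   # checksum is 0 when AuType=2
                        AUTYPE_CRYPTO, 0, key_id, DIGEST_LEN, seq)
    pkt = hdr + body
    digest = hashlib.md5(pkt + _key16(key)).digest()
    return pkt + digest


def verify_packet(packet, keys, last_seq):
    """Return (accepted, reason, new_last_seq).

    keys maps key id -> key bytes; last_seq is the highest sequence number
    already accepted from this neighbour (replay protection is only ordering).
    """
    if len(packet) < OSPF_HDR.size:
        return False, "truncated header", last_seq
    (ver, _ptype, length, _rid, _area, _csum, autype,
     _res, key_id, auth_len, seq) = OSPF_HDR.unpack_from(packet)
    if ver != 2 or autype != AUTYPE_CRYPTO or auth_len != DIGEST_LEN:
        return False, "not OSPFv2 cryptographic authentication", last_seq
    if len(packet) != length + DIGEST_LEN:
        return False, "length/digest mismatch", last_seq
    key = keys.get(key_id)
    if key is None:
        return False, f"unknown key id {key_id}", last_seq
    expected = hashlib.md5(packet[:length] + _key16(key)).digest()
    if not hmac.compare_digest(expected, packet[length:]):
        return False, "bad digest (wrong key or modified packet)", last_seq
    if seq < last_seq:
        return False, "sequence number went backwards (replay?)", last_seq
    return True, "ok", seq


# Constructed Hello body: netmask, hello interval, options, priority,
# dead interval, DR, BDR, no neighbours listed.
HELLO_BODY = struct.pack("!IHBBIII", 0xFFFFFFFC, 10, 0x02, 1, 40, 0, 0)
KEYS = {1: b"mypassword"}      # matches `message-digest-key 1 md5 mypassword`


def demo():
    """Exercise the checks a receiver performs; returns accept/reject per case."""
    rid, area = 0x02020202, 0              # 2.2.2.2 in area 0.0.0.0
    good = sign_packet(1, rid, area, HELLO_BODY, 1, 1000, KEYS[1])
    tampered = bytearray(good)
    tampered[OSPF_HDR.size + 5] ^= 0x01    # flip a bit inside the Hello body
    bad_id = sign_packet(1, rid, area, HELLO_BODY, 7, 1000, b"other")
    return {
        "good": verify_packet(good, KEYS, last_seq=999)[0],
        "tampered": verify_packet(bytes(tampered), KEYS, 999)[0],
        "wrong_key": verify_packet(good, {1: b"wrongpass"}, 999)[0],
        "replay": verify_packet(good, KEYS, last_seq=1001)[0],
        "unknown_key_id": verify_packet(bad_id, KEYS, 999)[0],
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:15s} accepted={accepted}")
```

Two things worth noticing. The digest is a keyed MD5 over packet plus key, not an HMAC, and it provides authentication and integrity only: every field of the Hello is still readable on the wire. And the sequence number check is non-decreasing rather than strictly increasing, so it stops stale replays but not a packet replayed within the same sequence value; that is the protection level the protocol gives you, not a bug in the configuration.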
MTU obviously plays an important part in OSPF, and every network engineer has been boggled by it at some stage in their career (stuck in ExStart, anyone?). To set it under an interface it is simply mtu #, where # is the value you want to apply. The maximum you can set is 9198, on my routers anyway.
A couple of miscellaneous commands now. If you wish to stop advertising the subnet route for a point-to-point interface (it is then advertised as a host route instead) you configure no advertise-subnet, if that floats your boat. Finally on the basics: if you are running broadcast interfaces with DR/BDR election and type 2 network LSAs for some reason (not a fan, it’s just messy), you can bias the DR election with the priority # command; a higher value is preferred and 0 makes the router ineligible.
Some useful show commands. We have show router ospf status, which we saw earlier, and the neighbour table:
*A:r2# show router ospf neighbor
===============================================================================
OSPF Neighbors
===============================================================================
Interface-Name Rtr Id State Pri RetxQ TTL
Area-Id
-------------------------------------------------------------------------------
tor5 5.5.5.5 Full 1 0 35
0.0.0.0
tor4 4.4.4.4 Full 1 0 33
0.0.0.0
tor3_b 3.3.3.3 Full 1 0 34
0.0.0.0
-------------------------------------------------------------------------------
No. of Neighbors: 3
(Yep, I didn’t actually configure area 5 for tor5 🙂 I’m running some tests at the moment so can’t be messing with that!)
show router ospf interface shows you which interfaces you have OSPF running on, the DR/BDR, the area and the interface type. Unlike show ip ospf interface brief in IOS it doesn’t give you the interface cost. For that you need the detail option, which can be for all interfaces or a single one if you specify it:
*A:r2# show router ospf interface "tor4" detail | match "Oper Metric"
Oper Metric : 100 Bfd Enabled : Yes
show router ospf database, or show router ospf opaque-database for the TED, gives you access to the OSPF database, strange huh!? You can use the usual qualifiers to get into more detail on the LSA contents:
*A:r2# show router ospf database
- database [type {router|network|summary|asbr-summary|external|nssa|all}] [area ] [adv-router ]
[] [detail]
I’m not going to show the output of these commands because it takes up too much space for a post.
So let’s assume I have repeated this on the 5 routers in the network. We should now have full reachability.
*A:r2# show router route-table
Route Table (Router: Base)
Dest Prefix[Flags] Type Proto Age Pref
Next Hop[Interface Name] Metric
-------------------------------------------------------------------------------
10.0.0.0/8 Remote OSPF 06d19h45m 150
24.24.24.4 1
1.1.1.1/32 Remote OSPF 01d17h10m 10
24.24.24.4 300
2.2.2.2/32 Local Local 31d18h16m 0
system 0
3.3.3.3/32 Remote OSPF 01d17h10m 10
24.24.24.4 200
4.4.4.4/32 Remote OSPF 06d19h45m 10
24.24.24.4 100
5.5.5.5/32 Remote OSPF 01d17h40m 10
25.25.25.5 100
13.13.13.0/24 Remote OSPF 01d17h10m 10
24.24.24.4 300
23.23.23.0/24 Local Local 01d18h11m 0
tor3 0
24.24.24.0/24 Local Local 06d19h45m 0
tor4 0
25.25.25.0/24 Local Local 01d19h55m 0
tor5 0
32.32.32.0/24 Local Local 01d17h51m 0
tor3_b 0
34.34.34.0/24 Remote OSPF 01d17h10m 10
24.24.24.4 200
35.35.35.0/24 Remote OSPF 01d17h10m 10
25.25.25.5 200
And we do…
*A:r2# ping 3.3.3.3
PING 3.3.3.3 56 data bytes
64 bytes from 3.3.3.3: icmp_seq=1 ttl=63 time=5.44ms.
64 bytes from 3.3.3.3: icmp_seq=2 ttl=63 time=3.17ms.
^C
ping aborted by user
---- 3.3.3.3 PING Statistics ----
2 packets transmitted, 2 packets received, 0.00% packet loss
round-trip min = 3.17ms, avg = 4.30ms, max = 5.44ms, stddev = 1.13ms
*A:r2# ping 4.4.4.4
PING 4.4.4.4 56 data bytes
64 bytes from 4.4.4.4: icmp_seq=1 ttl=64 time=8.86ms.
64 bytes from 4.4.4.4: icmp_seq=2 ttl=64 time=3.33ms.
^C
ping aborted by user
---- 4.4.4.4 PING Statistics ----
2 packets transmitted, 2 packets received, 0.00% packet loss
round-trip min = 3.33ms, avg = 6.10ms, max = 8.86ms, stddev = 2.76ms
*A:r2# ping 1.1.1.1
PING 1.1.1.1 56 data bytes
64 bytes from 1.1.1.1: icmp_seq=1 ttl=62 time=42.3ms.
64 bytes from 1.1.1.1: icmp_seq=2 ttl=62 time=3.43ms.
^C
ping aborted by user
---- 1.1.1.1 PING Statistics ----
2 packets transmitted, 2 packets received, 0.00% packet loss
round-trip min = 3.43ms, avg = 22.9ms, max = 42.3ms, stddev = 19.5ms
*A:r2# ping 5.5.5.5
PING 5.5.5.5 56 data bytes
64 bytes from 5.5.5.5: icmp_seq=1 ttl=64 time=4.92ms.
64 bytes from 5.5.5.5: icmp_seq=2 ttl=64 time=3.06ms.
^C
ping aborted by user
---- 5.5.5.5 PING Statistics ----
2 packets transmitted, 2 packets received, 0.00% packet loss
round-trip min = 3.06ms, avg = 3.99ms, max = 4.92ms, stddev = 0.926ms
Next up is enabling LDP which is pretty straightforward. TTFN