OSPF LSA's

-

 *There are more LSA's than what I will cover but for most of us we will only deal with 6 of the LSA's.





The nature of a Link State Routing Protocol is that each router has a full "map" of the network (within an area). In order for each router to have a full map of the network it needs to know about every other routers links and the states of those links and if there are any other OSPF neighbors on those links. This is the purpose of the Type 1 LSA - The Router LSA. The mechanism by which OSPF accomplishes this is by flooding. Type 1 LSA's are flooded to all routers within the area they were originated.


Router#show ip ospf database router

            OSPF Router with ID (0.0.0.2) (Process ID 100)

Router Link States (Area 0)

  LS age: 397

  Options: (No TOS-capability, DC)

  LS Type: Router Links

  Link State ID: 0.0.0.1

  Advertising Router: 0.0.0.1

  LS Seq Number: 80000005

  Checksum: 0x85C8

  Length: 48

  Number of Links: 2

    Link connected to: a Stub Network

     (Link ID) Network/subnet number: 1.1.1.1

     (Link Data) Network Mask: 255.255.255.255

      Number of MTID metrics: 0

       TOS 0 Metrics: 1

    Link connected to: a Transit Network

     (Link ID) Designated Router address: 192.168.245.1

     (Link Data) Router Interface address: 192.168.245.1

      Number of MTID metrics: 0

       TOS 0 Metrics: 10

*The rest of the output omitted

As you can see, there is a lot of information given inside the Link State Database (LSDB). For the Router LSA, this particular LSA shows that it is from another router with router-id 0.0.0.1 and it has 2 links (or interfaces) it's telling me about. This information tells us what networks or prefixes are local to that router. I'll address the second link (Transit Network) in the next LSA. The first link describes its link as a "Stub Network". This is because the default behavior of OSPF for Loopback Interfaces is set like this. 

The Type 2 LSA - The Network LSA's purpose is to allow a pseudo-node (or DR) to represent the multi-access network and all the attached routers. Just like the router LSA, the network LSA is also flooded to all routers within the originating area. As you can see in the example above (Green highlighted section), we have a single type 2 LSA that was generated from our OSPF neighbor. This LSA mostly used for multi-access networks, when you have more than two routers on the same network segment. By default, on ethernet links, the network type is broadcast. This causes the router to generate a type 2 LSA for its transit link to its neighbor even though there are only two routers on this segment. Since there is no need for a DR/BDR on links with only two routers, you can change this default behavior by going to the interface and entering:

Router#(config-if)ip ospf network point-to-point  

 *this is not the only network type that will not generate a type 2 LSA.

The first two LSA's we addressed are considered "intra-area LSA's", which means that they are confined to a single area. So, what happens if we have a bigger topology and need multiple areas? There comes in the Type 3 LSA - The Network Summary LSA. The network LSA serves a very specific purpose. In OSPF every router within an area MUST have an identical LSDB. This is not true for routers that live outside of that area. Therefore, topology information is lost because you have routers that don't have an identical database to the backbone area. Remember that when a router is configured for OSPF it will advertise its links with Type 1 & 2 LSA's. These LSA's are only flooded within an area. This is why we need a Type 3 LSA, so that the prefixes from the backbone area are advertised to non-backbone areas and vice versa. These routes will show up in the routing table as O IA routes or inter-area routes.

O IA     10.10.10.0 [110/20] via 192.168.245.2, 01:34:43, GigabitEthernet0/0

Router#sh ip ospf database summary 

            OSPF Router with ID (0.0.0.2) (Process ID 100)

Summary Net Link States (Area 0)

  LS age: 283

  Options: (No TOS-capability, DC, Upward)

  LS Type: Summary Links(Network)

  Link State ID: 10.10.10.0 (summary Network Number)

  Advertising Router: 0.0.0.2

  LS Seq Number: 80000001

  Checksum: 0x789A

  Length: 28

  Network Mask: /24

MTID: 0 Metric: 10 

Summary Net Link States (Area 2)

  LS age: 283

  Options: (No TOS-capability, DC, Upward)

  LS Type: Summary Links(Network)

  Link State ID: 1.1.1.1 (summary Network Number)

  Advertising Router: 0.0.0.2

  LS Seq Number: 80000001

  Checksum: 0xBD6E

  Length: 28

  Network Mask: /32

MTID: 0 Metric: 11 

As you can see, I've added a third router and second area (area 2). Now that there are two areas, the router that sits between both areas (and has links in both areas) becomes the Area Border Router (ABR). Because there are two areas, this ABR will generate Type 3 LSA's for the prefixes in area 0 to inform the router in area 2 how to reach those networks. The ABR will also generate Type 3 LSA's for the prefixes in area 2 to inform the routers in area 0 how to reach those prefixes. Type 3 LSA's are the first "inter-area" LSA's which means that these are the only ones so far that traverse beyond the area boundary. 

The next LSA is the Type 4 LSA - The ASBR Summary LSA. Recall that an Autonomous System Boundary Router (ASBR) is a router that "injects" or "imports" routes from another routing domain. You can think about it as if you were redistributing routes from another protocol like BGP or EIGRP into OSPF. The ASBR summary LSA is basically the same as the type 3 LSA. The exception is that instead of advertising a destination network, the Type 4 LSA advertises the ASBR address. It identifies the address of the ASBR Router and thus how to reach the external routes. In our topology, I redistributed connected on the vIOS router in order to generate both Type 4 and Type 5 LSA's. 

Router#show ip ospf database asbr-summary 

            OSPF Router with ID (0.0.0.2) (Process ID 100)

Summary ASB Link States (Area 0)

  LS age: 267

  Options: (No TOS-capability, DC, Upward)

  LS Type: Summary Links(AS Boundary Router)

  Link State ID: 2.2.2.3 (AS Boundary Router address)

  Advertising Router: 0.0.0.2

  LS Seq Number: 80000001

  Checksum: 0x6DB9

  Length: 28

  Network Mask: /0

MTID: 0 Metric: 10 


The next LSA is the Type 5 LSA : The Autonomous System External LSA. These LSA's are originated by the ASBR and they advertise destinations that are external to the OSPF autonomous system. Notice also that the Type 5 LSA's do NOT belong to any particular area, they are flooded throughout the entire autonomous system. These routes will show up in the routing table as E2 routes. 

O E2     3.3.3.3 [110/20] via 10.10.10.2, 00:27:04, GigabitEthernet0/2

Router#show ip ospf database external 

            OSPF Router with ID (0.0.0.2) (Process ID 100)

Type-5 AS External Link States

  LS age: 75

  Options: (No TOS-capability, DC, Upward)

  LS Type: AS External Link

  Link State ID: 3.3.3.3 (External Network Number)

  Advertising Router: 2.2.2.3

  LS Seq Number: 80000001

  Checksum: 0x1B70

  Length: 36

  Network Mask: /32

Metric Type: 2 (Larger than any link state path)

MTID: 0 

Metric: 20 

Forward Address: 0.0.0.0

External Route Tag: 0

The last LSA is the Type 7 LSA - The NSSA External LSA. Type 7 LSA are generated by ASBR's within the not-so-stubby area (NSSA) types. The Type 7 LSA is almost identical to the Type 5 LSA except that the Type 7 LSA's are only flooded within the area and don't cross area boundaries like type 5 LSA's. You can use the command show ip ospf database nssa-external to view the LSA in the OSPF database.











Comments

Post a Comment

Popular posts from this blog

AWS Identity and Access Management(IAM)

-
Image
 IAM   With the cloud becoming more and more prevalent, how do we secure who can access cloud resources and which resources can speak to each other. This very important problem is solved with AWS Identity and Access Management(IAM) resource.  IAM enables you to control who can access your AWS environment, what actions they can perform, and which resources they can interact with. It allows you to set fine-grained permissions and policies to meet your security and compliance requirements. So what are the parts that make up Identity and Access Management(IAM) ? - User groups - Users - Roles - Policies - Identity Provider Lets go into more detail about each resource that makes up IAM. User groups are groups you can define to logically group users together that perform similar functions in job. This is kind of like having different groups for different job roles. Users are just the manually configured users created for use on the management console. This is where you define all the diffe
Read more

AWS Virtual Private Clouds(VPCs)

-
Image
   In the spirit of my last blog on cloud computing, we will discuss VPC's in this blog.  What are VPC's ? Before I answer this question I need to explain this picture and the terms used. In AWS(and other cloud providers) we have several things that make up the global cloud infrastructure. Those things are Regions, Availability Zones, and Edge Locations(not pictured). A region is a geographical area around the world that consist of multiple availability zones. An availability zone can be thought of as multiple discrete data centers that have separate power, cooling, networking, and housed in separate buildings. Edge locations are places where CloudFront caches your content to provide ultra-low latency delivery of your content. According to AWS they currently have 32 regions, 102 availability zones, and more than 550 PoP's(points of presence). These things together make it possible to create global resources in minutes that serve millions of customers.  A VPC or Virtual Pri
Read more

IPSec VPN - Fundamentals

-
A VPN, or Virtual Private Network, is a way to establish a tunnel between two endpoints, like two routers or two endpoints. VPN’s are used to provide a way of secure communication over an unsecure medium. A simple example would be secure communication between two branch offices over the unsecure internet. This is important because we need secure communication so that people can’t eavesdrop and steal important company information. Oftentimes, people misunderstand VPN's and think just because "private" is in the name that it's secure. This is not always the case, especially in the service provider world where there are different types of VPN's that do not provide any sort of encryption. IPSec VPN's do however provide encryption and other features. There are several different types of VPN’s that can be deployed. The most common ones are Site-To-Site and Remote Access, although there are many more and depending on the use case, the most common could be differe
Read more