Scenario:
You are the senior network engineer for a company that runs the show “Two and a half Router”. To increase OSPF performance, your colleague has implemented an NSSA area and some prefix filters. Strangely enough, you now have problems with reachability. Let’s see what you can do about it.
Goal:
- All IP addresses have been preconfigured for you.
- Configure OSPF and use the correct areas. Ensure Area 1 is an NSSA.
- Configure RIP between router Charlie and Evelyn.
- Create a loopback0 interface on router Evelyn with IP address 1.1.1.1 /24 and advertise it in RIP.
- Redistribute between RIP and OSPF.
- Configure a prefix-list on router Jake which filters network 192.168.13.0 /24.
- Ensure you can still reach network 1.1.1.0 /24 from all routers without removing the prefix-list. You are only allowed to use OSPF commands.
IOS:
c3640-jk9s-mz.124-16.bin
Topology:
Written by René Molenaar - CCIE #41726
Hi Rene, can I get the answer/steps for this lab?
This one is a bit tricky, I don’t have time now to post the video/solution but I’ll help you a little here.
Once you have configured everything you’ll notice you have reachability issues. You can confirm why this is happening by using the show ip ospf database external command. Look for the advertising router and the forward address. This should tell you what is going wrong.
You can solve it by suppressing the forward address. It’s a little tricky where to find the command but look in the direction of the area nssa translate type7 command.
Good luck!
I think I have this, but I don’t have the routes.
1. For filtering I’ve configured a prefix list to deny 192.168.13.0/24, and then associated this with a distribute list in on my ospf process.
2. I’ve then checked both the route table and my OSPF DB, and I can still see I’m referencing the 13.3 router – so all good to this point, it won’t work, I’m happy.
3. I then apply the suppress forwarding on Jake – I can see that my advertising router is 13.1, which is Alan, and my forwarding address is 0.0.0.0, but I still have no route.
What am I missing? Give me a clue and not the answer – I want to figure this out.
Sorry, my suppress forwarding is on Alan not Jake, as I’ve stated above.
I think you need to apply the route-map to filter incoming updates not ‘out’ in the ospf process on Jake.
I still don’t understand.
This is my config from Jake. Once I apply the filter in the area, router Berta no longer sees the RIP network. Therefore Berta cannot ping 1.1.1.1.
hostname Jake
!
interface FastEthernet0/0
ip address 192.168.12.2 255.255.255.0
ip ospf 1 area 0
!
interface FastEthernet1/0
ip address 192.168.24.2 255.255.255.0
ip ospf 1 area 2
!
router ospf 1
area 0 filter-list prefix filter out
!
ip prefix-list filter seq 10 deny 192.168.13.0/24
ip prefix-list filter seq 20 permit 0.0.0.0/0 le 32
There’s a certain trick to this lab to finish it. I’m a little busy but I’ll try to record the solution asap.
Hi,
I have solved this lab by using the clue given by Rene. Configured the area 1 nssa translate type7 suppress-fa command on Alan after configuring the prefix list on Jake. It made the forwarding address 0.0.0.0 and then router Berta is able to ping 1.1.1.1.
Configured mutual redistribution between OSPF and RIP on Charlie and it worked out.
Hi, I was wondering if you did only the solution you have added, or you have added both yours and Anjelo’s solution, which is above yours. I tried only Ajelo’s solution by itself and it did work. I tried your solution by itself and yours failed. Pls advise. Cheers!
Thanks guys for your help.. I eventually had time to come back and do the lab again. This was a good lab… I don’t think it will be on the CCNP lab.
Hi Guys,
Good to hear you figured it out. I’ve been so busy that I didn’t have time to record the video yet. This one is way above CCNP level, it’s CCIE ;D
Rene
Please record the video
Hi,
I tried this topology and was successful, but I have some doubts.
1. When I make a filter list on Jake I can still see the route of 192.168.13.0 in the routing table of Jake and I can reach 1.1.1.1. My filter is mentioned below:
area 0 filter-list prefix filter in
ip prefix-list filter seq 10 deny 192.168.13.0/24
ip prefix-list filter seq 20 permit 0.0.0.0/0 le 32
I think the route should not be there……
2. When i enable suppress forward address on the Alan i see in the ospf external database that the forward address is changed to 0.0.0.0 but my question is why i suppress the forward address even i can reach 1.1.1.1
I can ping 1.1.1.1 while filtering 192.168.13.0/24 via this config:
On ALAN:
router ospf 1
log-adjacency-changes
area 1 nssa translate type7 suppress-fa
network 192.168.12.0 0.0.0.255 area 0
network 192.168.13.0 0.0.0.255 area 1
On Jake:
router ospf 1
log-adjacency-changes
network 192.168.12.0 0.0.0.255 area 0
network 192.168.24.0 0.0.0.255 area 2
distribute-list prefix 10 in
!
!
ip prefix-list 10 seq 15 deny 192.168.13.0/24
ip prefix-list 10 seq 20 permit 0.0.0.0/0 le 32
Hello all!
Good lab! From my understanding the filter-list on Jake should be applied "out" of area 0 – anything leaving area 0 and going into any other area, in this case there is only area 2 connected to Jake. The same should be achieved by a filter-list "in" on area 2.
As I understand, forward suppression on Alan, causes the "Forward Address" on the ospf database external to point to 0.0.0.0, which in turn means: when looking for the prefix 1.1.1.0/24 (external network) go to the advertising OSPF router, which is the ABR router translating Type7 LSAs into Type5 (namely Jake).
Agree with Dardoufa @The same should be achieved by a filter-list "in" on area 2.
This will have the effect of removing the 1.0.0.0/24 route on Berta.
The area nssa translate type7 command should make it reappear on Berta, which is the objective.
Keep up a good work man. These labs have been really helpful.
Hi Rene, please could you post the video solution to this lab. Ur labs are helping a lot. Thanks
Thanks Renee, great lab. It clarified some of the OSPF concepts that I "know", but did not really understand. For example, the rule that requires that the database has to be the same for all routers in an area. So in this example, you can’t filter this route inbound on area 0 on Jake. If you could, then Jake would have a different database than Alan. Instead, you have to filter outbound from area 0, or you could filter inbound to area 2.
Also, I noticed the following at the top of the "sh ip ospf database external 1.1.1.0" command before the routes were filtered, and 1.1.1.0 was in the routing table:
Routing Bit Set on this LSA
After filtering, but before suppressing FA, this was missing from the same command output, and the route was not in the table. Once FA was suppressed, the route was back in the table, and the "Routing Bit Set on this LSA" returned. So it looks like this output is telling us whether or not the LSA is actually being placed in the routing table.
Hey Rene,, great work.. nice lab..
Please advise if I can use these commands on Jake.
Jake#sh run
router ospf 1
log-adjacency-changes
area 0 filter-list prefix Block13 out
network 192.168.12.0 0.0.0.255 area 0
network 192.168.24.0 0.0.0.255 area 3
default-information originate always seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 68/84/116 ms
It is also an OSPF command so I guess you can use it. I tried it on my lab and it worked just fine without the area 1 nssa translate type7 suppress-fa
I couldn’t find the video for this lab sir.. please upload it.. thanks in advance
regards,
sanjeev
Hi Rene,
After configuring I am able to ping 1.1.1.1 from each router. I have just configured the alen and charlie routers in NSSA, and also redistributed RIP and OSPF into each other on router charlie.
I can see in alen’s routing table the networks 1.1.1.0 and 192.168.35.0 as LSA 7 (N2), and the same routes as E2 in the routing tables of jake and berta. I can’t find any issue regarding reachability. Help me if I am wrong in the configuration.
C 192.168.12.0/24 is directly connected, FastEthernet1/0
O N2 1.0.0.0/8 [110/20] via 192.168.13.3, 00:24:30, FastEthernet0/0
C 192.168.13.0/24 is directly connected, FastEthernet0/0
O IA 192.168.24.0/24 [110/2] via 192.168.12.2, 00:24:30, FastEthernet1/0
O N2 192.168.35.0/24 [110/20] via 192.168.13.3, 00:24:30, FastEthernet0/0
Alan#
………………………………
C 192.168.12.0/24 is directly connected, FastEthernet0/0
O E2 1.0.0.0/8 [110/20] via 192.168.12.1, 00:25:28, FastEthernet0/0
O IA 192.168.13.0/24 [110/2] via 192.168.12.1, 00:25:33, FastEthernet0/0
C 192.168.24.0/24 is directly connected, FastEthernet1/0
O E2 192.168.35.0/24 [110/20] via 192.168.12.1, 00:25:28, FastEthernet0/0
Jake#
……………………………………….
O IA 192.168.12.0/24 [110/2] via 192.168.24.2, 01:17:21, FastEthernet0/0
O E2 1.0.0.0/8 [110/20] via 192.168.24.2, 00:26:07, FastEthernet0/0
O IA 192.168.13.0/24 [110/3] via 192.168.24.2, 00:26:12, FastEthernet0/0
C 192.168.24.0/24 is directly connected, FastEthernet0/0
O E2 192.168.35.0/24 [110/20] via 192.168.24.2, 00:26:07, FastEthernet0/0
Berta#
………………………………………………………..
R 192.168.12.0/24 [120/5] via 192.168.35.3, 00:00:18, Serial0/0
1.0.0.0/24 is subnetted, 1 subnets
C 1.1.1.0 is directly connected, Loopback0
R 192.168.13.0/24 [120/5] via 192.168.35.3, 00:00:18, Serial0/0
R 192.168.24.0/24 [120/5] via 192.168.35.3, 00:00:18, Serial0/0
C 192.168.35.0/24 is directly connected, Serial0/0
Evelyn#
………………………………………………..
Gateway of last resort is not set
O IA 192.168.12.0/24 [110/2] via 192.168.13.1, 00:27:30, FastEthernet0/0
R 1.0.0.0/8 [120/1] via 192.168.35.5, 00:00:12, Serial1/0
C 192.168.13.0/24 is directly connected, FastEthernet0/0
O IA 192.168.24.0/24 [110/3] via 192.168.13.1, 00:27:30, FastEthernet0/0
C 192.168.35.0/24 is directly connected, Serial1/0
Charlie#
……………………………………………..
For this Lab keep in mind that:
"The distribute-list and distance commands do not affect link state packet propagation"
Here is what I have as the solution:
Router Alan#
interface FastEthernet0/0
ip address 192.168.13.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 192.168.12.1 255.255.255.0
duplex auto
speed auto
!
router ospf 1
log-adjacency-changes
 area 1 nssa translate type7 suppress-fa
network 192.168.12.0 0.0.0.255 area 0
network 192.168.13.0 0.0.0.255 area 1
!
=======================================================================
Router Jake#
interface FastEthernet0/0
ip address 192.168.12.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 192.168.24.2 255.255.255.0
duplex auto
speed auto
!
router ospf 1
log-adjacency-changes
network 192.168.12.0 0.0.0.255 area 0
network 192.168.24.0 0.0.0.255 area 2
distribute-list prefix DENY_192.168.13.0 in FastEthernet0/0
!
no ip http server
no ip http secure-server
!
ip forward-protocol nd
!
!
!
ip prefix-list DENY_192.168.13.0 seq 5 deny 192.168.13.0/24
ip prefix-list DENY_192.168.13.0 seq 10 permit 0.0.0.0/0 le 32
=========================================================================
Router Charlie#
interface FastEthernet0/0
ip address 192.168.13.3 255.255.255.0
duplex auto
speed auto
!
interface Serial1/0
ip address 192.168.35.3 255.255.255.0
serial restart-delay 0
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
router ospf 1
log-adjacency-changes
area 1 nssa
redistribute rip subnets
network 192.168.13.0 0.0.0.255 area 1
!
router rip
version 2
redistribute ospf 1 metric 2
network 192.168.35.0
no auto-summary
!
===================================================================
Router Evelyn#
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface Serial0/0
ip address 192.168.35.5 255.255.255.0
serial restart-delay 0
!
interface Serial0/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial0/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial0/3
no ip address
shutdown
serial restart-delay 0
!
router rip
version 2
network 1.0.0.0
network 192.168.35.0
no auto-summary
!
===================================================================
Router Berta#
interface FastEthernet0/0
ip address 192.168.24.4 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
no ip address
duplex auto
speed auto
!
router ospf 1
log-adjacency-changes
network 192.168.24.0 0.0.0.255 area 2
!
=================================================================
Here is the ip route table after the config:
Berta#sh ip route
Codes: C – connected, S – static, R – RIP, M – mobile, B – BGP
D – EIGRP, EX – EIGRP external, O – OSPF, IA – OSPF inter area
N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2
E1 – OSPF external type 1, E2 – OSPF external type 2
i – IS-IS, su – IS-IS summary, L1 – IS-IS level-1, L2 – IS-IS level-2
ia – IS-IS inter area, * – candidate default, U – per-user static route
o – ODR, P – periodic downloaded static route
Gateway of last resort is not set
O IA 192.168.12.0/24 [110/2] via 192.168.24.2, 00:35:09, FastEthernet0/0
1.0.0.0/24 is subnetted, 1 subnets
O E2 1.1.1.0 [110/20] via 192.168.24.2, 00:10:18, FastEthernet0/0
C 192.168.24.0/24 is directly connected, FastEthernet0/0
O E2 192.168.35.0/24 [110/20] via 192.168.24.2, 00:11:28, FastEthernet0/0
Berta#
Berta#
Berta#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 76/84/92 ms
Berta#
Awesome David Rogers Many Thanks to your solution !!!
Nice lab mate. Learnt something new. Cisco has an article explaining this feature here – http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/15-mt/iro-15-mt-book/iro-for-add-sup.html
All…you may find this link helpful for the inbound route filtering:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/15-mt/iro-15-mt-book/iro-inbound.html
Hi! Rene, please upload the video of this! Need it ;(
I knew how to solve this just from experience… but I could not tell you the “why”.
After doing this lab, I now understand the “why”… good stuff 🙂
Jake#sh run | se router ospf
router ospf 1
router-id 2.2.2.2
passive-interface default
no passive-interface FastEthernet0/0
no passive-interface FastEthernet0/1
network 192.168.12.2 0.0.0.0 area 0
network 192.168.24.2 0.0.0.0 area 2
Jake#sh ip ospf database external | i Adv|Link|Forward
Type-5 AS External Link States
LS Type: AS External Link
Link State ID: 1.1.1.0 (External Network Number )
Advertising Router: 11.11.11.11
Forward Address: 192.168.13.3
LS Type: AS External Link
Link State ID: 192.168.35.0 (External Network Number )
Advertising Router: 11.11.11.11
Forward Address: 192.168.13.3
Jake#sh ip cef 1.1.1.1
1.1.1.0/24
nexthop 192.168.12.1 FastEthernet0/0
Jake#sh ip cef 192.168.13.0/24
192.168.13.0/24
nexthop 192.168.12.1 FastEthernet0/0
Jake#debug ip routing
Jake(config)#router ospf 1
Jake(config-router)#distribute-list prefix FILTER in
Jake(config-router)#end
Jake(config-router)#distribute-list prefix FILTER in
Jake#
RT: delete route to 1.1.1.0/24
RT: delete route to 111.111.111.111/32
RT: delete route to 192.168.13.0/24
RT: delete route to 192.168.35.0/24
RT: updating ospf 111.111.111.111/32 (0x0):
via 192.168.12.1 Fa0/0 1048578
RT: add 111.111.111.111/32 via 192.168.12.1, ospf metric [110/2]
RT: rib validate nexthop return code: 3
Jake#sh ip ospf database external | i Adv|Link|Forward
Type-5 AS External Link States
LS Type: AS External Link
Link State ID: 1.1.1.0 (External Network Number )
Advertising Router: 11.11.11.11
Forward Address: 192.168.13.3
LS Type: AS External Link
Link State ID: 192.168.35.0 (External Network Number )
Advertising Router: 11.11.11.11
Forward Address: 192.168.13.3
Jake#sh ip cef 1.1.1.1
0.0.0.0/0
no route
Jake#sh ip cef 192.168.13.0/24
%Prefix not found
Alan#
Alan#conf t
Alan(config)#router ospf 1
Alan(config-router)#area 1 nssa translate type7 suppress-fa
Alan(config-router)#end
Alan#
Alan#
Jake#
Jake#
Jake#
RT: updating ospf 1.1.1.0/24 (0x0):
via 192.168.12.1 Fa0/0 1048578
RT: add 1.1.1.0/24 via 192.168.12.1, ospf metric [110/20]
RT: updating ospf 192.168.35.0/24 (0x0):
via 192.168.12.1 Fa0/0 1048578
RT: add 192.168.35.0/24 via 192.168.12.1, ospf metric [110/20]
Jake#
Jake#
Jake#
Jake#sh ip ospf database external | i Adv|Link|Forward
Type-5 AS External Link States
LS Type: AS External Link
Link State ID: 1.1.1.0 (External Network Number )
Advertising Router: 11.11.11.11
Forward Address: 0.0.0.0
LS Type: AS External Link
Link State ID: 192.168.35.0 (External Network Number )
Advertising Router: 11.11.11.11
Forward Address: 0.0.0.0
Jake#sh ip cef 1.1.1.1
1.1.1.0/24
nexthop 192.168.12.1 FastEthernet0/0
Jake#sh ip cef 192.168.13.0/24
%Prefix not found
This is the best explanation i ever saw!! Excellent!
Thanks bro…Explained it nicely!
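The forward-address behaviour visible in the session output above, modelled as an added example (not part of any post in this thread): it parses filtered "show ip ospf database external" output and applies the OSPF rule that a non-zero forward address must resolve through an intra-area or inter-area route that is actually in the routing table. The sample LSDB text is constructed in the shape shown in the thread; the function names and the asbrs parameter (router IDs assumed reachable inside area 0) are hypothetical.

```python
import ipaddress
import re

# Constructed sample shaped like the filtered "show ip ospf database external"
# output in the thread; the second string models the state after suppress-fa.
LSDB_FA_SET = """\
  Link State ID: 1.1.1.0 (External Network Number )
  Advertising Router: 11.11.11.11
  Forward Address: 192.168.13.3
  Link State ID: 192.168.35.0 (External Network Number )
  Advertising Router: 11.11.11.11
  Forward Address: 192.168.13.3
"""
LSDB_FA_SUPPRESSED = LSDB_FA_SET.replace("192.168.13.3", "0.0.0.0")

# ip prefix-list FILTER as (action, network, le); le=None means exact length.
FILTER = [("deny", "192.168.13.0/24", None), ("permit", "0.0.0.0/0", 32)]
# Jake's intra/inter-area candidates before filtering (from the routing tables above).
INTERNAL = ["192.168.12.0/24", "192.168.13.0/24", "192.168.24.0/24"]

def parse_external(text):
    """Return (link_state_id, advertising_router, forward_address) tuples."""
    lsas, cur = [], {}
    for line in text.splitlines():
        m = re.match(r"\s*(Link State ID|Advertising Router|Forward Address):\s*(\S+)", line)
        if m:
            cur[m.group(1)] = m.group(2)
            if m.group(1) == "Forward Address":
                lsas.append((cur["Link State ID"], cur["Advertising Router"], m.group(2)))
                cur = {}
    return lsas

def permits(entries, prefix):
    """First-match prefix-list evaluation with the implicit deny at the end."""
    net = ipaddress.ip_network(prefix)
    for action, match, le in entries:
        m = ipaddress.ip_network(match)
        max_len = le if le is not None else m.prefixlen
        if net.subnet_of(m) and m.prefixlen <= net.prefixlen <= max_len:
            return action == "permit"
    return False

def installed_externals(lsdb_text, entries, asbrs=("11.11.11.11",)):
    """Which external LSAs can be installed once the prefix-list is applied
    inbound? asbrs is an assumption: router IDs reachable inside area 0."""
    rib = [ipaddress.ip_network(p) for p in INTERNAL if permits(entries, p)]
    out = {}
    for lsid, adv, fa in parse_external(lsdb_text):
        if fa == "0.0.0.0":   # suppressed: resolve via the advertising router
            out[lsid] = adv in asbrs
        else:                 # non-zero FA must match an internal route in the table
            out[lsid] = any(ipaddress.ip_address(fa) in n for n in rib)
    return out
```

With FILTER applied, installed_externals(LSDB_FA_SET, FILTER) marks both externals unusable, and installed_externals(LSDB_FA_SUPPRESSED, FILTER) marks them usable again, matching the route deletions and re-adds in the debug output.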
I configured all the routers with the right configuration. I can ping 1.1.1.1 from Berta. However, I cannot ping from Berta to Charlie and vice versa. Can anyone please tell why. Thx
My successful solution is as follows
router ospf 1
router-id 2.2.2.2
log-adjacency-changes
network 1.1.1.0 0.0.0.255 area 0
network 192.168.12.0 0.0.0.255 area 0
network 192.168.24.0 0.0.0.255 area 2
distribute-list prefix FILTER in
!
!
ip prefix-list FILTER seq 5 deny 192.168.13.0/24
ip prefix-list FILTER seq 10 permit 0.0.0.0/0 le 32