Tuesday, November 20, 2018

OSPF multi-area link configuration

What is OSPF Multi-area feature?

Basically, as the name indicates, it makes one interface form multiple OSPF adjacencies, in different areas,
over a single link.

for example, consider the below topology:

As you can see, we need the link between R4 and R3 to work in the backbone area and in another two areas (Area 101 and Area 999).

Ok, how to configure this?
Well, simply go to interface level and use the command #ip ospf multi-area xx

where xx is the additional area number.
Ok, let's configure it:

R3:
interface Ethernet0/0
 ip address 43.0.0.3 255.255.255.0
 ip ospf network point-to-point
 ip ospf multi-area 999
 ip ospf multi-area 101
 ip ospf 1 area 0
 ip ospf cost 1
end

R4:
interface Ethernet0/0
 ip address 43.0.0.4 255.255.255.0
 ip ospf network point-to-point
 ip ospf multi-area 999
 ip ospf multi-area 101
 ip ospf 1 area 0
end

Note: ip ospf network point-to-point is a must; multi-area adjacencies are only supported on point-to-point interfaces.

Ok, how to verify whether this is working?
Well, the multi-area command creates a new unnumbered multi-area interface (OSPF_MAx) for each extra area, which can be seen using:

R3#show ip ospf inter br
Interface    PID   Area            IP Address/Mask    Cost  State Nbrs F/C
Lo0          1     0               3.3.3.3/32         1     LOOP  0/0
Et0/0        1     0               43.0.0.3/24        1     P2P   1/1
MA1          1     101             Unnumbered Et0/0   1     P2P   1/1
Et0/1        1     101             73.0.0.3/24        1     P2P   1/1
MA2          1     999             Unnumbered Et0/0   1     P2P   1/1

and also in the OSPF neighbor table:

R3#show ip os nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
4.4.4.4           0   FULL/  -        00:00:39    43.0.0.4        Ethernet0/0
4.4.4.4           0   FULL/  -        00:00:39    43.0.0.4        OSPF_MA1
7.7.7.7           0   FULL/  -        00:00:32    73.0.0.7        Ethernet0/1
4.4.4.4           0   FULL/  -        00:00:38    43.0.0.4        OSPF_MA2

and in the interface details:
#show ip ospf interface

OSPF_MA2 is up, line protocol is up
  Interface is unnumbered. Using address of Ethernet0/0 (43.0.0.3), Area 999, Attached via Multi-area
  Process ID 1, Router ID 3.3.3.3, Network Type POINT_TO_POINT, Cost: 1

OK, so why do we need this feature?

One of the reasons is that OSPF prefers routes learned within the area (O) over routes learned from another area (O IA), regardless of metric. For example, R2 will prefer the routes coming from R4 over the routes coming from R6 via the R3 border router, even if the metric via R6 is much better: OSPF will use the intra-area routes (O over O IA).

So what to do in this case?
Well, we can configure the OSPF multi-area command on the R4-R3 link to make it also work in Area 101;
in this case R2 will compare the metrics and choose the best one to reach R5's loopback.

Let's check the routing table:
R2#show ip route 5.5.5.5
Routing entry for 5.5.5.5/32
  Known via "ospf 1", distance 110, metric 20
  Tag 111111, type extern 2, forward metric 4
  Last update from 26.0.0.6 on Ethernet0/2, 00:19:39 ago
  Routing Descriptor Blocks:
  * 26.0.0.6, from 4.4.4.4, 00:19:39 ago, via Ethernet0/2
      Route metric is 20, traffic share count is 1
      Route tag 111111
R2#

A traceroute from R1:
R1#traceroute 5.5.5.5 num
Type escape sequence to abort.
Tracing the route to 5.5.5.5
VRF info: (vrf in name/id, vrf out name/id)
  1 12.0.0.2 0 msec 0 msec 1 msec
  2 26.0.0.6 1 msec 0 msec 0 msec  (R6)
  3 67.0.0.7 1 msec 1 msec 1 msec (R7)
  4 73.0.0.3 1 msec 1 msec 1 msec (R3)
  5 43.0.0.4 2 msec 1 msec 1 msec (R4)
  6 192.168.1.5 2 msec *  2 msec (R5)
R1#


 I hope this was useful!


Samer R. Saleem

Wednesday, November 14, 2018

OSPF MTU ignore feature

In this article we are going to check how the MTU can affect OSPF adjacency establishment.

First, let us list the conditions for two neighboring routers to become OSPF adjacent:

1. subnet mask (they have to be on the same network)
2. same area
3. authentication
4. MTU
5. hello time
6. stub flags (if one router in area X is stub, its neighbor in the same area must also be configured as stub)

Ok, so we have the MTU that has to match on both routers. I'm going to configure two routers with different MTUs in a
simple lab:

I'm going to configure one router to use the default MTU (1500), and change the other router to a 1400 MTU.

R2 Configs:
!
router ospf 1
 router-id 200.200.200.200
!
interface Ethernet0/0
 ip address 192.168.1.2 255.255.255.0
 ip mtu 1400
 ip ospf 1 area 0
end

R1 Configs:
!
router ospf 1
 router-id 100.100.100.100
!
interface Ethernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip mtu 1500
 ip ospf 1 area 0
end

========================================


Ok, the first thing you will notice is that you will not get a log message for the OSPF neighbor changing to FULL,
and if you use the command
#show ip ospf neighbor

you will see the process is stuck at the Exchange stage:
R2#
R2#show ip os nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
100.100.100.100   1   EXSTART/BDR     00:00:36    192.168.1.1     Ethernet0/0
R2#

Ok, so now let's see some debug output on R1:

#debug ip ospf adj
R1>
*Nov 14 06:04:37.604: OSPF-1 HELLO Et0/0: Send hello to 224.0.0.5 area 0 from 192.168.1.1
*Nov 14 06:04:38.184: OSPF-1 ADJ   Et0/0: Rcv DBD from 200.200.200.200 seq 0x2A2 opt 0x52 flag 0x7 len 32  mtu 1400 state EXCHANGE
*Nov 14 06:04:38.184: OSPF-1 ADJ   Et0/0: Nbr 200.200.200.200 has smaller interface MTU
*Nov 14 06:04:38.184: OSPF-1 ADJ   Et0/0: Send DBD to 200.200.200.200 seq 0x2A2 opt 0x52 flag 0x2 len 52
R1>

The output is very clear: we have a smaller MTU coming from R2.
Ok, so what are our options to solve this?
1. make both values equal (set both to 1500 or 1400)
2. ignore this value; ok, how?

Note: this must be done on both routers, at interface level:

#ip ospf mtu-ignore

Now let us see how the logs change on R1:
R1(config-if)#

*Nov 14 06:07:05.456: OSPF-1 ADJ   Et0/0: Rcv DBD from 200.200.200.200 seq 0x1E02 opt 0x52 flag 0x1 len 52  mtu 1400 state EXCHANGE
*Nov 14 06:07:05.456: OSPF-1 ADJ   Et0/0: Exchange Done with 200.200.200.200
*Nov 14 06:07:05.456: OSPF-1 ADJ   Et0/0: Send LS REQ to 200.200.200.200 length 36 LSA count 1
*Nov 14 06:07:05.456: OSPF-1 ADJ   Et0/0: Send DBD to 200.200.200.200 seq 0x1E02 opt 0x52 flag 0x0 len 32
*Nov 14 06:07:05.457: OSPF-1 ADJ   Et0/0: Rcv LS UPD from 200.200.200.200 length 76 LSA count 1
*Nov 14 06:07:05.457: OSPF-1 ADJ   Et0/0: Synchronized with 200.200.200.200, state FULL
*Nov 14 06:07:05.457: %OSPF-5-ADJCHG: Process 1, Nbr 200.200.200.200 on Ethernet0/0 from LOADING to FULL, Loading Done

R1#show ip os nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
200.200.200.200   1   FULL/DR         00:00:38    192.168.1.2     Ethernet0/0
R1#
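As an added example (not part of the original post), here is a small Python checker that reads "debug ip ospf adj" lines like the ones above, reports received DBDs whose MTU differs from the local interface MTU, and models the RFC 2328 acceptance rule that explains why R2 sits in EXSTART while R1 reaches EXCHANGE. The interface MTU table for R1 is constructed for the example.

```python
import re
from dataclasses import dataclass

# "Rcv DBD" lines from "debug ip ospf adj" carry the neighbor's advertised Interface MTU
# (the field the adjacency check compares) and the local neighbor state at that moment.
DBD_LINE = re.compile(
    r"OSPF-(?P<pid>\d+) ADJ\s+(?P<intf>\S+): Rcv DBD from (?P<nbr>\S+) .*?"
    r"\bmtu (?P<mtu>\d+) state (?P<state>\w+)"
)


@dataclass(frozen=True)
class MtuMismatch:
    process: int
    interface: str
    neighbor: str
    neighbor_mtu: int
    local_mtu: int
    state: str


def dbd_accepted(local_mtu: int, neighbor_mtu: int, mtu_ignore: bool = False) -> bool:
    """RFC 2328 section 10.6: a Database Description packet whose Interface MTU is larger
    than the receiving interface can accept without fragmentation is rejected, unless the
    check is disabled with 'ip ospf mtu-ignore'. That is why the 1400-byte side (R2) stays
    in EXSTART (it drops every DBD from R1) while the 1500-byte side (R1) reaches EXCHANGE."""
    return mtu_ignore or neighbor_mtu <= local_mtu


def find_mtu_mismatches(debug_lines, local_mtu_by_interface):
    """Report every received DBD whose MTU differs from the local interface MTU.
    Both directions are reported: the adjacency will not complete until the values
    match or mtu-ignore is configured."""
    findings = []
    for line in debug_lines:
        m = DBD_LINE.search(line)
        if m is None:
            continue
        local = local_mtu_by_interface.get(m["intf"])
        nbr_mtu = int(m["mtu"])
        if local is None or nbr_mtu == local:
            continue
        findings.append(MtuMismatch(int(m["pid"]), m["intf"], m["nbr"],
                                    nbr_mtu, local, m["state"]))
    return findings


# Sample input: the R1 debug lines quoted in the post, with a constructed MTU table for R1.
SAMPLE_DEBUG = [
    "*Nov 14 06:04:37.604: OSPF-1 HELLO Et0/0: Send hello to 224.0.0.5 area 0 from 192.168.1.1",
    "*Nov 14 06:04:38.184: OSPF-1 ADJ   Et0/0: Rcv DBD from 200.200.200.200 seq 0x2A2 opt 0x52 "
    "flag 0x7 len 32  mtu 1400 state EXCHANGE",
    "*Nov 14 06:04:38.184: OSPF-1 ADJ   Et0/0: Nbr 200.200.200.200 has smaller interface MTU",
    "*Nov 14 06:04:38.184: OSPF-1 ADJ   Et0/0: Send DBD to 200.200.200.200 seq 0x2A2 opt 0x52 flag 0x2 len 52",
]
R1_MTU = {"Et0/0": 1500}

if __name__ == "__main__":
    for f in find_mtu_mismatches(SAMPLE_DEBUG, R1_MTU):
        print(f"{f.interface}: neighbor {f.neighbor} advertises MTU {f.neighbor_mtu}, "
              f"local is {f.local_mtu}, adjacency state {f.state}")
```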


I hope this was helpful

Tuesday, November 13, 2018

Redistribution and Optimal path selection

Hi,

So, today I'm going to create a lab showing how redistribution may affect optimal path selection. First, let's understand what "optimal path" means:
optimal means the one best route from A to B.

Ok, so I'm using the following topology:

Here you can see the IP addresses used, where X is the router number.

R5, R7 and R4 are in the EIGRP domain, and R3, R1, R2 and the other interfaces of R7 and R4 are in the OSPF domain.

On R7 and R4 we will do mutual redistribution in order to get the routes to R5.
After doing the above, this is what the routing table of R5 looks like:

R5's routing table has two paths to all destinations in the OSPF domain, coming from both gateways (75.0.0.7 and 45.0.0.4).

Ok, so what to do in order to reach R3's loopback (3.3.3.3) using only one best route (the optimal path)?

Ok, I will create a route map on both R4 and R7 that matches the OSPF metric (cost): if it is equal to 21 I will redistribute it with bandwidth 10000, otherwise it will be redistributed with bandwidth 1000.

Ok lets configure it:

R7,R4

route-map METRIC permit 10
 match metric 10 +- 11
 set metric 10000 10 255 10 1500
route-map METRIC permit 20
 set metric 1000 10 255 10 1500
!
router eigrp 100
 redistribute ospf 1 route-map METRIC

Now checking R5 routing table to R3 loopback:

R5#show ip route 3.3.3.3
Routing entry for 3.3.3.3/32
  Known via "eigrp 100", distance 170, metric 284160, type external
  Redistributing via eigrp 100
  Last update from 45.0.0.4 on Ethernet0/1, 00:00:43 ago
  Routing Descriptor Blocks:
  * 45.0.0.4, from 45.0.0.4, 00:00:43 ago, via Ethernet0/1
      Route metric is 284160, traffic share count is 1
      Total delay is 1100 microseconds, minimum bandwidth is 10000 Kbit
      Reliability 255/255, minimum MTU 1500 bytes
      Loading 10/255, Hops 1
R5#

R5 now uses only the best route, which is via R4, since R4 is only 21 cost away from R3's loopback!

Thanks, I hope this was useful!

Good Luck!

Monday, October 29, 2018

OSPF Path Selection types

Hi,

In this post I would like to give a simple note about OSPF path selection.

Some engineers wonder which of these two orders is correct:

RFC 1587
Intra-Area (O) over Inter-Area (O IA) over External type 1 (E1) over N1 over E2 over N2


OR


RFC 3101
O over O IA over N1 over E1 over N2 over E2

Well, both are correct; it depends on your router's IOS version. Since 15.2S, Cisco has used RFC 3101, which prefers O over O IA over N1 over E1 over N2 over E2,

while earlier software versions use Intra-Area (O) over Inter-Area (O IA) over External type 1 (E1) over N1 over E2 over N2.

Thanks

Tuesday, October 23, 2018

My first second and last CCIE attempt story

So this is my first attempt at the CCIE. I didn't pass the exam, but I would not call that a fail; I learned something very important that day, which was that I'm not ready yet!

So this is what happened: I booked my exam in Dubai, UAE, for July. The weather is really hot and since it's a city near the sea, humidity was really high....

I booked a hotel that is 2 minutes' walk from the Cisco exam center, yet those two minutes of walking were like a marathon in Dubai weather.

Anyhow, I arrived in the UAE three days before the exam, which was a really boring thing to do, but this is what happens when you live in a country that doesn't have daily flights to the UAE.

Feelings before the exam:
I was really calm and relaxed, or that's what I thought before the exam, but after the exam I realized I had panicked; my brain managed to keep me calm somehow, until the moment the exam started.

So I arrived at the Cisco building at 07:00 AM exactly, according to the recommendation, but we had to wait until 07:40 AM for the proctor to come, and the waiting is one of the factors that starts the panic process. The proctor took us to the exam room and it was a normal office, with a normal temperature, not like many people say that it's cold.

The proctor didn't say that much; he seemed very quiet.

By the way, what I learned: you shouldn't need the proctor if you are really ready and really a CCIE. You should get into the exam, and you shouldn't have any question to ask the proctor or tasks to be explained; you should sit and start solving the tasks until you finish them all.

Anyhow, the exam was really hard, the time was flying and I could solve almost nothing. I was surprised how people told me the exam is easy while what I saw was really different.

I learnt that you must be a CCIE before going into that room; passing the exam is just part of the process, it's something that you have to do. The exam is really a test of your speed in:
1. understanding tasks
2. typing commands
3. understanding traffic flow and the idea behind the whole lab
4. time management
5. self-control

I passed one of the three sections only, which is Diagnostic, while I failed the other two.
The TSHOOT section was the panic attack: I was all over the place, I forgot where to start and how to trace the problem, which caused me to fail this part.

In the Config section I remember wasting two hours on Layer 2 config only,

then wasting another hour and a half on IGP.


Then I decided to give up and end the exam session. All I was thinking of was my wife and my kids, I missed them a lot, and it was a really bad feeling watching all the time I spent studying go like this in the exam.
Ok, I walked out of that building and I felt such satisfaction that I didn't understand why.
Was it because of the pressure I put myself under? Or was it because I did the exam and, even if I failed, I was ready to pass next time, and the important thing is that I sat the exam and saw the exam?



I tried to enjoy Dubai until the flight date; I was really excited to go home and see my family.

The next thing to do was to set a new plan; I wanted to conquer the CCIE and be a real one.

I started reviewing my weak points, and set a plan to fill the gaps; until the next attempt I must be 100% ready to pass the exam, no excuses and no panic.

Next Attempt? February 2019.

Update to this: I did not pass my second attempt in Feb. 2019, and I tried again a few months later, specifically in June 2019, and I passed the exam this time.
The feelings after passing the exam are hard to explain; I worked very hard to pass this monster exam.
It is time to move on now, to learn more and prove myself as an expert and help others and pay back the community.
Thanks
Samer R. Saleem

Sunday, October 21, 2018

EIGRP Metric Calculation

In this post I will explain EIGRP metric calculation, and explain what is meant by "EIGRP calculates the minimum bandwidth along the path".

In the following topology:
we are running EIGRP all over the network, and R2 wants to reach the loopback of R6 (6.6.6.6/32).

There are two paths, but they are not equal in metric. Since EIGRP selects the best metric ("lowest metric"), EIGRP must have a specific way of calculating this metric, which uses two values (delay and bandwidth).
These two values are put into the EIGRP metric calculation formula; the path with the lowest metric value is installed in the routing table, and the second best route is kept as backup in the EIGRP topology table.

The formula (with the default K values) is:
256 x [ (10^7 / minimum bandwidth along the path to the destination) + ( sum of delays / 10 ) ]

with bandwidth in Kbit/s and delay in microseconds, using integer division. Plugging in the first entry below: 256 x (10^7 / 5500 + 8000 / 10) = 256 x (1818 + 800) = 670208, which is the FD shown.

Ok, but what is the meaning of minimum bandwidth? Well, when EIGRP calculates the metric for a path it takes the lowest bandwidth of all the links along that path; for example, the best path in our topology is (R2-R4-R5-R6).

R2 will check the lowest bandwidth on each of the two paths and then calculate the composite metric using the formula. Even though its other interface via R3 has a higher bandwidth configured, the path via R4 wins because the link from R4 to R5, the minimum-bandwidth link on that path, has 5500 Kbps, and this value, the minimum bandwidth on the path, is what is used in the calculation. Check the "Minimum bandwidth" lines below:

R2#show ip eigrp topology 6.6.6.6/32
EIGRP-IPv4 Topology Entry for AS(100)/ID(2.2.2.2) for 6.6.6.6/32
  State is Passive, Query origin flag is 1, 1 Successor(s), FD is 670208
  Descriptor Blocks:
  24.0.0.4 (Ethernet0/2), from 24.0.0.4, Send flag is 0x0
      Composite metric is (670208/644608), route is Internal
      Vector metric:
        Minimum bandwidth is 5500 Kbit
        Total delay is 8000 microseconds
        Reliability is 255/255
        Load is 1/255
        Minimum MTU is 1500
        Hop count is 3
        Originating router is 6.6.6.6
  23.0.0.3 (Ethernet0/1), from 23.0.0.3, Send flag is 0x0
      Composite metric is (716800/691200), route is Internal
      Vector metric:
        Minimum bandwidth is 5000 Kbit
        Total delay is 8000 microseconds
        Reliability is 255/255
        Load is 1/255
        Minimum MTU is 1500
        Hop count is 3
        Originating router is 6.6.6.6

===============================

Below are the interface bandwidths: even though E0/1, which goes to R3, has a higher bandwidth configured, R2 uses the path with the better reported distance (644608 via R4 versus 691200 via R3).
interface Ethernet0/1
 description TO-R3
 bandwidth 7000
 ip address 23.0.0.2 255.255.255.0
end

R2#show run inter e0/2
Building configuration...

Current configuration : 80 bytes
!
interface Ethernet0/2
 description TO-R4
 bandwidth 6000
 ip address 24.0.0.2 255.255.255.0
end

R2#


So again, R2 takes the minimum bandwidth of each of the paths it has to the destination, puts each into the formula mentioned above separately, and then compares the results; the lowest is chosen.


NOTE: it's recommended to use DELAY rather than bandwidth for path manipulation in EIGRP, for the reason shown above: delay is summed over every hop, while a bandwidth change only has an effect if it becomes the minimum along the path.
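As an added example (not code from the post), the following Python reproduces the classic EIGRP composite metric from the vector values, both for the two R2 paths to 6.6.6.6/32 above and for the redistributed 3.3.3.3/32 route that R5 receives in the redistribution post (set metric 10000 10 255 10 1500, shown on R5 as 10000 Kbit / 1100 usec / metric 284160). Link bandwidths the posts do not show, the 1000-usec Ethernet and 5000-usec loopback delays, and R5's ingress link are assumed values, labelled in the code.

```python
from dataclasses import dataclass

# Cisco default K values: only K1 (bandwidth) and K3 (delay) take part.
K1, K2, K3, K4, K5 = 1, 0, 1, 0, 0


@dataclass(frozen=True)
class Link:
    """One segment of a path: configured bandwidth (Kbit/s) and delay (microseconds)."""
    name: str
    bandwidth_kbit: int
    delay_usec: int


def composite_metric(min_bandwidth_kbit, total_delay_usec, load=1, reliability=255):
    """Classic EIGRP metric: 256 * [K1*BW + K2*BW/(256-load) + K3*DLY] * K5/(rel+K4),
    where BW = 10^7 / minimum bandwidth and DLY = total delay / 10, all in integer math."""
    bw = 10_000_000 // min_bandwidth_kbit
    dly = total_delay_usec // 10
    metric = K1 * bw + (K2 * bw) // (256 - load) + K3 * dly
    if K5 != 0:  # with K5 = 0 the reliability factor is defined as 1
        metric = metric * K5 // (reliability + K4)
    return metric * 256


def path_metric(hops):
    """EIGRP carries only the minimum bandwidth and the sum of delays along the path.
    Returns (composite metric, minimum bandwidth, total delay), as the topology table shows."""
    min_bw = min(h.bandwidth_kbit for h in hops)
    total_delay = sum(h.delay_usec for h in hops)
    return composite_metric(min_bw, total_delay), min_bw, total_delay


def successor(paths):
    """Pick the (name, metric) of the lowest composite metric, i.e. the successor."""
    return min(((name, path_metric(hops)[0]) for name, hops in paths.items()),
               key=lambda p: p[1])


# Constructed hop lists for R2 -> 6.6.6.6/32. Bandwidths shown in the post (6000, 7000, 5500)
# are used as-is; the remaining links and the 5000-usec loopback delay are assumed so that
# the vector metrics match the topology output (5500 / 5000 Kbit, 8000 usec, 3 hops).
VIA_R4 = [Link("R2 Et0/2 -> R4", 6000, 1000), Link("R4 -> R5", 5500, 1000),
          Link("R5 -> R6 (assumed)", 10000, 1000), Link("R6 Lo0", 8_000_000, 5000)]
VIA_R3 = [Link("R2 Et0/1 -> R3", 7000, 1000), Link("R3 -> R5 (assumed)", 5000, 1000),
          Link("R5 -> R6 (assumed)", 10000, 1000), Link("R6 Lo0", 8_000_000, 5000)]

# Redistribution post: "set metric 10000 10 255 10 1500" means bandwidth 10000 Kbit and
# delay 10 x 10 usec; the permit 20 clause uses 1000 Kbit. R5 then adds the delay of its
# own Ethernet toward the gateway (1000 usec; link bandwidth assumed 10000 Kbit), which
# is why R5 reports 1100 usec and 10000 Kbit for the route.
SET_METRIC_SEQ10 = Link("route-map METRIC seq 10", 10000, 100)
SET_METRIC_SEQ20 = Link("route-map METRIC seq 20", 1000, 100)
R5_INGRESS = Link("R5 Et0/1 (assumed)", 10000, 1000)

if __name__ == "__main__":
    print(path_metric(VIA_R4), path_metric(VIA_R3))       # (670208, 5500, 8000) (716800, 5000, 8000)
    print(successor({"via R4": VIA_R4, "via R3": VIA_R3}))  # ('via R4', 670208)
    print(path_metric([SET_METRIC_SEQ10, R5_INGRESS])[0])  # 284160, as shown on R5
    print(path_metric([SET_METRIC_SEQ20, R5_INGRESS])[0])  # 2588160, what seq 20 would give
```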

I hope this was helpful.

Wednesday, October 17, 2018

Cisco Firepower Task Scheduling


Cisco Firepower can be scheduled to do tasks automatically; this is a very useful tool to help manage Firepower, covering the following items:

1. Backup
2. Updating CRL
3. Deploy Policies
4. NMAP Scan
5. Reporting
6. Downloading latest updates
7. Installing latest updates
8. Push Latest Updates
9. Update URL filtering database

For each item, you can use the Firepower scheduling tool to create a task that runs once or on a recurring basis.

In this example I will create a task that makes a backup on a weekly basis. Ok, let's begin:

1. Log in to Firepower
2. Go to System > Tools > Scheduling

3. Click Add Task
4. From the drop-down list select (Backup)
5. Fill in the following information:

6. A backup profile can be created by going to System > Tools > Backup/Restore > Backup Profile > Create Profile. The profile contains the remote server that you will use for your scheduled backups; in my case I have a storage path created in System > Configuration > Remote Storage Device. Select the backup configuration there; other options such as email notification when the backup is done are really useful too.

7. Save and go back to Scheduling; you will see the task is created and added to the calendar.

I hope this was helpful.

Firepower Automatic Reporting to Email

In this post I'm going to show you how to create automated reports that will be sent from the FireSIGHT management system to your email periodically.

First we have to create a schedule:

Go to System > Tools > Scheduling

Click on Add Task, fill in the job name, choose Recurring and the starting date, then select the repeat option, the time you want the report to start running and the day.
Then choose (Firepower Report) from the Report Template drop-down list.

Fill in the email address that should receive the status of the job you are creating, and tick the last option as well.

Ok, now let's go and edit the report that we want to get on a weekly basis:

you can click on Edit on the Report Template, or you can go to Overview > Reporting > Report Templates.

Here you select the report template (Firepower Report: $<Customer Name>) in order to edit it,

then click on Generate.

A window will open that you can edit:
1. choose the output format
2. the IP address of your Exchange server should already be configured; in my case it's 10.211.0.30
3. Customer name (this name will be shown in the generated report that you will receive)
4. choose the network that you will get the report for; I will choose the whole network (0.0.0.0/0)
5. email options: Send Email must be selected
6. fill in the recipient list, the subject and the body of the message
7. click on Close and then Save; don't click on Generate unless you want to get the report manually.

Check the settings below for the steps mentioned above:

Usually the time window is inherited and I think it reports on the last hour only, which is not good; you can edit the whole report by scrolling down and changing the time window.

I hope this was helpful.

You can test the report by making the task run at a time in the near future.

Good luck!