OSPF sham link – LAB

What is OSPF sham link?

It is similar to a virtual link: a multi-hop unicast adjacency that is used for traffic engineering purposes.

Why is it needed?

It is needed when there is an MPLS L3 VPN using OSPF between PE and CE at two of a customer's sites, and there is also a backbone link between these two sites.

Topology 1

By default, OSPF prefers intra-area routes over inter-area routes, inter-area over external, and external over NSSA routes, regardless of metric.

So when a CE router receives an OSPF route from a PE, this route is considered an inter-area route because of the OSPF superbackbone behaviour of the MPLS cloud, as long as the OSPF domain-id is the same for both sites in the BGP VPNv4 route. If the domain-ids don't match, the route will be an external route.

So in both cases the backbone link will be preferred, because the route learned over it is an intra-area route. In order to be able to prefer the MPLS cloud, we must first make the routes coming from the MPLS cloud intra-area routes, the same as those from the backbone link. This is what the sham link does: it extends area 0 across the MPLS cloud so that the PE routers act as internal routers, not as ABRs or ASBRs.

Then we can increase the cost of the backbone link to prefer the MPLS cloud.
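The preference rule above, modelled as an added example (not part of the original lab): route type is compared first and metric only breaks ties within the same type, so raising the backbone cost alone changes nothing until the sham link turns the PE-learned route into an intra-area route. The costs used are the ones shown in the routing tables later in the lab.

```python
# Added example (not from the original lab): models OSPF's route-type
# preference to show why the backbone link beats the MPLS path until a
# sham link turns the PE-learned routes into intra-area routes.
from dataclasses import dataclass

# Lower rank wins regardless of metric, in the order the post states.
ROUTE_TYPE_RANK = {"intra": 0, "inter": 1, "external": 2, "nssa": 3}


@dataclass(frozen=True)
class Candidate:
    source: str      # human label, e.g. "backbone" or "mpls"
    route_type: str  # intra | inter | external | nssa
    cost: int        # OSPF metric


def classify_vpn_route(domain_ids_match: bool, sham_link: bool) -> str:
    """Route type a CE sees for a prefix learned from the PE, as the post describes."""
    if sham_link:
        return "intra"   # sham link extends area 0 across the MPLS cloud
    return "inter" if domain_ids_match else "external"


def best_path(candidates):
    """Pick the winner the way OSPF does: route type first, then metric."""
    return min(candidates, key=lambda c: (ROUTE_TYPE_RANK[c.route_type], c.cost))


def site2_path(backbone_cost, mpls_cost, domain_ids_match=True, sham_link=False):
    """Return which path R1 installs toward site 2 for the given costs and settings."""
    backbone = Candidate("backbone", "intra", backbone_cost)
    mpls = Candidate("mpls", classify_vpn_route(domain_ids_match, sham_link), mpls_cost)
    return best_path([backbone, mpls]).source


if __name__ == "__main__":
    # Before the sham link: backbone intra cost 2 vs MPLS inter cost 3 -> backbone
    print(site2_path(2, 3))
    # Raising the backbone cost without a sham link still leaves intra winning
    print(site2_path(1000, 3))
    # After the sham link, backbone cost 1000 vs MPLS intra cost 4 -> mpls
    print(site2_path(1000, 4, sham_link=True))
```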

Let us check the routing table of R1 before configuring sham link.

R1#sh ip route ospf

Gateway of last resort is not set

7.0.0.0/32 is subnetted, 1 subnets
O 7.7.7.7 [110/2] via 10.1.7.7, 00:43:25, FastEthernet0/0
10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
O 10.1.67.0/24 [110/2] via 10.1.7.7, 00:43:25, FastEthernet0/0

———————————————————

Site 2 routes are received as intra-area routes from R7 through the backbone link.

Let us first shut down the backbone link and check the routes coming from the MPLS cloud. They should be inter-area routes (LSA type 3).

R1(config)#int fa0/0
R1(config-if)#shut

R1#sh ip route ospf

Gateway of last resort is not set

7.0.0.0/32 is subnetted, 1 subnets
O IA 7.7.7.7 [110/3] via 10.1.2.2, 00:00:20, FastEthernet0/1
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
O IA 10.1.7.0/24 [110/1002] via 10.1.2.2, 00:00:20, FastEthernet0/1
O IA 10.1.67.0/24 [110/2] via 10.1.2.2, 00:00:21, FastEthernet0/1

————————————————————————————

They are received from R2-PE-1 as inter-area routes, because the domain-ids are the same for both sites in the BGP VPNv4 routes.

R2_PE-1#sh bgp vpnv4 uni all 7.7.7.7/32
BGP routing table entry for 17:17:7.7.7.7/32, version 37
Paths: (1 available, best #1, table Cust_A, RIB-failure(17) – next-hop mismatch)
Not advertised to any peer
Local
6.6.6.6 (metric 5) from 6.6.6.6 (6.6.6.6)
Origin incomplete, metric 2, localpref 100, valid, internal, best
Extended Community: RT:17:17 OSPF DOMAIN ID:0x0005:0x000000110200
OSPF RT:0.0.0.0:2:0 OSPF ROUTER ID:10.1.67.6:0
mpls labels in/out 30/24

—————————-

R6_PE-2#sh bgp vpnv4 uni all 7.7.7.7/32
BGP routing table entry for 17:17:7.7.7.7/32, version 12
Paths: (1 available, best #1, table Cust_A)
Advertised to update-groups:
2
Local
10.1.67.7 from 0.0.0.0 (6.6.6.6)
Origin incomplete, metric 2, localpref 100, weight 32768, valid, sourced, best
Extended Community: RT:17:17 OSPF DOMAIN ID:0x0005:0x000000110200
OSPF RT:0.0.0.0:2:0 OSPF ROUTER ID:10.1.67.6:0
mpls labels in/out 24/nolabel

———————————————————————————-

Then configure Sham link between R2-PE-1 and R6-PE-2:

To do so, we need a /32 IP address (a loopback in the VRF) on each PE, advertised through the BGP VRF address family.

On R2-PE-1:

interface Loopback1
vrf forwarding Cust_A
ip address 22.22.22.22 255.255.255.255

router bgp 100

address-family ipv4 vrf Cust_A

net 22.22.22.22 mask 255.255.255.255

router ospf 17 vrf Cust_A

area 0 sham-link 22.22.22.22 66.66.66.66

————————————————————

On R6-PE-2:

interface Loopback1
vrf forwarding Cust_A
ip address 66.66.66.66 255.255.255.255

router bgp 100

address-family ipv4 vrf Cust_A

net 66.66.66.66 mask 255.255.255.255

router ospf 17 vrf Cust_A

area 0 sham-link 66.66.66.66 22.22.22.22

————————————————————

R2_PE-1#sh ip ospf nei

Neighbor ID Pri State Dead Time Address Interface

3.3.3.3 1 FULL/BDR 00:00:35 4.4.23.3 GigabitEthernet1/0
10.1.67.6 0 FULL/ - 00:00:06 66.66.66.66 OSPF_SL0
1.1.1.1 1 FULL/DR 00:00:30 10.1.2.1 FastEthernet0/0
R2_PE-1#

———————————————————–

There is now a direct neighbor relationship between the PE routers. This extends area 0 and makes the PE routers appear as internal routers inside area 0, not as ABRs or ASBRs.

Does this mean that we should now receive intra-area routes from the MPLS cloud? Let's check the routing table of R1.

Remember that the backbone link is still down.

R1#sh ip route ospf

Gateway of last resort is not set

7.0.0.0/32 is subnetted, 1 subnets
O 7.7.7.7 [110/4] via 10.1.2.2, 00:03:39, FastEthernet0/1
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
O 10.1.7.0/24 [110/1003] via 10.1.2.2, 00:03:39, FastEthernet0/1
O 10.1.67.0/24 [110/3] via 10.1.2.2, 00:03:39, FastEthernet0/1
22.0.0.0/32 is subnetted, 1 subnets
O E2 22.22.22.22 [110/1] via 10.1.2.2, 00:07:03, FastEthernet0/1
66.0.0.0/32 is subnetted, 1 subnets
O E2 66.66.66.66 [110/1] via 10.1.2.2, 00:03:47, FastEthernet0/1
R1#

—————————————————-

R1 is receiving Site 2 routes as intra-area routes coming from the MPLS cloud.

Let us bring the backbone link back up and increase its cost to make sure that the MPLS cloud will always be preferred.

On R1:

int fa0/0
no shut
ip ospf cost 1000

———————–

Also on R7:

interface FastEthernet1/0
ip ospf cost 1000

————————-

Check the R1 routing table after bringing the backbone link up and increasing its cost.

R1#sh ip route ospf

Gateway of last resort is not set

7.0.0.0/32 is subnetted, 1 subnets
O 7.7.7.7 [110/4] via 10.1.2.2, 00:01:21, FastEthernet0/1
10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
O 10.1.67.0/24 [110/3] via 10.1.2.2, 00:01:21, FastEthernet0/1
22.0.0.0/32 is subnetted, 1 subnets
O E2 22.22.22.22 [110/1] via 10.1.2.2, 00:11:50, FastEthernet0/1
66.0.0.0/32 is subnetted, 1 subnets
O E2 66.66.66.66 [110/1] via 10.1.2.2, 00:01:27, FastEthernet0/1

——————–

R1 still prefers the MPLS cloud, and the backbone link is now the backup path.


Monitor changes in network configuration files.

Controlling your configuration files is a very important task nowadays: many engineers work on the same environment, and you must monitor what they are doing.

Sometimes you need to revert to the configuration file as it was before the last change. You need to maintain a backup of your network devices' configuration files, and you also need to be alerted whenever a configuration changes.

There are many software products that can do that, but here I will show you how to make a Cisco router send you an email containing the configuration file whenever the configuration changes.

All you have to do is save it in a secure location, so you can go back to it when you need it.


——————————————————————————–

event manager applet CONF_CHANGE
event syslog pattern ".*%SYS-5-CONFIG_I.*"
action 1.0 cli command "enable"
action 2.0 cli command "terminal monitor"
action 3.0 syslog msg "New config file, maybe same as old one, please refer to NOC engineer"
action 4.0 cli command "terminal length 0"
action 5.0 cli command "show run"
action 6.0 mail server "mail.itexpert.com" from "Router11@itexpert.com" to "Network@itexpert.com" cc "Netmanager@itexpert.com" subject "New configuration file for below device" body "$_cli_result"

The tale of CISCO priority command

Sometimes I think Cisco wants us to be confused. I don't know why they use the priority command differently every time: sometimes they say a higher priority is better, sometimes lower is better.


This is so confusing….

That is why I decided to create this table to make it easier for us to memorize; I hope it is helpful.

Technology                                          Preferred priority
Spanning tree protocol (STP)                        Lower
LACP etherchannel                                   Lower
Open shortest path first (OSPF) DR/BDR election     Higher
Protocol Independent Multicast (PIM) DR election    Higher

I wish Cisco would decide once and for all whether higher or lower is better.

ISIS – taming the monster

Most network engineers avoid using ISIS because they think it is difficult to understand, and they love to use OSPF.

Admit it.

In this post we will prove that ISIS is an easy protocol, as long as you understand OSPF.

Face your fears, face the monster.

Here are some similarities and differences between ISIS and OSPF.

ISIS table

Level-2 routers are the backbone routers and must be contiguous. Level-1 routers are the same as stub-area routers: they have only level-1 routes plus a default route to the level-1-2 router, which acts like an ABR in OSPF. The level-1-2 router connects level-1 routers to the outside world (level-2).

A level-2 adjacency can be formed between routers in different areas or in the same area.

A level-1 adjacency must be between routers in the same area only.

NET address:

Net table

Area is 49.0001

System ID: 0000.0000.1111; it must be unique for each router within an area.

NSEL (N-selector) is always 00.

Example of enabling ISIS on your router:

———————————————————————————————————————————

R1(config)#router isis

R1(config-router)#net 49.0001.0000.0000.1111.00

R1(config)#exit

R1(config)#interface loopback0

R1(config-if)#ip router isis

R1(config-if)#interface fa1/0

R1(config-if)#ip router isis

R1(config-if)#end

R1#

——————————————————————————————————————————–
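A parser for the NET format described above, as an added example (not code from the original post): it splits a NET into area, system ID and NSEL, validates each part, and applies the adjacency rule (level-1 only within the same area, level-2 within or across areas). The second NET used in the test is constructed; both routers are assumed to run level-1-2.

```python
# Added example (not from the original post): parse and validate an IS-IS NET
# such as 49.0001.0000.0000.1111.00, then apply the level-1 / level-2
# adjacency rule from the post. NETs other than the post's are constructed.
import re

HEX = re.compile(r"^[0-9a-fA-F]+$")


def parse_net(net: str) -> dict:
    """Split a NET into area / system ID / NSEL; raise ValueError if malformed."""
    parts = net.split(".")
    # Groups are counted from the right: 1 NSEL, 3 system-ID groups, rest is area.
    if len(parts) < 5 or not all(HEX.match(p) for p in parts):
        raise ValueError(f"malformed NET: {net}")
    area, sysid, nsel = parts[:-4], parts[-4:-1], parts[-1]
    if any(len(p) != 4 for p in sysid):
        raise ValueError("system ID must be three 4-hex-digit groups")
    # Area: AFI group of 2 (or 4) hex digits followed by 4-digit groups.
    if len(area[0]) not in (2, 4) or any(len(p) != 4 for p in area[1:]):
        raise ValueError(f"malformed area: {'.'.join(area)}")
    if nsel != "00":
        raise ValueError(f"NSEL must be 00 on a router NET, got {nsel}")
    return {"area": ".".join(area).lower(),
            "sysid": ".".join(sysid).lower(),
            "nsel": nsel}


def adjacency_levels(net_a: str, net_b: str) -> set:
    """Levels at which two routers could form an adjacency, judged by NET alone.
    Assumes both run level-1-2; a duplicate system ID in one area is rejected."""
    a, b = parse_net(net_a), parse_net(net_b)
    same_area = a["area"] == b["area"]
    if same_area and a["sysid"] == b["sysid"]:
        raise ValueError("duplicate system ID within one area")
    levels = {2}                 # level-2 works within or across areas
    if same_area:
        levels.add(1)            # level-1 only within the same area
    return levels


if __name__ == "__main__":
    print(parse_net("49.0001.0000.0000.1111.00"))
    print(adjacency_levels("49.0001.0000.0000.1111.00", "49.0002.0000.0000.1111.00"))
```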

Why do we need LSA type 4?

LSA type 4 is the confusing part of OSPF. They keep telling us that this LSA is generated by the ABR and sent to the internal routers in the ABR's area, telling them: if you need to reach an ASBR outside your area, come to me.

Well, let us take a close look at the OSPF database and see what is going on there. First, type 1 and type 2 LSAs are used for building the topology inside the area. In other words, all routers in the same area know how to reach each other and build their shortest-path tree using the router IDs.

So when any router inside the area advertises a network with its RID (this includes an ASBR inside the same area), all other routers inside this area know how to reach the advertising router using its type 1 LSA, so there is no problem there.

But this is not the case for other areas. For example, routers in area 0 don't know the router IDs and network links (LSA types 1 and 2) of area 1. The ABR of area 0 sends type 3 LSAs to the routers in area 0, telling them "I know how to reach these networks, just come to me. You don't have to worry about that".

So suppose you have an ASBR in area 1 that advertises an LSA type 5 route, and its router ID is 10.10.10.10, which is its loopback interface and is also advertised in OSPF. This loopback will be advertised as an LSA type 3 into area 0 via the ABR, so that routers in area 0 can reach this subnet.

Astonished? Does this mean we don't need LSA type 4, because we can reach the ASBR outside our area using LSA type 3? Well, this is the confusing part: unfortunately, we still need LSA type 4.

That is because LSA type 3 describes how to reach 10.10.10.10/32 as a subnet, but the router ID is only a label in IP address format. You can even set the RID to an IP address that is not configured on any interface, and OSPF still works and the LSA type 5 routes are still reachable. This is because of LSA type 4.

Think of LSA type 4 as a name resolver. Because the router ID can be any label or name (in IP format) that doesn't exist on the router, we need the LSA type 4 to tell routers in area 0 how to reach the ASBRs in area 1.

The sequence is as follows:

  1. An internal router in area 0 checks how to reach the LSA type 5 route; it points to the RID of an ASBR in area 1.
  2. The internal router in area 0 looks for an LSA type 4 matching the ASBR RID; it points to the area 0 ABR.
  3. The ABR looks for the LSA type 1 in its area 1 database matching the ASBR RID.
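The lookup sequence above, carried through a toy link-state database as an added example (not code from the original post): the only value taken from the post is the ASBR RID 10.10.10.10; the router IDs, prefixes and costs are constructed, and the cost is added up E1-style with direct-neighbor costs standing in for a real SPF run. With the type 4 LSA removed, the external prefix cannot be resolved even though a type 3 for 10.10.10.10/32 is present.

```python
# Added example (not from the original post): a toy area 0 LSDB walked with
# the three-step sequence above. The ASBR RID 10.10.10.10 is the post's; all
# other IDs, prefixes and costs are constructed for the example.

# Area 0 database as seen by the internal router 1.1.1.1 (constructed).
AREA0_LSDB = {
    "type1": {"1.1.1.1": {"neighbors": {"2.2.2.2": 10}},   # me, one link to the ABR
              "2.2.2.2": {"neighbors": {"1.1.1.1": 10}}},  # the ABR
    "type3": {"10.10.10.10/32": {"adv_router": "2.2.2.2", "cost": 5}},  # ASBR loopback
    "type4": {"10.10.10.10": {"adv_router": "2.2.2.2", "cost": 5}},     # ASBR summary
    "type5": {"172.16.0.0/16": {"adv_router": "10.10.10.10", "cost": 20}},
}


def resolve_external(lsdb, prefix, me="1.1.1.1"):
    """Steps 1-2 on the area 0 internal router: type 5 -> ASBR RID -> type 4 -> ABR.
    Returns (next router to go to, E1-style total cost) or None if unresolvable.
    Simplification: intra-area cost is the direct link cost from 'me' (no SPF)."""
    lsa5 = lsdb["type5"].get(prefix)
    if lsa5 is None:
        return None
    asbr = lsa5["adv_router"]                       # step 1: a RID, not an address
    links = lsdb["type1"][me]["neighbors"]
    if asbr in lsdb["type1"]:                       # ASBR in my own area: type 1 suffices
        return asbr, links.get(asbr, 0) + lsa5["cost"]
    lsa4 = lsdb["type4"].get(asbr)                  # step 2: which ABR reaches that RID?
    if lsa4 is None:
        return None   # a type 3 for "10.10.10.10/32" is a subnet, not a router: no help
    abr = lsa4["adv_router"]
    return abr, links[abr] + lsa4["cost"] + lsa5["cost"]


def without_type4(lsdb):
    """Copy of the LSDB with every type 4 LSA dropped."""
    return {kind: ({} if kind == "type4" else dict(lsas)) for kind, lsas in lsdb.items()}


if __name__ == "__main__":
    print(resolve_external(AREA0_LSDB, "172.16.0.0/16"))          # ('2.2.2.2', 35)
    print(resolve_external(without_type4(AREA0_LSDB), "172.16.0.0/16"))  # None
```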

Monitor BGP peers using EEM

A well-known monitoring problem: you have a fiber link terminated on a modem, and the modem is connected to your router via an Ethernet cable, so you cannot monitor the fiber link itself.

That is because your monitoring tool, however good, monitors the router, not the modem. Some modems don't support SNMP, or you don't have full administrative access to them. And if the fiber link goes down, the router will not notice anything, because the Ethernet link will always stay up.

So one solution to this problem, if you are running BGP on this link between you and your service provider, is to monitor the BGP peer. Cisco IOS generates a syslog message whenever a BGP peer's status changes:

%BGP-5-ADJCHANGE: neighbor 1.1.1.1 Down BGP Notification sent

%BGP-5-ADJCHANGE: neighbor 1.1.1.1 Up

You can use this event to let the router itself alert you whenever the BGP peer status changes, using an embedded feature of IOS called EEM (Embedded Event Manager).

Here is an example configuration you can use to make the router send you an email whenever a BGP neighbor's status changes:

configure terminal

event manager applet BGP
event syslog pattern ".*%BGP-5-ADJCHANGE:.*"
action 1.0 cli command "enable"
action 2.0 cli command "sh ip bgp nei | in BGP nei|BGP state|Desc"
action 3.0 mail server "mail.ITexpert.com" from "Router11@ITexpert.com" to "Network@ITexpert.com" subject "Router11 BGP peer status Modified" body "$_cli_result"

—————————————————

You will receive an email like this if the peer is down:


BGP neighbor is 1.1.1.1,  remote AS 65323, external link

Description: AT&T

BGP state = Closing

R11#


And like this when the peer is up again:


BGP neighbor is 1.1.1.1,  remote AS 65323, external link

Description: AT&T

BGP state = Established, up for 00:00:00
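
The same two syslog events the EEM applets in this post and in the configuration-change post key on (%SYS-5-CONFIG_I and %BGP-5-ADJCHANGE), parsed on a central syslog collector instead of on the router, as an added example that is not part of either original post. The sample log lines are constructed; the collector side avoids mailing a full show run, which carries the device's credentials, and keeps a record that survives a compromised or reloaded router.

```python
# Added example (not from the original posts): collector-side parsing of the
# two IOS syslog events the EEM applets match, %SYS-5-CONFIG_I (someone
# configured the device) and %BGP-5-ADJCHANGE (peer state change).
# The SAMPLE lines below are constructed for this example.
import re

CONFIG_RE = re.compile(r"%SYS-5-CONFIG_I: Configured from (?P<where>\S+) by (?P<user>\S+)")
BGP_RE = re.compile(r"%BGP-5-ADJCHANGE: neighbor (?P<peer>[\d.]+) (?P<state>Up|Down)"
                    r"(?: (?P<reason>.*))?")


def parse_event(line: str):
    """Return a dict describing the event, or None if the line is not one we track."""
    m = BGP_RE.search(line)
    if m:
        return {"kind": "bgp", "peer": m["peer"], "state": m["state"],
                "reason": m["reason"] or ""}
    m = CONFIG_RE.search(line)
    if m:
        return {"kind": "config", "user": m["user"], "where": m["where"]}
    return None


def alerts(lines):
    """Turn a stream of syslog lines into alert strings; other messages are ignored.
    Unlike the on-box applet, the config alert names the user and source, not the config."""
    out = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["kind"] == "bgp":
            out.append(f"BGP peer {ev['peer']} {ev['state']} {ev['reason']}".strip())
        else:
            out.append(f"config changed by {ev['user']} from {ev['where']}")
    return out


SAMPLE = [  # constructed sample lines in IOS syslog format
    "*Mar  1 00:01:02.003: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "*Mar  1 00:02:10.000: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Down BGP Notification sent",
    "*Mar  1 00:02:11.000: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up",
    "*Mar  1 00:03:30.000: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Up",
]

if __name__ == "__main__":
    for alert in alerts(SAMPLE):
        print(alert)
```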


How to choose the right routing protocol?

First you must know what you need from the routing protocol and what is suitable for your environment.

IGP protocols are meant for reachability.

BGP is meant for reachability and policy.

Traffic engineering is meant for policy.

There is no perfect routing protocol for all networks. You have to choose what is suitable for your network. Here are some pros and cons of some popular IGPs.

RIPv2:

Pros:

  1. Ideal for small networks which aren't very dynamic.
  2. Very easy to manage.
  3. Doesn't consume router resources.

Cons:

  1. Uses hop count for best path selection (maximum 15 hops).
  2. Slow convergence (takes 30 seconds).
  3. No knowledge of bandwidth.
  4. Doesn't support load balancing between two paths.
  5. Consumes network bandwidth, as it sends the whole routing table.

EIGRP:

Pros:

  1. Uses a complex metric (delay, bandwidth, reliability, and load).
  2. Ideal for any network, small to large.
  3. Doesn't require many router resources.
  4. Fast convergence (sends an immediate update whenever there is a change).
  5. Easy to manage.
  6. Can load balance between unequal-cost paths.

Cons:

  1. It is still Cisco proprietary (all routers must be Cisco), but IEEE is working to make it an open protocol.

OSPF:

Pros:

  1. Chooses the best path depending on the bandwidth of the paths.
  2. Fast convergence (sends an update immediately whenever there is a change).
  3. Ideal for any network (small to large, but perfect for large).
  4. Can load balance between equal-cost paths only.

Cons:

  1. Complex to understand and to manage.

  • Bottom line: it is your decision, according to your needs. If you need fast convergence with the ability to load balance, you can choose OSPF or EIGRP, taking into consideration that EIGRP is Cisco proprietary.
  • If you need a simple protocol for your small network and you can wait 30 seconds for your network to converge, RIP is fine.