
Never mix end-user traffic with control and management traffic.

Option 1: use VLAN 1 for all control and management traffic and place end-user traffic in other VLANs (VLANs 2-1000). Option 2: use VLAN 1 for control traffic, another VLAN (such as VLAN 2) for management traffic, and the remaining VLANs (such as 3-1000) for end-user traffic.

Distance vector protocols (Bellman-Ford):
- Each router along a route plays a part in the route calculation, so the result is easily wrong if one router is mistaken.
- A router can't update its neighbors about a route until it has performed its own route calculation, which takes time.
- If a destination is not directly connected, all a router knows about it is what a directly connected neighbor tells it.
This type of protocol is susceptible to incremental corruption of information, including routing loops. Split horizon dictates that a route is never advertised back out the interface it was learned from: updates only flow downstream, away from the original source, never back upstream. A holddown timer works by ignoring updates for a particular route (once the route has been marked unreachable with an infinite metric) UNLESS:
- the original neighbor (from which the route was first heard) announces new information about that route, or
- another neighbor advertises a route to the destination with a distance equal to or less than the distance of the original route.

OSPF passes the update to its neighbors first, THEN performs the route calculation. This means routers can converge as fast as they can flood. Route calculation is independent on each router, and no router alters the update in any way. The update must be identical for each and every router inside the same area so there is no disagreement about what it describes. Note, however, that while the calculation is in progress not all routers necessarily hold an identical LSDB.

Each router must not only identify itself and its directly connected links, but also identify any directly connected neighboring routers on those links. Neighbors are easily identified if every router transmits Hello messages on its links announcing its presence, and listens for Hellos from neighboring routers on those links. As long as Hellos are never forwarded off the local link, receiving routers can be sure the Hellos come from neighbors. RIDs must be unique and consistent. Hellos are kept from being forwarded beyond the neighbor by sending them with a TTL of 1 (which is not suitable for a loopback address) and to a link-local multicast group; OSPF never broadcasts a message. OSPF messages carry a high IP precedence value so that they keep working during congestion. IS-IS runs directly over the data link rather than over IP, so it has more trouble marking its messages as high priority and usually needs an internal mechanism to do so. IS-IS also has a potential problem when used over ATM. OSPF, being carried in IP, is subject to various types of DoS attacks, so filtering and security are important; IS-IS, on the other hand, needs an attacker on a directly attached link. OSPF messages are constrained to predefined, fixed-length fields and are therefore difficult to extend; Opaque LSAs were introduced to solve this. Upon receipt of a Hello, if the network is point-to-point or a virtual link the network mask field is ignored; for other network types this field must match. An ASBR can be located anywhere in the routing domain (except inside a stub area, which can't carry external routes).

The most important thing to know about a link-state protocol is that it is only link-state within an area; inter-area behavior remains distance vector. Always start with area 0, then expand. Good practice is to have all areas touch area 0, but this is not an absolute rule. The design guidance is that OSPF should use less than 5% of link bandwidth, with a normal range of under 1%. A design is considered redundant only when two link failures don't partition an area or break the design. The number of routers an OSPF area can hold is limited by the router with the least memory or processing power. Stability is another factor: a low-bandwidth link limits the number of LSAs you can send to the router behind it.

Manageability is one of the most difficult decisions. Too many routers make an area complicated and difficult to predict. Deciding how to present external interfaces can be challenging; most use either passive interfaces (advertised in the T1 Router LSA) or redistribute connected (advertised as T5 LSAs). Passive interfaces provide less stability, because a flapping passive interface changes the Router LSA and forces a full SPF run on every router in the area, while redistribute connected takes a large amount of memory because of the policy (route-map) evaluation involved. The most likely reason for long delays in OSPF processing is an excessive number of T5 LSAs. This is usually not a coincidence; the culprit can be:
- a faulty routing policy that redistributes prefixes from BGP into the IGP
- redistribution of a large number of static routes into the IGP
- redistribution of a large number of directly connected prefixes into the IGP

Two routers are neighbors if they should be exchanging routing information using a common routing protocol. If two routers have identified each other as neighbors, each has verified that the other is aware of this neighborship, and both have verified that no condition exists that would prevent the exchange of routing information, the neighbors are adjacent. Router A knows Router B is aware of it by seeing A's RID in the neighbor list of B's Hello message. Both sides must see this, and this is known as the three-way handshake.

Three mechanisms ensure a reliable flooding process:
- An Age field that holds the point at which an LSA/LSP becomes invalid; it's not a timer. When the time is up the LSA/LSP can be safely deleted. If the router originating the LSA/LSP is still up, it must send a refresh before the current instance expires. The age can count up (0 to max, as in OSPF) or count down (max to 0, as in IS-IS), the latter being more flexible.
- A sequence number to indicate whether an update is new or old. There is a limit at which the sequence number would wrap back to its starting value, and at that point a router might assume the wrapped instance is less recent than the one with the highest sequence number. There are a few solutions: 1) simply wait for the old LSA/LSP to age out, 2) issue another copy of the same LSA/LSP with the age set to MaxAge (counting up) or 0 (counting down) to flush it, then restart the sequence space, 3) avoid an end altogether with a circular sequence space; but a circular space is what caused the 1980 ARPANET meltdown (three copies of the same update with sequence numbers a < b < c < a, each "newer" than the last), so it is not employed. OSPF uses a linear signed 32-bit space from 0x80000001 (InitialSequenceNumber) to 0x7fffffff (MaxSequenceNumber) and applies solution 2 at the end of it. Another caveat arises when an OSPF router restarts: it originates its LSAs again starting from the initial sequence number while old copies with higher numbers are still in the network, so to the other routers' logic the old copy is "more recent", though it isn't. The solution is for a recipient to send back the copy it thinks is most recent, and the originating router then re-originates with a sequence number greater than that.
- A checksum that validates the entire LSA/LSP except the Age field.

Route cost is determined by adding the outgoing-interface costs along the route. The costs at the two ends of a link don't have to be equal, meaning you can create asymmetric routing. A link-state protocol calculates the path to each destination step by step, building a tree that has no loops by construction.

IS-IS has separate message subtypes for L1 and L2: 3 message types (IIH, LSP, SNP) but 9 subtypes:
- L1 LAN IIH
- L2 LAN IIH
- Point-to-point IIH (a single Hello type serves both levels on point-to-point links)
- L1 CSNP
- L2 CSNP
- L1 PSNP
- L2 PSNP
- L1 LSP
- L2 LSP

OSPF and IS-IS message equivalents:
- OSPF Hello / IS-IS Hello (IIH): neighbor discovery, adjacency negotiation, adjacency keepalive
- OSPF Database Description / IS-IS Complete Sequence Number PDU (CSNP): database synchronization
- OSPF Link State Request / IS-IS Partial Sequence Number PDU (PSNP): database synchronization
- OSPF Link State Update / IS-IS Link State PDU (LSP): database synchronization and flooding
- OSPF Link State Acknowledgement / IS-IS: no equivalent message, although PSNPs are used as ACKs in some cases: database synchronization

ISO classifies IS-IS functions into 2 categories: subnetwork dependent and subnetwork independent. Subnetwork dependent functions are functions between 2 neighboring routers that can differ depending on the particular data link protocol connecting them:
- Link demultiplexing: the ability to recognize both ISO and IP packets
- Multiple IP addresses per interface: unlike OSPF, IS-IS can have many or no IP addresses assigned to an interface
- LAN, DR and pseudonodes
- Maintaining router adjacencies
- Forwarding to incompatible routers: incompatible here may refer to different types of IP address or different unsupported features
Subnetwork independent functions are the same actions taken regardless of the type of subnetwork:
- Addresses and addressing: how routers are identified in IS-IS packets
- Decision process
- Update process
- Forwarding process
- Exchange of routing information: including the necessary IP routing information in IS-IS messages
- Routing parameters
- Hierarchical abbreviation of IP reachability information: summarizing reachability information from a lower-level area into a higher-level area
- External links: handling redistributed routes
- ToS routing
- IP-only operation: applies to IS-IS routers and deals with TLVs that don't apply to IP routing
- Encapsulation
- Authentication
- Order of preference of routes / Dijkstra computation: selection of routes

For OSPF to start, it must have at least one interface that is up. If the interface whose address is the current RID is shut down, there are 2 possible behaviors:
- Ignore the shutdown and continue to use the address. This poses a problem if the address was intentionally removed to be assigned to another router, since the two routers may then have a duplicate RID.
- Force the router to pick a new RID and re-advertise all of its LSAs with that RID, causing SPF to rerun on all routers in the domain.
Misconfiguring routers with duplicate RIDs in OSPF causes route flapping. Good practice is to configure the RID explicitly with the router-id command, using a value that can't collide with a real address in your domain. (0.0.0.0 is not usable as a RID: that value is reserved to mean "none" in the DR and BDR fields of the Hello.) A RID can be entered in decimal or dotted-decimal format; JUNOS converts the number to dotted-decimal, whereas Cisco keeps it the way you entered it. In IS-IS, the 6-byte System ID is commonly derived from a MAC address or a zero-padded IP address, but any unique value will do.

The DR and BDR don't exist because routers couldn't hold a large number of adjacencies, but as a means to be more efficient: without them a segment with n routers would need n(n-1)/2 adjacencies and every LSA would be flooded over each of them. A pseudonode is used so that, instead of each router advertising the attached broadcast network and every adjacent neighbor on the link, a single advertisement can be flooded that specifies the link and lists the nodes attached to it. The attached routers then advertise just an adjacency to the pseudonode rather than adjacencies to each of the other attached routers. The pseudonode advertises a cost of 0 toward the attached routers and adds no extra hop, because it's a virtual router: it doesn't really exist, it just makes SPF simpler. The DR is the router responsible for impersonating the pseudonode; it isn't the pseudonode, it just originates the (T2 Network) LSA that belongs to the pseudonode. A DR is only elected on broadcast and NBMA networks. Since an NBMA network doesn't support multicast or broadcast, the DR has to send LSAs to its neighbors as unicast. There are 2 solutions:
- Manually specify how to reach each router. In Frame Relay, use map statements on a multipoint interface (together with neighbor statements under the OSPF process).
- If supported by the router software, convert the interface to the broadcast network type. Remember to add the broadcast keyword to the mappings as well.
When an OSPF router first becomes active on a segment, it sets its DR and BDR fields to 0.0.0.0 and starts a wait timer (equal in value to the dead interval). Hellos are sent; if a neighbor's Hello has the DR/BDR fields set, the router accepts those values and the wait timer is stopped. If no DR/BDR is heard before the wait timer expires, the DR election starts.
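The Hello checks and the DR/BDR election discussed here, as an added example that is not part of the original notes: it builds and parses OSPFv2 Hello packets (RFC 2328 A.3.1/A.3.2 layout; the packets are constructed inline and checksums are neither computed nor verified), applies the acceptance rules from RFC 2328 section 10.5 (area, HelloInterval, RouterDeadInterval and the E/N option bits must match, the mask only on networks other than point-to-point and virtual links), and runs the election of section 9.4. The election is computed from one consistent set of Hellos rather than per router as a real implementation does; the router IDs and priorities are made up.

```python
"""OSPFv2 Hello parsing, Hello acceptance checks and DR/BDR election.

Added example, not from the original notes. Packet layout per RFC 2328
A.3.1/A.3.2; the election follows RFC 2328 section 9.4, computed here from
one consistent set of Hellos rather than per router. Checksums are neither
computed nor verified. All packets below are constructed inline."""
import ipaddress
import struct

OSPF_HDR = struct.Struct("!BBH4s4sHH8s")   # ver, type, len, RID, area, csum, autype, auth
HELLO_FIXED = struct.Struct("!4sHBBI4s4s")  # mask, hello, options, prio, dead, DR, BDR
OPT_E, OPT_N = 0x02, 0x08                   # option bits that must agree with a neighbor


def ip(s: str) -> bytes:
    return ipaddress.IPv4Address(s).packed


def addr(b: bytes) -> str:
    return str(ipaddress.IPv4Address(b))


def build_hello(rid, area, mask, hello, dead, options, prio, dr, bdr, neighbors):
    """Construct a Hello (OSPF type 1) packet; the checksum field is left as zero."""
    body = HELLO_FIXED.pack(ip(mask), hello, options, prio, dead, ip(dr), ip(bdr))
    body += b"".join(ip(n) for n in neighbors)
    return OSPF_HDR.pack(2, 1, OSPF_HDR.size + len(body), ip(rid), ip(area),
                         0, 0, b"\0" * 8) + body


def parse_hello(pkt: bytes) -> dict:
    """Decode a Hello; rejects anything that is not a well-formed OSPFv2 Hello."""
    ver, ptype, length, rid, area, _csum, _autype, _auth = OSPF_HDR.unpack_from(pkt)
    if ver != 2 or ptype != 1:
        raise ValueError("not an OSPFv2 Hello")
    fixed_end = OSPF_HDR.size + HELLO_FIXED.size
    if length != len(pkt) or length < fixed_end or (length - fixed_end) % 4:
        raise ValueError("bad length")
    mask, hello, options, prio, dead, dr, bdr = HELLO_FIXED.unpack_from(pkt, OSPF_HDR.size)
    return {"rid": addr(rid), "area": addr(area), "mask": addr(mask), "hello": hello,
            "dead": dead, "options": options, "priority": prio, "dr": addr(dr),
            "bdr": addr(bdr),
            "neighbors": [addr(pkt[i:i + 4]) for i in range(fixed_end, length, 4)]}


def hello_acceptable(local: dict, h: dict, network_type: str) -> bool:
    """RFC 2328 10.5: area, intervals and the E/N option bits must match;
    the network mask is ignored on point-to-point and virtual links."""
    if h["area"] != local["area"] or h["hello"] != local["hello"] or h["dead"] != local["dead"]:
        return False
    if (h["options"] ^ local["options"]) & (OPT_E | OPT_N):
        return False
    if network_type not in ("point-to-point", "virtual-link") and h["mask"] != local["mask"]:
        return False
    return True


def _best(cands):
    """Highest priority wins, ties broken by highest RID; 0.0.0.0 if no candidate."""
    if not cands:
        return "0.0.0.0"
    return max(cands, key=lambda v: (v["priority"], int(ipaddress.IPv4Address(v["rid"]))))["rid"]


def elect(views):
    """views: one parsed Hello per attached router, carrying that router's claims.
    Step 2: BDR among routers not claiming DR (those claiming BDR first).
    Step 3: DR among routers claiming DR, else the new BDR is promoted.
    Step 4: if the BDR was promoted, rerun the BDR election without it."""
    elig = [v for v in views if v["priority"] > 0]          # priority 0: ineligible
    not_dr = [v for v in elig if v["dr"] != v["rid"]]
    bdr = _best([v for v in not_dr if v["bdr"] == v["rid"]] or not_dr)
    claim_dr = [v for v in elig if v["dr"] == v["rid"]]
    dr = _best(claim_dr) if claim_dr else bdr
    if dr == bdr and dr != "0.0.0.0":
        rest = [v for v in not_dr if v["rid"] != dr]
        bdr = _best([v for v in rest if v["bdr"] == v["rid"]] or rest)
    return dr, bdr


def demo():
    """Constructed scenarios: cold start, no preemption, DR failure, bad Hellos."""
    local = {"area": "0.0.0.0", "mask": "255.255.255.0", "hello": 10, "dead": 40, "options": OPT_E}

    def view(rid, prio, dr, bdr, mask="255.255.255.0", hello=10):
        return parse_hello(build_hello(rid, "0.0.0.0", mask, hello, 40, OPT_E, prio, dr, bdr, []))

    cold = [view("10.0.0.1", 1, "0.0.0.0", "0.0.0.0"),        # nobody claims anything yet
            view("10.0.0.2", 1, "0.0.0.0", "0.0.0.0"),
            view("10.0.0.3", 1, "0.0.0.0", "0.0.0.0")]
    stable = [view("10.0.0.1", 1, "10.0.0.1", "10.0.0.2"),    # running segment plus a
              view("10.0.0.2", 1, "10.0.0.1", "10.0.0.2"),    # high-priority newcomer
              view("10.0.0.9", 100, "0.0.0.0", "0.0.0.0")]
    dr_failed = [v for v in stable if v["rid"] != "10.0.0.1"]  # DR's Hellos have stopped
    bad_timers = view("10.0.0.7", 1, "0.0.0.0", "0.0.0.0", hello=5)
    bad_mask = view("10.0.0.8", 1, "0.0.0.0", "0.0.0.0", mask="255.255.255.252")
    return {"cold": elect(cold), "stable": elect(stable), "dr_failed": elect(dr_failed),
            "bad_timers_accepted": hello_acceptable(local, bad_timers, "broadcast"),
            "mask_mismatch_broadcast": hello_acceptable(local, bad_mask, "broadcast"),
            "mask_mismatch_p2p": hello_acceptable(local, bad_mask, "point-to-point")}
```

The three election scenarios show the rules in order: on a cold start the highest RID takes DR and the next one BDR; a newcomer with priority 100 cannot preempt a running DR/BDR pair; and when the DR's Hellos stop, the BDR is promoted and the newcomer becomes BDR. The mask case demonstrates why the mask field is ignored on point-to-point links but must match on a broadcast segment.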

When a group of routers elects, OSPF first elects the BDR based on priority (highest wins, ties broken by highest RID), then checks whether any router already claims to be the DR; if none does, the BDR becomes the DR and a new BDR is elected. Always remember that the DR and BDR can't be preempted unless one of them fails.

OSPF supports unnumbered interfaces on the point-to-point network type. The NBMA network type includes Frame Relay, ATM and X.25, or any network using virtual circuits, whether PVC or SVC. Routers connected to such a network should be in the same IP subnet. Non-broadcast means a packet sent by a router is probably not seen by all other connected routers, given that the topology is not a full mesh. One caveat of NBMA is that the DR and BDR must have a direct PVC to every other router; routers without one should be made ineligible to become DR/BDR (priority = 0).

OSPF has two primary databases: the LSDB, and the interface database in which the interface data structures are recorded. One parameter in the interface data structure is InfTransDelay, the estimated number of seconds to transmit an LSU over the interface; it defaults to 1 second, and every time an LSA is sent out an interface its Age field is incremented by that interface's InfTransDelay. Another is RxmtInterval, 5 seconds by default, which specifies how long a router waits for an acknowledgement before retransmitting an LSA. An interface can be in one of the following states:
- Down: lower layers unusable. No packets sent or received. All parameters disabled, no timers, no adjacencies.
- Loopback: for maintenance purposes, whether in hardware or software. No packets are transmitted, but the interface address is included in the Router LSA as a host route.
- Waiting: on broadcast and NBMA networks, the router is listening for Hellos to learn the existing DR and BDR; the wait timer is running and no election takes place until it expires or BackupSeen occurs.
- Point-to-point: for point-to-point, point-to-multipoint and virtual-link network types. Packets are sent and received; if a neighbor is available, try to form an adjacency.
- DR Other: packets are sent and received; adjacencies (and database synchronization) are formed with the DR and BDR only.
- Backup: the router is BDR for the network. It establishes adjacencies with all other routers, but does not originate the Network LSA and, during flooding, does not re-flood LSAs received on the segment unless the DR fails to.
- DR: the router is DR for the network. It establishes adjacencies with all other routers, synchronizes databases with them, re-floods LSAs received from DR-others onto the segment, and originates the Network LSA.
Note: point-to-point, broadcast, NBMA, point-to-multipoint and virtual link are all standard network types defined in RFC 2328; the point-to-multipoint non-broadcast variant is Cisco-specific. An interface state change (event) can be:
- InterfaceUp: lower layers indicate the interface is operational; for a virtual link, the event fires when SPF finds a route to the other endpoint.
- WaitTimer: the wait timer has expired.
- BackupSeen: a Hello from a neighbor that lists itself as the BDR, or lists itself as the DR with an empty BDR field.

- NeighborChange: can be caused by 1) a neighbor has heard the local router (bidirectional communication established), 2) the local router lost a neighbor, 3) a neighbor is declaring itself DR or BDR, 4) a neighbor is no longer DR or BDR, 5) a neighbor's priority has changed. Any of these triggers a DR/BDR election.
- LoopInd: the interface is looped back
- UnLoopInd: the interface loopback has been dropped
- InterfaceDown: lower layers unusable

An LSA is sent (originated or flooded) when:
- a new, unknown LSA is received from a neighbor
- a more recent (higher sequence number) copy of a known LSA is received
- the refresh timer of a locally originated LSA expires
- an adjacency or link changes state
- a route metric or IP address changes
- the router's RID changes
- the router is elected or removed as DR
- the area ID associated with one of the router's interfaces changes
- an LSR is received from a neighbor asking for a known LSA
Whenever an LSU is sent, the LSAs it contains must be acknowledged by the receiving neighbors to ensure reliable flooding. So when an LSA is sent it is added to a retransmit list with a configurable retransmit timer that defaults to 5 seconds (RxmtInterval). If a neighbor fails to acknowledge too many times, the LSA is removed from the list and an error is logged. Acknowledgements can be explicit or implicit, and delayed or direct. An explicit acknowledgement is an LSAck message, while an implicit acknowledgement is simply receiving the same LSA back from the neighbor the router sent it to. Implicit acknowledgements are most likely during database synchronization (LSUs flooded to neighbors simultaneously), or during flooding when 2 neighbors each receive a copy of the LSA from other neighbors and then send LSUs to each other at more or less the same time. A delayed acknowledgement means the router waited some time before sending the LSAck. There are several benefits, but the delay must be less than the retransmission timer:
- more LSAs can be acknowledged in one packet, reducing traffic
- a single LSAck can acknowledge LSAs from different routers on a broadcast network
- it helps randomize message transmission on a multi-access network
A direct acknowledgement is sent immediately, as a unicast to the sender. Delayed acknowledgement is the normal method, but a direct acknowledgement must ALWAYS be used in 2 cases:
- a duplicate LSA is received from a neighbor (and was not already treated as an implicit acknowledgement)
- an LSA with Age set to MaxAge is received for an LSA that is not in the LSDB (a flush), and no neighbor is in Exchange or Loading state
Here is a summary of LSA types and their Link State IDs:
- Type 1, Router LSA: LSID = originating router's RID
- Type 2, Network LSA: LSID = IP interface address of the network's DR
- Type 3, Network Summary LSA: LSID = destination network's IP address
- Type 4, ASBR Summary LSA: LSID = RID of the described AS boundary router
- Type 5, AS-External LSA: LSID = destination network's IP address
- Type 6, Group Membership LSA: LSID = destination multicast group address
- Type 7, NSSA External LSA: LSID = destination network's IP address
- Type 8, External Attributes LSA: LSID = encoded BGP path attributes
- Type 9, Opaque LSA (link-local scope): LSID = 8-bit opaque type + 24-bit opaque ID
- Type 10, Opaque LSA (area-local scope): LSID = 8-bit opaque type + 24-bit opaque ID
- Type 11, Opaque LSA (AS scope): LSID = 8-bit opaque type + 24-bit opaque ID

OSPF internal route metrics are expressed in 16 bits, and external route metrics in 24 bits. Notes on E1 and E2:
- E1 routes are always preferred over E2 routes to the same prefix, regardless of metric
- If 2 ASBRs advertise the same prefix with the same E2 cost, the cost of the internal path to each ASBR is considered, and the route through the lowest-cost ASBR is chosen
The Age of copies of the same LSA can differ, because the copies arrive at a router through different paths and each hop adds its InfTransDelay. To prevent a router from making false judgements about copies with different ages, a constant called MaxAgeDiff is used; it is 15 minutes, meaning that if two copies of the same LSA differ in age by less than 15 minutes they are treated as the same instance. To compare which of two instances is more recent:
- The higher sequence number is newer
- If the sequence numbers are equal, the greater checksum is newer
- If only one of them has an age of MaxAge, that one is newer (it is being flushed)
- If the ages differ by more than MaxAgeDiff, the one with the smaller age is newer
- If the sequence numbers and checksums are the same, neither age is MaxAge, and the ages differ by less than MaxAgeDiff, the instances are considered identical
An LSA is flooded back out the interface it was received on only if the connected network is a LAN or NBMA and the router is the DR; otherwise it's never flooded out the interface it came in on. Non-backbone areas aren't allowed to exchange routing information directly. LSDB consistency depends on an unbroken series of adjacencies connecting all routers within an area. A consistent database means all routers in an area share the same view, achieved through database synchronization between neighbors. The OSPF packet types used for neighbor discovery and database synchronization:
- Hello (type 1): used to discover neighbors, carry the parameters used to confirm that two routers should be allowed to become neighbors, bring a neighbor relationship to the 2-Way state, and monitor a neighbor's responsiveness in case it fails.
- Database Description (DD or DBD, type 2): used to exchange LSA headers so a neighbor knows which LSAs a router has. Carries the interface MTU for the MTU check.
- Link State Request (LSR, type 3): lists the LSIDs of the LSAs the sender would like the receiver to supply during database exchange; more than one can be sent if there are many LSAs to request.
- Link State Update (LSU, type 4): contains fully detailed LSAs, sent in response to an LSR or during flooding. Retransmitted after 5 seconds (RxmtInterval) if not acknowledged.
- Link State Acknowledgment (LSAck, type 5): sent to confirm receipt of an LSU. Contains the common OSPF header plus a list of LSA headers.
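The "which instance is newer" rules above, together with the sequence-number wrap and restart cases from the reliable-flooding discussion earlier, as an added example (not from the original notes): a comparison function that follows RFC 2328 section 13.1 step by step, plus the origination rule a router must apply when its own LSA comes back with a higher number or when it reaches MaxSequenceNumber. The LSA instances are constructed; only the sequence number, checksum and age matter for this decision so nothing else is modelled.

```python
"""Deciding which of two instances of the same LSA is more recent (RFC 2328
section 13.1) and the sequence-number rules at wrap and restart (12.1.6).
Added example, not from the original notes; LSA instances are constructed."""
from dataclasses import dataclass

MAX_AGE = 3600             # LSMaxAge, seconds
MAX_AGE_DIFF = 900         # MaxAgeDiff, 15 minutes
MAX_SEQ = 0x7FFFFFFF       # MaxSequenceNumber (signed 32-bit)
INITIAL_SEQ = -0x7FFFFFFF  # InitialSequenceNumber, 0x80000001 on the wire


@dataclass(frozen=True)
class LSA:
    seq: int       # LS sequence number as a signed 32-bit integer
    checksum: int  # LS checksum (16-bit)
    age: int       # LS age, seconds


def from_wire(u: int) -> int:
    """Turn the unsigned 32-bit wire value of the LS sequence number into signed."""
    return u - (1 << 32) if u & 0x80000000 else u


def to_wire(s: int) -> int:
    return s & 0xFFFFFFFF


def compare(a: LSA, b: LSA) -> int:
    """Return 1 if a is more recent, -1 if b is, 0 if they are the same instance."""
    if a.seq != b.seq:                        # 1. higher sequence number wins
        return 1 if a.seq > b.seq else -1
    if a.checksum != b.checksum:              # 2. then the higher checksum
        return 1 if a.checksum > b.checksum else -1
    a_max, b_max = a.age == MAX_AGE, b.age == MAX_AGE
    if a_max != b_max:                        # 3. a MaxAge (flushed) copy is newer
        return 1 if a_max else -1
    if abs(a.age - b.age) > MAX_AGE_DIFF:     # 4. ages far apart: the younger wins
        return 1 if a.age < b.age else -1
    return 0                                  # 5. otherwise the same instance


def next_origination(current_seq: int, seen_seq=None):
    """Sequence number for the next self-originated instance.
    seen_seq: a copy of our own LSA seen in the network with a higher number
    (the restart case); we must jump past it. Returns (seq, flush_first):
    flush_first is True when the current instance sits at MaxSequenceNumber and
    must be prematurely aged (flooded with age MaxAge) before the sequence
    space restarts at InitialSequenceNumber."""
    base = current_seq if seen_seq is None else max(current_seq, seen_seq)
    if base == MAX_SEQ:
        return INITIAL_SEQ, True
    return base + 1, False


def demo():
    a = LSA(from_wire(0x80000005), 0x1234, 100)
    b = LSA(from_wire(0x80000004), 0xFFFF, 5)
    return {
        "seq_beats_checksum_and_age": compare(a, b),                       # 1
        "maxage_copy_newer": compare(LSA(a.seq, a.checksum, MAX_AGE), a),  # 1
        "within_maxagediff": compare(LSA(a.seq, a.checksum, 800), a),      # 0
        "beyond_maxagediff": compare(LSA(a.seq, a.checksum, 1200), a),     # -1
        "signed_order_ok": from_wire(0x80000001) < from_wire(0x7FFFFFFF),  # True
        "restart": to_wire(next_origination(INITIAL_SEQ, seen_seq=from_wire(0x8000002A))[0]),
        "wrap": next_origination(MAX_SEQ),
    }
```

Two details matter in practice: the wire value must be read as a signed integer (an unsigned comparison would rank 0x80000001 above 0x7fffffff and reverse the whole space), and a router that sees a higher-numbered copy of its own LSA must not simply accept it but re-originate one past it, as the restart case shows.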

The Options field (present in Hellos, DD packets and LSA headers) includes:
- O: support for Opaque LSAs, used to extend OSPF among routers that support them
- DC: support for demand circuits and the associated DoNotAge (DNA) LSAs. Both routers have to agree on whether they support DNA LSAs.
- EA: support for external attributes (T8 LSAs); considered obsolete
- N/P: support for NSSA. This bit can't be set together with the E bit; one has to be clear. If two routers disagree on this bit, no adjacency can form.
- MC: support for Multicast OSPF, i.e. flooding T6 LSAs to MOSPF-capable routers
- E: the originating router supports external routing (T5 LSAs). If this bit doesn't agree in Hellos, the adjacency can't form.
- T: support for ToS routing; obsolete
A DD packet contains several bits after the Options field:
- I (init) and M (more) work together to indicate the sequence of DD packets. The initial (empty) DD packet of an exchange has I = 1, M = 1; subsequent packets have I = 0, M = 1; the last DD packet of the flow has I = 0, M = 0.
- MS indicates the role of the sending router: 1 means Master, 0 means Slave.
- DD sequence number.
During database synchronization, 3 lists of LSAs are maintained per neighbor:
- Link State Retransmission List: LSAs transmitted but not yet acknowledged. Retransmitted every RxmtInterval.
- Database Summary List: all the LSAs in the LSDB for the area the neighbor is in. This list is what gets described in DD packets; once an LSA has been described it is removed from the list.
- Link State Request List: LSAs the local router doesn't have (or has an older copy of) but its neighbor does. An entry is removed when the requested LSA arrives in an LSU.
The Master is the router with the higher RID. It should:
- send the first DD packet
- increment (by 1) the sequence number for DD packets; the slave can't do this
- ensure that only one DD packet at a time is outstanding
- retransmit DD packets if not acknowledged; the slave can't do this
Both routers initially send an empty DD packet with I, M and MS set and their own sequence number. The router with the lower RID, on seeing the higher RID, accepts the slave role and replies with a DD packet listing its LSA headers, using the master's sequence number, which begins the exchange. If the neighbor disagrees (it thinks it should be master), it sends back an empty DD packet with I/M/MS set and its own sequence number.

An OSPF router uses one of the following states to describe its relationship with a neighbor:
- Down: no Hellos are heard. On NBMA networks the local router still sends Hellos to a Down neighbor, but at PollInterval (default 2 minutes).
- Attempt: occurs only on NBMA networks, for a manually configured neighbor that the router is actively trying to contact by sending Hellos every HelloInterval.
- Init: a Hello has been received from the neighbor, but the local router's RID is not in its neighbor list.
- 2-Way: bidirectional communication is established; each router sees its own RID in the other's neighbor list. A router must be in this state or higher to take part in DR/BDR election.
- ExStart: start of the database synchronization process. Elect master/slave and exchange the first DD packet and reply. From this state on, the neighbors are forming an adjacency.
- Exchange: DD packets describing the databases are being sent. LSRs can also be sent.
- Loading: the DD exchange is finished (ExchangeDone) but the Link State Request list is not yet empty: LSRs are still being sent and LSUs received.
- Full: the neighbors are fully adjacent, and the adjacency will appear in T1 and T2 LSAs.
These are the events that cause a neighbor state change:
- HelloReceived: a Hello has been received from the neighbor.
- Start: Hellos should be sent to the neighbor at HelloInterval. This event is only generated for neighbors on NBMA networks.
- 2-WayReceived: the router sees its RID in the neighbor's Hello, indicating that bidirectional communication is established.
- NegotiationDone: the master/slave negotiation is done.
- ExchangeDone: both routers have finished describing their databases in DD packets.
- BadLSRequest: a Link State Request has been received for an LSA that is not in the database, indicating an error in the database exchange process.
- LoadingDone: the Link State Request list is emptied after the database exchange.
- AdjOK?: a decision point for whether an adjacency should be established and maintained with the neighbor (for example after a DR/BDR change).
- SeqNumberMismatch: a DD packet has been received with an unexpected (non-sequential) sequence number, an improperly set I bit, or an Options field value different from the one in the last received DD packet. The database exchange is abandoned and restarted at ExStart.
- 1-Way: bidirectional communication with the neighbor is lost, as indicated by a Hello from the neighbor in which the receiving router's RID is not in the neighbor list. If the neighbor state is 2-Way or greater, it is changed to Init.
- KillNbr: communication with the neighbor is impossible; the neighbor state is changed to Down.
- InactivityTimer: no Hellos have been seen from the neighbor in the last RouterDeadInterval; the state is changed to Down.
- LLDown: a lower-level protocol indicates the neighbor is unreachable; the state is changed to Down.
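The DD exchange described above (master/slave negotiation, the I/M/MS bits, DD sequence numbers, the Database Summary and Link State Request lists, and the ExStart to Exchange to Loading/Full progression) as an added example that is not part of the original notes. Two routers with constructed LSDBs are synchronized in-process, and each ends up with exactly the LSR list it would send; LS sequence numbers are written as their wire values, and the per-packet header count and DD seed numbers are arbitrary.

```python
"""Database Description exchange between two OSPF neighbors (RFC 2328 10.6-10.8):
master/slave negotiation, I/M/MS bits, DD sequence numbers, the per-neighbor
lists and the resulting neighbor states. Added example, not from the notes;
the two LSDBs are constructed inline."""
from dataclasses import dataclass, field
import ipaddress

I_BIT, M_BIT, MS_BIT = 0x4, 0x2, 0x1


@dataclass(frozen=True)
class LSAHeader:
    ls_type: int
    ls_id: str
    adv_router: str
    seq: int


@dataclass
class DDPacket:
    src: str
    mtu: int
    flags: int
    seq: int
    headers: tuple = ()


@dataclass
class Router:
    rid: str
    mtu: int
    lsdb: dict = field(default_factory=dict)    # (type, id, adv) -> LSAHeader
    state: str = "ExStart"
    master: bool = False
    dd_seq: int = 0
    summary: list = field(default_factory=list)  # Database Summary List
    request: list = field(default_factory=list)  # Link State Request List

    def receive_headers(self, dd: DDPacket) -> None:
        """Unknown or newer headers go on the LSR list (to be asked for in LSRs)."""
        for h in dd.headers:
            key = (h.ls_type, h.ls_id, h.adv_router)
            mine = self.lsdb.get(key)
            if mine is None or h.seq > mine.seq:
                self.request.append(key)


def rid_int(rid: str) -> int:
    return int(ipaddress.IPv4Address(rid))


def negotiate(a: Router, b: Router, seed_a: int = 1000, seed_b: int = 2000):
    """ExStart: both send an empty DD with I|M|MS and their own seq number; the
    higher RID becomes master and the slave adopts the master's seq number.
    Returns (master, slave, packets), or None when the interface MTUs differ,
    in which case the DD is rejected and no adjacency forms."""
    if a.mtu != b.mtu:
        return None
    a.dd_seq, b.dd_seq = seed_a, seed_b
    packets = [DDPacket(a.rid, a.mtu, I_BIT | M_BIT | MS_BIT, a.dd_seq),
               DDPacket(b.rid, b.mtu, I_BIT | M_BIT | MS_BIT, b.dd_seq)]
    master, slave = (a, b) if rid_int(a.rid) > rid_int(b.rid) else (b, a)
    master.master, slave.master = True, False
    slave.dd_seq = master.dd_seq
    for r in (a, b):                        # NegotiationDone -> Exchange
        r.state, r.summary = "Exchange", list(r.lsdb.values())
    return master, slave, packets


def exchange(master: Router, slave: Router, per_packet: int = 2):
    """Exchange: the master sends up to per_packet headers per DD and keeps M set
    while its summary list is non-empty; the slave answers each DD with the same
    seq number and its own headers; only the master increments the seq number."""
    packets = []
    while True:
        m_hdrs = tuple(master.summary[:per_packet])
        del master.summary[:per_packet]
        m_flags = MS_BIT | (M_BIT if master.summary else 0)
        dd = DDPacket(master.rid, master.mtu, m_flags, master.dd_seq, m_hdrs)
        packets.append(dd)
        slave.receive_headers(dd)
        s_hdrs = tuple(slave.summary[:per_packet])
        del slave.summary[:per_packet]
        s_flags = M_BIT if slave.summary else 0
        reply = DDPacket(slave.rid, slave.mtu, s_flags, dd.seq, s_hdrs)
        packets.append(reply)
        master.receive_headers(reply)
        master.dd_seq += 1
        if not (m_flags & M_BIT) and not (s_flags & M_BIT):
            break
    for r in (master, slave):               # ExchangeDone -> Loading or Full
        r.state = "Loading" if r.request else "Full"
    return packets


def demo():
    def db(*hdrs):
        return {(h.ls_type, h.ls_id, h.adv_router): h for h in hdrs}
    a = Router("10.0.0.2", 1500, db(LSAHeader(1, "10.0.0.2", "10.0.0.2", 0x80000003),
                                    LSAHeader(1, "10.0.0.1", "10.0.0.1", 0x80000001),
                                    LSAHeader(2, "192.0.2.1", "10.0.0.2", 0x80000001)))
    b = Router("10.0.0.1", 1500, db(LSAHeader(1, "10.0.0.1", "10.0.0.1", 0x80000005),
                                    LSAHeader(1, "10.0.0.2", "10.0.0.2", 0x80000003),
                                    LSAHeader(3, "10.1.0.0", "10.0.0.1", 0x80000001)))
    master, slave, packets = negotiate(a, b)
    packets += exchange(master, slave)
    mismatch = negotiate(Router("10.0.0.3", 1500), Router("10.0.0.4", 1400))
    return {"master": master.rid, "packets": len(packets),
            "first_flags": packets[0].flags, "last_seq": packets[-1].seq,
            "a_requests": a.request, "b_requests": b.request,
            "states": (a.state, b.state), "mtu_mismatch_rejected": mismatch is None}
```

Router 10.0.0.2 becomes master because of its higher RID. It ends up requesting the newer copy of 10.0.0.1's Router LSA and the unknown summary LSA, while 10.0.0.1 requests only the Network LSA it has never seen; both therefore leave Exchange in the Loading state, and an MTU mismatch stops the negotiation before any header is exchanged.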

The most obvious way an area fails is through the failure of routers, so redundancy is important, especially for the routers that hold an area together and for the ABRs.

Stub area:
- Can't have any ASBR in the area, since T5 LSAs are prohibited
- The ABR advertises a default route (as a T3 LSA)
- All routers in the area have to agree that the area is a stub, and on the specific type of stub
- Area 0 can't be a stub
- A virtual link can't be configured over a stub area
- E bit = 0, meaning no external routing capability. If neighbors disagree, no adjacency can form.
- Blocks T4 and T5 LSAs
Totally stubby areas also eliminate all other T3 LSAs except the default route to the ABR, so all inter-area traffic heads straight to the ABR.

NSSA:
- Allows (multiple) ASBRs to reside within the area, i.e. allows redistributed routes, carried as T7 LSAs
- Prevents the ABR from distributing T5 LSAs into the area
- A T7 LSA has the same format as a T5 LSA except Type = 7. T7 LSAs have area flooding scope, meaning they are not permitted outside the area in which they originated.
- The forwarding address must be 1) the external peer's interface address, or 2) the ASBR's interface address
- The N/P bit (N in the Options field, P in the T7 LSA) for NSSA is on by default. If the P bit of a T7 LSA is not set, it is not translated into a T5 LSA by the ABR. If it is set and there are multiple ABRs, the ABR with the highest RID performs the 7-to-5 translation.
- When the ABR receives a T7 LSA with P set, it translates it into a T5 LSA, which has AS flooding scope, so the prefix is advertised throughout the domain.
- All routes from other areas are advertised into this area as T3 LSAs
- The ASBR can advertise a default route so that, if none of the T3 LSAs generated by the ABR match, the packet can go out through the ASBR.
- The ABR can also advertise a default route, but it should be a T7 LSA rather than a T3: a T3 default is an internal route and would always be preferred over a T7 default. The P bit is 0 in this case because, if it were translated into a T5 LSA, another ABR attached to the area might translate it back and prefer it over the current T7 LSA, causing inaccurate routing and probably loops.
- E bit = 0, no external routing capability in the Hello Options
- Blocks T5 and T4 LSAs, but allows T3 LSAs
- The default route is generated with the area X nssa default-information-originate command: 1) on an ASBR, a default route must be in the routing table, learned from a non-OSPF source; 2) on an ABR, the default route doesn't have to be in the routing table.
Note a T5 LSA can have a forwarding address of:
- 0.0.0.0: packets to the advertised prefix should be sent to the originating ASBR
- the external neighbor's interface address, if the connecting link is advertised into OSPF as an internal route
Totally NSSA:
- Allows only the default route (T3 LSA) in from the ABR and filters everything else (other T3, T4 and T5 LSAs); T7 LSAs originated inside the area still exist.

An internal router can't summarize prefixes in its own area, to prevent confusion. ABRs should summarize the routes contained in their area to reduce the LSDB for backbone routers. Ideally there would be only as many T3 LSAs in the backbone as there are ABRs in the network (one summary per area). However, the price of the reduced memory is less accurate routing. This is especially true when you have multiple ABRs between an area and area 0: routes to the same summarized destination have multiple paths with no good indicator of which path should be preferred, and only the path via the closer ABR is chosen.

When a virtual link is configured between ABRs, these routers attempt to form a virtual adjacency. When established, the network type is an unnumbered point-to-point link, and the link is included in the backbone T1 LSA. Note:
- A virtual link must be configured through a single area, so the 2 ABRs must share a common (transit) area, which can't be area 0 even though the link is considered a backbone link
- The cost of the virtual link is not configurable; it's always the cost of the intra-area path between the 2 ABR endpoints
- The transit area can't be a stub area
- The ABR describes the neighboring ABR at the other end of a virtual link in its neighbor table by the neighbor's RID
- The ABR then has at least one T1 LSA with the V bit set (virtual link endpoint)
- T5 LSAs are never flooded over virtual links
- The interface MTU in DD packets is always set to 0
- There's no network mask, so the field is 0.0.0.0
- Hellos are sent as unicast
- The Area ID in packets is 0; this is the only situation in which an internal router can receive a packet with an Area ID other than the area all of its interfaces are in
- The Link ID in the T1 LSA is the RID of the neighbor ABR
- The Link Data field in the T1 LSA is the IP address of the originating router's interface associated with the virtual link
- The ABR gives the virtual link Link Type 4 in the T1 LSA
- OSPF packets over the virtual link are routed within the link's transit area as intra-area packets. This is the only time OSPF packets are not limited to directly connected neighbors.
Warning: a virtual link is not a permanent solution, and it adds complexity to the network.

The SPF algorithm by itself produces a single shortest-path tree and doesn't load balance; keeping several equal-cost next hops is an implementation extension (permitted by RFC 2328) called equal-cost multipath (ECMP).

ECMP can occur in a per-packet basis, however, this approach doesn't count in for delay, link propagation and router latency, buffering, and link MTU. These factors can affect how TCP works and may cause reduced performance because TCP would requet re-transmits. A better approach is per-destination ECMP. It assigns different next-hop for all packets to different destination, allowing each destination to be routed differently. This differs from per-packet ECMP, which sets one next hop for each packet randomly or roundrobin-based. The disadvantage in this solution is that if a destination has heavy trafc, one route can be utilized more often than another. Per-ow load balancing distribute trafc based on source and destination IP address, but further features can be examined, such as port number, ToS value, etc. A peculiar case of multi-path load balancing can occur when 2 nodes are connected both by PtP links and Broadcast links. One of two things can happen depending on how SPF select the route: - Only the PtP link is used, no efciency - Both links are used To favor the latter situation, a simple rule is added to SPF algorithm: If there are multiple entries in the candidate database with equally low cost, and if at least one link is to a pseudonode and at least one link is to a router, always select the link to the pseudonode rst rather than randomly selecting among the links. Incremental SPF is the partial inuence of SPF when a topology change occur, such as that in the stub router or a remote link failure. In these cases, SPF is not run on all routers, just those that are affected by the change. Partial route calculation (PRC), prevent running SPF algorithm when an interface modies, add or delete an IP address by simply recording the address, this saves processing power because interface prexes are of little importance except indicating the destination. 
In OSPF, only T3, T4, T5 and T7 LSAs carrying a different destination trigger a PRC rather than a full SPF. A T1 LSA with a different destination triggers a full SPF calculation, as does changing the RID of an OSPF process (which you have to do manually). Another feature that increases SPF efficiency is SPF delay: a timer setting the minimum time between the last SPF and the next SPF calculation, also known as SPF holddown or SPF throttling. When many different LSAs are flooded during a calculation, they are buffered in the LSDB until the holddown timer expires and SPF reruns. This increases convergence time.

Cisco implements SPF delay with an exponential backoff algorithm. Initial delay, delay increment and maximum delay periods are configured. The router waits the initial delay before first running SPF. After the first run, the delay starts from the delay increment and doubles every time SPF runs. For example, with an initial delay of 100 ms and an increment of 1000 ms, the router delays the first SPF run by 100 ms, the second by 1000 ms, the third by 2000 ms, the fourth by 4000 ms, and so on. The maximum delay caps the value the delay can grow to, an obvious necessity so that an unstable network cannot push the delay so high that SPF never runs. When SPF has not run for twice the maximum delay period, the router switches back to fast mode and uses the initial delay again. The timer is configured with the (config-router)#timers throttle spf command.

Delay, pacing, throttling, whichever it is called, delays the transmission of LSAs (locally generated or forwarded) so that a neighbor is not overwhelmed. Cisco's default LSA group pacing timer is 4 minutes; it can be set between 10 and 1800 seconds with (config-router)#timers pacing lsa-group. This timer also applies to checksumming and aging. It has the greatest effect during LSA flapping: the timer buffers the LSA, and when it expires only the latest instance is used. OSPF defines 2 constants: a new instance of a given LSA cannot be generated more often than every 5 seconds (MinLSInterval), and a new instance of a given LSA cannot be accepted more often than every 1 second (MinLSArrival). A router can also control the rate at which it floods LSAs to neighbors with (config-router)#timers pacing flood, default 33 ms, configurable between 5 and 100 ms. A 33 ms flood pacing interval means at most about 30 Update packets are flooded per second. Retransmission is another problem: if a heavy flow of LSAs is flooded, a neighbor may not acknowledge within the retransmission timer, so the LSAs are retransmitted and the load grows further.
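The exponential backoff described above, as an added example (not from the notes, and not vendor code): a small simulator of the throttle with initial, increment and maximum delays, showing the 100/1000/2000/4000 ms sequence, coalescing of LSAs that arrive while a run is pending, and the fall-back to fast mode after a quiet period of twice the maximum delay. The timer values and LSA arrival times are assumptions chosen to match the notes' example.

```python
"""SPF exponential backoff (as described for `timers throttle spf`), simulated.

Added example; not from the notes and not vendor code. All times in ms.
"""


class SpfThrottle:
    def __init__(self, initial_ms, increment_ms, max_ms):
        self.initial = initial_ms
        self.increment = increment_ms
        self.max = max_ms
        self.hold = initial_ms   # delay applied to the next SPF trigger
        self.fast = True         # True until the first run after a quiet period
        self.last_run = None
        self.pending = None      # time of an already-scheduled SPF run

    def trigger(self, now):
        """An LSA that needs SPF arrived at `now`; return when SPF will run."""
        if self.pending is not None:
            return self.pending  # coalesced: the LSA waits in the LSDB for the pending run
        if self.last_run is not None and now - self.last_run >= 2 * self.max:
            self.hold, self.fast = self.initial, True  # quiet for 2*max: back to fast mode
        self.pending = now + self.hold
        return self.pending

    def run(self, now):
        """SPF executes at `now`; grow the hold time for the next run."""
        self.last_run, self.pending = now, None
        if self.fast:
            self.hold, self.fast = self.increment, False
        else:
            self.hold = min(self.hold * 2, self.max)


def simulate(initial_ms, increment_ms, max_ms, trigger_times):
    """Return the SPF run times produced by LSAs arriving at `trigger_times`."""
    t, runs = SpfThrottle(initial_ms, increment_ms, max_ms), []
    for now in sorted(trigger_times):
        if t.pending is not None and t.pending <= now:
            runs.append(t.pending)
            t.run(t.pending)
        t.trigger(now)
    if t.pending is not None:
        runs.append(t.pending)
        t.run(t.pending)
    return runs


def delays_under_flapping(initial_ms, increment_ms, max_ms, n):
    """Delay applied to each of n back-to-back runs when a new LSA arrives right after every run."""
    t, delays, now = SpfThrottle(initial_ms, increment_ms, max_ms), [], 0
    for _ in range(n):
        due = t.trigger(now)
        delays.append(due - now)
        t.run(due)
        now = due
    return delays


if __name__ == "__main__":
    print(delays_under_flapping(100, 1000, 10000, 7))
    print(simulate(100, 1000, 10000, [0, 100, 1100, 30000]))
```

With a 10 s maximum, a constantly flapping network settles at one SPF run every 10 s instead of one per LSA; the last trigger in the second call arrives 26.9 s after the previous run, so it is served with the 100 ms initial delay again.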
A larger retransmission timer, set with the ip ospf retransmit-interval command, relieves those needless retransmissions. Another flooding problem occurs in a full-mesh topology with no DR present: multiple copies of the same LSA arrive over the different paths and cause excessive traffic. This is not a very big problem for OSPF, because you can split the mesh into different areas to deal with it.
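Going back to the per-packet versus per-flow ECMP discussion above, here is an added example (not from the notes) that makes the TCP reordering problem concrete. Two next hops with equal IGP cost but different real latency are assumed; one constructed TCP flow is sent over them once with per-packet round-robin and once with a 5-tuple hash, and the receiver-side arrival order is compared.

```python
"""Per-packet vs per-flow ECMP: why per-packet splitting reorders a TCP flow.

Added example, not from the notes. Next hops, latencies and the flow are constructed.
"""
import zlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    seq: int
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    send_ms: int


# Two equal-IGP-cost next hops whose real one-way latency differs (propagation + buffering).
PATH_LATENCY_MS = {"nh-A": 5, "nh-B": 20}


def per_packet_next_hop(pkt, next_hops):
    """Round-robin per packet: ignores the per-path delay entirely."""
    return next_hops[pkt.seq % len(next_hops)]


def per_flow_next_hop(pkt, next_hops):
    """Hash the 5-tuple so every packet of one flow takes the same path."""
    key = f"{pkt.src}|{pkt.dst}|{pkt.sport}|{pkt.dport}|{pkt.proto}".encode()
    return next_hops[zlib.crc32(key) % len(next_hops)]


def deliver(packets, chooser, latency=PATH_LATENCY_MS):
    """Return the sequence numbers in the order the receiver sees them."""
    next_hops = sorted(latency)
    arrivals = sorted((p.send_ms + latency[chooser(p, next_hops)], p.seq) for p in packets)
    return [seq for _, seq in arrivals]


def count_reorders(order):
    """Count packets arriving after a higher sequence number (what makes TCP send dup-ACKs)."""
    highest, reorders = -1, 0
    for seq in order:
        if seq < highest:
            reorders += 1
        highest = max(highest, seq)
    return reorders


def make_flow(n, send_interval_ms=1):
    """One TCP flow 10.1.1.1:40000 -> 10.2.2.2:443, one packet per ms (constructed)."""
    return [Packet(i, "10.1.1.1", "10.2.2.2", 40000, 443, 6, i * send_interval_ms)
            for i in range(n)]


def compare(n=10):
    flow = make_flow(n)
    return {"per_packet": count_reorders(deliver(flow, per_packet_next_hop)),
            "per_flow": count_reorders(deliver(flow, per_flow_next_hop))}


if __name__ == "__main__":
    print(compare())
```

Per-packet splitting delivers every odd packet after all the even ones that were sent later, which TCP reads as loss; the per-flow hash keeps the whole flow on one path and the order intact, at the cost that a single heavy flow cannot use both links.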

If the memory allocated to the LSDB is not enough, the OL (overload) bit is set (in IS-IS; OSPF's equivalent is described below), indicating that the router's LSDB has been overloaded. The router can still be used to reach its own links, but is no longer used as a transit router, essentially turning it into a stub router. Nowadays such memory shortages are no longer a worry, but the OL bit serves another function: preventing unintentional blackholing of packets in a BGP transit network.

In an AS, edge routers usually form iBGP neighbor adjacencies even though they are multiple routers apart. They need to know 1) how to reach the iBGP peer, and 2) how to reach the external AS connected to that iBGP peer. Even when the edge routers can reach each other, transit routers in between that do not run BGP have no route to the external prefixes and blackhole the transit traffic. So all transit routers must run BGP, with a full iBGP mesh between them. This is where the overload indication comes in: a router that is not yet ready to carry transit traffic (for example, while its BGP sessions are still converging) marks itself overloaded so that the IGP routes around it. OSPF's equivalent is to originate a T1 LSA with the transit links at metric 0xFFFF (the maximum). This metric marks the links as unreachable, so the router is not included as a transit node on the SPF tree. Stub links connected to the router are advertised with their normal metrics, so they remain reachable while the router is in overload.

When OSPF packets have to cross links with a low MTU, one of 3 things can relieve this:
- Fragmentation
- Perform path MTU discovery and adjust transmitted unit sizes; adds complexity
- Limit information units so that they cannot exceed any MTU size; not practical
OSPF packets are encapsulated in IP packets and therefore, by default, are fragmented appropriately.

A demand circuit is a type of connection that can stop transmitting when it is not necessary. An OSPF extension makes the following modifications:
- Hellos are only sent initially, to bring up the circuit for the initial database synchronization. Once the LSDBs are the same, no Hellos are sent
- LSAs are flooded across the demand circuit during synchronization, but not periodically refreshed. Only changes to LSAs trigger new LSAs to be flooded. Such LSAs have the DNA (DoNotAge) bit set, which is the highest bit of the Age field. To show that it can accept DNA LSAs, a router sets the DC bit in the Options field of its Hello and DD packets. If one router in the area does not support DNA LSAs, all DNA LSAs are flushed from every LSDB in the area, and the originating router has to reissue a new copy without the DNA bit set and refresh it periodically as usual.
The DNA bit in an LSA means the LSA will never reach MaxAge: its age is still incremented at each hop on the way to the destination LSDB, but not once it is installed there. With no Hellos, the link cannot detect neighbor failure. An OSPF extension detects neighbor failure with neighbor probing, which only happens when the link is already up for other reasons. LSAs are only flooded across the demand circuit if:
- the LSA's Options field changes
- the Length field in the LSA header changes
- a new instance of the LSA is received with an age of MaxAge or DNA + MaxAge
- the contents of the LSA have changed, excluding the 20-byte header (the sequence number and checksum change frequently and are not considered topology changes)
Running demand circuits in a modern network is not a very good option, because a variety of problems can be created. One remaining use of the demand circuit machinery is to limit overall flooding, with the ip ospf flood-reduction command.

Security refers to a system's resistance to intentional harm; reliability refers to its resistance to unintentional harm. Although the most commonly attacked routing protocol is BGP, because it is external, that does not mean your IGP is safe. In a sense the IGP may be more vulnerable, because it trusts every router it peers with and every router in the routing domain. An attack attempts to alter the normal behavior of a protocol in one of 4 ways:
- Disclosure: obtaining protocol data in order to study and exploit weaknesses in the system
- Deception: tricking the target protocol into accepting routing messages from the attacker as if they came from a legitimate peer
- Disruption: preventing the target protocol from functioning correctly, for example by a DoS flood of messages
- Usurpation: gaining control over the routing protocol on one or more routers
These methods can be used to direct traffic to an illegitimate device or to create a blackhole. The attack can aim at one of these components:
- Hello protocol: bogus Hellos pretending to come from a legitimate peer, carrying incompatible parameters, causing the adjacency to fail
- Flooding process: spoofed LSAs claiming to come from legitimate routers, triggering heavy flooding
- LSDB: spoofed LSAs causing incorrect routing or memory overflow
- Aging: flushing LSAs from the LSDB by sending spoofed LSAs already at MaxAge
- Sequence number: spoofed LSAs with the maximum sequence number, forcing a sequence-number rollover
- DR process: bogus Hellos with a null or illegitimate DR/BDR field, so that normal routers fall out of sync with the DR, accept illegitimate information from the DR, or see the link as failed
- Options flags: incompatible settings that cause the adjacency to fail, or allow illegitimate routers to inject misleading information
Non-malicious threats are the result of either misconfiguration or implementation problems. Here are some practices you can use to secure your network; the most important ones are those you practice every day:
- Redundancy in system components: power supply, route processor module, cooling system, router
- Redundancy in network links and network nodes
- When connecting to a router outside of your administrative control, use either static routes or BGP, never an IGP
- Use unicast reverse path forwarding (uRPF) to check the source address of incoming packets against the unicast routing table and drop spoofed packets
- Use packet filtering
- Use rate limiting to keep the router from being overwhelmed by bursts

When OSPF receives an unknown LSA, it is dropped. So when you want to deploy optional LSAs, either make sure that all routers support them, or carefully design your network so that optional LSAs never need to be flooded through a router that does not. Opaque LSAs are intended to add flexibility to OSPF: a generalized LSA that can disseminate arbitrary data from router to router, using OSPF as a transport for information that did not exist when OSPF was defined as well as for features relevant to OSPF route calculation. An Opaque LSA has one of 3 flooding scopes:
- Link-local scope is limited to a single link and is never forwarded by routers: T9 LSA
- Area-local scope is limited to a single area; ABRs do not forward it to other areas: T10 LSA
- AS scope covers the whole AS the router resides in; not permitted in stub areas: T11 LSA
The Opaque LSA has an Opaque Type field whose decimal value denotes what feature information the LSA carries.
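The aging and sequence-number attacks listed above leave fingerprints in the 20-byte LSA header, and a spoofed LSA whose Fletcher checksum does not verify is rejected before it can do harm. As an added example (not from the notes), here is a small screener that parses LSA headers, verifies the checksum, and flags MaxAge, MaxSequenceNumber, the reserved sequence value and the DNA bit. The sample LSAs are constructed, not captured; the checksum routine is the standard ISO 8473 Fletcher computation OSPF uses.

```python
"""Screen OSPF LSA headers for the aging and sequence-number abuses listed above.

Added example, not from the notes. The LSAs below are constructed, not captured.
"""
import struct

LSA_HDR = struct.Struct("!HBBIIIHH")  # age, options, type, LS ID, adv router, seq, checksum, length
MAX_AGE = 3600
DO_NOT_AGE = 0x8000               # DNA bit: high bit of the Age field
MAX_SEQ = 0x7FFFFFFF              # MaxSequenceNumber
RESERVED_SEQ = 0x80000000         # never valid in OSPF


def fletcher16(data, cksum_offset=None):
    """OSPF (ISO 8473) Fletcher checksum over `data` = LSA minus its 2-byte Age.
    With cksum_offset, return the 2 bytes to store there; without it, verify."""
    c0 = c1 = 0
    for b in data:
        c0 = (c0 + b) % 255
        c1 = (c1 + c0) % 255
    if cksum_offset is None:
        return c0 == 0 and c1 == 0
    x = ((len(data) - cksum_offset - 1) * c0 - c1) % 255 or 255
    y = (-c0 - x) % 255 or 255
    return bytes([x, y])


def build_lsa(age, ls_type, ls_id, adv_router, seq, body=b"", options=0x02):
    """Pack an LSA with a correct checksum (the checksum sits at LSA bytes 16-17)."""
    length = LSA_HDR.size + len(body)
    lsa = bytearray(LSA_HDR.pack(age, options, ls_type, ls_id, adv_router, seq, 0, length) + body)
    lsa[16:18] = fletcher16(bytes(lsa[2:]), cksum_offset=14)
    return bytes(lsa)


def inspect_lsa(lsa):
    """Return the list of anomaly flags for one LSA (empty list = looks normal)."""
    age, _opts, ls_type, _ls_id, _adv, seq, _cksum, length = LSA_HDR.unpack_from(lsa)
    flags = []
    if length > len(lsa) or not fletcher16(lsa[2:length]):
        flags.append("bad-checksum")       # spoofed or corrupted; must be dropped
    if age & DO_NOT_AGE:
        flags.append("do-not-age")         # only legitimate on demand circuits
        age &= ~DO_NOT_AGE
    if age >= MAX_AGE:
        flags.append("maxage-flush")       # premature aging attempt
    if seq == MAX_SEQ:
        flags.append("max-sequence")       # forces a sequence-number rollover
    if seq == RESERVED_SEQ:
        flags.append("reserved-sequence")
    if not 1 <= ls_type <= 11:
        flags.append("unknown-type")
    return flags


def screen(lsas):
    return {name: inspect_lsa(lsa) for name, lsa in lsas.items()}


# Constructed samples: one Router LSA per case, advertising routers 10.0.0.x.
SAMPLE_LSAS = {
    "normal": build_lsa(100, 1, 0x0A000001, 0x0A000001, 0x80000005),
    "premature-flush": build_lsa(MAX_AGE, 1, 0x0A000002, 0x0A000002, 0x80000005),
    "seq-rollover": build_lsa(100, 1, 0x0A000003, 0x0A000003, MAX_SEQ),
    "demand-circuit": build_lsa(DO_NOT_AGE | 200, 1, 0x0A000004, 0x0A000004, 0x80000005),
}
_tampered = bytearray(SAMPLE_LSAS["normal"])
_tampered[11] ^= 0x01          # flip one bit of Advertising Router without fixing the checksum
SAMPLE_LSAS["tampered"] = bytes(_tampered)

if __name__ == "__main__":
    for name, flags in screen(SAMPLE_LSAS).items():
        print(f"{name:16s} {flags}")
```

A MaxAge or MaxSequenceNumber instance is not malicious by itself (both occur in normal operation), so in practice these flags are counted per advertising router and alerted on when they cluster; the checksum failure is the one that should never appear from a healthy neighbor.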
Opaque Type values:
- 1: Traffic Engineering LSA, used for MPLS-TE
- 2: Sycamore Optical Topology Descriptions, used to communicate details of optical topologies such as switch capabilities and traffic engineering parameters for optical trunk groups and hybrid mesh-ring optical networks. Not discussed in this book.
- 3: Grace LSA, used for OSPF graceful restart
- 4: Router Information LSA, used for advertising optional capabilities
- 5-127: Unassigned; can be allocated by the IANA through the OSPF working group for future Opaque LSA types
- 128-255: Reserved; set aside for private and experimental use

The Opaque ID field uses 24 bits to give a unique ID within the specific Opaque Type. Opaque LSAs are only flooded to neighbors that support them, indicated by the O bit in the Options field. The Router Information (RI) Opaque LSA (Opaque Type 4) has been proposed to replace such single-purpose capability bits: it carries a Capabilities TLV whose 32-bit value field can signal up to 32 capabilities, and further TLVs can be added after it, so it is easily expanded. The capability bits are:
- Bits 0-3: Reserved
- Bit 4: OSPF graceful restart capable
- Bit 5: OSPF graceful restart helper
- Bit 6: Stub router support
- Bit 7: Traffic engineering support
- Bit 8: OSPF point-to-point over LAN
- Bit 9: OSPF path computation server discovery
- Bits 10-31: Future assignments

The Route Tag field is a 32-bit field present in T5 and T7 LSAs.

Multiprotocol label switching (MPLS) separates the intelligence that decides how to forward packets from the actual packet forwarding. Currently MPLS is used to provide WAN access without needing special infrastructure such as Frame Relay or ATM. A virtual circuit here refers to the series of forwarding table entries that switch a given packet along a path from an ingress point to an egress point; an MPLS virtual circuit is called a label-switched path (LSP). MPLS is "multiprotocol" in that it can run over any L2 and carry any L3 protocol, because it sits between those layers. MPLS uses a 20-bit label; labels have local significance only and are written in decimal. When MPLS runs over ATM, the VPI and VCI fields are used as the label.

Routers running MPLS are called label-switching routers (LSR). They have switching tables (depending on the implementation, a separate table or part of the RIB) that map incoming labels to outgoing labels and interfaces. The label of an incoming packet is changed if the destination is not the router itself. The router originating the MPLS packet is the ingress LSR; it PUSHes the label onto an IP packet by encapsulating it in an MPLS header. The last router receiving the MPLS packet is the egress LSR; it decapsulates, or POPs, the MPLS header and forwards the packet inside as a normal packet. Routers that SWAP labels are transit LSRs. For a given unidirectional LSP a router is exactly one of ingress, egress or transit LSR; it can play a different role for a different LSP. So for 2 distant routers to talk to each other, 2 LSPs are needed, one in each direction. Packets that are forwarded in the same way (same label, meaning the same outgoing interface, the same queue, the same policy, etc.) are said to be in the same forwarding equivalence class (FEC).
In MPLS, the label is used to define the outgoing interface. Using the same label means a set of packets will be forwarded in the same manner; the label is therefore bound to a particular FEC describing how the packets should be forwarded.

A signaling protocol is used to establish the LSP from the ingress LSR to the egress LSR. The ingress LSR first sends a path request to the address (usually the loopback) of the egress LSR, which then issues path setup messages that are passed hop by hop from the egress LSR back to the ingress LSR. Every transit LSR on the way dynamically assigns an available label from its label pool to set up the incoming and outgoing labels for the LSP. When the path setup message reaches the ingress LSR, the entire LSP is set up, from the egress LSR to the ingress LSR. There are 3 signaling protocols:
- LDP is a simple protocol used with MPLS-based VPN services; it follows the shortest path provided by the IGP. It allows peer relationships with routers that are or are not neighbors. It establishes a session, then exchanges prefix/FEC and label information.
- CR-LDP allows traffic engineering and is used by Nortel.
- RSVP-TE performs the same function as CR-LDP and is the choice of Cisco and Juniper. Label requests are sent in PATH messages and binding is done with RESV messages. The EXPLICIT-ROUTE object defines the path over which the setup messages are routed.
Tag distribution protocol (TDP) is Cisco proprietary, used for Cisco tag switching. It uses the same labels as LDP but a different message format. LDP and TDP can be supported on the same device.

The MPLS header is 4 bytes and is inserted between the data link and network headers. It has:
- Label (20 bits)
- EXP (3 bits): the experimental field, used like the CoS/ToS field of the IPv4 header
- S (1 bit): the bottom-of-stack bit, used for label stacking, i.e. encapsulating one MPLS packet within another, which allows tunneling. If 0, another label follows this one; if 1, this is the last MPLS header before the payload
- TTL (8 bits): works like the TTL field in IPv4. It is copied from the IPv4 header when the packet enters the ingress LSR, and written back into the IPv4 TTL when the packet leaves the egress LSR. Note: TTL propagation can be disabled, so that the TTL is decremented only at the ingress router and again at the egress.
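The push/swap/pop roles from the earlier paragraph and the header layout just described, as an added example (not from the notes and not any vendor's code): a 4-byte label-stack encoder/decoder and a walk of one packet over a constructed three-LSR LSP (PE1 ingress, P1 transit, PE2 egress). The FEC, labels, interface names and the TTL behaviour with propagation on and off are assumptions made for the example.

```python
"""MPLS label push / swap / pop over a three-LSR LSP, with the 4-byte header encoded as described.

Added example, not from the notes. LSR names, labels, interfaces and the FEC are constructed.
"""
import ipaddress
import struct


def encode_label(label, exp=0, s=0, ttl=64):
    """Pack one 32-bit label stack entry: label(20) | EXP(3) | S(1) | TTL(8)."""
    assert 0 <= label < 1 << 20 and 0 <= exp < 8 and s in (0, 1) and 0 <= ttl < 256
    return struct.pack("!I", (label << 12) | (exp << 9) | (s << 8) | ttl)


def decode_stack(data):
    """Read label entries until the bottom-of-stack bit; return (entries, payload)."""
    entries, off = [], 0
    while True:
        (word,) = struct.unpack_from("!I", data, off)
        entries.append((word >> 12, (word >> 9) & 0x7, word & 0xFF))
        off += 4
        if (word >> 8) & 0x1:          # S=1: this was the last label
            return entries, data[off:]


def encode_stack(entries, payload):
    last = len(entries) - 1
    return b"".join(encode_label(l, e, int(i == last), t)
                    for i, (l, e, t) in enumerate(entries)) + payload


# Constructed LSP PE1 -> P1 -> PE2 for FEC 10.2.0.0/16; each label has meaning only on its LSR.
INGRESS_FEC = {ipaddress.ip_network("10.2.0.0/16"): (1001, "ge-0/0/1")}
LFIB = {                                  # in label -> (action, out label, out interface)
    "P1":  {1001: ("swap", 2002, "ge-0/0/2")},
    "PE2": {2002: ("pop", None, "ge-0/0/3")},
}


def walk_lsp(dst_ip, ip_packet, ip_ttl, propagate_ttl=True):
    """Carry one IP packet over the LSP; return (per-hop trace, payload, IP TTL at egress)."""
    dst = ipaddress.ip_address(dst_ip)
    try:
        label, ifc = next(v for net, v in INGRESS_FEC.items() if dst in net)
    except StopIteration:
        raise LookupError(f"no FEC for {dst_ip}")
    # Ingress PUSH. With TTL propagation the (decremented) IP TTL seeds the label TTL;
    # without it the label starts at 255 so the core hops never show up in the IP TTL.
    label_ttl = ip_ttl - 1 if propagate_ttl else 255
    frame = encode_stack([(label, 0, label_ttl)], ip_packet)
    trace = [("PE1", "push", ifc, decode_stack(frame)[0])]
    for lsr in ("P1", "PE2"):
        entries, payload = decode_stack(frame)
        top_label, exp, ttl = entries[0]
        action, out_label, ifc = LFIB[lsr][top_label]
        if ttl <= 1:
            raise ValueError(f"{lsr}: label TTL expired")
        if action == "swap":
            frame = encode_stack([(out_label, exp, ttl - 1)] + entries[1:], payload)
            trace.append((lsr, "swap", ifc, decode_stack(frame)[0]))
        else:  # egress POP: forward the inner packet as plain IP
            # propagation on: label TTL (minus this hop) is written back into the IP header;
            # off: only ingress and egress decremented the IP TTL, whatever the core hop count
            egress_ttl = ttl - 1 if propagate_ttl else ip_ttl - 2
            trace.append((lsr, "pop", ifc, entries[1:]))
            return trace, payload, egress_ttl


if __name__ == "__main__":
    print(walk_lsp("10.2.5.7", b"IP-PACKET", 64))
    print(walk_lsp("10.2.5.7", b"IP-PACKET", 64, propagate_ttl=False))
```

With propagation on, the IP TTL leaves the egress at 61 (three hops consumed); with it off, it leaves at 62, and a customer traceroute sees the provider core as a single hop.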
Disabling TTL propagation in this way hides the provider's cloud hops from the customer.

Traffic engineering allows a more flexible choice of routes between the ingress and egress LSR. The LSP can be manipulated using:
- Maximum bandwidth: the bandwidth of the interface, either the actual bandwidth or the value configured with bandwidth
- Maximum reservable bandwidth: the amount of bandwidth that LSPs can reserve on the link
- Unreserved bandwidth: the amount of bandwidth remaining
- TE metric: used like the IGP metric but configured independently of it
- Administrative group: up to 32 groups a link can belong to. Usually named after colors, they constrain which links an LSP may use.

Each LSP is assigned a priority used to contend for bandwidth (a setup/holding priority carried in the signaling, not a field in the MPLS packet). There are 8 levels, 0 to 7, with 0 being the highest. If a link has been assigned more load than it can handle (oversubscription) and all LSPs want to use it, some of them cannot: LSPs with lower priority lose to LSPs with higher priority and must seek an alternative path to the egress LSR. OSPF and IS-IS can carry and collect the TE parameters and store them in a local database called the TED. The best MPLS paths are then worked out using a modified version of SPF called CSPF, where C stands for constrained. The resulting path is fed to the signaling protocol to establish the wanted LSP.

In OSPF the TE parameters are carried in T10 LSAs, which perform basically the same function as T1 LSAs: identify the originating router, the router's neighbors, and the TE parameters. A T10 LSA has area flooding scope, meaning all routers in that area have to accept Opaque LSAs. It is used together with the local T2 LSAs in CSPF. Its Opaque Type is 1. There are 2 kinds of TLV a T10 LSA can carry:
- Router Address TLV (TLV type 1) carries in its value field an always-reachable IPv4 loopback address of the originating router. This address is normally also the RID of the originator, but what matters here is that it serves as the endpoint of any LSP egressing the originator.
- Link TLV (TLV type 2) describes the TE parameters of a single link. Its value is a set of sub-TLVs. The format of a sub-TLV is the same as any other TLV; it is a sub-TLV only by virtue of being in the value field of another TLV. The sub-TLVs of the Link TLV, and their types, are:
- Link Type (type 1) carries as its value a 1-byte field specifying the type of link: point-to-point (link type 1) or multi-access (link type 2).
- Link ID (type 2) serves the same purpose, and uses the same semantics, as the Link ID in Router LSAs: it identifies the LSR at the other end of the link. If the link type is 1 (point-to-point), the Link ID is the RID of the neighbor. If the link type is 2 (multi-access), the Link ID is the interface address of the DR.
- Local Interface IP Address (type 3) specifies the IP address of the originator's interface to the link. This sub-TLV can carry multiple IP addresses if the interface has more than one.
- Remote Interface IP Address (type 4) specifies the IP address or addresses of the neighbor's interface to the link, if the link is point-to-point. If the link is multi-access, the value is 0.0.0.0 or the sub-TLV is omitted altogether.
- Traffic Engineering Metric (type 5) carries a 4-byte TE metric.
- Maximum Bandwidth (type 6) carries the maximum bandwidth: a 4-byte IEEE single-precision floating-point value in bytes (not bits) per second.
- Maximum Reservable Bandwidth (type 7) carries the maximum reservable bandwidth, also a 4-byte floating-point value in bytes per second.
- Unreserved Bandwidth (type 8) carries the unreserved bandwidth for each of the eight setup priority levels 0 through 7, listed in order from 0 to 7. Each bandwidth is a 4-byte number (again in bytes per second), so the value field of this sub-TLV is 32 bytes long.
- Administrative Group (type 9) specifies the administrative group (link color) or groups the link is assigned to. The value is a 32-bit field, each bit representing one of the 32 possible groups; if a bit is set, the link belongs to the group at that bit position. The most significant bit corresponds to administrative group 31 and the least significant bit to group 0. In Figure 11.7 the link's affinity bits (yet another name for administrative group) are 0x3, so the link belongs to groups 1 and 0 (and hence to whatever colors the network administrator has associated with those two numbers). In Figure 11.8 this same TLV value is labeled "color", and the value 0 indicates that the links in the database belong to no administrative group.
Every Link TLV must carry the type 1 and type 2 sub-TLVs; the other sub-TLVs are optional.
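The TE LSA layout above, as an added example (not from the notes): a parser for the Opaque Type 1 LSA body that splits the Link State ID into Opaque Type and Opaque ID, walks the Router Address and Link TLVs with their 4-byte padding, converts the floating-point bytes/s bandwidths to bits/s, expands the administrative-group bitmask (LSB = group 0) and rejects a Link TLV that lacks the mandatory Link Type or Link ID sub-TLV. The sample LSA body (one point-to-point link from 10.0.0.1 to 10.0.0.2 at 1 Gbit/s, colors 0 and 1) is constructed inline.

```python
"""Parse the TE (Opaque Type 1) LSA body into Router Address and Link TLVs.

Added example, not from the notes. The LSA body below is constructed.
"""
import struct

SUB_TLV = {1: "link_type", 2: "link_id", 3: "local_addr", 4: "remote_addr", 5: "te_metric",
           6: "max_bw", 7: "max_resv_bw", 8: "unreserved_bw", 9: "admin_group"}


def split_opaque_ls_id(ls_id):
    """Link State ID of an Opaque LSA = Opaque Type (8 bits) + Opaque ID (24 bits)."""
    return ls_id >> 24, ls_id & 0xFFFFFF


def iter_tlvs(data):
    """Yield (type, value) from a TLV sequence; values are padded to 4-byte boundaries."""
    off = 0
    while off + 4 <= len(data):
        t, length = struct.unpack_from("!HH", data, off)
        value = data[off + 4: off + 4 + length]
        if len(value) != length:
            raise ValueError(f"truncated TLV type {t}")
        yield t, value
        off += 4 + ((length + 3) & ~3)


def ip4(b):
    return ".".join(str(x) for x in b)


def bits_per_s(b):
    """Bandwidth sub-TLVs carry IEEE single-precision bytes/s; convert to bits/s."""
    return struct.unpack("!f", b)[0] * 8


def decode_sub_tlv(t, v):
    if t == 1:
        return v[0]                                  # 1 = point-to-point, 2 = multi-access
    if t == 2:
        return ip4(v)                                # neighbor RID or DR interface address
    if t in (3, 4):
        return [ip4(v[i:i + 4]) for i in range(0, len(v), 4)]
    if t == 5:
        return struct.unpack("!I", v)[0]
    if t in (6, 7):
        return bits_per_s(v)
    if t == 8:
        return [bits_per_s(v[i:i + 4]) for i in range(0, 32, 4)]   # priorities 0..7
    if t == 9:
        (group,) = struct.unpack("!I", v)
        return [bit for bit in range(32) if group >> bit & 1]     # LSB = group 0, MSB = group 31
    return v                                         # unknown sub-TLV: keep raw


def parse_te_lsa(ls_id, body):
    opaque_type, opaque_id = split_opaque_ls_id(ls_id)
    if opaque_type != 1:
        raise ValueError(f"opaque type {opaque_type} is not a TE LSA")
    result = {"opaque_id": opaque_id, "router_address": None, "links": []}
    for t, v in iter_tlvs(body):
        if t == 1:
            result["router_address"] = ip4(v)
        elif t == 2:
            link = {SUB_TLV.get(st, st): decode_sub_tlv(st, sv) for st, sv in iter_tlvs(v)}
            if "link_type" not in link or "link_id" not in link:
                raise ValueError("Link TLV lacks a mandatory Link Type / Link ID sub-TLV")
            result["links"].append(link)
    return result


# --- constructed sample: one P2P link 10.0.0.1 -> 10.0.0.2, 1 Gbit/s, admin groups 0 and 1 ---
def tlv(t, value):
    return struct.pack("!HH", t, len(value)) + value + b"\0" * (-len(value) % 4)


def bw(bits):
    return struct.pack("!f", bits / 8)


SAMPLE_LS_ID = (1 << 24) | 7   # Opaque Type 1, Opaque ID 7
SAMPLE_BODY = tlv(1, bytes([10, 0, 0, 1])) + tlv(2, b"".join([
    tlv(1, bytes([1])),
    tlv(2, bytes([10, 0, 0, 2])),
    tlv(3, bytes([10, 1, 12, 1])),
    tlv(4, bytes([10, 1, 12, 2])),
    tlv(5, struct.pack("!I", 10)),
    tlv(6, bw(1_000_000_000)),
    tlv(7, bw(800_000_000)),
    tlv(8, b"".join(bw(800_000_000 - 100_000_000 * p) for p in range(8))),
    tlv(9, struct.pack("!I", 0x3)),
]))

if __name__ == "__main__":
    print(parse_te_lsa(SAMPLE_LS_ID, SAMPLE_BODY))
```

Unknown sub-TLV types are kept as raw bytes rather than rejected, which is how a router is expected to treat them; a missing mandatory sub-TLV, by contrast, makes the Link TLV unusable for CSPF, so the parser refuses it.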

Multi-topology routing is an efficient way to run multiple services. When you want to separate the processes, you could run different OSPF instances and segregate them with different authentication per instance. However, this is inefficient: multiple databases have to be maintained and multiple adjacencies may form across a single link. An extension of OSPF supports multiple topologies (MT) instead:
- Each logical topology is assigned an MT ID that is tagged onto the LSAs
- A separate SPF is run for each topology
- Each OSPF interface is assigned one or more MT IDs to designate which topologies run on that interface
- Adjacencies are established as if only one instance of OSPF were running (an adjacency is not specific to any topology), and Hellos are sent to neighbors regardless of MT membership. DR/BDR election is independent of the individual topologies
- An LSA must be flooded even if it is not relevant to the MTs the receiving router runs. In other words, topology changes affect the default topology, so routers using that topology (all routers) must acknowledge the change
- Route information for different MTs is stored in different RIBs
The RFC proposes to reuse the obsolete ToS fields in the LSAs to carry MT information. A T1 LSA originated by an MT-OSPF router indicates the router's links and which MT each belongs to. T3, T4, T5 and T7 LSAs likewise indicate the MT of the prefix they carry.

The default topology, MT ID 0, consists of all routers and links. Routers that do not understand MT-OSPF interpret MT ID 0 as ToS 0, the default behavior, so only use the non-default MT IDs among routers that understand MT-OSPF. MT IDs range from 1 to 127, and the per-ToS Link Metric fields are used to carry the MT metrics instead. T1 LSAs use a 16-bit metric; T4, T5 and T7 LSAs use a 24-bit metric. A link can be exempted from the SPF calculation in the default topology. All routers in the area have to support MT-OSPF for this. Support is signaled by turning on the MT bit in the Hello, which is really just the old ToS (T) bit. With the bit on, a router only forms adjacencies with routers that support MT-OSPF and have the MT bit enabled; other Hellos are dropped. With it off, the router forms adjacencies with any other OSPF router. A link to be exempted from the default topology also has its default Metric field set to infinity (0xFFFF), so it is ignored in the default topology.
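The per-topology SPF and separate RIBs described above, as an added example (not from the notes): a Dijkstra run once per MT ID over a constructed four-router topology in which the R1-R3 link carries the 0xFFFF default-topology metric and so exists only in MT 3. The routers, metrics and the choice of MT ID 3 are assumptions for the example.

```python
"""One SPF per topology (MT-OSPF): separate RIBs, and a link excluded from MT 0 by metric 0xFFFF.

Added example, not from the notes. Topology, metrics and MT IDs are constructed.
"""
import heapq

INFINITY_METRIC = 0xFFFF   # 16-bit T1 LSA metric meaning "not in this topology"

# Constructed router-LSA view: router -> [(neighbor, {mt_id: metric})].
# MT 0 is the default topology (all routers); MT 3 is a second topology (e.g. for voice).
# R1-R3 is exempted from MT 0 but is the preferred path in MT 3.
LINKS = {
    "R1": [("R2", {0: 10, 3: 10}), ("R3", {0: INFINITY_METRIC, 3: 5})],
    "R2": [("R1", {0: 10, 3: 10}), ("R4", {0: 10, 3: 10})],
    "R3": [("R1", {0: INFINITY_METRIC, 3: 5}), ("R4", {0: 10, 3: 5})],
    "R4": [("R2", {0: 10, 3: 10}), ("R3", {0: 10, 3: 5})],
}


def spf(root, mt_id, links=LINKS):
    """Dijkstra over the links that belong to topology mt_id; returns (cost, prev) maps."""
    cost, prev, heap = {root: 0}, {}, [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > cost[u]:
            continue                      # stale heap entry
        for v, metrics in links.get(u, []):
            m = metrics.get(mt_id)
            if m is None or m == INFINITY_METRIC:
                continue                  # link not advertised in this topology
            if d + m < cost.get(v, float("inf")):
                cost[v], prev[v] = d + m, u
                heapq.heappush(heap, (d + m, v))
    return cost, prev


def path(prev, root, dst):
    hops = [dst]
    while hops[-1] != root:
        hops.append(prev[hops[-1]])
    return hops[::-1]


def build_ribs(root, mt_ids=(0, 3), links=LINKS):
    """One RIB per MT ID: {mt_id: {destination: (cost, path)}}."""
    ribs = {}
    for mt in mt_ids:
        cost, prev = spf(root, mt, links)
        ribs[mt] = {dst: (c, path(prev, root, dst)) for dst, c in cost.items() if dst != root}
    return ribs


if __name__ == "__main__":
    for mt, rib in build_ribs("R1").items():
        print(f"MT {mt}: {rib}")
```

Both RIBs reach every router, as they must since adjacencies are shared, but R1 reaches R3 in three hops via R2 and R4 in the default topology and directly in MT 3; one LSDB, one set of adjacencies, two trees.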
