Using the OSPF Forwarding Address for traffic-steering
In this fairly short post, I’d like to address a topic that came up on IRC (#cciestudy @ freenode.net). It’s about how you select a route that’s being redistributed into an OSPF NSSA area and comes into the OSPF backbone area 0.
For my post I will be using the very simple topology below. Nothing else is necessary to illustrate what is going on.
First off, I’d like to clarify a few things about what takes place when redistributing routes into an NSSA area.
What happens is that you have an external network, 4.4.4.4/32 in our example. This is _not_ part of the current area 1. When this network is being redistributed into area 1, its forwarding address will be set to the highest active interface of the redistributing router in the area (R4 in our case). The highest interface in the area local to the router is Loopback100 with an address of 44.44.44.44/32.
*A reader noted that a loopback address will beat a physical interface even if it has a lower address. This is true and goes for OSPF in general. Thanks!
Let’s verify the configuration on R4 and the result of the redistribution to the OSPF database:
R4#sh run | sec router ospf
router ospf 100
 router-id 144.144.144.144
 log-adjacency-changes
 area 1 nssa
 redistribute connected subnets
 network 10.2.0.0 0.0.255.255 area 1
 network 10.3.0.0 0.0.255.255 area 1
 network 44.44.44.44 0.0.0.0 area 1
So we are running Area 1 on three interfaces connecting to R2 and R3 along with a loopback100 interface.
And the output of the relevant section of the OSPF database is:
R4#sh ip os data nssa
            OSPF Router with ID (144.144.144.144) (Process ID 100)
                Type-7 AS External Link States (Area 1)
  LS age: 408
  Options: (No TOS-capability, Type 7/5 translation, DC)
  LS Type: AS External Link
  Link State ID: 4.4.4.4 (External Network Number )
  Advertising Router: 144.144.144.144
  LS Seq Number: 80000001
  Checksum: 0x4A49
  Length: 36
  Network Mask: /32
        Metric Type: 2 (Larger than any link state path)
        MTID: 0
        Metric: 20
        Forward Address: 44.44.44.44
        External Route Tag: 0
What we are verifying here is that the FA is in fact set according to the aforementioned rules, namely 44.44.44.44.
Let’s take a look at the OSPF configuration of R2 and R3:
R2#sh run | sec router ospf
router ospf 100
 router-id 22.22.22.22
 log-adjacency-changes
 area 1 nssa
 network 10.1.2.0 0.0.0.255 area 0
 network 10.2.4.0 0.0.0.255 area 1
And R3:
R3#sh run | sec router ospf
router ospf 100
 log-adjacency-changes
 area 1 nssa
 network 10.1.3.0 0.0.0.255 area 0
 network 10.3.4.0 0.0.0.255 area 1
Very straightforward so far, with the exception that I have manually set R2’s router-id to force it to be higher than R3’s. This is to prove the point below.
Now what we should ideally see is that the ABR (R2 or R3) with the highest router-id will do the type-7 to type-5 translation and preserve the FA of the type-7. What we would like to see on R1 is a type-5 LSA with a Forwarding Address of 44.44.44.44, with the advertising router being R2 (22.22.22.22). Let’s check it out:
R1#sh ip os data ex
            OSPF Router with ID (10.1.3.1) (Process ID 100)
                Type-5 AS External Link States
  Routing Bit Set on this LSA in topology Base with MTID 0
  LS age: 630
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: 4.4.4.4 (External Network Number )
  Advertising Router: 22.22.22.22
  LS Seq Number: 80000001
  Checksum: 0x394E
  Length: 36
  Network Mask: /32
        Metric Type: 2 (Larger than any link state path)
        MTID: 0
        Metric: 20
        Forward Address: 44.44.44.44
        External Route Tag: 0
R1#sh ip route 4.4.4.4
Routing entry for 4.4.4.4/32
  Known via "ospf 100", distance 110, metric 20, type extern 2, forward metric 3
  Last update from 10.1.3.3 on FastEthernet1/1, 00:11:03 ago
  Routing Descriptor Blocks:
    10.1.3.3, from 22.22.22.22, 00:11:03 ago, via FastEthernet1/1
      Route metric is 20, traffic share count is 1
  * 10.1.2.2, from 22.22.22.22, 00:11:03 ago, via FastEthernet1/0
      Route metric is 20, traffic share count is 1
Very good, we are in fact seeing this LSA with the information we expected. We can also see something you might not expect, namely the fact that we have two paths installed in the RIB for 4.4.4.4/32. Why is that?
Well, what R1 really cares about is “how” it can get to the Forwarding Address of the route and in this case, it can get to 44.44.44.44/32 through 2 paths, R2 and R3.
Let’s check out what happens if we block 44.44.44.44/32 going from Area 1 to Area 0 through R2.
R2#sh run | incl prefix-list
ip prefix-list BLOCK-R4-LOOPBACK seq 5 deny 44.44.44.44/32
ip prefix-list BLOCK-R4-LOOPBACK seq 10 permit 0.0.0.0/0 le 32
 area 1 filter-list prefix BLOCK-R4-LOOPBACK out
R2#sh run | sec router ospf
router ospf 100
 router-id 22.22.22.22
 log-adjacency-changes
 area 1 nssa
 area 1 filter-list prefix BLOCK-R4-LOOPBACK out
 network 10.1.2.0 0.0.0.255 area 0
 network 10.2.4.0 0.0.0.255 area 1
Let’s see what this does to the RIB of R1:
R1#sh ip route | beg Gateway
Gateway of last resort is not set
      4.0.0.0/32 is subnetted, 1 subnets
O E2     4.4.4.4 [110/20] via 10.1.3.3, 00:16:43, FastEthernet1/1
      10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
C        10.1.2.0/24 is directly connected, FastEthernet1/0
L        10.1.2.1/32 is directly connected, FastEthernet1/0
C        10.1.3.0/24 is directly connected, FastEthernet1/1
L        10.1.3.1/32 is directly connected, FastEthernet1/1
O IA     10.2.4.0/24 [110/2] via 10.1.2.2, 00:16:47, FastEthernet1/0
O IA     10.3.4.0/24 [110/2] via 10.1.3.3, 00:23:41, FastEthernet1/1
      44.0.0.0/32 is subnetted, 1 subnets
O IA     44.44.44.44 [110/3] via 10.1.3.3, 00:16:48, FastEthernet1/1
and the LSA is still the same as before:
R1#sh ip os data ex
            OSPF Router with ID (10.1.3.1) (Process ID 100)
                Type-5 AS External Link States
  Routing Bit Set on this LSA in topology Base with MTID 0
  LS age: 1027
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: 4.4.4.4 (External Network Number )
  Advertising Router: 22.22.22.22
  LS Seq Number: 80000001
  Checksum: 0x394E
  Length: 36
  Network Mask: /32
        Metric Type: 2 (Larger than any link state path)
        MTID: 0
        Metric: 20
        Forward Address: 44.44.44.44
        External Route Tag: 0
So what this tells us is that if the Forwarding Address is anything other than 0.0.0.0 (which we’ll cover in a minute) and you don’t have reachability to whatever it’s set to, you cannot install the route in the RIB.
In our case we still have one valid path through R3, so it’s still in the RIB, but without load-balancing.
So to summarize what we have covered so far:
– Even though only 1 ABR creates the new type-5 (type-7 to type-5 translation), you can have load-balancing occurring.
– If you don’t have a valid path to the Forwarding Address, you cannot install the route in the RIB.
Let’s revert our configuration on R2:
R2#sh run | sec router ospf
router ospf 100
 router-id 22.22.22.22
 log-adjacency-changes
 area 1 nssa
 network 10.1.2.0 0.0.0.255 area 0
 network 10.2.4.0 0.0.0.255 area 1
Now let’s take a look at FA-Suppression!
Instead of preserving the FA according to the previously mentioned rules, FA-Suppression sets the Forwarding Address to 0.0.0.0, indicating that the router originating the Type-5 should be used as the exit point.
We’ve already established that R2 is the router performing the Type-7 to Type-5 translation, so let’s do the following configuration on R2:
R2(config-router)#area 1 nssa translate type7 suppress-fa
What does this do to our OSPF database on R1, specifically the Type-5 LSA:
R1#sh ip os data ext
            OSPF Router with ID (10.1.3.1) (Process ID 100)
                Type-5 AS External Link States
  Routing Bit Set on this LSA in topology Base with MTID 0
  LS age: 33
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: 4.4.4.4 (External Network Number )
  Advertising Router: 22.22.22.22
  LS Seq Number: 80000002
  Checksum: 0x96A0
  Length: 36
  Network Mask: /32
        Metric Type: 2 (Larger than any link state path)
        MTID: 0
        Metric: 20
        Forward Address: 0.0.0.0
        External Route Tag: 0
Indeed the Forwarding Address has been set to 0.0.0.0, indicating that the Advertising Router (22.22.22.22) should be used as the exit point. This also has the effect of preventing our load-balancing from occurring:
R1#sh ip route 4.4.4.4
Routing entry for 4.4.4.4/32
  Known via "ospf 100", distance 110, metric 20, type extern 2, forward metric 1
  Last update from 10.1.2.2 on FastEthernet1/0, 00:03:48 ago
  Routing Descriptor Blocks:
  * 10.1.2.2, from 22.22.22.22, 00:03:48 ago, via FastEthernet1/0
      Route metric is 20, traffic share count is 1
So depending on how you want to “steer” your traffic, you might want to consider whether you allow the Forwarding Address through your topology and if you want to use FA suppression or not.
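The behaviour R1 showed in the three cases above can be modelled in a few lines. This is an added example, not code from the original post or from any router: the function names and the RIB dictionaries are assumptions, with the addresses, costs and next hops taken from the outputs in the post.

```python
# Added illustration: a small model of how R1 resolves the Type-5 LSA for
# 4.4.4.4/32. RIB contents are constructed from the outputs in the post.
from ipaddress import ip_address, ip_network

def lookup(rib, addr):
    """Longest-prefix match, considering only intra-/inter-area OSPF routes."""
    hits = [(ip_network(p), r) for p, r in rib.items()
            if r["type"] in ("intra", "inter") and ip_address(addr) in ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def resolve_external(lsa, rib, asbr_paths):
    """Return (next_hops, forward_metric), or None when the LSA is unusable."""
    if lsa["fa"] == "0.0.0.0":
        path = asbr_paths.get(lsa["adv_router"])  # exit via the advertising router
    else:
        path = lookup(rib, lsa["fa"])             # exit via the forwarding address
    return (sorted(path["next_hops"]), path["cost"]) if path else None

def fa_route(next_hops):
    """R1's inter-area route to R4's Loopback100 with the given next hops."""
    return {"44.44.44.44/32": {"type": "inter", "cost": 3, "next_hops": next_hops}}

ASBR = {"22.22.22.22": {"cost": 1, "next_hops": ["10.1.2.2"]}}  # R1's path to R2
LSA_FA = {"prefix": "4.4.4.4/32", "adv_router": "22.22.22.22", "fa": "44.44.44.44"}
LSA_SUPPRESSED = dict(LSA_FA, fa="0.0.0.0")
BOTH = ["10.1.2.2", "10.1.3.3"]

def scenarios():
    return {
        "fa_preserved": resolve_external(LSA_FA, fa_route(BOTH), ASBR),
        "r2_filters_fa": resolve_external(LSA_FA, fa_route(["10.1.3.3"]), ASBR),
        "fa_unreachable": resolve_external(LSA_FA, {}, ASBR),
        "suppress_fa": resolve_external(LSA_SUPPRESSED, fa_route(BOTH), ASBR),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:15} -> {result}")
```

The fa_unreachable case returns None even though R1 can still reach R2, which is why filtering the Forwarding Address on every ABR removes the external route rather than falling back to the advertising router.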
I hope it’s been useful to you!
Take care!