Friday, 21 November 2025

What is OSPFv3 IPsec authentication? How to configure OSPFv3 authentication?

If you're coming from an OSPFv2 world, you're used to typing in a simple ip ospf authentication-key command. When you jump to IPv6 OSPFv3, you might look for the equivalent command and be surprised to find it's not there.





How does OSPFv3 secure its neighbour relationships and routing updates? The answer is a fundamental shift in design: OSPFv3 relies on IPsec authentication. OSPFv3 doesn't include any authentication capabilities of its own. The OSPFv3 authentication field has been removed from OSPFv3 packet headers. OSPFv3 requires the IPv6 authentication header (AH) or IPv6 ESP header to ensure the integrity, authentication, and confidentiality of routing exchanges.


What are the benefits?

This approach has several benefits:

  1. No more cleartext passwords
  2. Stronger crypto (SHA-256, AES)
  3. Leverages existing infrastructure 
  4. Standardization


How does it work?

OSPFv3 supports two methods to implement IPsec.

1. Manual: this is the most straightforward and commonly used method. You manually configure a security policy index (SPI) and a pre-shared key on both routers.


The building blocks:

  • SPI: a number that uniquely identifies the security policy to both routers. It must match on both sides.
  • Authentication algorithm: the hashing algorithm to use (SHA1, SHA256).
  • Encryption key: the actual pre-shared password. It must match on both sides.


2. IPsec profile (the scalable method)

  • For larger networks, manually configuring keys on every interface becomes a management headache. This is where the IPsec profile comes in.

  • An IPsec profile defines the security policy (algorithms, keys, etc.) and is then applied to an OSPFv3 process. This applies the policy to all OSPFv3 interfaces, making it much more scalable.
  • This method is complex to set up, but it is the recommended way for large-scale deployments.


Let's see the configuration. We are going to configure OSPFv3 authentication on the interface, and then area authentication.

Topology:-




Goal: ensure the integrity, authentication, and confidentiality of routing exchanges.
  • Configure the topology as per the diagram 
  • Configure the IPv6 addresses as per the topology
  • Configure OSPFv3, and both routers are in area 0
  • Configure OSPFv3 authentication on the interfaces
  • Erase the previous configuration
  • Reconfigure OSPFv3 authentication for the entire OSPFv3 area 0
  • Verify with show commands and messages.

R1(config)#interface fastethernet 0/0
R1(config-if)#ipv6 address 2001:1212:12:12::1/64
R1(config-if)#no shutdown
R1(config-if)#exit

R1(config)#interface fastethernet 2/0
R1(config-if)#ipv6 address fc00:1111:1111:1111::1/64
R1(config-if)#no shutdown
R1(config-if)#exit

R2(config)#interface fastethernet 0/0
R2(config-if)#ipv6 address 2001:1212:12:12::2/64
R2(config-if)#no shutdown
R2(config-if)#exit

R2(config)#interface fastethernet 2/0
R2(config-if)#ipv6 address fc00:2222:2222:2222::1/64
R2(config-if)#no shutdown
R2(config-if)#exit

R1(config)#ipv6 unicast-routing

R1(config)#ipv6 router ospf 100
R1(config-rtr)#router-id 10.10.10.10
R1(config-rtr)#exit

R1(config)#interface fastethernet 0/0
R1(config-if)#ipv6 ospf 100 area 0
R1(config-if)#exit
R1(config)#interface fastethernet 2/0
R1(config-if)#ipv6 ospf 100 area 0
R1(config-if)#exit

R2(config)#ipv6 unicast-routing

R2(config)#ipv6 router ospf 100
R2(config-rtr)#router-id 20.20.20.20
R2(config-rtr)#exit

R2(config)#interface fastethernet 0/0
R2(config-if)#ipv6 ospf 100 area 0
R2(config-if)#exit
R2(config)#interface fastethernet 2/0
R2(config-if)#ipv6 ospf 100 area 0
R2(config-if)#exit

%OSPFv3-5-ADJCHG: Process 100, Nbr 20.20.20.20 on FastEthernet0/0 from LOADING to FULL, Loading Done
%OSPFv3-5-ADJCHG: Process 100, Nbr 10.10.10.10 on FastEthernet0/0 from LOADING to FULL, Loading Done

R1(config)#interface fastethernet 0/0
R1(config-if)#ipv6 ospf authentication ipsec spi 499 md5 abcdef1234567890abcded1234567890
R1(config-if)#end

%IPSECV6-4-RECVD_PKT_NOT_IPSECV6: Rec'd packet not an IPSEC packet. (ip) dest_addr= FF02::5, src_addr= FE80::C802:63FF:FE30:0, prot= 89

 %OSPFv3-5-ADJCHG: Process 100, Nbr 20.20.20.20 on FastEthernet0/0 from FULL to DOWN, Neighbor Down: Dead timer expired

%IPSECV6-4-RECVD_PKT_NOT_IPSECV6: Rec'd packet not an IPSECv6 packet.
        (ip) dest_addr= FF02::5, src_addr= FE80::C802:63FF:FE30:0, prot= 89

R2(config)#interface fastethernet 0/0
R2(config-if)#ipv6 ospf authentication ipsec spi 499 md5 abcdef1234567890abcded1234567890
R2(config-if)#end

%OSPFv3-5-ADJCHG: Process 100, Nbr 10.10.10.10 on FastEthernet0/0 from LOADING to FULL, Loading Done
%OSPFv3-5-ADJCHG: Process 100, Nbr 20.20.20.20 on FastEthernet0/0 from LOADING to FULL, Loading Done

R1#show ipv6 ospf neighbor

Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
20.20.20.20       1   FULL/DR         00:00:33    4               FastEthernet0/0

R1#show ipv6 route ospf
IPv6 Routing Table - 7 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
O   FC00:2222:2222:2222::/64 [110/2]
     via FE80::C802:63FF:FE30:0, FastEthernet0/0

R2#show ipv6 ospf neighbor

Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
10.10.10.10       1   FULL/BDR        00:00:34    4               FastEthernet0/0

R2#show ipv6 route ospf
IPv6 Routing Table - 7 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
O   FC00:1111:1111:1111::/64 [110/2]
     via FE80::C801:3AFF:FE14:0, FastEthernet0/0
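
The lab above shows what happens while only one end of the link has the authentication command: the neighbour goes down and %IPSECV6-4-RECVD_PKT_NOT_IPSECV6 is logged. The following check is an added example, not part of the original lab; it compares the two ends of a link and pulls the unauthenticated OSPF senders out of the log. The function names and sample configs are constructed here, and it assumes the plaintext key form typed above, with IOS key lengths of 32 hex digits for md5 and 40 for sha1.

```python
import re

# Constructed configs modelled on the lab above. R2 is left without the
# authentication command to reproduce the state that produced the log messages.
R1_CFG = """\
interface FastEthernet0/0
 ipv6 address 2001:1212:12:12::1/64
 ipv6 ospf 100 area 0
 ipv6 ospf authentication ipsec spi 499 md5 abcdef1234567890abcded1234567890
"""
R2_CFG = """\
interface FastEthernet0/0
 ipv6 address 2001:1212:12:12::2/64
 ipv6 ospf 100 area 0
"""
# Constructed syslog sample in the format shown above.
LOGS = """\
%IPSECV6-4-RECVD_PKT_NOT_IPSECV6: Rec'd packet not an IPSEC packet. (ip) dest_addr= FF02::5, src_addr= FE80::C802:63FF:FE30:0, prot= 89
%OSPFv3-5-ADJCHG: Process 100, Nbr 20.20.20.20 on FastEthernet0/0 from FULL to DOWN, Neighbor Down: Dead timer expired
"""

AREA_RE = re.compile(r"^\s*ipv6 ospf \d+ area ")
AUTH_RE = re.compile(
    r"^\s*ipv6 ospf authentication ipsec spi (\d+) (md5|sha1) ([0-9A-Fa-f]+)\s*$")
KEY_HEX_LEN = {"md5": 32, "sha1": 40}  # hex digits expected per algorithm


def parse_ospfv3_auth(config):
    """Return {interface: None | (spi, algorithm, key)} for OSPFv3 interfaces."""
    result, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif current and AREA_RE.match(line):
            result.setdefault(current, None)  # OSPFv3 enabled, auth not seen yet
        elif current and (m := AUTH_RE.match(line)):
            result[current] = (int(m.group(1)), m.group(2), m.group(3).lower())
    return result


def audit_link(side_a, side_b, names=("A", "B")):
    """Compare the two ends of one link and return a list of findings."""
    findings = []
    for name, auth in zip(names, (side_a, side_b)):
        if auth is None:
            findings.append(f"{name}: OSPFv3 enabled without IPsec authentication")
            continue
        spi, alg, key = auth
        if not 256 <= spi <= 4294967295:
            findings.append(f"{name}: SPI {spi} outside 256-4294967295")
        if len(key) != KEY_HEX_LEN[alg]:
            findings.append(f"{name}: {alg} key must be {KEY_HEX_LEN[alg]} hex digits")
        if alg == "md5":
            findings.append(f"{name}: md5 selected, weaker than the SHA options")
    if side_a and side_b and side_a != side_b:
        findings.append("SPI, algorithm or key differs between the two ends")
    return findings


def unauthenticated_ospf_senders(logs):
    """Sources of OSPF (protocol 89) packets that arrived without IPsec."""
    pat = re.compile(
        r"RECVD_PKT_NOT_IPSECV6[^%]*?src_addr= ([0-9A-Fa-f:]+),\s*prot= 89")
    return sorted(set(pat.findall(logs)))


if __name__ == "__main__":
    r1 = parse_ospfv3_auth(R1_CFG)["FastEthernet0/0"]
    r2 = parse_ospfv3_auth(R2_CFG)["FastEthernet0/0"]
    for finding in audit_link(r1, r2, names=("R1", "R2")):
        print(finding)
    print("unauthenticated OSPF from:", unauthenticated_ospf_senders(LOGS))
```
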

Saturday, 15 November 2025

IPv6 Static, Default, and Dynamic routing lab

In this lab, we see the configuration of IPv6 static, default, and dynamic routing protocols. This lab is divided into three parts:

  • IPv6 Static routing
  • IPv6 Default routing
  • IPv6 Dynamic routing


Starting with IPv6 static routing:

Topology:-



  • Configure the topology as per the picture.
  • Configure the IPv6 address as per the topology
  • Configure IPv6 Static routing 
  • Verify the configuration with ping and show commands



R1(config)#ipv6 unicast-routing
R1(config)#interface fastethernet 0/0
R1(config-if)#ipv6 address 2001:1234:1234:1234::1/64
R1(config-if)#no shutdown
R1(config-if)#exit

R1(config)#interface fastethernet 2/0
R1(config-if)#ipv6 address fc00:1111:1111:1111::1/64
R1(config-if)#no shutdown
R1(config-if)#exit

R2(config)#ipv6 unicast-routing
R2(config)#interface fastethernet 0/0
R2(config-if)#ipv6 address 2001:1234:1234:1234::2/64
R2(config-if)#no shutdown
R2(config-if)#exit

R2(config)#interface fastethernet 2/0
R2(config-if)#ipv6 address fc00:1111:1111:2222::2/64
R2(config-if)#no shutdown
R2(config-if)#exit

R1#show ipv6 interface brief
FastEthernet0/0            [up/up]
    FE80::C801:3FFF:FE40:0
    2001:1234:1234:1234::1

ATM1/0                     [administratively down/down]
FastEthernet2/0            [up/up]
    FE80::C801:3FFF:FE40:38
    FC00:1111:1111:1111::1

GigabitEthernet3/0         [administratively down/down]
FastEthernet4/0            [administratively down/down]
FastEthernet4/1            [administratively down/down]

R2#show ipv6 interface brief
FastEthernet0/0            [up/up]
    FE80::C802:6CFF:FE10:0
    2001:1234:1234:1234::2

ATM1/0                     [administratively down/down]
FastEthernet2/0            [up/up]
    FE80::C802:6CFF:FE10:38
    FC00:1111:1111:2222::2

GigabitEthernet3/0         [administratively down/down]
FastEthernet4/0            [administratively down/down]
FastEthernet4/1            [administratively down/down]

PC2> ip auto
GLOBAL SCOPE      : fc00:1111:1111:1111:2050:79ff:fe66:6801/64
ROUTER LINK-LAYER : ca:01:3f:40:00:38

PC7> ip auto
GLOBAL SCOPE      : fc00:1111:1111:2222:2050:79ff:fe66:6805/64
ROUTER LINK-LAYER : cc:04:3e:ac:00:00

R1(config)#ipv6 route fc00:1111:1111:2222::/64 2001:1234:1234:1234::2
R1(config)#end

R2(config)#ipv6 route fc00:1111:1111:1111::/64 2001:1234:1234:1234::1
R2(config)#end

R1#show ipv6 route static
IPv6 Routing Table - 7 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
S   FC00:1111:1111:2222::/64 [1/0]
     via 2001:1234:1234:1234::2


R2#show ipv6 route static
IPv6 Routing Table - 7 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
S   FC00:1111:1111:1111::/64 [1/0]
     via 2001:1234:1234:1234::1


R1#ping fc00:1111:1111:2222::2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FC00:1111:1111:2222::2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/48/64 ms


R1#traceroute fc00:1111:1111:2222::2
Type escape sequence to abort.
Tracing the route to FC00:1111:1111:2222::2
  1 FC00:1111:1111:2222::2 36 msec 32 msec 56 msec

PC2> ping 2001:1234:1234:1234::1/64
2001:1234:1234:1234::1 icmp6_seq=1 ttl=64 time=32.271 ms
2001:1234:1234:1234::1 icmp6_seq=2 ttl=64 time=32.632 ms
2001:1234:1234:1234::1 icmp6_seq=3 ttl=64 time=32.318 ms
2001:1234:1234:1234::1 icmp6_seq=4 ttl=64 time=32.362 ms
2001:1234:1234:1234::1 icmp6_seq=5 ttl=64 time=32.418 ms

PC2> ping 2001:1234:1234:1234::2/64
2001:1234:1234:1234::2 icmp6_seq=1 ttl=63 time=128.036 ms
2001:1234:1234:1234::2 icmp6_seq=2 ttl=63 time=79.702 ms
2001:1234:1234:1234::2 icmp6_seq=3 ttl=63 time=95.755 ms
2001:1234:1234:1234::2 icmp6_seq=4 ttl=63 time=80.116 ms
2001:1234:1234:1234::2 icmp6_seq=5 ttl=63 time=80.655 ms

PC2> ping fc00:1111:1111:2222::2/64
fc00:1111:1111:2222::2 icmp6_seq=1 ttl=63 time=80.813 ms
fc00:1111:1111:2222::2 icmp6_seq=2 ttl=63 time=63.469 ms
fc00:1111:1111:2222::2 icmp6_seq=3 ttl=63 time=80.616 ms
fc00:1111:1111:2222::2 icmp6_seq=4 ttl=63 time=64.005 ms
fc00:1111:1111:2222::2 icmp6_seq=5 ttl=63 time=79.650 ms



Saturday, 30 August 2025

What is an Offset-list? How to configure EIGRP Offset-list?

 What is an Offset-list?

An Offset-list is an EIGRP and RIPv2 feature that allows you to add a fixed value (an “offset”) to the composite metric of a route that matches an access control list (ACL). You can apply this to inbound (IN) and outbound (OUT) routing updates.

By increasing the metric of a route, you make it less preferable. EIGRP will always choose the path with the lower composite metric. It’s a simple yet powerful way to de-prioritize a path without using a route filter to deny it entirely. The offset value to add to the metric can be 1-2147483647.





Why would you use one?

Common use cases include:

  • Basic load balance: making a primary link preferred while keeping a backup link active by making its metric slightly worse.
  • Policy-based routing: influencing outbound traffic to take a specific path based on network policy.
  • Cost engineering: simulating a longer path for a route learned from one neighbor compared to another.

Let's see the configuration:

Topology:-



  • Configure the topology as per the diagram
  • Configure the IP addresses as per the topology 
  • Configure EIGRP 100 to advertise directly connected interfaces
  • Configure a standard access-list that permits the 30.1.1.1 network
  • Make sure router 1 will use the serial 5/0 to reach the 30.1.1.1/8 network
  • Ensure no load balancing is used, by means of the offset list; add 5000 to the metric of the serial 5/3 route.

R1(config)#interface serial 5/0
R1(config-if)#ip address 1.1.1.1 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface serial 5/3
R1(config-if)#ip address 4.4.4.2 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface FastEthernet 0/0
R1(config-if)#ip address 10.1.1.1 255.0.0.0
R1(config-if)#no keepalive
R1(config-if)#no shutdown
R1(config-if)#exit

R2(config)#interface serial 5/0
R2(config-if)#ip address 1.1.1.2 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#interface serial 5/1
R2(config-if)#ip address 2.2.2.1 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#interface FastEthernet 0/0
R2(config-if)#ip address 20.1.1.1 255.0.0.0
R2(config-if)#no keepalive
R2(config-if)#no shutdown
R2(config-if)#exit

R3(config)#interface serial 5/2
R3(config-if)#ip address 3.3.3.1 255.0.0.0
R3(config-if)#no shutdown
R3(config-if)#exit
R3(config)#interface serial 5/1
R3(config-if)#ip address 2.2.2.2 255.0.0.0
R3(config-if)#no shutdown
R3(config-if)#exit
R3(config)#interface FastEthernet 0/0
R3(config-if)#ip address 30.1.1.1 255.0.0.0
R3(config-if)#no keepalive
R3(config-if)#no shutdown
R3(config-if)#exit

R4(config)#interface serial 5/2
R4(config-if)#ip address 3.3.3.2 255.0.0.0
R4(config-if)#no shutdown
R4(config-if)#exit
R4(config)#interface serial 5/3
R4(config-if)#ip address 4.4.4.1 255.0.0.0
R4(config-if)#no shutdown
R4(config-if)#exit
R4(config)#interface FastEthernet 0/0
R4(config-if)#ip address 40.1.1.1 255.0.0.0
R4(config-if)#no keepalive
R4(config-if)#no shutdown
R4(config-if)#exit

R1(config)#router eigrp 100
R1(config-router)#network 10.0.0.0
R1(config-router)#network 1.0.0.0
R1(config-router)#network 4.0.0.0
R1(config-router)#no auto-summary
R1(config-router)#exit


R2(config)#router eigrp 100
R2(config-router)#network 20.0.0.0
R2(config-router)#network 1.0.0.0
R2(config-router)#network 2.0.0.0
R2(config-router)#no auto-summary
R2(config-router)#exit


R3(config)#router eigrp 100
R3(config-router)#network 30.0.0.0
R3(config-router)#network 3.0.0.0
R3(config-router)#network 2.0.0.0
R3(config-router)#no auto-summary
R3(config-router)#exit

R4(config)#router eigrp 100
R4(config-router)#network 40.0.0.0
R4(config-router)#network 3.0.0.0
R4(config-router)#network 4.0.0.0
R4(config-router)#no auto-summary
R4(config-router)#exit

R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    1.0.0.0/8 is directly connected, Serial5/0
D    2.0.0.0/8 [90/2681856] via 1.1.1.2, 00:26:52, Serial5/0
D    3.0.0.0/8 [90/2681856] via 4.4.4.1, 00:26:52, Serial5/3
C    4.0.0.0/8 is directly connected, Serial5/3
D    20.0.0.0/8 [90/2172416] via 1.1.1.2, 00:26:52, Serial5/0
D    40.0.0.0/8 [90/2172416] via 4.4.4.1, 00:26:52, Serial5/3
C    10.0.0.0/8 is directly connected, FastEthernet0/0
D    30.0.0.0/8 [90/2684416] via 4.4.4.1, 00:24:15, Serial5/3
                [90/2684416] via 1.1.1.2, 00:24:15, Serial5/0

R1#traceroute 30.1.1.1

Type escape sequence to abort.
Tracing the route to 30.1.1.1

  1 4.4.4.1 48 msec
    1.1.1.2 28 msec
    4.4.4.1 28 msec
  2 2.2.2.2 80 msec
    3.3.3.1 80 msec
    2.2.2.2 80 msec

R1#show ip route 30.1.1.1 255.0.0.0
Routing entry for 30.0.0.0/8
  Known via "eigrp 100", distance 90, metric 2684416, type internal
  Redistributing via eigrp 100
  Last update from 4.4.4.1 on Serial5/3, 00:01:28 ago
  Routing Descriptor Blocks:
    4.4.4.1, from 4.4.4.1, 00:01:28 ago, via Serial5/3
      Route metric is 2684416, traffic share count is 1
      Total delay is 40100 microseconds, minimum bandwidth is 1544 Kbit
      Reliability 255/255, minimum MTU 1500 bytes
      Loading 1/255, Hops 2
  * 1.1.1.2, from 1.1.1.2, 00:01:28 ago, via Serial5/0
      Route metric is 2684416, traffic share count is 1
      Total delay is 40100 microseconds, minimum bandwidth is 1544 Kbit
      Reliability 255/255, minimum MTU 1500 bytes
      Loading 1/255, Hops 2

As you can see, both route metrics are the same. So now we are going to add 5000 to the metric of the serial 5/3 route.


R1(config)#ip access-list standard Offset
R1(config-std-nacl)#permit 30.0.0.0 0.255.255.255
R1(config-std-nacl)#exit

R1(config)#router eigrp 100
R1(config-router)#offset-list Offset in 5000 serial 5/3
R1(config-router)#end

*Aug 30 16:14:11.471: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 4.4.4.1 (Serial5/3) is resync: route configuration changed

R1#clear ip route *

R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    1.0.0.0/8 is directly connected, Serial5/0
D    2.0.0.0/8 [90/2681856] via 1.1.1.2, 00:00:39, Serial5/0
D    3.0.0.0/8 [90/2681856] via 4.4.4.1, 00:00:39, Serial5/3
C    4.0.0.0/8 is directly connected, Serial5/3
D    20.0.0.0/8 [90/2172416] via 1.1.1.2, 00:00:39, Serial5/0
D    40.0.0.0/8 [90/2172416] via 4.4.4.1, 00:00:39, Serial5/3
C    10.0.0.0/8 is directly connected, FastEthernet0/0
D    30.0.0.0/8 [90/2684416] via 1.1.1.2, 00:00:39, Serial5/0


R1#traceroute 30.1.1.1

Type escape sequence to abort.
Tracing the route to 30.1.1.1

  1 1.1.1.2 40 msec 32 msec 32 msec
  2 2.2.2.2 76 msec 56 msec 72 msec


R1#show ip route 30.1.1.1 255.0.0.0
Routing entry for 30.0.0.0/8
  Known via "eigrp 100", distance 90, metric 2684416, type internal
  Redistributing via eigrp 100
  Last update from 1.1.1.2 on Serial5/0, 00:01:57 ago
  Routing Descriptor Blocks:
  * 1.1.1.2, from 1.1.1.2, 00:01:57 ago, via Serial5/0
      Route metric is 2684416, traffic share count is 1
      Total delay is 40100 microseconds, minimum bandwidth is 1544 Kbit
      Reliability 255/255, minimum MTU 1500 bytes
      Loading 1/255, Hops 2

R1#show ip eigrp topology
IP-EIGRP Topology Table for AS(100)/ID(10.1.1.1)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status
P 1.0.0.0/8, 1 successors, FD is 2169856
        via Connected, Serial5/0
P 2.0.0.0/8, 1 successors, FD is 2681856
        via 1.1.1.2 (2681856/2169856), Serial5/0
P 3.0.0.0/8, 1 successors, FD is 2681856
        via 4.4.4.1 (2681856/2169856), Serial5/3
P 4.0.0.0/8, 1 successors, FD is 2169856
        via Connected, Serial5/3
P 10.0.0.0/8, 1 successors, FD is 28160
        via Connected, FastEthernet0/0
P 20.0.0.0/8, 1 successors, FD is 2172416
        via 1.1.1.2 (2172416/28160), Serial5/0
P 30.0.0.0/8, 1 successors, FD is 2684416
        via 1.1.1.2 (2684416/2172416), Serial5/0
        via 4.4.4.1 (2689416/2177416), Serial5/3
P 40.0.0.0/8, 1 successors, FD is 2172416
        via 4.4.4.1 (2172416/28160), Serial5/3


As you can see, the metric has been increased to 2177416; previously this metric was 2172416.
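
The numbers in the outputs above can be reproduced. This added example (not part of the original lab) computes the classic EIGRP composite metric with default K values, matches routes against the standard ACL with its wildcard mask, applies the inbound offset on Serial5/3, and shows which next hop remains the successor. The function names are constructed here; the metrics, next hops and interfaces are taken from the outputs above, and the offset is modelled as a flat addition to the metric, as the text describes it.

```python
import ipaddress


def eigrp_metric(min_bw_kbit, total_delay_usec):
    """Classic EIGRP composite metric with default K values (K1 = K3 = 1)."""
    return 256 * (10**7 // min_bw_kbit + total_delay_usec // 10)


def acl_permits(network, acl):
    """Standard ACL: first matching (action, address, wildcard) wins, else deny."""
    addr = int(ipaddress.IPv4Address(network))
    for action, base, wildcard in acl:
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        if addr & care == int(ipaddress.IPv4Address(base)) & care:
            return action == "permit"
    return False


def apply_offset_in(updates, acl, offset, interface):
    """Add `offset` to routes the ACL permits that were learned on `interface`."""
    out = []
    for u in updates:
        hit = u["iface"] == interface and acl_permits(u["net"], acl)
        bump = offset if hit else 0
        out.append({**u, "metric": u["metric"] + bump, "rd": u["rd"] + bump})
    return out


def successors(updates, net):
    """Next hops with the lowest metric; equal-cost paths are all installed."""
    paths = [u for u in updates if u["net"] == net]
    best = min(p["metric"] for p in paths)
    return sorted(p["via"] for p in paths if p["metric"] == best)


def feasible_successors(updates, net):
    """Backup paths: worse metric, but reported distance below the best metric."""
    paths = [u for u in updates if u["net"] == net]
    fd = min(p["metric"] for p in paths)
    return sorted(p["via"] for p in paths if p["metric"] > fd and p["rd"] < fd)


# Values copied from R1's outputs above, before the offset-list was applied.
UPDATES = [
    {"net": "30.0.0.0", "via": "1.1.1.2", "iface": "Serial5/0",
     "metric": 2684416, "rd": 2172416},
    {"net": "30.0.0.0", "via": "4.4.4.1", "iface": "Serial5/3",
     "metric": 2684416, "rd": 2172416},
    {"net": "40.0.0.0", "via": "4.4.4.1", "iface": "Serial5/3",
     "metric": 2172416, "rd": 28160},
]
# ip access-list standard Offset / permit 30.0.0.0 0.255.255.255
ACL_OFFSET = [("permit", "30.0.0.0", "0.255.255.255")]

if __name__ == "__main__":
    print(eigrp_metric(1544, 40100))           # metric of both paths before
    after = apply_offset_in(UPDATES, ACL_OFFSET, 5000, "Serial5/3")
    print(successors(UPDATES, "30.0.0.0"), "->", successors(after, "30.0.0.0"))
    print("backup:", feasible_successors(after, "30.0.0.0"))
```
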

I hope you like this lab. Please visit our YouTube channel https://www.youtube.com/@internetworkss

Thursday, 14 August 2025

What is IP prefix-list? How to configure IP prefix-list?

IP Prefix List

An IP prefix list is a network filtering tool used primarily in routing protocols to control which routes are accepted or rejected based on their network prefixes.

Key Characteristics

  • Prefix-based filtering: Matches routes based on their network address and prefix length.

  • Ordered processing: Entries are processed top-down until a match is found.

  • Implicit deny: if no match is found, the prefix is denied by default.



 


R1(config)#ip prefix-list NAME seq 10 deny 192.168.1.1/24?

  ge  Minimum prefix length to be matched

  le  Maximum prefix length to be matched

  <cr>

Parameters

  • network/len: The network address and prefix length to match.

  • ge: “greater than or equal to”, the minimum prefix length to match.

  • le: “less than or equal to”, the maximum prefix length to match.

  • seq: optional sequence number for ordering entries.

Prefix lists are widely used in routing protocols like BGP, OSPF, and EIGRP for precise control over route advertisements and redistributions.


Topology:-


Goal: Configure the topology as per the diagram

  1. Configure the IP addresses as per the topology
  2. Configure IGP protocol EIGRP 100
  3. Advertise the directly connected routes
  4. Configure an IP prefix list named INTERNET
  5. Deny 192.168.31.0/24 - 192.168.32.0/24
  6. Permit the rest
  7. Deny 192.168.11.0/24; adjust the SEQ number.
  8. Make sure router 2 denies 192.168.31.1/24, 192.168.32.1/24 and 192.168.11.1/24
  9. Change the SEQ
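
Why the sequence number matters in steps 7 and 9 is easiest to see by evaluating the list. The following is an added example, not taken from the original post: a small matcher that implements top-down processing, ge/le length ranges and the implicit deny, and then compares a late deny entry with one placed ahead of the permit-all. The sequence numbers 10 to 40 and the function names are assumptions made for the illustration.

```python
import ipaddress


def entry(seq, action, prefix, ge=None, le=None):
    """One prefix-list line: seq <seq> <action> <prefix> [ge N] [le N]."""
    return {"seq": seq, "action": action,
            "net": ipaddress.ip_network(prefix), "ge": ge, "le": le}


def matches(e, route):
    """True when the route lies inside the entry's network and length range."""
    base = e["net"]
    if not route.subnet_of(base):
        return False
    # No ge/le: exact length. ge only: ge..32. le only: len..le.
    lo = e["ge"] if e["ge"] is not None else base.prefixlen
    if e["le"] is not None:
        hi = e["le"]
    else:
        hi = 32 if e["ge"] is not None else base.prefixlen
    return lo <= route.prefixlen <= hi


def evaluate(plist, route):
    """Return (action, seq) of the first matching entry, or the implicit deny."""
    route = ipaddress.ip_network(route)
    for e in sorted(plist, key=lambda x: x["seq"]):
        if matches(e, route):
            return e["action"], e["seq"]
    return "deny", None


# Steps 4-6 of the goal list; sequence numbers are assumed.
BASE = [
    entry(10, "deny", "192.168.31.0/24"),
    entry(20, "deny", "192.168.32.0/24"),
    entry(30, "permit", "0.0.0.0/0", le=32),   # "permit the rest"
]
# Step 7 added after the permit-all: it can never match.
TOO_LATE = BASE + [entry(40, "deny", "192.168.11.0/24")]
# Step 7 with the sequence number adjusted to sit before the permit-all.
ADJUSTED = BASE + [entry(25, "deny", "192.168.11.0/24")]

if __name__ == "__main__":
    for name, plist in (("seq 40", TOO_LATE), ("seq 25", ADJUSTED)):
        print(name, evaluate(plist, "192.168.11.0/24"))
```
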

Sunday, 27 July 2025

OSPF DR and BDR Explained: The Hidden Heroes of Network Efficiency.

In the world of networking, OSPF (Open Shortest Path First) is one of the most widely used dynamic routing protocols. But did you know that behind the scenes, two special routers, the Designated Router (DR) and Backup Designated Router (BDR), work tirelessly to keep your network running smoothly?




In this blog post, we’ll uncover:

 

  1. What do DR and BDR do for our network?
  2. How do they get elected, and why is this election important?
  3. What are the common mistakes in OSPF configuration?
  4. What are the best practices for optimizing DR/BDR selection?

Let's dive in.

Why do we need DR and BDR?

  • Imagine a conference room where everyone is shouting updates at the same time: chaos, right? That’s what happens in an OSPF multi-access network (Ethernet) without a DR and BDR.

The problem: too many LSAs

  • Every OSPF router floods Link-State Advertisements (LSAs) to announce network changes. In a large network, this creates excessive traffic and inefficiency.

The solution: DR and BDR to the rescue

  • Designated Router (DR): becomes the central hub for LSA distribution.
  • Backup Designated Router (BDR): stands by to take over if the DR fails.
  • All the other routers (DROTHERs) only talk to the DR and BDR, reducing unnecessary chatter.
  • Result: a cleaner, more efficient OSPF network.

How does the DR and BDR election work?

  • Not every router gets to be the DR; there’s a strict election process.
  • Only routers in multi-access networks (Ethernet, Frame Relay) elect a DR/BDR.
  • Point-to-point links (like PPP) don’t need DR/BDR.

What are the election rules?

  • OSPF priority (0-255)
  • Default: 1
  • If the OSPF priority is 0, the router is ineligible to be elected.
  • If the priorities are equal, the router with the highest RID wins.
  • The router ID is chosen from: the manually configured RID, the highest loopback IP, the highest active physical IP.

The surprising truth: elections are non-preemptive.

  • Once elected, the DR/BDR OSPF routers stay in power unless they fail.
  • A new router with a higher priority won't take over from the current DR/BDR unless the current DR/BDR fails.

Common DR/BDR configuration mistakes

  • Ignoring the priority setting: if all routers have the default priority of 1, the highest router ID wins, which may not be optimal. Fix: manually set priorities on critical routers.
  • Adding a new high-priority router won’t change the DR unless the current one fails. Fix: restart OSPF on the interface if needed.
  • If router IDs are unstable, for example, if they're based on a physical interface, DR election can be unpredictable. Fix: always set a static router ID in the OSPF configuration.

Best practices for DR/BDR optimization

  • Set priority 100 on the routers you want as DR/BDR, and set priority 0 on routers that should never become DR.
  • Avoid placing the DR on low-power routers: the DR does extra work, so do not make a weak router the DR.
  • Use the loopback interface for the router ID.

 

Let's see the configuration: https://www.youtube.com/@internetworkss

Topology:-


  • Configure the topology as per the diagram
  • Configure the IP addresses as per the topology 
  • Configure OSPF 1 and advertise directly connected interfaces 
  • Configure router 1 as DR, and router 2 and router 3 as DROTHERs
  • Configure router 4 as backup DR
  • Verify the configurations.
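
The election rules and the lab goal above can be checked with a small model. This is an added example, not code from the original post, and it is a simplified model of the rules listed in this article (priority, then router ID, priority 0 ineligible, no preemption) rather than the full OSPF state machine. The router names follow the lab goals; the priorities and router IDs are assumed values.

```python
import ipaddress


def rank(router):
    """Election key: higher priority wins, then higher router ID."""
    return (router["priority"], int(ipaddress.IPv4Address(router["rid"])))


def elect(routers, dr=None, bdr=None):
    """Fill vacant DR/BDR roles only; a sitting DR or BDR is never preempted.

    routers: {name: {"priority": int, "rid": str}} currently up on the segment.
    dr, bdr: the names holding the roles before this call (None if vacant).
    """
    if dr not in routers:
        # DR vacant or failed: the BDR (if still up) is promoted.
        dr, bdr = (bdr if bdr in routers else None), None
    elif bdr not in routers:
        bdr = None
    eligible = sorted((n for n, r in routers.items() if r["priority"] > 0),
                      key=lambda n: rank(routers[n]), reverse=True)
    for name in eligible:
        if name in (dr, bdr):
            continue
        if dr is None:
            dr = name
        elif bdr is None:
            bdr = name
    return dr, bdr


def drothers(routers, dr, bdr):
    """Everyone on the segment that holds neither role."""
    return sorted(n for n in routers if n not in (dr, bdr))


# Assumed values that produce the lab goal: R1 DR, R4 BDR, R2/R3 DROTHERs.
LAB = {
    "R1": {"priority": 100, "rid": "1.1.1.1"},
    "R2": {"priority": 0, "rid": "2.2.2.2"},
    "R3": {"priority": 0, "rid": "3.3.3.3"},
    "R4": {"priority": 50, "rid": "4.4.4.4"},
}

if __name__ == "__main__":
    segment = dict(LAB)
    dr, bdr = elect(segment)
    print("initial:", dr, bdr, drothers(segment, dr, bdr))
    segment["R5"] = {"priority": 255, "rid": "5.5.5.5"}   # late joiner
    dr, bdr = elect(segment, dr, bdr)
    print("after R5 joins:", dr, bdr)                      # no preemption
    del segment["R1"]                                      # DR fails
    dr, bdr = elect(segment, dr, bdr)
    print("after R1 fails:", dr, bdr)
```
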

Friday, 30 May 2025

What is OSPFv2 (Open Shortest Path First version 2) subcommand?

OSPFv2 (Open Shortest Path First version 2) is a link-state routing protocol designed for IPv4 networks. It is defined in RFC 2328 and is widely used in enterprise and service provider networks due to its efficiency and scalability.





Key Features of OSPFv2:

1. Link-State Protocol:

  • Maintains a complete topological map of the network (LSDB - Link-State Database).
  • Uses the Dijkstra (SPF) algorithm to compute the shortest path to all destinations.

2. Hierarchical Routing (Areas):

  • Divides networks into areas to reduce routing overhead.
  • Backbone Area (Area 0) is mandatory; all other areas must connect to it.

Types of areas:

  • Normal Areas (Standard areas)
  • Stub Areas (Block external routes)
  • Totally Stubby Areas (Block external and inter-area routes)
  • Not-So-Stubby Areas (NSSA) (Allows limited external routes)

Metric (Cost):

  • Calculated based on interface bandwidth (Cost = Reference BW / Interface BW, default Reference BW = 100 Mbps).

Packet Types:

  • Hello (Discover/maintain neighbors)
  • DBD (Database Description) (Exchange LSDB info)
  • LSR (Link-State Request) (Request specific LSA)
  • LSU (Link-State Update) (Send LSA updates)
  • LSAck (Link-State Acknowledgment) (Acknowledge LSUs)

LSA Types (Link-State Advertisements):

  • Type 1 (Router LSA) – Intra-area router info.
  • Type 2 (Network LSA) – Multi-access network info.
  • Type 3 (Summary LSA) – Inter-area routes (ABR-generated).
  • Type 4 (ASBR Summary LSA) – Location of ASBR.
  • Type 5 (External LSA) – Routes from other AS (redistributed).
  • Type 7 (NSSA External LSA) – External routes in NSSA.

Neighbor States:

  • Down → Init → 2-Way → ExStart → Exchange → Loading → Full

Authentication:

Supports plain-text, MD5, and SHA authentication for security.


Let's see the configuration of the OSPFv2 subcommand.


Topology:-



  • Configure the topology as per the diagram
  • Configure the IP addresses as per the topology 
  • Configure OSPFv2 with the subcommand 
  • advertise directly connected routes and loopbacks
  • Make sure all the routes are exchanged 
  • Verify with ping and show commands
