OSPF part 6: how OSPF works? OSPF process & Hello content

Hey there! To learn a protocol, always ask how it works. Remember, a protocol is a set of procedures, a set of rules. In OSPF there are seven neighbor states that a pair of routers walks through to reach a full adjacency. Let us first enumerate them.

1.) Down

2.) INIT

3) 2-way

4.) Exstart

5.) Exchange

6.) Loading

7.) Full

1.) DOWN – the starting state. A neighbor is in Down when no Hello has been received from it on that interface. There are two ways to be there:

a.) Nothing has been heard yet: the interface just came up, or the router on the other side has not enabled OSPF.

  • A side note on statically configured neighbors (the neighbor command, a CCNP ROUTE topic): on NBMA networks Hellos are sent unicast to the configured address instead of to the multicast group, and such a neighbor sits in an extra state called Attempt, not Down, while the router keeps sending it Hellos.

b.) The dead timer expired: no Hello arrived from an existing neighbor within the dead interval, so the adjacency is torn down and the neighbor goes back to Down.

To make those timers and that multicast address easier to understand, let us first go through the contents of the Hello message and its timers.

Hello Message Contents:

1.) Router-ID of the local router – the 32-bit ID of the router sending the Hello, written like an IPv4 address (for example 1.1.1.1)

2.) Area-ID – the area the sending interface belongs to

3.) Network mask – the subnet mask of the sending interface. The interface address itself is not in the Hello; it is the source address of the IP packet that carries it.

4.) Authentication type and authentication field – null, simple password or MD5, plus the 8-byte field that goes with it. The key itself is never listed in the Hello. Passive interfaces have nothing to do with this field: a passive interface simply does not send Hellos at all.

5.) Hello & Dead interval – there you go! These are the keepalive timers. The hello interval is how often the router sends a Hello on the interface (default 10 seconds on broadcast and point-to-point links, 30 seconds on NBMA and point-to-multipoint). The dead interval is how long the router waits without hearing a Hello before it declares the neighbor down; the default is four times the hello interval (40 or 120 seconds). Both can be configured, but they must match on both ends of the link.

6.) Router interface priority – used in the DR/BDR election on multi-access networks (highest priority wins; 0 means the router never becomes DR or BDR). It is not used for the master/slave election in Exstart; that one goes by Router-ID. We will come back to this as we go on.

7.) DR & BDR information – the sender's current view of who the designated router and backup designated router are on the segment (0.0.0.0 while none has been elected). DR and BDR are not the master and slave; we will dig deeper into this on the next blog pages.

8.) Neighbor list – the Router-IDs of every neighbor the sending router has already received a valid Hello from on this interface. This list is what moves a neighbor from INIT to 2-WAY, and it is also what you see in the local router's neighbor table.

Alright, those are the contents of the Hello that the local router sends to its neighbor, and it expects the same fields back in the neighbor's Hellos.

Always remember, mate, that other routing protocols send their own Hello-style packets too. So the question is: how does a router know that a given Hello is meant for it?

[image 17A1: R1 and R2 run OSPF, R3 runs EIGRP; R2 sends a Hello onto the segment]

In the image above, how does the neighbor router know it is the recipient of the Hello? And how does R3, which runs EIGRP, know the Hello is not for it? The Hello rides directly inside IP (protocol number 89) with destination 224.0.0.5, the AllSPFRouters multicast group. It is not a broadcast: only interfaces that run OSPF join that group, so R3, which listens on EIGRP's own group 224.0.0.10 instead, never hands the packet to a routing process.

So R3 drops the packet because it is not a member of the group, while R1, the neighbor, receives R2's Hello. What happens next?

R1 checks the Hello sent by R2, and the following must match before R1 even considers R2 as a neighbor:

1.) Area ID – if R1's interface is in area 0, R2's must be in area 0 too

2.) Area type – carried in the Options field of the Hello (the E bit): normal, stub and not-so-stubby areas. Sounds complex, but we will discuss it as we go on.

3.) Subnet mask – compared on broadcast and NBMA networks; on point-to-point links it is not compared

4.) Hello & Dead intervals

5.) Authentication type and, for MD5, a matching key under the same key ID

6.) Router-ID must be unique: a Hello carrying R1's own Router-ID is rejected
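To make the Hello fields and the checks above concrete, here is an added Python example (it is not code from this blog): it builds an OSPFv2 Hello byte-for-byte as R2 would send it, parses it back, runs the checks R1 applies, and reports whether R1 would keep R2 in INIT or move it to 2-WAY. The Router-IDs, timers and R1's own parameters are constructed for the example; the packet layout, the checksum rule and the match rules are from RFC 2328.

```python
import ipaddress
import struct

# Added example (not the blog's code): build, parse and check an OSPFv2 Hello.
# Field layout follows RFC 2328 A.3.1 (header) and A.3.2 (Hello); R1/R2 values are constructed.
ALL_SPF_ROUTERS = "224.0.0.5"   # every OSPF router joins this group; EIGRP uses 224.0.0.10
OPT_E = 0x02                    # Options E bit: set in normal areas, cleared in stub areas
HDR = "!BBH4s4sHH8s"            # version, type, length, router-id, area-id, checksum, autype, auth
HELLO = "!4sHBBI4s4s"           # mask, hello interval, options, priority, dead interval, DR, BDR


def _ip(text):
    return ipaddress.IPv4Address(text).packed


def ospf_checksum(data):
    """Ones' complement checksum used with AuType 0 and 1 (RFC 2328 D.4.1)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_hello(rid, area, mask, hello, dead, priority=1, options=OPT_E,
                dr="0.0.0.0", bdr="0.0.0.0", neighbors=()):
    """Serialize a Hello with null authentication; the checksum skips the 8-byte auth field."""
    body = struct.pack(HELLO, _ip(mask), hello, options, priority, dead, _ip(dr), _ip(bdr))
    body += b"".join(_ip(n) for n in neighbors)
    pkt = struct.pack(HDR, 2, 1, 24 + len(body), _ip(rid), _ip(area), 0, 0, bytes(8)) + body
    csum = ospf_checksum(pkt[:16] + pkt[24:])
    return pkt[:12] + struct.pack("!H", csum) + pkt[14:]   # checksum lives at offset 12


def parse_hello(pkt):
    """Parse an OSPFv2 Hello into a dict; raises ValueError if it is not one."""
    if len(pkt) < 44:
        raise ValueError("too short for a Hello")
    ver, ptype, length, rid, area, _csum, autype, _auth = struct.unpack(HDR, pkt[:24])
    if ver != 2 or ptype != 1 or length != len(pkt) or (length - 44) % 4:
        raise ValueError("not a well-formed OSPFv2 Hello")
    mask, hello, options, priority, dead, _dr, _bdr = struct.unpack(HELLO, pkt[24:44])
    return {
        "router_id": str(ipaddress.IPv4Address(rid)),
        "area": str(ipaddress.IPv4Address(area)),
        "mask": str(ipaddress.IPv4Address(mask)),
        "hello": hello, "dead": dead, "options": options, "priority": priority,
        "autype": autype,
        "neighbors": [str(ipaddress.IPv4Address(pkt[i:i + 4])) for i in range(44, length, 4)],
        # a correct ones' complement checksum sums to zero over the bytes it was computed on
        "checksum_ok": autype == 2 or ospf_checksum(pkt[:16] + pkt[24:]) == 0,
    }


def check_hello(h, local, point_to_point=False):
    """Reasons the local router would ignore this Hello (RFC 2328 10.5); empty list = accepted."""
    reasons = []
    if not h["checksum_ok"]:
        reasons.append("bad checksum")
    if h["router_id"] == local["router_id"]:
        reasons.append("duplicate router-id %s" % h["router_id"])
    if h["area"] != local["area"]:
        reasons.append("area %s != %s" % (h["area"], local["area"]))
    if not point_to_point and h["mask"] != local["mask"]:   # mask is not compared on point-to-point
        reasons.append("mask %s != %s" % (h["mask"], local["mask"]))
    if (h["hello"], h["dead"]) != (local["hello"], local["dead"]):
        reasons.append("timers %d/%d != %d/%d" % (h["hello"], h["dead"], local["hello"], local["dead"]))
    if h["autype"] != local["autype"]:
        reasons.append("authentication type mismatch")
    if (h["options"] & OPT_E) != (local["options"] & OPT_E):
        reasons.append("area type (stub flag) mismatch")
    return reasons


def neighbor_state(h, local):
    """IGNORED if a check fails; INIT if the Hello does not list us yet; 2-WAY once it does."""
    if check_hello(h, local):
        return "IGNORED"
    return "2-WAY" if local["router_id"] in h["neighbors"] else "INIT"


# R1's own interface parameters (constructed)
R1 = {"router_id": "1.1.1.1", "area": "0.0.0.0", "mask": "255.255.255.0",
      "hello": 10, "dead": 40, "autype": 0, "options": OPT_E}

if __name__ == "__main__":
    first = build_hello("2.2.2.2", "0.0.0.0", "255.255.255.0", 10, 40)                   # R2 has not heard R1 yet
    second = build_hello("2.2.2.2", "0.0.0.0", "255.255.255.0", 10, 40, neighbors=["1.1.1.1"])
    bad = build_hello("3.3.3.3", "0.0.0.0", "255.255.255.0", 30, 120)                    # NBMA-style timers
    for pkt in (first, second, bad):
        h = parse_hello(pkt)
        print(h["router_id"], neighbor_state(h, R1), check_hello(h, R1))
```

The first Hello from R2 has an empty neighbor list, so R1 only reaches INIT; the second one lists 1.1.1.1 and gets R1 to 2-WAY. The third Hello is a router with 30/120 timers, which R1 silently ignores: no neighbor is ever created, which is exactly what a stuck "why don't they see each other" case looks like on a real link.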

***********************************************************************

OSPF STAGE 2: INIT

How we will transition from DOWN state to INIT ?

 

Here's how it goes! Let's play a scenario where R1 and R2 try to establish a neighbor adjacency.

Step 1 – the OSPF interface of R1 comes up. R1 creates its own router LSA (remember LSAs? hehe) and starts sending Hellos to 224.0.0.5 every hello interval. No router on the other side runs OSPF yet, so nothing answers and, from R1's point of view, there is no neighbor at all (nothing expires here: without a neighbor there is no dead timer to run out).

Step 2 – the OSPF interface of R2 comes up. R2 creates its own LSA and sends a Hello onto the link; its neighbor list is empty because it has not heard R1 yet.

Step 3 – R1 checks R2's Hello against the parameters above.

Step 4 – once every parameter matches, R1 adds R2 to its neighbor table and the neighbor moves from DOWN to INIT. So let us define INIT.

INIT STATE – a valid Hello has been received from the neighbor, but that Hello did not list the local Router-ID in its neighbor list, so communication has only been seen in one direction. The neighbor stays in INIT until a Hello arrives that contains the local router's own Router-ID. Sounds confusing? It becomes clear as we transition to 2-way.

Step 5 – since R1 now has R2 in its neighbor table, R1's next Hello lists R2's Router-ID in the neighbor field. When R2 receives that Hello and finds its own Router-ID in it, it is time to transition to 2-WAY.

***********************************************************************

2-WAY → a router received a Hello from the neighbor and saw its own Router-ID in that Hello's neighbor list: both sides now know that packets flow in both directions.

Step 6

[image 18a: Hellos between R1 and R2, each carrying the other's Router-ID]

A recap from step 5: R1 (holding R2 in INIT) sent a Hello listing R2's Router-ID, so R2 added R1 as a neighbor and, because that Hello already carried R2's own ID, went straight to 2-WAY. Step 6 is the mirror image: R2 sends a Hello listing R1's Router-ID, and when R1 sees its own ID it moves R2 to 2-WAY as well.

Once both routers are in 2-WAY they move on to EXSTART. One caveat for multi-access segments (Ethernet): the DR/BDR election happens at this point, and only pairs that include the DR or the BDR go on to Exstart; two DROther routers on the same segment stay in 2-WAY permanently, which is normal and not a fault.

***********************************************************************

EXSTART – the two routers decide who goes first when they describe their databases (the DBD exchange).

DBD – Database Description packet – a list of LSA headers (type, link-state ID, advertising router, sequence number) for every LSA in the LSDB. It describes the database; it does not carry the LSAs themselves.

Step 7 – the master/slave election:

Master – the router with the higher Router-ID; it picks the initial DBD sequence number and drives the exchange

Slave – the router with the lower Router-ID; it replies to the master's DBDs and echoes its sequence numbers

Interface priority plays no part here; it is only used for DR/BDR. This is also where a mismatched interface MTU bites: the DBD carries the interface MTU, and a router ignores DBDs that announce a larger MTU than its own, so the neighbors sit in Exstart forever.

***********************************************************************

EXCHANGE – we know who is master and who is slave, so the databases get described.

Step 8 – both routers send DBDs, not only the master: the master sends a DBD with its LSA headers, the slave answers with a DBD carrying its own headers and the same sequence number, and this repeats until both have cleared the More bit. In our case R2, which has the higher Router-ID, is the master and sends first; R1 acknowledges each of R2's DBDs by replying with its own. While this goes on, each router compares the received headers with its LSDB and builds a list of LSAs it is missing or only has an older copy of.

***********************************************************************

LOADING – the routers fetch the LSAs they found missing during Exchange, so that both LSDBs end up identical.

Step 9 – after the DBD exchange, any router that noticed a gap (master or slave, it does not matter) sends a Link State Request (LSR), which is answered by a Link State Update (LSU) carrying the full LSA, which is in turn confirmed with a Link State Acknowledgment (LSAck). Here's how it goes!

Let's say:

R2 (master): hi R1, here is the list of what is in my OSPF database

R1 (slave): Got it, master! Here is mine, and I will cross-check yours against it.

Let's say R2 has a new network configured on one of its interfaces, 10.0.21.0/24.

R1 (slave): R2, it seems I do not have the LSA for 10.0.21.0/24 yet; can you send it to me? – THIS IS WHAT WE CALL A LINK STATE REQUEST

R2 (master): Oh, right, I had not told you about that one. No worries, here it is. – THIS IS A LINK STATE UPDATE

R1 (slave): Thank you, master. Take this as my LINK STATE ACKNOWLEDGMENT that I received and installed the LSA.

***********************************************************************

FULL – the final state: the neighbor adjacency is complete. Loading ends, and the neighbor goes to Full, once every requested LSA has been received and the two LSDBs are identical. From then on the routers only exchange Hellos to keep the adjacency alive, and LSUs when something changes.
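An added simulation (not the blog's code) of steps 7 to 9 as described above, with both routers' messages in order: master/slave election by Router-ID, DBDs carrying headers, then LSR/LSU/LSAck for whatever one side lacks, ending in FULL with identical LSDBs. The LSDB contents and the DBD sequence number are constructed, and LSAs are reduced to a name plus a sequence number. It goes slightly beyond the dialogue above by showing that the slave requests from the master and the master from the slave.

```python
# Added simulation (not the blog's code) of the Exstart, Exchange, Loading and Full steps
# between R1 and R2. LSDBs are simplified to {lsa_name: sequence_number}; real keys are
# (LS type, link-state ID, advertising router) and sequence numbers start at 0x80000001.
INITIAL_SEQ = 0x80000001


def _rid_key(rid):
    """Router-IDs compare as 32-bit numbers, so 10.0.0.1 beats 9.255.255.255."""
    return tuple(int(octet) for octet in rid.split("."))


class Router:
    def __init__(self, rid, lsdb):
        self.rid = rid
        self.lsdb = dict(lsdb)   # {lsa: seq}; a higher sequence number is the newer instance
        self.state = {}          # neighbor rid -> current neighbor state

    def dbd_headers(self):
        """A DBD carries LSA headers only (here: name and sequence number), never LSA bodies."""
        return sorted(self.lsdb.items())

    def request_list(self, headers):
        """LSAs the peer has that we lack, or holds a newer instance of: these go into LSRs."""
        return [lsa for lsa, seq in headers if self.lsdb.get(lsa, 0) < seq]


def master_of(a, b):
    """Exstart: the higher Router-ID becomes master, regardless of interface priority."""
    return a if _rid_key(a.rid) > _rid_key(b.rid) else b


def form_adjacency(a, b, dbd_seq=0x2A1D):
    """Walk both routers from 2-WAY to FULL and return the packets exchanged, in order."""
    events = []

    def send(src, dst, kind, payload):
        events.append("%s -> %s: %s %s" % (src.rid, dst.rid, kind, payload))

    master = master_of(a, b)
    slave = b if master is a else a
    pairs = ((a, b), (b, a))

    # EXSTART: master proposes the DBD sequence number (constructed value); slave adopts it
    for r, p in pairs:
        r.state[p.rid] = "EXSTART"
    send(master, slave, "DBD", "I=1 M=1 MS=1 seq=%#x (I am master)" % dbd_seq)
    send(slave, master, "DBD", "I=1 M=1 MS=0 seq=%#x (agreed, I am slave)" % dbd_seq)

    # EXCHANGE: both sides describe their LSDB; the slave answers with the master's sequence number
    for r, p in pairs:
        r.state[p.rid] = "EXCHANGE"
    send(master, slave, "DBD", "M=0 seq=%#x %s" % (dbd_seq + 1, master.dbd_headers()))
    send(slave, master, "DBD", "M=0 seq=%#x %s" % (dbd_seq + 1, slave.dbd_headers()))
    wanted = {r.rid: r.request_list(p.dbd_headers()) for r, p in pairs}

    # LOADING: whoever is missing something asks for it; the master/slave role does not matter
    for r, p in pairs:
        r.state[p.rid] = "LOADING" if wanted[r.rid] else "FULL"
        for lsa in wanted[r.rid]:
            send(r, p, "LSR", lsa)
            send(p, r, "LSU", (lsa, hex(p.lsdb[lsa])))
            r.lsdb[lsa] = p.lsdb[lsa]        # install the newer instance
            send(r, p, "LSAck", lsa)
        r.state[p.rid] = "FULL"              # nothing left to request: adjacency is complete
    return events


def demo():
    """R2 just added 10.0.21.0/24 and also holds a newer copy of the shared link's LSA."""
    r1 = Router("1.1.1.1", {"router-1.1.1.1": INITIAL_SEQ, "net-10.0.12.0/24": INITIAL_SEQ})
    r2 = Router("2.2.2.2", {"router-2.2.2.2": INITIAL_SEQ, "net-10.0.12.0/24": INITIAL_SEQ + 1,
                            "net-10.0.21.0/24": INITIAL_SEQ})
    events = form_adjacency(r1, r2)
    return r1, r2, events


if __name__ == "__main__":
    r1, r2, events = demo()
    print("\n".join(events))
    print(r1.state, r2.state, "identical LSDB:", r1.lsdb == r2.lsdb)
```

Running it prints R2 (the higher Router-ID) opening Exstart as master, the two DBDs, then R1 requesting three LSAs (two it never had and the newer 10.0.12.0/24 instance) and R2 requesting R1's router LSA; both end in FULL with the same LSDB.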

***********************************************************************

Just a quick summary of OSPF process!

[image 18b: summary of the OSPF neighbor states]

Oh yeah! Apologies if it is very lengthy and boring, but I hope that I was able to educate you today!

ospf part 4: ospf authentication

Hi there mate! This will be the last discussion on OSPF configuration. The rest of the OSPF topics will discuss how OSPF works and the content of the Hello packet. The last topic we had was configuring passive interfaces for security reasons. This time, we will configure OSPF authentication with MD5 keys. The need for it is very simple: it protects the active interfaces. By active interfaces I mean those that send and receive Hellos and OSPF updates; they cannot be passive, so authentication is the way to secure them. One thing to get straight from the start: MD5 authentication does not encrypt anything. The OSPF packets still cross the wire in clear text; what MD5 adds is a keyed digest on every packet, so a router that does not know the key cannot produce packets the neighbor will accept, and cannot tamper with ours.

Imagine the scenario below:

[image 12a1: serial 1/0 of R1 connected to a rogue router instead of R2]

Instead of serial 1/0 of router 1 being connected to router 2, it was connected to a rogue router. Without authentication that router can form an adjacency, learn the whole topology and inject routes, a clear security breach.

So let us get back to our original topology.

[image 12a2: original topology, R1 – R2 – R3 over serial links]

Authentication SYNTAX:

en 
conf t
router ospf {process#} <— process # 
area {area#} authentication message-digest <— enables MD5 authentication on every interface of that area on this router
exit
int serial x/x
ip ospf message-digest-key {key-id} md5 {password} <— the key and its key ID; both must match on the neighbor, because the key ID travels in the packet and the receiver uses it to pick the key to check against

Note: 1.) The key is set per interface because each link is its own trust boundary: using a different key per link limits what a compromise of one neighbor gives away.

2.) We can set multiple keys on one interface, each with its own key ID. The router accepts packets authenticated with any configured key, which is what you use to roll keys without dropping the adjacency (add the new key on both sides, then remove the old one). MD5 is the legacy choice; newer IOS releases also offer HMAC-SHA authentication (RFC 5709) through a key chain applied with ip ospf authentication key-chain, which is the better pick where both ends support it. The syntax for multiple keys is:

 

int serial x/x
ip ospf message-digest-key 1 md5 {password}
ip ospf message-digest-key 2 md5 {password}
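Here is an added Python example (not from the blog) of what ip ospf message-digest-key 1 md5 cisco actually does on the wire, following the procedure in RFC 2328 appendix D: the sender appends an MD5 digest of the packet plus the 16-byte padded key, and the receiver recomputes it with the key it holds under that key ID, then checks the cryptographic sequence number against the last one it accepted from that neighbor. The Hello body, key and sequence numbers are constructed; the type-1 packet at the end is only there to show why message-digest beats the plain-text alternative.

```python
import hashlib
import hmac
import struct

# Added example (not the blog's code): how OSPF type-2 (MD5) authentication is produced and
# checked, following RFC 2328 appendix D. Packet, key and sequence numbers are constructed.
AUTYPE_NULL, AUTYPE_SIMPLE, AUTYPE_CRYPTO = 0, 1, 2
HDR = "!BBH4s4sHH"        # the 16 header bytes before the 8-byte authentication field
R1_ID = bytes([1, 1, 1, 1])
AREA0 = bytes(4)
# Hello body: mask 255.255.255.0, hello 10, options E, priority 1, dead 40, no DR/BDR
HELLO_BODY = bytes.fromhex("ffffff00 000a 02 01 00000028 00000000 00000000")


def _pad_key(key):
    """The key is used as exactly 16 bytes: zero-padded, or truncated if longer."""
    return key.ljust(16, b"\x00")[:16]


def sign_md5(body, key_id, key, seq):
    """Type 2: checksum field is 0; auth field = key-id, digest length, sequence number.
    The digest is MD5(packet || key) appended after the packet; the length field excludes it."""
    length = 24 + len(body)
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)
    pkt = struct.pack(HDR, 2, 1, length, R1_ID, AREA0, 0, AUTYPE_CRYPTO) + auth + body
    return pkt + hashlib.md5(pkt + _pad_key(key)).digest()


def verify_md5(pkt, keys, last_seq):
    """Receiver side. keys = {key_id: key}; last_seq = highest sequence accepted from this neighbor.
    Returns (accepted, reason, new_last_seq)."""
    if len(pkt) < 24:
        return False, "truncated", last_seq
    _ver, _type, length, _rid, _area, csum, autype = struct.unpack(HDR, pkt[:16])
    if autype != AUTYPE_CRYPTO or csum != 0 or len(pkt) != length + 16:
        return False, "not an MD5-authenticated packet", last_seq
    _, key_id, auth_len, seq = struct.unpack("!HBBI", pkt[16:24])
    key = keys.get(key_id)
    if key is None or auth_len != 16:
        return False, "unknown key id %d" % key_id, last_seq
    expected = hashlib.md5(pkt[:length] + _pad_key(key)).digest()
    if not hmac.compare_digest(expected, pkt[length:]):   # constant-time compare
        return False, "digest mismatch", last_seq
    if seq < last_seq:                                    # RFC 2328: must be >= the last one seen
        return False, "replayed sequence %d < %d" % (seq, last_seq), last_seq
    return True, "ok", seq


def build_simple(body, password):
    """Type 1 for contrast: the password itself sits in the 8-byte auth field (checksum left 0 here)."""
    pkt = struct.pack(HDR, 2, 1, 24 + len(body), R1_ID, AREA0, 0, AUTYPE_SIMPLE)
    return pkt + password.ljust(8, b"\x00")[:8] + body


def sniffed_password(pkt):
    """Anyone on the wire recovers a type-1 password by reading the header."""
    return pkt[16:24].rstrip(b"\x00")


KEYS = {1: b"cisco"}   # what `ip ospf message-digest-key 1 md5 cisco` configures

if __name__ == "__main__":
    good = sign_md5(HELLO_BODY, 1, b"cisco", seq=1001)
    print(verify_md5(good, KEYS, last_seq=1000))                            # accepted
    print(verify_md5(sign_md5(HELLO_BODY, 1, b"guess", 1002), KEYS, 1001))  # rogue router, wrong key
    print(verify_md5(good, KEYS, last_seq=2000))                            # old packet replayed later
    tampered = good[:30] + bytes([good[30] ^ 0x02]) + good[31:]             # flip the E bit in Options
    print(verify_md5(tampered, KEYS, 1000))                                 # digest no longer matches
    print(sniffed_password(build_simple(HELLO_BODY, b"cisco")))             # b'cisco'
```

Two practical points fall out of the code: the key never appears in the packet (only the key ID and the digest do), and the sequence number is the only replay protection there is, so a neighbor that reboots and restarts its counter low will be rejected until the counter catches up, which is a known operational quirk of this scheme.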

Very easy configuration right? So let us try to check the configuration on each router.
en
conf t
router ospf 100
area 0 authentication message-digest
exit
int se 1/0
ip ospf message-digest-key 1 md5 cisco

[image 12a3: console of R1 showing the adjacency with R2 going down after MD5 is enabled]

As we can see, the OSPF neighbor adjacency went down. The reason is that R2 is not configured with authentication yet: R1 now expects MD5-authenticated packets and discards R2's unauthenticated Hellos, so the two cannot establish a neighbor relationship. Another way to verify: show ip ospf neighbor

[image 12a4: show ip ospf neighbor on R1, no neighbors]

So no neighbor relationship established. We can now continue with R2 authentication configuration:

@r2

en
conf t
router ospf 100
area 0 authentication message-digest
exit

[image 12a5: console of R2 after enabling area authentication, adjacencies going down]

As I go on, I can see that the neighbor adjacency went down even before I configured the interfaces. This is because authentication was enabled for the whole area, so every interface of R2 in area 0 now requires MD5 but none of them has a key yet. The key has to be configured per interface: how would you open a locked door without a key? The key-string is that key. Below shows that no neighbor adjacency was established.

[image 12a6: show ip ospf neighbor on R2, no neighbors]

Let us continue the configuration:

int se 1/0
ip ospf message-digest-key 1 md5 cisco
int se 1/1
ip ospf message-digest-key 1 md5 cisco
exit

Below is what happened when I configured authentication on R2. Serial 1/0 came up because it connects to R1, which already has the MD5 key, and the neighbor table shows only R1, since R3 does not have the MD5 key yet.

[image 12a7: R2 console and neighbor table showing only R1]

Below is the neighbor table of R1; it now shows R2.

[image 12a8: show ip ospf neighbor on R1 showing R2]

Lastly, let us configure R3:
en
conf t
router ospf 100
area 0 authentication message-digest
exit
int se 1/1
ip ospf message-digest-key 1 md5 cisco
exit

[image 12a9: R3 console and neighbor table showing R2]

Nothing special about the R3 configuration. Serial 1/1 comes up because all routers now have matching MD5 keys, and router 2 appears in the neighbor table. One thing to add: you will always see the console message "from LOADING to FULL". Those are stages of neighbor adjacency, which we will discuss in the next topics.

I guess right now, you wonder how ospf works? We will discuss that on the next topic.

OSPF part 3: passive-interfaces

Hi mate! We are going to proceed with the configuration of passive interfaces. First, let me emphasize why we need them. We configure passive interfaces for security reasons: if an intruder plugs into a LAN port whose interface is sending OSPF Hellos, their router can form an adjacency and receive everything the neighbor routers advertise. Let us check the scenario below:

[image 12I: R1 connected to a switch, with an attacker's router on the same switch]

R1 is connected to a switch. When the attacker's router connects to that switch, the neighbor routers hand it their OSPF updates; there you go, it now knows the whole topology and can start manipulating the network by injecting routes of its own. To avoid this, we disable OSPF Hellos on the interfaces that do not need to form neighbors. A passive interface is still advertised into OSPF (its network still ends up in the routing tables); it just sends no Hellos and accepts no neighbors.

SYNTAX:

en
conf t
router ospf {process#}
passive-interface default
no passive-interface {interface} <— only for the interfaces that face real OSPF neighbors and must stay active
exit

configuration on each routers

@r1

en
conf t
router ospf 100
passive-interface default
no passive-interface serial 1/0
exit

@r2

en
conf t
router ospf 100
passive-interface default
no passive-interface serial 1/0
no passive-interface serial 1/1
exit

@r3
en
conf t
router ospf 100
passive-interface default
no passive-interface serial 1/1
exit
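As an added example (not part of the blog), here is a small Python audit of an IOS-style running-config: it applies the same rules the router does (a network statement with a wildcard mask enables OSPF on an interface; passive-interface default makes every such interface passive unless a no passive-interface line re-activates it) and then lists the interfaces that will send Hellos but are not on your list of real transit links. The configuration is constructed for R2 and deliberately re-activates a server-facing port to show what the audit catches; nothing here is captured from a device.

```python
import ipaddress
import re

# Added example (not the blog's code): work out, from an IOS-style running-config, which
# interfaces OSPF will send Hellos on, and flag any that should not be talking OSPF at all.
# The config below is constructed for R2 of the blog's topology, with one deliberate mistake.
RUNNING_CONFIG = """
interface Serial1/0
 ip address 10.0.12.2 255.255.255.0
interface Serial1/1
 ip address 10.0.23.2 255.255.255.0
interface FastEthernet0/0
 description users
 ip address 192.168.2.1 255.255.255.0
interface FastEthernet0/1
 description servers
 ip address 172.16.2.1 255.255.255.0
router ospf 100
 network 10.0.0.0 0.0.255.255 area 0
 network 192.168.2.0 0.0.0.255 area 0
 network 172.16.2.0 0.0.0.255 area 0
 passive-interface default
 no passive-interface Serial1/0
 no passive-interface Serial1/1
 no passive-interface FastEthernet0/1
"""


def parse_config(text):
    """Return (interfaces, network statements, passive_default, per-interface overrides)."""
    interfaces, networks, overrides = {}, [], {}
    passive_default, current = False, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = m.group(1)
            continue
        if line.startswith("router ospf"):
            current = None
            continue
        m = re.match(r"ip address (\S+) (\S+)$", line)
        if m and current:
            interfaces[current] = ipaddress.IPv4Interface("%s/%s" % m.groups())
            continue
        m = re.match(r"network (\S+) (\S+) area (\S+)$", line)
        if m:
            net, wild, area = m.groups()
            networks.append((int(ipaddress.IPv4Address(net)), int(ipaddress.IPv4Address(wild)), area))
            continue
        if line == "passive-interface default":
            passive_default = True
            continue
        m = re.match(r"(no )?passive-interface (\S+)$", line)
        if m:
            overrides[m.group(2)] = m.group(1) is None   # True = passive, False = active
    return interfaces, networks, passive_default, overrides


def ospf_interfaces(interfaces, networks, passive_default, overrides):
    """{interface: (area, sends_hellos)} for every interface a network statement enables OSPF on.
    A wildcard bit set to 1 means 'don't care', so the match masks those bits out on both sides."""
    result = {}
    for name, iface in interfaces.items():
        addr = int(iface.ip)
        for net, wild, area in networks:
            care = ~wild & 0xFFFFFFFF
            if (addr & care) == (net & care):
                passive = overrides.get(name, passive_default)
                result[name] = (area, not passive)
                break
    return result


def audit_hellos(ospf_ifaces, transit):
    """Interfaces that send Hellos but face no legitimate neighbor: a router plugged in there
    can form an adjacency and pull the whole LSDB (the attack the blog describes)."""
    return sorted(name for name, (_, active) in ospf_ifaces.items()
                  if active and name not in transit)


if __name__ == "__main__":
    ifaces = ospf_interfaces(*parse_config(RUNNING_CONFIG))
    for name, (area, active) in sorted(ifaces.items()):
        print("%-18s area %s  %s" % (name, area, "sends Hellos" if active else "passive"))
    print("should be passive:", audit_hellos(ifaces, transit={"Serial1/0", "Serial1/1"}))
```

The audit reports FastEthernet0/1: it matches a network statement, and the stray no passive-interface line re-activated it, so a device on the server VLAN could become an OSPF neighbor of R2. The users port FastEthernet0/0 is fine because passive-interface default covers it.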

 

Verification:

In the output below, the arrows point at the passive interfaces.

 

[image 12k: R1 verification output with the passive interfaces marked]

Once an active interface becomes passive, no neighbor will ever show up on it in the neighbor table, because it stops sending and accepting Hellos. The figure below shows that the OSPF neighbor on the remaining active interface was established smoothly. We will discuss the neighbor table later as we go on.

[image 12L: show ip ospf neighbor on R1]

We will check R2

[image 12m: R2 verification output with the passive interfaces marked]

The same check on R2: nothing appears on the passive interfaces, while the neighbors on the two active serial interfaces are still established.

[image 12n: show ip ospf neighbor on R2]

Let’s check R3

[image 12o: R3 verification output with the passive interfaces marked]

And the same on R3: its passive interfaces carry no neighbor, and the neighbor on serial 1/1 is still established.

[image 12p: show ip ospf neighbor on R3]

Alright, that is just one way to establish security on an OSPF network. The next topic is securing the OSPF network with authentication keys, but first lemme take my lunch, mate!