Monday, April 9, 2012

The OSPF Not-So-Stubby Area (NSSA)

The Open Shortest Path First (OSPF) routing protocol is a critical piece of knowledge for any networking professional working in an enterprise environment. Most major networking certifications covering routing and switching, including the Cisco Certified Network Associate (CCNA), Cisco Certified Network Professional (CCNP), and Cisco Certified Internetwork Expert (CCIE), extensively test OSPF knowledge and skills. OSPF is the most popular dynamic routing protocol used in complex enterprise networks. This example will demonstrate the concepts and configuration involved with setting up a not-so-stubby OSPF area. This lab is built using Dynamips/GNS3 utilizing Cisco c3725 routers.

The OSPF implementation in Cisco IOS recognizes 5 main classifications of areas:
The NSSA Option for OSPF areas is defined in RFC 1587. The NSSA option partially undoes a portion of what the stub area is designed to do. The OSPF stub area eliminates the propagation of external routes in an area by creating a default route that is propagated into the NSSA by the ABR. The NSSA standard creates a new type of LSA, the type 7 (NSSA External) LSA, and floods that through the NSSA. ABRs for the NSSA translate type 7 LSAs and propagate them to the backbone area and other type-5-LSA capable areas as type 5 (external) LSAs. ASBRs in the NSSA are not actually advertised into the backbone area as type 4 (ASBR summary) LSAs.


From a network design standpoint, NSSAs have a limited application to large enterprise networks and service providers using OSPF as an interior gateway protocol. The idea centers on the assumption that there are non-transit networks that are candidates to be connected to a stub area, but are not part of the OSPF routing domain. In a way, these external networks and the OSPF area that they are connected to can be considered a leaf in the larger spanning tree developed by the other OSPF areas.

The following topology shows everything that we will need to explore the not-so-stubby area in Cisco's OSPF implementation.





The ASBRs create both E1 (N1) and E2 (N2) routes. Remember that paths to E2/N2 routes are evaluated only on the external cost. E1/N1 costs are determined by a combination of the external and internal (to the OSPF routing domain) costs to reach a subnet. E2/N2 networks are considered higher cost than E1/N1 networks, regardless of whether the E2/N2 metric is actually lower than the E1/N1 metric.

The configuration of the ASBR and NSSA_ASBR redistribution is most easily accomplished using a route map that matches prefix lists for the routes:


On ASBR:

router ospf 1
 log-adjacency-changes
 redistribute connected subnets route-map redist-lo-into-ospf
 network 10.0.0.0 0.0.0.255 area 0
!
ip prefix-list lo-into-ospf-e1 seq 5 permit 172.16.1.0/24
!
ip prefix-list lo-into-ospf-e2 seq 5 permit 172.16.2.0/24
!
! **Make 172.16.1.0/24 an E1 route**
!
route-map redist-lo-into-ospf permit 10
 match ip address prefix-list lo-into-ospf-e1
 set metric-type type-1
!
! **Make 172.16.2.0/24 an E2 route**
!
route-map redist-lo-into-ospf permit 20
 match ip address prefix-list lo-into-ospf-e2
 set metric-type type-2
!




On NSSA_ASBR:

router ospf 1
 log-adjacency-changes
 area 1 nssa default-information-originate
 redistribute connected subnets route-map lo-to-ospf
 network 192.168.1.0 0.0.0.255 area 1
!
ip prefix-list lo-to-ospf-t1 seq 5 permit 192.168.100.0/24
!
ip prefix-list lo-to-ospf-t2 seq 5 permit 192.168.200.0/24
!
route-map lo-to-ospf permit 10
 match ip address prefix-list lo-to-ospf-t1
 set metric-type type-1
!
route-map lo-to-ospf permit 20
 match ip address prefix-list lo-to-ospf-t2
 set metric-type type-2
!


For routers attached to the NSSA, the area nssa router configuration command is required to set the correct flag in the OSPF hello packet. All routers in the area have to agree that the particular area is an NSSA; otherwise they will not be able to form adjacencies. NSSAs also have a special consideration: the ABR does not generate a default route unless the default-information-originate option is used.


We know from previous examples that the ABRs have full databases for all of the areas that they are connected to, so let's look at the routing tables and OSPF databases on Area0 and Area1. Area1 is an internal router for area 1, meaning that all of its OSPF-enabled interfaces are in area 1, the NSSA. In this case, we see the two external routes for the networks advertised by NSSA_ASBR and the default route advertised by the ABR (unlike a stub area, this is originated by the ABR as a type 7 LSA):


Area1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route


Gateway of last resort is 192.168.0.1 to network 0.0.0.0

O N2 192.168.200.0/24 [110/20] via 192.168.1.2, 03:24:47, Serial0/1
     10.0.0.0/24 is subnetted, 2 subnets
O IA    10.0.0.0 [110/192] via 192.168.0.1, 03:28:20, Serial0/0
O IA    10.0.1.0 [110/128] via 192.168.0.1, 03:28:20, Serial0/0

C    192.168.0.0/24 is directly connected, Serial0/0
C    192.168.1.0/24 is directly connected, Serial0/1
O N1 192.168.100.0/24 [110/84] via 192.168.1.2, 03:24:47, Serial0/1

O*N2 0.0.0.0/0 [110/1] via 192.168.0.1, 00:02:47, Serial0/0



The OSPF database from Area1 is shown below. LSAs for networks originating from area 0 are green, and LSAs for networks originating in area 1 are blue. The special type-7 LSA for the default route is purple:


Area1#show ip ospf database

            OSPF Router with ID (192.168.1.1) (Process ID 1)

                Router Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum Link count
192.168.0.1     192.168.0.1     785         0x8000000D 0x006615 2
192.168.1.1     192.168.1.1     589         0x8000000B 0x00D6FF 4
192.168.200.1   192.168.200.1   390         0x80000009 0x007D6E 2


                Summary Net Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum
10.0.0.0        192.168.0.1     785         0x80000007 0x0093A8
10.0.1.0        192.168.0.1     785         0x80000007 0x000675


                Type-7 AS External Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum Tag
0.0.0.0         192.168.0.1     359         0x80000001 0x00FA4C 0
192.168.100.0   192.168.200.1   390         0x80000007 0x008B18 0
192.168.200.0   192.168.200.1   390         0x80000007 0x00BEFF 0



Area0 is an internal router for the backbone area. In this case, the LSAs originating in area 1 for the external 192.168.100.0 and 192.168.200.0 networks are converted to type-5 LSAs for any other areas in the OSPF routing domain that are type-5 capable. The routing table shows that the N1 routes have been converted to E1 and the N2 routes have been converted to E2.


Area0#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route


Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 2 subnets
O E1    172.16.1.0 [110/84] via 10.0.0.1, 1d00h, Serial0/0
O E2    172.16.2.0 [110/20] via 10.0.0.1, 1d00h, Serial0/0

O E2 192.168.200.0/24 [110/20] via 10.0.1.2, 03:37:32, Serial0/1
     10.0.0.0/24 is subnetted, 2 subnets
C       10.0.0.0 is directly connected, Serial0/0
C       10.0.1.0 is directly connected, Serial0/1

O IA 192.168.0.0/24 [110/128] via 10.0.1.2, 03:41:43, Serial0/1
O IA 192.168.1.0/24 [110/192] via 10.0.1.2, 03:40:23, Serial0/1

O E1 192.168.100.0/24 [110/212] via 10.0.1.2, 03:37:34, Serial0/1



In the OSPF database, we also see that there are no type 7 LSAs and the LSAs advertising the 192.168.100 and 192.168.200 external networks are now type 5 LSAs. The same coloring scheme is used here as in the example above:


Area0#show ip ospf database

            OSPF Router with ID (10.0.1.1) (Process ID 1)

                Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
10.0.1.1        10.0.1.1        1748        0x8000002E 0x009ECA 4
172.16.2.1      172.16.2.1      898         0x8000002F 0x00389B 2

192.168.0.1     192.168.0.1     1573        0x8000000C 0x00306D 2

                Summary Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
192.168.0.0     192.168.0.1     1573        0x80000007 0x003CE6
192.168.1.0     192.168.0.1     1330        0x80000007 0x00B32E


                Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag
172.16.1.0      172.16.2.1      898         0x8000002C 0x00D6A1 0
172.16.2.0      172.16.2.1      898         0x8000002C 0x004FA7 0

192.168.100.0   192.168.0.1     1330        0x80000007 0x009DD8 0
192.168.200.0   192.168.0.1     1330        0x80000007 0x00D0C0 0
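
The type-7 to type-5 translation visible in the two databases above can be checked mechanically. This is an added example, not part of the original post: it parses the external-LSA sections of the two outputs shown here and reports which NSSA externals the ABR re-originated into the backbone. The function names are hypothetical, and the ABR router ID 192.168.0.1 is read from the ADV Router column above.

```python
import re
# Excerpts of the two "show ip ospf database" outputs shown on this page.
AREA1_DB = """\
                Type-7 AS External Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum Tag
0.0.0.0         192.168.0.1     359         0x80000001 0x00FA4C 0
192.168.100.0   192.168.200.1   390         0x80000007 0x008B18 0
192.168.200.0   192.168.200.1   390         0x80000007 0x00BEFF 0
"""
AREA0_DB = """\
                Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag
172.16.1.0      172.16.2.1      898         0x8000002C 0x00D6A1 0
172.16.2.0      172.16.2.1      898         0x8000002C 0x004FA7 0
192.168.100.0   192.168.0.1     1330        0x80000007 0x009DD8 0
192.168.200.0   192.168.0.1     1330        0x80000007 0x00D0C0 0
"""
HEADER = re.compile(r"^\s+(?:Type-(\d) AS External|.+) Link States")
ROW = re.compile(r"^(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+\d+\s+0x")

def external_lsas(show_output):
    """Return {lsa_type: {link_id: adv_router}} for type-5/type-7 sections."""
    lsas, current = {}, None
    for line in show_output.splitlines():
        header, row = HEADER.match(line), ROW.match(line)
        if header:  # any "... Link States" header starts a new section
            current = int(header.group(1)) if header.group(1) else None
        elif row and current:  # rows of Router/Summary sections are skipped
            lsas.setdefault(current, {})[row.group(1)] = row.group(2)
    return lsas

def audit_translation(nssa_db, backbone_db, abr_id):
    """Classify external prefixes by how they reach the backbone."""
    type7 = set(external_lsas(nssa_db).get(7, {}))
    type5 = external_lsas(backbone_db).get(5, {})
    from_abr = {p for p, adv in type5.items() if adv == abr_id}
    return {
        # type-7 in the NSSA, re-originated as type-5 by the ABR
        "translated": sorted(from_abr & type7),
        # type-7 that stays inside the NSSA (here: the ABR's default route)
        "nssa_only": sorted(type7 - set(type5)),
        # type-5 from the ABR with no type-7 behind it: worth investigating
        "unexplained": sorted(from_abr - type7),
        # type-5 originated by routers other than the ABR
        "other_origin": sorted(set(type5) - from_abr),
    }

REPORT = audit_translation(AREA1_DB, AREA0_DB, abr_id="192.168.0.1")
```

On the outputs above, the two NSSA_ASBR prefixes land in "translated", the default route in "nssa_only", and the two 172.16.x.0 prefixes from the backbone ASBR in "other_origin".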



This post showed the basic configuration and mechanics of an NSSA in Cisco's OSPF implementation.

See Also,
The Road to the CCIE




