ccie blog

Understanding Default Routing With OSPF NSSAs

Default routing in NSSAs needs a little bit of thought before you do it. The reason is that you can generate either a type 5 LSA or a type 7 LSA for your default route depending on the command you enter, and the type 5 default won’t go into the NSSA. There are some other really interesting factors that you should also take into consideration, and I will talk about these in this post. The topology I will use is shown below.

[Figure: topology diagram, “OSPF_Understanding Default Routing”]

Assume mutual redistribution is done between EIGRP and OSPF on both R2 and R4. No default routing has been configured yet.

Take the scenario above. Let’s assume ISP1 is primary, and ISP2 is used in case the connection to ISP1 fails. This means we want to generate a default route into the OSPF domain that sends traffic via ISP1 as the best path, and a default route via ISP2 as a backup path. So let’s think about that for a second. R2 could easily generate a default route into the OSPF domain and make all routers inside the OSPF domain use it as the primary path. However, when R4 creates the backup default route and distributes it into the OSPF domain, R2 would not be able to install it. The reason is that R4 always uses a type 5 LSA when generating an OSPF default route. Since R2 sits inside an NSSA, it never receives a type 5 LSA from anywhere inside the OSPF domain.

Let’s have a look at the state of the network as it currently stands.

On R5, we can see that we have routes to all subnets:

R5#sh ip route | b Gate
Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 4 subnets
D EX    10.0.12.0 [170/2588160] via 10.0.45.4, 00:02:41, FastEthernet0/1
D EX    10.0.23.0 [170/2588160] via 10.0.45.4, 00:02:41, FastEthernet0/1
C       10.0.45.0 is directly connected, FastEthernet0/1
D EX    10.0.34.0 [170/2588160] via 10.0.45.4, 00:02:41, FastEthernet0/1

And now let’s check R2’s routing table. This is where we would expect to see reachability issues, since R2 cannot learn about the type 5 LSAs for the EIGRP 2 domain.

R2#sh ip route | b Gate
Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 3 subnets
C       10.0.12.0 is directly connected, FastEthernet0/0
C       10.0.23.0 is directly connected, FastEthernet0/1
O IA    10.0.34.0 [110/20] via 10.0.23.3, 00:08:00, FastEthernet0/1

So it’s behaving as we would expect. External EIGRP 2 routes could not get into the OSPF NSSA because they are redistributed as type 5 LSAs, which are not allowed into an NSSA. So R2 could therefore not learn about these routes.

So let’s fix this problem by making a default route that points towards ISP 2 (i.e. the backup ISP first).

R4(config)#router ospf 1
R4(config-router)#default-information originate always

This is going to generate an LSA type 5 default route into the OSPF domain for all routers except those that sit only inside the NSSA, i.e. R2. So let’s confirm the default route reached as far as R3.

R3#sh ip ospf database external 0.0.0.0

            OSPF Router with ID (3.3.3.3) (Process ID 1)

                Type-5 AS External Link States

  Routing Bit Set on this LSA
  LS age: 191
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: 0.0.0.0 (External Network Number )
  Advertising Router: 4.4.4.4
  LS Seq Number: 80000001
  Checksum: 0xC2DF
  Length: 36
  Network Mask: /0
        Metric Type: 2 (Larger than any link state path)
        TOS: 0
        Metric: 1
        Forward Address: 0.0.0.0
        External Route Tag: 1

So we can see that the type 5 LSA reached R3, and the routing bit was set (meaning we can route to it). Now the goal is to get this default route into the NSSA so that R2 can use it. Technically you can’t pass the default route into the NSSA because you can’t do a type 5 to type 7 translation, but what you do is make R3 generate its OWN default route for the NSSA. To do this we need to apply some configuration to R3. We have two options that we can use, default-information-originate and no-summary, both of which appear in the help output below.

R3(config-router)#area 1 nssa ?
  default-information-originate  Originate Type 7 default into NSSA area
  no-redistribution              No redistribution into this NSSA area
  no-summary                     Do not send summary LSA into NSSA
  translate                      Translate LSA

The first option is the simplest and generates a type 7 default into the NSSA. The second option, no-summary, although it’s not very obvious, can also be used to generate a type 3 default route into the NSSA. I’m going to show examples of both. Let’s start by configuring the first option.

R3(config-router)#area 1 nssa default-information-originate

Now let’s check that R2’s OSPF database received the default route.

R2#sh ip ospf database

            OSPF Router with ID (2.2.2.2) (Process ID 1)

                Router Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum Link count
2.2.2.2         2.2.2.2         343         0x80000004 0x00E9BB 2
3.3.3.3         3.3.3.3         498         0x80000005 0x008A14 2

                Summary Net Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum
0.0.0.0         3.3.3.3         3608        0x80000002 0x00D257
10.0.34.0       3.3.3.3         9           0x80000001 0x003FB5

                Type-7 AS External Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum Tag
0.0.0.0         3.3.3.3         6           0x80000001 0x00770A 0
10.0.12.0       2.2.2.2         344         0x80000002 0x00C48F 0

And it did. Ok let’s try that second option on R3 now.

R3(config-router)#no area 1 nssa default-information-originate
R3(config-router)#area 1 nssa no-summary

I expect to now see an LSA type 3 default route on R2.

R2#sh ip ospf da

            OSPF Router with ID (2.2.2.2) (Process ID 1)

                Router Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum Link count
2.2.2.2         2.2.2.2         118         0x80000004 0x00E9BB 2
3.3.3.3         3.3.3.3         272         0x80000005 0x008A14 2

                Summary Net Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum
0.0.0.0         3.3.3.3         124         0x80000001 0x00DE4B

                Type-7 AS External Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum Tag
10.0.12.0       2.2.2.2         118         0x80000002 0x00C48F 0

And we do. What’s happened here is that R3 has now summarised all of the links in the OSPF domain into a single LSA type 3 default route and forwarded this to R2. The impact of this is that R2 no longer has a route to the 10.0.34.0 network because R3 has summarised this into just a default route. You can see this if you compare this database output against the previous one that we did above on R2 (i.e. 10.0.34.0 has gone from the “Summary Net Link States”).

Ok this is the backup default route configuration complete. Let’s now look at creating the other default route that goes via ISP 1.

On R2 we can’t use the command “default-information originate always” because this generates an LSA type 5 default route, and the NSSA will not allow type 5 LSAs in the area. The actual command we need to use is below.

R2(config-router)#area 1 nssa default-information-originate

! I will explain why I also need this extra config below
R1(config)#int fa0/0
R1(config-if)#ip summary-address eigrp 1 0.0.0.0 0.0.0.0
! this is the interface facing R2

Looking at the first line of this config, you can’t actually configure the keyword “always” at the end. R2 therefore needs a default route in its RIB before it can distribute its own default route into the OSPF domain. Since there is this reliance, I would not want R2 to depend on the default route that R3 advertises to it in order to advertise its own default route via R1. It doesn’t make sense. You would want to know that you can reach the external networks via R1 AND THEN advertise a default route towards the OSPF domain. This is why I created this EIGRP summary route and redistributed it into OSPF. This way, as long as R1 is advertising a default route to R2, R2 will advertise its own default route towards the OSPF domain.

So let’s check on R3 now, to see if he received this default route from R2.

R3#sh ip ospf database

            OSPF Router with ID (3.3.3.3) (Process ID 1)

                Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
3.3.3.3         3.3.3.3         1766        0x80000005 0x00A0E5 2
4.4.4.4         4.4.4.4         1655        0x80000005 0x003D45 2

                Summary Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
10.0.23.0       3.3.3.3         1766        0x80000002 0x0011F3

                Router Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum Link count
2.2.2.2         2.2.2.2         1613        0x80000004 0x00E9BB 2
3.3.3.3         3.3.3.3         1766        0x80000005 0x008A14 2

                Summary Net Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum
0.0.0.0         3.3.3.3         77          0x80000001 0x00DE4B

                Type-7 AS External Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum Tag
0.0.0.0         2.2.2.2         608         0x80000001 0x000F6F 0
10.0.12.0       2.2.2.2         1614        0x80000002 0x00C48F 0

                Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag
0.0.0.0         4.4.4.4         898         0x80000002 0x00C0E0 1
10.0.12.0       3.3.3.3         1521        0x80000002 0x003B1F 0
10.0.45.0       4.4.4.4         1657        0x80000002 0x00F95E 0

So from the output we can see R2 is advertising an LSA type 7 default route to R3, and we can see R4 has advertised an LSA type 5 default route to R3. So let’s check the routing table to see which one has been preferred.

R3# sh ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
  Known via "ospf 1", distance 110, metric 1, candidate default path
  Tag 1, type extern 2, forward metric 10
  Last update from 10.0.34.4 on FastEthernet0/0, 00:07:13 ago
  Routing Descriptor Blocks:
  * 10.0.34.4, from 4.4.4.4, 00:07:13 ago, via FastEthernet0/0
      Route metric is 1, traffic share count is 1
      Route tag 1

So R3 is preferring the default route via R4. Presumably because an E2 route is always preferred over an N2 route? In this case, yes. But it’s not because an E2 route is ALWAYS preferred over an N2 route. It’s because the costs to reach either ASBR are tied (and this is why the books are all wrong), and in that case the E2 route is always preferred. So let me try to explain this more clearly using a demonstration. To do this we must look closely at the database entries for these two default routes on R3.

R3#sh ip ospf database external 0.0.0.0

            OSPF Router with ID (3.3.3.3) (Process ID 1)

                Type-5 AS External Link States

  Routing Bit Set on this LSA
  LS age: 1616
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: 0.0.0.0 (External Network Number )
  Advertising Router: 4.4.4.4
  LS Seq Number: 80000002
  Checksum: 0xC0E0
  Length: 36
  Network Mask: /0
        Metric Type: 2 (Larger than any link state path)
        TOS: 0
        Metric: 1
        Forward Address: 0.0.0.0
        External Route Tag: 1
R3#
R3#sh ip ospf database nssa-external 0.0.0.0

            OSPF Router with ID (3.3.3.3) (Process ID 1)

                Type-7 AS External Link States (Area 1)

  LS age: 1389
  Options: (No TOS-capability, Type 7/5 translation, DC)
  LS Type: AS External Link
  Link State ID: 0.0.0.0 (External Network Number )
  Advertising Router: 2.2.2.2
  LS Seq Number: 80000001
  Checksum: 0xF6F
  Length: 36
  Network Mask: /0
        Metric Type: 2 (Larger than any link state path)
        TOS: 0
        Metric: 1
        Forward Address: 10.0.23.2
        External Route Tag: 0

What we can see in the first entry is that the metric is 1. This means that the ASBR’s cost to reach the default route is 1. To work out the end-to-end cost to reach the default route, you have to work out the cost to the forwarding address. In the first output this is simple because the forward address is 0.0.0.0, which means that R3 must work out the cost to the advertising router (4.4.4.4). Since R3 and R4 share the same area, I can just check the router LSA that R3 generated describing its link towards R4 in order to find the cost.

R3#sh ip ospf database router self-originate

            OSPF Router with ID (3.3.3.3) (Process ID 1)

                Router Link States (Area 0)

  LS age 1796
  Options (No TOS-capability, DC)
  LS Type Router Links
  Link State ID 3.3.3.3
  Advertising Router 3.3.3.3
  LS Seq Number 80000011
  Checksum 0x88F1
  Length 48
  Area Border Router
  AS Boundary Router
  Number of Links 2

    Link connected to another Router (point-to-point)
     (Link ID) Neighboring Router ID 4.4.4.4
     (Link Data) Router Interface address 10.0.34.3
      Number of TOS metrics 0
       TOS 0 Metrics 10

So the forward metric to R4 (the ASBR) is just 10. This means the total end to end cost to reach the default route is 10 + 1 (because R4 told us that his cost to the default route is 1). If we do the same thing for the nssa-external default route this time the calculation is very slightly different because the forwarding address is a non-zero value (specifically 10.0.23.2). Normally you would check the routing table for this forwarding address IP, but since that IP is actually just directly connected to R3, we can just do this:

R3#sh ip ospf int brief
Interface    PID   Area            IP Address/Mask    Cost  State Nbrs F/C
Fa0/0        1     0               10.0.34.3/24       10    P2P   0/1
Fa0/1        1     1               10.0.23.3/24       10    P2P   1/1

So the forward metric is actually just 10. This means that the total end-to-end cost to reach the destination via the NSSA external default route is 10 + 1. Because both default routes have EQUAL forward metrics (10) to reach the forward address, the E2 route is preferred over the N2 default route. I can prove this by reducing the link cost towards the NSSA external route to 9. This makes the forward metric 9 via the type 7 default route, vs 10 via the type 5 default route. I will do that now.

R3(config)#int fa0/1
R3(config-if)#ip ospf cost 9
R3(config-if)#end
R3#
R3#sh ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
  Known via "ospf 1", distance 110, metric 1, candidate default path, type NSSA extern 2, forward metric 9
  Last update from 10.0.23.2 on FastEthernet0/1, 00:00:10 ago
  Routing Descriptor Blocks:
  * 10.0.23.2, from 2.2.2.2, 00:00:10 ago, via FastEthernet0/1
      Route metric is 1, traffic share count is 1

So now you can see that because the forward metric to the forwarding address is now 9, the N2 route has been preferred vs the E2 route, and we have created the desired topology.
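The comparison R3 performs above, written out as an added Python example (not code from the original post or from IOS). It uses the metrics and costs shown in the R3 outputs; the `n2_metric` parameter is a hypothetical addition that goes beyond the post to show that a type 2 route's advertised metric is compared before the forward metric.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ExtDefault:
    lsa_type: int    # 5 = AS-external (E2), 7 = NSSA-external (N2)
    adv_router: str  # router ID of the originating ASBR
    metric: int      # type 2 metric carried in the LSA
    fwd_addr: str    # 0.0.0.0 means "use the cost to the advertising router"

def forward_metric(lsa, cost_to_router, cost_to_addr):
    """Cost from the calculating router to the ASBR or to the forwarding address."""
    if lsa.fwd_addr == "0.0.0.0":
        return cost_to_router[lsa.adv_router]
    return cost_to_addr[lsa.fwd_addr]

def best_default(lsas, cost_to_router, cost_to_addr):
    """Order type 2 externals by advertised metric, then forward metric,
    then LSA type (5 before 7), which is the tie-break seen on R3."""
    return min(lsas, key=lambda l: (l.metric,
                                    forward_metric(l, cost_to_router, cost_to_addr),
                                    l.lsa_type))

def r3_choice(fa0_1_cost, n2_metric=1):
    """R3's view, using values from the LSA and interface outputs on this page.
    n2_metric is a hypothetical knob for the metric R2 advertises."""
    e2 = ExtDefault(5, "4.4.4.4", 1, "0.0.0.0")
    n2 = ExtDefault(7, "2.2.2.2", n2_metric, "10.0.23.2")
    cost_to_router = {"4.4.4.4": 10}           # Fa0/0 cost toward R4
    cost_to_addr = {"10.0.23.2": fa0_1_cost}   # Fa0/1 cost toward R2
    return best_default([e2, n2], cost_to_router, cost_to_addr)

if __name__ == "__main__":
    for cost, metric in ((10, 1), (9, 1), (9, 2)):
        winner = r3_choice(cost, metric)
        kind = "E2 via R4" if winner.lsa_type == 5 else "N2 via R2"
        print(f"Fa0/1 cost {cost}, N2 metric {metric}: {kind}")
```

With the Fa0/1 cost at 10 the forward metrics tie and the E2 route wins; at 9 the N2 route wins, unless R2 advertises a higher type 2 metric, in which case the lower forward metric no longer matters.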

1 Comment

Kamil, September 10th, 2015 at 11:41 am

Simply great scenario and troubleshooting process. Would like to have similar scenarios to be seen in Cisco books.

Thanks,
