OSPF Summarization

In previous posts, I have mentioned using stub areas as a way to provide scalability in OSPF networks. Another way OSPF helps us achieve this is through summarization and/or filtering. Summarization reduces the number of prefixes or routes that a router must maintain; this is done by aggregating multiple prefixes into a single summary address.

Now, OSPF has certain limitations in terms of summarization. The easiest way to understand them is this: summarization can only be done on ABR or ASBR routers. This is because summarization is only possible at the point where a given route or prefix-LSA is generated or translated into a different LSA type.

Another limitation that has to be mentioned is that in OSPF, unlike other routing protocols, summarization has to be configured manually. There is no auto-summary functionality.

OSPF Inter-Area Route Summarization:

Inter-area route summarization is done in the ABR when converting intra-area routes (Type-1/Type-2) into inter-area routes (Type-3).   To configure OSPF inter-area summarization, use the area {area-source} range {network} {subnet-mask} OSPF process command.

OSPF External Route Summarization:

External route summarization is typically done in the ASBR when redistributed routes are converted to external OSPF routes (Type-5 or Type-7), however, it can also be done in ABRs when generating Type-5 LSAs.  To configure OSPF external route summarization, use the summary-address {network} {subnet-mask} OSPF process command.

The Discard Route:

When OSPF summarizes prefixes, it installs a discard route in the routing table by default. You will find a route pointing to Null0 in the routing table. The Null0 interface is, in essence, a trash bin: all packets routed to Null0 are dropped. The discard route works as a loop prevention mechanism. It prevents the router from forwarding traffic for an address inside the summary to a less specific route (such as a default route) when no more specific route exists in the routing table.

The discard-route is installed as an internal route and can be suppressed.   To disable OSPF discard-route generation use the no discard-route {internal|external} OSPF process command.

Let’s use the following example to demonstrate OSPF summarization:

OSPF-SUMMARY-01

The relevant initial configuration files are as follows:

R1:

!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
ip ospf 1 area 30
!
interface Ethernet0/0
ip address 192.168.30.1 255.255.255.0
ip ospf 1 area 30
!
interface Serial1/0
ip address 192.168.16.1 255.255.255.252
serial restart-delay 0
!
router eigrp Branch-B
!
address-family ipv4 unicast autonomous-system 100
!
topology base
default-metric 10000 100 255 1 1500
redistribute ospf 1
exit-af-topology
network 192.168.16.0 0.0.0.3
eigrp router-id 1.1.1.1
exit-address-family
!
router ospf 1
router-id 0.0.0.1
redistribute eigrp 100 subnets
!

R2:

!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
ip ospf 1 area 0
!
interface Ethernet0/0
ip address 192.168.30.2 255.255.255.0
ip ospf 1 area 30
!
interface Ethernet0/1
ip address 192.168.10.2 255.255.255.0
ip ospf 1 area 0
!
router ospf 1
router-id 0.0.0.2
area 30 nssa
!

R3:

!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
ip ospf 1 area 0
!
interface Ethernet0/0
ip address 192.168.30.3 255.255.255.0
ip ospf 1 area 30
!
interface Ethernet0/1
ip address 192.168.10.3 255.255.255.0
ip ospf 1 area 0
!
router ospf 1
router-id 0.0.0.3
area 30 nssa
!

R4:

!
interface Loopback0
ip address 4.4.4.4 255.255.255.255
ip ospf 1 area 0
!
interface Loopback1
ip address 10.0.1.1 255.255.255.0
ip ospf network point-to-point
ip ospf 1 area 0
!
interface Loopback2
ip address 10.0.2.1 255.255.255.0
ip ospf network point-to-point
!
interface Loopback3
ip address 10.0.3.1 255.255.255.0
ip ospf network point-to-point
!
interface Loopback4
ip address 10.0.4.1 255.255.255.0
ip ospf network point-to-point
!
interface Loopback5
ip address 10.0.5.1 255.255.255.0
ip ospf network point-to-point
!
interface Loopback6
ip address 10.0.6.1 255.255.255.0
ip ospf network point-to-point
!
interface Loopback7
ip address 10.0.7.1 255.255.255.0
ip ospf network point-to-point
!
interface Loopback8
ip address 10.0.8.1 255.255.255.0
ip ospf network point-to-point
!
interface Loopback9
ip address 10.0.9.1 255.255.255.0
ip ospf network point-to-point
!
interface Loopback10
ip address 10.0.10.1 255.255.255.0
ip ospf network point-to-point
!
interface Ethernet0/0
ip address 192.168.20.4 255.255.255.0
ip ospf 1 area 20
!
interface Ethernet0/1
ip address 192.168.10.4 255.255.255.0
ip ospf 1 area 0
!
interface Ethernet0/2
ip address 192.168.254.2 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 192.168.254.1
!
router ospf 1
router-id 0.0.0.4
area 20 stub
network 10.0.0.0 0.0.255.255 area 0
default-information originate
!

R5:

!
interface Loopback0
ip address 5.5.5.5 255.255.255.255
ip ospf 1 area 20
!
interface Loopback1
ip address 10.5.1.1 255.255.255.0
ip ospf network point-to-point
!
interface Loopback2
ip address 10.5.2.1 255.255.255.0
ip ospf network point-to-point
!
interface Loopback3
ip address 10.5.3.1 255.255.255.0
ip ospf network point-to-point
!
interface Loopback4
ip address 10.5.4.1 255.255.255.0
ip ospf network point-to-point
!
interface Loopback5
ip address 10.5.5.1 255.255.255.0
ip ospf network point-to-point
!
interface Ethernet0/0
ip address 192.168.20.5 255.255.255.0
ip ospf 1 area 20
!
router ospf 1
router-id 0.0.0.5
area 20 stub
network 10.5.0.0 0.0.255.255 area 20
!

R6:

!
interface Loopback0
ip address 6.6.6.6 255.255.255.255
!
interface Loopback1
ip address 172.16.1.1 255.255.255.0
!
interface Loopback2
ip address 172.16.2.1 255.255.255.0
!
interface Loopback3
ip address 172.16.3.1 255.255.255.0
!
interface Loopback4
ip address 172.16.4.1 255.255.255.0
!
interface Loopback5
ip address 172.16.5.1 255.255.255.0
!
interface Loopback6
ip address 172.16.6.1 255.255.255.0
!
interface Loopback7
ip address 172.16.7.1 255.255.255.0
!
interface Loopback8
ip address 172.16.8.1 255.255.255.0
!
interface Loopback9
ip address 172.16.9.1 255.255.255.0
!
interface Loopback10
ip address 172.16.10.1 255.255.255.0
!
interface Serial1/0
ip address 192.168.16.2 255.255.255.252
serial restart-delay 0
!
router eigrp Branch-B
!
address-family ipv4 unicast autonomous-system 100
!
topology base
exit-af-topology
network 6.6.6.6 0.0.0.0
network 172.16.0.0
network 192.168.16.0 0.0.0.3
eigrp router-id 6.6.6.6
exit-address-family
!

R7:

!
interface Loopback0
ip address 7.7.7.7 255.255.255.255
ip ospf 1 area 20
!
interface Loopback1
ip address 10.7.1.1 255.255.255.0
ip ospf network point-to-point
!
interface Loopback2
ip address 10.7.2.1 255.255.255.0
ip ospf network point-to-point
!
interface Loopback3
ip address 10.7.3.1 255.255.255.0
ip ospf network point-to-point
!
interface Loopback4
ip address 10.7.4.1 255.255.255.0
ip ospf network point-to-point
!
interface Loopback5
ip address 10.7.5.1 255.255.255.0
ip ospf network point-to-point
!
interface Ethernet0/0
ip address 192.168.20.7 255.255.255.0
ip ospf 1 area 20
!
interface Ethernet0/2
ip address 192.168.254.5 255.255.255.252
!
router ospf 1
router-id 0.0.0.7
area 20 stub
network 10.7.0.0 0.0.255.255 area 20
!

Let’s take a look at the routing table in R4:

OSPF-SUMMARY-02

As can be seen in the above output, R4 has full route visibility; it shows the external routes as well as all intra-area and inter-area routes in the OSPF domain.

Now, let’s start by summarizing the inter-area routes coming from area 20 into two /21 prefixes, 10.5.1.0/21 and 10.7.1.0/21 respectively, and check out the result.

First, let’s take a look at the link-state database to see how these routes are represented in area zero.

OSPF-SUMMARY-03

Take a look at the above display; here goes a trick! The command show ip ospf 1 0 database will display only the link-state database of OSPF process 1 for area 0. Now, take a look at the highlighted section. The ABR has generated summary LSAs corresponding to the loopback interfaces of R5 and R7, as expected. Now, let’s do the configuration.

As mentioned before, inter-area summarization must be done in the ABR.  Thus, the configuration goes into R4 which is the ABR for area 20.

!
router ospf 1
area 20 range 10.5.0.0 255.255.248.0
area 20 range 10.7.0.0 255.255.248.0
!

OSPF-SUMMARY-04

At first sight, the routing table seems to be identical. However, next to the red lines you can see two discard routes, one for each summary address. You may think it didn’t work! What happened here is that R4 is an ABR, thus it also has an interface in area 20; therefore it has two link-state databases, one for area 0 and another for area 20. As a matter of fact, it is expected to still have the specific routes there, because routers in the same area must have identical databases. Now let’s take a look at the link-state database.
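To make the aggregation and the discard route concrete, here is an added example that is not part of the original post: it computes the smallest prefix covering R5's loopbacks (the /21 configured above) and models R4's routing table, with R5's routes, the summary's Null0 route and R4's default route as constructed entries, to show why the discard route matters when a destination inside the summary has no specific route.

```python
import ipaddress

def summarize(prefixes):
    """Smallest single prefix covering every given network: the aggregate an
    ABR/ASBR advertises with 'area ... range' or 'summary-address'."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    agg = nets[0]
    while not all(n.subnet_of(agg) for n in nets):
        agg = agg.supernet()          # widen one bit at a time until all fit
    return agg

def lookup(table, dst):
    """Longest-prefix match over [(network, next_hop)]; returns the next hop or None."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, nh) for net, nh in table if dst in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

# Constructed routing table modelled on R4: R5's loopbacks learned via area 20,
# the /21 summary's discard route, and the default route towards 192.168.254.1.
R5_LOOPBACKS = [f"10.5.{i}.0/24" for i in range(1, 6)]
SUMMARY = summarize(R5_LOOPBACKS)                    # 10.5.0.0/21

def r4_table(discard_route=True):
    table = [(ipaddress.ip_network(p), "192.168.20.5") for p in R5_LOOPBACKS]
    table.append((ipaddress.ip_network("0.0.0.0/0"), "192.168.254.1"))
    if discard_route:
        table.append((SUMMARY, "Null0"))             # installed automatically with the summary
    return table

if __name__ == "__main__":
    print(SUMMARY, SUMMARY.netmask)                  # 10.5.0.0/21 255.255.248.0
    # A real loopback still follows its specific route.
    print(lookup(r4_table(), "10.5.3.1"))            # 192.168.20.5
    # An address inside the summary with no specific route is dropped at Null0 ...
    print(lookup(r4_table(), "10.5.6.1"))            # Null0
    # ... but with 'no discard-route' it would follow the default and could loop back.
    print(lookup(r4_table(discard_route=False), "10.5.6.1"))  # 192.168.254.1
```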

OSPF-SUMMARY-05

Take a look at the above display: now the ABR has replaced the individual LSAs for the loopbacks of R5 and R7 with two summary LSAs corresponding to the summary addresses. These LSAs were then propagated to the routers within area 0, R2 and R3.

Let’s take a look at the R2 and R3 routing tables:

OSPF-SUMMARY-06

OSPF-SUMMARY-07

R2 and R3, which are also ABRs for area 30, will advertise the summary routes to R1, and finally R1 will redistribute the summaries to R6 in the EIGRP domain, as shown next:

OSPF-SUMMARY-08

Now that we have seen inter-area summarization, let’s summarize the external routes redistributed from the EIGRP domain. For this purpose, let’s summarize the 172.16.0.0/24 loopback addresses of R6 into a full /16 range.

In R1 we will find these routes as Type-7 LSAs in the link-state database, because R1 is part of an NSSA area:

OSPF-SUMMARY-09

Now, let’s recall a bit here. Type-7 LSAs are not allowed beyond the NSSA area. The ABRs translate Type-7 into Type-5 LSAs. In our example, there are two ABRs; one of them will be elected translator.

OSPF-SUMMARY-10

OSPF-SUMMARY-11

As seen in the above output, R3 was elected as “Translator”, and the external routes were then propagated to the OSPF domain as Type-5 LSAs. Now, let’s summarize the routes and take a look at the results.

As mentioned before, external summarization must be done in the ASBR. Thus, the configuration goes into R1, which is the ASBR connecting OSPF and EIGRP.

!
router ospf 1
summary-address 172.16.0.0 255.255.0.0
!

Now, let’s take a look at the results in R2 and R3:

OSPF-SUMMARY-12

OSPF-SUMMARY-13

As expected, external summarization works the same way as inter-area summarization. The link-state database was reduced significantly, as shown in R4.

OSPF-SUMMARY-14

To finish this long post I would like to suppress the discard route, just as a way to demonstrate that it can be done. However, I would not do it under normal circumstances.

First, let’s take a look at the discard route status:

OSPF-SUMMARY-15

Let’s suppress the discard route in R1:

!
router ospf 1
no discard-route
!

Now let’s take a look at the discard route status:

OSPF-SUMMARY-16

As can be seen in the above output, after the configuration was applied the discard route was removed from the routing table.

It is time to close this post. Thank you for visiting.

OSPF Passive Interface

When we advertise networks in OSPF using the process command network {ip-address} {wildcard-mask} area {area-id} or the interface command ip ospf {process-id} area {area-id}, the selected network is not just advertised in OSPF; the corresponding interface will also try to form adjacencies on its network segment. This is normal behavior; however, enabling routing everywhere increases the chance of unauthorized devices being inserted. Another consideration is the possibility of an attack where an attacker advertises fake routes into the OSPF domain to black-hole traffic, or even worse, crashes the router.

The following example may illustrate the problem:

OSPF-PassiveIF

First, let’s take a look at the segment 172.16.20.0/24, which corresponds to a group of users. Interface ethernet0/1 of R2 connects to a Layer-2 switch to provide connectivity to the users. No other router is connected to the segment.

R2 Configuration:

!
interface ethernet0/0
ip address 192.168.124.2 255.255.255.0
!
interface ethernet0/1
ip address 172.16.20.2 255.255.255.0
!
interface loopback0
ip address 2.2.2.2 255.255.255.255
!
router ospf 1
router-id 0.0.0.2
network 2.2.2.2 0.0.0.0 area 0
network 172.16.20.0 0.0.0.255 area 0
network 192.168.0.0 0.0.255.255 area 0
!

The above configuration enables OSPF on all three interfaces. Interfaces ethernet0/0 and ethernet0/1 are by default OSPF network type BROADCAST; therefore, by default both interfaces will try to form adjacencies. Let’s take a look at the interface and neighbor status.

OSPF-IF

For interface ethernet0/0 this is fine, because it belongs to a transit network that connects to other routers on the same segment (R1 and R4).

OSPF-IF-e-0-0

However, interface ethernet0/1 connects to a stub network. This network is intended for user computers only and does not require the ability to form adjacencies. In other words, there is no need to send Hello packets over this interface.

OSPF-IF-e-0-1

The above output shows the details of the OSPF process for interface Ethernet0/1; as you can see, the output is similar to the one for interface Ethernet0/0. This interface is also sending Hello packets with its default settings. With the configuration like this, an attacker connected to the switch could use software such as Loki to insert routes into the OSPF domain. (You can watch an example here.)

To prevent this from happening, we can use the passive-interface {interface-id} process command.

!
router ospf 1
passive-interface Ethernet0/1
!

In the above example, setting interface Ethernet0/1 as passive disables the sending of Hello packets on that interface; hence, adjacencies will not be formed. However, the subnet 172.16.20.0/24 will continue to be advertised out the other interfaces.

Let’s take a look at the result:

OSPF-IF-e-0-1-Passive

Now the output of show ip ospf interface E0/1 states that no Hellos are being sent on this interface and that it is a passive interface.

You may be wondering what happens with the interface command ip ospf {process-id} area {area-id}?

Well, it is the same principle. Let’s take a look at R3, which was configured this way.

!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
ip ospf 1 area 0
!
interface Ethernet0/0
ip address 192.168.13.3 255.255.255.0
ip ospf 1 area 0
!
interface Ethernet0/1
ip address 172.16.30.3 255.255.255.0
ip ospf 1 area 0
!
router ospf 1
router-id 0.0.0.3
passive-interface Ethernet0/1
!

OSPF-R3-IF-e-0-1

As you can see, the output of show ip ospf interface E0/1 displays the same results as shown for R2. It states that no Hellos are being sent on this interface and that it is a passive interface.

The Passive-Interface inverse logic:

You may well have a multi-layer switch with multiple VLAN interfaces where you want to configure most or all of them as passive. In this case, it is more effective to set all of the interfaces as passive and then enable Hello packets only on the ones where they are required, instead of setting the interfaces as passive one by one (the inverse logic).

OSPF-IF-default

In this case, we can use the passive-interface default process command to disable Hello packets on all interfaces, and then re-enable Hellos with no passive-interface {interface-id} only on the desired interfaces.

Let’s take a look at the relevant Multi-Layer Switch configuration:

!
ip routing
!
interface Ethernet0/1
description UPLINK-to->R2
no switchport
ip address 192.168.50.2 255.255.255.252
!
interface vlan 10
ip address 10.0.10.254 255.255.255.0
!
interface vlan 20
ip address 10.0.20.254 255.255.255.0
!
interface vlan 30
ip address 10.0.30.254 255.255.255.0
!
interface vlan 40
ip address 10.0.40.254 255.255.255.0
!
interface vlan 50
ip address 10.0.50.254 255.255.255.0
!
interface loopback 0
ip address 50.50.50.50 255.255.255.255
!
router ospf 1
router-id 0.0.0.50
passive-interface default
no passive-interface Ethernet0/1
network 50.50.50.50 0.0.0.0 area 0
network 192.168.50.2 0.0.0.0 area 0
network 10.0.0.0 0.0.255.255 area 0
!

With the above configuration, we have enabled OSPF on the loopback interface, on the uplink interface between the switch and R2, and finally on all of the SVI interfaces. The passive-interface default command disables the sending of Hello packets on all OSPF-enabled interfaces. Finally, no passive-interface Ethernet0/1 re-enables Hello packets on that interface only.
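As an added audit helper that is not part of the original post, the following Python script parses an IOS-style configuration like the ones above and lists the OSPF-enabled interfaces that are not passive, which are the ones still sending Hellos and accepting adjacencies. It understands both the network-statement and the ip ospf area forms of enablement and the passive-interface default inverse logic; the R2 configuration from the post is embedded as sample input, and contiguous wildcard masks are assumed.

```python
import ipaddress

# R2's configuration from the post, condensed: the sample input for the audit below.
R2_CONFIG = """
interface ethernet0/0
 ip address 192.168.124.2 255.255.255.0
interface ethernet0/1
 ip address 172.16.20.2 255.255.255.0
interface loopback0
 ip address 2.2.2.2 255.255.255.255
router ospf 1
 network 2.2.2.2 0.0.0.0 area 0
 network 172.16.20.0 0.0.0.255 area 0
 network 192.168.0.0 0.0.255.255 area 0
 passive-interface Ethernet0/1
"""

def _key(name):
    """Normalize interface names so 'ethernet0/1' and 'Ethernet0/1' compare equal."""
    return name.lower().replace(" ", "")

def nonpassive_ospf_interfaces(config):
    """OSPF-enabled interfaces that are not passive, i.e. the ones that send Hellos
    and accept adjacencies. Handles 'network ... area' and 'ip ospf <pid> area'
    enablement plus the 'passive-interface default' inverse logic.
    Assumes contiguous wildcard masks (non-contiguous ones raise ValueError)."""
    ifaces, networks, enabled = {}, [], set()
    passive, active, passive_default, cur = set(), set(), False, None
    for raw in config.splitlines():
        line, words = raw.strip(), raw.split()
        if line.startswith("interface "):
            cur = _key(line[len("interface "):])
        elif line.startswith("ip address ") and cur:
            ifaces[cur] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
        elif line.startswith("ip ospf ") and "area" in words and cur:
            enabled.add(cur)                      # interface-mode enablement
        elif line.startswith("network "):
            # wildcard -> netmask by inverting the bits (0.0.255.255 -> 255.255.0.0)
            mask = ipaddress.ip_address(int(ipaddress.ip_address(words[2])) ^ 0xFFFFFFFF)
            networks.append(ipaddress.ip_network(f"{words[1]}/{mask}", strict=False))
        elif line == "passive-interface default":
            passive_default = True
        elif line.startswith("passive-interface "):
            passive.add(_key(line[len("passive-interface "):]))
        elif line.startswith("no passive-interface "):
            active.add(_key(line[len("no passive-interface "):]))
    for name, addr in ifaces.items():             # network-statement enablement
        if any(addr.ip in net for net in networks):
            enabled.add(name)
    return sorted(enabled & active) if passive_default else sorted(enabled - passive)

if __name__ == "__main__":
    print(nonpassive_ospf_interfaces(R2_CONFIG))   # ['ethernet0/0', 'loopback0']
```

Loopbacks appear in the list when not passive because the check is purely configuration-based; the interfaces to scrutinize are the ones facing user segments.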

Caution / WARNING!

The passive-interface default command will tear down all adjacencies almost immediately. So, consider how you are connected to the device before applying it.

It is time to close this long post. Thank you for visiting.