Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new blog
688
Views
0
Helpful
0
Comments

OSPF Multi-Area Design in LAN Campus - Traffic Hijacking Issue

Meddane
VIP
VIP
‎11-30-2023 03:15 AM

In a LAN Campus architecture, designing OSPF Multi area must be done carefully to avoid undesirable suboptimal and asymmetric routing which can cause bad experience from the users's perspective in terme of slow connection.

Because the complexity of OSPF, especially the path selection which can breaks the cost-based logic in other words selection of best route based on other criterias rather than the cost, the design becomes essential and must be taken into consideration before going to implementation in order to provide optimal routing and also the best scalable solution.

So let me show with an example.

In this topology, a company has two internet connections with different speed and BGP peering with two ISPs. In order to provide internet connectivity, we need to advertise a default route from the edge routers into OSPF domain, and for better user experience, the path through ISP1 should be preferred. To do that, the router R5 is configured to inject a Type-5 LSA with a metric 10 while R6 advertises a Type-5 LSA with a metric 20, making R5's default route the preferred one.

All links from the access layer to the core layer has a cost of 20, except for the link between R3 and R4 which has a cost of 10.

A vlan subnet 10.1.1.0/24 behind the access router R1.

For scalability and optimization, we decide to move to multi-area design, where the core network with routers R3, R4, R5 and R6 are in the backbone area, while the routers R1, R2, R3 and R4 are in area 1, making the distribution routers R3 and R4 the ABRs.

When designing this type of architecture with full layer 3 between the access, distribution and core layers, the link that connects directly the two ABRs must be designed carefully. The question that arises, where we can put the link R3-R4? in area 0 or area 1?

topo.png

The first scenario with link R3-R4 in area 0.

topology.png

Analyzing the outbound traffic from R1 to Internet when the link between R1 and R3 is down.

R1 and all routers receives the Type-5 LSA default route from R5 and R6, because the external metric of R5's Type-5 LSA is better, the Type-5 LSA's R5 is always preferred.

Now R1 will look the best path to reach the ASBR R5. For this the SPF calculation is based on the Type-4 LSAs receives from the ABRs R3 and R4.

  • R3 advertises a Type-4 LSA with metric 20.
  • R4 advertises a Type-4 LSA with metric 30.

R1 will look the best path to the ABR.

  • The ABR R3 is reachable with a metric 60 (R4-R2-R3).
  • The ABR R4 is reachable directly with a metric 20.

Now R1 calculates the total cost to the ASBR R5 by adding the cost toward the ABR to the cost listed in the Type-4 LSA of this ABR.

  • Using the Type-4 LSA of R3, the total cost is 60+20=80.
  • Using the Type-4 LSA of R4, the total cost is 20+30=30.

We can see that the best computed path is through R4-R3-R5.

R1 installs an external default route with next-hop R4 since this is the unique exit point to reach external destinations.

Now let's move to R4 and let's see how the default route is selected.

From R4's perspective, R4 has two intra-area paths to reach the ASBR R5.

  • Through R3 with a metric 30.
  • Through R6 with a metric 40.

The intra-area route through R3 is better. R4 will install an external default route with next-hop R3.

Finally packet sent from 10.1.1.0/24 to Internet takes the path R1-R4-R3-R5 which is the optimal and correct computed path by R1.

Meddane_1-1701342496620.png

Analyzing the inbound traffic from Internet to R1's network 10.1.1.0/24 when the link between R1 and R3 is down.

Let's start with R5.

R5 learns two Type-3 LSAs for the subnet 10.1.1.0/24 from the ABRs R3 and R4.

  • R3 advertises a Type-3 LSA with a metric 60 (R2-R4-R1) + 1 the cost of the interface connecting to 10.1.1.0/24) = 61.
  • R4 advertises a Type-3 LSA with a metric 20 + 1 the cost of the interface connecting to 10.1.1.0/24) = 21

R5 looks at the cost to reach both ABRs.

  • The metric to reach the ABR R3 is 20 directly.
  • The metric to reach the ABR R4 is 30 via R3.
  • The total cost to reach the subnet 10.1.1.0/24 through R3 is 61+20 = 81.
  • The total cost to reach the subnet 10.1.1.0/24 through R4 is 21+30 = 51.

Therefore R5 installs an inter-area route 10.1.1.0/24 in the routing table with a metric of 51 via R3 as the next-hop.

Now let's move on to R3.

R3 has two paths to reach the subnet 10.1.1.0/24.

  • An inter-area route through R4.
  • An intra-area route through R2.

Since both inter-area and intra-area routes point to the same destination 10.1.1.0/24. The intra-area route is always preferred than the inter-area route, according to the definition of OSPF path preference defined on both RFC 1583 and 2328.

RFC 1583 section 11.  The Routing Table Structure

Path-type

        There are four possible types of paths used to route traffic to

        the destination, listed here in order of preference: intra-area,

        inter-area, type 1 external or type 2 external.  Intra-area

        paths indicate destinations belonging to one of the router's

        attached areas.  Inter-area paths are paths to destinations in

        other OSPF areas.  These are discovered through the examination

        of received summary link advertisements.  AS external paths are

        paths to destinations external to the AS.  These are detected

        through the examination of received AS external link

        advertisements.

 

RFC 2328 section 11.  The Routing Table Structure

Path-type

        There are four possible types of paths used to route traffic to

        the destination, listed here in decreasing order of preference:

        intra-area, inter-area, type 1 external or type 2 external.

        Intra-area paths indicate destinations belonging to one of the

        router's attached areas.  Inter-area paths are paths to

        destinations in other OSPF areas.  These are discovered through

        the examination of received summary-LSAs.  AS external paths are

        paths to destinations external to the AS.  These are detected

        through the examination of received AS-external-LSAs.

Finally R3 prefers the intra-area route through R2 over the inter-area route through R4, causing a suboptimal routing in the inbound traffic, the inbound packet from Internet to 10.1.1.0/24 will take the path R5-R3-R2-R4-R1, instead of R5-R3-R4-R1.

While the computed path from R5’s perspective is R5-R3-R4-R1, the router R3 is hijacking the traffic because the independent SPF computation and route lookup that intercept the packet.

Meddane_2-1701342496639.png

The second scenario with link R3-R4 in area 1.

topology area 1.png

 

Analyzing the outbound traffic from R1 to Internet when the link between R1 and R3 is down.

From R1's perspective.

  • R3 advertises a Type-4 LSA with metric 20.
  • R4 advertises a Type-4 LSA with metric 40.

R1 will look the best path to the ABR.

  • The ABR R3 is reachable with a metric 30 (R4-R3).
  • The ABR R4 is reachable directly with a metric 20.

Now R1 calculates the total cost to the ASBR R5 by adding the cost toward the ABR to the cost listed in the Type-4 LSA of this ABR.

  • Using the Type-4 LSA of R3, the total cost is 20+30=50.
  • Using the Type-4 LSA of R4, the total cost is 40+20=60.

We can see that the best computed path is through R4-R3-R5.

R1 installs an external default route with next-hop R4 since this is the unique exit point to reach external destinations but with the computed path R4-R3-R5.

Now let's move to R4 and let's see how the default route is selected.

From R4's perspective, R4 has two paths to reach the ASBR R5.

  • Inter-area route through R3 with a metric 30.
  • Intra-area route through R6 with a metric 40.

Since both intra-area route and inter-area route point to the same ASBR. The intra-area is preferred according to RFC 1583 and RFC 2328 section 11. The Routing Table Structure

R4 will install an external default route with next-hop R6. The outbound packet from 10.1.1.0/24 to Internet will take the path R1-R4-R6 then to ISP2 with low speed causing a suboptimal routing.

While the computed path from R1’s perspective is R4-R3-R5, the router R4 is hijacking the traffic because the independent SPF computation and route lookup that intercept the packet.

Meddane_4-1701342496676.png

Analyzing the inbound traffic from Internet to R1's network 10.1.1.0/24 when the link between R1 and R3 is down.

Let's start with R5.

R5 learns two Type-3 LSAs for the subnet 10.1.1.0/24 from the ABRs R3 and R4.

  • R3 advertises a Type-3 LSA with a metric 30 (R3-R4-R1) + 1 the cost of the interface connecting to 10.1.1.0/24) = 31.
  • R4 advertises a Type-3 LSA with a metric 20 + 1 the cost of the interface connecting to 10.1.1.0/24) = 21

R5 looks at the cost to reach both ABRs.

  • The metric to reach the ABR R3 is 20.
  • The metric to reach the ABR R4 is 40.

The total cost to reach the subnet 10.1.1.0/24 through R3 is 51.

The total cost to reach the subnet 10.1.1.0/24 through R4 is 61.

Therefore R5 installs an inter-area route 10.1.1.0/24 in the routing table with a metric of 51 via R3 as the next-hop with the computed path R3-R4-R1.

Now let's move on to R3.

R3 has two paths to reach the subnet 10.1.1.0/24.

  • An intra-area route through R4 with a metric 30+1 = 31.
  • An intra-area route through R2 with a metric 60+1 = 61.

The intra-area route through R4 is better, the inbound packet from internet to 10.1.1.0/24 will take the path R5-R3-R4-R1 which is the optimal and correct optimal path.

Meddane_5-1701342496707.png

As you can see on both scenarios, putting the link between R3-R4 in area 0 or in area 1 causes a suboptimal and asymmetric routing.

So how to solve this issue with this kind of design or architecture ?

We have many option, either a virtual-link between R3 and R4, a GRE tunnel between R3-R4, or the best solution, the most scalable and the most simple option is the OSPF Multi-area Adjacency defined in RFC 5185. The OSPFv2 Multiarea Adjacency feature is introduced, this feature allows you to configure a link on the primary interface to enable optimized routing in multiple areas.

By default, an interface can only belong to one OSPF Area. When Multi-Area Adjacency is configured on an interface, the OSPF routers form more than one Adjacency (ADJ) over that link. The Multi-Area interface is a logical, point-to-point interface over which the ADJ is formed.

On both routers keep R3 and R4 in area 0 and configure multi-area adjacency with area 1.

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Popular Articles
Customers Also Viewed These Support Documents