
OSPF in Depth

OSPF DR/BDR Election


Before going on reading this article, please read my article “OSPF Explained” first. OSPF uses a
DR (Designated Router) and BDR (Backup Designated Router) on each multi-access network. Most CCNA
students think that this DR/BDR election is done per area but this is incorrect. I’ll show you how the
election is done and how you can influence it. This is the topology we’ll use:

Here’s an example of a network with 3 OSPF routers on a FastEthernet network. They are connected to the
same switch (multi-access network) so there will be a DR/BDR election. OSPF has been configured so all
routers have become OSPF neighbors, let’s take a look:

Nancy#show ip ospf neighbor

Neighbor ID     Pri   State        Dead Time   Address         Interface
192.168.123.2     1   FULL/BDR     00:00:32    192.168.123.2   FastEthernet0/0
192.168.123.3     1   FULL/DR      00:00:31    192.168.123.3   FastEthernet0/0

OSPF IN DEPTH CNE - MAHER ABDELSHKOUR


From router Nancy’s perspective, router Susan is the BDR and Donna is the DR.

Donna#show ip ospf neighbor

Neighbor ID     Pri   State        Dead Time   Address         Interface
192.168.123.1     1   FULL/DROTHER 00:00:36    192.168.123.1   FastEthernet0/0
192.168.123.2     1   FULL/BDR     00:00:39    192.168.123.2   FastEthernet0/0

When a router is not the DR or BDR it’s called a DROTHER. I have no idea whether it should be pronounced like “BROTHER with a D” or “DR-OTHER”. Here we can see that router Nancy is a DROTHER.

Susan#show ip ospf neighbor

Neighbor ID     Pri   State        Dead Time   Address         Interface
192.168.123.1     1   FULL/DROTHER 00:00:31    192.168.123.1   FastEthernet0/0
192.168.123.3     1   FULL/DR      00:00:32    192.168.123.3   FastEthernet0/0

And router Susan (the BDR) sees the DR and DROTHER.

Of course we can change which router becomes the DR/BDR by adjusting the priority. Let’s turn router Nancy into the DR:

Nancy(config)#interface fastEthernet 0/0
Nancy(config-if)#ip ospf priority 200

You can change the priority by using the ip ospf priority command:

- The default priority is 1.
- A priority of 0 means the router will never be elected as DR or BDR.
- You need to use clear ip ospf process before this change takes effect.

Nancy#show ip ospf neighbor

Neighbor ID     Pri   State        Dead Time   Address         Interface
192.168.123.2     1   FULL/BDR     00:00:31    192.168.123.2   FastEthernet0/0
192.168.123.3     1   FULL/DR      00:00:32    192.168.123.3   FastEthernet0/0

As you can see, router Donna is still the DR; we need to reset the OSPF neighbor adjacencies so that a new DR and BDR are elected.

Donna#clear ip ospf process
Reset ALL OSPF processes? [no]: yes
Susan#clear ip ospf process
Reset ALL OSPF processes? [no]: yes

I’ll reset all the OSPF neighbor adjacencies.



Nancy#show ip ospf neighbor

Neighbor ID     Pri   State        Dead Time   Address         Interface
192.168.123.2     1   FULL/DROTHER 00:00:36    192.168.123.2   FastEthernet0/0
192.168.123.3     1   FULL/BDR     00:00:30    192.168.123.3   FastEthernet0/0

Now you can see router Nancy is the DR because the other routers are DROTHER and BDR.

Donna#show ip ospf neighbor

Neighbor ID     Pri   State        Dead Time   Address         Interface
192.168.123.1   200   FULL/DR      00:00:30    192.168.123.1   FastEthernet0/0
192.168.123.2     1   FULL/DROTHER 00:00:31    192.168.123.2   FastEthernet0/0

We can also confirm it from router Donna: you’ll see that router Nancy is the DR and that its priority is 200.
Something you need to be aware of is that the DR/BDR election is per multi-access segment, not per area! Let me give you an example:

In the example above we have 2 multi-access segments. Between router Donna and Nancy, and between
router Donna and Susan. For each segment there will be a DR/BDR election.



Donna#show ip ospf neighbor

Neighbor ID     Pri   State        Dead Time   Address         Interface
192.168.23.3    200   FULL/DR      00:00:36    192.168.23.3    FastEthernet1/0
192.168.12.1    200   FULL/DR      00:00:37    192.168.12.1    FastEthernet0/0

In the example above you can see that router Nancy is the DR for the 192.168.12.0/24 segment and router
Susan is the DR for the 192.168.13.0/24 segment.
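The show outputs above illustrate two rules at once: the election runs separately on every multi-access segment, and a router that is already DR or BDR is not preempted by a newcomer with a higher priority until the adjacencies are reset. The following is an added example (not the article's or Cisco's code) that models that behaviour in a few lines, simplified from RFC 2328 section 9.4; router IDs and priorities are the ones from the first topology.

```python
# Added example, not the article's code: a minimal model of the OSPF DR/BDR
# election (RFC 2328 section 9.4, simplified) showing two things the show
# commands above demonstrate: the election runs per multi-access segment,
# and a working DR/BDR is not preempted until adjacencies are reset.

def _rank(rid, prio):
    # Higher interface priority wins; the higher router ID breaks ties.
    return (prio, tuple(int(octet) for octet in rid.split(".")))

class Segment:
    """One multi-access network; members maps router ID -> ip ospf priority
    of the interface on this segment (priority is per interface)."""

    def __init__(self, members):
        self.members = dict(members)
        self.dr = None
        self.bdr = None

    def elect(self):
        # Priority 0 routers never become DR or BDR.
        eligible = {r: p for r, p in self.members.items() if p > 0}
        # A running DR keeps its role while eligible; if it left, the BDR is promoted.
        if self.dr not in eligible:
            self.dr = self.bdr if self.bdr in eligible else None
        if self.dr is None and eligible:
            self.dr = max(eligible, key=lambda r: _rank(r, eligible[r]))
        # Same for the BDR: keep it unless it left or was promoted to DR.
        if self.bdr not in eligible or self.bdr == self.dr:
            rest = {r: p for r, p in eligible.items() if r != self.dr}
            self.bdr = max(rest, key=lambda r: _rank(r, rest[r])) if rest else None
        return self.dr, self.bdr

    def reset(self):
        # Models clear ip ospf process: adjacencies drop, the election starts over.
        self.dr = self.bdr = None
        return self.elect()

    def role(self, rid):
        if rid == self.dr:
            return "DR"
        return "BDR" if rid == self.bdr else "DROTHER"

if __name__ == "__main__":
    # Topology from the article: Nancy .1, Susan .2 and Donna .3 on one segment.
    seg = Segment({"192.168.123.1": 1, "192.168.123.2": 1, "192.168.123.3": 1})
    print(seg.elect())                   # Donna DR, Susan BDR (highest router IDs)
    seg.members["192.168.123.1"] = 200   # ip ospf priority 200 on Nancy
    print(seg.elect())                   # unchanged: no preemption without a reset
    print(seg.reset())                   # Nancy DR, Donna BDR
```

Two Segment objects sharing one router ID model the second topology, where Donna sits on both segments and a separate DR is elected on each.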

Last but not least let me show you an example where we don’t have a DR/BDR election:

Nancy#show ip ospf neighbor

Neighbor ID     Pri   State        Dead Time   Address         Interface
192.168.12.2      0   FULL/  -     00:00:36    192.168.12.2    Serial0/0

Susan#show ip ospf neighbor

Neighbor ID     Pri   State        Dead Time   Address         Interface
192.168.12.1      0   FULL/  -     00:00:34    192.168.12.1    Serial0/0

Here’s an example of a point-to-point link running HDLC. You can see that we have a neighbor but we
didn’t do an election for DR or BDR. Makes sense because there is always only one router on the other
side.



OSPF Default Route Configuration
With OSPF it is no problem to configure a default route. There are a couple of options if you want
to do this. Here’s an example:

R1(config)#router ospf 1
R1(config-router)#default-information originate ?
always Always advertise default route
metric OSPF default metric
metric-type OSPF metric type for default routes
route-map Route-map reference
<cr>

There are a number of options here. We can change the metric or metric type, but the most important thing most people forget is the always keyword.
If you use default-information originate you can advertise a default route in OSPF. OSPF won’t advertise a default route if you don’t already have one in your routing table. If you add the always keyword it will advertise the default route even if you don’t have it in the routing table. Once you have advertised the default route it will look like this on other routers:

R2#show ip ospf database | begin Type-5

                Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag
0.0.0.0         172.16.3.1      59          0x80000001 0x008D64  1

R2#show ip route ospf
O*E2 0.0.0.0/0 [110/1] via 192.168.12.1, 00:00:24, FastEthernet0/0

It shows up as an LSA type 5 external route.



Configuring OSPF Plain Text Authentication
All routing protocols can be protected by using authentication and OSPF is no exception. There are
two options for authentication:

- Plain text authentication
- MD5 authentication

Each OSPF packet will be authenticated if you enable any form of authentication. In this article we’ll take a
look at how to configure plain text authentication for OSPF. Here’s the topology that we’ll use:

Above you see the topology I’m going to use for authentication. Just two routers but we can use it to check
all different methods of authentication.

Donna(config)#router ospf 1
Donna(config-router)#network 192.168.12.0 0.0.0.255 area 0
Mary(config)#router ospf 1
Mary(config-router)#network 192.168.12.0 0.0.0.255 area 0

First I’ll enable OSPF, nothing fancy here.

Donna(config)#interface fastEthernet 0/0
Donna(config-if)#ip ospf authentication
Donna(config-if)#ip ospf authentication-key MYPASS
Mary(config)#interface fastEthernet 0/0
Mary(config-if)#ip ospf authentication
Mary(config-if)#ip ospf authentication-key MYPASS



By using the ip ospf authentication command we enable plain text authentication on the interface level. I
configured the password MYPASS by using the ip ospf authentication-key command.

Donna(config)#router ospf 1
Donna(config-router)#area 0 authentication

If you have a lot of interfaces you probably don’t want to enable OSPF authentication for each interface.
You can also enable area-wide authentication by using the area authentication command. In my example
above I enabled authentication for area 0.

Donna#show ip ospf interface fastEthernet 0/0
FastEthernet0/0 is up, line protocol is up
  Internet Address 192.168.12.1/24, Area 0
  Process ID 1, Router ID 192.168.12.1, Network Type BROADCAST, Cost: 1
  Transmit Delay is 1 sec, State BDR, Priority 1
  Designated Router (ID) 192.168.12.2, Interface address 192.168.12.2
  Backup Designated router (ID) 192.168.12.1, Interface address 192.168.12.1
  Flush timer for old DR LSA due in 00:01:49
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:01
  Supports Link-local Signaling (LLS)
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 192.168.12.2 (Designated Router)
  Suppress hello for 0 neighbor(s)
  Simple password authentication enabled

If you use the show ip ospf interface command you can see OSPF information per interface. You can also
check if authentication is enabled. You can see the neighbor count is 1 and simple password authentication
is enabled.

Donna#debug ip ospf packet
OSPF packet debugging is on
OSPF: rcv. v:2 t:1 l:48 rid:192.168.12.2
      aid:0.0.0.0 chk:B9F0 aut:1 auk: from FastEthernet0/0

I love debugs… when it comes to Cisco, not Google. Debug is your friend; it gives you so much
information. If you use debug ip ospf packet you can see that authentication is enabled. In my example I
receive a packet and it says aut:1, which means that plain text authentication is enabled.

- aut:0 is no authentication.
- aut:1 is plain text authentication.
- aut:2 is MD5 authentication.



Configuring OSPF MD5 Authentication
Let’s have a look at MD5 authentication. The idea is the same but some of the commands are
different. Anyway here is the topology that we will use:

Just two routers in the same area, nothing special. Here is the configuration to enable MD5 authentication:

Donna(config)#interface fastEthernet 0/0
Donna(config-if)#ip ospf message-digest-key 1 md5 MYPASS
Donna(config-if)#ip ospf authentication message-digest
Mary(config)#interface fastEthernet 0/0
Mary(config-if)#ip ospf message-digest-key 1 md5 MYPASS
Mary(config-if)#ip ospf authentication message-digest

For MD5 authentication you need different commands. First use ip ospf message-digest-key X md5 to
specify the key number and a password. It doesn’t matter which key number you choose, but it has to be the
same on both ends. To enable OSPF authentication you need to type ip ospf authentication message-digest.

Donna(config)#router ospf 1
Donna(config-router)#area 0 authentication message-digest

If you don’t want to enable OSPF authentication per interface you can use the area authentication message-digest command.

Donna#show ip ospf interface fastEthernet 0/0
FastEthernet0/0 is up, line protocol is up
  Internet Address 192.168.12.1/24, Area 0
  Process ID 1, Router ID 192.168.12.1, Network Type BROADCAST, Cost: 1
  Transmit Delay is 1 sec, State BDR, Priority 1
  Designated Router (ID) 192.168.12.2, Interface address 192.168.12.2
  Backup Designated router (ID) 192.168.12.1, Interface address 192.168.12.1
  Flush timer for old DR LSA due in 00:01:53
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:05
  Supports Link-local Signaling (LLS)
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 192.168.12.2 (Designated Router)
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 1

Using show ip ospf interface we see MD5 authentication is enabled and we are using key ID 1. We have a
neighbor so it seems to be working.

Donna#debug ip ospf packet
OSPF packet debugging is on
OSPF: rcv. v:2 t:1 l:48 rid:192.168.12.2
      aid:0.0.0.0 chk:0 aut:2 keyid:1 seq:0x3C7EC653 from FastEthernet0/0

Debug shows us that MD5 authentication is enabled (aut:2) and we are using key ID 1. Debug is also great
to fix authentication errors, here’s why:

Donna(config)#interface fastEthernet 0/0
Donna(config-if)#no ip ospf message-digest-key 1 md5 MYPASS
Donna(config-if)#ip ospf message-digest-key 1 md5 MYWRONGPASS

First we’ll enter a wrong password…

Donna#debug ip ospf adj
OSPF adjacency events debugging is on
Donna#clear ip ospf process
Reset ALL OSPF processes? [no]: yes

I’ll debug the OSPF neighbor adjacency and reset the OSPF neighbors.

Donna#
OSPF: Rcv pkt from 192.168.12.2, FastEthernet0/0 : Mismatch Authentication Key - Message Digest Key 1

Somewhere in the debug you’ll see the message above. This means that we are using MD5 key ID 1 on
both sides but that the password is incorrect.
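To make the aut:0/1/2 values from the two debug outputs concrete, and to show why the key mismatch above is detected, here is an added example (not the article's or Cisco's code) that builds OSPFv2 packets with each authentication type according to the RFC 2328 header layout and Appendix D MD5 scheme, then verifies the MD5 trailer. Router ID, key ID, password and sequence number are taken from the article; the hello body is constructed sample data, and the key is zero-padded to 16 bytes as common implementations do.

```python
# Added example (not the article's code): what OSPFv2 authentication types
# 0/1/2 (the aut: value in the debug) put on the wire, per RFC 2328 A.3.1
# and Appendix D. The hello body below is constructed sample data.
import hashlib
import struct

def ospf_checksum(data):
    # One's-complement sum over the packet with the 8-byte auth field excluded.
    data += b"\0" * (len(data) % 2)
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def build_packet(body, rid, aid, autype, password=b"", keyid=0, seq=0):
    # 16-byte header (checksum 0 for now) + 8-byte auth field + body.
    hdr = struct.pack("!BBH4s4sHH", 2, 1, 24 + len(body), rid, aid, 0, autype)
    if autype == 2:
        # MD5: checksum stays 0; auth field = key id, digest length, sequence
        # number; MD5(packet + zero-padded key) is appended as a trailer.
        pkt = hdr + struct.pack("!HBBI", 0, keyid, 16, seq) + body
        return pkt + hashlib.md5(pkt + password.ljust(16, b"\0")).digest()
    # Type 0 (null) leaves the field zero; type 1 carries the password itself.
    hdr = hdr[:12] + struct.pack("!H", ospf_checksum(hdr + body)) + hdr[14:]
    return hdr + password.ljust(8, b"\0")[:8] + body

def verify_md5(pkt, key, last_seq=-1):
    # Returns (accepted, reason); reasons mirror the debug messages in the article.
    length, autype = struct.unpack("!xxH10xH", pkt[:16])
    if autype != 2:
        return False, "aut:%d is not MD5" % autype
    keyid, dlen, seq = struct.unpack("!BBI", pkt[18:24])
    expected = hashlib.md5(pkt[:length] + key.ljust(16, b"\0")).digest()
    if expected != pkt[length:length + dlen]:
        return False, "Mismatch Authentication Key - Message Digest Key %d" % keyid
    if seq <= last_seq:
        return False, "replayed sequence 0x%X" % seq  # seq must increase (D.4.3)
    return True, "keyid:%d seq:0x%X" % (keyid, seq)

RID, AID, HELLO = bytes([192, 168, 12, 2]), bytes(4), bytes(20)  # constructed hello body

def demo():
    plain = build_packet(HELLO, RID, AID, 1, password=b"MYPASS")
    md5 = build_packet(HELLO, RID, AID, 2, password=b"MYPASS", keyid=1, seq=0x3C7EC653)
    return {
        "password_on_wire": plain[16:24],  # b"MYPASS\0\0": aut:1 sends the key in every packet
        "good_key": verify_md5(md5, b"MYPASS"),
        "wrong_key": verify_md5(md5, b"MYWRONGPASS"),
        "replay": verify_md5(md5, b"MYPASS", last_seq=0x3C7EC653),
    }
```

The plain text packet carries MYPASS readably in its auth field, which is the reason to prefer MD5 (aut:2), where only the key ID, a sequence number and a digest travel; the sequence check is what stops an old packet from being accepted again.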

That’s all I wanted to show you for now. I hope you enjoyed reading this article.

