Unanswered Question
Jul 25th, 2008

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get an update on the interior dynamic routing protocols, RIPv2, OSPF and EIGRP with Cisco expert Edison Ortiz. Edison is a Network Consulting Engineer with the Advanced Services team. His team concentrates on supporting the New York Financial companies in terms of network design, deployment and troubleshooting.

Remember to use the rating system to let Edison know if you have received an adequate response.

Edison might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through August 8, 2008. Visit this forum often to view responses to your questions and the questions of other community members.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.8 (14 ratings)

Hello Edison and thank you for taking the time to host this "ask the experts" forum.

I have two questions related to OSPF.

1. How do large enterprises often handle the placement of Area 0 (backbone)?

I have heard differing opinions from engineers who have worked on larger OSPF networks than I have had a chance to. Such suggestions include making the WAN area 0, as it could possibly be the only central area capable of being a backbone, etc.

2. How often in production do companies actually utilize the OSPF areas other than standard and the backbone area, such as STUB, NSSA, and the STUB and NSSA totally?

Thank you,


Edison Ortiz Sat, 07/26/2008 - 09:10

Hi Joe,

Good to see you here other than groupstudy :)

1. Area 0 placement is often driven by customer requirement.

If the WAN service is reliable and fast, extending Area 0 to the remote WAN router interface is often recommended. This router can act as ABR with its LAN interface running a non-zero area so summarization and filtering can be perform there.

If the WAN service isn't reliable, Area 0 is often limited to the LAN (DataCenter) and the WAN router at the DataCenter acting as ABR/ASBR.

With today's merging and acquisitions, you can also find large networks with several area 0, that are redistributed into another routing protocol (usually BGP). I haven't seen virtual-link or GRE tunneling to fix this design issue.

In short, when you see an enterprise design, you have to know the history of that enterprise to understand why OSPF was configured that way.


I've seen stub, nssa and stub-nssa in several networks. As I mentioned, virtual link is one of the OSPF features that isn't used as much.




faisal_ghaus Sat, 07/26/2008 - 06:11


Recently one of our service provider has started to provide us high speed E1 links on MPLS network .Our network is running OSPF as a routing protocol with area 0 ip addressing 10.175.x.x what the SP is asking us to create a new AREA 0 for super AREa 0 for MPLS can you please advise some easy and best practise to make this possible

Edison Ortiz Sat, 07/26/2008 - 09:16

Hi Faisal,

I hope you are doing well.

Your query is more inclined towards MPLS Best Practice and I'm afraid I'm not such an expert on MPLS at the moment :)

However, I've been reading a little bit on MPLS and MPLS VPN superbackbone can be accomplished with OSPF Sham Link.

I hope this URL

can offer some idea regarding the ISP requirement.




Giuseppe Larosa Mon, 08/04/2008 - 12:34

Hello Edison and Faisal,

in order to be able to build a so called Superbackbone area 0 the service provider needs to use the same OSPF process-id on all VPN sites and PE-CE links are in area 0.

Most of the complexity is on the service provider side.

OSPF LSAs are carried inside special BGP extended communities in MP-BGP.

On the customer side configuration is straightforward with the links to the PE(s) being in area 0.

If all is well configured is possible to see other VPN sites routes as O and O IA as they were connected through the backbone area.

OSPF sham-link is something more complex that helps to deal with horizontal inter-site links, between otherwise separated VPN sites.

They are a derivation of virtual-links in the way they are configured.

Hope to help


Giuseppe Larosa Wed, 08/06/2008 - 07:29

Hello Edison,

I hadn't seen that in another post you had explained the usage of sham-links

Best Regards


Edison Ortiz Wed, 08/06/2008 - 07:33

Hi Giuseppe,

Not a problem. Again, thanks for your contribution.



rdanu Sat, 07/26/2008 - 13:16

I am in the process of deploying a BGP core MPLS network with OSPF LANS at 5 locations. Each LAN location has Internet access, also.

I would like to deploy an IPSEC tunnel to each location, via the Internet lines, keeping the IPSEC network OSPF 0 Area; my dilema is to prefer the BGP redistribution point for primary traffic preference, not the IPsec TUN pipes. Of course the TUN pipes would be in place for redundancy purposes only

I'd like to see what your thoughts on this was.


Edison Ortiz Sat, 07/26/2008 - 13:52

I understand your dilemma.

The IPSec Tunnel traffic will be preferred since they are intra-area routes vs external routes that are learned via the MPLS network.

I hate being repetitive :) but the OSPF Sham Link addresses this issue.

I'm currently reading MPLS Fundamentals and there is a chapter on that book that addresses this scenario. I highly recommend you taking a look.




rdanu Sat, 07/26/2008 - 15:48

Thank you for your prompt response! The links will solve my requirement!


Edison Ortiz Sat, 07/26/2008 - 16:19


I'm glad I was able to help. Feel free to come back if you have any other questions.




dhanasekaran.r Mon, 07/28/2008 - 12:15

Hi Edison,

Recently we installed ATM to frame-relay link on 3845 router with 12.4(17). The EIGRP did not establish. We were asked to change the MTU size to 1500 and EIGRP started working.

Can you please help me to understand the logic, why we need to change MTU size

Edison Ortiz Mon, 07/28/2008 - 12:34

Hi Dhanasekaran,

It's very odd that you encountered a problem with MTU and EIGRP as the routing protocol.

EIGRP, unlike OSPF, does not use MTU for neighbor adjacency.

I tried to lab it up and see if it breaks and I unable to duplicate your problem.

I configured 2 routers in Frame-Relay and changed the IP MTU and interface MTU size on R1, see below:

interface Serial1/0

mtu 1400

ip address

encapsulation frame-relay

serial restart-delay 0

frame-relay map ip 102 broadcast

no frame-relay inverse-arp

Rack1R1#sh ip int s1/0 | i MTU

MTU is 1400 bytes


Rack1R1#sh int s1/0 | i MTU

MTU 1400 bytes, BW 1544 Kbit, DLY 20000 usec,


interface Serial1/0

ip address

encapsulation frame-relay

serial restart-delay 0

frame-relay map ip 201 broadcast

no frame-relay inverse-arp


Rack1R2#sh int s1/0 | i MTU

MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,


Rack1R2#sh ip int s1/0 | i MTU

MTU is 1500 bytes


Rack1R2#sh ver | i IOS

Cisco IOS Software, 3600 Software (C3640-IK9S-M), Version 12.4(17), RELEASE SOFTWARE (fc1)


Rack1R2#sh ip eigrp ne

IP-EIGRP neighbors for process 1

H Address Interface Hold Uptime SRTT RTO Q Seq

(sec) (ms) Cnt Num

0 Se1/0 167 00:05:49 1249 5000 0 6


Rack1R2#sh ip route eigrp is subnetted, 1 subnets

D [90/2297856] via, 00:06:02, Serial1/0




dhanasekaran.r Mon, 07/28/2008 - 13:03

Hi Edison,

Thanks for your Inputs. The problem of MTU occurs only when we have an ATM to Frame relay connection and not on Frame relay to frame relay

To be more specific it happens when we have a T3 card for ATM. We have faced the same problem in more than 1 occassion.

We make the eigrp to establish only by adding the MTU size. Hope I am more specific now on my problem.

Edison Ortiz Mon, 07/28/2008 - 13:23

Hi Dhanasekaran,

Thanks for supplying the additional information.

The ATM MTU (4470) is larger than the traditional Frame-Relay MTU (1500) and due to this default behavior, the hellos are being fragmented when going from large MTU to lower MTU.

The correct configuration is having the MTU set the same at both ends in order to avoid fragmentation.




Edison Ortiz Mon, 07/28/2008 - 13:42

Hi Dhanasekaran,

I'm glad that I was able to describe the behavior on EIGRP problem.

Please come back if you have any other questions.




thomas.chen Fri, 08/01/2008 - 09:50

Hi Edison,

I have a router in my segment that is not on the same subnet. I want this router to receive updates, how can I make this work?



Mark Yeates Fri, 08/01/2008 - 17:23

Hello Edison,

Thanks for taking time to host this event! My question is how do you usually recommend securing a routing protocol, and its functionality? I know authentication is a pretty common method but what about using ACL's and/or QoS? Is this a common practice or just going overboard?



Edison Ortiz Sat, 08/02/2008 - 18:50

Hi Mark,

Authentication is the recommended best practice for securing routing protocols. If you want to add an additional level of security, you can have the IGP configured for unicast instead of multicast by using the neighbor command under the routing process.




Marwan ALshawi Tue, 08/05/2008 - 21:56

if i have ospf

and laso i have

ip route [next hop]

when i redistribute the static default route

dose not apear on the ospf routing table even not as a default route

unless i use default information originate

any idea ?

Edison Ortiz Wed, 08/06/2008 - 06:30

Hi Marwan,

The redistribution of a static default route into OSPF is not allowed by the protocol.

Default-information originate allows you to inject a default route into OSPF if the router has a route on its routing table.

If the router does not have a route on its routing table, you must use the command Default-information originate always




jahilnt10 Sat, 08/02/2008 - 01:42

I really need an expert opinion on this. What is the difference between these two topologies?




I understand LSA type 1,2,3 are area specific. Why should I change the Area numbers because the areas 1 are not directly connected.

Can someone describe this.

Edison Ortiz Sat, 08/02/2008 - 18:48

While the first example is not considered "Best Practice" in OSPF design, they both produce the same result.

In the first example, routes originated in the leftmost Area1 will be seen as LSA Type 3 routes (IA) in the rightmost Area1 and vice-versa as they are connected via a backbone area.

On the backbone area, the router(s) facing the leftmost Area1 will see routes from that area as intra-area route while the router(s) facing the rightmost Area1 will see the same routes as inter-area routes.

Here is a little example I put together in the lab:


I'm advertising loopback0 from R3 (

Rack1R2#sh ip route os

O IA [110/65] via, 00:09:59, Serial1/0 is subnetted, 1 subnets

O [110/65] via, 00:09:59, Serial1/1

Rack1R1#sh ip route os

O IA [110/128] via, 00:10:35, Serial1/0 is subnetted, 1 subnets

O IA [110/129] via, 00:10:25, Serial1/0

Rack1SW1#sh ip route os

O IA [110/65] via, 00:11:16, Vlan1

O IA [110/129] via, 00:11:16, Vlan1 is subnetted, 1 subnets

O IA [110/130] via, 00:10:58, Vlan1




gsantini Mon, 08/04/2008 - 10:21

Hi. Do you speak spanish? I have a question but my english is not good.

gsantini Mon, 08/04/2008 - 10:37

Muchas gracias.

Tengo una consulta puntual:

Tengo un router, con 2 WAN hacia 2 puntos distintos, ambas levantan EIGRP 100.

Ademas, este router tiene una lan local

En el proceso eigrp, basicamente puse esto:

router ei 100

red conn route-map CONECTADAS

network X.X.X.X A.A.A.B

network Y.Y.Y.Y A.A.A.B

no auto

route-map CONECTADAS permit 10

set tag 100

Basicamente lo que hago es que a las conectadas le ponga el tag 100, y despues poder usar esa info para filtrado, etc.

El punto es que al la LAN la veo con el TAG, pero a ninguna de las 2 WAN las veo con el TAG.

Si me paro en uno de los remotos de este equipo, y pregunto por la lan me dice que la ve via la serial XXXXX y tag 100, y el resto de las cosas.

Si pregunto por la WAN que los une, me dice que la ve directamente conectada sin el TAG.

Lo mas curuiso aun es que si pregunto por la WAN del remoto contra el otro router, me dice que la ve por EIGRP por la serial XXXXX pero sin el TAG.

Para probar que no sea un error de configuracion, a esta ultimna WAN (que no es la del router que estoyu parado) la saque del network de eigrp. Y ahi si, vi el TAG, que lo conozco via EIGRP por la WAN del router que estoy parado.

Obviamente, esto no me sirve, porque necesito que el eigrp esté levantado en ambas seriales.

La pregunta es como hago para ver el TAG de una conectada, cuando esta conectada está participando del proceso de EIGRP? O, CISCO boys, si la conectada es CONECTADA, por que cuando esa conectada está en un proceso EIGRP deja de tener ciertas características como, por ejemplo, lo del TAG.

Se entiende?

Espero no haberlos aburrido.

Grcs y slds

Edison Ortiz Mon, 08/04/2008 - 10:50

El WAN fue injectado con el comando

network X.X.X.X A.A.A.B

y el LAN fue injectado con el route-map.

El route-map tiene el tag y el network comando no tiene el tag.

Se entiende que el WAN is parte del 'connected' pero ya habia sido incluido en el 'network' comando.




gsantini Mon, 08/04/2008 - 11:08

Thank you. It's really clear.

And how can I do to see this network with the TAG? I need this tag for routing propuses.

I try to say that I need to see the "second" wan with the TAG in the "first" router.


Edison Ortiz Mon, 08/04/2008 - 11:25

No se puede hacer con EIGRP.

Con OSPF, tu puedes usar el domain-tag [tag #] comando el el proceso de routing.




richard.bennett... Tue, 08/05/2008 - 06:05

Hi Edison,

My question relates to the OSPF neigbor state machine & Cisco router logging.

On a broadcast network, if a DROTHER & DR are in the happy full state, until suddenly a one way congested link causes the DR to stop receiving hellos from DROTHER until the dead timer expires (but DROTHER is still receiving hellos as the link is not congested in that direction). At this point, the DR determines the DROTHER is unreachable & so moves the neighbor to the DOWN state & purges any entries from that neighbor etc. The next hello sent by the DR does not include the DROTHERs IP address in the list of neighbors it sees.

This is the first point the DROTHER is aware there is a problem - but what does he do now? Wait for 3 of these before marking the DR as INIT? Transition directly to the INIT state?

I am asking because I need to understand why in this situation, the DR logs the adjaceny as DOWN & then back UP again a few seconds later when the congestion clears, but the DROTHER only logs the adjaceny as UP (i.e. there is no entry to alert it has gone down). The IOS & logging config is identical.

I appreciate your assistance...

Edison Ortiz Tue, 08/05/2008 - 07:31

Hi Richard,

The network condition you've outlined is something I've never seen.

1) The DR is able to send hellos to DROTHERs but unable to receive hellos due to congestion? That's odd. Usually, on interface congestion - the delay is manifested on both send & receive.

2) You have a broadcast segment without a BDR? Again, not following Best Practices. If you have more than one OSPF speaking device in a broadcast segment, you should have a DR and BDR in addition to the DROTHERs.

3) I don't have an answer as to why the DROTHER never reported itself as down and I believe your scenario will be really hard for me to duplicate in a lab.

Are you able to duplicate this? Can you provide the logs and configs?




richard.bennett... Tue, 08/05/2008 - 08:16

Hi Edison,

Thanks for a prompt reply, its not an easy situation to explain but I'll do my best:

1) A server on the DROTHER end of the link is sending large bursts of traffic to a host on the DR's end of the link - that traffic is unidirectional and causes the link to be congested in one direction only. The congested link is a member of an etherchannel in an underlying switched network, so for me it is feasible that the DR does not receive the DROTHERS hellos but the DROTHER receives the DR's hellos.(i.e. the hellos from DR to allspfrouters traverse another member of the etherchannel due to different src mac & cisco load balancing algorithm)

2) I do have a BDR & there was no loss of adj on the BDR (the DROTHER & BDR connect to the same switch). The BDR's hellos traverse the second uncongested member of the etherchannel so the DR & BDR do not have any issues between them in either direction & the BDR to DROTHER do not either. (load balancing on the 2xFE etherchannel is src/dst mac).

3) I've since been digging around myself too & I'm thinking that adding the 'detail' tag to 'log adjaceny-changes' might confirm this but it is VERY difficult for me to test this change in live & can't create congestion in test.

I am hoping you can confirm that when the DROTHER receives the hello from the DR without its own IP address in there (due to reasons above) it will either transition immediately from FULL to INIT, or wait for dead time & then go to INIT and not log as DOWN (as it is not fully down) but will log as UP when the congestion is gone (transition from INIT to FULL)

I think the RFC2328 tries to explain this situation as follows:

Current State(s): 2-Way or greater

Event: 1-WayReceived

New state: Init

Action: The Link state retransmission list, Database summary

list and Link state request list are cleared of


Many thanks in advance,

Edison Ortiz Tue, 08/05/2008 - 16:26

1) Wow, that's an odd situation and very hard to duplicate. What are the odds, the OSPF Hellos are going via the same channel member as the traffic being sent by the server.

2)Perhaps the BDR is actually helping on this situation and the DROTHER is seeing its own IP in the packet.

3) you can add the detail option in the log-adjacencies, not sure what else to suggest.

I am hoping you can confirm that when the DROTHER receives the hello from the DR without its own IP address in there (due to reasons above) it will either transition immediately from FULL to INIT, or wait for dead time & then go to INIT and not log as DOWN (as it is not fully down) but will log as UP when the congestion is gone (transition from INIT to FULL)

I think the RFC2328 tries to explain this situation as follows:

Sorry, I can only confirm something if I can duplicate it. This scenario, I can't.



lamav Tue, 08/05/2008 - 16:44

Mr. Edison:

Glad to see you in the hot seat! :-)

Where would you say Cisco is in its development of OER and PfR?

Has Cisco has a hard time selling the idea of relying on a kind of artificial intelligence to make routing decisions, especially in the absence of what an IP routing protocol would normally categorize as a network event that would cause reconvergenece, such as a lost interface or failed link?

Do you find that many organizations have successfully deployed this technology in demanding environments, such as financial firms and banks?

Any insight would be appreciated.


Edison Ortiz Tue, 08/05/2008 - 17:57

Where would you say Cisco is in its development of OER and PfR?

Can't say for sure, OER/PfR is a total different division within Cisco. Be alert for any "Ask The Experts" session on that subject :)

There was one not so long ago

Has Cisco has a hard time selling the idea of relying on a kind of artificial intelligence to make routing decisions, especially in the absence of what an IP routing protocol would normally categorize as a network event that would cause reconvergence, such as a lost interface or failed link?

I haven't been involved on any discussion with my customers regarding the product. With that said, I'm sure there are plenty of companies out there piloting the technology or using it in their production environment.

With the evolving MPLS-VPN technology, a push towards OER/PfR will dramatically increase.



guruprasadr Tue, 08/05/2008 - 21:01

HI Edison,

Nice to see you on the Ask the Expert Topic.

My Question is regarding RIP Protocol:

Below provided are my Configurtion:

PE Side RIP Configuration:


router rip

version 2

timers basic 5 15 15 22


address-family ipv4 vrf 1008-OICL-Mesh



default-information originate

no auto-summary

CE Side RIP Configuration:


router rip

version 2

timers basic 5 15 15 22

redistribute connected route-map rip



no auto-summary

CE Side WAN Interface Configuration:


interface FastEthernet0/0.848

description ***connected to WAN***

encapsulation dot1Q xxx

ip address

ip rip advertise 5


PE Side WAN Interface Configuration:


interface GigabitEthernet0/2.848

description ***Connected to CE Router**

encapsulation dot1Q xxx

ip vrf forwarding xxxx-xxxxxxxxxx-xxxx

ip address

ip rip advertise 5




Even though my RIP Timers are same at PE & CE Routers (5 15 15 22) the hold-down Timer is expiring.

After adding "ip rip advertise 5" the problem is getting solved.

1. I would like know what could be the Issue with the Timers Configured on PE & CE Routers

2. What is the necessity of adding "ip rip advertise 5" and the usage + advantage of the command.

Thanks in Advance for your POST.

Best Regards,

Guru Prasad R

Edison Ortiz Wed, 08/06/2008 - 06:28

Hi Guru,

With a debug, can you verify the PE side is sending RIP hellos every 5 seconds without the ip rip advertise command in both routers?

If it's not sending the updates every 5 seconds, the CE router will expire its as the dead-timer is set to 15 seconds and RIP by default sends hello every 30 seconds.

In the PE, you have your network statement under the VRF, so I wonder if the address-family is not using the timers from the global routing process.

In the CE, the network statements are under the global routing process, so the timers are being implemented correctly.

Do a debug and let us know which router is not following the new timers setting.




ciscosupport99 Wed, 08/06/2008 - 04:10

Hello Edison,

I believe my question is relavent, if not please direct me to the correct entity.

We have a configuration wherein we communicate with a vendor group via 2 frame/atm links (2 7206 routers connected via frame/atm links their locations and locally to a 6509 and 6513 core switches) each statically configured to one of two locations, when one link has an issue we manually change the static route(s) on the core 6500 to point to the other location. We connot particpate in their eigrp topology.

My question is what mechanism can I deploy to have failover work automatically, I am considering using tracking and/or a route map or sorts. I can forward a visio if that would help. Thanks I look forward to your response!


Edison Ortiz Wed, 08/06/2008 - 06:34

My question is what mechanism can I deploy to have failover work automatically, I am considering using tracking and/or a route map or sorts.

ip route with a track should accomplish your needs.

You can setup the preferred route with the track and the backup route with a higher AD.

For instance:

ip route x.x.x.x y.y.y.y g.g.g.g track1

ip route x.x.x.x y.y.y.y g.g.g.g 10

If the track is active, the route will be installed in the routing table. The higher AD is there so you won't balance the routes between the 2 frame/atm links.




ciscosupport99 Wed, 08/06/2008 - 07:58

Thanks Edison - to be sure I understand, currently there is a static route in each of the 7206s pointing to it's respective atm link/location. I should configure static routes for both locations in each router with the track and AD ?

Routing Regards,


This Discussion