Posts

Showing posts from 2017

OSPF - totally stub

This is the third post about OSPF. Today I will present the totally stub area and what each router can see. In this scenario routers R6, R7 and R8 have no information on how to reach R10. R8 and R9 (in area 1) can't see the area 0 prefixes, only a default route:

R6#sh ip route
      10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
C        10.0.0.0/24 is directly connected, FastEthernet0/0
L        10.0.0.6/32 is directly connected, FastEthernet0/0
O IA     10.1.0.0/24 [110/2] via 10.0.0.7, 00:14:18, FastEthernet0/0
O IA     10.2.0.0/24 [110/3] via 10.0.0.7, 00:00:07, FastEthernet0/0
C        10.10.10.0/24 is directly connected, Loopback0
L        10.10.10.6/32 is directly connected, Loopback0
R6#sh ip ospf database database-summary

            OSPF Router with ID (10.10.10.6) (Process ID 10)

Area 0 database summary

  LSA Type      Count    Delete   Maxage
  Router        2        0        0
  Network       1        0        0
  Summary Net   2        0        0
  Su

OSPF – stub area

This is the second post about OSPF. Today I will review how a stub area behaves compared to a normal area (from the previous post). In this scenario R6, R7 and R8 can't reach R10's prefixes, because type 5 LSAs (LSA5) are not allowed within a stub area.

R6#sh ip route
      10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
C        10.0.0.0/24 is directly connected, FastEthernet0/0
L        10.0.0.6/32 is directly connected, FastEthernet0/0
O IA     10.1.0.0/24 [110/2] via 10.0.0.7, 00:14:18, FastEthernet0/0
O IA     10.2.0.0/24 [110/3] via 10.0.0.7, 00:00:07, FastEthernet0/0
C        10.10.10.0/24 is directly connected, Loopback0
L        10.10.10.6/32 is directly connected, Loopback0
R6#sh ip ospf database database-summary

            OSPF Router with ID (10.10.10.6) (Process ID 10)

Area 0 database summary

  LSA Type      Count    Delete   Maxage
  Router        2        0        0
  Network       1        0        0
  Summary Net   2        0        0
  Summary ASBR

OSPF – normal (non-backbone) area

I decided to review what I know about OSPF areas and which LSA types are exchanged inside each type of area. The first one is a normal area (not the backbone). Over the next few posts I'm going to change the type of area 1 to see what the difference is. Below you can see what I see on every router.

R6#sh ip route
      10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
C        10.0.0.0/24 is directly connected, FastEthernet0/0
L        10.0.0.6/32 is directly connected, FastEthernet0/0
O IA     10.1.0.0/24 [110/2] via 10.0.0.7, 03:17:09, FastEthernet0/0
O IA     10.2.0.0/24 [110/3] via 10.0.0.7, 02:41:26, FastEthernet0/0
C        10.10.10.0/24 is directly connected, Loopback0
L        10.10.10.6/32 is directly connected, Loopback0
      172.16.0.0/24 is subnetted, 2 subnets
O E2     172.16.3.0 [110/200] via 10.0.0.7, 02:41:26, FastEthernet0/0
O E2     172.16.4.0 [110/200] via 10.0.0.7, 02:41:26, FastEthernet0/0
R6#
R6#sh ip ospf database database-summary

Python – Orphaned Object Finder – version 0.02

After the suggestions I received I decided to rewrite my last script and use some functions. I know the code is not very long or complex, so using functions seems unnecessary. On the other hand you should keep improving your code, so I decided to try. The 3 main functions I added:

Open file:

    #function definition - open file
    def openfile(p1,p2):
        f = open(p1, p2)
        return f

Read file:

    #function definition - read file
    def readfile(filen,objecttype,objectstart,objectend,linelenght,tabletmp):
        for line in filen:
            eol = len(line)-1
            if line[objectstart:objectend] == objecttype:
                onn = line[linelenght:eol]
                tabletmp.append([onn])
                if debugmode == "on":
                    print line[objectstart:objectend] + ' ->' + objecttype + ' ' + onn
        return tabletmp

Remove duplicates:

    #function definition - remove duplicates
    def removeduplicates(tab1,tab2):
        for i in tab1:
            if debugmode == "on":
                # print (str(tab1) +" i\n")
                print i[0]+

Python – Orphaned Object Finder

My next Python project can help you find unused objects in your ASA configuration. I have seen that it's very common to update an ASA's configuration, add network objects and modify ACLs, but no one remembers about objects which are not used anymore. The only time people review the config is during a migration from one vendor to another. My script can help you keep the config clean of unused objects. This is the config I will work with:

[hzw@zeus oof]$ cat acl2.txt
object network 172.16.0.0_16
 subnet 172.16.0.0 255.255.0.0
object network 192.168.1.0_24
 subnet 192.168.1.0 255.255.254.0
object network 192.168.1.0_23
 subnet 192.168.1.0 255.255.254.0
object network 172.16.250.5
 host 172.16.250.5
object network 172.16.250.0_24
 subnet 172.16.250.0 255.255.255.0
object network 172.16.250.5_
 host 172.16.250.5
object network 172.16.250.110
 host 172.16.250.110
object network 10.10.0.100_h
 host 10.10.0.100
object-group network TEST1
 network-object object 172.16.250.5
 network-object ob

VPN – asymmetric traffic

Recently I worked on a problem related to asymmetric VPN traffic. It was caused by a misconfiguration of the encryption domain. We fixed the problem and I would like to document the scenario. My previous post is about my first Python script, which helped to find the issues; more details here. This is the scenario I will work with:

[rA]g0/1-------g0/2[asaC]g0/1-----------g0/1[asaD]g0/2-------g0/1[rB]
                         |      VPN TUNNEL      |
                         ========================
10.1.0.2 - 10.1.0.1 [    ]10.0.0.1     10.0.0.2[    ]10.2.0.1 - 10.2.0.2
LAN1:                                                LAN2:
10.1.1.0/24                                          10.2.1.0/24
10.1.2.0/24                                          10.2.2.0/24

Traffic from 10.1.1.0/24 and 10.1.2.0/24 should go through the VPN tunnel set up between the two ASAs, 'asaC' and 'asaD'. This is the access list I created. It was implemented in the same way on both (order too!). As y

Python - 'Hello World!'

I decided to learn a bit of Python, but I prefer real problems to the 'course' way of learning, as I get bored too quickly. Luckily I worked on an issue where a site-to-site VPN was very unstable. Sometimes everything was fine, sometimes some hosts couldn't pass through. I discovered that the problem was related to overlapping encryption domains. There were some 'host' and 'network' entries which had been added over time as the project went from the development to the production phase. The only problem was that the old entries were never removed. Once all overlapping entries were removed everything worked fine. I tried to find a way to check the configuration of all remaining tunnels without spending too much time on it. So I thought about Python... This is the configuration part I want to work on:

object network 172.16.0.0_16
 subnet 172.16.0.0 255.255.0.0
object network 192.168.1.0_24
 subnet 192.168.1.0 255.255.254.0
object network 192.168.1.0_23
 s
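The two problems the Python posts above describe, objects that nothing references any more (the Orphaned Object Finder posts) and entries whose address ranges overlap inside one encryption domain (the VPN posts), can be checked by the same parser. The following is an added Python 3 example, not the blog's own script. The `object network` and `object-group network` lines are the ones shown on this page; the `access-list` lines, their names VPN_TO_B and INSIDE_IN, and all function names are constructed for the example, because the page's config excerpt ends before any ACL.

```python
"""Added example (not the blog's script): orphaned and overlapping ASA objects.
Object/object-group lines follow the page's excerpt; the access-list lines
(VPN_TO_B, INSIDE_IN) are constructed for this example."""
import ipaddress
import re
from itertools import combinations

SAMPLE_CONFIG = """\
object network 172.16.0.0_16
 subnet 172.16.0.0 255.255.0.0
object network 192.168.1.0_24
 subnet 192.168.1.0 255.255.254.0
object network 192.168.1.0_23
 subnet 192.168.1.0 255.255.254.0
object network 172.16.250.5
 host 172.16.250.5
object network 172.16.250.0_24
 subnet 172.16.250.0 255.255.255.0
object network 172.16.250.5_
 host 172.16.250.5
object network 172.16.250.110
 host 172.16.250.110
object network 10.10.0.100_h
 host 10.10.0.100
object-group network TEST1
 network-object object 172.16.250.5
 network-object object 172.16.250.110
access-list VPN_TO_B extended permit ip object 172.16.0.0_16 object 10.10.0.100_h
access-list VPN_TO_B extended permit ip object 172.16.250.0_24 object 10.10.0.100_h
access-list INSIDE_IN extended permit ip object-group TEST1 any
"""

OBJECT_DEF = re.compile(r"object network (\S+)")
HOST_LINE = re.compile(r"\s+host (\S+)")
SUBNET_LINE = re.compile(r"\s+subnet (\S+) (\S+)")
# 'object NAME' used as a reference; the lookbehind skips the 'object' inside
# 'network-object' and 'object-group'.
OBJECT_REF = re.compile(r"(?<![\w-])object (\S+)")


def parse_objects(config):
    """Map every 'object network NAME' to an ip_network (a host becomes a /32).
    Only 'host' and 'subnet' bodies are handled; 'range'/'fqdn' objects are skipped."""
    objects, current = {}, None
    for line in config.splitlines():
        m = OBJECT_DEF.match(line)
        if m:
            current = m.group(1)
        elif not line.startswith(" "):
            current = None  # object-group, access-list, ...: we left the object block
        elif current is not None:
            if m := HOST_LINE.match(line):
                objects[current] = ipaddress.ip_network(m.group(1))
            elif m := SUBNET_LINE.match(line):
                objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    return objects


def orphaned_objects(config):
    """Objects defined but never used as 'object NAME' in a group or an ACL."""
    used = set()
    for line in config.splitlines():
        if not OBJECT_DEF.match(line):  # definitions are not references
            used.update(OBJECT_REF.findall(line))
    return sorted(name for name in parse_objects(config) if name not in used)


def overlapping_objects(config):
    """(a, b, relation) for each pair of objects whose ranges overlap: 'duplicate'
    (same range), 'contains' (a holds b) or 'within' (b holds a)."""
    found = []
    for (a, net_a), (b, net_b) in combinations(sorted(parse_objects(config).items()), 2):
        if net_a.overlaps(net_b):
            rel = "duplicate" if net_a == net_b else ("contains" if net_b.subnet_of(net_a) else "within")
            found.append((a, b, rel))
    return found


def overlapping_acl_entries(config, acl_name):
    """Pairs of line numbers in one ACL whose source AND destination ranges overlap.
    In a crypto map ACL these are the overlapping encryption-domain entries from the
    VPN posts. Only 'permit ip object A object B' lines with defined objects count."""
    defined = parse_objects(config)
    entry_re = re.compile(rf"access-list {re.escape(acl_name)} extended permit ip object (\S+) object (\S+)")
    entries = []
    for lineno, line in enumerate(config.splitlines(), 1):
        m = entry_re.match(line)
        if m and m.group(1) in defined and m.group(2) in defined:
            entries.append((lineno, defined[m.group(1)], defined[m.group(2)]))
    return [(x[0], y[0]) for x, y in combinations(entries, 2)
            if x[1].overlaps(y[1]) and x[2].overlaps(y[2])]


if __name__ == "__main__":
    for name in orphaned_objects(SAMPLE_CONFIG):
        print("unused object:", name)
    for a, b, rel in overlapping_objects(SAMPLE_CONFIG):
        print(f"{a} {rel} {b}")
    for x, y in overlapping_acl_entries(SAMPLE_CONFIG, "VPN_TO_B"):
        print(f"VPN_TO_B: lines {x} and {y} overlap")
```

Run against the sample, the script flags 172.16.250.5_ and the two 192.168.1.0 objects as unused, reports 172.16.250.5 and 172.16.250.5_ (and the two 192.168.1.0_2x objects) as duplicates, and shows that the second VPN_TO_B entry is completely covered by the first, which is the kind of overlap that produced the unstable tunnel. Two caveats: an object referenced only from a group still counts as used even if the group itself is unused, and the name 192.168.1.0_24 is reported with prefix length 23 because the mask on the page is 255.255.254.0, so the name and the definition disagree.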