Wednesday, April 25, 2012

Notes on Cisco IOS Interface Order of Operations

Part of being a good network engineer is having the ability to effectively troubleshoot problems and answer questions without ambiguity. For the entry level networking technician (CCENT/CCNA), the implementation and troubleshooting tasks may not be involved enough to require detailed knowledge of how a router handles packets from ingress to egress. For intermediate network engineers (those at the CCNP level), this knowledge is important and as an individual transitions from the intermediate level to the advanced level (CCIE), this type of knowledge is extremely important to quickly isolate, identify, and solve issues in an enterprise network.

There are a lot of different manipulations that can happen with a router, including manipulations like tunneling/IPSec encryption, network address translation (NAT), policy routing, and Quality of Service (QoS) manipulation. Understanding the order that these happen is important for designing and troubleshooting different flows through a network. Cisco has published a couple of Technology Notes on the order of operations involving NAT and QoS and these same steps are in the CCNP TSHOOT study guides.

Here is the order of operations for interfaces involved with NAT:

Step | Inside to Outside                                                                    | Outside to Inside
-----|--------------------------------------------------------------------------------------|----------------------------------------------
 1   | Input Access Control List (ACL) for Encrypted Packet                                 | same
 2   | IPSec Decryption                                                                     | same
 3   | Input ACL for Decrypted Packet                                                       | same
 4   | Input QoS                                                                            | same
 5   | Input Accounting                                                                     | same
 6   | Web Cache Redirection                                                                | same
 7   | Policy Routing                                                                       | NAT inside global to inside local translation
 8   | Routing                                                                              | Policy Routing
 9   | NAT inside local to inside global translation                                        | Routing
10   | Crypto Map (mark for encryption)                                                     | same
11   | Output ACL                                                                           | same
12   | IP Inspection (a.k.a. Context Based Access Control [CBAC], Stateful IOS firewall)    | same
13   | TCP Intercept                                                                        | same
14   | IPSec Encryption                                                                     | same
15   | Output QoS and Queuing                                                               | same

The logic for NAT is fairly simple: for outside-to-inside traffic it is impossible to make a forwarding decision without first translating the inside global address to the inside local address, so that translation has to come before routing. Without NAT, the NAT step above simply disappears and the order of operations is otherwise the same. Likewise, any feature that is not configured drops out of the steps above; in the simplest case, the only action is routing.

I was working through a CCIE lab exam study guide and it posed an interesting question that got me thinking more about order of operations. The question asked to set different QoS markings (DSCP values) based on packet length. With regular class based marking this is not possible, but it is possible to match length using a route map. I was curious to see which would take precedence, DSCP set using a route map or a DSCP set using an egress policy map. I set up a really simple lab below in Dynamips/GNS3 using Cisco c3725 routers:



The idea is that I want to change the DSCP for ICMP traffic that is being NAT'd from 10.0.0.1 to 192.168.0.3. I configured a policy map on the NAT router that sets the DSCP to AF21 on egress via fa0/0, and a route-map that sets IP precedence 3 (immediate) and TOS 2 (max-reliability) to support a combined DSCP of AF31. The important configuration pieces on the NAT router are below; the class-map, policy-map and service-policy lines are the MQC marking, and the access-list, route-map and ip policy lines are the policy routing:

!
class-map match-all match-echo
 match protocol icmp

!
!
policy-map set-icmp
 class match-echo
  set ip dscp af21

!
!
interface FastEthernet0/0
 ip address 192.168.0.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 ip policy route-map set-icmp-dscp
 duplex auto
 speed auto
 service-policy output set-icmp
!
!
access-list 101 permit icmp any any
!
!
!
route-map set-icmp-dscp permit 10
 match ip address 101
 set ip precedence immediate
 set ip tos max-reliability

!


The final question, answered on the outside router, is what DSCP value the ICMP traffic (ping in this case) arrives with. This can be checked with an extended access list that matches one or more DSCP values and the correct source/destination addresses:

access-list 101 permit ip any host 192.168.0.1 dscp af21

And then we watch for packets that match that ACL:

debug ip packet 101

Performing a ping to the outside router indicates that the traffic is received with DSCP AF21. This indicates that the egress marking takes precedence over marking that happens due to policy routing.

Outside(config)#do debug ip packet 101
IP packet debugging is on for access list 101
*Mar  1 00:25:06.879: IP: tableid=0, s=192.168.0.3 (FastEthernet0/0), d=192.168.0.1 (FastEthernet0/0), routed via RIB
*Mar  1 00:25:06.883: IP: s=192.168.0.3 (FastEthernet0/0), d=192.168.0.1 (FastEthernet0/0), len 100, rcvd 3
*Mar  1 00:25:06.959: IP: tableid=0, s=192.168.0.3 (FastEthernet0/0), d=192.168.0.1 (FastEthernet0/0), routed via RIB
*Mar  1 00:25:06.959: IP: s=192.168.0.3 (FastEthernet0/0), d=192.168.0.1 (FastEthernet0/0), len 100, rcvd 3
*Mar  1 00:25:07.003: IP: tableid=0, s=192.168.0.3 (FastEthernet0/0), d=192.168.0.1 (FastEthernet0/0), routed via RIB
*Mar  1 00:25:07.003: IP: s=192.168.0.3 (FastEthernet0/0), d=192.168.0.1 (FastEthernet0/0), len 100, rcvd 3
*Mar  1 00:25:07.043: IP: tableid=0, s=192.168.0.3 (FastEthernet0/0), d=192.168.0.1 (FastEthernet0/0), routed via RIB
*Mar  1 00:25:07.043: IP: s=192.168.0.3 (FastEthernet0/0), d=192.168.0.1 (FastEthernet0/0), len 100, rcvd 3
*Mar  1 00:25:07.087: IP: tableid=0, s=192.168.0.3 (FastEthernet0/0), d=192.168.0.1 (FastEthernet0/0), routed via RIB
*Mar  1 00:25:07.087: IP: s=192.168.0.3 (FastEthernet0/0), d=192.168.0.1 (FastEthernet0/0), len 100, rcvd 3


If there was no marking occurring on egress, then the policy routing marking would take precedence.
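As an added example (not code from the post and not Cisco code), here is a small Python model of the order of operations in the table above: the stages run in the table's order, stages with no configuration drop out, and the route-map and the egress service-policy each write the TOS byte at their own stage, so the `set ip dscp` of the output QoS stage lands last. The inside interface name (FastEthernet0/1), the inside route, and the stage names are assumptions; the route-map's precedence and TOS bits are written into the TOS byte the way IOS writes them, so the resulting code point is computed rather than assumed.

```python
"""Model of the IOS interface order of operations tabulated above (added example,
not Cisco code).  Stages run in the table's order, unconfigured stages are
skipped, and the TOS byte is edited as `set ip precedence`, `set ip tos` and
`set ip dscp` edit it.  Simplification: the route-map is applied to every packet
its ACL matches, without modelling the per-interface binding of `ip policy`."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

COMMON_INGRESS = ["input_acl_encrypted", "ipsec_decrypt", "input_acl_decrypted",
                  "input_qos", "input_accounting", "wccp"]
COMMON_EGRESS = ["crypto_map", "output_acl", "ip_inspect", "tcp_intercept",
                 "ipsec_encrypt", "output_qos"]
ORDER = {  # only the position of NAT relative to policy routing and routing differs
    "inside_to_outside": COMMON_INGRESS + ["policy_routing", "routing", "nat"] + COMMON_EGRESS,
    "outside_to_inside": COMMON_INGRESS + ["nat", "policy_routing", "routing"] + COMMON_EGRESS,
}
AF21 = 18  # the DSCP the post's egress policy-map sets (binary 010010)

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    tos: int = 0                      # whole 8-bit TOS byte; DSCP is its top 6 bits
    out_if: Optional[str] = None
    routed_dst: Optional[str] = None  # destination the routing lookup actually saw

    @property
    def dscp(self) -> int:
        return self.tos >> 2

def set_precedence(tos: int, prec: int) -> int:
    """`set ip precedence N`: rewrite bits 7-5 of the TOS byte."""
    return (tos & 0x1F) | (prec << 5)

def set_tos_bits(tos: int, value: int) -> int:
    """`set ip tos N`: rewrite the 4-bit TOS field in bits 4-1 (max-reliability is 2)."""
    return (tos & 0xE1) | (value << 1)

def set_dscp(tos: int, dscp: int) -> int:
    """`set ip dscp X`: rewrite the top 6 bits, leaving the two ECN bits alone."""
    return (tos & 0x03) | (dscp << 2)

def stage_nat(pkt: Packet, table: dict, direction: str) -> Packet:
    """Static NAT; `table` maps inside local -> inside global."""
    if direction == "inside_to_outside" and pkt.src in table:
        return replace(pkt, src=table[pkt.src])
    inside_local = {g: l for l, g in table.items()}
    if direction == "outside_to_inside" and pkt.dst in inside_local:
        return replace(pkt, dst=inside_local[pkt.dst])
    return pkt

def stage_policy_routing(pkt: Packet, rm: dict, direction: str) -> Packet:
    """Route-map `set ip precedence` / `set ip tos` on packets the ACL matches."""
    if pkt.proto != rm["match_proto"]:
        return pkt
    return replace(pkt, tos=set_tos_bits(set_precedence(pkt.tos, rm["precedence"]), rm["tos"]))

def stage_routing(pkt: Packet, routes: list, direction: str) -> Packet:
    """Longest-prefix match; records which destination the lookup saw."""
    dst = ipaddress.ip_address(pkt.dst)
    hits = [(ipaddress.ip_network(p), oif) for p, oif in routes if dst in ipaddress.ip_network(p)]
    if not hits:
        raise LookupError("no route to " + pkt.dst)
    _, out_if = max(hits, key=lambda h: h[0].prefixlen)
    return replace(pkt, out_if=out_if, routed_dst=pkt.dst)

def stage_output_qos(pkt: Packet, pol: dict, direction: str) -> Packet:
    """`service-policy output` whose class does `set ip dscp`."""
    if pkt.out_if == pol["interface"] and pkt.proto == pol["match_proto"]:
        return replace(pkt, tos=set_dscp(pkt.tos, pol["dscp"]))
    return pkt

HANDLERS = {"nat": stage_nat, "policy_routing": stage_policy_routing,
            "routing": stage_routing, "output_qos": stage_output_qos}

def forward(pkt: Packet, cfg: dict, direction: str) -> Packet:
    """Run the configured stages in IOS order; unconfigured features drop out."""
    for stage in ORDER[direction]:
        if stage in cfg:
            pkt = HANDLERS[stage](pkt, cfg[stage], direction)
    return pkt

# The NAT router of the post (inside interface FastEthernet0/1 and its route are assumed).
NAT_ROUTER = {
    "nat": {"10.0.0.1": "192.168.0.3"},
    "policy_routing": {"match_proto": "icmp", "precedence": 3, "tos": 2},
    "routing": [("10.0.0.0/24", "FastEthernet0/1"), ("192.168.0.0/24", "FastEthernet0/0")],
    "output_qos": {"interface": "FastEthernet0/0", "match_proto": "icmp", "dscp": AF21},
}

def ping_outbound(cfg: dict = NAT_ROUTER) -> Packet:  # echo from inside host to outside router
    return forward(Packet("10.0.0.1", "192.168.0.1", "icmp"), cfg, "inside_to_outside")

def reply_inbound(cfg: dict = NAT_ROUTER) -> Packet:  # echo reply to the inside global address
    return forward(Packet("192.168.0.1", "192.168.0.3", "icmp"), cfg, "outside_to_inside")

def ping_without_egress_marking() -> Packet:  # same ping with the service-policy removed
    return ping_outbound({k: v for k, v in NAT_ROUTER.items() if k != "output_qos"})
```

`reply_inbound` also records that the routing lookup for outside-to-inside traffic sees the already translated inside local address, which is the reason NAT precedes routing in that direction.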

See Also:
The Road to the CCIE

Monday, April 16, 2012

Configuring Cisco On-Demand Routing (ODR)

One of the goals at the CCIE level is to gain a mastery of the configuration of most of the features on the Cisco IOS platform. On Demand Routing (ODR) is not often used, is not often tested, and is covered only superficially on lower-level certifications like the CCNP and CCNA.

ODR is primarily applicable in a hub and spoke network where CDP can be used and it is not desirable to add the overhead of a routing protocol like RIP, EIGRP, or OSPF. The main idea is that prefixes are exchanged from the spoke routers (also known as stub routers) to the hub router, and the hub router advertises a default route to the spoke routers. Prefixes learned via ODR can be redistributed into another routing protocol to ensure full end-to-end connectivity with other parts of the network.

ODR relies on Cisco Discovery Protocol (CDP), so only networks that support CDP can be part of an ODR configuration. This immediately eliminates Frame Relay with point-to-multipoint subinterfaces and other non-broadcast topologies.

The following topology demonstrates ODR using IPv4; IPv6 is not currently supported in ODR. This lab is built on Dynamips/GNS3 using Cisco c7200 routers running the Advanced Enterprise Services release of 15.0(1)M4.



ODR is only enabled on the hub router with the router odr command. On ASBR_HUB, we configure ODR and redistribution into OSPF:

router odr
!
router ospf 1
 log-adjacency-changes
 redistribute odr subnets
 network 10.0.0.0 0.0.0.255 area 0
!


After the network converges and routes are communicated via CDP, we can see the default route advertised via ODR on any spoke router:

Stub2#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is 10.0.2.1 to network 0.0.0.0

o*    0.0.0.0/0 [160/1] via 10.0.2.1, 00:00:56, FastEthernet0/0
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.0.2.0/30 is directly connected, FastEthernet0/0
L        10.0.2.2/32 is directly connected, FastEthernet0/0
      192.168.1.0/32 is subnetted, 1 subnets
C        192.168.1.1 is directly connected, Loopback0



On the hub router, we see the networks connected to the spoke routers advertised via CDP and included in the routing table as ODR routes:

ASBR_HUB#show ip route odr
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route


Gateway of last resort is not set

      192.168.0.0/32 is subnetted, 1 subnets
o        192.168.0.1 [160/1] via 10.0.1.2, 00:00:59, FastEthernet0/1
      192.168.1.0/32 is subnetted, 1 subnets
o        192.168.1.1 [160/1] via 10.0.2.2, 00:00:39, FastEthernet1/0
      192.168.2.0/32 is subnetted, 1 subnets
o        192.168.2.1 [160/1] via 10.0.3.2, 00:00:59, FastEthernet1/1

With the redistribution into OSPF, we can confirm end-to-end connectivity from the OSPF router and from one of the spoke routers:

Area0#ping 192.168.1.1 source lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/74/92 ms

Stub2#ping 172.16.1.1 source lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/57/76 ms


Troubleshooting ODR is simpler than troubleshooting other routing protocols because there is very little to it. 90% of troubleshooting ODR is making sure CDP is functioning properly and ensuring that it is not disabled globally or on the interfaces that are propagating routes.

Most often, people don't know which router(s) to configure the router odr command on (it is only enabled on the hub router). Using the debug cdp ip command helps to identify possible issues if the routing tables are not being populated.

ASBR_HUB#debug cdp ip
CDP IP info debugging is on


*Apr 16 11:54:29.915: CDP-IP: IP TLV length (4) invalid for IP prefixes.
                      Expecting IP prefix from stub router

The message above indicates that more than one hub has been configured. Removing the router odr command from the misconfigured spoke router should resolve this issue. Proper operation shows the hub router writing default routes to the spoke routers and updating routes from spoke-connected networks:

*Apr 16 11:57:29.703: CDP-IP: Writing default route 10.0.1.1 for FastEthernet0/1
*Apr 16 11:57:29.703: CDP-IP: Writing default route 10.0.2.1 for FastEthernet1/0
*Apr 16 11:57:29.707: CDP-IP: Writing default route 10.0.3.1 for FastEthernet1/1
ASBR_HUB#
*Apr 16 11:57:30.651: CDP-IP: Writing default route 10.0.0.2 for FastEthernet0/0
ASBR_HUB#
*Apr 16 11:57:34.951: CDP-IP: Aging routes
ASBR_HUB#
*Apr 16 11:57:38.511: CDP-IP: Reading prefix 192.168.1.1/32 source 10.0.2.2 via FastEthernet1/0
*Apr 16 11:57:38.511: CDP-IP: Updating prefix 192.168.1.1/32 in routing table


Routing updates can be controlled using distribute lists, and the timers can be configured using the timers router configuration command. By default, ODR sends updates every 60 seconds. If updates are not received in 180 seconds, routes are marked as invalid, and they are flushed after 240 seconds.
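As an added example (not the post's code and not Cisco code), the following Python model walks a hub through the default ODR timers just described, using the spoke addresses from the lab above on a constructed timeline: one spoke keeps sending CDP updates every 60 seconds while the other falls silent, and the model shows when its prefix turns invalid and when it is flushed. The `OdrHub` class, its method names and the log strings are assumptions that only mirror the debug cdp ip output above.

```python
"""ODR route aging on the hub (added example, not Cisco code).

Models the timers stated above: a spoke's prefix is expected every 60 s,
is marked invalid once 180 s pass without an update, and is flushed after
240 s.  Spoke addresses come from the lab; the timeline is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

UPDATE_INTERVAL, INVALID_AFTER, FLUSH_AFTER = 60, 180, 240

@dataclass
class OdrRoute:
    prefix: str
    next_hop: str
    interface: str
    last_update: int
    invalid: bool = False

@dataclass
class OdrHub:
    routes: Dict[str, OdrRoute] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def read_prefix(self, prefix: str, source: str, interface: str, now: int) -> None:
        """A CDP update carrying an IP prefix TLV arrived from a spoke."""
        self.log.append(f"Reading prefix {prefix} source {source} via {interface}")
        self.routes[prefix] = OdrRoute(prefix, source, interface, now)

    def age_routes(self, now: int) -> List[str]:
        """Periodic aging pass; returns the prefixes flushed during this pass."""
        self.log.append("Aging routes")
        flushed = []
        for prefix, route in list(self.routes.items()):
            silent_for = now - route.last_update
            if silent_for >= FLUSH_AFTER:
                del self.routes[prefix]
                flushed.append(prefix)
            elif silent_for >= INVALID_AFTER:
                route.invalid = True   # still in the table, no longer usable
        return flushed

    def usable(self) -> List[str]:
        return sorted(p for p, r in self.routes.items() if not r.invalid)

def run_scenario() -> Tuple[Dict[int, List[str]], Dict[int, List[str]]]:
    """Stub2 keeps updating; Stub1 reports once at t=0 and then goes silent.

    Returns (usable prefixes per aging pass, flushed prefixes per aging pass)."""
    hub = OdrHub()
    usable, flushed = {}, {}
    for now in range(0, 301, UPDATE_INTERVAL):
        hub.read_prefix("192.168.1.1/32", "10.0.2.2", "FastEthernet1/0", now)
        if now == 0:   # e.g. CDP was disabled on Stub1's uplink right after this update
            hub.read_prefix("192.168.0.1/32", "10.0.1.2", "FastEthernet0/1", now)
        flushed[now] = hub.age_routes(now)
        usable[now] = hub.usable()
    return usable, flushed
```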

The Road to the CCIE

Wednesday, April 11, 2012

OSPF Virtual Links

The Open Shortest Path First routing protocol is a critical piece of knowledge for any networking professional working in an enterprise environment. Most major networking certifications covering routing and switching including the Cisco Certified Network Associate (CCNA), Cisco Certified Network Professional (CCNP), and Cisco Certified Internetwork Expert (CCIE) extensively test OSPF knowledge and skills. OSPF is the most popular dynamic routing protocol used in complex enterprise networks. This example will demonstrate the concepts and configuration involved with setting up OSPF virtual links to support a non-contiguous backbone area. This lab is built using Dynamips/GNS3 utilizing Cisco c3725 routers.

Virtual links are designed to allow the backbone area (area 0) to be noncontiguous. They can also be used for non-backbone areas to protect against loss of end-to-end connectivity if an area is partitioned. In this example, the two parts of the backbone area have no direct connection, so OSPF brings up a virtual interface to allow the two separated routers in area 0 to share a common link and transmit LSAs. The following topology shows how virtual links are applied:



In order to ensure continuity in area 0, type 1 and type 2 LSAs are transmitted between routers 2.2.2.2 and 4.4.4.4 to allow all of the routers in area 0 to have a complete topology view. Type 3 (network summary) LSAs are transferred into area 0 at the two ABRs.

Virtual links can only be created through regular (non-stub) areas; when an area containing a virtual link is changed to a stub area or NSSA, the change fails with the following:

ABR_1_0(config-router)#area 1 nssa
% OSPF: Area cannot be nssa as it contains a virtual link


ABR_1_0(config-router)#area 1 stub
% OSPF: Area cannot be a stub as it contains a virtual link


Attempting to create a virtual link through a stub area fails:

ABR_0_1(config-router)#area 1 virtual-link 4.4.4.4
% OSPF: Area 1 is a stub or nssa so virtual links are not allowed


Configuration is fairly straightforward. The area <transit-area> virtual-link <router-id> command is used on the ABRs. The transit area is the area that divides the area the virtual link joins (typically area 0, but other areas are also possible), and the router ID is the router ID of the ABR on the other side of the virtual link. In this example the transit area is area 1 and the virtual link is between routers 4.4.4.4 and 2.2.2.2. On the ABRs:

On ABR_0_1:

router ospf 1
 router-id 2.2.2.2
 log-adjacency-changes
 area 1 virtual-link 4.4.4.4
 network 10.0.0.0 0.0.0.3 area 0
 network 10.0.1.0 0.0.0.3 area 1
!

On ABR_1_0:

router ospf 1
 router-id 4.4.4.4
 log-adjacency-changes
 area 1 virtual-link 2.2.2.2
 network 10.0.2.0 0.0.0.3 area 1
 network 10.0.3.0 0.0.0.3 area 0
!


OSPF hello packets are not sent periodically over virtual links and all of the received LSAs are marked with the DNA (do not age) bit. In a stable network, this is not a problem, but LSAs marked with the do not age bit are not refreshed every 30 minutes and they are not automatically timed out and deleted. Here is an example of the OSPF database for area 0 on ABR_1_0:

ABR_1_0#show ip ospf database

            OSPF Router with ID (4.4.4.4) (Process ID 1)

                Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
1.1.1.1         1.1.1.1         27    (DNA) 0x8000001F 0x00D21B 1
2.2.2.2         2.2.2.2         1     (DNA) 0x8000002A 0x00C9CD 2
4.4.4.4         4.4.4.4         7           0x80000025 0x00CBC0 2
5.5.5.5         5.5.5.5         634         0x8000001E 0x00FDC8 1

                Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
10.0.0.1        1.1.1.1         27    (DNA) 0x80000001 0x0069B8
10.0.3.2        5.5.5.5         634         0x8000001C 0x007C5E

                Summary Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
10.0.1.0        2.2.2.2         39    (DNA) 0x80000003 0x000E13
10.0.1.0        4.4.4.4         372         0x8000001A 0x0008EF
10.0.2.0        2.2.2.2         1     (DNA) 0x80000001 0x006BAC
10.0.2.0        4.4.4.4         119         0x8000001C 0x00946A

...


None of the area 0 type-1 or type-2 LSAs show up in area 1. Instead, the database shows type-3 network summary LSAs originating from area 0:

Area1#show ip ospf database

            OSPF Router with ID (10.0.2.1) (Process ID 1)

                Router Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum Link count
2.2.2.2         2.2.2.2         184         0x80000022 0x00AF2B 1
4.4.4.4         4.4.4.4         184         0x8000002B 0x001FA0 1
10.0.2.1        10.0.2.1        199         0x80000029 0x00DBBE 2

                Net Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum
10.0.1.2        10.0.2.1        194         0x80000003 0x0040CB
10.0.2.1        10.0.2.1        1133        0x8000001A 0x007577

                Summary Net Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum
10.0.0.0        2.2.2.2         200         0x8000001B 0x00E821
10.0.3.0        4.4.4.4         550         0x8000001E 0x008576



If the ABR attached to the virtual link fails, its LSAs will continue to exist on the other area routers; however, the routes will eventually disappear from the routing table. Looking at the database, OSPF picks up that the advertising router is not reachable and removes the route from the routing table, but the LSA remains in the database. Here is an example of a type-1 (router) LSA in the unreachable part of the backbone area after the virtual link goes down:

ABR_1_0#show ip ospf database router 1.1.1.1

            OSPF Router with ID (4.4.4.4) (Process ID 1)

                Router Link States (Area 0)

  Adv Router is not-reachable
  LS age: 27 (DoNotAge)
  Options: (No TOS-capability, DC)
  LS Type: Router Links
  Link State ID: 1.1.1.1
  Advertising Router: 1.1.1.1
  LS Seq Number: 8000001F
  Checksum: 0xD21B
  Length: 36
  Number of Links: 1

    Link connected to: a Transit Network
     (Link ID) Designated Router address: 10.0.0.1
     (Link Data) Router Interface address: 10.0.0.1
      Number of TOS metrics: 0
       TOS 0 Metrics: 10


Virtual links shouldn't exist in well designed OSPF networks. The two main applications for virtual links are preventing connectivity loss for partitioned areas and joining a physically separated backbone area. The separated backbone most often occurs during a merger/acquisition, when the decision has been made to use a single OSPF routing domain instead of redistribution.

See Also:
The Road to the CCIE


Tuesday, April 10, 2012

The OSPF Totally Not-So-Stubby-Area (NSSA)

The Open Shortest Path First routing protocol is a critical piece of knowledge for any networking professional working in an enterprise environment. Most major networking certifications covering routing and switching including the Cisco Certified Network Associate (CCNA), Cisco Certified Network Professional (CCNP), and Cisco Certified Internetwork Expert (CCIE) extensively test OSPF knowledge and skills. OSPF is the most popular dynamic routing protocol used in complex enterprise networks. This example will demonstrate the concepts and configuration involved with setting up a totally NSSA OSPF area. This lab is built using Dynamips/GNS3 utilizing Cisco c3725 routers.

The OSPF implementation in Cisco IOS recognizes 5 main classifications of areas:
Similar to the totally stubby area, the totally NSSA is not a standard area defined in the RFC specifications for OSPF. Vendors including Microsoft, Cisco, Juniper, and others have implemented these areas as their own custom extensions to the OSPF protocol.

The design principles for totally NSSAs are similar to those for totally stubby areas, except that the underlying assumption is relaxed slightly: routers internal to a totally NSSA need no knowledge of subnets outside of the area, with the exception of the routes injected by the NSSA ASBRs.

The following topology provides everything necessary to examine the mechanics of the totally NSSA:



Here we have E1 and E2 routes created by the ASBR in area 0 and N1 and N2 routes created by the ASBR in area 1 (the totally NSSA). The configuration of the ASBR and NSSA_ASBR routers follows a similar configuration to the NSSA example.
On ASBR:

router ospf 1
 log-adjacency-changes
 redistribute connected subnets route-map redist-lo-into-ospf
 network 10.0.0.0 0.0.0.255 area 0
!
ip prefix-list lo-into-ospf-e1 seq 5 permit 172.16.1.0/24
!
ip prefix-list lo-into-ospf-e2 seq 5 permit 172.16.2.0/24
!
! **Make 172.16.1.0/24 an E1 route**
!
route-map redist-lo-into-ospf permit 10
 match ip address prefix-list lo-into-ospf-e1
 set metric-type type-1
!
! **Make 172.16.2.0/24 an E2 route**
!
route-map redist-lo-into-ospf permit 20
 match ip address prefix-list lo-into-ospf-e2
 set metric-type type-2
!


On NSSA_ASBR:

router ospf 1
 log-adjacency-changes
 area 1 nssa no-summary
 redistribute connected subnets route-map lo-to-ospf
 network 192.168.1.0 0.0.0.255 area 1
!
ip prefix-list lo-to-ospf-t1 seq 5 permit 192.168.100.0/24
!
ip prefix-list lo-to-ospf-t2 seq 5 permit 192.168.200.0/24
!
route-map lo-to-ospf permit 10
 match ip address prefix-list lo-to-ospf-t1
 set metric-type type-1
!
route-map lo-to-ospf permit 20
 match ip address prefix-list lo-to-ospf-t2
 set metric-type type-2
!


For ABRs that have interfaces in area 1, the area nssa no-summary command is required to identify the area as a totally NSSA. The no-summary option instructs the ABRs not to propagate type-3 LSAs into the totally NSSAs. The no-summary option is also only required on ABRs, as there are no other sources of type 3 LSAs. Type-5 LSAs are not propagated into stub or NSSA areas.

The area 1 ABRs still create type-3 summary LSAs and type 5 external LSAs (from the type-7 NSSA external LSAs) and propagate these into the backbone area and other type-5 capable areas.

Let's examine the routing table and OSPF database on the internal area 1 router and the internal area 0 router. Since area 1 is totally NSSA, we would only expect to find networks advertised in area 1 and the external routes from NSSA_ASBR:

Area1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route


Gateway of last resort is 192.168.0.1 to network 0.0.0.0

O N2 192.168.200.0/24 [110/20] via 192.168.1.2, 20:17:53, Serial0/1
C    192.168.0.0/24 is directly connected, Serial0/0
C    192.168.1.0/24 is directly connected, Serial0/1
O N1 192.168.100.0/24 [110/84] via 192.168.1.2, 20:17:53, Serial0/1
O*IA 0.0.0.0/0 [110/65] via 192.168.0.1, 10:06:39, Serial0/0


Similar to the stub and totally stubby areas, the default route is propagated as a type-3 LSA originating from the ABR and there are no other LSAs advertising routes/networks from outside of area 1:

Area1#show ip ospf database

            OSPF Router with ID (192.168.1.1) (Process ID 1)

                Router Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum Link count
192.168.0.1     192.168.0.1     1434        0x8000002B 0x002A33 2
192.168.1.1     192.168.1.1     1046        0x80000029 0x009A1E 4
192.168.200.1   192.168.200.1   656         0x80000027 0x00418C 2

                Summary Net Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum
0.0.0.0         192.168.0.1     661         0x80000013 0x0003B6

                Type-7 AS External Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum Tag
192.168.100.0   192.168.200.1   656         0x80000025 0x004F36 0
192.168.200.0   192.168.200.1   656         0x80000025 0x00821E 0


In the backbone area, the routing table shows all of the networks that are advertised into OSPF (either through redistribution or OSPF configuration):

Area0#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 2 subnets
O E1    172.16.1.0 [110/84] via 10.0.0.1, 16:28:13, Serial0/0
O E2    172.16.2.0 [110/20] via 10.0.0.1, 16:28:13, Serial0/0
O E2 192.168.200.0/24 [110/20] via 10.0.1.2, 16:28:33, Serial0/1
     10.0.0.0/24 is subnetted, 2 subnets
C       10.0.0.0 is directly connected, Serial0/0
C       10.0.1.0 is directly connected, Serial0/1
O IA 192.168.0.0/24 [110/128] via 10.0.1.2, 16:32:30, Serial0/1
O IA 192.168.1.0/24 [110/192] via 10.0.1.2, 16:32:30, Serial0/1
O E1 192.168.100.0/24 [110/212] via 10.0.1.2, 16:28:34, Serial0/1


Looking at Area 0, we see type 5 LSAs for the external routes advertised by NSSA_ASBR and we see type 3 LSAs for the networks that are internal to area 1:

Area0#show ip ospf database

            OSPF Router with ID (10.0.1.1) (Process ID 1)

                Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
10.0.1.1        10.0.1.1        933         0x8000004F 0x0074D3 4
172.16.2.1      172.16.2.1      1063        0x8000004E 0x00F9BA 2
192.168.0.1     192.168.0.1     1748        0x8000002A 0x00F38B 2

                Summary Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
192.168.0.0     192.168.0.1     1748        0x80000025 0x00FF05
192.168.1.0     192.168.0.1     1748        0x80000025 0x00774C

                Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag
172.16.1.0      172.16.2.1      1305        0x8000004A 0x009ABF 0
172.16.2.0      172.16.2.1      1316        0x8000004A 0x0013C5 0
192.168.100.0   192.168.0.1     1759        0x80000025 0x0061F6 0
192.168.200.0   192.168.0.1     1759        0x80000025 0x0094DE 0



See Also:
The Road to the CCIE



Are Cloud Services Highly Available?

Businesses, governments, and non-profit organizations are relying more and more on the use of externally hosted cloud services for email, web hosting, applications, and more. From a business unit perspective, these services require little more than an internet connection and (in some cases) a client software installation. Some companies are even reducing or eliminating their datacenter space in favor of emerging cloud technologies like virtual private server (VPS) hosting. Unfortunately, the right people in the IT department might not be involved until after a contract is signed and critical damage is done to the organization's high availability strategy.

Cloud services are hosted by all kinds of people and organizations nowadays. Some organizations offer very highly available systems that could withstand the failure of an entire part of the country while others are offered out of a person's basement (really... an old boss of mine hosted a "cloud" service out of his basement). Some providers even cater to niche markets like the eco-friendly market by offering green cloud services, green virtual private server hosting, and green web hosting. Although good for marketing, niche factors don't determine what a "good" cloud provider really offers.

Utilizing cloud services is a form of outsourcing, so the primary business drivers are reducing total cost of ownership and not negatively impacting the quality of the IT service delivered. For the most part, organizations are most successful with outsourcing business support processes while keeping the IT infrastructure and applications for core business services maintained internally.

When evaluating competing cloud services, it is important to look at what the hosting organization provides in terms of the service offered and the availability/performance guarantee. If the hosting company stores your organization's data in a single datacenter at a single site, then this creates a risk of loss in the event of a catastrophic failure or natural disaster at the service provider's datacenter. Perhaps the provider has multiple sites, but relies on tape backup and restore in the event of a failure at the primary site.

Other factors around availability, performance, and overall service quality need to be considered before signing a contract with a cloud provider. When you trust your data to a cloud provider, you are only as highly available as they are. Furthermore, in the event of a disaster affecting a service provider, their internal DR plan will probably be to restore the biggest and highest paying company's data first, so smaller organizations could be at a bigger disadvantage.

The business case for cloud services exists because an organization can manage their IT costs as operational expenses rather than capital expenses and the total cost of ownership (TCO) goes down in some instances (though not as often as you might think). Unfortunately, the use of some cloud technologies can cause an organization's IT service to be less highly available than if it were offered internally by the organization's IT staff.

See Also:
High Availability, Business Continuity Planning, and Disaster Recovery

Monday, April 9, 2012

The OSPF Not-So-Stubby Area (NSSA)

The Open Shortest Path First routing protocol is a critical piece of knowledge for any networking professional working in an enterprise environment. Most major networking certifications covering routing and switching including the Cisco Certified Network Associate (CCNA), Cisco Certified Network Professional (CCNP), and Cisco Certified Internetwork Expert (CCIE) extensively test OSPF knowledge and skills. OSPF is the most popular dynamic routing protocol used in complex enterprise networks. This example will demonstrate the concepts and configuration involved with setting up a totally stubby OSPF area. This lab is built using Dynamips/GNS3 utilizing Cisco c3725 routers.

The OSPF implementation in Cisco IOS recognizes 5 main classifications of areas:
The NSSA Option for OSPF areas is defined in RFC 1587. The NSSA option partially undoes a portion of what the stub area is designed to do. The OSPF stub area eliminates the propagation of external routes in an area by creating a default route that is propagated into the NSSA by the ABR. The NSSA standard creates a new type of LSA, the type 7 (NSSA External) LSA, and floods that through the NSSA. ABRs for the NSSA translate type 7 LSAs and propagate them to the backbone area and other type-5-LSA capable areas as type 5 (external) LSAs. ASBRs in the NSSA are not actually advertised into the backbone area as type 4 (ASBR summary) LSAs.


From a network design standpoint, NSSAs have a limited application to large enterprise networks and service providers using OSPF as an interior gateway protocol. The idea centers on the assumption that there are non-transit networks that are candidates to be connected to a stub area, but are not part of the OSPF routing domain. In a way, these external networks and the OSPF area that they are connected to can be considered a leaf in the larger spanning tree developed by the other OSPF areas.

The following topology shows everything that we will need to explore the not-so-stubby area in Cisco's OSPF implementation.





The ASBRs create both E1 (N1) and E2 (N2) routes. Remember that paths to E2/N2 routes are evaluated only on the external cost. E1/N1 costs are determined by a combination of the external and internal (to the OSPF routing domain) costs to reach a subnet. E2/N2 networks are considered higher cost than E1/N1 networks, regardless of whether the E2/N2 metric is actually lower than the E1/N1 metric.

The configuration of the ASBR and NSSA_ASBR redistribution is most easily accomplished using a route map that matches prefix lists for the routes:


On ASBR:

router ospf 1
 log-adjacency-changes
 redistribute connected subnets route-map redist-lo-into-ospf
 network 10.0.0.0 0.0.0.255 area 0
!
ip prefix-list lo-into-ospf-e1 seq 5 permit 172.16.1.0/24
!
ip prefix-list lo-into-ospf-e2 seq 5 permit 172.16.2.0/24
!
! **Make 172.16.1.0/24 an E1 route**
!
route-map redist-lo-into-ospf permit 10
 match ip address prefix-list lo-into-ospf-e1
 set metric-type type-1
!
! **Make 172.16.2.0/24 an E2 route**
!
route-map redist-lo-into-ospf permit 20
 match ip address prefix-list lo-into-ospf-e2
 set metric-type type-2
!




On NSSA_ASBR:

router ospf 1
 log-adjacency-changes
 area 1 nssa default-information-originate
 redistribute connected subnets route-map lo-to-ospf
 network 192.168.1.0 0.0.0.255 area 1
!
ip prefix-list lo-to-ospf-t1 seq 5 permit 192.168.100.0/24
!
ip prefix-list lo-to-ospf-t2 seq 5 permit 192.168.200.0/24
!
route-map lo-to-ospf permit 10
 match ip address prefix-list lo-to-ospf-t1
 set metric-type type-1
!
route-map lo-to-ospf permit 20
 match ip address prefix-list lo-to-ospf-t2
 set metric-type type-2
!


For routers attached to the NSSA, the area nssa router configuration command is required to set the correct flag in the OSPF hello packet. All routers in the area have to agree that the area is an NSSA, otherwise they will not form adjacencies. A special consideration for NSSAs is that the ABR does not generate a default route unless the default-information-originate option is used.


We know from previous examples that the ABRs have full databases for all of the areas that they are connected to, so let's look at the routing tables and OSPF databases on Area0 and Area1. Area1 is an internal router for area 1, meaning that all of its OSPF-enabled interfaces are in area 1, the NSSA. In this case, we see the two external routes for the networks advertised by NSSA_ASBR and the default route advertised by the ABR (unlike a stub area, this is originated by the ABR as a type 7 LSA):


Area1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route


Gateway of last resort is 192.168.0.1 to network 0.0.0.0

O N2 192.168.200.0/24 [110/20] via 192.168.1.2, 03:24:47, Serial0/1
     10.0.0.0/24 is subnetted, 2 subnets
O IA    10.0.0.0 [110/192] via 192.168.0.1, 03:28:20, Serial0/0
O IA    10.0.1.0 [110/128] via 192.168.0.1, 03:28:20, Serial0/0

C    192.168.0.0/24 is directly connected, Serial0/0
C    192.168.1.0/24 is directly connected, Serial0/1
O N1 192.168.100.0/24 [110/84] via 192.168.1.2, 03:24:47, Serial0/1

O*N2 0.0.0.0/0 [110/1] via 192.168.0.1, 00:02:47, Serial0/0



The OSPF database from Area1 is shown below. LSAs for networks originating from area 0 are green and LSAs for networks originating in area 1 are blue. The special type-7 LSA for the default route is purple:


Area1#show ip ospf database

            OSPF Router with ID (192.168.1.1) (Process ID 1)

                Router Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum Link count
192.168.0.1     192.168.0.1     785         0x8000000D 0x006615 2
192.168.1.1     192.168.1.1     589         0x8000000B 0x00D6FF 4
192.168.200.1   192.168.200.1   390         0x80000009 0x007D6E 2


                Summary Net Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum
10.0.0.0        192.168.0.1     785         0x80000007 0x0093A8
10.0.1.0        192.168.0.1     785         0x80000007 0x000675


                Type-7 AS External Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum Tag
0.0.0.0         192.168.0.1     359         0x80000001 0x00FA4C 0
192.168.100.0   192.168.200.1   390         0x80000007 0x008B18 0
192.168.200.0   192.168.200.1   390         0x80000007 0x00BEFF 0



Area0 is an internal router for the backbone area. In this case, the LSAs originating in area 1 for the external 192.168.100.0 and 192.168.200.0 networks are converted to type-5 LSAs for any other areas in the OSPF routing domain that are type-5 capable. The routing table shows that the N1 routes have been converted to E1 and the N2 routes have been converted to E2.


Area0#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route


Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 2 subnets
O E1    172.16.1.0 [110/84] via 10.0.0.1, 1d00h, Serial0/0
O E2    172.16.2.0 [110/20] via 10.0.0.1, 1d00h, Serial0/0

O E2 192.168.200.0/24 [110/20] via 10.0.1.2, 03:37:32, Serial0/1
     10.0.0.0/24 is subnetted, 2 subnets
C       10.0.0.0 is directly connected, Serial0/0
C       10.0.1.0 is directly connected, Serial0/1

O IA 192.168.0.0/24 [110/128] via 10.0.1.2, 03:41:43, Serial0/1
O IA 192.168.1.0/24 [110/192] via 10.0.1.2, 03:40:23, Serial0/1

O E1 192.168.100.0/24 [110/212] via 10.0.1.2, 03:37:34, Serial0/1
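As a quick way to verify the N1/N2 to E1/E2 translation in a lab, here is an added Python script (not part of the original post, and not a Cisco tool) that parses the OSPF lines from the two routing tables above and checks the metric rule stated at the start of the post: the E2 metric is the external cost alone, so it must be unchanged, while the E1 metric adds the internal path cost. The path cost of 128 from Area0 to router Area1 is taken from the O IA 192.168.0.0/24 entry in Area0's table; reading it that way is my assumption about the lab topology, not something the post states.

```python
import re

# Route lines taken from the Area1 and Area0 "show ip route" output in this post
# (non-OSPF lines omitted). Area1 sits inside the NSSA; Area0 is a backbone router.
AREA1_ROUTES = """\
O N2 192.168.200.0/24 [110/20] via 192.168.1.2, 03:24:47, Serial0/1
O IA    10.0.0.0 [110/192] via 192.168.0.1, 03:28:20, Serial0/0
O IA    10.0.1.0 [110/128] via 192.168.0.1, 03:28:20, Serial0/0
O N1 192.168.100.0/24 [110/84] via 192.168.1.2, 03:24:47, Serial0/1
O*N2 0.0.0.0/0 [110/1] via 192.168.0.1, 00:02:47, Serial0/0
"""

AREA0_ROUTES = """\
O E1    172.16.1.0 [110/84] via 10.0.0.1, 1d00h, Serial0/0
O E2    172.16.2.0 [110/20] via 10.0.0.1, 1d00h, Serial0/0
O E2 192.168.200.0/24 [110/20] via 10.0.1.2, 03:37:32, Serial0/1
O IA 192.168.0.0/24 [110/128] via 10.0.1.2, 03:41:43, Serial0/1
O IA 192.168.1.0/24 [110/192] via 10.0.1.2, 03:40:23, Serial0/1
O E1 192.168.100.0/24 [110/212] via 10.0.1.2, 03:37:34, Serial0/1
"""

# Assumption about the lab: Area0 reaches router Area1 (where the N1/N2 metrics
# were observed) at cost 128, the metric of Area0's "O IA 192.168.0.0/24" entry.
PATH_COST_AREA0_TO_AREA1 = 128

# "O", an optional "*" (candidate default), an optional route code, the prefix with
# an optional mask length, "[AD/metric]" and the next hop address.
ROUTE_RE = re.compile(
    r"^O(?P<star>\*)?\s*(?P<code>IA|N1|N2|E1|E2)?\s+"
    r"(?P<prefix>[\d.]+)(?:/(?P<plen>\d+))?\s+"
    r"\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nexthop>[\d.]+),"
)


def parse_ospf_routes(text):
    """Return {prefix: (code, metric, next_hop)} for every OSPF route line."""
    routes = {}
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes[m["prefix"]] = (m["code"] or "O", int(m["metric"]), m["nexthop"])
    return routes


def check_nssa_translation(nssa_routes, backbone_routes, path_cost):
    """Compare each N1/N2 route inside the NSSA with the backbone's view of it.

    N2 -> E2: only the external cost counts, so the metric must be unchanged.
    N1 -> E1: the backbone adds its internal cost to reach the NSSA router.
    Returns {prefix: (nssa_code, backbone_code, nssa_metric, backbone_metric, ok)}.
    """
    results = {}
    for prefix, (code, metric, _) in nssa_routes.items():
        if code not in ("N1", "N2") or prefix == "0.0.0.0":
            continue  # the type-7 default route is never translated into area 0
        bcode, bmetric, _ = backbone_routes.get(prefix, (None, None, None))
        expected_code = "E" + code[1]
        expected_metric = metric + (path_cost if code == "N1" else 0)
        ok = bcode == expected_code and bmetric == expected_metric
        results[prefix] = (code, bcode, metric, bmetric, ok)
    return results


if __name__ == "__main__":
    nssa = parse_ospf_routes(AREA1_ROUTES)
    backbone = parse_ospf_routes(AREA0_ROUTES)
    for prefix, row in check_nssa_translation(nssa, backbone, PATH_COST_AREA0_TO_AREA1).items():
        print(prefix, row)
    print("type-7 default leaked into area 0:", "0.0.0.0" in backbone)
```

Run against the two tables, both external prefixes come back with ok set to True (84 + 128 = 212 for the N1 route, 20 unchanged for the N2 route), and the 0.0.0.0 type-7 default is correctly absent from Area0. A False in the last column is the fastest hint that an ABR is translating with the wrong metric type, or that a second ABR is translating instead of the one you expected.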



In the OSPF database, we also see that there are no type 7 LSAs and that the LSAs advertising the 192.168.100 and 192.168.200 external networks are now type 5 LSAs. The same coloring scheme is used here as in the example above:


Area0#show ip ospf database

            OSPF Router with ID (10.0.1.1) (Process ID 1)

                Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
10.0.1.1        10.0.1.1        1748        0x8000002E 0x009ECA 4
172.16.2.1      172.16.2.1      898         0x8000002F 0x00389B 2

192.168.0.1     192.168.0.1     1573        0x8000000C 0x00306D 2

                Summary Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
192.168.0.0     192.168.0.1     1573        0x80000007 0x003CE6
192.168.1.0     192.168.0.1     1330        0x80000007 0x00B32E


                Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag
172.16.1.0      172.16.2.1      898         0x8000002C 0x00D6A1 0
172.16.2.0      172.16.2.1      898         0x8000002C 0x004FA7 0

192.168.100.0   192.168.0.1     1330        0x80000007 0x009DD8 0
192.168.200.0   192.168.0.1     1330        0x80000007 0x00D0C0 0



This post showed the basic configuration and mechanics of an NSSA in Cisco's OSPF implementation.

See Also,
The Road to the CCIE





Thursday, April 5, 2012

Overclocking is a Bad Idea

I see a lot of forums issues related to problems that are ultimately traced back to overclocking on systems. Overclocking is probably the single worst thing you can do for the lifespan of your PC and the instability caused by overclocking far outweighs any possible performance gains. Professional systems engineers don't overclock systems, and home users shouldn't either for a vast number of reasons. I'll go through a few of them in this post.

What is overclocking?


Overclocking refers to modifying a computer system component in a way that it is operating at a higher frequency/clock rate, voltage, or other measure of performance. Most overclocking is done by people who are conducting experiments with hardware to determine the maximum stress point that a motherboard, processor (CPU), system bus, graphics processing unit (GPU), system memory (RAM), or hard drive can handle before reaching a failure point.

Some misguided individuals overclock their systems and use the overclocked state for their standard configuration. These individuals typically feel the pain shortly after overclocking and they tend to go running to the various hardware forums on the Internet to say that their system is acting up.

Why is overclocking good?


To show the other side of the story, overclocked systems typically have a higher level of performance than their non-overclocked counterparts. These systems typically process numeric calculations, graphics operations, and other system functions at higher rates and appear more responsive to the end user. This comes at a major cost to the system's stability and

Why is overclocking bad?


It immediately voids your warranty for most components. Hardware vendors don't support running system components above their default thresholds. They set these limits after doing numerous tests to determine the right mix between component longevity, performance, and failure rate. Most vendors can detect if a component was overclocked when it failed, and if it happens, it typically voids an RMA request or a warranty repair and the component has to be repurchased by the end user. 

Think about it in the context of how a car operates. Overclocking runs a component at or above the "redline" RPM level for an extended period of time. Even with appropriate cooling, this substantially increases component wear and exponentially increases the probability of component failure. For a car running above the "redline" level, the engine will seize after a short period of time, even with appropriate cooling and lubrication.

Overclocking throws off the system timing, increasing the probability of memory, hard drive, and processor cache/instruction corruption. The system is designed to have the processor and bus communicate with the other components at a specified rate, increasing the rate of operation can potentially overrun other system components and cause corruptions in calculations performed by the system and sent to/from other components.

Some components cannot be overclocked effectively. An example is a graphics processing unit. Although AMD (ATI) and Nvidia have developed experimental applications for overclocking a GPU, this causes increased stress on a system that does not have adequate dedicated cooling to begin with. Additionally, GPUs have a poor track record of enhancing system stability and adding nonstandard timings/voltage creates another variable that can contribute to increased timeout detection and recovery (TDR) activity/failures in Windows and general GPU related hangs and system failures in Linux/UNIX.

The bottom line is simple... don't overclock your system. The risks outweigh the benefits and overclocking often creates more problems than it solves. If you do overclock and break something, then don't go crying to anyone else because you ultimately did something stupid and received a fair reward. Don't ask the manufacturer for help, because they will find out that you overclocked and that your warranty/support agreement is void.

For end users... don't buy an overclocked system. This is a dangerous scenario if you are storing important documents and potentially irreplaceable data like family pictures on the system. Some unscrupulous computer people will sell these "gaming" systems to you, but if you want faster hardware, then buy faster hardware instead of overclocking cheaper and error-prone hardware. The cost difference typically pays itself back when it is compared to the downtime that overclocking typically causes.

Real computing professionals don't overclock systems. They know the risks and know that the risks outweigh the rewards. Those who do overclock typically have a spare system that they use for experiments, but don't store any real data on it because of the increased risk of failure. Overclocked systems are mainly used to answer "what if" type questions, and you really need to have a spare system, and a willingness to lose it (or parts of it), to answer those questions.

See Also,
How to Rescue Files From a Damaged Account

Windows Crash Dump Analysis
0x124 WHEA_UNCORRECTABLE_ERROR
0x9C MACHINE_CHECK_EXCEPTION.
Troubleshooting Memory Errors
How to Detect a Failing Hard Drive
Stress Testing a CPU to Detect Hardware Failure
Stress Testing a Video Card

How much interest are you paying?

Personal financial literacy is the first step towards developing true financial security and realizing a dream of quitting a job or having a comfortable retirement. I received an MBA in accounting and now I use my knowledge to help others. People and businesses have a lot of difficulty managing cash flow. Most people don't have visibility into the interest that they are paying. Even though a law was enacted that requires financial institutions to disclose more about interest on credit cards, most consumers don't have a full grasp of the true magnitude of interest, especially on longer term loans like mortgages and some car loans.

The only two forms of robbery that are worse than interest on loans are armed robbery and rent payments. In the former, you are losing something you have and get nothing in return. In the latter, you are basically throwing cash away every month.

Smart financial people never pay more interest than they have to, and they tend to engage in good financial habits like keeping balances low and paying off loans well before their due date. Why? It's how interest works. In most cases, you are charged interest on the unpaid portion of the principal (the amount that you originally borrowed). Each month a portion of your minimum payment goes towards interest and a portion goes towards principal. What no one ever tells you is how much goes each way. Creditors don't want you to know, because if the average American (or anyone in any other country) understood this there would be a very violent revolution against both the creditors (banks, credit unions, mortgage companies, etc) and the government (for letting it happen).

You typically have to pursue a finance or accounting degree in college to learn how to calculate interest on a loan. I received an MBA specializing in accounting and dealt extensively with loan calculations, and I'm mortified on a daily basis at how much people pay in interest on a 4% home loan (typically over 30 years) or a 6% student loan (typically over 10 years). Auto loans are also very expensive (typically 5-10 years to pay off). What about "no interest" loans? This is the worst kind of loan because the interest is included in the principal, so there is no way to save money by paying it off early.

The idea behind most loans is that the interest accrues at specific intervals (typically daily, monthly, quarterly, or annually) and is a function of the interest rate and the unpaid principal amount. Most loan disclosure documents give the interest rate in annual terms, so when you receive a 4% mortgage, you will pay roughly 4% of the principal in interest payments over the course of a year, and these interest payments will be calculated (compounded) according to the loan agreement. To initially calculate a loan payment, you need access to a present value calculator to avoid doing a lengthy manual calculation. Every present value calculator has 3 main inputs and an output consisting of the following:
  • PV -  Present Value (the amount you are borrowing)
  • INT - Interest Rate
  • N - Number of Periods to compound interest rate
  • FV - Future Value (Value at the end of the period)
  • PMT - The payment paid or received
By convention, PV and FV are positive if you are receiving cash and are negative if you are giving cash. If you have any 3 of these, you can calculate the 4th with a present value calculator. Back in college, it would have been normal to use a TI BAII+ or an HP 12C, but with any computer running Microsoft Excel or OpenOffice.org Calc, the functions of a financial calculator are built in. I will build the demonstration spreadsheet with Microsoft Excel.

I typically need to answer the question of "If I buy this house, how much will my mortgage payment be?" In this case, we have to determine a payment given a present value, interest rate, and future value (which is 0).

To calculate a payment, we use the PMT(I,N,PV,FV) function. Most mortgages are compounded monthly, so we would need to divide the annual rate by 12. For a 30 year mortgage, the number of periods is 360, for a 15 year mortgage, the number of periods is 180. A couple of examples follow:


30 year mortgage, compounded monthly, interest rate of 6% annually and borrowing an amount of 200,000:

=pmt(.06/12,360,200000,0) = -$1199.10


15 year mortgage borrowing $500,000 at 7%

=pmt(.07/12,180,500000,0) = -$4494.14


Simple enough, now how do we determine the total amount of interest paid? Initially, almost the entire loan payment is interest, and over time the balance shifts and the loan payment becomes more principal than interest. The below example shows how a $100,000 loan at 5% breaks down over the lifetime of the loan.





In order to calculate this, we take the values that we specified above for INT, PV, FV, N, and PMT and build a loan amortization schedule. This example will show the first few periods of a $100,000 loan at 5%.


Period  Beginning Amount [BA]  Payment [PMT]  Interest Payment [IP]  Principal Payment [PP]  Remaining Principal
                                              (BA * INT, monthly)    (PMT - IP)              (BA - PP)
1       100,000                536.82         416.67                 120.15                  99,879.85
2       99,879.85              536.82         416.17                 120.66                  99,759.19
3       99,759.19              536.82         415.66                 121.16                  99,638.03
...     ...                    ...            ...                    ...                     ...

Carrying this out to 360 periods, the remaining principal goes to zero and the loan is paid off. To determine the total interest paid on the loan, sum the interest payments column. For the example above, the interest paid on $100,000 at 5% over 30 years is 93,255.78, or almost 94% of the original amount borrowed over the life of the loan. What happens if we pay more than the minimum? Let's take the previous example, but pay $1,000/month instead of the minimum (536.82).


Period  Beginning Amount [BA]  Payment [PMT]  Interest Payment [IP]  Principal Payment [PP]  Remaining Principal
                                              (BA * INT, monthly)    (PMT - IP)              (BA - PP)
1       100,000                1000           416.67                 583.33                  99,416.67
2       99,416.67              1000           414.27                 585.76                  98,830.90
3       98,830.90              1000           411.80                 588.20                  98,242.70
...     ...                    ...            ...                    ...                     ...

In this case, the loan is paid off in 130 periods (just under 11 years) with a total interest amount of $29,628.96. That is a savings of $63,626.82 in interest. That's more than 63,000 that could be put elsewhere, such as paying the loan off even more quickly, investing in passive income sources, and saving additional money for retirement.
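As an added example (not from the original post, which uses Excel), the following Python reproduces the PMT calculation and the amortization schedule above and reruns the $1,000/month comparison. Two assumptions of mine: the payment is returned as a positive number (Excel's PMT returns it negative because cash is going out), and the last payment is capped at the remaining balance plus that month's interest so an early payoff ends on the right period.

```python
def payment(annual_rate, periods, principal):
    """Level monthly payment that fully amortizes the loan (Excel PMT with FV=0),
    returned as a positive number. Interest is compounded monthly."""
    r = annual_rate / 12
    return principal * r / (1 - (1 + r) ** -periods)


def amortize(annual_rate, principal, pmt):
    """Yield one row per period: (period, beginning balance, interest,
    principal paid, ending balance). The final payment is capped at
    balance + interest (assumption of this example) so the loop ends
    on the period in which the loan is actually paid off."""
    r = annual_rate / 12
    if pmt <= principal * r:
        raise ValueError("payment does not even cover the first month's interest")
    balance = principal
    period = 0
    while balance > 0.005:  # stop once less than half a cent remains
        period += 1
        interest = balance * r
        paid = min(pmt, balance + interest)
        principal_paid = paid - interest
        yield period, balance, interest, principal_paid, balance - principal_paid
        balance -= principal_paid


def loan_summary(annual_rate, principal, pmt):
    """Return (number of payments, total interest paid) for a given payment."""
    rows = list(amortize(annual_rate, principal, pmt))
    return len(rows), sum(row[2] for row in rows)


def print_schedule(annual_rate, principal, pmt, rows_to_show=3):
    """Print the first few rows in the same layout as the tables in the post."""
    print(f"{'Per':>4} {'Begin':>11} {'PMT':>9} {'Interest':>9} {'Principal':>10} {'Remaining':>11}")
    for period, begin, interest, princ, end in amortize(annual_rate, principal, pmt):
        if period > rows_to_show:
            break
        paid = min(pmt, begin + interest)
        print(f"{period:>4} {begin:>11,.2f} {paid:>9,.2f} {interest:>9,.2f} {princ:>10,.2f} {end:>11,.2f}")


if __name__ == "__main__":
    p = payment(0.05, 360, 100_000)
    print(f"minimum payment: {p:,.2f}")
    print_schedule(0.05, 100_000, p)
    n_min, int_min = loan_summary(0.05, 100_000, p)
    n_extra, int_extra = loan_summary(0.05, 100_000, 1_000)
    print(f"minimum: {n_min} payments, {int_min:,.2f} interest")
    print(f"$1,000/month: {n_extra} payments, {int_extra:,.2f} interest, "
          f"saving {int_min - int_extra:,.2f}")
```

Because the payment is kept at full precision rather than rounded to 536.82, the schedule lands on exactly zero after 360 periods; rounding the payment to cents first leaves a few cents outstanding and produces a spurious 361st row, which is the usual reason a home-made spreadsheet disagrees with the bank's statement by one period.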


If you follow my personal bookkeeping example, you would make similar entries each period for the loan above (this is an example for period 1):

 
Mortgage                   $583.33 
Mortgage Interest Expense  $416.67
    Cash                            $1000  

The mortgage on the balance sheet reduces by the principal payment and cash decreases by $1,000 to cover the interest and principal payment. The mortgage interest is expensed on the income statement for the period as a cost of borrowing the money for the mortgage.

The moral of the story is to pay off loans as quickly as possible, because you'll pay a ton in interest if you don't. One of the less commonly known points of wisdom is that you have no business putting money into a savings/investment account that has a lower percentage return than the interest rate on your highest loan.

See Also
Retirement in the 21st Century

Wednesday, April 4, 2012

How to Save Money

Personal financial literacy is the first step towards developing true financial security and realizing a dream of quitting a job or having a comfortable retirement. I received an MBA in accounting and now I use my knowledge to help others. People and businesses have a lot of difficulty managing cash flow. Most people don't understand how to save money, and illusions of financial security can further aggravate the issue. The answer is really obvious... or is it?

The way to save money is to stop spending.

You are probably saying "duh... stupid." The catch here is that it isn't as straightforward as it sounds. If you have been following my series of posts so far, you may have built a personal balance sheet and income statement. You may have even looked at cash flow at this point. Going back in time, you probably have the same savings account that you have had since you got your first $100 as a kid. Over time, you have probably been taking part of your income and "saving" into this account. You have probably seen the balance increase over the years and have seen the interest payments come in at between 0.5% and 2% annually. You say to yourself "Cool, I'm covered because I have savings."

Since you started placing money into the account as a kid, I can guarantee you that you have immediately lost 2-5% annually due to inflation and missed out on returns between 3% and 20% due to missed opportunities. The problem with inflation too is that it has an exponential effect. Assume that you placed $100 as a kid into the savings account. How much have you lost? It isn't a question of monetary loss because the amount has never gone down (in fact, it has probably gone up). What you have lost is purchasing power. Instead of being able to buy 100 gallons of gasoline (in the 1990s), you can now buy less than 30 (based on early 2012 prices). Ouch! So where does a 60% decline in purchasing power come from?

Most savings accounts produce returns of 0.5% to 1% annually. Cash produces a return of 0% annually. On average, the economy increases the costs of goods and services at a rate between 2.5% and 3.5% annually, with some sectors (ex. Oil and Gas) increasing faster than others. So in an average year, the "saver" loses 2.5-3% with their savings account.

In a way, 3.5% is really the new 0%...

This graph illustrates that even with 1% growth in the economy, you will still lose about 14% over 15 years. With 3.5% growth, you lose over 40%.



Another area where this bites people is periods of years when wage growth is negative or zero. If someone doesn't receive a raise of at least the inflation rate each year, then they are actually poorer every year by working with the same organization. Right now, it is widely agreed that the median income has dropped in both real (inflation adjusted) and nominal (non-inflation adjusted) terms. This illustrates one of the problems that the Occupy Wall Street movement was loosely against with the growing wealth gap. People with more wealth can generate the 3.5%+ returns required to keep a constant or increasing amount of wealth.

Another area that is painful for a lot of people is the amount of interest they are paying on debt. I cover loan and interest calculations in this post, but the average person paying the minimum amount on a 30 year mortgage pays at least 100% of the principal amount in interest over the life of the loan. The graph below shows the interest amount for a $100,000 mortgage at certain rates.



Remember that this chart only shows interest paid, so the unfortunate person who has an 8% home loan pays almost 175% of the principal in interest and the principal. In the $200,000 example, this is more than $550,000 paid to borrow $200,000. To save money, fight for every point of interest and negotiate hard to the bottom line value.

If home loans were credit card debt, you would be paying a ridiculous amount for interest. Over 30 years at 27% (a typical credit card rate), the individual would pay over $1.4 million in interest. With even relatively small balances on credit cards, the interest adds up.

To save money, pay off the highest interest loan as fast as you can (while paying the minimum amount on all other loans). When the highest interest amount is paid off, take the entire amount that was applied to the highest interest loan and apply it to the next highest interest loan. Continue this pattern and there is a high probability that the debt will vanish within a few short years, or at least significantly cripple the investor's return and minimize the total interest paid.

To further reduce expenses, identify all of your expenses and cut from both the top down and the bottom up. Make simpler meals at home, renegotiate your rent or mortgage payment or move closer to a job/school. Simplify and/or eliminate your cell phone plan (this was a big one for our family). Eliminate cable/satellite TV and use various streaming services or read more books (Our family successfully switched to Netflix from Comcast, and now we are looking at other streaming services to replace Netflix). Take the money that you are now saving and invest in sources of passive income (I'll describe how to set these up in future posts).

Other ways of saving money are to eliminate unneeded parts of health, life, and auto insurance policies. Take it from a money expert that most people overpay for car insurance and health insurance (especially through their employers).

Saving water and energy probably won't make a big difference financially (though most power companies and municipalities push this because of their capacity issues). Additionally, other "green" measures typically are not worth the investment unless they are heavily subsidized. People usually have a personal need to make their life "greener" to invest in measures like solar panels.

There are lots of ways to save money, but ultimately this involves reducing and eliminating both large and small expenses and applying cash to positive net present value (NPV) investments. I will cover these and other passive income activities in future posts.

Back to...
Retirement in the 21st Century




The OSPF Totally Stubby Area

The Open Shortest Path First routing protocol is a critical piece of knowledge for any networking professional working in an enterprise environment. Most major networking certifications covering routing and switching including the Cisco Certified Network Associate (CCNA), Cisco Certified Network Professional (CCNP), and Cisco Certified Internetwork Expert (CCIE) extensively test OSPF knowledge and skills. OSPF is the most popular dynamic routing protocol used in complex enterprise networks. This example will demonstrate the concepts and configuration involved with setting up a totally stubby OSPF area. This lab is built using Dynamips/GNS3 utilizing Cisco c3725 routers.

The OSPF implementation in Cisco IOS recognizes 5 main classifications of areas:
Let's start out with a simple true/false question:

True/false: The "totally stubby" area exists as part of the OSPFv2 standards.

The answer is false. The totally stubby area is not part of the RFCs that describe the OSPFv2 protocol; however, many vendors including Microsoft, Cisco, Juniper, and others have implemented it and consider it a standard feature, even though it is not part of the Internet Engineering Task Force (IETF) standards. The same is true for the "totally NSSA," but I'll describe that area type and its configuration in a separate post. So, before we get started, you should already know the OSPF stub area: it neither creates nor propagates type 4 (ASBR Summary) or type 5 (external) LSAs, and internal routers in a stub area have inter-area default routes that are originated by the area border routers (ABRs).

Totally stubby areas also filter type 3 (network summary) LSAs. In this case, routers that are totally internal to the totally stubby area have default routes for all networks that are outside of the area, including those that are in the same OSPF routing domain. Within the area, type 1 and type 2 LSAs are still propagated to describe the detailed topology of the totally stubby area, and a single type 3 LSA for the default route exists in the area. Area border routers still create type 3 LSAs describing the networks that are reachable in the totally stubby area and propagate these into the backbone area. Let's look at a similar topology to the stub area example, but in this case area 1 will be a totally stubby area:



Once again, the only interesting pieces of the configuration are on the ABR. In addition to the area stub command, the no-summary option needs to be specified for area 1:

router ospf 1
 log-adjacency-changes
 area 1 stub no-summary
 network 10.0.1.0 0.0.0.255 area 0
 network 192.168.0.0 0.0.0.255 area 1
!


The routing table on Area1 shows the routes that are internal to area 1 and shows the default route propagated by the ABR:

Area1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route


Gateway of last resort is 192.168.0.1 to network 0.0.0.0

C    192.168.0.0/24 is directly connected, Serial0/0
C    192.168.1.0/24 is directly connected, Loopback0

O*IA 0.0.0.0/0 [110/65] via 192.168.0.1, 00:07:38, Serial0/0


The database is also simple. In this case we have no broadcast networks, so there are no type 2 LSAs; there are type 1 LSAs describing the routers and their link states, and the single type 3 LSA for the default route:

Area1#show ip ospf database

            OSPF Router with ID (192.168.1.1) (Process ID 1)

                Router Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum Link count
192.168.0.1     192.168.0.1     646         0x80000027 0x00A4C6 2
192.168.1.1     192.168.1.1     634         0x80000023 0x00BA38 3

                Summary Net Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum
0.0.0.0         192.168.0.1     651         0x80000025 0x005758


Looking on Area0, we still see the type 3 LSAs created by the ABR for the routes in area 1, and the routes for area 1 are present in the routing table.

Area0#show ip ospf database

            OSPF Router with ID (10.0.1.1) (Process ID 1)

                Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
1.1.1.1         1.1.1.1         786         0x80000022 0x005206 2
10.0.1.1        10.0.1.1        785         0x80000029 0x008D9C 4
192.168.0.1     192.168.0.1     741         0x80000025 0x00F78E 2

                Summary Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
192.168.0.0     192.168.0.1     741         0x8000001F 0x000CFE
192.168.1.0     192.168.0.1     726         0x80000001 0x0047DF

                Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag
1.1.1.0         1.1.1.1         795         0x80000024 0x0082A3 0
10.0.0.0        1.1.1.1         794         0x80000002 0x0068D8 0


Area0#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route


Gateway of last resort is not set

     1.0.0.0/24 is subnetted, 1 subnets
O E2    1.1.1.0 [110/100] via 10.0.0.1, 00:13:53, Serial0/0
     10.0.0.0/24 is subnetted, 2 subnets
C       10.0.0.0 is directly connected, Serial0/0
C       10.0.1.0 is directly connected, Serial0/1

O IA 192.168.0.0/24 [110/128] via 10.0.1.2, 00:13:12, Serial0/1
O IA 192.168.1.0/24 [110/129] via 10.0.1.2, 00:13:02, Serial0/1
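One practical check when troubleshooting area-type mismatches is to classify an area from the LSA types actually present in a router's database rather than from what the configuration claims. The following Python helper is an added example (not from the original post) that parses trimmed copies of the database outputs from this post and from the NSSA post above and applies a heuristic of my own: type-7 LSAs mean an NSSA, type-5 LSAs mean a normal area, and without either the summary LSAs decide between stub (summaries plus a 0.0.0.0 default) and totally stubby (only the 0.0.0.0 summary). The rule is an assumption, not IOS behaviour, and it cannot tell a normal area that simply has no external routes from a stub area without a default route.

```python
import re

# "show ip ospf database" excerpts taken from this post and the NSSA post above
# (blank lines and the "OSPF Router with ID" banner trimmed to keep this short).
TOTALLY_STUBBY_AREA1_DB = """\
                Router Link States (Area 1)
Link ID         ADV Router      Age         Seq#       Checksum Link count
192.168.0.1     192.168.0.1     646         0x80000027 0x00A4C6 2
192.168.1.1     192.168.1.1     634         0x80000023 0x00BA38 3
                Summary Net Link States (Area 1)
Link ID         ADV Router      Age         Seq#       Checksum
0.0.0.0         192.168.0.1     651         0x80000025 0x005758
"""

NSSA_AREA1_DB = """\
                Router Link States (Area 1)
192.168.0.1     192.168.0.1     785         0x8000000D 0x006615 2
192.168.1.1     192.168.1.1     589         0x8000000B 0x00D6FF 4
192.168.200.1   192.168.200.1   390         0x80000009 0x007D6E 2
                Summary Net Link States (Area 1)
10.0.0.0        192.168.0.1     785         0x80000007 0x0093A8
10.0.1.0        192.168.0.1     785         0x80000007 0x000675
                Type-7 AS External Link States (Area 1)
0.0.0.0         192.168.0.1     359         0x80000001 0x00FA4C 0
192.168.100.0   192.168.200.1   390         0x80000007 0x008B18 0
192.168.200.0   192.168.200.1   390         0x80000007 0x00BEFF 0
"""

AREA0_DB = """\
                Router Link States (Area 0)
1.1.1.1         1.1.1.1         786         0x80000022 0x005206 2
10.0.1.1        10.0.1.1        785         0x80000029 0x008D9C 4
192.168.0.1     192.168.0.1     741         0x80000025 0x00F78E 2
                Summary Net Link States (Area 0)
192.168.0.0     192.168.0.1     741         0x8000001F 0x000CFE
192.168.1.0     192.168.0.1     726         0x80000001 0x0047DF
                Type-5 AS External Link States
1.1.1.0         1.1.1.1         795         0x80000024 0x0082A3 0
10.0.0.0        1.1.1.1         794         0x80000002 0x0068D8 0
"""

# A section header ends in "Link States", optionally followed by "(Area N)".
SECTION_RE = re.compile(r"^\s*(?P<name>[A-Za-z0-9\- ]+?Link States)(?:\s*\(Area (?P<area>\S+)\))?\s*$")
# An LSA row: link id, advertising router, age, sequence number, checksum.
LSA_RE = re.compile(r"^(?P<link_id>\d+\.\d+\.\d+\.\d+)\s+\d+\.\d+\.\d+\.\d+\s+\d+\s+0x[0-9A-Fa-f]+\s+0x[0-9A-Fa-f]+")


def parse_ospf_database(text):
    """Return {section name: [link ids]} from 'show ip ospf database' output."""
    sections = {}
    current = None
    for line in text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            current = header["name"].strip()
            sections.setdefault(current, [])
            continue
        lsa = LSA_RE.match(line)
        if lsa and current is not None:
            sections[current].append(lsa["link_id"])
    return sections


def infer_area_type(sections):
    """Heuristic classification of an area from the LSA types flooded into it.

    Assumption of this helper: a default route is the only summary LSA an ABR
    injects into a totally stubby (or totally NSSA) area, so "only 0.0.0.0" in
    the summary section is taken as the signature of the no-summary option.
    """
    summaries = sections.get("Summary Net Link States", [])
    only_default = summaries == ["0.0.0.0"]
    if "Type-7 AS External Link States" in sections:
        return "totally NSSA" if only_default else "NSSA"
    if "Type-5 AS External Link States" in sections:
        return "normal"
    if only_default:
        return "totally stubby"
    if "0.0.0.0" in summaries:
        return "stub"
    return "normal (no externals)"


if __name__ == "__main__":
    for label, db in (("totally stubby Area1", TOTALLY_STUBBY_AREA1_DB),
                      ("NSSA Area1", NSSA_AREA1_DB), ("Area0", AREA0_DB)):
        sections = parse_ospf_database(db)
        counts = {name: len(ids) for name, ids in sections.items()}
        print(f"{label}: {infer_area_type(sections)} {counts}")
```

The absence of a "Net Link States" section in both Area1 databases is also visible in the parsed result, which matches the point made above about point-to-point serial links producing no type 2 LSAs. If a router inside what should be a totally stubby area ever reports an inter-area summary other than 0.0.0.0, the no-summary option is missing on at least one ABR.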


Totally stubby areas in OSPF are useful when there is no reason to have anything besides a default route propagated into an area. This can be used effectively for hub and spoke topologies or areas where redundant ABRs have equal cost paths to other parts of the network.

See Also
The Road to the CCIE