Version 4.1 - 1.5 Routing Protocols Part 2
This post is going to cover OSPF. Looking at the blueprint, if I were going to create a question on the 1.5 topic, I would probably pick something from OSPF or BGP. These are the more commonly used protocols in and around the security devices. At the enterprise level, you're going to see these protocols on the infrastructure and edge devices. The only place you'll see RIP/EIGRP (if at all) is in some corner case. So you should know it, but OSPF and BGP would be more likely to be on the list of job tasks. Remember these exams are derived from job surveys of people actually performing this work. And the question pool comes from people holding the certification.
The OSPF Design Guide is a solid and extensive treatment of the topic. OSPF is a link-state protocol that uses the Dijkstra algorithm to calculate the shortest path. It has to have an Area 0 - which is the backbone. Every area must be connected to Area 0 - either directly or through Virtual Links. It uses the concepts of ABR (Area Border Router) and ASBR (Autonomous System Border Router) to describe routers that connect areas to the backbone (ABR) or to other AS/routing protocols (ASBR). Don't forget the stubby, totally stubby and NSSA areas.
OSPF can use 3 types of authentication. [Type 0] Null authentication (default - no authentication), [Type 1] simple password authentication (clear text) and [Type 2] message digest authentication (MD5) are the three types. Unlike EIGRP and RIP, which use a key chain, OSPF uses a slightly different command.
[ ip ospf authentication-key key ] (under the specific interface) - clear text
[ ip ospf message-digest-key key_id md5 key ] (under the interface) - MD5
Enable authentication for the area under the "router ospf" section.
Ex. area 6 authentication [message-digest]
For further detail, read the Sample Configuration for Authentication in OSPF in the Cisco Documentation.
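To make the difference between Type 1 and Type 2 concrete, here is an added example (not from the post or from Cisco) that builds an OSPFv2 Hello with each authentication type following RFC 2328 Appendix D, then verifies the MD5 trailer on the receiving side, including the sequence-number check that rejects replayed packets. It assumes a shorter key is zero-padded to the 16 bytes the RFC defines, leaves the checksum at zero (it is unused with AuType 2), and uses a constructed Hello body and constructed keys.

```python
import hashlib
import hmac
import socket
import struct

# OSPFv2 header, 24 bytes: version, type, length, router ID, area ID,
# checksum, AuType, followed by an 8-byte authentication field.
OSPF_FIXED = "!BBH4s4sHH"

def ospf_header(ptype, length, rid, area, autype, auth8):
    # Checksum stays 0 here: with AuType 2 it is not used (RFC 2328 D.4.3).
    return struct.pack(OSPF_FIXED, 2, ptype, length, socket.inet_aton(rid),
                       socket.inet_aton(area), 0, autype) + auth8

def md5_trailer(packet, key):
    # RFC 2328 D.4.3: MD5 over the packet with the 16-byte key appended.
    # Zero-padding a shorter key is an assumption of this example.
    return hashlib.md5(packet + key[:16].ljust(16, b"\x00")).digest()

def build_cleartext(body, rid, area, password):
    # AuType 1: the password itself rides in the header, readable on the wire.
    return ospf_header(1, 24 + len(body), rid, area, 1,
                       password[:8].ljust(8, b"\x00")) + body

def build_md5(body, rid, area, key_id, seq, key):
    # AuType 2: header carries key ID, digest length and sequence number;
    # the digest is appended after the packet and not counted in the length.
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)
    pkt = ospf_header(1, 24 + len(body), rid, area, 2, auth) + body
    return pkt + md5_trailer(pkt, key)

def verify_md5(pkt, keys, last_seq=None):
    """Receiver side. keys maps key ID -> key bytes; last_seq is the last
    sequence number accepted from this neighbor. Returns (accepted, seq)."""
    _, _, length, _, _, _, autype = struct.unpack(OSPF_FIXED, pkt[:16])
    if autype != 2 or len(pkt) != length + 16:
        return False, None
    _, key_id, auth_len, seq = struct.unpack("!HBBI", pkt[16:24])
    key = keys.get(key_id)
    if key is None or auth_len != 16:
        return False, None
    if not hmac.compare_digest(md5_trailer(pkt[:length], key), pkt[length:]):
        return False, None          # tampered packet or wrong key
    if last_seq is not None and seq < last_seq:
        return False, None          # replayed (older) packet, RFC 2328 D.4.2
    return True, seq

# Constructed Hello body: mask, hello interval, options, priority, dead, DR, BDR.
HELLO = socket.inet_aton("255.255.255.0") + struct.pack("!HBBI", 10, 0x02, 1, 40) + b"\x00" * 8
```

Dump the Type 1 packet in hex and the password is visible at offset 16; the Type 2 packet exposes only the key ID, sequence number and digest.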
Routers become neighbors as soon as they see themselves listed in the neighbor's Hello packet. This way, two-way communication is guaranteed. Neighbor negotiation applies to the primary address only. Routers can be a DR, BDR or DROTHER on an NBMA network. Point-to-point connections form an adjacency, but no DR election.
The process of building an adjacency:
Down > Attempt > Init > Two-way > Exstart > Exchange > Loading > Full
LSA Types:
Type 1 - Router LSA
Type 2 - Network LSA
Type 3 - Summary LSA (ABRs)
Type 4 - ASBR Summary LSA (ASBR - how do you get to me)
Type 5 - Autonomous System LSA (ASBRs advertise external links)
Type 6 - used in multicast OSPF applications
Type 7 - used in NSSA for external routes
Type 8 - OSPFv3 link local addresses
Type 9 - OSPFv3 intra-area prefixes
Type 10, 11 - opaque LSAs (for future extensions)
Here's a page to refresh your memory on OSPFv3 for IPv6. The document has a section on the differences between OSPFv3 and OSPFv2. Interesting to note - the router ID and area ID are 32-bit numbers with no relationship to IPv6 addresses.
The document lists a Type 11 LSA as a Grace LSA: an LSA sent by a restarting router, using a link-local flooding scope, to support graceful restart of OSPFv3.
OSPFv3 uses IPsec for Authentication Support.
You're also going to want to know about the OSPF TTL Security Check. Granted, I doubt there is going to be anything specific on this, but it's something you might want to know exists. You want to be able to recognize what is true/false or be able to confidently recognize distractor answers (versus just something you haven't seen before).
I think if you review those things about OSPF, you should be fine with any questions on the topic. I don't think they would ask you about anything to do with redistribution or timers, cost, priority, etc. Since this is the Security exam and not the Route/Switch exam, I think the emphasis would be on basic concepts relating to security. The next section will cover BGP and protocol-independent items.