OSPF
OSPF, or Open Shortest Path First, is a link-state, open-standard, dynamic routing protocol. OSPF uses Dijkstra's Shortest Path First (SPF) algorithm to compute internally the best path to any given destination. OSPF is classless and converges fairly quickly, using cost as its metric. A router running OSPF builds its own database describing the topology of its entire area, not simply its neighbors' routes as EIGRP does. This allows the router to make intelligent choices about path selection on its own instead of relying exclusively on neighbor information. OSPF routers do still form neighbor relationships. They exchange hellos with neighboring routers and in the process learn each neighbor's Router ID (RID) and cost; those values go into the adjacency (neighbor) table. Every router is responsible for computing its own best paths to all destinations within its OSPF area. Once the SPF algorithm selects the best paths, they become eligible to be added to the routing table.

Link State Database
Once a router has exchanged hellos with its neighbors and captured their Router IDs and cost information, it begins sending LSAs, or Link State Advertisements. LSAs contain the RID and the costs to the router's neighbors. LSAs are flooded to every other router in the area. A router stores all of its LSA information (including the LSAs it receives) in the Link State Database (LSDB). I apologize if the acronyms are starting to pile up. OSPF, architecturally speaking, is more complicated than its counterpart EIGRP, and the long list of acronyms and definitions is part of that.
Areas
OSPF differs from EIGRP in that it uses areas to segment routing domains. This helps partition routers into manageable groups if the layer 3 network begins to get large. It all starts with area 0. Every OSPF network must contain an area 0, sometimes referred to as the backbone area, and every additional area must connect directly to area 0 (virtual links, covered later, are the only exception). Other areas are optional. Note that the SPF algorithm only runs within a single area, so routers only compute paths within their own area. Inter-area routes are passed between areas by Area Border Routers.

All link state databases must match within an OSPF area. This means that the more OSPF-enabled routers are configured for the same area, the more LSAs must be flooded. After you reach about 50 routers, the high levels of LSA traffic and numerous routing table entries can become a problem. That is why Cisco recommends limiting an OSPF area to no more than 50-100 routers. The following three factors determine the maximum number of routers:
- How easily the area's subnets can be summarized
- The type of areas being used
- The number of external LSAs being injected
An added bonus of partitioning out your OSPF network into areas is that it is a natural fit for a hierarchical IP scheme.
Area Types
- Backbone area: Another name for area 0
- Regular area: Non-backbone area, with both internal and external routes
- Stub area: Contains only internal routes and a default route
- Totally Stubby Area: Cisco proprietary option for a stub area
- Not-So-Stubby Area (NSSA): Contains internal routes, redistributed routes, and optionally a default route
- Totally Stubby NSSA: Cisco proprietary option for an NSSA

Router Roles
- Internal: All interfaces in a single area (routers 1, 4, 5 in the diagram above)
- Backbone: At least one interface assigned to area 0 (routers 1, 2, 3 in the diagram above)
- Area Border Router (ABR): Interfaces in two or more areas (routers 2 and 3 in the diagram above). ABRs keep a separate Link State Database per area, separate LSA flooding between areas, optionally summarize routes, and optionally source default routes.
- Autonomous System Boundary Router (ASBR): Has at least one interface in an OSPF area and at least one interface outside of the OSPF domain, and injects (redistributes) routes from that outside source into OSPF.
OSPF Metric
Each interface is assigned a cost value based purely on bandwidth. The formula is:

Cost = reference bandwidth / interface bandwidth, with a default reference bandwidth of 100 Mbps

Higher bandwidth means a lower cost. The quotient is truncated to an integer, and anything below 1 is rounded up to 1. Let's run through some common examples quickly:
- T1 line | 100,000 / 1,544 = 64
- 10 Mbps | 100,000 / 10,000 = 10
- 100 Mbps | 100,000 / 100,000 = 1
- 1000 Mbps | 100,000 / 1,000,000 = 0.1, which OSPF rounds up to 1 (see explanation below)
The cost is then accrued at each hop along the path based on each link's bandwidth. Unfortunately, OSPF was written when 100 Mbps was considered fast. Because of that, it assigns the same cost to any interface with a speed of 100 Mbps or higher. To OSPF, a Fast Ethernet interface is weighted the same as a Gigabit Ethernet interface, both a cost of 1. To fix that problem, raise the reference bandwidth with the auto-cost command under the OSPF process. The value is in Mbps, so 1000 makes Gigabit Ethernet cost 1 and Fast Ethernet cost 10. Set the same reference bandwidth on every router in the domain; otherwise routers compute different costs for the same links and path selection becomes inconsistent (IOS prints a warning to that effect when the command is entered).
R1(config-router)# auto-cost reference-bandwidth 1000
Another option is to simply change the cost on a per-interface basis with the ip ospf cost command (using any number between 1 and 65,535).
R1(config-if)# ip ospf cost 35
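The cost rule and the SPF computation described above, as an added example that is not part of the original page: the interface cost is derived the way IOS does it (truncated, floored at 1, capped at 65,535), then Dijkstra runs over a small constructed three-router topology. Under the default reference bandwidth a single Fast Ethernet hop beats two Gigabit hops; after raising the reference to 1000 the Gigabit path wins. The topology and router names are assumptions for the example.

```python
"""OSPF interface cost and SPF path computation (added example)."""
import heapq

OSPF_MAX_COST = 65535          # upper bound accepted by "ip ospf cost"


def ospf_cost(bandwidth_kbps, reference_bandwidth_mbps=100):
    """Cost as IOS derives it: reference bandwidth / interface bandwidth.

    The quotient is truncated to an integer and floored at 1, which is why
    every link of 100 Mbps or faster collapses to cost 1 under the default
    reference bandwidth of 100 Mbps.
    """
    cost = (reference_bandwidth_mbps * 1000) // bandwidth_kbps
    return max(1, min(cost, OSPF_MAX_COST))


def spf(lsdb, root):
    """Dijkstra over a link-state database.

    lsdb maps router-id -> {neighbor-id: cost}, where cost is the advertising
    router's outgoing interface cost (what its router LSA carries).
    Returns {destination: (total_cost, [hops...])} for every reachable router.
    """
    best = {root: (0, [root])}
    heap = [(0, root, [root])]
    while heap:
        cost, node, path = heapq.heappop(heap)
        if cost > best[node][0]:
            continue                      # stale heap entry, already improved on
        for nbr, link_cost in lsdb.get(node, {}).items():
            candidate = cost + link_cost
            if nbr not in best or candidate < best[nbr][0]:
                best[nbr] = (candidate, path + [nbr])
                heapq.heappush(heap, (candidate, nbr, path + [nbr]))
    return best


# Constructed topology (an assumption for this example, not from the page):
# R1-R2 is one FastEthernet link; R1-R3 and R3-R2 are GigabitEthernet links.
# Bandwidths are in kbps, the unit of the IOS "bandwidth" interface command.
LINKS = [
    ("R1", "R2", 100_000),
    ("R1", "R3", 1_000_000),
    ("R3", "R2", 1_000_000),
]


def build_lsdb(links, reference_bandwidth_mbps=100):
    """Turn a list of (a, b, bandwidth_kbps) links into a symmetric LSDB."""
    lsdb = {}
    for a, b, bw in links:
        cost = ospf_cost(bw, reference_bandwidth_mbps)
        lsdb.setdefault(a, {})[b] = cost
        lsdb.setdefault(b, {})[a] = cost
    return lsdb


def best_path(links, src, dst, reference_bandwidth_mbps=100):
    """(total cost, hop list) from src to dst under a given reference bandwidth."""
    return spf(build_lsdb(links, reference_bandwidth_mbps), src)[dst]


if __name__ == "__main__":
    for ref in (100, 1000):
        cost, path = best_path(LINKS, "R1", "R2", ref)
        print(f"reference-bandwidth {ref}: R1->R2 cost {cost} via {' -> '.join(path)}")
```

Running it shows why the reference bandwidth has to be consistent across the domain: a router still using 100 picks the direct link while its neighbours using 1000 pick the two-hop path, and the two views of "best" do not agree.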
Link State Advertisements
LSAs contain a sequence number and a Router ID. Sequence numbers are 32 bits, starting at 0x80000001 and compared as signed integers, so 0x7FFFFFFF is the largest possible value. The originating router increments the sequence number whenever it issues a new instance of the LSA:
- a route is added or deleted (any change to the links being advertised)
- the LSA is refreshed before it ages out
The largest sequence number is always the most current. By default an LSA is refreshed by its originator every 30 minutes; an instance that is not refreshed reaches MaxAge (60 minutes) and is flushed from every database. When an LSA enters a router, the router checks it against its Link State Database (LSDB):
- If it is new, it is added to the LSDB and the SPF algorithm is re-run.
- If an instance with the same LSA type, Link State ID and advertising Router ID is already in the database, the copy with the older sequence number is discarded.
- If the received copy is the older one (according to its sequence number), the router discards it and sends its own newer version back to the sender.
The command show ip ospf database will display the sequence numbers and age (in seconds) for each entry.
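The three comparison rules above, as an added example that is not part of the original page: a small LSDB that keys entries by (type, Link State ID, advertising router), orders sequence numbers as signed 32-bit values, and reports what the router does with each incoming instance. The `originate` method shows the refresh/change path on the originator, including the wrap rule at 0x7FFFFFFF. The LSA values are constructed for the example; the full RFC 2328 rule also compares LS checksum and age when sequence numbers tie, which is left out here.

```python
"""LSA instance comparison and LSDB update, modelled on RFC 2328 section 13 (added example)."""
from dataclasses import dataclass

INITIAL_SEQ = 0x80000001       # first sequence number an originator uses
MAX_SEQ = 0x7FFFFFFF           # after this the LSA must be flushed and restarted
LS_REFRESH_TIME = 1800         # originator re-issues every 30 minutes
MAX_AGE = 3600                 # an instance not refreshed for 60 minutes is flushed


def signed32(seq):
    """OSPF orders sequence numbers as signed 32-bit integers, so
    0x80000001 is the smallest value and 0x7FFFFFFF the largest."""
    return seq - 0x1_0000_0000 if seq & 0x80000000 else seq


@dataclass(frozen=True)
class LSA:
    ls_type: int          # 1 = router, 2 = network, 3 = summary, 5 = external, ...
    link_state_id: str
    adv_router: str       # Router ID of the originator
    seq: int
    age: int = 0          # seconds, as shown by "show ip ospf database"

    @property
    def key(self):
        """Type, Link State ID and advertising router identify one LSA;
        the sequence number distinguishes instances of it."""
        return (self.ls_type, self.link_state_id, self.adv_router)


class LSDB:
    def __init__(self):
        self.entries = {}
        self.spf_runs = 0

    def receive(self, lsa):
        """Apply the page's three rules to an incoming LSA.

        Returns (action, lsa_to_send):
          ("install", None)        new or newer instance: store it, re-run SPF
          ("duplicate", None)      same instance already held, nothing to do
          ("send-newer", current)  sender is behind: discard theirs, unicast ours back
        (Simplification: sequence number only; the RFC also compares
        checksum and age on equal sequence numbers.)
        """
        current = self.entries.get(lsa.key)
        if current is None or signed32(lsa.seq) > signed32(current.seq):
            self.entries[lsa.key] = lsa
            self.spf_runs += 1
            return ("install", None)
        if signed32(lsa.seq) == signed32(current.seq):
            return ("duplicate", None)
        return ("send-newer", current)

    def originate(self, ls_type, link_state_id, adv_router):
        """Re-issue a self-originated LSA (topology change or 30-minute refresh).

        Returns the new instance, or None when the sequence space is exhausted
        and the old instance must first be flushed at MaxAge before restarting
        at INITIAL_SEQ."""
        key = (ls_type, link_state_id, adv_router)
        current = self.entries.get(key)
        if current is None:
            new = LSA(ls_type, link_state_id, adv_router, INITIAL_SEQ)
        elif current.seq == MAX_SEQ:
            return None
        else:
            new = LSA(ls_type, link_state_id, adv_router, (current.seq + 1) & 0xFFFFFFFF)
        self.entries[key] = new
        return new


if __name__ == "__main__":
    db = LSDB()
    a = LSA(1, "10.0.0.1", "10.0.0.1", INITIAL_SEQ)
    b = LSA(1, "10.0.0.1", "10.0.0.1", INITIAL_SEQ + 1)
    for lsa in (a, a, b, a):
        print(hex(lsa.seq), "->", db.receive(lsa)[0])
    print("SPF runs:", db.spf_runs)
```

Note the signed comparison: a naive unsigned comparison would rank the initial value 0x80000001 above 0x7FFFFFFF, so a freshly restarted router's LSAs would be treated as older than stale copies still in the network.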
LSDB Overload
In large OSPF networks, if major network changes occur, a flood of LSAs will immediately hit the entire network. The number of incoming LSAs to each router could be substantial and bring the CPU and memory to their knees. To mitigate that scenario, Cisco offers what it refers to as Link State Database Overload Protection. Once enabled, the router logs a warning when the number of non-self-generated LSAs crosses a threshold percentage of the maximum (75% by default); if the maximum itself is exceeded over a one-minute period, the router enters the ignore state, dropping all adjacencies and clearing the OSPF database. Know that this is a drastic response because routing will be disrupted during that period.
R1(config-router)# max-lsa number
LSA Definitions
- Type 1 (Router LSA): Generated by every router for each area it belongs to; lists the router's links and their costs. Flooded within the area only.
- Type 2 (Network LSA): Generated by the DR of a multiaccess segment; lists the routers attached to that segment. Flooded within the area only.
- Type 3 (Summary LSA): Generated by ABRs to advertise networks from one area into another.
- Type 4 (ASBR Summary LSA): Generated by ABRs to advertise how to reach an ASBR in another area.
- Type 5 (External LSA): Generated by an ASBR for routes redistributed into OSPF; flooded throughout the domain except into stub areas and NSSAs.
- Type 7 (NSSA External LSA): Generated by an ASBR inside an NSSA; translated to type 5 by the NSSA ABR.
OSPF Messaging
OSPF uses several different types of messages to maintain neighbor relationships and keep routing information correct.

OSPF Packet Types
- Hello: Discovers neighbors and works as a keepalive.
- Database Description (DBD): Contains a summary of the LSDB (LSA headers only), including RIDs and sequence numbers.
- Link State Request (LSR): Requests a Link State Update (LSU), see below.
- Link State Update (LSU): Contains one or more complete LSAs.
- Link State Acknowledgement (LSAck): Acknowledges the LSAs received in LSUs, making flooding reliable. Hellos are never acknowledged, and the DBD exchange is acknowledged by the DBD packets themselves.
OSPF sends the five packet types listed above directly over IP as IP protocol number 89 (there is no TCP or UDP port), each beginning with a common 24-byte OSPF packet header. Multicast address 224.0.0.5 (AllSPFRouters) is used when sending to all OSPF routers on a segment; 224.0.0.6 (AllDRouters) is used when sending to the DR and BDR.
OSPF Neighbors
Hellos are sent out periodically using multicast on OSPF-enabled interfaces. A router reaches bi-directional (2-Way) communication with a peer when it sees its own Router ID in the neighbor field of the peer's hello message. That indicates there is direct, two-way communication on the same subnet. Note: On multi-access links, full adjacencies are only formed between a router and the DR and BDR. All of the following fields in an OSPF hello message must match for an adjacency to form:
- hello timer
- dead timer
- area ID
- authentication type and key
- stub area flag
- subnet mask (on broadcast and NBMA networks)
As with many network protocols, hellos act as a form of keepalive or heartbeat. With OSPF, if no hello is received for the dead interval (four hello intervals by default), the neighbor is considered down.
- Point-to-point and broadcast (Ethernet) interfaces: hellos every 10 seconds, 40 second dead timer
- Nonbroadcast multiaccess (NBMA) and point-to-multipoint interfaces: hellos every 30 seconds, 120 second dead timer
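The packet header, the Hello body and the must-match checks above, as an added example that is not part of the original page: it builds OSPFv2 Hello packets with the RFC 2328 header layout, recomputes the header checksum the way the RFC specifies (authentication field excluded), parses them back, and then decides whether a received hello leaves the neighbor in Down (parameter mismatch), Init (accepted, but we are not yet listed) or 2-Way (our RID appears in its neighbor list). The Router IDs, timers and neighbor lists are constructed for the example.

```python
"""Build and parse OSPFv2 Hello packets and apply the must-match checks (added example)."""
import struct
from dataclasses import dataclass, field
from ipaddress import IPv4Address

IP_PROTO_OSPF = 89                          # OSPF rides directly on IP, no UDP/TCP port
ALL_SPF_ROUTERS, ALL_D_ROUTERS = "224.0.0.5", "224.0.0.6"
AUTH_NONE, AUTH_SIMPLE, AUTH_CRYPTO = 0, 1, 2
TYPE_HELLO = 1
OPT_E = 0x02                                # Options E-bit: set outside stub areas, clear inside
HEADER = struct.Struct("!BBH4s4sHH8s")      # version, type, length, RID, area, checksum, AuType, auth
HELLO_FIXED = struct.Struct("!4sHBBI4s4s")  # mask, hello, options, priority, dead, DR, BDR


@dataclass
class Hello:
    router_id: str
    area_id: str
    au_type: int
    netmask: str
    hello_interval: int
    options: int
    priority: int
    dead_interval: int
    dr: str
    bdr: str
    neighbors: list = field(default_factory=list)


def _dq(raw):
    """4 raw bytes -> dotted quad."""
    return str(IPv4Address(raw))


def ospf_checksum(pkt):
    """RFC 2328 D.2/D.3: ones'-complement sum over the packet with the 64-bit
    authentication field left out (used for AuType 0 and 1; MD5 sets it to 0)."""
    data = pkt[:16] + pkt[24:]
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_hello(router_id, area_id, netmask, hello_interval, dead_interval, neighbors,
                options=OPT_E, priority=1, dr="0.0.0.0", bdr="0.0.0.0",
                au_type=AUTH_NONE, auth=b"\0" * 8):
    body = HELLO_FIXED.pack(IPv4Address(netmask).packed, hello_interval, options, priority,
                            dead_interval, IPv4Address(dr).packed, IPv4Address(bdr).packed)
    body += b"".join(IPv4Address(n).packed for n in neighbors)
    fields = [2, TYPE_HELLO, HEADER.size + len(body), IPv4Address(router_id).packed,
              IPv4Address(area_id).packed, 0, au_type, auth]
    pkt = HEADER.pack(*fields) + body
    if au_type != AUTH_CRYPTO:              # checksum computed with the field itself zeroed
        fields[5] = ospf_checksum(pkt)
        pkt = HEADER.pack(*fields) + body
    return pkt


def parse_hello(pkt):
    version, ptype, length, rid, area, cksum, au_type, _auth = HEADER.unpack_from(pkt)
    if version != 2 or ptype != TYPE_HELLO or length != len(pkt):
        raise ValueError("not a well-formed OSPFv2 Hello")
    if au_type != AUTH_CRYPTO and ospf_checksum(pkt[:12] + b"\0\0" + pkt[14:]) != cksum:
        raise ValueError("bad OSPF checksum")
    body = pkt[HEADER.size:]
    mask, hello, opts, prio, dead, dr, bdr = HELLO_FIXED.unpack_from(body)
    raw_nbrs = body[HELLO_FIXED.size:]
    if len(raw_nbrs) % 4:
        raise ValueError("truncated neighbor list")
    nbrs = [_dq(raw_nbrs[i:i + 4]) for i in range(0, len(raw_nbrs), 4)]
    return Hello(_dq(rid), _dq(area), au_type, _dq(mask), hello, opts, prio, dead,
                 _dq(dr), _dq(bdr), nbrs)


def hello_mismatches(local, received):
    """Fields that must agree before a neighbor can progress (RFC 2328 10.5).
    The mask check applies on broadcast/NBMA segments only."""
    checks = {
        "hello interval": (local.hello_interval, received.hello_interval),
        "dead interval": (local.dead_interval, received.dead_interval),
        "area id": (local.area_id, received.area_id),
        "network mask": (local.netmask, received.netmask),
        "auth type": (local.au_type, received.au_type),
        "stub flag (E-bit)": (local.options & OPT_E, received.options & OPT_E),
    }
    return [name for name, (ours, theirs) in checks.items() if ours != theirs]


def neighbor_state(local, received):
    """Down: parameter mismatch, the hello is dropped.  Init: hello accepted but
    the peer has not listed us yet.  2-Way: we appear in its neighbor list."""
    if hello_mismatches(local, received):
        return "Down"
    return "2-Way" if local.router_id in received.neighbors else "Init"
```

The checks are deliberately ordered so that a hello with the wrong timers or area never gets as far as the neighbor list; that is also why a single router with a mistyped dead interval shows up as a neighbor that never leaves Down or Init in `show ip ospf neighbor`.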
OSPF States
There are 7 different OSPF states when forming neighbor relationships. Take the time to learn the states and their corresponding functions.

Down
This is the first OSPF neighbor state. It means that no information (hellos) has been received from this neighbor, but hello packets can still be sent to the neighbor in this state. During the fully adjacent neighbor state, if a router doesn't receive a hello packet from a neighbor within the RouterDeadInterval time (RouterDeadInterval = 4*HelloInterval by default), or if a manually configured neighbor is removed from the configuration, then the neighbor state changes from Full to Down.

Attempt
This state is only valid for manually configured neighbors in an NBMA environment. In Attempt state, the router sends unicast hello packets every poll interval to a neighbor from which hellos have not been received within the dead interval.

Init
This state specifies that the router has received a hello packet from its neighbor, but the receiving router's ID was not included in the hello packet. When a router receives a hello packet from a neighbor, it should list the sender's router ID in its own hello packet as an acknowledgment that it received a valid hello packet.

2-Way
This state designates that bi-directional communication has been established between two routers. Bi-directional means that each router has seen the other's hello packet. This state is attained when the router receiving the hello packet sees its own Router ID within the received hello packet's neighbor field. At this state, a router decides whether to become adjacent with this neighbor. On broadcast media and non-broadcast multiaccess networks, a router becomes full only with the designated router (DR) and the backup designated router (BDR); it stays in the 2-Way state with all other neighbors. On point-to-point and point-to-multipoint networks, a router becomes full with all connected routers. At the end of this stage, the DR and BDR for broadcast and non-broadcast multiaccess networks are elected. For more information on the DR election process, refer to the Elections section below. Note: Receiving a Database Description (DBD) packet from a neighbor in the Init state will also cause a transition to the 2-Way state.

Exstart
Once the DR and BDR are elected, the actual process of exchanging link state information can start between the routers and their DR and BDR. In this state, the routers and their DR and BDR establish a master-slave relationship and choose the initial DBD sequence number for adjacency formation. The router with the higher router ID becomes the master and starts the exchange, and as such is the only router that can increment the sequence number. One might logically conclude that the DR/BDR will become the master in this relationship. Remember, though, that the DR/BDR election may have been decided purely by a higher configured priority rather than by the highest router ID, so it is possible for a DR to play the role of slave. Also note that the master/slave election is made on a per-neighbor basis.

Exchange
In the exchange state, OSPF routers exchange database description (DBD) packets. Database descriptions contain link-state advertisement (LSA) headers only and describe the contents of the entire link-state database. Each DBD packet has a sequence number which can be incremented only by the master and which is explicitly acknowledged by the slave. Routers also send link-state request packets and link-state update packets (which contain the entire LSA) in this state. The contents of the DBD received are compared to the information contained in the router's link-state database to check whether new or more current link-state information is available from the neighbor.

Loading
In this state, the actual exchange of link state information occurs. Based on the information provided by the DBDs, routers send link-state request packets. The neighbor then provides the requested link-state information in link-state update packets. During the adjacency, if a router receives an outdated or missing LSA, it requests that LSA by sending a link-state request packet. All link-state update packets are acknowledged.

Full
In this state, routers are fully adjacent with each other. All the router and network LSAs are exchanged and the routers' databases are fully synchronized. Full is the normal state for an OSPF adjacency. If a router is stuck in another state, it's an indication that there are problems in forming adjacencies. The only exception to this is the 2-Way state, which is normal on a broadcast network: there, routers reach Full only with the DR and BDR, and neighbors that are neither DR nor BDR see each other as 2-Way.
OSPF Configuration
OSPF configuration is not too complicated, but it has some important syntax distinctions from EIGRP. First, it is configured from router configuration mode and requires a process ID appended to the router ospf command. The process ID is only locally significant, so don't worry if it doesn't match on other OSPF routers.
R1(config)# router ospf process-id
The next step is to determine which router interfaces you want participating in OSPF. Just like EIGRP, the network statements define which local router interfaces will participate.
R1(config)# router ospf 10
R1(config-router)# network 10.1.1.0 0.0.0.255 area 0
R1(config-router)# network 10.9.9.0 0.0.0.255 area 1
In the example above, interfaces with an address in the 10.1.1.0/24 subnet will participate in OSPF area 0. Interfaces in the 10.9.9.0/24 subnet will participate in OSPF area 1. Unlike EIGRP, the wildcard mask in the network statement is not optional, because OSPF is classless by default; the area keyword is required as well. Let's do another example. R1 has six interfaces, all within area 0:
- GigabitEthernet 0/0: 192.168.100.1/24
- GigabitEthernet 0/1: 192.168.101.1/24
- GigabitEthernet 0/2: 192.168.102.1/24
- GigabitEthernet 0/3: 192.168.103.1/24
- Serial 1/0: 10.100.100.1/30
- Serial 1/1: 10.100.100.5/30
The simplest way to put all interfaces into area 0 would be this single command:
R1(config-router)# network 0.0.0.0 255.255.255.255 area 0
A second option is to split the 10. and 192. networks into different statements:
R1(config-router)# network 10.0.0.0 0.255.255.255 area 0
R1(config-router)# network 192.168.100.0 0.0.3.255 area 0
The third way is to match each interface address exactly, using a 0.0.0.0 wildcard:
R1(config-router)# network 10.100.100.1 0.0.0.0 area 0
R1(config-router)# network 10.100.100.5 0.0.0.0 area 0
R1(config-router)# network 192.168.100.1 0.0.0.0 area 0
R1(config-router)# network 192.168.101.1 0.0.0.0 area 0
R1(config-router)# network 192.168.102.1 0.0.0.0 area 0
R1(config-router)# network 192.168.103.1 0.0.0.0 area 0
All three approaches achieve the exact same result on this router today. The configuration you choose is up to you, but keep in mind that the broader the wildcard, the more likely an interface added later (or an address typo) will be pulled into OSPF unintentionally and start forming adjacencies; exact matches, or the interface-level command below, are the safest choice.
Interface Configuration
An alternative is to enable OSPF on an interface directly. The ip ospf process-id area area-id interface command takes precedence over the more common network statements.
R1(config)# int gig 0/1
R1(config-if)# ip ospf 10 area 0
Router ID
The SPF algorithm uses a Router ID to identify hops along a path. The problem, of course, is that routers don't have a generic "router ID" built in. The designers of OSPF decided to use the highest IP address assigned to a loopback interface as the Router ID (RID) by default. If no loopback is configured, the highest IP address assigned to an active interface when the OSPF process begins is used. (A manually configured router-id, covered next, takes precedence over both.) OSPF will not change the RID, even if another interface with a higher IP address comes online, unless the OSPF process is restarted. This helps keep the network stable. Note: The clear ip ospf process command will force the OSPF process to restart, but it will cause an outage, so use it with caution. Loopbacks are preferred for use as a router ID because they are virtual interfaces and are not affected by physical links going up and down. To configure a loopback interface, first create it and assign it an IP address.
R1(config)# int loopback 0
R1(config-if)# ip address 10.100.100.1 255.255.255.255

Static RIDs
It is also possible to manually define a static Router ID within OSPF with the router-id command. A new RID takes effect only after the OSPF process is restarted. Router IDs must be unique within the OSPF domain: if two routers share a RID, their LSAs cannot be told apart in the LSDB and the topology will keep flapping.
R1(config)# router ospf 10
R1(config-router)# router-id 10.100.100.1
DRs & BDRs
SPF works by mapping all paths to every destination on each router. It uses the RID to identify hops along each path and the bandwidth-derived cost as the metric between those hops. This system works well when routers are connected with point-to-point links and OSPF traffic is simply sent using multicast address 224.0.0.5. It doesn't scale well, however, on multiaccess networks like an Ethernet VLAN, where n routers would otherwise need n(n-1)/2 full adjacencies and every LSA would be flooded across each of them. Multiaccess OSPF segments therefore require a Designated Router (DR) to be elected to represent the entire segment. Another router is then elected as the Backup Designated Router, or BDR. On that specific multiaccess segment, routers only form full adjacencies with the DR and BDR.
The DR advertises the segment with a type 2 (network) LSA. Non-designated routers send their updates to 224.0.0.6, which only the DR and BDR listen on; the DR then floods them to the whole segment using 224.0.0.5.
Elections
1. When the OSPF process on a router starts up, it listens for hellos. If it does not receive any within its dead time, it elects itself the DR.
2. If hellos are received before the dead time expires, the router with the highest OSPF priority is elected as the DR. Next, the same process happens to elect the BDR. Note: If a router's OSPF priority is set to 0, it will not participate in the elections.
3. If two routers happen to have the same OSPF priority, the router with the highest Router ID will become DR. The same is true for the BDR.
Once a DR is elected, elections do not take place again until either the DR or BDR goes down. This means there is no DR preemption if another router comes online with a higher OSPF priority. If the DR goes down, the BDR is automatically promoted to DR and a new BDR election occurs. Be aware that a router with a non-zero priority that happens to boot first can become the DR just because it did not receive any hellos when its OSPF process started, even though it may have a low OSPF priority. The default OSPF priority is 1 and Cisco recommends manually changing that on the routers you want to become the DR and BDR. Remember that DRs are only used on multiaccess links, so they are only significant at the interface level. A router with two different interfaces connected to two different multiaccess links will have separate DR elections for each segment. To set the OSPF priority, use the ip ospf priority command on the interface connected to the multiaccess segment. Values can be between 0 and 255.
R1(config)# int gig 0/1
R1(config-if)# ip ospf priority 255
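The election rules above, as an added example that is not part of the original page: the function ranks the routers heard on one segment by priority and then by Router ID compared numerically (a plain string comparison would rank 10.0.0.2 above 10.0.0.10), skips priority 0, never preempts a sitting DR or BDR, and promotes the BDR when the DR disappears. The segment, Router IDs and priorities are constructed for the example.

```python
"""DR/BDR election on one multi-access segment, following the page's rules (added example)."""


def rid_key(rid):
    """Compare Router IDs numerically, octet by octet: 10.0.0.10 > 10.0.0.2,
    which a plain string comparison would get wrong."""
    return tuple(int(octet) for octet in rid.split("."))


def elect_dr_bdr(routers, current_dr=None, current_bdr=None):
    """routers maps Router ID -> OSPF priority for every router heard on the
    segment. Returns (dr, bdr), either of which may be None.

    Rules applied: priority 0 never participates; highest priority wins, ties
    broken by highest RID; a sitting DR/BDR is never preempted; if the DR
    disappears the BDR is promoted and only a new BDR is elected.
    """
    eligible = {rid: prio for rid, prio in routers.items() if prio > 0}
    ranked = sorted(eligible, key=lambda r: (eligible[r], rid_key(r)), reverse=True)
    if current_dr in eligible:
        dr = current_dr                     # no preemption
    elif current_bdr in eligible:
        dr = current_bdr                    # DR gone: BDR is promoted
    else:
        dr = ranked[0] if ranked else None
    if current_bdr in eligible and current_bdr != dr:
        bdr = current_bdr
    else:
        remaining = [r for r in ranked if r != dr]
        bdr = remaining[0] if remaining else None
    return dr, bdr


if __name__ == "__main__":
    # Constructed segment (assumption for the example): three routers at the
    # default priority 1, one at 0, and a late-joining router set to 255.
    segment = {"10.0.0.1": 1, "10.0.0.2": 1, "10.0.0.10": 1, "10.0.0.5": 0}
    dr, bdr = elect_dr_bdr(segment)
    print("initial election:", dr, bdr)
    segment["10.0.0.200"] = 255
    print("after 10.0.0.200 joins (no preemption):", *elect_dr_bdr(segment, dr, bdr))
    del segment["10.0.0.10"]
    print("after the DR fails:", *elect_dr_bdr(segment, dr, bdr))
```

The "boots first" case from the text falls out of the same code: calling it with the early router as `current_dr` keeps that router as DR even though a higher RID has since appeared. Setting `ip ospf priority 0` on access-facing routers is the practical way to guarantee that an unexpected device on the segment can never win the role.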
OSPF over the WAN
Routing protocols assume both broadcast capabilities and full mesh connectivity on multiaccess networks. For OSPF, there are a few points to consider:
- Full mesh environments can use physical interfaces, but often subinterfaces are used
- Partial mesh environments should be configured using point-to-point subinterfaces
- Hub-and-spoke environments should elect the hub as the DR, or use point-to-point subinterfaces, which don't require a DR
- Frame Relay and ATM maps should include the broadcast attribute
- In multiaccess environments, the DR and BDR should have full virtual circuit connectivity to all other routers
Summarization
First, it's important to note that running the SPF algorithm on a router is taxing on CPU resources and can easily consume them, because OSPF has to compute the best path to every destination within its area. Avoiding running the algorithm whenever it isn't required is a big win. Summarization has two important benefits for OSPF. It prevents topology changes from being passed outside an area, thus reducing the number of routers rerunning the SPF algorithm. It also consolidates many routes into a single advertisement, reducing the memory load and database size on OSPF-enabled routers. There are two types of route summarization, inter-area and external.

Inter-area Summarization (LSA Type 3)
This occurs on ABRs to summarize routes between areas. It only works well if the networks contained within an area are subnetted contiguously so that they can be summarized into a single statement. The summary route's cost is equal to the lowest cost route within the summary range. After the command is entered, the router automatically installs a discard route for the summary pointing to Null0, so that traffic for addresses inside the range that have no more specific route is dropped instead of following a default route back and forth. Example:
ABR-R1(config)# router ospf 10
ABR-R1(config-router)# area 2 range 10.100.0.0 255.255.0.0
In this example, the routes in area 2 that fall within 10.100.0.0/16 are advertised into the other areas as the single summary 10.100.0.0/16.

External Summarization (LSA Type 5)
This occurs on ASBRs for routes that are injected into OSPF via route redistribution. Again, the router automatically installs a discard route pointing to Null0. Example:
ASBR-R1(config)# router ospf 10
ASBR-R1(config-router)# summary-address 192.168.0.0 255.255.0.0
In this example, the external networks have been summarized into 192.168.0.0/16 and are injected into OSPF as a single type 5 LSA.
OSPF Passive Interfaces
Like EIGRP, OSPF supports the use of passive interfaces. The passive-interface interface command stops OSPF hellos from being sent out that interface, so no adjacency can form on it. The interface's subnet is still advertised into OSPF. That makes passive-interface the right way to include a user-facing LAN in OSPF without accepting adjacencies, or forged hellos and LSAs, from hosts on it.
OSPF Default Routes
Default routes are injected into OSPF via type 5 LSAs. There are multiple ways to inject default routes into OSPF, but Cisco recommends using the default-information originate command under the OSPF routing process.
R1(config)# router ospf 10
R1(config-router)# default-information originate [always] [metric metric]
If the always keyword is not used, OSPF will only advertise a default route that already exists in the routing table from another source, like a static route, and withdraws it if that route disappears. If the always keyword is present, a default route is advertised regardless of whether one exists in the routing table, so be sure the router really has a way out before using it. Another option is to use the area range and summary-address commands discussed in the summarization section above. Using these will result in the router advertising a default route pointing to itself.
Stub and Not-So-Stubby Areas
Stub areas are another way to simplify the route information that gets advertised. Area 2 in the diagram above shows an example.
The ABR of a stub area (R3 in this example) filters out all external (type 5) routes and instead injects a default route of 0.0.0.0. That is, routers in the stub area do not know about any non-OSPF route information outside their own area. A Cisco proprietary extension of a stub area is a Totally Stubby Area, or TSA. TSAs do not accept any external routes from non-OSPF sources AND they do not accept inter-area (type 3 summary) routes from other areas within their OSPF autonomous system. If a router needs to send traffic to a destination outside its own area, it sends the traffic using the default route. ABRs inject default routes into both Stub and Totally Stubby areas.
Stub areas are made into Totally Stubby Areas by appending the no-summary keyword to the area stub command on the ABR. Example:
R3(config)# router ospf 10
R3(config-router)# area 2 stub no-summary
R3(config-router)# area 2 stub default-cost 8
The example above sets area 2 as a totally stubby area. The default-cost command is optional and in this case changes the default route cost from 1 to 8.
Stub Limitations
- Virtual links cannot be included
- Cannot include an ASBR
- The stub configuration must be applied to every router within the stubby area
- Area 0 cannot be a stub
Bullet point 3 is extremely important! If two routers are connected, but one does not have the stub statement configured, the stub flag (the E-bit in the hello Options field) will not match, the hello packets will be dropped and they will not form a neighbor adjacency.
Not-So-Stubby Areas, or NSSAs, were an addendum to the original OSPF RFC and defined a new special LSA, type 7. NSSAs are very similar to stub areas, but they allow the use of ASBRs in the area, something stub areas prohibit.
External routes are advertised by the ASBR as type 7 LSAs and the ABR then converts them into type 5 external LSAs when it advertises them into adjacent areas. NSSA is configured using the area area-number nssa command, as seen in the example below. Using the no-summary keyword turns the area into a Totally Stubby NSSA, which does not accept external or summary routes from other areas. Lastly, the NSSA ABR does not by default advertise a default route into the area; the default-information-originate option does just that.
R4(config)# router ospf 10
R4(config-router)# area 1 nssa [no-summary] [default-information-originate]
OSPF Virtual Links
OSPF has strict rules around how areas connect and where they can be located. More specifically, every area must be connected to area 0, and area 0 must be contiguous, meaning it cannot be broken into multiple, separately connected pieces. Virtual links were developed as a band-aid for situations that temporarily must violate those requirements. A virtual link connects an area that has no direct connection to area 0 through a transit area. It can also join two separate pieces of area 0 together. Keep in mind that Cisco recommends virtual links be a temporary workaround to a short-term problem, not a permanent design.
The diagram below illustrates an example where a virtual link could be used. Let's pretend Company ABC and Company XYZ just announced a merger and now their corporate networks must do the same. In this case, both routers R1 and R2 have become ABRs and the virtual link configuration is applied to them. The command area area-number virtual-link router-id is applied to each ABR. Note that the area used in the command is the transit area the virtual link crosses, and the RID is the Router ID of the OTHER router at the far end of the link. Example:
R1(config)# router ospf 20
R1(config-router)# area 1 virtual-link 10.30.30.30
R2(config)# router ospf 20
R2(config-router)# area 1 virtual-link 10.50.50.50
OSPF Authentication
Out of the box, OSPF does not authenticate its protocol messages or route updates: any host that can reach a segment can send hellos and LSAs and take part in the topology. OSPF does, however, support two message authentication options:
- Simple authentication, using plaintext keys. The key travels unencrypted in the header of every packet, so it only prevents accidental adjacencies, not an attacker with a packet capture.
- MD5 authentication. A keyed digest is appended to each packet and a cryptographic sequence number provides replay protection. Newer IOS releases also support HMAC-SHA authentication through key chains, as standardized in RFC 5709, and that is the better choice where both ends support it.
Matching authentication methods and keys must be configured on each interface on a segment. Different passwords could be applied to different router interfaces; the routers on the other ends of those links would just be required to have matching information. Authentication can be enabled for a whole area (under the OSPF process) or per interface, and the interface command takes precedence; the examples below show both forms.

Simple Authentication Example
R1(config)# int fa0/1
R1(config-if)# ip ospf authentication-key KEY123
R1(config-if)# ip ospf authentication
R1(config-if)# exit
R1(config)# router ospf 10
R1(config-router)# area 0 authentication

MD5 Authentication Example
R1(config)# int fa0/1
R1(config-if)# ip ospf message-digest-key 1 md5 KEY123
R1(config-if)# ip ospf authentication message-digest
R1(config-if)# exit
R1(config)# router ospf 10
R1(config-router)# area 0 authentication message-digest

** The 1 in the ip ospf message-digest-key 1 md5 KEY123 statement above is the key ID. It must match on both ends of the link, and it is what makes key rollover possible: add the new key ID on every router on the segment first, then remove the old one.
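The two authentication types on the wire, as an added example that is not part of the original page: a constructed 44-byte Hello is given a simple-authentication header (the password sits in the clear in bytes 16-23) and then an RFC 2328 Appendix D MD5 trailer, where the 64-bit field carries the key ID, digest length and cryptographic sequence number and the 16-byte MD5 of packet||key is appended after the packet. The verifier checks the key ID, the digest in constant time, and the sequence number. The key, key ID and sequence values are assumptions for the example; note that the digest is a keyed hash with the secret as a suffix, not an HMAC, which is why RFC 5709 moved to HMAC-SHA.

```python
"""OSPFv2 authentication trailers: simple password vs. RFC 2328 Appendix D MD5 (added example)."""
import hashlib
import hmac
import struct

AUTH_NONE, AUTH_SIMPLE, AUTH_CRYPTO = 0, 1, 2
KEY_LEN = 16                       # MD5 keys are padded with zero bytes to 16


def sample_packet():
    """Constructed 44-byte Hello (24-byte header + 20-byte fixed body, no
    neighbors) with AuType 0 and a zero checksum; an assumption for this example."""
    header = struct.pack("!BBH4s4sHH8s", 2, 1, 44, bytes([10, 0, 0, 1]),
                         bytes(4), 0, AUTH_NONE, bytes(8))
    body = struct.pack("!4sHBBI4s4s", bytes([255, 255, 255, 0]), 10, 0x02, 1, 40,
                       bytes(4), bytes(4))
    return header + body


def _set_auth(pkt, au_type, auth_field):
    """Rewrite AuType and the 64-bit authentication field; the checksum is
    zeroed (required for MD5, and left uncomputed for the simple case here)."""
    return pkt[:12] + struct.pack("!HH", 0, au_type) + auth_field + pkt[24:]


def simple_auth(pkt, password):
    """AuType 1: the password (at most 8 bytes) travels in the clear inside the
    header, so one captured Hello hands the key to anyone on the segment."""
    if len(password) > 8:
        raise ValueError("simple password is limited to 8 bytes")
    return _set_auth(pkt, AUTH_SIMPLE, password.ljust(8, b"\0"))


def md5_sign(pkt, key_id, key, crypto_seq):
    """AuType 2: the auth field carries (0, key ID, digest length, sequence
    number); the 16-byte digest of packet||key is appended after the packet
    and is not counted in the header length field."""
    if len(key) > KEY_LEN:
        raise ValueError("MD5 key is limited to 16 bytes")
    auth_field = struct.pack("!HBBI", 0, key_id, KEY_LEN, crypto_seq)
    signed = _set_auth(pkt, AUTH_CRYPTO, auth_field)
    return signed + hashlib.md5(signed + key.ljust(KEY_LEN, b"\0")).digest()


def md5_verify(wire, keys, last_seq):
    """Receiver side. keys maps key ID -> key; last_seq maps key ID -> highest
    sequence number accepted so far and is updated on success. Returns True
    only for an untampered packet with a known key ID and a non-decreasing
    sequence number (the RFC accepts equal values, so a packet can be replayed
    until the sender's counter moves on)."""
    if len(wire) < 24:
        return False
    length = struct.unpack("!H", wire[2:4])[0]
    if len(wire) < length + KEY_LEN:
        return False
    pkt, digest = wire[:length], wire[length:length + KEY_LEN]
    au_type = struct.unpack("!H", pkt[14:16])[0]
    _, key_id, digest_len, seq = struct.unpack("!HBBI", pkt[16:24])
    key = keys.get(key_id)
    if au_type != AUTH_CRYPTO or digest_len != KEY_LEN or key is None:
        return False
    expected = hashlib.md5(pkt + key.ljust(KEY_LEN, b"\0")).digest()
    if not hmac.compare_digest(expected, digest):
        return False
    if seq < last_seq.get(key_id, 0):
        return False                # replayed or out-of-order packet
    last_seq[key_id] = seq
    return True


if __name__ == "__main__":
    pkt = sample_packet()
    print("simple auth field:", simple_auth(pkt, b"KEY123")[16:24])
    wire = md5_sign(pkt, 1, b"KEY123", 100)
    print("md5 trailer:", wire[44:].hex())
    print("verifies:", md5_verify(wire, {1: b"KEY123"}, {}))
```

Two practical consequences follow from the verifier: the key ID lets a receiver hold the old and new key at once during a rollover, and the sequence number is only per key ID and per neighbor, so a router that reboots and restarts its counter at a low value is ignored by its neighbors until the counter catches up (IOS uses the time of day as the sequence number partly for this reason).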
OSPF Verification
The OSPF neighbor table can be viewed using the show ip ospf neighbor command. It shows the state of each neighbor adjacency (including whether database loading has finished) as well as DR and BDR assignments. To show which OSPF routes are installed in the routing table, issue the show ip route ospf command. The show ip ospf command displays the RID, counters, and timers. To see which router interfaces are participating in OSPF (and their area assignments), use the command show ip ospf interface.