Configuring OSPF
This chapter describes how to configure the ASA to route data, perform authentication, and redistribute routing information, using the Open Shortest Path First (OSPF) routing protocol.
This chapter includes the following sections:
•Overview
•Licensing Requirements for OSPF
•Guidelines and Limitations
•Enabling OSPF
•Customizing OSPF
•Monitoring OSPF
•Configuration Example for OSPF
•Feature History for OSPF
•Additional References
Overview
OSPF is an interior gateway routing protocol that uses link states rather than distance vectors for path selection. OSPF propagates link-state advertisements (LSAs) rather than routing table updates. Because only LSAs are exchanged instead of the entire routing tables, OSPF networks converge more quickly than RIP networks.
OSPF uses a link-state algorithm to build and calculate the shortest path to all known destinations. Each router in an OSPF area contains an identical link-state database, which is a list of each of the router's usable interfaces and reachable neighbors.
The advantages of OSPF over RIP include the following:
•OSPF link-state database updates are sent less frequently than RIP updates, and the link-state database is updated instantly rather than gradually as stale information is timed out.
•Routing decisions are based on cost, which is an indication of the overhead required to send packets across a certain interface. The ASA calculates the cost of an interface based on link bandwidth rather than the number of hops to the destination. The cost can be configured to specify preferred paths.
The disadvantage of shortest path first algorithms is that they require a lot of CPU cycles and memory.
The ASA can run two processes of OSPF protocol simultaneously, on different sets of interfaces. You might want to run two processes if you have interfaces that use the same IP addresses (NAT allows these interfaces to coexist, but OSPF does not allow overlapping addresses). Or you might want to run one process on the inside, and another on the outside, and redistribute a subset of routes between the two processes. Similarly, you might need to segregate private addresses from public addresses.
You can redistribute routes into an OSPF routing process from another OSPF routing process, a RIP routing process, or from static and connected routes configured on OSPF-enabled interfaces.
The ASA supports the following OSPF features:
•Support of intra-area, interarea, and external (Type I and Type II) routes.
•Support of a virtual link.
•OSPF LSA flooding.
•Authentication to OSPF packets (both password and MD5 authentication).
•Support for configuring the ASA as a designated router or a designated backup router. The ASA also can be set up as an ABR.
•Support for stub areas and not-so-stubby-areas.
•Area boundary router type-3 LSA filtering.
OSPF supports MD5 and clear text neighbor authentication. Authentication should be used with all routing protocols when possible because route redistribution between OSPF and other protocols (like RIP) can potentially be used by attackers to subvert routing information.
If NAT is used, if OSPF is operating on public and private areas, and if address filtering is required, then you need to run two OSPF processes—one process for the public areas and one for the private areas.
A router that has interfaces in multiple areas is called an Area Border Router (ABR). A router that acts as a gateway to redistribute traffic between routers using OSPF and routers using other routing protocols is called an Autonomous System Boundary Router (ASBR).
An ABR uses LSAs to send information about available routes to other OSPF routers. Using ABR type 3 LSA filtering, you can have separate private and public areas with the ASA acting as an ABR. Type 3 LSAs (inter-area routes) can be filtered from one area to another. This lets you use NAT and OSPF together without advertising private networks.
Note Only type 3 LSAs can be filtered. If you configure the ASA as an ASBR in a private network, it will send type 5 LSAs describing private networks, which will get flooded to the entire AS including public areas.
If NAT is employed but OSPF is only running in public areas, then routes to public networks can be redistributed inside the private network, either as default or type 5 AS External LSAs. However, you need to configure static routes for the private networks protected by the ASA. Also, you should not mix public and private networks on the same ASA interface.
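The NAT guidance above can be checked mechanically. The following Python audit is an added example, not part of the original chapter: it flags any OSPF process that carries both RFC 1918 and public networks, and notes when that process also redistributes routes, since type 5 LSAs are not covered by type 3 filtering. The configuration excerpt, process IDs, and finding codes are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed running-config excerpt (process IDs and networks are assumptions).
SAMPLE_CONFIG = """\
router ospf 1
 network 10.1.0.0 255.255.0.0 area 1
 network 198.51.100.0 255.255.255.0 area 0
 redistribute static
router ospf 2
 network 203.0.113.0 255.255.255.0 area 0
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(net):
    return any(net.subnet_of(block) for block in RFC1918)

def parse_ospf_processes(config):
    """Return {pid: {"networks": [IPv4Network, ...], "asbr": bool}}."""
    procs, current = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):   # top-level line: enter or leave router mode
            m = re.match(r"router ospf (\d+)\s*$", line)
            current = None
            if m:
                current = procs.setdefault(int(m.group(1)),
                                           {"networks": [], "asbr": False})
            continue
        if current is None:
            continue
        m = re.match(r"\s+network (\S+) (\S+) area \S+", line)
        if m:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            current["networks"].append(net)
        elif re.match(r"\s+redistribute\s", line):
            current["asbr"] = True     # redistribution makes the ASA an ASBR
    return procs

def audit(config):
    """Flag OSPF processes that carry both private and public networks."""
    findings = []
    for pid, proc in sorted(parse_ospf_processes(config).items()):
        kinds = {is_private(n) for n in proc["networks"]}
        if kinds == {True, False}:
            findings.append((pid, "mixed-process"))
            if proc["asbr"]:
                findings.append((pid, "asbr-type5"))  # type 5 LSAs bypass type 3 filters
    return findings
```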
You can have two OSPF routing processes, one RIP routing process, and one EIGRP routing process running on the ASA at the same time.
Licensing Requirements for OSPF
Guidelines and Limitations
This section includes the guidelines and limitations for this feature:
Context Mode Guidelines
Supported in single context mode.
Firewall Mode Guidelines
Supported in routed firewall mode only. Transparent mode is not supported.
IPv6 Guidelines
Does not support IPv6.
Configuring OSPF
This section explains how to enable and restart the OSPF process on your system. After enabling OSPF, see the "Customizing OSPF" section to learn how to customize the OSPF process on your system.
•Enabling OSPF
•Restarting the OSPF Process
Enabling OSPF
To enable OSPF, you need to create an OSPF routing process, specify the range of IP addresses associated with the routing process, then assign area IDs associated with that range of IP addresses.
To enable OSPF, perform the following detailed steps:
Detailed Steps
Restarting the OSPF Process
This step removes the entire OSPF configuration that you have enabled. After the configuration is cleared, you must reconfigure OSPF using the router ospf command. To remove the OSPF configuration, perform the following step:
Customizing OSPF
This section explains how to customize the OSPF process and includes the following topics:
•Redistributing Routes Into OSPF
•Generating a Default Route
•Configuring Route Summarization When Redistributing Routes into OSPF
•Configuring Route Summarization Between OSPF Areas
•Configuring OSPF Interface Parameters
•Configuring OSPF Area Parameters
•Configuring OSPF NSSA
•Configuring Route Calculation Timers
•Defining Static OSPF Neighbors
•Logging Neighbors Going Up or Down
Redistributing Routes Into OSPF
The ASA can control the redistribution of routes between OSPF routing processes. The ASA matches and changes routes according to settings in the redistribute command or by using a route map.
If you want to redistribute a route by defining which of the routes from the specified routing protocol are allowed to be redistributed into the target routing process, you must first generate a default map and then define a route map.
Note (Optional) Create a route map to further define which routes from the specified routing protocol are redistributed into the OSPF routing process. See Chapter 20 "Defining Route Maps." Also, see the "Generating a Default Route" section for another use for route maps.
To redistribute static, connected, RIP, or OSPF routes into an OSPF process, perform the following steps:
Detailed Steps
Generating a Default Route
You can force an autonomous system boundary router to generate a default route into an OSPF routing domain. Whenever you specifically configure redistribution of routes into an OSPF routing domain, the router automatically becomes an autonomous system boundary router. However, an autonomous system boundary router does not by default generate a default route into the OSPF routing domain.
To generate a default route, perform the following steps:
Detailed Steps
Configuring Route Summarization When Redistributing Routes into OSPF
When routes from other protocols are redistributed into OSPF, each route is advertised individually in an external LSA. However, you can configure the ASA to advertise a single route for all the redistributed routes that are covered by a specified network address and mask. This configuration decreases the size of the OSPF link-state database.
To configure the software to advertise one summary route for all redistributed routes covered by a network address and mask, perform the following steps:
Detailed Steps
Note OSPF does not support summary-address 0.0.0.0 0.0.0.0.
Configuring Route Summarization Between OSPF Areas
Route summarization is the consolidation of advertised addresses. This feature causes a single summary route to be advertised to other areas by an area boundary router. In OSPF, an area boundary router advertises networks in one area into another area. If the network numbers in an area are assigned in a way such that they are contiguous, you can configure the area boundary router to advertise a summary route that covers all the individual networks within the area that fall into the specified range.
To define an address range for route summarization, perform the following steps:
Detailed Steps
Configuring OSPF Interface Parameters
You can alter some interface-specific OSPF parameters as necessary. You are not required to alter any of these parameters, but the following interface parameters must be consistent across all routers in an attached network: ospf hello-interval, ospf dead-interval, and ospf authentication-key. Be sure that if you configure any of these parameters, the configurations for all routers on your network have compatible values.
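The consistency requirement above can be verified before a change is deployed. This Python sketch is an added example, not from the original chapter: it compares the three must-match parameters for one interface across two configuration excerpts and reports only the names of the parameters that differ, never the key values. The excerpts and key strings are constructed, and the fallback values (hello 10 seconds, dead four times hello) are the defaults assumed here.

```python
import re

# Constructed configuration excerpts for two ASAs on the same segment
# (interface name and key strings are assumptions for this example).
ASA_A = """\
interface inside
 ospf hello-interval 10
 ospf dead-interval 40
 ospf authentication-key segKey01
"""
ASA_B = """\
interface inside
 ospf hello-interval 5
 ospf authentication-key segkey01
"""

PARAMS = ("hello-interval", "dead-interval", "authentication-key")

def ospf_interface_params(config, ifname):
    """Extract the three must-match OSPF parameters for one interface."""
    found, inside = {}, False
    for line in config.splitlines():
        if not line.startswith(" "):       # a new top-level block begins
            inside = line.strip() == f"interface {ifname}"
            continue
        m = re.match(r"\s+ospf (\S+) (\S+)", line)
        if inside and m and m.group(1) in PARAMS:
            found[m.group(1)] = m.group(2)
    hello = int(found.get("hello-interval", 10))        # assumed default: 10 s
    dead = int(found.get("dead-interval", 4 * hello))   # assumed default: 4 x hello
    return {"hello-interval": hello, "dead-interval": dead,
            "authentication-key": found.get("authentication-key")}

def mismatches(cfg_a, cfg_b, ifname):
    """Names of parameters that differ; key values are never returned."""
    a = ospf_interface_params(cfg_a, ifname)
    b = ospf_interface_params(cfg_b, ifname)
    return [p for p in PARAMS if a[p] != b[p]]
```

In the constructed pair, the second device inherits a dead interval of 20 seconds from its shorter hello interval, so all three parameters are reported even though only two lines differ.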
To configure OSPF interface parameters, perform the following steps:
Detailed Steps
Configuring OSPF Area Parameters
You can configure several area parameters. These area parameters (shown in the following task table) include setting authentication, defining stub areas, and assigning specific costs to the default summary route. Authentication provides password-based protection against unauthorized access to an area.
Stub areas are areas into which information on external routes is not sent. Instead, there is a default external route generated by the ABR, into the stub area for destinations outside the autonomous system. To take advantage of the OSPF stub area support, default routing must be used in the stub area. To further reduce the number of LSAs sent into a stub area, you can configure the no-summary keyword of the area stub command on the ABR to prevent it from sending summary link advertisement (LSA Type 3) into the stub area.
To specify area parameters for your network, perform the following steps:
Detailed Steps
Configuring OSPF NSSA
The OSPF implementation of an NSSA is similar to an OSPF stub area. NSSA does not flood type 5 external LSAs from the core into the area, but it can import autonomous system external routes in a limited way within the area.
NSSA imports Type 7 autonomous system external routes within an NSSA area by redistribution. These Type 7 LSAs are translated into Type 5 LSAs by NSSA ABRs, which are flooded throughout the whole routing domain. Summarization and filtering are supported during the translation.
By using NSSA, you can simplify administration if you are an ISP or a network administrator who must connect a central site using OSPF to a remote site that is using a different routing protocol.
Before the implementation of NSSA, the connection between the corporate site border router and the remote router could not be run as an OSPF stub area because routes for the remote site could not be redistributed into the stub area, and two routing protocols needed to be maintained. A simple protocol such as RIP was usually run and handled the redistribution. With NSSA, you can extend OSPF to cover the remote connection by defining the area between the corporate router and the remote router as an NSSA.
Before you use this feature, consider these guidelines:
–You can set a Type 7 default route that can be used to reach external destinations. When configured, the router generates a Type 7 default into the NSSA or the NSSA area boundary router.
–Every router within the same area must agree that the area is NSSA; otherwise, the routers will not be able to communicate.
To specify area parameters for your network as needed to configure OSPF NSSA, perform the following steps:
Detailed Steps
Note OSPF does not support summary-address 0.0.0.0 0.0.0.0.
Defining Static OSPF Neighbors
You need to define static OSPF neighbors to advertise OSPF routes over a point-to-point, non-broadcast network. This lets you broadcast OSPF advertisements across an existing VPN connection without having to encapsulate the advertisements in a GRE tunnel.
Before you begin, you must create a static route to the OSPF neighbor. See the chapter "Configuring Static and Default Routes" for more information about creating static routes.
To define a static OSPF neighbor, perform the following tasks:
Detailed Steps
Configuring Route Calculation Timers
You can configure the delay time between when OSPF receives a topology change and when it starts an SPF calculation. You also can configure the hold time between two consecutive SPF calculations.
To configure route calculation timers, perform the following steps:
Detailed Steps
Logging Neighbors Going Up or Down
By default, the system sends a system message when an OSPF neighbor goes up or down.
Configure this command if you want to know about OSPF neighbors going up or down without turning on the debug ospf adjacency command. The log-adj-changes router configuration command provides a higher level view of the peer relationship with less output. Configure log-adj-changes detail if you want to see messages for each state change.
To log neighbors going up or down, perform the following steps:
Detailed Steps
Note Logging must be enabled for the neighbor up/down messages to be sent.
Monitoring OSPF
You can display specific statistics such as the contents of IP routing tables, caches, and databases. You can also use the information provided to determine resource utilization and solve network problems. You can also display information about node reachability and discover the routing path that your device packets are taking through the network.
To monitor or display various OSPF routing statistics, perform one of the following tasks:
Configuration Example for OSPF
The following example shows how to enable and configure OSPF with various optional processes:
Step 1 Enable OSPF.
hostname(config)# router ospf 2
hostname(config-router)# network 10.0.0.0 255.0.0.0 area 0
Step 2 Redistribute routes from one OSPF process to another OSPF process (optional):
hostname(config)# route-map 1-to-2 permit
hostname(config-route-map)# match metric 1
hostname(config-route-map)# set metric 5
hostname(config-route-map)# set metric-type type-1
hostname(config-route-map)# router ospf 2
hostname(config-router)# redistribute ospf 1 route-map 1-to-2
Step 3 Configure OSPF interface parameters (optional):
hostname(config)# router ospf 2
hostname(config-router)# network 2.0.0.0 255.0.0.0 area 0
hostname(config-router)# interface inside
hostname(config-interface)# ospf cost 20
hostname(config-interface)# ospf retransmit-interval 15
hostname(config-interface)# ospf transmit-delay 10
hostname(config-interface)# ospf priority 20
hostname(config-interface)# ospf hello-interval 10
hostname(config-interface)# ospf dead-interval 40
hostname(config-interface)# ospf authentication-key cisco
hostname(config-interface)# ospf message-digest-key 1 md5 cisco
hostname(config-interface)# ospf authentication message-digest
Step 4 Configure OSPF area parameters (optional):
hostname(config)# router ospf 2
hostname(config-router)# area 0 authentication
hostname(config-router)# area 0 authentication message-digest
hostname(config-router)# area 17 stub
hostname(config-router)# area 17 default-cost 20
Step 5 Configure the route calculation timers and show the log neighbor up/down messages (optional):
hostname(config-router)# timers spf 10 120
hostname(config-router)# log-adj-changes [detail]
Step 6 Restart the OSPF process:
hostname(config)# clear ospf pid {process | redistribution | counters [neighbor [neighbor-interface] [neighbor-id]]}
Step 7 Show the results of your OSPF configuration (optional):
The following is sample output from the show ospf command:
hostname(config)# show ospf
Routing Process "ospf 2" with ID 20.1.89.2 and Domain ID 0.0.0.2
Supports only single TOS(TOS0) routes
Supports opaque LSA
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
Number of external LSA 5. Checksum Sum 0x 26da6
Number of opaque AS LSA 0. Checksum Sum 0x 0
Number of DCbitless external and opaque AS LSA 0
Number of DoNotAge external and opaque AS LSA 0
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
External flood list length 0
Area BACKBONE(0)
Number of interfaces in this area is 1
Area has no authentication
SPF algorithm executed 2 times
Area ranges are
Number of LSA 5. Checksum Sum 0x 209a3
Number of opaque link LSA 0. Checksum Sum 0x 0
Number of DCbitless LSA 0
Number of indication LSA 0
Number of DoNotAge LSA 0
Flood list length 0
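The sample output above reports "Area has no authentication" for the backbone area, which is the line to check after applying the area authentication commands. The following Python parser is an added example, not part of the original chapter: it maps each area in show ospf output to its authentication state and lists the areas that are not using message digest authentication. Area 17 in the sample is constructed, and the wording of the "simple password" and "message digest" lines follows Cisco IOS output and is an assumption for the ASA.

```python
import re

# First five lines are taken from the sample output above; the Area 17
# lines are constructed and their wording is an assumption (see lead-in).
SAMPLE = """\
Routing Process "ospf 2" with ID 20.1.89.2 and Domain ID 0.0.0.2
Area BACKBONE(0)
Number of interfaces in this area is 1
Area has no authentication
Area ranges are
Area 17
Number of interfaces in this area is 1
Area has message digest authentication
"""

AUTH_STATES = {
    "no": "none",
    "simple password": "cleartext",
    "message digest": "md5",
}

def area_authentication(output):
    """Map (process id, area id) -> 'none', 'cleartext', 'md5' or 'unknown'."""
    result, pid, area = {}, None, None
    for raw in output.splitlines():
        line = raw.strip()
        m = re.match(r'Routing Process "ospf (\d+)"', line)
        if m:
            pid, area = int(m.group(1)), None
            continue
        # Area header: "Area BACKBONE(0)" or "Area 17"; "Area ranges are" does not match.
        m = re.match(r"Area (?:BACKBONE\((\S+)\)|(\S+))$", line)
        if m:
            area = m.group(1) or m.group(2)
            result[(pid, area)] = "unknown"
            continue
        m = re.match(r"Area has (.+) authentication$", line)
        if m and area is not None:
            result[(pid, area)] = AUTH_STATES.get(m.group(1), "unknown")
    return result

def weak_areas(output):
    """Areas whose state is anything other than message digest."""
    return sorted(k for k, v in area_authentication(output).items() if v != "md5")
```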
Feature History for OSPF
Table 21-1 lists the release history for this feature.
Additional References
For additional information related to routing, see the following:
•Related Documents