OSPF

General Notes

  • AD 110 for internal & external
  • Multicast 224.0.0.5 for all OSPF routers, 224.0.0.6 for all DR/BDRs, port number 89
  • Advertises all routes to all nodes in area to build a topology before deciding best path
  • Hello and dead timers must match for adjacency (unlike EIGRP)
  • Once adjacency is formed, DBD (database description) packets are sent describing each router’s LSDB (link-state database)
    • Once other neighbor determines which LSAs they’re missing, LSR (link-state request) packet sent to ask for missing LSAs and sync database
    • All OSPF routers in an area must share a common view of the database for OSPF to function
  • DR/BDR Election
    • No preemption in the election - the only way to ensure a node does not become DR is by removing it from the election
    • This is done with ip ospf priority 0 under the interface you don’t want to become DR/BDR
  • OSPF LSA Types
    • Type 1 - Router LSA
      • Generated by all OSPF routers, advertised intra-area, describes routers’ own interfaces, neighbors
    • Type 2 - Network LSA
      • Generated by DRs, advertised intra-area, describes routers on its segment
    • Type 3 - Summary LSA
      • Generated by ABRs, advertised inter-area to describe reachable networks to another area
    • Type 4 - ASBR Summary LSA
      • Generated by ABRs, advertised inter-area to describe how to reach an ASBR advertising external networks
    • Type 5 - External Summary LSA
      • Generated by ASBRs, advertised inter-area to describe external routes
    • Type 7 - NSSA External Summary LSA
      • Same as above but generated in an NSSA where Type 5 LSAs are not allowed; translated and reflooded as a Type 5 LSA when received by an ABR
  • Use show ip ospf border-routers to see both ABRs, ASBRs in the OSPF process
  • For point-to-point links, add ip ospf network point-to-point under interface to save overhead on DR/BDR election
    • No DR/BDR role after the slash in the State column of show ip ospf neighbor (e.g. FULL/  -) indicates a point-to-point link
  • Loopbacks automatically advertised as /32s regardless of subnet mask
    • Can make the loopback point-to-point to advertise the full subnet
  • By default all links at or above 100Mbps end up with the same cost, since the default reference bandwidth is 100Mbps
    • To change this, change the reference bandwidth under router ospf config with auto-cost reference-bandwidth <value>
    • This should match on all devices in topology to prevent loops, but is not required for adjacency
  • Metric can be modified directly with cost on interface (ip ospf cost <cost>), or indirectly by changing interface bandwidth
  • Cost can also be configured per-neighbor under router ospf with neighbor <ip> cost <cost>
  • To form a neighborship, area, SN mask, stub flag, authentication and hello/dead timers must match
  • Neighborships in a good state are in 2-way between DROthers on broadcast segments, or Full for all other neighbor pairs
    • All other states indicate an issue if they persist
    • Stuck in ExStart, Exchange states usually indicates an MTU issue
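Added example (not from these notes) showing how the reference bandwidth and cost rules above play out: with the default 100Mbps reference, a two-hop 1G path and a three-hop 10G path differ only by hop count, and raising the reference to 100000 flips the choice. The topology and router values are constructed; the formula assumed is reference / link bandwidth, truncated, with a floor of 1.

```python
# Added example, not from the notes: IOS-style OSPF cost with a configurable
# reference bandwidth. Assumptions: default reference is 100 Mbps, the cost is
# truncated to an integer and never below 1, and bandwidths are given in Mbps.
DEFAULT_REF_MBPS = 100


def ospf_cost(link_mbps, ref_mbps=DEFAULT_REF_MBPS):
    """Interface cost = reference bandwidth / link bandwidth, truncated, minimum 1."""
    return max(1, int(ref_mbps / link_mbps))


def path_cost(links_mbps, ref_mbps=DEFAULT_REF_MBPS):
    """A path's cost is the sum of its outbound interface costs."""
    return sum(ospf_cost(mbps, ref_mbps) for mbps in links_mbps)


def best_path(paths, ref_mbps=DEFAULT_REF_MBPS):
    """Name of the lowest-cost path from {name: [link speeds in Mbps]}."""
    return min(paths, key=lambda name: path_cost(paths[name], ref_mbps))


def reference_bandwidth_mismatch(router_refs):
    """Routers whose auto-cost reference-bandwidth differs from the majority value
    (adjacency still forms, but metrics are no longer comparable across routers)."""
    values = list(router_refs.values())
    common = max(set(values), key=values.count)
    return sorted(r for r, ref in router_refs.items() if ref != common)


# Constructed topology: two 1 Gbps hops versus three 10 Gbps hops.
PATHS = {"via_1G": [1000, 1000], "via_10G": [10000, 10000, 10000]}

if __name__ == "__main__":
    for ref in (DEFAULT_REF_MBPS, 100000):
        costs = {name: path_cost(links, ref) for name, links in PATHS.items()}
        print("reference %6d Mbps:" % ref, costs, "-> best:", best_path(PATHS, ref))
    print("mismatched:", reference_bandwidth_mismatch({"R1": 100000, "R2": 100000, "R3": 100}))
```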
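Added example (not from these notes) that parses show ip ospf neighbor output and applies the neighbor-state rules above: FULL is healthy everywhere, 2WAY is healthy only between DROthers, a dash after the slash marks a point-to-point link, and a neighbor sitting in ExStart/Exchange gets the MTU hint. The neighbor table below is constructed, not captured from a device.

```python
import re

# Constructed sample of "show ip ospf neighbor" output (not from a real device).
SAMPLE_NEIGHBORS = """\
Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           1   FULL/DR         00:00:35    10.0.12.2       GigabitEthernet0/0
3.3.3.3           1   2WAY/DROTHER    00:00:38    10.0.12.3       GigabitEthernet0/0
4.4.4.4           0   FULL/  -        00:00:39    10.0.14.4       GigabitEthernet0/1
5.5.5.5           1   EXSTART/DR      00:00:31    10.0.15.5       GigabitEthernet0/2
6.6.6.6           1   INIT/DROTHER    00:00:33    10.0.16.6       GigabitEthernet0/3
"""

# One row: RID, priority, STATE/ROLE, dead timer, address, interface.
# The role after the slash is "-" on point-to-point links (shown as "FULL/  -").
ROW = re.compile(
    r"^(?P<rid>\d+(?:\.\d+){3})\s+(?P<pri>\d+)\s+"
    r"(?P<state>[A-Z0-9]+)/\s*(?P<role>DR|BDR|DROTHER|-)\s+"
    r"(?P<dead>\S+)\s+(?P<addr>\d+(?:\.\d+){3})\s+(?P<iface>\S+)$"
)


def parse_neighbors(text):
    """Parse the neighbor table into dicts; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["pri"] = int(row["pri"])
            row["p2p"] = row["role"] == "-"   # no DR/BDR role: point-to-point link
            rows.append(row)
    return rows


def assess(n):
    """Return 'ok' or the likely cause for one neighbor, following the notes above."""
    state, role, iface = n["state"], n["role"], n["iface"]
    if state == "FULL":
        return "ok"
    if state == "2WAY" and role == "DROTHER":
        return "ok"                       # two DROthers on a broadcast segment stay in 2-way
    if state in ("EXSTART", "EXCHANGE"):
        return "stuck in %s on %s: check MTU" % (state, iface)
    if state in ("DOWN", "ATTEMPT", "INIT"):
        return "%s on %s: hellos not seen both ways (timers/area/mask/auth?)" % (state, iface)
    return "%s/%s on %s: not converged" % (state, role, iface)


def check_neighbors(text):
    """Map each neighbor ID to its verdict."""
    return {n["rid"]: assess(n) for n in parse_neighbors(text)}
```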

Features

Authentication
  • Supports plaintext (pointless), MD5 & HMAC-SHA auth
  • HMAC-SHA configuration done with key chain in global config
  • MD5 configuration done under interface or for an entire area under router ospf
  • Key-id numbers must match for successful auth
key chain OSPF_KEYS
 key 1
  key-string <psk>
  cryptographic-algorithm hmac-sha-256
!
int gi0/0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 <psk>
!
int gi0/1
 ip ospf authentication key-chain OSPF_KEYS
Summarization
  • Possible only at ABRs, ASBRs
  • To summarize LSA 3 as originated by ABR, use area <area#> range <ip & mask>
    • The area used in the above command is the area the prefix is originated in - the summary will apply to all areas aside from this
    • Can append not-advertise to the range command to suppress advertisement of the prefixes in the range, a form of route filtering
  • To summarize LSA 5 at ASBR, use summary-address <ip & mask>
  • Leak map can be used to leak longer mask prefixes included in summary
    • summary-address 0.0.0.0 0.0.0.0 leak-map <route-map>
  • A discard route to Null0 matching the summary is installed on the summarizing router, for both LSA 3 and LSA 5 summaries
Route filtering
  • Inter-area filtering possible only at ABRs, filtering LSA3s
  • Performed with area <area#> filter-list prefix <prefix-list> [in|out]
  • Inter-area filtering also possible with area range and not-advertise flag as described above
  • Can also use distribute lists to filter inbound into the RIB, not the OSPF database
    • Can match on many values with route-maps, such as interface, ip address, ip next-hop, ip route-source, metric, route-type and tag
    • For example:
access-list 3 permit 155.1.146.0
access-list 4 permit 155.1.0.4
!
route-map DENY_VLAN146_FROM_R4 deny 10
 match ip address 3
 match ip next-hop 4
!
route-map DENY_VLAN146_FROM_R4 permit 20
!
router ospf 1
 distribute-list route-map DENY_VLAN146_FROM_R4 in
    • Note again that distribute-lists ONLY AFFECT THE LOCAL RIB, not the OSPF database
    • Easy to create traffic black holes if not careful with this feature
Default routing
  • Can be advertised with default-information originate [always]
  • always flag allows advertisement even if default not in local route table
Stub areas
  • Two types, stubby and totally stubby
    • Stubby prevents advertisement of LSA 5 (Externals) into the area
      • Configured with area <area#> stub under router ospf
    • Totally stubby prevents advertisements of LSA 3 (summary) & LSA 5 into the area
      • Configured with area <area#> stub no-summary under router ospf
        • Only ABR needs no-summary, rest of area just stub
  • ABR advertises default route into stub area for reachability
  • Must be configured on all routers in stub area
NSSA
  • Two types, NSSA and totally NSSA
    • NSSA prevents LSA5 advertisements but allows redistribution of externals
      • Configured with area <area#> nssa under router ospf
      • Does not advertise default route from ABR by default
      • Can use area <area#> nssa default-information-originate to advertise default
    • Totally NSSA prevents LSA3, 5 but allows redistribution of externals
      • Configured with area <area#> nssa no-summary under router ospf
      • Advertises default route from ABR
  • Externals originated in these areas will be LSA7s instead of LSA5s, translated to LSA5 at ABR

Useful debugs/show commands

  • show ip ospf interface brief - Displays interfaces participating in OSPF, areas, cost, etc
  • show ip ospf neighbor - Displays neighbors and neighbor states
  • show ip ospf database - Displays OSPF database information
  • show ip ospf database router self-originate - Useful to see routes advertised by local device
  • show ip ospf - Displays detailed information about OSPF protocols, timers, metric reference values, etc
  • show ip protocols - Shows various information about active routing protocols
  • debug ip ospf adj - OSPF adjacency formation
  • debug ip ospf packet - All OSPF packets

Standard OSPF Config

int gi0
 ip ospf network point-to-point
 ip ospf 1 area 0
!
router ospf 1
 router-id 1.1.1.1
 passive-interface default
 no passive-interface gi0
 network 150.1.5.0 0.0.0.255 area 0