OSPF, or Open Shortest Path First, is a link-state, open-standard, dynamic routing protocol. OSPF uses the SPF algorithm (Dijkstra's Shortest Path First) to compute, on each router, the best path to every known destination.
OSPF is classless and converges fairly quickly, using cost as its metric. A router running OSPF builds its own database describing the topology of its entire area, not simply its neighbors' routes as EIGRP does. This allows the router to make intelligent path-selection choices on its own instead of relying exclusively on what its neighbors advertise.
OSPF routers still form neighbor relationships. They exchange hellos with neighboring routers and in the process learn each neighbor's Router ID (RID); those values are kept in the neighbor (adjacency) table. Every router is responsible for computing its own best paths to all destinations within an OSPF domain. Once the SPF algorithm selects the best paths, they become eligible to be added to the routing table.
Link State Database
Once a router has exchanged hellos with its neighbors and learned their Router IDs, it begins sending LSAs, or Link State Advertisements. A router's LSA lists its links and their costs, including the RIDs of the neighbors reached over those links. LSAs are flooded to every other router in the area (ABRs pass summarized information between areas, as described below). A router stores all LSA information, its own and what it receives in incoming LSAs, in the Link State Database (LSDB).
I apologize if the acronyms are starting to pile up. OSPF, architecturally speaking, is more complicated than its counterpart EIGRP, and the long list of acronyms and definitions is part of that.
Areas
OSPF differs from EIGRP in that it uses areas to segment the routing domain. This partitions routers into manageable groups as the layer 3 network grows. It all starts with area 0. Every OSPF network must contain an area 0, also referred to as the backbone area, and every additional area must connect to area 0 (directly, or through a virtual link as discussed later). Beyond area 0, other areas are optional.
Note that the SPF algorithm only runs within a single area, so routers only compute paths within their own area. Inter-area routes are passed between areas by Area Border Routers (ABRs).
All link state databases must match within an OSPF area. This means that the more OSPF-enabled routers are configured in the same area, the more LSAs must be flooded whenever anything changes. Beyond roughly 50 routers, the volume of LSA traffic and the size of the LSDB and routing table can become a problem, which is why Cisco recommends limiting an OSPF area to no more than 50-100 routers.
Three factors determine the practical maximum number of routers per area:
How easily the area's subnets can be summarized
The type of areas being used
The number of external LSAs being injected
An added bonus of partitioning your OSPF network into areas is that it is a natural fit for a hierarchical IP addressing scheme.
Area Types
Backbone area
Another name for area 0
Regular area
Non-backbone area that carries intra-area, inter-area (summary) and external routes
Stub area
Carries intra-area and inter-area routes plus a default route in place of external routes
Totally Stubby Area
Cisco proprietary extension of a stub area: intra-area routes and a default route only
Not-So-Stubby area (NSSA)
Contains internal routes, redistributed routes, and optionally a default route
Totally Stubby NSSA
Cisco proprietary option for NSSA
Router Roles
Internal: All interfaces in a single area (routers 1, 4, 5 in the diagram above)
Backbone: At least one interface assigned to area 0 (routers 1, 2, 3 in the diagram above)
Area Border Router (ABR): Interfaces in two or more areas (routers 2 and 3 in the diagram above). An ABR keeps a separate Link State Database for each of its areas, confines LSA flooding to each area, optionally summarizes routes between areas, and optionally sources default routes.
Autonomous System Boundary Router (ASBR): Redistributes routes from another source (a different routing protocol, static routes, or connected networks) into OSPF, so it has at least one interface in an OSPF area and at least one connection outside the OSPF domain.
OSPF Metric
Each interface is assigned a cost value based purely on bandwidth. The formula is:
Cost = reference bandwidth / interface bandwidth = 100 Mbps / bandwidth (that is, 100,000 / bandwidth in kbps), truncated to an integer with a minimum of 1
Higher bandwidth means a lower cost.
Let's run through some common examples quickly:
T1 line (1544 kbps) | 100,000 / 1544 = 64
10 Mbps | 100,000 / 10,000 = 10
100 Mbps | 100,000 / 100,000 = 1
1000 Mbps | 100,000 / 1,000,000 = 0.1, which OSPF rounds up to 1 (see explanation below)
The cost is accrued at each hop along the path based on the outgoing link's bandwidth. Unfortunately, OSPF was written when 100 Mbps was considered fast. Because of that, it assigns the same cost to any interface faster than 100 Mbps. To OSPF, a Fast Ethernet interface is weighted the same as a Gigabit Ethernet interface, both a cost of 1. To fix that problem, raise the reference bandwidth with the auto-cost command under the OSPF process (the value is in Mbps, so 1000 makes Gigabit Ethernet cost 1 and Fast Ethernet cost 10):
R1(config-router)# auto-cost reference-bandwidth 1000
Set the same reference bandwidth on every router in the OSPF domain; otherwise routers disagree about link costs and can select inconsistent paths.
Another option is to simply set the cost on a per-interface basis with the ip ospf cost command (any number between 1 and 65,535):
R1(config-if)# ip ospf cost 35
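Here is an added worked example (not from the original notes) that computes interface costs with both the default and a raised reference bandwidth and then runs SPF (Dijkstra) from one router over a small constructed link-state database. The topology, router IDs and bandwidths are made up. The point to notice is that with the default 100 Mbps reference the Gigabit path and the Fast Ethernet path to 4.4.4.4 tie at cost 2 and both get installed, while with reference-bandwidth 1000 the Gigabit path wins outright.

```python
"""OSPF interface cost and SPF (Dijkstra) over a small link-state database.

Added example for these notes; the topology, router IDs and bandwidths are
constructed for illustration.
"""
import heapq


def ospf_cost(bandwidth_kbps, reference_bandwidth_mbps=100):
    """Cisco-style interface cost: reference bandwidth divided by the link
    bandwidth, truncated to an integer and never lower than 1."""
    return max((reference_bandwidth_mbps * 1000) // bandwidth_kbps, 1)


# Constructed LSDB: each router's LSA as a list of (neighbor RID, link
# bandwidth in kbps).  R1-R2-R4 is Gigabit Ethernet, R1-R3-R4 is Fast Ethernet.
LSDB = {
    "1.1.1.1": [("2.2.2.2", 1_000_000), ("3.3.3.3", 100_000)],
    "2.2.2.2": [("1.1.1.1", 1_000_000), ("4.4.4.4", 1_000_000)],
    "3.3.3.3": [("1.1.1.1", 100_000), ("4.4.4.4", 100_000)],
    "4.4.4.4": [("2.2.2.2", 1_000_000), ("3.3.3.3", 100_000)],
}


def spf(lsdb, root, reference_bandwidth_mbps=100):
    """Dijkstra from `root`.  Returns {rid: (cost, [equal-cost paths])}.
    Cost accrues from the outgoing interface at each hop, as OSPF does;
    equal-cost paths are all kept because OSPF load-balances across them."""
    best = {root: (0, [[root]])}
    done = set()
    heap = [(0, root)]
    while heap:
        cost, rid = heapq.heappop(heap)
        if rid in done:
            continue  # stale heap entry: this router is already finalized
        done.add(rid)
        for nbr, bw_kbps in lsdb[rid]:
            new_cost = cost + ospf_cost(bw_kbps, reference_bandwidth_mbps)
            paths = [p + [nbr] for p in best[rid][1]]
            if nbr not in best or new_cost < best[nbr][0]:
                best[nbr] = (new_cost, paths)
                heapq.heappush(heap, (new_cost, nbr))
            elif new_cost == best[nbr][0]:
                best[nbr][1].extend(paths)  # equal-cost alternative
    return best


if __name__ == "__main__":
    for ref in (100, 1000):
        print(f"auto-cost reference-bandwidth {ref}")
        for rid, (cost, paths) in sorted(spf(LSDB, "1.1.1.1", ref).items()):
            routes = " | ".join(" -> ".join(p) for p in paths)
            print(f"  {rid:<8} cost {cost:<3} {routes}")
```

Running it prints the two SPF trees side by side; the T1 cost of 64 in the table above is simply ospf_cost(1544).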
Link State Advertisements
Each LSA carries a sequence number and the Router ID of its originator. Sequence numbers are 32 bits, starting at 0x80000001. The originating router increments the sequence number when:
the LSA's contents change (for example, a route is added or deleted)
the LSA is refreshed (by default every 30 minutes, the LSRefreshTime)
The largest sequence number is always the most current instance. An LSA that is no longer refreshed by its originator reaches MaxAge (60 minutes) and is flushed from the domain. When an LSA arrives at a router, the router checks it against its Link State Database (LSDB):
If the LSA is not in the LSDB, it is added, flooded onward, and the SPF algorithm is re-run.
If the LSDB already holds an instance of that LSA (same type, link-state ID and advertising Router ID) with an older sequence number, the new instance replaces it, is flooded onward, and SPF is re-run.
If the received instance is older than the one in the LSDB (according to its sequence number), the router discards it and sends its own newer copy back to the sender.
The command show ip ospf database displays the sequence number and age (in seconds) of each entry.
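As an added example (not part of the original notes), here is the comparison and flooding decision just described, in Python: LSAs are keyed by type, link-state ID and advertising router; sequence numbers are compared as signed 32-bit values, so 0x80000001 is the oldest possible instance and 0x7FFFFFFF the newest; and a received instance is installed, discarded or merely acknowledged. The RIDs, ages and LSA bodies are constructed, and the LS checksum tie-break from RFC 2328 section 13.1 is omitted.

```python
"""LSA instance comparison and LSDB update (RFC 2328 sections 12.1.6 and 13.1).

Added example for these notes; RIDs, ages and LSA bodies are constructed.
"""
from dataclasses import dataclass

INITIAL_SEQ = 0x80000001   # InitialSequenceNumber: first instance of an LSA
MAX_SEQ = 0x7FFFFFFF       # MaxSequenceNumber: last usable value before wrap
LS_REFRESH = 1800          # LSRefreshTime, seconds (the 30 minute refresh)
MAX_AGE = 3600             # MaxAge, seconds (unrefreshed LSAs are flushed)
MAX_AGE_DIFF = 900         # MaxAgeDiff, seconds


@dataclass(frozen=True)
class LSA:
    ls_type: int        # 1 router, 2 network, 3 summary, 5 external, 7 NSSA
    ls_id: str
    adv_router: str     # RID of the originating router
    seq: int            # 32-bit LS sequence number
    age: int = 0        # LS age in seconds
    body: tuple = ()    # links/prefixes; not part of the comparison


def lsa_key(lsa):
    """Three fields identify an LSA; everything else describes an instance."""
    return (lsa.ls_type, lsa.ls_id, lsa.adv_router)


def seq_as_signed(seq):
    """Sequence numbers are signed 32-bit integers, so 0x80000001 (-2**31 + 1)
    sorts below 0x00000001 and 0x7FFFFFFF is the largest."""
    return seq - (1 << 32) if seq & 0x80000000 else seq


def next_seq(seq):
    """Next sequence number for a changed or refreshed LSA.  At MAX_SEQ the
    originator must flush the LSA (age it to MaxAge) and restart at
    INITIAL_SEQ rather than wrap."""
    if seq == MAX_SEQ:
        raise ValueError("sequence space exhausted: flush and restart")
    return (seq + 1) & 0xFFFFFFFF


def compare(new, old):
    """'newer', 'older' or 'same' for two instances of the same LSA."""
    s_new, s_old = seq_as_signed(new.seq), seq_as_signed(old.seq)
    if s_new != s_old:
        return "newer" if s_new > s_old else "older"
    # RFC 2328 compares LS checksums next; omitted in this example.
    if (new.age == MAX_AGE) != (old.age == MAX_AGE):
        return "newer" if new.age == MAX_AGE else "older"  # a flush wins
    if abs(new.age - old.age) > MAX_AGE_DIFF:
        return "newer" if new.age < old.age else "older"
    return "same"


def receive_lsa(lsdb, lsa):
    """Apply the rules from the notes.  Returns the action taken:
    'install'  new or newer instance: store it, flood it on, schedule SPF
    'discard'  older instance: drop it and send our newer copy to the sender
    'ack'      duplicate of what we already hold: just acknowledge it"""
    key = lsa_key(lsa)
    current = lsdb.get(key)
    verdict = "newer" if current is None else compare(lsa, current)
    if verdict == "newer":
        lsdb[key] = lsa
        return "install"
    return "discard" if verdict == "older" else "ack"


if __name__ == "__main__":
    lsdb = {}
    first = LSA(1, "2.2.2.2", "2.2.2.2", INITIAL_SEQ, body=("10.1.1.0/24",))
    second = LSA(1, "2.2.2.2", "2.2.2.2", next_seq(INITIAL_SEQ),
                 body=("10.1.1.0/24", "10.9.9.0/24"))
    for lsa in (first, second, first, second):
        print(f"seq 0x{lsa.seq:08X} -> {receive_lsa(lsdb, lsa)}")
```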
LSDB Overload
In large OSPF networks, a major topology change triggers a flood of LSAs across the entire network. The number of incoming LSAs at each router can be substantial and exhaust its CPU and memory.
To mitigate that scenario, Cisco offers what it refers to as Link State Database Overload Protection. Once enabled, if the number of received (non-self-generated) LSAs stays above the configured maximum for one minute, the router enters the ignore state, dropping all adjacencies and clearing its OSPF database; it remains there for the configured ignore time before attempting to rebuild adjacencies. Know that this is a drastic response: routing through that router is disrupted for the duration.
R1(config-router)# max-lsa maximum-number [threshold-percentage] [warning-only] [ignore-time minutes] [ignore-count count] [reset-time minutes]
With the warning-only keyword the router only logs the condition instead of entering the ignore state.
LSA Definitions
OSPF Messaging
OSPF uses several different types of messages to maintain neighbor relationships and keep routing information correct.
OSPF Packet Types
Hello
Discovers neighbors and works as a keepalive.
Link State Request (LSR)
Requests specific LSAs, which the neighbor returns in a Link State Update (LSU), see below.
Database Description (DBD)
Contains a summary of the LSDB: LSA headers, including RIDs and sequence numbers.
Link State Update (LSU)
Contains one or more complete LSAs.
Link State Acknowledgement (LSAck)
Acknowledges received LSAs (the contents of LSUs). Hellos are not acknowledged, and DBDs are acknowledged implicitly through their sequence numbers.
OSPF sends the five packet types listed above directly over IP as protocol number 89 (not a TCP or UDP port), each beginning with the common 24-byte OSPF packet header. Multicast address 224.0.0.5 (AllSPFRouters) is used to reach all OSPF routers on a segment; 224.0.0.6 (AllDRouters) is used to reach the DR and BDR.
OSPF Neighbors
Hellos are sent out periodically using multicast on OSPF-enabled interfaces. A router considers a neighbor bidirectionally reachable when it sees its own Router ID in the neighbor field of that router's hello message. That indicates there is direct, two-way communication on the same subnet.
Note: On multiaccess links, full adjacencies are only formed between a router and the DR and BDR; other neighbor pairs stay in the 2-Way state.
All of the following fields in an OSPF hello message must match for an adjacency to form:
hello timer
dead timer
area ID
authentication type
password (key)
stub area flag (the E bit in the Options field)
On all link types except point-to-point, the network mask in the hello must match as well, so the two routers must share a subnet.
As with many network protocols, hellos act as a form of keepalive or heartbeat. With OSPF, if no hello is received within the dead interval (by default four times the hello interval), the neighbor is declared down.
Point-to-point and broadcast interfaces: hellos every 10 seconds, 40 second dead timer
Nonbroadcast multiaccess (NBMA) interfaces: hellos every 30 seconds, 120 second dead timer
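The following added example (not code from the original notes) models hello processing on one interface: the must-match checks listed above, and the Down, Init and 2-Way transitions described in the next section. All hello parameters are constructed, and authentication is modelled as two fields that must agree (on a real router that check runs on the packet header before the hello is parsed). It shows why a neighbor with a mismatched dead timer or stub flag never leaves Down, and why one that does not yet list our RID sits in Init.

```python
"""Hello processing on one interface: the must-match checks from the notes
and the Down -> Init -> 2-Way transitions.

Added example; all hello parameters are constructed.  Authentication is
modelled as type and key fields that must agree.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Hello:
    rid: str
    area: int
    hello_interval: int
    dead_interval: int
    auth_type: int          # 0 null, 1 simple password, 2 MD5
    auth_key: str
    stub_area: bool         # True when the E bit in Options is cleared
    neighbors: tuple = ()   # RIDs the sender has recently heard from


# Fields that must agree before a hello is accepted at all.
MUST_MATCH = ("area", "hello_interval", "dead_interval",
              "auth_type", "auth_key", "stub_area")


def mismatches(mine, theirs):
    """Names of the must-match fields that differ (empty when compatible)."""
    return [f for f in MUST_MATCH if getattr(mine, f) != getattr(theirs, f)]


def process_hello(mine, state, theirs):
    """Return (new_state, reason) after receiving `theirs` while in `state`."""
    bad = mismatches(mine, theirs)
    if bad:
        # An incompatible hello is dropped; the neighbor never leaves Down.
        return state, "hello ignored, mismatch in: " + ", ".join(bad)
    if mine.rid in theirs.neighbors:
        # They list us, so both directions work: 2-Way.  On a multiaccess
        # segment the DR/BDR decision is made at this point.
        return "2-Way", "our RID is in the neighbor field"
    # Not listed (yet, or no longer): one-way only, so Init.
    return "Init", "hello seen, but we are not in its neighbor field"


if __name__ == "__main__":
    me = Hello("1.1.1.1", 0, 10, 40, 0, "", False)
    for peer in (Hello("2.2.2.2", 0, 30, 120, 0, "", False),
                 Hello("2.2.2.2", 0, 10, 40, 0, "", True),
                 Hello("2.2.2.2", 0, 10, 40, 0, "", False),
                 Hello("2.2.2.2", 0, 10, 40, 0, "", False, ("1.1.1.1",))):
        print(process_hello(me, "Down", peer))
```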
OSPF States
There are 7 different OSPF neighbor states. Take the time to learn the states and their corresponding functions.
Down
This is the first OSPF neighbor state. It means that no information (hellos) has been received from this neighbor, but hello packets can still be sent to the neighbor in this state.
During the fully adjacent neighbor state, if a router doesn't receive a hello packet from a neighbor within the RouterDeadInterval (RouterDeadInterval = 4*HelloInterval by default), or if the manually configured neighbor is removed from the configuration, then the neighbor state changes from Full to Down.
Attempt
This state is only valid for manually configured neighbors in an NBMA environment. In Attempt state, the router sends unicast hello packets every poll interval to the neighbor from which hellos have not been received within the dead interval.
Init
This state specifies that the router has received a hello packet from its neighbor, but the receiving router's ID was not included in the hello packet. When a router receives a hello packet from a neighbor, it should list the sender's router ID in its own hello packet as an acknowledgment that it received a valid hello packet.
2-Way
This state designates that bidirectional communication has been established between two routers. Bidirectional means that each router has seen the other's hello packet. This state is attained when the router receiving the hello packet sees its own Router ID within the received hello packet's neighbor field. At this state, a router decides whether to become adjacent with this neighbor. On broadcast media and non-broadcast multiaccess networks, a router becomes full only with the designated router (DR) and the backup designated router (BDR); it stays in the 2-Way state with all other neighbors. On point-to-point and point-to-multipoint networks, a router becomes full with all connected routers.
At the end of this stage, the DR and BDR for broadcast and non-broadcast multiaccess networks are elected. For more information on the DR election process, refer to DR Election.
Note: Receiving a Database Description (DBD) packet from a neighbor in the Init state will also cause a transition to the 2-Way state.
ExStart
Once the DR and BDR are elected, the actual process of exchanging link state information can start between the routers and their DR and BDR.
In this state, the routers and their DR and BDR establish a master-slave relationship and choose the initial DBD sequence number for adjacency formation. The router with the higher router ID becomes the master and starts the exchange, and as such is the only router that can increment the sequence number. One might conclude that the DR/BDR will become the master, since it often has the highest router ID. Remember, however, that the DR/BDR election might have been decided purely by a higher configured priority rather than the highest router ID, so it is possible that a DR plays the role of slave. Also note that the master/slave election is on a per-neighbor basis.
Exchange
In the Exchange state, OSPF routers exchange database description (DBD) packets. Database descriptors contain link-state advertisement (LSA) headers only and describe the contents of the entire link-state database. Each DBD packet has a sequence number which can be incremented only by the master and which is explicitly acknowledged by the slave. Routers can also send link-state request packets and link-state update packets (which contain the entire LSA) in this state. The contents of the received DBD are compared to the information in the router's link-state database to check whether the neighbor has new or more current link-state information.
Loading
In this state, the actual exchange of link state information occurs. Based on the information provided by the DBDs, routers send link-state request packets. The neighbor then provides the requested link-state information in link-state update packets. During the adjacency, if a router receives an outdated or missing LSA, it requests that LSA by sending a link-state request packet. All link-state update packets are acknowledged.
Full
In this state, routers are fully adjacent with each other. All the router and network LSAs are exchanged and the routers' databases are fully synchronized.
Full is the normal state for an OSPF neighbor. If a neighbor is stuck in another state, it is an indication that there are problems in forming the adjacency. The only exception to this is the 2-Way state, which is normal on a broadcast network: routers achieve the Full state with their DR and BDR only, and the remaining routers (DROthers) see each other as 2-Way.
OSPF Configuration
OSPF configuration is not too complicated, but has some important syntax distinctions from EIGRP. First, it is configured from router configuration mode and requires a process ID appended to the router ospf command. The process ID is only locally significant, so don't worry if it doesn't match on other OSPF routers.
R1(config)# router ospf process-id
The next step is to determine which router interfaces you want participating in OSPF. Just like EIGRP, the network statements define which local router interfaces will participate.
R1(config)# router ospf 10
R1(config-router)# network 10.1.1.0 0.0.0.255 area 0
R1(config-router)# network 10.9.9.0 0.0.0.255 area 1
In the example above, interfaces with addresses in the 10.1.1.0/24 subnet will participate in OSPF area 0, and interfaces in the 10.9.9.0/24 subnet will participate in OSPF area 1. Unlike EIGRP, the wildcard mask in the network statement is not optional. Note that the network statement selects interfaces to run OSPF on; it does not advertise the prefix it names, the interface's actual subnet and mask are what get advertised. Let's do another example.
R1 has six interfaces, all within area 0:
GigabitEthernet 0/0: 192.168.100.1/24
GigabitEthernet 0/1: 192.168.101.1/24
GigabitEthernet 0/2: 192.168.102.1/24
GigabitEthernet 0/3: 192.168.103.1/24
Serial 1/0: 10.100.100.1/30
Serial 1/1: 10.100.100.5/30
The simplest way to configure OSPF on all interfaces into area 0 would be to use this command:
R1(config-router)# network 0.0.0.0 255.255.255.255 area 0
A second option is to break up the 10. and 192. networks into
different statements:
R1(config-router)# network 10.0.0.0 0.255.255.255 area 0
R1(config-router)# network 192.168.100.0 0.0.3.255 area 0
The third way to configure the interfaces to participate in
OSPF:
R1(config-router)# network 10.100.100.1 0.0.0.0 area 0
R1(config-router)# network 10.100.100.5 0.0.0.0 area 0
R1(config-router)# network 192.168.100.1 0.0.0.0 area 0
R1(config-router)# network 192.168.101.1 0.0.0.0 area 0
R1(config-router)# network 192.168.102.1 0.0.0.0 area 0
R1(config-router)# network 192.168.103.1 0.0.0.0 area 0
All three approaches achieve the exact same result. The
configuration you choose is up to you.
Interface Configuration
An alternative is to enable OSPF on an interface directly. The ip ospf process-id area area-id interface command takes precedence over the more common network statements for that interface.
R1(config)# int gig 0/1
R1(config-if)# ip ospf 10 area 0
Router ID
The SPF algorithm uses a Router ID to identify each router (hop) along a path. The problem, of course, is that routers don't have a generic router ID built in.
On Cisco routers the RID is chosen, in order of preference, as: the value set with the router-id command; otherwise the highest IP address assigned to a loopback interface; otherwise the highest IP address assigned to an active interface when the OSPF process starts.
OSPF will not change the RID once chosen, even if another interface with a higher IP address comes online, unless the OSPF process is restarted. This helps keep the network stable.
Note: The clear ip ospf process command forces the OSPF process to restart (and re-select the RID), but it tears down every adjacency and causes an outage, so use it with caution.
Loopbacks are preferred for use as a router ID because they are virtual interfaces and are not affected by physical links going up and down. To configure a loopback interface, first create it and assign it an IP address.
R1(config)# int loopback 0
R1(config-if)# ip address 10.100.100.1 255.255.255.255
Static RIDs
The most predictable option is to define the Router ID explicitly with the router-id command under the OSPF process. Every RID must be unique within the OSPF domain; duplicate RIDs cause routers to fight over each other's LSAs and produce intermittent reachability problems that are hard to diagnose.
R1(config)# router ospf 10
R1(config-router)# router-id 10.100.100.1
DRs & BDRs
SPF works by mapping all paths to every destination on each router. It uses the RID to identify hops along each path and uses bandwidth-derived cost as the metric between those hops. This whole system works really well when routers are connected with point-to-point links and OSPF traffic is simply sent using multicast address 224.0.0.5.
It doesn't scale well, however, when routers connect to a multiaccess network like an Ethernet VLAN: with n routers on the segment, every router would otherwise need a full adjacency with every other router, n(n-1)/2 adjacencies and as many copies of every LSA. Multiaccess OSPF links therefore require a Designated Router (DR) to be elected to represent the entire segment. Another router is then elected as the Backup Designated Router, or BDR. On that specific multiaccess segment, routers only form full adjacencies with the DR and BDR.
The DR originates the type 2 (network) LSA describing the segment and floods updates to all routers on it over multicast address 224.0.0.5. The non-designated routers (DROthers) send their updates to 224.0.0.6 so that they reach only the DR and BDR.
Elections
1. When the OSPF process on a router starts up, it listens for hellos. If it does not receive any within its wait time (equal to the dead interval), it elects itself the DR.
2. If hellos are received before the wait time expires, the router with the highest OSPF priority is elected as the DR. Next, the same process happens to elect the BDR. Note: If a router's OSPF priority is set to 0, it will not participate in the elections.
3. If two routers happen to have the same OSPF priority, the router with the highest Router ID will become DR. The same is true for the BDR.
Once a DR is elected, elections do not take place again until either the DR or BDR goes down. This essentially means that there is no OSPF DR preemption if another router comes online with a higher OSPF priority. If the DR goes down, the BDR automatically takes over the DR role and a new BDR election occurs.
Be aware that a router with a non-zero priority that happens to boot first can become the DR just because it did not receive any hellos when its OSPF process started, even though it may have a low OSPF priority.
The default OSPF priority is 1, and Cisco recommends manually raising it on the routers you want to become the DR and BDR (and setting it to 0 on routers that should never take either role).
Remember that DRs are only used on multiaccess links, so they are only significant at the interface level. A router with two different interfaces connected to two different multiaccess links will take part in a separate DR election on each segment. To set the OSPF priority, use the ip ospf priority command on the interface connected to the multiaccess segment. Values can be between 0 and 255.
R1(config)# int gig 0/1
R1(config-if)# ip ospf priority 255
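As an added example (not from the original notes), the election rules above as a function: highest priority wins, Router ID breaks ties numerically, priority 0 is ineligible, and an existing DR/BDR is never preempted, so a router that boots alone keeps the DR role when better candidates arrive, and when the DR fails only the BDR role is re-elected. The segment below is constructed. RFC 2328 section 9.4 also considers which routers already declare themselves DR/BDR in their hellos; that refinement is left out here.

```python
"""DR/BDR election on one multiaccess segment, following the rules in the notes:
highest priority wins, Router ID breaks ties, priority 0 is ineligible, and
an elected DR/BDR is never preempted.

Added example; the segment used below is constructed.
"""
import ipaddress


def rid_value(rid):
    """Router IDs compare numerically, not as strings (10.1.1.9 < 10.1.1.10)."""
    return int(ipaddress.IPv4Address(rid))


def elect(routers, current_dr=None, current_bdr=None):
    """routers: {rid: priority} for every router currently heard on the
    segment.  current_dr/current_bdr: the roles before this hello round.
    Returns (dr, bdr), with None where nobody is eligible."""
    eligible = {rid: prio for rid, prio in routers.items() if prio > 0}
    rank = lambda rid: (eligible[rid], rid_value(rid))  # higher tuple wins

    # No preemption: a DR/BDR that is still present keeps its role.
    dr = current_dr if current_dr in eligible else None
    bdr = current_bdr if current_bdr in eligible else None
    if dr is None and bdr is not None:
        dr, bdr = bdr, None            # BDR is promoted; only BDR is re-elected
    if dr is None and eligible:
        dr = max(eligible, key=rank)
    if bdr is None:
        rest = [rid for rid in eligible if rid != dr]
        bdr = max(rest, key=rank) if rest else None
    return dr, bdr


if __name__ == "__main__":
    segment = {"10.1.1.1": 1, "10.1.1.2": 1, "10.1.1.3": 0, "10.1.1.4": 100}
    dr, bdr = elect(segment)
    print("initial election:", dr, bdr)
    segment["10.1.1.5"] = 255                 # a better candidate joins late
    dr, bdr = elect(segment, dr, bdr)
    print("after 10.1.1.5 joins (no preemption):", dr, bdr)
    del segment["10.1.1.4"]                   # the DR fails
    print("after DR failure:", elect(segment, dr, bdr))
```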
OSPF over the WAN
Routing protocols assume both broadcast capability and full-mesh connectivity on multiaccess networks. For OSPF, there are a few points to consider:
Full-mesh environments can use physical interfaces, but often subinterfaces are used
Partial-mesh environments should be configured using point-to-point subinterfaces
Hub-and-spoke environments should elect the hub as the DR (spokes set to priority 0) or use point-to-point subinterfaces, which don't require a DR
Frame Relay and ATM maps should include the broadcast attribute so that OSPF's multicast hellos are delivered
In multiaccess environments, the DR and BDR should have full virtual-circuit connectivity to all other routers
Summarization
First, it's important to note that running the SPF algorithm is CPU intensive, because OSPF has to compute the best path to every destination within its area. Avoiding running the algorithm whenever it isn't required is a big win. Summarization has two important benefits for OSPF. It prevents topology changes from being passed outside an area, thus reducing the number of routers that must re-run SPF. It also consolidates many routes into a single advertisement, reducing the memory load and database size on OSPF-enabled routers. There are two types of route summarization: inter-area and external.
Inter-area Summarization (LSA Type 3)
This occurs on ABRs to summarize routes between areas. It really only works well if the networks contained within an area are subnetted contiguously so that they can be summarized into a single statement. The new summary route's cost will be equal to the lowest-cost route within the summary range. After the command is entered, the router automatically installs a discard route for the summary pointing to Null0, so that packets for addresses inside the summary with no more specific route are dropped rather than forwarded in a loop.
Example:
ABR-R1(config)# router ospf 10
ABR-R1(config-router)# area 2 range 10.100.0.0 255.255.0.0
In this example, the subnets of area 2 that fall within 10.100.0.0/16 are advertised into the other areas as the single summary 10.100.0.0/16.
External Summarization (LSA Type 5)
This occurs on ASBRs for routes that are injected into OSPF via route redistribution. After the command is entered, the router automatically installs a discard route for the summary pointing to Null0.
Example:
ASBR-R1(config)# router ospf 10
ASBR-R1(config-router)# summary-address 192.168.0.0 255.255.0.0
In this example, the redistributed networks within 192.168.0.0/16 are summarized into 192.168.0.0/16 and injected into OSPF via a single type 5 LSA.
OSPF Passive Interfaces
Like EIGRP, OSPF supports passive interfaces. The passive-interface interface command under the OSPF process suppresses hellos on that interface, so no adjacency can form out of it, while the interface's subnet is still advertised into OSPF. Use it on user-facing segments where no neighbor should ever be accepted; otherwise any host on that segment can attempt to become an OSPF neighbor.
OSPF Default Routes
Default routes are injected into OSPF via type 5 LSAs. There are multiple ways to inject a default route into OSPF, but Cisco recommends using the default-information originate command under the OSPF routing process.
R1(config)# router ospf 10
R1(config-router)# default-information originate [always] [metric metric]
If the always keyword is not used, OSPF will only advertise a default route that it has learned from another source, like a static route, and withdraws the advertisement if that route disappears. If the always keyword is present, a default route is advertised regardless of whether one exists in the routing table, which can blackhole traffic if this router loses its own exit path.
Another option is to use the area range and summary-address commands discussed in the summarization section above. Using these to summarize down to 0.0.0.0/0 results in the router advertising a default route pointing to itself.
Stub and Not-So-Stubby Areas
Stub areas are another way to simplify the route information that gets advertised. Area 2 in the diagram above shows an example.
The ABR of a stub area (R3 in this example) does not flood external (type 5) routes into the area and instead injects a default route of 0.0.0.0. That is, routers in the stub area do not know about any non-OSPF route information from outside their own area.
A Cisco proprietary version of a stub area is a Totally Stubby Area, or TSA. TSAs do not accept any external routes from non-OSPF sources AND they do not accept inter-area (summary) routes from other areas within their OSPF autonomous system. If a router needs to send traffic to a destination outside its own area, it sends the traffic using the default route.
ABRs inject default routes into Stub and Totally Stubby areas.
A stub area is made into a Totally Stubby Area by appending the no-summary keyword to the area stub command on the ABR; only the ABR needs no-summary, the other routers in the area are configured as plain stub.
Example:
R3(config)# router ospf 10
R3(config-router)# area 2 stub no-summary
R3(config-router)# area 2 stub default-cost 8
The example above sets area 2 as a totally stubby area. The default-cost command is optional and in this case changes the cost of the injected default route from 1 to 8.
Stub Limitations
Virtual links cannot transit a stub area
Cannot include an ASBR
The stub configuration must be applied to every router within the stub area
Area 0 cannot be a stub
Bullet point 3 is extremely important! The stub flag is carried in every hello as the E bit of the Options field. If two routers are connected but one does not have the stub statement configured, their hellos disagree on that bit, the hellos are dropped, and they will not form a neighbor adjacency.
Not-So-Stubby Areas, or NSSAs, were an addendum to the original OSPF RFC and defined a new special LSA, type 7. NSSAs are very similar to stub areas, but they allow the use of ASBRs in the area, something stub areas prohibit.
External routes are advertised by the ASBR as type 7 LSAs, and the NSSA ABR then translates them into type 5 external LSAs when it advertises them into adjacent areas.
NSSA is configured using the area area-number nssa command, as seen in the example below. Using the no-summary keyword turns the area into a Totally Stubby NSSA. A Totally Stubby NSSA does not accept external or summary routes from other areas.
Lastly, the NSSA ABR does not by default advertise a default route into the area (unless no-summary is used, in which case a type 3 default route is injected automatically). The default-information-originate option does just that.
R4(config)# router ospf 10
R4(config-router)# area 1 nssa [no-summary] [default-information-originate]
OSPF Virtual Links
OSPF has strict rules around how areas connect and where they can be located. More specifically, every area must be connected to area 0, and area 0 must be contiguous, meaning it cannot be broken into multiple disconnected pieces of area 0.
Virtual links were developed as a band-aid for situations that temporarily must violate those requirements. A virtual link connects an area that does not attach directly to area 0 to the backbone, and it can also join two partitions of area 0 together!
Keep in mind that Cisco recommends virtual links be a temporary workaround to a short-term problem, not a permanent design.
The diagram below illustrates an example where a virtual link could be used. Let's pretend Company ABC and Company XYZ just announced a merger and now their corporate networks must do the same. In this case, both routers R1 and R2 have now become ABRs and the virtual link configuration is applied to them. The command area area-number virtual-link router-id is applied on each ABR.
Note that the area used in the command is the transit area that the virtual link crosses (it cannot be a stub area). Also, the RID identifies the RID of the OTHER router at the far end of the link! In the example below, R2's RID is therefore 10.30.30.30 and R1's is 10.50.50.50.
Example:
R1(config)# router ospf 20
R1(config-router)# area 1 virtual-link 10.30.30.30
R2(config)# router ospf 20
R2(config-router)# area 1 virtual-link 10.50.50.50
OSPF Authentication
Out of the box, OSPF does not authenticate its protocol messages or route updates (authentication type 0, null), so any host on a segment can send hellos and LSAs and attempt to become a neighbor. OSPF does, however, support two message authentication options:
Simple Authentication, using plaintext keys: the password travels in the clear in the 64-bit authentication field of every OSPF packet, so anyone capturing traffic on the segment can read it. It guards against misconfiguration, not against an attacker.
MD5 Authentication: the key never leaves the router; each packet carries a key ID, a cryptographic sequence number (which resists replay) and a 16-byte MD5 digest computed over the packet and the shared key. MD5 is no longer considered a strong hash, and newer IOS releases also support HMAC-SHA authentication through key chains (RFC 5709), which should be preferred where available.
Matching authentication methods and keys must be configured on each interface of a segment. Theoretically, different passwords could be applied to different router interfaces; the routers on the other ends of those links would just be required to have matching information.
Simple Authentication Example
R1(config)# int fa0/1
R1(config-if)# ip ospf authentication-key KEY123
R1(config-if)# ip ospf authentication
R1(config-if)# exit
R1(config)# router ospf 10
R1(config-router)# area 0 authentication
MD5 Authentication Example
R1(config)# int fa0/1
R1(config-if)# ip ospf message-digest-key 1 md5 KEY123
R1(config-if)# ip ospf authentication message-digest
R1(config-if)# exit
R1(config)# router ospf 10
R1(config-router)# area 0 authentication message-digest
** The 1 in the ip ospf message-digest-key 1 md5 KEY123 statement above is a key number (key ID); routers on a segment must agree on both the key ID and the key. The interface-level ip ospf authentication command enables authentication for that interface on its own; the area authentication command under the OSPF process enables it for every interface in the area. Both forms are shown together here.
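The following added example (not code from the original notes) builds OSPFv2 hello packets with the common 24-byte header described in the OSPF Messaging section and each of the three authentication types from this section, then verifies them the way a receiver would. Addresses, RIDs and keys are constructed. It makes the difference concrete: with simple authentication the password bytes are present in the packet, with MD5 they are not, a wrong key or a single flipped byte fails the digest check, and a receiver configured for MD5 rejects null-authenticated packets outright.

```python
"""OSPFv2 packet header and its three authentication types (RFC 2328 A.3.1
and Appendix D): null, simple password, and MD5 cryptographic authentication.

Added example for these notes; addresses, RIDs and keys are constructed.
"""
import hashlib
import hmac
import ipaddress
import struct

AUTH_NULL, AUTH_SIMPLE, AUTH_MD5 = 0, 1, 2
HELLO = 1
# version, type, length, router ID, area ID, checksum, autype, authentication
HDR = struct.Struct("!BBHIIHH8s")  # the common 24-byte OSPF header


def ip2int(addr):
    return int(ipaddress.IPv4Address(addr))


def ip_checksum(data):
    """One's-complement checksum as used in the OSPF header."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def hello_body(mask, hello=10, dead=40, priority=1, neighbors=(),
               dr="0.0.0.0", bdr="0.0.0.0", options=0x02):
    """Hello payload (RFC 2328 A.3.2).  options=0x02 is the E bit; stub
    areas clear it, which is the 'stub area flag' that must match."""
    body = struct.pack("!IHBBIII", ip2int(mask), hello, options, priority,
                       dead, ip2int(dr), ip2int(bdr))
    return body + b"".join(struct.pack("!I", ip2int(n)) for n in neighbors)


def build_packet(rid, area, body, autype=AUTH_NULL, key=b"",
                 key_id=1, crypt_seq=1):
    """Sender side: header + body, authenticated according to `autype`."""
    length = HDR.size + len(body)  # the MD5 trailer is never counted here
    if autype == AUTH_MD5:
        # Checksum stays zero; the auth field carries key ID, digest length
        # and a cryptographic sequence number that gives replay protection.
        auth = struct.pack("!HBBI", 0, key_id, 16, crypt_seq)
        pkt = HDR.pack(2, HELLO, length, ip2int(rid), ip2int(area),
                       0, AUTH_MD5, auth) + body
        # Keyed digest over the packet followed by the key padded to 16 bytes;
        # the key itself is never transmitted.
        digest = hashlib.md5(pkt + key.ljust(16, b"\0")[:16]).digest()
        return pkt + digest
    # Null/simple: checksum the packet with the auth field excluded, then
    # write the password (if any) into the auth field in the clear.
    unauth = HDR.pack(2, HELLO, length, ip2int(rid), ip2int(area),
                      0, autype, b"\0" * 8) + body
    auth = key.ljust(8, b"\0")[:8] if autype == AUTH_SIMPLE else b"\0" * 8
    return HDR.pack(2, HELLO, length, ip2int(rid), ip2int(area),
                    ip_checksum(unauth), autype, auth) + body


def verify(pkt, key=b"", expected_autype=AUTH_NULL):
    """Receiver side: returns (accepted, reason)."""
    if len(pkt) < HDR.size:
        return False, "too short"
    version, _, length, _, _, _, autype, auth = HDR.unpack_from(pkt)
    if version != 2 or length < HDR.size or length > len(pkt):
        return False, "malformed header"
    if autype != expected_autype:
        return False, "authentication type mismatch"
    if autype == AUTH_MD5:
        key_id, digest_len, seq = struct.unpack("!xxBBI", auth)
        if digest_len != 16 or len(pkt) < length + 16:
            return False, "bad MD5 trailer"
        expected = hashlib.md5(pkt[:length] + key.ljust(16, b"\0")[:16]).digest()
        if not hmac.compare_digest(expected, pkt[length:length + 16]):
            return False, "MD5 digest mismatch (wrong key or altered packet)"
        return True, f"md5 key-id {key_id} seq {seq}"
    # The checksum covers all but the 64-bit auth field; with the stored
    # checksum included, a correct packet sums to zero.
    if ip_checksum(pkt[:16] + b"\0" * 8 + pkt[24:length]) != 0:
        return False, "checksum mismatch"
    if autype == AUTH_SIMPLE and auth != key.ljust(8, b"\0")[:8]:
        return False, "password mismatch"
    return True, "null auth" if autype == AUTH_NULL else "simple password ok"


if __name__ == "__main__":
    body = hello_body("255.255.255.0", neighbors=("10.100.100.2",))
    for autype, name in ((AUTH_NULL, "null"), (AUTH_SIMPLE, "simple"), (AUTH_MD5, "md5")):
        pkt = build_packet("10.100.100.1", "0.0.0.0", body, autype, b"KEY123")
        print(f"{name:<6} key visible: {b'KEY123' in pkt!s:<5} "
              f"{verify(pkt, b'KEY123', autype)}  {pkt.hex()}")
```

The cryptographic sequence number is what stops a captured MD5-authenticated packet from being replayed later; a real receiver also has to remember the last sequence number seen per neighbor and reject anything lower, which this example leaves to the reader.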
OSPF Verification
The OSPF neighbor table can be viewed using the show ip ospf neighbor command. It shows the state of each neighbor adjacency (Full, 2-Way, and the in-progress states), each neighbor's priority and address, and the DR and BDR assignments.
To show which OSPF routes have been installed in the routing table, issue the show ip route ospf command.
The show ip ospf command displays the RID, counters, and timers.
To see which router interfaces are participating in OSPF (with their area assignments, cost, state, and the DR/BDR on each segment), use the show ip ospf interface command.