Introducing OSPF
Open Shortest Path First is a link-state routing protocol. You can think of a link as an interface on a router. The state of the link is a description of that interface and of its relationship to its neighboring routers. A description of the interface would include, for example, the IP address of the interface, the subnet mask, the type of network to which it is connected, the routers that are connected to that network, and so on. The collection of all of these link states forms a link-state database.
A router sends link-state advertisement (LSA) packets to advertise its state periodically (every 30 minutes, the LSA refresh interval) and immediately when the router state changes. Information about attached interfaces, metrics used, and other variables is included in OSPF LSAs. As OSPF routers accumulate link-state information, they use the shortest path first (SPF) algorithm to calculate the shortest path to each node.
A topological (link-state) database is, essentially, an overall picture of networks in relation to routers. The topological database contains the collection of LSAs received from all routers in the same area. Because routers within the same area share the same information, they have identical topological databases.
OSPF can operate within a hierarchy. The largest entity within the hierarchy is the autonomous system, which is a collection of networks under a common administration that share a common routing strategy. An autonomous system can be divided into a number of areas, which are groups of contiguous networks and attached hosts. Figure 4-1 shows an example of an OSPF hierarchy.
Figure 4-1 OSPF Hierarchy
OSPF uses a two-layer network hierarchy that has two primary elements:
- Autonomous system: An autonomous system consists of a collection of networks under a common administration that share a common routing strategy. An autonomous system, sometimes called a domain, can be logically subdivided into multiple areas.
- Area: An area is a grouping of contiguous networks. Areas are logical subdivisions of the autonomous system.
Within each autonomous system, a contiguous backbone area must be defined. All other nonbackbone areas are connected off the backbone area. The backbone area is the transition area because all other areas communicate through it. For OSPF, the nonbackbone areas can be additionally configured as stub areas, totally stubby areas, or not-so-stubby areas (NSSA) to help reduce the link-state database and routing table size.
OSPF special areas such as NSSAs, totally stubby areas, and stub areas are beyond the scope of this text. Routers that operate within the two-layer network hierarchy have different routing entities and different functions in OSPF. The following are some examples based on Figure 4-1:
- Router B is the backbone router. The backbone router provides connectivity between different areas.
- Routers C, D, and E are area border routers (ABR). ABRs attach to multiple areas, maintain separate link-state databases for each area to which they are connected, and route traffic destined for or arriving from other areas.
- Routers F, G, and H are nonbackbone, internal routers. Nonbackbone, internal routers are aware of the topology within their respective areas and maintain identical link-state databases about the areas.
- Depending on the configuration of the OSPF nonbackbone area (stub area, totally stubby area, or NSSA), the ABR advertises a default route to the nonbackbone internal routers. A nonbackbone internal router uses that default route to forward all interarea or interdomain traffic to the ABR.
- Router A is the autonomous system boundary router (ASBR) that connects to an external routing domain, or autonomous system.
- Router I is a router that belongs to another routing domain, or autonomous system.
Establishing OSPF Neighbor Adjacencies
Neighbor OSPF routers must recognize each other on the network before they can share information because OSPF routing depends on the status of the link between two routers. This process is done using the Hello protocol. The Hello protocol establishes and maintains neighbor relationships by ensuring bidirectional (two-way) communication between neighbors. Bidirectional communication occurs when a router recognizes itself listed in the hello packet received from a neighbor. Figure 4-2 illustrates the hello packet.
Figure 4-2 OSPF Hello
Each interface that is participating in OSPF uses IP multicast address 224.0.0.5 to periodically send hello packets. A hello packet contains the following information:
- Router ID: The router ID is a 32-bit number that uniquely identifies the router. The highest IP address on an active interface is chosen by default, unless a loopback interface or the router ID is configured; for example, IP address 172.16.12.1 would be chosen over 172.16.1.1. This identification is important in establishing and troubleshooting neighbor relationships and coordinating route exchanges.
- Hello and dead intervals: The hello interval specifies the frequency in seconds at which a router sends hello packets. The default hello interval on multiaccess networks is 10 seconds. The dead interval is the time in seconds that a router waits to hear from a neighbor before declaring the neighboring router out of service. By default, the dead interval is four times the hello interval. These timers must be the same on neighboring routers; otherwise, an adjacency will not be established.
- Neighbors: The Neighbors field lists the adjacent routers with established bidirectional communication. This bidirectional communication is indicated when the router recognizes itself listed in the Neighbors field of the hello packet from the neighbor.
- Area ID: To communicate, two routers must share a common segment, and their interfaces must belong to the same OSPF area on that segment. The neighbors must also share the same subnet and mask. All these routers will have the same link-state information.
- Router priority: The router priority is an 8-bit number that indicates the priority of a router. OSPF uses the priority to select a designated router (DR) and a backup DR (BDR).
- DR and BDR IP addresses: These are the IP addresses of the DR and BDR for the specific network, if they are known.
- Authentication password: If router authentication is enabled, two routers must exchange the same password. OSPF has three types of authentication: Null (no authentication), simple (plain-text passwords), and MD5. Authentication is not required, but if it is enabled, all peer routers must have the same password.
- Stub area flag: A stub area is a special area. Designating a stub area is a technique that reduces routing updates by replacing them with a default route. Two routers must agree on the stub area flag in the hello packets.
SPF Algorithm
The SPF algorithm places each router at the root of a tree and calculates the shortest path to each node, using Dijkstra’s algorithm, based on the cumulative cost that is required to reach that destination. LSAs are flooded throughout the area using a reliable algorithm, which ensures that all routers in an area have the same topological database. Each router uses the information in its topological database to calculate a shortest path tree, with itself as the root. The router then uses this tree to route network traffic. Figure 4-3 represents the Router A view of the network, where Router A is the root and calculates pathways assuming this view.
Each router has its own view of the topology, even though all of the routers build a shortest-path tree using the same link-state database.
The cost, or metric, of an interface is an indication of the overhead that is required to send packets across a certain interface. The interface cost is inversely proportional to the bandwidth, so a higher bandwidth indicates a lower cost. There is more overhead, higher cost, and more time delays involved in crossing a T1 serial line than in crossing a 10-Mbps Ethernet line.
Figure 4-3 SPF Algorithm for Route Selection
The formula used to calculate OSPF cost is as follows:
cost = reference bandwidth / interface bandwidth (in bps)
The default reference bandwidth is 10^8 (100,000,000 bps), the bandwidth of FastEthernet, and the result is truncated to an integer. Therefore, the default cost of a 10-Mbps Ethernet link is 10^8 / 10^7 = 10, and the cost of a T1 link is 10^8 / 1,544,000 = 64.
Because the result is truncated and the minimum cost is 1, every link of 100 Mbps or faster receives the same cost of 1 at the default reference bandwidth, so OSPF cannot prefer a Gigabit Ethernet link over a FastEthernet link. To adjust the reference bandwidth for links with bandwidths greater than FastEthernet, use the auto-cost reference-bandwidth ref-bw command (ref-bw in Mbps) in OSPF router configuration mode. Configure the same reference bandwidth on every router in the domain; otherwise, routers compute inconsistent costs for the same links.
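The following Python program is an added example, not code from the page or from Cisco IOS. It implements the cost formula above (reference bandwidth divided by interface bandwidth, truncated, never below 1) and then runs Dijkstra's shortest path first over a small constructed link-state database with one router at the root, exactly as the SPF discussion describes. The topology, the router names A to E, and the bandwidths are assumptions chosen to show two things the formulas alone do not: how the truncation makes a T1 backdoor link irrelevant next to two FastEthernet hops, and how raising the reference bandwidth rescales every cost. Equal-cost next hops are kept up to a maximum-paths limit, defaulting to the IOS value of 4.

```python
import heapq

REF_BW_DEFAULT_BPS = 100_000_000  # 10^8 bps: the default reference bandwidth (FastEthernet)


def ospf_cost(interface_bw_bps: int, reference_bw_bps: int = REF_BW_DEFAULT_BPS) -> int:
    """OSPF interface cost: reference bandwidth / interface bandwidth, truncated to an
    integer and clamped to 1..65535 (an interface cost can never be 0)."""
    return max(1, min(65535, reference_bw_bps // interface_bw_bps))


# Constructed topology (an assumption, not the page's Figure 4-3): each tuple is
# (router, router, link bandwidth in bps); every link is bidirectional.
LINKS = [
    ("A", "B", 100_000_000),   # FastEthernet
    ("A", "C", 100_000_000),   # FastEthernet
    ("B", "D", 100_000_000),
    ("C", "D", 100_000_000),
    ("A", "D", 1_544_000),     # T1 backdoor link between A and D
    ("D", "E", 10_000_000),    # 10-Mbps Ethernet
]


def build_lsdb(links):
    """Link-state database as an adjacency map: router -> [(neighbor, bandwidth)]."""
    lsdb = {}
    for a, b, bw in links:
        lsdb.setdefault(a, []).append((b, bw))
        lsdb.setdefault(b, []).append((a, bw))
    return lsdb


def spf(lsdb, root, reference_bw_bps=REF_BW_DEFAULT_BPS, maximum_paths=4):
    """Dijkstra's algorithm with `root` at the root of the tree.
    Returns {destination: (cumulative cost, sorted list of next-hop routers)}.
    Equal-cost paths are retained, capped at `maximum_paths` (IOS default 4)."""
    dist = {root: 0}
    nexthops = {root: []}
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue  # stale heap entry; a shorter path to u was already found
        for v, bw in lsdb[u]:
            nd = d + ospf_cost(bw, reference_bw_bps)
            # The next hop as seen from the root: v itself if u is the root,
            # otherwise whatever next hops reach u.
            via = [v] if u == root else nexthops[u]
            if v not in dist or nd < dist[v]:
                dist[v] = nd
                nexthops[v] = list(via)
                heapq.heappush(heap, (nd, v))
            elif nd == dist[v]:
                # Equal-cost path: merge its next hops, up to maximum-paths.
                for nh in via:
                    if nh not in nexthops[v] and len(nexthops[v]) < maximum_paths:
                        nexthops[v].append(nh)
    return {n: (dist[n], sorted(nexthops[n])) for n in dist if n != root}


if __name__ == "__main__":
    lsdb = build_lsdb(LINKS)
    for ref in (REF_BW_DEFAULT_BPS, 10_000_000_000):
        print(f"reference bandwidth {ref // 1_000_000} Mbps:")
        for dest, (cost, hops) in sorted(spf(lsdb, "A", ref).items()):
            print(f"  {dest}: cost {cost:5d} via {hops}")
```

With the default reference bandwidth, Router A reaches D at cost 2 through both B and C (the T1 path costs 64 and never enters the routing table), and E at cost 12. With a 10-Gbps reference bandwidth the same paths cost 200 and 1200, which is why the reference bandwidth must match on every router: a router still using 10^8 would compute costs that disagree with its neighbors' LSAs.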
Configuring and Verifying OSPF
The router ospf command uses a process identifier as an argument. The process ID is a unique, arbitrary number that you select to identify the routing process. The process ID does not need to match the OSPF process ID on other OSPF routers.
The network command identifies which IP networks on the router are part of the OSPF network. For each network, you must also identify the OSPF area to which the networks belong. The network command takes the three arguments listed in Table 4-1. The table defines the parameters of the network command.
Table 4-1 network Command Parameters
Calculating wildcard masks on non-8-bit boundaries can be prone to error. You can avoid calculating wildcard masks by having a network statement that matches the IP address on each interface and uses the 0.0.0.0 mask.
Figure 4-4 shows an example of a single-area OSPF configuration on Router B.
Figure 4-4 Single-Area OSPF
Loopback Interfaces
The OSPF router ID is used to uniquely identify each router in the OSPF network. By default, this ID is selected by the operating system from the configured IP addresses on the router. To modify the OSPF router ID to use a loopback address, first define a loopback interface with the following command:
RouterX(config)# interface loopback number
The highest IP address, used as the router ID by default, can be overridden by configuring an IP address on a loopback interface. OSPF is more reliable if a loopback interface is configured because the interface is always active and cannot be in a down state like a “real” interface can. For this reason, the loopback address should be used on all key routers. If the loopback address is going to be published with the network area command, using a private IP address will save on registered IP address space. Note that a loopback address requires a different subnet for each router, unless the host address is advertised.
Using an address that is not advertised saves real IP address space, but unlike an address that is advertised, the unadvertised address does not appear in the OSPF table and thus cannot be accessed across the network. Therefore, using a private IP address represents a trade-off between the ease of debugging the network and conservation of address space. Figure 4-5 highlights some of the advantages and disadvantages of using advertised and unadvertised loopback addresses.
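The following Python program is an added example, not code from the page or from Cisco IOS; it models two decisions described above: which interfaces a set of network statements enable (including the 0.0.0.0 wildcard that matches exactly one address, and the error-prone wildcard for a non-octet boundary such as /27), and which router ID results from the loopback-before-physical-interface precedence. The interface table, the addresses, and the network statements are constructed assumptions, and the model evaluates network statements in list order with the most specific first; IOS's own matching is not reproduced beyond the bit comparison. One detail the example makes explicit is that "highest IP address" is a numeric comparison, so 10.0.0.1 beats 9.0.0.1 even though a string comparison would say otherwise.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed router state (hypothetical): (interface name, IPv4 address, prefix length, line protocol up?)
INTERFACES: List[Tuple[str, str, int, bool]] = [
    ("Loopback0",       "10.1.1.1",      32, True),
    ("FastEthernet0/0", "172.16.12.1",   24, True),
    ("FastEthernet0/1", "172.16.1.1",    24, True),
    ("Serial0/0/1",     "192.168.1.101", 27, False),   # link currently down
]

# Constructed 'network address wildcard area' statements, most specific first.
NETWORK_STATEMENTS: List[Tuple[str, str, int]] = [
    ("172.16.12.0",  "0.0.0.255",   1),   # one /24 into area 1
    ("172.16.0.0",   "0.0.255.255", 0),   # the rest of 172.16.0.0/16 into area 0
    ("10.1.1.1",     "0.0.0.0",     0),   # exactly the loopback address
    ("192.168.1.96", "0.0.0.31",    0),   # a /27: wildcard 0.0.0.31
]


def wildcard_mask(prefix_len: int) -> str:
    """The inverse of the subnet mask: 0 bits must match, 1 bits are don't-care."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").hostmask)


def network_statement_matches(address: str, wildcard: str, iface_ip: str) -> bool:
    """An interface is enabled for OSPF when every bit that is 0 in the wildcard mask
    is identical between the network address and the interface address."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(address)) & care) == (int(ipaddress.IPv4Address(iface_ip)) & care)


def ospf_enabled_interfaces(interfaces, statements) -> Dict[str, int]:
    """Map each matched interface name to the area of the first statement that matches it."""
    result: Dict[str, int] = {}
    for name, ip, _plen, _up in interfaces:
        for address, wildcard, area in statements:
            if network_statement_matches(address, wildcard, ip):
                result[name] = area
                break
    return result


def select_router_id(interfaces, configured_router_id: Optional[str] = None) -> Optional[str]:
    """Router ID precedence: an explicitly configured router ID, then the highest IP
    address on a loopback interface, then the highest IP address on an active interface."""
    if configured_router_id:
        return configured_router_id
    loopbacks = [ip for name, ip, _, up in interfaces if name.lower().startswith("loopback") and up]
    if loopbacks:
        return str(max(map(ipaddress.IPv4Address, loopbacks)))
    active = [ip for _, ip, _, up in interfaces if up]
    if not active:
        return None  # no usable address: the OSPF process cannot start
    return str(max(map(ipaddress.IPv4Address, active)))


if __name__ == "__main__":
    for plen in (24, 27, 30, 32):
        print(f"/{plen} -> wildcard {wildcard_mask(plen)}")
    for name, area in ospf_enabled_interfaces(INTERFACES, NETWORK_STATEMENTS).items():
        print(f"{name}: area {area}")
    print("router ID:", select_router_id(INTERFACES))
```

Note that a network statement still matches a down interface (Serial0/0/1 here); the interface is enabled for OSPF but takes part only once its line protocol comes up, which is the point of preferring an always-up loopback for the router ID.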
Figure 4-5 Loopback Addresses
Verifying the OSPF Configuration
You can use any one of a number of show commands to display information about an OSPF configuration. The show ip protocols command displays parameters about timers, filters, metrics, networks, and other information for the entire router.
The show ip route command displays the routes that are known to the router and how they were learned. This command is one of the best ways to determine connectivity between the local router and the rest of the internetwork. Example 4-1 shows the output from the show ip route command for a router running OSPF.
Example 4-1 Displaying Routes Known by Router
RouterX#show ip route
Codes: I - IGRP derived, R - RIP derived, O - OSPF derived,
       C - connected, S - static, E - EGP derived, B - BGP derived,
       * - candidate default route, IA - OSPF inter area route,
       i - IS-IS derived, ia - IS-IS, U - per-user static route,
       o - on-demand routing, M - mobile, P - periodic downloaded static route,
       D - EIGRP, EX - EIGRP external, E1 - OSPF external type 1 route,
       E2 - OSPF external type 2 route, N1 - OSPF NSSA external type 1 route,
       N2 - OSPF NSSA external type 2 route

Gateway of last resort is 10.119.254.240 to network 10.140.0.0

O    10.110.0.0 [110/5] via 10.119.254.6, 0:01:00, Ethernet2
O IA 10.67.10.0 [110/10] via 10.119.254.244, 0:02:22, Ethernet2
O    10.68.132.0 [110/5] via 10.119.254.6, 0:00:59, Ethernet2
O    10.130.0.0 [110/5] via 10.119.254.6, 0:00:59, Ethernet2
O E2 10.128.0.0 [170/10] via 10.119.254.244, 0:02:22, Ethernet2
Table 4-2 describes the significant fields shown in the show ip route display.
Table 4-2 IP Routing Table Fields
Use the show ip ospf command to verify the OSPF router ID. This command also displays OSPF timer settings and other statistics, including the number of times the SPF algorithm has been executed. In addition, this command has optional parameters so you can further specify the information that is to be displayed.
Example 4-2 shows the output from this command when it is executed on Router X.
Example 4-2 show ip ospf Command Output
RouterX#show ip ospf
Routing Process "ospf 50" with ID 10.64.0.2
Supports only single TOS(TOS0) routes
Supports opaque LSA
Supports Link-local Signaling (LLS)
Supports area transit capability
Initial SPF schedule delay 5000 msecs
Minimum hold time between two consecutive SPFs 10000 msecs
Maximum wait time between two consecutive SPFs 10000 msecs
Incremental-SPF disabled
Minimum LSA interval 5 secs
Minimum LSA arrival 1000 msecs
LSA group pacing timer 240 secs
Interface flood pacing timer 33 msecs
Retransmission pacing timer 66 msecs
Number of external LSA 0. Checksum Sum 0x000000
Number of opaque AS LSA 0. Checksum Sum 0x000000
Number of DCbitless external and opaque AS LSA 0
Number of DoNotAge external and opaque AS LSA 0
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Number of areas transit capable is 0
External flood list length 0
    Area BACKBONE(0)
        Area has no authentication
        SPF algorithm last executed 00:01:25.028 ago
        SPF algorithm executed 7 times
        Area ranges are
        Number of LSA 6. Checksum Sum 0x01FE3E
        Number of opaque link LSA 0. Checksum Sum 0x000000
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 0
        Flood list length 0
The show ip ospf interface command verifies that interfaces have been configured in the intended areas. If no loopback address is specified, the interface with the highest address is chosen as the router ID. This command also displays the timer intervals, including the hello interval, and shows the neighbor adjacencies. Example 4-3 demonstrates output from the show ip ospf interface command.
Example 4-3 show ip ospf interface Command Output
RouterX#show ip ospf interface ethernet 0
Ethernet 0 is up, line protocol is up
  Internet Address 192.168.254.202, Mask 255.255.255.0, Area 0.0.0.0
  AS 201, Router ID 192.168.99.1, Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State OTHER, Priority 1
  Designated Router id 192.168.254.10, Interface address 192.168.254.10
  Backup Designated router id 192.168.254.28, Interface addr 192.168.254.28
  Timer intervals configured, Hello 10, Dead 60, Wait 40, Retransmit 5
    Hello due in 0:00:05
  Neighbor Count is 8, Adjacent neighbor count is 2
    Adjacent with neighbor 192.168.254.28 (Backup Designated Router)
    Adjacent with neighbor 192.168.254.10 (Designated Router)
Table 4-3 describes the output for the show ip ospf interface command.
Table 4-3 show ip ospf interface Output
The show ip ospf neighbor command displays OSPF neighbor information on a per-interface basis. Example 4-4 shows output from the show ip ospf neighbor command, with a single line of summary information for each neighbor in the output.
Example 4-4 show ip ospf neighbor Command Output
RouterX# show ip ospf neighbor
ID              Pri  State         Dead Time  Address         Interface
10.199.199.137  1    FULL/DR       0:00:31    192.168.80.37   FastEthernet0/0
172.16.48.1     1    FULL/DROTHER  0:00:33    172.16.48.1     FastEthernet0/1
172.16.48.200   1    FULL/DROTHER  0:00:33    172.16.48.200   FastEthernet0/1
10.199.199.137  5    FULL/DR       0:00:33    172.16.48.189   FastEthernet0/1
For more specific information about a given neighbor, use the same command, but specify the router ID of that neighbor. Example 4-5 shows how to get specific information for the neighbor 10.199.199.137, which appears twice in Example 4-4 because it is reachable over two interfaces.
Example 4-5 show ip ospf neighbor Command Output for a Specific Neighbor
RouterX#show ip ospf neighbor 10.199.199.137
Neighbor 10.199.199.137, interface address 192.168.80.37
    In the area 0.0.0.0 via interface Ethernet0
    Neighbor priority is 1, State is FULL
    Options 2
    Dead timer due in 0:00:32
    Link State retransmission due in 0:00:04
Neighbor 10.199.199.137, interface address 172.16.48.189
    In the area 0.0.0.0 via interface Fddi0
    Neighbor priority is 5, State is FULL
    Options 2
    Dead timer due in 0:00:32
    Link State retransmission due in 0:00:03
Table 4-4 describes the significant fields for the show ip ospf neighbor command output.
Table 4-4 show ip ospf neighbor Output
Using OSPF debug Commands
The debug ip ospf events output shown in Example 4-6 might appear if any of the following situations occur:
- The IP subnet masks for the routers on the same network do not match.
- The OSPF hello interval for the router does not match the OSPF hello interval that is configured on a neighbor.
- The OSPF dead interval for the router does not match the OSPF dead interval that is configured on a neighbor.
If a router that is configured for OSPF routing is not seeing an OSPF neighbor on an attached network, perform the following tasks:
- Ensure that both routers have been configured with the same IP subnet mask and that the OSPF hello interval and dead intervals match on both routers.
- Ensure that both neighbors are part of the same area number and area type.
- Ensure that authentication type and passwords match.
Example 4-6 shows output from the debug ip ospf events command. The first message reports a dead interval mismatch (40 seconds received, 30 seconds configured) even though the hello interval and subnet mask agree. The second message reports a mismatched E bit in the hello options, which means the two routers disagree about the area type: one router is configured for the area to be a normal (transit) area and sets the E bit in its hellos, and the other is configured for the area to be a stub area and clears it, as explained in RFC 2328. Either mismatch causes the hello to be discarded, so no adjacency forms.
Example 4-6 debug ip ospf events Command Output
RouterX#debug ip ospf events
OSPF: hello with invalid timers on interface Ethernet0
  hello interval received 10 configured 10
  net mask received 255.255.255.0 configured 255.255.255.0
  dead interval received 40 configured 30
OSPF: hello packet with mismatched E bit
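The following Python program is an added example, not code from the page or from Cisco IOS. It builds and parses OSPFv2 hello packets using the RFC 2328 header and hello layouts, then applies the same checks that produce the debug ip ospf events messages above and that the troubleshooting list earlier in this section asks you to verify by hand: area ID, network mask, hello and dead intervals, authentication type, and the E bit (set in a normal area, clear in a stub area). It also implements the bidirectional-communication test from the Hello protocol discussion: the receiver looks for its own router ID in the Neighbors field. The router IDs, addresses, and local interface parameters are constructed assumptions; the sample bad hello deliberately reproduces the dead-interval and E-bit mismatches shown in Example 4-6. The OSPF checksum is left at zero because the example is about field agreement, not packet integrity.

```python
import struct
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

OSPF_VERSION = 2
OSPF_TYPE_HELLO = 1
OPT_E = 0x02  # Options E bit: set in a normal (transit) area, clear in a stub area
# RFC 2328 A.3.1 header: version, type, length, router ID, area ID, checksum, AuType, authentication
OSPF_HDR = struct.Struct("!BBH4s4sHH8s")
# RFC 2328 A.3.2 hello body: netmask, hello interval, options, priority, dead interval, DR, BDR
HELLO_FIXED = struct.Struct("!4sHBBI4s4s")


def _ip(b: bytes) -> str:
    return str(ipaddress.IPv4Address(b))


def _packed(a: str) -> bytes:
    return ipaddress.IPv4Address(a).packed


@dataclass
class LocalInterface:
    """The receiving interface's own OSPF parameters (hypothetical values)."""
    area: str
    netmask: str
    hello: int
    dead: int
    autype: int        # 0 null, 1 simple password, 2 MD5
    stub_area: bool


def build_hello(router_id, area, netmask, hello, dead, options, priority=1,
                dr="0.0.0.0", bdr="0.0.0.0", neighbors=(), autype=0) -> bytes:
    """Constructed OSPFv2 hello; the checksum field is left at 0 (not validated here)."""
    body = HELLO_FIXED.pack(_packed(netmask), hello, options, priority, dead, _packed(dr), _packed(bdr))
    body += b"".join(_packed(n) for n in neighbors)
    hdr = OSPF_HDR.pack(OSPF_VERSION, OSPF_TYPE_HELLO, OSPF_HDR.size + len(body),
                        _packed(router_id), _packed(area), 0, autype, b"\x00" * 8)
    return hdr + body


def parse_hello(pkt: bytes) -> Dict:
    version, ptype, length, rid, aid, _chk, autype, _auth = OSPF_HDR.unpack_from(pkt, 0)
    if version != OSPF_VERSION or ptype != OSPF_TYPE_HELLO:
        raise ValueError("not an OSPFv2 hello")
    if length < OSPF_HDR.size + HELLO_FIXED.size or length > len(pkt):
        raise ValueError("bad packet length")
    mask, hello, opts, prio, dead, dr, bdr = HELLO_FIXED.unpack_from(pkt, OSPF_HDR.size)
    start = OSPF_HDR.size + HELLO_FIXED.size
    neighbors = [_ip(pkt[i:i + 4]) for i in range(start, length - 3, 4)]  # 4 bytes per router ID
    return dict(router_id=_ip(rid), area=_ip(aid), autype=autype, netmask=_ip(mask),
                hello=hello, dead=dead, priority=prio, e_bit=bool(opts & OPT_E),
                dr=_ip(dr), bdr=_ip(bdr), neighbors=neighbors)


def hello_mismatches(h: Dict, local: LocalInterface) -> List[str]:
    """Reasons a received hello would be dropped, worded like the debug messages."""
    problems = []
    if h["area"] != local.area:
        problems.append(f"area received {h['area']} configured {local.area}")
    if h["autype"] != local.autype:
        problems.append(f"authentication type received {h['autype']} configured {local.autype}")
    if h["hello"] != local.hello:
        problems.append(f"hello interval received {h['hello']} configured {local.hello}")
    if h["netmask"] != local.netmask:
        problems.append(f"net mask received {h['netmask']} configured {local.netmask}")
    if h["dead"] != local.dead:
        problems.append(f"dead interval received {h['dead']} configured {local.dead}")
    if h["e_bit"] == local.stub_area:  # E must be clear on a stub area and set otherwise
        problems.append("mismatched E bit")
    return problems


def two_way(h: Dict, my_router_id: str) -> bool:
    """Bidirectional communication: the neighbor's hello lists our own router ID."""
    return my_router_id in h["neighbors"]


if __name__ == "__main__":
    local = LocalInterface("0.0.0.0", "255.255.255.0", hello=10, dead=30, autype=0, stub_area=False)
    bad = build_hello("10.0.0.2", "0.0.0.0", "255.255.255.0", 10, 40, options=0, neighbors=["10.0.0.1"])
    h = parse_hello(bad)
    print(f"hello from {h['router_id']}: {hello_mismatches(h, local) or 'accepted'}")
    print("two-way with 10.0.0.1:", two_way(h, "10.0.0.1"))
```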
To display information about each OSPF packet that is received, use the debug ip ospf packet privileged EXEC command. The no form of this command disables the debugging output.
The debug ip ospf packet command produces one set of information for each packet that is received. The output varies slightly depending on which authentication is used. Example 4-7 shows an OSPF message received and displayed by this debug command when Message Digest 5 (MD5) authentication is used.
Example 4-7 debug ip ospf packet Command Output
RouterX# debug ip ospf packet
OSPF: rcv. v:2 t:1 l:48 rid:200.0.0.116
      aid:0.0.0.0 chk:0 aut:2 keyid:1 seq:0x0
Table 4-5 describes the significance of the fields in this output.
Table 4-5 debug ip ospf packet Fields
Load Balancing with OSPF
Load balancing is a standard functionality of Cisco IOS Software that is available across all router platforms. It is inherent to the forwarding process in the router, and it enables a router to use multiple paths to a destination when it forwards packets. The number of paths used is limited by the number of entries that the routing protocol puts in the routing table. Four entries is the default in Cisco IOS Software for IP routing protocols except for BGP. BGP has a default of one entry. The maximum number of paths you can configure is 16.
Figure 4-6 shows an example of configuring an OSPF router to load balance across six equal-cost paths.
Figure 4-6 OSPF Equal-Cost Load Balancing
The cost (or metric) of an interface in OSPF indicates the overhead that is required to send packets across a certain interface. The cost of an interface is inversely proportional to its bandwidth. A higher bandwidth indicates a lower cost. By default, Cisco routers calculate the cost of an interface based on the bandwidth. However, you can force the cost of an interface with the ip ospf cost value command in interface configuration mode.
If equal-cost paths exist to the same destination, the Cisco implementation of OSPF can keep track of up to 16 next hops to the same destination in the routing table (which is called load balancing).
By default, the Cisco router supports up to four equal-cost paths to a destination for OSPF. Use the maximum-paths command under the OSPF router process configuration mode to set the number of equal-cost paths in the routing table, as shown in Example 4-8.
Example 4-8 Setting the Number of Equal-Cost Paths in the Routing Table
RouterX(config)#router ospf 1
RouterX(config-router)#maximum-paths ?
  <1-16>  Number of paths
RouterX(config-router)#maximum-paths 3
You can use the show ip route command to find equal-cost routes. Following is an example of the show ip route command output for a specific subnet that has multiple routes available in the routing table. Example 4-9 shows three equal-cost paths to the 194.168.20.0 network.
Example 4-9 Finding Equal-Cost Routes with the show ip route Command
RouterX#show ip route 194.168.20.0
Routing entry for 194.168.20.0/24
  Known via "ospf 1", distance 110, metric 74, type intra area
  Redistributing via ospf 1
  Last update from 10.10.10.1 on Serial1, 00:00:01 ago
  Routing Descriptor Blocks:
  * 20.20.20.1, from 204.204.204.1, 00:00:01 ago, via Serial2
      Route metric is 74, traffic share count is 1
    30.30.30.1, from 204.204.204.1, 00:00:01 ago, via Serial3
      Route metric is 74, traffic share count is 1
    10.10.10.1, from 204.204.204.1, 00:00:01 ago, via Serial1
      Route metric is 74, traffic share count is 1
Notice the three routing descriptor blocks. Each block is one available route. Also note the asterisk (*) next to one of the block entries. The asterisk corresponds to the active route that is used for new traffic. The term “new traffic” corresponds to a single packet or an entire flow to a destination, depending on whether the router is performing per-destination or per-packet load balancing.
OSPF Authentication
OSPF neighbor authentication (also called neighbor router authentication or route authentication) can be configured such that routers can participate in routing based on predefined passwords. When you configure neighbor authentication on a router, the router authenticates the source of each routing update packet that it receives. This authentication is accomplished by the exchange of an authenticating key (sometimes referred to as a password) that is known to both the sending and receiving router.
Types of Authentication
By default, OSPF uses null authentication (Type 0), which means that routing exchanges over a network are not authenticated. OSPF supports two other authentication methods:
- Plaintext (or simple) password authentication (Type 1)
- MD5 authentication (Type 2)
OSPF MD5 authentication never sends the key itself. Instead, the sender appends a 16-byte digest computed over the OSPF packet and the shared key, and carries a key ID and a non-decreasing cryptographic sequence number in the OSPF header (RFC 2328, Appendix D). A receiver discards packets whose sequence number is lower than the last one it accepted from that neighbor, which protects against replay of older packets. The plaintext password, by contrast, is visible to anyone who can capture traffic on the segment.
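The following Python program is an added example, not code from the page or from Cisco IOS. It implements the RFC 2328 Appendix D cryptographic authentication described above on both sides: signing a packet (zero the checksum, put the key ID, the 16-byte auth data length, and the sequence number in the 8-byte authentication field, append MD5 over the packet followed by the zero-padded 16-byte key) and verifying it with the sequence-number replay check. It also reconstructs the fields that the debug ip ospf packet output in Example 4-7 prints, and shows that with Type 1 authentication the key sits in the clear in the same 8-byte field. The hello body, the key ID, the keys, and the router ID 200.0.0.116 with packet length 48 are constructed assumptions chosen to match the debug line on the page. Two practitioner caveats are visible in the code: the RFC construction is MD5 over packet-plus-key rather than an HMAC (RFC 5709 defines HMAC-SHA replacements for it), and the RFC accepts a sequence number equal to the last one, so an exact copy of the most recent packet still passes.

```python
import hashlib
import hmac
import struct
import ipaddress
from typing import Dict, Tuple

AUTYPE_NULL, AUTYPE_SIMPLE, AUTYPE_MD5 = 0, 1, 2
# RFC 2328 header: version, type, length, router ID, area ID, checksum, AuType, authentication (8 bytes)
OSPF_HDR = struct.Struct("!BBH4s4sHH8s")
MD5_LEN = 16

# Constructed packet matching the page's debug line: v:2 t:1 l:48 rid:200.0.0.116 aid:0.0.0.0.
# 24-byte hello body (mask, hello 10, options E, priority 1, dead 40, DR, BDR, one neighbor).
HELLO_BODY = struct.pack("!4sHBBI4s4s4s", ipaddress.IPv4Address("255.255.255.0").packed, 10, 0x02, 1, 40,
                         b"\x00" * 4, b"\x00" * 4, ipaddress.IPv4Address("200.0.0.1").packed)
UNSIGNED = OSPF_HDR.pack(2, 1, OSPF_HDR.size + len(HELLO_BODY), ipaddress.IPv4Address("200.0.0.116").packed,
                         ipaddress.IPv4Address("0.0.0.0").packed, 0, AUTYPE_NULL, b"\x00" * 8) + HELLO_BODY


def pad_key(key: bytes) -> bytes:
    """An IOS message-digest key is at most 16 characters; shorter keys are zero-padded to 16 bytes."""
    if len(key) > 16:
        raise ValueError("OSPF MD5 key longer than 16 bytes")
    return key.ljust(16, b"\x00")


def md5_sign(packet: bytes, key_id: int, key: bytes, seq: int) -> bytes:
    """RFC 2328 D.4.3 generation. The length field does not cover the trailing digest."""
    v, t, length, rid, aid, _chk, _autype, _auth = OSPF_HDR.unpack_from(packet, 0)
    auth = struct.pack("!HBBI", 0, key_id, MD5_LEN, seq)  # 0x0000, key ID, auth data len, sequence
    signed = OSPF_HDR.pack(v, t, length, rid, aid, 0, AUTYPE_MD5, auth) + packet[OSPF_HDR.size:length]
    return signed + hashlib.md5(signed + pad_key(key)).digest()  # secret-suffix MD5, not HMAC


def debug_line(frame: bytes) -> str:
    """The fields that 'debug ip ospf packet' prints for a received packet."""
    v, t, length, rid, aid, chk, autype, auth = OSPF_HDR.unpack_from(frame, 0)
    _, key_id, _, seq = struct.unpack("!HBBI", auth)
    return (f"OSPF: rcv. v:{v} t:{t} l:{length} rid:{ipaddress.IPv4Address(rid)} "
            f"aid:{ipaddress.IPv4Address(aid)} chk:{chk} aut:{autype} keyid:{key_id} seq:{seq:#x}")


def simple_password(frame: bytes) -> bytes:
    """Type 1: the 8-byte authentication field carries the password itself, in the clear."""
    return OSPF_HDR.unpack_from(frame, 0)[7].rstrip(b"\x00")


class Md5Verifier:
    """Receiver side: configured keys by key ID plus per-neighbor sequence state."""

    def __init__(self, keys: Dict[int, bytes]):
        self.keys = {kid: pad_key(k) for kid, k in keys.items()}
        self.last_seq: Dict[str, int] = {}  # router ID -> last accepted sequence number

    def verify(self, frame: bytes) -> Tuple[bool, str]:
        v, t, length, rid, aid, chk, autype, auth = OSPF_HDR.unpack_from(frame, 0)
        if autype != AUTYPE_MD5:
            return False, f"authentication type {autype} is not MD5"
        _zero, key_id, auth_len, seq = struct.unpack("!HBBI", auth)
        if auth_len != MD5_LEN or len(frame) < length + MD5_LEN:
            return False, "bad authentication data length"
        key = self.keys.get(key_id)
        if key is None:
            return False, f"unknown key id {key_id}"
        neighbor = str(ipaddress.IPv4Address(rid))
        # RFC 2328 D.4.3: a sequence number lower than the last accepted one is a replay.
        # Equal numbers are accepted, so the most recent packet can still be replayed verbatim.
        if seq < self.last_seq.get(neighbor, 0):
            return False, f"replayed sequence {seq:#x}"
        expected = hashlib.md5(frame[:length] + key).digest()
        if not hmac.compare_digest(expected, frame[length:length + MD5_LEN]):
            return False, "digest mismatch"
        self.last_seq[neighbor] = seq  # update state only after the digest checks out
        return True, "ok"


if __name__ == "__main__":
    verifier = Md5Verifier({1: b"cisco"})
    for seq in (5, 6, 5):
        frame = md5_sign(UNSIGNED, 1, b"cisco", seq)
        print(debug_line(frame), "->", verifier.verify(frame))
```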
Configuring Plaintext Password Authentication
To configure OSPF plaintext password authentication, complete the following steps:
Step 1 Use the interface level ip ospf authentication-key password command to assign a password to use with neighboring routers that use the OSPF simple password authentication. The password can be any continuous string of characters that can be entered from the keyboard, up to eight characters in length.
The password that is created by this command is used as a “key” that is inserted directly into the OSPF header when Cisco IOS Software originates routing protocol packets. A separate password can be assigned to each network on a per-interface basis. All neighboring routers on the same network must have the same password to be able to exchange OSPF information.
Step 2 Specify the authentication type using the interface level ip ospf authentication command. Table 4-6 explains the parameters for this command.
Table 4-6 ip ospf authentication Command Parameters
For plaintext password authentication, use the ip ospf authentication command with no parameters. Before using this command, configure a password for the interface using the ip ospf authentication-key command.
The ip ospf authentication command was introduced in Cisco IOS Release 12.0. For backward compatibility, the authentication type for an area is still supported. If the authentication type is not specified for an interface, the authentication type for the area is used. (The area default is null authentication.) To enable authentication for an OSPF area, use the area area-id authentication [message-digest] router configuration command. Table 4-7 explains the parameters for this command.
Table 4-7 area authentication Parameters
Example: Plaintext Password Authentication Configuration
Figure 4-7 shows the network that is used to illustrate the configuration, verification, and troubleshooting of plaintext password authentication.
Figure 4-7 Plaintext Password Authentication
Plaintext password authentication is configured on interface serial 0/0/1 with the ip ospf authentication command. The interface is configured with an authentication key of "plainpas".
Notice that the connecting interfaces on both Router 1 and Router 2 are configured for the same type of authentication with the same authentication key.
Verifying Plaintext Password Authentication
Example 4-10 shows output from the show ip ospf neighbor and show ip route commands for a router that was configured with authentication.
Example 4-10 Verifying Authentication with the show ip ospf neighbor and show ip route Commands
RouterX#show ip ospf neighbor
Neighbor ID     Pri   State      Dead Time   Address         Interface
10.2.2.2        0     FULL/  -   00:00:32    192.168.1.102   Serial0/0/1
RouterX#show ip route
<output omitted>
Gateway of last resort is not set
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
O       10.2.2.2/32 [110/782] via 192.168.1.102, 00:01:17, Serial0/0/1
C       10.1.1.0/24 is directly connected, Loopback0
     192.168.1.0/27 is subnetted, 1 subnets
C       192.168.1.96 is directly connected, Serial0/0/1
Notice that the neighbor state is FULL, indicating that the two routers have successfully formed an OSPF adjacency. The routing table verifies that the 10.2.2.2 address has been learned via OSPF over the serial connection.
The results of a ping to the Router Y loopback interface address are also displayed to illustrate that the link is working, as shown in Example 4-11.
Example 4-11 Using ping Output to Verify Link Operation
RouterX#ping 10.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/29/32 ms
More Resources