OSPF This and That

OSPF Passive Interface

In Cisco IOS software, an interface is configured as passive with the passive-interface [name] router configuration command. If most interfaces on the router need to be passive, use the passive-interface default router configuration command instead; it makes every interface that falls within a configured network statement passive. Interfaces on which adjacencies or neighbor relationships should still be allowed are then re-enabled with no passive-interface [name].

Passive interface configuration works the same for OSPF and EIGRP (unlike RIP, where a passive interface still listens to updates): when an interface is marked passive, any neighbor relationship over it is torn down, and Hello packets are neither sent out of nor processed when received on that interface. The interface's subnet continues to be advertised as long as it is covered by a network statement. This is the correct setting for user-facing or DMZ segments where no legitimate neighbor exists, since it denies a rogue device on that segment the chance to form an adjacency and inject routes.

Securing OSPF Messages

Unlike EIGRP, which in classic mode offers only MD5, OSPF supports both plain text and MD5 authentication. The authentication method in use is carried in the 16-bit Auth Type (AuType) field of the OSPF packet header, which may hold one of three codes:

  • Code 0 – Null authentication (no authentication at all)
  • Code 1 – Plain text (simple password) authentication
  • Code 2 – Message Digest 5 (MD5) cryptographic authentication

By default, an OSPF-enabled router uses Null authentication (Code 0): routing exchanges are not authenticated at all, so any host that can reach the segment can form an adjacency or inject LSAs.

OSPF authentication can be configured for the entire OSPF area or on a per-interface basis.

To configure OSPF authentication for an area, use the following router configuration command (the message-digest keyword selects MD5; without it, plain text is used):

Router(config-router)#area [area ID] authentication [message-digest]

This command only turns authentication on for the area; the key itself is configured on every participating interface with the command that matches the chosen method. For plain text authentication:

Router(config-if)#ip ospf authentication-key [password]

For MD5 authentication:

Router(config-if)#ip ospf message-digest-key [key ID] md5 [password]

When configuring MD5 authentication, the key ID and the password behind it must match on both neighbors. If more than one key is configured on an interface, IOS treats it as a key rollover: it sends a copy of each packet authenticated with every configured key until all neighbors are seen using the new key, after which the old key should be removed. A plain text password can be any continuous string of printable characters up to 8 bytes long. An MD5 password is an alphanumeric string of up to 16 bytes; a shorter password is padded with null bytes to 16 bytes before the digest is computed.

When plain text authentication is enabled, the password is copied verbatim into the 64-bit authentication field of every OSPF packet the router originates, so anyone able to capture traffic on the segment can read it; plain text authentication protects against misconfigured neighbors, not against an attacker. A separate password can be assigned to each network on a per-interface basis, so different subnets within the area can use different passwords. However, all neighboring routers on the same subnet must share the same password to exchange OSPF routing information.

When configuring interface authentication you can choose between plain text and MD5. Applying the following command without a keyword enables plain text authentication:

Router(config-if)#ip ospf authentication [message-digest|null]

The message-digest keyword configures the interface to use MD5 authentication. The null keyword disables authentication on that interface even when area authentication is configured, since an interface setting overrides the area setting; null is also what an interface uses when neither is configured. Interface-based authentication provides flexibility in that authentication can be configured on some subnets and not others for routers residing in the same OSPF area. Newer IOS releases also support HMAC-SHA authentication (RFC 5709) through ip ospf authentication key-chain; prefer it to MD5 where the platform offers it.
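The three Auth Type codes and the difference between what plain text and MD5 actually protect are easiest to see at the packet level. The following Python is an added example, not code from the original page: it builds an OSPF Hello with the 24-byte header, fills the 64-bit authentication field as RFC 2328 Appendix D describes, computes and verifies the MD5 trailer, and enforces the cryptographic sequence number check that defeats replay. The Router ID, area, password and sequence number are constructed sample data; the null-padding of short MD5 keys mirrors IOS behaviour.

```python
"""OSPFv2 authentication per RFC 2328 Appendix D: build a Hello with Null,
plain text or MD5 authentication, then verify it the way a receiver must.
Added example, not from the original page."""
import hashlib
import hmac
import struct

AUTH_NULL, AUTH_SIMPLE, AUTH_MD5 = 0, 1, 2   # Auth Type codes in the OSPF header
OSPF_HDR = struct.Struct("!BBH4s4sHH8s")      # ver, type, len, rid, area, cksum, autype, auth
HELLO = 1


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum. OSPF computes it over the packet minus the
    8-byte auth field; zeros there add nothing to the sum, so we simply zero that field."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def hello_body(mask: bytes, hello: int = 10, dead: int = 40) -> bytes:
    """Hello fields: mask, HelloInterval, Options (E bit), Rtr Pri, DeadInterval, DR, BDR."""
    return struct.pack("!4sHBBI4s4s", mask, hello, 0x02, 1, dead, bytes(4), bytes(4))


def build_hello(rid: bytes, area: bytes, body: bytes, autype: int, auth: bytes) -> bytes:
    """Header + body. The checksum is filled for Null/plain text; with MD5 it stays 0,
    because the digest, not the checksum, protects the packet."""
    length = OSPF_HDR.size + len(body)
    if autype == AUTH_MD5:
        return OSPF_HDR.pack(2, HELLO, length, rid, area, 0, autype, auth) + body
    unsummed = OSPF_HDR.pack(2, HELLO, length, rid, area, 0, autype, bytes(8)) + body
    cksum = internet_checksum(unsummed)
    return OSPF_HDR.pack(2, HELLO, length, rid, area, cksum, autype, auth) + body


def md5_key(password: str) -> bytes:
    """IOS 'ip ospf message-digest-key' accepts up to 16 bytes; shorter keys are NUL-padded."""
    return password.encode()[:16].ljust(16, b"\x00")


def sign_md5(rid: bytes, area: bytes, body: bytes, key_id: int, seq: int, password: str) -> bytes:
    """Auth field = reserved(0), Key ID, Auth Data Len (16), cryptographic sequence number.
    Digest = MD5(packet || key), appended after the packet and not counted in its length."""
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)
    packet = build_hello(rid, area, body, AUTH_MD5, auth)
    return packet + hashlib.md5(packet + md5_key(password)).digest()


def verify(packet: bytes, keys: dict, last_seq: int = 0, simple_password: str = "") -> tuple:
    """Receiver check driven by the Auth Type field. keys maps key ID -> MD5 password;
    last_seq is the highest sequence number already accepted from this neighbor."""
    _ver, _ptype, length, _rid, _area, _cksum, autype, auth = OSPF_HDR.unpack(packet[:OSPF_HDR.size])
    if autype == AUTH_NULL:
        return True, "null: unauthenticated, any host on the segment can inject"
    if autype == AUTH_SIMPLE:
        # The password travels verbatim in the 8-byte field: a sniffer reads it directly.
        return auth.rstrip(b"\x00") == simple_password.encode(), "plain text compared"
    if autype != AUTH_MD5:
        return False, "unsupported auth type %d" % autype
    _, key_id, auth_len, seq = struct.unpack("!HBBI", auth)
    if auth_len != 16 or key_id not in keys:
        return False, "unknown key ID or digest length"
    if seq < last_seq:
        return False, "replayed: sequence %d < %d" % (seq, last_seq)
    expected = hashlib.md5(packet[:length] + md5_key(keys[key_id])).digest()
    if not hmac.compare_digest(expected, packet[length:length + 16]):
        return False, "digest mismatch (tampered packet or wrong key)"
    return True, "md5 ok, seq %d" % seq


def demo() -> dict:
    """Constructed sample: Router ID 10.0.0.1 in area 0, password 'cisco', key ID 1."""
    rid, area, body = bytes([10, 0, 0, 1]), bytes(4), hello_body(bytes([255, 255, 255, 0]))
    plain = build_hello(rid, area, body, AUTH_SIMPLE, b"cisco".ljust(8, b"\x00"))
    signed = sign_md5(rid, area, body, key_id=1, seq=1_700_000_000, password="cisco")
    tampered = bytearray(signed)
    tampered[OSPF_HDR.size + 4] ^= 0x01          # flip one bit of HelloInterval in the body
    return {
        "plain_password_on_wire": plain[16:24].rstrip(b"\x00").decode(),
        "plain_checksum_valid": internet_checksum(plain[:16] + plain[24:]) == 0,
        "md5_ok": verify(signed, {1: "cisco"})[0],
        "md5_tampered": verify(bytes(tampered), {1: "cisco"})[0],
        "md5_wrong_key": verify(signed, {1: "secret"})[0],
        "md5_replayed": verify(signed, {1: "cisco"}, last_seq=1_700_000_001)[0],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running demo() shows the plain text password recoverable straight from bytes 16 to 23 of the header, while the MD5 packet fails verification when a single body bit is flipped, when the receiver holds a different key, or when it is replayed with a sequence number lower than one already accepted. Note that MD5 here is a keyed digest over packet plus key, not an HMAC, which is one reason the RFC 5709 key-chain option is preferable where available.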

OSPF over Non-Broadcast Networks

NBMA networks do not natively support Broadcast and Multicast packets. One of the most commonly implemented NBMA technologies is Frame Relay, and when OSPF is enabled on a Frame Relay interface the default network type is Non-Broadcast. Unlike on Broadcast network types, Multicast Hello packets cannot be used for dynamic neighbor discovery on NBMA networks, so neighbors must either be configured statically or the network type must be changed. OSPF can be implemented in three modes on NBMA networks:

  1. Simulated Broadcast Mode
  2. Point-to-Point Mode
  3. Point-to-Multipoint Mode

Simulated Broadcast mode simulates a traditional Broadcast model by electing a Designated Router and Backup Designated Router on the NBMA network. In a partial-mesh (hub-and-spoke) topology the hub must win that election, since spokes have no PVC to each other; set the spoke priority to 0 to guarantee it. There are two ways in which OSPF can be implemented in simulated Broadcast mode for NBMA network types:

  1. Using the default network type and the neighbor router configuration command
  2. By changing the default network type to the broadcast network type

Because OSPF assumes that the underlying Frame Relay infrastructure cannot carry Broadcast or Multicast packets, static neighbor configuration is required so that the routers on the NBMA network communicate using Unicast packets. Static OSPF neighbors are defined with the following router configuration command, once for each directly connected neighbor router:

Router(config-router)#neighbor [address] [priority <number>] [poll-interval <seconds>] [cost <number>] [database-filter all]

Point-to-point mode is perhaps the simplest method of implementing OSPF on NBMA network types. By default, OSPF uses Multicast on point-to-point network types for dynamic neighbor discovery, even on Frame Relay subinterfaces. When configuring point-to-point Frame Relay subinterfaces, the frame-relay interface-dlci subinterface configuration command must be used instead of the frame-relay map command.

A factor that should be taken into consideration is the size of the Link State Database. Every point-to-point subnet appears as a stub link in the Type 1 LSA, and although Type 2 LSAs are not generated for these subnets, the ABR still originates a Type 3 LSA for each one unless they are summarized.

Point-to-multipoint mode is a non-default OSPF mode. It treats the NBMA network as a collection of point-to-point links, so each router establishes an adjacency with every neighbor it has a PVC to, without the need to elect a DR or BDR. Point-to-multipoint mode can be configured to use either Multicast (the default) or Unicast packets to establish adjacencies; the Unicast variant (point-to-multipoint non-broadcast) requires neighbor statements.

While the implementation of point-to-multipoint mode is simple and straightforward, it is important to remember that a /32 host route is generated for each interface address connected to the NBMA network, which adds entries to every routing table in the area.

OSPF Cost Commands

There are two ways to configure OSPF cost values. The first is on the interface itself with the command ip ospf cost [cost]. This changes the cost of that link, which in turn changes the metric of every route that downstream routers compute through it. The second is the router configuration command neighbor [address] cost <value>, which lets administrators assign a distinct cost to each OSPF neighbor and can be used only with the point-to-multipoint non-broadcast network type.

OSPF Route Summarization

OSPF-enabled routers must be manually configured to summarize routes. Different commands must be used to summarize internal and external routing information.

In OSPF, ABRs are responsible for generating a Type 3 Summary LSA for each intra-area route. Assuming that a hierarchical IP addressing scheme is in place, internal route summarization can be implemented on the ABR, allowing it to generate a single Type 3 LSA that represents a whole collection of intra-area routes. Internal route summarization is configured with the following router configuration command on the Area Border Router (ABR):

Router(config-router)#area [area ID] range <address> <mask> [advertise | not-advertise] [cost <cost>]

When configuring OSPF route summarization, internal route summarization is configured on the ABR; however, external route summarization must be configured on the ASBR. External route summarization in OSPF is configured using the router configuration command:

Router(config-router)#summary-address [<address> <mask> | prefix] [not-advertise] [tag <tag>] [nssa-only]

The important aspects to remember in regards to the area…range router configuration command are as follows:

  • This command is issued on the Area Border Router (ABR)
  • An intra-area route for the summary pointing to Null0 is installed in the routing table, so traffic for addresses inside the summary that have no specific route is discarded instead of following a less specific route and looping
  • The specific Type 3 entries in the LSDB are replaced by the single Type 3 LSA
  • The summary is not advertised if none of the contributing routes is in the routing table
  • By default the summary metric equals the lowest metric of all contributing routes
  • The summary metric can be set directly with the cost keyword, overriding that default
  • With the not-advertise keyword this command can be used for OSPF route filtering

The important aspects to remember in regards to the summary-address router configuration command are as follows:

  • This command is issued on the Autonomous System Border Router (ASBR)
  • A route for the summary pointing to Null0 is installed in the routing table
  • The specific Type 5 entries in the LSDB are replaced by the single Type 5 LSA
  • The summary is not advertised if none of the contributing routes is in the routing table
  • The summary metric is 20 when the contributing routes were redistributed with the default external metric of 20
  • The summary metric uses the lowest contributing route metric for external OSPF routes
  • With the not-advertise keyword this command can be used for OSPF route filtering
  • The summary metric cannot be set directly with this command; there is no cost keyword
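As an added example that is not part of the original page, the following Python models the behaviour described in the two lists above: which routes contribute to an area range or summary-address prefix, what metric the summary carries, when it is suppressed, and why the Null0 discard route matters. The routes, prefixes and next hops are constructed sample data, and the functions imitate IOS behaviour; they are not an IOS API.

```python
"""Model of IOS 'area ... range' and 'summary-address' summarization behaviour.
Added example, not from the original page; the functions imitate IOS, they are not an IOS API."""
import ipaddress


def contributors(routes: dict, summary: str) -> dict:
    """Routes (prefix -> metric) whose prefix lies inside the summary range."""
    net = ipaddress.ip_network(summary)
    return {p: m for p, m in routes.items() if ipaddress.ip_network(p).subnet_of(net)}


def area_range(intra: dict, summary: str, cost=None, advertise: bool = True) -> tuple:
    """ABR: 'area <id> range <addr> <mask> [advertise|not-advertise] [cost <n>]'.
    Returns (Type 3 LSA or None, Null0 discard route or None)."""
    parts = contributors(intra, summary)
    if not parts or not advertise:
        return None, None   # no contributing route, or used as a filter: nothing advertised
    metric = cost if cost is not None else min(parts.values())
    return ({"type": 3, "prefix": summary, "metric": metric},
            {"prefix": summary, "next_hop": "Null0"})


def summary_address(external: dict, summary: str, advertise: bool = True) -> tuple:
    """ASBR: 'summary-address <addr> <mask> [not-advertise]'. Same shape as area_range but
    with no cost keyword: the metric is always the lowest contributing metric
    (20 for routes redistributed with the default external metric)."""
    parts = contributors(external, summary)
    if not parts or not advertise:
        return None, None
    return ({"type": 5, "prefix": summary, "metric": min(parts.values())},
            {"prefix": summary, "next_hop": "Null0"})


def lookup(table: dict, dst: str):
    """Longest-prefix match over prefix -> next hop, as the router's forwarding lookup does."""
    best = None
    addr = ipaddress.ip_address(dst)
    for prefix, next_hop in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def demo() -> dict:
    """Constructed sample: three /24s in area 1 behind an ABR summarized as 10.1.0.0/22,
    and two redistributed /24s summarized on an ASBR as 172.16.0.0/16."""
    intra = {"10.1.0.0/24": 10, "10.1.1.0/24": 30, "10.1.2.0/24": 20}
    lsa, discard = area_range(intra, "10.1.0.0/22")
    lsa_fixed, _ = area_range(intra, "10.1.0.0/22", cost=100)
    external = {"172.16.1.0/24": 20, "172.16.2.0/24": 20}
    ext_lsa, _ = summary_address(external, "172.16.0.0/16")
    # ABR forwarding table: the specifics plus a default toward an upstream router.
    # 10.1.3.5 is covered by the summary but has no specific route.
    table = {p: "Area 1" for p in intra}
    table["0.0.0.0/0"] = "Upstream"
    without_discard = lookup(table, "10.1.3.5")   # follows the default: loop risk
    table[discard["prefix"]] = discard["next_hop"]
    with_discard = lookup(table, "10.1.3.5")      # dropped on Null0
    return {
        "type3_metric": lsa["metric"],
        "type3_cost_override": lsa_fixed["metric"],
        "type5_metric": ext_lsa["metric"],
        "filtered": area_range(intra, "10.1.0.0/22", advertise=False),
        "no_contributors": area_range({}, "10.1.0.0/22"),
        "without_discard": without_discard,
        "with_discard": with_discard,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The lookup of 10.1.3.5 is the point of the Null0 route: the upstream router sends that traffic to the ABR because the summary covers it, and without the discard route the ABR's default route would send it straight back, so the packet would bounce until its TTL expired. The discard route is why removing it (no discard-route internal or external) should be done with care.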