Download Complete PDF Send Feedback Print This Page

Previous

Synchronize Contents

Next

OSPF

Open Shortest Path First (OSPF) is an interior gateway protocol (IGP) used to exchange routing information between routers within a single autonomous system (AS). OSPF calculates the best path based on true costs using a metric assigned by a network administrator. RIP, the oldest IGP protocol chooses the least-cost path based on hop count. OSPF is more efficient than RIP, has a quicker convergence, and provides equal-cost multipath routing where packets to a single destination can be sent using more than one interface. OSPF is suitable for complex networks with a large number of routers. It can coexist with RIP on a network.

Gaia supports OSPFv2, which supports IPv4 addressing.

You can run OSPF over a route-based VPN by enabling OSPF on a virtual tunnel interface (VTI).

Related Topics

Types of Areas

Area Border Routers

High Availability Support for OSPF

Configuring OSPF - WebUI

Configuring OSPF - CLI (ospf)

Types of Areas

Routers using OSPF send packets called Link State Advertisements (LSA) to all routers in an area. Areas are smaller groups within the AS that you can design to limit the flooding of an LSA to all routers. LSAs do not leave the area from which they originated, thus increasing efficiency and saving network bandwidth.

You must specify at least one area in your OSPF network—the backbone area, which has the responsibility to propagate information between areas. The backbone area has the identifier 0.0.0.0.

You can designate other areas, depending on your network design, of the following types:

  • Normal Area — Allows all LSAs to pass through. The backbone is always a normal area.
  • Stub Area — Stub areas do not allow Type 5 LSAs to be propagated into or throughout the area and instead depends on default routing to external destinations. You can configure an area as a stub to reduce the number of entries in the routing table (routes external to the OSPF domain are not added to the routing table).
  • NSSA (Not So Stubby Area) — Allows the import of external routes in a limited fashion using Type-7 LSAs. NSSA border routers translate selected Type 7 LSAs into Type 5 LSAs which can then be flooded to all Type-5 capable areas. Configure an area as an NSSA if you want to reduce the size of the routing table, but still want to allow routes that are redistributed to OSPF.

It is generally recommended that you limit OSPF areas to about 50 routers based on the limitations of OSPF (traffic overhead, table size, convergence, and so on).

All OSPF areas must be connected to the backbone area. If you have an area that is not connected to the backbone area, you can connect it by configuring a virtual link, enabling the backbone area to appear contiguous despite the physical reality.

Note - If you need to connect two networks that both already have backbone areas and you do not want to reconfigure one to something other than 0.0.0.0, you can connect the two backbone areas using a virtual link.

Each router records information about its interfaces when it initializes and builds an LSA packet. The LSA contains a list of all recently seen routers and their costs. The LSA is forwarded only within the area it originated in and is flooded to all other routers in the area. The information is stored in the link-state database, which is identical on all routers in the AS.

Area Border Routers

Routers called Area Border Routers (ABR) have interfaces to multiple areas. ABRs compact the topological information for an area and transmit it to the backbone area. Check Point supports the implementation of ABR behavior as outlined in the Internet draft of the Internet Engineering Task Force (IETF). The definition of an ABR in the OSPF specification as outlined in RFC 2328 does not require a router with multiple attached areas to have a backbone connection. However, under this definition, any traffic destined for areas that are not connected to an ABR or that are outside the OSPF domain is dropped. According to the Internet draft, a router is considered to be an ABR if it has more than one area actively attached and one of them is the backbone area. An area is considered actively attached if the router has at least one interface in that area that is not down.

Rather than redefine an ABR, the Check Point implementation includes in its routing calculation summary LSAs from all actively attached areas if the ABR does not have an active backbone connection, which means that the backbone is actively attached and includes at least one fully adjacent neighbor. You do not need to configure this feature; it functions automatically under certain topographies.

OSPF uses the following types of routes:

  • Intra-area—Have destinations within the same area.
  • Interarea—Have destinations in other OSPF areas.
  • Autonomous system external (ASE)—Have destinations external to the autonomous system (AS). These are the routes calculated from Type 5 LSAs.
  • NSSA ASE Router—Have destinations external to AS. These are the routes calculated from Type 7 LSAs.

All routers on a link must agree on the configuration parameters of the link. All routers in an area must agree on the configuration parameters of the area. A separate copy of the SPF algorithm is run for each area. Misconfigurations prevent adjacencies from forming between neighbors, and routing black holes or loops can form.

High Availability Support for OSPF

Gaia supports the OSPF protocol in clusters configured either via VRRP or ClusterXL.

In this configuration, the cluster becomes a virtual router, which is seen by neighboring routers as a single router that has an IP address that is the same as the virtual IP address of the cluster. Each member of the cluster runs the OSPF task, but only the member which is designated as primary or master actively participates in the network and exchanges routing information with neighbor routers. When a failover occurs, the standby member of the cluster becomes the master and its OSPF task becomes the active participant in protocol exchanges with neighbor routers.

Gaia also supports the OSPF protocol over VPN tunnels which terminate in the VRRP or ClusterXL cluster.

VRRP

Gaia supports the advertising of the virtual IP address of the VRRP virtual router. You can configure OSPF to advertise the virtual IP address rather than the actual IP address of the interface.

If you enable this option, OSPF runs only on the master of the virtual router; on a failover, OSPF stops being active on the old master and then starts becoming active on the new master. Because the OSPF routes database of the master is not synchronized across all members of the cluster, a traffic break may occur during the time it takes the VRRP to become active and the OSPF protocol to learn routes again. The larger the network, the more time it takes OSPF to synchronize its database and install routes again.

Note - You must use monitored-circuit VRRP, not VRRP v2, when configuring virtual IP support for OSPF or any other dynamic routing protocol.

ClusterXL

Gaia ClusterXL advertises the virtual IP address of the ClusterXL virtual router. The OSPF routes database of the master is synchronized across all members of the cluster. The OSPF task of each standby member obtains routing state and information from the master and installs the routes in the kernel as the master does. On a failover, one of the standby members becomes the new master and then continues where the old master failed. During the time that the new master resynchronizes routes database with the neighbor routers, traffic forwarding continues using the old kernel routes until OSPF routes are fully synchronized and pushed into the kernel.

Configuring OSPF - WebUI

To configure OSPF:

  1. In the Network Management > Network interfaces page of the WebUI, configure Ethernet Interfaces and assign an IP address to the interface.
  2. Open the Advanced Routing > OSPF page of the WebUI.
  3. Define other Global settings, including the Router ID.
  4. Optional: Define additional OSPF areas (in addition to the backbone area).
  5. Optional: For each area, you can add one or more address ranges if you want to reduce the number of routing entries that the area advertises into the backbone.

    Note - To prevent an address range from being advertised into the backbone, select Restrict for the address range

  6. Configure OSPF Interfaces.
  7. Configure virtual links for any area that does not connect directly to the backbone area.

Configuring Global Settings

The following table shows the global settings that you can specify for OSPF. Configure these settings by clicking OSPF under Configuration > Routing Configuration in the tree view and scrolling down to these fields.

Global Settings for OSPF

Parameter

Description

Router ID

The Router ID uniquely identifies the router in the autonomous system. The router ID is used by the BGP and OSPF protocols. We recommend setting the router ID rather than relying on the default setting. This prevents the router ID from changing if the interface used for the router ID goes down. Use an address on a loopback interface that is not the loopback address (127.0.0.1). In a cluster, you must select a router ID and make sure that it is the same on all cluster members.

  • Range: Dotted-quad.([0-255].[0-255].[0-255].[0-255]). Do not use 0.0.0.0
  • Default: The interface address of one of the local interfaces.

RFC1583 Compatibility

This implementation of OSPF is based on RFC2178, which fixed some looping problems in an earlier specification of OSPF. If your implementation is running in an environment with OSPF implementations based on RFC1583 or earlier, enable RFC 1583 compatibility to ensure backwards compatibility.

  • Default: Selected

SPF Delay

Specifies the time in seconds the system will wait to recalculate the OSPF routing table after a change in topology.

  • Default: 2.
  • Range: 1-60.

SPF Hold Time

Specifies the minimum time in seconds between recalculations of the OSPF routing table.

  • Default:5.
  • Range: 1-60.

Default ASE Route Cost

Specifies a cost for routes redistributed into OSPF as ASEs. Any cost previously assigned to a redistributed routed overrides this value.

Default ASE Route Type

Specifies a route type for routes redistributed into OSPF as ASEs, unless these routes already have a type assigned.

There are two types:

  • Type 1 external: Used for routes imported into OSPF which are from IGPs whose metrics are directly comparable to OSPF metrics. When a routing decision is being made, OSPF adds the internal cost to the AS border router to the external metric.
  • Type 2 external: Used for routes whose metrics are not comparable to OSPF internal metrics. In this case, only the external OSPF cost is used. In the event of ties, the least cost to an AS border router is used.

Graceful Restart Helper

When a router running OSPF restarts, all the routing peers detect that the session failed and recovered. This transition results in a routing flap. It causes routes to be recomputed, updates to be generated, and unnecessary churn to the forwarding tables.

Enabling this option minimizes the negative effects caused by peer routers restarting by causing the Check Point system to maintain the forwarding state advertised by peer routers even when they restart.

Configuring OSPF Areas

The following table lists the parameters for areas and global settings that you use when configuring OSPF on your system. As you add areas, each is displayed with its own configuration parameters under the Areas section.

  • Area: Choose an IPv4 address (preferred) or an integer.

OSPF Normal Type Area Configuration Parameters

Parameter

Description

Add Address Range

You can configure any area with any number of address ranges. Use these ranges to reduce the number of routing entries that a given area emits into the backbone and thus all areas. If a given IPv4 address aggregates a number of more specific IPv4 addresses within an area, you can configure an address that becomes the only IPv4 address advertised into the backbone. You must be careful when configuring an address range that covers parts of an IPv4 address not contained within the area. By definition, an address range consists of a IPv4 address and a mask length.

Note: To prevent a specific IPv4 address from being advertised into the backbone, select Restrict.

Add Stub Network

OSPF can advertise reachability to IPv4 addresses that are not running OSPF using a stub network. The advertised IPv4 address appears as an OSPF internal route and can be filtered at area borders with the OSPF area ranges. The IPv4 address must be directly reachable on the router where the stub network is configured; that is, one of the router's interface addresses must fall within the IPv4 address to be included in the router-LSA. You configure stub hosts by specifying a mask length of 32.

This feature also supports advertising an IPv4 address and mask that can be activated by the local address of a point-to-point interface. To advertise reachability to such an address, enter an IP address and a cost with a value other than zero.

Area Type

For descriptions of area types, see Types of Areas.

Options: Normal/Stub/NSSA.

Stub Area Parameters

The following table stub areas configuration parameters appear if you define the area as a stub area.

Parameter

Description

Cost for Default Route

Enter a cost for the default route to the stub area.

  • Range: 1-16777215.
  • Default: No default.

Import Summary Routes

Specifies if summary routes (summary link advertisements) are imported into the stub area or NSSA. Each summary link advertisement describes a route to a destination outside the area, yet still inside the AS (i.e. an inter-area route). These include routes to networks and routes to AS boundary routers.

  • Default: Selected.

NSSA (Not So Stubby Area) Parameters

The following table describes the configuration parameters for NSSA areas. These fields appear if you define the area as an NSSA (Not So Stubby Area). For more information on NSSA, see RFC 3101.

Parameter

Description

Translator Role

Specifies whether this NSSA border router will unconditionally translate Type-7 LSAs into Type-5 LSAs. When role is Always, Type-7 LSAs are translated into Type-5 LSAs regardless of the translator state of other NSSA border routers. When role is Candidate, this router participates in the translator election to determine if it will perform the translations duties. If this NSSA router is not a border router, then this option has no effect.

  • Default: Candidate.

Translator Stability Interval

Specifies how long in seconds this elected Type-7 translator will continue to perform its translator duties once it has determined that its translator status has been assumed by another NSSA border router. This field appears only if an area is defined as an NSSA with translator role as Candidate.

  • Default: 40 seconds.

Import Summary Routes

Specifies if summary routes (summary link advertisements) are imported into the stub area or NSSA. Each summary link advertisement describes a route to a destination outside the area, yet still inside the AS (i.e. an inter-area route). These include routes to networks and routes to AS boundary routers.

  • Default: On.

Cost for Default Route

Enter a cost associated with the default route to the NSSA.

Default Route Type

Specifies the route type associated with the Type-7 default route for an NSSA when routes from other protocols are redistributed into OSPF as ASEs. If a redistributed route already has a route type, this type is maintained. If summary routes are imported into an NSSA, only then a Type-7 default route is generated (otherwise a Type-3 default route is generated). This field appears only if an area is defined as an NSSA into which summary routes are imported.

The route type can be either 1 or 2. A type 1 route is internal and its metric can be used directly by OSPF for comparison. A type 2 route is external and its metric cannot be used for comparison directly.

  • Default: 1

Redistribution

Specifies if both Type-5 and Type-7 LSAs or only Type-7 LSAs will be originated by this router. This option will have effect only if this router is an NSSA border router and this router is an AS border router.

  • Default: On

Type 7 Address Ranges

An NSSA border router that performs translation duties translates Type-7 LSAs to Type-5 LSAs. An NSSA border router can be configured with Type-7 address ranges. Use these ranges to reduce the number of Type-5 LSAs. Many separate Type-7 networks may fall into a single Type-7 address range. These Type-7 networks are aggregated and a single Type-5 LSA is advertised. By definition, a Type-7 address range consists of a prefix and a mask length.

Note: To prevent a specific prefix from being advertised, select On in the Restrict field next to the entry for that prefix.

Configuring OSPF Virtual Links

You must configure a virtual link for any area that does not connect directly to the backbone area. You configure the virtual link on both the ABR for the discontiguous area and another ABR that does connect to the backbone.

The virtual link acts like a point-to-point link. The routing protocol traffic that flows along the virtual link uses intra-area routing only.

To configure a virtual link:

  1. Create a Normal Type area (which does not connect directly to the backbone area) and configure an interface to be in that area.
  2. In the Virtual Links section, click Add.
  3. In the Add Virtual Link window, enter the Remote Router ID of the remote endpoint of the virtual link.
  4. Select the Transit Area. This is the area that connects both to the backbone and to the discontiguous area.
  5. Configure the following parameters for the virtual link:
    • Hello interval—Length of time, in seconds, between hello packets that the router sends on the interface. For a given link, this field must be the same on all routers or adjacencies do not form.
      • Default: 30.
    • Dead Interval—Number of seconds after the router stops receiving hello packets that it declares the neighbor is down. Typically, the value of this field should be four times that of the hello interval. For a given link, this value must be the same on all routers, or adjacencies do not form. The value must not be zero.
      • Range: 1-65535.
      • Default: 120.
    • Retransmit Interval—Specifies the number of seconds between LSA retransmissions for adjacencies belonging to this interface. This value is also used when retransmitting database description and link state request packets. Set this value well above the expected round-trip delay between any two routers on the attached network. Be conservative when setting this value to prevent unnecessary retransmissions.
      • Range: 1-65535 in number of seconds.
      • Default: 5.
    • Auth Type—Type of authentication scheme to use for a given link. In general, routers on a given link must agree on the authentication configuration to form neighbor adjacencies. This feature guarantees that routing information is accepted only from trusted routers.
      • Options: None / Simple / MD5.
      • Default: None.
  6. If you selected MD5 for the auth type, you must also configure the following parameters:
    • Add MD5 Key— If the Auth type selected is MD5, the MD5 List appears. Click Add and specify the MD5 Key ID and its corresponding MD5 key. If you configure multiple Key IDs, the Key ID with the highest value is used to authenticate outgoing packets. All keys can be used to authenticate incoming packets.
    • Key ID—The Key ID is included in the outgoing OSPF packets to enable the receivers to use the appropriate MD5 secret to authenticate the packet.
      • Range: 0-255.
      • Default: None
    • MD5 Secret—The MD5 secret is included in encrypted form in outgoing packets to authenticate the packet. Range: 1-16 alphanumeric characters. Default: None
  7. Repeat this procedure on both the ABR for the discontiguous area and an ABR that connects to the backbone area.

Configuring OSPF Interfaces

To configure an OSPF interface:

  1. In the Edit Interface window, assign the appropriate Area to each interface by selecting the OSPF area that this interface participates in.

    The OSPF interface configuration parameters are displayed showing the default settings. If you want to accept the default settings for the interface, no further action is necessary.

  2. (Optional) Change any configuration parameters for the interface.

    Note - The hello interval, dead interval, and authentication method must be the same for all routers on the link.

Configuration Parameters for OSPF Interfaces

Parameter

Description

Area

The drop-down list displays all of the areas configured and enabled on your platform. An entry for the backbone area is displayed even if it is disabled.

An OSPF area defines a group of routers running OSPF that have the complete topology information of the given area. OSPF areas use an area border router (ABR) to exchange information about routes. Routes for a given area are summarized into the backbone area for distribution into other non‑backbone areas. An ABR must have at least two interfaces in at least two different areas.

For information on adding an area Configuring OSPF Areas and Global Settings.

Hello interval

Specifies the length of time in seconds between hello packets that the router sends on this interface. For a given link, this value must be the same on all routers, or adjacencies do not form.

  • Range: 1-65535 in seconds
  • Default: For broadcast interfaces, the default hello interval is 10 seconds. For point-to-point interfaces, the default hello interval is 30 seconds.

Dead interval

Specifies the number of seconds after the router stops receiving hello packets that it declares the neighbor is down.

  • Recommended value: Four times the hello interval. For a given link, this value must be the same on all routers, or adjacencies do not form. The value must not be 0.
  • Range: 1-65535 in seconds.
  • Default: For broadcast interfaces, the default dead interval is 40 seconds. For point-to-point interfaces, the default dead interval is 120 seconds.

Retransmit interval

Specifies the number of seconds between LSA retransmissions for this interface. This value is also used when retransmitting database description and link state request packets. Set this value well above the expected round-trip delay between any two routers on the attached network. Be conservative when setting this value to prevent necessary retransmissions.

  • Range: 1-65535 in seconds.
  • Default: 5.

OSPF cost

Specifies the weight of a given path in a route. The higher the cost you configure, the less preferred the link as an OSPF route. For example, you can assign different relative costs to two interfaces to make one more preferred as a routing path. You can explicitly override this value in route redistribution.

  • Range: 1-65535.
  • Default: 1.

Election priority

Specifies the priority for becoming the designated router (DR) on this link. When two routers attached to a network both attempt to become a designated router, the one with the highest priority wins. If there is a current DR on the link, it remains the DR regardless of the configured priority. This feature prevents the DR from changing too often and applies only to a shared-media interface, such as Ethernet. A DR is not elected on point-to-point type interfaces. A router with priority 0 is not eligible to become the DR.

  • Range: 0-255.
  • Default: 1.

Passive

Specifies that the interface does not send hello packets, which means that the link does not form any adjacencies. This mode enables the network associated with the interface to be included in the intra-area route calculation rather than redistributing the network into OSPF and having it as an ASE. In passive mode, all interface configuration information, with the exception of the associated area and the cost, is ignored.

  • Options: On or Off.
  • Default: Off.

Use Virtual Address

Makes OSPF run only on the VRRP Virtual IP address associated with this interface. If this router is not a VRRP master, then OSPF will not run if this option is On. It will only run on the VRRP master. You must also configure VRRP to accept connections to VRRP IPs. For more information, see Configuring Monitored-Circuit VRRP.

  • Options: On or Off.
  • Default: Off

Authorization Type

Specifies which type of authentication scheme to use for a given link. In general, routers on a given link must agree on the authentication configuration to form neighbor adjacencies. This feature guarantees that routing information is accepted only from trusted routers.

Options are:

  • None: Does not authenticate packets.

    This is the default option.

  • Simple: Uses a key of up to eight characters. Provides little protection because the key is sent in the clear, and it is possible to capture packets from the network and learn the authentication key.
  • MD5: Uses a key of up to 16 characters. Provides much stronger protection, as it does not include the authentication key in the packet. Instead, it provides a cryptographic hash based on the configured key. The MD5 algorithm creates a crypto checksum of an OSPF packet and an authentication key of up to 16 characters. The receiving router performs a calculation using the correct authentication key and discards the packet if the key does not match. In addition, a sequence number is maintained to prevent the replay of older packets.

Configuring OSPF - CLI (ospf)

Use the following group of commands to set and view parameters for OSPF. This syntax is shown below for each set of commands.

Note - Gaia does not have CLI commands for route filtering and redistribution. You must configure inbound routing policies and redistribution of routes through the WebUI. You can configure route maps and route aggregation using CLI commands. Route map configuration done through the CLI takes precedence over route filtering and redistribution configured in the WebUI. For example if OSPF uses route maps for inbound filtering, anything configured on the WebUI page for inbound route filters for OSPF is ignored. You can still use the WebUI to configure route redistribution into OSPF.

When you do initial configuration, set the router ID. You can also use the following commands to change the router ID.

set router‑id
	default
	ip_address

Parameter

Description

router‑id default

Selects the highest interface address when OSPF is enabled.

router‑id ip_address

Specifies a specific IP address to assign as the router ID. Do not use 0.0.0.0 as the router ID address. Check Point recommends setting the router ID rather than relying on the default setting. Setting the router ID prevents the ID from changing if the default interface used for the router ID goes down.

The Router ID uniquely identifies the router in the autonomous system. The router ID is used by the BGP and OSPF protocols. We recommend setting the router ID rather than relying on the default setting. This prevents the router ID from changing if the interface used for the router ID goes down. Use an address on a loopback interface that is not the loopback address (127.0.0.1). In a cluster, you must select a router ID and make sure that it is the same on all cluster members.

  • Range: Dotted-quad.([0-255].[0-255].[0-255].[0-255]). Do not use 0.0.0.0
  • Default: The interface address of one of the local interfaces.

OSPF Global Settings

Use the following commands to configure setting that apply to all configured OSPF areas, including the backbone and stub areas.

For OSPFv2 use the following commands:

set ospf
	rfc1583‑compatibility <on | off>
	spf‑delay <1‑60>
	spf‑delay default
	spf‑holdtime <1‑60>
	spf‑holdtime default
	default‑ase‑cost <1‑677215>
	default‑ase‑type <1 | 2>
	graceful-restart-helper <on | off>

Parameter

Description

rfc1583‑compatibility <on | off>

The Check Point implementation of OSPF is based on RFC 2178, which fixed some looping problems in an earlier specification of OSPF. If your implementation runs in an environment with OSPF implementations based on RFC 1583 or earlier, enable this option, which is on by default. Setting compatibility with RFC 1583 ensures backward compatibility.

on

spf‑delay <1‑60>

Specifies the time, in seconds, to wait before recalculating the OSPF routing table after a change in the topology.

spf‑delay default

Specifies an spf‑delay time of 2 seconds.

spf‑holdtime <1‑60>

Specifies the minimum time, in seconds, between recalculations of the OSPF routing table.

spf‑holdtime default

Specifies an spf‑holdtime of 5 seconds.

default‑ase‑cost <1‑6777215>

Specifies the cost assigned to routes from other protocols that are redistributed into OSPF as autonomous systems external. If the route has a cost already specified, that cost takes precedent.

1

default‑ase‑type <1 | 2>

Specifies the type assigned to routes from other protocols that are redistributed into OSPF as autonomous systems external. If the route has a type already specified, that type takes precedent.

1

graceful-restart-helper <on | off>

Specifies whether the Check Point system should maintain the forwarding state advertised by peer routers even when they restart to minimize the negative effects caused by peer routers restarting.

OSPF Interfaces

Use the following commands to configure a backbone and other areas, such as stub areas, for specified interfaces.

For OSPFv2 use the following commands:

set ospf
	area <backbone | ospf_area> range ip_prefix <on | off>
	area <backbone | ospf_area> range ip_prefix restrict <on | off>
	stub‑network ip_prefix <on | off>
	stub‑network ip_prefix stub‑network‑cost <1‑677722>
	
set ospf interface if_name 
	area <backbone | ospf_area> <on | off>
	hello‑interval <1‑65535>
	hello‑interval default
	dead‑interval <1‑65535>
	dead‑interval default
	retransmit‑interval <1‑65535>
	retransmit‑interval default
	cost <1‑65535>
	priority <0‑255>
	passive <on | off>
	virtual-address <on | off>
	authtype none
	simple password
	md5 key authorization key id secret md5 secret
	md5 key authorization key id

Parameter

Description

area <backbone | ospf_area> range ip_prefix <on | off>

Select an area from the areas already configured.
Any area can be configured with any number of address ranges. These ranges are used to reduce the number of routing entries that a given area transmits to other areas. If a given prefix aggregates a number of more specific prefixes within an area, you can configure an address range that becomes the only prefix advertised to other areas. Be careful when configuring an address range that covers part of a prefix that is not contained within an area. An address range is defined by an IP prefix and a mask length. If you mark a range as restrict, it is not advertised to other areas.

area <backbone | ospf_area> range ip_prefix restrict <on | off>

Any area can be configured with any number of address ranges. These ranges are used to reduce the number of routing entries that a given area transmits to other areas. If a given prefix aggregates a number of more specific prefixes within an area, you can configure an address range that becomes the only prefix advertised to other areas. Be careful when configuring an address range that covers part of a prefix that is not contained within an area. An address range is defined by an IP prefix and a mask length. If you mark a range as restrict, it is not advertised to other areas.

stub‑network ip_prefix <on | off>

Specifies a stub network to which the specified interface range belongs. Configure a stub network to advertise reachability to prefixes that are not running OSPF. The advertised prefix appears as an OSPF internal route and is filtered at area borders with the OSPF area ranges. The prefix must be directly reachable on the router where the stub network is configured, that is, one of the router’s interface addresses must fall within the prefix range to be included in the router‑link‑state advertisement. Use a mask length of 32 to configure the stub host. The local address of a point‑to‑point interface can activate the advertised prefix and mask. To advertise reachability to such an address, enter an IP address for the prefix and a non‑zero cost for the prefix.

stub‑network ip_prefix stub‑network‑cost <1‑677722>

Configure a stub network to advertise reachability to prefixes that are not running OSPF. The advertised prefix appears as an OSPF internal route and is filtered at area borders with the OSPF area ranges. The prefix must be directly reachable on the router where the stub network is configured, that is, one of the router’s interface addresses must fall within the prefix range to be included in the router‑link‑state advertisement. Use a mask length of 32 to configure the stub host. The local address of a point‑to‑point interface can activate the advertised prefix and mask. To advertise reachability to such an address, enter an IP address for the prefix and a non‑zero cost for the prefix.

interface if_name area <backbone | ospf area> <on | off>

Specifies the OSPF area to which the specified interface belongs.

interface if_name hello‑interval <1‑65535>

Specifies the interval, in seconds, between hello packets that the router sends on the specified interface. For a given link, this value must be the same on all routers or adjacencies do not form.

interface if_name hello‑interval default

Specifies the default value for the hello interval, which is 10 seconds.

interface if_name dead‑interval <1‑65535>

Specifies the number of seconds after which a router stops receiving hello packets that it declares the peer down. Generally, you should set this value at 4 times the value of the hello interval. Do not set the value at 0. For a given link, this value must be the same on all routers or adjacencies do not form.

interface if_name dead‑interval default

Specifies the default value for the dead interval, which is 40 seconds

interface if_name retransmit‑interval <1‑65535>

Specifies the number of seconds between link state advertisement transmissions for adjacencies belonging to the specified interface. This value also applies to database description and link state request packets. Set this value conservatively, that is, at a significantly higher value than the expected round‑trip delay between any two routers on the attached network.

interface if_name retransmit‑interval default

Specifies the default for the retransmit interval, which is 5 seconds.

interface if_name cost <1‑65535>

Specifies the weight of the given path in a route. The higher the cost, the less preferred the link. To use one interface over another for routing paths, assign one a higher cost.

interface if_name priority <0‑255>

Specifies the priority for becoming the designated router (DR) on the specified link. When two routers attached to a network attempt to become a designated router, the one with the highest priority wins. This option prevents the DR from changing too often. The DR option applies only to a share‑media interface, such as Ethernet or FDDI; a DR is not elected on a point‑to‑point type interface. A router with a priority of 0 is not eligible to become the DR.

interface if_name passive <on | off>

Enabling this option puts the specified interface into passive mode; that is, hello packets are not sent from the interface. Putting an interface into passive mode means that no adjacencies are formed on the link. This mode enables the network associated with the specified interface to be included in intra‑area route calculation rather than redistributing the network into OSPF and having it function as an autonomous system external.

off

interface if_name authtype none

Specifies not to use an authentication scheme for the specified interface.

interface if_name authtype simple password

Specifies to use simple authentication for the specified interface. Enter an ASCII string that is 8 characters long. Generally, routers on a given link must agree on the authentication configuration to form peer adjacencies. Use an authentication scheme to guarantee that routing information is accepted only from trusted peers.

interface if_name authtype md5 key authorization key id secret md5 secret

Specifies to use MD5 authorization. Enter at least one key ID and its corresponding MD5 secret. If you configure multiple key IDs, the largest key ID is used for authenticating outgoing packets. All keys can be used to authenticate incoming packets. Generally, routers on a given link must agree on the authentication configuration to form peer adjacencies. Use an authentication scheme to guarantee that routing information is accepted only from trusted peers.

OSPF Virtual Links

Use the following commands to configure OSPF virtual links. Configure a virtual link if the router is a border router that does not have interfaces in the backbone area. The virtual link is effectively a tunnel across an adjacent non‑backbone area whose endpoint must be any of the adjacent area’s border routers that has an interface in the backbone area.

For OSPFv2 use the following commands:

set ospf area backbone virtual‑link ip_address
 	transit‑area ospf_area <on | off>
	transit‑area ospf_area hello‑interval <1‑65535>
	transit‑area ospf_area hello‑interval default
	transit‑area ospf_area dead interval <1‑4294967295>
	transit‑area ospf_area dead interval default
	transit‑area ospf_area retransmit‑interval <1‑4294967295>
	transit‑area ospf_area retransmit‑interval default
	transit‑area ospf_area authtype none
	transit‑area ospf_area authtype simple password
	transit‑area ospf_area authtype md5 key authorization key id secret md5 key
	transit‑area ospf_area authtype md5 key authorization key id off

Parameter

Description

ip_address transit‑area ospf_area <on | off>

Specifies the IP address of the remote endpoint of the virtual link and transit area, which is a specified ospf area you configure using the set ospf area command. Configure the ospf area you are using as the transit area before you configure the virtual link. The transit area is the area shared by the border router on which you configure the virtual link and the router with an interface in the backbone area. Traffic between the endpoints of the virtual link flow through this area. The virtual link IP address functions as the router ID of the remote endpoint of the virtual link.

ip_address transit‑area ospf_area hello‑interval <1‑65535>

Specifies the interval, in seconds, between hello packets that the router sends on the specified interface. For a given link, this value must be the same on all routers or adjacencies do not form.

ip_address transit‑area ospf_area hello‑interval default

Specifies an interval of 10 seconds.

ip_address transit‑area ospf_area dead‑interval <1‑4294967295>

Specifies the number of seconds after which a router stops receiving hello packets that it declares the neighbor down. Generally, you should set this value at 4 times the value of the hello interval. Do not set the value at 0. For a given link, this value must be the same on all routers or adjacencies do not form.

ip_address transit‑area ospf_area dead‑interval default

Specifies a value of 40 seconds.

ip_address transit‑area ospf_area retransmit‑interval <1‑4294967295>

Specifies the number of seconds between link state advertisement transmissions for adjacencies belonging to the specified interface. This value also applies to database description and link state request packets. Set this value conservatively, that is, at a significantly higher value than the expected round‑trip delay between any two routers on the attached network.

ip_address transit‑area ospf_area retransmit‑interval default

Specifies a value of 5 seconds.

ip_address transit‑area ospf_area authtype none

Specifies not to use an authentication scheme for the specified interface.

ip_address transit‑area ospf_area authtype simple password

Specifies to use simple authentication for the specified interface. Enter an ASCII string that is 8 characters long. Generally, routers on a given link must agree on the authentication configuration to form neighbor adjacencies. Use an authentication scheme to guarantee that routing information is accepted only from trusted peers.

ip_address transit‑area ospf_area authtype md5 key authorization key id secret MD5 secret

Specifies to use MD5 authorization. Enter at least one key ID and its corresponding MD5 secret. If you configure multiple key IDs, the largest key ID is used for authenticating outgoing packets. All keys can be used to authenticate incoming packets. Generally, routers on a given link must agree on the authentication configuration to form neighbor adjacencies. Use an authentication scheme to guarantee that routing information is accepted only from trusted peers.

OSPF Areas

Use the following commands to configure OSPF areas, including the backbone and stub areas.

For OSPFv2, use the following commands.

set ospf area backbone <on | off>
 
set ospf area ospf_area
	<on| off>
	stub <on | off>
	stub default‑cost <1‑677215>
	stub summary <on | off>
	nssa <on | off>
	nssa default-cost <1-677215>
	nssa default-metric-type <1-2>
	nssa import-summary-routes <on | off>
	nssa translator-role <always | candidate>
	nssa translator-stability-interval <1-65535>
	nssa redistribution <on |off>
	nssa range ip_addr [restrict] <on | off>

Parameter

Description

backbone <on | off>

Specifies whether to enable or disable the backbone area. By default, the backbone area is enabled. You can disable the backbone area if the system does not have interfaces on the backbone area.

<on | off>

Specifies the area ID for a new OSPF area. Check Point recommends that you enter the area ID as a dotted quad, but you can use any integer as the area ID. The area ID 0.0.0.0 is reserved for the backbone.

stub <on | off>

Specifies the area ID for a stub area. Stub areas are areas that do not have AS external routes.

Note: The backbone area cannot be a stub area.

stub default‑cost <1‑677215>

Specifies a default route into the stub area with the specified cost.

stub summary <on | off>

Specifies the OSPF area as totally stubby, meaning that it does not have any AS external routes and its area border routers do not advertise summary routes.

nssa <on | off>

Specifies the area ID for an NSSA.

Note: The backbone area cannot be an NSSA area.

nssa default-cost <1-677215>

Specifies the cost associated with the default route to the NSSA.

nssa default-metric-type <1-2>

Specifies the type of metric. The default, type 1, is equivalent to the Default ASE Route Type on the OSPF WebUI page. A type 1 route is internal and its metric can be used directly by OSPF for comparison. A type 2 route is external and its metric cannot be used for comparison directly.

nssa import-summary-routes <on | off>

Specifies if summary routes (summary link advertisements) are imported into the NSSA.

nssa translator-role <always | candidate>

Specifies whether this NSSA border router will unconditionally translate Type-7 LSAs into Type-5 LSAs. When role is Always, Type-7 LSAs are translated into Type-5 LSAs regardless of the translator state of other NSSA border routers. When role is Candidate, this router participates in the translator election to determine if it will perform the translations duties.

nssa translator-stability-interval <1-65535>

Specifies how long in seconds this elected Type-7 translator will continue to perform its translator duties once it has determined that its translator status has been assumed by another NSSA border router. Default: 40 seconds.

nssa redistribution <on |off>

Specifies if both Type-5 and Type-7 LSAs or only Type-7 LSAs will be originated by this NSSA border router.

nssa rangeip_addr[restrict] <on | off>

Specify the range of addresses to reduce the number of Type-5 LSAs for the NSSA border router. To prevent a specific prefix from being advertised, use the restrict argument.

OSPF Show Commands

Use the following commands to monitor and troubleshoot your OSPF implementation.

To view a summary of your OSPF implementation, including the number of areas configured and the number of interfaces configured within each area, use:

  • For OSPFv2: show ospf

For OSPFv2 use the following commands:

show ospf
	neighbors
	neighbor ip_address
	interfaces
	interfaces stats
	interfaces detailed
	interface ifname
	interface ifname stats
	interface ifname detailed
	packets
	errors
	errors dd
	errors hello
	errors ip
	errors lsack
	errors lsr
	errors lsu
	errors protocol
	events
	border‑routers
	database
	database areas
	database area ospf_area
	database asbr‑summary-lsa
	database checksum
	database database‑summary
	database detailed
	database external-lsa
	database network-lsa
	database router-lsa
	database summary-lsa
	database type <1 | 2 | 3 | 4 |5 | 7> [detailed]
	database nssa-external-lsa [detailed]
	summary

Parameter

Description

neighbors

The IP addresses of neighboring interfaces, their priority and status, and the number of errors logged for each interface.

neighbor ip_address

The priority, status, and number of errors logged for the specified IP address.

interface ifname <on | off>

The use of the VRRP virtual link-local address as the source of its control packets

interfaces

The names of all configured logical interfaces, their corresponding IP addresses, to area to which each interface is assigned, each interface’s status and the IP addresses of each logical interface’s designated router and backup designated router.

interfaces stats

The number of each type of error message logged for each OSPF interface as well as the number of link state advertisements sent by each interface.

interfaces detailed

Displays detailed information about each OSPF interface, including the authentication type configured if any, the router IDs and IP addresses of the designated router and backup designated router, the timer intervals configured for hello wait, dead, and retransmit messages, and the number of neighbors for each interface.

interface if_name

The IP address, area ID, status, number of errors logged, and the IP address of the designated router and backup designated router for the specified interface.

interface if_name stats

The number of each type of error message logged by the specified interface as well as the number of link‑state advertisements sent by the specified interface.

interface if_name detailed

Displays detailed information about the specified interface, including the authentication type configured if any, the router IDs and IP addresses of the designated router and backup designated router, the timer intervals configured for hello wait, dead, and retransmit messages, and the number of neighbors for each interface

packets

The number of each type of packet sent, including hello packets, link‑state update packets, and link‑state acknowledgment and link‑state request packets.

errors

The number of each type of error message sent, including hello protocol errors, database description errors, protocol errors, link‑state acknowledgment errors, link‑state request errors, link‑state update errors, and IP errors.

errors dd

The number of each type of database‑ description error messages only.

errors hello

The number of each type of hello‑ error message only.

errors ip

The number of each type of IP‑errors message only.

errors lsack

The number of each type of link‑state acknowledgment error message only.

errors lsu

The number of each type of link‑state update error message only

errors lsr

The number of each type of link‑state request error messages only.

errors protocol

The number of each type of protocol error message only.

border‑routers

The IP address of each area border router, the OSPF area of each border router, and the cost associated with each IP address.

database

Router‑link state and network‑link sate statistics for each OSPF area. Also The checksum, sequence number, and link count of each OSPF interface.

database areas

Router‑link state, network‑link state, AS‑border‑router link state, AS‑external link state, and summary‑link state statistics for each OSPF area. Also The checksum, sequence number, and link count of each OSPF interface.

database area ospf_area

Displays router‑link state, network‑link state, AS‑border‑router‑link state, AS‑ external‑link state, and summary‑link state statistics for the specified OSPF area. Also The checksum, sequence number, and link count of each IP address configured within the specified OSPF area.

database asbr‑summary

A summary of AS‑border‑router link state statistics for each OSPF area. For OSPFv2 only.

database external

Displays AS‑external‑link state statistics for each OSPF area.

database database‑summary

A summary of router‑link‑state, network‑link state, summary‑link‑state, and AS‑border‑router‑link state statistics.

database network

Network‑link‑state statistics, including the advertised router, sequence number, and checksum of each OSPF interface. For OSPFv2 only.

database nssa-external-lsa [detailed]

Type 7 LSAs (NSSA). This argument applies only to OSPF v2.

database router-lsa

Displays router‑link‑state statistics, including the advertised router, sequence number, checksum, and link count, of each OSPF interface. For OSPFv2 only.

database summary-lsa

A summary of link‑state statistics for each OSPF area. For OSPFv2 only.

database type <1 | 2 | 3 | 4 |5 | 7> [detailed]

Displays link‑state statistics associated with the specified number:

1—router‑link‑state statistics.

2—network‑link‑state statistics.

3—summary‑link‑state statistics.

4—AS‑border‑router‑link‑state statistics.

5—AS‑external‑link‑state statistics.

7—NSSA. This option applies only to OSPF v2.

events

The number of interface up/down events; virtual interface up/down events; designated router election events; router ID changes; area border router changes; AS border router changes, and link state advertisement messages.

 
Top of Page ©2013 Check Point Software Technologies Ltd. All rights reserved. Download Complete PDF Send Feedback Print