OSPF
Open Shortest Path First (OSPF) is an interior gateway protocol (IGP) used to exchange routing information between routers within a single autonomous system (AS). OSPF calculates the best path based on true costs, using a metric assigned by a network administrator, whereas RIP, the oldest IGP, chooses the least-cost path based on hop count. OSPF is more efficient than RIP, converges more quickly, and provides equal-cost multipath routing, where packets to a single destination can be sent over more than one interface. OSPF is suitable for complex networks with a large number of routers. It can coexist with RIP on a network.
Gaia supports OSPFv2, which supports IPv4 addressing.
You can run OSPF over a route-based VPN by enabling OSPF on a virtual tunnel interface (VTI).
Types of Areas
Routers using OSPF send packets called Link State Advertisements (LSA) to all routers in an area. Areas are smaller groups within the AS that you can design to limit the flooding of an LSA to all routers. LSAs do not leave the area from which they originated, thus increasing efficiency and saving network bandwidth.
You must specify at least one area in your OSPF network—the backbone area, which has the responsibility to propagate information between areas. The backbone area has the identifier 0.0.0.0.
You can designate other areas, depending on your network design, of the following types:
- Normal Area — Allows all LSAs to pass through. The backbone is always a normal area.
- Stub Area — Stub areas do not allow Type 5 LSAs to be propagated into or throughout the area and instead depend on default routing to reach external destinations. You can configure an area as a stub to reduce the number of entries in the routing table (routes external to the OSPF domain are not added to the routing table).
- NSSA (Not So Stubby Area) — Allows the import of external routes in a limited fashion using Type-7 LSAs. NSSA border routers translate selected Type 7 LSAs into Type 5 LSAs which can then be flooded to all Type-5 capable areas. Configure an area as an NSSA if you want to reduce the size of the routing table, but still want to allow routes that are redistributed to OSPF.
It is generally recommended that you limit OSPF areas to about 50 routers based on the limitations of OSPF (traffic overhead, table size, convergence, and so on).
All OSPF areas must be connected to the backbone area. If you have an area that is not connected to the backbone area, you can connect it by configuring a virtual link, enabling the backbone area to appear contiguous despite the physical reality.
Note - If you need to connect two networks that both already have backbone areas and you do not want to reconfigure one to something other than 0.0.0.0, you can connect the two backbone areas using a virtual link.
Each router records information about its interfaces when it initializes and builds an LSA packet. The LSA contains a list of all recently seen routers and their costs. The LSA is forwarded only within the area it originated in and is flooded to all other routers in the area. The information is stored in the link-state database, which is identical on all routers in the AS.
Area Border Routers
Routers called Area Border Routers (ABR) have interfaces to multiple areas. ABRs compact the topological information for an area and transmit it to the backbone area. Check Point supports the implementation of ABR behavior as outlined in the Internet draft of the Internet Engineering Task Force (IETF). The definition of an ABR in the OSPF specification as outlined in RFC 2328 does not require a router with multiple attached areas to have a backbone connection. However, under this definition, any traffic destined for areas that are not connected to an ABR or that are outside the OSPF domain is dropped. According to the Internet draft, a router is considered to be an ABR if it has more than one area actively attached and one of them is the backbone area. An area is considered actively attached if the router has at least one interface in that area that is not down.
Rather than redefine an ABR, the Check Point implementation includes in its routing calculation summary LSAs from all actively attached areas if the ABR does not have an active backbone connection (that is, a backbone that is actively attached and includes at least one fully adjacent neighbor). You do not need to configure this feature; it functions automatically under certain topologies.
OSPF uses the following types of routes:
- Intra-area—Have destinations within the same area.
- Interarea—Have destinations in other OSPF areas.
- Autonomous system external (ASE)—Have destinations external to the autonomous system (AS). These are the routes calculated from Type 5 LSAs.
- NSSA ASE Router—Have destinations external to AS. These are the routes calculated from Type 7 LSAs.
All routers on a link must agree on the configuration parameters of the link. All routers in an area must agree on the configuration parameters of the area. A separate copy of the SPF algorithm is run for each area. Misconfigurations prevent adjacencies from forming between neighbors, and routing black holes or loops can form.
High Availability Support for OSPF
Gaia supports the OSPF protocol in clusters configured either via VRRP or ClusterXL.
In this configuration, the cluster becomes a virtual router, which is seen by neighboring routers as a single router that has an IP address that is the same as the virtual IP address of the cluster. Each member of the cluster runs the OSPF task, but only the member which is designated as primary or master actively participates in the network and exchanges routing information with neighbor routers. When a failover occurs, the standby member of the cluster becomes the master and its OSPF task becomes the active participant in protocol exchanges with neighbor routers.
Gaia also supports the OSPF protocol over VPN tunnels which terminate in the VRRP or ClusterXL cluster.
VRRP
Gaia supports the advertising of the virtual IP address of the VRRP virtual router. You can configure OSPF to advertise the virtual IP address rather than the actual IP address of the interface.
If you enable this option, OSPF runs only on the master of the virtual router; on a failover, OSPF stops being active on the old master and becomes active on the new master. Because the OSPF routes database of the master is not synchronized across all members of the cluster, a traffic break may occur during the time it takes VRRP to become active and the OSPF protocol to learn routes again. The larger the network, the more time it takes OSPF to synchronize its database and install routes again.
Note - You must use monitored-circuit VRRP, not VRRP v2, when configuring virtual IP support for OSPF or any other dynamic routing protocol.
ClusterXL
Gaia ClusterXL advertises the virtual IP address of the ClusterXL virtual router. The OSPF routes database of the master is synchronized across all members of the cluster. The OSPF task of each standby member obtains routing state and information from the master and installs the routes in the kernel as the master does. On a failover, one of the standby members becomes the new master and continues where the old master failed. While the new master resynchronizes its routes database with the neighbor routers, traffic forwarding continues using the old kernel routes until the OSPF routes are fully synchronized and pushed into the kernel.
Configuring OSPF - WebUI
To configure OSPF:
- In the page of the WebUI, configure Ethernet Interfaces and assign an IP address to the interface.
- Open the page of the WebUI.
- Define other Global settings, including the
- Optional: Define additional OSPF areas (in addition to the backbone area).
- Optional: For each area, you can add one or more address ranges if you want to reduce the number of routing entries that the area advertises into the backbone.
Note - To prevent an address range from being advertised into the backbone, select for the address range
- Configure OSPF Interfaces.
- Configure virtual links for any area that does not connect directly to the backbone area.
Configuring Global Settings
The following table shows the global settings that you can specify for OSPF. Configure these settings by clicking OSPF under Configuration > Routing Configuration in the tree view and scrolling down to these fields.
Global Settings for OSPF
Parameter
|
Description
|
|
The Router ID uniquely identifies the router in the autonomous system. The router ID is used by the BGP and OSPF protocols. We recommend setting the router ID rather than relying on the default setting. This prevents the router ID from changing if the interface used for the router ID goes down. Use an address on a loopback interface that is not the loopback address (127.0.0.1). In a cluster, you must select a router ID and make sure that it is the same on all cluster members.
- Range: Dotted quad ([0-255].[0-255].[0-255].[0-255]). Do not use 0.0.0.0.
- Default: The interface address of one of the local interfaces.
|
|
This implementation of OSPF is based on RFC 2178, which fixed some looping problems in an earlier specification of OSPF. If your implementation is running in an environment with OSPF implementations based on RFC 1583 or earlier, enable RFC 1583 compatibility to ensure backward compatibility.
|
|
Specifies the time in seconds the system will wait to recalculate the OSPF routing table after a change in topology.
|
|
Specifies the minimum time in seconds between recalculations of the OSPF routing table.
|
|
Specifies a cost for routes redistributed into OSPF as ASEs. Any cost previously assigned to a redistributed route overrides this value.
|
|
Specifies a route type for routes redistributed into OSPF as ASEs, unless these routes already have a type assigned.
There are two types:
- Type 1 external: Used for routes imported into OSPF which are from IGPs whose metrics are directly comparable to OSPF metrics. When a routing decision is being made, OSPF adds the internal cost to the AS border router to the external metric.
- Type 2 external: Used for routes whose metrics are not comparable to OSPF internal metrics. In this case, only the external OSPF cost is used. In the event of ties, the least cost to an AS border router is used.
|
|
When a router running OSPF restarts, all the routing peers detect that the session failed and recovered. This transition results in a routing flap. It causes routes to be recomputed, updates to be generated, and unnecessary churn to the forwarding tables.
Enabling this option minimizes the negative effects caused by peer routers restarting by causing the Check Point system to maintain the forwarding state advertised by peer routers even when they restart.
|
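The Type 1 / Type 2 distinction and the default-ase-cost and default-ase-type settings described in the table above can be checked with a small model of external-route selection. This is an added example, not Gaia code: the ExternalRoute record, redistribute() and best_external() are constructed for it, and the final router-ID tie-break is a deterministic choice for the example only (OSPF itself keeps all equal-cost paths).

```python
from dataclasses import dataclass
from ipaddress import IPv4Network


@dataclass(frozen=True)
class ExternalRoute:
    """One candidate path to an external destination learned from a Type 5 LSA."""
    prefix: IPv4Network
    asbr_id: str        # router ID of the AS border router that originated the LSA
    asbr_cost: int      # intra-AS OSPF cost from this router to that ASBR
    ext_metric: int     # metric carried in the LSA
    ext_type: int       # 1 or 2


def redistribute(prefix, asbr_id, asbr_cost, cost=None, route_type=None,
                 default_ase_cost=1, default_ase_type=1):
    """Apply the default-ase-cost / default-ase-type global settings when a route
    enters OSPF: a cost or type the route already carries overrides the default."""
    return ExternalRoute(IPv4Network(prefix), asbr_id, asbr_cost,
                         default_ase_cost if cost is None else cost,
                         default_ase_type if route_type is None else route_type)


def effective_metric(route):
    """Type 1 adds the internal cost to the ASBR; Type 2 uses the external metric alone."""
    if route.ext_type == 1:
        return route.asbr_cost + route.ext_metric
    if route.ext_type == 2:
        return route.ext_metric
    raise ValueError(f"unknown external route type {route.ext_type}")


def preference_key(route):
    """Sort key: lower wins. Type 1 paths are always preferred over Type 2 paths;
    among Type 2 paths the cost to the ASBR breaks ties. The router ID at the end
    is a deterministic tie-break for this example only (constructed assumption);
    real OSPF installs all equal-cost paths (equal-cost multipath)."""
    tie_break = route.asbr_cost if route.ext_type == 2 else 0
    return (route.ext_type, effective_metric(route), tie_break, route.asbr_id)


def best_external(candidates):
    """Pick the preferred candidate among paths to the same external prefix."""
    if len({c.prefix for c in candidates}) != 1:
        raise ValueError("candidates must all describe the same prefix")
    return min(candidates, key=preference_key)
```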
Configuring OSPF Areas
The following table lists the parameters for areas and global settings that you use when configuring OSPF on your system. As you add areas, each is displayed with its own configuration parameters under the Areas section.
- : Choose an IPv4 address (preferred) or an integer.
OSPF Normal Type Area Configuration Parameters
Parameter
|
Description
|
|
You can configure any area with any number of address ranges. Use these ranges to reduce the number of routing entries that a given area emits into the backbone and thus into all areas. If a given IPv4 address aggregates a number of more specific IPv4 addresses within an area, you can configure an address that becomes the only IPv4 address advertised into the backbone. You must be careful when configuring an address range that covers parts of an IPv4 address not contained within the area. By definition, an address range consists of an IPv4 address and a mask length.
Note: To prevent a specific IPv4 address from being advertised into the backbone, select .
|
|
OSPF can advertise reachability to IPv4 addresses that are not running OSPF using a stub network. The advertised IPv4 address appears as an OSPF internal route and can be filtered at area borders with the OSPF area ranges. The IPv4 address must be directly reachable on the router where the stub network is configured; that is, one of the router's interface addresses must fall within the IPv4 address to be included in the router-LSA. You configure stub hosts by specifying a mask length of 32.
This feature also supports advertising an IPv4 address and mask that can be activated by the local address of a point-to-point interface. To advertise reachability to such an address, enter an IP address and a cost with a value other than zero.
|
|
For descriptions of area types, see Types of Areas.
Options: Normal/Stub/NSSA.
|
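To see how the address-range row above works in practice, here is an added example (not Gaia code) that computes what an ABR would advertise into the backbone for one area and flags the caveat in that row: a range that covers address space not contained in the area. The networks and ranges are constructed sample input, and summarize_area(), subtract() and holes_in() are names chosen for the example.

```python
from ipaddress import IPv4Network, collapse_addresses


def subtract(block, subnets):
    """Address space of `block` that none of `subnets` covers."""
    remaining = [block]
    for s in subnets:
        nxt = []
        for r in remaining:
            if s.subnet_of(r):
                nxt.extend(r.address_exclude(s))   # yields nothing when s == r
            elif not r.subnet_of(s):
                nxt.append(r)                      # disjoint from s: keep as is
        remaining = nxt
    return list(collapse_addresses(remaining))


def holes_in(range_str, network_strs):
    """Convenience wrapper around subtract() that works on strings."""
    holes = subtract(IPv4Network(range_str), [IPv4Network(n) for n in network_strs])
    return [str(h) for h in holes]


def summarize_area(area_networks, ranges, other_area_networks=()):
    """What an ABR advertises into the backbone for one area.

    area_networks:       intra-area prefixes present in the area
    ranges:              [(IPv4Network, restrict), ...] as configured for the area
    other_area_networks: prefixes that belong to other areas (for the caveat check)
    Returns (advertised, suppressed, warnings)."""
    advertised, suppressed, warnings = [], [], []
    covered = set()
    for rng, restrict in ranges:
        inside = [n for n in area_networks if n.subnet_of(rng)]
        if not inside:
            warnings.append(f"{rng}: no network in the area falls inside it, nothing to summarise")
            continue
        covered.update(inside)
        if restrict:
            suppressed.extend(inside)      # restrict on: the range is not advertised at all
        else:
            advertised.append(rng)         # the range replaces its component prefixes
        holes = subtract(rng, inside)      # summarised space that no area network backs
        if holes:
            warnings.append(f"{rng}: advertises address space not present in the area: "
                            + ", ".join(map(str, holes)))
        clashes = [o for o in other_area_networks if o.subnet_of(rng)]
        if clashes:
            warnings.append(f"{rng}: also covers prefixes of another area: "
                            + ", ".join(map(str, clashes)))
    advertised.extend(n for n in area_networks if n not in covered)  # no range: as is
    return advertised, suppressed, warnings


# Constructed sample: area 1 holds five /24s; a /22 range summarises three of
# them, a restricted /24 range hides one, and 10.1.3.0/24 belongs to another area.
AREA_1 = [IPv4Network(p) for p in
          ("10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24", "10.1.8.0/24", "10.1.9.0/24")]
RANGES_1 = [(IPv4Network("10.1.0.0/22"), False), (IPv4Network("10.1.8.0/24"), True)]
OTHER_AREAS = [IPv4Network("10.1.3.0/24")]


def sample_summary():
    """Run the constructed sample; returns (advertised, suppressed, warnings)."""
    return summarize_area(AREA_1, RANGES_1, OTHER_AREAS)
```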
Stub Area Parameters
The following stub area configuration parameters appear if you define the area as a stub area.
Parameter
|
Description
|
|
Enter a cost for the default route to the stub area.
- Range: 1-16777215.
- Default: No default.
|
|
Specifies if summary routes (summary link advertisements) are imported into the stub area or NSSA. Each summary link advertisement describes a route to a destination outside the area, yet still inside the AS (i.e. an inter-area route). These include routes to networks and routes to AS boundary routers.
|
NSSA (Not So Stubby Area) Parameters
The following table describes the configuration parameters for NSSA areas. These fields appear if you define the area as an NSSA (Not So Stubby Area). For more information on NSSA, see RFC 3101.
Parameter
|
Description
|
|
Specifies whether this NSSA border router unconditionally translates Type-7 LSAs into Type-5 LSAs. When the role is Always, Type-7 LSAs are translated into Type-5 LSAs regardless of the translator state of other NSSA border routers. When the role is Candidate, this router participates in the translator election to determine whether it performs the translation duties. If this NSSA router is not a border router, this option has no effect.
|
|
Specifies how long in seconds this elected Type-7 translator will continue to perform its translator duties once it has determined that its translator status has been assumed by another NSSA border router. This field appears only if an area is defined as an NSSA with translator role as Candidate.
|
|
Specifies if summary routes (summary link advertisements) are imported into the stub area or NSSA. Each summary link advertisement describes a route to a destination outside the area, yet still inside the AS (i.e. an inter-area route). These include routes to networks and routes to AS boundary routers.
|
|
Enter a cost associated with the default route to the NSSA.
|
|
Specifies the route type associated with the Type-7 default route for an NSSA when routes from other protocols are redistributed into OSPF as ASEs. If a redistributed route already has a route type, that type is maintained. A Type-7 default route is generated only if summary routes are imported into the NSSA (otherwise a Type-3 default route is generated). This field appears only if an area is defined as an NSSA into which summary routes are imported.
The route type can be either 1 or 2. A type 1 route is internal and its metric can be used directly by OSPF for comparison. A type 2 route is external and its metric cannot be used for comparison directly.
|
|
Specifies whether this router originates both Type-5 and Type-7 LSAs or only Type-7 LSAs. This option takes effect only if this router is both an NSSA border router and an AS border router.
|
|
An NSSA border router that performs translation duties translates Type-7 LSAs to Type-5 LSAs. An NSSA border router can be configured with Type-7 address ranges. Use these ranges to reduce the number of Type-5 LSAs. Many separate Type-7 networks may fall into a single Type-7 address range. These Type-7 networks are aggregated and a single Type-5 LSA is advertised. By definition, a Type-7 address range consists of a prefix and a mask length.
Note: To prevent a specific prefix from being advertised, select On in the Restrict field next to the entry for that prefix.
|
Configuring OSPF Virtual Links
You must configure a virtual link for any area that does not connect directly to the backbone area. You configure the virtual link on both the ABR for the discontiguous area and another ABR that does connect to the backbone.
The virtual link acts like a point-to-point link. The routing protocol traffic that flows along the virtual link uses intra-area routing only.
To configure a virtual link:
- Create a Normal Type area (which does not connect directly to the backbone area) and configure an interface to be in that area.
- In the section, click .
- In the window, enter the of the remote endpoint of the virtual link.
- Select the . This is the area that connects both to the backbone and to the discontiguous area.
- Configure the following parameters for the virtual link:
- —Length of time, in seconds, between hello packets that the router sends on the interface. For a given link, this field must be the same on all routers or adjacencies do not form.
- —Number of seconds after the router stops receiving hello packets that it declares the neighbor is down. Typically, the value of this field should be four times that of the hello interval. For a given link, this value must be the same on all routers, or adjacencies do not form. The value must not be zero.
- Range: 1-65535.
- Default: 120.
- —Specifies the number of seconds between LSA retransmissions for adjacencies belonging to this interface. This value is also used when retransmitting database description and link state request packets. Set this value well above the expected round-trip delay between any two routers on the attached network. Be conservative when setting this value to prevent unnecessary retransmissions.
- Range: 1-65535 in number of seconds.
- Default: 5.
- —Type of authentication scheme to use for a given link. In general, routers on a given link must agree on the authentication configuration to form neighbor adjacencies. This feature guarantees that routing information is accepted only from trusted routers.
- Options: None / Simple / MD5.
- Default: None.
- If you selected MD5 for the auth type, you must also configure the following parameters:
- — If the Auth type selected is MD5, the appears. Click Add and specify the MD5 Key ID and its corresponding MD5 key. If you configure multiple Key IDs, the Key ID with the highest value is used to authenticate outgoing packets. All keys can be used to authenticate incoming packets.
- —The Key ID is included in the outgoing OSPF packets to enable the receivers to use the appropriate MD5 secret to authenticate the packet.
- Range: 0-255.
- Default: None
- —The MD5 secret itself is never sent; it is used to compute the digest that is appended to outgoing packets to authenticate them. Range: 1-16 alphanumeric characters. Default: None
- Repeat this procedure on both the ABR for the discontiguous area and an ABR that connects to the backbone area.
Configuring OSPF Interfaces
To configure an OSPF interface:
- In the window, assign the appropriate to each interface by selecting the OSPF area that this interface participates in.
The OSPF interface configuration parameters are displayed showing the default settings. If you want to accept the default settings for the interface, no further action is necessary.
- (Optional) Change any configuration parameters for the interface.
Note - The hello interval, dead interval, and authentication method must be the same for all routers on the link.
Configuration Parameters for OSPF Interfaces
Parameter
|
Description
|
|
The drop-down list displays all of the areas configured and enabled on your platform. An entry for the backbone area is displayed even if it is disabled.
An OSPF area defines a group of routers running OSPF that have the complete topology information of the given area. OSPF areas use an area border router (ABR) to exchange information about routes. Routes for a given area are summarized into the backbone area for distribution into other non‑backbone areas. An ABR must have at least two interfaces in at least two different areas.
For information on adding an area, see Configuring OSPF Areas and Global Settings.
|
|
Specifies the length of time in seconds between hello packets that the router sends on this interface. For a given link, this value must be the same on all routers, or adjacencies do not form.
- Range: 1-65535 in seconds
- Default: For broadcast interfaces, the default hello interval is 10 seconds. For point-to-point interfaces, the default hello interval is 30 seconds.
|
|
Specifies the number of seconds after the router stops receiving hello packets that it declares the neighbor is down.
- Recommended value: Four times the hello interval. For a given link, this value must be the same on all routers, or adjacencies do not form. The value must not be 0.
- Range: 1-65535 in seconds.
- Default: For broadcast interfaces, the default dead interval is 40 seconds. For point-to-point interfaces, the default dead interval is 120 seconds.
|
|
Specifies the number of seconds between LSA retransmissions for this interface. This value is also used when retransmitting database description and link state request packets. Set this value well above the expected round-trip delay between any two routers on the attached network. Be conservative when setting this value to prevent unnecessary retransmissions.
- Range: 1-65535 in seconds.
- Default: 5.
|
|
Specifies the weight of a given path in a route. The higher the cost you configure, the less preferred the link as an OSPF route. For example, you can assign different relative costs to two interfaces to make one more preferred as a routing path. You can explicitly override this value in route redistribution.
- Range: 1-65535.
- Default: 1.
|
|
Specifies the priority for becoming the designated router (DR) on this link. When two routers attached to a network both attempt to become a designated router, the one with the highest priority wins. If there is a current DR on the link, it remains the DR regardless of the configured priority. This feature prevents the DR from changing too often and applies only to a shared-media interface, such as Ethernet. A DR is not elected on point-to-point type interfaces. A router with priority 0 is not eligible to become the DR.
- Range: 0-255.
- Default: 1.
|
|
Specifies that the interface does not send hello packets, which means that the link does not form any adjacencies. This mode enables the network associated with the interface to be included in the intra-area route calculation rather than redistributing the network into OSPF and having it as an ASE. In passive mode, all interface configuration information, with the exception of the associated area and the cost, is ignored.
- Options: On or Off.
- Default: Off.
|
|
Makes OSPF run only on the VRRP Virtual IP address associated with this interface. If this router is not a VRRP master, then OSPF will not run if this option is On. It will only run on the VRRP master. You must also configure VRRP to accept connections to VRRP IPs. For more information, see Configuring Monitored-Circuit VRRP.
- Options: On or Off.
- Default: Off
|
|
Specifies which type of authentication scheme to use for a given link. In general, routers on a given link must agree on the authentication configuration to form neighbor adjacencies. This feature guarantees that routing information is accepted only from trusted routers.
Options are:
|
Configuring OSPF - CLI (ospf)
Use the following group of commands to set and view parameters for OSPF. This syntax is shown below for each set of commands.
Note - Gaia does not have CLI commands for route filtering and redistribution. You must configure inbound routing policies and redistribution of routes through the WebUI. You can configure route maps and route aggregation using CLI commands. Route map configuration done through the CLI takes precedence over route filtering and redistribution configured in the WebUI. For example, if OSPF uses route maps for inbound filtering, anything configured on the WebUI page for inbound route filters for OSPF is ignored. You can still use the WebUI to configure route redistribution into OSPF.
When you do initial configuration, set the router ID. You can also use the following commands to change the router ID.
set router-id
default
ip_address
|
Parameter
|
Description
|
router-id default
|
Selects the highest interface address when OSPF is enabled.
|
router-id ip_address
|
Specifies a specific IP address to assign as the router ID. Do not use 0.0.0.0 as the router ID address. The router ID uniquely identifies the router in the autonomous system and is used by both the BGP and OSPF protocols. Check Point recommends setting the router ID rather than relying on the default setting. Setting the router ID prevents the ID from changing if the default interface used for the router ID goes down. Use an address on a loopback interface that is not the loopback address (127.0.0.1). In a cluster, you must select a router ID and make sure that it is the same on all cluster members.
- Range: Dotted quad ([0-255].[0-255].[0-255].[0-255]). Do not use 0.0.0.0.
- Default: The interface address of one of the local interfaces.
|
OSPF Global Settings
Use the following commands to configure settings that apply to all configured OSPF areas, including the backbone and stub areas.
For OSPFv2 use the following commands:
set ospf
rfc1583-compatibility <on | off>
spf-delay <1-60>
spf-delay default
spf-holdtime <1-60>
spf-holdtime default
default-ase-cost <1-677215>
default-ase-type <1 | 2>
graceful-restart-helper <on | off>
|
Parameter
|
Description
|
rfc1583-compatibility <on | off>
|
The Check Point implementation of OSPF is based on RFC 2178, which fixed some looping problems in an earlier specification of OSPF. If your implementation runs in an environment with OSPF implementations based on RFC 1583 or earlier, enable this option, which is on by default. Setting compatibility with RFC 1583 ensures backward compatibility.
on
|
spf-delay <1-60>
|
Specifies the time, in seconds, to wait before recalculating the OSPF routing table after a change in the topology.
|
spf-delay default
|
Specifies an spf-delay time of 2 seconds.
|
spf-holdtime <1-60>
|
Specifies the minimum time, in seconds, between recalculations of the OSPF routing table.
|
spf-holdtime default
|
Specifies an spf-holdtime of 5 seconds.
|
default-ase-cost <1-6777215>
|
Specifies the cost assigned to routes from other protocols that are redistributed into OSPF as autonomous system externals (ASEs). If the route already has a cost, that cost takes precedence.
1
|
default-ase-type <1 | 2>
|
Specifies the type assigned to routes from other protocols that are redistributed into OSPF as ASEs. If the route already has a type, that type takes precedence.
1
|
graceful-restart-helper <on | off>
|
Specifies whether the Check Point system should maintain the forwarding state advertised by peer routers even when they restart to minimize the negative effects caused by peer routers restarting.
|
OSPF Interfaces
Use the following commands to configure a backbone and other areas, such as stub areas, for specified interfaces.
For OSPFv2 use the following commands:
set ospf
area <backbone | ospf_area> range ip_prefix <on | off>
area <backbone | ospf_area> range ip_prefix restrict <on | off>
stub-network ip_prefix <on | off>
stub-network ip_prefix stub-network-cost <1-677722>
set ospf interface if_name
area <backbone | ospf_area> <on | off>
hello-interval <1-65535>
hello-interval default
dead-interval <1-65535>
dead-interval default
retransmit-interval <1-65535>
retransmit-interval default
cost <1‑65535>
priority <0‑255>
passive <on | off>
virtual-address <on | off>
authtype none
simple password
md5 key authorization key id secret md5 secret
md5 key authorization key id
|
Parameter
|
Description
|
area <backbone | ospf_area> range ip_prefix <on | off>
|
Select an area from the areas already configured. Any area can be configured with any number of address ranges. These ranges are used to reduce the number of routing entries that a given area transmits to other areas. If a given prefix aggregates a number of more specific prefixes within an area, you can configure an address range that becomes the only prefix advertised to other areas. Be careful when configuring an address range that covers part of a prefix that is not contained within an area. An address range is defined by an IP prefix and a mask length. If you mark a range as restrict, it is not advertised to other areas.
|
area <backbone | ospf_area> range ip_prefix restrict <on | off>
|
Any area can be configured with any number of address ranges. These ranges are used to reduce the number of routing entries that a given area transmits to other areas. If a given prefix aggregates a number of more specific prefixes within an area, you can configure an address range that becomes the only prefix advertised to other areas. Be careful when configuring an address range that covers part of a prefix that is not contained within an area. An address range is defined by an IP prefix and a mask length. If you mark a range as restrict, it is not advertised to other areas.
|
stub-network ip_prefix <on | off>
|
Specifies a stub network to which the specified interface range belongs. Configure a stub network to advertise reachability to prefixes that are not running OSPF. The advertised prefix appears as an OSPF internal route and is filtered at area borders with the OSPF area ranges. The prefix must be directly reachable on the router where the stub network is configured, that is, one of the router's interface addresses must fall within the prefix range to be included in the router link-state advertisement. Use a mask length of 32 to configure a stub host. The local address of a point-to-point interface can activate the advertised prefix and mask. To advertise reachability to such an address, enter an IP address for the prefix and a non-zero cost for the prefix.
|
stub-network ip_prefix stub-network-cost <1-677722>
|
Configure a stub network to advertise reachability to prefixes that are not running OSPF. The advertised prefix appears as an OSPF internal route and is filtered at area borders with the OSPF area ranges. The prefix must be directly reachable on the router where the stub network is configured, that is, one of the router's interface addresses must fall within the prefix range to be included in the router link-state advertisement. Use a mask length of 32 to configure a stub host. The local address of a point-to-point interface can activate the advertised prefix and mask. To advertise reachability to such an address, enter an IP address for the prefix and a non-zero cost for the prefix.
|
interface if_name area <backbone | ospf_area> <on | off>
|
Specifies the OSPF area to which the specified interface belongs.
|
interface if_name hello-interval <1-65535>
|
Specifies the interval, in seconds, between hello packets that the router sends on the specified interface. For a given link, this value must be the same on all routers or adjacencies do not form.
|
interface if_name hello-interval default
|
Specifies the default value for the hello interval, which is 10 seconds.
|
interface if_name dead-interval <1-65535>
|
Specifies the number of seconds after the router stops receiving hello packets before it declares the peer down. Generally, set this value to four times the hello interval. Do not set the value to 0. For a given link, this value must be the same on all routers or adjacencies do not form.
|
interface if_name dead-interval default
|
Specifies the default value for the dead interval, which is 40 seconds.
|
interface if_name retransmit-interval <1-65535>
|
Specifies the number of seconds between link state advertisement retransmissions for adjacencies belonging to the specified interface. This value also applies to database description and link state request packets. Set this value conservatively, that is, significantly higher than the expected round-trip delay between any two routers on the attached network.
|
interface if_name retransmit-interval default
|
Specifies the default for the retransmit interval, which is 5 seconds.
|
interface if_name cost <1‑65535>
|
Specifies the weight of the given path in a route. The higher the cost, the less preferred the link. To use one interface over another for routing paths, assign one a higher cost.
|
interface if_name priority <0‑255>
|
Specifies the priority for becoming the designated router (DR) on the specified link. When two routers attached to a network attempt to become a designated router, the one with the highest priority wins. This option prevents the DR from changing too often. The DR option applies only to a share‑media interface, such as Ethernet or FDDI; a DR is not elected on a point‑to‑point type interface. A router with a priority of 0 is not eligible to become the DR.
|
interface if_name passive <on | off>
|
Enabling this option puts the specified interface into passive mode; that is, hello packets are not sent from the interface. Putting an interface into passive mode means that no adjacencies are formed on the link. This mode enables the network associated with the specified interface to be included in intra‑area route calculation rather than redistributing the network into OSPF and having it function as an autonomous system external.
off
|
interface if_name authtype none
|
Specifies not to use an authentication scheme for the specified interface.
|
interface if_name authtype simple password
|
Specifies to use simple authentication for the specified interface. Enter an ASCII string that is 8 characters long. Generally, routers on a given link must agree on the authentication configuration to form peer adjacencies. Use an authentication scheme to guarantee that routing information is accepted only from trusted peers.
|
interface if_name authtype md5 key authorization key id secret md5 secret
|
Specifies to use MD5 authorization. Enter at least one key ID and its corresponding MD5 secret. If you configure multiple key IDs, the largest key ID is used for authenticating outgoing packets. All keys can be used to authenticate incoming packets. Generally, routers on a given link must agree on the authentication configuration to form peer adjacencies. Use an authentication scheme to guarantee that routing information is accepted only from trusted peers.
|
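As an added example (not code from the Gaia documentation), the following Python checks the interface settings of two routers on one link against the adjacency rules in the table above: hello-interval, dead-interval and authtype must match, and with MD5 the largest key ID signs outgoing packets while any configured key is accepted inbound, so a key rollover done on one router first breaks the adjacency. The set ospf interface line syntax and the two sample configurations are constructed assumptions for this example.

```python
import re

# Parameters that must agree on both ends of a link or no adjacency forms
# (per the interface table); unset parameters take the documented defaults.
MUST_MATCH = ("hello-interval", "dead-interval", "authtype")
DEFAULTS = {"hello-interval": 10, "dead-interval": 40, "authtype": "none"}

def parse_interface(config, ifname):
    """Parse 'set ospf interface <if> ...' lines (assumed clish syntax) for one
    interface; MD5 keys are kept as {key_id: secret}."""
    cfg = dict(DEFAULTS, md5={})
    for line in config.splitlines():
        m = re.match(r"set ospf interface (\S+) (.+)", line.strip())
        if not m or m.group(1) != ifname:
            continue
        w = m.group(2).split()
        if w[0] == "authtype":
            cfg["authtype"] = w[1]
            if w[1] == "md5":  # authtype md5 key <id> secret <secret>
                cfg["md5"][int(w[3])] = w[5]
        elif w[1] == "default":
            cfg[w[0]] = DEFAULTS[w[0]]
        else:
            cfg[w[0]] = int(w[1]) if w[1].isdigit() else w[1]
    return cfg

def md5_accepted(sender, receiver):
    """Outgoing packets use the sender's largest key ID; the receiver accepts any
    key it holds, so that ID must exist on the receiver with the same secret."""
    kid = max(sender["md5"])
    return receiver["md5"].get(kid) == sender["md5"][kid]

def check_link(a, b):
    """Return (blockers, warnings) for the link between interface configs a and b."""
    blockers, warnings = [], []
    for key in MUST_MATCH:
        if a[key] != b[key]:
            blockers.append(f"{key} mismatch: {a[key]} vs {b[key]}")
    if a["authtype"] == b["authtype"] == "md5":
        if not (md5_accepted(a, b) and md5_accepted(b, a)):
            blockers.append("md5: largest key ID not held with the same secret on both ends")
    for side, cfg in (("a", a), ("b", b)):
        if cfg["authtype"] != "md5":
            warnings.append(f"{side}: authtype {cfg['authtype']} does not limit peers to trusted routers")
        if cfg["dead-interval"] != 4 * cfg["hello-interval"]:
            warnings.append(f"{side}: dead-interval is not 4x hello-interval")
    return blockers, warnings

# Constructed sample: router A has added key ID 2, router B has not (yet).
ROUTER_A = """set ospf interface eth1 hello-interval default
set ospf interface eth1 dead-interval 40
set ospf interface eth1 authtype md5 key 1 secret oldsecret
set ospf interface eth1 authtype md5 key 2 secret newsecret"""
ROUTER_B = """set ospf interface eth0 dead-interval 40
set ospf interface eth0 authtype md5 key 1 secret oldsecret"""
```

Adding key ID 2 with the same secret to router B clears the blocker, which is the order a rollover has to follow: add the new key everywhere first, then remove the old one.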
OSPF Virtual Links
Use the following commands to configure OSPF virtual links. Configure a virtual link if the router is a border router that does not have interfaces in the backbone area. The virtual link is effectively a tunnel across an adjacent non-backbone area; its far endpoint must be one of that area's border routers that has an interface in the backbone area.
For OSPFv2 use the following commands:
set ospf area backbone virtual-link ip_address
transit-area ospf_area <on | off>
transit-area ospf_area hello-interval <1-65535>
transit-area ospf_area hello-interval default
transit-area ospf_area dead-interval <1-4294967295>
transit-area ospf_area dead-interval default
transit-area ospf_area retransmit-interval <1-4294967295>
transit-area ospf_area retransmit-interval default
transit-area ospf_area authtype none
transit-area ospf_area authtype simple password
transit-area ospf_area authtype md5 key authorization key id secret md5 key
transit-area ospf_area authtype md5 key authorization key id off
| Parameter | Description |
|---|---|
| ip_address transit-area ospf_area <on \| off> | Specifies the IP address of the remote endpoint of the virtual link and the transit area, an OSPF area you configure with the set ospf area command. Configure the area you are using as the transit area before you configure the virtual link. The transit area is the area shared by the border router on which you configure the virtual link and the router with an interface in the backbone area. Traffic between the endpoints of the virtual link flows through this area. The virtual link IP address functions as the router ID of the remote endpoint of the virtual link. |
| ip_address transit-area ospf_area hello-interval <1-65535> | Specifies the interval, in seconds, between hello packets that the router sends on the virtual link. For a given link, this value must be the same on all routers or adjacencies do not form. |
| ip_address transit-area ospf_area hello-interval default | Sets the hello interval to 10 seconds. |
| ip_address transit-area ospf_area dead-interval <1-4294967295> | Specifies the number of seconds without received hello packets after which a router declares the neighbor down. Generally, set this value to 4 times the hello interval. Do not set the value to 0. For a given link, this value must be the same on all routers or adjacencies do not form. |
| ip_address transit-area ospf_area dead-interval default | Sets the dead interval to 40 seconds. |
| ip_address transit-area ospf_area retransmit-interval <1-4294967295> | Specifies the number of seconds between link state advertisement retransmissions for adjacencies over the virtual link. This value also applies to database description and link state request packets. Set this value conservatively, that is, significantly higher than the expected round-trip delay between any two routers on the attached network. |
| ip_address transit-area ospf_area retransmit-interval default | Sets the retransmit interval to 5 seconds. |
| ip_address transit-area ospf_area authtype none | Specifies that no authentication scheme is used for the virtual link. |
| ip_address transit-area ospf_area authtype simple password | Specifies simple (password) authentication for the virtual link. Enter an ASCII string that is 8 characters long. Generally, routers on a given link must agree on the authentication configuration to form neighbor adjacencies. Use an authentication scheme to guarantee that routing information is accepted only from trusted peers. |
| ip_address transit-area ospf_area authtype md5 key authorization key id secret MD5 secret | Specifies MD5 authentication. Enter at least one key ID and its corresponding MD5 secret. If you configure multiple key IDs, the largest key ID is used to authenticate outgoing packets; all configured keys can be used to authenticate incoming packets. Generally, routers on a given link must agree on the authentication configuration to form neighbor adjacencies. Use an authentication scheme to guarantee that routing information is accepted only from trusted peers. |
OSPF Areas
Use the following commands to configure OSPF areas, including the backbone and stub areas.
For OSPFv2, use the following commands.
set ospf area backbone <on | off>
set ospf area ospf_area <on | off>
stub <on | off>
stub default-cost <1-677215>
stub summary <on | off>
nssa <on | off>
nssa default-cost <1-677215>
nssa default-metric-type <1-2>
nssa import-summary-routes <on | off>
nssa translator-role <always | candidate>
nssa translator-stability-interval <1-65535>
nssa redistribution <on | off>
nssa range ip_addr [restrict] <on | off>
| Parameter | Description |
|---|---|
| backbone <on \| off> | Specifies whether to enable or disable the backbone area. By default, the backbone area is enabled. You can disable the backbone area if the system does not have interfaces in the backbone area. |
| ospf_area <on \| off> | Specifies the area ID for a new OSPF area. Check Point recommends that you enter the area ID as a dotted quad, but you can use any integer as the area ID. The area ID 0.0.0.0 is reserved for the backbone. |
| stub <on \| off> | Specifies that the area with the given area ID is a stub area. Stub areas are areas that do not have AS external routes. Note: The backbone area cannot be a stub area. |
| stub default-cost <1-677215> | Specifies a default route into the stub area with the specified cost. |
| stub summary <on \| off> | Specifies the OSPF area as totally stubby, meaning that it does not have any AS external routes and its area border routers do not advertise summary routes. |
| nssa <on \| off> | Specifies that the area with the given area ID is an NSSA. Note: The backbone area cannot be an NSSA. |
| nssa default-cost <1-677215> | Specifies the cost associated with the default route into the NSSA. |
| nssa default-metric-type <1-2> | Specifies the type of metric. The default, type 1, is equivalent to the Default ASE Route Type on the OSPF WebUI page. A type 1 route is internal and its metric can be used directly by OSPF for comparison. A type 2 route is external and its metric cannot be used directly for comparison. |
| nssa import-summary-routes <on \| off> | Specifies whether summary routes (summary link advertisements) are imported into the NSSA. |
| nssa translator-role <always \| candidate> | Specifies whether this NSSA border router unconditionally translates Type-7 LSAs into Type-5 LSAs. When the role is Always, Type-7 LSAs are translated into Type-5 LSAs regardless of the translator state of other NSSA border routers. When the role is Candidate, this router participates in the translator election to determine whether it performs the translation duties. |
| nssa translator-stability-interval <1-65535> | Specifies how long, in seconds, this elected Type-7 translator continues to perform its translator duties after it determines that its translator status has been assumed by another NSSA border router. Default: 40 seconds. |
| nssa redistribution <on \| off> | Specifies whether this NSSA border router originates both Type-5 and Type-7 LSAs or only Type-7 LSAs. |
| nssa range ip_addr [restrict] <on \| off> | Specifies a range of addresses to reduce the number of Type-5 LSAs originated by the NSSA border router. To prevent a specific prefix from being advertised, use the restrict argument. |
OSPF Show Commands
Use the following commands to monitor and troubleshoot your OSPF implementation.
To view a summary of your OSPF implementation, including the number of areas configured and the number of interfaces configured within each area, use the summary option. For OSPFv2, use the following commands:
show ospf
neighbors
neighbor ip_address
interfaces
interfaces stats
interfaces detailed
interface if_name
interface if_name stats
interface if_name detailed
packets
errors
errors dd
errors hello
errors ip
errors lsack
errors lsr
errors lsu
errors protocol
events
border-routers
database
database areas
database area ospf_area
database asbr-summary-lsa
database checksum
database database-summary
database detailed
database external-lsa
database network-lsa
database router-lsa
database summary-lsa
database type <1 | 2 | 3 | 4 | 5 | 7> [detailed]
database nssa-external-lsa [detailed]
summary
| Parameter | Description |
|---|---|
| neighbors | The IP addresses of neighboring interfaces, their priority and status, and the number of errors logged for each interface. |
| neighbor ip_address | The priority, status, and number of errors logged for the specified IP address. |
| interfaces | The names of all configured logical interfaces, their corresponding IP addresses, the area to which each interface is assigned, each interface's status, and the IP addresses of each logical interface's designated router and backup designated router. |
| interfaces stats | The number of each type of error message logged for each OSPF interface, as well as the number of link state advertisements sent by each interface. |
| interfaces detailed | Detailed information about each OSPF interface, including the authentication type configured (if any), the router IDs and IP addresses of the designated router and backup designated router, the timer intervals configured for hello, wait, dead, and retransmit messages, and the number of neighbors for each interface. |
| interface if_name | The IP address, area ID, status, number of errors logged, and the IP addresses of the designated router and backup designated router for the specified interface. |
| interface if_name stats | The number of each type of error message logged by the specified interface, as well as the number of link-state advertisements sent by the specified interface. |
| interface if_name detailed | Detailed information about the specified interface, including the authentication type configured (if any), the router IDs and IP addresses of the designated router and backup designated router, the timer intervals configured for hello, wait, dead, and retransmit messages, and the number of neighbors on the interface. |
| packets | The number of each type of packet sent, including hello packets, link-state update packets, link-state acknowledgment packets, and link-state request packets. |
| errors | The number of each type of error message sent, including hello protocol errors, database description errors, protocol errors, link-state acknowledgment errors, link-state request errors, link-state update errors, and IP errors. |
| errors dd | The number of each type of database description error message only. |
| errors hello | The number of each type of hello error message only. |
| errors ip | The number of each type of IP error message only. |
| errors lsack | The number of each type of link-state acknowledgment error message only. |
| errors lsu | The number of each type of link-state update error message only. |
| errors lsr | The number of each type of link-state request error message only. |
| errors protocol | The number of each type of protocol error message only. |
| border-routers | The IP address of each area border router, the OSPF area of each border router, and the cost associated with each IP address. |
| database | Router-link state and network-link state statistics for each OSPF area. Also the checksum, sequence number, and link count of each OSPF interface. |
| database areas | Router-link state, network-link state, AS-border-router link state, AS-external link state, and summary-link state statistics for each OSPF area. Also the checksum, sequence number, and link count of each OSPF interface. |
| database area ospf_area | Router-link state, network-link state, AS-border-router-link state, AS-external-link state, and summary-link state statistics for the specified OSPF area. Also the checksum, sequence number, and link count of each IP address configured within the specified OSPF area. |
| database asbr-summary | A summary of AS-border-router link state statistics for each OSPF area. For OSPFv2 only. |
| database external | AS-external-link state statistics for each OSPF area. |
| database database-summary | A summary of router-link-state, network-link-state, summary-link-state, and AS-border-router-link-state statistics. |
| database network | Network-link-state statistics, including the advertising router, sequence number, and checksum of each OSPF interface. For OSPFv2 only. |
| database nssa-external-lsa [detailed] | Type 7 LSAs (NSSA). This argument applies only to OSPFv2. |
| database router-lsa | Router-link-state statistics, including the advertising router, sequence number, checksum, and link count of each OSPF interface. For OSPFv2 only. |
| database summary-lsa | A summary of link-state statistics for each OSPF area. For OSPFv2 only. |
| database type <1 \| 2 \| 3 \| 4 \| 5 \| 7> [detailed] | Link-state statistics for the specified LSA type: 1, router-link-state statistics; 2, network-link-state statistics; 3, summary-link-state statistics; 4, AS-border-router-link-state statistics; 5, AS-external-link-state statistics; 7, NSSA (this option applies only to OSPFv2). |
| events | The number of interface up/down events, virtual interface up/down events, designated router election events, router ID changes, area border router changes, AS border router changes, and link state advertisement messages. |