- OSPF
- Messages
- Link-state database (LSDB)
- Best path selection
- Algorithm tweaks
- Summary
- Redistribute
- Design
- Graceful restart
- Graceful shutdown
- Tunnel
- NX-OS CLI
- VRF & MPLS
- Loop-free alternative (LFA)
OSPF
- IP protocol 89, DSCP CS6, TTL = 1
- 224.0.0.5, 0100.5e00.0005 – all SPF routers
- 224.0.0.6, 0100.5e00.0006 – DR and BDR
- secondary address is announced only if primary address participates in OSPF process
- AD = 110
- if changed, RIB entries get new value immediately
- several OSPF processes with same AD
- bad design
- preference: lowest cost (OSPF RIB ≡ according to OSPF rules) → lowest process number
; resolve addresses and RID to DNS names
(config)# ip ospf name-lookup
; AD for routes derived from LSAs whose advertising router matches RID + WILDCARD (optional ACL restricts the prefixes)
(config-router)# distance <AD> <RID> <WILDCARD> [<ACL>]
; enabled by default, calculates cost, using interface BW (otherwise always 10)
(config-router)# auto-cost
; sends with TTL = 255 (default) and drops received packets whose TTL is lower than hops allows (VL excepted)
; no ICMP error is triggered; mcast is always sent with TTL = 255
(config-router)# ttl-security all-interfaces [hops <TTL>]
; takes precedence over the network command
(config-if)# ip ospf <PROCESS> area <N>
; on loopback to transmit actual mask instead of /32
(config-if)# ip ospf network point-to-point
(config-if)# ip ospf ttl-security [disable|hops <TTL>]
RID selection
- priority (highest first):
- manual
- loopback:
- IOS: largest address from up/up loopback
- NX-OS: loopback0
- largest address from non-loopback not in admin-down (down/down – valid!)
- if several processes are configured, order of RID selection per VRF – according to the order in config
- NX-OS: if blank loopback0 is assigned address – reset OSPF process to get RID from loopback0
Neighbourship
- must match:
- subnets (masks have to match, exception – P2P link)
- area number
- hello and dead timers
- MTU (otherwise stuck in EXSTART/EXCHANGE)
- stub bit
- NSSA bit
- must differ: RID
- on NBMA the neighbor command on one peer is enough (the other peer accepts the unicast Hello)
- between primary addresses (secondary – stub links, do not form neighbourship)
; no Hello is sent or processed on INTF; its prefix is still advertised, but only if covered by a network command (or ip ospf area)
(config-router)# passive-interface <INTF>
; default: PRIO = 0, POLL = 120s, C = egress interface cost
; a router that is not DR/BDR does not send Hello to neighbours with PRIO = 0, the DR/BDR talks to them (RFC 2328 §9.5)
(config-router)# neighbor <IP> [priority <PRIO>] [poll-interval <POLL>] [cost <COST>]
; lists passive interfaces
# show ip ospf interface
Multiarea adjacency
- RFC 5185
- P2P interfaces only
- MA logical interface inherits parameters from primary interface
- several area per link
(config-if)# ip ospf network point-to-point
(config-if)# ip ospf multi-area <N> [cost <COST>]
Timers
- hello
- 10s for bcast, P2P
- 30s for NBMA, P2M
- 0 ≡ timer ignored (Fast Hello)
- dead
- 40s for bcast, P2P
- 120s for NBMA, P2M
- adjusted to hello automatically
- retransmit
- 5s
- LSA, DBD retransmit
- must be longer than RTT
- wait
- = dead
- delay before DR/BDR election to discover all neighbours or an active DR
- no LSU exchange
- DR/BDR fields in Hello = 0.0.0.0
- interface status – WAITING
- skipped if DR or BDR are already elected (non-zero values in Hello)
- poll
- 120s default
- NBMA only
- how often Hello is sent to neighbours in DOWN state
Type | DR/BDR | Hello | mcast |
---|---|---|---|
bcast | + | 10s | + |
P2P | – | 10s | + |
NBMA | + | 30s | – |
P2M | – | 30s | + |
P2M NBMA | – | 30s | – |
; dead = 1s, hello = 1/N s, hello timer in Hello message = 0, N does not have to match
(config-if)# ip ospf dead-interval minimal hello-multiplier <N>
States
- DOWN
- no Hello longer than dead timer
- ATTEMPT
- for manually configured neighbours
- after interface → up (P2M) or receiving DR/BDR role (NBMA)
- INIT
- Hello received, but own RID is not listed in it
- typical cause: peer drops our Hello (parameter or authC mismatch, ACL), so the relationship is one-way
- 2WAY
- received Hello with own RID and parameters match
- decision point of whether to exchange LSAs
- if no DR is to be elected, LSA are always exchanged
- EXSTART
- master/slave election
- DD sequence numbers negotiation
- EXCHANGE
- exchange DD
- LOADING
- DD exchange finished
- exchange LSR, LSU
- FULL
- peers consider their LSDB to be equal
Master/slave
- master sends DD, slave responds
- master increases sequence number, slave responds with the same number
- master = max RID (no priority)
- on role negotiation master sets init flag, slave clears it on response
- process
- send DD (to 224.0.0.5 on P2P links, unicast elsewhere)
- switch to EXSTART
- elect master
- switch to EXCHANGE
- exchange DD with LSID until headers are the same
- switch to LOADING
- send LSR with necessary LSID
- send LSU with necessary LSID
- LSAck or same LSA in LSU
- switch to FULL
- after initial exchange DBD is not used – LSU and LSAck only in FULL
; list of requested LSA
# show ip ospf request-list
Multicast OSPF (MOSPF)
- if LSA6 is received, a syslog message is generated
- not supported by IOS; the command below suppresses the syslog
(config-router)# ignore lsa mospf
Messages
- types
- Hello
- establish 2-way neighbourship
- track peers’ responsiveness
- Database description (DD/DBD)
- information about available LSAs
- Link-state request (LSR)
- LSID to be received
- Link-state update (LSU)
- update + hello functions
- LSAck
- acknowledge LSU receipt + hello function
- explicit (implicit ≡ same LSA in LSU)
- delayed and direct
- unicast only
- on receiving duplicate LSA
- on receiving LSA with MaxAge, that is absent from LSDB
- Hello
- interval between messages is at least 33ms (hardcoded)
; mismatch timers, stub type, subnet mask
# debug ip ospf hello
; mismatch area, authC type
# debug ip ospf adj
OSPFv2 header
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Version | Type | Packet length (bytes) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| RID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Area |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Checksum | Authentication Type |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Authentication |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type:
- 1: Hello
- 2: DBD
- 3: LSR
- 4: LSU
- 5: LSAck
Authentication Type
- 0: null
- 1: clear text (password carried in the Authentication field)
- 2: cryptographic (MD5; HMAC-SHA per RFC 5709 uses the same type)
Packet length and Checksum account for header as well.
Hello packet data
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Network mask |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Hello interval | Options | Router prio |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Router Dead interval |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| DR IP |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| BDR IP |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Neighbour RID 1 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| ... |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Neighbour RID n |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
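Worked example, added here and not part of the original notes: a Python builder and parser for the OSPFv2 header and Hello body shown above, with the checksum rule (Authentication field excluded, AuType 0/1) and the "must match" checks from the Neighbourship section. The packet bytes are constructed inline; RIDs, addresses and the `Hello` dataclass are illustrative, not a real implementation's API.

```python
import struct
from dataclasses import dataclass

OSPF_HELLO = 1
OPT_E = 0x02   # E-bit: external routing capability, clear inside stub areas
OPT_N = 0x08   # N-bit in Hello: NSSA area


def ip2b(a: str) -> bytes:
    return bytes(int(x) for x in a.split("."))


def b2ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def ip_checksum(data: bytes) -> int:
    """Standard one's-complement Internet checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\0"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def ospf_checksum(pkt: bytes) -> int:
    """OSPFv2 checksum (AuType 0/1): whole packet with the Checksum field zeroed
    and the 64-bit Authentication field (bytes 16-23) left out."""
    return ip_checksum(pkt[:12] + b"\0\0" + pkt[14:16] + pkt[24:])


@dataclass
class Hello:
    rid: str
    area: str
    mask: str
    hello: int
    dead: int
    options: int
    prio: int
    dr: str
    bdr: str
    neighbors: list


def build_hello(h: Hello) -> bytes:
    """24-byte header + Hello body, AuType 0, checksum filled in last."""
    body = struct.pack("!4sHBBI4s4s", ip2b(h.mask), h.hello, h.options, h.prio,
                       h.dead, ip2b(h.dr), ip2b(h.bdr))
    body += b"".join(ip2b(n) for n in h.neighbors)
    hdr = struct.pack("!BBH4s4sHH8s", 2, OSPF_HELLO, 24 + len(body),
                      ip2b(h.rid), ip2b(h.area), 0, 0, b"\0" * 8)
    pkt = hdr + body
    return pkt[:12] + struct.pack("!H", ospf_checksum(pkt)) + pkt[14:]


def parse_hello(pkt: bytes) -> Hello:
    """Raises ValueError on anything that is not a well-formed, checksummed Hello."""
    ver, typ, length, rid, area, csum, autype, _auth = struct.unpack("!BBH4s4sHH8s", pkt[:24])
    if ver != 2 or typ != OSPF_HELLO or length < 44 or length > len(pkt):
        raise ValueError("not an OSPFv2 Hello")
    if autype in (0, 1) and ospf_checksum(pkt[:length]) != csum:
        raise ValueError("bad OSPF checksum")
    mask, hello, options, prio, dead, dr, bdr = struct.unpack("!4sHBBI4s4s", pkt[24:44])
    nbrs = [b2ip(pkt[i:i + 4]) for i in range(44, length, 4)]
    return Hello(b2ip(rid), b2ip(area), b2ip(mask), hello, dead, options, prio,
                 b2ip(dr), b2ip(bdr), nbrs)


def hello_is_valid(pkt: bytes) -> bool:
    try:
        parse_hello(pkt)
        return True
    except (ValueError, struct.error):
        return False


def hello_mismatches(local: Hello, remote: Hello, p2p: bool = False) -> list:
    """What RFC 2328 §10.5 requires to match before the Hello is accepted
    (mask is ignored on P2P links); an empty list means the neighbour is accepted."""
    bad = []
    if local.area != remote.area:
        bad.append("area")
    if local.hello != remote.hello:
        bad.append("hello")
    if local.dead != remote.dead:
        bad.append("dead")
    if not p2p and local.mask != remote.mask:
        bad.append("mask")
    if (local.options ^ remote.options) & OPT_E:
        bad.append("stub (E-bit)")
    if (local.options ^ remote.options) & OPT_N:
        bad.append("NSSA (N-bit)")
    if local.rid == remote.rid:
        bad.append("duplicate RID")
    return bad


def two_way(local: Hello, remote: Hello) -> bool:
    """2-WAY: the peer's Hello lists our RID."""
    return local.rid in remote.neighbors
```

A flipped bit anywhere outside the Authentication field fails the checksum, which is why a forged Hello has to be rebuilt rather than patched; the mismatch list is what `debug ip ospf hello` would report for timers, stub flag and mask.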
Authentication
- most recently configured key is used for egress by default
- key number must match
- ingress messages are authenticated using all keys
- rollover:
- if hash with old key is received
- mcast messages are sent for each valid key, including old key
- stops when all peers use new key ⇒ old key should be removed
- change of authC type causes reset after dead timer expires
- key-chain key preference
- longer lifetime
- larger key ID
; mandatory: a key without a cryptographic algorithm is not used by OSPF
(config-keychain-key)# cryptographic-algorithm <ALGO>
; ignores MD5 keys on interface
(config-if)# ip ospf authentication key-chain <NAME>
; clear-text authC
(config-if)# ip ospf authentication-key <PASSWORD>
MD5 authentication
; authC on all interfaces within area N
(config-router)# area <N> authentication [message-digest]
; null by default
(config-if)# ip ospf authentication [message-digest]
(config-if)# ip ospf message-digest-key <N> md5 <PASSWORD>
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 0x0000 | Key ID | Auth Data Len |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Crypto Sequence Number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
MD5 digest is appended after the packet; it is not counted in Packet length, and the OSPF Checksum field is set to 0 for AuType 2.
Authentication Data Length: digest length in bytes (16 for MD5)
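Worked example, added here and not from the original notes: RFC 2328 Appendix D.4 cryptographic authentication in Python, using the auth field layout above, digest = MD5(packet || 16-byte key) appended after the packet, and the receiver-side checks (Key ID, Auth Data Len, crypto sequence number, digest). The Hello builder, key IDs and passwords are constructed for the example. The RFC only rejects a sequence number lower than the last one seen, so a packet replayed within the same sequence value passes; the digest is a keyed hash, not an HMAC (RFC 5709 HMAC-SHA is the stronger option).

```python
import hashlib
import hmac
import struct


def ip2b(a: str) -> bytes:
    return bytes(int(x) for x in a.split("."))


def hello_md5_frame(rid: str, area: str, key_id: int, seq: int) -> bytes:
    """Minimal OSPFv2 Hello with an AuType 2 header: Checksum 0 and the auth
    field = 0x0000 | Key ID | Auth Data Len (16) | Crypto Sequence Number."""
    body = struct.pack("!4sHBBI4s4s", ip2b("255.255.255.0"), 10, 0x02, 1, 40,
                       b"\0" * 4, b"\0" * 4)
    hdr = struct.pack("!BBH4s4sHHHBBI", 2, 1, 24 + len(body), ip2b(rid), ip2b(area),
                      0, 2, 0, key_id, 16, seq)
    return hdr + body


def md5_key(password: str) -> bytes:
    """RFC 2328 D.4.3 uses a 16-byte key; shorter passwords are zero-padded (as IOS does)."""
    return password.encode()[:16].ljust(16, b"\0")


def md5_sign(pkt: bytes, password: str) -> bytes:
    """Digest = MD5(packet || key), appended after the packet and not counted in Packet length."""
    return pkt + hashlib.md5(pkt + md5_key(password)).digest()


def md5_verify(wire: bytes, keys: dict, last_seq: int) -> tuple:
    """Receiver side. keys maps Key ID -> password; the Key ID on the wire selects
    the key.  Returns (accepted, reason, sequence number to record for the peer)."""
    if len(wire) < 24:
        return False, "truncated", last_seq
    ver, _typ, length, _rid, _area, csum, autype = struct.unpack("!BBH4s4sHH", wire[:16])
    if ver != 2 or autype != 2 or csum != 0:
        return False, "not AuType 2", last_seq
    _zero, key_id, alen, seq = struct.unpack("!HBBI", wire[16:24])
    if alen != 16 or len(wire) < length + 16:
        return False, "bad auth data length", last_seq
    if key_id not in keys:
        return False, "unknown key id", last_seq
    if seq < last_seq:                      # only a *lower* sequence is rejected:
        return False, "replay", last_seq    # replay with the same value is not caught
    pkt, digest = wire[:length], wire[length:length + 16]
    expected = hashlib.md5(pkt + md5_key(keys[key_id])).digest()
    if not hmac.compare_digest(expected, digest):   # constant-time compare
        return False, "bad digest", last_seq
    return True, "ok", seq
```

The digest is checked only after the cheap header checks, which is the order a receiver should keep to avoid spending a hash on every spoofed packet; the sequence number must be stored per neighbour and, on IOS, is time-based so that a reboot does not reset it below what peers already recorded.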
DBD
- contain MTU, if mismatched – stuck in EXSTART → peer reset (too many retransmissions)
- virtual link MTU = 0x0000
- exchange
- empty during master/slave negotiation: RID, flags Init and Master
- Init is cleared during headers’ exchange
- finished, when both Master and Slave clear More flag
- DBD retransmission is always unicast
(config-if)# ip ospf mtu-ignore
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Interface MTU | Options | Flags |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| DD Sequence number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
\ \
/ LSA headers /
\ \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Flags:
- 0x01: master/slave (1/0)
- 0x02: more, 0 ≡ no further information, last packet
- 0x04: init, 1 ≡ first packets negotiating master/slave
LSR packet data
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Link state type {1} |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Link state ID {1} |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Advertising router RID {1} |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| ... |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Link state type {n} |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Link state ID {n} |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Advertising router RID {n} |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
LSU packet data
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Number of LSAs |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
\ \
/ LSA /
\ \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
LSAck packet data
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| |
| LSA header {1} |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| ... |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| |
| LSA header {n} |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Link-state database (LSDB)
- LSA sequence numbers start at 0x80000001 on creation and are incremented on every change of the LSA
- unknown LSAs are discarded
- types:
- 1, router: each router in area
- 2, network: created by DR
- 3, network summary: created by ABR for routes from another area
- 4, ASBR summary: ASBR-to-ABR mapping
- 5, AS external: created by ASBR
- 6, group membership: MOSPF, deprecated
- 7, NSSA external: created by ASBR in NSSA, ≈ LSA5
- 8, external attributes: imported from BGP
- 9, opaque: link-local scope (e.g. grace LSA)
- 10, opaque: area scope
- 11, opaque: AS scope, not passed to stub areas
- LSA retransmission is always unicast
- LSA instance is identified by LSID, type, advertising RID
LSA header
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Age | Options | Type |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Link State ID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Advertising router RID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Sequence number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Checksum | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Length: accounts for header
Age MSB bit ≡ DoNotAge bit (1 ≡ do not age)
Checksum: does not account for Age
LSA1
- LSID = RID
- area scope, sent by every router
- unnumbered interface address = interface index
- change triggers SPF
- Nt bit
- 1 ≡ unconditional NSSA translator
- RFC 3101, incompatible with RFC 1587
# show ip ospf database router <RID>
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 000 |N|W|V|E|B| 0x00 | Number of links |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+----------------+
| Link ID | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| Link Data | \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > link
| Link type | Number of TOS | Metric | / info
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+--+ |
| TOS | 0x00 | TOS Metric | > deprecated |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+--+-------------+
Flags:
- N: NSSA translator
- W: wildcard mcast receiver
- V: virtual link endpoint
- E: external (ASBR)
- B: border (ABR)
TOS: deprecated, Cisco – only TOS = 0 ⇒ Number of TOS = 0 ≡ not included
Link type value | Link Type | Link ID value | Link value |
---|---|---|---|
1 | P2P | neighbour RID | originating router IP (unnumbered – IfIndex) |
2 | transit | DR IP address | originating router IP |
3 | stub | subnet | subnet mask |
4 | virtual link | neighbour RID | MIB-II IfIndex |
Link type
- P2P
- transit
- stub
- virtual link
Link ID:
- neighbour RID
- DR IP address
- subnet
- neighbour RID
LSA2
- pseudonode for transit segment
- LSA1 references LSA2
- LSID = DR IP
- area scope, sent by DR
- DR sends updates to 224.0.0.5, non-DR – 224.0.0.6 ≡ pseudonode emulation
- change triggers SPF
- reduces initial flooding from n² to 1
- increases subsequent flooding from 1 to 2 (to DR and from DR)
# show ip ospf database network <SUBNET_DR>
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Network mask |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Attached router RID {1} |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| ... |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Attached router RID {n} |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
DR/BDR
- election
- larger priority
- larger RID
- no preemption: DR/BDR learned from Hello during WAITING state are accepted as-is
- election is triggered for at least 2 neighbours
- preemption:
- DR role: between DRs
- BDR role: between BDRs (losing DR does not become BDR)
- BDR is elected before DR (DR ≡ promoted BDR)
- hub & spoke:
- if spoke – DR, flooding is impossible
- LSA1 references LSA2 ⇒ LSA2 has no two-way reference in NBMA
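Worked example, added here and not part of the original notes: RFC 2328 §9.4 DR/BDR election in Python, run from each router's point of view on the Hellos it sees and iterated until every router on the segment claims the same pair. It shows the BDR being elected first, the DR being the promoted BDR, priority beating RID, PRIO = 0 never being elected, and a higher RID joining an existing segment not preempting. Router IDs and priorities are constructed.

```python
def ip2int(a: str) -> int:
    o = [int(x) for x in a.split(".")]
    return (o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]


def segment(*routers) -> dict:
    """(rid, prio[, dr, bdr]) tuples -> what each router currently claims in its Hello."""
    return {r[0]: {"prio": r[1], "dr": r[2] if len(r) > 2 else None,
                   "bdr": r[3] if len(r) > 3 else None} for r in routers}


def elect(self_rid: str, view: dict) -> tuple:
    """RFC 2328 §9.4 as computed by `self_rid` from the Hellos in `view`."""
    v = {rid: dict(r) for rid, r in view.items()}

    def best(c):                      # larger priority wins, then larger RID
        return max(c, key=lambda rid: (v[rid]["prio"], ip2int(rid)))

    dr = bdr = None
    for _ in range(2):                # step 4: re-run once if own role changed
        eligible = [r for r in v if v[r]["prio"] > 0]
        not_dr = [r for r in eligible if v[r]["dr"] != r]
        claim_bdr = [r for r in not_dr if v[r]["bdr"] == r]
        # step 2: BDR from routers claiming BDR, else from everyone not claiming DR
        bdr = best(claim_bdr) if claim_bdr else (best(not_dr) if not_dr else None)
        claim_dr = [r for r in eligible if v[r]["dr"] == r]
        # step 3: DR from routers claiming DR, else the new BDR is promoted
        dr = best(claim_dr) if claim_dr else bdr
        was = (v[self_rid]["dr"] == self_rid, v[self_rid]["bdr"] == self_rid)
        v[self_rid]["dr"], v[self_rid]["bdr"] = dr, bdr
        if was == (dr == self_rid, bdr == self_rid):
            break
    return dr, bdr


def converge(seg: dict, rounds: int = 10) -> tuple:
    """Let every router re-run the election on the latest Hellos until nobody
    changes its claim; returns the (DR, BDR) pair all of them agree on."""
    for _ in range(rounds):
        changed = False
        for rid in seg:
            dr, bdr = elect(rid, seg)
            if (seg[rid]["dr"], seg[rid]["bdr"]) != (dr, bdr):
                seg[rid]["dr"], seg[rid]["bdr"] = dr, bdr
                changed = True
        if not changed:
            claims = {(r["dr"], r["bdr"]) for r in seg.values()}
            assert len(claims) == 1, claims
            return claims.pop()
    raise RuntimeError("election did not converge")
```

The "losing DR does not become BDR" rule falls out of step 2: a router that still claims DR is excluded from BDR candidates, so after a DR failure the old BDR is promoted and a fresh BDR is picked from the rest.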
LSA3
- every inter-area route
- LSID = subnet
- distance-vector logic
- created using LSDB (not RIB!)
- ABR ignores LSA3, received not from area 0
- ABR may not have an interface in area 0 (RFC)
- Cisco ABR: at least one interface must be in area 0 and be up/up
# show ip ospf database summary <SUBNET>
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Network mask |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 0x00 | Metric |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+--+
| TOS | TOS metric | > deprecated,
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+--+ not included
LSA4
- created by ABR for every ASBR (LSA1 with E-bit) in an attached area; for NSSA the translating ABR itself becomes the LSA5 originator
- LSID = ASBR RID
- indication LSA
- ABR signals that there are routers in attached area, not supporting DNA processing
- LSID = ABR RID, cost = LSInfinity, DC-bit clear
- not originated into area with DC-incapable routers
- if several LSAs present, higher RID has priority and other LSA are purged
# show ip ospf database asbr-summary <RID>
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 0x00000000 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 0x00 | Metric |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+--+
| TOS | TOS metric | > deprecated,
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+--+ not included
LSA5
- created by ASBR for every external subnet
- LSID = subnet
- types
- type 1 (E1):
- internal cost within AS is added to prefix cost: external + to ASBR + to ABR
- type 2 (E2):
- metric is not changed (internal cost is not added)
- lowest external cost wins; on a tie, the nearest ASBR (lowest internal cost)
- type 1 is preferred over type 2
- change of LSA5 does not trigger full SPF (leaf nodes, partial SPF) ⇒ suitable for routes that change often
# show ip ospf database external
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Network mask |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|E| 0x00 | Metric |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Forwarding address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| External route tag |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+--+
|E| TOS | Metric | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| Forwarding address | > deprecated,
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | not included
| External route tag | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+--+
E: external metric
- 0: E1
- 1: E2
LSA7
- used in NSSA (≈ LSA5, same format)
- P bit
- permit LSA7 → LSA5
- cleared if the router is also ABR and originates LSA5 for the same prefix itself
# show ip ospf database nssa-external
Opaque LSA (LSA9-11)
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| LS Age | Options | Type |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Opaque type | Opaque ID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Advertising RID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Sequence number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Checksum | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
\ \
/ TLV /
\ \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Opaque type
- 1: TE extension
- 4: Router Information (RI), carries the SR TLVs 8, 9 and 14 below
- 7: OSPFv2 extended prefix opaque LSA
- 8: OSPFv2 extended link opaque LSA
TLV: type (2 byte) + length (2 byte)
- 1: OSPFv2 extended prefix TLV
- 2: OSPFv2 extended prefix range TLV
- 8: SR algorithm (RI LSA)
- 9: SID/label range (RI LSA)
- 14: SR local block (RI LSA)
Sub-TLV:
- 1: SID/label
- 2: prefix-SID
OSPFv2 extended prefix TLV
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| TLV type (1) | TLV length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Route Type | Prefix Length | AF | Flags |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Address Prefix (variable) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
\ \
/ Sub-TLV /
\ \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Route type:
- 1: intra-area
- 3: inter-area
- 5: AS external
- 7: NSSA external
AF:
- 0: IPv4
Flags
- 0x80: attach, prefix is connected to ABR
- 0x40: node, global host prefix
OSPFv2 extended prefix range TLV
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| TLV type (2) | TLV length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Prefix Length | AF | Range size |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Flags | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Address Prefix (variable) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
\ \
/ Sub-TLV /
\ \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Flags:
- 0x80: IA-flag, 1 ≡ inter-area
Prefix-SID sub-TLV
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type (2) | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Flags | Reserved | MT-ID | Algorithm |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| SID/Index/Label (variable) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Flags:
- 0x40: NP-flag, 1 ≡ no PHP
- 0x20: M-flag, 1 ≡ advertised by SR mapping server
- 0x10: E-flag, 1 ≡ explicit NULL label instead of PHP
- 0x08: V-flag, 0 ≡ index, 1 ≡ absolute value
- 0x04: L-flag, 0 ≡ global, 1 ≡ local
SID/label sub-TLV
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Sub-TLV type (1) | Sub-TLV length (3) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| SID/label |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
SR algorithm TLV
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| TLV type (8) | TLV length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Algorithm 1 | Algorithm 2 | ... | Algorithm n |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
SID/label range TLV
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| TLV type (9) | TLV length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Range size | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
\ \
/ Sub-TLV /
\ \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
LSA instance comparison, the more recent one has
- higher sequence number (signed comparison, 0x80000001 is the lowest)
- higher checksum
- Age = MaxAge
- smaller Age, if the ages differ by more than MaxAgeDiff (15 mins, hardcoded); otherwise same instance
- DNA bit is masked before the age comparison ⇒ LSA with DNA = 1 is usually the younger one
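Worked example, added here and not from the original notes, covering the LSA header above and the instance comparison rules: Python code that builds a constructed type-1 LSA, fills in and verifies the Fletcher checksum (computed over everything but LS Age, RFC 2328 §12.1.7), and implements the RFC 2328 §13.1 ordering with the DNA bit masked and sequence numbers compared as signed. Sample RIDs and prefixes are constructed.

```python
import struct
from typing import NamedTuple

MAX_AGE = 3600          # seconds; LSA at MaxAge is being flushed
MAX_AGE_DIFF = 900      # 15 minutes
DO_NOT_AGE = 0x8000     # MSB of LS Age


class LsaHeader(NamedTuple):
    age: int
    options: int
    type: int
    lsid: int
    adv_router: int
    seq: int
    checksum: int
    length: int


def parse_header(lsa: bytes) -> LsaHeader:
    return LsaHeader(*struct.unpack("!HBBIIIHH", lsa[:20]))


def fletcher_fill(lsa: bytes) -> bytes:
    """Return a copy with the ISO 8473 Fletcher checksum written into bytes 16-17.
    The running sums skip the 2-byte LS Age so that ageing never breaks the checksum."""
    buf = bytearray(lsa)
    buf[16:18] = b"\0\0"
    data = buf[2:]
    off = 16 - 2                         # checksum position inside `data`
    c0 = c1 = 0
    for b in data:
        c0 += b
        c1 += c0
    c0 %= 255
    c1 %= 255
    x = ((len(data) - off - 1) * c0 - c1) % 255
    if x == 0:
        x = 255
    y = 510 - c0 - x
    if y > 255:
        y -= 255
    buf[16], buf[17] = x, y
    return bytes(buf)


def fletcher_ok(lsa: bytes) -> bool:
    """Valid when both running sums over everything but LS Age are 0 mod 255."""
    c0 = c1 = 0
    for b in lsa[2:]:
        c0 += b
        c1 += c0
    return c0 % 255 == 0 and c1 % 255 == 0


def signed32(v: int) -> int:
    return v - (1 << 32) if v & 0x80000000 else v


def compare(a: LsaHeader, b: LsaHeader) -> int:
    """RFC 2328 §13.1: +1 if a is the more recent instance, -1 if b is, 0 if equal."""
    if a.seq != b.seq:               # 0x80000001 (InitialSequenceNumber) is the lowest
        return 1 if signed32(a.seq) > signed32(b.seq) else -1
    if a.checksum != b.checksum:
        return 1 if a.checksum > b.checksum else -1
    age_a, age_b = a.age & ~DO_NOT_AGE, b.age & ~DO_NOT_AGE   # DNA bit masked out
    if (age_a == MAX_AGE) != (age_b == MAX_AGE):
        return 1 if age_a == MAX_AGE else -1
    if abs(age_a - age_b) > MAX_AGE_DIFF:
        return 1 if age_a < age_b else -1
    return 0


def router_lsa(rid: int, stub_net: int, mask: int, metric: int, seq: int = 0x80000001) -> bytes:
    """Constructed type-1 LSA with a single stub link (link type 3)."""
    body = struct.pack("!BBH", 0x00, 0, 1)                  # flags, 0, number of links
    body += struct.pack("!IIBBH", stub_net, mask, 3, 0, metric)
    hdr = struct.pack("!HBBIIIHH", 1, 0x22, 1, rid, rid, seq, 0, 20 + len(body))
    return fletcher_fill(hdr + body)
```

Because the checksum excludes LS Age, a router can age an LSA in place and flood it at MaxAge without re-checksumming; the same property means a forged LSA only needs a correct Fletcher sum, so the checksum is an integrity check against corruption, not against an attacker.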
Options field
- in Hello, DBD, LSA header
- bits:
- 0x80: DN-bit, MPLS L3VPN loop prevention
- 0x40: opaque bit, support for LSA9-11
- 0x20: DC-bit, demand circuit and DNA bit processing support
- 0x10: EA-bit, external attributes support, LSA8
- 0x08: N/P-bit
- Hello message – N-bit: 1 ≡ NSSA area
- LSA7 – P-bit: 1 ≡ LSA7 → LSA5 is allowed
- 0x04: mcast capable, MOSPF
- 0x02: E, external routing (0 ≡ stub area)
- 0x01: MT-bit, multitopology support
- if LSA with DC = 0 received
- flush all DNA LSA (even not self-originated)
- LSA originator should recreate at a later point same LSAs with DNA-bit = 0
Periodic flooding
- every 30 mins (LSRefreshTime) the originator reissues the LSA with an incremented sequence number
- if LSA reaches MaxAge (60 mins, hardcoded), it is removed from LSDB
- fail-safe against bugs
; 33ms default, interval between LSU on flooding
(config-router)# timers pacing flood <ms>
; transmits LSA with DNA-bit set (self-originated and not own as well)
(config-if)# ip ospf flood-reduction
; transmits LSA with DNA-bit set (self-originated and not own as well)
; on P2P and P2MP suppresses periodic Hello, enough on one peer only
(config-if)# ip ospf demand-circuit
; LSA that are waiting to be flooded through INTF
# show ip ospf flood-list <INTF>
Database filter
- decreases LSA flooding scale
- blocks transmitting LSA out of the interface
- error-prone
- useful in full-mesh – DR-like flood behaviour
(config-if)# ip ospf database-filter all out
Retransmit
; 66ms default, interval between LSU on retransmit, not between retransmissions
(config-router)# timers pacing retransmission <ms>
; 5s default, interval of DBD and LSA retransmission attempts
(config-if)# ip ospf retransmit-interval <sec>
; 1s default, LSA Age increase before transmission – account for travelling time on link
(config-if)# ip ospf transmit-delay <sec>
# show ip ospf retransmission-list
Flush LSA
- transmit LSA with LSA Age = 3600 ≡ all routers remove LSA
- valid reason: router received LSA, that it is responsible for, and router wants to purge LSA
- route is lost: LSA3, LSA5
- router stopped being DR: LSA2
- LSA2 with own LSID (subnet) is received, but Advertising Router is different: LSA2, might happen after reboot
- if two LSA5 are functionally the same
- highest RID LSA is used
- lower RID LSA are flushed by originator
- duplicate RID (flood war)
- intra-area: routers flush LSA and reoriginate them constantly
- inter-area: external routes only
Max LSA
- limit number of received LSA (own LSA are not counted)
- on exceeding:
- log error at 75% of max (default)
- wait for 1 minute
- drop adjacency, clear LSDB → ignore state
- ignore state
- does not send/accept LSA during ignore time (5 mins default)
- increase ignore count, when switching to ignore state
- if ignore count exceeds threshold (5 default) → permanent ignore state (manual reset only)
- ignore count is reset after being normal for reset time (2 minutes default)
(config-router)# max-lsa <N> [ignore-count <M>] [ignore-time <mins>] [reset-time <mins>]
LSA arrival
- min interval between equal LSA
- drop if LSA arrive more frequent
- best practice – ≤ LSA generation hold timer
; 100ms by default
(config-router)# timers lsa arrival <ms>
LSA generation
- updated LSA creation – not more frequent than every 5s (RFC 2328 MinLSInterval)
- Cisco: exponential backoff timers
- timers
- start
- 50ms default
- initial delay before generating LSA
- hold
- 200ms default
- interval between LSA generation
- multiplied by 2 at every LSA generation
- max
- 5000ms default
- max value for hold
- start
- timer reset
- no LSA is generated during 2 × exponential hold: reset to 0
- LSA is generated after exponential hold, but before 2 × exponential hold:
- initial delay = start
- next delay = not-reset exponential hold: not multiplied by 2, but not reset to initial value
; units – ms
(config-router)# timers throttle lsa <START> <HOLD> <MAX>
# debug ip ospf database-timer rate-limit
LSA group pacing
- every LSA has Age timer, if every LSA is refreshed according to the timer – high overhead
- groups LSA, scheduled for flooding because of LSAge, during defined time window, then send them all in a batch
; 240s default
(config-router)# timers pacing lsa-group <sec>
Filtering
- LSA1 and LSA2 filtering is prohibited
- LSA3 can be filtered on ABR
- LSA5 can be filtered on ASBR
- OSPF → RIB filter
; LSA3 filtering, in ≡ into area, out ≡ out of area
(config-router)# area <N> filter-list prefix <NAME> in|out
; alternative to out filtering
(config-router)# area <N> range <IP> <MASK> not-advertise
; out ≡ LSA5 filtering
; in ≡ OSPF → RIB filter
; INTF – compare next-hop egress intf, if match – apply NAME
(config-router)# distribute-list prefix <NAME> in|out [<INTF>]
Best path selection
- process
- intra-area
- inter-area
- E1/N1 over E2/N2
- RFC 2328: intra-area non-backbone external preferred, inter-area and backbone are equal
- cost
- E1, N1: if cost is the same, internal/external costs are not compared
- E2, N2: if cost is the same, compare internal cost to ASBR
- P-bit
- RFC 1587
- E1/E2
- LSA7 with P-bit = 1 and FA ≠ 0.0.0.0
- other LSA7
- RFC 3101
- LSA7 with P-bit set
- LSA5
- LSA with highest RID
- RFC 1587
- load-balancing: only intra-area internal
- if ABR has same internal prefix from different areas, larger area number is preferred
- if ABR has same external prefix from different areas – load-balance
- stability: older route preferred
- RID (lower ≡ better)
- if LSA5 FA ≠ 0.0.0.0, routing to next-hop = FA (ASBR cost → FA cost)
- RFC 1583: intra-area ASBR ≡ inter-area ASBR
- cost to ABR is not compared
- may result in routing loops
(config-router)# compatibility rfc1583
(config-router)# compatibility rfc1587
Algorithm tweaks
SPF throttle
- delay SPF – wait till all LSA arrive
- suppress SPF in case of flapping link
- timers
- start
- 50ms default
- initial SPF delay
- hold
- 200ms default
- active SPF delay
- multiplied by 2 after every SPF
- max
- 5s default
- max value for hold
- start
- timer reset
- no SPF is triggered during 2 × exponential hold: reset to 0
- SPF is triggered after exponential hold, but before 2 × exponential hold:
- initial delay = start
- next delay = not-reset exponential hold: not multiplied by 2, but not reset to initial value
; units – ms
(config-router)# timers throttle spf <START> <HOLD> <MAX>
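Worked example, added here and not from the original notes, for the exponential backoff described under LSA generation and SPF throttle (same algorithm, different timers): a Python simulation that takes trigger times and returns when the SPF run (or LSA origination) actually happens, including the reset after 2 × hold of silence and the no-doubling case between hold and 2 × hold. Trigger timings are constructed; the model follows the rules in these notes, not IOS source.

```python
def throttle_runs(triggers, start=50, hold=200, max_hold=5000):
    """Simulate `timers throttle spf|lsa START HOLD MAX` (ms).
    triggers: event times in ms.  Returns the times at which the run fires:
      * idle (no run yet, or quiet for 2 x current hold): run after START, hold resets
      * trigger inside the current hold: run when the hold expires, hold doubles (<= MAX)
      * trigger after the hold but before 2 x hold: run after START, hold kept as is
      * trigger while a run is already scheduled: absorbed"""
    runs = []
    cur_hold = hold
    last_run = None
    pending = None                     # (run_at, hold to apply after that run)

    def fire(t, next_hold):
        nonlocal last_run, cur_hold
        runs.append(t)
        last_run = t
        cur_hold = next_hold

    for t in sorted(triggers):
        if pending and pending[0] < t:     # scheduled run happened before this trigger
            fire(*pending)
            pending = None
        if pending:
            continue
        if last_run is None or t >= last_run + 2 * cur_hold:
            pending = (t + start, hold)                                     # reset
        elif t < last_run + cur_hold:
            pending = (last_run + cur_hold, min(2 * cur_hold, max_hold))    # inside hold
        else:
            pending = (t + start, cur_hold)                                 # hold < t < 2 x hold
    if pending:
        fire(*pending)
    return runs


def gaps(runs):
    """Intervals between consecutive runs; shows the hold doubling 200, 400, 800 ..."""
    return [b - a for a, b in zip(runs, runs[1:])]
```

With the defaults a continuously flapping link is recalculated at 50, 250, 650, 1450, 3050 and 6250 ms and then only every 5 s; a single event after a quiet period is always handled within START, which is the trade-off the throttle makes between convergence time and CPU protection.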
# show ip ospf statistics
Prefix suppression
- remove connected prefixes from LSDB – decrease RIB size
- LSA1
- suppress stub networks: P2P, VL and transit remain
- no mask ≡ no prefix
- LSA2
- /32 mask specified
- RFC 6860: invalid mask for multiaccess → do not install in RIB
- no support for RFC 6860: install /32 route to DR – backwards compatibility
- preserves topology information
- exceptions: loopback, secondary IP, passive interfaces
(config-router)# prefix-suppression
(config-if)# ip ospf prefix-suppression [disable]
Forward address
- avoids having extra hop, when forwarding to external prefixes
- LSA5 field with next-hop address
- in order for route to be installed in RIB, FA must be
- reachable by internal OSPF route or connected route
- be in a regular area (not stub) for non-translated LSA5 (no LSA4 otherwise)
- originating router must be reachable within topology (LSA1 or LSA4)
- LSA5 FA = 0.0.0.0:
- OSPF is not enabled on egress interface
- interface is OSPF passive
- interface is P2P/P2M
NSSA FA
- if P-bit = 1 (LSA7 → LSA5 permitted), FA ≠ 0; otherwise all traffic would have gone through translating ABR as originator
- NSSA FA not in OSPF: FA selection is based upon order in show ip ospf interfaces brief
- IP address of first loopback
- IP address of first interface in NSSA
- NSSA FA in OSPF
- if FA should be non-zero, FA = selected next-hop
- if FA should be zero, FA = egress interface IP on ASBR
- OSPF is not enabled on egress interface
- interface is OSPF passive
- interface is P2P/P2M
; ABR config, LSA5 FA = 0 irrespective of LSA7 FA value
(config-router)# area <N> nssa translate type7 suppress-fa
Virtual link
- transit area cannot be stub
- connects ABR through non-backbone area: carries LSA1-3
- area 0 link (V-bit in LSA1)
- unicast messages, P2P
- DNA (Do Not Age) is set ≡ no reflood after 30 mins is required
- at least one peer must have a link in area 0 ≡ be true ABR
- not affected by TTL security
; n – transit area, RID ≠ IP, can be absent from RIB
(config-router)# area <N> virtual-link <RID>
# show ip ospf virtual-links
Transit capability
- OSPFv2 enhancement for inter-area non-backbone and intra-area backbone prefixes
- OSPFv1
- prefixes from virtual-link (VL) have X+Y cost, X – cost on ABR, Y – VL cost
- LSA3 are received in area 0 across VL → path through transit area along VL path
- conditions for non-backbone route to be used instead of VL path
- prefixes from VL and transit area match
- area is transit: V-bit set in all ABR LSA1 (including VL headend)
- cost through transit area is better than through VL
- can be broken on summarization (prefixes do not match)
- prohibits summarizing backbone prefixes, if VL is active in transit area (loop protection)
R1 selects route to R5 through R4 due to transit capability.
Without transit capability – routing loop
- R1 must forward along VL path (intra area)
- R2 selects closest ABR – R4
If R3/R4 could summarize backbone area prefixes, transit would be impossible (no match between prefixes from backbone area and area 1) ⇒ longest-match through VL preferred – loop
; enabled by default
(config-router)# capability transit
Stub router
- alternative to IS-IS OL-bit
- all non-stub interfaces are assigned LSInfinity metric (0xffff) ⇒ not used for transit if there is another path
- max metric for a route = 2²⁴-2 – directly connected prefixes reachability is not affected
; default cost = (2²⁴-1)-(2¹⁶-1)
(config-router)# max-metric router-lsa [summary-lsa|external-lsa [<COST>]]
(config-router)# max-metric router-lsa include-stub
(config-router)# max-metric router-lsa on-startup <sec>
; wait for BGP to converge, or time out after 10 mins
(config-router)# max-metric router-lsa on-startup wait-for-bgp
Summary
; ABR and ASBR
# show ip ospf border-routers
ABR summary
- summary is created if at least one subordinate prefix exists
- aggregates only connected area (LSA3 are not summarized)
- aggregate route to Null0 is created by default – discard route
- subordinate prefixes are not announced
- summary metric
- RFC 1583: best subordinate metric; may lead to routing loop
- RFC 2328: worst subordinate metric
- protection against route flapping – set cost manually
- LSA3
- based on LSDB, not RIB
- extended ACL filtering matches on source IP + prefix
(config-router)# discard-route [internal <AD>]
; N – source area
(config-router)# area <N> range <PREFIX> [cost <M>]
ASBR summary
- summary is created if at least one subordinate prefix exists
- LSA5
- summary metric = best subordinate metric
- aggregate route to Null0 is created by default – discard route
- subordinate prefixes are not announced
- extended ACL filtering matches on prefix + mask
(config-router)# discard-route [external <AD>]
(config-router)# summary-address <PREFIX> [not-advertise]
; LSA5, cost = 1, E2
(config-router)# default-information originate [always]
; tracks only non-OSPF routes
(config-router)# default-information originate route-map <MAP>
; show all summaries, generated by ASBR
# show ip ospf summary-address
Redistribute
Defaults
- BGP: cost = MED, tag = last ASN from AS_PATH, eBGP only
- OSPF: cost and tag are imported
- IS-IS: L2 only
- other sources: cost = 20
- E2
- classful routes only
; only eBGP by default
(config-router)# redistribute bgp
; prefixes on IGP-enabled interfaces are also redistributed
(config-router)# redistribute <IGP> [subnet]
Stub area
- ABRs send 0.0.0.0/0 into area (LSA3)
- ABRs do not forward LSA5 into area
- routers in the area cannot redistribute (LSA5 required)
- totally stubby ≡ filters LSA3 as well
; 1 by default, 0.0.0.0/0 LSA3 cost
(config-router)# area <N> default-cost <COST>
; all routers in area
(config-router)# area <N> stub
; ABR only, totally stubby
(config-router)# area <N> stub no-summary
Not-so-stubby area (NSSA)
- totally NSSA filters LSA3 as well
- routers in the area can redistribute using LSA7
- ABR does not generate 0.0.0.0/0 by default (supposed to be done by ASBR)
- ABR translates LSA7 → LSA5, when forwarding to other areas, if route from LSA7 is in RIB
- ABR creates LSA5 ⇒ can filter LSA5
- if there are several ABRs, translation is done by router with largest RID by default
EIGRP → OSPF redistribution generates LSA7 as well – route is available on R1
; all routers in area
(config-router)# area <N> nssa
; totally NSSA, on ABR, generates 0.0.0.0/0 by default
(config-router)# area <N> nssa no-summary
; on ABR/ASBR, generate 0.0.0.0/0 LSA7
(config-router)# area <N> nssa default-information originate
; override ABR election as translator ≡ set Nt bit in LSA1
(config-router)# area <N> nssa translate type7 always
; disable announce of LSA7 on ASBR+ABR
(config-router)# area <N> nssa no-redistribution
; clear P bit in LSA7 ≡ prefix remains within NSSA only
(config-router)# redistribute <SRC> nssa-only
Design
- max 3 areas per router
- max 50 routers per area
- max 60 peers per router
- distribute DR/BDR roles (1 router should not be DR for all segments)
- max 1 OSPF process on ABR
- convergence speed
- 1000 prefixes: 100ms
- 10k prefixes: 3-4s
Graceful restart
- RFC 3623
- SSO is required
- not supported: sham link, virtual link (Cisco, IETF supports VL)
- restart must not take longer than LSA refresh time, otherwise originated LSA would timeout
- grace LSA9 is sent before SSO to inform helper; never sets DNA bit, even through demand circuit
- if LSDB refresh happens in the area during restart, SSO fails
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|            LS Age             |    Options    |      0x09     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|      0x03     |                   0x000000                    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Advertising RID                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                      LS Sequence number                       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          LS Checksum          |            Length             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
\                                                               \
/                              TLV                              /
\                                                               \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
TLV: type and length – 2 bytes each
- type 1:
- length = 4
- grace period, seconds
- how long to announce peer as adjacent
- type 2:
- length = 1
- reason:
- 0: unknown
- 1: software restart
- 2: software reload/upgrade
- 3: switch to RP
(config-router)# nsf
(config-router)# nsf cisco|ietf helper [disable]
; default = max{40s, dead timer}
; time to wait for peer to reach FULL, otherwise – drop adjacency
(config-if)# ip ospf resync-timeout <sec>
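The grace LSA layout and TLVs above, worked as an added example (not code from the page): build one, checksum it with the RFC 2328 Fletcher algorithm and parse it defensively, rejecting a bad checksum or a TLV that runs past the LSA before any field is trusted. The RID, grace period and restart reason used are constructed sample values.

```python
import socket
import struct
GRACE_PERIOD, RESTART_REASON = 1, 2  # RFC 3623 grace-LSA TLV types (opaque LSA type 9, opaque type 3)
REASONS = {0: "unknown", 1: "software restart", 2: "software reload/upgrade", 3: "switch to RP"}

def _sums(buf):  # running Fletcher sums (mod 255) behind the OSPF LS checksum
    c0 = c1 = 0
    for b in buf:
        c0 = (c0 + b) % 255
        c1 = (c1 + c0) % 255
    return c0, c1

def fletcher16(data, offset):  # ISO 8473 checksum of data, 2-byte field at offset zeroed
    buf = bytearray(data)
    buf[offset:offset + 2] = b"\x00\x00"
    c0, c1 = _sums(buf)
    x = ((len(buf) - offset - 1) * c0 - c1) % 255 or 255
    y = 510 - c0 - x
    return bytes([x, y - 255 if y > 255 else y])

def checksum_ok(lsa):  # valid iff both sums are zero over the LSA minus its LS Age field
    return _sums(lsa[2:]) == (0, 0)

def build_grace_lsa(rid, period, reason, seq=0x80000001):  # two mandatory TLVs, padded to 4 octets
    tlvs = struct.pack("!HHI", GRACE_PERIOD, 4, period) + struct.pack("!HHB3x", RESTART_REASON, 1, reason)
    hdr = struct.pack("!HBBI4sIHH", 0, 0, 9, 3 << 24, socket.inet_aton(rid), seq, 0, 20 + len(tlvs))
    lsa = bytearray(hdr + tlvs)
    lsa[16:18] = fletcher16(lsa[2:], 14)  # LS Checksum sits at offset 14 of the covered bytes
    return bytes(lsa)

def parse_grace_lsa(lsa):
    """Check header, checksum and TLV bounds before trusting any field; ValueError on failure."""
    if len(lsa) < 20 or not checksum_ok(lsa):
        raise ValueError("short LSA or bad LS checksum")
    age, _opt, ls_type, opaque, rid, _seq, _csum, length = struct.unpack("!HBBI4sIHH", lsa[:20])
    if ls_type != 9 or opaque != 3 << 24 or length != len(lsa):
        raise ValueError("not a grace LSA")
    out, off = {"rid": socket.inet_ntoa(rid), "age": age}, 20
    while off + 4 <= length:
        t, l = struct.unpack("!HH", lsa[off:off + 4])
        if off + 4 + l > length:
            raise ValueError("TLV runs past end of LSA")
        if t == GRACE_PERIOD and l == 4:
            out["grace_period"] = struct.unpack("!I", lsa[off + 4:off + 8])[0]
        elif t == RESTART_REASON and l == 1:
            out["reason"] = REASONS.get(lsa[off + 4], "reserved")
        off += 4 + (l + 3) // 4 * 4  # value plus alignment padding
    if "grace_period" not in out or "reason" not in out:
        raise ValueError("mandatory grace TLV missing")
    return out
```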
Link-local signalling (LLS)
- RFC 5613
- TLV in Hello and DBD at the end of packet
- used by NSF
; enabled by default
(config-router)# capability lls
LLS data block
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Checksum            |            Length             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
\                                                               \
/                              TLV                              /
\                                                               \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Length includes header (4) and TLV length.
Types:
- 1: extended options, length = 4
Extended options TLV
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|             Type              |            Length             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                             Flags                             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Flags:
- 0x00000001: LSDB resync
- 0x00000002: restart bit (NSF)
Graceful shutdown
- drop own adjacency (on one or all interfaces)
- flush self-originated LSA – process-level shutdown
- flood updated LSA – interface-level shutdown
- send Hello with empty neighbour list and DR/BDR = 0.0.0.0 → reelection and reset adjacency to INIT
- does not process Hello
(config-router)# shutdown
(config-if)# ip ospf shutdown
Tunnel
- default tunnel cost = 1000
NBMA/bcast
- pros:
- simple IP addressing scheme
- small RIB
- cons:
- no spoke-to-spoke connectivity (FR)
- if spoke is not assigned priority = 0, it may break forwarding
P2M
- collection of P2P links
- no stub network with mask, only /32 for own address – next-hop through hub
- pros:
- simple IP addressing scheme
P2P
- pros:
- end-to-end link state tracking: possible to see that remote DLCI is down
- cons:
- large RIB and LSDB ⇒ worse scalability
- management overhead on hub
NX-OS CLI
(config)# feature ospf
(config-if)# ip router ospf <ID> area <N>
VRF & MPLS
- if OSPF is used as PE-CE IGP and several connections exist, routes redistributed from BGP have to be marked so they are not reimported later
- tagging is not enough, because OSPF has a better AD than iBGP
- DN-bit
- download bit
- set in LSA3, LSA5, LSA7 on redistribute from BGP (SAFI does not matter)
- PE ignores such an LSA in SPF
- replaces domain tag:
- 16-bit ASN: generated by default, 0xD000 || ASN
- 32-bit ASN
- manual assignment (RFC)
- own ASN (Cisco), overflowing MSB bits
- maintained along DN-bit for backwards compatibility with old RFC
- if tag = domain tag, prefix is not redistributed into BGP and not installed in RIB
- extended BGP community
- 0x0306: route type (OSPF RT)
- 0x8000 has same role (deprecated)
- area number:
- 4 bytes
- zero for LSA5
- LSA type:
- 1 byte
- 129 ≡ sham-link endpoint
- options:
- 1 byte
- 0x01: metric type E1/E2 (0 ≡ E1, 1 ≡ E2)
- does not duplicate LSA Options field
- 0x0107: OSPF RID
- 0x8001 has same role (deprecated)
- 0x0005, 0x0105, 0x0205: domain ID
- 0x8005 has same role (deprecated)
- equal to process ID by default
- if domain ID does not match OSPF process ID, all LSA – LSA5
- if domain ID matches OSPF process ID, internal routes – LSA3, external routes – LSA5
(config-router)# domain-id <N>
(config-router)# domain-tag <N>
VRF-lite
- Cisco VRF-enabled router considers itself as ABR (OSPF process in VRF), connected to MPLS Superbackbone
- announces LSA3
- ignores LSA3 from non-backbone areas
; stop considering itself as MPLS ABR for OSPF process in VRF
; ignore DN-bit, domain tag, do not set DN-bit
(config-router)# capability vrf-lite
Sham link
- control-plane tunnel over MPLS within specified area (≈ VL, no extra encapsulation)
- route towards endpoint must be known through BGP MPLS, otherwise – flap or down
- transports LSA1 and LSA2 over MPLS – bypass backdoor link
- unnumbered, P2P, intra-area, demand circuit, DNA-bit set
- prefixes, received via sham-link, are not imported into MP-BGP (RFC)
- OSPF → BGP is still required, because BGP assigns MPLS labels to VPN prefixes
- sham link triggers
- creation
- redistribution from BGP: empty redistribution with route-map is enough; otherwise after reload sham-link stays down (no route in BGP for endpoint when sham-link initializes)
; SRC, DST – IP addresses of endpoints
(config-router)# area <N> sham-link <SRC> <DST>
Loop-free alternative (LFA)
- one precalculated backup path in RIB and FIB
- link protection: D(N,D) < D(N,S) + D(S,D)
- downstream path: D(N,D) < D(S,D)
- node protection: D(N,D) < D(N,E) + D(E,D)
- tie-breakers
- SRLG
- 10 default
- primary path
- 20 default
- ECMP with primary path (even if installed in RIB)
- interface-disjoint
- 30 default
- lowest-metric
- 40 default
- linecard-disjoint
- 50 default
- node-protecting
- 60 default
- bcast-intf-disjoint
- 70 default
- load-sharing
- 255
- SRLG
- intra-area, inter-area and external prefixes
- backup path is calculated for best prefix: LSA1 is not compared to LSA3/5, backup path is calculated to LSA1
- secondary tie-breaker is useful, if remaining link cannot handle extra load
- global VRF only
- not supported on VL headend
- best practice: triangle topologies
; high: LFA for /32 prefixes are calculated first
(config-router)# fast-reroute per-prefix enable [area <N>] prefix-priority high|low
; required: becomes constraint instead of tie-breaker (e.g., SRLG)
(config-router)# fast-reroute per-prefix tie-breaker <MODE> [required] index <N>
; remote interface from LFA calculation
(config-if)# ip ospf fast-reroute per-prefix candidate disable
; save all LFA routes in OSPF RIB, only best backup is saved by default
(config-if)# ip ospf fast-reroute keep-all-paths
; OSPF RIB, lists LFA
# show ip ospf rib <PREFIX>
Remote LFA
- uses MPLS and tLDP to provision backup paths that do not satisfy link protection
- spaces
- P – set of routers that S can reach without using the failed link
- Q – set of routers that E can reach without using the failed link
- PQ space = P ∩ Q
- if PQ has several routers, highest RID is selected as N node
- N node can be preempted by higher RID
- it is enough to consider E instead of D for link protection: if path from N to D would pass through repaired link and E, N would not be in Q space
- calculated per next-hop
(config)# mpls ldp discovery targeted-hello accept
(config-router)# fast-reroute per-prefix remote-lfa area <N> tunnel mpls-ldp
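The LFA inequalities (link, downstream, node protection) and the remote-LFA P/Q space construction above, worked on a small constructed topology as an added example (not from the page; router names S, E, D, N1–N3 and all link costs are made up, and names stand in for RIDs). With costs symmetric, each check needs only a few SPF runs from S, E and S's neighbours.

```python
import heapq

# Constructed topology (symmetric costs), not from the page. Primary path S-E-D costs 2;
# N1, N2 and N3 are S's other neighbours. Router names stand in for RIDs.
TOPO = {
    "S":  {"E": 1, "N1": 2, "N2": 1, "N3": 1},
    "E":  {"S": 1, "D": 1, "N2": 1},
    "D":  {"E": 1, "N1": 1, "N3": 5},
    "N1": {"S": 2, "D": 1},
    "N2": {"S": 1, "E": 1},
    "N3": {"S": 1, "D": 5},
}

def spf(topo, src):
    """Dijkstra: shortest-path cost from src to every router."""
    dist, heap = {src: 0}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, c in topo[u].items():
            if d + c < dist.get(v, float("inf")):
                dist[v] = d + c
                heapq.heappush(heap, (d + c, v))
    return dist

def lfa_candidates(topo, s, d):
    """Primary next hop E for D and, per other neighbour N, which RFC 5286 inequalities hold."""
    d_s = spf(topo, s)
    d_n = {n: spf(topo, n) for n in topo[s]}          # D(N, x) for every neighbour N of S
    e = next(n for n in topo[s] if topo[s][n] + d_n[n][d] == d_s[d])
    checks = {}
    for n in topo[s]:
        if n != e:
            checks[n] = {
                "link": d_n[n][d] < d_n[n][s] + d_s[d],          # D(N,D) < D(N,S) + D(S,D)
                "downstream": d_n[n][d] < d_s[d],                # D(N,D) < D(S,D)
                "node": d_n[n][d] < d_n[n][e] + d_n[e][d],       # D(N,D) < D(N,E) + D(E,D)
            }
    return e, checks

def remote_lfa_spaces(topo, s, e):
    """P, Q and PQ spaces for failure of link S-E (RFC 7490); the highest-RID PQ router becomes N."""
    d_s, d_e, c = spf(topo, s), spf(topo, e), topo[s][e]
    others = [x for x in topo if x not in (s, e)]
    p = {x for x in others if c + d_e[x] > d_s[x]}   # no shortest S->x path crosses S-E
    q = {x for x in others if d_s[x] + c > d_e[x]}   # no shortest x->E path crosses S-E
    return p, q, p & q
```

N2 is link-protecting but neither downstream nor node-protecting (its path to D runs through E), and N3 fails link protection because its shortest path to D loops back through S.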
Topology-independent LFA (TI-LFA)
- segment routing
- P-extended and Q spaces to calculate backup route
- if PQ = ∅, adjacency SID is appended to label stack ⇒ any topology covered
- if there are several valid backups, path with smaller label stack is selected
- if LFA path is available, TI-LFA is not triggered
- link and node protection
- spaces:
- extended P-space = {P-space} ∪ {neighbours’ P-space}
- PQ space = P-extended ∩ Q
- extended P-space allows using single Prefix-SID instead of Prefix-SID + Adj-SID
- newer IOS XR uses P-extended in lieu of P
- IOS XE uses regular P
- post-convergence path is calculated locally, then label stack is determined ⇒ always optimal route
- advantage over FRR: does not have to build tunnel to next-hop, uses optimal path immediately
(config-router)# fast-reroute per-prefix ti-lfa