OSPF

From VyOS Wiki

OSPF stands for "Open Shortest Path First" and is a routing protocol intended for internal networks. For IPv4 and IPv6 the protocol and the logic behind it are largely the same. Nevertheless there are two incompatible versions: OSPFv2 (IPv4 only) and OSPFv3 (IPv6 only).

OSPF is always organized in areas. An area is a network in which Link-State Advertisements (LSAs) are distributed to every router; it is identified by a 4-byte integer, sometimes displayed like an IPv4 address (pitfall!). A link-state advertisement carries any change of a routed interface, which makes OSPF a quickly converging routing protocol. A router with interfaces in multiple areas is called a Border Router (BR) and summarizes the networks announced in each area towards the other areas. OSPF always has a central area called the backbone, identified by area ID 0 (or 0.0.0.0). Each router is also identified by a 4-byte integer, mostly written in IPv4 notation (also in OSPFv3).

IPv4

A typical configuration using two nodes, each redistributing its loopback address, with node 1 also originating the default route:

Node 1:

set interfaces loopback lo address 1.1.1.1/32
set protocols ospf area 0 network 192.168.0.0/24
set protocols ospf default-information originate always
set protocols ospf default-information originate metric 10
set protocols ospf default-information originate metric-type 2
set protocols ospf log-adjacency-changes
set protocols ospf parameters router-id 1.1.1.1
set protocols ospf redistribute connected metric-type 2
set protocols ospf redistribute connected route-map CONNECT
set policy route-map CONNECT rule 10 action permit
set policy route-map CONNECT rule 10 match interface lo

Node 2:

set interfaces loopback lo address 2.2.2.2/32
set protocols ospf area 0 network 192.168.0.0/24
set protocols ospf log-adjacency-changes
set protocols ospf parameters router-id 2.2.2.2
set protocols ospf redistribute connected metric-type 2
set protocols ospf redistribute connected route-map CONNECT
set policy route-map CONNECT rule 10 action permit
set policy route-map CONNECT rule 10 match interface lo

IPv6

A typical configuration using two nodes. Note that for IPv6 VyOS requires the area to be written in IPv4-address notation (0.0.0.0 rather than 0).

Node 1:

set protocols ospfv3 area 0.0.0.0 interface eth1
set protocols ospfv3 area 0.0.0.0 range 2001:db8:1::/64
set protocols ospfv3 parameters router-id 192.168.1.1
set protocols ospfv3 redistribute connected

Node 2:

set protocols ospfv3 area 0.0.0.0 interface eth1
set protocols ospfv3 area 0.0.0.0 range 2001:db8:2::/64
set protocols ospfv3 parameters router-id 192.168.2.1
set protocols ospfv3 redistribute connected

Filtering Redistributed Routes

It is only possible to filter type 2 redistributed routes. For example, it is quite common not to want to advertise static routes to other OSPF nodes. If you did not want to advertise any static route inside 10.0.0.0/8, you could do this:

set protocols static route 10.1.2.0/24 next-hop 192.168.5.2
set protocols static route 172.16.7.0/24 next-hop 192.168.5.2
set protocols static route 192.168.77.0/24 next-hop 192.168.5.2
set protocols ospf redistribute static metric-type 2
set policy access-list 100 rule 50 action permit
set policy access-list 100 rule 50 destination any
set policy access-list 100 rule 50 source network 10.0.0.0
set policy access-list 100 rule 50 source inverse-mask 0.255.255.255
set policy route-map TENFILTER rule 100 action deny
set policy route-map TENFILTER rule 100 match ip address access-list 100
set policy route-map TENFILTER rule 900 action permit
set protocols ospf redistribute static route-map TENFILTER

Note that access-lists end with an implicit DENY, which is why no explicit deny rule is needed in access-list 100. The 'human' version of this is:

  • Static routes 10.1.2.0/24, 172.16.7.0/24, and 192.168.77.0/24 via 192.168.5.2
  • Redistribute all static routes as type 2 LSAs
  • Create access-list 100 that returns a positive match for any host or network inside 10.0.0.0/8
  • Create a route-map called TENFILTER that blocks anything matching access-list 100 and permits everything else
  • Only redistribute static routes that are permitted by TENFILTER

The end result is that only 172.16.7.0/24 and 192.168.77.0/24 will be injected into OSPF.

This is normally not recommended and should only be done with care: when there is only one path to a network and you are certain that you do not want it to be reachable from other networks.
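To make the filter semantics above concrete, here is an added Python model of the access-list and route-map evaluation (example code, not part of the VyOS wiki page and not VyOS's or FRR's implementation). It reproduces the two rules the configuration relies on: an access-list entry matches when every bit that is 0 in the inverse-mask agrees with the 'source network', and both access-lists and route-maps fall through to an implicit deny. The three static routes are the ones from the page; the rule structures are constructed to mirror access-list 100 and route-map TENFILTER.

```python
"""Model of the access-list + route-map filter used to keep 10.0.0.0/8 statics
out of OSPF (added example, not VyOS code)."""
import ipaddress

# Constructed sample input: the three static routes from the page.
STATIC_ROUTES = ["10.1.2.0/24", "172.16.7.0/24", "192.168.77.0/24"]


def wildcard_match(prefix: str, network: str, inverse_mask: str) -> bool:
    """True when `prefix` lies inside `network` under the inverse (wildcard) mask.
    A 1 bit in the inverse mask means 'don't care'; a 0 bit must match exactly."""
    addr = int(ipaddress.ip_network(prefix, strict=False).network_address)
    net = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(inverse_mask))
    return (addr & care) == (net & care)


def access_list_match(rules, prefix: str) -> bool:
    """Evaluate an access-list, a list of (action, network, inverse_mask), in
    rule order. The first matching rule decides; no match is an implicit deny."""
    for action, network, inverse_mask in rules:
        if wildcard_match(prefix, network, inverse_mask):
            return action == "permit"
    return False


def route_map_permits(rules, access_lists, prefix: str) -> bool:
    """Evaluate a route-map, a list of (action, access_list_name_or_None), in
    rule order. A rule without a match clause matches everything; a rule whose
    access-list does not match is skipped; falling off the end is an implicit deny."""
    for action, acl in rules:
        if acl is None or access_list_match(access_lists[acl], prefix):
            return action == "permit"
    return False


def redistributed(route_map, access_lists, routes):
    """Return the routes the route-map would let through into OSPF."""
    return [r for r in routes if route_map_permits(route_map, access_lists, r)]


# access-list 100: permit anything inside 10.0.0.0/8 (inverse-mask 0.255.255.255)
ACCESS_LISTS = {"100": [("permit", "10.0.0.0", "0.255.255.255")]}
# route-map TENFILTER: rule 100 deny on access-list 100, rule 900 permit all
TENFILTER = [("deny", "100"), ("permit", None)]
# The same route-map with rule 900 left out (constructed for comparison)
TENFILTER_WITHOUT_PERMIT = [("deny", "100")]

if __name__ == "__main__":
    print("with rule 900:   ", redistributed(TENFILTER, ACCESS_LISTS, STATIC_ROUTES))
    print("without rule 900:", redistributed(TENFILTER_WITHOUT_PERMIT, ACCESS_LISTS, STATIC_ROUTES))
```

Running it gives the page's result (only 172.16.7.0/24 and 192.168.77.0/24 pass). The second call shows why the final `rule 900 action permit` matters: a route-map also ends in an implicit deny, so without that rule no static route at all would be redistributed, which is a common cause of "redistribution silently does nothing" when such a filter is first applied.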