OSPF
NOTE: You must have an advanced features license to use OSPF routing.
Open shortest path first (OSPF) is a link-state interior routing protocol that is widely used in large enterprise organizations. OSPF provides routing within a single autonomous system (AS). This differs from BGP, which provides routing between autonomous systems.
An OSPF AS can contain only one area, or it can consist of a group of areas connected to a backbone area. A router connected to more than one area is an area border router (ABR). An autonomous system boundary router (ASBR) is located between an OSPF autonomous system and a non-OSPF network. Routing information is contained in a link-state database. Routing information is communicated between routers using link-state advertisements (LSAs).
The main benefit of OSPF is that it detects link failures in the network quickly and converges network traffic successfully within seconds without any network loops. Also, OSPF has features to control which routes are propagated to contain the size of the routing tables.
You can enable bidirectional forwarding detection (BFD) with OSPF. BFD is used to quickly locate hardware failures in the network. Routers running BFD communicate with each other, and, if a timer runs out on a connection, that router is declared to be down. BFD then communicates this information to OSPF, and the routing information is updated.
NOTE: OSPF MIBs are not supported in this release.
For additional information about OSPF routing, see the OSPF section of the FortiOS Administration Guide.
How OSPF works
Areas
An OSPF implementation consists of one or more areas. An area consists of a group of contiguous networks. If you configure more than one area, Area Zero is always the backbone area. An ABR links one or more areas to the OSPF backbone area.
The FortiSwitch unit supports different types of areas—stub areas, Not So Stubby areas (NSSA), and regular areas. A stub area is an interface without a default route configured. NSSA is a type of stub area that can import AS external routes and send them to the backbone but cannot receive AS external routes from the backbone or other areas. All other areas are considered regular areas.
Adjacencies
When an OSPF router boots up, it sends OSPF Hello packets to find neighbors on the same network. Neighbors exchange information, and the link-state databases of both neighbors are synchronized. At this point, these neighbors are said to be adjacent.
For two OSPF routers to become neighbors, the following conditions must be met:
- The subnet number and subnet mask for the interface must match in both routers.
- The Hello interval and Dead interval values must match.
- The routers must have the same OSPF area ID.
- If authentication is used, they must pass authentication checks.
In OSPF, routing protocol packets are only passed between adjacent routers.
Route summarization
Using route summarization reduces the number of LSAs being sent between routers. OSPF offers two types of route summarization:
- Between areas through an ABR. This method summarizes routes in the area configuration.
- Between an OSPF AS and a non-OSPF network through an ASBR. This method summarizes external routes when you redistribute them.
config area
edit <area_IPv4_address>
config range
edit <id>
set prefix <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx>
next
end
next
end
config summary-address
edit <id>
set prefix <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx>
next
end
Graceful restart helper mode
Starting in FortiSwitchOS 6.4.3, the FortiSwitch unit enters the helper (neighbor) mode when a neighboring router sends a grace LSA before it restarts. The FortiSwitch unit keeps the restarting router in the forwarding path for OSPF routing, as long as there are no network topology changes. After the restarting router completes its graceful restart, the FortiSwitch unit exits the helper mode.
This feature is always enabled.
Database overflow protection
When the OSPF link-state database is large, some routers do not have enough resources to store the complete link-state database. To prevent database overflow, you can limit the number of AS-external-LSAs in the link-state database. When the maximum number of AS-external-LSAs is reached, the router deletes all AS-external-LSAs that it originated and stops originating AS-external-LSAs for the specified number of seconds.
By default, this feature is disabled.
Use the following commands to configure database overflow protection:
config router ospf
set database-overflow enable
set database-overflow-max-external-lsa <0-2147483647>
set database-overflow-time-to-recover <0-65535>
end
Configuring OSPF
Using the GUI:
- Create a switch virtual interface. See Switch virtual interfaces.
- Go to Router > Config > OSPF > Settings.
- Enter a unique 32-bit number in dotted decimal format for the router identifier. NOTE: Without a router identifier, OSPF routing will not work.
- If you are going to advertise default routes within OSPF, configure the default route option and enter the routing metric (cost) for other routing protocols.
- If you want to redistribute non-OSPF routes, select Enabled under Connected, Static, RIP, BGP, or ISIS and then enter the routing metric in the Metric field.
- Select Update.
- Go to Router > Config > OSPF > Areas and select Add OSPF Area.
- Enter the area IP address.
- Select if the area is a stub area, NSSA, or a regular area.
- Select Add.
- Go to Router > Config > OSPF > Networks and select Add Network.
- Enter the network identifier.
- Enter the IP address and netmask, separated with a space. Use an IP address that includes the switch virtual interface.
- Select the area that you created.
- Select Add.
- Go to Router > Config > OSPF > Interfaces and select Configure OSPF Interface.
- Select the same type of authentication that you selected for the area.
- If you want static bidirectional forwarding detection, select Enable or Global.
- Enter the maximum transmission unit.
- Enter the cost.
- Enter the number of seconds between Hello packets being sent.
- Enter the number of seconds that a Hello packet is not received before the OSPF router decides that a neighbor has failed.
- Select Add.
Using the CLI:
Configuring OSPF using IPv4 on the FortiSwitch unit includes the following major steps:
- Entering the OSPF configuration mode.
- Setting the router identifier.
Each router must have a unique 32-bit number. NOTE: Without a router identifier, OSPF routing will not work.
- Creating an area.
You must create at least one area.
- Configuring the network.
Attach one or more networks to each area.
- Configuring the OSPF interface.
- Redistributing non-OSPF routes.
Advertise these non-OSPF routes within OSPF.
- Checking the OSPF configuration.
NOTE:
- You can also configure OSPF using IPv6 with the config router ospf6 command.
- Starting in FortiSwitchOS 7.0.0, OSPF supports VRF. To create multiple routing tables within the same router, use the config vrf command under config router ospf.
Entering the OSPF configuration mode
Enter the OSPF configuration mode to access all of the OSPF configuration commands:
# config router ospf
Setting the router identifier
Each router within an area must have a unique 32-bit number. The router identifier is written in dotted decimal format, but it is not an IPv4 address. NOTE: Without a router identifier, OSPF routing will not work.
set router-id <router-id>
For example:
# config router ospf
(ospf) # set router-id 1.1.1.2
Creating an area
You must create at least one area. The area number is written in dotted decimal format (for example, configure area 100 as 0.0.0.100).
config area
edit <area number>
set shortcut {default | disable | enable}
set type {nssa | regular | stub}
end
For example:
(ospf) # config area
(area) # edit 0.0.0.4
(0.0.0.4) # set type nssa
Configuring the network
Use this subcommand to identify the OSPF-enabled interfaces. The prefix length in the interface must be equal to or larger than the prefix length in the network statement.
config network
edit <network number>
set area <area>
set prefix <network prefix> <mask>
For example:
(ospf) # config network
(network) # edit 1
(1) # set area 0.0.0.4
(1) # set prefix 10.1.1.0 255.255.255.0
Configuring the OSPF interface
Configure interface-related OSPF settings. Enter a descriptive name for the OSPF interface.
config interface
edit <OSPF_interface_name>
set priority <1-255>
For example:
(ospf) # config interface
(ospf-interface) # edit oi1
(oi1) # set priority 255
NOTE: The following values must match for an adjacency to form:
- area type and number
- interface subnet and mask
- hello interval
- dead interval
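The following pre-check is an added example, not FortiSwitchOS code. It applies the adjacency conditions listed above and the network-statement prefix rule to two interface descriptions before you commit the configuration. The class, field, and function names are hypothetical, and the hello and dead values are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class OspfInterface:
    """OSPF settings of one interface; field names are hypothetical, not CLI keywords."""
    ip: str
    mask: str
    area: str                   # area number in dotted decimal
    area_type: str = "regular"  # regular | stub | nssa
    hello: int = 10             # seconds (constructed sample value)
    dead: int = 40              # seconds (constructed sample value)
    auth: tuple = ("none", "")  # (type, secret); both parts must agree

    @property
    def subnet(self):
        return ipaddress.ip_interface(f"{self.ip}/{self.mask}").network

def area_number(n):
    """Write an area number in dotted decimal, e.g. 100 -> '0.0.0.100'."""
    return str(ipaddress.IPv4Address(n))

def matches_network_statement(iface, prefix, mask):
    """True if the interface lies inside the network statement, which also
    means its prefix length is equal to or larger than the statement's."""
    return iface.subnet.subnet_of(ipaddress.ip_network(f"{prefix}/{mask}"))

def adjacency_blockers(a, b):
    """Name every adjacency condition the pair fails (values are not echoed,
    so an authentication secret never ends up in the report)."""
    checks = [
        ("interface subnet and mask", a.subnet, b.subnet),
        ("hello interval", a.hello, b.hello),
        ("dead interval", a.dead, b.dead),
        ("area number", a.area, b.area),
        ("area type", a.area_type, b.area_type),
        ("authentication", a.auth, b.auth),
    ]
    return [name for name, x, y in checks if x != y]

# Constructed input: the two switches from this page's example, plus a misconfigured peer.
SW1 = OspfInterface("10.11.101.1", "255.255.255.0", "0.0.0.0")
SW2 = OspfInterface("10.11.101.2", "255.255.255.0", "0.0.0.0")
BAD = OspfInterface("10.11.101.2", "255.255.255.128", area_number(4), "nssa", hello=5)

if __name__ == "__main__":
    print(adjacency_blockers(SW1, SW2))            # empty list: adjacency can form
    print(adjacency_blockers(SW1, BAD))            # every mismatched condition
```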
Redistributing non-OSPF routes
Redistribute non-OSPF routes (directly connected or static routes) within OSPF:
config redistribute {bgp | connected | isis | rip | static}
set status enable
set metric <integer>
set metric-type {1 | 2}
end
Add route summarization:
config summary-address
edit <id>
set prefix <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx>
next
end
For example:
(ospf) # config redistribute connected
(connected) # set status enable
(connected) # end
(ospf) # config summary-address
(summary-address) # edit 1
new entry '1' added
(1) # set prefix 10.1.0.0 255.255.0.0
(1) # next
(summary-address) # end
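The sketch below is an added example, not part of the original page. It models what the summary-address entry above does to redistributed routes, and it goes one step further by computing the tightest single prefix for a set of routes in the "<address> <mask>" form that set prefix takes. The function names and the route list are constructed for illustration.

```python
import ipaddress

def tightest_summary(routes):
    """Smallest single prefix that contains every route, returned in the
    '<address> <mask>' form used by `set prefix`."""
    nets = [ipaddress.ip_network(r) for r in routes]
    if not nets:
        raise ValueError("no routes to summarize")
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()   # widen by one bit and retry
    return f"{summary.network_address} {summary.netmask}"

def advertised_externals(routes, summary_prefixes):
    """Model of summarization at the ASBR: redistributed routes covered by a
    summary collapse into it; uncovered routes are advertised unchanged."""
    summaries = [ipaddress.ip_network(p.replace(" ", "/")) for p in summary_prefixes]
    out = []
    for net in map(ipaddress.ip_network, routes):
        cover = next((s for s in summaries if net.subnet_of(s)), net)
        if cover not in out:
            out.append(cover)
    return [str(n) for n in out]

# Constructed sample: connected routes being redistributed by one switch.
CONNECTED = ["10.1.1.0/24", "10.1.2.0/24", "10.1.200.0/24", "30.1.1.0/24"]

if __name__ == "__main__":
    print(tightest_summary(CONNECTED[:3]))
    before = advertised_externals(CONNECTED, [])
    after = advertised_externals(CONNECTED, ["10.1.0.0 255.255.0.0"])
    print(len(before), "external routes ->", len(after), after)
```

Summarizing all four sample routes with one prefix would need 0.0.0.0 224.0.0.0, which is why the 30.1.1.0 route is left outside the summary.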
Checking the OSPF configuration
The get router info ospf command has options to display different aspects of the OSPF configuration and status. For example:
get router info ospf neighbor {<neighbor_ID> | all | detail | detail all | <interface_IP_address>}
get router info ospf database {brief | self-originate | router | network | summary | asbr-summary | external | nssa-external | opaque-link | opaque-area | opaque-as | max-age}
Example configuration
The following example shows a very simple OSPF network with one area. FortiSwitch 1 has one OSPF interface to FortiSwitch 2:
Configuring system interfaces
These are the same configuration steps as for static routing.
Switch 1
config system interface
edit vlan10-p3
set ip 30.1.1.1 255.255.255.0
set allowaccess ping https http ssh telnet
set vlanid 10
next
edit vlan40-p4
set ip 10.11.101.1 255.255.255.0
set allowaccess ping https http ssh telnet
set vlanid 40
end
config switch interface
edit "port3"
set native-vlan 10
next
edit "port4"
set native-vlan 40
next
end
Switch 2
config system interface
edit vlan20-p8
set ip 20.50.1.1 255.255.255.0
set allowaccess ping https http ssh telnet
set vlanid 20
next
edit vlan40-p4
set ip 10.11.101.2 255.255.255.0
set allowaccess ping https http ssh telnet
set vlanid 40
end
config switch interface
edit "port8"
set native-vlan 20
next
edit "port4"
set native-vlan 40
next
end
Configuring the OSPF router
Configure OSPF with the following:
- Set the router ID.
- Create the area.
- Create the network (set network prefix and associate with an area).
- Configure the OSPF interface.
Switch 1
config router ospf
set router-id 10.11.101.1
config area
edit 0.0.0.0
next
end
config network
edit 1
set area 0.0.0.0
set prefix 10.11.101.0 255.255.255.0
next
end
config interface
edit vlan40
set cost 100
set priority 100
next
end
config redistribute connected
set status enable
end
end
Switch 2
config router ospf
set router-id 10.11.101.2
config area
edit 0.0.0.0
next
end
config network
edit 1
set area 0.0.0.0
set prefix 10.11.101.0 255.255.255.0
next
end
config interface
edit vlan40
set cost 100
set priority 100
next
end
config redistribute connected
set status enable
end
end
Verifying OSPF neighbors
get router info ospf neighbor all
Verifying OSPF routes
get router info ospf route