Administration Guide

OSPF

NOTE: You must have an advanced features license to use OSPF routing.

Open shortest path first (OSPF) is a link-state interior routing protocol that is widely used in large enterprise organizations. OSPF provides routing within a single autonomous system (AS). This differs from BGP, which provides routing between autonomous systems.

An OSPF AS can contain only one area, or it can consist of a group of areas connected to a backbone area. A router connected to more than one area is an area border router (ABR). An autonomous system boundary router (ASBR) is located between an OSPF autonomous system and a non-OSPF network. Routing information is contained in a link-state database. Routing information is communicated between routers using link-state advertisements (LSAs).

The main benefit of OSPF is that it detects link failures in the network quickly and converges network traffic successfully within seconds without any network loops. Also, OSPF has features to control which routes are propagated to contain the size of the routing tables.

You can enable bidirectional forwarding detection (BFD) with OSPF. BFD is used to quickly locate hardware failures in the network. Routers running BFD communicate with each other, and, if a timer runs out on a connection, that router is declared to be down. BFD then communicates this information to OSPF, and the routing information is updated.

NOTE: OSPF MIBs are not supported in this release.

For additional information about OSPF routing, see the OSPF section of the FortiOS Administration Guide.

How OSPF works

Areas

An OSPF implementation consists of one or more areas. An area consists of a group of contiguous networks. If you configure more than one area, Area Zero is always the backbone area. An ABR links one or more areas to the OSPF backbone area.

The FortiSwitch unit supports different types of areas—stub areas, Not So Stubby areas (NSSA), and regular areas. A stub area is an interface without a default route configured. NSSA is a type of stub area that can import AS external routes and send them to the backbone but cannot receive AS external routes from the backbone or other areas. All other areas are considered regular areas.

Adjacencies

When an OSPF router boots up, it sends OSPF Hello packets to find neighbors on the same network. Neighbors exchange information, and the link-state databases of both neighbors are synchronized. At this point, these neighbors are said to be adjacent.

For two OSPF routers to become neighbors, the following conditions must be met:

  • The subnet number and subnet mask for the interface must match in both routers.
  • The Hello interval and Dead interval values must match.
  • The routers must have the same OSPF area ID.
  • If authentication is used, they must pass authentication checks.

In OSPF, routing protocol packets are only passed between adjacent routers.

Route summarization

Using route summarization reduces the number of LSAs being sent between routers. OSPF offers two types of route summarization:

  • Between areas through an ABR. This method summarizes routes in the area configuration.

    config area
        edit <area_IPv4_address>
            config range
                edit <id>
                    set prefix <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx>
                next
            end
        next
    end

  • Between an OSPF AS and a non-OSPF network through an ASBR. This method summarizes external routes when you redistribute them.

    config summary-address
        edit <id>
            set prefix <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx>
        next
    end

Graceful restart helper mode

Starting in FortiSwitchOS 6.4.3, the FortiSwitch unit enters the helper (neighbor) mode when a neighboring router sends a grace LSA before it restarts. The FortiSwitch unit keeps the restarting router in the forwarding path for OSPF routing, as long as there are no network topology changes. After the restarting router completes its graceful restart, the FortiSwitch unit exits the helper mode.

This feature is always enabled.

Database overflow protection

When the OSPF link-state database is large, some routers do not have enough resources to store the complete link-state database. To prevent database overflow, you can limit the number of AS-external-LSAs in the link-state database. When the maximum number of AS-external-LSAs is reached, the router deletes all AS-external-LSAs that it originated and stops originating AS-external-LSAs for the specified number of seconds.

By default, this feature is disabled.

Use the following commands to configure database overflow protection:

config router ospf
    set database-overflow enable
    set database-overflow-max-external-lsa <0-2147483647>
    set database-overflow-time-to-recover <0-65535>
end

Configuring OSPF

Using the GUI:
  1. Create a switch virtual interface. See Switch virtual interfaces.
  2. Go to Router > Config > OSPF > Settings.
    1. Enter a unique 32-bit number in dotted decimal format for the router identifier. NOTE: Without a router identifier, OSPF routing will not work.
    2. If you are going to advertise default routes within OSPF, configure the default route option and enter the routing metric (cost) for other routing protocols.
    3. If you want to redistribute non-OSPF routes, select Enabled under Connected, Static, RIP, BGP, or ISIS and then enter the routing metric in the Metric field.
    4. Select Update.
  3. Go to Router > Config > OSPF > Areas and select Add OSPF Area.
    1. Enter the area IP address.
    2. Select if the area is a stub area, NSSA, or a regular area.
    3. Select Add.
  4. Go to Router > Config > OSPF > Networks and select Add Network.
    1. Enter the network identifier.
    2. Enter the IP address and netmask, separated with a space. Use an IP address that includes the switch virtual interface.
    3. Select the area that you created.
    4. Select Add.
  5. Go to Router > Config > OSPF > Interfaces and select Configure OSPF Interface.
    1. Select the same type of authentication that you selected for the area.
    2. If you want static bidirectional forwarding detection, select Enable or Global.
    3. Enter the maximum transmission unit.
    4. Enter the cost.
    5. Enter the number of seconds between Hello packets being sent.
    6. Enter the number of seconds that a Hello packet is not received before the OSPF router decides that a neighbor has failed.
    7. Select Add.
Using the CLI:

Configuring OSPF using IPv4 on the FortiSwitch unit includes the following major steps:

  1. Entering the OSPF configuration mode.
  2. Setting the router identifier.

    Each router must have a unique 32-bit number. NOTE: Without a router identifier, OSPF routing will not work.

  3. Creating an area.

    You must create at least one area.

  4. Configuring the network.

    Attach one or more networks to each area.

  5. Configuring the OSPF interface.
  6. Redistributing non-OSPF routes.

    Advertise these non-OSPF routes within OSPF.

  7. Checking the OSPF configuration.

NOTE:

  • You can also configure OSPF using IPv6 with the config router ospf6 command.
  • Starting in FortiSwitchOS 7.0.0, OSPF supports VRF. To create multiple routing tables within the same router, use the config vrf command under config router ospf.

Entering the OSPF configuration mode

Enter the OSPF configuration mode to access all of the OSPF configuration commands:

# config router ospf

Setting the router identifier

Each router within an area must have a unique 32-bit number. The router identifier is written in dotted decimal format, but it is not an IPv4 address. NOTE: Without a router identifier, OSPF routing will not work.

set router-id <router-id>

For example:

# config router ospf
(ospf) # set router-id 1.1.1.2

Creating an area

You must create at least one area. The area number is written in dotted decimal format (for example, configure area 100 as 0.0.0.100).

config area
    edit <area number>
        set shortcut {default | disable | enable}
        set type {nssa | regular | stub}
end

For example:

(ospf) # config area
(area) # edit 0.0.0.4
(0.0.0.4) # set type nssa

Configuring the network

Use this subcommand to identify the OSPF-enabled interfaces. The prefix length in the interface must be equal to or larger than the prefix length in the network statement.

config network
    edit <network number>
        set area <area>
        set prefix <network prefix> <mask>

For example:

(ospf) # config network
(network) # edit 1
(1) # set area 0.0.0.4
(1) # set prefix 10.1.1.0 255.255.255.0

Configuring the OSPF interface

Configure interface-related OSPF settings. Enter a descriptive name for the OSPF interface.

config interface
    edit <OSPF_interface_name>
        set priority <1-255>

For example:

(ospf) # config interface
(ospf-interface) # edit oi1
(oi1) # set priority 255

NOTE: The following values must match for an adjacency to form:

  • area type and number
  • interface subnet and mask
  • hello interval
  • dead interval

Redistributing non-OSPF routes

Redistribute non-OSPF routes (directly connected or static routes) within OSPF:

config redistribute {bgp | connected | isis | rip | static}
    set status enable
    set metric <integer>
    set metric-type {1 | 2}
end

Add route summarization:

config summary-address
    edit <id>
        set prefix <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx>
    next
end

For example:

(ospf) # config redistribute connected
(connected) # set status enable
(connected) # end
(ospf) # config summary-address
(summary-address) # edit 1
new entry '1' added
(1) # set prefix 10.1.0.0 255.255.0.0
(1) # next
(summary-address) # end

Checking the OSPF configuration

The get router info ospf command has options to display different aspects of the OSPF configuration and status. For example:

get router info ospf neighbor {<neighbor_ID> | all | detail | detail all | <interface_IP_address>}

get router info ospf database {brief | self-originate | router | network | summary | asbr-summary | external | nssa-external | opaque-link | opaque-area | opaque-as | max-age}

Example configuration

The following example shows a very simple OSPF network with one area. FortiSwitch 1 has one OSPF interface to FortiSwitch 2:

Configuring system interfaces

These are the same configuration steps as for static routing.

Switch 1

config system interface
    edit vlan10-p3
        set ip 30.1.1.1 255.255.255.0
        set allowaccess ping https http ssh telnet
        set vlanid 10
    next
    edit vlan40-p4
        set ip 10.11.101.1 255.255.255.0
        set allowaccess ping https http ssh telnet
        set vlanid 40
end

config switch interface
    edit "port3"
        set native-vlan 10
    next
    edit "port4"
        set native-vlan 40
    next
end

Switch 2

config system interface
    edit vlan20-p8
        set ip 20.50.1.1 255.255.255.0
        set allowaccess ping https http ssh telnet
        set vlanid 20
    next
    edit vlan40-p4
        set ip 10.11.101.2 255.255.255.0
        set allowaccess ping https http ssh telnet
        set vlanid 40
end

config switch interface
    edit "port8"
        set native-vlan 20
    next
    edit "port4"
        set native-vlan 40
    next
end

Configuring the OSPF router

Configure OSPF with the following:

  1. Set the router ID.
  2. Create the area.
  3. Create the network (set network prefix and associate with an area).
  4. Configure the OSPF interface.

Switch 1

config router ospf
    set router-id 10.11.101.1
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set area 0.0.0.0
            set prefix 10.11.101.0 255.255.255.0
        next
    end
    config interface
        edit vlan40
            set cost 100
            set priority 100
        next
    end
    config redistribute connected
        set status enable
    end
end

Switch 2

config router ospf
    set router-id 10.11.101.2
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set area 0.0.0.0
            set prefix 10.11.101.0 255.255.255.0
        next
    end
    config interface
        edit vlan40
            set cost 100
            set priority 100
        next
    end
    config redistribute connected
        set status enable
    end
end

Verifying OSPF neighbors

get router info ospf neighbor all

Verifying OSPF routes

get router info ospf route
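
The neighbor conditions listed under Adjacencies and the prefix-length rule under Configuring the network can be checked offline before a change is pushed. The following Python script is an added example, not part of the Fortinet guide: it parses config/edit/set/next/end text for two switches and reports which of those conditions fail. The sample configuration is constructed from the values in the example above, the function names are hypothetical, and Hello/Dead timers and authentication are not checked because the page does not show their CLI keywords.

```python
import ipaddress

def parse_config(text):
    """Parse config/edit/set/next/end CLI text into nested dicts."""
    root = {}
    stack = [("config", root)]
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] in ("config", "edit"):
            name = " ".join(tok[1:]).strip('"')
            stack.append((tok[0], stack[-1][1].setdefault(name, {})))
        elif tok[0] == "set":
            stack[-1][1][tok[1]] = tok[2:]
        elif tok[0] == "next":
            stack.pop()
        elif tok[0] == "end":
            if stack[-1][0] == "edit":  # "end" with no "next" also closes the entry
                stack.pop()
            stack.pop()
    return root

def link_facts(cfg, sys_if):
    """Collect the values the page says must agree before neighbors form."""
    ospf = cfg["router ospf"]
    addr, mask = cfg["system interface"][sys_if]["ip"]
    subnet = ipaddress.ip_interface(f"{addr}/{mask}").network
    # A network statement covers the interface only when the interface prefix
    # length is equal to or larger than the statement's prefix length.
    areas = [n["area"][0] for n in ospf.get("network", {}).values()
             if subnet.subnet_of(ipaddress.ip_network("/".join(n["prefix"]), strict=False))]
    return {"router_id": ospf["router-id"][0], "subnet": subnet, "areas": areas}

def adjacency_problems(a, b):
    """Return the reasons the two ends would not become neighbors."""
    problems = []
    if a["router_id"] == b["router_id"]:
        problems.append("duplicate router-id")
    if a["subnet"] != b["subnet"]:
        problems.append("subnet or mask mismatch")
    if not a["areas"] or not b["areas"]:
        problems.append("interface not covered by a network statement")
    elif a["areas"][0] != b["areas"][0]:
        problems.append("area ID mismatch")
    return problems

# Constructed sample modelled on the page's two-switch example (not device output).
TEMPLATE = """\
config system interface
    edit vlan40-p4
        set ip {ip} {mask}
        set vlanid 40
end
config router ospf
    set router-id {ip}
    config network
        edit 1
            set area {area}
            set prefix 10.11.101.0 255.255.255.0
        next
    end
end
"""

def check(ip_a, ip_b, mask_b="255.255.255.0", area_b="0.0.0.0"):
    """Build both switch configs from the template and compare their link facts."""
    a = parse_config(TEMPLATE.format(ip=ip_a, mask="255.255.255.0", area="0.0.0.0"))
    b = parse_config(TEMPLATE.format(ip=ip_b, mask=mask_b, area=area_b))
    return adjacency_problems(link_facts(a, "vlan40-p4"), link_facts(b, "vlan40-p4"))

if __name__ == "__main__":
    print(check("10.11.101.1", "10.11.101.2"))                    # values from the page
    print(check("10.11.101.1", "10.11.101.2", area_b="0.0.0.4"))  # constructed fault
```

An empty list means the checked conditions agree on both ends; the neighbor state itself is still confirmed on the device with get router info ospf neighbor all.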
