Handbook

OSPF

6.0.0

OSPF

Open Shortest Path First (OSPF) is a link-state interior routing protocol that is widely used in large enterprise organizations. It only routes packets within a single autonomous system (AS). This is different from BGP, because BGP can communicate between ASs.

OSPF version 2 (OSPFv2) was defined in 1998 in RFC 2328. OSPF was designed to support classless IP addressing and variable subnet masks, which the earlier RIP protocols lacked.

Updates to OSPFv2 are included in OSPF version 3 (OSPFv3), defined in 2008 in RFC 5340. OSPFv3 includes support for IPv6 addressing, where OSPFv2 only supports IPv4 addressing.

The main benefit of OSPF is that it detects link failures in the network quickly and, within seconds, converges network traffic successfully without any routing loops. Also, OSPF has many features to control which routes are propagated and which are not, maintaining smaller routing tables. OSPF can also provide better load-balancing on external links than other interior routing protocols.

The parts and terminology of OSPF

The parts and terminology of OSPF include the following sections.

OSPFv3 and IPv6

OSPF version 3 (OSPFv3) includes support for IPv6, configurable from the CLI only. Generally, all IP addresses are in IPv6 format instead of IPv4. However, OSPFv3 area numbers use the same 32-bit numbering system as OSPFv2, as described in RFC 2740. Likewise, the router ID and area ID are in the same format as OSPFv2.

For IPv6, the main difference in OSPFv3 is that rather than using a network statement to enable OSPFv3 on an interface, you define OSPF6 (OSPF for IPv6) interfaces, which are bound to the interface and area. This configuration must be done in the CLI, as follows (with sample interfaces and addresses):

    config router ospf6
        config area
            edit 0.0.0.0
            next
        end
        config ospf6-interface
            edit "tunnel"
                set interface "to_FGT300A-7"
            next
            edit "internal_lan"
                set interface "port1"
            next
        end
        set router-id 10.174.0.113
    end

Note that OSPFv3 neighbors use link-local IPv6 addresses. With broadcast and point-to-point network types, neighbors are discovered automatically; you only have to configure neighbors manually when using non-broadcast network types.

Router ID

In OSPF, each router has a unique 32-bit number that is called its router ID. Often, this 32-bit number is written the same as a 32-bit IPv4 address would be written in dotted decimal notation. However, some brands of routers, such as Cisco routers, support a router ID entered as an integer instead of an IP address.

It's a good idea not to use an IP address for the router ID that is already in use on the router. The router ID doesn't have to be a particular IP address on the router. By choosing a different number, it's harder to get confused about which number you're looking at. It's also a good idea to reuse as much of the area number as possible in the router ID. For example, if you have 15 routers in area 0.0.0.0, they could be numbered from 0.0.0.1 to 0.0.0.15. If you have an area 1.1.1.1, then routers in that area could start at 1.1.1.10.

You can manually set the router ID on a FortiGate:

To manually set an OSPF router ID of 0.0.1.1 - GUI:
  1. Go to Network > OSPF.
  2. For Router ID, enter 0.0.1.1.
  3. Select Apply.

To manually set an OSPF router ID of 0.0.1.1 - CLI:

    config router ospf
        set router-id 0.0.1.1
    end

Adjacency

In an OSPF routing network, an OSPF router sends out OSPF hello packets when it boots up, to try to find any neighbors (routers that have access to the same network as the router booting up). Once neighbors are discovered and Hello packets are exchanged, updates are sent and the link state databases of both neighbors are synchronized. At this point, these neighbors are said to be adjacent.

For two OSPF routers to become neighbors, the following conditions must be met:

  • The subnet mask used on both routers must be the same.
  • The subnet number derived using the subnet mask and each router's interface IP address must match.
  • The hello interval and the dead interval must match.
  • The routers must have the same OSPF area ID. If they're in different areas, they're not neighbors.
  • If authentication is used, they must pass authentication checks.

If any of these parameters are different between the two routers, the routers do not become OSPF neighbors and can't be adjacent. If the routers become neighbors, they're adjacent.

Adjacency and neighbors

Neighbor routers can be in a two-way state, and not be adjacent. Adjacent routers normally have a neighbor state of FULL. Neighbors only exchange hello packets and don't exchange routing updates. Adjacent routers exchange LSAs (LSDB information) as well as hello packets. A good example of an adjacent pair of routers is the designated router (DR) and backup designated router (BDR).

You can check on the state of an OSPF neighbor using the CLI get router info ospf neighbor all command. For more information, see Checking the state of OSPF neighbors.

Why adjacency is important

It's important to have adjacent pairs of routers in the OSPF routing domain because routing protocol packets are only passed between adjacent routers. This means adjacency is required for two OSPF routers to exchange routes.

If there's no adjacency between two routers, such as one on the 172.20.120.0 network and another on the 10.11.101.0 network, the routers don't exchange routes. This makes sense because if all OSPF routers on the OSPF domain exchanged updates, it would flood the network.

Also, it's better for updates to progress through adjacent routers to ensure there are no outages along the way. Otherwise, updates could skip over routers that are potentially offline, causing longer routing outages and delays, while the OSPF domain learns of this outage later on.

If the OSPF network has multiple border routers and multiple connections to external networks, the designated router (DR) determines which router pairs become adjacent. The DR can accomplish this because it maintains the complete topology of the OSPF domain, including which router pairs are adjacent.

The backup designated router (BDR) also has this information in case the DR goes offline.

Designated router and backup router

In OSPF, a router can have a number of different roles to play.

A designated router (DR) is the designated broadcasting router interface for an AS. It looks after all of the initial contact and other routing administration traffic. Having only one router do all of this greatly reduces the network traffic and collisions.

If something happens and the designated router goes offline, the backup designated router (BDR) takes over. An OSPF interface on a FortiGate can become either a DR or BDR. Both the DR and the BDR cover the same area and are elected at the same time. The election process doesn't have many rules, but the exceptions can become complex.

Benefits

The OSPF concept of the designated router is a big step above RIP. With all RIP routers doing their own updates all the time, RIP suffers from frequent and sometimes unnecessary updates that can slow down your network. With OSPF, not only do routing changes only happen when a link state changes instead of any tiny change to the routing table, but the designated router reduces this overhead traffic even more.

However, smaller network topologies may have only a couple of routers besides the designated router. This may seem excessive, but it maintains the proper OSPF form and it still reduces the administration traffic, but to a lesser extent than on a large network. Also, your network topology is ready whenever you choose to expand your network.

DR and BDR election

An election chooses DR and BDR from all the available routers. The election is primarily based on the priority setting of the routers, where the highest priority becomes the DR and the second highest becomes the BDR. To resolve any ties, the router with the highest router ID wins. For example, a router with a router ID of 192.168.0.1 would win over a router with a router ID of 10.1.1.2.

The router priority can vary from 0 to 255, but at 0 a router won't become a DR or BDR. If a router with a higher priority comes online after the election, it must wait until the DR and BDR go offline before it becomes the DR.

If the original DR goes offline, but is then available when the BDR goes offline later on, the original DR will be promoted back to DR without an election, leaving the new BDR as it is.
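The election rules above (priority first, highest router ID as tie-break, priority 0 never eligible, no preemption by a router that comes online later) as an added Python model; this is not Fortinet code. The promotion of the BDR when the DR disappears follows RFC 2328 and is an assumption beyond the text above.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Router:
    router_id: str   # dotted-decimal 32-bit router ID, e.g. "0.0.0.5"
    priority: int    # 0-255; 0 means the router never becomes DR or BDR


def rid_value(router_id: str) -> int:
    """The router ID compared as the 32-bit number it is, so 192.168.0.1 beats 10.1.1.2."""
    return int(IPv4Address(router_id))


def rank(router: Router):
    """Highest priority wins; a tie goes to the highest router ID."""
    return (router.priority, rid_value(router.router_id))


def elect(routers, current_dr=None, current_bdr=None):
    """Return (dr, bdr) for one network segment.

    A DR or BDR that is still present keeps its role, so a higher-priority
    router that appears later does not preempt it. When the DR disappears,
    the BDR is promoted and a new BDR is chosen (RFC 2328 behaviour, assumed here)."""
    eligible = [r for r in routers if r.priority > 0]
    dr = current_dr if current_dr in eligible else None
    bdr = current_bdr if current_bdr in eligible else None
    if dr is None and bdr is not None:
        dr, bdr = bdr, None                  # BDR takes over as DR
    if dr is None and eligible:
        dr = max(eligible, key=rank)
    remaining = [r for r in eligible if r != dr]
    if bdr is None and remaining:
        bdr = max(remaining, key=rank)
    return dr, bdr
```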

With the FortiGate, to configure an OSPF interface called ospf_DR on port1 as a potential DR or BDR on its network, you need to raise the priority of the router to a very high number, such as 250 out of 255. This ensures the interface has a chance to be a DR, but doesn't guarantee that it'll be one. To help ensure it becomes a DR, you should give the interface a low numbered IP address, such as 10.1.1.1 instead of 192.168.1.1 (but that isn't part of this example). Enter the following command:

    config router ospf
        config ospf-interface
            edit "ospf_DR"
                set priority 250
            next
        end
    end

Area

An OSPF area is a smaller part of the larger OSPF AS. Areas are used to limit the link state updates that are sent out. The flooding used for these updates would overwhelm a large network, so it's divided into these smaller areas for manageability.

If there are two or more routers that are viable within an area, there will always be a designated router (DR) and a backup designated router (BDR). For more information about these router roles, see Designated router and backup router.

Defining a private OSPF area involves the following:

  • Assigning a 32-bit number to the area that is unique on your network
  • Defining the characteristics of one or more OSPF areas
  • Creating associations between the OSPF areas that you defined and the local networks to include in the OSPF area
  • Adjusting the settings of OSPF-enabled interfaces, if required

IPv6 OSPF area numbers use the same 32-bit number notation as IPv4 OSPF.

If you are using the GUI to perform these tasks, follow the procedures summarized below.

FortiGate devices support the four main types of OSPF areas: backbone, stub, not-so-stubby, and regular.

Backbone area

Every OSPF network has at least one AS and every OSPF network has a backbone area. The backbone is the main area, and possibly the only area. All other OSPF areas are connected to a backbone area. This means if two areas want to pass routing information back and forth, that routing information will go through the backbone on its way between those areas. For this reason, the backbone not only has to connect to all other areas in the network, but also has to be uninterrupted in order to be able to pass traffic to all points of the network.

The backbone area is referred to as area 0 because its area ID is 0.0.0.0.

Stub area

A stub area is an OSPF area that receives no outside routes advertised into it. All routing in it is based on a default route. This essentially isolates it from outside areas.

Stub areas are useful for small networks that are part of a larger organization, especially if the networking equipment can't handle routing large amounts of traffic passing through, or if there are other reasons to prevent outside traffic, such as security. For example, most organizations don't want their accounting department to be the center of their network with everyone’s traffic passing through there. It increases the security risks, slows down the network, and it generally doesn't make sense.

A variation on the stub area is the totally stubby area. It's a stub area that doesn't allow summarized routes.

NSSA

A not-so-stubby-area (NSSA) is a stub area that allows for external routes to be injected into it. While it still doesn't allow routes from external areas, it's not limited to using only the default route for internal routing.

Regular area

A regular area is any area that isn't one of the other types: the non-backbone, non-stub, and non-NSSA areas. A regular area generally has a connection to the backbone, does receive advertisements of outside routes, and doesn't have an area number of 0.0.0.0.

Authentication

In the OSPF packet header, there are two authentication-related fields: AuType and Authentication.

All OSPF packet traffic is authenticated. Multiple types of authentication are supported in OSPFv2. However, in OSPFv3, there's no authentication built-in but it's assumed that IPsec is used for authentication instead.

Packets that fail authentication are discarded.

Null authentication

Null authentication indicates there's no authentication being used. In this case, the 16-byte authentication field isn't checked, and can be any value. However, checksumming is still used to locate errors. On a FortiGate, this is the none option for authentication.

Simple password authentication

Simple password refers to a standard plain text string of characters. The same password is used for all transactions on a network. The main use for this type of authentication is to prevent routers from accidentally joining the network. Simple password authentication is vulnerable to many forms of attack, and isn't recommended as a secure form of authentication.

Cryptographic authentication

Cryptographic authentication involves the use of a shared secret key to authenticate all router traffic on a network. The key is never sent over the network in the clear. A packet is sent and a condensed and encrypted form of the packet is appended to the end of the packet. A non-repeating sequence number is included in the OSPF packet to protect against replay attacks that could try to use already sent packets to disrupt the network. When a packet is accepted as authentic, the authentication sequence number is set to the packet sequence number. If a replay attack is attempted, the packet sent will be out of sequence and ignored.

A FortiGate supports all three levels of authentication through the authentication keyword associated with creating an OSPF interface.

For example, to create an OSPF interface called Accounting on the port1 interface that is a broadcast interface, has a hello interval of 10 seconds, has a dead interval of 40 seconds, uses text authentication (simple password) with a password of “ospf_test”, enter the following CLI commands:

    config router ospf
        config ospf-interface
            edit Accounting
                set interface port1
                set network-type broadcast
                set hello-interval 10
                set dead-interval 40
                set authentication text
                set authentication-key ospf_test
            next
        end
    end

Hello and dead intervals

The OSPF Hello protocol is used to discover and maintain communications with neighboring routers.

Hello packets are sent out at a regular interval for this purpose. The DR sends out the hello packets. In a broadcast network, the multicast address of 224.0.0.5 is used to send out hello packets. New routers on the network listen for and reply to these packets to join the OSPF area. If a new router never receives a hello packet, other routers won't know it is there and won't communicate with it. However, once a new router is discovered, the DR adds it to the list of routers in that area and it's integrated into the routing calculations.

Dead interval is the time other routers wait before declaring a neighbor dead (offline). It's very important to set a reasonable dead interval. If this interval is too short, routers will be declared offline when they are just slow or momentarily inaccessible, and link state updates will happen more than they need to, using more bandwidth. If the dead interval is too long, it will slow down network traffic overall if online routers attempt to contact offline ones instead of re-routing traffic.

FortiOS also supports OSPF fast-hello, which provides a way to send multiple hello packets per second. This is achieved by setting a dead-interval to one second. The hello-multiplier, which can be any number between 4 and 10, determines the number of hello packets that will be sent every second. The CLI syntax for OSPF fast-hello is the following:

    config router ospf
        config ospf-interface
            edit ospf1
                set interface port1
                set network-type broadcast
                set dead-interval 1
                set hello-multiplier 4
            next
        end
    end

Access lists

Access lists are filters used by OSPF routing on a FortiGate. An access list provides a list of IP addresses and the action to take for them. An access list essentially makes it easy to group addresses that will be treated the same into the same group, independent of their subnets or other matching qualities. You add a rule for each address or subnet that you want to include, specifying the action to take for it. For example, if you want all traffic from one department to be routed a particular way, even in different buildings, you can add all the addresses to an access list and then handle that list all at once.

Each rule in an access list consists of a prefix (IP address and netmask), the action to take for this prefix (permit or deny), and whether to match the prefix exactly or to match the prefix and any more specific prefix.

The FortiGate attempts to match a packet against the rules in an access list, starting at the top of the list. If it finds a match for the prefix, it takes the action specified for that prefix. If no match is found, the default action is deny.

Access lists greatly speed up configuration and network management. When there is a problem, you can check each list instead of individual addresses. It also eases troubleshooting because if all addresses on one list have problems, it eliminates many possible causes right away.

If you are using OSPF with IPv6 (OSPFv3), you will need to use access-list6, the IPv6 version of access list. The only difference is that access-list6 uses IPv6 addresses.

For example, if you want to create an access list called test_list that only allows an exact match of 10.10.10.10 and 11.11.11.11, enter the following CLI commands:

    config router access-list
        edit test_list
            config rule
                edit 1
                    set prefix 10.10.10.10 255.255.255.255
                    set action permit
                    set exact-match enable
                next
                edit 2
                    set prefix 11.11.11.11 255.255.255.255
                    set action permit
                    set exact-match enable
                next
            end
        next
    end
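To make the matching rules concrete (first match wins, exact-match versus prefix-and-more-specific, implicit deny when nothing matches), here is an added Python model that is not Fortinet code. It evaluates the test_list rules from the example above and a constructed IPv6 list; `subnet_of` comes from the standard library `ipaddress` module.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    prefix: str               # CIDR, or "address netmask" as typed in the CLI
    action: str               # "permit" or "deny"
    exact_match: bool = False

    def network(self):
        # "10.10.10.10 255.255.255.255" becomes "10.10.10.10/255.255.255.255"
        return ip_network(self.prefix.replace(" ", "/"), strict=False)


def lookup(rules, candidate):
    """First-match evaluation of one route prefix against an access list.

    With exact_match the rule matches only the identical prefix; otherwise it
    also matches any more specific prefix inside it. No match falls through to
    the implicit deny. Returns (action, matching rule number or None)."""
    net = ip_network(candidate, strict=False)
    for number, rule in enumerate(rules, start=1):
        rule_net = rule.network()
        if net.version != rule_net.version:
            continue                      # an IPv6 prefix never matches an IPv4 rule
        matched = net == rule_net if rule.exact_match else net.subnet_of(rule_net)
        if matched:
            return rule.action, number
    return "deny", None


# test_list from the example above: exact matches of the two hosts only.
TEST_LIST = [
    Rule("10.10.10.10 255.255.255.255", "permit", exact_match=True),
    Rule("11.11.11.11 255.255.255.255", "permit", exact_match=True),
]

# Constructed IPv6 list: the two deny prefixes of the access-list6 example plus a
# permit-everything rule added here so that first-match ordering is visible.
TEST_LIST_IP6 = [
    Rule("2002:A0A:A0A:0:0:0:0:0/48", "deny"),
    Rule("2002:B0B:B0B:0:0:0:0:0/48", "deny"),
    Rule("::/0", "permit"),
]
```

This model will exact-match 0.0.0.0/0, which a FortiGate access-list can't do; a prefix-list is needed for that case.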

Another example is if you want to deny ranges of addresses in IPv6 that start with the IPv6 equivalents of 10.10.10.10 and 11.11.11.11, enter the following access-list6 CLI commands:

    config router access-list6
        edit test_list_ip6
            config rule
                edit 1
                    set prefix6 2002:A0A:A0A:0:0:0:0:0/48
                    set action deny
                next
                edit 2
                    set prefix6 2002:B0B:B0B:0:0:0:0:0/48
                    set action deny
                next
            end
        next
    end

To use an access list, you must call it from a routing protocol such as RIP or OSPF. The following example uses the access list from the earlier example called test_list to match routes coming in on the port1 interface. When there's a match, it'll add 3 to the hop count metric for those routes to artificially decrease their priority. Enter the following CLI commands:

    config router ospf
        config distribute-list
            edit 5
                set access-list test_list
                set protocol connected
            next
        end
    end

If you're setting a prefix of 128.0.0.0, use the format 128.0.0.0/1. The default route 0.0.0.0/0 can't be matched exactly with an access-list. A prefix-list must be used for this purpose.

How OSPF works

An OSPF installation consists of one or more areas. An OSPF network is typically divided into logical areas linked by Area Border Routers (ABR). A group of contiguous networks forms an area. An ABR links one or more areas to the OSPF network backbone (area ID 0). For more information, see Dynamic routing.

OSPF is an interior routing protocol. It includes a backbone AS and possibly additional ASs. The DR and BDR are elected from potential routers with the highest priorities. The DR handles much of the administration to lower the network traffic required. New routers are discovered through hello packets sent from the DR using the multicast address of 224.0.0.5. If the DR goes offline at any time, the BDR has a complete table of routes that it uses when it takes over as the DR router.

OSPF doesn't use UDP or TCP, but is encapsulated directly in IP datagrams as protocol 89. This is in contrast to RIP and BGP. OSPF handles its own error detection and correction functions.

The OSPF protocol, when running on IPv4, can operate securely between routers, optionally using a variety of authentication methods to allow only trusted routers to participate in routing. OSPFv3, running on IPv6, no longer supports protocol-internal authentication. Instead, it relies on IPv6 protocol security (IPsec).

Other important parts of how OSPF works include:

OSPF router discovery

OSPF-enabled routers generate link state advertisements (LSA) and send them to their neighbors whenever the status of a neighbor changes or a new neighbor comes online. As long as the OSPF network is stable, LSAs between OSPF neighbors don't occur. An LSA identifies the interfaces of all OSPF-enabled routers in an area, and provides information that enables OSPF-enabled routers to select the shortest path to a destination. All LSA exchanges between OSPF-enabled routers are authenticated.

When a network of OSPF routers comes online, the following steps occur:

  1. When OSPF routers come online, they send out hello packets to find other OSPF routers on their network segment.
  2. When they discover other routers on their network segment, they generally become adjacent. Adjacent routers can exchange routing updates. For more information, see Adjacency.
  3. A DR and BDR are elected from the available routers using priority settings and router ID. See Designated router and backup router, and DR and BDR election issues.
  4. Link state updates are sent between adjacent routers to map the topology of the OSPF area.
  5. Once complete, the DR floods the network with the updates to ensure all OSPF routers in the area have the same OSPF route database. After the initial update, there are very few required updates if the network is stable.

How OSPF works on FortiGate devices

When a FortiGate interface is connected to an OSPF area, that unit can participate in OSPF communications. FortiGate devices use the OSPF hello protocol to acquire neighbors in an area. A neighbor is any router that's directly connected to the same area as the FortiGate and is ideally adjacent with a state of Full. After initial contact, the FortiGate exchanges hello packets with its OSPF neighbors regularly to confirm that the neighbors can be reached.

The number of routes that a FortiGate can learn through OSPF depends on the network topology. A single unit can support tens of thousands of routes if the OSPF network is configured properly.

External routes

OSPF is an internal routing protocol. OSPF external routes are routes where the destination is using a routing protocol other than OSPF. OSPF handles external routes by adjusting the cost of the route to include the cost of the other routing protocol. There are two methods of calculating this cost, which are used for OSPF external1 (E1) and OSPF external2 (E2).

OSPF E1

In OSPF E1, the destination is outside the OSPF domain. This requires a different metric to be used beyond the normal OSPF metrics. The new metric of a redistributed route is calculated by adding the external cost and the OSPF cost together.

OSPF E2

OSPF E2 is the default external type when routes are redistributed outside of OSPF. With OSPF E2, the metric of the redistributed route is equivalent to the external cost only, expressed as an OSPF cost. Dropping the OSPF portion can be useful in a number of situations, for example, on border routers that have no OSPF portion or where the OSPF routing cost is negligible compared to the external routing cost.

Comparing E1 and E2

The best way to understand OSPF E1 and E2 routes is to check routing tables on OSPF routers. If you look at the routes on an OSPF border router, the redistributed routes will have an associated cost that represents only the external route, as there is no OSPF cost to the route due to it already being on the edge of the OSPF domain. However, if you look at that same route on a different OSPF router inside the OSPF routing domain, it has a higher associated cost, essentially the external cost plus the cost over the OSPF domain to that border router. The border router uses OSPF E2, where the internal OSPF router uses OSPF E1 for the same route.

Viewing external routes

When you're trying to determine the costs for routes in your network to predict how traffic will be routed, you need to see the external OSPF routes and their associated costs. On a FortiGate, you can use the CLI to find this information.

To view external routes - CLI:

You can view the whole routing table using the get router info routing-table all command to see all of the routes, including the OSPF external routes. To view a shorter list, you can use the get router info routing-table ospf command. The letter at the left will be either E1 or E2 for external OSPF routes. The output looks similar to the following, depending on what routes are in the routing table:

    FGT620B# get router info routing-table all
    Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
           O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default

    O*E2 0.0.0.0/0 [110/10] via 10.1.1.3, tunnel_wan2, 00:02:11
    O 10.0.0.1/32 [110/300] via 10.1.1.3, tunnel_wan2, 00:02:11
    S 0.0.0.0/0 [10/0] via 192.168.183.254, port2
    S 1.0.0.0/8 [10/0] via 192.168.183.254, port2

Link state database and route updates

OSPF is based on links. The links between adjacent neighbor routers allow updates to be passed along the network. Network links allow the DR to flood the area with link state database (LSDB) updates. External links allow the OSPF area to connect to destinations outside the OSPF autonomous system. Information about these links is passed throughout the OSPF network as link state updates.

The LSDB contains the information that defines the complete OSPF area, but the LSDB isn't the routing table. It contains the information from all the link state updates passed along the network. When there are no more changes required and the network is stable, the LSDB on each router in the network is the same. The DR floods the LSDB to the area to ensure that each router has the same LSDB.

To calculate the best route (shortest path) to a destination, the FortiGate applies the Shortest Path First (SPF) algorithm, based on Dijkstra’s algorithm, to the accumulated link state information. OSPF uses relative path cost metric for choosing the best route. The path cost can be any metric, but it's typically the bandwidth of the path, which is how fast traffic will get from one point to another.

The path cost, similar to distance for RIP, imposes a penalty on the outgoing direction of a FortiGate interface. The path cost of a route is calculated by adding all of the costs associated with the outgoing interfaces along the path to the destination. The lowest overall path cost indicates the best route, and generally the fastest route. Some brands of OSPF routers, such as Cisco, implement cost as a direct result of bandwidth between the routers. Generally this is a good cost metric because larger bandwidth means more traffic can travel without slowing down. To achieve this type of cost metric on FortiGate devices, you need to set the cost for each interface manually in the CLI.
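As an added example (not Fortinet code) that serves both the path-cost description above and the E1/E2 comparison earlier: a Dijkstra SPF run over a constructed link state database in which each link's cost is charged on the sending router's outgoing interface, and the E1 and E2 metrics that an internal router and the border router itself would install for the same redistributed route. Router names and costs are constructed.

```python
import heapq

# Constructed LSDB: LINKS[router][neighbor] is the cost set on router's outgoing
# interface toward neighbor, so costs are per direction. "border" is the router
# that redistributes the external route into OSPF.
LINKS = {
    "border": {"r1": 10, "r3": 20},
    "r1": {"border": 10, "r2": 5},
    "r2": {"r1": 5, "r3": 1},
    "r3": {"r2": 1, "border": 20},
}


def spf(links, source):
    """Dijkstra (the SPF algorithm) from `source` over the LSDB.
    Returns {router: (total cost, next hop from source)}; only the shortest
    path to each router is kept, exactly as the SPF tree does."""
    tree = {source: (0, None)}
    heap = [(0, source, None)]
    while heap:
        cost, node, first_hop = heapq.heappop(heap)
        if cost > tree[node][0]:
            continue                       # stale entry: a cheaper path was found
        for nbr, link_cost in links.get(node, {}).items():
            new_cost = cost + link_cost
            hop = nbr if node == source else first_hop
            if nbr not in tree or new_cost < tree[nbr][0]:
                tree[nbr] = (new_cost, hop)
                heapq.heappush(heap, (new_cost, nbr, hop))
    return tree


def external_metric(kind, external_cost, cost_to_asbr):
    """E1 adds the OSPF cost to reach the redistributing router; E2 keeps only the external cost."""
    if kind == "E1":
        return external_cost + cost_to_asbr
    if kind == "E2":
        return external_cost
    raise ValueError("unknown external route type: %r" % kind)


def external_route_view(links, viewer, asbr, external_cost):
    """Metrics `viewer` would see for a route redistributed at `asbr` with the given external cost."""
    cost_to_asbr = spf(links, viewer)[asbr][0]
    return {"cost_to_asbr": cost_to_asbr,
            "E1": external_metric("E1", external_cost, cost_to_asbr),
            "E2": external_metric("E2", external_cost, cost_to_asbr)}
```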

The inter-area routes may not be calculated when a Cisco type ABR has no fully adjacent neighbor in the backbone area. In this situation, the router considers summary-LSAs from all Actively Attached areas (RFC 3509).

The FortiGate dynamically updates its routing table based on the results of the SPF calculation to ensure that an OSPF packet will be routed using the shortest path to its destination. Depending on the network topology, the entries in the FortiGate routing table may include:

  • The addresses of networks in the local OSPF area (to which packets are sent directly)
  • Routes to OSPF area border routers (to which packets destined for another area are sent)
  • Routes to area boundary routers, if the network contains OSPF areas and non-OSPF domains, which reside on the OSPF network backbone and are configured to forward packets to destinations outside the OSPF AS.

OSPF route updates

Once the OSPF domain is established, there should be few updates required on a stable network. When updates occur and a decision is required concerning a new route, this is the general procedure.

Our router gets a new route and needs to decide if it should go in the routing table.

The router has an up-to-date LSDB of the entire area, containing information about each router, the next hop to it, and most importantly the cost to get there.

Our router turns the LSDB into an SPF tree using Dijkstra’s algorithm. It doesn't matter if there's more than one path to a router on the network, the SPF tree only cares about the shortest path to that router.

Once the SPF tree has been created and shows the shortest paths to all the OSPF routers on the network, the work is done. If the new route is the best route, it'll be part of that tree. If it's not the shortest route, it won't be included in the LSDB.

If there has been a change from the initial LSDB to the new SPF tree, a link state update will be sent out to let the other routers know about the change so they can also update their LSDBs. This is vital since all routers on the OSPF area must have the same LSDB.

If there was no change between the LSDB and the SPF tree, no action is taken.

OSPF packets

Every OSPF packet starts with a standard 24-byte header, followed by 24 or more bytes of packet-type-specific information. The header contains all the information necessary to determine whether the packet should be accepted for further processing.

OSPF packet header (24 bytes):

  • 1-byte Version field
  • 1-byte Type field
  • 2-byte Packet length
  • 4-byte Router ID
  • 4-byte Area ID
  • 2-byte Checksum
  • 2-byte Auth Type
  • 8-byte Authentication

Hello packet fields following the header:

  • 4-byte Network Mask
  • 2-byte Hello interval
  • 1-byte Options field
  • 1-byte Router Priority
  • 4-byte Dead Router interval
  • 4-byte DR field
  • 4-byte BDR field
  • 4-byte Neighbor ID

The following descriptions summarize the OSPF packet header fields:

Version field: The OSPF version number. This section describes version 2 of the protocol.

Type field: There are 5 OSPF packet types. From one to five, respectively, they are Hello, Database Description, Link State Request, Link State Update, and Link State Acknowledgment.

Packet length: The length of the OSPF protocol packet, in bytes. This length includes the standard OSPF 24-byte header, so all OSPF packets are at least 24 bytes long.

Router ID: The Router ID of the packet's source.

Area ID: A 32-bit number identifying the area that this packet belongs to. All OSPF packets are associated with a single area. Most travel a single hop only. Packets travelling over a virtual link are labelled with the backbone Area ID of 0.0.0.0.

Checksum: The standard IP checksum of the entire contents of the packet, starting with the OSPF packet header but excluding the 64-bit authentication field. This checksum is calculated as the 16-bit one's complement of the one's complement sum of all the 16-bit words in the packet, excepting the authentication field. If the packet's length isn't an integral number of 16-bit words, the packet is padded with a byte of zero before checksumming. The checksum is considered to be part of the packet authentication procedure. For some authentication types, the checksum calculation is omitted.

Auth Type: Identifies the authentication procedure to be used for the packet. Authentication types include Null authentication (0), Simple password (1), Cryptographic authentication (2), and all others are reserved for future use.

Authentication: A 64-bit field for use by the authentication scheme. When AuType indicates no authentication is being used, the authentication field isn't checked and can be any value. When AuType is set to 2 (cryptographic authentication), the 64-bit authentication field is split into the following four fields: Zero field, Key ID field, Authentication data length field, and Cryptographic sequence field.

The Key ID field indicates the key and algorithm used to create the message digest appended to the packet. The Authentication data length field indicates how many bytes long the message digest is. The Cryptographic sequence field carries a non-decreasing sequence number; when a packet is received and authenticated, the receiver records that number and ignores later packets with a lower one, which prevents replay attacks.

Network Mask: The network mask of the interface the hello packet is sent on; neighbors must agree on it.

Hello interval: The period of time between sending out hello packets. For more information, see Hello and dead intervals.

Options field: The OSPF protocol defines several optional capabilities. A router indicates the optional capabilities that it supports in its OSPF hello packets, database description packets and in its LSAs. This enables routers supporting a mix of optional capabilities to coexist in a single AS.

Router priority: The priority, between 0 and 255, that determines which routers become the DR and BDR. For more information, see Designated router and backup router.

Dead router interval: The period of time with no hello packets from a neighbor before it's declared dead. For more information, see Hello and dead intervals.

DR and BDR fields: The DR and BDR fields each list the router that fills that role on this network, generally the routers with the highest priorities. For more information, see Designated router and backup router.

Neighbor ID: The Router ID of a neighboring router from which this router has recently received a valid hello packet. A router that sees its own Router ID listed in a neighbor's hello packet knows that communication with that neighbor is two-way, which is how new routers are discovered and answered.
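The acceptance checks described above, as an added example that is not part of the FortiOS documentation or code: a Python parser for the OSPFv2 header and Hello body that applies the version, type, length, AuType and checksum checks a receiver performs before processing a packet. The sample packet is constructed inline and assumes Null authentication; the build_hello function exists only to produce that sample.

```python
"""Parse an OSPFv2 header and Hello body (RFC 2328 A.3.1/A.3.2) and apply the
receiver's acceptance checks. Added example, not FortiOS code."""
import socket
import struct

HEADER_FMT = "!BBHIIHH8s"  # version, type, length, router ID, area ID, checksum, AuType, auth
HELLO_FMT = "!IHBBIII"     # mask, hello interval, options, priority, dead interval, DR, BDR
PACKET_TYPES = {1: "Hello", 2: "Database Description", 3: "Link State Request",
                4: "Link State Update", 5: "Link State Acknowledgment"}
AUTH_TYPES = {0: "Null", 1: "Simple password", 2: "Cryptographic"}


def ip_to_int(dotted: str) -> int:
    return struct.unpack("!I", socket.inet_aton(dotted))[0]


def int_to_ip(value: int) -> str:
    return socket.inet_ntoa(struct.pack("!I", value))


def ospf_checksum(packet: bytes) -> int:
    """16-bit one's complement of the one's complement sum of the 16-bit words,
    with the checksum field treated as zero, the 64-bit authentication field
    (bytes 16-23) skipped and an odd length padded with one zero byte."""
    data = packet[:12] + b"\x00\x00" + packet[14:16] + packet[24:]
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_hello(router_id, area_id, mask, neighbors=(), hello=10, dead=40,
                priority=1, dr="0.0.0.0", bdr="0.0.0.0", autype=0) -> bytes:
    """Construct a sample Hello packet with a valid checksum (test input only)."""
    body = struct.pack(HELLO_FMT, ip_to_int(mask), hello, 0x02, priority, dead,
                       ip_to_int(dr), ip_to_int(bdr))
    body += b"".join(struct.pack("!I", ip_to_int(n)) for n in neighbors)
    header = struct.pack(HEADER_FMT, 2, 1, 24 + len(body), ip_to_int(router_id),
                         ip_to_int(area_id), 0, autype, bytes(8))
    packet = header + body
    return packet[:12] + struct.pack("!H", ospf_checksum(packet)) + packet[14:]


def parse_hello(body: bytes) -> dict:
    """Decode the 20 fixed Hello bytes plus the list of 4-byte neighbor IDs."""
    if len(body) < 20 or (len(body) - 20) % 4:
        raise ValueError("malformed Hello body")
    mask, hello, options, priority, dead, dr, bdr = struct.unpack(HELLO_FMT, body[:20])
    neighbors = [int_to_ip(n) for (n,) in struct.iter_unpack("!I", body[20:])]
    return {"network_mask": int_to_ip(mask), "hello_interval": hello,
            "options": options, "priority": priority, "dead_interval": dead,
            "dr": int_to_ip(dr), "bdr": int_to_ip(bdr), "neighbors": neighbors}


def parse_ospf(packet: bytes) -> dict:
    """Parse the 24-byte header; raise ValueError for anything a receiver drops."""
    if len(packet) < 24:
        raise ValueError("shorter than the 24-byte OSPF header")
    version, ptype, length, rid, aid, csum, autype, auth = struct.unpack(HEADER_FMT, packet[:24])
    if version != 2:
        raise ValueError("unsupported OSPF version %d" % version)
    if ptype not in PACKET_TYPES:
        raise ValueError("unknown packet type %d" % ptype)
    if length < 24 or length > len(packet):
        raise ValueError("bad packet length %d" % length)
    if autype not in AUTH_TYPES:
        raise ValueError("reserved AuType %d" % autype)
    # Null and Simple password authentication rely on the checksum; with
    # Cryptographic authentication (AuType 2) the message digest replaces it.
    if autype != 2 and ospf_checksum(packet[:length]) != csum:
        raise ValueError("checksum mismatch")
    result = {"version": version, "type": PACKET_TYPES[ptype], "length": length,
              "router_id": int_to_ip(rid), "area_id": int_to_ip(aid),
              "auth_type": AUTH_TYPES[autype], "auth": auth}
    if ptype == 1:
        result["hello"] = parse_hello(packet[24:length])
    return result


def check_packet(packet: bytes) -> str:
    """Return 'accepted' or the reason the packet would be discarded."""
    try:
        parse_ospf(packet)
    except ValueError as err:
        return "discarded: %s" % err
    return "accepted"


if __name__ == "__main__":
    sample = build_hello("10.1.1.1", "0.0.0.0", "255.255.255.0", neighbors=("10.1.1.2",))
    print(parse_ospf(sample))
    damaged = bytearray(sample)
    damaged[28] ^= 0xFF                      # corrupt the Hello interval field
    print(check_packet(bytes(damaged)))      # discarded: checksum mismatch
```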

OSPF and VRFs

You can configure OSPF support for multiple virtual routing and forwarding (VRF) instances on a FortiGate.

To add VRFs for interfaces - CLI:

config system interface
    edit <name>
        set vrf <VRF ID>
    next
end

where <VRF ID> is a value from 0 to 31. FortiOS supports 32 VRFs (numbered 0 to 31) per VDOM.

OSPF

Open Shortest Path First (OSPF) is a link-state interior routing protocol that is widely used in large enterprise organizations. It only routes packets within a single autonomous system (AS). This is different from BGP, because BGP can communicate between ASs.

OSPF version 2 (OSPFv2) was defined in 1998 in RFC 2328. OSPF was designed to support classless IP addressing and variable subnet masks. This was a shortcoming of the earlier RIP protocols.

Updates to OSPFv2 are included in OSPF version 3 (OSPFv3), defined in 2008 in RFC 5340. OSPFv3 includes support for IPv6 addressing, where OSPF2 only supports IPv4 addressing.

The main benefit of OSPF is that it detects link failures in the network quickly and within seconds, has converged network traffic successfully without any networking loops. Also, OSPF has many features to control which routes are propagated and which are not, maintaining smaller routing tables. OSPF can also provide better load-balancing on external links than other interior routing protocols.

The parts and terminology of OSPF

The parts and terminology of OSPF include the following sections.

OSPFv3 and IPv6

OSPF version 3 (OSPFv3) includes support for IPv6, configurable from the CLI only. Generally, all IP addresses are in IPv6 format instead of IPv4. However, OSPFv3 area numbers use the same 32-bit numbering system as OSPFv2, as described in RFC 2740. Likewise, the router ID and area ID are in the same format as OSPFv2.

For IPv6, the main difference in OSPFv3 is that rather than using a network statement to enable OSPFv3 on an interface, you define OSPF6 (OSPF for IPv6) interfaces, which are bound to the interface and area. This configuration must be done in the CLI, as follows (with sample interfaces and addresses):

config router ospf6

config area

edit 0.0.0.0

next

end

config ospf6-interface

edit "tunnel"

set interface "to_FGT300A-7"

next

edit "internal_lan"

set interface "port1"

next

set router-id 10.174.0.113

end

Note that OSPFv3 neighbors use link-local IPv6 addresses, but with broadcast and point-to-point network types, and neighbors are automatically discovered. You only have to manually configure neighbors when using non-broadcast network types.

Router ID

In OSPF, each router has a unique 32-bit number that is called its router ID. Often, this 32-bit number is written the same as a 32-bit IPv4 address would be written in dotted decimal notation. However, some brands of routers, such as Cisco routers, support a router ID entered as an integer instead of an IP address.

It's a good idea not to use an IP address for the router ID that is already in use on the router. The router ID doesn't have to be a particular IP address on the router. By choosing a different number, it's harder to get confused about which number you're looking at. It's a good idea to use as many of the area's numbers as possible. For example, if you have 15 routers in area 0.0.0.0, they could be numbered from 0.0.0.1 to 0.0.0.15. If you have an area 1.1.1.1, then routers in that area could start at 1.1.1.10.

You can manually set the router ID on a FortiGate:

To manually set an OSPF router ID of 0.0.1.1 - GUI:
  1. Go to Network > OSPF.
  2. For Router ID, enter 0.0.1.1.
  3. Select Apply.
To manually set an OSPF router ID of 0.0.1.1 - CLI:

config router ospf

set router-id 0.0.1.1

end

Adjacency

In an OSPF routing network, an OSPF router sends out OSPF hello packets when it boots up, to try to find any neighbors (routers that have access to the same network as the router booting up). Once neighbors are discovered and Hello packets are exchanged, updates are sent and the link state databases of both neighbors are synchronized. At this point, these neighbors are said to be adjacent.

For two OSPF routers to become neighbors, the following conditions must be met:

  • The subnet mask used on both routers must be the same subnet.
  • The subnet number derived using the subnet mask and each router's interface IP address must match.
  • The hello interval and the dead interval must match.
  • The routers must have the same OSPF area ID. If they're in different areas, they're not neighbors.
  • If authentication is used, they must pass authentication checks.

If any of these parameters are different between the two routers, the routers do not become OSPF neighbors and can't be adjacent. If the routers become neighbors, they're adjacent.

Adjacency and neighbors

Neighbor routers can be in a two-way state, and not be adjacent. Adjacent routers normally have a neighbor state of FULL. Neighbors only exchange hello packets and don't exchange routing updates. Adjacent routers exchange LSAs (LSDB information) as well as hello packets. A good example of an adjacent pair of routers is the designated router (DR) and backup designated router (BDR).

You can check on the state of an OSPF neighbor using the CLI get router info ospf neighbor all command. For more information, see Checking the state of OSPF neighbors.

Why adjacency is important

It's important to have adjacent pairs of routers in the OSPF routing domain because routing protocol packets are only passed between adjacent routers. This means adjacency is required for two OSPF routers to exchange routes.

If there's no adjacency between two routers, such as one on the 172.20.120.0 network and another on the 10.11.101.0 network, the routers don't exchange routes. This makes sense because if all OSPF routers on the OSPF domain exchanged updates, it would flood the network.

Also, it's better for updates to progress through adjacent routers to ensure there are no outages along the way. Otherwise, updates could skip over routers that are potentially offline, causing longer routing outages and delays, while the OSPF domain learns of this outage later on.

If the OSPF network has multiple border routers and multiple connections to external networks, the designated router (DR) determines which router pairs become adjacent. The DR can accomplish this because it maintains the complete topology of the OSPF domain, including which router pairs are adjacent.

The backup designated router (BDR) also has this information in case the DR goes offline.

Designated router and backup router

In OSPF, a router can have a number of different roles to play.

A designated router (DR) is the designated broadcasting router interface for an AS. It looks after all of the initial contact and other routing administration traffic. Having only one router do all of this this greatly reduces the network traffic and collisions.

If something happens and the designated router goes offline, the backup designated router (BDR) takes over. An OSPF interface on a FortiGate can become either a DR or BDR. Both the DR and the BDR cover the same area and are elected at the same time. The election process doesn't have many rules, but the exceptions can become complex.

Benefits

The OSPF concept of the designated router is a big step above RIP. With all RIP routers doing their own updates all the time, RIP suffers from frequent and sometimes unnecessary updates that can slow down your network. With OSPF, not only do routing changes only happen when a link state changes instead of any tiny change to the routing table, but the designated router reduces this overhead traffic even more.

However, smaller network topologies may have only a couple of routers besides the designated router. This may seem excessive, but it maintains the proper OSPF form and it still reduces the administration traffic, but to a lesser extent than on a large network. Also, your network topology is ready whenever you choose to expand your network.

DR and BDR election

An election chooses DR and BDR from all the available routers. The election is primarily based on the priority setting of the routers, where the highest priority becomes the DR and the second highest becomes the BDR. To resolve any ties, the router with the highest router ID wins. For example, a router with a router ID of 192.168.0.1 would win over a router with a router ID of 10.1.1.2.

The router priority can vary from 0 to 255, but at 0 a router won't become a DR or BDR. If a router with a higher priority comes online after the election, it must wait until the DR and BDR go offline before it becomes the DR.

If the original DR goes offline, but is then available when the BDR goes offline later on, the original DR will be promoted back to DR without an election leaving the new BDR as it is.

With the FortiGate, to configure the port1 interface to be a potential OSPF DR or BDR called ospf_DR on the network, you need to raise the priority of the router to a very high number, such as 250 out of 255. This ensures the interface has a chance to be a DR, but won't guarantee that it'll be one. To help ensure it becomes a DR, you should give the interface a low numbered IP address, such as 10.1.1.1 instead of 192.168.1.1 (but that isn't part of this example). Enter the following command:

config router ospf

config ospf-interface

edit "ospf_DR"

set priority 250

next

end

Area

An OSPF area is a smaller part of the larger OSPF AS. Areas are used to limit the link state updates that are sent out. The flooding used for these updates would overwhelm a large network, so it's divided into these smaller areas for manageability.

If there are two or more routers that are viable within an area, there will always be a designated router (DR) and a backup designated router (BDR). For more information about these router roles, see Designated router and backup router.

Defining a private OSPF area involves the following:

  • Assigning a 32-bit number to the area that is unique on your network
  • Defining the characteristics of one or more OSPF areas
  • Creating associations between the OSPF areas that you defined and the local networks to include in the OSPF area
  • Adjusting the settings of OSPF-enabled interfaces, if required

IPv6 OSPF area numbers use the same 32-bit number notation as IPv4 OSPF.

If you are using the GUI to perform these tasks, follow the procedures summarized below.

FortiGate devices support the four main types of OSPF areas: backbone, stub, not-so-stubby, and regular.

Backbone area

Every OSPF network has at least one AS and every OSPF network has a backbone area. The backbone is the main area, and possibly the only area. All other OSPF areas are connected to a backbone area. This means if two areas want to pass routing information back and forth, that routing information will go through the backbone on its way between those areas. For this reason, the backbone not only has to connect to all other areas in the network, but also has to be uninterrupted in order to be able to pass traffic to all points of the network.

The backbone area is referred to as area 0 because it has an IP address of 0.0.0.0.

Stub area

A stub area is an OSPF area that receives no outside routes advertised into it. All routing in it is based on a default route. This essentially isolates it from outside areas.

Stub areas are useful for small networks that are part of a larger organization, especially if the networking equipment can't handle routing large amounts of traffic passing through, or if there are other reasons to prevent outside traffic, such as security. For example, most organizations don't want their accounting department to be the center of their network with everyone’s traffic passing through there. It increases the security risks, slows down the network, and it generally doesn't make sense.

A variation on the stub area is the totally stubby area. It's a stub area that doesn't allow summarized routes.

NSSA

A not-so-stubby-area (NSSA) is a stub area that allows for external routes to be injected into it. While it still doesn't allow routes from external areas, it's not limited to using only the default route for internal routing.

Regular area

A regular area is what all the other ASs are, all the non-backbone, non-stub, and non-NSSA areas. A regular area generally has a connection to the backbone, does receive advertisements of outside routes, and doesn't have an area number of 0.0.0.0.

Authentication

In the OSPF packet header, there are two authentication-related fields: AuType and Authentication.

All OSPF packet traffic is authenticated. Multiple types of authentication are supported in OSPFv2. However, in OSPFv3, there's no authentication built-in but it's assumed that IPsec is used for authentication instead.

Packets that fail authentication are discarded.

Null authentication

Null authentication indicates there's no authentication being used. In this case, the 16-byte authentication field isn't checked, and can be any value. However, checksumming is still used to locate errors. On a FortiGate, this is the none option for authentication.

Simple password authentication

Simple password refers to a standard plain text string of characters. The same password is used for all transactions on a network. The main use for this type of authentication is to prevent routers from accidently joining the network. Simple password authentication is vulnerable to many forms of attack, and isn't recommended as a secure form of authentication.

Cryptographic authentication

Cryptographic authentication involves the use of a shared secret key to authenticate all router traffic on a network. The key is never sent over the network in the clear. A packet is sent and a condensed and encrypted form of the packet is appended to the end of the packet. A non-repeating sequence number is included in the OSPF packet to protect against replay attacks that could try to use already sent packets to disrupt the network. When a packet is accepted as authentic, the authentication sequence number is set to the packet sequence number. If a replay attack is attempted, the packet sent will be out of sequence and ignored.

A FortiGate supports all three levels of authentication through the authentication keyword associated with creating an OSPF interface .

For example, to create an OSPF interface called Accounting on the port1 interface that is a broadcast interface, has a hello interval of 10 seconds, has a dead interval of 40 seconds, uses text authentication (simple password) with a password of “ospf_test”, enter the following CLI commands:

config router ospf

config ospf-interface

edit Accounting

set interface port1

set network-type broadcast

set hello-interval 10

set dead-interval 40

set authentication text

set authentication-key ospf_test

next

end

Hello and dead intervals

The OSPF Hello protocol is used to discover and maintain communications with neighboring routers.

Hello packets are sent out at a regular interval for this purpose. The DR sends out the hello packets. In a broadcast network, the multicast address of 224.0.0.5 is used to send out hello packets. New routers on the network listen for and reply to these packets to join the OSPF area. If a new router never receives a hello packet, other routers won't know it is there and won't communicate with it. However, once a new router is discovered, the DR adds it to the list of routers in that area and it's integrated into the routing calculations.

Dead interval is the time other routers wait before declaring a neighbor dead (offline). It's very important to set a reasonable dead interval. If this interval is too short, routers will be declared offline when they are just slow or momentarily inaccessible, and link state updates will happen more than they need to, using more bandwidth. If the dead interval is too long, it will slow down network traffic overall if online routers attempt to contact offline ones instead of re-routing traffic.

FortiOS also supports OSPF fast-hello, which provides a way to send multiple hello packets per second. This is achieved by setting a dead-interval to one second. The hello-multiplier, which can be any number between 4 and 10, determines the number of hello packets that will be sent every second. The CLI syntax for OSPF fast-hello is the following:

config ospf-interface

edit ospf1

set interface port1

set network-type broadcast

set dead-interval 1

set hello-multiplier 4

next

end

Access lists

Access lists are filters used by OSPF routing on a FortiGate. An access list provides a list of IP addresses and the action to take for them. An access list essentially makes it easy to group addresses that will be treated the same into the same group, independent of their subnets or other matching qualities. You add a rule for each address or subnet that you want to include, specifying the action to take for it. For example, if you want all traffic from one department to be routed a particular way, even in different buildings, you can add all the addresses to an access list and then handle that list all at once.

Each rule in an access list consists of a prefix (IP address and netmask), the action to take for this prefix (permit or deny), and whether to match the prefix exactly or to match the prefix and any more specific prefix.

The FortiGate attempts to match a packet against the rules in an access list, starting at the top of the list. If it finds a match for the prefix, it takes the action specified for that prefix. If no match is found, the default action is deny.

Access lists greatly speed up configuration and network management. When there is a problem, you can check each list instead of individual addresses. It also eases troubleshooting because if all addresses on one list have problems, it eliminates many possible causes right away.

If you are using the OSPF+ IPv6 protocols, you will need to use access-list6, the IPv6 version of access list. The only difference is that access-list6 uses IPv6 addresses.

For example, if you want to create an access list called test_list that only allows an exact match of 10.10.10.10 and 11.11.11.11, enter the following CLI commands:

config router access-list

edit test_list

config rule

edit 1

set prefix 10.10.10.10 255.255.255.255

set action allow

set exact-match enable

next

edit 2

set prefix 11.11.11.11 255.255.255.255

set action allow

set exact-match enable

next

next

end

Another example is if you want to deny ranges of addresses in IPv6 that start with the IPv6 equivalents of 10.10.10.10 and 11.11.11.11, enter the following access-list6 CLI commands:

config router access-list6

edit test_list_ip6

config rule

edit 1

set prefix6 2002:A0A:A0A:0:0:0:0:0:/48

set action deny

next

edit 2

set prefix6 2002:B0B:B0B:0:0:0:0:0/48

set action deny

next

next

end

To use an access_list, you must call it from a routing protocol such as RIP. The following example uses the access_list from the earlier example called test_list to match routes coming in on the port1 interface. When there's a match, it'll add 3 to the hop count metric for those routes to artificially decrease their priority. Enter the following CLI commands:

config router ospf

config distribute-list

edit 5

set access-list test_list

set protocol connected

next

end

If you're setting a prefix of 128.0.0.0, use the format 128.0.0.0/1. The default route 0.0.0.0/0 can't be matched exactly with an access-list. A prefix-list must be used for this purpose.

How OSPF works

An OSPF installation consists of one or more areas. An OSPF area is typically divided into logical areas linked by Area Border Routers (ABR). A group of contiguous networks form an area. An ABR links one or more areas to the OSPF network backbone (area ID 0). For more information, see Dynamic routing.

OSPF is an interior routing protocol. It includes a backbone AS and possibly additional ASs. The DR and BDR are elected from potential routers with the highest priorities. The DR handles much of the administration to lower the network traffic required. New routers are discovered through hello packets sent from the DR using the multicast address of 224.0.0.5. If the DR goes offline at any time, the BDR has a complete table of routes that it uses when it takes over as the DR router.

OSPF doesn't use UDP or TCP, but is encapsulated directly in IP datagrams as protocol 89. This is in contrast to RIP and BGP. OSPF handles its own error detection and correction functions.

The OSPF protocol, when running on IPv4, can operate securely between routers, optionally using a variety of authentication methods to allow only trusted routers to participate in routing. OSPFv3, running on IPv6, no longer supports protocol-internal authentication. Instead, it relies on IPv6 protocol security (IPsec).

Other important parts of how OSPF works include:

OSPF router discovery

OSPF-enabled routers generate link state advertisements (LSA) and send them to their neighbors whenever the status of a neighbor changes or a new neighbor comes online. As long as the OSPF network is stable, LSAs between OSPF neighbors don't occur. An LSA identifies the interfaces of all OSPF-enabled routers in an area, and provides information that enables OSPF-enabled routers to select the shortest path to a destination. All LSA exchanges between OSPF-enabled routers are authenticated.

When a network of OSPF routers comes online, the following steps occur:

  1. When OSPF routers come online, they send out hello packets to find other OSPF routers on their network segment.
  2. When they discover other routers on their network segment, they generally become adjacent. Adjacent routers can exchange routing updates. For more information, see Adjacency.
  3. A DR and BDR are elected from the available routers using priority settings and router ID. See Designated router and backup router, and DR and BDR election issues.
  4. Link state updates are sent between adjacent routers to map the topology of the OSPF area.
  5. Once complete, the DR floods the network with the updates to ensure all OSPF routers in the area have the same OSPF route database. After the initial update, there are very few required updates if the network is stable.

How OSPF works on FortiGate devices

When a FortiGate interface is connected to an OSPF area, that unit can participate in OSPF communications. FortiGate devices use the OSPF hello protocol to acquire neighbors in an area. A neighbor is any router that's directly connected to the same area as the FortiGate and is ideally adjacent with a state of Full. After initial contact, the FortiGate exchanges hello packets with its OSPF neighbors regularly to confirm that the neighbors can be reached.

The number of routes that a FortiGate can learn through OSPF depends on the network topology. A single unit can support tens of thousands of routes if the OSPF network is configured properly.

External routes

OSPF is an internal routing protocol. OSPF external routes are routes where the destination is using a routing protocol other than OSPF. OSPF handles external routes by adjusting the cost of the route to include the cost of the other routing protocol. There are two methods of calculating this cost, which are used for OSPF external1 (E1) and OSPF external2 (E2).

OSPF E1

In OSPF E1, the destination is outside the OSPF domain. This requires a different metric to be used beyond the normal OSPF metrics. The new metric of a redistributed route is calculated by adding the external cost and the OSPF cost together.

OSPF E2

OSPF E2 is the default external type when routes are redistributed outside of OSPF. With OSPF E2, the metric of the redistributed route is equivalent to the external cost only, expressed as an OSPF cost. Dropping the OSPF portion can be useful in a number of situations, for example, on border routers that have no OSPF portion or where the OSPF routing cost is negligible compared to the external routing cost.

Comparing E1 and E2

The best way to understand OSPF E1 and E2 routes is to check routing tables on OSPF routers. If you look at the routes on an OSPF border router, the redistributed routes will have an associated cost that represents only the external route, as there is no OSPF cost to the route due to it already being on the edge of the OSPF domain. However, if you look at that same route on a different OSPF router inside the OSPF routing domain, it has a higher associated cost, essentially the external cost plus the cost over the OSPF domain to that border router. The border router uses OSPF E2, where the internal OSPF router uses OSPF E1 for the same route.

Viewing external routes

When you're trying to determine the costs for routes in your network to predict how traffic will be routed, you need to see the external OSPF routes and their associated costs. On a FortiGate, you can use the CLI to find this information.

To view external routes - CLI:

You can view the whole routing table using the get router info routing-table all command to see all of the routes, including the OSPF external routes. To view a shorter list, you can use the get router info routing-table ospf command. The letter at the left will be either E1 or E2 for external OSPF routes. The output looks similar to the following, depending on what routes are in the routing table:

FGT620B# get router info routing-table all

Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP

O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default

O*E2 0.0.0.0/0 [110/10] via 10.1.1.3, tunnel_wan2, 00:02:11

O 10.0.0.1/32 [110/300] via 10.1.1.3, tunnel_wan2, 00:02:11

S 0.0.0.0/0 [10/0] via 192.168.183.254, port2

S 1.0.0.0/8 [10/0] via 192.168.183.254, port2

Link state database and route updates

OSPF is based on links. The links between adjacent neighbor routers allow updates to be passed along the network. Network links allow the DR to flood the area with link state database (LSDB) updates. External links allow the OSPF area to connect to destinations outside the OSPF autonomous system. Information about these links is passed throughout the OSPF network as link state updates.

The LSDB contains the information that defines the complete OSPF area, but the LSDB isn't the routing table. It contains the information from all the link state updates passed along the network. When there are no more changes required and the network is stable, the LSDB on each router in the network is the same. The DR floods the LSDB to the area to ensure that each router has the same LSDB.

To calculate the best route (shortest path) to a destination, the FortiGate applies the Shortest Path First (SPF) algorithm, based on Dijkstra’s algorithm, to the accumulated link state information. OSPF uses relative path cost metric for choosing the best route. The path cost can be any metric, but it's typically the bandwidth of the path, which is how fast traffic will get from one point to another.

The path cost, similar to distance for RIP, imposes a penalty on the outgoing direction of a FortiGate interface. The path cost of a route is calculated by adding all of the costs associated with the outgoing interfaces along the path to the destination. The lowest overall path cost indicates the best route, and generally the fastest route. Some brands of OSPF routers, such as Cisco, implement cost as a direct result of bandwidth between the routers. Generally this is a good cost metric because larger bandwidth means more traffic can travel without slowing down. To achieve this type of cost metric on FortiGate devices, you need to set the cost for each interface manually in the CLI.

The inter-area routes may not be calculated when a Cisco type ABR has no fully adjacent neighbor in the backbone area. In this situation, the router considers summary‑LSAs from all Actively summary-LSAs from all Actively Attached areas (RFC 3509).

The FortiGate dynamically updates its routing table based on the results of the SPF calculation to ensure that an OSPF packet will be routed using the shortest path to its destination. Depending on the network topology, the entries in the FortiGate routing table may include:

  • The addresses of networks in the local OSPF area (to which packets are sent directly)
  • Routes to OSPF area border routers (to which packets destined for another area are sent)
  • Routes to area boundary routers, if the network contains OSPF areas and non-OSPF domains, which reside on the OSPF network backbone and are configured to forward packets to destinations outside the OSPF AS.

OSPF route updates

Once the OSPF domain is established, there should be few updates required on a stable network. When updates occur and a decision is required concerning a new route, this is the general procedure.

Our router gets a new route and needs to decide if it should go in the routing table.

The router has an up-to-date LSDB of the entire area, containing information about each router, the next hop to it, and most importantly the cost to get there.

Our router turns the LSDB into an SPF tree using Dijkstra’s algorithm. It doesn't matter if there's more than one path to a router on the network, the SPF tree only cares about the shortest path to that router.

Once the SPF tree has been created and shows the shortest paths to all the OSPF routers on the network, the work is done. If the new route is the best route, it'll be part of that tree. If it's not the shortest route, it won't be included in the LSDB.

If there has been a change from the initial LSDB to the new SPF tree, a link state update will be sent out to let the other routers know about the change so they can also update their LSDBs. This is vital since all routers on the OSPF area must have the same LSDB.

If there was no change between the LSDB and the SPF tree, no action is taken.

OSPF packets

Every OSPF packet starts with a standard 24-byte header, and another 24 bytes of information or more. The header contains all the information necessary to determine whether the packet should be accepted for further processing.

OSPF packet fields (the 24-byte header, followed by the fields of a Hello packet):

  • 1-byte Version field
  • 1-byte Type field
  • 2-byte Packet length
  • 4-byte Router ID
  • 4-byte Area ID
  • 2-byte Checksum
  • 2-byte Auth Type
  • 8-byte Authentication
  • 4-byte Network Mask
  • 2-byte Hello interval
  • 1-byte Options field
  • 1-byte Router Priority
  • 4-byte Dead Router interval
  • 4-byte DR field
  • 4-byte BDR field
  • 4-byte Neighbor ID

The following descriptions summarize the OSPF packet header fields:

Version field: The OSPF version number. This specification documents version 2 of the protocol.

Type field: There are 5 OSPF packet types. From one to five, respectively, they are Hello, Database Description, Link State Request, Link State Update, and Link State Acknowledgment.

Packet length: The length of the OSPF protocol packet, in bytes. This length includes the standard 24-byte OSPF header, so every OSPF packet is at least 24 bytes long.

Router ID: The Router ID of the packet's source.

Area ID: A 32-bit number identifying the area that this packet belongs to. All OSPF packets are associated with a single area. Most travel a single hop only. Packets travelling over a virtual link are labelled with the backbone Area ID of 0.0.0.0.

Checksum: The standard IP checksum of the entire contents of the packet, starting with the OSPF packet header but excluding the 64-bit authentication field. This checksum is calculated as the 16-bit one's complement of the one's complement sum of all the 16-bit words in the packet, excepting the authentication field. If the packet's length isn't an integral number of 16-bit words, the packet is padded with a byte of zero before checksumming. The checksum is considered to be part of the packet authentication procedure. For some authentication types, the checksum calculation is omitted.

Auth Type: Identifies the authentication procedure to be used for the packet. The defined authentication types are Null authentication (0), Simple password (1), and Cryptographic authentication (2); all other values are reserved for future use.

Authentication: A 64-bit field for use by the authentication scheme. When AuType indicates no authentication is being used, the authentication field isn't checked and can be any value. When AuType is set to 2 (cryptographic authentication), the 64-bit authentication field is split into the following four fields: Zero field, Key ID field, Authentication data length field, and Cryptographic sequence field.

The Key ID field identifies the key and algorithm used to create the message digest appended to the packet. The Authentication data length field gives the length of that message digest in bytes. The Cryptographic sequence field is a non-decreasing sequence number; the receiver records the value of each packet it authenticates and uses it to reject replayed packets.

Network Mask: The subnet where this packet is valid.

Hello interval: The period of time between sending out hello packets. For more information, see Hello and dead intervals.

Options field: The OSPF protocol defines several optional capabilities. A router indicates the optional capabilities that it supports in its OSPF hello packets, database description packets and in its LSAs. This enables routers supporting a mix of optional capabilities to coexist in a single AS.

Router priority: The priority, between 0 and 255, that determines which routers become the DR and BDR. For more information, see Designated router and backup router.

Dead router interval: The period of time when there's no response from a router before it's declared dead. For more information, see Hello and dead intervals.

DR and BDR fields: The DR and BDR fields each list the router that fills that role on this network, generally the routers with the highest priorities. For more information, see Designated router and backup router.

Neighbor ID: The ID number of a neighboring router. This ID is used to discover new routers and respond to them.
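As an added example (not from the Fortinet handbook), the following Python builds a constructed OSPFv2 Hello packet and applies the receiver-side header checks described above: version, type, length, the RFC 2328 one's complement checksum that skips the 64-bit authentication field, and, for AuType 2, the Key ID, authentication data length and cryptographic sequence sub-fields. Router IDs, mask and timers are constructed sample values.

```python
import struct
from ipaddress import IPv4Address

# Packet and authentication type codes as listed in RFC 2328
OSPF_TYPES = {1: "Hello", 2: "Database Description", 3: "Link State Request",
              4: "Link State Update", 5: "Link State Acknowledgment"}
AUTH_TYPES = {0: "Null", 1: "Simple password", 2: "Cryptographic"}
def ip2int(a): return int(IPv4Address(a))

def ospf_checksum(pkt: bytes) -> int:
    """One's complement of the one's complement sum of all 16-bit words,
    skipping the 64-bit authentication field; odd length is zero-padded."""
    body = pkt[:16] + pkt[24:]
    if len(body) % 2:
        body += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(body) // 2), body))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_hello(router_id, area_id, mask, hello=10, dead=40, neighbors=()):
    """Constructed sample OSPFv2 Hello, Null auth, checksum filled in."""
    # network mask, hello interval, options (E-bit), priority, dead interval, DR, BDR
    body = struct.pack("!IHBBIII", ip2int(mask), hello, 0x02, 1, dead, 0, 0)
    body += b"".join(struct.pack("!I", ip2int(n)) for n in neighbors)
    hdr = struct.pack("!BBHIIHH", 2, 1, 24 + len(body), ip2int(router_id),
                      ip2int(area_id), 0, 0) + bytes(8)   # checksum 0, AuType 0
    return hdr[:12] + struct.pack("!H", ospf_checksum(hdr + body)) + hdr[14:] + body

def parse_ospf_header(pkt: bytes) -> dict:
    """Receiver-side header checks: version, type, length, then checksum
    (or the AuType 2 sub-fields, for which no checksum is computed)."""
    if len(pkt) < 24:
        raise ValueError("shorter than the 24-byte OSPF header")
    version, ptype, length, rid, aid, csum, autype = struct.unpack("!BBHIIHH", pkt[:16])
    if version != 2 or ptype not in OSPF_TYPES or not 24 <= length <= len(pkt):
        raise ValueError("rejected: bad version, type or length")
    hdr = {"type": OSPF_TYPES[ptype], "length": length,
           "router_id": str(IPv4Address(rid)), "area_id": str(IPv4Address(aid)),
           "auth_type": AUTH_TYPES.get(autype, "reserved")}
    if autype == 2:
        # Zero(2) | Key ID(1) | Auth data length(1) | Cryptographic sequence(4)
        _, hdr["key_id"], hdr["auth_data_len"], hdr["crypto_seq"] = struct.unpack("!HBBI", pkt[16:24])
        hdr["checksum_ok"] = None
    else:   # recompute with the checksum field cleared and compare
        hdr["checksum_ok"] = ospf_checksum(pkt[:12] + b"\0\0" + pkt[14:length]) == csum
    return hdr
```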

OSPF and VRFs

You can configure OSPF support for multiple virtual routing and forwarding (VRF) instances on a FortiGate.

To add VRFs for interfaces - CLI:

config system interface
    edit <name>
        set vrf <VRF ID>
    next
end

where vrf is a value of 0 to 31. FortiOS supports 32 VRFs (numbered 0 to 31) per VDOM.