OSPF
Open Shortest Path First (OSPF) is an interior gateway protocol (IGP) most often used to manage routes dynamically in large enterprise networks. It determines routes by obtaining information from other routers and advertising routes to them by way of Link State Advertisements (LSAs). The information gathered from the LSAs is used to construct a topology map of the network. This map is shared across the routers in the network and used to populate the IP routing table with available routes.
Changes in the network topology are detected dynamically and used to generate a new topology map within seconds. Each router then computes a shortest path tree with itself at the root. The cost assigned to each router interface is what that calculation sums to find the best route; administrators usually derive the cost from link characteristics such as bandwidth, delay or availability, and because the cost is configured statically it can be used to steer which paths the SPF calculation prefers.
The Palo Alto Networks implementation of OSPF fully supports the following RFCs:
RFC 2328, OSPF Version 2 (for IPv4)
RFC 5340, OSPF for IPv6 (OSPFv3)
The following topics provide more information about OSPF and procedures for configuring OSPF on the firewall:
OSPF Concepts
The following topics introduce the OSPF concepts you will need to understand in order to configure the firewall to participate in an OSPF network:
OSPFv3
OSPFv3 provides support for the OSPF routing protocol within an IPv6 network. As such, it provides support for IPv6 addresses and prefixes. It retains most of the structure and functions in OSPFv2 (for IPv4) with some minor changes. The following are some of the additions and changes to OSPFv3:
- Support for multiple instances per link: With OSPFv3, you can run multiple instances of the OSPF protocol over a single link. Each instance corresponds to an Instance ID carried in the OSPFv3 packet header; an interface that is assigned to an instance ID drops packets that carry a different ID.
- Protocol processing per link: OSPFv3 operates per link instead of per IP subnet as in OSPFv2.
- Changes to addressing: IPv6 addresses are not present in OSPFv3 packets, except in LSA payloads within Link State Update packets. Neighboring routers are identified by their Router ID.
- Authentication changes: OSPFv3 packets carry no authentication fields of their own; authentication is delegated to IPsec as described in RFC 4552. Configuring OSPFv3 on the firewall therefore requires an authentication profile that specifies Encapsulating Security Payload (ESP) or IPv6 Authentication Header (AH). The re-keying procedure specified in RFC 4552 is not supported in this release.
- New LSA types: OSPFv3 adds two LSA types, the Link LSA and the Intra-Area-Prefix LSA.
All additional changes are described in detail in RFC 5340.
OSPF Neighbors
Two OSPF-enabled routers connected by a common network and in the same OSPF area that form a relationship are OSPF neighbors. The connection between them can be a common broadcast domain or a point-to-point link. The relationship is established through the exchange of OSPF Hello packets, and it forms only if the Hello parameters match on both sides: area ID, hello and dead intervals, authentication, and on broadcast networks the subnet mask. These neighbor relationships are then used to exchange routing updates between the routers.
OSPF Areas
OSPF operates within a single autonomous system (AS). Networks within this single AS, however, can be divided into a number of areas. By default, Area 0 is created. Area 0 can either function alone or act as the OSPF backbone for a larger number of areas. Each OSPF area is named by a 32-bit identifier, which in most cases is written in the same dotted-decimal notation as an IPv4 address. For example, Area 0 is usually written as 0.0.0.0.
The topology of an area is maintained in its own link state database and is hidden from other areas, which reduces the amount of routing traffic OSPF must carry. The topology is then shared in summarized form between areas by the connecting Area Border Router.
OSPF area types:
- Backbone Area: The backbone area (Area 0) is the core of an OSPF network. All other areas connect to it, and all traffic and routing information between areas is distributed through it. The connection to the backbone need not be direct; an area without a physical link to Area 0 can reach it through a virtual link.
- Normal OSPF Area: There are no restrictions; the area can carry all types of routes.
- Stub OSPF Area: A stub area does not receive routes from other autonomous systems. Destinations outside the area are reached through a default route toward the backbone area.
- NSSA Area: The Not-So-Stubby Area (NSSA) is a type of stub area that can import external routes, with some limited exceptions.
OSPF Router Types
Within an OSPF area, routers are divided into the following categories.
- Internal Router: A router whose OSPF neighbor relationships are all with devices in the same area.
- Area Border Router (ABR): A router that has OSPF neighbor relationships with devices in multiple areas. ABRs gather topology information from their attached areas and distribute it to the backbone area.
- Backbone Router: Any OSPF router that is attached to the OSPF backbone. Since ABRs are always connected to the backbone, they are always classified as backbone routers.
- Autonomous System Boundary Router (ASBR): A router that attaches to more than one routing protocol and exchanges routing information between them.
Configure OSPF
OSPF determines routes dynamically by obtaining information from other routers and advertising routes to other routers by way of Link State Advertisements (LSAs). The router keeps information about the links between it and each destination and can make highly efficient routing decisions. A cost is assigned to each router interface, and the best route to a destination is the one with the lowest total cost, summed over the outbound interfaces traversed along the path.
Hierarchical techniques are used to limit the number of routes that must be advertised and the associated LSAs. Because OSPF dynamically processes a considerable amount of route information, it has greater processor and memory requirements than RIP does.
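As an added illustration (this is not PAN-OS code or anything from this guide), the following Python script runs the SPF calculation described above over a constructed four-router link-state database, derives the routing table from the resulting tree, and then shows how statically raising one interface cost steers the forward path while leaving the reverse path unchanged, because OSPF charges cost per outbound interface. The router IDs, costs and topology are invented sample data.

```python
import heapq

# Constructed sample link-state database (not from any real deployment):
# router ID -> list of (neighbor router ID, cost of the outbound interface
# toward that neighbor). OSPF assigns cost per outbound interface, so the two
# directions of one link are separate entries and may carry different costs.
LSDB = {
    "1.1.1.1": [("2.2.2.2", 10), ("3.3.3.3", 10)],
    "2.2.2.2": [("1.1.1.1", 10), ("4.4.4.4", 10)],
    "3.3.3.3": [("1.1.1.1", 10), ("4.4.4.4", 30)],
    "4.4.4.4": [("2.2.2.2", 10), ("3.3.3.3", 30)],
}


def spf(lsdb, root):
    """Dijkstra shortest-path-first calculation rooted at `root`.

    Returns {router: (total cost, [root, ..., router])}. The total is the sum
    of outbound interface costs along the path, which is how OSPF totals it.
    Equal-cost alternatives are not kept here; a real router would install
    all of them as ECMP next hops."""
    dist, prev, done = {root: 0}, {}, set()
    heap = [(0, root)]
    while heap:
        cost, node = heapq.heappop(heap)
        if node in done:
            continue
        done.add(node)
        for nbr, link_cost in lsdb.get(node, ()):
            candidate = cost + link_cost
            if candidate < dist.get(nbr, float("inf")):
                dist[nbr] = candidate
                prev[nbr] = node
                heapq.heappush(heap, (candidate, nbr))

    def path_to(node):
        hops = [node]
        while hops[-1] != root:
            hops.append(prev[hops[-1]])
        return hops[::-1]

    return {node: (cost, path_to(node)) for node, cost in dist.items()}


def routing_table(tree):
    """Destination -> (next hop, cost): what the SPF tree contributes to the
    routing table. The root itself is not a destination."""
    return {dst: (path[1], cost) for dst, (cost, path) in tree.items() if len(path) > 1}


def with_cost(lsdb, router, neighbor, cost):
    """Copy of the LSDB with the cost of `router`'s interface toward
    `neighbor` changed: the static metric tuning described in the text."""
    updated = {r: list(links) for r, links in lsdb.items()}
    updated[router] = [(n, cost if n == neighbor else c) for n, c in updated[router]]
    return updated


if __name__ == "__main__":
    for dst, (nh, cost) in sorted(routing_table(spf(LSDB, "1.1.1.1")).items()):
        print(f"{dst} via {nh} cost {cost}")
    # Raising 2.2.2.2's cost toward 4.4.4.4 moves 1.1.1.1's path onto 3.3.3.3,
    # but the reverse path 4.4.4.4 -> 2.2.2.2 -> 1.1.1.1 is not affected.
    steered = with_cost(LSDB, "2.2.2.2", "4.4.4.4", 50)
    print(spf(steered, "1.1.1.1")["4.4.4.4"])
    print(spf(steered, "4.4.4.4")["1.1.1.1"])
```

The asymmetry is the point to remember when tuning metrics on the firewall: changing the Metric on one of the firewall's interfaces alters only the cost other routers pay to send traffic through that interface in that direction, so return traffic may keep using a different path until the cost on the far side is adjusted as well.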
Configure OSPF
Configure general virtual router configuration settings. See Virtual Routers for details.
Enable OSPF. Select the OSPF tab. Select Enable to enable the OSPF protocol. (Optional) Enter the Router ID. Select Reject Default Route if you do not want to learn any default routes through OSPF. This is the recommended default setting: with it cleared, any neighbor that can form an adjacency can install a default route on the firewall and attract all traffic that has no more specific route. Clear Reject Default Route only if you intentionally want to permit default routes learned through OSPF.
Configure Areas - Type for the OSPF protocol. On the Areas tab, click Add. Enter an Area ID for the area in x.x.x.x format. This is the identifier that each neighbor must share to be part of the same area. On the Type tab, select one of the following from the area Type drop-down:
- Normal: There are no restrictions; the area can carry all types of routes.
- Stub: There is no outlet from the area. To reach a destination outside the area, traffic goes through the Area Border Router (ABR) that connects it to the backbone. If you select this option, configure the following:
  - Accept Summary: Summary link state advertisements (LSAs) are accepted from other areas. If this option is disabled on a stub-area ABR interface, the area behaves as a Totally Stubby Area (TSA) and the ABR does not propagate any summary LSAs into it.
  - Advertise Default Route: Default route LSAs are included in advertisements to the stub area, with the configured metric value (range is 1-255).
- NSSA (Not-So-Stubby Area): Like a stub area, except that external (non-OSPF) routes can be imported into the area and advertised from it. If selected, configure Accept Summary and Advertise Default Route as described for Stub, plus the following:
  - Type: Select either Ext 1 or Ext 2 as the route type for the advertised default LSA.
  - Ext Ranges: Click Add to enter ranges of external routes for which you want to enable or suppress advertising.
Click OK.
Configure Areas - Range for the OSPF protocol On the Range tab, click Add to aggregate LSA destination addresses in the area into subnets. Advertise or Suppress advertising LSAs that match the subnet, and click OK. Repeat to add additional ranges.
Configure Areas - Interfaces for the OSPF protocol. On the Interface tab, click Add and enter the following information for each interface to be included in the area:
- Interface: Select an interface from the drop-down.
- Enable: Select this option to make the OSPF interface settings take effect.
- Passive: Select if you do not want the OSPF interface to send or receive OSPF packets. Although no OSPF packets are sent or received on a passive interface, the interface is still included in the LSA database, so its network is advertised but no adjacency can form on it. Use this on segments that have no legitimate OSPF neighbor, such as user or server VLANs, so that a host on that segment cannot form an adjacency and inject routes.
- Link type: Choose Broadcast to discover all neighbors reachable through the interface automatically by multicasting OSPF Hello messages, as on an Ethernet interface. Choose p2p (point-to-point) to discover the single neighbor automatically. Choose p2mp (point-to-multipoint) when neighbors must be defined manually; defining neighbors manually is allowed only for p2mp mode.
- Metric: Enter an OSPF metric (cost) for this interface (range is 0-65535; default is 10).
- Priority: Enter an OSPF priority for this interface. This is the priority for the router to be elected as a designated router (DR) or backup DR (BDR) (range is 0-255; default is 1). If zero is configured, the router will not be elected as DR or BDR.
- Auth Profile: Select a previously defined authentication profile.
- Timing: Modify the timing settings if desired (not recommended). For details on these settings, refer to the online help. The hello and dead intervals must match on both ends of a link or the adjacency will not form.
- Neighbors: If p2mp is selected as the Link Type, enter the neighbor IP addresses for all neighbors that are reachable through this interface.
Click OK.
Configure Areas - Virtual Links. On the Virtual Link tab, click Add and enter the following information for each virtual link to be included in the backbone area:
- Name: Enter a name for the virtual link.
- Neighbor ID: Enter the router ID of the router (neighbor) on the other side of the virtual link.
- Transit Area: Enter the area ID of the transit area that physically contains the virtual link.
- Enable: Select to enable the virtual link.
- Timing: It is recommended that you keep the default timing settings.
- Auth Profile: Select a previously defined authentication profile.
Click OK.
(Optional) Configure Auth Profiles. By default, the firewall does not authenticate the exchange between OSPF neighbors, so any device that can reach the segment and match the Hello parameters can form an adjacency and inject routes. You can configure OSPF authentication between neighbors using either a simple password or MD5 authentication. MD5 is recommended: a simple password is carried in cleartext in the header of every OSPF packet, whereas with MD5 only a keyed digest of the packet and a sequence number are sent (RFC 2328, Appendix D), so the key is never exposed on the wire and replays of old packets are rejected. In both cases the key is a shared secret that must be identical on every neighbor on the link.
Simple Password OSPF authentication:
- On the Auth Profiles tab, click Add.
- Enter a name for the authentication profile to authenticate OSPF messages.
- Select Simple Password as the Password Type.
- Enter a simple password and then confirm it.
MD5 OSPF authentication:
- On the Auth Profiles tab, click Add.
- Enter a name for the authentication profile to authenticate OSPF messages.
- Select MD5 as the Password Type.
- Click Add and enter one or more password entries, each with a Key-ID (range is 0-255) and a Key. Select the Preferred option for the key that is to be used to authenticate outgoing messages. Because the Key-ID in each received packet selects the key used to verify it, you can roll keys without dropping the adjacency: add the new Key-ID and Key on every neighbor first, then mark it Preferred, then remove the old entry.
- Click OK. Click OK again in the Virtual Router - OSPF Auth Profile dialog box.
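To make the difference between the two profile types concrete, here is an added Python example; it is not PAN-OS code and uses no firewall API. It builds an OSPFv2 Hello and applies each authentication type exactly as RFC 2328 specifies: with Simple Password the password bytes sit in the packet header, while with MD5 only a keyed digest and a sequence number are sent, and the receiver rejects packets that carry an unknown Key-ID, a wrong key, a modified body, or a sequence number that goes backwards. The router IDs, neighbor address, key and Key-ID are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct

OSPF_VERSION, OSPF_HELLO = 2, 1
AUTYPE_NULL, AUTYPE_SIMPLE, AUTYPE_MD5 = 0, 1, 2
HEADER_LEN, MD5_LEN = 24, 16


def ospf_checksum(pkt):
    """RFC 1071 one's-complement checksum over the packet with the checksum
    field zeroed and the 64-bit authentication field excluded (RFC 2328 A.3.1)."""
    data = pkt[:12] + b"\x00\x00" + pkt[14:16] + pkt[24:]
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_hello(router_id, area_id, neighbors=(), netmask="255.255.255.0",
                hello_interval=10, dead_interval=40, priority=1):
    """Unauthenticated OSPFv2 Hello (AuType 0); all values are constructed samples."""
    body = socket.inet_aton(netmask)
    body += struct.pack("!HBBI", hello_interval, 0x02, priority, dead_interval)
    body += b"\x00" * 8  # DR and BDR: none elected yet
    for n in neighbors:
        body += socket.inet_aton(n)
    header = struct.pack("!BBH4s4sHH8s", OSPF_VERSION, OSPF_HELLO, HEADER_LEN + len(body),
                         socket.inet_aton(router_id), socket.inet_aton(area_id),
                         0, AUTYPE_NULL, b"\x00" * 8)
    return header + body


def with_simple_password(pkt, password):
    """AuType 1: the password itself is carried in the 8-byte authentication field."""
    auth = password.ljust(8, b"\x00")[:8]
    pkt = pkt[:14] + struct.pack("!H", AUTYPE_SIMPLE) + auth + pkt[24:]
    return pkt[:12] + struct.pack("!H", ospf_checksum(pkt)) + pkt[14:]


def with_md5(pkt, key_id, key, seq):
    """AuType 2 (RFC 2328 D.4.3): checksum 0, authentication field =
    0 | Key ID | Auth Data Length (16) | sequence number. The digest
    MD5(packet || key padded to 16 bytes) is appended after the packet and is
    not counted in the header's length field."""
    auth = struct.pack("!HBBI", 0, key_id, MD5_LEN, seq)
    pkt = pkt[:12] + b"\x00\x00" + struct.pack("!H", AUTYPE_MD5) + auth + pkt[24:]
    digest = hashlib.md5(pkt + key.ljust(16, b"\x00")[:16]).digest()
    return pkt + digest


def verify_md5(frame, keys, last_seq):
    """Receiver check: the Key ID must be configured, the digest must match,
    and the sequence number must not go backwards for that router.
    keys: {key_id: key}; last_seq: {router_id: highest accepted sequence}."""
    if len(frame) < HEADER_LEN:
        return False
    length = struct.unpack("!H", frame[2:4])[0]
    router_id = socket.inet_ntoa(frame[4:8])
    autype = struct.unpack("!H", frame[14:16])[0]
    _, key_id, auth_len, seq = struct.unpack("!HBBI", frame[16:24])
    if autype != AUTYPE_MD5 or auth_len != MD5_LEN or key_id not in keys:
        return False
    if len(frame) != length + MD5_LEN:
        return False
    pkt, digest = frame[:length], frame[length:]
    expected = hashlib.md5(pkt + keys[key_id].ljust(16, b"\x00")[:16]).digest()
    if not hmac.compare_digest(expected, digest):
        return False
    if seq < last_seq.get(router_id, 0):
        return False  # replayed or stale packet
    last_seq[router_id] = seq
    return True


if __name__ == "__main__":
    hello = build_hello("10.0.0.1", "0.0.0.0", neighbors=["10.0.0.2"])
    print(b"s3cret" in with_simple_password(hello, b"s3cret"))  # the password is readable on the wire
    keys, seen = {1: b"pan-ospf-key"}, {}
    print(verify_md5(with_md5(hello, 1, keys[1], 1000), keys, seen))       # accepted
    print(verify_md5(with_md5(hello, 1, keys[1], 999), keys, seen))        # older sequence: rejected
    print(verify_md5(with_md5(hello, 1, b"wrong-key", 1001), keys, seen))  # wrong key: rejected
```

The MD5 scheme is the RFC 2328 keyed-digest construction rather than an HMAC, and it provides integrity and replay protection only: the Hello contents stay readable, and any party that knows the key can forge packets, so the key deserves the same handling as any other network credential.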
Configure Advanced OSPF options. On the Advanced tab:
- Select RFC 1583 Compatibility to interoperate with routers that still follow RFC 1583, the earlier OSPFv2 specification, in how they prefer among AS-external routes; all routers in the domain should agree on this setting.
- Configure a value for the SPF Calculation Delay (sec) timer. This timer lets you tune the delay between receiving new topology information and performing an SPF calculation. Lower values enable faster OSPF re-convergence. Routers peering with the firewall should be tuned in a similar manner to optimize convergence times.
- Configure a value for the LSA Interval (sec) timer. This timer specifies the minimum time between transmissions of two instances of the same LSA (same router, same type, same LSA ID). It is equivalent to MinLSInterval in RFC 2328. Lower values can reduce re-convergence times when topology changes occur.
Configure OSPFv3
OSPF supports both IPv4 and IPv6. You must use OSPFv3 if you are using IPv6.
Configure OSPFv3
Configure general virtual router configuration settings. See Virtual Routers for details.
Configure general OSPFv3 configuration settings. Select the OSPFv3 tab. Select Enable to enable the OSPFv3 protocol. Select Reject Default Route if you do not want to learn any default routes through OSPFv3. This is the recommended default setting. Clear Reject Default Route only if you intentionally want to permit default routes learned through OSPFv3.
Configure an Auth Profile for the OSPFv3 protocol. OSPFv3 has no authentication capabilities of its own; it relies entirely on IPsec to secure communications between neighbors. When configuring an authentication profile, you must use Encapsulating Security Payload (ESP), which is recommended, or IPv6 Authentication Header (AH). The security association is keyed manually, with no IKE, so the SPI and key are static shared secrets that must be identical on every neighbor on the link; a neighbor whose SPI or key differs simply drops the packets, and the adjacency never forms. Because the RFC 4552 re-keying procedure is not supported, rotating the key requires a coordinated change on all neighbors.
ESP OSPFv3 authentication:
- On the Auth Profiles tab, click Add.
- Enter a name for the authentication profile to authenticate OSPFv3 messages.
- Specify a Security Parameter Index (SPI). The SPI must match on both ends of the OSPFv3 adjacency and must be a hexadecimal value between 00000000 and FFFFFFFF.
- Select ESP for Protocol.
- Select a Crypto Algorithm from the drop-down: none or one of SHA1, SHA256, SHA384, SHA512 or MD5.
- If a Crypto Algorithm other than none was selected, enter a value for Key and then confirm it.
AH OSPFv3 authentication:
- On the Auth Profiles tab, click Add.
- Enter a name for the authentication profile to authenticate OSPFv3 messages.
- Specify a Security Parameter Index (SPI). The SPI must match on both ends of the OSPFv3 adjacency and must be a hexadecimal value between 00000000 and FFFFFFFF.
- Select AH for Protocol.
- Select a Crypto Algorithm from the drop-down. You must choose one of SHA1, SHA256, SHA384, SHA512 or MD5.
- Enter a value for Key and then confirm it.
Click OK. Click OK again in the Virtual Router - OSPF Auth Profile dialog.
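The following added Python example (not PAN-OS code; it models the exchange rather than configuring anything) shows what the AH profile corresponds to on the wire: an OSPFv3 Hello addressed to ff02::5 wrapped in transport-mode AH with HMAC-SHA1-96 under a manually keyed SA identified by the SPI. The receiver side demonstrates the three ways an adjacency silently fails to form, a non-matching SPI, a non-matching key, and a replayed sequence number, and shows that the hop limit, a mutable field, is excluded from the integrity check. The SPI, key, router IDs and addresses are constructed sample values. ESP with an integrity algorithm protects the same OSPFv3 payload in the same way but does not cover the IPv6 header.

```python
import hashlib
import hmac
import socket
import struct

IPPROTO_OSPF, IPPROTO_AH = 89, 51
OSPFV3_HELLO = 1
ICV_LEN = 12           # HMAC-SHA1-96 (RFC 2404): 20-byte HMAC truncated to 96 bits
AH_LEN = 12 + ICV_LEN  # 24 bytes; IPv6 requires the AH header to be a multiple of 8


def inet_checksum(data):
    """Standard one's-complement Internet checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv6_header(src, dst, payload_len, next_header, hop_limit):
    """Fixed IPv6 header: version 6, traffic class 0, flow label 0."""
    return struct.pack("!IHBB16s16s", 6 << 28, payload_len, next_header, hop_limit,
                       socket.inet_pton(socket.AF_INET6, src),
                       socket.inet_pton(socket.AF_INET6, dst))


def ospfv3_hello(src, dst, router_id, area_id, interface_id=1, instance_id=0, neighbors=()):
    """OSPFv3 Hello (RFC 5340). The header has no authentication field; its
    checksum covers the IPv6 pseudo-header, so src and dst are needed here."""
    body = struct.pack("!IB3sHH", interface_id, 1, b"\x00\x00\x13", 10, 40)  # options R|E|V6
    body += b"\x00" * 8  # DR and BDR: none elected yet
    for n in neighbors:
        body += socket.inet_aton(n)
    pkt = struct.pack("!BBH4s4sHBB", 3, OSPFV3_HELLO, 16 + len(body),
                      socket.inet_aton(router_id), socket.inet_aton(area_id),
                      0, instance_id, 0) + body
    pseudo = (socket.inet_pton(socket.AF_INET6, src) + socket.inet_pton(socket.AF_INET6, dst)
              + struct.pack("!I3xB", len(pkt), IPPROTO_OSPF))
    return pkt[:12] + struct.pack("!H", inet_checksum(pseudo + pkt)) + pkt[14:]


def ah_protect(src, dst, ospf_pkt, spi, seq, key, hop_limit=1):
    """Transport-mode AH (RFC 4302) around an OSPFv3 packet. The ICV is an
    HMAC-SHA1-96 over the IPv6 header with its mutable fields (traffic class,
    flow label, hop limit) zeroed, the AH header with a zeroed ICV, and the payload."""
    ah_fixed = struct.pack("!BBHII", IPPROTO_OSPF, AH_LEN // 4 - 2, 0, spi, seq)
    payload_len = AH_LEN + len(ospf_pkt)
    covered = (ipv6_header(src, dst, payload_len, IPPROTO_AH, hop_limit=0)
               + ah_fixed + b"\x00" * ICV_LEN + ospf_pkt)
    icv = hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]
    return ipv6_header(src, dst, payload_len, IPPROTO_AH, hop_limit) + ah_fixed + icv + ospf_pkt


def ah_verify(frame, sad, replay):
    """Receiver side. sad: {spi: key}, the manually keyed SA that must match on
    both ends; replay: {spi: highest accepted sequence number}.
    Returns the inner OSPFv3 packet, or None when the frame must be dropped."""
    if len(frame) < 40 + AH_LEN or frame[6] != IPPROTO_AH:
        return None
    next_header, payload_len_words, _, spi, seq = struct.unpack("!BBHII", frame[40:52])
    ah_len = (payload_len_words + 2) * 4
    if ah_len != AH_LEN or next_header != IPPROTO_OSPF or spi not in sad:
        return None  # unknown SPI: silently dropped, so the adjacency never forms
    if seq <= replay.get(spi, 0):
        return None  # replayed or stale
    icv, payload = frame[52:52 + ICV_LEN], frame[40 + ah_len:]
    ip6_zeroed = b"\x60\x00\x00\x00" + frame[4:7] + b"\x00" + frame[8:40]
    covered = ip6_zeroed + frame[40:52] + b"\x00" * ICV_LEN + payload
    expected = hmac.new(sad[spi], covered, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        return None  # wrong key or tampered packet
    replay[spi] = seq
    return payload


if __name__ == "__main__":
    sad = {0x100: b"ospfv3-sha1-key"}  # SPI 00000100 and key, as entered in the auth profile
    hello = ospfv3_hello("fe80::1", "ff02::5", "10.0.0.1", "0.0.0.0")
    frame = ah_protect("fe80::1", "ff02::5", hello, 0x100, 1, sad[0x100])
    print(ah_verify(frame, sad, {}) == hello)          # True
    print(ah_verify(frame, {0x101: sad[0x100]}, {}))   # None: SPI mismatch
    print(ah_verify(frame, {0x100: b"other-key"}, {}))  # None: key mismatch
```

When an OSPFv3 adjacency stays in Init or never appears after an auth profile is applied, the SPI and key comparison in ah_verify is the first thing to check on both ends, since neither side logs the reason an IPsec-protected packet was discarded at the protocol level.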
Configure Areas - Type for the OSPFv3 protocol. On the Areas tab, click Add. Enter an Area ID. This is the identifier that each neighbor must share to be part of the same area. On the General tab, select one of the following from the area Type drop-down:
- Normal: There are no restrictions; the area can carry all types of routes.
- Stub: There is no outlet from the area. To reach a destination outside the area, traffic goes through the Area Border Router (ABR) that connects it to the backbone. If you select this option, configure the following:
  - Accept Summary: Summary link state advertisements (LSAs) are accepted from other areas. If this option is disabled on a stub-area ABR interface, the area behaves as a Totally Stubby Area (TSA) and the ABR does not propagate any summary LSAs into it.
  - Advertise Default Route: Default route LSAs are included in advertisements to the stub area, with the configured metric value (range is 1-255).
- NSSA (Not-So-Stubby Area): Like a stub area, except that external (non-OSPF) routes can be imported into the area and advertised from it. If selected, configure Accept Summary and Advertise Default Route as described for Stub, plus the following:
  - Type: Select either Ext 1 or Ext 2 as the route type for the advertised default LSA.
  - Ext Ranges: Click Add to enter ranges of external routes for which you want to enable or suppress advertising.
Associate an OSPFv3 authentication profile with an area or an interface.
To an area: On the Areas tab, select an existing area from the table. On the General tab, select a previously defined authentication profile from the Authentication drop-down. Click OK.
To an interface: On the Areas tab, select an existing area from the table. Select the Interface tab and click Add. Select the authentication profile you want to associate with the OSPF interface from the Auth Profile drop-down.
(Optional) Configure Export Rules. On the Export tab, click Add.
- Select Allow Redistribute Default Route to permit redistribution of default routes through OSPFv3.
- Select the name of a redistribution profile. The value must be an IP subnet or a valid redistribution profile name.
- Select the New Path Type (Ext 1 or Ext 2) to apply to the redistributed routes.
- Specify a New Tag for the matched route; the tag is a 32-bit value.
- Assign a metric for the new rule (range is 1-65535).
Click OK.
Configure Advanced OSPFv3 options. On the Advanced tab:
- Select Disable Transit Routing for SPF Calculation if you want the firewall to participate in OSPF topology distribution without being used to forward transit traffic. This clears the R-bit in the firewall's router LSA, so other routers do not compute paths that pass through it.
- Configure a value for the SPF Calculation Delay (sec) timer. This timer lets you tune the delay between receiving new topology information and performing an SPF calculation. Lower values enable faster OSPF re-convergence. Routers peering with the firewall should be tuned in a similar manner to optimize convergence times.
- Configure a value for the LSA Interval (sec) timer. This timer specifies the minimum time between transmissions of two instances of the same LSA (same router, same type, same LSA ID). It is equivalent to MinLSInterval in RFC 2328. Lower values can reduce re-convergence times when topology changes occur.
(Optional) Configure OSPF Graceful Restart.
Configure OSPF Graceful Restart
OSPF Graceful Restart directs OSPF neighbors to continue using routes through a device during a short transition while it is out of service. This increases network stability by reducing the frequency of routing table recalculation and the related route flapping that brief outages, such as a planned restart, would otherwise cause.
For a Palo Alto Networks firewall, OSPF Graceful Restart involves the following operations:
Firewall as a restarting device: When the firewall will be down for a short period of time, it sends Grace LSAs to its OSPF neighbors. The neighbors must be configured to run in Graceful Restart Helper mode. In helper mode, the neighbors receive the Grace LSAs, which inform them that the firewall will perform a graceful restart within a specified time, the Grace Period. During the grace period, each neighbor continues to forward traffic through the firewall and to send LSAs that announce routes through it. If the firewall resumes operation before the grace period expires, forwarding continues as before without disruption. If it does not, the neighbors exit helper mode and resume normal operation, which means recalculating their routing tables to bypass the firewall.
Firewall as a Graceful Restart Helper: When neighboring routers may be down for short periods of time, the firewall can be configured to operate in Graceful Restart Helper mode with a Max Neighbor Restart Time. When the firewall receives a Grace LSA from an OSPF neighbor, it continues to route traffic to the neighbor and to advertise routes through it until either the neighbor's grace period or the max neighbor restart time expires, whichever comes first. If the neighbor returns to service before then, forwarding continues as before without disruption. Otherwise, the firewall exits helper mode and resumes normal operation, recalculating its routing table to bypass the neighbor.
Configure OSPF Graceful Restart
Select Network > Virtual Routers and select the virtual router you want to configure.
Select OSPF > Advanced.
Verify that the following are selected (they are enabled by default):
- Enable Graceful Restart
- Enable Helper Mode
- Enable Strict LSA checking
These should remain selected unless your topology requires otherwise. With Strict LSA checking, the firewall acting as a helper exits helper mode as soon as it sees a topology change (a changed LSA) while the neighbor is restarting, instead of continuing to forward on information it knows to be stale.
Configure a Grace Period in seconds.
Configure a Max Neighbor Restart Time in seconds.
Confirm OSPF Operation
Once an OSPF configuration has been committed, you can use any of the following operations to confirm that OSPF is operating:
View the Routing Table
By viewing the routing table, you can see whether OSPF routes have been established. The routing table is accessible from either the web interface or the CLI. If you are using the CLI, use the following commands:
show routing route
show routing fib
If you are using the web interface to view the routing table, use the following workflow:
View the Routing Table
Select Network > Virtual Routers and in the same row as the virtual router you are interested in, click the More Runtime Stats link.
Select Routing > Route Table and examine the Flags column of the routing table for routes that were learned by OSPF. OSPF routes are marked with an O (Oi for intra-area, Oo for inter-area, O1 and O2 for external type 1 and type 2); an A indicates the route is active.
Confirm OSPF Adjacencies
Use the following workflow to confirm that OSPF adjacencies have been established:
View the Neighbor Tab to Confirm OSPF Adjacencies
Select Network > Virtual Routers and in the same row as the virtual router you are interested in, click the More Runtime Stats link.
Select OSPF > Neighbor and examine the Status column: an adjacency is fully established when its status is Full. A neighbor that stays in Init or ExStart usually indicates mismatched Hello parameters or authentication settings. From the CLI, show routing protocol ospf neighbor displays the same information.
Confirm that OSPF Connections are Established
View the System log to confirm that the firewall has established OSPF connections.
Examine the System Log
Select Monitor > System and look for messages to confirm that OSPF adjacencies have been established.