Open Shortest Path First (OSPF)

To view external routes – CLI

You can view the whole routing table with get router info routing-table all to see every route, including the OSPF external routes, or for a shorter list use get router info routing-table ospf. The code letter at the left will be E1 or E2 for external OSPF routes. The output will look similar to the following, depending on what routes are in your routing table.

FGT620B# get router info routing-table all

Codes: K – kernel, C – connected, S – static, R – RIP, B – BGP O – OSPF, IA – OSPF inter area

N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2

E1 – OSPF external type 1, E2 – OSPF external type 2

i – IS-IS, L1 – IS-IS level-1, L2 – IS-IS level-2, ia – IS-IS inter area

* – candidate default

O*E2  0.0.0.0/0 [110/10] via 10.1.1.3, tunnel_wan2, 00:02:11

O     10.0.0.1/32 [110/300] via 10.1.1.3, tunnel_wan2, 00:02:11

S     0.0.0.0/0 [10/0] via 192.168.183.254, port2

S     1.0.0.0/8 [10/0] via 192.168.183.254, port2


Linkstate Database (LSDB) and route updates

OSPF is based on links. The links between adjacent neighbor routers allow updates to be passed along the network. Network links allow the DR to flood the area with Link-state database (LSDB) updates. External links allow the OSPF area to connect to destinations outside the OSPF autonomous system. Information about these links is passed throughout the OSPF network as link-state updates.


The LSDB contains the information that defines the complete OSPF area, but the LSDB is not the routing table. It contains the information from all the link-state updates passed along the network. When no more changes are required and the network is stable, the LSDB on each router in the network will be the same. The DR floods the LSDB to the area to ensure each router has the same LSDB.

To calculate the best route (shortest path) to a destination, the FortiGate unit applies the Shortest Path First (SPF) algorithm, based on Dijkstra’s algorithm, to the accumulated link-state information. OSPF uses a relative path cost metric for choosing the best route. The path cost can be any metric, but it is typically based on the bandwidth of the path, that is, how fast traffic will get from one point to another.

The path cost, similar to “distance” for RIP, imposes a penalty on the outgoing direction of a FortiGate unit interface. The path cost of a route is calculated by adding together all of the costs associated with the outgoing interfaces along the path to the destination. The lowest overall path cost indicates the best route, and generally the fastest route. Some brands of OSPF routers, such as Cisco, implement cost as a direct result of bandwidth between the routers. Generally this is a good cost metric because larger bandwidth means more traffic can travel without slowing down. To achieve this type of cost metric on FortiGate units, you need to set the cost for each interface manually in the CLI.

The inter-area routes may not be calculated when a Cisco-type ABR has no fully adjacent neighbor in the backbone area. In this situation, the router considers summary-LSAs from all actively attached areas (RFC 3509).

The FortiGate unit dynamically updates its routing table based on the results of the SPF calculation to ensure that an OSPF packet will be routed using the shortest path to its destination. Depending on the network topology, the entries in the FortiGate unit routing table may include:

  • The addresses of networks in the local OSPF area (to which packets are sent directly)
  • Routes to OSPF area border routers (to which packets destined for another area are sent)
  • If the network contains OSPF areas and non-OSPF domains, routes to area boundary routers, which reside on the OSPF network backbone and are configured to forward packets to destinations outside the OSPF AS.


OSPF Route updates

Once the OSPF domain is established, there should be few updates required on a stable network. When updates occur and a decision is required concerning a new route, this is the general procedure.

Our router gets a new route, and needs to decide if it should go in the routing table.

The router has an up to date LSDB of the entire area, containing information about each router, the next hop to it, and most importantly the cost to get there.

Our router turns the LSDB into a shortest path first (SPF) tree using Dijkstra’s algorithm. It doesn’t matter if there is more than one path to a router on the network; the SPF tree only cares about the shortest path to that router.

Once the SPF tree has been created and shows the shortest paths to all the OSPF routers on the network, the work is done. If the new route is the best route, it will be part of that tree. If it is not the shortest route, it will not be included in the LSDB.

If there has been a change from the initial LSDB to the new SPF tree, a link state update will be sent out to let the other routers know about the change so they can update their LSDBs as well. This is vital since all routers on the OSPF area must have the same LSDB.

If there was no change between the LSDB and the SPF tree, no action is taken.
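An added example, not code from the handbook, of the procedure above and of the additive path-cost model described earlier: Dijkstra is run over a constructed LSDB whose costs are per outgoing interface, producing the destination, total cost and next hop that the routing table holds, then rerun after a new link appears to see which routes changed and would need a link-state update. Router IDs and costs are made up.

```python
import heapq

# Constructed LSDB (not from the page): for each router, its links as
# {neighbor_router_id: cost of the outgoing interface toward that neighbor}.
# Costs apply in the outgoing direction only, so a link may differ per direction.
LSDB = {
    "10.0.0.1": {"10.0.0.2": 10, "10.0.0.3": 100},
    "10.0.0.2": {"10.0.0.1": 10, "10.0.0.3": 10, "10.0.0.4": 50},
    "10.0.0.3": {"10.0.0.1": 100, "10.0.0.2": 10, "10.0.0.4": 10},
    "10.0.0.4": {"10.0.0.2": 50, "10.0.0.3": 10},
}

def spf_tree(lsdb, root):
    """Dijkstra from `root` over the LSDB. Returns {router_id: (cost, next_hop)};
    only the single cheapest path to each router survives, as in the SPF tree."""
    best = {root: (0, None)}
    pending = [(0, root, None)]
    while pending:
        cost, node, nxt = heapq.heappop(pending)
        if cost > best[node][0]:
            continue  # stale heap entry; a cheaper path was already found
        for nbr, link_cost in lsdb.get(node, {}).items():
            new_cost = cost + link_cost
            hop = nbr if node == root else nxt  # first router after the root
            if nbr not in best or new_cost < best[nbr][0]:
                best[nbr] = (new_cost, hop)
                heapq.heappush(pending, (new_cost, nbr, hop))
    return best

def routing_table(lsdb, root):
    """Routing-table view: destination -> (total path cost, next hop)."""
    return {d: e for d, e in spf_tree(lsdb, root).items() if d != root}

def changed_routes(old, new):
    """Destinations whose cost or next hop changed between two SPF runs; empty
    means the update changed nothing and no link-state update needs to go out."""
    return {d for d in set(old) | set(new) if old.get(d) != new.get(d)}

if __name__ == "__main__":
    before = routing_table(LSDB, "10.0.0.1")
    # a new, cheaper link between 10.0.0.1 and 10.0.0.4 is learned
    updated = {r: dict(links) for r, links in LSDB.items()}
    updated["10.0.0.1"]["10.0.0.4"] = 15
    updated["10.0.0.4"]["10.0.0.1"] = 15
    after = routing_table(updated, "10.0.0.1")
    for dst in sorted(after):
        print(dst, "cost", after[dst][0], "via", after[dst][1])
    print("routes to re-advertise:", changed_routes(before, after))
```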


OSPF packets

Every OSPF packet starts with a standard 24-byte header, followed by at least another 24 bytes of packet-specific information. The header contains all the information necessary to determine whether the packet should be accepted for further processing.

OSPF packet layout

Standard header (24 bytes):

  • 1-byte Version field
  • 1-byte Type field
  • 2-byte Packet length
  • 4-byte Router ID
  • 4-byte Area ID
  • 2-byte Checksum
  • 2-byte Auth Type
  • 8-byte Authentication

Packet body (Hello packet, 24 bytes):

  • 4-byte Network Mask
  • 2-byte Hello interval
  • 1-byte Options field
  • 1-byte Router Priority
  • 4-byte Dead Router interval
  • 4-byte DR field
  • 4-byte BDR field
  • 4-byte Neighbor ID

The following descriptions summarize the OSPF packet header fields.

Version field — The OSPF version number. This specification documents version 2 of the protocol.

Type field — There are 5 OSPF packet types. From one to five, respectively, they are Hello, Database Description, Link State Request, Link State Update, and Link State Acknowledgment.

Packet length — The length of the OSPF protocol packet in bytes. This length includes the standard 24-byte OSPF header, so all OSPF packets are at least 24 bytes long.

Router ID — The Router ID of the packet’s source.

Area ID — A 32-bit number identifying the area that this packet belongs to. All OSPF packets are associated with a single area. Most travel a single hop only. Packets travelling over a virtual link are labelled with the backbone Area ID of 0.0.0.0.


Checksum — The standard IP checksum of the entire contents of the packet, starting with the OSPF packet header but excluding the 64-bit authentication field. This checksum is calculated as the 16-bit one’s complement of the one’s complement sum of all the 16-bit words in the packet, excepting the authentication field. If the packet’s length is not an integral number of 16-bit words, the packet is padded with a byte of zero before checksumming. The checksum is considered to be part of the packet authentication procedure; for some authentication types the checksum calculation is omitted.

Auth Type — Identifies the authentication procedure to be used for the packet. Authentication types include Null authentication (0), Simple password (1), and Cryptographic authentication (2); all others are reserved for future use.

Authentication — A 64-bit field for use by the authentication scheme. When AuType indicates no authentication is being used, the Authentication field is not checked and can be any value. When AuType is set to 2 (Cryptographic authentication), the 64-bit authentication field is split into the following four fields: Zero field, Key ID field, Authentication data length field, and Cryptographic sequence field.

The Key ID field indicates the key and algorithm used to create the message digest appended to the packet. The authentication data length field indicates how many bytes long the message digest is, and the cryptographic sequence number is a non-decreasing number that is set when the packet is received and authenticated to prevent replay attacks.

Network Mask — The subnet where this packet is valid.

Hello interval — The period of time between sending out Hello packets. See Hello and dead intervals on page 383.

Options field — The OSPF protocol defines several optional capabilities. A router indicates the optional capabilities that it supports in its OSPF Hello packets, Database Description packets and in its LSAs. This enables routers supporting a mix of optional capabilities to coexist in a single Autonomous System.

Router priority — The priority between 0 and 255 that determines which routers become the DR and BDR. See Designated router (DR) and backup router (BDR) on page 380.

Dead router interval — The period of time when there is no response from a router before it is declared dead. See Hello and dead intervals on page 383.

DR and BDR fields — The DR and BDR fields each list the router that fills that role on this network, generally the routers with the highest priorities. See Designated router (DR) and backup router (BDR) on page 380.

Neighbor ID — The ID number of a neighboring router. This ID is used to discover new routers and respond to them.
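An added example, not code from the handbook, that decodes the 24-byte header and applies the acceptance checks described above (version, type, length, and the checksum over everything except the 64-bit authentication field, skipped for AuType 2) to a constructed Hello packet whose body follows the field list above. Router IDs, addresses and timer values are made up.

```python
import struct
import ipaddress

HEADER_LEN = 24  # the standard OSPF header described in the text
TYPES = {1: "Hello", 2: "Database Description", 3: "Link State Request",
         4: "Link State Update", 5: "Link State Acknowledgment"}

def ospf_checksum(packet):
    """16-bit one's complement of the one's complement sum of the packet's
    16-bit words, skipping the 64-bit authentication field (bytes 16-23) and
    treating the checksum field as zero; an odd-length packet gets a zero pad."""
    data = packet[:12] + b"\x00\x00" + packet[14:16] + packet[24:]
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back in (one's complement addition)
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_header(packet):
    """Decode the 24-byte header and apply the acceptance checks the text lists."""
    if len(packet) < HEADER_LEN:
        raise ValueError("shorter than the 24-byte OSPF header")
    ver, ptype, length, rid, aid, csum, autype = struct.unpack("!BBHIIHH", packet[:16])
    if ver != 2:
        raise ValueError("unsupported OSPF version %d" % ver)
    if ptype not in TYPES:
        raise ValueError("unknown packet type %d" % ptype)
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("bad packet length %d" % length)
    # the checksum is not computed for cryptographic authentication (AuType 2)
    if autype != 2 and ospf_checksum(packet[:length]) != csum:
        raise ValueError("checksum mismatch")
    return {"version": ver, "type": TYPES[ptype], "length": length,
            "router_id": str(ipaddress.IPv4Address(rid)),
            "area_id": str(ipaddress.IPv4Address(aid)),
            "auth_type": autype, "auth": packet[16:24]}

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def build_hello(router_id, area_id, netmask, neighbors=(), hello=10, dead=40):
    """Constructed Hello packet (AuType 0, priority 1, no DR/BDR yet) with a
    valid checksum; the body layout follows the field list in the text."""
    body = struct.pack("!IHBBIII", _ip(netmask), hello, 0x02, 1, dead, 0, 0)
    body += b"".join(struct.pack("!I", _ip(n)) for n in neighbors)
    length = HEADER_LEN + len(body)
    hdr = struct.pack("!BBHIIHH", 2, 1, length, _ip(router_id), _ip(area_id), 0, 0)
    packet = hdr + bytes(8) + body  # zero authentication field for AuType 0
    return packet[:12] + struct.pack("!H", ospf_checksum(packet)) + packet[14:]
```

Note that with AuType 0 the authentication field is neither checked nor covered by the checksum, so the checksum detects transmission damage but gives no protection against a deliberately altered packet.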

Troubleshooting OSPF

As with other dynamic routing protocols, OSPF has some issues that may need troubleshooting from time to time. For basic troubleshooting, see the FortiOS Handbook Troubleshooting chapter.

The more common issues include:

  • Clearing OSPF routes from the routing table
  • Checking the state of OSPF neighbors
  • Passive interface problems
  • Timer problems
  • Bi-directional Forwarding Detection (BFD)
  • Authentication issues
  • DR and BDR election issues


One thought on “Open Shortest Path First (OSPF)”

  1. Pratik

    I was configuring OSPF for the Kotak team on a FortiGate firewall for the Ranchi location, and I have done the following:

    • Specified the loopback network,
    • LAN network,
    • WAN network, with the local firewall connected to its peer.
    • I have also configured the policy and a static route.

    After that I’m able to ping the neighbor IP from the firewall, but the neighbor is not established. Please kindly help me in this case to overcome this issue.
