Cisco ASA 5500 Series Configuration Guide using ASDM, 6.3

Configuring OSPF


This chapter describes how to configure the adaptive security appliance to route data, perform authentication, and redistribute routing information, using the Open Shortest Path First (OSPF) routing protocol.

The chapter includes the following sections:

Information About OSPF

Licensing Requirements for OSPF

Guidelines and Limitations

Configuring OSPF

Customizing OSPF

Monitoring OSPF

Configuration Example for OSPF

Feature History for OSPF

Information About OSPF

OSPF is an interior gateway routing protocol that uses link states rather than distance vectors for path selection. OSPF propagates link-state advertisements rather than routing table updates. Because only LSAs are exchanged instead of the entire routing tables, OSPF networks converge more quickly than RIP networks.

OSPF uses a link-state algorithm to build and calculate the shortest path to all known destinations. Each router in an OSPF area contains an identical link-state database, which is a list of each of the router's usable interfaces and reachable neighbors.

The advantages of OSPF over RIP include the following:

OSPF link-state database updates are sent less frequently than RIP updates, and the link-state database is updated instantly rather than gradually as stale information is timed out.

Routing decisions are based on cost, which is an indication of the overhead required to send packets across a certain interface. The adaptive security appliance calculates the cost of an interface based on link bandwidth rather than the number of hops to the destination. The cost can be configured to specify preferred paths.

The disadvantage of shortest path first algorithms is that they require a lot of CPU cycles and memory.

The adaptive security appliance can run two processes of OSPF protocol simultaneously, on different sets of interfaces. You might want to run two processes if you have interfaces that use the same IP addresses (NAT allows these interfaces to coexist, but OSPF does not allow overlapping addresses). Or you might want to run one process on the inside, and another on the outside, and redistribute a subset of routes between the two processes. Similarly, you might need to segregate private addresses from public addresses.

You can redistribute routes into an OSPF routing process from another OSPF routing process, a RIP routing process, or from static and connected routes configured on OSPF-enabled interfaces.

The adaptive security appliance supports the following OSPF features:

Support of intra-area, interarea, and external (Type I and Type II) routes.

Support of a virtual link.

OSPF LSA flooding.

Authentication to OSPF packets (both password and MD5 authentication).

Support for configuring the adaptive security appliance as a designated router or a designated backup router. The adaptive security appliance also can be set up as an ABR.

Support for stub areas and not-so-stubby-areas.

Area boundary router Type-3 LSA filtering.

OSPF supports MD5 and clear text neighbor authentication. Authentication should be used with all routing protocols when possible because route redistribution between OSPF and other protocols (like RIP) can potentially be used by attackers to subvert routing information.

If NAT is used, if OSPF is operating on public and private areas, and if address filtering is required, then you need to run two OSPF processes—one process for the public areas and one for the private areas.

A router that has interfaces in multiple areas is called an Area Border Router (ABR). A router that acts as a gateway to redistribute traffic between routers using OSPF and routers using other routing protocols is called an Autonomous System Boundary Router (ASBR).

An ABR uses LSAs to send information about available routes to other OSPF routers. Using ABR Type 3 LSA filtering, you can have separate private and public areas with the adaptive security appliance acting as an ABR. Type 3 LSAs (inter-area routes) can be filtered from one area to another. This lets you use NAT and OSPF together without advertising private networks.


Note Only Type 3 LSAs can be filtered. If you configure the adaptive security appliance as an ASBR in a private network, it will send Type 5 LSAs describing private networks, which will get flooded to the entire AS including public areas.


If NAT is employed but OSPF is only running in public areas, then routes to public networks can be redistributed inside the private network, either as default or Type 5 AS External LSAs. However, you need to configure static routes for the private networks protected by the adaptive security appliance. Also, you should not mix public and private networks on the same adaptive security appliance interface.

You can have two OSPF routing processes, one RIP routing process, and one EIGRP routing process running on the adaptive security appliance at the same time.

Licensing Requirements for OSPF

Model         License Requirement
All models    Base License.


Guidelines and Limitations

This section includes the guidelines and limitations for this feature.

Context Mode Guidelines

Supported in single context mode.

Firewall Mode Guidelines

Supported in routed mode only. Transparent mode is not supported.

IPv6 Guidelines

Does not support IPv6.

Configuring OSPF

This section describes how to enable an OSPF process on your system.

After you enable OSPF, you need to define a route map. For more information, see the "Defining Route Maps" section on page 20-1. Then you generate a default route. For more information, see the "Configuring Static and Default Routes" section on page 19-2.

After you have defined a route map for the OSPF process, you can customize the OSPF process to suit your particular needs. To learn how to customize the OSPF process on your system, see the "Customizing OSPF" section.

To enable OSPF, you need to create an OSPF routing process, specify the range of IP addresses associated with the routing process, then assign area IDs associated with that range of IP addresses.

You can enable up to two OSPF process instances. Each OSPF process has its own associated areas and networks.

To enable OSPF, perform the following steps:


Step 1 In the main ASDM window, choose Configuration > Device Setup > Routing > OSPF > Setup.

In the OSPF Setup pane, you can enable OSPF processes, configure OSPF areas and networks, and define OSPF route summarization.

The three tabs in ASDM used to enable OSPF are as follows:

Process Instances tab—This tab allows you to enable up to two OSPF process instances. Once you check the Enable Each OSPF Process check box, you can enter a unique numeric identifier for that OSPF process. This process ID is used internally and does not need to match the OSPF process ID on any other OSPF devices; valid values are from 1 to 65535. Each OSPF process has its own associated areas and networks.
If you choose Advanced, you can configure the Router ID, Adjacency Changes, Administrative Route Distances, Timers, and Default Information Originate settings for each OSPF process. See the "Configuring Route Calculation Timers" section for more information.

Area/Networks tab—This tab allows you to display the areas, and the networks they contain, for each OSPF process on the adaptive security appliance. From this tab you can display the area ID, the area type, and the type of authentication set for the area. To add or edit the OSPF area or network, see the "Configuring OSPF Area Parameters" section.

Route Summarization tab—This tab allows you to configure an ABR. In OSPF, an ABR will advertise networks in one area into another area. If the network numbers in an area are assigned in a way such that they are contiguous, you can configure the ABR to advertise a summary route that covers all the individual networks within the area that fall into the specified range. See the "Configuring Route Summarization Between OSPF Areas" section for more information.


Customizing OSPF

This section explains how to customize the OSPF process and includes the following topics:

Redistributing Routes Into OSPF

Configuring OSPF Interface Parameters

Configuring Route Summarization Between OSPF Areas

Configuring OSPF Interface Parameters

Configuring OSPF Area Parameters

Configuring OSPF NSSA

Configuring Route Calculation Timers

Defining Static OSPF Neighbors

Logging Neighbors Going Up or Down

Configuring Filtering in OSPF

Configuring a Virtual Link in OSPF

Restarting the OSPF Process

Redistributing Routes Into OSPF

The adaptive security appliance can control the redistribution of routes between OSPF routing processes.


Note If you want to redistribute a route by defining which of the routes from the specified routing protocol are allowed to be redistributed into the target routing process, you must first generate a default route. See the "Configuring Static and Default Routes" section on page 19-2 and then define a route map according to the "Defining a Route Map" section on page 20-4.


To redistribute static, connected, RIP, or OSPF routes into an OSPF process, perform the following steps:


Step 1 In the main ASDM window, choose Configuration > Device Setup > Routing > OSPF > Redistribution.

The Redistribution pane displays the rules for redistributing routes from one routing process into an OSPF routing process. You can redistribute routes discovered by RIP and OSPF into the EIGRP routing process. You can also redistribute static and connected routes into the EIGRP routing process. You do not need to redistribute static or connected routes if they fall within the range of a network that has been configured through the Setup > Networks tab.

Step 2 Choose Add or Edit.

Alternatively, double-clicking a table entry in the Redistribution pane (if any) opens the Add/Edit OSPF Redistribution Entry dialog box for the selected entry.


Note All steps that follow are optional.


The Add/Edit OSPF Redistribution Entry dialog box lets you add a new redistribution rule to or edit an existing redistribution rule in the Redistribution table. Some of the redistribution rule information cannot be changed when you are editing an existing redistribution rule.

Step 3 Choose the OSPF process associated with the route redistribution entry. If you are editing an existing redistribution rule, you cannot change this setting.

Step 4 Choose the source protocol from which the routes are being redistributed. You can choose one of the following options:

Static—Redistribute static routes to the OSPF routing process.

Connected—Redistribute connected routes (routes established automatically by virtue of having IP enabled on the interface) to the OSPF routing process. Connected routes are redistributed as external to the AS.

OSPF—Redistribute routes from another OSPF routing process. Choose the OSPF process ID from the list. If you choose this protocol, the Match options on this dialog box become visible. These options are not available when redistributing static, connected, RIP, or EIGRP routes. Skip to Step 5.

RIP—Redistribute routes from the RIP routing process.

EIGRP—Redistribute routes from the EIGRP routing process. Choose the autonomous system number of the EIGRP routing process from the list.

Step 5 If you have chosen OSPF for the source protocol, choose the conditions used for redistributing routes from another OSPF routing process into the selected OSPF routing process. These options are not available when redistributing static, connected, RIP, or EIGRP routes. The routes must match the selected condition to be redistributed. You can choose one or more of the following match conditions:

Internal—The route is internal to a specific AS.

External 1—Routes that are external to the autonomous system, but are imported into OSPF as Type 1 external routes.

External 2—Routes that are external to the autonomous system, but are imported into OSPF as Type 2 external routes.

NSSA External 1—Routes that are external to the autonomous system, but are imported into OSPF as Type 2 NSSA routes.

NSSA External 2—Routes that are external to the autonomous system, but are imported into OSPF as Type 2 NSSA routes.

Step 6 In the Metric Value field, enter the metric value for the routes being redistributed. Valid values range from 1 to 16777214.

When redistributing from one OSPF process to another OSPF process on the same device, the metric will be carried through from one process to the other if no metric value is specified. When redistributing other processes to an OSPF process, the default metric is 20 when no metric value is specified.

Step 7 Choose the Metric Type.

Choose "1" if the metric is a Type 1 external route, or "2" if the metric is a Type 2 external route.

Step 8 Enter the tag value in the Tag Value field.

The tag value is a 32-bit decimal value attached to each external route that is not used by OSPF itself, but may be used to communicate information between ASBRs. Valid values range from 0 to 4294967295.

Step 9 Check the Use Subnets check box to enable the redistribution of subnetted routes. Uncheck this check box to cause only routes that are not subnetted to be redistributed.

Step 10 Choose the name of the route map to apply to the redistribution entry from the Route Map drop-down list.

Step 11 If you need to add or configure a route map, click Manage.

The Configure Route Map dialog box appears. Click Add or Edit to define which of the routes from the specified routing protocol are allowed to be redistributed into the target routing process. For more information, see the "Defining a Route Map" section on page 20-4.

Step 12 Click OK.


Configuring Route Summarization When Redistributing Routes into OSPF

When routes from other protocols are redistributed into OSPF, each route is advertised individually in an external LSA. However, you can configure the adaptive security appliance to advertise a single route for all the redistributed routes that are covered by a specified network address and mask. This configuration decreases the size of the OSPF link-state database.

Routes that match the specified IP Address mask pair can be suppressed. The Tag value can be used as a match value for controlling redistribution through route maps.

There are two areas that you can configure for route summarization:

Add a Route Summary Address

Add/Edit OSPF Summary Address

Add a Route Summary Address

The Summary Address pane displays information about the summary addresses configured for each OSPF routing process.

Routes learned from other routing protocols can be summarized. The metric used to advertise the summary is the smallest metric of all the more specific routes. Summary routes help reduce the size of the routing table.

Using summary routes for OSPF causes an OSPF ASBR to advertise one external route as an aggregate for all redistributed routes that are covered by the address. Only routes from other routing protocols that are being redistributed into OSPF can be summarized.


Note OSPF does not support summary-address 0.0.0.0 0.0.0.0.


To configure the software to advertise one summary route for all redistributed routes covered by a network address and mask, perform the following steps:


Step 1 In the main ASDM home page, choose Configuration > Device Setup > Routing > OSPF > Summary Address.

Step 2 Choose Add.

The Add OSPF Summary Address Entry dialog box appears. This dialog box lets you add new entries to the Summary Address table. Some of the summary address information cannot be changed when editing an existing entry.

Step 3 Choose the specified OSPF Process ID associated with the summary address from the OSPF Process drop-down list. You cannot change this information when editing an existing entry.

Step 4 Enter the IP address of the summary address in the IP Address field. You cannot change this information when editing an existing entry.

Step 5 Choose the network mask for the summary address from the Netmask drop-down list. You cannot change this information when editing an existing entry.

Step 6 Check or uncheck the Advertise check box to advertise the summary route. Uncheck this check box to suppress routes that fall under the summary address. By default this check box is checked.

Step 7 The Tag value displays a 32-bit decimal value attached to each external route. This value is not used by OSPF itself. It may be used to communicate information between ASBRs.

Step 8 Click OK.


Add/Edit OSPF Summary Address

To add or edit OSPF summary address settings, perform the following steps:


Step 1 In the main ASDM window, choose Configuration > Device Setup > Routing > OSPF > Setup.

Step 2 Click the Route Summarization tab.

The Add/Edit a Route Summarization Entry dialog box appears.

The Add/Edit a Route Summarization Entry dialog box allows you to add new entries to or modify existing entries in the Summary Address table. Some of the summary address information cannot be changed when editing an existing entry.

Step 3 Choose the specified OSPF Process ID associated with the summary address from the OSPF Process drop-down list. You cannot change this information when editing an existing entry.

Step 4 Enter the IP address of the summary address in the IP Address field. You cannot change this information when editing an existing entry.

Step 5 Choose the network mask for the summary address from the Netmask drop-down list. You cannot change this information when editing an existing entry.

Step 6 Check or uncheck the Advertise check box to advertise the summary route. Uncheck this check box to suppress routes that fall under the summary address. By default this check box is checked.


Configuring Route Summarization Between OSPF Areas

Route summarization is the consolidation of advertised addresses. This feature causes a single summary route to be advertised to other areas by an area boundary router. In OSPF, an area boundary router advertises networks in one area into another area. If the network numbers in an area are assigned in a way such that they are contiguous, you can configure the area boundary router to advertise a summary route that covers all the individual networks within the area that fall into the specified range.

To define an address range for route summarization, perform the following steps:


Step 1 In the main ASDM window, choose Configuration > Device Setup > Routing > OSPF > Setup.

Step 2 Click the Route Summarization tab.

The Add/Edit a Route Summarization Entry dialog box appears.

The Add/Edit a Route Summarization Entry dialog box allows you to add new entries to or modify existing entries in the Summary Address table. Some of the summary address information cannot be changed when editing an existing entry.

Step 3 Enter the OSPF Area ID in the Area ID field. You cannot change this information when editing an existing entry.

Step 4 Enter the IP address of the summary address in the IP Address field. You cannot change this information when editing an existing entry.


Configuring OSPF Interface Parameters

You can alter some interface-specific OSPF parameters as necessary.

Prerequisites

You are not required to alter any of these parameters, but the following interface parameters must be consistent across all routers in an attached network: the Hello interval, the Dead interval and the Authentication key. Be sure that if you configure any of these parameters, the configurations for all routers on your network have compatible values.

To configure OSPF interface parameters, perform the following steps:

In ASDM, the Interface pane lets you configure interface-specific OSPF routing properties, such as OSPF message authentication and properties. There are two tabs that help you configure interfaces in OSPF:

Authentication tab—The Authentication tab displays the OSPF authentication information for the adaptive security appliance interfaces.

Properties tab—The Properties tab displays the OSPF properties defined for each interface in a table format.


Step 1 In the main ASDM window, choose Configuration > Device Setup > Routing > OSPF > Interface.

Step 2 Click the Authentication tab.

This tab displays the authentication information for the adaptive security appliance interfaces. Double-clicking a row in the table opens the dialog for the selected interface.

Step 3 Click Edit.

The Edit OSPF Authentication Interface dialog box appears and opens for the selected interface. The Edit OSPF Interface Authentication dialog box lets you configure the OSPF authentication type and parameters for the selected interface.

Step 4 Choose the Authentication type from the Authentication drop-down list. Options include:

None—Choose this option to disable OSPF authentication.

Authentication Password—Choose this option to use clear text password authentication. This is not recommended where security is a concern.

MD5—Choose this option to use MD5 authentication (recommended).

Area—(Default) Choose this option to use the authentication type specified for the area (see the "Configuring OSPF Area Parameters" section for information about configuring area authentication). Area authentication is disabled by default. So, unless you have previously specified an area authentication type, interfaces set to area authentication have authentication disabled until you configure area authentication.

Step 5 Click the radio button in the Authentication Password area.

This area includes the settings for entering the password when password authentication is enabled. The following fields are editable:

Enter Password—Enter a text string of up to eight characters.

Re-enter Password—Reenter the password.

Step 6 Choose the settings for MD5 IDs and Keys in the ID area.

This area includes the settings for entering the MD5 keys and parameters when MD5 authentication is enabled. All devices on the interface using OSPF authentication must use the same MD5 key and ID. Options and fields include:

Key ID—Enter a numerical key identifier. Valid values range from 1 to 255. This field also displays the Key ID for the interface selected.

Key—An alphanumeric character string of up to 16 bytes. This field also displays the Key ID for the interface selected.

Click the Add or Delete button to add or delete the specified MD5 key to the MD5 ID and Key table.

Step 7 Click OK.

Step 8 Click the Properties tab.

Step 9 Choose the interface that you want to edit. Double-clicking a row in the table opens the Properties tab dialog box for the selected interface.

Step 10 Click Edit.

The Interface text field displays the name of the interface for which you are configuring OSPF properties. You cannot edit this field.

Step 11 Check or uncheck the Broadcast check box to specify that the interface is a broadcast interface.

By default, this check box is selected for Ethernet interfaces. Uncheck this check box to designate the interface as a point-to-point, non-broadcast interface. Specifying an interface as point-to-point, non-broadcast lets you transmit OSPF routes over VPN tunnels.

When an interface is configured as point-to-point, non-broadcast, the following restrictions apply:

You can define only one neighbor for the interface.

You need to manually configure the neighbor. (See the "Defining Static OSPF Neighbors" section.)

You need to define a static route pointing to the crypto endpoint. (See the "Configuring Static and Default Routes" section on page 19-2.)

If OSPF over the tunnel is running on the interface, regular OSPF with an upstream router cannot be run on the same interface.

You should bind the crypto-map to the interface before specifying the OSPF neighbor to ensure that the OSPF updates are passed through the VPN tunnel. If you bind the crypto-map to the interface after specifying the OSPF neighbor, use the clear local-host all command to clear OSPF connections so the OSPF adjacencies can be established over the VPN tunnel.

Step 12 Configure the following options:

Enter a value in the Cost field which determines the cost of sending a packet through the interface. The default value is 10.

In the Priority field, enter the OSPF router priority value.

When two routers connect to a network, both attempt to become the designated router. The device with the higher router priority becomes the designated router. If there is a tie, the router with the higher router ID becomes the designated router.

Valid values for this setting range from 0 to 255. The default value is 1. Entering 0 for this setting makes the router ineligible to become the designated router or backup designated router. This setting does not apply to interfaces that are configured as point-to-point non-broadcast interfaces.

Check or uncheck the MTU Ignore check box.

OSPF checks whether neighbors are using the same MTU on a common interface. This check is performed when neighbors exchange DBD packets. If the receiving MTU in the DBD packet is higher than the IP MTU configured on the incoming interface, OSPF adjacency will not be established.

Check or uncheck the Database filter check box.

Check this check box to filter outgoing LSAs on the interface during synchronization and flooding. By default, OSPF floods new LSAs over all interfaces in the same area, except the interface on which the LSA arrives. In a fully meshed topology, this can waste bandwidth and lead to excessive link and CPU usage. Checking this check box prevents flooding of OSPF LSAs on the selected interface.

Step 13 (Optional) Click Advanced to edit the OSPF Interface Advanced Properties.

The Edit OSPF Interface Advanced Properties dialog box lets you change the values for the OSPF hello interval, retransmit interval, transmit delay, and dead interval. Typically, you only need to change these values from the defaults if you are experiencing OSPF problems on your network.

Step 14 Enter values for the following:

Hello Interval—Specifies the interval, in seconds, between hello packets sent on an interface. The smaller the hello interval, the faster topological changes are detected but the more traffic is sent on the interface. This value must be the same for all routers and access servers on a specific interface. Valid values range from 1 to 65535 seconds. The default value is 10 seconds.

Retransmit Interval—Specifies the time, in seconds, between LSA retransmissions for adjacencies belonging to the interface. When a router sends an LSA to its neighbor, it keeps the LSA until it receives the acknowledgement message. If the router receives no acknowledgement, it will resend the LSA. Be conservative when setting this value, or needless retransmission can result. The value should be larger for serial lines and virtual links. Valid values range from 1 to 65535 seconds. The default value is 5 seconds.

Transmit Delay—Specifies the estimated time, in seconds, required to send an LSA packet on the interface. LSAs in the update packet have their ages increased by the amount specified by this field before transmission. If the delay is not added before transmission over a link, the time in which the LSA propagates over the link is not considered. The value assigned should take into account the transmission and propagation delays for the interface. This setting has more significance on very low-speed links. Valid values range from 1 to 65535 seconds. The default value is 1 second.

Dead Interval—Specifies the interval, in seconds, in which no hello packets are received, causing neighbors to declare a router down. Valid values range from 1 to 65535. The default value of this setting is four times the interval set by the Hello Interval field.
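The difference between the Authentication Password and MD5 options in Step 4 through Step 6 is visible in the packet itself. The following is an added example, not part of the original guide or Cisco code: it builds an OSPFv2 Hello with each authentication type as defined in RFC 2328 Appendix D and verifies the MD5 form. The router ID, key, password, and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

# OSPFv2 header, RFC 2328 A.3.1: version, type, packet length, router ID,
# area ID, checksum, AuType, 64-bit authentication field (24 bytes total).
HDR = struct.Struct("!BBH4s4sHH8s")
AU_SIMPLE, AU_CRYPTO = 1, 2
RID = bytes([192, 0, 2, 1])   # constructed router ID
AREA0 = bytes(4)              # area 0.0.0.0


def sample_hello() -> bytes:
    """Constructed Hello body with the guide's defaults: hello 10 s, dead 40 s, priority 1."""
    mask = bytes([255, 255, 255, 0])
    return struct.pack("!4sHBBI4s4s", mask, 10, 0x02, 1, 40, bytes(4), bytes(4))


def inet_checksum(data: bytes) -> int:
    """Standard 16-bit one's-complement Internet checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _packet(body: bytes, checksum: int, autype: int, auth: bytes) -> bytes:
    # Packet type 1 = Hello. The length field never counts a trailing digest.
    return HDR.pack(2, 1, HDR.size + len(body), RID, AREA0, checksum, autype, auth) + body


def simple_packet(body: bytes, password: bytes) -> bytes:
    """AuType 1: the password (up to eight characters) travels in the header as-is."""
    if len(password) > 8:
        raise ValueError("password is limited to 8 bytes")
    auth = password.ljust(8, b"\x00")
    draft = _packet(body, 0, AU_SIMPLE, auth)
    # The checksum covers the packet except the 64-bit authentication field.
    csum = inet_checksum(draft[:16] + draft[24:])
    return _packet(body, csum, AU_SIMPLE, auth)


def md5_packet(body: bytes, key_id: int, key: bytes, seq: int) -> bytes:
    """AuType 2: only key ID, digest length and sequence number are sent; the key is not."""
    if not 1 <= key_id <= 255 or len(key) > 16:   # ranges as stated in the guide
        raise ValueError("key ID must be 1-255 and key at most 16 bytes")
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)
    pkt = _packet(body, 0, AU_CRYPTO, auth)       # checksum is not used with AuType 2
    digest = hashlib.md5(pkt + key.ljust(16, b"\x00")).digest()
    return pkt + digest                           # digest is appended after the packet


def verify_md5(packet: bytes, keys: dict, last_seq: int) -> bool:
    """Receiver side: look up the key by ID, reject old sequence numbers, compare digests."""
    if len(packet) < HDR.size + 16:
        return False
    _, _, length, _, _, _, autype, auth = HDR.unpack_from(packet)
    _, key_id, digest_len, seq = struct.unpack("!HBBI", auth)
    key = keys.get(key_id)
    if autype != AU_CRYPTO or key is None or digest_len != 16:
        return False
    if seq < last_seq or len(packet) != length + 16:
        return False
    expected = hashlib.md5(packet[:length] + key.ljust(16, b"\x00")).digest()
    return hmac.compare_digest(expected, packet[length:])
```

With password authentication the secret occupies bytes 16 to 23 of every OSPF packet on the segment, which is why the guide does not recommend it where security is a concern. With MD5 a mismatched Key ID or key on any neighbor makes verification fail and the adjacency does not form.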


Configuring OSPF Area Parameters

You can configure several OSPF area parameters. These area parameters (shown in the following task list) include setting authentication, defining stub areas, and assigning specific costs to the default summary route. Authentication provides password-based protection against unauthorized access to an area.

Stub areas are areas into which information on external routes is not sent. Instead, there is a default external route generated by the ABR, into the stub area for destinations outside the autonomous system. To take advantage of the OSPF stub area support, default routing must be used in the stub area.

To specify area parameters for your network, perform the following steps:


Step 1 In the main ASDM window, choose Configuration > Device Setup > Routing > OSPF > Setup.

Step 2 Click the Area/Networks tab.

The Add OSPF Area dialog box appears.

Step 3 Select one of the Area Type options.

Options include:

Normal—Choose this option to make the area a standard OSPF area. This option is selected by default when you first create an area.

Stub—Choosing this option makes the area a stub area. Stub areas do not have any routers or areas beyond them. Stub areas prevent AS External LSAs (Type 5 LSAs) from being flooded into the stub area. When you create a stub area, you have the option of preventing summary LSAs (Type 3 and 4) from being flooded into the area by unchecking the Summary check box.

Summary—When the area being defined is a stub area, unchecking this check box prevents LSAs from being sent into the stub area. This check box is selected by default for stub areas.

NSSA—Choose this option to make the area a not-so-stubby area. NSSAs accept Type 7 LSAs. When you create a NSSA, you have the option of preventing summary LSAs from being flooded into the area by unchecking the Summary check box. You can also disable route redistribution by unchecking the Redistribute check box and enabling Default Information Originate.

Step 4 Enter the IP address in the IP Address field of the network or host to be added to the area. Use 0.0.0.0 with a netmask of 0.0.0.0 to create the default area. You can only enter 0.0.0.0 in one area.

Step 5 Enter the network mask in the Network Mask field for the IP address or host to be added to the area. If adding a host, choose the 255.255.255.255 mask.

Step 6 Choose the OSPF Authentication type.

Choices include:

None—This option disables OSPF area authentication. This is the default setting.

Password—This option provides a clear text password for area authentication. This option is not recommended where security is a concern.

MD5—This option allows MD5 authentication.

Step 7 Enter a value in the Default Cost field to specify a default cost for the OSPF area.

Valid values range from 0 to 65535. The default value is 1.

Step 8 Click OK.
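Because an interface set to Area inherits the area's authentication type, and area authentication defaults to None, an interface can run OSPF unauthenticated without any setting saying so. The following is an added example, not from the original guide: an audit that resolves the effective authentication of each OSPF interface from a saved configuration. It assumes the ASA CLI form of these settings (ospf authentication, ospf message-digest-key, area ... authentication); the sample configuration, interface names, and keys are constructed placeholders.

```python
import ipaddress

# Constructed sample in the assumed ASA CLI form; keys are placeholders.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 192.0.2.1 255.255.255.0
 ospf message-digest-key 1 md5 PLACEHOLDER-KEY
 ospf authentication message-digest
!
interface GigabitEthernet0/1
 nameif inside
 ip address 10.1.1.1 255.255.255.0
 ospf authentication-key PLACEHLD
 ospf authentication
!
interface GigabitEthernet0/2
 nameif dmz
 ip address 10.2.2.1 255.255.255.0
!
interface GigabitEthernet0/3
 nameif lab
 ip address 10.3.3.1 255.255.255.0
!
router ospf 1
 network 192.0.2.0 255.255.255.0 area 0
 network 10.1.1.0 255.255.255.0 area 1
 network 10.2.2.0 255.255.255.0 area 2
 network 10.3.3.0 255.255.255.0 area 3
 area 3 authentication message-digest
!
"""


def _mode(args):
    # No keyword after "authentication" means clear text password.
    return {"message-digest": "md5", "null": "none"}.get(args[0], "password") if args else "password"


def parse(config):
    """Collect interfaces, OSPF network statements and per-area authentication."""
    ifaces, networks, area_auth = [], [], {}
    cur = proc = None
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0] == "!":
            continue
        if not raw.startswith(" "):               # new top-level section
            cur = proc = None
            if words[0] == "interface":
                # "area" is the default: inherit whatever the area specifies.
                cur = {"name": words[1], "ip": None, "auth": "area", "key": False}
                ifaces.append(cur)
            elif words[:2] == ["router", "ospf"]:
                proc = words[2]
        elif cur is not None:
            if words[0] == "nameif":
                cur["name"] = words[1]
            elif words[:2] == ["ip", "address"] and len(words) >= 4:
                try:
                    cur["ip"] = ipaddress.ip_address(words[2])
                except ValueError:
                    pass                          # e.g. a dynamically assigned address
            elif words[:2] == ["ospf", "message-digest-key"]:
                cur["key"] = True
            elif words[:2] == ["ospf", "authentication"]:
                cur["auth"] = _mode(words[2:])
        elif proc is not None:
            if words[0] == "network" and len(words) >= 5 and words[3] == "area":
                net = ipaddress.ip_network(f"{words[1]}/{words[2]}", strict=False)
                networks.append((net, proc, words[4]))
            elif words[0] == "area" and words[2:3] == ["authentication"]:
                area_auth[(proc, words[1])] = _mode(words[3:])
    return ifaces, networks, area_auth


def effective_auth(config):
    """Map each OSPF-enabled interface to md5, md5-no-key, password or none."""
    ifaces, networks, area_auth = parse(config)
    result = {}
    for itf in ifaces:
        area = next(((p, a) for net, p, a in networks
                     if itf["ip"] is not None and itf["ip"] in net), None)
        if area is None:
            continue                              # interface is not covered by OSPF
        mode = itf["auth"]
        if mode == "area":
            mode = area_auth.get(area, "none")    # area authentication defaults to None
        if mode == "md5" and not itf["key"]:
            mode = "md5-no-key"                   # MD5 selected, no key on the interface
        result[itf["name"]] = mode
    return result


def findings(config):
    """Interfaces that need review: anything not running keyed MD5."""
    return sorted(n for n, m in effective_auth(config).items() if m != "md5")
```

On the sample, dmz has no authentication line at all and resolves to none through the Area default, while lab inherits MD5 from its area but has no key configured.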


Configuring OSPF NSSA

The OSPF implementation of an NSSA is similar to an OSPF stub area. NSSA does not flood Type 5 external LSAs from the core into the area, but it can import autonomous system external routes in a limited way within the area.

NSSA imports Type 7 autonomous system external routes within an NSSA area by redistribution. These Type 7 LSAs are translated into Type 5 LSAs by NSSA ABRs, which are flooded throughout the whole routing domain. Summarization and filtering are supported during the translation.

If you are an ISP or a network administrator who must connect a central site that uses OSPF to a remote site that uses a different routing protocol, you can simplify administration by using NSSA.

Before the implementation of NSSA, the connection between the corporate site border router and the remote router could not be run as an OSPF stub area because routes for the remote site could not be redistributed into the stub area, and two routing protocols needed to be maintained. A simple protocol such as RIP was usually run and handled the redistribution. With NSSA, you can extend OSPF to cover the remote connection by defining the area between the corporate router and the remote router as an NSSA.

Before you use this feature, consider these guidelines:

You can set a Type 7 default route that can be used to reach external destinations. When configured, the router generates a Type 7 default into the NSSA or the NSSA area boundary router.

Every router within the same area must agree that the area is NSSA; otherwise, the routers will not be able to communicate.

To specify area parameters for your network as needed to configure OSPF NSSA, perform the following steps:


Step 1 From the main ASDM home page, choose Configuration > Device Setup > Routing > OSPF > Setup.

Step 2 Click the Area/Networks tab.

Step 3 Click Add.

The Add OSPF Area dialog box appears.

Step 4 Choose NSSA in the Area Type area.

Choose this option to make the area a not-so-stubby area. NSSAs accept Type 7 LSAs. When you create an NSSA, you have the option of preventing summary LSAs from being flooded into the area by unchecking the Summary check box. You can also disable route redistribution by unchecking the Redistribute check box and enabling Default Information Originate.

Step 5 Enter the IP address in the IP Address field of the network or host to be added to the area. Use 0.0.0.0 with a netmask of 0.0.0.0 to create the default area. You can only enter 0.0.0.0 in one area.

Step 6 Enter the network mask in the Network Mask field for the IP address or host to be added to the area. If adding a host, choose the 255.255.255.255 mask.

Step 7 In the Authentication area, click None.

Choices include:

None—This option disables OSPF area authentication. This is the default setting.

Password—This option provides a clear text password for area authentication. This option is not recommended where security is a concern.

MD5—This option allows MD5 authentication.

Step 8 Enter a value in the Default Cost field to specify a default cost for the OSPF area.

Valid values range from 0 to 65535. The default value is 1.

Step 9 Click OK.


Defining Static OSPF Neighbors

You need to define static OSPF neighbors to advertise OSPF routes over a point-to-point, non-broadcast network. This lets you broadcast OSPF advertisements across an existing VPN connection without having to encapsulate the advertisements in a GRE tunnel.

Before you begin, you must create a static route to the OSPF neighbor. See Chapter 19, "Configuring Static and Default Routes," for more information about creating static routes.

To define a static OSPF neighbor, perform the following steps:


Step 1 In the main ASDM window, choose Configuration > Device Setup > Routing > OSPF > Static Neighbor.

Step 2 Click the Area/Networks tab.

The Add/Edit OSPF Neighbor Entry dialog box appears. This dialog box lets you define a new static neighbor or change information for an existing static neighbor. You must define a static neighbor for each point-to-point, non-broadcast interface. Note the following restrictions:

You cannot define the same static neighbor for two different OSPF processes.

You need to define a static route for each static neighbor.

Step 3 From the OSPF Process drop-down list, choose the OSPF process associated with the static neighbor. If you are editing an existing static neighbor, you cannot change this value.

Step 4 In the Neighbor field, enter the IP address of the static neighbor.

Step 5 In the Interface field, choose the interface associated with the static neighbor. If you are editing an existing static neighbor, you cannot change this value.

Step 6 Click OK.


Configuring Route Calculation Timers

You can configure the delay time between when OSPF receives a topology change and when it starts an SPF calculation. You also can configure the hold time between two consecutive SPF calculations.

To configure route calculation timers, perform the following steps:


Step 1 In the main ASDM window, choose Configuration > Device Setup > Routing > OSPF > Setup.

Step 2 Click the Process Instances tab.

Step 3 Choose the OSPF process that you want to edit, then click Advanced.

The Edit OSPF Process Advanced Properties dialog box appears.

Step 4 In the Timers area, enter the following values:

The Timers area allows you to modify the settings that are used to configure LSA pacing and SPF calculation timers.

SPF Delay Time—Specifies the time between when OSPF receives a topology change and when the SPF calculation starts. Valid values range from 0 to 65535. The default value is 5.

SPF Hold Time—Specifies the hold time between consecutive SPF calculations. Valid values range from 1 to 65534. The default value is 10.

LSA Group Pacing—Specifies the interval at which LSAs are collected into a group and refreshed, checksummed, or aged. Valid values range from 10 to 1800. The default value is 240.

Step 5 Click OK.


Logging Neighbors Going Up or Down

By default, a system message is generated when an OSPF neighbor goes up or down.

To log neighbors going up or down, perform the following steps:


Step 1 In the main ASDM window, choose Configuration > Device Setup > Routing > OSPF > Setup.

Step 2 Click the Process Instances tab.

Step 3 Click Advanced from the OSPF process you want to edit.

The Edit OSPF Process Advanced Properties dialog box appears.

Step 4 In the Adjacency Changes area, enter the following values:

The Adjacency Changes area includes settings that define the adjacency changes that cause system log messages to be sent.

Log Adjacency Changes—Check this check box to cause the adaptive security appliance to send a system log message whenever an OSPF neighbor goes up or down. This setting is selected by default.

Log Adjacency Changes Detail—Check this check box to cause the adaptive security appliance to send a system log message whenever any state change occurs, not just when a neighbor goes up or down. This setting is unchecked by default.

Step 5 Click OK.


Note Logging must be enabled for the neighbor up/down messages to be sent.



Configuring Filtering in OSPF

The Filtering pane displays the ABR Type 3 LSA filters that have been configured for each OSPF process.

ABR Type 3 LSA filters allow only specified prefixes to be sent from one area to another area and restrict all other prefixes. This type of area filtering can be applied out of a specific OSPF area, into a specific OSPF area, or into and out of the same OSPF areas at the same time.

OSPF ABR Type 3 LSA filtering improves your control of route distribution between OSPF areas.


Note Only Type 3 LSAs that originate from an ABR are filtered.


To configure filtering in OSPF, perform the following steps:


Step 1 In the main ASDM window, choose Configuration > Device Setup > Routing > OSPF > Filtering.

Step 2 Click Add or Edit.

The Add/Edit Filtering Entry dialog box lets you add new filters to the Filter table or to modify an existing filter. Some of the filter information cannot be changed when you edit an existing filter.

Step 3 Choose the OSPF process that is associated with the filter entry from the OSPF Process drop-down list.

Step 4 Choose the Area ID that is associated with the filter entry from the Area ID drop-down list. If you are editing an existing filter entry, you cannot modify this setting.

Step 5 In the Filtered Network field, enter the address and mask of the network being filtered using CIDR notation (a.b.c.d/m).

Step 6 Choose the traffic direction being filtered from the Traffic Direction drop-down list.

Choose "Inbound" to filter LSAs coming into an OSPF area, or "Outbound" to filter LSAs coming out of an OSPF area. If you are editing an existing filter entry, you cannot modify this setting.

Step 7 In the Sequence # field, enter a sequence number for the filter.

Valid values range from 1 to 4294967294. When multiple filters apply to an LSA, the filter with the lowest sequence number is used.

Step 8 Choose either Permit or Deny from the Action drop-down list.

Choose Permit to allow the LSA traffic or Deny to block the LSA traffic.

Step 9 In the Optional area, choose the following filtering options:

Lower Range—Specify the minimum prefix length to be matched. The value of this setting must be greater than the length of the network mask entered in the Filtered Network field and less than or equal to the value, if present, entered in the Upper Range field.

Upper Range—Enter the maximum prefix length to be matched. The value of this setting must be greater than or equal to the value, if present, entered in the Lower Range field, or, if the Lower Range field is left blank, greater than the length of the network mask entered in the Filtered Network field.

Step 10 Click OK.
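The filter fields in this procedure, evaluated in code: this is an added Python example, not part of the Cisco guide or ASDM. It enforces the Lower Range and Upper Range constraints from Step 9 and picks the matching entry with the lowest sequence number. It assumes that an entry with no range matches only the exact mask length, that a single range value is open-ended on the other side (the usual prefix-list convention), and that unmatched prefixes are denied; the class name, function names and filter table are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FilterEntry:
    seq: int                       # Sequence # field
    action: str                    # "permit" or "deny"
    network: str                   # Filtered Network, a.b.c.d/m
    lower: Optional[int] = None    # Lower Range
    upper: Optional[int] = None    # Upper Range

    def __post_init__(self):
        mask = ipaddress.ip_network(self.network).prefixlen  # rejects host bits
        if not 1 <= self.seq <= 4294967294:
            raise ValueError("sequence number out of range")
        if self.action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        for name, value in (("lower", self.lower), ("upper", self.upper)):
            if value is not None and not mask < value <= 32:
                raise ValueError(f"{name} range must be longer than /{mask}")
        if None not in (self.lower, self.upper) and self.lower > self.upper:
            raise ValueError("lower range exceeds upper range")

    def matches(self, prefix: str) -> bool:
        net = ipaddress.ip_network(self.network)
        route = ipaddress.ip_network(prefix)
        if self.lower is None and self.upper is None:
            lo = hi = net.prefixlen                 # assumed: exact length only
        else:
            lo = self.lower if self.lower is not None else net.prefixlen
            hi = self.upper if self.upper is not None else 32
        return lo <= route.prefixlen <= hi and route.subnet_of(net)


def evaluate(entries, prefix):
    """Return (action, seq) of the deciding entry, or ("deny", None) if none match."""
    for entry in sorted(entries, key=lambda e: e.seq):
        if entry.matches(prefix):
            return entry.action, entry.seq
    return "deny", None


def advertised(entries, prefixes):
    """Prefixes whose Type 3 LSAs survive the filter."""
    return [p for p in prefixes if evaluate(entries, p)[0] == "permit"]


# Constructed filter table for one area and one traffic direction.
FILTERS = [
    FilterEntry(20, "permit", "10.0.0.0/8", upper=24),
    FilterEntry(10, "deny", "10.1.0.0/16", lower=24, upper=32),
    FilterEntry(5, "permit", "10.1.99.0/24"),
]
```

Running `evaluate` over the prefixes you expect to cross the ABR shows which entry decides each one, which makes an overly broad permit or a shadowed deny visible before the filter is applied.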


Configuring a Virtual Link in OSPF

If you add an area to an OSPF network, and it is not possible to connect the area directly to the backbone area, you need to create a virtual link. A virtual link connects two OSPF devices that have a common area, called the transit area. One of the OSPF devices must be connected to the backbone area.

The Add/Edit Virtual Link dialog box lets you define new virtual links or change the properties of existing virtual links.


Step 1 In the main ASDM window, choose Configuration > Device Setup > Routing > OSPF > Virtual Link.

Step 2 Choose Add or Edit.

The Add/Edit OSPF Virtual Link dialog box appears, which allows you to define new virtual links or change the properties of existing virtual links.

Step 3 Choose the OSPF process ID that is associated with the virtual link from the OSPF Process drop-down list. If you are editing an existing virtual link entry, you cannot modify this setting.

Step 4 Choose the Area ID that is associated with the virtual link from the Area ID drop-down list.

Choose the area shared by the neighbor OSPF devices. The selected area cannot be an NSSA or a Stub area. If you are editing an existing virtual link entry, you cannot modify this setting.

Step 5 In the Peer Router ID field, enter the router ID of the virtual link neighbor.

If you are editing an existing virtual link entry, you cannot modify this setting.

Step 6 Choose Advanced to edit advanced virtual link properties.

The Advanced OSPF Virtual Link Properties dialog box appears. You can configure the OSPF properties for the virtual link in this area. These properties include authentication and packet interval settings.

Step 7 In the Authentication area, choose the Authentication type by clicking the radio button next to your choice. OSPF authentication options include:

None—Choose this option to disable OSPF authentication.

Authentication Password—Choose this option to use clear text password authentication. This is not recommended where security is a concern.

MD5—Choose this option to use MD5 authentication (recommended).

Area—(Default) Choose this option to use the authentication type specified for the area (see the "Configuring OSPF Area Parameters" section for information about configuring area authentication). Area authentication is disabled by default. So, unless you have previously specified an area authentication type, interfaces set to area authentication have authentication disabled until you configure area authentication.

Step 8 In the Authentication Password area, enter and re-enter a password when password authentication is enabled from Step 7. Passwords must be a text string of up to 8 characters.

Step 9 In the MD5 IDs and Keys area, enter the MD5 keys and parameters when MD5 authentication is enabled from Step 7. All devices on the interface using OSPF authentication must use the same MD5 key and ID. Fields include:

Key ID—Enter a numerical key identifier. Valid values range from 1 to 255. This field also displays the Key ID for the interface selected.

Key—An alphanumeric character string of up to 16 bytes. This field also displays the Key ID for the interface selected.

Click the Add or Delete button to add or delete the specified MD5 key to the MD5 ID and Key table.

Step 10 In the Interval area, choose the interval timing for the packet by choosing from the following options:

Hello Interval—Specifies the interval, in seconds, between hello packets sent on an interface. The smaller the hello interval, the faster topological changes are detected but the more traffic is sent on the interface. This value must be the same for all routers and access servers on a specific interface. Valid values range from 1 to 65535 seconds. The default value is 10 seconds.

Retransmit Interval—Specifies the time, in seconds, between LSA retransmissions for adjacencies belonging to the interface. When a router sends an LSA to its neighbor, it keeps the LSA until it receives the acknowledgement message. If the router receives no acknowledgement, it will resend the LSA. Be conservative when setting this value, or needless retransmission can result. The value should be larger for serial lines and virtual links. Valid values range from 1 to 65535 seconds. The default value is 5 seconds.

Transmit Delay—Specifies the estimated time, in seconds, required to send an LSA packet on the interface. LSAs in the update packet have their ages increased by the amount specified by this field before transmission. If the delay is not added before transmission over a link, the time in which the LSA propagates over the link is not considered. The value assigned should take into account the transmission and propagation delays for the interface. This setting has more significance on very low-speed links. Valid values range from 1 to 65535 seconds. The default value is 1 second.

Dead Interval—Specifies the interval, in seconds, in which no hello packets are received, causing neighbors to declare a router down. Valid values range from 1 to 65535. The default value of this field is four times the interval set by the Hello Interval field.

Step 11 Click OK.
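What the Password and MD5 choices in Step 7 through Step 9 put on the wire, as an added Python example that is not Cisco's code: it follows the OSPFv2 header layout and cryptographic authentication procedure of RFC 2328 and shows why the password is limited to 8 characters and the MD5 key to 16 bytes. The router ID, sequence number and hello body are constructed sample values, the function names are hypothetical, and the header checksum is left at zero for brevity.

```python
import hashlib
import hmac
import struct

AUTH_NONE, AUTH_PASSWORD, AUTH_MD5 = 0, 1, 2      # AuType values, RFC 2328
HEADER = struct.Struct("!BBHIIHH8s")              # 24-byte OSPFv2 header
CRYPTO = struct.Struct("!HBBI")                   # zero, key ID, digest length, sequence

# Constructed hello body: mask /8, hello 10 s, options, priority 20,
# dead 40 s, no DR/BDR (values borrowed from this chapter's example).
HELLO = struct.pack("!IHBBIII", 0xFF000000, 10, 0x02, 20, 40, 0, 0)


def pad_key(key: bytes) -> bytes:
    """The key is zero-padded to 16 bytes, hence the 16-byte limit."""
    if not 1 <= len(key) <= 16:
        raise ValueError("MD5 key must be 1 to 16 bytes")
    return key.ljust(16, b"\x00")


def build_packet(body, router_id, area_id, autype, auth_field, ptype=1):
    length = HEADER.size + len(body)
    # Checksum is left at 0 in this sketch; with MD5 it is not used at all.
    return HEADER.pack(2, ptype, length, router_id, area_id, 0, autype, auth_field) + body


def build_password_packet(body, router_id, area_id, password: bytes):
    """AuType 1: the 8-byte authentication field is the password itself."""
    if len(password) > 8:
        raise ValueError("password must fit the 8-byte field")
    return build_packet(body, router_id, area_id, AUTH_PASSWORD, password.ljust(8, b"\x00"))


def build_md5_packet(body, router_id, area_id, key_id, key: bytes, seq):
    if not 1 <= key_id <= 255:
        raise ValueError("key ID must be 1 to 255")
    packet = build_packet(body, router_id, area_id, AUTH_MD5, CRYPTO.pack(0, key_id, 16, seq))
    # Digest covers packet + padded key; it is appended and not counted in length.
    return packet + hashlib.md5(packet + pad_key(key)).digest()


def verify_md5_packet(data: bytes, keyring: dict, last_seq: int = 0):
    """Receiver-side check. Returns (accepted, reason)."""
    if len(data) < HEADER.size:
        return False, "truncated"
    _, _, length, _, _, _, autype, auth = HEADER.unpack_from(data)
    if autype != AUTH_MD5:
        return False, "authentication type mismatch"
    _, key_id, digest_len, seq = CRYPTO.unpack(auth)
    if key_id not in keyring:
        return False, "unknown key ID"
    if digest_len != 16 or length < HEADER.size or len(data) < length + 16:
        return False, "truncated"
    if seq < last_seq:
        return False, "stale sequence number"
    expected = hashlib.md5(data[:length] + pad_key(keyring[key_id])).digest()
    if not hmac.compare_digest(expected, data[length:length + 16]):
        return False, "digest mismatch"
    return True, "ok"
```

The reasons returned by `verify_md5_packet` correspond to the ways a virtual link fails to come up after a configuration change: different authentication types on the two ends, a key ID present on only one end, or the same key ID with a different key.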


Restarting the OSPF Process

To remove the entire OSPF configuration that you have enabled, perform the following steps:


Step 1 In the main ASDM window, choose Configuration > Device Setup > Routing > OSPF > Setup.

Step 2 Click Reset.


Configuration Example for OSPF

The following example shows how to enable and configure OSPF with various optional processes:


Step 1 In the main ASDM window, choose Configuration > Device Setup > Routing > OSPF > Setup.

Step 2 Click the Process Instances tab and in the OSPF Process 1 field, type 2.

Step 3 Click the Area/Networks tab, and click Add.

Step 4 Enter 0 in the Area ID field.

Step 5 In the Area Networks area, enter 10.0.0.0 in the IP Address field.

Step 6 Choose 255.0.0.0 from the Netmask drop-down list.

Step 7 Click OK.

Step 8 In the main ASDM window, choose Configuration > Device Setup > Routing > OSPF > Redistribution.

Step 9 Click Add.

The Add/Edit OSPF Redistribution Entry dialog box appears.

Step 10 In the Protocol area, click the OSPF radio button to choose the source protocol the routes are being redistributed from. Choosing OSPF redistributes routes from another OSPF routing process.

Step 11 Choose the OSPF process ID from the OSPF Process drop-down list.

Step 12 In the Match area, check the Internal check box.

Step 13 In the Metric Value field, enter 5 for the metric value of the routes being redistributed.

Step 14 From the Metric Type drop-down list, choose 1 for the Metric Type value.

Step 15 From the Route Map drop-down list, choose 1.

Step 16 Click OK.

Step 17 In the main ASDM window, choose Configuration > Device Setup > Routing > OSPF > Interface.

Step 18 From the Properties tab, choose the inside interface and click Edit.

The Edit OSPF Properties dialog box appears.

Step 19 In the Cost field, enter 20.

Step 20 Click Advanced.

Step 21 In the Retransmit Interval field, enter 15.

Step 22 In the Transmit Delay field, enter 20.

Step 23 In the Hello Interval field, enter 10.

Step 24 In the Dead Interval field, enter 40.

Step 25 Click OK.

Step 26 In the Edit OSPF Properties dialog box, enter 20 in the Priorities field, and click OK.

Step 27 Choose Configuration > Device Setup > Routing > OSPF > Interface.

Step 28 Click the Authentication tab.

The Edit OSPF Authentication dialog box appears.

Step 29 In the Authentication area, click on the MD5 radio button.

Step 30 In the MD5 and Key ID area, type cisco in the MD5 Key field, and type 1 in the MD5 Key ID field.

Step 31 Click OK.

Step 32 Choose Configuration > Device Setup > Routing > OSPF > Setup, and click the Area/Networks tab.

Step 33 Choose OSPF 2 process and click Edit.

The Edit OSPF Area dialog box appears.

Step 34 In the Area Type area, choose Stub.

Step 35 In the Authentication area, choose None, and enter 20 in the Default Cost field.

Step 36 Click OK.

Step 37 In the main ASDM window, choose Configuration > Device Setup > Routing > OSPF > Setup.

Step 38 Click the Process Instances tab and check the OSPF process 2 check box.

Step 39 Click Advanced.

The Edit OSPF Area dialog box appears.

Step 40 In the Timers area, enter 10 in the SPF Delay Time field and 20 in the SPF Hold Time field.

Step 41 In the Adjacency Changes area, check the Log Adjacency Change Details check box.

Step 42 Click OK.

Step 43 In the main ASDM window, choose Configuration > Device Setup > Routing > OSPF > Setup, then click Reset.


Monitoring OSPF

You can display specific statistics such as the contents of IP routing tables, caches, and databases. You can also use the information provided to determine resource utilization and solve network problems. You can also display information about node reachability and discover the routing path that your device packets are taking through the network.

To monitor or display various OSPF routing statistics in ASDM, perform the following steps:


Step 1 In the main ASDM window, choose Monitoring > Routing.

Step 2 From here you can select and monitor the following:

OSPF LSAs Types 1 through 7

OSPF Neighbors


Feature History for OSPF

Table 21-1 lists each feature change and the platform release in which it was implemented. ASDM is backwards-compatible with multiple platform releases, so the specific ASDM release in which support was added is not listed.

Table 21-1 Feature History for Static and Default Routes

Feature Name: OSPF Support

Platform Releases: 7.0(1)

Feature Information: Support was added to route data, perform authentication, and redistribute and monitor routing information, using the Open Shortest Path First (OSPF) routing protocol. The Configuration > Device Setup > Routing > OSPF screen was introduced.