OSPF

From securityrouter.org, an OpenBSD-based firewall

Open Shortest Path First[1] (OSPF) is a link-state routing protocol for Internet Protocol (IP) networks. Halon Security's implementation is based on, and slightly extends, OpenBSD's OpenOSPFD[2], which makes the ospfd.conf manual page[3] a great source of information. Currently, OSPF can only be configured by editing the clear-text configuration file.

Configuration

The following sub-chapters will describe, and provide examples for, a few common scenarios. The web administration's plain-text editor or the CLI configure command can be used to add the OSPF configuration to the configuration file.

Redundant firewalls

It's not unusual to have two redundant BGP routers and two redundant firewalls, connected using OSPF. In this example, we will show the configuration of an OSPF firewall. The firewall will make the redundant service available to the LAN using CARP. The configuration below is used on both firewalls, except that the "advskew" value should be higher on the backup firewall. The firewall that is active will announce its "LAN" (carp0) network to the routers. Likewise, if a firewall loses all OSPF connectivity, it will demote itself from being master.

interface em0 {
   description "LAN"
   interface carp0 {
      address 212.37.18.193/27
      # use a higher advskew on the backup firewall
      advskew 1
   }
}
ospf {
   # must be unique per node, see "Common errors" below
   router-id X.X.X.X
   area 0.0.0.0 {
      # MD5 authentication shared with the BGP routers
      auth-type crypt
      auth-md 1 "xxxxxx"
      auth-md-keyid 1
      # demote the carp group (give up master) if OSPF connectivity is lost
      demote carp
      # interface towards the routers
      interface emX
      # LAN, only announced if CARP master
      interface carp0
   }
}

Monitoring and administration

Most run-time information is viewed by using the ospfctl[4] command. For example, if you wish to show the status for OSPF neighbours you can issue the following command:

admin> ospfctl show nei
ID             Pri State        DeadTime Address        Iface     Uptime 
212.37.18.200  1   FULL/OTHER   00:00:33 212.37.18.200  em2       06w4d01h
212.37.18.201  1   FULL/DR      00:00:33 212.37.18.201  em2       06w4d01h
admin>

Common errors

Routes flapping when running in a cluster with same router-ID

If you're using two routers running in a cluster, it's very important to specify a unique router-id per node. Otherwise they may end up with the same router ID, which confuses the other routers and causes route flapping.
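The neighbour check from "Monitoring and administration" and the duplicate router-id problem above can be automated with a small script. This is an added example, not part of the original page or of Halon's product; it parses `ospfctl show neighbors` output (the sample below is constructed) and assumes the local router-id is passed in by the caller.

```shell
#!/bin/sh
# Checks an `ospfctl show neighbors` table: every neighbour must be in FULL
# state, and no neighbour may report the router-id this node uses itself
# (the cluster misconfiguration that causes route flapping).

# Constructed sample, modelled on the table shown on this page.
SAMPLE_NEIGHBORS='ID             Pri State        DeadTime Address        Iface     Uptime
212.37.18.200  1   FULL/OTHER   00:00:33 212.37.18.200  em2       06w4d01h
212.37.18.201  1   FULL/DR      00:00:33 212.37.18.201  em2       06w4d01h'

# ospf_neighbors_ok NEIGHBOR_TABLE LOCAL_ROUTER_ID
# Prints one line per problem and returns 1 if any was found, 0 otherwise.
ospf_neighbors_ok() {
    printf '%s\n' "$1" | awk -v self="$2" '
        NR == 1 { next }                          # header line
        NF == 0 { next }                          # blank line
        {
            split($3, st, "/")                    # State column, e.g. FULL/DR
            if (st[1] != "FULL") {
                bad++; print "neighbor " $1 " on " $6 " is " $3 ", not FULL"
            }
            if ($1 == self) {
                bad++; print "neighbor " $1 " uses our own router-id (duplicate in cluster?)"
            }
        }
        END { exit (bad > 0) }'
}

# Live wrapper for an OpenBSD/Halon box (assumed: `ospfctl show summary`
# prints a "Router ID: x.x.x.x" line). Not called here so the file runs offline.
ospf_check_live() {
    self=$(ospfctl show summary | awk '/^Router ID:/ { print $3 }')
    ospf_neighbors_ok "$(ospfctl show neighbors)" "$self"
}
```

Run `ospf_check_live` from cron or a monitoring agent; a non-zero exit means an adjacency is not FULL or a neighbour is advertising this node's router-id.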