OSPF protocol features

1. Route summary

1.1 Deploy route summary on ABR

For example, on ABR-GS-R1 of Area 1, the routes in Area 1 are summarized: the detailed routes of Site 1 are summarized to 192.168.0.0/19, and only this summary route is advertised to Area 0. As a result, CO and GS-R2 in Area 0 learn only this summary route, not the detailed routes of Site 1.

By default, the cost of the summary route is equal to the largest cost among the routes being summarized.

1.2 Deploy route summarization on ASBR

The principle is the same as for summarization on an ABR. The difference is that if the metric type of the summary route is Metric-Type-2, the cost of the summary route is equal to the largest cost among the summarized routes plus 1.

2. Virtual Link

An OSPF Virtual Link is a virtual, logical link deployed between two OSPF routers. It traverses a non-backbone area and is used to connect another non-backbone area to Area 0. A Virtual Link is regarded as an extension of Area 0. When a Virtual Link is established across a non-backbone area between two routers, the two routers try to form an adjacency over it. After the adjacency is established, the routers at both ends describe the Virtual Link in the Type-1 LSAs they generate. In a Type-1 LSA, the Virtual Link is described as a Type 4 link. It should be emphasized that a Virtual Link cannot be deployed across a Stub area.

3. The default route

The default route (Default Route) is the route whose destination network address and netmask are both 0. It is usually the router's route of last resort: when the device looks up a destination network and finds no matching specific route, it forwards the data using the default route, if one exists in its routing table.

3.1 Advertise default routes in regular areas

By default, routers in regular areas do not advertise OSPF default routes, even if there is a default route in their routing table (the default route may have been learned through another protocol, such as RIP). The router advertises the default route to the OSPF network only when it is configured to do so.

OSPF defines a dedicated command for importing default routes. For example, to import the default route into OSPF on OR, the OR configuration is as follows:

default-route-advertise cost 10 type 2

This command advertises a default route to the OSPF domain. The default route is described by a Type-5 LSA, so it is actually an external route. In this command, the cost keyword specifies the cost of the default route, and the type keyword specifies the Metric-Type of the route. It should be emphasized that this method only works if a default route already exists in the routing table of OR. That default route can be static or learned from another dynamic routing protocol (or another OSPF process). Only when this condition is met is the default route delivered to the OSPF domain. If the always keyword is added to the default-route-advertise command, OR always delivers the default route to the OSPF network, regardless of whether there is a default route in its routing table.

3.2 Advertise the default route in the stub area

When an OSPF area is configured as a stub area, Type-5 LSAs are no longer allowed to flood in the area, and routers inside the area cannot learn routes external to the OSPF domain. So how do these routers reach networks outside the domain?

The ABR of the stub area automatically issues a default route (Type-3 LSA) into the area, so that routers in the stub area send traffic destined outside the domain to the ABR through this default route, and the ABR then forwards the traffic onward.

By default, the cost of this default route is 1. You can use the default-cost command in the OSPF area configuration view of the ABR in this stub area to modify this cost value.

3.3 Advertise the default route in the Totally Stub area

The Totally Stub area builds on the Stub area and further prohibits Type-3 LSAs of other areas from flooding in this area. Routers in this area can learn neither routes external to the OSPF domain nor routes from other OSPF areas. The ABR automatically advertises a default route (Type-3 LSA) into the area, so that routers inside the area can reach other areas and destinations outside the OSPF domain through the ABR.

By default, the cost of this default route is 1. You can use the default-cost command to modify the cost value in the OSPF area configuration view of the ABR in this totally stub area.

3.4 Advertise the default route in NSSA


When an area is configured as an NSSA, Type-4 and Type-5 LSAs are no longer allowed to enter the area. On the other hand, an NSSA allows a small number of external routes to be imported locally. This means that routers in the NSSA do not learn external routes imported outside the area, and the ABR of the NSSA automatically issues a default route (described by a Type-7 LSA) into the NSSA.

There may be another requirement: the default route should be delivered to the routers in the NSSA by the ASBR (R2) inside the area. In that case R2 must be configured manually. The key configuration of R2 is as follows:

nssa default-route-advertise

After the configuration is complete, R2 injects a default route described by a Type-7 LSA into the NSSA. This default route is propagated only within the NSSA; the ABR does not convert it into a Type-5 LSA and send it into Area 0. Note that the command injects the default route into the NSSA only when the NSSA ASBR already has a default route in its routing table; otherwise the default route is not injected.

3.5 Advertise the default route in Totally NSSA

Totally NSSA prohibits Type-3, Type-4, and Type-5 LSAs from flooding in this area. At the same time, the ABR of the area automatically issues a default route (Type-3 LSA) into the area, so that routers in the NSSA can reach other areas or networks outside the domain through this default route.

4. Message authentication

OSPF supports three authentication methods: null authentication (Null Authentication), simple password authentication (Simple Password), and cryptographic authentication (Cryptographic Authentication). The corresponding values of the "Authentication Type" field are 0, 1, and 2, respectively.

4.1 Null authentication

OSPF supports three authentication methods, namely Null Authentication, Simple Password, and Cryptographic Authentication. The values of the "Authentication Type" field corresponding to these three methods are 0, 1, and 2.

4.2 Simple password authentication

Simple password authentication is also called plain text authentication. A plain text password is carried in the authentication data field and is used to authenticate OSPF messages as they are sent and received. This method is therefore not secure: wherever messages on the network can be sniffed, anyone who captures and analyzes an OSPF message can directly read the plaintext password it contains.

4.3 Cryptographic authentication

Unlike simple password authentication, cryptographic authentication does not place the plaintext password in the OSPF message. Instead, the message carries a hash value computed with the MD5 algorithm from the password configured by the user.

MD5 is a theoretically irreversible hash algorithm. Therefore, even if the OSPF message is captured, the plaintext password cannot be obtained from the hash value it contains. This authentication method is thus clearly more secure than simple password authentication.

| Field | Size | Meaning |
| --- | --- | --- |
| Key-ID (Key Identification) | 8 bits | Key identifier. If two directly connected OSPF routers have message authentication enabled, the Key-ID and password on both sides must match. |
| Authentication Data Length | 8 bits | The data obtained by running the password through a hash algorithm (such as MD5) is appended to the end of the OSPF message (not placed in the OSPF header). It is not regarded as part of the OSPF protocol message, so the "message length" field in the OSPF header does not include the authentication data. The "Authentication Data Length" field gives the length of this authentication data. |
| Cryptographic Sequence Number | 32 bits | A continuously increasing sequence number used to protect OSPF packets against replay. Because the value of this field only increases and never decreases, when the cryptographic sequence number of a received OSPF message is equal to or less than the current sequence number, the router treats the message as a replayed message and discards it. |
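The receiver-side checks that follow from these fields, as an added example that is not part of the original post: it builds and verifies the MD5 trailer as specified in RFC 2328 Appendix D and applies the replay rule as this page states it. The key, router ID, packet body and all function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

HDR = struct.Struct("!BBH4s4sHH")  # version, type, length, router ID, area ID, checksum, AuType
AUTH = struct.Struct("!HBBI")      # zero, Key-ID, auth data length, cryptographic sequence number
AUTYPE_CRYPTO = 2
MD5_LEN = 16

def _digest(packet, key):
    # RFC 2328 Appendix D: MD5 over the packet followed by the key padded to 16 bytes
    return hashlib.md5(packet + key[:MD5_LEN].ljust(MD5_LEN, b"\0")).digest()

def sign(body, router_id, area_id, key_id, key, seq, ptype=1):
    length = HDR.size + AUTH.size + len(body)  # header length field excludes the digest
    pkt = HDR.pack(2, ptype, length, router_id, area_id, 0, AUTYPE_CRYPTO)
    pkt += AUTH.pack(0, key_id, MD5_LEN, seq) + body
    return pkt + _digest(pkt, key)

def verify(wire, keys, last_seq):
    """Return (accepted, reason). keys: Key-ID -> secret; last_seq: router ID -> last seq."""
    if len(wire) < HDR.size + AUTH.size:
        return False, "truncated"
    _, _, length, rid, _, _, autype = HDR.unpack_from(wire)
    _, key_id, alen, seq = AUTH.unpack_from(wire, HDR.size)
    if autype != AUTYPE_CRYPTO:
        return False, "unexpected authentication type"
    if key_id not in keys:
        return False, "unknown Key-ID"
    if alen != MD5_LEN or length < HDR.size + AUTH.size or len(wire) != length + alen:
        return False, "bad length"
    if not hmac.compare_digest(_digest(wire[:length], keys[key_id]), wire[length:]):
        return False, "digest mismatch"
    # Replay rule as stated on this page (equal or lower is dropped);
    # RFC 2328 itself only rejects strictly lower values.
    if rid in last_seq and seq <= last_seq[rid]:
        return False, "replayed sequence number"
    last_seq[rid] = seq  # state is updated only after the digest has been verified
    return True, "ok"

# Constructed sample values (not from the page)
KEYS = {1: b"constructed-key"}
ROUTER_ID = bytes([10, 0, 0, 1])
AREA_0 = bytes(4)
HELLO_BODY = bytes(20)

if __name__ == "__main__":
    state = {}
    pkt = sign(HELLO_BODY, ROUTER_ID, AREA_0, 1, KEYS[1], seq=100)
    print(verify(pkt, KEYS, state))  # first copy
    print(verify(pkt, KEYS, state))  # same packet captured and re-sent
```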

5. Forwarding address

OSPF Type-5 and Type-7 LSAs contain a special field: the Forwarding Address (FA). The FA enables OSPF to avoid suboptimal paths in some special scenarios.
OSPF designed the FA field to solve the suboptimal path problem. The FA field exists only in Type-5 and Type-7 LSAs and is somewhat similar to the concept of an "exit" toward the external network.

Take the Type-5 LSA as an example. When a router uses a Type-5 LSA to calculate a route to an external network segment, it performs an AND operation on the link state ID of the Type-5 LSA and the network mask contained in the LSA. This yields the destination network address and mask of the route. In addition, the router checks the reachability of the ASBR that generated the LSA. If the ASBR is unreachable, the Type-5 LSA is not used to calculate the route. When the ASBR is reachable, the LSA is considered valid.

At this point, if the FA contained in the LSA is 0.0.0.0, the router concludes that packets for the destination network segment should be sent to the ASBR, so it uses the next hop toward the ASBR as the next hop of this external route. If the FA is not 0.0.0.0, the router concludes that packets for the destination network segment should be sent to the device identified by the FA, so it looks up the route to the FA in its own OSPF routing table. If the OSPF routing table contains an OSPF intra-area route or inter-area route that matches the FA, the next hop toward the FA is used as the next hop of this external route. If no route meets these conditions, the Type-5 LSA is not used for external route calculation.
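The next-hop decision described above, as an added example that is not part of the original post: the function names, the dictionary layout and all addresses are constructed for illustration, and longest-prefix match is assumed when several routes cover the FA.

```python
import ipaddress

def external_route(lsa, asbr_next_hops, ospf_routes):
    """Return (prefix, next_hop) for a Type-5 LSA, or None if the LSA cannot be used.

    lsa: dict with ls_id, mask, adv_router, forwarding_address (dotted strings)
    asbr_next_hops: router ID of each reachable ASBR -> next hop toward it
    ospf_routes: list of (prefix, kind, next_hop); kind is "intra", "inter" or "external"
    """
    # Destination network = link state ID AND network mask
    ls_id = int(ipaddress.IPv4Address(lsa["ls_id"]))
    mask = int(ipaddress.IPv4Address(lsa["mask"]))
    prefix = ipaddress.IPv4Network((ls_id & mask, lsa["mask"]))

    # The ASBR that generated the LSA must be reachable, otherwise the LSA is ignored
    if lsa["adv_router"] not in asbr_next_hops:
        return None

    fa = ipaddress.IPv4Address(lsa["forwarding_address"])
    if int(fa) == 0:
        # FA 0.0.0.0: forward toward the ASBR itself
        return str(prefix), asbr_next_hops[lsa["adv_router"]]

    # Non-zero FA: only intra-area or inter-area routes may resolve it
    matches = [(ipaddress.IPv4Network(net), nh) for net, kind, nh in ospf_routes
               if kind in ("intra", "inter") and fa in ipaddress.IPv4Network(net)]
    if not matches:
        return None
    best = max(matches, key=lambda m: m[0].prefixlen)
    return str(prefix), best[1]

# Constructed sample data (not from the page)
ASBR_NEXT_HOPS = {"3.3.3.3": "10.1.13.3"}
OSPF_ROUTES = [("10.1.23.0/24", "intra", "10.1.12.2"),
               ("10.9.0.0/16", "external", "10.1.13.3")]
LSA = {"ls_id": "172.16.1.255", "mask": "255.255.255.0",
       "adv_router": "3.3.3.3", "forwarding_address": "10.1.23.4"}

if __name__ == "__main__":
    print(external_route(LSA, ASBR_NEXT_HOPS, OSPF_ROUTES))
    print(external_route(dict(LSA, forwarding_address="0.0.0.0"), ASBR_NEXT_HOPS, OSPF_ROUTES))
```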

When an ASBR imports external routes into OSPF, the FA field of the Type-5 LSAs describing these routes is generally set to 0.0.0.0. When certain conditions are met, however, the ASBR can set the FA field to a value other than 0.0.0.0.

These conditions are:

The ASBR that imports external routes activates OSPF on its interface connected to the external network (the outgoing interface of the external route);

The interface is not configured as Silent-Interface;

The network type of the interface is Broadcast or NBMA;

The IP address of this interface falls within the network command range configured by the OSPF protocol.

When the above four conditions are met at the same time, FA is allowed to be set to a value other than 0.0.0.0, otherwise FA is set to 0.0.0.0.

6. OSPF routing anti-loop mechanism

OSPF differs from distance vector routing protocols. Routers running OSPF do not exchange routing information with each other; they exchange LSAs, and routes are calculated from the various LSAs flooded in the network. The OSPF loop prevention mechanism therefore also depends on a number of design rules related to LSAs.

6.1 Loop prevention of intra-area routing

Relying on Type-1 and Type-2 LSAs, the router can reconstruct the topology and network segment information of the area, run the SPF algorithm, calculate the optimal path to each network segment, and install these paths into the routing table. Routing within an area is therefore loop-free.

6.2 Loop prevention of inter-area routing

(1) OSPF requires all non-backbone areas to be directly connected to Area 0, and inter-area routes must transit Area 0.
This rule prevents inter-area routes from being passed directly between two non-backbone areas, which largely avoids inter-area routing loops and gives the OSPF area architecture a logically star-like topology.


(2) Type-3 LSAs received by an ABR from a non-backbone area cannot be used for inter-area route calculation.
OSPF places strict requirements on ABRs. The key to inter-area routing is how the ABR processes Type-3 LSAs.

OSPF stipulates that when an ABR uses Type-3 LSAs to calculate inter-area routes, it uses only the Type-3 LSAs received in Area 0; Type-3 LSAs received from non-backbone areas are not used for route calculation. This effectively avoids loops.


(3) An ABR can inject only the intra-area routes of its connected areas into the backbone area (inter-area routes are not allowed); in addition, it can inject the intra-area routes of its connected areas and the inter-area routes to other areas into non-backbone areas.
R3 can inject the routing information describing Area 2 into Area 0, and at the same time inject the Type-3 LSA generated from R4 into Area 0. At this time, R2 cannot use these Type-3 LSAs for inter-area routing calculations, let alone inject Type-3 LSAs describing these routes into Area 0 (the first half of this rule), because all interfaces of R2 belong to Area 0. This effectively prevents inter-area routes from being injected back into Area 0.

On the other hand, R3 finds Type-1 LSAs (and possibly Type-2 LSAs) in Area 0 and also receives Type-3 LSAs describing inter-area routes. R3 can use these LSAs to calculate the intra-area routes to each network segment in Area 0 and the inter-area routes to each network segment in Area 1, and it can inject Type-3 LSAs describing these routes into the non-backbone area, Area 2 (the second half of this rule).

The injection is unidirectional.


(4) An ABR does not inject Type-3 LSAs that describe routes to network segments in a given area back into that area.

R2 acts as an ABR: it generates Type-3 LSAs describing Area 1 and injects them into Area 0. These Type-3 LSAs are not sent back into Area 1. After R3 receives the Type-3 LSA sent by R2, it generates a new Type-3 LSA that describes the route to Area 1 for the routers in Area 2. This Type-3 LSA is not sent back into Area 0.

(5) The Type-3 LSA also carries a Down-Bit (a special bit) for routing loop prevention in MPLS VPN environments.

6.3 Anti-loop of external routing

There are two prerequisites for a router to use Type-5 LSA to calculate a route. One is to receive Type-5 LSA, and the other is to know how to reach the ASBR that generated this Type-5 LSA.

Type-5 LSAs are flooded throughout the entire OSPF domain. On the surface, the Type-5 LSA has no loop prevention capability of its own, but in fact it does not need one, because it can rely on Type-1, Type-2 and Type-4 LSAs to prevent loops.

7. OSPF routing type and priority

Their priority is arranged in the following order:

Intra Area Route: the route calculated by the router from the Type-1 and Type-2 LSAs flooded in the area. Using these routes, the router can reach the network segments in its directly connected areas.

Inter Area Route: the route calculated by the router from Type-3 LSAs. Using these routes, the router can reach the network segments of other areas.

Type-1 external route (Metric-Type-1 External Route): the external route calculated by the router from a Type-5 LSA (Metric-Type-1).

Type-2 external route (Metric-Type-2 External Route): the external route calculated by the router from a Type-5 LSA (Metric-Type-2).


Origin blog.csdn.net/weixin_45793782/article/details/112430059