OSPF area configuration best practices

From CT3

By Ivan Pepelnjak

A major part of OSPF routing configuration in Cisco IOS is specifying the interfaces on which you want to run OSPF and the OSPF areas to which these interfaces belong. IOS gives you two configuration mechanisms:

  • The network command within the OSPF routing process configuration. The network command allows you to specify an ACL-like filter that can match multiple interfaces with a single command, significantly reducing the configuration complexity.
In IOS release 12.4T, you can use either the wildcard mask (low-end bits set to one) or subnet mask (high-end bits set to one) in the network command.
  • The ip ospf area command in the interface configuration mode. The ip ospf area command gives you very granular control over interface-to-area mappings.

Building the list of OSPF interfaces

The following steps are taken when the OSPF routing process decides whether to use an interface and in which area to place it:

  1. If the interface configuration contains the ip ospf number area area command with the number matching the OSPF process number, the interface is used by the OSPF process and placed in the specified area.
  2. For all other interfaces configured on the router, the IP address of the interface is matched with the network statements, starting with the most specific ones. The first network statement that matches the IP address of the interface is used to determine the OSPF area.

These steps are repeated every time you change the routing process configuration or IP-related interface configuration (change in IP address or configuration/removal of the ip ospf area interface configuration command).

Best practices

Whenever possible, minimize the amount of OSPF configuration. For example, all interfaces on a stub remote site router with two upstream WAN links should usually belong to the same OSPF area (Figure 1).

Figure 1: Simple remote site design

You can use the following minimum configuration on the stub router:

interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
interface FastEthernet0/0
 description site LAN
 ip address 10.2.0.1 255.255.255.0
!
interface Serial1/1
 description primary WAN
 ip address 10.1.0.1 255.255.255.252
!
interface Serial1/2
 description backup WAN
 ip address 10.1.0.5 255.255.255.252
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 1

The network 0.0.0.0 255.255.255.255 area 1 router configuration command ensures that all the new interfaces configured on the router after the OSPF process has been configured (for example, additional VLAN subnets) get included in OSPF area 1 automatically.

Securing the interfaces

In most cases, you want to include all interfaces on a router in the OSPF routing process, but only run OSPF on transit interfaces. To make your OSPF configuration safer, use the passive-interface default router configuration command and enable the OSPF hello protocol on individual interfaces with the no passive-interface router configuration command. The subnet of a passive interface is still advertised, but the router neither sends nor processes OSPF hellos on it. For example, a host on the remote site LAN in Figure 1 should not be able to form an OSPF adjacency with the router and insert bogus routes into the OSPF area. To increase the security of the remote site router, use the following configuration:

interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 10.2.0.1 255.255.255.0
!
interface Serial1/1
 ip address 10.1.0.1 255.255.255.252
!
interface Serial1/2
 ip address 10.1.0.5 255.255.255.252
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 1
 passive-interface default
 no passive-interface Serial1/1
 no passive-interface Serial1/2
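
The selection steps from "Building the list of OSPF interfaces" and the passive-interface check from this section, as an added Python example (not part of the original article, and not a Cisco tool): it parses a constructed IOS configuration and reports, per interface, the OSPF area and whether hellos are sent. It assumes wildcard-mask network statements and static ip address lines; the function and variable names are hypothetical.

```python
from ipaddress import IPv4Address

# Constructed sample config (not from the page) covering both selection steps.
CONFIG = """\
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
interface Serial1/1
 ip address 10.2.0.1 255.255.255.252
 ip ospf 1 area 0
interface Serial1/2
 ip address 10.2.0.5 255.255.255.252
router ospf 1
 network 0.0.0.0 255.255.255.255 area 1
 network 10.2.0.0 0.0.0.255 area 0
 passive-interface default
 no passive-interface Serial1/1
"""

def ospf_interfaces(config, process="1"):
    """Return {interface: (area, sends_hellos)} for one OSPF process."""
    addrs, pinned, nets, active, passive = {}, {}, [], set(), set()
    ifname, in_ospf, passive_default = None, False, False
    for line in config.splitlines():
        w = line.split()
        if not line.startswith(" "):             # top-level line opens a new block
            ifname = w[1] if w[:1] == ["interface"] else None
            in_ospf = w[:3] == ["router", "ospf", process]
        elif ifname and w[:2] == ["ip", "address"]:
            addrs[ifname] = int(IPv4Address(w[2]))
        elif ifname and w[:3] == ["ip", "ospf", process] and w[3:4] == ["area"]:
            pinned[ifname] = w[4]
        elif in_ospf and w[:1] == ["network"]:   # assumption: wildcard-mask form
            net, wild = (int(IPv4Address(x)) for x in w[1:3])
            nets.append((net, ~wild & 0xFFFFFFFF, w[4]))   # keep the "care" bits
        elif in_ospf and w[:2] == ["passive-interface", "default"]:
            passive_default = True
        elif in_ospf and w[:1] == ["passive-interface"]:
            passive.add(w[1])
        elif in_ospf and w[:2] == ["no", "passive-interface"]:
            active.add(w[2])
    nets.sort(key=lambda n: -bin(n[1]).count("1"))   # most specific first
    result = {}
    for name, ip in addrs.items():
        hit = [a for net, keep, a in nets if ((ip ^ net) & keep) == 0]
        area = pinned.get(name) or (hit[0] if hit else None)  # step 1, then step 2
        if area is not None:
            hellos = name in active if passive_default else name not in passive
            result[name] = (area, hellos)
    return result
```

In the sample, the site LAN is placed in area 1 but stays passive, which is the intended result; Serial1/2 lands in area 0 through the network statement but is also passive because its no passive-interface line is missing, so no adjacency can form on that link.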

Multi-area configuration

In most cases, the majority of the router’s interfaces belong to one area. For example, a distribution-layer router might have all access links in one area and a few core links in another (backbone) area, as shown in Figure 2.

Figure 2: Regional router design

If the access links in area 1 use different parts of IP address space than the core links, you can use two network statements (the most specific one will take precedence):

interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
interface Serial1/1
 description Core link #1
 ip address 10.2.0.1 255.255.255.252
!
interface Serial1/2
 description Core link #2
 ip address 10.2.0.5 255.255.255.252
!
interface Serial2/0.101
 ip address 10.1.0.1 255.255.255.0
!
router ospf 1
 log-adjacency-changes
 network 10.2.0.0 0.0.0.255 area 0
 network 0.0.0.0 255.255.255.255 area 1

Alternatively, you can assign individual interfaces to the backbone area with the ip ospf area interface configuration command:

interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
interface Serial1/1
 description Core link #1
 ip address 10.2.0.1 255.255.255.252
 ip ospf 1 area 0
!
interface Serial1/2
 description Core link #2
 ip address 10.2.0.5 255.255.255.252
 ip ospf 1 area 0
!
interface Serial2/0.101
 ip address 10.1.0.1 255.255.255.0
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 1

Complex scenarios

In networks without a clear IP addressing design that would separate the core links from the access links, it’s best to avoid the network router configuration command and assign individual interfaces to specific OSPF areas.

This approach is maintenance-intensive (but also slightly more secure), as you have to specify the OSPF area number each time you configure a new interface on the router. It’s also harder to deduce the scope of OSPF routing solely from the router configuration.

The regional router’s configuration from the previous section could be rewritten as follows:

interface Loopback0
 ip address 10.0.0.1 255.255.255.255
 ip ospf 1 area 1 
!
interface Serial1/1
 description Core link #1
 ip address 10.2.0.1 255.255.255.252
 ip ospf 1 area 0
!
interface Serial1/2
 description Core link #2
 ip address 10.2.0.5 255.255.255.252
 ip ospf 1 area 0
!
interface Serial2/0.101
 ip address 10.1.0.1 255.255.255.0
 ip ospf 1 area 1
!
router ospf 1
 log-adjacency-changes

Bad recommendations

Several training courses and textbooks promote yet another OSPF configuration practice: you should list the subnet and inverse mask of each individual interface with the network statement. Using this recommendation, the configuration of the regional router becomes unnecessarily complex:

interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
interface Serial1/1
 description Core link #1
 ip address 10.2.0.1 255.255.255.252
!
interface Serial1/2
 description Core link #2
 ip address 10.2.0.5 255.255.255.252
!
interface Serial2/0.101
 ip address 10.1.0.1 255.255.255.0
!
router ospf 1
 network 10.0.0.1 0.0.0.0 area 1
 network 10.1.0.0 0.0.0.255 area 1
 network 10.2.0.0 0.0.0.3 area 0
 network 10.2.0.4 0.0.0.3 area 0
 log-adjacency-changes

Listing the subnet of each individual interface with the network statement does not result in any advantage. This practice presents significant opportunities for errors, as you have to calculate the IP subnet and the reverse subnet mask, which is often a non-trivial operation.
