Adjacencies
Peering
General information on “OSPF Peering”:
- Neighborship requirements:
  - Primary interface IP must be on the same subnet
  - Connected interface must not be passive
  - Authentication must match
  - Hello/Dead timers must match (default 10/40)
  - Area ID must match
  - Stub Area Flag must match
  - Router IDs must be unique
  - IP MTU must match (if not, the neighbors are stuck in the EXSTART state)
- Neighborship vs. Adjacency:
  - Although the words Neighborship and Adjacency are used interchangeably, there is a major difference between them within OSPF
  - Neighborship: Peering between two OSPF routers which don’t exchange routes (= 2-WAY state)
  - Adjacency: Peering between two OSPF routers which do exchange routes (= FULL state)
- OSPFv2 peering (IPv4 only):
  - The network statement defines an IP range and enables OSPF on all interfaces belonging to it
  - The interfaces will then advertise the connected networks with the “real” subnet mask
  - Alternatively it’s possible to activate OSPFv2 per interface rather than using the network statement
  - Important: Even if the interface is configured as passive, the connected network will still be advertised; it just won’t form a neighborship with the connected neighbor!
- OSPFv3 peering (IPv4/IPv6):
  - The network statement is eliminated in OSPFv3
  - Instead, OSPFv3 for both AFs (IPv4 and IPv6) is activated on a per-interface basis
  - If no IPv4 address is configured on any interface, the OSPFv3 router-id must be set explicitly
- OSPFv3 instance ID:
  - OSPFv3 introduces a new, optionally configurable attribute called Instance ID
  - This allows for running multiple, different OSPF instances on a single link
  - When the Instance ID is configured, it must match between the OSPF peers in order to form a neighborship/adjacency
  - Problem: 4 routers are connected on a broadcast segment. It is required to peer router 1 and 2 as well as router 3 and 4, but there shouldn’t be any peering between 1 and 3/4 or 2 and 3/4.
  - Solution: Routers 1/2 are configured with their own instance ID and routers 3/4 are configured with their own instance ID.
| Instance ID value | Description |
|---|---|
| 0 | IPv6 unicast AF default instance |
| 1-31 | IPv6 unicast AF configurable instance |
| 32 | IPv6 multicast AF default instance |
| 33-63 | IPv6 multicast AF configurable instance |
| 64 | IPv4 unicast AF default instance |
| 65-95 | IPv4 unicast AF configurable instance |
| 96 | IPv4 multicast AF default instance |
| 97-127 | IPv4 multicast AF configurable instance |
| 128-255 | Unassigned |
OSPF configuration considerations:
- Valid for OSPFv2/v3:
  - The process ID is only locally significant
- Valid for OSPFv3 only:
  - For advertising IPv4 routes, the interface needs an IPv4 AND an IPv6 address (link-local is enough) in order to form a neighborship, because OSPFv3 uses IPv6 as its transport protocol
  - A router-id can be set either globally for the whole process or individually for each address-family. An individually set router-id “overwrites” the globally set router-id.
  - The instance ID is a domain-wide significant value
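The neighborship requirements and the four-router instance-ID scenario above, as an added example that is not part of the original notes: it encodes each requirement as a check on a pair of interface definitions, reports the MTU case separately (the pair still reaches 2-WAY but never FULL), and replays the instance-ID scenario on one constructed segment. The class and function names and all interface values are my own.

```python
"""Neighborship requirement checker for OSPFv2/OSPFv3 interfaces (added example)."""
import ipaddress
from dataclasses import dataclass
from itertools import combinations


@dataclass
class OspfIf:
    router: str                 # hostname, only for readable output (constructed)
    router_id: str
    ip: str                     # primary address with prefix length
    version: int = 2            # 2 = OSPFv2 (IPv4 transport), 3 = OSPFv3 (IPv6 transport)
    area: int = 0
    passive: bool = False
    hello: int = 10
    dead: int = 40
    auth: tuple = ("null", "")  # (type, key); on the wire only a digest crosses, never the key
    stub: bool = False
    mtu: int = 1500
    instance_id: int = 0        # OSPFv3 only; 0 is the IPv6 unicast default instance


REASONS = {
    "router-id": "router IDs must be unique",
    "subnet": "primary interface IPs must be on the same subnet (OSPFv2)",
    "passive": "a passive interface advertises its network but sends no hellos",
    "auth": "authentication type and key must match",
    "timers": "hello/dead timers must match",
    "area": "area IDs must match",
    "stub": "stub area flag must match",
    "instance": "OSPFv3 instance IDs must match",
    "mtu": "IP MTU must match, otherwise the pair is stuck in EXSTART",
}


def check_neighborship(a, b):
    """Return the list of failed requirement codes; an empty list means FULL is expected."""
    failed = []
    if a.router_id == b.router_id:
        failed.append("router-id")
    # OSPFv3 hellos are sourced from link-local addresses, so the shared-subnet
    # rule is only enforced for OSPFv2.
    if a.version == 2 and b.version == 2:
        if ipaddress.ip_interface(a.ip).network != ipaddress.ip_interface(b.ip).network:
            failed.append("subnet")
    if a.passive or b.passive:
        failed.append("passive")
    if a.auth != b.auth:
        failed.append("auth")
    if (a.hello, a.dead) != (b.hello, b.dead):
        failed.append("timers")
    if a.area != b.area:
        failed.append("area")
    if a.stub != b.stub:
        failed.append("stub")
    if a.version == 3 and a.instance_id != b.instance_id:
        failed.append("instance")
    # Checked last on purpose: with an MTU mismatch the routers still see each
    # other (2-WAY); it is the DBD exchange that fails, so no adjacency forms.
    if a.mtu != b.mtu:
        failed.append("mtu")
    return failed


def adjacency_pairs(interfaces):
    """Set of router-name pairs on one segment that satisfy every requirement."""
    return {
        frozenset((a.router, b.router))
        for a, b in combinations(interfaces, 2)
        if not check_neighborship(a, b)
    }


# Constructed scenario from the notes: four OSPFv3 routers on one broadcast
# segment. R1/R2 share instance ID 1 and R3/R4 share instance ID 2 (both in
# the IPv6 unicast configurable range), so only those two pairs peer.
SEGMENT = [
    OspfIf("R1", "1.1.1.1", "fe80::1/64", version=3, instance_id=1),
    OspfIf("R2", "2.2.2.2", "fe80::2/64", version=3, instance_id=1),
    OspfIf("R3", "3.3.3.3", "fe80::3/64", version=3, instance_id=2),
    OspfIf("R4", "4.4.4.4", "fe80::4/64", version=3, instance_id=2),
]

if __name__ == "__main__":
    for pair in sorted(adjacency_pairs(SEGMENT), key=sorted):
        print("adjacency:", " <-> ".join(sorted(pair)))
    mismatch = check_neighborship(
        OspfIf("A", "10.0.0.1", "10.0.0.1/24"),
        OspfIf("B", "10.0.0.2", "10.0.0.2/24", mtu=1400),
    )
    for code in mismatch:
        print(code, "-", REASONS[code])
```

The check compares keys locally because it reads configuration; a real neighbor never learns the peer's key, only a digest of packet plus key, which is what the authentication section below is about.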
“OSPF Peering” CLI configuration commands:
## ======
## OSPFv2
## ======
## Configuring an OSPFv2 process
Router(config)# router ospf <pid>
Router(config-router)# network <network> <mask> area <id>
## Configuring OSPFv2 on a per-interface basis
Router(config)# interface <if>
Router(config-if)# ip ospf <pid> area <id>
## ======
## OSPFv3
## ======
## Configuring an OSPFv3 process
Router(config)# ipv6 unicast-routing
Router(config)# router ospfv3 <pid>
Router(config-router)# address-family [ipv4 | ipv6] unicast [vrf [VRF-NAME]]
Router(config-router-af)# [argument]
## Configuring OSPFv3 on a per-interface basis
Router(config)# ipv6 unicast-routing
Router(config)# interface <if>
Router(config-if)# ospfv3 <pid> [ipv4 | ipv6] area <id> [instance <id>]
“OSPF Peering” CLI show commands:
## ======
## OSPFv2
## ======
## Showing all OSPFv2 neighbors
Router# show ip ospf neighbor
## Showing the OSPFv2 databases
Router# show ip ospf database
## Showing all OSPFv2 interfaces
Router# show ip ospf interface brief
## Showing a specific OSPFv2 interface in detail
Router# show ip ospf interface <if>
## ======
## OSPFv3
## ======
## Showing all OSPFv3 neighbors
Router# show ospfv3 [ipv4 | ipv6] neighbor
## Showing the OSPFv3 databases
Router# show ospfv3 [ipv4 | ipv6] database
## Showing all OSPFv3 interfaces
Router# show ospfv3 [ipv4 | ipv6] interface brief
## Showing a specific OSPFv3 interface in detail
Router# show ospfv3 [ipv4 | ipv6] interface <if>
Multicast
General information on “OSPF Multicast”:
- “All routers” multicast address: 224.0.0.5 / FF02::5
- DR/BDR multicast address: 224.0.0.6 / FF02::6
- Protocol: ip/89
Unicast
General information on “OSPF Unicast”:
- When multicast can’t be used, neighbors can be specified manually
- Once unicast is enabled on an interface, multicast will be completely disabled on it
- In order for unicast to work, the interface must be of type non-broadcast or point-to-multipoint non-broadcast
“OSPF Unicast” CLI configuration commands:
## ======
## OSPFv2
## ======
## Configuring a unicast neighbor in OSPFv2:
Router(config)# router ospf <pid>
Router(config-router)# neighbor <ip>
## ======
## OSPFv3
## ======
## Configuring a unicast neighbor in OSPFv3 for both address families:
Router(config)# interface <if>
Router(config-if)# ospfv3 <pid> neighbor <ipv6-link-local>
## Configuring a unicast neighbor in OSPFv3 for a specific address family:
Router(config)# interface <if>
Router(config-if)# ospfv3 <pid> [ipv4 | ipv6] neighbor <ipv6-link-local>
Authentication
General information on “OSPF Authentication”:
- No authentication is configured by default
- OSPFv2 supports 3 types of authentication:
  - Type 0: None (Null)
  - Type 1: Clear Text
  - Type 2: Cryptographic (MD5/SHA)
- OSPFv3 supports 3 types of authentication:
  - None (Null)
  - Cryptographic (MD5/SHA) (OSPF Authentication Trailer)
  - IPsec (IPv6 Authentication Header)
- Can be enabled for single interfaces or for the whole area and all of its interfaces
- If the whole area is configured for authentication, the key must still be configured on each interface
- Type 0 is used for excluding single interfaces if the whole area is configured for authentication
- Interface-configured authentication always overwrites area-configured authentication
- When using cryptographic authentication, only a digest computed over the packet and the key is exchanged and compared, never the key itself
- Important: The OSPF packet content is still in clear text because Authentication != Encryption. Encryption is only available in OSPFv3.
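The OSPFv2 Type 2 (cryptographic, MD5) trailer from RFC 2328 Appendix D, as an added example that is not from the original notes: it builds a constructed Hello packet, appends the digest a sending router would add, and shows the receiver-side check, in which the digest is recomputed with the locally configured key and the cryptographic sequence number must not go backwards. It also reads the hello interval straight out of the signed packet to make the point that authentication leaves the content in clear text. The key, addresses and helper names are my own; padding a key shorter than 16 bytes with zero bytes is an assumption about the usual implementation behaviour.

```python
"""OSPFv2 MD5 authentication trailer (added example, RFC 2328 Appendix D layout)."""
import hashlib
import hmac
import ipaddress
import struct

AU_TYPE_CRYPTO = 2
MD5_DIGEST_LEN = 16
HEADER_LEN = 24


def _ip4(addr):
    return ipaddress.IPv4Address(addr).packed


def ospf_header(pkt_type, body_len, router_id, area_id, key_id, seq):
    """24-byte OSPFv2 header. With AuType 2 the 8-byte authentication field
    holds 0x0000, the Key ID, the auth data length (16 for MD5) and a 32-bit
    cryptographic sequence number; the checksum stays zero because the digest
    covers the whole packet instead."""
    return struct.pack(
        "!BBH4s4sHHHBBI",
        2, pkt_type, HEADER_LEN + body_len,
        _ip4(router_id), _ip4(area_id),
        0,                      # checksum not used with cryptographic auth
        AU_TYPE_CRYPTO,
        0, key_id, MD5_DIGEST_LEN, seq,
    )


def hello_body(mask, hello, dead, priority=1, dr="0.0.0.0", bdr="0.0.0.0", neighbors=()):
    """Hello body: mask, HelloInterval, Options (E-bit), priority, RouterDeadInterval, DR, BDR, neighbors."""
    body = struct.pack("!4sHBBI4s4s", _ip4(mask), hello, 0x02, priority, dead, _ip4(dr), _ip4(bdr))
    return body + b"".join(_ip4(n) for n in neighbors)


def md5_trailer(packet, key):
    """MD5 over the packet followed by the key (zero-padded to 16 bytes; assumed padding rule).
    The digest, not the key, is what goes on the wire."""
    if len(key) > 16:
        raise ValueError("OSPFv2 MD5 keys are at most 16 bytes")
    return hashlib.md5(packet + key.ljust(16, b"\x00")).digest()


def sign(packet, key):
    """Sender side: the digest is appended after the packet and not counted in its length."""
    return packet + md5_trailer(packet, key)


def verify(wire, keys, last_seq=None):
    """Receiver side. `keys` maps Key ID -> key bytes; `last_seq` is the last accepted
    sequence number from this neighbor. Returns (ok, reason)."""
    if len(wire) < HEADER_LEN + MD5_DIGEST_LEN:
        return False, "truncated"
    version, _, length = struct.unpack("!BBH", wire[:4])
    au_type, _, key_id, data_len, seq = struct.unpack("!HHBBI", wire[14:24])
    if version != 2 or au_type != AU_TYPE_CRYPTO or data_len != MD5_DIGEST_LEN:
        return False, "not OSPFv2 cryptographic authentication"
    if len(wire) != length + MD5_DIGEST_LEN:
        return False, "length mismatch"
    key = keys.get(key_id)
    if key is None:
        return False, "unknown key ID %d" % key_id
    packet, digest = wire[:length], wire[length:]
    if not hmac.compare_digest(md5_trailer(packet, key), digest):
        return False, "bad digest (wrong key or modified packet)"
    if last_seq is not None and seq < last_seq:
        return False, "sequence number went backwards"
    return True, "ok"


def hello_interval(wire):
    """Authentication is not encryption: the HelloInterval is readable as-is."""
    return struct.unpack("!H", wire[HEADER_LEN + 4:HEADER_LEN + 6])[0]


def flip_bit(wire, offset):
    """Return a copy of the packet with one bit changed (used to show that tampering is detected)."""
    data = bytearray(wire)
    data[offset] ^= 0x01
    return bytes(data)


# Constructed sample: router 10.0.0.1 in area 0 sends a Hello with key ID 1.
KEY = b"s3cret"
BODY = hello_body("255.255.255.0", 10, 40, neighbors=["10.0.0.2"])
PACKET = ospf_header(1, len(BODY), "10.0.0.1", "0.0.0.0", key_id=1, seq=100) + BODY
WIRE = sign(PACKET, KEY)

if __name__ == "__main__":
    print("correct key:", verify(WIRE, {1: KEY}))
    print("wrong key:  ", verify(WIRE, {1: b"other"}))
    print("tampered:   ", verify(flip_bit(WIRE, HEADER_LEN + 4), {1: KEY}))
    print("hello interval readable without the key:", hello_interval(WIRE))
```

The same layout is what the `ip ospf authentication message-digest` commands below turn on; the key-chain variant with `cryptographic-algorithm` selects a different hash but keeps the principle that only a digest crosses the link.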
“OSPF Authentication” CLI configuration commands:
## ======
## OSPFv2
## ======
## Configuring clear-text authentication without a key-chain for OSPFv2 globally
Router(config)# router ospf <pid>
Router(config-router)# area <id> authentication
Router(config)# interface <if>
Router(config-if)# ip ospf authentication-key <key>
## Configuring cryptographic authentication with a key-chain for OSPFv2 globally
Router(config)# router ospf <pid>
Router(config-router)# area <id> authentication message-digest
Router(config)# key chain <name>
Router(config-keychain)# key <number>
Router(config-keychain-key)# key-string <string>
Router(config-keychain-key)# cryptographic-algorithm <algorithm>
Router(config)# interface <if>
Router(config-if)# ip ospf authentication key-chain [NAME]
## Disabling authentication for OSPFv2 on a per-interface basis
Router(config)# interface <if>
Router(config-if)# ip ospf authentication null
## Configuring clear-text authentication without a key-chain for OSPFv2 on a per-interface basis
Router(config)# interface <if>
Router(config-if)# ip ospf authentication
Router(config-if)# ip ospf authentication-key <key>
## Configuring cryptographic authentication with a key-chain for OSPFv2 on a per-interface basis
Router(config)# key chain <name>
Router(config-keychain)# key <number>
Router(config-keychain-key)# key-string <string>
Router(config-keychain-key)# cryptographic-algorithm <algorithm>
Router(config)# interface <if>
Router(config-if)# ip ospf authentication message-digest
Router(config-if)# ip ospf authentication key-chain [NAME]
## ======
## OSPFv3
## ======
## Configuring IPsec (IPv6 auth header) authentication for OSPFv3 globally
Router(config)# router ospfv3 <pid>
Router(config-router)# area <id> authentication ipsec spi <value> [md5 | sha1] [0 | 7 | hex-string] <key>
## Configuring cryptographic (OSPFv3 auth trailer) authentication with a key-chain for OSPFv3 globally
Router(config)# key chain <name>
Router(config-keychain)# key <number>
Router(config-keychain-key)# key-string <string>
Router(config-keychain-key)# cryptographic-algorithm <algorithm>
Router(config)# router ospfv3 <pid>
Router(config-router)# area <id> authentication key-chain [NAME]
## Disabling authentication for OSPFv3 on a per-interface basis for all processes
Router(config)# interface <if>
Router(config-if)# ospfv3 authentication null
## Disabling authentication for OSPFv3 on a per-interface basis for a specific process
Router(config)# interface <if>
Router(config-if)# ospfv3 <pid> authentication null
## Configuring IPsec (IPv6 auth header) authentication for OSPFv3 on a per-interface basis for all processes
Router(config)# interface <if>
Router(config-if)# ospfv3 authentication ipsec spi <value> [md5 | sha1] [0 | 7 | hex-string] <key>
## Configuring IPsec (IPv6 auth header) authentication for OSPFv3 on a per-interface basis for a specific process
Router(config)# interface <if>
Router(config-if)# ospfv3 <pid> authentication ipsec spi <value> [md5 | sha1] [0 | 7 | hex-string] <key>
## Configuring cryptographic (OSPFv3 auth trailer) authentication with a key-chain for OSPFv3 on a per-interface basis for all processes
Router(config)# key chain <name>
Router(config-keychain)# key <number>
Router(config-keychain-key)# key-string <string>
Router(config-keychain-key)# cryptographic-algorithm <algorithm>
Router(config)# interface <if>
Router(config-if)# ospfv3 authentication key-chain [NAME]
## Configuring cryptographic (OSPFv3 auth trailer) authentication with a key-chain for OSPFv3 on a per-interface basis for a specific process
Router(config)# key chain <name>
Router(config-keychain)# key <number>
Router(config-keychain-key)# key-string <string>
Router(config-keychain-key)# cryptographic-algorithm <algorithm>
Router(config)# interface <if>
Router(config-if)# ospfv3 <pid> authentication key-chain [NAME]
Encryption
General information on “OSPFv3 Encryption”:
- Only supported in OSPFv3
- Can be configured globally or per interface
- When configured globally it can be disabled per interface (if needed)
- A one-hop IPsec tunnel will be established between the adjacent routers
- Therefore the packet is authenticated and its content is encrypted
“OSPF Encryption” CLI configuration commands:
## ======
## OSPFv3
## ======
## Configuring IPsec encryption (IPv6 ESP header) for the whole OSPFv3 process:
Router(config)# router ospfv3 <pid>
Router(config-router)# area <area> encryption ipsec spi <value> esp [3des | aes-cbc | des | null] [arguments]
## Configuring IPsec encryption (IPv6 ESP header) for OSPFv3 on a per-interface basis:
Router(config)# interface <if>
Router(config-if)# ospfv3 encryption ipsec spi <value> esp [3des | aes-cbc | des | null] [arguments]
## Disabling IPsec encryption (IPv6 ESP header) for OSPFv3 on a per-interface basis:
Router(config)# interface <if>
Router(config-if)# ospfv3 encryption null
Summarization
General information on “OSPF Summarization”:
- Can only be done on ABRs and ASBRs
- Summarization is done for LSAs, not routes
  - This is because within an area all routers must have the same LSDB
- Re-summarization is not possible (summarizing an already summarized route again)
- A discard route is created for each summary-address on the summary-originating router to prevent routing loops in case of a loss of routes
- How ABR summarization works:
  - Summarizes intra-area routes which are advertised to other areas
  - The area value is the area where the subnets exist
  - If at least one subordinate intra-area route matches the summary prefix/mask, the ABR will advertise the summary as LSA type 3
  - The ABR will not advertise the subordinate subnets anymore
  - The ABR summary metric depends on the RFC used by the IOS:
    - Lowest metric of all subordinate routes (as of RFC 1583)
    - Highest metric of all subordinate routes (as of RFC 2178)
  - If no subordinates exist, the ABR will not advertise the summary
- How ASBR summarization works:
  - Summarizes external routes
  - The ASBR looks at all subnets being redistributed into OSPF on the specific ASBR
  - If at least one subordinate external route matches the summary prefix/mask, the ASBR will advertise the summary as LSA type 5
  - The ASBR will not advertise the subordinate subnets anymore
  - The ASBR summary metric depends on the RFC used by the IOS:
    - Lowest metric of all subordinate routes (as of RFC 1583)
    - Highest metric of all subordinate routes (as of RFC 2178)
  - If no subordinates exist, the ASBR will not advertise the summary
- Important: In an NSSA the “LSA 7-to-5 Translator” ABR (elected based on the highest RID) does the summarization!
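The ABR/ASBR summarization rules above as an added example that is not part of the original notes: given a summary prefix and the subordinate routes the summarizing router knows, it decides whether the summary is advertised, picks the lowest (RFC 1583) or highest (RFC 2178) subordinate metric, suppresses the subordinates, and records the discard route. The second function assembles everything that actually leaves the router, so the subordinate that does not match the summary is still advertised on its own. Prefixes, metrics and function names are constructed sample data of my own.

```python
"""OSPF ABR/ASBR summary construction from subordinate routes (added example)."""
import ipaddress


def build_summary(summary, subordinates, rfc1583_compat=False):
    """Decide what an `area range` (ABR) or `summary-address` (ASBR) produces.

    subordinates: {prefix: metric} as known to the summarizing router.
    Returns a dict with advertise, metric, suppressed (hidden subordinates)
    and discard_route (the local route that prevents loops if subordinates vanish).
    """
    net = ipaddress.ip_network(summary)
    matched = {}
    for prefix, metric in subordinates.items():
        candidate = ipaddress.ip_network(prefix)
        # only same-AF prefixes can be subordinates; subnet_of() rejects mixed versions
        if candidate.version == net.version and candidate.subnet_of(net):
            matched[prefix] = metric
    if not matched:
        # No subordinate exists: nothing is advertised and no discard route is installed.
        return {"advertise": False, "metric": None, "suppressed": [], "discard_route": None}
    # RFC 1583 compatibility: lowest subordinate metric; RFC 2178 behaviour: highest.
    metric = min(matched.values()) if rfc1583_compat else max(matched.values())
    return {
        "advertise": True,
        "metric": metric,
        "suppressed": sorted(matched),
        "discard_route": str(net),
    }


def advertised_lsas(summaries, subordinates, rfc1583_compat=False):
    """Everything that leaves the router: active summaries plus the subordinates
    that no summary covers. Summaries are never fed back in as subordinates,
    which is the re-summarization limitation from the notes."""
    out, hidden = {}, set()
    for summary in summaries:
        result = build_summary(summary, subordinates, rfc1583_compat)
        if result["advertise"]:
            out[summary] = result["metric"]
            hidden.update(result["suppressed"])
    for prefix, metric in subordinates.items():
        if prefix not in hidden:
            out[prefix] = metric
    return out


# Constructed sample: intra-area routes known to an ABR, with their costs.
ROUTES = {
    "10.1.0.0/24": 10,
    "10.1.1.0/24": 30,
    "10.1.2.0/25": 20,
    "10.2.0.0/24": 5,
}

if __name__ == "__main__":
    for compat in (False, True):
        label = "RFC 1583" if compat else "RFC 2178"
        print(label, build_summary("10.1.0.0/22", ROUTES, rfc1583_compat=compat))
        print(label, "advertised:", advertised_lsas(["10.1.0.0/22"], ROUTES, compat))
    print("no subordinates:", build_summary("10.3.0.0/16", ROUTES))
```

With the sample routes the summary 10.1.0.0/22 is sent with cost 30 under RFC 2178 and cost 10 under RFC 1583 compatibility, the three covered /24 and /25 prefixes disappear from the outgoing LSAs, and 10.2.0.0/24 continues to be advertised unchanged.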
“OSPF Summarization” CLI configuration commands:
## ======
## OSPFv2
## ======
## Configuring ABR summarization in OSPFv2
Router(config)# router ospf <pid>
Router(config-router)# area <id> range <prefix> <mask> [cost <cost> | not-advertise]
## Configuring ASBR summarization in OSPFv2
Router(config)# router ospf <pid>
Router(config-router)# summary-address <prefix> <mask> [not-advertise | nssa-only | tag]
## ======
## OSPFv3
## ======
## Configuring ABR summarization in OSPFv3
Router(config)# router ospfv3 <pid>
Router(config-router)# address-family [ipv4 | ipv6] unicast [vrf [VRF-NAME]]
Router(config-router-af)# area <id> range <prefix> <mask> [cost <cost> | not-advertise]
## Configuring ASBR summarization in OSPFv3
Router(config)# router ospfv3 <pid>
Router(config-router)# address-family [ipv4 | ipv6] unicast [vrf [VRF-NAME]]
Router(config-router-af)# summary-prefix <prefix> <mask> [not-advertise | nssa-only | tag]