Next-Generation Firewall
OSPF
Learn about Open Shortest Path First (OSPF) and how it dynamically determines routes
in a large enterprise network.
Open Shortest Path First (OSPF) is an interior gateway protocol (IGP) that is most often used to
dynamically manage network routes in large enterprise networks. It determines routes
dynamically by obtaining information from other routers and advertising routes to other
routers by way of Link State Advertisements (LSAs). The firewall uses information
gathered from the LSAs to construct a topology map of the network. The firewall shares
the topology map across routers in the network and uses the topology map to populate the
IP routing table with available routes.
Changes in the network topology are detected dynamically and
used to generate a new topology map within seconds. A shortest path tree
is computed for each route. Metrics associated with each routing
interface are used to calculate the best route; these can include distance,
network throughput, link availability, and so on. Additionally, these metrics
can be configured statically to direct the outcome of the OSPF topology
map.
The Palo Alto Networks® implementation of OSPF fully
supports the following RFCs:
OSPF determines routes dynamically by obtaining information from other routers and
advertising routes to other routers by way of LSAs. The router keeps information about
the links between it and the destination and can make highly efficient routing
decisions. A cost is assigned to each router interface, and the best routes are
determined to be those with the lowest costs, when summed over all the encountered
outbound router interfaces and the interface receiving the LSA.
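The shortest-path-first computation described above, as an added example that is not part of this page or of the PAN-OS implementation: a constructed four-router topology (names R1 to R4 and their costs are assumptions) where each directed link carries the cost of the sending router's outbound interface. The example builds the shortest path tree from one router, derives the next hop and summed cost for every destination, and then shows how a statically configured interface cost (the `overrides` parameter, also an assumption) changes which route wins.

```python
import heapq

# Constructed sample topology (not from the page). LINKS[u][v] is the OSPF cost
# of router u's outbound interface toward neighbor v, so costs can be asymmetric.
LINKS = {
    "R1": {"R2": 10, "R3": 1},
    "R2": {"R1": 10, "R4": 1},
    "R3": {"R1": 1, "R4": 20},
    "R4": {"R2": 1, "R3": 20},
}


def spf(links, root, overrides=None):
    """Dijkstra shortest-path-first from `root`.

    `overrides` maps (router, neighbor) -> cost and models an interface cost
    that an administrator has set statically instead of leaving it derived
    from link metrics. Returns (total cost per router, parent per router).
    """
    overrides = overrides or {}

    def cost(u, v):
        return overrides.get((u, v), links[u][v])

    dist = {root: 0}
    parent = {root: None}
    heap = [(0, root)]
    done = set()
    while heap:
        d, u = heapq.heappop(heap)
        if u in done:
            continue
        done.add(u)
        for v in links.get(u, {}):
            nd = d + cost(u, v)
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                parent[v] = u
                heapq.heappush(heap, (nd, v))
    return dist, parent


def path(parent, dst):
    """Walk the shortest path tree back to the root and return root..dst."""
    out = []
    while dst is not None:
        out.append(dst)
        dst = parent[dst]
    return out[::-1]


def routing_table(links, root, overrides=None):
    """Map each reachable destination to (next hop, summed cost) as seen from root."""
    dist, parent = spf(links, root, overrides)
    table = {}
    for dst in dist:
        if dst == root:
            continue
        table[dst] = (path(parent, dst)[1], dist[dst])
    return table


if __name__ == "__main__":
    print("default costs:", routing_table(LINKS, "R1"))
    # Raising R1's cost toward R2 pushes R4 (and even R2) onto the path via R3.
    print("R1->R2 set to 100:", routing_table(LINKS, "R1", {("R1", "R2"): 100}))
```

With the default costs R1 reaches R4 through R2 at a summed cost of 11 (10 + 1) rather than through R3 at 21 (1 + 20); setting R1's interface toward R2 to 100 flips both R4 and R2 onto the R3 path, which is exactly the "configured statically to direct the outcome" behaviour the text describes.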
Hierarchical techniques are used to limit the number of routes that must be advertised
and the associated LSAs. Because OSPF dynamically processes a considerable amount of
route information, it has greater processor and memory requirements than does RIP.
Two OSPF-enabled routers that are connected by a common network, are in the same OSPF area,
and form a relationship are OSPF neighbors. The connection between these
routers can be through a common broadcast domain or a point-to-point connection. The
relationship is established through the exchange of OSPF hello packets. These neighbor
relationships are used to exchange routing updates between routers.
OSPFv3
OSPFv3 provides support for the OSPF routing protocol within an IPv6 network. As
such, it provides support for IPv6 addresses and prefixes. It retains most of the
structure and functions in OSPFv2 (for IPv4) with some minor changes. The following
are some of the additions and changes to OSPFv3:
- Support for multiple instances per link—With OSPFv3, you can run multiple instances of the OSPF protocol over a single link. This is accomplished by assigning an OSPFv3 instance ID number. An interface that is assigned to an instance ID drops packets that contain a different ID.
- Protocol Processing Per-link—OSPFv3 operates per-link instead of per-IP-subnet as on OSPFv2.
- Changes to Addressing—IPv6 addresses are not present in OSPFv3 packets, except for LSA payloads within link state update packets. Neighboring routers are identified by the Router ID.
- Authentication Changes—OSPFv3 doesn't include any authentication capabilities. Configuring OSPFv3 on a firewall requires an authentication profile that specifies Encapsulating Security Payload (ESP) or IPv6 Authentication Header (AH). The re-keying procedure specified in RFC 4552 is not supported in this release.
- Support for multiple instances per-link—Each instance corresponds to an instance ID contained in the OSPFv3 packet header.
- New LSA Types—OSPFv3 supports two new LSA types: Link LSA and Intra Area Prefix LSA.
All additional changes are described in detail in RFC 5340.
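The per-link instance ID check and Router ID based neighbor identification described above, as an added example that is not part of this page or of PAN-OS: a parser for the 16-byte OSPFv3 packet header laid out in RFC 5340 (version, type, length, Router ID, Area ID, checksum, instance ID, reserved), plus an `accept` function (an assumption, not a PAN-OS API) that applies the receive-side checks an interface performs: the version must be 3, the instance ID must equal the one assigned to the interface, the Area ID must match the interface's area, and the declared length must fit the datagram. The sample packets are constructed inline and the checksum is left at zero.

```python
import struct

# OSPFv3 packet header per RFC 5340, appendix A.3.1, in network byte order:
# Version(1) Type(1) PacketLength(2) RouterID(4) AreaID(4) Checksum(2) InstanceID(1) Reserved(1)
HDR = struct.Struct("!BBHIIHBB")
OSPFV3_VERSION = 3
HELLO = 1  # packet type 1 = Hello


def dotted(n):
    """Render a 32-bit Router ID or Area ID in dotted-decimal form."""
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def build_header(ptype, router_id, area_id, instance_id, length=None):
    """Construct a sample header (checksum 0, no body) for use in the checks below."""
    return HDR.pack(OSPFV3_VERSION, ptype, length or HDR.size,
                    router_id, area_id, 0, instance_id, 0)


def parse_header(pkt):
    """Decode the fixed header; raise ValueError on a truncated packet."""
    if len(pkt) < HDR.size:
        raise ValueError("truncated OSPFv3 header")
    version, ptype, length, router_id, area_id, checksum, instance_id, _ = HDR.unpack_from(pkt)
    return {"version": version, "type": ptype, "length": length,
            "router_id": router_id, "area_id": area_id,
            "checksum": checksum, "instance_id": instance_id}


def accept(pkt, iface_instance_id, iface_area_id):
    """Decide whether a received packet is processed on this interface.

    Returns (accepted, reason). A packet carrying a different instance ID than
    the interface is dropped, which is what lets several OSPFv3 instances share
    one link without seeing each other's packets.
    """
    try:
        h = parse_header(pkt)
    except ValueError as exc:
        return False, str(exc)
    if h["version"] != OSPFV3_VERSION:
        return False, f"version {h['version']} is not OSPFv3"
    if h["length"] > len(pkt):
        return False, "declared packet length exceeds datagram"
    if h["instance_id"] != iface_instance_id:
        return False, (f"instance ID {h['instance_id']} does not match "
                       f"interface instance {iface_instance_id}")
    if h["area_id"] != iface_area_id:
        return False, (f"area {dotted(h['area_id'])} does not match "
                       f"interface area {dotted(iface_area_id)}")
    # Neighbors are identified by Router ID, not by any IPv6 address in the packet.
    return True, f"type {h['type']} packet from router {dotted(h['router_id'])}"


if __name__ == "__main__":
    # Constructed sample: Hello from Router ID 10.0.0.1 in area 0, instance 0.
    pkt = build_header(HELLO, 0x0A000001, 0, 0)
    print(accept(pkt, iface_instance_id=0, iface_area_id=0))
    print(accept(pkt, iface_instance_id=1, iface_area_id=0))   # dropped: wrong instance
    print(accept(pkt[:2], iface_instance_id=0, iface_area_id=0))  # dropped: truncated
```

The instance check comes before any neighbor state is touched, so a packet for another instance on the same link never creates or disturbs an adjacency; the truncation and length checks keep a malformed header from being interpreted at all.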
OSPF Areas
OSPF operates within a single autonomous system (AS). Networks within this single AS,
however, can be divided into a number of areas. By default, Area 0 is created. Area
0 can either function alone or act as the OSPF backbone for a larger number of
areas. Each OSPF area is named using a 32-bit identifier which in most cases is
written in the same dotted-decimal notation as an IPv4 address. For example, Area 0
is usually written as 0.0.0.0.
The topology of an area is maintained in its own link state database and is hidden
from other areas, which reduces the amount of traffic routing required by OSPF. The
topology is then shared in a summarized form between areas by a connecting
router.
OSPF Area Type | Description |
---|---|
Backbone Area | The backbone area (Area 0) is the core of an OSPF network. All other areas are connected to it and all traffic between areas must traverse it. All routing between areas is distributed through the backbone area. While all other OSPF areas must connect to the backbone area, this connection doesn't need to be direct and can be made through a virtual link. |
Normal OSPF Area | In a normal OSPF area there are no restrictions; the area can carry all types of routes. |
Stub OSPF Area | A stub area does not receive routes from other autonomous systems. Routing from the stub area is performed through the default route to the backbone area. |
NSSA Area | The Not So Stubby Area (NSSA) is a type of stub area that can import external routes, with some limited exceptions. |
OSPF Router Types
Within an OSPF area, routers are divided into the following categories.
- Internal Router—A router that has OSPF neighbor relationships only with devices in the same area.
- Area Border Router (ABR)—A router that has OSPF neighbor relationships with devices in multiple OSPF areas. ABRs gather topology information from their connected areas and distribute it to the backbone area.
- Backbone Router—A backbone router is a router that runs OSPF and has at least one interface connected to the OSPF backbone area. Since ABRs are always connected to the backbone, they are always classified as backbone routers.
- Autonomous System Boundary Router (ASBR)—An ASBR is a router that attaches to more than one routing protocol and exchanges routing information between them.
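The router categories above, together with the 32-bit area identifier written in dotted-decimal form, as an added example that is not part of this page or of PAN-OS: `classify` takes a constructed description of one router (the dictionary shape with `interfaces` mapping interface names to area IDs and an optional `redistributes` list of other routing protocols is an assumption) and derives its roles. An ABR is a router with interfaces in more than one area, a backbone router is one with at least one interface in area 0.0.0.0, and an ASBR is one that exchanges routes with another protocol. Because the text states that every ABR is also a backbone router, the function flags an ABR with no backbone interface, since such a router needs a virtual link to the backbone.

```python
BACKBONE = "0.0.0.0"


def normalize_area(area):
    """Accept an area ID as an int or dotted string and return its dotted form.

    Area IDs are 32-bit values; the dotted notation is only a conventional way
    of writing them, so 1 and "0.0.0.1" name the same area.
    """
    if isinstance(area, int):
        if not 0 <= area <= 0xFFFFFFFF:
            raise ValueError(f"area ID {area} does not fit in 32 bits")
        return ".".join(str((area >> s) & 0xFF) for s in (24, 16, 8, 0))
    parts = area.split(".")
    if len(parts) != 4 or any(not p.isdigit() or int(p) > 255 for p in parts):
        raise ValueError(f"malformed area ID {area!r}")
    return ".".join(str(int(p)) for p in parts)


def classify(router):
    """Return (set of roles, list of warnings) for one router description.

    router = {"interfaces": {"<ifname>": <area>, ...}, "redistributes": ["bgp", ...]}
    (constructed shape, not a PAN-OS data structure).
    """
    areas = {normalize_area(a) for a in router["interfaces"].values()}
    if not areas:
        raise ValueError("router has no OSPF interfaces")
    roles, warnings = set(), []
    if len(areas) == 1:
        roles.add("internal")          # neighbors only within a single area
    else:
        roles.add("abr")               # interfaces in multiple areas
    if BACKBONE in areas:
        roles.add("backbone")          # at least one interface in area 0
    if router.get("redistributes"):
        roles.add("asbr")              # exchanges routes with another protocol
    if "abr" in roles and "backbone" not in roles:
        warnings.append("ABR has no interface in area 0.0.0.0; "
                        "it needs a virtual link to reach the backbone")
    return roles, warnings


if __name__ == "__main__":
    # Constructed sample routers (interface names and areas are illustrative).
    samples = {
        "edge": {"interfaces": {"ethernet1/1": "0.0.0.1", "ethernet1/2": 1}},
        "border": {"interfaces": {"ethernet1/1": 0, "ethernet1/2": "0.0.0.1"}},
        "core-with-bgp": {"interfaces": {"ethernet1/1": 0}, "redistributes": ["bgp"]},
        "islanded": {"interfaces": {"ethernet1/1": 1, "ethernet1/2": 2}},
    }
    for name, router in samples.items():
        print(name, *classify(router))
```

Normalizing area IDs before comparing them matters in practice: an interface configured with area `1` and another with area `0.0.0.1` belong to the same area, and treating them as different would wrongly mark the router as an ABR.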