Cisco: OSPF Best Practice


Introduction

This document lists best practices used in OSPF design.

Summarization Techniques

  • Summarizing intra-area routes is recommended in most cases.
  • If an area has multiple ABRs, then the summarization for the same range of routes should be configured on all the ABRs in the area.
  • Since summarization for the same range of addresses on multiple ABRs in some topologies (typically hub and spoke topologies) can, in some situations, cause routing black holes, it is generally best to have at least one link between two ABRs summarizing the same address space within the non-backbone area.
  • Make sure that the ‘null 0’ route (discard route) is installed for the summarized address ranges to avoid routing loops in some scenarios.
  • It is preferable to manually set the cost of the summary route, or use a loopback interface in the summarized IP address range to prevent the summary cost from changing due to network changes within the area.
  • Having more than one ABR for areas is recommended for redundancy.
  • Keep the number of ABRs for an area reasonable (2–4) in order to limit the number of summary LSAs within the domain.
  • If a normal OSPF area needs to know only selected summary LSAs from other areas and not all the summary LSAs, then configure LSA type 3 filtering at the ABRs.

Type 3 LSA Filtering

  • If a normal OSPF area needs to know only selected summary LSAs from other areas and not all the summary LSAs, then configure LSA type 3 filtering at the ABRs.
  • Type 3 filtering needs to be configured on all the ABRs in an area.

External Routes

  • Summarize externally learned routes at the redistribution point (ASBR) to reduce the external LSAs where possible, since external LSAs are flooded throughout the OSPF domain.
  • Avoid configuring redistribute connected under the OSPF routing process. Instead, use the network statement under OSPF process and mark those interfaces as passive.
  • If redistribution is required, limit it to as few routers as possible.

Stub Areas

Note: All the points here assume there is more than one ABR present in each Area.

  • Use Stub Area where optimal routing to and from within the Area to the rest of the OSPF Areas is needed but optimal routing to reach the external AS routes from within the Area is not an important consideration.
  • Use Totally Stubby Area where optimal routing to and from devices within an area to the rest of the OSPF domain or external AS routes is not an important consideration.
  • Use NSSA Area if Stub Area characteristics are required but external AS routes also need to be imported within this Area.
  • Use NSSA Totally Stub Area if Totally Stub Area characteristics are required but external AS routes also need to be imported within this Area.
  • Consider using an NSSA Area (NSSA or NSSA Totally Stub) if there are many ASBRs in an area redistributing routes in a way that cannot be summarized at the ASBR (redistributing point) itself, but combined redistributed external routes can be summarized at the NSSA ABR towards the backbone.
  • Configure a loopback address as part of an NSSA Area in an ASBR. This helps avoid sub-optimal routing.

Redistribution

  • Where possible, avoid mutual redistribution at multiple points.
  • Configure administrative distance in such a way that each prefix native to each protocol or process is reached via the corresponding domain’s protocol or process.
  • Control the prefixes (using distance and/or a prefix-list/tag combination) in a way that the same prefix is not advertised back to the originating domain.

Router id

  • Configure a deterministic router ID for the OSPF process, using the router-id command.
  • Choose the router ID (IP address) from the same OSPF area address space the router belongs to. This helps in route summarization, in case these router IDs need to be routed.
  • If OSPF router ID needs to be routable, configure a loopback interface with the same IP address and include it under the OSPF process.
  • If applications like DLSW+, IPSec, etc., require optimal routing, configure separate loopback interface(s) and use IP addresses from a different address space which is not summarized at the ABRs. These addresses can be leaked as more specific routes to other areas for optimal path selection.

Process ID

  • Although OSPF process ID has local significance to the router, it is recommended to have the same process ID for all the routers in the same OSPF domain. This improves configuration consistency and eases automatic configuration tasks.

Authentication

  • If security is of primary concern, use MD5 authentication between the OSPF neighbors.

Interfaces

  • Configure the OSPF auto-cost reference bandwidth throughout the OSPF domain to a value higher than the highest bandwidth link in the network.
  • Configure passive-interface default under the OSPF routing process, and enable specific interfaces using no passive-interface.
  • Configure passive interface for the user VLANS and stub-networks.
  • In a broadcast multi-access LAN segment, deterministically assign the DR and BDR to different routers so that one router does not end up being the DR for many segments.
  • If there are only two neighbors in a broadcast multi-access LAN segment (like Ethernet) and no additional neighbors will be added, configure the two neighbors’ broadcast interfaces as ‘ospf point-to-point’ network type.
  • Choose the appropriate OSPF network type for your WAN topology. Prefer point-to-point or point-to-multipoint.

IP Addressing

  • Start off with a large address space.
  • Assign large blocks to each OSPF area (anticipate the future needs).
  • On Access Servers, assign contiguous blocks (from the area’s assigned block) for dial up connections (/32 host addresses for each line).
  • Allocate addresses based on topology/geography.

Backbone Area

  • A virtual link may be used if a physical link is not available.
  • If a virtual link is used, make sure that the IOS code has the TransitCapability (CSCdi62634).
  • Provide redundant connections in the backbone area to prevent it from becoming discontiguous. Single link failures should not result in area partitions.
  • To achieve higher stability at the backbone area, one should have reliable, high bandwidth links, faster CPU routers with sufficient memory.
  • It is a good practice to configure a loopback as part of area 0, so that the ABR status remains unchanged if the router loses its backbone connection. This will help the connected areas to exchange traffic.

Load Balancing

  • If multiple equal cost paths are available to the same destination through multiple VLANs/interfaces, configure traffic-share min across-interfaces command under OSPF routing process.
  • In a switched environment with multiple VLANS on the same physical trunk, OSPF forms neighbor relationship on many VLANS which may be unnecessary. There should be clear distinction between transit networks and local networks. For OSPF to exchange routing information, it doesn’t have to form neighbor relationship with all the VLANS on the trunk. Instead, a dedicated VLAN can be used for OSPF neighbor relationship and transit network. These VLANS can also be designed to eliminate spanning-tree convergence issues. Passive-interface can be used to limit the neighbor relations.

OSPF through GRE Tunnel

  • Consider GRE Tunnel only when direct physical connection is not feasible.
  • When building GRE Tunnel and enabling OSPF on the Tunnel, the ‘Tunnel Destination’ should not be learned through the Tunnel itself.
  • When building GRE Tunnels for connecting the ABRs that summarize the non-backbone areas, the Tunnel itself should be built through Area 0 though the GRE Tunnel interfaces belong to a non-backbone area. (In other words, the GRE Tunnel source and destination loopback interfaces should belong to OSPF Area 0 though the GRE tunnel interfaces belong to a non-backbone area.)
  • The OSPF cost for the Tunnel needs to be verified and adjusted for optimal path selection in failure scenarios.

OSPF flood reduction

  • OSPF flood reduction can be enabled on any router as long as the feature is supported; no harm can be done by this feature.
  • OSPF flood reduction is used to minimize the LS aging process over a link, so its usage is universal.
  • OSPF flood reduction may not work properly if neighboring routers do not support the DC bit (RFC 1793).
