Configuring OSPF Router ID Hello and Dead Timers Metrics Cost authentication and load balancing
Configuring the OSPF Router ID
OSPF-speaking routers must have a Router ID (RID) for proper operation. To find its RID, a Cisco routers uses the following process when the router reloads and brings up the OSPF process. When one of these steps identifies the RID, the process stops.
1. If the router-id rid OSPF subcommand is configured, this value is used as the RID.
2. If any loopback interfaces have an IP address configured and the interface has a line and protocol status of up/up, the router picks the highest numeric IP address among the up/up loopback interfaces.
3. The router picks the highest numeric IP address from all other working (up/up) interfaces.
A loopback interface is a virtual interface that can be configured with the interface loopback interface-number command, where interface-number is an integer. Loopback interfaces are always in an “up and up” state unless administratively placed in a shutdown state. Because loopback interfaces do not rely on any hardware, these interfaces can be up/up whenever IOS is running, making them good interfaces on which to base an OSPF RID.
Each router chooses its OSPF RID when OSPF is initialized. Initialization happens during the initial load of IOS. So, if OSPF comes up, and later other interfaces come up that happen to have higher IP addresses, the OSPF RID does not change until the OSPF process is restarted. OSPF can be restarted with the clear ip ospf process command as well, but depending on circumstances, IOS still may not change its OSPF RID until the next IOS reload.
OSPF Hello and Dead Timers
The default settings for the OSPF Hello and dead timers typically work just fine. It is important to note that a mismatch on either setting causes two potential neighbors to never become neighbors, never reaching the two-way state.
show ip ospf interface lists more detailed information about OSPF operation on each interface. This command lists the area number, OSPF cost, and any neighbors known on each interface. The timers used on the interface, including the Hello and dead timer, are listed.
To configure the Hello and Dead intervals, you can use the ip ospf hello-interval value and ip ospf dead-interval value interface subcommands. If the Hello interval is configured, IOS automatically reconfigures the interface’s dead interval to be 4 times the Hello interval.
OSPF Metrics (Cost)
OSPF calculates the metric for each possible route by adding up the outgoing interfaces’ OSPF costs. The OSPF cost for an interface can be configured, or a router can calculate the cost based on the interface’s bandwidth setting.
The bandwidth setting on an interface can be configured using the bandwidth interface subcommand. This command sets the router’s perception of interface speed, with a unit of Kbps. Note that the interface’s bandwidth setting does not have to match the physical interface speed. On Ethernet interfaces, the bandwidth reflects the current negotiated speed – 10,000 (Kbps) for 10 Mbps Ethernet, and 100,000 (Kbps) for 100Mbps. For serial interfaces, the bandwidth defaults 1544 (Kbps), but IOS cannot adjust this setting dynamically.
IOS chooses an interface’s cost based on the following rules:
1. The cost can be explicitly set using the ip ospf cost x interface subcommand, to a value between 1 and 65,535 inclusive.
2. IOS can calculate a value based on a generic formula Ref-BW / Int-Bw, where Ref-BW is a reference bandwidth that defaults to 100 Mbps, and Int-BW is the interface’s bandwidth setting.
3. The reference bandwidth can be configured from its default setting of 100 (100 Mbps) using the router OSPF subcommand auto-cost reference-bandwidth ref-bw, which in turn affects the calculation of the default interface cost.
The formula to calculate the default OSPF cost requires that the numerator and denominator use the same units, whereas the bandwidth and auto-cost reference-bandwidth commands use different units. Cisco IOS defaults Ethernet interfaces to use a bandwidth of 10,000 Kbps. The reference bandwidth defaults to a value of 100 Mbps. So, the default OSPF cost on an Ethernet interface would be 100 Mbps / 10 Mbps (10,000 Kbps), after making both values use a unit of Mbps. Higher-speed serial interfaces default to a bandwidth of 1544, giving a default cost of 10^8bps / 1,544,000 bps, which is rounded down to a value of 64. If the reference bandwidth has been changed to 1000, using the router OSPF subcommand auto-cost reference-bandwidth 1000, the calculated metric would be 647.
The reason for changing the reference bandwidth is so that routers can have different cost values for interfaces running at speeds of 100 Mbps and higher. With the default setting, an interface with a 100 Mbps bandwidth setting and an interface with a 1000 Mbps bandwidth would both have a default cost of 1. By changing the reference bandwidth to 1000, meaning 1000 Mbps, the default cost on a 100-Mpbs bandwidth interface would be 10, versus a default cost of 1 on an interface with a bandwidth of 1000 Mbps.
OSPF Authentication
The lack of authentication opens the network to attacks in which an attacker connects a router to the network, with the legitimate routers believing the OSPF data from the rogue router. As a result, the attacker can easily cause a denial-of-service (DoS) attack by making all routers remove the legitimate routes to all subnets, instead installing routes that forward packets to the attacking router. The attacker can also perform a reconnaissance attack, learning information about the network by listening for an interpreting the OSPF messages.
OSPF supports three types of authentication – one called null authentication (meaning no authentication), one that uses a simple text password and therefore is easy to break, and one that uses MD5. The only one worth configuring is MD5. As soon as a router has configured OSPF authentication on an interface, that router must pass the authentication process for every OSPF message, with every neighboring router on that interface. This means that each neighboring router on that interface must also have the same authentication type and the same authentication password configured.
The configuration can use two interface subcommands on each interface – one to enable the particular type of authentication, and one to set the password used for the authentication.
OSPF Authentication Types:
Type | Meaning | Command to Enable Authentication | What the Password Is Configured With |
---|---|---|---|
0 | None | ip ospf authentication null | – |
1 | Clear text | ip ospf authentication | ip ospf authentication-key key-value |
2 | MD5 | ip ospf authentication message-digest | ip ospf message-digest-key key-number md5 key-value |
Passwords are kept in clear text in the configuration unless you add the service password-encryption global command to the configuration.
The default setting to use type 0 authentication (no authentication) can be overriden on an area-by-area basis by using the area authentication router command. area area-value authentication message-digest is how you would make the router default to use MD5 authentication on all its interfaces in the area specified in area-value. area area-value authentication enables simple password authentication for all interfaces in the area, which makes the ip ospf authentication command unnecessary. The passwords must still be configured with the appropriate interface subcommands.
OSPF Load Balancing
When OSPF uses SPF to calculate the metric for each of several routes to reach one subnet, one route may have the lowest metric, so OSPF puts that route in the routing table. However, when the metric is a tie, the router can put up to 16 different equal-cost routes in the routing table (the default is four different routes) based on the setting of the maximum-paths number router subcommand.
A router could load-balance the packets on a per-packet basis.