paloaltonetworks:configuration:ospf

Differences

This shows you the differences between two versions of the page.

paloaltonetworks:configuration:ospf [2020/05/27 15:36] bstafford
paloaltonetworks:configuration:ospf [2022/11/23 12:49] (current) – external edit 127.0.0.1
Line 1: Line 1:
 ====== OSPF ====== ====== OSPF ======
-When you set the metric to 15 in ''Router->OSPF->Areas->0.0.0.0->Interface->[interface id]->Metric'', the routing table of the firewall will set the OSPF route to all OSPF peer IP addresses as that metric. 
  
-When a fireawll sets ''Router->OSPF>Export Rules'' and then selects a redistribution profile to ensure routes are exported, whatever is set in the Export Rule->Metric is going to be the route set on the other firewalls if ''New Path Type'' ''Ext2''. If ''New Path Type'' ''EXT 1'', then the other firewalls will set the metric of the routes learned from this firewall to the value in ''Router->OSPF->Export Rule->Metric'' //added// to the value on the other firewall's ''Router->OSPF->Areas->0.0.0.0->Interface->[interface id]->Metric''.+===== Show Routes Learned ===== 
 +To see routes being learned by OSPF, use the following command 
 +<code>show routing protocol ospf lsdb</code>
  
 +Get general routing data with
 +<code>show routing route</code>
 +
 +**Oi** means ospf intra-area and is the subnet in which the virtual router has established OSPF peering relationships. If you have several /32 addresses in the same subnet as the larger /x on the interface, those /32 routes will also have Oi routes created with a metric of //x + 10// where x is the value set at
 +<code>Router > OSPF > Areas > 0.0.0.0 > Interface > [interface id] > Metric</code>
 +
 +===== Show Routes Exported =====
 +To see what routes we are exporting to OSPF from all virtual routers, use the following command
 +<code>show routing protocol redist ospf</code>
 +
 +To limit the output to a specific virutal router, use the following command
 +<code>show routing protocol redist ospf virtual-router VR_NAME</code>
 +
 +===== OSPF Redistribution =====
 If you enable OSPF and export a redistribution profile that has the source type configured but no filters, all routes will be exported. If you enable OSPF and export a redistribution profile that has the source type configured but no filters, all routes will be exported.
  
-When setting OSPF over VPN links (tunnel interfaces)make sure the ''Router->OSPF->Areas->0.0.0.0->Interface->tunnel.9->Link Type'' is set to ''p2p''.+Remember, the //priority// field in the redistribution profile has nothing to do with metrics. Is it to give a processing order for evaluating redistribution profiles. So, if you have a rule that distributes all static routes and set the priority to ''10'', you can then create a //no-redist// rule with a priority of ''9'' that matches static routes with a destination of ''10.11.11.0/29''. You then add this to an OSPF export rule and it will suppress that specific static route from being exported. All other static routes will be exported because they then match the general "export all static routes" redistribution profile which is attached to another export rule. Obviously the default rule doesn't come into this unless you have enabled default route redistribution.
  
 +If you redistribute all connected routes from one firewall to another, the list of redistributed routes will not include the link used for OSPF (that is covered by the ospf intra-area route. It will also not include any loopback IP addresses. It will include IP addresses that are on tunnel interfaces but it will not include GlobalProtect 'attached' subnets (even though they are listed as static routes in the FIB) unless you put an IP on the GlobalProtect tunnel interface.
 +
 +If you import a redistributed route in OSPF that you already have as a connected route, the virtual router will not mark the imported route as 'active'.
 +
 +Remember, if you set a redistribution profile to redistribute static routes matching 10.10.0.0/16, this will actually distribute all static routes that match 10.10.0.0/16 and anything more specific than that (e.g. 10.10.10.0/24).
 +
 +
 +===== Setting Metrics =====
 +The firewall places a metric on the //ospf intra-area// routes which are the subnets that the firewall establishes OSPF peering relationships in. For example, if you have an interface with an IP of 10.1.1.1/24 and you configure OSPF on it, the firewall will end up with an ospf intra-area route to 10.1.1.0/24 marked as ''Oi''. The value of the metric is set in the following location. The //priority// value next to the metric is for the router to be elected as a designated router (DR) or as a backup DR (BDR) according to the OSPF protocol. When the value is zero, the router will not be elected as a DR or BDR.
 +<code>Router > OSPF > Areas > 0.0.0.0 > Interface > [interface id] > Metric</code>
 +
 +When the firewall learns routes from another firewall, the route will show as an //O1// or //O2// route depending on whether the other firewall set the export rule //new path type// to //ext-1// or //ext-2//.
 +
 +When in doubt, set the //new path type// to //ext-2//.
 +
 +If the remote firewall is exporting the route as //ext-2//, then it either does not set an export rule metric and defaults to a metric of 1 or a metric can be set. Because the //new path type// is set to //ext-2//, the local firewall will use the metric set by the remote firewall's export rule.
 +
 +If the remote firewall is exporting the route as //ext-1//, then it either does not set an export rule metric and defaults to a metric of 1 or a metric can be set. Because the //new path type// is set to //ext-1//, the local firewall will use the metric set by the remote firewall's export rule. The local firewall will use that value and add it to the value in its own ''Router > OSPF > Areas > 0.0.0.0 > Interface > [interface id] > Metric'' field to determine the route weight.
 +
 +===== Summarise Routes =====
 +With OSPF, you can summarise routes from one area to another if the firewall has an interface in one area and another interface in another area.
  
 When you have a firewall with a leg in ''0.0.0.0'' and a leg in ''0.0.0.2'', if you configure "Range" in ''0.0.0.0'' with the summary path you want, that summary will be distributed, along with all other routes, into 0.0.0.2. When you have a firewall with a leg in ''0.0.0.0'' and a leg in ''0.0.0.2'', if you configure "Range" in ''0.0.0.0'' with the summary path you want, that summary will be distributed, along with all other routes, into 0.0.0.2.
  
-If you have two firewalls (active/active) doing this, then set the area ''0.0.0.0->Interface metric'' of the primary to 10 and the area ''0.0.0.0->Interface'' metric of the secondary to 11 and that means OSPF peers in 0.0.0.2 area will prefer to get their 0.0.0.0 area routes from the primary+If you have two firewalls (active/active) doing this, then set the area ''0.0.0.0 > Interface metric'' of the primary to 10 and the area ''0.0.0.0 > Interface'' metric of the secondary to 11 and that means OSPF peers in 0.0.0.2 area will prefer to get their 0.0.0.0 area routes from the primary
  
 +===== Redistribute Loopback IP =====
 If you want to redistribute loopback addresses, you will need to create a local static route that points the loopback IP (/32) to itself (IP) as the next hop. You can then redistribute the static route. If you want to redistribute loopback addresses, you will need to create a local static route that points the loopback IP (/32) to itself (IP) as the next hop. You can then redistribute the static route.
  
 +===== OSPF Over VPN =====
 +When setting OSPF over VPN links (tunnel interfaces), make sure that ''Link Type'' is set to ''p2p'' at the following configuration location.
 +<code>Router > OSPF > Areas > 0.0.0.0 > Interface > tunnel.9 > Link Type</code>
 +
 +If you have two firewalls that connect to each over over VPN and over, say, MPLS, you can put both interfaces into Area 0.0.0.0. You can give the interface configuration in Area 0.0.0.0 the same metric. You can also use //ext-2// in the export rules. This means that if MPLS fails, the VPN will take over with only a few ping drops. If the MPLS is then restored, it will take back control from VPN.
 +
 +If you want MPLS and VPN to have different metrics to achieve the same result, set, in Area 0.0.0.0 the interface metric of MPLS to 1 and the metric of VPN to 2. Then set the export rule to be //ext-1// and set the metric to 11. The means the MPLS metric when installed on the other firewall is 12 and the VPN is 13. This means that if MPLS fails, the VPN will take over with only a few ping drops. If the MPLS is then restored, it will take back control from VPN.
 +
 +===== OSPF with Backup Static Route =====
 +If you have OSPF from (e.g.) MPLS terminating on your firewall, you may also have a backup VPN to the other sites.
 +You can create a static route with metric 20 for the VPN tunnel and OSPF will (depending on configuration) have a metric of 11. However, you may find PAN-OS selecting the static route with metric 20 over the OSPF route with metric 11. The issue is administrative distance. If you update the static route to have an administrative distance of 150, the OSPF route should suddenly get priority. I've tried 129 and that also worked. However, 75 seemed to leave me with the static route still being preferred. Not sure what the tipping point is.
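Review bot: the "tipping point" left open at the end of the OSPF with Backup Static Route paragraph is the administrative distance of the OSPF route itself, and the paragraph should say so instead of guessing. PAN-OS compares administrative distance before it ever looks at metrics, so the static route keeps winning with metric 20 over OSPF's metric 11 until its distance is raised above the OSPF route's distance; the PAN-OS defaults are 10 for static, 30 for OSPF internal and 110 for OSPF external, all adjustable per virtual router, which is exactly why 129 and 150 worked and 75 did not for a route learned as ext-1/ext-2. Smaller points in the same revision: "Is it to give a processing order" in the redistribution priority paragraph should read "It is to give a processing order"; "(that is covered by the ospf intra-area route." in the connected-routes paragraph is missing its closing parenthesis; "connect to each over over VPN" should read "connect to each other over VPN"; and "The means the MPLS metric" in the different-metrics paragraph should read "This means the MPLS metric".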
paloaltonetworks/configuration/ospf.1590593810.txt.gz · Last modified: (external edit)