Saucepan

User Tools

Site Tools

Trace:
paloaltonetworks:configuration:ospf

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
paloaltonetworks:configuration:ospf [2020/05/28 08:12] bstaffordpaloaltonetworks:configuration:ospf [2022/11/23 12:49] (current) – external edit 127.0.0.1
Line 1: Line 1:
-======OSPF======+====== OSPF ======
  
-=====Show Routes Learned=====+===== Show Routes Learned =====
 To see routes being learned by OSPF, use the following command To see routes being learned by OSPF, use the following command
 <code>show routing protocol ospf lsdb</code> <code>show routing protocol ospf lsdb</code>
  
-=====Show Routes Exported=====+Get general routing data with 
 +<code>show routing route</code> 
 + 
 +**Oi** means ospf intra-area and is the subnet in which the virtual router has established OSPF peering relationships. If you have several /32 addresses in the same subnet as the larger /x on the interface, those /32 routes will also have Oi routes created with a metric of //x + 10// where x is the value set at 
 +<code>Router > OSPF > Areas > 0.0.0.0 > Interface > [interface id] > Metric</code> 
 + 
 +===== Show Routes Exported =====
 To see what routes we are exporting to OSPF from all virtual routers, use the following command To see what routes we are exporting to OSPF from all virtual routers, use the following command
 <code>show routing protocol redist ospf</code> <code>show routing protocol redist ospf</code>
Line 12: Line 18:
 <code>show routing protocol redist ospf virtual-router VR_NAME</code> <code>show routing protocol redist ospf virtual-router VR_NAME</code>
  
-=====OSPF Redistribution=====+===== OSPF Redistribution =====
 If you enable OSPF and export a redistribution profile that has the source type configured but no filters, all routes will be exported. If you enable OSPF and export a redistribution profile that has the source type configured but no filters, all routes will be exported.
  
-=====Setting Metrics===== +Remember, the //priority// field in the redistribution profile has nothing to do with metrics. Is it to give a processing order for evaluating redistribution profiles. So, if you have a rule that distributes all static routes and set the priority to ''10'', you can then create a //no-redist// rule with a priority of ''9'' that matches static routes with a destination of ''10.11.11.0/29''. You then add this to an OSPF export rule and it will suppress that specific static route from being exported. All other static routes will be exported because they then match the general "export all static routes" redistribution profile which is attached to another export rule. Obviously the default rule doesn't come into this unless you have enabled default route redistribution.
-To set the OSPF route to all OSPF peer IP addresses in the firewall's routing table, you need to edit the following field. +
-<code>Router > OSPF > Areas > 0.0.0.0 > Interface > [interface id] > Metric''</code>+
  
-To set what the peer appliance uses as a metric on the route it learns from the firewall, set the value in the ''Metric'' option of the OSPF export rule. If '' Ext2'' is selectedthen the peer appliance uses this value in its routing tableIf ''Ext1'' is selected, then the peer appliance uses this value added to a value of its own in its routing tableIf the peer appliance is a Palo Alto Networks firewallyou can set the peer appliance's value at the following location.+If you redistribute all connected routes from one firewall to another, the list of redistributed routes will not include the link used for OSPF (that is covered by the ospf intra-area route. It will also not include any loopback IP addresses. It will include IP addresses that are on tunnel interfaces but it will not include GlobalProtect 'attachedsubnets (even though they are listed as static routes in the FIB) unless you put an IP on the GlobalProtect tunnel interface. 
 + 
 +If you import a redistributed route in OSPF that you already have as a connected route, the virtual router will not mark the imported route as 'active'
 + 
 +Remember, if you set a redistribution profile to redistribute static routes matching 10.10.0.0/16, this will actually distribute all static routes that match 10.10.0.0/16 and anything more specific than that (e.g. 10.10.10.0/24). 
 + 
 + 
 +===== Setting Metrics ===== 
 +The firewall places a metric on the //ospf intra-area// routes which are the subnets that the firewall establishes OSPF peering relationships in. For example, if you have an interface with an IP of 10.1.1.1/24 and you configure OSPF on it, the firewall will end up with an ospf intra-area route to 10.1.1.0/24 marked as ''Oi''. The value of the metric is set in the following location. The //priority// value next to the metric is for the router to be elected as designated router (DR) or as a backup DR (BDR) according to the OSPF protocolWhen the value is zero, the router will not be elected as a DR or BDR.
 <code>Router > OSPF > Areas > 0.0.0.0 > Interface > [interface id] > Metric</code> <code>Router > OSPF > Areas > 0.0.0.0 > Interface > [interface id] > Metric</code>
  
 +When the firewall learns routes from another firewall, the route will show as an //O1// or //O2// route depending on whether the other firewall set the export rule //new path type// to //ext-1// or //ext-2//.
  
-=====OSPF Over VPN===== +When in doubt, set the //new path type// to //ext-2//.
-When setting OSPF over VPN links (tunnel interfaces)make sure that ''Link Type'' is set to ''p2p'' at the following configuration location. +
-<code>Router > OSPF > Areas > 0.0.0.0 > Interface > tunnel.9 > Link Type</code>+
  
-=====Summmarise Routes=====+If the remote firewall is exporting the route as //ext-2//, then it either does not set an export rule metric and defaults to a metric of 1 or a metric can be set. Because the //new path type// is set to //ext-2//, the local firewall will use the metric set by the remote firewall's export rule. 
 + 
 +If the remote firewall is exporting the route as //ext-1//, then it either does not set an export rule metric and defaults to a metric of 1 or a metric can be set. Because the //new path type// is set to //ext-1//, the local firewall will use the metric set by the remote firewall's export rule. The local firewall will use that value and add it to the value in its own ''Router > OSPF > Areas > 0.0.0.0 > Interface > [interface id] > Metric'' field to determine the route weight. 
 + 
 +===== Summarise Routes =====
 With OSPF, you can summarise routes from one area to another if the firewall has an interface in one area and another interface in another area. With OSPF, you can summarise routes from one area to another if the firewall has an interface in one area and another interface in another area.
  
Line 34: Line 49:
 If you have two firewalls (active/active) doing this, then set the area ''0.0.0.0 > Interface metric'' of the primary to 10 and the area ''0.0.0.0 > Interface'' metric of the secondary to 11 and that means OSPF peers in 0.0.0.2 area will prefer to get their 0.0.0.0 area routes from the primary If you have two firewalls (active/active) doing this, then set the area ''0.0.0.0 > Interface metric'' of the primary to 10 and the area ''0.0.0.0 > Interface'' metric of the secondary to 11 and that means OSPF peers in 0.0.0.2 area will prefer to get their 0.0.0.0 area routes from the primary
  
-=====Redistribute Loopback IP=====+===== Redistribute Loopback IP =====
 If you want to redistribute loopback addresses, you will need to create a local static route that points the loopback IP (/32) to itself (IP) as the next hop. You can then redistribute the static route. If you want to redistribute loopback addresses, you will need to create a local static route that points the loopback IP (/32) to itself (IP) as the next hop. You can then redistribute the static route.
  
 +===== OSPF Over VPN =====
 +When setting OSPF over VPN links (tunnel interfaces), make sure that ''Link Type'' is set to ''p2p'' at the following configuration location.
 +<code>Router > OSPF > Areas > 0.0.0.0 > Interface > tunnel.9 > Link Type</code>
 +
 +If you have two firewalls that connect to each over over VPN and over, say, MPLS, you can put both interfaces into Area 0.0.0.0. You can give the interface configuration in Area 0.0.0.0 the same metric. You can also use //ext-2// in the export rules. This means that if MPLS fails, the VPN will take over with only a few ping drops. If the MPLS is then restored, it will take back control from VPN.
 +
 +If you want MPLS and VPN to have different metrics to achieve the same result, set, in Area 0.0.0.0 the interface metric of MPLS to 1 and the metric of VPN to 2. Then set the export rule to be //ext-1// and set the metric to 11. The means the MPLS metric when installed on the other firewall is 12 and the VPN is 13. This means that if MPLS fails, the VPN will take over with only a few ping drops. If the MPLS is then restored, it will take back control from VPN.
  
 +===== OSPF with Backup Static Route =====
 +If you have OSPF from (e.g.) MPLS terminating on your firewall, you may also have a backup VPN to the other sites.
 +You can create a static route with metric 20 for the VPN tunnel and OSPF will (depending on configuration) have a metric of 11. However, you may find PAN-OS selecting the static route with metric 20 over the OSPF route with metric 11. The issue is administrative distance. If you update the static route to have an administrative distance of 150, the OSPF route should suddenly get priority. I've tried 129 and that also worked. However, 75 seemed to leave me with the static route still being preferred. Not sure what the tipping point is.
paloaltonetworks/configuration/ospf.1590653532.txt.gz · Last modified: (external edit)