Advanced Routing Services (OSPF and RIP)
03/26/2020
SonicOS: Advanced Routing Services (OSPF and RIP)
In addition to Policy Based Routing and RIP advertising, SonicOS Enhanced offers the option of enabling Advanced Routing Services (ARS). Advanced Routing Services provides full advertising and listening support for the Routing Information Protocol (RIPv1 - RFC1058 and RIPv2 - RFC2453) and Open Shortest Path First (OSPFv2 – RFC2328). Advanced Routing Services should only be enabled in environments requiring support for either or both of these dynamic routing protocols.
RIP and OSPF are Interior Gateway Protocols (IGP) that are both widely used by networks of various sizes to automate the process of route distribution. RIP is commonly used within smaller networks, while OSPF is used by larger networks, although network size should not be the only factor used to determine the appropriateness of one protocol over the other – network speed, interoperability requirements, and relative overall complexity, for example, should also be considered. RIPv1 and RIPv2 are both supported by ARS, the largest differences between the two being that RIPv2 supports VLSM (Variable Length Subnet Masks), authentication, and multicast routing updates. The following table illustrates the major differences between RIPv1, RIPv2, and OSPFv2:
| | RIPv1 | RIPv2 | OSPFv2 |
|---|---|---|---|
| Protocol type | Distance vector | Distance vector | Link state |
| Maximum hops | 15 | 15 | Unlimited |
| Routing table updates | Full table broadcast periodically, slow convergence | Full table broadcast or multicast periodically, slow convergence | Link state advertisement multicasts, triggered by changes, fast convergence |
| Subnet sizes supported | Only class-based | Class-based and VLSM | Class-based and VLSM |
| Autonomous system topologies | Indivisible and flat | Indivisible and flat | Area based, allowing for segmentation and aggregation |
- Protocol Type – Distance Vector protocols such as RIP base routing metrics exclusively on hop counts, while Link State protocols such as OSPF consider the state of the link when determining metrics. For example, OSPF determines interface metrics by dividing its reference bandwidth (100 Mbit/s by default) by the interface speed – the faster the link, the lower the cost and the more preferable the path. Consider the following example network:
In the above sample network, if Host A wanted to reach Host B, with RIP, the lowest cost route would be from Router A to Router B, across the relatively slow 64kbps link. With OSPF, the cost from Router A to Router B would be 1562, while the cost from Router A to Router C to Router D to Router B would be 364 (see the Cost section in OSPF concepts later), making it the preferred route.
- Maximum Hops – RIP imposes a hop count of 15 to help prevent routing loops which can occur when bad (e.g. stale) routing information is broadcast and propagated through a network either due to misconfiguration, or slow convergence. Consider if the link between Router D and Router E failed in the diagram above, and there were no safeguards in place:
- Router A’s routing information states that it can reach Network E through Router B or Router C with a metric of 3.
- When the link between Router D and Router E fails, and Router A broadcasts its routing information, Router B and Router C determine that they can reach Network E through Router A with a metric of 4.
- Router B and Router C broadcast this information, and it is received by Router D which then determines it can reach Network E through Router B or Router C with a metric of 5.
- This loop continues until the hop count of 16 (infinity) is reached. Other measures against this sort of situation are also commonly employed by RIP, including:
- Split-Horizon – A preventative mechanism where routing information learned through an interface is not sent back out the same interface. This generally works well on broadcast links, but not on non-broadcast links such as Frame Relay, where a single link can commonly be used to reach two separate autonomous systems.
- Poison reverse – Also known as route poisoning, an extension of split-horizon where a network is advertised with a metric of 16 (unreachable), helping to ensure that incorrect alternative routes aren’t propagated.
OSPF does not have to impose a hop count limit because it does not advertise entire routing tables, rather it generally only sends link state updates when changes occur. This is a significant advantage in larger networks in that it converges more quickly, produces less update traffic, and supports an unlimited number of hops.
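The count-to-infinity loop and the two RIP safeguards above, as an added simulation that is not SonicWall's code. The topology is constructed (Router X, Router Y and a directly attached network N whose link to Y has just failed), and the update ordering (X advertises before it hears Y's withdrawal) is an assumption chosen to show the loop:

```python
# Added example, not SonicWall's code: a distance-vector simulation of the
# count-to-infinity loop described above, with no safeguard, with split horizon
# and with poison reverse. Topology (constructed): X -- Y -- network N, and the
# Y-N link has just failed. X happens to advertise before it hears Y's bad news.
INFINITY = 16  # RIP "unreachable" metric


class Router:
    def __init__(self, name, neighbours):
        self.name = name
        self.neighbours = neighbours   # names of directly attached routers
        self.table = {}                # dest -> [metric, next_hop] (None = directly attached)

    def advertisement_for(self, neighbour, mode):
        """Routes sent to one neighbour, filtered by the loop-prevention mode."""
        adv = {}
        for dest, (metric, next_hop) in self.table.items():
            if next_hop == neighbour and mode == "split-horizon":
                continue                  # never send a route back out the interface it came in on
            if next_hop == neighbour and mode == "poison-reverse":
                adv[dest] = INFINITY      # send it back, but marked unreachable
                continue
            adv[dest] = metric
        return adv

    def receive(self, sender, adv):
        """Bellman-Ford update. Returns True if the table changed."""
        changed = False
        for dest, metric in adv.items():
            new_metric = min(metric + 1, INFINITY)
            cur = self.table.get(dest)
            # A route from the current next hop is always taken, even if it got
            # worse; a route from anyone else is taken only when strictly better.
            if cur is None or cur[1] == sender or new_metric < cur[0]:
                if cur is None or cur[0] != new_metric or cur[1] != sender:
                    self.table[dest] = [new_metric, sender]
                    changed = True
        return changed


def simulate(mode):
    """Run update rounds after Y loses its link to N. Returns the (X, Y) metric
    for N after each round, until nothing changes."""
    x, y = Router("X", ["Y"]), Router("Y", ["X"])
    x.table["N"] = [2, "Y"]          # X learned N from Y (Y's direct route had metric 1)
    y.table["N"] = [INFINITY, None]  # the Y-N link has failed
    routers = {"X": x, "Y": y}
    history = []
    for _ in range(20):
        changed = False
        for r in (x, y):  # ordering: X advertises first, then Y
            for n in r.neighbours:
                if routers[n].receive(r.name, r.advertisement_for(n, mode)):
                    changed = True
        history.append((x.table["N"][0], y.table["N"][0]))
        if not changed:
            break
    return history


if __name__ == "__main__":
    for mode in ("none", "split-horizon", "poison-reverse"):
        print(mode, simulate(mode))
```

With no safeguard the metrics climb two per round until both routers reach 16; with split horizon or poison reverse the route is withdrawn in the first round.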
- Routing table updates – As mentioned above, the practice of sending an entire routing table introduces the problems of slower convergence, higher bandwidth utilization, and increased potential for stale routing information. RIPv1 broadcasts its entire routing table at a prescribed interval (usually every 30 seconds), RIPv2 can either broadcast or multicast, and OSPF multicasts only link state updates whenever a change to the network fabric occurs. OSPF has a further advantage of using designated routers (DR) in forming adjacencies in multiple-access networks (more on these concepts later) so that updates don’t have to be sent to the entire network.
- Subnet sizes supported – RIPv1 was first implemented when networks were strictly class A, class B, and class C (and later D and E):
- Class A – 1.0.0.0 to 126.255.255.255 (0.0.0.0 and 127.0.0.0 are reserved)
–Leftmost bit 0; 7 network bits; 24 host bits
–0nnnnnnn hhhhhhhh hhhhhhhh hhhhhhhh (8 bit classful netmask)
–126 Class A networks, 16,777,214 hosts each
- Class B – 128.0.0.0 to 191.255.255.255
–Leftmost bits 10; 14 network bits; 16 host bits
–10nnnnnn nnnnnnnn hhhhhhhh hhhhhhhh (16 bit classful netmask)
–16,384 Class B networks, 65,532 hosts each
- Class C – 192.0.0.0 to 223.255.255.255
–Leftmost bits 110; 21 network bits; 8 host bits
–110nnnnn nnnnnnnn nnnnnnnn hhhhhhhh (24 bit classful netmask)
–2,097,152 Class C networks, 254 hosts each
- Class D – 224.0.0.0 to 239.255.255.255 (multicast)
–Leftmost bits 1110; 28 multicast address bits
–1110mmmm mmmmmmmm mmmmmmmm mmmmmmmm
- Class E – 240.0.0.0 to 255.255.255.255 (reserved)
–Leftmost bits 1111; 28 reserved address bits
–1111rrrr rrrrrrrr rrrrrrrr rrrrrrrr
This method of address allocation proved to be very inefficient because it provided no flexibility, either in the way of segmentation (subnetting) or of aggregation (supernetting, or CIDR – classless inter-domain routing), both of which depend on VLSM – variable length subnet masks.
VLSM, supported by RIPv2 and OSPF, allows for classless representation of networks to break larger networks into smaller networks:
For example, take the classful 10.0.0.0/8 network, and assign it a /24 netmask. This subnetting allocates an additional 16 bits from the host range to the network range (24-8=16). To calculate the number of additional networks this subnetting provides, raise 2 to the number of additional bits: 2^16=65,536. Thus, rather than having a single network with 16.7 million hosts (usually more than most LANs require) it is possible to have 65,536 networks, each with 254 usable hosts.
VLSM also allows for route aggregation (CIDR):
For example, if you had 8 class C networks: 192.168.0.0/24 through 192.168.7.0/24, rather than having to have a separate route statement to each of them, it would be possible to provide a single route to 192.168.0.0/21 which would encompass them all.
This ability, in addition to providing more efficient and flexible allocation of IP address space, also allows routing tables and routing updates to be kept smaller.
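The subnetting and aggregation arithmetic above, as an added example that is not SonicWall's code. It carves 10.0.0.0/8 into /24s and summarises the eight class C networks into 192.168.0.0/21; the `exact_summary` helper (a name chosen here) also refuses a summary that would cover address space not in the list, since an over-aggregated route advertises reachability for networks the router does not actually hold:

```python
# Added example, not SonicWall's code: the VLSM arithmetic from the text on
# 32-bit integers. subnet_counts() carves 10.0.0.0/8 into /24s; exact_summary()
# finds the single route covering 192.168.0.0/24-192.168.7.0/24 and refuses a
# summary that would also cover space not in the list (over-aggregation).
import ipaddress


def subnet_counts(prefix, new_len):
    """(number of subnets, usable hosts per subnet) when prefix is split into /new_len."""
    net = ipaddress.ip_network(prefix)
    extra_bits = new_len - net.prefixlen   # bits moved from host part to network part
    host_bits = 32 - new_len
    return 2 ** extra_bits, 2 ** host_bits - 2   # -2 for network and broadcast addresses


def exact_summary(prefixes):
    """Smallest single prefix covering every input, or None if that prefix would
    also cover addresses outside the inputs. Inputs must not overlap."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    lo = min(int(n.network_address) for n in nets)
    hi = max(int(n.broadcast_address) for n in nets)
    # Shorten the mask until lo and hi share the same network bits.
    for length in range(32, -1, -1):
        mask = (0xFFFFFFFF << (32 - length)) & 0xFFFFFFFF
        if lo & mask == hi & mask:
            break
    summary = ipaddress.ip_network(f"{ipaddress.ip_address(lo & mask)}/{length}")
    if sum(n.num_addresses for n in nets) != summary.num_addresses:
        return None   # the summary is larger than the space it is meant to describe
    return str(summary)


if __name__ == "__main__":
    print(subnet_counts("10.0.0.0/8", 24))          # (65536, 254)
    eight = [f"192.168.{i}.0/24" for i in range(8)]
    print(exact_summary(eight))                     # 192.168.0.0/21
    print(exact_summary(eight[:7]))                 # None: /21 would cover 192.168.7.0/24 too
```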
- Autonomous system topologies – An autonomous system (AS) is a collection of routers that are under common administrative control, and that share the same routing characteristics. When a group of autonomous systems share routing information, they are commonly referred to as a confederation of autonomous systems. (RFC1930 and RFC975 address these concepts in much greater detail). In simple terms, an AS is a logical distinction that encompasses physical network elements based on the commonness of their configurations.
With regard to RIP and OSPF, RIP autonomous systems cannot be segmented, and all routing information must be advertised (broadcast) through the entire AS. This can become difficult to manage and can result in excessive routing information traffic. OSPF, on the other hand, employs the concept of Areas, and allows for logical, manageable segmentation to control the sharing of information within an AS. OSPF areas begin with the backbone area (area 0 or 0.0.0.0), and all other areas must connect to this backbone area (although there are exceptions). This ability to segment the routing AS helps to ensure that it never becomes too large to manage, or too computationally intensive for the routers to handle.
OSPF is substantially more complicated to configure and maintain than RIP. The following concepts are critical to understanding an OSPF routing environment:
- Link state – As it pertains to OSPF, a link is an egress interface on a router, and the state describes characteristics of that interface, such as its cost. Link states are sent in the form of Link State Advertisements (LSA) which are contained within Link State Update (LSU) packets, one of five types of OSPF packets.
- Cost – A quantification of the overhead required to send a packet along a particular link. Cost is calculated by dividing a reference bandwidth (usually 100 Mbit/s, or 10^8 bit/s) by an interface’s speed, discarding any remainder. The lower the cost, the more preferable the link. Some common path costs:

| Interface speed | Divided by 10^8 (100 Mbit) = OSPF cost |
|---|---|
| 56 kbps | 1785 |
| 64 kbps | 1562 |
| T1 (1.544 Mbps) | 64 |
| 10 Mbps Ethernet | 10 |
| 100 Mbps Fast Ethernet | 1 |
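The cost formula above and the Router A to Router B comparison from the Protocol Type section, as one added example that is not SonicWall's code. The topology is constructed: only the 64 kbps A-B link (cost 1562) comes from the text, and the three T1 links on the A-C-D-B path are assumed, so that path costs 192 here rather than the 364 quoted in the text. RIP picks the one-hop path; OSPF, running Dijkstra over link costs, picks the three-hop path:

```python
# Added example, not SonicWall's code: OSPF interface cost from the reference
# bandwidth, and shortest-path selection by RIP hop count versus OSPF cost over
# a constructed topology modelled on the article's Router A-D example. Link
# speeds other than the 64 kbps A-B link are assumptions.
import heapq

REFERENCE_BW = 10**8  # 100 Mbit/s, the OSPF default reference bandwidth


def ospf_cost(link_bps):
    """OSPF cost = reference bandwidth / interface speed, truncated, minimum 1."""
    return max(1, REFERENCE_BW // link_bps)


# Constructed topology: (router, router, link speed in bit/s); links are bidirectional.
LINKS = [
    ("A", "B", 64_000),       # slow 64 kbps serial link (cost 1562, as in the text)
    ("A", "C", 1_544_000),    # assumed T1 (cost 64)
    ("C", "D", 1_544_000),    # assumed T1 (cost 64)
    ("D", "B", 1_544_000),    # assumed T1 (cost 64)
]


def build_graph(metric):
    """Adjacency map {router: {neighbour: metric}} for a chosen link metric function."""
    graph = {}
    for a, b, bps in LINKS:
        graph.setdefault(a, {})[b] = metric(bps)
        graph.setdefault(b, {})[a] = metric(bps)
    return graph


def shortest_path(graph, src, dst):
    """Dijkstra (the SPF algorithm): returns (total metric, [src, ..., dst])."""
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist.get(node, float("inf")):
            continue                       # stale heap entry
        if node == dst:
            break
        for nxt, w in graph[node].items():
            nd = d + w
            if nd < dist.get(nxt, float("inf")):
                dist[nxt], prev[nxt] = nd, node
                heapq.heappush(heap, (nd, nxt))
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return dist[dst], path[::-1]


def rip_route(src, dst):
    """RIP: every link costs one hop, regardless of its speed."""
    return shortest_path(build_graph(lambda bps: 1), src, dst)


def ospf_route(src, dst):
    """OSPF: links weighted by reference bandwidth / speed."""
    return shortest_path(build_graph(ospf_cost), src, dst)


if __name__ == "__main__":
    print("RIP :", rip_route("A", "B"))    # (1, ['A', 'B'])
    print("OSPF:", ospf_route("A", "B"))   # (192, ['A', 'C', 'D', 'B'])
```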
- Area – The network comprising the group of OSPF routers intended to share a common Link State Database. OSPF networks are built around the backbone area (area 0, or 0.0.0.0) and all other areas must connect to the backbone area (unless virtual links are used, which is generally discouraged). Area assignment is interface specific on an OSPF router; in other words, a router with multiple interfaces can have those interfaces configured for the same or different areas.
- Neighbors – OSPF routers on a common network segment have the potential to become neighbors by means of sending Hello packets. Hello packets act as a form of advertisement and identification, and if two OSPF routers share a common set of certain characteristics, they will become neighbors upon seeing their own router ID in the other router’s Hello packet. Hello packets are also used in the DR (Designated Router) and BDR (Backup Designated Router) election process. For two routers to become neighbors, the characteristics that they must have in common are:
–Area-ID – An area ID identifies an OSPF area with a 32 bit value, and is generally represented in an IP address format. OSPF requires at a minimum the backbone area, area 0 (or 0.0.0.0) for operation.
–Authentication – Authentication types can generally be set to none, simple text, or MD5. When using simple text, it should only be used for identification purposes, since it is sent in the clear. For security, MD5 should be used.
–Timer intervals – ‘Hello’ and ‘Dead’ intervals must be the same. The Hello interval specifies the number of seconds between Hello packets (as a Keepalive function), and the Dead interval specifies the number of seconds after which a router will be considered unavailable if a Hello is not received.
–Stub area flag – A Stub area is an area that only requires a single point of egress, and therefore does not require a full list of external link advertisements. The stub area flag on two potential neighbors must be the same to avoid inappropriate link state exchanges. Another factor that affects neighboring is the kind of network. OSPF recognizes three network types:
- Broadcast – For example, Ethernet. In broadcast networks, neighboring can be established with all other routers in the broadcast domain.
- Point to Point – For example, serial links. In point to point (or point to multipoint) networks, neighboring can be established with the router at the other end of the link.
- NBMA (non-broadcast multiple access) – For example, frame relay. In NBMA networks, neighbors must be explicitly declared.
- Link State Database – The Link State Database is composed of the LSA’s sent and received by neighboring OSPF routers that have created adjacencies within an area. The database, once complete, will contain all the link state information for a given area, at which time the Shortest Path First (SPF) algorithm will be applied to determine the optimal route to all connected networks based on cost. The SPF algorithm employs the Dijkstra pathfinding algorithm, which essentially regards all routers as vertices in a graph, and computes the cost between each vertex.
- Adjacencies – OSPF routers exchange LSA’s with adjacent routers to create the LSDB. Adjacencies are created in different fashions depending on the network type (see the Neighbors section above). Generally, the network type is broadcast (e.g. Ethernet), so adjacencies are formed by exchanging OSPF packets in a handshake-like fashion (see OSPF Packet types below). To minimize the amount of information exchanged between adjacent routers, segments (broadcast domains) with multiple OSPF routers elect a Designated Router (DR) and a Backup Designated Router (BDR) using Hello packets.
- DR (Designated Router) – On multi-access segments, OSPF routers elect a DR and a BDR, and all other routers on the segment create adjacencies with the DR and the BDR. DR election is based on a router’s OSPF Priority, which is a configurable value from 0 (not eligible for DR) to 255. The router with the highest priority becomes the DR. In the event of a priority tie, the router with the highest Router ID (based on interface addressing) wins. Once a router is the DR, its role is uncontested, until it becomes unavailable.
LSA’s are then exchanged within LSU’s across these adjacencies rather than between each possible pairing combination of routers on the segment. Link state updates are sent by non-DR routers to the multicast address 224.0.0.6, the RFC1583 assigned ‘OSPFIGP Designated Routers’ address. They are also flooded by DR routers to the multicast address 224.0.0.5, ‘OSPFIGP All Routers’, so that all routers receive the LSA’s.
- OSPF Packet types – The five types of OSPF packets are:
–Hello (OSPF type 1) – Sent at a certain interval to establish and maintain relationships with neighboring OSPF routers, and to elect Designated Routers. (Sent during the initialization and 2-WAY phases of LSDB synchronization.)
–Database Description (OSPF type 2) – Sent between OSPF routers during the creation of an adjacency. During the Exstart phase of LSDB synchronization, DD packets establish an ISN (initial sequence number) used to track LSA’s, and they establish a master/slave relationship between neighboring OSPF routers. In the Exchange phase of LSDB synchronization, they contain short versions of Link State Advertisements. Because DD exchanges can span multiple packets, they are exchanged in a poll (master) and response (slave) fashion to ensure completeness.
–Link State Request (OSPF type 3) – During the Loading phase of LSDB synchronization, LSR packets are sent to request database updates from a neighbor. This is the final step in the establishment of an adjacency.
–Link State Update (OSPF type 4) – Sent in response to Link State Requests, LSU packets flood adjacencies with Link State Advertisements to achieve LSDB synchronization.
–Link State Acknowledgement (OSPF type 5) – To ensure reliability of LSA flooding, all updates are acknowledged.
- Link State Advertisements (LSA) – There are 7 types of LSA’s:
–Type 1 (Router Link Advertisements) - Sent by an OSPF router to describe the links to each area to which it belongs. Type 1 LSA’s are only flooded into a router’s area.
–Type 2 (Network Links Advertisements) – Sent by the DR for an area describing the set of routers within the network. Type 2 LSA’s are only flooded into a router’s area.
–Type 3 (Summary Link Advertisements) – Sent across areas by ABR’s (Area Border Routers) to describe the networks within an area. Type 3 LSA’s are also used for route aggregation purposes, and are not sent to Totally Stubby Areas.
–Type 4 (AS Summary Link Advertisements) – Sent across areas by ABR’s to describe networks within a different AS. Type 4 LSA’s are not sent to Stub Areas.
–Type 5 (AS External Link Advertisements) – Sent by ASBR’s (Autonomous System Boundary Routers) to describe routes to networks in a different AS. Type 5 LSA’s are not sent to Stub Areas. There are two types of External Link Advertisements:
- External Type 1 - Type 1 packets add the internal link cost to the external link cost when calculating a link’s metric. A Type 1 route is always preferred over a Type 2 route to the same destination.
- External Type 2 - Type 2 packets only use the external link cost to determine the metric. Type 2 is generally used when there is only one path to an external AS.
–Type 6 (Multicast OSPF) - Spooky. See RFC1584.
–Type 7 (NSSA AS External Link Advertisements) – Sent by ASBR’s that are part of an NSSA (see ‘Stub Area’).
- Stub Area – A stub area is an area that only requires one path, rather than an optimal path. This can be an area with only a single point of egress, or it can be an area where SPF optimization is not necessary. All routers in a stub area must be configured as stub routers, and rather than receiving the full link state database and computing the SPF tree, they receive only summary link information. There are different types of stub area:
- Stub area – The standard stub area receives all LSA’s except for LSA type 5 (AS External Link advertisement). This helps to keep the LSDB smaller, and reduces the computational overhead on the router.
- Totally Stubby Area – A special type of stub area into which LSA types 3 (Summary Links), 4 (AS Summary Links) and 5 are not passed. Only intra-area routes, and a default route are advertised into totally stubby areas.
- NSSA (Not So Stubby Area) – Described by RFC3101, NSSA is a hybrid stub area that allows external routes to be flooded within the NSSA area using type 7 LSA’s (NSSA AS External Routes), but does not accept type 5 LSA’s from other areas. NSSA’s are useful when connecting a remote site running a different IGP (such as RIP) to an OSPF site, where the remote site’s routes do not need to be distributed back to the main OSPF site. An NSSA ABR (Area Border Router) also has the ability to translate type 7 to type 5 LSA’s (this is possible only from the SonicOS Enhanced CLI).
- Router Types – OSPF recognizes 4 types of routers, based on their roles:
- IR (Internal Router) - A router whose interfaces are all contained within the same area. An internal router’s LSDB only contains information about its own area.
- ABR (Area Border Router) – A router with interfaces in multiple areas. An ABR maintains LSDB’s for each area to which it is connected, one of which is typically the backbone.
- Backbone Router – A router with an interface connected to area 0, the backbone.
- ASBR (Autonomous System Boundary Router) – A router with an interface connected to a non-OSPF AS (such as a RIP network) which advertises external routing information from that AS into the OSPF AS.
Configuring Advanced Routing Services
Note: ARS is a fully featured multi-protocol routing suite. The sheer number of configurable options and parameters provided is incongruous with the simplicity of a graphical user interface. Rather than limiting the functionality of ARS, an abbreviated representation of its capabilities has been rendered in the GUI, providing control over the most germane routing features, while the full command suite is available via the CLI. The ARS CLI can be accessed from an authenticated CLI session, and contains 3 modules:
- route ars-nsm – The Advanced Routing Services Network Services Module. This component provides control over core router functionality, such as interface bindings and redistributable routes.
- route ars-rip – The RIP module. Provides control over the RIP router.
- route ars-ospf – The OSPF module. Provides control over the OSPF router.
In general, all of the functionality needed to integrate the SonicWall into most RIP and OSPF environments is available through the web-based GUI. The additional capabilities of the CLI will make more advanced configurations possible. Please refer to the appendix for the full set of ARS CLI commands.
By default, Advanced Routing Services are disabled, and must be enabled to be made available. At the top of the Network | Routing page is a checkbox, Use Advanced Routing. Toggling the state of this checkbox requires a reboot for the change to take effect. When the SonicWall is running in Advanced Routing mode, the top of the Network | Routing page will look as follows:
The operation of the RIP and OSPF routing protocols is interface dependent. Each interface and virtual sub-interface can have RIP and OSPF settings configured separately, and each interface can run both RIP and OSPF routers.
To configure RIP routing on an interface, select the (Configure) icon in the interface’s row under the “Configure RIP” column. This will launch the RIP Configuration window.
To configure OSPF routing on an interface, select the (Configure) icon in the interface’s row under the “Configure OSPF” column. This will launch the OSPF Configuration window.