## create loopback interface to be used as router ID
set zone WAN
set interface loopback.1 zone WAN\nset interface loopback.1 ip 10.10.10.254\/32\n##\n## set router ID\nset vrouter trust-vr router-id 10.10.10.254\n##\n## enable OSPF\nset vrouter trust-vr protocol ospf\nset vrouter trust-vr protocol ospf enable\n##\n## create all OSPF areas that will be used on this router\nset vrouter trust-vr protocol ospf area 0\n##\n## assign interface to area\nset interface ethernet0\/0 protocol ospf area 0\nset interface ethernet0\/1 protocol ospf area 0 \nset interface ethernet0\/2 protocol ospf area 0 \n##\n## enable ospf on interface\nset interface ethernet0\/0 protocol ospf enable\nset interface ethernet0\/1 protocol ospf enable\nset interface ethernet0\/2 protocol ospf enable<\/p><\/pre>\n<\/p>\n<\/p>\n
\n
Router B<\/u><\/p>\n
ethernet0\/0 = LAN
ethernet0\/1 = WAN to router A <\/p>\n
ethernet0\/2 = WAN to router C <\/p>\n<\/p>\n
## create loopback interface to be used as router ID
set zone WAN\nset interface loopback.1 zone WAN\nset interface loopback.1 ip 10.10.10.253\/32\n##\n## set router ID\nset vrouter trust-vr router-id 10.10.10.253\n##\n## enable OSPF\nset vrouter trust-vr protocol ospf\nset vrouter trust-vr protocol ospf enable\n##\n## create all OSPF areas that will be used on this router\nset vrouter trust-vr protocol ospf area 0\n##\n## assign interface to area\nset interface ethernet0\/0 protocol ospf area 0\nset interface ethernet0\/1 protocol ospf area 0 \nset interface ethernet0\/2 protocol ospf area 0 \n##\n## enable ospf on interface\nset interface ethernet0\/0 protocol ospf enable\nset interface ethernet0\/1 protocol ospf enable\nset interface ethernet0\/2 protocol ospf enable<\/p><\/pre>\n<\/p>\n
Before you continue, look at the section \u2018verify that everything is working\u2019 to verify that router A and router B are now in state \u2018Full\u2019 and are exchanging routes. <\/p>\n
\n
Router C<\/u><\/p>\n
ethernet0\/0 = LAN
\n
ethernet0\/1 = WAN to Router A <\/p>\n<\/p>\n
## create loopback interface to be used as router ID
set zone WAN\nset interface loopback.1 zone WAN\nset interface loopback.1 ip 10.10.30.254\/32\n##\n## set router ID\nset vrouter trust-vr router-id 10.10.30.254\n##\n## enable OSPF\nset vrouter trust-vr protocol ospf\nset vrouter trust-vr protocol ospf enable\n##\n## create all OSPF areas that will be used on this router\nset vrouter trust-vr protocol ospf area 0\n##\n## assign interface to area\nset interface ethernet0\/0 protocol ospf area 0\nset interface ethernet0\/1 protocol ospf area 0 \n#\n## enable ospf on interface\nset interface ethernet0\/0 protocol ospf enable\nset interface ethernet0\/1 protocol ospf enable<\/pre>\n<\/p>\n <\/p>\n
Router D<\/u><\/p>\n
ethernet0\/0 = LAN
ethernet0\/1 = WAN to router B <\/p>\n
ethernet0\/2 = WAN to router E <\/p>\n<\/p>\n
## create loopback interface to be used as router ID
set zone WAN\nset interface loopback.1 zone WAN\nset interface loopback.1 ip 10.10.20.253\/32\n##\n## set router ID\nset vrouter trust-vr router-id 10.10.20.253\n##\n## enable OSPF\nset vrouter trust-vr protocol ospf\nset vrouter trust-vr protocol ospf enable\n##\n## create all OSPF areas that will be used on this router\nset vrouter trust-vr protocol ospf area 0\n##\n## assign interface to area\nset interface ethernet0\/0 protocol ospf area 0\nset interface ethernet0\/1 protocol ospf area 0 \nset interface ethernet0\/2 protocol ospf area 0 \n##\n## enable ospf on interface\nset interface ethernet0\/0 protocol ospf enable\nset interface ethernet0\/1 protocol ospf enable\nset interface ethernet0\/2 protocol ospf enable<\/pre>\n<\/p>\n\n
<\/p>\n
Router E<\/u><\/p>\n
Since router F doesn\u2019t speak OSPF, we won\u2019t enable OSPF on the interface between E and F. This clearly has a security advantage, however it has a drawback too. The result is that that connected network 1.1.5.0\/24 will not get distributed into the OSPF area. So we will have to inject it (see next chapter) <\/p>\n
ethernet0\/0 = LAN to F : don\u2019t enable OSPF <\/p>\n
ethernet0\/1 = WAN to Router D<\/p>\n<\/p>\n
## create loopback interface to be used as router ID
set zone WAN\nset interface loopback.1 zone WAN\nset interface loopback.1 ip 10.10.40.254\/32\n##\n## set router ID\nset vrouter trust-vr router-id 10.10.40.254\n##\n## enable OSPF\nset vrouter trust-vr protocol ospf\nset vrouter trust-vr protocol ospf enable\n##\n## create all OSPF areas that will be used on this router\nset vrouter trust-vr protocol ospf area 0\n##\n## assign interface to area\nset interface ethernet0\/1 protocol ospf area 0 \n#\n## enable ospf on interface\nset interface ethernet0\/1 protocol ospf enable<\/pre>\n<\/p>\n\n
<\/p>\n
Router F<\/u> (non-OSPF) <\/p>\n
You can either create a static route to all other networks and send them to router E; or you can just set the default route to router E. Since we don\u2019t have any other connects from router F, we\u2019ll set the default route to router E.<\/p>\n<\/p>\n
router-f-><\/span> set route 0.0.0.0\/0 gate 1.1.5.1 <\/pre>\n<\/p>\n <\/p>\n
\n <\/p>\n
Verify that everything is working<\/h3>\n
First of all, make sure OSPF is properly configured on the routers : <\/p>\n
As soon as you have configured the first 2 juniper devices (router-a and router-b), routes are already being distributed. If you would look at the routing table on router A, right after setting up router A and router B, you would see : <\/p>\n
<\/p>\n<\/p>\n
router-a-><\/span> get route protocol ospf\n\nIPv4 Dest-Routes for <\/font><<\/span>untrust-vr<\/span>><\/span> (0 entries)\n--------------------------------------------------------------------------------\nH: Host C: Connected S: Static A: Auto-Exported\nI: Imported R: RIP P: Permanent D: Auto-Discovered\niB: IBGP eB: EBGP O: OSPF E1: OSPF external type 1\nE2: OSPF external type 2\n\n\nIPv4 Dest-Routes for <<\/span>trust-vr<\/span>><\/span> (2 entries)\n--------------------------------------------------------------------------------\n ID IP-Prefix Interface Gateway P Pref Mtr Vsys\n--------------------------------------------------------------------------------\n* 6 1.1.2.0\/24 eth0\/1 10.10.10.2 O 60 1 Root
* 7 10.10.20.0\/24 eth0\/1 10.10.10.2 O 60 1 Root
<\/p><\/pre>\n<\/p>\n\n
Router A now contains 2 new routes that have been discovered via OSPF : 1.1.2.0\/24 (which is connected to ethernet0\/0 on router B) and 10.10.20.0\/24 (connected to ethernet0\/2 on router B and refers to the network between router B and router D). The network between router A and router B is not displayed because it is a connected network between router A and B, so there was no reason to distribute this via OSPF. <\/p>\n
In both cases, the gateway points to 10.10.10.2, which is the WAN interface on router B. <\/p>\n
If you would look at the OSPF parameters of router A, eth0\/1 (WAN interface to router B), you would see this : <\/p>\n
<\/p>\n<\/p>\n
router-a-><\/span> get int e0\/1 proto ospf\n\nVR: trust-vr RouterId: 10.10.10.254\n----------------------------------\nInterface: ethernet0\/1\nIpAddr: 10.10.10.1\/24, OSPF: enabled, Router: enabled\nType: Broadcast Area: 0.0.0.0 Priority: 1 Cost: 1 Passive: No\nTransit delay: 1s Retransmit interval: 8s Hello interval: 10s\nRouter Dead interval: 40s Authentication-Type: None\nIgnore-MTU: no Reduce-flooding: no \nState: Designated Router DR: 10.10.10.1(self) BDR: 10.10.10.2\nNeighbors:\n RtrId: 10.10.10.253 IpAddr: 10.10.10.254 Pri: 1 State: Full<\/pre>\n<\/p>\nAs you can see, router A and B are in state \u2018Full\u2019 which means that they have fully exchanged their OSPF data. Router A was the first router to be OSPF enabled, so it has become Designated Router. Router B was the second one to be OSPF enabled and it now acts as Backup Designated Router <\/p>\n
As you continue to setup the other routers, the number of routes grow. After setting up all OSPF routers, the routing table should now contain all subnets that are directly attached to the interfaces that are OSPF enabled. <\/p>\n
The only network that still remains unreachable is network 2.2.2.0\/24, because it is behind a non OSPF enabled device. Network 1.1.5.0\/24 is not part of the routing table either, because it is connected to the interface on router E that is not OSPF enabled. <\/p>\n
The next chapters will explain how we can take advantage of OSPF, 1 static route and route redistribution to get these 2 issues fixed. <\/p>\n
<\/p>\n
<\/p>\n
Inject the static route on Router E into the OSPF area<\/h3>\n
First, create a static route on Router E and send traffic for the 2.2.2.0\/24 network towards router F : <\/p>\n<\/p>\n
router-e><\/span> set route 2.2.2.0\/24 gate 1.1.5.2<\/pre>\n<\/p>\nNext, since router E is OSPF enabled, you can inject this static route into the OSPF area so it will be distributed to all other routers in the area.
\n
This is how this works : <\/p>\n
- Create an access list and route map <\/p>\n
- Set the injected network type (OSPF External type 1 or OSPF External type 2). Type 1 : preference indicates sum of the preferences to the target network. Type 2 : preference doesn\u2019t change <\/p>\n
- Tell ospf to redistribute the route map and choose the type of protocol that needs to be redistributed<\/p>\n<\/p>\n
router-e-><\/span> set vrouter trust-vr\nrouter-e(trust-vr)-><\/span> set access-list 1 permit ip 2.2.2.0\/24 10\nrouter-e(trust-vr)-><\/span> set route-map name InjectStaticNetworks permit 10\nrouter-e(trust-vr\/InjectStaticNetworks-10)-><\/span> set match ip 1\nrouter-e(trust-vr\/InjectStaticNetworks-10)-><\/span> set metric 20\nrouter-e(trust-vr\/InjectStaticNetworks-10)-><\/span> set metric-type type-1\nrouter-e(trust-vr\/InjectStaticNetworks-10)-><\/span> exit\nrouter-e(trust-vr)-><\/span> set protocol ospf redistribute route-map InjectStaticNetworks protocol static \nrouter-e(trust-vr)-><\/span> exit<\/pre>\n<\/p>\nThe example above indicates that I have created an access list that permits the use of network 2.2.2.0\/24. Of course, if you want to redistribute all static routes, you could also have used
set access-list 1 permit ip 0.0.0.0\/0 10 <\/p>\n
You can also assign tags to your static routes and then match the route-map to the tags (instead of having to specify the networks twice : <\/p>\n
<\/p>\n<\/p>\n
router-e-><\/span> set route 2.2.2.0\/24 gate 1.1.5.2 tag 100\n\nrouter-e-><\/span> set vrouter "trust-vr"\nrouter-e(trust-vr)-><\/span>set route-map name "InjectStaticNetworks" permit 10\nrouter-e(trust-vr\/InjectStaticNetworks)-><\/span> set match tag 100\nrouter-e(trust-vr\/InjectStaticNetworks)-><\/span> exit\nrouter-e(trust-vr)-><\/span> exit<\/pre>\n<\/p>\n\n <\/p>\n<\/p>\n
Inject a connected subnet (from the non-OSPF enabled interface) on Router E into the OSPF area <\/h3>\n
If you want to inject a connected subnet (e.g. from an interface that is not OSPF enabled), you can set the protocol to \u2018connected\u2019. Since we did not enable OSPF on the router-e interface that connects to F, a route to this subnet is not part of the OSPF distribution.
\n
This is how this can be solved :<\/p>\n<\/p>\n
router-e-><\/span> set vrouter trust-vr\nrouter-e(trust-vr)-><\/span> set access-list 2 permit ip 1.1.5.0\/24 10\nrouter-e(trust-vr)-><\/span> set route-map name InjectConnectedNetworks permit 10\nrouter-e(trust-vr\/InjectConnectedNetworks-10)-><\/span> set match ip 2\nrouter-e(trust-vr\/InjectConnectedNetworks-10)-><\/span> set metric 20\nrouter-e(trust-vr\/InjectConnectedNetworks-10)-><\/span> set metric-type type-1\nrouter-e(trust-vr\/InjectConnectedNetworks-10)-><\/span> exit\nrouter-e(trust-vr)-><\/span> set protocol ospf redistribute route-map InjectConnectedNetworks protocol connected \nrouter-e(trust-vr)-><\/span> exit<\/pre>\n<\/p>\nThat\u2019s it \u2013 wait a couple of seconds and the new route should become visible on all routers in the OSPF area<\/p>\n
<\/p>\n
<\/p>\n
Inject from other sources<\/h3>\n
\n
This is the full list of sources that can be used when injecting information into ospf :<\/p>\n<\/p>\n
\nBGP : Match BGP routes.
\n
Connected : Match connected routes. <\/p>\n
Discovered : Match discovered routes. <\/p>\n
Imported : Match imported routes. <\/p>\n
RIP : Match RIP routes. <\/p>\n
Static : Match static routes. <\/p>\n
<\/p>\n
Redistribute the default route<\/h3>\n
\n
You do not need to create a route-map to distribute the default route :<\/p>\n<\/p>\n
router-a-><\/span> set vrouter "trust-vr"\nrouter-a(trust-vr)-><\/span> set protocol ospf\nrouter-a(trust-vr\/ospf)-><\/span> set advertise-def-route metric 1 metric-type 1\nrouter-a(trust-vr\/ospf)-><\/span> exit\nrouter-a(trust-vr)-><\/span> exit<\/pre>\n<\/p>\n <\/p>\n
\n <\/p>\n
Stub area<\/h3>\n
An alternative way to set up the OSPF environment from the example above is to put router A and C in area 0 and to put the other routers in a stub area. This way, the routing table will look a lot more simple.
\n
Router A and C will get the routes from the stub area, and the routers on the stub area will have a default route and a summary of the routes from routers A and C. <\/p>\n
Of course, since the network connected to routers A and C cannot easily be summarized (using a unique supernet definition), the number of route entries for those networks will be the same.<\/p>\n
The configuration of routers A and C will be the same, except for the interface ethernet0\/2 on router A (which connects to router B), which will be part of the stub area as well<\/p>\n
To set up a stub area, you must configure all interfaces as stub :<\/p>\n
\n
router-a-><\/span> set vrouter "trust-vr"\nrouter-a(trust-vr)-><\/span> set protocol ospf\nrouter-a(trust-vr\/ospf)-><\/span> set area 3 stub\nrouter-a(trust-vr\/ospf)-><\/span> exit\nrouter-a(trust-vr)-><\/span> exit\nrouter-a-><\/span>set int eth0\/2 proto ospf area 3\nrouter-a-><\/span>set int eth0\/2 proto ospf enable\n\n\nrouter-b-><\/span> set vrouter "trust-vr"\nrouter-b(trust-vr)-><\/span> set protocol ospf\nrouter-b(trust-vr\/ospf)-><\/span> set area 3 stub\nrouter-b(trust-vr\/ospf)-><\/span> exit\nrouter-b(trust-vr)-><\/span> exit\nrouter-b-><\/span>set int eth0\/0 proto ospf area 3 \nrouter-b-><\/span>set int eth0\/0 proto ospf enable\nrouter-b-><\/span>set int eth0\/1 proto ospf area 3\nrouter-b-><\/span>set int eth0\/1 proto ospf enable\nrouter-b-><\/span>set int eth0\/2 proto ospf area 3 \nrouter-b-><\/span>set int eth0\/2 proto ospf enable<\/p> <\/p>\n\n
router-d-><\/span> set vrouter "trust-vr" \nrouter-d(trust-vr)-><\/span> set protocol ospf \nrouter-d(trust-vr\/ospf)-><\/span> set area 3 stub \nrouter-d(trust-vr\/ospf)-><\/span> exit \nrouter-d(trust-vr)-><\/span> exit\nrouter-d-><\/span>set int eth0\/0 proto ospf area 3 \nrouter-d-><\/span>set int eth0\/0 proto ospf enable \nrouter-d-><\/span>set int eth0\/1 proto ospf area 3 \nrouter-d-><\/span>set int eth0\/1 proto ospf enable\nrouter-d-><\/span>set int eth0\/2 proto ospf area 3 \nrouter-d-><\/span>set int eth0\/2 proto ospf enable<\/p> <\/p>\n\n
router-e-><\/span> set vrouter "trust-vr" \nrouter-e(trust-vr)-><\/span> set protocol ospf \nrouter-e(trust-vr\/ospf)-><\/span> set area 3 stub \nrouter-e(trust-vr\/ospf)-><\/span> exit \nrouter-e(trust-vr)-><\/span> exit \nrouter-e-><\/span>set int eth0\/1 proto ospf area 3 \nrouter-e-><\/span>set int eth0\/1 proto ospf enable<\/p><\/pre>\n<\/p><\/div>\nThat\u2019s it. Router A has now become a ABR (because it sits between area 0 and area 3, which is the stub area). Again, in this example, the use of a stub area would not change a lot to the routing table, because the networks in area 0 cannot easily be summarized. The use of a totally stubby area would be more efficient here, because that way, the routers on the stub area would only see a default route to area 0, which is ok in this scenario<\/p>\n
<\/p>\n
<\/p>\n
<\/h3>\nTotally stubby area<\/h3>\n
<\/p>\n
A totally stubby area has essentially the same setup as a stub area, but on the ABR, you must suppress the use of summary LSA\u2019s. In my example, router A is the ABR (eth0\/2), so you can use this single command to convert the stub area into a totally stubby area :<\/p>\n
\n
router-a-><\/span> set vr trust-vr protocol ospf area 3 no-summary<\/pre>\n<\/p><\/div>\nAll other routers in area 3 do not need to be changed. The ABR will take remove all summary LSAs from the LSDB and replace them with a default route. <\/p>\n
<\/p>\n
![\"ospf_diagram\"](\"\/wp-content\/uploads\/2008\/10\/ospf-diagram-thumb.png\" "\\"ospf_diagram\\"")
<\/a>