Configuring OSPF on a logical router enables VM connectivity across logical routers and from logical routers to edge services gateways (ESGs).
OSPF also provides equal-cost multipath: when several routes to a destination have the same cost, traffic is balanced across them dynamically.
An OSPF network is divided into routing areas to optimize traffic flow and limit the size of routing tables. An area is a logical collection of OSPF networks, routers, and links that share the same Area ID.
A Router ID must be configured, as shown in OSPF Configured on the Logical (Distributed) Router.
When you enable a router ID, the field is populated by default with the IP address of the logical router's uplink interface.
- Log in to the vSphere Web Client.
- Click Networking & Security and then click NSX Edges.
- Double-click a logical router.
- Click Routing and then click OSPF.
- Enable OSPF.
- Click Edit at the top right corner of the window and click Enable OSPF.
- In Forwarding Address, type an IP address that is to be used by the router datapath module in the hosts to forward datapath packets.
- In Protocol Address, type a unique IP address within the same subnet as the Forwarding Address. The protocol address is used by the protocol to form adjacencies with the peers.
- Configure the OSPF areas.
- Optionally, delete the not-so-stubby area (NSSA) 51 that is configured by default.
- In Area Definitions, click the Add icon.
- Type an Area ID. NSX Edge supports an area ID in the form of an IP address or decimal number.
- In Type, select Normal or NSSA.
An NSSA does not accept AS-external link-state advertisements (LSAs) flooded from the rest of the domain; it relies on a default route for external destinations, so NSSAs must be placed at the edge of the OSPF routing domain. An NSSA can still import external routes into the OSPF routing domain (as Type 7 LSAs), which provides transit service to small routing domains that are not part of the OSPF routing domain.
- (Optional) Select the type of Authentication. OSPF performs authentication at the area level.
All routers within the area must have the same authentication and corresponding password configured. For MD5 authentication to work, both the receiving and transmitting routers must have the same MD5 key.
- None: No authentication is required, which is the default value.
- Password: A plain-text password is carried in the 64-bit authentication field of every OSPF packet. Anyone who can capture traffic on the segment can read it, so this method only guards against accidental adjacencies with misconfigured routers.
- MD5: A keyed MD5 digest (a hash, not encryption) is computed over each packet together with the shared key and appended to the packet. The key itself is never transmitted, so a peer that does not hold it can neither forge nor alter packets without detection. Prefer MD5 over Password wherever FIPS mode does not rule it out.
- For Password or MD5 type authentication, type the password or MD5 key.
If NSX Edge is configured for HA with OSPF graceful restart enabled and MD5 is used for authentication, OSPF fails to restart gracefully. Adjacencies are formed only after the grace period expires on the OSPF helper nodes.
You cannot configure MD5 authentication when FIPS mode is enabled.
NSX Data Center for vSphere always uses a key ID value of 1. Any device not managed by NSX Data Center for vSphere that peers with an Edge Services Gateway or Logical Distributed Router must be configured to use a key ID of value 1 when MD5 authentication is used. Otherwise an OSPF session cannot be established.
- Map interfaces to the areas.
- In Area to Interface Mapping, click the Add icon to map the interface that belongs to the OSPF area.
- Select the interface that you want to map and the OSPF area that you want to map it to.
- (Optional) If needed, edit the default OSPF settings.
In most cases, it is recommended to retain the default OSPF settings. If you do change the settings, make sure that the OSPF peers use the same settings.
Hello Interval displays the default interval between hello packets that are sent on the interface.
Dead Interval displays the default interval during which at least one hello packet must be received from a neighbor before the router declares that neighbor down.
Priority displays the default priority of the interface. On a multi-access segment, the router whose interface has the highest priority becomes the designated router (DR); a priority of 0 makes the interface ineligible.
Cost of an interface displays the default overhead required to send packets across that interface. The cost of an interface is inversely proportional to the bandwidth of that interface. The larger the bandwidth, the smaller the cost.
- Click Publish Changes.
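The authentication choices in the steps above are easier to judge once you see what each puts on the wire. The following is an added example, not code from NSX Data Center for vSphere: it builds a minimal OSPF Hello per RFC 2328, shows that the Password method (AuType 1) carries the key in the clear, and implements the keyed-MD5 method (AuType 2) including the Key ID byte that NSX fixes at 1. The router ID, mask and key are constructed sample values taken from the scenario on this page.

```python
"""OSPFv2 packet authentication on the wire (RFC 2328, Appendix D).

Added example, not NSX code. Sample addresses and the key are constructed values.
"""
import hashlib
import hmac
import ipaddress
import struct

AUTYPE_NULL, AUTYPE_SIMPLE, AUTYPE_CRYPTO = 0, 1, 2
HDR_LEN, DIGEST_LEN = 24, 16
NSX_KEY_ID = 1  # NSX-v always signs and verifies with Key ID 1


def _ip(addr):
    return ipaddress.IPv4Address(addr).packed


def _checksum(data):
    """RFC 1071 one's-complement checksum (used for AuType 0 and 1 only)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def hello_body(mask, hello, dead, priority, dr="0.0.0.0", bdr="0.0.0.0"):
    """Hello payload: mask, HelloInterval, Options (E bit), RtrPri, DeadInterval, DR, BDR."""
    return struct.pack("!4sHBBI4s4s", _ip(mask), hello, 0x02, priority, dead, _ip(dr), _ip(bdr))


def build_packet(router_id, area_id, body, autype, auth_field=b"\x00" * 8):
    """OSPF header + body. The checksum skips the 8-byte auth field and is 0 for AuType 2."""
    hdr = struct.pack("!BBH4s4sHH8s", 2, 1, HDR_LEN + len(body),
                      _ip(router_id), _ip(area_id), 0, autype, auth_field)
    if autype == AUTYPE_CRYPTO:
        return hdr + body
    csum = _checksum(hdr[:16] + body)
    return hdr[:12] + struct.pack("!H", csum) + hdr[14:] + body


def md5_sign(packet, key, key_id, seq):
    """Fill the auth field (Key ID, digest length, sequence number) and append
    MD5(packet || key padded to 16 bytes). The key itself never goes on the wire."""
    auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    pkt = packet[:16] + auth + packet[24:]
    digest = hashlib.md5(pkt + key.ljust(DIGEST_LEN, b"\x00")[:DIGEST_LEN]).digest()
    return pkt + digest


def md5_verify(frame, keys, last_seq=0):
    """Receiver side: look the Key ID up in the local key table, recompute the digest,
    and reject replays (the sequence number must not decrease)."""
    if len(frame) < HDR_LEN:
        return False
    length, autype = struct.unpack("!H", frame[2:4])[0], struct.unpack("!H", frame[14:16])[0]
    pkt, digest = frame[:length], frame[length:length + DIGEST_LEN]
    if autype != AUTYPE_CRYPTO or len(digest) != DIGEST_LEN:
        return False
    _, key_id, dlen, seq = struct.unpack("!HBBI", pkt[16:24])
    key = keys.get(key_id)  # an NSX peer only holds Key ID 1
    if key is None or dlen != DIGEST_LEN or seq < last_seq:
        return False
    expected = hashlib.md5(pkt + key.ljust(DIGEST_LEN, b"\x00")[:DIGEST_LEN]).digest()
    return hmac.compare_digest(expected, digest)


def demo():
    body = hello_body("255.255.255.0", hello=10, dead=40, priority=128)
    # AuType 1: the password, padded to 8 bytes, sits verbatim in the header.
    clear = build_packet("192.168.10.2", "0.0.0.0", body, AUTYPE_SIMPLE, b"s3cret".ljust(8, b"\x00"))
    # AuType 2: the same Hello signed with the shared key under Key ID 1 and under Key ID 2.
    unsigned = build_packet("192.168.10.2", "0.0.0.0", body, AUTYPE_CRYPTO)
    key = b"nsx-area0-key"
    signed = md5_sign(unsigned, key, NSX_KEY_ID, seq=1)
    wrong_id = md5_sign(unsigned, key, 2, seq=1)
    tampered = signed[:25] + bytes([signed[25] ^ 0x01]) + signed[26:]  # flip one body bit
    nsx_peer_keys = {NSX_KEY_ID: key}
    return {
        "password_in_clear": b"s3cret" in clear,
        "md5_ok": md5_verify(signed, nsx_peer_keys),
        "md5_wrong_key_id": md5_verify(wrong_id, nsx_peer_keys),
        "md5_tampered": md5_verify(tampered, nsx_peer_keys),
        "md5_replayed": md5_verify(signed, nsx_peer_keys, last_seq=2),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The `wrong_id` case is the situation described in the MD5 notes: the key matches, but a third-party router that signs under Key ID 2 never forms an adjacency with an NSX Edge, because the receiver looks the Key ID up before it recomputes the digest.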
OSPF Configured on the Logical (Distributed) Router
One simple NSX Data Center for vSphere scenario that uses OSPF is when a logical router (DLR) and an edge services gateway (ESG) are OSPF neighbors, as shown here.
In the following screen, the logical router's default gateway is the ESG's internal interface IP address (192.168.10.1).
The router ID is the logical router's uplink interface address, that is, the IP address that faces the ESG (192.168.10.2).
The logical router configuration uses 192.168.10.2 as its forwarding address. The protocol address can be any IP address that is in the same subnet and is not used anywhere else. In this case, 192.168.10.3 is configured. The area ID configured is 0, and the uplink interface (the interface facing the ESG) is mapped to the area.
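The procedure above and this scenario together fix a handful of constraints (forwarding and protocol address in one subnet and unique, area ID in decimal or dotted form, no MD5 under FIPS, the HA plus graceful-restart plus MD5 caveat, timers that must match the peer). The following is an added example, not NSX code, that checks a configuration against those constraints before you publish it and then renders the `<ospf>` body. The XML element names follow the NSX-v REST body for `PUT /api/4.0/edges/{edgeId}/routing/config/ospf` as I recall it and, like the uplink vnic index, are assumptions to verify on your NSX version.

```python
"""Pre-flight checks for a DLR OSPF configuration, plus the REST body that publishes it.
Added example, not NSX code. The checks encode constraints stated on this page; the XML element
names and the uplink vnic index are assumptions to verify on your NSX version."""
import ipaddress
from dataclasses import dataclass, field
from xml.etree import ElementTree as ET

@dataclass
class Area:
    area_id: str               # "0" or "0.0.0.51": both forms the UI accepts
    area_type: str = "normal"  # "normal" or "nssa"
    auth_type: str = "none"    # "none", "password" or "md5"
    auth_value: str = None

@dataclass
class Interface:
    vnic: int                  # DLR interface index (assumption: 2 is the uplink below)
    area_id: str
    hello: int = 10            # page defaults; the ESG peer must use the same values
    dead: int = 40

@dataclass
class DlrOspf:
    uplink_prefix: str         # subnet of the uplink that faces the ESG
    forwarding_address: str
    protocol_address: str
    areas: list
    interfaces: list
    ha_enabled: bool = False
    graceful_restart: bool = True
    fips_mode: bool = False
    addresses_in_use: set = field(default_factory=set)  # other addresses on the segment

def area_id_value(area_id):
    """Accept decimal or dotted-quad form; return the 32-bit area number (ValueError if invalid)."""
    return int(ipaddress.IPv4Address(int(area_id) if area_id.isdigit() else area_id))

def validate(cfg):
    """Return (errors, warnings): errors block publishing or adjacency, warnings need a peer check."""
    errors, warnings = [], []
    net = ipaddress.ip_network(cfg.uplink_prefix, strict=False)
    fwd, proto = ipaddress.ip_address(cfg.forwarding_address), ipaddress.ip_address(cfg.protocol_address)
    if fwd not in net or proto not in net:
        errors.append(f"forwarding {fwd} and protocol {proto} addresses must both be in {net}")
    if proto == fwd or str(proto) in cfg.addresses_in_use:
        errors.append(f"protocol address {proto} must be unique on the segment")
    defined = set()
    for a in cfg.areas:
        try:
            defined.add(area_id_value(a.area_id))
        except ValueError:
            errors.append(f"area {a.area_id!r}: ID must be a decimal number or dotted IPv4 form")
            continue
        if a.auth_type in ("password", "md5") and not a.auth_value:
            errors.append(f"area {a.area_id}: {a.auth_type} authentication needs a key")
        if a.auth_type == "md5" and cfg.fips_mode:
            errors.append(f"area {a.area_id}: MD5 authentication cannot be configured in FIPS mode")
        if a.auth_type == "md5" and cfg.ha_enabled and cfg.graceful_restart:
            warnings.append(f"area {a.area_id}: HA with graceful restart and MD5 will not restart gracefully")
        if a.auth_type == "md5":
            warnings.append(f"area {a.area_id}: peers not managed by NSX must use MD5 Key ID 1")
    for i in cfg.interfaces:
        if area_id_value(i.area_id) not in defined:
            errors.append(f"vnic {i.vnic}: mapped to undefined area {i.area_id!r}")
        if i.dead <= i.hello:
            errors.append(f"vnic {i.vnic}: dead interval must exceed the hello interval")
        elif (i.hello, i.dead) != (10, 40):
            warnings.append(f"vnic {i.vnic}: non-default timers {i.hello}/{i.dead}; the ESG peer must match")
    return errors, warnings

def to_xml(cfg):
    """<ospf> body for the routing/config/ospf PUT (element names are an assumption)."""
    root = ET.Element("ospf")
    for tag, val in (("enabled", "true"), ("protocolAddress", cfg.protocol_address),
                     ("forwardingAddress", cfg.forwarding_address)):
        ET.SubElement(root, tag).text = val
    areas = ET.SubElement(root, "ospfAreas")
    for a in cfg.areas:
        el = ET.SubElement(areas, "ospfArea")
        ET.SubElement(el, "areaId").text = str(area_id_value(a.area_id))
        ET.SubElement(el, "type").text = a.area_type
        auth = ET.SubElement(el, "authentication")
        ET.SubElement(auth, "type").text = a.auth_type
        if a.auth_value:
            ET.SubElement(auth, "value").text = a.auth_value
    ifaces = ET.SubElement(root, "ospfInterfaces")
    for i in cfg.interfaces:
        el = ET.SubElement(ifaces, "ospfInterface")
        for tag, val in (("vnic", i.vnic), ("areaId", area_id_value(i.area_id)),
                         ("helloInterval", i.hello), ("deadInterval", i.dead)):
            ET.SubElement(el, tag).text = str(val)
    ET.SubElement(root, "gracefulRestart").text = str(cfg.graceful_restart).lower()
    return ET.tostring(root)

def page_scenario():
    """The DLR/ESG scenario on this page: .1 is the ESG, .2 forwarding, .3 protocol, area 0."""
    return DlrOspf(uplink_prefix="192.168.10.0/24", forwarding_address="192.168.10.2",
                   protocol_address="192.168.10.3", areas=[Area("0")],
                   interfaces=[Interface(vnic=2, area_id="0")], addresses_in_use={"192.168.10.1"})
```

`validate(page_scenario())` returns no errors or warnings for the values on this page; setting the protocol address to 192.168.10.2 or enabling MD5 with FIPS mode turns each into an error, which is cheaper to catch here than after Publish Changes, when the symptom is a missing adjacency.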
What to do next
Make sure the route redistribution and firewall configuration allow the correct routes to be advertised.
In this example, the logical router's connected routes (172.16.10.0/24 and 172.16.20.0/24) are advertised into OSPF.
If you enabled SSH when you created the logical router, you must also configure a firewall filter that allows SSH to the logical router's protocol address. For example: