How to process OSPF in FW?


L4 Transporter

Hello,

I heard from someone in the past that the control plane sends OSPF hello packets and the data plane has the routing table.

Is that correct?

An OSPF issue occurred at my custom site, so I am wondering about it.

And what is the difference between the routing table and the FIB?

Thanks.

Accepted Solutions

L3 Networker

Hello cheon.

The hello packets are generated on the management plane and sent out the data plane. The routing table is managed by the management plane, and "frequently used, or best match" routes are sent to the FIB.

The FIB (forwarding information base) is a software copy of the routes which are programmed to the TCAM for packet forwarding. This is a simple explanation, but I hope it answers your questions.

-chadd.


Thank you very much, chadd.

Your answer was very helpful to me.

L2 Linker

Hi cheon,

What was the issue you had? We have run into OSPF issues that have a lower than default hello interval. Like 2 seconds.

Hi stewart,

I had an OSPF issue where OSPF hello negotiation with the neighbor L3 device failed when the FW was under a DDoS attack.

We had an issue like that. We had the hello set to 2 and when the PA was under high load it would miss hello msgs from neighbors. The dead timer on L3 neighbor would expire and the link would be moved to down. PA does not recommend using a hello lower than the default of 10 seconds.
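A small model of the failure described in this thread, as an added example that is not part of any poster's reply and not Palo Alto code: it simulates a firewall that stops sending hellos while its control plane is overloaded and reports how long a stall each timer setting tolerates. The dead interval of four times the hello interval and all function names are assumptions.

```python
"""Added example: OSPF dead-timer expiry when a loaded peer stops sending hellos."""


def first_adjacency_loss(hello, dead, stall_start, stall_len, horizon=600):
    """Return the second at which the neighbor's dead timer expires, or None.

    Model (assumption): the firewall sends a hello every `hello` seconds from
    t=0, except during [stall_start, stall_start + stall_len), when it is too
    busy to send. The neighbor restarts its dead timer on every hello received
    and drops the adjacency once `dead` seconds pass without one. A hello that
    arrives exactly as the timer fires is counted as too late.
    """
    stall_end = stall_start + stall_len
    last_heard = 0
    for t in range(hello, horizon + 1, hello):
        if stall_start <= t < stall_end:
            continue  # this hello was never sent
        if t - last_heard >= dead:
            return last_heard + dead  # timer fired before this hello arrived
        last_heard = t
    return None


def longest_safe_stall(hello, dead, max_stall=120):
    """Longest stall (whole seconds) that is survivable at every start offset."""
    base = 10 * hello  # let the adjacency settle before the stall begins
    safe = 0
    for stall_len in range(1, max_stall + 1):
        for phase in range(hello):  # stall may begin anywhere in a hello cycle
            if first_adjacency_loss(hello, dead, base + phase, stall_len) is not None:
                return safe
        safe = stall_len
    return safe


if __name__ == "__main__":
    # Hello values taken from the thread; dead = 4 x hello is an assumption.
    for hello in (2, 10):
        dead = 4 * hello
        print(f"hello={hello}s dead={dead}s -> "
              f"worst-case survivable stall: {longest_safe_stall(hello, dead)}s")
```

In this model a 2-second hello survives only a 4-second stall in the worst case, while the 10-second default survives 20 seconds.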

You mentioned that using a hello lower than the default of 10 seconds is not recommended.

What are the best values for the OSPF hello and dead timers that PA recommends?

I would generally leave ospf parameters like the hello timers at the defaults unless there is a compelling reason to make them more aggressive like a design for faster convergence and failover among multiple devices.

You can find Palo Alto's general ospf deploy descriptions here:

How to Configure OSPF

For definitions:

RIB: Routing information Base - this is the current listing of best routes used by the router to forward packets arriving on the device.  This gets built out of the FIB table based on the metrics assigned to each route as it is learned by the router.

FIB: Forwarding information Base - this is a complete list of all available routes that the router knows about for reaching destinations.  This will include additional duplicate routes for the same destinations that are not rated as good as the route for that same destination that gets installed into the RIB.  Routes are added as they are learned from sources and removed as neighbors either are lost or withdraw routes.  These changes may or may not then cause an update to the RIB.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Steven Puluka, Thank you for your answer.

Sorry, I don't understand correctly.

Do you mean that the routing table equals the RIB?

Regards,

KC Lee

Essentially, the RIB is your active routing table.

On Palo Alto your main commands would be:

RIB

show routing route

FIB

show routing fib

Also helpful is

show routing summary

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center