Recommended Practices for OSPF Configurations
When configuring OSPF routing, most of the work is specifying the OSPF areas and the interfaces in each area on which you want to run OSPF.
In IOS there are two options:
- Use the network command within the OSPF routing process configuration. The network command lets you specify an ACL-like filter that can match multiple interfaces with a single command, significantly reducing configuration complexity. In IOS release 12.4T, you can use either the wildcard mask or the subnet mask in the network command.
- Use the ip ospf area command in interface configuration mode. The ip ospf area command gives you very granular control over interface-to-area mappings.

Minimize the OSPF Configurations

If possible, always minimize the amount of OSPF configuration (this in turn reduces the chance of errors). For example, all interfaces on a stub remote-site router with two upstream WAN links should usually belong to the same OSPF area. The stub router may be configured with the following minimum configuration:

    interface Loopback0
     ip address 10.20.30.1 255.255.255.255
    interface FastEthernet0/0
     description LAN interface
     ip address 10.2.0.1 255.255.255.0
    interface Serial1/1
     description primary WAN link
     ip address 10.1.0.1 255.255.255.252
    interface Serial1/2
     description backup WAN link
     ip address 10.1.0.5 255.255.255.252
    router ospf 20
     log-adjacency-changes
     network 0.0.0.0 255.255.255.255 area 1

The last configuration command ensures that any new interface configured on the router after the OSPF process has been configured is included in OSPF area 1 automatically.

Implementing Security in OSPF

Usually, all interfaces on a router are included in the OSPF routing process, but OSPF is run only on transit interfaces. To make your OSPF configuration safer, use the passive-interface default router configuration command and enable the OSPF hello protocol on individual interfaces with the no passive-interface router configuration command. For example, a host on the remote-site LAN should not be able to form an OSPF adjacency with the router and insert bogus routes into the OSPF area. To increase the security of the remote-site router, use the following configuration in the OSPF routing process configuration:

    router ospf 20
     log-adjacency-changes
     network 0.0.0.0 255.255.255.255 area 1
     passive-interface default
     no passive-interface Serial1/1
     no passive-interface Serial1/2

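An added example (not part of the original article): a small Python audit that reads a configuration like the one above and reports which interfaces fall into an OSPF area and which of them still send hellos. It assumes wildcard-mask network statements, ignores ip ospf area interface commands, and lets the first matching network statement decide the area; ospf_scope and hello_interfaces are hypothetical names.

```python
import ipaddress
import re
# Constructed sample: the hardened remote-site configuration from this page.
SAMPLE = """\
interface Loopback0
 ip address 10.20.30.1 255.255.255.255
interface FastEthernet0/0
 ip address 10.2.0.1 255.255.255.0
interface Serial1/1
 ip address 10.1.0.1 255.255.255.252
interface Serial1/2
 ip address 10.1.0.5 255.255.255.252
router ospf 20
 network 0.0.0.0 255.255.255.255 area 1
 passive-interface default
 no passive-interface Serial1/1
 no passive-interface Serial1/2
"""

def wildcard_match(ip, base, wildcard):
    """IOS network statement: bits set in the wildcard mask are ignored."""
    i, b, w = (int(ipaddress.IPv4Address(a)) for a in (ip, base, wildcard))
    return (i | w) == (b | w)

def ospf_scope(config):
    """Map OSPF interfaces to (area, state); assumes first matching network wins."""
    addrs, nets, passive, active, default_passive, section = {}, [], set(), set(), False, ""
    for line in config.splitlines():
        cmd = line.strip()
        if not line.startswith(" "):
            section = cmd                      # start of a new top-level block
        elif section.startswith("interface ") and (m := re.match(r"ip address (\S+) \S+$", cmd)):
            addrs[section.split()[1]] = m.group(1)
        elif section.startswith("router ospf "):
            if m := re.match(r"network (\S+) (\S+) area (\S+)$", cmd):
                nets.append(m.groups())
            elif cmd == "passive-interface default":
                default_passive = True
            elif m := re.match(r"(no )?passive-interface (\S+)$", cmd):
                (active if m.group(1) else passive).add(m.group(2))
    scope = {}
    for name, ip in addrs.items():
        area = next((a for b, w, a in nets if wildcard_match(ip, b, w)), None)
        if area is not None:
            quiet = name in passive or (default_passive and name not in active)
            scope[name] = (area, "passive" if quiet else "active")
    return scope

def hello_interfaces(config):  # interfaces that send hellos and can form adjacencies
    return sorted(n for n, (_, s) in ospf_scope(config).items() if s == "active")
```

Removing the passive-interface default line from the sample makes FastEthernet0/0 and Loopback0 appear in the hello_interfaces result, which is the LAN-side exposure this section describes.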
In networks without a clear IP addressing design that would separate the core links from the access links, it's best to avoid the network router configuration command and assign individual interfaces to specific OSPF areas. This approach is maintenance-intensive but slightly more secure. It is difficult to make out the scope of OSPF routing solely from the router configuration.

Loopback Interface

Always configure a loopback interface. A loopback interface is helpful in more than one way. By default, OSPF uses the loopback address as the router ID, or otherwise the highest IP address on an interface. If you plan router loopbacks properly, you end up with a logical scheme of OSPF router IDs:

    router1 10.20.30.1
    router2 10.20.30.2
    router3 10.20.30.3

In OSPF, each time a link flaps, all the routers recalculate the route changes. Since the loopback interface always remains up, it adds stability to your network.

Interface Description

Always use a description for each interface. For WAN links, also include the underlying circuit number as part of the description. These details are real life savers when troubleshooting a down link over the phone in real-life networks.

Making all OSPF interfaces except the ones you want to participate in OSPF actively is a real life saver tip...
Keep up the good work... thanks