On 2007/03/08 10:12, Chris Black wrote:
> Right now I include all links but the "pair partner link" (used for
> pfsync) in my ospf configs. This leads to each host showing two ospf
> neighbors rather than three. Is this ok?

yes that's ok.

> The links to the internet and internal networks should be advertised
> over ospf and that is working fine. However, no OSPF-specific traffic
> such as hellos or link state advertisements should be sent over those
> interfaces. What is the proper way to do this? I read about "passive"
> but am not sure if this is the correct approach.

passive is correct.

> It seems like there is more than one DR (designated router) from the
> output of ospfctl show neighbors. From my reading about OSPF I thought
> there was only one DR per area, but it seems like there is one DR per
> neighbor pair and a router can be a DR for one pair but BDR for another.
> What am I misunderstanding here? I think I just don't fully understand
> the output of ospfctl show neighbor.

DR/BDR are per-network (i.e. shared-media between a number of routers
e.g. an ethernet segment), an area may contain more than one of these.

> Is there a way to get ospfd to reread its config without totally killing
> and restarting? kill -HUP'ing the parent process did not seem to do
> anything and HUP'ing the engine process killed all three processes.

4.1 will have added 'ospfctl reload' - this is way more complicated than
you might first think (the diff is something like 1000 lines, it was done
at the end of January). I tried it last time I added a vlan to production
routers and it worked fine then.

> redistribute connected

That will redistribute the interface you run pfsync over which you might
like to avoid. (you already specifically list the interfaces you are
interested in so you don't need it).

> auth-type none

> I do plan on putting auth in place once I verify everything is working
> without it. In addition I hope to collapse all these separate auth-type
> directives into the global or area portions of the conf file.

imho it pays to do things like that from the start - otherwise you then
have to disrupt a working setup to change configuration.

in global:
auth-type crypt
auth-md 1 some.key.here
auth-md-keyid 1
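Putting the advice from this reply together, here is a constructed ospfd.conf for one member of a pfsync firewall pair; it is an added example, not a config from the thread or from OpenBSD itself. The interface names (em0 upstream, em1 internet, em2 internal, em3 pfsync), the router-id and the key are placeholders.

```conf
# ospfd.conf, constructed example: interface names, router-id and key
# are placeholders, not values from the thread.
router-id 192.0.2.1

# Authentication set once at global scope instead of a per-interface
# "auth-type none"; every interface in every area inherits it unless an
# area or interface block overrides it.
auth-type crypt
auth-md 1 "replace-with-a-real-secret"
auth-md-keyid 1

# Deliberately no "redistribute connected": it would also advertise the
# pfsync link (em3), which appears nowhere in this file. The networks on
# em1 and em2 are advertised simply because those interfaces are listed
# in the area.

area 0.0.0.0 {
	# em0 carries the actual OSPF adjacency (hellos, LSAs, DR/BDR election
	# for that segment); this is where neighbors show up in
	# "ospfctl show neighbor".
	interface em0 {
		metric 10
	}

	# Internet and internal networks: advertised into the area, but no
	# hellos or LSAs are sent on them and no neighbor is expected there.
	interface em1 {
		passive
	}
	interface em2 {
		passive
	}
}
```

After editing, "ospfctl reload" (OpenBSD 4.1 and later, as mentioned above) applies the change without restarting ospfd.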