Select Reject Default Route if
you do not want to learn any default routes through OSPF. This is
the recommended, default setting.
Clear Reject Default Route if you
want to permit redistribution of default routes through OSPF.
Configure Areas - Type for the OSPF protocol.
On the Areas tab, Add an Area
ID for the area in x.x.x.x format. This
is the identifier that each neighbor must accept to be part of the
same area.
On the Type tab, select one
of the following from the area Type list:
Normal—There are no restrictions;
the area can carry all types of routes.
Stub—There is no outlet from the area.
To reach a destination outside of the area, it is necessary to go
through the border, which connects to other areas. If you select
this option, configure the following:
Accept Summary—Link state advertisements (LSA) are accepted
from other areas. If this option is disabled on a stub area Area
Border Router (ABR) interface, the OSPF area will behave as a Totally
Stubby Area (TSA) and the ABR will not propagate any summary LSAs.
Advertise Default Route—Default route
LSAs will be included in advertisements to the stub area along with
a configured metric value in the configured range 1-255.
NSSA (Not-So-Stubby Area)—The firewall
can leave the area only by routes other than OSPF routes. If you
select NSSA, select Accept Summary and Advertise
Default Route as described for Stub.
If you select this option, configure the following:
Type—Select either Ext 1 or Ext 2 route
type to advertise the default LSA.
Ext Ranges—Add ranges
of external routes that you want to Advertise or
for which you want to Suppress advertising.
Click OK.
Configure Areas - Range for the OSPF protocol
On the Range tab, Add a subnet to aggregate
LSA destination addresses in the area.
Advertise or Suppress advertising
LSAs that match the subnet, and click OK.
Repeat to add additional ranges.
Configure Areas - Interfaces for the OSPF protocol
On the Interface tab, Add the
following information for each interface to be included in the area:
Interface—Select an interface.
Enable—Selecting this option causes
the OSPF interface settings to take effect.
Passive—Select if you do not want
the OSPF interface to send or receive OSPF packets. Although OSPF
packets are not sent or received if you choose this option, the
interface is included in the LSA database.
Link type—Choose Broadcast (for example, on an Ethernet
interface) if you want all neighbors that are accessible through the
interface to be discovered automatically by multicasting OSPF hello
messages. Choose p2p (point-to-point) to automatically discover the
neighbor. Choose p2mp (point-to-multipoint) when neighbors must be
defined manually, and Add the neighbor IP addresses for all neighbors
that are reachable through this interface.
Metric—Enter an OSPF metric for this
interface (range is 0-65,535; default is 10).
Priority—Enter an OSPF priority for
this interface. This is the priority for the router to be elected
as a designated router (DR) or as a backup DR (BDR) (range is 0-255;
default is 1). If zero is configured, the router will not be elected
as a DR or BDR.
Auth Profile—Select a previously-defined
authentication profile.
Timing—Modify the timing settings
if desired (not recommended). For details on these settings,
refer to the online help.
Click OK.
Configure Areas - Virtual Links.
On the Virtual Link tab, Add the
following information for each virtual link to be included in the
backbone area:
Name—Enter a name for the
virtual link.
Enable—Select to enable the virtual
link.
Neighbor ID—Enter the router ID of
the router (neighbor) on the other side of the virtual link.
Transit Area—Enter the area ID of
the transit area that physically contains the virtual link.
Timing—It is recommended that you
keep the default timing settings.
Auth Profile—Select a previously-defined
authentication profile.
Click OK to save virtual links.
Click OK to save area.
(Optional) Configure Auth Profiles.
By default, the firewall does not use OSPF authentication
for the exchange between OSPF neighbors. Optionally, you can configure
OSPF authentication between OSPF neighbors by either a simple password
or using MD5 authentication. MD5 authentication is recommended;
it is more secure than a simple password.
Simple Password OSPF authentication
Select the Auth Profiles tab
and Add a name for the authentication profile
to authenticate OSPF messages.
Select Simple Password as the Password
Type.
Enter a simple password and then confirm.
MD5 OSPF authentication
Select the Auth Profiles tab
and Add a name for the authentication profile
to authenticate OSPF messages.
Select MD5 as the Password
Type and Add one or more password
entries, including:
Key-ID (range is 0-255)
Key
Select the Preferred option to specify
that the key be used to authenticate outgoing messages.
Click OK.
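The difference between the two password types is visible on the wire. The following added example (not firewall code) builds OSPFv2 headers as laid out in RFC 2328 Appendix D and shows that a simple password travels in cleartext in the header, while an MD5 key is never transmitted and the receiver uses the Key-ID, sequence number and digest to reject altered or replayed packets. The router ID, password and key are constructed sample values.

```python
import hashlib
import hmac
import struct

# RFC 2328 A.3.1 header: version, type, length, router ID, area ID,
# checksum, AuType, 8-byte authentication field (24 bytes total).
HDR = struct.Struct("!BBH4s4sHH8s")

def build(au_type, auth_field, body):
    # Constructed packet: OSPFv2 hello from router ID 10.0.0.1 in area 0.0.0.0.
    # Checksum is left at 0 to keep the example short (RFC 2328 does not
    # compute it for AuType 2).
    return HDR.pack(2, 1, HDR.size + len(body), bytes([10, 0, 0, 1]),
                    bytes(4), 0, au_type, auth_field) + body

def pad_key(key):
    # Keys are zero-padded (or truncated) to 16 bytes before hashing.
    return key.ljust(16, b"\0")[:16]

def simple_packet(password, body=b""):
    # AuType 1: the authentication field is the password itself, in cleartext.
    return build(1, password.ljust(8, b"\0")[:8], body)

def md5_packet(key_id, key, seq, body=b""):
    # AuType 2: field holds 0, Key ID (one byte, 0-255), digest length, sequence.
    pkt = build(2, struct.pack("!HBBI", 0, key_id, 16, seq), body)
    # The digest covers packet + padded key; the key never goes on the wire.
    return pkt + hashlib.md5(pkt + pad_key(key)).digest()

def exposed_secret(raw):
    # What anyone who can capture the packet reads straight from the header.
    au_type, auth = HDR.unpack(raw[:HDR.size])[6:8]
    return auth.rstrip(b"\0") if au_type == 1 else None

def verify_md5(raw, keys, last_seq):
    # Receiver: select the key by Key ID, drop replays, recompute the digest.
    fields = HDR.unpack(raw[:HDR.size])
    length, au_type = fields[2], fields[6]
    _, key_id, digest_len, seq = struct.unpack("!HBBI", fields[7])
    if au_type != 2 or key_id not in keys or seq < last_seq:
        return False
    expected = hashlib.md5(raw[:length] + pad_key(keys[key_id])).digest()
    received = raw[length:length + digest_len]
    return hmac.compare_digest(received, expected)
```

Both neighbors must hold the same key under the same Key-ID for verification to succeed, which is why each password entry pairs a Key-ID with a Key.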
Configure Advanced OSPF options.
On the Advanced tab,
select RFC 1583 Compatibility to ensure compatibility
with RFC 1583.
Specify a value for the SPF Calculation
Delay (sec) timer, which allows you to tune the delay
time (in seconds) between receiving new topology information and
performing an SPF calculation. Lower values enable faster OSPF re-convergence.
Routers peering with the firewall should use the same delay value to
optimize convergence times.
Specify a value for the LSA Interval (sec) timer,
which is the minimum time between transmissions of two instances
of the same LSA (same router, same type, same LSA ID). This is equivalent
to MinLSInterval in RFC 2328. Lower values can be used to reduce
re-convergence times when topology changes occur.