Configure OSPFv3
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
Configure OSPFv3
OSPF supports both IPv4 and IPv6. You must
use OSPFv3 if you
are using IPv6.
- Configure general virtual router settings.Configure general OSPFv3 configuration settings.
- Select the OSPFv3 tab.Select Enable to enable the OSPF protocol.Enter the Router ID.Select Reject Default Route if you do not want to learn any default routes through OSPFv3 This is the recommended default setting.Clear Reject Default Route if you want to permit redistribution of default routes through OSPFv3.Configure Auth Profile for the OSPFv3 protocol.While OSPFv3 doesn't include any authentication capabilities of its own, it relies entirely on IPSec to secure communications between neighbors.When configuring an authentication profile, you must use Encapsulating Security Payload (ESP) (recommended) or IPv6 Authentication Header (AH).ESP OSPFv3 authentication
- On the Auth Profiles tab, Add a name for the authentication profile to authenticate OSPFv3 messages.Specify a Security Policy Index (SPI) (hexadecimal value in the range from 00000000 to FFFFFFFF). The two ends of the OSPFv3 adjacency must have matching SPI values.Select ESP for Protocol.Select a Crypto Algorithm.You can select None or one of the following algorithms: SHA1, SHA256, SHA384, SHA512, or MD5.If a Crypto Algorithm other than None was selected, enter a value for Key and then confirm.AH OSPFv3 authentication
- On the Auth Profiles tab, Add a name for the authentication profile to authenticate OSPFv3 messages.Specify a Security Policy Index (SPI). The SPI must match between both ends of the OSPFv3 adjacency. The SPI number must be a hexadecimal value between 00000000 and FFFFFFFF.Select AH for Protocol.Select a Crypto Algorithm.You must enter one of the following algorithms: SHA1, SHA256, SHA384, SHA512, or MD5.Enter a value for Key and then confirm.Click OK.Click OK again in the Virtual Router - OSPF Auth Profile dialog.Configure Areas - Type for the OSPFv3 protocol.
- On the Areas tab, Add an Area ID. This is the identifier that each neighbor must accept to be part of the same area.On the General tab, select one of the following from the area Type list:
- Normal—There are no restrictions; the area can carry all types of routes.
- Stub—There is no outlet from the area. To reach a destination outside of the area, it is necessary to go through the border, which connects to other areas. If you select this option, configure the following:
- Accept Summary—Link state advertisements (LSA) are accepted from other areas. If this option on a stub area Area Border Router (ABR) interface is disabled, the OSPF area will behave as a Totally Stubby Area (TSA) and the ABR will not propagate any summary LSAs.
- Advertise Default Route—Default route LSAs will be included in advertisements to the stub area along with a configured metric value in the configured range 1-255.
- NSSA (Not-So-Stubby Area)—The firewall can leave the area only by routes other than OSPF routes. If selected, configure Accept Summary and Advertise Default Route as described for Stub. If you select this option, configure the following:
- Type—Select either Ext 1 or Ext 2 route type to advertise the default LSA.
- Ext Ranges—Add ranges of external routes that you want to enable or suppress advertising for.
Associate an OSPFv3 authentication profile to an area or an interface.To an Area- On the Areas tab, select an existing area from the table.On the General tab, select a previously defined Authentication Profile from the Authentication list.Click OK.To an Interface
- On the Areas tab, select an existing area from the table.Select the Interface tab and Add the authentication profile you want to associate with the OSPF interface from the Auth Profile list.Click OK.Click OK again to save the area settings.(Optional) Configure Export Rules.
- On the Export Rules tab, select Allow Redistribute Default Route to permit redistribution of default routes through OSPFv3.Click Add.Enter the Name; the value must be a valid IPv6 subnet or valid redistribution profile name.Select New Path Type, Ext 1 or Ext 2.Specify a New Tag for the matched route, using has a 32-bit value in dotted-decimal notation.Assign a Metric to the new rule (range is 1-16,777,215).Click OK.Configure Advanced OSPFv3 options.
- On the Advanced tab, select Disable Transit Routing for SPF Calculation if you want the firewall to participate in OSPF topology distribution without being used to forward transit traffic.Specify a value for the SPF Calculation Delay (sec) timer, which allows you to tune the delay time (in seconds) between receiving new topology information and performing an SPF calculation. Lower values enable faster OSPF re-convergence. Routers peering with the firewall should use the same delay value to optimize convergence times.Specify a value for the LSA Interval (sec) timer, which is the minimum time (in seconds) between transmissions of two instances of the same LSA (same router, same type, same LSA ID). This is equivalent to MinLSInterval in RFC 2328. Lower values can be used to reduce re-convergence times when topology changes occur.(Optional) Configure OSPF Graceful Restart.Click OK.Commit your changes.