1. Home
    2. PAN-OS
    3. PAN-OS® Networking Administrator’s Guide
    4. OSPF
    5. Configure OSPFv3

    Configure OSPFv3

    OSPF supports both IPv4 and IPv6. You must use OSPFv3 if you are using IPv6.
    1. Configure general virtual router settings.
    2. Configure general OSPFv3 configuration settings.
      1. Select the
        OSPFv3
         tab.
      2. Select
        Enable
         to enable the OSPF protocol.
      3. Enter the
        Router ID
        .
      4. Select
        Reject Default Route
         if you do not want to learn any default routes through OSPFv3 This is the recommended default setting.
        Clear
        Reject Default Route
         if you want to permit redistribution of default routes through OSPFv3.
    3. Configure Auth Profile for the OSPFv3 protocol.
      While OSPFv3 doesn't include any authentication capabilities of its own, it relies entirely on IPSec to secure communications between neighbors.
      When configuring an authentication profile, you must use Encapsulating Security Payload (ESP) (recommended) or IPv6 Authentication Header (AH).
      ESP OSPFv3 authentication
      1. On the
        Auth Profiles
         tab,
        Add
         a name for the authentication profile to authenticate OSPFv3 messages.
      2. Specify a Security Policy Index (
        SPI
        ) (hexadecimal value in the range from 00000000 to FFFFFFFF). The two ends of the OSPFv3 adjacency must have matching SPI values.
      3. Select
        ESP
         for
        Protocol
        .
      4. Select a
        Crypto Algorithm
        .
        You can select
        None
         or one of the following algorithms:
        SHA1
        ,
        SHA256
        ,
        SHA384
        ,
        SHA512
        , or
        MD5
        .
      5. If a
        Crypto Algorithm
         other than None was selected, enter a value for
        Key
         and then confirm.
      AH OSPFv3 authentication
      1. On the
        Auth Profiles
         tab,
        Add
         a name for the authentication profile to authenticate OSPFv3 messages.
      2. Specify a Security Policy Index (
        SPI
        ). The SPI must match between both ends of the OSPFv3 adjacency. The SPI number must be a hexadecimal value between 00000000 and FFFFFFFF.
      3. Select
        AH
         for
        Protocol
        .
      4. Select a
        Crypto Algorithm
        .
        You must enter one of the following algorithms:
        SHA1
        ,
        SHA256
        ,
        SHA384
        ,
        SHA512
        , or
        MD5
        .
      5. Enter a value for
        Key
         and then confirm.
      6. Click
        OK
        .
      7. Click
        OK
         again in the Virtual Router - OSPF Auth Profile dialog.
    4. Configure Areas - Type for the OSPFv3 protocol.
      1. On the
        Areas
         tab,
        Add
         an
        Area ID
        . This is the identifier that each neighbor must accept to be part of the same area.
      2. On the
        General
         tab, select one of the following from the area
        Type
         list:
        • Normal
          —There are no restrictions; the area can carry all types of routes.
        • Stub
          —There is no outlet from the area. To reach a destination outside of the area, it is necessary to go through the border, which connects to other areas. If you select this option, configure the following:
          • Accept Summary
            —Link state advertisements (LSA) are accepted from other areas. If this option on a stub area Area Border Router (ABR) interface is disabled, the OSPF area will behave as a Totally Stubby Area (TSA) and the ABR will not propagate any summary LSAs.
          • Advertise Default Route
            —Default route LSAs will be included in advertisements to the stub area along with a configured metric value in the configured range 1-255.
        • NSSA
           (Not-So-Stubby Area)—The firewall can leave the area only by routes other than OSPF routes. If selected, configure
          Accept Summary
           and
          Advertise Default Route
           as described for
          Stub
          . If you select this option, configure the following:
          • Type
            —Select either
            Ext 1
             or
            Ext 2
             route type to advertise the default LSA.
          • Ext Ranges
            Add
             ranges of external routes that you want to enable or suppress advertising for.
    5. Associate an OSPFv3 authentication profile to an area or an interface.
      To an Area
      1. On the
        Areas
         tab, select an existing area from the table.
      2. On the
        General
         tab, select a previously defined
        Authentication Profile
         from the
        Authentication
         list.
      3. Click
        OK
        .
      To an Interface
      1. On the
        Areas
         tab, select an existing area from the table.
      2. Select the
        Interface
         tab and
        Add
         the authentication profile you want to associate with the OSPF interface from the
        Auth Profile
         list.
      3. Click
        OK
        .
    6. Click
      OK
       again to save the area settings.
    7. (
      Optional
      ) Configure Export Rules.
      1. On the
        Export Rules
         tab, select
        Allow Redistribute Default Route
         to permit redistribution of default routes through OSPFv3.
      2. Click
        Add
        .
      3. Enter the
        Name
        ; the value must be a valid IPv6 subnet or valid redistribution profile name.
      4. Select
        New Path Type
        ,
        Ext 1
         or
        Ext 2
        .
      5. Specify a
        New Tag
         for the matched route, using has a 32-bit value in dotted-decimal notation.
      6. Assign a
        Metric
         to the new rule (range is 1-16,777,215).
      7. Click
        OK
        .
    8. Configure Advanced OSPFv3 options.
      1. On the
        Advanced
         tab, select
        Disable Transit Routing for SPF Calculation
         if you want the firewall to participate in OSPF topology distribution without being used to forward transit traffic.
      2. Specify a value for the
        SPF Calculation Delay (sec)
         timer, which allows you to tune the delay time (in seconds) between receiving new topology information and performing an SPF calculation. Lower values enable faster OSPF re-convergence. Routers peering with the firewall should use the same delay value to optimize convergence times.
      3. Specify a value for the
        LSA Interval (sec)
         timer, which is the minimum time (in seconds) between transmissions of two instances of the same LSA (same router, same type, same LSA ID). This is equivalent to MinLSInterval in RFC 2328. Lower values can be used to reduce re-convergence times when topology changes occur.
      5. Click
        OK
        .
    9. Commit
       your changes.

    Recommended For You