End-of-Life (EoL)

Configure OSPFv3

OSPF supports both IPv4 and IPv6. You must use OSPFv3 if you are using IPv6.
  1. Configure general virtual router configuration settings.
    See Virtual Routers for details.
  2. Configure general OSPF configuration settings.
    1. Select the
      OSPF
      tab.
    2. Select
      Enable
      to enable the OSPF protocol.
    3. Select
      Reject Default Route
      if you do not want to learn any default routes through OSPF. This is the recommended default setting.
    4. Clear
      Reject Default Route
      if you want to permit redistribution of default routes through OSPF.
  3. Configure general OSPFv3 configuration settings.
    1. Select the
      OSPFv3
      tab.
    2. Select
      Enable
      to enable the OSPF protocol.
    3. Select
      Reject Default Route
      if you do not want to learn any default routes through OSPFv3 This is the recommended default setting.
      Clear
      Reject Default Route
      if you want to permit redistribution of default routes through OSPFv3.
  4. Configure Auth Profile for the OSPFv3 protocol.
    While OSPFv3 doesn't include any authentication capabilities of its own, it relies entirely on IPsec to secure communications between neighbors.
    When configuring an authentication profile, you must use Encapsulating Security Payload (ESP) (which is recommended) or IPv6 Authentication Header (AH).
    ESP OSPFv3 authentication
    1. On the
      Auth Profiles
      tab, click
      Add
      .
    2. Enter a name for the authentication profile to authenticate OSPFv3 messages.
    3. Specify a Security Policy Index (
      SPI
      ). The SPI must match between both ends of the OSPFv3 adjacency. The SPI number must be a hexadecimal value between 00000000 and FFFFFFFF.
    4. Select
      ESP
      for
      Protocol
      .
    5. Select a
      Crypto Algorithm
      from the drop-down.
      You can enter none or one of the following algorithms: SHA1, SHA256, SHA384, SHA512 or MD5.
    6. If a
      Crypto Algorithm
      other than none was selected, enter a value for
      Key
      and then confirm.
    AH OSPFv3 authentication
    1. On the
      Auth Profiles
      tab, click
      Add
      .
    2. Enter a name for the authentication profile to authenticate OSPFv3 messages.
    3. Specify a Security Policy Index (
      SPI
      ). The SPI must match between both ends of the OSPFv3 adjacency. The SPI number must be a hexadecimal value between 00000000 and FFFFFFFF.
    4. Select
      AH
      for
      Protocol
      .
    5. Select a
      Crypto Algorithm
      from the drop-down.
      You must enter one of the following algorithms: SHA1, SHA256, SHA384, SHA512 or MD5.
    6. Enter a value for
      Key
      and then confirm.
    7. Click
      OK
      .
    8. Click
      OK
      again in the Virtual Router - OSPF Auth Profile dialog.
  5. Configure Areas - Type for the OSPF protocol.
    1. On the
      Areas
      tab, click
      Add
      .
    2. Enter an Area ID. This is the identifier that each neighbor must accept to be part of the same area.
    3. On the
      General
      tab, select one of the following from the area
      Type
      drop-down:
      • Normal
        —There are no restrictions; the area can carry all types of routes.
      • Stub
        —There is no outlet from the area. To reach a destination outside of the area, it is necessary to go through the border, which connects to other areas. If you select this option, configure the following:
        • Accept Summary
          —Link state advertisements (LSA) are accepted from other areas. If this option on a stub area Area Border Router (ABR) interface is disabled, the OSPF area will behave as a Totally Stubby Area (TSA) and the ABR will not propagate any summary LSAs.
        • Advertise Default Route
          —Default route LSAs will be included in advertisements to the stub area along with a configured metric value in the configured range 1-255.
      • NSSA
        (Not-So-Stubby Area)—The firewall can only leave the area by routes other than OSPF routes. If selected, configure
        Accept Summary
        and
        Advertise Default Route
        as described for
        Stub
        . If you select this option, configure the following:
        • Type
          —Select either
          Ext 1
          or
          Ext 2
          route type to advertise the default LSA.
        • Ext Ranges
          —Click
          Add
          in the section to enter ranges of external routes that you want to enable or suppress advertising for.
  6. Associate an OSPFv3 authentication profile to an area or an interface.
    To an Area
    1. On the
      Areas
      tab, select an existing area from the table
      .
    2. On the
      General
      tab, select a previously defined
      Authentication Profile
      from the
      Authentication
      drop-down.
    3. Click
      OK
      .
    To an Interface
    1. On the
      Areas
      tab, select an existing area from the table
      .
    2. Select the
      Interface
      tab and click
      Add
      .
    3. Select the authentication profile
      you want to associate with the OSPF interface from the
      Auth Profile
      drop-down.
  7. (
    Optional
    ) Configure Export Rules
    1. On the
      Export
      tab, click
      Add
      .
    2. Select
      Allow Redistribute Default Route
      to permit redistribution of default routes through OSPFv3.
    3. Select the name of a redistribution profile. The value must be an IP subnet or valid redistribution profile name.
    4. Select a metric to apply for
      New Path Type
      .
    5. Specify a
      New Tag
      for the matched route that has a 32-bit value.
    6. Assign a metric for the new rule (range is 1 - 65535).
    7. Click
      OK
      .
  8. Configure Advanced OSPFv3 options.
    1. On the
      Advanced
      tab, select
      Disable Transit Routing for SPF Calculation
      if you want the firewall to participate in OSPF topology distribution without being used to forward transit traffic.
    2. Configure a value for the
      SPF Calculation Delay
      (sec) timer.
      This timer allows you to tune the delay time between receiving new topology information and performing an SPF calculation. Lower values enable faster OSPF re-convergence. Routers peering with the firewall should be tuned in a similar manner to optimize convergence times.
    3. Configure a value for the
      LSA Interval (sec) time
      . This timer specifies the minimum time between transmissions of two instances of the same LSA (same router, same type, same LSA ID). This is equivalent to MinLSInterval in RFC 2328. Lower values can be used to reduce re-convergence times when topology changes occur.

Recommended For You