Configure OSPFv3

OSPF supports both IPv4 and IPv6. You must use OSPFv3 if you are using IPv6.
  1. Configure general virtual router configuration settings.
    See Virtual Routers for details.
  2. Configure general OSPFv3 configuration settings.
    1. Select the
      OSPFv3
      tab.
    2. Select
      Enable
      to enable the OSPF protocol.
    3. Enter the
      Router ID
      .
    4. Select
      Reject Default Route
      if you do not want to learn any default routes through OSPFv3 This is the recommended default setting.
      Clear
      Reject Default Route
      if you want to permit redistribution of default routes through OSPFv3.
  3. Configure Auth Profile for the OSPFv3 protocol.
    While OSPFv3 doesn't include any authentication capabilities of its own, it relies entirely on IPSec to secure communications between neighbors.
    When configuring an authentication profile, you must use Encapsulating Security Payload (ESP) (recommended) or IPv6 Authentication Header (AH).
    ESP OSPFv3 authentication
    1. On the
      Auth Profiles
      tab,
      Add
      a name for the authentication profile to authenticate OSPFv3 messages.
    2. Specify a Security Policy Index (
      SPI
      ) (hexadecimal value in the range from 00000000 to FFFFFFFF). The two ends of the OSPFv3 adjacency must have matching SPI values.
    3. Select
      ESP
      for
      Protocol
      .
    4. Select a
      Crypto Algorithm
      from the drop-down.
      You can select
      None
      or one of the following algorithms:
      SHA1
      ,
      SHA256
      ,
      SHA384
      ,
      SHA512
      , or
      MD5
      .
    5. If a
      Crypto Algorithm
      other than None was selected, enter a value for
      Key
      and then confirm.
    AH OSPFv3 authentication
    1. On the
      Auth Profiles
      tab,
      Add
      a name for the authentication profile to authenticate OSPFv3 messages.
    2. Specify a Security Policy Index (
      SPI
      ). The SPI must match between both ends of the OSPFv3 adjacency. The SPI number must be a hexadecimal value between 00000000 and FFFFFFFF.
    3. Select
      AH
      for
      Protocol
      .
    4. Select a
      Crypto Algorithm
      from the drop-down.
      You must enter one of the following algorithms:
      SHA1
      ,
      SHA256
      ,
      SHA384
      ,
      SHA512
      , or
      MD5
      .
    5. Enter a value for
      Key
      and then confirm.
    6. Click
      OK
      .
    7. Click
      OK
      again in the Virtual Router - OSPF Auth Profile dialog.
  4. Configure Areas - Type for the OSPFv3 protocol.
    1. On the
      Areas
      tab,
      Add
      an
      Area ID
      . This is the identifier that each neighbor must accept to be part of the same area.
    2. On the
      General
      tab, select one of the following from the area
      Type
      drop-down:
      • Normal
        —There are no restrictions; the area can carry all types of routes.
      • Stub
        —There is no outlet from the area. To reach a destination outside of the area, it is necessary to go through the border, which connects to other areas. If you select this option, configure the following:
        • Accept Summary
          —Link state advertisements (LSA) are accepted from other areas. If this option on a stub area Area Border Router (ABR) interface is disabled, the OSPF area will behave as a Totally Stubby Area (TSA) and the ABR will not propagate any summary LSAs.
        • Advertise Default Route
          —Default route LSAs will be included in advertisements to the stub area along with a configured metric value in the configured range 1-255.
      • NSSA
        (Not-So-Stubby Area)—The firewall can leave the area only by routes other than OSPF routes. If selected, configure
        Accept Summary
        and
        Advertise Default Route
        as described for
        Stub
        . If you select this option, configure the following:
        • Type
          —Select either
          Ext 1
          or
          Ext 2
          route type to advertise the default LSA.
        • Ext Ranges
          Add
          ranges of external routes that you want to enable or suppress advertising for.
  5. Associate an OSPFv3 authentication profile to an area or an interface.
    To an Area
    1. On the
      Areas
      tab, select an existing area from the table.
    2. On the
      General
      tab, select a previously defined
      Authentication Profile
      from the
      Authentication
      drop-down.
    3. Click
      OK
      .
    To an Interface
    1. On the
      Areas
      tab, select an existing area from the table.
    2. Select the
      Interface
      tab and
      Add
      the authentication profile you want to associate with the OSPF interface from the
      Auth Profile
      drop-down.
    3. Click
      OK
      .
  6. Click
    OK
    again to save the area settings.
  7. (
    Optional
    ) Configure Export Rules.
    1. On the
      Export Rules
      tab, select
      Allow Redistribute Default Route
      to permit redistribution of default routes through OSPFv3.
    2. Click
      Add
      .
    3. Enter the
      Name
      ; the value must be a valid IPv6 subnet or valid redistribution profile name.
    4. Select
      New Path Type
      ,
      Ext 1
      or
      Ext 2
      .
    5. Specify a
      New Tag
      for the matched route, using has a 32-bit value in dotted-decimal notation.
    6. Assign a
      Metric
      to the new rule (range is 1-16,777,215).
    7. Click
      OK
      .
  8. Configure Advanced OSPFv3 options.
    1. On the
      Advanced
      tab, select
      Disable Transit Routing for SPF Calculation
      if you want the firewall to participate in OSPF topology distribution without being used to forward transit traffic.
    2. Specify a value for the
      SPF Calculation Delay (sec)
      timer, which allows you to tune the delay time (in seconds) between receiving new topology information and performing an SPF calculation. Lower values enable faster OSPF re-convergence. Routers peering with the firewall should use the same delay value to optimize convergence times.
    3. Specify a value for the
      LSA Interval (sec)
      timer, which is the minimum time (in seconds) between transmissions of two instances of the same LSA (same router, same type, same LSA ID). This is equivalent to MinLSInterval in RFC 2328. Lower values can be used to reduce re-convergence times when topology changes occur.
    4. Click
      OK
      .
  9. Commit
    your changes.

Related Documentation