Configure OSPF

OSPF determines routes dynamically by obtaining information from other routers and advertising routes to other routers by way of Link State Advertisements (LSAs). The router keeps information about the links between it and the destination and can make highly efficient routing decisions. A cost is assigned to each router interface, and the best routes are determined to be those with the lowest costs, when summed over all the encountered outbound router interfaces and the interface receiving the LSA.
Hierarchical techniques are used to limit the number of routes that must be advertised and the associated LSAs. Because OSPF dynamically processes a considerable amount of route information, it has greater processor and memory requirements than does RIP.
  1. Configure general virtual router configuration settings.
    See Virtual Routers for details.
  2. Enable OSPF.
    1. Select the OSPF tab.
    2. Select Enable to enable the OSPF protocol.
    3. Enter the Router ID.
    4. Select Reject Default Route if you do not want to learn any default routes through OSPF. This is the recommended, default setting.
      Clear Reject Default Route if you want to permit redistribution of default routes through OSPF.
  3. Configure Areas - Type for the OSPF protocol.
    1. On the Areas tab, Add an Area ID for the area in x.x.x.x format. This is the identifier that each neighbor must accept to be part of the same area.
    2. On the Type tab, select one of the following from the area Type list:
      • Normal—There are no restrictions; the area can carry all types of routes.
      • Stub—There is no outlet from the area. To reach a destination outside of the area, it is necessary to go through the border, which connects to other areas. If you select this option, configure the following:
        • Accept Summary—Link state advertisements (LSA) are accepted from other areas. If this option on a stub area Area Border Router (ABR) interface is disabled, the OSPF area will behave as a Totally Stubby Area (TSA) and the ABR will not propagate any summary LSAs.
        • Advertise Default Route—Default route LSAs will be included in advertisements to the stub area along with a configured metric value in the configured range 1-255.
      • NSSA (Not-So-Stubby Area)—The firewall can leave the area only by routes other than OSPF routes. If you select NSSA, select Accept Summary and Advertise Default Route as described for Stub. If you select this option, configure the following:
        • Type—Select either Ext 1 or Ext 2 route type to advertise the default LSA.
        • Ext RangesAdd ranges of external routes that you want to Advertise or for which you want to Suppress advertising.
    3. Click OK.
  4. Configure Areas - Range for the OSPF protocol
    1. On the Range tab, Add aggregate LSA destination addresses in the area into subnets.
    2. Advertise or Suppress advertising LSAs that match the subnet, and click OK. Repeat to add additional ranges.
  5. Configure Areas - Interfaces for the OSPF protocol
    1. On the Interface tab, Add the following information for each interface to be included in the area:
      • Interface—Select an interface.
      • Enable—Selecting this option causes the OSPF interface settings to take effect.
      • Passive—Select if you do not want the OSPF interface to send or receive OSPF packets. Although OSPF packets are not sent or received if you choose this option, the interface is included in the LSA database.
      • Link type—Choose Broadcast if you want all neighbors that are accessible through the interface to be discovered automatically by multicasting OSPF hello messages, such as an Ethernet interface. Choose p2p (point-to-point) to automatically discover the neighbor. Choose p2mp (point-to-multipoint) when neighbors must be defined manually and Add the neighbor IP addresses for all neighbors that are reachable through this interface.
      • Metric—Enter an OSPF metric for this interface (range is 0-65,535; default is 10).
      • Priority—Enter an OSPF priority for this interface. This is the priority for the router to be elected as a designated router (DR) or as a backup DR (BDR) (range is 0-255; default is 1). If zero is configured, the router will not be elected as a DR or BDR.
      • Auth Profile—Select a previously-defined authentication profile.
      • Timing—Modify the timing settings if desired (not recommended). For details on these settings, refer to the online help.
    2. Click OK.
  6. Configure Areas - Virtual Links.
    1. On the Virtual Link tab, Add the following information for each virtual link to be included in the backbone area:
      • Name—Enter a name for the virtual link.
      • Enable—Select to enable the virtual link.
      • Neighbor ID—Enter the router ID of the router (neighbor) on the other side of the virtual link.
      • Transit Area—Enter the area ID of the transit area that physically contains the virtual link.
      • Timing—It is recommended that you keep the default timing settings.
      • Auth Profile—Select a previously-defined authentication profile.
    2. Click OK to save virtual links.
    3. Click OK to save area.
  7. (Optional) Configure Auth Profiles.
    By default, the firewall does not use OSPF authentication for the exchange between OSPF neighbors. Optionally, you can configure OSPF authentication between OSPF neighbors by either a simple password or using MD5 authentication. MD5 authentication is recommended; it is more secure than a simple password.
    Simple Password OSPF authentication
    1. Select the Auth Profiles tab and Add a name for the authentication profile to authenticate OSPF messages.
    2. Select Simple Password as the Password Type.
    3. Enter a simple password and then confirm.
    MD5 OSPF authentication
    1. Select the Auth Profiles tab and Add a name for the authentication profile to authenticate OSPF messages.
    2. Select MD5 as the Password Type and Add one or more password entries, including:
      • Key-ID (range is 0-255)
      • Key
      • Select the Preferred option to specify that the key be used to authenticate outgoing messages.
    3. Click OK.
  8. Configure Advanced OSPF options.
    1. On the Advanced tab, select RFC 1583 Compatibility to ensure compatibility with RFC 1583.
    2. Specify a value for the SPF Calculation Delay (sec) timer, which allows you to tune the delay time (in seconds) between receiving new topology information and performing an SPF calculation. Lower values enable faster OSPF re-convergence. Routers peering with the firewall should use the same delay value to optimize convergence times.
    3. Specify a value for the LSA Interval (sec) timer, which is the minimum time between transmissions of two instances of the same LSA (same router, same type, same LSA ID). This is equivalent to MinLSInterval in RFC 2328. Lower values can be used to reduce re-convergence times when topology changes occur.
    4. Click OK.
  9. Commit your changes.

Related Documentation