Configure OSPF

OSPF determines routes dynamically by obtaining information from other routers and advertising routes to other routers by way of Link State Advertisements (LSAs). The router keeps information about the links between it and the destination and can make highly efficient routing decisions. A cost is assigned to each router interface, and the best routes are determined to be those with the lowest costs, when summed over all the encountered outbound router interfaces and the interface receiving the LSA.
Hierarchical techniques are used to limit the number of routes that must be advertised and the associated LSAs. Because OSPF dynamically processes a considerable amount of route information, it has greater processor and memory requirements than does RIP.
  1. Configure general virtual router configuration settings.
    See Virtual Routers for details.
  2. Enable OSPF.
    1. Select the
      OSPF
      tab.
    2. Select
      Enable
      to enable the OSPF protocol.
    3. Enter the
      Router ID
      .
    4. Select
      Reject Default Route
      if you do not want to learn any default routes through OSPF. This is the recommended, default setting.
      Clear
      Reject Default Route
      if you want to permit redistribution of default routes through OSPF.
  3. Configure Areas - Type for the OSPF protocol.
    1. On the
      Areas
      tab,
      Add
      an
      Area ID
      for the area in
      x.x.x.x
      format. This is the identifier that each neighbor must accept to be part of the same area.
    2. On the
      Type
      tab, select one of the following from the area
      Type
      list:
      • Normal
        —There are no restrictions; the area can carry all types of routes.
      • Stub
        —There is no outlet from the area. To reach a destination outside of the area, it is necessary to go through the border, which connects to other areas. If you select this option, configure the following:
        • Accept Summary
          —Link state advertisements (LSA) are accepted from other areas. If this option on a stub area Area Border Router (ABR) interface is disabled, the OSPF area will behave as a Totally Stubby Area (TSA) and the ABR will not propagate any summary LSAs.
        • Advertise Default Route
          —Default route LSAs will be included in advertisements to the stub area along with a configured metric value in the configured range 1-255.
      • NSSA
        (Not-So-Stubby Area)—The firewall can leave the area only by routes other than OSPF routes. If you select NSSA, select
        Accept Summary
        and
        Advertise Default Route
        as described for
        Stub
        . If you select this option, configure the following:
        • Type
          —Select either
          Ext 1
          or
          Ext 2
          route type to advertise the default LSA.
        • Ext Ranges
          Add
          ranges of external routes that you want to
          Advertise
          or for which you want to
          Suppress
          advertising.
    3. Click
      OK
      .
  4. Configure Areas - Range for the OSPF protocol
    1. On the
      Range
      tab,
      Add
      aggregate LSA destination addresses in the area into subnets.
    2. Advertise
      or
      Suppress
      advertising LSAs that match the subnet, and click
      OK
      . Repeat to add additional ranges.
  5. Configure Areas - Interfaces for the OSPF protocol
    1. On the
      Interface
      tab,
      Add
      the following information for each interface to be included in the area:
      • Interface
        —Select an interface.
      • Enable
        —Selecting this option causes the OSPF interface settings to take effect.
      • Passive
        —Select if you do not want the OSPF interface to send or receive OSPF packets. Although OSPF packets are not sent or received if you choose this option, the interface is included in the LSA database.
      • Link type
        —Choose
        Broadcast
        if you want all neighbors that are accessible through the interface to be discovered automatically by multicasting OSPF hello messages, such as an Ethernet interface. Choose
        p2p
        (point-to-point) to automatically discover the neighbor. Choose
        p2mp
        (point-to-multipoint) when neighbors must be defined manually and
        Add
        the neighbor IP addresses for all neighbors that are reachable through this interface.
      • Metric
        —Enter an OSPF metric for this interface (range is 0-65,535; default is 10).
      • Priority
        —Enter an OSPF priority for this interface. This is the priority for the router to be elected as a designated router (DR) or as a backup DR (BDR) (range is 0-255; default is 1). If zero is configured, the router will not be elected as a DR or BDR.
      • Auth Profile
        —Select a previously-defined authentication profile.
      • Timing
        —Modify the timing settings if desired (
        not recommended
        ). For details on these settings, refer to the online help.
    2. Click
      OK
      .
  6. Configure Areas - Virtual Links.
    1. On the
      Virtual Link
      tab,
      Add
      the following information for each virtual link to be included in the backbone area:
      • Name
        —Enter a name for the virtual link.
      • Enable
        —Select to enable the virtual link.
      • Neighbor ID
        —Enter the router ID of the router (neighbor) on the other side of the virtual link.
      • Transit Area
        —Enter the area ID of the transit area that physically contains the virtual link.
      • Timing
        —It is recommended that you keep the default timing settings.
      • Auth Profile
        —Select a previously-defined authentication profile.
    2. Click
      OK
      to save virtual links.
    3. Click
      OK
      to save area.
  7. (
    Optional
    ) Configure Auth Profiles.
    By default, the firewall does not use OSPF authentication for the exchange between OSPF neighbors. Optionally, you can configure OSPF authentication between OSPF neighbors by either a simple password or using MD5 authentication. MD5 authentication is recommended; it is more secure than a simple password.
    Simple Password OSPF authentication
    1. Select the
      Auth Profiles
      tab and
      Add
      a name for the authentication profile to authenticate OSPF messages.
    2. Select
      Simple Password
      as the
      Password Type
      .
    3. Enter a simple password and then confirm.
    MD5 OSPF authentication
    1. Select the
      Auth Profiles
      tab and
      Add
      a name for the authentication profile to authenticate OSPF messages.
    2. Select
      MD5
      as the
      Password Type
      and
      Add
      one or more password entries, including:
      • Key-ID (range is 0-255)
      • Key
      • Select the
        Preferred
        option to specify that the key be used to authenticate outgoing messages.
    3. Click
      OK
      .
  8. Configure Advanced OSPF options.
    1. On the
      Advanced
      tab, select
      RFC 1583 Compatibility
      to ensure compatibility with RFC 1583.
    2. Specify a value for the
      SPF Calculation Delay (sec)
      timer, which allows you to tune the delay time (in seconds) between receiving new topology information and performing an SPF calculation. Lower values enable faster OSPF re-convergence. Routers peering with the firewall should use the same delay value to optimize convergence times.
    3. Specify a value for the
      LSA Interval (sec)
      timer, which is the minimum time between transmissions of two instances of the same LSA (same router, same type, same LSA ID). This is equivalent to MinLSInterval in RFC 2328. Lower values can be used to reduce re-convergence times when topology changes occur.
    4. Click
      OK
      .
  9. Commit
    your changes.

Related Documentation