
OSPF (Open Shortest Path First) is a link-state interior gateway protocol (IGP). Each router floods link-state advertisements (LSAs) and builds from them a link-state database (LSDB) describing the topology, from which it computes shortest paths. OSPF runs directly over IP as IP protocol 89.

Requirements for OSPF:

1. Basic understanding of OSPF.

2. Understanding of TCP/IP and routing.

3. The OSPF area information and, if virtual links are needed, the Router ID of the router at the far end of each link.

To configure OSPF:

1. Navigate to Configure>Network>Routing>OSPF.

2. Select Enable.

3. Enter the Router ID in dotted-decimal form (example: 0.0.0.1). It must be unique among the routers in the OSPF domain.

4. Enable Advertise Default Route if the firewall will be the default route for the other OSPF routers.

5. Create the OSPF area(s).

a. Area: Specify the OSPF area ID.

b. Type: Determines which LSA types the firewall accepts and floods in this area.

i. Normal: No restriction.

ii. Stub: No Type 5 AS-external LSAs; external destinations are reached through a default route injected by the ABR.

iii. Stub No Summary: No Type 3, 4, or 5 LSAs except the default summary route (a "totally stubby" area).

iv. NSSA: No Type 5 AS-external LSAs; external routes originated inside the area are carried as Type 7 LSAs and translated to Type 5 at the NSSA ABR.

v. NSSA No Summary: No Type 3, 4, or 5 LSAs except the default summary route; Type 7 LSAs that are translated to Type 5 at the NSSA ABR are allowed.

c. Networks: Select the network(s) on which OSPF will run.

d. Authentication: Enable when the area requires authentication. Every router in the same area must use a matching Key ID and password, or the firewall will discard their OSPF packets and no adjacency will form.

e. Virtual Links: Configure when the firewall is not directly connected to the backbone (area 0). A virtual link carries the adjacency through a transit area to a router that is directly connected to the backbone; the transit area must be a normal area, since virtual links cannot cross stub or NSSA areas. The target router must have a virtual link configured back to this firewall's Router ID.

6. Advanced steps

a. Set the Default Metric and Distance.

b. Configure redistribution if needed.
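Step 5d is the one a practitioner most often has to verify after the fact: whether the OSPF packets on a segment actually carry authentication. The script below is an added example, not code from the GB-OS manual or from GTA. It builds three constructed OSPFv2 Hello packets (AuType 0 null, AuType 1 simple password, AuType 2 cryptographic), parses the 24-byte OSPF header, checks the header checksum, and reports any packet that is unauthenticated or that exposes a clear-text password. The router IDs, area IDs and the password "s3cret" are made up for the demo.

```python
"""Audit OSPFv2 packets for missing or clear-text authentication.

Constructed example: the Hello packets are built by build_hello() below for
the demo; they are not captures from a GB-OS firewall. Uses only the
standard library.
"""
import socket
import struct

# 16-byte fixed part of the header: version, type, length, router ID,
# area ID, checksum, AuType; the 8-byte Authentication field follows it.
OSPF_HDR = struct.Struct("!BBH4s4sHH")
AU_NULL, AU_SIMPLE, AU_CRYPTO = 0, 1, 2
AU_NAMES = {AU_NULL: "null", AU_SIMPLE: "simple-password", AU_CRYPTO: "cryptographic"}


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum over data (odd length is padded with a zero byte)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ospf_checksum(pkt: bytes) -> int:
    """OSPF header checksum covers the packet minus the 8-byte Authentication field."""
    return ones_complement_sum(pkt[:16] + pkt[24:])


def build_hello(router_id: str, area_id: str, au_type: int, auth: bytes = b"") -> bytes:
    """Build a minimal OSPFv2 Hello (type 1) carrying the requested AuType."""
    body = struct.pack(
        "!4sHBBI4s4s",
        socket.inet_aton("255.255.255.0"),  # network mask
        10, 0x02, 1, 40,                    # hello 10 s, options (E bit), priority 1, dead 40 s
        socket.inet_aton("0.0.0.0"),        # designated router
        socket.inet_aton("0.0.0.0"),        # backup designated router
    )
    length = OSPF_HDR.size + 8 + len(body)
    auth = auth.ljust(8, b"\x00")[:8]
    hdr = OSPF_HDR.pack(2, 1, length, socket.inet_aton(router_id),
                        socket.inet_aton(area_id), 0, au_type)
    pkt = hdr + auth + body
    if au_type != AU_CRYPTO:  # with cryptographic auth the checksum field stays zero
        pkt = pkt[:12] + struct.pack("!H", ospf_checksum(pkt)) + pkt[14:]
    return pkt


def parse_header(pkt: bytes) -> dict:
    """Parse the 24-byte OSPFv2 header and decode the Authentication field."""
    if len(pkt) < 24:
        raise ValueError("packet shorter than an OSPFv2 header")
    version, ptype, length, rid, aid, _csum, au_type = OSPF_HDR.unpack_from(pkt)
    if version != 2:
        raise ValueError("not OSPFv2 (version %d)" % version)
    auth = pkt[16:24]
    hdr = {"type": ptype, "router_id": socket.inet_ntoa(rid),
           "area_id": socket.inet_ntoa(aid), "au_type": au_type,
           "au_name": AU_NAMES.get(au_type, "unknown"), "checksum_ok": True}
    if au_type == AU_CRYPTO:
        # Authentication field: 2 reserved bytes, key ID, auth data length, crypto sequence number
        _, key_id, auth_len, seq = struct.unpack("!HBBI", auth)
        hdr.update(key_id=key_id, auth_len=auth_len, crypto_seq=seq)
    else:
        hdr["checksum_ok"] = ospf_checksum(pkt[:length]) == 0
        if au_type == AU_SIMPLE:
            # The "password" is eight bytes of plain text in every packet.
            hdr["password"] = auth.rstrip(b"\x00").decode("ascii", "replace")
    return hdr


def audit(packets) -> list:
    """One finding per packet that is unauthenticated, leaks its password, or is corrupt."""
    findings = []
    for pkt in packets:
        h = parse_header(pkt)
        where = "router %s area %s" % (h["router_id"], h["area_id"])
        if not h["checksum_ok"]:
            findings.append("%s: bad OSPF checksum" % where)
        if h["au_type"] == AU_NULL:
            findings.append("%s: no OSPF authentication (AuType 0)" % where)
        elif h["au_type"] == AU_SIMPLE:
            findings.append("%s: clear-text password %r visible on the wire" % (where, h["password"]))
    return findings


# Constructed sample packets (not real captures): one per authentication type.
SAMPLES = [
    build_hello("0.0.0.1", "0.0.0.0", AU_NULL),
    build_hello("0.0.0.2", "0.0.0.0", AU_SIMPLE, b"s3cret"),
    build_hello("0.0.0.3", "0.0.0.1", AU_CRYPTO, struct.pack("!HBBI", 0, 1, 16, 1234)),
]

if __name__ == "__main__":
    for finding in audit(SAMPLES):
        print(finding)
```

To run this against real traffic, feed audit() the payloads of IP protocol 89 packets from a capture taken on the segment; the same protocol number is what the Automatic Policies entry permits on the firewall. A packet with AuType 2 still deserves a look at its Key ID and crypto sequence number, since a sequence number that never increases indicates a replayed packet.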

Note

For more information on OSPF, one recommended source is IP Routing, 1st Edition by Ravi Malhotra from O’Reilly and Associates.

Figure 3.26: OSPF Setup

Table 3.24: Configuring OSPF

Enable: Enables OSPF on the firewall.

Router ID: Uniquely identifies the firewall/router within the OSPF domain. Must be in dotted-decimal form (example: 0.0.0.1).

Advertise Default Route: Controls whether the firewall advertises itself as the default route to its OSPF neighbors.

Advanced

Automatic Policies: Enables the firewall to generate a set of automatic policies that allow a configured OSPF interface to function. Enabled by default. The policy created permits IP protocol 89 and is viewable in the Monitor>Activity>Security Policies>Automatic section.

Default Metric: The value the routing algorithm uses to rank one route as better than another. When a redistributed route's metric cannot be converted into an OSPF cost, the default metric is substituted so that redistribution can proceed.

Distance: The administrative distance, used to decide which source to trust when the firewall learns routes to the same destination from more than one routing protocol or from static configuration; the lower distance wins.

Redistribute

Metric: The metric assigned to routes when they are redistributed into OSPF.

Connected: If enabled, routes for networks directly assigned to the firewall, such as interfaces and aliases, are advertised.

BGP: If enabled, routes learned via BGP are advertised. Only supported on GB-2000, GB-3000, and GB-Ware.

RIP: If enabled, routes learned via RIP are advertised.

Static: If enabled, routes statically configured on the firewall are advertised.

To edit an existing OSPF interface, select the edit icon. To create a new OSPF interface, select the New icon.

Figure 3.27: OSPF Setup

Table 3.25: Configuring OSPF

Disable: Disables OSPF for the specified area.

Area: Specifies the OSPF area.

Description: A short description to identify the OSPF area.

Type: Determines the behavior of the firewall/router in this area (Normal, Stub, Stub No Summary, NSSA, or NSSA No Summary).

Networks: Selects the network(s) on which OSPF will run.

Advanced

Link Cost: The cost of sending a packet out the interface. The value is placed in the metric field of the router-LSA and used in the SPF calculation; a lower cost is preferred.

Priority: The router priority used in Designated Router election on the network. The router with the highest priority is most eligible to become the Designated Router. Setting the value to 0 makes the firewall ineligible. Default is 1.

Dead Interval: The period (in seconds) without receiving a Hello from a neighbor after which that neighbor is declared down. Must match on all routers on the segment.

Hello Interval: The period (in seconds) between Hello packets. Must match on all routers on the segment.

Retransmit Interval: The period (in seconds) the router waits for an acknowledgement after sending an LSA before retransmitting it.

Transmit Delay: The estimated time (in seconds) to transmit a link-state update out the interface; it is added to the age of each LSA sent. Must be greater than zero.

Authentication

Key ID: Identifier of the pre-shared secret key; must match the Key ID configured on the neighboring routers.

Password: The password required to exchange routing information through OSPF. Once entered, this field is obscured. Select Modify to enter a new password.

Virtual Links

Router ID: The Router ID of the router at the far end of the virtual link (a router directly connected to area 0), in dotted-decimal form (example: 0.0.0.1).

RIP Setup

RIP (Routing Information Protocol) is a distance-vector routing protocol that routers use to exchange routing tables. RIP version 1 is defined by RFC 1058 and version 2 by RFC 2453; both allow a router to broadcast and/or listen for routing information in order to choose a route for each packet. Routers using RIP select the route with the fewest hops, or an alternate path if a route is down. RIP is limited to 15 hops; a route with a metric of 16 is treated as unreachable.

CAUTION

Most smaller networks do not benefit from RIP. Before enabling it, be aware that its periodic full-table broadcasts can reduce performance rather than help a small network, and that accepting routes from RIP sources lets any host on the segment that can send RIP messages redirect the firewall's traffic unless authentication is enforced.

RIP is disabled by default on GB-OS, so routing information that would redirect packets is not accepted from external sources. If RIP is enabled, the firewall can receive and/or broadcast routing information for either RIP version 1 or 2.

To configure RIP version 2:

1. Navigate to Configure>Network>Routing>RIP.

2. Check Enable to allow RIP messages over the RIP interfaces.

3. Enable the Advertise Default Route checkbox if you wish to advertise a default route on any protected network or PSN on which RIP is enabled.

4. Select a RIP interface and click the edit icon to configure it.

5. Select "v2" in the Input field, the Output field, or both, to use version 2 of the protocol.

6. In the Password Type field, select an authentication scheme. <None> requires no password. <Clear> sends the password in plain text inside each RIP message. <MD5> never sends the password; instead each message carries a keyed MD5 digest computed over the message and the shared secret (RFC 2082), so a receiver can check that the sender knows the secret.

7. If you selected <Clear>, enter a password in the text box. If you selected <MD5>, enter the Key ID and the password (the shared secret) that will be used to compute the digest; neighboring routers must be configured with the same Key ID and secret.

8. Configure Redistribution if needed.

CAUTION

A clear-text (plain) password is visible to anyone who can capture traffic on the segment, and whoever captures it can inject routes as a trusted RIP source. GTA does not recommend it; use <MD5> where the neighboring routers support it.
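The difference between the <Clear> and <MD5> options in step 6 is easiest to see on the wire. The script below is an added example, not code from the GB-OS manual or from GTA. It builds two constructed RIPv2 Response messages for the same routes, one with the simple-password entry and one with the RFC 2082 keyed-MD5 authentication entry and trailer, then shows that the secret is readable in the first and absent from the second, and that a receiver checking the digest rejects a message whose metric was altered in transit or whose sequence number was replayed. The key table, Key ID, secret "s3cret" and 10.x routes are made up for the demo.

```python
"""RIPv2 authentication on the wire: <Clear> password vs. keyed MD5 (RFC 2082).

Constructed example: the messages, routes and key are built here for the demo
and are not captured from a GB-OS firewall. Uses only the standard library.
"""
import hashlib
import hmac
import socket
import struct

RIP_RESPONSE, RIP_V2 = 2, 2
AFI_AUTH = 0xFFFF                      # address family that marks an authentication entry
AUTH_TRAILER, AUTH_SIMPLE, AUTH_MD5 = 1, 2, 3
DIGEST_LEN = 16


def route_entry(prefix: str, mask: str, next_hop: str, metric: int) -> bytes:
    """One 20-byte RIPv2 route entry (AFI 2 = IP, route tag 0)."""
    return struct.pack("!HH4s4s4sI", 2, 0, socket.inet_aton(prefix),
                       socket.inet_aton(mask), socket.inet_aton(next_hop), metric)


def build_clear(password: str, routes: list) -> bytes:
    """<Clear>: the password itself is the first 16-byte entry of every message."""
    hdr = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    auth = struct.pack("!HH16s", AFI_AUTH, AUTH_SIMPLE, password.encode())
    return hdr + auth + b"".join(routes)


def _md5_digest(covered: bytes, key: bytes) -> bytes:
    """RFC 2082 digest: MD5 over the message up to and including the trailer
    marker, followed by the secret padded with zeros to 16 bytes."""
    return hashlib.md5(covered + key.ljust(DIGEST_LEN, b"\x00")[:DIGEST_LEN]).digest()


def build_md5(key_id: int, key: bytes, seq: int, routes: list) -> bytes:
    """<MD5>: the secret never leaves the router; the message carries a keyed digest."""
    hdr = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    body = b"".join(routes)
    pkt_len = 4 + 20 + len(body)                  # offset of the authentication trailer
    auth = struct.pack("!HHHBBI8x", AFI_AUTH, AUTH_MD5, pkt_len, key_id, DIGEST_LEN, seq)
    trailer = struct.pack("!HH", AFI_AUTH, AUTH_TRAILER)
    covered = hdr + auth + body + trailer
    return covered + _md5_digest(covered, key)


def verify_md5(pkt: bytes, keys: dict, last_seq: int = -1) -> bool:
    """Receiver-side check: known Key ID, digest matches, sequence number advances."""
    if len(pkt) < 4 + 20 + 4 + DIGEST_LEN:
        return False
    afi, atype, pkt_len, key_id, dlen, seq = struct.unpack("!HHHBBI", pkt[4:16])
    if afi != AFI_AUTH or atype != AUTH_MD5 or dlen != DIGEST_LEN or key_id not in keys:
        return False
    if seq <= last_seq:                           # simplified replay check
        return False
    marker_end = pkt_len + 4
    if pkt[pkt_len:marker_end] != struct.pack("!HH", AFI_AUTH, AUTH_TRAILER):
        return False
    if len(pkt) != marker_end + DIGEST_LEN:
        return False
    expected = _md5_digest(pkt[:marker_end], keys[key_id])
    return hmac.compare_digest(expected, pkt[marker_end:])


# Constructed key table (Key ID -> secret) and routes for the demo.
KEYS = {1: b"s3cret"}
ROUTES = [route_entry("10.1.0.0", "255.255.0.0", "0.0.0.0", 1),
          route_entry("10.2.0.0", "255.255.0.0", "0.0.0.0", 3)]


def demo() -> dict:
    """Compare what a sniffer sees and what a tampered or replayed message gets."""
    clear = build_clear("s3cret", ROUTES)
    signed = build_md5(1, KEYS[1], 1000, ROUTES)
    # Flip the low byte of the first route's metric (offset 4 + 20 + 16 + 3).
    tampered = signed[:43] + bytes([signed[43] ^ 0x0F]) + signed[44:]
    return {
        "password_in_clear": b"s3cret" in clear,
        "secret_in_md5": b"s3cret" in signed,
        "valid": verify_md5(signed, KEYS),
        "tampered_valid": verify_md5(tampered, KEYS),
        "replay_valid": verify_md5(signed, KEYS, last_seq=1000),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-18s %s" % (name, value))
```

Note what MD5 mode does and does not give you: the digest authenticates the sender and detects modification, but the route entries themselves are still sent in the clear, and the strength of the protection is the strength of the shared secret, so use a long random secret and rotate it with the Key ID rather than a short word like the demo's.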

Figure 3.28: RIP Setup

Table 3.26: Configuring RIP

Disable: Disables the RIP interface.

Interface: The interface for which RIP is being configured.


Input/Output: Controls how RIP is used on the interface. Input determines which version of RIP, if any, is accepted from other routers; Output determines which version, if any, is exported or broadcast. The choices are:

<V1>: Version 1 RIP is accepted or exported.

<V2>: Version 2 RIP is accepted or exported.

<Both>: Both version 1 and version 2 are used.

Note that RIP version 1 has no authentication, so accepting <V1> or <Both> on input means unauthenticated routing updates are accepted on that interface.

Password Type: The authentication type for RIPv2 messages: None, Clear, or MD5. Selecting Clear or MD5 enables the password field. This only applies to RIPv2.

Password: The password required to exchange routing information through RIPv2.

Key ID: Pre-shared secret key ID. This only applies to RIPv2 when MD5 authentication is used.

Advanced

Automatic Policies: Enables the firewall to generate an automatic set of policies that allow the configured RIP interface settings to function. Selected by default.

Default Metric: The value the routing algorithm uses to rank one route as better than another.

RIP Timers

Update: The interval at which RIP sends its complete routing table to all neighboring RIP routers. The standard (RFC 2453) value is 30 seconds.

Timeout: When the timeout expires, the route is no longer valid. It is retained in the routing table for a short time so neighbors can be notified that the route has been dropped. The standard value is 180 seconds.

Garbage: When the garbage-collection timer expires, the route is completely removed from the routing table. The standard value is 120 seconds.
