Table Of Contents
Configuring Dynamic And Static Routing
Configuring Dynamic Routing
Configuring BGP Stub Routing
BGP Stub Routing Limitations
Configuring BGP Stub Routing
BGP (field information)
Configuring OSPF
Setup
Filtering
Interface
Redistribution
Static Neighbor
Summary Address
Virtual Link
Configuring RIP
Setup
Interface
Configuring EIGRP
Configuring EIGRP
Field Information for the EIGRP Panes
Configuring Static Routes
Overview
Static Routes Pane
Add/Edit Static Route
Monitoring Static Routes
Configuring an ASR Group
Configuring Route Health Injection
RHI Guidelines
Add/Edit Route Injection Entry
Configuring Proxy ARPs
Configuring Dynamic And Static Routing
To configure static routes and dynamic routing protocols, go to the Configuration > Device Setup > Routing area of the ASDM interface.
You can configure up to two OSPF, one EIGRP, and one RIP routing process on the FWSM at the same time. Dynamic routing is only available on FWSMs in routed firewall mode; you cannot configure dynamic routing protocols on a FWSM in transparent firewall mode.
You can configure static routes on FWSMs in either routed or transparent firewall mode. You can use the static route tracking feature to have the FWSM use a backup static route if a primary static route becomes unavailable.
This section contains the following topics:
• Configuring Dynamic Routing
• Configuring Static Routes
• Configuring an ASR Group
• Configuring Route Health Injection
• Configuring Proxy ARPs
Configuring Dynamic Routing
This section contains the following topics:
• Configuring BGP Stub Routing
• Configuring OSPF
• Configuring RIP
• Configuring EIGRP
Configuring BGP Stub Routing
The FWSM supports BGP stub routing. The BGP stub routing process advertises static and directly connected routes. See the following topics for more information:
• BGP Stub Routing Limitations
• Configuring BGP Stub Routing
• BGP (field information)
For information about monitoring the BGP routing process, see the "Monitoring BGP" section on page 31-1.
BGP Stub Routing Limitations
The following limitations apply to configuring BGP stub routing on the FWSM:
• You can only configure one BGP routing process, even in multiple context mode.
• You can only configure one BGP neighbor.
• The FWSM does not process UPDATE messages received from the BGP neighbor. It can only send routing updates to the BGP neighbor.
• You cannot redistribute routes discovered by other routing processes into the BGP routing process.
• BGP stub does not support IPv6, VPN, or NLRI multicast.
• Only iBGP is supported; eBGP is not supported.
Configuring BGP Stub Routing
Before configuring BGP stub routing on the FWSM:
• You must enable route reflector on the BGP neighbor. Refer to the documentation of the BGP neighbor for more information about configuring this option.
• If the FWSM is in multiple context mode, you must be in the admin context to configure BGP stub routing. Additionally, the admin context must be in routed mode.
To enable and configure a BGP routing process, perform the following steps:
Step 1: Navigate to Configuration > Routing > Dynamic Routing > BGP. If you are in multiple context mode, you must be in the admin context to configure BGP stub routing.
Step 2: Enable the BGP routing process by checking the Enable BGP Routing check box.
Step 3: Assign an autonomous system number to the FWSM in the Router AS field. The autonomous system number must be the same as the AS number of the BGP peer. Valid values are from 1 to 65535.
Step 4: (Optional) Enter a router ID for the FWSM in the Router ID field. The router ID can be any IP address, including an IP address that is not configured on the FWSM. If you do not enter a router ID, the highest IP address configured on the FWSM is used.
Step 5: Specify the BGP neighbor that BGP updates are sent to by performing the following steps:
  a. Enter the IP address of the BGP neighbor in the Neighbor Address field.
  b. Enter the autonomous system number of the BGP neighbor in the Remote AS field. Valid values are from 1 to 65535.
  c. (Optional) Enter a password used to authenticate the BGP message to the neighbor in the Password field. Reenter the same password in the Confirm Password field.
     This password must be set on both the neighbor and the FWSM before BGP messages can be exchanged. The password can contain numbers, letters, and any of the following symbols:
     ` ~ ! @ # $ % ^ & * ( ) - _ = + | \ } ] { [ " ` : ; / > < . , ?
     The password cannot contain spaces.
Step 6: (Optional) Select the authentication mode from the Mode list. If you select a mode, the BGP neighbor must support the mode option and have it set to the same value.
Step 7: Specify which of the static and directly connected networks the BGP routing process advertises. Perform the following steps for each network you want to advertise. You can configure up to 200 networks on the FWSM.
  a. Type the network address in the IP Network field.
  b. Type or select the network mask from the Netmask field.
  c. Click Add to add the network to the BGP Networks list.
  d. (Optional) To remove a configured network from the BGP Networks list, select the network and click Delete.
Step 8: Click Apply to save your changes to the FWSM.
BGP (field information)
The BGP pane lets you enable and configure a BGP routing process. You can only enable a single BGP routing process on the device at a time.
Fields
BGP Routing Parameters
• Enable BGP Routing—Check this check box to enable the BGP routing process. Uncheck this check box to disable the BGP routing process.
• Router AS—The autonomous system number of the FWSM.
• Router ID—The router ID of the FWSM. The router ID is entered in IP address format. Any valid IP address can be used, even an address that is not locally configured on the FWSM. If not entered, the router ID is set to the highest IP address configured on the FWSM.
BGP Neighbor—The BGP Neighbor area lets you define the BGP neighbor that the BGP routing updates are sent to.
• Neighbor Address—The IP address of the BGP neighbor.
• Remote AS—The autonomous system number of the BGP neighbor.
• Password—Type a password used for MD5 authentication of the BGP messages. The BGP neighbor must be configured with the same password.
• Mode—Select the password mode from the list.
• Confirm Password—Re-type your password.
BGP Networks—The BGP Networks area lets you define the networks the BGP routing process can advertise.
• BGP Networks—Displays the networks that the BGP routing process can advertise.
• IP Network—Enter a network address.
• Netmask—The mask to apply to the IP Network. You can select a standard network mask from the list or type the mask in the field.
• Add—Click to add the defined network to the BGP Networks table.
• Delete—Click to delete the selected network from the BGP Networks table.
Modes
| Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System) |
| • | — | • | — | — |
For More Information
Configuring BGP Stub Routing
Monitoring BGP, page 31-1
Configuring OSPF
OSPF is an interior gateway routing protocol that uses link states rather than distance vectors for path selection. OSPF propagates link-state advertisements rather than routing table updates. Because only LSAs are exchanged instead of the entire routing tables, OSPF networks converge more quickly than RIP networks.
OSPF supports MD5 and clear text neighbor authentication. Authentication should be used with all routing protocols when possible because route redistribution between OSPF and other protocols (like RIP) can potentially be used by attackers to subvert routing information.
If NAT is used, if OSPF is operating on public and private areas, and if address filtering is required, then you need to run two OSPF processes—one process for the public areas and one for the private areas.
A router that has interfaces in multiple areas is called an Area Border Router (ABR). A router that acts as a gateway to redistribute traffic between routers using OSPF and routers using other routing protocols is called an Autonomous System Boundary Router (ASBR).
An ABR uses LSAs to send information about available routes to other OSPF routers. Using ABR type 3 LSA filtering, you can have separate private and public areas with the FWSM acting as an ABR. Type 3 LSAs (inter-area routes) can be filtered from one area to another. This lets you use NAT and OSPF together without advertising private networks.
Note
Only type 3 LSAs can be filtered. If you configure the FWSM as an ASBR in a private network, it will send type 5 LSAs describing private networks, which will get flooded to the entire AS including public areas.
If NAT is employed but OSPF is only running in public areas, then routes to public networks can be redistributed inside the private network, either as default or type 5 AS External LSAs. However, you need to configure static routes for the private networks protected by the FWSM. Also, you should not mix public and private networks on the same FWSM interface.
You can have two OSPF routing processes, one RIP routing process, and one EIGRP routing process running on the FWSM at the same time.
For more information about enabling and configuring OSPF, see the following:
• Setup
• Filtering
• Interface
• Redistribution
• Static Neighbor
• Summary Address
• Virtual Link
Setup
The Setup pane lets you enable OSPF processes, configure OSPF areas and networks, and define OSPF route summarization.
For more information about configuring these areas, see the following:
• Setup > Process Instances Tab
• Setup > Area/Networks Tab
• Setup > Route Summarization Tab
Modes
The following table shows the modes in which this feature is available:
| Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System) |
| • | — | • | — | — |
Setup > Process Instances Tab
You can enable up to two OSPF process instances. Each OSPF process has its own associated areas and networks.
Fields
• OSPF Process 1 and 2 areas—Each area contains the settings for a specific OSPF process.
• Enable this OSPF Process—Check the check box to enable an OSPF process. Uncheck this check box to remove the OSPF process.
• OSPF Process ID—Enter a unique numeric identifier for the OSPF process. This process ID is used internally and does not need to match the OSPF process ID on any other OSPF devices. Valid values are from 1 to 65535.
• Advanced—Opens the Edit OSPF Process Advanced Properties dialog box, where you can configure the Router ID, Adjacency Changes, Administrative Route Distances, Timers, and Default Information Originate settings. See Edit OSPF Process Advanced Properties for more information.
Modes
The following table shows the modes in which this feature is available:
| Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System) |
| • | — | • | — | — |
Edit OSPF Process Advanced Properties
You can edit process-specific settings, such as the Router ID, Adjacency Changes, Administrative Route Distances, Timers, and Default Information Originate settings, in the Edit OSPF Process Advanced Properties dialog box.
Fields
• OSPF Process—Displays the OSPF process you are configuring. You cannot change this value.
• Router ID—To use a fixed router ID, enter a router ID in IP address format in the Router ID field. If you leave this value blank, the highest-level IP address on the FWSM is used as the router ID.
• Ignore LSA MOSPF—Check this check box to suppress the sending of system log messages when the FWSM receives type 6 (MOSPF) LSA packets. This setting is unchecked by default.
• RFC 1583 Compatible—Check this check box to calculate summary route costs per RFC 1583. Uncheck this check box to calculate summary route costs per RFC 2328. To minimize the chance of routing loops, all OSPF devices in an OSPF routing domain should have RFC compatibility set identically. This setting is selected by default.
• Adjacency Changes—Contains settings that define the adjacency changes that cause system log messages to be sent.
  – Log Adjacency Changes—Check this check box to cause the FWSM to send a system log message whenever an OSPF neighbor goes up or down. This setting is selected by default.
  – Log Adjacency Changes Detail—Check this check box to cause the FWSM to send a system log message whenever any state change occurs, not just when a neighbor goes up or down. This setting is unchecked by default.
• Administrative Route Distances—Contains the settings for the administrative distances of routes based on the route type.
  – Inter Area—Sets the administrative distance for all routes from one area to another. Valid values range from 1 to 255. The default value is 100.
  – Intra Area—Sets the administrative distance for all routes within an area. Valid values range from 1 to 255. The default value is 100.
  – External—Sets the administrative distance for all routes from other routing domains that are learned through redistribution. Valid values range from 1 to 255. The default value is 100.
• Timers—Contains the settings used to configure LSA pacing and SPF calculation timers.
  – SPF Delay Time—Specifies the time between when OSPF receives a topology change and when the SPF calculation starts. Valid values range from 0 to 65535. The default value is 5.
  – SPF Hold Time—Specifies the hold time between consecutive SPF calculations. Valid values range from 1 to 65534. The default value is 10.
  – LSA Group Pacing—Specifies the interval at which LSAs are collected into a group and refreshed, checksummed, or aged. Valid values range from 10 to 1800. The default value is 240.
• Default Information Originate—Contains the settings used by an ASBR to generate a default external route into an OSPF routing domain.
  – Enable Default Information Originate—Check this check box to enable the generation of the default route into the OSPF routing domain.
  – Always advertise the default route—Check this check box to always advertise the default route. This option is unchecked by default.
  – Metric Value—Specifies the OSPF default metric. Valid values range from 0 to 16777214. The default value is 1.
  – Metric Type—Specifies the external link type associated with the default route advertised into the OSPF routing domain. Valid values are 1 or 2, indicating a Type 1 or a Type 2 external route. The default value is 2.
  – Route Map—(Optional) The name of the route map to apply. The routing process generates the default route if the route map is satisfied.
Modes
The following table shows the modes in which this feature is available:
| Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System) |
| • | — | • | — | — |
Setup > Area/Networks Tab
The Area/Networks tab displays the areas, and the networks they contain, for each OSPF process on the FWSM.
Fields
• Area/Networks—Displays information about the areas and the area networks configured for each OSPF process. Double-clicking a row in the table opens the Add/Edit OSPF Area dialog box for the selected area.
  – OSPF Process—Displays the OSPF process the area applies to.
  – Area ID—Displays the area ID.
  – Area Type—Displays the area type. The area type is one of the following values: Normal, Stub, NSSA.
  – Networks—Displays the area networks.
  – Authentication—Displays the type of authentication set for the area. The authentication type is one of the following values: None, Password, MD5.
  – Options—Displays any options set for the area type.
  – Cost—Displays the default cost for the area.
• Add—Opens the Add/Edit OSPF Area dialog box. Use this button to add a new area configuration.
• Edit—Opens the Add/Edit OSPF Area dialog box. Use this button to change the parameters of the selected area.
• Delete—Removes the selected area from the configuration.
Modes
The following table shows the modes in which this feature is available:
| Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System) |
| • | — | • | — | — |
Add/Edit OSPF Area
You define area parameters, the networks contained by the area, and the OSPF process associated with the area in the Add/Edit OSPF Area dialog box.
Fields
• OSPF Process—When adding a new area, choose the OSPF process ID for the OSPF process for which the area is being added. If there is only one OSPF process enabled on the FWSM, then that process is selected by default. When editing an existing area, you cannot change the OSPF process ID.
• Area ID—When adding a new area, enter the area ID. You can specify the area ID as either a decimal number or an IP address. Valid decimal values range from 0 to 4294967295. You cannot change the area ID when editing an existing area.
• Area Type—Contains the settings for the type of area being configured.
  – Normal—Choose this option to make the area a standard OSPF area. This option is selected by default when you first create an area.
  – Stub—Choosing this option makes the area a stub area. Stub areas do not have any routers or areas beyond them. Stub areas prevent AS External LSAs (type 5 LSAs) from being flooded into the stub area. When you create a stub area, you have the option of preventing summary LSAs (type 3 and 4) from being flooded into the area by unchecking the Summary check box.
  – Summary—When the area being defined is a stub area, unchecking this check box prevents LSAs from being sent into the stub area. This check box is selected by default for stub areas.
  – NSSA—Choose this option to make the area a not-so-stubby area. NSSAs accept type 7 LSAs. When you create a NSSA, you have the option of preventing summary LSAs from being flooded into the area by unchecking the Summary check box. You can also disable route redistribution by unchecking the Redistribute check box and enabling Default Information Originate.
  – Redistribute—Uncheck this check box to prevent routes from being imported into the NSSA. This check box is selected by default.
  – Summary—When the area being defined is a NSSA, unchecking this check box prevents LSAs from being sent into the stub area. This check box is selected by default for NSSAs.
  – Default Information Originate—Check this check box to generate a type 7 default into the NSSA. This check box is unchecked by default.
  – Metric Value—Specifies the OSPF metric value for the default route. Valid values range from 0 to 16777214. The default value is 1.
  – Metric Type—The OSPF metric type for the default route. The choices are 1 (type 1) or 2 (type 2). The default value is 2.
• Area Networks—Contains the settings for defining an OSPF area.
  – Enter IP Address and Mask—Contains the settings used to define the networks in the area.
    IP Address—Enter the IP address of the network or host to be added to the area. Use 0.0.0.0 with a netmask of 0.0.0.0 to create the default area. You can only use 0.0.0.0 in one area.
    Netmask—Choose the network mask for the IP address or host to be added to the area. If adding a host, choose the 255.255.255.255 mask.
  – Add—Adds the network defined in the Enter IP Address and Mask area to the area. The added network appears in the Area Networks table.
  – Delete—Deletes the selected network from the Area Networks table.
  – Area Networks—Displays the networks defined for the area.
    IP Address—Displays the IP address of the network.
    Netmask—Displays the network mask for the network.
• Authentication—Contains the settings for OSPF area authentication.
  – None—Choose this option to disable OSPF area authentication. This is the default setting.
  – Password—Choose this option to use a clear text password for area authentication. This option is not recommended where security is a concern.
  – MD5—Choose this option to use MD5 authentication.
• Default Cost—Specify a default cost for the area. Valid values range from 0 to 65535. The default value is 1.
Modes
The following table shows the modes in which this feature is available:
| Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System) |
| • | — | • | — | — |
Setup > Route Summarization Tab
In OSPF, an ABR will advertise networks in one area into another area. If the network numbers in an area are assigned in a way such that they are contiguous, you can configure the ABR to advertise a summary route that covers all the individual networks within the area that fall into the specified range. To define summary address for external routes being redistributed into an OSPF area, see Summary Address.
Fields
• Route Summarization—Displays information about route summaries defined on the FWSM. Double-clicking a row in the table opens the Add/Edit Route Summarization dialog box for the selected route summary.
  – OSPF Process—Displays the OSPF process ID for the OSPF process associated with the route summary.
  – Area ID—Displays the area associated with the route summary.
  – IP Address—Displays the summary address.
  – Network Mask—Displays the summary mask.
  – Advertise—Displays "yes" when the route summaries are advertised when they match the address/mask pair or "no" when route summaries are suppressed when they match the address/mask pair.
• Add—Opens the Add/Edit Route Summarization dialog box. Use this button to define a new route summarization.
• Edit—Opens the Add/Edit Route Summarization dialog box. Use this button to change the parameters of the selected route summarization.
• Delete—Removes the selected route summarization from the configuration.
Modes
The following table shows the modes in which this feature is available:
| Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System) |
| • | — | • | — | — |
Add/Edit Route Summarization
Use the Add Route Summarization dialog box to add a new entry to the Route Summarization table. Use the Edit Route Summarization dialog box to change an existing entry.
Fields
• OSPF Process—Choose the OSPF process the route summary applies to. You cannot change this value when editing an existing route summary entry.
• Area ID—Choose the area ID the route summary applies to. You cannot change this value when editing an existing route summary entry.
• IP Address—Enter the network address for the routes being summarized.
• Network Mask—Choose one of the common network masks from the list or type the mask in the field.
• Advertise—Check this check box to set the address range status to "advertise". This causes type 3 summary LSAs to be generated. Uncheck this check box to suppress the type 3 summary LSA for the specified networks. This check box is checked by default.
Modes
The following table shows the modes in which this feature is available:
| Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System) |
| • | — | • | — | — |
Filtering
The Filtering pane displays the ABR type 3 LSA filters that have been configured for each OSPF process.
ABR type 3 LSA filters allow only specified prefixes to be sent from one area to another area and restrict all other prefixes. This type of area filtering can be applied out of a specific OSPF area, into a specific OSPF area, or into and out of the same OSPF areas at the same time.
Benefits
OSPF ABR type 3 LSA filtering improves your control of route distribution between OSPF areas.
Restrictions
Only type 3 LSAs that originate from an ABR are filtered.
Fields
The Filtering table displays the following information. Double-clicking a table entry opens the Add/Edit Filtering Entry dialog box for the selected entry.
• OSPF Process—Displays the OSPF process associated with the filter entry.
• Area ID—Displays the ID of the area associated with the filter entry.
• Filtered Network—Displays the network address being filtered.
• Traffic Direction—Displays "Inbound" if the filter entry applies to LSAs coming in to an OSPF area or "Outbound" if it applies to LSAs coming out of an OSPF area.
• Sequence #—Displays the sequence number for the filter entry. When multiple filters apply to an LSA, the filter with the lowest sequence number is used.
• Action—Displays "Permit" if LSAs matching the filter are allowed or "Deny" if LSAs matching the filter are denied.
• Lower Range—Displays the minimum prefix length to be matched.
• Upper Range—Displays the maximum prefix length to be matched.
You can perform the following actions on entries in the Filtering table:
• Add—Opens the Add/Edit Filtering Entry dialog box for adding a new entry to the Filter table.
• Edit—Opens the Add/Edit Filtering Entry dialog box for modifying the selected filter.
• Delete—Removes the selected filter from the Filter table.
Modes
The following table shows the modes in which this feature is available:
| Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System) |
| • | — | • | — | — |
Add/Edit Filtering Entry
The Add/Edit Filtering Entry dialog box lets you add new filters to the Filter table or to modify an existing filter. Some of the filter information cannot be changed when you edit an existing filter.
Fields
• OSPF Process—Choose the OSPF process associated with the filter entry. If you are editing an existing filter entry, you cannot modify this setting.
• Area ID—Choose the ID of the area associated with the filter entry. If you are editing an existing filter entry, you cannot modify this setting.
• Filtered Network—Enter the address and mask of the network being filtered using CIDR notation (a.b.c.d/m).
• Traffic Direction—Choose the traffic direction being filtered. Choose "Inbound" to filter LSAs coming into an OSPF area or "Outbound" to filter LSAs coming out of an OSPF area. If you are editing an existing filter entry, you cannot modify this setting.
• Sequence #—Enter a sequence number for the filter. Valid values range from 1 to 4294967294. When multiple filters apply to an LSA, the filter with the lowest sequence number is used.
• Action—Choose "Permit" to allow the LSA traffic or "Deny" to block the LSA traffic.
• Optional—Contains the optional settings for the filter.
  – Lower Range—Specify the minimum prefix length to be matched. The value of this setting must be greater than the length of the network mask entered in the Filtered Network field and less than or equal to the value, if present, entered in the Upper Range field.
  – Upper Range—Enter the maximum prefix length to be matched. The value of this setting must be greater than or equal to the value, if present, entered in the Lower Range field, or, if the Lower Range field is left blank, greater than the length of the network mask entered in the Filtered Network field.
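The following sketch is an added example, not FWSM or ASDM code. It checks filter entries against the field rules above and shows which type 3 prefixes a filter set lets through, so you can confirm before applying it that private networks stay out of a public area. It assumes conventional prefix-list matching (no range means an exact-length match; a Lower Range alone matches up to /32); the names `FilterEntry`, `validate` and `evaluate` and all sample prefixes are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class FilterEntry:
    seq: int                     # Sequence # (1..4294967294)
    action: str                  # "permit" or "deny"
    network: str                 # Filtered Network, CIDR notation
    lower: Optional[int] = None  # Lower Range (minimum prefix length)
    upper: Optional[int] = None  # Upper Range (maximum prefix length)

def validate(e):
    """Return the list of rule violations for one entry (empty if valid)."""
    problems = []
    mask = ipaddress.ip_network(e.network).prefixlen
    if not 1 <= e.seq <= 4294967294:
        problems.append("Sequence # out of range")
    if e.action not in ("permit", "deny"):
        problems.append("Action must be permit or deny")
    if e.lower is not None and e.lower <= mask:
        problems.append("Lower Range must be greater than the Filtered Network mask length")
    if e.lower is not None and e.upper is not None and e.lower > e.upper:
        problems.append("Lower Range must be less than or equal to Upper Range")
    if e.lower is None and e.upper is not None and e.upper <= mask:
        problems.append("Upper Range must be greater than the Filtered Network mask length")
    if any(v is not None and v > 32 for v in (e.lower, e.upper)):
        problems.append("prefix length cannot exceed 32")
    return problems

def length_window(e):
    """Prefix lengths the entry matches (assumed prefix-list semantics)."""
    mask = ipaddress.ip_network(e.network).prefixlen
    if e.lower is None and e.upper is None:
        return mask, mask                      # exact match only
    return (e.lower if e.lower is not None else mask,
            e.upper if e.upper is not None else 32)

def matches(e, prefix):
    p = ipaddress.ip_network(prefix)
    lo, hi = length_window(e)
    return p.subnet_of(ipaddress.ip_network(e.network)) and lo <= p.prefixlen <= hi

def evaluate(entries, prefix):
    """Lowest matching sequence number wins; anything unmatched is restricted."""
    for e in sorted(entries, key=lambda x: x.seq):
        if matches(e, prefix):
            return e.action, e.seq
    return "deny", None

# Constructed filter set: keep 10.0.0.0/8 private space out of the public area.
SAMPLE_FILTERS = [
    FilterEntry(10, "deny", "10.0.0.0/8", upper=32),
    FilterEntry(20, "permit", "192.0.2.0/24"),
    FilterEntry(30, "permit", "198.51.100.0/24", lower=25, upper=28),
]

if __name__ == "__main__":
    for e in SAMPLE_FILTERS:
        print(e.seq, validate(e) or "valid")
    for lsa in ("10.1.2.0/24", "192.0.2.0/24", "192.0.2.128/25",
                "198.51.100.0/24", "198.51.100.64/26"):
        print(lsa, evaluate(SAMPLE_FILTERS, lsa))
```

Note that 198.51.100.0/24 itself is restricted by entry 30, because a Lower Range always excludes the Filtered Network's own mask length.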
Modes
The following table shows the modes in which this feature is available:
| Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System) |
| • | — | • | — | — |
Interface
The Interface pane lets you configure interface-specific OSPF routing properties, such as OSPF message authentication and properties. For more information about configuring these properties, see the following:
• Interface > Authentication Tab
• Interface > Properties Tab
Modes
The following table shows the modes in which this feature is available:
| Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System) |
| • | — | • | — | — |
Interface > Authentication Tab
The Authentication tab displays the OSPF authentication information for the FWSM interfaces.
Fields
• Authentication Properties—Displays the authentication information for the FWSM interfaces. Double-clicking a row in the table opens the Edit OSPF Interface Properties dialog box for the selected interface.
  – Interface—Displays the interface name.
  – Authentication Type—Displays the type of OSPF authentication enabled on the interface. The authentication type can be one of the following values:
    None—OSPF authentication is disabled.
    Password—Clear text password authentication is enabled.
    MD5—MD5 authentication is enabled.
    Area—The authentication type specified for the area is enabled on the interface. Area authentication is the default value for interfaces. However, area authentication is disabled by default. So, unless you previously specified an area authentication type, interfaces showing Area authentication have authentication disabled.
• Edit—Opens the Edit OSPF Interface Properties dialog box for the selected interface.
Modes
The following table shows the modes in which this feature is available:
| Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System) |
| • | — | • | — | — |
Edit OSPF Interface Authentication
The Edit OSPF Interface Authentication dialog box lets you configure the OSPF authentication type and parameters for the selected interface.
Fields
• Interface—Displays the name of the interface for which authentication is being configured. You cannot edit this field.
• Authentication—Contains the OSPF authentication options.
  – None—Choose this option to disable OSPF authentication.
  – Password—Choose this option to use clear text password authentication. This is not recommended where security is a concern.
  – MD5—Choose this option to use MD5 authentication (recommended).
  – Area—(Default) Choose this option to use the authentication type specified for the area (see Add/Edit OSPF Area for information about configuring area authentication). Area authentication is disabled by default. So, unless you have previously specified an area authentication type, interfaces set to area authentication have authentication disabled until you configure area authentication.
• Authentication Password—Contains the settings for entering the password when password authentication is enabled.
  – Enter Password—Enter a text string of up to 8 characters.
  – Re-enter Password—Reenter the password.
• MD5 IDs and Keys—Contains the settings for entering the MD5 keys and parameters when MD5 authentication is enabled. All devices on the interface using OSPF authentication must use the same MD5 key and ID.
  – Enter MD5 ID and Key—Contains the settings for entering MD5 key information.
    Key ID—Enter a numerical key identifier. Valid values range from 1 to 255.
    Key—An alphanumeric character string of up to 16 bytes.
  – Add—Adds the specified MD5 key to the MD5 ID and Key table.
  – Delete—Removes the selected MD5 key and ID from the MD5 ID and Key table.
  – MD5 ID and Key—Displays the configured MD5 keys and key IDs.
    Key ID—Displays the key ID for the selected key.
    Key—Displays the key for the selected key ID.
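To show why every device on the interface must share the same MD5 key and key ID, the following added example (not FWSM code) signs and verifies an OSPF packet with the keyed-MD5 scheme of RFC 2328 Appendix D, which is assumed here to be what the MD5 option uses. Padding the key with zero bytes to 16 bytes is an assumption about common implementations; `sign_packet`, `verify_packet`, the addresses and the key are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

HEADER_FMT = "!BBH4s4sHHHBBI"   # 24-byte OSPFv2 header with AuType 2 fields
HEADER_LEN = struct.calcsize(HEADER_FMT)
AUTH_MD5 = 2
DIGEST_LEN = 16

def pad_key(key):
    """Key is 1..16 bytes (per the Key field); zero-padded to 16 (assumption)."""
    if not 1 <= len(key) <= 16:
        raise ValueError("MD5 key must be 1 to 16 bytes")
    return key.ljust(16, b"\x00")

def sign_packet(pkt_type, router_id, area_id, body, key_id, key, seq):
    """Build header + body and append MD5(packet || padded key)."""
    if not 1 <= key_id <= 255:
        raise ValueError("Key ID must be 1 to 255")
    header = struct.pack(
        HEADER_FMT, 2, pkt_type, HEADER_LEN + len(body),
        ipaddress.IPv4Address(router_id).packed,
        ipaddress.IPv4Address(area_id).packed,
        0,               # checksum is not computed when AuType is 2
        AUTH_MD5, 0, key_id, DIGEST_LEN, seq)
    packet = header + body
    return packet + hashlib.md5(packet + pad_key(key)).digest()

def verify_packet(wire, keys, last_seq):
    """Receiver side: keys maps Key ID -> key; last_seq is the neighbor's last value."""
    if len(wire) < HEADER_LEN + DIGEST_LEN:
        return False, "truncated"
    f = struct.unpack(HEADER_FMT, wire[:HEADER_LEN])
    length, autype, key_id, dlen, seq = f[2], f[6], f[8], f[9], f[10]
    if autype != AUTH_MD5:
        return False, "not MD5 authenticated"
    if dlen != DIGEST_LEN or len(wire) != length + DIGEST_LEN:
        return False, "bad length"
    key = keys.get(key_id)
    if key is None:
        return False, "unknown key ID"
    if seq < last_seq:                       # replay protection
        return False, "stale sequence number"
    expected = hashlib.md5(wire[:length] + pad_key(key)).digest()
    if not hmac.compare_digest(expected, wire[length:]):
        return False, "digest mismatch"
    return True, "ok"

# Constructed Hello body: mask, hello interval, options, priority, dead interval, DR, BDR.
HELLO_BODY = struct.pack(
    "!4sHBBI4s4s", ipaddress.IPv4Address("255.255.255.0").packed, 10, 0x02, 1, 40,
    ipaddress.IPv4Address("192.0.2.1").packed, ipaddress.IPv4Address("0.0.0.0").packed)
SAMPLE_KEY = b"constructed-key"
SAMPLE_PACKET = sign_packet(1, "192.0.2.1", "0.0.0.0", HELLO_BODY,
                            key_id=1, key=SAMPLE_KEY, seq=1000)

if __name__ == "__main__":
    print(verify_packet(SAMPLE_PACKET, {1: SAMPLE_KEY}, 999))    # matching key and ID
    print(verify_packet(SAMPLE_PACKET, {1: b"other-key"}, 999))  # same ID, different key
    print(verify_packet(SAMPLE_PACKET, {2: SAMPLE_KEY}, 999))    # same key, different ID
```

A neighbor that holds the right key under a different Key ID rejects the packet just as one with the wrong key does, which is why both values have to match on all devices.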
Modes
The following table shows the modes in which this feature is available:
| Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System) |
| • | — | • | — | — |
Interface > Properties Tab
The Properties tab displays the OSPF properties defined for each interface in a table format.
Fields
• OSPF Interface Properties—Displays interface-specific OSPF properties. Double-clicking a row in the table opens the Edit OSPF Interface Properties dialog box for the selected interface.
  – Interface—Displays the name of the interface that the OSPF configuration applies to.
  – Broadcast—Displays "No" if the interface is set to non-broadcast (point-to-point). Displays "Yes" if the interface is set to broadcast. "Yes" is the default setting for Ethernet interfaces.
  – Cost—Displays the cost of sending a packet through the interface.
  – Priority—Displays the OSPF priority assigned to the interface.
  – MTU Ignore—Displays "No" if MTU mismatch detection is enabled. Displays "Yes" if the MTU mismatch detection is disabled.
  – Database Filter—Displays "Yes" if outgoing LSAs are filtered during synchronization and flooding. Displays "No" if filtering is not enabled.
• Edit—Opens the Edit OSPF Interface Properties dialog box for the selected interface.
Modes
The following table shows the modes in which this feature is available:
| Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System) |
| • | — | • | — | — |
Edit OSPF Interface Properties
Fields
•
Interface—Displays the name of the interface for which you are configuring OSPF properties. You cannot edit this field.
•
Broadcast—Check this check box to specify that the interface is a broadcast interface. This check box is selected by default for Ethernet interfaces. Uncheck this check box to designate the interface as a point-to-point, non-broadcast interface. Specifying an interface as point-to-point, non-broadcast lets you transmit OSPF routes over VPN tunnels.
When an interface is configured as point-to-point, non-broadcast, the following restrictions apply:
–
You can define only one neighbor for the interface.
–
You need to manually configure the neighbor (see Static Neighbor).
–
You need to define a static route pointing to the crypto endpoint (see Static Routes Pane).
–
If OSPF over the tunnel is running on the interface, regular OSPF with an upstream router cannot be run on the same interface.
–
You should bind the crypto-map to the interface before specifying the OSPF neighbor to ensure that the OSPF updates are passed through the VPN tunnel. If you bind the crypto-map to the interface after specifying the OSPF neighbor, use the clear local-host all command to clear OSPF connections so the OSPF adjacencies can be established over the VPN tunnel.
•
Cost—Specify the cost of sending a packet through the interface. The default value is 10.
•
Priority—Specify the OSPF router priority. When two routers connect to a network, both attempt to become the designated router. The device with the higher router priority becomes the designated router. If there is a tie, the router with the higher router ID becomes the designated router.
Valid values for this setting range from 0 to 255. The default value is 1. Entering 0 for this setting makes the router ineligible to become the designated router or backup designated router. This setting does not apply to interfaces that are configured as point-to-point non-broadcast interfaces.
•
MTU Ignore—OSPF checks whether neighbors are using the same MTU on a common interface. This check is performed when neighbors exchange DBD packets. If the receiving MTU in the DBD packet is higher than the IP MTU configured on the incoming interface, OSPF adjacency will not be established.
•
Database Filter—Check this check box to filter outgoing LSAs on the interface during synchronization and flooding. By default, OSPF floods new LSAs over all interfaces in the same area, except the interface on which the LSA arrives. In a fully meshed topology, this can waste bandwidth and lead to excessive link and CPU usage. Checking this check box prevents flooding of OSPF LSAs on the selected interface.
Modes
The following table shows the modes in which this feature is available:
| Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple, Context | Security Context: Multiple, System |
| • | — | • | — | — |
Edit OSPF Interface Advanced Properties
The Edit OSPF Interface Advanced Properties dialog box lets you change the values for the OSPF hello interval, retransmit interval, transmit delay, and dead interval. Typically, you only need to change these values from the defaults if you are experiencing OSPF problems on your network.
Fields
•
Hello Interval—Specifies the interval, in seconds, between hello packets sent on an interface. The smaller the hello interval, the faster topological changes are detected but the more traffic is sent on the interface. This value must be the same for all routers and access servers on a specific interface. Valid values range from 1 to 65535 seconds. The default value is 10 seconds.
•
Retransmit Interval—Specifies the time, in seconds, between LSA retransmissions for adjacencies belonging to the interface. When a router sends an LSA to its neighbor, it keeps the LSA until it receives the acknowledgement message. If the router receives no acknowledgement, it will resend the LSA. Be conservative when setting this value, or needless retransmission can result. The value should be larger for serial lines and virtual links. Valid values range from 1 to 65535 seconds. The default value is 5 seconds.
•
Transmit Delay—Specifies the estimated time, in seconds, required to send an LSA packet on the interface. LSAs in the update packet have their ages increased by the amount specified by this field before transmission. If the delay is not added before transmission over a link, the time in which the LSA propagates over the link is not considered. The value assigned should take into account the transmission and propagation delays for the interface. This setting has more significance on very low-speed links. Valid values range from 1 to 65535 seconds. The default value is 1 second.
•
Dead Interval—Specifies the interval, in seconds, after which neighbors declare a router down if they have received no hello packets from it. Valid values range from 1 to 65535. The default value of this setting is four times the interval set by the Hello Interval field.
Modes
The following table shows the modes in which this feature is available:
| Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple, Context | Security Context: Multiple, System |
| • | — | • | — | — |
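Every OSPFv2 hello packet carries the sender's hello and dead intervals, and a receiver drops hellos whose values differ from its own interface settings (RFC 2328, section 10.5). The following added example (not Cisco's code) parses a hello body and reports the mismatches, applying the four-times-hello default for the dead interval. The function names and the constructed hello bodies are assumptions of the example.

```python
import struct

# Fixed part of an OSPFv2 hello body (RFC 2328, A.3.2), which follows the 24-byte header:
# network mask, HelloInterval, options, router priority, RouterDeadInterval, DR, BDR.
HELLO = struct.Struct("!4sHBBI4s4s")


def dead_interval(hello: int, dead=None) -> int:
    """Dead interval in effect: the explicit value, else four times the hello interval."""
    for value in (hello, dead):
        if value is not None and not 1 <= value <= 65535:
            raise ValueError("interval must be 1 to 65535 seconds")
    return 4 * hello if dead is None else dead


def build_hello(hello: int, dead=None, priority: int = 1) -> bytes:
    """Constructed hello body for testing: /24 mask, E-bit set, no DR or BDR elected yet."""
    return HELLO.pack(bytes([255, 255, 255, 0]), hello, 0x02, priority,
                      dead_interval(hello, dead), bytes(4), bytes(4))


def check_hello(body: bytes, local_hello: int = 10, local_dead=None) -> list:
    """Return the reasons a receiver with these local timers would drop the hello."""
    if len(body) < HELLO.size or (len(body) - HELLO.size) % 4:
        return ["malformed hello body"]  # neighbor list is a sequence of 4-byte router IDs
    _, hello, _, _, dead, _, _ = HELLO.unpack_from(body)
    problems = []
    if hello != local_hello:
        problems.append(f"hello interval {hello}s != local {local_hello}s")
    expected_dead = dead_interval(local_hello, local_dead)
    if dead != expected_dead:
        problems.append(f"dead interval {dead}s != local {expected_dead}s")
    return problems
```

Lowering only the hello interval on one neighbor produces two mismatches, because the defaulted dead interval changes with it.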
Redistribution
The Redistribution pane displays the rules for redistributing routes from one routing process into an OSPF routing process.
Fields
The Redistribution table displays the following information. Double-clicking a table entry opens the Add/Edit OSPF Redistribution Entry dialog box for the selected entry.
•
OSPF Process—Displays the OSPF process associated with the route redistribution entry.
•
Protocol—Displays the source protocol the routes are being redistributed from. Valid entries are the following:
–
Static—Static routes are redistributed into the OSPF routing process.
–
Connected—The route was established automatically by virtue of having IP enabled on the interface. These routes are redistributed into the OSPF routing process as external to the AS.
–
OSPF—Routes from another OSPF routing process are being redistributed into the OSPF routing process.
–
EIGRP—Routes are redistributed from the EIGRP routing process into the OSPF routing process.
–
RIP—Routes are redistributed from the RIP routing process into the OSPF routing process.
•
Match—Displays the conditions used for redistributing routes from one OSPF routing process to another.
•
Subnets—Displays "Yes" if subnetted routes are redistributed. Does not display anything if only routes that are not subnetted are redistributed.
•
Metric Value—Displays the metric that is used for the route. This column is blank for redistribution entries if the default metric is used.
•
Metric Type—Displays "1" if the metric is a Type 1 external route, "2" if the metric is a Type 2 external route.
•
Tag Value—A 32-bit decimal value attached to each external route. This