Skip to content

OSPF

You can create OSPF routes on Sophos Firewall.

Open Shortest Path First (OSPF) is a link-state routing protocol that multicasts the routing information to all the hosts within a single network. It sends routing information to all the routers in the network by calculating the shortest path to each router based on the structure built up by each router.

OSPF areas

An area is a logical division of an OSPF network. Each area maintains a separate database on the connecting router which contains information about the area's topology. The topology of an area isn't known outside of that area. Here are three types of areas:

Area name Description
Backbone area The backbone area, also known as area 0, distributes information between the other areas in the network. All other areas in the network are connected to the backbone. Routing between areas takes place using routers connected to the backbone and the other areas.
Stub area A stub area is an area that does not receive route advertisements external to the autonomous system (AS) (a collection of networks under a common network operator that share the same routing policy).
NSSA A not-so-stubby-area (NSSA) is a type of stub area that can import AS external routes in a limited amount.

An Area Border Router (ABR) is a router that connects areas to the backbone network and maintains separate routing information for each area to which it's connected. It has interfaces in more than one area, with at least one interface in the backbone area.

Global configuration

Specify the global settings you require as follows:

  1. Router ID: Enter an ID to identify the firewall as the router from which the packet originates. Make sure the ID meets the following conditions:

    • It must be in the IPv4 address format.
    • It doesn't need to be a valid IP address in your routing domain.
    • It must be unique within your routing domain.
    • You can't use 0.0.0.0.

    If you don't enter a value, the firewall uses the highest interface address.

  2. Default metric: Enter a value to use when the firewall redistributes connected, static, RIP, and BGP routes through OSPF, and you haven't configured individual metrics for each route type. Lower cost indicates higher preference.

    If you don't enter a value, the firewall uses the following default value: 20.

  3. ABR type: To ensure compatibility, select the Area Border Router (ABR) type in your routing domain from the following options:

    • Standard
    • Cisco
    • IBM
    • Shortcut
  4. Auto-cost reference-bandwidth (Mbps): Enter a value to calculate the cost of routing through the firewall. Lower cost indicates higher preference.

    It's divided by the interface speed to calculate the OSPF cost. Default: 100 Mbps

    Example

    Reference bandwidth = 100000 Mbps

    Interface bandwidth = 2000 Mbps

    Cost = 100000/20000 = 50

  5. Select the route advertisement settings you require in your network, enter the corresponding metric, and select the metric type from the following options:

    • External type 1: Sum of the internal cost (cost of reaching the ASBR) and external cost to the destination. So, the route cost differs for each router. Use this when you want traffic to go out of the network at the nearest exit point.
    • External type 2: Only the external cost to the destination. So, the route cost is the same for all routers in the OSPF domain. Use this when you want traffic to go out of the network at the point closest to the destination.

    Select the following based on your requirements:

    1. Default-information originate: Advertises the default route (0.0.0.0/0) to neighbors based on the following options:

      • Never: Doesn't advertise the default route.
      • Regular: Advertises it if it's present in the routing table.
      • Always: Always advertises it even if it's not present in the routing table.
    2. Redistribute connected: Redistributes routes for connected networks, including remote access SSL VPN traffic, into the OSPF routing table.

      Note

      Only traffic related to remote access SSL VPN's dynamic subnet is injected into OSPF. The static subnet isn't. You can configure an OSPF network for the static subnet.

      Note

      The firewall redistributes all networks directly attached to it. You can't selectively inject routes from the web admin console.

    3. Redistribute static: Redistributes static routes into the OSPF routing table.

    4. Redistribute RIP: Redistributes RIP routes into the OSPF routing table.
    5. Redistribute BGP: Redistributes BGP routes into the OSPF routing table.

Networks & areas

Under Networks & areas, the Networks section lists all available OSPF networks, the corresponding netmasks, and the area to which they belong. You can add a new OSPF network here. The Areas section lists all available OSPF areas, specifies their types and authentication type, the area cost, and, if available, virtual links. For more information, see Add OSPF areas and Add OSPF network.

Override interface configuration

You can manage the interface configuration here. For more information, see Override interface configuration.