Skip to content

OSPF and OSPFv3

You can create OSPF and OSPFv3 routes on Sophos Firewall.

Open Shortest Path First (OSPF) is a link-state routing protocol within an autonomous system (AS). It sends routing information to all the routers within the network by calculating the shortest path to each router based on the structure built up by each router.

OSPF supports IPv4. OSPFv3 supports IPv6.

OSPF areas

An area is a logical division of an OSPF network. Each area maintains a separate database on the connecting router which contains information about the area's topology. The topology of an area isn't known outside of that area. Here are three types of areas:

Area name Description
Backbone area The backbone area, also known as area 0, distributes information between the other areas in the network. All other areas in the network are connected to the backbone. Routing between areas takes place using routers connected to the backbone and the other areas.
Stub area A stub area is an area that does not receive route advertisements external to the autonomous system (AS).
NSSA A not-so-stubby-area (NSSA) is a type of stub area that doesn’t receive route advertisements external to the AS (type 5) from other OSPF areas but can carry the external routes redistributed into this area as type 7 LSAs.

An Area Border Router (ABR) is a router that connects areas to the backbone network and maintains separate routing information for each area to which it's connected. It has interfaces in more than one area, with at least one interface in the backbone area.

Global configuration

You can configure the OSPF and OSPFv3 settings.

Specify the global settings you require as follows:

  1. Router ID: Enter an ID to identify the firewall as the router from which the packet originates. Make sure the ID meets the following conditions:

    • It must be in the IPv4 address format.
    • It doesn't need to be a valid IP address in your routing domain.
    • It must be unique within your routing domain.
    • You can't use 0.0.0.0.

    If you don't enter a value, the firewall uses the highest interface address.

  2. Default metric: Enter a value to use when the firewall redistributes connected, static, RIP, and BGP routes through OSPF, and you haven't configured individual metrics for each route type. Lower cost indicates higher preference.

    If you don't enter a value, the firewall uses the following default value: 20.

  3. ABR type: To ensure compatibility, select the Area Border Router (ABR) type in your routing domain from the following options:

    • Standard
    • Cisco
    • IBM
    • Shortcut
  4. Auto-cost reference-bandwidth (Mbps): Enter a value to calculate the cost of routing through the firewall. Lower cost indicates higher preference.

    It's divided by the interface speed to calculate the OSPF cost. Default: 100000 Mbps

    Example

    Reference bandwidth = 100000 Mbps

    Interface bandwidth = 2000 Mbps

    Cost = 100000/20000 = 50

    Note

    If you've migrated from an earlier version to 19.5 and later versions, the previous default value (100) is migrated as the current default value (100000). If you've changed the default value in the earlier version, the value is migrated without change.

  5. Select the route advertisement settings you require in your network, enter the corresponding metric, and select the metric type from the following options:

    • External type 1: Sum of the internal cost (cost of reaching the ASBR) and external cost to the destination. So, the route cost differs for each router. Use this when you want traffic to go out of the network at the nearest exit point.
    • External type 2: Only the external cost to the destination. So, the route cost is the same for all routers in the OSPF domain. Use this when you want traffic to go out of the network at the point closest to the destination.

    Select the following based on your requirements:

    1. Default-information originate: Advertises the default route (0.0.0.0/0) to neighbors based on the following options:

      • Never: Doesn't advertise the default route.
      • Regular: Advertises it if it's present in the routing table.
      • Always: Always advertises it even if it's not present in the routing table.
    2. Redistribute connected: Redistributes routes for connected networks, including remote access SSL VPN traffic, into the OSPF routing table.

      Note

      Only traffic related to remote access SSL VPN's dynamic subnet is injected into OSPF. The static subnet isn't. You can configure an OSPF network for the static subnet.

      Note

      The firewall redistributes all networks directly attached to it. You can't selectively inject routes from the web admin console.

    3. Redistribute static: Redistributes static routes into the OSPF routing table.

    4. Redistribute RIP: Redistributes RIP routes into the OSPF routing table.
    5. Redistribute BGP: Redistributes BGP routes into the OSPF routing table.
  6. Click Apply.

Note

When you apply the Global configuration settings on the web admin console, the firewall removes your changes to the default setting log-adjacency-changes.

Networks and areas

You can see the OSPF networks you configured, the corresponding subnet masks, and the area they belong to. See Add an OSPF network.

You can see the OSPF areas, the area and authentication types, area cost, and virtual links if any. See Add OSPF areas.

Override interface configuration

You can manage the interface configuration. See Override interface configuration.

Specify the global settings you require as follows:

  1. Router ID: Enter an ID to identify the firewall as the router from which the packet originates. Make sure the ID meets the following conditions:

    • It must be in the IPv4 address format.
    • It doesn't need to be a valid IP address in your routing domain.
    • It must be unique within your routing domain.
    • You can't use 0.0.0.0.

    If you don't enter a value, the firewall uses the highest interface address.

  2. Default metric: It's used to determine the best route among the routes redistributed into OSPFv3.

    Currently, you can't change this value, and the value 0 appears, but the firewall uses the following default value: 20.

  3. ABR type: The Area Border Router (ABR) type is set to Standard, which complies with RFC 2328. You can't change it.

  4. Auto-cost reference-bandwidth (Mbps): Enter a value to calculate the cost of routing through the firewall. Lower cost indicates higher preference.

    It's divided by the interface speed to calculate the OSPFv3 cost. Default: 100000 Mbps

    Example

    Reference bandwidth = 100000 Mbps

    Interface bandwidth = 2000 Mbps

    Cost = 100000/20000 = 50

  5. Select the route advertisement settings you require in your network, enter the corresponding metric, and select the metric type from the following options:

    • External type 1: Sum of the internal cost (cost of reaching the ASBR) and external cost to the destination. So, the route cost differs for each router. Use this when you want traffic to go out of the network at the nearest exit point.
    • External type 2: Only the external cost to the destination. So, the route cost is the same for all routers in the OSPF domain. Use this when you want traffic to go out of the network at the point closest to the destination.

    Select the following settings based on your requirements:

    1. Default-information originate: Advertises the default route (0.0.0.0/0) to neighbors based on the following options:

      • Never: Doesn't advertise the default route.
      • Regular: Advertises it if it's present in the routing table.
      • Always: Always advertises it even if it's not present in the routing table.
    2. Redistribute connected: Redistributes routes for connected networks, including remote access SSL VPN traffic, into the OSPFv3 routing table.

      Note

      Only traffic related to remote access SSL VPN's dynamic subnet is injected into OSPFv3. The static subnet isn't. You can configure an OSPF network for the static subnet.

      Note

      The firewall redistributes all networks directly attached to it. You can't selectively inject routes from the web admin console.

  6. Click Apply.

Note

When you apply the Global configuration settings on the web admin console, the firewall removes your changes to the default setting log-adjacency-changes.

Interfaces and areas

You can see the interfaces you've configured to run OSPFv3 and the area the interface belongs to. See Add an OSPFv3 interface.

You can see the OSPF areas you configured on the firewall and the type of area. See Add an OSPFv3 area.