OSPF and OSPFv3
You can create OSPF and OSPFv3 routes on Sophos Firewall.
Open Shortest Path First (OSPF) is a link-state routing protocol within an autonomous system (AS). It sends routing information to all the routers within the network by calculating the shortest path to each router based on the structure built up by each router.
OSPF supports IPv4. OSPFv3 supports IPv6.
OSPF areas
An area is a logical division of an OSPF network. Each area maintains a separate database on the connecting router which contains information about the area's topology. The topology of an area isn't known outside of that area. Here are three types of areas:
Area name | Description |
---|---|
Backbone area | The backbone area, also known as area 0, distributes information between the other areas in the network. All other areas in the network are connected to the backbone. Routing between areas takes place using routers connected to the backbone and the other areas. |
Stub area | A stub area is an area that does not receive route advertisements external to the autonomous system (AS). |
NSSA | A not-so-stubby-area (NSSA) is a type of stub area that doesn’t receive route advertisements external to the AS (type 5) from other OSPF areas but can carry the external routes redistributed into this area as type 7 LSAs. |
An Area Border Router (ABR) is a router that connects areas to the backbone network and maintains separate routing information for each area to which it's connected. It has interfaces in more than one area, with at least one interface in the backbone area.
Global configuration
You can configure the OSPF and OSPFv3 settings.
Specify the global settings you require as follows:
-
Router ID: Enter an ID to identify the firewall as the router from which the packet originates. Make sure the ID meets the following conditions:
- It must be in the IPv4 address format.
- It doesn't need to be a valid IP address in your routing domain.
- It must be unique within your routing domain.
- You can't use
0.0.0.0
.
If you don't enter a value, the firewall uses the highest interface address.
-
Default metric: Enter a value to use when the firewall redistributes connected, static, RIP, and BGP routes through OSPF, and you haven't configured individual metrics for each route type. Lower cost indicates higher preference.
If you don't enter a value, the firewall uses the following default value: 20.
-
ABR type: To ensure compatibility, select the Area Border Router (ABR) type in your routing domain from the following options:
- Standard
- Cisco
- IBM
- Shortcut
-
Auto-cost reference-bandwidth (Mbps): Enter a value to calculate the cost of routing through the firewall. Lower cost indicates higher preference.
It's divided by the interface speed to calculate the OSPF cost. Default: 100000 Mbps
Example
Reference bandwidth = 100000 Mbps
Interface bandwidth = 2000 Mbps
Cost = 100000/20000 = 50
Note
If you've migrated from an earlier version to 19.5 and later versions, the previous default value (100) is migrated as the current default value (100000). If you've changed the default value in the earlier version, the value is migrated without change.
-
Select the route advertisement settings you require in your network, enter the corresponding metric, and select the metric type from the following options:
- External type 1: Sum of the internal cost (cost of reaching the ASBR) and external cost to the destination. So, the route cost differs for each router. Use this when you want traffic to go out of the network at the nearest exit point.
- External type 2: Only the external cost to the destination. So, the route cost is the same for all routers in the OSPF domain. Use this when you want traffic to go out of the network at the point closest to the destination.
Select the following based on your requirements:
-
Default-information originate: Advertises the default route (
0.0.0.0/0
) to neighbors based on the following options:- Never: Doesn't advertise the default route.
- Regular: Advertises it if it's present in the routing table.
- Always: Always advertises it even if it's not present in the routing table.
-
Redistribute connected: Redistributes routes for connected networks, including remote access SSL VPN traffic, into the OSPF routing table.
Note
Only traffic related to remote access SSL VPN's dynamic subnet is injected into OSPF. The static subnet isn't. You can configure an OSPF network for the static subnet.
Note
The firewall redistributes all networks directly attached to it. You can't selectively inject routes from the web admin console.
-
Redistribute static: Redistributes static routes into the OSPF routing table.
- Redistribute RIP: Redistributes RIP routes into the OSPF routing table.
- Redistribute BGP: Redistributes BGP routes into the OSPF routing table.
-
Click Apply.
Note
When you apply the Global configuration settings on the web admin console, the firewall removes your changes to the default setting log-adjacency-changes
.
Networks and areas
You can see the OSPF networks you configured, the corresponding subnet masks, and the area they belong to. See Add an OSPF network.
You can see the OSPF areas, the area and authentication types, area cost, and virtual links if any. See Add OSPF areas.
Override interface configuration
You can manage the interface configuration. See Override interface configuration.
Specify the global settings you require as follows:
-
Router ID: Enter an ID to identify the firewall as the router from which the packet originates. Make sure the ID meets the following conditions:
- It must be in the IPv4 address format.
- It doesn't need to be a valid IP address in your routing domain.
- It must be unique within your routing domain.
- You can't use
0.0.0.0
.
If you don't enter a value, the firewall uses the highest interface address.
-
Default metric: It's used to determine the best route among the routes redistributed into OSPFv3.
Currently, you can't change this value, and the value
0
appears, but the firewall uses the following default value: 20. -
ABR type: The Area Border Router (ABR) type is set to Standard, which complies with RFC 2328. You can't change it.
-
Auto-cost reference-bandwidth (Mbps): Enter a value to calculate the cost of routing through the firewall. Lower cost indicates higher preference.
It's divided by the interface speed to calculate the OSPFv3 cost. Default: 100000 Mbps
Example
Reference bandwidth = 100000 Mbps
Interface bandwidth = 2000 Mbps
Cost = 100000/20000 = 50
-
Select the route advertisement settings you require in your network, enter the corresponding metric, and select the metric type from the following options:
- External type 1: Sum of the internal cost (cost of reaching the ASBR) and external cost to the destination. So, the route cost differs for each router. Use this when you want traffic to go out of the network at the nearest exit point.
- External type 2: Only the external cost to the destination. So, the route cost is the same for all routers in the OSPF domain. Use this when you want traffic to go out of the network at the point closest to the destination.
Select the following settings based on your requirements:
-
Default-information originate: Advertises the default route (
0.0.0.0/0
) to neighbors based on the following options:- Never: Doesn't advertise the default route.
- Regular: Advertises it if it's present in the routing table.
- Always: Always advertises it even if it's not present in the routing table.
-
Redistribute connected: Redistributes routes for connected networks, including remote access SSL VPN traffic, into the OSPFv3 routing table.
Note
Only traffic related to remote access SSL VPN's dynamic subnet is injected into OSPFv3. The static subnet isn't. You can configure an OSPF network for the static subnet.
Note
The firewall redistributes all networks directly attached to it. You can't selectively inject routes from the web admin console.
-
Click Apply.
Note
When you apply the Global configuration settings on the web admin console, the firewall removes your changes to the default setting log-adjacency-changes
.
Interfaces and areas
You can see the interfaces you've configured to run OSPFv3 and the area the interface belongs to. See Add an OSPFv3 interface.
You can see the OSPF areas you configured on the firewall and the type of area. See Add an OSPFv3 area.