Configuring OSPF Interface Parameters Overview

By default, OSPF is disabled on all interfaces in the VR. You must enable OSPF on an interface before OSPF can use that interface to transmit or receive packets. When you disable OSPF on an interface, OSPF does not transmit or receive packets on the specified interface, but interface configuration parameters are preserved.

For instructions for configuring OSPF settings on the virtual router and on the interface, see the Network and Security Manager Online Help.

You can enable OSPF on Ethernet and tunnel interfaces. When configuring OSPF on a tunnel interface, you can configure additional parameters to keep OSPF tunnel traffic to a minimum.

The OSPF interface parameters are displayed in Table 77.

Table 77: OSPF Interface Parameters

Parameters

Your Action

Bind to Area

Select a previously created area to bind the interface to that area. By default, all interfaces are bound to area 0, the backbone area.

Cost

Configure the metric for the interface. The cost associated with an interface depends upon the bandwidth of the link to which the interface is connected. The higher the bandwidth, the lower (more desirable) the cost value.

Hello Interval

Configure the interval, in seconds, at which the interface sends OSPF hello packets to the network. By default, the interface sends 10 hello packets per second.

OSPF Priority

Configure the priority level of the VR elected by the interface. The router (designated router or backup designated router) with the larger priority value has the best chance (although not guaranteed) of being elected.

Retransmit Interval

Configure the number of seconds that elapse before the interface resends an LSA to a neighbor that did not respond to the original LSA. By default, the interface resends an unacknowledged LSA every 5 seconds.

Transmit Delay

Configure the number of seconds between transmissions of link-state update packets sent on the interface. By default, the interface sends link-state updates every second.

Configuring Interface Link Type

Configure how the interface forms adjacencies with other routers:

  • A point-to-point interface for OSPF forms an adjacency with only one OSPF router in the area. If the local tunnel interface is to be bound to multiple tunnels, you must configure the local tunnel interface as a point-to-multipoint interface.
  • A regular multicast interface for OSPF acts as a broadcast interface, and forms adjacencies with all routers in the area.

Enable Reduction in LSA Flooding (ScreenOS 5.1 and later only)

Select to suppress LSA packets. When this option is enabled, the device sends LSA packets only when the LSA content has changed. By default, this option is disabled.

Configure to Ignore MTU Mismatch in DB Exchange (ScreenOS 5.1 and later only)

Select to ignore any mismatches in maximum transmission unit (MTU) values between the local and remote interfaces that are found during OSPF database negotiations. Use this option only when the MTU on the local interface is lower than the MTU on the remote interface.

Interface OSPF Passive Mode

Select to prevent the interface from transmitting or receiving packets. The IP address of the interface is still advertised on the OSPF domain as an OSPF route and not as an external route. You might want to select this option when BGP is also enabled on the interface.

In addition, you can configure an OSPF demand circuit, on tunnel interfaces for ScreenOS 5.1 and later only. An OSPF demand circuit is a network segment on which connect time or usage affects the cost of using the connection. When traversing a demand circuit, the security device limits routing protocol traffic to changes in network topology, and suppresses OSPF hello packets and the periodic refresh of LSA flooding.

Configuring OSPF Neighbors

Two routers with interfaces on the same subnet are considered neighbors. Routers use the hello protocol to establish and maintain these neighbor relationships. When two routers establish bidirectional communication, they are said to have established an adjacency. If two routers do not establish an adjacency, they cannot exchange routing information. By default, the OSPF routing instance on the virtual router forms adjacencies with all OSPF neighbors communicating on an OSPF-enabled interface.

You can configure the following settings for neighbors on the interface:

Configuring OSPF Authentication

Because LSAs are unencrypted, most protocol analyzers can decapsulate OSPF packets. Authenticating OSPF neighbors using MD5 authentication or a simple password is the best way to fend off these types of attacks.

When authentication is enabled, the device discards all unauthenticated OSPF packets received on the interface. By default, authentication is disabled.
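The discard behavior described above, sketched for the MD5 method as an added example (not Juniper or ScreenOS code). It follows the cryptographic authentication layout in RFC 2328, Appendix D, and assumes the device implements that standard; the function names, key, and addresses are hypothetical and the sample packets are constructed.

```python
import hashlib
import hmac
import struct

AUTH_NONE, AUTH_SIMPLE, AUTH_MD5 = 0, 1, 2    # AuType values (RFC 2328)
HDR = struct.Struct("!BBH4s4sHH")             # version .. AuType (16 bytes)
AUTH = struct.Struct("!HBBI")                 # zero, key ID, digest len, sequence

def keyed_md5(data, key):
    """MD5 over the packet followed by the secret, zero-padded to 16 bytes."""
    return hashlib.md5(data + key[:16].ljust(16, b"\0")).digest()

def build_md5_packet(body, router_id, area_id, key_id, key, seq, pkt_type=1):
    """Sender: OSPFv2 packet with the digest appended after the body."""
    length = 24 + len(body)                   # length field excludes the digest
    head = HDR.pack(2, pkt_type, length, router_id, area_id, 0, AUTH_MD5)
    packet = head + AUTH.pack(0, key_id, 16, seq) + body
    return packet + keyed_md5(packet, key)

def accept(packet, keys, last_seq):
    """Receiver on an interface with MD5 authentication enabled.
    keys maps key ID to secret; last_seq maps router ID to last sequence seen."""
    if len(packet) < 24:
        return False, "truncated"
    _, _, length, router_id, _, _, autype = HDR.unpack_from(packet)
    if autype != AUTH_MD5:                    # null or simple-password packet
        return False, "wrong AuType"
    _, key_id, digest_len, seq = AUTH.unpack_from(packet, 16)
    if key_id not in keys or digest_len != 16:
        return False, "unknown key"
    if length < 24 or len(packet) != length + 16:
        return False, "bad length"
    if seq < last_seq.get(router_id, 0):      # older than last accepted packet
        return False, "old sequence number"
    expected = keyed_md5(packet[:length], keys[key_id])
    if not hmac.compare_digest(expected, packet[length:]):
        return False, "digest mismatch"
    last_seq[router_id] = seq
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample values: router ID 192.0.2.1, area 0, placeholder body.
    rid, area, key = bytes([192, 0, 2, 1]), bytes(4), b"example-key"
    good = build_md5_packet(b"\x00" * 20, rid, area, 1, key, seq=100)
    forged = good[:30] + b"\xff" + good[31:]  # one body byte changed in transit
    state = {}
    for name, pkt in (("good", good), ("forged", forged)):
        print(name, accept(pkt, {1: key}, state))
```

With the simple password method (AuType 1) the password itself occupies the 8-byte authentication field of every packet, so it is readable on the wire; with MD5 only the digest is sent.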

To enable authentication, select one of the following authentication methods:
