Global OSPF Settings Overview

 

A global OSPF setting affects operations on all OSPF-enabled interfaces. You configure global settings in the virtual router.

For instructions on configuring OSPF settings on the virtual router and on the interface, see the Network and Security Manager Online Help.

Configuring OSPF Parameters

The OSPF instance parameters are displayed in Table 1.

Table 1: OSPF Instance Parameters

| Parameters | Your Action |
| --- | --- |
| Automatically Generate Virtual Links | Select this option to direct the VR to automatically create a virtual link for instances when it cannot reach the network backbone. By default, this option is disabled. |
| Reject Default Route | Select this option to prevent Route Detour Attacks, in which a router injects a default route (0.0.0.0/0) into the routing domain to detour packets to itself. During a route detour, a compromised router can then either drop the packets, causing service disruption, or it can obtain sensitive information in the packets before forwarding them. By default, this option is disabled, meaning OSPF accepts any default routes that are learned in OSPF and adds the default route to the routing table. |
| RFC 1583 Compatible | Select this option to make the OSPF routing instance compatible with RFC 1583, an earlier version of OSPF. By default, security devices support OSPF version 2, as defined by RFC 2328. |
| Prevent Hello Packet Flooding Attack | Configure the Maximum Hello Packets threshold accepted by the VR. By default, the OSPF hello packet threshold is 10 packets per hello interval. You might want to use this setting to prevent a malfunctioning or compromised router from flooding its neighbors with OSPF hello packets. |
| Prevent LSA Flooding Attack | Configure the number of LSAs accepted by the VR. By default, the VR accepts all LSAs. You might want to use this setting to prevent a malfunctioning or compromised router from flooding its neighbors with OSPF LSA packets. During an LSA flood attack, a router generates an excessive number of LSAs in a short period of time, thus keeping other OSPF routers in the network busy running the SPF algorithm. |
| Advertising Default Route | Select this option to direct the VR to advertise an active default route (0.0.0.0/0) in the VR route table to all OSPF areas. |
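
The following added example (not part of the original documentation and not the device's code) audits a constructed OSPF packet log against the Reject Default Route, hello threshold and LSA threshold settings described in Table 1. The hello interval length, the LSA limit and window, the event format and the drop-the-excess behaviour are assumptions made for the sketch; only the hello threshold of 10 comes from the page.

```python
from collections import defaultdict

HELLO_THRESHOLD = 10   # page default: hello packets accepted per hello interval
HELLO_INTERVAL = 10    # seconds; assumed interval length for this sketch
LSA_THRESHOLD = 20     # assumed limit (the page says the VR accepts all LSAs by default)
LSA_WINDOW = 10        # seconds; assumed counting window for LSAs

def audit(events, reject_default_route=True):
    """Return (accepted_count, findings) for (time, neighbor, kind, prefix) events."""
    counts = defaultdict(int)   # (neighbor, kind, window index) -> packets seen
    findings, accepted = [], 0
    for t, neighbor, kind, prefix in events:
        # Reject Default Route: never accept 0.0.0.0/0 learned through OSPF.
        if kind == "lsa" and prefix == "0.0.0.0/0" and reject_default_route:
            findings.append((t, neighbor, "default route rejected"))
            continue
        if kind == "hello":
            limit, span = HELLO_THRESHOLD, HELLO_INTERVAL
        else:
            limit, span = LSA_THRESHOLD, LSA_WINDOW
        key = (neighbor, kind, t // span)
        counts[key] += 1
        if counts[key] > limit:
            # Report once per neighbor and window, keep discarding the excess.
            if counts[key] == limit + 1:
                findings.append((t, neighbor, f"{kind} flood: over {limit} per {span}s"))
            continue
        accepted += 1
    return accepted, findings

def sample_events():
    """Constructed input: one well-behaved neighbor and one misbehaving neighbor."""
    events = [(t, "10.0.0.1", "hello", None) for t in range(0, 30, 10)]
    events += [(12, "10.0.0.2", "hello", None)] * 25   # 25 hellos in one interval
    events += [(21, "10.0.0.2", "lsa", f"172.16.{i}.0/24") for i in range(30)]
    events.append((22, "10.0.0.2", "lsa", "0.0.0.0/0"))
    return sorted(events, key=lambda e: e[0])

if __name__ == "__main__":
    accepted, findings = audit(sample_events())
    print("accepted:", accepted)
    for finding in findings:
        print(finding)
```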

Configuring OSPF Areas

By default, all routers are grouped into a single “backbone” area called area 0 (usually denoted as area 0.0.0.0). However, you might want to segment large geographically dispersed networks into multiple areas for better scalability.

Using multiple areas reduces the amount of routing information passed throughout the network because a router only maintains a link-state database for the area in which it resides. The VR maintains link-state information for all connected areas, and does not maintain link-state information for networks or routers outside the area.

AS external advertisements describe routes to destinations in other autonomous systems and are flooded throughout an AS. To prevent AS external advertisements from flooding an AS, configure the OSPF area as a stub area:

  • Stub area—An area that receives route summaries from the backbone area but does not receive link-state advertisements from other areas for routes learned through non-OSPF sources (BGP, for example). A stub area can be considered a totally stubby area if no summary routes are allowed in the stub area.

  • Not So Stubby Area (NSSA)—Like a normal stub area, NSSAs cannot receive routes from non-OSPF sources outside the current area. However, external routes learned within the area can be learned and passed to other areas.

All areas must connect to area 0, which is defined by default on the virtual router when you enable the OSPF routing instance on the virtual router. For areas that cannot be physically connected to the backbone area, you must configure a virtual link to provide the remote area with a logical path to the backbone through another area. For details on virtual links, see Configuring OSPF Virtual Links.

Configuring OSPF Summary Import

In large internetworks where hundreds or even thousands of network addresses can exist, routers can become overly congested with route information. After you have redistributed a series of routes from an external protocol to the current OSPF routing instance, you can bundle the routes into one generalized or summarized network route. By summarizing multiple addresses, you enable a series of routes to be recognized as one route, simplifying the process.

Using route summarization in a large, complex network can isolate topology changes from other routers. An intermittently failing link in a domain does not affect the summary route, so no router external to the domain needs to modify its routing table due to the link failure. Route summarization also prevents LSAs from propagating to other areas when a summarized network goes down or comes up.

You can summarize inter-area routes or external routes.
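
As an added example (not from the original documentation), the sketch below computes the single summary prefix that covers a set of redistributed routes and lists any address space inside the summary that no component route covers, which is worth checking before advertising the summary. The route values and function names are constructed for illustration.

```python
import ipaddress

def summary_route(routes):
    """Smallest single prefix that covers every route in the list."""
    nets = [ipaddress.ip_network(r) for r in routes]
    summary = nets[0]
    # Widen the prefix one bit at a time until every route fits inside it.
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    return summary

def uncovered(summary, routes):
    """Prefixes inside the summary that no component route covers."""
    gaps = [summary]
    for net in ipaddress.collapse_addresses(ipaddress.ip_network(r) for r in routes):
        remaining = []
        for gap in gaps:
            if net.subnet_of(gap):
                # Carve the covered route out of the gap; equal networks leave nothing.
                remaining.extend(gap.address_exclude(net))
            elif not gap.subnet_of(net):
                remaining.append(gap)   # disjoint from this route, still a gap
        gaps = remaining
    return sorted(gaps)

def sample_routes():
    """Constructed set of redistributed routes."""
    return ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24"]

if __name__ == "__main__":
    routes = sample_routes()
    summary = summary_route(routes)
    print("summary:", summary)
    print("advertised but not backed by a route:", uncovered(summary, routes))
    # A flapping component route leaves the advertised summary unchanged.
    print("summary without 10.1.1.0/24:", summary_route([routes[0], routes[2]]))
```

Traffic for a prefix reported by `uncovered` is drawn toward the summarizing router even though no component route exists for it.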

Configuring OSPF Redistribution Rules

Use route redistribution to exchange route information between routing protocols. You can redistribute the following types of routes into the OSPF routing instance in the same VR:

  • Routes learned from BGP

  • Directly connected routes

  • Imported routes

  • Statically configured routes

When you configure route redistribution, you must first specify a route map to filter the routes that are redistributed.

Configuring OSPF Virtual Links

All areas must connect to area 0, which is the backbone. Area 0 is defined by default on the virtual router when you enable the OSPF routing instance on the virtual router. For areas that cannot be physically connected to the backbone area, you must configure a virtual link to provide the remote area with a logical path to the backbone through another area.

To enable a virtual link, the virtual link must exist on routers at both ends of the link. Specifically, you must configure:

  • Area ID—The ID of the OSPF area through which the virtual link passes. You cannot create a virtual link that passes through the backbone area or a stub area.

  • Router ID—The ID of the router at the other end of the virtual link.
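
The rules above can be checked across an inventory before deployment. This added example (not part of the original documentation) validates that each virtual link avoids the backbone and stub areas and exists on both ends; the inventory data model, router IDs and area IDs are constructed, and treating an NSSA like a stub area is an assumption of the sketch.

```python
BACKBONE = "0.0.0.0"

def check_virtual_links(routers):
    """Return a list of problems found in the routers' virtual-link settings.

    routers maps router ID -> {"areas": {area_id: type}, "vlinks": [(area_id, peer_id)]}
    where type is "normal", "stub" or "nssa" (data model assumed for this sketch).
    """
    problems = []
    for rid, cfg in sorted(routers.items()):
        for area, peer in cfg["vlinks"]:
            kind = cfg["areas"].get(area)
            if area == BACKBONE:
                problems.append(f"{rid}: virtual link cannot pass through the backbone area")
            elif kind is None:
                problems.append(f"{rid}: transit area {area} is not configured on this router")
            elif kind != "normal":
                # The page names stub areas; NSSA is treated the same way here.
                problems.append(f"{rid}: transit area {area} is a {kind} area")
            # The link must exist on both ends: the peer needs the mirror entry.
            if peer not in routers:
                problems.append(f"{rid}: peer {peer} is not in the inventory")
            elif (area, rid) not in routers[peer]["vlinks"]:
                problems.append(f"{rid}: peer {peer} has no matching virtual link via {area}")
    return problems

def sample_inventory():
    """Constructed inventory: one correct link, and one through a stub area
    that is also missing on the far end."""
    return {
        "1.1.1.1": {"areas": {BACKBONE: "normal", "0.0.0.1": "normal"},
                    "vlinks": [("0.0.0.1", "2.2.2.2")]},
        "2.2.2.2": {"areas": {"0.0.0.1": "normal", "0.0.0.2": "normal", "0.0.0.3": "stub"},
                    "vlinks": [("0.0.0.1", "1.1.1.1"), ("0.0.0.3", "3.3.3.3")]},
        "3.3.3.3": {"areas": {"0.0.0.3": "stub", "0.0.0.4": "normal"},
                    "vlinks": []},
    }

if __name__ == "__main__":
    for problem in check_virtual_links(sample_inventory()):
        print(problem)
```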