Configuring OSPF Interface Parameters Overview
By default, OSPF is disabled on all interfaces in the VR. You must enable OSPF on an interface before OSPF can use that interface to transmit or receive packets. When you disable OSPF on an interface, OSPF neither transmits nor receives packets on that interface, but the interface's OSPF configuration parameters are preserved.
For instructions on configuring OSPF settings on the virtual router and on the interface, see the Network and Security Manager Online Help.
You can enable OSPF on Ethernet and tunnel interfaces. When configuring OSPF on a tunnel interface, you can configure additional parameters to keep OSPF tunnel traffic to a minimum.
The OSPF interface parameters are displayed in Table 1.
Table 1: OSPF Interface Parameters
Bind to Area
Select a previously created area to bind the interface to that area. By default, all interfaces are bound to area 0, the backbone area.
Cost
Configure the metric for the interface. OSPF sums the costs of the interfaces along a path to compute the route metric, so the cost should reflect the bandwidth of the link to which the interface is connected: the higher the bandwidth, the lower (more desirable) the cost value.
Hello Interval
Configure the number of seconds between the hello packets the interface sends to the network. By default, the interface sends one hello packet every 10 seconds.
Priority
Configure the router priority that the interface advertises in its hello packets for the designated router (DR) and backup designated router (BDR) election on the segment. The router with the highest priority is the most likely to be elected, although election is not guaranteed because an existing DR is not preempted. A priority of 0 makes the router ineligible for election on that segment.
Retransmit Interval
Configure the number of seconds that elapse before the interface resends an LSA to a neighbor that has not acknowledged it. By default, the interface resends an unacknowledged LSA every 5 seconds.
Transit Delay
Configure the estimated number of seconds needed to transmit a link-state update packet over this interface. OSPF adds this value to the age of each LSA it floods on the interface so that the LSA age stays accurate. By default, the transit delay is 1 second.
Configuring Interface Link Type
Configure the link type, which determines how the interface forms adjacencies with other routers (whether it elects a designated router and backup designated router for the segment or forms a direct adjacency with each neighbor):
Enable Reduction in LSA Flooding (ScreenOS 5.1 and later only)
Select to suppress LSA packets. When this option is enabled, the device sends LSA packets only when the LSA content has changed. By default, this option is disabled.
Configure to Ignore MTU Mismatch in DB Exchange (ScreenOS 5.1 and later only)
Select to ignore mismatches in maximum transmission unit (MTU) values between the local and remote interfaces that are detected during OSPF database description exchange. Without this option, a database description packet that advertises an interface MTU larger than the local interface can accept is rejected and the adjacency does not form. Use this option only when the MTU on the local interface is lower than the MTU on the remote interface, and be aware that link-state updates from the neighbor that exceed the local MTU may then be fragmented or dropped; after enabling it, verify that the adjacency reaches the Full state and that the link-state databases actually synchronize.
Interface OSPF Passive Mode
Select to prevent the interface from transmitting or receiving OSPF packets. The subnet of the interface is still advertised into the OSPF domain as an internal OSPF route rather than as an external route. You might want to select this option when BGP is also enabled on the interface. Passive mode is also the safest setting for an interface that faces a network containing no OSPF routers, because no device on that network can form an adjacency through it.
On ScreenOS 5.1 and later, you can also configure a tunnel interface as an OSPF demand circuit. An OSPF demand circuit is a network segment on which connect time or usage affects the cost of using the connection. When traversing a demand circuit, the security device limits routing protocol traffic to changes in network topology: it suppresses periodic OSPF hello packets and the periodic refresh flooding of LSAs.
To configure an interface as a demand circuit:
The interface link type must be point-to-point or serial; you cannot configure a point-to-multipoint interface as a demand circuit.
You must configure both ends of the tunnel as demand circuits.
Configuring OSPF Neighbors
Two routers with interfaces on the same subnet are neighbors. Routers use the hello protocol to discover and maintain neighbors. When each router sees itself listed in the other's hello packets, the two have bidirectional (two-way) communication; when they then synchronize their link-state databases, they have established an adjacency. Only adjacent routers exchange routing information. By default, the OSPF routing instance on the virtual router accepts hello packets from, and forms adjacencies with, any OSPF router on an OSPF-enabled interface.
You can configure the following settings for neighbors on the interface:
Neighbor Dead Interval—Enter the number of seconds that may elapse without a hello packet from an OSPF neighbor before OSPF declares the neighbor down. By default, OSPF declares a neighbor dead after 40 seconds, four times the default hello interval.
Add/Edit/Delete Neighbor (Ethernet Interface Only)—To limit which devices on an interface can form adjacencies with the OSPF routing instance, define the subnets that contain eligible OSPF neighbors. Only hosts or routers whose source addresses fall in the specified subnets can form adjacencies with the OSPF routing instance. This is a source-address filter, not authentication: it keeps out a router on a different subnet, but a device on the permitted subnet, or one spoofing an address in it, is stopped only by OSPF authentication (see Configuring OSPF Authentication).
Two routers can form an adjacency only if their hello interval, dead interval, area ID, authentication settings and, on broadcast links, network mask match; a hello packet that disagrees on any of these is silently discarded, and a neighbor that never appears is a common symptom of a timer mismatch. The retransmit interval is local to each router and does not have to match, although it is usually configured identically on both ends.
Configuring OSPF Authentication
OSPF packets, including LSAs, are not encrypted, so any protocol analyzer on the segment can decode them, and without authentication any device on the segment can inject forged hello packets or LSAs, become a neighbor, and corrupt the routing table. Authenticating OSPF neighbors protects against that injection. MD5 authentication appends a keyed digest to every packet, so a router that does not hold the key can neither forge packets nor alter them in flight; a simple (clear text) password is itself carried in every packet and therefore keeps out only devices that have not captured it. Neither method hides the contents of OSPF packets from an observer.
When authentication is enabled, the device discards all unauthenticated OSPF packets received on the interface. By default, authentication is disabled.
To enable authentication, select one of the following authentication methods:
Clear Text Authentication—To use a simple password for authentication, select this option and enter the password. The password travels unencrypted in the header of every OSPF packet, so anyone who can capture traffic on the segment can recover it; prefer MD5 authentication wherever the neighbor supports it.
All passwords handled by NSM are case-sensitive.
Multiple MD5 Authentication—To use MD5 keys for authentication, select this option, and then configure the active MD5 key.
To use an existing MD5 key, select the key ID as the active MD5 key ID.
To add a new MD5 key, click the Add icon and configure a key ID for the new MD5 key.
The sending and receiving OSPF routers must be configured with the same MD5 key under the same key ID; a packet whose digest does not verify under the key configured for its key ID is discarded. Configuring multiple keys lets you roll over to a new key by adding it on both routers before making it the active key.
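The checks described in this section and in Configuring OSPF Neighbors above can be seen together in a short model of the receiving side of the protocol. The following Python is an added example written for this page; it is not ScreenOS or NSM code. It builds OSPFv2 Hello packets as laid out in RFC 2328 (null, simple-password and MD5 cryptographic authentication) and then applies, in order, the checks a receiving router makes before a Hello can start a neighbor relationship: the configured neighbor subnets, the MD5 digest and cryptographic sequence number, and the area, network mask, hello interval and dead interval match. The addresses 192.0.2.0/24 and 198.51.100.9, the key "s3cr3t-key" under key ID 1 and the password "hunter2" are constructed for the demonstration.

```python
import hashlib
import hmac
import ipaddress
import struct

# OSPFv2 wire constants from RFC 2328. Constructed example; not ScreenOS or NSM code.
OSPF_V2, TYPE_HELLO = 2, 1
AU_NONE, AU_SIMPLE, AU_CRYPTO = 0, 1, 2
HDR = struct.Struct("!BBHIIHH8s")  # version, type, length, router ID, area ID, checksum, AuType, auth field
HELLO = struct.Struct("!IHBBIII")  # mask, HelloInterval, options, priority, RouterDeadInterval, DR, BDR

def _ip(addr):
    return int(ipaddress.IPv4Address(addr))

def _ip_checksum(data):
    # One's-complement checksum (RFC 1071); the OSPF header checksum for AuType 0 and 1.
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def hello_body(mask, hello_int, dead_int, priority=1):
    # Hello body (A.3.2) with the E option bit set and no DR, BDR or neighbors yet.
    return HELLO.pack(_ip(mask), hello_int, 0x02, priority, dead_int, 0, 0)

def build_hello(router_id, area_id, body, auth=None, key_id=0, seq=0):
    # auth=None gives AuType 0, ("simple", password) AuType 1, ("md5", key) AuType 2.
    length, rid, aid = HDR.size + len(body), _ip(router_id), _ip(area_id)
    if auth is not None and auth[0] == "md5":
        # Appendix D: auth field = 0, key ID, auth data length 16, cryptographic sequence number;
        # checksum is zero; MD5(packet || key zero-padded to 16 bytes) follows the packet, outside its length.
        auth_field = struct.pack("!HBBI", 0, key_id, 16, seq)
        pkt = HDR.pack(OSPF_V2, TYPE_HELLO, length, rid, aid, 0, AU_CRYPTO, auth_field) + body
        return pkt + hashlib.md5(pkt + auth[1].encode().ljust(16, b"\x00")).digest()
    autype = AU_NONE if auth is None else AU_SIMPLE
    auth_field = b"\x00" * 8 if auth is None else auth[1].encode().ljust(8, b"\x00")
    # The checksum skips the auth field; a simple password rides in the clear in bytes 16..23.
    zeroed = HDR.pack(OSPF_V2, TYPE_HELLO, length, rid, aid, 0, autype, b"\x00" * 8) + body
    return HDR.pack(OSPF_V2, TYPE_HELLO, length, rid, aid, _ip_checksum(zeroed), autype, auth_field) + body

class Interface:
    # Local interface configured for MD5 authentication, plus the receiver-side Hello checks.
    def __init__(self, mask, area_id, hello_int, dead_int, md5_keys, neighbor_subnets=()):
        self.mask, self.area_id, self.hello_int, self.dead_int = _ip(mask), _ip(area_id), hello_int, dead_int
        self.md5_keys = md5_keys  # key ID -> key; the sending router must hold the same entry
        self.subnets = [ipaddress.ip_network(s) for s in neighbor_subnets]
        self.last_seq = {}        # source IP -> last accepted cryptographic sequence number

    def accept_hello(self, src_ip, packet):
        # Returns None if the Hello may start a neighbor relationship, else the drop reason.
        if self.subnets and not any(ipaddress.ip_address(src_ip) in n for n in self.subnets):
            return "source not in configured neighbor subnets"
        _ver, _type, length, _rid, aid, _cksum, autype, auth_field = HDR.unpack_from(packet)
        # Every unauthenticated packet is dropped before its contents are looked at, so a
        # forged or altered Hello never reaches the parameter checks below.
        if autype != AU_CRYPTO:
            return "unauthenticated packet discarded"
        _, key_id, auth_len, seq = struct.unpack("!HBBI", auth_field)
        key = self.md5_keys.get(key_id)
        if key is None or auth_len != 16:
            return "unknown key ID"
        expected = hashlib.md5(packet[:length] + key.encode().ljust(16, b"\x00")).digest()
        if not hmac.compare_digest(expected, packet[length:length + 16]):
            return "bad MD5 digest"
        if seq < self.last_seq.get(src_ip, 0):  # D.4.3: the sequence number must not go backwards
            return "replayed sequence number"
        self.last_seq[src_ip] = seq
        if aid != self.area_id:
            return "area ID mismatch"
        mask, hello_int, _opts, _pri, dead_int, _dr, _bdr = HELLO.unpack_from(packet, HDR.size)
        if mask != self.mask or hello_int != self.hello_int or dead_int != self.dead_int:
            return "network mask, HelloInterval or RouterDeadInterval mismatch"
        return None

def demo():
    # Constructed exchange on 192.0.2.0/24: local router holds key ID 1, hello 10 s, dead 40 s.
    keys = {1: "s3cr3t-key"}
    local = Interface("255.255.255.0", "0.0.0.0", 10, 40, keys, ["192.0.2.0/24"])
    body = hello_body("255.255.255.0", 10, 40)
    md5 = ("md5", keys[1])
    good = build_hello("192.0.2.2", "0.0.0.0", body, auth=md5, key_id=1, seq=100)
    tampered = bytearray(good)
    tampered[HDR.size + 7] = 255  # raise the priority byte in flight; the digest no longer matches
    results = {
        "valid": local.accept_hello("192.0.2.2", good),
        "tampered": local.accept_hello("192.0.2.2", bytes(tampered)),
        "replay": local.accept_hello("192.0.2.2", build_hello("192.0.2.2", "0.0.0.0", body, auth=md5, key_id=1, seq=99)),
        "wrong_key": local.accept_hello("192.0.2.3", build_hello("192.0.2.3", "0.0.0.0", body, auth=("md5", "guess"), key_id=1)),
        "outside_subnet": local.accept_hello("198.51.100.9", good),
        "timers": local.accept_hello("192.0.2.4", build_hello("192.0.2.4", "0.0.0.0", hello_body("255.255.255.0", 5, 20), auth=md5, key_id=1)),
        "no_auth": local.accept_hello("192.0.2.5", build_hello("192.0.2.5", "0.0.0.0", body)),
    }
    # AuType 1 gives no secrecy: the password is readable from the header of a captured packet.
    plain = build_hello("192.0.2.6", "0.0.0.0", body, auth=("simple", "hunter2"))
    results["sniffed_password"] = plain[16:24].rstrip(b"\x00").decode()
    return results
```

demo() returns a dictionary keyed by scenario: the genuine neighbor is accepted (None), while the packet altered in flight, the one signed with the wrong key, the one with a lower sequence number, the one from outside the permitted subnet, the one with a 5-second hello interval and the unauthenticated one are each returned with the reason they were dropped; the last entry shows the clear-text password recovered straight from the header bytes. The ordering matters: the cheap source-subnet filter runs first, the digest is verified before any field of the body is trusted, and only then are the timers compared, which is why a timer mismatch on an authenticated neighbor is reported separately from a forgery.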