Configure IPv4 Routing with OSPF
This topic explains how to configure OSPF on your Firebox.
Before You Begin
Before you begin, make sure you understand the following OSPF requirements and options.
OSPF has these requirements:
- If you have more than one OSPF area, one area must be area 0.0.0.0 (the backbone area).
- All areas must be adjacent to the backbone area. If they are not, you must configure a virtual link to the backbone area.
- The OSPF authentication password must be 1 to 8 characters in length. If you specify a password that includes 9 or more characters, the password is truncated to 8 characters.
If you enable OSPF for a FireCluster, you must set the router-id in the OSPF configuration to the interface IP address used by the cluster. This is to make sure that the routing protocol does not try to use the FireCluster management IP address as the router-id. Do not use the FireCluster management IP address or cluster IP address as the router-id. To set the router-id, use the command ospf router-id <ip-address> in your OSPF configuration.
If your Firebox has multi-WAN enabled, you can configure a loopback interface, and use the IP address of the loopback interface instead of the IP address of the physical interfaces in the dynamic routing configuration. For more information, see Configure a Loopback Interface.
Free Range Routing (Fireware v12.9 or Higher)
In Fireware v12.9 or higher, Fireware uses the Free Range Routing (FRR) routing engine, which replaces Quagga. If your configuration includes Quagga commands for dynamic routing, those commands work after you upgrade. Some FRR commands appear in a different section than in Quagga.
In Fireware v12.9 or higher, you can use a simplified implementation of bidirectional forwarding (BFD). You must configure a firewall policy for BFD traffic and enable BFD in the OSPF or BGP configuration on your Firebox. For information about how to implement BFD, go to Bidirectional Forwarding.
For a routing configuration file sample, go to Sample OSPF Routing Configuration File (FRR).
For a list of commands, go to OSPF Commands (FRR).
Quagga (Fireware v12.8.x or Lower)
Quagga is the routing daemon in Fireware v12.8.x or lower.
For a sample routing configuration file, go to Sample OSPF Routing Configuration File (Quagga).
For a list of commands, see OSPF Commands (Quagga).
Configure OSPF
- Select Network > Dynamic Routing.
The Dynamic Routing page appears.
- Select the Enable Dynamic Routing check box.
- Select the OSPF tab.
- Select the Enable check box.
- Copy and paste your routing daemon configuration file in the text box.
For more information, go to About Sample Routing Configuration Files.
To get started, you must have at least two commands in your OSPF configuration file. These two commands, in this order, start the OSPF process:
router ospf
network <network IP address of the interface you want the process to listen on and distribute through the protocol> area <area ID in x.x.x.x format, such as 0.0.0.0>
- Click Save.
If necessary, Fireware automatically adds the required dynamic routing policy or enables an existing OSPF dynamic routing policy, if one exists.
- Select Network > Dynamic Routing.
The Dynamic Routing Setup dialog box appears.
- Select the Enable Dynamic Routing check box.
- Select the OSPF tab.
- Select the Enable OSPF check box.
- Click Import to import a routing daemon configuration file, or copy and paste your configuration file in the text box.
For more information, go to About Sample Routing Configuration Files.
To get started, you must have at least two commands in your OSPF configuration file. These two commands, in this order, start the OSPF process:
router ospf
network <network IP address of the interface you want the process to listen on and distribute through the protocol> area <area ID in x.x.x.x format, such as 0.0.0.0>
- Click OK.
If an enabled dynamic routing policy does not exist, Policy Manager asks if you want to add the required policy.
- Click Yes to add the required dynamic routing policy.
Policy Manager adds the required dynamic routing policy, or enables an existing OSPF dynamic routing policy, if one exists.
When you enable OSPF, the Firebox automatically creates a dynamic routing policy called DR-OSPF-Allow. This policy is configured to allow OSPF multicasts to the reserved multicast addresses for OSPF. By default, the DR-OSPF-Allow policy allows traffic from the alias Any to the Firebox. As a best practice, we recommend that you edit this policy to add authentication and restrict the policy to listen on only the correct interfaces.
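Before you paste a configuration file in the text box, you can check it against the requirements in Before You Begin and the command order described above. The following Python script is an added example, not WatchGuard code: the function names, the cluster_mgmt_ips parameter, and the sample configuration are hypothetical, and it assumes the 8-character password limit applies to the Quagga/FRR command ip ospf authentication-key.

```python
import ipaddress

def area_id(text):
    """Normalize an area ID to x.x.x.x form (a plain integer is also accepted)."""
    return str(ipaddress.IPv4Address(int(text) if text.isdigit() else text))

def lint_ospf(config, cluster_mgmt_ips=None):
    """Check a pasted OSPF config; cluster_mgmt_ips is given only for a FireCluster."""
    findings, areas = [], set()
    in_router = has_network = has_router_id = False
    banned = {ipaddress.ip_address(a) for a in cluster_mgmt_ips or []}
    for n, raw in enumerate(config.splitlines(), 1):
        words = raw.split()
        if not words or words[0][0] in "!#":      # blank line or comment
            continue
        if words == ["router", "ospf"]:
            in_router = True
        elif words[0] == "network" and len(words) == 4 and words[2] == "area":
            if not in_router:
                findings.append(f"line {n}: network command before 'router ospf'")
            areas.add(area_id(words[3]))
            has_network = True
        elif words[:2] == ["ospf", "router-id"] and len(words) == 3:
            has_router_id = True
            if ipaddress.ip_address(words[2]) in banned:
                findings.append(f"line {n}: router-id is a FireCluster management IP")
        elif words[:3] == ["ip", "ospf", "authentication-key"] and len(words) == 4:
            if len(words[3]) > 8:                  # report the length, never the secret
                findings.append(f"line {n}: password has {len(words[3])} characters, "
                                "truncated to 8")
    if not in_router:
        findings.append("missing 'router ospf'")
    if not has_network:
        findings.append("missing 'network <prefix> area <area ID>'")
    if len(areas) > 1 and "0.0.0.0" not in areas:
        findings.append("more than one area but no backbone area 0.0.0.0")
    if cluster_mgmt_ips is not None and not has_router_id:
        findings.append("FireCluster: 'ospf router-id' is not set")
    return findings

# Constructed sample (not a WatchGuard sample file); addresses are documentation ranges.
SAMPLE = """\
interface eth1
 ip ospf authentication-key S3cretPassw0rd
router ospf
 ospf router-id 203.0.113.10
 network 10.0.1.0/24 area 0.0.0.1
 network 10.0.2.0/24 area 2
"""
```

Call lint_ospf(SAMPLE, cluster_mgmt_ips=["203.0.113.10"]) to get the three findings for the sample: the truncated password, the router-id that matches the management IP address, and the missing backbone area.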
After you configure the Firebox and the OSPF router, you can look at the routes table to verify that the Firebox has received route updates from the OSPF router.
To see the dynamic routes, from Firebox System Manager, select the Status Report tab.
To see dynamic routes, from Fireware Web UI, select System Status > Routes.