IPv6 OSPF

In This Section:

Open Shortest Path First (OSPF) is a link-state routing protocol that calculates forwarding tables in an IP-based internetwork. OSPF is the preferred Interior Gateway Protocol (IGP) for Check Point.

OSPF supports IPv6. OSPF for IPv6 is also referred to as OSPF version 3 (OSPFv3). OSPFv3 is defined in RFC 5340 (which makes RFC 2740 obsolete).

OSPFv3 is supported by both VRRP and ClusterXL clusters.

The IPv6 address which appears in the source of OSPF packets sent on the interface must be a link-local address, that is, an FE80::/64 address. A link-local address is automatically added to each interface when IPv6 is enabled on Gaia.

The address is unique per interface and has this format:

Bytes 0..1: FE:80.
Bytes 2..7: Zeros.
Bytes 8..10: 00:1C:7F (Check Point’s OUI).
Bytes 11: Zeros.
Bytes 12..15: IPv4 VIP address

You can override the automatic Link-Local address with manual configuration. The addresses are used for next hops, to advertise routes, and to send hello messages. OSPF advertises the IPv6 addresses defined by the user, but OSPF exchanges routes which use the FE80 addresses. A /64 address is required by the OSPFv3 protocol. If the peer router does not use an FE80::/64 address, OSPFv3 does not work.

OSPFv2 is used with IPv4. See OSPF.

Configuring IPv6 OSPF - Gaia Portal

OSPFv3 has almost the same configuration parameters as OSPFv2.

To configure IPv6 OSPF in Gaia Portal:

Click the Network Management > Network interfaces page.
Configure Ethernet Interfaces and assign an IP address to the interfaces.
Click the Advanced Routing > IPv6 OSPF page.
Optional: Configure OSPFv3 multiple instances.
Define the Router ID.
Define other Global Options.
Optional: Define additional OSPF Areas (in addition to the backbone area).
Optional: For each area, you can add one or more address ranges if you want to reduce the number of routing entries that the area advertises into the backbone.

Note - To prevent an address range from being advertised into the backbone, select Restrict for the address range.
Configure OSPF Interfaces.

Configuring IPv6 OSPF Router ID

A number that uniquely defines the router in a routing domain. Best Practice - We recommend that you select an IP address which exists in the unit, because the OSPF Router ID inherently makes it unique. We recommend that you set the Router ID rather than rely on the system to pick on it based on an IP address. This way, the router ID does not change if the interface used for the router ID goes down.

Range: Dotted-quad.([0-255].[0-255].[0-255].[0-255]). Do not use 0.0.0.0.
Default: A non-loopback IPv4 address assigned to the loopback interface, if available. Otherwise the system selects an IPv4 address from the list of active interfaces.

Configuring IPv6 OSPF Global Options

Configure these IPv6 OSPF global parameters:

Parameter	Description
SPF Delay	The time (in seconds) the system waits before it recalculates the OSPF routing table after a change in the topology. Default: 2. Range: 1-60.
SPF Hold Time	The minimum time (in seconds) between recalculations of the OSPF routing table. Default:5. Range: 1-60.
Default ASE Route Cost	When routes from other protocols are redistributed into OSPF as ASs, they are assigned this configured cost unless a cost was specified for the individual route. Range: 1-16777215. Default: 1.
Default ASE Route Type	When routes from other protocols are redistributed into OSPF as ASs, they are assigned this route type, unless a type was specified for the individual route. ASE ASs can be type 1 or type 2. Type 1: Used for routes imported into OSPF which are from IGPs whose metrics are directly comparable to OSPF metrics. When a routing decision is made, OSPF adds the internal cost to the AS border router to the external metric. Type 2: Used for routes whose metrics are not comparable to OSPF internal metrics. In this case, only the external OSPF cost is used. In the event of ties, the least cost to an AS border router is used. Range: Type 1, Type 2 Default: 1.
RFC 1583 Compatibility	This implementation of OSPF is based on RFC2178, which fixed some looping problems in an earlier specification of OSPF. If your implementation is running in an environment with OSPF implementations based on RFC1583 or earlier, enable RFC 1583 compatibility to ensure backwards compatibility. Default: Selected.
Graceful Restart Helper	Routes received from the peer are preserved if the peer goes down, until the session is re-established (an OPEN message is received from the peer after it comes back up) or the graceful restart timer expires. Default: Cleared
Graceful Restart	Signals the neighboring routers that the Security Gateway or the cluster member restarts, and that it can forward data packets. This helps neighboring routers keep the Security Gateway or cluster member in the forwarding path. Default: Cleared
Force Hellos	When OSPF is configured with a low dead interval or too many OSPF neighbors or OSPF routes, routers can become too busy to send the OSPF hello packets on time. This can cause OSPF dead timers to expire on neighbors and cause outages. With the Forced Hellos feature enabled, OSPF sends out hello packets at specified intervals when it processes updates or synchronizes routes. These hello packets are in addition to the regular OSPF hello packets. Default: Cleared.

Configuring IPv6 OSPF Areas

Configure these IPv6 OSPF Area parameters.

The Areas section shows the IPv6 OSPF parameters of each area.

Add/Edit Area

Parameter	Description
Area	For the name of the area, choose an IPv4 address (preferred) or an integer.
Area Type	A Stub Area is an area in which there are no Autonomous System External (ASE) routes. ASE routes are routes to destinations external to the AS. Note: The backbone area cannot be a stub area. NSSA Areas are not supported. Range: Normal, Stub Default: Normal

Parameter

Description

Area

For the name of the area, choose an IPv4 address (preferred) or an integer.

Area Type

A Stub Area is an area in which there are no Autonomous System External (ASE) routes. ASE routes are routes to destinations external to the AS.

Note: The backbone area cannot be a stub area. NSSA Areas are not supported.

Range: Normal, Stub
Default: Normal

Stub Area Parameters

These parameters show if you define the area as a stub area.

Parameter	Description
Cost for Default Route	The cost for the default route to the stub area. Range: 1-16777215. Default: 1.
Import Summary Routes	ASE routes or summary routes are imported in to the area. When the user clears this option, the area becomes totally stubby Default: Routes are imported. Area is initially not totally stubby.

Parameter

Description

Cost for Default Route

The cost for the default route to the stub area.

Range: 1-16777215.
Default: 1.

Import Summary Routes

ASE routes or summary routes are imported in to the area. When the user clears this option, the area becomes totally stubby

Default: Routes are imported. Area is initially not totally stubby.

Add/Edit Address Ranges

Parameter	Description
IPv6 address/Mask length	You can configure an area with any number of address ranges. Address ranges are used to reduce the number of routing entries that a given area emits into the backbone (and therefore all) areas. An address range is defined by a prefix and a mask length. If a given prefix aggregates a number of more specific prefixes within an area, then an address range can be configured and will be the only prefix advertised into the backbone. Be careful when you configure an address range that covers parts of a prefix that are not contained within the area. Otherwise, these prefixes will not be advertised into the backbone.
Restrict	Prevent an advertisement of an address into the backbone. Range: Selected (Restrict), Deselected (Do not restrict)

Parameter

Description

IPv6 address/Mask length

You can configure an area with any number of address ranges. Address ranges are used to reduce the number of routing entries that a given area emits into the backbone (and therefore all) areas.

An address range is defined by a prefix and a mask length. If a given prefix aggregates a number of more specific prefixes within an area, then an address range can be configured and will be the only prefix advertised into the backbone. Be careful when you configure an address range that covers parts of a prefix that are not contained within the area. Otherwise, these prefixes will not be advertised into the backbone.

Restrict

Prevent an advertisement of an address into the backbone.

Range: Selected (Restrict), Deselected (Do not restrict)

Add/Edit Stub Network

Parameter	Description
IPv6 address/Mask length	OSPF can advertise reachability to prefixes that do not run OSPF by configuring a stub network. The advertised prefix shows as an OSPF internal route and can be filtered at area borders with the OSPF area ranges. The prefix must be directly reachable on the router where the stub network is configured (that is, one of the routers interface addresses must fall in the prefix) in order to be included in the router-LSA. Stub hosts are configured by specifying a mask length of 128. An address range is defined by a prefix and a mask length. A prefix and mask can be advertised. That can be activated by the local address of a point-to-point interface. To advertise reachability to such an address, enter an IP address for the prefix and a non-zero cost for the prefix.
Cost	The cost associated with the stub network. The higher the cost, the less preferred the prefix as an OSPF route. Range: 1-65535 Default: No default

Parameter

Description

IPv6 address/Mask length

OSPF can advertise reachability to prefixes that do not run OSPF by configuring a stub network. The advertised prefix shows as an OSPF internal route and can be filtered at area borders with the OSPF area ranges. The prefix must be directly reachable on the router where the stub network is configured (that is, one of the routers interface addresses must fall in the prefix) in order to be included in the router-LSA. Stub hosts are configured by specifying a mask length of 128.

An address range is defined by a prefix and a mask length. A prefix and mask can be advertised. That can be activated by the local address of a point-to-point interface. To advertise reachability to such an address, enter an IP address for the prefix and a non-zero cost for the prefix.

Cost

The cost associated with the stub network. The higher the cost, the less preferred the prefix as an OSPF route.

Range: 1-65535
Default: No default

Configuring IPv6 OSPF Interfaces

To configure an IPv6 OSPF interface:

In the Add/Edit Interface window, assign the appropriate Area to each interface by selecting the OSPF area that this interface participates in.
The OSPF interface configuration parameters are displayed showing the default settings. If you want to accept the default settings for the interface, no further action is necessary.
(Optional) Change any configuration parameters for the interface.

Note - The hello interval and dead interval must be the same for all routers on the link. Authentication is not supported for IPv6 OSPF interfaces.

Add/Edit Area

Parameter	Description
Interface	The interfaces for OSPF configuration. An interface must have an area associated with it in order to become active in OSPF.
Area	The OSPF area to which the interface belongs. An OSPF area defines a group of routers which run OSPF and have the complete topology information of the area. OSPF areas use an area border router to exchange information about routes. Routes for a given area are summarized into the backbone area for distribution into other non-backbone areas. An area border router (ABR) is one that has at least two interfaces in at least two different areas. One of those areas must be the backbone or the router must have a virtual link configured. OSPF forces a hub and spoke topology of areas, while the backbone area always being the hub. Range: All areas currently configured. Default: None.
Hello interval	The time, in seconds, between hello packets that the router sends on the interface. For a given link, this must be the same on all routers, or adjacencies will not be created. Range: 1-65535 (seconds). Default: For broadcast interfaces, the default is 10 seconds. For point-to-point interfaces, the default is 30 seconds.
Router Dead interval	The number of seconds after a router stops receiving hello packets that it declares the neighbor is down. Typically, the value of this field is four times the size of the hello interval. For a given link, this field must be the same on all routers, or adjacencies will not be created. The value must not be zero. Range: 1-65535 (seconds). Default: For broadcast interfaces, the default is 40 seconds. For point-to-point interfaces, the default is 120 seconds.
Retransmit interval	The number of seconds between LSA retransmissions, for adjacencies which belong to this interface. Also used during the retransmission of Database Description and Link State Request Packets. This should be well over the expected round-trip delay between any two routers on the attached network. The setting of this value must be conservative, or needless retransmissions will result. Range: 1-65535 (seconds). Default: 5.
Link Cost	The weight of a given path in a route. The higher the cost, the less preferred the link. You may explicitly override this setting in route redistribution. To use one interface over another for routing paths, give one a higher cost. Range: 1-65535. Default: 1.
Election Priority	The priority to become the designated router (DR) on this link. When two routers attached to a network both attempt to become a designated router, the one with the highest priority wins. If there is currently an elected DR on the link, it remains the DR regardless of the configured priority. This feature prevents too frequent changes in the DR. This field is only relevant on a shared-media interface (Ethernet), as a DR is not elected on point-to-point type interfaces. A router with priority 0 is not eligible to become the designated router. Range: 0-255. Default: 1.
Passive	An interface in passive mode does not send hello packets out of the given interface. This means no adjacencies are formed on the link. The purpose of passive mode is to make it possible for the network associated with the interface to be included in the intra-area route calculation. In non-passive mode, the network is redistributed into OSPF and is an ASE. In passive mode, all interface configuration information is ignored, with the exception of the associated area and the cost. Default: Cleared
Use Virtual Address	Directs OSPFv3 to use the VRRPv3 virtual link-local address as the source of its control packets. When enabled, OSPFv3 runs on the interface only while the local router is the master with respect to a VRRPv3 state machine on the interface. Note: The VRRPv3 state machine must back-up an IPv6 link-local address that is not auto-configured on the interface. Default: Cleared
IP Reachability Detection	Sets Bidirectional Forwarding Detection for OSPFv3 peers. You can set Bidirectional Forwarding Detection (BFD) on each OSPFv3 Security Gateway and cluster member that sends or receives BFD packets. Before you begin: Make sure the firewall policy passes UDP port 3784 in both directions. Make sure the SmartConsole topology is correct (issues with incorrect firewall topology can cause anti-spoofing to interfere with BFD traffic). Default: Cleared.