Configuring OSPF - Gaia Portal

To configure OSPF in Gaia Portal:

  1. Click the Network Management > Network interfaces page.
  2. Configure the applicable Ethernet Interfaces and assign IP addresses to these interfaces.
  3. Click the Advanced Routing > OSPF page.
  4. Optional: Configure the OSPF Instances.
  5. Define the Router ID.
  6. Define other Global Options.
  7. Optional: Define additional OSPF Areas (in addition to the backbone area).
  8. Optional: For each OSPF Area, you can add one or more IP address ranges, if you want to reduce the number of routing entries that the OSPF Area advertises into the OSPF backbone.

    Note - To prevent an address range from being advertised into the backbone, select Restrict for the address range.

  9. Configure OSPF Interfaces.
  10. Configure virtual links for any area that does not connect directly to the backbone area.

Configuring OSPF Router ID

The Router ID uniquely identifies the router in the autonomous system. The router ID is used by the BGP and OSPF protocols. We recommend that you set the router ID and not rely on the default setting. This way, the router ID does not change if the interface used for the router ID goes down. Use an address on a loopback interface that is not the loopback address (127.0.0.1).

Note - In a cluster, you must select a router ID and make sure that it is the same on all cluster members.

Configuring Global Settings

The table below shows the global settings that you can specify for OSPF.

In the tree view, click Configuration > Routing Configuration > OSPF and scroll down to these fields.

Global Options for OSPF

Parameter

Description

SPF Delay

Specifies the time in seconds the system waits to recalculate the OSPF routing table after a change in topology.

  • Default: 2.
  • Range: 1-60.

SPF Hold Time

Specifies the minimum time in seconds between recalculations of the OSPF routing table.

  • Default: 5.
  • Range: 1-60.

Default ASE Route Cost

Specifies a cost for routes redistributed into OSPF as ASE (AS external) routes. A cost already assigned to a redistributed route overrides this value.

Default ASE Route Type

Specifies a route type for routes redistributed into OSPF as ASE (AS external) routes, unless these routes already have a type assigned.

There are two types:

  • Type 1 external: Used for routes imported into OSPF which are from IGPs whose metrics are directly comparable to OSPF metrics. When a routing decision is made, OSPF adds the internal cost to the AS border router to the external metric.
  • Type 2 external: Used for routes whose metrics are not comparable to OSPF internal metrics. In this case, only the external OSPF cost is used. In the event of ties, the least cost to an AS border router is used.

RFC1583 Compatibility

This implementation of OSPF is based on RFC 2178, which fixed some looping problems in the earlier specification of OSPF (RFC 1583). If this gateway runs in an environment with OSPF implementations based on RFC 1583 or earlier, enable RFC 1583 compatibility to ensure backward compatibility.

  • Default: Selected

Graceful Restart Helper

When a neighbor announces that it is restarting gracefully, this gateway acts as a helper: it keeps the adjacency and the routes learned from that neighbor until the neighbor re-establishes the adjacency or the grace period the neighbor announced expires (OSPF graceful restart, RFC 3623).

  • Default: Cleared

Graceful Restart

Signals to the neighboring routers that the Security Gateway or the cluster member is restarting and that it continues to forward data packets while it does so. This helps neighboring routers keep the Security Gateway or cluster member in the forwarding path.

  • Default: Cleared

Force Hellos

When OSPF is configured with a low dead interval, or with many OSPF neighbors or OSPF routes, the router can become too busy to send OSPF hello packets on time. Dead timers then expire on the neighbors and cause outages. With Force Hellos enabled, OSPF sends additional hello packets at the specified intervals while it processes updates or synchronizes routes. These hello packets are in addition to the regular OSPF hello packets.

  • Default: Cleared

Configuring OSPF Areas

This table lists the parameters for areas and global settings that you use when configuring OSPF on your system. As you add areas, each is displayed with its own configuration parameters under the Areas section.

OSPF Normal Type Area Configuration Parameters

Parameter

Description

Add Address Range

You can configure any area with any number of address ranges. Use these ranges to reduce the number of routing entries that a given area emits into the backbone and, through it, into all other areas. If one IPv4 prefix aggregates a number of more specific prefixes within an area, you can configure that prefix as a range so that it becomes the only prefix advertised into the backbone for those networks. Be careful with an address range that covers address space not contained within the area: the whole range is advertised as reachable through this router, including the parts that the area cannot actually deliver. By definition, an address range consists of an IPv4 address and a mask length.

Note - To prevent a specific IPv4 prefix from being advertised into the backbone, select Restrict.

Add Stub Network

OSPF can advertise reachability to IPv4 prefixes that are not running OSPF by configuring them as stub networks. The advertised prefix appears as an OSPF internal route and can be filtered at area borders with the OSPF area ranges. The prefix must be directly reachable on the router where the stub network is configured; that is, one of the router's interface addresses must fall within the prefix for it to be included in the router-LSA. To advertise a single host, specify a mask length of 32.

This feature also supports advertising an IPv4 address and mask that is activated by the local address of a point-to-point interface. To advertise reachability to such an address, enter the IP address and a cost with a value other than zero.

Area Type

For descriptions of area types, see Types of Areas.

  • Options: Normal/Stub/NSSA.

Stub Area Parameters

The following stub area configuration parameters appear if you define the area as a stub area.

Parameter

Description

Cost for Default Route

Enter a cost for the default route to the stub area.

  • Range: 1-16777215.
  • Default: No default.

Import Summary Routes

Specifies if summary routes (summary link advertisements) are imported into the stub area or NSSA. Each summary link advertisement describes a route to a destination outside the area, yet still inside the AS (i.e. an inter-area route). These include routes to networks and routes to AS boundary routers.

  • Default: Selected.

NSSA (Not So Stubby Area) Parameters

The following table describes the configuration parameters for NSSA areas. These fields appear if you define the area as an NSSA (Not So Stubby Area). For more information on NSSA, see RFC 3101.

Parameter

Description

Translator Role

Specifies whether this NSSA border router unconditionally translates Type-7 LSAs into Type-5 LSAs. When the role is Always, Type-7 LSAs are translated into Type-5 LSAs regardless of the translator state of other NSSA border routers. When the role is Candidate, this router participates in the translator election to determine whether it performs the translation duties. If this NSSA router is not a border router, this option has no effect.

  • Default: Candidate.

Translator Stability Interval

Specifies how long in seconds this elected Type-7 translator will continue to perform its translator duties once it has determined that its translator status has been assumed by another NSSA border router. This field appears only if an area is defined as an NSSA with translator role as Candidate.

  • Default: 40 seconds.

Import Summary Routes

Specifies if summary routes (summary link advertisements) are imported into the stub area or NSSA. Each summary link advertisement describes a route to a destination outside the area, yet still inside the AS (i.e. an inter-area route). These include routes to networks and routes to AS boundary routers.

  • Default: On.

Cost for Default Route

Enter a cost associated with the default route to the NSSA.

Default Route Type

Specifies the route type of the Type-7 default route that this router originates into the NSSA when routes from other protocols are redistributed into OSPF as ASE (AS external) routes. If a redistributed route already has a route type, that type is kept. A Type-7 default route is generated only if summary routes are imported into the NSSA; otherwise a Type-3 default route is generated. This field appears only if an area is defined as an NSSA into which summary routes are imported.

The route type can be either 1 or 2. With a type 1 route, the external metric is comparable to OSPF internal metrics, and OSPF adds the internal cost to the NSSA border router when it compares routes. With a type 2 route, the external metric is not comparable and is used on its own, without the internal cost (see Default ASE Route Type above).

  • Default: 1

Redistribution

Specifies if both Type-5 and Type-7 LSAs or only Type-7 LSAs will be originated by this router. This option will have effect only if this router is an NSSA border router and this router is an AS border router.

  • Default: On

Type 7 Address Ranges

An NSSA border router that performs translation duties translates Type-7 LSAs to Type-5 LSAs. An NSSA border router can be configured with Type-7 address ranges. Use these ranges to reduce the number of Type-5 LSAs. Many separate Type-7 networks may fall into a single Type-7 address range. These Type-7 networks are aggregated and a single Type-5 LSA is advertised. By definition, a Type-7 address range consists of a prefix and a mask length.

Note - To prevent a specific prefix from being advertised, select On in the Restrict field next to the entry for that prefix.
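The address-range behavior described under Add Address Range and, for NSSAs, under Type 7 Address Ranges, as an added example in Python (illustrative code written for this page, not Gaia's implementation). It models one area's intra-area prefixes with their costs and the ranges configured for that area, computes what the ABR would advertise into the backbone with Restrict honored, and quantifies the part of an over-wide range that the area cannot actually deliver, which is the caveat the table raises. The prefixes, costs and ranges are constructed; the function names are this example's own; the discard route mentioned in the comments is what most OSPF implementations install for an active range, and whether Gaia does so is not stated on this page.

```python
"""OSPF area address ranges: what an ABR summarizes into the backbone.
Added example for this page; not Check Point code."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network


@dataclass(frozen=True)
class AddressRange:
    """One configured range: a prefix (address plus mask length) and the Restrict flag."""
    prefix: IPv4Network
    restrict: bool = False   # Restrict = suppress the range instead of advertising it


def matching_range(prefix, ranges):
    """Most specific configured range that covers the prefix, or None if no range does."""
    hits = [r for r in ranges if prefix.subnet_of(r.prefix)]
    return max(hits, key=lambda r: r.prefix.prefixlen) if hits else None


def summarize_into_backbone(area_prefixes, ranges):
    """Summary-LSAs the ABR originates into area 0 for one non-backbone area.

    area_prefixes: {intra-area prefix: OSPF cost}; ranges: list of AddressRange.
    - A prefix inside an active range is replaced by the range, which is advertised
      once with the largest component cost (RFC 2328 section 12.4.3).
    - A prefix inside a Restrict range is suppressed entirely.
    - A prefix no range covers is advertised as-is.
    Returns (advertised {prefix: cost}, suppressed [prefix]).
    """
    advertised, suppressed = {}, []
    for prefix, cost in area_prefixes.items():
        rng = matching_range(prefix, ranges)
        if rng is None:
            advertised[prefix] = cost
        elif rng.restrict:
            suppressed.append(prefix)
        else:
            advertised[rng.prefix] = max(cost, advertised.get(rng.prefix, 0))
    return advertised, suppressed


def blackholed_space(rng, area_prefixes):
    """Part of a range that the ABR advertises but the area cannot deliver.

    This is the hazard behind the page's warning about a range that covers space
    not contained in the area: the whole range attracts traffic to this ABR, and most
    implementations install a discard route for an active range, so packets to the
    uncovered part are dropped here instead of following a more specific route.
    """
    remaining = [rng.prefix]
    for comp in area_prefixes:
        nxt = []
        for r in remaining:
            if comp.subnet_of(r):
                nxt.extend(r.address_exclude(comp))   # carve the component out
            elif not r.subnet_of(comp):
                nxt.append(r)                         # disjoint: untouched
            # else: r lies entirely inside comp, so it is reachable and drops out
        remaining = nxt
    return sorted(remaining)


# Constructed sample: one area's intra-area routes and the ranges configured for it.
AREA_PREFIXES = {
    ip_network("10.1.0.0/24"): 10,
    ip_network("10.1.1.0/24"): 20,
    ip_network("10.1.2.0/24"): 5,
    ip_network("10.2.5.0/24"): 1,
    ip_network("192.168.9.0/24"): 3,
}
RANGES = [
    AddressRange(ip_network("10.1.0.0/16")),                    # aggregate three /24s
    AddressRange(ip_network("192.168.0.0/16"), restrict=True),  # never leaks into area 0
]

if __name__ == "__main__":
    adv, sup = summarize_into_backbone(AREA_PREFIXES, RANGES)
    for net, cost in sorted(adv.items()):
        print(f"summary-LSA {net} cost {cost}")
    print("suppressed by Restrict:", [str(n) for n in sup])
    for net in blackholed_space(RANGES[0], AREA_PREFIXES):
        print(f"advertised inside {RANGES[0].prefix} but unreachable within the area: {net}")
```

Run it as a script to see the three 10.1.x.0/24 networks collapse into one 10.1.0.0/16 summary at cost 20 while 192.168.9.0/24 is suppressed; the last loop lists the seven subnets of 10.1.0.0/16 that the range claims but the area does not contain, which is exactly the check worth running before you widen a range.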

Configuring OSPF Interfaces

To configure an OSPF interface:

  1. In the Edit Interface window, assign the appropriate Area to each interface by selecting the OSPF area that this interface participates in.

    The OSPF interface configuration parameters are displayed showing the default settings. If you want to accept the default settings for the interface, no further action is necessary.

  2. Optional: Change any configuration parameters for the interface.

    Note - The hello interval, dead interval, and authentication method must be the same for all routers on the link.

Configuration Parameters for OSPF Interfaces

Parameter

Description

Area

The drop-down list displays all of the areas configured and enabled on your platform. An entry for the backbone area is displayed even if it is disabled.

An OSPF area defines a group of routers running OSPF that have the complete topology information of the given area. OSPF areas use an area border router (ABR) to exchange information about routes. Routes for a given area are summarized into the backbone area for distribution into other non-backbone areas. An ABR must have at least two interfaces in at least two different areas.

For information on adding an area, see Configuring OSPF Areas.

Hello Interval

Specifies the length of time in seconds between hello packets that the router sends on this interface. For a given link, this value must be the same on all routers, or adjacencies do not form.

  • Range: 1-65535 in seconds
  • Default: For broadcast interfaces, the default hello interval is 10 seconds. For point-to-point interfaces, the default hello interval is 30 seconds.

Router Dead Interval

Specifies the number of seconds after the router stops receiving hello packets that it declares the neighbor is down.

  • Recommended value: Four times the hello interval. For a given link, this value must be the same on all routers, or adjacencies do not form. The value must not be 0.
  • Range: 1-65535 in seconds.
  • Default: For broadcast interfaces, the default dead interval is 40 seconds. For point-to-point interfaces, the default dead interval is 120 seconds.

Retransmit Interval

Specifies the number of seconds between LSA retransmissions for this interface. This value is also used when retransmitting database description and link state request packets. Set this value well above the expected round-trip delay between any two routers on the attached network. Be conservative when setting this value to prevent unnecessary retransmissions.

  • Range: 1-65535 in seconds.
  • Default: 5.

Link Cost

Specifies the weight of a given path in a route. The higher the cost you configure, the less preferred the link as an OSPF route. For example, you can assign different relative costs to two interfaces to make one more preferred as a routing path. You can explicitly override this value in route redistribution.

  • Range: 1-65535.
  • Default: 1.

Election Priority

Specifies the priority for becoming the designated router (DR) on this link. When two routers attached to a network both attempt to become a designated router, the one with the highest priority wins. If there is a current DR on the link, it remains the DR regardless of the configured priority. This feature prevents the DR from changing too often and applies only to a shared-media interface, such as Ethernet. A DR is not elected on point-to-point type interfaces. A router with priority 0 is not eligible to become the DR.

  • Range: 0-255.
  • Default: 1.

Passive

Specifies that the interface does not send hello packets, which means that the link does not form any adjacencies. This mode enables the network associated with the interface to be included in the intra-area route calculation rather than redistributing the network into OSPF and having it as an ASE. In passive mode, all interface configuration information, with the exception of the associated area and the cost, is ignored.

  • Options: On or Off.
  • Default: Off.

Subtract Authlen

Subtracts the authentication length from Database Description (DD) packets when MD5 authentication is configured. Use this only for interoperability with older IPSO-based peers that expect this behavior.

Use Virtual Address

Makes OSPF run only on the VRRP Virtual IP address associated with this interface. If this router is not a VRRP master, then OSPF will not run if this option is On. It will only run on the VRRP master. For more information, see Configuring Monitored-Circuit VRRP.

  • Options: On or Off.
  • Default: Off.

IP Reachability Detection

Sets Bidirectional Forwarding Detection for OSPFv2 peers. You can set Bidirectional Forwarding Detection (BFD) on each OSPF Security Gateway and cluster member that sends or receives BFD packets.

Before you begin:

  • Make sure the firewall policy passes UDP port 3784 in both directions.
  • Make sure the SmartConsole topology is correct (issues with incorrect firewall topology can cause anti-spoofing to interfere with BFD traffic).

Default: Cleared.

Authentication Mode

Specifies which type of authentication scheme to use for a given OSPF link. This feature guarantees that routing information is accepted only from trusted routers.

All routers on an OSPF interface or link must agree on the OSPF authentication settings to form OSPF adjacencies. With cryptographic authentication, the sender computes a keyed checksum (a message digest or message authentication code) over the OSPF packet with the authentication key and appends it to the packet. The receiver recomputes the checksum with its own copy of the key and discards the packet if the result does not match. In addition, the receiver keeps a cryptographic sequence number per neighbor to reject replayed older OSPF packets.

Options are:

  • None: Does not authenticate OSPF packets.

    This is the default option.

  • Simple: Provides little protection, because the key is sent in the clear, and it is possible to capture packets from the network and learn the authentication key. Uses an alphanumeric key from 1 to 8 characters.

  • Cryptographic: Provides much stronger protection with the OSPFv2 HMAC-SHA authentication (RFC 5709). Authentication guarantees that routing information is accepted only from trusted routers. This OSPFv2 HMAC-SHA authentication is backward-compatible with the OSPFv2 MD5 authentication feature.

    For cryptographic authentication, you must configure at least one key - with Key ID, Algorithm, and Secret.

    If you configure multiple keys:

    • When transmitting OSPF packets, Gaia uses the key with the highest Key ID and includes a message digest or message authentication code computed with that key in the outgoing packet, so that receivers can authenticate it.
    • When receiving OSPF packets, Gaia accepts any of the configured keys: the Key ID carried in the packet selects the key used to verify it. This is what lets you add a new key on every router before you remove the old one.

    Configuration:

    • Key ID - Enter an integer value from 1 to 255.
    • Algorithm - Select a cryptographic authentication algorithm. The available algorithms are listed in the decreasing order of their cryptographic strength:

      Important - Both OSPF sides must agree on these settings for the OSPF authentication to work.

      • hmac-sha-512 - Provides a cryptographic SHA-512 hash based on the configured secret.
      • hmac-sha-384 - Provides a cryptographic SHA-384 hash based on the configured secret.
      • hmac-sha-256 - Provides a cryptographic SHA-256 hash based on the configured secret. We recommend this algorithm for best interoperability.
      • hmac-sha-1 - Provides a cryptographic SHA-1 hash based on the configured secret.
      • md5 - Provides a keyed MD5 digest (the legacy OSPFv2 cryptographic authentication of RFC 2328, Appendix D) based on the configured key. Use it only for interoperability with peers that do not support the HMAC-SHA algorithms.
    • Secret - Enter a shared secret for cryptographic authentication.
      • For HMAC - Alphanumeric key from 1 to 80 characters.
      • For MD5 - Alphanumeric key from 1 to 16 characters.

Configuring OSPF Virtual Links

You must configure a virtual link for any area that does not connect directly to the backbone area. You configure the virtual link on both the ABR for the discontiguous area and another ABR that does connect to the backbone.

The virtual link acts like a point-to-point link. The routing protocol traffic that flows along the virtual link uses intra-area routing only.

To configure a virtual link:

  1. Create a Normal Type area (which does not connect directly to the backbone area) and configure an interface to be in that area.
  2. In the Virtual Links section, click Add.
  3. In the Add Virtual Link window, enter the Remote Router ID of the remote endpoint of the virtual link.
  4. Select the Transit Area. This is the area that connects both to the backbone and to the discontiguous area.
  5. Configure the following parameters for the virtual link:
    • Hello Interval - Specifies the number of seconds between hello packets that the router sends on the interface. For a given link, this field must be the same on all routers or adjacencies do not form.
      • Default: 30.
    • Router Dead Interval - Number of seconds after the router stops receiving hello packets that it declares the neighbor is down. Typically, the value of this field should be four times that of the hello interval. For a given link, this value must be the same on all routers, or adjacencies do not form. The value must not be zero.
      • Range: 1-65535.
      • Default: 120.
    • Retransmit Interval - Specifies the number of seconds between LSA retransmissions for adjacencies belonging to this interface. This value is also used when retransmitting database description and link state request packets. Set this value well above the expected round-trip delay between any two routers on the attached network. Be conservative when setting this value to prevent unnecessary retransmissions.
      • Range: 1-65535.
      • Default: 5.
    • Authentication Mode - Specifies which type of authentication scheme to use for a given OSPF link. This feature guarantees that routing information is accepted only from trusted routers.

      See the table below.

      All routers on an OSPF interface or link must agree on the OSPF authentication settings to form OSPF adjacencies. With cryptographic authentication, the sender computes a keyed checksum (a message digest or message authentication code) over the OSPF packet with the authentication key and appends it to the packet. The receiver recomputes the checksum with its own copy of the key and discards the packet if the result does not match. In addition, the receiver keeps a cryptographic sequence number per neighbor to reject replayed older OSPF packets.

  6. Repeat this procedure on both the ABR for the discontiguous area and an ABR that connects to the backbone area.

Authentication Modes

Mode

Description

None

Does not authenticate OSPF packets.

This is the default option.

Simple

Provides little protection, because the key is sent in the clear, and it is possible to capture packets from the network and learn the authentication key. Uses an alphanumeric key from 1 to 8 characters.

Cryptographic

Provides much stronger protection with the OSPFv2 HMAC-SHA authentication (RFC 5709). Authentication guarantees that routing information is accepted only from trusted routers. This OSPFv2 HMAC-SHA authentication is backward-compatible with the OSPFv2 MD5 authentication feature.

For cryptographic authentication, you must configure at least one key - with Key ID, Algorithm, and Secret.

If you configure multiple keys:

  • When transmitting OSPF packets, Gaia uses the key with the highest Key ID and includes a message digest or message authentication code computed with that key in the outgoing packet, so that receivers can authenticate it.
  • When receiving OSPF packets, Gaia accepts any of the configured keys: the Key ID carried in the packet selects the key used to verify it. This is what lets you add a new key on every router before you remove the old one.

Configuration:

  • Key ID - Enter an integer value from 1 to 255.
  • Algorithm - Select a cryptographic authentication algorithm. The available algorithms are listed in the decreasing order of their cryptographic strength:

    Important - Both OSPF sides must agree on these settings for the OSPF authentication to work.

    • hmac-sha-512 - Provides a cryptographic SHA-512 hash based on the configured secret.
    • hmac-sha-384 - Provides a cryptographic SHA-384 hash based on the configured secret.
    • hmac-sha-256 - Provides a cryptographic SHA-256 hash based on the configured secret. We recommend this algorithm for best interoperability.
    • hmac-sha-1 - Provides a cryptographic SHA-1 hash based on the configured secret.
    • md5 - Provides a keyed MD5 digest (the legacy OSPFv2 cryptographic authentication of RFC 2328, Appendix D) based on the configured key. Use it only for interoperability with peers that do not support the HMAC-SHA algorithms.
  • Secret - Enter a shared secret for cryptographic authentication.
    • For HMAC - Alphanumeric key from 1 to 80 characters.
    • For MD5 - Alphanumeric key from 1 to 16 characters.
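The authentication mechanics described under Authentication Mode in the interface table and in the Authentication Modes table above, as an added example in Python (written for this page, not Check Point code). A constructed OSPFv2 Hello is signed with the RFC 5709 construction: the key is prepared as Ko, the Apad constant stands in for the trailer while hashing, the 64-bit authentication field carries the Key ID, the Auth Data Length and the cryptographic sequence number, and the HMAC is appended after the packet. The receiver side does what a router with several configured keys must: it selects the key by the Key ID in the packet (so every configured key is accepted on receipt while the sender uses the highest Key ID), compares the MAC in constant time, and drops a sequence number below the last one seen from that neighbor (RFC 2328, Appendix D.4.3). The same Hello in Simple mode shows why that mode gives little protection. The keyring, router IDs, sequence numbers and packet contents are constructed; the function names are this example's own; that Gaia's on-the-wire MAC matches this computation byte for byte is assumed rather than verified here; and the packet checksum is left at zero, as RFC 5709 requires with cryptographic authentication.

```python
"""OSPFv2 packet authentication: Simple vs Cryptographic (RFC 2328 Appendix D, RFC 5709).
Added example for this page; not Check Point code."""
import hashlib
import hmac
import socket
import struct

# The HMAC algorithms offered on this page, mapped to hashlib constructors.
ALGORITHMS = {
    "hmac-sha-1": hashlib.sha1,
    "hmac-sha-256": hashlib.sha256,
    "hmac-sha-384": hashlib.sha384,
    "hmac-sha-512": hashlib.sha512,
}
AUTYPE_SIMPLE, AUTYPE_CRYPTO = 1, 2   # AuType values in the OSPF header


def prepare_key(secret: bytes, hashfn) -> bytes:
    """Ko (RFC 5709 section 3.2): the secret hashed down or zero-padded to the hash output length L."""
    L = hashfn().digest_size
    if len(secret) > L:
        return hashfn(secret).digest()
    return secret.ljust(L, b"\x00")


def apad(hashfn) -> bytes:
    """Apad (RFC 5709 section 3.3): 0x878FE1F3 repeated to L octets, hashed in place of the trailer."""
    return b"\x87\x8f\xe1\xf3" * (hashfn().digest_size // 4)


def hello_packet(router_id: str, area_id: str, au_type: int, auth_field: bytes) -> bytes:
    """Constructed OSPFv2 Hello: 24-byte header (RFC 2328 A.3.1) + 20-byte body (A.3.2).
    Checksum stays zero, which RFC 5709 requires with cryptographic authentication."""
    assert len(auth_field) == 8
    body = struct.pack("!4sHBBI4s4s", socket.inet_aton("255.255.255.0"),
                       10, 0x02, 1, 40, bytes(4), bytes(4))   # mask, hello, options, prio, dead, DR, BDR
    header = struct.pack("!BBH4s4sHH", 2, 1, 24 + len(body),
                         socket.inet_aton(router_id), socket.inet_aton(area_id), 0, au_type)
    return header + auth_field + body


def sign_hello(router_id: str, area_id: str, keyring: dict, seq: int) -> bytes:
    """Sender: use the highest Key ID (as this page says Gaia does), fill the auth field with
    0, Key ID, Auth Data Len and the sequence number, then append HMAC(Ko, packet || Apad)."""
    key_id = max(keyring)
    alg, secret = keyring[key_id]
    hashfn = ALGORITHMS[alg]
    auth_field = struct.pack("!HBBI", 0, key_id, hashfn().digest_size, seq)
    packet = hello_packet(router_id, area_id, AUTYPE_CRYPTO, auth_field)
    mac = hmac.new(prepare_key(secret, hashfn), packet + apad(hashfn), hashfn).digest()
    return packet + mac


def verify_hello(data: bytes, keyring: dict, last_seq: int):
    """Receiver: returns (accepted, sequence number to remember for this neighbor).
    The Key ID in the packet selects the key, so any configured key is accepted on receipt.
    A sequence number below the last one seen is treated as a replay (RFC 2328 D.4.3)."""
    if len(data) < 24:
        return False, last_seq
    version, _ptype, length, _rid, _aid, _csum, au_type = struct.unpack("!BBH4s4sHH", data[:16])
    _zero, key_id, auth_len, seq = struct.unpack("!HBBI", data[16:24])
    if version != 2 or au_type != AUTYPE_CRYPTO or key_id not in keyring:
        return False, last_seq
    alg, secret = keyring[key_id]
    hashfn = ALGORITHMS[alg]
    if auth_len != hashfn().digest_size or len(data) != length + auth_len:
        return False, last_seq
    expected = hmac.new(prepare_key(secret, hashfn), data[:length] + apad(hashfn), hashfn).digest()
    if not hmac.compare_digest(expected, data[length:]):
        return False, last_seq
    if seq < last_seq:
        return False, last_seq
    return True, seq


def simple_hello(router_id: str, area_id: str, password: bytes) -> bytes:
    """Simple authentication: the 1-8 character password rides in the clear in the auth field."""
    return hello_packet(router_id, area_id, AUTYPE_SIMPLE, password.ljust(8, b"\x00"))


def sniff_simple_password(data: bytes) -> bytes:
    """What anyone capturing a single Simple-auth packet on the segment learns."""
    return data[16:24].rstrip(b"\x00")


# Constructed keyring with two keys, as during a key rollover: Key ID 2 is used to send,
# Key ID 1 is still accepted from neighbors that have not been updated yet.
KEYRING = {1: ("hmac-sha-1", b"old-rollover-key"), 2: ("hmac-sha-256", b"correct horse battery staple")}

if __name__ == "__main__":
    pkt = sign_hello("10.0.0.1", "0.0.0.0", KEYRING, seq=1700000000)
    print("sent with Key ID", pkt[18], "accepted:", verify_hello(pkt, KEYRING, 0))
    tampered = bytearray(pkt)
    tampered[28] ^= 1                       # flip one bit of the Hello Interval
    print("tampered accepted:", verify_hello(bytes(tampered), KEYRING, 0)[0])
    print("replayed accepted:", verify_hello(pkt, KEYRING, 1700000001)[0])
    print("Simple-mode password on the wire:", sniff_simple_password(simple_hello("10.0.0.1", "0.0.0.0", b"s3cret")))
```

Two points the code makes concrete: the receiver never guesses which key was used, the Key ID in the packet decides, which is why adding the new key everywhere before deleting the old one does not break adjacencies; and, because RFC 2328 accepts a sequence number equal to the last one seen, replaying the most recent packet is not stopped by the sequence number alone, so the per-neighbor counter is a replay limiter rather than a strict nonce.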