Select Reject Default Route if
you do not want to learn any default routes through OSPFv3. This
is the recommended default setting.
Clear Reject Default Route if you
want to permit redistribution of default routes through OSPFv3.
Configure Auth Profile for the OSPFv3 protocol.
OSPFv3 doesn't include any authentication capabilities
of its own; it relies entirely on IPsec to secure communications
between neighbors.
When configuring an authentication profile,
you must use Encapsulating Security Payload (ESP) (recommended)
or IPv6 Authentication Header (AH).
ESP OSPFv3 authentication
On the Auth Profiles tab, Add a
name for the authentication profile to authenticate OSPFv3 messages.
Specify a Security Policy Index (SPI)
(hexadecimal value in the range from 00000000 to FFFFFFFF). The
two ends of the OSPFv3 adjacency must have matching SPI values.
Select ESP for Protocol.
Select a Crypto Algorithm.
You can select None or one of the
following algorithms: SHA1, SHA256, SHA384, SHA512,
or MD5.
If a Crypto Algorithm other
than None was selected, enter a value for Key and
then confirm.
AH OSPFv3 authentication
On the Auth Profiles tab, Add a
name for the authentication profile to authenticate OSPFv3 messages.
Specify a Security Policy Index (SPI).
The SPI must match between both ends of the OSPFv3 adjacency. The
SPI number must be a hexadecimal value between 00000000 and FFFFFFFF.
Select AH for Protocol.
Select a Crypto Algorithm.
You must enter one of the following algorithms: SHA1, SHA256, SHA384, SHA512,
or MD5.
Enter a value for Key and then
confirm.
Click OK.
Click OK again in the Virtual
Router - OSPF Auth Profile dialog.
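The profile rules from this step, as an added example (not the vendor's code or a firewall export format): a Python check to run over both neighbors' profiles before committing them. The dict layout and function names are assumptions; comparing protocol, algorithm and key in addition to the SPI goes beyond the text above and reflects that manually keyed IPsec needs all of them to agree on both ends.

```python
import hmac
import re

# Values taken from the procedure above; the dict layout is an assumption.
ALGORITHMS = {"SHA1", "SHA256", "SHA384", "SHA512", "MD5"}
# Assumes the 8-digit form shown on the page: 00000000 to FFFFFFFF.
SPI_RE = re.compile(r"[0-9A-Fa-f]{8}")


def check_profile(p):
    """Return rule violations for one auth profile (hypothetical dict layout)."""
    errs = []
    if not SPI_RE.fullmatch(p.get("spi", "")):
        errs.append("SPI must be 8 hex digits (00000000-FFFFFFFF)")
    proto, algo = p.get("protocol"), p.get("algorithm")
    if proto not in ("ESP", "AH"):
        errs.append("protocol must be ESP or AH")
    if algo == "None":
        if proto == "AH":  # None is offered for ESP only
            errs.append("AH requires a crypto algorithm")
    elif algo not in ALGORITHMS:
        errs.append("unknown crypto algorithm")
    elif not p.get("key"):
        errs.append("key required when an algorithm is selected")
    return errs


def check_adjacency(a, b):
    """Validate both ends, then compare the settings the neighbors must share."""
    errs = [f"local: {e}" for e in check_profile(a)]
    errs += [f"peer: {e}" for e in check_profile(b)]
    if a.get("spi", "").upper() != b.get("spi", "").upper():
        errs.append("SPI mismatch between neighbors")
    for field in ("protocol", "algorithm"):
        if a.get(field) != b.get(field):
            errs.append(f"{field} mismatch between neighbors")
    # Constant-time comparison so the check itself does not leak key bytes.
    if not hmac.compare_digest(a.get("key", "").encode(), b.get("key", "").encode()):
        errs.append("key mismatch between neighbors")
    return errs


# Constructed sample profiles, not real configuration.
LOCAL = {"spi": "0000ABCD", "protocol": "ESP", "algorithm": "SHA256", "key": "constructed-key-1"}
PEER_OK = dict(LOCAL, spi="0000abcd")
PEER_BAD = dict(LOCAL, spi="0000ABCE", protocol="AH", algorithm="None", key="")

if __name__ == "__main__":
    for finding in check_adjacency(LOCAL, PEER_BAD):
        print(finding)
```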
Configure Areas - Type for the OSPFv3 protocol.
On the Areas tab, Add an Area
ID. This is the identifier that each neighbor must accept
to be part of the same area.
On the General tab, select
one of the following from the area Type list:
Normal—There are no restrictions;
the area can carry all types of routes.
Stub—There is no outlet from the area.
To reach a destination outside of the area, it is necessary to go
through the border, which connects to other areas. If you select
this option, configure the following:
Accept Summary—Link state advertisements (LSA) are accepted
from other areas. If this option on a stub area Area Border Router
(ABR) interface is disabled, the OSPF area will behave as a Totally
Stubby Area (TSA) and the ABR will not propagate any summary LSAs.
Advertise Default Route—Default route
LSAs will be included in advertisements to the stub area along with
a configured metric value in the configured range 1-255.
NSSA (Not-So-Stubby Area)—The firewall
can leave the area only by routes other than OSPF routes. If selected,
configure Accept Summary and Advertise
Default Route as described for Stub.
If you select this option, configure the following:
Type—Select
either Ext 1 or Ext 2 route
type to advertise the default LSA.
Ext Ranges—Add ranges
of external routes that you want to enable or suppress advertising for.
Associate an OSPFv3 authentication profile to an area
or an interface.
To an Area
On the Areas tab,
select an existing area from the table.
On the General tab, select
a previously defined Authentication Profile from
the Authentication list.
Click OK.
To an Interface
On the Areas tab,
select an existing area from the table.
Select the Interface tab and Add the
authentication profile you want to associate with the OSPF interface
from the Auth Profile list.
Click OK.
Click OK again to save the area
settings.
(Optional) Configure Export Rules.
On the Export Rules tab,
select Allow Redistribute Default Route to
permit redistribution of default routes through OSPFv3.
Click Add.
Enter the Name; the value must
be a valid IPv6 subnet or valid redistribution profile name.
Select New Path Type, Ext
1 or Ext 2.
Specify a New Tag for the matched
route, using a 32-bit value in dotted-decimal notation.
Assign a Metric to the new
rule (range is 1-16,777,215).
Click OK.
Configure Advanced OSPFv3 options.
On the Advanced tab,
select Disable Transit Routing for SPF Calculation if
you want the firewall to participate in OSPF topology distribution
without being used to forward transit traffic.
Specify a value for the SPF Calculation
Delay (sec) timer, which allows you to tune the delay
time (in seconds) between receiving new topology information and
performing an SPF calculation. Lower values enable faster OSPF re-convergence.
Routers peering with the firewall should use the same delay value
to optimize convergence times.
Specify a value for the LSA Interval (sec) timer,
which is the minimum time (in seconds) between transmissions of
two instances of the same LSA (same router, same type, same LSA
ID). This is equivalent to MinLSInterval in RFC 2328. Lower values
can be used to reduce re-convergence times when topology changes
occur.