PIX Security Appliance Routing Capabilities
OSPF

PIX Security Appliance Software Version 6.3 introduces support for dynamic routing using the OSPF routing protocol. OSPF is widely deployed in large internetworks because of its efficient use of network bandwidth and its rapid convergence after changes in topology. Some of the OSPF features supported on the PIX are:

  • Support for intra-area, interarea, and type 1 and 2 external routes
  • Support for virtual links
  • Authentication for OSPF packets
  • Configuring the PIX Security Appliance as a designated router (DR), area border router (ABR) and limited autonomous system boundary router (ASBR)
  • Support for stub and not so stubby areas (NSSAs)
  • ABR type 3 link-state advertisement (LSA) filtering
  • Route redistribution
NOTE: OSPF routing is not supported on the PIX Security Appliance 501. OSPF and RIP cannot be enabled simultaneously on the PIX Security Appliance.

To configure OSPF on the PIX Security Appliance requires the administrator to do the following:

  • Enable OSPF
  • Define the PIX Security Appliance interfaces on which OSPF runs
  • Define OSPF areas

Enable OSPF
To enable OSPF routing, use the router ospf command. The syntax for the router ospf command is shown in Figure .

The PIX Security Appliance can be configured for one or two processes, or OSPF routing domains. If the PIX is functioning as an ABR and it is configured for one process, the PIX will pass type 3 LSA between defined OSPF areas. In the example in Figure , the PIX is configured for one OSPF process, OSPF 1.

Define Network Interfaces
To define the interfaces on which OSPF runs and the area ID for those interfaces, use the network area subcommand.

The syntax for the network area command is shown in Figure .

In the example in Figure , the three PIX Security Appliance interfaces are configured for OSPF. The outside interface, network 1.1.1.0, is configured as area 0. The DMZ interface, network 2.2.1.0, is configured as network 2.2.0.0. The inside interface, network 10.0.0.0, is configured as area 10.0.0.0. LSA type 3 advertisements pass between the three interfaces.

OSPF Processes
Defining a PIX Security Appliance with two OSPF processes enables the PIX to pass LSA type 3 advertisements between areas but not between processes. In the example in Figure , there are two defined process areas. OSPF process ID 1 encompasses OSPF area 0. OSPF process ID 2 encompasses areas 10.0.0.0 and 192.168.1.0. With two OSPF processes defined, LSA type 3 advertisements can pass between areas within a process, for example between 192.168.1.0 and 10.0.0.0. LSA type 3 advertisements cannot pass between areas defined by different processes. For example, 10.0.0.0 LSA type 3 advertisements cannot pass to area 0.

It might be advantageous to use two OSPF processes for the following scenario:

  • NAT is used.
  • OSPF is operating on the public and private interfaces.
  • LSA type 3 advertisement filtering is required.

A maximum of two processes can be defined for each PIX Security Appliance.

OSPF Areas
To configure two areas, first define the OSPF process ID (PID) with the router ospf command. Next, define the networks and areas belonging to that PID. In Figure , there are two OSPF PIDs, OSPF 1 and OSPF 2. OSPF 1 is defined first. Network 1.1.1.0/24 is associated with area 0.

OSPF 2 is configured next. Within OSPF 2, there are two networks, 10.0.0.0 and 192.168.1.0. Network 10.0.0.0/24 is associated with OSPF area 10.0.0.0. Network 192.168.1.0/24 is associated with area 192.168.1.0. LSA type 3 advertisements can pass between areas of OSPF 2. LSA type 3 advertisements cannot pass between OSPF 1 and 2.
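The two-process configuration described above, written out as an added example (constructed here, not taken from the course figure). The authentication lines are an assumed extra that uses the PIX 6.3 `area ... authentication` and `routing interface` commands, which the page does not show; the key value is a placeholder.

```cisco
! Constructed PIX 6.3 example: two OSPF processes so that type 3 LSAs
! from the private side never leak into area 0 on the public side.
!
! Process 1: public side only (outside interface, 1.1.1.0/24 in area 0).
router ospf 1
  network 1.1.1.0 255.255.255.0 area 0
  ! Assumed extra: require MD5 authentication for all routers in area 0
  ! so an unauthenticated neighbor cannot inject routes on the outside.
  area 0 authentication message-digest
!
! Process 2: private side. Type 3 LSAs pass between area 10.0.0.0 and
! area 192.168.1.0 inside this process, but not across to process 1.
router ospf 2
  network 10.0.0.0 255.255.255.0 area 10.0.0.0
  network 192.168.1.0 255.255.255.0 area 192.168.1.0
!
! Assumed extra: per-interface MD5 key for the outside interface
! (PIX 6.3 "routing interface" submode). Replace the placeholder key.
routing interface outside
  ospf authentication message-digest
  ospf message-digest-key 1 md5 REPLACE-WITH-SHARED-SECRET
!
! Checks after configuring (PIX 6.3 show commands):
!   show ospf neighbor   -> outside neighbor should reach FULL under process 1
!   show route           -> 10.0.0.0 and 192.168.1.0 learned via process 2 only,
!                           and no private prefixes advertised into area 0
```

With NAT in use, the private prefixes learned by process 2 stay internal while process 1 advertises only what belongs to area 0, which is the filtering effect the two-process design is meant to provide.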