PIX Security Appliance Software Version 6.3 introduces support for dynamic
routing using the OSPF routing protocol. OSPF is widely deployed in large
internetworks because of its efficient use of network bandwidth and its rapid
convergence after changes in topology. Some of the PIX OSPF supported features
are:
- Support for intra-area, interarea, and type 1 and 2 external routes
- Support for virtual links
- Authentication for OSPF packets
- Configuring the PIX Security Appliance as a designated router (DR), area
border router (ABR) and limited autonomous system boundary router (ASBR)
- Support for stub and not so stubby areas (NSSAs)
- ABR type 3 link-state advertisement (LSA) filtering
- Route redistribution
NOTE: OSPF routing is not supported on the PIX Security Appliance 501. OSPF
and RIP cannot be enabled simultaneously on the PIX Security Appliance.
To configure OSPF on the PIX Security Appliance, the administrator must do the
following:
- Enable OSPF
- Define the PIX Security Appliance interfaces on which OSPF runs
- Define OSPF areas
Enable OSPF
To enable OSPF routing, use the router ospf command. The syntax for the
router ospf command is shown in the figure.
The PIX Security Appliance can be configured for one or two processes, or
OSPF routing domains. If the PIX is functioning as an ABR and it is configured
for one process, the PIX will pass type 3 LSAs between the defined OSPF areas.
In the example in the figure, the PIX is configured for one OSPF process,
OSPF 1.
Define Network Interfaces
To define the interfaces on which OSPF runs and the area ID for those
interfaces, use the network area subcommand. The syntax for the network area
command is shown in the figure.
In the example in the figure, the three PIX Security Appliance interfaces are
configured for OSPF. The outside interface, network 1.1.1.0, is configured as
area 0. The DMZ interface, network 2.2.1.0, is configured as network 2.2.0.0.
The inside interface, network 10.0.0.0, is configured as area 10.0.0.0. LSA
type 3 advertisements pass between the three interfaces.
OSPF Processes
Defining a PIX Security Appliance with two OSPF processes enables the PIX to
pass LSA type 3 advertisements between areas but not between processes. In the
example in the figure, there are two defined process areas. OSPF process ID 1
encompasses OSPF area 0. OSPF process ID 2 encompasses areas 10.0.0.0 and
192.168.1.0. With two OSPF processes defined, LSA type 3 advertisements can
pass between areas within a process; for example, between 192.168.1.0 and
10.0.0.0. LSA type 3 advertisements cannot pass between areas defined by
different processes. For example, 10.0.0.0 LSA type 3 advertisements cannot
pass to area 0.
It might be advantageous to use two OSPF processes in the following scenario:
- NAT is used.
- OSPF is operating on the public and private interfaces.
- LSA type 3 advertisement filtering is required.
A maximum of two processes can be defined for each PIX Security
Appliance.
OSPF Areas
To configure two areas, define the router OSPF PID first. Next, define the
networks and areas belonging to the OSPF process ID (PID). In the figure,
there are two OSPF PIDs, OSPF 1 and OSPF 2. OSPF 1 is defined first. Network
1.1.1.0/24 is associated with area 0.
OSPF 2 is configured next. Within OSPF 2, there are two networks, 10.0.0.0
and 192.168.1.0. Network 10.0.0.0/24 is associated with OSPF area 10.0.0.0.
Network 192.168.1.0/24 is associated with area 192.168.1.0. LSA type 3
advertisements can pass between areas of OSPF 2. LSA type 3 advertisements
cannot pass between OSPF 1 and 2.
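The following configuration fragment is an added example and is not one of the course figures. It puts both scenarios described above (the single-process ABR with three areas, and the two-process design that keeps type 3 LSAs from crossing between OSPF 1 and OSPF 2) into PIX 6.3 CLI. The interface names, the host addresses and the 255.255.255.0 masks are assumed; the DMZ area ID 2.2.0.0 is taken from the text; the MD5 authentication lines under routing interface and the area authentication line under router ospf are assumed PIX 6.3 syntax and use a placeholder key. Lines beginning with ! are annotations, not configuration.

```text
! --- Scenario A: one OSPF process, three areas ---
! The PIX is an ABR here: type 3 (summary) LSAs pass between all three areas.
ip address outside 1.1.1.1 255.255.255.0
ip address dmz 2.2.1.1 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
!
! Assumed syntax: MD5 authentication on the inside interface so that only
! neighbors holding the key can form an adjacency with the PIX.
routing interface inside
  ospf authentication message-digest
  ospf message-digest-key 1 md5 <REPLACE-WITH-SHARED-KEY>
!
router ospf 1
  network 1.1.1.0 255.255.255.0 area 0
  network 2.2.1.0 255.255.255.0 area 2.2.0.0
  network 10.0.0.0 255.255.255.0 area 10.0.0.0
  area 10.0.0.0 authentication message-digest
!
! --- Scenario B: two OSPF processes ---
! Type 3 LSAs move between the areas of process 2 (10.0.0.0 <-> 192.168.1.0)
! but never between process 1 (area 0) and process 2; this is the isolation
! the text recommends when NAT sits between the public and private interfaces.
router ospf 1
  network 1.1.1.0 255.255.255.0 area 0
!
router ospf 2
  network 10.0.0.0 255.255.255.0 area 10.0.0.0
  network 192.168.1.0 255.255.255.0 area 192.168.1.0
!
! Verification: confirm each process, its adjacencies, and the learned routes.
show ospf
show ospf neighbor
show route
```

When checking Scenario B with show route, routes learned from area 0 should not appear as OSPF inter-area routes inside process 2, and vice versa; if they do, the network statements have placed an interface in the wrong process. Remember that the PIX allows at most two processes and cannot run RIP while OSPF is enabled.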