OSPF Overview

Route propagation and greatly reduced route convergence times are two of the many benefits
of using OSPF. OSPF is widely deployed in large internetworks because of its
efficient use of network bandwidth and its rapid convergence after changes in topology. The
Cisco Security Appliance implementation supports intra-area, interarea, and external routes.
The distribution of static routes to OSPF processes and route redistribution between OSPF
processes are also included.
An OSPF router that has interfaces in multiple areas is called an Area Border Router (ABR).
A router that redistributes traffic or imports external routes (Type 1 or Type 2) between
routing domains is called an Autonomous System Boundary Router (ASBR). An ABR uses
link-state advertisements (LSAs) to send information about available routes to other OSPF
routers. Using ABR Type 3 LSA filtering, you can have separate private and public areas,
with the Security Appliance acting as an ABR. Type 3 LSAs (interarea routes) can be filtered
from one area to another. This lets you use NAT and OSPF together without advertising
private networks.
The Security Appliance OSPF supported features are as follows:
■ Support for intra-area, interarea, and external routes
■ Support for virtual links
■ Authentication for OSPF packets
■ The capability to configure the Security Appliance as a designated router, ABR, and
limited ASBR
■ ABR Type 3 LSA filtering
■ Support for stub and not-so-stubby areas (NSSAs)
■ Route redistribution

OSPF Commands
To configure OSPF on your Security Appliance, you use various commands. To enable OSPF
on your PIX Firewall, you use the router ospf command. The syntax is as follows:
router ospf pid
The pid is a unique identifier for the OSPF routing process, in the range from 1
to 65,535. Each OSPF routing process on a single Security Appliance must have a unique
pid, and Security Appliance Version 6.3 supports a maximum of two different OSPF routing
processes.
After you issue the router ospf command, the Security Appliance command prompt enters a
subcommand mode indicated by a command prompt similar to the following:
pix515a(config-router)#
In subcommand mode, you can configure various OSPF parameters (see Table 11-9).
NOTE Your Cisco Security Appliance can filter only Type 3 LSAs. If you configure your
Security Appliance to function as an ASBR in a private network, then information about
your private networks will be sent to the public interfaces, because Type 5 LSAs describing
private networks will be flooded to the entire autonomous system (including the public
areas) unless you configure two separate OSPF processes.
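
The NOTE above can be turned into a configuration check. The following is an added example, not code from the book or from Cisco: it reads saved configuration text and flags an OSPF process that redistributes routes (acts as an ASBR) while holding both private and public networks, the case where unfilterable Type 5 LSAs reach the public areas. The function names, the sample configurations, the indented subcommand layout, and the use of RFC 1918 ranges to mean "private" are assumptions.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed configs. 192.0.2.0/24 (documentation range) stands in for a public network.
LEAKY = """\
router ospf 1
 network 10.1.1.0 255.255.255.0 area 1
 network 192.0.2.0 255.255.255.0 area 0
 redistribute static
"""
SPLIT = """\
router ospf 1
 network 10.1.1.0 255.255.255.0 area 1
 redistribute static
router ospf 2
 network 192.0.2.0 255.255.255.0 area 0
"""

def parse_ospf(config):
    """Map each pid to its network statements and whether it redistributes (ASBR)."""
    procs, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        head = re.fullmatch(r"router ospf (\d+)", line)
        net = re.fullmatch(r"network (\S+) (\S+) area \S+", line)
        if head:
            cur = procs.setdefault(int(head.group(1)), {"networks": [], "asbr": False})
        elif cur is None or not raw[:1].isspace():
            cur = None  # an unindented line ends the router ospf block
        elif net:
            cur["networks"].append(ipaddress.ip_network(f"{net.group(1)}/{net.group(2)}"))
        elif line.startswith("redistribute"):
            cur["asbr"] = True
    return procs

def audit(config):
    """Return findings for the process limit and the Type 5 exposure in the NOTE."""
    procs = parse_ospf(config)
    findings = []
    if len(procs) > 2:
        findings.append("more than two OSPF processes configured")
    for pid, p in sorted(procs.items()):
        private = [n for n in p["networks"] if any(n.subnet_of(r) for r in RFC1918)]
        public = [n for n in p["networks"] if n not in private]
        if p["asbr"] and private and public:
            findings.append(f"pid {pid}: ASBR process spans private and public networks")
    return findings
```

Calling audit(LEAKY) reports the single-process layout, while audit(SPLIT), which places the private and public networks in two separate OSPF processes, returns no findings.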