Fireware “How To” Dynamic Routing Introduction

Transcription

Fireware “How To” Dynamic Routing Introduction
Fireware “How To”
Dynamic Routing
How do I configure my Firebox to use OSPF?
Introduction
A routing protocol is the language a router speaks with other routers to share information about the status of network routing tables. With static routing, routing tables are set and do not change. If a router on the remote path fails,
a packet cannot get to its destination.
Dynamic routing lets routing tables in routers change as the routes change. If the best path to a destination cannot
be used, dynamic routing protocols change routing tables when necessary to keep your network traffic moving.
Fireware™ Pro gives support to RIP v1 and v2, OSPF, and BGP v4 dynamic routing protocols.
OSPF (Open Shortest Path First) is an interior routing protocol used in larger networks. With OSPF, a router that sees
a change to its routing table or that detects a change in the network immediately sends a multicast update to all
other routers in the network. OSPF is different from RIP because:
• OSPF sends only the part of the routing table that has changed in its transmission. RIP sends the full routing
table each time.
• OSPF sends a multicast only when its information has changed. RIP sends the routing table every 30 seconds.
Is there anything I need to know before I start?
To use any of the dynamic routing protocols with Fireware, you must import or type a dynamic routing configuration
file for the routing daemon you choose. This configuration file includes information such as a password and log file
name. You can find a sample BGP configuration file in this FAQ:
https://www.watchguard.com/support/advancedfaqs/fw_dynroute-ex.asp
Notes about configuration files:
• The “!” and the “#” characters are comment characters. If the first character of the word is one of the comment
characters, then the rest of the line is interpreted as a comment. If the comment character is not the first
character of the word, it is interpreted as a command.
• Usually, you can use the word “no” at the beginning of the line to disable a command. For example: “no network
10.0.0.0/24 area 0.0.0.0” disables the backbone area on the specified network.
There are also a few specific things it is important to understand about OSFP:
• If you have multiple OSPF areas, one area must be area 0.0.0.0 (the backbone area).
• All areas must be adjacent to the backbone area. If they are not adjacent to the backbone area, you must
configure a virtual link to the backbone area.
Supported OSPF routing commands to use in your routing daemon configuration file
To create or modify a routing configuration file, here is a catalog of supported routing commands. The sections must
appear in the configuration file in the same order they appear in this table.
Section
Command
Description
Configure Interface
1
ip ospf authentication-key [PASSWORD]
Set OSPF authentication password
interface eth[N]
Begin section to set properties for
interface
ip ospf message-digest-key [KEY-ID] md5 [KEY]
Set MD5 authentication key ID and
key
Section
Command
Description
ip ospf cost [1-65535]
Set link cost for the interface (see
OSP Interface Cost table below)
ip ospf hello-interval [1-65535]
Set interval to send hello packets;
default is 10 seconds
ip ospf dead-interval [1-65535]
Set interval after last hello from a
neighbor before declaring it down;
default is 40 seconds
ip ospf retransmit-interval [1-65535]
Set interval between link-state
advertisements (LSA)
retransmissions; default is 5
seconds
ip ospf transmit-delay [1-3600]
Set time required to send LSA
update; default is 1 second
ip ospf priority [0-255]
Set router priority; high value
increases eligibility to become the
designated router (DR)
Configure OSPF Routing Daemon
router ospf
Enable OSPF daemon
ospf router-id [A.B.C.D]
Set router ID for OSPF manually;
router will determine its own ID if
not set
ospf rfc 1583compatibility
Enable RFC 1583 compatibility (can
lead to routing loops)
ospf abr-type [cisco|ibm|shortcut|standard]
More information about this
command can be found in draftietf-abr-alt-o5.txt
passive interface eth[N]
Disable OSPF announcement on
interface eth[N]
auto-cost reference bandwidth [0-429495]
Set global cost (see OSPF cost table
below); do not use with “ip ospf
[COST]” command
timers spf [0-4294967295][0-4294967295]
Set SPF schedule delay and hold
time
Enable OSPF on a Network
*The “Area” variable can be typed in two formats: [W.X.Y.Z]; or as an integer [Z].
network [A.B.C.D/M] area [Z]
Announce OSPF on network
A.B.C.D/M for area 0.0.0.Z
Configure Properties for Backbone Area or Other Areas
*The “Area” variable can be typed in two formats: [W.X.Y.Z]; or as an integer [Z].
area [Z] range [A.B.C.D/M]
Create area 0.0.0.Z and set a
classful network for the area (range
and interface network and mask
settings should match)
area [Z] virtual-link [W.X.Y.Z]
Set virtual link neighbor for area
0.0.0.Z
area [Z] stub
Set area 0.0.0.Z as a stub
area [Z] stub no-summary
area [Z] authentication
Enable simple password
authentication for area 0.0.0.Z
area [Z] authentication message-digest
Enable MD5 authentication for area
0.0.0.Z
Redistribute OSPF Routes
2
default-information originate
Share route of last resort (default
route) with OSPF
default-information originate metrics [0-16777214]
Share route of last resort (default
route) with OSPF
Is there anything I need to know before I start?
Section
Command
Description
default-information originate always
Share route of last resort (default
route) with OSPF
default-information originate always metrics [0-16777214]
Share route of last resort (default
route) with OSPF
redistribute connected
Redistribute routes from all
interfaces to OSPF
redistribute connected metrics
Redistribute routes from all
interfaces to OSPF
Configure Route Redistribution with Access Lists and Route Maps
access-list [LISTNAME] permit [A.B.C.D/M]
Create an access list to allow
distribution of A.B.C.D/M
access-list [LISTNAME] deny any
Restrict distribution of any route
map not specified above
route-map [MAPNAME] permit [N]
Create a route map with name
[MAPNAME] and allow with a
priority of [N]
match ip address [LISTNAME]
OSPF Interface Cost table
The OSPF protocol finds the most efficient route between two points. To do this, it looks at factors such as interface
link speed, the number of hops between points, and other metrics. By default, OSPF uses the actual link speed of a
device to calculate the total cost of a route. You can set the interface cost manually to help maximize efficiency if, for
example, your gigabyte-based firewall is connected to a 100M router. Use the numbers in the OSPF Interface Cost
table to manually set the interface cost to a value different from the actual interface cost.
Interface Type
Bandwidth in
bits/second
Bandwidth in
bytes/second
OSPF Interface Cost
Ethernet
1G
100M
1
Ethernet
100M
10M
10
Ethernet
10M
1M
100
Modem
2M
200K
500
Modem
1M
100K
1000
Modem
500K
50K
2000
Modem
250K
25K
4000
Modem
125K
12500
8000
Modem
62500
6250
16000
Serial
115200
9216
10850
Serial
57600
4608
21700
Serial
38400
3072
32550
Serial
19200
1636
61120
Serial
9600
768
65535
Configuring the Firebox to Use OSPF
1
From Policy Manager, select Network > Dynamic Routing.
The Dynamic Routing Setup dialog box appears.
2
3
4
Click the OSPF tab.
Click Enable Dynamic Routing and Enable OSPF.
Click Import to import a routing daemon configuration file, or type your configuration parameters in the text
box.
If you click Import, you can browse to the location of the OSPF daemon configuration file. It is located in C:\Documents and
Settings\My Documents\My WatchGuard.
5
Click OK.
Allowing OSPF Traffic Through the Firebox
You must add and configure a policy to allow OSPF multicasts from the routers that have OSPF enabled to the
reserved multicast addresses for OSPF.
1
From Policy Manager, select Edit > Add Policies. From the list of packet filters, select OSPF. Click Add.
The New Policy Properties window appears for OSPF.
4
2
In the New Policy Properties window, configure the policy to allow traffic from the IP or network address of the
router using OSPF to the IP addresses 224.0.0.5 and 224.0.0.6. Click OK.
Frequently Asked Questions About This Procedure
What’s the best way to get started?
To get started, you only need two commands in your OSPF configuration file. These two commands, in this order,
will start the OSPF process:
router OSPF
network <network IP address of the interface you want the process to listen on and
distribute through the protocol> area <area ID in x.x.x.x format, such as 0.0.0.0>
On the Firebox, you also need to add the OSPF policy as described in the document above. You can configure the
policy to allow “any” to “any” until you are sure OSPF is working, and then restrict the policy as recommended
above.
Finally, you must set up the router for the Firebox to talk to. After it is configured, look at the Firebox Status Report
dynamic routing section to verify that the Firebox and the router are sending updates to each other. You can then
add authentication and restrict the OSPF policy to listen only on the correct interfaces.
What are some useful Cisco commands for troubleshooting dynamic routing?
From the enable mode on the Cisco router:
show ip route -- shows the routing table for the router
show ip ospf neighbor -- shows the neighbor relationships specific to that router
debug ip ospf events -- shows all the OSPF occurrences on the router. Use this command with caution as you can
get too much information and/or crash the router
undebug ip ospf events -- turn off the debug function
SUPPORT:
COPYRIGHT © 2006 WatchGuard Technologies, Inc. All rights reserved.
WatchGuard, the WatchGuard logo, Firebox, and Core are registered trademarks or trademarks of WatchGuard Techwww.watchguard.com/support
nologies, Inc. in the United States and/or other countries.
U.S. and Canada +877.232.3531
All Other Countries +1.206.613.0456
5
6