Fireware “How To” Dynamic Routing Introduction
How do I configure my Firebox to use OSPF?

Introduction

A routing protocol is the language a router speaks with other routers to share information about the status of network routing tables. With static routing, routing tables are set and do not change: if a router on the path fails, a packet cannot get to its destination. Dynamic routing lets the routing tables in routers change as the routes change. If the best path to a destination cannot be used, dynamic routing protocols update the routing tables when necessary to keep your network traffic moving. Fireware™ Pro supports the RIP v1 and v2, OSPF, and BGP v4 dynamic routing protocols.

OSPF (Open Shortest Path First) is an interior routing protocol used in larger networks. With OSPF, a router that sees a change to its routing table or that detects a change in the network immediately sends a multicast update to all other routers in the network. OSPF is different from RIP because:
• OSPF sends only the part of its routing information that has changed (a link-state update). RIP sends the full routing table each time.
• OSPF sends a multicast update only when its information has changed (it still sends small hello packets, every 10 seconds by default, to keep neighbor adjacencies alive). RIP sends the routing table every 30 seconds.

Is there anything I need to know before I start?

To use any of the dynamic routing protocols with Fireware, you must import or type a dynamic routing configuration file for the routing daemon you choose. This configuration file includes information such as a password and a log file name. You can find a sample BGP configuration file in this FAQ: https://www.watchguard.com/support/advancedfaqs/fw_dynroute-ex.asp

Notes about configuration files:
• The “!” and the “#” characters are comment characters. If the first character of a word is one of the comment characters, the rest of the line is interpreted as a comment. If the comment character is not the first character of the word, it is interpreted as part of the command, not as a comment.
• Usually, you can use the word “no” at the beginning of a line to disable a command. For example, “no network 10.0.0.0/24 area 0.0.0.0” stops OSPF from being announced on network 10.0.0.0/24 in the backbone area.

There are also a few specific things it is important to understand about OSPF:
• If you have multiple OSPF areas, one area must be area 0.0.0.0 (the backbone area).
• All areas must be adjacent to the backbone area. If an area is not adjacent to the backbone area, you must configure a virtual link to the backbone area.

Supported OSPF routing commands to use in your routing daemon configuration file

To create or modify a routing configuration file, use the catalog of supported routing commands below. The sections must appear in the configuration file in the same order they appear here. Each entry is written as: command -- description.

Configure Interface
  interface eth[N] -- Begin the section that sets properties for interface eth[N]
  ip ospf authentication-key [PASSWORD] -- Set the OSPF simple (clear-text) authentication password
  ip ospf message-digest-key [KEY-ID] md5 [KEY] -- Set the MD5 authentication key ID and key
  ip ospf cost [1-65535] -- Set the link cost for the interface (see the OSPF Interface Cost table below)
  ip ospf hello-interval [1-65535] -- Set the interval between hello packets; the default is 10 seconds
  ip ospf dead-interval [1-65535] -- Set the interval after the last hello from a neighbor before declaring it down; the default is 40 seconds
  ip ospf retransmit-interval [1-65535] -- Set the interval between link-state advertisement (LSA) retransmissions; the default is 5 seconds
  ip ospf transmit-delay [1-3600] -- Set the time required to send an LSA update; the default is 1 second
  ip ospf priority [0-255] -- Set the router priority; a higher value increases eligibility to become the designated router (DR)

Configure OSPF Routing Daemon
  router ospf -- Enable the OSPF daemon
  ospf router-id [A.B.C.D] -- Set the OSPF router ID manually; the router determines its own ID if this is not set
  ospf rfc1583compatibility -- Enable RFC 1583 compatibility (can lead to routing loops)
  ospf abr-type [cisco|ibm|shortcut|standard] -- Set the area border router type; more information about this command is in draft-ietf-ospf-abr-alt-05.txt
  passive-interface eth[N] -- Disable OSPF announcements on interface eth[N]
  auto-cost reference-bandwidth [1-4294967] -- Set the global reference bandwidth used to compute link costs (see the OSPF Interface Cost table below); do not use together with the “ip ospf cost” command
  timers spf [0-4294967295] [0-4294967295] -- Set the SPF schedule delay and hold time

Enable OSPF on a Network
In this section and the next, the area can be typed in two formats: as a dotted quad [W.X.Y.Z], or as an integer [Z], which means area 0.0.0.Z.
  network [A.B.C.D/M] area [Z] -- Announce OSPF on network A.B.C.D/M in area 0.0.0.Z

Configure Properties for Backbone Area or Other Areas
  area [Z] range [A.B.C.D/M] -- Create area 0.0.0.Z and set the network range the area summarizes (the range should match the interface network and mask settings)
  area [Z] virtual-link [W.X.Y.Z] -- Set the virtual link neighbor (its router ID) for area 0.0.0.Z
  area [Z] stub -- Set area 0.0.0.Z as a stub area
  area [Z] stub no-summary -- Set area 0.0.0.Z as a stub area that also receives no summary LSAs
  area [Z] authentication -- Enable simple (clear-text) password authentication for area 0.0.0.Z
  area [Z] authentication message-digest -- Enable MD5 authentication for area 0.0.0.Z

Redistribute OSPF Routes
  default-information originate -- Share the route of last resort (default route) with OSPF when the router has one
  default-information originate metric [0-16777214] -- Same, with the given metric
  default-information originate always -- Share a default route with OSPF even when the router does not have one
  default-information originate always metric [0-16777214] -- Same, with the given metric
  redistribute connected -- Redistribute the routes of all directly connected interfaces into OSPF
  redistribute connected metric [0-16777214] -- Same, with the given metric

Configure Route Redistribution with Access Lists and Route Maps
  access-list [LISTNAME] permit [A.B.C.D/M] -- Create an access list that permits distribution of A.B.C.D/M
  access-list [LISTNAME] deny any -- Deny distribution of any route not matched by the permit entries above
  route-map [MAPNAME] permit [N] -- Create a route map named [MAPNAME] with a permit entry at sequence number [N]
  match ip address [LISTNAME] -- Inside the route map, match routes against access list [LISTNAME]

OSPF Interface Cost table

The OSPF protocol finds the most efficient route between two points. To do this, it looks at factors such as interface link speed, the number of hops between points, and other metrics. By default, OSPF uses the actual link speed of a device to calculate the total cost of a route. You can set the interface cost manually to help maximize efficiency if, for example, your gigabit firewall interface is connected to a 100M router. Use the numbers in the OSPF Interface Cost table to set the interface cost to a value different from the one derived from the actual interface speed.

Interface Type   Bandwidth (bits/second)   Bandwidth (bytes/second)   OSPF Interface Cost
Ethernet         1G                        100M                       1
Ethernet         100M                      10M                        10
Ethernet         10M                       1M                         100
Modem            2M                        200K                       500
Modem            1M                        100K                       1000
Modem            500K                      50K                        2000
Modem            250K                      25K                        4000
Modem            125K                      12500                      8000
Modem            62500                     6250                       16000
Serial           115200                    9216                       10850
Serial           57600                     4608                       21700
Serial           38400                     3072                       32550
Serial           19200                     1636                       61120
Serial           9600                      768                        65535

Configuring the Firebox to Use OSPF

1. From Policy Manager, select Network > Dynamic Routing. The Dynamic Routing Setup dialog box appears.
2. Click the OSPF tab.
3. Click Enable Dynamic Routing and Enable OSPF.
4. Click Import to import a routing daemon configuration file, or type your configuration parameters in the text box. If you click Import, you can browse to the location of the OSPF daemon configuration file. It is located in C:\Documents and Settings\My Documents\My WatchGuard.
5. Click OK.

Allowing OSPF Traffic Through the Firebox

You must add and configure a policy to allow OSPF multicasts from the routers that have OSPF enabled to the reserved multicast addresses for OSPF: 224.0.0.5 (all OSPF routers) and 224.0.0.6 (all designated routers).

1. From Policy Manager, select Edit > Add Policies.
2. From the list of packet filters, select OSPF. Click Add. The New Policy Properties window appears for OSPF.
3. In the New Policy Properties window, configure the policy to allow traffic from the IP or network address of the router using OSPF to the IP addresses 224.0.0.5 and 224.0.0.6.
4. Click OK.

Frequently Asked Questions About This Procedure

What’s the best way to get started?

To get started, you only need two commands in your OSPF configuration file. These two commands, in this order, start the OSPF process:
  router ospf
  network <network address of the interface you want the process to listen on and distribute through the protocol> area <area ID in x.x.x.x format, such as 0.0.0.0>

On the Firebox, you also need to add the OSPF policy as described above. You can configure the policy to allow “any” to “any” until you are sure OSPF is working, and then restrict the policy as recommended above. Keep that open policy short-lived and limited to a trusted segment: while it is in place, and until authentication is enabled, any host that can reach the interface can speak OSPF to the Firebox and inject routes. Finally, you must set up the router for the Firebox to talk to. After it is configured, look at the dynamic routing section of the Firebox Status Report to verify that the Firebox and the router are sending updates to each other. You can then add authentication (an ip ospf message-digest-key on the interface together with area [Z] authentication message-digest, both matching the router’s settings) and restrict the OSPF policy to the correct interfaces and router addresses.

What are some useful Cisco commands for troubleshooting dynamic routing?
From the enable mode on the Cisco router:
  show ip route -- shows the routing table for the router
  show ip ospf neighbor -- shows the neighbor relationships specific to that router
  debug ip ospf events -- shows all the OSPF events on the router. Use this command with caution: it can produce too much output and/or overload the router
  undebug ip ospf events -- turns off the debug function

SUPPORT: www.watchguard.com/support
U.S. and Canada +877.232.3531
All Other Countries +1.206.613.0456
COPYRIGHT © 2006 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, the WatchGuard logo, Firebox, and Core are registered trademarks or trademarks of WatchGuard Technologies, Inc. in the United States and/or other countries.
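As an added worked example that is not part of the WatchGuard document, the following Python checker applies the configuration-file rules from this How To to a routing daemon configuration before you import it: the comment-character rule (“!” or “#” only counts at the start of a word), the “no” prefix that disables a command, the required section order (interface sections before router ospf), the backbone and virtual-link rules, and whether each area has authentication configured. The two configurations, interface names, addresses and keys inside it are constructed for illustration; the checker covers only the commands from the table that these rules need.

```python
from dataclasses import dataclass, field

# Both configurations are constructed for this example; interface names, addresses
# and keys are illustrative and not taken from the WatchGuard document.
GOOD_CONFIG = """\
! ospfd configuration for a Firebox (comment line)
interface eth1
  ip ospf message-digest-key 1 md5 Example-Key-1   # per-interface MD5 key
  ip ospf cost 10
router ospf
  ospf router-id 10.0.1.1
  passive-interface eth0
  network 10.0.1.0/24 area 0.0.0.0
  network 10.0.2.0/24 area 1
  network 10.0.9.0/24 area 0.0.0.0
  no network 10.0.9.0/24 area 0.0.0.0
  area 0.0.0.0 authentication message-digest
  area 0.0.0.1 authentication message-digest
  redistribute connected
"""

BAD_CONFIG = """\
router ospf
  network 10.0.2.0/24 area 1
  network 10.0.3.0/24 area 2
  area 1 authentication
interface eth1
  ip ospf authentication-key plaintext
"""


def strip_comment(line):
    """'!' or '#' starts a comment only when it is the first character of a word;
    a '#' in the middle of a word stays part of the command."""
    words = []
    for word in line.split():
        if word[0] in "!#":
            break
        words.append(word)
    return words


def area_id(token):
    """Areas may be written as a dotted quad W.X.Y.Z or as an integer Z (meaning 0.0.0.Z)."""
    return token if "." in token else "0.0.0.%d" % int(token)


@dataclass
class OspfConfig:
    interfaces: dict = field(default_factory=dict)  # interface -> list of 'ip ospf ...' commands
    networks: dict = field(default_factory=dict)    # prefix -> area
    area_cmds: list = field(default_factory=list)   # (area, words after the area id)
    problems: list = field(default_factory=list)


def parse(text):
    """Parse the subset of commands from the table that the checks need."""
    cfg, section, iface = OspfConfig(), None, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        words = strip_comment(raw)
        if not words:
            continue
        negate = words[0] == "no"  # 'no' at the start of a line disables the command
        if negate:
            words = words[1:]
        if words[0] == "interface" and len(words) == 2:
            if section == "router":
                cfg.problems.append("line %d: interface sections must come before router ospf" % lineno)
            section, iface = "interface", words[1]
            cfg.interfaces.setdefault(iface, [])
        elif words[:2] == ["router", "ospf"]:
            section = "router"
        elif section == "interface" and words[:2] == ["ip", "ospf"] and len(words) >= 3:
            # MD5 keys are distinguished by key ID; other sub-commands by name only.
            key = words[:4] if words[2] == "message-digest-key" else words[:3]
            cfg.interfaces[iface] = [c for c in cfg.interfaces[iface] if c[:len(key)] != key]
            if not negate:
                cfg.interfaces[iface].append(words)
        elif section == "router" and words[0] == "network" and len(words) == 4:
            if negate:
                cfg.networks.pop(words[1], None)
            else:
                cfg.networks[words[1]] = area_id(words[3])
        elif section == "router" and words[0] == "area" and len(words) >= 3:
            cfg.area_cmds.append((area_id(words[1]), words[2:]))
    return cfg


def check(cfg):
    """Return the list of rule violations for a parsed configuration (empty if clean)."""
    problems = list(cfg.problems)
    backbone = "0.0.0.0"
    areas = set(cfg.networks.values())
    if len(areas) > 1 and backbone not in areas:
        problems.append("multiple areas configured but no backbone area 0.0.0.0")
    vlinks = {a for a, rest in cfg.area_cmds if rest[:1] == ["virtual-link"]}
    for area in sorted(areas - {backbone}):
        # A router with no backbone network cannot make its areas adjacent to area 0
        # by itself, so each such area needs a virtual link.
        if backbone not in areas and area not in vlinks:
            problems.append("area %s is not adjacent to the backbone and has no virtual-link" % area)
    auth = {a: rest for a, rest in cfg.area_cmds if rest[:1] == ["authentication"]}
    iface_cmds = [c for cmds in cfg.interfaces.values() for c in cmds]
    has_md5_key = any(c[2] == "message-digest-key" for c in iface_cmds)
    for area in sorted(areas):
        rest = auth.get(area)
        if rest is None:
            problems.append("area %s has no authentication; any host on the segment could inject routes" % area)
        elif rest[1:2] == ["message-digest"]:
            if not has_md5_key:
                problems.append("area %s uses MD5 but no interface sets ip ospf message-digest-key" % area)
        else:
            problems.append("area %s uses simple (clear-text) password authentication; use message-digest" % area)
    return problems


if __name__ == "__main__":
    for name, text in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, check(parse(text)) or ["ok"])
```

Running the script reports no problems for the first configuration and six for the second (interface section after router ospf, no backbone area, two areas without a virtual link, one area on clear-text authentication and one with none). The adjacency check is deliberately local: it only knows what this router announces, so an area that reaches the backbone through some other router still needs the virtual-link line, exactly as the note above requires.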