The following description shows a convenient way to configure OSPF and RIP on a Barracuda NG Firewall. The example assumes that a Barracuda NG Firewall is added to a network already configured for OSPF.
Network Setup
Four routers are appointed to learn routes from OSPF and RIP "Clouds". Router 1 and router 2 are both attached to LAN segment 62.99.0.0/24 and belong to OSPF Area 0. Router 3 is attached to LAN segment 194.93.0.0/24, serving as OSPF router in OSPF Area 1 and as RIP router for RIP Cloud 2. Router 4 is a sole RIP router attached to LAN segment 194.93.0.0/24. Two further networks, 192.168.10.0/24 and 192.168.11.0/24, live in RIP Cloud 2.
Example setup for OSPF and RIP configuration:
Router 1 | OSPF learned networks from OSPF Cloud 1: | 62.99.0.0/24 | - | - |
Router 2 | OSPF learned networks from OSPF Cloud 1: | 62.99.0.0/24 | - | - |
Router 3 | RIP and OSPF learned networks from OSPF and RIP Cloud 2: | 194.93.0.0/24 | 192.168.10.0/24 | 192.168.11.0/24 |
Router 4 | RIP learned networks from RIP Cloud 2: | 194.93.0.0/24 | - | - |
OSPF Basic Setup
The network is already configured for OSPF. Several destinations are reachable through multiple paths. The newly installed Barracuda NG Firewall should participate in the routing and load-sharing is to be used.
Step 1: Install the OSPF/RIP Service
For more information on how to set up a virtual service, see Virtual Servers and Services.
Step 2: Add the Network Interfaces Speaking OSPF to the Server Properties
OSPF is spoken on two interfaces linking to the following networks: eth1 (62.99.0.0/24) and eth2 (194.93.0.0/24).
Configuration of addresses in the Server Properties:
Step 3: Configure OSPF Routing Settings
Operational Setup
The Barracuda NG Firewall is configured to operate as a "normal" router. The operation mode is set to "active-passive" (that is, advertise-learn). By this means, all routes are learned and forwarded. Setting a Router ID is mandatory. It is important for easily identifying LSAs during troubleshooting.
OSPF Router Setup
Specify a Terminal Password and a Privileged Terminal Password. These passwords are needed to access the routing engine directly via telnet. Setting Auto-Cost Ref Bandwidth to 10000 yields more granular costs in LAN environments. The cost is calculated as ref-bandwidth divided by intf-bandwidth (MBit/s). In the example, a 1 GBit link would have a cost of 10 (10000/1000).
Specify the interfaces where OSPF should be enabled and where adjacencies should be built through the Network Prefix parameter. In the example, the Barracuda NG Firewall is made an Area Border Router (ABR) with interfaces in Area 0 and Area 1. The network 62.99.0.0/24 is part of Area 0; the network 194.93.0.0/24 is part of Area 1.
Step 4: Send Changes and Activate the Configuration
The basic OSPF setup is complete. The routes learned through OSPF can now be viewed in the Barracuda NG Firewall's routing table:
More detailed information about the OSPF service is available by connecting to the Quagga engine itself with a telnet to localhost:2604 at the Command Line Interface. This mode can also be used for debugging purposes. If needed, see www.quagga.net for information about the Quagga Routing Suite. The following output shows the Quagga engine's response to the commands sh ip ospf neigh and sh ip ospf route.
[root@NF1:~]# telnet localhost 2604
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Hello, this is quagga (version 0.96.5).
Copyright 1996-2002 Kunihiro Ishiguro.
User Access Verification
Password:
NF1> en
Password:
NF1# sh ip ospf neigh
Neighbor ID Pri State Dead Time Address Interface RXmtL RqstL DBsmL
192.168.254.3 1 Full/DR 00:00:35 194.93.0.254 eth2:194.93.0.105 0 0 0
192.168.254.2 1 Full/DR 00:00:33 62.99.0.253 eth1:62.99.0.105 0 0 0
192.168.254.1 1 Full/Backup 00:00:35 62.99.0.254 eth1:62.99.0.105 0 0 0
NF1# sh ip ospf route
============ OSPF network routing table ============
N 62.99.0.0/24 [1000] area: 0.0.0.0 directly attached to eth1
N 192.168.1.0/24 [1010] area: 0.0.0.0 via 62.99.0.253, eth1
D IA 192.168.10.0/23 Discard entry
N 192.168.10.0/24 [1010] area: 0.0.0.1 via 194.93.0.254, eth2
N 192.168.11.0/24 [1010] area: 0.0.0.1 via 194.93.0.254, eth2
N 192.168.12.0/24 [1010] area: 0.0.0.1 via 194.93.0.254, eth2
N 192.168.254.1/32 [1001] area: 0.0.0.0 via 62.99.0.254, eth1
N 192.168.254.2/32 [1001] area: 0.0.0.0 via 62.99.0.253, eth1
N 192.168.254.3/32 [1001] area: 0.0.0.1 via 194.93.0.254, eth2
N 194.93.0.0/24 [1000] area: 0.0.0.1 directly attached to eth2
============ OSPF router routing table =============
R 192.168.254.1 [1000] area: 0.0.0.0, ABR, ASBR via 62.99.0.254, eth1
R 192.168.254.2 [1000] area: 0.0.0.0, ABR via 62.99.0.253, eth1
R 192.168.254.3 [1000] area: 0.0.0.1, ABR, ASBR via 194.93.0.254, eth2
============ OSPF external routing table ===========
N E1 10.0.84.0/24 [1010] tag: 0 via 62.99.0.254, eth1
N E1 28.235.0.0/24 [1010] tag: 0 via 62.99.0.254, eth1
N E1 38.232.0.0/24 [1010] tag: 0 via 62.99.0.254, eth1
N E1 38.232.1.0/24 [1010] tag: 0 via 62.99.0.254, eth1
N E1 56.47.0.0/24 [1010] tag: 0 via 62.99.0.254, eth1
N E1 56.47.1.0/24 [1010] tag: 0 via 62.99.0.254, eth1
N E1 79.29.0.0/24 [1010] tag: 0 via 62.99.0.254, eth1
N E1 79.29.1.0/24 [1010] tag: 0 via 62.99.0.254, eth1
N E1 123.43.0.0/24 [1010] tag: 0 via 62.99.0.254, eth1
N E1 123.43.1.0/24 [1010] tag: 0 via 62.99.0.254, eth1
N E1 134.46.0.0/24 [1010] tag: 0 via 62.99.0.254, eth1
N E1 134.46.1.0/24 [1010] tag: 0 via 62.99.0.254, eth1
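An added example, not part of the original article and not Barracuda's or Quagga's own tooling: a Python check that parses sh ip ospf neigh output like the session above and reports neighbors that are not on an expected list, expected neighbors that are missing or seen at a different address or interface, and adjacencies that are not in state Full. The EXPECTED mapping (used here as an allowlist), the function name audit_neighbors and the 10.66.66.66 row are assumptions constructed for the example.

```python
import re

# Expected adjacencies (router ID -> neighbor address, local interface),
# taken from the neighbor table shown above. Treating this as an allowlist
# is an assumption of the example.
EXPECTED = {
    "192.168.254.1": ("62.99.0.254", "eth1"),
    "192.168.254.2": ("62.99.0.253", "eth1"),
    "192.168.254.3": ("194.93.0.254", "eth2"),
}

# The three rows from the page plus one constructed row (10.66.66.66).
SAMPLE = """\
Neighbor ID Pri State Dead Time Address Interface RXmtL RqstL DBsmL
192.168.254.3 1 Full/DR 00:00:35 194.93.0.254 eth2:194.93.0.105 0 0 0
192.168.254.2 1 Full/DR 00:00:33 62.99.0.253 eth1:62.99.0.105 0 0 0
192.168.254.1 1 Full/Backup 00:00:35 62.99.0.254 eth1:62.99.0.105 0 0 0
10.66.66.66 1 Full/DROther 00:00:31 62.99.0.77 eth1:62.99.0.105 0 0 0
"""

IP = r"\d+(?:\.\d+){3}"
ROW = re.compile(rf"^(?P<rid>{IP})\s+\d+\s+(?P<state>[\w-]+)/\S+\s+\S+\s+"
                 rf"(?P<addr>{IP})\s+(?P<ifname>[\w.]+):")

def audit_neighbors(text, expected=EXPECTED):
    """Return (finding, router_id, detail) tuples for every deviation."""
    findings, seen = [], set()
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header, prompt or blank line
        rid, state, addr, ifname = m.group("rid", "state", "addr", "ifname")
        seen.add(rid)
        if rid not in expected:
            findings.append(("unexpected-neighbor", rid, f"{addr} on {ifname}"))
            continue
        if (addr, ifname) != expected[rid]:
            findings.append(("wrong-location", rid, f"{addr} on {ifname}"))
        if state != "Full":
            findings.append(("not-full", rid, state))
    for rid in sorted(set(expected) - seen):
        findings.append(("missing-neighbor", rid, "no adjacency"))
    return findings

if __name__ == "__main__":
    for finding in audit_neighbors(SAMPLE):
        print(*finding)
```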
Redistribution of Connected Networks to OSPF
Proceed as follows to configure redistribution of connected networks:
- Open the Network page (Config > Full Config > Network).
- In the left menu, click IP Configuration.
- Click Lock.
- Set the parameter Advertise Route to yes.
- Click Send Changes and Activate.
Step 6: Configure Route Redistribution
Route Redistribution is configured in the OSPF Router tab within the OSPF Routing Settings configuration. In the example, the following values are specified for the available parameters:
With these configuration settings, all networks connected to the Barracuda NG Firewall will be redistributed to OSPF with a cost of 10 and Metric-type External 1.
Injecting the Default Route to OSPF
Step 7: Activate OSPF Advertising
Static routes are likewise only advertised via OSPF when the Advertise Route option is set in the network configuration. This should already have been done by the steps described in Step 6.
Step 8: Configure Default Route Redistribution
Default Route Redistribution is configured in the OSPF Router tab within the OSPF Routing Settings configuration. In the example, the following values are specified for the available parameters:
With these configuration settings, the default route (if configured) will be redistributed to OSPF with a cost of 10 and Metric-type External 1. If a default route should always be distributed, whether one is configured or not, set the parameter Originate Always to yes.
OSPF Multipath Routing
Multipath routing is configured in the OSPF Routing Settings’ OSPF Preferences view. Three options are available for Multipath Handling:
- ignore – No Multipath routing is used; learned Multipath routes are ignored.
- assign internal preferences – The metric of every equal cost route is translated to different values - load-sharing is not used. Additional routes are only used as backup.
- accept on same device – Multipath routing is enabled but it is only available when the routes are learned on the same interface.
The example configuration uses the setting accept on same device.
OSPF Link Authentication
Two methods for OSPF authentication exist:
- Authentication in an Area
- Authentication on a Link
Area authentication is configured within the OSPF Area Setup. For Link Authentication first a parameter template has to be created, and then a reference to this template has to be established. The example uses Link Authentication. Authentication configuration is done in the Network Interfaces section of the OSPF Routing configuration. Proceed as follows to configure Link Authentication:
Step 9: Configure a Parameter Template
Open the Network Interfaces section and click the Insert … button in the Parameter Template Configuration section to create a new parameter template.
The following values are defined in the example: MD5 Authentication usage with key ID 1 and authentication key Barracuda.
Step 10: Create a Reference to the Parameter Template
Click the Insert … button in Network Interface > Interfaces (Network Interfaces view) to configure link authentication on an interface. The example defines the following values:
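What MD5 authentication with key ID 1 and key Barracuda does to each OSPF packet, as an added Python example that is not Barracuda's or Quagga's code: the sender appends MD5(packet || key) as specified in RFC 2328 Appendix D, and the receiver recomputes the digest and drops packets with an unknown key ID, a wrong digest or an older cryptographic sequence number. The Hello packet, the router ID and the helper names are constructed for the example, and zero-padding the key to 16 bytes is an assumption. The key itself is never transmitted, so the protection rests entirely on the key staying secret.

```python
import hashlib
import hmac
import struct

KEY_ID, KEY = 1, b"Barracuda"  # key ID and key from the page's example

def pad_key(key):
    # Assumption: keys shorter than 16 bytes are zero-padded, longer ones cut.
    return key.ljust(16, b"\0")[:16]

def build_hello(router_id, area_id, seq, key_id=KEY_ID):
    """Constructed minimal OSPFv2 Hello using AuType 2 (cryptographic)."""
    # mask, HelloInterval, options, priority, RouterDeadInterval, DR, BDR
    body = struct.pack("!4sHBBI4s4s", bytes([255, 255, 255, 0]), 10, 0x02, 1,
                       40, bytes(4), bytes(4))
    # version, type, length, router ID, area ID, checksum (0 with AuType 2),
    # AuType, reserved, key ID, digest length, cryptographic sequence number
    header = struct.pack("!BBH4s4sHHHBBI", 2, 1, 24 + len(body), router_id,
                         area_id, 0, 2, 0, key_id, 16, seq)
    return header + body

def sign(packet, key=KEY):
    """RFC 2328 D.4.3: digest = MD5(packet || 16-byte key), appended."""
    return packet + hashlib.md5(packet + pad_key(key)).digest()

def verify(wire, keys, last_seq):
    """Return the accepted sequence number, or None if the packet is dropped."""
    if len(wire) < 24:
        return None
    (length,) = struct.unpack_from("!H", wire, 2)
    autype, _, key_id, dlen, seq = struct.unpack_from("!HHBBI", wire, 14)
    if autype != 2 or dlen != 16 or length < 24 or len(wire) != length + 16:
        return None
    key = keys.get(key_id)
    if key is None or seq < last_seq:  # unknown key ID, or an old sequence number
        return None
    expected = hashlib.md5(wire[:length] + pad_key(key)).digest()
    return seq if hmac.compare_digest(expected, wire[length:]) else None

if __name__ == "__main__":
    pkt = build_hello(bytes([192, 168, 254, 10]), bytes([0, 0, 0, 1]), seq=100)
    wire = sign(pkt)
    print(len(pkt), len(wire), verify(wire, {KEY_ID: KEY}, last_seq=99))
```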
OSPF Route Summation
In large networks it is useful to summarize routes at area or autonomous system borders. In the example setup, two networks live in Area 1: 192.168.10.0/24 and 192.168.11.0/24. The aim is to summarize these two networks to 192.168.10.0/23. The configuration for summation of areas is done in the OSPF Area Setup.
- Click Insert … to create new configuration settings for Area 1. Set the value for Area ID [Int] to 1.
- Create a new entry for parameter Summary Range IP/Mask by clicking Insert …
A new window opens allowing for configuration of the following values:
Range 192.168.10.0/23 is now going to be advertised as summary route with cost 10. A router in Area 0 is going to create an entry in its routing table.
SW2#sh ip route 192.168.10.0
Routing entry for 192.168.10.0/23, supernet
  Known via "ospf 1", distance 110, metric 1020, type inter area
  Last update from 62.99.0.105 on Vlan111, 00:03:46 ago
  Routing Descriptor Blocks:
  * 62.99.0.105, from 192.168.254.10, 00:03:46 ago, via Vlan111
      Route metric is 1020, traffic share count is 1
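An added example, not from the original article: a Python check that a summary range matches the networks of an area, run on the networks listed for area 0.0.0.1 in the sh ip ospf route output earlier on this page. It reports which networks the range covers, which fall outside it, and which parts of the range no network backs; the function name check_summary and the AREA1 list are assumptions of the example.

```python
import ipaddress

# Networks shown for area 0.0.0.1 in the page's "sh ip ospf route" output.
AREA1 = ["192.168.10.0/24", "192.168.11.0/24", "192.168.12.0/24",
         "192.168.254.3/32", "194.93.0.0/24"]

def check_summary(summary, area_networks):
    """Split an area's networks by a summary range and find unbacked space.

    Returns (covered, outside, unbacked): networks hidden behind the summary,
    networks outside the range, and parts of the summary range that no
    network backs (traffic to those matches only the ABR's discard entry).
    """
    summary = ipaddress.ip_network(summary)
    nets = [ipaddress.ip_network(n) for n in area_networks]
    covered = [n for n in nets if n.subnet_of(summary)]
    outside = [n for n in nets if not n.subnet_of(summary)]
    remaining = [summary]
    for n in covered:
        nxt = []
        for r in remaining:
            if r.subnet_of(n):
                continue                          # r is fully backed by n
            if n.subnet_of(r):
                nxt.extend(r.address_exclude(n))  # carve n out of r
            else:
                nxt.append(r)                     # disjoint, keep r
        remaining = nxt
    unbacked = list(ipaddress.collapse_addresses(remaining))
    return covered, outside, unbacked

if __name__ == "__main__":
    covered, outside, unbacked = check_summary("192.168.10.0/23", AREA1)
    print("covered :", [str(n) for n in covered])
    print("outside :", [str(n) for n in outside])
    print("unbacked:", [str(n) for n in unbacked])
```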
RIP Basic Setup
Basic RIP settings are to be configured within the Operational Setup, the RIP Preferences and the RIP Router Setup. In the example setup, RIP Version 2 is used and multipath routes are discarded. Therefore, the following configuration settings apply:
- Operational Setup – RIP is activated by setting parameter Run RIP Router to yes.
- RIP Preferences – Parameter Multipath Handling is set to ignore.
- RIP Router Setup – RIP Version 2 is enabled on Network Device eth2 in the Networks section. Redistribution of connected networks to RIP is configured in the Route Redistribution section. In the example, all connected networks are redistributed to RIP with a hopcount of 2.
Redistribution Between RIP and OSPF
To implement redistribution between RIP and OSPF, the following minimum settings must be configured:
- OSPF Router Setup – To redistribute routes learned by RIP, insert a new entry in the Route Redistribution Configuration section.
- RIP Router Setup – To redistribute routes learned by OSPF, insert a new entry in the Route Redistribution Configuration section.