Configuring RIP and OSPF Advanced Routing Services

* 
NOTE: ARS is a fully featured multi-protocol routing suite. The sheer number of configurable options and parameters provided is incongruous with the simplicity of a graphical user interface. Rather than limiting the functionality of ARS, an abbreviated representation of its capabilities has been rendered in the GUI, providing control over the most germane routing features, while the full command suite is available via the CLI. The ARS CLI can be accessed from an authenticated CLI session, and contains 3 modules:
route ars-nsm – The Advanced Routing Services Network Services Module. This component provides control over core router functionality, such as interface bindings and redistributable routes.
route ars-rip – The RIP module. Provides control over the RIP router.
route ars-ospf – The OSPF module. Provides control over the OSPF router.

In general, all of the functionality needed to integrate the firewall into most RIP and OSPF environments is available through the Web-based GUI. The additional capabilities of the CLI will make more advanced configurations possible. Please refer to the appendix for the full set of ARS CLI commands.

By default, Advanced Routing Services are disabled, and must be enabled to be made available. At the top of the Network > Routing page, is a drop-down menu for Routing mode. When you select Use Advanced Routing, the top of the Network > Routing page will look as follows:

The operation of the RIP and OSPF routing protocols is interface dependent. Each interface and virtual subinterface can have RIP and OSPF settings configured separately, and each interface can run both RIP and OSPF routers.

Configure RIP and OSPF for default routes received from Advanced Routing protocols as follows:
Configuring RIP
Configuring OSPF
Configuring Advanced Routing for Tunnel Interfaces

Configuring RIP

To configure RIP routing on an interface, select the Configure icon in the interface’s row under the Configure RIP column. This launches the RIP Configuration dialog.

Topics:
RIPng Options
Global RIPng Configuration
RIPng Options
RIPng – Select one of these modes from the drop-down menu:
Disabled (default) – RIP is disabled on this interface
Enable – The RIP router on this interface sends updates and process received updates.
Passive – The RIP router on this interface does not process received updates, and only sends updates to neighboring RIP routers specified with the CLI neighbor command.
* 
NOTE: This mode should be used only when configuring advanced RIP options from the ars-rip CLI.
* 
NOTE: Release 6.2.3.1 and earlier also have the following options for the RIP drop-down menu.
Send and Receive – The RIP router on this interface sends updates and processes received updates.
Send Only – The RIP router on this interface only sends updates and does not process received updates. This is similar to the basic routing implementation.
Receive Only – The RIP router on this interface only processes received updates.
Split Horizon – Enabling Split Horizon suppresses the inclusion of routes sent in updates to routers from which they were learned. This is a common RIP mechanism for preventing routing loops. See Maximum Hops . This option is selected by default.
Poisoned Reverse – Poison reverse is an optional mode of Split Horizon operation. Rather than suppressing the inclusion of learned routes, the routes are sent with a metric of infinity (16) thus indicating that they are unreachable. See Maximum Hops . This option is selected by default.
* 
NOTE: Release 6.2.3.1 and earlier also have the following RIP options.
Receive (available in Send and Receive and Receive Only modes)
RIPv1 – Receive only broadcast RIPv1 packets.
RIPv2 – Receive only multicast RIPv2 packets. RIPv2 packets are sent by multicast, although some implementations of RIP routers (including basic routing on SonicWALL devices) have the ability to send RIPv2 in either broadcast or multicast formats.
* 
IMPORTANT: Be sure the device sending RIPv2 updates uses multicast mode, or the updates are not processed by the ars-rip router.
Send (available in Send and Receive and Send Only modes)
RIPv1 – Send broadcast RIPv1 packets.
RIPv2 - v1 compatible – Send multicast RIPv2 packets that are compatible with RIPv1.
RIPv2 – Send multicast RIPv2 packets.
Global RIPng Configuration
Default Metric – Used to specify the metric that will be used when redistributing routes from other (Default, Static, Connected, OSPF, or VPN) routing information sources. The default value (undefined) is 1 and the maximum is 15.
Originate Default Route – This checkbox enables or disables the advertising of the firewall’s default route into the RIP system.
Redistribute Static Routes – Enables or disables the advertising of static (Policy Based Routing) routes into the RIP system. The metric can be explicitly set for this redistribution, or it can use the value (default) specified in the Default Metric setting.
Redistribute Connected Networks - Enables or disables the advertising of locally connected networks into the RIP system. The metric can be explicitly set for this redistribution, or it can use the value (default) specified in the Default Metric setting.
Redistribute OSPF Routes - Enables or disables the advertising of routes learned via OSPF into the RIP system. The metric can be explicitly set for this redistribution, or it can use the value (default) specified in the Default Metric setting.
* 
NOTE: Release 6.2.3.1 and earlier also have the following Global RIP Configuration options.
Redistribute Remote VPN Networks - Enables or disables the advertising of static (Policy Based Routing) routes into the RIP system. The metric can be explicitly set for this redistribution, or it can use the value (default) specified in the Default Metric setting.
Use Password – Enables the use of a plain-text password on this interface, up to 16 alpha-numeric characters long, for identification.
Administrative Distance – The administrative distance value is used by routers in selecting a path when there is more than one route to a destination, with the smaller distance being preferred. The default value is 120, minimum is 1, and maximum is 255.

Routes learned via RIP appear in the Route Policies table as OSPF or RIP route.

Configuring OSPF

* 
NOTE: OSPF design concepts are beyond the scope of this document. This section describes how to configure a SonicWALL to integrate into an OSPF network, be it existing or newly implemented, but it does not offer design guidelines. For terms used throughout this section, refer to OSPF Terms .

Consider the following simple example network:

In an OSPF network where the backbone (area 0.0.0.0) comprises the X0 interface on the firewall and the int1 interface on Router A. Two additional areas, 0.0.0.1 and 100.100.100.100 are connected, respectively, to the backbone via interface int2 on ABR Router A, and via the X4:100 VLAN subinterface on the firewall.

To configure OSPF routing on the X0 and the X4:100 interfaces, select the Configure icon in the interface’s row under the Configure OSPF column. This will launch the following dialog:

Topics:
OSPFv3 Configuration
Global OSPFv3 Configuration
OSPFv3 Configuration
OSPFv3 – Select one of these settings from the drop-down menu:
Disable (default) – OSPF Router is disabled on this interface
Enable – OSPF Router is enabled on this interface
Passive – The OSPF router is enabled on this interface, but only advertises connected networks using type 1 LSA’s (Router Link Advertisements) into the local area. This is different from the Redistribute Connected Networks options, which would cause the OSPF router to behave as an ASBR, and to use type 5 LSA’s (AS External Link Advertisement) to flood the advertisements into all non-stub areas. For more information, see OSPF Terms .
Dead Interval (1-65535) – The period, in seconds, after which an entry in the LSDB is removed if Hello is not received. The default is 40 seconds, with a minimum of 1 and a maximum on 65,535.
* 
NOTE: Be sure this value agrees with the other OSPF routers on the segment for successful neighbor establishment.
Hello Interval (1-65535) – The period of time between Hello packets. The default is 10 seconds, with a minimum of 1 and a maximum on 65,535.
* 
NOTE: Be sure this value agrees with the other OSPF routers on the segment for successful neighbor establishment.
Router Priority (0-255) – The router priority value is used in determining the Designated Router (DR) for a segment. The higher the value, the higher the priority. For a priority tie, the Router ID acts as the tie-breaker. Setting a value of 0 makes the OSPF router on this interface ineligible for DR status. The default value is 1, and the maximum value is 255.
OSPFv3 Area – The OSPF Area can be represented in either IP or decimal notation. For example, you may represent the area connected to X4:100 as either 100.100.100.100 or 1684300900. The default is 0.
OSPFv3 Area Type – For a detailed description of the following settings, see OSPF Terms :
Normal (default) – Receives and sends all applicable LSA types.
Stub Area – Does not receive type 5 LSA’s (AS External Link Advertisements).
Totally Stubby Area – Does not receive LSA types 3, 4, or 5.
* 
NOTE: Release 6.2.3.1 and earlier also have the following options for the OSPF Area Type drop-down menu.
Not So Stubby Area – Receives type 7 LSA’s (NSSA AS External Routes).
Totally Stubby NSSA – Receives type 1 and 2 LSA’s.
Interface Cost (1-65535) – Specifies the overhead of sending packets across this interface. The default value is 10, generally used to indicate an Ethernet interface. The minimum and default value is 1 (for example, Fast Ethernet) and the maximum value is 65,535 (for example, pudding).
Auto – Selecting Auto dims the Interface Cost field as the cost is determined automatically. This checkbox is not selected by default.
Instance-ID: (0-255) – The minimum value is 0, the default value is 0, and the maximum is 255. This field is normally dimmed.
* 
NOTE: Release 6.2.3.1 and earlier also have the following OSFP Configuration options.
Authentication - Be sure this setting agrees with the other OSPF routers on the segment for successful neighbor establishment.
Disabled – No authentication is used on this interface.
Simple Password – A plain-text password is used for identification purposes by the OSPF router on this interface.
Message Digest – An MD5 hash is used to securely identify the OSPF router on this interface.
Password – Enter the password for this router.
Global OSPFv3 Configuration
OSPFv3 Router ID (n.n.n.n) – The Router ID can be any value, represented in IP address notation. It is unrelated to the any of the IP addresses on the firewall, and can be set to any unique value within your OSPF network.
ABR Type Allows for the specification of the topology with which this OSPF router will be participating, for the sake of compatibility. The options are:
Standard – Full RFC2328 compliant ABR OSPF operation.
Cisco – For interoperating with Cisco’s ABR behavior, which expects the backbone to be configured and active before setting the ABR flag.
IBM – For interoperating with IBM’s ABR behavior, which expects the backbone to be configured before settings the ABR flag.
* 
NOTE: Release 6.2.3.1 and earlier also have the following option for the ABR Type drop-down menu.
Shortcut – A shortcut area enables traffic to go through the non-backbone area with a lower metric whether or not the ABR router is attached to area 0.
Default Metric (1-16777214) – Specifies the metric used when redistributing routes from other (Default, Static, Connected, RIP, or VPN) routing information sources. The default value (Undefined) is 1, and the maximum is 16,777,214.
Auto-Cost Reference B@ (Mb/s) – The default is 100.
Redistribute Static Routes – Enables or disables the advertising of static (Policy Based Routing) routes into the OSPF system. This option is not selected by default.
* 
NOTE: The following applies to all Redistributed routes:
Metric – Can be explicitly set for this redistribution, or it can use the value (Default) specified in the Default Metric option.
Metric Type – The redistributed route advertisement i an LSA Type 5, and the type may be selected as either External Type 1 (adds the internal link cost) or External Type 2 (only uses the external link cost).

These fields are dimmed unless the Redistributed route option is selected.

Release 6.2.3.1 and earlier also have the following option:
Tag (0-4294967295) – An optional route tag value can be added to help other routers identify this redistributed route; the minimum tag number is 0, the maximum tag number is 4,294,967,295, and the default tag value is Undefined.
Redistribute Connected Networks - Enables or disables the advertising of locally connected networks into the OSPF system. This option is not selected by default.
Redistribute RIP Routes - Enables or disables the advertising of routes learned via RIP into the OSPF system. This option is not selected by default.
* 
NOTE: Release 6.2.3.1 and earlier also have the following Global OSFP Configuration option.
Originate Default Route – Controls the advertising of the firewall’s default route into the OSPF system on this interface. The options are:
Never – Disables advertisement of the default route into the OSPF system.
When WAN is up – Advertises the default route into the OSPF system when the WAN is online. The default route is always advertised as an External Type 2 using LSA Type 5.
Always – Enables advertisement of the default route into the OSPF system. The default route is always advertised as an External Type 2 using LSA Type 5.
Metric (1-16777214) – Can be explicitly set for this redistribution, or it can use the value specified in the Default Metric option. The minimum value is 1, the maximum value is 16,777,214, and the default value is 10.
Redistribute Remote VPN Networks - Enables or disables the advertising of static (Policy Based Routing) routes into the RIP system.

The Routing Protocols section shows the status of all active OSPF routers by interface.

The and Status LED’s indicate whether or not there are active neighbors and can be moused over for more detail.

The Routing Policies section shows routes learned by OSPF as OSPF or RIP Routes.

Configuring Advanced Routing for Tunnel Interfaces

VPN Tunnel Interfaces can be configured for advanced routing. To do so, you must enable advanced routing for the tunnel interface on the Advanced tab of its configuration. See Adding a Tunnel Interface for more information.

After you have enabled advanced routing for a Tunnel Interface, it is displayed in the list with the other interfaces in the Advanced Routing table on the Network > Routing page.

To configure Advanced Routing options, click on the Edit icon in the Configure RIP or Configure OSPF column for the Tunnel Interface you wish to configure. The RIP and OSPF configurations for Tunnel Interfaces are very similar to the configurations for traditional interfaces.

Global Unnumbered Configuration (Releases 6.2.3.1 and Earlier Only)

Because Tunnel Interfaces are not physical interfaces and have no inherent IP address, they must “borrow” the IP address of another interface. Therefore, the advanced routing configuration for a Tunnel Interface includes the following options for specifying the source and destination IP addresses for the tunnel:
IP Address Borrowed From - The interface whose IP address is used as the source IP address for the Tunnel Interface.
* 
NOTE: The borrowed IP address must be a static IP address.
Remote IP Address - The IP address of the remote peer to which the Tunnel Interface is connected. In the case of a SonicWALL-to-SonicWALL configuration with another Tunnel Interface, this should be the IP address of the borrowed interface of the Tunnel Interface on the remote peer.

* 
NOTE: The IP Address Borrowed From and Remote IP Address values apply to both RIP and OSPF for the Tunnel Interface. Changing one of these values in RIP will change the value in OSPF and vice versa.
Guidelines for Configuring Tunnel Interfaces for Advanced Routing

The following guidelines will ensure success when configuring Tunnel Interfaces for advanced routing:
The borrowed interface must have a static IP address assignment.
The borrowed interface cannot have RIP or OSPF enabled on its configuration.
* 
TIP: SonicWALL recommends creating a VLAN interface that is dedicated solely for use as the borrowed interface. This avoids conflicts when using wired connected interfaces.
The IP address of the borrowed interface should be from a private address space, and should have a unique IP address in respect to any remote Tunnel Interface endpoints.
The Remote IP Address of the endpoint of the Tunnel Interface should be in the same network subnet as the borrowed interface.
The same borrowed interface may be used for multiple Tunnel Interfaces, provided that the Tunnel interfaces are all connected to different remote devices.
When more than one Tunnel Interface on an appliance is connected to the same remote device, each Tunnel Interface must use a unique borrowed interface.

Depending on the specific circumstances of your network configuration, these guidelines may not be essential to ensure that the Tunnel Interface functions properly. But these guidelines are SonicWALL best practices that will avoid potential network connectivity issues.