NetScreen Concepts & Examples

ScreenOS Reference Guide
Volume 5: Dynamic Routing

ScreenOS  P/N  Rev F

Copyright Notice
NetScreen, NetScreen Technologies, GigaScreen, and the NetScreen logo are registered trademarks of NetScreen Technologies, Inc. NetScreen-5XP, NetScreen-5XT, NetScreen-25, NetScreen-50, NetScreen-100, NetScreen-204, NetScreen-208, NetScreen-500, NetScreen-1000, NetScreen-5200, NetScreen-5400, NetScreen-Global PRO, NetScreen-Global PRO Express, NetScreen-Remote Security Client, NetScreen-Remote VPN Client, NetScreen-IDP 100, NetScreen-IDP 500, GigaScreen ASIC, GigaScreen-II ASIC, and NetScreen ScreenOS are trademarks of NetScreen Technologies, Inc. All other trademarks and registered trademarks are the property of their respective companies.

Information in this document is subject to change without notice. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without receiving written permission from NetScreen Technologies, Inc.

350 Oakmead Parkway
Sunnyvale, CA 94085 U.S.A.
www.netscreen.com

FCC Statement
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.

The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with NetScreen’s installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
• Reorient or relocate the receiving antenna.
• Increase the separation between the equipment and receiver.
• Consult the dealer or an experienced radio/TV technician for help.
• Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.

Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.

Disclaimer
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR NETSCREEN REPRESENTATIVE FOR A COPY.

Contents

Preface
Conventions
  WebUI Navigation Conventions
    Example: Objects > Addresses > List > New
  CLI Conventions
    Dependency Delimiters
    Nested Dependencies
    Availability of CLI Commands and Features
NetScreen Documentation

OSPF Task Reference
  Overview of OSPF
    Areas
    Router Classification
    Hello Protocol
    Network Types
      Broadcast Networks
      Non-Broadcast Networks
      Point-to-Point Networks
    Link State Advertisements
    OSPF on NetScreen Devices
      OSPF Support on VPN Tunnels
      OSPF Authentication
      OSPF Interface Characteristics
  OSPF Commands
    OSPF Context Initiation
  Basic OSPF Configuration Tasks
    Enabling OSPF Instances at the Virtual Router Level
      Example: Starting an OSPF Instance
    Removing an OSPF Virtual Routing Instance
      Example: Disabling OSPF
    Creating OSPF Areas
      Example: Create an OSPF Area
    Assigning Interfaces to Areas
      Example: Assigning an Interface to an OSPF Area
    Redistributing Routes
      Example: Redistributing a BGP Route into OSPF
  OSPF Interface Configuration
    Creating a Hello Interval for a Virtual Link
    Example: Configuring a Virtual Link Retransmit

  Setting a Multi-Exit Discriminator (MED)
    Example: Setting a MED
  BGP Neighbor
  Configuring a Confederation
    Example: Creating a Confederation
  Adding an AS Member to a Confederation
    Example: Adding a New Confederation
  Basic BGP Configuration Tasks
    Creating a BGP

Index

Preface

Routing is an essential part of security devices. Without routing, the security devices could not effectively forward secure traffic to desired destinations. Dynamic routing shortens the time between changes in network topology and the forwarding of traffic on the network.

Volume 5, “Dynamic Routing” describes how to configure Open Shortest Path First (OSPF) and Border Gateway Protocol (BGP). This volume describes the following:
• Overview of OSPF, OSPF commands, basic configuration, advanced configuration
• Overview of BGP, BGP commands, basic configuration, advanced configuration

Conventions

This book presents two management methods for configuring a NetScreen device: the Web user interface (WebUI) and the command line interface (CLI). The conventions used for both are introduced below.

WebUI Navigation Conventions

Throughout this book, a chevron ( > ) is used to indicate navigation through the WebUI by clicking menu options and links.

Example: Objects > Addresses > List > New

To access the new address configuration dialog box, do the following:
1. Click Objects in the menu column. The Objects menu option expands to reveal a subset of options for Objects.
2. (Applet menu) Hover the mouse over Addresses. (DHTML menu) Click Addresses. The Addresses option expands to reveal a subset of options for Addresses.
3. Click List. The address book table appears.
4. Click the New link in the upper right corner. The new address configuration dialog box appears.

CLI Conventions

Each CLI command description in this manual reveals some aspect of command syntax. This syntax may include options, switches, parameters, and other features. To illustrate syntax rules, some command descriptions use dependency delimiters. Such delimiters indicate which command features are mandatory, and in which contexts.

Dependency Delimiters

Each syntax description shows the dependencies between command features by using special characters.
• The { and } symbols denote a mandatory feature. Features enclosed by these symbols are essential for execution of the command.
• The [ and ] symbols denote an optional feature. Features enclosed by these symbols are not essential for execution of the command, although omitting such features might adversely affect the outcome.
• The | symbol denotes an “or” relationship between two features. When this symbol appears between two features on the same line, you can use either feature (but not both). When this symbol appears at the end of a line, you can use the feature on that line, or the one below it.

Nested Dependencies

Many CLI commands have nested dependencies, which make features optional in some contexts, and mandatory in others. The three hypothetical features shown below demonstrate this principle.

    [ feature_1 { feature_2 | feature_3 } ]

The delimiters [ and ] surround the entire clause. Consequently, you can omit feature_1, feature_2, and feature_3, and still execute the command successfully. However, because the { and } delimiters surround feature_2 and feature_3, you must include either feature_2 or feature_3 if you include feature_1. Otherwise, you cannot successfully execute the command.

The following example shows some of the feature dependencies of the set interface command.

    set interface vlan1 broadcast { flood | arp [ trace-route ] }

The { and } brackets indicate that specifying either flood or arp is mandatory. By contrast, the [ and ] brackets indicate that the trace-route option for arp is not mandatory. Thus, the command might take any of the following forms:

    ns-> set interface vlan1 broadcast flood
    ns-> set interface vlan1 broadcast arp
    ns-> set interface vlan1 broadcast arp trace-route

Availability of CLI Commands and Features

As you execute CLI commands using the syntax descriptions in this manual, you may find that certain commands and command features are unavailable for your NetScreen device model. Because NetScreen devices treat unavailable command features as improper syntax, attempting to use such a feature usually generates the unknown keyword error message. When this message appears, confirm the feature’s availability using the ? switch. For example, the following commands list available options for the set vpn command:

    ns-> set vpn ?
    ns-> set vpn vpn_name ?
    ns-> set vpn gateway gate_name ?

NetScreen Documentation

To obtain technical documentation for any NetScreen product, visit www.netscreen.com/support/manuals.html. To access the latest NetScreen documentation, see the Current Manuals section. To access archived documentation from previous releases, see the Archived Manuals section.

To obtain the latest technical information on a NetScreen product release, see the release notes document for that release. To obtain release notes, visit www.netscreen.com/support and select Software Download. Select the product and version, then click Go. (To perform this download, you must be a registered user.)

If you find any errors or omissions in the following content, please contact us at the e-mail address below:

techpubs@netscreen.com


OSPF Task Reference

This chapter describes the Open Shortest Path First (OSPF) routing protocol. The following topics are covered:

• “Overview of OSPF”
  – “Areas”
  – “Router Classification”
  – “Hello Protocol”
  – “Network Types”
  – “Link State Advertisements”
  – “OSPF on NetScreen Devices”
• “OSPF Commands”
• “Basic OSPF Configuration Tasks”
  – “Enabling OSPF Instances at the Virtual Router Level”
  – “Removing an OSPF Virtual Routing Instance”
  – “Creating OSPF Areas”
  – “Assigning Interfaces to Areas”
  – “Redistributing Routes”
• “OSPF Interface Configuration”
  – “Displaying OSPF Interface Details”
  – “Setting a Clear-Text Password on an Interface”
  – “Setting a Cost Value for an OSPF Interface”
  – “Setting a Dead Interval for an OSPF Interface”
  – “Setting a Hello Interval for an OSPF Interface”
  – “Setting a Neighbor List for an OSPF Interface”
  – “Setting a Retransmit Interval for an OSPF Interface”
  – “Setting a Priority Value on an OSPF Interface”
  – “Setting a Transit Delay Value on an OSPF Interface”
• “OSPF Virtual Link Configuration”
  – “Creating a Virtual Link”
  – “Automatically Creating a Virtual Link”
  – “Creating a Message Digest for a Virtual Link”
  – “Configuring a Clear-Text Password for a Virtual Link”
  – “Creating a Dead Interval for a Virtual Link Neighbor”
  – “Configuring a Retransmit Interval for a Virtual Link”
  – “Configuring a Transit Delay Value for a Virtual Link”
• “OSPF Information”
  – “Displaying Statistics for an OSPF Routing Instance”
  – “Displaying Details about Redistribution Conditions”
  – “Displaying Details about Redistributed Routes”
  – “Displaying Objects in the OSPF Database”
  – “Displaying Stub Details”
  – “Displaying OSPF Configuration”
• “Other OSPF Configuration”
  – “Binding OSPF to a Tunnel Interface”
  – “Announcing a Default Route in All Areas”
  – “Configuring Summary Routes”
  – “Removing a Default Route”
  – “Setting an Area Range”
  – “Setting a Hello Flood Attack Threshold”
  – “Setting an LSA Threshold”
  – “Configuring an RFC-1583 Environment”

Overview of OSPF

The Open Shortest Path First (OSPF) is an Interior Gateway Protocol (IGP) intended to operate within a single Autonomous System (AS). A router running OSPF distributes its state information (i.e., usable interfaces and neighbor reachability) by periodically flooding link-state advertisements (LSAs) throughout the AS.

Each OSPF router uses LSAs from neighboring routers to maintain a link-state database. The link-state database is a listing of topology and state information for the surrounding networks. The constant distribution of LSAs throughout the AS enables all routers in an AS to maintain an identical link-state database.

OSPF uses the link-state database to determine the best path to any network within the AS. This is done by generating a shortest-path tree, which is a graphical representation of the shortest path to any network within the AS. While all routers have the same link state database, they all have unique shortest-path trees because routers always generate the tree with themselves at the top (root) of the tree. More information on LSAs, link-state databases, and areas is covered later in this chapter.

Areas

OSPF allows networks to be grouped together logically or geographically by the use of areas. By default all routers are grouped into a single “backbone” area called area 0 (usually denoted as area 0.0.0.0). However, large geographically dispersed networks are typically segmented into multiple areas. This is because as networks grow, link-state databases grow and dividing the link-state database into smaller groups allows for better scalability.

Areas also reduce the amount of routing information passed throughout the network because a router only maintains a link-state database for the area it resides in. No link-state information is maintained for networks/routers outside the local area. It is important to note that all areas must be directly connected to area 0, with only one exception to be covered later.

A router that is placed between two areas is called an area border router and because all areas must be directly connected to area 0, any area outside of the backbone area is called a stub area. There are two common types of stub areas used in OSPF, both with their own characteristics:

• Stub area - An area that receives route summaries from the backbone area but does not receive link-state advertisements from other areas for routes learned through non-OSPF sources (i.e., BGP). A stub area can be considered a Totally Stubby Area if no summary routes are allowed in the stub area.
• Not So Stubby Area (NSSA) - Like a normal stub area, NSSAs cannot receive routes from non-OSPF sources outside the current area. However, external routes learned within the area can be learned and passed to other areas.

Areas are configured at the VR level first, then interfaces can be configured to reside in areas defined at the VR level. If a second area is created within ScreenOS, the device functions as an ABR.

Router Classification

Routers that participate in OSPF routing are classified according to their function or location in the network:

• Internal Router - A router with all interfaces belonging to the same area.
• Backbone Router - A router that has an interface in the backbone area.
• Area Border Router - When an OSPF area borders another area, the router between the two areas is called an area border router. An area border router (ABR) is a router that has interfaces in multiple areas, one of which is the backbone area. An ABR summarizes the routes from the non-backbone area for distribution back to area 0.
• AS Boundary Router - When an OSPF area borders another AS, the router between the two autonomous systems is called an autonomous system boundary router (ASBR). An ASBR is responsible for advertising external AS routing information throughout an AS.

Hello Protocol

Two routers with interfaces on the same subnet are considered neighbors. Routers use the hello protocol to establish and maintain these neighbor relationships. When two routers establish bidirectional communication, they are said to have established an adjacency. If two routers do not establish an adjacency, they cannot exchange routing information.

In cases where there are multiple routers on a network, it is necessary to establish one router as the designated router (DR) and another as the backup designated router (BDR). The designated router is solely responsible for flooding the network with LSAs containing a list of all OSPF-enabled routers attached to the network. The DR is considered the most important router in an OSPF network because it is the only router that can form adjacencies with other routers on the network. Therefore, the DR is the only router on a network that can provide routing information to other routers. The BDR is responsible for becoming the designated router if the DR should fail. It is this type of hierarchy that enables OSPF to scale while minimizing network “chatter”.

Network Types

ScreenOS supports the following network types:
• Broadcast Networks
• Non-Broadcast Networks
• Point-to-Point Networks

Broadcast Networks

A broadcast network is a network that connects many routers together and can send, or broadcast, a single physical message to all the attached routers. Pairs of routers on a broadcast network are assumed to be able to communicate with each other. Ethernet is an example of a broadcast network.

On broadcast networks, the OSPF router dynamically detects its neighbor routers by sending Hello packets to the multicast address 224.0.0.5. For broadcast networks, the Hello protocol elects a Designated Router and Backup Designated Router for the network.

Non-Broadcast Networks

A non-broadcast network is a network that connects many routers together but cannot broadcast messages to attached routers. On non-broadcast networks, OSPF protocol packets that are normally multicast need to be sent to each neighboring router. On non-broadcast networks, OSPF runs in one of two modes:
• Non-broadcast multi-access (NBMA) simulates OSPF operation on a broadcast network
• Point-to-multipoint considers the network to be a collection of point-to-point networks

On non-broadcast networks, you will need to enter configuration information in order for the OSPF router to discover its neighbors. For NBMA networks, the Hello protocol elects a Designated Router and Backup Designated Router for the network.

Point-to-Point Networks

A point-to-point network typically joins two routers over a Wide Area Network (WAN). An example of a point-to-point network is two routers connected by a 56Kb serial line. On point-to-point networks, the OSPF router dynamically detects neighbor routers by sending Hello packets to the multicast address 224.0.0.5.

Link State Advertisements

Each OSPF router sends out LSAs that define the router’s local state information. Additionally, there are other types of LSAs that a router can send out, depending upon the router’s OSPF function. The following table summarizes the LSA types:

| LSA Type | Sent By | Flooded Throughout | Information Sent in LSA |
|---|---|---|---|
| Router LSA | All OSPF routers | Area | Describes the state of all router interfaces throughout the area. |
| Network LSA | Designated Router on broadcast and NBMA networks | Area | Contains a list of all routers connected to the network. |
| Summary LSA | Area Border Routers | Area | Describes a route to a destination outside the area but still inside the AS. There are two types: Type 3 summary-LSAs describe routes to networks. Type 4 summary-LSAs describe routes to AS boundary routers. |
| AS-External | Autonomous System Boundary Router | Autonomous System | Routes to a network in another AS. Often, this is the default route (0.0.0.0/0). |

OSPF on NetScreen Devices

On NetScreen devices, OSPF is enabled on a virtual router basis and has configuration parameters at the VR level and the interface level. Since you can have multiple virtual routers in a system, you can also run multiple instances of OSPF on a single device. ScreenOS supports OSPF version 2, as defined by RFC 2328. You can also configure OSPF to be compatible with RFC 1583, an earlier version of OSPF.

OSPF Support on VPN Tunnels

OSPF is supported for IPsec VPN tunnels and requires the use of route-based VPNs. You can enable OSPF on a VPN that is bound to a single tunnel interface that can be numbered or unnumbered. After binding the VPN to the tunnel interface, you can enable and configure OSPF in the same way as a physical interface. When OSPF is enabled for a tunnel interface, the network type is point-to-point.

OSPF Authentication

ScreenOS provides simple password and MD5 authentication to validate OSPF packets received from neighbors. Authentication can be configured at the virtual router level; in this case, all OSPF interfaces associated with the virtual router use the same authentication method. Authentication can also be configured at the interface level.

OSPF Interface Characteristics

Several OSPF parameters are configurable at the interface level. The following are OSPF interface characteristics:

• Authentication Type - Authentication enables the interface to verify OSPF communication on the interface. Two types of authentication exist in ScreenOS: message digest (MD5) password authentication and clear-text password authentication. An MD5 authentication password requires a 16-digit password string and a clear-text password requires an eight-digit password string. The MD5 password also requires the configuration of key strings.
• Cost - In OSPF, a route’s cost determines the desirability of the route. The cost associated with a network interface depends on the bandwidth of the link to which the interface is connected. The higher the bandwidth, the lower, or more desirable, the cost value. The default cost is 10.
• Dead Interval - The dead interval is the maximum amount of time that elapses before OSPF determines one of its neighbors is not running. The default is 40 seconds.
• Hello Interval - The OSPF routing instance sends out Hello packets at regular intervals. The default is 10 seconds.
• Priority - The priority is used when electing the Designated Router and Backup Designated Router. The higher the number, the more likely the OSPF routing instance is to be elected as a DR or BDR. The default is 10.
• Retransmit Interval - The retransmit interval is the amount of time that elapses between LSA retransmissions for adjacencies that belong to a specified interface. The default is 5 seconds.
• Transit Delay - Transit delay is the amount of time required between transmissions of link-state update packets sent by the current interface. The default is 1 second.
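The two authentication types described above differ in what actually crosses the wire. The following added example (not code from the NetScreen manual) builds OSPFv2 Hello packets as laid out in RFC 2328 Appendix D with each type, using the sample password and key printed in this guide; the router ID 192.0.2.1, the Hello field values and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import struct

HDR = struct.Struct("!BBH4s4sHH8s")   # OSPFv2 header, 24 bytes (RFC 2328 A.3.1)
AU_SIMPLE, AU_MD5 = 1, 2


def cksum(data):
    """16-bit one's-complement Internet checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def hello_body(hello=10, dead=40, priority=1):
    """Hello payload; 10 s / 40 s are the interval defaults listed above."""
    mask, none = socket.inet_aton("255.255.0.0"), socket.inet_aton("0.0.0.0")
    return struct.pack("!4sHBBI4s4s", mask, hello, 0x02, priority, dead, none, none)


def _header(rid, area, length, checksum, autype, auth):
    return HDR.pack(2, 1, length, socket.inet_aton(rid), socket.inet_aton(area),
                    checksum, autype, auth)


def build_simple(rid, area, body, password):
    """AuType 1: the password itself travels in the 8-byte Authentication field."""
    auth = password.encode().ljust(8, b"\x00")
    if len(auth) > 8:
        raise ValueError("clear-text password is limited to 8 bytes")
    length = HDR.size + len(body)
    # The checksum covers the packet except the Authentication field.
    draft = _header(rid, area, length, 0, AU_SIMPLE, b"\x00" * 8)
    return _header(rid, area, length, cksum(draft[:16] + body), AU_SIMPLE, auth) + body


def build_md5(rid, area, body, key, key_id, seq):
    """AuType 2: key ID, sequence number and a trailing digest; the key stays local."""
    secret = key.encode().ljust(16, b"\x00")
    if len(secret) > 16:
        raise ValueError("MD5 key is limited to 16 bytes")
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)
    packet = _header(rid, area, HDR.size + len(body), 0, AU_MD5, auth) + body
    return packet + hashlib.md5(packet + secret).digest()


def verify_md5(wire, keys, last_seq):
    """Return (accepted, reason) as a receiving neighbor would decide."""
    if len(wire) < HDR.size + 16:
        return False, "truncated"
    _, _, length, _, _, _, autype, auth = HDR.unpack(wire[:HDR.size])
    if autype != AU_MD5:
        return False, "wrong authentication type"
    _, key_id, dlen, seq = struct.unpack("!HBBI", auth)
    if key_id not in keys or dlen != 16 or len(wire) != length + 16:
        return False, "unknown key or bad length"
    secret = keys[key_id].encode().ljust(16, b"\x00")
    if not hmac.compare_digest(hashlib.md5(wire[:length] + secret).digest(), wire[length:]):
        return False, "digest mismatch"
    if seq < last_seq:
        return False, "replayed sequence number"
    return True, "ok"


# Sample secrets are the ones printed in this guide; the router ID is constructed.
RID, AREA = "192.0.2.1", "0.0.0.10"
KEYS = {1: "1234567890123456"}
CLEAR = build_simple(RID, AREA, hello_body(), "12345678")
SIGNED = build_md5(RID, AREA, hello_body(), KEYS[1], key_id=1, seq=1000)


def password_field(wire):
    """Bytes 16-23 of an AuType 1 packet, as any host on the segment sees them."""
    return wire[16:24].rstrip(b"\x00").decode()


def tamper(wire):
    """Flip the Hello priority byte in transit, without knowing the key."""
    changed = bytearray(wire)
    changed[HDR.size + 7] ^= 0xFF
    return bytes(changed)


if __name__ == "__main__":
    print("clear-text field on the wire:", password_field(CLEAR))
    print("MD5 key present in packet   :", KEYS[1].encode() in SIGNED)
    print("genuine :", verify_md5(SIGNED, KEYS, 1000))
    print("tampered:", verify_md5(tamper(SIGNED), KEYS, 1000))
    print("replayed:", verify_md5(SIGNED, KEYS, 1001))
```

The clear-text type offers no protection against anyone who can observe the segment, while the MD5 type rejects both modified packets and packets carrying a sequence number older than the last one accepted.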

OSPF Commands

Use the ospf context commands and the interface commands to configure OSPF in a NetScreen device.

OSPF Context Initiation

To issue ospf context commands, do the following:

1. Enter the vrouter context by executing the set vrouter command.

    ns-> set vrouter vrouter

   where vrouter is the name of the virtual router.

2. Enter the ospf context by executing the set protocol ospf command.

    ns(trust-vr)-> set protocol ospf

For more information on the ospf context commands, refer to “Context-Sensitive Commands in the CLI” on page 2-58.

Basic OSPF Configuration Tasks

The following configuration tasks are mandatory for most OSPF implementations.

Enabling OSPF Instances at the Virtual Router Level

You can enable or disable OSPF instances at the virtual router level or at the interface level. When you enable or disable OSPF at the virtual router level, all OSPF interfaces inside the virtual router are affected. When you enable or disable OSPF at the interface level, only the specific OSPF interface is affected. You can create an instance of OSPF in a virtual router using either the WebUI or the CLI set protocol ospf command.

Example: Starting an OSPF Instance

In the following example, you enable OSPF in the trust-vr with default options.

WebUI

Network > Routing > Virtual Routers > trust-vr : Select Create OSPF Instance, and then click OK.

CLI

    1. ns-> set vrouter trust-vr
    2. ns(trust-vr)-> set protocol ospf
    3. ns(trust-vr)-> save

Note: Use the unset protocol ospf command to disable OSPF instances.

Removing an OSPF Virtual Routing Instance

Use the WebUI or the CLI unset enable command to remove the OSPF routing instance from the virtual router on which it was created.

Example: Disabling OSPF

In the following example, you disable the current OSPF routing instance.

WebUI

Network > Routing > Virtual Routers > Edit (for trust-vr) > Delete OSPF Instance.

CLI

    1. ns-> set vrouter trust-vr
    2. ns(trust-vr)-> set protocol ospf
    3. ns(trust-vr/ospf)-> unset enable
    4. ns(trust-vr/ospf)-> save

Creating OSPF Areas

To configure or display details about OSPF areas on a NetScreen device, use either the WebUI or the CLI set area commands.

Example: Create an OSPF Area

In the following example, you create an OSPF stub area with an area ID of 10.

WebUI

Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance > Area: Enter the following, and then click OK:

    Area ID: 10
    Type: stub
    Action: Add

CLI

    1. ns-> set vrouter trust-vr
    2. ns(trust-vr)-> set protocol ospf
    3. ns(trust-vr/ospf)-> set area 10 stub
    4. ns(trust-vr/ospf)-> save

Assigning Interfaces to Areas

Once an area is created at the VR level, you can assign an interface to the area, using either the WebUI or the CLI set interface command.

Example: Assigning an Interface to an OSPF Area

In the following example, you assign interface ethernet1 to OSPF area 10.

WebUI

Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance > Area > Configure (for Area 10) > ethernet1: Use the Add button to move the interface from the Available Interfaces column to the Selected Interfaces column. Click OK.

CLI

    1. ns-> set interface ethernet1 protocol ospf area 10
    2. ns-> save

Redistributing Routes

Redistribution is the process of importing a route into the current routing domain from another part of the network that uses another routing protocol. This process allows the translation of routing information, particularly known routes, from the other routing protocol. For example, if you are on an OSPF network and a BGP network, the OSPF domain can import all known routes from the BGP network to allow devices in the OSPF routing domain to reach devices on the BGP network. Because different protocols are imported using different preferences, redistribution provides a local preference value as a way of comparing path desirability between protocols.

When a route is redistributed, it affects the number of external LSAs generated in a given domain. For external LSAs to be advertised, the router performs redistribution.

When you configure route redistribution, you must first specify a route map that defines the routes to be distributed. For more information on configuring route maps, refer to “Route Redistribution” on page 2-74.

To configure route redistribution, determine which routing protocol is the source of the routes and which routing protocol is the destination, or target, protocol that will advertise these newly-learned external routes. You can redistribute routes using either the WebUI or the CLI set redistribute route-map commands.

Example: Redistributing a BGP Route into OSPF

In the following example, you redistribute a route that originated from a BGP routing domain into the current OSPF routing domain. Both the CLI and WebUI examples assume that you previously created a route map called map1.

WebUI

Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance > Redistributable Rules: Enter the following, and then click Add:

    Route Map: map1
    Protocol: BGP

CLI

    1. ns-> set vrouter trust-vr
    2. ns(trust-vr)-> set protocol ospf
    3. ns(trust-vr/ospf)-> set redistribute route-map map1 protocol bgp
    4. ns(trust-vr/ospf)-> save

OSPF Interface Configuration

This section describes OSPF interface configuration tasks.

Displaying OSPF Interface Details

Use the CLI get interface command to display details of the interface for which you have configured an OSPF routing instance.

Example: Displaying OSPF Interface Information

In the following example, you display details of the interface for which you have configured an OSPF routing instance.

WebUI

Note: You can only view OSPF configuration details for an interface through the CLI.

CLI

    ns-> get interface ethernet1 protocol ospf
    VR: trust-vr RouterId: 212.1.1.1
    ----------------------------------
    Interface: ethernet2/1
    IpAddr: 20.20.20.20/16, OSPF: enabled, Router: enabled
    Type: Ethernet Area: 0.0.0.10 Priority: 100 Cost: 1
    Transit delay: 60s Retransmit interval: 5s Hello interval: 10s
    Router Dead interval: 40s Authentication-Type: MD-5
    Authentication-Key: **************** MD-5 KeyId: 1
    State: Designated Router DR: 20.20.20.20(self) BDR: 0.0.0.0
    Neighbors:
    Valid neighbor access list numbers in Vrouter (trust-vr)
    ----------------------------------------------------------------------

Setting a Clear-Text Password on an Interface

To configure a clear-text password as an authentication method for OSPF communication on an interface, use either the WebUI or the CLI set interface command.

Example: Configuring the Clear-Text Password Authentication Method

In this example, you set a clear-text password 12345678 for OSPF on interface ethernet1.

WebUI
Network > Interfaces > Edit (for ethernet1) > OSPF: Enter the following, and then click Apply:
    Password: (select), 12345678

CLI
1. ns-> set interface ethernet1 protocol ospf authentication password 12345678
2. ns-> save

Setting an MD5 Password on an Interface

To configure a message digest (MD5) password as an authentication method for all OSPF communication on an interface, use either the WebUI or the CLI set interface command.

Example: Configuring the MD5 Password Authentication Method

In the following example, you set a message digest password 1234567890123456 and a key ID 1 for OSPF on interface ethernet1.

WebUI
Network > Interfaces > Edit (for ethernet1) > OSPF: Enter the following, and then click Apply:
    MD5 Key: (select), 1234567890123456
    Key ID: 1

CLI
1. ns-> set interface ethernet1 protocol ospf authentication md5 1234567890123456 key 1
2. ns-> save

Setting a Cost Value for an OSPF Interface

You can set a cost value for an OSPF interface using either the WebUI or the CLI set interface command.

Example: Configuring the Cost for an OSPF Interface

In this example, you set a cost value for OSPF on interface ethernet1.

WebUI
Network > Interfaces > Edit (for ethernet1) > OSPF: Enter the following, and then click Apply:
    Cost: 20

CLI
1. ns-> set interface ethernet1 protocol ospf cost 20
2. ns-> save

Setting a Dead Interval for an OSPF Interface

A dead interval is the maximum amount of time that can elapse before a neighbor is determined to be not running. To set a dead interval value on a physical interface on a NetScreen device, use either the WebUI or the CLI set interface command.

Example: Configuring the Dead Interval

In this example, you set a dead interval of 100 seconds for OSPF on interface ethernet1.

WebUI
Network > Interfaces > Edit (for ethernet1) > OSPF: Enter the following, and then click Apply:
    Neighbor Dead Interval: 100

CLI
1. ns-> set interface ethernet1 protocol ospf dead-interval 100
2. ns-> save

Setting a Hello Interval for an OSPF Interface

A Hello interval is the amount of time that elapses between instances of a hello packet being sent out to the network by the current routing instance. To set a hello interval, use either the WebUI or the CLI set interface command.

Example: Configuring the Hello Interval

In this example, you set a hello interval of 100 seconds for OSPF on interface ethernet1.

WebUI
Network > Interfaces > Edit (for ethernet1) > OSPF: Enter the following, and then click Apply:
    Hello Interval: 100

CLI
1. ns-> set interface ethernet1 protocol ospf hello-interval 100
2. ns-> save

Setting a Neighbor List for an OSPF Interface

You can configure a list of peers or neighbors to the current OSPF virtual routing instance, using either the WebUI or the CLI set interface command.

Example: Configuring a Neighbor List

In this example, you create a neighbor list for OSPF on interface ethernet1.

WebUI
Network > Interfaces > Edit (for ethernet1) > OSPF: Enter the following, and then click Apply:
    Neighbor List: 4 | 5 | 6

CLI
1. ns-> set interface ethernet1 protocol ospf neighbor-list 4 5 6
2. ns-> save

Setting a Retransmit Interval for an OSPF Interface

A retransmit interval value specifies the amount of time, in seconds, that elapses before the interface resends an LSA to a neighbor that did not respond to the original LSA. You can specify a retransmit interval for an OSPF interface using either the WebUI or the CLI set interface command.

Example: Configuring the Retransmit Interval

In the following example, you set a retransmit interval of 100 seconds for OSPF on interface ethernet1.

WebUI
Network > Interfaces > Edit (for ethernet1) > OSPF: Enter the following, and then click Apply:
    Retransmit Interval: 100

CLI
1. ns-> set interface ethernet1 protocol ospf retransmit-interval 100
2. ns-> save

Setting a Priority Value on an OSPF Interface

Routers on a network go through an election process to become the designated router. The designation is made by routers comparing their priority value. The router with the larger value has the best (although not guaranteed) chance of being elected the DR. You can configure a priority value on an OSPF interface using either the WebUI or the CLI set interface command.

Example: Configuring the Priority Value

In this example, you set a priority value of 100 for OSPF interface ethernet1.

WebUI
Network > Interfaces > Edit (for ethernet1) > OSPF: Type 100 in the Priority field, and then click Apply.

CLI
1. ns-> set interface ethernet1 protocol ospf priority 100
2. ns-> save

Setting a Transit Delay Value on an OSPF Interface

To set the amount of time between transmissions of link-state update packets on an interface, you need to set a transit delay value. To configure a transit delay value on an OSPF interface, use either the WebUI or the CLI set interface command.

Example: Configuring the Transit Delay

In the following example, you set a transit delay of 10 seconds on OSPF interface ethernet1.

WebUI
Network > Interfaces > Edit (for ethernet1) > OSPF: Type 10 in the Transit Delay field, and then click Apply.

CLI
1. ns-> set interface ethernet1/1 protocol ospf transit_delay 10
2. ns-> save

OSPF VIRTUAL LINK CONFIGURATION

This section describes OSPF virtual link configuration tasks.

Creating a Virtual Link

All areas in an OSPF internetwork must connect directly to the backbone area. Sometimes, you need to create a new area that is not physically connected to the backbone area. To solve this problem you configure a virtual link. The virtual link provides a remote area with a logical path to the backbone through another area. To create or display details about a virtual link for the current routing instance, use the WebUI or the CLI set vlink commands.

Example: Creating a Virtual Link to the Backbone Area

In the following example, you create a vlink using an area of 0.0.0.10 with a router ID of 10.10.10.20.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance > Virtual Link: Enter the following, and then click Add:
    Area ID: 0.0.0.10
    Router ID: 10.10.10.20

CLI
1. ns(trust-vr/ospf)-> set vlink area 0.0.0.10 router-id 10.10.10.20
2. ns(trust-vr/ospf)-> save

Automatically Creating a Virtual Link

You can direct a virtual router to automatically create a virtual link for instances when it cannot reach the network backbone. Having the virtual router automatically create virtual links replaces the more time-consuming process of creating each virtual link manually. You configure a virtual router to automatically create virtual links using either the WebUI or the CLI set autovlink command.

Example: Creating an Automatic Virtual Link

In the following example, you configure automatic virtual link creation.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance: Select Automatically generate virtual links and then click OK.

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> set auto-vlink
4. ns(trust-vr/ospf)-> save

Creating a Message Digest for a Virtual Link

To enable MD5 authentication for a virtual link on an OSPF virtual routing instance, use either the WebUI or the CLI set vlink authentication md5 command.

Example: Creating a Virtual Link with MD5 Authentication

In the following example, you create a virtual link with an area ID of 10, a router ID of 10.10.10.20, and an MD5 password of 1234567890123456.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance > Virtual Link: Enter the following, and then click Add:
    Area ID: 0.0.0.10
    Router ID: 10.10.10.20
> Configure: Enter the following, and then click OK:
    Authentication MD5: (select)
    MD5 Key (16 characters): 1234567890123456

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> set vlink area-id 0.0.0.10 router-id 10.10.10.20 authentication-type md5 1234567890123456
4. ns(trust-vr/ospf)-> save

Configuring a Clear-Text Password for a Virtual Link

To configure a clear-text password as an authentication method for a virtual link on an OSPF virtual routing instance, use either the WebUI or the CLI set vlink authentication command.

Example: Creating a Virtual Link with Clear-Text Password

In the following example, you create a virtual link with an area ID of 10, a router ID of 10.10.10.20, and a clear-text password with a value of 12345678.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance > Virtual Link: Enter the following, and then click Add:
    Area ID: 0.0.0.10
    Router ID: 10.10.10.20
> Configure: Enter the following, and then click OK:
    Authentication Password: (Selected)
    Password (8 characters): 12345678

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> set vlink area-id 0.0.0.10 router-id 10.10.10.20 authentication-type password 12345678
4. ns(trust-vr/ospf)-> save

Creating a Dead Interval for a Virtual Link Neighbor

To create a dead interval for a neighbor that is reachable across a virtual link, use the WebUI or the CLI set vrouter protocol ospf vlink dead-interval command.

Example: Configuring a Virtual Link Neighbor Dead Interval

In the following example, you create a virtual link with an area ID of 10, a router ID of 10.10.10.20, and a dead interval of 50 seconds.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance > Virtual Link: Enter the following, and then click Add:
    Area ID: 0.0.0.10
    Router ID: 10.10.10.20
> Configure: In the Router Dead Interval field, type 50, and then click OK.

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> set vlink area 0.0.0.10 router 10.10.10.20 dead-interval 50
4. ns(trust-vr/ospf)-> save

Creating a Hello Interval for a Virtual Link

To create a hello interval for a virtual link on an OSPF virtual routing instance, use the WebUI or the CLI set vrouter protocol ospf hello-interval command.

Example: Configuring a Virtual Link Hello Interval

In the following example, you create a virtual link with an area ID of 10, a router ID of 10.10.10.20, and a hello interval of 30 seconds.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance > Virtual Link: Enter the following, and then click Add:
    Area ID: 0.0.0.10
    Router ID: 10.10.10.20
> Configure: In the Hello Interval field, type 30, and then click OK.

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> set vlink area 0.0.0.10 router 10.10.10.20 hello-interval 30
4. ns(trust-vr/ospf)-> save

Configuring a Retransmit Interval for a Virtual Link

To specify the time between link-state advertisement (LSA) retransmissions for adjacencies across a virtual link interface, use the WebUI or the CLI set vlink area router retransmit-interval command.

Example: Configuring a Virtual Link Retransmit Interval

In this example, you create a virtual link with an area ID of 10, a router ID of 10.10.10.20, and a retransmit interval of 20 seconds.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance > Virtual Link: Enter the following, and then click Add:
    Area ID: 0.0.0.10
    Router ID: 10.10.10.20
> Configure: In the Retransmit Interval field, type 20, and then click OK.

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> set vlink area 0.0.0.10 router 10.10.10.20 retransmit-interval 20
4. ns(trust-vr/ospf)-> save

Configuring a Transit Delay Value for a Virtual Link

To configure the amount of time required between transmissions of link-state update packets being sent by the current virtual link, use the WebUI or the CLI set vlink transit-delay command.

Example: Configuring a Virtual Link Transit Delay

In this example, you create a virtual link with an area ID of 10, a router ID of 10.10.10.20, and a transit delay of 100 seconds.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance > Virtual Link: Enter the following, and then click Add:
    Area ID: 0.0.0.10
    Router ID: 10.10.10.20
> Configure: In the Transit Delay field, type 100, and then click OK.

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> set vlink area 0.0.0.10 router-id 10.10.10.20 transit-delay 100
4. ns(trust-vr/ospf)-> save

OSPF INFORMATION

This section describes tasks for displaying OSPF information.

Displaying Statistics for an OSPF Routing Instance

Use the CLI get statistics command to display information about the following objects associated with an OSPF routing instance:
• Hello Packets
• Link State Requests
• Link State Acknowledgments
• Link State Updates
• Database Descriptions
• Areas Created
• Shortest Path First Runs
• Packets Dropped
• Errors Received
• Bad Link State Requests

Example: Displaying OSPF Statistics

In the following example, you display information about various statistics recorded for OSPF in the trust-vr virtual router.

WebUI
Note: You can only display these statistics through the CLI.

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> get statistics

VR: untrust-vr RouterId: 0.0.0.0
----------------------------------
Packet Type       Transmit   Receive
------------------------------------
Hello             0          0
LS Request        0          0
LS Acknowledge    0          0
LS Update         0          0
Database Desc     0          0

AreaId            SPF Runs
--------------------------
0.0.0.0           1
0.0.0.10          0

Packets Dropped: None
Receive Errors: None
Bad LS Requests: 0

Note: Use the clear command to reset all packet types to 0.

QIRUPDWLRQ 'LVSOD\LQJ 'HWDLOV DERXW 5HGLVWULEXWLRQ &RQGLWLRQV Use either the WebUI or the CLI get rules-redistribute command to display details about conditions set for routes that have been imported from a non-OSPF router in another routing domain.2 ---------------------------------trust-vr ========== Redistribution Rules -------------------------------------------------IP-Prefix Source-Protocol Cost ASE-Type Tag ------------------------------------------------------------------------------100.0. Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance > Redistributable Rules &/.&KDSWHU  263) 7DVN 5HIHUHQFH 263) .1.4/16 any 10 1 0.0.1. ([DPSOH 'LVSOD\LQJ 5HGLVWULEXWLRQ &RQGLWLRQV In the following example. you display the currently-configured redistribution rules.10 1HW6FUHHQ &RQFHSWV ([DPSOHV ² 9ROXPH  '\QDPLF 5RXWLQJ  . ns-> set vrouter trust-vr ns(trust-vr)-> set protocol ospf ns(trust-vr/ospf)-> get rules-redistribute VR: trust-vr RouterId: 1.1. :HE8.123. 1. 2. 3.

&KDSWHU  263) 7DVN 5HIHUHQFH 263) .0 20 1 0. you display information about routes that have been imported from a non-OSPF router in another routing domain by the current OSPF routing instance.0 0.QIRUPDWLRQ 'LVSOD\LQJ 'HWDLOV DERXW 5HGLVWULEXWHG 5RXWHV Use the routes-redistribute command to display details about routes that have been imported from a non-OSPF router in another routing domain by the current OSPF virtual routing instance.1. ns-> set vrouter trust-vr ns(trust-vr)-> set protocol ospf ns(trust-vr/ospf)-> get routes-redistribute VR: trust-vr RouterId: 1.1.0. ([DPSOH 'LVSOD\LQJ 5HGLVWULEXWHG 5RXWHV 'HWDLOV In the following example. 3. :HE8.0 1HW6FUHHQ &RQFHSWV ([DPSOHV ² 9ROXPH  '\QDPLF 5RXWLQJ  . &/. 1. 2.2 ---------------------------------IP-Prefix Cost ASE-Type Forwarding-IP Tag ---------------------------------------------------------------1.1.0.1. Note: You can only display these details through the CLI.0.0.

3. 2. ([DPSOH 'LVSOD\LQJ 263) 'DWDEDVH 2EMHFWV In the following example.QIRUPDWLRQ 'LVSOD\LQJ 2EMHFWV LQ WKH 263) 'DWDEDVH Use the CLI get database command to display objects in the current OSPF router’s database. &/. ns-> set vrouter trust-vr ns(trust-vr)-> set protocol ospf ns(trust-vr/ospf)-> get database area 0 router Link-State-Id Adv-Router-IDAge Sequence Checksum ---------------------------------------------------------20 1.0 20 2 1 1HW6FUHHQ &RQFHSWV ([DPSOHV ² 9ROXPH  '\QDPLF 5RXWLQJ  .&KDSWHU  263) 7DVN 5HIHUHQFH 263) .1. :HE8.1. you display details about route LSAs for area 0 in the OSPF database of the current OSPF routing instance. Note: You can only use the CLI to display these statistics. 1.

Displaying Stub Details

Use the WebUI or the CLI get stub command to display details about a stub area that has been created on the current OSPF virtual routing instance.

Example: Displaying Stub Area Details

In the following example, you display the stub type created on the current OSPF routing instance.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance > Area > Configure

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> get stub

VR: untrust-vr RouterId: 0.0.0.0
----------------------------------
Area-ID: 0.0.0.10 (Stub)
Total number of interfaces is 0, Active number of interfaces is 0
Route Imports: None, SPF Runs: 0
Number of ABR(s): 0, Number of ASBR(s): 0
Number of LSA(s): 0, Checksum: 0x0
Default route metric type is ext-type-1, metric is 1
Type-3 LSA Filter: disabled

Displaying OSPF Configuration

Use the CLI get config command to display the OSPF configuration.

Example: List OSPF Configuration Commands

In the following example, you display a list of all OSPF configuration commands.

WebUI
Note: To view the OSPF commands, you must use the CLI.

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> get config

VR: untrust-vr RouterId: 0.0.0.0
----------------------------------
set protocol ospf
set disable
set auto-vlink
set advertise-def-route always metric 10 metric-type 1
set area 0.0.0.10 nssa
exit

OTHER OSPF CONFIGURATION

This section describes tasks for displaying OSPF information.

Binding OSPF to a Tunnel Interface

To bind a tunnel interface to an OSPF routing instance on a NetScreen device, use either the WebUI or the CLI set interface tunnel command.

Example: Binding a Tunnel to an OSPF Routing Instance

In the following example, you bind OSPF to the tunnel interface tunnel.1.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance > Area > Configure: Enter the following, and then click Apply:
    Available Interfaces: tunnel.1
Use the Add button to move the tunnel.1 interface from the Available Interfaces column to the Selected Interfaces column.

CLI
1. ns-> set interface tunnel.1 protocol ospf
2. ns-> save

Announcing a Default Route in All Areas

Every router has a default route in its routing table. The default route matches every destination network in a routing table, although a more specific prefix overrides the default route. Typically, the default route is 0.0.0.0/0. Use either the WebUI or the CLI set advertise-default-route command to advertise or display the current default route throughout an AS.

Example: Advertising the Default Route

In the following example, you advertise the current OSPF routing instance’s default route.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance: Select Advertising Default Route Enable, and then click OK.
Note: The default metric is 1 and the default metric-type is ASE type 1.

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> set advertise-default-route always metric 1 metric-type 1
4. ns(trust-vr/ospf)-> save

Configuring Summary Routes

In large internetworks, hundreds or even thousands of network addresses can exist. In these environments, some routers may become overly congested with route information. Route aggregation, also called route summarization, reduces the number of routes that a router must maintain because it represents a series of network addresses as a single summary address. By summarizing multiple addresses, you enable a series of routes to be recognized as one route, simplifying the process.

Another advantage to using route summarization in a large, complex network is that it can isolate topology changes from other routers. That is, if a specific link in a given domain is intermittently failing, the summary route would not change, so no router external to the domain would need to keep modifying its routing table due to the link failure. In addition to creating fewer entries in the routing tables on the backbone routers, route summarization prevents the propagation of LSAs to other areas when one of the summarized networks goes down or comes up.

You can summarize inter-area routes or external routes. Once you have redistributed a series of routes from an external protocol to the current OSPF routing instance, you can bundle the routes into one generalized or summarized network route. Use either the WebUI or the CLI set summary-import command to summarize route redistribution. Note that you need a route map to perform a redistribution.

Example: Summarizing Redistributed Routes

In the following example, you summarize a set of redistributed routes under the network address 2.1.1.0/16.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance > Summary Import: Enter the following, and then click Add:
    IP/Netmask: 2.1.1.0/16
    Tag: 20

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> set redistribute route-map abcd protocol static
4. ns(trust-vr/ospf)-> set redistribute route-map abcd protocol bgp
5. ns(trust-vr/ospf)-> set summary-import 2.1.1.0/16 tag 20
6. ns(trust-vr/ospf)-> save
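The stability benefit claimed for summary routes can be checked with a small model. The following is an added example, not NetScreen code: it counts how often the set of externally advertised prefixes changes while one summarized network flaps, with and without the summary. It assumes a summary stays advertised as long as at least one redistributed route still falls inside it; the component prefixes and the flap sequence are constructed.

```python
import ipaddress

# The summary address used in the example above. It is written with host bits
# set (2.1.1.0/16); strict=False normalizes it to the network 2.1.0.0/16.
SUMMARY = ipaddress.ip_network("2.1.1.0/16", strict=False)

# Constructed redistributed routes: three inside the summary, one outside.
ROUTES = ["2.1.1.0/24", "2.1.2.0/24", "2.1.200.0/24", "9.9.9.0/24"]

# Constructed event log: one network inside the summary goes down and comes
# back up three times (an intermittently failing link).
FLAPS = [("down", "2.1.200.0/24"), ("up", "2.1.200.0/24")] * 3


def advertised(routes, summaries):
    """Return the prefixes announced to other routers.

    A route covered by a summary is replaced by that summary; any other
    route is announced as it is. Assumption: the summary is announced only
    while at least one covered route exists.
    """
    out = set()
    for route in routes:
        net = ipaddress.ip_network(route)
        cover = next((s for s in summaries if net.subnet_of(s)), None)
        out.add(str(cover if cover is not None else net))
    return frozenset(out)


def count_updates(routes, events, summaries):
    """Count the events that change what other routers are told."""
    live = set(routes)
    last = advertised(live, summaries)
    updates = 0
    for action, prefix in events:
        if action == "down":
            live.discard(prefix)
        else:
            live.add(prefix)
        now = advertised(live, summaries)
        if now != last:
            updates += 1
            last = now
    return updates


if __name__ == "__main__":
    print("announced:", sorted(advertised(ROUTES, [SUMMARY])))
    print("updates with summary:   ", count_updates(ROUTES, FLAPS, [SUMMARY]))
    print("updates without summary:", count_updates(ROUTES, FLAPS, []))
```

The model also shows the limit of the benefit: when the last route inside the summary is withdrawn, the summary itself disappears and other routers do see a change.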

Removing a Default Route

Use either the WebUI or the CLI set reject-default-route command to remove a default route learned from OSPF.

Example: Removing the Default Route from the Route Table

In the following example, you specify that a default route not be learned from OSPF.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance: Select the Do not add default-route learned in OSPF check box and then click OK.

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> set reject-default-route
4. ns(trust-vr/ospf)-> save

Setting an Area Range

Configuring an area range allows an area border router to summarize the networks advertised within an area. An area range allows a group of subnets to be consolidated into a single network address to be advertised in a summary link advertisement. When you configure an area range, you can also specify whether to advertise or to withhold the area range defined. To configure an area range, use either the WebUI or the CLI set area command.

Example: Configuring an Area Range

In the following example, you create an area range of 20.20.0.0/16 for the area 0.0.0.10.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance > Area > Configure (for 0.0.0.10): Enter the following, and then click OK:
    IP: 20.20.0.0
    NetMask: 255.255.0.0
    Type: (select) Advertise
    Action: Add

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> set area 0.0.0.10 range 20.20.0.0/16 advertise
4. ns(trust-vr/ospf)-> save

Setting a Hello Flood Attack Threshold

Use the WebUI or the CLI set hello-threshold command to configure the maximum number of hello packets allowed within a specified amount of time.

Example: Configuring the Hello Threshold

In the following example, you configure a threshold of 20 packets.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance: Enter the following, and then click Apply:
    Prevent Hello Packet Flooding Attack: On
    Max hello packet: 20

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> set hello-threshold 20
4. ns(trust-vr/ospf)-> save

Setting an LSA Threshold
Link State Advertisements (LSAs) enable OSPF routers to provide device, network, and routing information for the link state database. Each router retrieves information from the LSAs sent by other routers on the network to distill path information for the routing table. LSA flood protection enables you to manage the number of LSAs entering the virtual router. If the virtual router receives too many LSAs, the router fails because of LSA flooding. To set the number of LSAs that the virtual router receives within a certain amount of time, use either the WebUI or the CLI set lsa-threshold command to configure a maximum number of LSAs that can be received per neighbor per LSA interval to prevent LSA flooding.

Example: Configuring the LSA Threshold
In this example, you create an OSPF LSA flood attack threshold of 10 packets per 10 seconds.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance: Enter the following, and then click OK:
    LSA Packet Threshold Time: 10
    Maximum LSAs: 10

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> set lsa-threshold 10 10
4. ns(trust-vr/ospf)-> save
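The authentication settings for interfaces and virtual links and the hello and LSA flood thresholds described in this chapter can be checked offline against a saved command list. The following is an added example, not NetScreen code: a Python audit that reads commands in the syntax shown in this guide and reports OSPF interfaces and virtual links that use a clear-text password or no authentication, and OSPF instances with no explicit hello-threshold or lsa-threshold. The sample configuration, the interface names ethernet2 and ethernet3, and the router ID 10.10.10.30 are constructed for illustration.

```python
import re

# Constructed sample in the command syntax this guide shows (prompts
# included). It is not an export from a real device.
SAMPLE_CONFIG = """\
ns-> set interface ethernet1 protocol ospf authentication password 12345678
ns-> set interface ethernet2 protocol ospf authentication md5 1234567890123456 key 1
ns-> set interface ethernet3 protocol ospf cost 20
ns-> set vrouter trust-vr
ns(trust-vr)-> set protocol ospf
ns(trust-vr/ospf)-> set vlink area-id 0.0.0.10 router-id 10.10.10.20 authentication-type password 12345678
ns(trust-vr/ospf)-> set vlink area 0.0.0.10 router-id 10.10.10.30 authentication-type md5 1234567890123456
ns(trust-vr/ospf)-> set hello-threshold 20
"""

PROMPT_RE = re.compile(r"^ns(\([^)]*\))?->\s*")
IFACE_RE = re.compile(r"^set interface (\S+) protocol ospf(?: (.*))?$")
# The guide writes both "area"/"area-id" and "router"/"router-id".
VLINK_RE = re.compile(r"^set vlink area(?:-id)? (\S+) router(?:-id)? (\S+)(?: (.*))?$")
THRESHOLDS = ("hello-threshold", "lsa-threshold")


def _auth_kind(options, keyword):
    """Return the word after `keyword` ('password' or 'md5'), else None."""
    words = (options or "").split()
    if keyword in words[:-1]:
        return words[words.index(keyword) + 1]
    return None


def _judge(obj, kind):
    """Turn an authentication type into zero or one finding."""
    if kind == "password":
        # A clear-text password is sent unencrypted in every OSPF packet.
        return [(obj, "clear-text OSPF password")]
    if kind is None:
        return [(obj, "OSPF without authentication")]
    return []


def audit(config_text):
    """Return sorted (object, issue) findings. Secrets are never echoed."""
    iface_auth, vlink_auth, instances = {}, {}, {}
    vrouter, in_ospf = None, False
    for raw in config_text.splitlines():
        line = PROMPT_RE.sub("", " ".join(raw.split()))
        if not line:
            continue
        m = IFACE_RE.match(line)
        if m:
            kind = _auth_kind(m.group(2), "authentication")
            iface_auth[m.group(1)] = kind or iface_auth.get(m.group(1))
        elif line.startswith("set vrouter "):
            vrouter, in_ospf = line.split()[2], False
        elif line == "set protocol ospf" and vrouter:
            in_ospf = True
            instances.setdefault(vrouter, set())
        elif line == "exit":
            if in_ospf:
                in_ospf = False
            else:
                vrouter = None
        elif in_ospf:
            m = VLINK_RE.match(line)
            words = line.split()
            if m:
                key = (vrouter, m.group(1), m.group(2))
                kind = _auth_kind(m.group(3), "authentication-type")
                vlink_auth[key] = kind or vlink_auth.get(key)
            elif len(words) > 1 and words[0] == "set" and words[1] in THRESHOLDS:
                instances[vrouter].add(words[1])

    findings = []
    for name, kind in iface_auth.items():
        findings += _judge(f"interface {name}", kind)
    for (vr, area, rid), kind in vlink_auth.items():
        findings += _judge(f"vlink {vr} area {area} router {rid}", kind)
    for vr, seen in instances.items():
        findings += [(f"vrouter {vr}", f"no explicit {t}")
                     for t in THRESHOLDS if t not in seen]
    return sorted(findings)


if __name__ == "__main__":
    for obj, issue in audit(SAMPLE_CONFIG):
        print(f"{obj}: {issue}")
```

A finding of "no explicit" threshold means only that the command is absent from the text that was audited; this guide does not state the default behaviour.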

Configuring an RFC 1583 Environment
Use the set rfc-1583 commands to set or display OSPF as specified by the Request for Comments 1583 document.

Example: Change to an RFC 1583 Environment
In the following example, you change your environment to one that is compatible with one specified by RFC 1583.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance: Select the rfc-1583 compatible check box, and then click OK.

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> set rfc-1583
4. ns(trust-vr/ospf)-> save

BGP Task Reference

BGP is a routing protocol for communication between autonomous systems (ASs) on the internet. Peer routers in each AS use BGP to exchange routing information. Each BGP peer router requires explicit configuration with the network-layer reachability information it advertises to (and accepts from) peer devices. This chapter describes important and commonly-used procedures for configuring your local virtual router for BGP environments.

• “The BGP Commands”
• “Basic BGP Configuration Tasks”
  – “Creating a BGP Instance of the Virtual Router”
  – “Specifying Reachable Networks from an AS”
  – “Enabling Aggregate Routes”
  – “Enabling Redistribution”
  – “Configuring a BGP Neighbor”
  – “Enabling a BGP Peer with an IP Address”
  – “Configuring a Hold Timer”
  – “Configuring a Keepalive Timer”
  – “Enabling Route Flap Damping”
  – “Discarding Default Route Advertisements from a Peer Router”
• “Advanced BGP Configuration Tasks”
  – “Applying a Route Map to Routes from Specified Neighbors”
  – “Assigning a Weight to a Path”
  – “Setting an AS Path Access List”
  – “Configuring a Community List”
  – “Setting a Local Preference”
  – “Setting a Multi-Exit Discriminator (MED)”
  – “Setting a Multi-Exit Discriminator (MED) Comparison”
  – “Configuring a Route Reflector”
  – “Setting a Neighbor as a Route Reflector Client”
  – “Configuring a Confederation”
  – “Adding an AS Member to a Confederation”

THE BGP COMMANDS

This section briefly describes the BGP context, and the CLI commands that configure a local virtual router to use BGP protocol.

Note: For more information on the BGP commands, see the NetScreen CLI Reference Guide.

Context Initiation

Before you can execute a BGP command, you must initiate the bgp context. Initiating the bgp context requires two steps:

1. Enter the vrouter context by executing the set vrouter command:
   ns-> set vrouter vrouter
   where vrouter is the name of the virtual router. (For this example, vrouter is the trust-vr virtual router.)
2. Enter the bgp context by executing the set protocol bgp command.
   ns(trust-vr)-> set protocol bgp

For more information on contexts, see “Context-Sensitive Commands in the CLI” on page 2-58.

Basic BGP Command Descriptions

The following commands are executable in the bgp context.

aggregate
    Use aggregate commands to create, display, or delete aggregates. Aggregation is a technique for summarizing a range of routing addresses into a single route entry, expressed as an IP address and a subnet mask. Aggregates can reduce the size of a routing table on a router, while maintaining its level of connectivity. In addition, aggregation can reduce the number of advertised addresses, thus reducing overhead.
    Command options: get, set, unset

always-compare-med
    Use the always-compare-med commands to enable, disable, or display the current always-compare-med setting. When you enable this setting, the NetScreen device compares paths from each autonomous system (AS) using the Multi-Exit Discriminator (MED). The MED determines the most suitable entry or exit point to each neighbor AS.
    Command options: get, set, unset

as-path-access-list
    Use as-path-access-list commands to create, remove, or display a regular expression in an AS-Path access list. An AS-path access list serves as a packet filtering mechanism. The NetScreen device can consult such a list and permit or deny BGP packets based on the regular expressions contained in the list.
    Command options: get, set, unset

community-list
    Use community-list commands to enter a router in a community list, to remove a router from the list, or to display the list. A community consists of routes containing the same community attribute. This attribute is an identifier that classifies the routes according to some useful criterion. All routes with the same community attribute are said to be members of the same community. Routers can use the community attribute when they need to treat two or more advertised routes in the same way.
    Command options: get, set, unset

confederation
Use the confederation commands to create a confederation, to remove a confederation, or to display confederation information. Confederation is a technique for dividing an AS into smaller sub-ASs and grouping them. Using confederations reduces the number of connections inside an AS, thus simplifying the routing process.
Command options: get, set, unset

enable
Use the enable commands to enable or disable BGP.
Command options: get, set, unset

flap-damping
Use the flap-damping commands to enable or disable the flap-damping setting. Enabling this setting blocks the advertisement of a route until the route becomes stable. Flap damping allows the NetScreen device to contain routing instability at an AS border router, adjacent to the region where instability occurs.
Command options: get, set, unset

hold-time
Use the hold-time commands to specify or display the maximum amount of time (in seconds) that can elapse between messages received from the BGP neighbor.
Command options: get, set, unset

ignore-default-route
Use the ignore-default-route commands to enable, disable, or display the ignore-default-route setting. Enabling this setting makes the NetScreen device ignore default route advertisements from the BGP peer router.
Command options: get, set, unset

keepalive
Use the keepalive commands to specify the amount of time (in seconds) that elapses between keepalive packet transmissions. These transmissions ensure that the TCP connection between the local BGP router and a neighbor router is up.
Command options: get, set, unset

local-pref
Use the local-pref command to configure the LOCAL_PREF metric on a BGP router. This metric expresses preference for one set of paths over another.
Command options: get, set, unset

med
Use the med commands to specify or display the local Multi-Exit Discriminator (MED) ID number. The MED determines the most suitable entry or exit point when there are multiple exit/entry points to the same neighbor autonomous system (AS).
Command options: get, set, unset

neighbor
Use the neighbor commands to set or display general configuration parameters for the local BGP virtual router. The device uses these parameters while establishing a BGP connection to another autonomous system (AS).
Command options: clear, exec, get, set, unset

network
Use the network commands to create, display, or delete network and subnet entries. The BGP virtual router advertises these entries to peer devices, without first requiring redistribution into BGP (as with static routing table entries).
Command options: get, set, unset

redistribute
Use the redistribute commands to import routes advertised by external routers that use protocols other than BGP, or to display the current redistribute settings.
Command options: get, set, unset

reflector
Use the reflector commands to allow the local BGP virtual router to serve as a route reflector. A route reflector is a router that passes Interior BGP (IBGP) learned routes to specified IBGP neighbors (clients), thus eliminating the need for each router in a mesh to talk to every other router. The clients use the route reflector to readvertise routes to the entire autonomous system (AS).
Command options: get, set, unset

synchronization
Use the synchronization command to enable synchronization with Interior Gateway Protocol (IGP).
Command options: set, unset

BASIC BGP CONFIGURATION TASKS

The following configuration tasks are mandatory for most BGP implementations.

Creating a BGP Instance of the Virtual Router

To enable or disable a specific BGP virtual routing instance, use the WebUI or the CLI set enable commands.

Note: A virtual router (such as trust-vr) can have only one BGP virtual routing instance at a time. Consequently, you cannot create a new BGP virtual routing instance if one already exists.

Example: Starting a Virtual Routing Instance

In the following example, you start a virtual routing instance (with AS ID 20) and enable BGP.

WebUI

Network > Routing > Virtual Routers > Edit (for trust-vr) > Create BGP Instance: Enter the following, and then click OK:
AS Number (required): 20
BGP Enabled: (select)

CLI

1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp 20
3. ns(trust-vr/bgp)-> set enable
4. ns(trust-vr/bgp)-> save

The BGP virtual router advertises these network entries to peer devices.168. &/.169. and then click OK. you make a network (192.0/24) reachable from the local virtual router. 1. ns-> set vrouter trust-vr ns(trust-vr)-> set protocol bgp ns(trust-vr/bgp)-> set network 192.0/24 ns(trust-vr/bgp)-> save 1HW6FUHHQ &RQFHSWV ([DPSOHV ² 9ROXPH  '\QDPLF 5RXWLQJ  . 3. 2. :HE8. ([DPSOH 0DNLQJ D 1HWZRUN 5HDFKDEOH IURP WKH /RFDO 9LUWXDO 5RXWHU In the following example. Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance > Networks: Enter 192. without first requiring redistribution into BGP (as with static routing table entries). use the WebUI or the CLI set network commands.1.&KDSWHU  %*3 7DVN 5HIHUHQFH %DVLF %*3 &RQILJXUDWLRQ 7DVNV 6SHFLI\LQJ 5HDFKDEOH 1HWZRUNV IURP DQ $6 During the initial setup of your BGP network.169. you need to construct a list of networks that are reachable from the virtual router.1. To make entries in the network list. 4.1.0/24 in the IP/Netmask field.

Enabling Aggregate Routes

Aggregation summarizes a range of routing addresses into a single route entry expressed as an IP address and a subnet mask. You can create, display, or delete BGP aggregates using the WebUI or the CLI set aggregate commands.

Example: Making an Aggregate Route Entry

For the following example, assume that the internetwork contains the following subnets of 192.168.10.0/24:

• 192.168.10.0/28
• 192.168.10.16/28
• 192.168.10.32/28
• 192.168.10.128/30

Instead of sending individual routes for each, you aggregate them into one advertisement (192.168.10.0/24).

WebUI

Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance > Aggregate Address: Enter the following, and then click OK:
IP/Netmask: 192.168.10.0/24
Aggregate State: Enable: (select)

CLI

1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> unset enable
4. ns(trust-vr/bgp)-> set aggregate ip 192.168.10.0/24
5. ns(trust-vr/bgp)-> set enable
6. ns(trust-vr/bgp)-> save
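The aggregate in the example above advertises the whole of 192.168.10.0/24, although only four subnets contribute to it. The following Python sketch is an added example, not part of the NetScreen guide: it takes the aggregate and subnets from this page and reports which parts of the aggregate have no contributing subnet, so that the extra address space is known before the route is advertised. The function names are hypothetical.

```python
import ipaddress

# Aggregate and contributing subnets from the example on this page.
AGGREGATE = "192.168.10.0/24"
SUBNETS = [
    "192.168.10.0/28",
    "192.168.10.16/28",
    "192.168.10.32/28",
    "192.168.10.128/30",
]


def audit_aggregate(aggregate, subnets):
    """Compare an aggregate with the subnets it is meant to summarize.

    Returns a dict with:
      outside   - subnets that the aggregate does not contain
      overlaps  - pairs of contained subnets that overlap each other
      uncovered - blocks inside the aggregate that no subnet accounts for
    All prefixes are assumed to be of the same IP version.
    """
    agg = ipaddress.ip_network(aggregate, strict=True)
    nets = [ipaddress.ip_network(s, strict=True) for s in subnets]

    outside = [n for n in nets if not n.subnet_of(agg)]
    inside = sorted(set(n for n in nets if n.subnet_of(agg)))
    overlaps = [(a, b) for i, a in enumerate(inside)
                for b in inside[i + 1:] if a.overlaps(b)]

    # Carve every contributing subnet out of the aggregate; what is left is
    # address space the aggregate advertises without a more specific route.
    remaining = [agg]
    for net in inside:
        carved = []
        for block in remaining:
            if net.subnet_of(block):
                # Yields nothing when net == block, i.e. the block is used up.
                carved.extend(block.address_exclude(net))
            elif not block.subnet_of(net):
                carved.append(block)  # block is unrelated to this subnet
            # A block that lies inside net is fully covered and is dropped.
        remaining = carved

    uncovered = list(ipaddress.collapse_addresses(remaining))
    return {"outside": outside, "overlaps": overlaps, "uncovered": uncovered}


def uncovered_addresses(report):
    """Number of addresses advertised by the aggregate but not by any subnet."""
    return sum(block.num_addresses for block in report["uncovered"])


if __name__ == "__main__":
    report = audit_aggregate(AGGREGATE, SUBNETS)
    total = ipaddress.ip_network(AGGREGATE).num_addresses
    print("subnets outside the aggregate:", report["outside"])
    print("overlapping subnets:", report["overlaps"])
    print("uncovered: %d of %d addresses" % (uncovered_addresses(report), total))
    for block in report["uncovered"]:
        print("  ", block)
```

Traffic for any address in an uncovered block is still attracted to the router that advertises the aggregate, so those blocks need a deliberate drop or forwarding decision on the device.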

Enabling Redistribution

When a virtual router learns about routes from other dynamic protocols (or by static configuration) it does not automatically advertise the routes to the BGP peers. You must first import the routes into the BGP protocol. To import such routes, or to display the current route redistribution settings, use the WebUI or the CLI set redistribute commands. For more information on importing route redistribution rules and on importing routes, see “Route Redistribution” on page 2-74.

Example: Creating a Redistribution Rule

In the following example, you create a redistribution rule for all routes learned from OSPF, and filter the routes according to an existing route map (Corp_Office).

WebUI

Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance > Redist Rules: Enter the following, and then click OK:
Route Map: Corp_Office
Protocol: OSPF

CLI

1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set redistribute route-map Corp_Office protocol ospf
4. ns(trust-vr/bgp)-> save

Configuring a BGP Neighbor

Before two BGP devices can communicate and exchange routes, they need to identify each other so they can start a BGP session. To identify a neighbor to the virtual router, use the WebUI or the set neighbor commands.

Note: If the neighbor is in the same AS as the local BGP speaker, the two devices use IBGP to establish a connection.

Example: Configuring the Virtual Router for a Neighbor

In the following example, you configure the virtual router for a connection with a neighbor. This neighbor has the following attributes:

• IP address 192.55.4.4
• Resides in an AS with ID 20

WebUI

Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance > Neighbors: Enter the following and then click Add:
AS Number: 20
Remote IP: 192.55.4.4

CLI

1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set neighbor 192.55.4.4 remote-as 20
4. ns(trust-vr/bgp)-> save

Enabling a BGP Peer with an IP Address

After setting up a connection between the virtual router and a neighbor, you must enable the connection. To perform this operation, use the WebUI or the CLI set neighbor commands.

Example: Enabling a BGP Peer Connection

In the following example, you enable a connection between the local virtual router and a BGP neighbor (192.55.4.4).

WebUI

Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance > Neighbors > Configure (for 192.55.4.4): Select Peer Enabled, and then click OK.

CLI

1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set neighbor 192.55.4.4 enable
4. ns(trust-vr/bgp)-> save

Configuring a Hold Timer

As your network becomes mature, you may need to alter the maximum time interval between messages transmitted from a BGP speaker to its neighbor. To specify or display this interval, use the WebUI or the CLI hold-time commands.

Example: Setting the Hold-Time Value

In the following example, you set the hold-time value to 60 seconds.

WebUI

Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance: Enter the following and then click OK:
Hold Time: Enable (select)
Hold Time: 60

CLI

1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set hold-time 60
4. ns(trust-vr/bgp)-> save

Configuring a Keepalive Timer

Keepalive transmissions ensure that the TCP connection between the local BGP router and a neighbor router is still up. To set or display the time interval (in seconds) that can elapse between keepalive packet transmissions, use the WebUI or the CLI keepalive commands.

Example: Setting the Keepalive Timer

In the following example, you create a keepalive value of 20.

WebUI

Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance: Select Hold Time Enable, type 60 in the Hold Time field, and then click OK.

Note: You cannot specifically set a value for the keepalive interval through the WebUI. However, by setting the Hold Time value at 60 seconds, you indirectly set the keepalive value to 20 seconds, because the keepalive value is always 1/3 of the Hold Time value.

CLI

1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set keepalive 20
4. ns(trust-vr/bgp)-> save

Enabling Route Flap Damping

Flap damping contains routing instability at an AS border router, adjacent to the region where instability occurs. The flap-damping setting blocks the advertisement of a route until the route becomes stable. To enable or disable this setting, use the WebUI or the CLI set flap-damping commands.

Example: Enabling Flap Damping

In the following example, you enable flap damping on the BGP instance configured on the Trust-VR.

WebUI

Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance: Select Route flap damping state, and then click OK.

CLI

1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set flap-damping
4. ns(trust-vr/bgp)-> save

Discarding Default Route Advertisements from a Peer Router

You can instruct the BGP instance configured on a virtual router to ignore default route advertisements from its BGP peer. To enable, disable, or display this setting, use the WebUI or the CLI ignore-default-route commands.

Example: Ignoring Default Route Advertisements

In the following example, you enable the BGP instance defined on the Trust-VR to ignore default route advertisements that it receives from its BGP peer.

WebUI

Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance: Select Ignore default route from peer, and then click OK.

CLI

1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set ignore-default-route
4. ns(trust-vr/bgp)-> save

ADVANCED BGP CONFIGURATION TASKS

The following configuration tasks are optional, and are necessary only in advanced network environments.

Applying a Route Map to Routes from Specified Neighbors

A route map acts as a filter for routes going to and from BGP neighbors. To apply route map entries to incoming and outgoing routes from specified neighbors, use the WebUI or the CLI set neighbor commands.

Example: Applying Route Maps

In the following example, you apply two existing route maps (ID numbers 10 and 15) to an existing neighbor configuration (192.168.1.182).

WebUI

Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance > Neighbors > Configure (for 192.168.1.182): Enter the following, and then click OK:
Incoming Map-Tag: 10
Outgoing Map-Tag: 15
Peer Enabled: (select)

CLI

1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set neighbor 192.168.1.182 route-map 10 in
4. ns(trust-vr/bgp)-> set neighbor 192.168.1.182 route-map 15 out
5. ns(trust-vr/bgp)-> save

Assigning a Weight to a Path

The weight value represents the priority of the route between the local BGP virtual routing instance and the neighbor. The higher this value, the greater the priority of the route. To set this priority, use the WebUI or the CLI set neighbor commands.

Example: Specifying a Weight Value

In the following example, you specify a weight value of 30 for the BGP neighbor at IP address 192.55.4.4.

WebUI

Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance > Neighbors > Configure (for 192.168.1.182): Type 30 in the Weight field, and then click OK.

CLI

1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set neighbor 192.55.4.4 weight 30
4. ns(trust-vr/bgp)-> save

Setting an AS Path Access List

An AS-path access list serves as a packet filtering mechanism. The NetScreen device permits or denies BGP packets based on the regular expressions contained in the list. To create, remove or display a regular expression in an AS-Path access list, use the WebUI or the CLI as-path-access-list commands.

Specify the criteria in the AS Path String field:

Expression    Description
‘^’           Specifies the start of a path.
‘$’           Specifies the end of a path.

Example: Creating an Entry in the AS Path Access List

In the following example, you create an AS path access list entry (with ID 10) matching any path beginning with 100.

WebUI

Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance > AS Path: Enter the following and then click Add:
AS Path Access List ID: 10
Permit: Permit
AS Path String: ^100
Action: Add

CLI

1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set as-path-access-list 10 permit ^100
4. ns(trust-vr/bgp)-> save
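How the expression ^100 from the example above behaves on concrete AS paths can be checked offline. The following Python sketch is an added example, not part of the NetScreen guide. It assumes that the AS path is matched as text with AS numbers separated by single spaces, that list entries are tried in order, and that a path matching no entry is denied; the page states none of these, and the sample paths are constructed. The stricter expression uses Python regular-expression syntax, and the page does not say whether the device accepts that form.

```python
import re

# Entry from the example on this page: access list 10, permit, AS Path String ^100.
PAGE_ENTRIES = [("permit", "^100")]

# Stricter form in Python regex syntax: the first AS must be exactly 100.
STRICT_FIRST_AS_100 = r"^100( |$)"

# Constructed sample paths (not from the page); first element is the first AS.
SAMPLE_PATHS = [
    [100, 200, 300],  # begins with AS 100
    [100],            # AS 100 only
    [1000, 200],      # begins with AS 1000, whose text also starts with "100"
    [10045, 7],       # begins with AS 10045
    [200, 100],       # AS 100 present, but not first
]


def path_text(as_path):
    """Render an AS path as text (assumption: single-space separators)."""
    return " ".join(str(asn) for asn in as_path)


def evaluate(entries, as_path):
    """Return the action of the first entry whose expression matches.

    Assumptions: entries are tried in order, and a path that matches
    no entry is denied.
    """
    text = path_text(as_path)
    for action, expression in entries:
        if re.search(expression, text):
            return action
    return "deny"


def unintended_matches(expression, intended_first_as, as_paths):
    """Paths the expression matches although their first AS is a different one."""
    hits = []
    for as_path in as_paths:
        matched = re.search(expression, path_text(as_path)) is not None
        if matched and as_path[:1] != [intended_first_as]:
            hits.append(as_path)
    return hits


if __name__ == "__main__":
    for as_path in SAMPLE_PATHS:
        print("%-12s %s" % (path_text(as_path), evaluate(PAGE_ENTRIES, as_path)))
    print("matched by ^100 without starting at AS 100:",
          unintended_matches("^100", 100, SAMPLE_PATHS))
    print("matched by the stricter form without starting at AS 100:",
          unintended_matches(STRICT_FIRST_AS_100, 100, SAMPLE_PATHS))
```

Under these assumptions ^100 is a text prefix test, so paths whose first AS is 1000 or 10045 are permitted as well; reviewing an access list against real paths from the routing table shows whether that is intended.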

Configuring a Community List

A community consists of routes containing the same community attribute. This attribute is an identifier that classifies the routes according to some useful criterion. All routes with the same community attribute are said to be members of the same community. Routers can use the community attribute when they need to treat two or more advertised routes in the same way. To assign a route to a community, remove a route from the community, or display the community attribute, use the WebUI or the CLI community-list commands.

Note: Guidelines concerning when and how to use communities are beyond the scope of this manual.

Example: Creating a Community List

In the following example, you configure a community on two devices (Peer A and Peer B).

On Peer A, you configure a community-list with ID 1 using attribute 100:500. You then configure a static route for an internal network, which Peer A advertises to Peer B along with the community attribute. The community attribute enables Peer B to selectively insert this static route into its routing table. Then you create two access lists (ACLs) and apply them to two route-maps configured for route redistribution. This allows insertion of the connected and static routes into the local routing table. Finally, you configure neighbor settings, which allow the device to append routing updates with the community attributes specified in the route-map.

On Peer B, you configure a community-list with ID 1, using attribute 100:500. You then configure an access-list and apply it to a route-map configured for route redistribution. You then apply the route-map to the access-list, so Peer B can insert the static route received from Peer A (with community 100:500 appended) into the local routing table. Finally, you configure neighbor settings, which associate the route-map with Peer A.

CLI (Peer A)

Community List
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set community-list 1 permit 6554100
4. ns(trust-vr/bgp)-> exit

Static Route
5. ns(trust-vr)-> set route 10.1.1.0/24 interface ethernet3 gateway 192.128.1.254

Access List for all networks
6. ns(trust-vr)-> set access-list 1
7. ns(trust-vr)-> set access-list 1 permit ip 0.0.0.0/0 1

Access List for network
8. ns(trust-vr)-> set access-list 2
9. ns(trust-vr)-> set access-list 2 permit ip 10.1.1.0/24 1

Route Map ACL
10. ns(trust-vr)-> set route-map name "Import_ACL1" permit 90
11. ns(trust-vr)-> set match ip 1
12. ns(trust-vr)-> exit

Route Map ACL
13. ns(trust-vr)-> set route-map name "Import_ACL2" permit 100
14. ns(trust-vr)-> set match ip 2
15. ns(trust-vr)-> set community 1

Route Redistribution
16. ns(trust-vr)-> set protocol bgp redistribute route-map "Import_ACL1" protocol connected
17. ns(trust-vr)-> set protocol bgp redistribute route-map "Import_ACL2" protocol static

Neighbor
18. ns(trust-vr)-> set neighbor 172.16.1.254 send-community
19. ns(trust-vr)-> set neighbor 172.16.1.254 route-map "Import_ACL2" out
20. ns(trust-vr/bgp)-> save

CLI (Peer B)

Community List
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set community-list 1 permit 6554100

Access List for all networks
4. ns(trust-vr/bgp)-> set access-list 1
5. ns(trust-vr/bgp)-> set access-list 1 permit ip 0.0.0.0/0 1

Route Map ACL
6. ns(trust-vr/bgp)-> set route-map name "Import_Comm1" permit 90
7. ns(trust-vr/bgp)-> set match ip 1
8. ns(trust-vr/bgp)-> set match community 1

Route Redistribution
9. ns(trust-vr/bgp)-> set protocol bgp redistribute route-map "Import_Comm1" protocol imported

Neighbor
10. ns(trust-vr/bgp)-> set neighbor 172.16.1.254 route-map "Import_Comm1" in
11. ns(trust-vr/bgp)-> save

Setting a Local Preference

The degree to which the virtual router prefers one external route over another depends upon the LOCAL_PREF attribute. The higher the LOCAL_PREF value, the greater the preference. Routers always advertise this attribute to internal peers (that is, peers in the same AS) and to neighboring confederations, never to external peers. When a router receives a route that contains the LOCAL_PREF value, the router does not modify the route. Non-BGP routes advertised by a BGP router have a LOCAL_PREF value of 100 by default. To set or display the LOCAL_PREF attribute, use the WebUI or the CLI local-pref commands.

Example: Setting the Local Preference

In the following example, you configure a local preference value of 20 for all non-BGP routes advertised to IBGP peers.

WebUI

Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance > Parameters: Type 20 in the Local Preference field, and then click OK.

CLI

1. ns(trust-vr/bgp)-> set local-pref 20
2. ns(trust-vr/bgp)-> save

Setting a Multi-Exit Discriminator (MED)

The Multi-Exit Discriminator (MED) is an optional attribute used for selecting an external BGP connection when there are multiple connections to the same AS. When all other factors are equal, the virtual router uses the connection with the lowest MED value. If an EBGP update contains a MED value, the router sends the MED to all IBGP peers within the AS. If you assign a MED to the virtual router, this value overrides any MEDs received in update messages from external peers. To set or display the MED value, use the WebUI or the CLI med commands.

Example: Setting a MED

In the following example, you override the default value (100) with a value of 20. When the virtual router readvertises the external routes to IBGP peers, the routes have a MED value of 20.

WebUI

Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance: Type 20 in the Default MED field, and then click OK.

CLI

1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set med 20
4. ns(trust-vr/bgp)-> save

Setting a Multi-Exit Discriminator (MED) Comparison

You can enable the BGP instance configured on a virtual router to compare paths from each autonomous system (AS) using the Multi-Exit Discriminator (MED). The MED determines the most suitable entry or exit point to each neighbor AS. To enable, disable, or display this setting, use the WebUI or the CLI always-compare-med commands.

Example: Setting a MED Comparison

In the following example, you enable the BGP instance on the Trust-VR to compare paths it receives from each AS.

WebUI

Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance: Select Always compare med state, and then click OK.

CLI

1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set always-compare-med
4. ns(trust-vr/bgp)-> save

Configuring a Route Reflector

A route reflector is a router that passes Interior BGP (IBGP) learned routes to specified IBGP neighbors (clients). This makes it unnecessary for each router in a mesh to talk to every other router. The clients use the route reflector to readvertise routes to the entire autonomous system (AS). To configure a route reflector, use the WebUI or the CLI set reflector command.

Example: Designating a Route Reflector

In the following example, you designate a route reflector in a cluster (ID number 10).

WebUI

Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance: Enter the following, and then click OK:
Route Reflector: Enable
Cluster ID: 10

CLI

1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set reflector cluster-id 10
4. ns(trust-vr/bgp)-> save

Setting a Neighbor as a Route Reflector Client

After setting up a route reflector to communicate route information, you must configure client devices that receive the information. To configure an IBGP neighbor as a client, use the CLI neighbor commands.

Example: Configuring an IBGP Neighbor

In the following example, you configure an IBGP neighbor (192.55.4.3) as a client.

WebUI

Note: To set a neighbor as a route reflector client, you must use the CLI.

CLI

1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set neighbor 192.55.4.3 reflector-client
4. ns(trust-vr/bgp)-> save

Configuring a Confederation

A confederation divides an AS into smaller sub-ASs and groups them, thus reducing the number of connections inside the AS, and simplifying the routing matrices created by meshes. To create a confederation, remove a confederation, or display confederation information, use the WebUI or the CLI confederation commands.

Example: Creating a Confederation

In the following example, you create a confederation (200) and add a member (30).

WebUI

Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance > Confederation: Enter the following and then click OK:
Enable: (select)
ID: 200
Supported RFC: RFC 1965
Peer Member Area ID: 30

CLI

1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set confederation id 200
4. ns(trust-vr/bgp)-> set confederation peer 30
5. ns(trust-vr/bgp)-> save

Note: It is not necessary to specify RFC 1965. NetScreen BGP confederations support this RFC by default.

Adding an AS Member to a Confederation

To add an AS to a confederation, use the WebUI or the CLI set confederation { ... } peer command.

Example: Adding a New Confederation

In the following example, you add an AS (45040) to a confederation.

WebUI

Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance > Confederation: Type 45040 in Peer member area ID, and then click Add.

CLI

1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set confederation peer 45040
4. ns(trust-vr/bgp)-> save
