Cisco Systems CL-28826-01 Security Camera User Manual


User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 54 Configuring Routing Policies on Firewall Devices
Configuring OSPFv3

Think of a link as being an interface on a networking device. A link-state protocol makes its routing
decisions based on the states of the links that connect source and destination devices. The state of a link
is a description of that interface and its relationship to its neighboring networking devices. This interface
information includes the IPv6 prefix/length of the interface, the type of network it is connected to, the
devices connected to that network, and so on. This information is propagated in various types of link-state
advertisements (LSAs). Because only LSAs are exchanged, rather than entire routing tables, OSPF
networks converge more quickly than RIP networks.

The ASA can run two processes of the OSPFv3 protocol simultaneously on different sets of interfaces.
You might want to run two processes if you have interfaces that use the same IP addresses (NAT allows
these interfaces to co-exist, but OSPFv3 does not allow overlapping addresses). Or you might want to
run one process on the inside interface and another on the outside, redistributing a subset of routes
between the two processes. Similarly, you might need to segregate private addresses from public
addresses.

You can redistribute routes into an OSPFv3 routing process from another OSPFv3 routing process, a RIP
routing process, or from static and connected routes configured on OSPFv3-enabled interfaces.

If NAT is employed but OSPFv3 is only running in public areas, routes to public networks can be
redistributed inside the private network, either as default or type 5 AS External LSAs. However, you
need to configure static routes for the private networks protected by the security appliance. Also, you
should not mix public and private networks on the same security appliance interface.

Differences Between OSPFv2 and OSPFv3
The additional features provided by OSPFv3 over OSPFv2 include the following:
• Use of the IPv6 link-local address for neighbor discovery and other features.
• LSAs expressed as prefix and prefix length.
• Addition of two LSA types.
• Handling of unknown LSA types.
• Protocol processing per link.
• Removal of addressing semantics.
• Addition of flooding scope.
• Support for multiple instances per link.
• Authentication support using the IPsec ESP standard for OSPFv3 routing protocol traffic, as
  specified by RFC 4552.

Configuration Restrictions
The following are ASA OSPFv3 configuration restrictions:
• To enable OSPFv3 on a specific interface, IPv6 should be enabled on the interface and the
  interface must be named.
• Only one OSPFv3 process, with one area and one instance, can be assigned to an interface.
• Interface neighbor entries take effect only when OSPFv3 is enabled and the network type is
  point-to-point on the specified interface.
• The interface neighbor address must be a link-local address.
• The Range value in the area Range table should be unique across the area.
• If the area is set to NSSA or stub, the same area cannot be set for a virtual link.
• OSPFv3 redistribution is not applicable on the same OSPFv3 process.
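
The restrictions listed above can be checked against a planned policy before it is deployed. The following Python lint is an added example, not code from Cisco or from this guide; the dictionary layout, field names and sample policy are hypothetical and constructed for illustration.

```python
import ipaddress

def lint_ospfv3(cfg):
    """Return restriction violations in a policy dict (hypothetical layout, not a Cisco format)."""
    errs = []
    for ifc in cfg["interfaces"]:
        label = ifc.get("name") or ifc["hw_id"]
        bindings = ifc.get("ospfv3", [])  # (process, area, instance) tuples
        if bindings and not (ifc.get("name") and ifc.get("ipv6_enabled")):
            errs.append(f"{label}: must be named and IPv6-enabled")
        if len(bindings) > 1:
            errs.append(f"{label}: more than one process/area/instance")
        for nbr in ifc.get("neighbors", []):
            if not ipaddress.IPv6Address(nbr).is_link_local:
                errs.append(f"{label}: neighbor {nbr} is not link-local")
            if not bindings or ifc.get("network_type") != "point-to-point":
                errs.append(f"{label}: neighbor {nbr} has no effect")
    for proc in cfg["processes"]:
        pid = proc["id"]
        for area in proc.get("areas", []):
            # Normalize so differently written copies of one prefix collide.
            ranges = [ipaddress.IPv6Network(r) for r in area.get("ranges", [])]
            if len(ranges) != len(set(ranges)):
                errs.append(f"process {pid} area {area['id']}: duplicate range")
            if area.get("type") in ("nssa", "stub") and area["id"] in proc.get("virtual_link_areas", []):
                errs.append(f"process {pid} area {area['id']}: {area['type']} area has virtual link")
        if ("ospfv3", pid) in proc.get("redistribute", []):
            errs.append(f"process {pid}: redistributes from itself")
    return errs

# Constructed sample policy (not taken from a real device).
SAMPLE = {
    "interfaces": [
        {"hw_id": "GigabitEthernet0/0", "name": "outside", "ipv6_enabled": True,
         "ospfv3": [(1, 0, 0)], "network_type": "point-to-point", "neighbors": ["fe80::1"]},
        {"hw_id": "GigabitEthernet0/1", "name": "inside", "ipv6_enabled": True,
         "ospfv3": [(2, 1, 0)], "network_type": "broadcast", "neighbors": ["2001:db8::5"]},
        {"hw_id": "GigabitEthernet0/2", "name": "", "ipv6_enabled": False,
         "ospfv3": [(1, 0, 0), (2, 1, 0)]},
    ],
    "processes": [
        {"id": 1, "areas": [{"id": 0, "type": "normal"}], "redistribute": [("ospfv3", 2)]},
        {"id": 2, "virtual_link_areas": [1], "redistribute": [("ospfv3", 2)], "areas": [
            {"id": 1, "type": "stub", "ranges": ["2001:db8:1::/48", "2001:DB8:1::/48"]}]},
    ],
}

if __name__ == "__main__":
    print("\n".join(lint_ospfv3(SAMPLE)))
```

The sample's outside interface and process 1 pass; every other entry breaks at least one restriction, including the area range that is repeated with different letter case.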