
Web: Example for Configuring an OSPF NSSA

To import external routes into a specific OSPF area, which a stub area does not allow, configure that area as an NSSA.

Networking Requirements

As shown in Figure 1, all FWs run OSPF, and the AS is divided into three areas. FW_A and FW_B serve as ABRs to forward inter-area routes. FW_D serves as an ASBR and imports external routes (static routes).

It is required that Area1 should be configured as an NSSA, FW_C should be configured as an ASBR to import external routes (static routes), and routing information should be correctly advertised in the AS.

Figure 1 Networking diagram for configuring an OSPF NSSA

Configuration Roadmap

The configuration roadmap is as follows:

  1. Enable OSPF and configure basic OSPF functions on each FW.
  2. Configure a static route on FW_D and import it to OSPF.
  3. Configure Area1 as an NSSA. Run the stub command on each device in Area1. Check OSPF routes on FW_C.
  4. Configure a static route on FW_C and import it to OSPF.
  5. Check OSPF routes on FW_D.

Data Planning

To implement the configuration, you need to collect the following data:

  • Router ID of FW_A (1.1.1.1), OSPF process ID (1), network segment in Area 0 (192.168.0.0/24), and network segment in Area 1 (192.168.1.0/24)
  • Router ID of FW_B (2.2.2.2), OSPF process ID (1), network segment in Area 0 (192.168.0.0/24), and network segment in Area 2 (192.168.2.0/24)
  • Router ID of FW_C (3.3.3.3), OSPF process ID (1), and network segments in Area 1 (192.168.1.0/24 and 172.16.1.0)
  • Router ID of FW_D (4.4.4.4), OSPF process ID (1), and network segments in Area 2 (192.168.2.0/24 and 172.17.1.0)

Procedure

  • Configure FW_A.
    1. Set interface IP addresses and assign the interfaces to security zones.

      1. Choose Network > Interface.
      2. Click the icon of GE0/0/1 and set the required parameters.

        Zone            Trust
        IPv4
          IP Address    192.168.0.1/24

      3. Click OK.
      4. Repeat the preceding steps to configure GE0/0/2 based on the parameters in the following table.

        Zone            Trust
        IPv4
          IP Address    192.168.1.1/24

    2. Configure a security policy for transmitting packets on the network.

      1. Choose Policy > Security Policy > Security Policy.

      2. Click Add and configure the Local -> Trust interzone policy.

        Name                policy_sec_1
        Source Zone         Local and Trust
        Destination Zone    Local and Trust
        Action              Permit

      3. Click OK.

    3. Configure basic OSPF functions.

      1. Choose Network > Route > OSPF.

      2. Click Add to create an OSPF process.



      3. Configure the area where network segment 192.168.0.0 resides as Area 0.

        1. Click the icon of the created OSPF process.
        2. In the OSPF Process ID:1 navigation tree, choose Basic Configuration > Area Settings.
        3. Click Add and configure the area where network segment 192.168.0.0 resides as Area 0.



        4. Click OK.
      4. Repeat the preceding steps to configure the area where network segment 192.168.1.0 resides as Area 1.



    4. Configure Area 1 as an NSSA.

      1. Click the icon of Area 1.
      2. Set Area Type to NSSA.

      3. Click OK.

      You are advised to select Totally NSSA for the ABR (FW_A in this example), which reduces the routing table size on NSSA routers. Do not select Totally NSSA for the other NSSA routers.

  • Configure FW_B.
    1. By referring to Step 1 of FW_A, configure IP addresses for interfaces and assign interfaces to security zones.

      Interface Name    GE0/0/1           GE0/0/2
      Zone              Trust             Trust
      IP Address        192.168.0.2/24    192.168.2.1/24

    2. By referring to Step 2 of FW_A, configure a security policy for packet exchanges on the network.

      Name                policy_sec_1
      Source Zone         Local and Trust
      Destination Zone    Local and Trust
      Action              Permit

    3. By referring to Step 3 of FW_A, configure basic OSPF functions.

      Add OSPF Process
        Process ID            1
        Router ID             2.2.2.2
      Advanced Settings
        Area                  0
        IP Network            192.168.0.0
        Mask/Wildcard Mask    0.0.0.255
        Area                  2
        IP Network            192.168.2.0
        Mask/Wildcard Mask    0.0.0.255

  • Configure FW_C.
    1. By referring to Step 1 of FW_A, configure IP addresses for interfaces and assign interfaces to security zones.

      Interface Name    GE0/0/2           GE0/0/3
      Zone              Trust             Trust
      IP Address        192.168.1.2/24    172.16.1.1/24

    2. By referring to Step 2 of FW_A, configure a security policy for packet exchanges on the network.

      Name                policy_sec_1
      Source Zone         Local and Trust
      Destination Zone    Local and Trust
      Action              Permit

    3. By referring to Step 3 of FW_A, configure basic OSPF functions.

      Add OSPF Process
        Process ID            1
        Router ID             3.3.3.3
      Advanced Settings
        Area                  1
        IP Network            192.168.1.0
        Mask/Wildcard Mask    0.0.0.255
        IP Network            172.16.1.0
        Mask/Wildcard Mask    0.0.0.255

    4. By referring to Step 4 of FW_A, configure Area 1 as an NSSA.

    5. Configure a static route and import it to OSPF.

      1. Choose Network > Route > Static Route.

      2. Click Add and set parameters as follows:

      3. Click OK.

      4. Click the icon of the created OSPF process.

      5. In the OSPF Process ID:2 navigation tree, choose Advanced Settings > Route Import.

      6. Click Add to configure a static route and import the route to OSPF.

      7. Click OK.

  • Configure FW_D.
    1. By referring to Step 1 of FW_A, configure IP addresses for interfaces and assign interfaces to security zones.

      Interface Name    GE0/0/2           GE0/0/3
      Zone              Trust             Trust
      IP Address        192.168.2.2/24    172.17.1.1/24

    2. By referring to Step 2 of FW_A, configure a security policy for packet exchanges on the network.

      Name                policy_sec_1
      Source Zone         Local and Trust
      Destination Zone    Local and Trust
      Action              Permit

    3. By referring to Step 3 of FW_A, configure basic OSPF functions.

      Add OSPF Process
        Process ID            1
        Router ID             4.4.4.4
      Advanced Settings
        Area                  2
        IP Network            192.168.2.0
        Mask/Wildcard Mask    0.0.0.255
        IP Network            172.17.1.0
        Mask/Wildcard Mask    0.0.0.255

    4. Configure a static route and import it to OSPF.

      1. By referring to Step 5 of FW_C, configure a static route.

        Destination Address/Mask    1.1.1.0/255.0.0.0
        Interface                   NULL0

      2. By referring to Step 5 of FW_C, import the static route into OSPF.

Verification

# Check the OSPF routing table of FW_C.

[FW_C] display ospf routing
          OSPF Process 1 with Router ID 3.3.3.3
                   Routing Tables

 Routing for Network
 Destination        Cost  Type       NextHop         AdvRouter       Area
 0.0.0.0/0          2     Inter-area 192.168.1.1     1.1.1.1         0.0.0.1
 172.16.1.0/24      1     Stub       172.16.1.1      3.3.3.3         0.0.0.1
 192.168.1.0/24     1     Transit    192.168.1.2     3.3.3.3         0.0.0.1

 Total Nets: 3
 Intra Area: 2  Inter Area: 1  ASE: 0  NSSA: 0

When the area where FW_C resides is configured as an NSSA, no AS external route is found, but a default route is found in the routing table.

# Check the OSPF routing table of FW_D.

[FW_D] display ospf routing

          OSPF Process 1 with Router ID 172.17.1.1
                   Routing Tables

 Routing for Network
 Destination        Cost  Type       NextHop         AdvRouter       Area
 172.16.1.0/24      4     Inter-area 192.168.2.1     2.2.2.2         0.0.0.2
 172.17.1.0/24      1     Stub       172.17.1.1      4.4.4.4         0.0.0.2
 192.168.0.0/24     2     Inter-area 192.168.2.1     2.2.2.2         0.0.0.2
 192.168.1.0/24     3     Inter-area 192.168.2.1     2.2.2.2         0.0.0.2
 192.168.2.0/24     1     Transit    192.168.2.2     4.4.4.4         0.0.0.2

 Routing for ASEs
 Destination        Cost      Type       Tag         NextHop         AdvRouter
 100.0.0.0/8        1         Type2      1           192.168.2.1     1.1.1.1

 Total Nets: 6
 Intra Area: 2  Inter Area: 3  ASE: 1  NSSA: 0

An AS external route imported by the NSSA exists in the routing table of FW_D.
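The two checks described in this section, as an added Python example (not part of the original page or of the vendor's tooling): it parses `display ospf routing` text, confirms that a router inside the NSSA sees a default route and no ASE routes, and compares the ASE routes seen outside the NSSA with an allow-list. The function names, the allow-list, and the 203.0.113.0/24 line in the FW_D sample are assumptions constructed for the example.

```python
# Constructed samples: FW_C output as shown above; FW_D output abridged, with one
# extra ASE line (203.0.113.0/24) added here so the allow-list check has a finding.
FW_C_OUTPUT = """\
 Routing for Network
 Destination        Cost  Type       NextHop         AdvRouter       Area
 0.0.0.0/0          2     Inter-area 192.168.1.1     1.1.1.1         0.0.0.1
 172.16.1.0/24      1     Stub       172.16.1.1      3.3.3.3         0.0.0.1
 192.168.1.0/24     1     Transit    192.168.1.2     3.3.3.3         0.0.0.1

 Total Nets: 3
 Intra Area: 2  Inter Area: 1  ASE: 0  NSSA: 0
"""
FW_D_OUTPUT = """\
 Routing for Network
 Destination        Cost  Type       NextHop         AdvRouter       Area
 172.16.1.0/24      4     Inter-area 192.168.2.1     2.2.2.2         0.0.0.2
 192.168.2.0/24     1     Transit    192.168.2.2     4.4.4.4         0.0.0.2

 Routing for ASEs
 Destination        Cost      Type       Tag         NextHop         AdvRouter
 100.0.0.0/8        1         Type2      1           192.168.2.1     1.1.1.1
 203.0.113.0/24     1         Type2      1           192.168.2.1     2.2.2.2
"""

def parse_routes(output):
    """Return one dict per route row, keyed by the column header of its section."""
    rows, section, header = [], None, None
    for line in output.splitlines():
        fields = line.split()
        if line.strip().startswith("Routing for"):
            section, header = fields[-1], None   # "Network" or "ASEs"
        elif fields and fields[0] == "Destination":
            header = fields
        elif header and len(fields) == len(header) and "/" in fields[0]:
            rows.append({"Section": section, **dict(zip(header, fields))})
    return rows

def unexpected_externals(output, allowed):
    """ASE routes whose (prefix, advertising router) pair is not on the allow-list."""
    return [(r["Destination"], r["AdvRouter"]) for r in parse_routes(output)
            if r["Section"] == "ASEs" and (r["Destination"], r["AdvRouter"]) not in allowed]

def nssa_view_ok(output):
    """Inside the NSSA: a default route is present and no ASE route is."""
    rows = parse_routes(output)
    has_default = any(r["Destination"] == "0.0.0.0/0" for r in rows)
    return has_default and not any(r["Section"] == "ASEs" for r in rows)
```

In the page's FW_D output the advertising router of 100.0.0.0/8 is 1.1.1.1 (FW_A), not 3.3.3.3, because the NSSA ABR translates FW_C's Type 7 LSA into a Type 5 LSA; the allow-list entry therefore pairs the prefix with the ABR.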

Configuration Scripts

  • Configuration script of FW_A

    #
     sysname FW_A
    #
    router id 1.1.1.1
    #
    interface GigabitEthernet0/0/1
     undo shutdown
     ip address 192.168.0.1 255.255.255.0
    #
    interface GigabitEthernet0/0/2
     undo shutdown
     ip address 192.168.1.1 255.255.255.0
    #
    ospf 1
     area 0.0.0.0
      network 192.168.0.0 0.0.0.255
     area 0.0.0.1
      network 192.168.1.0 0.0.0.255
      nssa default-route-advertise no-summary
    #
    security-policy
      rule name policy_sec_1
        source-zone local
        source-zone trust
        destination-zone local
        destination-zone trust
        action permit
    #
    return

  • Configuration script of FW_B

    #
     sysname FW_B
    #
    router id 2.2.2.2
    #
    interface GigabitEthernet0/0/1
     undo shutdown
     ip address 192.168.0.2 255.255.255.0
    #
    interface GigabitEthernet0/0/2
     undo shutdown
     ip address 192.168.2.1 255.255.255.0
    #
    ospf 1
     area 0.0.0.0
      network 192.168.0.0 0.0.0.255
     area 0.0.0.2
      network 192.168.2.0 0.0.0.255
    #
    security-policy
      rule name policy_sec_1
        source-zone local
        source-zone trust
        destination-zone local
        destination-zone trust
        action permit
    #
    return

  • Configuration script of FW_C

    #
     sysname FW_C
    #
    router id 3.3.3.3
    #
    interface GigabitEthernet0/0/2
     undo shutdown
     ip address 192.168.1.2 255.255.255.0
    #
    interface GigabitEthernet0/0/3
     undo shutdown
     ip address 172.16.1.1 255.255.255.0
    #
    ospf 1
     import-route static
     area 0.0.0.1
      network 172.16.1.0 0.0.0.255
      network 192.168.1.0 0.0.0.255
      nssa
    #
    ip route-static 100.0.0.0 255.0.0.0 NULL0
    #
    security-policy
      rule name policy_sec_1
        source-zone local
        source-zone trust
        destination-zone local
        destination-zone trust
        action permit
    #
    return

  • Configuration script of FW_D

    #
     sysname FW_D
    #
    router id 4.4.4.4
    #
    interface GigabitEthernet0/0/2
     undo shutdown
     ip address 192.168.2.2 255.255.255.0
    #
    interface GigabitEthernet0/0/3
     undo shutdown
     ip address 172.17.1.1 255.255.255.0
    #
    ospf 1
     import-route static type 1
     area 0.0.0.2
      network 172.17.1.0 0.0.0.255
      network 192.168.2.0 0.0.0.255
    #
    ip route-static 1.1.1.0 255.0.0.0 NULL0
    #
    security-policy
      rule name policy_sec_1
        source-zone local
        source-zone trust
        destination-zone local
        destination-zone trust
        action permit
    #
    return
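
A consistency check for scripts like the ones above, as an added Python example (not part of the original page or of the vendor's tooling): it reports interface addresses that no OSPF `network` statement covers and areas whose NSSA setting differs between devices, two mistakes that stop adjacencies or route advertisement. The device names FW_X and FW_Y, both sample scripts, and the function names are assumptions constructed for the example.

```python
import ipaddress

# Constructed samples: FW_Y omits nssa in Area 1 and has a wrong network statement.
SCRIPTS = {
    "FW_X": """
interface GigabitEthernet0/0/2
 ip address 192.168.1.1 255.255.255.0
#
ospf 1
 area 0.0.0.1
  network 192.168.1.0 0.0.0.255
  nssa default-route-advertise no-summary
""",
    "FW_Y": """
interface GigabitEthernet0/0/3
 ip address 172.16.1.1 255.255.255.0
#
ospf 1
 area 0.0.0.1
  network 172.17.1.0 0.0.0.255
""",
}

def parse(script):
    addrs, areas, area = [], {}, None
    for words in (line.split() for line in script.splitlines()):
        if not words or words[0] == "#":
            area = None  # '#' (or a blank line) closes the current view
        elif words[:2] == ["ip", "address"] and len(words) >= 4:
            addrs.append(ipaddress.ip_interface(f"{words[2]}/{words[3]}"))
        elif words[0] == "area":
            area = areas.setdefault(words[1], {"nssa": False, "nets": []})
        elif words[0] == "network" and area is not None:  # wildcard mask is accepted
            area["nets"].append(ipaddress.ip_network(f"{words[1]}/{words[2]}"))
        elif words[0] == "nssa" and area is not None:
            area["nssa"] = True
    return addrs, areas

def audit(scripts):
    findings, nssa = [], {}
    for dev, script in scripts.items():
        addrs, areas = parse(script)
        nets = [n for a in areas.values() for n in a["nets"]]
        findings += [f"{dev}: {addr} is not covered by a network statement"
                     for addr in addrs if not any(addr.ip in n for n in nets)]
        for area_id, a in areas.items():
            nssa.setdefault(area_id, {})[dev] = a["nssa"]
    findings += [f"area {area_id}: NSSA flag differs between {sorted(devs)}"
                 for area_id, devs in nssa.items() if len(set(devs.values())) > 1]
    return findings
```

`audit(SCRIPTS)` returns one finding for FW_Y's uncovered 172.16.1.1/24 address and one for the Area 0.0.0.1 NSSA mismatch.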
Copyright © Huawei Technologies Co., Ltd.