
Web: Example for Configuring OSPF Virtual Links

In some cases, non-backbone areas cannot be physically connected to the backbone area. You can configure a virtual link on an ABR that is not directly connected to the backbone area to establish a tunnel to the backbone area.

Networking Requirements

As shown in Figure 1, Area 2 is not directly connected to the backbone area. Area 1 serves as a transit area to connect Area 2 and Area 0. A virtual link between FW_A and FW_B needs to be configured.

Figure 1 Networking diagram for configuring OSPF virtual links.

Configuration Roadmap

The configuration roadmap is as follows:

  1. Enable OSPF and configure basic OSPF functions on each FW.
  2. Configure a virtual link between FW_A and FW_B to connect a non-backbone area to the backbone area.

Data Planning

To implement the configuration, you need to collect the following data:

  • OSPF router ID of FW_A (1.1.1.1), area numbers (Area 0 and Area 1), and network segments where OSPF is enabled (192.168.1.0/24, 10.0.0.0/8).
  • OSPF router ID of FW_B (2.2.2.2), area numbers (Area 1 and Area 2), and network segments where OSPF is enabled (192.168.1.0/24, 172.16.0.0/16).

Procedure

  • Configure FW_A.
    1. Set interface IP addresses and assign the interfaces to security zones.

      1. Choose Network > Interface.
      2. Click of GE0/0/1 and set required parameters.

        Zone            Trust
        IPv4
          IP Address    192.168.1.1/24

      3. Click OK.
      4. Repeat the preceding steps to configure GigabitEthernet0/0/2 based on the parameters in the following table.

        Zone            Trust
        IPv4
          IP Address    10.1.1.1/8

    2. Configure a security policy for transmitting packets on the network.

      1. Choose Policy > Security Policy > Security Policy.

      2. Click Add and configure the Local -> Trust interzone policy.

        Name                policy_sec_1
        Source Zone         Local and Trust
        Destination Zone    Local and Trust
        Action              Permit

      3. Click OK.

    3. Configure basic OSPF functions.

      1. Choose Network > Route > OSPF.

      2. Click Add to create an OSPF process.



      3. Configure the area where network segment 192.168.1.0 resides as Area 1.

        1. Click of the created OSPF process.
        2. In the OSPFv2 Process ID:1 navigation tree, choose Basic Configuration > Area Settings.
        3. Click Add and configure the area where network segment 192.168.1.0 resides as Area 1.



        4. Click OK.
      4. Repeat the preceding steps to configure the area where network segment 10.0.0.0 resides as Area 0.

    4. Configure a virtual link.

      1. Click of the created OSPF process.
      2. In the OSPFv2 Process ID:1 navigation tree, choose Advanced Settings > Virtual Link.
      3. Click Add and configure a virtual link.

      4. Click OK.

  • Configure FW_B.
    1. By referring to Step 1 of FW_A, configure IP addresses for interfaces and assign interfaces to security zones.

      Interface Name    GE0/0/1           GE0/0/2
      Zone              trust             trust
      IP Address        192.168.1.2/24    172.16.1.1/16

    2. By referring to Step 2 of FW_A, configure a security policy for packet exchanges on the network.

      Name                policy_sec_1
      Source Zone         Local and Trust
      Destination Zone    Local and Trust
      Action              Permit

    3. By referring to Step 3 of FW_A, configure basic OSPF functions.

      Add OSPF Process
        Process ID            1
        Router ID             2.2.2.2
      Advanced Settings
        Area                  1
        IP Network            192.168.1.0
        Mask/Wildcard Mask    0.0.0.255
        Area                  2
        IP Network            172.16.0.0
        Mask/Wildcard Mask    0.0.255.255

    4. By referring to Step 4 of FW_A, configure a virtual link.

      Peer Router ID    1.1.1.1
      Transit Area      0.0.0.1

Verification

Before a virtual link is configured:

# Check the OSPF routing table of FW_A.

<FW_A> display ospf routing

          OSPF Process 1 with Router ID 1.1.1.1
                   Routing Tables

 Routing for Network
 Destination        Cost  Type       NextHop         AdvRouter       Area
 10.0.0.0/8         1     Stub       10.1.1.1        1.1.1.1         0.0.0.0
 192.168.1.0/24     1     Transit    192.168.1.1     1.1.1.1         0.0.0.1

 Total Nets: 2
 Intra Area: 2  Inter Area: 0  ASE: 0  NSSA: 0

The routing table of FW_A does not have the route to Area 2 because Area 2 is not directly connected to Area 0.

After a virtual link is configured:

# Check the OSPF routing table of FW_A.

[FW_A] display ospf routing

          OSPF Process 1 with Router ID 1.1.1.1
                   Routing Tables

 Routing for Network
 Destination        Cost  Type       NextHop         AdvRouter       Area
 172.16.1.1/32      2     Inter-area 192.168.1.2     2.2.2.2         0.0.0.0
 10.0.0.0/8         1     Stub       10.1.1.1        1.1.1.1         0.0.0.0
 192.168.1.0/24     1     Transit    192.168.1.1     1.1.1.1         0.0.0.1

 Total Nets: 3
 Intra Area: 2  Inter Area: 1  ASE: 0  NSSA: 0

Configuration Scripts

  • Configuration script of FW_A

    #
     sysname FW_A
    #
    interface GigabitEthernet0/0/1
     undo shutdown
     ip address 192.168.1.1 255.255.255.0
    #
    interface GigabitEthernet0/0/2
     undo shutdown
     ip address 10.1.1.1 255.0.0.0
    #
    firewall zone trust
     set priority 85
     add interface GigabitEthernet0/0/1
     add interface GigabitEthernet0/0/2
    #
    security-policy
     rule name policy_sec_1
      source-zone local
      source-zone trust
      destination-zone local
      destination-zone trust
      action permit
    #
    ospf 1 router-id 1.1.1.1
     area 0.0.0.0
      network 10.0.0.0 0.255.255.255
     area 0.0.0.1
      network 192.168.1.0 0.0.0.255
      vlink-peer 2.2.2.2
    #
    return
  • Configuration script of FW_B

    #
     sysname FW_B
    #
    interface GigabitEthernet0/0/1
     undo shutdown
     ip address 192.168.1.2 255.255.255.0
    #
    interface GigabitEthernet0/0/2
     undo shutdown
     ip address 172.16.1.1 255.255.0.0
    #
    firewall zone trust
     set priority 85
     add interface GigabitEthernet0/0/1
     add interface GigabitEthernet0/0/2
    #
    security-policy
     rule name policy_sec_1
      source-zone local
      source-zone trust
      destination-zone local
      destination-zone trust
      action permit
    #
    ospf 1 router-id 2.2.2.2
     area 0.0.0.1
      network 192.168.1.0 0.0.0.255
      vlink-peer 1.1.1.1
     area 0.0.0.2
      network 172.16.0.0 0.0.255.255
    #
    return
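A virtual link only comes up when both ends agree: each vlink-peer must name the other firewall's router ID, both must sit under the same non-backbone transit area, and that area must contain a shared segment. The Python check below is an added example, not part of the original page or vendor tooling; the function names parse_ospf and check_vlink are hypothetical, and the embedded stanzas are the OSPF sections of the two scripts.

```python
import ipaddress

# OSPF stanzas from the two configuration scripts on this page.
FW_A = """ospf 1 router-id 1.1.1.1
 area 0.0.0.0
  network 10.0.0.0 0.255.255.255
 area 0.0.0.1
  network 192.168.1.0 0.0.0.255
  vlink-peer 2.2.2.2"""
FW_B = """ospf 1 router-id 2.2.2.2
 area 0.0.0.1
  network 192.168.1.0 0.0.0.255
  vlink-peer 1.1.1.1
 area 0.0.0.2
  network 172.16.0.0 0.0.255.255"""

def parse_ospf(text):
    """Return (router_id, {area_id: {"nets": [...], "vlinks": [...]}})."""
    rid, areas, cur = None, {}, None
    for tok in (line.split() for line in text.splitlines() if line.strip()):
        if tok[0] == "ospf" and "router-id" in tok:
            rid = tok[tok.index("router-id") + 1]
        elif tok[0] == "area":
            cur = areas.setdefault(tok[1], {"nets": [], "vlinks": []})
        elif tok[0] == "network" and cur is not None:
            # ip_network() accepts a wildcard (host) mask and raises on a malformed one.
            cur["nets"].append(ipaddress.ip_network(f"{tok[1]}/{tok[2]}"))
        elif tok[0] == "vlink-peer" and cur is not None:
            cur["vlinks"].append(tok[1])
    return rid, areas

def check_vlink(cfg_a, cfg_b):
    """Return a list of problems; an empty list means both ends agree."""
    ends, problems = [parse_ospf(cfg_a), parse_ospf(cfg_b)], []
    for (rid, areas), (peer_rid, peer_areas) in (ends, ends[::-1]):
        for area, data in areas.items():
            mirror = peer_areas.get(area, {"nets": [], "vlinks": []})
            for peer in data["vlinks"]:
                if area == "0.0.0.0":
                    problems.append(f"{rid}: backbone used as transit area")
                if peer != peer_rid:
                    problems.append(f"{rid}: vlink-peer {peer} is not peer router ID {peer_rid}")
                if rid not in mirror["vlinks"]:
                    problems.append(f"{rid}: peer lacks vlink-peer {rid} in area {area}")
                if not any(n.overlaps(m) for n in data["nets"] for m in mirror["nets"]):
                    problems.append(f"{rid}: no shared segment in transit area {area}")
    if not any("0.0.0.0" in areas for _, areas in ends):
        problems.append("neither end is attached to the backbone area")
    return problems
```

Calling check_vlink(FW_A, FW_B) returns an empty list for the scripts as given; a mistyped peer router ID or a malformed wildcard mask is reported before the configuration reaches a device.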
Copyright © Huawei Technologies Co., Ltd.