
Web: Example for Configuring OSPFv3 to Connect Network Devices

This section provides an example for configuring OSPFv3 to connect IPv6 devices.

Networking Requirements

As shown in Figure 1, an enterprise deploys FWs to connect to the R&D, marketing, and financial departments respectively. The enterprise also deploys a FW on the network border as a security gateway to connect the intranet to the IPv6 network through an ISP network.

Requirements are as follows:

  • OSPFv3 runs on the intranet to connect IPv6 devices across departments.
  • Routers in the R&D department belong to a totally stub area. These routers can only use a default route to access the IPv6 network, but cannot learn external area routes. Using the totally stub area minimizes external routing information distribution and improves router performance and R&D network quality.
  • FW_A and the ISP router establish an OSPFv3 neighbor relationship so that FW_A can learn IPv6 network routes.
  • Devices in all departments can access the IPv6 network through the ISP router.
Figure 1 Networking diagram for configuring OSPFv3 to connect network devices

Configuration Roadmap

  1. Configure OSPFv3 on each FW. FW_A, FW_B, FW_C, and FW_D are connected through switches and belong to Area 0. The financial department is connected to FW_B and belongs to Area 1. The R&D department is connected to FW_C and belongs to Area 2. The marketing department is connected to FW_D and belongs to Area 3. The ISP network to which FW_A is connected belongs to Area 4.
  2. Configure IP addresses for interfaces of each FW and add the interfaces to security zones.
  3. Configure a security policy on each FW so that the devices can exchange OSPFv3 packets and devices in all departments can access the IPv6 network.
  4. Configure return routes on the ISP router. This operation is performed by the ISP. Therefore, the configuration details are not provided.
  5. Set the gateway address to 2001::1 for the financial department, 2002::1 for the R&D department, and 2003::1 for the marketing department. This operation is performed by a network administrator. Therefore, the configuration details are not provided.

Procedure

  • Configure FW_A.
    1. Create an OSPFv3 process.

      Before enabling IPv6 on an OSPFv3 interface, ensure that an OSPFv3 process has been created. Otherwise, the OSPFv3 interface cannot be configured.

      1. Choose Network > Route > OSPF.

      2. Click Add to create an OSPF process.

      3. Click OK.

    2. Set interface IP addresses and assign the interfaces to security zones.

      1. Choose Network > Interface.
      2. Click of GE0/0/1 and set required parameters.



      3. Click OK.
      4. Repeat the preceding steps to configure GE0/0/3.

        Zone            trust
        IPv6
          IP Address    2000::1/64

    3. Configure OSPFv3 interfaces.

      1. Enable OSPFv3 on each interface.

        1. Click of the created OSPFv3 process.
        2. In the OSPFv3 Process ID:1 navigation tree, choose Basic Configuration > Area Settings.
        3. Click Add to enable OSPFv3 on GE0/0/1.



        4. Click OK.
      2. Repeat the preceding steps to enable OSPFv3 on GE0/0/3.

        Interface Name    GE0/0/3
        Area              0.0.0.4

    4. Configure a security policy so that the devices can exchange OSPFv3 packets and the devices in all departments can access the IPv6 network.

      The following example provides basic security policy parameters. You can set other parameters to the desired values.

      1. Choose Policy > Security Policy > Security Policy.

      2. Click Add and configure an interzone security policy.

        Name                     policy_sec_1
        Source Zone              Local and Trust
        Destination Zone         Local and Trust
        Action                   Permit

        Name                     policy_sec_2
        Source Zone              Local and Untrust
        Destination Zone         Local and Untrust
        Action                   Permit

        Name                     policy_sec_3
        Source Zone              trust
        Destination Zone         untrust
        Source Address/Region    2001:: 64
                                 2002:: 64
                                 2003:: 64
        Action                   Permit

      3. Click OK.

  • Configure FW_B.
    1. Create an OSPFv3 process as follows. For details, see Step 1 in FW_A configuration.

      Add OSPFv3 Process
        Process ID    1
        Router ID     2.2.2.2

    2. By referring to Step 2 for configuring FW_A, configure IP addresses for interfaces and assign interfaces to security zones.

      Interface Name    GE0/0/1       GE0/0/3
      Zone              untrust       trust
      IPv6 Address      2000::2/64    2001::1/64

    3. Configure the OSPFv3 interface as follows. For details, see Step 3 in FW_A configuration.

      Interface Settings
        Interface Name    GE0/0/1    GE0/0/3
        Area              0.0.0.0    0.0.0.1

    4. By referring to Step 4 for configuring FW_A, configure a security policy so that the devices can exchange OSPFv3 packets and the devices in all departments can access the IPv6 network.

      Name                     policy_sec_1
      Source Zone              Local and Trust
      Destination Zone         Local and Trust
      Action                   Permit

      Name                     policy_sec_2
      Source Zone              Local and Untrust
      Destination Zone         Local and Untrust
      Action                   Permit

      Name                     policy_sec_3
      Source Zone              trust
      Destination Zone         untrust
      Source Address/Region    2001:: 64
      Action                   Permit

  • Configure FW_C.
    1. Create an OSPFv3 process as follows. For details, see Step 1 in FW_A configuration.

      Add OSPFv3 Process
        Process ID    1
        Router ID     3.3.3.3

    2. By referring to Step 2 for configuring FW_A, configure IP addresses for interfaces and assign interfaces to security zones.

      Interface Name    GE0/0/1       GE0/0/3
      Zone              untrust       trust
      IPv6 Address      2000::3/64    2002::1/64

    3. Configure Area 2 as a stub area.

      1. Click of the created OSPFv3 process.
      2. In the OSPFv3 Process ID:1 navigation tree, choose Basic Configuration > Area Settings.
      3. Click Add, and select Totally Stub to improve the router performance and R&D network quality.

      4. Click OK.

    4. Configure the OSPFv3 interface as follows. For details, see Step 3 in FW_A configuration.

      Interface Settings
        Interface Name    GE0/0/1    GE0/0/3
        Area              0.0.0.0    0.0.0.2

    5. By referring to Step 4 for configuring FW_A, configure a security policy so that the devices can exchange OSPFv3 packets and the devices in all departments can access the IPv6 network.

      Name                     policy_sec_1
      Source Zone              Local and Trust
      Destination Zone         Local and Trust
      Action                   Permit

      Name                     policy_sec_2
      Source Zone              Local and Untrust
      Destination Zone         Local and Untrust
      Action                   Permit

      Name                     policy_sec_3
      Source Zone              trust
      Destination Zone         untrust
      Source Address/Region    2002:: 64
      Action                   Permit

  • Configure FW_D.
    1. Create an OSPFv3 process as follows. For details, see Step 1 in FW_A configuration.

      Add OSPFv3 Process
        Process ID    1
        Router ID     4.4.4.4

    2. By referring to Step 2 for configuring FW_A, configure IP addresses for interfaces and assign interfaces to security zones.

      Interface Name    GE0/0/1       GE0/0/3
      Zone              untrust       trust
      IPv6 Address      2000::4/64    2003::1/64

    3. Configure the OSPFv3 interface as follows. For details, see Step 3 in FW_A configuration.

      Interface Settings
        Interface Name    GE0/0/1    GE0/0/3
        Area              0.0.0.0    0.0.0.3

    4. By referring to Step 4 for configuring FW_A, configure a security policy so that the devices can exchange OSPFv3 packets and the devices in all departments can access the IPv6 network.

      Name                     policy_sec_1
      Source Zone              Local and Trust
      Destination Zone         Local and Trust
      Action                   Permit

      Name                     policy_sec_2
      Source Zone              Local and Untrust
      Destination Zone         Local and Untrust
      Action                   Permit

      Name                     policy_sec_3
      Source Zone              trust
      Destination Zone         untrust
      Source Address/Region    2003:: 64
      Action                   Permit

Example

  1. Check the OSPFv3 neighbor status on each FW. The following example uses the command output on FW_A.

    [FW_A] display ospfv3 peer
    
    OSPFv3 Process (1)
    OSPFv3 Area (0.0.0.1)
    Neighbor ID     Pri   State                Dead Time   Interface  Instance ID  
    2.2.2.2           1   2-Way/DROther        00:00:34    GE0/0/3           0
    3.3.3.3           1   Full/Backup          00:00:32    GE0/0/3           0
    4.4.4.4           1   Full/DR              00:00:32    GE0/0/3           0
    OSPFv3 Area (0.0.0.4)
    Neighbor ID     Pri   State                Dead Time   Interface  Instance ID  
    5.5.5.5           1   Full/-               00:00:34    GE0/0/1           0
    

  2. Check the OSPFv3 routing table on each FW. The following example uses the command output on FW_A.

    [FW_A] display ospfv3 routing
    
    Codes : E2 - Type 2 External, E1 - Type 1 External, IA - Inter-Area,
    N - NSSA, U - Uninstalled, D - Denied by Import Policy
    OSPFv3 Process (1)
       Destination                                   Metric
         Next-hop
      IA 2000::/64                                     1
               directly-connected, GE0/0/3
      IA 2001::/64                                     2
               via 2000::2, GE0/0/3
      IA 2002::/64                                     2
               via 2000::3, GE0/0/3
         2003::/64                                     2
               via 2000::4, GE0/0/3
      IA 3000::/64                                     1
               directly-connected, GE0/0/1

    According to the preceding command output, FW_A learns the network segment routes to all departments and IPv6 network routes.
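
The neighbor check in step 1 can be turned into a repeatable audit. The script below is an added example, not part of the original page or of the vendor's tooling: it parses the display ospfv3 peer output and reports neighbors that are not on an allowlist, neighbors listed under an area other than the one the interface is configured for, and neighbors that are not adjacent. The EXPECTED allowlist is an assumption built from the router IDs on this page, with 5.5.5.5 assumed to be the ISP router.

```python
import re

# Output of "display ospfv3 peer" on FW_A, copied from step 1 on this page.
PEER_OUTPUT = """\
OSPFv3 Process (1)
OSPFv3 Area (0.0.0.1)
Neighbor ID     Pri   State                Dead Time   Interface  Instance ID
2.2.2.2           1   2-Way/DROther        00:00:34    GE0/0/3           0
3.3.3.3           1   Full/Backup          00:00:32    GE0/0/3           0
4.4.4.4           1   Full/DR              00:00:32    GE0/0/3           0
OSPFv3 Area (0.0.0.4)
Neighbor ID     Pri   State                Dead Time   Interface  Instance ID
5.5.5.5           1   Full/-               00:00:34    GE0/0/1           0
"""

# Interface-to-area bindings from the FW_A configuration script on this page.
CONFIGURED_AREA = {"GE0/0/1": "0.0.0.4", "GE0/0/3": "0.0.0.0"}

# Assumed allowlist: the router IDs this page gives FW_B, FW_C and FW_D, plus
# 5.5.5.5, which is assumed to be the ISP router seen on GE0/0/1.
EXPECTED = {"GE0/0/3": {"2.2.2.2", "3.3.3.3", "4.4.4.4"}, "GE0/0/1": {"5.5.5.5"}}

AREA_RE = re.compile(r"OSPFv3 Area \((\d+(?:\.\d+){3})\)")
PEER_RE = re.compile(
    r"(\d+(?:\.\d+){3})\s+\d+\s+([^/\s]+)/(\S+)\s+\d\d:\d\d:\d\d\s+(\S+)\s+\d+$")


def parse_peers(text):
    """Return (router_id, area, state, role, interface) tuples."""
    area, peers = None, []
    for line in map(str.strip, text.splitlines()):
        m = AREA_RE.match(line)
        if m:
            area = m.group(1)
            continue
        m = PEER_RE.match(line)
        if m:
            rid, state, role, iface = m.groups()
            peers.append((rid, area, state, role, iface))
    return peers


def audit(peers, configured_area=CONFIGURED_AREA, expected=EXPECTED):
    """Return sorted (finding, router_id, interface) tuples."""
    findings, seen = set(), set()
    for rid, area, state, role, iface in peers:
        seen.add((iface, rid))
        if rid not in expected.get(iface, set()):
            findings.add(("unexpected-neighbor", rid, iface))
        if configured_area.get(iface) != area:
            findings.add(("area-mismatch", rid, iface))
        # 2-Way is the normal end state only towards another DROther.
        if not (state == "Full" or (state == "2-Way" and role == "DROther")):
            findings.add(("not-adjacent", rid, iface))
    for iface, rids in expected.items():
        for rid in rids - {r for i, r in seen if i == iface}:
            findings.add(("missing-neighbor", rid, iface))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(parse_peers(PEER_OUTPUT)):
        print(*finding)
```

Run on the sample output above, it reports the three GE0/0/3 neighbors as area-mismatch, because the output lists them under Area 0.0.0.1 while the FW_A configuration script binds GE0/0/3 to Area 0.0.0.0.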

Configuration Scripts

Configuration script of FW_A

#
 ipv6
#                                                                               
 sysname FW_A                                      
#                                                                               
ospfv3 1                                                                        
 router-id 1.1.1.1                                                              
#                                                                               
interface GigabitEthernet0/0/1                                                  
 ipv6 enable                                                                    
 ipv6 address 3000::1 64 
 ospfv3 1 area 0.0.0.4
#                                                                               
interface GigabitEthernet0/0/3                                                  
 ipv6 enable                                                                    
 ipv6 address 2000::1 64 
 ospfv3 1 area 0.0.0.0
#                                                                               
firewall zone trust                                                             
 set priority 85                                                                
 add interface GigabitEthernet0/0/3                                             
#                                                                               
firewall zone untrust                                                           
 set priority 5                                                                 
 add interface GigabitEthernet0/0/1                                             
#                                                                                
security-policy                                                                 
  rule name policy_sec_1                                                        
    source-zone local                                                           
    source-zone trust                                                         
    destination-zone local                                                      
    destination-zone trust                                                    
    action permit                                                               
  rule name policy_sec_2                                                        
    source-zone local                                                           
    source-zone untrust                                                         
    destination-zone local                                                      
    destination-zone untrust                                                    
    action permit                                                               
  rule name policy_sec_3                                                        
    source-zone trust                                                           
    destination-zone untrust                                                    
    source-address 2001:: 64                                                    
    source-address 2002:: 64                                                    
    source-address 2003:: 64 
    action permit                                                               
#                                                                               
return

Configuration script of FW_B

#
 ipv6
#                                                                               
 sysname FW_B                                      
#                                                                               
ospfv3 1                                                                        
 router-id 2.2.2.2                                                              
#                                                                               
interface GigabitEthernet0/0/1                                                  
 ipv6 enable                                                                    
 ipv6 address 2000::2 64 
 ospfv3 1 area 0.0.0.0
#                                                                               
interface GigabitEthernet0/0/3                                                  
 ipv6 enable                                                                    
 ipv6 address 2001::1 64 
 ospfv3 1 area 0.0.0.1
#                                                                               
firewall zone trust                                                             
 set priority 85                                                                
 add interface GigabitEthernet0/0/3                                             
#                                                                               
firewall zone untrust                                                           
 set priority 5                                                                 
 add interface GigabitEthernet0/0/1                                             
#                                                                                
security-policy                                                                 
  rule name policy_sec_1                                                        
    source-zone local                                                           
    source-zone trust                                                         
    destination-zone local                                                      
    destination-zone trust                                                    
    action permit                                                               
  rule name policy_sec_2                                                        
    source-zone local                                                           
    source-zone untrust                                                         
    destination-zone local                                                      
    destination-zone untrust                                                    
    action permit                                                               
  rule name policy_sec_3                                                        
    source-zone trust                                                           
    destination-zone untrust                                                    
    source-address 2001:: 64                                                    
    action permit                                                               
#                                                                               
return

Configuration script of FW_C

#
 ipv6
#                                                                               
 sysname FW_C                                      
#                                                                               
ospfv3 1                                                                        
 router-id 3.3.3.3                                                              
 area 0.0.0.2                                                                   
  stub no-summary 
#                                                                               
interface GigabitEthernet0/0/1                                                  
 ipv6 enable                                                                    
 ipv6 address 2000::3 64 
 ospfv3 1 area 0.0.0.0
#                                                                               
interface GigabitEthernet0/0/3                                                  
 ipv6 enable                                                                    
 ipv6 address 2002::1 64 
 ospfv3 1 area 0.0.0.2
#                                                                               
firewall zone trust                                                             
 set priority 85                                                                
 add interface GigabitEthernet0/0/3                                             
#                                                                               
firewall zone untrust                                                           
 set priority 5                                                                 
 add interface GigabitEthernet0/0/1                                             
#                                                                                
security-policy                                                                 
  rule name policy_sec_1                                                        
    source-zone local                                                           
    source-zone trust                                                         
    destination-zone local                                                      
    destination-zone trust                                                    
    action permit                                                               
  rule name policy_sec_2                                                        
    source-zone local                                                           
    source-zone untrust                                                         
    destination-zone local                                                      
    destination-zone untrust                                                    
    action permit                                                               
  rule name policy_sec_3                                                        
    source-zone trust                                                           
    destination-zone untrust                                                    
    source-address 2002:: 64                                                    
    action permit                                                               
#                                                                               
return

Configuration script of FW_D

#
 ipv6
#                                                                               
 sysname FW_D                                      
#                                                                               
ospfv3 1                                                                        
 router-id 4.4.4.4                                                              
#                                                                               
interface GigabitEthernet0/0/1                                                  
 ipv6 enable                                                                    
 ipv6 address 2000::4 64 
 ospfv3 1 area 0.0.0.0
#                                                                               
interface GigabitEthernet0/0/3                                                  
 ipv6 enable                                                                    
 ipv6 address 2003::1 64 
 ospfv3 1 area 0.0.0.3
#                                                                               
firewall zone trust                                                             
 set priority 85                                                                
 add interface GigabitEthernet0/0/3                                             
#                                                                               
firewall zone untrust                                                           
 set priority 5                                                                 
 add interface GigabitEthernet0/0/1                                             
#                                                                                
security-policy                                                                 
  rule name policy_sec_1                                                        
    source-zone local                                                           
    source-zone trust                                                         
    destination-zone local                                                      
    destination-zone trust                                                    
    action permit                                                               
  rule name policy_sec_2                                                        
    source-zone local                                                           
    source-zone untrust                                                         
    destination-zone local                                                      
    destination-zone untrust                                                    
    action permit                                                               
  rule name policy_sec_3                                                        
    source-zone trust                                                           
    destination-zone untrust                                                    
    source-address 2003:: 64                                                    
    action permit                                                               
#                                                                               
return
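
The procedure notes that the security policies shown carry only basic parameters. The script below is an added example, not part of the original page or of the vendor's tooling: it parses the security-policy section of a configuration script and lists permit rules that are constrained by zone only, and permit rules that admit the untrust zone to the firewall itself (local) without a service restriction. The destination-address and service keywords do not appear in the scripts on this page and are treated here as assumed narrowing keywords.

```python
# security-policy section of FW_A, copied from the configuration script on this page.
FW_A_POLICY = """\
security-policy
  rule name policy_sec_1
    source-zone local
    source-zone trust
    destination-zone local
    destination-zone trust
    action permit
  rule name policy_sec_2
    source-zone local
    source-zone untrust
    destination-zone local
    destination-zone untrust
    action permit
  rule name policy_sec_3
    source-zone trust
    destination-zone untrust
    source-address 2001:: 64
    source-address 2002:: 64
    source-address 2003:: 64
    action permit
#
"""

# Keywords that narrow a rule. Only source-address is used on this page;
# destination-address and service are assumptions of this example.
NARROWING = ("source-address", "destination-address", "service")
ZONES = ("source-zone", "destination-zone")


def parse_rules(config):
    """Parse the security-policy section into one dict per rule."""
    rules, rule, inside = [], None, False
    for line in map(str.strip, config.splitlines()):
        if line == "security-policy":
            inside = True
        elif line == "#":
            inside, rule = False, None
        elif inside and line.startswith("rule name "):
            rule = {"name": line[len("rule name "):], "action": None}
            rule.update({key: [] for key in ZONES + NARROWING})
            rules.append(rule)
        elif inside and rule is not None:
            key, _, value = line.partition(" ")
            if key == "action":
                rule["action"] = value
            elif key in ZONES + NARROWING:
                rule[key].append(value)
    return rules


def audit_rules(rules):
    """Return sorted (rule name, finding) pairs for broad permit rules."""
    findings = []
    for r in rules:
        if r["action"] != "permit":
            continue
        if not any(r[key] for key in NARROWING):
            findings.append((r["name"], "permit-by-zone-only"))
        # Assumed semantics: any listed source zone pairs with any listed
        # destination zone, so untrust + local means untrust -> local.
        if ("untrust" in r["source-zone"] and "local" in r["destination-zone"]
                and not r["service"]):
            findings.append((r["name"], "untrust-to-local-any-service"))
    return sorted(findings)
```

Calling audit_rules(parse_rules(FW_A_POLICY)) flags policy_sec_1 and policy_sec_2 as zone-only permits and policy_sec_2 as admitting untrust to local for any service; policy_sec_3 passes because it is limited by source address.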
Copyright © Huawei Technologies Co., Ltd.