How to Configure Security Policies to Allow OSPF
Figure 8-3 shows the OSPF adjacency establishment process.
OSPF classifies networks into four types based on the link layer protocol, and the network type determines whether each OSPF packet exchanged during adjacency establishment is sent as multicast or unicast. If unicast packets are sent in any phase of the process, a security policy is required to permit them; this applies to broadcast, non-broadcast multiple access (NBMA), and point-to-multipoint (P2MP) networks.
| Network Type | Hello | DD | LSR | LSU | LSAck | Require Security Policy |
|---|---|---|---|---|---|---|
| Broadcast | Multicast | Unicast | Unicast | Multicast | Multicast | Yes |
| P2P | Multicast | Multicast | Multicast | Multicast | Multicast | No |
| NBMA | Unicast | Unicast | Unicast | Unicast | Unicast | Yes |
| P2MP | Multicast | Unicast | Unicast | Unicast | Unicast | Yes |
During OSPF adjacency establishment, both ends proactively send OSPF packets, so security policies must permit the packets in both directions. When the firewall participates in route calculation, the source and destination security zones of the security policy are the Local zone and the security zone to which the firewall interface belongs. OSPF and OSPFv3 both use IP protocol number 89.
| No. | Name | Source Security Zone | Destination Security Zone | Source Address/Region | Destination Address/Region | Service | Action |
|---|---|---|---|---|---|---|---|
| 101 | Allow ospf out | Local | Untrust | 10.1.1.10/24 | 10.1.2.10/24 | ospf (89) | permit |
| 102 | Allow ospf in | Untrust | Local | 10.1.2.10/24 | 10.1.1.10/24 | ospf (89) | permit |
If no security policy is configured, or the security policy is configured incorrectly, Database Description (DD) packets cannot be exchanged. As a result, the OSPF adjacency cannot be established and the neighbors remain in the Exstart state.
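The following is an added audit script, not part of this page or of any firewall product, that encodes the two tables above: it records which OSPF packet types are unicast for each network type and checks that a rule set permits protocol 89 in both directions between the Local zone and the interface zone. Rule names, the `Rule` class and the constructed rule sets are assumptions for illustration, using the addresses from the policy table.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

OSPF_PROTO = 89  # OSPFv2 and OSPFv3 both use IP protocol 89

# Packet types sent as unicast per network type (from the table above).
# Multicast OSPF packets pass without a security policy; unicast ones do not.
UNICAST_PACKETS = {
    "broadcast": ("DD", "LSR"),
    "p2p": (),
    "nbma": ("Hello", "DD", "LSR", "LSU", "LSAck"),
    "p2mp": ("DD", "LSR", "LSU", "LSAck"),
}

@dataclass(frozen=True)
class Rule:  # hypothetical model of one security policy rule
    name: str
    src_zone: str
    dst_zone: str
    src_net: str      # e.g. "10.1.1.10/24", as written in the policy table
    dst_net: str
    protocol: int
    action: str

def rule_matches(rule, src_zone, dst_zone, src_ip, dst_ip):
    """True if this rule permits protocol 89 for the given zones and addresses."""
    return (rule.action == "permit" and rule.protocol == OSPF_PROTO
            and rule.src_zone == src_zone and rule.dst_zone == dst_zone
            and ip_address(src_ip) in ip_network(rule.src_net, strict=False)
            and ip_address(dst_ip) in ip_network(rule.dst_net, strict=False))

def audit_ospf_policy(rules, net_type, zone, local_ip, peer_ip):
    """Return a list of problems; an empty list means the adjacency can form."""
    unicast = UNICAST_PACKETS[net_type.lower()]
    if not unicast:                # P2P: every packet is multicast, no policy needed
        return []
    problems = []
    checks = [("Local", zone, local_ip, peer_ip), (zone, "Local", peer_ip, local_ip)]
    for src_zone, dst_zone, src_ip, dst_ip in checks:
        if not any(rule_matches(r, src_zone, dst_zone, src_ip, dst_ip) for r in rules):
            problems.append(f"no permit rule {src_zone}->{dst_zone} for protocol 89 "
                            f"({src_ip}->{dst_ip}); unicast {', '.join(unicast)} dropped")
    return problems

# Constructed samples matching the policy table: rule 101 alone, then 101 plus 102.
RULES_ONE_WAY = [Rule("Allow ospf out", "Local", "Untrust", "10.1.1.10/24",
                      "10.1.2.10/24", OSPF_PROTO, "permit")]
RULES_BOTH = RULES_ONE_WAY + [Rule("Allow ospf in", "Untrust", "Local", "10.1.2.10/24",
                                   "10.1.1.10/24", OSPF_PROTO, "permit")]
if __name__ == "__main__":
    print(audit_ospf_policy(RULES_ONE_WAY, "broadcast", "Untrust", "10.1.1.10", "10.1.2.10"))
```

With only rule 101 on a broadcast network the audit reports the missing Untrust to Local direction, which is the case where the inbound DD packets are dropped and the neighbor stays in Exstart.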