Configuring IP Routing and DHCP Services
This chapter describes how to configure IP routing and DHCP on the FWSM. This chapter includes the following sections:
• How Routing Behaves Within FWSM
• Configuring Static and Default Routes
• Configuring OSPF
• Configuring RIP
• Configuring Multicast Routing
• Configuring Asymmetric Routing Support
• Configuring DHCP
How Routing Behaves Within FWSM
The FWSM uses both the routing table and the XLATE table for routing decisions. For traffic whose destination IP address is subject to translation (that is, traffic that has not yet been translated), the FWSM searches for an existing XLATE or a static translation to select the egress interface. The selection process is as follows:
Egress Interface Selection Process
1. If a destination-IP-translating XLATE already exists, the egress interface for the packet is determined from the XLATE table, not from the routing table.
2. If a destination-IP-translating XLATE does not exist but a matching static translation exists, the egress interface is determined from the static translation, an XLATE is created, and the routing table is not used.
3. If neither a destination-IP-translating XLATE nor a matching static translation exists, the packet is not destination-IP-translated. The FWSM looks up the route to select the egress interface, and then performs source IP translation (if necessary).
For regular dynamic outbound NAT, initial outgoing packets are routed using the routing table, and the XLATE is then created. Incoming return packets are forwarded using the existing XLATE only. For static NAT, destination-translated incoming packets are always forwarded using the existing XLATE or the static translation rules.
Next Hop Selection Process
After the egress interface has been selected by one of the methods above, an additional route lookup is performed to find suitable next hops that belong to the selected egress interface. If no route in the routing table explicitly belongs to the selected interface, the packet is dropped with the level 6 message 110001 "no route to host", even if another route for the destination network exists on a different egress interface. If a route that belongs to the selected egress interface is found, the packet is forwarded to the corresponding next hop.
Load sharing on the FWSM is possible only among multiple next hops reachable through a single egress interface. Load sharing cannot span multiple egress interfaces.
If dynamic routing is in use on the FWSM and the routing table changes after the XLATE is created (for example, because of a route flap), destination-translated traffic is still forwarded using the old XLATE rather than the routing table until the XLATE times out. The traffic may be forwarded to the wrong interface, or dropped with message 110001 "no route to host" if the routing process removed the old route from the old interface and attached it to another one.
The same problem can occur when there are no route flaps on the FWSM itself but a routing process around it is flapping, so that source-translated packets belonging to the same flow arrive at the FWSM through different interfaces. Destination-translated return packets may then be forwarded back through the wrong egress interface.
This issue is especially likely in a same-security-traffic configuration, where virtually any traffic may be either source-translated or destination-translated depending on the direction of the initial packet in the flow. When the issue occurs after a route flap, you can resolve it manually with the clear xlate command, or it resolves automatically when the XLATE times out; the XLATE timeout can be decreased if necessary. To keep it rare, make sure that there are no route flaps on the FWSM or around it, that is, ensure that destination-translated packets that belong to the same flow are always forwarded the same way through the FWSM.
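The selection process above, worked through in a small Python model that is added here and is not FWSM code: a constructed routing table, static translation table and XLATE table stand in for the FWSM's own, and demo() reproduces the route-flap case in which a stale XLATE leaves a return packet with no route on its egress interface (message 110001) until the XLATE is cleared.

```python
import ipaddress
from dataclasses import dataclass, field

# Syslog message the page cites for the drop case.
NO_ROUTE_TO_HOST = "110001: no route to host"


@dataclass
class Route:
    prefix: str      # destination network, e.g. "10.1.1.0/24"
    interface: str   # interface the route belongs to
    next_hop: str


@dataclass
class Packet:
    src: str
    dst: str
    ingress: str     # interface the packet arrived on


@dataclass
class State:
    routes: list
    static_nat: dict = field(default_factory=dict)  # mapped_dst -> (real_dst, real_interface)
    xlates: dict = field(default_factory=dict)      # (remote, mapped_dst) -> (real_dst, real_interface)


def lookup(routes, dst, interface=None):
    """Longest-prefix match; with interface set, only routes on that interface count.
    Equal-length matches are returned together (candidate next hops for load sharing)."""
    addr = ipaddress.ip_address(dst)
    best, best_len = [], -1
    for r in routes:
        net = ipaddress.ip_network(r.prefix)
        if (interface and r.interface != interface) or addr not in net:
            continue
        if net.prefixlen > best_len:
            best, best_len = [r], net.prefixlen
        elif net.prefixlen == best_len:
            best.append(r)
    return best


def forward(pkt, state):
    """Egress interface selection (steps 1-3) followed by next-hop selection.
    Returns (egress_interface, next_hops, reason)."""
    key = (pkt.src, pkt.dst)
    if key in state.xlates:                        # 1. existing XLATE: routing table not consulted
        real_dst, egress = state.xlates[key]
        reason = "xlate"
    elif pkt.dst in state.static_nat:              # 2. static translation: XLATE created
        real_dst, egress = state.static_nat[pkt.dst]
        state.xlates[key] = (real_dst, egress)
        reason = "static"
    else:                                          # 3. untranslated: route lookup picks the interface
        best = lookup(state.routes, pkt.dst)
        if not best:
            return None, [], NO_ROUTE_TO_HOST
        real_dst, egress, reason = pkt.dst, best[0].interface, "route"
    # Next hop selection: only routes that belong to the chosen interface count.
    hops = [r.next_hop for r in lookup(state.routes, real_dst, egress)]
    if not hops:
        return egress, [], NO_ROUTE_TO_HOST
    return egress, hops, reason


def create_dynamic_xlate(state, pkt, mapped_src):
    """Dynamic outbound NAT: after the initial packet is routed, record the XLATE
    that return traffic (remote -> mapped address) will use."""
    state.xlates[(pkt.dst, mapped_src)] = (pkt.src, pkt.ingress)


def demo():
    """Walk through the route-flap scenario described above (constructed addresses)."""
    state = State(routes=[Route("10.1.1.0/24", "inside", "10.1.2.45"),
                          Route("0.0.0.0/0", "outside", "192.168.2.1")])
    out = Packet("10.1.1.5", "198.51.100.7", "inside")
    r1 = forward(out, state)                          # routed by the table via outside
    create_dynamic_xlate(state, out, "203.0.113.5")   # 10.1.1.5 is translated to 203.0.113.5
    back = Packet("198.51.100.7", "203.0.113.5", "outside")
    r2 = forward(back, state)                         # return packet follows the XLATE to inside
    # Route flap: the routing process moves 10.1.1.0/24 from inside to dmz.
    state.routes[0] = Route("10.1.1.0/24", "dmz", "10.1.3.1")
    r3 = forward(back, state)                         # XLATE still says inside: dropped, 110001
    state.xlates.clear()                              # 'clear xlate' (or the XLATE timing out)
    out2 = Packet("10.1.1.5", "198.51.100.7", "dmz")  # host now reaches the FWSM through dmz
    forward(out2, state)
    create_dynamic_xlate(state, out2, "203.0.113.5")
    r4 = forward(back, state)                         # fresh XLATE: forwarded via dmz
    return r1, r2, r3, r4
```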
Configuring Static and Default Routes
This section describes how to configure static and default routes on FWSM.
Multiple context mode does not support dynamic routing, so you must use static routes for any networks to which FWSM is not directly connected; for example, when there is a router between a network and FWSM.
You might want to use static routes in single context mode in the following cases:
• Your networks use a different router discovery protocol from RIP or OSPF.
• Your network is small and you can easily manage static routes.
• You do not want the traffic or CPU overhead associated with routing protocols.
The simplest option is to configure a default route to send all traffic to an upstream router, relying on the router to route the traffic for you. However, in some cases the default gateway might not be able to reach the destination network, so you must also configure more specific static routes. For example, if the default gateway is outside, then the default route cannot direct traffic to any inside networks that are not directly connected to FWSM.
In transparent firewall mode, for traffic that originates on FWSM and is destined for a non-directly connected network, you need to configure either a default route or static routes so FWSM knows out of which interface to send traffic. Traffic that originates on FWSM might include communications to a system log server, Websense or N2H2 server, or AAA server. If you have servers that cannot all be reached through a single default route, then you must configure static routes.

Note
The default route for the transparent firewall, which is required to provide a return path for management traffic, is only applied to management traffic from one bridge group network. This is because the default route specifies an interface in the bridge group as well as the router IP address on the bridge group network, and you can only define one default route. If you have management traffic from more than one bridge group network, you need to specify a static route that identifies the network from which you expect management traffic.
The FWSM supports up to three equal cost routes to the same destination per interface for load balancing.
This section includes the following topics:
• Configuring a Static Route
• Configuring a Default Route
For information about configuring IPv6 static and default routes, see the "Configuring IPv6 Default and Static Routes" section on page 9-5.
Configuring a Static Route
To add a static route, enter the following command:
hostname(config)# route if_name dest_ip mask gateway_ip [distance]
The dest_ip and mask are the IP address and mask of the destination network, and the gateway_ip is the address of the next-hop router.
The distance is the administrative distance for the route; the default is 1 if you do not specify a value. Administrative distance is a parameter used to compare routes from different routing protocols. The default administrative distance for static routes is 1, which gives them precedence over routes discovered by dynamic routing protocols, but not over directly connected routes. The default administrative distance for routes discovered by OSPF is 110. If a static route has the same administrative distance as a dynamic route, the static route takes precedence. Connected routes always take precedence over static or dynamically discovered routes.
Static routes remain in the routing table even if the specified gateway becomes unavailable. If the specified gateway becomes unavailable, you need to remove the static route from the routing table manually. However, static routes are removed from the routing table if the associated interface goes down. They are reinstated when the interface comes back up.
Note
If you create a static route with an administrative distance greater than the administrative distance of the routing protocol running on the FWSM, then a route to the specified destination discovered by the routing protocol takes precedence over the static route. The static route is used only if the dynamically discovered route is removed from the routing table.
The following example creates a static route that sends all traffic destined for 10.1.1.0/24 to the router (10.1.2.45) connected to the inside interface:
hostname(config)# route inside 10.1.1.0 255.255.255.0 10.1.2.45 1
You can define up to three equal cost routes to the same destination per interface. ECMP is not supported across multiple interfaces. With ECMP, the traffic is not necessarily divided evenly between the routes; traffic is distributed among the specified gateways based on an algorithm that hashes the source and destination IP addresses.
The following example shows static routes that are equal cost routes that direct traffic to three different gateways on the outside interface. The FWSM distributes the traffic among the specified gateways.
hostname(config)# route outside 10.10.10.0 255.255.255.0 192.168.1.1
hostname(config)# route outside 10.10.10.0 255.255.255.0 192.168.1.2
hostname(config)# route outside 10.10.10.0 255.255.255.0 192.168.1.3
Configuring a Default Route
A default route identifies the gateway IP address to which FWSM sends all IP packets for which it does not have a learned or static route. A default route is simply a static route with 0.0.0.0/0 as the destination IP address. Routes that identify a specific destination take precedence over the default route.
You can define up to three equal cost default route entries per device. Defining more than one equal cost default route entry causes the traffic sent to the default route to be distributed among the specified gateways. When defining more than one default route, you must specify the same interface for each entry.
If you attempt to define more than three equal cost default routes, or if you attempt to define a default route with a different interface than a previously defined default route, you receive the message "ERROR: Cannot add route entry, possible conflict with existing routes."
To define the default route, enter the following command:
hostname(config)# route if_name 0.0.0.0 0.0.0.0 gateway_ip [distance]
Tip
You can enter 0 0 instead of 0.0.0.0 0.0.0.0 for the destination network address and mask, for example: hostname(config)# route outside 0 0 192.168.1.1 1
The following example shows an FWSM configured with three equal cost default routes. Traffic received by the FWSM for which there is no static or learned route is distributed among the gateways with the IP addresses 192.168.2.1, 192.168.2.2, 192.168.2.3.
hostname(config)# route outside 0 0 192.168.2.1
hostname(config)# route outside 0 0 192.168.2.2
hostname(config)# route outside 0 0 192.168.2.3
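An added Python model (not FWSM code) of the rules in this section: administrative distance precedence, the limit of three equal cost routes per destination per interface, the conflict error for a fourth or differently-homed default route, and hash-based gateway selection among ECMP gateways. The CRC32 of the source and destination addresses is an assumption standing in for the FWSM's own, undocumented hash; all addresses are constructed.

```python
import ipaddress
import zlib
from dataclasses import dataclass

CONFLICT = "ERROR: Cannot add route entry, possible conflict with existing routes."
CONNECTED, STATIC, OSPF = 0, 1, 110   # administrative distances given in this section
MAX_ECMP = 3                          # equal cost routes per destination per interface


@dataclass(frozen=True)
class Route:
    prefix: str        # "dest_ip/prefixlen"
    interface: str
    gateway: str
    distance: int = STATIC


class RoutingTable:
    def __init__(self):
        self.routes = []

    def add(self, route):
        """'route if_name dest mask gateway [distance]'. Returns None, or the CLI error."""
        equal_cost = [r for r in self.routes
                      if r.prefix == route.prefix and r.distance == route.distance]
        # The page documents the different-interface conflict for the default route.
        if route.prefix == "0.0.0.0/0" and equal_cost and equal_cost[0].interface != route.interface:
            return CONFLICT
        if len(equal_cost) >= MAX_ECMP:          # a fourth equal cost route is refused
            return CONFLICT
        self.routes.append(route)
        return None

    def lookup(self, dst, src=None):
        """Longest prefix first, then lowest administrative distance. The remaining
        equal-cost gateways on one interface are chosen among by hashing the source
        and destination addresses, so a given flow always takes the same gateway."""
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in ipaddress.ip_network(r.prefix)]
        if not matches:
            return None
        longest = max(ipaddress.ip_network(r.prefix).prefixlen for r in matches)
        matches = [r for r in matches if ipaddress.ip_network(r.prefix).prefixlen == longest]
        best_ad = min(r.distance for r in matches)
        ecmp = [r for r in matches if r.distance == best_ad]
        ecmp = [r for r in ecmp if r.interface == ecmp[0].interface]   # never across interfaces
        if src is None or len(ecmp) == 1:
            return ecmp[0]
        return ecmp[zlib.crc32(f"{src}->{dst}".encode()) % len(ecmp)]   # assumed hash


def distribution(table, flows):
    """Count how many of the given (src, dst) flows land on each gateway."""
    counts = {}
    for src, dst in flows:
        gw = table.lookup(dst, src).gateway
        counts[gw] = counts.get(gw, 0) + 1
    return counts


def demo():
    """Constructed addresses; mirrors the examples in this section."""
    t = RoutingTable()
    errors = [t.add(Route("0.0.0.0/0", "outside", "192.168.2.1")),
              t.add(Route("0.0.0.0/0", "outside", "192.168.2.2")),
              t.add(Route("0.0.0.0/0", "outside", "192.168.2.3")),
              t.add(Route("0.0.0.0/0", "outside", "192.168.2.4")),   # fourth: refused
              t.add(Route("0.0.0.0/0", "dmz", "10.1.3.1"))]          # other interface: refused
    t.add(Route("10.1.1.0/24", "inside", "10.1.2.45"))               # static, distance 1
    t.add(Route("10.1.1.0/24", "inside", "10.1.2.46", OSPF))         # learned, distance 110
    t.add(Route("10.1.5.0/24", "inside", "10.1.2.47", 120))          # static above the OSPF distance
    t.add(Route("10.1.5.0/24", "inside", "10.1.2.48", OSPF))         # so the OSPF route wins
    preferred = t.lookup("10.1.1.9").gateway
    floating = t.lookup("10.1.5.9").gateway
    flows = [(f"10.0.{i // 256}.{i % 256}", "198.51.100.1") for i in range(300)]
    spread = distribution(t, flows)                                  # uses all three default gateways
    return errors, preferred, floating, spread
```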
Configuring OSPF
This section describes how to configure OSPF. This section includes the following topics:
• OSPF Overview
• Enabling OSPF
• Redistributing Routes Between OSPF Processes
• Configuring OSPF Interface Parameters
• Configuring OSPF Area Parameters
• Configuring OSPF NSSA
• Configuring a Point-To-Point, Non-Broadcast OSPF Neighbor
• Configuring Route Summarization Between OSPF Areas
• Configuring Route Summarization when Redistributing Routes into OSPF
• Generating a Default Route
• Configuring Route Calculation Timers
• Logging Neighbors Going Up or Down
• Displaying OSPF Update Packet Pacing
• Monitoring OSPF
• Restarting the OSPF Process
OSPF Overview
OSPF uses a link-state algorithm to build and calculate the shortest path to all known destinations. Each router in an OSPF area contains an identical link-state database, which is a list of each router's usable interfaces and reachable neighbors.
The advantages of OSPF over RIP include the following:
• OSPF link-state database updates are sent less frequently than RIP updates, and the link-state database is updated instantly rather than gradually as stale information is timed out.
• Routing decisions are based on cost, which is an indication of the overhead required to send packets across a certain interface. FWSM calculates the cost of an interface based on link bandwidth rather than the number of hops to the destination. The cost can be configured to specify preferred paths.
The disadvantage of shortest path first algorithms is that they require a lot of CPU cycles and memory.
FWSM can run two processes of OSPF protocol simultaneously, on different sets of interfaces. You might want to run two processes if you have interfaces that use the same IP addresses (NAT allows these interfaces to coexist, but OSPF does not allow overlapping addresses). Or you might want to run one process on the inside, and another on the outside, and redistribute a subset of routes between the two processes. Similarly, you might need to segregate private addresses from public addresses.
Redistribution between the two OSPF processes is supported. Static and connected routes configured on OSPF-enabled interfaces on FWSM can also be redistributed into the OSPF process. You cannot enable RIP on FWSM if OSPF is enabled. Redistribution between RIP and OSPF is not supported.
FWSM supports the following OSPF features:
• Support of intra-area, interarea, and external (Type I and Type II) routes.
• Support of a virtual link.
• OSPF LSA flooding.
• Authentication to OSPF packets (both password and MD5 authentication).
• Support for configuring FWSM as a designated router or a designated backup router. FWSM also can be set up as an ABR; however, the ability to configure the FWSM as an ASBR is limited to default information only (for example, injecting a default route).
• Support for stub areas and not-so-stubby-areas.
• Area boundary router type-3 LSA filtering.
• Advertisement of static and global address translations.
Enabling OSPF
To enable OSPF, you need to create an OSPF routing process, specify the range of IP addresses associated with the routing process, then assign area IDs associated with that range of IP addresses.
Note
You cannot enable OSPF if RIP is enabled.
To enable OSPF, perform the following steps:
Step 1
To create an OSPF routing process, enter the following command:
hostname(config)# router ospf process_id
This command enters the router configuration mode for this OSPF process.
The process_id is an internally used identifier for this routing process. It can be any positive integer. This ID does not have to match the ID on any other device; it is for internal use only. You can use a maximum of two processes.
Step 2
To define the IP addresses on which OSPF runs and to define the area ID for that interface, enter the following command:
hostname(config-router)# network ip_address mask area area_id
The following example shows how to enable OSPF:
hostname(config)# router ospf 2
hostname(config-router)# network 10.0.0.0 255.0.0.0 area 0
Redistributing Routes Between OSPF Processes
The FWSM can control the redistribution of routes between OSPF routing processes. The FWSM matches and changes routes according to settings in the redistribute command or by using a route map. See also the "Generating a Default Route" section for another use for route maps.
Note
The FWSM cannot redistribute routes between routing protocols. However, the FWSM can redistribute static and connected routes.
This section includes the following topics:
• Adding a Route Map
• Redistributing Static, Connected, or OSPF Routes to an OSPF Process
Adding a Route Map
To define a route map, perform the following steps:
Step 1
To create a route map entry, enter the following command:
hostname(config)# route-map name {permit | deny} [sequence_number]
Route map entries are read in order. You can identify the order using the sequence_number option, or the FWSM uses the order in which you add the entries.
Step 2
Enter one or more match commands:
• To match any routes that have a destination network that matches a standard access list, enter the following command:
hostname(config-route-map)# match ip address acl_id [acl_id] [...]
If you specify more than one access list, then the route can match any of the access lists.
• To match any routes that have a specified metric, enter the following command:
hostname(config-route-map)# match metric metric_value
The metric_value can be from 0 to 4294967295.
• To match any routes that have a next hop router address that matches a standard access list, enter the following command:
hostname(config-route-map)# match ip next-hop acl_id [acl_id] [...]
If you specify more than one access list, then the route can match any of the access lists.
• To match any routes with the specified next hop interface, enter the following command:
hostname(config-route-map)# match interface if_name
If you specify more than one interface, then the route can match either interface.
• To match any routes that have been advertised by routers that match a standard access list, enter the following command:
hostname(config-route-map)# match ip route-source acl_id [acl_id] [...]
If you specify more than one access list, then the route can match any of the access lists.
• To match the route type, enter the following command:
hostname(config-route-map)# match route-type {internal | external [type-1 | type-2]}
Step 3
Enter one or more set commands.
If a route matches the match commands, then the following set commands determine the action to perform on the route before redistributing it.
• To set the metric, enter the following command:
hostname(config-route-map)# set metric metric_value
The metric_value can be a value between 0 and 4294967295.
• To set the metric type, enter the following command:
hostname(config-route-map)# set metric-type {type-1 | type-2}
The following example shows how to redistribute routes with a hop count equal to 1. The FWSM redistributes these routes as external LSAs with a metric of 5, metric type of Type 1, and a tag equal to 1.
hostname(config)# route-map 1-to-2 permit
hostname(config-route-map)# match metric 1
hostname(config-route-map)# set metric 5
hostname(config-route-map)# set metric-type type-1
Redistributing Static, Connected, or OSPF Routes to an OSPF Process
To redistribute static, connected, or OSPF routes from one process into another OSPF process, perform the following steps:
Step 1
If you have not already done so, enter the router configuration mode for the OSPF process you want to redistribute into by entering the following command:
hostname(config)# router ospf process_id
Step 2
To specify the routes you want to redistribute, enter the following command:
hostname(config-router)# redistribute {ospf process_id [match {internal | external 1 | external 2}] | static | connect} [metric metric-value] [metric-type {type-1 | type-2}] [tag tag_value] [subnets] [route-map map_name]
The ospf process_id, static, and connect keywords specify from where you want to redistribute routes.
You can either use the options in this command to match and set route properties, or you can use a route map. The tag and subnets options do not have equivalents in the route-map command. If you use both a route map and options in the redistribute command, then they must match.
The following example shows route redistribution from OSPF process 1 into OSPF process 2 by matching routes with a metric equal to 1. The FWSM redistributes these routes as external LSAs with a metric of 5, metric type of Type 1, and a tag equal to 1.
hostname(config)# route-map 1-to-2 permit
hostname(config-route-map)# match metric 1
hostname(config-route-map)# set metric 5
hostname(config-route-map)# set metric-type type-1
hostname(config-route-map)# set tag 1
hostname(config-route-map)# router ospf 2
hostname(config-router)# redistribute ospf 1 route-map 1-to-2
The following example shows the specified OSPF process routes being redistributed into OSPF process 109. The OSPF metric is remapped to 100.
hostname(config)# router ospf 109
hostname(config-router)# redistribute ospf 108 metric 100 subnets
The following example shows route redistribution where the link-state cost is specified as 5 and the metric type is set to external, indicating that it has lower priority than internal metrics.
hostname(config)# router ospf 1
hostname(config-router)# redistribute ospf 2 metric 5 metric-type external
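Added Python model, not FWSM code, of how the route map from "Adding a Route Map" is evaluated when the redistribute command applies it: entries are read in sequence order, the first match decides, and a permit entry applies its set clauses before the route is redistributed as an external LSA. The OSPF route records and the access-list representation are constructed and simplified (a standard ACL entry matches a route whose network lies inside the entry's network).

```python
import ipaddress
from dataclasses import dataclass, field, replace


@dataclass
class OspfRoute:
    prefix: str
    metric: int
    route_type: str          # "internal", "external type-1" or "external type-2"
    next_hop: str
    metric_type: str = "type-2"
    tag: int = 0


@dataclass
class Entry:
    """One 'route-map name {permit|deny} seq' entry with its match and set clauses."""
    action: str
    seq: int
    matches: dict = field(default_factory=dict)   # {"metric": 1, "ip address": ["acl1"], ...}
    sets: dict = field(default_factory=dict)      # {"metric": 5, "metric-type": "type-1", "tag": 1}


def acl_permits(acl, prefix):
    """Standard access list as an ordered list of (action, network); implicit deny.
    Simplification: a route matches an entry when its network lies inside the entry's."""
    net = ipaddress.ip_network(prefix)
    for action, entry in acl:
        if net.subnet_of(ipaddress.ip_network(entry)):
            return action == "permit"
    return False


def entry_matches(entry, route, acls):
    """Every match clause must hold; a clause naming several ACLs matches on any one."""
    for clause, want in entry.matches.items():
        if clause == "metric" and route.metric != want:
            return False
        if clause == "route-type" and not route.route_type.startswith(want):
            return False
        if clause == "ip address" and not any(acl_permits(acls[a], route.prefix) for a in want):
            return False
        if clause == "ip next-hop" and not any(acl_permits(acls[a], route.next_hop + "/32") for a in want):
            return False
    return True


def apply_route_map(entries, routes, acls):
    """Entries are read in sequence order and the first matching entry decides:
    permit applies its set clauses, deny or no match drops the route."""
    kept = []
    for route in routes:
        for entry in sorted(entries, key=lambda e: e.seq):
            if entry_matches(entry, route, acls):
                if entry.action == "permit":
                    kept.append(replace(route, **{k.replace("-", "_"): v for k, v in entry.sets.items()}))
                break
    return kept


def redistribute(source_routes, match=None, route_map=None, acls=None, **options):
    """'redistribute ospf N [match ...] [metric M] [metric-type T] [tag G] [route-map R]'.
    match is "internal", "external", "external type-1" or "external type-2"; options are
    the command-line metric / metric_type / tag. Output routes are external LSAs."""
    selected = [r for r in source_routes if match is None or r.route_type.startswith(match)]
    if route_map is not None:
        selected = apply_route_map(route_map, selected, acls or {})
    out = []
    for r in selected:
        r = replace(r, **options)
        r.route_type = "external " + r.metric_type
        out.append(r)
    return out


def demo():
    """The 1-to-2 route map from this section applied to constructed OSPF 1 routes."""
    ospf1 = [OspfRoute("10.1.1.0/24", 1, "internal", "10.1.2.45"),
             OspfRoute("10.1.2.0/24", 3, "internal", "10.1.2.45"),
             OspfRoute("172.16.0.0/16", 1, "external type-2", "10.1.2.46")]
    one_to_two = [Entry("permit", 10, matches={"metric": 1},
                        sets={"metric": 5, "metric-type": "type-1", "tag": 1})]
    via_map = redistribute(ospf1, route_map=one_to_two)       # redistribute ospf 1 route-map 1-to-2
    remapped = redistribute(ospf1, metric=100)                # redistribute ospf 108 metric 100 subnets
    internal_only = redistribute(ospf1, match="internal", metric=5, metric_type="type-1")
    return via_map, remapped, internal_only
```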
Configuring OSPF Interface Parameters
You can alter some interface-specific OSPF parameters as necessary. You are not required to alter any of these parameters, but the following interface parameters must be consistent across all routers in an attached network: ospf hello-interval, ospf dead-interval, and ospf authentication-key. Be sure that if you configure any of these parameters, the configurations for all routers on your network have compatible values.
To configure OSPF interface parameters, perform the following steps:
Step 1
To enter the interface configuration mode, enter the following command:
hostname(config)# interface if_name
Step 2
Enter any of the following commands:
• To specify the authentication type for an interface, enter the following command:
hostname(config-interface)# ospf authentication [message-digest | null]
• To assign a password to be used by neighboring OSPF routers on a network segment that is using the OSPF simple password authentication, enter the following command:
hostname(config-interface)# ospf authentication-key key
The key can be any continuous string of characters up to 8 bytes in length.
The password created by this command is used as a key that is inserted directly into the OSPF header when the FWSM software originates routing protocol packets. A separate password can be assigned to each network on a per-interface basis. All neighboring routers on the same network must have the same password to be able to exchange OSPF information.
• To explicitly specify the cost of sending a packet on an OSPF interface, enter the following command:
hostname(config-interface)# ospf cost cost
The cost is an integer from 1 to 65535.
• To set the number of seconds that a device must wait before it declares a neighbor OSPF router down because it has not received a hello packet, enter the following command:
hostname(config-interface)# ospf dead-interval seconds
The value must be the same for all nodes on the network.
• To specify the length of time between the hello packets that the FWSM sends on an OSPF interface, enter the following command:
hostname(config-interface)# ospf hello-interval seconds
The value must be the same for all nodes on the network.
• To enable OSPF MD5 authentication, enter the following command:
hostname(config-interface)# ospf message-digest-key key_id md5 key
Set the following values:
– key_id—An identifier in the range from 1 to 255.
– key—Alphanumeric password of up to 16 bytes.
Usually, one key per interface is used to generate authentication information when sending packets and to authenticate incoming packets. The same key identifier on the neighbor router must have the same key value.
We recommend that you not keep more than one key per interface. Every time you add a new key, you should remove the old key to prevent the local system from continuing to communicate with a hostile system that knows the old key. Removing the old key also reduces overhead during rollover.
• To set the priority to help determine the OSPF designated router for a network, enter the following command:
hostname(config-interface)# ospf priority number_value
The number_value is from 0 to 255.
• To specify the number of seconds between LSA retransmissions for adjacencies belonging to an OSPF interface, enter the following command:
hostname(config-interface)# ospf retransmit-interval seconds
The seconds value must be greater than the expected round-trip delay between any two routers on the attached network. The range is from 1 to 65535 seconds. The default is 5 seconds.
• To set the estimated number of seconds required to send a link-state update packet on an OSPF interface, enter the following command:
hostname(config-interface)# ospf transmit-delay seconds
The seconds value is from 1 to 65535 seconds. The default is 1 second.
The following example shows how to configure the OSPF interfaces:
hostname(config)# router ospf 2
hostname(config-router)# network 2.0.0.0 255.0.0.0 area 0
hostname(config-router)# interface inside
hostname(config-interface)# ospf cost 20
hostname(config-interface)# ospf retransmit-interval 15
hostname(config-interface)# ospf transmit-delay 10
hostname(config-interface)# ospf priority 20
hostname(config-interface)# ospf hello-interval 10
hostname(config-interface)# ospf dead-interval 40
hostname(config-interface)# ospf authentication-key cisco
hostname(config-interface)# ospf message-digest-key 1 md5 cisco
hostname(config-interface)# ospf authentication message-digest
The following is sample output from the show ospf command:
hostname(config)# show ospf
Routing Process "ospf 2" with ID 20.1.89.2 and Domain ID 0.0.0.2
Supports only single TOS(TOS0) routes
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
Number of external LSA 5. Checksum Sum 0x 26da6
Number of opaque AS LSA 0. Checksum Sum 0x 0
Number of DCbitless external and opaque AS LSA 0
Number of DoNotAge external and opaque AS LSA 0
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
External flood list length 0
Number of interfaces in this area is 1
Area has no authentication
SPF algorithm executed 2 times
Number of LSA 5. Checksum Sum 0x 209a3
Number of opaque link LSA 0. Checksum Sum 0x 0
Number of DCbitless LSA 0
Number of indication LSA 0
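The MD5 authentication that ospf message-digest-key and ospf authentication message-digest turn on, implemented as an added example (not FWSM or Cisco code) following RFC 2328 Appendix D. It goes beyond the configuration steps above to show why the key id and key value must agree on both neighbors, why the cryptographic sequence number blocks replayed packets, and why an old key should be removed after rollover. The Hello packet is constructed from the values in the interface example; zero-padding keys shorter than 16 bytes is an assumption.

```python
import hashlib
import hmac
import ipaddress
import struct

OSPF_VERSION, HELLO, AUTYPE_MD5, DIGEST_LEN = 2, 1, 2, 16
HEADER_LEN = 24


def ospf_packet(router_id, area_id, body, key_id, seq):
    """OSPFv2 header plus body. With AuType 2 the checksum is zero and the 8-byte
    authentication field carries 0, key id, digest length and the crypto sequence number."""
    length = HEADER_LEN + len(body)
    header = struct.pack("!BBH4s4sHH", OSPF_VERSION, HELLO, length, router_id, area_id, 0, AUTYPE_MD5)
    auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    return header + auth + body


def sign(packet, key):
    """Sender side: append MD5(packet || key). The key is zero-padded to 16 bytes
    (assumption for short keys); the digest is not counted in the length field."""
    return packet + hashlib.md5(packet + key.ljust(16, b"\x00")).digest()


def verify(signed, keys, last_seq):
    """Receiver side. keys: {key_id: key} configured with 'ospf message-digest-key';
    last_seq: {router_id: highest sequence number accepted}. Returns (accepted, reason)."""
    if len(signed) < HEADER_LEN + DIGEST_LEN:
        return False, "too short"
    length = struct.unpack("!H", signed[2:4])[0]
    packet, digest = signed[:length], signed[length:length + DIGEST_LEN]
    router_id = packet[4:8]
    autype = struct.unpack("!H", packet[14:16])[0]
    _, key_id, data_len, seq = struct.unpack("!HBBI", packet[16:24])
    if autype != AUTYPE_MD5 or data_len != DIGEST_LEN:
        return False, "authentication type mismatch"
    if key_id not in keys:                       # neighbor has no key with this id
        return False, f"unknown key id {key_id}"
    expected = hashlib.md5(packet + keys[key_id].ljust(16, b"\x00")).digest()
    if not hmac.compare_digest(expected, digest):
        return False, "bad digest"
    if seq < last_seq.get(router_id, 0):         # sequence numbers must not go backwards
        return False, "replayed sequence number"
    last_seq[router_id] = seq
    return True, "ok"


def hello_body(hello_interval, priority, dead_interval):
    """Minimal Hello body: mask, hello interval, options, priority, dead interval, DR, BDR."""
    return b"\xff\xff\xff\x00" + struct.pack("!HBBI", hello_interval, 0, priority, dead_interval) + b"\x00" * 8


def demo():
    """Exercise the receiver checks with the values from the interface example above."""
    rid = ipaddress.ip_address("20.1.89.2").packed     # router ID from the show ospf output
    area = ipaddress.ip_address("0.0.0.0").packed
    body = hello_body(10, 20, 40)                      # hello 10, priority 20, dead 40
    neighbor_keys = {1: b"cisco"}                      # ospf message-digest-key 1 md5 cisco
    seen = {}
    results = {}
    pkt = sign(ospf_packet(rid, area, body, key_id=1, seq=100), b"cisco")
    results["valid"] = verify(pkt, neighbor_keys, seen)
    old = sign(ospf_packet(rid, area, body, key_id=1, seq=99), b"cisco")
    results["old_seq"] = verify(old, neighbor_keys, seen)
    tampered = bytearray(pkt)
    tampered[HEADER_LEN + 5] ^= 0x01                   # hello interval changed in flight
    results["tampered"] = verify(bytes(tampered), neighbor_keys, seen)
    results["wrong_key"] = verify(pkt, {1: b"other"}, seen)     # same id, different key value
    # After rollover the neighbor keeps only key 2, so packets signed with key 1 are refused.
    results["rotated"] = verify(pkt, {2: b"newkey"}, seen)
    return results
```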
Configuring OSPF Area Parameters
You can configure several area parameters. These area parameters (shown in the following task table) include setting authentication, defining stub areas, and assigning specific costs to the default summary route. Authentication provides password-based protection against unauthorized access to an area.
Stub areas are areas into which information on external routes is not sent. Instead, there is a default external route generated by the ABR, into the stub area for destinations outside the autonomous system. To take advantage of the OSPF stub area support, default routing must be used in the stub area. To further reduce the number of LSAs sent into a stub area, you can configure the no-summary keyword of the area stub command on the ABR to prevent it from sending summary link advertisement (LSA type 3) into the stub area.
To specify area parameters for your network, perform the following steps:
Step 1
If you have not already done so, enter the router configuration mode for the OSPF process you want to configure by entering the following command:
hostname(config)# router ospf process_id
Step 2
Enter any of the following commands:
• To enable authentication for an OSPF area, enter the following command:
hostname(config-router)# area area-id authentication
• To enable MD5 authentication for an OSPF area, enter the following command:
hostname(config-router)# area area-id authentication message-digest
• To define an area to be a stub area, enter the following command:
hostname(config-router)# area area-id stub [no-summary]
• To assign a specific cost to the default summary route used for the stub area, enter the following command:
hostname(config-router)# area area-id default-cost cost
The cost is an integer from 1 to 65535. The default is 1.
The following example shows how to configure the OSPF area parameters:
hostname(config)# router ospf 2
hostname(config-router)# area 0 authentication
hostname(config-router)# area 0 authentication message-digest
hostname(config-router)# area 17 stub
hostname(config-router)# area 17 default-cost 20
Configuring OSPF NSSA
The OSPF implementation of an NSSA is similar to an OSPF stub area. NSSA does not flood type 5 external LSAs from the core into the area, but it can import autonomous system external routes in a limited way within the area.
NSSA imports type 7 autonomous system external routes within an NSSA area by redistribution. These type 7 LSAs are translated into type 5 LSAs by NSSA ABRs, which are flooded throughout the whole routing domain. Summarization and filtering are supported during the translation.
NSSA simplifies administration for an ISP or network administrator who must connect a central site that uses OSPF to a remote site that uses a different routing protocol.
Before the implementation of NSSA, the connection between the corporate site border router and the remote router could not be run as an OSPF stub area because routes for the remote site could not be redistributed into the stub area, and two routing protocols needed to be maintained. A simple protocol such as RIP was usually run and handled the redistribution. With NSSA, you can extend OSPF to cover the remote connection by defining the area between the corporate router and the remote router as an NSSA.
To specify area parameters for your network as needed to configure OSPF NSSA, perform the following steps:
Step 1
If you have not already done so, enter the router configuration mode for the OSPF process you want to configure by entering the following command:
hostname(config)# router ospf process_id
Step 2
Enter any of the following commands:
• To define an NSSA area, enter the following command:
hostname(config-router)# area area-id nssa [no-redistribution] [default-information-originate]
• To summarize groups of addresses, enter the following command:
hostname(config-router)# summary-address ip_address mask [not-advertise] [tag tag]
This command helps reduce the size of the routing table. Using this command for OSPF causes an OSPF ASBR to advertise one external route as an aggregate for all redistributed routes that are covered by the address.
OSPF does not support summary-address 0.0.0.0 0.0.0.0.
In the following example, the summary address 10.1.0.0 includes addresses 10.1.1.0, 10.1.2.0, 10.1.3.0, and so on. Only the address 10.1.0.0 is advertised in an external link-state advertisement.
hostname(config-router)# summary-address 10.1.0.0 255.255.0.0
Before you use this feature, consider these guidelines:
– You can set a type 7 default route that can be used to reach external destinations. When configured, the router generates a type 7 default into the NSSA or the NSSA area boundary router.
– Every router within the same area must agree that the area is NSSA; otherwise, the routers will not be able to communicate.
Configuring a Point-To-Point, Non-Broadcast OSPF Neighbor
You need to define a static OSPF neighbor to advertise OSPF routes over a point-to-point, non-broadcast network. When an interface is configured as point-to-point, the following restrictions apply:
•
You can define only one OSPF neighbor for the interface.
•
You need to define a static route pointing to the OSPF neighbor if it is not on a directly connected network.
•
The interface cannot form adjacencies unless neighbors are configured explicitly.
To define an OSPF neighbor on a point-to-point, non-broadcast network, perform the following tasks:
Step 1
If the OSPF neighbor is not on a directly-connected network, create a static route to the OSPF neighbor. Do not use the default route. See the "Configuring a Static Route" section for more information about creating static routes.
Step 2
Define the OSPF neighbor by performing the following tasks:
a.
Enter router configuration mode for the OSPF process by entering the following command:
hostname(config)# router ospf pid
b.
Define the OSPF neighbor by entering the following command:
hostname(config-router)# neighbor addr [interface if_name]
The addr argument is the IP address of the OSPF neighbor. The if_name is the interface used to communicate with the neighbor. If the OSPF neighbor is not on the same network as any of the directly-connected interfaces, you must specify the interface.
c.
If not already configured, define the networks and associated area ID for the interface facing the OSPF neighbor by entering the following command:
hostname(config-router)# network addr mask area area_id
The addr mask pair must cover the IP address of the interface.
Step 3
Configure the interface through which the FWSM communicates with the neighbor by entering the following commands:
hostname(config)# interface vlan
hostname(config-if)# ospf network point-to-point non-broadcast
The following example shows how to configure OSPF across a point-to-point, non-broadcast network. The OSPF neighbor is not on a directly-connected network, so a static route is needed.
hostname(config)# route outside 10.3.3.0 255.255.255.0 10.1.1.99 1
hostname(config)# interface Vlan55
hostname(config-if)# nameif outside
hostname(config-if)# security-level 0
hostname(config-if)# ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
hostname(config-if)# ospf network point-to-point non-broadcast
hostname(config-if)# exit
hostname(config)# router ospf 1
hostname(config-router)# network 10.1.1.0 255.255.255.0 area 100
hostname(config-router)# neighbor 10.3.3.1 interface outside
hostname(config-router)# log-adj-changes
Configuring Route Summarization Between OSPF Areas
Route summarization is the consolidation of advertised addresses. This feature causes a single summary route to be advertised to other areas by an area boundary router. In OSPF, an area boundary router advertises networks in one area into another area. If the network numbers in an area are assigned in a way such that they are contiguous, you can configure the area boundary router to advertise a summary route that covers all the individual networks within the area that fall into the specified range.
To define an address range for route summarization, perform the following steps:
Step 1
If you have not already done so, enter the router configuration mode for the OSPF process you want to configure by entering the following command:
hostname(config)# router ospf process_id
Step 2
To set the address range, enter the following command:
hostname(config-router)# area area-id range ip-address mask [advertise | not-advertise]
The following example shows how to configure route summarization between OSPF areas:
hostname(config)# router ospf 1
hostname(config-router)# area 17 range 12.1.0.0 255.255.0.0
Configuring Route Summarization when Redistributing Routes into OSPF
When routes from other protocols are redistributed into OSPF, each route is advertised individually in an external LSA. However, you can configure the FWSM to advertise a single route for all the redistributed routes that are covered by a specified network address and mask. This configuration decreases the size of the OSPF link-state database.
To configure the FWSM to advertise one summary route for all redistributed routes covered by a network address and mask, perform the following steps:
Step 1
If you have not already done so, enter the router configuration mode for the OSPF process you want to configure by entering the following command:
hostname(config)# router ospf process_id
Step 2
To set the summary address, enter the following command:
hostname(config-router)# summary-address ip_address mask [not-advertise] [tag tag]
OSPF does not support summary-address 0.0.0.0 0.0.0.0.
The following example shows how to configure route summarization. The summary address 10.1.0.0 includes address 10.1.1.0, 10.1.2.0, 10.1.3.0, and so on. Only the address 10.1.0.0 is advertised in an external link-state advertisement:
hostname(config)# router ospf 1
hostname(config-router)# summary-address 10.1.0.0 255.255.0.0
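The aggregation rule behind the area range and summary-address commands above, as an added example in Python (not Cisco's code): which component routes a summary absorbs, the smallest single summary for a set of routes, and the space a summary advertises without any backing route. Sample prefixes are constructed; prefixes may be given as addr/len or in the CLI's addr mask form.

```python
"""Route-summarization helper (added example, not Cisco's code).  Only the
standard library is used; all prefixes below are constructed samples."""
import ipaddress
from typing import Iterable, List


def _net(prefix: str) -> ipaddress.IPv4Network:
    # 'addr mask' (FWSM CLI form) and 'addr/len' both accepted; strict=False
    # tolerates host bits, so 10.1.1.0/16 is read as 10.1.0.0/16
    return ipaddress.ip_network(prefix.replace(" ", "/"), strict=False)


def covered_routes(summary: str, routes: Iterable[str]) -> List[str]:
    """Routes the summary replaces in the advertisement (the ones it aggregates)."""
    s = _net(summary)
    return [r for r in routes if _net(r).subnet_of(s)]


def minimal_summary(routes: Iterable[str]) -> ipaddress.IPv4Network:
    """Smallest single prefix covering every route.  Widens the first route one
    bit at a time; refuses 0.0.0.0/0 because FWSM does not accept
    summary-address 0.0.0.0 0.0.0.0 (and a /0 would claim everything)."""
    nets = [_net(r) for r in routes]
    agg = nets[0]
    for n in nets[1:]:
        while not n.subnet_of(agg):
            agg = agg.supernet()          # supernet() of a /0 returns itself
    if agg.prefixlen == 0:
        raise ValueError("summary would be 0.0.0.0/0, not supported on FWSM")
    return agg


def uncovered_space(summary: str, routes: Iterable[str]) -> List[str]:
    """Blocks inside the summary that no component route backs.  Traffic for
    these still follows the summary to the advertising router, so a summary
    wider than the real routes attracts packets it cannot deliver."""
    remaining = [_net(summary)]
    for r in map(_net, routes):
        nxt = []
        for block in remaining:
            if block.subnet_of(r):        # fully backed, drop it
                continue
            if r.subnet_of(block):        # carve the route out of the block
                nxt.extend(block.address_exclude(r))
            else:                         # disjoint, keep as is
                nxt.append(block)
        remaining = nxt
    return [str(b) for b in sorted(remaining)]
```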
Generating a Default Route
You can force an ASBR to generate a default route into an OSPF routing domain. Whenever you specifically configure redistribution of routes into an OSPF routing domain, the router automatically becomes an ASBR. However, an ASBR does not by default generate a default route into the OSPF routing domain.
To generate a default route, perform the following steps:
Step 1
If you have not already done so, enter the router configuration mode for the OSPF process you want to configure by entering the following command:
hostname(config)# router ospf process_id
Step 2
To force the ASBR to generate a default route, enter the following command:
hostname(config-router)# default-information originate [always] [metric metric-value] [metric-type {1 | 2}] [route-map map-name]
The following example shows how to generate a default route:
hostname(config)# router ospf 2
hostname(config-router)# default-information originate always
Configuring Route Calculation Timers
You can configure the delay time between when OSPF receives a topology change and when it starts an SPF calculation. You also can configure the hold time between two consecutive SPF calculations.
To configure route calculation timers, perform the following steps:
Step 1
If you have not already done so, enter the router configuration mode for the OSPF process you want to configure by entering the following command:
hostname(config)# router ospf process_id
Step 2
To configure the route calculation time, enter the following command:
hostname(config-router)# timers spf spf-delay spf-holdtime
The spf-delay is the delay time (in seconds) between when OSPF receives a topology change and when it starts an SPF calculation. It can be an integer from 0 to 65535. The default time is 5 seconds. A value of 0 means that there is no delay; that is, the SPF calculation is started immediately.
The spf-holdtime is the minimum time (in seconds) between two consecutive SPF calculations. It can be an integer from 0 to 65535. The default time is 10 seconds. A value of 0 means that there is no delay; that is, two SPF calculations can be done, one immediately after the other.
The following example shows how to configure route calculation timers:
hostname(config)# router ospf 1
hostname(config-router)# timers spf 10 120
Logging Neighbors Going Up or Down
By default, the system sends a system log message when an OSPF neighbor goes up or down.
Configure this command if you want to know about OSPF neighbors going up or down without turning on the debug ospf adjacency command. The log-adj-changes router configuration command provides a higher-level view of the peer relationship with less output. Configure log-adj-changes detail if you want to see messages for each state change.
To log neighbors going up or down, perform the following steps:
Step 1
If you have not already done so, enter the router configuration mode for the OSPF process you want to configure by entering the following command:
hostname(config)# router ospf process_id
Step 2
To configure logging for neighbors going up or down, enter the following command:
hostname(config-router)# log-adj-changes [detail]
Note
Logging must be enabled for the neighbor up/down messages to be sent.
The following example shows how to log neighbors up/down messages:
hostname(config)# router ospf 1
hostname(config-router)# log-adj-changes detail
Displaying OSPF Update Packet Pacing
OSPF update packets are automatically paced so they are not sent less than 33 milliseconds apart. Without pacing, some update packets could get lost in situations where the link is slow, a neighbor could not receive the updates quickly enough, or the router could run out of buffer space. For example, without pacing, packets might be dropped if either of the following topologies exists:
•
A fast router is connected to a slower router over a point-to-point link.
•
During flooding, several neighbors send updates to a single router at the same time.
Pacing is also used between resends to increase efficiency and minimize lost retransmissions. You also can display the LSAs waiting to be sent out an interface. The benefit of the pacing is that OSPF update and retransmission packets are sent more efficiently.
There are no configuration tasks for this feature; it occurs automatically.
To observe OSPF packet pacing by displaying a list of LSAs waiting to be flooded over a specified interface, enter the following command:
hostname# show ospf flood-list if_name
Monitoring OSPF
You can display specific statistics such as the contents of IP routing tables, caches, and databases. You can use the information provided to determine resource utilization and solve network problems. You can also display information about node reachability and discover the routing path that packets from your device are taking through the network.
To display various routing statistics, perform one of the following tasks, as needed:
•
To display general information about OSPF routing processes, enter the following command:
hostname# show ospf [process-id [area-id]]
•
To display the internal OSPF routing table entries to the ABR and ASBR, enter the following command:
hostname# show ospf border-routers
•
To display lists of information related to the OSPF database for a specific router, enter the following command:
hostname# show ospf [process-id [area-id]] database
•
To display a list of LSAs waiting to be flooded over an interface (to observe OSPF packet pacing), enter the following command:
hostname# show ospf flood-list if-name
•
To display OSPF-related interface information, enter the following command:
hostname# show ospf interface [if_name]
•
To display OSPF neighbor information on a per-interface basis, enter the following command:
hostname# show ospf neighbor [if-name] [neighbor-id] [detail]
•
To display a list of all LSAs requested by a router, enter the following command:
hostname# show ospf request-list neighbor if_name
•
To display a list of all LSAs waiting to be resent, enter the following command:
hostname# show ospf retransmission-list neighbor if_name
•
To display a list of all summary address redistribution information configured under an OSPF process, enter the following command:
hostname# show ospf [process-id] summary-address
•
To display OSPF-related virtual links information, enter the following command:
hostname# show ospf [process-id] virtual-links
Restarting the OSPF Process
To restart an OSPF process, or to clear redistribution or counters, enter the following command:
hostname(config)# clear ospf pid {process | redistribution | counters [neighbor [neighbor-interface] [neighbor-id]]}
Configuring RIP
This section describes how to configure RIP. This section includes the following topics:
•
RIP Overview
•
Enabling RIP
RIP Overview
Devices that support RIP send routing-update messages at regular intervals and when the network topology changes. These RIP packets contain information about the networks that the devices can reach, as well as the number of routers or gateways that a packet must travel through to reach the destination address. RIP generates more traffic than OSPF, but is easier to configure initially.
RIP has advantages over static routes because the initial configuration is simple, and you do not need to update the configuration when the topology changes. The disadvantage to RIP is that there is more network and processing overhead than static routing.
FWSM uses a limited version of RIP; it does not send out RIP updates that identify the networks that FWSM can reach. However, you can enable one or both of the following methods:
•
Passive RIP—FWSM listens for RIP updates but does not send any updates about its networks out of the interface.
Passive RIP allows FWSM to learn about networks to which it is not directly connected.
•
Default Route Updates—Instead of sending normal RIP updates that describe all the networks reachable through FWSM, FWSM sends a default route to participating devices that identifies FWSM as the default gateway.
You can use the default route option with passive RIP, or alone. You might use the default route option alone if you use static routes on FWSM, but do not want to configure static routes on downstream routers. Typically, you would not enable the default route option on the outside interface, because FWSM is not typically the default gateway for the upstream router.
Enabling RIP
To enable RIP on an interface, enter the following command:
hostname(config)# rip if_name {default | passive} [version {1 | 2 [authentication {text | md5} key key_id]}]
You can enable both the passive and default modes of RIP on an interface by entering the rip command twice, one time for each method. For example, enter the following commands:
hostname(config)# rip inside default version 2 authentication md5 scorpius 1
hostname(config)# rip inside passive version 2 authentication md5 scorpius 1
If you want to enable passive RIP on all interfaces, but only enable default routes on the inside interface, enter the following commands:
hostname(config)# rip inside default version 2 authentication md5 scorpius 1
hostname(config)# rip inside passive version 2 authentication md5 scorpius 1
hostname(config)# rip outside passive version 2 authentication md5
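The md5 form of the rip command above keeps the key off the wire, unlike text authentication, which carries the password in clear. What follows is an added example in Python, not Cisco's code, that builds one RIPv2 response with the RFC 2082 keyed-MD5 authentication trailer and verifies it the way a receiver would (framing, digest, sequence number); the key scorpius, the key ID, the sequence number and the routes are constructed sample values.

```python
"""Keyed-MD5 trailer for RIPv2 updates per RFC 2082 (added example, not
Cisco's code).  Key, key ID, sequence number and routes are constructed."""
import hashlib
import hmac
import ipaddress
import struct

# auth entry: AFI 0xFFFF, type 3 (keyed MD5), trailer offset, key id,
# auth data length (16), sequence number, 8 reserved octets
AUTH_ENTRY = struct.Struct("!HHHBBI8x")
ROUTE_ENTRY = struct.Struct("!HH4s4s4sI")  # AFI, tag, addr, mask, nexthop, metric
TRAILER_HDR = struct.pack("!HH", 0xFFFF, 0x0001)  # AFI 0xFFFF, type 1 = auth data
MD5_LEN = 16


def _padded_key(key: bytes) -> bytes:
    if not 0 < len(key) <= MD5_LEN:
        raise ValueError("RFC 2082 keys are 1..16 octets")
    return key.ljust(MD5_LEN, b"\x00")   # the key itself never goes on the wire


def build_update(routes, key: bytes, key_id: int, seq: int) -> bytes:
    """RIPv2 response: header, auth entry, (prefix, metric) routes, trailer
    header, then MD5(everything before it + padded key)."""
    body = b""
    for prefix, metric in routes:
        n = ipaddress.ip_network(prefix)
        body += ROUTE_ENTRY.pack(2, 0, n.network_address.packed,
                                 n.netmask.packed, b"\x00" * 4, metric)
    hdr = struct.pack("!BBH", 2, 2, 0)           # command 2 = response, version 2
    trailer_off = len(hdr) + AUTH_ENTRY.size + len(body)
    auth = AUTH_ENTRY.pack(0xFFFF, 0x0003, trailer_off, key_id, MD5_LEN, seq)
    unsigned = hdr + auth + body + TRAILER_HDR
    return unsigned + hashlib.md5(unsigned + _padded_key(key)).digest()


def verify_update(pkt: bytes, key: bytes, last_seq: int = -1):
    """Return (ok, key_id, seq).  Fails on bad framing, wrong auth type, digest
    mismatch, or a sequence number below the last accepted one (equal is
    allowed because one update may span several packets)."""
    if len(pkt) < 4 + AUTH_ENTRY.size + len(TRAILER_HDR) + MD5_LEN:
        return False, None, None
    afi, atype, off, key_id, alen, seq = AUTH_ENTRY.unpack_from(pkt, 4)
    if afi != 0xFFFF or atype != 0x0003 or alen != MD5_LEN:
        return False, key_id, seq
    if len(pkt) != off + 4 + MD5_LEN or pkt[off:off + 4] != TRAILER_HDR:
        return False, key_id, seq
    want = hashlib.md5(pkt[:off + 4] + _padded_key(key)).digest()
    if not hmac.compare_digest(want, pkt[off + 4:]) or seq < last_seq:
        return False, key_id, seq
    return True, key_id, seq
```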