Configuring Routing Policies on Firewall Devices

The Routing section in Security Manager contains pages for defining and managing routing settings for security appliances.

Configuring No Proxy ARP

When a host sends IP traffic to another device on the same Ethernet network, the host needs to know the MAC address of the device. Address Resolution Protocol (ARP) is a Layer 2 protocol that resolves an IP address to a MAC address: a host sends an ARP request asking “Who is this IP address?” The device owning the IP address replies, “I own that IP address; here is my MAC address.”

With Proxy ARP, a device responds to an ARP request with its own MAC address, even though the device does not own the IP address. Serving as an ARP Proxy for another host effectively directs network traffic to the proxy, in this case your security appliance. Traffic that passes through the appliance is then routed to the appropriate destination.

For example, the security appliance uses proxy ARP when you configure NAT and specify a global address that is on the same network as the appliance interface. The only way traffic can reach the destination hosts is if the appliance claims and subsequently routes traffic to the destination global addresses.

By default, proxy ARP is enabled for all interfaces. Use the No Proxy ARP page to disable proxy ARP for global addresses:

  • To disable proxy ARP for one or more interfaces, enter their names in the Interfaces field. Separate multiple interfaces with commas. You can click Select to choose the interfaces from a list of interfaces defined on the device, and interface roles defined in Security Manager.

Note

On ASA 8.4.2 and later devices operating in routed mode, you can disable Proxy ARP on the egress interface for a Manual NAT rule. See Do not proxy ARP on Destination Interface in Table 24-15 for more information.

Navigation Path

  • (Device view) Select Platform > Routing > No Proxy ARP from the Device Policy selector.

  • (Policy view) Select PIX/ASA/FWSM Platform > Routing > No Proxy ARP from the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new one.

Configuring BGP

Border Gateway Protocol (BGP) is an inter-autonomous system routing protocol. An autonomous system is a network or group of networks under a common administration and with common routing policies. BGP is used to exchange routing information for the Internet and is the protocol used between Internet service providers (ISPs).

Note

BGP configuration is supported on ASA 9.2(1)+ only. Also, beginning with ASA 9.3(1), BGP is supported in L2 (EtherChannel Type) and L3 (Individual Interface Type) clustering modes.

Navigation Path

  • (Device view) Select Platform > Routing > BGP from the Device Policy selector.

  • (Policy view) Select PIX/ASA/FWSM Platform > Routing > BGP from the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new one.

The BGP page provides two tabbed panels for configuring BGP routing on a firewall device. This is the basic procedure for configuring the BGP process:

  1. Enable the BGP routing process by checking the Enable BGP check box on the BGP page.

  2. In the AS Number field, enter the autonomous system (AS) number for the BGP process. The AS number internally includes multiple autonomous numbers. The AS number can be entered either as a plain number from 1 to 4294967295 or in dot notation from 1.0 to 65535.65535.

  3. On the General Tab:

    • (Optional) Check the Limit the number of AS numbers in AS_PATH attribute of received routes check box to restrict the number of AS numbers in AS_PATH attribute to a specific number. Valid values are from 1 to 254.

    • (Optional) Check the Log Neighbor Changes check box to enable logging of BGP neighbor changes (up or down) and resets. This helps in troubleshooting network connectivity problems and measuring network stability.

    • (Optional) Check the Use TCP path MTU Discovery check box to use the Path MTU Discovery technique to determine the maximum transmission unit (MTU) size on the network path between two IP hosts. This avoids IP fragmentation.

    • (Optional) Check the Enable fast external failover check box to reset the external BGP session immediately upon link failure.

    • (Optional) Check the Enforce that the first AS is peer’s AS for EBGP routes check box to discard incoming updates received from external BGP peers that do not list their own AS number as the first segment in the AS_PATH attribute. This prevents a misconfigured or unauthorized peer from misdirecting traffic by advertising a route as if it were sourced from another autonomous system.

    • (Optional) Check the Use dot notation for AS numbers check box to split the full binary 4-byte AS number into two words of 16 bits each, separated by a dot. AS numbers from 0 to 65535 are represented as decimal numbers and AS numbers larger than 65535 are represented using the dot notation.

    • Define the configuration related to the best path selection process for BGP routing (see General Tab).

    • Specify the timer information in the Neighbor timers area (see General Tab).

    • (Optional) Configure Graceful Restart (see General Tab).

  4. On the IPv4 Family tab, select the Enable IPv4 Family check box and then use the tabs provided to configure IPv4 Address Family settings. For more information, see IPv4 Family Tab.

  5. On the IPv6 Family tab, select the Enable IPv6 Family check box and then use the tabs provided to configure IPv6 Address Family settings. For more information, see IPv6 Family Tab.

About BGP

BGP is an inter-autonomous system routing protocol. An autonomous system is a network or group of networks under a common administration and with common routing policies. BGP is used to exchange routing information for the Internet and is the protocol used between Internet service providers (ISPs).

When to Use BGP

Customer networks, such as universities and corporations, usually employ an Interior Gateway Protocol (IGP) such as OSPF for the exchange of routing information within their networks. Customers connect to ISPs, and ISPs use BGP to exchange customer and ISP routes. When BGP is used between autonomous systems (AS), the protocol is referred to as External BGP (EBGP). If a service provider is using BGP to exchange routes within an AS, then the protocol is referred to as Interior BGP (IBGP).

Routing Table Changes

BGP neighbors exchange full routing information when the TCP connection between neighbors is first established. When changes to the routing table are detected, the BGP routers send to their neighbors only those routes that have changed. BGP routers do not send periodic routing updates, and BGP routing updates advertise only the optimal path to a destination network.

Routes learned via BGP have properties that are used to determine the best route to a destination, when multiple paths exist to a particular destination. These properties are referred to as BGP attributes and are used in the route selection process:

  • Weight -- This is a Cisco-defined attribute that is local to a router. The weight attribute is not advertised to neighboring routers. If the router learns about more than one route to the same destination, the route with the highest weight is preferred.

  • Local preference -- The local preference attribute is used to select an exit point from the local AS. Unlike the weight attribute, the local preference attribute is propagated throughout the local AS. If there are multiple exit points from the AS, the exit point with the highest local preference attribute is used as an exit point for a specific route.

  • Multi-exit discriminator -- The multi-exit discriminator (MED) or metric attribute is used as a suggestion to an external AS regarding the preferred route into the AS that is advertising the metric. It is referred to as a suggestion because the external AS that is receiving the MEDs may also be using other BGP attributes for route selection. The route with the lower MED metric is preferred.

  • Origin -- The origin attribute indicates how BGP learned about a particular route. The origin attribute can have one of three possible values and is used in route selection.

    • IGP -- The route is interior to the originating AS. This value is set when the network router configuration command is used to inject the route into BGP.

    • EGP -- The route is learned via the Exterior Border Gateway Protocol (EBGP).

    • Incomplete -- The origin of the route is unknown or learned in some other way. An origin of incomplete occurs when a route is redistributed into BGP.

  • AS_path -- When a route advertisement passes through an autonomous system, the AS number is added to an ordered list of AS numbers that the route advertisement has traversed. Only the route with the shortest AS_path list is installed in the IP routing table.

  • Next hop -- The EBGP next-hop attribute is the IP address that is used to reach the advertising router. For EBGP peers, the next-hop address is the IP address of the connection between the peers. For IBGP, the EBGP next-hop address is carried into the local AS.

  • Community -- The community attribute provides a way of grouping destinations, called communities, to which routing decisions (such as acceptance, preference, and redistribution) can be applied. Route maps are used to set the community attribute. The predefined community attributes are as follows:

    • no-export -- Do not advertise this route to EBGP peers.

    • no-advertise -- Do not advertise this route to any peer.

    • internet -- Advertise this route to the Internet community; all routers in the network belong to it.

BGP Path Selection

BGP may receive multiple advertisements for the same route from different sources. BGP selects only one path as the best path. When this path is selected, BGP puts the selected path in the IP routing table and propagates the path to its neighbors. BGP uses the following criteria, in the order presented, to select a path for a destination:

  • If the path specifies a next hop that is inaccessible, drop the update.

  • Prefer the path with the largest weight.

  • If the weights are the same, prefer the path with the largest local preference.

  • If the local preferences are the same, prefer the path that was originated by BGP running on this router.

  • If no route was originated, prefer the route that has the shortest AS_path.

  • If all paths have the same AS_path length, prefer the path with the lowest origin type (where IGP is lower than EGP, and EGP is lower than incomplete).

  • If the origin codes are the same, prefer the path with the lowest MED attribute.

  • If the paths have the same MED, prefer the external path over the internal path.

  • If the paths are still the same, prefer the path through the closest IGP neighbor.

  • If both paths are external, prefer the path that was received first (the oldest one).

  • Prefer the path with the lowest IP address, as specified by the BGP router ID.

  • If the originator or router ID is the same for multiple paths, prefer the path with the minimum cluster list length.

  • Prefer the path that comes from the lowest neighbor address.
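The decision order above, implemented as an added example that is not code from this page, from Security Manager, or from the ASA. It also models two General tab options, Allow comparing MED from different neighbors and Treat missing MED as the least preferred one, as flags; the Path data model, its field names and the sample advertisements are this example's own assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Origin codes ranked as the page states: IGP lower than EGP, EGP lower than incomplete.
ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}

@dataclass
class Path:
    """One candidate path for a prefix. Field names are this example's own, not ASA's."""
    prefix: str
    next_hop: str
    next_hop_reachable: bool = True
    weight: int = 0
    local_pref: int = 100            # "Default local preference" on the General tab is 100
    locally_originated: bool = False
    as_path: List[int] = field(default_factory=list)
    origin: str = "igp"
    med: Optional[int] = None        # None = MED attribute absent from the advertisement
    external: bool = True            # True = learned from an eBGP peer, False = iBGP
    igp_metric: int = 0              # IGP cost to reach the next hop
    received_order: int = 0          # lower = received earlier (the older path)
    router_id: str = "0.0.0.0"
    cluster_list_len: int = 0
    neighbor_addr: str = "0.0.0.0"

def ip_key(addr: str) -> Tuple[int, ...]:
    """Sort key so dotted-quad addresses compare numerically, not as strings."""
    return tuple(int(o) for o in addr.split("."))

def best_path(paths: List[Path], always_compare_med: bool = False,
              missing_med_worst: bool = False) -> Tuple[Optional[Path], str]:
    """Apply the decision steps in the page's order; return (winner, deciding step).

    always_compare_med models "Allow comparing MED from different neighbors";
    missing_med_worst models "Treat missing MED as the least preferred one".
    """
    # Step 1: a path whose next hop is inaccessible is dropped before any comparison.
    cands = [p for p in paths if p.next_hop_reachable]
    if not cands:
        return None, "no usable path"

    def med_value(p: Path) -> float:
        if p.med is None:  # absent MED counts as 0, or as infinity (least preferred)
            return float("inf") if missing_med_worst else 0
        return p.med

    # (step name, sort key). The smallest key wins, so "prefer the largest"
    # attributes (weight, local preference) are negated.
    steps = [
        ("weight", lambda p: -p.weight),
        ("local preference", lambda p: -p.local_pref),
        ("locally originated", lambda p: 0 if p.locally_originated else 1),
        ("AS_path length", lambda p: len(p.as_path)),
        ("origin", lambda p: ORIGIN_RANK[p.origin]),
        ("MED", med_value),
        ("eBGP over iBGP", lambda p: 0 if p.external else 1),
        ("IGP metric to next hop", lambda p: p.igp_metric),
        ("oldest eBGP path", lambda p: p.received_order),
        ("router ID", lambda p: ip_key(p.router_id)),
        ("cluster list length", lambda p: p.cluster_list_len),
        ("neighbor address", lambda p: ip_key(p.neighbor_addr)),
    ]
    for name, key in steps:
        if name == "MED" and not always_compare_med:
            # Default: MED is compared only between paths from the same neighboring
            # AS (the first AS in AS_path); otherwise this step is skipped.
            if len({p.as_path[0] if p.as_path else None for p in cands}) > 1:
                continue
        if name == "oldest eBGP path" and not all(p.external for p in cands):
            continue  # this tie-breaker applies only when all remaining paths are external
        lowest = min(key(p) for p in cands)
        cands = [p for p in cands if key(p) == lowest]
        if len(cands) == 1:
            return cands[0], name
    return cands[0], "tie on all criteria"

# Constructed sample: four advertisements for one prefix from different peers.
SAMPLE_PATHS = [
    Path("203.0.113.0/24", "192.0.2.1", as_path=[65010, 65020], med=50,
         router_id="192.0.2.1", neighbor_addr="192.0.2.1", received_order=2),
    Path("203.0.113.0/24", "192.0.2.9", as_path=[65010, 65020], med=10,
         router_id="192.0.2.9", neighbor_addr="192.0.2.9", received_order=1),
    Path("203.0.113.0/24", "192.0.2.17", as_path=[65030],
         router_id="192.0.2.17", neighbor_addr="192.0.2.17", received_order=3),
    # Highest weight of all, but its next hop is unreachable, so it never competes.
    Path("203.0.113.0/24", "198.51.100.1", next_hop_reachable=False, weight=32768),
]

def demo() -> Tuple[str, str]:
    """Select among all sample paths: the shorter AS_path decides."""
    best, step = best_path(SAMPLE_PATHS)
    return best.next_hop, step

def demo_med() -> Tuple[str, str]:
    """Only the two paths via AS 65010 compete, so the default MED comparison applies."""
    best, step = best_path(SAMPLE_PATHS[:2])
    return best.next_hop, step
```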

General Tab

Use the General tab to configure BGP settings such as Best Path Selection, Neighbor Timers, and Graceful Restart.

Navigation Path

You can access the General tab from the BGP page (see Configuring BGP).

Field Reference

Table 1. General Tab

Element

Description

Limit the number of AS numbers in AS_PATH attribute of received routes

Restricts the number of AS numbers in AS_PATH attribute to a specific number. Valid values are from 1 to 254.

Log Neighbor Changes

Enables logging of BGP neighbor changes (up or down) and resets. This helps in troubleshooting network connectivity problems and measuring network stability.

Use TCP path MTU Discovery

Enables the use of the Path MTU Discovery technique to determine the maximum transmission unit (MTU) size on the network path between two IP hosts. This avoids IP fragmentation.

Enable fast external failover

Resets the external BGP session immediately upon link failure.

Enforce that the first AS is peer’s AS for EBGP routes

Discards incoming updates received from external BGP peers that do not list their own AS number as the first segment in the AS_PATH attribute. This prevents a misconfigured or unauthorized peer from misdirecting traffic by advertising a route as if it were sourced from another autonomous system.

Use dot notation for AS numbers

Splits the full binary 4-byte AS number into two words of 16 bits each, separated by a dot. AS numbers from 0 to 65535 are represented as decimal numbers and AS numbers larger than 65535 are represented using the dot notation.

Best Path Selection

Default local preference

Specify a value between 0 and 4294967295. The default value is 100. Higher values indicate higher preference. This preference is sent to all routers and access servers in the local autonomous system.

Allow comparing MED from different neighbors

Allows the comparison of Multi Exit Discriminator (MED) for paths from neighbors in different autonomous systems.

Compare Router-id for identical EBGP paths

Compares similar paths received from external BGP peers during the best path selection process and switches the best path to the route with the lowest router ID.

Pick the best MED path among paths advertised from the neighboring AS

Enables MED comparison among paths learned from confederation peers. The comparison between MEDs is made only if there are no external autonomous systems in the path.

Treat missing MED as the least preferred one

Considers the missing MED attribute as having a value of infinity, making the path the least desirable; therefore, a path with a missing MED is least preferred.

Neighbor Timers

Keepalive Interval

Enter the time interval for which the BGP neighbor remains active after not sending a keepalive message. At the end of this keepalive interval, the BGP peer is declared dead if no messages have been sent. The default value is 60 seconds.

Hold Time

Enter the time interval for which the BGP neighbor remains active while a BGP connection is being initiated and configured. The default value is 180 seconds.

Min Hold Time

(Optional) Enter the minimum time interval for which the BGP neighbor remains active while a BGP connection is being initiated and configured. Specify a value from 0 to 65535.

Graceful Restart (Use in failover or spanned cluster mode)

(ASA 9.3.1+ only)

Enable Graceful Restart

Enables ASA peers to avoid a routing flap following a switchover.

Restart Time

Specify the time duration that ASA peers will wait to delete stale routes before a BGP open message is received. The default value is 120 seconds. Valid values are between 1 and 3600 seconds.

Stalepath Time

Enter the time duration that the ASA will wait before deleting stale routes after an end of record (EOR) message is received from the restarting ASA. The default value is 360 seconds. Valid values are between 1 and 3600 seconds.

IPv4 Family Tab

Use the IPv4 Family tab on the BGP page to enable and configure IPv4 settings for BGP.

Navigation Path

You can access the IPv4 Family tab from the BGP page. For more information about the BGP page, see Configuring BGP.

Field Reference

Table 2. IPv4 Family Tab

Element

Description

Enable IPv4 Family

Enables configuration of routing sessions that use standard IPv4 address prefixes.

General

Use this panel to configure general IPv4 settings such as Best Path Selection, Neighbor Timers, and Graceful Restart. See IPv4 Family - General Tab for more about these definitions.

Aggregate Address

Use this panel to define the aggregation of specific routes into one route.

Specify a value for the aggregate timer (in seconds) in the Aggregate Timer field. Valid values are 0 or any value between 6 and 60. The default value is 30.

See Add/Edit Aggregate Address Dialog Box for more about these definitions.

Filtering

Use this panel to filter routes or networks received in incoming BGP updates. See Add/Edit Filter Dialog Box for more about these definitions.

Neighbor

Use this panel to define BGP neighbors and neighbor settings. See Add/Edit Neighbor Dialog Box for more about these definitions.

Networks

Use this panel to define the networks to be advertised by the BGP routing process. See Add/Edit Network Dialog Box for more about these definitions.

Redistribution

Use this panel to define the conditions for redistributing routes from another routing domain into BGP. See Add/Edit Redistribution Dialog Box for more about these definitions.

Route Injection

Use this panel to define the routes to be conditionally injected into the BGP routing table. See Add/Edit Route Injection Dialog Box for more about these definitions.

IPv4 Family - General Tab

Use the IPv4 Family - General tab to configure the general IPv4 settings.

Navigation Path

You can access the General tab from the IPv4 Family Tab on the BGP page. For more information about the IPv4 Family tab, see IPv4 Family Tab.

Field Reference

Table 3. IPv4 Family - General Tab

Element

Description

Router ID

On a single device, choose Automatic or IP Address. (An address field appears when you choose IP Address.)

If you choose Automatic, the highest-level IP address on the security appliance is used as the router ID. To use a fixed router ID, choose IP Address and enter an IPv4 address in the Router ID field.

On a device cluster, choose Automatic or Cluster Pool. (An IPv4 Pool object ID field appears when you choose Cluster Pool.)

If you choose Cluster Pool, enter or Select the name of the IPv4 Pool object that is to supply the Router ID address. For more information, see Add or Edit IPv4 Pool Dialog Box.

Learned Route Map

Enter or Select the name of a route map object.

Tip

Click Select to open the Route Map Object Selector from which you can select a route map object. You can also create new route map objects from the Route Map Object Selector. For more information, see Understanding Route Map Objects.

Scanning Interval

Enter a scanning interval (in seconds) for BGP routers for next-hop validation. Valid values are from 5 to 60 seconds. The default value is 60.

Routes and Synchronization

Generate Default Route

(Optional) Configures a BGP routing process to distribute a default route (network 0.0.0.0).

Summarize subnet routes into network-level routes

(Optional) Configures automatic summarization of subnet routes into network-level routes.

Advertise inactive routes

(Optional) Advertises routes that are not installed in the routing information base (RIB).

Synchronize between BGP and the Interior Gateway Protocol (IGP) system

Enables synchronization between BGP and your Interior Gateway Protocol (IGP) system. To enable the Cisco IOS software to advertise a network route without waiting for the IGP, deselect this option.

Usually, a BGP speaker does not advertise a route to an external neighbor unless that route is local or exists in the IGP. By default, synchronization between BGP and the IGP is turned off to allow the Cisco IOS software to advertise a network route without waiting for route validation from the IGP. This feature allows routers and access servers within an autonomous system to have the route before BGP makes it available to other autonomous systems. Use synchronization if routers in the autonomous system do not speak BGP.

Redistribute iBGP into an IGP

(Optional) Configures iBGP redistribution into an interior gateway protocol (IGP), such as IS-IS or OSPF.

Administrative Route Distances

External

Specifies the administrative distance for external BGP routes. Routes are external when they are learned from an external autonomous system. The range of values is from 1 to 255. The default value is 20.

Internal

Specifies the administrative distance for internal BGP routes. Routes are internal when they are learned from a peer in the local autonomous system. The range of values is from 1 to 255. The default value is 200.

Local

Specifies the administrative distance for local BGP routes. Local routes are those networks listed with a network router configuration command, often as back doors, for the router or for the networks that are being redistributed from another process. The range of values is from 1 to 255. The default value is 200.

Next Hop

Enable address tracking

(Optional) Enables BGP next hop address tracking.

Delay Interval

Specify the delay interval between checks on updated next-hop routes installed in the routing table.

Forward packets over Multiple Paths

Number of Paths

(Optional) Specify the maximum number of external BGP routes that can be installed to the routing table.

IBGP Number of Paths

(Optional) Specify the maximum number of internal BGP routes that can be installed to the routing table.

Add/Edit Aggregate Address Dialog Box

Use the Add/Edit Aggregate Address dialog box to define the aggregation of specific routes into one route.

Navigation Path

You can access the Add/Edit Aggregate Address dialog box from the IPv4 Family Tab.

Field Reference

Table 4. Add/Edit Aggregate Address Dialog Box

Element

Description

Network

Enter an IP address, or enter or Select the desired Network/Hosts objects.

Attribute Map

(Optional) Enter or Select the route map used to set the attribute of the aggregate route.

Tip

Click Select to open the Route Map Object Selector from which you can select a route map object. You can also create new route map objects from the Route Map Object Selector. For more information, see Understanding Route Map Objects.

Advertise Map

(Optional) Enter or Select the route map used to select the routes to create AS_SET origin communities.

Tip

Click Select to open the Route Map Object Selector from which you can select a route map object. You can also create new route map objects from the Route Map Object Selector. For more information, see Understanding Route Map Objects.

Suppress Map

(Optional) Enter or Select the route map used to select the routes to be suppressed.

Tip

Click Select to open the Route Map Object Selector from which you can select a route map object. You can also create new route map objects from the Route Map Object Selector. For more information, see Understanding Route Map Objects.

Generate AS Set Path Information

Enables generation of autonomous system set path information.

Filter all more-specific routes from updates

Filters all more-specific routes from updates.

Add/Edit Filter Dialog Box

Use the Add/Edit Filter dialog box to filter routes or networks received in incoming BGP updates.

Navigation Path

You can access the Add/Edit Filter dialog box from the IPv4 Family Tab.

Field Reference

Table 5. Add/Edit Filter Dialog Box

Element

Description

ACL

Select an Access Control List that defines which networks are to be received and which are to be suppressed in routing updates.

Direction

Choose a direction from the Direction drop-down list. The direction specifies whether the filter is applied to inbound updates or to outbound updates.

Protocol

Select the routing process for which you want to filter: None, BGP, Connected, EIGRP, OSPF, RIP, or Static.

AS Number

Shows the autonomous system number of the BGP routing process. This value is specified on the BGP page (see Configuring BGP).

Process ID

Enter the identifier for the routing process. Applies to EIGRP and OSPF routing protocols.

Add/Edit Neighbor Dialog Box

Use the Add/Edit Neighbor dialog box to define BGP neighbors and neighbor settings.

Navigation Path

You can access the Add/Edit Neighbor dialog box from the IPv4 Family Tab.

Field Reference

Table 6. Add/Edit Neighbor Dialog Box

Element

Description

General

IP Address

Enter the BGP neighbor IP address. This IP address is added to the BGP neighbor table.

Remote AS

Enter the autonomous system to which the BGP neighbor belongs.

Enable Address Family

(Optional) Enables communication with the BGP neighbor.

Shutdown neighbor administratively

(Optional) Administratively disables the neighbor or peer group.

Configure Graceful Restart per neighbor

(ASA 9.3.1+ only)

(Optional) Enables configuration of the Border Gateway Protocol (BGP) graceful restart capability for this neighbor. After selecting this option, you must use the Graceful Restart (Use in failover or spanned cluster mode) option to specify whether graceful restart should be enabled or disabled for this neighbor.

Graceful Restart (Use in failover or spanned cluster mode)

(ASA 9.3.1+ only)

(Optional) Enables the Border Gateway Protocol (BGP) graceful restart capability for this neighbor.

Description

(Optional) Enter a description for the BGP neighbor.

fall-over BFD

(Optional) Enables BFD support for fall-over for the BGP neighbor.

BFD-Hop

(Optional) Specify if there is a single IP hop or multiple IP hops between a BFD source and destination.

Filtering

Filter routes using an access list

(Optional) Enter or Select the appropriate incoming or outgoing access control list to distribute BGP neighbor information.

Filter routes using route map

(Optional) Enter or Select the appropriate incoming or outgoing route maps to apply a route map to incoming or outgoing routes.

Tip

Click Select to open the Route Map Object Selector from which you can select a route map object. You can also create new route map objects from the Route Map Object Selector. For more information, see Understanding Route Map Objects.

Filter routes using a Prefix list

(Optional) Enter or Select the appropriate incoming or outgoing prefix list to distribute BGP neighbor information.

Tip

Click Select to open the Prefix List Object Selector from which you can select a prefix list object. You can also create new prefix list objects from the Prefix List Object Selector. For more information, see Add or Edit Prefix List Object Dialog Box.

Filter routes using AS Path filter

(Optional) Enter or Select the appropriate incoming or outgoing AS path filter to distribute BGP neighbor information.

Tip

Click Select to open the AS Path Object Selector from which you can select an AS path object. You can also create new AS path objects from the AS Path Object Selector. For more information, see Add or Edit As Path Object Dialog Boxes.

Limit the number of prefixes allowed from the neighbor

(Optional) Select to control the number of prefixes that can be received from a neighbor.

  • Enter the maximum number of prefixes allowed from a specific neighbor in the Maximum Prefixes field.

  • Enter the percentage (of maximum) at which the router starts to generate a warning message in the Threshold Level field. Valid values are integers between 1 and 100. The default value is 75.

  • (Optional) Check the Control prefixes received from the peer check box to specify additional controls for the prefixes received from a peer. Do one of the following:

    • Select Terminate peering when prefix limit is exceeded to stop the BGP neighbor when the prefix limit is reached. Specify the interval after which the BGP neighbor will restart in the Restart interval field.

    • Select Give only warning message when prefix limit is exceeded to generate a log message when the maximum prefix limit is exceeded. Here, the BGP neighbor will not be terminated.

Routes

Advertisement Interval

Enter the minimum interval (in seconds) between the sending of BGP routing updates. Valid values are between 1 and 600.

Remove private AS numbers from outbound routing updates

(Optional) Excludes the private AS numbers from being advertised on outbound routes.

Generate Default route

(Optional) Select to allow the local router to send the default route 0.0.0.0 to a neighbor to use as a default route. Enter or Select the route map that allows the route 0.0.0.0 to be injected conditionally in the Route map field.

Tip

Click Select to open the Route Map Object Selector from which you can select a route map object. You can also create new route map objects from the Route Map Object Selector. For more information, see Understanding Route Map Objects.

Conditionally Advertised Routes

(Optional) To add or edit conditionally advertised routes, click the Add Row (+) button, or select a row in the table and click the Edit Row (pencil) button.

In the Add/Edit Advertised Route dialog box, do the following:

  • Click Select to open the Route Map Object Selector from which you can select a route map that will be advertised if the conditions of the exist map or the non-exist map are met. For more information about route maps, see Understanding Route Map Objects.

  • Do one of the following:

    • Select Set Exist Map and choose a route map from the Route Map Object Selector. This route map will be compared with the routes in the BGP table, to determine whether or not the advertise map route is advertised.

    • Select Non-Exist Map and choose a route map from the Route Map Object Selector. This route map will be compared with the routes in the BGP table, to determine whether or not the advertise map route is advertised.

Timers

Set timers for the BGP peer

(Optional) Select to set the keepalive frequency, hold time and minimum hold time.

Keepalive Interval

Enter the frequency (in seconds) with which the ASA sends keepalive messages to the neighbor. Valid values are between 0 and 65535. The default value is 60 seconds.

Hold Time

Enter the interval (in seconds) after not receiving a keepalive message that the ASA declares a peer dead. Valid values are between 0 and 65535. The default value is 180 seconds.

Min Hold Time

(Optional) Enter the minimum interval (in seconds) after not receiving a keepalive message that the ASA declares a peer dead. Valid values are between 0 and 65535. The default value is 0 seconds.

Advanced

Enable Authentication

(Optional) Select to enable MD5 authentication on a TCP connection between two BGP peers.

  • Choose an encryption type from the Enable Encryption drop-down list.

  • Enter a password in the Password field. Reenter the password in the Confirm field.

The password is case-sensitive and can be up to 25 characters long when the service password-encryption command is enabled and up to 81 characters long when the service password-encryption command is not enabled. The first character cannot be a number. The string can contain any alphanumeric characters, including spaces.

Note

You cannot specify a password in the format number-space-anything. The space after the number can cause authentication to fail.

Send Community attribute to this neighbor

(Optional) Specifies that communities attributes should be sent to the BGP neighbor.

Use ASA as next hop for neighbor

(Optional) Select to configure the router as the next-hop for a BGP speaking neighbor or peer group.

Disable connection verification

(Optional) Select to disable the connection verification process for eBGP peering sessions that are reachable by a single hop but are configured on a loopback interface or otherwise configured with a non-directly connected IP address.

This command is required only when the neighbor ebgp-multihop command is configured with a TTL value of 1. The address of the single-hop eBGP peer must be reachable. The neighbor update-source command must be configured to allow the BGP routing process to use the loopback interface for the peering session.

When deselected (the default), the BGP routing process verifies the connection of a single-hop eBGP peering session (TTL=254) to determine whether the eBGP peer is directly connected to the same network segment. If the peer is not directly connected to the same network segment, connection verification prevents the peering session from being established.

Allow connections with neighbor that is not directly connected

Select to accept and attempt BGP connections to external peers residing on networks that are not directly connected.

(Optional) Enter the time-to-live in the TTL hops field. Valid values are between 1 and 255.

Note 
This feature should be used only under the guidance of Cisco technical support staff. To prevent the creation of loops through oscillating routes, the multihop will not be established if the only route to the multihop peer is the default route (0.0.0.0).

Limit number of TTL hops to neighbor

Select this option to secure a BGP peering session. Enter the maximum number of hops that separate eBGP peers in the TTL hops field. Valid values are between 1 and 254.

This feature provides a lightweight security mechanism to protect BGP peering sessions from CPU utilization-based attacks. These types of attacks are typically brute force Denial of Service (DoS) attacks that attempt to disable the network by flooding the network with IP packets that contain forged source and destination IP addresses in the packet headers.

This feature leverages the designed behavior of IP packets by accepting only IP packets with a TTL count that is equal to or greater than the locally configured value. Accurately forging the TTL count in an IP packet is generally considered to be impossible. Accurately forging a packet to match the TTL count from a trusted peer is not possible without internal access to the source or destination network.

This feature should be configured on each participating router. It secures the BGP session in the incoming direction only and has no effect on outgoing IP packets or the remote router. When this feature is enabled, BGP will establish or maintain a session only if the TTL value in the IP packet header is equal to or greater than the TTL value configured for the peering session. This feature does not otherwise change the BGP peering session; the session can still expire if keepalive packets are not received. If the TTL value in a received packet is less than the locally configured value, the packet is silently discarded and no Internet Control Message Protocol (ICMP) message is generated. This is designed behavior; a response to a forged packet is not necessary.

To maximize the effectiveness of this feature, the hop-count value should be strictly configured to match the number of hops between the local and external network. However, you should also take path variation into account when configuring this feature for a multihop peering session.

The following restrictions apply to the configuration of this command:

  • This feature is not supported for internal BGP (iBGP) peers.

  • The effectiveness of this feature is reduced in large-diameter multihop peerings. In the event of a CPU utilization-based attack against a BGP router that is configured for large-diameter peering, you may still need to shut down the affected peering sessions to handle the attack.

  • This feature is not effective against attacks from a peer that has been compromised inside of your network. This restriction also includes peers that are on the network segment between the source and destination network.

Use TCP Path MTU Discovery

(Optional) Select to enable TCP path MTU discovery on the TCP transport session used by the BGP session.

TCP transport mode

Choose the TCP connection mode from the drop-down list. Options are Default, Active, or Passive.

Weight

(Optional) Enter a weight for the BGP neighbor connection.

BGP Version

Choose the BGP version that the ASA will accept from the drop-down list. The version can be set to 4-Only to force the software to use only Version 4 with the specified neighbor. The default is to use Version 4 and dynamically negotiate down to Version 2 if requested.

Migration

Note 
This customization should only be used for AS migration, and should be removed after the transition has been completed. The procedure should be attempted only by an experienced network operator. Routing loops can be created through improper configuration.

Customize the AS number for routes received from the neighbor

(Optional) Select to customize the AS_PATH attribute for routes received from an eBGP neighbor.

Local AS Number

Enter the local autonomous system number. Valid values are any valid autonomous system number from 1 to 4294967295 or 1.0 to 65535.65535.

Do not prepend local AS number to routes received from neighbor

(Optional) Select to prevent the local AS number from being prepended to any routes received from the eBGP peer.

Replace real AS number with local AS number in routes received from neighbor

(Optional) Select to replace the real autonomous system number with the local autonomous system number in the eBGP updates. The autonomous system number from the local BGP routing process is not prepended.

Accept either real AS number or local AS number in routes received from neighbor

(Optional) Configures the eBGP neighbor to establish a peering session using the real autonomous system number (from the local BGP routing process) or by using the local autonomous system number.

Add/Edit Network Dialog Box

Use the Add/Edit Network dialog box to define the networks to be advertised by the BGP routing process.

Navigation Path

You can access the Add/Edit Network dialog box from the IPv4 Family Tab.

Field Reference
Table 7. Add/Edit Network Dialog Box

Element

Description

Network

Specifies the network to be advertised by the BGP routing process.

Route Map

(Optional) Enter or Select a route map that should be examined to filter the networks to be advertised. If not specified, all networks are redistributed.

Tip 
Click Select to open the Route Map Object Selector from which you can select a route map object. You can also create new route map objects from the Route Map Object Selector. For more information, see Understanding Route Map Objects.

Add/Edit Redistribution Dialog Box

Use the Add/Edit Redistribution dialog box to define the conditions for redistributing routes from another routing domain into BGP.

Navigation Path

You can access the Add/Edit Redistribution dialog box from the IPv4 Family Tab.

Field Reference
Table 8. Add/Edit Redistribution Dialog Box

Element

Description

Source Protocol

Choose the protocol from which you want to redistribute routes into the BGP domain from the Source Protocol drop-down list.

Process ID

Enter the identifier for the routing process. Applies to EIGRP and OSPF routing protocols.

Metric

(Optional) Enter a metric for the redistributed route.

Route Map

Enter or Select a route map that should be examined to filter the networks to be redistributed. If not specified, all networks are redistributed.

Tip 
Click Select to open the Route Map Object Selector from which you can select a route map object. You can also create new route map objects from the Route Map Object Selector. For more information, see Understanding Route Map Objects.

Match

The conditions used for redistributing routes from one routing protocol to another. The routes must match the selected condition to be redistributed. You can choose one or more of the following match conditions. These options are enabled only when OSPF is chosen as the Source Protocol.

  • Internal

  • External 1

  • External 2

  • NSSA External 1

  • NSSA External 2

Add/Edit Route Injection Dialog Box

Use the Add/Edit Route Injection dialog box to define the routes to be conditionally injected into the BGP routing table.

Navigation Path

You can access the Add/Edit Route Injection dialog box from the IPv4 Family Tab.

Field Reference
Table 9. Add/Edit Route Injection Dialog Box

Element

Description

Inject Map

Enter or Select the route map that specifies the prefixes to inject into the local BGP routing table.

Tip 
Click Select to open the Route Map Object Selector from which you can select a route map object. You can also create new route map objects from the Route Map Object Selector. For more information, see Understanding Route Map Objects.

Exist Map

Enter or Select the route map containing the prefixes that the BGP speaker will track.

Tip 
Click Select to open the Route Map Object Selector from which you can select a route map object. You can also create new route map objects from the Route Map Object Selector. For more information, see Understanding Route Map Objects.

Injected routes will inherit the attributes of the aggregate route

Configures the injected route to inherit attributes of the aggregate route.

IPv6 Family Tab

Use the IPv6 Family tab on the BGP page to enable and configure IPv6 settings for BGP.

Navigation Path

You can access the IPv6 Family tab from the BGP page. For more information about the BGP page, see Configuring BGP.

Field Reference

Table 10. IPv6 Family - Aggregate Address Tab

Element

Description

Enable IPv6 Family

Enables configuration of routing sessions that use standard IPv6 address prefixes.

General

Use this panel to configure general IPv6 settings. See IPv6 Family - General Tab for more about these definitions.

Aggregate Address

Use this panel to define the aggregation of specific routes into one route.

Specify a value for the aggregate timer (in seconds) in the Aggregate Timer field. Valid values are 0 or any value between 6 and 60. The default value is 30.

See Add/Edit Aggregate Address Dialog Box for more about these definitions.

Neighbor

Use this panel to define BGP neighbors and neighbor settings. See Add/Edit Neighbor Dialog Box for more about these definitions.

Networks

Use this panel to define the networks to be advertised by the BGP routing process. See Add/Edit Network Dialog Box for more about these definitions.

Redistribution

Use this panel to define the conditions for redistributing routes from another routing domain into BGP. See Add/Edit Redistribution Dialog Box for more about these definitions.

Route Injection

Use this panel to define the routes to be conditionally injected into the BGP routing table. See Add/Edit Route Injection Dialog Box for more about these definitions.

IPv6 Family - General Tab

Use the IPv6 Family - General tab to configure the general IPv6 settings.

Navigation Path

You can access the General tab from the IPv6 Family Tab on the BGP page. For more information about the IPv6 Family tab, see IPv6 Family Tab.

Field Reference
Table 11. IPv6 Family - General Tab

Element

Description

Scanning Interval

Enter a scanning interval (in seconds) for BGP routers for next-hop validation. Valid values are from 5 to 60 seconds. The default value is 60.

Routes and Synchronization

Generate Default Routes

(Optional) Configures a BGP routing process to distribute a default route (network 0.0.0.0).

Advertise inactive routes

(Optional) Advertises routes that are not installed in the routing information base (RIB).

Synchronize between BGP and the Interior Gateway Protocol (IGP) system

Enables synchronization between BGP and your Interior Gateway Protocol (IGP) system. To enable the Cisco IOS software to advertise a network route without waiting for the IGP, deselect this option.

Usually, a BGP speaker does not advertise a route to an external neighbor unless that route is local or exists in the IGP. By default, synchronization between BGP and the IGP is turned off to allow the Cisco IOS software to advertise a network route without waiting for route validation from the IGP. This feature allows routers and access servers within an autonomous system to have the route before BGP makes it available to other autonomous systems. Use synchronization if routers in the autonomous system do not speak BGP.

Redistribute iBGP into an IGP (use filtering to limit the number of prefixes that are redistributed)

(Optional) Configures iBGP redistribution into an interior gateway protocol (IGP), such as IS-IS or OSPF.

Administrative Route Distances

External

Specifies the administrative distance for external BGP routes. Routes are external when they are learned from an external autonomous system. Valid values are from 1 to 255. The default value is 20.

Internal

Specifies the administrative distance for internal BGP routes. Routes are internal when they are learned from a peer in the local autonomous system. Valid values are from 1 to 255. The default value is 200.

Local

Specifies the administrative distance for local BGP routes. Local routes are networks listed with a network router configuration command, often as back doors, for the router or for networks that are being redistributed from another process. Valid values are from 1 to 255. The default value is 200.

Forward packets over Multiple Paths

Number of Paths

(Optional) Specify the maximum number of Border Gateway Protocol (BGP) routes that can be installed in the routing table. Valid values are from 1 to 8. The default value is 1.

IBGP Number of Paths

(Optional) Specify the maximum number of parallel internal Border Gateway Protocol (iBGP) routes that can be installed in the routing table. Valid values are from 1 to 8. The default value is 1.

Add/Edit Aggregate Address Dialog Box

Use the Add/Edit Aggregate Address dialog box to define the aggregation of specific routes into one route.

Navigation Path

You can access the Add/Edit Aggregate Address dialog box from the IPv6 Family Tab. Click the Add Row (+) button, or select a row in the table and click the Edit Row (pencil) button.

Field Reference
Table 12. Add/Edit Aggregate Address Dialog Box

Element

Description

Network

Enter an IP address, or enter or Select the desired Network/Hosts objects.

Attribute Map

(Optional) Enter or Select the route map used to set the attribute of the aggregate route.

Tip 
Click Select to open the Route Map Object Selector from which you can select a route map object. You can also create new route map objects from the Route Map Object Selector. For more information, see Understanding Route Map Objects.

Advertise Map

(Optional) Enter or Select the route map used to select the routes to create AS_SET origin communities.

Tip 
Click Select to open the Route Map Object Selector from which you can select a route map object. You can also create new route map objects from the Route Map Object Selector. For more information, see Understanding Route Map Objects.

Suppress Map

(Optional) Enter or Select the route map used to select the routes to be suppressed.

Tip 
Click Select to open the Route Map Object Selector from which you can select a route map object. You can also create new route map objects from the Route Map Object Selector. For more information, see Understanding Route Map Objects.

Generate AS Set Path Information

Enables generation of autonomous system set path information.

Filter all more-specific routes from updates

Filters all more-specific routes from updates.

Add/Edit Neighbor Dialog Box

Use the Add/Edit Neighbor dialog box to define BGP neighbors and neighbor settings.

Navigation Path

You can access the Add/Edit Neighbor dialog box from the IPv6 Family Tab. Click the Add Row (+) button, or select a row in the table and click the Edit Row (pencil) button.

Field Reference
Table 13. Add/Edit Neighbor Dialog Box

Element

Description

General

IP Address

Enter the BGP neighbor IP address. This IP address is added to the BGP neighbor table.

Remote AS

Enter the autonomous system to which the BGP neighbor belongs.

Enable Address Family

(Optional) Enables communication with the BGP neighbor.

Shutdown neighbor administratively

(Optional) Disables the neighbor or peer group.

Configure Graceful Restart per neighbor

(ASA 9.3.1+ only)

(Optional) Enables configuration of the Border Gateway Protocol (BGP) graceful restart capability for this neighbor. After selecting this option, you must use the Graceful Restart (Use in failover or spanned cluster mode) option to specify whether graceful restart should be enabled or disabled for this neighbor.

Graceful Restart (Use in failover or spanned cluster mode)

(ASA 9.3.1+ only)

(Optional) Enables the Border Gateway Protocol (BGP) graceful restart capability for this neighbor.

Description

(Optional) Enter a description for the BGP neighbor.

fall-over BFD

(Optional) Enables BFD support for fall-over for the BGP neighbor.

BFD-Hop

(Optional) Specify if there is a single IP hop or multiple IP hops between a BFD source and destination.

Filtering

Filter routes using an access list

(Optional) Enter or Select the appropriate incoming or outgoing access control list to distribute BGP neighbor information.

Filter routes using route map

(Optional) Enter or Select the appropriate incoming or outgoing route maps to apply a route map to incoming or outgoing routes.

Tip 
Click Select to open the Route Map Object Selector from which you can select a route map object. You can also create new route map objects from the Route Map Object Selector. For more information, see Understanding Route Map Objects.

Filter routes using a Prefix list

(Optional) Enter or Select the appropriate incoming or outgoing prefix list to distribute BGP neighbor information.

Tip 
Click Select to open the Prefix List Object Selector from which you can select a prefix list object. You can also create new prefix list objects from the Prefix List Object Selector. For more information, see Add or Edit Prefix List Object Dialog Box.

Filter routes using AS Path filter

(Optional) Enter or Select the appropriate incoming or outgoing AS path filter to distribute BGP neighbor information.

Tip 
Click Select to open the AS Path Object Selector from which you can select an AS path object. You can also create new AS path objects from the AS Path Object Selector. For more information, see Add or Edit As Path Object Dialog Boxes.

Limit the number of prefixes allowed from the neighbor

(Optional) Select to control the number of prefixes that can be received from a neighbor.

  • Enter the maximum number of prefixes allowed from a specific neighbor in the Maximum Prefixes field.

  • Enter the percentage (of maximum) at which the router starts to generate a warning message in the Threshold Level field. Valid values are integers between 1 and 100. The default value is 75.

  • (Optional) Check the Control prefixes received from the peer check box to specify additional controls for the prefixes received from a peer. Do one of the following:

    • Select Terminate peering when prefix limit is exceeded to stop the BGP neighbor when the prefix limit is reached. Specify the interval after which the BGP neighbor will restart in the Restart interval field.

    • Select Give only warning message when prefix limit is exceeded to generate a log message when the maximum prefix limit is exceeded. Here, the BGP neighbor will not be terminated.
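The prefix-limit behaviour described in the list above, as an added illustration (not Security Manager or ASA code): the threshold warning fires when the received-prefix count reaches the Threshold Level percentage of Maximum Prefixes, and exceeding the maximum either terminates the peering or only logs a warning. The neighbor address and announcements are constructed, and the restart interval is carried as a plain value without a unit.

```python
"""Per-neighbor prefix-limit controls modelled on the field descriptions."""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class PrefixLimit:
    maximum: int                    # Maximum Prefixes field
    threshold_pct: int = 75         # Threshold Level field (1-100)
    terminate: bool = True          # True: terminate peering; False: warning only
    restart_interval: Optional[int] = None  # Restart interval field (value only)

    def __post_init__(self) -> None:
        if self.maximum < 1:
            raise ValueError("maximum prefixes must be positive")
        if not 1 <= self.threshold_pct <= 100:
            raise ValueError("threshold level must be between 1 and 100")

    @property
    def warn_at(self) -> int:
        """Prefix count at which the threshold warning fires (rounded up)."""
        return -(-self.maximum * self.threshold_pct // 100)


@dataclass
class NeighborSession:
    address: str
    limit: PrefixLimit
    prefixes: Set[str] = field(default_factory=set)
    state: str = "Established"
    log: List[str] = field(default_factory=list)
    warned: bool = False

    def receive(self, prefix: str) -> str:
        """Account for one received prefix and return the session state."""
        if self.state != "Established":
            return self.state          # nothing is processed from a terminated peer
        self.prefixes.add(prefix)
        count = len(self.prefixes)
        if count > self.limit.maximum:
            if self.limit.terminate:
                self.state = "Idle (prefix limit)"
                self.log.append(
                    f"{self.address}: {count} prefixes exceed limit {self.limit.maximum}; "
                    f"peering terminated, restart interval {self.limit.restart_interval}")
            else:
                self.log.append(
                    f"{self.address}: {count} prefixes exceed limit {self.limit.maximum}; "
                    "warning only, peering kept")
        elif count >= self.limit.warn_at and not self.warned:
            self.warned = True
            self.log.append(
                f"{self.address}: {count} prefixes reached "
                f"{self.limit.threshold_pct}% of limit {self.limit.maximum}")
        return self.state


def run_session(limit: PrefixLimit, announced: List[str]) -> NeighborSession:
    """Feed a constructed announcement stream through the limit and return the session."""
    session = NeighborSession("2001:db8::1", limit)   # constructed neighbor address
    for prefix in announced:
        session.receive(prefix)
    return session


# Constructed sample: a neighbor that announces more prefixes than agreed.
SAMPLE_ANNOUNCEMENTS = [
    "2001:db8:1::/48", "2001:db8:2::/48", "2001:db8:3::/48",
    "2001:db8:4::/48", "2001:db8:5::/48", "2001:db8:6::/48",
]

if __name__ == "__main__":
    strict = run_session(PrefixLimit(maximum=4, threshold_pct=75, restart_interval=30),
                         SAMPLE_ANNOUNCEMENTS)
    lenient = run_session(PrefixLimit(maximum=4, terminate=False), SAMPLE_ANNOUNCEMENTS)
    for session in (strict, lenient):
        print(session.state, *session.log, sep="\n  ")
```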

Routes

Advertisement Interval

Enter the minimum interval (in seconds) between the sending of BGP routing updates. Valid values are between 1 and 600.

Remove private AS numbers from outbound routing updates

(Optional) Excludes the private AS numbers from being advertised on outbound routes.

Generate Default route

(Optional) Select to allow the local router to send the default route 0.0.0.0 to a neighbor to use as a default route. Enter or Select the route map that allows the route 0.0.0.0 to be injected conditionally in the Route map field.

Tip 
Click Select to open the Route Map Object Selector from which you can select a route map object. You can also create new route map objects from the Route Map Object Selector. For more information, see Understanding Route Map Objects.

Conditionally Advertised Routes

(Optional) To add or edit conditionally advertised routes, click the Add Row (+) button, or select a row in the table and click the Edit Row (pencil) button.

In the Add/Edit Advertised Route dialog box, do the following:

  • Click Select to open the Route Map Object Selector from which you can select a route map that will be advertised if the conditions of the exist map or the non-exist map are met. For more information about route maps, see Understanding Route Map Objects.

  • Do one of the following:

    • Select Set Exist Map and choose a route map from the Route Map Object Selector. This route map will be compared with the routes in the BGP table, to determine whether or not the advertise map route is advertised.

    • Select Non-Exist Map and choose a route map from the Route Map Object Selector. This route map will be compared with the routes in the BGP table, to determine whether or not the advertise map route is advertised.

Timers

Set timers for the BGP peer

(Optional) Select to set the keepalive frequency, hold time and minimum hold time.

Keepalive Interval

Enter the frequency (in seconds) with which the ASA sends keepalive messages to the neighbor. Valid values are between 0 and 65535. The default value is 60 seconds.

Hold Time

Enter the interval (in seconds) after not receiving a keepalive message that the ASA declares a peer dead. Valid values are between 0 and 65535. The default value is 180 seconds.

Min Hold Time

(Optional) Enter the minimum interval (in seconds) after not receiving a keepalive message that the ASA declares a peer dead. Valid values are between 0 and 65535. The default value is 0 seconds.

Advanced

Enable Authentication

(Optional) Select to enable MD5 authentication on a TCP connection between two BGP peers.

  • Choose an encryption type from the Enable Encryption drop-down list.

  • Enter a password in the Password field. Reenter the password in the Confirm field.

The password is case-sensitive and can be up to 25 characters long when the service password-encryption command is enabled and up to 81 characters long when the service password-encryption command is not enabled. The first character cannot be a number. The string can contain any alphanumeric characters, including spaces.

Note 
You cannot specify a password in the format number-space-anything. The space after the number can cause authentication to fail.

Send Community attribute to this neighbor

(Optional) Specifies that the communities attribute should be sent to the BGP neighbor.

Use ASA as next hop for neighbor

(Optional) Select to configure the router as the next-hop for a BGP speaking neighbor or peer group.

Disable connection verification

(Optional) Select to disable the connection verification process for eBGP peering sessions that are reachable by a single hop but are configured on a loopback interface or otherwise configured with a non-directly connected IP address.

This command is required only when the neighbor ebgp-multihop command is configured with a TTL value of 1. The address of the single-hop eBGP peer must be reachable. The neighbor update-source command must be configured to allow the BGP routing process to use the loopback interface for the peering session.

When deselected (the default), the BGP routing process verifies the connection of a single-hop eBGP peering session (TTL=254) to determine whether the eBGP peer is directly connected to the same network segment. If the peer is not directly connected to the same network segment, connection verification prevents the peering session from being established.

Allow connections with neighbor that is not directly connected

Select to accept and attempt BGP connections to external peers residing on networks that are not directly connected.

(Optional) Enter the time-to-live in the TTL hops field. Valid values are between 1 and 255.

Note 
This feature should be used only under the guidance of Cisco technical support staff. To prevent the creation of loops through oscillating routes, the multihop will not be established if the only route to the multihop peer is the default route (0.0.0.0).

Limit number of TTL hops to neighbor

Select this option to secure a BGP peering session. Enter the maximum number of hops that separate eBGP peers in the TTL hops field. Valid values are between 1 and 254.

This feature provides a lightweight security mechanism to protect BGP peering sessions from CPU utilization-based attacks. These types of attacks are typically brute force Denial of Service (DoS) attacks that attempt to disable the network by flooding the network with IP packets that contain forged source and destination IP addresses in the packet headers.

This feature leverages the designed behavior of IP packets by accepting only IP packets with a TTL count that is equal to or greater than the locally configured value. Accurately forging the TTL count in an IP packet is generally considered to be impossible. Accurately forging a packet to match the TTL count from a trusted peer is not possible without internal access to the source or destination network.

This feature should be configured on each participating router. It secures the BGP session in the incoming direction only and has no effect on outgoing IP packets or the remote router. When this feature is enabled, BGP will establish or maintain a session only if the TTL value in the IP packet header is equal to or greater than the TTL value configured for the peering session. This feature does not otherwise change the BGP peering session; the session can still expire if keepalive packets are not received. If the TTL value in a received packet is less than the locally configured value, the packet is silently discarded and no Internet Control Message Protocol (ICMP) message is generated. This is designed behavior; a response to a forged packet is not necessary.

To maximize the effectiveness of this feature, the hop-count value should be strictly configured to match the number of hops between the local and external network. However, you should also take path variation into account when configuring this feature for a multihop peering session.

The following restrictions apply to the configuration of this command:

  • This feature is not supported for internal BGP (iBGP) peers.

  • The effectiveness of this feature is reduced in large-diameter multihop peerings. In the event of a CPU utilization-based attack against a BGP router that is configured for large-diameter peering, you may still need to shut down the affected peering sessions to handle the attack.

  • This feature is not effective against attacks from a peer that has been compromised inside of your network. This restriction also includes peers that are on the network segment between the source and destination network.
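The acceptance rule for Limit number of TTL hops to neighbor, as described in this table and in the IPv4 neighbor table above, as an added illustration (not ASA code): a peer's packets leave with TTL 255 and lose one per router hop, so with a configured hop limit H the local side accepts a packet only if its arrival TTL is at least 255 - H and silently drops anything lower. The packets and addresses are constructed.

```python
"""TTL-security (hop-limit) check for an eBGP session, incoming direction only."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

IP_MAX_TTL = 255


@dataclass(frozen=True)
class Packet:
    src: str     # constructed source address, for the log only
    ttl: int     # TTL value in the IP header on arrival


def arrival_ttl(initial_ttl: int, hops: int) -> int:
    """TTL left after crossing `hops` routers (each decrements it by one)."""
    if hops < 0 or hops >= initial_ttl:
        raise ValueError("packet would not arrive")
    return initial_ttl - hops


def ttl_security_accepts(pkt: Packet, max_hops: int) -> bool:
    """Accept when TTL >= 255 - max_hops; otherwise the packet is silently discarded."""
    if not 1 <= max_hops <= 254:
        raise ValueError("TTL hops must be between 1 and 254")
    return pkt.ttl >= IP_MAX_TTL - max_hops


def filter_session_packets(packets: Iterable[Packet],
                           max_hops: int) -> Tuple[List[Packet], List[Packet]]:
    """Split packets into (accepted, dropped); dropped ones get no ICMP reply."""
    accepted: List[Packet] = []
    dropped: List[Packet] = []
    for pkt in packets:
        (accepted if ttl_security_accepts(pkt, max_hops) else dropped).append(pkt)
    return accepted, dropped


# Constructed sample traffic addressed to the local BGP port.
SAMPLE_PACKETS = [
    Packet("192.0.2.2", arrival_ttl(255, 1)),       # directly connected peer: TTL 254
    Packet("192.0.2.2", arrival_ttl(255, 2)),       # same peer over a one-router detour: 253
    Packet("203.0.113.7", arrival_ttl(255, 5)),     # distant sender with a forged source: 250
    Packet("198.51.100.9", arrival_ttl(64, 1)),     # nearby sender that started at TTL 64: 63
]

if __name__ == "__main__":
    for hops in (1, 2):
        accepted, dropped = filter_session_packets(SAMPLE_PACKETS, hops)
        print(f"hop limit {hops}: accepted {[p.ttl for p in accepted]}, "
              f"dropped {[p.ttl for p in dropped]}")
```

With a hop limit of 1 only the TTL 254 packet passes; raising the limit to 2 to allow for path variation also admits the TTL 253 packet, which is the trade-off the text describes for multihop peerings.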

Use TCP Path MTU Discovery

(Optional) Select to enable TCP path MTU discovery on the TCP transport session used by the BGP session.

TCP transport mode

Choose the TCP connection mode from the drop-down list. Options are Default, Active, or Passive.

Weight

(Optional) Enter a weight for the BGP neighbor connection.

BGP Version

Choose the BGP version that the ASA will accept from the drop-down list. The version can be set to 4-Only to force the software to use only Version 4 with the specified neighbor. The default is to use Version 4 and dynamically negotiate down to Version 2 if requested.

Migration

Note 
This customization should only be used for AS migration, and should be removed after the transition has been completed. The procedure should be attempted only by an experienced network operator. Routing loops can be created through improper configuration.

Customize the AS number for routes received from the neighbor

(Optional) Select to customize the AS_PATH attribute for routes received from an eBGP neighbor.

Local AS Number

Enter the local autonomous system number. Valid values are any valid autonomous system number from 1 to 4294967295 or 1.0 to 65535.65535.

Do not prepend local AS number to routes received from neighbor

(Optional) Select to prevent the local AS number from being prepended to any routes received from the eBGP peer.

Replace real AS number with local AS number in routes received from neighbor

(Optional) Select to replace the real autonomous system number with the local autonomous system number in the eBGP updates. The autonomous system number from the local BGP routing process is not prepended.

Accept either real AS number or local AS number in routes received from neighbor

(Optional) Configures the eBGP neighbor to establish a peering session using the real autonomous system number (from the local BGP routing process) or by using the local autonomous system number.
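The Migration options in this table and in the IPv4 neighbor table above, as an added illustration (not ASA code). parse_as_number() accepts the two formats the Local AS Number field allows (asplain 1 to 4294967295 and asdot 1.0 to 65535.65535); the path functions model the option descriptions for one eBGP neighbor, and it is assumed, following those descriptions, that the no-prepend option applies to routes received from the neighbor and the replace option to updates sent to it. The AS numbers are constructed.

```python
"""AS number formats and AS_PATH handling for the local-AS migration options."""
from dataclasses import dataclass
from typing import List

AS_MAX = 4294967295


def parse_as_number(text: str) -> int:
    """Return the numeric AS for an asplain ('65100') or asdot ('1.0') string."""
    if "." in text:
        high, low = text.split(".", 1)
        hi, lo = int(high), int(low)
        if not (1 <= hi <= 65535 and 0 <= lo <= 65535):
            raise ValueError(f"asdot value out of range: {text}")
        return hi * 65536 + lo
    value = int(text)
    if not 1 <= value <= AS_MAX:
        raise ValueError(f"AS number out of range: {text}")
    return value


@dataclass(frozen=True)
class LocalAsOptions:
    real_as: int                 # AS of the local BGP routing process
    local_as: int                # Local AS Number field
    no_prepend: bool = False     # Do not prepend local AS number to routes received
    replace_as: bool = False     # Replace real AS number with local AS number
    dual_as: bool = False        # Accept either real AS number or local AS number


def inbound_as_path(path: List[int], opt: LocalAsOptions) -> List[int]:
    """AS_PATH stored for a route received from the neighbor."""
    return list(path) if opt.no_prepend else [opt.local_as, *path]


def outbound_as_path(path: List[int], opt: LocalAsOptions) -> List[int]:
    """AS_PATH carried in updates sent to the neighbor."""
    if opt.replace_as:
        return [opt.local_as, *path]        # the real AS is not prepended
    return [opt.local_as, opt.real_as, *path]


def accept_open(expected_by_peer: int, opt: LocalAsOptions) -> bool:
    """Whether a session is accepted when the peer expects `expected_by_peer` as our AS."""
    if expected_by_peer == opt.local_as:
        return True
    return opt.dual_as and expected_by_peer == opt.real_as


if __name__ == "__main__":
    # Constructed migration: this router moved from AS 65100 into AS 65200, but
    # the neighbor still expects to peer with 65100 until it is reconfigured.
    opt = LocalAsOptions(real_as=parse_as_number("65200"), local_as=parse_as_number("65100"))
    print(inbound_as_path([65300, 65400], opt))   # [65100, 65300, 65400]
    print(outbound_as_path([64500], opt))         # [65100, 65200, 64500]
    print(accept_open(65200, opt))                # False
```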

Add/Edit Network Dialog Box

Use the Add/Edit Network dialog box to define the networks to be advertised by the BGP routing process.

Navigation Path

You can access the Add/Edit Network dialog box from the IPv6 Family Tab. Click the Add Row (+) button, or select a row in the table and click the Edit Row (pencil) button.

Field Reference
Table 14. Add/Edit Network Dialog Box

Element

Description

Network

Specifies the network to be advertised by the BGP routing process.

Route Map

(Optional) Enter or Select a route map that should be examined to filter the networks to be advertised. If not specified, all networks are redistributed.

Tip 
Click Select to open the Route Map Object Selector from which you can select a route map object. You can also create new route map objects from the Route Map Object Selector. For more information, see Understanding Route Map Objects.

Add/Edit Redistribution Dialog Box

Use the Add/Edit Redistribution dialog box to define the conditions for redistributing routes from another routing domain into BGP.

Navigation Path

You can access the Add/Edit Redistribution dialog box from the IPv6 Family Tab. Click the Add Row (+) button, or select a row in the table and click the Edit Row (pencil) button.

Field Reference
Table 15. Add/Edit Redistribution Dialog Box

Element

Description

Source Protocol

Choose the protocol from which you want to redistribute routes into the BGP domain from the Source Protocol drop-down list.

Process ID

Enter the identifier for the routing process. Applies to EIGRP and OSPF routing protocols.

Metric

(Optional) Enter a metric for the redistributed route.

Route Map

Enter or Select a route map that should be examined to filter the networks to be redistributed. If not specified, all networks are redistributed.

Tip 
Click Select to open the Route Map Object Selector from which you can select a route map object. You can also create new route map objects from the Route Map Object Selector. For more information, see Understanding Route Map Objects.

Match

The conditions used for redistributing routes from one routing protocol to another. The routes must match the selected condition to be redistributed. You can choose one or more of the following match conditions. These options are enabled only when OSPF is chosen as the Source Protocol.

  • Internal

  • External 1

  • External 2

  • NSSA External 1

  • NSSA External 2

Add/Edit Route Injection Dialog Box

Use the Add/Edit Route Injection dialog box to define the routes to be conditionally injected into the BGP routing table.

Navigation Path

You can access the Add/Edit Route Injection dialog box from the IPv6 Family Tab. Click the Add Row (+) button, or select a row in the table and click the Edit Row (pencil) button.

Field Reference
Table 16. Add/Edit Route Injection Dialog Box

Element

Description

Inject Map

Enter or Select the route map that specifies the prefixes to inject into the local BGP routing table.

Tip 
Click Select to open the Route Map Object Selector from which you can select a route map object. You can also create new route map objects from the Route Map Object Selector. For more information, see Understanding Route Map Objects.

Exist Map

Enter or Select the route map containing the prefixes that the BGP speaker will track.

Tip 
Click Select to open the Route Map Object Selector from which you can select a route map object. You can also create new route map objects from the Route Map Object Selector. For more information, see Understanding Route Map Objects.

Injected routes will inherit the attributes of the aggregate route

Configures the injected route to inherit attributes of the aggregate route.

Configuring EIGRP

The EIGRP page provides six tabbed panels for configuring Enhanced Interior Gateway Routing Protocol (EIGRP) routing on a firewall device. The following topics provide detailed information about enabling and configuring EIGRP:

Navigation Path

  • (Device view) Select Platform > Routing > EIGRP from the Device Policy selector.

  • (Policy view) Select PIX/ASA/FWSM Platform > Routing > EIGRP from the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new one.

Field Reference

Table 17. EIGRP Page

Element

Description

Enable EIGRP

Check this box to enable the EIGRP routing process.

AS Number

Enter the autonomous system (AS) number for the EIGRP process. The AS number can be from 1 to 65535.

Advanced button

Opens the EIGRP Advanced Dialog Box, in which you can configure additional EIGRP process settings, such as the router ID, stub routing, and adjacency changes.

Setup tab

Use the Setup tab to configure the networks used by the EIGRP routing process, passive interfaces, default route information, administrative distances, and default metrics.

For more information, see Setup Tab.

Filter Rules tab

Use the Filter Rules tab to define filter rules that let you control which routes are accepted or advertised by the EIGRP routing process.

For more information, see Filter Rules Tab.

Neighbors tab

Use the Neighbors tab to manually define EIGRP neighbors.

For more information, see Neighbors Tab.

Redistribution tab

Use the Redistribution tab to define the rules for redistributing routes from other routing protocols to the EIGRP routing process.

For more information, see Redistribution Tab.

Summary Address tab

Use the Summary Address tab to create statically defined EIGRP summary addresses.

For more information, see Summary Address Tab.

Interfaces tab

Use the Interfaces tab to configure interfaces for EIGRP.

For more information, see Interfaces Tab.

About EIGRP

EIGRP is an enhanced version of IGRP developed by Cisco. Unlike IGRP and RIP, EIGRP does not send out periodic route updates. EIGRP updates are sent out only when the network topology changes. Key capabilities that distinguish EIGRP from other routing protocols include fast convergence, support for variable-length subnet masks, support for partial updates, and support for multiple network layer protocols.

A router running EIGRP stores all the neighbor routing tables so that it can quickly adapt to alternate routes. If no appropriate route exists, EIGRP queries its neighbors to discover an alternate route. These queries propagate until an alternate route is found. Its support for variable-length subnet masks permits routes to be automatically summarized on a network number boundary. In addition, EIGRP can be configured to summarize on any bit boundary at any interface. EIGRP does not make periodic updates. Instead, it sends partial updates only when the metric for a route changes. Propagation of partial updates is automatically bounded so that only those routers that need the information are updated. As a result of these two capabilities, EIGRP consumes significantly less bandwidth than IGRP.

Neighbor discovery is the process that the ASA uses to dynamically learn of other routers on directly attached networks. EIGRP routers send out multicast hello packets to announce their presence on the network. When the ASA receives a hello packet from a new neighbor, it sends its topology table to the neighbor with an initialization bit set. When the neighbor receives the topology update with the initialization bit set, the neighbor sends its topology table back to the ASA.

The hello packets are sent out as multicast messages. No response is expected to a hello message. The exception to this is for statically defined neighbors. If you manually configure a neighbor, the hello messages sent to that neighbor are sent as unicast messages. Routing updates and acknowledgments are sent out as unicast messages.

Once this neighbor relationship is established, routing updates are not exchanged unless there is a change in the network topology. The neighbor relationship is maintained through the hello packets. Each hello packet received from a neighbor includes a hold time. This is the time in which the ASA can expect to receive a hello packet from that neighbor. If the ASA does not receive a hello packet from that neighbor within the hold time advertised by that neighbor, the ASA considers that neighbor to be unavailable.

The EIGRP protocol uses four key technologies, including neighbor discovery/recovery, Reliable Transport Protocol (RTP), and DUAL, which is important for route computations. DUAL saves all routes to a destination in the topology table, not just the least-cost route. The least-cost route is inserted into the routing table. The other routes remain in the topology table. If the main route fails, another route is chosen from the feasible successors. A successor is a neighboring router used for packet forwarding that has a least-cost path to a destination. The feasibility calculation guarantees that the path is not part of a routing loop.

If a feasible successor is not found in the topology table, a route recomputation must occur. During route recomputation, DUAL queries the EIGRP neighbors for a route, who in turn query their neighbors. Routers that do not have a feasible successor for the route return an unreachable message.

During route recomputation, DUAL marks the route as active. By default, the ASA waits for three minutes to receive a response from its neighbors. If the ASA does not receive a response from a neighbor, the route is marked as stuck-in-active. All routes in the topology table that point to the unresponsive neighbor as a feasible successor are removed.
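The successor and feasible-successor logic described above, as an added Python illustration that is not ASA or Security Manager code. The neighbor names, link costs and reported distances are constructed sample values; the feasibility condition used (a neighbor's reported distance must be strictly less than the feasible distance) is the standard DUAL rule the text refers to.

```python
"""Added illustration of DUAL successor selection and stuck-in-active cleanup (not ASA code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class TopologyEntry:
    """One candidate path to a destination in the EIGRP topology table."""
    neighbor: str            # neighbor router that advertised the route
    reported_distance: int   # the neighbor's own metric to the destination (RD)
    link_cost: int           # cost of the link from this router to that neighbor

    @property
    def total_distance(self) -> int:
        # Metric of the whole path through this neighbor, as seen from this router.
        return self.reported_distance + self.link_cost


def select_paths(entries: List[TopologyEntry]) -> Tuple[Optional[TopologyEntry],
                                                         List[TopologyEntry],
                                                         Optional[int]]:
    """Return (successor, feasible successors, feasible distance).

    Feasibility condition: RD < FD. A neighbor whose own distance to the
    destination is strictly below our best distance cannot be forwarding
    through us, so the path is loop-free and may be used without a query.
    """
    if not entries:
        return None, [], None
    successor = min(entries, key=lambda e: (e.total_distance, e.neighbor))
    fd = successor.total_distance  # feasible distance = metric of the successor path
    feasible = sorted(
        (e for e in entries if e is not successor and e.reported_distance < fd),
        key=lambda e: (e.total_distance, e.neighbor),
    )
    return successor, feasible, fd


def handle_neighbor_loss(entries: List[TopologyEntry],
                         failed_neighbor: str) -> Tuple[str, Optional[TopologyEntry]]:
    """Decide what DUAL does for one destination when a neighbor goes away.

    'passive'     - a loop-free path remains, no recomputation needed
    'active'      - other paths exist but none is feasible: DUAL must query neighbors
    'unreachable' - no path to the destination is left at all
    """
    successor, feasible, _ = select_paths(entries)
    if successor is None:
        return "unreachable", None
    if successor.neighbor != failed_neighbor:
        return "passive", successor           # the successor itself is unaffected
    if feasible:
        return "passive", feasible[0]         # promote the best feasible successor
    remaining = [e for e in entries if e.neighbor != failed_neighbor]
    return ("active", None) if remaining else ("unreachable", None)


def purge_stuck_in_active(topology: Dict[str, List[TopologyEntry]],
                          unresponsive: str) -> Dict[str, List[TopologyEntry]]:
    """Remove every topology entry that points at a neighbor that never answered a query."""
    return {dest: [e for e in paths if e.neighbor != unresponsive]
            for dest, paths in topology.items()}


if __name__ == "__main__":
    # Constructed sample topology for one destination.
    sample = [TopologyEntry("A", 10, 5), TopologyEntry("B", 12, 10), TopologyEntry("C", 20, 3)]
    succ, feas, fd = select_paths(sample)
    print("successor", succ.neighbor, "FD", fd, "feasible", [e.neighbor for e in feas])
    print(handle_neighbor_loss(sample, "A"))
```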


Note

EIGRP neighbor relationships are not supported through the IPsec tunnel without a GRE tunnel.

Related Topics

EIGRP Advanced Dialog Box

Use the EIGRP Advanced dialog box to configure settings such as the router ID, stub routing, and adjacency changes.

Navigation Path

You can access the EIGRP Advanced dialog box from the EIGRP page (see Configuring EIGRP).

Related Topics

Field Reference

Table 18. EIGRP Advanced Dialog Box

Element

Description

Router ID

The router ID is used to identify the originating router for external routes. If an external route is received with the local router ID, the route is discarded. To prevent this, specify a global address for the router ID. A unique value should be configured for each EIGRP router.

On a single device, choose Automatic or IP Address. (An address field appears when you choose IP Address.)

If you choose Automatic, the highest-level IP address on the security appliance is used as the router ID. To use a fixed router ID, choose IP Address and enter an IPv4 address in the Router ID field.

On a device cluster, choose Automatic or Cluster Pool. (An IPv4 Pool object ID field appears when you choose Cluster Pool.)

If you choose Cluster Pool, enter or Select the name of the IPv4 Pool object that is to supply the Router ID address. For more information, see Add or Edit IPv4 Pool Dialog Box.

Stub

You can enable and configure the ASA as an EIGRP stub router. Stub routing decreases memory and processing requirements on the ASA. As a stub router, the ASA does not need to maintain a complete EIGRP routing table because it forwards all nonlocal traffic to a distribution router. Generally, the distribution router need not send anything more than a default route to the stub router.

Only specified routes are propagated from the stub router to the distribution router. As a stub router, the ASA responds to all queries for summaries, connected routes, redistributed static routes, external routes, and internal routes with the message “inaccessible.” When the ASA is configured as a stub, it sends a special peer information packet to all neighboring routers to report its status as a stub router. Any neighbor that receives a packet informing it of the stub status will not query the stub router for any routes, and a router that has a stub peer will not query that peer. The stub router depends on the distribution router to send the correct updates to all peers.

To configure the ASA as an EIGRP stub router, choose one or more of the following stub routing options:

  • Receive only—Configures the EIGRP stub routing process to receive route information from the neighbor routers but does not send route information to the neighbors. If this option is selected, you cannot select any of the other stub routing options.

  • Connected—Advertises connected routes.

  • Redistributed—Advertises redistributed routes.

  • Static—Advertises static routes.

  • Summary—Advertises summary routes.

Adjacency Changes

These options specify the syslog messages sent when adjacency changes occur.

  • Log Neighbor Changes – enables the logging of EIGRP neighbor adjacency changes. This option is selected by default.

  • Log Neighbor Warnings – enables the logging of EIGRP neighbor warning messages. This option is selected by default.

(Optional) The time interval (in seconds) between repeated neighbor warning messages. Valid values are from 1 to 65535. Repeated warnings are not logged if they occur during this interval.

Setup Tab

Use the Setup tab on the EIGRP page to configure the networks used by the EIGRP routing process, passive interfaces, default route information, administrative distances, and default metrics.

Navigation Path

You can access the Setup tab from the EIGRP Page; see Configuring EIGRP for more information.

Related Topics

Field Reference

Table 19. EIGRP - Setup Tab

Element

Description

Auto Summary

Check this box to enable automatic route summarization. Auto summary is enabled by default for ASA versions earlier than 9.2.1 and is disabled by default for ASA 9.2(1) and later.

When enabled, the EIGRP routing process summarizes on network number boundaries. This can cause routing problems if you have noncontiguous networks.

For example, if you have a router with the networks 192.168.1.0, 192.168.2.0, and 192.168.3.0 connected to it, and those networks all participate in EIGRP, the EIGRP routing process creates the summary address 192.168.0.0 for those routes. If an additional router is added to the network with the networks 192.168.10.0 and 192.168.11.0, and those networks participate in EIGRP, they will also be summarized as 192.168.0.0. To prevent the possibility of traffic being routed to the wrong location, you should disable automatic route summarization on the routers creating the conflicting summary addresses.

Networks

Enter the IP addresses of the networks to participate in the EIGRP routing process.

Tip 
You can click Select to select the networks from a list of network/host objects.

Passive Interface

You can configure one or more interfaces as passive interfaces. In EIGRP, a passive interface does not send or receive routing updates.

By default, all interfaces are enabled for active routing (sending and receiving routing updates) when routing is enabled for that interface.

To configure passive interfaces, do one of the following:

  • To enable all interfaces for active routing (sending and receiving routing updates) when routing is enabled for that interface, select None.

  • To configure all interfaces as passive, select All Interfaces.

  • To configure specific interfaces as passive, select Specified Interfaces and then enter or select the interfaces that you want to make passive.

Default Route Information

You can control the sending and receiving of default route information in EIGRP updates. By default, default routes are sent and accepted. Configuring the ASA to disallow default information to be received causes the candidate default route bit to be blocked on received routes. Configuring the ASA to disallow default information to be sent disables the setting of the default route bit in advertised routes.

  • Accept Default Route Info—configures EIGRP to accept exterior default routing information. Optionally, you can specify a standard access list that defines which networks are allowed and which are not when receiving default route information.

  • Send Default Route Info—configures EIGRP to advertise external routing information. Optionally, you can specify a standard access list that defines which networks are allowed and which are not when sending default route information.

Administrative Distance

Because every routing protocol has metrics based on algorithms that are different from the other routing protocols, it is not always possible to determine the “best path” for two routes to the same destination that were generated by different routing protocols. Administrative distance is a route parameter that the ASA uses to select the best path when there are two or more different routes to the same destination from two different routing protocols.

If you have more than one routing protocol running on the ASA, you can use the distance eigrp command to adjust the default administrative distances of routes discovered by the EIGRP routing protocol in relation to the other routing protocols:

Internal Distance—Administrative distance for EIGRP internal routes. Internal routes are those that are learned from another entity within the same autonomous system. Valid values are from 1 to 255. The default value is 90.

External Distance—Administrative distance for EIGRP external routes. External routes are those for which the best path is learned from a neighbor external to the autonomous system. Valid values are from 1 to 255. The default value is 170.

Default Metrics

You can define the default metrics for routes redistributed into the EIGRP routing process:

  • Bandwidth—the minimum bandwidth of the route in kilobits per second. Valid values range from 1 to 4294967295.

  • Delay Time—the route delay in tens of microseconds. Valid values range from 0 to 4294967295.

  • Reliability—the likelihood of successful packet transmission expressed as a number 0 through 255. The value 255 indicates 100 percent reliability; 0 means no reliability.

  • Loading—the effective bandwidth of the route. Valid values range from 1 to 255; 255 indicates 100 percent loaded.

  • MTU—the smallest allowed value for the maximum transmission unit of the path. Valid values range from 1 to 65535.

Filter Rules Tab

The Filter Rules tab contains the Filter Rules table which displays the route filtering rules configured for the EIGRP routing process. Filter rules let you control which routes are accepted or advertised by the EIGRP routing process.

Navigation Path

You can access the Filter Rules tab from the EIGRP Page; see Configuring EIGRP for more information.

Related Topics

Field Reference

Table 20. EIGRP - Filter Rules Tab

Element

Description

Direction

The direction for the filter rule:

  • Inbound—The rule filters default route information from incoming EIGRP routing updates.

  • Outbound—The rule filters default route information from outgoing EIGRP routing updates.

Interface

(Optional) The interface to which the filter rule applies.

Protocol

The routing protocol being filtered: BGP, Connected, OSPF, RIP, or Static.

ACL

Standard IP access list name. The list defines which networks are to be received and which are to be suppressed in routing updates.

Add/Edit EIGRP Filter Rule Dialog Box

Use the Add/Edit EIGRP Filter Rule dialog box to add new filter rules to the Filter Rules table or to modify an existing filter rule.

Navigation Path

You can access the Add/Edit EIGRP Filter Rule dialog box from the Filter Rules Tab.

Related Topics
Field Reference
Table 21. Add/Edit EIGRP Filter Rule Dialog Box

Element

Description

EIGRP Filter Direction

Specify the direction for the filter rule:

  • Inbound—The rule filters default route information from incoming EIGRP routing updates.

  • Outbound—The rule filters default route information from outgoing EIGRP routing updates.

Type

Specify the type of filter rule:

  • (Optional) Interface—Specify the interface on which to apply the routing updates. Specifying an interface causes the access list to be applied only to routing updates for that interface. If no interface is specified, the access list will be applied to all updates.

  • (Optional) Routing Protocol—For outbound EIGRP routing updates, select the routing protocol for which you want to filter: BGP, Connected, OSPF, RIP, or Static.

  • Routing Protocol ID—Enter the identifier for the routing process. Applies to BGP and OSPF routing protocols.

ACL

Select an Access Control List that defines which networks are to be received and which are to be suppressed in routing updates.

Neighbors Tab

The Neighbors tab contains the Neighbors table, through which you can define static neighbors. When you manually define an EIGRP neighbor, hello packets are sent to that neighbor as unicast messages.

Navigation Path

You can access the Neighbors tab from the EIGRP Page; see Configuring EIGRP for more information.

Related Topics

Field Reference

Table 22. EIGRP - Neighbors Tab

Element

Description

Interface

The interface through which the neighbor is available.

Neighbor

The IP address of the static neighbor.

Add/Edit EIGRP Neighbor Dialog Box

EIGRP hello packets are sent as multicast packets. If an EIGRP neighbor is located across a nonbroadcast network, such as a tunnel, you must manually define that neighbor. When you manually define an EIGRP neighbor, hello packets are sent to that neighbor as unicast messages.


Note

Configuring the passive-interface command for an interface suppresses all incoming and outgoing routing updates and hello messages on that interface. EIGRP neighbor adjacencies cannot be established or maintained over an interface that is configured as passive.

Use the Add/Edit EIGRP Neighbor dialog box to define a static neighbor or change information for an existing static neighbor.

Navigation Path

You can access the Add/Edit EIGRP Neighbor dialog box from the Neighbors Tab.

Related Topics
Field Reference
Table 23. Add/Edit EIGRP Neighbor Dialog Box

Element

Description

Interface

The interface through which the neighbor is available.

Tip 
You can click Select to select the interface from a list of interface objects.

Neighbor

The IP address of the static neighbor.

Tip 
You can click Select to select the neighbor from a list of host objects.

Redistribution Tab

Use the Redistribution tab to define the rules for redistributing routes from other routing protocols to the EIGRP routing process.

Navigation Path

You can access the Redistribution tab from the EIGRP Page; see Configuring EIGRP for more information.

Related Topics

Field Reference

Table 24. EIGRP - Redistribution Tab

Element

Description

Protocol

The source protocol from which the routes are being redistributed:

  • BGP—Redistributes routes discovered by the BGP routing process to EIGRP.

  • RIP—Redistributes routes discovered by the RIP routing process to EIGRP.

  • Static—Redistributes static routes to the EIGRP routing process. Static routes that fall within the scope of a network statement are automatically redistributed into EIGRP; you do not need to define a redistribution rule for them.

  • Connected—Redistributes connected routes (routes established automatically by virtue of having an IP address enabled on the interface) to the EIGRP routing process. Connected routes that fall within the scope of a network statement are automatically redistributed into EIGRP; you do not need to define a redistribution rule for them.

  • OSPF—Redistributes routes discovered by the OSPF routing process to EIGRP. If you choose this protocol, the Match options on this dialog box become visible. These options are not available when redistributing static, connected, RIP, or BGP routes.

ID

The autonomous system (AS) number for the BGP or OSPF routing process.

Bandwidth

The minimum bandwidth of the route in kilobits per second. Valid values range from 1 to 4294967295.

Delay Time

The route delay in tens of microseconds. Valid values range from 0 to 4294967295.

Reliability

The likelihood of successful packet transmission expressed as a number 0 through 255. The value 255 indicates 100 percent reliability; 0 means no reliability.

Loading

The effective bandwidth of the route. Valid values range from 1 to 255; 255 indicates 100 percent loaded.

MTU

The smallest allowed value for the maximum transmission unit of the path. Valid values range from 1 to 65535.

Route Map

The name of the route map object to apply to the redistribution entry.

Add/Edit EIGRP Redistribution Dialog Box

Use the Add/Edit Redistribution dialog box to add a redistribution rule or to edit an existing redistribution rule in the Redistribution table.

Navigation Path

You can access the Add/Edit EIGRP Redistribution dialog box from the Redistribution Tab.

Related Topics
Field Reference
Table 25. Add/Edit EIGRP Redistribution Dialog Box

Element

Description

Protocol

Select the source protocol from which the routes are being redistributed. You can choose one of the following options:

  • BGP—Redistributes routes discovered by the BGP routing process to EIGRP.

  • RIP—Redistributes routes discovered by the RIP routing process to EIGRP.

  • Static—Redistributes static routes to the EIGRP routing process. Static routes that fall within the scope of a network statement are automatically redistributed into EIGRP; you do not need to define a redistribution rule for them.

  • Connected—Redistributes connected routes (routes established automatically by virtue of having an IP address enabled on the interface) to the EIGRP routing process. Connected routes that fall within the scope of a network statement are automatically redistributed into EIGRP; you do not need to define a redistribution rule for them.

  • OSPF—Redistributes routes discovered by the OSPF routing process to EIGRP. If you choose this protocol, the Match options on this dialog box become visible. These options are not available when redistributing static, connected, RIP, or BGP routes.

Routing Process ID

The autonomous system (AS) number for the BGP or OSPF routing process.

Optional Metrics

You can define the following metrics for routes redistributed into the EIGRP routing process:

  • Bandwidth—the minimum bandwidth of the route in kilobits per second. Valid values range from 1 to 4294967295.

  • Delay Time—the route delay in tens of microseconds. Valid values range from 0 to 4294967295.

  • Reliability—the likelihood of successful packet transmission expressed as a number 0 through 255. The value 255 indicates 100 percent reliability; 0 means no reliability.

  • Loading—the effective bandwidth of the route. Valid values range from 1 to 255; 255 indicates 100 percent loaded.

  • MTU—the smallest allowed value for the maximum transmission unit of the path. Valid values range from 1 to 65535.

Route Map

Enter or Select a route map object to define which routes are redistributed into the EIGRP routing process.

Tip 
Click Select to open the Route Map Object Selector from which you can select a route map object. You can also create new route map objects from the Route Map Object Selector. For more information, see Understanding Route Map Objects.

Optional OSPF Redistribution

If you have chosen OSPF as the Route Type, choose the conditions used for redistributing routes from one routing protocol to another. The routes must match the selected condition to be redistributed. You can choose one or more of the following match conditions:

  • Internal—The route is internal to a specific AS.

  • External 1—Routes that are external to the autonomous system, but are imported into OSPF as Type 1 external routes.

  • External 2—Routes that are external to the autonomous system, but are imported into OSPF as Type 2 external routes.

  • NSSA External 1—Routes that are external to the autonomous system, but are imported into OSPF as Type 2 NSSA routes.

  • NSSA External 2—Routes that are external to the autonomous system, but are imported into OSPF as Type 2 NSSA routes.

Summary Address Tab

Use the Summary Address tab to configure a summary for EIGRP on a specific interface. You can configure summary addresses on a per-interface basis. You need to manually define summary addresses if you want to create summary addresses that do not occur at a network number boundary or if you want to use summary addresses on an ASA with automatic route summarization disabled. If any more specific routes are in the routing table, EIGRP will advertise the summary address out the interface with a metric equal to the minimum of all more specific routes.

Navigation Path

You can access the Summary Address tab from the EIGRP Page; see Configuring EIGRP for more information.

Related Topics

Field Reference

Table 26. EIGRP - Summary Address Tab

Element

Description

Interface

The interface from which the summary address is advertised.

Network

The IP address and network mask of the summary address.

Administrative Distance

The administrative distance of the summary route.

Add/Edit EIGRP Summary Address Dialog Box

Use the Add/Edit EIGRP Summary Address dialog box to add new entries or to modify existing entries in the Summary Address table. You can configure summary addresses on a per-interface basis. You need to manually define summary addresses if you want to create summary addresses that do not occur at a network number boundary or if you want to use summary addresses on an ASA with automatic route summarization disabled. If any more specific routes are in the routing table, EIGRP will advertise the summary address out the interface with a metric equal to the minimum of all more specific routes.

Navigation Path

You can access the Add/Edit EIGRP Summary Address dialog box from the Summary Address Tab.

Related Topics
Field Reference
Table 27. Add/Edit EIGRP Summary Address Dialog Box

Element

Description

Interface

The interface from which the summary address is advertised.

Tip 
You can click Select to select the interface from a list of interface objects.

Networks

The IP address and network mask of the summary address.

Tip 
You can click Select to select the network from a list of network objects.

Administrative Distance

(Optional) The administrative distance of the summary route. Valid values are from 1 to 255. The default value is 5.

Interfaces Tab

Use the Interfaces tab to configure interface-specific EIGRP routing properties.

Navigation Path

You can access the Interfaces tab from the EIGRP Page; see Configuring EIGRP for more information.

Related Topics

Field Reference

Table 28. EIGRP - Interfaces Tab

Element

Description

Interface

The name of the interface to which the configuration applies.

Hello Interval

The interval, in seconds, between EIGRP hello packets sent on an interface. Valid values range from 1 to 65535 seconds. The default value is 5 seconds.

Hold Time

The hold time advertised by the ASA in EIGRP hello packets. Valid values range from 1 to 65535 seconds. The default value is 15 seconds.

Split Horizon

Whether EIGRP split-horizon is enabled (true) or disabled (false) on an interface.

Delay

The delay time in tens of microseconds. Valid values are from 1 to 16777215. This option is not supported for devices in multi-context mode.

Key ID

The ID of the key used to authenticate EIGRP updates.

Add/Edit EIGRP Interface Dialog Box

Use the Add/Edit EIGRP Interface dialog box to configure interface-specific EIGRP routing parameters.

Navigation Path

You can access the Add/Edit EIGRP Interface dialog box from the Interfaces Tab.

Related Topics
Field Reference
Table 29. Add/Edit EIGRP Interface Dialog Box

Element

Description

Interface

The name of the interface to which the configuration applies.

Hello Interval

The interval, in seconds, between EIGRP hello packets sent on an interface. Valid values range from 1 to 65535 seconds. The default value is 5 seconds.

Hold Time

The hold time advertised by the ASA in EIGRP hello packets. Valid values range from 1 to 65535 seconds. The default value is 15 seconds.

Split Horizon

Enable/disable EIGRP split-horizon on an interface.

Delay Time

The delay time in tens of microseconds. Valid values are from 1 to 16777215. This option is not supported for devices in multi-context mode and will be disabled.

Enable MD5 Authentication

Enables MD5 authentication of EIGRP packets.

Key Type

Select Clear Text to indicate that the key you will be entering is in clear text. Select Encrypted to indicate that the key you will be entering is already encrypted.

Key ID and Key

Specify the key to authenticate EIGRP updates:

  • Key ID—Enter a numerical key identifier. Valid values range from 0 to 255.

  • Key—An alphanumeric character string of up to 16 bytes.

  • Confirm—Re-enter the key.
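The point of the Key ID and Key fields is that a neighbor must prove possession of a shared key before its routing updates are accepted, and the key ID lets two keys coexist during rotation. The following added Python illustration (not ASA or Security Manager code) models that check: it validates the key ID and key length limits stated above and verifies a keyed-MD5 trailer. The trailer layout (one key-ID byte followed by a 16-byte digest over the body and the zero-padded key) is an assumption made for illustration, not the EIGRP wire format.

```python
"""Added illustration of key-ID based MD5 authentication of routing updates (not ASA code)."""
import hashlib
import hmac
import struct
from typing import Dict, Tuple

KEY_MAX_BYTES = 16            # page: key is an alphanumeric string of up to 16 bytes
KEY_ID_RANGE = range(0, 256)  # page: key ID valid values are 0 to 255


def validate_key(key_id: int, key: str) -> None:
    """Enforce the limits the dialog box documents for Key ID and Key."""
    if key_id not in KEY_ID_RANGE:
        raise ValueError(f"key ID {key_id} outside 0-255")
    if not key or not key.isalnum():
        raise ValueError("key must be a non-empty alphanumeric string")
    if len(key.encode("ascii")) > KEY_MAX_BYTES:
        raise ValueError("key longer than 16 bytes")


def _digest(body: bytes, key: str) -> bytes:
    # Simplified keyed-MD5 model (assumption, not the EIGRP wire format):
    # MD5 over the packet body followed by the key zero-padded to 16 bytes.
    padded = key.encode("ascii").ljust(KEY_MAX_BYTES, b"\x00")
    return hashlib.md5(body + padded).digest()


def sign_update(body: bytes, key_id: int, key: str) -> bytes:
    """Append an authentication trailer: 1 key-ID byte + 16-byte digest."""
    validate_key(key_id, key)
    return body + struct.pack("!B", key_id) + _digest(body, key)


def verify_update(packet: bytes, keys: Dict[int, str]) -> Tuple[bool, str]:
    """Accept a packet only if it carries a trailer that matches a configured key.

    Every failure path rejects the update, which is what keeps a neighbor that
    does not hold the key from injecting routes into the EIGRP process.
    """
    trailer_len = 1 + hashlib.md5().digest_size
    if len(packet) < trailer_len:
        return False, "missing authentication trailer"
    body, key_id, mac = packet[:-trailer_len], packet[-trailer_len], packet[-16:]
    key = keys.get(key_id)
    if key is None:
        return False, f"unknown key ID {key_id}"
    # Constant-time comparison so digest mismatches are not timing-observable.
    if not hmac.compare_digest(mac, _digest(body, key)):
        return False, "digest mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: the local key table holds two IDs during a key rotation.
    key_table = {1: "oldkey2024", 2: "newkey2025"}
    pkt = sign_update(b"constructed EIGRP update body", 2, "newkey2025")
    print(verify_update(pkt, key_table))
```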

Configuring ISIS

The ISIS page provides nine tabbed panels for configuring ISIS (Intermediate System-to-Intermediate System) routing on a firewall device. The ISIS routing protocol is supported from Security Manager version 4.11 for ASA devices running software version 9.6(1) or later. The following topics provide detailed information about enabling and configuring ISIS:

Navigation Path

  • (Device view) Select Platform > Routing > ISIS from the Device Policy selector.

  • (Policy view) Select PIX/ASA/FWSM Platform > Routing > ISIS from the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new one.

Select Enable ISIS to enable Intermediate System-to-Intermediate System routing protocol on the selected ASA device.

About ISIS

Intermediate System-to-Intermediate System (ISIS) routing protocol is a link-state Interior Gateway Protocol (IGP). Link-state protocols are characterized by the propagation of the information required to build a complete network connectivity map on each participating router. That map is then used to calculate the shortest path to destinations. The IOS ISIS implementation supports CLNP, IPv4, and IPv6.

A routing domain may be divided into one or more sub-domains. Each sub-domain is referred to as an area and is assigned an area address. Routing within an area is referred to as Level-1 routing. Routing between Level-1 areas is referred to as Level-2 routing. A router in OSI terminology is referred to as an Intermediate System (IS). An IS may operate at Level 1, Level 2, or both. ISs that operate at Level 1 exchange routing information with other Level-1 ISs in the same area. ISs that operate at Level 2 exchange routing information with other Level-2 routers regardless of whether they are in the same Level-1 area. The set of Level-2 routers and the links that interconnect them form the Level-2 sub-domain, which must not be partitioned in order for routing to work properly.

General Tab

Use the General tab to configure BGP settings such as Best Path Selection, Neighbor Timers, and Graceful Restart.

Navigation Path

You can access the General tab from the BGP page (see Configuring BGP).

Related Topics

Field Reference

Table 30. General Tab

Element

Description

Limit the number of AS numbers in AS_PATH attribute of received routes

Restricts the number of AS numbers in AS_PATH attribute to a specific number. Valid values are from 1 to 254.

Log Neighbor Changes

Enables logging of BGP neighbor changes (up or down) and resets. This helps in troubleshooting network connectivity problems and measuring network stability.

Use TCP path MTU Discovery

Enables the use of the Path MTU Discovery technique to determine the maximum transmission unit (MTU) size on the network path between two IP hosts. This avoids IP fragmentation.

Enable fast external failover

Resets the external BGP session immediately upon link failure.

Enforce that the first AS is peer’s AS for EBGP routes

Discards incoming updates received from external BGP peers that do not list their AS number as the first segment in the AS_PATH attribute. This prevents a mis-configured or unauthorized peer from misdirecting traffic by advertising a route as if it was sourced from another autonomous system.

Use dot notation for AS numbers

Splits the full binary 4-byte AS number into two 16-bit words separated by a dot. AS numbers from 0 to 65535 are represented as decimal numbers and AS numbers larger than 65535 are represented using the dot notation (for example, 65536 is shown as 1.0).

Best Path Selection

Default local preference

Specify a value between 0 and 4294967295. The default value is 100. Higher values indicate higher preference. This preference is sent to all routers and access servers in the local autonomous system.

Allow comparing MED from different neighbors

Allows the comparison of Multi Exit Discriminator (MED) for paths from neighbors in different autonomous systems.

Compare Router-id for identical EBGP paths

Compares similar paths received from external BGP peers during the best path selection process and switches the best path to the route with the lowest router ID.

Pick the best MED path among paths advertised from the neighboring AS

Enables MED comparison among paths learned from confederation peers. The comparison between MEDs is made only if no external autonomous systems are there in the path.

Treat missing MED as the least preferred one

Considers the missing MED attribute as having a value of infinity, making the path the least desirable; therefore, a path with a missing MED is least preferred.

Neighbor Timers

Keepalive Interval

Enter the interval, in seconds, at which the ASA sends keepalive messages to its BGP peers. The default value is 60 seconds.

Hold Time

Enter the interval, in seconds, after which the ASA declares a BGP peer dead if it has received no keepalive or update message from that peer. The default value is 180 seconds (three times the keepalive interval).

Min Hold Time

(Optional) Enter the minimum hold time, in seconds, that the ASA will accept from a peer during session negotiation; a peer that proposes a shorter hold time is not accepted. Specify a value from 0 to 65535.

Graceful Restart (Use in failover or spanned cluster mode)

(ASA 9.3.1+ only)

Enable Graceful Restart

Enables ASA peers to avoid a routing flap following a switchover.

Restart Time

Specify the time duration that ASA peers will wait to delete stale routes before a BGP open message is received. The default value is 120 seconds. Valid values are between 1 and 3600 seconds.

Stalepath Time

Enter the time duration that the ASA will wait before deleting stale routes after an end of record (EOR) message is received from the restarting ASA. The default value is 360 seconds. Valid values are between 1 and 3600 seconds.
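The three inbound safeguards in this table (the first-AS check, the AS_PATH length limit, and dot notation for 4-byte AS numbers) are easier to reason about in code than from the field descriptions alone. The following Python is an added example, not Security Manager or ASA code: it models an incoming EBGP update as a list of AS_PATH segments (AS_SET and AS_SEQUENCE, as in RFC 4271), applies the same acceptance rules, and converts between plain and dot notation. The `Update` and `PathSegment` types, the function names, and the sample AS numbers are assumptions made for the example.

```python
"""Added example (not Security Manager or ASA code): inbound EBGP update checks
that mirror the General tab options, using an AS_PATH model from RFC 4271."""

from dataclasses import dataclass, field
from typing import List, Optional, Tuple

AS_SET = 1        # unordered set of ASNs, produced by aggregation
AS_SEQUENCE = 2   # ordered list of ASNs, leftmost is the most recent hop


@dataclass
class PathSegment:
    seg_type: int
    asns: List[int]


@dataclass
class Update:
    prefix: str
    as_path: List[PathSegment] = field(default_factory=list)


def as_path_length(as_path: List[PathSegment]) -> int:
    """Count every ASN in every segment; this is what the limit is compared against."""
    return sum(len(seg.asns) for seg in as_path)


def first_as(as_path: List[PathSegment]) -> Optional[int]:
    """Leftmost ASN of the path, i.e. the peer that should have sent it.
    Returns None when the path is empty or starts with an AS_SET."""
    if not as_path or as_path[0].seg_type != AS_SEQUENCE or not as_path[0].asns:
        return None
    return as_path[0].asns[0]


def accept_ebgp_update(update: Update, peer_as: int, enforce_first_as: bool = True,
                       maxas_limit: Optional[int] = None) -> Tuple[bool, str]:
    """Apply 'Enforce that the first AS is peer's AS' and 'Limit the number of AS
    numbers in AS_PATH' to one update from an external peer. Returns (accepted, reason)."""
    leftmost = first_as(update.as_path)
    if enforce_first_as and leftmost != peer_as:
        return False, f"{update.prefix}: first AS {leftmost} is not peer AS {peer_as}"
    length = as_path_length(update.as_path)
    if maxas_limit is not None and length > maxas_limit:
        return False, f"{update.prefix}: AS_PATH has {length} ASNs, limit is {maxas_limit}"
    return True, f"{update.prefix}: accepted"


def asdot(asn: int) -> str:
    """Dot notation: ASNs up to 65535 stay decimal, larger ones become <high16>.<low16>."""
    if not 0 <= asn <= 0xFFFFFFFF:
        raise ValueError(f"{asn} is not a 4-byte AS number")
    return str(asn) if asn <= 0xFFFF else f"{asn >> 16}.{asn & 0xFFFF}"


def asplain(text: str) -> int:
    """Inverse of asdot(): accepts either '65536' or '1.0'."""
    if "." in text:
        high, low = (int(part) for part in text.split(".", 1))
        if not (0 <= high <= 0xFFFF and 0 <= low <= 0xFFFF):
            raise ValueError(f"{text!r} is not valid dot notation")
        return (high << 16) | low
    asn = int(text)
    asdot(asn)  # range check only
    return asn


if __name__ == "__main__":
    # Constructed sample: peer 64500 announces two prefixes, one with its own ASN
    # first and one where its ASN is missing from the front of the path.
    peer = 64500
    samples = [
        Update("203.0.113.0/24", [PathSegment(AS_SEQUENCE, [64500, 64510])]),
        Update("198.51.100.0/24", [PathSegment(AS_SEQUENCE, [64510, 64520])]),
    ]
    for upd in samples:
        print(accept_ebgp_update(upd, peer, maxas_limit=10))
    print(asdot(65536), asplain("1.0"))
```

The second sample update is the case the first-AS check exists for: the path does not begin with the peer's own AS number, so the ASA cannot tell whether the peer is misconfigured or deliberately presenting someone else's route, and discards it.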

IPv4 Family Tab

Use the IPv4 Family tab on the BGP page to enable and configure IPv4 settings for BGP.

Navigation Path

You can access the IPv4 Family tab from the BGP page. For more information about the BGP page, see Configuring BGP.

Related Topics

Field Reference

Table 31. IPv4 Family Tab

Element

Description

Enable IPv4 Family

Enables configuration of routing sessions that use standard IPv4 address prefixes.

General

Use this panel to configure general IPv4 settings such as Best Path Selection, Neighbor Timers, and Graceful Restart. See IPv4 Family - General Tab for more about these definitions.

Aggregate Address

Use this panel to define the aggregation of specific routes into one route.

Specify a value for the aggregate timer (in seconds) in the Aggregate Timer field. Valid values are 0 or any value between 6 and 60. The default value is 30.

See Add/Edit Aggregate Address Dialog Box for more about these definitions.

Filtering

Use this panel to filter routes or networks received in incoming BGP updates. See Add/Edit Filter Dialog Box for more about these definitions.

Neighbor

Use this panel to define BGP neighbors and neighbor settings. See Add/Edit Neighbor Dialog Box for more about these definitions.

Networks

Use this panel to define the networks to be advertised by the BGP routing process. See Add/Edit Network Dialog Box for more about these definitions.

Redistribution

Use this panel to define the conditions for redistributing routes from another routing domain into BGP. See Add/Edit Redistribution Dialog Box for more about these definitions.

Route Injection

Use this panel to define the routes to be conditionally injected into the BGP routing table. See Add/Edit Route Injection Dialog Box for more about these definitions.

IPv4 Family Tab—General Tab

Field Reference
Table 32. ISIS IPv4 Family Tab—General Tab

Element

Description

Perform Adjacency Check

Check the Perform adjacency check check box to have the router verify, before forming an adjacency, that a neighbor's hello PDUs advertise support for this address family (the Protocols Supported TLV). Without the check, an adjacency can form with a neighbor that does not advertise support for this address family.

Distance

Administrative Distance

In the Administrative Distance field, enter the distance assigned to routes discovered by the IS-IS protocol. Administrative distance is a parameter used to compare routes among different routing protocols. In general, the higher the value, the lower the trust rating. An administrative distance of 255 means that the routing information source cannot be trusted at all and should be ignored. The range is 1 to 255. The default is 115.

Maximum No. of Forward Paths

Enter the maximum number of equal-cost IS-IS paths to a destination that can be installed in the routing table. The range is 1 to 8; the default is 4.

Distribute Default Route

Check the Distribute default route check box to have the IS-IS process advertise a default route into the IS-IS domain. Optionally choose a route map from the Route Map Object selector to control when the default route is advertised.

ISIS Metrics

Global ISIS Metric Level 1

Enter a number specifying the metric.

The range depends on the TLV Style that you select. The default is 10.

  • If you select Use old style of TLVs with narrow metric, the range is 1 to 63.

  • If you select Use new style of TLVs to carry wider metric, the range is 1 to 16777214.

  • If you select Send and accept both styles of TLVs during transition, the range is 1 to 16777214.

Global ISIS Metric Level 2

Enter a number specifying the metric.

The range depends on the TLV Style that you select. The default is 10.

  • If you select Use old style of TLVs with narrow metric, the range is 1 to 63.

  • If you select Use new style of TLVs to carry wider metric, the range is 1 to 16777214.

  • If you select Send and accept both styles of TLVs during transition, the range is 1 to 16777214.

TLV Style

Select one of the following Type, Length, and Values:

  • Use old style of TLVs with narrow metric

  • Use new style of TLVs to carry wider metric

  • Send and accept both styles of TLVs during transition

Accept both styles of TLVs during transition

Available if you selected Use old style of TLVs with narrow metric or Use new style of TLVs to carry wider metric. Check this box to also accept the other TLV style while the network is in transition.

Apply metric style to

Select one of the following:

  • Level 1

  • Level 2

  • Both

The default is Level 1.

IPv4 Family Tab—SPF Tab

Field Reference
Table 33. ISIS IPv4 Family Tab—SPF Tab

Element

Description

Shortest Path First

Honour external metrics during SPF calculations

Check this check box to have the SPF calculations include external metrics.

Signal other routers to not use this router as an intermediate hop in their SPF calculations

Check this check box if you want to exclude this device, and configure the following:

Specify on-startup behavior

If you select this element you must choose one of the following options:

  • Advertise ourself as overloaded until BGP has converged

  • Specify time to advertise ourself as overloaded after reboot—Specify the time in the range of 5 to 86400 seconds.

Don’t advertise IP prefixes learned from other protocols when overload bit is set

Check this check box to exclude IP prefixes.

Don’t advertise IP prefixes learned from another ISIS level when overload bit is set

Check this check box to exclude IP prefixes.

Minimum interval between partial route calculations

PRC Interval

Enter an amount of time for the router to wait between partial route calculations (PRCs). The range is 1 to 120 seconds. The default is 5 seconds.

Initial wait for PRC

Enter the initial PRC calculation delay (in milliseconds) after a topology change. The range is 1 to 120,000 milliseconds. The default is 2000 milliseconds.

Minimum wait between first and second PRC

Enter the amount of time in milliseconds that you want the router to wait between PRCs. The range is 1 to 120,000 milliseconds. The default is 5000 milliseconds.

Minimum interval between SPF calculations

Configure parameters for level 1

SPF calculation interval

Enter an amount of time for the router to wait between SPF calculations. The range is 1 to 120 seconds. The default is 10 seconds.

Initial wait for SPF calculation

Enter the initial delay, in milliseconds, before the first SPF calculation after a topology change. The range is 1 to 120,000 milliseconds. The default is 5500 milliseconds.

Minimum wait between first and second SPF calculation

Enter the amount of time in milliseconds that you want the router to wait between SPF calculations. The range is 1 to 120,000 milliseconds. The default is 5500 milliseconds.

Configure parameters for level 2

SPF calculation interval

Enter an amount of time for the router to wait between SPF calculations. The range is 1 to 120 seconds. The default is 10 seconds.

Initial wait for SPF calculation

Enter the initial delay, in milliseconds, before the first SPF calculation after a topology change. The range is 1 to 120,000 milliseconds. The default is 5500 milliseconds.

Minimum wait between first and second SPF calculation

Enter the amount of time in milliseconds that you want the router to wait between SPF calculations. The range is 1 to 120,000 milliseconds. The default is 5500 milliseconds.

IPv4 Family Tab—Redistribution Tab

Use the Add/Edit button to add a new Redistribution route or edit an existing row.

Field Reference
Table 34. ISIS IPv4 Family Tab—Redistribution Tab

Element

Description

Source Protocol

From the Source Protocol drop-down list, choose the protocol (BGP, Connected, EIGRP, OSPF, RIP, or Static) from which you want to redistribute routes into the ISIS domain.

Process ID

Enter the Process ID for the source protocol.

Route Level

From the Route Level drop-down list, choose Level 1, Level 2, or Level 1-2.

Metric

In the Metric field, enter a metric for the redistributed route. The range is 1 to 4294967295.

Metric Type

For the Metric Type, click the internal or external radio button.

ISIS Inter Area Route Levels

Source ISIS Level

Select Level 1 or Level 2. The default is Level 1.

Destination ISIS Level

Select Level 1 or Level 2. The default is Level 1.

Distribution List

Select an access control list to use as the distribution list that filters which routes are redistributed, or add a new one.

Route Map

Choose a route map from the Route Map Object selector that should be examined to filter the networks to be redistributed, or click Add to add a new route map or edit an existing route map.

Match

Check one or more of the Match check boxes (Internal, External 1, External 2, NSSA External 1, and NSSA External 2) to select which OSPF route types are redistributed. These apply only when the source protocol is OSPF.

IPv6 Family Tab

Use the IPv6 Family tab on the BGP page to enable and configure IPv6 settings for BGP.

Navigation Path

You can access the IPv6 Family tab from the BGP page. For more information about the BGP page, see Configuring BGP.

Related Topics

Field Reference

Table 35. IPv6 Family Tab

Element

Description

Enable IPv6 Family

Enables configuration of routing sessions that use standard IPv6 address prefixes.

General

Use this panel to configure general IPv6 settings. See IPv6 Family - General Tab for more about these definitions.

Aggregate Address

Use this panel to define the aggregation of specific routes into one route.

Specify a value for the aggregate timer (in seconds) in the Aggregate Timer field. Valid values are 0 or any value between 6 and 60. The default value is 30.

See Add/Edit Aggregate Address Dialog Box for more about these definitions.

Neighbor

Use this panel to define BGP neighbors and neighbor settings. See Add/Edit Neighbor Dialog Box for more about these definitions.

Networks

Use this panel to define the networks to be advertised by the BGP routing process. See Add/Edit Network Dialog Box for more about these definitions.

Redistribution

Use this panel to define the conditions for redistributing routes from another routing domain into BGP. See Add/Edit Redistribution Dialog Box for more about these definitions.

Route Injection

Use this panel to define the routes to be conditionally injected into the BGP routing table. See Add/Edit Route Injection Dialog Box for more about these definitions.

IPv6 Family Tab—General Tab

Field Reference
Table 36. ISIS IPv6 Family Tab—General Tab

Element

Description

Perform Adjacency Check

Check the Perform adjacency check check box to have the router verify, before forming an adjacency, that a neighbor's hello PDUs advertise support for this address family (the Protocols Supported TLV). Without the check, an adjacency can form with a neighbor that does not advertise support for this address family.

Distance

Administrative Distance

In the Administrative Distance field, enter the distance assigned to routes discovered by the IS-IS protocol. Administrative distance is a parameter used to compare routes among different routing protocols. In general, the higher the value, the lower the trust rating. An administrative distance of 255 means that the routing information source cannot be trusted at all and should be ignored. The range is 1 to 255. The default is 115.

Maximum No. of Forward Paths

Enter the maximum number of equal-cost IS-IS paths to a destination that can be installed in the routing table. The range is 1 to 8. The default is 4.

Distribute Default Route

Check the Distribute default route check box to have the IS-IS process advertise a default route into the IS-IS domain. Optionally choose a route map from the Route Map Object selector to control when the default route is advertised.

IPv6 Family Tab—SPF Tab

Field Reference
Table 37. ISIS IPv6 Family Tab—SPF Tab

Element

Description

Shortest Path First

Signal other routers to not use this router as an intermediate hop in their SPF calculations

Check this check box if you want to exclude this device, and configure the following:

Specify on-startup behavior

If you select this element you must choose one of the following options:

  • Advertise ourself as overloaded until BGP has converged

  • Specify time to advertise ourself as overloaded after reboot—Specify the time in the range of 5 to 86400 seconds.

Don’t advertise IP prefixes learned from other protocols when overload bit is set

Check this check box to exclude IP prefixes.

Don’t advertise IP prefixes learned from another ISIS level when overload bit is set

Check this check box to exclude IP prefixes.

Minimum interval between partial route calculations

PRC Interval

Enter an amount of time for the router to wait between partial route calculations (PRCs). The range is 1 to 120 seconds. The default is 5 seconds.

Initial wait for PRC

Enter the initial PRC calculation delay (in milliseconds) after a topology change. The range is 1 to 120,000 milliseconds. The default is 2000 milliseconds.

Minimum wait between first and second PRC

Enter the amount of time in milliseconds that you want the router to wait between PRCs. The range is 1 to 120,000 milliseconds. The default is 5000 milliseconds.

Minimum interval between SPF calculations

Configure parameters for level 1

SPF calculation interval

Enter an amount of time for the router to wait between SPF calculations. The range is 1 to 120 seconds. The default is 10 seconds.

Initial wait for SPF calculation

Enter the initial delay, in milliseconds, before the first SPF calculation after a topology change. The range is 1 to 120,000 milliseconds. The default is 5500 milliseconds.

Minimum wait between first and second SPF calculation

Enter the amount of time in milliseconds that you want the router to wait between SPF calculations. The range is 1 to 120,000 milliseconds. The default is 5500 milliseconds.

Configure parameters for level 2

SPF calculation interval

Enter an amount of time for the router to wait between SPF calculations. The range is 1 to 120 seconds. The default is 10 seconds.

Initial wait for SPF calculation

Enter the initial delay, in milliseconds, before the first SPF calculation after a topology change. The range is 1 to 120,000 milliseconds. The default is 5500 milliseconds.

Minimum wait between first and second SPF calculation

Enter the amount of time in milliseconds that you want the router to wait between SPF calculations. The range is 1 to 120,000 milliseconds. The default is 5500 milliseconds.

IPv6 Family Tab—Redistribution Tab

Use the Add/Edit button to add or edit Redistribution routes.

Field Reference
Table 38. ISIS IPv6 Family Tab—Redistribution Tab

Element

Description

Source Protocol

From the Source Protocol drop-down list, choose the protocol (BGP, Connected, EIGRP, OSPF, RIP, or Static) from which you want to redistribute routes into the ISIS domain.

Process ID

Enter the Process ID for the source protocol.

Route Level

From the Route Level drop-down list, choose Level 1, Level 2, or Level 1-2.

Metric

In the Metric field, enter a metric for the redistributed route. The range is 1 to 4294967295.

Metric Type

For the Metric Type, click the internal or external radio button.

ISIS Inter Area Route Levels

Source ISIS Level

Select Level 1 or Level 2. The default is Level 1.

Destination ISIS Level

Select Level 1 or Level 2. The default is Level 1.

Distribution List

Select an access control list to use as the distribution list that filters which routes are redistributed, or add a new one.

Route Map

Choose a route map from the Route Map Object selector that should be examined to filter the networks to be redistributed, or click Add to add a new route map or edit an existing route map.

Match

Check one or more of the Match check boxes (Internal, External 1, External 2, NSSA External 1, and NSSA External 2) to select which OSPF route types are redistributed. These apply only when the source protocol is OSPF.

IPv6 Family Tab—Summary Prefix

You must configure at least one Network Entity Title entry to proceed.

See Network Entity Title Tab for more information.

Use the Add/Edit button to add or edit Summary Prefix.

Field Reference
Table 39. ISIS IPv6 Family Tab—Summary Prefix Tab

Element

Description

IPv6 Summary Prefix

IPv6 prefix and prefix length in the form X:X:X:X::X/0-128.

Apply Summary Prefix into

Select Level 1, Level 2, or Both.

Level 1: Only routes redistributed into Level 1 are summarized with the configured address and mask value.

Level 2: Routes learned by Level 1 routing are summarized into the Level 2 backbone with the configured address and mask value. Redistributed routes into Level 2 ISIS are also summarized.

Both: Summary routes are applied when redistributing routes into Level 1 and Level 2 ISIS and when Level 2 ISIS advertises Level 1 routes as reachable in its area.

Authentication Tab

Field Reference

Table 40. ISIS Authentication Tab

Element

Description

Configure authentication parameter for level 1

Type

Select a Type from the drop-down list.

Key

Enter the key to authenticate ISIS updates. The key can include up to 16 characters.

Confirm

Confirm the key.

Send only

Click Enable or Disable depending on whether you want Send Only enabled.

Mode

Choose the authentication mode by clicking the Disabled, MD5, or Clear Text radio button. Clear Text places the key itself in every PDU, so anyone who can capture traffic on the link can read it; MD5 sends only a keyed digest of the PDU. Use MD5 unless you must interoperate with equipment that does not support it.

Area password

Enter the Area password and confirm it in the next text box. The area password is carried in Level 1 LSPs and SNPs in clear text.

Configure authentication parameter for level 2

Type

Select a Type from the drop-down list.

Key

Enter the key to authenticate ISIS updates. The key can include up to 16 characters.

Confirm

Confirm the key.

Send only

Click Enable or Disable depending on whether you want Send Only enabled.

Mode

Choose the authentication mode by clicking the Disabled, MD5, or Clear Text radio button. The same considerations as for Level 1 apply: prefer MD5 over Clear Text.

Domain password

Enter the Domain password and confirm it. The domain password is carried in Level 2 LSPs and SNPs in clear text.

Link State Packet Tab

Field Reference

Table 41. ISIS Link State Packet Tab

Element

Description

Ignore LSP Errors

Check the Ignore LSP Errors check box to allow the ASA to ignore LSP packets that are received with internal checksum errors rather than purging the LSPs.

Flood LSPs before running SPF

Check this box to flood LSPs before running SPF (fast flooding). If you select this option, enter the number of LSPs to flood, in the range of 1 to 15.

When a received LSP triggers an SPF run, the ASA first floods up to the specified number of LSPs to its neighbors and only then runs SPF. If no number is specified, the default of 5 is used. Cisco recommends enabling fast flooding because it speeds up LSP propagation and so improves overall network convergence time.

Suppress IP prefixes

To suppress IP prefixes, check the Suppress IP prefixes check box, and then check one of the following.

In networks where there is no limit placed on the number of redistributed routes into IS-IS, it is possible that the LSP can become full and routes will be dropped. Use these options to control which routes are suppressed when the PDU becomes full.

Don’t advertise IP prefixes learned from another ISIS level when ran out of LSP fragments

Suppresses any routes coming from another level. For example, if the Level-2 LSP becomes full, routes from Level 1 are suppressed.

Don’t advertise IP prefixes learned from other protocols when ran out of LSP fragments

Suppresses any redistributed routes on the ASA.

LSP General Interval

LSP Interval Parameters for level 1

LSP Calculation Interval

Enter the maximum interval, in seconds, between two successive generations of the same LSP. The range is 1-120 seconds. The default is 5.

Together with the two wait values below, this throttles how often the ASA regenerates its LSP while the topology is changing. A lower value advertises changes sooner at the cost of more LSP flooding when links flap; a higher value dampens flapping but delays convergence.

Initial wait for LSP calculation

Enter the time in milliseconds specifying the initial wait time before the first LSP is generated. The range is 1 to 120,000. The default is 50.

Minimum wait between first and second

Enter the time in milliseconds between the first and second LSP generation. The range is 1 to 120,000. The default is 5000.

LSP Interval Parameters for level 2

Use level 1 parameter also for level 2

If you want the values you configured for Level 1 to also apply to Level 2, check the Use level 1 parameters also for level 2 check box.

LSP Calculation Interval

Enter the maximum interval, in seconds, between two successive generations of the same LSP. The range is 1-120 seconds. The default is 5.

Together with the two wait values below, this throttles how often the ASA regenerates its LSP while the topology is changing. A lower value advertises changes sooner at the cost of more LSP flooding when links flap; a higher value dampens flapping but delays convergence.

Initial wait for LSP calculation

Enter the time in milliseconds specifying the initial wait time before the first LSP is generated. The range is 1 to 120,000. The default is 50.

Minimum wait between first and second

Enter the time in milliseconds between the first and second LSP generation. The range is 1 to 120,000. The default is 5000.

Maximum LSP size

In the Maximum LSP size field, enter the maximum size of an LSP in bytes. The range is 128 to 4352. The default is 1492.

LSP refresh interval

In the LSP refresh interval field, enter the number of seconds at which LSPs are refreshed. The range is 1 to 65535. The default is 900.

The refresh interval determines the rate at which the software periodically transmits in LSPs the route topology information that it originates. This is done to keep the database information from becoming too old.

Reducing the refresh interval reduces the amount of time that undetected link state database corruption can persist at the cost of increased link utilization. (This is an extremely unlikely event, however, because there are other safeguards against corruption.) Increasing the interval reduces the link utilization caused by the flooding of refreshed packets (although this utilization is very small).

Maximum LSP lifetime

In the Maximum LSP lifetime field, enter the maximum number of seconds that LSPs can remain in a router's database without being refreshed. The range is 1 to 65535. The default is 1200 (20 minutes).

You might need to adjust this parameter if you change the LSP refresh interval. LSPs must be periodically refreshed before their lifetimes expire. The value set for LSP refresh interval should be less than the value set for the maximum LSP lifetime; otherwise LSPs will time out before they are refreshed. If you make the LSP lifetime too low compared to the LSP refresh interval, the LSP refresh interval is automatically reduced to prevent the LSPs from timing out.

Summary Address Tab

Use the Add/Edit button to add or edit Summary Addresses.

Field Reference

Table 42. ISIS Summary Address Tab

Element

Description

IP address

Enter the IP address of the summary route.

Net Mask

Choose or enter the network mask to apply to the IP address.

Select level

Select the Level 1, Level 2, or Level 1 and 2 radio button depending on which levels you want to receive summary addresses.

Tag

In the Tag field, enter a number for the tag. The range is from 1 to 4294967295.

Metric

In the Metric field. enter the metric that will be applied to the summary route. The range is from 1 to 4294967295. The default value is 10.

Network Entity Title Tab

Use the Add/Edit button to add or edit a Network Entity Title.

Field Reference

Table 43. ISIS Network Entity Title Tab

Element

Description

Network Entity Title (NET)

Enter a NET in dotted hexadecimal form, for example 48.0000.1111.2222.00. The last byte is the NSEL and is always 00 for a NET, the 6 bytes before it are the system ID, and everything before that is the area address. The total length of the NET must be between 16 and 40 hexadecimal digits (8 to 20 bytes), not counting the dots.

NET Pool

Click Select to open the NET Pool Object Selector dialog box. You can add and edit NET Pool Objects using this dialog box. For more information about how to add or edit NET Pool Objects, see Add or Edit NET Pool Object Dialog Box.

The NET Pool is applicable only for cluster devices in individual mode.

Network Entity Title (NET) is not applicable for cluster devices in individual mode.

Maximum allowed NET

Enter the maximum number of area addresses (NETs) that the IS-IS process may be configured with, in the range of 3 to 254. The default value is 3. This value is carried in hello PDUs and must match on all routers in the area; a mismatch prevents adjacencies from forming.
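A NET is easier to validate mechanically than by eye. The following Python is an added example, not Security Manager or ASA code: it parses the dotted form shown above into its parts (area address, 6-byte system ID, and the NSEL, which must be 00 for a NET, as in ISO 10589), enforces the 16 to 40 hex-digit length and the Maximum allowed NET count from this tab, requires all NETs on one router to share a system ID, and checks the Level 1 adjacency rule that two routers must have an area address in common. The `Net` type, the function names and the sample values are assumptions made for the example.

```python
"""Added example (not Security Manager or ASA code): parse and validate the
Network Entity Title values entered on this tab."""

import re
from dataclasses import dataclass
from typing import Iterable, List

# Dotted hex as entered on the tab: 2-digit first group, 4-digit middle groups,
# 2-digit NSEL at the end, e.g. 49.0001.1111.2222.3333.00
_NET_FORMAT = re.compile(r"[0-9A-Fa-f]{2}(?:\.[0-9A-Fa-f]{4})*\.[0-9A-Fa-f]{2}")
_SYSTEM_ID_DIGITS = 12   # 6-byte system ID
_NSEL_DIGITS = 2         # 1-byte selector, always 00 for a NET


@dataclass(frozen=True)
class Net:
    area: str        # hex digits of the area address, 2 to 26 of them
    system_id: str   # 12 hex digits
    nsel: str        # "00"


def parse_net(text: str) -> Net:
    """Split a dotted NET into area, system ID and NSEL, rejecting malformed values."""
    if not _NET_FORMAT.fullmatch(text):
        raise ValueError(f"{text!r}: expected dotted hex such as 49.0001.1111.2222.3333.00")
    digits = text.replace(".", "").lower()
    if not 16 <= len(digits) <= 40:
        raise ValueError(f"{text!r}: NET must be 16 to 40 hex digits, got {len(digits)}")
    nsel = digits[-_NSEL_DIGITS:]
    if nsel != "00":
        raise ValueError(f"{text!r}: NSEL is {nsel}, but a NET must end in 00")
    system_id = digits[-(_SYSTEM_ID_DIGITS + _NSEL_DIGITS):-_NSEL_DIGITS]
    area = digits[:-(_SYSTEM_ID_DIGITS + _NSEL_DIGITS)]
    return Net(area=area, system_id=system_id, nsel=nsel)


def is_valid_net(text: str) -> bool:
    """Boolean form of parse_net() for quick checks of user input."""
    try:
        parse_net(text)
        return True
    except ValueError:
        return False


def check_net_list(texts: Iterable[str], max_area_addresses: int = 3) -> List[Net]:
    """Validate one router's NET list: every entry parses, all entries carry the same
    system ID (a router has one system ID and may belong to several areas), and the
    count stays within the Maximum allowed NET setting (default 3)."""
    nets = [parse_net(t) for t in texts]
    if not nets:
        raise ValueError("at least one NET is required")
    if len(nets) > max_area_addresses:
        raise ValueError(f"{len(nets)} NETs configured, maximum allowed is {max_area_addresses}")
    if len({n.system_id for n in nets}) != 1:
        raise ValueError("all NETs on one router must share the same system ID")
    return nets


def l1_adjacency_possible(a: Iterable[Net], b: Iterable[Net]) -> bool:
    """Level 1 neighbors must have at least one area address in common;
    Level 2 adjacencies do not need this."""
    return bool({n.area for n in a} & {n.area for n in b})


if __name__ == "__main__":
    # Constructed sample: three routers, the second one homed in two areas.
    r1 = check_net_list(["49.0001.1111.1111.1111.00"])
    r2 = check_net_list(["49.0001.2222.2222.2222.00", "49.0002.2222.2222.2222.00"])
    r3 = check_net_list(["49.0003.3333.3333.3333.00"])
    print(r1[0])
    print("r1-r2 Level 1 adjacency possible:", l1_adjacency_possible(r1, r2))
    print("r1-r3 Level 1 adjacency possible:", l1_adjacency_possible(r1, r3))
```

The system-ID rule matters for the NET Pool option above as well: each cluster member in individual mode needs its own system ID, while the area portion is what decides which routers can become Level 1 neighbors.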

Interface Tab

Use the Interface tab to configure interface-specific OSPF routing properties, including authentication.

Navigation Path

You can access the Interface tab from the OSPF page. For more information about the OSPF page, see Configuring OSPF.

Related Topics

Field Reference

Table 44. Interface Tab

Element

Description

Interface

The name of the interface to which the configuration applies.

Authentication

The type of OSPF authentication enabled on the interface. The authentication type can be one of the following values:

  • None—OSPF authentication is disabled.

  • Password—Clear text password authentication is enabled.

  • MD5—MD5 authentication is enabled.

  • Area—The authentication type specified for the area is enabled on the interface. Area authentication is the default value for interfaces. However, area authentication is disabled by default. So, unless you previously specified an area authentication type, interfaces showing Area authentication have authentication disabled.

  • Key Chain—Key chain authentication is enabled.

Point-to-Point

Displays “true” if the interface is set to non-broadcast (point-to-point). Displays “false” if the interface is set to broadcast.

Cost

The cost of sending a packet through the interface.

Priority

The OSPF priority assigned to the interface.

MTU Ignore

Displays “false” if MTU mismatch detection is enabled. Displays “true” if the MTU mismatch detection is disabled.

Database Filter

Displays “true” if outgoing LSAs are filtered during synchronization and flooding. Displays “false” if filtering is not enabled.

Hello Interval

The interval, in seconds, between hello packets sent on an interface. The smaller the hello interval, the faster topological changes are detected but the more traffic is sent on the interface. This value must be the same for all routers and access servers on a specific interface. Valid values range from 1 to 65535 seconds. The default value is 10 seconds.

Transmit Delay

The estimated time, in seconds, required to send an LSA packet on the interface. LSAs in the update packet have their ages increased by the amount specified by this field before transmission. If the delay is not added before transmission over a link, the time in which the LSA propagates over the link is not considered. The value assigned should take into account the transmission and propagation delays for the interface. This setting has more significance on very low-speed links. Valid values range from 1 to 65535 seconds. The default value is 1 second.

Retransmit Interval

The time, in seconds, between LSA retransmissions for adjacencies belonging to the interface. When a router sends an LSA to its neighbor, it keeps the LSA until it receives the acknowledgment message. If the router receives no acknowledgment, it resends the LSA. Be conservative when setting this value, or needless retransmission can result. The value should be larger for serial lines and virtual links. Valid values range from 1 to 65535 seconds. The default value is 5 seconds.

Dead Interval

The interval, in seconds, in which no hello packets are received, causing neighbors to declare a router down. Valid values range from 1 to 65535. The default value of this setting is four times the interval set by the Hello Interval field.

Hello Multiplier

(ASA 9.2(1)+ only)

The number of hello packets to be sent per second. Valid values are between 3 and 20.

Interface Tab—General Tab

Field Reference
Table 45. ISIS Interfaces Tab—General Tab

Element

Description

Interface

Select the interface from available interfaces.

Shutdown ISIS on this interface

Lets you disable the IS-IS protocol on this interface without removing its IS-IS configuration. No adjacencies are formed on the interface, but its IP address is still included in the LSP that the ASA generates.

Enable ISIS on this interface

Enables IS-IS protocol on the selected interface.

Enable IPv6 ISIS on this interface

Enables IPv6 IS-IS routing on the selected interface.

Priority for level 1

Lets you set a priority for Level 1. The priority is used to determine which router on a LAN will be the designated router or Designated Intermediate System (DIS). The priorities are advertised in the hello packets. The router with the highest priority becomes the DIS. The range is 0 to 127. The default is 64.

Priority for level 2

Lets you set a priority for Level 2. The priority is used to determine which router on a LAN will be the designated router or Designated Intermediate System (DIS). The priorities are advertised in the hello packets. The router with the highest priority becomes the DIS. The range is 0 to 127. The default is 64.

Tag

Sets a tag on the IP address configured for an interface when this IP prefix is put into an ISIS LSP.

CSNP Interval for level 1

Sets the Complete Sequence Number PDUs (CSNPs) interval in seconds between transmission of CSNPs on multiaccess networks for Level 1. This interval only applies for the designated router. The range is from 0 to 65535. The default is 10 seconds.

CSNP Interval for level 2

Sets the Complete Sequence Number PDUs (CSNPs) interval in seconds between transmission of CSNPs on multiaccess networks for Level 2. This interval only applies for the designated router. The range is from 0 to 65535. The default is 10 seconds.

Adjacency filter

Filters the establishment of IS-IS adjacencies.

Match all area addresses

All NSAP addresses must match the filter to accept the adjacency.

If not specified (the default), only one address must match the filter for the adjacency to be accepted.

Interface Tab—Authentication Tab

Field Reference
Table 46. ISIS Interfaces Tab—Authentication Tab

Element

Description

Level 1 parameters

Key Type

Select Clear Text or Encrypted.

Key

Enter the key to authenticate IS-IS updates. The range is 0 to 8 characters.

If no password is configured with the Key option, no key authentication is performed.

Note 
If you selected Key Type as Clear Text, you can enter a maximum of 17 characters in the Key field. If you selected Key Type as Encrypted, you can enter a maximum of 50 characters in the Key field.

Send only

For Send only, click the Enable or Disable radio button.

Choosing Send only causes the system only to insert the password into the SNPs, but not check the password in SNPs that it receives. Use this keyword during a software upgrade to ease the transition. The default is disabled.

Mode

Choose the authentication mode by checking the Mode check box and then choosing MD5 or Text from the drop-down list.

Password

Enter a password.

Note 
You can select either Mode or enter a password value.

Level 2 parameters

Key Type

Select Clear Text or Encrypted.

Key

Enter the key to authenticate IS-IS updates. The range is 0 to 8 characters.

If no password is configured with the Key option, no key authentication is performed.

Note 
If you selected Key Type as Clear Text, you can enter a maximum of 17 characters in the Key field. If you selected Key Type as Encrypted, you can enter a maximum of 50 characters in the Key field.

Send only

For Send only, click the Enable or Disable radio button.

Choosing Send only causes the system only to insert the password into the SNPs, but not check the password in SNPs that it receives. Use this keyword during a software upgrade to ease the transition. The default is disabled.

Mode

Choose the authentication mode by checking the Mode check box and then choosing MD5 or Text from the drop-down list.

Password

Enter a password.

Note 
You can select either Mode or enter a password value.

Interface Tab—Hello Padding Tab

Field Reference
Table 47. ISIS Interfaces Tab—Hello Padding Tab

Element

Description

Hello Padding

Enables Hello Padding.

IS-IS hellos are padded to the full maximum transmission unit (MTU) size. Padding IS-IS hellos to the full MTU allows for early detection of errors that result from transmission problems with large frames or errors that result from mismatched MTUs on adjacent interfaces.

Minimal holdtime 1 second for level 1

Enables the holdtime (in seconds) that the LSP remains valid for Level 1.

Hello interval for level 1

Specifies the length of time in seconds between hello packets for Level 1. The range is 1 to 65535. The default is 10.

Minimal holdtime 1 second for level 2

Enables the holdtime (in seconds) that the LSP remains valid for Level 2.

Hello interval for level 2

Specifies the length of time in seconds between hello packets for Level 2. The range is 1 to 65535. The default is 10.

Hello multiplier for level 1

Specifies the number of IS-IS hello packets a neighbor must miss before the ASA declares the adjacency is down for Level 1.

The advertised hold time in IS-IS hello packets will be set to the hello multiplier times the hello interval. Neighbors will declare an adjacency to this router down after not having received any IS-IS hello packets during the advertised hold time. The hold time (and thus the hello multiplier and the hello interval) can be set on a per-interface basis, and can be different between different routers in one area. The range is 3 to 1000. The default is 3.

Hello multiplier for level 2

Specifies the number of IS-IS hello packets a neighbor must miss before the ASA declares the adjacency is down for Level 2.

The advertised hold time in IS-IS hello packets will be set to the hello multiplier times the hello interval. Neighbors will declare an adjacency to this router down after not having received any IS-IS hello packets during the advertised hold time. The hold time (and thus the hello multiplier and the hello interval) can be set on a per-interface basis, and can be different between different routers in one area. The range is 3 to 1000. The default is 3.

Configure Circuit Type

Specifies whether the interface is configured for local routing (level 1), area routing (Level 2), or both local and area routing (Level 1-2).

Interface Tab—LSP Settings Tab

Field Reference
Table 48. ISIS Interfaces Tab—LSP Settings Tab

Element

Description

Advertise ISIS Prefix

Allows the advertising of IP prefixes of connected networks in the LSP advertisements per IS-IS interface.

Disabling this option is an IS-IS mechanism to exclude the IP prefixes of connected networks from LSP advertisements, thereby reducing IS-IS convergence time.

Retransmit Interval

Specifies the amount of time in seconds between retransmission of each IS-IS LSP on a point-to-point link.

The number should be greater than the expected round-trip delay between any two routers on the attached network. The range is 0 to 65535. The default is 5.

Retransmit Throttle Interval

Specifies the amount of time in milliseconds between retransmissions of each IS-IS LSP on a point-to-point interface.

This option may be useful in very large networks with many LSPs and many interfaces as a way of controlling LSP retransmission traffic. This option controls the rate at which LSPs can be re-sent on the interface. The range is 0 to 65535. The default is 33.

LSP Interval

Specifies the time delay in milliseconds between successive IS-IS LSP transmissions.

In topologies with a large number of IS-IS neighbors and interfaces, a router may have difficulty with the CPU load imposed by LSP transmission and reception. This option allows the LSP transmission rate (and by implication the reception rate of other systems) to be reduced. The range is 1 to 4294967295. The default is 33.

Interface Tab—Metrics Tab

Field Reference
Table 49. ISIS Interfaces Tab—Metrics Tab

Element

Description

Metrics for level 1

Use maximum metric value

Specifies the metric assigned to the link and used to calculate the cost from each other router via the links in the network to other destinations. This is enabled by default.

Default metric

Enter the number for the metric. The range is 1 to 16777214.

Metrics for level 2

Use maximum metric value

Specifies the metric assigned to the link and used to calculate the cost from each other router via the links in the network to other destinations. This is enabled by default.

Default metric

Enter the number for the metric. The range is 1 to 16777214.

Passive Interfaces Tab

The Passive Interfaces tab enables you to allow or suppress routing updates on an interface. Only interfaces configured with a name can be suppressed from sending routing updates.

Field Reference

Table 50. ISIS Network Entity Title Tab

Element

Description

Passive Interface

Select from the following options:

  • None—No Interface is selected.

  • Default—Open the Interfaces Selector dialog to select interfaces that you want to exclude. By default all interfaces are selected.

  • Specified Interfaces—Open the Interfaces Selector dialog to select interfaces that you want to select and include.

Configuring BFD Routing

The BFD page provides two tabs for configuring BFD (Bidirectional Forwarding Detection) routing on a firewall device. The following topics provide detailed information on configuring BFD.

Navigation Path

  • (Device view) Select Platform > Routing > BFD from the Device Policy selector.

  • (Policy view) Select PIX/ASA/FWSM Platform > Routing > BFD from the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new one.

Related Topics

About BFD

Bidirectional Forwarding Detection (BFD) is a detection protocol designed to provide fast forwarding path failure detection times for all media types, encapsulations, topologies, and routing protocols. BFD operates in a unicast, point-to-point mode on top of any data protocol being forwarded between two systems. Packets are carried in the payload of the encapsulating protocol appropriate for the media and the network.

BFD provides a consistent failure detection method for network administrators in addition to fast forwarding path failure detection. Because the network administrator can use BFD to detect forwarding path failures at a uniform rate, rather than the variable rates for different routing protocol hello mechanisms, network profiling and planning are easier and reconvergence time is consistent and predictable.

BFD Asynchronous Mode and Echo Function

BFD can operate in asynchronous mode with or without the echo function enabled.

Asynchronous Mode

In asynchronous mode, the systems periodically send BFD control packets to one another, and if a number of those packets in a row are not received by the other system, the session is declared to be down. Pure asynchronous mode (without the Echo function) is useful because it requires half as many packets to achieve a particular detection time as the Echo function requires.

BFD Echo Function

The BFD echo function sends echo packets from the forwarding engine to the directly-connected single-hop BFD neighbor. The echo packets are sent by the forwarding engine and forwarded back along the same path to perform detection. The BFD session at the other end does not participate in the actual forwarding of the echo packets. Because the echo function and the forwarding engine are responsible for the detection process, the number of BFD control packets that are sent out between BFD neighbors is reduced. Also, because the forwarding engine is testing the forwarding path on the remote neighbor system without involving the remote system, the inter-packet delay variance is improved. This results in quicker failure detection times.

When the echo function is enabled, BFD can use the slow timer to slow down the asynchronous session and reduce the number of BFD control packets that are sent between BFD neighbors, which reduces processing overhead while at the same time delivering faster failure detection.


Note

The echo function is not supported for IPv4 multi-hop or IPv6 single-hop BFD neighbors.

You can enable BFD at the interface and routing protocol levels. You must configure BFD on both systems (BFD peers). After you enable BFD on the interfaces and at the router level for the appropriate routing protocols, a BFD session is created, BFD timers are negotiated, and the BFD peers begin to send BFD control packets to each other at the negotiated level.

BFD Session Establishment

The following example shows the ASA and a neighboring router running Border Gateway Protocol (BGP). At the time when both devices come up, there is no BFD session established between them.

Figure 1. BFD Session Initiated

After BGP identifies its BGP neighbor, it bootstraps the BFD process with the IP address of the neighbor. BFD does not discover its peers dynamically. It relies on the configured routing protocols to tell it which IP addresses to use and which peer relationships to form.

The BFD on the router and the BFD on the ASA form a BFD control packet and start sending the packets to each other at a one-second interval until the BFD session is established. The initial control packets from either system are very similar, for example, the Vers, Diag, H, D, P, and F bits are all set to zero, and the State is set to Down. The My Discriminator field is set to a value that is unique on the transmitting device. The Your Discriminator field is set to zero because the BFD session has not yet been established. The TX and RX timers are set to the values found in the configuration of the device.

After the remote BFD device receives a BFD control packet during the session initiation phase, it copies the value of the My Discriminator field into its own Your Discriminator field and the transition from Down state to Init state and then eventually to Up state occurs. Once both systems see their own Discriminators in each other's control packets, the session is officially established.

The following illustration shows the established BFD connection.

Figure 2. BFD Session Established

BFD Timer Negotiation

BFD devices must negotiate the BFD timers to control and synchronize the send rate of BFD control packets.

A device needs to ensure the following before it can negotiate a BFD timer:

  • That its peer device saw the packet containing the proposed timers of the local device

  • That it never sends BFD control packets faster than the peer is configured to receive them

  • That the peer never sends BFD control packets faster than the local system is configured to receive them

The setting of the Your Discriminator field and the H bit are sufficient to let the local device know that the remote device has seen its packets during the initial timer exchange. After receiving a BFD control packet, each system takes the Required Min RX Interval and compares it to its own Desired Min TX Interval, and then takes the greater (slower) of the two values and uses it as the transmission rate for its BFD packets. The slower of the two systems determines the transmission rate.

When these timers have been negotiated, they can be renegotiated at any time during the session without causing a session reset. The device that changes its timers sets the P bit on all subsequent BFD control packets until it receives a BFD control packet with the F bit set from the remote system. This exchange of bits guards against packets that might otherwise be lost in transit.


Note

The setting of the F bit by the remote system does not mean that it accepts the newly proposed timers. It indicates that the remote system has seen the packets in which the timers were changed.

BFD Failure Detection

When the BFD session and timers have been negotiated, the BFD peers send BFD control packets to each other at the negotiated interval. These control packets act as a heartbeat that is very similar to an IGP Hello protocol, except that the rate is more accelerated.

As long as each BFD peer receives a BFD control packet within the configured detection interval (Required Minimum RX Interval), the BFD session stays up and any routing protocol associated with BFD maintains its adjacencies. If a BFD peer does not receive a control packet within this interval, it informs any clients participating in that BFD session about the failure. The routing protocol determines the appropriate response to that information. The typical response is to terminate the routing protocol peering session and reconverge and thus bypass a failed peer.

Each time a BFD peer successfully receives a BFD control packet in a BFD session, the detection timer for that session is reset to zero. Thus the failure detection is dependent on received packets and NOT when the receiver last transmitted a packet.
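The session establishment, timer negotiation and failure detection described in the preceding three sections, as an added illustrative model (not Cisco ASA code): two simulated peers exchange control packets, copy each other's My Discriminator, settle on the slower of the proposed intervals, renegotiate with the P/F bits, and reset the detection timer only on received packets. All interval values are constructed and expressed in microseconds.

```python
"""BFD session bring-up, timer negotiation and failure detection (added example, not Cisco ASA code)."""
from dataclasses import dataclass, field
import itertools

DOWN, INIT, UP = "Down", "Init", "Up"
_discriminators = itertools.count(1)   # unique My Discriminator per simulated device


@dataclass
class ControlPacket:
    state: str
    my_disc: int
    your_disc: int          # zero until the sender has learned the peer's discriminator
    desired_min_tx: int     # microseconds
    required_min_rx: int    # microseconds
    detect_mult: int
    p_bit: bool = False     # Poll: sender changed its timers
    f_bit: bool = False     # Final: sender has seen the peer's changed timers


@dataclass
class BfdPeer:
    name: str
    desired_min_tx: int     # Desired Min TX Interval from the device configuration
    required_min_rx: int    # Required Min RX Interval from the device configuration
    detect_mult: int = 3
    state: str = DOWN
    my_disc: int = field(default_factory=lambda: next(_discriminators))
    your_disc: int = 0
    remote_desired_min_tx: int = 0
    remote_required_min_rx: int = 0
    remote_detect_mult: int = 0
    poll_pending: bool = False
    send_final: bool = False
    since_last_rx: int = 0  # detection timer in microseconds; reset by every received packet
    clients: list = field(default_factory=list)  # failure callbacks, e.g. a BGP process

    def build_packet(self) -> ControlPacket:
        pkt = ControlPacket(self.state, self.my_disc, self.your_disc, self.desired_min_tx,
                            self.required_min_rx, self.detect_mult,
                            p_bit=self.poll_pending, f_bit=self.send_final)
        self.send_final = False           # F is sent once, in reply to a P
        return pkt

    def receive(self, pkt: ControlPacket) -> None:
        self.since_last_rx = 0            # detection depends on packets received, not sent
        self.your_disc = pkt.my_disc      # copy the peer's My Discriminator
        self.remote_desired_min_tx = pkt.desired_min_tx
        self.remote_required_min_rx = pkt.required_min_rx
        self.remote_detect_mult = pkt.detect_mult
        if pkt.p_bit:
            self.send_final = True        # F only means "I saw your new timers"
        if pkt.f_bit:
            self.poll_pending = False
        # Three-way handshake Down -> Init -> Up; Up needs our own discriminator echoed back
        if pkt.state == DOWN:
            if self.state == DOWN:
                self.state = INIT
            elif self.state == UP:
                self.state = DOWN
        elif pkt.your_disc == self.my_disc and (pkt.state == INIT or self.state == INIT):
            self.state = UP

    def tx_interval(self) -> int:
        """Transmit at the slower of own Desired Min TX and the peer's Required Min RX.
        Until the peer's timers are known, control packets go out once per second."""
        if self.remote_required_min_rx == 0:
            return 1_000_000
        return max(self.desired_min_tx, self.remote_required_min_rx)

    def detection_time(self) -> int:
        """Silence after which this side declares the session down: the peer's
        multiplier times the interval the peer actually transmits at toward us."""
        return self.remote_detect_mult * max(self.required_min_rx, self.remote_desired_min_tx)

    def advance(self, micros: int) -> None:
        """Let time pass with nothing received; on expiry tell the clients (e.g. BGP)."""
        self.since_last_rx += micros
        if self.state == UP and self.since_last_rx >= self.detection_time():
            self.state = DOWN
            for notify in self.clients:
                notify(self.name, "bfd-session-down")

    def propose_timers(self, desired_min_tx: int, required_min_rx: int) -> None:
        """Renegotiate mid-session without a reset: set P until the peer answers with F."""
        self.desired_min_tx, self.required_min_rx = desired_min_tx, required_min_rx
        self.poll_pending = True


def establish(a: BfdPeer, b: BfdPeer, limit: int = 6) -> int:
    """Alternate control packets until both sides are Up; return the number sent."""
    sent = 0
    while sent < limit and not (a.state == UP and b.state == UP):
        b.receive(a.build_packet())
        a, b, sent = b, a, sent + 1   # the other side replies next
    return sent
```

With an ASA at 50 ms / 50 ms and a router at 300 ms TX / 100 ms RX, the ASA ends up transmitting every 100 ms while the router transmits every 300 ms, so the ASA's detection time is 3 × 300 ms and the router's is 3 × 100 ms; the slower side governs in each direction.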

BFD Deployment Scenarios

The following describes how BFD operates in these specific scenarios.

Failover

In a failover scenario, BFD sessions are established and maintained between the active unit and the neighbor unit. Standby units do not maintain any BFD sessions with the neighbors. When a failover happens, the new active unit must initiate session establishment with the neighbor because session information is not synched between active and standby units.

For a graceful restart/NSF scenario, the client (BGP IPv4/IPv6) is responsible for notifying its neighbor about the event. When the neighbor receives the information, it keeps the RIB table until failover is complete. During failover, the BFD and the BGP sessions go down on the device. When the failover is complete, a new BFD session between the neighbors is established when the BGP session comes up.

Spanned EtherChannel and L2 Cluster

In a Spanned EtherChannel cluster scenario, the BFD session is established and maintained between the primary unit and its neighbor. Subordinate units do not maintain any BFD sessions with the neighbors. If a BFD packet is routed to the subordinate unit because of load balancing on the switch, the subordinate unit must forward this packet to the primary unit through the cluster link. When a cluster switchover happens, the new primary unit must initiate session establishment with the neighbor because session information is not synched between primary and subordinate units.

Individual Interface Mode and L3 Cluster

In an individual interface mode cluster scenario, individual units maintain their BFD sessions with their neighbors.

Create BFD Template

This section describes the steps required to create a BFD template policy object. The BFD template specifies a set of BFD interval values. BFD interval values as configured in the BFD template are not specific to a single interface. You can also configure authentication for single-hop and multi-hop sessions. You can enable Echo on single-hop only.

Navigation Path

Select Manage > Policy Objects, then select BFD Template from the Object Type selector. Right-click inside the work area, then select New Object or right-click a row and select Edit Object.

Field Reference

Table 51. Add/Edit BFD Template

Element

Description

Name

The object name, which can be up to 128 characters. Object names are not case-sensitive. For more information, see Creating Policy Objects.

Description

An optional description of the object.

Config Mode

Specify if there is a single IP hop or multiple IP hops between a BFD source and destination associated with an interface.

Enable Echo

(Optional) Select to enable echo. When enabled, echo packets are sent by the forwarding engine and forwarded back along the same path in order to perform detection.

Note 
This is applicable only for single hop configuration mode.

Interval tab (Optional)

Interval Type

Specify if you want to define the interval type in microseconds or milliseconds. The default interval type is None.

Transmit and Receive Values Interval Values in Microseconds

This section is enabled if the Interval type is microseconds. Valid values are between 50000 and 999000 microseconds.

Minimum Transmit Value - Enter the minimum transmit interval capability in microseconds.

Minimum Receive Value - Enter the minimum receive interval capability in microseconds.

Transmit and Receive Values Interval Values in Milliseconds

This section is enabled if the Interval type is milliseconds. Valid values are between 50 and 999 milliseconds.

Minimum Transmit Value - Enter the minimum transmit interval capability in milliseconds.

Minimum Receive Value - Enter the minimum receive interval capability in milliseconds.

Multiplier Value

Enter the number of consecutive BFD control packets that must be missed before BFD declares that a peer is unavailable. The default value is 3. Valid values are between 3 and 50.

Authentication tab (Optional)

Authentication Type

Select to configure authentication for the BFD template and specify if you want to use an encrypted password or an unencrypted password for the authentication.

Key Value

Enter a BFD password and confirm it.

  • For encrypted BFD templates, the length of the Key value is between 17 and 66 characters.

  • For unencrypted BFD templates of sha-1 or meticulous-sha-1 authentication type, the length of the Key Value must be less than 29 characters.

  • For unencrypted BFD templates of md5 or meticulous-md5 authentication type, the length of the Key Value must be less than 25 characters.

Key ID

Enter an authentication key ID. This is a shared key ID that matches the key string.

Category

The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden and Understanding Policy Object Overrides for Individual Devices.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.

Add/Edit BFD Map Dialog Box

The Add/Edit BFD Map dialog box lets you create a BFD map containing destinations that you can associate with a multi-hop template. You must have a multi-hop BFD template already configured. For more information, see Create BFD Template.

Navigation Path

You can access the Add/Edit BFD Map dialog box from the Maps tab on the BFD page. Click the Add Row button to add a new BFD map; select an existing BFD map and click the Edit Row button to edit that map.

Related Topics

Field Reference

Table 52. BFD Maps Tab

Element

Description

BFD Template

Select a multi-hop BFD template or add a multi-hop BFD template. For more information, see Create BFD Template.

IP version

Select the appropriate address format for the source and destination - IPv4 or IPv6.

IPv4 Destination/Prefix, IPv4 Source/Prefix

Enter the IPv4 address for the destination and source in the appropriate fields in the x.x.x.x/prefix format.

IPv6 Destination/ Prefix, IPv6 Source/prefix

Enter the IPv6 address for the destination and source in the appropriate fields in the x:x:x:x:x:x:x:x/prefix format.

Slow Timers

This reduces the number of BFD control packets that are sent between BFD neighbors. This slows down the asynchronous session, reduces the processing overhead and results in faster failure detection.

The default value for slow timers is 1000 and valid values are between 1000 - 30000.

Add/Edit BFD Interface Dialog Box

The Add/Edit BFD Interface dialog box lets you bind a BFD template to an interface, configure the baseline BFD session parameters per interface, and enable echo mode per interface.

Navigation Path

You can access the Add/Edit BFD Interface dialog box from the Interface tab on the BFD page. Click the Add Row button to add a new BFD interface; select an existing BFD interface and click the Edit Row button to edit that interface.

Related Topics

Field Reference

Table 53. BFD Interface Tab

Element

Description

Interface

Enter an interface name, select an interface or add an interface role.

BFD Configuration

Select BFD template to select an existing single-hop BFD template or add a single-hop BFD template. Alternatively, select BFD interval.

For more information, see Create BFD Template.

BFD Interval

Minimum Transmit Value

Enter the minimum transmit interval capability in milliseconds. Valid values are between 50 and 999 milliseconds.

Minimum Receive Value

Enter the minimum receive interval capability in milliseconds. Valid values are between 50 and 999 milliseconds.

Multiplier

Enter the number of consecutive BFD control packets that must be missed before BFD declares that a peer is unavailable. The default value is 3. Valid values are between 3 and 50.

Echo

(Optional) Select to enable echo. When enabled, echo packets are sent by the forwarding engine and forwarded back along the same path in order to perform detection.

Configuring OSPF

The OSPF page provides ten tabbed panels for configuring OSPF (Open Shortest Path First) routing on a firewall device. The following topics provide detailed information about enabling and configuring OSPF:


Note

Depending on the device version that you are configuring, some tabs might not be available.

Note

Beginning with ASA version 9.2(1), certain OSPF settings have changed. If you configure a shared policy that uses settings specific to ASA 9.2(1)+, you will receive a validation error if that policy is assigned to a device whose version is earlier than 9.2(1). Likewise, if you configure a shared policy that uses settings that no longer apply to ASA 9.2(1)+, you will receive a validation error if that policy is assigned to an 9.2(1)+ device.

Navigation Path

  • (Device view) Select Platform > Routing > OSPF from the Device Policy selector.

  • (Policy view) Select PIX/ASA/FWSM Platform > Routing > OSPF from the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new one.

About OSPF

Open Shortest Path First (OSPF) is an interior gateway routing protocol that uses link states rather than distance vectors for path selection. OSPF propagates link-state advertisements (LSAs) rather than routing table updates. Because only LSAs are exchanged, rather than entire routing tables, OSPF networks converge more quickly than RIP networks.

OSPF supports MD5 and clear-text neighbor authentication. Authentication should be used with all routing protocols whenever possible, because route redistribution between OSPF and other protocols (like RIP) can potentially be used by attackers to subvert routing information.

If NAT is used when OSPF is operating on public and private areas, and if address filtering is required, you need to run two OSPF processes—one process for the public areas and one for the private areas.

A router that has interfaces in multiple areas is called an Area Border Router (ABR). A router that acts as a gateway to redistribute traffic between routers using OSPF and routers using other routing protocols is called an Autonomous System Boundary Router (ASBR).

An ABR uses LSAs to send information about available routes to other OSPF routers. Using ABR type 3 LSA filtering, you can have separate private and public areas with the security appliance acting as an ABR. Type 3 LSAs (inter-area routes) can be filtered from one area to other. This lets you use NAT and OSPF together without advertising private networks.


Note

Only type 3 LSAs can be filtered. If you configure the security appliance as an ASBR in a private network, it will send type 5 LSAs describing private networks, which will be broadcast to the entire autonomous system (AS) including public areas.

If NAT is employed but OSPF is only running in public areas, routes to public networks can be redistributed inside the private network, either as default or type 5 AS External LSAs. However, you need to configure static routes for the private networks protected by the security appliance. Also, you should not mix public and private networks on the same security appliance interface.

Related Topics

General Tab

Use the General panel on the OSPF page to enable up to two OSPF process instances. Each OSPF process has its own associated areas and networks.


Note

You cannot enable OSPF if you have RIP enabled.

Navigation Path

You can access the General tab from the OSPF page; see Configuring OSPF for more information.

Related Topics

Field Reference

Table 54. OSPF General Tab

Element

Description

The General tab provides two identical sections; each is used to enable one OSPF process. The following options are available in each section.

Enable this OSPF Process

Check this box to enable an OSPF process. You cannot enable an OSPF process if you have RIP enabled on the security appliance. Deselect this option to remove the OSPF process.

OSPF Process ID

Enter a unique numeric identifier for the OSPF process. This process ID is used internally and does not need to match the OSPF process ID on any other OSPF devices. Valid values are from 1 to 65535.

Advanced button

Opens the OSPF Advanced Dialog Box, in which you can configure additional process-related parameters, such as Router ID, Adjacency Changes, Administrative Route Distances, Timers, and Default Information Originate settings.

OSPF Advanced Dialog Box

Use the OSPF Advanced dialog box to configure settings such as the Router ID, Adjacency Changes, Administrative Route Distances, Timers, and Default Information Originate settings for an OSPF process.


Note

Beginning with ASA version 9.2(1), certain OSPF settings have changed. If you configure a shared policy that uses settings specific to ASA 9.2(1)+, you will receive a validation error if that policy is assigned to a device whose version is earlier than 9.2(1). Likewise, if you configure a shared policy that uses settings that no longer apply to ASA 9.2(1)+, you will receive a validation error if that policy is assigned to an 9.2(1)+ device.

Navigation Path

You can access the OSPF Advanced dialog box from the General Tab.

Related Topics

Field Reference

Table 55. OSPF Advanced Dialog Box

Element

Description

OSPF Process

Displays the ID of the OSPF process you are configuring. You cannot change this value in this dialog box.

General Tab

Router ID

To use a fixed router ID, select IP Address and then enter a router ID in IP address format in the Router ID field. To have the router ID automatically generated (the highest-level IP address on the security appliance is used as the router ID), select Automatic.

Ignore LSA MOSPF

Select this option to suppress transmission of syslog messages when the security appliance receives Type 6 (MOSPF) LSA packets.

RFC 1583 Compatible

Select this option to calculate summary route costs per RFC 1583. Deselect this option to calculate summary route costs per RFC 2328. To minimize the chance of routing loops, all OSPF devices in an OSPF routing domain should have RFC compatibility set identically. This option is selected by default.

Adjacency Changes

These options specify the syslog messages sent when adjacency changes occur.

  • Log Adjacency Changes – When selected, the security appliance sends a syslog message whenever an OSPF neighbor goes up or down. This option is selected by default.

  • Log Adjacency Changes Detail – When selected, the security appliance sends a syslog message whenever any state change occurs, not just when a neighbor goes up or down. This option is not selected by default.

Administrative Route Distances

Settings for the administrative route distances, according to the route type.

  • Inter Area – The administrative distance for all routes from one area to another. Valid values range from 1 to 255; the default value is 110.

  • Intra Area – The administrative distance for all routes within an area. Valid values range from 1 to 255; the default value is 110.

  • External – The administrative distance for all routes from other routing domains that are learned through redistribution. Valid values range from 1 to 255; the default value is 110.

Timers

Settings used to configure LSA arrival, LSA pacing, and throttling for ASA 9.2(1)+ devices:

  • LSA Arrival – The minimum delay in milliseconds that must pass between acceptance of the same LSA arriving from neighbors. The range is from 0 to 600,000 milliseconds. The default is 1000 milliseconds.

  • LSA Flood Pacing – The time in milliseconds at which LSAs in the flooding queue are paced in between updates. The configurable range is from 5 to 100 milliseconds. The default value is 33 milliseconds.

  • LSA Group Pacing – The interval at which LSAs are collected into a group and refreshed, checksummed, or aged. Valid values range from 10 to 1800; the default value is 240 seconds.

  • LSA Retransmission Pacing - The time in milliseconds at which LSAs in the retransmission queue are paced. The configurable range is from 5 to 200 milliseconds. The default value is 66 milliseconds.

  • LSA Throttle – The delay in milliseconds to generate the first occurrence of the LSA. Valid values range from 0 to 600000 milliseconds. When you enter a value in this field, the Min and Max fields are enabled:

    • Min – The minimum delay for originating the same LSA. Valid values range from 1 to 600000 milliseconds.

    • Max – The maximum delay for originating the same LSA. Valid values range from 1 to 600000 milliseconds.

Note 
For LSA throttling, the first occurrence value must be equal to or less than the minimum value and the minimum value must be equal to or less than the maximum value.

  • SPF Throttle – The delay to receive a change to the SPF calculation. Valid values range from 1 to 600000 milliseconds. When you enter a value in this field, the Min and Max fields are enabled:

    • Min – The delay between the first and second SPF calculations. Valid values range from 1 to 600000 milliseconds.

    • Max – The maximum wait time for SPF calculations. Valid values range from 1 to 600000 milliseconds.

Note 
For SPF throttling, the first occurrence value must be equal to or less than the minimum value and the minimum value must be equal to or less than the maximum value.

Settings used to configure LSA pacing and SPF calculation timers for device versions earlier than 9.2(1):

  • SPF Delay – The time between receipt of a topology change and the start of shortest path first (SPF) calculations. Valid values range from 0 to 65535; the default value is 5 seconds.

  • SPF Hold – The hold time between consecutive SPF calculations. Valid values range from 1 to 65534; the default value is 10 seconds.

  • LSA Group Pacing – The interval at which LSAs are collected into a group and refreshed, checksummed, or aged. Valid values range from 10 to 1800; the default value is 240 seconds.
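The two Notes above state an ordering rule (first occurrence ≤ Min ≤ Max) that the field descriptions do not enforce for you, and the valid ranges differ by device version. The following is an added example, not Security Manager code, that checks a set of proposed timer values against the documented ranges and the throttling rule before they are deployed; the field names and the sample values are assumptions, not values from any real device.

```python
from typing import Dict, List, Optional

# Documented field ranges for ASA 9.2(1)+ (milliseconds, except
# lsa_group_pacing, which is in seconds). Field names are assumed.
RANGES_92 = {
    "lsa_arrival": (0, 600_000),
    "lsa_flood_pacing": (5, 100),
    "lsa_group_pacing": (10, 1800),
    "lsa_retransmission_pacing": (5, 200),
    "lsa_throttle": (0, 600_000),
    "lsa_throttle_min": (1, 600_000),
    "lsa_throttle_max": (1, 600_000),
    "spf_throttle": (1, 600_000),
    "spf_throttle_min": (1, 600_000),
    "spf_throttle_max": (1, 600_000),
}

# Documented field ranges for devices earlier than 9.2(1) (seconds).
RANGES_PRE_92 = {
    "spf_delay": (0, 65535),
    "spf_hold": (1, 65534),
    "lsa_group_pacing": (10, 1800),
}


def _check_throttle(label: str, first: Optional[int], minimum: Optional[int],
                    maximum: Optional[int], problems: List[str]) -> None:
    """Apply the throttling rule from the Notes: first <= Min <= Max."""
    if first is None:
        return  # Min and Max are only enabled once the first value is entered
    if minimum is None or maximum is None:
        problems.append(f"{label}: Min and Max must be set once the first-occurrence delay is entered")
        return
    if first > minimum:
        problems.append(f"{label}: first occurrence {first} must be <= Min {minimum}")
    if minimum > maximum:
        problems.append(f"{label}: Min {minimum} must be <= Max {maximum}")


def validate_timers(settings: Dict[str, int], version_92_or_later: bool) -> List[str]:
    """Return a list of violations; an empty list means the settings are consistent."""
    problems: List[str] = []
    ranges = RANGES_92 if version_92_or_later else RANGES_PRE_92
    for name, value in settings.items():
        if name not in ranges:
            problems.append(f"{name}: not a field for this device version")
            continue
        lo, hi = ranges[name]
        if not lo <= value <= hi:
            problems.append(f"{name}={value} is outside {lo}..{hi}")
    if version_92_or_later:
        for label, key in (("LSA Throttle", "lsa_throttle"), ("SPF Throttle", "spf_throttle")):
            _check_throttle(label, settings.get(key), settings.get(key + "_min"),
                            settings.get(key + "_max"), problems)
    return problems


# Constructed sample (assumed values, not a real device's settings): the page
# defaults plus an SPF throttle whose first delay exceeds its Min.
SAMPLE_92 = {
    "lsa_arrival": 1000,
    "lsa_flood_pacing": 33,
    "lsa_group_pacing": 240,
    "lsa_retransmission_pacing": 66,
    "lsa_throttle": 0, "lsa_throttle_min": 5000, "lsa_throttle_max": 5000,
    "spf_throttle": 5000, "spf_throttle_min": 1000, "spf_throttle_max": 10000,
}

if __name__ == "__main__":
    for problem in validate_timers(SAMPLE_92, version_92_or_later=True):
        print(problem)
```

Run against the sample, the only finding is the mis-ordered SPF throttle; passing a 9.2(1)+ field such as lsa_throttle for an earlier device is reported as not applicable rather than silently accepted.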

Default Information Originate

Settings used by an ASBR to generate a default external route into an OSPF routing domain.

  • Enable Default Information Originate – Check this box to enable generation of a default route into the OSPF routing domain; the following options become available:

    • Always advertise the default route – Check this box to always advertise the default route.

    • Metric Value – Enter the OSPF metric for the default route. Valid values range from 0 to 16777214; the default value is 1.

    • Metric Type – Choose the external link type associated with the default route advertised into the OSPF routing domain. The choices are 1 or 2, indicating a Type 1 or a Type 2 external route. The default value is 2.

    • Route Map – (Optional) Enter or Select a route map object to apply. The routing process generates the default route if the route map is satisfied.

Tip 
Click Select to open the Route Map Object Selector from which you can select a route map object. You can also create new route map objects from the Route Map Object Selector. For more information, see Understanding Route Map Objects.

Non Stop Forwarding Tab

Note 
Non Stop Forwarding (NSF) is supported on ASA 9.3(1)+ devices in Spanned Cluster mode or Failover mode only.

Enable Cisco Non Stop Forwarding Capability

Enables configuration of Cisco nonstop forwarding (NSF) operations.

Enable Cisco Non Stop Forwarding Helper mode

Enables Cisco nonstop forwarding (NSF) helper mode.

When an ASA has NSF enabled, it is said to be NSF-capable and will operate in graceful restart mode: the OSPF router process performs nonstop forwarding recovery due to a Route Processor (RP) switchover. By default, the neighboring ASAs of the NSF-capable ASA will be NSF-aware and will operate in NSF helper mode. When the NSF-capable ASA is performing graceful restart, the helper ASAs assist in the nonstop forwarding recovery process.

If you do not want the ASA to help the restarting neighbor with nonstop forwarding recovery, clear the Enable Cisco Non Stop Forwarding Helper mode option.

Enable Cisco Non Stop Forwarding

Enables Cisco nonstop forwarding (NSF).

Cancel NSF restart when non-NSF-aware neighboring networking devices are detected (Enforce Global)

If neighbors that are not NSF-aware are detected on a network interface during an NSF graceful restart, restart is aborted on that interface only and graceful restart will continue on other interfaces. To cancel restart for the entire OSPF process when neighbors that are not NSF-aware are detected during restart, select the Cancel NSF restart when non-NSF-aware neighboring networking devices are detected (Enforce Global) option.

Note 
The NSF graceful restart will also be canceled for the entire process when a neighbor adjacency reset is detected on any interface or when an OSPF interface goes down.

Enable IETF Non Stop Forwarding Capability

Enables configuration of Internet Engineering Task Force (IETF) NSF operations.

Enable IETF Non Stop Forwarding Helper mode

Enables IETF nonstop forwarding (NSF) helper mode.

When an ASA has NSF enabled, it is said to be NSF-capable and will operate in graceful restart mode: the OSPF router process performs nonstop forwarding recovery due to a Route Processor (RP) switchover. By default, the neighboring ASAs of the NSF-capable ASA will be NSF-aware and will operate in NSF helper mode. When the NSF-capable ASA is performing graceful restart, the helper ASAs assist in the nonstop forwarding recovery process.

If you do not want the ASA to help the restarting neighbor with nonstop forwarding recovery, clear the Enable IETF Non Stop Forwarding Helper mode option.

Enable Strict Link State advertisement checking

Enables strict link-state advertisement (LSA) checking for IETF NSF helper mode.

Enable IETF Non Stop Forwarding

Enables IETF nonstop forwarding (NSF).

Length of graceful restart interval

(Optional) Specifies the length of the graceful restart interval, in seconds. The range is from 1 to 1800. The default is 120.

Note 
For a restart interval below 30 seconds, graceful restart will be terminated.

Area Tab

Use the Area tab on the OSPF page to configure OSPF areas and networks.

Navigation Path

You can access the Area tab from the OSPF page. For more information about the OSPF page, see Configuring OSPF.

Related Topics

Field Reference

Table 56. Area Tab

Element

Description

OSPF Process

The OSPF process the area applies to.

Area ID

The area ID.

Area Type

The area type (Normal, Stub, or NSSA).

Networks

The area networks.

Options

The options, if any, set for the area type.

Authentication

The type of authentication set for the area (None, Password, or MD5).

Cost

The default cost for the area.

Add/Edit Area/Area Networks Dialog Box

Use the Add/Edit Area/Area Networks dialog box to define area parameters, the networks contained by the area, and the OSPF process associated with the area.

Navigation Path

You can access the Add/Edit Area/Area Networks dialog box from the Area Tab.

Related Topics

Field Reference

Table 57. Add/Edit Area/Area Networks Dialog Box

Element

Description

OSPF Process

When adding a new area, choose the OSPF process ID for the OSPF process for which the area is being added. If there is only one OSPF process enabled on the security appliance, that process is selected by default. When editing an existing area, you cannot change the OSPF process ID.

Area ID

When adding a new area, enter the area ID. You can specify the area ID as either a decimal number or an IP address. Valid decimal values range from 0 to 4294967295. You cannot change the area ID when editing an existing area.

Area Type

Normal

Choose this option to make the area a standard OSPF area. This option is selected by default when you first create an area.

Stub

Choosing this option makes the area a stub area. Stub areas do not have any routers or areas beyond them. Stub areas prevent AS External LSAs (Type 5 LSAs) from being flooded into the stub area. When you create a stub area, you can prevent summary LSAs (Type 3 and 4) from being flooded into the area by deselecting the Summary check box.

Summary (allows sending LSAs into the stub area)

When the area being defined is a stub area, deselecting this check box prevents LSAs from being sent into the stub area. This check box is selected by default for stub areas.

NSSA

Choose this option to make the area a not-so-stubby area. NSSAs accept Type 7 LSAs. When you create an NSSA, you can prevent summary LSAs from being flooded into the area by deselecting the Summary check box. You can also disable route redistribution by deselecting the Redistribute check box and enabling Default Information Originate.

Redistribute (imports routes to normal and NSSA areas)

Deselect this check box to prevent routes from being imported into the NSSA. This check box is selected by default.

Summary (allows sending LSAs into the NSSA area)

When the area being defined is an NSSA, deselecting this check box prevents summary LSAs from being sent into the NSSA. This check box is selected by default for NSSAs.

Default Information Originate (generate a Type 7 default)

Select this check box to generate a Type 7 default into the NSSA. This check box is deselected by default.

Metric Value

Specifies the OSPF metric value for the default route. Valid values range from 0 to 16777214. The default value is 1.

Metric Type

The OSPF metric type for the default route. The choices are 1 (Type 1) or 2 (Type 2). The default value is 2.

Network

The IP address and network mask of the network or host to be added to the area. Use 0.0.0.0 with a netmask of 0.0.0.0 to create the default area. You can only use 0.0.0.0 in one area.

Tip 
You can click Select to select the interfaces from a list of interface objects.

Authentication

Contains the settings for OSPF area authentication.

  • None—Choose this option to disable OSPF area authentication. This is the default setting.

  • Password—Choose this option to use a clear text password for area authentication. This option is not recommended where security is a concern.

  • MD5—Choose this option to use MD5 authentication.

Default Cost

Specify a default cost for the area. Valid values range from 0 to 65535 for ASA devices earlier than 9.2(1) and from 0 to 16777214 for ASA 9.2(1)+. The default value is 1.
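The Area dialog box and the Non Stop Forwarding tab each carry a setting the page itself warns about: clear text Password authentication is "not recommended where security is a concern", and a graceful restart interval below 30 seconds means graceful restart will be terminated. The following is an added example, not Security Manager or Cisco code, that reads the OSPF section of a running configuration and reports those conditions alongside each area's type and networks. The configuration text is constructed for the example (the area IDs, networks and values are assumptions); the command forms follow standard Cisco OSPF syntax.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample (not from the page): the OSPF section of a running
# configuration as it might look once Area and NSF settings are deployed.
SAMPLE_CONFIG = """\
router ospf 1
 network 10.1.0.0 255.255.0.0 area 0
 network 10.2.0.0 255.255.0.0 area 1
 network 10.3.0.0 255.255.0.0 area 2
 area 0 authentication message-digest
 area 1 authentication
 area 1 stub no-summary
 area 2 nssa no-redistribution default-information-originate
 area 2 default-cost 10
 nsf ietf helper strict-lsa-checking
 nsf ietf restart-interval 20
"""


@dataclass
class Area:
    area_id: str
    area_type: str = "Normal"       # Normal, Stub or NSSA, as on the Area tab
    authentication: str = "None"    # None, Password or MD5, as on the Area tab
    networks: List[str] = field(default_factory=list)
    default_cost: int = 1


def parse_router_ospf(config: str) -> Tuple[Dict[str, Area], Dict[str, int]]:
    """Extract per-area settings and the NSF restart interval from a router ospf block."""
    areas: Dict[str, Area] = {}
    nsf: Dict[str, int] = {}

    def area(area_id: str) -> Area:
        return areas.setdefault(area_id, Area(area_id))

    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"network (\S+) (\S+) area (\S+)", line):
            area(m.group(3)).networks.append(f"{m.group(1)} {m.group(2)}")
        elif m := re.fullmatch(r"area (\S+) authentication(?: (message-digest))?", line):
            # "authentication" alone is clear text; "message-digest" is MD5
            area(m.group(1)).authentication = "MD5" if m.group(2) else "Password"
        elif m := re.fullmatch(r"area (\S+) (stub|nssa)(?: .*)?", line):
            area(m.group(1)).area_type = "Stub" if m.group(2) == "stub" else "NSSA"
        elif m := re.fullmatch(r"area (\S+) default-cost (\d+)", line):
            area(m.group(1)).default_cost = int(m.group(2))
        elif m := re.fullmatch(r"nsf ietf restart-interval (\d+)", line):
            nsf["restart_interval"] = int(m.group(1))
    return areas, nsf


def audit_ospf(config: str) -> List[str]:
    """Report the conditions the page flags: disabled or clear text area
    authentication, and a graceful restart interval below 30 seconds."""
    areas, nsf = parse_router_ospf(config)
    findings: List[str] = []
    for a in sorted(areas.values(), key=lambda x: x.area_id):
        if a.authentication == "None":
            findings.append(f"area {a.area_id}: area authentication is disabled")
        elif a.authentication == "Password":
            findings.append(f"area {a.area_id}: clear text password authentication is used")
    interval = nsf.get("restart_interval")
    if interval is not None and interval < 30:
        findings.append(f"nsf ietf restart-interval {interval}: below 30 seconds, "
                        "graceful restart will be terminated")
    return findings


if __name__ == "__main__":
    for finding in audit_ospf(SAMPLE_CONFIG):
        print(finding)
```

On the sample, area 0 (MD5) passes, area 1 is reported for clear text authentication, area 2 for no authentication at all, and the 20-second restart interval is reported as too short. Areas are created from the network statements, so an area that has networks but no authentication command is reported rather than overlooked.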

Range Tab

Use the Range tab to summarize routes between areas.

Navigation Path

You can access the Range tab from the OSPF page. For more information about the OSPF page, see Configuring OSPF.

Related Topics

Field Reference

Table 58. Range Tab

Element

Description

Process ID

The ID of the OSPF process associated with the route summary.

Area ID

The ID of the area associated with the route summary.

Network

The summary IP address and network mask.

Advertise

Displays “true” if the route summaries are advertised when they match the address/mask pair or “false” if the route summaries are suppressed when they match the address/mask pair.

Add/Edit Area Range Network Dialog Box

Use the Add/Edit Area Range Network dialog box to add a new entry to the Route Summarization table or to change an existing entry.

Navigation Path

You can access the Add/Edit Area Range Network dialog box from the Range Tab.

Related Topics

Field Reference

Table 59. Add/Edit Area Range Network Dialog Box

Element

Description

OSPF Process

Select the OSPF process to which the route summary applies. You cannot change this value when editing an existing route summary entry.

Area

Select the area ID of the area to which the route summary applies. You cannot change this value when editing an existing route summary entry.

Network

The IP address and mask of the network for the routes being summarized.

Tip 
You can click Select to select the networks from a list of network objects.

Advertise

Select this check box to set the address range status to “advertise”. This causes Type 3 summary LSAs to be generated. Deselect this check box to suppress the Type 3 summary LSA for the specified networks.
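The Range tab only lists the summary address/mask pairs; it does not show which of an area's networks each range actually covers, or which networks will be advertised as individual Type 3 LSAs because no range matches them. The following is an added example, not Security Manager code, that works this out from the area's network list and its range entries, and also computes the smallest set of prefixes that covers the area's networks as a starting point for new range entries. All networks and range entries are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Optional, Sequence, Tuple

IPv4Network = ipaddress.IPv4Network

# Constructed sample (not from the page): networks placed in one area, and the
# Range tab entries for that area as (address mask, Advertise) pairs.
AREA_NETWORKS = [
    "10.2.0.0 255.255.255.0",
    "10.2.1.0 255.255.255.0",
    "10.2.2.0 255.255.255.0",
    "10.2.3.0 255.255.255.0",
    "10.9.0.0 255.255.255.0",
    "172.16.5.0 255.255.255.0",
]
RANGE_ENTRIES = [
    ("10.2.0.0 255.255.252.0", True),   # Advertise: one Type 3 summary LSA
    ("10.9.0.0 255.255.0.0", False),    # Advertise cleared: Type 3 LSA suppressed
]


def to_network(addr_mask: str) -> IPv4Network:
    """Convert the page's 'address mask' form into an IPv4Network.
    strict=True rejects an address that is not the network address for its mask."""
    addr, mask = addr_mask.split()
    return IPv4Network(f"{addr}/{mask}", strict=True)


def covering_range(net: IPv4Network,
                   ranges: Sequence[Tuple[str, bool]]) -> Optional[Tuple[IPv4Network, bool]]:
    """Most specific range entry whose address/mask pair contains net, or None."""
    best = None
    for entry, advertise in ranges:
        r = to_network(entry)
        if net.subnet_of(r) and (best is None or r.prefixlen > best[0].prefixlen):
            best = (r, advertise)
    return best


def classify_networks(area_networks: Sequence[str],
                      range_entries: Sequence[Tuple[str, bool]]) -> Dict[str, str]:
    """For each network, say whether it is advertised individually, folded into
    an advertised summary, or suppressed by a range with Advertise cleared."""
    result: Dict[str, str] = {}
    for n in area_networks:
        hit = covering_range(to_network(n), range_entries)
        if hit is None:
            result[n] = "individual"
        elif hit[1]:
            result[n] = f"summarized by {hit[0].with_netmask}"
        else:
            result[n] = f"suppressed by {hit[0].with_netmask}"
    return result


def minimal_summaries(area_networks: Sequence[str]) -> List[str]:
    """Smallest set of prefixes covering exactly the area's networks."""
    nets = [to_network(n) for n in area_networks]
    return [c.with_netmask for c in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    for net, outcome in classify_networks(AREA_NETWORKS, RANGE_ENTRIES).items():
        print(f"{net:28} {outcome}")
    print("candidate ranges:", minimal_summaries(AREA_NETWORKS))
```

For the sample, the four 10.2.x.0/24 networks collapse into the advertised 10.2.0.0/22 summary, 10.9.0.0/24 is suppressed by the non-advertised 10.9.0.0/16 entry, and 172.16.5.0/24 matches no range and is advertised on its own.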

Neighbors Tab

Use the Neighbors tab to define static neighbors. You need to define a static neighbor for each point-to-point, non-broadcast interface. You also need to define a static route for each static neighbor in the Neighbors table.

Navigation Path

You can access the Neighbors tab from the OSPF page. For more information about the OSPF page, see Configuring OSPF.

Related Topics

Field Reference

Table 60. Neighbors Tab

Element

Description

OSPF Process

The OSPF process associated with the static neighbor.

Neighbor

The IP address of the static neighbor.

Interface

The interface associated with the static neighbor.

Add/Edit Static Neighbor Dialog Box

Use the Add/Edit Static Neighbor dialog box to define a static neighbor or change information for an existing static neighbor. You must define a static neighbor for each point-to-point, non-broadcast interface.

Navigation Path

You can access the Add/Edit Static Neighbor dialog box from the Neighbors Tab.

Related Topics

Field Reference

Table 61. Add/Edit Static Neighbor Dialog Box

Element

Description

OSPF Process

The OSPF process associated with the static neighbor.

Neighbor

The IP address of the static neighbor.

Tip 
You can click Select to select the neighbor from a list of host objects.

Interface

The interface associated with the static neighbor.

Tip 
You can click Select to select the interface from a list of interface objects.

Redistribution Tab

Use the Redistribution tab to define the rules for redistributing routes from one routing domain to another.

Navigation Path

You can access the Redistribution tab from the OSPF Page. For more information about the OSPF page, see Configuring OSPF.

Related Topics

Field Reference

Table 62. Redistribution Tab

Element

Description

OSPF Process

The OSPF process associated with the route redistribution entry.

Route Type

The source protocol the routes are being redistributed from. Valid entries are the following:

  • BGP—Redistribute routes from the BGP routing process.

  • Connected—Redistributes connected routes (routes established automatically by virtue of having an IP address enabled on the interface) to the OSPF routing process. Connected routes are redistributed as external to the AS.

  • EIGRP—Redistributes routes from the EIGRP routing process. Choose the autonomous system number of the EIGRP routing process from the list.

  • OSPF—Redistributes routes from another OSPF routing process.

  • RIP—Redistributes routes from the RIP routing process.

  • Static—Redistributes static routes to the OSPF routing process.

Match

The conditions used for redistributing routes from one routing protocol to another. These options are not available when redistributing static, connected, RIP, BGP, or EIGRP routes.

Subnets

Displays “true” if subnetted routes are redistributed. Does not display anything if only routes that are not subnetted are redistributed.

Metric Value

The metric that is used for the route. This column is blank for redistribution entries if the default metric is used.

Metric Type

Displays “1” if the metric is a Type 1 external route, “2” if the metric is Type 2 external route.

Tag Value

A 32-bit decimal value attached to each external route. This value is not used by OSPF itself. It may be used to communicate information between ASBRs. Valid values range from 0 to 4294967295.

Route Map

The name of the route map object to apply to the redistribution entry.

Redistribution Dialog Box

Use the Redistribution dialog box to add a redistribution rule or to edit an existing redistribution rule in the Redistribution table.

Navigation Path

You can access the Redistribution dialog box from the Redistribution Tab.

Related Topics

Field Reference

Table 63. OSPF Redistribution Settings Dialog Box

Element

Description

OSPF Process

Select the OSPF process associated with the route redistribution entry.

Route Type

Select the source protocol from which the routes are being redistributed. You can choose one of the following options:

  • BGP—Redistribute routes from the BGP routing process.

  • Connected—Redistributes connected routes (routes established automatically by virtue of having an IP address enabled on the interface) to the OSPF routing process. Connected routes are redistributed as external to the AS.

  • EIGRP—Redistributes routes from the EIGRP routing process. Choose the autonomous system number of the EIGRP routing process from the list.

  • OSPF—Redistributes routes from another OSPF routing process. If you choose this protocol, the Match options on this dialog box become visible. These options are not available when redistributing static, connected, RIP, BGP, or EIGRP routes.

  • RIP—Redistributes routes from the RIP routing process.