Amer Networks E5Web GUI User Manual

Finally, a Dynamic Routing Rule needs to be defined to deploy the OSPF network. This involves
two steps:
i. A Dynamic Routing Policy Rule object is added. This rule should be an Import rule that
enables the option From OSPF Process so that the previously defined OSPF Router Process
object is selected. This tells the gateway to import all routes from the OSPF AS.
In addition, the optional Or is within filter parameter for the destination network must be
set to be all-nets. A narrower filter could be used for the destination network, but in this
case we want all networks.
ii. Within the Dynamic Routing Policy Rule just added, we now add a Routing Action object. Here
we add the routing table that will receive the routing information from OSPF into the
Selected list.
In the typical case this will be the routing table called main.
There is no need to have a Dynamic Routing Policy Rule which exports the local routing table into
the AS since this is done automatically for OSPF Interface objects.
The exception to this is if a route involves an ISP gateway (in other words, a router hop). In this
case the route MUST be explicitly exported. The most frequent case when this is necessary is for
the all-nets route to the external public Internet where the gateway is the ISP's router. Doing this
is discussed in the next step.
5. Add a Dynamic Routing Rule for all-nets
Optionally, a Dynamic Routing Rule needs to be defined if any routes except the OSPF Interface
routes are to be exported. This involves the following steps:
i. A Dynamic Routing Policy Rule object is added. This rule should be an Export rule that enables
the option From Routing Table with the main routing table moved to the Selected list.
In addition, the optional Or is within filter parameter for the destination network must be
set to be all-nets. This means all routes will be exported.
ii. Within the Dynamic Routing Policy Rule just added, we now add an OSPF Action object. Here,
set the Export to process option to be the OSPF Router Process which represents the OSPF
AS.
6. Repeat these steps on the other security gateway
Now repeat steps 1 to 5 for the other Clavister Security Gateway that will be part of the OSPF AS
and area. The OSPF Router and OSPF Area objects will be identical on each. The OSPF Interface
objects will be different depending on which interfaces and networks will be included in the
OSPF system.
If more than two security gateways will be part of the same OSPF area then all of them should be
configured similarly.
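
The effect of the Or is within filter in the Import and Export rules above, as an added Python model that is not part of the manual or the product. The sample routing table, the interface names and the reading of Or is within as "the route's destination lies inside the filter network" are assumptions made for illustration.

```python
import ipaddress

ALL_NETS = "0.0.0.0/0"

# Constructed sample of the "main" routing table: (destination, interface, gateway).
# A gateway of None means the network is directly attached to that interface.
MAIN = [
    ("10.1.0.0/24", "lan", None),
    ("10.2.0.0/24", "dmz", None),
    ("192.168.50.0/24", "lan", "10.1.0.254"),
    ("0.0.0.0/0", "wan", "203.0.113.1"),  # all-nets route via the ISP's router
]
# Interfaces that have an OSPF Interface object (assumed for this example).
OSPF_INTERFACES = {"lan"}


def is_within(dest, filter_net):
    """Assumed 'Or is within' semantics: dest lies inside filter_net."""
    return ipaddress.ip_network(dest).subnet_of(ipaddress.ip_network(filter_net))


def advertised(table, ospf_ifaces, export_filter=None):
    """Destinations announced into the OSPF AS.

    Networks attached to OSPF interfaces are announced automatically.
    Every other route is announced only if an Export rule's filter matches it.
    """
    result = []
    for dest, iface, gateway in table:
        automatic = gateway is None and iface in ospf_ifaces
        exported = export_filter is not None and is_within(dest, export_filter)
        if automatic or exported:
            result.append(dest)
    return result


def imported(ospf_routes, import_filter=ALL_NETS):
    """Routes learned from OSPF that an Import rule copies into main."""
    return [dest for dest in ospf_routes if is_within(dest, import_filter)]


if __name__ == "__main__":
    print("no Export rule:     ", advertised(MAIN, OSPF_INTERFACES))
    print("Export all-nets:    ", advertised(MAIN, OSPF_INTERFACES, ALL_NETS))
    print("Export 192.168/16:  ", advertised(MAIN, OSPF_INTERFACES, "192.168.0.0/16"))
    print("Import 10.0.0.0/8:  ", imported(["10.9.0.0/24", "172.16.0.0/16"], "10.0.0.0/8"))
```

With the all-nets filter the dmz network is announced as well, even though it has no OSPF Interface object in this sample; a narrower filter limits what the other gateways learn.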
OSPF Routing Information Exchange Begins Automatically
As the new configurations are created in the above steps and then deployed, OSPF will
automatically start and begin exchanging routing information. Since OSPF is a dynamic and
distributed system, it does not matter in which order the configurations of the individual security
gateways are deployed.
When the physical link is plugged in between two interfaces on two different security gateways
Chapter 4: Routing