User manual
The Virtual Link is configured between fw1 and fw2 on Area 1, as it is used as the transit area. In
the configuration, only the Router ID has to be configured. As the example above shows, fw2 needs
to have a Virtual Link to fw1 with the Router ID 192.168.1.1, and vice versa. These VLinks need to
be configured in Area 1.
OSPF High Availability Support
There are some limitations in High Availability support for OSPF that should be noted:
Both the active and the inactive part of an HA cluster will run separate OSPF processes, although
the inactive part will make sure that it is not the preferred choice for routing. The HA master and
slave will not form adjacency with each other and are not allowed to become DR/BDR on broadcast
networks. This is done by forcing the router priority to 0.
For OSPF HA support to work correctly, the NetDefend Firewall needs to have a broadcast interface
with at least ONE neighbor for ALL areas that the firewall is attached to. In essence, the inactive
part of the cluster needs a neighbor to get the link state database from.
It should also be noted that it is not possible to put an HA cluster on the same broadcast network
without any other neighbors (they will not form adjacency with each other because of the router
priority 0). However, it may be possible, depending on the scenario, to set up a point-to-point link
between them instead. Special care must also be taken when setting up a virtual link to a firewall in
an HA cluster. The endpoint setting up a link to the HA firewall must set up 3 separate links: one to
the shared, one to the master and one to the slave Router ID of the firewall.
4.5.3. Dynamic Routing Policy
Overview
In a dynamic routing environment, it is important for routers to be able to regulate to what extent
they will participate in the routing exchange. It is not feasible to accept or trust all received routing
information, and it might be crucial to prevent parts of the routing database from being published to
other routers.
For this reason, NetDefendOS provides a Dynamic Routing Policy, which is used to regulate the
flow of dynamic routing information.
A Dynamic Routing Policy rule filters either statically configured or OSPF learned routes according
to parameters like the origin of the routes, destination, metric and so on. The matched routes can be
controlled by actions to be either exported to OSPF processes or to be added to one or more routing
tables.
The most common usages of Dynamic Routing Policy are:
• Importing OSPF routes from an OSPF process into a routing table.
• Exporting routes from a routing table to an OSPF process.
• Exporting routes from one OSPF process to another.
Note: No routes are imported automatically
By default, NetDefendOS will not import or export any routes. In other words, for
dynamic routing to be meaningful, it is mandatory to define at least one Dynamic
Routing Policy rule.
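
Added example (not from the manual, and not NetDefendOS configuration syntax): a small Python model of the filtering described above, showing that an empty policy imports and exports nothing and that only routes matching a rule's origin, destination range and metric limit are acted on. The rule fields, the names "main" and "ospf-area0", and the sample routes are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    origin: str        # "ospf" (learned) or "static" (configured)
    destination: str   # destination network in CIDR form
    metric: int

@dataclass(frozen=True)
class Rule:            # hypothetical rule shape, not the product's schema
    origin: str        # route origin this rule filters on
    within: str        # destination must lie inside this network
    max_metric: int    # highest metric the rule accepts
    action: str        # "add_to_table" or "export_to_ospf"
    target: str        # routing table or OSPF process name

def matches(rule: Rule, route: Route) -> bool:
    dest = ipaddress.ip_network(route.destination)
    allowed = ipaddress.ip_network(rule.within)
    return (route.origin == rule.origin
            and dest.version == allowed.version
            and dest.subnet_of(allowed)
            and route.metric <= rule.max_metric)

def apply_policy(rules, routes):
    """Map (action, target) to accepted destinations; unmatched routes are ignored."""
    result = {}
    for route in routes:
        for rule in rules:
            if matches(rule, route):
                result.setdefault((rule.action, rule.target), []).append(route.destination)
    return result

# Constructed sample data
ROUTES = [
    Route("ospf", "10.20.1.0/24", 10),       # inside the trusted range
    Route("ospf", "0.0.0.0/0", 1),           # default route from a neighbor: not covered by any rule
    Route("ospf", "10.20.9.0/24", 500),      # right range, metric above the limit
    Route("static", "192.168.50.0/24", 0),   # local static route to publish
]
RULES = [
    Rule("ospf", "10.20.0.0/16", 100, "add_to_table", "main"),
    Rule("static", "192.168.50.0/24", 100, "export_to_ospf", "ospf-area0"),
]

if __name__ == "__main__":
    print("no rules :", apply_policy([], ROUTES))
    print("two rules:", apply_policy(RULES, ROUTES))
```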