NetScreen Concepts & Examples
ScreenOS Reference Guide

Volume 5: Dynamic Routing

ScreenOS
P/N
Rev F


Copyright Notice

NetScreen, NetScreen Technologies, GigaScreen, and the NetScreen logo are registered trademarks of NetScreen
Technologies, Inc. NetScreen-5XP, NetScreen-5XT, NetScreen-25, NetScreen-50, NetScreen-100, NetScreen-204,
NetScreen-208, NetScreen-500, NetScreen-1000, NetScreen-5200, NetScreen-5400, NetScreen-Global PRO,
NetScreen-Global PRO Express, NetScreen-Remote Security Client, NetScreen-Remote VPN Client, NetScreen-IDP 100,
NetScreen-IDP 500, GigaScreen ASIC, GigaScreen-II ASIC, and NetScreen ScreenOS are trademarks of NetScreen
Technologies, Inc. All other trademarks and registered trademarks are the property of their respective companies.
Information in this document is subject to change without notice.
No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for
any purpose, without receiving written permission from
NetScreen Technologies, Inc.
350 Oakmead Parkway
Sunnyvale, CA 94085 U.S.A.
www.netscreen.com

FCC Statement

The following information is for FCC compliance of Class A devices: This equipment has been tested and found to
comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to
provide reasonable protection against harmful interference when the equipment is operated in a commercial
environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in
accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this
equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct
the interference at their own expense.
The following information is for FCC compliance of Class B devices: The equipment described in this manual
generates and may radiate radio-frequency energy. If it is not installed in accordance with NetScreen’s installation
instructions, it may cause interference with radio and television reception. This equipment has been tested and found
to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules.
These specifications are designed to provide reasonable protection against such interference in a residential
installation. However, there is no guarantee that interference will not occur in a particular installation.
If this equipment does cause harmful interference to radio or television reception, which can be determined by turning
the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following
measures:
• Reorient or relocate the receiving antenna.
• Increase the separation between the equipment and receiver.
• Consult the dealer or an experienced radio/TV technician for help.
• Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.
Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.

Disclaimer

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE
INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF
YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR NETSCREEN
REPRESENTATIVE FOR A COPY.




Preface

Routing is an essential part of security devices. Without routing, the security devices could not effectively forward
secure traffic to desired destinations. Dynamic routing shortens the time between changes in network topology and
the forwarding of traffic on the network.
Volume 5, “Dynamic Routing” describes how to configure Open Shortest Path First (OSPF) and Border Gateway
Protocol (BGP). This volume describes the following:
• Overview of OSPF, OSPF commands, basic configuration, advanced configuration
• Overview of BGP, BGP commands, basic configuration, advanced configuration

NetScreen Concepts & Examples, Volume 5: Dynamic Routing v


CONVENTIONS
This book presents two management methods for configuring a NetScreen device: the Web user interface (WebUI)
and the command line interface (CLI). The conventions used for both are introduced below.

WebUI Navigation Conventions
Throughout this book, a chevron ( > ) is used to indicate navigation through the WebUI by clicking menu options and
links.

Example: Objects > Addresses > List > New
To access the new address configuration dialog box, do the following:
1. Click Objects in the menu column.
The Objects menu option expands to reveal a subset of options for Objects.
2. (Applet menu) Hover the mouse over Addresses.
(DHTML menu) Click Addresses.
The Addresses option expands to reveal a subset of options for Addresses.
3. Click List.
The address book table appears.
4. Click the New link in the upper right corner.
The new address configuration dialog box appears.

CLI Conventions
Each CLI command description in this manual reveals some aspect of command syntax. This syntax may include
options, switches, parameters, and other features. To illustrate syntax rules, some command descriptions use
dependency delimiters. Such delimiters indicate which command features are mandatory, and in which contexts.

Dependency Delimiters
Each syntax description shows the dependencies between command features by using special characters.
• The { and } symbols denote a mandatory feature. Features enclosed by these symbols are essential for
execution of the command.
• The [ and ] symbols denote an optional feature. Features enclosed by these symbols are not essential for
execution of the command, although omitting such features might adversely affect the outcome.
• The | symbol denotes an “or” relationship between two features. When this symbol appears between two
features on the same line, you can use either feature (but not both). When this symbol appears at the end of
a line, you can use the feature on that line, or the one below it.

Nested Dependencies
Many CLI commands have nested dependencies, which make features optional in some contexts, and mandatory in
others. The three hypothetical features shown below demonstrate this principle.
[ feature_1 { feature_2 | feature_3 } ]
The delimiters [ and ] surround the entire clause. Consequently, you can omit feature_1, feature_2, and feature_3,
and still execute the command successfully. However, because the { and } delimiters surround feature_2 and
feature_3, you must include either feature_2 or feature_3 if you include feature_1. Otherwise, you cannot
successfully execute the command.
The following example shows some of the feature dependencies of the set interface command.
set interface vlan1 broadcast { flood | arp [ trace-route ] }

The { and } brackets indicate that specifying either flood or arp is mandatory. By contrast, the [ and ] brackets
indicate that the trace-route option for arp is not mandatory. Thus, the command might take any of the following
forms:
ns-> set interface vlan1 broadcast flood
ns-> set interface vlan1 broadcast arp
ns-> set interface vlan1 broadcast arp trace-route
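As an added illustration (this script is not part of the NetScreen manual), the following Python code expands a syntax description written with the delimiters above into every command form it permits, and checks a typed command against that set. The two syntax strings used in the test are the ones shown in this section; a command that omits a mandatory { } choice, or that supplies an option outside its clause, is reported as invalid.

```python
"""Expand a ScreenOS-style CLI syntax description into the concrete commands it permits.

Grammar handled (the dependency delimiters described in this section):
  { a | b }   mandatory choice        [ a | b ]   optional choice
  a | b       alternation              nesting of either form inside the other
Words are whitespace separated; delimiters may also be attached to words.
"""
from itertools import product
from typing import List, Set


def tokenize(syntax: str) -> List[str]:
    """Isolate the delimiter characters, then split on whitespace."""
    for ch in "{}[]|":
        syntax = syntax.replace(ch, f" {ch} ")
    return syntax.split()


class _Expander:
    def __init__(self, tokens: List[str]):
        self.toks = tokens
        self.pos = 0

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def sequence(self, closer=None) -> List[List[str]]:
        """Expand tokens up to `closer` (or end of input) into a list of word lists."""
        branches = []          # completed '|' alternatives
        current = [[]]         # expansions of the alternative being built
        while self._peek() is not None and self._peek() != closer:
            tok = self.toks[self.pos]
            self.pos += 1
            if tok == "|":
                branches.append(current)
                current = [[]]
                continue
            if tok in ("}", "]"):
                raise ValueError(f"unexpected '{tok}' at token {self.pos}")
            if tok in ("{", "["):
                inner = self.sequence("}" if tok == "{" else "]")
                if self._peek() is None:
                    raise ValueError(f"unclosed '{tok}'")
                self.pos += 1                      # consume the matching closer
                if tok == "[":
                    inner.append([])               # optional clause: may be omitted entirely
                piece = inner
            else:
                piece = [[tok]]                    # a literal keyword or parameter
            # Every expansion so far combined with every expansion of the new piece.
            current = [left + right for left, right in product(current, piece)]
        branches.append(current)
        return [exp for branch in branches for exp in branch]


def expand(syntax: str) -> Set[str]:
    """Return every command form permitted by `syntax`, as a set of strings."""
    forms = _Expander(tokenize(syntax)).sequence()
    return {" ".join(words) for words in forms}


def is_valid(syntax: str, command: str) -> bool:
    """True when `command` (extra whitespace ignored) is one of the permitted forms."""
    return " ".join(command.split()) in expand(syntax)


if __name__ == "__main__":
    for form in sorted(expand("set interface vlan1 broadcast { flood | arp [ trace-route ] }")):
        print("ns->", form)
```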

Availability of CLI Commands and Features
As you execute CLI commands using the syntax descriptions in this manual, you may find that certain commands
and command features are unavailable for your NetScreen device model.
Because NetScreen devices treat unavailable command features as improper syntax, attempting to use such a
feature usually generates the unknown keyword error message. When this message appears, confirm the
feature’s availability using the ? switch. For example, the following commands list available options for the set vpn
command:
ns-> set vpn ?
ns-> set vpn vpn_name ?
ns-> set vpn gateway gate_name ?

NETSCREEN DOCUMENTATION
To obtain technical documentation for any NetScreen product, visit www.netscreen.com/support/manuals.html. To
access the latest NetScreen documentation, see the Current Manuals section. To access archived documentation
from previous releases, see the Archived Manuals section.
To obtain the latest technical information on a NetScreen product release, see the release notes document for that
release. To obtain release notes, visit www.netscreen.com/support and select Software Download. Select the
product and version, then click Go. (To perform this download, you must be a registered user.)
If you find any errors or omissions in the following content, please contact us at the e-mail address below:
techpubs@netscreen.com

Chapter
OSPF Task Reference

This chapter describes the Open Shortest Path First (OSPF) routing protocol. The following topics are covered:
• “Overview of OSPF” on page 3
– “Areas” on page 3
– “Router Classification” on page 4
– “Hello Protocol” on page 5
– “Network Types” on page 5
– “Link State Advertisements” on page 7
– “OSPF on NetScreen Devices” on page 8
• “OSPF Commands” on page 10
• “Basic OSPF Configuration Tasks” on page 11
– “Enabling OSPF Instances at the Virtual Router Level” on page 11
– “Removing an OSPF Virtual Routing Instance” on page 12
– “Creating OSPF Areas” on page 13
– “Assigning Interfaces to Areas” on page 14
– “Redistributing Routes” on page 15
• “OSPF Interface Configuration” on page 17
– “Displaying OSPF Interface Details” on page 17
– “Setting a Clear-Text Password on an Interface” on page 18
– “Setting a Cost Value for an OSPF Interface” on page 20
– “Setting a Dead Interval for an OSPF Interface” on page 21
– “Setting a Hello Interval for an OSPF Interface” on page 22

– “Setting a Neighbor List for an OSPF Interface” on page 23
– “Setting a Retransmit Interval for an OSPF Interface” on page 24
– “Setting a Priority Value on an OSPF Interface” on page 25
– “Setting a Transit Delay Value on an OSPF Interface” on page 26
• “OSPF Virtual Link Configuration” on page 27
– “Creating a Virtual Link” on page 27
– “Automatically Creating a Virtual Link” on page 28
– “Creating a Message Digest for a Virtual Link” on page 29
– “Configuring a Clear-Text Password for a Virtual Link” on page 30
– “Creating a Dead Interval for a Virtual Link Neighbor” on page 31
– “Configuring a Retransmit Interval for a Virtual Link” on page 33
– “Configuring a Transit Delay Value for a Virtual Link” on page 34
• “OSPF Information” on page 35
– “Displaying Statistics for an OSPF Routing Instance” on page 35
– “Displaying Details about Redistribution Conditions” on page 37
– “Displaying Details about Redistributed Routes” on page 38
– “Displaying Objects in the OSPF Database” on page 39
– “Displaying Stub Details” on page 40
– “Displaying OSPF Configuration” on page 41
• “Other OSPF Configuration” on page 42
– “Binding OSPF to a Tunnel Interface” on page 42
– “Announcing a Default Route in All Areas” on page 43
– “Configuring Summary Routes” on page 44
– “Removing a Default Route” on page 46
– “Setting an Area Range” on page 47
– “Setting a Hello Flood Attack Threshold” on page 48
– “Setting an LSA Threshold” on page 49
– “Configuring an RFC-1583 Environment” on page 50

OVERVIEW OF OSPF
The Open Shortest Path First (OSPF) protocol is an Interior Gateway Protocol (IGP) intended to operate within a single
Autonomous System (AS). A router running OSPF distributes its state information (that is, usable interfaces and
neighbor reachability) by periodically flooding link-state advertisements (LSAs) throughout the AS.
Each OSPF router uses LSAs from neighboring routers to maintain a link-state database. The link-state database is
a listing of topology and state information for the surrounding networks. The constant distribution of LSAs throughout
the AS enables all routers in an AS to maintain an identical link-state database.
OSPF uses the link-state database to determine the best path to any network within the AS. This is done by
generating a shortest-path tree, which is a graphical representation of the shortest path to any network within the
AS. While all routers have the same link-state database, they all have unique shortest-path trees because routers
always generate the tree with themselves at the top (root) of the tree.
More information on LSAs, link-state databases, and areas is covered later in this chapter.

Areas
OSPF allows networks to be grouped together logically or geographically by the use of areas. Areas also reduce the
amount of routing information passed throughout the network because a router only maintains a link-state database
for the area it resides in. No link-state information is maintained for networks/routers outside the local area.
By default all routers are grouped into a single “backbone” area called area 0 (usually denoted as area 0.0.0.0).
However, large geographically dispersed networks are typically segmented into multiple areas. This is because as
networks grow, link-state databases grow and dividing the link-state database into smaller groups allows for better
scalability. It is important to note that all areas must be directly connected to area 0, with only one exception to be
covered later.

A router that is placed between two areas is called an area border router. Because all areas must be directly
connected to area 0, any area outside of the backbone area is called a stub area. There are two common types of
stub areas used in OSPF, each with its own characteristics:
• Stub area - An area that receives route summaries from the backbone area but does not receive link-state
advertisements from other areas for routes learned through non-OSPF sources (for example, BGP). A stub area can
be considered a Totally Stubby Area if no summary routes are allowed in the stub area.
• Not So Stubby Area (NSSA) - Like a normal stub area, an NSSA cannot receive routes from non-OSPF
sources outside the current area. However, external routes learned within the area can be passed to other
areas.
Areas are configured at the VR level first; interfaces can then be configured to reside in areas defined at the VR
level.

Router Classification
Routers that participate in OSPF routing are classified according to their function or location in the network:
• Internal Router - A router with all interfaces belonging to the same area.
• Backbone Router - A router that has an interface in the backbone area.
• Area Border Router - When an OSPF area borders another area, the router between the two areas is
called an area border router. An area border router (ABR) is a router that has interfaces in multiple areas,
one of which is the backbone area. An ABR summarizes the routes from the non-backbone area for
distribution back to area 0. If a second area is created within ScreenOS, the device functions as an ABR.
• AS Boundary Router - When an OSPF area borders another AS, the router between the two autonomous
systems is called an autonomous system boundary router (ASBR). An ASBR is responsible for advertising
external AS routing information throughout an AS.

Hello Protocol
Two routers with interfaces on the same subnet are considered neighbors. Routers use the hello protocol to
establish and maintain these neighbor relationships. When two routers establish bidirectional communication, they
are said to have established an adjacency. If two routers do not establish an adjacency, they cannot exchange
routing information.
In cases where there are multiple routers on a network, it is necessary to establish one router as the designated
router (DR) and another as the backup designated router (BDR). The designated router is solely responsible for
flooding the network with LSAs containing a list of all OSPF-enabled routers attached to the network. The DR is
considered the most important router in an OSPF network because it is the only router that can form adjacencies
with other routers on the network. Therefore, the DR is the only router on a network that can provide routing
information to other routers. It is this type of hierarchy that enables OSPF to scale while minimizing network
“chatter”. The BDR is responsible for becoming the designated router if the DR should fail.

Network Types
ScreenOS supports the following network types:
• Broadcast Networks
• Non-Broadcast Networks
• Point-to-Point Networks

Broadcast Networks
A broadcast network is a network that connects many routers together and can send, or broadcast, a single physical
message to all the attached routers. Pairs of routers on a broadcast network are assumed to be able to
communicate with each other. Ethernet is an example of a broadcast network.
On broadcast networks, the OSPF router dynamically detects its neighbor routers by sending Hello packets to the
multicast address 224.0.0.5. For broadcast networks, the Hello protocol elects a Designated Router and Backup
Designated Router for the network.

Non-Broadcast Networks
A non-broadcast network is a network that connects many routers together but cannot broadcast messages to
attached routers. On non-broadcast networks, OSPF protocol packets that are normally multicast need to be sent to
each neighboring router.
On non-broadcast networks, OSPF runs in one of two modes:
• Non-broadcast multi-access (NBMA) simulates OSPF operation on a broadcast network
• Point-to-multipoint considers the network to be a collection of point-to-point networks
On non-broadcast networks, you will need to enter configuration information in order for the OSPF router to discover
its neighbors. For NBMA networks, the Hello protocol elects a Designated Router and Backup Designated Router for
the network.

Point-to-Point Networks
A point-to-point network typically joins two routers over a Wide Area Network (WAN). An example of a point-to-point
network is two routers connected by a 56Kb serial line. On point-to-point networks, the OSPF router dynamically
detects neighbor routers by sending Hello packets to the multicast address 224.0.0.5.

Link State Advertisements
Each OSPF router sends out LSAs that define the router’s local state information. Additionally, there are other types
of LSAs that a router can send out, depending upon the router’s OSPF function. The following table summarizes the
LSA types:

LSA Type: Router LSA
  Sent by: All OSPF routers
  Flooded throughout: Area
  Information sent in LSA: Describes the state of all router interfaces throughout the area.

LSA Type: Network LSA
  Sent by: Designated Router on broadcast and NBMA networks
  Flooded throughout: Area
  Information sent in LSA: Contains a list of all routers connected to the network.

LSA Type: Summary LSA
  Sent by: Area Border Routers
  Flooded throughout: Area
  Information sent in LSA: Describes a route to a destination outside the area but still inside the AS. There are
  two types:
  - Type 3 summary-LSAs describe routes to networks.
  - Type 4 summary-LSAs describe routes to AS boundary routers.

LSA Type: AS-External LSA
  Sent by: Autonomous System Boundary Router
  Flooded throughout: Autonomous System
  Information sent in LSA: Routes to a network in another AS. Often, this is the default route (0.0.0.0/0).

OSPF on NetScreen Devices
On NetScreen devices, OSPF is enabled on a virtual router basis and has configuration parameters at the VR level
and the interface level. Since you can have multiple virtual routers in a system, you can also run multiple instances
of OSPF on a single device.
ScreenOS supports OSPF version 2, as defined by RFC 2328. You can also configure OSPF to be compatible with
RFC 1583, an earlier version of OSPF.

OSPF Support on VPN Tunnels
OSPF is supported for IPsec VPN tunnels and requires the use of route-based VPNs. You can enable OSPF on a
VPN that is bound to a single tunnel interface that can be numbered or unnumbered. After binding the VPN to the
tunnel interface, you can enable and configure OSPF in the same way as a physical interface. When OSPF is
enabled for a tunnel interface, the network type is point-to-point.

OSPF Authentication
ScreenOS provides simple password and MD5 authentication to validate OSPF packets received from neighbors.
Authentication can be configured at the virtual router level; in this case, all OSPF interfaces associated with the
virtual router use the same authentication method. Authentication can also be configured at the interface level.
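The MD5 method described above is the cryptographic authentication of RFC 2328, Appendix D. The following Python code is an added example (not ScreenOS code): it builds a constructed OSPF Hello the way a sending router would sign it, then applies the two receiver-side checks, a digest match under the key selected by Key ID, and a cryptographic sequence number that must not go backwards. The shared key, router IDs and packet body are constructed values; zero-padding a short password to 16 bytes is an assumption about the implementation, not something the manual states.

```python
"""Receiver-side check of OSPFv2 cryptographic (MD5) authentication, RFC 2328 Appendix D.

The sender computes MD5 over the OSPF packet (checksum field zero, the 64-bit
authentication field carrying Key ID, Auth Data Length and a cryptographic
sequence number) followed by the 16-byte key, and appends the digest after the
packet. The receiver recomputes the digest with the key named by Key ID and,
if it matches, also requires the sequence number not to go backwards.
"""
import hashlib
import hmac
import struct

# version, type, length, router id, area id, checksum, AuType, 2 zero bytes, key id, auth len, crypto seq
OSPF_HDR = struct.Struct("!BBHIIHHxxBBI")
AUTYPE_CRYPTO = 2
DIGEST_LEN = 16


def _key16(key: bytes) -> bytes:
    """Assumption: the configured password is zero-padded to the 16-byte key RFC 2328 expects."""
    if len(key) > DIGEST_LEN:
        raise ValueError("OSPF MD5 key must be at most 16 bytes")
    return key.ljust(DIGEST_LEN, b"\x00")


def build_packet(ptype: int, router_id: int, area_id: int, key_id: int, seq: int,
                 key: bytes, body: bytes) -> bytes:
    """Sender side: header + body, then the MD5 trailer (the length field excludes the trailer)."""
    length = OSPF_HDR.size + len(body)
    header = OSPF_HDR.pack(2, ptype, length, router_id, area_id, 0, AUTYPE_CRYPTO,
                           key_id, DIGEST_LEN, seq)
    digest = hashlib.md5(header + body + _key16(key)).digest()
    return header + body + digest


def verify(packet: bytes, keys: dict, last_seq: dict) -> bool:
    """Receiver side. `keys` maps Key ID -> key bytes; `last_seq` holds the highest
    sequence number accepted per neighbour (by router ID) and is updated on success."""
    if len(packet) < OSPF_HDR.size:
        return False
    ver, _ptype, length, rid, _area, _csum, autype, key_id, auth_len, seq = OSPF_HDR.unpack_from(packet)
    if ver != 2 or autype != AUTYPE_CRYPTO or auth_len != DIGEST_LEN:
        return False
    if len(packet) != length + DIGEST_LEN:
        return False
    key = keys.get(key_id)
    if key is None:
        return False                     # unknown Key ID: discard the packet
    expected = hashlib.md5(packet[:length] + _key16(key)).digest()
    if not hmac.compare_digest(expected, packet[length:]):
        return False                     # wrong key or modified packet
    if seq < last_seq.get(rid, 0):
        return False                     # sequence went backwards: treat as replay
    last_seq[rid] = seq
    return True


def demo() -> dict:
    """Constructed Hello exchange using the interface defaults quoted in this chapter
    (hello 10 s, dead 40 s, priority 10). Returns the outcome of each receiver check."""
    key = b"ospf-secret"                                   # constructed shared key
    keys = {1: key}
    # Hello body: network mask, hello interval, options, priority, dead interval, DR, BDR
    body = struct.pack("!IHBBIII", 0xFFFFFF00, 10, 0x02, 10, 40, 0, 0)
    good = build_packet(1, 0x0A000001, 0, 1, 100, key, body)
    seen = {}
    results = {"genuine": verify(good, keys, seen)}
    older = build_packet(1, 0x0A000001, 0, 1, 99, key, body)
    results["older_seq"] = verify(older, keys, seen)
    tampered = bytearray(good)
    tampered[OSPF_HDR.size + 7] = 200                      # priority byte of the Hello body
    results["tampered"] = verify(bytes(tampered), keys, seen)
    results["wrong_key"] = verify(build_packet(1, 0x0A000001, 0, 1, 101, b"other", body), keys, seen)
    results["unknown_key_id"] = verify(build_packet(1, 0x0A000001, 0, 2, 101, key, body), keys, seen)
    return results


if __name__ == "__main__":
    for check, accepted in demo().items():
        print(f"{check:15s} accepted={accepted}")
```

Note that RFC 2328 accepts an equal sequence number, so an exact replay of the most recent packet passes the sequence check; the digest only guarantees the packet was produced by a key holder.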

OSPF Interface Characteristics
Several OSPF parameters are configurable at the interface level. The following are OSPF interface characteristics:
• Authentication Type - Authentication enables the interface to verify OSPF communication on the interface.
Two types of authentication exist in ScreenOS: message digest (MD5) password authentication and
clear-text password authentication. An MD5 authentication password requires a 16-digit password string
and a clear-text password requires an eight-digit password string. The MD5 password also requires the
configuration of key strings.
• Cost - In OSPF, a route’s cost determines the desirability of the route. The cost associated with a network
interface depends on the bandwidth of the link to which the interface is connected. The higher the
bandwidth, the lower, or more desirable, the cost value. The default cost is 10.
• Dead Interval - The dead interval is the maximum amount of time that elapses before OSPF determines
one of its neighbors is not running. The default is 40 seconds.
• Hello Interval - The OSPF routing instance sends out Hello packets at regular intervals. The default is 10
seconds.
• Retransmit Interval - The retransmit interval is the amount of time that elapses between LSA
retransmissions for adjacencies that belong to a specified interface. The default is 5 seconds.
• Transit Delay - Transit delay is the amount of time required between transmissions of link-state update
packets sent by the current interface. The default is 1 second.
• Priority - The priority is used when electing the Designated Router and Backup Designated Router. The
higher the number, the more likely the OSPF routing instance is to be elected as a DR or BDR. The default
is 10.

OSPF COMMANDS
Use the ospf context commands and the interface commands to configure OSPF in a NetScreen device.

OSPF Context Initiation
To issue ospf context commands, do the following:
1. Enter the vrouter context by executing the set vrouter command.
ns-> set vrouter vrouter
where vrouter is the name of the virtual router.
2. Enter the ospf context by executing the set protocol ospf command.
ns(trust-vr)-> set protocol ospf
For more information on the ospf context commands, refer to “Context-Sensitive Commands in the CLI” on page
2-58.

BASIC OSPF CONFIGURATION TASKS
The following configuration tasks are mandatory for most OSPF implementations.

Enabling OSPF Instances at the Virtual Router Level
You can enable or disable OSPF instances at the virtual router level or at the interface level. When you enable or
disable OSPF at the virtual router level, all OSPF interfaces inside the virtual router are affected. When you enable
or disable OSPF at the interface level, only the specific OSPF interface is affected.
You can create an instance of OSPF in a virtual router using either the WebUI or the CLI set protocol ospf
command.

Example: Starting an OSPF Instance
In the following example, you enable OSPF in the trust-vr with default options.

WebUI
Network > Routing > Virtual Routers > trust-vr : Select Create OSPF Instance, and then click OK.

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr)-> save

Note: Use the unset protocol ospf command to disable OSPF instances.

Removing an OSPF Virtual Routing Instance
Use the WebUI or the CLI unset enable command to remove the OSPF routing instance from the virtual router on
which it was created.

Example: Disabling OSPF
In the following example, you disable the current OSPF routing instance.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Delete OSPF Instance.

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> unset enable
4. ns(trust-vr/ospf)-> save

Creating OSPF Areas
To configure or display details about OSPF areas on a NetScreen device, use either the WebUI or the CLI set area
commands.

Example: Create an OSPF Area
In the following example, you create an OSPF stub area with an area ID of 10.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance > Area: Enter the following,
and then click OK:
Area ID: 10
Type: stub
Action: Add

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> set area 10 stub
4. ns(trust-vr/ospf)-> save

Assigning Interfaces to Areas
Once an area is created at the VR level, you can assign an interface to the area, using either the WebUI or the CLI
set interface command.

Example: Assigning an Interface to an OSPF Area
In the following example, you assign interface ethernet1 to OSPF area 10.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance > Area > Configure (for
Area 10) > ethernet1: Use the Add button to move the interface from the Available Interfaces column to the
Selected Interfaces column. Click OK.

CLI
1. ns-> set interface ethernet1 protocol ospf area 10
2. ns-> save

Redistributing Routes
Redistribution is the process of importing a route into the current routing domain from another part of the network
that uses another routing protocol. This process allows the translation of routing information, particularly known
routes, from the other routing protocol. For example, if you are on an OSPF network and a BGP network, the OSPF
domain can import all known routes from the BGP network to allow devices in the OSPF routing domain to reach
devices on the BGP network.
When a route is redistributed, it affects the number of external LSAs generated in a given domain. For external LSAs
to be advertised, the router performs redistribution. To configure route redistribution, determine which routing
protocol is the source of the routes and which routing protocol is the destination, or target, protocol that will advertise
these newly-learned external routes. Because different protocols are imported using different preferences,
redistribution provides a local preference value as a way of comparing path desirability between protocols.
When you configure route redistribution, you must first specify a route map that defines the routes to be distributed.
For more information on configuring route maps, refer to “Route Redistribution” on page 2 -74.
You can redistribute routes using either the WebUI or the CLI set redistribute route-map commands.


Example: Redistributing a BGP Route into OSPF
In the following example, you redistribute a route that originated from a BGP routing domain into the current OSPF
routing domain. Both the CLI and WebUI examples assume that you previously created a route map called map1.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance > Redistributable Rules: Enter
the following, and then click Add:
Route Map: map1
Protocol: BGP

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> set redistribute route-map map1 protocol bgp
4. ns(trust-vr/ospf)-> save
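As an added illustration (not part of the original guide and not ScreenOS code), the following Python models the route-map step that the redistribution text above requires: a route map is evaluated entry by entry against each route learned from BGP, and only routes a permit entry matches become OSPF external routes, carrying a cost, ASE type and tag like the columns of the get rules-redistribute output later in this chapter. The entry fields, function names, the map1 contents and the sample BGP routes are assumptions of this example.

```python
"""Model of route-map-controlled redistribution into OSPF.

Added example (not ScreenOS code): it models what the text describes, a route
map that decides which routes learned from another protocol (here BGP) become
OSPF AS-external routes and what cost, ASE type and tag they carry. The entry
fields, function names and sample routes are assumptions for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class RouteMapEntry:
    action: str                         # "permit" or "deny"
    match_prefix: Optional[str] = None  # route must lie inside this prefix; None matches any
    set_metric: Optional[int] = None    # cost stamped on the external route
    set_tag: Optional[str] = None       # tag stamped on the external route


@dataclass(frozen=True)
class ExternalRoute:
    prefix: str
    cost: int
    ase_type: int
    tag: str


def apply_route_map(entries, prefix, default_cost=10, default_tag="0.0.0.0"):
    """Evaluate one route against the entries in order (first match wins).

    Returns an ExternalRoute when a permit entry matches, None when a deny entry
    matches or nothing matches (an implicit deny at the end of the route map).
    """
    net = ipaddress.ip_network(prefix)
    for entry in entries:
        if entry.match_prefix is not None:
            if not net.subnet_of(ipaddress.ip_network(entry.match_prefix)):
                continue
        if entry.action == "deny":
            return None
        cost = entry.set_metric if entry.set_metric is not None else default_cost
        tag = entry.set_tag if entry.set_tag is not None else default_tag
        return ExternalRoute(prefix, cost, 1, tag)   # ASE type 1, as in the page's examples
    return None


def redistribute(route_map, source_routes):
    """Return the subset of source_routes that the route map admits into OSPF."""
    result = []
    for prefix in source_routes:
        ext = apply_route_map(route_map, prefix)
        if ext is not None:
            result.append(ext)
    return result


# Constructed sample: "map1" admits only routes inside 10.0.0.0/8 and tags them;
# everything else hits the explicit deny.
MAP1 = [
    RouteMapEntry("permit", "10.0.0.0/8", set_metric=20, set_tag="0.0.0.10"),
    RouteMapEntry("deny"),
]
BGP_ROUTES = ["10.1.0.0/16", "192.168.1.0/24", "10.2.3.0/24"]

if __name__ == "__main__":
    for route in redistribute(MAP1, BGP_ROUTES):
        print(route)
```

The point of the explicit match prefix is that a route map with a bare permit entry admits every route the other protocol knows, which is how a single misconfigured peer can push its entire table into the OSPF domain as external LSAs.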


OSPF INTERFACE CONFIGURATION
This section describes OSPF interface configuration tasks.

Displaying OSPF Interface Details
Use the CLI get interface command to display details of the interface for which you have configured an OSPF
routing instance.

Example: Displaying OSPF Interface Information
In the following example, you display details of the interface for which you have configured an OSPF routing
instance.

WebUI
Note: You can only view OSPF configuration details for an interface through the CLI.

CLI
ns-> get interface ethernet1 protocol ospf
VR: trust-vr RouterId: 212.1.1.1
----------------------------------
Interface: ethernet2/1
IpAddr: 20.20.20.20/16, OSPF: enabled, Router: enabled
Type: Ethernet Area: 0.0.0.10 Priority: 100 Cost: 1
Transit delay: 60s Retransmit interval: 5s Hello interval: 10s
Router Dead interval: 40s Authentication-Type: MD-5
Authentication-Key: ****************
MD-5 KeyId: 1
State: Designated Router DR: 20.20.20.20(self) BDR: 0.0.0.0
Neighbors:
Valid neighbor access list numbers in Vrouter (trust-vr)
----------------------------------------------------------------------


Setting a Clear-Text Password on an Interface
To configure a clear-text password as an authentication method for OSPF communication on an interface, use either
the WebUI or the CLI set interface command.

Example: Configuring the Clear-Text Password Authentication Method
In this example, you set a clear-text password 12345678 for OSPF on interface ethernet1.

WebUI
Network > Interfaces > Edit (for ethernet1) > OSPF: Enter the following, and then click Apply:
Password: (select), 12345678

CLI
1. ns-> set interface ethernet1 protocol ospf authentication password 12345678
2. ns-> save


Setting an MD5 Password on an Interface
To configure a message digest (MD5) password as an authentication method for all OSPF communication on an
interface, use either the WebUI or the CLI set interface command.

Example: Configuring the MD5 Password Authentication Method
In the following example, you set a message digest password 1234567890123456 and a key ID 1 for OSPF on
interface ethernet1.

WebUI
Network > Interfaces > Edit (for ethernet1) > OSPF: Enter the following, and then click Apply:
MD5 Key: (select), 1234567890123456
Key ID: 1

CLI
1. ns-> set interface ethernet1 protocol ospf authentication md5 1234567890123456 key 1
2. ns-> save
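The clear-text and MD5 methods of the two preceding sections put very different things on the wire. The following Python is an added example, not ScreenOS code: it builds a minimal OSPF Hello, fills the header's 8-byte authentication field the way RFC 2328 Appendix D specifies for AuType 1 (clear-text password) and AuType 2 (MD5 key identified by key ID, with a cryptographic sequence number), and implements the receiver-side digest and sequence checks. The password and key values are the ones from the examples above; the router ID, area ID, Hello body contents and all function names are constructed for this example.

```python
"""OSPF packet authentication on the wire (RFC 2328 Appendix D).

Added example, not ScreenOS code. Key values come from the examples above;
router ID, area ID, the Hello body and all function names are constructed.
"""
import hashlib
import hmac
import struct

OSPF_VERSION = 2
HELLO = 1
AU_CLEARTEXT, AU_CRYPTO = 1, 2
HDR = "!BBH4s4sHH8s"   # version, type, length, router id, area id, checksum, autype, auth field


def _ip(dotted):
    return bytes(int(o) for o in dotted.split("."))


# Constructed Hello body: mask 255.255.0.0, hello 10 s, options, priority 100,
# dead 40 s, DR 20.20.20.20, BDR 0.0.0.0 (mirrors the get interface output above).
HELLO_BODY = struct.pack("!4sHBBI4s4s", _ip("255.255.0.0"), 10, 0x02, 100, 40,
                         _ip("20.20.20.20"), _ip("0.0.0.0"))


def _header(body_len, autype, auth_field, router_id="20.20.20.20", area_id="0.0.0.10"):
    """24-byte OSPF header; the checksum is left 0 (it is not used with AuType 2)."""
    return struct.pack(HDR, OSPF_VERSION, HELLO, 24 + body_len, _ip(router_id), _ip(area_id),
                       0, autype, auth_field)


def cleartext_packet(body, password):
    """AuType 1: the password (up to 8 bytes, zero padded) rides in the header in the clear."""
    return _header(len(body), AU_CLEARTEXT, password.encode()[:8].ljust(8, b"\0")) + body


def md5_packet(body, key, key_id, seq):
    """AuType 2: the header carries key ID, digest length (16) and a sequence number;
    MD5(packet || key), key zero padded to 16 bytes, is appended after the packet."""
    auth_field = struct.pack("!HBBI", 0, key_id, 16, seq)
    pkt = _header(len(body), AU_CRYPTO, auth_field) + body
    return pkt + hashlib.md5(pkt + key.encode()[:16].ljust(16, b"\0")).digest()


def verify_md5(data, keys, last_seq):
    """Receiver side. keys maps key ID -> key; last_seq is the highest sequence
    number already accepted from this neighbor. Returns (ok, reason, new_last_seq)."""
    if len(data) < 24 + 16:
        return False, "short packet", last_seq
    ver, _ptype, plen, _rid, _aid, _csum, autype, auth = struct.unpack(HDR, data[:24])
    if ver != OSPF_VERSION or autype != AU_CRYPTO:
        return False, "version or autype mismatch", last_seq
    _reserved, key_id, auth_len, seq = struct.unpack("!HBBI", auth)
    if auth_len != 16 or len(data) != plen + 16:
        return False, "bad length", last_seq
    if key_id not in keys:
        return False, "unknown key id", last_seq
    if seq < last_seq:                       # D.4.3: the sequence number must not go backwards
        return False, "replayed sequence", last_seq
    padded = keys[key_id].encode()[:16].ljust(16, b"\0")
    expected = hashlib.md5(data[:plen] + padded).digest()
    if not hmac.compare_digest(expected, data[plen:]):
        return False, "bad digest", last_seq
    return True, "ok", seq


if __name__ == "__main__":
    ct = cleartext_packet(HELLO_BODY, "12345678")
    print("password visible in clear-text packet:", b"12345678" in ct)
    pkt = md5_packet(HELLO_BODY, "1234567890123456", key_id=1, seq=1000)
    print("key visible in MD5 packet:", b"1234567890123456" in pkt)
    print(verify_md5(pkt, {1: "1234567890123456"}, last_seq=0))
```

With AuType 1 the password is readable in every packet captured on the segment, so it protects only against accidental adjacencies; with AuType 2 the key never leaves the router, and the receiver's sequence-number check is what stops an old captured packet from being accepted again, which is why each neighbor's last accepted sequence number has to be tracked. The key ID lets two routers roll to a new key without a gap in authentication.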


Setting a Cost Value for an OSPF Interface
You can set a cost value for an OSPF interface using either the WebUI or the CLI set interface command.

Example: Configuring the Cost for an OSPF Interface
In this example, you set a cost value of 20 for OSPF on interface ethernet1.

WebUI
Network > Interfaces > Edit (for ethernet1) > OSPF: Enter the following, and then click Apply:
Cost: 20

CLI
1. ns-> set interface ethernet1 protocol ospf cost 20
2. ns-> save


Setting a Dead Interval for an OSPF Interface
A dead interval is the maximum amount of time that can elapse before a neighbor is declared down.
To set a dead interval value on a physical interface on a NetScreen device, use either the WebUI or the CLI set
interface command.

Example: Configuring the Dead Interval
In this example, you set a dead interval of 100 seconds for OSPF on interface ethernet1.

WebUI
Network > Interfaces > Edit (for ethernet1) > OSPF: Enter the following, and then click Apply:
Neighbor Dead Interval: 100

CLI
1. ns-> set interface ethernet1 protocol ospf dead-interval 100
2. ns-> save


Setting a Hello Interval for an OSPF Interface
A hello interval is the amount of time that elapses between successive hello packets sent out to the network by the
current routing instance. To set a hello interval, use either the WebUI or the CLI set interface command.

Example: Configuring the Hello Interval
In this example, you set a hello interval of 100 seconds for OSPF on interface ethernet1.

WebUI
Network > Interfaces > Edit (for ethernet1) > OSPF: Enter the following, and then click Apply:
Hello Interval: 100

CLI
1. ns-> set interface ethernet1 protocol ospf hello-interval 100
2. ns-> save


Setting a Neighbor List for an OSPF Interface
You can configure a list of peers or neighbors to the current OSPF virtual routing instance, using either the WebUI or
the CLI set interface command.

Example: Configuring a Neighbor List
In this example, you create a neighbor list for OSPF on interface ethernet1.

WebUI
Network > Interfaces > Edit (for ethernet1) > OSPF: Enter the following, and then click Apply:
Neighbor List: 4 | 5 | 6

CLI
1. ns-> set interface ethernet1 protocol ospf neighbor-list 4 5 6
2. ns-> save


Setting a Retransmit Interval for an OSPF Interface
A retransmit interval value specifies the amount of time, in seconds, that elapses before the interface resends an
LSA to a neighbor that did not respond to the original LSA. You can specify a retransmit interval for an OSPF
interface using either the WebUI or the CLI set interface command.

Example: Configuring the Retransmit Interval
In the following example, you set a retransmit interval of 100 seconds for OSPF on interface ethernet1.

WebUI
Network > Interfaces > Edit (for ethernet1) > OSPF: Enter the following, and then click Apply:
Retransmit Interval: 100

CLI
1. ns-> set interface ethernet1 protocol ospf retransmit-interval 100
2. ns-> save


Setting a Priority Value on an OSPF Interface
Routers on a network go through an election process to choose the designated router (DR). Each router compares
its priority value with those of the other routers; the router with the highest value has the best (although not
guaranteed) chance of being elected the DR. You can configure a priority value on an OSPF interface using either
the WebUI or the CLI set interface command.

Example: Configuring the Priority Value
In this example, you set a priority value of 100 for OSPF interface ethernet1.

WebUI
Network > Interfaces > Edit (for ethernet1) > OSPF: Type 100 in the Priority field, and then click Apply.

CLI
1. ns-> set interface ethernet1 protocol ospf priority 100
2. ns-> save
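The dead interval, hello interval, neighbor list and priority settings of the preceding sections all take effect when a Hello arrives on the interface. The following Python is an added model, not ScreenOS code: accept_hello applies the checks a router makes before it will form an adjacency (matching area, matching timers as RFC 2328 section 10.5 requires, and, as an assumption about how the neighbor list is matched, the source address against a list of permitted prefixes), check_timers lints a timer pair such as the hello 100 / dead 100 combination the examples above set on the same interface, and elect_dr is a simplified DR election driven by priority. All names and sample values are constructed.

```python
"""Hello acceptance, timer lint and DR election for one OSPF interface.

Added example, not ScreenOS code. The neighbor list is modelled as a list of
permitted source prefixes (an assumption); all names and values are constructed.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class InterfaceConfig:
    area_id: str = "0.0.0.10"
    hello_interval: int = 10
    dead_interval: int = 40
    priority: int = 1
    neighbor_list: list = field(default_factory=list)   # permitted source prefixes; empty = any


@dataclass
class Hello:
    src_ip: str
    router_id: str
    area_id: str
    hello_interval: int
    dead_interval: int
    priority: int


def accept_hello(cfg, hello):
    """Return None if the Hello may start or maintain an adjacency, else the drop reason."""
    if hello.area_id != cfg.area_id:
        return "area mismatch"
    # RFC 2328 10.5: HelloInterval and RouterDeadInterval must match exactly.
    if hello.hello_interval != cfg.hello_interval:
        return "hello-interval mismatch"
    if hello.dead_interval != cfg.dead_interval:
        return "dead-interval mismatch"
    if cfg.neighbor_list:
        src = ipaddress.ip_address(hello.src_ip)
        if not any(src in ipaddress.ip_network(p) for p in cfg.neighbor_list):
            return "source not in neighbor list"
    return None


def check_timers(cfg):
    """Lint the timer pair. hello 100 / dead 100 (both used in the examples above on
    the same interface) declares a neighbor down as soon as a single Hello is late."""
    problems = []
    if cfg.dead_interval <= cfg.hello_interval:
        problems.append("dead-interval must be greater than hello-interval")
    elif cfg.dead_interval < 3 * cfg.hello_interval:
        problems.append("fewer than three Hellos can be lost before the neighbor is declared down")
    return problems


def elect_dr(candidates):
    """candidates: [(router_id, priority)]. Priority 0 is ineligible; the highest priority
    wins and ties go to the highest router ID (RFC 2328 9.4 without incumbency)."""
    eligible = [(prio, int(ipaddress.ip_address(rid)), rid) for rid, prio in candidates if prio > 0]
    return max(eligible)[2] if eligible else None


if __name__ == "__main__":
    cfg = InterfaceConfig(neighbor_list=["20.20.0.0/16"])
    print(accept_hello(cfg, Hello("20.20.20.30", "3.3.3.3", "0.0.0.10", 10, 40, 50)))
    print(accept_hello(cfg, Hello("10.1.1.1", "3.3.3.3", "0.0.0.10", 10, 40, 50)))
    print(check_timers(InterfaceConfig(hello_interval=100, dead_interval=100)))
    print(elect_dr([("1.1.1.1", 100), ("2.2.2.2", 1), ("9.9.9.9", 0)]))
```

Because the timers are compared exactly, changing the hello or dead interval on one side of a link silently breaks the adjacency until the neighbor is changed too; and because the priority only influences the election, a router you want excluded from ever becoming DR needs priority 0, not merely a low value.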


Setting a Transit Delay Value on an OSPF Interface
To set the amount of time between transmissions of link-state update packets on an interface, you need to set a
transit delay value. To configure a transit delay value on an OSPF interface, use either the WebUI or the CLI set
interface command.

Example: Configuring the Transit Delay
In the following example, you set a transit delay of 10 seconds on OSPF interface ethernet1.

WebUI
Network > Interfaces > Edit (for ethernet1) > OSPF: Type 10 in the Transit Delay field, and then click
Apply.

CLI
1. ns-> set interface ethernet1 protocol ospf transit-delay 10
2. ns-> save


OSPF VIRTUAL LINK CONFIGURATION
This section describes OSPF virtual link configuration tasks.

Creating a Virtual Link
All areas in an OSPF internetwork must connect directly to the backbone area. Sometimes, you need to create a
new area that is not physically connected to the backbone area. To solve this problem, you configure a virtual link.
The virtual link provides a remote area with a logical path to the backbone through another area.
To create or display details about a virtual link for the current routing instance, use the WebUI or the CLI set vlink
commands.

Example: Creating a Virtual Link to the Backbone Area
In the following example, you create a virtual link through area 0.0.0.10 to the router with router ID 10.10.10.20.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance > Virtual Link: Enter the
following, and then click Add:
Area ID: 0.0.0.10
Router ID: 10.10.10.20

CLI
1. ns(trust-vr/ospf)-> set vlink area 0.0.0.10 router-id 10.10.10.20
2. ns(trust-vr/ospf)-> save


Automatically Creating a Virtual Link
You can direct a virtual router to automatically create a virtual link for instances when it cannot reach the network
backbone. Having the virtual router automatically create virtual links replaces the more time-consuming process of
creating each virtual link manually. You configure a virtual router to automatically create virtual links using either the
WebUI or the CLI set auto-vlink command.

Example: Creating an Automatic Virtual Link
In the following example, you configure automatic virtual link creation.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance: Select Automatically
generate virtual links and then click OK.

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> set auto-vlink
4. ns(trust-vr/ospf)-> save


Creating a Message Digest for a Virtual Link
To enable MD5 authentication for a virtual link on an OSPF virtual routing instance, use either the WebUI or the CLI
set vlink authentication md5 command.

Example: Creating a Virtual Link with MD5 Authentication
In the following example, you create a virtual link with an area ID of 10, a router ID of 10.10.10.20, and an MD5
password of 1234567890123456.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance > Virtual Link: Enter the
following, and then click Add:
Area ID: 0.0.0.10
Router ID: 10.10.10.20
> Configure: Enter the following, and then click OK:
Authentication
MD5: (select)
MD5 Key (16 characters): 1234567890123456

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> set vlink area-id 0.0.0.10 router-id 10.10.10.20 authentication-type md5 1234567890123456
4. ns(trust-vr/ospf)-> save


Configuring a Clear-Text Password for a Virtual Link
To configure a clear-text password as an authentication method for a virtual link on an OSPF virtual routing instance,
use either the WebUI or the CLI set vlink authentication command.

Example: Creating a Virtual Link with Clear-Text Password
In the following example, you create a virtual link with an area ID of 10, a router ID of 10.10.10.20, and a clear-text
password with a value of 12345678.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance > Virtual Link: Enter the
following, and then click Add:
Area ID: 0.0.0.10
Router ID: 10.10.10.20
> Configure: Enter the following, and then click OK:
Authentication
Password: (Selected)
Password (8 characters): 12345678

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> set vlink area-id 0.0.0.10 router-id 10.10.10.20 authentication-type password 12345678
4. ns(trust-vr/ospf)-> save


Creating a Dead Interval for a Virtual Link Neighbor
To create a dead interval for a neighbor that is reachable across a virtual link, use the WebUI or the CLI set vrouter
protocol ospf vlink dead-interval command.

Example: Configuring a Virtual Link Neighbor Dead Interval
In the following example, you create a virtual link with an area ID of 10, a router ID of 10.10.10.20, and a dead
interval of 50 seconds.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance > Virtual Link: Enter the
following, and then click Add:
Area ID: 0.0.0.10
Router ID: 10.10.10.20
> Configure: In the Router Dead Interval field, type 50, and then click OK.

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> set vlink area 0.0.0.10 router 10.10.10.20 dead-interval 50
4. ns(trust-vr/ospf)-> save


Creating a Hello Interval for a Virtual Link
To create a hello interval for a virtual link on an OSPF virtual routing instance, use the WebUI or the CLI set vrouter
protocol ospf hello-interval command.

Example: Configuring a Virtual Link Hello Interval
In the following example, you create a virtual link with an area ID of 10, a router ID of 10.10.10.20, and a hello
interval of 30 seconds.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance > Virtual Link: Enter the
following, and then click Add:
Area ID: 0.0.0.10
Router ID: 10.10.10.20
> Configure: In the Hello Interval field, type 30, and then click OK.

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> set vlink area 0.0.0.10 router 10.10.10.20 hello-interval 30
4. ns(trust-vr/ospf)-> save


Configuring a Retransmit Interval for a Virtual Link
To specify the time between link-state advertisement (LSA) retransmissions for adjacencies across a virtual link
interface, use the WebUI or the CLI set vlink area router retransmit-interval command.

Example: Configuring a Virtual Link Retransmit Interval
In this example, you create a virtual link with an area ID of 10, a router ID of 10.10.10.20, and a retransmit interval of
20 seconds.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance > Virtual Link: Enter the
following, and then click Add:
Area ID: 0.0.0.10
Router ID: 10.10.10.20
> Configure: In the Retransmit Interval field, type 20, and then click OK.

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> set vlink area 0.0.0.10 router 10.10.10.20 retransmit-interval 20
4. ns(trust-vr/ospf)-> save


Configuring a Transit Delay Value for a Virtual Link
To configure the amount of time required between transmissions of link-state update packets being sent by the
current virtual link, use the WebUI or the CLI set vlink transit-delay command.

Example: Configuring a Virtual Link Transit Delay
In this example, you create a virtual link with an area ID of 10, a router ID of 10.10.10.20, and a transit delay of 100
seconds.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance > Virtual Link: Enter the
following, and then click Add:
Area ID: 0.0.0.10
Router ID: 10.10.10.20
> Configure: In the Transit Delay field, type 100, and then click OK.

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> set vlink area 0.0.0.10 router-id 10.10.10.20 transit-delay 100
4. ns(trust-vr/ospf)-> save


OSPF INFORMATION
This section describes tasks for displaying OSPF information.

Displaying Statistics for an OSPF Routing Instance
Use the CLI get statistics command to display information about the following objects associated with an OSPF
routing instance:
• Hello Packets
• Link State Requests
• Link State Acknowledgments
• Link State Updates
• Database Descriptions
• Areas Created
• Shortest Path First Runs
• Packets Dropped
• Errors Received
• Bad Link State Requests

Example: Displaying OSPF Statistics
In the following example, you display information about various statistics recorded for OSPF in the trust-vr virtual
router.

WebUI

Note: You can only display these statistics through the CLI.

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> get statistics
VR: untrust-vr RouterId: 0.0.0.0
----------------------------------
Packet Type Transmit Receive
---------------------------------------------------------------------
Hello 0 0
LS Request 0 0
LS Acknowledge 0 0
LS Update 0 0
Database Desc 0 0

AreaId SPF Runs
--------------------------------------------
0.0.0.0 1
0.0.0.10 0

Packets Dropped:
None

Receive Errors:
None

Bad LS Requests: 0

Note: Use the clear command to reset all packet types to 0.
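The output above lends itself to periodic polling from a monitoring host. As an added example (not ScreenOS code), the following Python parses a constructed copy of the get statistics output in which some counters are nonzero, and flags the values worth alerting on: SPF churn in an area, any dropped packets or receive errors, and bad link state requests. The layout of non-empty Packets Dropped and Receive Errors entries is assumed to be a reason followed by a count, since the page only shows None for them.

```python
"""Parse and check the output of `get statistics` for an OSPF instance.

Added example, not ScreenOS code. SAMPLE is a constructed copy of the output
format above with nonzero values; the layout of non-empty Packets Dropped and
Receive Errors entries ("<reason> <count>") is an assumption.
"""
import re

SAMPLE = """\
VR: trust-vr RouterId: 1.1.1.2
----------------------------------
Packet Type Transmit Receive
---------------------------------------------------------------------
Hello 120 118
LS Request 2 2
LS Acknowledge 5 5
LS Update 5 5
Database Desc 3 3

AreaId SPF Runs
--------------------------------------------
0.0.0.0 1
0.0.0.10 14

Packets Dropped:
Bad checksum 4

Receive Errors:
None

Bad LS Requests: 3
"""


def parse_ospf_statistics(text):
    """Turn the CLI text into a dict of counters keyed by section."""
    stats = {"packets": {}, "spf_runs": {}, "dropped": {}, "errors": {}, "bad_ls_requests": 0}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-"):
            continue                                   # blank lines and rules
        m = re.match(r"VR:\s*(\S+)\s+RouterId:\s*(\S+)", line)
        if m:
            stats["vr"], stats["router_id"] = m.groups()
            continue
        if line.startswith("Packet Type"):
            section = "packets"
            continue
        if line.startswith("AreaId"):
            section = "spf_runs"
            continue
        if line.startswith("Packets Dropped"):
            section = "dropped"
            continue
        if line.startswith("Receive Errors"):
            section = "errors"
            continue
        m = re.match(r"Bad LS Requests:\s*(\d+)", line)
        if m:
            stats["bad_ls_requests"] = int(m.group(1))
            section = None
            continue
        if section == "packets":
            m = re.match(r"(.+?)\s+(\d+)\s+(\d+)$", line)   # "<type> <tx> <rx>"
            if m:
                stats["packets"][m.group(1)] = {"tx": int(m.group(2)), "rx": int(m.group(3))}
        elif section == "spf_runs":
            area, runs = line.split()
            stats["spf_runs"][area] = int(runs)
        elif section in ("dropped", "errors") and line != "None":
            reason, _, count = line.rpartition(" ")          # assumed "<reason> <count>"
            stats[section][reason] = int(count) if count.isdigit() else count
    return stats


def anomalies(stats, max_spf_runs=10):
    """Counters worth an alert since the last clear."""
    findings = []
    for area, runs in stats["spf_runs"].items():
        if runs > max_spf_runs:
            findings.append(f"area {area}: {runs} SPF runs since clear")
    for reason, count in stats["dropped"].items():
        findings.append(f"dropped packets: {reason}={count}")
    for reason, count in stats["errors"].items():
        findings.append(f"receive errors: {reason}={count}")
    if stats["bad_ls_requests"]:
        findings.append(f"bad LS requests: {stats['bad_ls_requests']}")
    return findings


if __name__ == "__main__":
    for finding in anomalies(parse_ospf_statistics(SAMPLE)):
        print(finding)
```

Because the clear command resets these counters, a poller should record the time of the last clear and compare deltas between polls rather than absolute values; a rising SPF run count in one area with no planned change is the usual first sign of a flapping link or of unexpected LSAs entering the area.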


Displaying Details about Redistribution Conditions
Use either the WebUI or the CLI get rules-redistribute command to display details about conditions set for routes
that have been imported from a non-OSPF router in another routing domain.

Example: Displaying Redistribution Conditions
In the following example, you display the currently configured redistribution rules.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance > Redistributable Rules

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> get rules-redistribute
VR: trust-vr RouterId: 1.1.1.2
----------------------------------
trust-vr
==========
Redistribution Rules
--------------------------------------------------
IP-Prefix Source-Protocol Cost ASE-Type Tag
-------------------------------------------------------------------------------
100.123.1.4/16 any 10 1 0.0.0.10


Displaying Details about Redistributed Routes
Use the CLI get routes-redistribute command to display details about routes that have been imported from a
non-OSPF router in another routing domain by the current OSPF virtual routing instance.

Example: Displaying Redistributed Routes Details
In the following example, you display information about routes that have been imported from a non-OSPF router in
another routing domain by the current OSPF routing instance.

WebUI

Note: You can only display these details through the CLI.

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> get routes-redistribute
VR: trust-vr RouterId: 1.1.1.2
----------------------------------
IP-Prefix Cost ASE-Type Forwarding-IP Tag
----------------------------------------------------------------
1.1.1.0 20 1 0.0.0.0 0.0.0.0


Displaying Objects in the OSPF Database
Use the CLI get database command to display objects in the current OSPF router’s database.

Example: Displaying OSPF Database Objects
In the following example, you display details about router LSAs for area 0 in the OSPF database of the current OSPF
routing instance.

WebUI

Note: You can only use the CLI to display this information.

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> get database area 0 router
Link-State-Id Adv-Router-ID Age Sequence Checksum
----------------------------------------------------------
20 1.1.1.0 20 2 1


Displaying Stub Details
Use the WebUI or the CLI get stub command to display details about a stub area that has been created on the
current OSPF virtual routing instance.

Example: Displaying Stub Area Details
In the following example, you display the stub type created on the current OSPF routing instance.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance > Area > Configure

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> get stub
VR: untrust-vr RouterId: 0.0.0.0
----------------------------------
Area-ID: 0.0.0.10 (Stub)
Total number of interfaces is 0, Active number of interfaces is 0
Route Imports: None, SPF Runs: 0
Number of ABR(s): 0, Number of ASBR(s): 0
Number of LSA(s): 0, Checksum: 0x0
Default route metric type is ext-type-1, metric is 1
Type-3 LSA Filter: disabled


Displaying OSPF Configuration
Use the CLI get config command to display the OSPF configuration.

Example: List OSPF Configuration Commands
In the following example, you display a list of all OSPF configuration commands.

WebUI

Note: To view the OSPF commands, you must use the CLI.

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> get config
VR: untrust-vr RouterId: 0.0.0.0
----------------------------------
set protocol ospf
set disable
set auto-vlink
set advertise-def-route always metric 10 metric-type 1
set area 0.0.0.10 nssa
exit


OTHER OSPF CONFIGURATION
This section describes other OSPF configuration tasks.

Binding OSPF to a Tunnel Interface
To bind a tunnel interface to an OSPF routing instance on a NetScreen device, use either the WebUI or the CLI set
interface tunnel command.

Example: Binding a Tunnel to an OSPF Routing Instance
In the following example, you bind OSPF to the tunnel interface tunnel.1.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance > Area > Configure: Enter the
following, and then click Apply:
Available Interfaces: tunnel.1
Use the Add button to move the tunnel.1 interface from the Available
Interfaces column to the Selected Interfaces column.

CLI
1. ns-> set interface tunnel.1 protocol ospf
2. ns-> save


Announcing a Default Route in All Areas
Every router has a default route in its routing table. The default route matches every destination network in a routing
table, although a more specific prefix overrides the default route. Typically, the default route is 0.0.0.0/0.
Use either the WebUI or the CLI set advertise-default-route command to advertise or display the current default
route throughout an AS.

Example: Advertising the Default Route
In the following example, you advertise the current OSPF routing instance’s default route.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance: Select Advertising Default
Route Enable, and then click OK.

Note: The default metric is 1 and the default metric-type is ASE type 1.

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> set advertise-default-route always metric 1 metric-type 1
4. ns(trust-vr/ospf)-> save


Configuring Summary Routes
In large internetworks, hundreds or even thousands of network addresses can exist. In these environments, some
routers may become overly congested with route information. Route aggregation, also called route summarization,
reduces the number of routes that a router must maintain because it represents a series of network addresses as a
single summary address. Another advantage to using route summarization in a large, complex network is that it can
isolate topology changes from other routers. That is, if a specific link in a given domain is intermittently failing, the
summary route would not change, so no router external to the domain would need to keep modifying its routing table
due to the link failure.
In addition to creating fewer entries in the routing tables on the backbone routers, route summarization prevents the
propagation of LSAs to other areas when one of the summarized networks goes down or comes up. You can
summarize inter-area routes or external routes.
Once you have redistributed a series of routes from an external protocol to the current OSPF routing instance, you
can bundle the routes into one generalized or summarized network route. By summarizing multiple addresses, you
enable a series of routes to be recognized as one route, simplifying the process. Note that you need a route map to
perform a redistribution.
Use either the WebUI or the CLI set summary-import command to summarize route redistribution.


Example: Summarizing Redistributed Routes
In the following example, you summarize a set of redistributed routes under the network address 2.1.1.0/16.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance > Summary Import: Enter the
following, and then click Add:
IP/Netmask: 2.1.1.0/16
Tag: 20

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> set redistribute route-map abcd protocol static
4. ns(trust-vr/ospf)-> set redistribute route-map abcd protocol bgp
5. ns(trust-vr/ospf)-> set summary-import 2.1.1.0/16 tag 20
6. ns(trust-vr/ospf)-> save


Removing a Default Route
Use either the WebUI or the CLI set reject-default-route command to remove a default route learned from OSPF.

Example: Removing the Default Route from the Route Table
In the following example, you specify that a default route not be learned from OSPF.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance: Select the Do not add
default-route learned in OSPF check box and then click OK.

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> set reject-default-route
4. ns(trust-vr/ospf)-> save


Setting an Area Range
Configuring an area range allows an area border router to summarize the networks advertised within an area. An
area range allows a group of subnets to be consolidated into a single network address to be advertised in a
summary link advertisement. When you configure an area range, you can also specify whether to advertise or to
withhold the area range defined.
To configure an area range, use either the WebUI or the CLI set area command.

Example: Configuring an Area Range
In the following example, you create an area range of 20.20.0.0/16 for the area 0.0.0.10.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance > Area > Configure (for
0.0.0.10): Enter the following, and then click OK:
IP: 20.20.0.0
NetMask: 255.255.0.0
Type: (select) Advertise
Action: Add

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> set area 0.0.0.10 range 20.20.0.0/16 advertise
4. ns(trust-vr/ospf)-> save


Setting a Hello Flood Attack Threshold
Use the WebUI or the CLI set hello-threshold command to configure the maximum number of hello packets
allowed within a specified amount of time.

Example: Configuring the Hello Threshold
In the following example, you configure a threshold of 20 packets.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance: Enter the following, and then
click Apply:
Prevent Hello Packet Flooding Attack: On
Max hello packet: 20

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> set hello-threshold 20
4. ns(trust-vr/ospf)-> save


Setting an LSA Threshold
Link State Advertisements (LSAs) enable OSPF routers to provide device, network, and routing information for the
link state database. Each router retrieves information from the LSAs sent by other routers on the network to distill
path information for the routing table. LSA flood protection enables you to manage the number of LSAs entering the
virtual router. If the virtual router receives too many LSAs, it fails because of LSA flooding.
To limit the number of LSAs that the virtual router accepts within a certain amount of time, use either the WebUI or
the CLI set lsa-threshold command. It sets the maximum number of LSAs that can be received per neighbor per
LSA interval, which prevents LSA flooding.

Example: Configuring the LSA Threshold
In this example, you create an OSPF LSA flood attack threshold of 10 packets per 10 seconds.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance: Enter the following, and then
click OK:
LSA Packet Threshold Time: 10
Maximum LSAs: 10

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> set lsa-threshold 10 10
4. ns(trust-vr/ospf)-> save
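The hello threshold of the previous section and the LSA threshold here are both rate limits keyed on the sending neighbor. The following Python is an added example, not ScreenOS code: a sliding-window limiter that accepts at most max_count packets per key in any window of interval seconds and counts what it drops, exercised with the LSA example's 10 per 10 seconds against one neighbor that bursts and one that behaves. The class and function names and the sample timeline are constructed; the hello threshold's time unit is not stated on the page, so the window length is simply a parameter.

```python
"""Per-neighbor packet rate limiting, as behind the hello and LSA thresholds.

Added example, not ScreenOS code. Names and the sample timeline are constructed.
"""
from collections import defaultdict, deque


class FloodGuard:
    """Sliding-window limiter: accept at most max_count events per key in any
    window of `interval` seconds; everything beyond that is dropped and counted."""

    def __init__(self, max_count, interval):
        self.max_count = max_count
        self.interval = interval
        self._recent = defaultdict(deque)   # key -> timestamps of accepted events
        self.dropped = defaultdict(int)     # key -> number of dropped events

    def accept(self, key, now):
        window = self._recent[key]
        while window and now - window[0] >= self.interval:
            window.popleft()                # forget accepted events older than the window
        if len(window) >= self.max_count:
            self.dropped[key] += 1
            return False
        window.append(now)
        return True


def run(guard, events):
    """events: iterable of (timestamp, key) in time order. Returns (accepted, dropped)."""
    accepted = dropped = 0
    for ts, key in events:
        if guard.accept(key, ts):
            accepted += 1
        else:
            dropped += 1
    return accepted, dropped


# LSA threshold from the example above: at most 10 LSAs per neighbor per 10 s.
LSA_GUARD = (10, 10)
# Constructed timeline: neighbor 10.10.10.20 sends 30 LSAs in 3 s while neighbor
# 10.10.10.30 sends one LSA per second.
BURST = [(t * 0.1, "10.10.10.20") for t in range(30)] + [(float(t), "10.10.10.30") for t in range(10)]

if __name__ == "__main__":
    guard = FloodGuard(*LSA_GUARD)
    print("accepted/dropped:", run(guard, sorted(BURST)))
    print("dropped per neighbor:", dict(guard.dropped))
```

Keying the window on the neighbor is what keeps the well-behaved neighbor's LSAs flowing while the bursting one is throttled; a single global counter would let one flooding source starve every adjacency on the router. The dropped counter per key is also the natural thing to export to monitoring, since a nonzero value names the neighbor to look at.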


Configuring an RFC 1583 Environment
Use the set rfc-1583 commands to set or display OSPF behavior as specified by Request for Comments 1583.

Example: Change to an RFC 1583 Environment
In the following example, you change your environment to one that is compatible with RFC 1583.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit OSPF Instance: Select the rfc-1583
compatible check box, and then click OK.

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol ospf
3. ns(trust-vr/ospf)-> set rfc-1583
4. ns(trust-vr/ospf)-> save



Chapter

BGP Task Reference

BGP is a routing protocol for communication between autonomous systems (ASs) on the internet. Peer routers in
each AS use BGP to exchange routing information. Each BGP peer router requires explicit configuration with the
network-layer reachability information it advertises to (and accepts from) peer devices.
This chapter describes important and commonly used procedures for configuring your local virtual router for BGP
environments.
• “The BGP Commands” on page 53
• “Basic BGP Configuration Tasks” on page 57
– “Creating a BGP Instance of the Virtual Router” on page 57
– “Specifying Reachable Networks from an AS” on page 58
– “Enabling Aggregate Routes” on page 59
– “Enabling Redistribution” on page 60
– “Configuring a BGP Neighbor” on page 61
– “Enabling a BGP Peer with an IP Address” on page 62
– “Configuring a Hold Timer” on page 63
– “Configuring a Keepalive Timer” on page 64
– “Enabling Route Flap Damping” on page 65
– “Discarding Default Route Advertisements from a Peer Router” on page 66
• “Advanced BGP Configuration Tasks” on page 67
– “Applying a Route Map to Routes from Specified Neighbors” on page 67
– “Assigning a Weight to a Path” on page 68
– “Setting an AS Path Access List” on page 69
– “Configuring a Community List” on page 70


– “Setting a Local Preference” on page 73
– “Setting a Multi-Exit Discriminator (MED)” on page 74
– “Setting a Multi-Exit Discriminator (MED) Comparison” on page 75
– “Configuring a Route Reflector” on page 76
– “Setting a Neighbor as a Route Reflector Client” on page 77
– “Configuring a Confederation” on page 78
– “Adding an AS Member to a Confederation” on page 79


THE BGP COMMANDS
This section briefly describes the BGP context and the CLI commands that configure a local virtual router to use
the BGP protocol.

Note: For more information on the BGP commands, see the NetScreen CLI Reference Guide.

Context Initiation
Before you can execute a BGP command, you must initiate the bgp context. Initiating the bgp context requires two
steps:
1. Enter the vrouter context by executing the set vrouter command:
ns-> set vrouter vrouter
where vrouter is the name of the virtual router. (For this example, vrouter is the trust-vr virtual router.)
2. Enter the bgp context by executing the set protocol bgp command.
ns(trust-vr)-> set protocol bgp
For more information on contexts, see “Context-Sensitive Commands in the CLI” on page 2-58.


Basic BGP Command Descriptions
The following commands are executable in the bgp context.

aggregate Use aggregate commands to create, display, or delete aggregates.
Aggregation is a technique for summarizing a range of routing addresses into a single route
entry, expressed as an IP address and a subnet mask. Aggregates can reduce the size of a
routing table on a router, while maintaining its level of connectivity. In addition, aggregation
can reduce the number of advertised addresses, thus reducing overhead.
Command options: get, set, unset
always-compare-med Use the always-compare-med commands to enable, disable, or display the current
always-compare-med setting. When you enable this setting, the NetScreen device
compares paths from each autonomous system (AS) using the Multi-Exit Discriminator
(MED). The MED determines the most suitable entry or exit point to each neighbor AS.
Command options: get, set, unset
as-path-access-list Use as-path-access-list commands to create, remove, or display a regular expression in an
AS-Path access list.
An AS-path access list serves as a packet filtering mechanism. The NetScreen device can
consult such a list and permit or deny BGP packets based on the regular expressions
contained in the list.
Command options: get, set, unset
community-list Use community-list commands to enter a router in a community list, to remove a router from
the list, or to display the list.
A community consists of routes containing the same community attribute. This attribute is an
identifier that classifies the routes according to some useful criterion. All routes with the same
community attribute are said to be members of the same community. Routers can use the
community attribute when they need to treat two or more advertised routes in the same way.
Command options: get, set, unset


confederation Use the confederation commands to create a confederation, to remove a confederation, or
to display confederation information.
Confederation is a technique for dividing an AS into smaller sub-ASs and grouping them.
Using confederations reduces the number of connections inside an AS, thus simplifying the
routing process.
Command options: get, set, unset
enable Use the enable commands to enable or disable BGP.
Command options: get, set, unset
flap-damping Use the flap-damping commands to enable or disable the flap-damping setting.
Enabling this setting blocks the advertisement of a route until the route becomes stable. Flap
damping allows the NetScreen device to contain routing instability at an AS border router,
adjacent to the region where instability occurs.
Command options: get, set, unset
hold-time Use the hold-time commands to specify or display the maximum amount of time (in
seconds) that can elapse between messages received from the BGP neighbor.
Command options: get, set, unset
ignore-default-route Use the ignore-default-route commands to enable, disable, or display the
ignore-default-route setting. Enabling this setting makes the NetScreen device ignore
default route advertisements from the BGP peer router.
Command options: get, set, unset
keepalive Use the keepalive commands to specify the amount of time (in seconds) that elapses
between keepalive packet transmissions. These transmissions ensure that the TCP
connection between the local BGP router and a neighbor router is up.
Command options: get, set, unset
local-pref Use the local-pref command to configure the LOCAL_PREF metric on a BGP router. This
metric expresses preference for one set of paths over another.
Command options: get, set, unset


med Use the med commands to specify or display the local Multi-Exit Discriminator (MED) ID
number. The MED determines the most suitable entry or exit point when there are multiple
exit/entry points to the same neighbor autonomous system (AS).
Command options: get, set, unset
neighbor Use the neighbor commands to set or display general configuration parameters for the local
BGP virtual router. The device uses these parameters while establishing a BGP connection
to another autonomous system (AS).
Command options: clear, exec, get, set, unset
network Use the network commands to create, display, or delete network and subnet entries. The
BGP virtual router advertises these entries to peer devices, without first requiring
redistribution into BGP (as with static routing table entries).
Command options: get, set, unset
redistribute Use the redistribute commands to import routes advertised by external routers that use
protocols other than BGP, or to display the current redistribute settings.
Command options: get, set, unset
reflector Use the reflector commands to allow the local BGP virtual router to serve as a route
reflector.
A route reflector is a router that passes Interior BGP (IBGP) learned routes to specified IBGP
neighbors (clients), thus eliminating the need for each router in a mesh to talk to every other
router. The clients use the route reflector to readvertise routes to the entire autonomous
system (AS).
Command options: get, set, unset
synchronization Use the synchronization command to enable synchronization with Interior Gateway
Protocol (IGP).
Command options: set, unset


BASIC BGP CONFIGURATION TASKS
The following configuration tasks are mandatory for most BGP implementations.

Creating a BGP Instance of the Virtual Router
To enable or disable a specific BGP virtual routing instance, use the WebUI or the CLI set enable commands.

Example: Starting a Virtual Routing Instance
Note: A virtual router (such as trust-vr) can have only one BGP virtual routing instance at a time. Consequently, you
cannot create a new BGP virtual routing instance if one already exists.

In the following example, you start a virtual routing instance (with AS ID 20) and enable BGP.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Create BGP Instance: Enter the following, and
then click OK:
AS Number (required): 20
BGP Enabled: (select)

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp 20
3. ns(trust-vr/bgp)-> set enable
4. ns(trust-vr/bgp)-> save


Specifying Reachable Networks from an AS
During the initial setup of your BGP network, you need to construct a list of networks that are reachable from the
virtual router. The BGP virtual router advertises these network entries to peer devices, without first requiring
redistribution into BGP (as with static routing table entries). To make entries in the network list, use the WebUI or the
CLI set network commands.

Example: Making a Network Reachable from the Local Virtual Router
In the following example, you make a network (192.169.1.0/24) reachable from the local virtual router.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance > Networks: Enter
192.169.1.0/24 in the IP/Netmask field, and then click OK.

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set network 192.169.1.0/24
4. ns(trust-vr/bgp)-> save


Enabling Aggregate Routes
Aggregation summarizes a range of routing addresses into a single route entry expressed as an IP address and a
subnet mask. You can create, display, or delete BGP aggregates using the WebUI or the CLI set aggregate
commands.

Example: Making an Aggregate Route Entry
For the following example, assume that the internetwork contains the following subnets of 192.168.10.0/24:
• 192.168.10.0/28
• 192.168.10.16/28
• 192.168.10.32/28
• 192.168.10.128/30
Instead of sending individual routes for each, you aggregate them into one advertisement (192.168.10.0/24).

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance > Aggregate Address: Enter
the following, and then click OK:
IP/Netmask: 192.168.10.0/24
Aggregate State: Enable: (select)
CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> unset enable
4. ns(trust-vr/bgp)-> set aggregate ip 192.168.10.0/24
5. ns(trust-vr/bgp)-> set enable
6. ns(trust-vr/bgp)-> save
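As an added example (written for this page, not ScreenOS code), the following checks the aggregation decision above with Python's standard ipaddress module: it finds the smallest single prefix that covers the four subnets, confirms which specifics a chosen aggregate summarises, shows the exact collapse that does not over-advertise, and, the check a practitioner most often forgets, computes how much address space the /24 advertises that none of the specifics actually holds. The prefixes are the page's; the extra 192.168.11.0/28 used to show a non-covered subnet is constructed.

```python
import ipaddress

# Constructed example of BGP aggregation checks (not ScreenOS code). The four
# specific prefixes and the /24 aggregate are the ones in the page's example.
SPECIFICS = ["192.168.10.0/28", "192.168.10.16/28", "192.168.10.32/28", "192.168.10.128/30"]
AGGREGATE = "192.168.10.0/24"


def covering_aggregate(prefixes):
    """Smallest single prefix that contains every given prefix."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    agg = nets[0]
    while not all(n.subnet_of(agg) for n in nets):
        agg = agg.supernet()          # widen by one bit until everything fits
    return str(agg)


def split_by_aggregate(aggregate, prefixes):
    """Return (covered, outside): which specifics the aggregate summarises and which it does not."""
    agg = ipaddress.ip_network(aggregate)
    nets = [ipaddress.ip_network(p) for p in prefixes]
    covered = [str(n) for n in nets if n.subnet_of(agg)]
    outside = [str(n) for n in nets if not n.subnet_of(agg)]
    return covered, outside


def collapse(prefixes):
    """Merge adjacent or overlapping prefixes without advertising anything extra."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def uncovered(aggregate, prefixes):
    """Address space the aggregate advertises that none of the specifics holds.
    Traffic to these addresses is attracted by the aggregate but has no more-specific route."""
    remaining = [ipaddress.ip_network(aggregate)]
    for p in prefixes:
        n = ipaddress.ip_network(p)
        nxt = []
        for r in remaining:
            if n.subnet_of(r):
                nxt.extend(r.address_exclude(n))   # carve the specific out of this chunk
            elif r.subnet_of(n):
                continue                           # chunk lies entirely inside the specific
            else:
                nxt.append(r)
        remaining = nxt
    return [str(x) for x in ipaddress.collapse_addresses(remaining)]


def uncovered_addresses(aggregate, prefixes):
    """Number of addresses the aggregate over-advertises."""
    return sum(ipaddress.ip_network(x).num_addresses for x in uncovered(aggregate, prefixes))


if __name__ == "__main__":
    print("smallest aggregate:", covering_aggregate(SPECIFICS))
    print("covered/outside:", split_by_aggregate(AGGREGATE, SPECIFICS + ["192.168.11.0/28"]))
    print("exact collapse:", collapse(SPECIFICS))
    print("over-advertised:", uncovered(AGGREGATE, SPECIFICS), uncovered_addresses(AGGREGATE, SPECIFICS))
```

For the page's subnets the smallest covering prefix is indeed 192.168.10.0/24, but 204 of its 256 addresses belong to none of the four specifics; whether that is acceptable is a design decision the aggregate command itself does not make for you.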


Enabling Redistribution
When a virtual router learns about routes from other dynamic protocols (or by static configuration) it does not
automatically advertise the routes to the BGP peers. You must first import the routes into the BGP protocol. To
import such routes, or to display the current route redistribution settings, use the WebUI or the CLI set redistribute
commands.
For more information on route redistribution rules and on importing routes, see “Route Redistribution” on
page 2-74.

Example: Creating a Redistribution Rule
In the following example, you create a redistribution rule for all routes learned from OSPF, and filter the routes
according to an existing route map (Corp_Office).

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance > Redist Rules : Enter the
following, and then click OK:
Route Map: Corp_Office
Protocol: OSPF

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set redistribute route-map Corp_Office protocol ospf
4. ns(trust-vr/bgp)-> save


Configuring a BGP Neighbor
Before two BGP devices can communicate and exchange routes, they need to identify each other so they can start
a BGP session. To identify a neighbor to the virtual router, use the WebUI or the set neighbor commands.

Note: If the neighbor is in the same AS as the local BGP speaker, the two devices use IBGP to establish a
connection.

Example: Configuring the Virtual Router for a Neighbor
In the following example, you configure the virtual router for a connection with a neighbor. This neighbor has the
following attributes:
• IP address 192.4.55.4
• Resides in an AS with ID 20

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance > Neighbors: Enter the
following and then click Add:
AS Number: 20
Remote IP: 192.4.55.4

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set neighbor 192.4.55.4 remote-as 20
4. ns(trust-vr/bgp)-> save


Enabling a BGP Peer with an IP Address
After setting up a connection between the virtual router and a neighbor, you must enable the connection. To perform
this operation, use the WebUI or the CLI set neighbor commands.

Example: Enabling a BGP Peer Connection
In the following example, you enable a connection between the local virtual router and a BGP neighbor (192.4.55.4).

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance > Neighbors > Configure (for
192.4.55.4): Select Peer Enabled, and then click OK.

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set neighbor 192.4.55.4 enable
4. ns(trust-vr/bgp)-> save


Configuring a Hold Timer
As your network matures, you may need to alter the maximum time interval between messages transmitted
from a BGP speaker to its neighbor. To specify or display this interval, use the WebUI or the CLI hold-time
commands.

Example: Setting the Hold Time Value
In the following example, you set the hold-time value to 60 seconds.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance: Enter the following and then
click OK:
Hold Time: Enable (select)
Hold Time: 60

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set hold-time 60
4. ns(trust-vr/bgp)-> save


Configuring a Keepalive Timer
Keepalive transmissions ensure that the TCP connection between the local BGP router and a neighbor router is still
up. To set or display the time interval (in seconds) that can elapse between keepalive packet transmissions, use the
WebUI or the CLI keepalive commands.

Example: Setting the Keepalive Timer
In the following example, you create a keepalive value of 20.

WebUI

Note: You cannot specifically set a value for the keepalive interval through the WebUI. However, because
the keepalive value is always 1/3 of the Hold Time value, by setting the Hold Time value at 60 seconds, you
indirectly set the keepalive value to 20 seconds.

Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance: Select Hold Time Enable,
type 60 in the Hold Time field, and then click OK.

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set keepalive 20
4. ns(trust-vr/bgp)-> save


Enabling Route Flap Damping
Flap damping contains routing instability at an AS border router, adjacent to the region where instability occurs. The
flap-damping setting blocks the advertisement of a route until the route becomes stable. To enable or disable this
setting, use the WebUI or the CLI set flap-damping commands.

Example: Enabling Flap Damping
In the following example, you enable flap damping on the BGP instance configured on the Trust-VR.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance: Select Route flap damping
state, and then click OK.

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set flap-damping
4. ns(trust-vr/bgp)-> save


Discarding Default Route Advertisements from a Peer Router
You can instruct the BGP instance configured on a virtual router to ignore default route advertisements from its BGP
peer. To enable, disable, or display this setting, use the WebUI or the CLI ignore-default-route commands.

Example: Ignoring Default Route Advertisements
In the following example, you enable the BGP instance defined on the Trust-VR to ignore default route
advertisements that it receives from its BGP peer.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance: Select Ignore default route
from peer, and then click OK.

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set ignore-default-route
4. ns(trust-vr/bgp)-> save


ADVANCED BGP CONFIGURATION TASKS
The following configuration tasks are optional, and are necessary only in advanced network environments.

Applying a Route Map to Routes from Specified Neighbors
A route map acts as a filter for routes going to and from BGP neighbors. To apply route map entries to incoming and
outgoing routes from specified neighbors, use the WebUI or the CLI set neighbor commands.

Example: Applying Route Maps
In the following example, you apply two existing route maps (ID numbers 10 and 15) to an existing neighbor
configuration (192.168.1.182).

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance > Neighbors > Configure (for
192.168.1.182): Enter the following, and then click OK:
Incoming Map-Tag: 10
Outgoing Map-Tag: 15
Peer Enabled: (select)

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set neighbor 192.168.1.182 route-map 10 in
4. ns(trust-vr/bgp)-> set neighbor 192.168.1.182 route-map 15 out
5. ns(trust-vr/bgp)-> save


Assigning a Weight to a Path
The weight value represents the priority of the route between the local BGP virtual routing instance and the
neighbor. The higher this value, the greater the priority of the route. To set this priority, use the WebUI or the CLI set
neighbor commands.

Example: Specifying a Weight Value
In the following example, you specify a weight value of 30 for the BGP neighbor at IP address 192.4.55.4.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance > Neighbors > Configure (for
192.4.55.4): Type 30 in the Weight field, and then click OK.

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set neighbor 192.4.55.4 weight 30
4. ns(trust-vr/bgp)-> save


Setting an AS Path Access List
An AS-path access list serves as a packet filtering mechanism. The NetScreen device permits or denies BGP
packets based on the regular expressions contained in the list. To create, remove or display a regular expression in
an AS-Path access list, use the WebUI or the CLI as-path-access-list commands.
Specify the criteria in the AS Path String field:

Expression   Description
'^'          Specifies the start of a path.
'$'          Specifies the end of a path.

Example: Creating an Entry in the AS Path Access List
In the following example, you create an AS path access list entry (with ID 10) matching any path beginning with 100.
WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance > AS Path: Enter the following
and then click Add:
AS Path Access List ID: 10
Permit: Permit
AS Path String: ^100
Action: Add
CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set as-path-access-list 10 permit ^100
4. ns(trust-vr/bgp)-> save
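The following added example (written for this page; it is not ScreenOS code and does not claim to reproduce the device's matcher) shows how an AS-path access list is evaluated against routes: entries are tried in order, the first regular expression that matches decides, and a path matching no entry is denied. The path is rendered as a space-separated string of AS numbers, which is the form the '^' and '$' anchors apply to. It also shows the check a practitioner should make before trusting an entry like ^100: matched as text, ^100 also accepts a path beginning with AS 1000, so a stricter pattern (constructed here as ^100(\s|$)) is shown alongside. The sample routes are constructed.

```python
import re

# Added example (not ScreenOS code) of how an AS-path access list is evaluated:
# entries are tried in order, the first matching regular expression decides,
# and a path that matches no entry is denied.


def render_path(as_path):
    """AS_PATH tuple -> the space-separated text form the regex is applied to."""
    return " ".join(str(asn) for asn in as_path)


def evaluate(access_list, as_path):
    """access_list: list of (action, regex) in evaluation order. Returns 'permit' or 'deny'."""
    path = render_path(as_path)
    for action, pattern in access_list:
        if re.search(pattern, path):
            return action
    return "deny"            # implicit deny when no entry matches


def apply_to_routes(access_list, routes):
    """routes: {prefix: as_path_tuple}. Returns {prefix: decision}."""
    return {prefix: evaluate(access_list, path) for prefix, path in routes.items()}


# The page's entry: list 10, permit ^100 ("any path beginning with 100").
LIST_10 = [("permit", r"^100")]

# Constructed tighter version: the first AS must be exactly 100, not merely
# start with the digits 100, so AS 1000 no longer slips through.
LIST_10_STRICT = [("permit", r"^100(\s|$)")]

# Constructed sample routes learned from a peer, keyed by prefix.
SAMPLE_ROUTES = {
    "10.1.0.0/16": (100, 200),      # originates behind AS 100: intended to pass
    "10.2.0.0/16": (200, 100),      # AS 100 is not first: denied
    "10.3.0.0/16": (1000, 300),     # AS 1000 also begins with "100" textually
    "10.4.0.0/16": (100,),          # directly from AS 100
    "10.5.0.0/16": (),              # empty path (locally originated): denied
}


if __name__ == "__main__":
    for name, acl in (("^100", LIST_10), ("^100(\\s|$)", LIST_10_STRICT)):
        print(name, apply_to_routes(acl, SAMPLE_ROUTES))
```

The loose list permits 10.3.0.0/16 even though it comes from AS 1000; the strict list denies it while still permitting the two routes that really begin with AS 100.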


Configuring a Community List
A community consists of routes containing the same community attribute. This attribute is an identifier that classifies
the routes according to some useful criterion. All routes with the same community attribute are said to be members
of the same community. Routers can use the community attribute when they need to treat two or more advertised
routes in the same way.
To assign a route to a community, remove a route from the community, or display the community attribute, use the
WebUI or the CLI community-list commands.

Note: Guidelines concerning when and how to use communities are beyond the scope of this manual.

Example: Creating a Community List
In the following example, you configure a community on two devices (Peer A and Peer B).
On Peer A, you configure a community-list with ID 1, using attribute 100:500. You then configure a static route for an
internal network, which Peer A advertises to Peer B along with the community attribute. The community attribute
enables Peer B to selectively insert this static route into its routing table. Then you create two access lists (ACLs)
and apply them to two route-maps configured for route redistribution. This allows insertion of the connected and
static routes into the local routing table. Finally, you configure neighbor settings, which allow the device to append
routing updates with the community attributes specified in the route-map.
On Peer B, you configure a community-list with ID 1 using attribute 100:500. You then configure an access-list and
apply it to a route-map configured for route redistribution. You then apply the route-map to the access-list, so Peer B
can insert the static route received from Peer A (with community 100:500 appended) into the local routing table.
Finally, you configure neighbor settings, which associate the route-map with Peer A.


CLI (Peer A)
Community List
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set community-list 1 permit 6554100
4. ns(trust-vr/bgp)-> exit
Static Route
5. ns(trust-vr)-> set route 10.1.1.0/24 interface ethernet3 gateway 192.128.1.254
Access List 1 (for all networks)
6. ns(trust-vr)-> set access-list 1
7. ns(trust-vr)-> set access-list 1 permit ip 0.0.0.0/0 1
Access List 2 (for network 10.1.1.0/24)
8. ns(trust-vr)-> set access-list 2
9. ns(trust-vr)-> set access-list 2 permit ip 10.1.1.0/24 1
Route Map (ACL 1)
10. ns(trust-vr)-> set route-map name "Import_ACL1" permit 90
11. ns(trust-vr)-> set match ip 1
12. ns(trust-vr)-> exit
Route Map (ACL 2)
13. ns(trust-vr)-> set route-map name "Import_ACL2" permit 100
14. ns(trust-vr)-> set match ip 2
15. ns(trust-vr)-> set community 1
Route Redistribution
16. ns(trust-vr)-> set protocol bgp redistribute route-map "Import_ACL1" protocol connected
17. ns(trust-vr)-> set protocol bgp redistribute route-map "Import_ACL2" protocol static


Neighbor
18. ns(trust-vr)-> set neighbor 172.16.1.254 send-community
19. ns(trust-vr)-> set neighbor 172.16.1.254 route-map "Import_ACL2" out
20. ns(trust-vr/bgp)-> save

CLI (Peer B)
Community List
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set community-list 1 permit 6554100
Access List 1 (for all networks)
4. ns(trust-vr/bgp)-> set access-list 1
5. ns(trust-vr/bgp)-> set access-list 1 permit ip 0.0.0.0/0 1
Route Map (ACL 1)
6. ns(trust-vr/bgp)-> set route-map name "Import_Comm1" permit 90
7. ns(trust-vr/bgp)-> set match ip 1
8. ns(trust-vr/bgp)-> set match community 1
Route Redistribution
9. ns(trust-vr/bgp)-> set protocol bgp redistribute route-map "Import_Comm1" protocol imported
Neighbor
10. ns(trust-vr/bgp)-> set neighbor 172.16.1.254 route-map "Import_Comm1" in
11. ns(trust-vr/bgp)-> save
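The following added model (written for this page; not ScreenOS code) ties the community description and the Peer A / Peer B configuration together. It shows why the CLI's community-list value is 6554100 (it is 100:500 packed into 32 bits, AS number in the high half), models Peer A's outbound route map and the send-community setting with the usual route-map semantics (permit only what an entry matches, attach the community, strip it on the wire when send-community is not set), and models Peer B's inbound route map, which admits only updates carrying community 100:500. The static route and community values come from the page; the connected network of ethernet3 is assumed to be 192.128.1.0/24 because the page gives only the gateway address.

```python
# Added model (not ScreenOS code) of the community exchange in the Peer A / Peer B example.


def encode_community(text):
    """'ASN:value' -> the 32-bit integer form (ASN in the high 16 bits)."""
    asn, value = (int(part) for part in text.split(":"))
    if not (0 <= asn <= 0xFFFF and 0 <= value <= 0xFFFF):
        raise ValueError(f"community out of range: {text}")
    return (asn << 16) | value


def decode_community(number):
    """Inverse of encode_community."""
    return f"{number >> 16}:{number & 0xFFFF}"


COMMUNITY_LISTS = {1: {encode_community("100:500")}}   # community-list 1 permit 6554100
ACL_1 = {"0.0.0.0/0"}            # access-list 1: any network (modelled as a wildcard)
ACL_2 = {"10.1.1.0/24"}          # access-list 2: the static route's network

# Peer A's local table (constructed): the page's static route plus the connected
# network of ethernet3, whose exact prefix the page does not give (assumed /24).
PEER_A_ROUTES = [
    {"prefix": "192.128.1.0/24", "source": "connected"},
    {"prefix": "10.1.1.0/24", "source": "static"},
]


def acl_matches(acl, prefix):
    return "0.0.0.0/0" in acl or prefix in acl


def peer_a_outbound(routes, send_community):
    """Route map Import_ACL2 applied 'out' to the neighbor: permit only ACL 2 networks
    and set community 1 on them. Without 'send-community' the attribute is not sent."""
    updates = []
    for route in routes:
        if not acl_matches(ACL_2, route["prefix"]):
            continue                     # no permit entry matched: route is not advertised
        communities = set(COMMUNITY_LISTS[1]) if send_community else set()
        updates.append({"prefix": route["prefix"], "communities": communities})
    return updates


def peer_b_inbound(updates):
    """Route map Import_Comm1 applied 'in': match ip access-list 1 AND match community 1.
    Returns the prefixes Peer B inserts into its local routing table."""
    accepted = []
    for update in updates:
        if acl_matches(ACL_1, update["prefix"]) and (update["communities"] & COMMUNITY_LISTS[1]):
            accepted.append(update["prefix"])
    return accepted


def exchange(send_community=True):
    """Run Peer A's outbound policy, then Peer B's inbound policy, on the constructed table."""
    return peer_b_inbound(peer_a_outbound(PEER_A_ROUTES, send_community))


if __name__ == "__main__":
    print(encode_community("100:500"), decode_community(6554100))
    print("with send-community:", exchange(True))
    print("without send-community:", exchange(False))
```

The second run is the case worth remembering: if step 18 (send-community) is omitted on Peer A, the update still arrives at Peer B but without the attribute, so Peer B's community match fails and the static route never enters its table.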


Setting a Local Preference
The degree to which the virtual router prefers one external route over another depends upon the LOCAL_PREF
attribute. The higher the LOCAL_PREF value, the greater the preference. Routers always advertise this attribute to
internal peers (that is, peers in the same AS) and to neighboring confederations, never to external peers.
When a router receives a route that contains the LOCAL_PREF value, the router does not modify the route.
Non-BGP routes advertised by a BGP router have a LOCAL_PREF value of 100 by default.
To set or display the LOCAL_PREF attribute, use the WebUI or the CLI local-pref commands.

Example: Setting the Local Preference
In the following example, you configure a local preference value of 20 for all non-BGP routes advertised to IBGP
peers.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance > Parameters: Type 20 in the
Local Preference field, and then click OK.

CLI
1. ns(trust-vr/bgp)-> set local-pref 20
2. ns(trust-vr/bgp)-> save


Setting a Multi-Exit Discriminator (MED)
The Multi-Exit Discriminator (MED) is an optional attribute used for selecting an external BGP connection when
there are multiple connections to the same AS. When all other factors are equal, the virtual router uses the
connection with the lowest MED value.
If an EBGP update contains a MED value, the router sends the MED to all IBGP peers within the AS.
If you assign a MED to the virtual router, this value overrides any MEDs received in update messages from external
peers.
To set or display the MED value, use the WebUI or the CLI med commands.

Example: Setting a MED
In the following example, you override the default value (100) with a value of 20. When the virtual router readvertises
the external routes to IBGP peers, the routes have a MED value of 20.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance: Type 20 in the Default MED
field, and then click OK.

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set med 20
4. ns(trust-vr/bgp)-> save


Setting a Multi-Exit Discriminator (MED) Comparison
You can enable the BGP instance configured on a virtual router to compare paths from each autonomous system
(AS) using the Multi-Exit Discriminator (MED). The MED determines the most suitable entry or exit point to each
neighbor AS. To enable, disable, or display this setting, use the WebUI or the CLI always-compare-med
commands.

Example: Setting a MED Comparison
In the following example, you enable the BGP instance on the Trust-VR to compare paths it receives from each AS.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance: Select Always compare med
state, and then click OK.

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set always-compare-med
4. ns(trust-vr/bgp)-> save
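The weight, local preference, MED and always-compare-med sections above each describe one attribute in isolation. The following added, simplified model (written for this page; not ScreenOS code, and not a complete BGP decision process) shows how they interact when several paths to the same prefix compete: weight first, then LOCAL_PREF, then AS path length, then MED, where MED is compared only between paths from the same neighbor AS unless always-compare-med is set. The final tie-break on neighbor address and the three sample paths are constructed; real implementations apply further tie-breakers that are not modelled here.

```python
from dataclasses import dataclass

# Added, simplified model (not ScreenOS code) of how weight, LOCAL_PREF, AS path
# length and MED interact when a virtual router chooses among paths to one prefix.


@dataclass(frozen=True)
class Path:
    prefix: str
    neighbor: str          # peer address the path was learned from
    neighbor_as: int       # that peer's AS
    as_path: tuple         # AS_PATH as a tuple of AS numbers
    weight: int = 0        # per-neighbor weight: higher wins
    local_pref: int = 100  # LOCAL_PREF: higher wins
    med: int = 0           # MED: lower wins


def prefer(a, b, always_compare_med):
    """True if path a should be chosen over path b."""
    if a.weight != b.weight:
        return a.weight > b.weight
    if a.local_pref != b.local_pref:
        return a.local_pref > b.local_pref
    if len(a.as_path) != len(b.as_path):
        return len(a.as_path) < len(b.as_path)
    # MED is only meaningful between paths from the same neighbor AS, unless
    # always-compare-med is set, in which case it is compared across ASs too.
    if (always_compare_med or a.neighbor_as == b.neighbor_as) and a.med != b.med:
        return a.med < b.med
    return a.neighbor < b.neighbor   # deterministic final tie-break (constructed)


def best_path(paths, always_compare_med=False):
    """Return the preferred Path among the candidates."""
    best = None
    for candidate in paths:
        if best is None or prefer(candidate, best, always_compare_med):
            best = candidate
    return best


def sample_paths(weight_for_55_4=0, local_pref_for_66_6=100):
    """Three constructed paths to 10.9.0.0/16: two from AS 20 (the page's neighbor AS),
    one from AS 30. AS path lengths are equal so that the other attributes decide."""
    return [
        Path("10.9.0.0/16", "192.4.55.4", 20, (20, 7000), weight=weight_for_55_4, med=50),
        Path("10.9.0.0/16", "192.4.55.5", 20, (20, 7000), med=10),
        Path("10.9.0.0/16", "192.4.66.6", 30, (30, 7000), local_pref=local_pref_for_66_6, med=5),
    ]


def chosen_neighbor(always_compare_med=False, **overrides):
    """Which neighbor's path wins for the sample set under the given settings."""
    return best_path(sample_paths(**overrides), always_compare_med).neighbor


if __name__ == "__main__":
    print("default:", chosen_neighbor())
    print("always-compare-med:", chosen_neighbor(always_compare_med=True))
    print("weight 30 on 192.4.55.4:", chosen_neighbor(weight_for_55_4=30))
    print("local-pref 120 on AS 30 path:", chosen_neighbor(local_pref_for_66_6=120))
```

By default the lowest MED within AS 20 wins and the AS 30 path's even lower MED is never consulted; enabling always-compare-med makes the AS 30 path win, and a weight or a higher LOCAL_PREF overrides MED entirely.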


Configuring a Route Reflector
A route reflector is a router that passes Interior BGP (IBGP) learned routes to specified IBGP neighbors (clients).
This makes it unnecessary for each router in a mesh to talk to every other router. The clients use the route reflector
to readvertise routes to the entire autonomous system (AS). To configure a route reflector, use the WebUI or the CLI
set reflector command.

Example: Designating a Route Reflector
In the following example, you designate a route reflector in a cluster (ID number 10).

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance: Enter the following, and then
click OK:
Route Reflector: Enable
Cluster ID: 10

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set reflector cluster-id 10
4. ns(trust-vr/bgp)-> save


Setting a Neighbor as a Route Reflector Client
After setting up a route reflector to communicate route information, you must configure client devices that receive
the information. To configure an IBGP neighbor as a client, use the CLI neighbor commands.

Example: Configuring an IBGP Neighbor
In the following example, you configure an IBGP neighbor (192.55.4.3) as a client.

WebUI

Note: To set a neighbor as a route reflector client, you must use the CLI.

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set neighbor 192.55.4.3 reflector-client
4. ns(trust-vr/bgp)-> save


Configuring a Confederation
A confederation divides an AS into smaller sub-ASs and groups them, thus reducing the number of connections
inside the AS, and simplifying the routing matrices created by meshes. To create a confederation, remove a
confederation, or display confederation information, use the WebUI or the CLI confederation commands.

Example: Creating a Confederation
In the following example, you create a confederation (200) and add a member (30).

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance > Confederation: Enter the
following and then click OK:
Enable: (select)
ID: 200
Supported RFC: RFC 1965
Peer Member Area ID: 30

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set confederation id 200
4. ns(trust-vr/bgp)-> set confederation peer 30
5. ns(trust-vr/bgp)-> save

Note: It is not necessary to specify RFC 1965. NetScreen BGP confederations support this RFC by default.


Adding an AS Member to a Confederation
To add an AS to a confederation, use the WebUI or the CLI set confederation { ... } peer command.

Example: Adding a New Confederation
In the following example, you add an AS (45040) to a confederation.

WebUI
Network > Routing > Virtual Routers > Edit (for trust-vr) > Edit BGP Instance > Confederation: Type 45040
in Peer member area ID, and then click Add.

CLI
1. ns-> set vrouter trust-vr
2. ns(trust-vr)-> set protocol bgp
3. ns(trust-vr/bgp)-> set confederation peer 45040
4. ns(trust-vr/bgp)-> save
