Support Forum
Ozz
New Contributor

Stop sending advertisement for specific network in ospf Area 0 to the other VPN tunnel

Hello,

I am stuck on one subject. I have an environment whose routing protocol is OSPF. HQ-Test: 60.60.60.0/24

BCN-Test: 70.70.70.0/24. Test-Branch: 66.66.66.0/24.

HQ-Test & BCN-Test are connected via VPN.

HQ-Test & Test-Branch are connected via VPN.

I don't want to advertise the Test-Branch IP block to BCN-Test. I have tried an access-list and a prefix-list; it has not worked. I am also adding the routing tables from all sites.

Could you have any idea for the solution?

HQ-TEST routing table:

HQ-TEST (VPN-VDOM) # get router info routing-table all
S*      0.0.0.0/0 [5/0] via X.X.X.129, internal7
C       1.20.255.19/32 is directly connected, VPN-Tst-BCN_0
C       1.20.255.20/32 is directly connected, VPN-Tst-BCN_0
O       1.20.255.40/30 [110/300] via 1.20.255.20, VPN-Tst-BCN_0, 2d18h39m
O       1.20.255.44/30 [110/200] via 1.20.255.20, VPN-Tst-BCN_0, 2d18h39m
C       1.20.255.59/32 is directly connected, VPN_Bnch2_Dp
                       is directly connected, VPN_Bnch2_Dp_0
C       1.20.255.60/32 is directly connected, VPN_Bnch2_Dp
                       is directly connected, VPN_Bnch2_Dp_0
C       1.20.255.248/30 is directly connected, root2VPN1
O       1.20.255.252/30 [110/200] via 1.20.255.249, root2VPN1, 01w4d19h
O       60.60.60.0/26 [110/101] via 1.20.255.249, root2VPN1, 2d20h28m
O       60.60.60.128/26 [110/101] via 1.20.255.249, root2VPN1, 2d20h28m
O       60.60.60.208/28 [110/101] via 1.20.255.249, root2VPN1, 2d20h28m
O       60.60.60.224/28 [110/101] via 1.20.255.249, root2VPN1, 2d20h28m
O       60.60.60.248/29 [110/101] via 1.20.255.249, root2VPN1, 2d20h28m
C       62.96.202.128/27 is directly connected, internal7
S       66.66.66.0/24 [15/0] via 95.91.224.231, VPN_Bnch2_Dp_0
O       66.66.66.64/26 [110/101] via 1.20.255.60, VPN_Bnch2_Dp_0, 02:26:48
O       66.66.66.128/26 [110/101] via 1.20.255.60, VPN_Bnch2_Dp_0, 02:26:48
O       66.66.66.224/28 [110/101] via 1.20.255.60, VPN_Bnch2_Dp_0, 02:26:48
O       66.66.66.240/29 [110/101] via 1.20.255.60, VPN_Bnch2_Dp_0, 02:26:48
O       70.70.70.64/26 [110/201] via 1.20.255.20, VPN-Tst-BCN_0, 2d18h39m
O       70.70.70.128/26 [110/201] via 1.20.255.20, VPN-Tst-BCN_0, 2d18h39m
O       70.70.70.208/28 [110/201] via 1.20.255.20, VPN-Tst-BCN_0, 2d18h39m
O       70.70.70.224/28 [110/201] via 1.20.255.20, VPN-Tst-BCN_0, 2d18h39m
O       70.70.70.248/29 [110/201] via 1.20.255.20, VPN-Tst-BCN_0, 2d18h39m
C       169.253.0.1/32 is directly connected, OSPF_Loopback
O       169.253.0.2/32 [110/400] via 1.20.255.20, VPN-Tst-BCN_0, 2d18h39m
O       169.253.0.3/32 [110/200] via 1.20.255.249, root2VPN1, 01w4d19h
O       169.253.0.5/32 [110/300] via 1.20.255.249, root2VPN1, 01w4d19h
O       169.253.0.7/32 [110/200] via 1.20.255.20, VPN-Tst-BCN_0, 2d18h39m
O       169.253.0.10/32 [110/300] via 1.20.255.20, VPN-Tst-BCN_0, 2d18h39m
O       169.253.0.66/32 [110/200] via 1.20.255.60, VPN_Bnch2_Dp_0, 02:26:48

 

BCN-TST routing table:

BCN-TEST (VPN-VDOM) # get router info routing-table all
S*      0.0.0.0/0 [5/0] via Y.Y.Y.1, wan2
C       1.20.255.19/32 is directly connected, VPN-HQ-Tst
C       1.20.255.20/32 is directly connected, VPN-HQ-Tst
O       1.20.255.40/30 [110/200] via 1.20.255.45, root2VPN1, 01w4d00h
C       1.20.255.44/30 is directly connected, root2VPN1
O       1.20.255.59/32 [110/100] via 1.20.255.19, VPN-HQ-Tst, 2d18h40m
O       1.20.255.60/32 [110/200] via 1.20.255.19, VPN-HQ-Tst, 2d18h40m
O       1.20.255.248/30 [110/200] via 1.20.255.19, VPN-HQ-Tst, 2d18h40m
O       1.20.255.252/30 [110/300] via 1.20.255.19, VPN-HQ-Tst, 2d18h40m
O       60.60.60.0/26 [110/201] via 1.20.255.19, VPN-HQ-Tst, 2d18h40m
O       60.60.60.128/26 [110/201] via 1.20.255.19, VPN-HQ-Tst, 2d18h40m
O       60.60.60.208/28 [110/201] via 1.20.255.19, VPN-HQ-Tst, 2d18h40m
O       60.60.60.224/28 [110/201] via 1.20.255.19, VPN-HQ-Tst, 2d18h40m
O       60.60.60.248/29 [110/201] via 1.20.255.19, VPN-HQ-Tst, 2d18h40m
O       66.66.66.64/26 [110/201] via 1.20.255.19, VPN-HQ-Tst, 02:27:20
O       66.66.66.128/26 [110/201] via 1.20.255.19, VPN-HQ-Tst, 02:27:20
O       66.66.66.224/28 [110/201] via 1.20.255.19, VPN-HQ-Tst, 02:27:20
O       66.66.66.240/29 [110/201] via 1.20.255.19, VPN-HQ-Tst, 02:27:20
O       70.70.70.64/26 [110/101] via 1.20.255.45, root2VPN1, 2d20h30m
O       70.70.70.128/26 [110/101] via 1.20.255.45, root2VPN1, 2d20h30m
O       70.70.70.208/28 [110/101] via 1.20.255.45, root2VPN1, 2d20h30m
O       70.70.70.224/28 [110/101] via 1.20.255.45, root2VPN1, 2d20h30m
O       70.70.70.248/29 [110/101] via 1.20.255.45, root2VPN1, 2d20h30m
O       169.253.0.1/32 [110/200] via 1.20.255.19, VPN-HQ-Tst, 2d18h40m
O       169.253.0.2/32 [110/300] via 1.20.255.45, root2VPN1, 01w4d00h
O       169.253.0.3/32 [110/300] via 1.20.255.19, VPN-HQ-Tst, 2d18h40m
O       169.253.0.5/32 [110/400] via 1.20.255.19, VPN-HQ-Tst, 2d18h40m
C       169.253.0.7/32 is directly connected, OSPF-VPN
O       169.253.0.10/32 [110/200] via 1.20.255.45, root2VPN1, 01w4d18h
O       169.253.0.66/32 [110/300] via 1.20.255.19, VPN-HQ-Tst, 02:27:20

14 REPLIES
Ozz
New Contributor

I cannot change the topology from OSPF to BGP. Normally I will connect Test-Branch to BCN-TEST. That is why I need to stop advertising the Branch block from the HQ site to the BCN site.

Ozz
New Contributor

But BCN-Tst also has a VPN connection to the Branch office (I cannot create the scenario because of my lack of resources, like static IPs). If I write this ACL on BCN-Tst, it will not accept the branch site block from the branch.

I have another idea: if I run two VRFs in the backbone area, it may work, but I am not sure. If I have time, I will try.

 

cchokbengboun
New Contributor

Dear Ozz,

Please send us your OSPF configuration and the ACLs.

Thanks

Ozz

config router access-list
    edit "ac_drop_66"
        config rule
            edit 1
                set action deny
                set prefix 66.66.66.0 255.255.255.0
                set exact-match enable
            next
        end
    next
end

config router ospf
    set abr-type cisco
    set router-id 169.253.0.1
    set restart-mode graceful-restart
    config area
        edit 0.0.0.0
            set authentication md5
            config filter-list
                edit 1
                    set list "ac_drop_66"
                next
            end
        next
    end
    config ospf-interface
        edit "OSPF2root"
            set interface "root2VPN1"
            set authentication md5
            set dead-interval 40
            set hello-interval 10
            set network-type point-to-point
            config md5-keys
                edit 1
                    set key-string ENC izQUWwhEeAXS0e7/3FbUXqeyvKT4a7MlCNK9g==
                next
            end
        next
        edit "OSPF_Barcelona_2"
            set interface "VPN-Tst-BCN"
            set authentication md5
            set cost 220
            set priority 10
            set dead-interval 40
            set hello-interval 10
            set network-type point-to-point
            config md5-keys
                edit 1
                    set key-string ENC kA0GugKhLdvfYZV3Q2wTaBoZZtRFoq8XHY1A6A==
                next
            end
        next
        edit "OSPF-Branch"
            set interface "VPN_Bnch2_Dp"
            set authentication md5
            set dead-interval 40
            set hello-interval 10
            set network-type point-to-point
            config md5-keys
                edit 1
                    set key-string ENC X04kxQACHw1N91M8Uxxx1cBNECk6b2CGVRpl/aG/qYw==
                next
            end
        next
    end
    config network
        edit 1
            set prefix 169.253.0.1 255.255.255.255
        next
        edit 2
            set prefix 1.20.255.250 255.255.255.255
        next
        edit 3
            set prefix 10.60.6.10 255.255.255.255
        next
        edit 4
            set prefix 1.20.255.59 255.255.255.255
        next
        edit 5
            set prefix 1.20.255.19 255.255.255.255
        next
    end
    config redistribute "connected"
    end
    config redistribute "static"
        set status enable
    end
    config redistribute "rip"
    end
    config redistribute "bgp"
    end
    config redistribute "isis"
    end
end

cchokbengboun

Hi Ozz,

If you apply an ACL in the area configuration, it means that you want to filter between different areas. In your case you only have one area.

I think you have to apply your ACL directly on the FGT BCN-test with the following configuration:

config router access-list
    edit "ac_drop_66"
        config rule
            edit 1
                set action deny
                set prefix 66.66.66.0 255.255.255.0
                set exact-match enable
            next
            edit 2
                set action permit
                set prefix any
            next
        end
    next
end

config router ospf
    set distribute-list-in "ac_drop_66"
end


Thanks,

CCH
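Whichever device the filter ends up on, the way to confirm it did what was intended is to re-run `get router info routing-table all` and check that no OSPF route inside 66.66.66.0/24 remains. The parser below is an added example for that check; it is not code from the thread or from Fortinet. It reads the FortiGate routing-table format shown above (including the continuation lines FortiOS prints for a second equal-cost path), and its sample input is constructed from a subset of the BCN-TEST and HQ-TEST lines posted in the question.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Routing-table output in the format of FortiGate "get router info routing-table all".
# Constructed for this example from a subset of the BCN-TEST lines posted in the thread.
SAMPLE_BCN_TABLE = """\
S*      0.0.0.0/0 [5/0] via Y.Y.Y.1, wan2
C       1.20.255.19/32 is directly connected, VPN-HQ-Tst
O       60.60.60.0/26 [110/201] via 1.20.255.19, VPN-HQ-Tst, 2d18h40m
O       66.66.66.64/26 [110/201] via 1.20.255.19, VPN-HQ-Tst, 02:27:20
O       66.66.66.128/26 [110/201] via 1.20.255.19, VPN-HQ-Tst, 02:27:20
O       70.70.70.64/26 [110/101] via 1.20.255.45, root2VPN1, 2d20h30m
C       169.253.0.7/32 is directly connected, OSPF-VPN
"""

# A connected prefix with two equal-cost paths, as printed on HQ-TEST: the second
# path is a continuation line that carries no prefix of its own.
SAMPLE_ECMP = """\
C       1.20.255.59/32 is directly connected, VPN_Bnch2_Dp
                       is directly connected, VPN_Bnch2_Dp_0
"""


@dataclass
class Route:
    source: str                      # "O" OSPF, "C" connected, "S" static (asterisk stripped)
    prefix: ipaddress.IPv4Network
    distance: Optional[int]          # administrative distance, None for connected routes
    metric: Optional[int]
    nexthop: Optional[str]
    interface: str


# Either "[AD/metric] via NEXTHOP, IFACE[, uptime]" or "is directly connected, IFACE"
_PATH = (r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nh>[^,\s]+),\s*(?P<iface>[^,\s]+)"
         r"|is directly connected,\s*(?P<ciface>\S+))")
_FIRST_LINE = re.compile(r"^(?P<src>[A-Z][A-Z*]*)\s+(?P<prefix>\d+(?:\.\d+){3}/\d+)\s+" + _PATH)
_CONT_LINE = re.compile(r"^\s+" + _PATH)


def _path_fields(m: "re.Match") -> tuple:
    """(distance, metric, nexthop, interface) from a matched path fragment."""
    if m.group("ciface"):
        return None, None, None, m.group("ciface")
    return int(m.group("ad")), int(m.group("metric")), m.group("nh"), m.group("iface")


def parse_routing_table(text: str) -> List[Route]:
    """Parse FortiGate routing-table output into Route records, one per path."""
    routes: List[Route] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _FIRST_LINE.match(line)
        if m:
            ad, metric, nh, iface = _path_fields(m)
            routes.append(Route(m.group("src").rstrip("*"),
                                ipaddress.ip_network(m.group("prefix")),
                                ad, metric, nh, iface))
            continue
        cm = _CONT_LINE.match(line)
        if cm and routes:
            # Continuation line: an additional path for the prefix on the previous line.
            prev = routes[-1]
            ad, metric, nh, iface = _path_fields(cm)
            routes.append(Route(prev.source, prev.prefix, ad, metric, nh, iface))
    return routes


def routes_within(routes: List[Route], block: str, source: Optional[str] = None) -> List[Route]:
    """Routes whose prefix lies inside `block`, optionally restricted to one route source."""
    net = ipaddress.ip_network(block)
    return [r for r in routes
            if r.prefix.subnet_of(net) and (source is None or r.source == source)]


def leaked_ospf_prefixes(table_text: str, block: str = "66.66.66.0/24") -> List[str]:
    """Prefixes of `block` that the device still learns via OSPF.
    An empty list means the filter achieved what the thread asks for."""
    hits = routes_within(parse_routing_table(table_text), block, source="O")
    return [str(r.prefix) for r in sorted(hits, key=lambda r: r.prefix)]


if __name__ == "__main__":
    for p in leaked_ospf_prefixes(SAMPLE_BCN_TABLE):
        print("still learned via OSPF on BCN-TEST:", p)
```

Two things the sample data makes visible. First, the branch prefixes in the tables are /26, /28 and /29 subnets, not 66.66.66.0/24 itself; an access-list rule with `exact-match enable` matches only the exact prefix, so a deny on 66.66.66.0/24 leaves those longer prefixes untouched, and the check above would still list them. Second, `distribute-list-in` on OSPF filters what the local device installs in its own routing table; the LSAs remain in the area 0 database and are still flooded to that device's other neighbours, so the same check should be run on every device that must not reach the branch block.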
