Support Forum
asgspl
New Contributor

How to filter OSPF advertised routes

Hi Guys,

I'm trying to switch my national IPsec site-to-site VPN network from static routing to OSPF. Each branch has around 6 subnets, of which only 4 should be routed via the IPsec tunnel. Using static routing it's easy, since I add only exactly what I need.

My VPN network is using a star topology and it might change to an extended star.

I've started with 2 branches, the HQ and a branch.

Everything works fine, except that I'm not able to filter which routes are being advertised via OSPF, since I'm using "config redistribute connected".

Attached is a lab I did to test it, but still no luck. The routers in the diagram I've attached are FG-70D's.

I've tried:

- prefix-list with in and out on both sides - no luck

- access list with in and out on both sides - no luck

 

I'm missing something here, right?!

Hope the diagram will give you a clear idea of what I want to achieve.

 

Cheers,

Tony

1 Solution
support12
New Contributor III

This is for router A; for router B, change 192.168.102.0 for 172.16.102.2.

config router prefix-list
    edit "Redistribute-Connected"
        config rule
            edit 1
                set action deny
                set prefix 192.168.102.0 255.255.255.0
                unset ge
                unset le
            next
            edit 4
                set prefix any
                unset ge
                unset le
            next
        end
    next
end
config router route-map
    edit "Filter-Connected"
        config rule
            edit 1
                set match-ip-address "Redistribute-Connected"
            next
        end
    next
end
config router ospf
    config redistribute "connected"
        set routemap "Filter-Connected"
    end
end

MikePruett
Valued Contributor

You use config router access-list to perform this task.

 

http://kb.fortinet.com/kb....do?externalID=FD36851

Mike Pruett Fortinet GURU | Fortinet Training Videos
asgspl

Hi Mike,

 

I've been trying for the last few hours to use the method mentioned in your link, but it doesn't work and has weird behavior as well.

I'm adding an access list on router_A as follows:

Router_A # show router access-list
config router access-list
    edit "OSPF_Filter"
        config rule
            edit 1
                set action deny
                set prefix 172.16.102.0 255.255.255.0
                set exact-match enable
            next
        end
    next
end

 

OSPF config looks like this:

Router_A # show router ospf
config router ospf
    set abr-type cisco
    set router-id 0.0.0.1
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "WAN1_TO_B"
            set interface "TO_B"
            set dead-interval 40
            set hello-interval 10
            set network-type point-to-point
        next
    end
    config network
        edit 1
            set prefix 10.101.1.1 255.255.255.255
        next
    end
    config distribute-list
        edit 1
            set access-list "OSPF_Filter"
        next
    end
    config redistribute "connected"
        set status enable
    end
    config redistribute "static"
    end
    config redistribute "rip"
    end
    config redistribute "bgp"
    end
    config redistribute "isis"
    end
end

 

All I get is this:

Router_A # get router info ospf database brief

Router Link States (Area 0.0.0.0)

Link ID         ADV Router      Age    Seq#       CkSum  Flag  Link count
0.0.0.1         0.0.0.1         835    8000003b   36a0   0021  3
0.0.0.2         0.0.0.2         842    80000038   24b3   0002  3

AS External Link States

Link ID         ADV Router      Age    Seq#       CkSum  Flag  Route               Tag
10.0.0.0        0.0.0.2         874    80000008   9820   0002  E2 10.0.0.0/30      0
10.101.1.1      0.0.0.2         1454   80000008   d479   0002  E2 10.101.1.1/32    0
172.16.100.0    0.0.0.2         1424   80000008   5747   0002  E2 172.16.100.0/24  0
172.16.101.0    0.0.0.2         1704   80000008   4c51   0002  E2 172.16.101.0/24  0
172.16.102.0    0.0.0.2         1784   80000008   415b   0002  E2 172.16.102.0/24  0


 

Not sure if you've noticed, but I'm on router_A and instead of filtering the route in green, I'm actually filtering all my connected networks/routes.

Am I missing something here?

 

Below is the OSPF output from Router_B:

 

Router_B # get router info ospf database brief

Router Link States (Area 0.0.0.0)

Link ID         ADV Router      Age    Seq#       CkSum  Flag  Link count
0.0.0.1         0.0.0.1         1133   8000003b   36a0   0012  3
0.0.0.2         0.0.0.2         1138   80000038   24b3   0021  3

AS External Link States

Link ID         ADV Router      Age    Seq#       CkSum  Flag  Route               Tag
10.0.0.0        0.0.0.2         1170   80000008   9820   0031  E2 10.0.0.0/30      0
10.101.1.1      0.0.0.2         1750   80000008   d479   0031  E2 10.101.1.1/32    0
172.16.100.0    0.0.0.2         1720   80000008   5747   0031  E2 172.16.100.0/24  0
172.16.101.0    0.0.0.2         190    80000009   4a52   0031  E2 172.16.101.0/24  0
172.16.102.0    0.0.0.2         270    80000009   3f5c   0031  E2 172.16.102.0/24  0

Router_B # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

C       10.0.0.0/30 is directly connected, wan1
C       10.101.1.1/32 is directly connected, TO_A
C       10.101.1.2/32 is directly connected, TO_A
C       172.16.100.0/24 is directly connected, internal1
C       172.16.101.0/24 is directly connected, internal2
C       172.16.102.0/24 is directly connected, internal3

 

Cheers,

Tony

 

asgspl
New Contributor

Hi Guys,

After some struggle, I've managed to prevent the routing table from being populated with what I don't want.

This is not affecting or filtering OSPF LS updates, and it doesn't impact the LSDB nor the redistribution of LSAs.

This is just a filter acting on the routing table.

 

What I've done:

Router_B # show router prefix-list
config router prefix-list
    edit "OSPF-Filter"
        config rule
            edit 1
                set action deny
                set prefix 192.168.102.0 255.255.255.0
                unset ge
                unset le
            next
            edit 2
                set prefix any
                unset ge
                unset le
            next
        end
    next
end

 

Router_B # show router ospf
config router ospf
    set abr-type cisco
    set router-id 0.0.0.2
    set distribute-list-in "OSPF-Filter"
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "WAN1_TO_A"
            set interface "TO_A"
            set dead-interval 40
            set hello-interval 10
            set network-type point-to-point
        next
    end
    config network
        edit 1
            set prefix 10.101.1.2 255.255.255.255
        next
    end
    config redistribute "connected"
        set status enable
    end
    config redistribute "static"
    end
    config redistribute "rip"
    end
    config redistribute "bgp"
    end
    config redistribute "isis"
    end
end

 

The result:

The database still contains all routes, including the one in red.

 

Router_B # get router info ospf database brief

Router Link States (Area 0.0.0.0)

Link ID         ADV Router      Age    Seq#       CkSum  Flag  Link count
0.0.0.1         0.0.0.1         852    80000042   28a7   0002  3
0.0.0.2         0.0.0.2         845    80000040   14bb   0021  3

AS External Link States

Link ID         ADV Router      Age    Seq#       CkSum  Flag  Route                Tag
10.0.0.0        0.0.0.1         1153   80000001   ac14   0002  E2 10.0.0.0/30       0
10.0.0.0        0.0.0.2         861    80000001   a619   0021  E2 10.0.0.0/30       0
10.101.1.1      0.0.0.2         861    80000001   e272   0021  E2 10.101.1.1/32     0
10.101.1.2      0.0.0.1         1153   80000001   de76   0002  E2 10.101.1.2/32     0
172.16.100.0    0.0.0.2         861    80000001   6540   0021  E2 172.16.100.0/24   0
172.16.101.0    0.0.0.2         861    80000001   5a4a   0021  E2 172.16.101.0/24   0
172.16.102.0    0.0.0.2         861    80000001   4f54   0021  E2 172.16.102.0/24   0
192.168.100.0   0.0.0.1         1153   80000001   3fba   0002  E2 192.168.100.0/24  0
192.168.101.0   0.0.0.1         1153   80000001   34c4   0002  E2 192.168.101.0/24  0
192.168.102.0   0.0.0.1         35     80000002   27cf   0012  E2 192.168.102.0/24  0

 

But the routing table doesn't:

Router_B # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

C       10.0.0.0/30 is directly connected, wan1
C       10.101.1.1/32 is directly connected, TO_A
C       10.101.1.2/32 is directly connected, TO_A
C       172.16.100.0/24 is directly connected, internal1
C       172.16.101.0/24 is directly connected, internal2
C       172.16.102.0/24 is directly connected, internal3
O E2    192.168.100.0/24 [110/10] via 10.101.1.1, TO_A, 00:15:39
O E2    192.168.101.0/24 [110/10] via 10.101.1.1, TO_A, 00:15:39

 

Now it's all good, but I would really, really like to stop the route from being distributed by the router it belongs to.

This means Router_A should not send that route at all.

 

Cheers,

Tony
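The two filter points contrasted in this thread (a distribute-list-in on the receiving router, which only filters what gets installed in the routing table, versus a route-map on "redistribute connected" at the originating router, as in the accepted answer) can be modelled to see which one keeps the prefix out of the LSDB. This is an added example, not code from the thread or from Fortinet; the route and prefix-list values are constructed from the lab above, and it assumes Cisco-style prefix-list semantics (first match wins, implicit deny at the end, and an unset ge/le means the route's length must equal the rule's prefix length).

```python
import ipaddress

# Constructed from the thread's lab: Router A (router-id 0.0.0.1) redistributes
# these connected networks; 192.168.102.0/24 is the one that must not leak.
ROUTER_A_CONNECTED = ["10.0.0.0/30", "10.101.1.2/32", "192.168.100.0/24",
                      "192.168.101.0/24", "192.168.102.0/24"]

# The accepted answer's prefix-list as (action, prefix, ge, le) tuples.
# ge/le None models "unset ge"/"unset le"; "any" models "set prefix any".
REDISTRIBUTE_CONNECTED = [
    ("deny", "192.168.102.0/24", None, None),
    ("permit", "any", None, None),
]

def prefix_list_permits(rules, route):
    """First-match evaluation with an implicit deny at the end.
    Assumption: with ge/le unset, the route's length must equal the rule's
    prefix length (Cisco-style semantics, assumed here for FortiOS)."""
    net = ipaddress.ip_network(route)
    for action, prefix, ge, le in rules:
        if prefix == "any":
            return action == "permit"
        rule_net = ipaddress.ip_network(prefix)
        lo = rule_net.prefixlen if ge is None else ge
        hi = rule_net.prefixlen if le is None else le
        if net.subnet_of(rule_net) and lo <= net.prefixlen <= hi:
            return action == "permit"
    return False  # nothing matched: implicit deny (why a deny-only list drops all)

def originate_externals(connected, route_map=None):
    """Type-5 LSAs Router A originates under 'config redistribute connected'.
    A route-map on the redistribution drops routes before they enter OSPF."""
    return [r for r in connected
            if route_map is None or prefix_list_permits(route_map, r)]

def install_routes(lsdb, distribute_list_in=None):
    """Routes Router B installs from received externals. distribute-list-in
    filters the routing table only; the LSDB still holds every LSA received."""
    return [r for r in lsdb
            if distribute_list_in is None or prefix_list_permits(distribute_list_in, r)]

def compare_filters():
    # First attempt: distribute-list-in on Router B, nothing on Router A.
    lsdb_b = originate_externals(ROUTER_A_CONNECTED)
    rib_b = install_routes(lsdb_b, REDISTRIBUTE_CONNECTED)
    # Accepted answer: route-map on Router A's 'redistribute connected'.
    lsdb_b_fixed = originate_externals(ROUTER_A_CONNECTED, REDISTRIBUTE_CONNECTED)
    return {"lsdb_with_distribute_list_in": lsdb_b,
            "rib_with_distribute_list_in": rib_b,
            "lsdb_with_routemap": lsdb_b_fixed}
```

The deny-only case (a list with no permit rule) also reproduces the earlier access-list symptom, where every connected route disappeared: with nothing matching, the implicit deny drops them all.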

support12
New Contributor III

And delete this from both:

set distribute-list-in "OSPF-Filter"

 

asgspl

Thank you for your replies. I'll try to reproduce this on my testing environment and I'll let you guys know.

 

asgspl
New Contributor

Advanced Routing for FortiOS 5.2

Fortinet Technologies Inc.

 

Page 56

 

"Route maps

Route maps are a way for the FortiGate unit to evaluate optimum routes for forwarding packets or suppressing the routing of packets to particular destinations. Compared to access lists, route maps support enhanced packet-matching. In addition, route maps can be configured to permit or deny the addition of routes to the FortiGate unit routing table and make changes to routing information dynamically as defined through route-map rules. Route maps can be used for limiting both received route updates, and sent route updates. This can include the redistribution of routes learned from other types of routing. For example if you don't want to advertise local static routes to external networks, you could use a route map to accomplish this."

 

Thank you Edwin, works like a charm.

 

Personal note:

I would recommend that every tech who's thinking of playing with dynamic routing read the whole "FortiOS™ Handbook - Advanced Routing VERSION 5.2.2" from scratch and try to reproduce every example in the lab.

 

Cheers,

Tony

tanr
Valued Contributor II

The 5.4 version of Advanced Routing doesn't have a PDF version. The online help version is at:

 

    http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-advanced-routing-54/HB_intro.htm

 

asgspl
New Contributor

Hi tanr,

 

I've seen this one but didn't read it yet. My boxes were running 5.2.10, so I preferred reading the old advanced routing handbook. Upgrading my boxes to 5.4.4 is the next step.

 

Thanks for your reply.

 

Cheers,

Tony 
