Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Ozz
New Contributor

Stop sending advertisement for specific network in ospf Area 0 to the other VPN tunnel

Hello,

I am stuck on one subject. I have an environment whose routing protocol is "OSPF". HQ-test: 60.60.60.0/24

BCN-Test: 70.70.70.0/24. Test-Branch: 66.66.66.0/24.

HQ-Test & BCN-Test are connected via VPN.

HQ-Test & Test-Branch are connected via VPN.

I don't want to advertise the Test-Branch IP block to BCN-Test. I have tried access-list & prefix-list. It has not worked. I also added the routing tables from all sites.

Do you have any idea for a solution?

HQ-TEST routing table:

HQ-TEST (VPN-VDOM) # get router info routing-table all
S*      0.0.0.0/0 [5/0] via X.X.X.129, internal7
C       1.20.255.19/32 is directly connected, VPN-Tst-BCN_0
C       1.20.255.20/32 is directly connected, VPN-Tst-BCN_0
O       1.20.255.40/30 [110/300] via 1.20.255.20, VPN-Tst-BCN_0, 2d18h39m
O       1.20.255.44/30 [110/200] via 1.20.255.20, VPN-Tst-BCN_0, 2d18h39m
C       1.20.255.59/32 is directly connected, VPN_Bnch2_Dp
                       is directly connected, VPN_Bnch2_Dp_0
C       1.20.255.60/32 is directly connected, VPN_Bnch2_Dp
                       is directly connected, VPN_Bnch2_Dp_0
C       1.20.255.248/30 is directly connected, root2VPN1
O       1.20.255.252/30 [110/200] via 1.20.255.249, root2VPN1, 01w4d19h
O       60.60.60.0/26 [110/101] via 1.20.255.249, root2VPN1, 2d20h28m
O       60.60.60.128/26 [110/101] via 1.20.255.249, root2VPN1, 2d20h28m
O       60.60.60.208/28 [110/101] via 1.20.255.249, root2VPN1, 2d20h28m
O       60.60.60.224/28 [110/101] via 1.20.255.249, root2VPN1, 2d20h28m
O       60.60.60.248/29 [110/101] via 1.20.255.249, root2VPN1, 2d20h28m
C       62.96.202.128/27 is directly connected, internal7
S       66.66.66.0/24 [15/0] via 95.91.224.231, VPN_Bnch2_Dp_0
O       66.66.66.64/26 [110/101] via 1.20.255.60, VPN_Bnch2_Dp_0, 02:26:48
O       66.66.66.128/26 [110/101] via 1.20.255.60, VPN_Bnch2_Dp_0, 02:26:48
O       66.66.66.224/28 [110/101] via 1.20.255.60, VPN_Bnch2_Dp_0, 02:26:48
O       66.66.66.240/29 [110/101] via 1.20.255.60, VPN_Bnch2_Dp_0, 02:26:48
O       70.70.70.64/26 [110/201] via 1.20.255.20, VPN-Tst-BCN_0, 2d18h39m
O       70.70.70.128/26 [110/201] via 1.20.255.20, VPN-Tst-BCN_0, 2d18h39m
O       70.70.70.208/28 [110/201] via 1.20.255.20, VPN-Tst-BCN_0, 2d18h39m
O       70.70.70.224/28 [110/201] via 1.20.255.20, VPN-Tst-BCN_0, 2d18h39m
O       70.70.70.248/29 [110/201] via 1.20.255.20, VPN-Tst-BCN_0, 2d18h39m
C       169.253.0.1/32 is directly connected, OSPF_Loopback
O       169.253.0.2/32 [110/400] via 1.20.255.20, VPN-Tst-BCN_0, 2d18h39m
O       169.253.0.3/32 [110/200] via 1.20.255.249, root2VPN1, 01w4d19h
O       169.253.0.5/32 [110/300] via 1.20.255.249, root2VPN1, 01w4d19h
O       169.253.0.7/32 [110/200] via 1.20.255.20, VPN-Tst-BCN_0, 2d18h39m
O       169.253.0.10/32 [110/300] via 1.20.255.20, VPN-Tst-BCN_0, 2d18h39m
O       169.253.0.66/32 [110/200] via 1.20.255.60, VPN_Bnch2_Dp_0, 02:26:48


BCN-TST routing table:

BCN-TEST (VPN-VDOM) # get router info routing-table all
S*      0.0.0.0/0 [5/0] via Y.Y.Y.1, wan2
C       1.20.255.19/32 is directly connected, VPN-HQ-Tst
C       1.20.255.20/32 is directly connected, VPN-HQ-Tst
O       1.20.255.40/30 [110/200] via 1.20.255.45, root2VPN1, 01w4d00h
C       1.20.255.44/30 is directly connected, root2VPN1
O       1.20.255.59/32 [110/100] via 1.20.255.19, VPN-HQ-Tst, 2d18h40m
O       1.20.255.60/32 [110/200] via 1.20.255.19, VPN-HQ-Tst, 2d18h40m
O       1.20.255.248/30 [110/200] via 1.20.255.19, VPN-HQ-Tst, 2d18h40m
O       1.20.255.252/30 [110/300] via 1.20.255.19, VPN-HQ-Tst, 2d18h40m
O       60.60.60.0/26 [110/201] via 1.20.255.19, VPN-HQ-Tst, 2d18h40m
O       60.60.60.128/26 [110/201] via 1.20.255.19, VPN-HQ-Tst, 2d18h40m
O       60.60.60.208/28 [110/201] via 1.20.255.19, VPN-HQ-Tst, 2d18h40m
O       60.60.60.224/28 [110/201] via 1.20.255.19, VPN-HQ-Tst, 2d18h40m
O       60.60.60.248/29 [110/201] via 1.20.255.19, VPN-HQ-Tst, 2d18h40m
O       66.66.66.64/26 [110/201] via 1.20.255.19, VPN-HQ-Tst, 02:27:20
O       66.66.66.128/26 [110/201] via 1.20.255.19, VPN-HQ-Tst, 02:27:20
O       66.66.66.224/28 [110/201] via 1.20.255.19, VPN-HQ-Tst, 02:27:20
O       66.66.66.240/29 [110/201] via 1.20.255.19, VPN-HQ-Tst, 02:27:20
O       70.70.70.64/26 [110/101] via 1.20.255.45, root2VPN1, 2d20h30m
O       70.70.70.128/26 [110/101] via 1.20.255.45, root2VPN1, 2d20h30m
O       70.70.70.208/28 [110/101] via 1.20.255.45, root2VPN1, 2d20h30m
O       70.70.70.224/28 [110/101] via 1.20.255.45, root2VPN1, 2d20h30m
O       70.70.70.248/29 [110/101] via 1.20.255.45, root2VPN1, 2d20h30m
O       169.253.0.1/32 [110/200] via 1.20.255.19, VPN-HQ-Tst, 2d18h40m
O       169.253.0.2/32 [110/300] via 1.20.255.45, root2VPN1, 01w4d00h
O       169.253.0.3/32 [110/300] via 1.20.255.19, VPN-HQ-Tst, 2d18h40m
O       169.253.0.5/32 [110/400] via 1.20.255.19, VPN-HQ-Tst, 2d18h40m
C       169.253.0.7/32 is directly connected, OSPF-VPN
O       169.253.0.10/32 [110/200] via 1.20.255.45, root2VPN1, 01w4d18h
O       169.253.0.66/32 [110/300] via 1.20.255.19, VPN-HQ-Tst, 02:27:20

Benoit_Rech_FTNT

Hello, by definition, with OSPF, you should have the same OSPF database in all routers in a specific area. If you want to filter, you need to use a different area, or use distribute-list-in on your test branch.

Benoit

Toshi_Esumi
Esteemed Contributor III

Depending on your goal, if you don't want Branch to reach BCN but still want to use OSPF area 0 for all locations, you should just NOT set a policy/policies to allow the access.

Yurisk
Valued Contributor

Playing with OSPF filtering is painful regardless of the vendor, as all databases have to be the same on all routers; then you are only left with filtering what gets installed in the RIB of a specific router, and then you have to maintain this mess. But there are some good ideas here: https://forum.fortinet.com/tm.aspx?m=146241

 

Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
Ozz
New Contributor

Hi, yes, I saw this post, but it is useless for my case. I need more detailed information. Do you have any idea or solution?

emnoc
Esteemed Contributor III

Options: filtering the route, or installing static routes that have a higher admin distance to override the OSPF. You have been given numerous methods to correct or control this.


Ken Felix

PCNSE

NSE

StrongSwan
Benoit_Rech_FTNT

Ozz,

if you need some examples of filtering OSPF, you can go to the Fortinet KB documentation. Search for "OSPF filtering" and you will find some articles that can help you solve your issue. I recommend these two articles, linked to what I recommended previously:

* distribute-list-in example: https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD30259

* inter-area filtering: https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD33624

Best regards
Benoit
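An added example, not taken from the thread or the KB articles, of the distribute-list-in approach Benoit suggests in both of his replies: a FortiOS CLI fragment for BCN-TEST (VPN-VDOM) that stops the Test-Branch 66.66.66.0/24 subnets from being installed in BCN's routing table. The access-list name is my choice, lines starting with # are explanatory comments, and it assumes OSPF is already configured under config router ospf on that VDOM.

```fortios
# Added example (not from the thread). Applied on BCN-TEST (VPN-VDOM).
# An access-list that denies 66.66.66.0/24 and anything more specific
# (exact-match disabled), then permits everything else.
config router access-list
    edit "deny-test-branch"
        config rule
            edit 1
                set action deny
                set prefix 66.66.66.0 255.255.255.0
                set exact-match disable
            next
            edit 2
                set action permit
                set prefix any
            next
        end
    next
end

# distribute-list-in only filters what OSPF installs in this router's RIB;
# the LSDB is unchanged and the LSAs are still flooded to BCN's root VDOM.
config router ospf
    set distribute-list-in "deny-test-branch"
end
```

After applying it, `get router info routing-table all` on BCN-TEST should no longer list the 66.66.66.x "O" routes, while `get router info ospf database` still shows them; a router behind BCN that keeps installing those routes with BCN as next hop will get no reply, which is the maintenance cost Yurisk describes.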

Ozz
New Contributor

Here is the topology 

Ozz wrote:

Hi, yes, I saw this post, but it is useless for my case. I need more detailed information. Do you have any idea or solution?

Toshi_Esumi
Esteemed Contributor III

I really think you shouldn't be putting all of these VDOMs in at least one area 0 of the OSPF domain while OSPF is designed to share the topology inside an area. To me you're trying to break OSPF design.

Instead, I would set up eBGP between HQ VPN-VDOM, BCN VPN-VDOM and Branch root-VDOM, then use OSPF inside HQ and inside BCN, so that those VPN-VDOMs would be ASBRs in the OSPF domain and you can control what to import/export using route-maps between OSPF and BGP.
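An added example, not from the thread, of the design Toshi describes: HQ-TEST (VPN-VDOM) keeps OSPF only towards its root VDOM, peers eBGP with BCN over the tunnel addresses seen in the routing tables (HQ 1.20.255.19, BCN 1.20.255.20), redistributes its OSPF routes into BGP, and uses a route-map to keep 66.66.66.0/24 out of what it advertises to BCN. The AS numbers, prefix-list and route-map names are assumptions; lines starting with # are explanatory comments, and BCN needs the mirror configuration.

```fortios
# Added example (not from the thread). Applied on HQ-TEST (VPN-VDOM).
# Prefix-list matching 66.66.66.0/24 and every subnet inside it.
config router prefix-list
    edit "pl-test-branch"
        config rule
            edit 1
                set action permit
                set prefix 66.66.66.0 255.255.255.0
                set le 32
            next
        end
    next
end

# Route-map: rule 1 drops Test-Branch prefixes, rule 2 permits the rest.
config router route-map
    edit "rm-to-bcn"
        config rule
            edit 1
                set action deny
                set match-ip-address "pl-test-branch"
            next
            edit 2
                set action permit
            next
        end
    next
end

# eBGP to BCN (AS numbers assumed), OSPF routes redistributed into BGP,
# route-map applied outbound so BCN never receives 66.66.66.x.
config router bgp
    set as 65001
    set router-id 169.253.0.1
    config neighbor
        edit "1.20.255.20"
            set remote-as 65002
            set route-map-out "rm-to-bcn"
        next
    end
    config redistribute "ospf"
        set status enable
    end
end
```

The reverse direction, BGP-learned routes back into HQ's OSPF, is configured the same way under config router ospf with config redistribute "bgp", and `get router info bgp neighbors 1.20.255.20 advertised-routes` lets you confirm that no 66.66.66.x prefix leaves HQ.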

emnoc
Esteemed Contributor III

eBGP would be better and simpler, but a lot of people are nervous about BGP. You could set backbone area 0 between the VPN-VDOMs and set the root-VDOMs or links to something such as OSPF area 1, area 2, area 3 and then filter at the ABR, but that would be a lot of work also.

OP, why do you need to filter advertisements? Sounds like your network address topology needs to be rethought. I would double check you do NOT have CIDR overlaps.


Ken Felix

PCNSE

NSE

StrongSwan