Stop sending advertisement for a specific network in OSPF Area 0 to the other VPN tunnel

Author: Ozz (New Member)
2020/12/15 09:04:12

Hello,
I am stuck on one subject. I have an environment whose routing protocol is OSPF. HQ-Test: 60.60.60.0/24,
BCN-Test: 70.70.70.0/24, Test-Branch: 66.66.66.0/24.
HQ-Test and BCN-Test are connected via VPN.
HQ-Test and Test-Branch are connected via VPN.
I don't want to advertise the Test-Branch IP block to BCN-Test. I have tried an access-list and a prefix-list; it has not worked. I also add the routing tables from all sites.
Could you have any idea for the solution?
HQ-TEST routing table:
HQ-TEST (VPN-VDOM) # get router info routing-table all
S*      0.0.0.0/0 [5/0] via X.X.X.129, internal7
C       1.20.255.19/32 is directly connected, VPN-Tst-BCN_0
C       1.20.255.20/32 is directly connected, VPN-Tst-BCN_0
O       1.20.255.40/30 [110/300] via 1.20.255.20, VPN-Tst-BCN_0, 2d18h39m
O       1.20.255.44/30 [110/200] via 1.20.255.20, VPN-Tst-BCN_0, 2d18h39m
C       1.20.255.59/32 is directly connected, VPN_Bnch2_Dp
                       is directly connected, VPN_Bnch2_Dp_0
C       1.20.255.60/32 is directly connected, VPN_Bnch2_Dp
                       is directly connected, VPN_Bnch2_Dp_0
C       1.20.255.248/30 is directly connected, root2VPN1
O       1.20.255.252/30 [110/200] via 1.20.255.249, root2VPN1, 01w4d19h
O       60.60.60.0/26 [110/101] via 1.20.255.249, root2VPN1, 2d20h28m
O       60.60.60.128/26 [110/101] via 1.20.255.249, root2VPN1, 2d20h28m
O       60.60.60.208/28 [110/101] via 1.20.255.249, root2VPN1, 2d20h28m
O       60.60.60.224/28 [110/101] via 1.20.255.249, root2VPN1, 2d20h28m
O       60.60.60.248/29 [110/101] via 1.20.255.249, root2VPN1, 2d20h28m
C       62.96.202.128/27 is directly connected, internal7
S       66.66.66.0/24 [15/0] via 95.91.224.231, VPN_Bnch2_Dp_0
O       66.66.66.64/26 [110/101] via 1.20.255.60, VPN_Bnch2_Dp_0, 02:26:48
O       66.66.66.128/26 [110/101] via 1.20.255.60, VPN_Bnch2_Dp_0, 02:26:48
O       66.66.66.224/28 [110/101] via 1.20.255.60, VPN_Bnch2_Dp_0, 02:26:48
O       66.66.66.240/29 [110/101] via 1.20.255.60, VPN_Bnch2_Dp_0, 02:26:48
O       70.70.70.64/26 [110/201] via 1.20.255.20, VPN-Tst-BCN_0, 2d18h39m
O       70.70.70.128/26 [110/201] via 1.20.255.20, VPN-Tst-BCN_0, 2d18h39m
O       70.70.70.208/28 [110/201] via 1.20.255.20, VPN-Tst-BCN_0, 2d18h39m
O       70.70.70.224/28 [110/201] via 1.20.255.20, VPN-Tst-BCN_0, 2d18h39m
O       70.70.70.248/29 [110/201] via 1.20.255.20, VPN-Tst-BCN_0, 2d18h39m
C       169.253.0.1/32 is directly connected, OSPF_Loopback
O       169.253.0.2/32 [110/400] via 1.20.255.20, VPN-Tst-BCN_0, 2d18h39m
O       169.253.0.3/32 [110/200] via 1.20.255.249, root2VPN1, 01w4d19h
O       169.253.0.5/32 [110/300] via 1.20.255.249, root2VPN1, 01w4d19h
O       169.253.0.7/32 [110/200] via 1.20.255.20, VPN-Tst-BCN_0, 2d18h39m
O       169.253.0.10/32 [110/300] via 1.20.255.20, VPN-Tst-BCN_0, 2d18h39m
O       169.253.0.66/32 [110/200] via 1.20.255.60, VPN_Bnch2_Dp_0, 02:26:48
 
BCN-TST routing table:
BCN-TEST (VPN-VDOM) # get router info routing-table all
 
S*      0.0.0.0/0 [5/0] via Y.Y.Y.1, wan2
C       1.20.255.19/32 is directly connected, VPN-HQ-Tst
C       1.20.255.20/32 is directly connected, VPN-HQ-Tst
O       1.20.255.40/30 [110/200] via 1.20.255.45, root2VPN1, 01w4d00h
C       1.20.255.44/30 is directly connected, root2VPN1
O       1.20.255.59/32 [110/100] via 1.20.255.19, VPN-HQ-Tst, 2d18h40m
O       1.20.255.60/32 [110/200] via 1.20.255.19, VPN-HQ-Tst, 2d18h40m
O       1.20.255.248/30 [110/200] via 1.20.255.19, VPN-HQ-Tst, 2d18h40m
O       1.20.255.252/30 [110/300] via 1.20.255.19, VPN-HQ-Tst, 2d18h40m
O       60.60.60.0/26 [110/201] via 1.20.255.19, VPN-HQ-Tst, 2d18h40m
O       60.60.60.128/26 [110/201] via 1.20.255.19, VPN-HQ-Tst, 2d18h40m
O       60.60.60.208/28 [110/201] via 1.20.255.19, VPN-HQ-Tst, 2d18h40m
O       60.60.60.224/28 [110/201] via 1.20.255.19, VPN-HQ-Tst, 2d18h40m
O       60.60.60.248/29 [110/201] via 1.20.255.19, VPN-HQ-Tst, 2d18h40m
O       66.66.66.64/26 [110/201] via 1.20.255.19, VPN-HQ-Tst, 02:27:20
O       66.66.66.128/26 [110/201] via 1.20.255.19, VPN-HQ-Tst, 02:27:20
O       66.66.66.224/28 [110/201] via 1.20.255.19, VPN-HQ-Tst, 02:27:20
O       66.66.66.240/29 [110/201] via 1.20.255.19, VPN-HQ-Tst, 02:27:20
O       70.70.70.64/26 [110/101] via 1.20.255.45, root2VPN1, 2d20h30m
O       70.70.70.128/26 [110/101] via 1.20.255.45, root2VPN1, 2d20h30m
O       70.70.70.208/28 [110/101] via 1.20.255.45, root2VPN1, 2d20h30m
O       70.70.70.224/28 [110/101] via 1.20.255.45, root2VPN1, 2d20h30m
O       70.70.70.248/29 [110/101] via 1.20.255.45, root2VPN1, 2d20h30m
O       169.253.0.1/32 [110/200] via 1.20.255.19, VPN-HQ-Tst, 2d18h40m
O       169.253.0.2/32 [110/300] via 1.20.255.45, root2VPN1, 01w4d00h
O       169.253.0.3/32 [110/300] via 1.20.255.19, VPN-HQ-Tst, 2d18h40m
O       169.253.0.5/32 [110/400] via 1.20.255.19, VPN-HQ-Tst, 2d18h40m
C       169.253.0.7/32 is directly connected, OSPF-VPN
O       169.253.0.10/32 [110/200] via 1.20.255.45, root2VPN1, 01w4d18h
O       169.253.0.66/32 [110/300] via 1.20.255.19, VPN-HQ-Tst, 02:27:20
#1


    Benoit_Rech_FTNT (Bronze Member, Sophia Antipolis, France)
    Re: Stop sending advertisement for a specific network in OSPF Area 0 to the other VPN tunnel, 2020/12/15 09:21:28
    Hello,
    by definition, with OSPF, you should have the same OSPF database in all routers in a specific area.
    If you want to filter, you need to use a different area, or use distribute-list-in on your test branch.
    Benoit
    #2
    Toshi Esumi (Expert Member)
    Re: Stop sending advertisement for a specific network in OSPF Area 0 to the other VPN tunnel, 2020/12/15 10:08:13
    Depending on your goal, if you don't want Branch to reach BCN but still want to use OSPF area 0 for all locations, you should just NOT set a policy/policies to allow the access.
    #3
    Yurisk (Gold Member)
    Re: Stop sending advertisement for a specific network in OSPF Area 0 to the other VPN tunnel, 2020/12/15 10:57:20
    Playing with OSPF filtering is painful regardless of the vendor, as all databases have to be the same on all routers; then you are only left with filtering what gets installed in the RIB of a specific router, and then you have to maintain this mess. But there are some good ideas here: https://forum.fortinet.com/tm.aspx?m=146241
    #4
    Ozz (New Member)
    Re: Stop sending advertisement for a specific network in OSPF Area 0 to the other VPN tunnel, 2020/12/16 00:09:20
    Hi, yes, I saw this post, but it is useless for my case. I need more detailed information. Do you have any idea or solution?
    #5
    emnoc (Expert Member, Austin TX area)
    Re: Stop sending advertisement for a specific network in OSPF Area 0 to the other VPN tunnel, 2020/12/16 07:07:33
    Options: filter the route, or install static routes that have a higher admin distance to override the OSPF. You have been given numerous methods to correct or control this.

    Ken Felix
    PCNSE
    NSE
    StrongSwan
    #6
    Benoit_Rech_FTNT (Bronze Member, Sophia Antipolis, France)
    Re: Stop sending advertisement for a specific network in OSPF Area 0 to the other VPN tunnel, 2020/12/16 07:26:02
    Ozz,
    if you need some examples of filtering OSPF, you can go to the Fortinet KB documentation.
    Search for "OSPF filtering" and you will find some articles that can help you solve your issue. I recommend these two articles, linked to what I recommended previously:
    * distribute-list-in example: https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD30259
    * inter-area filtering: https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD33624

    Best regards,
    Benoit
    #7
    Ozz (New Member)
    Re: Stop sending advertisement for a specific network in OSPF Area 0 to the other VPN tunnel, 2020/12/17 13:06:22
    Here is the topology.

    [Attached image: topology diagram, not reproduced here]

    #8
    Toshi Esumi (Expert Member)
    Re: Stop sending advertisement for a specific network in OSPF Area 0 to the other VPN tunnel, 2020/12/17 14:08:42
    I really think you shouldn't be putting all of these VDOMs in at least one area 0 of the OSPF domain, while OSPF is designed to share the topology inside an area. To me, you're trying to break the OSPF design.
    Instead, I would set up eBGP between the HQ VPN-VDOM, the BCN VPN-VDOM and the Branch root-VDOM, then use OSPF inside HQ and inside BCN, so that those VPN-VDOMs would be ASBRs in the OSPF domain and you can control what to import/export using route-maps between OSPF and BGP.
    #9
    emnoc (Expert Member, Austin TX area)
    Re: Stop sending advertisement for a specific network in OSPF Area 0 to the other VPN tunnel, 2020/12/17 15:21:58
    eBGP would be better and simpler, but a lot of people are nervous about BGP. You could set backbone area 0 between the VPN-VDOMs and put the root-VDOMs or links into something such as OSPF area 1, area 2, area 3, and then filter at the ABR, but that would be a lot of work also.

    OP, why do you need to filter advertisements? It sounds like your network address topology needs to be rethought. I would double check that you do NOT have CIDR overlaps.
     
    Ken Felix
    #10
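    The multi-area design that Benoit and Ken describe, written out as an added example against the HQ-TEST VPN-VDOM config that Ozz posts later in the thread; this is not code from the thread or from Fortinet. Assumptions, all mine: the BCN tunnel is moved out of area 0 into a hypothetical area 0.0.0.3 by changing the existing network entry 5 for 1.20.255.19/32, which makes the HQ VPN-VDOM the ABR between area 0 (HQ root VDOM and the Branch tunnel) and area 3 (BCN); BCN-TEST's own end of the tunnel must be placed in area 0.0.0.3 as well; the access-list and route-map names are hypothetical. The area filter-list with direction in drops matching type-3 summary LSAs before they are advertised into area 3, so the /26, /28 and /29 Branch subnets never reach BCN's database. It does not touch type-5 external LSAs, which flood into every regular area, and HQ redistributes the static 66.66.66.0/24, so that static is also kept out of redistribution with a route-map (making area 3 a stub would work too, but would strip every other external route from BCN). A later direct BCN-to-Branch tunnel can sit in its own area, where BCN becomes an ABR and learns Branch directly without HQ's filter getting in the way.

```text
# Added example, not part of the thread. Target: HQ-TEST (VPN-VDOM), which
# becomes the ABR. Hypothetical: area 0.0.0.3 and the names acl_branch_match,
# acl_no_branch and rm_static_no_branch. BCN-TEST's tunnel end must join
# area 0.0.0.3 too, or the adjacency over VPN-Tst-BCN will not form.

config router access-list
    # matches 66.66.66.0/24 and every longer prefix inside it (the /26, /28
    # and /29 subnets in the posted tables); used by the route-map deny rule
    edit "acl_branch_match"
        config rule
            edit 1
                set action permit
                set prefix 66.66.66.0 255.255.255.0
                set exact-match disable
            next
        end
    next
    # what may cross into area 3: everything except Branch
    edit "acl_no_branch"
        config rule
            edit 1
                set action deny
                set prefix 66.66.66.0 255.255.255.0
                set exact-match disable
            next
            edit 2
                set action permit
                set prefix any
            next
        end
    next
end

config router route-map
    # keeps the static 66.66.66.0/24 out of redistribution; as a type-5
    # external LSA it would otherwise flood into area 3 regardless of the
    # area filter-list
    edit "rm_static_no_branch"
        config rule
            edit 1
                set action deny
                set match-ip-address "acl_branch_match"
            next
            edit 2
                set action permit
            next
        end
    next
end

config router ospf
    config area
        edit 0.0.0.3
            set authentication md5
            config filter-list
                edit 1
                    # direction in: type-3 summaries denied by the list are
                    # not advertised into area 3
                    set list "acl_no_branch"
                    set direction in
                next
            end
        next
    end
    config network
        # the BCN tunnel address is already network entry 5 in the posted
        # config; only the area changes
        edit 5
            set prefix 1.20.255.19 255.255.255.255
            set area 0.0.0.3
        next
    end
    config redistribute "static"
        set status enable
        set routemap "rm_static_no_branch"
    end
end

# Verification:
#   HQ-TEST:  get router info ospf neighbor        -> BCN neighbour in area 0.0.0.3
#   BCN-TEST: get router info routing-table ospf   -> 60.60.60.x present, no 66.66.66.x
#   BCN-TEST: get router info ospf database brief  -> no summary or external LSA for 66.66.66.x
```

    Because BCN no longer has any route for 66.66.66.0/24, traffic from BCN towards Branch follows BCN's static default via wan2, so a firewall policy is still the control that actually stops it.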
    Ozz (New Member)
    Re: Stop sending advertisement for a specific network in OSPF Area 0 to the other VPN tunnel, 2020/12/18 01:25:47
    I cannot change the topology from OSPF to BGP. Normally I will connect Test-Branch to BCN-TEST. That is why I need to stop advertising the Branch block from the HQ site to the BCN site.
    #11
    cchokbengboun (New Member)
    Re: Stop sending advertisement for a specific network in OSPF Area 0 to the other VPN tunnel, 2020/12/21 01:19:33
    Dear Ozz,
    Please send us your OSPF configuration and the ACLs.
    Thanks
    #12
    Ozz (New Member)
    Re: Stop sending advertisement for a specific network in OSPF Area 0 to the other VPN tunnel, 2020/12/21 05:15:47
    config router access-list
        edit "ac_drop_66"
            config rule
                edit 1
                    set action deny
                    set prefix 66.66.66.0 255.255.255.0
                    set exact-match enable
                next
            end
        next
    end
     
     
    config router ospf
        set abr-type cisco
        set router-id 169.253.0.1
        set restart-mode graceful-restart
        config area
            edit 0.0.0.0
                set authentication md5
                config filter-list
                    edit 1
                        set list "ac_drop_66"
                    next
                end
            next
        end
        config ospf-interface
            edit "OSPF2root"
                set interface "root2VPN1"
                set authentication md5
                set dead-interval 40
                set hello-interval 10
                set network-type point-to-point
                config md5-keys
                    edit 1
                        set key-string ENC izQUWwhEeAXS0e7/3FbUXqeyvKT4a7MlCNK9g==
                    next
                end
            next
            edit "OSPF_Barcelona_2"
                set interface "VPN-Tst-BCN"
                set authentication md5
                set cost 220
                set priority 10
                set dead-interval 40
                set hello-interval 10
                set network-type point-to-point
                config md5-keys
                    edit 1
                        set key-string ENC kA0GugKhLdvfYZV3Q2wTaBoZZtRFoq8XHY1A6A==
                    next
                end
            next
            edit "OSPF-Branch"
                set interface "VPN_Bnch2_Dp"
                set authentication md5
                set dead-interval 40
                set hello-interval 10
                set network-type point-to-point
                config md5-keys
                    edit 1
                        set key-string ENC X04kxQACHw1N91M8Uxxx1cBNECk6b2CGVRpl/aG/qYw==
                    next
                end
            next
        end
        config network
            edit 1
                set prefix 169.253.0.1 255.255.255.255
            next
            edit 2
                set prefix 1.20.255.250 255.255.255.255
            next
            edit 3
                set prefix 10.60.6.10 255.255.255.255
            next
            edit 4
                set prefix 1.20.255.59 255.255.255.255
            next
            edit 5
                set prefix 1.20.255.19 255.255.255.255
            next
        end
        config redistribute "connected"
        end
        config redistribute "static"
            set status enable
        end
        config redistribute "rip"
        end
        config redistribute "bgp"
        end
        config redistribute "isis"
        end
    end
    #13
    cchokbengboun (New Member)
    Re: Stop sending advertisement for a specific network in OSPF Area 0 to the other VPN tunnel, 2020/12/21 06:31:32
    Hi Ozz,
    If you apply an ACL in the area configuration, it means that you want to filter between different areas. In your case you only have one area.
    I think you have to apply your ACL directly on the FGT BCN-test with the following configuration:
    config router access-list
        edit "ac_drop_66"
            config rule
                edit 1
                    set action deny
                    set prefix 66.66.66.0 255.255.255.0
                    set exact-match enable
                next
                edit 2
                    set action permit
                    set prefix any
                next
            end
        next
    end
    config router ospf
        set distribute-list-in "ac_drop_66"
    end
     
    Thanks,
    CCH
    #14
    Ozz (New Member)
    Re: Stop sending advertisement for a specific network in OSPF Area 0 to the other VPN tunnel, 2020/12/22 00:34:16
    But BCN-Tst also has a VPN connection to the Branch office. (I cannot create the scenario, because of my lack of resources, like static IPs.) If I write this ACL on BCN-Tst, it will not accept the Branch site block from Branch.
    I have another idea: if I run two VRFs in the backbone area, it may work, but I am not sure. If I have time, I will try.
     
    #15
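    The distribute-list-in approach from CCH's reply, reworked as an added example that is not code from the thread or from Fortinet. It assumes FortiOS 6.x CLI syntax on BCN-TEST's VPN-VDOM, and the access-list name is hypothetical. Two details matter for the tables Ozz posted. The Branch routes that actually arrive at BCN are 66.66.66.64/26, .128/26, .224/28 and .240/29, so a deny rule for 66.66.66.0/24 with exact-match enabled matches none of them; with exact-match disabled the rule matches the /24 and every longer prefix inside it. And distribute-list-in only stops routes from being installed in BCN's RIB, which is the filter Yurisk refers to: the LSAs stay in the area 0 database, and the filter applies to every OSPF path to those prefixes, including a future direct tunnel from BCN to Branch, which is exactly the objection in the last post. It is a local, per-router control, not a way to stop the advertisement.

```text
# Added example, not part of the thread. Target: BCN-TEST (VPN-VDOM).
# Hypothetical name: acl_drop_branch.

config router access-list
    edit "acl_drop_branch"
        config rule
            edit 1
                set action deny
                set prefix 66.66.66.0 255.255.255.0
                # exact-match disable: the rule also matches 66.66.66.64/26,
                # .128/26, .224/28 and .240/29; with exact-match enable it
                # would match only a route for exactly 66.66.66.0/24
                set exact-match disable
            next
            edit 2
                # the list ends in an implicit deny; keep every other OSPF route
                set action permit
                set prefix any
            next
        end
    next
end

config router ospf
    # applied to all OSPF routes before RIB installation, whatever neighbour
    # or tunnel they were learned from (including a direct BCN-Branch tunnel)
    set distribute-list-in "acl_drop_branch"
end

# Verification on BCN-TEST:
#   get router info routing-table ospf    -> no 66.66.66.x entries
#   get router info ospf database brief   -> the Branch LSAs are still present;
#                                            nothing was removed from area 0
#   get router info routing-table all     -> 66.66.66.x now follows the static
#                                            default via wan2, so a firewall
#                                            policy is still what blocks it
```

    To clear the filter later, `unset distribute-list-in` under `config router ospf` restores the routes without any OSPF adjacency flap, since the database was never changed.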