Stop sending advertisement for specific network in ospf Area 0 to the other VPN tunnel | Fortinet Technical Discussion Forums

Join us now!

Username
Password
Verification
	Stay logged in

Forgot Your Password? Forgot your Username? Haven't received registration validation E-mail?

User Control Panel Log out

Forums
Posts

Latest Posts

Active Posts

Recently Visited

Search Results

View More
Blog

Recent Blog Posts

View More
Photos

Recent Photos

My Favorites

View More Photo Galleries
PMs

Unread PMs

Inbox

Send New PM View More
Page Extras
Menu
- Forum Themes
- Member List
- Online User List
- User Groups

Videos, Docs Library, KB
Fuse
- Fuse Fortinet User Community

Mark Thread UnreadFlat Reading Mode ❐

Hot!Stop sending advertisement for specific network in ospf Area 0 to the other VPN tunnel

Author Post Essentials Only Full Version
Ozz New Member Total Posts : 6 Scores: 0 Reward points: 0 Joined: 2020/03/05 23:52:59 Status: offline 2020/12/15 09:04:12 (permalink) 0 Stop sending advertisement for specific network in ospf Area 0 to the other VPN tunnel Hello, I have stucked in one subject . I have environmement which has routing protocol is "OSPF" . HQ-test : 60.60.60.0/24 BCN-Test:70.70.70.0/24. Test-Branc:66.66.66.0/24. HQ-Test & BCN-Test is connected via VPN Hq-Test & Test-Branch is connected via VPN. I dont want to advertise Test-Branch Ip block to Bcn-Test , I have tried access-list & prefix list. It has not worked. I add also routing tables from all sites Could you have any idea for the solution? HQ-TEST routing table: HQ-TEST (VPN-VDOM) # get router info routing-table all S* 0.0.0.0/0 [5/0] via X.X.X.129, internal7 C 1.20.255.19/32 is directly connected, VPN-Tst-BCN_0 C 1.20.255.20/32 is directly connected, VPN-Tst-BCN_0 O 1.20.255.40/30 [110/300] via 1.20.255.20, VPN-Tst-BCN_0, 2d18h39m O 1.20.255.44/30 [110/200] via 1.20.255.20, VPN-Tst-BCN_0, 2d18h39m C 1.20.255.59/32 is directly connected, VPN_Bnch2_Dp is directly connected, VPN_Bnch2_Dp_0 C 1.20.255.60/32 is directly connected, VPN_Bnch2_Dp is directly connected, VPN_Bnch2_Dp_0 C 1.20.255.248/30 is directly connected, root2VPN1 O 1.20.255.252/30 [110/200] via 1.20.255.249, root2VPN1, 01w4d19h O 60.60.60.0/26 [110/101] via 1.20.255.249, root2VPN1, 2d20h28m O 60.60.60.128/26 [110/101] via 1.20.255.249, root2VPN1, 2d20h28m O 60.60.60.208/28 [110/101] via 1.20.255.249, root2VPN1, 2d20h28m O 60.60.60.224/28 [110/101] via 1.20.255.249, root2VPN1, 2d20h28m O 60.60.60.248/29 [110/101] via 1.20.255.249, root2VPN1, 2d20h28m C 62.96.202.128/27 is directly connected, internal7 S 66.66.66.0/24 [15/0] via 95.91.224.231, VPN_Bnch2_Dp_0 O 66.66.66.64/26 [110/101] via 1.20.255.60, VPN_Bnch2_Dp_0, 02:26:48 O 66.66.66.128/26 [110/101] via 1.20.255.60, VPN_Bnch2_Dp_0, 02:26:48 O 66.66.66.224/28 [110/101] via 1.20.255.60, VPN_Bnch2_Dp_0, 02:26:48 O 66.66.66.240/29 [110/101] via 1.20.255.60, VPN_Bnch2_Dp_0, 02:26:48 O 70.70.70.64/26 [110/201] via 1.20.255.20, VPN-Tst-BCN_0, 2d18h39m O 70.70.70.128/26 [110/201] via 1.20.255.20, VPN-Tst-BCN_0, 2d18h39m O 70.70.70.208/28 [110/201] via 1.20.255.20, VPN-Tst-BCN_0, 2d18h39m O 70.70.70.224/28 [110/201] via 1.20.255.20, VPN-Tst-BCN_0, 2d18h39m O 70.70.70.248/29 [110/201] via 1.20.255.20, VPN-Tst-BCN_0, 2d18h39m C 169.253.0.1/32 is directly connected, OSPF_Loopback O 169.253.0.2/32 [110/400] via 1.20.255.20, VPN-Tst-BCN_0, 2d18h39m O 169.253.0.3/32 [110/200] via 1.20.255.249, root2VPN1, 01w4d19h O 169.253.0.5/32 [110/300] via 1.20.255.249, root2VPN1, 01w4d19h O 169.253.0.7/32 [110/200] via 1.20.255.20, VPN-Tst-BCN_0, 2d18h39m O 169.253.0.10/32 [110/300] via 1.20.255.20, VPN-Tst-BCN_0, 2d18h39m O 169.253.0.66/32 [110/200] via 1.20.255.60, VPN_Bnch2_Dp_0, 02:26:48 BCN-TST routing table: BCN-TEST (VPN-VDOM) # get router info routing-table all S* 0.0.0.0/0 [5/0] via Y.Y.Y.1, wan2 C 1.20.255.19/32 is directly connected, VPN-HQ-Tst C 1.20.255.20/32 is directly connected, VPN-HQ-Tst O 1.20.255.40/30 [110/200] via 1.20.255.45, root2VPN1, 01w4d00h C 1.20.255.44/30 is directly connected, root2VPN1 O 1.20.255.59/32 [110/100] via 1.20.255.19, VPN-HQ-Tst, 2d18h40m O 1.20.255.60/32 [110/200] via 1.20.255.19, VPN-HQ-Tst, 2d18h40m O 1.20.255.248/30 [110/200] via 1.20.255.19, VPN-HQ-Tst, 2d18h40m O 1.20.255.252/30 [110/300] via 1.20.255.19, VPN-HQ-Tst, 2d18h40m O 60.60.60.0/26 [110/201] via 1.20.255.19, VPN-HQ-Tst, 2d18h40m O 60.60.60.128/26 [110/201] via 1.20.255.19, VPN-HQ-Tst, 2d18h40m O 60.60.60.208/28 [110/201] via 1.20.255.19, VPN-HQ-Tst, 2d18h40m O 60.60.60.224/28 [110/201] via 1.20.255.19, VPN-HQ-Tst, 2d18h40m O 60.60.60.248/29 [110/201] via 1.20.255.19, VPN-HQ-Tst, 2d18h40m O 66.66.66.64/26 [110/201] via 1.20.255.19, VPN-HQ-Tst, 02:27:20 O 66.66.66.128/26 [110/201] via 1.20.255.19, VPN-HQ-Tst, 02:27:20 O 66.66.66.224/28 [110/201] via 1.20.255.19, VPN-HQ-Tst, 02:27:20 O 66.66.66.240/29 [110/201] via 1.20.255.19, VPN-HQ-Tst, 02:27:20 O 70.70.70.64/26 [110/101] via 1.20.255.45, root2VPN1, 2d20h30m O 70.70.70.128/26 [110/101] via 1.20.255.45, root2VPN1, 2d20h30m O 70.70.70.208/28 [110/101] via 1.20.255.45, root2VPN1, 2d20h30m O 70.70.70.224/28 [110/101] via 1.20.255.45, root2VPN1, 2d20h30m O 70.70.70.248/29 [110/101] via 1.20.255.45, root2VPN1, 2d20h30m O 169.253.0.1/32 [110/200] via 1.20.255.19, VPN-HQ-Tst, 2d18h40m O 169.253.0.2/32 [110/300] via 1.20.255.45, root2VPN1, 01w4d00h O 169.253.0.3/32 [110/300] via 1.20.255.19, VPN-HQ-Tst, 2d18h40m O 169.253.0.5/32 [110/400] via 1.20.255.19, VPN-HQ-Tst, 2d18h40m C 169.253.0.7/32 is directly connected, OSPF-VPN O 169.253.0.10/32 [110/200] via 1.20.255.45, root2VPN1, 01w4d18h O 169.253.0.66/32 [110/300] via 1.20.255.19, VPN-HQ-Tst, 02:27:20 #1 14 Replies Related Threads
Benoit_Rech_FTNT Bronze Member Total Posts : 49 Scores: 9 Reward points: 0 Joined: 2013/06/04 02:38:46 Location: Sophia Antipolis (France) Status: offline Re: Stop sending advertisement for specific network in ospf Area 0 to the other VPN tunnel 2020/12/15 09:21:28 (permalink) 5 (1) Hello, by definition, with OSPF, you should have the same OSPF database in all routers in a specific area. If you want to filter, you need to use different area, or use distribute-list-in on your test branch. Benoit #2
Toshi Esumi Expert Member Total Posts : 2403 Scores: 233 Reward points: 0 Joined: 2014/11/06 09:56:42 Status: offline Re: Stop sending advertisement for specific network in ospf Area 0 to the other VPN tunnel 2020/12/15 10:08:13 (permalink) 0 Depending on your goal, if you don't want Branch to reach BCN, but still want to use OSPF area 0 for all locations, you should just NOT to set a policy/policies to allow the access. #3
Yurisk Gold Member Total Posts : 157 Scores: 32 Reward points: 0 Joined: 2011/12/04 03:30:01 Status: online Re: Stop sending advertisement for specific network in ospf Area 0 to the other VPN tunnel 2020/12/15 10:57:20 (permalink) 0 Playing with OSPF filtering is painful regardless of the vendor as all databases have to be the same on all routers then you are only left with filtering what gets installed in RIB of a specific router, then you have to maintain this mess, but there are some good ideas here https://forum.fortinet.com/tm.aspx?m=146241 Yuri https://yurisk.info/ #4
Ozz New Member Total Posts : 6 Scores: 0 Reward points: 0 Joined: 2020/03/05 23:52:59 Status: offline Re: Stop sending advertisement for specific network in ospf Area 0 to the other VPN tunnel 2020/12/16 00:09:20 (permalink) 0 Hi , Yes I saw this post. but it is useless for my case. I need more detail information. Do you have any idea or solution? #5
emnoc Expert Member Total Posts : 5919 Scores: 394 Reward points: 0 Joined: 2008/03/20 13:30:33 Location: AUSTIN TX AREA Status: offline Re: Stop sending advertisement for specific network in ospf Area 0 to the other VPN tunnel 2020/12/16 07:07:33 (permalink) 0 options: filtering the route or install static routes that have a higher admin distance to override the OSPF. You have been given numerous methods to correct or control this. Ken Felix PCNSE NSE StrongSwan #6
Benoit_Rech_FTNT Bronze Member Total Posts : 49 Scores: 9 Reward points: 0 Joined: 2013/06/04 02:38:46 Location: Sophia Antipolis (France) Status: offline Re: Stop sending advertisement for specific network in ospf Area 0 to the other VPN tunnel 2020/12/16 07:26:02 (permalink) 0 Ozz, if you need some example about filtering OSPF, you can go to the KB documentation of Fortinet. Search for "OSPF filtering" , and you will find some article that can help you to solve your issue. I recommend these two articles linked to what I recommended previously: * distribute-list-in example: https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD30259 * inter-area filtering: https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD33624 Best regards Benoit #7
Ozz New Member Total Posts : 6 Scores: 0 Reward points: 0 Joined: 2020/03/05 23:52:59 Status: offline Re: Stop sending advertisement for specific network in ospf Area 0 to the other VPN tunnel 2020/12/17 13:06:22 (permalink) 0 Here is the topology Ozz Hi , Yes I saw this post. but it is useless for my case. I need more detail information. Do you have any idea or solution? Attached Image(s) #8
Toshi Esumi Expert Member Total Posts : 2403 Scores: 233 Reward points: 0 Joined: 2014/11/06 09:56:42 Status: offline Re: Stop sending advertisement for specific network in ospf Area 0 to the other VPN tunnel 2020/12/17 14:08:42 (permalink) 0 I really think you shouldn't be putting all of these vdoms in at least one area0 of OSPF domain while OSPF is designed to share the topology inside an area. To me you're trying to break OSFP design. Instead, I would set eBGP between HQ VPN-VDOM, BCN VPN-VDOM and Branch root-VDOM, then use OSPF inside HQ and inside BCN, so that those VPN-VDOMs would be ASBR in the OSPF domain and you can control what to import/export using route-maps between OSPF and BGP. #9
emnoc Expert Member Total Posts : 5919 Scores: 394 Reward points: 0 Joined: 2008/03/20 13:30:33 Location: AUSTIN TX AREA Status: offline Re: Stop sending advertisement for specific network in ospf Area 0 to the other VPN tunnel 2020/12/17 15:21:58 (permalink) 0 eBGP would better and simpler but a lot of people are nervous about BGP. You could set backbne area 0 between the vpn-dom and set the root-vdoms or links to such as a opsf area 1 area 2 area 3 and then filter at the ABR but that would be a lot of work also OP why do yo need to filter advertisements ? Sounds like you network address topology needs to be rethought. I would double check you do NOT have CIDR overlaps. Ken Felix PCNSE NSE StrongSwan #10
Ozz New Member Total Posts : 6 Scores: 0 Reward points: 0 Joined: 2020/03/05 23:52:59 Status: offline Re: Stop sending advertisement for specific network in ospf Area 0 to the other VPN tunnel 2020/12/18 01:25:47 (permalink) 0 I can not change topolgy OSPF to BGP .. Normally I will connect Test-Branch to BCN-TEST. Why I need to stop advertising Branch blok from HQ site to the BCN site. #11
cchokbengboun New Member Total Posts : 2 Scores: 0 Reward points: 0 Joined: 2017/01/23 23:33:45 Status: offline Re: Stop sending advertisement for specific network in ospf Area 0 to the other VPN tunnel 2020/12/21 01:19:33 (permalink) 0 Dear Ozz, Please send us your ospf configuration and the ACLs. Thanks #12
Ozz New Member Total Posts : 6 Scores: 0 Reward points: 0 Joined: 2020/03/05 23:52:59 Status: offline Re: Stop sending advertisement for specific network in ospf Area 0 to the other VPN tunnel 2020/12/21 05:15:47 (permalink) 0 config router access-list edit "ac_drop_66" config rule edit 1 set action deny set prefix 66.66.66.0 255.255.255.0 set exact-match enable next end next end config router ospf set abr-type cisco set router-id 169.253.0.1 set restart-mode graceful-restart config area edit 0.0.0.0 set authentication md5 config filter-list edit 1 set list "ac_drop_66" next end next end config ospf-interface edit "OSPF2root" set interface "root2VPN1" set authentication md5 set dead-interval 40 set hello-interval 10 set network-type point-to-point config md5-keys edit 1 set key-string ENC izQUWwhEeAXS0e7/3FbUXqeyvKT4a7MlCNK9g== next end next edit "OSPF_Barcelona_2" set interface "VPN-Tst-BCN" set authentication md5 set cost 220 set priority 10 set dead-interval 40 set hello-interval 10 set network-type point-to-point config md5-keys edit 1 set key-string ENC kA0GugKhLdvfYZV3Q2wTaBoZZtRFoq8XHY1A6A== next end next edit "OSPF-Branch" set interface "VPN_Bnch2_Dp" set authentication md5 set dead-interval 40 set hello-interval 10 set network-type point-to-point config md5-keys edit 1 set key-string ENC X04kxQACHw1N91M8Uxxx1cBNECk6b2CGVRpl/aG/qYw== next end next end config network edit 1 set prefix 169.253.0.1 255.255.255.255 next edit 2 set prefix 1.20.255.250 255.255.255.255 next edit 3 set prefix 10.60.6.10 255.255.255.255 next edit 4 set prefix 1.20.255.59 255.255.255.255 next edit 5 set prefix 1.20.255.19 255.255.255.255 next end config redistribute "connected" end config redistribute "static" set status enable end config redistribute "rip" end config redistribute "bgp" end config redistribute "isis" end end #13
cchokbengboun New Member Total Posts : 2 Scores: 0 Reward points: 0 Joined: 2017/01/23 23:33:45 Status: offline Re: Stop sending advertisement for specific network in ospf Area 0 to the other VPN tunnel 2020/12/21 06:31:32 (permalink) 0 Hi Ozz, If you apply a ACL into area configuration, It means that you want to filter between differents area. In your case you only have one area. I think you have to apply your ACL directly on the FGT BCN-test with the following configuration : config router access edit "ac_drop_66" config rule edit 1 set action deny set prefix 66.66.66.0 255.255.255.0 set exact-match enable next edit 2 set action permit set prefix any next end next end config router ospf set distribute-list-in "ac_drop_66" end Thanks, CCH #14
Ozz New Member Total Posts : 6 Scores: 0 Reward points: 0 Joined: 2020/03/05 23:52:59 Status: offline Re: Stop sending advertisement for specific network in ospf Area 0 to the other VPN tunnel 2020/12/22 00:34:16 (permalink) 0 but BCN-Tst also has also vpn connection to the Branch office. ( I can not create the senario , because of my lack of sources, like static IP ) if I write this acl to Bcn-tst , it will no accept the branch site blok from branch.. I have an another idea, if I run two vrf in backbone ara , it may work but I am not sure. If I have time, I will try.. #15

Jump to:

© 2021 APG vNext Commercial Version 5.5