gfranceschi
Staff
September 23, 2010

Technical Tip: How to control (filter) OSPF route redistribution with access-list and route-map

Description

 

This article describes an example of how to control (filter) which static and connected routes are redistributed into OSPF, using an access-list and a route-map.

 

Scope

In this example, a FGT80C and a FGT300A are two OSPF neighbors in area 0.0.0.0.

The requirement is that, of all its connected and static routes, the FGT80C redistributes to the FGT300A only:

  • The connected network 10.168.6.0/23.
  • The static route 10.11.0.0/24.

Every other connected or static route on the FGT80C (for example 10.12.0.0/24, 10.168.4.0/23 and the 172.31.224.0/23 WAN subnet) must no longer appear in the FGT300A routing table.

Solution

 

 

  1. Configuration and verification before filtering the routes.


FGT80C:

 

config router ospf
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set prefix 10.168.0.0 255.255.254.0
        next
    end
    config redistribute "connected"
        set status enable
    end
    config redistribute "static"
        set status enable
    end
    set router-id 0.0.0.114
end


Configuration in GUI:

[Screenshot: OSPF area.png]

 

FGT80C# get router info routing-table all

Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 172.31.225.254, wan1
S       10.11.0.0/24 [10/0] via 10.168.4.103, vlan4
S       10.12.0.0/24 [10/0] via 10.168.4.103, vlan4
C       10.168.0.0/23 is directly connected, internal
C       10.168.4.0/23 is directly connected, vlan4
C       10.168.6.0/23 is directly connected, wan2
C       172.31.224.0/23 is directly connected, wan1


FGT300A:

config router ospf
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set prefix 10.168.0.0 255.255.254.0
        next
    end
    config redistribute "connected"
    end
    config redistribute "static"
    end
    set router-id 0.0.0.137
end


FG300A# get router info routing-table all

Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 192.168.183.254, port5
O E2    10.11.0.0/24 [110/10] via 10.168.1.114, port1, 00:07:25
O E2    10.12.0.0/24 [110/10] via 10.168.1.114, port1, 00:07:25
C       10.168.0.0/23 is directly connected, port1
O E2    10.168.4.0/23 [110/10] via 10.168.1.114, port1, 00:00:38
O E2    10.168.6.0/23 [110/10] via 10.168.1.114, port1, 00:07:33
O E2    172.31.224.0/23 [110/10] via 10.168.1.114, port1, 00:00:38
C       192.168.100.0/24 is directly connected, port2
C       192.168.182.0/23 is directly connected, port

 

  2. Add the filter on the FGT80C so that it redistributes:
  • Only the connected network 10.168.6.0/23.
  • Only the static route 10.11.0.0/24.

FGT80C:

 

config router access-list
    edit "OnlyNet6"
        config rule
            edit 1
                set prefix 10.168.6.0 255.255.254.0
                set exact-match enable      <--- The rule action defaults to permit. With exact-match, only 10.168.6.0/23 itself matches, not more-specific prefixes inside it.
            next
        end                                 <--- Any prefix not matched by a rule is denied (implicit deny at the end of the list).
    next
    edit "OnlyNet11"
        config rule
            edit 1
                set prefix 10.11.0.0 255.255.255.0
                set exact-match enable
            next
        end
    next
end

config router route-map
    edit "Map-OnlyNet6"
        config rule
            edit 1
                set match-ip-address "OnlyNet6"   <--- The rule action defaults to permit. A route that matches no permit rule in the route-map is not redistributed.
            next
        end
    next
    edit "Map-OnlyNet11"
        config rule
            edit 1
                set match-ip-address "OnlyNet11"
            next
        end
    next
end

config router ospf
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set prefix 10.168.0.0 255.255.254.0
        next
    end
    config redistribute "connected"
        set status enable
        set routemap "Map-OnlyNet6"
    end
    config redistribute "static"
        set status enable
        set routemap "Map-OnlyNet11"
    end
    set router-id 0.0.0.114
end

 

GUI settings to enable the filter and configure the route-map:

[Screenshot: route map add.png]

[Screenshot: craete.png]

[Screenshot: route map.png]

 

  3. Verification of the FGT300A routing table once the route-maps are applied on the FGT80C:

 

FG300A2904500072 # get router info routing-table all

 

Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 192.168.183.254, port5
O E2    10.11.0.0/24 [110/10] via 10.168.1.114, port1, 00:01:07
C       10.168.0.0/23 is directly connected, port1
O E2    10.168.6.0/23 [110/10] via 10.168.1.114, port1, 00:01:35
C       192.168.100.0/24 is directly connected, port2
C       192.168.182.0/23 is directly connected, port5
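The following added example (not part of the original article, and not FortiOS code) models the access-list and route-map evaluation that the FGT80C performs in step 2 and runs it over the FGT80C routing table from step 1. It assumes the documented FortiOS access-list behaviour: with exact-match the route prefix must equal the rule prefix, without exact-match any prefix inside the rule prefix also matches, and a list with no matching rule denies. One connected route, 10.168.7.0/24 on a hypothetical "dmz" interface, is constructed and is not on the page; it is there to show what a rule without exact-match would let through.

```python
import ipaddress
import re

# Constructed input: the FGT80C routing table from step 1 of the article, plus one
# extra connected route (10.168.7.0/24 on "dmz") that does NOT exist on the page.
# It is added only to show what exact-match protects against.
FGT80C_ROUTING_TABLE = """\
S*      0.0.0.0/0 [10/0] via 172.31.225.254, wan1
S       10.11.0.0/24 [10/0] via 10.168.4.103, vlan4
S       10.12.0.0/24 [10/0] via 10.168.4.103, vlan4
C       10.168.0.0/23 is directly connected, internal
C       10.168.4.0/23 is directly connected, vlan4
C       10.168.6.0/23 is directly connected, wan2
C       10.168.7.0/24 is directly connected, dmz
C       172.31.224.0/23 is directly connected, wan1
"""

# Route code (S, C, O, ...), optional '*' for a candidate default, then the prefix.
ROUTE_RE = re.compile(r"^([A-Z])\*?\s+(\S+/\d+)\s")


def parse_routing_table(text):
    """Return a list of (code, network) from 'get router info routing-table all' output.
    Only the route code and the prefix matter for evaluating a redistribution filter."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes.append((m.group(1), ipaddress.ip_network(m.group(2))))
    return routes


def access_list_permits(rules, network):
    """Model of a FortiOS router access-list (assumption: mirrors the documented
    behaviour; this is not FortiOS code). Each rule is (prefix, exact_match, action).
    The first matching rule wins; no matching rule means deny (implicit deny)."""
    for rule_prefix, exact_match, action in rules:
        if exact_match:
            matched = network == rule_prefix
        else:
            # Without exact-match the rule also covers every more-specific prefix inside it.
            matched = network.subnet_of(rule_prefix)
        if matched:
            return action == "permit"
    return False


def redistributed_prefixes(routes, filters):
    """filters maps a route code ('C' or 'S') to the access-list that the route-map
    for that redistribution source matches on. The static default route is skipped
    because the article's 'before' table shows FortiOS did not redistribute it either."""
    out = []
    for code, network in routes:
        if code not in filters or network.prefixlen == 0:
            continue
        if access_list_permits(filters[code], network):
            out.append(str(network))
    return sorted(out)


NET6 = ipaddress.ip_network("10.168.6.0/23")
NET11 = ipaddress.ip_network("10.11.0.0/24")

# The article's configuration: one permit rule per list, exact-match enabled.
EXACT_FILTERS = {
    "C": [(NET6, True, "permit")],
    "S": [(NET11, True, "permit")],
}

# The same lists with exact-match left at its default (disabled).
LOOSE_FILTERS = {
    "C": [(NET6, False, "permit")],
    "S": [(NET11, False, "permit")],
}


def run():
    """Return (prefixes redistributed with exact-match, prefixes redistributed without it)."""
    routes = parse_routing_table(FGT80C_ROUTING_TABLE)
    return (redistributed_prefixes(routes, EXACT_FILTERS),
            redistributed_prefixes(routes, LOOSE_FILTERS))


if __name__ == "__main__":
    exact, loose = run()
    print("exact-match enabled :", exact)
    print("exact-match disabled:", loose)
```

With exact-match the result is exactly the two E2 routes the FGT300A shows in step 3. With exact-match disabled, the constructed 10.168.7.0/24 also passes, because the rule then means "this network and everything inside it"; that is the usual way an internal or transit prefix leaks into the area when a filter is written from memory.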


Notes:

Instead of attaching the route-map to the redistribute entry:

config router ospf
    config redistribute "connected"
        set status enable
        set routemap "Map-OnlyNet6"
    end
end

the same result can be obtained with a distribute-list inside config router ospf, which references the access-list directly (no route-map needed):

config router ospf
    config redistribute "connected"
        set status enable
    end
    config distribute-list
        edit 1
            set access-list "OnlyNet6"
            set protocol connected
        next
    end
end

The protocol setting selects which redistribution source (connected, static or rip) the list applies to, so one distribute-list entry is needed per source. Pick one method (route-map or distribute-list) and use it consistently on the device: mixing both on the same redistribution makes it hard to tell which filter dropped, or leaked, a route.


Instead of an access-list, consider a prefix-list (config router prefix-list). A prefix-list rule can match a range of prefix lengths with ge and le, so a single rule can permit a network and its subnets while still denying everything else, whereas an access-list rule only offers exact-match on or off.
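As an added example (not from the article, and not FortiOS code) of why a prefix-list is the more flexible tool, the Python below models prefix-list rule matching with ge/le and compares a rule with no length range (the equivalent of the OnlyNet6 access-list with exact-match) against a rule with le 24. It assumes the usual prefix-list semantics: ge and le are the minimum and maximum prefix length accepted for prefixes inside the rule's network; with neither set only the exact length matches; with only ge set the upper bound is 32; the first matching rule wins and no match denies. The two more-specific candidate prefixes (10.168.7.0/24 and 10.168.6.64/26) are constructed and do not exist on the page.

```python
import ipaddress

IPV4_MAX_LEN = 32


def prefix_list_permits(rules, network):
    """Model of a prefix-list (assumption: the usual ge/le semantics; not FortiOS code).
    Each rule is (prefix, ge, le, action); ge/le are None when not set.
    A rule matches when the route lies inside the rule prefix and its length is
    within [ge, le]. With neither set only the exact length matches; with only ge
    set the upper bound is 32. First match wins; no match means deny."""
    for rule_prefix, ge, le, action in rules:
        if not network.subnet_of(rule_prefix):
            continue
        lo = rule_prefix.prefixlen if ge is None else ge
        if le is not None:
            hi = le
        elif ge is not None:
            hi = IPV4_MAX_LEN
        else:
            hi = rule_prefix.prefixlen
        if lo <= network.prefixlen <= hi:
            return action == "permit"
    return False


def evaluate(rules, candidates):
    """Map each candidate prefix string to whether the prefix-list would permit it."""
    return {c: prefix_list_permits(rules, ipaddress.ip_network(c)) for c in candidates}


NET6 = ipaddress.ip_network("10.168.6.0/23")

# Equivalent of the article's "OnlyNet6" access-list with exact-match: no ge, no le.
EXACT_RULES = [(NET6, None, None, "permit")]

# Permit 10.168.6.0/23 and any subnet of it down to /24; deny anything smaller.
RANGE_RULES = [(NET6, None, 24, "permit")]

# Constructed candidates: two connected routes from the article plus two
# hypothetical more-specific prefixes that are not on the page.
CANDIDATES = ["10.168.6.0/23", "10.168.4.0/23", "10.168.7.0/24", "10.168.6.64/26"]


def run():
    """Return (results for the exact rule, results for the le-24 rule)."""
    return evaluate(EXACT_RULES, CANDIDATES), evaluate(RANGE_RULES, CANDIDATES)


if __name__ == "__main__":
    exact, ranged = run()
    for prefix in CANDIDATES:
        print(f"{prefix:16} exact={exact[prefix]!s:5} le24={ranged[prefix]!s:5}")
```

The exact rule behaves like the article's access-list: only 10.168.6.0/23 passes. The le 24 rule additionally admits 10.168.7.0/24 but still rejects 10.168.6.64/26 and the unrelated 10.168.4.0/23, which is the kind of bounded allowance an access-list cannot express without exact-match being turned off entirely.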

 

Useful commands:


get router info ospf neighbor
get router info routing-table all
get router info ospf network