Technical Tip: OSPF configuration guide for ABR and ASBR settings

Description

This article describes the basic steps to configure FortiGates in an OSPF scenario where the FortiGates will be ABR and ASBR OSPF routers across 3 areas.
It includes the network diagram, requirements, configuration, and routing tables of all FortiGates.

Scope

All FortiGate versions or any VDOM running NAT.

Solution

Diagram:

The following network diagram will be used for this example :


Expectations, Requirements:

• FGT1 has a static default route and multiple other static routes that we do not want to inject into area 0.0.0.2, hence the use of a STUB area (see #1).
• FGT1 will become automatically ASBR as it will advertise those static routes into area 0.0.0.1 (see #2).
• FGT1 will also be automatically ABR as it is the border router between all 3 areas.
• FGT1 should announce a default route into area 0.0.0.1 and 0.0.0.2 only if it has a default route in the routing table (see #3).
• All locally connected interfaces must have OSPF enabled and the corresponding subnet must be advertised as OSPF internal routes (not external) (see #4).
  
  

Note: The use of loopback interfaces in this OSPF design is a simple rule that eases the OSPF troubleshooting and administration, where the OSPF router ID will be set identically to the loopback interface.

Tip: To enable OSPF on an interface, it is only necessary to add it into the prefix list (see #4). To enable all interfaces with a single setting, use the prefix '0.0.0.0/0.0.0.0'.

Configuration:
Note: Only the relevant parts of the configuration are given (interfaces and OSPF settings)

FGT1:

config system interface
    edit "internal"
        set vdom "root"
        set ip 192.168.182.151 255.255.254.0
        set allowaccess ping https ssh http telnet
        set type physical
    next

    edit "port1"
        set vdom "root"
        set ip 10.141.0.151 255.255.254.0
        set allowaccess ping https ssh http telnet
        set type physical
    next

   edit "port8"
        set vdom "root"
        set ip 10.142.0.151 255.255.254.0
        set allowaccess ping https ssh http telnet
        set type physical
    next

    edit "lback1"
        set vdom "root"
        set ip 10.0.0.1 255.255.255.255
        set type loopback

next 

end

config router static
    edit 1
        set device "internal"
        set gateway 192.168.183.254
    next
    edit 2
        set device "internal"
        set dst 10.5.2.0 255.255.255.0
        set gateway 192.168.183.254
    next
    edit 3
        set device "internal"
        set dst 10.6.2.0 255.255.255.0
        set gateway 192.168.183.254
    next
    edit 4
        set device "internal"
        set dst 10.6.3.0 255.255.255.0
        set gateway 192.168.183.254
    next
    edit 5
        set device "internal"
        set dst 10.6.6.0 255.255.255.0
        set gateway 192.168.183.254
    next
end

config router ospf
        config area
            edit 0.0.0.0
            next
            edit 0.0.0.1
                set authentication md5
            next
            edit 0.0.0.2
                set type stub    #1#
            next
        end
    set default-information-originate enable   #3#
        config network
            edit 1
                set area 0.0.0.2
                set prefix 10.142.0.0 255.255.0.0    #4#
            next
            edit 2
                set area 0.0.0.1
                set prefix 10.141.0.0 255.255.0.0     #4#
            next
            edit 3
                set prefix 10.0.0.1 255.255.255.255     #4#
            next
            edit 4
                set prefix 192.168.182.0 255.255.254.0     #4#
            next
        end
        config ospf-interface
            edit "area1_port1"
                set authentication md5
                set cost 10
                set interface "port1"
                set ip 10.141.0.151
                set md5-key 1 "fortinet"
            next
        end
        config redistribute "static"
            set status enable          #2#
        end
    set router-id 10.0.0.1
end
    next

end

Note: In this FGT1 configuration, it is necessary to create an OSPF interface for port1 (area 0.0.0.1) to access to additional parameters than the default ones.  This was not necessary for port8 (area 0.0.0.2).

FGT2:

config system interface
    edit "internal"
        set vdom "root"
        set ip 10.2.2.1 255.255.255.0
        set allowaccess ping https
        set type physical
    next

    edit "port1"
        set vdom "root"
        set ip 10.141.0.152 255.255.254.0
        set allowaccess ping https ssh http telnet
        set type physical
    next

    edit "lback2"
        set vdom "root"
        set ip 10.0.0.2 255.255.255.255
        set type loopback
    next
end

config router ospf
        config area
            edit 0.0.0.1
                set authentication md5
            next
        end
        config network
            edit 1
                set area 0.0.0.1
                set prefix 10.141.0.0 255.255.0.0     #4#
            next
            edit 2
                set area 0.0.0.1
                set prefix 10.2.2.0 255.255.255.0     #4#
            next
            edit 3
                set area 0.0.0.1
                set prefix 10.0.0.2 255.255.255.255       #4#
            next
        end
        config ospf-interface
            edit "area1_port1"
                set authentication md5
                set cost 10
                set interface "port1"
                set ip 10.141.0.152
                set md5-key 1 "fortinet"
            next
        end
    set router-id 10.0.0.2
end

Note: In this FGT2 configuration, it was necessary to create an OSPF interface for port1 (area 0.0.0.1) to access additional parameters other than the default ones.

FGT3:

config system interface
    edit "internal"
        set vdom "root"
        set ip 10.3.3.1 255.255.255.0
        set allowaccess ping https ssh http telnet
        set type physical
    next

    edit "port8"
        set vdom "root"
        set ip 10.142.0.155 255.255.254.0
        set allowaccess ping https ssh http telnet
        set type physical
    next

    edit "lback3"
        set vdom "root"
        set ip 10.0.0.3 255.255.255.255
        set type loopback
    next
end

config router ospf
        config area
            edit 0.0.0.2
                set type stub       #1#
            next
        end
        config network
            edit 1
                set area 0.0.0.2
                set prefix 10.142.0.0 255.255.0.0   #4# 
            next
            edit 2
                set area 0.0.0.2
                set prefix 10.0.0.3 255.255.255.255    #4#
            next
        end
    set router-id 10.0.0.3
end

Verification:

Troubleshooting:

Use the OSPF router command to check all the neighbors and LSDB:

get router info ospf <subcommand>

get router info ospf ?
database          show ospf database information
interface         show ospf interfaces
route             show ospf routing table
neighbor          show ospf neighbors
border-routers    show ospf border routers
status            show ospf status
virtual-links     show ospf virtual links

For advanced troubleshooting, use the following command:

diag ip router ospf all enable (or disable to stop the trace)

Related articles:

• Technical Tip: OSPF route redundancy over 2 VPN IPSec tunnels
• Technical Tip: How to redistribute a default route in OSPF
• Technical Tip: simple OSPF configuration with 2 FortiGates in the same area
• Technical Tip: OSPF route summarization for LSAs Type3 (on ABR) and Type5 (on ASBR)