Skip to main content
kcheng
Staff & Editor
kcheng
Staff & Editor
October 6, 2025

Technical Tip: Using route-map to control subnet advertising on OSPF links when redistribute static is required

  • October 6, 2025
  • 0 replies
  • 1794 views
Description This article describes the steps to control subnet advertising on OSPF links when the redistribute static is enabled.
Scope FortiGate.
Solution

In certain network requirements, connections between FortiGates are controlled by OSPF redistribution. The following network topology interlinks FortiGate communication via OSPF routes with a redistributed default route and a static route enabled:

 

image.png

 

In the network topology, the following setup is configured:
  • External FortiGate port2 forms OSPF with port3 of FortiGate Edge.
  • Internal FortiGate Port3 forms OSPF with FortiGate port5.

 

The following routing table is observed in all the FortiGates:

 

FortiGate External.

 

Routing table for VRF=0
O*E2 0.0.0.0/0 [110/10] via 10.11.102.1, port2, 02:09:20, [1/0]
C 10.11.102.0/24 is directly connected, port2
C 10.254.1.0/24 is directly connected, port1
O 192.168.0.0/24 [110/2] via 10.11.102.1, port2, 02:09:21, [1/0]
O 192.168.3.0/24 [110/3] via 10.11.102.1, port2, 00:07:46, [1/0]

 

FortiGate Edge.

 

Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 203.0.113.254, port2, [1/0]
C 10.11.102.0/24 is directly connected, port3
C 10.254.1.0/24 is directly connected, port1
C 192.168.0.0/24 is directly connected, port4
C 192.168.3.0/24 is directly connected, port5
C 203.0.113.0/24 is directly connected, port2

 

FortiGate Internal.

 

Routing table for VRF=0
O*E2 0.0.0.0/0 [110/10] via 192.168.0.1, port2, 02:10:18, [1/0]
O 10.11.102.0/24 [110/2] via 192.168.0.1, port2, 02:10:19, [1/0]
C 10.254.1.0/24 is directly connected, port1
C 192.168.0.0/24 is directly connected, port2
C 192.168.3.0/24 is directly connected, port3

 

Under this configuration, if the network administrator wants to segregate management traffic (192.168.101.0/24) through port 3 on the FortiGate Internal interface, the subnet on the Internal FortiGate will not be able to communicate with the loopback IP (LO-EX) configured on the FortiGate External Interface. A static route will need to be configured on FortiGate Internal to route the traffic through port3 (192.168.3.2):

 

image.png

 

However, this configuration will cause a network loop in FortiGate Edge:

 

image.png

 

To resolve this looping issue, it is possible to configure a route-map to avoid FortiGate Internal from redistributing the static route:

Configure route-map and access-list in FortiGate Internal to avoid the advertisement of 192.168.101.0/24 subnet:

  • Access-list.

 

config router access-list

    edit "DoNotSend"

        config rule

            edit 1

                set prefix 192.168.101.0 255.255.255.0

                set exact-match enable

            next

        end

    next

end

 

  • Route-map.

 

config router route-map

    edit "Exclude-NET"

        config rule 

            edit 1

                set action deny

                set match-ip-address "DoNotSend"

                unset set-ip-prefsrc

            next

            exit 2

                unset set-ip-prefsrc

            next

        end

    next

end

 

  • Apply the route-map in OSPF configuration:

 

config router ospf

    config redistribute "static"

        set status enable

        set routemap "Exclude-NET"

    end

end

 

With this configuration, FortiGate Edge will see a single route to route 192.168.101.0/24 to FortiGate External:

 

image.png

 

Accessing FortiGate External Loopback IP is now possible from 192.168.3.2 configured on FortiGate Internal:

 

image.png
    Terms & ConditionsAccessibility statement