Steve_Stevenson
New Member
October 6, 2015
Question

Block host route OSPF advertised with prefix/access-list

  • October 6, 2015
  • 1 reply
  • 5646 views

Hello guys,

I have a FortiGate with FOS v5.2.3 running and advertising some local loopback /24s and interface /32s via OSPF to the neighbours.

What I can't figure out is how to block the advertisement of the /32 addresses by using either a router access-list or a prefix-list. Whatever I do, the /32s keep popping up in the routing table of the other end.

I tried something similar:

config router prefix-list
    edit "test"
        set comments "Deny /32 to the remote"
        config rule
            edit 1
                set action deny
                set prefix 1.1.1.0 255.255.255.0
                unset ge
                set le 32
            next
        end
    next
end

or

config router access-list
    edit "test"
        set comments "Deny /32 to the remote"
        config rule
            edit 1
                set action deny
                set prefix 1.1.1.1 255.255.255.255
                set exact-match enable
            next
        end
    next
end

But I'm still getting the following in the neighbour's routing table:

# get router info routing-table ospf
O       1.1.1.0/24 [110/110] via 172.16.32.20, wan1, 00:36:17
O       1.1.1.1/32 [110/10] via 172.16.32.20, wan1, 00:36:17

Thank you.

Regards,

Steve


    emnoc
    New Member
    October 7, 2015

    Where and how are you deploying this? BTW, that mask you have shown is not a /32 mask in that 1st rule. That would match prefix /24 with anything equal to or less than /32 (/32, /30, /29, /28 etc...). Is that what you wanted?

    Or do I have that wrong?

    Also (for testing):

    If you unset the ge and le, and did "exact match", what happens to a single /32?

    (e.g. for testing, get your route controls right, and then you can work on securing up the prefix-list)

    config router prefix-list
        edit "test"
            set comments "Deny this one /32 to the remote"
            config rule
                edit 1
                    set action deny
                    set prefix 1.1.1.1 255.255.255.255
                    unset ge
                    unset le
                next
            end
        next
    end

    That would check your prefix function, and then you can work on the range. Also, you might have a better way of doing this by dropping any config router redistribution for those loopbacks or by doing some type of summary, but you would need to look into this.
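To make the point about the mask concrete, here is a small Python model of prefix-list matching. It is an added example, not code from the thread or from Fortinet, and its semantics are the standard prefix-list convention assumed here rather than anything taken from FortiOS documentation: a rule whose ge and le are both unset matches only the exact prefix length, `le N` widens the match up to /N, `ge N` on its own runs from /N up to /32, the first matching rule wins, and an unmatched route hits an implicit deny. The trailing permit-any rule in each constructed list is also an assumption, added so the list does not reject every other route. The three rule sets mirror the thread: the rule as posted in the question, the single exact /32, and a "work on the range" version using `ge 32`.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def fortios_prefix(text: str) -> ipaddress.IPv4Network:
    """Turn the argument of 'set prefix <addr> <mask>' into a network object.

    '1.1.1.0 255.255.255.0' -> 1.1.1.0/24, '1.1.1.1 255.255.255.255' -> 1.1.1.1/32
    """
    addr, mask = text.split()
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


@dataclass
class PrefixRule:
    """One 'edit N' rule of a prefix-list (assumed standard prefix-list semantics)."""
    seq: int
    action: str                       # "permit" or "deny"
    prefix: ipaddress.IPv4Network
    ge: Optional[int] = None          # 'unset ge' -> None
    le: Optional[int] = None          # 'unset le' -> None

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        # The route must be contained in the rule's prefix at all.
        if not route.subnet_of(self.prefix):
            return False
        # ge/le both unset: only the exact prefix length matches.
        # 'le N' widens the match up to /N; 'ge N' alone runs up to /32
        # (assumption: standard prefix-list convention, not verified against FortiOS).
        low = self.ge if self.ge is not None else self.prefix.prefixlen
        if self.le is not None:
            high = self.le
        elif self.ge is not None:
            high = 32
        else:
            high = self.prefix.prefixlen
        return low <= route.prefixlen <= high


def evaluate(rules: List[PrefixRule], route: str) -> str:
    """First matching rule (by sequence number) wins; no match means implicit deny."""
    net = ipaddress.IPv4Network(route)
    for rule in sorted(rules, key=lambda r: r.seq):
        if rule.matches(net):
            return rule.action
    return "deny"


# Constructed rule sets mirroring the thread. The permit-any at the end is an
# assumption so that the list does not drop every other advertised route.
PERMIT_ANY = PrefixRule(100, "permit", fortios_prefix("0.0.0.0 0.0.0.0"), le=32)

# The question's rule: prefix 1.1.1.0 255.255.255.0, unset ge, set le 32
AS_POSTED = [PrefixRule(1, "deny", fortios_prefix("1.1.1.0 255.255.255.0"), le=32),
             PERMIT_ANY]

# The single /32 with ge and le unset (the "exact match" test)
EXACT_HOST = [PrefixRule(1, "deny", fortios_prefix("1.1.1.1 255.255.255.255")),
              PERMIT_ANY]

# "Work on the range": deny every /32 inside 1.1.1.0/24 but let the /24 itself through
HOSTS_IN_24 = [PrefixRule(1, "deny", fortios_prefix("1.1.1.0 255.255.255.0"), ge=32),
               PERMIT_ANY]

if __name__ == "__main__":
    for name, rules in (("as posted", AS_POSTED), ("exact /32", EXACT_HOST), ("ge 32", HOSTS_IN_24)):
        for route in ("1.1.1.0/24", "1.1.1.1/32", "1.1.1.128/25"):
            print(f"{name:10} {route:14} -> {evaluate(rules, route)}")
```

Running it shows why the posted rule does not do what was intended: `1.1.1.0 255.255.255.0` with `le 32` covers every prefix from /24 through /32 inside that block, so it denies the loopback /24 along with the host route. The exact /32 rule and the `ge 32` range rule both drop only `1.1.1.1/32` while `1.1.1.0/24` (and any longer subnet such as a /25) still passes.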


    pcsridharbe_FTNT
    Staff
    October 8, 2015

    Hi,

    I am just giving my thoughts... correct me if I am wrong.

    I assume all your neighbours are in the same area: R1---R2---R3, all in the same area.

    Assume R1 advertises a loopback address in area 0. You can block it on R2 (in direction) so the routing table won't have that info, but it will still be in the OSPF database of R2. Hence R3 will also get that loopback address.

    OSPF database exchange happens before routes are installed in the routing table (type 1 and type 2 LSAs).

    An outgoing block can be done on an Area Border Router.

    Regards,

    Sridhar.