mroe1234
New Member
July 7, 2025
Solved

Fortinet firewall and OSPF type-2 metric

  • July 7, 2025
  • 3 replies
  • 1280 views

Anyone know why a Fortinet firewall set to originate type-2 externals is advertising what looks like type-1 costs (i.e., including internal path costs)? I thought with type-2, only the cost I manually assign to the interface (e.g., set cost 100) should be advertised, regardless of internal link costs. Instead, neighbors are seeing the cost increase as if type-1 logic is being applied.

Misconfig? Bug? Misunderstanding on my part?

Below is my ospf config for reference

    config router ospf
        set abr-type cisco
        set router-id 192.168.8.181
        config area
            edit 0.0.0.0
                set authentication message-digest
            next
            edit 0.0.0.16
                set authentication message-digest
                set stub-type no-summary
                set type stub
                config range
                    edit 1
                        set prefix 172.16.0.0 255.255.0.0
                    next
                end
            next
        end
        config ospf-interface
            edit "segfw-user"
                set interface "segfw-user"
                set authentication message-digest
                set cost 1101
                set priority 0
            next
            edit "netmgmt-inside"
                set interface "segfw-netmgmt"
                set authentication message-digest
                set prefix-length 27
                set cost 1101
                set priority 0
            next
        end
        config network
            edit 1
                set prefix 192.168.8.160 255.255.255.224
            next
            edit 2
                set prefix 172.16.0.0 255.255.0.0
                set area 0.0.0.16
            next
        end
        config redistribute "connected"
            set status enable
        end
        config redistribute "static"
            set metric 3333
            set metric-type 1
        end
        config redistribute "rip"
        end
        config redistribute "bgp"
        end
        config redistribute "isis"
        end
    end

To add a little more data: when I log in to a Cisco Nexus and run:

<show ip ospf database summary detail>

I get:

   LS age: 133
   Options: 0x2 (No TOS-capability, No DC)
   LS Type: Network Summary
   Link State ID: 172.16.0.0 (Network address)
   Advertising Router: 192.168.8.181
   LS Seq Number: 0x80000407
   Checksum: 0x2082
   Length: 28
   Network Mask: /16
   TOS:   0 Metric: 5101

Best answer by aguerriero

3 replies

aguerriero
Explorer
July 8, 2025

You have your redistribution set as metric type 1 in the configuration. 

Your show command on the Nexus is showing the LSA for the area range command. The LSA that is advertised into other areas is a type 3 network summary. There will be no metric type 1 or 2 for that LSA since it is not an external type 5 LSA.

There should be no type 5 LSAs in the totally stubby area 16. The no-summary option in your area tells the firewall to block all LSAs coming from an area other than 16 and instead advertise a default summary 0.0.0.0/0.

If you want an external LSA in area 16 you would need to convert the area to a regular area to get type 5s with metric type 1 or 2... or convert to NSSA and you would instead get type 7 externals with a metric type 1 or 2.

Is the Nexus you issued the show command from in area 16, area 0, or some other area? If it is in area 16 and has that LSA, there seems to be a problem.

In any case the LSDB on any router in area 16 "should" not have an external or summary LSA for that prefix. It would violate the stub no-summary rules of OSPF. 

mroe1234 (Author)
New Member
July 8, 2025

I’ve been digging into this and I think I can clarify the issue a bit. In Cisco-land, inter-area routes appear to behave like “type-2” metrics—meaning the cost advertised by an ABR is just the cost configured on the ABR’s outgoing interface. But in Fortinet-land, the advertised cost includes the total cost of the path behind the ABR, not just the exit interface.

aguerriero
Explorer
July 8, 2025

By default, when you range/summarize between areas, both FortiGate and Cisco use RFC 2328, which makes the summary route cost the lowest cost route for any subnets making up the summary.

The difference could be that in Cisco you are manually setting the cost on the range command instead of letting it use RFC 2328. FortiGates do not let you manually set the initial cost of the LSA type 3, so you are at the mercy of the LSDB and what the cost is on the ABR.

For RFC 2328, check out page 135, section 12.4.3.

The FortiGate only supports the RFC; Cisco offers a bunch of bells and whistles for fine-grained control.
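As an added worked example (not from this thread and not Fortinet's or Cisco's code), the following Python model shows the two points made in the replies: the cost an ABR puts in a type-3 summary-LSA for an area range comes from the full intra-area path costs of the component routes (RFC 2328 section 12.4.3 takes the largest; RFC 1583 took the smallest, exposed here as a flag), and a totally stubby area receives only a default summary, so the metric-type setting on redistribution never applies there. The routing table, including the second /24 behind the ABR, is constructed to reproduce the 1101 and 5101 figures from the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Route:
    prefix: str   # destination network
    area: str     # OSPF area the intra-area route was learned in
    cost: int     # full intra-area path cost from the ABR, not the exit interface cost


# Constructed sample routing table for the ABR (router-id 192.168.8.181 in the thread).
# The first /24 sits directly on segfw-user at interface cost 1101; the second /24 is
# invented here and lies one hop further into area 16, 4000 of cost behind the ABR.
ROUTES = [
    Route("172.16.10.0/24", "0.0.0.16", 1101),
    Route("172.16.20.0/24", "0.0.0.16", 5101),
    Route("192.168.8.160/27", "0.0.0.0", 1101),
]


def summary_lsa_cost(range_prefix, routes, area, rfc1583=False):
    """Cost carried in the type-3 summary-LSA an ABR originates for an area range.

    RFC 2328 section 12.4.3 advertises the largest cost of any component network;
    the older RFC 1583 rule used the smallest. Either way the input is the full
    intra-area path cost, which is how an interface cost of 1101 shows up as 5101.
    """
    rng = ip_network(range_prefix)
    comps = [r.cost for r in routes
             if r.area == area and ip_network(r.prefix).subnet_of(rng)]
    if not comps:
        return None  # no active component route: the range is not advertised at all
    return min(comps) if rfc1583 else max(comps)


def lsas_into_area(area_type, no_summary, summaries, externals):
    """Inter-area (type 3) and external (type 5) LSAs an ABR floods into an area.

    Stub areas never receive type 5; with no-summary (totally stubby) every type 3 is
    replaced by a single default summary, so metric type 1/2 is irrelevant in area 16.
    """
    if area_type == "stub":
        type3 = ["0.0.0.0/0"] if no_summary else list(summaries) + ["0.0.0.0/0"]
        return {"type3": type3, "type5": []}
    return {"type3": list(summaries), "type5": list(externals)}


if __name__ == "__main__":
    print(summary_lsa_cost("172.16.0.0/16", ROUTES, "0.0.0.16"))  # 5101
    print(lsas_into_area("stub", True, ["172.16.0.0/16"], ["10.0.0.0/8"]))
```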