Hello,
I am testing a solution for a customer in my lab. The goal of this lab is to implement OSPF over IPsec. The topology is very basic:
- one head office with one WAN connection (area 0.0.0.0 for internal traffic and area 1.1.1.1 for the VPN). The firewall is named "fortilab_HQ".
- two remote sites, each with two Internet connections (firewalls named fortilab_R1 and fortilab_R2).
I have already configured my areas, interfaces, etc. The configuration works, but I would like to improve it as follows:
1) I configured a summary-address on all sites (10.200.0.0/16 for HQ, 10.201.0.0/16 for R1, 10.202.0.0/16 for R2), but my head office still propagates the routes learned via OSPF to my remote firewalls:
(fortilab_R2) # get router info routing-table database
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       > - selected route, * - FIB route, p - stale info

S    *> 0.0.0.0/0 [10/0] via 192.168.23.1, WAN1_R2
     *> [10/0] via 192.168.24.1, WAN2_R2, [10/0]
O E2 *> 10.200.0.0/16 [110/10] via 192.168.30.9, VPN1_R2HQ, 00:00:23
     *> [110/10] via 192.168.30.13, VPN2_R2HQ, 00:00:23
O IA *> 10.200.248.0/24 [110/111] via 192.168.30.9, VPN1_R2HQ, 00:03:36
     *> [110/111] via 192.168.30.13, VPN2_R2HQ, 00:03:36
(fortilab_HQ) # show router ospf
config router ospf
    set router-id 1.1.1.1
    config area
        edit 0.0.0.0
        next
        edit 1.1.1.1
        next
    end
    config ospf-interface
        edit "OSPF_VPN1_R2"
            set interface "VPN1_R2"
            set dead-interval 40
            set hello-interval 10
            set network-type point-to-point
        next
        edit "OSPF_VPN2_R2"
            set interface "VPN2_R2"
            set dead-interval 40
            set hello-interval 10
            set network-type point-to-point
        next
        edit "OSPF_VPN1_R1"
            set interface "VPN1_R1"
            set dead-interval 40
            set hello-interval 10
            set network-type point-to-point
        next
        edit "OSPF_VPN2_R1"
            set interface "VPN2_R1"
            set dead-interval 40
            set hello-interval 10
            set network-type point-to-point
        next
        edit "OSPF_Interco"
            set interface "INTERCORTR"
            set dead-interval 40
            set hello-interval 10
        next
    end
    config network
        edit 1
            set prefix 192.168.30.0 255.255.255.248
            set area 1.1.1.1
        next
        edit 2
            set prefix 192.168.30.8 255.255.255.248
            set area 1.1.1.1
        next
        edit 3
            set prefix 192.168.70.0 255.255.255.0
        next
    end
    config summary-address
        edit 1
            set prefix 10.200.0.0 255.255.0.0
        next
    end
    config redistribute "connected"
        set status enable
        set routemap "MapInternal"
    end
    config redistribute "static"
    end
    config redistribute "rip"
    end
    config redistribute "bgp"
    end
    config redistribute "isis"
    end
end
(fortilab_HQ) # show router access-list
config router access-list
    edit "Internal"
        config rule
            edit 1
                set prefix 10.200.0.0 255.255.0.0
                set exact-match disable
            next
        end
    next
end

(fortilab_HQ) # show router route-map
config router route-map
    edit "MapInternal"
        config rule
            edit 1
                set match-ip-address "Internal"
            next
        end
    next
end
Is it possible to avoid the route 10.200.248.0/24 being propagated?
2) I would like not to propagate the IPs of the IPsec interfaces to all my remote sites. Is it possible to disable the propagation of these addresses (all my IPsec interfaces are in the subnet 192.168.30.0/24)?
(fortilab_R2) # get router info routing-table database
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       > - selected route, * - FIB route, p - stale info

S    *> 0.0.0.0/0 [10/0] via 192.168.23.1, WAN1_R2
     *> [10/0] via 192.168.24.1, WAN2_R2, [10/0]
O E2 *> 10.200.0.0/16 [110/10] via 192.168.30.9, VPN1_R2HQ, 00:00:23
     *> [110/10] via 192.168.30.13, VPN2_R2HQ, 00:00:23
O IA *> 10.200.248.0/24 [110/111] via 192.168.30.9, VPN1_R2HQ, 00:03:36
     *> [110/111] via 192.168.30.13, VPN2_R2HQ, 00:03:36
O E2 *> 10.201.0.0/16 [110/10] via 192.168.30.9, VPN1_R2HQ, 00:03:36
     *> [110/10] via 192.168.30.13, VPN2_R2HQ, 00:03:36
C    *> 10.202.101.0/24 is directly connected, R2_LAN_USER
C    *> 192.168.23.0/24 is directly connected, WAN1_R2
C    *> 192.168.24.0/24 is directly connected, WAN2_R2
O    *> 192.168.30.1/32 [110/100] via 192.168.30.9, VPN1_R2HQ, 00:03:36
     *> [110/100] via 192.168.30.13, VPN2_R2HQ, 00:03:36
O    *> 192.168.30.2/32 [110/200] via 192.168.30.9, VPN1_R2HQ, 00:03:36
     *> [110/200] via 192.168.30.13, VPN2_R2HQ, 00:03:36
O    *> 192.168.30.5/32 [110/100] via 192.168.30.9, VPN1_R2HQ, 00:03:36
     *> [110/100] via 192.168.30.13, VPN2_R2HQ, 00:03:36
O    *> 192.168.30.6/32 [110/200] via 192.168.30.9, VPN1_R2HQ, 00:03:36
     *> [110/200] via 192.168.30.13, VPN2_R2HQ, 00:03:36
O       192.168.30.9/32 [110/100] via 192.168.30.9, VPN1_R2HQ, 00:03:36
        [110/100] via 192.168.30.13, VPN2_R2HQ, 00:03:36
C    *> 192.168.30.9/32 is directly connected, VPN1_R2HQ
C    *> 192.168.30.10/32 is directly connected, VPN1_R2HQ
O       192.168.30.13/32 [110/100] via 192.168.30.9, VPN1_R2HQ, 00:03:36
        [110/100] via 192.168.30.13, VPN2_R2HQ, 00:03:36
C    *> 192.168.30.13/32 is directly connected, VPN2_R2HQ
C    *> 192.168.30.14/32 is directly connected, VPN2_R2HQ
O IA *> 192.168.70.0/28 [110/101] via 192.168.30.9, VPN1_R2HQ, 00:03:36
     *> [110/101] via 192.168.30.13, VPN2_R2HQ, 00:03:36
Thanks in advance! And sorry for my English.

Lucas
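An added configuration example covering both questions above; it is not part of Lucas's post and is not taken from his lab. The reasoning it encodes: `config summary-address` only aggregates routes that the local FortiGate itself redistributes into OSPF as Type 5 external LSAs, which is why 10.200.0.0/16 shows up on R2 as "O E2" while 10.200.248.0/24 still arrives as "O IA". That /24 is an inter-area route that HQ, acting as ABR between area 0.0.0.0 and area 1.1.1.1, re-originates as a Type 3 summary LSA, and Type 3 summaries are aggregated with an area range configured on the ABR under the area that contains the component networks (area 0.0.0.0 on HQ). The 192.168.30.x/32 entries are different again: they are intra-area routes of area 1.1.1.1 (the tunnel interfaces are OSPF-enabled through the two 192.168.30.0/29 network statements, and a point-to-point interface advertises its host address as a stub link), so no range or summary can remove them from the area's LSDB; the only lever left is to stop the remote site from installing them, which is what `set distribute-list-in` does on FortiOS. The access-list name "NoTunnelHosts" and the range entry number are assumptions chosen for the example; `config range` under the area, `set distribute-list-in`, `set action deny` and `set prefix any` are FortiOS CLI keywords, but check that your firmware version exposes `set distribute-list-in` before relying on it.

```text
# --- On fortilab_HQ (the ABR): aggregate area 0 networks when advertising them into area 1.1.1.1.
#     The range goes under the area that CONTAINS 10.200.248.0/24, i.e. 0.0.0.0, not under 1.1.1.1.
config router ospf
    config area
        edit 0.0.0.0
            config range
                # entry number 1 is an arbitrary choice for this example
                edit 1
                    set prefix 10.200.0.0 255.255.0.0
                    set advertise enable
                next
            end
        next
    end
end

# --- On fortilab_R1 and fortilab_R2: do not install the 192.168.30.0/24 host routes learned by OSPF.
#     The LSAs are still flooded (intra-area routes cannot be filtered inside an area); this only
#     keeps them out of the local routing table. "NoTunnelHosts" is an assumed name.
config router access-list
    edit "NoTunnelHosts"
        config rule
            edit 1
                set action deny
                set prefix 192.168.30.0 255.255.255.0
                set exact-match disable
            next
            edit 2
                set action permit
                set prefix any
            next
        end
    next
end
config router ospf
    set distribute-list-in "NoTunnelHosts"
end
```

After applying the range on HQ, `get router info routing-table database` on R2 should show a single "O IA" 10.200.0.0/16 in place of the /24 (the existing "O E2" 10.200.0.0/16 from the redistributed connected routes remains as well, since the two come from different LSA types). The per-site summary-address entries for 10.201.0.0/16 and 10.202.0.0/16 stay useful, because those summarise what R1 and R2 redistribute from their own connected routes. Keep in mind that the distribute-list on R1/R2 does not hide the tunnel addresses from an attacker who can read the OSPF LSDB; it only trims the remote routing table. Verify the result with `get router info ospf database` (summaries still present) versus `get router info routing-table ospf` (the /32 entries gone).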