fortimaster
Explorer III
January 3, 2025
Question

Route map doesn't filter OSPF routes

Hi all!

I have a simple scenario where 2 FortiGates connect to area 0 using a point-to-point OSPF network and a /30 IPv4 network.

One distributes connected routes and the other receives them. I would like to filter some of those routes using a route map with an ACL but, when I apply it, the routes are not filtered.

I have created 2 ACLs, one used to filter one network and another used to permit all the rest of the traffic. Finally, a route map with these 2 ACLs.

config router access-list
    edit "ACL_OSPF_DENY"
        config rule
            edit 1
                set prefix 192.168.1.0 255.255.255.0
                set exact-match enable
            next
        end
    next
    edit "ACL_OSPF_PERMITANY"
        config rule
            edit 1
                set prefix any
                set exact-match enable   <-- comment: without this command it doesn't work either.
            next
        end
    next
end

config router route-map
    edit "RM-OSPF"
        config rule
            edit 1
                set action deny
                set match-ip-address "ACL_OSPF_DENY"
            next
            edit 2
                set match-ip-address "ACL_OSPF_PERMITANY"
            next
        end
    next
end

If I get the OSPF routes after having applied the route map (using the GUI), the 192.168.1.0 network is still there. I have tried several ways but the route map doesn't filter the route. Could you help me please? What am I doing wrong?

Thanks!!

6 replies

Toshi_Esumi
SuperUser
January 3, 2025

OSPF doesn't filter routes within an area. You need to use BGP instead.
If you search "OSPF by definition doesn't filter specific routes within the area" on Google, it gives you the AI answer below:
This statement is correct; OSPF (Open Shortest Path First) does not inherently filter specific routes within an area because it operates as a link-state protocol, where all routers within an area must maintain the same Link-State Database (LSDB), meaning you cannot selectively filter routes within that area without affecting the consistency of the database across all devices.

Toshi

Toshi_Esumi
SuperUser
January 3, 2025

Or, if there are only two neighbors, you could filter those routes BEFORE they are redistributed into the OSPF domain, like under "config redistribute connected", "config redistribute static", etc. depending on the source of the prefix.
You can use a route-map there.

Toshi

fortimaster
Explorer III
January 3, 2025

Thanks for your help, Toshi!!

It makes sense that, as it is a common database, you cannot filter routes, but I have tried using a prefix-list and it works perfectly, not applied at the source.

config router prefix-list
    edit "PREFIX"
        config rule
            edit 1
                set action deny
                set prefix 192.168.116.0 255.255.255.0
                unset ge
                unset le
            next
            edit 2
                set prefix any
                unset ge
                unset le
            next
        end
    next
end

config router ospf
    set router-id 1.1.1.1
    set distribute-list-in "PREFIX"
end

Curiously, it works.

Toshi_Esumi
SuperUser
January 3, 2025

The "distribute-list-in" is a filter that is applied when OSPF routes go into the RIB. It's NOT filtering when OSPF is advertising to the neighbor. You're filtering routes on the receiving side. That's why it works. See the KB below:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-OSPF-distribute-list-in-example-to/ta-p/192864

You would see all routes in the OSPF domain with "get router info ospf route".

Toshi

Toshi_Esumi
SuperUser
January 3, 2025

It may be the opposite. The KB's description is confusing. Which side did you apply this on?

Toshi

dingjerry_FTNT
Staff
January 3, 2025

Hi @fortimaster,

As the KB explained:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-OSPF-distribute-list-in-example-to/ta-p/192864

It does not filter routes. It only controls routes injected into the routing table.

Toshi_Esumi
SuperUser
January 3, 2025

Ok, then my original interpretation was right. It's the same as Cisco's OSPF configuration like below:
  router ospf 1
    router-id 10.0.0.2
    log-adjacency-changes
    network 172.16.2.1 0.0.0.255 area 0
    distribute-list route-map <route-map-name> in        [OSPF table -> RIB]

Toshi

dingjerry_FTNT
Staff
January 3, 2025

And as you tested, for OSPF, it's better to use a Prefix list instead of an Access list.

fortimaster
Explorer III
January 4, 2025

Thanks for your help, you are right. The route is filtered before it enters the RIB. For me it is a good option because I need to filter it to avoid routing problems. There is no problem if the route is in the OSPF database. We are talking about 192.168.116.0 in my test lab:

FortiGate-VM64-KVM # get router info routing-table ospf
Routing table for VRF=0
O 10.127.0.0/30 [110/2] via 192.168.204.1, port3, 00:08:32

FortiGate-VM64-KVM # get router info ospf route

E2 192.168.116.0/24 [1/10] via 192.168.204.1, port3

The only thing I have to think about is whether I should create a new area between these 2 firewalls, just for security reasons and to pass less information, because the firewall (internal) that sends the routes to the other (external FW) is connected to area 0 with a lot of routers. In any case, we are talking about firewalls and no one will be able to use that OSPF information if I keep everything connected to area 0.

Thanks!!!
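
To make the distinction discussed in this thread concrete (distribute-list-in filters on the way into the RIB, while the OSPF route database still holds every route), here is an added Python model; it is not FortiOS code and not from any poster, and the rule tuple layout, function names and sample routes are assumptions.

```python
from ipaddress import ip_network

# Constructed prefix-list mirroring the thread's "PREFIX" list: rule 1 denies
# 192.168.116.0/24 exactly (ge/le unset), rule 2 permits any. The tuple layout,
# the function names and the sample routes are assumptions for this example.
PREFIX_LIST = [
    # (action, prefix, ge, le); ge/le None means "unset", i.e. exact length
    ("deny", "192.168.116.0/24", None, None),
    ("permit", "0.0.0.0/0", 0, 32),  # "set prefix any"
]

# Constructed OSPF route table (what "get router info ospf route" lists)
OSPF_ROUTES = ["10.127.0.0/30", "192.168.116.0/24", "192.168.116.0/25",
               "172.16.0.0/16"]


def rule_matches(rule, route):
    """Prefix-list semantics: the route must lie inside the rule prefix and
    its length must fall within [ge, le]; unset ge/le means exact length."""
    _, prefix, ge, le = rule
    net, r = ip_network(prefix), ip_network(route)
    if r.version != net.version or not r.subnet_of(net):
        return False
    lo = net.prefixlen if ge is None else ge
    hi = net.prefixlen if le is None else le
    return lo <= r.prefixlen <= hi


def evaluate_prefix_list(rules, route):
    """First matching rule wins; a route matching no rule hits the implicit deny."""
    for rule in rules:
        if rule_matches(rule, route):
            return rule[0]
    return "deny"


def distribute_list_in(ospf_routes, rules):
    """Model of distribute-list-in: filtering happens only on the way into
    the RIB. Returns (rib, ospf_db); the OSPF database keeps every route."""
    rib = [rt for rt in ospf_routes if evaluate_prefix_list(rules, rt) == "permit"]
    return rib, list(ospf_routes)


if __name__ == "__main__":
    rib, db = distribute_list_in(OSPF_ROUTES, PREFIX_LIST)
    print("get router info routing-table ospf ->", rib)
    print("get router info ospf route        ->", db)
```

Note that the /25 is still installed: with ge/le unset the deny rule matches only the exact /24, which is why a prefix-list gives tighter control here than an access-list.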

Toshi_Esumi
SuperUser
January 4, 2025

No. That idea wouldn't work with only two routers/neighbors. If a third router is in between, you can split the area at the 3rd one/ABR to bridge between two areas. The neighbors can directly talk to each other only in the same area.

With your concern, as I said originally, you can filter out those unwanted routes from advertisement on the source side before entering OSPF domain so that the source router/FGT won't be able to advertise those to the other end over OSPF.
You can use the same route-map on the source FGT as well like below:

config router ospf
  config redistribute connected (or static)
    set status enable
    set routemap <filtering-routemap>
  end
end

Toshi

fortimaster
Explorer III
January 6, 2025

Thanks Toshi,

I have tried some options, using area 0 or creating a new area between those 2 firewalls and the new point-to-point link. Finally, I'm going to put them all in area 0. It's a good option for what I want and it works perfectly.