FortiGate
gfranceschi
Staff
Article Id 195410

Description

This article describes, by example, how to control (filter) which static and connected routes are redistributed into OSPF.

Scope

In this example, a FGT80C and a FGT300A are two OSPF neighbors in area 0.0.0.0.

The requirements are that the FGT80C should redistribute to router FGT300A:

  • Only connected network 10.168.6.0/23
  • Only static route 10.11.0.0/24

Solution

  1. Configuration and verification prior to filtering the routes.


FGT80C:

config router ospf
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set prefix 10.168.0.0 255.255.254.0
        next
    end
    config redistribute "connected"
        set status enable
    end
    config redistribute "static"
        set status enable
    end
    set router-id 0.0.0.114
end


FGT80C# get router info routing-table all

Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 172.31.225.254, wan1
S       10.11.0.0/24 [10/0] via 10.168.4.103, vlan4
S       10.12.0.0/24 [10/0] via 10.168.4.103, vlan4
C       10.168.0.0/23 is directly connected, internal
C       10.168.4.0/23 is directly connected, vlan4
C       10.168.6.0/23 is directly connected, wan2
C       172.31.224.0/23 is directly connected, wan1


FG300A:

config router ospf
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set prefix 10.168.0.0 255.255.254.0
        next
    end
    config redistribute "connected"
    end
    config redistribute "static"
    end
    set router-id 0.0.0.137
end


FG300A# get router info routing-table all

Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 192.168.183.254, port5
O E2    10.11.0.0/24 [110/10] via 10.168.1.114, port1, 00:07:25
O E2    10.12.0.0/24 [110/10] via 10.168.1.114, port1, 00:07:25
C       10.168.0.0/23 is directly connected, port1
O E2    10.168.4.0/23 [110/10] via 10.168.1.114, port1, 00:00:38
O E2    10.168.6.0/23 [110/10] via 10.168.1.114, port1, 00:07:33
O E2    172.31.224.0/23 [110/10] via 10.168.1.114, port1, 00:00:38
C       192.168.100.0/24 is directly connected, port2
C       192.168.182.0/23 is directly connected, port


  2. Add the filter in the FGT80C to redistribute:

  • Only the connected interface.
  • Only the static route.

FGT80C:

config router access-list
    edit "OnlyNet6"
            config rule
                edit 1
                    set prefix 10.168.6.0 255.255.254.0
                    set exact-match enable   <--- The default action of a rule is permit.
                next
            end     <--- Routes matching no rule are dropped: the implicit default at the end of the list is deny.
    next
    edit "1"
    next
    edit "OnlyNet11"
            config rule
                edit 1
                    set prefix 10.11.0.0 255.255.255.0
                    set exact-match enable
                next
            end
    next
end

config router route-map
    edit "Map-OnlyNet6"
            config rule
                edit 1
                    set match-ip-address "OnlyNet6"   <--- The default action of a route-map rule is permit.
                next
            end
    next
    edit "Map-OnlyNet11"
            config rule
                edit 1
                    set match-ip-address "OnlyNet11"
                next
            end
    next
end

config router ospf
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set prefix 10.168.0.0 255.255.254.0
        next
    end
    config redistribute "connected"
        set status enable
        set routemap "Map-OnlyNet6"
    end
    config redistribute "static"
        set status enable
        set routemap "Map-OnlyNet11"
    end
    set router-id 0.0.0.114
end

  3. Verification of the FGT300A routing table once the route-map is enabled on FGT80C:

FG300A2904500072 # get router info routing-table all

Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 192.168.183.254, port5
O E2    10.11.0.0/24 [110/10] via 10.168.1.114, port1, 00:01:07
C       10.168.0.0/23 is directly connected, port1
O E2    10.168.6.0/23 [110/10] via 10.168.1.114, port1, 00:01:35
C       192.168.100.0/24 is directly connected, port2
C       192.168.182.0/23 is directly connected, port5
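As an added check that is not part of the article (Python, not FortiGate code), the script below replays the two access-lists from step 2 over the FGT80C routing table from step 1 and predicts the external routes FGT300A should learn in step 3. The first-match/implicit-deny logic and the behaviour of a rule without exact-match are assumptions stated in the comments.

```python
import ipaddress
import re

# Constructed sample: the FGT80C routing table shown in step 1, as printed by
# "get router info routing-table all" (only the route lines are needed).
FGT80C_ROUTES = """\
S*      0.0.0.0/0 [10/0] via 172.31.225.254, wan1
S       10.11.0.0/24 [10/0] via 10.168.4.103, vlan4
S       10.12.0.0/24 [10/0] via 10.168.4.103, vlan4
C       10.168.0.0/23 is directly connected, internal
C       10.168.4.0/23 is directly connected, vlan4
C       10.168.6.0/23 is directly connected, wan2
C       172.31.224.0/23 is directly connected, wan1
"""

# Access-lists from step 2 as (prefix, exact-match, action); a rule's default
# action is permit, and a route that matches no rule is denied.
ACCESS_LISTS = {
    "OnlyNet6": [("10.168.6.0/23", True, "permit")],
    "OnlyNet11": [("10.11.0.0/24", True, "permit")],
}
# Routing-table code -> access-list applied via the redistribute route-map.
REDISTRIBUTE = {"C": "OnlyNet6", "S": "OnlyNet11"}

ROUTE_RE = re.compile(r"^(?P<code>[A-Z])\*?\s+(?P<prefix>\d+(?:\.\d+){3}/\d+)")

def parse_routes(table):
    """Return [(code, prefix)] for every route line of the CLI output."""
    return [(m.group("code"), m.group("prefix"))
            for m in map(ROUTE_RE.match, table.splitlines()) if m]

def access_list_permits(rules, prefix):
    """First matching rule decides; no match is an implicit deny. exact-match
    requires equality; otherwise any route inside the rule prefix matches
    (assumed FortiOS behaviour, not shown in the article)."""
    net = ipaddress.ip_network(prefix)
    for rule_prefix, exact, action in rules:
        rule_net = ipaddress.ip_network(rule_prefix)
        if (net == rule_net) if exact else net.subnet_of(rule_net):
            return action == "permit"
    return False

def redistributed(table, access_lists=ACCESS_LISTS, redistribute=REDISTRIBUTE):
    """Sorted prefixes FGT80C would inject into OSPF after filtering."""
    out = []
    for code, prefix in parse_routes(table):
        acl = redistribute.get(code)
        if acl is not None and access_list_permits(access_lists[acl], prefix):
            out.append(prefix)
    return sorted(out)  # ['10.11.0.0/24', '10.168.6.0/23'] for FGT80C_ROUTES
```

Paste the live output of "get router info routing-table all" in place of the constructed table to check a change before applying it; only the two O E2 entries shown in step 3 should remain.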


Notes:

Instead of filtering through a route-map, as in the following configuration...

config redistribute "connected"
    set status enable
    set routemap "Map-OnlyNet6"
end

... consider applying the access-list directly with a distribute-list:

config redistribute "connected"
    set status enable
end
config distribute-list
    edit 1
        set access-list "OnlyNet6"
    next
end

Whichever method is chosen (route-map or distribute-list), use it consistently to avoid conflicting filters.


Instead of using access-list, consider using prefix-list.

Useful commands:


get router info ospf neighbor
get router info routing-table all
get router info ospf network