gfranceschi
Staff
Article Id 195410

Purpose
This article provides a worked example of controlling (filtering) which static and connected routes are redistributed into OSPF.
Expectations, Requirements
In this example, a FGT80C and a FGT300A are two OSPF neighbors in area 0.0.0.0.

The requirement is that the FGT80C redistributes to the FGT300A:
- only the connected network 10.168.6.0/23
- only the static route 10.11.0.0/24


Configuration
1 - Configuration and verification prior to filtering the routes

FGT80C

config router ospf
        config area
            edit 0.0.0.0
            next
        end
        config network
            edit 1
                set prefix 10.168.0.0 255.255.254.0
            next
        end
        config redistribute "connected"
            set status enable
        end
        config redistribute "static"
            set status enable
        end
    set router-id 0.0.0.114
end

FGT80C# get router info routing-table all

Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 172.31.225.254, wan1
S       10.11.0.0/24 [10/0] via 10.168.4.103, vlan4
S       10.12.0.0/24 [10/0] via 10.168.4.103, vlan4
C       10.168.0.0/23 is directly connected, internal
C       10.168.4.0/23 is directly connected, vlan4
C       10.168.6.0/23 is directly connected, wan2
C       172.31.224.0/23 is directly connected, wan1

FG300A

config router ospf
        config area
            edit 0.0.0.0
            next
        end
        config network
            edit 1
                set prefix 10.168.0.0 255.255.254.0
            next
        end
        config redistribute "connected"
        end
        config redistribute "static"
        end
    set router-id 0.0.0.137
end

FG300A# get router info routing-table all

Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 192.168.183.254, port5
O E2    10.11.0.0/24 [110/10] via 10.168.1.114, port1, 00:07:25
O E2    10.12.0.0/24 [110/10] via 10.168.1.114, port1, 00:07:25
C       10.168.0.0/23 is directly connected, port1
O E2    10.168.4.0/23 [110/10] via 10.168.1.114, port1, 00:00:38
O E2    10.168.6.0/23 [110/10] via 10.168.1.114, port1, 00:07:33
O E2    172.31.224.0/23 [110/10] via 10.168.1.114, port1, 00:00:38
C       192.168.100.0/24 is directly connected, port2
C       192.168.182.0/23 is directly connected, port5

2 - Add the filters on the FGT80C so that it redistributes:

- only the selected connected network (10.168.6.0/23)
- only the selected static route (10.11.0.0/24)


FGT80C


config router access-list
    edit "OnlyNet6"
            config rule
                edit 1
                    set prefix 10.168.6.0 255.255.254.0
                    set exact-match enable   <--- comment: the rule action defaults to permit; exact-match means only a route with exactly this prefix matches
                next
            end     <--- comment: anything not matched by a rule is denied (implicit deny at the end of the list)
    next
    edit "1"
    next
    edit "OnlyNet11"
            config rule
                edit 1
                    set prefix 10.11.0.0 255.255.255.0
                    set exact-match enable
                next
            end
    next
end


config router route-map
    edit "Map-OnlyNet6"
            config rule
                edit 1
                    set match-ip-address "OnlyNet6"    <--- comment: default action is permit
                next
            end
    next
    edit "Map-OnlyNet11"
            config rule
                edit 1
                    set match-ip-address "OnlyNet11"
                next
            end
    next
end


config router ospf
        config area
            edit 0.0.0.0
            next
        end
        config network
            edit 1
                set prefix 10.168.0.0 255.255.254.0
            next
        end
        config redistribute "connected"
            set status enable
            set routemap "Map-OnlyNet6"
        end
        config redistribute "static"
            set status enable
            set routemap "Map-OnlyNet11"
        end
    set router-id 0.0.0.114
end

3 - Verification of the FGT300A routing table once the route-maps are applied on the FGT80C

FG300A2904500072 # get router info routing-table all

Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 192.168.183.254, port5
O E2    10.11.0.0/24 [110/10] via 10.168.1.114, port1, 00:01:07
C       10.168.0.0/23 is directly connected, port1
O E2    10.168.6.0/23 [110/10] via 10.168.1.114, port1, 00:01:35
C       192.168.100.0/24 is directly connected, port2
C       192.168.182.0/23 is directly connected, port5
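As an added illustration (not part of the original article), the Python below models how the step-2 access-lists and route-maps are evaluated against the step-1 routing table of the FGT80C, so the result can be compared with the step-3 table on the FGT300A. The access-list matching semantics (exact-match versus containment, implicit deny) are modelled as an assumption, and the routing-table text is copied from the article as sample input.

```python
import ipaddress
import re

# Constructed sample: the FGT80C "get router info routing-table all" output from step 1.
ROUTING_TABLE = """\
S*      0.0.0.0/0 [10/0] via 172.31.225.254, wan1
S       10.11.0.0/24 [10/0] via 10.168.4.103, vlan4
S       10.12.0.0/24 [10/0] via 10.168.4.103, vlan4
C       10.168.0.0/23 is directly connected, internal
C       10.168.4.0/23 is directly connected, vlan4
C       10.168.6.0/23 is directly connected, wan2
C       172.31.224.0/23 is directly connected, wan1
"""
# Route code, optional OSPF sub-type (E2, IA, ...), then the prefix.
ROUTE_RE = re.compile(r"^([A-Z])\*?\s+(?:[A-Z]+\d?\s+)?(\d+(?:\.\d+){3}/\d+)\b")

def parse_routes(text):
    """Return (code, prefix) pairs, e.g. ('C', '10.168.6.0/23')."""
    return [m.groups() for m in map(ROUTE_RE.match, text.splitlines()) if m]

def acl_permits(rules, prefix):
    """Access-list evaluation: first matching rule decides, implicit deny at the end.
    Modelled semantics (assumption): without exact-match a rule matches any route that
    falls inside the rule prefix; with exact-match only the identical prefix matches."""
    net = ipaddress.ip_network(prefix)
    for rule_prefix, exact, action in rules:
        rule_net = ipaddress.ip_network(rule_prefix)
        if (net == rule_net) if exact else net.subnet_of(rule_net):
            return action == "permit"
    return False

def route_map_permits(rules, prefix):
    """Route-map evaluation: first rule whose access-list matches decides; no match = deny."""
    for acl, action in rules:
        if acl_permits(acl, prefix):
            return action == "permit"
    return False

def redistributed(text, connected_map, static_map):
    """Prefixes the FGT80C would hand to OSPF given the two route-maps."""
    maps = {"C": connected_map, "S": static_map}
    return [p for code, p in parse_routes(text)
            if code in maps and route_map_permits(maps[code], p)]

# Access-lists and route-maps from step 2 (rule tuples: prefix, exact-match, action).
ONLY_NET6 = [("10.168.6.0/23", True, "permit")]
ONLY_NET11 = [("10.11.0.0/24", True, "permit")]
MAP_ONLY_NET6 = [(ONLY_NET6, "permit")]
MAP_ONLY_NET11 = [(ONLY_NET11, "permit")]
```

Calling redistributed(ROUTING_TABLE, MAP_ONLY_NET6, MAP_ONLY_NET11) yields only 10.11.0.0/24 and 10.168.6.0/23, the two O E2 routes left in the step-3 table.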


Remarks:

  • Instead of using the configuration:

        config redistribute "connected"
            set status enable
            set routemap "Map-OnlyNet6"
        end

    you could configure:

        config redistribute "connected"
            set status enable
        end
        config distribute-list
            edit 1
                set access-list "OnlyNet6"
                set protocol connected   <--- comment: apply the list to the redistributed connected routes
            next
        end

    Use one method consistently (either a route-map on the redistribute entry or a distribute-list), not both, to avoid conflicting filters.

  • Instead of an access-list, you could use a prefix-list; the route-map's match-ip-address accepts either.
