Created on 09-23-2010 07:16 AM
Edited on 06-26-2025 04:18 AM
By Stephen_G
Description
This article describes an example of how to control (filter) the static and connected routes that are redistributed into OSPF.
Scope
In this example, a FGT80C and  a FGT300A are 2 neighbors in OSPF area 0.0.0.0.
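The requirement is that the FGT80C should redistribute only the following routes to router FGT300A (as reflected by the filters and the final routing table below): the connected network 10.168.6.0/23 and the static route 10.11.0.0/24.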
Solution
FGT80C (initial configuration, redistributing all connected and static routes without any filter):
config router ospf
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set prefix 10.168.0.0 255.255.254.0
        next
    end
    config redistribute "connected"
        set status enable
    end
    config redistribute "static"
        set status enable
    end
    set router-id 0.0.0.114
end
FGT80C# get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default
S*      0.0.0.0/0 [10/0] via 172.31.225.254, wan1
S       10.11.0.0/24 [10/0] via 10.168.4.103, vlan4
S       10.12.0.0/24 [10/0] via 10.168.4.103, vlan4
C       10.168.0.0/23 is directly connected, internal
C       10.168.4.0/23 is directly connected, vlan4
C       10.168.6.0/23 is directly connected, wan2
C       172.31.224.0/23 is directly connected, wan1
FG300A:
config router ospf
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set prefix 10.168.0.0 255.255.254.0
        next
    end
    config redistribute "connected"
    end
    config redistribute "static"
    end
set router-id 0.0.0.137
end
FG300A# get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default
S*      0.0.0.0/0 [10/0] via 192.168.183.254, port5
O E2    10.11.0.0/24 [110/10] via 10.168.1.114, port1, 00:07:25
O E2    10.12.0.0/24 [110/10] via 10.168.1.114, port1, 00:07:25
C       10.168.0.0/23 is directly connected, port1
O E2    10.168.4.0/23 [110/10] via 10.168.1.114, port1, 00:00:38
O E2    10.168.6.0/23 [110/10] via 10.168.1.114, port1, 00:07:33
O E2    172.31.224.0/23 [110/10] via 10.168.1.114, port1, 00:00:38
C       192.168.100.0/24 is directly connected, port2
C       192.168.182.0/23 is directly connected, port5
FGT80C (configuration with access-lists and route-maps filtering the redistributed routes):
config router access-list
    edit "OnlyNet6"
            config rule
                edit 1
                    set prefix 10.168.6.0 255.255.254.0
                    set exact-match enable   <--- comment: no action is set on this rule, so it uses the default action, permit
                next
            end     <--- comment: any prefix that matches no rule in the access-list is denied by default
    next
    edit "1"
    next
    edit "OnlyNet11"
            config rule
                edit 1
                    set prefix 10.11.0.0 255.255.255.0
                    set exact-match enable
                next
            end
    next
end
config router route-map
    edit "Map-OnlyNet6"
            config rule
                edit 1
                    set match-ip-address "OnlyNet6"    <----- The default action is 'permit'.
                next
            end
    next
    edit "Map-OnlyNet11"
            config rule
                edit 1
                    set match-ip-address "OnlyNet11"
                next
            end
    next
end
config router ospf
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set prefix 10.168.0.0 255.255.254.0
        next
    end
    config redistribute "connected"
        set status enable
        set routemap "Map-OnlyNet6"
    end
    config redistribute "static"
        set status enable
        set routemap "Map-OnlyNet11"
    end
    set router-id 0.0.0.114
end
FG300A2904500072 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default
S*      0.0.0.0/0 [10/0] via 192.168.183.254, port5
O E2    10.11.0.0/24 [110/10] via 10.168.1.114, port1, 00:01:07
C       10.168.0.0/23 is directly connected, port1
O E2    10.168.6.0/23 [110/10] via 10.168.1.114, port1, 00:01:35
C       192.168.100.0/24 is directly connected, port2
C       192.168.182.0/23 is directly connected, port5
Notes:
Instead of using the following configuration...
config redistribute "connected"
    set status enable
    set routemap "Map-OnlyNet6"
end
       
... consider configuring the following:
config redistribute "connected"
    set status enable
end
config distribute-list
    edit 1
        set access-list "OnlyNet6"
    next
end
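It is recommended to always use the same method (either the route-map on the redistribute entry or the distribute-list) throughout the configuration, rather than mixing the two, to avoid conflicts. After changing a filter, check the neighbor's routing table with 'get router info routing-table all' to confirm that only the intended prefixes are being advertised.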
Instead of using access-list, consider using prefix-list.
Useful commands:
get router info ospf neighbor
get router info routing-table all
get router info ospf network