Purpose
This article describes the basic steps to configure FortiGates in an OSPF scenario where the FortiGates will be ABR and ASBR OSPF routers across 3 areas.
It includes the network diagram, requirements, configuration, and routing tables of all FortiGates.
Scope
• All FortiGate models
• FortiGate or VDOMs in NAT mode only
• FortiOS v4.0 and v3.0
Diagram
The following network diagram will be used for this example :
Expectations, Requirements
• FGT1 has a static default route and multiple other static routes that we do not want to inject into area 0.0.0.2, hence the use of a STUB area (see #1# )
• FGT1 will become automatically ASBR as it will advertise those static routes into area 0.0.0.1 (see #2# )
• FGT1 will also be automatically ABR as it is the border router between all 3 areas
• FGT1 should announce a default route into area 0.0.0.1 and 0.0.0.2 only if it has a default route in the routing table (see #3# )
• All locally connected interfaces must have OSPF enabled and the corresponding subnet be advertised as OSPF internal routes (not external) (see #4# )
NOTE : The use of loopback interfaces in this OSPF design is a simple rule that eases the OSPF troubleshooting and administration, where we will set the OSPF router ID identically to the loopback interface
TECH TIP : To enable OSPF on an interface, you only need to add it into the prefix list (see #4#). To enable all interfaces with a single setting, you can use the prefix “0.0.0.0/0.0.0.0”
Configuration
NOTE : Only the relevant parts of the configuration are given (interfaces and OSPF settings)
• FGT1
config system interface
edit "internal"
set vdom "root"
set ip 192.168.182.151 255.255.254.0
set allowaccess ping https ssh http telnet
set type physical
next
edit "port1"
set vdom "root"
set ip 10.141.0.151 255.255.254.0
set allowaccess ping https ssh http telnet
set type physical
next
edit "port8"
set vdom "root"
set ip 10.142.0.151 255.255.254.0
set allowaccess ping https ssh http telnet
set type physical
next
edit "lback1"
set vdom "root"
set ip 10.0.0.1 255.255.255.255
set type loopback
config router static
edit 1
set device "internal"
set gateway 192.168.183.254
next
edit 2
set device "internal"
set dst 10.5.2.0 255.255.255.0
set gateway 192.168.183.254
next
edit 3
set device "internal"
set dst 10.6.2.0 255.255.255.0
set gateway 192.168.183.254
next
edit 4
set device "internal"
set dst 10.6.3.0 255.255.255.0
set gateway 192.168.183.254
next
edit 5
set device "internal"
set dst 10.6.6.0 255.255.255.0
set gateway 192.168.183.254
next
end
config router ospf
config area
edit 0.0.0.0
next
edit 0.0.0.1
set authentication md5
next
edit 0.0.0.2
set type stub #1#
next
end
set default-information-originate enable #3#
config network
edit 1
set area 0.0.0.2
set prefix 10.142.0.0 255.255.0.0 #4#
next
edit 2
set area 0.0.0.1
set prefix 10.141.0.0 255.255.0.0 #4#
next
edit 3
set prefix 10.0.0.1 255.255.255.255 #4#
next
edit 4
set prefix 192.168.182.0 255.255.254.0 #4#
next
end
config ospf-interface
edit "area1_port1"
set authentication md5
set cost 10
set interface "port1"
set ip 10.141.0.151
set md5-key 1 "fortinet"
next
end
config redistribute "static"
set status enable #2#
end
set router-id 10.0.0.1
end
next
NOTE : In this FGT1 configuration, we had to create an OSPF interface for port1 (area 0.0.0.1) to access to additional parameters than the default ones. This was not necessary for port8 (area 0.0.0.2).
• FGT2
config system interface
edit "internal"
set vdom "root"
set ip 10.2.2.1 255.255.255.0
set allowaccess ping https
set type physical
next
edit "port1"
set vdom "root"
set ip 10.141.0.152 255.255.254.0
set allowaccess ping https ssh http telnet
set type physical
next
edit "lback2"
set vdom "root"
set ip 10.0.0.2 255.255.255.255
set type loopback
next
end
config router ospf
config area
edit 0.0.0.1
set authentication md5
next
end
config network
edit 1
set area 0.0.0.1
set prefix 10.141.0.0 255.255.0.0 #4#
next
edit 2
set area 0.0.0.1
set prefix 10.2.2.0 255.255.255.0 #4#
next
edit 3
set area 0.0.0.1
set prefix 10.0.0.2 255.255.255.255 #4#
next
end
config ospf-interface
edit "area1_port1"
set authentication md5
set cost 10
set interface "port1"
set ip 10.141.0.152
set md5-key 1 "fortinet"
next
end
set router-id 10.0.0.2
end
NOTE : In this FGT2 configuration, we had to create an OSPF interface for port1 (area 0.0.0.1) to access to additional parameters other than the default ones.
• FGT3
config system interface
edit "internal"
set vdom "root"
set ip 10.3.3.1 255.255.255.0
set allowaccess ping https ssh http telnet
set type physical
next
edit "port8"
set vdom "root"
set ip 10.142.0.155 255.255.254.0
set allowaccess ping https ssh http telnet
set type physical
next
edit "lback3"
set vdom "root"
set ip 10.0.0.3 255.255.255.255
set type loopback
next
end
config router ospf
config area
edit 0.0.0.2
set type stub #1#
next
end
config network
edit 1
set area 0.0.0.2
set prefix 10.142.0.0 255.255.0.0 #4#
next
edit 2
set area 0.0.0.2
set prefix 10.0.0.3 255.255.255.255 #4#
next
end
set router-id 10.0.0.3
end
Verification
Verify the OSPF neighbors and routing tables
• FGT1
FGT1 # get router info ospf neighbor
OSPF process 0:
Neighbor ID Pri State Dead Time Address Interface
10.0.0.2 1 Full/DR 00:00:35 10.141.0.152 port1
10.0.0.3 1 Full/DR 00:00:30 10.142.0.155 port8
FGT1 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S* 0.0.0.0/0 [10/0] via 192.168.183.254, internal
C 10.0.0.1/32 is directly connected, lback1
O 10.0.0.2/32 [110/110] via 10.141.0.152, port1, 01:34:05
O 10.0.0.3/32 [110/110] via 10.142.0.155, port8, 01:23:04
O 10.2.2.0/24 [110/20] via 10.141.0.152, port1, 02:54:11
S 10.5.2.0/24 [10/0] via 192.168.183.254, internal
S 10.6.2.0/24 [10/0] via 192.168.183.254, internal
S 10.6.3.0/24 [10/0] via 192.168.183.254, internal
S 10.6.6.0/24 [10/0] via 192.168.183.254, internal
C 10.141.0.0/23 is directly connected, port1
C 10.142.0.0/23 is directly connected, port8
C 10.160.0.0/23 is directly connected, external
C 192.168.182.0/23 is directly connected, internal
• FGT2
FGT2 # get router info ospf neighbor
OSPF process 0:
Neighbor ID Pri State Dead Time Address Interface
10.0.0.1 1 Full/Backup 00:00:31 10.141.0.151 port1
FGT2 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
O*E2 0.0.0.0/0 [110/10] via 10.141.0.151, port1, 02:55:11
O IA 10.0.0.1/32 [110/110] via 10.141.0.151, port1, 01:35:18
C 10.0.0.2/32 is directly connected, lback2
O IA 10.0.0.3/32 [110/120] via 10.141.0.151, port1, 01:23:54
C 10.2.2.0/24 is directly connected, internal
O E2 10.5.2.0/24 [110/10] via 10.141.0.151, port1, 01:02:14
O E2 10.6.2.0/24 [110/10] via 10.141.0.151, port1, 01:02:14
O E2 10.6.3.0/24 [110/10] via 10.141.0.151, port1, 01:00:46
O E2 10.6.6.0/24 [110/10] via 10.141.0.151, port1, 01:00:30
C 10.141.0.0/23 is directly connected, port1
O IA 10.142.0.0/23 [110/20] via 10.141.0.151, port1, 02:55:11
C 10.160.0.0/23 is directly connected, external
• FGT3
FGT3 # get router info ospf neighbor
OSPF process 0:
Neighbor ID Pri State Dead Time Address Interface
10.0.0.1 1 Full/Backup 00:00:37 10.142.0.151 port8
FGT3 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
O*IA 0.0.0.0/0 [110/20] via 10.142.0.151, port8, 02:53:09
O IA 10.0.0.1/32 [110/110] via 10.142.0.151, port8, 01:36:17
O IA 10.0.0.2/32 [110/120] via 10.142.0.151, port8, 01:35:55
C 10.0.0.3/32 is directly connected, lback3
O IA 10.2.2.0/24 [110/30] via 10.142.0.151, port8, 02:53:09
C 10.3.3.0/24 is directly connected, internal
O IA 10.141.0.0/23 [110/20] via 10.142.0.151, port8, 02:53:09
C 10.142.0.0/23 is directly connected, port8
C 10.160.0.0/23 is directly connected, external
Troubleshooting
Use the OSPF router command to check all the neighbors and LSDB :
“get router info ospf <subcommand>”
FGT# get router info ospf ?
database show ospf database information
interface show ospf interfaces
route show ospf routing table
neighbor show ospf neighbors
border-routers show ospf border routers
status show ospf status
virtual-links show ospf virtual links
For advanced troubleshooting, use the command :
FGT# diag ip router ospf all enable (or disable to stop the trace)
Related Articles
Technical Note : OSPF route redundancy over 2 VPN IPSec tunnels
Technical Tip: How to redistribute a default route in OSPF
Technical Note : simple OSPF configuration with 2 FortiGates in the same area
Technical Note : OSPF route summarization for LSAs Type3 (on ABR) and Type5 (on ASBR)
