rmetzger
Staff
Article Id 189487

Description

This article describes the basic steps to configure FortiGates in an OSPF scenario where the FortiGates will be ABR and ASBR OSPF routers across 3 areas.
It includes the network diagram, requirements, configuration, and routing tables of all FortiGates.


Scope


All FortiGate versions, or any VDOM running in NAT mode.

 

Solution


Diagram:


The following network diagram will be used for this example:

[Network diagram: ospf_asbr_abr.jpg (FGT1 as ABR/ASBR between areas 0.0.0.0, 0.0.0.1 and 0.0.0.2; FGT2 in area 0.0.0.1; FGT3 in stub area 0.0.0.2)]
Expectations and requirements:

  • FGT1 has a static default route and several other static routes that must not be injected into area 0.0.0.2, hence the use of a STUB area (see #1).
  • FGT1 will automatically become an ASBR, as it advertises those static routes into area 0.0.0.1 (see #2).
  • FGT1 will also automatically be an ABR, as it is the border router between all 3 areas.
  • FGT1 should announce a default route into areas 0.0.0.1 and 0.0.0.2 only if it has a default route in its own routing table (see #3).
  • All locally connected interfaces must have OSPF enabled, and their subnets must be advertised as OSPF internal routes (not external) (see #4).

Note: Using loopback interfaces in this OSPF design is a simple convention that eases OSPF troubleshooting and administration: each FortiGate's OSPF router ID is set to the address of its loopback interface.

Tip: To enable OSPF on an interface, it is only necessary to add its subnet as a prefix under 'config network' (see #4). To enable OSPF on all interfaces with a single entry, use the prefix '0.0.0.0/0.0.0.0'.


Configuration:
Note: Only the relevant parts of the configuration are given (interfaces and OSPF settings).

FGT1:

config system interface
    edit "internal"
        set vdom "root"
        set ip 192.168.182.151 255.255.254.0
        set allowaccess ping https ssh http telnet
        set type physical
    next

    edit "port1"
        set vdom "root"
        set ip 10.141.0.151 255.255.254.0
        set allowaccess ping https ssh http telnet
        set type physical
    next

    edit "port8"
        set vdom "root"
        set ip 10.142.0.151 255.255.254.0
        set allowaccess ping https ssh http telnet
        set type physical
    next

    edit "lback1"
        set vdom "root"
        set ip 10.0.0.1 255.255.255.255
        set type loopback
    next
end

config router static
    edit 1
        set device "internal"
        set gateway 192.168.183.254
    next
    edit 2
        set device "internal"
        set dst 10.5.2.0 255.255.255.0
        set gateway 192.168.183.254
    next
    edit 3
        set device "internal"
        set dst 10.6.2.0 255.255.255.0
        set gateway 192.168.183.254
    next
    edit 4
        set device "internal"
        set dst 10.6.3.0 255.255.255.0
        set gateway 192.168.183.254
    next
    edit 5
        set device "internal"
        set dst 10.6.6.0 255.255.255.0
        set gateway 192.168.183.254
    next
end

config router ospf
    config area
        edit 0.0.0.0
        next
        edit 0.0.0.1
            set authentication md5
        next
        edit 0.0.0.2
            set type stub                              #1#
        next
    end
    set default-information-originate enable           #3#
    config network
        edit 1
            set area 0.0.0.2
            set prefix 10.142.0.0 255.255.0.0          #4#
        next
        edit 2
            set area 0.0.0.1
            set prefix 10.141.0.0 255.255.0.0          #4#
        next
        edit 3
            set prefix 10.0.0.1 255.255.255.255        #4#
        next
        edit 4
            set prefix 192.168.182.0 255.255.254.0     #4#
        next
    end
    config ospf-interface
        edit "area1_port1"
            set authentication md5
            set cost 10
            set interface "port1"
            set ip 10.141.0.151
            set md5-key 1 "fortinet"
        next
    end
    config redistribute "static"
        set status enable                              #2#
    end
    set router-id 10.0.0.1
end

Note: In this FGT1 configuration, an OSPF interface entry had to be created for port1 (area 0.0.0.1) in order to set parameters beyond the defaults (MD5 authentication and cost). This was not necessary for port8 (area 0.0.0.2), which runs with the default interface parameters. Network entries 3 and 4 carry no 'set area', so they fall into the default area 0.0.0.0.

FGT2:

config system interface
    edit "internal"
        set vdom "root"
        set ip 10.2.2.1 255.255.255.0
        set allowaccess ping https
        set type physical
    next

    edit "port1"
        set vdom "root"
        set ip 10.141.0.152 255.255.254.0
        set allowaccess ping https ssh http telnet
        set type physical
    next

    edit "lback2"
        set vdom "root"
        set ip 10.0.0.2 255.255.255.255
        set type loopback
    next
end

config router ospf
    config area
        edit 0.0.0.1
            set authentication md5
        next
    end
    config network
        edit 1
            set area 0.0.0.1
            set prefix 10.141.0.0 255.255.0.0          #4#
        next
        edit 2
            set area 0.0.0.1
            set prefix 10.2.2.0 255.255.255.0          #4#
        next
        edit 3
            set area 0.0.0.1
            set prefix 10.0.0.2 255.255.255.255        #4#
        next
    end
    config ospf-interface
        edit "area1_port1"
            set authentication md5
            set cost 10
            set interface "port1"
            set ip 10.141.0.152
            set md5-key 1 "fortinet"
        next
    end
    set router-id 10.0.0.2
end

Note: In this FGT2 configuration, an OSPF interface entry had to be created for port1 (area 0.0.0.1) in order to set parameters beyond the defaults (MD5 authentication and cost, matching FGT1 on the same segment).

FGT3:

config system interface
    edit "internal"
        set vdom "root"
        set ip 10.3.3.1 255.255.255.0
        set allowaccess ping https ssh http telnet
        set type physical
    next

    edit "port8"
        set vdom "root"
        set ip 10.142.0.155 255.255.254.0
        set allowaccess ping https ssh http telnet
        set type physical
    next

    edit "lback3"
        set vdom "root"
        set ip 10.0.0.3 255.255.255.255
        set type loopback
    next
end

config router ospf
    config area
        edit 0.0.0.2
            set type stub                              #1#
        next
    end
    config network
        edit 1
            set area 0.0.0.2
            set prefix 10.142.0.0 255.255.0.0          #4#
        next
        edit 2
            set area 0.0.0.2
            set prefix 10.0.0.3 255.255.255.255        #4#
        next
    end
    set router-id 10.0.0.3
end

Verification:

Verify the OSPF neighbors and the routing tables on each FortiGate.

FGT1:

get router info ospf neighbor

OSPF process 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.0.0.2          1   Full/DR         00:00:35    10.141.0.152    port1
10.0.0.3          1   Full/DR         00:00:30    10.142.0.155    port8

get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 192.168.183.254, internal
C       10.0.0.1/32 is directly connected, lback1
O       10.0.0.2/32 [110/110] via 10.141.0.152, port1, 01:34:05
O       10.0.0.3/32 [110/110] via 10.142.0.155, port8, 01:23:04
O       10.2.2.0/24 [110/20] via 10.141.0.152, port1, 02:54:11
S       10.5.2.0/24 [10/0] via 192.168.183.254, internal
S       10.6.2.0/24 [10/0] via 192.168.183.254, internal
S       10.6.3.0/24 [10/0] via 192.168.183.254, internal
S       10.6.6.0/24 [10/0] via 192.168.183.254, internal
C       10.141.0.0/23 is directly connected, port1
C       10.142.0.0/23 is directly connected, port8
C       10.160.0.0/23 is directly connected, external
C       192.168.182.0/23 is directly connected, internal


FGT2:

get router info ospf neighbor

OSPF process 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.0.0.1          1   Full/Backup     00:00:31    10.141.0.151    port1

get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

O*E2    0.0.0.0/0 [110/10] via 10.141.0.151, port1, 02:55:11
O IA    10.0.0.1/32 [110/110] via 10.141.0.151, port1, 01:35:18
C       10.0.0.2/32 is directly connected, lback2
O IA    10.0.0.3/32 [110/120] via 10.141.0.151, port1, 01:23:54
C       10.2.2.0/24 is directly connected, internal
O E2    10.5.2.0/24 [110/10] via 10.141.0.151, port1, 01:02:14
O E2    10.6.2.0/24 [110/10] via 10.141.0.151, port1, 01:02:14
O E2    10.6.3.0/24 [110/10] via 10.141.0.151, port1, 01:00:46
O E2    10.6.6.0/24 [110/10] via 10.141.0.151, port1, 01:00:30
C       10.141.0.0/23 is directly connected, port1
O IA    10.142.0.0/23 [110/20] via 10.141.0.151, port1, 02:55:11
C       10.160.0.0/23 is directly connected, external
 
FGT3:

get router info ospf neighbor

OSPF process 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.0.0.1          1   Full/Backup     00:00:37    10.142.0.151    port8

get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

O*IA    0.0.0.0/0 [110/20] via 10.142.0.151, port8, 02:53:09
O IA    10.0.0.1/32 [110/110] via 10.142.0.151, port8, 01:36:17
O IA    10.0.0.2/32 [110/120] via 10.142.0.151, port8, 01:35:55
C       10.0.0.3/32 is directly connected, lback3
O IA    10.2.2.0/24 [110/30] via 10.142.0.151, port8, 02:53:09
C       10.3.3.0/24 is directly connected, internal
O IA    10.141.0.0/23 [110/20] via 10.142.0.151, port8, 02:53:09
C       10.142.0.0/23 is directly connected, port8
C       10.160.0.0/23 is directly connected, external
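As an added check (example code, not from the article), the following Python parses the 'get router info routing-table all' output shown above and verifies expectations #1 and #3 mechanically: the router in stub area 0.0.0.2 (FGT3) must learn no external E1/E2 routes and must receive its default route as an inter-area (IA) route, while FGT2 in area 0.0.0.1 receives the ASBR's redistributed statics and its default as E2. The sample tables are copied from the FGT2 and FGT3 outputs above and trimmed; the function and variable names are the example's own.

```python
import re
from collections import namedtuple
# Added example (not from the article): parse 'get router info routing-table all' output and
# check expectations #1 (stub area learns no external routes) and #3 (default route present).
# Sample lines are copied from the FGT2 and FGT3 output above, trimmed to a few routes each.
FGT2_TABLE = """\
O*E2    0.0.0.0/0 [110/10] via 10.141.0.151, port1, 02:55:11
O IA    10.0.0.1/32 [110/110] via 10.141.0.151, port1, 01:35:18
C       10.0.0.2/32 is directly connected, lback2
O E2    10.5.2.0/24 [110/10] via 10.141.0.151, port1, 01:02:14
"""
FGT3_TABLE = """\
O*IA    0.0.0.0/0 [110/20] via 10.142.0.151, port8, 02:53:09
O IA    10.0.0.1/32 [110/110] via 10.142.0.151, port8, 01:36:17
C       10.0.0.3/32 is directly connected, lback3
"""
# Code column ("O*E2", "O IA", "C"), prefix, then "[AD/metric] via X" or "is directly connected", interface.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z*][A-Z0-9* ]{0,7}?)\s+(?P<prefix>\d+(?:\.\d+){3}/\d+)\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\] via (?P<via>[\d.]+)|is directly connected), (?P<iface>[^\s,]+)"
)
EXTERNAL = {"E1", "E2", "N1", "N2"}  # ASBR-redistributed (type-5/7 LSA) routes, never valid in a stub area
Route = namedtuple("Route", "proto subtype default prefix ad metric via iface")

def parse_routing_table(text):
    """Turn FortiOS routing-table lines into Route tuples; legend and blank lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        parts = m["code"].replace("*", " ").split()  # "O*E2" -> ["O", "E2"], "C" -> ["C"]
        routes.append(Route(parts[0], parts[1] if len(parts) > 1 else "", "*" in m["code"], m["prefix"],
                            int(m["ad"]) if m["ad"] else None, int(m["metric"]) if m["metric"] else None,
                            m["via"], m["iface"]))
    return routes

def external_routes(routes):
    return [r for r in routes if r.proto == "O" and r.subtype in EXTERNAL]
def default_route(routes):
    return next((r for r in routes if r.prefix == "0.0.0.0/0" and r.default), None)

def is_stub_area_table(routes):
    """Expected on FGT3 (stub area 0.0.0.2): no external routes; the ABR's default arrives as inter-area."""
    d = default_route(routes)
    return not external_routes(routes) and d is not None and d.proto == "O" and d.subtype == "IA"

def is_normal_area_table(routes):
    """Expected on FGT2 (area 0.0.0.1): the ASBR's redistributed statics and its default arrive as E2."""
    d = default_route(routes)
    return bool(external_routes(routes)) and d is not None and d.proto == "O" and d.subtype == "E2"
```

Feed the full output of 'get router info routing-table all' from each router to parse_routing_table to run the same checks on a live deployment; an E1/E2 route appearing on FGT3 means the area is no longer behaving as a stub.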


Troubleshooting:

Use the OSPF router commands to check the neighbors, interfaces and the LSDB:

get router info ospf <subcommand>

get router info ospf ?
database          show ospf database information
interface         show ospf interfaces
route             show ospf routing table
neighbor          show ospf neighbors
border-routers    show ospf border routers
status            show ospf status
virtual-links     show ospf virtual links

For advanced troubleshooting, use the following command:

diag ip router ospf all enable    (replace 'enable' with 'disable' to stop the trace)
