FortiGate
rmetzger
Staff
Article Id 198559

Purpose

This article provides an example of how to configure OSPF route summarization for Type3 (on ABR) and Type5 (on ASBR) LSAs.
 
See the related articles for more information about configuring OSPF.


Scope
All FortiGate units or VDOMs running in NAT mode.
Diagram
The following network scenario is used for this example. Note the use of 3 VDOMs on FortiGate 1 (FGT1).


[Network diagram: rmetzger_ospf_route_summary.JPG]


Expectations, Requirements
FortiGate 2 (FGT2) has multiple IP addresses on its wan2 interface with OSPF enabled (10.142.0.1/23 --> 10.146.0.1/23), and multiple static routes that are advertised in OSPF (10.102.0.0/23 --> 10.107.0.0/23).

The goal is to summarize all those routes across the areas and the routers.

Configuration

Notes:

1) The summary of external routes (LSAs Type5) can only be done on the ASBR that originates those routes. This is FGT2 in the example.

2) The summary of LSAs Type3 is done on the ABR and controls the routes that will be advertised into the other areas. In this example, this is done on FGT1.

3) The command 'config summary-address' applies to ASBR summaries.

4) The commands 'config range, edit 1, set prefix 10.128.0.0 255.192.0.0' apply to ABR summaries.

5) The command 'set prefix 10.128.0.0 255.192.0.0' will cover the following range : 10.128.0.0 - 10.191.255.255.

6) The command 'set prefix 10.64.0.0 255.192.0.0' will cover the following range : 10.64.0.0 - 10.127.255.255.
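The ranges in notes 5 and 6 can be checked against the routes they are meant to cover before the summary is configured. The following is an added example, not part of the original article or Fortinet code; the function names are hypothetical, and it assumes the "-->" ranges in the requirements mean consecutive second octets (142 to 146 and 102 to 107).

```python
import ipaddress

# Routes from the article's requirements; consecutive second octets are an assumption.
OSPF_INTERFACES = [f"10.{o}.0.1/23" for o in range(142, 147)]  # 10.142.0.1/23 --> 10.146.0.1/23
STATIC_ROUTES = [f"10.{o}.0.0/23" for o in range(102, 108)]    # 10.102.0.0/23 --> 10.107.0.0/23

def summary_network(prefix, mask):
    """Parse a 'set prefix <ip> <mask>' pair; strict mode rejects host bits set in <ip>."""
    return ipaddress.ip_network(f"{prefix}/{mask}", strict=True)

def tightest_supernet(networks):
    """Smallest single prefix that contains every network in the list."""
    net = networks[0]
    while not all(n.subnet_of(net) for n in networks):
        net = net.supernet()
    return net

def check_summary(prefix, mask, components):
    """Compare a configured summary with the component routes it should cover."""
    summary = summary_network(prefix, mask)
    # ip_interface() accepts interface addresses such as 10.142.0.1/23 and masks the host bits.
    nets = [ipaddress.ip_interface(c).network for c in components]
    return {
        "summary": str(summary),
        "first": str(summary.network_address),
        "last": str(summary.broadcast_address),
        "uncovered": [str(n) for n in nets if not n.subnet_of(summary)],
        "tightest": str(tightest_supernet(nets)),
        "addresses_advertised": summary.num_addresses,
        "addresses_in_use": sum(n.num_addresses for n in set(nets)),
    }

if __name__ == "__main__":
    cases = (("ABR range", "10.128.0.0", OSPF_INTERFACES),
             ("ASBR summary-address", "10.64.0.0", STATIC_ROUTES))
    for label, prefix, routes in cases:
        print(label, check_summary(prefix, "255.192.0.0", routes))
```

A non-empty "uncovered" list means a component route will still be advertised individually. A large gap between "addresses_advertised" and "addresses_in_use" means the summarizing router announces reachability for address space that no component route backs.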

OSPF configuration on FGT2 (area 0.0.0.1)

config router ospf
config area
edit 0.0.0.1
next
end
config network
edit 1
set area 0.0.0.1
set prefix 0.0.0.0 0.0.0.0
next
end
config redistribute "connected"
end
config redistribute "static"
set status enable
end
config redistribute "rip"
end
config redistribute "bgp"
end
set router-id 10.0.0.20
config summary-address <<< This applies to ASBRs
edit 1
set prefix 10.64.0.0 255.192.0.0
next
end
end



OSPF configuration of FGT1 - VDOM customer1 (area 0.0.0.1)

config router ospf
config area
edit 0.0.0.1
next
end
config network
edit 1
set area 0.0.0.1
set prefix 0.0.0.0 0.0.0.0
next
end
config redistribute "connected"
end
config redistribute "static"
end
config redistribute "rip"
end
config redistribute "bgp"
end
set router-id 10.0.0.11
end

 

OSPF configuration of FGT1 - VDOM root (backbone area 0.0.0.0)

config router ospf
config area
edit 0.0.0.0
next
edit 0.0.0.1 <<< This applies to ABRs
config range
edit 1
set prefix 10.128.0.0 255.192.0.0
next
end
next
edit 0.0.0.2
next
end
config network
edit 1
set prefix 0.0.0.0 0.0.0.0
next
edit 2
set area 0.0.0.1
set prefix 10.161.0.0 255.255.255.252
next
edit 3
set area 0.0.0.2
set prefix 10.161.0.4 255.255.255.252
next
end
config redistribute "connected"
end
config redistribute "static"
end
config redistribute "rip"
end
config redistribute "bgp"
end
set router-id 10.0.0.10
end

 

OSPF configuration of FGT1 - VDOM customer2 (area 0.0.0.2)

config router ospf
config area
edit 0.0.0.2
next
end
config network
edit 1
set area 0.0.0.2
set prefix 0.0.0.0 0.0.0.0
next
end
config redistribute "connected"
end
config redistribute "static"
end
config redistribute "rip"
end
config redistribute "bgp"
end
set router-id 10.0.0.30
end


Verification

 
Verification on FGT1 - VDOM customer1 (area 0.0.0.1)
 
FGT1 (customer1) # get router info routing-table  all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

O E2    10.64.0.0/10 [110/10] via 10.160.0.187, internal, 00:56:36
O       10.142.0.0/23 [110/110] via 10.160.0.187, internal, 02:52:09
O       10.143.0.0/23 [110/110] via 10.160.0.187, internal, 02:47:36
O       10.144.0.0/23 [110/110] via 10.160.0.187, internal, 02:47:26
O       10.145.0.0/23 [110/110] via 10.160.0.187, internal, 02:47:26
O       10.146.0.0/23 [110/110] via 10.160.0.187, internal, 02:47:26
C       10.160.0.0/23 is directly connected, internal
C       10.161.0.0/30 is directly connected, Inter-vdom11
C       10.161.0.2/32 is directly connected, Inter-vdom11
O IA    10.161.0.4/30 [110/200] via 10.161.0.1, Inter-vdom11, 01:56:04
O IA    192.168.182.0/23 [110/110] via 10.161.0.1, Inter-vdom11, 02:22:43
 
Verification on FGT1 - VDOM root
 
FGT1 (root) # get router info ospf  database  brief

                Router Link States (Area 0.0.0.0)

Link ID         ADV Router      Age  Seq#     CkSum Flag Link count
10.0.0.10       10.0.0.10       1500 80000014 c825  0031 1

                Summary Link States (Area 0.0.0.0)

Link ID         ADV Router      Age  Seq#     CkSum Flag Route
10.161.0.4      10.0.0.10       1070 80000004 6aca  0031 10.161.0.4/30

                ASBR-Summary Link States (Area 0.0.0.0)

Link ID         ADV Router      Age  Seq#     CkSum Flag
10.0.0.20       10.0.0.10       240  80000005 4b12  0031

                Router Link States (Area 0.0.0.1)

Link ID         ADV Router      Age  Seq#     CkSum Flag Link count
10.0.0.10       10.0.0.10       20   8000000b 36a8  0031 2
10.0.0.11       10.0.0.11       1510 8000000b 95e3  0012 3
10.0.0.20       10.0.0.20       408  80000013 692f  0012 6

                Net Link States (Area 0.0.0.1)

Link ID         ADV Router      Age  Seq#     CkSum Flag
10.160.0.205    10.0.0.11       1090 80000006 fd97  0012

                Summary Link States (Area 0.0.0.1)

Link ID         ADV Router      Age  Seq#     CkSum Flag Route
10.161.0.4      10.0.0.10       1560 80000004 6aca  0031 10.161.0.4/30
192.168.182.0   10.0.0.10       1130 80000005 a07b  0031 192.168.182.0/23

                Router Link States (Area 0.0.0.2)

Link ID         ADV Router      Age  Seq#     CkSum Flag Link count
10.0.0.10       10.0.0.10       1610 8000000a 873d  0031 2
10.0.0.30       10.0.0.30       1433 80000007 8e25  0012 2

                Summary Link States (Area 0.0.0.2)

Link ID         ADV Router      Age  Seq#     CkSum Flag Route
10.128.0.0      10.0.0.10       90   80000005 83a3  0031 10.128.0.0/10
192.168.182.0   10.0.0.10       1420 80000005 a07b  0031 192.168.182.0/23

                ASBR-Summary Link States (Area 0.0.0.2)

Link ID         ADV Router      Age  Seq#     CkSum Flag
10.0.0.20       10.0.0.10       1640 80000004 4d11  0031

                AS External Link States

Link ID         ADV Router      Age  Seq#     CkSum Flag Route              Tag
10.64.0.0       10.0.0.20       1198 80000002 efae  0012 E2 10.64.0.0/10    0

Verification on FGT1 - VDOM customer2 (area 0.0.0.2)

FGT1 (customer2) # get router info routing-table  all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

O E2    10.64.0.0/10 [110/10] via 10.161.0.5, Inter-vdom21, 00:58:47
O IA    10.128.0.0/10 [110/310] via 10.161.0.5, Inter-vdom21, 02:00:07
C       10.161.0.4/30 is directly connected, Inter-vdom21
C       10.161.0.6/32 is directly connected, Inter-vdom21
O IA    192.168.182.0/23 [110/110] via 10.161.0.5, Inter-vdom21, 02:24:26



FGT1 (customer2) # get router info ospf  database  brief

                Router Link States (Area 0.0.0.2)
Link ID         ADV Router      Age  Seq#     CkSum Flag Link count
10.0.0.10       10.0.0.10       1714 8000000a 873d  0012 2
10.0.0.30       10.0.0.30       1535 80000007 8e25  0031 2

                Summary Link States (Area 0.0.0.2)

Link ID         ADV Router      Age  Seq#     CkSum Flag Route
10.128.0.0      10.0.0.10       194  80000005 83a3  0012 10.128.0.0/10
192.168.182.0   10.0.0.10       1524 80000005 a07b  0012 192.168.182.0/23

                ASBR-Summary Link States (Area 0.0.0.2)

Link ID         ADV Router      Age  Seq#     CkSum Flag
10.0.0.20       10.0.0.10       1744 80000004 4d11  0012

                AS External Link States

Link ID         ADV Router      Age  Seq#     CkSum Flag Route              Tag
10.64.0.0       10.0.0.20       1302 80000002 efae  0012 E2 10.64.0.0/10    0


FGT1 (customer2) # get router info ospf  database  summary  lsa

                Summary Link States (Area 0.0.0.2)

  LS age: 241
  Options: 0x2 (*|-|-|-|-|-|E|-)
  LS Type: summary-LSA
  Link State ID: 10.128.0.0 (summary Network Number)
  Advertising Router: 10.0.0.10
  LS Seq Number: 80000005
  Checksum: 0x83a3
  Length: 28
  Network Mask: /10
        TOS: 0  Metric: 210

  LS age: 1571
  Options: 0x2 (*|-|-|-|-|-|E|-)
  LS Type: summary-LSA
  Link State ID: 192.168.182.0 (summary Network Number)
  Advertising Router: 10.0.0.10
  LS Seq Number: 80000005
  Checksum: 0xa07b
  Length: 28
  Network Mask: /23
        TOS: 0  Metric: 10

FGT1 (customer2) # get router info ospf  database  asbr-summary lsa

                ASBR-Summary Link States (Area 0.0.0.2)

  LS age: 57
  Options: 0x2 (*|-|-|-|-|-|E|-)
  LS Type: ASBR-summary-LSA
  Link State ID: 10.0.0.20 (AS Boundary Router address)
  Advertising Router: 10.0.0.10
  LS Seq Number: 80000005
  Checksum: 0x4b12
  Length: 28
  Network Mask: /0
        TOS: 0  Metric: 200


Troubleshooting
A common issue is that the OSPF setting 'redistribute connected' is enabled on FGT2. The local subnets 10.142.0.1/23 to 10.146.0.1/23 are then advertised as LSA Type5 (External) instead of LSAs Type2, which invalidates the desired effect described in this scenario.
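The routing-table check from the Verification section can be automated so that this symptom is caught in a remote area. The following is an added example, not part of the original article; the function names are hypothetical, the table is the customer2 output shown above, and the leaked line is constructed to show how an external /23 inside the ABR range would be listed.

```python
import ipaddress
import re

# 'get router info routing-table all' from VDOM customer2, copied from the article.
CUSTOMER2_TABLE = """\
O E2    10.64.0.0/10 [110/10] via 10.161.0.5, Inter-vdom21, 00:58:47
O IA    10.128.0.0/10 [110/310] via 10.161.0.5, Inter-vdom21, 02:00:07
C       10.161.0.4/30 is directly connected, Inter-vdom21
C       10.161.0.6/32 is directly connected, Inter-vdom21
O IA    192.168.182.0/23 [110/110] via 10.161.0.5, Inter-vdom21, 02:24:26
"""

# Constructed line (not from the article): a local subnet of FGT2 arriving as external.
CONSTRUCTED_LEAK = "O E2    10.142.0.0/23 [110/10] via 10.161.0.5, Inter-vdom21, 00:01:12\n"

# Route code, optional OSPF sub-type, then the prefix; legend lines do not match.
ROUTE = re.compile(r"([A-Z])(?: (IA|E1|E2|N1|N2))?\s+(\d+\.\d+\.\d+\.\d+/\d+)")

def ospf_specifics(table_text, summary):
    """List OSPF routes that are strictly more specific than the summary prefix."""
    summary_net = ipaddress.ip_network(summary)
    found = []
    for line in table_text.splitlines():
        m = ROUTE.match(line.strip())
        if not m or m.group(1) != "O":
            continue  # skip legend lines and non-OSPF routes
        net = ipaddress.ip_network(m.group(3))
        if net != summary_net and net.subnet_of(summary_net):
            found.append((m.group(2) or "intra-area", str(net)))
    return found

def summary_installed(table_text, summary, subtype):
    """True if the summary itself is present with the expected OSPF sub-type."""
    for line in table_text.splitlines():
        m = ROUTE.match(line.strip())
        if m and m.group(1) == "O" and m.group(3) == summary and m.group(2) == subtype:
            return True
    return False

if __name__ == "__main__":
    for name, table in (("article output", CUSTOMER2_TABLE),
                        ("with constructed leak", CUSTOMER2_TABLE + CONSTRUCTED_LEAK)):
        print(name, summary_installed(table, "10.128.0.0/10", "IA"),
              ospf_specifics(table, "10.128.0.0/10"))
```

Run against the customer1 table instead, the same check lists the five intra-area /23 routes, which is expected because customer1 sits in area 0.0.0.1 with FGT2 and the ABR range only affects what is advertised into other areas.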
