FortiGate
gmanea (Staff)
Article Id 197747

Description

This article provides an example of how to configure OSPF route filtering with the filter-list CLI command.

See the related articles at the bottom for more information about the configuration of OSPF.

Scope

All FortiGate versions, or any VDOM running in NAT mode.

Solution

The filter-list can only be configured on the ABR, for inbound or outbound type-3 LSAs, to prevent certain routes from being advertised into other areas.

Before route filtering, FGT3 (router-id 3.3.3.3) receives all of the networks announced by FGT1 (router-id 1.1.1.1). In this example, route filtering will limit the received routes to 172.31.16.0/22. However, the 'distribute-list in' command cannot be used on FGT3 because it is not a managed unit.

This article shows how to configure the filtering on the Area Border Router, FGT2 (router-id 2.2.2.2), with the filter-list command in this example.

FGT1 (router-id 1.1.1.1) is connected to OSPF area 1 through the 'internal' interface.
All of its connected networks are advertised in OSPF.
 
config router ospf
    config area
        edit 0.0.0.1
        next
    end
    config network
        edit 1
            set area 0.0.0.1
            set prefix 172.31.224.0 255.255.252.0
        next
        edit 2
            set area 0.0.0.1
            set prefix 172.31.228.0 255.255.252.0
        next
        edit 3
            set area 0.0.0.1
            set prefix 172.31.16.0 255.255.252.0
        next
    end
    config ospf-interface
        edit "VLAN224"
            set authentication text
            set authentication-key ENC TMAzBpmgRz8a00HX/T8cVmdys5ETpuCTFOyaMPve5Lj2EiVO6o8YZfn/7eHq5fxgUl++v4A4bupqSsQ10dqPYhb19w9HhoFPqSHipHimbTw6LK8m
            set cost 10
            set interface "internal"
        next
    end
    set passive-interface "wan1" "wan2"
    config redistribute "connected"
    end
    config redistribute "static"
    end
    config redistribute "rip"
    end
    config redistribute "bgp"
    end
    config redistribute "isis"
    end
    set router-id 1.1.1.1
end
 
FGT2 (router-id 2.2.2.2), acting as an ABR, is connected to OSPF area 0 and OSPF area 1. 
This router will be configured to filter routes.
 
config router ospf
    config area
        edit 0.0.0.1
        next
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set area 0.0.0.1
            set prefix 172.31.224.0 255.255.252.0
        next
        edit 2
            set prefix 172.31.192.0 255.255.252.0
        next
    end
    config ospf-interface
        edit "VLAN224"
            set authentication text
            set authentication-key ENC 0dhcO1DnhKDShYWw7TZrNfY/TmbYZrsPCcavh2+BqIjUjLGqr2KlESxEhUsS3aE84W3t2aQjYZH2x6OOOhD/qzDBLEXSOiR7DHwPbkrvuN2nVloz
            set cost 10
            set interface "wan1"
        next
        edit "VLAN192"
            set authentication text
            set authentication-key ENC 2nlve7rIZrC7fP0UohTWb4iC3v5/KMQiJP57djiMzCh9p0RaIGVh84zEAQbQod5SruVArIHr8uY2a9Dxte57+t46sHekTGLetz0S1+AbuLBWxS2b
            set cost 10
            set interface "wan2"
        next
    end
    config redistribute "connected"
    end
    config redistribute "static"
    end
    config redistribute "rip"
    end
    config redistribute "bgp"
    end
    config redistribute "isis"
    end
    set router-id 2.2.2.2
end
 
FGT3 (router-id 3.3.3.3) is connected to OSPF area 0:
 
config router ospf
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set prefix 172.31.192.0 255.255.252.0
        next
    end
    config ospf-interface
        edit "VLAN192"
            set authentication text
            set authentication-key ENC hRpULJhpkshodPt1V7HBifBNqOTLRBzp8WUm57XOamIrJeIk4iUxFKlgk2SUNe48nfVnh1QxUc76/lYuyCFUOIgcwE138mnuuTSI4Xm96f4DL6TC
            set cost 10
            set interface "wan1"
        next
    end
    config redistribute "connected"
    end
    config redistribute "static"
    end
    config redistribute "rip"
    end
    config redistribute "bgp"
    end
    config redistribute "isis"
    end
    set router-id 3.3.3.3
end
 
Below is the route-filtering configuration for FGT2. The prefix-list denies the two area 1 networks that must not reach area 0 and permits everything else:
 
config router prefix-list
    edit "FILTER_AREA_1_NETWORKS"
        config rule
            edit 1
                set action deny
                set prefix 172.31.228.0 255.255.252.0
                unset ge
                unset le
            next
            edit 2
                set action deny
                set prefix 172.31.224.0 255.255.252.0
                unset ge
                unset le
            next
            edit 3
                set action permit
                set prefix any
                unset ge
                unset le
            next
        end
    next
end
 
Apply the filter-list either under area 1 with the 'out' direction or under area 0 with the 'in' direction.
 
Area 1:
 
config router ospf
    config area
        edit 0.0.0.1
            config filter-list
                edit 1
                    set list "FILTER_AREA_1_NETWORKS"
                    set direction out          <--- Default direction value.
                next
            end
        next
    end
end
 
Or Area 0:
 
config router ospf
    config area
        edit 0.0.0.0
            config filter-list
                edit 1
                    set list "FILTER_AREA_1_NETWORKS"
                    set direction in
                next
            end
        next
    end
end
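To predict what the prefix-list above lets through before applying it on the ABR, here is an added Python model of FortiGate prefix-list evaluation (example code, not from the article or FortiOS): rules are tried in order, the first match decides, 'prefix any' matches everything, an unmatched prefix is denied, and a rule with ge/le unset matches only the exact prefix. The rule list and the three summary LSAs are constructed from the configuration and the FGT3 LSA database shown in this article.

```python
import ipaddress

# Constructed model of the article's FILTER_AREA_1_NETWORKS prefix-list.
# ge/le of None stand for "unset ge" / "unset le".
FILTER_AREA_1_NETWORKS = [
    {"action": "deny",   "prefix": "172.31.228.0/22", "ge": None, "le": None},
    {"action": "deny",   "prefix": "172.31.224.0/22", "ge": None, "le": None},
    {"action": "permit", "prefix": "any",             "ge": None, "le": None},
]

# Constructed: the type-3 summary LSAs FGT2 originates into area 0 before filtering.
SUMMARY_LSAS = ["172.31.16.0/22", "172.31.224.0/22", "172.31.228.0/22"]


def rule_matches(rule, route):
    """True if one prefix-list rule matches the route.

    With neither ge nor le the route must equal the rule prefix exactly;
    with ge and/or le the route must lie inside the rule prefix and have a
    length within [ge, le] (ge defaults to the rule length, le to 32).
    """
    if rule["prefix"] == "any":
        return True
    base = ipaddress.ip_network(rule["prefix"])
    if not route.subnet_of(base):
        return False
    lo = rule["ge"] if rule["ge"] is not None else base.prefixlen
    if rule["le"] is not None:
        hi = rule["le"]
    elif rule["ge"] is not None:
        hi = base.max_prefixlen
    else:
        hi = base.prefixlen
    return lo <= route.prefixlen <= hi


def permitted(rules, prefix):
    """First matching rule decides; a prefix-list denies anything unmatched."""
    route = ipaddress.ip_network(prefix)
    for rule in rules:
        if rule_matches(rule, route):
            return rule["action"] == "permit"
    return False


def routes_passing_filter(rules=FILTER_AREA_1_NETWORKS, lsas=SUMMARY_LSAS):
    """Prefixes the ABR would still advertise once the filter-list is applied."""
    return [p for p in lsas if permitted(rules, p)]
```

Because rules 1 and 2 leave ge/le unset they match only the exact /22s, so a more specific prefix such as 172.31.228.0/24 would fall through to rule 3 and be permitted; set 'le 32' on a deny rule if subnets of that network must be blocked too.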
 
The following output shows FGT3 before route filtering:
 
get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default
 
C       10.120.0.0/22 is directly connected, internal
O IA    172.31.16.0/22 [110/10] via 172.31.192.126, wan1, 00:20:18
C       172.31.192.0/22 is directly connected, wan1
O IA    172.31.224.0/22 [110/20] via 172.31.192.126, wan1, 00:20:18
O IA    172.31.228.0/22 [110/10] via 172.31.192.126, wan1, 00:20:18
 
The received OSPF inter-area routes installed in the routing table are the three 'O IA' entries (172.31.16.0/22, 172.31.224.0/22 and 172.31.228.0/22). The aim of the filter-list is to leave only 172.31.16.0/22 in the routing table of FGT3.
  
The following output shows FGT3 after route filtering:
 
get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default
 
C       10.120.0.0/22 is directly connected, internal
O IA    172.31.16.0/22 [110/30] via 172.31.192.126, wan1, 00:04:23
C       172.31.192.0/22 is directly connected, wan1
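To compare the two states in a script instead of by eye, here is an added Python check (example code, not from the article) that parses 'get router info routing-table all' output and reports which inter-area routes the filter-list removed. The BEFORE and AFTER samples are constructed from the two FGT3 outputs shown above.

```python
import re

# Constructed from the FGT3 routing-table outputs before and after filtering.
BEFORE = """\
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
C       10.120.0.0/22 is directly connected, internal
O IA    172.31.16.0/22 [110/10] via 172.31.192.126, wan1, 00:20:18
C       172.31.192.0/22 is directly connected, wan1
O IA    172.31.224.0/22 [110/20] via 172.31.192.126, wan1, 00:20:18
O IA    172.31.228.0/22 [110/10] via 172.31.192.126, wan1, 00:20:18
"""
AFTER = """\
C       10.120.0.0/22 is directly connected, internal
O IA    172.31.16.0/22 [110/30] via 172.31.192.126, wan1, 00:04:23
C       172.31.192.0/22 is directly connected, wan1
"""

# One entry: "<code> <prefix> [AD/metric] via <nexthop>, <iface>, <age>" or
# "<code> <prefix> is directly connected, <iface>". The legend lines never match.
ROUTE_RE = re.compile(
    r"^\s*(?P<code>[A-Z*](?: (?:IA|N1|N2|E1|E2|L1|L2|ia))?)\s+"
    r"(?P<prefix>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\] via (?P<nexthop>\S+), (?P<iface>[^,]+),"
    r"|is directly connected, (?P<ciface>\S+))"
)


def parse_routes(output):
    """Return one dict per route line; the 'Codes:' legend is skipped."""
    routes = []
    for line in output.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes.append({
                "code": m["code"], "prefix": m["prefix"],
                "metric": int(m["metric"]) if m["metric"] else None,
                "via": m["nexthop"], "iface": m["iface"] or m["ciface"],
            })
    return routes


def inter_area_prefixes(output):
    """Prefixes installed as OSPF inter-area (O IA) routes, i.e. learned from type-3 LSAs."""
    return sorted(r["prefix"] for r in parse_routes(output) if r["code"] == "O IA")


def filter_effect(before, after):
    """(O IA prefixes the filter removed, O IA prefixes still installed)."""
    b, a = set(inter_area_prefixes(before)), set(inter_area_prefixes(after))
    return sorted(b - a), sorted(a)
```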
 
Troubleshooting on FGT3 before route filtering:
 
get router info ospf database brief
 
                Router Link States (Area 0.0.0.0)
 
Link ID         ADV Router      Age  Seq#     CkSum Flag Link count
2.2.2.2         2.2.2.2         110  8000000a bd5d  0012 1
3.3.3.3         3.3.3.3         114  80000010 54ba  0021 1
 
                Net Link States (Area 0.0.0.0)
 
Link ID         ADV Router      Age  Seq#     CkSum Flag
172.31.192.125  3.3.3.3         114  80000001 79b9  0021
 
                Summary Link States (Area 0.0.0.0)
 
Link ID         ADV Router      Age  Seq#     CkSum Flag Route
172.31.16.0     2.2.2.2         101  80000001 fd6a  0002 172.31.16.0/22
172.31.224.0    2.2.2.2         125  80000001 a001  0002 172.31.224.0/22
172.31.228.0    2.2.2.2         101  80000001 d8ba  0002 172.31.228.0/22
 
Troubleshooting on FGT3 after route filtering:
 
get router info ospf database brief
 
                Router Link States (Area 0.0.0.0)
 
Link ID         ADV Router      Age  Seq#     CkSum Flag Link count
2.2.2.2         2.2.2.2         224  8000000a bd5d  0012 1
3.3.3.3         3.3.3.3         229  80000010 54ba  0021 1
 
                Net Link States (Area 0.0.0.0)
 
Link ID         ADV Router      Age  Seq#     CkSum Flag
172.31.192.125  3.3.3.3         229  80000001 79b9  0021
 
                Summary Link States (Area 0.0.0.0)
 
Link ID         ADV Router      Age  Seq#     CkSum Flag Route
172.31.16.0     2.2.2.2         215  80000001 fd6a  0002 172.31.16.0/22

The filter-list can only filter type 3 (Inter-Area Prefix) link-state advertisements (LSAs).

Related articles: