Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
- Fortinet Community
- Knowledge Base
- FortiGate
- Technical Tip : Controlling OSPF routes in case of...
Options
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
Description
This article presents an example to control OSPF routes when 2 routers have got parallel (redundant) links to each other.
The following scenario illustrates this example :
10.160.0.0/23 [ FGT1 ] --- wan1 ----- [ FGT2 ] ---- 192.168.182.0/23 + default route
------------- [------] --- wan2 ----- [------]
OSPF is enabled on all interfaces of FGT1 and FGT2.
Requirements :
Scope
All FortiOS
Solution
The solution described hereafter is based on the OSPF interface cost.
FGT1 # get router info ospf neighbor
FGT1 # get router info routing-table ospf
FGT2 # get router info ospf neighbor
FGT2 # get router info routing-table ospf
We see from the above that two adjacencies are brought up, and due to ECMP, both FortiGate learn each route from wan1 and wan2
FGT1 # get router info routing-table ospf
FGT2 # get router info routing-table ospf
FGT1 # get router info ospf database router lsa
FGT2 # get router info ospf database router lsa
FGT2 # get router info routing-table ospf
FGT1 # get router info ospf database router lsa
When wan1 is brought down, the OSPF routes over wan2 are in the routing tables :
FGT1 # get router info routing-table ospf
FGT2 # get router info routing-table ospf
This article presents an example to control OSPF routes when 2 routers have got parallel (redundant) links to each other.
The following scenario illustrates this example :
10.160.0.0/23 [ FGT1 ] --- wan1 ----- [ FGT2 ] ---- 192.168.182.0/23 + default route
------------- [------] --- wan2 ----- [------]
OSPF is enabled on all interfaces of FGT1 and FGT2.
Requirements :
- FGT1 should learn the network 192.168.182.0/23 and the default route only via wan1
- FGT2 should learn the network 10.160.0.0/23 only via wan1
- wan2 should be used as backup link only
Scope
All FortiOS
Solution
The solution described hereafter is based on the OSPF interface cost.
Step 1: situation with default settings
FGT1 # get router info ospf neighbor
| OSPF process 0: Neighbor ID Pri State Dead Time Address Interface 10.2.2.2 1 Full/Backup 00:00:33 10.182.0.187 wan1 10.2.2.2 1 Full/Backup 00:00:31 10.183.0.187 wan2 |
FGT1 # get router info routing-table ospf
| O*E2 0.0.0.0/0 [110/10] via 10.183.0.187, wan2, 00:00:01 [110/10] via 10.182.0.187, wan1, 00:00:01 O 192.168.182.0/23 [110/20] via 10.183.0.187, wan2, 00:02:04 [110/20] via 10.182.0.187, wan1, 00:02:04 |
FGT2 # get router info ospf neighbor
| OSPF process 0: Neighbor ID Pri State Dead Time Address Interface 10.1.1.1 1 Full/DR 00:00:38 10.182.0.57 wan1 10.1.1.1 1 Full/DR 00:00:38 10.183.0.57 wan2 |
FGT2 # get router info routing-table ospf
| O 10.160.0.0/23 [110/20] via 10.183.0.57, wan2, 00:00:39 [110/20] via 10.182.0.57, wan1, 00:00:39 |
We see from the above that two adjacencies are brought up, and due to ECMP, both FortiGate learn each route from wan1 and wan2
Step 2: Controlling route on FGT2
The cost of the wan2 interface is increased to 200 (10 being default in this situation).| FGT2 # config router ospf config ospf-interface edit "WAN2_higher_cost" set cost 200 set interface "wan2" next end |
- There are no route changes on FGT1 :
FGT1 # get router info routing-table ospf
| O*E2 0.0.0.0/0 [110/10] via 10.183.0.187, wan2, 00:07:33 [110/10] via 10.182.0.187, wan1, 00:07:33 O 192.168.182.0/23 [110/20] via 10.183.0.187, wan2, 00:07:33 [110/20] via 10.182.0.187, wan1, 00:07:33 |
- But FGT2 now only learns the remote route via wan1 :
FGT2 # get router info routing-table ospf
| O 10.160.0.0/23 [110/20] via 10.182.0.57, wan1, 00:05:18 |
- LSDB check on FGT1 and FGT2 :
FGT1 # get router info ospf database router lsa
| Router Link States (Area 0.0.0.0) LS age: 16 Options: 0x2 (*|-|-|-|-|-|E|-) Flags: 0x0 LS Type: router-LSA Link State ID: 10.1.1.1 Advertising Router: 10.1.1.1 LS Seq Number: 8000000f Checksum: 0xd97c Length: 60 Number of Links: 3 Link connected to: Stub Network (Link ID) Network/subnet number: 10.160.0.0 (Link Data) Network Mask: 255.255.254.0 Number of TOS metrics: 0 TOS 0 Metric: 10 Link connected to: a Transit Network (Link ID) Designated Router address: 10.183.0.187 (Link Data) Router Interface address: 10.183.0.57 Number of TOS metrics: 0 TOS 0 Metric: 10 Link connected to: a Transit Network (Link ID) Designated Router address: 10.182.0.187 (Link Data) Router Interface address: 10.182.0.57 Number of TOS metrics: 0 TOS 0 Metric: 10 LS age: 21 Options: 0x2 (*|-|-|-|-|-|E|-) Flags: 0x2 : ASBR LS Type: router-LSA Link State ID: 10.2.2.2 Advertising Router: 10.2.2.2 LS Seq Number: 80000013 Checksum: 0x48c8 Length: 60 Number of Links: 3 Link connected to: Stub Network (Link ID) Network/subnet number: 192.168.182.0 (Link Data) Network Mask: 255.255.254.0 Number of TOS metrics: 0 TOS 0 Metric: 10 Link connected to: a Transit Network (Link ID) Designated Router address: 10.183.0.187 (Link Data) Router Interface address: 10.183.0.187 Number of TOS metrics: 0 TOS 0 Metric: 200 Link connected to: a Transit Network (Link ID) Designated Router address: 10.182.0.187 (Link Data) Router Interface address: 10.182.0.187 Number of TOS metrics: 0 TOS 0 Metric: 10 |
FGT2 # get router info ospf database router lsa
Router Link States (Area 0.0.0.0) LS age: 258 Options: 0x2 (*|-|-|-|-|-|E|-) Flags: 0x0 LS Type: router-LSA Link State ID: 10.1.1.1 Advertising Router: 10.1.1.1 LS Seq Number: 80000008 Checksum: 0x5b07 Length: 60 Number of Links: 3 Link connected to: Stub Network (Link ID) Network/subnet number: 10.160.0.0 (Link Data) Network Mask: 255.255.254.0 Number of TOS metrics: 0 TOS 0 Metric: 10 Link connected to: a Transit Network (Link ID) Designated Router address: 10.183.0.57 (Link Data) Router Interface address: 10.183.0.57 Number of TOS metrics: 0 TOS 0 Metric: 10 Link connected to: a Transit Network (Link ID) Designated Router address: 10.182.0.57 (Link Data) Router Interface address: 10.182.0.57 Number of TOS metrics: 0 TOS 0 Metric: 10 LS age: 257 Options: 0x2 (*|-|-|-|-|-|E|-) Flags: 0x2 : ASBR LS Type: router-LSA Link State ID: 10.2.2.2 Advertising Router: 10.2.2.2 LS Seq Number: 8000000c Checksum: 0xc953 Length: 60 Number of Links: 3 Link connected to: Stub Network (Link ID) Network/subnet number: 192.168.182.0 (Link Data) Network Mask: 255.255.254.0 Number of TOS metrics: 0 TOS 0 Metric: 10 Link connected to: a Transit Network (Link ID) Designated Router address: 10.183.0.57 (Link Data) Router Interface address: 10.183.0.187 Number of TOS metrics: 0 TOS 0 Metric: 200 Link connected to: a Transit Network (Link ID) Designated Router address: 10.182.0.57 (Link Data) Router Interface address: 10.182.0.187 Number of TOS metrics: 0 TOS 0 Metric: 10 |
Step 3: Controlling route o FGT1
- The cost of the wan2 interface is increased to 200 (10 being default in this situation).
| FGT1 # config router ospf config ospf-interface edit "WAN2_higher_cost" set cost 200 set interface "wan2" next end end |
- Now both FGT1 and FGT2 have only one route, via wan1
| O*E2 0.0.0.0/0 [110/10] via 10.182.0.187, wan1, 00:00:40 O 192.168.182.0/23 [110/20] via 10.182.0.187, wan1, 00:00:40 |
FGT2 # get router info routing-table ospf
| O 10.160.0.0/23 [110/20] via 10.182.0.57, wan1, 00:09:37 |
- LSDB check on FGT1 :
FGT1 # get router info ospf database router lsa
Router Link States (Area 0.0.0.0) LS age: 81 Options: 0x2 (*|-|-|-|-|-|E|-) Flags: 0x0 LS Type: router-LSA Link State ID: 10.1.1.1 Advertising Router: 10.1.1.1 LS Seq Number: 8000000b Checksum: 0xe637 Length: 60 Number of Links: 3 Link connected to: Stub Network (Link ID) Network/subnet number: 10.160.0.0 (Link Data) Network Mask: 255.255.254.0 Number of TOS metrics: 0 TOS 0 Metric: 10 Link connected to: a Transit Network (Link ID) Designated Router address: 10.183.0.187 (Link Data) Router Interface address: 10.183.0.57 Number of TOS metrics: 0 TOS 0 Metric: 200 Link connected to: a Transit Network (Link ID) Designated Router address: 10.182.0.57 (Link Data) Router Interface address: 10.182.0.57 Number of TOS metrics: 0 TOS 0 Metric: 10 LS age: 83 Options: 0x2 (*|-|-|-|-|-|E|-) Flags: 0x2 : ASBR LS Type: router-LSA Link State ID: 10.2.2.2 Advertising Router: 10.2.2.2 LS Seq Number: 8000000e Checksum: 0xfc9b Length: 60 Number of Links: 3 Link connected to: Stub Network (Link ID) Network/subnet number: 192.168.182.0 (Link Data) Network Mask: 255.255.254.0 Number of TOS metrics: 0 TOS 0 Metric: 10 Link connected to: a Transit Network (Link ID) Designated Router address: 10.183.0.187 (Link Data) Router Interface address: 10.183.0.187 Number of TOS metrics: 0 TOS 0 Metric: 200 Link connected to: a Transit Network (Link ID) Designated Router address: 10.182.0.57 (Link Data) Router Interface address: 10.182.0.187 Number of TOS metrics: 0 TOS 0 Metric: 10 |
Step4 : Route redundancy verification
When wan1 is brought down, the OSPF routes over wan2 are in the routing tables :
FGT1 # get router info routing-table ospf
| FGT1 # get router info routing-table ospf O*E2 0.0.0.0/0 [110/10] via 10.183.0.187, wan2, 00:00:06 O 192.168.182.0/23 [110/210] via 10.183.0.187, wan2, 00:00:06 |
FGT2 # get router info routing-table ospf
| O 10.160.0.0/23 [110/210] via 10.183.0.57, wan2, 00:00:14 |
Labels:
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.