Hassan97wsh (Staff)
Article Id 332729
Description: This article describes how to use a prefix list with 'distribute-list-in' to filter public IP prefixes learned via OSPF so that they are not installed in the routing table.
Scope: FortiGate configured with OSPF.
Solution

A prefix list matching the private IP ranges of RFC1918 can be applied with 'distribute-list-in' under 'config router ospf'. Routes that match a rule are installed as usual; routes that match no rule fall through to the prefix list's implicit deny and are kept out of the routing table, although they remain in the OSPF database.


Prefix list configuration ('set le 32' makes each rule match any prefix length from the rule's own mask length up to /32 inside that range, so host routes such as 10.0.1.254/32 are still permitted):


config router prefix-list
    edit "RFC_1918"
        config rule
            edit 1
                set prefix 10.0.0.0 255.0.0.0
                set le 32
            next
            edit 2
                set prefix 172.16.0.0 255.240.0.0
                set le 32
            next
            edit 3
                set prefix 192.168.0.0 255.255.0.0
                set le 32
            next
        end
    next
end


Before the prefix list is applied, the public prefix 4.4.2.2/32 is learned via OSPF and installed in the routing table:


get router info ospf route

OSPF process 0:
Codes: C - connected, D - Discard, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2

O 4.4.2.2/32 [101] via 192.168.99.2, port3, Area 192.168.99.0
C 10.0.0.0/24 [100] is directly connected, lo_10, Area 192.168.99.0
O 10.0.1.254/32 [101] via 192.168.99.2, port3, Area 192.168.99.0
C 172.16.0.0/24 [100] is directly connected, lo_172_16, Area 192.168.99.0
O 172.16.1.254/32 [101] via 192.168.99.2, port3, Area 192.168.99.0
C 192.168.0.0/24 [100] is directly connected, lo_192_168, Area 192.168.99.0
O 192.168.1.254/32 [101] via 192.168.99.2, port3, Area 192.168.99.0
C 192.168.99.0/24 [1] is directly connected, port3, Area 192.168.99.0


get router info routing-table ospf
Routing table for VRF=0
O 4.4.2.2/32 [110/101] via 192.168.99.2, port3, 00:00:22, [1/0]
O 10.0.1.254/32 [110/101] via 192.168.99.2, port3, 00:00:22, [1/0]
O 172.16.1.254/32 [110/101] via 192.168.99.2, port3, 00:00:22, [1/0]
O 192.168.1.254/32 [110/101] via 192.168.99.2, port3, 00:00:22, [1/0]


Applying the prefix list:


config router ospf
    set distribute-list-in "RFC_1918"
end


The following output is taken after the prefix list is applied. The public prefix 4.4.2.2/32 is still received and still appears in the OSPF route output, but it is no longer installed in the routing table:


get router info ospf route

OSPF process 0:
Codes: C - connected, D - Discard, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2

O 4.4.2.2/32 [101] via 192.168.99.2, port3, Area 192.168.99.0
C 10.0.0.0/24 [100] is directly connected, lo_10, Area 192.168.99.0
O 10.0.1.254/32 [101] via 192.168.99.2, port3, Area 192.168.99.0
C 172.16.0.0/24 [100] is directly connected, lo_172_16, Area 192.168.99.0
O 172.16.1.254/32 [101] via 192.168.99.2, port3, Area 192.168.99.0
C 192.168.0.0/24 [100] is directly connected, lo_192_168, Area 192.168.99.0
O 192.168.1.254/32 [101] via 192.168.99.2, port3, Area 192.168.99.0
C 192.168.99.0/24 [1] is directly connected, port3, Area 192.168.99.0


get router info routing-table ospf
Routing table for VRF=0
O 10.0.1.254/32 [110/101] via 192.168.99.2, port3, 00:00:19, [1/0]
O 172.16.1.254/32 [110/101] via 192.168.99.2, port3, 00:00:19, [1/0]
O 192.168.1.254/32 [110/101] via 192.168.99.2, port3, 00:00:19, [1/0]
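To check a prefix list offline before applying it, the following added example (not from the article or from FortiOS) models the RFC_1918 rules above, including the prefix-length semantics of 'set le 32', and applies them to the 'O' lines of the 'get router info ospf route' output shown earlier to predict which OSPF routes the distribute-list will let into the routing table. The rule tuples, the sample output string and the function names are constructed for this example.

```python
import ipaddress

# Constructed model of the article's "RFC_1918" prefix list: one tuple per
# rule as (prefix, mask, ge, le). ge=None means the rule's own mask length
# is the lower bound, which is how "set le 32" alone behaves in FortiOS.
RFC_1918 = [
    ("10.0.0.0", "255.0.0.0", None, 32),
    ("172.16.0.0", "255.240.0.0", None, 32),
    ("192.168.0.0", "255.255.0.0", None, 32),
]

def rule_matches(route, prefix, mask, ge, le):
    """A rule matches when the route lies inside the rule's prefix AND
    its prefix length is within [ge, le] (both unset = exact match)."""
    base = ipaddress.ip_network(f"{prefix}/{mask}", strict=False)
    lo = base.prefixlen if ge is None else ge
    hi = base.prefixlen if le is None else le
    return route.subnet_of(base) and lo <= route.prefixlen <= hi

def permitted(route_str, prefix_list):
    """First matching rule wins (all rules here are permit); no match
    falls through to the implicit deny at the end of the list."""
    route = ipaddress.ip_network(route_str, strict=False)
    return any(rule_matches(route, *rule) for rule in prefix_list)

def installed_ospf_routes(ospf_route_output, prefix_list):
    """Return the OSPF-learned ('O') prefixes from 'get router info ospf
    route' output that the distribute-list would let into the RIB."""
    installed = []
    for line in ospf_route_output.splitlines():
        parts = line.split()
        if len(parts) > 1 and parts[0] == "O" and permitted(parts[1], prefix_list):
            installed.append(parts[1])
    return installed

# Constructed sample, copied from the article's pre-filter output.
SAMPLE_OSPF_ROUTE = """\
O 4.4.2.2/32 [101] via 192.168.99.2, port3, Area 192.168.99.0
C 10.0.0.0/24 [100] is directly connected, lo_10, Area 192.168.99.0
O 10.0.1.254/32 [101] via 192.168.99.2, port3, Area 192.168.99.0
O 172.16.1.254/32 [101] via 192.168.99.2, port3, Area 192.168.99.0
O 192.168.1.254/32 [101] via 192.168.99.2, port3, Area 192.168.99.0
"""

if __name__ == "__main__":
    print(installed_ospf_routes(SAMPLE_OSPF_ROUTE, RFC_1918))
```

The result matches the post-filter routing table in the article: the three private /32 routes are kept and 4.4.2.2/32 is dropped, while a prefix such as 172.32.0.0/16 (outside 172.16.0.0/12) or 10.0.0.0/7 (shorter than the rule's /8) would also be denied.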