Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
subramanis
Staff
Staff

Created on ‎10-23-2023 02:34 AM

Article Id 280437

Technical Tip: How to prevent OSPF packets being sent on the secondary IP

Description This article describes how to prevent OSPF peering with a secondary IP address on the Interface.
Scope FortiGate.
Solution

The following configuration applies to this topology:

 

FortiGate (port9 20.0.0.2) <---> FortiGate 2 (20.0.0.1 & 20.0.0.100 port16)


show system interface port9

config system interface

edit "port9"

set vdom "root"
set ip 20.0.0.2 255.255.255.0
set allowaccess ping
set type physical
set snmp-index 9

next

end

 

The primary & secondary IP configured on FortiGate 2:

 

show system interface port16

config system interface

edit "port16"

set vdom "root"

set ip 20.0.0.1 255.255.255.0

set allowaccess ping

set type physical

set snmp-index 18

set secondary-IP enable

config secondaryip

edit 1

set ip 20.0.0.100 255.255.255.0
set allowaccess ping

next

end

 

show router ospf

config router ospf

set router-id 20.0.0.2

config area

edit 0.0.0.0

next

end

config ospf-interface <-- Broadcast is the default setting.

edit "Port9"

set interface "port9"

next

end

config network

edit 1

set prefix 20.0.0.0 255.255.255.0

next

end

 

show router ospf

config router ospf

set router-id 20.0.0.1

config area

edit 0.0.0.0

next

end

config ospf-interface <-- Broadcast is the default setting.

edit "Port16"

set interface "port16"
set ip 20.0.0.100

next

end

config network

edit 1

set prefix 20.0.0.0 255.255.255.0

next

end

 

get router info ospf neighbor
OSPF process 0, VRF 0:
Neighbor ID Pri State Dead Time Address Interface
20.0.0.1 1 Init/DROther 00:00:37 20.0.0.1 port9
20.0.0.1 1 Init/DROther 00:00:36 20.0.0.100 port9

 

Here, the first FortiGate has successfully formed neighborship with the primary and secondary IP.

 

To avoid this, use the following configuration:


config router ospf

set router-id 20.0.0.2

config area

edit 0.0.0.0

next

end

config ospf-interface

edit "Port9"

set interface "port9"
set network-type point-to-point

next

end

config network

edit 1

set prefix 20.0.0.0 255.255.255.0

next

end


show router ospf

config router ospf

set router-id 20.0.0.1

config area

edit 0.0.0.0

next

end

config ospf-interface

edit "Port16"

set interface "port16"

set ip 20.0.0.100

set network-type point-to-point

next

end

config network

edit 1

set prefix 20.0.0.0 255.255.255.0

next

end


get router info ospf neighbor
OSPF process 0, VRF 0:
Neighbor ID Pri State Dead Time Address Interface
20.0.0.1 1 Init/ - 00:00:36 20.0.0.100 port9

 

  • network-type point-to-point:  FortiGate 2 will use the primary IP 20.0.0.1 by default to form a adjacency with neighbor 20.0.0.2.
    Note: network-type point-to-point must be configured on both FortiGates.
  • set ip 20.0.0.100: The FortiGate will use the secondary IP 20.0.0.100 to form adjacency with neighbor 20.0.0.2.
592
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.