FortiGate
imathew

Description


This article describes how to configure OSPF route filtering using the 'distribute-route-map-in' CLI command.


Note: the distribute-route-map-in feature for filtering OSPF routes is useful only when LSA type 5 (external) routes need to be filtered, or when routes need to be matched on their tag value.

 

Scope


FortiGate


Solution


10.150.6.140/32 is received as an O E2 route. The administrator wants to remove this route but does not have the privilege to access the router advertising 10.150.6.140/32, and LSA filtering within an OSPF area is not allowed either.
Using distribute-route-map-in, it is possible to filter such routes from the OSPF database and prevent them from entering the routing table.

Routing table before filtering:

 

Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 10.5.31.254, port1
O       10.0.0.0/20 [110/2] via 10.150.6.139, port3, 15:13:24
C       10.5.16.0/20 is directly connected, port1
C       10.5.48.0/20 is directly connected, port2
C       10.150.0.0/20 is directly connected, port3
O E2    10.150.6.140/32 [110/10] via 10.150.6.139, port3, 00:00:03---Intent to filter/prevent route
C       10.150.48.0/20 is directly connected, port4
C       10.152.0.0/20 is directly connected, port5

 

OSPF database before filtering:

 

# get router info ospf  database brief
            OSPF Router with ID (3.3.3.3) (Process ID 0, VRF 0)
                Router Link States (Area 0.0.0.0)
Link ID         ADV Router      Age  Seq#     CkSum Flag Link count
1.1.1.1         1.1.1.1         1045 800002f4 9f82  0012 1
2.2.2.2         2.2.2.2         177  80000026 fc08  0012 2
3.3.3.3         3.3.3.3         923  800002f3 9769  0031 1
               Net Link States (Area 0.0.0.0)
Link ID         ADV Router      Age  Seq#     CkSum Flag
10.0.6.136      1.1.1.1         1465 80000022 425d  0012
10.150.7.250    3.3.3.3         153  80000023 b5ce  0031
                AS External Link States
Link ID         ADV Router      Age  Seq#     CkSum Flag Route              Tag
10.150.6.140    1.1.1.1         1275 80000004 d1bc  0012 E2 10.150.6.140/32 1500 <----- It is possible to filter via TAG.

 

OSPF configuration:

1) Configure a prefix-list that matches the 10.150.6.140/32 route. The route-map in step 2 references this prefix-list by name.

 

# config router prefix-list
    edit "IP_Negate"
        # config rule
            edit 1
                set prefix 10.150.6.140 255.255.255.255
                unset ge
                unset le
            next
        end
    next
end

 

2) Configure a route-map that matches the prefix-list and the tag 1500, and set the action to deny.

 

# config router route-map
    edit "IP_Negate"
        # config rule
            edit 1
                set action deny
                set match-ip-address "IP_Negate"
                set match-tag 1500
                unset set-ip-nexthop
                unset set-ip6-nexthop
                unset set-ip6-nexthop-local
                unset set-originator-id
            next
        end
    next
end

 

3) Apply the route-map under config router ospf with distribute-route-map-in, which refers to the match conditions and action defined above.

 

# config router ospf
    set router-id 3.3.3.3
    set distribute-route-map-in "IP_Negate"
    # config area
        edit 0.0.0.0
        next
    end
end

 

Note: route filtering via distribute-route-map-in is only possible in the inbound direction (from the OSPF database into the routing table), since OSPF does not allow filtering routes within the same area.

After filtering, the external LSA is still present in the OSPF database, but 10.150.6.140/32 is no longer installed in the routing table:

 

# get router info ospf database brief
            OSPF Router with ID (3.3.3.3) (Process ID 0, VRF 0)
                Router Link States (Area 0.0.0.0)
Link ID         ADV Router      Age  Seq#     CkSum Flag Link count
1.1.1.1         1.1.1.1         855  800002f6 9b84  0002 1
2.2.2.2         2.2.2.2         1510 80000026 fc08  0012 2
3.3.3.3         3.3.3.3         425  800002f4 956a  0031 1
                Net Link States (Area 0.0.0.0)
Link ID         ADV Router      Age  Seq#     CkSum Flag
10.0.6.136      1.1.1.1         967  80000023 405e  0012
10.150.7.250    3.3.3.3         1485 80000023 b5ce  0031
               AS External Link States
Link ID         ADV Router      Age  Seq#     CkSum Flag Route              Tag
10.150.6.140    1.1.1.1         859  80000005 acfe  0202 E2 10.150.6.140/32 1500 F

Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 10.5.31.254, port1
O       10.0.0.0/20 [110/2] via 10.150.6.139, port3, 17:20:33
C       10.5.16.0/20 is directly connected, port1
C       10.5.48.0/20 is directly connected, port2
C       10.150.0.0/20 is directly connected, port3
C       10.150.48.0/20 is directly connected, port4
C       10.152.0.0/20 is directly connected, port5
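A post-change check that a practitioner would run after applying the route-map, added here as an example and not part of the original article: it parses the 'get router info ospf database brief' and routing-table outputs shown above and reports tagged external prefixes that are still installed. The embedded sample text is excerpted from the outputs in this article.

```python
"""Check that OSPF external routes carrying a given tag were filtered (added example).
Parses FortiGate 'get router info ospf database brief' and routing-table text."""
import re

# Excerpts copied from the article's outputs (database shown after filtering).
OSPF_DB = """\
                Router Link States (Area 0.0.0.0)
1.1.1.1         1.1.1.1         855  800002f6 9b84  0002 1
                AS External Link States
Link ID         ADV Router      Age  Seq#     CkSum Flag Route              Tag
10.150.6.140    1.1.1.1         859  80000005 acfe  0202 E2 10.150.6.140/32 1500 F
"""
RT_BEFORE = """\
Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 10.5.31.254, port1
O       10.0.0.0/20 [110/2] via 10.150.6.139, port3, 15:13:24
O E2    10.150.6.140/32 [110/10] via 10.150.6.139, port3, 00:00:03
C       10.150.0.0/20 is directly connected, port3
"""
RT_AFTER = """\
Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 10.5.31.254, port1
O       10.0.0.0/20 [110/2] via 10.150.6.139, port3, 17:20:33
"""

# AS External LSA rows only: link-id, adv router, age, seq, cksum, flag, E1|E2, prefix, tag
EXT_LSA = re.compile(r"^\S+\s+(?P<adv>\S+)\s+\d+\s+[0-9a-f]+\s+[0-9a-f]+\s+\S+"
                     r"\s+E[12]\s+(?P<prefix>\S+/\d+)\s+(?P<tag>\d+)", re.M)
# Routing table rows: route code ('S*', 'C', 'O', 'O E2', ...) followed by the prefix
ROUTE = re.compile(r"^(?P<code>[A-Z*]+(?: E[12])?)\s+(?P<prefix>\d+(?:\.\d+){3}/\d+)", re.M)

def external_lsas(db_output):
    """Map external prefix -> (advertising router, tag) from the OSPF database."""
    return {m["prefix"]: (m["adv"], int(m["tag"])) for m in EXT_LSA.finditer(db_output)}

def installed_routes(rt_output):
    """Map installed prefix -> route code from the routing table."""
    return {m["prefix"]: m["code"] for m in ROUTE.finditer(rt_output)}

def unfiltered_tagged(db_output, rt_output, tag):
    """Tagged external prefixes still present in the routing table (empty = filtered)."""
    routes = installed_routes(rt_output)
    return sorted(p for p, (_, t) in external_lsas(db_output).items()
                  if t == tag and p in routes)

if __name__ == "__main__":
    print("before:", unfiltered_tagged(OSPF_DB, RT_BEFORE, 1500))  # ['10.150.6.140/32']
    print("after: ", unfiltered_tagged(OSPF_DB, RT_AFTER, 1500))   # []
```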

 
