Description
This article describes how to configure OSPF route filtering using the 'distribute-route-map-in' CLI command.
Note: distribute-route-map-in is useful only for filtering LSA type 5 (AS external) routes, either by prefix or by matching their route tag. It does not change which LSAs are accepted or flooded.
Scope
FortiGate
Solution
10.150.6.140/32 is received as an O E2 route (OSPF external, type 2). The administrator wants this route removed from the FortiGate's routing table but has no access to the router advertising it (1.1.1.1 in the OSPF database output below). OSPF does not allow LSA filtering within an area, so the LSA itself cannot be suppressed on the receiving router.
Using distribute-route-map-in, it is possible to filter/prevent routes in the OSPF database from entering the routing table.
Note: filtering OSPF routes within an area can create a route black hole. distribute-route-map-in only removes the route from this FortiGate's routing table; the LSA stays in the link-state database and is still flooded, so the other routers in the area still run SPF with the prefix present and may forward traffic for 10.150.6.140/32 towards this FortiGate. Because the prefix is no longer in the routing table, that traffic matches another route (for example the static default route) and is misrouted.
Routing table before filtering (get router info routing-table all):
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 10.5.31.254, port1
O 10.0.0.0/20 [110/2] via 10.150.6.139, port3, 15:13:24
C 10.5.16.0/20 is directly connected, port1
C 10.5.48.0/20 is directly connected, port2
C 10.150.0.0/20 is directly connected, port3
O E2 10.150.6.140/32 [110/10] via 10.150.6.139, port3, 00:00:03 <- Route to be filtered from the routing table.
C 10.150.48.0/20 is directly connected, port4
C 10.152.0.0/20 is directly connected, port5
OSPF database
get router info ospf database brief
OSPF Router with ID (3.3.3.3) (Process ID 0, VRF 0)
Router Link States (Area 0.0.0.0)
Link ID ADV Router Age Seq# CkSum Flag Link count
1.1.1.1 1.1.1.1 1045 800002f4 9f82 0012 1
2.2.2.2 2.2.2.2 177 80000026 fc08 0012 2
3.3.3.3 3.3.3.3 923 800002f3 9769 0031 1
Net Link States (Area 0.0.0.0)
Link ID ADV Router Age Seq# CkSum Flag
10.0.6.136 1.1.1.1 1465 80000022 425d 0012
10.150.7.250 3.3.3.3 153 80000023 b5ce 0031
AS External Link States
Link ID ADV Router Age Seq# CkSum Flag Route Tag
10.150.6.140 1.1.1.1 1275 80000004 d1bc 0012 E2 10.150.6.140/32 1500 <- It is possible to filter via TAG.
OSPF configuration.
config router prefix-list
    edit "IP_Negate"
        config rule
            edit 1
                set prefix 10.150.6.140 255.255.255.255 <- Prefix of the route to filter (10.150.6.140/32).
                unset ge
                unset le
            next
        end
    next
end
config router route-map
    edit "IP_Negate_route_map"
        config rule
            edit 1
                set action deny
                set match-ip-address "IP_Negate" <- Assign prefix-list.
                set match-tag 1500 <- Route tag of the external LSA; both match conditions in the rule must be met.
                unset set-ip-nexthop
                unset set-ip6-nexthop
                unset set-ip6-nexthop-local
                unset set-originator-id
            next
        end
    next
end
config router ospf
    set router-id 3.3.3.3
    set distribute-route-map-in "IP_Negate_route_map"
    config area
        edit 0.0.0.0
        next
    end
end
Note: distribute-route-map-in filters only in the inbound direction, that is, between the OSPF link-state database and the local routing table. OSPF does not allow LSAs to be filtered within an area, so the external LSA remains in the database (see the 'After filtering' output) and continues to be flooded to neighbors.
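The following is an added example and not configuration from the original article. It shows the same filter expressed with a tag-only match, which is the second use case named in the Description, and adds an explicit permit rule so that any other type 5 routes in the area are not dropped by the filter regardless of what happens to routes that match no rule. The route-map name "OSPF_EXT_FILTER_IN" is illustrative; the tag value 1500 is the one shown in the OSPF database output above. The two 'get' commands at the end are the standard FortiOS verification commands for the routing table entry and the external LSA.

```text
config router route-map
    edit "OSPF_EXT_FILTER_IN"
        config rule
            edit 1
                set action deny
                set match-tag 1500 <- Drop external routes carrying route tag 1500 (no prefix-list needed).
            next
            edit 2
                set action permit <- Explicit permit for every other external route.
            next
        end
    next
end
config router ospf
    set distribute-route-map-in "OSPF_EXT_FILTER_IN"
end

get router info routing-table details 10.150.6.140 <- Should no longer return an OSPF entry for the prefix.
get router info ospf database external <- The type 5 LSA for 10.150.6.140/32 is still present.
```

Filtering by tag is the better choice when the ASBR tags a whole class of redistributed routes: one rule covers all of them and no prefix-list has to be maintained. Filtering by prefix (as in the article's configuration above) is the better choice when only a single route must be removed while other routes with the same tag must stay.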
After filtering.
get router info ospf database brief
OSPF Router with ID (3.3.3.3) (Process ID 0, VRF 0)
Router Link States (Area 0.0.0.0)
Link ID ADV Router Age Seq# CkSum Flag Link count
1.1.1.1 1.1.1.1 855 800002f6 9b84 0002 1
2.2.2.2 2.2.2.2 1510 80000026 fc08 0012 2
3.3.3.3 3.3.3.3 425 800002f4 956a 0031 1
Net Link States (Area 0.0.0.0)
Link ID ADV Router Age Seq# CkSum Flag
10.0.6.136 1.1.1.1 967 80000023 405e 0012
10.150.7.250 3.3.3.3 1485 80000023 b5ce 0031
AS External Link States
Link ID ADV Router Age Seq# CkSum Flag Route Tag
10.150.6.140 1.1.1.1 859 80000005 acfe 0202 E2 10.150.6.140/32 1500 F <- The external LSA is still present in the database; only the routing table entry is removed.
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 10.5.31.254, port1
O 10.0.0.0/20 [110/2] via 10.150.6.139, port3, 17:20:33
C 10.5.16.0/20 is directly connected, port1
C 10.5.48.0/20 is directly connected, port2
C 10.150.0.0/20 is directly connected, port3
C 10.150.48.0/20 is directly connected, port4
C 10.152.0.0/20 is directly connected, port5
Copyright 2025 Fortinet, Inc. All Rights Reserved.