Description
This article describes how to configure OSPF route filtering using the 'distribute-route-map-in' CLI command.
Note: The distribute-route-map-in feature for filtering OSPF routes is useful only when LSA type 5 (external) routes need to be filtered, or when routes must be matched on their tag value.
Scope
FortiGate
Solution
10.150.6.140/32 is received as an O E2 route. The administrator wants to remove this route but does not have the privilege to access the router advertising 10.150.6.140/32. OSPF also does not allow filtering LSAs within an area (intra-area).
Using distribute-route-map-in, it is possible to filter routes from the OSPF database and prevent them from entering the routing table.
Routing table before filtering.
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 10.5.31.254, port1
O 10.0.0.0/20 [110/2] via 10.150.6.139, port3, 15:13:24
C 10.5.16.0/20 is directly connected, port1
C 10.5.48.0/20 is directly connected, port2
C 10.150.0.0/20 is directly connected, port3
O E2 10.150.6.140/32 [110/10] via 10.150.6.139, port3, 00:00:03 <----- Route to be filtered
C 10.150.48.0/20 is directly connected, port4
C 10.152.0.0/20 is directly connected, port5
OSPF database
# get router info ospf database brief
OSPF Router with ID (3.3.3.3) (Process ID 0, VRF 0)
Router Link States (Area 0.0.0.0)
Link ID ADV Router Age Seq# CkSum Flag Link count
1.1.1.1 1.1.1.1 1045 800002f4 9f82 0012 1
2.2.2.2 2.2.2.2 177 80000026 fc08 0012 2
3.3.3.3 3.3.3.3 923 800002f3 9769 0031 1
Net Link States (Area 0.0.0.0)
Link ID ADV Router Age Seq# CkSum Flag
10.0.6.136 1.1.1.1 1465 80000022 425d 0012
10.150.7.250 3.3.3.3 153 80000023 b5ce 0031
AS External Link States
Link ID ADV Router Age Seq# CkSum Flag Route Tag
10.150.6.140 1.1.1.1 1275 80000004 d1bc 0012 E2 10.150.6.140/32 1500 <----- It is possible to filter via TAG.
OSPF configuration.
1) Configure a prefix-list that matches the subnet to be filtered. The prefix-list name must be the one referenced by the route-map's match-ip-address in the next step, and the prefix must be the route to be removed.
# config router prefix-list
    edit "IP_Negate"
        # config rule
            edit 1
                set prefix 10.150.6.140 255.255.255.255
                unset ge
                unset le
            next
        end
    next
end
2) Configure a route-map that matches the prefix-list and the route tag, with action deny.
# config router route-map
    edit "IP_Negate"
        # config rule
            edit 1
                set action deny
                set match-ip-address "IP_Negate"
                set match-tag 1500
                unset set-ip-nexthop
                unset set-ip6-nexthop
                unset set-ip6-nexthop-local
                unset set-originator-id
            next
        end
    next
end
3) Reference the route-map with distribute-route-map-in under the OSPF configuration so that its match conditions and action are applied to incoming routes.
# config router ospf
    set router-id 3.3.3.3
    set distribute-route-map-in "IP_Negate"
    # config area
        edit 0.0.0.0
        next
    end
end
Note: Route filtering via distribute-route-map-in is only possible in the inbound direction (from the OSPF database into the routing table), because OSPF does not allow filtering routes within the same area. The LSA therefore stays in the OSPF database; only its installation into the routing table is prevented.
After filtering. The external LSA is still present in the database but now shows the F flag, and 10.150.6.140/32 no longer appears in the routing table.
# get router info ospf database brief
OSPF Router with ID (3.3.3.3) (Process ID 0, VRF 0)
Router Link States (Area 0.0.0.0)
Link ID ADV Router Age Seq# CkSum Flag Link count
1.1.1.1 1.1.1.1 855 800002f6 9b84 0002 1
2.2.2.2 2.2.2.2 1510 80000026 fc08 0012 2
3.3.3.3 3.3.3.3 425 800002f4 956a 0031 1
Net Link States (Area 0.0.0.0)
Link ID ADV Router Age Seq# CkSum Flag
10.0.6.136 1.1.1.1 967 80000023 405e 0012
10.150.7.250 3.3.3.3 1485 80000023 b5ce 0031
AS External Link States
Link ID ADV Router Age Seq# CkSum Flag Route Tag
10.150.6.140 1.1.1.1 859 80000005 acfe 0202 E2 10.150.6.140/32 1500 F
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 10.5.31.254, port1
O 10.0.0.0/20 [110/2] via 10.150.6.139, port3, 17:20:33
C 10.5.16.0/20 is directly connected, port1
C 10.5.48.0/20 is directly connected, port2
C 10.150.0.0/20 is directly connected, port3
C 10.150.48.0/20 is directly connected, port4
C 10.152.0.0/20 is directly connected, port5
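To confirm that the filter has taken effect without eyeballing the output, the following Python script (an added example, not part of the Fortinet article) parses the text of 'get router info ospf database brief' (AS External Link States section) and the routing table, and reports for every external LSA carrying the filtered tag whether it is marked F in the database and absent from the routing table. The sample output embedded below is constructed from the values shown in the article; the function names and the assumption that the trailing F column marks a filtered LSA are this example's own.

```python
"""Verify that an OSPF 'distribute-route-map-in' filter took effect on a FortiGate.

Added example: parses the 'AS External Link States' section of
'get router info ospf database brief' and a routing table listing, then
checks that LSAs with the filtered tag are flagged F in the LSDB and are
missing from the routing table. Sample text is constructed from the article.
"""
import re

# Constructed sample: LSDB and routing table before filtering.
LSDB_BEFORE = """\
AS External Link States
Link ID ADV Router Age Seq# CkSum Flag Route Tag
10.150.6.140 1.1.1.1 1275 80000004 d1bc 0012 E2 10.150.6.140/32 1500
"""
RIB_BEFORE = """\
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 10.5.31.254, port1
O 10.0.0.0/20 [110/2] via 10.150.6.139, port3, 15:13:24
O E2 10.150.6.140/32 [110/10] via 10.150.6.139, port3, 00:00:03
C 10.150.0.0/20 is directly connected, port3
"""

# Constructed sample: LSDB and routing table after filtering.
LSDB_AFTER = """\
AS External Link States
Link ID ADV Router Age Seq# CkSum Flag Route Tag
10.150.6.140 1.1.1.1 859 80000005 acfe 0202 E2 10.150.6.140/32 1500 F
"""
RIB_AFTER = """\
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 10.5.31.254, port1
O 10.0.0.0/20 [110/2] via 10.150.6.139, port3, 17:20:33
C 10.150.0.0/20 is directly connected, port3
"""

# One AS-external LSA line: link-id, adv-router, age, seq, cksum, flag,
# E1/E2, prefix, tag and an optional trailing F column.
EXT_LSA_RE = re.compile(
    r"^(?P<link_id>\d+\.\d+\.\d+\.\d+)\s+(?P<adv>\d+\.\d+\.\d+\.\d+)\s+\d+\s+"
    r"[0-9a-f]{8}\s+[0-9a-f]{4}\s+[0-9a-f]{4}\s+(?P<type>E[12])\s+"
    r"(?P<prefix>\S+/\d+)\s+(?P<tag>\d+)(?:\s+(?P<flag>F))?\s*$"
)

# Routing-table line: protocol code followed by the prefix.
RIB_RE = re.compile(r"^(?P<proto>S\*|O E[12]|O IA|O|C|S)\s+(?P<prefix>\S+/\d+)\b")


def parse_external_lsas(text):
    """Return one dict per AS-external LSA line found after the section header."""
    lsas = []
    in_section = False
    for line in text.splitlines():
        if line.startswith("AS External Link States"):
            in_section = True
            continue
        if not in_section:
            continue
        m = EXT_LSA_RE.match(line.strip())
        if m:
            lsas.append({
                "prefix": m.group("prefix"),
                "adv_router": m.group("adv"),
                "type": m.group("type"),
                "tag": int(m.group("tag")),
                "filtered": m.group("flag") == "F",  # assumption: F = filtered
            })
    return lsas


def parse_routing_table(text):
    """Return {prefix: protocol code} for every route line in the listing."""
    routes = {}
    for line in text.splitlines():
        m = RIB_RE.match(line.strip())
        if m:
            routes[m.group("prefix")] = m.group("proto")
    return routes


def check_filter(lsdb_text, rib_text, tag):
    """For each external LSA carrying `tag`, report whether the filter is in
    effect: the LSA is flagged F and its prefix is absent from the routing table."""
    routes = parse_routing_table(rib_text)
    report = {}
    for lsa in parse_external_lsas(lsdb_text):
        if lsa["tag"] != tag:
            continue
        in_rib = lsa["prefix"] in routes
        report[lsa["prefix"]] = {
            "lsdb_flag_F": lsa["filtered"],
            "in_routing_table": in_rib,
            "filter_applied": lsa["filtered"] and not in_rib,
        }
    return report


if __name__ == "__main__":
    print("before:", check_filter(LSDB_BEFORE, RIB_BEFORE, 1500))
    print("after: ", check_filter(LSDB_AFTER, RIB_AFTER, 1500))
```

In practice, paste the live output of the two CLI commands into the two text variables (or read them from files) and run the script after each configuration change; a result where the LSA is still in the database but filter_applied is False for the tagged prefix points at a route-map whose match-ip-address prefix-list or match-tag does not match the LSA.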