subramanis
Staff
Article Id 403239
Description This article explains how to configure a summary address on an OSPF Area Border Router (ABR) and describes how route summarization and the associated null route function.
Scope FortiGate.
Solution


 

FG1 (ABR) received four routes from FortiGate3 (20.0.0.2) in Area 1.
 
FortiGate1-ABR (root) # get router  info ospf  neighbor 
OSPF process 0, VRF 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           1   Full/DR         00:00:37    10.0.0.2        port4
3.3.3.3           1   Full/DR         00:00:31    20.0.0.2        port5
 
FortiGate1-ABR (root) # get router  info routing-table details 
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       V - BGP VPNv4
       * - candidate default
 
Routing table for VRF=0
C       10.0.0.0/24 is directly connected, port4
C       20.0.0.0/24 is directly connected, port5
O       172.16.1.0/24 [110/101] via 20.0.0.2, port5, 00:15:57, [1/0] <-----
O       172.16.2.0/24 [110/101] via 20.0.0.2, port5, 00:15:57, [1/0] <-----
O       172.16.3.0/24 [110/101] via 20.0.0.2, port5, 00:15:57, [1/0] <-----
O       172.16.4.0/24 [110/101] via 20.0.0.2, port5, 00:15:57, [1/0] <-----
 
For route summarization to work, all areas must maintain consistent LSDBs. Therefore, OSPF summarization can only be performed on border routers, specifically, Area Border Routers (ABRs) and Autonomous System Boundary Routers (ASBRs). In this case, FortiGate1-ABR acts as the ABR between the two areas.
 
FortiGate1-ABR (root) # show  router ospf 
config router ospf
    set abr-type cisco
    set router-id 1.1.1.1
    config area
        edit 0.0.0.0
        next
        edit 0.0.0.1
            config range
                edit 1
                    set prefix 172.16.0.0 255.255.248.0 <---- Summarization.
                next
            end
        next
    end
end
 
FortiGate1-ABR (root) # get router info routing-table details 
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       V - BGP VPNv4
       * - candidate default
 
Routing table for VRF=0
C       10.0.0.0/24 is directly connected, port4
C       20.0.0.0/24 is directly connected, port5
O       172.16.0.0/21 [110/0] is a summary, Null, 00:20:41, [1/0]  <----- 
O       172.16.1.0/24 [110/101] via 20.0.0.2, port5, 00:20:41, [1/0]
O       172.16.2.0/24 [110/101] via 20.0.0.2, port5, 00:20:41, [1/0]
O       172.16.3.0/24 [110/101] via 20.0.0.2, port5, 00:20:41, [1/0]
O       172.16.4.0/24 [110/101] via 20.0.0.2, port5, 00:20:41, [1/0]
 
After the range command is applied, the ABR installs a summary null route. This is expected behavior: the range is configured as a /21 summary route covering 172.16.0.x to 172.16.7.x, while the networks actually present are only 172.16.1.x to 172.16.4.x.
 
For example, if the summary null route did not exist and a host connected to FortiGate1 tried to reach 172.16.0.1/24 (which falls within the summary range), the traffic would be forwarded, even though the destination does not exist, potentially causing routing loops. The null route ensures such traffic is safely discarded, preventing blackholing or loops for non-existent destinations within the summary range.
 
The summary null route cannot be removed. In scenarios where excluding the summary route is required, direct removal is not possible. Instead, a more specific static route can be added to override the null route behavior.
 
FortiGate2 # get router info routing-table details 
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       V - BGP VPNv4
       * - candidate default
 
Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 10.0.0.1, port3, [1/0]
C       10.0.0.0/24 is directly connected, port3
C       10.254.1.0/24 is directly connected, port1
O IA    20.0.0.0/24 [110/2] via 10.0.0.1, port3, 00:29:32, [1/0]
O IA    172.16.0.0/21 [110/102] via 10.0.0.1, port3, 00:29:26, [1/0] <--- FortiGate2 received only the summary route, as expected.
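 
The null-route behavior described above can be checked offline with a small model of the two routing tables. This is an added example, not part of the original article or FortiOS code: it computes which parts of 172.16.0.0/21 have no component route, then traces a packet from FortiGate2 with and without the null route. The ABR default route toward 10.0.0.2 in FG1_NO_NULL is an assumption made only to show the loop; the names FG1, FG2, OWNER and the helper functions are hypothetical.

```python
import ipaddress

SUMMARY = ipaddress.ip_network("172.16.0.0/21")  # set prefix 172.16.0.0 255.255.248.0
COMPONENTS = [ipaddress.ip_network(f"172.16.{n}.0/24") for n in (1, 2, 3, 4)]
# Routing tables copied from the article's output (prefix -> next hop).
FG1 = {"10.0.0.0/24": "port4", "20.0.0.0/24": "port5", "172.16.0.0/21": "Null",
       **{str(c): "20.0.0.2" for c in COMPONENTS}}
FG2 = {"0.0.0.0/0": "10.0.0.1", "10.0.0.0/24": "port3", "10.254.1.0/24": "port1",
       "20.0.0.0/24": "10.0.0.1", "172.16.0.0/21": "10.0.0.1"}
# ASSUMPTION (not in the article): no null route, default route back to FortiGate2.
FG1_NO_NULL = {**{p: h for p, h in FG1.items() if h != "Null"}, "0.0.0.0/0": "10.0.0.2"}
OWNER = {"10.0.0.1": "FG1", "10.0.0.2": "FG2"}  # next-hop address -> modelled router

def uncovered(summary, components):
    """Return the parts of the summary range that no component route covers."""
    remaining = [summary]
    for comp in components:
        nxt = []
        for net in remaining:
            if comp.subnet_of(net):
                nxt.extend(net.address_exclude(comp))
            elif not net.subnet_of(comp):
                nxt.append(net)
        remaining = nxt
    return list(ipaddress.collapse_addresses(remaining))

def lookup(table, dst):
    """Longest-prefix match; return (prefix, next_hop) or None."""
    addr = ipaddress.ip_address(dst)
    hits = [p for p in table if addr in ipaddress.ip_network(p)]
    if not hits:
        return None
    best = max(hits, key=lambda p: ipaddress.ip_network(p).prefixlen)
    return best, table[best]

def trace(tables, start, dst, max_hops=6):
    """Follow next hops across the modelled routers; return (path, outcome)."""
    path, node = [], start
    for _ in range(max_hops):
        path.append(node)
        hit = lookup(tables[node], dst)
        if hit is None:
            return path, "no route"
        if hit[1] == "Null":
            return path, "discarded"
        if hit[1] not in OWNER:
            return path, "forwarded to " + hit[1]
        node = OWNER[hit[1]]
    return path, "loop"
```

Calling `uncovered(SUMMARY, COMPONENTS)` lists the address space that the summary advertises but Area 1 does not contain, which is the traffic the null route on the ABR discards.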