This article explains how to connect OSPF areas using a virtual link.
In OSPF, every area must be connected directly to Area 0 (the backbone). In some cases, however, it is not possible
to physically connect an area to the backbone. For this purpose, a virtual link
can be used to establish a connection to the backbone area through a non-backbone (transit) area.
Virtual links are established between area border routers (ABRs).
The diagram consists of three FortiGate firewalls. Loopbacks on FGT1 simulate networks in Area 2, which is not connected to the backbone area.
200.0.0.0/24
200.0.1.0/24 <AREA 2> FGT1 <- AREA 1 (10.222.0.0/20) -> FGT2 <- AREA 0 (10.223.0.0/20) -> FGT3
200.0.2.0/24
Router IDs:
FGT1 – 1.1.1.1
FGT2 – 2.2.2.2
FGT3 – 3.3.3.3
After the basic OSPF configuration, all neighbors are in the FULL state, but the 200.0.x.0/24 networks are not reachable from FGT3:
FGT3:
FGT3 # get router info ospf neighbor
OSPF process 0, VRF 0:
Neighbor ID Pri State Dead Time Address Interface
2.2.2.2 1 Full/ - 00:00:39 10.223.0.184 port1
FGT3 # get router info routing-table all
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S* 0.0.0.0/0 [10/0] via 10.109.31.254, wan1
C 2.2.2.2/32 is directly connected, T
C 10.109.16.0/20 is directly connected, wan1
O IA 10.222.0.0/20 [110/2] via 10.223.0.184, port1, 00:06:50
C 10.223.0.0/20 is directly connected, port1
C 192.168.100.0/24 is directly connected, lan
To fix this, configure a virtual link between FGT1 and FGT2. These routers are the area border routers for Area 2/Area 1 and Area 1/Area 0 respectively.
Important note: the virtual link is configured between router IDs, not interface IP addresses. Also, the virtual link must be configured under the area used as the transit area; in this case the transit area is Area 1:
FGT1:
FGT1 # show router ospf
config router ospf
    set router-id 1.1.1.1
    config area
        edit 0.0.0.1
            config virtual-link
                edit "Area1_Virtual_link"
                    set peer 2.2.2.2    <<< Router ID of the peer (FGT2)
                next
            end
        next
        edit 0.0.0.2
        next
    end
end
FGT2:
FGT2 # show router ospf
config router ospf
    set router-id 2.2.2.2
    config area
        edit 0.0.0.0
        next
        edit 0.0.0.1
            config virtual-link
                edit "Area1_Virtual_link"
                    set peer 1.1.1.1    <<< Router ID of the peer (FGT1)
                next
            end
        next
    end
end
If needed, the virtual link also supports MD5 authentication. On FGT2, the virtual link is now up and a second adjacency with 1.1.1.1 is formed over the VLINK0 interface:
FGT2 # get router info ospf virtual-links
Virtual Link VLINK0 to router 1.1.1.1 is up
Process ID 0, VRF 0, Router ID 2.2.2.2, Cost: 1
Transit area 0.0.0.1 via interface port1
Local address 10.222.0.184/32
Remote address 10.222.0.85/32
Transmit Delay is 1 sec, State Point-To-Point,
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:05
Adjacency state Full
FGT2 # get router info ospf neighbor
OSPF process 0, VRF 0:
Neighbor ID Pri State Dead Time Address Interface
1.1.1.1 1 Full/ - 00:00:40 10.222.0.85 port1
3.3.3.3 1 Full/ - 00:00:30 10.223.0.62 port2
1.1.1.1 1 Full/ - 00:00:38 10.222.0.85 VLINK0
The final verification that the virtual link is correctly configured is that FGT3 now has three additional inter-area (O IA) routes, one for each Area 2 network:
FGT3 # get router info routing-table all
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S* 0.0.0.0/0 [10/0] via 10.109.31.254, wan1
C 2.2.2.2/32 is directly connected, T
C 10.109.16.0/20 is directly connected, wan1
O IA 10.222.0.0/20 [110/2] via 10.223.0.184, port1, 00:19:09
C 10.223.0.0/20 is directly connected, port1
C 192.168.100.0/24 is directly connected, lan
O IA 200.0.0.0/24 [110/102] via 10.223.0.184, port1, 00:06:38
O IA 200.0.1.0/24 [110/102] via 10.223.0.184, port1, 00:06:38
O IA 200.0.2.0/24 [110/102] via 10.223.0.184, port1, 00:00:27
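The three verification steps above (virtual link up, adjacency Full over the transit area, Area 2 prefixes present as O IA routes) can be checked programmatically. The following is an added example and not Fortinet's code or part of the original article; it parses constructed samples modelled on the output shown, and the sample text, regexes and function names are assumptions.

```python
import re

# Constructed samples modelled on the article's FortiGate output; not a real capture.
VLINK_OUTPUT = """\
Virtual Link VLINK0 to router 1.1.1.1 is up
  Transit area 0.0.0.1 via interface port1
  Adjacency state Full
"""
ROUTE_OUTPUT = """\
O IA 10.222.0.0/20 [110/2] via 10.223.0.184, port1, 00:19:09
C 10.223.0.0/20 is directly connected, port1
O IA 200.0.0.0/24 [110/102] via 10.223.0.184, port1, 00:06:38
O IA 200.0.1.0/24 [110/102] via 10.223.0.184, port1, 00:06:38
O IA 200.0.2.0/24 [110/102] via 10.223.0.184, port1, 00:00:27
"""
VLINK_RE = re.compile(r"Virtual Link (\S+) to router (\S+) is (\w+)")
TRANSIT_RE = re.compile(r"Transit area (\S+) via interface (\S+)")
ADJ_RE = re.compile(r"Adjacency state (\w+)")
ROUTE_RE = re.compile(r"^([A-Z*]+(?: IA)?)\s+(\d+(?:\.\d+){3}/\d+)")  # route code + prefix

def parse_virtual_links(text):
    """One dict per VLINK: name, peer router ID, status, transit area, adjacency."""
    links = []
    for line in text.splitlines():
        if m := VLINK_RE.search(line):
            links.append({"name": m[1], "peer": m[2], "status": m[3]})
        elif links and (m := TRANSIT_RE.search(line)):
            links[-1].update(transit_area=m[1], interface=m[2])
        elif links and (m := ADJ_RE.search(line)):
            links[-1]["adjacency"] = m[1]
    return links

def inter_area_prefixes(text):
    """Prefixes present as OSPF inter-area (O IA) routes in a routing table dump."""
    hits = (ROUTE_RE.match(line.strip()) for line in text.splitlines())
    return {m[2] for m in hits if m and m[1] == "O IA"}

def check_virtual_link(vlink_text, route_text, peer_id, transit_area, expected):
    """Return the problems found; an empty list means the virtual link looks healthy."""
    link = next((l for l in parse_virtual_links(vlink_text) if l["peer"] == peer_id), None)
    if link is None:
        return [f"no virtual link to {peer_id}"]
    checks = [(link["status"] == "up", f"{link['name']} is {link['status']}"),
              (link.get("transit_area") == transit_area, f"{link['name']} transit area is not {transit_area}"),
              (link.get("adjacency") == "Full", f"{link['name']} adjacency is not Full")]
    problems = [msg for ok, msg in checks if not ok]
    for prefix in sorted(set(expected) - inter_area_prefixes(route_text)):
        problems.append(f"missing O IA route for {prefix}")
    return problems
```

Running it against the pre-fix routing table (the first two sample lines only) reports the three missing 200.0.x.0/24 routes; against the post-fix table it returns no problems.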
Copyright 2024 Fortinet, Inc. All Rights Reserved.