FortiGate
rmetzger
Staff
Article Id 191012

Description

This article describes the basic steps to configure FortiGates in a simple OSPF scenario.

It includes the network diagram, requirements, configuration, and routing tables of all FortiGates.


Scope

  • All FortiGate models
  • FortiGate or VDOM in NAT mode only

Solution


Diagram:

The following network diagram will be used as an example to illustrate how to set up OSPF.

[Diagram rmetzger_FD30030_simple_ospf_setup.jpeg (image not included): FGT1 (internal 192.168.182.151/23, lback1 10.0.0.1/32) and FGT2 (internal 192.168.182.152/23, lback2 10.0.0.2/32) share the 192.168.182.0/23 segment; FGT1 has a static default route via 192.168.183.254.]


Expectations, Requirements:

Basic requirements:

  • FGT1 will automatically become an ASBR, as it advertises its static default route into OSPF
  • All locally connected interfaces must have OSPF enabled, and their subnets must be advertised as OSPF internal routes (not external)

Note: Using loopback interfaces in this OSPF scenario is a simple convention that eases OSPF troubleshooting and administration: the OSPF router ID is set to the loopback interface address.

Note: To enable OSPF on an interface, it is only necessary to add its subnet to the network/prefix list. To enable OSPF on all interfaces with a single setting, use the prefix '0.0.0.0 0.0.0.0'; FGT1 uses this setting as an example. This also runs OSPF on every interface, including any that face untrusted networks, so the explicit per-prefix list shown for FGT2 is the more restrictive choice.


Configuration:

Note: Only the relevant parts of the configuration are given.

FGT1:

config system interface
    edit "internal"
        set vdom "root"
        set ip 192.168.182.151 255.255.254.0
        set allowaccess ping https ssh http telnet
        set type physical
    next
    edit "lback1"
        set vdom "root"
        set ip 10.0.0.1 255.255.255.255
        set type loopback
    next
end

config router static
    edit 0
        set device "internal"
        set gateway 192.168.183.254
    next
end

config router ospf
    set default-information-originate enable
    set router-id 10.0.0.1
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "ospf"
            set interface "lback1"
        next
    end
    config network
        edit 1
            set prefix 0.0.0.0 0.0.0.0
        next
    end
    config redistribute "connected"
    end
    config redistribute "static"
    end
    config redistribute "rip"
    end
    config redistribute "bgp"
    end
    config redistribute "isis"
    end
end

FGT2:

config system interface
    edit "internal"
        set vdom "root"
        set ip 192.168.182.152 255.255.254.0
        set allowaccess ping https
        set type physical
    next
    edit "lback2"
        set vdom "root"
        set ip 10.0.0.2 255.255.255.255
        set type loopback
    next
end

config router ospf
    set router-id 10.0.0.2
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "ospf"
            set interface "lback2"
        next
    end
    config network
        edit 1
            set prefix 192.168.182.0 255.255.254.0
        next
        edit 2
            set prefix 10.0.0.2 255.255.255.255
        next
    end
    config redistribute "connected"
    end
    config redistribute "static"
    end
    config redistribute "rip"
    end
    config redistribute "bgp"
    end
    config redistribute "isis"
    end
end


Verification:

Verification on FGT1. Examples of commands that can be used:

FGT1 # get router info ospf neighbor
OSPF process 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.0.0.2          1   Full/DROther    00:00:37    192.168.182.152 internal


FGT1 # get router info ospf interface
internal is up, line protocol is up
  Internet Address 192.168.182.151/23, Area 0.0.0.0, MTU 1500
  Process ID 0, Router ID 10.0.0.1, Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State Backup, Priority 1
  Designated Router (ID) 0.0.0.205, Interface Address 192.168.182.205
  Backup Designated Router (ID) 10.0.0.1, Interface Address 192.168.182.151
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:06
  Neighbor Count is 2, Adjacent neighbor count is 2
  Crypt Sequence Number is 6411628
  Hello received 106 sent 90, DD received 12 sent 14
  LS-Req received 0 sent 1, LS-Upd received 20 sent 19
  LS-Ack received 13 sent 15, Discarded 177


FGT1 # get router info ospf status
Routing Process "ospf 0" with ID 10.0.0.1
Process uptime is 17 minutes
Process bound to VRF default
Conforms to RFC2328, and RFC1583Compatibility flag is disabled
Supports only single TOS(TOS0) routes
Supports opaque LSA
Do not support Restarting
This router is an ASBR (injecting external routing information)
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Refresh timer 10 secs
Number of incomming current DD exchange neighbors 0/5
Number of outgoing current DD exchange neighbors 0/5
Number of external LSA 1. Checksum 0x00A321
Number of opaque AS LSA 0. Checksum 0x000000
Number of non-default external LSA 0
External LSA database is unlimited.
Number of LSA originated 2
Number of LSA received 9
Number of areas attached to this router: 1
Area 0.0.0.0 (BACKBONE)
Number of interfaces in this area is 5(6)
Number of fully adjacent neighbors in this area is 3
Area has no authentication
SPF algorithm last executed 00:01:32.740 ago
SPF algorithm executed 8 times
Number of LSA 4. Checksum 0x02089b


FGT1 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 192.168.183.254, internal
C       10.0.0.1/32 is directly connected, lback1
O       10.0.0.2/32 [110/110] via 192.168.182.152, internal, 00:00:22
C       192.168.182.0/23 is directly connected, internal


Verification on FGT2. Examples of commands that can be used:

FGT2 # get router info ospf neighbor
OSPF process 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.0.0.1          1   Full/Backup     00:00:31    192.168.182.151 internal


FGT2 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

O*E2    0.0.0.0/0 [110/10] via 192.168.183.254, internal, 00:03:04
O       10.0.0.1/32 [110/110] via 192.168.182.151, internal, 00:09:36
C       10.0.0.2/32 is directly connected, lback2
C       192.168.182.0/23 is directly connected, internal
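A way to automate the checks above, as an added example that is not part of the original article: the Python script below parses the output of `get router info ospf neighbor`, `get router info ospf status` and `get router info routing-table all` (abridged FGT1 output from above is embedded as sample input) and reports a neighbor that is not in Full state, a neighbor that was not expected, an expected prefix that was not learned through OSPF, and an area that the status output reports as having no authentication. The expected neighbor IDs and prefixes are assumed inputs chosen for this scenario.

```python
import re

# Sample input: abridged copies of the FGT1 verification output shown above (constructed test data).
NEIGHBOR_OUTPUT = """OSPF process 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.0.0.2          1   Full/DROther    00:00:37    192.168.182.152 internal
"""
STATUS_OUTPUT = """Routing Process "ospf 0" with ID 10.0.0.1
Area 0.0.0.0 (BACKBONE)
Area has no authentication
"""
ROUTES_OUTPUT = """S*      0.0.0.0/0 [10/0] via 192.168.183.254, internal
C       10.0.0.1/32 is directly connected, lback1
O       10.0.0.2/32 [110/110] via 192.168.182.152, internal, 00:00:22
C       192.168.182.0/23 is directly connected, internal
"""
# Neighbor row: ID, priority, State/Role, dead time, address, interface; route row: code then prefix
NEIGHBOR_RE = re.compile(r"^(\d+(?:\.\d+){3})\s+\d+\s+(\S+)\s+\S+\s+(\d+(?:\.\d+){3})\s+(\S+)$")
ROUTE_RE = re.compile(r"^(\S+)\s+(\d+(?:\.\d+){3}/\d+)\s")

def parse_neighbors(text):
    """Map neighbor router ID -> dict(state, address, interface); state drops the /Role suffix."""
    neighbors = {}
    for m in filter(None, map(NEIGHBOR_RE.match, text.splitlines())):
        nid, state, addr, iface = m.groups()
        neighbors[nid] = {"state": state.split("/")[0], "address": addr, "interface": iface}
    return neighbors

def parse_routes(text):
    """Map prefix -> routing code, e.g. '10.0.0.2/32' -> 'O', '0.0.0.0/0' -> 'S*'."""
    return {m.group(2): m.group(1) for m in map(ROUTE_RE.match, text.splitlines()) if m}

def audit(neighbor_text, status_text, route_text, expected_neighbors, expected_ospf_prefixes):
    """Return a list of findings; an empty list means the router matches expectations."""
    findings = []
    neighbors = parse_neighbors(neighbor_text)
    for nid in sorted(expected_neighbors):
        state = neighbors.get(nid, {}).get("state")
        if state != "Full":  # adjacency incomplete (Init, 2-Way, Exchange...) or neighbor missing
            findings.append(f"neighbor {nid}: state {state}, expected Full")
    for nid, info in neighbors.items():
        if nid not in expected_neighbors:  # a router ID we did not plan for formed an adjacency
            findings.append(f"unexpected neighbor {nid} via {info['address']} on {info['interface']}")
    routes = parse_routes(route_text)
    for prefix in sorted(expected_ospf_prefixes):
        if not routes.get(prefix, "").startswith("O"):  # O, O*E2, O E1 ... are all OSPF-learned
            findings.append(f"prefix {prefix}: code {routes.get(prefix)}, expected an OSPF route")
    if "Area has no authentication" in status_text:  # reported by 'get router info ospf status'
        findings.append("OSPF area has no authentication configured")
    return findings
```

Run against the FGT2 tables above, the OSPF-learned default route is accepted as expected because its code O*E2 starts with O.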


Troubleshooting:

Packet capture for OSPF packets (verbosity level 6, unlimited packet count, absolute timestamps):

diag sniffer packet any 'proto 89' 6 0 a


OSPF process debug:

diag debug reset
diag debug console timestamp enable
diag ip router ospf all enable
diag ip router ospf level info
diag debug enable

To stop the debugging, enter the following:

diag debug disable
diag debug reset