Support Forum
TheUsD
New Contributor III

Block/Filter routes from OSPF

Hello,
I am very new to OSPF and still getting my feet wet.
I have three FortiGates using OSPF in one area. There is an IP-SEC tunnel from Router A to Router B and an IP-SEC tunnel from Router A to Router C. Both Router B and C need the subnets from Router A (which is working). Router A needs to know the subnets of Router B and Router C (which is working). However, Router B and Router C do not need to know the subnets of each other, and those subnets should not show up in each other's routing tables.

How do I prevent Router B's routes showing up in Router C?


If possible, I would just like to know the search criteria and/or key words I need to look up. I'm not sure what the process is called. I would have thought that I could have two areas, say area 0.0.0.0 for Routers A and B and area 0.0.0.1 for Router A (using the same subnets) and Router C. Sadly, that doesn't seem to be the case.

[Attachment: OSPF.png]

srajeswaran
Staff

OSPF works based on areas, and every single router in the same area will have the same LSDB, which means they will be aware of the connected networks in that area. We cannot restrict/filter that.


The routes may not be active if there are other active/preferred routes to the same subnet, but the OSPF database will have the entries.


If we need to have separate route tables/OSPF DBs, we need to use different areas, and then you can apply filters on the ABR to restrict specific routes being advertised from the areas. The article below explains the filtering configuration.


https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-OSPF-to-filter-Inter-Area-rout...

Regards,

Suraj


Toshi_Esumi
SuperUser

As @srajeswaran said, with OSPF you wouldn't be able to manipulate advertised routes unless you separate those into different areas. And it would get very difficult to manage when your network/subnets grow.
If you want to use a routing protocol and manipulate routes granularly, eBGP would work better. But in your case, there are no alternative paths between the three routers. So even static routing is more suitable. Router C's super subnet would be 10.0.0.0/11.

Toshi

TheUsD
New Contributor III

Thank you both, @srajeswaran and @Toshi_Esumi.

The goal of not allowing Router C to see Router B's subnets is that Router B is a separate company from Router C. I have always been a fan of static routes, and that is how both sites were set up prior to exploring OSPF. While I manage all three routers, and the Router C and B customers would never see the routes or know about them, and there are no firewall rules in place to allow traffic to pass over, I still feel it is necessary to ensure there is full separation.


Does FortiGate support eBGP? From my understanding, this was Cisco proprietary functionality.

Toshi_Esumi
SuperUser

BGP is a standardized protocol, which controls routing over the internet.
https://en.wikipedia.org/wiki/Border_Gateway_Protocol
There are some differences per implementation for some behaviors, which are NOT defined by the standards. But you mostly wouldn't encounter any issues when you connect Cisco routers, FortiGate, Juniper, Palo Alto or whoever supports BGP together.


We use BGP ourselves with FGTs to control our customers' traffic flows because it's the best option to manipulate routes with secondary, tertiary and more. We use VDOMs to completely isolate each customer, though, before going out to the internet. As an MSP/MSSP, we're obligated not to share one customer's routing table with another customer's.


Toshi

TheUsD
New Contributor III

Thank you, @Toshi_Esumi. Do any of your customers that sit in other VDOMs connect to any services you host, such as FortiAnalyzer or FortiManager? If so, how do you allow the gates to reach the services that are in other VDOMs? Inter-VDOM links?


Studying my layout some more... Is the following a possible approach to achieve my goal?


On Router A, set an IP address of 192.168.255.1/29 on the IP-SEC tunnel interface (VTI) to Router B, and place an IP address of 192.168.255.2/29 on Router B's VTI.


On Router A to Router C, I placed an IP address of 192.168.255.16/29 on Router A's VTI and placed an IP address of 192.168.255.18/29 on the VTI for Router C.

On Router A, I enable "Redistribute Connected" and advertise 192.168.255.0/29 to area 0.0.0.0 (the area for Router A and B to peer on). Next, advertise 192.168.255.16/29 for area 0.0.0.1 (the area for Router A and C to peer on).


On Router B and C, I will advertise the subnets I listed above.


On Router B, advertise network 192.168.255.16/29 in Area 0.0.0.1. On Router A, advertise 192.168.255.0/29 in area 0.0.0.0, and on Router C, I advertise the listed subnets above, leaving Redistribute Connected disabled.

Toshi_Esumi

FMG and FAZ access from/to multi-VDOM FGTs goes out/comes in through a management VDOM by default for all VDOMs. Only if any VDOMs/customers have an individual FMG/FAZ accessed only by them would you set up an "override" to connect those VDOMs to the separate destinations, which we haven't done so far. Meanwhile, both FMG and FAZ can be set up with ADOMs so that each customer can have their own partition access.


For OSPF, you should ask others like @srajeswaran for the particular setup, as I don't deal with OSPF so often. But your Routers B and C need to be ABRs, just like FGT2 in the KB @srajeswaran referred to, and have area 0 toward Router A and a different area for your customer sides, so that those customers' interfaces/subnets can be filtered when they come across the area borders. I would set different areas like 1 and 2 for B and C to avoid a "split area".


If you decide to use BGP instead, I can be more helpful as well as other experts at FTNT in this Forum.


Toshi
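As an added example (not from the thread or from Fortinet's KB), here is a FortiOS CLI sketch of the ABR layout Toshi_Esumi describes, applied to Router C: area 0.0.0.0 toward Router A on the VTI addressing TheUsD proposed, the customer side in its own area, and an area filter-list that keeps Router B's customer prefix out of that customer area. The list name, the 172.16.10.0/24 placeholder for Router B's LAN, and the reading of `set direction in` as "filter inter-area routes entering this area" are assumptions; the CLI keys are from the `config router ospf` tree as I know it, so confirm them against your FortiOS version.

```text
# Router C, FortiOS CLI (constructed example; list name and 172.16.10.0/24 are placeholders)
# Prefix list: deny Router B's customer LAN, permit everything else
config router prefix-list
    edit "PL-NO-CUSTOMER-B"
        config rule
            edit 1
                set action deny
                set prefix 172.16.10.0 255.255.255.0
            next
            edit 2
                set action permit
                set prefix any
            next
        end
    next
end

config router ospf
    set router-id 192.168.255.18
    config area
        # Backbone toward Router A (VTI addressing as proposed in the thread)
        edit 0.0.0.0
        next
        # Customer C side in its own area, so Router C becomes an ABR;
        # "direction in" is assumed to filter inter-area routes entering this area
        edit 0.0.0.2
            config filter-list
                edit 1
                    set list "PL-NO-CUSTOMER-B"
                    set direction in
                next
            end
        next
    end
    config network
        edit 1
            set prefix 192.168.255.16 255.255.255.248
            set area 0.0.0.0
        next
        edit 2
            set prefix 10.0.0.0 255.224.0.0
            set area 0.0.0.2
        next
    end
end
```

Because every router in area 0.0.0.0 still shares one LSDB (srajeswaran's point), Router C itself still learns Router B's prefix from the area-0 summary LSA; this filter only stops it from crossing into area 0.0.0.2. If it must also stay out of Router C's own routing table, the access-list based `set distribute-list-in` option under `config router ospf` is the knob to check in your FortiOS version.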

Toshi_Esumi

Probably I misspoke. When you connect a multi-VDOM FGT to an FMG, all VDOMs are registered at the FMG. And you can't split them and register only some VDOMs to another FMG.
