Hi there, I want to filter route information about the network 172.28.0.0/16 propagated from a peer in area 0.0.0.2. But it seems that this is not working properly. I get routing information from peer 10.9.9.2 in area 0.0.0.2 for the network 172.28.50.0/24. I cannot exclude the network completely because it is used on the internal network.

fw-01 # get router info routing-table ospf
O E2 10.9.19.0/24 [110/0] via 10.9.9.2, port6, 00:17:16
O E2 172.28.50.0/24 [110/0] via 10.9.9.2, port6, 00:00:17
O E1 172.28.51.0/24 [110/11] via 10.2.2.10, port1, 00:05:48

Here is the configuration.

config router access-list
    edit "Internal_Nets"
        config rule
            edit 1
                set action deny
                set prefix 172.28.0.0 255.255.0.0
                set exact-match disable
            next
        end
    next
end
config router ospf
    set router-id 10.5.7.3
    config area
        edit 0.0.0.0
        next
        edit 0.0.0.2
            config filter-list
                edit 1
                    set list "Internal_Nets"
                    set direction in
                next
            end
        next
    end
    config ospf-interface
        edit "ethernet1"
            set interface "port1"
            set dead-interval 40
            set hello-interval 10
        next
        edit "ethernet2"
            set interface "port2"
            set dead-interval 40
            set hello-interval 10
        next
        edit "ethernet6"
            set interface "port6"
            set dead-interval 40
            set hello-interval 10
        next
    end
    config network
        edit 1
            set prefix 10.1.1.0 255.255.255.0
        next
        edit 2
            set prefix 10.2.2.0 255.255.255.0
        next
        edit 3
            set prefix 10.9.9.0 255.255.255.0
            set area 0.0.0.2
        next
    end
    config redistribute "connected"
        set status enable
    end
    config redistribute "static"
        set status enable
    end
end
Personally I would not use an ACL; a prefix-list is more ideal.

config router prefix-list
    edit "dropit"
        config rule
            edit 1
                set action deny
                set prefix 172.28.50.0 255.255.255.0
                unset ge
                unset le
            next
        end
    next
end
And then you apply that in your ospf definition.
PCNSE
NSE
StrongSwan
Thanks for your reply.
I clear the OSPF process, but this also did not work.
fw-01 # get router info ospf database brief
Link ID        ADV Router   Age   Seq#      CkSum  Flag  Route              Tag
10.9.9.0       10.9.9.2     411   80000005  463b   0002  E2 10.9.19.0/264   0
172.28.50.0    10.9.9.2     1104  80000004  74e6   0002  E2 172.28.50.0/24  0
172.28.51.0    10.2.2.10    1355  80000004  be7c   0002  E1 172.28.51.0/24  0

FYI, an ACL or prefix-list will not drop the prefix from the OSPF database, just from the RIB.
PCNSE
NSE
StrongSwan
Hi emnoc,
Thanks for your reply. But as I said, I clear the OSPF process with:
execute router clear ospf process
This will completely purge the OSPF database, as well as the routing entries. But after a while it will be learned again.
I also tried the following prefix-list and bound it to the OSPF area as an inbound filter.

fw-01 # show router prefix-list
config router prefix-list
    edit "10_In_0.0.0.2"
        config rule
            edit 1
                set prefix 10.9.0.0 255.255.
                unset ge
                unset le
            next
            edit 2
                set action deny
                set prefix 0.0.0.0 0.0.0.0
                unset ge
                unset le
            next
        end
    next
end
Best regards.
Type 5 LSAs (E2) can only be filtered on the ASBR (as per the OSPF standards).
If I understand correctly, you are trying to filter it on the ABR, which is not possible.
The OSPF database and the route table are two distinct things, but the latter is built from the OSPF database. If you filter the prefix, the LSA will still be present, but the route table will not be populated with the route.
So you are using get router info ospf database brief, but have you checked the route table with get router info all or get router info ospf route?
Ideally ashukla is correct that filtering belongs on an ASBR: the E1/E2 OSPF types, which can be injected via an ASBR (a route pushed into OSPF by some redistribution other than OSPF), should be filtered by the ASBR, but that might not be applicable if the network attaching the OSPF segment is a multi-access network with multiple other devices.
If I had to guess, the 172.28.50.0/24 is being generated via "10.9.9.2" from a redistribution on that router.
PCNSE
NSE
StrongSwan
Hi emnoc & ashukla,
the route is even present in the routing table.
fw-01 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S* 0.0.0.0/0 [5/0] via 10.82.128.1, wan1
C 10.2.2.0/24 is directly connected, port1
C 10.2.22.0/24 is directly connected, port2
O E2 10.9.9.0/26 [60/0] via 10.9.0.70, port6, 00:22:45
C 10.9.9.64/26 is directly connected, port6
O E2 172.28.50.0/24 [60/0] via 10.9.0.70, port6, 00:22:45
fw-01 # get router info ospf route
C 10.2.135.0/24 [1] is directly connected, port1, Area 0.0.0.0
C 10.2.136.0/24 [10] is directly connected, port2, Area 0.0.0.0
E2 10.9.9.0/26 [10/0] via 10.9.0.70, port6
C 10.9.9.64/26 [10] is directly connected, port6, Area 0.0.0.2
E2 172.28.50.0/24 [10/0] via 10.9.0.70, port6
How can I make sure the route does not appear in the table?
Show us what you have configured: the prefix-list and the OSPF configuration.
PCNSE
NSE
StrongSwan
Hey, I just noticed your advertising router is different from what you provided earlier; this shouldn't matter, but I wanted to point it out.
O E2 172.28.50.0/24 [60/0] via 10.9.0.70, port6, 00:22:45
PCNSE
NSE
StrongSwan
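To make the points in this thread checkable, here is an added Python example; it is not code from the thread, from Fortinet or from FortiOS. It models the list-matching semantics assumed here (FortiOS/Cisco style: a rule with no action set defaults to permit, a prefix-list rule without ge/le matches only the exact prefix length, an access-list rule with exact-match disabled matches any more-specific prefix, and every list ends in an implicit deny), evaluates the three lists posted above ("Internal_Nets", "dropit" and "10_In_0.0.0.2") against the prefixes in question, and parses the quoted `get router info routing-table all` output to report installed OSPF routes that an explicit deny rule would have caught. The /16 mask for rule 1 of "10_In_0.0.0.2" is an assumption, since the post cuts it off. A route listed as leaked is the symptom the thread describes: the list would deny it, yet it is still installed, so the area filter-list is not being applied to these external routes.

```python
import ipaddress
import re

# Added example, not code from the thread or from Fortinet.  Assumed semantics:
#   - a rule whose action is not set defaults to "permit";
#   - a prefix-list rule with no ge/le matches only the exact prefix length,
#     otherwise ge <= length <= le (le defaults to 32 when only ge is set);
#   - an access-list rule with exact-match disabled matches any route inside
#     its prefix; with exact-match enabled only the identical prefix;
#   - every list ends in an implicit deny.


def acl_rule(rule_id, action, prefix, exact_match=True):
    return {"id": rule_id, "kind": "access-list", "action": action,
            "net": ipaddress.ip_network(prefix), "exact": exact_match}


def pl_rule(rule_id, action, prefix, ge=None, le=None):
    return {"id": rule_id, "kind": "prefix-list", "action": action,
            "net": ipaddress.ip_network(prefix), "ge": ge, "le": le}


def rule_matches(route, rule):
    """True if an IPv4 route prefix is selected by one list rule."""
    net = rule["net"]
    if not route.subnet_of(net):
        return False
    if rule["kind"] == "access-list":
        return route.prefixlen == net.prefixlen if rule["exact"] else True
    if rule["ge"] is None and rule["le"] is None:
        return route.prefixlen == net.prefixlen
    lo = rule["ge"] if rule["ge"] is not None else net.prefixlen
    hi = rule["le"] if rule["le"] is not None else route.max_prefixlen
    return lo <= route.prefixlen <= hi


def evaluate(prefix, rules):
    """Return (action, rule_id); rule_id None means the implicit deny was hit."""
    route = ipaddress.ip_network(prefix)
    for rule in rules:
        if rule_matches(route, rule):
            return rule["action"], rule["id"]
    return "deny", None


# The three lists shown in the thread.  Rule 1 of "10_In_0.0.0.2" has its mask
# cut off in the post; 255.255.0.0 (/16) is assumed here.
INTERNAL_NETS_ACL = [acl_rule(1, "deny", "172.28.0.0/16", exact_match=False)]
DROPIT_PL = [pl_rule(1, "deny", "172.28.50.0/24")]
AREA2_IN_PL = [
    pl_rule(1, "permit", "10.9.0.0/16"),  # no action in the post: assumed permit
    pl_rule(2, "deny", "0.0.0.0/0"),      # no le: matches only the default route itself
]

# One learned-route line of "get router info routing-table all", e.g.
#   O E2 172.28.50.0/24 [60/0] via 10.9.0.70, port6, 00:22:45
ROUTE_RE = re.compile(
    r"^(?P<code>\S+(?: (?:E[12]|N[12]|IA))?)\s+(?P<prefix>[\d.]+/\d+)\s+"
    r"\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nh>[\d.]+),\s*(?P<intf>[^,\s]+)"
)

# Constructed sample: the routing-table lines quoted in the thread.
SAMPLE_ROUTING_TABLE = """\
S* 0.0.0.0/0 [5/0] via 10.82.128.1, wan1
C 10.2.2.0/24 is directly connected, port1
C 10.2.22.0/24 is directly connected, port2
O E2 10.9.9.0/26 [60/0] via 10.9.0.70, port6, 00:22:45
C 10.9.9.64/26 is directly connected, port6
O E2 172.28.50.0/24 [60/0] via 10.9.0.70, port6, 00:22:45
"""


def parse_routing_table(text):
    """Extract learned (non-connected) routes as dicts; connected lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["ad"], d["metric"] = int(d["ad"]), int(d["metric"])
            routes.append(d)
    return routes


def audit(text, rules):
    """Map every installed OSPF route to the decision the list would give it."""
    return {r["prefix"]: evaluate(r["prefix"], rules)
            for r in parse_routing_table(text) if r["code"].startswith("O")}


def leaked(text, rules):
    """OSPF routes still installed although an explicit deny rule matches them."""
    return sorted(p for p, (action, rule_id) in audit(text, rules).items()
                  if action == "deny" and rule_id is not None)


if __name__ == "__main__":
    for name, rules in [("Internal_Nets", INTERNAL_NETS_ACL), ("dropit", DROPIT_PL),
                        ("10_In_0.0.0.2", AREA2_IN_PL)]:
        print(name, audit(SAMPLE_ROUTING_TABLE, rules),
              "leaked:", leaked(SAMPLE_ROUTING_TABLE, rules))
```

Running it shows that both "Internal_Nets" and "dropit" would explicitly deny 172.28.50.0/24, while in "10_In_0.0.0.2" the deny on 0.0.0.0 0.0.0.0 without le only matches the default route itself, so 172.28.50.0/24 reaches the implicit deny instead. Feeding the tool a fresh copy of the routing table after a configuration change is a quick way to confirm whether a filter is actually taking effect on the installed routes.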
Copyright 2024 Fortinet, Inc. All Rights Reserved.