Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Schwierzeck
New Contributor

Filter on Area do not work

Hi there, I want to filter route information about the network 172.28.0.0/16 propagated from a peer in area 0.0.0.2. But it seams that this is not working properly. I get routing information form peer 10.9.9.2 in area 0.0.0.2 for the network 172.28.50.0/24. I can not exclude the network completely because it is used on the internal network. fw-01 # get router info routing-table ospf O E2    10.9.19.0/24 [110/0] via 10.9.9.2, port6, 00:17:16 O E2    172.28.50.0/24 [110/0] via 10.9.9.2, port6, 00:00:17 O E1    172.28.51.0/24 [110/11] via 10.2.2.10, port1, 00:05:48 Here is the configuration. config router access-list     edit "Internal_Nets"             config rule                 edit 1                     set action deny                     set prefix 172.28.0.0 255.255.0.0                     set exact-match disable                 next             end     next end config router ospf     set router-id 10.5.7.3         config area             edit 0.0.0.0             next             edit 0.0.0.2                     config filter-list                         edit 1                             set list "Internal_Nets"                             set direction in                         next                     end             next         end         config ospf-interface             edit "ethernet1"                 set interface "port1"                 set dead-interval 40                 set hello-interval 10             next             edit "ethernet2"                 set interface "port2"                 set dead-interval 40                 set hello-interval 10             next             edit "ethernet6"                 set interface "port6"                 set dead-interval 40                 set hello-interval 10             next         end         config network             edit 1                 set prefix 10.1.1.0 255.255.255.0             next             edit 2                 set prefix 10.2.2.0 255.255.255.0             next             edit 3                 set prefix 10.9.9.0 255.255.255.0                 set area 0.0.0.2             next         end         config redistribute "connected"             set status enable         end         config redistribute "static"             set status enable         end end

19 REPLIES 19
emnoc
Esteemed Contributor III

Personally I would not use acl but a prefix-list is more ideal.

 

config router prefix-list     edit "dropit"             config rule                 edit 1                     set action deny                     set prefix 172.28.50.0 255.255.255.0                     unset ge                     unset le                 next             end     next end

And then you apply that in your ospf definition.

 

 

 

 

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Schwierzeck
New Contributor

Thanks for your reply.

 

I clear the OSPF process, but this also did not work.

 

fw-01 # get router info ospf database brief Link ID         ADV Router      Age  Seq#     CkSum Flag Route              Tag 10.9.9.0        10.9.9.2       411  80000005 463b  0002 E2 10.9.19.0/264    0 172.28.50.0     10.9.9.2       1104 80000004 74e6  0002 E2 172.28.50.0/24  0 172.28.51.0     10.2.2.10    1355 80000004 be7c  0002 E1 172.28.51.0/24  0

 

 

emnoc
Esteemed Contributor III

FYI A ACL or Prefix-list will not drop the prefix from  ospf-database just the RIB.

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Schwierzeck
New Contributor

Hi emnoc,

 

thank for your reply. But as I said, I clear the OSPF process with:

execute router clear ospf process

 

This will completly purge the OSPF database. As well the routing entries. But after a while it will be learn again.

 

I also tried the following prefix-list and bound it to the OSPF area as inbound filter.

 

fw-01 # show router prefix-list config router prefix-list

    edit "10_In_0.0.0.2"             config rule                 edit 1                     set prefix 10.9.0.0 255.255.                     unset ge                     unset le                 next                 edit 2                     set action deny                     set prefix 0.0.0.0 0.0.0.0                     unset ge                     unset le                 next             end     next

end

 

Best regards.

 

ashukla_FTNT
Staff
Staff

Type 5 LSA (E2) can only be filtered in ASBR (as per ospf standards).

If i understand correctly you are trying to filter it in ABR, which is not possible.

 

emnoc
Esteemed Contributor III

OP

 

The ospf-database and route table are two unique things but the latter is built from the ospf-database. If you filter the  prefix, the LSA will still be present but the route-table will not populated the route.

 

So you are using the get router info ospf database brief but have you checked the  route-table get router infor all or  get router info ospf route ?

 

Ideally ashukla is correct that filtering on a ASBR, the E1/E2 ospf-type  which can be injected via  ASBR ( a route pushed into OSPF by some redistribution other than  OSPF  ) should be filter by the ASBR  but that  might not applicable if the network attaching the OSPF segment is a multi-access with multiple other  devices.

If I had to guess, the  172.28.50.0/24 is being generated via "10.9.9.2" from a redistribution on that router.

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Schwierzeck
New Contributor

Hi emnoc & ashukla,

 

the route is even present in the routing table.

 

fw-01 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S* 0.0.0.0/0 [5/0] via 10.82.128.1, wan1
C 10.2.2.0/24 is directly connected, port1
C 10.2.22.0/24 is directly connected, port2
O E2 10.9.9.0/26 [60/0] via 10.9.0.70, port6, 00:22:45
C 10.9.9.64/26 is directly connected, port6
O E2 172.28.50.0/24 [60/0] via 10.9.0.70, port6, 00:22:45


fw-01 # get router info ospf route
C 10.2.135.0/24 [1] is directly connected, port1, Area 0.0.0.0
C 10.2.136.0/24 [10] is directly connected, port2, Area 0.0.0.0
E2 10.9.9.0/26 [10/0] via 10.9.0.70, port6
C 10.9.9.64/26 [10] is directly connected, port6, Area 0.0.0.2
E2 172.28.50.0/24 [10/0] via 10.9.0.70, port6

 

How can I achieve that the route does not appear in the table?

emnoc
Esteemed Contributor III

Show us what you have config  prefix-list and ospf configuration.

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
emnoc
Esteemed Contributor III

Hey I just notice your advertising router is different than what you provided earlier, this shouldn't matter  but wanted to point it out.

 

O E2 172.28.50.0/24 [60/0] via 10.9.0.70, port6, 00:22:45



PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors