I found the following article about ospf inter-area distribution.
OSPF and Fortigate are fairly new to me... I am planning to replace a Cisco Firepower with a Fortigate.
Currently on the Cisco Firepower there are two OSPF processes configured. One has area id 0 and the other has area-id 10 and both are connected to two different Cisco switches. Because of the two OSPF processes the areas are separated, which means cisco-sw2 doesn't receive any routes from area 10. Since Fortigate doesn't support more than one OSPF process I have to find another solution.
cisco-sw1---area-id 10---Fortigate(Cisco FTD)---area-id 0---cisco-sw2
How can I prevent Fortigate from distributing learned routes from area 10 to 0 (sw2)?
Current Fortigate config:
fortigate # show router ospf
config router ospf
    set router-id 2.2.2.2
    config area
        edit 0.0.0.0
        next
        edit 0.0.0.10
            set type stub
        next
    end
    config ospf-interface
        edit "clientvpn"
            set interface "port2.505"
            set dead-interval 40
            set hello-interval 10
        next
        edit "dmvpn"
            set interface "port2.503"
            set dead-interval 40
            set hello-interval 10
        next
        edit "inside"
            set interface "inside"
            set dead-interval 40
            set hello-interval 10
        next
        edit "transit"
            set interface "port2.506"
            set dead-interval 40
            set hello-interval 10
        next
    end
    config network
        edit 1
            set prefix 10.30.15.0 255.255.255.240
        next
        edit 2
            set prefix 10.30.13.0 255.255.255.240
        next
        edit 3
            set prefix 10.30.14.0 255.255.255.240
        next
        edit 4
            set prefix 10.30.16.0 255.255.255.240
            set area 0.0.0.10
        next
    end
    config redistribute "connected"
    end
    config redistribute "static"
    end
    config redistribute "rip"
    end
    config redistribute "bgp"
    end
    config redistribute "isis"
    end
end
Thanks for testing that. I just verified this in LAB and I am able to restrict the external routes entering area0 by making the area10 nssa and then apply the route filter we configured earlier.
1. Configure Area10 as NSSA on both Fortigate and Switch
2. Configure route filter as below
config router prefix-list
    edit "FILTER_AREA_10_NETWORKS"
        config rule
            edit 1
                set action deny
                set prefix any
            next
        end
    next
end
3. Apply this filter under Area10 as "Out" direction (default direction)
config router ospf
    config area
        edit 0.0.0.10
            set type nssa
            config filter-list
                edit 1
                    set list "FILTER_AREA_10_NETWORKS"
                next
            end
        next
    end
end
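As an added illustration (not part of this thread and not FortiOS code), a small Python check that parses a FortiOS-style config dump and reports, for every non-backbone OSPF area, its type and whether a filter-list that references a defined prefix-list is attached to it. The sample config is constructed from the solution above; area 10 as a plain stub with no filter (the original setup) would be reported as unfiltered.

```python
import re
# Constructed sample (not a device dump), modelled on the solution posted in the thread.
SAMPLE = """
config router prefix-list
    edit "FILTER_AREA_10_NETWORKS"
        config rule
            edit 1
                set action deny
                set prefix any
            next
        end
    next
end
config router ospf
    config area
        edit 0.0.0.10
            set type nssa
            config filter-list
                edit 1
                    set list "FILTER_AREA_10_NETWORKS"
                next
            end
        next
    end
end
"""

def parse_fortios(text):
    """Turn FortiOS CLI text into nested dicts: config/edit open a scope, next/end close it."""
    stack = [{}]
    for raw in filter(str.strip, text.splitlines()):
        tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', raw)]
        cmd, args = tokens[0], tokens[1:]
        if cmd in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "set":
            stack[-1][args[0]] = " ".join(args[1:])
        elif cmd in ("next", "end"):
            stack.pop()
    return stack[0]

def check_area_filters(cfg):
    """Per non-backbone area: its type and whether a filter-list names a defined prefix-list."""
    defined = cfg.get("router prefix-list", {})
    areas = cfg.get("router ospf", {}).get("area", {})
    return {area: {"type": node.get("type", "regular"),
                   "filtered": any(f.get("list") in defined
                                   for f in node.get("filter-list", {}).values())}
            for area, node in areas.items() if area != "0.0.0.0"}
```

Run it against `show full-configuration router ospf` plus `show router prefix-list` output to confirm the filter really is bound to the area and the list name has no typo before checking the switch's routing table again.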
There is a typo in that sentence and it needs correction. The configuration specified under "Area 0" is actually Area1 (0.0.0.1) and under "Area1" it is Area0 (0.0.0.0).
It doesn't matter in which area and in which direction I set the filter, I tried it all and nothing changes... I can still see all the area10 routes on the switch in area 0.
Can you confirm the area10 route/sub-net that is not getting filtered?
Yes, I always check it with some routes I'm 100% sure they are from area10 switch.
As per the LSDB update shared earlier, the only subnet in area10 is 10.30.16.0.
Can you please confirm?
10.30.16.0/28 is just the network between Fortigate and cisco-sw1 in area 10 so they can communicate with each other.
Fortigate has an interface with the ip 10.30.16.1 and switch has 10.30.16.14.
The list of routes Fortigate is learning from the switch in area 10 contains hundreds of routes.
I just noticed one thing: there are a lot of external routes present in the Area10 LSDB, but area 10 is configured as stub:
config area
    edit 0.0.0.10
        set type stub
    next
end
The LSDB output ideally should mention stub, but I don't see that in your output. Can you confirm if Area10 is stub or regular area?
Ideally if the area is stub, we don't expect to see the external routes.
And if we are trying to block/filter the external routes, that can be done only on the ASBR and not the ABR. The same filter needs to be applied on the ASBR router.
It was configured as stub just for testing because nothing seems to work. I removed it afterwards.
It is not just about the public IPs, I need to filter any route from area 10 for area 0 no matter if it is private or public.
Are you referring to below routes?
Link ID ADV Router Age Seq# CkSum Flag Route Tag
10.0.9.0 4.4.4.4 1678 80000222 4119 0012 E2 10.0.9.0/24 0
10.0.10.0 4.4.4.4 165 80000223 e53a 0012 E2 10.0.10.0/23 0
10.0.12.0 4.4.4.4 1677 80000222 2037 0012 E2 10.0.12.0/24 0
10.0.13.0 4.4.4.4 1677 80000222 1541 0012 E2 10.0.13.0/24 0
10.0.15.0 4.4.4.4 163 80000223 b366 0012 E2 10.0.15.0/24 0
...long list...
Exactly, there are hundreds of such routes from the switch in area10.
Copyright 2024 Fortinet, Inc. All Rights Reserved.