sidp
New Contributor III

Fortigate OSPF stop inter-area distribution

I found the following article about ospf inter-area distribution.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-OSPF-to-filter-Inter-Area-rout...

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuration-of-OSPF-Stub-Totally-Stub-NS...

 

OSPF and Fortigate are fairly new to me... I am planning to replace a Cisco Firepower with a Fortigate.

 

Currently on the Cisco Firepower there are two OSPF processes configured. One has area-id 0 and the other has area-id 10, and both are connected to two different Cisco switches. Because of the two OSPF processes the areas are separated, which means cisco-sw2 doesn't receive any routes from area 10. Since Fortigate doesn't support more than one OSPF process I have to find another solution.

 

cisco-sw1---area-id 10---Fortigate(Cisco FTD)---area-id 0---cisco-sw2

 

How can I prevent Fortigate from distributing learned routes from area 10 to 0 (sw2)?

 

Current Fortigate config:

fortigate # show router ospf 
config router ospf
    set router-id 2.2.2.2
    config area
        edit 0.0.0.0
        next
        edit 0.0.0.10
            set type stub
        next
    end
    config ospf-interface
        edit "clientvpn"
            set interface "port2.505"
            set dead-interval 40
            set hello-interval 10
        next
        edit "dmvpn"
            set interface "port2.503"
            set dead-interval 40
            set hello-interval 10
        next
        edit "inside"
            set interface "inside"
            set dead-interval 40
            set hello-interval 10
        next
        edit "transit"
            set interface "port2.506"
            set dead-interval 40
            set hello-interval 10
        next
    end
    config network
        edit 1
            set prefix 10.30.15.0 255.255.255.240
        next
        edit 2
            set prefix 10.30.13.0 255.255.255.240
        next
        edit 3
            set prefix 10.30.14.0 255.255.255.240
        next
        edit 4
            set prefix 10.30.16.0 255.255.255.240
            set area 0.0.0.10
        next
    end
    config redistribute "connected"
    end
    config redistribute "static"
    end
    config redistribute "rip"
    end
    config redistribute "bgp"
    end
    config redistribute "isis"
    end
end

 

1 Solution
srajeswaran

Thanks for testing that. I just verified this in LAB and I am able to restrict the external routes entering area0 by making the area10 nssa and then apply the route filter we configured earlier.

 

1. Configure Area10 as NSSA on both Fortigate and Switch

2. Configure route filter as below

config router prefix-list
    edit "FILTER_AREA_10_NETWORKS"
        config rule
            edit 1
                set action deny
                set prefix any
            next
        end
    next
end

 

3. Apply this filter under Area10 as "Out" direction (default direction)

config router ospf
    config area
        edit 0.0.0.10
            set type nssa
            config filter-list
                edit 1
                    set list "FILTER_AREA_10_NETWORKS"
                next
            end
        next
    end
end

 

 

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

srajeswaran

There is a typo in that sentence and it needs correction. The configuration specified under "Area 0" is actually Area1 (0.0.0.1) and under "Area1" it is Area0 (0.0.0.0).

Regards,

Suraj

sidp
New Contributor III

It doesn't matter in which area and in which direction I set the filter, I tried it all and nothing changes... I can still see all the area10 routes on the switch in area 0.

 

 

srajeswaran

Can you confirm the area10 route/sub-net that is not getting filtered?

Regards,

Suraj

sidp
New Contributor III

Yes, I always check it with some routes I'm 100% sure they are from area10 switch.

srajeswaran

As per the LSDB update shared earlier, the only subnet in area10 is 10.30.16.0.

 

Can you please confirm?

 

 

 

Regards,

Suraj

sidp
New Contributor III

10.30.16.0/28 is just the network between Fortigate and cisco-sw1 in area 10 so they can communicate with each other.

Fortigate has an interface with the ip 10.30.16.1 and switch has 10.30.16.14.

 

The list of routes Fortigate is learning from the switch in area 10 contains hundreds of routes.

srajeswaran

I just noticed one thing: there are a lot of external routes present in the Area10 LSDB, but area 10 is configured as stub:

 

        edit 0.0.0.10
            set type stub
        next
    end

The LSDB output ideally should mention stub, but I don't see that in your output. Can you confirm if Area10 is a stub or a regular area?

 

Ideally if the area is stub, we don't expect to see the external routes.

 

And if we are trying to block/filter the external routes, that can be done only on the ASBR and not on the ABR. The same filter needs to be applied on the ASBR router.

 

Regards,

Suraj

sidp
New Contributor III

It was configured as stub just for testing because nothing seems to work. I removed it afterwards.

 

It is not just about the public IPs, I need to filter any route from area 10 for area 0 no matter if it is private or public.

srajeswaran

Are you referring to the routes below?

 

Link ID ADV Router Age Seq# CkSum Flag Route Tag
10.0.9.0 4.4.4.4 1678 80000222 4119 0012 E2 10.0.9.0/24 0
10.0.10.0 4.4.4.4 165 80000223 e53a 0012 E2 10.0.10.0/23 0
10.0.12.0 4.4.4.4 1677 80000222 2037 0012 E2 10.0.12.0/24 0
10.0.13.0 4.4.4.4 1677 80000222 1541 0012 E2 10.0.13.0/24 0
10.0.15.0 4.4.4.4 163 80000223 b366 0012 E2 10.0.15.0/24 0
...long list...
Regards,

Suraj

sidp
New Contributor III

Exactly, there are hundreds of such routes from the switch in area10.
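As an added example (not from the thread, from Fortinet, or from either poster), here is a Python check for the verification the posters were doing by eye: it parses an LSDB listing in the layout quoted above, applies the accepted solution's deny-any FILTER_AREA_10_NETWORKS prefix-list with assumed first-match/implicit-deny semantics, and reports any area-10 prefix that still appears in the area-0 listing. Both listings are constructed samples, and the assumed Python version is 3.7 or later.

```python
import ipaddress
import re

# Constructed sample in the layout of the LSDB excerpt quoted in the thread
# (LSA ages, sequence numbers and checksums are made up for this example).
AREA10_LSDB = """\
Link ID ADV Router Age Seq# CkSum Flag Route Tag
10.0.9.0 4.4.4.4 1678 80000222 4119 0012 E2 10.0.9.0/24 0
10.0.10.0 4.4.4.4 165 80000223 e53a 0012 E2 10.0.10.0/23 0
10.0.12.0 4.4.4.4 1677 80000222 2037 0012 E2 10.0.12.0/24 0
...long list...
"""
# Constructed area-0 listing taken after the filter: one area-10 route lingered.
AREA0_LSDB = """\
Link ID ADV Router Age Seq# CkSum Flag Route Tag
10.0.12.0 2.2.2.2 40 80000001 1a2b 0012 E2 10.0.12.0/24 0
"""
# Columns: Link ID, ADV Router, Age, Seq#, CkSum, Flag, Route type, Route, Tag
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\w+)\s+(\w+)\s+(\w+)\s+(\w+)\s+(\S+/\d+)\s+(\d+)$")
# The accepted solution's FILTER_AREA_10_NETWORKS prefix-list: a single "deny any" rule.
FILTER_AREA_10 = [("deny", "any")]

def parse_lsdb(text):
    """One dict per LSA row; the header and '...' filler lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append({"adv_router": m.group(2), "type": m.group(7),
                         "route": ipaddress.ip_network(m.group(8)), "tag": int(m.group(9))})
    return rows

def prefix_list_action(rules, net):
    """Assumed prefix-list semantics: first matching rule wins, implicit deny at the end."""
    for action, prefix in rules:
        if prefix == "any" or net.subnet_of(ipaddress.ip_network(prefix)):
            return action
    return "deny"

def expected_in_area0(area10_text, rules):
    """Area-10 prefixes the filter-list lets through towards area 0."""
    return sorted(str(r["route"]) for r in parse_lsdb(area10_text)
                  if prefix_list_action(rules, r["route"]) == "permit")

def leaked_routes(area10_text, area0_text, rules):
    """Area-10 prefixes still seen in area 0 although the filter should block them."""
    allowed = set(expected_in_area0(area10_text, rules))
    area10 = {str(r["route"]) for r in parse_lsdb(area10_text)}
    return sorted(str(r["route"]) for r in parse_lsdb(area0_text)
                  if str(r["route"]) in area10 and str(r["route"]) not in allowed)
```

Call `leaked_routes(AREA10_LSDB, AREA0_LSDB, FILTER_AREA_10)` with the two listings captured from the Fortigate and from cisco-sw2; an empty list means the filter holds.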
