Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: How to filter OSPF advertised routes
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to filter OSPF advertised routes
Hi Guys,
I'm trying to switch my national ipsec vpn site-to-site network from static routing to ospf. Each branch's got around 6 subnets from which only 4 should be routed via the ipsec tunnel. Using static routing it's easy since I add only what exactly I need.
My VPN network it's using a star topology and it might change to an extended star.
I've started with 2 branches, the HQ and a branch.
Everything works fine except that I'm not able to filter what routes are been advertised via OSPF since I'm using "config redistribute "connected""
Attached is a lab I did to test it, but still no luck. The routers in the diagram I've attached are FG-70D's.
I've tried:
- prefix-list with in and out on both sides - no luck
- access list with in and out on both sides - no luck
I'm missing something here, right ?!?!
Hope the diagram will give you a clear idea of what I wan to achieve.
Cheers,
Tony
Solved! Go to Solution.
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is for router A and for router B change 192.168.102.0 for 172.16.102.2 config router prefix-list edit "Redistribute-Connected" config rule edit 1 set action deny set prefix 192.168.102.0 255.255.255.0 unset ge unset le next edit 4 set prefix any unset ge unset le next end next end config router route-map edit "Filter-Connected" config rule edit 1 set match-ip-address "Redistribute-Connected" next end next end config router ospf config redistribute "connected" set routemap "Filter-Connected" end end
10 REPLIES 10
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You use config router access list to perform this task
http://kb.fortinet.com/kb....do?externalID=FD36851
Mike Pruett
Mike Pruett
Fortinet GURU | Fortinet Training Videos
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Mike,
I've been trying for the last few hours to use the method mention in your link but doesn't work and has a weird behavior as well.
I'm adding an access list on router_A as follows:
Router_A # show router access-list
[size="2"]config router access-list[/size] [size="2"] edit "OSPF_Filter"[/size] [size="2"] config rule[/size] [size="2"] edit 1[/size] [size="2"] set action deny[/size] [size="2"] set prefix 172.16.102.0 255.255.255.0[/size] [size="2"] set exact-match enable[/size] [size="2"] next[/size] [size="2"] end[/size] [size="2"] next[/size] [size="2"]end[/size]
[size="2"]OSPF config looks like this:[/size]
[size="2"]Router_A # show router ospf[/size] [size="2"]config router ospf[/size] [size="2"] set abr-type cisco[/size] [size="2"] set router-id 0.0.0.1[/size] [size="2"] config area[/size] [size="2"] edit 0.0.0.0[/size] [size="2"] next[/size] [size="2"] end[/size] [size="2"] config ospf-interface[/size] [size="2"] edit "WAN1_TO_B"[/size] [size="2"] set interface "TO_B"[/size] [size="2"] set dead-interval 40[/size] [size="2"] set hello-interval 10[/size] [size="2"] set network-type point-to-point[/size] [size="2"] next[/size] [size="2"] end[/size] [size="2"] config network[/size] [size="2"] edit 1[/size] [size="2"] set prefix 10.101.1.1 255.255.255.255[/size] [size="2"] next[/size] [size="2"] end[/size] [size="2"] config distribute-list[/size] [size="2"] edit 1[/size] [size="2"] set access-list "OSPF_Filter"[/size] [size="2"] next[/size] [size="2"] end[/size] [size="2"] config redistribute "connected"[/size] [size="2"] set status enable[/size] [size="2"] end[/size] [size="2"] config redistribute "static"[/size] [size="2"] end[/size] [size="2"] config redistribute "rip"[/size] [size="2"] end[/size] [size="2"] config redistribute "bgp"[/size] [size="2"] end[/size] [size="2"] config redistribute "isis"[/size] [size="2"] end[/size] [size="2"]end[/size]
[size="2"]All I get is this:[/size]
[size="2"]Router_A # get router info ospf database brief[/size]
[size="2"]Router Link States (Area 0.0.0.0)[/size]
[size="2"]Link ID ADV Router Age Seq# CkSum Flag Link count[/size] [size="2"]0.0.0.1 0.0.0.1 835 8000003b 36a0 0021 3[/size] [size="2"]0.0.0.2 0.0.0.2 842 80000038 24b3 0002 3[/size]
[size="2"]AS External Link States[/size]
[size="2"]Link ID ADV Router Age Seq# CkSum Flag Route Tag[/size] [size="2"]10.0.0.0 0.0.0.2 874 80000008 9820 0002 E2 10.0.0.0/30 0[/size] [size="2"]10.101.1.1 0.0.0.2 1454 80000008 d479 0002 E2 10.101.1.1/32 0[/size] [size="2"]172.16.100.0 0.0.0.2 1424 80000008 5747 0002 E2 172.16.100.0/24 0[/size] [size="2"]172.16.101.0 0.0.0.2 1704 80000008 4c51 0002 E2 172.16.101.0/24 0[/size] [size="2"]172.16.102.0 0.0.0.2 1784 80000008 415b 0002 E2 172.16.102.0/24 0[/size]
[size="2"]Router_A # get router info ospf database brief[/size]
[size="2"]Router Link States (Area 0.0.0.0)[/size]
[size="2"]Link ID ADV Router Age Seq# CkSum Flag Link count[/size] [size="2"]0.0.0.1 0.0.0.1 835 8000003b 36a0 0021 3[/size] [size="2"]0.0.0.2 0.0.0.2 842 80000038 24b3 0002 3[/size]
[size="2"]AS External Link States[/size]
[size="2"]Link ID ADV Router Age Seq# CkSum Flag Route Tag[/size] [size="2"]10.0.0.0 0.0.0.2 874 80000008 9820 0002 E2 10.0.0.0/30 0[/size] [size="2"]10.101.1.1 0.0.0.2 1454 80000008 d479 0002 E2 10.101.1.1/32 0[/size] [size="2"]172.16.100.0 0.0.0.2 1424 80000008 5747 0002 E2 172.16.100.0/24 0[/size] [size="2"]172.16.101.0 0.0.0.2 1704 80000008 4c51 0002 E2 172.16.101.0/24 0[/size] [size="2"]172.16.102.0 0.0.0.2 1784 80000008 415b 0002 E2 172.16.102.0/24 0[/size]
[size="2"]Not sure if you've noticed, but I'm on router_A and instead to filter the route in green, I'm actually filtering all my connected networks/routes.[/size]
Am I missing something here ?
Below is the OSPF output from Router_B:
[size="2"]Router_B # get router info ospf database brief[/size]
[size="2"]Router Link States (Area 0.0.0.0)[/size]
[size="2"]Link ID ADV Router Age Seq# CkSum Flag Link count[/size] [size="2"]0.0.0.1 0.0.0.1 1133 8000003b 36a0 0012 3[/size] [size="2"]0.0.0.2 0.0.0.2 1138 80000038 24b3 0021 3[/size]
[size="2"]AS External Link States[/size]
[size="2"]Link ID ADV Router Age Seq# CkSum Flag Route Tag[/size] [size="2"]10.0.0.0 0.0.0.2 1170 80000008 9820 0031 E2 10.0.0.0/30 0[/size] [size="2"]10.101.1.1 0.0.0.2 1750 80000008 d479 0031 E2 10.101.1.1/32 0[/size] [size="2"]172.16.100.0 0.0.0.2 1720 80000008 5747 0031 E2 172.16.100.0/24 0[/size] [size="2"]172.16.101.0 0.0.0.2 190 80000009 4a52 0031 E2 172.16.101.0/24 0[/size] [size="2"]172.16.102.0 0.0.0.2 270 80000009 3f5c 0031 E2 172.16.102.0/24 0[/size]
[size="2"]Router_B # get router info routing-table all [/size] [size="2"]Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP[/size] [size="2"] O - OSPF, IA - OSPF inter area[/size] [size="2"] N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2[/size] [size="2"] E1 - OSPF external type 1, E2 - OSPF external type 2[/size] [size="2"] i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area[/size] [size="2"] * - candidate default[/size]
[size="2"]C 10.0.0.0/30 is directly connected, wan1[/size] [size="2"]C 10.101.1.1/32 is directly connected, TO_A[/size] [size="2"]C 10.101.1.2/32 is directly connected, TO_A[/size] [size="2"]C 172.16.100.0/24 is directly connected, internal1[/size] [size="2"]C 172.16.101.0/24 is directly connected, internal2[/size] [size="2"]C 172.16.102.0/24 is directly connected, internal3[/size]
Cheers,
Tony
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Guys,
After some struggle, I've managed to prevent the routing table to be populated with I don't want.
This is not affecting, filter, OSPF LS updates and doesn't impact the LSDB nor the LSAs redistribution.
This is just a filter acting on the routing table.
What I've done:
[left]Router_B # show router prefix-list [size="2"]config router prefix-list[/size] [size="2"] edit "OSPF-Filter"[/size] [size="2"]config rule[/size] [size="2"]edit 1[/size] [size="2"]set action deny[/size] [size="2"]set prefix 192.168.102.0 255.255.255.0[/size] [size="2"]unset ge[/size] [size="2"]unset le[/size] [size="2"]next[/size] [size="2"]edit 2[/size] [size="2"] set prefix any[/size] [size="2"] unset ge[/size] [size="2"] unset le[/size] [size="2"] next[/size] [size="2"] end[/size] [size="2"]next[/size] [size="2"]end[/size][/left]
[size="2"]Router_B # show router ospf [/size] [size="2"]config router ospf[/size] [size="2"] set abr-type cisco[/size] [size="2"] set router-id 0.0.0.2[/size] [size="2"] set distribute-list-in "OSPF-Filter"[/size] [size="2"] config area[/size] [size="2"] edit 0.0.0.0[/size] [size="2"] next[/size] [size="2"] end[/size] [size="2"] config ospf-interface[/size] [size="2"] edit "WAN1_TO_A"[/size] [size="2"] set interface "TO_A"[/size] [size="2"] set dead-interval 40[/size] [size="2"] set hello-interval 10[/size] [size="2"] set network-type point-to-point[/size] [size="2"] next[/size] [size="2"] end[/size] [size="2"] config network[/size] [size="2"] edit 1[/size] [size="2"] set prefix 10.101.1.2 255.255.255.255[/size] [size="2"] next[/size] [size="2"] end[/size] [size="2"] config redistribute "connected"[/size] [size="2"] set status enable[/size] [size="2"] end[/size] [size="2"] config redistribute "static"[/size] [size="2"] end[/size] [size="2"] config redistribute "rip"[/size] [size="2"] end[/size] [size="2"] config redistribute "bgp"[/size] [size="2"] end[/size] [size="2"] config redistribute "isis"[/size] [size="2"] end[/size] [size="2"]end[/size]
[size="2"]The result:[/size]
[size="2"]The database still contains all routes, including the one in red.[/size]
Router_B # get router info ospf database brief
Router Link States (Area 0.0.0.0)
Link ID ADV Router Age Seq# CkSum Flag Link count 0.0.0.1 0.0.0.1 852 80000042 28a7 0002 3 0.0.0.2 0.0.0.2 845 80000040 14bb 0021 3
AS External Link States
Link ID ADV Router Age Seq# CkSum Flag Route Tag 10.0.0.0 0.0.0.1 1153 80000001 ac14 0002 E2 10.0.0.0/30 0 10.0.0.0 0.0.0.2 861 80000001 a619 0021 E2 10.0.0.0/30 0 10.101.1.1 0.0.0.2 861 80000001 e272 0021 E2 10.101.1.1/32 0 10.101.1.2 0.0.0.1 1153 80000001 de76 0002 E2 10.101.1.2/32 0 172.16.100.0 0.0.0.2 861 80000001 6540 0021 E2 172.16.100.0/24 0 172.16.101.0 0.0.0.2 861 80000001 5a4a 0021 E2 172.16.101.0/24 0 172.16.102.0 0.0.0.2 861 80000001 4f54 0021 E2 172.16.102.0/24 0 192.168.100.0 0.0.0.1 1153 80000001 3fba 0002 E2 192.168.100.0/24 0 192.168.101.0 0.0.0.1 1153 80000001 34c4 0002 E2 192.168.101.0/24 0 [size="2"]192.168.102.0 0.0.0.1 35 80000002 27cf 0012 E2 192.168.102.0/24 0[/size]
But the routing table, doesn't:
Router_B # get router info routing-table all Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area * - candidate default
C 10.0.0.0/30 is directly connected, wan1 C 10.101.1.1/32 is directly connected, TO_A C 10.101.1.2/32 is directly connected, TO_A C 172.16.100.0/24 is directly connected, internal1 C 172.16.101.0/24 is directly connected, internal2 C 172.16.102.0/24 is directly connected, internal3 [size="2"]O E2 192.168.100.0/24 [110/10] via 10.101.1.1, TO_A, 00:15:39[/size] [size="2"]O E2 192.168.101.0/24 [110/10] via 10.101.1.1, TO_A, 00:15:39[/size]
Now, it's all good, but, I would really really like to stop the route been distributed from the router it belongs too.
This means, Router_A should not send that route at all.
Cheers,
Tony
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
and delete this from both
[size="2"]set distribute-list-in "OSPF-Filter"[/size]
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is for router A and for router B change 192.168.102.0 for 172.16.102.2 config router prefix-list edit "Redistribute-Connected" config rule edit 1 set action deny set prefix 192.168.102.0 255.255.255.0 unset ge unset le next edit 4 set prefix any unset ge unset le next end next end config router route-map edit "Filter-Connected" config rule edit 1 set match-ip-address "Redistribute-Connected" next end next end config router ospf config redistribute "connected" set routemap "Filter-Connected" end end
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for your replies. I'll try to reproduce this on my testing environment and I'll let you guys know.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Advanced Routing for FortiOS 5.2
Fortinet Technologies Inc.
Page 56
"Route maps
[size="2"]Route maps are a way for the FortiGate unit to evaluate optimum routes for forwarding packets or suppressing the routing of packets to particular destinations. Compared to access lists, route maps support enhanced packet-matching. In addition, route maps can be configured to permit or deny the addition of routes to the FortiGate unit routing table and make changes to routing information dynamically as defined through route-map rules. Route maps can be used for limiting both received route updates, and sent route updates. This can include the redistribution of routes learned from other types of routing. For example if you don’t want to advertise local static routes to external networks, you could use a route map to accomplish this."[/size]
Thank you Edwin, works like a charm.
Personal note:
I would recommend that every tech who's thinking to play with dynamic routing to read from scratch the whole
"FortiOS™ Handbook - Advanced Routing VERSION 5.2.2" and try to reproduce every example in the lab.
Cheers,
Tony
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The 5.4 version of Advanced Routing doesn't have a PDF version. The online help version is at:
http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-advanced-routing-54/HB_intro.htm
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Tarn,
I've seen this one but din't read it yet. My boxes were running 5.2.10 so I've preferred reading the old advanced routing handbook. Upgrading my boxes to 5.4.4 is the next step.
Thanks for your reply.
Cheers,
Tony
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Filter small range from bigger advertise... 246 Views
- FortiGate cheatsheet FortiOS 7.4 3135 Views
- Redirect VIP to Internet with Central... 711 Views
- ping from one of the wan... 802 Views
- OSPF redistributed routes filtering 676 Views
Labels
-
FortiGate
8,442 -
FortiClient
1,708 -
5.2
801 -
FortiManager
708 -
5.4
639 -
FortiAnalyzer
545 -
FortiAP
457 -
FortiSwitch
456 -
6.0
416 -
FortiClient EMS
405 -
5.6
362 -
FortiMail
308 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
215 -
FortiWeb
199 -
5.0
196 -
IPsec
183 -
FortiNAC
175 -
FortiGuard
135 -
6.4
128 -
SD-WAN
109 -
FortiGateCloud
100 -
FortiSIEM
97 -
FortiCloud Products
96 -
FortiToken
89 -
FortiAuthenticator
84 -
Customer Service
77 -
Wireless Controller
75 -
Firewall policy
70 -
4.0MR3
64 -
FortiProxy
59 -
FortiADC
53 -
Fortivoice
52 -
High Availability
51 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiSandbox
43 -
FortiExtender
43 -
FortiDNS
42 -
Routing
39 -
DNS
39 -
BGP
38 -
LDAP
38 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
33 -
Certificate
32 -
Authentication
31 -
SSO
31 -
Interface
31 -
NAT
30 -
RADIUS
29 -
FortiConnect
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
Application control
25 -
FortiGate v5.2
24 -
VDOM
24 -
Logging
24 -
Web profile
23 -
FortiPAM
22 -
Virtual IP
22 -
Fortigate Cloud
19 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
FortiMonitor
18 -
SSL SSH inspection
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
IP address management - IPAM
14 -
FortiSOAR
13 -
SSID
13 -
Static route
13 -
System settings
13 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Traffic shaping policy
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Traffic shaping profile
5 -
Email filter profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Service
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1647 | |
| 1070 | |
| 751 | |
| 443 | |
| 214 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.