Hi Guys,
I'm trying to switch my national IPsec VPN site-to-site network from static routing to OSPF. Each branch has around 6 subnets, of which only 4 should be routed via the IPsec tunnel. Using static routing it's easy since I add only exactly what I need.
My VPN network is using a star topology and it might change to an extended star.
I've started with 2 branches, the HQ and a branch.
Everything works fine except that I'm not able to filter which routes are being advertised via OSPF, since I'm using "config redistribute "connected"".
Attached is a lab I did to test it, but still no luck. The routers in the diagram I've attached are FG-70D's.
I've tried:
- prefix-list with in and out on both sides - no luck
- access list with in and out on both sides - no luck
I'm missing something here, right ?!?!
Hope the diagram will give you a clear idea of what I want to achieve.
Cheers,
Tony
This is for router A; for router B change 192.168.102.0 to 172.16.102.2.

config router prefix-list
    edit "Redistribute-Connected"
        config rule
            edit 1
                set action deny
                set prefix 192.168.102.0 255.255.255.0
                unset ge
                unset le
            next
            edit 4
                set prefix any
                unset ge
                unset le
            next
        end
    next
end
config router route-map
    edit "Filter-Connected"
        config rule
            edit 1
                set match-ip-address "Redistribute-Connected"
            next
        end
    next
end
config router ospf
    config redistribute "connected"
        set routemap "Filter-Connected"
    end
end
In general, the scheme of filtering can be represented as follows.
If the route has already entered the OSPF domain, then on each router it can be controlled by import policies, i.e. from the OSPF database into the routing table. The LSA will be present in the databases of all OSPF routers; however, the policy can control whether the route exists in the routing table. For example, in addition to router B you will have one more router C (RouterA -- RouterB -- RouterC). Import policy filtering on B will not prevent the LSA from being passed further to C; therefore, once a router injects a route into the OSPF area, it has to be filtered (by import policies, not export policies) on all routers, which is time-consuming.
Import policy is implemented in FortiGate using the distribute-list-in configuration section. In your case on Router B:
############# Import policy example ##################
config router access-list
    edit connected_to_ospf_import
        config rule
            edit 1
                set action deny
                set prefix 192.168.102.0/24   # remote prefix but not the local one (172.17.102.0/24)
                set exact-match enable        # if you have for example 192.168.102.128/25 and you need to deny only 192.168.102.0/24 but not its subnets
            next
            edit 2
                set action permit
                set prefix any
            next
        end
    next
end
config router ospf
    set distribute-list-in connected_to_ospf_import
end
##############################################
In order to prohibit the route from entering the OSPF domain, you can use export policies. Export policy is implemented in FortiGate either by using an access-list in the distribute-list configuration section or by using a route-map in the redistribute configuration section. In your case on Router B (and you try to use it on router A, which is not correct):
############ Distribute list example ###################
ROUTER B#
config router access-list
    edit connected_to_ospf_export
        config rule
            edit 1
                set action deny
                set prefix 172.16.102.0/24   # local prefix injected into OSPF on the router itself (not the remote prefix)
                set exact-match enable
            next
            edit 2
                set action permit
                set prefix any
            next
        end
    next
end
config router ospf
    config distribute-list
        edit 1
            set access-list connected_to_ospf_export
            set protocol connected   # by default
        next
    end
end
###################################################
############ Route map example ######################
config router access-list
    edit connected_to_ospf_export_acl
        config rule
            edit 1
                set action deny
                set prefix 172.16.102.0/24   # local prefix injected into OSPF on the router itself (but not the remote prefix)
                set exact-match enable
            next
            edit 2
                set action permit
                set prefix any
            next
        end
    next
end
config router route-map
    edit connected_to_ospf_export_rm
        config rule
            edit 1
                set action permit
                set match-ip-address connected_to_ospf_export_acl
            next
        end
    next
end
config router ospf
    config redistribute "connected"
        set status enable
        set routemap connected_to_ospf_export_rm
    end
end
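To make the exact-match behaviour in the two answers above concrete, here is an added Python model (not FortiGate code and not from either answer) of how an ordered access-list decides which connected prefixes a distribute-list or route-map lets into OSPF. Only 172.16.102.0/24 is taken from the page; the other Router B subnets are constructed for illustration.

```python
from ipaddress import IPv4Network

# Constructed sample: Router B's connected subnets. Only 172.16.102.0/24
# appears on the page; the other three are assumed for illustration.
CONNECTED_B = [
    "172.16.101.0/24",
    "172.16.102.0/24",
    "172.16.102.128/25",
    "172.16.103.0/24",
]

# Mirrors access-list "connected_to_ospf_export" from the answer above:
# rule 1 denies the local /24 with exact-match, rule 2 permits anything else.
EXPORT_ACL = [
    {"action": "deny", "prefix": "172.16.102.0/24", "exact_match": True},
    {"action": "permit", "prefix": "any"},
]


def rule_matches(route: IPv4Network, rule: dict) -> bool:
    """'any' matches everything; with exact-match only the identical prefix
    matches; without it, any route contained in the configured prefix matches."""
    if rule["prefix"] == "any":
        return True
    configured = IPv4Network(rule["prefix"])
    if rule.get("exact_match", False):
        return route == configured
    return route.subnet_of(configured)


def evaluate(route: str, rules: list) -> str:
    """Rules are checked in order and the first match decides. A route that
    matches no rule is denied, which is why both answers end with a
    permit-any rule when the intent is 'deny one prefix, allow the rest'."""
    net = IPv4Network(route)
    for rule in rules:
        if rule_matches(net, rule):
            return rule["action"]
    return "deny"


def redistributed(connected: list, rules: list) -> list:
    """Connected prefixes that the export policy allows into OSPF."""
    return [p for p in connected if evaluate(p, rules) == "permit"]


if __name__ == "__main__":
    for prefix in CONNECTED_B:
        print(f"{prefix:20} -> {evaluate(prefix, EXPORT_ACL)}")
    print("redistributed:", redistributed(CONNECTED_B, EXPORT_ACL))
```

For the original "only 4 of 6 subnets" requirement the inverse shape works as well: four explicit permit rules with no permit-any, so everything else falls through to the implicit deny.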