Support Forum
asgspl
New Contributor

How to filter OSPF advertised routes

Hi Guys,

I'm trying to switch my national IPsec VPN site-to-site network from static routing to OSPF. Each branch has around 6 subnets, of which only 4 should be routed via the IPsec tunnel. Using static routing it's easy, since I add only exactly what I need.

My VPN network is using a star topology, and it might change to an extended star.

I've started with 2 sites: the HQ and a branch.

Everything works fine, except that I'm not able to filter which routes are being advertised via OSPF, since I'm using "config redistribute "connected"".

Attached is a lab I did to test it, but still no luck. The routers in the diagram I've attached are FG-70Ds.

I've tried:

- prefix-list with in and out on both sides - no luck

- access-list with in and out on both sides - no luck

 

I'm missing something here, right?!?!

Hope the diagram will give you a clear idea of what I want to achieve.

 

Cheers,

Tony

1 Solution
support12
New Contributor III

This is for router A; for router B, change 192.168.102.0 to 172.16.102.2.

config router prefix-list
    edit "Redistribute-Connected"
        config rule
            edit 1
                set action deny
                set prefix 192.168.102.0 255.255.255.0
                unset ge
                unset le
            next
            edit 4
                set prefix any          # action defaults to permit; needed because the list ends in an implicit deny
                unset ge
                unset le
            next
        end
    next
end
config router route-map
    edit "Filter-Connected"
        config rule
            edit 1
                set match-ip-address "Redistribute-Connected"
            next
        end
    next
end
config router ospf
    config redistribute "connected"
        set routemap "Filter-Connected"
    end
end

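To check a filter like the one in the accepted solution before pushing it to a device, the following is an added Python model of FortiOS prefix-list and access-list matching; it is not code from the post or from Fortinet, and the semantics in its docstring (rules evaluated in order, first match wins, implicit deny at the end, exact length when ge/le are unset, more-specific subnets caught unless exact-match is set) are assumptions about the CLI rather than anything the thread states. The six subnets, and the extra ge/le rule, are constructed. It also shows why the final "set prefix any" entry matters: without it the list denies everything and "connected" is no longer redistributed at all. The practical point for a VPN hub is that redistributing "connected" without a filter pushes every local subnet, management networks included, into the peer's routing table, so the filter belongs on the originating router's export side.

```python
"""Model of FortiOS prefix-list / access-list matching as used to filter
'config redistribute "connected"'.  Added example, not code from the forum
post or from Fortinet; it runs offline against constructed input.
Assumed semantics (Cisco-style, modelled here as assumptions about FortiOS):
  - rules are evaluated in order, first match wins, unmatched routes are denied
  - prefix-list: with ge/le unset the rule matches only that exact length
  - access-list: without exact-match a rule also matches more-specific subnets
"""
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import List, Optional, Sequence, Union


@dataclass(frozen=True)
class Rule:
    """One 'edit N' entry under 'config rule'."""
    action: str = "permit"                 # FortiOS default action is permit
    prefix: Optional[IPv4Network] = None   # None models 'set prefix any'
    ge: Optional[int] = None               # prefix-list only
    le: Optional[int] = None               # prefix-list only
    exact_match: bool = False              # access-list 'set exact-match enable'


def rule_matches(rule: Rule, route: IPv4Network, prefix_list: bool) -> bool:
    if rule.prefix is None:
        return True
    # the route must sit inside the rule's prefix (its first m bits must agree)
    if not route.subnet_of(rule.prefix):
        return False
    m = rule.prefix.prefixlen
    if prefix_list:
        lo = rule.ge if rule.ge is not None else m
        hi = rule.le if rule.le is not None else (32 if rule.ge is not None else m)
        return lo <= route.prefixlen <= hi
    # access-list: exact-match restricts the rule to the stated length only
    return route.prefixlen == m if rule.exact_match else True


def evaluate(rules: Sequence[Rule], route: Union[str, IPv4Network],
             prefix_list: bool = True) -> str:
    """Action the list takes for one route; unmatched routes hit the implicit deny."""
    if isinstance(route, str):
        route = IPv4Network(route)
    for rule in rules:
        if rule_matches(rule, route, prefix_list):
            return rule.action
    return "deny"


def redistributed(rules: Sequence[Rule], connected: Sequence[str],
                  prefix_list: bool = True) -> List[str]:
    """Connected subnets that the route-map would let through into OSPF."""
    return [p for p in connected if evaluate(rules, p, prefix_list) == "permit"]


# Constructed input: six connected subnets on a FortiGate, of which the
# 192.168.102.0/24 LAN and the 10.99.0.0/24 management LAN must stay off the tunnel.
CONNECTED = ["192.168.100.0/24", "192.168.101.0/24", "192.168.102.0/24",
             "192.168.103.0/24", "192.168.104.0/24", "10.99.0.0/24"]

# Equivalent of the accepted solution's prefix-list, extended (assumption, for
# illustration) with a second deny that uses ge/le to catch every /24 inside 10.99.0.0/16.
PREFIX_LIST = [
    Rule("deny", IPv4Network("192.168.102.0/24")),
    Rule("deny", IPv4Network("10.99.0.0/16"), ge=24, le=24),
    Rule("permit"),   # 'set prefix any': without it, everything else is denied
]

# Access-list variants showing what 'set exact-match enable' changes.
ACL_LOOSE = [Rule("deny", IPv4Network("192.168.102.0/24")), Rule("permit")]
ACL_EXACT = [Rule("deny", IPv4Network("192.168.102.0/24"), exact_match=True),
             Rule("permit")]


if __name__ == "__main__":
    print("redistributed:", redistributed(PREFIX_LIST, CONNECTED))
    sub = "192.168.102.128/25"
    print("ACL without exact-match, /25 inside the denied /24:", evaluate(ACL_LOOSE, sub, False))
    print("ACL with exact-match, same /25:", evaluate(ACL_EXACT, sub, False))
    print("prefix-list without the 'any' rule:", evaluate(PREFIX_LIST[:2], "192.168.100.0/24"))
```

Run it as a script to see which four of the six subnets survive; the last line demonstrates that dropping the "any" rule turns the filter into a deny-all.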

10 REPLIES
YamGoD
New Contributor

In general, the filtering scheme can be represented as follows.

If a route has made it into the OSPF domain, then on each router it can be controlled by an import policy, from the OSPF database into the routing table. The LSA will be present in the databases of all OSPF routers; however, the policy can control whether the route exists in the routing table. For example, suppose that in addition to router B you have one more router C (RouterA -- RouterB -- RouterC). Import-policy filtering on B will not prevent the LSA from being passed on to C; therefore, once a router injects a route into the OSPF area, it has to be filtered (by import policies, not export policies) on all routers, which is time-consuming.

 

Import policy is implemented on FortiGate using the distribute-list-in configuration section. In your case on Router B:

 

############# Import policy example ##################
config router access-list
    edit connected_to_ospf_import
        config rule
            edit 1
                set action deny
                set prefix 192.168.102.0/24   # remote prefix, not the local one (172.17.102.0/24)
                set exact-match enable        # if you have for example 192.168.102.128/25 and need to deny only
                                              # 192.168.102.0/24 but not its subnets
            next
            edit 2
                set action permit
                set prefix any
            next
        end
    next
end
config router ospf
    set distribute-list-in connected_to_ospf_import
end
##############################################

In order to prohibit the route from entering the OSPF domain, you can use export policies. Export policy is implemented on FortiGate by using an access-list in the distribute-list configuration section, or by using a route-map in the redistribute configuration section. In your case on Router B (and you try to use it on router A, which is not correct):

############ Distribute list example ###################
ROUTER B#
config router access-list
    edit connected_to_ospf_export
        config rule
            edit 1
                set action deny
                set prefix 172.16.102.0/24   # local prefix injected into OSPF by the router itself (not the remote prefix)
                set exact-match enable
            next
            edit 2
                set action permit
                set prefix any
            next
        end
    next
end
config router ospf
    config distribute-list
        edit 1
            set access-list connected_to_ospf_export
            set protocol connected   # by default
        next
    end
end
###################################################

############ Route map example ######################
config router access-list
    edit connected_to_ospf_export_acl
        config rule
            edit 1
                set action deny
                set prefix 172.16.102.0/24   # local prefix injected into OSPF by the router itself (but not the remote prefix)
                set exact-match enable
            next
            edit 2
                set action permit
                set prefix any
            next
        end
    next
end
config router route-map
    edit connected_to_ospf_export_rm
        config rule
            edit 1
                set action permit
                set match-ip-address connected_to_ospf_export_acl
            next
        end
    next
end
config router ospf
    config redistribute "connected"
        set status enable
        set routemap connected_to_ospf_export_rm
    end
end
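The import-versus-export distinction in the reply above is easy to get wrong in a hub-and-spoke VPN, so here is an added Python model of a three-router chain that shows where each kind of filter takes effect. It is not code from the reply or from Fortinet; it encodes the behaviour the reply describes (a redistributed prefix becomes an LSA flooded to every router's database, and distribute-list-in only decides whether that one router installs it), uses exact prefix matching as with "set exact-match enable" to stay small, and the routers and subnets are constructed. The third scenario reproduces the original poster's mistake of putting the export filter on a router that does not own the prefix.

```python
"""Toy model of where an OSPF filter takes effect: export policy (route-map on
'redistribute', or 'config distribute-list') on the router that owns the
prefix, versus import policy ('distribute-list-in') on a receiving router.
Added example, not code from the reply or from Fortinet.  It encodes the
behaviour the reply describes: a redistributed prefix becomes an LSA that is
flooded to every router's database, and an import filter only decides
whether that router installs it in its own routing table.  Prefix matching
is exact (as with 'set exact-match enable') to keep the model small."""
from ipaddress import IPv4Network
from typing import Dict, Iterable, List, Set, Tuple


class Router:
    def __init__(self, name: str, connected: Iterable[str],
                 export_deny: Iterable[str] = (), import_deny: Iterable[str] = ()):
        self.name = name
        self.connected = {IPv4Network(p) for p in connected}
        self.export_deny = {IPv4Network(p) for p in export_deny}  # never redistributed
        self.import_deny = {IPv4Network(p) for p in import_deny}  # never installed in RIB

    def redistribute(self) -> Set[IPv4Network]:
        """Connected prefixes that survive the export filter become external LSAs.
        Denying a prefix this router does not own has no effect, which is why the
        filter has to live on the originating router."""
        return self.connected - self.export_deny


def run_domain(routers: List[Router]) -> Tuple[Set[str], Dict[str, List[str]]]:
    """Flood every originated LSA to every router's database, then apply each
    router's import filter only when building its own routing table."""
    lsdb = {(p, r.name) for r in routers for p in r.redistribute()}
    rib: Dict[str, List[str]] = {}
    for r in routers:
        learned = {p for p, origin in lsdb if origin != r.name and p not in r.import_deny}
        rib[r.name] = sorted(str(p) for p in r.connected | learned)
    return {str(p) for p, _ in lsdb}, rib


def scenario(import_on_b: bool = False, export_on_a: bool = False,
             export_on_wrong_router: bool = False) -> Tuple[Set[str], Dict[str, List[str]]]:
    """Constructed chain A -- B -- C.  A owns 192.168.102.0/24, which must not
    become reachable over the tunnel."""
    victim = "192.168.102.0/24"
    a = Router("A", ["192.168.100.0/24", victim],
               export_deny=[victim] if export_on_a else [])
    b = Router("B", ["172.16.102.0/24"],
               export_deny=[victim] if export_on_wrong_router else [],
               import_deny=[victim] if import_on_b else [])
    c = Router("C", ["10.30.0.0/24"])
    return run_domain([a, b, c])


if __name__ == "__main__":
    cases = [("no filter", {}),
             ("import filter on B", {"import_on_b": True}),
             ("export filter on A", {"export_on_a": True}),
             ("export filter on B for A's prefix", {"export_on_wrong_router": True})]
    for label, kw in cases:
        lsdb, rib = scenario(**kw)
        p = "192.168.102.0/24"
        print(f"{label}: in LSDB={p in lsdb}  B RIB={p in rib['B']}  C RIB={p in rib['C']}")
```

Only the "export filter on A" case keeps the prefix out of every other router; the import filter on B hides it from B's own table while C still installs it, and the export filter on B does nothing because B does not originate that prefix.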

 
