Support Forum
johndj1982
New Contributor

OSPF Route Map Filter

Hi,

I would like to ask if there is a way in Fortinet to filter OSPF routes from an OSPF router using the OSPF advertising router ID (ospf-id), something similar to "match ip route-source" in Cisco.

I want to simulate this kind of policy in Fortinet; see the output below. This is a Cisco output. My goal here is to block specific routes advertised by OSPF router 172.32.102.3.

ip prefix-list ROUTES_FR_MPLS seq 1 permit 10.2.76.0/24
ip prefix-list ROUTES_FR_MPLS seq 2 permit 10.2.76.2/32
ip prefix-list ROUTES_FR_MPLS seq 3 permit 10.2.76.3/32
ip prefix-list ROUTES_FR_MPLS seq 4 permit 10.2.108.0/24
ip prefix-list ROUTES_FR_MPLS seq 5 permit 10.2.108.2/32
ip prefix-list ROUTES_FR_MPLS seq 6 permit 10.2.108.3/32
ip prefix-list ROUTES_FR_MPLS seq 7 permit 10.180.8.0/25
ip prefix-list ROUTES_FR_MPLS seq 8 permit 10.86.46.0/24
ip prefix-list ROUTES_FR_MPLS seq 9 permit 10.86.47.0/24
!
access-list 1 permit host 172.32.102.3
access-list 1 remark OSPF_ID
!
route-map FILTER_ROUTES deny 1
 match ip address prefix-list ROUTES_FR_MPLS
 match ip route-source 1
!
route-map FILTER_ROUTES permit 2
!
end

Thanks,

2 REPLIES
Benoit_Rech_FTNT

Hello,

There is no such matching "function" in FortiOS.

All the filtering capabilities on OSPF through route-map are described here: http://docs-legacy.fortinet.com//fgt/handbook/cli_html/index.html#page/FortiOS%25205.0%2520CLI/confi...

If these are external routes, you can tag the routes at the source and then filter them on the FortiGate using "match-tag".

Benoit

emnoc
Esteemed Contributor III

I think you can do it

config router prefix-list
    edit "droprts"
        config rule
            edit 1
                set prefix 10.2.76.0 255.255.255.0
                unset ge
                unset le
            next
            edit 2
                set prefix 10.2.76.2 255.255.255.255
                unset ge
                unset le
            next
            edit 3
                set prefix 10.2.76.3 255.255.255.255
                unset ge
                unset le
            next
            edit 4
                set prefix 10.2.108.0 255.255.255.0
                unset ge
                unset le
            next
            edit 5
                set prefix 10.2.108.2 255.255.255.255
                unset ge
                unset le
            next
            edit 6
                set prefix 10.2.108.3 255.255.255.255
                unset ge
                unset le
            next
            edit 7
                set prefix 10.180.8.0 255.255.255.128
                unset ge
                unset le
            next
            edit 8
                set prefix 10.86.46.0 255.255.255.0
                unset ge
                unset le
            next
            edit 9
                set prefix 10.86.47.0 255.255.255.0
                unset ge
                unset le
            next
        end
    next
end

and

config router prefix-list
    edit "mplsqw"
        set comments "ROUTES_FR_MPLS that we want to ignore OSPF RT XYZ"
        config rule
            edit 1
                set prefix 172.32.102.3 255.255.255.255
                unset ge
                unset le
            next
        end
    next
end

and then you build it into a route-map.

You may have to match the next-hop as well as the prefixes, and apply the deny action:

config router route-map
    edit "dropospf"
        config rule
            edit 1
                set action deny
                set match-ip-address "droprts"
                set match-ip-nexthop "mplsqw"
                set set-metric 2147483647
            next
            edit 50
                set action accept
            next
        end
    next
end

NOTE: I like to apply the max OSPF metric to these routes also. As stated in another post on OSPF filtering, the LSA table will NOT be modified.

Try the above, review it and see if it works, but that's the same thing as the Cisco route-map, and Fortinet has copied almost everything that Cisco has done, to some degree. Ideally you would have the upstream filter it.

If these are external routes, you can tag the routes at the source and then filter them on the FortiGate using "match-tag".

That would work, but he would still need to apply a prefix-list for the tagged routes. If the upstream was savvy they could tag these routes with a unique tag, but to blindly drop tag XYZ would not be a very good thing.

If you do use a match-tag, be advised that this could lead to other unwanted conditions if any of these items change:

    SP changes router and OSPF tag

    TAG is removed

    other routes use the same OSPF tag

Just food for thought.

PCNSE 

NSE 

StrongSwan  

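Putting the two replies together, as an added example that is not from any post in this thread or from Fortinet's documentation: it assumes the "droprts" and "mplsqw" prefix-lists from the post above already exist, that an OSPF process is already configured, the FortiOS 5.x/6.x CLI (in particular the distribute-route-map-in setting under config router ospf, which I assume is available in your version), and that 172.32.102.3 is the directly connected neighbour's interface address on the shared link. That last point is the catch with the next-hop approach: the FortiGate installs OSPF routes with the adjacent neighbour's interface address as next-hop, so a match-ip-nexthop list only identifies the advertising router when that router is the direct neighbour and the listed address is its address on the shared segment; for external routes originated by a non-adjacent ASBR, the next-hop is whichever neighbour is on the path to it, not the ASBR's router ID. The tag variant (Option B) uses a hypothetical tag value 3102 and hypothetical Cisco process/AS numbers, and is bounded by the same prefix-list so a reused or moved tag cannot drop unrelated routes. Lines beginning with # are annotations, not CLI input.

```text
# --- Option A: next-hop based filter (emnoc's approach), applied to OSPF ---
config router route-map
    edit "dropospf"
        config rule
            edit 1
                set action deny
                set match-ip-address "droprts"
                set match-ip-nexthop "mplsqw"
            next
            edit 50
                set action accept
            next
        end
    next
end

# Without this step the route-map is defined but never consulted.
# (distribute-route-map-in: assumed available in the FortiOS version in use)
config router ospf
    set distribute-route-map-in "dropospf"
end

# --- Option B: tag based filter (Benoit's approach), still prefix-bounded ---
# Upstream Cisco ASBR tags what it redistributes into OSPF.
# Process 1, AS 65000 and tag 3102 are hypothetical example values.
#   route-map TAG_FR_MPLS permit 10
#    set tag 3102
#   router ospf 1
#    redistribute bgp 65000 subnets route-map TAG_FR_MPLS
#
# FortiGate side: deny only when BOTH the tag and the prefix match, so a
# tag that the SP reuses or moves to other routes cannot silently drop them.
config router route-map
    edit "dropospf-tag"
        config rule
            edit 1
                set action deny
                set match-ip-address "droprts"
                set match-tag 3102
            next
            edit 50
                set action accept
            next
        end
    next
end

# Reference whichever route-map is chosen (only one can be active):
# config router ospf
#     set distribute-route-map-in "dropospf-tag"
# end

# --- Verification ---
# get router info routing-table ospf
#     10.2.76.0/24, 10.2.108.0/24 etc. must no longer appear
# get router info ospf database
#     the LSAs from 172.32.102.3 are still present: filtering happens at
#     RIB install time, the LSA database is not changed
```

Either route-map does nothing until it is referenced by distribute-route-map-in. The filter acts when routes are installed into the FortiGate's own routing table, so the LSAs stay in the database and are still flooded to the other routers in the area, which is why the second get command still shows them. A set-metric on a deny rule has no effect, since a denied route is never installed; it is omitted here for that reason.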