OSPF Route Map Filter

johndj1982 · ‎11-04-2014

Hi,

I would like to ask if there's a way in fortinet to filter ospf routes from a ospf router using ospf advertising id (ospf-id). Something similar to "match ip route-source" in cisco.

I want to simulate this kind of policy in fortinet, see output below. This is a cisco output. My goal here is to block a specific routes advertised by ospf router 172.32.102.3

ip prefix-list ROUTES_FR_MPLS seq 1 permit 10.2.76.0/24 ip prefix-list ROUTES_FR_MPLS seq 2 permit 10.2.76.2/32 ip prefix-list ROUTES_FR_MPLS seq 3 permit 10.2.76.3/32 ip prefix-list ROUTES_FR_MPLS seq 4 permit 10.2.108.0/24 ip prefix-list ROUTES_FR_MPLS seq 5 permit 10.2.108.2/32 ip prefix-list ROUTES_FR_MPLS seq 6 permit 10.2.108.3/32 ip prefix-list ROUTES_FR_MPLS seq 7 permit 10.180.8.0/25 ip prefix-list ROUTES_FR_MPLS seq 8 permit 10.86.46.0/24 ip prefix-list ROUTES_FR_MPLS seq 9 permit 10.86.47.0/24 ! access-list 1 permit host 172.32.102.3 access-list 1 remark OSPF_ID ! route-map FILTER_ROUTES deny 1 match ip address prefix-list ROUTES_FR_VZON match ip route-source 1 ! route-map FILTER_ROUTES permit 2 ! end

Thanks,

Benoit_Rech_FTNT · ‎11-04-2014

Hello,

There is not such matching "function" is FortiOS.

All the filtering capabilities on OSPF through route-map are described here: http://docs-legacy.fortinet.com//fgt/handbook/cli_html/index.html#page/FortiOS%25205.0%2520CLI/confi...

If this is external routes, you can tag the routes at the source, and then filter them on the Fortigate using "match-tag".

Benoit

emnoc · ‎11-05-2014

I think you can do it

config router prefix-list edit "droprts" config rule edit 1 set prefix 10.2.76.0 255.255.255.0 unset ge unset le next edit 2 set prefix 10.2.76.2 255.255.255.255 unset ge unset le next edit 3 set prefix 10.2.76.3 255.255.255.255 unset ge unset le next edit 4 set prefix 10.2.108.0 255.255.255.0 unset ge unset le next edit 5 set prefix 10.2.108.2 255.255.255.255 unset ge unset le next edit 6 set prefix 10.2.108.3 255.255.255.255 unset ge unset le next edit 7 set prefix 10.180.8.0 255.255.255.128 unset ge unset le next edit 8 set prefix 10.86.46.0 255.255.255.0 unset ge unset le next edit 9 set prefix 10.86.47.0 255.255.255.0 unset ge unset le next end next end

and

config router prefix-list edit "mplsqw" set comments "ROUTES_FR_MPLS that we want to ignore OSPF RT XYZ" config rule edit 1 set prefix 172.32.102.3 255.255.255.255 unset ge unset le next end

and then you built it into a route map

You will have to match maybe the next-hop and the prefixes and apply the deny action

config router route-map edit "dropospf" config rule edit 1 set action deny set match-ip-address "droprts" set match-ip-nexthop "mplsgq" set set-metric 2147483647 next edit 50

set action accept next end next end

NOTE: I like to apply the max ospf metric to these routes also. As stated in another post for ospf filtering , LSA table will NOT be modified.

Try the above and review it and see it it works, but that's the same thing as the cisco route-map and fortinet has copy almost everything that the cisco has done to some degree. Ideally you would have the upstream filter it.

If this is external routes, you can tag the routes at the source, and then filter them on the Fortigate using "match-tag".

That would work but he would still need to apply a prefix list for the tagged routes. If the upstream was savoy they could tag these routes with an unique tag but to blindly drop tag XYZ would not be a very good thing.

If you do use a match-tag be advise, this could lead into other unwanted conditions if any of the items changes;

SP changes router and ospf tag

TAG is removed

other routes uses the same ospf-tag

just food for thought

PCNSE

NSE

StrongSwan

OSPF Route Map Filter

Nominate a Forum Post for Knowledge Article Creation