Hi,
I would like to ask if there's a way in Fortinet to filter OSPF routes from an OSPF router using the OSPF advertising ID (ospf-id), something similar to "match ip route-source" in Cisco.
I want to simulate this kind of policy in Fortinet; see the output below. This is a Cisco output. My goal here is to block specific routes advertised by the OSPF router 172.32.102.3.
```
ip prefix-list ROUTES_FR_MPLS seq 1 permit 10.2.76.0/24
ip prefix-list ROUTES_FR_MPLS seq 2 permit 10.2.76.2/32
ip prefix-list ROUTES_FR_MPLS seq 3 permit 10.2.76.3/32
ip prefix-list ROUTES_FR_MPLS seq 4 permit 10.2.108.0/24
ip prefix-list ROUTES_FR_MPLS seq 5 permit 10.2.108.2/32
ip prefix-list ROUTES_FR_MPLS seq 6 permit 10.2.108.3/32
ip prefix-list ROUTES_FR_MPLS seq 7 permit 10.180.8.0/25
ip prefix-list ROUTES_FR_MPLS seq 8 permit 10.86.46.0/24
ip prefix-list ROUTES_FR_MPLS seq 9 permit 10.86.47.0/24
!
access-list 1 permit host 172.32.102.3
access-list 1 remark OSPF_ID
!
route-map FILTER_ROUTES deny 1
 match ip address prefix-list ROUTES_FR_VZON
 match ip route-source 1
!
route-map FILTER_ROUTES permit 2
!
end
```
Thanks,
Hello,
There is no such matching "function" in FortiOS.
All the filtering capabilities on OSPF through route-map are described here: http://docs-legacy.fortinet.com//fgt/handbook/cli_html/index.html#page/FortiOS%25205.0%2520CLI/confi...
If these are external routes, you can tag the routes at the source and then filter them on the FortiGate using "match-tag".
Benoit
I think you can do it
```
config router prefix-list
    edit "droprts"
        config rule
            edit 1
                set prefix 10.2.76.0 255.255.255.0
                unset ge
                unset le
            next
            edit 2
                set prefix 10.2.76.2 255.255.255.255
                unset ge
                unset le
            next
            edit 3
                set prefix 10.2.76.3 255.255.255.255
                unset ge
                unset le
            next
            edit 4
                set prefix 10.2.108.0 255.255.255.0
                unset ge
                unset le
            next
            edit 5
                set prefix 10.2.108.2 255.255.255.255
                unset ge
                unset le
            next
            edit 6
                set prefix 10.2.108.3 255.255.255.255
                unset ge
                unset le
            next
            edit 7
                set prefix 10.180.8.0 255.255.255.128
                unset ge
                unset le
            next
            edit 8
                set prefix 10.86.46.0 255.255.255.0
                unset ge
                unset le
            next
            edit 9
                set prefix 10.86.47.0 255.255.255.0
                unset ge
                unset le
            next
        end
    next
end
```
and
```
config router prefix-list
    edit "mplsqw"
        set comments "ROUTES_FR_MPLS that we want to ignore OSPF RT XYZ"
        config rule
            edit 1
                set prefix 172.32.102.3 255.255.255.255
                unset ge
                unset le
            next
        end
    next
end
```
and then you build it into a route map.
You will have to match maybe the next-hop and the prefixes and apply the deny action:
```
config router route-map
    edit "dropospf"
        config rule
            edit 1
                set action deny
                set match-ip-address "droprts"
                set match-ip-nexthop "mplsqw"
                set set-metric 2147483647
            next
            edit 50
                set action accept
            next
        end
    next
end
```
NOTE: I like to apply the max OSPF metric to these routes also. As stated in another post on OSPF filtering, the LSA table will NOT be modified.
Try the above, review it and see if it works, but that's the same thing as the Cisco route-map, and Fortinet has copied almost everything that Cisco has done to some degree. Ideally you would have the upstream filter it.
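Not part of the thread: a small Python helper, added here, that performs the Cisco-to-FortiOS prefix-list translation the reply above did by hand (CIDR length to dotted netmask, `seq` to rule id, `ge`/`le` carried over), so a long list like the nine entries in the question can be converted without typos. The sample input is constructed from the question's list; the `set action` line it emits is explicit where the reply relied on the FortiOS default of permit.

```python
import ipaddress
import re

# Constructed sample input, in the same format as the Cisco output in the question.
CISCO_PREFIX_LIST = """
ip prefix-list ROUTES_FR_MPLS seq 1 permit 10.2.76.0/24
ip prefix-list ROUTES_FR_MPLS seq 2 permit 10.2.76.2/32
ip prefix-list ROUTES_FR_MPLS seq 7 permit 10.180.8.0/25
"""

# One Cisco 'ip prefix-list' line; ge/le are optional prefix-length qualifiers.
LINE_RE = re.compile(
    r"^ip prefix-list (?P<name>\S+) seq (?P<seq>\d+) (?P<action>permit|deny) "
    r"(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)(?: ge (?P<ge>\d+))?(?: le (?P<le>\d+))?$"
)

def parse_cisco_prefix_list(text):
    """Return {list_name: [(seq, action, IPv4Network, ge, le), ...]}."""
    lists = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised prefix-list line: {line!r}")
        # strict=True rejects host bits set beyond the mask (e.g. 10.2.76.3/24).
        net = ipaddress.IPv4Network(m["prefix"], strict=True)
        lists.setdefault(m["name"], []).append(
            (int(m["seq"]), m["action"], net, m["ge"], m["le"])
        )
    return lists

def to_fortios(lists):
    """Emit the equivalent FortiOS 'config router prefix-list' block as text."""
    out = ["config router prefix-list"]
    for name, rules in lists.items():
        out.append(f'    edit "{name}"')
        out.append("        config rule")
        for seq, action, net, ge, le in sorted(rules, key=lambda r: r[0]):
            out.append(f"            edit {seq}")
            out.append(f"                set action {action}")
            # FortiOS takes the prefix as address plus dotted netmask, not CIDR.
            out.append(f"                set prefix {net.network_address} {net.netmask}")
            out.append(f"                {'set ge ' + ge if ge else 'unset ge'}")
            out.append(f"                {'set le ' + le if le else 'unset le'}")
            out.append("            next")
        out.append("        end")
        out.append("    next")
    out.append("end")
    return "\n".join(out)
```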
> If these are external routes, you can tag the routes at the source and then filter them on the FortiGate using "match-tag".
That would work, but he would still need to apply a prefix list for the tagged routes. If the upstream was savvy they could tag these routes with a unique tag, but to blindly drop tag XYZ would not be a very good thing.
If you do use a match-tag, be advised this could lead to other unwanted conditions if any of these items changes:
SP changes router and ospf tag
TAG is removed
other routes uses the same ospf-tag
Just food for thought.