Support Forum
nicovpp
New Contributor

OSPF and static route redistribution

Hello,

I have the following setup:
- The FortiGate is doing the NAT from public IPs to private IPs.
- The public IPs are announced by the FortiGate to a connected router with OSPF.
- The public IP range is announced with a redistribute static OSPF configuration for a route pointing to a blackhole interface.

This behaviour is working fine with a standard OSPF area. However, I want to change the standard OSPF area to an NSSA area. To avoid route consistency problems (you can check there if you want, but it is not needed; the firewalls are R2 & R3: https://supportforums.cis...route-redistribution), I need to enable OSPF on the interface where I am doing the static route redistribution. The problem is that this interface is a blackhole interface. Is there another way to do this (using a loopback or some other interface for the static route / enabling OSPF on that interface)?

Thanks !

emnoc
Esteemed Contributor III

"I need to enable OSPF on the interface where I am doing the static routing redistribution. The problem is that this interface is a blackhole interface"

Where are you getting this from?

FWIW, here's an example of a BH route injection from an OSPF VDOM:

    next
    end
    config redistribute "connected"
    end
    config redistribute "static"
        set status enable
        set routemap "ospftagovr"
        set tag 289
    end

My route-map that is used for distribution controls:

    SOC60D (root) # show router route-map
    config router route-map
        edit "redist-def"
            config rule
                edit 1
                    set match-ip-address "default"
                    set set-tag 9999
                next
            end
        next
        edit "ospftagovr"
            config rule
                edit 1
                    set match-ip-address "mymap"
                    set set-metric 15678
                    set set-tag 8990
                next
                edit 2
                next
            end
        next
    end

My prefix-list (I like prefix lists for IPv4 or IPv6):

        edit "mymap"
            config rule
                edit 1
                    set prefix 10.200.11.0 255.255.255.0
                    unset ge
                    unset le
                next
                edit 2
                    set prefix 10.200.199.0 255.255.255.0   <- pointed to blackhole
                    unset ge
                    unset le
                next
            end
        next
    end

The static route pushing the prefix to blackhole:

    config router static
        edit 77
            set dst 10.200.199.0 255.255.255.0
            set blackhole enable
        next
    end

(and here is how it looks on another OSPF router)

    SOC60D (custA) # get router info routing-table ospf
    O E2    10.200.10.0/24 [110/10] via 192.168.10.1, root2custA1, 10:43:26
    O E2    10.200.11.0/24 [110/15678] via 192.168.10.1, root2custA1, 10:43:26
    O E2    10.200.199.0/24 [110/15678] via 192.168.10.1, root2custA1, 00:00:54   <- route injected from static

      LS age: 266
      Options: 0x2 (*|-|-|-|-|-|E|-)
      LS Type: AS-external-LSA
      Link State ID: 10.200.199.0 (External Network Number)
      Advertising Router: 192.0.2.1
      LS Seq Number: 80000001
      Checksum: 0x8f28
      Length: 36
      Network Mask: /24
            Metric Type: 2 (Larger than any link state path)
            TOS: 0
            Metric: 15678
            Forward Address: 0.0.0.0
            External Route Tag: 8990

I hope that helps.

ken

PCNSE NSE StrongSwan
nicovpp
New Contributor

Hi Emnoc,

Thanks for your reply. The configuration you are giving is similar to the current configuration I have with a standard OSPF area (a static route to a blackhole interface and the OSPF redistribute static command).

The problem is that I want to change the type of the OSPF area to a totally NSSA area. The 'only' way I have found to get a consistent routing table on my routers is to have a FortiGate (it was another router in my lab) where the static route points to an OSPF-enabled interface (on a FortiGate this is impossible with a blackhole interface, which is why I am asking whether there is another method with a loopback interface or something else).

If you want to understand the problem, I have made a post on the Cisco forums https://supportforums.cisco.com/discussion/12612446/ospf-totally-nssa-and-route-redistribution where the forwarding address specification in an NSSA area was explained to me. R1 and R8 represent routers, R2 & R3 FortiGates.

 

Nicolas

emnoc
Esteemed Contributor III

Okay, I still don't understand your "exact" problem. Is this a metric or FA issue, or your concern over E and N populated LSAs?

Have you pulled the OSPF LSA database for the routes injected via static on the advertising or receiving OSPF routers & the FortiGate?

You could use a static route with a next-hop and redistribute that, but keep aware of any FA issues in the route entry. I will post something later when I get back to my lab showing a redistribution concept using a loopback address, but it falls under the same concept as the blackhole.

In the meantime you can review this blog I wrote pertaining to E1 redistributed routes and carrying the FA and metric calculations.

http://socpuppet.blogspot.com/2013/08/forward-address-not-equal-0000-why.html

I would re-suggest that you query the actual OSPF database information on the routers and firewall involved. Also the Cisco NSSA compatibility could be an issue. Have you researched "compatible rfc1587"? BUT be very, very careful if you explore this on production routers and any routers that are not enabled. You can get routing loops or other nasties.

 
PCNSE NSE StrongSwan
nicovpp
New Contributor

Hi Emnoc,

Sorry for the late reply, I was sick. Thanks for your link, I will have a look (seems interesting).

The problem is that the calculated routes in the routing table are not optimized (but this is OSPF behaviour). I have found a way to redistribute static routes into OSPF with a loopback interface (in point-to-point mode) instead of a blackhole. I do not know if this is recommended:

 

config system interface
    edit "lopriv"
        set vdom "root"
        set ip 10.250.250.1 255.255.255.252
        set allowaccess ping
        set type loopback
        set snmp-index 5
    next
end
config router static
    edit 1
        set dst 90.10.10.0 255.255.255.0
        set gateway 10.250.250.2
        set device "lopriv"
    next
end
config router ospf
    set router-id 0.3.24.21
    config area
        edit 0.0.1.68
            set type nssa
        next
    end
    config ospf-interface
        edit "AREA324_WAN1"
            set interface "wan1"
            set priority 0
        next
        edit "AREA324_WAN2"
            set interface "wan2"
            set priority 0
        next
        edit "AREA324_LO"
            set interface "lopriv"
            set priority 0
            set network-type point-to-point
        next
    end
    config network
        edit 1
            set prefix 10.30.24.0 255.255.255.0
            set area 0.0.1.68
        next
        edit 2
            set prefix 10.40.24.0 255.255.255.0
            set area 0.0.1.68
        next
        edit 3
            set prefix 10.250.250.0 255.255.255.252
            set area 0.0.1.68
        next
    end
    config redistribute "connected"
    end
    config redistribute "static"
        set status enable
        set metric-type 1
    end
end
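A small config lint for the loopback approach in the post above, added here as an example and not code from the thread or from Fortinet: it parses FortiOS-style config/edit/set blocks and flags any static route that feeds redistribute static but cannot get a reachable forwarding address in an NSSA area (blackhole device, a device OSPF is not enabled on, or a next-hop outside a prefix advertised into an NSSA area). The parser, the function names and the sample config are my own assumptions.

```python
# Added example (not from the thread): lint a FortiOS config so every static route fed into
# "redistribute static" can carry a reachable forwarding address into an NSSA area. The parser
# and the checks are my own assumptions about the CLI grammar, not FortiOS code.
import ipaddress
import shlex

def parse_fortios(text):
    """Turn config/edit/set/next/end lines into nested dicts, e.g. {"router static": {"1": {...}}}."""
    root, stack = {}, []
    cur = root
    for line in text.splitlines():
        tok = shlex.split(line) or [""]           # blank line -> no keyword
        if tok[0] in ("config", "edit"):          # open a table or an entry
            stack.append(cur)
            cur = cur.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "set":                     # keyword plus one or more values
            cur[tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):           # close it again
            cur = stack.pop()
    return root

def nssa_fa_problems(cfg):
    """Return [(route_id, reason)] for static routes whose Type-7 LSA would get no usable FA."""
    ospf = cfg.get("router ospf", {})
    if ospf.get("redistribute static", {}).get("status") != ["enable"]:
        return []                                 # nothing is redistributed, nothing to check
    nssa = {a for a, v in ospf.get("area", {}).items() if v.get("type") == ["nssa"]}
    ospf_ifs = {v["interface"][0] for v in ospf.get("ospf-interface", {}).values()}
    nets = [(ipaddress.ip_network("/".join(v["prefix"])), v["area"][0])
            for v in ospf.get("network", {}).values()]
    out = []
    for rid, r in cfg.get("router static", {}).items():
        dev, gw = r.get("device", ["?"])[0], ipaddress.ip_address(r.get("gateway", ["0.0.0.0"])[0])
        if r.get("blackhole") == ["enable"]:      # a blackhole has no next-hop at all
            out.append((rid, "blackhole route has no next-hop, so no forwarding address"))
        elif dev not in ospf_ifs:                 # OSPF must run on the egress interface
            out.append((rid, f"device {dev} is not an OSPF-enabled interface"))
        elif not any(gw in n and a in nssa for n, a in nets):
            out.append((rid, f"next-hop {gw} is not inside a prefix advertised into an NSSA area"))
    return out

SAMPLE = "\n".join([  # constructed: the last post's loopback recipe plus one blackhole route (id 2)
    "config router static", "edit 1", "set dst 90.10.10.0 255.255.255.0",
    "set gateway 10.250.250.2", 'set device "lopriv"', "next",
    "edit 2", "set dst 90.10.11.0 255.255.255.0", "set blackhole enable", "next", "end",
    "config router ospf", "config area", "edit 0.0.1.68", "set type nssa", "next", "end",
    "config ospf-interface", 'edit "AREA324_LO"', 'set interface "lopriv"', "next", "end",
    "config network", "edit 3", "set prefix 10.250.250.0 255.255.255.252", "set area 0.0.1.68",
    "next", "end", 'config redistribute "static"', "set status enable", "end", "end"])
```

Running `nssa_fa_problems(parse_fortios(SAMPLE))` leaves route 1 (loopback, OSPF-enabled, next-hop inside the advertised /30) clean and reports only the blackhole route 2.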
