Hello,
I have the following setup:
- The FortiGate is doing the NAT from public IPs to private IPs.
- The public IPs are announced by the FortiGate to a connected router with OSPF.
- The public IP range is announced with a "redistribute static" OSPF configuration for a route pointing to a blackhole interface.
This behaviour is working fine with a standard OSPF area. However, I want to change the OSPF standard area to an NSSA area. To avoid route consistency problems (you can check there if you want, but it is not needed; the firewalls are R2 & R3: https://supportforums.cis...route-redistribution), I need to enable OSPF on the interface where I am doing the static routing redistribution. The problem is that this interface is a blackhole interface. Is there another way to do this (using a loopback or some other interface for the static routing, and enabling OSPF on that interface)?
Thanks !
I need to enable OSPF on the interface where I am doing the static routing redistribution. The problem is that this interface is a blackhole interface
Where are you getting this from?
FWIW, here's an example of a BH route injection from an OSPF vdom:
next
end
config redistribute "connected"
end
config redistribute "static"
    set status enable
    set routemap "ospftagovr"
    set tag 289
end
my route-map that is used for distribution controls:
SOC60D (root) # show router route-map
config router route-map
    edit "redist-def"
        config rule
            edit 1
                set match-ip-address "default"
                set set-tag 9999
            next
        end
    next
    edit "ospftagovr"
        config rule
            edit 1
                set match-ip-address "mymap"
                set set-metric 15678
                set set-tag 8990
            next
            edit 2
            next
        end
    next
end
my prefix-list (I like prefix lists for IPv4 or IPv6):
config router prefix-list
    edit "mymap"
        config rule
            edit 1
                set prefix 10.200.11.0 255.255.255.0
                unset ge
                unset le
            next
            edit 2
                set prefix 10.200.199.0 255.255.255.0   <- pointed to blackhole
                unset ge
                unset le
            next
        end
    next
end
the static route pushing the prefix to blackhole:
config router static
    edit 77
        set dst 10.200.199.0 255.255.255.0
        set blackhole enable
    next
end
(and here is how it looks on another OSPF router)
SOC60D (custA) # get router info routing-table ospf
O E2 10.200.10.0/24 [110/10] via 192.168.10.1, root2custA1, 10:43:26
O E2 10.200.11.0/24 [110/15678] via 192.168.10.1, root2custA1, 10:43:26
O E2 10.200.199.0/24 [110/15678] via 192.168.10.1, root2custA1, 00:00:54   <- route injected from static
LS age: 266
Options: 0x2 (*|-|-|-|-|-|E|-)
LS Type: AS-external-LSA
Link State ID: 10.200.199.0 (External Network Number)
Advertising Router: 192.0.2.1
LS Seq Number: 80000001
Checksum: 0x8f28
Length: 36
Network Mask: /24
Metric Type: 2 (Larger than any link state path)
TOS: 0
Metric: 15678
Forward Address: 0.0.0.0
External Route Tag: 8990
I hope that helps.
ken
PCNSE
NSE
StrongSwan
Hi Emnoc,
Thanks for your reply. The configuration you are giving is similar to the current configuration I have with a standard OSPF area (static routing to a blackhole interface and the OSPF "redistribute static" command).
The problem is that I want to change the type of the OSPF area to a totally NSSA. The 'only' way I have found to have a consistent routing table on my routers is to have a FortiGate (it was another router in my lab) where the static routing is pointing to an OSPF-enabled interface (on a FortiGate it is impossible with a blackhole interface; that's why I am asking if there is another method with a loopback interface or something else).
If you want to understand the problem, I have made a post on the Cisco forums, https://supportforums.cisco.com/discussion/12612446/ospf-totally-nssa-and-route-redistribution, where the forwarding address specification in an NSSA area was explained to me. R1 and R8 represent routers, R2 & R3 FortiGates.
Nicolas
Okay, I still don't understand your "exact" problem. Is this a metric or FA issue? Or your concerns over E- and N-populated LSAs?
Have you pulled the OSPF LSA database for the routes injected via static on the advertising or receiving OSPF routers and the FortiGate?
You could use a static route with a next-hop and redistribute that, but be aware of any FA issues in the route entry. I will post something later when I get back to my lab showing a redistribution concept using a loopback address, but it falls under the same concept as the blackhole.
In the meantime you can review this blog post I wrote pertaining to E1 redistributed routes and carrying the FA and metric calculations.
http://socpuppet.blogspot.com/2013/08/forward-address-not-equal-0000-why.html
I would re-suggest that you query the actual OSPF database information on the routers and firewall involved. Also, Cisco NSSA compatibility could be an issue. Have you researched "compatible rfc1587"? BUT be very, very careful if you explore this on production routers and any routers that are not enabled. You can get routing loops or other nasties.
Hi Emnoc,
Sorry for the late reply, I was sick. Thanks for your link, I will have a look (seems interesting).
The problem is that the calculated routes in the routing table are not optimized (but this is OSPF behaviour). I have found a way to redistribute static routes on OSPF with a loopback interface (in point-to-point mode) instead of a blackhole. I do not know if this is recommended:
config system interface
    edit "lopriv"
        set vdom "root"
        set ip 10.250.250.1 255.255.255.252
        set allowaccess ping
        set type loopback
        set snmp-index 5
    next
end
config router static
    edit 1
        set dst 90.10.10.0 255.255.255.0
        set gateway 10.250.250.2
        set device "lopriv"
    next
end
config router ospf
    set router-id 0.3.24.21
    config area
        edit 0.0.1.68
            set type nssa
        next
    end
    config ospf-interface
        edit "AREA324_WAN1"
            set interface "wan1"
            set priority 0
        next
        edit "AREA324_WAN2"
            set interface "wan2"
            set priority 0
        next
        edit "AREA324_LO"
            set interface "lopriv"
            set priority 0
            set network-type point-to-point
        next
    end
    config network
        edit 1
            set prefix 10.30.24.0 255.255.255.0
            set area 0.0.1.68
        next
        edit 2
            set prefix 10.40.24.0 255.255.255.0
            set area 0.0.1.68
        next
        edit 3
            set prefix 10.250.250.0 255.255.255.252
            set area 0.0.1.68
        next
    end
    config redistribute "connected"
    end
    config redistribute "static"
        set status enable
        set metric-type 1
    end
end
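The check that both of Emnoc's replies point at (pull the LSA database and look at the forwarding address of the injected route) and that the loopback configuration above depends on, as an added example that is not code from the thread, from Fortinet or from FortiOS: a small Python script that parses an LSA dump in the layout posted earlier in the thread and classifies each external route by whether its forwarding address is 0.0.0.0 (receivers route to the ASBR), falls inside one of the NSSA's "config network" prefixes (receivers route to the FA, the situation the loopback next hop creates), or falls outside them (receivers have no intra- or inter-area route to the FA and ignore the LSA, per RFC 2328 section 16.4). The dump is a constructed sample, not a capture; the three prefixes are taken from the final configuration above; "fa-unreachable" for 192.0.2.0/24 is a hypothetical case added to show the failure mode.

```python
"""Classify FortiGate OSPF external LSAs by forwarding address (FA).

Added example for this thread; not code from the thread, Fortinet or FortiOS.
Assumes the dump uses the field layout posted above ("LS age:", "Forward
Address:", ...); SAMPLE_DUMP is constructed in that layout with only the fields
read here. The OSPF prefixes are the final post's "config network" block and
stand in for "has an intra-/inter-area route" (RFC 2328 16.4: an external whose
non-zero FA has no such route is ignored by the receiver).
"""
import ipaddress
import re

# Constructed sample: the blackhole injection posted above (FA 0.0.0.0), the
# static via the loopback next hop 10.250.250.2, and a hypothetical external
# whose FA lies in no OSPF network.
SAMPLE_DUMP = """\
LS age: 266
Link State ID: 10.200.199.0 (External Network Number)
Advertising Router: 192.0.2.1
Network Mask: /24
Metric Type: 2 (Larger than any link state path)
Metric: 15678
Forward Address: 0.0.0.0
External Route Tag: 8990

LS age: 12
Link State ID: 90.10.10.0 (External Network Number)
Advertising Router: 0.3.24.21
Network Mask: /24
Metric Type: 1 (Comparable directly to link state metric)
Metric: 10
Forward Address: 10.250.250.2
External Route Tag: 0

LS age: 40
Link State ID: 192.0.2.0 (External Network Number)
Advertising Router: 0.3.24.21
Network Mask: /24
Metric Type: 1 (Comparable directly to link state metric)
Metric: 10
Forward Address: 203.0.113.9
External Route Tag: 0
"""

# "config network" prefixes of area 0.0.1.68 in the final post.
NSSA_NETWORKS = ["10.30.24.0/24", "10.40.24.0/24", "10.250.250.0/30"]
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")


def parse_lsa_dump(text):
    """Split the dump into one dict per LSA; an "LS age" line starts a new LSA."""
    lsas, current = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "LS age":
            current = {}
            lsas.append(current)
        if current is not None:
            current[key] = value
    return lsas


def external_routes(lsas):
    """Reduce each LSA to the fields that matter for the FA question."""
    routes = []
    for lsa in lsas:
        prefix_ip = lsa["Link State ID"].split()[0]   # drop "(External Network Number)"
        masklen = int(lsa["Network Mask"].lstrip("/"))
        routes.append({
            "prefix": ipaddress.ip_network(f"{prefix_ip}/{masklen}"),
            "asbr": ipaddress.ip_address(lsa["Advertising Router"]),
            "metric_type": int(lsa["Metric Type"].split()[0]),
            "metric": int(lsa["Metric"]),
            "fa": ipaddress.ip_address(lsa["Forward Address"]),
            "tag": int(lsa["External Route Tag"]),
        })
    return routes


def classify_forwarding(routes, ospf_networks):
    """Map each prefix to one of:
    asbr            FA 0.0.0.0: receivers route the external to the ASBR itself
    fa-in-ospf      FA inside an advertised OSPF prefix: receivers route to the FA
    fa-unreachable  FA set but in no advertised prefix: receivers ignore the LSA
    """
    nets = [ipaddress.ip_network(n) for n in ospf_networks]
    verdicts = {}
    for r in routes:
        if r["fa"] == ipaddress.ip_address("0.0.0.0"):
            verdict = "asbr"
        elif any(r["fa"] in n for n in nets):
            verdict = "fa-in-ospf"
        else:
            verdict = "fa-unreachable"
        verdicts[str(r["prefix"])] = verdict
    return verdicts


if __name__ == "__main__":
    routes = external_routes(parse_lsa_dump(SAMPLE_DUMP))
    for prefix, verdict in classify_forwarding(routes, NSSA_NETWORKS).items():
        print(f"{prefix:18} {verdict}")
```

To run it against a real box, paste the output of "get router info ospf database external" (and the NSSA Type-7 database on the FortiGate) into SAMPLE_DUMP and the area's "config network" prefixes into NSSA_NETWORKS; a "fa-unreachable" verdict means the next hop of the redistributed static is not covered by an OSPF-enabled interface, which is exactly what the loopback in point-to-point mode above fixes. The prefix check only approximates the receiver's routing-table lookup; a prefix that is configured but whose interface is down will still be reported as reachable.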
Copyright 2024 Fortinet, Inc. All Rights Reserved.