Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
journeyman
Contributor

OSPF filter inter-area routes using filter-list

Hi All, FD33624 shows how to prevent route propagation from one area to another by creating a prefix-list and applying that to the source area using filter-list. The example is:
config router ospf
    config area
        edit 0.0.0.1
            config filter-list
                edit 1
                    set list "FILTER_AREA_1_NETWORKS"
                    set direction out
                next
            end
        next
    end
end
where the routes are to be withheld from area 0.0.0.0. In our case FGT1 is the ABR and is a member of both area 0.0.0.0 and 0.0.0.2. Area 0.0.0.0 provides a lot of routes we want to prevent reaching area 0.0.0.2. FGT2 is in area 0.0.0.2. Our configuration in FGT1 is:
config router prefix-list
    edit "pfx-filter-from-area-0"
        config rule
            edit 1
                set prefix 192.168.80.0 255.255.255.0
                set ge 25
                set le 32
            next
            edit 2
                set prefix 172.17.0.0 255.255.255.0
            next
            edit 3
                set action deny
                set prefix any
            next
        end
    next
end
config router ospf
    config area
        edit 0.0.0.0
            config filter-list
                edit 1
                    set list "pfx-filter-from-area-0"
                next
            end
        next
        edit 0.0.0.2
        next
    end
end
The prefix list applies to area 0.0.0.0 using the default "set direction out". This should be sufficient but it does not work. The routes displayed in FGT2 by the command "get router info OSPF route" do not reflect the filter-list in FGT1. Could the prefix be applied to area 0.0.0.2 using set direction in, instead? What reasons could explain this not working as intended? Also is there any way to debug at FGT1 (the ABR)? Note, we can fix this with distribute-list-in at FGT2, but I'd rather be elegant if I can.
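An added example, not part of the original post: a small evaluator that runs constructed sample routes through the three rules of the prefix-list above, to show which prefixes it permits before any OSPF filter-list behaviour comes into play. It assumes conventional first-match prefix-list semantics (no ge/le means exact length, ge only extends to /32, le only starts at the rule's own length) and that an unset action defaults to permit; the names `RULES`, `rule_matches` and `evaluate` are hypothetical.

```python
import ipaddress

# Rules transcribed from "pfx-filter-from-area-0" in the question.
# Assumption: rules 1 and 2 set no action, taken here as the default "permit".
RULES = [
    {"id": 1, "action": "permit", "prefix": "192.168.80.0/24", "ge": 25, "le": 32},
    {"id": 2, "action": "permit", "prefix": "172.17.0.0/24", "ge": None, "le": None},
    {"id": 3, "action": "deny", "prefix": "any", "ge": None, "le": None},
]

def rule_matches(rule, route):
    """Return True if route (an IPv4Network) matches one prefix-list rule."""
    if rule["prefix"] == "any":
        return True
    base = ipaddress.ip_network(rule["prefix"])
    ge, le = rule["ge"], rule["le"]
    if ge is None and le is None:
        lo = hi = base.prefixlen  # no ge/le: the mask length must match exactly
    else:
        lo = ge if ge is not None else base.prefixlen
        hi = le if le is not None else 32
    # The route must sit inside the rule's prefix AND have an allowed mask length.
    return route.subnet_of(base) and lo <= route.prefixlen <= hi

def evaluate(route_str, rules=RULES):
    """Return (action, rule id) for the first matching rule; implicit deny otherwise."""
    route = ipaddress.ip_network(route_str)
    for rule in rules:
        if rule_matches(rule, route):
            return rule["action"], rule["id"]
    return "deny", None

# Constructed sample routes, not taken from the poster's network.
SAMPLE_ROUTES = [
    "192.168.80.0/24",    # the /24 itself is outside ge 25 .. le 32
    "192.168.80.128/25",
    "192.168.80.7/32",
    "172.17.0.0/24",
    "172.17.0.0/25",      # longer than the exact /24 of rule 2
    "10.0.0.0/8",
]

if __name__ == "__main__":
    for r in SAMPLE_ROUTES:
        action, rule_id = evaluate(r)
        print(f"{r:20} {action:6} (rule {rule_id})")
```

The evaluator covers prefix-list matching only; it does not model how the ABR applies a filter-list to an area or in which direction.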
emnoc
Esteemed Contributor III

You should really deploy OSPF stubs in situations like this. If you don't want routing information propagated then use the best practices and create stubs. Prefix-lists are not the best or smart approach.

PCNSE NSE StrongSwan
journeyman

Thanks for setting me on the right track with this, will do. After your comment I notice that the KB article is for suppressing routes from area x into area 0 (opposite to my needs which are, as you say, stubby).