hklb
Contributor II

OSPF - how to "restrict" the routes propagate by ospf

Hello,

 

I am testing in my lab a solution for a customer. The goal of this lab is to implement OSPF over IPsec. The schema is very basic:

- one head office with one WAN connection (area 0.0.0.0 for internal traffic and area 1.1.1.1 for VPN). The firewall name is "fortilab_HQ".

- two remote sites with two internet connections (firewall names fortilab_R2 and fortilab_R1)

 

I already configured my areas, interfaces, ... The configuration is OK, but I would like to improve the configuration like this:

1) I configured the summary-address on all sites (10.200.0.0/16 for HQ, 10.201.0.0/16 for R1, 10.202.0.0/16 for R2). But my head office still propagates the routes learned by OSPF to my remote firewall:

(fortilab_R2) # get router info routing-table database
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       > - selected route, * - FIB route, p - stale info
 
S    *> 0.0.0.0/0 [10/0] via 192.168.23.1, WAN1_R2
     *>           [10/0] via 192.168.24.1, WAN2_R2, [10/0]
O E2 *> 10.200.0.0/16 [110/10] via 192.168.30.9, VPN1_R2HQ, 00:00:23
     *>               [110/10] via 192.168.30.13, VPN2_R2HQ, 00:00:23
O IA *> 10.200.248.0/24 [110/111] via 192.168.30.9, VPN1_R2HQ, 00:03:36
     *>                 [110/111] via 192.168.30.13, VPN2_R2HQ, 00:03:36

 

 

(fortilab_HQ) # show router ospf 
config router ospf
    set router-id 1.1.1.1
        config area
            edit 0.0.0.0
            next
            edit 1.1.1.1
            next
        end
        config ospf-interface
            edit "OSPF_VPN1_R2"
                set interface "VPN1_R2"
                set dead-interval 40
                set hello-interval 10
                set network-type point-to-point
            next
            edit "OSPF_VPN2_R2"
                set interface "VPN2_R2"
                set dead-interval 40
                set hello-interval 10
                set network-type point-to-point
            next
            edit "OSPF_VPN1_R1"
                set interface "VPN1_R1"
                set dead-interval 40
                set hello-interval 10
                set network-type point-to-point
            next
            edit "OSPF_VPN2_R1"
                set interface "VPN2_R1"
                set dead-interval 40
                set hello-interval 10
                set network-type point-to-point
            next
            edit "OSPF_Interco"
                set interface "INTERCORTR"
                set dead-interval 40
                set hello-interval 10
            next
        end
        config network
            edit 1
                set prefix 192.168.30.0 255.255.255.248
                set area 1.1.1.1
            next
            edit 2
                set prefix 192.168.30.8 255.255.255.248
                set area 1.1.1.1
            next
            edit 3
                set prefix 192.168.70.0 255.255.255.0
            next
        end
        config summary-address
            edit 1
                set prefix 10.200.0.0 255.255.0.0
            next
        end
        config redistribute "connected"
            set status enable
            set routemap "MapInternal"
        end
        config redistribute "static"
        end
        config redistribute "rip"
        end
        config redistribute "bgp"
        end
        config redistribute "isis"
        end
end
(fortilab_HQ) # show router access-list 
config router access-list
    edit "Internal"
            config rule
                edit 1
                    set prefix 10.200.0.0 255.255.0.0
                    set exact-match disable
                next
            end
    next
end
 
(fortilab_HQ) # show router route-map 
config router route-map
    edit "MapInternal"
            config rule
                edit 1
                    set match-ip-address "Internal"
                next
            end
    next
end

 

Is it possible to avoid the route "10.200.248.0" being propagated?

 

2) I would like not to propagate the IPs of the IPsec interfaces to all my remote sites. Is it possible to disable the propagation of these addresses (all my IPsec interfaces are in subnet 192.168.30.0/24)?

 

(fortilab_R2) # get router info routing-table database
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       > - selected route, * - FIB route, p - stale info
 
S    *> 0.0.0.0/0 [10/0] via 192.168.23.1, WAN1_R2
     *>           [10/0] via 192.168.24.1, WAN2_R2, [10/0]
O E2 *> 10.200.0.0/16 [110/10] via 192.168.30.9, VPN1_R2HQ, 00:00:23
     *>               [110/10] via 192.168.30.13, VPN2_R2HQ, 00:00:23
O IA *> 10.200.248.0/24 [110/111] via 192.168.30.9, VPN1_R2HQ, 00:03:36
     *>                 [110/111] via 192.168.30.13, VPN2_R2HQ, 00:03:36
O E2 *> 10.201.0.0/16 [110/10] via 192.168.30.9, VPN1_R2HQ, 00:03:36
     *>               [110/10] via 192.168.30.13, VPN2_R2HQ, 00:03:36
C    *> 10.202.101.0/24 is directly connected, R2_LAN_USER
C    *> 192.168.23.0/24 is directly connected, WAN1_R2
C    *> 192.168.24.0/24 is directly connected, WAN2_R2
O    *> 192.168.30.1/32 [110/100] via 192.168.30.9, VPN1_R2HQ, 00:03:36
     *>                 [110/100] via 192.168.30.13, VPN2_R2HQ, 00:03:36
O    *> 192.168.30.2/32 [110/200] via 192.168.30.9, VPN1_R2HQ, 00:03:36
     *>                 [110/200] via 192.168.30.13, VPN2_R2HQ, 00:03:36
O    *> 192.168.30.5/32 [110/100] via 192.168.30.9, VPN1_R2HQ, 00:03:36
     *>                 [110/100] via 192.168.30.13, VPN2_R2HQ, 00:03:36
O    *> 192.168.30.6/32 [110/200] via 192.168.30.9, VPN1_R2HQ, 00:03:36
     *>                 [110/200] via 192.168.30.13, VPN2_R2HQ, 00:03:36
O       192.168.30.9/32 [110/100] via 192.168.30.9, VPN1_R2HQ, 00:03:36
                        [110/100] via 192.168.30.13, VPN2_R2HQ, 00:03:36
C    *> 192.168.30.9/32 is directly connected, VPN1_R2HQ
C    *> 192.168.30.10/32 is directly connected, VPN1_R2HQ
O       192.168.30.13/32 [110/100] via 192.168.30.9, VPN1_R2HQ, 00:03:36
                         [110/100] via 192.168.30.13, VPN2_R2HQ, 00:03:36
C    *> 192.168.30.13/32 is directly connected, VPN2_R2HQ
C    *> 192.168.30.14/32 is directly connected, VPN2_R2HQ
O IA *> 192.168.70.0/28 [110/101] via 192.168.30.9, VPN1_R2HQ, 00:03:36
     *>                 [110/101] via 192.168.30.13, VPN2_R2HQ, 00:03:36
Thanks in advance! And sorry for my English..

Lucas

 

emnoc
Esteemed Contributor III

Well, that's an IA route, so do you have it populated via the network statement? And what filtering do you have deployed now?

 

 

PCNSE NSE StrongSwan
hklb
Contributor II

The subnet 10.200.248.0/24 is declared on my internal Cisco router (in area 0.0.0.0).

 

(fortilab_HQ) # get router info ospf database router lsa

                Router Link States (Area 0.0.0.0)

  LS age: 485
  Options: 0x2 (*|-|-|-|-|-|E|-)
  Flags: 0x3 : ABR ASBR
  LS Type: router-LSA
  Link State ID: 1.1.1.1
  Advertising Router: 1.1.1.1
  LS Seq Number: 80000074
  Checksum: 0x8ae7
  Length: 36
   Number of Links: 1

    Link connected to: a Transit Network
     (Link ID) Designated Router address: 192.168.70.2
     (Link Data) Router Interface address: 192.168.70.1
      Number of TOS metrics: 0
       TOS 0 Metric: 1

  LS age: 1954
  Options: 0x22 (*|-|DC|-|-|-|E|-)
  Flags: 0x0
  LS Type: router-LSA
  Link State ID: 192.168.71.1
  Advertising Router: 192.168.71.1
  LS Seq Number: 8000006e
  Checksum: 0x4fc0
  Length: 48
   Number of Links: 2

    Link connected to: a Transit Network
     (Link ID) Designated Router address: 192.168.70.2
     (Link Data) Router Interface address: 192.168.70.2
      Number of TOS metrics: 0
       TOS 0 Metric: 10

    Link connected to: Stub Network
     (Link ID) Network/subnet number: 10.200.248.0
     (Link Data) Network Mask: 255.255.255.0
      Number of TOS metrics: 0
       TOS 0 Metric: 10

I only do a "summary-address" on my HQ FortiGate, like this:

config summary-address
    edit 1
        set prefix 10.200.0.0 255.255.0.0
    next
end

 

Thanks

emnoc
Esteemed Contributor III

That summary is an external route, not an IA route. Look at your route table.

 

An IA route is always path-preferred over an ext type 1 or type 2. The real question is: do you really need to filter that IA route, and if so, why? Do you have a network topology map explaining your area 0 backbone and the other areas?

 

 

hklb
Contributor II

emnoc wrote:
That summary is an external route, not an IA route. Look at your route table.

An IA route is always path-preferred over an ext type 1 or type 2.

Totally agreed (after reading a few more docs.. ;) )

 

emnoc wrote:
The real question is: do you really need to filter that IA route, and if so, why? Do you have a network topology map explaining your area 0 backbone and the other areas?

 

I would like to filter all IA routes so as not to have a lot of routes on my remote sites. In this lab, I have only one IA route, but my customer will have more than 70 subnets. So, for readability, I would like to summarize and route the subnet 10.200.0.0/16 through my VPN.

 

Schema: http://imageshack.com/a/img911/6832/R2rTnG.png

 

Thanks

 

Lucas

romanr
Valued Contributor

Hey,

 

You should be able to do this kind of route summarization via the range setting in the area!

 

config area
    edit 1.2.3.4
        config range
            edit 1
                set prefix 1.2.0.0 255.255.0.0
            next
        end
    next
end

emnoc
Esteemed Contributor III

You need to filter IA routes at the ABR. Once again, what's your network topology between the Cisco and the FortiGate for area 0 and the other area(s)?

 

In all fairness, 70 OSPF routes is not a lot of routes by any means. Route summarization is best at filtering and reducing routes injected via type 5 external LSAs between areas.

 

 

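The distinction emnoc and romanr draw (summary-address only condenses redistributed type-5 externals; inter-area routes have to be summarized with an area range at the ABR) can be checked against a FortiGate routing-table dump. The Python below is an added example, not code from this thread or from Fortinet: it parses the `get router info routing-table database` format quoted above (the sample is a trimmed copy of the R2 output posted earlier), then lists, for each summary prefix, the more-specific OSPF routes that are still present and which mechanism can actually suppress each one. The function names and the sample are the only assumptions.

```python
import ipaddress
import re

# Constructed sample: trimmed from the "get router info routing-table database"
# output quoted in this thread; the indented line is an extra equal-cost path.
SAMPLE = """\
S    *> 0.0.0.0/0 [10/0] via 192.168.23.1, WAN1_R2
O E2 *> 10.200.0.0/16 [110/10] via 192.168.30.9, VPN1_R2HQ, 00:00:23
     *>               [110/10] via 192.168.30.13, VPN2_R2HQ, 00:00:23
O IA *> 10.200.248.0/24 [110/111] via 192.168.30.9, VPN1_R2HQ, 00:03:36
O E2 *> 10.201.0.0/16 [110/10] via 192.168.30.9, VPN1_R2HQ, 00:03:36
O    *> 192.168.30.1/32 [110/100] via 192.168.30.9, VPN1_R2HQ, 00:03:36
O       192.168.30.9/32 [110/100] via 192.168.30.9, VPN1_R2HQ, 00:03:36
C    *> 192.168.30.9/32 is directly connected, VPN1_R2HQ
O IA *> 192.168.70.0/28 [110/101] via 192.168.30.9, VPN1_R2HQ, 00:03:36
"""

# Route code (S, C, O, O IA, O E2, ...), optional "*>" flags, then the prefix.
ROUTE_RE = re.compile(r"^(?P<code>[A-Z](?: [A-Z0-9]{1,2})?)\s+[*>]*\s*(?P<prefix>\d+(?:\.\d+){3}/\d+)")
EXTERNAL = {"O E1", "O E2", "O N1", "O N2"}  # type-5/7 LSAs: what summary-address covers


def parse_routing_db(text):
    """One (code, network) pair per route; continuation lines have no code and are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes.append((m.group("code"), ipaddress.ip_network(m.group("prefix"))))
    return routes


def leaked_specifics(routes, summary):
    """OSPF routes inside `summary` still advertised individually, each tagged with what can hide it."""
    net = ipaddress.ip_network(summary)
    out = []
    for code, prefix in routes:
        if not code.startswith("O") or prefix == net or not prefix.subnet_of(net):
            continue
        if code in EXTERNAL:
            how = "summary-address (ASBR, type-5 LSAs)"
        elif code == "O IA":
            how = "area range on the ABR (type-3 LSAs)"
        else:
            how = "intra-area: neither summary-address nor area range applies"
        out.append((str(prefix), code, how))
    return out


def report(text=SAMPLE):
    routes = parse_routing_db(text)
    return {s: leaked_specifics(routes, s) for s in ("10.200.0.0/16", "192.168.30.0/24")}
```

On the sample, 10.200.248.0/24 is reported as an inter-area leak (only an area range on HQ, the ABR, can hide it), while the 192.168.30.x/32 tunnel addresses show up as plain intra-area routes (code O) that neither mechanism removes, which is the situation behind question 2.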