Hello,
I have stucked in one subject . I have environmement which has routing protocol is "OSPF" . HQ-test : 60.60.60.0/24
BCN-Test:70.70.70.0/24. Test-Branc:66.66.66.0/24.
HQ-Test & BCN-Test is connected via VPN
Hq-Test & Test-Branch is connected via VPN.
I dont want to advertise Test-Branch Ip block to Bcn-Test , I have tried access-list & prefix list. It has not worked. I add also routing tables from all sites
Could you have any idea for the solution?
[style="background-color: #ff0000;"]HQ-TEST routing table:[/style]
HQ-TEST (VPN-VDOM) # get router info routing-table allS* 0.0.0.0/0 [5/0] via X.X.X.129, internal7C 1.20.255.19/32 is directly connected, VPN-Tst-BCN_0C 1.20.255.20/32 is directly connected, VPN-Tst-BCN_0O 1.20.255.40/30 [110/300] via 1.20.255.20, VPN-Tst-BCN_0, 2d18h39mO 1.20.255.44/30 [110/200] via 1.20.255.20, VPN-Tst-BCN_0, 2d18h39mC 1.20.255.59/32 is directly connected, VPN_Bnch2_Dp is directly connected, VPN_Bnch2_Dp_0C 1.20.255.60/32 is directly connected, VPN_Bnch2_Dp is directly connected, VPN_Bnch2_Dp_0C 1.20.255.248/30 is directly connected, root2VPN1O 1.20.255.252/30 [110/200] via 1.20.255.249, root2VPN1, 01w4d19hO 60.60.60.0/26 [110/101] via 1.20.255.249, root2VPN1, 2d20h28mO 60.60.60.128/26 [110/101] via 1.20.255.249, root2VPN1, 2d20h28mO 60.60.60.208/28 [110/101] via 1.20.255.249, root2VPN1, 2d20h28mO 60.60.60.224/28 [110/101] via 1.20.255.249, root2VPN1, 2d20h28mO 60.60.60.248/29 [110/101] via 1.20.255.249, root2VPN1, 2d20h28mC 62.96.202.128/27 is directly connected, internal7S 66.66.66.0/24 [15/0] via 95.91.224.231, VPN_Bnch2_Dp_0O 66.66.66.64/26 [110/101] via 1.20.255.60, VPN_Bnch2_Dp_0, 02:26:48O 66.66.66.128/26 [110/101] via 1.20.255.60, VPN_Bnch2_Dp_0, 02:26:48O 66.66.66.224/28 [110/101] via 1.20.255.60, VPN_Bnch2_Dp_0, 02:26:48O 66.66.66.240/29 [110/101] via 1.20.255.60, VPN_Bnch2_Dp_0, 02:26:48O 70.70.70.64/26 [110/201] via 1.20.255.20, VPN-Tst-BCN_0, 2d18h39mO 70.70.70.128/26 [110/201] via 1.20.255.20, VPN-Tst-BCN_0, 2d18h39mO 70.70.70.208/28 [110/201] via 1.20.255.20, VPN-Tst-BCN_0, 2d18h39mO 70.70.70.224/28 [110/201] via 1.20.255.20, VPN-Tst-BCN_0, 2d18h39mO 70.70.70.248/29 [110/201] via 1.20.255.20, VPN-Tst-BCN_0, 2d18h39mC 169.253.0.1/32 is directly connected, OSPF_LoopbackO 169.253.0.2/32 [110/400] via 1.20.255.20, VPN-Tst-BCN_0, 2d18h39mO 169.253.0.3/32 [110/200] via 1.20.255.249, root2VPN1, 01w4d19hO 169.253.0.5/32 [110/300] via 1.20.255.249, root2VPN1, 01w4d19hO 169.253.0.7/32 [110/200] via 1.20.255.20, VPN-Tst-BCN_0, 2d18h39mO 169.253.0.10/32 [110/300] via 1.20.255.20, VPN-Tst-BCN_0, 2d18h39mO 169.253.0.66/32 [110/200] via 1.20.255.60, VPN_Bnch2_Dp_0, 02:26:48
[style="background-color: #ff0000;"]BCN-TST routing table:[/style]
BCN-TEST (VPN-VDOM) # get router info routing-table allS* 0.0.0.0/0 [5/0] via Y.Y.Y.1, wan2C 1.20.255.19/32 is directly connected, VPN-HQ-TstC 1.20.255.20/32 is directly connected, VPN-HQ-TstO 1.20.255.40/30 [110/200] via 1.20.255.45, root2VPN1, 01w4d00hC 1.20.255.44/30 is directly connected, root2VPN1O 1.20.255.59/32 [110/100] via 1.20.255.19, VPN-HQ-Tst, 2d18h40mO 1.20.255.60/32 [110/200] via 1.20.255.19, VPN-HQ-Tst, 2d18h40mO 1.20.255.248/30 [110/200] via 1.20.255.19, VPN-HQ-Tst, 2d18h40mO 1.20.255.252/30 [110/300] via 1.20.255.19, VPN-HQ-Tst, 2d18h40mO 60.60.60.0/26 [110/201] via 1.20.255.19, VPN-HQ-Tst, 2d18h40mO 60.60.60.128/26 [110/201] via 1.20.255.19, VPN-HQ-Tst, 2d18h40mO 60.60.60.208/28 [110/201] via 1.20.255.19, VPN-HQ-Tst, 2d18h40mO 60.60.60.224/28 [110/201] via 1.20.255.19, VPN-HQ-Tst, 2d18h40mO 60.60.60.248/29 [110/201] via 1.20.255.19, VPN-HQ-Tst, 2d18h40mO 66.66.66.64/26 [110/201] via 1.20.255.19, VPN-HQ-Tst, 02:27:20O 66.66.66.128/26 [110/201] via 1.20.255.19, VPN-HQ-Tst, 02:27:20O 66.66.66.224/28 [110/201] via 1.20.255.19, VPN-HQ-Tst, 02:27:20O 66.66.66.240/29 [110/201] via 1.20.255.19, VPN-HQ-Tst, 02:27:20O 70.70.70.64/26 [110/101] via 1.20.255.45, root2VPN1, 2d20h30mO 70.70.70.128/26 [110/101] via 1.20.255.45, root2VPN1, 2d20h30mO 70.70.70.208/28 [110/101] via 1.20.255.45, root2VPN1, 2d20h30mO 70.70.70.224/28 [110/101] via 1.20.255.45, root2VPN1, 2d20h30mO 70.70.70.248/29 [110/101] via 1.20.255.45, root2VPN1, 2d20h30mO 169.253.0.1/32 [110/200] via 1.20.255.19, VPN-HQ-Tst, 2d18h40mO 169.253.0.2/32 [110/300] via 1.20.255.45, root2VPN1, 01w4d00hO 169.253.0.3/32 [110/300] via 1.20.255.19, VPN-HQ-Tst, 2d18h40mO 169.253.0.5/32 [110/400] via 1.20.255.19, VPN-HQ-Tst, 2d18h40mC 169.253.0.7/32 is directly connected, OSPF-VPNO 169.253.0.10/32 [110/200] via 1.20.255.45, root2VPN1, 01w4d18hO 169.253.0.66/32 [110/300] via 1.20.255.19, VPN-HQ-Tst, 02:27:20
Hello, by definition, with OSPF, you should have the same OSPF database in all routers in a specific area. If you want to filter, you need to use different area, or use distribute-list-in on your test branch.
Benoit
Depending on your goal, if you don't want Branch to reach BCN, but still want to use OSPF area 0 for all locations, you should just NOT to set a policy/policies to allow the access.
Playing with OSPF filtering is painful regardless of the vendor as all databases have to be the same on all routers then you are only left with filtering what gets installed in RIB of a specific router, then you have to maintain this mess, but there are some good ideas here https://forum.fortinet.com/tm.aspx?m=146241
Hi , Yes I saw this post. but it is useless for my case. I need more detail information. Do you have any idea or solution?
options: filtering the route or install static routes that have a higher admin distance to override the OSPF. You have been given numerous methods to correct or control this.
Ken Felix
PCNSE
NSE
StrongSwan
Ozz,
if you need some example about filtering OSPF, you can go to the KB documentation of Fortinet. Search for "OSPF filtering" , and you will find some article that can help you to solve your issue. I recommend these two articles linked to what I recommended previously: * distribute-list-in example: https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD30259
* inter-area filtering: https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD33624 Best regards Benoit
I really think you shouldn't be putting all of these vdoms in at least one area0 of OSPF domain while OSPF is designed to share the topology inside an area. To me you're trying to break OSFP design.
Instead, I would set eBGP between HQ VPN-VDOM, BCN VPN-VDOM and Branch root-VDOM, then use OSPF inside HQ and inside BCN, so that those VPN-VDOMs would be ASBR in the OSPF domain and you can control what to import/export using route-maps between OSPF and BGP.
eBGP would better and simpler but a lot of people are nervous about BGP. You could set backbne area 0 between the vpn-dom and set the root-vdoms or links to such as a opsf area 1 area 2 area 3 and then filter at the ABR but that would be a lot of work also
OP why do yo need to filter advertisements ? Sounds like you network address topology needs to be rethought. I would double check you do NOT have CIDR overlaps.
Ken Felix
PCNSE
NSE
StrongSwan
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.