Hello,
I am stuck on one issue. I have an environment whose routing protocol is OSPF. HQ-Test: 60.60.60.0/24
BCN-Test: 70.70.70.0/24. Test-Branch: 66.66.66.0/24.
HQ-Test and BCN-Test are connected via VPN.
HQ-Test and Test-Branch are connected via VPN.
I don't want to advertise the Test-Branch IP block to BCN-Test. I have tried an access-list and a prefix-list; it has not worked. I am also adding the routing tables from all sites.
Do you have any idea for a solution?
HQ-TEST routing table:

HQ-TEST (VPN-VDOM) # get router info routing-table all
S*      0.0.0.0/0 [5/0] via X.X.X.129, internal7
C       1.20.255.19/32 is directly connected, VPN-Tst-BCN_0
C       1.20.255.20/32 is directly connected, VPN-Tst-BCN_0
O       1.20.255.40/30 [110/300] via 1.20.255.20, VPN-Tst-BCN_0, 2d18h39m
O       1.20.255.44/30 [110/200] via 1.20.255.20, VPN-Tst-BCN_0, 2d18h39m
C       1.20.255.59/32 is directly connected, VPN_Bnch2_Dp
                       is directly connected, VPN_Bnch2_Dp_0
C       1.20.255.60/32 is directly connected, VPN_Bnch2_Dp
                       is directly connected, VPN_Bnch2_Dp_0
C       1.20.255.248/30 is directly connected, root2VPN1
O       1.20.255.252/30 [110/200] via 1.20.255.249, root2VPN1, 01w4d19h
O       60.60.60.0/26 [110/101] via 1.20.255.249, root2VPN1, 2d20h28m
O       60.60.60.128/26 [110/101] via 1.20.255.249, root2VPN1, 2d20h28m
O       60.60.60.208/28 [110/101] via 1.20.255.249, root2VPN1, 2d20h28m
O       60.60.60.224/28 [110/101] via 1.20.255.249, root2VPN1, 2d20h28m
O       60.60.60.248/29 [110/101] via 1.20.255.249, root2VPN1, 2d20h28m
C       62.96.202.128/27 is directly connected, internal7
S       66.66.66.0/24 [15/0] via 95.91.224.231, VPN_Bnch2_Dp_0
O       66.66.66.64/26 [110/101] via 1.20.255.60, VPN_Bnch2_Dp_0, 02:26:48
O       66.66.66.128/26 [110/101] via 1.20.255.60, VPN_Bnch2_Dp_0, 02:26:48
O       66.66.66.224/28 [110/101] via 1.20.255.60, VPN_Bnch2_Dp_0, 02:26:48
O       66.66.66.240/29 [110/101] via 1.20.255.60, VPN_Bnch2_Dp_0, 02:26:48
O       70.70.70.64/26 [110/201] via 1.20.255.20, VPN-Tst-BCN_0, 2d18h39m
O       70.70.70.128/26 [110/201] via 1.20.255.20, VPN-Tst-BCN_0, 2d18h39m
O       70.70.70.208/28 [110/201] via 1.20.255.20, VPN-Tst-BCN_0, 2d18h39m
O       70.70.70.224/28 [110/201] via 1.20.255.20, VPN-Tst-BCN_0, 2d18h39m
O       70.70.70.248/29 [110/201] via 1.20.255.20, VPN-Tst-BCN_0, 2d18h39m
C       169.253.0.1/32 is directly connected, OSPF_Loopback
O       169.253.0.2/32 [110/400] via 1.20.255.20, VPN-Tst-BCN_0, 2d18h39m
O       169.253.0.3/32 [110/200] via 1.20.255.249, root2VPN1, 01w4d19h
O       169.253.0.5/32 [110/300] via 1.20.255.249, root2VPN1, 01w4d19h
O       169.253.0.7/32 [110/200] via 1.20.255.20, VPN-Tst-BCN_0, 2d18h39m
O       169.253.0.10/32 [110/300] via 1.20.255.20, VPN-Tst-BCN_0, 2d18h39m
O       169.253.0.66/32 [110/200] via 1.20.255.60, VPN_Bnch2_Dp_0, 02:26:48
BCN-TST routing table:

BCN-TEST (VPN-VDOM) # get router info routing-table all
S*      0.0.0.0/0 [5/0] via Y.Y.Y.1, wan2
C       1.20.255.19/32 is directly connected, VPN-HQ-Tst
C       1.20.255.20/32 is directly connected, VPN-HQ-Tst
O       1.20.255.40/30 [110/200] via 1.20.255.45, root2VPN1, 01w4d00h
C       1.20.255.44/30 is directly connected, root2VPN1
O       1.20.255.59/32 [110/100] via 1.20.255.19, VPN-HQ-Tst, 2d18h40m
O       1.20.255.60/32 [110/200] via 1.20.255.19, VPN-HQ-Tst, 2d18h40m
O       1.20.255.248/30 [110/200] via 1.20.255.19, VPN-HQ-Tst, 2d18h40m
O       1.20.255.252/30 [110/300] via 1.20.255.19, VPN-HQ-Tst, 2d18h40m
O       60.60.60.0/26 [110/201] via 1.20.255.19, VPN-HQ-Tst, 2d18h40m
O       60.60.60.128/26 [110/201] via 1.20.255.19, VPN-HQ-Tst, 2d18h40m
O       60.60.60.208/28 [110/201] via 1.20.255.19, VPN-HQ-Tst, 2d18h40m
O       60.60.60.224/28 [110/201] via 1.20.255.19, VPN-HQ-Tst, 2d18h40m
O       60.60.60.248/29 [110/201] via 1.20.255.19, VPN-HQ-Tst, 2d18h40m
O       66.66.66.64/26 [110/201] via 1.20.255.19, VPN-HQ-Tst, 02:27:20
O       66.66.66.128/26 [110/201] via 1.20.255.19, VPN-HQ-Tst, 02:27:20
O       66.66.66.224/28 [110/201] via 1.20.255.19, VPN-HQ-Tst, 02:27:20
O       66.66.66.240/29 [110/201] via 1.20.255.19, VPN-HQ-Tst, 02:27:20
O       70.70.70.64/26 [110/101] via 1.20.255.45, root2VPN1, 2d20h30m
O       70.70.70.128/26 [110/101] via 1.20.255.45, root2VPN1, 2d20h30m
O       70.70.70.208/28 [110/101] via 1.20.255.45, root2VPN1, 2d20h30m
O       70.70.70.224/28 [110/101] via 1.20.255.45, root2VPN1, 2d20h30m
O       70.70.70.248/29 [110/101] via 1.20.255.45, root2VPN1, 2d20h30m
O       169.253.0.1/32 [110/200] via 1.20.255.19, VPN-HQ-Tst, 2d18h40m
O       169.253.0.2/32 [110/300] via 1.20.255.45, root2VPN1, 01w4d00h
O       169.253.0.3/32 [110/300] via 1.20.255.19, VPN-HQ-Tst, 2d18h40m
O       169.253.0.5/32 [110/400] via 1.20.255.19, VPN-HQ-Tst, 2d18h40m
C       169.253.0.7/32 is directly connected, OSPF-VPN
O       169.253.0.10/32 [110/200] via 1.20.255.45, root2VPN1, 01w4d18h
O       169.253.0.66/32 [110/300] via 1.20.255.19, VPN-HQ-Tst, 02:27:20
I cannot change the topology from OSPF to BGP. Normally I will connect Test-Branch to BCN-TEST. This is why I need to stop advertising the Branch block from the HQ site to the BCN site,
but BCN-Tst also has a VPN connection to the Branch office. (I cannot build the scenario because of my lack of resources, like static IPs.) If I write this ACL on BCN-Tst, it will not accept the Branch site block from the Branch either.
I have another idea: if I run two VRFs in the backbone area, it may work, but I am not sure. If I have time, I will try.
Dear Ozz,
Please send us your OSPF configuration and the ACLs.
Thanks
Hi Ozz,
If you apply an ACL in the area configuration, it means that you want to filter between different areas. In your case you only have one area.
I think you have to apply your ACL directly on the FGT BCN-Test with the following configuration:

config router access-list
    edit "ac_drop_66"
        config rule
            edit 1
                set action deny
                set prefix 66.66.66.0 255.255.255.0
                # exact-match disable: BCN-Test learns 66.66.66.64/26, .128/26, .224/28 and .240/29, not the /24 itself,
                # so with exact-match enable this deny rule would match none of them
                set exact-match disable
            next
            edit 2
                set action permit
                set prefix any
            next
        end
    next
end
config router ospf
    set distribute-list-in "ac_drop_66"
end

Thanks,
CCH
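An added example, not code from the thread or from Fortinet: a small model of how a FortiOS access-list rule set is evaluated (rules in order, first match wins, implicit deny when nothing matches, and `exact-match` either requiring the route to be identical to the rule prefix or only to fall inside it), run over the OSPF prefixes that the posted BCN-TEST routing table shows arriving from HQ. It demonstrates why a deny on 66.66.66.0/24 with `exact-match enable` lets all four Branch routes (/26, /26, /28, /29) through, while the same rule with `exact-match disable` drops them and nothing else. The route list is copied from the routing tables above; the matching semantics are the documented FortiOS behaviour, but the evaluator itself is my own and is not FortiOS code. One caveat that the answer does not state: `distribute-list-in` only keeps the prefixes out of BCN-Test's own routing table. In a single OSPF area the LSAs still flood to BCN-Test's LSDB, so this does not stop the advertisement, it only stops BCN-Test from installing the routes.

```python
"""FortiOS-style access-list evaluation over the OSPF prefixes from the
thread's routing tables. Added example for this thread, not FortiOS code:
it models rule semantics (ordered rules, first match wins, implicit deny,
exact-match on/off) to show which Branch routes a given rule set drops."""
from ipaddress import IPv4Network, ip_network

# Prefixes BCN-TEST learns via OSPF from HQ (copied from the posted table).
ROUTES_FROM_HQ = [
    "60.60.60.0/26", "60.60.60.128/26", "60.60.60.208/28",
    "60.60.60.224/28", "60.60.60.248/29",
    "66.66.66.64/26", "66.66.66.128/26", "66.66.66.224/28", "66.66.66.240/29",
    "1.20.255.59/32", "1.20.255.60/32", "1.20.255.248/30", "1.20.255.252/30",
    "169.253.0.1/32", "169.253.0.3/32", "169.253.0.5/32", "169.253.0.66/32",
]


def rule(action: str, prefix: str = "any", exact_match: bool = False) -> dict:
    """One access-list rule. prefix is 'any' or a CIDR string."""
    return {
        "action": action,
        "prefix": None if prefix == "any" else ip_network(prefix),
        "exact_match": exact_match,
    }


def rule_matches(r: dict, route: IPv4Network) -> bool:
    """'any' matches everything; exact-match needs an identical prefix;
    otherwise any route inside the rule prefix (same or longer mask) matches."""
    if r["prefix"] is None:
        return True
    if r["exact_match"]:
        return route == r["prefix"]
    return route.subnet_of(r["prefix"])


def evaluate(rules: list, route_str: str) -> str:
    """First matching rule decides; no match means the implicit deny."""
    route = ip_network(route_str)
    for r in rules:
        if rule_matches(r, route):
            return r["action"]
    return "deny"


def denied(rules: list, routes=ROUTES_FROM_HQ) -> list:
    """Routes the rule set keeps out of the routing table."""
    return sorted(rt for rt in routes if evaluate(rules, rt) == "deny")


# The access-list as posted in the answer (exact-match enable on a /24).
AS_POSTED = [rule("deny", "66.66.66.0/24", exact_match=True), rule("permit")]
# Same rule with exact-match disabled: matches every prefix inside the /24.
EXACT_OFF = [rule("deny", "66.66.66.0/24", exact_match=False), rule("permit")]

if __name__ == "__main__":
    print("exact-match enable, denied: ", denied(AS_POSTED))
    print("exact-match disable, denied:", denied(EXACT_OFF))
```

With `exact-match enable` the only prefix the deny rule would ever catch is a literal 66.66.66.0/24, which is not what HQ advertises (its static 66.66.66.0/24 is not redistributed, only the OSPF /26, /28 and /29 subnets are), so the permit-any rule admits all four Branch routes. With `exact-match disable` the evaluator drops exactly those four and leaves the HQ, BCN and loopback prefixes untouched.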
Copyright 2024 Fortinet, Inc. All Rights Reserved.