Static routes redistribution over OSPF
I have a FortiGate connected with others using OSPF. This one has some static routes that need to be redistributed over OSPF, so I configured it to redistribute all. But now I need to add some static routes that will not be redistributed.
I found this Technical tip https://community.fortinet.com/t5/FortiGate/Technical-Tip-OSPF-static-routes-redistribution-example/...
It is not exactly what I need, but I tried to adjust it like this:
config router access-list
    edit "NOT-Redistribute"
        config rule
            edit 1
                set prefix 10.241.224.0/19
                set exact-match enable
                set action deny
            next
            edit 2
                set prefix 192.168.192.0/20
                set exact-match enable
                set action deny
            next
            edit 3
                set prefix 10.241.48.0/20
                set exact-match enable
                set action deny
            next
        end
    next
    edit "Redistribute-ALL"
        config rule
            edit 1
                set prefix 0.0.0.0/0
                set exact-match enable
                set action permit
            next
        end
    next
end
config router route-map
    edit "static-to-ospf"
        config rule
            edit 1
                set match-ip-address "NOT-Redistribute"
            next
            edit 2
                set match-ip-address "Redistribute-ALL"
            next
        end
    next
end
Step 3: Use the route-map.
config router ospf
    config redistribute "static"
        set status enable
        set routemap "static-to-ospf"
    end
end
I think that with this it will redistribute all static routes except the 3 listed in NOT-Redistribute.
Am I right?
Hi @DamianE
Say that you have 10 static routes, and you wanted to filter the 3 mentioned in your post, you do not need to have 2 access lists. It can be done with one access-list as below:
config router access-list
    edit "NOT-Redistribute"
        config rule
            edit 1
                set prefix 10.241.224.0/19
                set exact-match enable
                set action deny
            next
            edit 2
                set prefix 192.168.192.0/20
                set exact-match enable
                set action deny
            next
            edit 3
                set prefix 10.241.48.0/20
                set exact-match enable
                set action deny
            next
            edit 4
                set prefix any
            next
        end
    next
end
Then, you apply the access-list to route-map and apply the route-map to the ospf settings:
config router route-map
    edit "static-to-ospf"
        config rule
            edit 1
                set match-ip-address "NOT-Redistribute"
            next
        end
    next
end
Step 3: Use the route-map.
config router ospf
    config redistribute "static"
        set status enable
        set routemap "static-to-ospf"
    end
end
Kayzie Cheng
If you have found a solution, please like and accept it to make it easily accessible for others.
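The filtering logic from the question and the answer above, modelled as an added example (not code from any poster or from Fortinet). It assumes first-match access-list evaluation with an implicit deny, that exact-match enable requires an identical prefix, and that a deny hit makes the route-map rule not match so evaluation moves on to the next rule; the route table is constructed.

```python
import ipaddress

# Access-list rules as (prefix, exact_match, action); "set prefix any" is
# modelled as 0.0.0.0/0 without exact-match and the default action, permit.
DENY3 = [("10.241.224.0/19", True, "deny"),
         ("192.168.192.0/20", True, "deny"),
         ("10.241.48.0/20", True, "deny")]
ANY = ("0.0.0.0/0", False, "permit")
DEFAULT_ONLY = ("0.0.0.0/0", True, "permit")  # 0.0.0.0/0 with exact-match enable


def acl_permits(acl, route):
    """First matching rule decides; no matching rule is an implicit deny."""
    net = ipaddress.ip_network(route)
    for prefix, exact, action in acl:
        rule = ipaddress.ip_network(prefix)
        if (net == rule) if exact else net.subnet_of(rule):
            return action == "permit"
    return False


def redistributed(route_map, routes):
    """route_map is an ordered list of access-lists, one per route-map rule
    (rule action left at its default, permit, as in the thread's configs)."""
    return [r for r in routes if any(acl_permits(acl, r) for acl in route_map)]


# Constructed static route table: the three filtered prefixes plus three others.
ROUTES = ["0.0.0.0/0", "10.241.224.0/19", "192.168.192.0/20",
          "10.241.48.0/20", "10.10.0.0/16", "172.16.5.0/24"]

QUESTION = [DENY3, [DEFAULT_ONLY]]   # two lists, second is 0.0.0.0/0 exact
ANSWER = [DENY3 + [ANY]]             # one list ending in "set prefix any"
TWO_LISTS_ANY = [DENY3, [ANY]]       # variant: second list changed to "any"

if __name__ == "__main__":
    for name, rm in (("question", QUESTION), ("answer", ANSWER),
                     ("two lists + any", TWO_LISTS_ANY)):
        print(f"{name:16} -> {redistributed(rm, ROUTES)}")
```

Under these assumptions the question's route-map passes only a static default route, and simply switching its second list to `any` would let the three excluded prefixes through on rule 2, which is why the deny entries and the final permit belong in the same access-list.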
If you still want to separate "allow-all", probably this is the one you wanted to follow.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Create-an-Access-list-on-a-Route-Map-that-...
It could be more flexible when you can have multiple "deny" access-lists by grouping them.
I would use "config router prefix-list" though instead of "config router access-list". A little more intuitive if your background is L3 routers, like Cisco, Juniper, etc.
Toshi
I tried it just like you proposed; it's more elegant.
Thanks!!
Created on 11-08-2023 05:28 PM, edited on 11-08-2023 05:36 PM
Although the KB I referred to was based on BGP, the access-list and route-map part should be the same with OSPF. Especially when they're applied to static route re-distribution.
Toshi
