Thursday, March 19, 2015

OSPF E2 route filter Fortigate

How to filter OSPF typeE2 routes using a  distribution list on  FortiGate. Some times you need to filter OSPF routes inbound & that you received from a OSPF neighbor.

In this example, I'm receiving the following ospf routes;

We will filter the last ospf type-E2 route

Here's the basic steps;

1: 1st create prefix-list with deny action for the prefix(es) that you want to filter

2:  include a last match of any with an accept

3: apply the distribution list in the general ospf cfg

Now here's the cfg;

config router prefix-list
    edit "dropit"
            config rule
                edit 1
                    set action deny
                    set prefix
                    unset ge
                    unset le
                edit 2
                    set prefix
                    unset ge
                    set le 32

Ensure you have a any any cause to allow for all others,  insert any new filter rules with the exact match or criteria as required

Now build the distribution map in our general ospf configuration;

config router ospf 
   set distribute-list-in "dropit"

Keep in mind the ospf LSA database will always shows the  LSA for this network regardless if it's filter from RIB.

A distribution list is not the most ideal way of controlling route migrations, you should always control route dissemination at the source of the routing info imho.

And here's our ospf route infromation after we apply the filtering;

Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix  -----a----t---- socpuppets ---dot---com

    ^     ^
=(  !  ! )=
      /  \

No comments:

Post a Comment