FortiGate
rmetzger
Staff
Article Id 198739
Description
This article presents an example of how to control OSPF routes when two routers have parallel (redundant) links to each other.

The following scenario illustrates this example:

10.160.0.0/23 [ FGT1 ] --- wan1 ----- [ FGT2 ] ---- 192.168.182.0/23 + default route
------------- [------] --- wan2 ----- [------]


OSPF is enabled on all interfaces of FGT1 and FGT2.


Requirements:
  • FGT1 should learn the network 192.168.182.0/23 and the default route only via wan1
  • FGT2 should learn the network 10.160.0.0/23 only via wan1
  • wan2 should be used as backup link only

Scope
All FortiOS

Solution
The solution described hereafter is based on the OSPF interface cost.

Step 1: Situation with default settings


FGT1 # get router  info  ospf  neighbor
OSPF process 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.2.2.2          1   Full/Backup     00:00:33    10.182.0.187    wan1
10.2.2.2          1   Full/Backup     00:00:31    10.183.0.187    wan2


FGT1 # get router info routing-table ospf
O*E2    0.0.0.0/0 [110/10] via 10.183.0.187, wan2, 00:00:01
                            [110/10] via 10.182.0.187, wan1, 00:00:01
O       192.168.182.0/23 [110/20] via 10.183.0.187, wan2, 00:02:04
                                       [110/20] via 10.182.0.187, wan1, 00:02:04

  
FGT2 # get router info ospf  neighbor
OSPF process 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.1.1.1          1   Full/DR         00:00:38    10.182.0.57     wan1
10.1.1.1          1   Full/DR         00:00:38    10.183.0.57     wan2


FGT2 # get router info routing-table ospf
O       10.160.0.0/23 [110/20] via 10.183.0.57, wan2, 00:00:39
                                  [110/20] via 10.182.0.57, wan1, 00:00:39


We see from the above that two adjacencies are brought up and that, due to ECMP, both FortiGates learn each route via both wan1 and wan2.


Step 2: Controlling routes on FGT2

The cost of the wan2 interface is increased to 200 (10 is the default in this situation).

FGT2 # config router ospf
           config ospf-interface
               edit "WAN2_higher_cost"
                   set cost 200
                   set interface "wan2"
               next
           end
       end
      
  • There are no route changes on FGT1:

FGT1 # get router info  routing-table ospf
O*E2    0.0.0.0/0 [110/10] via 10.183.0.187, wan2, 00:07:33
                            [110/10] via 10.182.0.187, wan1, 00:07:33
O       192.168.182.0/23 [110/20] via 10.183.0.187, wan2, 00:07:33
                                        [110/20] via 10.182.0.187, wan1, 00:07:33

  • But FGT2 now only learns the remote route via wan1:

FGT2 # get router info routing-table ospf
O       10.160.0.0/23 [110/20] via 10.182.0.57, wan1, 00:05:18       
   

  • LSDB check on FGT1 and FGT2:

FGT1 # get router info  ospf  database  router lsa
   Router Link States (Area 0.0.0.0)

  LS age: 16
  Options: 0x2 (*|-|-|-|-|-|E|-)
  Flags: 0x0
  LS Type: router-LSA
  Link State ID: 10.1.1.1
  Advertising Router: 10.1.1.1
  LS Seq Number: 8000000f
  Checksum: 0xd97c
  Length: 60
   Number of Links: 3

    Link connected to: Stub Network
     (Link ID) Network/subnet number: 10.160.0.0
     (Link Data) Network Mask: 255.255.254.0
      Number of TOS metrics: 0
       TOS 0 Metric: 10

    Link connected to: a Transit Network
     (Link ID) Designated Router address: 10.183.0.187
     (Link Data) Router Interface address: 10.183.0.57
      Number of TOS metrics: 0
       TOS 0 Metric: 10

    Link connected to: a Transit Network
     (Link ID) Designated Router address: 10.182.0.187
     (Link Data) Router Interface address: 10.182.0.57
      Number of TOS metrics: 0
       TOS 0 Metric: 10


  LS age: 21
  Options: 0x2 (*|-|-|-|-|-|E|-)
  Flags: 0x2 : ASBR
  LS Type: router-LSA
  Link State ID: 10.2.2.2
  Advertising Router: 10.2.2.2
  LS Seq Number: 80000013
  Checksum: 0x48c8
  Length: 60
   Number of Links: 3

    Link connected to: Stub Network
     (Link ID) Network/subnet number: 192.168.182.0
     (Link Data) Network Mask: 255.255.254.0
      Number of TOS metrics: 0
       TOS 0 Metric: 10

    Link connected to: a Transit Network
     (Link ID) Designated Router address: 10.183.0.187
     (Link Data) Router Interface address: 10.183.0.187
      Number of TOS metrics: 0
       TOS 0 Metric: 200

    Link connected to: a Transit Network
     (Link ID) Designated Router address: 10.182.0.187
     (Link Data) Router Interface address: 10.182.0.187
      Number of TOS metrics: 0
       TOS 0 Metric: 10

                  
FGT2 # get router info ospf database router lsa

                Router Link States (Area 0.0.0.0)

  LS age: 258
  Options: 0x2 (*|-|-|-|-|-|E|-)
  Flags: 0x0
  LS Type: router-LSA
  Link State ID: 10.1.1.1
  Advertising Router: 10.1.1.1
  LS Seq Number: 80000008
  Checksum: 0x5b07
  Length: 60
   Number of Links: 3

    Link connected to: Stub Network
     (Link ID) Network/subnet number: 10.160.0.0
     (Link Data) Network Mask: 255.255.254.0
      Number of TOS metrics: 0
       TOS 0 Metric: 10

    Link connected to: a Transit Network
     (Link ID) Designated Router address: 10.183.0.57
     (Link Data) Router Interface address: 10.183.0.57
      Number of TOS metrics: 0
       TOS 0 Metric: 10

    Link connected to: a Transit Network
     (Link ID) Designated Router address: 10.182.0.57
     (Link Data) Router Interface address: 10.182.0.57
      Number of TOS metrics: 0
       TOS 0 Metric: 10


  LS age: 257
  Options: 0x2 (*|-|-|-|-|-|E|-)
  Flags: 0x2 : ASBR
  LS Type: router-LSA
  Link State ID: 10.2.2.2
  Advertising Router: 10.2.2.2
  LS Seq Number: 8000000c
  Checksum: 0xc953
  Length: 60
   Number of Links: 3

    Link connected to: Stub Network
     (Link ID) Network/subnet number: 192.168.182.0
     (Link Data) Network Mask: 255.255.254.0
      Number of TOS metrics: 0
       TOS 0 Metric: 10

    Link connected to: a Transit Network
     (Link ID) Designated Router address: 10.183.0.57
     (Link Data) Router Interface address: 10.183.0.187
      Number of TOS metrics: 0
       TOS 0 Metric: 200

    Link connected to: a Transit Network
     (Link ID) Designated Router address: 10.182.0.57
     (Link Data) Router Interface address: 10.182.0.187
      Number of TOS metrics: 0
       TOS 0 Metric: 10


Step 3: Controlling routes on FGT1


  • The cost of the wan2 interface is increased to 200 (10 is the default in this situation).
 
FGT1 # config router ospf
           config ospf-interface
               edit "WAN2_higher_cost"
                   set cost 200
                   set interface "wan2"
               next
           end
       end

  • Now both FGT1 and FGT2 have only one route, via wan1:

FGT1 # get router info  routing-table ospf
O*E2    0.0.0.0/0        [110/10] via 10.182.0.187, wan1, 00:00:40
O       192.168.182.0/23 [110/20] via 10.182.0.187, wan1, 00:00:40


FGT2 # get router info routing-table ospf
O       10.160.0.0/23 [110/20] via 10.182.0.57, wan1, 00:09:37

  • LSDB check on FGT1:

FGT1 # get router info  ospf  database  router lsa

                Router Link States (Area 0.0.0.0)

  LS age: 81
  Options: 0x2 (*|-|-|-|-|-|E|-)
  Flags: 0x0
  LS Type: router-LSA
  Link State ID: 10.1.1.1
  Advertising Router: 10.1.1.1
  LS Seq Number: 8000000b
  Checksum: 0xe637
  Length: 60
   Number of Links: 3

    Link connected to: Stub Network
     (Link ID) Network/subnet number: 10.160.0.0
     (Link Data) Network Mask: 255.255.254.0
      Number of TOS metrics: 0
       TOS 0 Metric: 10

    Link connected to: a Transit Network
     (Link ID) Designated Router address: 10.183.0.187
     (Link Data) Router Interface address: 10.183.0.57
      Number of TOS metrics: 0
       TOS 0 Metric: 200

    Link connected to: a Transit Network
     (Link ID) Designated Router address: 10.182.0.57
     (Link Data) Router Interface address: 10.182.0.57
      Number of TOS metrics: 0
       TOS 0 Metric: 10

  LS age: 83
  Options: 0x2 (*|-|-|-|-|-|E|-)
  Flags: 0x2 : ASBR
  LS Type: router-LSA
  Link State ID: 10.2.2.2
  Advertising Router: 10.2.2.2
  LS Seq Number: 8000000e
  Checksum: 0xfc9b
  Length: 60
   Number of Links: 3

    Link connected to: Stub Network
     (Link ID) Network/subnet number: 192.168.182.0
     (Link Data) Network Mask: 255.255.254.0
      Number of TOS metrics: 0
       TOS 0 Metric: 10

    Link connected to: a Transit Network
     (Link ID) Designated Router address: 10.183.0.187
     (Link Data) Router Interface address: 10.183.0.187
      Number of TOS metrics: 0
       TOS 0 Metric: 200

    Link connected to: a Transit Network
     (Link ID) Designated Router address: 10.182.0.57
     (Link Data) Router Interface address: 10.182.0.187
      Number of TOS metrics: 0
       TOS 0 Metric: 10


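The results of Steps 2 and 3 follow from how OSPF charges cost: a router pays the cost of its own outgoing interface, so raising the cost of wan2 on FGT2 changes FGT2's SPF tree but not FGT1's, and each router has to be configured for its own direction. The small SPF model below reproduces the routing tables shown above from the interface costs and the LSA metrics; it also covers the case where wan1 is down. This is an added example, not FortiOS code: the router and interface names, the costs 10 and 200 and the stub and external metrics come from the outputs in this article, while the graph representation and function names are assumptions of the model.

```python
"""Small SPF model of the two-FortiGate topology in this article.
Added example, not FortiOS code: router and interface names, the interface
costs (10 by default, 200 after the change) and the stub/external metrics
are taken from the article's outputs; everything else is an assumption.
"""
import heapq


def shortest_paths(lsdb, source):
    """Dijkstra over a graph of routers and transit networks.

    lsdb maps router -> {network: cost of that router's OWN interface onto the
    network}. A router pays its outgoing interface cost to reach a network and
    the network forwards to any attached router for free, which is exactly why
    raising the cost on FGT2's wan2 changes nothing in FGT1's SPF tree.
    Returns {router: (path cost, frozenset of first-hop networks)}; more than
    one first hop means ECMP.
    """
    adj = {}
    for router, ifaces in lsdb.items():
        for net, cost in ifaces.items():
            assert 1 <= cost <= 65535, "OSPF interface cost is 1..65535"
            adj.setdefault(router, []).append((net, cost))
            adj.setdefault(net, []).append((router, 0))
    dist = {source: 0}
    pq = [(0, source)]
    while pq:
        d, node = heapq.heappop(pq)
        if d > dist[node]:
            continue
        for nxt, w in adj.get(node, []):
            if d + w < dist.get(nxt, float("inf")):
                dist[nxt] = d + w
                heapq.heappush(pq, (d + w, nxt))
    # Shortest-path DAG: u is a predecessor of v when dist[u] + w == dist[v].
    # Collecting first hops through every predecessor keeps equal-cost paths.
    preds = {}
    for u, edges in adj.items():
        for v, w in edges:
            if u in dist and v in dist and dist[u] + w == dist[v]:
                preds.setdefault(v, []).append(u)
    memo = {}

    def first_hops(v):
        if v == source:
            return frozenset()
        if v not in memo:
            hops = set()
            for u in preds[v]:
                hops |= {v} if u == source else first_hops(u)
            memo[v] = frozenset(hops)
        return memo[v]

    return {r: (dist[r], first_hops(r)) for r in lsdb if r != source and r in dist}


def route_table(lsdb, source, stubs, externals):
    """Build the OSPF routes seen by `source`.

    stubs: {prefix: (advertising router, stub link metric)} -> intra-area 'O'
    routes, metric = path cost to that router + stub metric.
    externals: {prefix: (ASBR, E2 metric)} -> 'O*E2' routes, whose metric is
    the external metric alone; the path cost only decides which exit is used.
    Returns {prefix: (metric, frozenset of first-hop networks)}.
    """
    spf = shortest_paths(lsdb, source)
    table = {}
    for prefix, (router, metric) in stubs.items():
        cost, hops = spf[router]
        table[prefix] = (cost + metric, hops)
    for prefix, (asbr, metric) in externals.items():
        _cost, hops = spf[asbr]
        table[prefix] = (metric, hops)
    return table


# What each side advertises, as in the router LSAs shown in the article.
FGT1_STUBS = {"10.160.0.0/23": ("FGT1", 10)}
FGT2_STUBS = {"192.168.182.0/23": ("FGT2", 10)}
FGT2_EXTERNALS = {"0.0.0.0/0": ("FGT2", 10)}    # FGT2 is the ASBR (Flags: ASBR)


def scenario(fgt1_wan2_cost, fgt2_wan2_cost, wan1_up=True):
    """Return (FGT1 routes, FGT2 routes) for the given per-router wan2 costs."""
    lsdb = {"FGT1": {"wan1": 10, "wan2": fgt1_wan2_cost},
            "FGT2": {"wan1": 10, "wan2": fgt2_wan2_cost}}
    if not wan1_up:                       # link failure: both routers lose wan1
        for ifaces in lsdb.values():
            del ifaces["wan1"]
    return (route_table(lsdb, "FGT1", FGT2_STUBS, FGT2_EXTERNALS),
            route_table(lsdb, "FGT2", FGT1_STUBS, {}))


if __name__ == "__main__":
    for label, args in (("step 1", (10, 10)), ("step 2", (10, 200)),
                        ("step 3", (200, 200)), ("wan1 down", (200, 200, False))):
        fgt1, fgt2 = scenario(*args)
        print(f"{label:10} FGT1: {fgt1}")
        print(f"{'':10} FGT2: {fgt2}")
```

Running the script prints one line per step: with costs (10, 10) every prefix has two first hops (ECMP), with (10, 200) only FGT2 collapses to wan1, and with (200, 200) both routers use wan1 only. With wan1 removed, the intra-area routes come out at 210 (200 for wan2 plus the stub metric of 10) while the E2 default keeps its external metric of 10.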
Step 4: Route redundancy verification


When wan1 is brought down, the OSPF routes via wan2 appear in the routing tables. The intra-area routes now carry metric 210 (the wan2 interface cost of 200 plus the stub metric of 10), while the E2 default route keeps its external metric of 10, since a type-2 external metric does not include the internal path cost:

FGT1 # get router info  routing-table ospf
O*E2    0.0.0.0/0        [110/10]  via 10.183.0.187, wan2, 00:00:06
O       192.168.182.0/23 [110/210] via 10.183.0.187, wan2, 00:00:06

FGT2 # get router info routing-table ospf
O       10.160.0.0/23 [110/210] via 10.183.0.57, wan2, 00:00:14


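The requirements in the Description section (each remote prefix learned only via wan1) can be checked automatically against captured `get router info routing-table ospf` output, both after the change and during routine verification. The following parser and check are an added example, not Fortinet's code: the two sample outputs are copied in shape from the FGT1 tables shown in Steps 1 and 3 of this article, and the function names and the expected-interface mapping are assumptions.

```python
"""Parse FortiOS 'get router info routing-table ospf' output and verify that
each prefix is reachable only through its intended primary interface.
Added example, not Fortinet's code; samples copied from this article's outputs.
"""
import re

# Constructed sample: FGT1 in Step 1 (ECMP, two next hops per prefix).
STEP1_FGT1 = """\
O*E2    0.0.0.0/0 [110/10] via 10.183.0.187, wan2, 00:00:01
                            [110/10] via 10.182.0.187, wan1, 00:00:01
O       192.168.182.0/23 [110/20] via 10.183.0.187, wan2, 00:02:04
                                       [110/20] via 10.182.0.187, wan1, 00:02:04
"""
# Constructed sample: FGT1 in Step 3 (single path via wan1).
STEP3_FGT1 = """\
O*E2    0.0.0.0/0              [110/10] via 10.182.0.187, wan1, 00:00:40
O         192.168.182.0/23 [110/20] via 10.182.0.187, wan1, 00:00:40
"""

# Requirement from the article: FGT1 must learn both prefixes via wan1 only.
FGT1_REQUIRED = {"0.0.0.0/0": "wan1", "192.168.182.0/23": "wan1"}

# A route line carries the code and prefix; an ECMP continuation line is
# indented and starts directly at "[AD/metric]".
ROUTE_RE = re.compile(
    r"^\s*(?:(?P<code>O\*?(?:\s?(?:E1|E2|IA|N1|N2))?)\s+"
    r"(?P<prefix>\d+(?:\.\d+){3}/\d+)\s+)?"
    r"\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nh>\d+(?:\.\d+){3}),\s*(?P<iface>[^,\s]+),"
)


def parse_ospf_routes(text):
    """Return {prefix: [(metric, next_hop, interface), ...]}.

    Continuation lines (no prefix) are attached to the preceding prefix, so a
    prefix with more than one entry is an ECMP route.
    """
    routes = {}
    current = None
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        if m.group("prefix"):
            current = m.group("prefix")
            routes.setdefault(current, [])
        if current is None:
            raise ValueError(f"continuation line before any prefix: {line!r}")
        routes[current].append((int(m.group("metric")), m.group("nh"), m.group("iface")))
    return routes


def check_primary_path(routes, expected_iface):
    """expected_iface: {prefix: the only interface allowed as next hop}.

    Returns a list of violations; an empty list means the requirement is met.
    A missing prefix and a prefix still load-balanced over two links are both
    reported, since either breaks the 'wan2 is backup only' intent.
    """
    problems = []
    for prefix, iface in expected_iface.items():
        hops = routes.get(prefix)
        if not hops:
            problems.append(f"{prefix}: missing from the OSPF routing table")
            continue
        ifaces = sorted({h[2] for h in hops})
        if ifaces != [iface]:
            problems.append(f"{prefix}: next hops on {ifaces}, expected only {iface}")
    return problems


if __name__ == "__main__":
    print("Step 1:", check_primary_path(parse_ospf_routes(STEP1_FGT1), FGT1_REQUIRED))
    print("Step 3:", check_primary_path(parse_ospf_routes(STEP3_FGT1), FGT1_REQUIRED))
```

Against the Step 1 sample the check reports both prefixes as split over wan1 and wan2; against the Step 3 sample it returns an empty list. The same check run on FGT2's output with `{"10.160.0.0/23": "wan1"}` verifies the other side.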
