Advanced inter-area OSPF example

This example sets up an OSPF network at a large office. There are three areas, each with two routers. Typically OSPF areas wouldn't be this small, and if they were, the areas would be combined into one larger area. However, the stub area services the accounting department whose members are very sensitive about their network and don't want their network information broadcasted through the rest of the company. The backbone area contains the bulk of the company's network devices. The regular area was established for various reasons, such as hosting the company servers in a separate area with extra security.

One area is a small stub area that has no independent Internet connection, and has only one connection to the backbone area. That connection between the stub area and the backbone area is only through a default route. No routes outside the stub area are advertised into that area. Another area is the backbone, which is connected to the other two areas. The third area has the Internet connection, and all traffic to and from the Internet must use that area’s connection. If that traffic comes from the stub area, then that traffic is treating the backbone like a transit area that only uses it to get to another area.

In the stub area, a subnet of computers is running the RIP routing protocol and those routes must be redistributed into the OSPF areas.

Network layout and assumptions

There are four FortiGate devices in this network topology, which are acting as OSPF routers:

Advanced inter-area OSPF network topology

Area 1.1.1.1 is a stub area with one FortiGate OSPF router called Router1 (DR). Its only access outside of that area is a default route to the backbone area, which is how it accesses the Internet. Traffic must go from the stub area, through the backbone, to the third area to reach the Internet. The backbone area in this configuration is called a transit area. Also, in area 1.1.1.1 there is a RIP router that will be providing routes to the OSPF area through redistribution.

Area 0.0.0.0 is the backbone area and has two FortiGate device routers named Router2 (BDR) and Router3 (DR).

Area 2.2.2.2 is a regular area that has an Internet connection accessed by both the other two OSPF areas. There is only one FortiGate device router in this area called Router4 (DR). This area is more secure and requires MD5 authentication by routers.

All areas have user networks connected but they're not important for configuring the network layout for this example.

Internal interfaces are connected to internal user networks only. External1 interfaces are connected to the 10.11.110.0 network, joining Area 1.1.1.1 and Area 0.0.0.0.

External2 interfaces are connected to the 10.11.111.0 network, joining Area 0.0.0.0 and Area 2.2.2.2. The ISP interface is called ISP.

Routers, areas, interfaces, and IP addresses for advanced OSPF network

Router name	Area number and type	Interface	IP address
Router1 (DR)	1.1.1.1 - stub area (Accounting)	port1 (internal)	10.11.101.1
		port2 (external1)	10.11.110.1
Router2 (BDR)	0.0.0.0 - backbone area ( R&D Network)	port1 (internal)	10.11.102.2
		port2 (external1)	10.11.110.2
		port3 (external2)	10.11.111.2
Router3 (DR)	0.0.0.0 - backbone area (R&D Network)	port1 (internal)	10.11.103.3
		port2 (external1)	10.11.110.3
		port3 (external2)	10.11.111.3
Router4 (DR)	2.2.2.2 - regular area (Network Admin)	port1 (internal)	10.11.104.4
		port2 (external2)	10.11.111.4
		port3 (ISP)	172.20.120.4

Note that other subnets can be added to the internal interfaces without changing the configuration.

Assumptions

• The FortiGate devices used in this example have interfaces named port1, port2, and port3.
• All FortiGate devices in this example have factory default configuration with FortiOS 4.0 MR2 firmware installed and are in NAT mode.
• During configuration, if settings are not directly referred to, they will be left at the default settings.
• Basic firewalls are in place to allow unfiltered traffic between all connected interfaces in both directions.
• This OSPF network is not connected to any other OSPF areas outside of this example.
• The Internet connection is always available.
• Other devices may be on the network but do not affect this configuration.

Configuring the FortiGate devices

This section configures the basic settings on the FortiGate devices to be OSPF routers. These configurations include multiple interface settings and the hostname.

There are four FortiGate devices in this example. The two devices in the backbone area can be configured exactly the same except for IP addresses, so only the Router3 (the DR) configuration will be given, with notes indicating Router2's (the BDR) IP addresses.

Configuring the FortiGate devices includes:

• Configuring Router1
• Configuring Router2
• Configuring Router3
• Configuring Router4

Configuring Router1

Router1 is part of the Accounting network stub area (1.1.1.1).

To configure Router1 interfaces - GUI:

1. Go to System > Settings.
2. In the Host name field, enter a hostname of Router1 and select Apply.
3. Go to Network > Interfaces edit port1, set the following information, and select OK.

Alias	internal
IP/Network Mask	10.11.101.1/255.255.255.0
Administrative Access	HTTPS SSH PING
Description	Accounting network
Interface State	Enabled

4. Edit port2, set the following information and select OK.

Alias	External1
IP/Network Mask	10.11.110.1/255.255.255.0
Administrative Access	HTTPS SSH PING
Description	Backbone network and Internet
Interface State	Enabled

Configuring Router2

Router2 is part of the R&D network backbone area (0.0.0.0). Router2 and Router3 are in this area. They provide a redundant connection between area 1.1.1.1 and area 2.2.2.2.

Router2 has three interfaces configured: one to the internal network and two to Router3 for redundancy.

To configure Router2 interfaces - GUI:

1. Go to System > Settings.
2. In the Host name field, enter a hostname of Router2 and select Apply.
3. Go to Network > Interfaces, edit port1 (internal), set the following information, and select OK.

Alias	internal
IP/Network Mask	10.11.102.2/255.255.255.0
Administrative Access	HTTPS SSH PING
Description	Internal RnD network
Interface State	Enabled

4. Edit port2 (external1), set the following information and select OK.

Alias	external1
IP/Network Mask	10.11.110.2/255.255.255.0
Administrative Access	HTTPS SSH PING
Description	Router3 first connection
Interface State	Enabled

5. Edit port3 (external2), set the following information and select OK.

Alias	external2
IP/Network Mask	10.11.111.2/255.255.255.0
Administrative Access	HTTPS SSH PING
Description	Router3 second connection
Interface State	Enabled

Configuring Router3

Router3 is part of the R&D network backbone area (0.0.0.0). Router2 and Router3 are in this area. They provide a redundant connection between area 1.1.1.1 and area 2.2.2.2.

To configure Router3 interfaces - GUI:

1. Go to System > Settings.
2. In the Host name field, enter a hostname of Router3 and select Apply.
3. Go to Network > Interfaces, edit port1 (internal), set the following information, and select OK.

Alias	internal
IP/Network Mask	10.11.103.3/255.255.255.0
Administrative Access	HTTPS SSH PING
Description	Internal RnD network
Interface State	Enabled

4. Edit port2 (external1), set the following information and select OK.

Alias	external1
IP/Network Mask	10.11.110.3/255.255.255.0
Administrative Access	HTTPS SSH PING
Description	Router2 first connection
Interface State	Enabled

5. Edit port3 (external2), set the following information and select OK.

Alias	external2
IP/Network Mask	10.11.111.3/255.255.255.0
Administrative Access	HTTPS SSH PING
Description	Router2 second connection
Interface State	Enabled

Configuring Router4

Router4 is part of the Network Administration regular area (2.2.2.2). This area provides Internet access for both area 1.1.1.1 and the backbone area.

This section configures interfaces and hostname.

To configure Router4 interfaces - GUI:

1. Go to System > Settings.
2. In the Host name field, enter a hostname of Router4 and select Apply.
3. Go to Network > Interfaces.
4. Edit port1 (internal).
5. Set the following information and select OK.

Alias	internal
IP/Network Mask	10.11.101.4/255.255.255.0
Administrative Access	HTTPS SSH PING
Description	Accounting network
Interface State	Enabled

6. Edit port2 (external2).
7. Set the following information and select OK.

Alias	external2
IP/Network Mask	10.11.110.4/255.255.255.0
Administrative Access	HTTPS SSH PING
Description	Backbone and Accounting network
Interface State	Enabled

8. Edit port3 (ISP).
9. Set the following information and select OK.

Alias	ISP
IP/Network Mask	172.20.120.4/255.255.255.0
Administrative Access	HTTPS SSH PING
Description	ISP and Internet
Interface State	Enabled

Configuring OSPF on the FortiGate devices

Three of the routers are designated routers (DR) and one is a backup DR (BDR). This is achieved through the lowest router ID numbers, or OSPF priority settings.

Also, each area needs to be configured as each respective type of area: stub, backbone, or regular. This affects how routes are advertised into the area.

To configure OSPF on Router1 - GUI:

1. Go to Network > OSPF.
2. Enter 10.11.101.1 for the Router ID and select Apply.
3. In Areas, select Create New, set the following information, and select OK.

Area ID	1.1.1.1
Type	Stub
Authentication	None

4. In Networks, select Create New, set the following information, and select OK.

Area	1.1.1.1
IP/Netmask	10.11.101.0/255.255.255.0

5. In Interfaces, select Create New, set the following information, and select OK.

Name	Accounting
Interface	port1 (internal)
IP	10.11.101.1
Authentication	None

6. In Interfaces, select Create New, set the following information, and select OK.

Name	Backbone1
Interface	port2 (external1)
IP	10.11.110.1
Authentication	None

To configure OSPF on Router2 - GUI:

1. Go to Network > OSPF.
2. Enter 10.11.102.2 for the Router ID and select Apply.
3. In Areas, select Create New, set the following information, and select OK.

Area ID	0.0.0.0
Type	Regular
Authentication	None

4. In Networks, select Create New, set the following information, and select OK.

Area	0.0.0.0
IP/Netmask	10.11.102.2/255.255.255.0

5. In Networks, select Create New, set the following information, and select OK.

Area	0.0.0.0
IP/Netmask	10.11.110.2/255.255.255.0

6. In Networks, select Create New, set the following information, and select OK.

Area	0.0.0.0
IP/Netmask	10.11.111.2/255.255.255.0

7. In Interfaces, select Create New, set the following information, and select OK.

Name	RnD network
Interface	port1 (internal)
IP	10.11.102.2
Authentication	None

8. In Interfaces, select Create New, set the following information, and select OK.

Name	Backbone1
Interface	port2 (external1)
IP	10.11.110.2
Authentication	None

9. In Interfaces, select Create New, set the following information, and select OK.

Name	Backbone2
Interface	port3 (external2)
IP	10.11.111.2
Authentication	None

To configure OSPF on Router3 - GUI:

1. Go to Network > OSPF.
2. Enter 10.11.103.3 for the Router ID and select Apply.
3. In Areas, select Create New, set the following information, and select OK.

Area ID	0.0.0.0
Type	Regular
Authentication	None

4. In Networks, select Create New, set the following information, and select OK.

Area	0.0.0.0
IP/Netmask	10.11.102.3/255.255.255.0

5. In Networks, select Create New, set the following information, and select OK.

Area	0.0.0.0
IP/Netmask	10.11.110.3/255.255.255.0

6. In Networks, select Create New, set the following information, and select OK.

IP/Netmask	10.11.111.3/255.255.255.0
Area	0.0.0.0

7. In Interfaces, select Create New, set the following information, and select OK.

Name	RnD network
Interface	port1 (internal)
IP	10.11.103.3
Authentication	None

8. In Interfaces, select Create New, set the following information, and select OK.

Name	Backbone1
Interface	port2 (external1)
IP	10.11.110.3
Authentication	None

9. In Interfaces, select Create New, set the following information, and select OK.

Name	Backbone2
Interface	port3 (external2)
IP	10.11.111.3
Authentication	None

To configure OSPF on Router4 - GUI:

1. Go to Network > OSPF.
2. Enter 10.11.104.4 for the Router ID and then select Apply.
3. In Areas, select Create New.
4. Set the following information and select OK.

Area ID	2.2.2.2
Type	Regular
Authentication	None

5. In Networks, select Create New, set the following information, and select OK.

Area	0.0.0.0
IP/Netmask	10.11.104.0/255.255.255.0

6. In Networks, select Create New, set the following information, and select OK.

Area	0.0.0.0
IP/Netmask	10.11.111.0/255.255.255.0

7. In Networks, select Create New, set the following information, and select OK.

Area	0.0.0.0
IP/Netmask	172.20.120.0/255.255.255.0

8. In Interfaces, select Create New, set the following information, and select OK.

Name	Network Admin network
Interface	port1 (internal)
IP	10.11.104.4
Authentication	None

9. In Interfaces, select Create New, set the following information, and select OK.

Name	Backbone2
Interface	port2 (external2)
IP	10.11.111.4
Authentication	None

10. In Interfaces, select Create New, set the following information, and select OK.

Name	ISP
Interface	port3 (ISP)
IP	172.20.120.4
Authentication	None

Configuring other networking devices

All network devices on this network are running OSPF routing. The user networks (Accounting, R&D, and Network Administration) are part of one of the three areas.

The ISP needs to be notified of your network configuration for area 2.2.2.2. Your ISP won't advertise your areas externally as they're intended as internal areas. External areas have assigned unique numbers. The area numbers used in this example are similar to the 10.0.0.0 and 192.168.0.0 subnets used in internal networking.

Testing network configuration

There are two main areas to test in this network configuration: network connectivity and OSPF routing.

To test network connectivity, see if computers on the Accounting or R&D networks can access the Internet.

To test OSPF routing, check the routing tables on the FortiGate devices to ensure the expected OSPF routes are present. If you need help troubleshooting OSPF routing, see Troubleshooting OSPF.