Fortinet Document Library

Version:


Table of Contents

CLI Reference

6.0.6
Download PDF
Copy Link

router {ospf | ospf6}

Use this command to configure Open Shortest Path First (OSPF) protocol settings on the FortiGate unit. More information on OSPF can be found in RFC 2328.

OSPF is a link state protocol capable of routing larger networks than the simpler distance vector RIP protocol. An OSPF autonomous system (AS) or routing domain is a group of areas connected to a backbone area. A router connected to more than one area is an area border router (ABR). Routing information is contained in a link state database. Routing information is communicated between routers using link state advertisements (LSAs).

Bi-directional Forwarding Detection (BFD) is a protocol used by BGP and OSPF. It is used to quickly locate hardware failures in the network. Routers running BFD communicate with each other, and if a timer runs out on a connection then that router is declared down. BFD then communicates this information to the routing protocol and the routing information is updated. BFD support can only be configured through the CLI.

config router ospf
    set abr-type {cisco | ibm | shortcut | standard}   Area border router type.
            cisco     Cisco.
            ibm       IBM.
            shortcut  Shortcut.
            standard  Standard.
    set auto-cost-ref-bandwidth {integer}   Reference bandwidth in terms of megabits per second. range[1-1000000]
    set distance-external {integer}   Administrative external distance. range[1-255]
    set distance-inter-area {integer}   Administrative inter-area distance. range[1-255]
    set distance-intra-area {integer}   Administrative intra-area distance. range[1-255]
    set database-overflow {enable | disable}   Enable/disable database overflow.
    set database-overflow-max-lsas {integer}   Database overflow maximum LSAs. range[0-4294967295]
    set database-overflow-time-to-recover {integer}   Database overflow time to recover (sec). range[0-65535]
    set default-information-originate {enable | always | disable}   Enable/disable generation of default route.
    set default-information-metric {integer}   Default information metric. range[1-16777214]
    set default-information-metric-type {1 | 2}   Default information metric type.
            1  Type 1.
            2  Type 2.
    set default-information-route-map {string}   Default information route map. size[35] - datasource(s): router.route-map.name
    set default-metric {integer}   Default metric of redistribute routes. range[1-16777214]
    set distance {integer}   Distance of the route. range[1-255]
    set rfc1583-compatible {enable | disable}   Enable/disable RFC1583 compatibility.
    set router-id {ipv4 address any}   Router ID.
    set spf-timers {string}   SPF calculation frequency.
    set bfd {enable | disable}   Bidirectional Forwarding Detection (BFD).
    set log-neighbour-changes {enable | disable}   Enable logging of OSPF neighbour's changes
    set distribute-list-in {string}   Filter incoming routes. size[35] - datasource(s): router.access-list.name,router.prefix-list.name
    set distribute-route-map-in {string}   Filter incoming external routes by route-map. size[35] - datasource(s): router.route-map.name
    set restart-mode {none | lls | graceful-restart}   OSPF restart mode (graceful or LLS).
            none              Hitless restart disabled.
            lls               LLS mode.
            graceful-restart  Graceful Restart Mode.
    set restart-period {integer}   Graceful restart period. range[1-3600]
    config area
        edit {id}
        # OSPF area configuration.
            set id {ipv4 address any}   Area entry IP address.
            set shortcut {disable | enable | default}   Enable/disable shortcut option.
            set authentication {none | text | md5}   Authentication type.
                    none  None.
                    text  Text.
                    md5   MD5.
            set default-cost {integer}   Summary default cost of stub or NSSA area. range[0-4294967295]
            set nssa-translator-role {candidate | never | always}   NSSA translator role type.
                    candidate  Candidate.
                    never      Never.
                    always     Always.
            set stub-type {no-summary | summary}   Stub summary setting.
                    no-summary  No summary.
                    summary     Summary.
            set type {regular | nssa | stub}   Area type setting.
                    regular  Regular.
                    nssa     NSSA.
                    stub     Stub.
            set nssa-default-information-originate {enable | always | disable}   Redistribute, advertise, or do not originate Type-7 default route into NSSA area.
            set nssa-default-information-originate-metric {integer}   OSPF default metric. range[0-16777214]
            set nssa-default-information-originate-metric-type {1 | 2}   OSPF metric type for default routes.
                    1  Type 1.
                    2  Type 2.
            set nssa-redistribution {enable | disable}   Enable/disable redistribute into NSSA area.
            config range
                edit {id}
                # OSPF area range configuration.
                    set id {integer}   Range entry ID. range[0-4294967295]
                    set prefix {ipv4 classnet any}   Prefix.
                    set advertise {disable | enable}   Enable/disable advertise status.
                    set substitute {ipv4 classnet any}   Substitute prefix.
                    set substitute-status {enable | disable}   Enable/disable substitute status.
                next
            config virtual-link
                edit {name}
                # OSPF virtual link configuration.
                    set name {string}   Virtual link entry name. size[35]
                    set authentication {none | text | md5}   Authentication type.
                            none  None.
                            text  Text.
                            md5   MD5.
                    set authentication-key {password_string}   Authentication key. size[8]
                    set md5-key {string}   MD5 key.
                    set dead-interval {integer}   Dead interval. range[1-65535]
                    set hello-interval {integer}   Hello interval. range[1-65535]
                    set retransmit-interval {integer}   Retransmit interval. range[1-65535]
                    set transmit-delay {integer}   Transmit delay. range[1-65535]
                    set peer {ipv4 address any}   Peer IP.
                next
            config filter-list
                edit {id}
                # OSPF area filter-list configuration.
                    set id {integer}   Filter list entry ID. range[0-4294967295]
                    set list {string}   Access-list or prefix-list name. size[35] - datasource(s): router.access-list.name,router.prefix-list.name
                    set direction {in | out}   Direction.
                            in   In.
                            out  Out.
                next
        next
    config ospf-interface
        edit {name}
        # OSPF interface configuration.
            set name {string}   Interface entry name. size[35]
            set interface {string}   Configuration interface name. size[15] - datasource(s): system.interface.name
            set ip {ipv4 address}   IP address.
            set authentication {none | text | md5}   Authentication type.
                    none  None.
                    text  Text.
                    md5   MD5.
            set authentication-key {password_string}   Authentication key. size[8]
            set md5-key {string}   MD5 key.
            set prefix-length {integer}   Prefix length. range[0-32]
            set retransmit-interval {integer}   Retransmit interval. range[1-65535]
            set transmit-delay {integer}   Transmit delay. range[1-65535]
            set cost {integer}   Cost of the interface, value range from 0 to 65535, 0 means auto-cost. range[0-65535]
            set priority {integer}   Priority. range[0-255]
            set dead-interval {integer}   Dead interval. range[0-65535]
            set hello-interval {integer}   Hello interval. range[0-65535]
            set hello-multiplier {integer}   Number of hello packets within dead interval. range[3-10]
            set database-filter-out {enable | disable}   Enable/disable control of flooding out LSAs.
            set mtu {integer}   MTU for database description packets. range[576-65535]
            set mtu-ignore {enable | disable}   Enable/disable ignore MTU.
            set network-type {option}   Network type.
                    broadcast                          Broadcast.
                    non-broadcast                      Non-broadcast.
                    point-to-point                     Point-to-point.
                    point-to-multipoint                Point-to-multipoint.
                    point-to-multipoint-non-broadcast  Point-to-multipoint and non-broadcast.
            set bfd {global | enable | disable}   Bidirectional Forwarding Detection (BFD).
            set status {disable | enable}   Enable/disable status.
            set resync-timeout {integer}   Graceful restart neighbor resynchronization timeout. range[1-3600]
        next
    config network
        edit {id}
        # OSPF network configuration.
            set id {integer}   Network entry ID. range[0-4294967295]
            set prefix {ipv4 classnet}   Prefix.
            set area {ipv4 address any}   Attach the network to area.
        next
    config neighbor
        edit {id}
        # OSPF neighbor configuration are used when OSPF runs on non-broadcast media
            set id {integer}   Neighbor entry ID. range[0-4294967295]
            set ip {ipv4 address}   Interface IP address of the neighbor.
            set poll-interval {integer}   Poll interval time in seconds. range[1-65535]
            set cost {integer}   Cost of the interface, value range from 0 to 65535, 0 means auto-cost. range[0-65535]
            set priority {integer}   Priority. range[0-255]
        next
    config passive-interface
        edit {name}
        # Passive interface configuration.
            set name {string}   Passive interface name. size[64] - datasource(s): system.interface.name
        next
    config summary-address
        edit {id}
        # IP address summary configuration.
            set id {integer}   Summary address entry ID. range[0-4294967295]
            set prefix {ipv4 classnet}   Prefix.
            set tag {integer}   Tag value. range[0-4294967295]
            set advertise {disable | enable}   Enable/disable advertise status.
        next
    config distribute-list
        edit {id}
        # Distribute list configuration.
            set id {integer}   Distribute list entry ID. range[0-4294967295]
            set access-list {string}   Access list name. size[35] - datasource(s): router.access-list.name
            set protocol {connected | static | rip}   Protocol type.
                    connected  Connected type.
                    static     Static type.
                    rip        RIP type.
        next
    config redistribute
        edit {name}
        # Redistribute configuration.
            set name {string}   Redistribute name. size[35]
            set status {enable | disable}   status
            set metric {integer}   Redistribute metric setting. range[0-16777214]
            set routemap {string}   Route map name. size[35] - datasource(s): router.route-map.name
            set metric-type {1 | 2}   Metric type.
                    1  Type 1.
                    2  Type 2.
            set tag {integer}   Tag value. range[0-4294967295]
        next
end
config router ospf6
    set abr-type {cisco | ibm | standard}   Area border router type.
            cisco     Cisco.
            ibm       IBM.
            standard  Standard.
    set auto-cost-ref-bandwidth {integer}   Reference bandwidth in terms of megabits per second. range[1-1000000]
    set default-information-originate {enable | always | disable}   Enable/disable generation of default route.
    set log-neighbour-changes {enable | disable}   Enable logging of OSPFv3 neighbour's changes
    set default-information-metric {integer}   Default information metric. range[1-16777214]
    set default-information-metric-type {1 | 2}   Default information metric type.
            1  Type 1.
            2  Type 2.
    set default-information-route-map {string}   Default information route map. size[35] - datasource(s): router.route-map.name
    set default-metric {integer}   Default metric of redistribute routes. range[1-16777214]
    set router-id {ipv4 address any}   A.B.C.D, in IPv4 address format.
    set spf-timers {string}   SPF calculation frequency.
    set bfd {enable | disable}   Enable/disable Bidirectional Forwarding Detection (BFD).
    config area
        edit {id}
        # OSPF6 area configuration.
            set id {ipv4 address any}   Area entry IP address.
            set default-cost {integer}   Summary default cost of stub or NSSA area. range[0-16777215]
            set nssa-translator-role {candidate | never | always}   NSSA translator role type.
                    candidate  Candidate.
                    never      Never.
                    always     Always.
            set stub-type {no-summary | summary}   Stub summary setting.
                    no-summary  No summary.
                    summary     Summary.
            set type {regular | nssa | stub}   Area type setting.
                    regular  Regular.
                    nssa     NSSA.
                    stub     Stub.
            set nssa-default-information-originate {enable | disable}   Enable/disable originate type 7 default into NSSA area.
            set nssa-default-information-originate-metric {integer}   OSPFv3 default metric. range[0-16777214]
            set nssa-default-information-originate-metric-type {1 | 2}   OSPFv3 metric type for default routes.
                    1  Type 1.
                    2  Type 2.
            set nssa-redistribution {enable | disable}   Enable/disable redistribute into NSSA area.
            config range
                edit {id}
                # OSPF6 area range configuration.
                    set id {integer}   Range entry ID. range[0-4294967295]
                    set prefix6 {ipv6 network}   IPv6 prefix.
                    set advertise {disable | enable}   Enable/disable advertise status.
                next
            config virtual-link
                edit {name}
                # OSPF6 virtual link configuration.
                    set name {string}   Virtual link entry name. size[35]
                    set dead-interval {integer}   Dead interval. range[1-65535]
                    set hello-interval {integer}   Hello interval. range[1-65535]
                    set retransmit-interval {integer}   Retransmit interval. range[1-65535]
                    set transmit-delay {integer}   Transmit delay. range[1-65535]
                    set peer {ipv4 address any}   A.B.C.D, peer router ID.
                next
        next
    config ospf6-interface
        edit {name}
        # OSPF6 interface configuration.
            set name {string}   Interface entry name. size[35]
            set area-id {ipv4 address any}   A.B.C.D, in IPv4 address format.
            set interface {string}   Configuration interface name. size[15] - datasource(s): system.interface.name
            set retransmit-interval {integer}   Retransmit interval. range[1-65535]
            set transmit-delay {integer}   Transmit delay. range[1-65535]
            set cost {integer}   Cost of the interface, value range from 0 to 65535, 0 means auto-cost. range[0-65535]
            set priority {integer}   priority range[0-255]
            set dead-interval {integer}   Dead interval. range[1-65535]
            set hello-interval {integer}   Hello interval. range[1-65535]
            set status {disable | enable}   Enable/disable OSPF6 routing on this interface.
            set network-type {option}   Network type.
                    broadcast                          broadcast
                    point-to-point                     point-to-point
                    non-broadcast                      non-broadcast
                    point-to-multipoint                point-to-multipoint
                    point-to-multipoint-non-broadcast  point-to-multipoint and non-broadcast.
            set bfd {global | enable | disable}   Enable/disable Bidirectional Forwarding Detection (BFD).
            set mtu {integer}   MTU for OSPFv3 packets. range[576-65535]
            set mtu-ignore {enable | disable}   Enable/disable ignoring MTU field in DBD packets.
            config neighbor
                edit {ip6}
                # OSPFv3 neighbors are used when OSPFv3 runs on non-broadcast media
                    set ip6 {ipv6 address}   IPv6 link local address of the neighbor.
                    set poll-interval {integer}   Poll interval time in seconds. range[1-65535]
                    set cost {integer}   Cost of the interface, value range from 0 to 65535, 0 means auto-cost. range[0-65535]
                    set priority {integer}   priority range[0-255]
                next
        next
    config redistribute
        edit {name}
        # Redistribute configuration.
            set name {string}   Redistribute name. size[35]
            set status {enable | disable}   status
            set metric {integer}   Redistribute metric setting. range[0-16777214]
            set routemap {string}   Route map name. size[35] - datasource(s): router.route-map.name
            set metric-type {1 | 2}   Metric type.
                    1  Type 1.
                    2  Type 2.
        next
    config passive-interface
        edit {name}
        # Passive interface configuration.
            set name {string}   Passive interface name. size[64] - datasource(s): system.interface.name
        next
    config summary-address
        edit {id}
        # IPv6 address summary configuration.
            set id {integer}   Summary address entry ID. range[0-4294967295]
            set prefix6 {ipv6 network}   IPv6 prefix.
            set advertise {disable | enable}   Enable/disable advertise status.
            set tag {integer}   Tag value. range[0-4294967295]
        next
end

Additional information

The following section is for those options that require additional explanation.

abr-type

Specify the behavior of a FortiGate unit acting as an OSPF area border router (ABR) when it has multiple attached areas and has no backbone connection. Selecting the ABR type compatible with the routers on your network can reduce or eliminate the need for configuring and maintaining virtual links. For more information, see RFC 3509.

auto-cost-ref-bandwidth

Enter the Mbits per second for the reference bandwidth. Values can range from 1 to 65535.

bfd

Select one of the Bidirectional Forwarding Detection (BFD) options for this interface.

  • enable - start BFD on this interface
  • disable - stop BFD on this interface
  • global - use the global settings instead of explicitly setting BFD per interface.

 

database-overflow

Enable or disable dynamically limiting link state database size under overflow conditions. Enable this command for FortiGate units on a network with routers that may not be able to maintain a complete link state database because of limited resources.

database-overflow-max-lsas

If you have enabled database-overflow, set the limit for the number of external link state advertisements (LSAs) that the FortiGate unit can keep in its link state database before entering the overflow state. The lsas_integer must be the same on all routers attached to the OSPF area and the OSPF backbone. The valid range for lsas_integer is 0 to 4294967294.

 

database-overflow-time-to-recover

Enter the time, in seconds, after which the FortiGate unit will attempt to leave the overflow state. If seconds_integer is set to 0, the FortiGate unit will not leave the overflow state until restarted. The valid range for seconds_integer is 0 to 65535.

default-information-metric

Specify the metric for the default route set by the default-information-originate command. The valid range for metric_integer is 1 to 16777214.

default-information-metric-type

Specify the OSPF external metric type for the default route set by the default-information-originate command.

default-information-originate

Enter enable to advertise a default route into an OSPF routing domain.

Use always to advertise a default route even if the FortiGate unit does not have a default route in its routing table.

default-information-route-map

If you have set default-information-originate to always, and there is no default route in the routing table, you can configure a route map to define the parameters that OSPF uses to advertise the default route.

default-metric

Specify the default metric that OSPF should use for redistributed routes. The valid range for metric_integer is 1 to 16777214.

distance

Configure the administrative distance for all OSPF routes. Using administrative distance you can specify the relative priorities of different routes to the same destination. A lower administrative distance indicates a more preferred route. The valid range for distance_integer is 1 to 255.

distance-external

Change the administrative distance of all external OSPF routes. The range is from 1 to 255.

distance-inter-area

Change the administrative distance of all inter-area OSPF routes. The range is from 1 to 255.

distance-intra-area

Change the administrative distance of all intra-area OSPF routes. The range is from 1 to 255.

distribute-list-in

Limit route updates from the OSPF neighbor based on the Network Layer Reachability Information (NLRI) defined in the specified access list. You must create the access list before it can be selected here.

See router {access-list | access-list6}

passive-interface

OSPF routing information is not sent or received through the specified interface.

restart-mode

Select the restart mode from:

  • graceful-restart - (also known as hitless restart) when FortiGate unit goes down it advertises to neighbors how long it will be down to reduce traffic
  • lls - Enable Link-local Signaling (LLS) mode
  • none - hitless restart (graceful restart) is disabled

restart-period

Enter the time in seconds the restart is expected to take.

rfc1583-compatible

Enable or disable RFC 1583 compatibility. RFC 1583 compatibility should be enabled only when there is another OSPF router in the network that only supports RFC 1583.

When RFC 1583 compatibility is enabled, routers choose the path with the lowest cost. Otherwise, routers choose the lowest cost intra-area path through a non-backbone area.

router-id

Set the router ID. The router ID is a unique number, in IP address dotted decimal format, that is used to identify an OSPF router to other OSPF routers within an area. The router ID should not be changed while OSPF is running.

A router ID of 0.0.0.0 is not allowed.

spf-timers

Change the default shortest path first (SPF) calculation delay time and frequency.

The delay_integer is the time, in seconds, between when OSPF receives information that will require an SPF calculation and when it starts an SPF calculation. The valid range for delay_integer is 0 to 4294967295.

The hold_integer is the minimum time, in seconds, between consecutive SPF calculations. The valid range for hold_integer is 0 to 4294967295.

OSPF updates routes more quickly if the SPF timers are set low; however, this uses more CPU. A setting of 0 for spf-timers can quickly use up all available CPU.

config router ospf

Use this command to set the router ID of the FortiGate unit. Additional configuration options are supported.

  • The router-id field is required. All other fields are optional.
  • The descriptions of the variables for this subcommand are found above.

config area

Use this subcommand to set OSPF area related parameters. Routers in an OSPF autonomous system (AS) or routing domain are organized into logical groupings called areas. Areas are linked together by area border routers (ABRs). There must be a backbone area that all areas can connect to. You can use a virtual link to connect areas that do not have a physical connection to the backbone. Routers within an OSPF area maintain link state databases for their own areas.

FortiGate units support the three main types of areas—stub areas, Not So Stubby areas (NSSA), and regular areas. A stub area only has a default route to the rest of the OSPF routing domain. NSSA is a type of stub area that can import AS external routes and send them to the backbone, but cannot receive AS external routes from the backbone or other areas. All other areas are considered regular areas.

You can use access or prefix lists for OSPF area filter lists. For more information, see router {access-list | access-list6} and router {prefix-list | prefix-list6}.

You can use the config range subcommand to summarize routes at an area boundary. If the network numbers in an area are contiguous, the ABR advertises a summary route that includes all the networks within the area that are within the specified range.

You can configure a virtual link using the config virtual-link subcommand to connect an area to the backbone when the area has no direct connection to the backbone. A virtual link allows traffic from the area to transit a directly connected area to reach the backbone. The transit area cannot be a stub area. Virtual links can only be set up between two ABRs.

note icon

If you define a filter list, the direction and list fields are required. If you define a range, the prefix field is required. If you define a virtual link, the peer field is required. All other fields are optional.

If you configure authentication for interfaces, the authentication configured for the area is overridden.

edit

Type the IP address of the area. An address of 0.0.0.0 indicates the backbone area.

authentication

Define the authentication used for OSPF packets sent and received in this area. Choose one of:

  • none — no authentication is used.
  • text — the authentication key is sent as plain text.
  • md5 — the authentication key is used to generate an MD5 hash.

Both text mode and MD5 mode only guarantee the authenticity of the OSPF packet, not the confidentiality of the information in the packet.

In text mode the key is sent in clear text over the network, and is only used to prevent network problems that can occur if a misconfigured router is mistakenly added to the area.

Authentication passwords or keys are defined per interface.

default-cost

Enter the metric to use for the summary default route in a stub area or not so stubby area (NSSA). A lower default cost indicates a more preferred route.

The valid range for cost_integer is 1 to 16777214.

nssa-default-information-originate

Enter enable to advertise a default route in a not so stubby area. Affects NSSA ABRs or NSSA Autonomous System Boundary Routers only.

nssa-default-information-originate-metric

Specify the metric (an integer) for the default route set by the nssa-default-information-originate field.

nssa-default-information-originate-metric-type

Specify the OSPF external metric type for the default route set by the nssa-default-information-originate field.

nssa-redistribution

Enable or disable redistributing routes into a NSSA area.

nssa-translator-role

A NSSA border router can translate the Type 7 LSAs used for external route information within the NSSA to Type 5 LSAs used for distributing external route information to other parts of the OSPF routing domain. Usually a NSSA will have only one NSSA border router acting as a translator for the NSSA.

You can set the translator role to always to ensure this FortiGate unit always acts as a translator if it is in a NSSA, even if other routers in the NSSA are also acting as translators.

You can set the translator role to candidate to have this FortiGate unit participate in the process for electing a translator for a NSSA.

You can set the translator role to never to ensure this FortiGate unit never acts as the translator if it is in a NSSA.

shortcut

Use this command to specify area shortcut parameters.

stub-type

Enter no-summary to prevent an ABR sending summary LSAs into a stub area. Enter summary to allow an ABR to send summary LSAs into a stub area.

type

Set the area type:

  • Select nssa for a not so stubby area.
  • Select regular for a normal OSPF area.
  • Select stub for a stub area.

This is not available for area 0.0.0.0.

config filter-list variables

edit

Enter an ID number for the filter list. The number must be an integer.

direction

Set the direction for the filter.

  • Enter in to filter incoming packets.
  • Enter out to filter outgoing packets.
list

Enter the name of the access list or prefix list to use for this filter list.

config range variables

edit

Enter an ID number for the range. The number must be an integer in the 0 to 4,294,967,295 range.

advertise

Enable or disable advertising the specified range.

prefix

Specify the range of addresses to summarize. Format: x.x.x.x x.x.x.x.

substitute

Enter a prefix to advertise instead of the prefix defined for the range. Format: x.x.x.x x.x.x.x.The prefix 0.0.0.0 0.0.0.0 is not allowed.

substitute-status

Enable or disable using a substitute prefix.

config virtual-link variables

edit

Enter a name for the virtual link.

authentication

Define the type of authentication used for OSPF packets sent and received over this virtual link. Choose one of:

  • none — no authentication is used.
  • text — the authentication key is sent as plain text.
  • md5 — the authentication key is used to generate an MD5 hash.

Both text mode and MD5 mode only guarantee the authenticity of the OSPF packet, not the confidentiality of the information in the packet.

In text mode the key is sent in clear text over the network, and is only used only to prevent network problems that can occur if a misconfigured router is mistakenly added to the area.

authentication-key

Enter the password to use for text authentication. The maximum length for the authentication-key is 15 characters.

The authentication-key used must be the same on both ends of the virtual link.

This field is only available when authentication is set to text.

dead-interval

The time in seconds to wait for a hello packet before declaring a router down. The value of the dead-interval should be four times the value of the hello-interval.

Both ends of the virtual link must use the same value for dead-interval.

The valid range for seconds_integer is 1 to 65535.

hello-interval

The time, in seconds, between hello packets.

Both ends of the virtual link must use the same value for hello-interval.

The value for dead-interval should be four times larger than the hello-interval value.

The valid range for seconds_integer is 1 to 65535.

md5-key

This field is available when authentication is set to md5.

Enter the key ID and password to use for MD5 authentication.

Example:

set md5-key 6 "ENCyYKaPSrY89CeXn66WUybbLZQ5YM="

 

Both ends of the virtual link must use the same key ID and key.

The valid range for id_integer is 1 to 255. key_str is an alphanumeric string of up to 16 characters.

peer

The router id of the remote ABR.

0.0.0.0 is not allowed.

retransmit-interval

The time, in seconds, to wait before sending a LSA retransmission. The value for the retransmit interval must be greater than the expected round-trip delay for a packet. The valid range for seconds_integer is 1 to 65535.

transmit-delay

The estimated time, in seconds, required to send a link state update packet on this virtual link.

OSPF increments the age of the LSAs in the update packet to account for transmission and propagation delays on the virtual link.

Increase the value for transmit-delay on low speed links.

The valid range for seconds_integer is 1 to 65535.

 

note icon

Example:

This example shows how to configure a stub area with the id 15.1.1.1, a stub type of summary, a default cost of 20, and MD5 authentication.

config router ospf

config area

edit 15.1.1.1

set type stub

set stub-type summary

set default-cost 20

set authentication md5

end

end

note icon

Example:

This example shows how to use a filter list named acc_list1 to filter packets entering area 15.1.1.1.

config router ospf

config area

edit 15.1.1.1

config filter-list

edit 1

set direction in

set list acc_list1

end

end

note icon

Example:

This example shows how to set the prefix for range 1 of area 15.1.1.1.

config router ospf

config area

edit 15.1.1.1

config range

edit 1

set prefix 1.1.0.0 255.255.0.0

end

end

note icon

Example:

This example shows how to configure a virtual link.

config router ospf

config area

edit 15.1.1.1

config virtual-link

edit vlnk1

set peer 1.1.1.1

end

end

config distribute-list

Use this subcommand to filter the networks for routing updates using an access list. Routes not matched by any of the distribution lists will not be advertised.

You must configure the access list that you want the distribution list to use before you configure the distribution list. To configure an access list, see router {access-list | access-list6}.

The access-list and protocol fields are required.

edit

Enter an ID number for the distribution list. The number must be an integer.

access-list

Enter the name of the access list to use for this distribution list.

protocol

Advertise only the routes discovered by the specified protocol and that are permitted by the named access list.

note icon

Example:

This example shows how to configure distribution list 2 to use an access list named acc_list1 for all static routes.

config router ospf

config distribute-list

edit 2

set access-list acc_list1

set protocol static

end

end

config neighbor

Use this subcommand to manually configure an OSPF neighbor on non-broadcast networks. OSPF packets are unicast to the specified neighbor address. You can configure multiple neighbors.

The ip field is required. All other fields are optional.

edit

Enter an ID number for the OSPF neighbor. The number must be an integer.

cost

Enter the cost to use for this neighbor. The valid range for cost_integer is 1 to 65535.

ip

Enter the IP address of the neighbor.

poll-interval

Enter the time, in seconds, between hello packets sent to the neighbor in the down state. The value of the poll interval must be larger than the value of the hello interval. The valid range for seconds_integer is 1 to 65535.

priority

Enter a priority number for the neighbor. The valid range for priority_integer is 0 to 255.

note icon

Example

This example shows how to manually add a neighbor.

config router ospf

config neighbor

edit 1

set ip 192.168.21.63

end

end

config network

Use this subcommand to identify the interfaces to include in the specified OSPF area. The prefix field can define one or multiple interfaces.

The area and prefix fields are required.

edit

Enter an ID number for the network. The number must be an integer.

area

The ID number of the area to be associated with the prefix.

prefix

Enter the IP address and netmask for the OSPF network.

note icon

Example:

Use the following command to enable OSPF for the interfaces attached to networks specified by the IP address 10.0.0.0 and the netmask 255.255.255.0 and to add these interfaces to area 10.1.1.1.

config router ospf

config network

edit 2

set area 10.1.1.1

set prefix 10.0.0.0 255.255.255.0

end

end

config ospf-interface

Use this subcommand to configure interface related OSPF settings.

The interface field is required. All other fields are optional. If you configure authentication for the interface, authentication for areas is not used.

edit

Enter a descriptive name for this OSPF interface configuration. To apply this configuration to a FortiGate unit interface, set the interface <name_str> attribute.

authentication

Define the authentication used for OSPF packets sent and received by this interface. Choose one of:

  • none — no authentication is used.
  • text — the authentication key is sent as plain text.
  • md5 — the authentication key is used to generate an MD5 hash.

Both text mode and MD5 mode only guarantee the authenticity of the update packet, not the confidentiality of the routing information in the packet.

In text mode the key is sent in clear text over the network, and is only used only to prevent network problems that can occur if a misconfigured router is mistakenly added to the network.

All routers on the network must use the same authentication type.

authentication-key

This field is available when authentication is set to text.

Enter the password to use for text authentication.

The authentication-key must be the same on all neighboring routers.

The maximum length for the authentication-key is 15 characters.

bfd

Select to enable Bi-directional Forwarding Detection (BFD). It is used to quickly detect hardware problems on the network.

This command enables this service on this interface.

cost

Specify the cost (metric) of the link. The cost is used for shortest path first calculations.

database-filter-out

Enable or disable flooding LSAs out of this interface.

dead-interval

The time, in seconds, to wait for a hello packet before declaring a router down. The value of the dead-interval should be four times the value of the hello-interval.

All routers on the network must use the same value for dead-interval.

The valid range for seconds_integer is 1 to 65535.

hello-interval

The time, in seconds, between hello packets.

All routers on the network must use the same value for hello-interval.

The value of the dead-interval should be four times the value of the hello-interval.

The valid range for seconds_integer is 1 to 65535.

hello-multiplier

Enter the number of hello packets to send within the dead interval. Range 3-10. 0 disables.

interface

Enter the name of the interface to associate with this OSPF configuration. The interface might be a virtual IPSec or GRE interface.

ip

Enter the IP address of the interface named by the interface field.

It is possible to apply different OSPF configurations for different IP addresses defined on the same interface.

md5-key

This field is available when authentication is set to md5.

Enter the key ID and password to use for MD5 authentication.

Example:

set md5-key 6 "ENCyYKaPSrY89CeXn66WUybbLZQ5YM="

 

You can add more than one key ID and key pair per interface. However, you cannot unset one key without unsetting all of the keys.

The key ID and key must be the same on all neighboring routers.

The valid range for id_integer is 1 to 255. key_str is an alphanumeric string of up to 16 characters.

mtu

Change the Maximum Transmission Unit (MTU) size included in database description packets sent out this interface. The valid range for mtu_integer is 576 to 65535.

mtu-ignore

Use this command to control the way OSPF behaves when the Maximum Transmission Unit (MTU) in the sent and received database description packets does not match.

When mtu-ignore is enabled, OSPF will stop detecting mismatched MTUs and go ahead and form an adjacency.

When mtu-ignore is disabled, OSPF will detect mismatched MTUs and not form an adjacency.

mtu-ignore should only be enabled if it is not possible to reconfigure the MTUs so that they match on both ends of the attempted adjacency connection.

network-type

Specify the type of network to which the interface is connected.

OSPF supports four different types of network. This command specifies the behavior of the OSPF interface according to the network type. Choose one of:

  • broadcast
  • non-broadcast
  • point-to-multipoint
  • point-to-multipoint-non-broadcast
  • point-to-point

If you specify non-broadcast, you must also configure neighbors using “config neighbor”.

prefix-length

Set the size of the OSPF hello network mask. Range 0 to 32.

priority

Set the router priority for this interface.

Router priority is used during the election of a designated router (DR) and backup designated router (BDR).

An interface with router priority set to 0 can not be elected DR or BDR. The interface with the highest router priority wins the election. If there is a tie for router priority, router ID is used.

Point-to-point networks do not elect a DR or BDR; therefore, this setting has no effect on a point-to-point network.

The valid range for priority_integer is 0 to 255.

resync-timeout

Enter the synchronizing timeout for graceful restart interval in seconds. This is the period for this interface to synchronize with a neighbor.

retransmit-interval

The time, in seconds, to wait before sending a LSA retransmission. The value for the retransmit interval must be greater than the expected round-trip delay for a packet. The valid range for seconds_integer is 1 to 65535.

status

Enable or disable OSPF on this interface.

transmit-delay

The estimated time, in seconds, required to send a link state update packet on this interface.

OSPF increments the age of the LSAs in the update packet to account for transmission and propagation delays on the interface.

Increase the value for transmit-delay on low speed links.

The valid range for seconds_integer is 1 to 65535.

note icon

Example

This example shows how to assign an OSPF interface configuration named test to the interface named internal and how to configure text authentication for this interface.

config router ospf

config ospf-interface

edit test

set interface internal

set ip 192.168.20.3

set authentication text

set authentication-key a2b3c4d5e

end

end

config redistribute

Use this subcommand to redistribute routes learned from BGP, RIP, static routes, or a direct connection to the destination network.

The OSPF redistribution table contains four static entries. You cannot add entries to the table. The entries are defined as follows:

  • bgp — Redistribute routes learned from BGP.
  • connected — Redistribute routes learned from a direct connection to the destination network.
  • isis — Redistribute routes learned from ISIS.
  • static — Redistribute the static routes defined in the FortiGate unit routing table.
  • rip — Redistribute routes learned from RIP.

When you enter the subcommand, end the command with one of the four static entry names (that is, config redistribute {bgp | connected | isis | static | rip}).

All fields are optional.

 

metric

Enter the metric to be used for the redistributed routes. The range for the metric is from 1 to 16777214.

metric-type

Specify the external link type to be used for the redistributed routes.

routemap

Enter the name of the route map to use for the redistributed routes. For information on how to configure route maps, see router route-map.

status

Enable or disable redistributing routes.

tag

Specify a tag for redistributed routes. The valid range for integer variable is 0 to 4294967295.

note icon

Example

This example shows how to enable route redistribution from RIP, using a metric of 3 and a route map named rtmp2.

config router ospf

config redistribute rip

set metric 3

set routemap rtmp2

set status enable

end

config summary-address

edit

Enter an ID number for the summary address. The

number must be an integer.

advertise

Advertise or suppress the summary route that matches the specified prefix.

prefix

Enter the prefix (IP address and netmask) to use for the summary route. The prefix 0.0.0.0 0.0.0.0 is not allowed.

tag

Specify a tag for the summary route.

The valid range for integer variable is 0 to 4294967295.

router {ospf | ospf6}

Use this command to configure Open Shortest Path First (OSPF) protocol settings on the FortiGate unit. More information on OSPF can be found in RFC 2328.

OSPF is a link state protocol capable of routing larger networks than the simpler distance vector RIP protocol. An OSPF autonomous system (AS) or routing domain is a group of areas connected to a backbone area. A router connected to more than one area is an area border router (ABR). Routing information is contained in a link state database. Routing information is communicated between routers using link state advertisements (LSAs).

Bi-directional Forwarding Detection (BFD) is a protocol used by BGP and OSPF. It is used to quickly locate hardware failures in the network. Routers running BFD communicate with each other, and if a timer runs out on a connection then that router is declared down. BFD then communicates this information to the routing protocol and the routing information is updated. BFD support can only be configured through the CLI.

config router ospf
    set abr-type {cisco | ibm | shortcut | standard}   Area border router type.
            cisco     Cisco.
            ibm       IBM.
            shortcut  Shortcut.
            standard  Standard.
    set auto-cost-ref-bandwidth {integer}   Reference bandwidth in terms of megabits per second. range[1-1000000]
    set distance-external {integer}   Administrative external distance. range[1-255]
    set distance-inter-area {integer}   Administrative inter-area distance. range[1-255]
    set distance-intra-area {integer}   Administrative intra-area distance. range[1-255]
    set database-overflow {enable | disable}   Enable/disable database overflow.
    set database-overflow-max-lsas {integer}   Database overflow maximum LSAs. range[0-4294967295]
    set database-overflow-time-to-recover {integer}   Database overflow time to recover (sec). range[0-65535]
    set default-information-originate {enable | always | disable}   Enable/disable generation of default route.
    set default-information-metric {integer}   Default information metric. range[1-16777214]
    set default-information-metric-type {1 | 2}   Default information metric type.
            1  Type 1.
            2  Type 2.
    set default-information-route-map {string}   Default information route map. size[35] - datasource(s): router.route-map.name
    set default-metric {integer}   Default metric of redistribute routes. range[1-16777214]
    set distance {integer}   Distance of the route. range[1-255]
    set rfc1583-compatible {enable | disable}   Enable/disable RFC1583 compatibility.
    set router-id {ipv4 address any}   Router ID.
    set spf-timers {string}   SPF calculation frequency.
    set bfd {enable | disable}   Bidirectional Forwarding Detection (BFD).
    set log-neighbour-changes {enable | disable}   Enable logging of OSPF neighbour's changes
    set distribute-list-in {string}   Filter incoming routes. size[35] - datasource(s): router.access-list.name,router.prefix-list.name
    set distribute-route-map-in {string}   Filter incoming external routes by route-map. size[35] - datasource(s): router.route-map.name
    set restart-mode {none | lls | graceful-restart}   OSPF restart mode (graceful or LLS).
            none              Hitless restart disabled.
            lls               LLS mode.
            graceful-restart  Graceful Restart Mode.
    set restart-period {integer}   Graceful restart period. range[1-3600]
    config area
        edit {id}
        # OSPF area configuration.
            set id {ipv4 address any}   Area entry IP address.
            set shortcut {disable | enable | default}   Enable/disable shortcut option.
            set authentication {none | text | md5}   Authentication type.
                    none  None.
                    text  Text.
                    md5   MD5.
            set default-cost {integer}   Summary default cost of stub or NSSA area. range[0-4294967295]
            set nssa-translator-role {candidate | never | always}   NSSA translator role type.
                    candidate  Candidate.
                    never      Never.
                    always     Always.
            set stub-type {no-summary | summary}   Stub summary setting.
                    no-summary  No summary.
                    summary     Summary.
            set type {regular | nssa | stub}   Area type setting.
                    regular  Regular.
                    nssa     NSSA.
                    stub     Stub.
            set nssa-default-information-originate {enable | always | disable}   Redistribute, advertise, or do not originate Type-7 default route into NSSA area.
            set nssa-default-information-originate-metric {integer}   OSPF default metric. range[0-16777214]
            set nssa-default-information-originate-metric-type {1 | 2}   OSPF metric type for default routes.
                    1  Type 1.
                    2  Type 2.
            set nssa-redistribution {enable | disable}   Enable/disable redistribute into NSSA area.
            config range
                edit {id}
                # OSPF area range configuration.
                    set id {integer}   Range entry ID. range[0-4294967295]
                    set prefix {ipv4 classnet any}   Prefix.
                    set advertise {disable | enable}   Enable/disable advertise status.
                    set substitute {ipv4 classnet any}   Substitute prefix.
                    set substitute-status {enable | disable}   Enable/disable substitute status.
                next
            config virtual-link
                edit {name}
                # OSPF virtual link configuration.
                    set name {string}   Virtual link entry name. size[35]
                    set authentication {none | text | md5}   Authentication type.
                            none  None.
                            text  Text.
                            md5   MD5.
                    set authentication-key {password_string}   Authentication key. size[8]
                    set md5-key {string}   MD5 key.
                    set dead-interval {integer}   Dead interval. range[1-65535]
                    set hello-interval {integer}   Hello interval. range[1-65535]
                    set retransmit-interval {integer}   Retransmit interval. range[1-65535]
                    set transmit-delay {integer}   Transmit delay. range[1-65535]
                    set peer {ipv4 address any}   Peer IP.
                next
            config filter-list
                edit {id}
                # OSPF area filter-list configuration.
                    set id {integer}   Filter list entry ID. range[0-4294967295]
                    set list {string}   Access-list or prefix-list name. size[35] - datasource(s): router.access-list.name,router.prefix-list.name
                    set direction {in | out}   Direction.
                            in   In.
                            out  Out.
                next
        next
    config ospf-interface
        edit {name}
        # OSPF interface configuration.
            set name {string}   Interface entry name. size[35]
            set interface {string}   Configuration interface name. size[15] - datasource(s): system.interface.name
            set ip {ipv4 address}   IP address.
            set authentication {none | text | md5}   Authentication type.
                    none  None.
                    text  Text.
                    md5   MD5.
            set authentication-key {password_string}   Authentication key. size[8]
            set md5-key {string}   MD5 key.
            set prefix-length {integer}   Prefix length. range[0-32]
            set retransmit-interval {integer}   Retransmit interval. range[1-65535]
            set transmit-delay {integer}   Transmit delay. range[1-65535]
            set cost {integer}   Cost of the interface, value range from 0 to 65535, 0 means auto-cost. range[0-65535]
            set priority {integer}   Priority. range[0-255]
            set dead-interval {integer}   Dead interval. range[0-65535]
            set hello-interval {integer}   Hello interval. range[0-65535]
            set hello-multiplier {integer}   Number of hello packets within dead interval. range[3-10]
            set database-filter-out {enable | disable}   Enable/disable control of flooding out LSAs.
            set mtu {integer}   MTU for database description packets. range[576-65535]
            set mtu-ignore {enable | disable}   Enable/disable ignore MTU.
            set network-type {option}   Network type.
                    broadcast                          Broadcast.
                    non-broadcast                      Non-broadcast.
                    point-to-point                     Point-to-point.
                    point-to-multipoint                Point-to-multipoint.
                    point-to-multipoint-non-broadcast  Point-to-multipoint and non-broadcast.
            set bfd {global | enable | disable}   Bidirectional Forwarding Detection (BFD).
            set status {disable | enable}   Enable/disable status.
            set resync-timeout {integer}   Graceful restart neighbor resynchronization timeout. range[1-3600]
        next
    config network
        edit {id}
        # OSPF network configuration.
            set id {integer}   Network entry ID. range[0-4294967295]
            set prefix {ipv4 classnet}   Prefix.
            set area {ipv4 address any}   Attach the network to area.
        next
    config neighbor
        edit {id}
        # OSPF neighbor configuration are used when OSPF runs on non-broadcast media
            set id {integer}   Neighbor entry ID. range[0-4294967295]
            set ip {ipv4 address}   Interface IP address of the neighbor.
            set poll-interval {integer}   Poll interval time in seconds. range[1-65535]
            set cost {integer}   Cost of the interface, value range from 0 to 65535, 0 means auto-cost. range[0-65535]
            set priority {integer}   Priority. range[0-255]
        next
    config passive-interface
        edit {name}
        # Passive interface configuration.
            set name {string}   Passive interface name. size[64] - datasource(s): system.interface.name
        next
    config summary-address
        edit {id}
        # IP address summary configuration.
            set id {integer}   Summary address entry ID. range[0-4294967295]
            set prefix {ipv4 classnet}   Prefix.
            set tag {integer}   Tag value. range[0-4294967295]
            set advertise {disable | enable}   Enable/disable advertise status.
        next
    config distribute-list
        edit {id}
        # Distribute list configuration.
            set id {integer}   Distribute list entry ID. range[0-4294967295]
            set access-list {string}   Access list name. size[35] - datasource(s): router.access-list.name
            set protocol {connected | static | rip}   Protocol type.
                    connected  Connected type.
                    static     Static type.
                    rip        RIP type.
        next
    config redistribute
        edit {name}
        # Redistribute configuration.
            set name {string}   Redistribute name. size[35]
            set status {enable | disable}   status
            set metric {integer}   Redistribute metric setting. range[0-16777214]
            set routemap {string}   Route map name. size[35] - datasource(s): router.route-map.name
            set metric-type {1 | 2}   Metric type.
                    1  Type 1.
                    2  Type 2.
            set tag {integer}   Tag value. range[0-4294967295]
        next
end
config router ospf6
    set abr-type {cisco | ibm | standard}   Area border router type.
            cisco     Cisco.
            ibm       IBM.
            standard  Standard.
    set auto-cost-ref-bandwidth {integer}   Reference bandwidth in terms of megabits per second. range[1-1000000]
    set default-information-originate {enable | always | disable}   Enable/disable generation of default route.
    set log-neighbour-changes {enable | disable}   Enable logging of OSPFv3 neighbour's changes
    set default-information-metric {integer}   Default information metric. range[1-16777214]
    set default-information-metric-type {1 | 2}   Default information metric type.
            1  Type 1.
            2  Type 2.
    set default-information-route-map {string}   Default information route map. size[35] - datasource(s): router.route-map.name
    set default-metric {integer}   Default metric of redistribute routes. range[1-16777214]
    set router-id {ipv4 address any}   A.B.C.D, in IPv4 address format.
    set spf-timers {string}   SPF calculation frequency.
    set bfd {enable | disable}   Enable/disable Bidirectional Forwarding Detection (BFD).
    config area
        edit {id}
        # OSPF6 area configuration.
            set id {ipv4 address any}   Area entry IP address.
            set default-cost {integer}   Summary default cost of stub or NSSA area. range[0-16777215]
            set nssa-translator-role {candidate | never | always}   NSSA translator role type.
                    candidate  Candidate.
                    never      Never.
                    always     Always.
            set stub-type {no-summary | summary}   Stub summary setting.
                    no-summary  No summary.
                    summary     Summary.
            set type {regular | nssa | stub}   Area type setting.
                    regular  Regular.
                    nssa     NSSA.
                    stub     Stub.
            set nssa-default-information-originate {enable | disable}   Enable/disable originate type 7 default into NSSA area.
            set nssa-default-information-originate-metric {integer}   OSPFv3 default metric. range[0-16777214]
            set nssa-default-information-originate-metric-type {1 | 2}   OSPFv3 metric type for default routes.
                    1  Type 1.
                    2  Type 2.
            set nssa-redistribution {enable | disable}   Enable/disable redistribute into NSSA area.
            config range
                edit {id}
                # OSPF6 area range configuration.
                    set id {integer}   Range entry ID. range[0-4294967295]
                    set prefix6 {ipv6 network}   IPv6 prefix.
                    set advertise {disable | enable}   Enable/disable advertise status.
                next
            config virtual-link
                edit {name}
                # OSPF6 virtual link configuration.
                    set name {string}   Virtual link entry name. size[35]
                    set dead-interval {integer}   Dead interval. range[1-65535]
                    set hello-interval {integer}   Hello interval. range[1-65535]
                    set retransmit-interval {integer}   Retransmit interval. range[1-65535]
                    set transmit-delay {integer}   Transmit delay. range[1-65535]
                    set peer {ipv4 address any}   A.B.C.D, peer router ID.
                next
        next
    config ospf6-interface
        edit {name}
        # OSPF6 interface configuration.
            set name {string}   Interface entry name. size[35]
            set area-id {ipv4 address any}   A.B.C.D, in IPv4 address format.
            set interface {string}   Configuration interface name. size[15] - datasource(s): system.interface.name
            set retransmit-interval {integer}   Retransmit interval. range[1-65535]
            set transmit-delay {integer}   Transmit delay. range[1-65535]
            set cost {integer}   Cost of the interface, value range from 0 to 65535, 0 means auto-cost. range[0-65535]
            set priority {integer}   priority range[0-255]
            set dead-interval {integer}   Dead interval. range[1-65535]
            set hello-interval {integer}   Hello interval. range[1-65535]
            set status {disable | enable}   Enable/disable OSPF6 routing on this interface.
            set network-type {option}   Network type.
                    broadcast                          broadcast
                    point-to-point                     point-to-point
                    non-broadcast                      non-broadcast
                    point-to-multipoint                point-to-multipoint
                    point-to-multipoint-non-broadcast  point-to-multipoint and non-broadcast.
            set bfd {global | enable | disable}   Enable/disable Bidirectional Forwarding Detection (BFD).
            set mtu {integer}   MTU for OSPFv3 packets. range[576-65535]
            set mtu-ignore {enable | disable}   Enable/disable ignoring MTU field in DBD packets.
            config neighbor
                edit {ip6}
                # OSPFv3 neighbors are used when OSPFv3 runs on non-broadcast media
                    set ip6 {ipv6 address}   IPv6 link local address of the neighbor.
                    set poll-interval {integer}   Poll interval time in seconds. range[1-65535]
                    set cost {integer}   Cost of the interface, value range from 0 to 65535, 0 means auto-cost. range[0-65535]
                    set priority {integer}   priority range[0-255]
                next
        next
    config redistribute
        edit {name}
        # Redistribute configuration.
            set name {string}   Redistribute name. size[35]
            set status {enable | disable}   status
            set metric {integer}   Redistribute metric setting. range[0-16777214]
            set routemap {string}   Route map name. size[35] - datasource(s): router.route-map.name
            set metric-type {1 | 2}   Metric type.
                    1  Type 1.
                    2  Type 2.
        next
    config passive-interface
        edit {name}
        # Passive interface configuration.
            set name {string}   Passive interface name. size[64] - datasource(s): system.interface.name
        next
    config summary-address
        edit {id}
        # IPv6 address summary configuration.
            set id {integer}   Summary address entry ID. range[0-4294967295]
            set prefix6 {ipv6 network}   IPv6 prefix.
            set advertise {disable | enable}   Enable/disable advertise status.
            set tag {integer}   Tag value. range[0-4294967295]
        next
end

Additional information

The following section is for those options that require additional explanation.

abr-type

Specify the behavior of a FortiGate unit acting as an OSPF area border router (ABR) when it has multiple attached areas and has no backbone connection. Selecting the ABR type compatible with the routers on your network can reduce or eliminate the need for configuring and maintaining virtual links. For more information, see RFC 3509.

auto-cost-ref-bandwidth

Enter the Mbits per second for the reference bandwidth. Values can range from 1 to 65535.

bfd

Select one of the Bidirectional Forwarding Detection (BFD) options for this interface.

  • enable - start BFD on this interface
  • disable - stop BFD on this interface
  • global - use the global settings instead of explicitly setting BFD per interface.

 

database-overflow

Enable or disable dynamically limiting link state database size under overflow conditions. Enable this command for FortiGate units on a network with routers that may not be able to maintain a complete link state database because of limited resources.

database-overflow-max-lsas

If you have enabled database-overflow, set the limit for the number of external link state advertisements (LSAs) that the FortiGate unit can keep in its link state database before entering the overflow state. The lsas_integer must be the same on all routers attached to the OSPF area and the OSPF backbone. The valid range for lsas_integer is 0 to 4294967294.

 

database-overflow-time-to-recover

Enter the time, in seconds, after which the FortiGate unit will attempt to leave the overflow state. If seconds_integer is set to 0, the FortiGate unit will not leave the overflow state until restarted. The valid range for seconds_integer is 0 to 65535.

default-information-metric

Specify the metric for the default route set by the default-information-originate command. The valid range for metric_integer is 1 to 16777214.

default-information-metric-type

Specify the OSPF external metric type for the default route set by the default-information-originate command.

default-information-originate

Enter enable to advertise a default route into an OSPF routing domain.

Use always to advertise a default route even if the FortiGate unit does not have a default route in its routing table.

default-information-route-map

If you have set default-information-originate to always, and there is no default route in the routing table, you can configure a route map to define the parameters that OSPF uses to advertise the default route.

default-metric

Specify the default metric that OSPF should use for redistributed routes. The valid range for metric_integer is 1 to 16777214.

distance

Configure the administrative distance for all OSPF routes. Using administrative distance you can specify the relative priorities of different routes to the same destination. A lower administrative distance indicates a more preferred route. The valid range for distance_integer is 1 to 255.

distance-external

Change the administrative distance of all external OSPF routes. The range is from 1 to 255.

distance-inter-area

Change the administrative distance of all inter-area OSPF routes. The range is from 1 to 255.

distance-intra-area

Change the administrative distance of all intra-area OSPF routes. The range is from 1 to 255.

distribute-list-in

Limit route updates from the OSPF neighbor based on the Network Layer Reachability Information (NLRI) defined in the specified access list. You must create the access list before it can be selected here.

See router {access-list | access-list6}

passive-interface

OSPF routing information is not sent or received through the specified interface.

restart-mode

Select the restart mode from:

  • graceful-restart - (also known as hitless restart) when FortiGate unit goes down it advertises to neighbors how long it will be down to reduce traffic
  • lls - Enable Link-local Signaling (LLS) mode
  • none - hitless restart (graceful restart) is disabled

restart-period

Enter the time in seconds the restart is expected to take.

rfc1583-compatible

Enable or disable RFC 1583 compatibility. RFC 1583 compatibility should be enabled only when there is another OSPF router in the network that only supports RFC 1583.

When RFC 1583 compatibility is enabled, routers choose the path with the lowest cost. Otherwise, routers choose the lowest cost intra-area path through a non-backbone area.

router-id

Set the router ID. The router ID is a unique number, in IP address dotted decimal format, that is used to identify an OSPF router to other OSPF routers within an area. The router ID should not be changed while OSPF is running.

A router ID of 0.0.0.0 is not allowed.

spf-timers

Change the default shortest path first (SPF) calculation delay time and frequency.

The delay_integer is the time, in seconds, between when OSPF receives information that will require an SPF calculation and when it starts an SPF calculation. The valid range for delay_integer is 0 to 4294967295.

The hold_integer is the minimum time, in seconds, between consecutive SPF calculations. The valid range for hold_integer is 0 to 4294967295.

OSPF updates routes more quickly if the SPF timers are set low; however, this uses more CPU. A setting of 0 for spf-timers can quickly use up all available CPU.

config router ospf

Use this command to set the router ID of the FortiGate unit. Additional configuration options are supported.

  • The router-id field is required. All other fields are optional.
  • The descriptions of the variables for this subcommand are found above.

config area

Use this subcommand to set OSPF area related parameters. Routers in an OSPF autonomous system (AS) or routing domain are organized into logical groupings called areas. Areas are linked together by area border routers (ABRs). There must be a backbone area that all areas can connect to. You can use a virtual link to connect areas that do not have a physical connection to the backbone. Routers within an OSPF area maintain link state databases for their own areas.

FortiGate units support the three main types of areas—stub areas, Not So Stubby areas (NSSA), and regular areas. A stub area only has a default route to the rest of the OSPF routing domain. NSSA is a type of stub area that can import AS external routes and send them to the backbone, but cannot receive AS external routes from the backbone or other areas. All other areas are considered regular areas.

You can use access or prefix lists for OSPF area filter lists. For more information, see router {access-list | access-list6} and router {prefix-list | prefix-list6}.

You can use the config range subcommand to summarize routes at an area boundary. If the network numbers in an area are contiguous, the ABR advertises a summary route that includes all the networks within the area that are within the specified range.

You can configure a virtual link using the config virtual-link subcommand to connect an area to the backbone when the area has no direct connection to the backbone. A virtual link allows traffic from the area to transit a directly connected area to reach the backbone. The transit area cannot be a stub area. Virtual links can only be set up between two ABRs.

note icon

If you define a filter list, the direction and list fields are required. If you define a range, the prefix field is required. If you define a virtual link, the peer field is required. All other fields are optional.

If you configure authentication for interfaces, the authentication configured for the area is overridden.

edit

Type the IP address of the area. An address of 0.0.0.0 indicates the backbone area.

authentication

Define the authentication used for OSPF packets sent and received in this area. Choose one of:

  • none — no authentication is used.
  • text — the authentication key is sent as plain text.
  • md5 — the authentication key is used to generate an MD5 hash.

Both text mode and MD5 mode only guarantee the authenticity of the OSPF packet, not the confidentiality of the information in the packet.

In text mode the key is sent in clear text over the network, and is only used to prevent network problems that can occur if a misconfigured router is mistakenly added to the area.

Authentication passwords or keys are defined per interface.

default-cost

Enter the metric to use for the summary default route in a stub area or not so stubby area (NSSA). A lower default cost indicates a more preferred route.

The valid range for cost_integer is 1 to 16777214.

nssa-default-information-originate

Enter enable to advertise a default route in a not so stubby area. Affects NSSA ABRs or NSSA Autonomous System Boundary Routers only.

nssa-default-information-originate-metric

Specify the metric (an integer) for the default route set by the nssa-default-information-originate field.

nssa-default-information-originate-metric-type

Specify the OSPF external metric type for the default route set by the nssa-default-information-originate field.

nssa-redistribution

Enable or disable redistributing routes into a NSSA area.

nssa-translator-role

A NSSA border router can translate the Type 7 LSAs used for external route information within the NSSA to Type 5 LSAs used for distributing external route information to other parts of the OSPF routing domain. Usually a NSSA will have only one NSSA border router acting as a translator for the NSSA.

You can set the translator role to always to ensure this FortiGate unit always acts as a translator if it is in a NSSA, even if other routers in the NSSA are also acting as translators.

You can set the translator role to candidate to have this FortiGate unit participate in the process for electing a translator for a NSSA.

You can set the translator role to never to ensure this FortiGate unit never acts as the translator if it is in a NSSA.

shortcut

Use this command to specify area shortcut parameters.

stub-type

Enter no-summary to prevent an ABR sending summary LSAs into a stub area. Enter summary to allow an ABR to send summary LSAs into a stub area.

type

Set the area type:

  • Select nssa for a not so stubby area.
  • Select regular for a normal OSPF area.
  • Select stub for a stub area.

This is not available for area 0.0.0.0.

config filter-list variables

edit

Enter an ID number for the filter list. The number must be an integer.

direction

Set the direction for the filter.

  • Enter in to filter incoming packets.
  • Enter out to filter outgoing packets.
list

Enter the name of the access list or prefix list to use for this filter list.

config range variables

edit

Enter an ID number for the range. The number must be an integer in the 0 to 4,294,967,295 range.

advertise

Enable or disable advertising the specified range.

prefix

Specify the range of addresses to summarize. Format: x.x.x.x x.x.x.x.

substitute

Enter a prefix to advertise instead of the prefix defined for the range. Format: x.x.x.x x.x.x.x.The prefix 0.0.0.0 0.0.0.0 is not allowed.

substitute-status

Enable or disable using a substitute prefix.

config virtual-link variables

edit

Enter a name for the virtual link.

authentication

Define the type of authentication used for OSPF packets sent and received over this virtual link. Choose one of:

  • none — no authentication is used.
  • text — the authentication key is sent as plain text.
  • md5 — the authentication key is used to generate an MD5 hash.

Both text mode and MD5 mode only guarantee the authenticity of the OSPF packet, not the confidentiality of the information in the packet.

In text mode the key is sent in clear text over the network, and is only used only to prevent network problems that can occur if a misconfigured router is mistakenly added to the area.

authentication-key

Enter the password to use for text authentication. The maximum length for the authentication-key is 15 characters.

The authentication-key used must be the same on both ends of the virtual link.

This field is only available when authentication is set to text.

dead-interval

The time in seconds to wait for a hello packet before declaring a router down. The value of the dead-interval should be four times the value of the hello-interval.

Both ends of the virtual link must use the same value for dead-interval.

The valid range for seconds_integer is 1 to 65535.

hello-interval

The time, in seconds, between hello packets.

Both ends of the virtual link must use the same value for hello-interval.

The value for dead-interval should be four times larger than the hello-interval value.

The valid range for seconds_integer is 1 to 65535.

md5-key

This field is available when authentication is set to md5.

Enter the key ID and password to use for MD5 authentication.

Example:

set md5-key 6 "ENCyYKaPSrY89CeXn66WUybbLZQ5YM="

 

Both ends of the virtual link must use the same key ID and key.

The valid range for id_integer is 1 to 255. key_str is an alphanumeric string of up to 16 characters.

peer

The router id of the remote ABR.

0.0.0.0 is not allowed.

retransmit-interval

The time, in seconds, to wait before sending a LSA retransmission. The value for the retransmit interval must be greater than the expected round-trip delay for a packet. The valid range for seconds_integer is 1 to 65535.

transmit-delay

The estimated time, in seconds, required to send a link state update packet on this virtual link.

OSPF increments the age of the LSAs in the update packet to account for transmission and propagation delays on the virtual link.

Increase the value for transmit-delay on low speed links.

The valid range for seconds_integer is 1 to 65535.

 

note icon

Example:

This example shows how to configure a stub area with the id 15.1.1.1, a stub type of summary, a default cost of 20, and MD5 authentication.

config router ospf

config area

edit 15.1.1.1

set type stub

set stub-type summary

set default-cost 20

set authentication md5

end

end

note icon

Example:

This example shows how to use a filter list named acc_list1 to filter packets entering area 15.1.1.1.

config router ospf

config area

edit 15.1.1.1

config filter-list

edit 1

set direction in

set list acc_list1

end

end

note icon

Example:

This example shows how to set the prefix for range 1 of area 15.1.1.1.

config router ospf

config area

edit 15.1.1.1

config range

edit 1

set prefix 1.1.0.0 255.255.0.0

end

end

note icon

Example:

This example shows how to configure a virtual link.

config router ospf

config area

edit 15.1.1.1

config virtual-link

edit vlnk1

set peer 1.1.1.1

end

end

config distribute-list

Use this subcommand to filter the networks for routing updates using an access list. Routes not matched by any of the distribution lists will not be advertised.

You must configure the access list that you want the distribution list to use before you configure the distribution list. To configure an access list, see router {access-list | access-list6}.

The access-list and protocol fields are required.

edit

Enter an ID number for the distribution list. The number must be an integer.

access-list

Enter the name of the access list to use for this distribution list.

protocol

Advertise only the routes discovered by the specified protocol and that are permitted by the named access list.

note icon

Example:

This example shows how to configure distribution list 2 to use an access list named acc_list1 for all static routes.

config router ospf

config distribute-list

edit 2

set access-list acc_list1

set protocol static

end

end

config neighbor

Use this subcommand to manually configure an OSPF neighbor on non-broadcast networks. OSPF packets are unicast to the specified neighbor address. You can configure multiple neighbors.

The ip field is required. All other fields are optional.

edit

Enter an ID number for the OSPF neighbor. The number must be an integer.

cost

Enter the cost to use for this neighbor. The valid range for cost_integer is 1 to 65535.

ip

Enter the IP address of the neighbor.

poll-interval

Enter the time, in seconds, between hello packets sent to the neighbor in the down state. The value of the poll interval must be larger than the value of the hello interval. The valid range for seconds_integer is 1 to 65535.

priority

Enter a priority number for the neighbor. The valid range for priority_integer is 0 to 255.

note icon

Example

This example shows how to manually add a neighbor.

config router ospf

config neighbor

edit 1

set ip 192.168.21.63

end

end

config network

Use this subcommand to identify the interfaces to include in the specified OSPF area. The prefix field can define one or multiple interfaces.

The area and prefix fields are required.

edit

Enter an ID number for the network. The number must be an integer.

area

The ID number of the area to be associated with the prefix.

prefix

Enter the IP address and netmask for the OSPF network.

note icon

Example:

Use the following command to enable OSPF for the interfaces attached to networks specified by the IP address 10.0.0.0 and the netmask 255.255.255.0 and to add these interfaces to area 10.1.1.1.

config router ospf

config network

edit 2

set area 10.1.1.1

set prefix 10.0.0.0 255.255.255.0

end

end

config ospf-interface

Use this subcommand to configure interface related OSPF settings.

The interface field is required. All other fields are optional. If you configure authentication for the interface, authentication for areas is not used.

edit

Enter a descriptive name for this OSPF interface configuration. To apply this configuration to a FortiGate unit interface, set the interface <name_str> attribute.

authentication

Define the authentication used for OSPF packets sent and received by this interface. Choose one of:

  • none — no authentication is used.
  • text — the authentication key is sent as plain text.
  • md5 — the authentication key is used to generate an MD5 hash.

Both text mode and MD5 mode only guarantee the authenticity of the update packet, not the confidentiality of the routing information in the packet.

In text mode the key is sent in clear text over the network, and is only used only to prevent network problems that can occur if a misconfigured router is mistakenly added to the network.

All routers on the network must use the same authentication type.

authentication-key

This field is available when authentication is set to text.

Enter the password to use for text authentication.

The authentication-key must be the same on all neighboring routers.

The maximum length for the authentication-key is 15 characters.

bfd

Select to enable Bi-directional Forwarding Detection (BFD). It is used to quickly detect hardware problems on the network.

This command enables this service on this interface.

cost

Specify the cost (metric) of the link. The cost is used for shortest path first calculations.

database-filter-out

Enable or disable flooding LSAs out of this interface.

dead-interval

The time, in seconds, to wait for a hello packet before declaring a router down. The value of the dead-interval should be four times the value of the hello-interval.

All routers on the network must use the same value for dead-interval.

The valid range for seconds_integer is 1 to 65535.

hello-interval

The time, in seconds, between hello packets.

All routers on the network must use the same value for hello-interval.

The value of the dead-interval should be four times the value of the hello-interval.

The valid range for seconds_integer is 1 to 65535.

hello-multiplier

Enter the number of hello packets to send within the dead interval. Range 3-10. 0 disables.

interface

Enter the name of the interface to associate with this OSPF configuration. The interface might be a virtual IPSec or GRE interface.

ip

Enter the IP address of the interface named by the interface field.

It is possible to apply different OSPF configurations for different IP addresses defined on the same interface.

md5-key

This field is available when authentication is set to md5.

Enter the key ID and password to use for MD5 authentication.

Example:

set md5-key 6 "ENCyYKaPSrY89CeXn66WUybbLZQ5YM="

 

You can add more than one key ID and key pair per interface. However, you cannot unset one key without unsetting all of the keys.

The key ID and key must be the same on all neighboring routers.

The valid range for id_integer is 1 to 255. key_str is an alphanumeric string of up to 16 characters.

mtu

Change the Maximum Transmission Unit (MTU) size included in database description packets sent out this interface. The valid range for mtu_integer is 576 to 65535.

mtu-ignore

Use this command to control the way OSPF behaves when the Maximum Transmission Unit (MTU) in the sent and received database description packets does not match.

When mtu-ignore is enabled, OSPF will stop detecting mismatched MTUs and go ahead and form an adjacency.

When mtu-ignore is disabled, OSPF will detect mismatched MTUs and not form an adjacency.

mtu-ignore should only be enabled if it is not possible to reconfigure the MTUs so that they match on both ends of the attempted adjacency connection.

network-type

Specify the type of network to which the interface is connected.

OSPF supports four different types of network. This command specifies the behavior of the OSPF interface according to the network type. Choose one of:

  • broadcast
  • non-broadcast
  • point-to-multipoint
  • point-to-multipoint-non-broadcast
  • point-to-point

If you specify non-broadcast, you must also configure neighbors using “config neighbor”.

prefix-length

Set the size of the OSPF hello network mask. Range 0 to 32.

priority

Set the router priority for this interface.

Router priority is used during the election of a designated router (DR) and backup designated router (BDR).

An interface with router priority set to 0 can not be elected DR or BDR. The interface with the highest router priority wins the election. If there is a tie for router priority, router ID is used.

Point-to-point networks do not elect a DR or BDR; therefore, this setting has no effect on a point-to-point network.

The valid range for priority_integer is 0 to 255.

resync-timeout

Enter the synchronizing timeout for graceful restart interval in seconds. This is the period for this interface to synchronize with a neighbor.

retransmit-interval

The time, in seconds, to wait before sending a LSA retransmission. The value for the retransmit interval must be greater than the expected round-trip delay for a packet. The valid range for seconds_integer is 1 to 65535.

status

Enable or disable OSPF on this interface.

transmit-delay

The estimated time, in seconds, required to send a link state update packet on this interface.

OSPF increments the age of the LSAs in the update packet to account for transmission and propagation delays on the interface.

Increase the value for transmit-delay on low speed links.

The valid range for seconds_integer is 1 to 65535.

note icon

Example

This example shows how to assign an OSPF interface configuration named test to the interface named internal and how to configure text authentication for this interface.

config router ospf

config ospf-interface

edit test

set interface internal

set ip 192.168.20.3

set authentication text

set authentication-key a2b3c4d5e

end

end

config redistribute

Use this subcommand to redistribute routes learned from BGP, RIP, static routes, or a direct connection to the destination network.

The OSPF redistribution table contains four static entries. You cannot add entries to the table. The entries are defined as follows:

  • bgp — Redistribute routes learned from BGP.
  • connected — Redistribute routes learned from a direct connection to the destination network.
  • isis — Redistribute routes learned from ISIS.
  • static — Redistribute the static routes defined in the FortiGate unit routing table.
  • rip — Redistribute routes learned from RIP.

When you enter the subcommand, end the command with one of the four static entry names (that is, config redistribute {bgp | connected | isis | static | rip}).

All fields are optional.

 

metric

Enter the metric to be used for the redistributed routes. The range for the metric is from 1 to 16777214.

metric-type

Specify the external link type to be used for the redistributed routes.

routemap

Enter the name of the route map to use for the redistributed routes. For information on how to configure route maps, see router route-map.

status

Enable or disable redistributing routes.

tag

Specify a tag for redistributed routes. The valid range for integer variable is 0 to 4294967295.

note icon

Example

This example shows how to enable route redistribution from RIP, using a metric of 3 and a route map named rtmp2.

config router ospf

config redistribute rip

set metric 3

set routemap rtmp2

set status enable

end

config summary-address

edit

Enter an ID number for the summary address. The

number must be an integer.

advertise

Advertise or suppress the summary route that matches the specified prefix.

prefix

Enter the prefix (IP address and netmask) to use for the summary route. The prefix 0.0.0.0 0.0.0.0 is not allowed.

tag

Specify a tag for the summary route.

The valid range for integer variable is 0 to 4294967295.