Basic OSPFv3 example
In this example, three FortiGate devices are configured in an OSPF network.
- 1st Floor FortiGate is the Designated Router (DR). It has the highest priority and the lowest IP address, to ensure that it becomes the DR.
- 2nd Floor FortiGate is the Backup Designated Router (BDR). It has a high priority to ensure that it becomes the BDR.
- Enterprise Core FortiGate is the Autonomous System Border Router (ASBR). It routes all traffic to the ISP BGP router for internet access. It redistributes routes from BGP and advertises a default route to its neighbors. It can allow different types of routes, learned outside of OSPF, to be used in OSPF. Different metrics can be assigned to these routes to make them more or less preferred than regular OSPF routes. Route maps could be used to further control what prefixes are advertised or received from the ISP.
Please note that the IPv6 addresses used in this example are for illustrative purposes only and should not be used in your environment. The 2001:db8::/32 prefix is a special IPv6 prefix designated for use in documentation examples. See RFC 3849 for more information.

| FortiGate | Interface | IP address |
|---|---|---|
| 1st Floor FortiGate (DR) | loopback | 1.1.1.1 |
| | port1 | 2001:db8:d0c:2::1/64 |
| | port2 | 2001:db8:d0c:1::2/64 |
| | port3 | 2001:db8:d0c:4::1/64 |
| 2nd Floor FortiGate (BDR) | loopback | 2.2.2.2 |
| | port1 | 2001:db8:d0c:2::2/64 |
| | port2 | 2001:db8:d0c:3::2/64 |
| | port3 | 2001:db8:d0c:5::1/64 |
| Enterprise Core FortiGate (ASBR) | loopback | 13.13.13.13 |
| | port1 | 2001:db8:d0c:1::1/64 |
| | port2 | 2001:db8:d0c:3::1/64 |
| | port3 | 2001:db8:d0c:6::1/64 |

- Firewall policies are already configured to allow unfiltered traffic in both directions between all of the connected interfaces.
- The interfaces are already configured. The cost for all of the interfaces is left at 0.
- The OSPF network belongs to Area 0, and is not connected to any other OSPF networks. All of the routers are part of the backbone 0.0.0.0 area, so no inter-area communications are needed.
- Enterprise Core FortiGate redistributes BGP routes into the OSPF AS and peers with the ISP BGP Router over eBGP. For information about configuring BGP, see Basic IPv6 BGP example.
- The ISP IPv6 address is 2001:db8:d0c:6::2/64.

1st Floor FortiGate
To configure 1st Floor FortiGate in the CLI:

    config router ospf6
        set router-id 1.1.1.1
        config area
            edit 0.0.0.0
            next
        end
        config ospf6-interface
            edit "1st-Floor-FortiGate-Internal-DR"
                set interface "port1"
                set priority 255
                set dead-interval 40
                set hello-interval 10
            next
            edit "1st-Floor-FortiGate-External"
                set interface "port2"
                set dead-interval 40
                set hello-interval 10
            next
            edit "1st-Floor-FortiGate-Internal"
                set interface "port3"
                set dead-interval 40
                set hello-interval 10
            next
        end
    end

2nd Floor FortiGate
To configure 2nd Floor FortiGate in the CLI:

    config router ospf6
        set router-id 2.2.2.2
        config area
            edit 0.0.0.0
            next
        end
        config ospf6-interface
            edit "2nd-Floor-FortiGate-Internal"
                set interface "port1"
                set priority 250
                set dead-interval 40
                set hello-interval 10
            next
            edit "2nd-Floor-FortiGate-External"
                set interface "port2"
                set dead-interval 40
                set hello-interval 10
            next
            edit "2nd-Floor-FortiGate-Internal1"
                set interface "port3"
                set dead-interval 40
                set hello-interval 10
            next
        end
    end

Enterprise Core FortiGate
To configure Enterprise Core FortiGate in the CLI:

    config router ospf6
        set default-information-originate enable
        set router-id 13.13.13.13
        config area
            edit 0.0.0.0
            next
        end
        config ospf6-interface
            edit "Enterprise-Core-FortiGate-Internal"
                set interface "port1"
                set dead-interval 40
                set hello-interval 10
            next
            edit "Enterprise-Core-FortiGate-Internal2"
                set interface "port2"
                set dead-interval 40
                set hello-interval 10
            next
        end
        config redistribute "bgp"
            set status enable
        end
    end

Testing and configuration
Both the network connectivity and OSPF routing are tested. When a link goes down, routes should converge as expected.

- Working state

  - Enterprise Core FortiGate:

        # get router info6 ospf neighbor
        OSPFv3 Process (root)
        Neighbor ID     Pri   State           Dead Time   Interface
        1.1.1.1           1   Full/Backup     00:00:38    port1
        2.2.2.2           1   Full/Backup     00:00:32    port2

        # get router info6 ospf status
        Routing Process "OSPFv3 (root)" with ID 13.13.13.13
        Process uptime is 28 minutes
        Do not support Restarting
        This router is an ASBR (injecting external routing information)
        SPF schedule delay 5 secs, Hold time between SPFs 10 secs
        Minimum LSA interval 5 secs, Minimum LSA arrival 1 secs
        Number of incomming current DD exchange neighbors 0/5
        Number of outgoing current DD exchange neighbors 0/5
        Number of external LSA 0. Checksum Sum 0x0000
        Number of AS-Scoped Unknown LSA 0
        Number of LSA originated 14
        Number of LSA received 187
        Number of areas in this router is 1
            Area BACKBONE(0)
                Number of interfaces in this area is 2(2)
                SPF algorithm executed 36 times
                Number of LSA 9. Checksum Sum 0x2DB91
                Number of Unknown LSA

        # get router info6 routing-table
        IPv6 Routing Table
        Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
               IA - OSPF inter area
               N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
               E1 - OSPF external type 1, E2 - OSPF external type 2
               i - IS-IS, B - BGP, V - BGP VPNv6
               * - candidate default

        Timers: Uptime

        Routing table for VRF=0
        B*      ::/0 [20/0] via fe80::20c:29ff:febc:eec2, port3, 00:02:56, [1024/0]
        C       ::1/128 via ::, root, 00:17:23
        B       64:ff9b::/96 [20/0] via fe80::20c:29ff:febc:eec2, port3, 00:02:56, [1024/0]
        C       2001:db8:d0c:1::/64 via ::, port1, 00:17:23
        O       2001:db8:d0c:2::/64 [110/2] via fe80::20c:29ff:fe4d:f81f, port1, 00:16:36, [1024/0]
                                    [110/2] via fe80::20c:29ff:fe6b:b2c9, port2, 00:16:36, [1024/0]
        C       2001:db8:d0c:3::/64 via ::, port2, 00:17:23
        O       2001:db8:d0c:4::/64 [110/2] via fe80::20c:29ff:fe4d:f81f, port1, 00:16:36, [1024/0]
        O       2001:db8:d0c:5::/64 [110/2] via fe80::20c:29ff:fe6b:b2c9, port2, 00:16:52, [1024/0]
        C       2001:db8:d0c:6::/64 via ::, port3, 00:17:23

  - 2nd Floor FortiGate:

        # get router info6 ospf neighbor
        OSPFv3 Process (root)
        Neighbor ID     Pri   State           Dead Time   Interface
        1.1.1.1         255   Full/DR         00:00:35    port1
        13.13.13.13       1   Full/DR         00:00:31    port2

        # get router info6 ospf status
        Routing Process "OSPFv3 (root)" with ID 2.2.2.2
        Process is not up
        SPF schedule delay 5 secs, Hold time between SPFs 10 secs
        Minimum LSA interval 5 secs, Minimum LSA arrival 1 secs
        Number of incomming current DD exchange neighbors 0/5
        Number of outgoing current DD exchange neighbors 0/5
        Number of external LSA 0. Checksum Sum 0x0000
        Number of AS-Scoped Unknown LSA 0
        Number of LSA originated 19
        Number of LSA received 157
        Number of areas in this router is 1
            Area BACKBONE(0)
                Number of interfaces in this area is 2(2)
                SPF algorithm executed 32 times
                Number of LSA 9. Checksum Sum 0x2D793
                Number of Unknown LSA

        # get router info6 routing-table
        IPv6 Routing Table
        Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
               IA - OSPF inter area
               N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
               E1 - OSPF external type 1, E2 - OSPF external type 2
               i - IS-IS, B - BGP
               * - candidate default

        Timers: Uptime

        O*E2    ::/0 [110/10] via fe80::20c:29ff:fefc:185e, port2, 00:00:37
        C       ::1/128 via ::, root, 00:15:47
        O E2    64:ff9b::/96 [110/10] via fe80::20c:29ff:fefc:185e, port2, 00:00:37
        O       2001:db8:d0c:1::/64 [110/2] via fe80::20c:29ff:fe4d:f815, port1, 00:14:10
                                    [110/2] via fe80::20c:29ff:fefc:185e, port2, 00:14:10
        C       2001:db8:d0c:2::/64 via ::, port1, 00:15:47
        C       2001:db8:d0c:3::/64 via ::, port2, 00:15:47
        O       2001:db8:d0c:4::/64 [110/2] via fe80::20c:29ff:fe4d:f815, port1, 00:14:36
        C       2001:db8:d0c:5::/64 via ::, port3, 00:15:47
        C       fe80::/64 via ::, port8, 00:15:47

    The default route advertised by Enterprise Core FortiGate using default-information-originate is considered an OSPF E2 route. Other routes redistributed from BGP are also E2 routes.

  - 1st Floor FortiGate:

        # get router info6 ospf neighbor
        OSPFv3 Process (root)
        Neighbor ID     Pri   State           Dead Time   Interface
        2.2.2.2         250   Full/Backup     00:00:33    port1
        13.13.13.13       1   Full/DR         00:00:31    port2

        # get router info6 ospf status
        Routing Process "OSPFv3 (root)" with ID 1.1.1.1
        Process uptime is 38 minutes
        SPF schedule delay 5 secs, Hold time between SPFs 10 secs
        Minimum LSA interval 5 secs, Minimum LSA arrival 1 secs
        Number of incomming current DD exchange neighbors 0/5
        Number of outgoing current DD exchange neighbors 0/5
        Number of external LSA 0. Checksum Sum 0x0000
        Number of AS-Scoped Unknown LSA 0
        Number of LSA originated 21
        Number of LSA received 95
        Number of areas in this router is 1
            Area BACKBONE(0)
                Number of interfaces in this area is 2(2)
                SPF algorithm executed 30 times
                Number of LSA 9. Checksum Sum 0x2D793
                Number of Unknown LSA 0

        # get router info6 routing-table
        IPv6 Routing Table
        Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
               IA - OSPF inter area
               N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
               E1 - OSPF external type 1, E2 - OSPF external type 2
               i - IS-IS, B - BGP
               * - candidate default

        Timers: Uptime

        Routing table for VRF=0
        O*E2    ::/0 [110/10] via fe80::20c:29ff:fefc:1854, port2, 00:00:12
        C       ::1/128 via ::, root, 00:15:10
        O E2    64:ff9b::/96 [110/10] via fe80::20c:29ff:fefc:1854, port2, 00:00:12
        C       2001:db8:d0c:1::/64 via ::, port2, 00:15:10
        C       2001:db8:d0c:2::/64 via ::, port1, 00:15:10
        O       2001:db8:d0c:3::/64 [110/2] via fe80::20c:29ff:fe6b:b2bf, port1, 00:13:45
                                    [110/2] via fe80::20c:29ff:fefc:1854, port2, 00:13:45
        C       2001:db8:d0c:4::/64 via ::, port3, 00:15:10
        O       2001:db8:d0c:5::/64 [110/2] via fe80::20c:29ff:fe6b:b2bf, port1, 00:14:20
        C       fe80::/64 via ::, port3, 00:15:10

- Link down state

  If port1 is disconnected on Enterprise Core FortiGate:

  - Enterprise Core FortiGate:

        # get router info6 routing-table
        IPv6 Routing Table
        Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
               IA - OSPF inter area
               N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
               E1 - OSPF external type 1, E2 - OSPF external type 2
               i - IS-IS, B - BGP, V - BGP VPNv6
               * - candidate default

        Timers: Uptime

        Routing table for VRF=0
        B*      ::/0 [20/0] via fe80::20c:29ff:febc:eec2, port3, 00:30:38, [1024/0]
        C       ::1/128 via ::, root, 01:29:46
        B       64:ff9b::/96 [20/0] via fe80::20c:29ff:febc:eec2, port3, 00:30:38, [1024/0]
        O       2001:db8:d0c:1::/64 [110/3] via fe80::20c:29ff:fe6b:b2c9, port2, 00:00:01, [1024/0]
        O       2001:db8:d0c:2::/64 [110/2] via fe80::20c:29ff:fe6b:b2c9, port2, 00:02:57, [1024/0]
        C       2001:db8:d0c:3::/64 via ::, port2, 01:29:46
        O       2001:db8:d0c:4::/64 [110/3] via fe80::20c:29ff:fe6b:b2c9, port2, 00:02:24, [1024/0]
        O       2001:db8:d0c:5::/64 [110/2] via fe80::20c:29ff:fe6b:b2c9, port2, 00:36:14, [1024/0]
        C       2001:db8:d0c:6::/64 via ::, port3, 01:29:46

  - 2nd Floor FortiGate:

        # get router info6 routing-table
        IPv6 Routing Table
        Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
               IA - OSPF inter area
               N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
               E1 - OSPF external type 1, E2 - OSPF external type 2
               i - IS-IS, B - BGP
               * - candidate default

        Timers: Uptime

        O*E2    ::/0 [110/10] via fe80::20c:29ff:fefc:185e, port2, 00:28:38
        C       ::1/128 via ::, root, 01:28:29
        O E2    64:ff9b::/96 [110/10] via fe80::20c:29ff:fefc:185e, port2, 00:28:38
        O       2001:db8:d0c:1::/64 [110/2] via fe80::20c:29ff:fe4d:f815, port1, 00:00:27
        C       2001:db8:d0c:2::/64 via ::, port1, 01:28:29
        C       2001:db8:d0c:3::/64 via ::, port2, 01:28:29
        O       2001:db8:d0c:4::/64 [110/2] via fe80::20c:29ff:fe4d:f815, port1, 00:34:12
        C       2001:db8:d0c:5::/64 via ::, port3, 01:28:29
        C       fe80::/64 via ::, port8, 01:28:29

  - 1st Floor FortiGate:

        # get router info6 routing-table
        IPv6 Routing Table
        Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
               IA - OSPF inter area
               N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
               E1 - OSPF external type 1, E2 - OSPF external type 2
               i - IS-IS, B - BGP
               * - candidate default

        Timers: Uptime

        Routing table for VRF=0
        O*E2    ::/0 [110/10] via fe80::20c:29ff:fe6b:b2bf, port1, 00:00:55
        C       ::1/128 via ::, root, 01:28:14
        O E2    64:ff9b::/96 [110/10] via fe80::20c:29ff:fe6b:b2bf, port1, 00:00:55
        C       2001:db8:d0c:1::/64 via ::, port2, 01:28:14
        C       2001:db8:d0c:2::/64 via ::, port1, 01:28:14
        O       2001:db8:d0c:3::/64 [110/2] via fe80::20c:29ff:fe6b:b2bf, port1, 00:00:56
        C       2001:db8:d0c:4::/64 via ::, port3, 01:28:14
        O       2001:db8:d0c:5::/64 [110/2] via fe80::20c:29ff:fe6b:b2bf, port1, 00:33:59
        C       fe80::/64 via ::, port3, 01:28:14
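
To confirm the convergence shown in the link down state, the routing tables captured before and after the failure can be compared by next hop. The following is an added example, not part of the original documentation: the route lines are excerpted from the 1st Floor FortiGate output in this example, and the function names are hypothetical.

```python
import re

# Route lines excerpted from this page's 1st Floor FortiGate output.
WORKING = """\
O*E2    ::/0 [110/10] via fe80::20c:29ff:fefc:1854, port2, 00:00:12
O E2    64:ff9b::/96 [110/10] via fe80::20c:29ff:fefc:1854, port2, 00:00:12
C       2001:db8:d0c:1::/64 via ::, port2, 00:15:10
O       2001:db8:d0c:3::/64 [110/2] via fe80::20c:29ff:fe6b:b2bf, port1, 00:13:45
                            [110/2] via fe80::20c:29ff:fefc:1854, port2, 00:13:45
O       2001:db8:d0c:5::/64 [110/2] via fe80::20c:29ff:fe6b:b2bf, port1, 00:14:20
"""
LINK_DOWN = """\
O*E2    ::/0 [110/10] via fe80::20c:29ff:fe6b:b2bf, port1, 00:00:55
O E2    64:ff9b::/96 [110/10] via fe80::20c:29ff:fe6b:b2bf, port1, 00:00:55
C       2001:db8:d0c:1::/64 via ::, port2, 01:28:14
O       2001:db8:d0c:3::/64 [110/2] via fe80::20c:29ff:fe6b:b2bf, port1, 00:00:56
O       2001:db8:d0c:5::/64 [110/2] via fe80::20c:29ff:fe6b:b2bf, port1, 00:33:59
"""

ROUTE = re.compile(r"^\S.*?\s+(?P<prefix>[0-9a-f:]+/\d+)\s")   # line that starts a prefix
HOP = re.compile(r"via (?P<gw>[0-9a-f:]+), (?P<intf>\w+),")     # one next hop

def parse_routes(text):
    """Map prefix -> set of (gateway, interface); ECMP hops sit on continuation lines."""
    routes, current = {}, None
    for line in text.splitlines():
        m = ROUTE.match(line)
        if m:
            current = m["prefix"]
            routes[current] = set()
        hop = HOP.search(line)
        if hop and current:
            routes[current].add((hop["gw"], hop["intf"]))
    return routes

def diff_routes(before, after):
    """Return {prefix: (old_hops, new_hops)} for every prefix whose next hops changed."""
    b, a = parse_routes(before), parse_routes(after)
    return {p: (b.get(p, set()), a.get(p, set()))
            for p in sorted(b.keys() | a.keys()) if b.get(p) != a.get(p)}

if __name__ == "__main__":
    for prefix, (old, new) in diff_routes(WORKING, LINK_DOWN).items():
        print(prefix, sorted(old), "->", sorted(new))
```

On this data the default route and the other E2 route move from port2 to port1, and 2001:db8:d0c:3::/64 loses its second equal-cost path.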
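
The neighbor tables in the working state can also be checked against the adjacencies the topology allows, so that an unlisted router ID or an adjacency that never reaches Full stands out. The following is an added example, not part of the original documentation: the expected-neighbor baseline is an assumption derived from the address table above, the second sample is constructed, and the function names are hypothetical.

```python
import re

# Assumed baseline for 2nd Floor FortiGate, derived from this page's address table:
# interface -> router ID of the only neighbor that should appear on that link.
EXPECTED = {"port1": "1.1.1.1", "port2": "13.13.13.13"}

# Output as shown on this page for 2nd Floor FortiGate.
PAGE_OUTPUT = """\
OSPFv3 Process (root)
Neighbor ID     Pri   State           Dead Time   Interface
1.1.1.1         255   Full/DR         00:00:35    port1
13.13.13.13       1   Full/DR         00:00:31    port2
"""
# Constructed sample: an unlisted router ID on port1 and a stuck adjacency on port2.
CONSTRUCTED = """\
Neighbor ID     Pri   State           Dead Time   Interface
1.1.1.1         255   Full/DR         00:00:35    port1
9.9.9.9         255   Full/Backup     00:00:39    port1
13.13.13.13       1   ExStart/DR      00:00:31    port2
"""

ROW = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+([\w-]+)/(\S+)\s+(\S+)\s+(\S+)$")

def parse_neighbors(text):
    """Return one dict per neighbor row; banner and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rid, pri, state, role, _dead, intf = m.groups()
            rows.append({"id": rid, "pri": int(pri), "state": state,
                         "role": role, "intf": intf})
    return rows

def audit(text, expected=EXPECTED):
    """Return (finding, router_id, interface) tuples for deviations from the baseline."""
    findings, seen = [], set()
    for n in parse_neighbors(text):
        if expected.get(n["intf"]) != n["id"]:
            findings.append(("unexpected-neighbor", n["id"], n["intf"]))
            continue
        seen.add(n["intf"])
        if n["state"] != "Full":
            findings.append(("not-full", n["id"], n["intf"]))
    findings += [("missing-neighbor", rid, intf)
                 for intf, rid in expected.items() if intf not in seen]
    return findings
```
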