
FTD eBGP default route into OSPF

Support ACME
Level 1

Dear all,

I'm setting up a two-tier firewall architecture (the internet-facing firewall is Fortinet and the second-tier firewall is Cisco FTD). I received the default route 0.0.0.0 0.0.0.0 from the Fortinet firewall via eBGP (Fortinet (ASN:64520) and Cisco (ASN:64450) are using an eBGP connection). I had created the route-map in OSPF redistribution for the default route, but I can't receive it from the internal switch.

Can anyone help?

Network Diagram

Fortinet(ASN:64520)->eBGP<-Cisco FTD(ASN:64450)->OSPF<-Cisco C3750E

Thanks.

Support

1 Accepted Solution

Hello
The fortinet has no bearing on using the ospf default originate within the ospf stanza

fortinet to asa = bgp
asa to switch = ospf

So the default originate should work providing the default route from bgp is in the asa rib table

Note: using the always keyword will bypass this condition


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

16 Replies

Hello
Instead of redistributing the received eBGP default, advertise it into OSPF with default originate.

Kind Regards
Paul

I can't use the default originate (default-information originate) because the Fortinet does not announce the 0.0.0.0 0.0.0.0; the default route will be learned from the other site via OSPF.

Jon Marshall
Hall of Fame

Try redistributing without the route map to narrow down where the problem is.

Jon

I had removed the route-map but still can't learn the default route.

Just to confirm -

you are definitely receiving the default route from the Fortinet and it is in the routing table on the ASA?

on the switch it is not in the routing table, but is it in the OSPF database?

Jon

you are definitely receiving the default route from the Fortinet and it is in the routing table on the ASA?

ACME: Yes, I can see the default route in the FTD routing table.

on the switch it is not in the routing table, but is it in the OSPF database?

ACME: Yes, only the default route is not in the routing table; other prefixes are received.

Sorry, that last bit -

so the switch is receiving the default route but it is only in the OSPF database?

other prefixes are received, are those prefixes redistributed from BGP on the ASA?

Jon

so the switch is receiving the default route but it is only in the OSPF database?

ACME: May I know how to check it?

other prefixes are received, are those prefixes redistributed from BGP on the ASA?

ACME: Yes.

Please help to check the screenshot.

In your original post you said the Fortinet was receiving the default route via EBGP and that the ASA was running EBGP as well.

When Paul suggested using default-information originate in OSPF you said you couldn't because the Fortinet was not announcing the default route.

So is the ASA receiving the default route from the Fortinet or not?

If it is then use default-information originate as Paul suggested and if it isn't can you explain what the BGP configuration is for?

Jon

When Paul suggested using default-information originate in OSPF you said you couldn't because the Fortinet was not announcing the default route.

ACME: The Fortinet generates the default route to the ASA; if the Fortinet finds the internet down, it will not generate the default route to the ASA.

So is the ASA receiving the default route from the Fortinet or not?

ACME: Yes.

If it is then use default-information originate as Paul suggested and if it isn't can you explain what the BGP configuration is for?

ACME: I can't use default-information originate because I have two sites; if the site A internet is down, the default route is learned from site B via OSPF. If I use default-information originate, it will cause a looping issue.

If you use default-information originate and the default route from Fortinet stops being received then the default route is no longer advertised into OSPF.

It would only keep being advertised if you used the always keyword in the command.

Would this not work for you?

Jon
It seems to work; I'm doing the verification.

Thanks, Paul.
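
The conditional behaviour described in this thread, as an added example that is not part of any poster's reply or of the original poster's configuration: ASA-style CLI showing default-information originate beside the always variant, with the show commands that answer the "how to check it" question. The AS numbers come from the original post; the peer address 192.0.2.1, the inside network 10.0.0.0/24, OSPF process ID 1 and area 0 are assumptions.

```cisco
! Constructed example. Addresses, OSPF process ID and area are placeholders.
!
! eBGP session to the Fortinet, which announces 0.0.0.0/0 only while
! its own internet uplink is healthy (as described in the thread).
router bgp 64450
 address-family ipv4 unicast
  neighbor 192.0.2.1 remote-as 64520
  neighbor 192.0.2.1 activate
!
! Conditional form: the external default LSA is originated only while
! the firewall has a default route in its routing table (here the one
! learned from the Fortinet via eBGP). When the Fortinet withdraws the
! default, the LSA is withdrawn too, and the switches can follow the
! default learned from the other site via OSPF.
router ospf 1
 network 10.0.0.0 255.255.255.0 area 0
 default-information originate
!
! Unconditional form, NOT wanted in this two-site design: the default
! is advertised even when no default route is in the routing table,
! so the site keeps attracting internet-bound traffic it cannot forward.
!  default-information originate always
!
! Checks on the firewall:
!   show route bgp                  (is 0.0.0.0/0 learned from AS 64520?)
!   show ospf database external     (is a 0.0.0.0 external LSA originated?)
!
! Checks on the C3750E:
!   show ip ospf database external 0.0.0.0   (LSA present in the database?)
!   show ip route 0.0.0.0                    (LSA installed as a route?)
```

On FTD these settings are deployed from the management interface rather than typed at the CLI; the show commands can still be run on the device.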
