Advanced inter-area OSPF example
This example sets up an OSPF network at a large office. There are three areas, each with two routers. Typically OSPF areas would not be this small, and if they were the areas would be combined into one bigger area. However, the stub area services the accounting department which is very sensitive about their network and do not want any of their network information broadcast through the rest of the company. The backbone area contains the bulk of the company network devices. The regular area was established for various reasons such as hosting the company servers on a separate area with extra security.
One area is a small stub area that has no independent Internet connection, and only one connection to the backbone area. That connection between the stub area and the backbone area is only through a default route. No routes outside the stub area are advertised into that area. Another area is the backbone, which is connected to the other two areas. The third area has the Internet connection, and all traffic to and from the Internet must use that area’s connection. If that traffic comes from the stub area, then that traffic is treating the backbone like a transit area that only uses it to get to another area.
In the stub area, a subnet of computers is running the RIP routing protocol and those routes must be redistributed into the OSPF areas.
This section includes the following topics:
Network layout and assumptions
There are four FortiGate units in this network topology acting as OSPF routers:
Advanced inter-area OSPF network topology
Area 1.1.1.1 is a stub area with one FortiGate unit OSPF router called Router1 (DR). Its only access outside of that area is a default route to the backbone area, which is how it accesses the Internet. Traffic must go from the stub area, through the backbone, to the third area to reach the Internet. The backbone area in this configuration is called a transit area. Also in area 1.1.1.1 there is a RIP router that will be providing routes to the OSPF area through redistribution.
Area 0.0.0.0 is the backbone area, and has two FortiGate unit routers named Router2 (BDR) and Router3 (DR).
Area 2.2.2.2 is a regular area that has an Internet connection accessed by both the other two OSPF areas. There is only one FortiGate unit router in this area called Router4 (DR). This area is more secure and requires MD5 authentication by routers.
All areas have user networks connected, but they are not important for configuring the network layout for this example.
Internal interfaces are connected to internal user networks only. External1 interfaces are connected to the 10.11.110.0 network, joining Area 1.1.1.1 and Area 0.0.0.0.
External2 interfaces are connected to the 10.11.111.0 network, joining Area 0.0.0.0 and Area 2.2.2.2. The ISP interface is called ISP.
Routers, areas, interfaces, IP addresses for advanced OSPF network
| Router1 (DR) |
1.1.1.1 - stub area
(Accounting) |
port1 (internal) |
10.11.101.1 |
| port2 (external1) |
10.11.110.1 |
| Router2 (BDR) |
0.0.0.0 - backbone area
( R&D Network) |
port1 (internal) |
10.11.102.2 |
| port2 (external1) |
10.11.110.2 |
| port3 (external2) |
10.11.111.2 |
| Router3 (DR) |
0.0.0.0 - backbone area
(R&D Network) |
port1 (internal) |
10.11.103.3 |
| port2 (external1) |
10.11.110.3 |
| port3 (external2) |
10.11.111.3 |
| Router4 (DR) |
2.2.2.2 - regular area
(Network Admin) |
port1 (internal) |
10.11.104.4 |
| port2 (external2) |
10.11.111.4 |
| port3 (ISP) |
172.20.120.4 |
Note that other subnets can be added to the internal interfaces without changing the configuration.
Assumptions
- The FortiGate units used in this example have interfaces named port1, port2, and port3.
- All FortiGate units in this example have factory default configuration with FortiOS 4.0 MR2 firmware installed, and are in NAT/Route operation mode.
- During configuration, if settings are not directly referred to they will be left at default settings.
- Basic firewalls are in place to allow unfiltered traffic between all connected interfaces in both directions.
- This OSPF network is not connected to any other OSPF areas outside of this example.
- The Internet connection is always available.
- Other devices may be on the network, but do not affect this configuration.
Configuring the FortiGate units
This section configures the basic settings on the FortiGate units to be OSPF routers. These configurations include multiple interface settings, and hostname.
There are four FortiGate units in this example. The two units in the backbone area can be configured exactly the same except for IP addresses, so only router3 (the DR) configuration will be given with notes indicating router2 (the BDR) IP addresses.
Configuring the FortiGate units includes:
Configuring Router1
Router1 is part of the Accounting network stub area (1.1.1.1).
To configure Router1 interfaces - web-based manager
- Go to Dashboard > System Information.
- Next to hostname, select Change.
- Enter a hostname of
Router1, and select OK.
- Go to Network > Interfaces, edit port1, set the following information, and select OK.
| Alias |
internal |
| IP/Network Mask |
10.11.101.1/255.255.255.0 |
| Administrative Access |
HTTPS SSH PING |
| Description |
Accounting network |
| Administrative Status |
Up |
- Edit port2, set the following information, and select OK.
| Alias |
External1 |
| IP/Network Mask |
10.11.110.1/255.255.255.0 |
| Administrative Access |
HTTPS SSH PING |
| Description |
Backbone network and Internet |
| Administrative Status |
Up |
Configuring Router2
Router2 is part of the R&D network backbone area (0.0.0.0). Router2 and Router3 are in this area. They provide a redundant connection between area 1.1.1.1 and area 2.2.2.2.
Router2 has three interfaces configured; one to the internal network, and two to Router3 for redundancy.
To configure Router2 interfaces - web-based manager
- Go to Dashboard > System Information.
- Next to hostname, select Change.
- Enter a hostname of
Router2, and select OK.
- Go to Network > Interfaces, edit port1 (internal), set the following information, and select OK.
| Alias |
internal |
| IP/Network Mask |
10.11.102.2/255.255.255.0 |
| Administrative Access |
HTTPS SSH PING |
| Description |
Internal RnD network |
| Administrative Status |
Up |
- Edit port2 (external1), set the following information, and select OK.
| Alias |
external1 |
| IP/Network Mask |
10.11.110.2/255.255.255.0 |
| Administrative Access |
HTTPS SSH PING |
| Description |
Router3 first connection |
| Administrative Status |
Up |
- Edit port3 (external2), set the following information, and select OK.
| Alias |
external2 |
| IP/Network Mask |
10.11.111.2/255.255.255.0 |
| Administrative Access |
HTTPS SSH PING |
| Description |
Router3 second connection |
| Administrative Status |
Up |
Configuring Router3
Router3 is part of the R&D network backbone area (0.0.0.0). Router2 and Router3 are in this area. They provide a redundant connection between area 1.1.1.1 and area 2.2.2.2.
To configure Router3 interfaces - web-based manager
- Go to Dashboard > System Information.
- Next to hostname, select Change.
- Enter a hostname of
Router3, and select OK.
- Go to Network > Interfaces, edit port1 (internal), set the following information, and select OK.
| Alias |
internal |
| IP/Network Mask |
10.11.103.3/255.255.255.0 |
| Administrative Access |
HTTPS SSH PING |
| Description |
Internal RnD network |
| Administrative Status |
Up |
- Edit port2 (external1), set the following information, and select OK.
| Alias |
external1 |
| IP/Network Mask |
10.11.110.3/255.255.255.0 |
| Administrative Access |
HTTPS SSH PING |
| Description |
Router2 first connection |
| Administrative Status |
Up |
- Edit port3 (external2), set the following information, and select OK.
| Alias |
external2 |
| IP/Network Mask |
10.11.111.3/255.255.255.0 |
| Administrative Access |
HTTPS SSH PING |
| Description |
Router2 second connection |
| Administrative Status |
Up |
Configuring Router4
Router4 is part of the Network Administration regular area (2.2.2.2). This area provides Internet access for both area 1.1.1.1 and the backbone area.
This section configures interfaces and hostname.
To configure Router4 interfaces - web-based manager
- Go to Dashboard > System Information.
- Next to hostname, select Change.
- Enter a hostname of
Router4, and select OK.
- Go to Network > Interfaces.
- Edit port1 (internal).
- Set the following information, and select OK.
| Alias |
internal |
| IP/Network Mask |
10.11.101.4/255.255.255.0 |
| Administrative Access |
HTTPS SSH PING |
| Description |
Accounting network |
| Administrative Status |
Up |
- Edit port2 (external2).
- Set the following information, and select OK.
| Alias |
external2 |
| IP/Network Mask |
10.11.110.4/255.255.255.0 |
| Administrative Access |
HTTPS SSH PING |
| Description |
Backbone and Accounting network |
| Administrative Status |
Up |
- Edit port3 (ISP).
- Set the following information, and select OK.
| Alias |
ISP |
| IP/Network Mask |
172.20.120.4/255.255.255.0 |
| Administrative Access |
HTTPS SSH PING |
| Description |
ISP and Internet |
| Administrative Status |
Up |
Configuring OSPF on the FortiGate units
Three of the routers are designated routers (DR) and one is a backup DR (BDR). This is achieved through the lowest router ID numbers, or OSPF priority settings.
Also each area needs to be configured as each respective type of area - stub, backbone, or regular. This affects how routes are advertised into the area.
To configure OSPF on Router1 - web-based manager
- Go to Network > OSPF.
- Enter
10.11.101.1 for the Router ID and select Apply.
- In Areas, select Create New, set the following information, and select OK.
| Area |
1.1.1.1 |
| Type |
Stub |
| Authentication |
None |
- In Networks, select Create New, set the following information, and select OK.
| IP/Netmask |
10.11.101.0/255.255.255.0 |
| Area |
1.1.1.1 |
- In Interfaces, select Create New, set the following information, and select OK.
| Name |
Accounting |
| Interface |
port1 (internal) |
| IP |
10.11.101.1 |
| Authentication |
None |
- In Interfaces, select Create New, set the following information, and select OK.
| Name |
Backbone1 |
| Interface |
port2 (external1) |
| IP |
10.11.110.1 |
| Authentication |
None |
To configure OSPF on Router2 - web-based manager
- Go to Network > OSPF.
- Enter
10.11.102.2 for the Router ID and select Apply.
- In Areas, select Create New, set the following information, and select OK.
| Area |
0.0.0.0 |
| Type |
Regular |
| Authentication |
None |
- In Networks, select Create New, set the following information, and select OK.
| IP/Netmask |
10.11.102.2/255.255.255.0 |
| Area |
0.0.0.0 |
- In Networks, select Create New, set the following information, and select OK.
| IP/Netmask |
10.11.110.2/255.255.255.0 |
| Area |
0.0.0.0 |
- In Networks, select Create New, set the following information, and select OK.
| IP/Netmask |
10.11.111.2/255.255.255.0 |
| Area |
0.0.0.0 |
- In Interfaces, select Create New, set the following information, and select OK.
| Name |
RnD network |
| Interface |
port1 (internal) |
| IP |
10.11.102.2 |
| Authentication |
None |
- In Interfaces, select Create New, set the following information, and select OK.
| Name |
Backbone1 |
| Interface |
port2 (external1) |
| IP |
10.11.110.2 |
| Authentication |
None |
- In Interfaces, select Create New, set the following information, and select OK.
| Name |
Backbone2 |
| Interface |
port3 (external2) |
| IP |
10.11.111.2 |
| Authentication |
None |
To configure OSPF on Router3 - web-based manager
- Go to Network > OSPF.
- Enter
10.11.103.3 for the Router ID and then select Apply.
- In Areas, select Create New, set the following information, and then select OK.
| Area |
0.0.0.0 |
| Type |
Regular |
| Authentication |
None |
- In Networks, select Create New, set the following information, and select OK.
| IP/Netmask |
10.11.102.3/255.255.255.0 |
| Area |
0.0.0.0 |
- In Networks, select Create New, set the following information, and select OK.
| IP/Netmask |
10.11.110.3/255.255.255.0 |
| Area |
0.0.0.0 |
- In Networks, select Create New, set the following information, and select OK.
| IP/Netmask |
10.11.111.3/255.255.255.0 |
| Area |
0.0.0.0 |
- In Interfaces, select Create New, set the following information, and select OK.
| Name |
RnD network |
| Interface |
port1 (internal) |
| IP |
10.11.103.3 |
| Authentication |
None |
- In Interfaces, select Create New, set the following information, and select OK.
| Name |
Backbone1 |
| Interface |
port2 (external1) |
| IP |
10.11.110.3 |
| Authentication |
None |
- In Interfaces, select Create New, set the following information, and select OK.
| Name |
Backbone2 |
| Interface |
port3 (external2) |
| IP |
10.11.111.3 |
| Authentication |
None |
To configure OSPF on Router4 - web-based manager
- Go to Network > OSPF.
- Enter
10.11.104.4 for the Router ID and then select Apply.
- In Areas, select Create New.
- Set the following information, and select OK.
| Area |
2.2.2.2 |
| Type |
Regular |
| Authentication |
None |
- In Networks, select Create New, set the following information, and select OK.
| IP/Netmask |
10.11.104.0/255.255.255.0 |
| Area |
0.0.0.0 |
- In Networks, select Create New, set the following information, and select OK.
| IP/Netmask |
10.11.111.0/255.255.255.0 |
| Area |
0.0.0.0 |
- In Networks, select Create New, set the following information, and select OK.
| IP/Netmask |
172.20.120.0/255.255.255.0 |
| Area |
0.0.0.0 |
- In Interfaces, select Create New, set the following information, and select OK.
| Name |
Network Admin network |
| Interface |
port1 (internal) |
| IP |
10.11.104.4 |
| Authentication |
None |
- In Interfaces, select Create New, set the following information, and select OK.
| Name |
Backbone2 |
| Interface |
port2 (external2) |
| IP |
10.11.111.4 |
| Authentication |
None |
- In Interfaces, select Create New, set the following information, and select OK.
| Name |
ISP |
| Interface |
port3 (ISP) |
| IP |
172.20.120.4 |
| Authentication |
None |
Configuring other networking devices
All network devices on this network are running OSPF routing. The user networks (Accounting, R&D, and Network Administration) are part of one of the three areas.
The ISP needs to be notified of your network configuration for area 2.2.2.2. Your ISP will not advertise your areas externally as they are intended as internal areas. External areas have assigned unique numbers. The area numbers used in this example are similar to the 10.0.0.0 and 192.168.0.0 subnets used in internal networking.
Testing network configuration
There are two main areas to test in this network configuration; network connectivity, and OSPF routing.
To test the network connectivity, see if computers on the Accounting or R&D networks can access the Internet. If you need to troubleshoot network connectivity, see the FortiOS Handbook Troubleshooting chapter.
To test the OSPF routing, check the routing tables on the FortiGate units to ensure the expected OSPF routes are present. If you need help troubleshooting OSPF routing, see Advanced inter-area OSPF example.
