Fortigate OSPF configuration

So, there is a need to bring up a dynamic routing protocol between a Fortigate and a Cisco:

Cisco OSPF configuration:

interface GigabitEthernet0/17
 description ### Link to Fortigate
 no switchport
 ip address 10.254.254.89 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 1234567890
 ip ospf network point-to-point
 load-interval 30
end



router ospf 10
 router-id 192.168.255.6
 log-adjacency-changes detail
 passive-interface default
 no passive-interface GigabitEthernet0/17
 network 10.254.254.24 0.0.0.3 area 0
 network 10.254.254.32 0.0.0.3 area 0
 network 10.254.254.36 0.0.0.3 area 0
 network 10.254.254.64 0.0.0.3 area 0
 network 10.254.254.88 0.0.0.3 area 0
 network 192.168.80.0 0.0.0.255 area 0
 network 192.168.81.0 0.0.0.255 area 0
 network 192.168.82.0 0.0.0.255 area 0
 network 192.168.83.0 0.0.0.255 area 0
 network 192.168.84.0 0.0.0.255 area 0
 network 192.168.85.0 0.0.0.255 area 0
 network 192.168.86.0 0.0.0.255 area 0
 network 192.168.87.0 0.0.0.255 area 0
 network 192.168.88.0 0.0.0.255 area 0
 network 192.168.89.0 0.0.0.255 area 0
 network 192.168.91.0 0.0.0.255 area 0
 network 192.168.94.0 0.0.0.255 area 0
 network 192.168.95.0 0.0.0.255 area 0
 network 192.168.255.6 0.0.0.0 area 0

Fortigate OSPF configuration:

FGT6HD3917801002 (ospf) # show
config router ospf
 set router-id 192.168.255.7
 config area
 edit 0.0.0.0
 next
 end
 config ospf-interface
 edit "PORT11"
 set interface "port11"
 set ip 10.254.254.90
 set authentication md5
 set md5-key 1 "ENC 3ZkWVdBdOqgDCw/mYsjh2/ftfesa"
 set dead-interval 40
 set hello-interval 10
 set network-type point-to-point
 next
 end
 config network
 edit 1
 set prefix 192.168.93.0 255.255.255.0
 next
 edit 2
 set prefix 192.168.255.7 255.255.255.255
 next
 edit 3
 set prefix 10.254.254.88 255.255.255.252
 next
 end
 config redistribute "connected"
 end
 config redistribute "static"
 end
 config redistribute "rip"
 end
 config redistribute "bgp"
 end
 config redistribute "isis"
 end
end


It should be noted that without the set network-type point-to-point option, it did not come up automatically for me.

All networks listed in the config network block will be advertised to neighbors. Looking a little ahead: if you enable the option to advertise all connected networks, the config network setting will no longer be taken into account.
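As an added example (not from the original post), here is a small Python check of the link parameters that must agree on both ends of the Cisco/Fortigate link above; the two dictionaries are filled in by hand from the configurations shown, and the Cisco hello/dead values are the point-to-point defaults assumed because the Cisco interface does not set them explicitly.

```python
# Added example (not from the original post): check that the OSPF parameters that
# must agree on both ends of the Cisco <-> Fortigate link actually agree.
# Both dictionaries are filled in by hand from the configurations shown above.
import ipaddress

CISCO_GI0_17 = {          # interface GigabitEthernet0/17 + router ospf 10
    "ip": "10.254.254.89/30",
    "area": "0.0.0.0",
    "network_type": "point-to-point",
    "auth": "md5",
    "hello": 10,          # not set explicitly: Cisco point-to-point default
    "dead": 40,           # not set explicitly: 4 x hello
    "router_id": "192.168.255.6",
}
FORTIGATE_PORT11 = {      # config ospf-interface / edit "PORT11"
    "ip": "10.254.254.90/30",
    "area": "0.0.0.0",
    "network_type": "point-to-point",
    "auth": "md5",
    "hello": 10,
    "dead": 40,
    "router_id": "192.168.255.7",
}


def ospf_link_mismatches(a, b):
    """Return human-readable reasons why the two ends would not form a stable
    OSPF adjacency; an empty list means the link parameters agree."""
    problems = []
    # Hello/dead timers, area and authentication type are checked on every
    # received Hello, so a mismatch keeps the neighbor from ever reaching Init.
    for key in ("hello", "dead", "area", "auth"):
        if a[key] != b[key]:
            problems.append(f"{key} mismatch: {a[key]} vs {b[key]}")
    # Both addresses must fall in the same subnet (on a /30 there are only two).
    net_a = ipaddress.ip_interface(a["ip"]).network
    net_b = ipaddress.ip_interface(b["ip"]).network
    if net_a != net_b:
        problems.append(f"subnet mismatch: {net_a} vs {net_b}")
    # Network type is not carried in Hellos, so a mismatch can still reach Full,
    # but one side then describes a point-to-point link and the other a transit
    # network, and routes across the link do not get installed. Flag it anyway.
    if a["network_type"] != b["network_type"]:
        problems.append(
            f"network-type mismatch: {a['network_type']} vs {b['network_type']}")
    # Two routers sharing a router-id is a classic cause of a flapping adjacency.
    if a["router_id"] == b["router_id"]:
        problems.append(f"duplicate router-id {a['router_id']}")
    return problems
```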

The following commands will also be useful for diagnosing possible problems:


FGT6HD3917801002 (VDOM2) # get router info ospf neighbor

OSPF process 0:
Neighbor ID Pri State Dead Time Address Interface
192.168.255.6 1 Full/ - 00:00:38 10.254.254.89 port11


FGT6HD3917801002 (VDOM2) # get router info ospf status
 Routing Process "ospf 0" with ID 192.168.255.7
 Process uptime is 21 hours 42 minutes
 Process bound to VRF default
 Conforms to RFC2328, and RFC1583Compatibility flag is disabled
 Supports only single TOS(TOS0) routes
 Supports opaque LSA
 Do not support Restarting
 SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
 Refresh timer 10 secs
 Number of incomming current DD exchange neighbors 0/5
 Number of outgoing current DD exchange neighbors 0/5
 Number of external LSA 87. Checksum 0x2E37BD
 Number of opaque AS LSA 0. Checksum 0x000000
 Number of non-default external LSA 86
 External LSA database is unlimited.
 Number of LSA originated 20
 Number of LSA received 570
 Number of areas attached to this router: 2
 Area 0.0.0.0 (BACKBONE)
 Number of interfaces in this area is 3(3)
 Number of fully adjacent neighbors in this area is 1
 Area has no authentication
 SPF algorithm last executed 00:00:29.290 ago
 SPF algorithm executed 27 times
 Number of LSA 17. Checksum 0x08ed37
 Area 0.0.0.10 (Inactive)
 Number of interfaces in this area is 0(0)
 Number of fully adjacent neighbors in this area is 0
 Number of fully adjacent virtual neighbors through this area is 0
 Area has no authentication
 SPF algorithm last executed 21:14:34.290 ago
 SPF algorithm executed 8 times
 Number of LSA 1. Checksum 0x00fc5b


FGT6HD3917801002 (VDOM2) # get router info ospf interface
port10 is up, line protocol is up
 Internet Address 192.168.93.1/24, Area 0.0.0.0, MTU 1500
 Process ID 0, Router ID 192.168.255.7, Network Type BROADCAST, Cost: 1
 Transmit Delay is 1 sec, State DR, Priority 1
 Designated Router (ID) 192.168.255.7, Interface Address 192.168.93.1
 No backup designated router on this network
 Timer intervals configured, Hello 10.000, Dead 40, Wait 40, Retransmit 5
 Hello due in 00:00:08
 Neighbor Count is 0, Adjacent neighbor count is 0
 Crypt Sequence Number is 353114
 Hello received 0 sent 7650, DD received 0 sent 0
 LS-Req received 0 sent 0, LS-Upd received 0 sent 0
 LS-Ack received 0 sent 0, Discarded 0
port11 is up, line protocol is up
 Internet Address 10.254.254.90/30, Area 0.0.0.0, MTU 1500
 Process ID 0, Router ID 192.168.255.7, Network Type BROADCAST, Cost: 1
 Transmit Delay is 1 sec, State DR, Priority 1
 Designated Router (ID) 192.168.255.7, Interface Address 10.254.254.90
 Backup Designated Router (ID) 192.168.255.6, Interface Address 10.254.254.89
 Timer intervals configured, Hello 10.000, Dead 40, Wait 40, Retransmit 5
 Hello due in 00:00:06
 Neighbor Count is 1, Adjacent neighbor count is 1
 Crypt Sequence Number is 427960
 Hello received 476 sent 709, DD received 18 sent 14
 LS-Req received 4 sent 4, LS-Upd received 58 sent 14
 LS-Ack received 9 sent 25, Discarded 0
loopback is up, line protocol is up
 Internet Address 192.168.255.7/32, Area 0.0.0.0, MTU 1500
 Process ID 0, Router ID 192.168.255.7, Network Type LOOPBACK, Cost: 100
 Transmit Delay is 1 sec, State Loopback
 Timer intervals configured, Hello 10.000, Dead 40, Wait 40, Retransmit 5


FGT6HD3917801002 (VDOM2) # get router info protocols
Routing Protocol is "rip"
 Sending updates every 30 seconds with +/-50%
 Timeout after 180 seconds, garbage collect after 120 seconds
 Outgoing update filter list for all interface is not set
 Incoming update filter list for all interface is not set
 Default redistribution metric is 1
 Maximum output metric is 15
 Redistributing:
 Default version control: send version 2, receive version 2
 Interface Send Recv Key-chain
 Routing for Networks:
 Routing Information Sources:
 Gateway Distance Last Update Bad Packets Bad Routes
 Distance: (default is 120)

Routing Protocol is "ospf 0"
 Invalid after 0 seconds, hold down 0, flushed after 0
 Outgoing update filter list for all interfaces is
 Incoming update filter list for all interfaces is
 Redistributing:
 Routing for Networks:
 10.254.254.88/30
 192.168.93.0/24
 192.168.255.7/32
 Routing Information Sources:
 Gateway Distance Last Update
 Distance: (default is 110)
 Address Mask Distance List


Routing Protocol is "isis"
 System ID: 0000.0000.0000
 Area addr: Non-configured
 IS type: level-1-2
 Number of Neighbors: 0


FGT6HD3917801002 (VDOM2) # get router info ospf interface
port10 is up, line protocol is up
 Internet Address 192.168.93.1/24, Area 0.0.0.0, MTU 1500
 Process ID 0, Router ID 192.168.255.7, Network Type BROADCAST, Cost: 1
 Transmit Delay is 1 sec, State DR, Priority 1
 Designated Router (ID) 192.168.255.7, Interface Address 192.168.93.1
 No backup designated router on this network
 Timer intervals configured, Hello 10.000, Dead 40, Wait 40, Retransmit 5
 Hello due in 00:00:10
 Neighbor Count is 0, Adjacent neighbor count is 0
 Crypt Sequence Number is 353114
 Hello received 0 sent 7660, DD received 0 sent 0
 LS-Req received 0 sent 0, LS-Upd received 0 sent 0
 LS-Ack received 0 sent 0, Discarded 0
port11 is up, line protocol is up
 Internet Address 10.254.254.90/30, Area 0.0.0.0, MTU 1500
 Process ID 0, Router ID 192.168.255.7, Network Type BROADCAST, Cost: 1
 Transmit Delay is 1 sec, State DR, Priority 1
 Designated Router (ID) 192.168.255.7, Interface Address 10.254.254.90
 Backup Designated Router (ID) 192.168.255.6, Interface Address 10.254.254.89
 Timer intervals configured, Hello 10.000, Dead 40, Wait 40, Retransmit 5
 Hello due in 00:00:08
 Neighbor Count is 1, Adjacent neighbor count is 1
 Crypt Sequence Number is 427970
 Hello received 487 sent 719, DD received 18 sent 14
 LS-Req received 4 sent 4, LS-Upd received 58 sent 14
 LS-Ack received 9 sent 25, Discarded 0
loopback is up, line protocol is up
 Internet Address 192.168.255.7/32, Area 0.0.0.0, MTU 1500
 Process ID 0, Router ID 192.168.255.7, Network Type LOOPBACK, Cost: 100
 Transmit Delay is 1 sec, State Loopback
 Timer intervals configured, Hello 10.000, Dead 40, Wait 40, Retransmit 5


It is also quite useful to check in the sniffer whether packets are actually flowing:


FGT6HD3917801002 (VDOM2) # diagnose sniffer packet any "proto 89" 4
interfaces=[any]
filters=[proto 89]
1.348230 port11 in 10.254.254.89 -> 224.0.0.5: ip-proto-89 200
1.383842 port11 in 10.254.254.89 -> 224.0.0.5: ip-proto-89 76
1.419362 port11 in 10.254.254.89 -> 224.0.0.5: ip-proto-89 1472
1.453684 port11 in 10.254.254.89 -> 224.0.0.5: ip-proto-89 440
1.728804 port11 out 10.254.254.90 -> 224.0.0.5: ip-proto-89 1100
2.258948 port11 out 10.254.254.90 -> 224.0.0.5: ip-proto-89 64
5.303992 port11 in 10.254.254.89 -> 224.0.0.5: ip-proto-89 100
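As an added example, not part of the original post, the following Python parses the neighbor table and the sniffer lines shown above (the sample strings are copied from those outputs) and flags neighbors that are not Full and interfaces on which OSPF packets flow in only one direction.

```python
# Added example, not from the original post: parse the "get router info ospf neighbor"
# table and the "diagnose sniffer packet" lines shown above and flag what a first
# look wants: neighbors not in Full, and a link carrying OSPF in one direction only.
import re

NEIGHBOR_OUTPUT = """\
OSPF process 0:
Neighbor ID Pri State Dead Time Address Interface
192.168.255.6 1 Full/ - 00:00:38 10.254.254.89 port11
"""
SNIFFER_OUTPUT = """\
filters=[proto 89]
1.348230 port11 in 10.254.254.89 -> 224.0.0.5: ip-proto-89 200
1.728804 port11 out 10.254.254.90 -> 224.0.0.5: ip-proto-89 1100
5.303992 port11 in 10.254.254.89 -> 224.0.0.5: ip-proto-89 100
"""

NEIGHBOR_RE = re.compile(
    r"^(?P<rid>\d+\.\d+\.\d+\.\d+)\s+(?P<pri>\d+)\s+(?P<state>\w+)/\s*(?P<role>\S+)"
    r"\s+(?P<dead>\d\d:\d\d:\d\d)\s+(?P<addr>\S+)\s+(?P<iface>\S+)$")
SNIFFER_RE = re.compile(
    r"^[\d.]+\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+\S+ -> \S+: ip-proto-89 \d+$")


def parse_neighbors(text):
    """One dict per neighbor row; the process and header lines do not match."""
    rows = (NEIGHBOR_RE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in rows if m]


def neighbors_not_full(text):
    """Router IDs in any state other than Full (Init, 2-Way, ExStart, Exchange...).
    A neighbor stuck in ExStart/Exchange usually means an MTU or authentication problem."""
    return [n["rid"] for n in parse_neighbors(text) if n["state"] != "Full"]


def ospf_direction_counts(text):
    """{(interface, 'in'|'out'): packet count} for proto-89 lines in sniffer output."""
    counts = {}
    for line in text.splitlines():
        m = SNIFFER_RE.match(line.strip())
        if m:
            counts[(m["iface"], m["dir"])] = counts.get((m["iface"], m["dir"]), 0) + 1
    return counts


def one_way_interfaces(text):
    """Interfaces that see OSPF in one direction only: 'in' without 'out' points
    at the local side (interface not in OSPF, wrong area), 'out' without 'in' at the peer."""
    counts = ospf_direction_counts(text)
    ifaces = {i for i, _ in counts}
    return sorted(i for i in ifaces if not ((i, "in") in counts and (i, "out") in counts))
```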

And, of course, running the debug:

FGT# diagnose ip router ospf all (enable|disable)
FGT# diagnose ip router ospf level info -> Requested for FortiOS V4.x
FGT# diagnose debug enable

OSPF: RECV[Hello]: From 192.168.182.106 via external:192.168.182.58 (192.168.182.106 -> 224.0.0.5)
OSPF: -----------------------------------------------------
OSPF: Header
OSPF: Version 2
OSPF: Type 1 (Hello)
OSPF: Packet Len 52
OSPF: Router ID 192.168.182.106
OSPF: Area ID 0.0.0.0
OSPF: Checksum 0xaa91
OSPF: AuType 0
OSPF: Hello
OSPF: NetworkMask 255.255.254.0
OSPF: HelloInterval 10
OSPF: Options 0x2 (*|-|-|-|-|-|E|-)
OSPF: RtrPriority 1
OSPF: RtrDeadInterval 40
OSPF: DRouter 192.168.182.106
OSPF: BDRouter 192.168.182.58
OSPF: # Neighbors 2
OSPF: Neighbor 192.168.182.58
OSPF: Neighbor 192.168.182.110
OSPF: -----------------------------------------------------
OSPF: NFSM[external:192.168.182.58-192.168.182.106]: Full (HelloReceived)
OSPF: NFSM[external:192.168.182.58-192.168.182.106]: nfsm_ignore called
OSPF: NFSM[external:192.168.182.58-192.168.182.106]: Full (2-WayReceived)
OSPF: LSA[MaxAge]: Maxage walker finished (0.000074 sec)
OSPF: IFSM[internal:10.161.0.58]: Hello timer expire
OSPF: SEND[Hello]: To 224.0.0.5 via internal:10.161.0.58, length 44
OSPF: -----------------------------------------------------
OSPF: Header
OSPF: Version 2
OSPF: Type 1 (Hello)
OSPF: Packet Len 44
OSPF: Router ID 192.168.182.58
OSPF: Area ID 0.0.0.0
OSPF: Checksum 0x7be0
OSPF: AuType 0
OSPF: Hello
OSPF: NetworkMask 255.255.254.0
OSPF: HelloInterval 10
OSPF: Options 0x2 (*|-|-|-|-|-|E|-)
OSPF: RtrPriority 1
OSPF: RtrDeadInterval 40
OSPF: DRouter 10.161.0.58
OSPF: BDRouter 0.0.0.0
OSPF: # Neighbors 0