I have addressed all of the interfaces of my Fortigate (FGT) with subnets of network 65.65.65.0/24. Additionally, I have some virtual IPs (VIPs) defined that map addresses from 65.65.64.0/24 to corresponding addresses in 65.65.65.0/24. For example:
65.65.64.1 -> 65.65.65.1
This is not a garden-variety configuration, mapping one public subnet to another. The reasons are complex, involving BGP, portable subnets, multiple data centers. The bottom line, I need the FGT to NAT this traffic.
My initial solution to this problem was static routes. However, this becomes difficult to maintain as the network grows in complexity (we're definitely into that territory). What I want to do is advertise a subnet of 65.65.64.0/24 via OSPF. In the Fortigate, it's not as easy as saying "inject this subnet into OSPF." My solution, create a loopback interface on the FGT, and redistribute the connected subnet into OSPF.
- Create a Loopback network interface, with an address in the subnet you want to advertise. It doesn't seem to make a difference what address you use.
edit "port-loopback"set vdom "root"set ip 65.65.64.1 255.255.255.192set type loopbackset description "Loopback interface used to provide route for portable addresses."set snmp-index 28next
- Create a prefix-list entry that identifies the loopback subnet.
edit "connected-to-ospf-v4"set comments "Define connected routes to export to OSPF"config ruleedit 10set prefix 65.65.64.0 255.255.255.192unset geunset lenext
- Create a route-map that uses the prefix list.
edit "rm-connected-to-ospf"set comments "Defines IPv4 connected routes to redistribute to OSPF"config ruleedit 10set match-ip-address "connected-to-ospf-v4"nextendnext
- Configure OSPF to redistribute connected networks.
config redistribute "connected"set status enableset routemap "rm-connected-to-ospf"end
No comments:
Post a Comment