Technical Tip: Filtering incoming RIP routes using distribute-list
Purpose
In RIP v2 there are several methods to filter routes received from and advertised to other network elements.
This article describes an example of filtering received and advertised routes using distribute-list.
Diagram
FGT-1 and FGT-2 are directly connected as shown below. Both are running RIPv2.

Expectations, Requirements
In this example, FGT-2 only needs to learn 172.16.0.0/16 network through RIP.
Configuration
Initial configuration
FGT-1
FGT-1 # show sys int port10
config system interface
edit "port10"
set vdom "root"
set ip 10.10.10.78 255.255.255.0
set allowaccess ping https ssh snmp http telnet fgfm auto-ipsec radius-acct probe-response capwap
set type physical
set snmp-index 10
next
end
FGT-1 # show router rip
config router rip
config network
edit 1
set prefix 192.168.1.0 255.255.255.0
next
edit 2
set prefix 192.168.2.0 255.255.255.0
next
edit 3
set prefix 192.168.3.0 255.255.255.0
next
edit 4
set prefix 192.168.4.0 255.255.255.0
next
edit 5
set prefix 192.168.5.0 255.255.255.0
next
edit 172
set prefix 172.16.0.0 255.255.0.0
next
edit 10
set prefix 10.0.0.0 255.0.0.0
next
end
end
FGT-2
FGT-2 # show sys int port10
config system interface
edit "port10"
set vdom "root"
set ip 10.10.10.79 255.255.255.0
set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap
set type physical
set snmp-index 10
next
end
FGT-2 # show router rip
config router rip
config network
edit 10
set prefix 10.0.0.0 255.0.0.0
next
end
end
Verification
FGT-2 is receiving RIP updates for all networks as shown below:
FGT-2
FGT-2 # get router info routing-table rip
R 172.16.0.0/16 [120/2] via 10.10.10.78, port10, 11:19:00 ---> This is the required network
R 192.168.1.0/24 [120/2] via 10.10.10.78, port10, 00:00:22
R 192.168.2.0/24 [120/2] via 10.10.10.78, port10, 00:00:22
R 192.168.3.0/24 [120/2] via 10.10.10.78, port10, 00:00:22
R 192.168.4.0/24 [120/2] via 10.10.10.78, port10, 00:00:22
R 192.168.5.0/24 [120/2] via 10.10.10.78, port10, 00:00:22
Use sniffer packet to capture RIP routing updates sent from FGT-1 to FGT-2.
FGT-2
# diagnose sniffer packet port10 'src host 10.10.10.78 and udp and port 520' 6 0 a

Troubleshooting
There are two options to achieve this network requirement, the first one from the FGT-2 perspective and the second one from the FGT-1 perspective.
Option 1: Filter incoming routes in FGT-2
FGT-2
1) Configure an access-list to permit prefix 172.16.0.0/16
config router access-list
edit "RIP_FILTER_IN"
config rule
edit 1
set prefix 172.16.0.0 255.255.0.0
set exact-match enable
next
end
next
end
2) Configure the distribute-list in the inbound direction on interface port10, which is the interface receiving the routes.
config router rip
config distribute-list
edit 1
set status enable
set direction in
set listname "RIP_FILTER_IN"
set interface "port10"
next
end
end
Option 2: Filter outbound routes in FGT-1
1) Configure an access-list to permit prefix 172.16.0.0/16
config router access-list
edit "RIP_FILTER_OUT"
config rule
edit 1
set prefix 172.16.0.0 255.255.0.0
set exact-match enable
next
end
next
end
2) Configure the distribute-list in the outbound direction on interface port10, which is the interface sending the routes.
config router rip
config distribute-list
edit 1
set status enable
set direction out
set listname "RIP_FILTER_OUT"
set interface "port10"
next
end
end
Verification
After the distribute-list has been configured, FGT-2’s routing table must contain only the 172.16.0.0/16 network received from FGT-1.
FGT-2 # get router info routing-table rip
R 172.16.0.0/16 [120/2] via 10.10.10.78, port10, 05:08:08
Routing update after configuration
Packet capture
# diagnose sniffer packet any 'host 224.0.0.9' 6 0 a
# diagnose sniffer packet any 'udp and port 520' 6 0 a
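Added example (not part of the original article and not Fortinet code): a Python check that parses the output of get router info routing-table rip and reports RIP routes that fall outside the expected allow-list, expected routes that are missing, and routes learned from a different neighbor or interface. The two sample tables are the outputs shown in this article; the function names are hypothetical.

```python
import ipaddress
import re

# One RIP entry as printed by "get router info routing-table rip", e.g.
# R 172.16.0.0/16 [120/2] via 10.10.10.78, port10, 05:08:08
RIP_LINE = re.compile(
    r"^R\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+\[\d+/\d+\]"
    r"\s+via\s+(?P<hop>\d+\.\d+\.\d+\.\d+),\s*(?P<iface>[^,\s]+)"
)

def parse_rip_routes(text):
    """Return (network, next_hop, interface) for every RIP line in text."""
    routes = []
    for line in text.splitlines():
        m = RIP_LINE.match(line.strip())
        if m:
            routes.append((ipaddress.ip_network(m["prefix"]),
                           ipaddress.ip_address(m["hop"]), m["iface"]))
    return routes

def audit(text, allowed, neighbor, iface):
    """Compare learned RIP routes with the prefixes the filter should permit."""
    allowed = {ipaddress.ip_network(p) for p in allowed}
    learned = parse_rip_routes(text)
    seen = {net for net, _, _ in learned}
    peer = ipaddress.ip_address(neighbor)
    return {
        "unexpected": sorted(str(n) for n in seen - allowed),
        "missing": sorted(str(n) for n in allowed - seen),
        "wrong_source": sorted(str(n) for n, hop, ifc in learned
                               if hop != peer or ifc != iface),
    }

# Sample outputs taken from the routing tables shown in this article.
BEFORE = """\
R 172.16.0.0/16 [120/2] via 10.10.10.78, port10, 11:19:00
R 192.168.1.0/24 [120/2] via 10.10.10.78, port10, 00:00:22
R 192.168.2.0/24 [120/2] via 10.10.10.78, port10, 00:00:22
R 192.168.3.0/24 [120/2] via 10.10.10.78, port10, 00:00:22
R 192.168.4.0/24 [120/2] via 10.10.10.78, port10, 00:00:22
R 192.168.5.0/24 [120/2] via 10.10.10.78, port10, 00:00:22
"""
AFTER = "R 172.16.0.0/16 [120/2] via 10.10.10.78, port10, 05:08:08\n"

if __name__ == "__main__":
    for name, table in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(table, ["172.16.0.0/16"], "10.10.10.78", "port10"))
```

A non-empty "missing" list after the filter is applied means the access-list prefix does not match the advertised route, so the distribute-list is dropping the required network as well.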
