Skip to main content
boneyard
boneyard
Valued Contributor
June 13, 2022
Solved

routing prefix-list to deny all

  • June 13, 2022
  • 4 replies
  • 10512 views

to perform some tests safely on a FortiGate (FortiOS 6.4) doing BGP i was trying to setup a prefix-list that denies all prefixes and apply that the BGP neighbour section via set prefix-list-in / set prefix-list-out.

 

as a prefix-list contains a implicit deny at the end i was expecting an "empty" one would be enough.

 

config router prefix-list
  edit "deny-all"

    set comments "deny all prefixes"
  next
end

 

but this doesn't deny anything until i add a rule for dummy prefix with the deny action. then it behaves like i wanted to.

 

anyone that knows / can confirm a rule for a dummy prefix with deny action is required here?

Best answer by Toshi_Esumi

I don't think "implicit deny" is a correct term to describe prefix-list's default behavior. It implicitly doesn't match anything unless you explicitly specify. Implicit deny is regularly used to describe the behavior of route-maps. Was there in any documentation you've read?

 

You just need to test it to verify the default behavior, which you already found out a half of it yourself.

 

<edit>

The test result you've got is because if you create a prefix-list it's "permit" by default as in my example. That's why the specific prefix was allowed but anything else was denied.

</edit>

 

Toshi

4 replies

Toshi_Esumi
SuperUser
Toshi_Esumi
SuperUser
June 13, 2022

You have to match all fixes by "set prefix any" otherwise it does capture anything to "deny".

Below is ours matching everything but "permit" them. This one is used for our case to deny everything with a route-map referring this prefix-list. In your case you need "set action deny" instead.

 

config router prefix-list

  edit "ALL-Routes"
    config rule
      edit 1
        set prefix any
        unset ge
        unset le
      next
    end
  next
end

 

Toshi

boneyard
boneyardAuthor
Valued Contributor
June 13, 2022

thanks Toshi, but isn't there a implicit deny for prefix any at the end of the prefix-list?

 

when i add some entry (say for 1.2.3.4 255.255.255.255) it will deny everything else, so then the implicit deny acts right? but without any rules it doesn't filter, although the implicit deny should be there then right?

Toshi_Esumi
SuperUser
Toshi_EsumiAnswer
SuperUser
June 13, 2022

I don't think "implicit deny" is a correct term to describe prefix-list's default behavior. It implicitly doesn't match anything unless you explicitly specify. Implicit deny is regularly used to describe the behavior of route-maps. Was there in any documentation you've read?

 

You just need to test it to verify the default behavior, which you already found out a half of it yourself.

 

<edit>

The test result you've got is because if you create a prefix-list it's "permit" by default as in my example. That's why the specific prefix was allowed but anything else was denied.

</edit>

 

Toshi

boneyard
boneyardAuthor
Valued Contributor
June 17, 2022

>> I don't think "implicit deny" is a correct term to describe prefix-list's default behavior.

 

yeah, that seems to be the case. i think i read this somewhere but dont have a source currently, perhaps it is the mix up with route map.

 

i was looking for some confirmation and got that now, thank you.

gdtoro
gdtoro
New Member
August 25, 2023

• If the prefix list is empty, all prefixes are permitted.

Terms & ConditionsAccessibility statement