Description
This article describes an example of how to prevent a subnet from being injected into the routing table.
Note that this does not filter OSPF LS updates and has no impact on the LSDB or on LSA redistribution: the filter acts only on the routing table.
Refer to the related articles for more information and examples.
Scope
FortiGate or VDOM operating in NAT mode.
Solution
Step 1: Configure the prefix-list:
config router prefix-list
    edit "drop_10.162.106"
        config rule
            edit 1
                set action deny
                set prefix 10.162.106.0 255.255.255.0
                unset ge
                unset le
            next
            edit 2
                set prefix any (#1)
                unset ge
                unset le
            next
        end
    next
end
Step 2: Configure OSPF to apply the prefix-list as an inbound distribute list:
config router ospf
    config area
        edit 0.0.0.0
        next
    end
    set distribute-list-in "drop_10.162.106"
end
Notes on the prefix-list logic:
- Rules are parsed from top to bottom.
- The prefix-list follows a 'stop on match' logic: once a rule has matched (the match being defined by prefix/ge/le), its action is applied and no further rules are inspected.
- There is an implicit block rule at the end of the rules list.
- Keywords 'ge' and 'le' may be used to define a range of prefix lengths using the prefix as a border (ge = greater than or equal to, le = less than or equal to).
- The keyword 'any' as prefix (#1) can be used as a 'match all' filter.
Before the configuration:
C 10.126.0.0/24 is directly connected, wan2
O E2 10.162.102.0/24 [110/10] via 10.126.0.69, wan2, 00:31:04
O E2 10.162.103.0/24 [110/10] via 10.126.0.69, wan2, 00:31:04
O E2 10.162.104.0/24 [110/10] via 10.126.0.69, wan2, 00:31:04
O E2 10.162.105.0/24 [110/10] via 10.126.0.69, wan2, 00:31:04
O E2 10.162.106.0/24 [110/10] via 10.126.0.69, wan2, 00:31:04
After the configuration:
C 10.126.0.0/24 is directly connected, wan2
O E2 10.162.102.0/24 [110/10] via 10.126.0.69, wan2, 00:31:04
O E2 10.162.103.0/24 [110/10] via 10.126.0.69, wan2, 00:31:04
O E2 10.162.104.0/24 [110/10] via 10.126.0.69, wan2, 00:31:04
O E2 10.162.105.0/24 [110/10] via 10.126.0.69, wan2, 00:31:04
Extract from the LSDB, showing that there is no impact on the LSDB (the 10.162.106.0/24 LSA is still present):
10.162.102.0 0.0.0.69 642 0x80000336 0xc84a E2 10.162.102.0/24 0
10.162.103.0 0.0.0.69 1372 0x800003e4 0x6003 E2 10.162.103.0/24 0
10.162.104.0 0.0.0.69 1412 0x800003e3 0x570c E2 10.162.104.0/24 0
10.162.105.0 0.0.0.69 1332 0x80000336 0xa768 E2 10.162.105.0/24 0
10.162.106.0 0.0.0.69 862 0x80000335 0x9e71 E2 10.162.106.0/24 0
Example 2: allow subnets 10.0.0.0/8, 172.0.0.0/8 and 192.168.0.0/16 and drop the others.
Step 1: Configure the prefix-list:
config router prefix-list
    edit "AllowCertain"
        config rule
            edit 1
                set prefix 10.0.0.0 254.0.0.0
                set ge 8
                unset le
            next
            edit 2
                set prefix 172.0.0.0 254.0.0.0
                set ge 8
                unset le
            next
            edit 3
                set prefix 192.168.0.0 255.254.0.0
                set ge 16
                unset le
            next
            edit 4
                set action deny
                set prefix any
                unset ge
                unset le
            next
        end
    next
end
Step 2: Apply the prefix-list as an inbound distribute list:
config router ospf
    set distribute-list-in "AllowCertain"
end
Result:
Before:
get router info routing-table ospf
Routing table for VRF=0
O E2 10.0.0.0/8 [110/10] via 10.200.1.254, port1, 00:00:58
O E2 10.0.0.0/9 [110/10] via 10.200.1.254, port1, 00:07:28
O 10.0.1.0/24 [110/101] via 192.168.1.10, ToVDOM11, 00:07:28
O IA 10.0.2.0/24 [110/102] via 10.200.1.2, port1, 00:07:28
O E2 13.20.0.0/16 [110/10] via 10.200.1.254, port1, 00:07:28
O E2 20.200.10.0/26 [110/10] via 10.200.1.254, port1, 00:07:28
O E2 30.0.0.0/24 [110/10] via 10.200.1.254, port1, 00:07:28
O E2 30.0.0.0/26 [110/10] via 10.200.1.254, port1, 00:07:28
O E2 42.15.0.0/16 [110/10] via 10.200.1.254, port1, 00:07:28
O E2 52.60.1.0/32 [110/10] via 10.200.1.254, port1, 00:07:28
O E2 172.0.0.0/8 [110/10] via 10.200.1.254, port1, 00:07:28
O 172.16.10.3/32 [110/200] via 192.168.1.2, Front0, 00:07:28
O IA 172.16.20.1/32 [110/201] via 10.200.1.2, port1, 00:07:28
O IA 172.16.20.2/32 [110/101] via 10.200.1.2, port1, 00:07:28
O IA 172.16.20.3/32 [110/201] via 10.200.1.2, port1, 00:07:28
O 172.16.20.254/32 [110/101] via 10.200.1.254, port1, 00:07:28
O E2 192.168.0.0/16 [110/10] via 10.200.1.254, port1, 00:07:28
O 192.168.1.16/30 [110/200] via 192.168.1.2, Front0, 00:07:28
                  [110/200] via 192.168.1.10, ToVDOM11, 00:07:28
O IA 192.168.2.0/30 [110/101] via 10.200.1.2, port1, 00:07:28
O IA 192.168.2.8/30 [110/101] via 10.200.1.2, port1, 00:07:28
O IA 192.168.2.16/30 [110/201] via 10.200.1.2, port1, 00:07:28
After:
get router info routing-table ospf
Routing table for VRF=0
O E2 10.0.0.0/8 [110/10] via 10.200.1.254, port1, 00:00:02
O E2 10.0.0.0/9 [110/10] via 10.200.1.254, port1, 00:00:02
O 10.0.1.0/24 [110/101] via 192.168.1.10, ToVDOM11, 00:00:02
O IA 10.0.2.0/24 [110/102] via 10.200.1.2, port1, 00:00:02
O E2 172.0.0.0/8 [110/10] via 10.200.1.254, port1, 00:00:02
O 172.16.10.3/32 [110/200] via 192.168.1.2, Front0, 00:00:02
O IA 172.16.20.1/32 [110/201] via 10.200.1.2, port1, 00:00:02
O IA 172.16.20.2/32 [110/101] via 10.200.1.2, port1, 00:00:02
O IA 172.16.20.3/32 [110/201] via 10.200.1.2, port1, 00:00:02
O 172.16.20.254/32 [110/101] via 10.200.1.254, port1, 00:00:02
O E2 192.168.0.0/16 [110/10] via 10.200.1.254, port1, 00:00:02
O 192.168.1.16/30 [110/200] via 192.168.1.2, Front0, 00:00:02
                  [110/200] via 192.168.1.10, ToVDOM11, 00:00:02
O IA 192.168.2.0/30 [110/101] via 10.200.1.2, port1, 00:00:02
O IA 192.168.2.8/30 [110/101] via 10.200.1.2, port1, 00:00:02
O IA 192.168.2.16/30 [110/201] via 10.200.1.2, port1, 00:00:02
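The following Python model is added here as an illustration and is not taken from the article or from FortiOS: it implements the prefix-list logic described in the notes above (top-to-bottom evaluation, stop on match, ge/le length bounds, implicit deny) and runs both the drop_10.162.106 list and the AllowCertain list against prefixes taken from the outputs shown, so a list can be checked before it is applied with distribute-list-in. It assumes the standard prefix-list convention that a rule without ge/le matches only the exact prefix length and that ge alone extends the upper bound to /32.

```python
import ipaddress

# Prefix-list rules as dicts: "prefix" is "network/mask" or "any";
# "action" defaults to permit; "ge"/"le" are optional length bounds.
# Both lists below are transcribed from the article's configuration.
DROP_10_162_106 = [
    {"action": "deny", "prefix": "10.162.106.0/255.255.255.0"},
    {"prefix": "any"},                                  # match all, permit
]
ALLOW_CERTAIN = [
    {"prefix": "10.0.0.0/254.0.0.0", "ge": 8},          # 254.0.0.0 is /7: 10/8 and 11/8
    {"prefix": "172.0.0.0/254.0.0.0", "ge": 8},         # /7: 172/8 and 173/8
    {"prefix": "192.168.0.0/255.254.0.0", "ge": 16},    # /15: 192.168/16 and 192.169/16
    {"action": "deny", "prefix": "any"},
]


def rule_matches(route, rule):
    """True if the route lies inside the rule prefix with an acceptable length."""
    if rule["prefix"] == "any":
        return True
    base = ipaddress.ip_network(rule["prefix"], strict=False)
    if not route.subnet_of(base):
        return False
    # Assumption: standard semantics. No ge/le -> exact length only;
    # ge only -> ge..32; le only -> prefix length..le; both -> ge..le.
    ge = rule.get("ge", base.prefixlen)
    le = rule.get("le", base.max_prefixlen if "ge" in rule else base.prefixlen)
    return ge <= route.prefixlen <= le


def evaluate(prefix_list, route_str):
    """Return (action, rule_number); rule_number is None for the implicit deny."""
    route = ipaddress.ip_network(route_str, strict=False)
    for number, rule in enumerate(prefix_list, start=1):
        if rule_matches(route, rule):                   # stop on first match
            return rule.get("action", "permit"), number
    return "deny", None                                 # implicit block at end of list


def filter_routes(prefix_list, routes):
    """Prefixes that distribute-list-in would keep in the routing table."""
    return [r for r in routes if evaluate(prefix_list, r)[0] == "permit"]


if __name__ == "__main__":
    # Constructed sample: some OSPF prefixes from the article's 'Before' output.
    learned = ["10.0.0.0/8", "10.0.0.0/9", "10.0.1.0/24", "13.20.0.0/16",
               "52.60.1.0/32", "172.16.20.1/32", "192.168.2.16/30"]
    for r in learned:
        print(r, evaluate(ALLOW_CERTAIN, r))
    print(filter_routes(DROP_10_162_106, ["10.162.105.0/24", "10.162.106.0/24"]))
```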