oguce
Staff
Description

This article describes how to combine 'ge' (greater than or equal) and 'le' (less than or equal) in one prefix-list and route-map, with an example of its use.

Scope

FortiGate prefix-list, FortiOS 7.0.3.

Solution

In this example, two FortiGate firewalls are connected to each other via BGP.

FGT-2 advertises the following routes to FGT-1:

10.10.1.0/24
10.10.1.0/25
10.10.1.0/26
10.10.1.0/27
10.10.1.0/28

FGT-1 has no prefix-list yet, so it installs all of those subnets in its routing table.

Suppose only some routes from that subnet range should be installed; for example, FGT-1 should accept only:

10.10.1.0/25
10.10.1.0/26
10.10.1.0/27

and deny 10.10.1.0/24 and 10.10.1.0/28.

This is where a prefix-list (or a route-map) comes into play.

Configuration of FGT-1 without filtering those routes:

=======================================================================
FGT-1 # show router bgp
config router bgp
    set as 6501
    set router-id 1.1.1.1
    config neighbor
        edit "172.18.18.3"             <----- FGT-2 peer IP address.
            set ebgp-enforce-multihop enable
            set soft-reconfiguration enable
            set remote-as 6500
        next
    end
end
=======================================================================

The BGP route table looks like this:

==================================================================
FGT-1 # get router info bgp network
VRF 0 BGP table version is 3, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight RouteTag Path
*> 10.10.1.0/24     172.18.18.3              0             0        0 6500 ? <-/1>
*> 10.10.1.0/25     172.18.18.3              0             0        0 6500 ? <-/1>
*> 10.10.1.0/26     172.18.18.3              0             0        0 6500 ? <-/1>
*> 10.10.1.0/27     172.18.18.3              0             0        0 6500 ? <-/1>
*> 10.10.1.0/28     172.18.18.3              0             0        0 6500 ? <-/1>
==================================================================

Now configure a prefix-list on FGT-1 to filter inbound routes, as below:

================================================================
# config router prefix-list
    edit "route-in"
        config rule
            edit 1
                set prefix 10.10.1.0 255.255.255.0
                set ge 25   -- match prefix lengths of 25 or longer, so /25, /26, /27, /28
                set le 27   -- match prefix lengths of 27 or shorter, so /24, /25, /26, /27
            next
        end
    next
end
================================================================


Combining 'ge' and 'le' in one rule allows only 10.10.1.0/25, 10.10.1.0/26 and 10.10.1.0/27 to be installed in the routing table, because only the prefix lengths /25, /26 and /27 satisfy both bounds: longer than /24 and shorter than /28.

24 < 25, 26, 27 < 28
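To make the matching rule explicit, here is an added example (not Fortinet's code) that models one FortiOS prefix-list rule in Python and applies it to the five prefixes from this article. The defaults for an unset 'ge' or 'le' are an assumption modelled on common BGP implementations; treating a missing 'action' as permit is also an assumption.

```python
from ipaddress import ip_network

# Constructed sample: the five prefixes FGT-2 advertises in the article.
ADVERTISED = ["10.10.1.0/24", "10.10.1.0/25", "10.10.1.0/26",
              "10.10.1.0/27", "10.10.1.0/28"]

# Model of the article's rule: prefix 10.10.1.0/24, ge 25, le 27.
ROUTE_IN = [{"prefix": "10.10.1.0/24", "ge": 25, "le": 27, "action": "permit"}]


def rule_matches(route, prefix, ge=None, le=None):
    """Return True if a received route matches one prefix-list rule.

    Assumption: 'ge' and 'le' are inclusive bounds on the prefix length.
    If neither is set the rule matches only the exact base length; if only
    'ge' is set the upper bound is the address family maximum (/32).
    """
    base = ip_network(prefix, strict=False)
    rt = ip_network(route, strict=False)
    # The route must lie inside the base prefix (same leading network bits)...
    if not rt.subnet_of(base):
        return False
    # ...and its prefix length must fall inside [lo, hi].
    lo = ge if ge is not None else base.prefixlen
    if le is not None:
        hi = le
    else:
        hi = base.max_prefixlen if ge is not None else base.prefixlen
    return lo <= rt.prefixlen <= hi


def apply_prefix_list(routes, rules):
    """Apply an ordered prefix-list: first matching rule decides, and a
    route that matches no rule is dropped (implicit deny)."""
    accepted = []
    for route in routes:
        for rule in rules:
            if rule_matches(route, rule["prefix"], rule.get("ge"), rule.get("le")):
                if rule.get("action", "permit") == "permit":
                    accepted.append(route)
                break
    return accepted


if __name__ == "__main__":
    kept = apply_prefix_list(ADVERTISED, ROUTE_IN)
    for route in ADVERTISED:
        print(route, "accepted" if route in kept else "dropped")
```

The same helper shows why inbound filtering matters for route hygiene: anything outside the expected range, such as an unexpectedly specific /28 or an aggregate /24, is rejected before it can displace routes in the table.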

 

Now add the prefix-list to the neighbor configuration on FGT-1 to filter inbound routes from FGT-2, as below:

=======================================================================
FGT-1 # show router bgp
config router bgp
    set as 6501
    set router-id 1.1.1.1
    config neighbor
        edit "172.18.18.3"
            set ebgp-enforce-multihop enable
            set soft-reconfiguration enable
            set prefix-list-in "route-in"     --- adding the prefix-list
            set remote-as 6500
        next
    end
end
=======================================================================

 

After adding the prefix-list as a filter, the routing table looks like this:

=======================================================================
FGT-1 # get router info bgp network
VRF 0 BGP table version is 2, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight RouteTag Path
*> 10.10.1.0/25     172.18.18.3              0             0        0 6500 ? <-/1>
*> 10.10.1.0/26     172.18.18.3              0             0        0 6500 ? <-/1>
*> 10.10.1.0/27     172.18.18.3              0             0        0 6500 ? <-/1>
=======================================================================

So the subnets 10.10.1.0/24 and 10.10.1.0/28 are not accepted by FGT-1 and are not installed in the routing table.
