This article describes how to combine 'ge' (greater than or equal to) and 'le' (less than or equal to) in a single prefix-list rule or route-map, with a worked example of its use.
FortiGate prefix-list in 7.0.3.
In this example, two FortiGate firewalls are connected to each other via BGP.
FGT-2 is advertising to FGT-1 routes:
10.10.1.0/24
10.10.1.0/25
10.10.1.0/26
10.10.1.0/27
10.10.1.0/28
FGT-1 currently has no prefix-list, so it installs all of those subnets in its routing table.
To install only specific routes from a given subnet range, for example if FGT-1 should accept only:
10.10.1.0/25
10.10.1.0/26
10.10.1.0/27
and deny 10.10.1.0/24 and 10.10.1.0/28, a prefix-list or route-map comes into play.
Configuration of FGT-1 without filtering those routes:
=======================================================================
FGT-1 # show router bgp
config router bgp
    set as 6501
    set router-id 1.1.1.1
    config neighbor
        edit "172.18.18.3" <----- FGT-2 peer IP address.
            set ebgp-enforce-multihop enable
            set soft-reconfiguration enable
            set remote-as 6500
        next
    end
BGP route table looks like this:
==================================================================
FGT-1 # get router info bgp network
VRF 0 BGP table version is 3, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight RouteTag Path
*> 10.10.1.0/24 172.18.18.3 0 0 0 6500 ? <-/1>
*> 10.10.1.0/25 172.18.18.3 0 0 0 6500 ? <-/1>
*> 10.10.1.0/26 172.18.18.3 0 0 0 6500 ? <-/1>
*> 10.10.1.0/27 172.18.18.3 0 0 0 6500 ? <-/1>
*> 10.10.1.0/28 172.18.18.3 0 0 0 6500 ? <-/1>
Now configure a prefix-list to filter inbound routes to FGT-1 as below:
================================================================
# config router prefix-list
    edit "route-in"
        config rule
            edit 1
                set prefix 10.10.1.0 255.255.255.0
                set ge 25 -- match prefixes whose mask length is greater than or equal to 25, so /25, /26, /27, /28
                set le 27 -- match prefixes whose mask length is less than or equal to 27, so /24, /25, /26, /27
            next
        end
    next
end
Combining 'ge' and 'le' in the same rule permits only 10.10.1.0/25, 10.10.1.0/26 and 10.10.1.0/27, because their mask lengths are longer than /24 and shorter than /28, so they fall inside the ge 25 / le 27 window:
24 < 25, 26, 27 < 28
Everything else, including 10.10.1.0/24, 10.10.1.0/28 and any prefix outside 10.10.1.0/24, hits the implicit deny at the end of the prefix-list.
Now add the prefix-list in neighbor configuration in FGT-1 to filter inbound routes from FGT-2 as below:
=======================================================================
FGT-1 # show router bgp
config router bgp
    set as 6501
    set router-id 1.1.1.1
    config neighbor
        edit "172.18.18.3"
            set ebgp-enforce-multihop enable
            set soft-reconfiguration enable
            set prefix-list-in "route-in" --- adding the prefix-list
            set remote-as 6500
        next
    end
=======================================================================
After adding the prefix-list as a filter the routing table looks like this:
FGT-1 # get router info bgp network
VRF 0 BGP table version is 2, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight RouteTag Path
*> 10.10.1.0/25 172.18.18.3 0 0 0 6500 ? <-/1>
*> 10.10.1.0/26 172.18.18.3 0 0 0 6500 ? <-/1>
*> 10.10.1.0/27 172.18.18.3 0 0 0 6500 ? <-/1>
So subnets 10.10.1.0/24 and 10.10.1.0/28 are not accepted by FGT-1 and are not installed in the routing table.
The same outcome can be achieved with the inverse logic: deny the prefixes 10.10.1.0/24 and 10.10.1.0/28 explicitly and allow everything else:
config router prefix-list
    edit "route-in"
        config rule
            edit 1
                set action deny
                set prefix 10.10.1.0 255.255.255.0
                unset ge
                unset le
            next
            edit 2
                set action deny
                set prefix 10.10.1.0 255.255.255.240
                unset ge
                unset le
            next
            edit 3
                set prefix 0.0.0.0 0.0.0.0
                unset ge
                set le 32
            next
        end
    next
end
The prefix 0.0.0.0/0 le 32 matches every route whose mask length is less than or equal to 32, that is, every possible prefix. With 'ge' and 'le' unset, rules 1 and 2 match only the exact /24 and /28 lengths. Note that rule 3 also accepts any other prefix FGT-2 advertises, whereas the ge/le version accepts nothing outside 10.10.1.0/24, so choose the form that matches the intended policy.
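To make the matching rules concrete, here is an added Python model of how a prefix-list evaluates a route; it is illustrative code, not FortiOS's implementation, and it assumes the standard semantics (route covered by the rule's prefix, mask length inside the ge/le window, first match wins, implicit deny at the end). It runs both the ge 25 / le 27 list and the inverse deny-list against the five advertised routes and shows where the two lists differ for an unrelated prefix.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    prefix: str                 # e.g. "10.10.1.0/24"
    action: str = "permit"
    ge: Optional[int] = None    # minimum mask length, None = unset
    le: Optional[int] = None    # maximum mask length, None = unset

def rule_matches(rule: Rule, route: str) -> bool:
    """Assumed standard semantics: the route must be covered by the rule's prefix and
    its mask length must lie in the ge/le window. Neither set = exact length only;
    ge alone extends to /32; le alone starts at the rule's own length."""
    base = ipaddress.ip_network(rule.prefix, strict=False)
    net = ipaddress.ip_network(route, strict=False)
    if not net.subnet_of(base):
        return False
    lo = rule.ge if rule.ge is not None else base.prefixlen
    if rule.le is not None:
        hi = rule.le
    else:
        hi = base.max_prefixlen if rule.ge is not None else base.prefixlen
    return lo <= net.prefixlen <= hi

def evaluate(rules: list, route: str) -> str:
    """First matching rule wins; an unmatched route hits the implicit deny."""
    for rule in rules:
        if rule_matches(rule, route):
            return rule.action
    return "deny"

def accepted(rules: list, routes: list) -> list:
    return [r for r in routes if evaluate(rules, r) == "permit"]
# The five routes FGT-2 advertises in the article
ADVERTISED = ["10.10.1.0/24", "10.10.1.0/25", "10.10.1.0/26", "10.10.1.0/27", "10.10.1.0/28"]
# "route-in" as first built: one rule, prefix 10.10.1.0/24 ge 25 le 27
GE_LE_LIST = [Rule("10.10.1.0/24", ge=25, le=27)]
# The inverse version: deny /24 and /28 exactly, then permit 0.0.0.0/0 le 32
INVERSE_LIST = [Rule("10.10.1.0/24", action="deny"),
                Rule("10.10.1.0/28", action="deny"),
                Rule("0.0.0.0/0", le=32)]

if __name__ == "__main__":
    print(accepted(GE_LE_LIST, ADVERTISED))    # the three /25-/27 routes
    print(accepted(INVERSE_LIST, ADVERTISED))  # the same three
    # Where the lists differ: a constructed unrelated prefix is dropped by the ge/le
    # list's implicit deny but passes the inverse list's catch-all rule 3
    print(evaluate(GE_LE_LIST, "192.0.2.0/24"), evaluate(INVERSE_LIST, "192.0.2.0/24"))
```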
Copyright 2024 Fortinet, Inc. All Rights Reserved.