In an access-list rule, along with the prefix or wildcard, there is an option to enable or disable 'exact-match'. The default value for 'exact-match' is disable.
This option controls which routes the BGP daemon learns from or advertises to its BGP neighbors when the access-list is applied through a route-map.
Here is an example:
FortiGate is connected to six networks: n/w1 10.10.3.0/26, n/w2 10.10.3.96/29, n/w3 10.10.3.192/27, n/w4 10.10.3.240/28, n/w5 172.16.0.0/16 and n/w6 192.168.181.0/24.
Fortinet # get router info routing-table database
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       V - BGP VPNv4
       > - selected route, * - FIB route, p - stale info

Routing table for VRF=0
C    *> 1.1.1.0/30 is directly connected, port1
C    *> 10.10.3.0/26 is directly connected, Loopback3
C    *> 10.10.3.96/29 is directly connected, Loopback6
C    *> 10.10.3.192/27 is directly connected, Loopback4
C    *> 10.10.3.240/28 is directly connected, Loopback5
C    *> 172.16.0.0/16 is directly connected, port3
C    *> 192.168.181.0/24 is directly connected, port2
config router bgp
    set as 65412
    config neighbor
        edit "1.1.1.1"
            set soft-reconfiguration enable
            set remote-as 65412
            set route-map-out "1"
        next
    end
    config redistribute "connected"
        set status enable
    end
end

config router route-map
    edit "1"
        config rule
            edit 1
                set action deny
                set match-ip-address "Block"
                unset set-ip-prefsrc
            next
            edit 2
                set match-ip-address "Allow_rest"
                unset set-ip-prefsrc
            next
        end
    next
end
Scenario 1:
config router access-list
    edit "Block"
        config rule
            edit 1
                set prefix 10.10.3.0 255.255.255.192
            next
        end
    next
    edit "Allow_rest"
        config rule
            edit 1
                set prefix any
                set exact-match enable
            next
        end
    next
end
In the above configuration, the access-list 'Block' is defined for 10.10.3.0/26 with 'exact-match' left at its default (disable). This blocks only n/w1, 10.10.3.0/26, from being advertised, as the advertised-routes output below shows.
Fortinet # get router info bgp neighbors 1.1.1.1 advertised-routes
VRF 0 BGP table version is 7, local router ID is 10.10.6.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network            Next Hop    Metric LocPrf Weight RouteTag Path
*>i1.1.1.0/30         1.1.1.2            100    32768  0        ? <-/->
*>i10.10.3.96/29      1.1.1.2            100    32768  0        ? <-/->
*>i10.10.3.192/27     1.1.1.2            100    32768  0        ? <-/->
*>i10.10.3.240/28     1.1.1.2            100    32768  0        ? <-/->
*>i172.16.0.0         1.1.1.2            100    32768  0        ? <-/->
*>i192.168.181.0      1.1.1.2            100    32768  0        ? <-/->
Scenario 2:
However, if the prefix is defined as 10.10.3.0/25 (10.10.3.0 255.255.255.128), the rule matches both 10.10.3.0/26 and 10.10.3.96/29, because both subnets fall under 10.10.3.0/25. Neither of these routes is advertised.
config router access-list
    edit "Allow_rest"
        config rule
            edit 1
                set prefix any
                set exact-match enable
            next
        end
    next
    edit "Block"
        config rule
            edit 1
                set prefix 10.10.3.0 255.255.255.128
            next
        end
    next
end

Routing table for VRF=0
C    *> 1.1.1.0/30 is directly connected, port1
C    *> 10.10.3.0/26 is directly connected, Loopback3      <<<<<<< matched by 10.10.3.0/25
C    *> 10.10.3.96/29 is directly connected, Loopback6     <<<<<<< matched by 10.10.3.0/25
C    *> 10.10.3.192/27 is directly connected, Loopback4
C    *> 10.10.3.240/28 is directly connected, Loopback5
C    *> 172.16.0.0/16 is directly connected, port3
C    *> 192.168.181.0/24 is directly connected, port2

Fortinet # get router info bgp neighbors 1.1.1.1 advertised-routes
VRF 0 BGP table version is 7, local router ID is 10.10.6.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network            Next Hop    Metric LocPrf Weight RouteTag Path
*>i1.1.1.0/30         1.1.1.2            100    32768  0        ? <-/->
*>i10.10.3.192/27     1.1.1.2            100    32768  0        ? <-/->
*>i10.10.3.240/28     1.1.1.2            100    32768  0        ? <-/->
*>i172.16.0.0         1.1.1.2            100    32768  0        ? <-/->
*>i192.168.181.0      1.1.1.2            100    32768  0        ? <-/->

Total number of prefixes 5
Scenario 3:
If 'exact-match' is enabled, the BGP daemon looks for a route whose network ID and subnet mask both match the access-list prefix exactly, and only that route is excluded from advertising. If no such route exists, nothing is blocked.
config router access-list
    edit "Allow_rest"
        config rule
            edit 1
                set prefix any
                set exact-match enable
            next
        end
    next
    edit "Block"
        config rule
            edit 1
                set prefix 10.10.3.0 255.255.255.128
                set exact-match enable
            next
        end
    next
end
Routing table for VRF=0                                    <<<<<<< no exact route available for 10.10.3.0/25
C    *> 1.1.1.0/30 is directly connected, port1
C    *> 10.10.3.0/26 is directly connected, Loopback3
C    *> 10.10.3.96/29 is directly connected, Loopback6
C    *> 10.10.3.192/27 is directly connected, Loopback4
C    *> 10.10.3.240/28 is directly connected, Loopback5
C    *> 172.16.0.0/16 is directly connected, port3
C    *> 192.168.181.0/24 is directly connected, port2
All the connected routes are advertised to BGP neighbors.
Fortinet # get router info bgp neighbors 1.1.1.1 advertised-routes
VRF 0 BGP table version is 7, local router ID is 10.10.6.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network            Next Hop    Metric LocPrf Weight RouteTag Path
*>i1.1.1.0/30         1.1.1.2            100    32768  0        ? <-/->
*>i10.10.3.0/26       1.1.1.2            100    32768  0        ? <-/->
*>i10.10.3.96/29      1.1.1.2            100    32768  0        ? <-/->
*>i10.10.3.192/27     1.1.1.2            100    32768  0        ? <-/->
*>i10.10.3.240/28     1.1.1.2            100    32768  0        ? <-/->
*>i172.16.0.0         1.1.1.2            100    32768  0        ? <-/->
*>i192.168.181.0      1.1.1.2            100    32768  0        ? <-/->
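The three scenarios above differ only in the 'Block' access-list prefix and its 'exact-match' setting. The following Python model is an added example, not FortiGate code and not part of the original article: it replays the article's route-map '1' (rule 1 denies 'Block', rule 2 permits 'Allow_rest') against the seven connected routes from the routing table and reports which routes would be advertised. The matching semantics are taken from the scenarios on this page: with 'exact-match' disabled a rule covers its prefix and every more-specific subnet inside it (scenario 2, where a /25 rule catches the /26 and the /29), and with 'exact-match' enabled the network ID and mask must be identical (scenario 3). The implicit-deny behaviour for a route that hits no access-list or route-map rule is an assumption of the model, as are the class and function names.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Connected routes copied from the article's routing table (constructed input).
CONNECTED_ROUTES = [
    "1.1.1.0/30", "10.10.3.0/26", "10.10.3.96/29", "10.10.3.192/27",
    "10.10.3.240/28", "172.16.0.0/16", "192.168.181.0/24",
]


@dataclass(frozen=True)
class AclRule:
    """Model of one 'config rule' entry in 'config router access-list' (hypothetical class)."""
    prefix: str                 # "any" or "<network> <netmask>" as typed in the CLI
    exact_match: bool = False   # the CLI default for 'exact-match' is disable
    action: str = "permit"      # the CLI default action for an access-list rule

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        if self.prefix == "any":
            return True
        network, netmask = self.prefix.split()
        rule_net = ipaddress.ip_network(f"{network}/{netmask}")
        if self.exact_match:
            # exact-match enable: network ID and subnet mask must both be identical
            return route == rule_net
        # exact-match disable: the prefix itself and every more-specific subnet inside it
        return route.subnet_of(rule_net)


def acl_matches(rules: List[AclRule], route: ipaddress.IPv4Network) -> bool:
    """An access-list matches a route when the first rule covering it is a permit rule.
    A route that hits no rule is treated as not matched (assumed implicit deny)."""
    for rule in rules:
        if rule.matches(route):
            return rule.action == "permit"
    return False


def advertised_routes(route_map: List[Tuple[str, List[AclRule]]],
                      routes: List[str]) -> List[str]:
    """Apply an ordered route-map (action, access-list) as route-map-out.
    The first route-map rule whose access-list matches decides the route's fate;
    a route matched by no rule is not advertised (assumed implicit deny)."""
    advertised = []
    for text in routes:
        route = ipaddress.ip_network(text)
        for action, acl in route_map:
            if acl_matches(acl, route):
                if action == "permit":
                    advertised.append(text)
                break
    return advertised


def scenario(block_prefix: str, exact_match: bool) -> List[str]:
    """Rebuild the article's route-map '1' with the given 'Block' rule and return
    the connected routes that would be advertised to neighbor 1.1.1.1."""
    block = [AclRule(block_prefix, exact_match=exact_match)]
    allow_rest = [AclRule("any", exact_match=True)]
    route_map = [("deny", block), ("permit", allow_rest)]
    return advertised_routes(route_map, CONNECTED_ROUTES)


if __name__ == "__main__":
    for label, prefix, exact in [
        ("Scenario 1", "10.10.3.0 255.255.255.192", False),
        ("Scenario 2", "10.10.3.0 255.255.255.128", False),
        ("Scenario 3", "10.10.3.0 255.255.255.128", True),
    ]:
        print(label, "advertised:", scenario(prefix, exact))
```

Running the script prints six routes for scenario 1 (only 10.10.3.0/26 withheld), five for scenario 2 (10.10.3.0/26 and 10.10.3.96/29 withheld) and all seven for scenario 3, matching the advertised-routes outputs above. The practical check this gives an operator is to test a planned 'Block' prefix against the routing table before committing it, since a summary prefix without 'exact-match' silently withholds every more-specific route beneath it.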