Hi All,
I'm having a bit of an issue understanding the Forti route-maps and prefix lists. Whilst I concur there are many examples and documentation, there's no real clear explanation of what it all does and how it works... Sorry if I am missing this after my 20+ years in the networking field, maybe I'm just getting too old.
In any case, given the below:
config router prefix-list
    edit "RFC1918"
        set comments "Matches RFC1918 Addresses"
        config rule
            edit 1
                set prefix 10.0.0.0 255.0.0.0
                unset ge
                unset le
            next
            edit 2
                set prefix 172.16.0.0 255.240.0.0
                unset ge
                unset le
            next
            edit 3
                set prefix 192.168.0.0 255.255.0.0
                unset ge
                unset le
            next
        end
    next
end

config router route-map
    edit "RFC1918"
        set comments "Permit only RFC1918 via OSPF"
        config rule
            edit 1
                set match-ip-address "RFC1918"
            next
            edit 2
                set action deny
            next
        end
    next
end

config router ospf
    set router-id 192.168.0.10
    config area
        edit 192.168.1.8
        next
    end
    config ospf-interface
        edit "internal7"
            set interface "internal7"
            set dead-interval 40
            set hello-interval 10
        next
    end
    config network
        edit 1
            set prefix 192.168.1.8 255.255.255.252
            set area 192.168.1.8
        next
    end
    config redistribute "connected"
        set routemap "RFC1918"
    end
    config redistribute "static"
        set routemap "RFC1918"
    end
end
What will the FortiGates do with classful routes inside 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16?
Essentially I want to distribute ALL RFC1918 routes, but drop anything from being advertised that is NOT within the RFC1918 address space.
10.1.0.0/25 should pass.
1.1.1.1/23 should drop.
Is my configuration adequate?
Just like any other routers ex. Cisco, if you do:
ip prefix-list 10slash8 seq 10 permit 10.0.0.0/8
it would match only 10/8 exactly. If you want to match anything in 10/8, you need to do:
ip prefix-list 10slash8 seq 10 permit 10.0.0.0/8 ge 8
FortiGate isn't different:
edit 1
    set prefix 10.0.0.0 255.0.0.0
    set ge 8
    unset le
next
Agreed, so in your example they will match only those exact prefixes; you need to use "le" and/or "ge" and the route map will honor that.
Ken Felix
PCNSE
NSE
StrongSwan
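To make the matching behaviour from the answer concrete, here is a small Python model of prefix-list and route-map evaluation, added as an example (it is not FortiOS code, nor the poster's or Ken's). It assumes the usual FortiGate/Cisco semantics: an entry with neither ge nor le matches only the exact prefix length, "ge N" alone means N up to 32, the first matching entry decides, and a route-map rule with no match clause matches everything.

```python
import ipaddress

MAX_LEN = 32  # IPv4 prefix lengths run 0..32

def entry_matches(entry, route):
    """Constructed model of one prefix-list entry (FortiGate/Cisco style)."""
    net = ipaddress.ip_network(entry["prefix"], strict=False)
    route = ipaddress.ip_network(route, strict=False)
    if not route.subnet_of(net):      # route must fall inside the entry's prefix
        return False
    ge, le = entry.get("ge"), entry.get("le")
    lo = ge if ge is not None else net.prefixlen
    if le is not None:
        hi = le
    elif ge is not None:
        hi = MAX_LEN                  # "ge 8" alone means lengths 8 up to 32
    else:
        hi = net.prefixlen            # neither set: the exact prefix only
    return lo <= route.prefixlen <= hi

def prefix_list_permits(entries, route):
    # First matching entry decides; a route matching no entry is denied.
    for e in entries:
        if entry_matches(e, route):
            return e.get("action", "permit") == "permit"
    return False

def route_map_permits(rules, prefix_lists, route):
    # Rules are tried in order; the first rule whose match clause succeeds
    # decides. A rule with no match clause (rule 2 above) matches every route.
    for r in rules:
        pl = r.get("match_ip_address")
        if pl is None or prefix_list_permits(prefix_lists[pl], route):
            return r.get("action", "permit") == "permit"
    return False                      # implicit deny at the end of the route-map

# The poster's list as configured (ge/le unset) and the corrected version
# from the answer, where ge equals each entry's own prefix length.
RFC1918_EXACT = [{"prefix": "10.0.0.0/8"}, {"prefix": "172.16.0.0/12"},
                 {"prefix": "192.168.0.0/16"}]
RFC1918_GE = [{"prefix": "10.0.0.0/8", "ge": 8}, {"prefix": "172.16.0.0/12", "ge": 12},
              {"prefix": "192.168.0.0/16", "ge": 16}]
ROUTE_MAP = [{"action": "permit", "match_ip_address": "RFC1918"}, {"action": "deny"}]

def redistributed(route, entries):
    """True if the route-map would let this route be redistributed into OSPF."""
    return route_map_permits(ROUTE_MAP, {"RFC1918": entries}, route)
```

Calling `redistributed("10.1.0.0/25", RFC1918_EXACT)` returns False, which is the poster's problem; with `RFC1918_GE` it returns True, while `1.1.1.1/23` is denied by rule 2 in both cases.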
Copyright 2024 Fortinet, Inc. All Rights Reserved.