Hi there,
I have two FTGs where I wanted to exclude a WAN IP when redistribute connected networks, FGT1 works just fine, FGT2 doesn't:
FGT1:
config router rip
config network
edit 1
set prefix 192.168.100.0 255.255.255.0
next
end
config redistribute "connected"
set status enable
set metric 10
set routemap "RIP"
end
config interface
edit "wan2"
set receive-version 2
set send-version 2
next
end
end
config router route-map
edit "RIP"
config rule
edit 1
set action deny
set match-interface "wan1"
next
edit 2
next
end
next
end
edit "wan1"
set vdom "root"
set mode dhcp
set allowaccess ping fgfm
set type physical
set alias "StarLink"
set lldp-reception enable
set monitor-bandwidth enable
set role wan
set snmp-index 1
next
Whatever I get on wan1 interface is being excluded from RIP.
FGT2:
config router rip
set default-metric 15
config network
edit 1
set prefix 192.168.9.0 255.255.255.0
next
end
config redistribute "connected"
set status enable
set metric 1
set routemap "RIP"
end
config redistribute "static"
set metric 3
end
config interface
edit "LAN"
set receive-version 2
set send-version 2
next
end
end
config router route-map
edit "RIP"
config rule
edit 1
set action deny
set match-interface "UFB"
next
edit 2
next
end
next
end
edit "wan1"
set vdom "root"
set allowaccess ping
set type physical
set alias "MyUFB"
set device-identification enable
set snmp-index 1
next
edit "UFB"
set vdom "root"
set mode pppoe
set allowaccess ping
set role wan
set snmp-index 10
set username "user"
set password ENC password
set interface "wan1"
set vlanid 10
next
So, I tried to include wan1 as a match-interface together with "UFB" interface but still no luck. As of today my only way is to manually add IP addresses to the route-map list but this will stop working next time it renews the pppoe DHCP lease.
Any suggestions would be much appreciated.
Thanks.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello DenJSnz,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hello DenJSnz,
We are still looking an answer for your question.
We will come back to you ASAP.
Thanks,
Hello,
With match interface, as you concluded, it will block any route via that interface.
I can suggest to use prefix-list inside of route-map. As you have DHCP, I am assuming that it should be still IP from some network range. And you can put this network range in prefix list. Or other way around is just manually list subnets that you want to allow and block everything else.
Hi, thanks for the suggestion. I'm not sure if we're on the same page though, I don't think the match-interface is blocking any route... what it does for me it excludes the IP address on the matched interface from the RIP advertisement and that's exactly how I would like this to be. It does work that way on the FGT1 where I have an IP address directly on the wan interface. But it doesn't work on the FGT2 where the IP address is actually on the sub-interface (vlan10) of the wan interface. Thanks.
Hello,
That depends if you have multiple routes via that interface. To be honest, RIP I did not test for the very long time. If the match-interface VLAN does not work, feel free to open TAC ticket, to verify if is not a bug.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1697 | |
1092 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.