Hi,
I have a question about Route-Map rule evaluation. The online CLI reference says:
"When more than one match-* rule is defined, all of the defined match-* rules must evaluate to TRUE or the routing information is not changed"
To me this means that, if you have a route-map with 2 match rules, both rules must match in order to change the routing info. But the behavior is not like that: if I set a route-map with 2 rules and 1 of these is not matching, the second rule is still processed.
I need a mechanism to define two rules where, if the first is not matched, the second one is ignored: are route-maps the best way to do this?
Thank you,
Roberto
Hi Roberto
I think you can achieve what you want, but the CLI reference description is not very clear. What it means is that for any single rule that has multiple match statements, there is a logical AND on all the matches. You can have multiple rules on a route-map, and the rules are applied sequentially until either a rule evaluates to true or the end of the route-map is reached, evaluating to false.
What you seem to be asking for is a policy where you can explicitly deny based on not matching a rule. I'm not sure that's possible, but usually you can reformulate the logic so that you put all the requirements for explicitly matching parameters in prior order in the route-map, then you can explicitly deny what you need to and finally, perhaps, have a default permit.
So, for instance, if you wanted to specifically deny some combinations of port and metric, then allow anything else on the same ports before denying by default, you could do this:
config router route-map
    edit "test-map"
        config rule
            edit 1
                set match-interface "port1"
                set match-metric 1000
                set action deny
            next
            edit 2
                set match-interface "port2"
                set match-metric 1000
                set action deny
            next
            edit 3
                set match-interface "port1"
                set action permit
            next
            edit 4
                set match-interface "port2"
                set action permit
            next
            edit 5
                set action deny
            next
        end
    next
end
I know this is an older post and maybe things have changed since this question was originally asked but you can have a rule with "set action deny" which will stop processing in a route-map.
For instance:
config router prefix-list
    edit "deny_list"
        config rule
            edit 1
                set prefix 10.0.0.0 255.255.255.0
                unset ge
                set le 32
            next
        end
    next
end
config router route-map
    edit "bgp_filter"
        config rule
            edit 1
                set action deny
                set match-ip-nexthop "deny_list"
                unset set-ip-nexthop
                unset set-ip6-nexthop
                unset set-ip6-nexthop-local
                unset set-originator-id
            next
            edit 2
                unset set-ip-nexthop
                unset set-ip6-nexthop
                unset set-ip6-nexthop-local
                unset set-originator-id
            next
        end
    next
end
For any BGP neighbors that have "set route-map-out bgp_filter", the above would stop any outbound advertisements if the nexthop IP is in the 10.0.0.0/24 subnet by #1 in the route-map rules, and everything else would be allowed by #2 in the route-map rules.
As I understand the route-map rules: they process sequentially until either an allow or a deny is hit. If a rule doesn't specifically deny (such as with #2 above), it's set to allow by default.
If a route doesn't meet any of the rule match-* clauses or you don't have a catch-all (such as above), the FortiGate will deny it by default.
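The evaluation model both replies describe (rules tried in sequence order, every match-* clause inside one rule ANDed together, the first fully-matching rule deciding, a rule with no match-* clauses acting as a catch-all, and an implicit deny when the end of the route-map is reached) can be checked by hand with the following Python model. It is an added illustration, not code from either poster or from Fortinet; the Rule, Route and PrefixEntry classes and the simplified prefix-list ge/le handling are assumptions made for the example, and "test-map" and "bgp_filter" are transcribed from the two replies above.

```python
"""Constructed model of FortiOS route-map evaluation as described in the thread."""
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class PrefixEntry:
    """One 'config rule' entry of a prefix-list (ge/le left unset -> None). Assumed shape."""
    prefix: str
    ge: Optional[int] = None
    le: Optional[int] = None
    action: str = "permit"


@dataclass(frozen=True)
class Rule:
    """One route-map rule; a match-* attribute left as None is simply absent. Assumed shape."""
    seq: int
    action: str = "permit"
    match_interface: Optional[str] = None
    match_metric: Optional[int] = None
    match_ip_nexthop: Optional[str] = None  # name of a prefix-list


@dataclass(frozen=True)
class Route:
    """Constructed attributes of a candidate route (not a real FortiOS object)."""
    interface: str
    metric: int
    nexthop: str


def prefix_list_permits(entries, address, length=32):
    """Sequential first-match over a prefix-list.
    Simplifying assumptions: an unset ge means the entry's own prefix length,
    an unset le means 'same as the lower bound', and a next-hop IP is tested
    as a /32.  No matching entry -> not permitted."""
    ip = ipaddress.ip_address(address)
    for e in entries:
        net = ipaddress.ip_network(e.prefix)
        lo = e.ge if e.ge is not None else net.prefixlen
        hi = e.le if e.le is not None else lo
        if ip in net and lo <= length <= hi:
            return e.action == "permit"
    return False


def evaluate(rules, route, prefix_lists):
    """Route-map evaluation: rules in sequence order; inside one rule every
    match-* clause must hold (logical AND); the first rule whose clauses all
    hold decides; a rule with no match-* clauses matches everything.
    Falling off the end is the implicit deny.  Returns (action, seq)."""
    for rule in sorted(rules, key=lambda r: r.seq):
        clauses = []
        if rule.match_interface is not None:
            clauses.append(route.interface == rule.match_interface)
        if rule.match_metric is not None:
            clauses.append(route.metric == rule.match_metric)
        if rule.match_ip_nexthop is not None:
            entries = prefix_lists[rule.match_ip_nexthop]
            clauses.append(prefix_list_permits(entries, route.nexthop))
        if all(clauses):            # all([]) is True: a bare rule is a catch-all
            return rule.action, rule.seq
    return "deny", None             # implicit deny at the end of the route-map


# "test-map" from the first reply, transcribed into the model above.
TEST_MAP = [
    Rule(1, "deny", match_interface="port1", match_metric=1000),
    Rule(2, "deny", match_interface="port2", match_metric=1000),
    Rule(3, "permit", match_interface="port1"),
    Rule(4, "permit", match_interface="port2"),
    Rule(5, "deny"),
]

# "bgp_filter" and its "deny_list" prefix-list from the second reply.
PREFIX_LISTS = {"deny_list": [PrefixEntry("10.0.0.0/24", ge=None, le=32)]}
BGP_FILTER = [
    Rule(1, "deny", match_ip_nexthop="deny_list"),
    Rule(2, "permit"),
]


def evaluate_test_map(route):
    return evaluate(TEST_MAP, route, PREFIX_LISTS)


def evaluate_bgp_filter(route):
    return evaluate(BGP_FILTER, route, PREFIX_LISTS)


if __name__ == "__main__":
    # Constructed sample routes; next-hops use documentation ranges.
    for r in (Route("port1", 1000, "192.0.2.1"), Route("port1", 500, "192.0.2.1"),
              Route("port3", 1000, "192.0.2.1")):
        print(r, "->", evaluate_test_map(r))
    for r in (Route("port1", 10, "10.0.0.5"), Route("port1", 10, "198.51.100.7")):
        print(r, "->", evaluate_bgp_filter(r))
```

Running it shows the point of the first reply: port1 with metric 1000 stops at rule 1 (deny) and never reaches rule 3, port1 with any other metric falls through to rule 3 (permit), and port3 is caught by the bare rule 5. Removing rule 5 turns the port3 case into an end-of-map implicit deny, which is the "deny by default" behaviour the second reply describes.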
Copyright 2024 Fortinet, Inc. All Rights Reserved.