Using a prefix-list to restrict route advertisements
Hi all,
I am faced with a situation in which we are using RIP in our environment to advertise routes to a partner (not ideal, I know, but this is just the way it is right now).
I am trying to restrict the routes that are advertised to the partner using a prefix-list. Please see my configuration below.
I only want to advertise routes 10.1.x.x <=24, 10.2.x.x <=24 and 10.3.x.x <=24, but it doesn't seem to work. Can somebody point out an obvious mistake?
show router rip
    edit 2
        set interface "*"
        set listname "adv_*_*"
        set status enable
    next

config router prefix-list
    edit "adv_*_*"
        config rule
            edit 10
                set prefix 10.1.0.0 255.255.0.0
                unset ge
                set le 24
            next
            edit 20
                set prefix 10.2.0.0 255.255.0.0
                unset ge
                set le 24
            next
            edit 30
                set prefix 10.3.0.0 255.255.0.0
                unset ge
                set le 24
            next
            edit 40
                set action deny
                set prefix 0.0.0.0 0.0.0.0
                unset ge
                set le 32
            next
        end
    next
end
Thanks
Fortigate 1000A
v4.0,build194,100121 (MR1 Patch 4)
Fortianalyzer 800B
v4.0,build0130 (MR1 Patch 3)
    edit 40
        set action deny
        set prefix 0.0.0.0 0.0.0.0
        unset ge
        set le 32
    next
end
next
end

I think you need to change seq#4 to be maybe 0.0.0.0 255.255.255.255. The way you have it now, that would only deny 0.0.0.0/0, or specifically 0.0.0.0 / 0.0.0.0, your default route.

FWIW, another trick we used to do back in my pioneering days of the internet (the 80s), that was somewhat easier and applicable if you had a small RIPv1/2 table, was just to allow all of your prefixes out and set the max hop count on the ones that you didn't want routed on. The other RIP routers would not install the routes into the table.

PCNSE
NSE
StrongSwan
config router prefix-list

Hey, I just checked my firewall and what I posted was wrong. You can do the following:

    edit 50
        set prefix any
        set action deny

and delete seq #40, and that should be good. Simple and easy.
Hi Emnoc,
Thanks for the advice. Simple and obvious solution :)
Cheers,
D
FWIW
here's the other method

config router access-list
    edit "listname"
        config rule
            edit 1
                set prefix 10.1.0.0 255.255.255.0
                set action deny
            next
            edit 2
                set prefix 10.2.0.0 255.255.255.0
                set action deny
            next
            edit 3
                set prefix 10.3.0.0 255.255.255.0
                set action deny
            next
            edit 4
                set prefix any
                set action permit
            next
        end
    next
end

Then under config router rip

config offset-list
    edit 1
        set access-list "listname"
        set direction out
        set interface "wan1"
        # note: set the metric to the max allowed for RIP @ 16
        set offset 16
        set status enable
    next
end

Different camps prefer to poison the routing table with routes. Both methods would achieve the same outcome. The above sample is great when you want to drop routes being sent to you, offset the route entries if you have a more preferred path, or control to some degree which link of a redundant pair is used.
YMMV
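A worked model of the two filtering methods discussed in this thread (the prefix-list with a trailing deny-any from the second reply, and the access-list plus offset-list poisoning from the last reply), as an added Python example that is not from the original thread and not Fortinet code. It assumes standard prefix-list semantics: rules are evaluated in sequence order, the first match decides, an unmatched route is implicitly denied, a rule without `set action` permits, and a rule with neither ge nor le matches that exact mask length only. The access-list is assumed to match any route that falls inside the rule prefix (FortiOS exact-match disabled), and the receiving RIP router is assumed to discard anything advertised at metric 16. The route table, the one-hop metrics and the rule sets are constructed sample input; the access-list uses the /16 aggregates from the question rather than the /24 entries in the reply.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

RIP_INFINITY = 16  # RFC 2453: a metric of 16 means "unreachable"


def to_network(text: str) -> ipaddress.IPv4Network:
    """Accept the FortiOS 'network mask' form (10.1.0.0 255.255.0.0) or CIDR."""
    return ipaddress.ip_network(text.replace(" ", "/"))


@dataclass
class PrefixRule:
    """One 'config rule' entry of a router prefix-list (semantics assumed, see lead-in)."""
    seq: int
    prefix: str                 # "any" or "network mask"
    action: str = "permit"      # assumption: a rule without 'set action' permits
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        if self.prefix == "any":
            return True
        base = to_network(self.prefix)
        if not route.subnet_of(base):
            return False
        # Neither ge nor le: only the rule's own mask length matches.
        # le alone: base length .. le.  ge alone: ge .. 32.  Both: ge .. le.
        lo = self.ge if self.ge is not None else base.prefixlen
        if self.le is not None:
            hi = self.le
        elif self.ge is not None:
            hi = base.max_prefixlen
        else:
            hi = base.prefixlen
        return lo <= route.prefixlen <= hi


def prefix_list_permits(route: ipaddress.IPv4Network, rules: Sequence[PrefixRule]) -> bool:
    """First matching rule in sequence order decides; no match is an implicit deny."""
    for rule in sorted(rules, key=lambda r: r.seq):
        if rule.matches(route):
            return rule.action == "permit"
    return False


def advertised_via_prefix_list(routes: Sequence[str], rules: Sequence[PrefixRule]) -> List[str]:
    """Routes that survive an outbound distribute-list that uses the prefix-list."""
    nets = [to_network(r) for r in routes]
    return sorted(str(n) for n in nets if prefix_list_permits(n, rules))


@dataclass
class AclRule:
    """One 'config rule' entry of a router access-list."""
    seq: int
    prefix: str     # "any" or "network mask"
    action: str


def acl_permits(route: ipaddress.IPv4Network, rules: Sequence[AclRule]) -> bool:
    """Assumption: exact-match disabled, so any route inside the rule prefix matches."""
    for rule in sorted(rules, key=lambda r: r.seq):
        if rule.prefix == "any" or route.subnet_of(to_network(rule.prefix)):
            return rule.action == "permit"
    return False


def rip_metric_after_offset(metric: int, route: ipaddress.IPv4Network,
                            acl: Sequence[AclRule], offset: int) -> int:
    """Outbound offset-list: routes the access-list permits get the offset added,
    capped at 16 because RIP has no larger metric."""
    if acl_permits(route, acl):
        return min(metric + offset, RIP_INFINITY)
    return metric


def advertised_via_offset_list(routes_with_metric: Sequence[Tuple[str, int]],
                               acl: Sequence[AclRule], offset: int) -> List[str]:
    """What the partner's RIP router installs: it discards anything at metric 16."""
    installed = []
    for text, metric in routes_with_metric:
        net = to_network(text)
        if rip_metric_after_offset(metric, net, acl, offset) < RIP_INFINITY:
            installed.append(str(net))
    return sorted(installed)


# Constructed sample routing table (not from the thread): aggregates, /24s,
# two subnets longer than /24, an unrelated 10.4/16 and a default route.
ROUTES = ["10.1.0.0/16", "10.1.5.0/24", "10.1.5.0/25", "10.2.10.0/24",
          "10.3.0.0/20", "10.3.1.0/24", "10.3.1.128/26",
          "10.4.0.0/16", "192.168.0.0/24", "0.0.0.0/0"]

# The corrected prefix-list from the thread: permit 10.1/10.2/10.3 up to /24, then deny any.
PREFIX_LIST = [
    PrefixRule(10, "10.1.0.0 255.255.0.0", le=24),
    PrefixRule(20, "10.2.0.0 255.255.0.0", le=24),
    PrefixRule(30, "10.3.0.0 255.255.0.0", le=24),
    PrefixRule(50, "any", action="deny"),
]

# The offset-list method: the access-list denies (exempts) the wanted prefixes,
# permits everything else, and the permitted routes are poisoned with offset 16.
OFFSET_ACL = [
    AclRule(1, "10.1.0.0 255.255.0.0", "deny"),
    AclRule(2, "10.2.0.0 255.255.0.0", "deny"),
    AclRule(3, "10.3.0.0 255.255.0.0", "deny"),
    AclRule(4, "any", "permit"),
]

if __name__ == "__main__":
    print("prefix-list advertises:", advertised_via_prefix_list(ROUTES, PREFIX_LIST))
    one_hop = [(r, 1) for r in ROUTES]
    print("offset-list advertises:", advertised_via_offset_list(one_hop, OFFSET_ACL, 16))
```

Running it shows the two outcomes differ on one point worth knowing before you pick a method: the prefix-list's `le 24` stops 10.1.5.0/25 and 10.3.1.128/26, while the access-list has no mask-length bound, so the offset-list variant lets those longer subnets through at their normal metric. The same model also shows why a catch-all of `0.0.0.0 0.0.0.0` with no ge/le matches only the default route: with neither bound set, only a route of exactly that mask length matches the rule.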
