routing prefix-list to deny all
To perform some tests safely on a FortiGate (FortiOS 6.4) doing BGP, I was trying to set up a prefix-list that denies all prefixes and apply it in the BGP neighbour section via set prefix-list-in / set prefix-list-out.
As a prefix-list contains an implicit deny at the end, I was expecting an "empty" one would be enough.
config router prefix-list
    edit "deny-all"
        set comments "deny all prefixes"
    next
end
But this doesn't deny anything until I add a rule for a dummy prefix with the deny action. Then it behaves like I wanted it to.
Does anyone know / can anyone confirm that a rule for a dummy prefix with the deny action is required here?
You have to match all prefixes by "set prefix any", otherwise it doesn't capture anything to "deny".
Below is ours, matching everything but "permit"ting it. This one is used in our case to deny everything with a route-map referring to this prefix-list. In your case you need "set action deny" instead.
config router prefix-list
    edit "ALL-Routes"
        config rule
            edit 1
                set prefix any
                unset ge
                unset le
            next
        end
    next
end
Toshi
Thanks Toshi, but isn't there an implicit deny for prefix any at the end of the prefix-list?
When I add some entry (say for 1.2.3.4 255.255.255.255) it will deny everything else, so then the implicit deny acts, right? But without any rules it doesn't filter, although the implicit deny should be there then, right?
I don't think "implicit deny" is a correct term to describe a prefix-list's default behavior. It implicitly doesn't match anything unless you explicitly specify. "Implicit deny" is regularly used to describe the behavior of route-maps. Was that in any documentation you've read?
You just need to test it to verify the default behavior, which you already found out half of yourself.
<edit>
The test result you've got is because if you create a prefix-list it's "permit" by default as in my example. That's why the specific prefix was allowed but anything else was denied.
</edit>
Toshi
>> I don't think "implicit deny" is a correct term to describe prefix-list's default behavior.
Yeah, that seems to be the case. I think I read this somewhere but don't have a source currently; perhaps it is a mix-up with route-maps.
I was looking for some confirmation and got that now, thank you.
• If the prefix list is empty, all prefixes are permitted.
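The following is an added model of the prefix-list behaviour the thread arrives at (empty list permits everything, a list with rules denies whatever no rule matches, rule action defaults to permit, "set prefix any" matches every network). It is not FortiOS code or anything posted by the participants; the PrefixRule/evaluate names and the sample lists are constructed here to reproduce the three cases discussed: the OP's empty "deny-all", a single permit entry for 1.2.3.4/32, and Toshi's "ALL-Routes" entry with "set action deny".

```python
from ipaddress import ip_network


class PrefixRule:
    """One 'config rule' entry: prefix (or 'any'), action, optional ge/le."""

    def __init__(self, prefix, action="permit", ge=None, le=None):
        # 'set prefix any' is modelled as prefix=None (matches any network)
        self.prefix = None if prefix == "any" else ip_network(prefix, strict=False)
        self.action = action      # default action is permit, as in the thread
        self.ge = ge              # minimum prefix length (unset = None)
        self.le = le              # maximum prefix length (unset = None)

    def matches(self, route):
        if self.prefix is not None:
            if route.version != self.prefix.version or not route.subnet_of(self.prefix):
                return False
        if self.ge is None and self.le is None:
            # No length range: 'any' matches everything, a concrete prefix matches exactly
            return self.prefix is None or route.prefixlen == self.prefix.prefixlen
        low = self.ge if self.ge is not None else (0 if self.prefix is None else self.prefix.prefixlen)
        high = self.le if self.le is not None else route.max_prefixlen
        return low <= route.prefixlen <= high


def evaluate(rules, route):
    """Return 'permit' or 'deny' for a route against an ordered list of rules."""
    route = ip_network(route, strict=False)
    if not rules:
        return "permit"          # empty prefix-list: all prefixes are permitted
    for rule in rules:
        if rule.matches(route):
            return rule.action   # first matching rule decides
    return "deny"                # rules exist but none matched: route is denied


# Constructed sample lists mirroring the thread (hypothetical names)
EMPTY = []                                          # OP's "deny-all" with no rules
ONE_HOST = [PrefixRule("1.2.3.4/32")]               # one entry, default action permit
DENY_ALL = [PrefixRule("any", action="deny")]       # "ALL-Routes" with 'set action deny'
```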
