Support Forum
simonpt
New Contributor III

RIP router access list

I'm trying to prevent some connected routes on our FortiGate from being distributed via RIP. I've tried creating an access list, but I'm doing it in our production environment and inadvertently blocked all routes at one stage, so I'd rather seek help and get it right first time. Basically I want to filter out three routes from being distributed (10.10.80.0/24, 192.168.130.0/24, 192.168.131.0/24) and allow all others through. This is how I entered my access list:
config router access-list
    edit "rip_distribute_list"
        config rule
            edit 1
                set action deny
                set prefix 10.10.80.0 255.255.255.0
                set exact-match enable
            next
            edit 2
                set action deny
                set prefix 192.168.130.0 255.255.255.0
                set exact-match enable
            next
            edit 3
                set action deny
                set prefix 192.168.131.0 255.255.255.0
                set exact-match enable
            next
            edit 4
                set action permit
                set prefix 0.0.0.0 0.0.0.0
                set exact-match disable
            next
        end
    next
end
And this is how I tied it into the RIP config:
config router rip
    config distribute-list
        edit 1
            set interface "port1"
            set listname "rip_distribute_list"
            set status enable
        next
    end
         .
         .
However, when I did a show of the access list, rule 4 ended up looking like this:
            edit 4
                set exact-match disable
            next
Can someone please confirm if this will work as intended and, if not, how best to do it? Thanks - Simon
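A way to check an access list like this offline before touching the production box, as an added example that is not part of the original post or of FortiOS. It models the four rules above and a constructed set of connected routes; the matching semantics (first match wins, implicit deny when nothing matches, exact-match requires an identical prefix and mask, otherwise the route only has to fall inside the rule's prefix, and a missing prefix means 0.0.0.0/0) are assumptions about FortiOS behaviour, not verified against the product.

```python
import ipaddress

# Rules transcribed from the post (constructed model, not FortiOS code).
# Each rule: (action, prefix, exact_match). A missing prefix, as rule 4
# appeared after "show", is assumed to mean 0.0.0.0/0.
RIP_DISTRIBUTE_LIST = [
    ("deny",   "10.10.80.0/24",    True),
    ("deny",   "192.168.130.0/24", True),
    ("deny",   "192.168.131.0/24", True),
    ("permit", None,               False),   # shown without a prefix
]

# Constructed sample of connected routes on the FortiGate.
CONNECTED_ROUTES = [
    "10.10.80.0/24",
    "10.10.81.0/24",
    "192.168.130.0/24",
    "192.168.131.0/24",
    "172.16.5.0/24",
]


def rule_matches(route, prefix, exact_match):
    """Assumed semantics: exact-match needs identical prefix and mask;
    otherwise the route only has to sit inside the rule's prefix."""
    rule_net = ipaddress.ip_network(prefix or "0.0.0.0/0")
    route_net = ipaddress.ip_network(route)
    if exact_match:
        return route_net == rule_net
    return route_net.subnet_of(rule_net)


def evaluate(access_list, route):
    """First matching rule wins. No match means implicit deny, which is
    what blanked every advertisement when the permit-all rule was missing."""
    for action, prefix, exact in access_list:
        if rule_matches(route, prefix, exact):
            return action
    return "deny"


def advertised(access_list, routes):
    """Routes RIP would still advertise through this distribute-list."""
    return [r for r in routes if evaluate(access_list, r) == "permit"]


if __name__ == "__main__":
    for r in CONNECTED_ROUTES:
        print(f"{r:18} -> {evaluate(RIP_DISTRIBUTE_LIST, r)}")
    # The same list without rule 4 advertises nothing at all.
    print(advertised(RIP_DISTRIBUTE_LIST[:3], CONNECTED_ROUTES))
```

Note that with exact-match enabled a more specific prefix such as 10.10.80.0/25 would not be caught by rule 1 and would fall through to the permit-all rule.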
g3rman
New Contributor

Hi Simon, that will work. The Fortinet automatically assumes 0.0.0.0 if there is no address specified. Our access lists for OSPF look the same. We are switching away from using access lists though to only advertising specific networks. In Router -> Dynamic -> RIP -> Networks, rather than creating network 0.0.0.0/0, you can advertise individual networks instead that are behind the firewall. That way you don't have to worry about access lists.
A Real World Fortinet Guide Configuration Examples & Frequently Asked Questions http://firewallguru.blogspot.com
simonpt
New Contributor III

Hi g3rman, thanks very much. I enabled the access list and it worked as expected. I like your other suggestion too, but I'm not sure if it quite works that way. We're advertising 10.10.0.0/16, which accounts for the 10.10.80.0/24 route coming through, but it doesn't stop 192.168.130.0/24 and 192.168.131.0/24 from coming through, hence I've had to resort to the access list. These last two networks are connected VLANs.
g3rman
New Contributor

Make sure you have "redistribute connected" disabled in the RIP -> Advanced Options section. Then it will only distribute the networks that are explicitly listed in the "Networks" section.
A Real World Fortinet Guide Configuration Examples & Frequently Asked Questions http://firewallguru.blogspot.com