Support Forum
cknipe
New Contributor

Battling to understand OSPF filters

Hi All,


I'm having a bit of an issue understanding the Forti route-maps and prefix lists.  Whilst I concur there are many examples and documentation, there's no real clear explanation of what it all does and how it works... Sorry if I am missing this after my 20+ years in the networking field, maybe I'm just getting too old.

 

In any case, given the below:

    config router prefix-list
        edit "RFC1918"
            set comments "Matches RFC1918 Addresses"
            config rule
                edit 1
                    set prefix 10.0.0.0 255.0.0.0
                    unset ge
                    unset le
                next
                edit 2
                    set prefix 172.16.0.0 255.240.0.0
                    unset ge
                    unset le
                next
                edit 3
                    set prefix 192.168.0.0 255.255.0.0
                    unset ge
                    unset le
                next
            end
        next
    end

    config router route-map
        edit "RFC1918"
            set comments "Permit only RFC1918 via OSPF"
            config rule
                edit 1
                    set match-ip-address "RFC1918"
                next
                edit 2
                    set action deny
                next
            end
        next
    end

    config router ospf
        set router-id 192.168.0.10
        config area
            edit 192.168.1.8
            next
        end
        config ospf-interface
            edit "internal7"
                set interface "internal7"
                set dead-interval 40
                set hello-interval 10
            next
        end
        config network
            edit 1
                set prefix 192.168.1.8 255.255.255.252
                set area 192.168.1.8
            next
        end
        config redistribute "connected"
            set routemap "RFC1918"
        end
        config redistribute "static"
            set routemap "RFC1918"
        end
    end


What will the FortiGates do with classful routes inside 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16?

 

Essentially I want to distribute ALL RFC1918 routes, but drop anything from being advertised that is NOT within the RFC1918 address space.

 

10.1.0.0/25 should pass.

1.1.1.1/23 should drop.

 

Is my configuration adequate?

 

2 Solutions
Toshi_Esumi
Esteemed Contributor III

Just like any other router, e.g. Cisco, if you do:

    ip prefix-list 10slash8 seq 10 permit 10.0.0.0/8

it would match only 10/8 exactly. If you want to match anything in 10/8, you need to do:

    ip prefix-list 10slash8 seq 10 permit 10.0.0.0/8 ge 8

 

FortiGate isn't different:

    edit 1
        set prefix 10.0.0.0 255.0.0.0
        set ge 8
        unset le
    next


emnoc
Esteemed Contributor III

Agreed, so in your example they will match only those prefixes; you need to use "le" and/or "ge" and the route map will honor that.

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

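The rule both answers describe (an entry with ge/le unset matches only the exact prefix; "set ge" lets more-specific routes match), worked through on the poster's prefix-list and two-rule route-map. This is an added Python model, not code from the thread or from FortiOS; it assumes ge and le are inclusive bounds on the route's prefix length and that an unset le with ge set means 32.

```python
# Added example (not from the thread or FortiOS): a small model of prefix-list
# matching plus the poster's two-rule route-map, to show why entries with
# ge/le unset match only the exact prefix and why "set ge" fixes it.
from ipaddress import IPv4Network

# Each entry is (network, ge, le); None means "unset" in the FortiGate config.
# Assumption: ge/le are inclusive bounds on the route's prefix length, and an
# unset le with ge set is treated as 32 (host routes included).
RFC1918_AS_POSTED = [            # the poster's list: ge and le both unset
    (IPv4Network("10.0.0.0/8"), None, None),
    (IPv4Network("172.16.0.0/12"), None, None),
    (IPv4Network("192.168.0.0/16"), None, None),
]
RFC1918_WITH_GE = [              # the fix from the answers: ge = own length
    (IPv4Network("10.0.0.0/8"), 8, None),
    (IPv4Network("172.16.0.0/12"), 12, None),
    (IPv4Network("192.168.0.0/16"), 16, None),
]

def entry_matches(entry, route):
    """One prefix-list rule against one route (an IPv4Network)."""
    net, ge, le = entry
    if not route.subnet_of(net):           # route must lie inside the block
        return False
    if ge is None and le is None:          # no range given: exact length only
        return route.prefixlen == net.prefixlen
    low = ge if ge is not None else net.prefixlen
    high = le if le is not None else 32
    return low <= route.prefixlen <= high

def route_map_action(prefix_list, route_str):
    """Poster's route-map: rule 1 permits on match-ip-address, rule 2 denies."""
    route = IPv4Network(route_str, strict=False)
    if any(entry_matches(e, route) for e in prefix_list):
        return "permit"                    # rule 1 (action defaults to permit)
    return "deny"                          # rule 2: no match clause, deny all

if __name__ == "__main__":
    for route in ["10.1.0.0/25", "10.0.0.0/8", "172.16.0.0/12", "1.1.1.1/23"]:
        print(f"{route:>15}  as posted: {route_map_action(RFC1918_AS_POSTED, route):6}"
              f"  with ge: {route_map_action(RFC1918_WITH_GE, route)}")
```

Rule 2 has no match clause, so everything rule 1 does not permit is denied; with the list as posted that drops 1.1.0.0/23 as intended, but also 10.1.0.0/25.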