Purpose

This article presents how to set up a FortiGate to advertise in RIP only a default route on all RIP interfaces (i.e. not all RIP subnets), using a prefix-list and a distribute-list.
Scope

All FortiGate or VDOM running NAT mode
Diagram

The following diagram illustrates this scenario:

[ FGT1, other RIP routers ] ==== port5 [ FGT2 ] port6 ====== [ other RIP routers ]
                                  10.160.0.205
    subnet 10.160.0.0/23                                  subnet 192.168.182.0/25

We will see how to set up FGT2 and verify on FGT1.
Expectations, Requirements

The FortiGate FGT2 must only advertise the default route on all its interfaces, and NOT advertise the subnets of the RIP interfaces themselves, hence not advertise subnets 10.0.0.0 and 192.168.182.0.
Configuration

- prefix-list rules are parsed from top to bottom
- a prefix-list follows a "stop on match" logic: when a rule has matched (defined by prefix/ge/le), the specified action is used and no further rules are inspected
- there is an implicit block rule at the end of the rules list
- the keywords 'ge' and 'le' may be used to define a pattern using the prefix as a border
- to match a default route only, a prefix-list must be used; an access-list cannot be used to match a default route
CLI configuration for FGT2:

config router prefix-list
    edit "only_dflt"
        config rule
            edit 1
                set prefix 0.0.0.0 0.0.0.0
                unset ge
                unset le
            next
        end
    next
end

config router rip
    set default-information-originate enable
    config distribute-list
        edit 1
            set interface "port5"
            set listname "only_dflt"
            set status enable
        next
        edit 2
            set interface "port6"
            set listname "only_dflt"
            set status enable
        next
    end
    config network
        edit 1
            set prefix 10.0.0.0 255.0.0.0
        next
        edit 2
            set prefix 192.168.182.0 255.255.254.0
        next
    end
end
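To make the filtering behaviour concrete, here is an added Python model of the prefix-list and distribute-list logic described above. It is example code written for this article, not FortiOS code, and it assumes the usual prefix-list semantics (top to bottom, stop on match, implicit deny, and 'ge'/'le' defaulting to the rule's own prefix length when unset, or to 32 for 'le' when only 'ge' is set). The candidate routes are constructed to mirror FGT2's configuration: the originated default route plus the connected subnets covered by 'config network'. The model also goes one step beyond the article by showing what a 0.0.0.0/0 rule with 'le 32' would let through, which is the classic mistake when trying to match only the default route.

```python
"""Model of prefix-list + RIP distribute-list filtering (added example, not FortiOS code).

Assumptions (constructed for illustration):
- a prefix-list rule is (prefix, ge, le, action); ge/le of None mean 'unset'
- rules are evaluated top to bottom, the first match wins, and an implicit deny
  sits at the end of the list
- a distribute-list applies a named prefix-list to the routes advertised out of
  one interface
"""
from ipaddress import ip_network, IPv4Network
from typing import Dict, List, Optional


class PrefixRule:
    def __init__(self, prefix: str, ge: Optional[int] = None,
                 le: Optional[int] = None, action: str = "permit"):
        self.prefix = ip_network(prefix, strict=False)
        self.ge = ge
        self.le = le
        self.action = action

    def matches(self, route: IPv4Network) -> bool:
        # The route must lie inside the rule prefix (address bits agree up to
        # the rule's own length) ...
        if not route.subnet_of(self.prefix):
            return False
        # ... and its length must fall in the window defined by ge/le. With
        # both unset the window is the rule's exact length, so 0.0.0.0/0
        # matches only the default route.
        lo = self.ge if self.ge is not None else self.prefix.prefixlen
        if self.le is not None:
            hi = self.le
        else:
            hi = 32 if self.ge is not None else self.prefix.prefixlen
        return lo <= route.prefixlen <= hi


class PrefixList:
    def __init__(self, name: str, rules: List[PrefixRule]):
        self.name = name
        self.rules = rules  # evaluated top to bottom

    def evaluate(self, route: IPv4Network) -> str:
        for rule in self.rules:
            if rule.matches(route):
                return rule.action  # stop on match
        return "deny"               # implicit block rule at the end of the list


def advertised_routes(candidates: List[IPv4Network],
                      distribute_lists: Dict[str, str],
                      prefix_lists: Dict[str, PrefixList]) -> Dict[str, List[str]]:
    """Return {interface: [routes permitted out of that interface]}."""
    out: Dict[str, List[str]] = {}
    for iface, listname in distribute_lists.items():
        plist = prefix_lists[listname]
        out[iface] = [str(r) for r in candidates if plist.evaluate(r) == "permit"]
    return out


# Constructed to mirror FGT2: the originated default route plus the connected
# subnets that fall under the two 'config network' entries.
CANDIDATES = [ip_network("0.0.0.0/0"),
              ip_network("10.160.0.0/23"),
              ip_network("192.168.182.0/23")]
PREFIX_LISTS = {"only_dflt": PrefixList("only_dflt", [PrefixRule("0.0.0.0/0")])}
DISTRIBUTE_LISTS = {"port5": "only_dflt", "port6": "only_dflt"}


def fgt2_advertisements() -> Dict[str, List[str]]:
    """What FGT2 sends out of each RIP interface with the article's configuration."""
    return advertised_routes(CANDIDATES, DISTRIBUTE_LISTS, PREFIX_LISTS)


def with_le_32() -> List[str]:
    """Contrast case: 0.0.0.0/0 le 32 matches every IPv4 prefix, not just the default."""
    permissive = PrefixList("any_v4", [PrefixRule("0.0.0.0/0", le=32)])
    return [str(r) for r in CANDIDATES if permissive.evaluate(r) == "permit"]


if __name__ == "__main__":
    for iface, routes in fgt2_advertisements().items():
        print(f"{iface}: {routes}")
    print("0.0.0.0/0 le 32 would permit:", with_le_32())
```

Running the block prints only 0.0.0.0/0 for both port5 and port6, matching what FGT1 receives in the verification section, while the contrast case shows all three prefixes being permitted.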
Verification

This is what we see on the receiving RIP router (FGT1) in subnet 10.0.0.0:

FGT1 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
R* 0.0.0.0/0 [120/2] via 10.160.0.205, internal, 00:32:05
C 10.160.0.0/23 is directly connected, internal
Troubleshooting

Use the following command to troubleshoot RIP updates. It was used here on FGT1 to see the incoming RIP updates from FGT2.

FGT1 # diagnose ip router rip all enable

This will show all RIP updates sent by the FortiGate. To stop it, type "diagnose ip router rip all disable".

Example of output:
RIP: RECV[internal]: Receive from 10.160.0.205:520
RIP: RECV[internal]: RESPONSE version 2 packet size 24
RIP: 0.0.0.0/0 -> 0.0.0.0 family 2 tag 0 metric 1
RIP: RECV[internal]: Receive from 10.160.0.205:520
RIP: RECV[internal]: RESPONSE version 2 packet size 24
RIP: 0.0.0.0/0 -> 0.0.0.0 family 2 tag 0 metric 1
RIP: RECV[internal]: Receive from 10.160.0.205:520
RIP: RECV[internal]: RESPONSE version 2 packet size 24
RIP: 0.0.0.0/0 -> 0.0.0.0 family 2 tag 0 metric 1
RIP: UPDATE: Update timer fire!
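When checking a filter like this on the receiving side, it is easy to miss a stray prefix in a long debug capture. The following added Python example (written for this article, not a Fortinet tool) parses the 'diagnose ip router rip all' output format shown above and reports any received prefix other than the expected default route. The sample text is constructed: it repeats the article's lines and adds one deliberately leaked 192.168.182.0/23 entry so that the check has something to flag. The regular expressions only assume the line layout visible in the output above.

```python
"""Parse 'diagnose ip router rip all' output and flag unexpected prefixes.

Added example, not Fortinet code. The sample below is constructed from the
line formats shown in the article plus one deliberately leaked prefix.
"""
import re
from typing import List, Tuple

SAMPLE_DEBUG = """\
RIP: RECV[internal]: Receive from 10.160.0.205:520
RIP: RECV[internal]: RESPONSE version 2 packet size 24
RIP: 0.0.0.0/0 -> 0.0.0.0 family 2 tag 0 metric 1
RIP: RECV[internal]: Receive from 10.160.0.205:520
RIP: RECV[internal]: RESPONSE version 2 packet size 44
RIP: 0.0.0.0/0 -> 0.0.0.0 family 2 tag 0 metric 1
RIP: 192.168.182.0/23 -> 0.0.0.0 family 2 tag 0 metric 1
RIP: UPDATE: Update timer fire!
"""

# "RIP: RECV[internal]: Receive from 10.160.0.205:520"
RECV_RE = re.compile(
    r"^RIP: RECV\[(?P<iface>[^\]]+)\]: Receive from (?P<src>[\d.]+):(?P<port>\d+)$")
# "RIP: 0.0.0.0/0 -> 0.0.0.0 family 2 tag 0 metric 1"
ROUTE_RE = re.compile(
    r"^RIP: (?P<prefix>[\d.]+/\d+) -> (?P<nexthop>[\d.]+) family (?P<family>\d+)"
    r" tag (?P<tag>\d+) metric (?P<metric>\d+)$")

Entry = Tuple[str, str, str, int]  # (interface, source router, prefix, metric)


def parse_rip_debug(text: str) -> List[Entry]:
    """Attach every route line to the most recent 'Receive from' header."""
    entries: List[Entry] = []
    iface = src = None
    for line in text.splitlines():
        m = RECV_RE.match(line)
        if m:
            iface, src = m.group("iface"), m.group("src")
            continue
        m = ROUTE_RE.match(line)
        if m and src is not None:
            entries.append((iface, src, m.group("prefix"), int(m.group("metric"))))
    return entries


def unexpected_prefixes(text: str,
                        allowed: Tuple[str, ...] = ("0.0.0.0/0",)) -> List[Tuple[str, str]]:
    """(source, prefix) pairs received that the neighbour's filter should have dropped."""
    return sorted({(src, prefix)
                   for _, src, prefix, _ in parse_rip_debug(text)
                   if prefix not in allowed})


if __name__ == "__main__":
    for entry in parse_rip_debug(SAMPLE_DEBUG):
        print(entry)
    print("unexpected:", unexpected_prefixes(SAMPLE_DEBUG))
```

With the article's real capture (three default-route entries and nothing else) the check returns an empty list; with the constructed sample it flags the leaked 192.168.182.0/23 from 10.160.0.205, which would mean the distribute-list on the sending interface is not applied.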