FortiGate
rmetzger
Staff
Article Id 198785
Purpose
This article presents how to set up a FortiGate so that it advertises in RIP only a default route on all its RIP interfaces (i.e. not the RIP subnets themselves), using a prefix-list and a distribute-list.

Scope
All FortiGate or VDOM running NAT mode

Diagram
The following diagram illustrates this scenario :

                                          10.160.0.205
[ FGT1 / other RIP routers ] ==== port5 [ FGT2 ] port6 ====== [ other RIP routers ]
           subnet                                                     subnet
        10.160.0.0/23                                            192.168.182.0/25


We will see how to set up FGT2 and how to verify the result on FGT1.

Expectations, Requirements
The FortiGate FGT2 must only advertise the default route on all its RIP interfaces, and must NOT advertise the subnets of the RIP interfaces themselves, i.e. neither 10.160.0.0/23 (port5) nor 192.168.182.0/25 (port6), even though both are covered by the networks declared under 'config network'.

Configuration

Note :

- prefix-list rules are parsed from top to bottom (in rule ID order)

- a prefix-list follows a "stop on match" logic : once a rule matches (as defined by its prefix and optional ge/le), that rule's action is applied and no further rules are inspected

- there is an implicit deny rule at the end of the rule list : a route that matches no rule is not advertised

- the keywords 'ge' and 'le' define a range of mask lengths, using the prefix as the boundary ; with both unset, only the exact prefix (same network and same mask length) matches

- to match a default route only, a prefix-list must be used ; an access-list cannot match a default route


CLI configuration for FGT2 :

config router prefix-list
    edit "only_dflt"
        config rule
            edit 1
                set prefix 0.0.0.0 0.0.0.0
                unset ge
                unset le
            next
        end
    next
end


The distribute-list is applied in the outbound direction on port5 and port6, so only routes permitted by "only_dflt" (the default route, injected by default-information-originate) are sent out ; the connected subnets declared under 'config network' are filtered from the updates.

config router rip
    set default-information-originate enable
    config distribute-list
        edit 1
            set interface "port5"
            set direction out
            set listname "only_dflt"
            set status enable
        next
        edit 2
            set interface "port6"
            set direction out
            set listname "only_dflt"
            set status enable
        next
    end
    config network
        edit 1
            set prefix 10.0.0.0 255.0.0.0
        next
        edit 2
            set prefix 192.168.182.0 255.255.254.0
        next
    end
end
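To make the prefix-list rules from the note above and the effect of the outbound distribute-list concrete, here is an added example (not code from the article or from FortiOS) that models the matching logic in Python: top-to-bottom evaluation, stop on first match, implicit deny, and the ge/le range semantics. The candidate routes, the extra 10.200.4.0/24 route and the two alternative prefix-lists ("leaky" and "deny_port5") are constructed for the illustration; only "only_dflt" corresponds to the configuration on this page.

```python
import ipaddress

# Constructed sample: routes FGT2 could offer to RIP on port5 and port6.
# The default is injected by "set default-information-originate enable",
# the two connected subnets are pulled in by the "config network" statements,
# and 10.200.4.0/24 is a hypothetical route learned from another RIP router.
CANDIDATE_ROUTES = [
    "0.0.0.0/0",
    "10.160.0.0/23",
    "192.168.182.0/25",
    "10.200.4.0/24",
]

# "only_dflt" as configured on the page: one rule, exact match on 0.0.0.0/0,
# ge/le unset. The "action" key defaults to permit, like the FortiGate CLI.
ONLY_DFLT = [
    {"prefix": "0.0.0.0/0"},
]

# Common mistake (constructed): the same prefix with "set le 32" matches every
# route, so nothing is filtered and both connected subnets leak.
LEAKY_ANY = [
    {"prefix": "0.0.0.0/0", "le": 32},
]

# Ordering matters (constructed): the deny listed first wins for 10.160.0.0/23,
# everything else falls through to the permit-any rule.
DENY_PORT5_SUBNET = [
    {"prefix": "10.160.0.0/23", "action": "deny"},
    {"prefix": "0.0.0.0/0", "le": 32},
]


def rule_matches(route, rule):
    """Match a route against one prefix-list rule (prefix plus optional ge/le).

    With ge and le both unset the rule matches only the exact prefix, which is
    why "0.0.0.0 0.0.0.0" alone matches the default route and nothing else.
    With ge and/or le set, the route must lie inside the prefix and its mask
    length must fall in [ge, le]; a missing ge means the prefix's own length,
    a missing le means the maximum length (32 for IPv4).
    """
    prefix = ipaddress.ip_network(rule["prefix"], strict=False)
    ge, le = rule.get("ge"), rule.get("le")
    if ge is None and le is None:
        return route == prefix
    if not route.subnet_of(prefix):
        return False
    low = prefix.prefixlen if ge is None else ge
    high = route.max_prefixlen if le is None else le
    return low <= route.prefixlen <= high


def prefix_list_permits(route, rules):
    """Top-to-bottom evaluation, stop on first match, implicit deny at the end."""
    for rule in rules:
        if rule_matches(route, rule):
            return rule.get("action", "permit") == "permit"
    return False


def advertised(routes, rules):
    """Routes that survive an outbound distribute-list using the given prefix list."""
    return [r for r in routes if prefix_list_permits(ipaddress.ip_network(r), rules)]


if __name__ == "__main__":
    for name, rules in (("only_dflt", ONLY_DFLT), ("leaky", LEAKY_ANY),
                        ("deny_port5", DENY_PORT5_SUBNET)):
        print(f"{name}: {advertised(CANDIDATE_ROUTES, rules)}")
```

Running it shows that "only_dflt" lets through exactly the default route, that adding "le 32" to the same prefix turns the list into permit-any, and that a deny placed above a permit-any removes just the one subnet. The same check is worth running mentally against any prefix-list before attaching it to a distribute-list, because a leaked interface subnet gives neighbours a route into management networks that were meant to stay unreachable.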


Verification
This is what is seen on the receiving RIP router (FGT1) in subnet 10.160.0.0/23 : only the default route is learned via RIP from 10.160.0.205 (FGT2 port5), and no 192.168.182.0 route appears.

FGT1 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

R*      0.0.0.0/0 [120/2] via 10.160.0.205, internal, 00:32:05
C       10.160.0.0/23 is directly connected, internal


Troubleshooting
Use the following command to troubleshoot RIP updates. Here it was run on FGT1 to see the incoming RIP updates from FGT2.

FGT1 # diagnose ip router rip all enable

This shows all RIP updates sent and received by the FortiGate. To stop it, type "diagnose ip router rip all disable".


Example of output :


RIP: RECV[internal]: Receive from 10.160.0.205:520
RIP: RECV[internal]: RESPONSE version 2 packet size 24
RIP:   0.0.0.0/0 -> 0.0.0.0 family 2 tag 0 metric 1
RIP: RECV[internal]: Receive from 10.160.0.205:520
RIP: RECV[internal]: RESPONSE version 2 packet size 24
RIP:   0.0.0.0/0 -> 0.0.0.0 family 2 tag 0 metric 1
RIP: RECV[internal]: Receive from 10.160.0.205:520
RIP: RECV[internal]: RESPONSE version 2 packet size 24
RIP:   0.0.0.0/0 -> 0.0.0.0 family 2 tag 0 metric 1
RIP: UPDATE: Update timer fire!
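The debug output above is easy to eyeball for one neighbour, but on a router with several RIP peers it is simpler to parse it and flag anything other than the default route. The following is an added example, not part of the article, that parses lines in the format shown on this page and reports per neighbour which prefixes were received beyond the allowed set. The sample text is constructed: it repeats the page's first RESPONSE and adds a hypothetical second RESPONSE in which 192.168.182.0/25 has leaked, so the check has something to report.

```python
import re

# Constructed sample of "diagnose ip router rip all enable" output on FGT1.
# The second RESPONSE is hypothetical: it carries a leaked connected subnet,
# which is what a missing or wrong distribute-list would look like.
SAMPLE_DEBUG = """\
RIP: RECV[internal]: Receive from 10.160.0.205:520
RIP: RECV[internal]: RESPONSE version 2 packet size 24
RIP:   0.0.0.0/0 -> 0.0.0.0 family 2 tag 0 metric 1
RIP: RECV[internal]: Receive from 10.160.0.205:520
RIP: RECV[internal]: RESPONSE version 2 packet size 44
RIP:   0.0.0.0/0 -> 0.0.0.0 family 2 tag 0 metric 1
RIP:   192.168.182.0/25 -> 0.0.0.0 family 2 tag 0 metric 1
RIP: UPDATE: Update timer fire!
"""

# "RIP: RECV[<iface>]: Receive from <neighbour>:<port>" opens one received packet.
RECV_RE = re.compile(
    r"^RIP: RECV\[(?P<iface>\w+)\]: Receive from (?P<src>[\d.]+):\d+$")
# "RIP:   <prefix> -> <nexthop> family 2 tag <n> metric <n>" is one route entry.
ROUTE_RE = re.compile(
    r"^RIP:\s+(?P<prefix>[\d.]+/\d+) -> (?P<nexthop>[\d.]+) "
    r"family \d+ tag \d+ metric (?P<metric>\d+)$")


def parse_rip_debug(text):
    """Return {(iface, neighbour): {prefix: metric}} from RIP debug output.

    Route lines are attributed to the most recent "Receive from" line; lines
    that belong to no packet (e.g. the update timer message) are ignored.
    """
    routes = {}
    current = None
    for line in text.splitlines():
        m = RECV_RE.match(line)
        if m:
            current = (m["iface"], m["src"])
            routes.setdefault(current, {})
            continue
        m = ROUTE_RE.match(line)
        if m and current is not None:
            routes[current][m["prefix"]] = int(m["metric"])
    return routes


def unexpected_prefixes(routes, allowed=("0.0.0.0/0",)):
    """Per neighbour, the received prefixes outside the allowed set.

    For this article the allowed set is just the default route, so any
    other prefix means FGT2's distribute-list is missing or too permissive.
    """
    return {
        key: sorted(p for p in prefixes if p not in allowed)
        for key, prefixes in routes.items()
        if any(p not in allowed for p in prefixes)
    }


if __name__ == "__main__":
    parsed = parse_rip_debug(SAMPLE_DEBUG)
    for key, prefixes in parsed.items():
        print(key, prefixes)
    print("unexpected:", unexpected_prefixes(parsed))
```

With the output actually shown on this page (three RESPONSE packets carrying only 0.0.0.0/0) the unexpected-prefix report is empty; with the constructed leak it names the neighbour, the interface and the offending prefix.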
