FortiGate
JohnDevNet_FTNT
Article Id 196666

Purpose

In RIPv2 there are several methods to filter the routes that are received from, and advertised to, other network elements.

This article describes an example of filtering received and advertised routes with a distribute-list.


Diagram

FGT-1 and FGT-2 are directly connected as shown in the diagram below. Both are running RIPv2.
[Diagram: FGT-1 (port10, 10.10.10.78/24) directly connected to FGT-2 (port10, 10.10.10.79/24), both running RIPv2]


Expectations, Requirements

In this example, FGT-2 only needs to learn the 172.16.0.0/16 network through RIP.


Configuration

Initial configuration

FGT-1

FGT-1 # show sys int port10
config system interface
    edit "port10"
        set vdom "root"
        set ip 10.10.10.78 255.255.255.0
        set allowaccess ping https ssh snmp http telnet fgfm auto-ipsec radius-acct probe-response capwap
        set type physical
        set snmp-index 10
    next
end

FGT-1 # show router rip
config router rip
        config network
            edit 1
                set prefix 192.168.1.0 255.255.255.0
            next
            edit 2
                set prefix 192.168.2.0 255.255.255.0
            next
            edit 3
                set prefix 192.168.3.0 255.255.255.0
            next
            edit 4
                set prefix 192.168.4.0 255.255.255.0
            next
            edit 5
                set prefix 192.168.5.0 255.255.255.0
            next
            edit 172
                set prefix 172.16.0.0 255.255.0.0
            next
            edit 10
                set prefix 10.0.0.0 255.0.0.0
            next
        end
end

FGT-2

FGT-2 # show sys int port10
config system interface
    edit "port10"
        set vdom "root"
        set ip 10.10.10.79 255.255.255.0
        set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap
        set type physical
        set snmp-index 10
    next
end

FGT-2 # show router rip
config router rip
    config network
        edit 10
            set prefix 10.0.0.0 255.0.0.0
        next
end


Verification

Before any filtering is applied, FGT-2 receives RIP updates for all networks, as shown below:
FGT-2 # get router info routing-table rip
R       172.16.0.0/16 [120/2] via 10.10.10.78, port10, 11:19:00    ---> This is the required network
R       192.168.1.0/24 [120/2] via 10.10.10.78, port10, 00:00:22
R       192.168.2.0/24 [120/2] via 10.10.10.78, port10, 00:00:22
R       192.168.3.0/24 [120/2] via 10.10.10.78, port10, 00:00:22
R       192.168.4.0/24 [120/2] via 10.10.10.78, port10, 00:00:22
R       192.168.5.0/24 [120/2] via 10.10.10.78, port10, 00:00:22

Use the packet sniffer on FGT-2 to capture the RIP routing updates sent from FGT-1 to FGT-2 (UDP port 520):

FGT-2 # diagnose sniffer packet port10 'src host 10.10.10.78 and udp and port 520' 6 0 a

[Figure: sniffer capture before filtering, showing the RIP update from FGT-1 carrying all advertised prefixes]


Troubleshooting

There are two options to achieve this requirement: the first one filters from the FGT-2 (receiving) perspective, the second one from the FGT-1 (advertising) perspective. Only one of the two is needed.

Option 1: Filter incoming routes in FGT-2

FGT-2

1)  Configure an access-list that permits the prefix 172.16.0.0/16 (with exact-match enabled, only that exact prefix is matched; any other prefix is denied by the implicit deny at the end of the list).
config router access-list
    edit "RIP_FILTER_IN"
        config rule
            edit 1
                set prefix 172.16.0.0 255.255.0.0
                set exact-match enable
            next
        end
    next
end

2)  Configure a distribute-list in the inbound direction on interface port10, which is the interface that receives the routes.
config router rip
    config distribute-list
        edit 1
            set status enable
            set direction in
            set listname "RIP_FILTER_IN"
            set interface "port10"
        next
    end
end

Option 2: Filter outbound routes in FGT-1

1)  Configure an access-list that permits the prefix 172.16.0.0/16 (exact-match enabled, as in Option 1).
config router access-list
    edit "RIP_FILTER_OUT"
        config rule
            edit 1
                set prefix 172.16.0.0 255.255.0.0
                set exact-match enable
            next
        end
    next
end

2)  Configure a distribute-list in the outbound direction on interface port10, which is the interface that sends the routes.
config router rip
    config distribute-list
        edit 1
            set status enable
            set direction out
            set listname "RIP_FILTER_OUT"
            set interface "port10"
        next
    end
end
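
Either option relies on the same access-list semantics, so the following added example (not part of the original article, written by the editor) models them in Python: it parses the "get router info routing-table rip" output shown above, applies an access-list rule with and without exact-match, and reports any prefix that slipped through, which is the post-change check an operator would want to automate. It assumes the documented FortiOS behaviour that exact-match compares prefix and length exactly, while a rule without exact-match also matches any more-specific route inside the prefix; the 172.16.5.0/24 route is constructed to show that difference.

```python
import ipaddress
import re

# Constructed sample: the pre-filter RIP table from FGT-2 in this article,
# plus one constructed more-specific route (172.16.5.0/24) to show exact-match.
RIP_TABLE = """\
R       172.16.0.0/16 [120/2] via 10.10.10.78, port10, 11:19:00
R       192.168.1.0/24 [120/2] via 10.10.10.78, port10, 00:00:22
R       192.168.2.0/24 [120/2] via 10.10.10.78, port10, 00:00:22
R       172.16.5.0/24 [120/2] via 10.10.10.78, port10, 00:00:22
"""

# "R  <prefix>/<len> [<ad>/<metric>] via <nexthop>, <iface>, <uptime>"
ROUTE_RE = re.compile(r"^R\s+(\S+/\d+)\s+\[(\d+)/(\d+)\]\s+via\s+(\S+),\s*(\S+),")


def parse_rip_table(text):
    """Parse routing-table lines into (network, next hop, interface) tuples."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes.append((ipaddress.ip_network(m.group(1)), m.group(4), m.group(5)))
    return routes


def rule_matches(route, rule_prefix, exact_match):
    """One access-list rule (assumed semantics): exact-match requires the same
    prefix and length; otherwise any route contained in the rule prefix matches."""
    rule = ipaddress.ip_network(rule_prefix)
    if exact_match:
        return route == rule
    return route.subnet_of(rule)


def apply_distribute_list(routes, rules):
    """Keep routes permitted by any rule; everything else hits the implicit deny.
    rules: list of (prefix_in_cidr, exact_match) pairs."""
    return [r for r in routes if any(rule_matches(r[0], p, e) for p, e in rules)]


def unexpected_prefixes(routes, expected):
    """Post-change check: prefixes present that are not in the expected set."""
    return {str(r[0]) for r in routes} - set(expected)


if __name__ == "__main__":
    kept = apply_distribute_list(parse_rip_table(RIP_TABLE), [("172.16.0.0/16", True)])
    print([str(r[0]) for r in kept], unexpected_prefixes(kept, ["172.16.0.0/16"]))
```

Running the same filter with exact_match set to False keeps 172.16.5.0/24 as well, which is why the article's access-list enables exact-match for a requirement of exactly one prefix.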

Verification

After the distribute-list has been configured, FGT-2's routing table must contain only the 172.16.0.0/16 network received from FGT-1:
FGT-2 # get router info routing-table rip

R       172.16.0.0/16 [120/2] via 10.10.10.78, port10, 05:08:08

Routing update after configuration

Packet capture (either filter shows the RIP updates; 224.0.0.9 is the RIPv2 multicast address):
# diagnose sniffer packet any 'host 224.0.0.9' 6 0 a
# diagnose sniffer packet any 'udp and port 520' 6 0 a

[Figure: sniffer capture after filtering, showing the RIP update carrying only 172.16.0.0/16]
