
Create an access-list on a route-map that denies a specific network on a BGP peering

Sample Topology: (diagram not reproduced in this extract)

Requirements

This example shows how to build an inbound route-map (route-map-in) on FortiGate2 that uses an
access-list rule to deny the prefix 10.10.30.0/24 advertised by FortiGate1, while still accepting every other prefix from that peer.

Configuration

FortiGate1 BGP GUI configuration:

FortiGate2 BGP GUI configuration:


FortiGate2 CLI configuration to deny the 10.10.30.0/24 network and allow any other network:

Access-list:

# config router access-list
# show
config router access-list
    edit "BLOCK_10.10.30.0/24"
        config rule
            edit 1
                set prefix 10.10.30.0 255.255.255.0
                set exact-match enable
            next
        end
    next
    edit "ALLOW_OTHER"
        config rule
            edit 1
                set prefix any
                set exact-match enable
            next
        end
    next
end

Both rules keep the default action (permit); the deny is applied by the route-map, not by the access-list. With exact-match enabled the BLOCK rule matches 10.10.30.0/24 only: a more-specific prefix inside it, such as 10.10.30.0/25, does not match this rule and falls through to ALLOW_OTHER. If the intent is to block the whole range including more-specific routes, leave exact-match disabled on that rule.

Route-map:

# config router route-map
# show
config router route-map
    edit "BLOCK_10.10.30.0/24"
        config rule
            edit 1
                set action deny
                set match-ip-address "BLOCK_10.10.30.0/24"
            next
            edit 2
                set match-ip-address "ALLOW_OTHER"
            next
        end
    next
end

Rule 2 keeps the default action (permit) and is required: a route-map ends with an implicit deny, so without a matching permit rule every prefix from the peer, not only 10.10.30.0/24, would be dropped.
Then assign that route-map to route-map-in in the FortiGate2 neighbor configuration:

# config router bgp
# config neighbor
# edit "192.168.175.230"
# set route-map-in "BLOCK_10.10.30.0/24"
# next
# end
# end

The resulting BGP configuration on FortiGate2:

# config router bgp
# show
config router bgp
    set as 20
    set router-id 192.168.175.231
    config neighbor
        edit "192.168.175.230"
            set remote-as 10
            set route-map-in "BLOCK_10.10.30.0/24"
        next
    end
    config redistribute "connected"
    end
    config redistribute "rip"
    end
    config redistribute "ospf"
    end
    config redistribute "static"
    end
    config redistribute "isis"
    end
end
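To make the filtering semantics of the access-list and route-map above concrete, here is an added Python model (example code, not FortiOS code or a Fortinet tool). It assumes the usual policy semantics: an access-list is evaluated first-match with deny when nothing matches, route-map rules are evaluated in order with an implicit deny at the end, and a prefix rule without exact-match also matches more-specific routes inside the prefix. It encodes the FortiGate2 policy as configured, plus a hardened variant with exact-match disabled, and evaluates a constructed set of received prefixes against both, including the more-specific 10.10.30.0/25 that the exact-match rule lets through.

```python
"""Model of how a FortiOS-style access-list + route-map pair filters inbound
BGP prefixes.  Added illustration; the matching semantics are assumptions
stated in the lead-in, not taken from the page."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AclRule:
    prefix: str                  # "any" or "network netmask" as typed in the CLI
    exact_match: bool = False    # set exact-match enable/disable
    action: str = "permit"       # set action permit/deny (permit is the default)


@dataclass(frozen=True)
class RouteMapRule:
    action: str = "permit"       # set action permit/deny (permit is the default)
    match: Optional[str] = None  # set match-ip-address <access-list name>


def acl_rule_matches(rule: AclRule, route: ipaddress.IPv4Network) -> bool:
    """Does one access-list rule match this route?"""
    if rule.prefix == "any":
        return True
    net, mask = rule.prefix.split()
    target = ipaddress.ip_network(f"{net}/{mask}", strict=False)
    if rule.exact_match:
        return route == target          # only the exact prefix and length
    return route.subnet_of(target)      # the prefix and anything more specific


def acl_permits(rules: List[AclRule], route: ipaddress.IPv4Network) -> bool:
    """First-match evaluation; no match means the access-list denies."""
    for rule in rules:
        if acl_rule_matches(rule, route):
            return rule.action == "permit"
    return False


def route_map_decision(route_map: List[RouteMapRule],
                       acls: Dict[str, List[AclRule]], prefix: str) -> str:
    """Walk the route-map in order; the first rule whose access-list permits
    the route decides.  Falling off the end is the implicit deny."""
    route = ipaddress.ip_network(prefix)
    for rule in route_map:
        if rule.match is None or acl_permits(acls[rule.match], route):
            return rule.action
    return "deny"


def filter_updates(route_map, acls, prefixes: List[str]) -> Dict[str, str]:
    return {p: route_map_decision(route_map, acls, p) for p in prefixes}


# Policy exactly as configured on FortiGate2 in the page.
ACLS_AS_CONFIGURED = {
    "BLOCK_10.10.30.0/24": [AclRule("10.10.30.0 255.255.255.0", exact_match=True)],
    "ALLOW_OTHER": [AclRule("any", exact_match=True)],
}
ROUTE_MAP_IN = [
    RouteMapRule(action="deny", match="BLOCK_10.10.30.0/24"),
    RouteMapRule(action="permit", match="ALLOW_OTHER"),
]
# Hardened variant (assumption: exact-match disabled also catches
# more-specific routes inside 10.10.30.0/24).
ACLS_HARDENED = {
    "BLOCK_10.10.30.0/24": [AclRule("10.10.30.0 255.255.255.0", exact_match=False)],
    "ALLOW_OTHER": [AclRule("any")],
}

if __name__ == "__main__":
    # Constructed sample: the three prefixes from the lab plus a more-specific leak attempt.
    received = ["10.10.10.0/24", "10.10.30.0/24", "10.10.20.0/24", "10.10.30.0/25"]
    print("as configured:", filter_updates(ROUTE_MAP_IN, ACLS_AS_CONFIGURED, received))
    print("hardened:     ", filter_updates(ROUTE_MAP_IN, ACLS_HARDENED, received))
    # Route-map with only the deny rule: everything is dropped by the implicit deny.
    print("deny only:    ", filter_updates(ROUTE_MAP_IN[:1], ACLS_AS_CONFIGURED, received))
```

The "deny only" case is the mistake this page guards against: removing rule 2 does not make the route-map "deny just one prefix", it makes it deny everything.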

The new inbound policy is applied only to updates received after it is configured, so clear the BGP peering for the route-map and access-list to take effect:

# execute router clear bgp as 10      (10 is the AS number of FortiGate1, the remote peer)

or

# execute router clear bgp all

Both commands perform a hard reset and tear down the session with every matching peer, which briefly withdraws all routes learned from it. Where the FortiOS version supports it, a soft inbound reset (execute router clear bgp all soft in) reapplies the inbound policy without dropping the session.

Troubleshooting

To confirm that the prefix is actually being blocked, enable BGP debugging:

# diag ip router bgp all enable
# diag ip router bgp level info
# diag debug enable

Note: to stop the BGP debugging afterwards, run these commands:

# diag debug disable
# diag ip router bgp all disable
# diag ip router bgp level none

Here is the sample result:

BGP: [NETWORK] Accept Thread: Incoming conn from host 192.168.175.230 (FD=24)
BGP: 192.168.175.230-Outgoing [FSM] State: Idle Event: 14
BGP: 192.168.175.230-Outgoing [FSM] State: Idle Event: 3
BGP: 192.168.175.230-Outgoing [NETWORK] FD=24, Sock Status: 0-Success
BGP: 192.168.175.230-Outgoing [FSM] State: Connect Event: 17
BGP: 192.168.175.230-Outgoing [ENCODE] Msg-Hdr: Type 1
BGP: 192.168.175.230-Outgoing [ENCODE] Open: Ver 4 MyAS 20 Holdtime 180
BGP: 192.168.175.230-Outgoing [ENCODE] Open: Msg-Size 61
BGP: 192.168.175.230-Outgoing [DECODE] Msg-Hdr: type 1, length 61
BGP: 192.168.175.230-Outgoing [DECODE] Open: Optional param len 32
BGP: 192.168.175.230-Outgoing [DECODE] Open Opt: Option Type 2, Option Len 6
BGP: 192.168.175.230-Outgoing [DECODE] Open Cap: Cap Code 1, Cap Len 4
BGP: 192.168.175.230-Outgoing [DECODE] Open Opt: Option Type 2, Option Len 6
BGP: 192.168.175.230-Outgoing [DECODE] Open Cap: Cap Code 1, Cap Len 4
BGP: 192.168.175.230-Outgoing [DECODE] Open Opt: Option Type 2, Option Len 2
BGP: 192.168.175.230-Outgoing [DECODE] Open Cap: Cap Code 128, Cap Len 0
BGP: 192.168.175.230-Outgoing [DECODE] Open Cap: RR Cap(old) for all address-families
BGP: 192.168.175.230-Outgoing [DECODE] Open Opt: Option Type 2, Option Len 2
BGP: 192.168.175.230-Outgoing [DECODE] Open Cap: Cap Code 2, Cap Len 0
BGP: 192.168.175.230-Outgoing [DECODE] Open Cap: RR Cap(new) for all address-families
BGP: 192.168.175.230-Outgoing [DECODE] Open Opt: Option Type 2, Option Len 6
BGP: 192.168.175.230-Outgoing [DECODE] Open Cap: Cap Code 65, Cap Len 4
BGP: 192.168.175.230-Outgoing [FSM] State: OpenSent Event: 19
BGP: 192.168.175.230-Outgoing [ENCODE] Msg-Hdr: Type 4
BGP: 192.168.175.230-Outgoing [ENCODE] Keepalive: 28 KAlive msg(s) sent
BGP: bgp_keepalive_proc: notif_rcv 4-4
BGP: 192.168.175.230-Outgoing [DECODE] Msg-Hdr: type 4, length 19
BGP: 192.168.175.230-Outgoing [DECODE] KAlive: Received!
BGP: 192.168.175.230-Outgoing [FSM] State: OpenConfirm Event: 26
id=20300 logdesc="BGP neighbor status changed" msg="BGP: %BGP-5-ADJCHANGE: neighbor 192.168.175.230 Up "
BGP: 192.168.175.230-Outgoing [DECODE] Msg-Hdr: type 2, length 55
BGP: 192.168.175.230-Outgoing [DECODE] Update: Starting UPDATE decoding... Bytes To Read (36), msg_size (36)
BGP: 192.168.175.230-Outgoing [DECODE] Update: NLRI Len(12)
BGP: 192.168.175.230-Outgoing [FSM] State: Established Event: 27
BGP: 192.168.175.230-Outgoing [RIB] Update: Received Prefix 10.10.10.0/24
BGP: 192.168.175.230-Outgoing [RIB] Update: Prefix 10.10.30.0/24 denied due to route-map
BGP: 192.168.175.230-Outgoing [RIB] Update: Received Prefix 10.10.20.0/24
BGP: 192.168.175.230-Outgoing [FSM] State: Established Event: 34
BGP: [RIB] Scanning BGP Network Routes...

The line "Prefix 10.10.30.0/24 denied due to route-map" is the confirmation that the inbound route-map rejected the prefix, while 10.10.10.0/24 and 10.10.20.0/24 were accepted.

To make sure that the route 10.10.30.0/24 is not installed in the routing table of FortiGate2, run this command:

# get router info routing-table all

Here is the result of this lab:

# get router info routing-table all

Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

B       10.10.10.0/24 [20/0] via 192.168.175.230, port1, 00:01:19
B       10.10.20.0/24 [20/0] via 192.168.175.230, port1, 00:01:19
C       192.168.175.0/24 is directly connected, port1

Only the two permitted prefixes are installed as BGP (B) routes; 10.10.30.0/24 is absent.
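The two checks above (a "denied due to route-map" line in the BGP debug and the prefix missing from the routing table) are easy to eyeball once but tedious to repeat after every policy change. The following added Python script (example code, not a Fortinet tool) parses both outputs and cross-checks them: every prefix that must be blocked has to show a route-map deny from the peer and must not appear in the routing table, and every prefix the peer was allowed to send has to be installed as a BGP route. The sample debug lines and routing-table lines are constructed from the lab output on this page; the "[RIB] Update" and routing-table line formats are assumed to be stable across the FortiOS release the page was written for.

```python
"""Cross-check BGP debug output against the routing table to verify that an
inbound route-map really blocked the intended prefixes.  Added illustration;
the line formats are taken from the lab output reproduced on the page."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample input, copied from the lab debug output above.
DEBUG_LOG = """\
BGP: 192.168.175.230-Outgoing [FSM] State: Established Event: 27
BGP: 192.168.175.230-Outgoing [RIB] Update: Received Prefix 10.10.10.0/24
BGP: 192.168.175.230-Outgoing [RIB] Update: Prefix 10.10.30.0/24 denied due to route-map
BGP: 192.168.175.230-Outgoing [RIB] Update: Received Prefix 10.10.20.0/24
BGP: [RIB] Scanning BGP Network Routes...
"""

# Constructed sample input, copied from "get router info routing-table all".
ROUTING_TABLE = """\
Routing table for VRF=0
B       10.10.10.0/24 [20/0] via 192.168.175.230, port1, 00:01:19
B       10.10.20.0/24 [20/0] via 192.168.175.230, port1, 00:01:19
C       192.168.175.0/24 is directly connected, port1
"""

# Same table with the blocked prefix leaked in (constructed failure case).
LEAKED_TABLE = ROUTING_TABLE + \
    "B       10.10.30.0/24 [20/0] via 192.168.175.230, port1, 00:00:05\n"

RECEIVED = re.compile(
    r"^BGP: (?P<peer>[\d.]+)-\w+ \[RIB\] Update: Received Prefix (?P<prefix>\S+)$")
DENIED = re.compile(
    r"^BGP: (?P<peer>[\d.]+)-\w+ \[RIB\] Update: Prefix (?P<prefix>\S+) denied due to route-map$")
ROUTE = re.compile(
    r"^(?P<code>[A-Z*]+)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+"
    r"(?:\[\d+/\d+\] via (?P<nexthop>[\d.]+),)?")


def parse_bgp_debug(text: str) -> Tuple[Dict[str, Set[str]], Dict[str, Set[str]]]:
    """Return (accepted, denied) as {peer: {prefix, ...}} from debug output."""
    accepted: Dict[str, Set[str]] = {}
    denied: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        m = RECEIVED.match(line)
        if m:
            accepted.setdefault(m["peer"], set()).add(m["prefix"])
            continue
        m = DENIED.match(line)
        if m:
            denied.setdefault(m["peer"], set()).add(m["prefix"])
    return accepted, denied


def parse_routing_table(text: str) -> Dict[str, str]:
    """Return {prefix: route code} from 'get router info routing-table all'."""
    routes: Dict[str, str] = {}
    for line in text.splitlines():
        m = ROUTE.match(line)
        if m:
            routes[m["prefix"]] = m["code"]
    return routes


def check_filter(debug_text: str, table_text: str, peer: str,
                 must_block: List[str]) -> List[str]:
    """Return a list of findings; an empty list means the filter is effective."""
    accepted, denied = parse_bgp_debug(debug_text)
    routes = parse_routing_table(table_text)
    findings: List[str] = []
    for prefix in must_block:
        if prefix not in denied.get(peer, set()):
            findings.append(f"{prefix}: no route-map deny seen for peer {peer}")
        if prefix in routes:
            findings.append(f"{prefix}: present in routing table as {routes[prefix]}")
    for prefix in sorted(accepted.get(peer, set())):
        if routes.get(prefix) != "B":
            findings.append(f"{prefix}: accepted from {peer} but not installed as a BGP route")
    return findings


if __name__ == "__main__":
    for label, table in (("lab table", ROUTING_TABLE), ("leaked table", LEAKED_TABLE)):
        result = check_filter(DEBUG_LOG, table, "192.168.175.230", ["10.10.30.0/24"])
        print(label, "->", result or "OK: filter effective")
```

In practice the two inputs would come from the device (the debug capture and the routing-table output saved to files); the script raises a finding both when the route-map never reported a deny and when the prefix is installed anyway, which catches the case where the policy was attached but the session was not cleared.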
