Access Lists
Access lists are filters used by FortiGate unit RIP and OSPF routing. An access list provides a list of IP addresses and the action to take for each of them; in effect, it groups addresses that will be treated the same way into one list, independent of their subnets or other matching qualities. You add a rule for each address or subnet that you want to include, specifying the action to take for it. For example, if you want all traffic from one department to be routed a particular way, even across different buildings, you can add all of its addresses to an access list and then handle that list as a whole.
Each rule in an access list consists of a prefix (IP address and netmask), the action to take for this prefix (permit or deny), and whether to match the prefix exactly or to match the prefix and any more specific prefix.
The FortiGate unit attempts to match a packet against the rules in an access list starting at the top of the list. If it finds a match for the prefix, it takes the action specified for that prefix. If no match is found the default action is deny.
Access lists greatly speed up configuration and network management. When there is a problem, you can check each list instead of individual addresses. It is also easier to troubleshoot: if all addresses on one list have problems, that eliminates many possible causes right away.
If you are using the RIPng or OSPF+ IPv6 protocols, you will need to use access-list6, the IPv6 version of access list. The only difference is that access-list6 uses IPv6 addresses.
For example, if you want to create an access list called test_list that only allows an exact match of 10.10.10.10 and 11.11.11.11, enter the command:
config router access-list
    edit test_list
        config rule
            edit 1
                set prefix 10.10.10.10 255.255.255.255
                set action permit
                set exact-match enable
            next
            edit 2
                set prefix 11.11.11.11 255.255.255.255
                set action permit
                set exact-match enable
            end
    end
Another example: if you want to deny ranges of IPv6 addresses that start with the IPv6 equivalents of 10.10.10.10 and 11.11.11.11, enter the access-list6 command as follows:
config router access-list6
    edit test_list_ip6
        config rule
            edit 1
                set prefix6 2002:A0A:A0A:0:0:0:0:0/48
                set action deny
            next
            edit 2
                set prefix6 2002:B0B:B0B:0:0:0:0:0/48
                set action deny
            end
    end
To use an access list, you must call it from a routing protocol such as RIP. The following example uses the access list from the earlier example, test_list, to match routes coming in on the port1 interface. When there is a match, it adds 3 to the hop count metric for those routes, artificially increasing their metric. Enter the following command:
config router rip
    config offset-list
        edit 5
            set access-list test_list
            set direction in
            set interface port1
            set offset 3
            set status enable
        end
    end
If you are setting a prefix of 128.0.0.0, use the format 128.0.0.0/1. The default route, 0.0.0.0/0, cannot be exactly matched with an access-list; a prefix-list must be used for this purpose.
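The matching rules described in this section (rules tried from the top, first match wins, exact-match versus prefix-plus-more-specific, deny when nothing matches) modelled in Python and run against the test_list and test_list_ip6 examples above. This is an added illustration, not FortiOS code; the Rule and evaluate names are assumptions, and it uses one matcher for both IPv4 and IPv6 prefixes.

```python
import ipaddress
from dataclasses import dataclass


# Constructed model of access-list rule semantics (not FortiOS code).
@dataclass
class Rule:
    prefix: str             # e.g. "10.10.10.10/32" or "2002:A0A:A0A::/48"
    action: str             # "permit" or "deny"
    exact_match: bool = False

    def matches(self, route: str) -> bool:
        rule_net = ipaddress.ip_network(self.prefix, strict=False)
        route_net = ipaddress.ip_network(route, strict=False)
        if rule_net.version != route_net.version:
            return False            # an IPv4 rule never matches an IPv6 route
        if self.exact_match:
            return route_net == rule_net
        # Without exact-match, the rule also covers any more specific prefix.
        return route_net.subnet_of(rule_net)


def evaluate(rules, route: str) -> str:
    """Walk the list top-down; the first matching rule decides, else deny."""
    for rule in rules:
        if rule.matches(route):
            return rule.action
    return "deny"


# The two lists from the CLI examples above, as constructed rule objects.
TEST_LIST = [
    Rule("10.10.10.10/32", "permit", exact_match=True),
    Rule("11.11.11.11/32", "permit", exact_match=True),
]
TEST_LIST_IP6 = [
    Rule("2002:A0A:A0A::/48", "deny"),
    Rule("2002:B0B:B0B::/48", "deny"),
]

if __name__ == "__main__":
    for route in ("10.10.10.10/32", "10.10.10.0/24", "11.11.11.11/32"):
        print(route, "->", evaluate(TEST_LIST, route))
    for route in ("2002:A0A:A0A:1::/64", "2002:C0C:C0C::/48"):
        print(route, "->", evaluate(TEST_LIST_IP6, route))
```

Because test_list uses exact-match, 10.10.10.0/24 falls through to the implicit deny, while the IPv6 list (no exact-match) also catches the more specific 2002:A0A:A0A:1::/64.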
How RIP works
As one of the original modern dynamic routing protocols, RIP is straightforward. Its routing algorithm is not complex, there are some options to allow fine tuning, and it’s relatively simple to configure RIP on FortiGate units.
From RFC 1058:
Distance vector algorithms are based on the exchange of only a small amount of information. Each entity (gateway or host) that participates in the routing protocol is assumed to keep information about all of the destinations within the system. Generally, information about all entities connected to one network is summarized by a single entry, which describes the route to all destinations on that network.
This section includes:
- RIP versus static routing
- RIP metric — hop count
- The Bellman–Ford routing algorithm
- Passive versus active RIP interfaces
- RIP packet structure