config router
Use the config router commands to configure options related to routing protocols and packet forwarding:
- config router access-list
- config router access-list6
- config router aspath-list
- config router bgp
- config router community-list
- config router isis
- config router key-chain
- config router multicast
- config router multicast-flow
- config router ospf
- config router ospf6
- config router prefix-list
- config router prefix-list6
- config router rip
- config router route-map
- config router setting
- config router static
- config router static6
config router access-list
Use this command to configure an IPv4 access list. An access list is a list of IP addresses and the action to take for each one. Access lists provide basic route and network filtering.
Syntax
config router access-list
edit <list_str>
set comments <comment_str>
config rule
edit <rule_int>
set action {deny | permit}
set prefix {<xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx> | any}
set wildcard <IP_address>
set exact-match {enable | disable}
end
end
Variable |
Description |
Default |
<list_str> |
Enter the name of the access list.
|
No default |
comments <comment_str> |
Enter a descriptive comment. |
No default |
<rule_int> |
The rule identifier. |
No default |
action {deny | permit} |
Set whether the rule allows or denies the IPv4 address. |
permit |
prefix {<xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx> | any} |
Set the prefix (network address and netmask) or any to define regular filter criteria. NOTE: When the prefix form is used, the access list name must contain at least one alphabetic character. |
any |
wildcard <IP_address> |
Define Cisco-style wildcard filter criteria. NOTE: When the wildcard form is used, the access list name must be a number in the range 1-99; string names are not supported. |
No default |
exact-match {enable | disable} |
Set whether the rule looks for an exact match with the value in the prefix field. |
disable |
Example
This example shows how to configure an access list:
config router access-list
edit mylist
set comments "access list for RIP 1"
config rule
edit 1
set action permit
set prefix xxx.xx.xx.xx xxx.xxx.xxx.x
end
end
config router access-list6
Use this command to configure an IPv6 access list. An access list is a list of IP addresses and the action to take for each one. Access lists provide basic route and network filtering.
Syntax
config router access-list6
edit <name_of_IPv6_access_list>
set comments <string>
config rule
edit <rule_ID>
set action {deny | permit}
set prefix6 {<xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx> | any}
set exact-match {enable | disable}
next
end
end
Variable |
Description |
Default |
<name_of_IPv6_access_list> |
Enter the name of the IPv6 access list. |
No default |
comments <string> |
Enter a descriptive comment. |
No default |
<rule_ID> |
The rule identifier. |
No default |
action {deny | permit} |
Set whether the rule allows or denies the IPv6 address. |
permit |
prefix6 {<xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx> | any} |
Set the IPv6 prefix (or any) to define regular filter criteria. |
No default |
exact-match {enable | disable} |
Set whether the rule looks for an exact match with the value in the prefix field. |
disable |
Example
This example shows how to configure an IPv6 access list:
config router access-list6
edit accesslist1
set comments "IPv6 access list"
config rule
edit 1
set action permit
set prefix6 fe80::a5b:eff:fef1:95e5
set exact-match disable
next
end
end
config router aspath-list
Use this command to set or unset Border Gateway Protocol (BGP) AS-path list parameters. By default, BGP uses an ordered list of Autonomous System (AS) numbers to describe the route that a packet takes to reach its destination. A list of these AS numbers is called the AS path. You can filter BGP routes using AS path lists.
Use the config router aspath-list command to define an access list that examines the AS_PATH attributes of BGP routes to match routes. Each entry in the list defines a rule for matching and selecting routes based on the setting of the AS_PATH attribute.
Syntax
config router aspath-list
edit <AS_path_list_name>
config rule
edit <rule_identifier>
set action {deny | permit}
set regexp <string>
end
end
Variable |
Description |
Default |
<AS_path_list_name> |
Enter the name of the AS path list. |
No default |
<rule_identifier> |
Enter a rule identifier. |
No default |
action {deny | permit} |
Set whether to permit or deny route-based operations, based on the routeʼs AS_PATH attribute. |
No default |
regexp <string> |
Specify the regular expression that will be compared to the AS_PATH attribute (for example, ^730$). The value is used to match AS numbers. Enclose a complex regular expression value within double-quotation marks. |
No default |
config router bgp
Use this command to configure Border Gateway Protocol version-4 (BGP-4) routing parameters. BGP can be used to perform Classless Interdomain Routing (CIDR) and to route traffic between different autonomous systems or domains using an alternative route if a link between a FortiSwitch unit and a BGP peer (such as an ISP router) fails.
The following RFCs are supported:
- RFC1771—A Border Gateway Protocol 4 (BGP-4)
- RFC1965—Autonomous System Confederations for BGP
- RFC1997—BGP Communities Attribute
- RFC2545—Use of BGP-4 Multiprotocol Extensions for IPv6 Inter-Domain Routing
- RFC2796—BGP Route Reflection: An alternative to full mesh IBGP
- RFC2858—Multiprotocol Extensions for BGP-4
- RFC2842—Capabilities Advertisement with BGP-4
- RFC2439—BGP Route Flap Damping
Syntax
config router bgp
set as <MANDATORY_router_AS_number>
set router-id <MANDATORY_IP_address>
set keepalive-timer <0-65535>
set holdtime-timer <0, 3-65535>
set always-compare-med {disable | enable}
set bestpath-as-path-ignore {disable | enable}
set bestpath-cmp-confed-aspath {disable | enable}
set bestpath-cmp-routerid {disable | enable}
set bestpath-med-confed {disable | enable}
set bestpath-med-missing-as-worst {disable | enable}
set client-to-client-reflection {disable | enable}
set dampening {disable | enable}
set dampening-reachability-half-life <1-45>
set dampening-reuse <1-20000>
set dampening-suppress <1-20000>
set dampening-max-suppress-time <1-255>
set deterministic-med {disable | enable}
set enforce-first-as {disable | enable}
set fast-external-failover {disable | enable}
set log-neighbor-changes {disable | enable}
set cluster-id <IP_address>
set confederation-identifier <1-4294967295>
set default-local-preference <0-4294967295>
set scan-time <5-60>
set maximum-paths-ebgp <1-64>
set bestpath-aspath-multipath-relax {disable | enable}
set maximum-paths-ibgp <1-64>
set distance-external <1-255>
set distance-internal <1-255>
set distance-local <1-255>
set graceful-stalepath-time <1-3600>
config admin-distance
edit <identifier>
set distance <1-255>
set neighbour-prefix <IP_address_netmask>
set route-list <string>
config aggregate-address
edit <identifier>
set as-set {disable | enable}
set prefix <IP_address_netmask>
set summary-only {disable | enable}
config neighbor
edit <IPv4_address>
set advertisement-interval <0-600>
set allowas-in-enable {disable | enable}
set allowas-in <1-10>
set attribute-unchanged {as-path | MED | next-hop}
set activate {disable | enable}
set bfd {disable | enable}
set capability-dynamic {disable | enable}
set capability-orf {both | none | receive | send}
set capability-default-originate {disable | enable}
set dont-capability-negotiate {disable | enable}
set ebgp-enforce-multihop {disable | enable}
set ebgp-multihop-ttl <1-255>
set ebgp-ttl-security-hops <1-254>
set next-hop-self {disable | enable}
set override-capability {disable | enable}
set passive {disable | enable}
set remove-private-as {disable | enable}
set route-server-client {disable | enable}
set shutdown {disable | enable}
set soft-reconfiguration {disable | enable}
set strict-capability-match {disable | enable}
set description <string>
set distribute-list-in <string>
set distribute-list-out <string>
set aspath-filter-list-in <string>
set aspath-filter-list-out <string>
set maximum-prefix <1-4294967295>
set prefix-list-in <string>
set prefix-list-out <string>
set remote-as <MANDATORY_1-4294967295>
set route-map-in <string>
set route-map-out <string>
set send-community {both | disable | extended | standard}
set keep-alive-timer <0-65535>
set holdtime-timer <0, 3-65535>
set connect-timer <0-65535>
set unsuppress-map <string>
set update-source {interface_name}
set weight <0-65535>
set password <string>
config network
edit <identifier>
set backdoor {disable | enable}
set prefix <IP_address_netmask>
set route-map <string>
config redistribute {connected | isis | ospf | rip | static}
set status {disable | enable}
set route-map <string>
end
end
Variable |
Description |
Default |
as <MANDATORY_router_AS_number> |
Mandatory. Enter an integer to specify the local autonomous system (AS) number of the FortiSwitch unit. The range is from 1 to 4 294 967 295. A value of 0 disables BGP (disabled by default). |
0 |
router-id <MANDATORY_IP_address> |
Mandatory. Specify a fixed identifier for the FortiSwitch unit. A value of 0.0.0.0 is not allowed. |
0.0.0.0 |
keepalive-timer <0-65535> |
How often (in seconds) the router sends out keepalive messages to neighbor routers to maintain those sessions. |
60 |
holdtime-timer <0, 3-65535> |
How long (in seconds) the router will wait for a keepalive message before declaring a router offline. A shorter time will find an off-line router faster. |
180 |
always-compare-med {disable | enable} |
Always compare Multi-Exit Discriminator (MED). |
disable |
bestpath-as-path-ignore {disable | enable} |
AS_PATH is the BGP attribute that records each AS that a route advertisement has passed through; it is used to detect routing loops. By default (disable) a shorter AS path is preferred during best-path selection. Enable this option to ignore AS path length when selecting the best path. |
disable |
bestpath-cmp-confed-aspath {disable | enable} |
Enable or disable the comparison of the AS_CONFED_SEQUENCE attribute, which defines an ordered list of AS numbers representing a path from the FortiSwitch unit through autonomous systems within the local confederation. |
disable |
bestpath-cmp-routerid {disable | enable} |
Compare router ID for identical external BGP (EBGP) paths. |
disable |
bestpath-med-confed {disable | enable} |
Compare MED among confederation paths. |
disable |
bestpath-med-missing-as-worst {disable | enable} |
Enable or disable (by default) treating a path with a missing MED attribute as the least preferred (worst) path. When disabled, a missing MED is treated as the best possible value, 0. |
disable |
client-to-client-reflection {disable | enable} |
Enable (by default) or disable client-to-client route reflection between internal BGP (IBGP) peers. If the clients are fully meshed, route reflection may be disabled. |
enable |
dampening {disable | enable} |
Enable or disable (by default) route-flap dampening on all BGP routes. A flapping route is unstable and continually transitions down and up (see RFC 2439). |
disable |
dampening-reachability-half-life <1-45> |
If you enable dampening, set the half-life (in minutes) for reachable routes. The penalty accumulated by a flapping route is reduced by half each time this interval elapses. |
15 |
dampening-reuse <1-20000> |
If you enable dampening, set a dampening reuse limit based on the number of accumulated penalties. If the penalty assigned to a flapping route decreases enough to fall below the specified limit, the route is not suppressed. |
750 |
dampening-suppress <1-20000> |
If you enable dampening, set a dampening-suppression limit based on the number of accumulated penalties. A route is suppressed (not advertised) when its penalty exceeds the specified limit. |
2000 |
dampening-max-suppress-time <1-255> |
If you enable dampening, set the maximum time (in minutes) that a route can be suppressed. A route can continue to accumulate penalties while it is suppressed. However, the route cannot be suppressed longer than the maximum time. |
60 |
deterministic-med {disable | enable} |
Enforce deterministic comparison of MED. |
disable |
enforce-first-as {disable | enable} |
Enforce first AS for EBGP routes. |
disable |
fast-external-failover {disable | enable} |
Reset peer BGP session if link goes down. |
enable |
log-neighbor-changes {disable | enable} |
Enable or disable logging of BGP neighborʼs changes. |
enable |
cluster-id <IP_address> |
Route reflector cluster ID. |
0.0.0.0 |
confederation-identifier <1-4294967295> |
Confederation identifier. |
0 |
default-local-preference <0-4294967295> |
Default local preference. |
100 |
scan-time <5-60> |
Background scanner interval (seconds). |
60 |
maximum-paths-ebgp <1-64> |
Set the maximum number of paths for equal-cost multi-path (ECMP) routing using the External Border Gateway Protocol (EBGP). |
1 |
bestpath-aspath-multipath-relax {disable | enable} |
Enable or disable load sharing across routes that are the same length but have different autonomous system (AS) paths. |
disable |
maximum-paths-ibgp <1-64> |
Set the maximum number of paths for equal-cost multi-path (ECMP) routing using the Internal Border Gateway Protocol (IBGP). |
1 |
distance-external <1-255> |
Distance for routes external to the AS. |
20 |
distance-internal <1-255> |
Distance for routes internal to the AS. |
200 |
distance-local <1-255> |
Distance for routes local to the AS. |
200 |
graceful-stalepath-time <1-3600> |
Time (in seconds) to hold the stale paths of a restarting neighbor. |
360 |
config admin-distance |
||
<identifier> |
Enter an identifier to set administrative distance modifications for BGP routes. |
No default |
distance <1-255> |
Set the administrative distance to apply. |
0 |
neighbour-prefix <IP_address_netmask> |
Neighbor address prefix. Enter the IP address and netmask. |
0.0.0.0 0.0.0.0 |
route-list <string> |
The list of routes this distance will be applied to. |
No default |
config aggregate-address |
||
<identifier> |
Enter a BGP aggregate entry in the routing table.
When you aggregate routes, routing becomes less precise because path details are not readily available for routing purposes. The aggregate address represents addresses in several autonomous systems. Aggregation reduces the length of the network mask until it masks only the bits that are common to all of the addresses being summarized. |
No default |
as-set {disable | enable} |
Enable or disable the generation of an unordered list of AS numbers to include in the path information. |
disable |
prefix <IP_address_netmask> |
Aggregate prefix. The prefix 0.0.0.0 0.0.0.0 is not allowed. |
0.0.0.0 0.0.0.0 |
summary-only {disable | enable} |
Filter more specific routes from updates. |
disable |
config neighbor |
||
<IPv4_address> |
Enter the IPv4 address of the BGP neighbor. |
No default |
advertisement-interval <0-600> |
Set the minimum amount of time (in seconds) that the FortiSwitch unit waits before sending a BGP routing update to the BGP neighbor. |
30 |
allowas-in-enable {disable | enable} |
Enable to accept routes whose AS path already contains the local AS number (IPv4). By default such routes are rejected as loops. |
disable |
allowas-in <1-10> |
If you enable allowas-in-enable, set the maximum number of times the local AS number may appear in the AS path of an accepted route (IPv4). |
No default |
attribute-unchanged {as-path | MED | next-hop} |
Propagate the selected BGP attribute to the BGP neighbor unchanged (IPv4): as-path, MED, or next-hop. |
No default |
activate {disable | enable} |
Enable address family IPv4 for this neighbor. |
enable |
bfd {disable | enable} |
Enable BFD for this neighbor. |
disable |
capability-dynamic {disable | enable} |
Advertise dynamic capability to this neighbor. |
disable |
capability-orf {both | none | receive | send} |
Enable advertising of Outbound Route Filter (ORF) prefix-list capability to the BGP neighbor (IPv4): send, receive, both, or none. |
none |
capability-default-originate {disable | enable} |
Advertise default IPv4 route to this neighbor. |
disable |
dont-capability-negotiate {disable | enable} |
Do not negotiate capabilities with this neighbor. |
disable |
ebgp-enforce-multihop {disable | enable} |
Allow multi-hop EBGP neighbors. |
disable |
ebgp-multihop-ttl <1-255> |
If you enable ebgp-enforce-multihop, define a TTL value for BGP packets sent to the BGP neighbor. |
255 |
ebgp-ttl-security-hops <1-254> |
If you enable ebgp-enforce-multihop, specify the maximum number of hops to the EBGP peer. Packets from the peer whose TTL shows that they have travelled more hops than this are discarded. |
0 |
next-hop-self {disable | enable} |
Enable to advertise routes to this neighbor with the FortiSwitch unit's own address as the next hop instead of the next hop received in the route (IPv4). |
disable |
override-capability {disable | enable} |
Override result of capability negotiation. |
disable |
passive {disable | enable} |
Enable to make this session passive: the FortiSwitch unit does not send OPEN messages to this neighbor and waits for the neighbor to initiate the session. |
disable |
remove-private-as {disable | enable} |
Remove private AS number from IPv4 outbound updates. |
disable |
route-server-client {disable | enable} |
Configure this neighbor as a route server client (IPv4). |
disable |
shutdown {disable | enable} |
Administratively shut down the session with this neighbor. |
disable |
soft-reconfiguration {disable | enable} |
Allow IPv4 inbound soft reconfiguration. |
disable |
strict-capability-match {disable | enable} |
Enable strict capability matching. |
disable |
description <string> |
Description of this neighbor. |
No default |
distribute-list-in <string> |
Limit route updates from the BGP neighbor based on the Network Layer Reachability Information (NLRI) IP prefixes defined in the specified access list (IPv4). You must create the access list before it can be selected here. See config router access-list. |
No default |
distribute-list-out <string> |
Limit route updates to the BGP neighbor based on the NLRI defined in the specified access list (IPv4). You must create the access list before it can be selected here. See config router access-list. |
No default |
aspath-filter-list-in <string> |
BGP AS path filter for IPv4 inbound routes. You must create the AS path list before it can be selected here. See config router aspath-list. |
No default |
aspath-filter-list-out <string> |
BGP AS path filter for IPv4 outbound routes. You must create the AS path list before it can be selected here. See config router aspath-list. |
No default |
maximum-prefix <1-4294967295> |
Maximum number of IPv4 prefixes to accept from this peer. |
No default |
prefix-list-in <string> |
Limit route updates from a BGP neighbor based on the Network Layer Reachability Information (NLRI) in the specified prefix list (IPv4). The prefix list defines the NLRI prefix and length advertised in a route. You must create the prefix list before it can be selected here. See config router prefix-list. |
No default |
prefix-list-out <string> |
Limit route updates to a BGP neighbor based on the NLRI in the specified prefix list (IPv4). The prefix list defines the NLRI prefix and length advertised in a route. You must create the prefix list before it can be selected here. See config router prefix-list. |
No default |
remote-as <MANDATORY_1-4294967295> |
Mandatory. Adds a BGP neighbor to the FortiSwitch configuration and sets the AS number of the neighbor. If the number is identical to the AS number of the FortiSwitch unit, the FortiSwitch unit communicates with the neighbor using internal BGP (IBGP). Otherwise, the neighbor is an external peer, and the FortiSwitch unit uses EBGP to communicate with the neighbor. |
0 |
route-map-in <string> |
Limit route updates or change the attributes of route updates from the BGP neighbor according to the specified route map (IPv4). You must create the route map before it can be selected here. See config router route-map. |
No default |
route-map-out <string> |
Limit route updates or change the attributes of route updates to the BGP neighbor according to the specified route map (IPv4). You must create the route map before it can be selected here. See config router route-map. |
No default |
send-community {both | disable | extended | standard} |
Enable sending the COMMUNITY attribute to the BGP neighbor (IPv4): standard, extended, both, or disable. |
both |
keep-alive-timer <0-65535> |
How often (in seconds) the router sends out keepalive messages to neighbor routers to maintain those sessions. |
No default |
holdtime-timer <0, 3-65535> |
How long (in seconds) the router will wait for a keepalive message before declaring a router offline. A shorter time will find an off-line router faster. |
No default |
connect-timer <0-65535> |
Interval (in seconds) for connect timer. |
No default |
unsuppress-map <string> |
Specify the name of the route map to selectively unsuppress suppressed routes (IPv4). You must create the route map before it can be selected here. See config router route-map. |
No default |
update-source {interface_name} |
Interface to use as source IP/IPv6 address of TCP connections. |
No default |
weight <0-65535> |
Neighbor weight. |
No default |
password <string> |
Shared secret for MD5 authentication of the TCP session with this neighbor. The same password must be configured on the peer; with no password the session is unauthenticated. |
No default |
config network |
||
<identifier> |
Enter an identifier. |
No default |
backdoor {disable | enable} |
Mark this network as a backdoor route: a route for the prefix learned over EBGP is given the internal administrative distance so that the IGP route is preferred. |
disable |
prefix <IP_address_netmask> |
Set the network prefix. Enter the IP address and netmask. |
0.0.0.0 0.0.0.0 |
route-map <string> |
Specify the name of the route map that will be used to modify the attributes of the route before it is advertised. You must create the route map before it can be selected here. See config router route-map. |
No default |
config redistribute {connected | isis | ospf | rip | static} |
||
status {disable | enable} |
Enable to redistribute routes learned from the selected source (connected, IS-IS, OSPF, RIP, or static) into BGP. When a large internetwork is divided into multiple routing domains, use this subcommand to carry routes from one domain into another. |
disable |
route-map <string> |
Specify the name of the route map that identifies the routes to redistribute. If a route map is not specified, all routes are redistributed to BGP. You must create the route map before it can be selected here. See config router route-map. |
No default |
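The following configuration shows how the access-list, AS-path list, and neighbor filtering commands described above fit together on an external BGP session with a customer. It is an added example, not configuration from the original page or from Fortinet: the AS numbers 65001 and 65002, the addresses 192.0.2.1, 192.0.2.2, 203.0.113.0/24 and 198.51.100.0/24 (documentation ranges), the list names cust-in and cust-origin, and the placeholder password are assumptions chosen for illustration. The access list ends with an explicit deny rule rather than relying on any implicit default.

```text
config router access-list
    edit cust-in
        set comments "accept only the customer's assigned /24"
        config rule
            edit 1
                set action permit
                set prefix 203.0.113.0 255.255.255.0
                set exact-match enable
            next
            edit 2
                set action deny
                set prefix any
            next
        end
    next
end
config router aspath-list
    edit cust-origin
        config rule
            edit 1
                set action permit
                set regexp "^65002$"
            next
            edit 2
                set action deny
                set regexp ".*"
            next
        end
    next
end
config router bgp
    set as 65001
    set router-id 192.0.2.1
    set enforce-first-as enable
    set log-neighbor-changes enable
    config neighbor
        edit 192.0.2.2
            set remote-as 65002
            set description "customer AS65002 uplink"
            set password "replace-with-shared-secret"
            set maximum-prefix 10
            set distribute-list-in cust-in
            set aspath-filter-list-in cust-origin
            set remove-private-as enable
            set soft-reconfiguration enable
        next
    end
    config network
        edit 1
            set prefix 198.51.100.0 255.255.255.0
        next
    end
end
```

Rules in a list are evaluated in order, so rule 2 of cust-in is the catch-all; with exact-match enabled, rule 1 accepts only 203.0.113.0/24 itself and not longer prefixes carved out of it. The AS-path regexp "^65002$" accepts only routes whose AS_PATH is exactly the peer's AS, that is routes the customer originated, and ".*" rejects anything else, while enforce-first-as drops updates whose AS_PATH does not begin with the peer's AS. maximum-prefix caps what the peer can inject, so a misconfigured peer that leaks a full table cannot fill the routing table. The password must be set to the same value on the peer, and soft-reconfiguration lets you change the lists later without resetting the session.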
config router community-list
Use this command to identify BGP routes according to their COMMUNITY attributes (see RFC 1997). Each entry in the community list defines a rule for matching and selecting routes based on the setting of the COMMUNITY attribute.
Syntax
config router community-list
edit <community_list_name>
set type {expanded | standard}
config rule
edit <rule_identifier>
set action {deny | permit}
set regexp <regular_expression>
set match <community_number | internet | local-AS | no-advertise | no-export>
end
end
Variable |
Description |
Default |
<community_list_name> |
Enter a name for the community list. |
No default |
type {expanded | standard} |
Specify the type of community to match. |
standard |
<rule_identifier> |
Enter a rule identifier. |
No default |
action {deny | permit} |
Permit or deny route-based operations, based on the routeʼs COMMUNITY attribute. |
No default |
regexp <regular_expression> |
If you select an expanded community, specify an ordered list of COMMUNITY attributes as a regular expression. The value or values are used to match a community. Delimit a complex regular expression value using double-quotation marks. |
No default |
match <community_number | internet | local-AS | no-advertise | no-export> |
If you select a standard community, specify the criteria for matching a community: a community number, or one of the reserved well-known communities internet, local-AS, no-advertise, or no-export. |
No default |
config router isis
Intermediate System to Intermediate System Protocol (IS-IS) allows routing of ISO’s OSI protocol stack Connectionless Network Service (CLNS). IS-IS is an Interior Gateway Protocol (IGP) that is not intended to be used between Autonomous Systems (AS).
IS-IS is a link-state protocol: each router floods link-state packets (LSPs) that describe its adjacencies, and every router runs Dijkstra's shortest-path-first (SPF) algorithm over the resulting database, as OSPF does. It scales to large networks and converges quickly after a topology change. Hello PDUs, level-1 (area) LSPs, and level-2 (domain) LSPs can each be authenticated with a plain-text password or with MD5 (see the auth-mode and auth-keychain settings below). A plain-text password is sent in the clear and only prevents accidental adjacencies; use MD5 with a keychain to authenticate neighbors.
While OSPF is more widely known, IS-IS is a viable alternative to OSPF in enterprise networks and ISP infrastructures, largely due to its native support for IPv6 and its nondisruptive methods for splitting, merging, migrating, and renumbering network areas.
Syntax
config router isis
set auth-keychain-area <string>
set auth-keychain-domain <string>
set auth-mode-area {md5 | password}
set auth-mode-domain {md5 | password}
set auth-password-area <password>
set auth-password-domain <password>
set auth-sendonly-area {enable | disable}
set auth-sendonly-domain {enable | disable}
set default-information-level {level-1 | level-1-2 | level-2}
set default-information-metric <0-4261412864>
set default-information-originate {always | disable | enable}
set default-information-route-map <string>
set ignore-attached-bit {disable | enable}
set is-type {level-1 | level-1-2 | level-2-only}
set log-neighbour-changes {disable | enable}
set lsp-gen-interval-l1 <1-120>
set lsp-gen-interval-l2 <1-120>
set lsp-refresh-interval <1-65535>
set max-lsp-lifetime <350-65535>
set metric-style {narrow | transition | wide}
set overload-bit {disable | enable}
set redistribute-l1 {disable | enable}
set redistribute-l1-list <string>
set router-id <IP_address>
set spf-interval-exp-l1 <1-120>
set spf-interval-exp-l2 <1-120>
config interface
edit {IS-IS interface name}
set auth-keychain-hello <string>
set auth-mode-hello {md5 | password}
set auth-password-hello <password>
set bfd {enable | disable}
set circuit-type {level-1 | level-1-2 | level-2}
set csnp-interval-l1 <1-65535 seconds>
set csnp-interval-l2 <1-65535 seconds>
set hello-interval-l1 <1-65535 seconds; 0 to use 1-second hold time>
set hello-interval-l2 <1-65535 seconds; 0 to use 1-second hold time>
set hello-multiplier-l1 <2-100>
set hello-multiplier-l2 <2-100>
set hello-padding {disable | enable}
set metric-l1 <1-63>
set metric-l2 <1-63>
set passive {disable | enable}
set priority-l1 <0-127>
set priority-l2 <0-127>
set status {disable | enable}
set wide-metric-l1 <1-16777214>
set wide-metric-l2 <1-16777214>
config net
edit <identifier>
set net <xx.xxxx. ... .xxxx.xx>
config redistribute {bgp | connected | ospf | rip | static}
set status {disable | enable}
set metric <0-4261412864>
set metric-type {external | internal}
set level {level-1 | level-1-2 | level-2}
set routemap <string>
config summary-address
edit <summary address entry identifier>
set level {level-1 | level-1-2 | level-2}
set prefix <IP address and netmask>
end
end
Variable |
Description |
Default |
auth-keychain-area <string> |
IS-IS area (level-1) authentication keychain. This setting applies when auth-mode-area is md5. |
No default |
auth-keychain-domain <string> |
IS-IS domain (level-2) authentication keychain. This setting applies when auth-mode-domain is md5. |
No default |
auth-mode-area {md5 | password} |
IS-IS area (level-1) authentication mode. |
password |
auth-mode-domain {md5 | password} |
IS-IS domain (level-2) authentication mode. |
password |
auth-password-area <password> |
IS-IS area (level-1) authentication password. This setting applies when auth-mode-area is password. |
No default |
auth-password-domain <password> |
IS-IS domain (level-2) authentication password. This setting applies when auth-mode-domain is password. |
No default |
auth-sendonly-area {enable | disable} |
IS-IS area (level-1) authentication send-only. |
disable |
auth-sendonly-domain {enable | disable} |
IS-IS domain (level-2) authentication send-only. |
disable |
default-information-level {level-1 | level-1-2 | level-2} |
Distribute default route into levelʼs link-state packet (LSP). |
level-2 |
default-information-metric <0-4261412864> |
Default information metric. |
10 |
default-information-originate {always | disable | enable} |
Enable or disable the generation of a default route. |
disable |
default-information-route-map <string> |
The default information route map. |
No default |
ignore-attached-bit {disable | enable} |
Ignore attached bit on incoming level-1 LSP. |
disable |
is-type {level-1 | level-1-2 | level-2-only} |
Set the IS-IS level to use: level-1 (intra-area routing only), level-1-2 (both levels), or level-2-only (inter-area routing only). |
level-1-2 |
log-neighbour-changes {disable | enable} |
Enable logging of IS-IS neighborʼs changes |
enable |
lsp-gen-interval-l1 <1-120> |
Minimum interval for level-1 LSP regenerating. |
30 |
lsp-gen-interval-l2 <1-120> |
Minimum interval for level-2 LSP regenerating. |
30 |
lsp-refresh-interval <1-65535> |
LSP refresh time in seconds. |
900 |
max-lsp-lifetime <350-65535> |
Maximum LSP lifetime in seconds. |
1200 |
metric-style {narrow | transition | wide} |
Select the metric style: narrow uses the old-style (ISO 10589) packet formats with interface metrics up to 63, wide uses the new-style formats with metrics up to 16777214, and transition sends and accepts both. |
narrow |
overload-bit {disable | enable} |
Set the overload bit in this unit's LSPs to signal other routers not to use it as a transit node in their shortest-path-first (SPF) calculations. |
disable |
redistribute-l1 {disable | enable} |
Redistribute level-1 routes into level 2. |
enable |
redistribute-l1-list <string> |
Access-list for redistributing level-1 routes to level 2. |
No default |
router-id <IP_address> |
Router identifier. |
0.0.0.0 |
spf-interval-exp-l1 <1-120> |
Level-1 SPF minimum calculation delay in seconds. |
1 |
spf-interval-exp-l2 <1-120> |
Level-2 SPF minimum calculation delay in seconds. |
1 |
config interface |
||
{IS-IS interface name} |
Select the IS-IS interface name to configure. |
No default |
auth-keychain-hello <string> |
Hello protocol data unit (PDU) authentication keychain. This setting applies when auth-mode-hello is md5. |
No default |
auth-mode-hello {md5 | password} |
Hello PDU authentication mode. |
password |
auth-password-hello <password> |
Hello PDU authentication password. This setting applies when auth-mode-hello is password. |
No default |
bfd {enable | disable} |
Enable or disable bidirectional forwarding detection (BFD). |
enable |
circuit-type {level-1 | level-1-2 | level-2} |
Set the IS-IS circuit type to use for this interface: level-1, level-1-2, or level-2. |
level-1-2 |
csnp-interval-l1 <1-65535> |
Level-1 complete sequence number PDU (CSNP) interval, in number of seconds. |
10 |
csnp-interval-l2 <1-65535> |
Level-2 CSNP interval, in number of seconds. |
10 |
hello-interval-l1 <1-65535> |
Level-1 hello packet interval, in number of seconds. Use 0 for a 1-second hold time. |
10 |
hello-interval-l2 <1-65535> |
Level-2 hello packet interval, in number of seconds. Use 0 for a 1-second hold time. |
10 |
hello-multiplier-l1 <2-100> |
Level-1 multiplier for hello packet holding time. |
3 |
hello-multiplier-l2 <2-100> |
Level-2 multiplier for hello packet holding time. |
3 |
hello-padding {disable | enable} |
Enable padding to IS-IS hello packets. |
enable |
metric-l1 <1-63> |
Level-1 metric for interface. |
10 |
metric-l2 <1-63> |
Level-2 metric for interface. |
10 |
passive {disable | enable} |
Set this interface as passive. |
disable |
priority-l1 <0-127> |
Level-1 priority. |
64 |
priority-l2 <0-127> |
Level-2 priority. |
64 |
status {disable | enable} |
Enable or disable the interface for IS-IS. |
enable |
wide-metric-l1 <1-16777214> |
Level-1 wide metric for interface. |
10 |
wide-metric-l2 <1-16777214> |
Level-2 wide metric for interface. |
10 |
config net |
||
<identifier> |
An integer identifier; 0 is the lowest available identifier. |
No default |
net <xx.xxxx. ... .xxxx.xx> |
Set the IS-IS network entity title (NET), which combines the area ID, the 6-byte system ID, and a final NSEL byte of 00 (for example 49.0001.0000.0000.0001.00). |
No default |
config redistribute {bgp | connected | ospf | rip | static} |
||
status {disable | enable} |
Enable or disable the redistribution of routes from other routing protocols using IS-IS. |
disable |
metric <0-4261412864> |
Redistribution metric. |
10 |
metric-type {external | internal} |
Select external or internal as the metric type of redistributed routes. |
external |
level {level-1 | level-1-2 | level-2} |
Set the IS-IS level into which routes are redistributed: level-1, level-1-2, or level-2. |
level-1-2 |
routemap <string> |
Enter the route map name. You must create the route map before selecting it. See config router route-map. |
No default |
config summary-address |
||
<summary address entry identifier> |
Enter the summary address entry ID. The value range is 0-4294967295. |
|
level {level-1 | level-1-2 | level-2} |
Set the IS-IS level in which the summary address is advertised: level-1, level-2, or both (level-1-2). |
level-2 |
prefix <IP address and netmask> |
Set the IP address and netmask for the prefix. |
0.0.0.0 0.0.0.0 |
config router key-chain
Use this command to configure a keychain. A keychain is a list of one or more authentication keys, each with its own lifetime, which is the period during which the key is valid. Give consecutive keys overlapping lifetimes so that routing updates never arrive at a moment when no key is valid; a gap between keys causes authenticated updates to fail.
Syntax
config router key-chain
edit <keychain_name>
config key
edit <key_int>
set key-string <key_str>
set accept-lifetime <START> <END>
set send-lifetime <START> <END>
end
end
end
Variable |
Description |
Default |
<keychain_name> |
Enter a name for your keychain. |
No default |
<key_int> |
Enter the identifier of the key within the keychain. |
No default |
key-string <key_str> |
Enter a password string for the key. |
No default |
accept-lifetime <START> <END> |
Enter the lifetime during which this key is accepted on received packets. START uses the format HH:MM:SS DAY MONTH YEAR. END is one of: the same HH:MM:SS DAY MONTH YEAR format; infinite; or <duration>, the number of seconds after START that the key remains valid (range 1-2147483646). |
No default |
send-lifetime <START> <END> |
Enter the lifetime during which this key is used to authenticate sent packets. START uses the format HH:MM:SS DAY MONTH YEAR. END is one of: the same HH:MM:SS DAY MONTH YEAR format; infinite; or <duration>, the number of seconds after START that the key remains valid (range 1-2147483646). |
No default |
Example
This example shows how to add a key to a new keychain:
config router key-chain
edit keychain1
config key
edit 1
set key-string 1234567890
set accept-lifetime 01:02:03 1 8 2017 infinite
set send-lifetime 01:02:03 1 8 2017 infinite
end
end
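Keeping lifetimes overlapping is easy to get wrong once a chain holds several keys, and a gap only shows up when authenticated updates start failing. The script below is an added example, not FortiSwitchOS code: it parses a config router key-chain block written in the CLI form shown above and reports every gap between one key's lifetime ending and the next key's starting, separately for accept-lifetime and send-lifetime. The configuration it parses is constructed for the example, and its key strings are placeholders.

```python
from datetime import datetime, timedelta

LIFETIME_FMT = "%H:%M:%S %d %m %Y"   # START/END form: HH:MM:SS DAY MONTH YEAR

# Constructed sample in the CLI form from the syntax above; key strings are placeholders.
SAMPLE_CONFIG = """\
config router key-chain
    edit keychain1
        config key
            edit 1
                set key-string placeholder-old
                set accept-lifetime 01:02:03 1 8 2017 00:00:00 1 3 2018
                set send-lifetime 01:02:03 1 8 2017 00:00:00 1 1 2018
            next
            edit 2
                set key-string placeholder-new
                set accept-lifetime 00:00:00 1 12 2017 infinite
                set send-lifetime 00:00:00 1 2 2018 infinite
            next
        end
    end
"""


def parse_lifetime(tokens):
    """tokens are the words after 'set accept-lifetime' or 'set send-lifetime'.
    START is four words (HH:MM:SS DAY MONTH YEAR); END is the same four words,
    the word 'infinite', or a duration in seconds. Returns (start, end) with
    end=None for an open-ended key."""
    start = datetime.strptime(" ".join(tokens[:4]), LIFETIME_FMT)
    rest = tokens[4:]
    if rest == ["infinite"]:
        return start, None
    if len(rest) == 1:
        return start, start + timedelta(seconds=int(rest[0]))
    if len(rest) == 4:
        return start, datetime.strptime(" ".join(rest), LIFETIME_FMT)
    raise ValueError("unrecognised lifetime: " + " ".join(tokens))


def parse_key_chain(text):
    """Return {chain_name: {key_id: {'accept': (start, end), 'send': (start, end)}}}.
    Only the lines the check needs are interpreted; key-string values are skipped."""
    chains, chain, key, in_keys = {}, None, None, False
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:2] == ["config", "key"]:
            in_keys = True
        elif t[0] == "edit" and in_keys:
            key = t[1]
            chains[chain][key] = {}
        elif t[0] == "edit":
            chain = t[1]
            chains[chain] = {}
        elif t[0] == "end":
            in_keys = False          # first 'end' closes 'config key', the next closes the chain
        elif t[:2] in (["set", "accept-lifetime"], ["set", "send-lifetime"]):
            chains[chain][key][t[1].split("-")[0]] = parse_lifetime(t[2:])
    return chains


def coverage_gaps(windows):
    """windows: list of (key_id, start, end). Returns (prev_key, next_key, gap_seconds)
    for every period between the first start and the last end that no key covers."""
    if not windows:
        return []
    ordered = sorted(windows, key=lambda w: w[1])
    reach = ordered[0]                       # key whose end extends furthest so far
    gaps = []
    for key_id, start, end in ordered[1:]:
        reach_end = reach[2]
        if reach_end is None:                # an open-ended key covers everything after it
            break
        if start > reach_end:
            gaps.append((reach[0], key_id, int((start - reach_end).total_seconds())))
        if end is None or end > reach_end:
            reach = (key_id, start, end)
    return gaps


def audit(chains):
    """{chain: {'accept': [gaps], 'send': [gaps]}}; an empty list means continuous coverage."""
    report = {}
    for name, keys in chains.items():
        report[name] = {}
        for kind in ("accept", "send"):
            windows = [(kid, *k[kind]) for kid, k in keys.items() if kind in k]
            report[name][kind] = coverage_gaps(windows)
    return report


if __name__ == "__main__":
    for chain, kinds in audit(parse_key_chain(SAMPLE_CONFIG)).items():
        for kind, gaps in kinds.items():
            for prev_key, next_key, seconds in gaps:
                print(f"{chain}: {kind}-lifetime gap of {seconds}s between key {prev_key} and key {next_key}")
```

In the constructed sample the accept lifetimes overlap by three months, but key 1 stops being sent on 1 January 2018 and key 2 is not sent until 1 February 2018, so the audit reports a 31-day send gap during which this unit would sign nothing. The usual pattern is the reverse: start accepting the new key well before you start sending it, and keep accepting the old key for a while after you stop sending it.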
config router multicast
A FortiSwitch unit can operate as a Protocol Independent Multicast (PIM) router for IPv4. FortiSwitchOS supports PIM source-specific multicast (SSM) and version 3 of the Internet Group Management Protocol (IGMP).
You can configure a FortiSwitch unit to support PIM using the config router multicast CLI command. When PIM is enabled, the FortiSwitch unit allocates memory to manage mapping information. The FortiSwitch unit communicates with neighboring PIM routers to acquire mapping information and, if required, processes the multicast traffic associated with specific multicast groups.
Syntax
config router multicast
set multicast-routing {disable | enable}
config interface
edit {interface_name | internal | mgmt}
set pim-mode ssm-mode
set hello-interval <1-180>
set dr-priority <1-4294967295>
set multicast-flow <string>
config igmp
set query-interval <1-65535>
set query-max-response-time <1-25>
end
end
Variable |
Description |
Default |
multicast-routing {disable | enable} |
Enable or disable multicast routing. |
disable |
{interface_name | internal | mgmt} |
Set which interface to configure for multicast routing. |
No default |
pim-mode ssm-mode |
Set the PIM operation mode to SSM mode. |
ssm-mode |
hello-interval <1-180> |
Specify the amount of time that the FortiSwitch unit waits between sending hello messages to neighboring PIM routers. |
30 |
dr-priority <1-4294967295> |
Assign a priority to the FortiSwitch unit Designated Router (DR) candidacy. The value is compared to that of other DR interfaces connected to the same network segment, and the router having the highest DR priority is selected to be the DR. If two DR priority values are the same, the interface having the highest IP address is selected. |
1 |
multicast-flow <string> |
Connect the named multicast flow to this interface. You must create the multicast flow before it can be selected here. See config router multicast-flow. |
No default |
query-interval <1-65535> |
Set the interval between queries to IGMP hosts (in seconds). |
125 |
query-max-response-time <1-25> |
Set the maximum time to wait for an IGMP query response (in seconds). |
10 |
config router multicast-flow
Use this command to configure the source allowed for a multicast flow when using PIM-SM or PIM-SSM.
Syntax
config router multicast-flow
edit <name>
set comments <string>
config flows
edit <multicast-flow_entry_identifier>
set group-addr <224-239.xxx.xxx.xxx>
set source-addr <IP_address>
end
end
Variable |
Description |
Default |
<name> |
Name of the multicast flow. |
No default |
<string> |
Enter an optional description of the multicast flow. |
No default |
<multicast-flow_entry_identifier> |
Enter the multicast-flow entry identifier. |
No default |
group-addr <224-239.xxx.xxx.xxx> |
Enter the multicast group address (IPv4). |
0.0.0.0 |
source-addr <IP_address> |
Enter an IP address for the multicast source (IPv4). |
0.0.0.0 |
config router ospf
Use this command to configure OSPF routing for IPv4.
NOTE: You must have an advanced features license to use OSPF routing.
Syntax
config router ospf
set router-id <router_ipv4>
set abr-type {cisco | ibm | shortcut | standard}
set distance-external <external_int>
set distance-inter-area <inter_int>
set distance-intra-area <intra_int>
set default-information-originate {always | disable | enable}
set default-information-metric <metric_int>
set default-information-metric-type {1 | 2}
set default-information-route-map <map_str>
set distance <distance_int>
set rfc1583-compatible {disable | enable}
set spf-timers <delay_int> <hold_int>
set log-neighbour-changes {disable | enable}
set passive-interface <name_str>
config area
edit <area_ipv4>
set shortcut {default | disable | enable}
set type {nssa | regular | stub}
set default-cost <cost_int>
set stub-type {no-summary | summary}
set nssa-translator-role {always | candidate | never}
config filter-list
edit <filter_int>
set direction {in | out}
set list <list_str>
end
end
config range
edit <range_int>
set advertise {enable | disable}
set prefix <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx>
set substitute <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx>
set substitute-status {enable | disable}
end
end
config virtual-link
edit <virtual_int>
set authentication {md5 | none | text}
set dead-interval <dead_int>
set hello-interval <hello_int>
set peer <peer_ipv4>
set retransmit-interval <retransmit_int>
set transmit-delay <transmit_int>
config md5-keys
edit <key_ID>
set key <MD5_key>
next
end
next
end
next
end
config interface
edit <interface_str>
set authentication {md5 | none | text}
set bfd {disable | enable | global}
set cost <cost_int>
set dead-interval <dead_int>
set hello-interval <hello_int>
set interface <string>
set mtu <mtu_int>
set mtu-ignore {disable | enable}
set priority <priority_int>
set retransmit-interval <retransmit_int>
set transmit-delay <transmit_int>
config md5-keys
edit <key_ID>
set key <MD5_key>
next
end
next
end
config network
edit <network_int>
set area <area_ipv4>
set prefix <xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx>
end
end
config summary-address
edit <summary_int>
set prefix <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx>
set tag <tag_int>
next
end
config distribute-list
edit <distribute_int>
set access-list <access_str>
set protocol {bgp | connected | isis | rip | static}
next
end
config redistribute {bgp | connected | isis | rip | static}
set status {disable | enable}
set metric <metric_int>
set routemap <routemap_str>
set metric-type {1 | 2}
set tag <0-2147483647>
end
end
Variable |
Description |
Default |
router-id <router_ipv4> |
Required. Enter the IPv4 address of the OSPF router. |
No default |
abr-type {cisco | ibm | shortcut | standard} |
Enter the area border router (ABR) type. Set |
cisco |
distance-external <external_int> |
Set the OSPF route administrative external distance. The value range is from 0 to 255. |
0 |
distance-inter-area <inter_int> |
Set the OSPF route administrative inter-area distance. The value range is from 0 to 255. |
0 |
distance-intra-area <intra_int> |
Set the OSPF route administrative intra-area distance. The value range is from 0 to 255. |
0 |
default-information-originate {always | disable | enable} |
Enable or disable the generation of a default route into all external-routing-capable areas, using the metric specified by the default-information-metric option. Set this option to always to advertise the default route even when the routing table contains no default route. |
disable |
default-information-metric <metric_int> |
Set the metric value for the default route. The value range is from 1 to 16777214. |
10 |
default-information-metric-type {1 | 2} |
Set the metric type for the default route. |
2 |
default-information-route-map <map_str> |
Enter the name of the route map. |
No default |
distance <distance_int> |
Enter the distance of the route. The value range is from 1 to 255. |
110 |
rfc1583-compatible {disable | enable} |
Enable or disable RFC1583 compatibility. |
disable |
spf-timers <delay_int> <hold_int> |
Set the number of seconds before the shortest path first (SPF) is calculated and the number of seconds between consecutive SPF calculations. The range for each value is from 0 to 600. |
5 10 |
log-neighbour-changes {disable | enable} |
Enable or disable the logging of changes to the OSPF neighbor state. |
enable |
passive-interface <name_str> |
Select which interface to set to passive mode. |
No default |
config area |
||
<area_ipv4> |
Enter the IP address for the area. |
No default |
shortcut {default | disable | enable} |
Enable or disable whether shortcuts are allowed in the area. |
default |
type {nssa | regular | stub} |
Set the area type. |
regular |
default-cost <cost_int> |
If the area type is stub or not-so-stubby area (NSSA), set the cost of default-summary link state advertisements (LSAs) announced to stubby areas. The value range is 0-2147483647. |
1 |
stub-type {no-summary | summary} |
If the area type is stub or NSSA, set whether inter-area summaries can be used. |
summary |
nssa-translator-role {always | candidate | never} |
If the area type is NSSA, set the type of NSSA translator role. |
candidate |
config filter-list |
||
<filter_int> |
Enter the filter list identifier. |
No default |
direction {in | out} |
Set the direction to or from the area for the prefix list and access list. |
out |
list <list_str> |
Enter the access-list name or prefix-list name for the area. |
No default |
config range |
||
<range_int> |
Enter the range list identifier. |
No default |
advertise {enable | disable} |
Enable or disable the advertise status. If this option is set to disable, the summary for this range is not advertised to other areas. |
enable |
prefix <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx> |
Enter the summary prefix. |
0.0.0.0 0.0.0.0 |
substitute <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx> |
Enter the substitute prefix. |
0.0.0.0 0.0.0.0 |
substitute-status {enable | disable} |
Enable or disable whether the substitute prefix is used instead of the prefix. |
disable |
config virtual-link |
||
<virtual_int> |
Enter the virtual-link identifier. |
No default |
authentication {md5 | none | text} |
Set the authentication type. With text, the password is carried in clear text in the OSPF packet header; md5 is the only keyed option. |
none |
dead-interval <dead_int> |
Enter the dead interval. |
40 |
hello-interval <hello_int> |
Enter the hello interval. |
10 |
peer <peer_ipv4> |
Enter the IP address of the virtual link neighbor. |
0.0.0.0 |
retransmit-interval <retransmit_int> |
Enter the retransmit interval. |
5 |
transmit-delay <transmit_int> |
Enter the transmit delay. |
1 |
config md5-keys |
||
<key_ID> |
Enter the MD5 key identifier. |
No default |
<MD5_key> |
Enter a string up to 16 characters. |
No default |
config interface |
||
<interface_str> |
Enter the OSPF interface name. |
No default |
authentication {md5 | none | text} |
Set the authentication type for OSPF packets. With text, the password is carried in clear text in the OSPF packet header; md5 is the only keyed option. |
none |
bfd {disable | enable | global} |
Enable or disable BFD on this interface. Set this option to global to use the global BFD setting instead of a per-interface one. |
global |
cost <cost_int> |
Enter the link cost on this interface. The value range is 0-65535. Set this option to 0 for auto-cost. |
10 |
dead-interval <dead_int> |
Enter the dead interval. |
40 |
hello-interval <hello_int> |
Enter the hello interval. |
10 |
interface <string> |
Set the interface. |
No default |
mtu <mtu_int> |
Enter the maximum transmission unit (MTU) size in bytes for the database description packets. The value range is 576-65535. |
1500 |
mtu-ignore {disable | enable} |
Set whether to use the MTU size. |
disable |
priority <priority_int> |
Set the router priority for this interface. The router with the highest priority is more eligible to become the designated router. Setting the option to 0 makes the router ineligible to become the designated router. The value range is 0-255. |
1 |
retransmit-interval <retransmit_int> |
Enter the retransmit interval. |
5 |
transmit-delay <transmit_int> |
Enter the transmit delay. |
1 |
config md5-keys |
||
<key_ID> |
Enter the MD5 key identifier. |
No default |
<MD5_key> |
Enter a string up to 16 characters. |
No default |
config network |
||
<network_int> |
Enter the network identifier. |
No default |
<area_ipv4> |
Enter the IPv4 address for the area. |
No default |
prefix <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx> |
Enter the IPv4 address and netmask. |
0.0.0.0 0.0.0.0 |
config summary-address |
||
<summary_int> |
Enter the identifier for the summary address. |
No default |
prefix <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx> |
Enter the IPv4 address and netmask. |
0.0.0.0 0.0.0.0 |
tag <tag_int> |
Enter the tag value. The range is 0-2147483647. |
0 |
config distribute-list |
||
<distribute_int> |
Enter the distribute list identifier. |
No default |
access-list <access_str> |
Enter the access list name. |
No default |
protocol {bgp | connected | isis | rip | static} |
Set the protocol type. |
connected |
config redistribute {bgp | connected | isis | rip | static} |
||
redistribute {bgp | connected | isis | rip | static} |
Set the type of network to redistribute. |
No default |
status {disable | enable} |
Enable or disable the redistribution. |
disable |
metric <metric_int> |
Enter the metric for redistributed routes. |
10 |
routemap <routemap_str> |
Enter the route map name to filter the redistributed routes. |
No default |
metric-type {1 | 2} |
Set the metric type of redistributed routes. |
2 |
tag <0-2147483647> |
Set the tag value. |
0 |
Example
This example shows how to set the router identifier, create an area, configure the OSPF interface, create the network (set the network prefix and associate with an area), configure the IPv4 address summary, and redistribute the routes:
config router ospf
set router-id 20.1.1.1
config area
edit 0.0.0.0
next
edit 0.0.0.1
next
end
config interface
edit "ospf_1"
set interface "vlan10"
next
edit "ospf_2"
set interface "vlan20"
next
end
config network
edit 1
set area 0.0.0.1
set prefix 20.1.1.0 255.255.255.0
next
edit 2
set area 0.0.0.0
set prefix 10.1.1.0 255.255.255.0
next
end
config summary-address
edit 1
set prefix 40.1.0.0 255.255.0.0
next
end
config redistribute "connected"
set status enable
end
end
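The OSPF example above leaves authentication at its default of none. The following Python is an added example, not FortiSwitchOS code, that builds and checks the RFC 2328 Appendix D cryptographic authentication that authentication md5 together with config md5-keys turns on. The Hello body, the key and the key ID are constructed placeholders; the router ID and area reuse the values from the example. It shows why <MD5_key> is limited to 16 characters (the key is zero-padded to one 16-byte block and appended to the packet before hashing), what the key ID and cryptographic sequence number in the header are for, and that a receiver has to compare the sequence number with the last accepted value to reject replayed packets. Simple-password (text) authentication, by contrast, puts the password itself into the same header field.

```python
import hashlib
import hmac
import ipaddress
import struct

OSPF_HDR = struct.Struct("!BBHIIHH")   # version, type, length, router id, area id, checksum, AuType
AUTH_FIELD = struct.Struct("!HBBI")    # AuType 2 form: zero, key id, auth data length, crypto sequence number
AUTYPE_CRYPTOGRAPHIC = 2
DIGEST_LEN = 16

# Constructed sample: a Hello body (netmask, hello interval, options, priority, dead interval,
# DR, BDR, no neighbours) and a placeholder key stored under key ID 1.
HELLO_BODY = struct.pack("!IHBBIII", 0xFFFFFF00, 10, 0x02, 1, 40, 0, 0)
SAMPLE_KEYS = {1: "placeholder-key"}


def padded_key(key):
    """The key is used as one 16-byte block: shorter keys are zero-padded and longer ones
    rejected, which is why the CLI limits <MD5_key> to 16 characters."""
    raw = key.encode()
    if len(raw) > DIGEST_LEN:
        raise ValueError("OSPF MD5 key must be at most 16 bytes")
    return raw.ljust(DIGEST_LEN, b"\x00")


def build_packet(router_id, area_id, body, key_id, key, seq):
    """Build an OSPFv2 packet with RFC 2328 Appendix D cryptographic authentication.
    For AuType 2 the checksum field is zero, the header length excludes the digest, and the
    digest is MD5 over the whole packet followed by the padded key."""
    length = OSPF_HDR.size + AUTH_FIELD.size + len(body)
    header = OSPF_HDR.pack(2, 1, length, int(ipaddress.ip_address(router_id)),
                           int(ipaddress.ip_address(area_id)), 0, AUTYPE_CRYPTOGRAPHIC)
    header += AUTH_FIELD.pack(0, key_id, DIGEST_LEN, seq)
    packet = header + body
    return packet + hashlib.md5(packet + padded_key(key)).digest()


def verify(packet, keys, last_seq):
    """Receiver-side check. keys maps key ID to key string; last_seq is the highest sequence
    number already accepted from this neighbour. Returns (accepted, reason)."""
    hdr_len = OSPF_HDR.size + AUTH_FIELD.size
    if len(packet) < hdr_len + DIGEST_LEN:
        return False, "truncated"
    _, _, length, _, _, _, autype = OSPF_HDR.unpack_from(packet, 0)
    _, key_id, auth_len, seq = AUTH_FIELD.unpack_from(packet, OSPF_HDR.size)
    if autype != AUTYPE_CRYPTOGRAPHIC or auth_len != DIGEST_LEN:
        return False, "not cryptographic authentication"
    if length + DIGEST_LEN != len(packet):
        return False, "length mismatch"
    if key_id not in keys:
        return False, "unknown key id"
    if seq < last_seq:                       # sequence numbers must never go backwards
        return False, "replay"
    expected = hashlib.md5(packet[:-DIGEST_LEN] + padded_key(keys[key_id])).digest()
    if not hmac.compare_digest(expected, packet[-DIGEST_LEN:]):
        return False, "bad digest"
    return True, "ok"


def sample_packet(seq=100):
    """A Hello from router-id 20.1.1.1 in area 0.0.0.1, the values used in the OSPF example."""
    return build_packet("20.1.1.1", "0.0.0.1", HELLO_BODY, 1, SAMPLE_KEYS[1], seq)


if __name__ == "__main__":
    packet = sample_packet()
    tampered = bytearray(packet)
    tampered[31] ^= 0xFF          # flip the router priority byte inside the Hello body
    print("genuine :", verify(packet, SAMPLE_KEYS, 0))
    print("tampered:", verify(bytes(tampered), SAMPLE_KEYS, 0))
    print("replayed:", verify(packet, SAMPLE_KEYS, 101))
```

The key ID is what makes rotation possible: a receiver configured with both the old and the new key under different IDs accepts packets from neighbors that have not switched yet, so you can add the new entry under config md5-keys on every router before changing which key is sent. The sequence number only protects against replay within one key's lifetime, and MD5 here is a keyed digest rather than HMAC, so the key string is the whole of the secret; choose it accordingly.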
config router ospf6
Use this command to configure open shortest path first (OSPF) routing for IPv6.
NOTE: You must have an advanced features license to use OSPF routing.
Syntax
config router ospf6
set router-id <router_ipv4>
set spf-timers <delay_int> <hold_int> <max_int>
set log-neighbor-changes {disable | enable}
config area
edit <area_ipv4>
set type {regular | stub}
set stub-type {summary | no-summary}
config filter-list
edit <filter_int>
set direction {in | out}
set list <list_str>
next
end
config range
edit <range_int>
set advertise {enable | disable}
set prefix <xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx>
next
end
next
end
config interface
edit <interface_str>
set area-id <Required_IPv4_address>
set bfd {disable | enable}
set cost <cost_int>
set dead-interval <dead_int>
set hello-interval <hello_int>
set passive {disable | enable}
set priority <priority_int>
set retransmit-interval <retransmit_int>
set status {enable | disable}
set transmit-delay <transmit_int>
next
end
config redistribute {connected | static}
set status {disable | enable}
set routemap <routemap_str>
end
end
Variable |
Description |
Default |
router-id <router_ipv4> |
Required. Enter the IPv4 address of the OSPF router. |
No default |
spf-timers <delay_int> <hold_int> <max_int> |
Set the number of milliseconds to delay before the shortest path first (SPF) is calculated, the initial number of milliseconds between consecutive SPF calculations, and the maximum number of milliseconds between consecutive SPF calculations. The range for each value is from 0 to 600. |
5 10 10 |
log-neighbor-changes {disable | enable} |
Enable or disable the logging of changes to the OSPF neighbor |
enable |
config area |
||
<area_ipv4> |
Enter the IPv4 address for the area. |
No default |
type {regular | stub} |
Set the area type to regular or stub. |
regular |
stub-type {summary | no-summary} |
If the area type is stub, set whether inter-area summaries can be used. |
summary |
config filter-list |
||
<filter_int> |
Enter the filter list identifier. |
No default |
direction {in | out} |
Set the direction to or from the area for the prefix list and access list. |
out |
list <list_str> |
Enter the IPv6 access-list name or IPv6 prefix-list name for the area. |
No default |
config range |
||
<range_int> |
Enter the range list identifier. |
No default |
advertise {enable | disable} |
Enable or disable the advertise status. If this option is set to disable, the summary for this range is not advertised to other areas. |
enable |
prefix <xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx> |
Required. Enter the IPv6 prefix. |
No default |
config interface |
||
<interface_str> |
Enter the OSPF interface name. |
No default |
area-id <IPv4_address> |
Required. Enter the IPv4 address of the area. |
none |
bfd {disable | enable} |
Enable or disable bidirectional forwarding detection (BFD). |
disable |
cost <cost_int> |
Enter the link cost on this interface. The value range is 0-65535. |
10 |
dead-interval <dead_int> |
Enter the dead interval. |
40 |
hello-interval <hello_int> |
Enter the hello interval. |
10 |
passive {disable | enable} |
Enable or disable the passive interface. |
disable |
priority <priority_int> |
Set the router priority for this interface. The router with the highest priority is more eligible to become the designated router. Setting the option to 0 makes the router ineligible to become the designated router. The value range is 0-255. |
1 |
retransmit-interval <retransmit_int> |
Enter the retransmit interval. |
5 |
status {enable | disable} |
Enable or disable the IPv6 OSPF routing on this interface. |
enable |
transmit-delay <transmit_int> |
Enter the transmit delay. |
1 |
config redistribute {connected | static} |
||
status {disable | enable} |
Enable or disable the redistribution. |
disable |
routemap <routemap_str> |
Enter the route map name to filter the redistributed routes. |
No default |
Example
This example shows how to set the router identifier, create an area, configure the OSPF interface, and redistribute the routes:
config router ospf6
set router-id 10.11.101.1
config area
edit 0.0.0.1
config filter-list
edit 1
set direction in
set list access1
next
end
config range
edit 1
set advertise disable
set prefix 3f2e:6a8b:78a3:0d82:1725:6a2f:0370:6234/96
next
end
end
config interface
edit internal
set area 0.0.0.1
set cost 100
set priority 100
set status enable
next
end
config redistribute connected
set status enable
end
end
config router prefix-list
Use this command to configure IPv4 prefix-based filtering.
NOTE: You must have an advanced features license.
Syntax
config router prefix-list
edit <list_int>
set comments <comment_str>
config rule
edit <rule_int>
set action {deny | permit}
set prefix {<xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx> | any}
set ge <ge_int>
set le <le_int>
end
end
end
Variable |
Description |
Default |
<list_int> |
Enter the prefix list identifier. |
No default |
comments <comment_str> |
Enter a descriptive comment. |
No default |
<rule_int> |
Enter the rule identifier. |
No default |
action {deny | permit} |
Set the action to permit or deny for prefixes that match this rule. |
permit |
prefix {<xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx> | any} |
Set the prefix to define regular filter criteria, such as any or subnets. |
0.0.0.0 0.0.0.0 |
ge <ge_int> |
Enter the minimum IPv4 prefix length to be matched. The value range is between 0 and 32. The prefix list is used if the prefix length is greater than or equal to this value. |
No default |
le <le_int> |
Enter the maximum IPv4 prefix length to be matched. The value range is between 0 and 32. The prefix list is used if the prefix length is less than or equal to this value. |
No default |
config router prefix-list6
Use this command to configure IPv6 prefix-based filtering.
Syntax
config router prefix-list6
edit <name_of_IPv6_prefix_list>
set comments <string>
config rule
edit <rule_ID>
set action {deny | permit}
set prefix6 {<IPv6_prefix> | any}
set ge <0-128>
set le <0-128>
next
end
end
Variable |
Description |
Default |
<name_of_IPv6_prefix_list> |
Enter the name of the IPv6 prefix list. |
No default |
comments <string> |
Enter a descriptive comment. |
No default |
<rule_ID> |
Enter the rule identifier. |
No default |
action {deny | permit} |
Set the action to permit or deny for prefixes that match this rule. |
permit |
prefix6 {<IPv6_prefix> | any} |
Enter the IPv6 prefix to match, or any to match every IPv6 prefix (subject to ge and le). |
No default |
ge <0-128> |
Enter the minimum IPv6 prefix length to be matched. The IPv6 prefix list is used if the prefix length is greater than or equal to this value. |
No default |
le <0-128> |
Enter the maximum IPv6 prefix length to be matched. The IPv6 prefix list is used if the prefix length is less than or equal to this value. |
No default |
Example
This example shows how to specify which IPv6 prefixes are allowed in RA messages:
config router prefix-list6
edit prefixlist1
set comments "IPv6 prefix list"
config rule
edit 1
set action permit
set prefix6 any
set ge 50
set le 50
next
end
end
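The ge and le fields in the two prefix-list commands above decide which prefix lengths a rule covers, and the example above (permit any with ge 50 and le 50) matches exactly the /50 prefixes and nothing else. The following Python is an added example, not FortiSwitchOS code, that evaluates a route against an ordered list of prefix-list rules with the usual semantics: the route must fall inside the rule prefix, its length must satisfy ge and le, a rule with neither matches only the exact length, the first matching rule decides, and a route matching no rule is denied. The rule sets are constructed for the example; the IPv4 rules use the address-and-mask form from the prefix-list syntax, the IPv6 rule repeats the page's prefix-list6 example.

```python
import ipaddress

# A rule is (action, prefix, ge, le). prefix is the keyword "any" or the CLI form
# "network mask" (IPv4) / "network/len" (IPv6); ge and le are None when unset.
# Constructed sample rules for the example, not taken from the page.
RULES_V4 = [
    ("deny",   "10.0.0.0 255.0.0.0", None, None),       # exactly 10.0.0.0/8, nothing longer
    ("permit", "10.0.0.0 255.0.0.0", 16, 24),           # 10.0.0.0/8 subnets from /16 to /24
    ("permit", "192.168.0.0 255.255.0.0", None, 24),    # 192.168.0.0/16 itself and subnets down to /24
]
RULES_V6 = [
    ("permit", "any", 50, 50),                          # the prefix-list6 example above: any /50
]


def _rule_network(prefix, version):
    if prefix == "any":
        return ipaddress.ip_network("0.0.0.0/0" if version == 4 else "::/0")
    return ipaddress.ip_network(prefix.replace(" ", "/"), strict=False)


def rule_matches(route, rule):
    """The route must lie inside the rule prefix and its length must satisfy ge/le.
    Without ge or le the rule matches only the exact prefix length, except that
    'any' with no ge/le matches every prefix of the family."""
    action, prefix, ge, le = rule
    net = ipaddress.ip_network(route, strict=False)
    if ge is not None and le is not None and ge > le:
        raise ValueError("ge must not exceed le")
    rule_net = _rule_network(prefix, net.version)
    if rule_net.version != net.version or not net.subnet_of(rule_net):
        return False
    plen = net.prefixlen
    if ge is None and le is None:
        return prefix == "any" or plen == rule_net.prefixlen
    if ge is not None and plen < ge:
        return False
    if le is not None and plen > le:
        return False
    return True


def evaluate(route, rules):
    """First matching rule wins; a route that matches no rule is implicitly denied.
    Returns (action, index of the matching rule or None)."""
    for index, rule in enumerate(rules):
        if rule_matches(route, rule):
            return rule[0], index
    return "deny", None


if __name__ == "__main__":
    for route in ("10.0.0.0/8", "10.1.0.0/16", "10.1.1.0/25", "192.168.1.0/24", "172.16.0.0/12"):
        print(route, "->", evaluate(route, RULES_V4))
    for route in ("2001:db8::/48", "2001:db8::/50", "2001:db8::/56"):
        print(route, "->", evaluate(route, RULES_V6))
```

Two details matter when you write the real list. Rule order is significant: the exact-match deny for 10.0.0.0/8 has to come before the permit for its subnets, or the aggregate would be let through by the broader rule. And the implicit deny at the end means a list built only from deny rules blocks everything; a list that is meant to filter out a few prefixes needs a final permit rule with a wide le.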
config router rip
Use these commands to configure RIP routing.
NOTE: You must have an advanced features license to use RIP routing.
The Routing Information Protocol (RIP) is a distance-vector routing protocol that works best in small networks that have no more than 15 hops. Each router maintains a routing table by sending out its routing updates and by asking neighbors for their routes. RIP is relatively simple to configure on FortiSwitch units but slow to respond to network outages. RIP is better than static routing but less scalable than open shortest path first (OSPF).
FortiSwitch supports RIP version 1 and RIP version 2:
- RIP version 1 uses classful addressing and broadcasting to send out updates to router neighbors. It does not support different sized subnets or classless inter-domain routing (CIDR) addressing.
- RIP version 2 supports classless routing and subnets of various sizes. Router authentication supports MD5 and authentication keys. Version 2 uses multicasting to reduce network traffic.
RIP uses three timers:
- The update timer determines the interval between routing updates. The default setting is 30 seconds.
- The timeout timer is the maximum time that a route is considered reachable while no updates are received for the route. The default setting is 180 seconds. The timeout timer setting should be at least three times longer than the update timer setting.
- The garbage timer is how long the FortiSwitch unit advertises a route as unreachable before deleting the route from the routing table. The default setting is 120 seconds.
You can enable bidirectional forwarding detection (BFD) with RIP. BFD is used to quickly locate hardware failures in the network. Routers running BFD communicate with each other, and, if a timer runs out on a connection, that router is declared to be down. BFD then communicates this information to RIP, and the routing information is updated.
Syntax
config router rip
set bfd {disable | enable}
set default-information-originate {disable | enable}
set default-metric <defaultmetric_int>
set garbage-timer <garbage_int>
set passive-interface <name_str>
set timeout-timer <timeout_int>
set update-timer <update_int>
set version {1 | 2}
config distance
edit <distanceid_int>
set access-list <access_string>
set distance <distance_int>
set prefix <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx>
end
config distribute-list
edit <distribute_int>
set direction {in | out}
set interface <interface_str>
set listname <listname_str>
set status {disable | enable}
end
config interface
edit <interface_str>
set auth-keychain <keychain_str>
set auth-mode {md5 | none | text}
set auth-string <password_str>
set receive-version {1 | 2 | both | global}
set send-version {1 | 2 | both | global}
set split-horizon-status {disable | enable}
set split-horizon {poisoned | regular}
end
config neighbor
edit <neighbor_int>
set <neighbor_ipv4>
end
config network
edit <network_int>
set prefix <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx>
end
config offset-list
edit <offsetlist_int>
set access-list <accesslist_str>
set direction {in | out}
set interface <interface_str>
set offset <offset_int>
set status {disable | enable}
end
config redistribute {bgp | connected | isis | ospf | static}
set status {disable | enable}
set metric <metric_int> (between 0 and 16)
set routemap <routemap_str>
end
end
Variable |
Description |
Default |
bfd {disable | enable} |
Enable or disable BFD. |
disable |
default-information-originate {disable | enable} |
Enable or disable whether a default route is advertised. |
disable |
default-metric <defaultmetric_int> |
Enter the default metric for redistributed routes. This setting does not affect connected routes. Use the metric option under config redistribute to set the metric for a specific source protocol. |
1 |
garbage-timer <garbage_int> |
Enter the number of seconds before a route is removed from the routing table. |
120 |
passive-interface <name_str> |
Specify which interface to set to passive mode. In passive mode, multicast and unicast RIP packets are sent only to RIP neighbors. |
No default |
timeout-timer <timeout_int> |
Enter the number of seconds before a route is no longer valid. The route is not removed from the routing table until the neighboring RIP routers are notified that the route has been dropped. |
180 |
update-timer <update_int> |
Enter the number of seconds between when the complete routing table is sent to neighboring RIP routers. |
30 |
version {1 | 2} |
Set the RIP version for receiving and sending RIP packets. |
2 |
config distance |
||
<distanceid_int> |
Enter the distance identifier. |
No default |
access-list <access_string> |
Enter the access list for the route destination. The default RIP distance is used only when the routeʼs source IP address matches the specified prefix and the specified access list. |
No default |
distance <distance_int> |
Enter the default RIP distance. The value range is from 1 to 255. The default RIP distance is used only when the routeʼs source IP address matches the specified prefix and the specified access list. |
120 |
prefix <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx> |
Enter the prefix. |
0.0.0.0 0.0.0.0 |
config distribute-list |
||
<distribute_int> |
Enter the distribute list identifier. |
No default |
direction {in | out} |
Set the list direction. |
out |
interface <interface_str> |
Enter the RIP interface name for the distribute list. |
No default |
listname <listname_str> |
Enter the access or prefix list name. |
No default |
status {disable | enable} |
Enable or disable whether the distribute list is used. |
disable |
config interface |
||
<interface_str> |
Enter the interface name. |
No default |
auth-keychain <keychain_str> |
Enter the name of the keychain to use for this interface. |
No default |
auth-mode {md5 | none | text} |
Set the authentication mode used for packets.
RIP version 1 does not use authentication. If auth-mode is md5, the keys come from the keychain selected with auth-keychain; if auth-mode is text, the password set with auth-string is carried in clear text in every authenticated RIP packet.
NOTE: You must create a keychain first before you can use the MD5 authentication mode with RIP version 2. |
none |
auth-string <password_str> |
If auth-mode is text, enter the password string. It is sent unencrypted, so anyone who can capture RIP traffic on the segment can read it. |
No default |
receive-version {1 | 2 | both | global} |
Set which version of RIP packets are accepted on this interface. Setting this option to global uses the version selected with the version option. |
global |
send-version {1 | 2 | both | global} |
Set which version of RIP packets are sent on this interface. Setting this option to global uses the version selected with the version option. |
global |
split-horizon-status {disable | enable} |
Enable or disable split horizon. |
enable |
split-horizon {poisoned | regular} |
Set the split-horizon type. |
regular |
config neighbor |
||
<neighbor_int> |
Enter a RIP neighbor identifier. |
No default |
<neighbor_ipv4> |
Enter an IP address for a RIP neighbor. Use this command if a RIP neighbor does not accept multicast packets. |
0.0.0.0 |
config network |
||
<network_int> |
Enter a network identifier. |
No default |
prefix <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx> |
Enter the prefix. |
0.0.0.0 0.0.0.0 |
config offset-list |
||
<offsetlist_int> |
Enter the offset list identifier. |
No default |
<accesslist_str> |
Enter the name of the access list. |
No default |
direction {in | out} |
Set the list direction. |
out |
interface <interface_str> |
Enter the RIP interface name that the offset list applies to. |
No default |
offset <offset_int> |
Enter the offset for incoming and outgoing metrics to routes learned using RIP. The value range is between 1 and 16. |
0 |
status {disable | enable} |
Enable or disable whether the offset list is used. |
disable |
config redistribute {bgp | connected | isis | ospf | static} |
||
redistribute {bgp | connected | isis | ospf | static} |
Redistribute routes so that they are included in RIP routing. |
connected |
status {disable | enable} |
Enable or disable whether the routes are redistributed. |
disable |
metric <metric_int> |
Enter the metric of the redistributed routes. The value range is between 0 and 16. |
0 |
routemap <routemap_str> |
Enter the route map name to filter the redistributed routes. |
No default |
Example
This example shows how to configure the RIP router and add authentication. It uses text mode, which sends the password unencrypted; where the neighbors support it, use auth-mode md5 with a keychain (see config router key-chain) instead:
config router rip
config network
edit 1
set prefix 170.38.65.0/24
next
edit 2
set prefix 128.8.0.0/16
next
end
config interface
edit "vlan35"
set auth-mode text
set auth-string simplepw1
next
end
end
config router route-map
Use this command to configure a route map for BGP, IS-IS, OSPF, or RIP routing.
NOTE: You must have an advanced features license to use OSPF or RIP routing.
Syntax
config router route-map
edit <routemap_str>
set comments <comments_str>
set protocol {bgp | isis | ospf | ospf6 | rip | zebra}
config rule
edit <rule_int>
set action {deny | permit}
set match-as-path <string>
set match-community <string>
set match-interface {<interface_str> | internal | mgmt}
set match-ip-address <address_str>
set match-ip6-address <access-list6 or prefix-list6>
set match-ip-nexthop <nexthop_str>
set match-metric <metric_int>
set match-origin {egp | igp | incomplete | none}
set match-tag <tag_int>
set set-aggregator-as <1-4294967295>
set set-aspath <1-4294967295>
set set-atomic-aggregate {enable | disable}
set set-community-delete <string>
set set-community <community>
set set-extcommunity-rt <community>
set set-extcommunity-soo <community>
set set-ip-nexthop <class_ipv4>
set set-ip6-nexthop <IPv6_address>
set set-local-preference <1-4294967295>
set set-metric <setmetric_int>
set set-metric-type {1 | 2}
set set-origin {egp | igp | incomplete | none}
set set-originator-id <IP_address>
set set-tag <settag_int>
set set-weight <0-2147483647>
end
end
end
Variable |
Description |
Default |
<routemap_str> |
Enter the name for the individual route map. |
No default |
comments <comments_str> |
Enter a descriptive comment. |
No default |
protocol {bgp | isis | ospf | ospf6 | rip | zebra} |
Set the protocol to BGP, IS-IS, OSPF (IPv4 or IPv6), RIP, or the core router daemon. |
No default |
<rule_int> |
Enter the rule identifier. |
No default |
action {deny | permit} |
Set whether the rule permits or denies routes that match this rule. |
permit |
match-as-path <string> |
BGP only. Match the BGP Autonomous System (AS) path list. |
No default |
match-community <string> |
BGP only. Match the BGP community list. |
No default |
match-interface {<interface_str> | internal | mgmt} |
Set which interface will be matched. |
No default |
match-ip-address <address_str> |
Match the IPv4 address permitted by the IPv4 access list or IPv4 prefix list. |
No default |
match-ip6-address <access-list6 or prefix-list6> |
OSPF (IPv6) only. Match the IPv6 address permitted by the IPv6 access list or IPv6 prefix list. |
No default |
match-ip-nexthop <nexthop_str> |
Match the next-hop IP address passed by the access list or prefix list. |
No default |
match-metric <metric_int> |
BGP and RIP only. Enter the metric to be matched for redistributed routes. The value range is 0-2147483647. |
0 |
match-origin {egp | igp | incomplete | none} |
BGP only. Match the BGP origin code: egp, igp, incomplete, or none. |
none |
match-tag <tag_int> |
Enter the tag to be matched. The value range is 0-2147483647. |
0 |
set-aggregator-as <1-4294967295> |
BGP only. Set the BGP aggregator AS. |
No default |
set-aspath <1-4294967295> |
BGP only. Prepend the BGP AS path attribute. Use quotation marks for repeating numbers, for example: |
No default |
set-atomic-aggregate {enable | disable} |
BGP only. Enable or disable the BGP atomic aggregate attribute. |
disable |
set-community-delete <string> |
BGP only. Delete communities matching the community list. |
No default |
set-community <community> |
BGP only. Set the BGP community attribute: |
No default |
set-extcommunity-rt <community> |
BGP only. Set the Route-Target extended community: AA:NN |
No default |
set-extcommunity-soo <community> |
BGP only. Set the Site-of-Origin extended community: AA:NN |
No default |
set-ip-nexthop <class_ipv4> |
BGP and RIP only. Enter the IPv4 address of the next hop. |
0.0.0.0 |
set-ip6-nexthop <IPv6_address> |
OSPF (IPv6) only. Enter the IPv6 address of the next hop. |
No default |
set-local-preference <1-4294967295> |
BGP only. Set the BGP local-preference path attribute. |
0 |
set-metric <setmetric_int> |
Enter the route metric value. The value range is 0-2147483647. |
0 |
set-metric-type {1 | 2} |
BGP and OSPF only. Set the metric type to external-type1 or external-type2. |
external-type1 |
set-origin {egp | igp | incomplete | none} |
BGP only. Set the BGP origin code: egp, igp, incomplete, or none. |
none |
set-originator-id <IP_address> |
BGP only. Set the BGP originator ID attribute. |
0.0.0.0 |
set-tag <settag_int> |
Enter the route tag value. The value range is 0-2147483647. |
0 |
set-weight <0-2147483647> |
BGP only. Set the BGP weight for the routing table. |
0 |
Example
This example shows how to configure a route map for RIP routing:
config router route-map
edit myroutemap
set comments "route map for RIP routing"
set protocol rip
config rule
edit 1
set action permit
set match-interface internal
set match-metric 12
set match-tag 36
set set-ip-nexthop 128.8.0.0
set set-metric 48
set set-tag 72
end
end
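To see what the route-map rule above does to candidate RIP routes, here is an added Python model of route-map evaluation (example code, not FortiSwitch's own). The page does not state evaluation order, so first-match and implicit-deny semantics, the second rule, and the sample routes are assumptions.

```python
from dataclasses import dataclass, field

# Constructed model of a "config router route-map" rule list (example code, not
# FortiSwitch's own implementation). Assumed standard route-map semantics, which
# the page does not spell out: rules are tried in ascending rule number, every
# match-* clause of a rule must hold, the first matching rule decides, and a
# route that matches no rule is denied.
@dataclass
class Rule:
    num: int                                   # edit <rule_int>
    action: str = "permit"                     # set action {deny | permit}
    match: dict = field(default_factory=dict)  # match-interface / match-metric / match-tag
    sets: dict = field(default_factory=dict)   # set-ip-nexthop / set-metric / set-tag

def rule_matches(rule, route):
    """All match clauses must hold; a rule with no match clauses matches any route."""
    return all(route.get(key) == value for key, value in rule.match.items())

def apply_route_map(rules, route):
    """Return the route with its set-* clauses applied if permitted, or None if denied."""
    for rule in sorted(rules, key=lambda r: r.num):
        if rule_matches(rule, route):
            return None if rule.action == "deny" else {**route, **rule.sets}
    return None                                # implicit deny when nothing matched

# "myroutemap" from the example above, plus an assumed second rule that passes
# every other route learned on the internal interface through unchanged.
MYROUTEMAP = [
    Rule(1, "permit", match={"interface": "internal", "metric": 12, "tag": 36},
         sets={"nexthop": "128.8.0.0", "metric": 48, "tag": 72}),
    Rule(2, "permit", match={"interface": "internal"}),
]

# Constructed RIP routes as the route map would see them.
REWRITTEN = apply_route_map(MYROUTEMAP, {"prefix": "10.1.0.0/16", "interface": "internal",
                                         "metric": 12, "tag": 36, "nexthop": "10.1.0.1"})
UNCHANGED = apply_route_map(MYROUTEMAP, {"prefix": "10.2.0.0/16", "interface": "internal",
                                         "metric": 3, "tag": 0, "nexthop": "10.2.0.1"})
DENIED = apply_route_map(MYROUTEMAP, {"prefix": "192.0.2.0/24", "interface": "mgmt",
                                      "metric": 12, "tag": 36, "nexthop": "192.0.2.1"})
```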
config router setting
Use this command to set which routing table to use.
NOTE: You must have an advanced features license to use OSPF or RIP routing.
Syntax
config router setting
config filter-list
edit <routemap_int>
set protocol {any | bgp | connected | isis | ospf | rip | static}
set route-map <routemap_str>
end
end
Variable |
Description |
Default |
<routemap_int> |
Enter a route map identifier. |
No default |
protocol {any | bgp | connected | isis | ospf | rip | static} |
Set which protocol this route map applies to. |
connected |
route-map <routemap_str> |
Enter the route map name. |
No default |
Example
This example shows how to apply a route map to OSPF routes:
config router setting
config filter-list
edit 2
set protocol ospf
set route-map myroutemap
end
end
config router static
Use this command to add, edit, or delete static routes for IPv4 traffic.
You add static routes to manually control traffic exiting the FortiSwitch unit. You configure routes by specifying destination IP addresses and network masks and adding gateways for these destination addresses. Gateways are the next-hop routers to which traffic matching the destination addresses in the route is forwarded.
You can adjust the administrative distance of a route to indicate preference when more than one route to the same destination is available. The lower the administrative distance, the more preferred the route. If the routing table contains several entries that point to the same destination (the entries may have different gateways or interface associations), the system compares the administrative distances of those entries, selects the entries having the lowest distances, and installs them as routes in the FortiSwitch forwarding table. Any ties are resolved by comparing the routes’ priority, with the lowest priority being preferred. As a result, the forwarding table only contains routes having the lowest distances to every possible destination.
After the system selects static routes for the forwarding table based on their administrative distances, the sequence numbers of those routes determine routing priority. When two routes to the same destination exist in the forwarding table, the system selects the route having the lowest sequence number.
Syntax
config router static
edit <sequence_number>
set bfd {enable | disable | global}
set blackhole {enable | disable}
set comment <comment_str>
set device <interface_name>
set distance <1-255>
set dst <destination-address_IPv4mask>
set dynamic-gateway {enable | disable}
set gateway <gateway-address_IPv4>
set status {enable | disable}
end
Variable |
Description |
Default |
<sequence_number> |
Enter a sequence number for the static route. The sequence number may influence routing priority in the forwarding table. |
No default |
bfd {enable | disable | global} |
Enable or disable bidirectional forwarding detection (BFD) for this route. If you set the value to global, the route uses the global BFD setting. |
disable |
blackhole {enable | disable} |
Enable or disable dropping all packets that match this route. A blackhole route is advertised to neighbors through dynamic routing protocols like any other static route. |
disable |
comment <comment_str> |
Optionally enter a descriptive comment. |
No default |
device <interface_name> |
This field is available when |
mgmt |
distance <1-255> |
Enter the administrative distance for the route. The distance value may influence route preference in the routing table. The range is an integer from 1-255. |
10 |
dst <destination-address_IPv4mask> |
Enter the destination IPv4 address and network mask for this route.
You can enter |
0.0.0.0 0.0.0.0 |
dynamic-gateway {enable | disable} |
When enabled, dynamic-gateway hides the gateway variable for a dynamic interface, such as a DHCP or PPPoE interface. When the interface connects or disconnects, the corresponding routing entries are updated to reflect the change. |
disable |
gateway <gateway-address_IPv4> |
This field is available when |
0.0.0.0 |
status {enable | disable} |
Enable this setting for the route to be added to the routing table. |
enable |
Example
This example shows how to configure a static route:
config router static
edit 1
set device mgmt
set gateway 192.168.0.10
set status enable
end
end
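The selection rules described above (lowest administrative distance, then priority, then lowest sequence number, with longest-prefix lookup), as an added Python model rather than FortiSwitch code. The route entries, the priority default of 0, and the blackhole and disabled entries are constructed to show which route is actually chosen.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
# Constructed model of the selection rules described above for "config router
# static" (example code, not FortiSwitch's own implementation). "priority" is the
# tie-breaker the text mentions; its default of 0 is assumed here.
@dataclass(frozen=True)
class StaticRoute:
    seq: int                   # edit <sequence_number>
    dst: str                   # set dst, written as "a.b.c.d/len"
    gateway: str = "0.0.0.0"   # set gateway
    device: str = "mgmt"       # set device
    distance: int = 10         # set distance (default 10)
    priority: int = 0          # tie-breaker after distance, lower wins
    blackhole: bool = False    # set blackhole
    status: bool = True        # set status
    @property
    def network(self):
        return IPv4Network(self.dst)

def build_forwarding_table(routes):
    """Per prefix, keep every enabled route with the lowest (distance, priority)."""
    table = {}
    for r in routes:
        if not r.status:
            continue                              # disabled routes are never installed
        key, cur = (r.distance, r.priority), table.get(r.network)
        if cur is None or key < (cur[0].distance, cur[0].priority):
            table[r.network] = [r]                # strictly better: replaces the set
        elif key == (cur[0].distance, cur[0].priority):
            cur.append(r)                         # tie: installed alongside, seq decides
    return table

def lookup(table, ip):
    """Longest-prefix match, then lowest seq; None when no route covers the address."""
    addr = IPv4Address(ip)
    covering = [p for p in table if addr in p]
    if not covering:
        return None
    best = max(covering, key=lambda p: p.prefixlen)
    return min(table[best], key=lambda r: r.seq)

ROUTES = [  # constructed sample entries, one per "edit <sequence_number>"
    StaticRoute(1, "0.0.0.0/0", gateway="192.168.0.10"),                    # default route
    StaticRoute(2, "10.0.0.0/8", gateway="192.168.0.1", device="internal"),  # distance 10
    StaticRoute(3, "10.0.0.0/8", gateway="192.168.0.2", device="internal", distance=5),
    StaticRoute(4, "10.0.0.0/8", gateway="192.168.0.3", device="internal", distance=5),
    StaticRoute(5, "10.66.0.0/16", blackhole=True),                          # drop this range
    StaticRoute(6, "172.16.0.0/12", gateway="192.168.0.1", status=False),    # never installed
]
FIB = build_forwarding_table(ROUTES)
```

Note that distance is only compared between routes to the same destination: the blackhole /16 still wins over the lower-distance /8 because lookup is longest-prefix first.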
config router static6
Use this command to add, edit, or delete static routes for IPv6 traffic.
You add static routes to manually control traffic exiting the FortiSwitch unit. You configure routes by specifying destination IP addresses and network masks and adding gateways for these destination addresses. Gateways are the next-hop routers to which traffic matching the destination addresses in the route is forwarded.
You can adjust the administrative distance of a route to indicate preference when more than one route to the same destination is available. The lower the administrative distance, the more preferred the route. If the routing table contains several entries that point to the same destination (the entries may have different gateways or interface associations), the system compares the administrative distances of those entries, selects the entries having the lowest distances, and installs them as routes in the FortiSwitch forwarding table. As a result, the forwarding table only contains routes having the lowest distances to every possible destination.
Syntax
config router static6
edit <sequence_number>
set bfd {enable | disable}
set blackhole {enable | disable}
set comment <comment_str>
set device <interface_name>
set distance <1-255>
set dst <destination-address_IPv6mask>
set gateway <gateway-address_IPv6>
set status {enable | disable}
end
Variable |
Description |
Default |
<sequence_number> |
Enter a sequence number for the static route. |
No default |
bfd {enable | disable} |
Enable or disable bidirectional forwarding detection (BFD). |
disable |
blackhole {enable | disable} |
Enable or disable dropping all packets that match this route. |
disable |
comment <comment_str> |
Optionally enter a descriptive comment. |
No default |
device <interface_name> |
Enter the name of the interface through which to route traffic. Enter ‘?’ to see a list of interfaces. |
No default |
distance <1-255> |
Enter the administrative distance for the route. The distance value may influence route preference in the routing table. The range is an integer from 1-255. |
10 |
dst <destination-address_IPv6mask> |
Enter the destination IPv6 address and network mask for this route. |
::/0 |
gateway <gateway-address_IPv6> |
Enter the IPv6 address of the next-hop router to which traffic is forwarded. |
:: |
status {enable | disable} |
Enable this setting for the route to be added to the routing table. |
enable |
Example
This example shows how to configure a static route for IPv6 traffic:
config router static6
edit 1
set dst 5555::/64
set gateway 4000::2
set status enable
end
end