Administration Guide

Access lists

Access lists are simple lists used for filtering routes based on a prefix consisting of an IPv4 or IPv6 address and netmask.

To configure an IPv4 access list:
config router access-list
    edit <name>
        config rule
            edit <id>
                set action {permit | deny}
                set prefix <IPv4_address>
                set wildcard <wildcard_filter>
                set exact-match {enable | disable}
            next
        end
    next
end

To configure an IPv6 access list:
config router access-list6
    edit <name>
        config rule
            edit <id>
                set action {permit | deny}
                set prefix <IPv6_address>
                set exact-match {enable | disable}
            next
        end
    next
end

In RIP, an access list can be used in the distribute-list setting to filter received or advertised routes, or in an offset-list to offset the hop count metric for a specific prefix.

To use an access list in RIP:
config router rip
    config distribute-list
        edit <id>
            set direction {in | out}
            set listname <string>
        next
    end
    config offset-list
        edit <id>
            set direction {in | out}
            set access-list <string>
            set offset <integer>
        next
    end
end

listname <string>: Enter the distribute access or prefix list name.

access-list <string>: Enter the access list name.

In OSPF, an access list can be used in the distribute-list-in setting to act as a filter to prevent a certain route from being inserted into the routing table. An access list can also be used in the distribute-list to filter the routes that can be distributed from other protocols.

To use an access list in OSPF:
config router ospf
    set distribute-list-in <string>
    config distribute-list
        edit <id>
            set access-list <string>
            set protocol {connected | static | rip}
        next
    end
end

distribute-list-in <string>: Enter the filter for incoming routes.

access-list <string>: Enter the access list name.

In BGP, an access list can be used to filter updates from a neighbor or to a neighbor.

To use an access list in BGP:
config router bgp
    config neighbor
        edit <ip>
            set distribute-list-in <string>
            set distribute-list-in6 <string>
            set distribute-list-in-vpnv4 <string>
            set distribute-list-out <string>
            set distribute-list-out6 <string>
            set distribute-list-out-vpnv4 <string>
        next
    end
end

distribute-list-in <string>: Enter the filter for IPv4 updates from this neighbor.

distribute-list-in6 <string>: Enter the filter for IPv6 updates from this neighbor.

distribute-list-in-vpnv4 <string>: Enter the filter for VPNv4 updates from this neighbor.

distribute-list-out <string>: Enter the filter for IPv4 updates to this neighbor.

distribute-list-out6 <string>: Enter the filter for IPv6 updates to this neighbor.

distribute-list-out-vpnv4 <string>: Enter the filter for VPNv4 updates to this neighbor.
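The following is an added example, not part of the Fortinet guide, that models how the IPv4 access-list rules defined above (action, prefix, wildcard, exact-match) evaluate a set of routes, so that a list intended for a BGP neighbor's distribute-list-in can be previewed offline before it is applied. It assumes first-match semantics with an implicit deny when nothing matches, Cisco-style wildcards (bits set to 1 are ignored), and that exact-match requires the route's prefix length to equal the rule's; the rule names and sample routes are constructed.

```python
"""Offline preview of an IPv4 access list as used in a distribute-list.
Assumed semantics: first matching rule wins; no match is an implicit deny;
wildcard bits set to 1 are "don't care"; exact-match requires an identical
prefix length. This is illustrative code, not FortiOS's implementation."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    prefix: Optional[str] = None     # "10.0.0.0/8": route must lie inside it
    wildcard: Optional[str] = None   # "172.16.0.0 0.15.255.255" (addr + wildcard)
    exact_match: bool = False        # only meaningful with prefix (assumption)

def matches(rule: Rule, route: str) -> bool:
    rt = ipaddress.ip_network(route, strict=False)
    if rule.wildcard:
        addr, wc = (int(ipaddress.ip_address(x)) for x in rule.wildcard.split())
        care = ~wc & 0xFFFFFFFF      # bits that must match (IPv4 only)
        return (int(rt.network_address) & care) == (addr & care)
    net = ipaddress.ip_network(rule.prefix, strict=False)
    if not rt.subnet_of(net):
        return False
    return not rule.exact_match or rt.prefixlen == net.prefixlen

def evaluate(rules: List[Rule], route: str) -> str:
    for rule in rules:               # rules are evaluated in order; first hit wins
        if matches(rule, route):
            return rule.action
    return "deny"                    # implicit deny when no rule matches (assumption)

def filter_routes(rules: List[Rule], routes: List[str]) -> List[str]:
    return [r for r in routes if evaluate(rules, r) == "permit"]

# Constructed sample: a list meant for a neighbor's distribute-list-in that
# rejects private space and a bare default route, and accepts everything else.
NEIGHBOR_IN = [
    Rule("deny", prefix="10.0.0.0/8"),                   # 10/8 and any subnet of it
    Rule("deny", wildcard="172.16.0.0 0.15.255.255"),    # 172.16/12 via wildcard
    Rule("deny", prefix="0.0.0.0/0", exact_match=True),  # only the default route itself
    Rule("permit", prefix="0.0.0.0/0"),                  # everything else
]
RECEIVED = ["10.1.2.0/24", "172.20.5.0/24", "0.0.0.0/0",
            "192.0.2.0/24", "203.0.113.0/24"]             # constructed sample routes

if __name__ == "__main__":
    for r in RECEIVED:
        print(f"{r:18} {evaluate(NEIGHBOR_IN, r)}")
    print("accepted:", filter_routes(NEIGHBOR_IN, RECEIVED))
```

Note how the exact-match rule only removes the default route, while the non-exact permit-all rule still accepts every other prefix; reordering the rules changes the result, because evaluation stops at the first match.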

In a route map, an access list can be used to match IP addresses and next hops.

To use an access list in a route map:
config router route-map
    edit <name>
        config rule
            edit <id>
                set match-ip-address <string>
                set match-ip6-address <string>
                set match-ip-nexthop <string>
                set match-ip6-nexthop <string>
            next
        end
    next
end

match-ip-address <string>: Match an IPv4 address permitted by access-list or prefix-list.

match-ip6-address <string>: Match an IPv6 address permitted by access-list6 or prefix-list6.

match-ip-nexthop <string>: Match a next hop IPv4 address passed by access-list or prefix-list.

match-ip6-nexthop <string>: Match a next hop IPv6 address passed by access-list6 or prefix-list6.
