Fortinet Document Library


config router

Use the config router commands to configure options related to routing protocols and packet forwarding:

config router access-list

Use this command to configure an IPv4 access list. An access list is a list of IP addresses and the action to take for each one. Access lists provide basic route and network filtering.

Syntax

config router access-list

edit <list_str>

set comments <comment_str>

config rule

edit <rule_int>

set action {deny | permit}

set prefix {<xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx> | any}

set wildcard <IP_address>

set exact-match {enable | disable}

end

end

Variable

Description

Default

<list_str>

Enter the name of the access list.
  • If the name is a number in the range of 1-99, you can define Cisco-style wildcard filter criteria with the set wildcard <ip> command.
  • If the name has at least one alphabetic character, you can set the prefix to define regular filter criteria using the set prefix {<xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx> | any} command.

No default

comments <comment_str>

Enter a descriptive comment.

No default

config rule

Configure the access-list rule.

<rule_int>

The rule identifier.

No default

action {deny | permit}

Set whether routes that match the rule's prefix or wildcard criteria are permitted or denied.

permit

prefix {<xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx> | any}

Set the prefix to define regular filter criteria, such as any or subnets.

NOTE: The access list name must contain at least one alphabetic character.

any

wildcard <IP_address>

Define Cisco-style wildcard filter criteria.

NOTE: The access list name must be a number in the range of 1-99. Names containing alphabetic characters are not supported for wildcard rules.

No default

exact-match {enable | disable}

Set whether the rule matches only a route whose prefix and prefix length are identical to the value in the prefix field. When disabled (the default), the prefix itself and any more-specific route within it also match.

disable

Example

This example shows how to configure an access list:

config router access-list

edit mylist

set comments "access list for RIP 1"

config rule

edit 1

set action permit

set prefix xxx.xx.xx.xx xxx.xxx.xxx.x

end

end

config router access-list6

Use this command to configure an IPv6 access list. An access list is a list of IP addresses and the action to take for each one. Access lists provide basic route and network filtering.

Syntax

config router access-list6

edit <name_of_IPv6_access_list>

set comments <string>

config rule

edit <rule_ID>

set action {deny | permit}

set prefix6 {<xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx> | any}

set exact-match {enable | disable}

next

end

end

Variable

Description

Default

<name_of_IPv6_access_list>

Enter the name of the IPv6 access list.

No default

comments <string>

Enter a descriptive comment.

No default

config rule

Configure the IPv6 access-list rule.

<rule_ID>

The rule identifier.

No default

action {deny | permit}

Set whether routes that match the rule's IPv6 prefix are permitted or denied.

permit

prefix6 {<xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx> | any}

Set the IPv6 prefix to define regular filter criteria, such as any or X:X::X:X/M.

any

exact-match {enable | disable}

Set whether the rule matches only a route whose prefix and prefix length are identical to the value in the prefix6 field. When disabled (the default), the prefix itself and any more-specific route within it also match.

disable

Example

This example shows how to configure an IPv6 access list:

config router access-list6

edit accesslist1

set comments "IPv6 access list"

config rule

edit 1

set action permit

set prefix6 fe80::a5b:eff:fef1:95e5

set exact-match disable

next

end

end
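The following is an added example, not FortiSwitch code or part of the original page. It models how the rules of config router access-list and config router access-list6 are evaluated against a candidate route, including the exact-match behaviour described above and the Cisco-style wildcard rules of numbered (1-99) lists. Two details are assumptions, because the page does not state them: a route that matches no rule is denied, and a wildcard rule is modelled as an (address, wildcard mask) pair. The lists MYLIST and LIST_10 are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# Added example, not FortiSwitch code: models how the rules of
# `config router access-list` and `config router access-list6` decide
# whether a route is permitted. Rules are evaluated in order and the
# first matching rule wins.
# Assumptions (not stated on the page): a route that matches no rule is
# denied, and a numbered-list wildcard rule is modelled as an (address,
# wildcard-mask) pair in the Cisco style the page refers to.

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class Rule:
    action: str                                  # "permit" or "deny"
    prefix: Optional[str] = None                 # "10.0.0.0/8", "2001:db8::/32" or "any"
    exact_match: bool = False                    # set exact-match enable
    wildcard: Optional[Tuple[str, str]] = None   # (address, Cisco wildcard mask)


def wildcard_matches(addr: ipaddress.IPv4Address, base: str, mask: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    care = ~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF
    return (int(addr) & care) == (int(ipaddress.IPv4Address(base)) & care)


def rule_matches(rule: Rule, route: Network) -> bool:
    if rule.wildcard is not None:
        # Numbered (1-99) lists test the route's network address only.
        return route.version == 4 and wildcard_matches(route.network_address, *rule.wildcard)
    if rule.prefix == "any":
        return True
    want = ipaddress.ip_network(rule.prefix, strict=False)
    if want.version != route.version:
        return False
    if rule.exact_match:
        return route == want                     # identical prefix and length only
    return route.subnet_of(want)                 # the prefix or anything more specific


def evaluate(rules: List[Rule], route_str: str) -> str:
    """Return 'permit' or 'deny' for a route such as '10.1.2.0/24'."""
    route = ipaddress.ip_network(route_str, strict=False)
    for rule in rules:
        if rule_matches(rule, route):
            return rule.action
    return "deny"                                # assumed implicit deny


# Constructed lists in the two styles the page describes.
MYLIST = [                                       # named list: prefix rules
    Rule("deny", "10.1.0.0/16", exact_match=True),   # only the /16 itself
    Rule("permit", "10.0.0.0/8"),                    # 10/8 and anything inside it
    Rule("permit", "2001:db8::/32"),                 # an access-list6 style rule
]
LIST_10 = [                                      # numbered list: wildcard rule
    Rule("permit", wildcard=("192.168.0.0", "0.0.255.255")),
]

if __name__ == "__main__":
    for r in ("10.1.0.0/16", "10.1.2.0/24", "172.16.0.0/12", "2001:db8:1::/48"):
        print(r, "->", evaluate(MYLIST, r))
    print("192.168.40.0/24 ->", evaluate(LIST_10, "192.168.40.0/24"))
```

The exact-match rule is the one to watch when an access list is used as a distribute-list on a BGP neighbor: with exact-match disabled, a deny of 10.1.0.0/16 also rejects every more-specific route inside it, which is usually what is intended; with exact-match enabled, 10.1.2.0/24 slips past the deny and is then permitted by the broader rule.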

config router aspath-list

Use this command to set or unset Border Gateway Protocol (BGP) AS-path list parameters. By default, BGP uses an ordered list of Autonomous System (AS) numbers to describe the route that a packet takes to reach its destination. A list of these AS numbers is called the AS path. You can filter BGP routes using AS path lists.

Use the config router aspath-list command to define an access list that examines the AS_PATH attributes of BGP routes to match routes. Each entry in the list defines a rule for matching and selecting routes based on the setting of the AS_PATH attribute.

Syntax

config router aspath-list

edit <AS_path_list_name>

config rule

edit <rule_identifier>

set action {deny | permit}

set regexp <string>

end

end

Variable

Description

Default

<AS_path_list_name>

Enter the name of the AS path list.

No default

config rule

Configure the AS path list rule.

<rule_identifier>

Enter a rule identifier.

No default

action {deny | permit}

Set whether to permit or deny route-based operations, based on the routeʼs AS_PATH attribute.

No default

regexp <string>

Specify the regular expression that will be compared to the AS_PATH attribute (for example, ^730$). The value is used to match AS numbers. Enclose a complex regular expression value within double-quotation marks.

No default
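The following is an added example, not FortiSwitch code or part of the original page. It shows how an AS-path list such as the one described above is applied to a route's AS_PATH, using the page's own pattern style (^730$) and a few patterns that anchor on AS-number boundaries so that AS 730 is not confused with AS 7300. Two assumptions are made, since the page does not state them: rules are tried in order with the first match deciding and an implicit deny at the end, and the `_` shorthand is expanded into an AS-number delimiter the way Cisco and Quagga/FRR do; if the FortiSwitch regex dialect lacks that shorthand, spell the delimiter out as AS_DELIM does. The list AS_FILTER is constructed for the example.

```python
import re
from typing import List, Tuple

# Added example, not FortiSwitch code: evaluates `config router aspath-list`
# rules against a route's AS_PATH, rendered as the usual space-separated
# string of AS numbers ("3356 730") so that the page's pattern style
# (for example ^730$) applies directly.
# Assumptions (not stated on the page): rules are tried in order with the
# first match deciding and an implicit deny at the end, and the `_`
# shorthand is expanded to an AS-number delimiter as Cisco and Quagga/FRR
# do; if the FortiSwitch regex dialect lacks it, spell the delimiter out
# as shown in AS_DELIM.

AS_DELIM = r"(?:^|[ ,{}()]|$)"   # start, end, or a separator between AS numbers


def compile_as_regexp(pattern: str) -> "re.Pattern":
    """Expand `_` into AS_DELIM and compile the pattern."""
    return re.compile(pattern.replace("_", AS_DELIM))


def as_path_text(as_path: List[int]) -> str:
    return " ".join(str(asn) for asn in as_path)


def evaluate_aspath_list(rules: List[Tuple[str, str]], as_path: List[int]) -> str:
    """rules: ordered (action, regexp) pairs as in `config rule`."""
    text = as_path_text(as_path)
    for action, pattern in rules:
        if compile_as_regexp(pattern).search(text):
            return action
    return "deny"                                  # assumed implicit deny


# Constructed AS-path list: reject anything originated by AS 730, accept
# locally originated routes and routes learned directly from AS 3356.
AS_FILTER = [
    ("deny", "^730$"),      # the page's example: the path is exactly AS 730
    ("deny", "_730$"),      # AS 730 is the origin, whatever comes before it
    ("permit", "^$"),       # empty AS_PATH: originated locally or by an IBGP peer
    ("permit", "^3356_"),   # first hop is AS 3356
    ("deny", ".*"),
]

if __name__ == "__main__":
    for path in ([730], [3356, 730], [3356, 7300], [], [174, 3356]):
        print(as_path_text(path) or "<empty>", "->", evaluate_aspath_list(AS_FILTER, path))
```

An unanchored pattern such as 730 would also match AS 7300 and AS 17301, which is why the delimiter matters when an AS-path list is used as a filter-list-in or filter-list-out on a neighbor.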

config router bgp

Use this command to configure Border Gateway Protocol version-4 (BGP-4) routing parameters. BGP can be used to perform Classless Interdomain Routing (CIDR) and to route traffic between different autonomous systems or domains using an alternative route if a link between a FortiSwitch unit and a BGP peer (such as an ISP router) fails.

The following RFCs are supported:

  • RFC1771—A Border Gateway Protocol 4 (BGP-4)
  • RFC1965—Autonomous System Confederations for BGP
  • RFC1997—BGP Communities Attribute
  • RFC2545—Use of BGP-4 Multiprotocol Extensions for IPv6 Inter-Domain Routing
  • RFC2796—BGP Route Reflection: An Alternative to Full Mesh IBGP
  • RFC2858—Multiprotocol Extensions for BGP-4
  • RFC2842—Capabilities Advertisement with BGP-4
  • RFC2439—BGP Route Flap Damping

Syntax

config router bgp

set as <MANDATORY_router_AS_number>

set router-id <MANDATORY_IP_address>

set keepalive-timer <0-65535>

set holdtime-timer <0, 3-65535>

set always-compare-med {disable | enable}

set bestpath-as-path-ignore {disable | enable}

set bestpath-cmp-confed-aspath {disable | enable}

set bestpath-cmp-routerid {disable | enable}

set bestpath-med-confed {disable | enable}

set bestpath-med-missing-as-worst {disable | enable}

set client-to-client-reflection {disable | enable}

set dampening {disable | enable}

set dampening-reachability-half-life <1-45>

set dampening-reuse <1-20000>

set dampening-suppress <1-20000>

set dampening-max-suppress-time <1-255>

set deterministic-med {disable | enable}

set enforce-first-as {disable | enable}

set fast-external-failover {disable | enable}

set log-neighbour-changes {disable | enable}

set cluster-id <IP_address>

set confederation-identifier <1-4294967295>

set default-local-preference <0-4294967295>

set scan-time <5-60>

set maximum-paths-ebgp <1-64>

set bestpath-aspath-multipath-relax {disable | enable}

set maximum-paths-ibgp <1-64>

set distance-external <1-255>

set distance-internal <1-255>

set distance-local <1-255>

set graceful-stalepath-time <1-3600>

config admin-distance

edit <identifier>

set distance <1-255>

set neighbour-prefix <IP_address_netmask>

set route-list <string>

end

config aggregate-address

edit <identifier>

set as-set {disable | enable}

set prefix <IPv4_address_netmask>

set summary-only {disable | enable}

end

config aggregate-address6

edit <identifier>

set as-set {disable | enable}

set prefix <IPv6_address_netmask>

set summary-only {disable | enable}

end

config neighbor

edit "<IPv4_IPv6_address>"

set advertisement-interval <0-600>

set allowas-in-enable {disable | enable}

set allowas-in <1-10>

set allowas-in-enable6 {disable | enable}

set allowas-in6 <1-10>

set attribute-unchanged {as-path | MED | next-hop}

set attribute-unchanged6 {as-path | MED | next-hop}

set activate {disable | enable}

set activate6 {disable | enable}

set bfd {disable | enable}

set capability-dynamic {disable | enable}

set capability-orf {both | none | receive | send}

set capability-orf6 {both | none | receive | send}

set capability-default-originate {disable | enable}

set capability-default-originate6 {disable | enable}

set dont-capability-negotiate {disable | enable}

set ebgp-enforce-multihop {disable | enable}

set ebgp-multihop-ttl <1-255>

set ebgp-ttl-security-hops <1-254>

set next-hop-self {disable | enable}

set next-hop-self6 {disable | enable}

set override-capability {disable | enable}

set passive {disable | enable}

set remove-private-as {disable | enable}

set remove-private-as6 {disable | enable}

set route-reflector-client {disable | enable}

set route-reflector-client6 {disable | enable}

set route-server-client {disable | enable}

set route-server-client6 {disable | enable}

set shutdown {disable | enable}

set soft-reconfiguration {disable | enable}

set soft-reconfiguration6 {disable | enable}

set as-override {disable | enable}

set as-override6 {disable | enable}

set strict-capability-match {disable | enable}

set description <string>

set distribute-list-in <string>

set distribute-list-in6 <string>

set distribute-list-out <string>

set distribute-list-out6 <string>

set filter-list-in <string>

set filter-list-in6 <string>

set filter-list-out <string>

set filter-list-out6 <string>

set interface <interface_name>

set maximum-prefix <1-4294967295>

set maximum-prefix6 <1-4294967295>

set prefix-list-in <string>

set prefix-list-in6 <string>

set prefix-list-out <string>

set prefix-list-out6 <string>

set remote-as <MANDATORY_1-4294967295>

set route-map-in <string>

set route-map-in6 <string>

set route-map-out <string>

set route-map-out6 <string>

set send-community {both | disable | extended | standard}

set send-community6 {both | disable | extended | standard}

set keep-alive-timer <0-65535>

set holdtime-timer <0, 3-65535>

set connect-timer <0-65535>

set unsuppress-map <string>

set unsuppress-map6 <string>

set update-source {interface_name}

set weight <0-65535>

end

config network

edit <identifier>

set backdoor {disable | enable}

set prefix <IPv4_address_netmask>

set route-map <string>

end

config network6

edit <identifier>

set backdoor {disable | enable}

set prefix6 <IPv6_address_netmask>

set route-map <string>

end

config redistribute {connected | isis | ospf | rip | static}

set status {disable | enable}

set route-map <string>

end

config redistribute6 {connected | isis | ospf | rip | static}

set status {disable | enable}

set route-map <string>

end

end

Variable

Description

Default

as <MANDATORY_router_AS_number>

Mandatory. Enter an integer to specify the local autonomous system (AS) number of the FortiSwitch unit. The range is from 1 to 4 294 967 295. A value of 0 disables BGP (disabled by default).

0

router-id <MANDATORY_IP_address>

Mandatory. Specify a fixed identifier for the FortiSwitch unit. A value of 0.0.0.0 is not allowed.

0.0.0.0

keepalive-timer <0-65535>

How often (in seconds) the router sends out keepalive messages to neighbor routers to maintain those sessions.

60

holdtime-timer <0, 3-65535>

How long (in seconds) the router will wait for a keepalive message before declaring a router offline. A shorter time will find an off-line router faster.

180

always-compare-med {disable | enable}

Always compare Multi-Exit Discriminator (MED).

disable

bestpath-as-path-ignore {disable | enable}

AS_PATH is the BGP attribute that records each AS that a route advertisement has passed through; it is used for loop prevention and, by default, as a best-path criterion (a shorter AS path is preferred). Enable this option to ignore AS_PATH length when selecting the best path. Disable it (the default) to prefer the route with the shortest AS path.

disable

bestpath-cmp-confed-aspath {disable | enable}

Enable or disable the comparison of the AS_CONFED_SEQUENCE attribute, which defines an ordered list of AS numbers representing a path from the FortiSwitch unit through autonomous systems within the local confederation.

disable

bestpath-cmp-routerid {disable | enable}

Compare router ID for identical external BGP (EBGP) paths.

disable

bestpath-med-confed {disable | enable}

Compare MED among confederation paths.

disable

bestpath-med-missing-as-worst {disable | enable}

Enable or disable (by default) treating a path with a missing MED as the least preferred path. When enabled, a missing MED is treated as the highest possible value rather than as 0.

disable

client-to-client-reflection {disable | enable}

Enable (by default) or disable client-to-client route reflection between internal BGP (IBGP) peers.

enable

dampening {disable | enable}

Enable or disable (by default) route-flap dampening on all BGP routes. A flapping route is unstable and continually transitions down and up (see RFC 2439).

disable

dampening-reachability-half-life <1-45>

If you enable dampening, set the reachability half-life (in minutes): the time after which a route's accumulated flap penalty is reduced by half. The penalty decays at this rate whether or not the route is currently suppressed.

15

dampening-reuse <1-20000>

If you enable dampening, set the reuse limit in penalty units. A suppressed route is advertised again once its decaying penalty falls below this limit.

750

dampening-suppress <1-20000>

If you enable dampening, set a dampening-suppression limit based on the number of accumulated penalties. A route is suppressed (not advertised) when its penalty exceeds the specified limit.

2000

dampening-max-suppress-time <1-255>

If you enable dampening, set the maximum time (in minutes) that a route can be suppressed. A route can continue to accumulate penalties while it is suppressed, but it cannot be suppressed longer than this maximum.

60

deterministic-med {disable | enable}

Enforce deterministic comparison of MED.

disable

enforce-first-as {disable | enable}

Enable to require that the first AS number in the AS_PATH of a route received from an EBGP peer is the peer's own AS number; updates that fail the check are rejected. This prevents a peer from advertising routes as though they were learned from a different neighboring AS.

disable

fast-external-failover {disable | enable}

Reset peer BGP session if link goes down.

enable

log-neighbour-changes {disable | enable}

Enable or disable logging of BGP neighbor state changes.

enable

cluster-id <IP_address>

Route reflector cluster ID.

0.0.0.0

confederation-identifier <1-4294967295>

Confederation identifier.

0

default-local-preference <0-4294967295>

Default local preference.

100

scan-time <5-60>

Background scanner interval (seconds).

60

maximum-paths-ebgp <1-64>

Set the maximum number of paths for equal-cost multi-path (ECMP) routing using the External Border Gateway Protocol (EBGP).

1

bestpath-aspath-multipath-relax {disable | enable}

Enable or disable load sharing across routes that are the same length but have different autonomous system (AS) paths.

disable

maximum-paths-ibgp <1-64>

Set the maximum number of paths for equal-cost multi-path (ECMP) routing using the Internal Border Gateway Protocol (IBGP).

1

distance-external <1-255>

Distance for routes external to the AS.

20

distance-internal <1-255>

Distance for routes internal to the AS.

200

distance-local <1-255>

Distance for routes local to the AS.

200

graceful-stalepath-time <1-3600>

Time (in seconds) to hold the stale paths of a restarting neighbor during graceful restart.

360

config admin-distance

Configure administrative distance modifications.

<identifier>

Enter an identifier to set administrative distance modifications for BGP routes.

No default

distance <1-255>

Set the administrative distance to apply.

0

neighbour-prefix <IP_address_netmask>

Neighbor address prefix. Enter the IP address and netmask; the distance applies to routes learned from neighbors whose address falls within this prefix.

0.0.0.0 0.0.0.0

route-list <string>

The access list of routes this distance will be applied to.

No default

config aggregate-address

Configure the table of BGP IPv4 aggregate addresses.

<identifier>

Enter a BGP aggregate entry in the routing table.

When you aggregate routes, routing becomes less precise because path details are not readily available for routing purposes. The aggregate address represents addresses in several autonomous systems. Aggregation reduces the length of the network mask until it masks only the bits that are common to all of the addresses being summarized.

No default

as-set {disable | enable}

Enable or disable the generation of an unordered list of AS numbers to include in the path information.

disable

prefix <IPv4_address_netmask>

Aggregate IPv4 prefix. The prefix 0.0.0.0 0.0.0.0 is not allowed.

No default

summary-only {disable | enable}

Enable or disable filtering more specific routes from updates.

disable

config aggregate-address6

Configure the table of BGP IPv6 aggregate addresses.

<identifier>

Enter a BGP aggregate entry in the routing table.

When you aggregate routes, routing becomes less precise because path details are not readily available for routing purposes. The aggregate address represents addresses in several autonomous systems. Aggregation reduces the length of the network mask until it masks only the bits that are common to all of the addresses being summarized.

No default

as-set {disable | enable}

Enable or disable the generation of an unordered list of AS numbers to include in the path information.

disable

prefix6 <IPv6_address_netmask>

Aggregate IPv6 prefix.

No default

summary-only {disable | enable}

Enable or disable filtering more specific routes from updates.

disable

config neighbor

Configure the BGP neighbor table.

<IPv4_IPv6_address>

Enter the IPv4 or IPv6 address of the BGP neighbor.

No default

advertisement-interval <0-600>

Set the minimum amount of time (in seconds) that the FortiSwitch unit waits before sending a BGP routing update to the BGP neighbor.

30

allowas-in-enable {disable | enable}

Enable to accept IPv4 routes whose AS_PATH already contains the local AS number. Such routes are normally rejected as loops.

disable

allowas-in <1-10>

If you enable allowas-in-enable, set the maximum number of times the local AS number may appear in the AS_PATH of an accepted IPv4 route.

No default

allowas-in-enable6 {disable | enable}

Enable to accept IPv6 routes whose AS_PATH already contains the local AS number. Such routes are normally rejected as loops.

disable

allowas-in6 <1-10>

If you enable allowas-in-enable6, set the maximum number of times the local AS number may appear in the AS_PATH of an accepted IPv6 route.

No default

attribute-unchanged {as-path | MED | next-hop}

Propagate the selected BGP attributes unchanged to the BGP neighbor (for IPv4):
  • To advertise the AS_PATH attribute unchanged, select as-path.
  • To advertise the MULTI_EXIT_DISC (MED) attribute unchanged, select med.
  • To keep the next-hop attribute as is, select next-hop.
  • An empty set (default) is a supported value.

No default

attribute-unchanged6 {as-path | MED | next-hop}

Propagate the selected BGP attributes unchanged to the BGP neighbor (for IPv6):

  • To advertise the AS_PATH attribute unchanged, select as-path.
  • To advertise the MULTI_EXIT_DISC (MED) attribute unchanged, select med.
  • To keep the next-hop attribute as is, select next-hop.
  • An empty set (default) is a supported value.

No default

activate {disable | enable}

Enable address family IPv4 for this neighbor.

enable

activate6 {disable | enable}

Enable address family IPv6 for this neighbor.

enable

bfd {disable | enable}

Enable BFD for this neighbor.

disable

capability-dynamic {disable | enable}

Advertise dynamic capability to this neighbor.

disable

capability-orf {both | none | receive | send}

Enable advertising of Outbound Routing Filter (ORF) prefix-list capability to the BGP neighbor using one of the following methods (for IPv4):
  • none: disable the advertising of ORF prefix-list capability.
  • receive: enable receive capability.
  • send: enable send capability.
  • both: enable send and receive capability.

none

capability-orf6 {both | none | receive | send}

Enable advertising of ORF prefix-list capability to the BGP neighbor using one of the following methods (for IPv6):

  • none: disable the advertising of ORF prefix-list capability.
  • receive: enable receive capability.
  • send: enable send capability.
  • both: enable send and receive capability.

none

capability-default-originate {disable | enable}

Advertise the default IPv4 route to this neighbor.

disable

capability-default-originate6 {disable | enable}

Advertise the default IPv6 route to this neighbor.

disable

dont-capability-negotiate {disable | enable}

Do not negotiate capabilities with this neighbor.

disable

ebgp-enforce-multihop {disable | enable}

Enable or disable sessions with EBGP neighbors that are not directly connected (multi-hop EBGP).

disable

ebgp-multihop-ttl <1-255>

If you enable ebgp-enforce-multihop, define a TTL value for BGP packets sent to the BGP neighbor.

255

ebgp-ttl-security-hops <1-254>

Specify the expected maximum number of hops to the EBGP peer to enable TTL security (GTSM, RFC 5082). Packets from the peer whose TTL shows that they travelled more hops than this value are discarded, which blocks spoofed BGP packets sent from further away than the real peer. The default leaves the check disabled.

0

next-hop-self {disable | enable}

Enable to advertise the FortiSwitch unit's own address as the next hop in IPv4 routes sent to this neighbor, instead of the next hop that was received with the route (typically used on IBGP sessions).

disable

next-hop-self6 {disable | enable}

Enable to advertise the FortiSwitch unit's own address as the next hop in IPv6 routes sent to this neighbor, instead of the next hop that was received with the route (typically used on IBGP sessions).

disable

override-capability {disable | enable}

Enable or disable the overriding of the result of the capability negotiation.

disable

passive {disable | enable}

Enable to make the session passive: the FortiSwitch unit accepts a connection from this neighbor but does not initiate one or send OPEN messages itself.

disable

remove-private-as {disable | enable}

Enable or disable the removal of the private AS number from the IPv4 outbound updates.

disable

remove-private-as6 {disable | enable}

Enable or disable the removal of the private AS number from the IPv6 outbound updates.

disable

route-reflector-client {disable | enable}

Enable or disable treating this neighbor as an IPv4 route reflector client.

disable

route-reflector-client6 {disable | enable}

Enable or disable treating this neighbor as an IPv6 route reflector client.

disable

route-server-client {disable | enable}

Enable or disable treating this neighbor as an IPv4 route server client.

disable

route-server-client6 {disable | enable}

Enable or disable treating this neighbor as an IPv6 route server client.

disable

shutdown {disable | enable}

Enable to administratively shut down the session with this neighbor without removing its configuration.

disable

soft-reconfiguration {disable | enable}

Enable or disable IPv4 inbound soft reconfiguration. When enabled, unmodified updates received from this neighbor are stored so that a changed inbound policy can be applied without resetting the session.

disable

soft-reconfiguration6 {disable | enable}

Enable or disable IPv6 inbound soft reconfiguration. When enabled, unmodified updates received from this neighbor are stored so that a changed inbound policy can be applied without resetting the session.

disable

as-override {disable | enable}

Enable or disable the replacement of the peer AS with own AS for IPv4.

disable

as-override6 {disable | enable}

Enable or disable the replacement of the peer AS with own AS for IPv6.

disable

strict-capability-match {disable | enable}

Enable or disable strict capability matching.

disable

description <string>

Enter a description of this neighbor.

No default

distribute-list-in <string>

Limit route updates from the BGP neighbor based on the Network Layer Reachability Information (NLRI) prefixes defined in the specified IPv4 access list. You must create the access list before it can be selected here. See config router access-list.

No default

distribute-list-in6 <string>

Limit route updates from the BGP neighbor based on the Network Layer Reachability Information (NLRI) prefixes defined in the specified IPv6 access list. You must create the access list before it can be selected here. See config router access-list6.

No default

distribute-list-out <string>

Limit route updates to the BGP neighbor based on the NLRI defined in the specified IPv4 access list. You must create the access list before it can be selected here. See config router access-list.

No default

distribute-list-out6 <string>

Limit route updates to the BGP neighbor based on the NLRI defined in the specified IPv6 access list. You must create the access list before it can be selected here. See config router access-list6.

No default

filter-list-in <string>

BGP AS path filter for IPv4 inbound routes. You must create the AS path list before it can be selected here. See config router aspath-list.

No default

filter-list-in6 <string>

BGP AS path filter for IPv6 inbound routes. You must create the AS path list before it can be selected here. See config router aspath-list.

No default

filter-list-out <string>

BGP AS path filter for IPv4 outbound routes. You must create the AS path list before it can be selected here. See config router aspath-list.

No default

filter-list-out6 <string>

BGP AS path filter for IPv6 outbound routes. You must create the AS path list before it can be selected here. See config router aspath-list.

No default

interface <interface_name>

Set the interface.

No default

maximum-prefix <1-4294967295>

Enter the maximum number of IPv4 prefixes to accept from this peer.

unset

maximum-prefix6 <1-4294967295>

Enter the maximum number of IPv6 prefixes to accept from this peer.

unset

prefix-list-in <string>

Limit route updates from a BGP neighbor based on the Network Layer Reachability Information (NLRI) in the specified IPv4 prefix list. The prefix list defines the NLRI prefix and length advertised in a route. You must create the prefix list before it can be selected here. See config router prefix-list.

No default

prefix-list-in6 <string>

Limit route updates from a BGP neighbor based on the Network Layer Reachability Information (NLRI) in the specified IPv6 prefix list. The prefix list defines the NLRI prefix and length advertised in a route. You must create the prefix list before it can be selected here. See config router prefix-list6.

No default

prefix-list-out <string>

Limit route updates to a BGP neighbor based on the NLRI in the specified IPv4 prefix list. The prefix list defines the NLRI prefix and length advertised in a route. You must create the prefix list before it can be selected here. See config router prefix-list.

No default

prefix-list-out6 <string>

Limit route updates to a BGP neighbor based on the NLRI in the specified IPv6 prefix list. The prefix list defines the NLRI prefix and length advertised in a route. You must create the prefix list before it can be selected here. See config router prefix-list6.

No default

remote-as <MANDATORY_1-4294967295>

Mandatory. Adds a BGP neighbor to the FortiSwitch configuration and sets the AS number of the neighbor. If the number is identical to the AS number of the FortiSwitch unit, the FortiSwitch unit communicates with the neighbor using internal BGP (IBGP). Otherwise, the neighbor is an external peer, and the FortiSwitch unit uses EBGP to communicate with the neighbor.

0

route-map-in <string>

Limit route updates or change the attributes of route updates from the BGP neighbor according to the specified IPv4 route map. Only the route maps for this protocol are listed. You must create the route map before it can be selected here. See config router route-map.

No default

route-map-in6 <string>

Limit route updates or change the attributes of route updates from the BGP neighbor according to the specified IPv6 route map. Only the route maps for this protocol are listed. You must create the route map before it can be selected here. See config router route-map.

No default

route-map-out <string>

Limit route updates or change the attributes of route updates to the BGP neighbor according to the specified IPv4 route map. Only the route maps for this protocol are listed. You must create the route map before it can be selected here. See config router route-map.

No default

route-map-out6 <string>

Limit route updates or change the attributes of route updates to the BGP neighbor according to the specified IPv6 route map. Only the route maps for this protocol are listed. You must create the route map before it can be selected here. See config router route-map.

No default

send-community {both | disable | extended | standard}

Enable sending the COMMUNITY attribute to the BGP neighbor using one of the following methods (for IPv4):
  • standard: send standard communities
  • extended: send extended communities
  • both: send both standard and extended communities (default)
  • disable: do not send the COMMUNITY attribute

both

send-community6 {both | disable | extended | standard}

Enable sending the COMMUNITY attribute to the BGP neighbor using one of the following methods (for IPv6):

  • standard: send standard communities
  • extended: send extended communities
  • both: send both standard and extended communities (default)
  • disable: do not send the COMMUNITY attribute

both

keep-alive-timer <0-65535>

How often (in seconds) the router sends out keepalive messages to neighbor routers to maintain those sessions.

No default

holdtime-timer <0, 3-65535>

How long (in seconds) the router will wait for a keepalive message before declaring a router offline. A shorter time will find an off-line router faster.

No default

connect-timer <0-65535>

Interval (in seconds) between attempts to open a TCP connection to this neighbor.

No default

unsuppress-map <string>

Specify the name of the IPv4 route map to selectively unsuppress suppressed routes. Only the route maps for this protocol are listed. You must create the route map before it can be selected here. See config router route-map.

No default

unsuppress-map6 <string>

Specify the name of the IPv6 route map to selectively unsuppress suppressed routes. Only the route maps for this protocol are listed. You must create the route map before it can be selected here. See config router route-map.

No default

update-source {interface_name}

Interface to use as source IP/IPv6 address of TCP connections.

No default

weight <0-65535>

Weight assigned to routes received from this neighbor. Among otherwise comparable paths, the route with the higher weight is preferred.

No default

config network

Configure the BGP IPv4 network table.

<identifier>

Enter an identifier.

No default

backdoor {disable | enable}

Enable to treat this network as a backdoor route: routes learned from EBGP peers for this prefix are given the internal distance instead of the external distance, so that a route learned through an IGP is preferred.

disable

prefix <IPv4_address_netmask>

Set the network IPv4 prefix as an IP address and netmask (for example, 192.168.2.0 255.255.255.0).

0.0.0.0 0.0.0.0

route-map <string>

Specify the name of the route map. Only the route maps for this protocol are listed. See config router route-map.

No default

config network6

Configure the BGP IPv6 network table.

<identifier>

Enter an identifier.

No default

backdoor {disable | enable}

Enable to treat this network as a backdoor route: routes learned from EBGP peers for this prefix are given the internal distance instead of the external distance, so that a route learned through an IGP is preferred.

disable

prefix <IPv6_address_netmask>

Set the network IPv6 prefix and prefix length.

No default

route-map <string>

Specify the name of the route map. Only the route maps for this protocol are listed. See config router route-map.

No default

config redistribute {connected | isis | ospf | rip | static}

Configure the BGP IPv4 redistribute table.

status {disable | enable}

Enable to redistribute IPv4 routes learned by the selected protocol (connected, static, RIP, OSPF, or IS-IS) into BGP. When a large internetwork is divided into multiple routing domains, use this subcommand to carry routes between the domains.

disable

route-map <string>

Specify the name of the route map that identifies the routes to redistribute. If a route map is not specified, all routes are redistributed to BGP. Only the route maps for this protocol are listed. You must create the route map before it can be selected here. See config router route-map.

No default

config redistribute6 {connected | isis | ospf | rip | static}

Configure the BGP IPv6 redistribute table.

status {disable | enable}

Enable to redistribute IPv6 routes learned by the selected protocol (connected, static, RIP, OSPF, or IS-IS) into BGP. When a large internetwork is divided into multiple routing domains, use this subcommand to carry routes between the domains.

disable

route-map <string>

Specify the name of the route map that identifies the routes to redistribute. If a route map is not specified, all routes are redistributed to BGP. Only the route maps for this protocol are listed. You must create the route map before it can be selected here. See config router route-map.

No default
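The following is an added example, not FortiSwitch code or part of the original page. It works through the RFC 2439 route-flap dampening arithmetic behind the four dampening-* settings in the table above (dampening-reachability-half-life, dampening-reuse, dampening-suppress, dampening-max-suppress-time), using the defaults listed there, so that the relationship between them is visible: with a 15-minute half-life and a 60-minute maximum suppression time, the penalty is capped at 750 × 2^(60/15) = 12000, and a route that reaches a penalty of 3000 stays suppressed for exactly two half-lives. Two assumptions are made, since the page does not state them: each flap adds a penalty of 1000 (the value most implementations use), and the penalty is capped at the level the maximum suppression time implies.

```python
import math
from typing import List, Tuple

# Added example, not FortiSwitch code: works through the RFC 2439 route-flap
# dampening arithmetic behind the four dampening-* settings, using the
# defaults listed on the page. Assumptions (not stated on the page): each
# flap adds a penalty of 1000, the value most implementations use, and the
# penalty is capped at the level that max-suppress-time implies.

HALF_LIFE_MIN = 15      # dampening-reachability-half-life (minutes)
REUSE = 750             # dampening-reuse
SUPPRESS = 2000         # dampening-suppress
MAX_SUPPRESS_MIN = 60   # dampening-max-suppress-time (minutes)
FLAP_PENALTY = 1000     # assumed penalty per flap


def max_penalty(reuse: int = REUSE, half_life: float = HALF_LIFE_MIN,
                max_suppress: float = MAX_SUPPRESS_MIN) -> float:
    """Highest penalty that still decays below `reuse` within max-suppress-time."""
    return reuse * 2 ** (max_suppress / half_life)


def decay(penalty: float, minutes: float, half_life: float = HALF_LIFE_MIN) -> float:
    """The penalty halves every half-life."""
    return penalty * 0.5 ** (minutes / half_life)


def minutes_until_reuse(penalty: float, reuse: int = REUSE,
                        half_life: float = HALF_LIFE_MIN) -> float:
    """Time a route with this penalty stays suppressed before it is re-advertised."""
    if penalty <= reuse:
        return 0.0
    return half_life * math.log2(penalty / reuse)


def simulate(flap_times_min: List[float]) -> List[Tuple[float, int, bool]]:
    """Replay flaps at the given times (minutes) and report
    (time, penalty after the flap, suppressed?) for each one."""
    cap = max_penalty()
    penalty, last, suppressed, out = 0.0, 0.0, False, []
    for t in flap_times_min:
        penalty = decay(penalty, t - last)
        if suppressed and penalty < REUSE:
            suppressed = False               # decayed below reuse before this flap
        penalty = min(penalty + FLAP_PENALTY, cap)
        last = t
        if penalty > SUPPRESS:
            suppressed = True
        out.append((t, round(penalty), suppressed))
    return out


if __name__ == "__main__":
    print("penalty cap:", max_penalty())                       # 12000.0
    for t, p, s in simulate([0, 1, 2]):
        print(f"t={t:>3} min penalty={p:>5} suppressed={s}")
    print("minutes until reuse after three quick flaps:",
          round(minutes_until_reuse(3000), 1))
```

Three flaps within two minutes push the penalty past the suppress limit of 2000; the route then stays withdrawn until the penalty decays below 750, and the cap guarantees that, however many flaps accumulate, that wait never exceeds the 60-minute maximum.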

Example

This example shows how to configure internal BGP routing:

config router bgp

set as 6500

set router-id 1.2.3.4

config neighbor

edit "172.168.111.5"

set remote-as 6500

next

end

config network

edit 1

set prefix 192.168.2.0 255.255.255.0

next

end

config redistribute "connected"

set status enable

end

end
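The following is an added example, not FortiSwitch code or part of the original page. It parses the config/edit/set/next/end structure used throughout this page into a tree and then audits the neighbor settings described in the table above: every EBGP neighbor should carry an inbound filter (prefix-list-in, distribute-list-in, filter-list-in or route-map-in), a maximum-prefix limit, ebgp-ttl-security-hops and remove-private-as, and enforce-first-as should be enabled globally. That checklist is this example's own selection of the options the page describes, not a Fortinet recommendation. The configuration text, addresses, AS numbers and the prefix-list name from-65030 are constructed for the example.

```python
import shlex
from typing import Any, Dict, List

# Added example, not FortiSwitch code: parses the config/edit/set/next/end
# structure of a `config router bgp` block into a tree and audits the
# neighbor settings described on the page. The checklist (an inbound filter,
# maximum-prefix, ebgp-ttl-security-hops and remove-private-as on every
# EBGP neighbor, enforce-first-as globally) is this example's own; it is
# not a Fortinet recommendation. The configuration below is constructed
# for the example; the addresses, AS numbers and list names are made up.

SAMPLE_CONFIG = """
config router bgp
    set as 65010
    set router-id 192.0.2.1
    set log-neighbour-changes enable
    config neighbor
        edit "198.51.100.2"
            set remote-as 65020
            set description "transit A, unfiltered"
        next
        edit "198.51.100.6"
            set remote-as 65030
            set description "transit B, filtered"
            set prefix-list-in "from-65030"
            set maximum-prefix 500
            set ebgp-ttl-security-hops 1
            set remove-private-as enable
        next
        edit "192.0.2.2"
            set remote-as 65010
            set description "IBGP to core"
        next
    end
    config redistribute "connected"
        set status enable
    end
end
"""

INBOUND_FILTERS = ("prefix-list-in", "distribute-list-in", "filter-list-in", "route-map-in")


def parse_fortios(text: str) -> Dict[str, Any]:
    """Turn FortiOS-style CLI text into nested dicts keyed by config/edit names."""
    root: Dict[str, Any] = {}
    stack: List[tuple] = [(root, "root")]       # (node, kind) with kind config/edit
    for raw in text.splitlines():
        tok = shlex.split(raw)
        if not tok:
            continue
        node = stack[-1][0]
        if tok[0] in ("config", "edit"):
            child: Dict[str, Any] = {}
            node[" ".join(tok[1:])] = child
            stack.append((child, tok[0]))
        elif tok[0] == "set":
            node[tok[1]] = tok[2] if len(tok) == 3 else tok[2:]
        elif tok[0] == "next":
            stack.pop()
        elif tok[0] == "end":                    # closes the enclosing config, even from inside an edit
            while stack.pop()[1] != "config":
                pass
    return root


def audit_bgp(tree: Dict[str, Any]) -> Dict[str, List[str]]:
    """Return {neighbor or 'global': [issue, ...]} for settings that weaken the peering."""
    bgp = tree["router bgp"]
    issues: Dict[str, List[str]] = {}
    global_issues = []
    if bgp.get("enforce-first-as") != "enable":
        global_issues.append("enforce-first-as")
    if bgp.get("log-neighbour-changes") == "disable":
        global_issues.append("log-neighbour-changes")
    if global_issues:
        issues["global"] = global_issues
    for peer, cfg in bgp.get("neighbor", {}).items():
        if cfg.get("remote-as") == bgp.get("as"):
            continue                             # IBGP: the EBGP checks do not apply
        found = []
        if not any(k in cfg for k in INBOUND_FILTERS):
            found.append("no-inbound-filter")
        if "maximum-prefix" not in cfg:
            found.append("no-maximum-prefix")
        if "ebgp-ttl-security-hops" not in cfg:
            found.append("no-ttl-security")
        if cfg.get("remove-private-as") != "enable":
            found.append("private-as-not-removed")
        if found:
            issues[peer] = found
    return issues


if __name__ == "__main__":
    for who, problems in audit_bgp(parse_fortios(SAMPLE_CONFIG)).items():
        print(f"{who}: {', '.join(problems)}")
```

Run against the constructed configuration, the audit flags the unfiltered transit neighbor on all four counts and the missing global enforce-first-as, and passes the filtered neighbor and the IBGP peer. The same parser accepts output copied from a running unit, since it only relies on the config/edit/set/next/end keywords and quoting shown in the examples on this page.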

config router community-list

Use this command to identify BGP routes according to their COMMUNITY attributes (see RFC 1997). Each entry in the community list defines a rule for matching and selecting routes based on the setting of the COMMUNITY attribute.

Syntax

config router community-list

edit <community_list_name>

set type {expanded | standard}

config rule

edit <rule_identifier>

set action {deny | permit}

set regexp <regular_expression>

set match <community_number | internet | local-AS | no-advertise | no-export>

end

end

Variable

Description

Default

<community_list_name>

Enter a name for the community list.

NOTE: If the community list name is a number in the range of 1-99, the type is set to standard by default. If the community list name is a number greater than 99, the type is set to expanded by default.

No default

type {expanded | standard}

Specify the type of community to match.

NOTE: This field is valid only when the community list name is not numeric.

standard

config rule

Configure the community list rule.

<rule_identifier>

Enter a rule identifier.

No default

action {deny | permit}

Set whether routes whose COMMUNITY attribute matches this rule are included in (permit) or excluded from (deny) the list's match. The list only classifies routes; the route map that references the list decides what is done with the routes that match.

No default

regexp <regular_expression>

If you select an expanded community, specify an ordered list of COMMUNITY attributes as a regular expression. The value or values are used to match a community. Enclose a complex regular expression value within double-quotation marks.

No default

match <community_number | internet | local-AS | no-advertise | no-export>

If you select a standard community, specify the criteria for matching a reserved community:
  • Use decimal notation to match one or more COMMUNITY attributes having the syntax AA:NN, where AA represents an AS, and NN is the community identifier. Delimit complex expressions with double-quotation marks (for example, “123:234 345:456”).
  • To match all routes in the Internet community, type internet.
  • To match all routes in the LOCAL_AS community (NO_EXPORT_SUBCONFED in RFC 1997), type local-AS. Matched routes are not advertised to any EBGP peer, including peers in other member ASes of a confederation.
  • To select all routes in the NO_ADVERTISE community, type no-advertise. Matched routes are not advertised.
  • To select all routes in the NO_EXPORT community, type no-export. Matched routes are not advertised to EBGP peers. If a confederation is configured, the routes are advertised within the confederation.

No default
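The page gives no example for this command, so the following one is added here; it is not from the original page, and its names and numbers are assumptions: private AS 65001 is a customer AS, 65001:100 and 65001:200 are the tags that customer is allowed to send, and 65001:666 is an operator-only action community that a customer must never be able to set. Assuming, as in other BGP implementations, that rules are evaluated in identifier order and the first match decides, the standard list "cust65001-allowed" matches routes tagged 65001:100 or 65001:200 unless they also carry 65001:666, because the deny rule is evaluated first; the expanded list "cust65001-any" uses a regular expression to match any community in AS 65001's namespace.

```text
config router community-list
    edit "cust65001-allowed"
        set type standard
        config rule
            edit 1
                set action deny
                set match "65001:666"
            next
            edit 2
                set action permit
                set match "65001:100"
            next
            edit 3
                set action permit
                set match "65001:200"
            next
        end
    next
    edit "cust65001-any"
        set type expanded
        config rule
            edit 1
                set action permit
                set regexp "65001:[0-9]+"
            next
        end
    next
end
```

The regular expression is not anchored, so it matches when any community of the route falls in 65001:0 through 65001:65535. Neither list drops a route by itself: reference the list from a route map (see config router route-map) that denies routes matching an operator-only community received from a customer peer, and permits the rest.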

config router isis

Intermediate System to Intermediate System Protocol (IS-IS) allows routing of ISO’s OSI protocol stack Connectionless Network Service (CLNS). IS-IS is an Interior Gateway Protocol (IGP) that is not intended to be used between Autonomous Systems (AS).

Syntax

config router isis

set auth-keychain-area <string>

set auth-keychain-domain <string>

set auth-mode-area {md5 | password}

set auth-mode-domain {md5 | password}

set auth-password-area <password>

set auth-password-domain <password>

set auth-sendonly-area {enable | disable}

set auth-sendonly-domain {enable | disable}

set default-information-level {level-1 | level-1-2 | level-2}

set default-information-level6 {level-1 | level-1-2 | level-2}

set default-information-metric <0-4261412864>

set default-information-metric6 <0-4261412864>

set default-information-originate {always | disable | enable}

set default-information-originate6 {always | disable | enable}

set ignore-attached-bit {disable | enable}

set is-type {level-1 | level-1-2 | level-2-only}

set log-neighbour-changes {disable | enable}

set lsp-gen-interval-l1 <1-120>

set lsp-gen-interval-l2 <1-120>

set lsp-refresh-interval <1-65535>

set max-lsp-lifetime <350-65535>

set metric-style {narrow | transition | wide}

set overload-bit {disable | enable}

set redistribute-l1 {disable | enable}

set redistribute-l1-list <string>

set redistribute6-l1 {disable | enable}

set redistribute6-l1-list <string>

set router-id <IP_address>

set spf-interval-exp-l1 <1-120>

set spf-interval-exp-l2 <1-120>

config interface

edit <IS-IS interface name>

set auth-keychain-hello <string>

set auth-mode-hello {md5 | password}

set auth-password-hello <password>

set bfd {enable | disable}

set bfd6 {enable | disable}

set circuit-type {level-1 | level-1-2 | level-2}

set csnp-interval-l1 <1-65535 seconds>

set csnp-interval-l2 <1-65535 seconds>

set hello-interval-l1 <1-65535 seconds; 0 to use 1-second hold time>

set hello-interval-l2 <1-65535 seconds; 0 to use 1-second hold time>

set hello-multiplier-l1 <2-100>

set hello-multiplier-l2 <2-100>

set hello-padding {disable | enable}

set metric-l1 <1-63>

set metric-l2 <1-63>

set passive {disable | enable}

set priority-l1 <0-127>

set priority-l2 <0-127>

set status {disable | enable}

set status6 {disable | enable}

set wide-metric-l1 <1-16777214>

set wide-metric-l2 <1-16777214>

end

config net

edit <identifier>

set net <IS-IS net xx.xxxx. ... .xxxx.xx>

end

config redistribute {bgp | connected | ospf | rip | static}

set status {disable | enable}

set metric <0-4261412864>

set metric-type {external | internal}

set level {level-1 | level-1-2 | level-2}

set routemap <string>

end

config redistribute6 {bgp6 | connected | ospf6 | ripng | static}

set status {disable | enable}

set metric <0-4261412864>

set level {level-1 | level-1-2 | level-2}

set routemap <string>

end

config summary-address

edit <summary address entry identifier>

set level {level-1 | level-1-2 | level-2}

set prefix <IPv4 address and netmask>

end

config summary-address6

edit <summary address entry identifier>

set level {level-1 | level-1-2 | level-2}

set prefix6 <IPv6 address and netmask>

end

end

Variable

Description

Default

auth-keychain-area <string>

IS-IS area (level-1) authentication keychain. This command is applicable when the areaʼs authentication mode is md5.

No default

auth-keychain-domain <string>

IS-IS domain (level-2) authentication key-chain. This command is applicable when domainʼs auth mode is md5.

No default

auth-mode-area {md5 | password}

IS-IS area (level-1) authentication mode.

password

auth-mode-domain {md5 | password}

IS-IS domain (level-2) authentication mode.

password

auth-password-area <password>

IS-IS area (level-1) authentication password. This command is applicable when areaʼs authentication mode is password.

No default

auth-password-domain <password>

IS-IS domain (level-2) authentication password. This command is applicable when domainʼs authentication mode is password.

No default

auth-sendonly-area {enable | disable}

IS-IS area (level-1) authentication send-only.

disable

auth-sendonly-domain {enable | disable}

IS-IS domain (level-2) authentication send-only.

disable

default-information-level {level-1 | level-1-2 | level-2}

Distribute default IPv4 route into levelʼs link-state packet (LSP).

level-2

default-information-level6 {level-1 | level-1-2 | level-2}

Distribute default IPv6 route into levelʼs LSP.

level-2

default-information-metric <0-4261412864>

Default IPv4 information metric.

10

default-information-metric6 <0-4261412864>

Default IPv6 information metric.

10

default-information-originate {always | disable | enable}

Enable or disable the generation of an IPv4 default route.

disable

default-information-originate6 {always | disable | enable}

Enable or disable the generation of an IPv6 default route.

disable

ignore-attached-bit {disable | enable}

Ignore attached bit on incoming level-1 LSP.

disable

is-type {level-1 | level-1-2 | level-2-only}

Set the IS-IS level to use:
  • level-1: intra-area
  • level-1-2: both intra-area and inter-area
  • level-2-only: inter-area

level-1-2

log-neighbour-changes {disable | enable}

Enable logging of IS-IS neighborʼs changes

enable

lsp-gen-interval-l1 <1-120>

Minimum interval for level-1 LSP regenerating.

1

lsp-gen-interval-l2 <1-120>

Minimum interval for level-2 LSP regenerating.

1

lsp-refresh-interval <1-65535>

LSP refresh time in seconds.

900

max-lsp-lifetime <350-65535>

Maximum LSP lifetime in seconds.

1200

metric-style {narrow | transition | wide}

Use old-style (ISO 10589) or new-style packet formats.
  • narrow: Use the old style of TLVs with narrow metric (default)
  • transition: Send and accept both styles of TLVs during the transition.
  • wide: Use the new style of TLVs to carry a wider metric.

narrow

overload-bit {disable | enable}

Set the overload bit in this router's LSPs to signal other routers not to use this router as a transit node in their shortest-path-first (SPF) calculations.

disable

redistribute-l1 {disable | enable}

Redistribute level-1 IPv4 routes into level 2.

enable

redistribute-l1-list <string>

Access-list for redistributing level-1 IPv4 routes to level 2.

No default

redistribute6-l1 {disable | enable}

Redistribute level-1 IPv6 routes into level 2.

enable

redistribute6-l1-list <string>

Access-list for redistributing level-1 IPv6 routes to level 2.

No default

router-id <IP_address>

Router identifier.

0.0.0.0

spf-interval-exp-l1 <1-120>

Level-1 SPF minimum calculation delay in seconds.

1

spf-interval-exp-l2 <1-120>

Level-2 SPF minimum calculation delay in seconds.

1

config interface

Configure the IS-IS interface.

<IS-IS interface name>

Select the IS-IS interface name to configure.

No default

auth-keychain-hello <string>

Hello protocol data unit (PDU) authentication keychain. This command is applicable when the hello packetʼs authentication mode is md5.

No default

auth-mode-hello {md5 | password}

Hello PDU authentication mode.

password

auth-password-hello <password>

Hello PDU authentication password. This command is applicable when hello's authentication mode is password.

No default

bfd {enable | disable}

Enable or disable bidirectional forwarding detection (BFD) for IPv4 traffic.

disable

bfd6 {enable | disable}

Enable or disable BFD for IPv6 traffic.

disable

circuit-type {level-1 | level-1-2 | level-2}

Set the IS-IS circuit type to use for this interface:
  • level-1: intra-area
  • level-1-2: both intra-area and inter-area
  • level-2: inter-area

level-1-2

csnp-interval-l1 <1-65535>

Level-1 complete sequence number PDU (CSNP) interval, in number of seconds.

10

csnp-interval-l2 <1-65535>

Level-2 CSNP interval, in number of seconds.

10

hello-interval-l1 <1-65535>

Level-1 hello packet interval, in number of seconds. Use 0 for a 1-second hold time.

10

hello-interval-l2 <1-65535>

Level-2 hello packet interval, in number of seconds. Use 0 for a 1-second hold time.

10

hello-multiplier-l1 <2-100>

Level-1 multiplier for hello packet holding time.

3

hello-multiplier-l2 <2-100>

Level-2 multiplier for hello packet holding time.

3

hello-padding {disable | enable}

Enable padding of IS-IS hello packets.

enable

metric-l1 <1-63>

Level-1 metric for interface.

10

metric-l2 <1-63>

Level-2 metric for interface.

10

passive {disable | enable}

Set this interface as passive.

disable

priority-l1 <0-127>

Level-1 priority.

64

priority-l2 <0-127>

Level-2 priority.

64

status {disable | enable}

Enable or disable the interface for IS-IS for IPv4 traffic.

enable

status6 {disable | enable}

Enable or disable the interface for IS-IS for IPv6 traffic.

enable

wide-metric-l1 <1-16777214>

Level-1 wide metric for interface.

10

wide-metric-l2 <1-16777214>

Level-2 wide metric for interface.

10

config net

Configure the IS-IS network.

<identifier>

An integer identifier; 0 is the lowest available identifier.

No default

net <IS-IS net xx.xxxx. ... .xxxx.xx>

Set the IS-IS network entity title (NET) for this router, for example 49.0002.0000.0000.1048.00 (area 49.0002, system ID 0000.0000.1048, NSEL 00).

No default

config redistribute {bgp | connected | ospf | rip | static}

Configure the IS-IS redistribute IPv4 protocols.

status {disable | enable}

Enable or disable the redistribution of routes from this protocol into IS-IS.

disable

metric <0-4261412864>

Redistribution metric.

10

metric-type {external | internal}

Select external or internal for the metric type.

external

level {level-1 | level-1-2 | level-2}

Set the IS-IS level to use for redistributing routes:
  • level-1: intra-area
  • level-1-2: both intra-area and inter-area
  • level-2: inter-area

level-1-2

routemap <string>

Enter the route map name.  Only the route maps for this protocol are listed. You must create the route map before selecting it. See config router route-map.

No default

config redistribute6 {bgp6 | connected | ospf6 | ripng | static}

Configure the IS-IS redistribute IPv6 protocols.

status {disable | enable}

Enable or disable the redistribution of routes from this protocol into IS-IS.

disable

metric <0-4261412864>

Redistribution metric.

10

level {level-1 | level-1-2 | level-2}

Set the IS-IS level to use for redistributing routes:
  • level-1: intra-area
  • level-1-2: both intra-area and inter-area
  • level-2: inter-area

level-1-2

routemap <string>

Enter the route map name.  Only the route maps for this protocol are listed. You must create the route map before selecting it. See config router route-map.

No default

config summary-address

Configure summary address ranges for the IPv4 routes that IS-IS advertises.

<summary address entry identifier>

Enter the summary address entry ID. The value range is 0-4294967295.

No default

level {level-1 | level-1-2 | level-2}

Set the IS-IS level to use for the summary database:
  • level-1: intra-area
  • level-1-2: both intra-area and inter-area
  • level-2: inter-area

level-2

prefix <IPv4 address and netmask>

Set the IPv4 address and netmask for the prefix.

No default

config summary-address6

Configure summary address ranges for the IPv6 routes that IS-IS advertises.

<summary address entry identifier>

Enter the summary address entry ID. The value range is 0-4294967295.

No default

level {level-1 | level-1-2 | level-2}

Set the IS-IS level to use for the summary database:
  • level-1: intra-area
  • level-1-2: both intra-area and inter-area
  • level-2: inter-area

level-2

prefix6 <IPv6 address and netmask>

Set the IPv6 address and netmask for the prefix.

No default

Example

The following is an example of an IS-IS configuration for IPv4 traffic:

config router isis

set default-information-metric 60

config interface

edit "vlan100"

set circuit-type level-1

set priority-l1 80

set wide-metric-l1 200

next

edit "vlan102"

set circuit-type level-2

next

end

config net

edit 1

set net 49.0002.0000.0000.1048.00

next

end

set metric-style wide

config redistribute "connected"

set status enable

end

config redistribute "rip"

end

config redistribute "ospf"

end

config redistribute "bgp"

end

config redistribute "static"

end

end

config router key-chain

Use this command to configure a keychain. A keychain is a list of one or more authentication keys, each with a lifetime that defines how long the key is valid for sending and for accepting. Give consecutive keys overlapping lifetimes so that a key rollover never leaves a neighbor sending with a key that this router no longer accepts, which would cause routing updates to fail.

Syntax

config router key-chain

edit <keychain_name>

config key

edit <keychain_int>

set key-string <key_str>

set accept-lifetime <START> <END>

set send-lifetime <START> <END>

end

end

end

Variable

Description

Default

<keychain_name>

Enter a name for your keychain.

No default

config key

Configure the key.

<keychain_int>

Enter the key identifier (an integer). Each key in the keychain has its own identifier.

No default

key-string <key_str>

Enter a password string for the key.

No default

accept-lifetime <START> <END>

Enter the lifetime during which a received authentication key is accepted. START and END use the format HH:MM:SS DAY MONTH YEAR, where:
  • HH:MM:SS is the time of day, in hours, minutes, and seconds.
  • DAY is the day of the month. The range is 1-31.
  • MONTH is the month of the year. The range is 1-12.
  • YEAR is the year. The range is 1993-2035.
END can instead be infinite, or <duration>, the number of seconds after START for which the key is valid. The range of <duration> is 1-2147483646.

No default

send-lifetime <START> <END>

Enter the lifetime during which the key is used to authenticate sent packets. START and END use the format HH:MM:SS DAY MONTH YEAR, where:
  • HH:MM:SS is the time of day, in hours, minutes, and seconds.
  • DAY is the day of the month. The range is 1-31.
  • MONTH is the month of the year. The range is 1-12.
  • YEAR is the year. The range is 1993-2035.
END can instead be infinite, or <duration>, the number of seconds after START for which the key is valid. The range of <duration> is 1-2147483646.

No default

Example

This example shows how to add a key to a new keychain:

config router key-chain

edit keychain1

config key

edit 1

set key-string 1234567890

set accept-lifetime 01:02:03 1 8 2017 infinite

set send-lifetime 01:02:03 1 8 2017 infinite

end

end
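The following example is added here and is not from the original page. It ties a keychain to IS-IS authentication, covering both the key-chain command above and the auth-* options of config router isis; the keychain name, interface name, key strings and dates are assumptions. The two keys overlap: key 1 is sent until 1 February 2024 and accepted until 1 March 2024, key 2 is accepted from 15 January 2024 and sent from 1 February 2024, so every router in the area can switch to sending key 2 on 1 February without a window in which a neighbor rejects its PDUs. The IS-IS side replaces the default auth-mode password, which puts the cleartext secret in every PDU on the wire, with md5, applying the keychain to level-1 LSP, CSNP and PSNP authentication (auth-keychain-area), to level-2 (auth-keychain-domain), and to hello PDUs on the interface (auth-keychain-hello).

```text
config router key-chain
    edit "isis-area-keys"
        config key
            edit 1
                set key-string "Kq7vX2pL9mWz4RtB"
                set accept-lifetime 00:00:00 1 1 2024 00:00:00 1 3 2024
                set send-lifetime 00:00:00 1 1 2024 00:00:00 1 2 2024
            next
            edit 2
                set key-string "bH3nT8cY5sDq1FvJ"
                set accept-lifetime 00:00:00 15 1 2024 infinite
                set send-lifetime 00:00:00 1 2 2024 infinite
            next
        end
    next
end

config router isis
    set auth-mode-area md5
    set auth-keychain-area "isis-area-keys"
    set auth-sendonly-area disable
    set auth-mode-domain md5
    set auth-keychain-domain "isis-area-keys"
    set auth-sendonly-domain disable
    config interface
        edit "vlan100"
            set auth-mode-hello md5
            set auth-keychain-hello "isis-area-keys"
        next
    end
end
```

Level-1 and level-2 can use separate keychains; one is shared here only to keep the example short. In send-only mode, authentication is applied to outgoing PDUs only and incoming PDUs are not checked, so enable auth-sendonly-area and auth-sendonly-domain on the first routers you convert, then return them to disable (the default) once every neighbor authenticates; while send-only is on, an unauthenticated LSP from any host on the segment is still accepted. Use long random key strings rather than the short numeric string in the example above.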

config router multicast

A FortiSwitch unit can operate as a Protocol Independent Multicast (PIM) router for IPv4 traffic. FortiSwitchOS supports PIM source-specific multicast (SSM) and version 3 of the Internet Group Management Protocol (IGMP).

You can configure a FortiSwitch unit to support PIM using the config router multicast CLI command. When PIM is enabled, the FortiSwitch unit allocates memory to manage mapping information. The FortiSwitch unit communicates with neighboring PIM routers to acquire mapping information and, if required, processes the multicast traffic associated with specific multicast groups.

Syntax

config router multicast

set multicast-routing {disable | enable}

config interface

edit {interface_name | internal | mgmt}

set pim-mode ssm-mode

set hello-interval <1-180 seconds>

set dr-priority <1-4294967295>

set multicast-flow <string>

config igmp

set query-interval <1-1800 seconds>

set query-max-response-time <1-25 seconds>

end

end

Variable

Description

Default

multicast-routing {disable | enable}

Enable or disable multicast routing.

disable

{interface_name | internal | mgmt}

Set which interface to configure for multicast routing.

No default

pim-mode ssm-mode

Set the PIM operation mode to SSM mode.

ssm-mode

hello-interval <1-180 seconds>

Specify the amount of time that the FortiSwitch unit waits between sending hello messages to neighboring PIM routers.

30

dr-priority <1-4294967295>

Assign a priority to the FortiSwitch unit Designated Router (DR) candidacy. The value is compared to that of other DR interfaces connected to the same network segment, and the router having the highest DR priority is selected to be the DR. If two DR priority values are the same, the interface having the highest IP address is selected.

1

multicast-flow <string>

Connect the named multicast flow to this interface. You must create the multicast flow before it can be selected here. See config router multicast-flow.

No default

config igmp

Configure the IGMP querier settings for this interface.

query-interval <1-1800 seconds>

Set the interval between queries to IGMP hosts.

125

query-max-response-time <1-25 seconds>

Set the maximum time to wait for an IGMP query response.

10

config router multicast-flow

Use this command to configure the source allowed for a multicast flow when using PIM-SM or PIM-SSM.

Syntax

config router multicast-flow

edit <name>

set comments <string>

config flows

edit <multicast-flow_entry_identifier>

set group-addr <224-239.xxx.xxx.xxx>

set group-addr-end <224-239.xxx.xxx.xxx>

set source-addr <IP_address>

end

end

Variable

Description

Default

<name>

Name of the multicast flow.

No default

comments <string>

Enter an optional description of the multicast flow.

No default

<multicast-flow_entry_identifier>

Enter the multicast-flow entry identifier.

No default

group-addr <224-239.xxx.xxx.xxx>

Enter the starting multicast group address (IPv4).

0.0.0.0

group-addr-end <224-239.xxx.xxx.xxx>

Optional. Enter the ending multicast group address (IPv4). The range must not overlap other defined ranges.

0.0.0.0

source-addr <IP_address>

Enter an IP address for the multicast source (IPv4).

0.0.0.0
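The following example is added here and is not from the original page; it combines config router multicast-flow with config router multicast. The flow name, interface name, group addresses (in the SSM range 232/8) and source addresses are assumptions. Each flow entry pins a group, or a range of groups, to the one source allowed to feed it, so a host that joins 232.1.1.50 receives that group only from 10.10.20.5, and a rogue host that sends to the same group is not forwarded. Because a flow must exist before it can be named on an interface, the multicast-flow object is created first.

```text
config router multicast-flow
    edit "camera-feeds"
        set comments "authorized SSM sources for the camera VLAN"
        config flows
            edit 1
                set group-addr 232.1.1.1
                set group-addr-end 232.1.1.100
                set source-addr 10.10.20.5
            next
            edit 2
                set group-addr 232.1.2.1
                set source-addr 10.10.20.6
            next
        end
    next
end

config router multicast
    set multicast-routing enable
    config interface
        edit "vlan20"
            set pim-mode ssm-mode
            set hello-interval 30
            set dr-priority 100
            set multicast-flow "camera-feeds"
            config igmp
                set query-interval 125
                set query-max-response-time 10
            end
        next
    end
end
```

The two group ranges do not overlap, as the page requires. dr-priority 100 makes this interface win the designated-router election against neighbors left at the default of 1; if a neighbor you do not control advertises a higher value, it becomes the DR for the segment, so treat PIM neighbors on a segment as trusted peers.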

config router ospf

Use this command to configure OSPF routing for IPv4.

NOTE: You must have an advanced features license to use OSPF routing.

Syntax

config router ospf

set router-id <router_ipv4>

set abr-type {cisco | ibm | shortcut | standard}

set database-overflow {enable | disable}

set database-overflow-max-external-lsa <integer>

set database-overflow-time-to-recover <integer>

set distance-external <external_int>

set distance-inter-area <inter_int>

set distance-intra-area <intra_int>

set default-information-originate {always | disable | enable}

set default-information-metric <metric_int>

set default-information-metric-type {1 | 2}

set distance <distance_int>

set rfc1583-compatible {disable | enable}

set spf-timers <delay_int> <hold_int>

set log-neighbour-changes {disable | enable}

set passive-interface <name_str>

config area

edit <area_ipv4>

set shortcut {default | disable | enable}

set type {nssa | regular | stub}

set default-cost <cost_int>

set stub-type {no-summary | summary}

set nssa-translator-role {always | candidate | never}

config filter-list

edit <filter_int>

set direction {in | out}

set list <list_str>

end

end

config range

edit <range_int>

set advertise {enable | disable}

set prefix <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx>

set substitute <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx>

set substitute-status {enable | disable}

end

end

config virtual-link

edit <virtual_int>

set authentication {md5 | none | text}

set dead-interval <dead_int>

set hello-interval <hello_int>

set peer <peer_ipv4>

set retransmit-interval <retransmit_int>

set transmit-delay <transmit_int>

next

end

next

end

config interface

edit <interface_str>

set interface <interface_name>

set authentication {md5 | none | text}

set bfd {disable | enable}

set cost <cost_int>

set dead-interval <dead_int>

set hello-interval <hello_int>

set mtu <mtu_int>

set mtu-ignore {disable | enable}

set priority <pritority_int>

set retransmit-interval <retransmit_int>

set transmit-delay <transmit_int>

set ucast-ttl <1-255>

config md5-keys

edit <key_ID>

set key <MD5_key>

next

end

next

end

config network

edit <network_int>

set area <area_ipv4>

set prefix <xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx>

end

end

config summary-address

edit <summary_int>

set prefix <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx>

set tag <tag_int>

next

end

config distribute-list

edit <distribute_int>

set access-list <access_str>

set protocol {bgp | connected | isis | rip | static}

next

end

config redistribute {bgp | connected | isis | rip | static}

set status {disable | enable}

set metric <metric_int>

set routemap <routemap_str>

set metric-type {1 | 2}

set tag <0-2147483647>

end

config vrf

edit <VRF_ID>

set abr-type {cisco | ibm | shortcut | standard}

set database-overflow {enable | disable}

set database-overflow-max-external-lsa <integer>

set database-overflow-time-to-recover <integer>

set default-information-metric <metric_int>

set default-information-metric-type {1 | 2}

set default-information-originate {always | disable | enable}

set distance <distance_int>

set distance-external <external_int>

set distance-inter-area <inter_int>

set distance-intra-area <intra_int>

set log-neighbour-changes {disable | enable}

set passive-interface <name_str>

set rfc1583-compatible {disable | enable}

set router-id <router_ipv4>

set spf-timers <delay_int> <hold_int>

config area

edit <area_ipv4>

set shortcut {default | disable | enable}

set type {nssa | regular | stub}

set default-cost <cost_int>

set stub-type {no-summary | summary}

set nssa-translator-role {always | candidate | never}

config filter-list

edit <filter_int>

set direction {in | out}

set list <list_str>

end

end

config range

edit <range_int>

set advertise {enable | disable}

set prefix <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx>

set substitute <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx>

set substitute-status {enable | disable}

end

end

config virtual-link

edit <virtual_int>

set authentication {none | text}

set dead-interval <dead_int>

set hello-interval <hello_int>

set peer <peer_ipv4>

set retransmit-interval <retransmit_int>

set transmit-delay <transmit_int>

next

end

next

end

config interface

edit <interface_str>

set authentication {none | text}

set cost <cost_int>

set dead-interval <dead_int>

set hello-interval <hello_int>

set mtu <mtu_int>

set mtu-ignore {disable | enable}

set priority <pritority_int>

set retransmit-interval <retransmit_int>

set transmit-delay <transmit_int>

config md5-keys

edit <key_ID>

set key <MD5_key>

next

end

next

end

config network

edit <network_int>

set area <area_ipv4>

set prefix <xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx>

end

end

config summary-address

edit <summary_int>

set prefix <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx>

set tag <tag_int>

next

end

config distribute-list

edit <distribute_int>

set access-list <access_str>

set protocol {bgp | connected | isis | rip | static}

next

end

config redistribute {connected | rip | static}

set status {disable | enable}

set metric <metric_int>

set routemap <routemap_str>

set metric-type {1 | 2}

set tag <0-2147483647>

next

end

next

end

Variable

Description

Default

router-id <router_ipv4>

Required. Enter the IPv4 address of the OSPF router.

No default

abr-type {cisco | ibm | shortcut | standard}

Enter the area border router (ABR) type. Set abr-type to cisco or ibm to allow routes through nonbackbone area when links to the backbone are down. For more information about this option, see RFC 3509, Alternative Implementations of OSPF Area Border Routers.

cisco

database-overflow {enable | disable}

Enable or disable protection against link-state database overflow.

disable

database-overflow-max-external-lsa <integer>

Set the maximum number of external link-state advertisements (LSAs) that are allowed in the link-state database. The value range is 0-2147483647. This option is available only if database-overflow is enabled.

10000

database-overflow-time-to-recover <integer>

Set the number of seconds before the router originates any external LSAs. The value range is 0-65535 seconds. This option is available only if database-overflow is enabled.

300

distance-external <external_int>

Set the OSPF route administrative external distance. The value range is from 0 to 255.

No default

distance-inter-area <inter_int>

Set the OSPF route administrative inter-area distance. The value range is from 0 to 255.

No default

distance-intra-area <intra_int>

Set the OSPF route administrative intra-area distance. The value range is from 0 to 255.

No default

default-information-originate {always | disable | enable}

Enable or disable the generation of the default route into all external routing capable areas using the metric specified by the default-information-metric value and the metric type specified by the default-information-metric-type value. Set the value to always for the default to always be advertised, even when the routing table contains no default.

disable

default-information-metric <metric_int>

Set the metric value for the default route. The value range is from 1 to 16777214.

10

default-information-metric-type {1 | 2}

Set the metric type for the default route.

2

distance <distance_int>

Set the OSPF route administrative distance. The value range is from 1 to 255.

110

rfc1583-compatible {disable | enable}

Enable or disable RFC1583 compatibility.

disable

spf-timers <delay_int> <hold_int>

Set the number of seconds before the shortest path first (SPF) is calculated and the number of seconds between consecutive SPF calculations. The range for each value is from 0 to 600.

5 10

log-neighbour-changes {disable | enable}

Enable or disable the logging of changes to the OSPF neighbor.

enable

passive-interface <name_str>

Select which interface to set to passive mode.

NOTE: You need to add the interface prefix under the config network command (under config router ospf).

No default

config area

Configure the OSPF area.

<area_ipv4>

Enter the IP address for the area.

No default

shortcut {default | disable | enable}

Enable or disable whether shortcuts are allowed in the area.

default

type {nssa | regular | stub}

Set the area type.

NOTE: This field is not applicable for the backbone area (0.0.0.0), which is set to regular type by default.

regular

default-cost <cost_int>

If the area type is stub or not-so-stubby area (NSSA), set the cost of default-summary LSAs announced to stubby areas. The value range is 0-2147483647.

1

stub-type {no-summary | summary}

If the area type is stub or NSSA, set whether inter-area summaries can be used.

summary

nssa-translator-role {always | candidate | never}

If the area type is NSSA, set the type of NSSA translator role.

candidate

config filter-list

Configure the OSPF area filter list.

<filter_int>

Enter the filter list identifier.

No default

direction {in | out}

Set the direction to or from the area for the prefix list and access list.

out

list <list_str>

Enter the access-list name or prefix-list name for the area.

No default

config range

Configure the OSPF area range.

<range_int>

Enter the range list identifier.

No default

advertise {enable | disable}

Enable or disable the advertise status. If this option is set to disable, the intra area paths from this range are not advertised in other areas.

enable

prefix <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx>

Enter the summary prefix.

0.0.0.0 0.0.0.0

substitute <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx>

Enter the substitute prefix.

0.0.0.0 0.0.0.0

substitute-status {enable | disable}

Enable or disable whether the substitute prefix is used instead of the prefix.

disable

config virtual-link

Configure the OSPF virtual link.

<virtual_int>

Enter the virtual-link identifier.

No default

authentication {md5 | none | text}

Set the authentication type.

none

dead-interval <dead_int>

Enter the dead interval.

40

hello-interval <hello_int>

Enter the hello interval.

10

peer <peer_ipv4>

Enter the IP address of the virtual link neighbor.

0.0.0.0

retransmit-interval <retransmit_int>

Set the time between retransmitting lost link-state advertisement packets.

5

transmit-delay <transmit_int>

Enter the link-state packet transmit delay.

1

config md5-keys

These commands are applicable only when the virtual-link authentication field is set to md5.

<key_ID>

Enter the MD5 key identifier.

No default

<MD5_key>

Enter a string up to 16 characters.

No default

config interface

Configure the OSPF interface.

<interface_str>

Enter a name for the OSPF interface entry.

No default

interface <interface_name>

Select the interface (for example, a VLAN interface) that this OSPF interface entry applies to, as in the example at the end of this command.

No default

authentication {md5 | none | text}

Set the authentication type for OSPF packets.

none

bfd {disable | enable}

Enable or disable BFD on this interface.

disable

cost <cost_int>

Enter the link cost on this interface. The value range is 0-65535. Set this option to 0 for auto-cost.

10

dead-interval <dead_int>

Enter the dead interval.

40

hello-interval <hello_int>

Enter the hello interval.

10

mtu <mtu_int>

Enter the maximum transmission unit (MTU) size in bytes for the database description packets. The value range is 576-65535.

Not set

mtu-ignore {disable | enable}

Set whether to use the MTU size.

disable

priority <priority_int>

Set the router priority for this interface. The router with the highest priority is more eligible to become the designated router. Setting the option to 0 makes the router ineligible to become the designated router. The value range is 0-255.

1

retransmit-interval <retransmit_int>

Set the time between retransmitting lost link-state advertisement packets.

5

transmit-delay <transmit_int>

Enter the link-state transmit delay.

1

ucast-ttl <1-255>

Specify how many seconds unicast messages are kept.

0

config md5-keys

Use these commands to add MD5 keys for the OSPF interface. These commands are applicable only when the interface authentication field is set to md5.

<key_ID>

Enter the MD5 key identifier.

No default

<MD5_key>

Enter a string up to 16 characters.

No default

config network

Use these commands to enable or disable OSPF on an IP network.

<network_int>

Enter the network identifier.

No default

<area_ipv4>

Enter the IPv4 address for the area.

No default

prefix <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx>

Enter the IPv4 address and netmask.

No default

config summary-address

Configure the aggregate address for redistributed routes.

<summary_int>

Enter the identifier for the summary address.

No default

prefix <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx>

Enter the IPv4 address and netmask.

No default

set tag <tag_int>

Enter the tag value. The range is 0-2147483647.

0

config distribute-list

Configure the filter for redistributed routes.

<distribute_int>

Enter the distribute list identifier.

No default

access-list <access_str>

Enter the access list name.

No default

protocol {bgp | connected | isis | rip | static}

Set the protocol type.

connected

config redistribute {bgp | connected | isis | rip | static}

Use these commands for the redistribute configuration.

redistribute {bgp | connected | isis | rip | static}

Set the type of network to redistribute.

No default

status {disable | enable}

Enable or disable the redistribution.

disable

metric <metric_int>

Enter the metric for redistributed routes.

10

routemap <routemap_str>

Enter the route map name to filter the redistributed routes. Only the route maps for this protocol are listed.

No default

metric-type {1 | 2}

Set the metric type of redistributed routes.

2

tag <0-2147483647>

Set the tag value.

No default

config vrf

Use these commands to create multiple routing tables within the same router.

 

<VRF_ID>

Use the same VRF identifier that was configured under the config router vrf command. The commands under config vrf are the same as the commands under config router ospf.

No default

Example

This example shows how to set the router identifier, create an area, configure the OSPF interface, create the network (set the network prefix and associate with an area), configure the IPv4 address summary, and redistribute the routes:

config router ospf
	set router-id 20.1.1.1
	config area
		edit 0.0.0.0
		next
		edit 0.0.0.1
		next
	end
	config interface
		edit "ospf_1"
			set interface "vlan10"
		next
		edit "ospf_2"
			set interface "vlan20"
		next
	end
	config network
		edit 1
			set area 0.0.0.1
			set prefix 20.1.1.0 255.255.255.0
		next
		edit 2
			set area 0.0.0.0
			set prefix 10.1.1.0 255.255.255.0
		next
	end
	config summary-address
		edit 1
			set prefix 40.1.0.0 255.255.0.0
		next
	end
	config redistribute "connected"
		set status enable
	end
end

config router ospf6

Use this command to configure open shortest path first (OSPF) routing for IPv6.

NOTE: You must have an advanced features license to use OSPF routing.

Syntax

config router ospf6

set router-id <router_ipv4>

set spf-timers <delay_int> <hold_int> <max_int>

set log-neighbor-changes {disable | enable}

config area

edit <area_ipv4>

set type {regular | stub}

set stub-type {summary | no-summary}

config filter-list

edit <filter_int>

set direction {in | out}

set list <list_str>

next

end

config range

edit <range_int>

set advertise {enable | disable}

set prefix <xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx>

next

end

next

end

config interface

edit <interface_str>

set area-id <Required_IPv4_address>

set bfd {disable | enable}

set cost <cost_int>

set dead-interval <dead_int>

set hello-interval <hello_int>

set passive {disable | enable}

set priority <priority_int>

set retransmit-interval <retransmit_int>

set status {enable | disable}

set transmit-delay <transmit_int>

next

end

config redistribute {connected | static}

set status {disable | enable}

set routemap <routemap_str>

end

end

Variable

Description

Default

router-id <router_ipv4>

Required. Enter the IPv4 address of the OSPF router.

No default

spf-timers <delay_int> <hold_int> <max_int>

Set the number of milliseconds to delay before the shortest path first (SPF) is calculated, the initial number of milliseconds between consecutive SPF calculations, and the maximum number of milliseconds between consecutive SPF calculations. The range for each value is from 0 to 600.

5 10 10

log-neighbor-changes {disable | enable}

Enable or disable logging of changes to OSPF neighbors.

enable

config area

Configure the OSPF6 area.

<area_ipv4>

Enter the IPv4 address for the area.

No default

type {regular | stub}

Set the area type to regular or stub.

regular

stub-type {summary | no-summary}

If type is set to stub, set the stub type to summary or no-summary.

summary

config filter-list

Configure the OSPF6 area filter list.

<filter_int>

Enter the filter list identifier.

No default

direction {in | out}

Set whether the prefix list or access list filters routes going into (in) or out of (out) the area.

out

list <list_str>

Enter the IPv6 access-list name or IPv6 prefix-list name for the area.

No default

config range

Configure the OSPF6 area range.

<range_int>

Enter the range list identifier.

No default

advertise {enable | disable}

Enable or disable the advertise status. If this option is set to disable, the intra-area paths from this range are not advertised in other areas.

enable

prefix <xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx>

Required. Enter the IPv6 prefix.

No default

config interface

Configure the OSPF6 interface.

<interface_str>

Enter the OSPF interface name.

No default

area-id <IPv4_address>

Required. Enter the IPv4 address of the area.

none

bfd {disable | enable}

Enable or disable bidirectional forwarding detection (BFD).

disable

cost <cost_int>

Enter the link cost on this interface. The value range is 0-65535.

10

dead-interval <dead_int>

Enter the dead interval.

40

hello-interval <hello_int>

Enter the hello interval.

10

passive {disable | enable}

Enable or disable the passive interface.

disable

priority <priority_int>

Set the router priority for this interface. The router with the highest priority is more eligible to become the designated router. Setting this option to 0 makes the router ineligible to become the designated router. The value range is 0-255.

1

retransmit-interval <retransmit_int>

Enter the time between retransmitting lost link-state advertisement packets.

5

status {enable | disable}

Enable or disable the IPv6 OSPF routing on this interface.

enable

transmit-delay <transmit_int>

Enter the link-state transmit delay.

1

config redistribute {connected | static}

Use these commands for the redistribute configuration.

status {disable | enable}

Enable or disable the redistribution.

disable

routemap <routemap_str>

Enter the route map name to filter the redistributed routes. Only the route maps for this protocol are listed.

No default

Example

This example shows how to set the router identifier, create an area, configure the OSPF interface, and redistribute the routes:

config router ospf6
	set router-id 10.11.101.1 
	config area
		edit 0.0.0.1
		config filter-list
			edit 1
				set direction in
				set list access1
			next
		end
		config range
			edit 1
				set advertise disable
				set prefix 3f2e:6a8b:78a3:0d82:1725:6a2f:0370:6234/96
			next 
		end
	end
	config interface
		edit vlan35
			set area 0.0.0.1
			set cost 100
			set priority 100
			set status enable
		next
	end
	config redistribute connected
		set status enable
	end
end

config router policy

Use this command to create a policy to control routing.

Syntax

config router policy

config nexthop-group

edit <name_of_next-hop_group>

config nexthop

edit <configuration_identifier>

set nexthop-ip <IPv4_address>

set nexthop-vrf-name <string>

next

end

next

end

config pbr-map

edit <PBR_map_name>

set comments <string>

config rule

edit <rule_sequence_number>

set src <IPv4_address_mask>

set dst <IPv4_address_mask>

set nexthop-ip <IPv4_address>

set nexthop-vrf-name <string>

set nexthop-group-name <string>

next

end

next

end

config interface

edit <interface_name>

set pbr-map-name <PBR_policy_map_name>

next

end

end

Variable

Description

Default

config nexthop-group

Configure the next-hop group used for equal-cost multi-path (ECMP) routing.

<name_of_next-hop_group>

Enter the name of the next-hop group.

No default

config nexthop

Configure the next hop.

<configuration_identifier>

Enter the configuration identifier.

No default

nexthop-ip <IPv4_address>

Enter the IPv4 address of the next hop.

0.0.0.0

nexthop-vrf-name <string>

Enter the virtual routing and forwarding (VRF) instance name.

No default

config pbr-map

Configure the policy-based routing (PBR) map.

<PBR_map_name>

Enter the name of the PBR map.

No default

comments <string>

Enter a descriptive comment.

No default

config rule

Configure the PBR rule.

<rule_sequence_number>

Enter a rule identifier. The range of values is 1-10000.

No default

src <IPv4_address_mask>

Enter the source IPv4 address and mask.

0.0.0.0 0.0.0.0

dst <IPv4_address_mask>

Enter the destination IPv4 address and mask.

0.0.0.0 0.0.0.0

nexthop-ip <IPv4_address>

Enter the IPv4 address of the next hop.

0.0.0.0

nexthop-vrf-name <string>

Enter the name of the VRF instance that the next-hop address belongs to. If the name is not specified, the default VRF is used.

No default

nexthop-group-name <string>

Enter the next-hop group name. This setting is used for ECMP.

No default

config interface

Configure the interface.

<interface_name>

Enter the name of the interface to configure.

No default

pbr-map-name <PBR_map_name>

Enter the name of the PBR map. The PBR map is created with the config pbr-map command.

No default

Example

This example creates the “pbrmap1” policy for vlan10, which is an ingress switch virtual interface (SVI). The policy has three rules:

  • Rule 1 finds packets with a source address of 22.1.1.0/24 and forwards them to the next hop, 12.1.1.2, which belongs to the default VRF instance.
  • Rule 2 finds packets with a destination address of 33.1.1.0/24 and forwards them to the ECMP route with the two next-hop IP addresses in the next-hop group. Both next hops belong to the default VRF instance.
  • Rule 3 finds packets with a destination address of 11.1.1.0/24 and forwards them to the next hop, 13.1.1.2, which belongs to the “vrfv4” VRF instance.

 

config router policy

config nexthop-group

edit "nhgroup1"

config nexthop

edit 1

set nexthop-ip 12.1.1.4

next

edit 2

set nexthop-ip 12.1.1.5

next

end

next

end

config pbr-map

edit "pbrmap1"

config rule

edit 1

set src 22.1.1.0 255.255.255.0

set nexthop-ip 12.1.1.2

next

edit 2

set dst 33.1.1.0 255.255.255.0

set nexthop-group-name "nhgroup1"

next

edit 3

set src 11.1.1.0 255.255.255.0

set nexthop-ip 13.1.1.2

set nexthop-vrf-name "vrfv4"

next

end

next

end

config interface

edit "vlan10"

set pbr-map-name "pbrmap1"

next

end

end
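The following is an added example, not FortiSwitch code: a small Python model of how the "pbrmap1" policy above is evaluated for a packet, following the CLI configuration as written. It assumes rules are tried in ascending sequence number with the first match winning, that an unset src or dst is the 0.0.0.0 0.0.0.0 default and matches anything, and that a next-hop group picks one member by a stable per-flow hash (real switch hardware hashes differently).

```python
"""Policy-based routing lookup modelled on the "pbrmap1" configuration
above (added example, not FortiSwitch code).

Assumptions, labelled here and in comments: rules are tried in ascending
sequence number and the first rule whose src and dst both match wins;
an unset src or dst is the 0.0.0.0 0.0.0.0 default and matches anything;
a next-hop group selects one member by a stable hash of the flow (real
hardware hashing differs); a packet matching no rule returns None and is
left to the normal routing table.
"""
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY_V4 = ipaddress.ip_network("0.0.0.0/0")   # the 0.0.0.0 0.0.0.0 default


def net(address: str, mask: str) -> ipaddress.IPv4Network:
    """Build a network from the CLI's '<address> <mask>' form."""
    return ipaddress.ip_network(f"{address}/{mask}", strict=False)


@dataclass(frozen=True)
class NextHop:
    ip: str
    vrf: str = "default"     # no nexthop-vrf-name means the default VRF


@dataclass(frozen=True)
class PbrRule:
    seq: int
    src: ipaddress.IPv4Network = ANY_V4
    dst: ipaddress.IPv4Network = ANY_V4
    nexthop_ip: Optional[str] = None
    nexthop_vrf: Optional[str] = None
    nexthop_group: Optional[str] = None

    def matches(self, src_ip: ipaddress.IPv4Address,
                dst_ip: ipaddress.IPv4Address) -> bool:
        # Both criteria must hold; the 0.0.0.0/0 default matches any address.
        return src_ip in self.src and dst_ip in self.dst


class PbrMap:
    def __init__(self, name: str, rules: List[PbrRule],
                 groups: Dict[str, List[NextHop]]) -> None:
        self.name = name
        self.rules = sorted(rules, key=lambda r: r.seq)   # assumption: seq order
        self.groups = groups

    def lookup(self, src: str, dst: str) -> Optional[Tuple[int, NextHop]]:
        """Return (rule seq, chosen next hop) or None when no rule matches."""
        src_ip = ipaddress.ip_address(src)
        dst_ip = ipaddress.ip_address(dst)
        for rule in self.rules:
            if not rule.matches(src_ip, dst_ip):
                continue
            if rule.nexthop_group is not None:
                members = self.groups[rule.nexthop_group]
                # ECMP: pick a member from a stable per-flow hash so one flow
                # always takes the same path (assumption, not the ASIC's hash).
                digest = hashlib.sha256(f"{src}|{dst}".encode()).digest()
                index = int.from_bytes(digest[:4], "big") % len(members)
                return rule.seq, members[index]
            return rule.seq, NextHop(rule.nexthop_ip, rule.nexthop_vrf or "default")
        return None


def build_pbrmap1() -> PbrMap:
    """The example above as data: nhgroup1 plus the three pbrmap1 rules."""
    groups = {"nhgroup1": [NextHop("12.1.1.4"), NextHop("12.1.1.5")]}
    rules = [
        PbrRule(1, src=net("22.1.1.0", "255.255.255.0"), nexthop_ip="12.1.1.2"),
        PbrRule(2, dst=net("33.1.1.0", "255.255.255.0"), nexthop_group="nhgroup1"),
        PbrRule(3, src=net("11.1.1.0", "255.255.255.0"),
                nexthop_ip="13.1.1.2", nexthop_vrf="vrfv4"),
    ]
    return PbrMap("pbrmap1", rules, groups)


if __name__ == "__main__":
    pbr = build_pbrmap1()
    # Constructed sample flows arriving on vlan10 (documentation addresses)
    for flow in (("22.1.1.9", "192.0.2.10"), ("10.0.0.1", "33.1.1.7"),
                 ("11.1.1.9", "198.51.100.5"), ("22.1.1.9", "33.1.1.7"),
                 ("10.0.0.1", "10.0.0.2")):
        print(flow, "->", pbr.lookup(*flow))
```

The fourth sample flow matches both rule 1 and rule 2; sequence order decides, so it is sent to 12.1.1.2 rather than the ECMP group.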

config router prefix-list

Use this command to configure IPv4 prefix-based filtering.

Syntax

config router prefix-list

edit <list_int>

set comments <comment_str>

config rule

edit <rule_int>

set action {deny | permit}

set prefix {<xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx> | any}

set ge <ge_int>

set le <le_int>

end

end

end

Variable

Description

Default

<list_int>

Enter the prefix list identifier.

No default

comments <comment_str>

Enter a descriptive comment.

No default

config rule

Configure the prefix-list rule.

<rule_int>

Enter the rule identifier.

No default

action {deny | permit}

Set the action to deny or permit.

permit

prefix {<xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx> | any}

Set the prefix to define regular filter criteria, such as any or subnets.

0.0.0.0 0.0.0.0

ge <ge_int>

Enter the minimum IPv4 prefix length to be matched. The value range is between 0 and 32. The prefix list is used if the prefix length is greater than or equal to this value.

No default

le <le_int>

Enter the maximum IPv4 prefix length to be matched. The value range is between 0 and 32. The prefix list is used if the prefix length is less than or equal to this value.

No default

config router prefix-list6

Use this command to configure IPv6 prefix-based filtering.

Syntax

config router prefix-list6

edit <name_of_IPv6_prefix_list>

set comments <string>

config rule

edit <rule_ID>

set action {deny | permit}

set prefix6 {<IPv6_prefix> | any}

set ge <0-128>

set le <0-128>

next

end

end

Variable

Description

Default

<name_of_IPv6_prefix_list>

Enter the name of the IPv6 prefix list.

No default

comments <string>

Enter a descriptive comment.

No default

config rule

Configure the IPv6 prefix list rule.

<rule_ID>

Enter the rule identifier.

No default

action {deny | permit}

Set the action to deny or permit.

permit

prefix6 {<IPv6_prefix> | any}

Enter the IPv6 prefix to match, or any.

No default

ge <0-128>

Enter the minimum IPv6 prefix length to be matched. The IPv6 prefix list is used if the prefix length is greater than or equal to this value.

No default

le <0-128>

Enter the maximum IPv6 prefix length to be matched. The IPv6 prefix list is used if the prefix length is less than or equal to this value.

No default

Example

This example shows how to specify which IPv6 prefixes are allowed in router advertisement (RA) messages:

config router prefix-list6

edit "r4"

config rule

edit 1

set action deny

set prefix6 "2001:4:4:4::4/64"

set ge 65

set le 128

next

edit 2

set action permit

set prefix6 "any"

next

end

next

end
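Added example (not FortiSwitch code) covering the ge/le matching described for both config router prefix-list and config router prefix-list6: a Python evaluator that applies the "r4" list above to candidate IPv6 routes, plus a constructed IPv4 list showing the 0-32 bounds. It assumes first-match evaluation in ascending rule-ID order, that a rule without ge or le matches only a route of exactly its prefix length, and that a route matching no rule is denied.

```python
"""Prefix-list evaluation with ge/le bounds, modelled on the config router
prefix-list and prefix-list6 rules described above (added example, not
FortiSwitch code).

Assumptions, labelled here and in comments: rules are tried in ascending
rule-ID order and the first match decides; a rule with neither ge nor le
matches only a route of exactly the rule's prefix length; a route that
matches no rule is denied.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class PrefixRule:
    rule_id: int
    action: str                  # "permit" or "deny"
    prefix: Optional[Network]    # None stands for the CLI value "any"
    ge: Optional[int] = None     # minimum prefix length to match, inclusive
    le: Optional[int] = None     # maximum prefix length to match, inclusive

    def matches(self, route: Network) -> bool:
        if self.prefix is not None:
            # Address family must agree, and the route must lie inside the
            # rule's prefix; a /64 rule never matches a /48 that contains it.
            if route.version != self.prefix.version:
                return False
            if not route.subnet_of(self.prefix):
                return False
        if self.ge is None and self.le is None:
            # No length bounds: exact length for a prefix, any length for
            # "any" (assumption: standard prefix-list behaviour).
            return self.prefix is None or route.prefixlen == self.prefix.prefixlen
        # With bounds, ge defaults to the rule's own prefix length (0 for
        # "any") and le defaults to the address family's maximum length.
        lo = self.ge if self.ge is not None else (
            self.prefix.prefixlen if self.prefix is not None else 0)
        hi = self.le if self.le is not None else route.max_prefixlen
        return lo <= route.prefixlen <= hi


class PrefixList:
    """A named list of PrefixRule entries evaluated first-match."""

    def __init__(self, name: str, rules: List[PrefixRule]) -> None:
        self.name = name
        self.rules = sorted(rules, key=lambda r: r.rule_id)

    def evaluate(self, route_str: str) -> Tuple[str, Optional[int]]:
        """Return (action, rule_id); rule_id is None for the implicit deny."""
        route = ipaddress.ip_network(route_str, strict=False)
        for rule in self.rules:
            if rule.matches(route):
                return rule.action, rule.rule_id
        return "deny", None      # assumption: unmatched routes are denied


def build_r4() -> PrefixList:
    """The "r4" IPv6 prefix list from the example above, as data."""
    return PrefixList("r4", [
        # strict=False keeps the page's literal, whose host bits are set
        PrefixRule(1, "deny",
                   ipaddress.ip_network("2001:4:4:4::4/64", strict=False),
                   ge=65, le=128),
        PrefixRule(2, "permit", None),
    ])


def build_ipv4_example() -> PrefixList:
    """Constructed IPv4 list: permit only /16 to /24 subnets of 10.0.0.0/8."""
    return PrefixList("v4-aggregates", [
        PrefixRule(10, "permit", ipaddress.ip_network("10.0.0.0/8"),
                   ge=16, le=24),
    ])


if __name__ == "__main__":
    r4 = build_r4()
    for candidate in ("2001:4:4:4::/64", "2001:4:4:4:1::/80",
                      "2001:4:4:4::1/128", "2001:4:4:5::/64"):
        print(r4.name, candidate, "->", r4.evaluate(candidate))
    v4 = build_ipv4_example()
    for candidate in ("10.1.0.0/16", "10.1.1.0/24", "10.1.1.0/25", "10.0.0.0/8"):
        print(v4.name, candidate, "->", v4.evaluate(candidate))
```

Note that the /64 itself is permitted by "r4": rule 1 covers it but its length 64 is below ge 65, so only more-specific routes inside it are denied.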

config router rip

Use these commands to configure RIP routing with IPv4 addresses.

NOTE: You must have an advanced features license to use RIP routing.

Syntax

config router rip

set bfd {disable | enable}

set default-information-originate {disable | enable}

set default-metric <defaultmetric_int>

set garbage-timer <garbage_int>

set passive-interface <name_str>

set timeout-timer <timeout_int>

set update-timer <update_int>

set version {1 | 2}

config distance

edit <distanceid_int>

set access-list <access_string>

set distance <distance_int>

set prefix <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx>

end

config distribute-list

edit <distribute_int>

set direction {in | out}

set interface <interface_str>

set listname <listname_str>

set status {disable | enable}

end

config interface

edit <interface_str>

set auth-keychain <keychain_str>

set auth-mode {md5 | none | text}

set auth-string <password_str>

set receive-version {1 | 2 | both | global}

set send-version {1 | 2 | both | global}

set split-horizon-status {disable | enable}

set split-horizon {poisoned | regular}

end

config neighbor

edit <neighbor_int>

set <neighbor_ipv4>

end

config network

edit <network_int>

set prefix <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx>

end

config offset-list

edit <offsetlist_int>

set access-list <accesslist_str>

set direction {in | out}

set interface {in | out}

set offset <offset_int>

set status {disable | enable}

end

config redistribute {bgp | connected | isis | ospf | static}

set status {disable | enable}

set metric <metric_int>

set routemap <routemap_str>

end

end

Variable

Description

Default

bfd {disable | enable}

Enable or disable BFD.

disable

default-information-originate {disable | enable}

Enable or disable whether a default route is advertised.

disable

default-metric <defaultmetric_int>

Enter the default metric for redistributed routes. This setting does not affect connected routes. The range of values is 1-16. Use the config redistribute connected or config offset-list command to set the metric value for connected routes.

1

garbage-timer <garbage_int>

Enter the number of seconds before a route is removed from the routing table. The range of values is 5-2147483647.

120

passive-interface <name_str>

Specify which interface to set to passive mode.

You need to add the interface prefix under config network (under config router rip).

No default

timeout-timer <timeout_int>

Enter the number of seconds before a route is no longer valid. The route is not removed from the routing table until the neighboring RIP routers are notified that the route has been dropped. The range of values is 5-2147483647.

180

update-timer <update_int>

Enter the number of seconds between when the complete routing table is sent to neighboring RIP routers. The range of values is 5-2147483647.

30

version {1 | 2}

Set the RIP version for receiving and sending RIP packets.

2

config distance

Set the admin distance based on the route prefix and RIP neighbor IP.

<distanceid_int>

Enter the distance identifier.

No default

access-list <access_string>

Enter the access list to match RIP routes.

No default

distance <distance_int>

Enter the RIP admin distance. The value range is from 1 to 255.

120

prefix <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx>

Enter the RIP neighbor IP prefix. Enter 0.0.0.0/0 to match all RIP neighbors.

0.0.0.0 0.0.0.0

config distribute-list

Filter networks from routing updates.

<distribute_int>

Enter the distribute list identifier.

No default

direction {in | out}

Set the list direction.

out

interface <interface_str>

Enter the RIP interface name for the distribute list.

No default

listname <listname_str>

Enter the access or prefix list name.

No default

status {disable | enable}

Enable or disable whether the distribute list is used.

disable

config interface

RIP interface configuration.

<interface_str>

Enter the interface name.

No default

auth-keychain <keychain_str>

Enter the name of the keychain to use for this interface.

No default

auth-mode {md5 | none | text}

Set the authentication mode used for packets.

RIP version 1 does not use authentication. If auth-mode is set to md5 or text for RIP version 1, routing updates are ignored.

NOTE: You must create a keychain first before you can use the MD5 authentication mode with RIP version 2.

none

auth-string <password_str>

If the auth-mode is set to text, enter a password that is less than 16 characters long.

No default

receive-version {1 | 2 | both | global}

Set which version of RIP packets are accepted on this interface. Setting this option to both accepts RIP version 1 and 2. Setting this option to global uses the global RIP version. This setting overrides the global RIP version setting.

global

send-version {1 | 2 | both | global}

Set which version of RIP packets are sent for this interface. Setting this option to both sends RIP version 1 and 2. Setting this option to global uses the global RIP version. This setting overrides the global RIP version setting.

global

split-horizon-status {disable | enable}

Enable or disable split horizon.

enable

split-horizon {poisoned | regular}

Set the split-horizon type.

regular

config neighbor

Specify a neighbor router. These commands are required only when OSPF runs on nonbroadcast media.

<neighbor_int>

Enter a RIP neighbor identifier.

No default

<neighbor_ipv4>

Enter an IP address for a RIP neighbor. Use this command if a RIP neighbor does not accept multicast packets.

0.0.0.0

config network

Enable RIP routing on an IP network.

<network_int>

Enter a network identifier.

No default

prefix <xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx>

Enter the prefix.

No default

config offset-list

Configure the offset list to modify the RIP metric.

<offsetlist_int>

Enter the offset list identifier.

No default

access-list <accesslist_str>

Enter the name of the access list.

No default

direction {in | out}

Set the list direction.

out

interface {in | out}

Set whether to filter incoming or outgoing packets.

No default

offset <offset_int>

Enter the offset for incoming and outgoing metrics to routes learned using RIP. The value range is between 1 and 16.

0

status {disable | enable}

Enable or disable whether the offset list is used.

enable

config redistribute {bgp | connected | isis | ospf | static}

Redistribute configuration.

redistribute {bgp | connected | isis | ospf | static}

Redistribute routes so that they are included in RIP routing.

No default

status {disable | enable}

Enable or disable whether the routes are redistributed.

disable

metric <metric_int>

Enter the metric of the redistributed routes. The value range is between 0 and 16.

0

routemap <routemap_str>

Enter the route map name to filter the redistributed routes. Only the route maps for this protocol are listed.

No default

Example

This example shows how to configure the RIP router and add authentication:

config router rip

config network

edit 1

set prefix 170.38.65.0/24

next

edit 2

set prefix 128.8.0.0/16

next

end

config interface

edit "vlan35"

set auth-mode text

set auth-string simplepw1

next

end

end

config router ripng

Use these commands to configure RIP routing with IPv6 addresses.

NOTE: You must have an advanced features license to use RIP routing.

Syntax

config router ripng

set bfd {disable | enable}

set default-information-originate {disable | enable}

set default-metric <defaultmetric_int>

set garbage-timer <garbage_int>

set timeout-timer <timeout_int>

set update-timer <update_int>

config aggregate-address

edit <aggregate-address_entry_ID_int>

set prefix6 <xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx>

end

config distribute-list

edit <distribute_int>

set direction {in | out}

set interface <interface_str>

set listname <listname_str>

set status {disable | enable}

end

config interface

edit <interface_str>

set passive {disable | enable}

set split-horizon-status {disable | enable}

set split-horizon {poisoned | regular}

end

config offset-list

edit <offsetlist_int>

set access-list6 <accesslist_str>

set direction {in | out}

set interface {in | out}

set offset <offset_int>

set status {disable | enable}

end

config redistribute {bgp | connected | isis | ospf6 | static}

set status {disable | enable}

set metric <metric_int>

set routemap <routemap_str>

end

end

Variable

Description

Default

bfd {disable | enable}

Enable or disable BFD.

disable

default-information-originate {disable | enable}

Enable or disable whether a default route is advertised.

disable

default-metric <defaultmetric_int>

Enter the default metric for redistributed routes. This setting does not affect connected routes. Use the config redistribute connected command to set the metric value for connected routes. The range of values is 1-16.

1

garbage-timer <garbage_int>

Enter the number of seconds before a route is removed from the routing table after it is no longer valid. The range of values is 5-2147483647.

120

timeout-timer <timeout_int>

Enter the number of seconds before a route is no longer valid. The route is not removed from the routing table until the garbage timer expires. The range of values is 5-2147483647.

180

update-timer <update_int>

Enter the number of seconds between when the complete routing table is sent to neighboring RIP routers. The range of values is 5-2147483647.

30

config aggregate-address

Set the aggregate RIPng route announcement.

<aggregate-address_entry_ID_int>

Enter the identifier for the aggregate-address entry.

No default

prefix6 <xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx>

Enter the IPv6 prefix.

No default

config distribute-list

Filter networks in routing updates.

<distribute_int>

Enter the distribute list identifier.

No default

direction {in | out}

Set the list direction.

out

interface <interface_str>

Enter the RIP interface name for the distribute list.

No default

listname <listname_str>

Enter the IPv6 access or prefix list name.

No default

status {disable | enable}

Enable or disable whether the distribute list is used.

enable

config interface

RIPng interface configuration.

<interface_str>

Enter the interface name.

No default

passive {disable | enable}

Enable or disable whether to suppress routing updates on an interface.

disable

split-horizon-status {disable | enable}

Enable or disable split horizon.

enable

split-horizon {poisoned | regular}

Set the split-horizon type.

regular

config offset-list

Configure the offset list to modify the RIPng metric.

<offsetlist_int>

Enter the offset list identifier.

No default

access-list6 <accesslist_str>

Enter the name of the IPv6 access list.

No default

direction {in | out}

Set the list direction.

out

interface {in | out}

Set the interface to which the offset-list will be applied.

No default

offset <offset_int>

Enter the offset for incoming and outgoing metrics to routes learned using RIP. The value range is between 1 and 16.

0

status {disable | enable}

Enable or disable whether the offset list is used.

enable

config redistribute {bgp | connected | isis | ospf6 | static}

Redistribute configuration.

status {disable | enable}

Enable or disable whether the routes are redistributed.

disable

metric <metric_int>

Enter the metric of the redistributed routes. The value range is between 0 and 16.

0

routemap <routemap_str>

Enter the route map name to filter the redistributed routes. Only the route maps for this protocol are listed.

No default

config router route-map

Use this command to configure a route map for BGP, IS-IS, OSPF, or RIP routing.

NOTE: You must have an advanced features license to use BGP, IS-IS, OSPF, or RIP routing.

Syntax

config router route-map

edit <routemap_str>

set comments <comments_str>

set protocol {bgp | isis | isis6 | ospf | ospf6 | rip | ripng | zebra}

config rule

edit <rule_int>

set action {deny | permit}

set match-as-path <string>

set match-community <string>

set match-interface {<interface_str> | internal | mgmt}

set match-ip-address <address_str>

set match-ip6-address <access-list6 or prefix-list6>

set match-ip-nexthop <nexthop_str>

set match-metric <metric_int>

set match-origin {egp | igp | incomplete | none}

set match-tag <tag_int>

set set-aggregator-as <1-4294967295>

set set-aggregator-ip <IPv4_address>

set set-aspath <1-4294967295>

set set-atomic-aggregate {enable | disable}

set set-community-delete <string>

set set-community <community>

set set-extcommunity-rt <community>

set set-extcommunity-soo <community>

set set-ip-nexthop <class_ipv4>

set set-ip6-nexthop <IPv6_address>

set set-ip6-nexthop-local <IPv6_address>

set set-local-preference <1-4294967295>

set set-metric <setmetric_int>

set set-metric-type {1 | 2}

set set-origin {egp | igp | incomplete | none}

set set-originator-id <IP_address>

set set-tag <settag_int>

set set-weight <0-2147483647>

end

end

end

Variable

Description

Default

<routemap_str>

Enter the name for the individual route map.

No default

comments <comments_str>

Enter a descriptive comment.

No default

protocol {bgp | isis | isis6 | ospf | ospf6 | rip | ripng | zebra}

Mandatory. Set the protocol to BGP, IS-IS, OSPF (IPv4 or IPv6), RIP (IPv4 or IPv6), or the core router daemon.

No default

config rule

Configure the route-map rule.

<rule_int>

Enter the rule identifier.

No default

action {deny | permit}

Set whether the rule permits or denies routes that match this rule.

permit

match-as-path <string>

Match the BGP Autonomous System (AS) path list.

No default

match-community <string>

Match the BGP community list.

No default

match-interface {<interface_str> | internal | mgmt}

Set which interface will be matched.

No default

match-ip-address <address_str>

Match the IPv4 address permitted by the IPv4 access list or IPv4 prefix list.

No default

match-ip6-address <access-list6 or prefix-list6>

Match the IPv6 address permitted by the IPv6 access list or IPv6 prefix list.

No default

match-ip-nexthop <nexthop_str>

Match the next-hop IP address passed by the access list or prefix list.

No default

match-metric <metric_int>

Enter the metric to be matched for redistributed routes. The value range is 0-2147483647.

0

match-origin {egp | igp | incomplete | none}

Match the BGP origin code:
  • egp—Set the value to the NLRI learned from the Exterior Gateway Protocol (EGP).
  • igp—Set the value to the NLRI learned from a protocol internal to the originating AS.
  • incomplete—Match routes that were learned some other way (for example, through redistribution).
  • none—Disable the matching of BGP routes based on the origin of the route.

none

match-tag <tag_int>

Enter the tag to be matched. The value range is 0-2147483647.

0

set-aggregator-as <1-4294967295>

Set the BGP aggregator AS.

No default

set-aggregator-ip <IPv4_address>

Set the IPv4 address for the BGP aggregator.

This option is visible only when set-aggregator-as is set.

0.0.0.0

set-aspath <1-4294967295>

Prepend the BGP AS path attribute. Use quotation marks for repeating numbers, for example: "1 1 2"

No default

set-atomic-aggregate {enable | disable}

Enable or disable the BGP atomic aggregate attribute.

disable

set-community-delete <string>

Delete communities matching the community list.

No default

set-community <community>

Set the BGP community attribute:
  • Use decimal notation to set a specific COMMUNITY attribute for the route. The value has the syntax AA:NN, where AA represents an AS, and NN is the community identifier. Delimit complex expressions with double-quotation marks (for example, "123:234 345:456").
  • To make the route part of the Internet community, select internet.
  • To make the route part of the LOCAL_AS community, select local-AS.
  • To make the route part of the NO_ADVERTISE community, select no-advertise.
  • To make the route part of the NO_EXPORT community, select no-export.

No default

set-extcommunity-rt <community>

Set the Route-Target extended community: AA:NN

No default

set-extcommunity-soo <community>

Set the Site-of-Origin extended community: AA:NN

No default

set-ip-nexthop <class_ipv4>

Enter the IPv4 address of the next hop.

0.0.0.0

set-ip6-nexthop <IPv6_address>

Enter the IPv6 global address of the next hop.

No default

set-ip6-nexthop-local <IPv6_address>

Enter the IPv6 local address of the next hop.

No default

set-local-preference <1-4294967295>

Set the BGP local-preference path attribute.

0

set-metric <setmetric_int>

Enter the route metric value. The value range is 0-2147483647.

0

set-metric-type {1 | 2}

Set the metric type to external-type1 or external-type2.

external-type1

set-origin {egp | igp | incomplete | none}

Set the BGP origin code:
  • egp—Set the value to the NLRI learned from the Exterior Gateway Protocol (EGP).
  • igp—Set the value to the NLRI learned from a protocol internal to the originating AS.
  • incomplete—If not egp or igp.
  • none—Disable the ORIGIN attribute.

none

set-originator-id <IP_address>

Set the BGP originator ID attribute.

0.0.0.0

set-tag <settag_int>

Enter the route tag value. The value range is 0-2147483647.

0

set-weight <0-2147483647>

Set the BGP weight for the routing table.

0

Example

This example shows how to configure a route map for RIP routing:

config router route-map

edit myroutemap

set comments "route map for RIP routing"

set protocol rip

config rule

edit 1

set action permit

set match-interface internal

set match-metric 12

set match-tag 36

set set-ip-nexthop 128.8.0.0

set set-metric 48

set set-tag 72

end

end
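Added example (not FortiSwitch code): a Python model of how a route-map rule such as "myroutemap" above is applied to a route, with the match-* conditions tested together and the set-* actions applied on permit. It assumes rules are tried in ascending rule-ID order, that every configured match condition must hold (an unset one is a wildcard), and that a route matching no rule is denied.

```python
"""Route-map evaluation modelled on the config router route-map rules
above, using the "myroutemap" example (added example, not FortiSwitch code).

Assumptions, labelled here and in comments: rules are tried in ascending
rule-ID order; every match-* condition set on a rule must hold (an unset
condition matches anything); a permit rule applies its set-* actions and
ends evaluation, a deny rule drops the route, and a route matching no
rule is dropped.
"""
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: str
    interface: str          # interface the route was learned on
    metric: int
    tag: int = 0
    nexthop: Optional[str] = None


@dataclass(frozen=True)
class RouteMapRule:
    rule_id: int
    action: str = "permit"
    match_interface: Optional[str] = None
    match_metric: Optional[int] = None
    match_tag: Optional[int] = None
    set_ip_nexthop: Optional[str] = None
    set_metric: Optional[int] = None
    set_tag: Optional[int] = None

    def matches(self, route: Route) -> bool:
        # Every configured match condition must hold (unset = wildcard).
        checks = (
            (self.match_interface, route.interface),
            (self.match_metric, route.metric),
            (self.match_tag, route.tag),
        )
        return all(want is None or want == have for want, have in checks)

    def apply(self, route: Route) -> Route:
        # Only the set-* values that are configured are changed.
        changes = {}
        if self.set_ip_nexthop is not None:
            changes["nexthop"] = self.set_ip_nexthop
        if self.set_metric is not None:
            changes["metric"] = self.set_metric
        if self.set_tag is not None:
            changes["tag"] = self.set_tag
        return replace(route, **changes)


class RouteMap:
    def __init__(self, name: str, protocol: str,
                 rules: List[RouteMapRule]) -> None:
        self.name = name
        self.protocol = protocol
        self.rules = sorted(rules, key=lambda r: r.rule_id)   # assumption

    def evaluate(self, route: Route) -> Optional[Route]:
        """Return the (possibly rewritten) route, or None if it is denied."""
        for rule in self.rules:
            if not rule.matches(route):
                continue
            return rule.apply(route) if rule.action == "permit" else None
        return None    # assumption: no matching rule means the route is denied


def build_myroutemap() -> RouteMap:
    """The "myroutemap" example above as data."""
    return RouteMap("myroutemap", "rip", [
        RouteMapRule(1, "permit", match_interface="internal",
                     match_metric=12, match_tag=36,
                     set_ip_nexthop="128.8.0.0", set_metric=48, set_tag=72),
    ])


if __name__ == "__main__":
    rmap = build_myroutemap()
    # Constructed sample routes: only the first satisfies all three matches
    for sample in (Route("170.38.65.0/24", "internal", 12, 36),
                   Route("170.38.66.0/24", "internal", 13, 36),
                   Route("128.8.0.0/16", "vlan35", 12, 36)):
        print(sample.prefix, "->", rmap.evaluate(sample))
```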

config router setting

Use this command to filter incoming protocol routes before they reach the routing information base (RIB). You can filter protocol routes so that they are not added to the RIB routing table.

NOTE: You must have an advanced features license to use BGP, IS-IS, OSPF, or RIP routing.

Syntax

config router setting

config filter-list

edit <filter_list_ID>

set protocol {any | any6 | bgp | bgp6 | isis | isis6 | ospf | ospf6 | rip | ripng | static | static6}

set route-map <route_map_name>

end

end

Variable

Description

Default

<filter_list_ID>

Enter a filter-list identifier.

No default

protocol {any | any6 | bgp | bgp6 | isis | isis6 | ospf | ospf6 | rip | ripng | static | static6}

Specify which protocol's routes the filter is applied to:

  • any: any IPv4 protocol.
  • any6: any IPv6 protocol.
  • bgp: IPv4 BGP.
  • bgp6: IPv6 BGP.
  • isis: IPv4 IS-IS.
  • isis6: IPv6 IS-IS.
  • ospf: IPv4 OSPF.
  • ospf6: IPv6 OSPF.
  • rip: IPv4 RIP.
  • ripng: IPv6 RIP.
  • static: IPv4 static.
  • static6: IPv6 static.

No default

route-map <route_map_name>

Enter the route map name. Only a route map created with the protocol set to zebra can be applied here.

No default

Example

This example shows how to filter incoming protocol routes in RIB:

config router setting

config filter-list

edit 2

set protocol ospf

set route-map myroutemap

end

end

config router static

Use this command to add, edit, or delete static routes for IPv4 traffic.

You add static routes to manually control traffic exiting the FortiSwitch unit. You configure routes by specifying destination IP addresses and network masks and adding gateways for these destination addresses. Gateways are the next-hop routers to which traffic that matches the destination addresses in the route is forwarded.

Syntax

config router static

edit <sequence_number>

set bfd {enable | disable}

set blackhole {enable | disable}

set comment <comment_str>

set device <interface_name>

set distance <1-255>

set dst <destination-address_IPv4mask>

set dynamic-gateway {enable | disable}

set gateway <gateway-address_IPv4>

set status {enable | disable}

set vrf <string>

end

Variable

Description

Default

<sequence_number>

Enter a sequence number for the static route.

No default

bfd {enable | disable}

Enable or disable bidirectional forwarding detection (BFD) for the route gateway.

disable

blackhole {enable | disable}

Enable or disable dropping all packets that match this route.

disable

comment <comment_str>

Optionally enter a descriptive comment.

No default

device <interface_name>

Enter the name of the interface through which to route traffic. Enter ‘?’ to see a list of interfaces.

No default

distance <1-255>

Enter the administrative distance for the route. The range is an integer from 1-255.

10

dst <destination-address_IPv4mask>

Enter the destination IPv4 address and network mask for this route. You can enter 0.0.0.0/0 to create a new static default route.

0.0.0.0 0.0.0.0

dynamic-gateway {enable | disable}

When enabled, the route gateway IP address is obtained using DHCP running on the route's device interface.

disable

gateway <gateway-address_IPv4>

Enter the IPv4 address of the next-hop router to which traffic is forwarded.

No default

status {enable | disable}

Enable this setting for the route to be added to the routing table.

enable

vrf <string>

Assign the specified virtual routing and forwarding (VRF) instance to this static route.

After the static route is created, the VRF instance cannot be changed or unset.

No default

Example

This example shows how to configure a static route:

config router static

edit 1

set gateway 192.168.0.10

set status enable

end

end

config router static6

Use this command to add, edit, or delete static routes for IPv6 traffic.

You add static routes to manually control traffic exiting the FortiSwitch unit. You configure routes by specifying destination IP addresses and network masks and adding gateways for these destination addresses. Gateways are the next-hop routers to which traffic that matches the destination addresses in the route is forwarded.

Syntax

config router static6

edit <sequence_number>

set bfd {enable | disable}

set blackhole {enable | disable}

set comment <comment_str>

set device <interface_name>

set distance <1-255>

set dst <destination-address_IPv6mask>

set gateway <gateway-address_IPv6>

set status {enable | disable}

set vrf <string>

end

The dst and gateway fields are required when blackhole is disabled. When blackhole is enabled, the dst field is required. All other fields are optional.

Variable

Description

Default

<sequence_number>

Enter a sequence number for the static route.

No default

bfd {enable | disable}

Enable or disable bidirectional forwarding detection (BFD) for the gateway.

disable

blackhole {enable | disable}

Enable or disable dropping all packets that match this route.

disable

comment <comment_str>

Optionally enter a descriptive comment.

No default

device <interface_name>

Enter the name of the interface through which to route traffic. Enter ‘?’ to see a list of interfaces.

No default

distance <1-255>

Enter the administrative distance for the route. The range is an integer from 1-255.

10

dst <destination-address_IPv6mask>

Enter the destination IPv6 address and network mask for this route.

::/0

gateway <gateway-address_IPv6>

Enter the IPv6 address of the next-hop router to which traffic is forwarded.

::

status {enable | disable}

Enable this setting for the route to be added to the routing table.

enable

vrf <string>

Assign the specified virtual routing and forwarding (VRF) instance to this static route.

After the static route is created, the VRF instance cannot be changed or unset.

No default

Example

This example shows how to configure a static route for IPv6 traffic:

config router static6

edit 1

set dst 5555::/64

set gateway 4000::2

set status enable

end

end

config router vrf

Use these commands to create virtual routing and forwarding (VRF) instances.

Syntax

config router vrf

edit <VRF_name>

set vrfid <integer>

end

Variable

Description

Default

<VRF_name>

Enter the name of the VRF instance.

The name cannot match the name of any switch virtual interface (SVI).

No default

vrfid <integer>

Set the VRF identifier. The range of values is 1-1023.

You cannot use 252, 253, 254, or 255. After the VRF instance is created, the VRF ID cannot be changed.

0

Example

This example shows how to configure two VRF instances:

config router vrf

edit vrfv4

set vrfid 1

next

edit vrfv6

set vrfid 2

next

end
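The VRF constraints above (vrfid 1-1023, 252-255 reserved, name distinct from any SVI) and the dst, gateway, blackhole, distance and vrf rules from config router static and config router static6 can be checked before a configuration is pushed. The following Python script is an added example and is not Fortinet code. It applies the static6 rule that dst and gateway are required unless blackhole is enabled to IPv4 routes as well, and it requires a VRF referenced by a route to be defined in the same batch; both are this example's assumptions, as are the field names Vrf and StaticRoute.

```python
"""Validate FortiSwitch VRF and static-route entries, then render their CLI.
Added example, not Fortinet's code; it encodes the constraints that the config
router vrf, config router static and config router static6 entries state."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

RESERVED_VRF_IDS = {252, 253, 254, 255}   # page: these vrfid values cannot be used

@dataclass
class Vrf:
    name: str
    vrfid: int

@dataclass
class StaticRoute:
    seq: int
    dst: Optional[str] = None       # prefix, e.g. "10.0.0.0/8" or "2001:db8::/32"
    gateway: Optional[str] = None   # next hop, same address family as dst
    blackhole: bool = False
    distance: int = 10              # page default
    vrf: Optional[str] = None

def validate_vrf(vrf, svi_names):
    """Return the problems with a VRF entry; an empty list means it is acceptable."""
    errs = []
    if not 1 <= vrf.vrfid <= 1023:
        errs.append(f"vrf {vrf.name}: vrfid {vrf.vrfid} is outside 1-1023")
    elif vrf.vrfid in RESERVED_VRF_IDS:
        errs.append(f"vrf {vrf.name}: vrfid {vrf.vrfid} is reserved")
    if vrf.name in svi_names:
        errs.append(f"vrf {vrf.name}: name collides with an SVI")
    return errs

def validate_route(route, vrf_names):
    """Return the problems with a static route entry (IPv4 or IPv6)."""
    if route.dst is None:
        return [f"route {route.seq}: dst is required"]
    try:
        net = ipaddress.ip_network(route.dst, strict=False)
    except ValueError:
        return [f"route {route.seq}: dst {route.dst!r} is not a valid prefix"]
    errs = []
    # page (static6): dst and gateway are required unless blackhole is enabled
    if route.gateway is None and not route.blackhole:
        errs.append(f"route {route.seq}: gateway is required unless blackhole is enabled")
    if route.gateway is not None:
        try:
            if ipaddress.ip_address(route.gateway).version != net.version:
                errs.append(f"route {route.seq}: gateway and dst address families differ")
        except ValueError:
            errs.append(f"route {route.seq}: gateway {route.gateway!r} is not an address")
    if not 1 <= route.distance <= 255:
        errs.append(f"route {route.seq}: distance {route.distance} is outside 1-255")
    # assumption of this example: a referenced VRF must already be defined
    if route.vrf is not None and route.vrf not in vrf_names:
        errs.append(f"route {route.seq}: vrf {route.vrf!r} is not defined")
    return errs

def render(vrfs, routes):
    """Render CLI for validated entries: IPv4 under static, IPv6 under static6."""
    lines = []
    if vrfs:
        lines.append("config router vrf")
        for v in vrfs:
            lines += [f"edit {v.name}", f"set vrfid {v.vrfid}", "next"]
        lines.append("end")
    by_family = {4: [], 6: []}
    for r in routes:
        by_family[ipaddress.ip_network(r.dst, strict=False).version].append(r)
    for table, family in (("static", 4), ("static6", 6)):
        if not by_family[family]:
            continue
        lines.append(f"config router {table}")
        for r in by_family[family]:
            optional = [("set blackhole enable", r.blackhole),
                        (f"set gateway {r.gateway}", r.gateway is not None),
                        (f"set distance {r.distance}", r.distance != 10),
                        (f"set vrf {r.vrf}", r.vrf is not None)]
            lines += [f"edit {r.seq}", f"set dst {r.dst}"]
            lines += [text for text, keep in optional if keep]
            lines.append("next")
        lines.append("end")
    return "\n".join(lines)

def check_all(vrfs, routes, svi_names=()):
    """Validate everything; return (errors, cli), cli being empty when errors exist."""
    errs = [e for v in vrfs for e in validate_vrf(v, svi_names)]
    names = {v.name for v in vrfs}
    errs += [e for r in routes for e in validate_route(r, names)]
    return errs, ("" if errs else render(vrfs, routes))

if __name__ == "__main__":
    # constructed sample: the reserved vrfid and the gateway-less IPv6 route fail
    errors, cli = check_all(
        [Vrf("vrfv4", 1), Vrf("mgmt", 253)],
        [StaticRoute(1, "10.0.0.0/8", gateway="192.168.0.10", vrf="vrfv4"),
         StaticRoute(2, "192.0.2.0/24", blackhole=True),
         StaticRoute(3, "2001:db8::/32")], svi_names={"vlan10"})
    print("\n".join(errors) or cli)
```

Because a VRF ID cannot be changed after the instance is created and a route's VRF cannot be unset, catching a reserved ID or an undefined VRF name before the entries reach the switch avoids having to delete and recreate them.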

config router access-list6

Use this command to configure an IPv6 access list. An access list is a list of IP addresses and the action to take for each one. Access lists provide basic route and network filtering.

Syntax

config router access-list6

edit <name_of_IPv6_access_list>

set comments <string>

config rule

edit <rule_ID>

set action {deny | permit}

set prefix6 {<xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx> | any}

set exact-match {enable | disable}

next

end

end

Variable

Description

Default

<name_of_IPv6_access_list>

Enter the name of the IPv6 access list.

No default

comments <string>

Enter a descriptive comment.

No default

config rule

Configure the IPv6 access-list rule.

<rule_ID>

The rule identifier.

No default

action {deny | permit}

Set whether the rule allows or denies the IPv6 address.

permit

prefix6 {<xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx> | any}

Set the IPv6 prefix to define regular filter criteria, such as any or X:X::X:X/M.

any

exact-match {enable | disable}

Set whether the rule looks for an exact match with the value in the prefix field.

disable

Example

This example shows how to configure an IPv6 access list:

config router access-list6

edit accesslist1

set comments "IPv6 access list"

config rule

edit 1

set action permit

set prefix6 fe80::a5b:eff:fef1:95e5

set exact-match disable

next

end

end

config router aspath-list

Use this command to set or unset Border Gateway Protocol (BGP) AS-path list parameters. By default, BGP uses an ordered list of Autonomous System (AS) numbers to describe the route that a packet takes to reach its destination. A list of these AS numbers is called the AS path. You can filter BGP routes using AS path lists.

Use the config router aspath-list command to define an access list that examines the AS_PATH attributes of BGP routes to match routes. Each entry in the list defines a rule for matching and selecting routes based on the setting of the AS_PATH attribute.

Syntax

config router aspath-list

edit <AS_path_list_name>

config rule

edit <rule_identifier>

set action {deny | permit}

set regexp <string>

end

end

Variable

Description

Default

<AS_path_list_name>

Enter the name of the AS path list.

No default

config rule

Configure the AS path list rule.

<rule_identifier>

Enter a rule identifier.

No default

action {deny | permit}

Set whether to permit or deny route-based operations, based on the route's AS_PATH attribute.

No default

regexp <string>

Specify the regular expression that will be compared to the AS_PATH attribute (for example, ^730$). The value is used to match AS numbers. Enclose a complex regular expression value within double-quotation marks.

No default
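The following Python script is an added example, not Fortinet code, that models how the rules in config router access-list6 and config router aspath-list are evaluated: rules are tried in order and the first matching rule's action applies; a prefix6 rule with exact-match disabled matches any route inside its prefix, while with exact-match enabled it matches only the identical prefix; regexp is matched against the AS_PATH written as space-separated AS numbers. It assumes Zebra-style "_" wildcards in the regular expression (standing for the start, the end, or the space between two AS numbers) and an implicit deny when no rule matches; neither is stated on this page. The class names and the sample lists are constructed for the example.

```python
"""First-match evaluation of access-list6 and aspath-list rules.
Added example, not Fortinet's code. It models the rule semantics the config
router access-list6 and config router aspath-list entries describe. The "_"
wildcard handling and the implicit final deny are this example's assumptions."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Prefix6Rule:
    action: str                 # "permit" or "deny"
    prefix6: str                # "any" or X:X::X:X/M
    exact_match: bool = False   # page default

    def matches(self, route):
        if self.prefix6 == "any":
            return True
        rule_net = ipaddress.IPv6Network(self.prefix6, strict=False)
        route_net = ipaddress.IPv6Network(route, strict=False)
        if self.exact_match:
            return route_net == rule_net
        return route_net.subnet_of(rule_net)   # equal or more specific


@dataclass
class AsPathRule:
    action: str
    regexp: str                 # e.g. "^730$" from the page, or "_64512_"

    def matches(self, as_path):
        # assumption: "_" stands for start, end, or the space between two AS numbers
        pattern = self.regexp.replace("_", r"(?:^|$|\s)")
        text = " ".join(str(asn) for asn in as_path)
        return re.search(pattern, text) is not None


def evaluate(rules, subject):
    """Action of the first matching rule; 'deny' when nothing matches (assumed)."""
    for rule in rules:
        if rule.matches(subject):
            return rule.action
    return "deny"


# Constructed sample lists.
ACL6 = [
    Prefix6Rule("deny", "2001:db8:bad::/48"),                  # the /48 and everything in it
    Prefix6Rule("permit", "2001:db8::/32", exact_match=True),  # only the summary itself
    Prefix6Rule("permit", "fe80::/10"),
]
ASPATH = [
    AsPathRule("deny", "_64512_"),   # a private AS number anywhere in the path
    AsPathRule("permit", "^730$"),   # the page's example: paths consisting of AS 730 only
    AsPathRule("permit", "^$"),      # empty path: locally originated
]

if __name__ == "__main__":
    for route in ("2001:db8:bad:1::/64", "2001:db8::/32", "2001:db8:1::/48"):
        print(route, evaluate(ACL6, route))
    for path in ([730], [100, 730], [100, 64512, 730], []):
        print(path, evaluate(ASPATH, path))
```

The order of the rules matters: a deny for a longer prefix placed before a permit for its parent blocks only that subtree, while the reverse order would never reach the deny.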

config router bgp

Use this command to configure Border Gateway Protocol version-4 (BGP-4) routing parameters. BGP can be used to perform Classless Interdomain Routing (CIDR) and to route traffic between different autonomous systems or domains using an alternative route if a link between a FortiSwitch unit and a BGP peer (such as an ISP router) fails.

The following RFCs are supported:

  • RFC1771—A Border Gateway Protocol 4 (BGP-4)
  • RFC1965—Autonomous System Confederations for BGP
  • RFC1997—BGP Communities Attribute
  • RFC2545—Use of BGP-4 Multiprotocol Extensions for IPv6 Inter-Domain Routing
  • RFC2796—BGP Route Reflection: An Alternative to Full Mesh IBGP
  • RFC2858—Multiprotocol Extensions for BGP-4
  • RFC2842—Capabilities Advertisement with BGP-4
  • RFC2439—BGP Route Flap Damping

Syntax

config router bgp

set as <MANDATORY_router_AS_number>

set router-id <MANDATORY_IP_address>

set keepalive-timer <0-65535>

set holdtime-timer <0, 3-65535>

set always-compare-med {disable | enable}

set bestpath-as-path-ignore {disable | enable}

set bestpath-cmp-confed-aspath {disable | enable}

set bestpath-cmp-routerid {disable | enable}

set bestpath-med-confed {disable | enable}

set bestpath-med-missing-as-worst {disable | enable}

set client-to-client-reflection {disable | enable}

set dampening {disable | enable}

set dampening-reachability-half-life <1-45>

set dampening-reuse <1-20000>

set dampening-suppress <1-20000>

set dampening-max-suppress-time <1-255>

set deterministic-med {disable | enable}

set enforce-first-as {disable | enable}

set fast-external-failover {disable | enable}

set log-neighbour-changes {disable | enable}

set cluster-id <IP_address>

set confederation-identifier <1-4294967295>

set default-local-preference <0-4294967295>

set scan-time <5-60>

set maximum-paths-ebgp <1-64>

set bestpath-aspath-multipath-relax {disable | enable}

set maximum-paths-ibgp <1-64>

set distance-external <1-255>

set distance-internal <1-255>

set distance-local <1-255>

set graceful-stalepath-time <1-3600>

config admin-distance

edit <identifier>

set distance <1-255>

set neighbour-prefix <IP_address_netmask>

set route-list <string>

end

config aggregate-address

edit <identifier>

set as-set {disable | enable}

set prefix <IPv4_address_netmask>

set summary-only {disable | enable}

end

config aggregate-address6

edit <identifier>

set as-set {disable | enable}

set prefix <IPv6_address_netmask>

set summary-only {disable | enable}

end

config neighbor

edit "<IPv4_IPv6_address>"

set advertisement-interval <0-600>

set allowas-in-enable {disable | enable}

set allowas-in <1-10>

set allowas-in-enable6 {disable | enable}

set allowas-in6 <1-10>

set attribute-unchanged {as-path | MED | next-hop}

set attribute-unchanged6 {as-path | MED | next-hop}

set activate {disable | enable}

set activate6 {disable | enable}

set bfd {disable | enable}

set capability-dynamic {disable | enable}

set capability-orf {both | none | receive | send}

set capability-orf6 {both | none | receive | send}

set capability-default-originate {disable | enable}

set capability-default-originate6 {disable | enable}

set dont-capability-negotiate {disable | enable}

set ebgp-enforce-multihop {disable | enable}

set ebgp-multihop-ttl <1-255>

set ebgp-ttl-security-hops <1-254>

set next-hop-self {disable | enable}

set next-hop-self6 {disable | enable}

set override-capability {disable | enable}

set passive {disable | enable}

set remove-private-as {disable | enable}

set remove-private-as6 {disable | enable}

set route-reflector-client {disable | enable}

set route-reflector-client6 {disable | enable}

set route-server-client {disable | enable}

set route-server-client6 {disable | enable}

set shutdown {disable | enable}

set soft-reconfiguration {disable | enable}

set soft-reconfiguration6 {disable | enable}

set as-override {disable | enable}

set as-override6 {disable | enable}

set strict-capability-match {disable | enable}

set description <string>

set distribute-list-in <string>

set distribute-list-in6 <string>

set distribute-list-out <string>

set distribute-list-out6 <string>

set filter-list-in <string>

set filter-list-in6 <string>

set filter-list-out <string>

set filter-list-out6 <string>

set interface <interface_name>

set maximum-prefix <1-4294967295>

set maximum-prefix6 <1-4294967295>

set prefix-list-in <string>

set prefix-list-in6 <string>

set prefix-list-out <string>

set prefix-list-out6 <string>

set remote-as <MANDATORY_1-4294967295>

set route-map-in <string>

set route-map-in6 <string>

set route-map-out <string>

set route-map-out6 <string>

set send-community {both | disable | extended | standard}

set send-community6 {both | disable | extended | standard}

set keep-alive-timer <0-65535>

set holdtime-timer <0, 3-65535>

set connect-timer <0-65535>

set unsuppress-map <string>

set unsuppress-map6 <string>

set update-source {interface_name}

set weight <0-65535>

end

config network

edit <identifier>

set backdoor {disable | enable}

set prefix <IPv4_address_netmask>

set route-map <string>

end

config network6

edit <identifier>

set backdoor {disable | enable}

set prefix6 <IPv6_address_netmask>

set route-map <string>

end

config redistribute {connected | isis | ospf | rip | static}

set status {disable | enable}

set route-map <string>

end

config redistribute6 {connected | isis | ospf | rip | static}

set status {disable | enable}

set route-map <string>

end

end

Variable

Description

Default

as <MANDATORY_router_AS_number>

Mandatory. Enter an integer to specify the local autonomous system (AS) number of the FortiSwitch unit. The range is from 1 to 4 294 967 295. A value of 0 disables BGP (disabled by default).

0

router-id <MANDATORY_IP_address>

Mandatory. Specify a fixed identifier for the FortiSwitch unit. A value of 0.0.0.0 is not allowed.

0.0.0.0

keepalive-timer <0-65535>

How often (in seconds) the router sends out keepalive messages to neighbor routers to maintain those sessions.

60

holdtime-timer <0, 3-65535>

How long (in seconds) the router waits for a keepalive message before declaring a router offline. A shorter time detects an offline router faster.

180

always-compare-med {disable | enable}

Always compare Multi-Exit Discriminator (MED).

disable

bestpath-as-path-ignore {disable | enable}

AS_PATH is the BGP attribute that records each AS that a route advertisement has passed through; it helps prevent routing loops. Enable this option to have BGP ignore the AS path when selecting the best path. Disable this option to have BGP take the AS path into account.

disable

bestpath-cmp-confed-aspath {disable | enable}

Enable or disable the comparison of the AS_CONFED_SEQUENCE attribute, which defines an ordered list of AS numbers representing a path from the FortiSwitch unit through autonomous systems within the local confederation.

disable

bestpath-cmp-routerid {disable | enable}

Compare router ID for identical external BGP (EBGP) paths.

disable

bestpath-med-confed {disable | enable}

Compare MED among confederation paths.

disable

bestpath-med-missing-as-worst {disable | enable}

Enable or disable (by default) treating any confederation path with a missing MED metric as the least preferred path.

disable

client-to-client-reflection {disable | enable}

Enable (by default) or disable client-to-client route reflection between internal BGP (IBGP) peers.

enable

dampening {disable | enable}

Enable or disable (by default) route-flap dampening on all BGP routes. A flapping route is unstable and continually transitions down and up (see RFC 2439).

disable

dampening-reachability-half-life <1-45>

If you enable dampening, set the maximum time that a route can be suppressed (in minutes). A route can continue to accumulate penalties while it is suppressed. However, the route cannot be suppressed longer than the maximum time.

15

dampening-reuse <1-20000>

If you enable dampening, set a dampening reuse limit based on the number of accumulated penalties. If the penalty assigned to a flapping route decreases enough to fall below the specified limit, the route is not suppressed.

750

dampening-suppress <1-20000>

If you enable dampening, set a dampening-suppression limit based on the number of accumulated penalties. A route is suppressed (not advertised) when its penalty exceeds the specified limit.

2000

dampening-max-suppress-time <1-255>

If you enable dampening, set the maximum time that a route can be suppressed. A route can continue to accumulate penalties while it is suppressed. However, the route cannot be suppressed longer than the maximum time.

60
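The four dampening settings above interact through the penalty model of RFC 2439: every flap adds a penalty, the penalty decays by half every half-life, a route is suppressed once its penalty exceeds the suppress limit, and it is reused once the penalty falls below the reuse limit; the max-suppress-time caps the penalty so that no route stays suppressed longer than that. The following Python script is an added example, not Fortinet code. It uses the page's defaults (half-life 15 minutes, reuse 750, suppress 2000, max-suppress-time 60 minutes) and assumes the RFC 2439 conventions of a 1000-point penalty per flap and exponential decay governed by the half-life; the class and function names are the example's own.

```python
"""Route-flap dampening with the config router bgp dampening-* settings.
Added example, not Fortinet's code. Penalty accounting follows RFC 2439;
the per-flap penalty of 1000 is an assumed convention, not a page value."""
import math
from dataclasses import dataclass

FLAP_PENALTY = 1000.0   # assumed per-flap penalty (RFC 2439 convention)


@dataclass
class Dampening:
    half_life: float = 15.0          # dampening-reachability-half-life, minutes
    reuse: float = 750.0             # dampening-reuse
    suppress: float = 2000.0         # dampening-suppress
    max_suppress_time: float = 60.0  # dampening-max-suppress-time, minutes

    def ceiling(self):
        """Penalty cap: a higher value could not decay below reuse within max-suppress-time."""
        return self.reuse * 2 ** (self.max_suppress_time / self.half_life)


@dataclass
class RouteState:
    penalty: float = 0.0
    last_update: float = 0.0   # minutes
    suppressed: bool = False


def decay(state, cfg, now):
    """Halve the penalty once per half-life elapsed since the last update."""
    state.penalty *= 2 ** (-(now - state.last_update) / cfg.half_life)
    state.last_update = now


def flap(state, cfg, now):
    """Record a flap at time now (minutes); return whether the route is suppressed."""
    decay(state, cfg, now)
    state.penalty = min(state.penalty + FLAP_PENALTY, cfg.ceiling())
    if state.penalty > cfg.suppress:
        state.suppressed = True
    return state.suppressed


def evaluate(state, cfg, now):
    """Re-evaluate at time now: a suppressed route is reused once penalty < reuse."""
    decay(state, cfg, now)
    if state.suppressed and state.penalty < cfg.reuse:
        state.suppressed = False
    return state.suppressed


def minutes_until_reuse(state, cfg):
    """How long a suppressed route stays withdrawn if it does not flap again."""
    if state.penalty <= cfg.reuse:
        return 0.0
    return cfg.half_life * math.log2(state.penalty / cfg.reuse)


def simulate(cfg, flap_times):
    """Return the route state after a constructed sequence of flap times (minutes)."""
    state = RouteState()
    for t in flap_times:
        flap(state, cfg, t)
    return state


if __name__ == "__main__":
    cfg = Dampening()
    s = simulate(cfg, [0, 1, 2])   # three flaps in three minutes
    print(f"penalty {s.penalty:.0f}, suppressed {s.suppressed}, "
          f"reuse in {minutes_until_reuse(s, cfg):.1f} min, ceiling {cfg.ceiling():.0f}")
```

With the defaults, two flaps a minute apart leave the penalty just under 2000, so a third flap is what triggers suppression, and the route then stays withdrawn for roughly half an hour. Lowering dampening-suppress or raising the half-life makes the switch react to an unstable peer sooner and keep it out longer; the ceiling (reuse times 2 raised to max-suppress-time over half-life) bounds how long any route can be held.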

deterministic-med {disable | enable}

Enforce deterministic comparison of MED.

disable

enforce-first-as {disable | enable}

Enforce first AS for EBGP routes.

disable

fast-external-failover {disable | enable}

Reset peer BGP session if link goes down.

enable

log-neighbour-changes {disable | enable}

Enable or disable logging of BGP neighbor changes.

enable

cluster-id <IP_address>

Route reflector cluster ID.

0.0.0.0

confederation-identifier <1-4294967295>

Confederation identifier.

0

default-local-preference <0-4294967295>

Default local preference.

100

scan-time <5-60>

Background scanner interval (seconds).

60

maximum-paths-ebgp <1-64>

Set the maximum number of paths for equal-cost multi-path (ECMP) routing using the External Border Gateway Protocol (EBGP).

1

bestpath-aspath-multipath-relax {disable | enable}

Enable or disable load sharing across routes that are the same length but have different autonomous system (AS) paths.

disable

maximum-paths-ibgp <1-64>

Set the maximum number of paths for equal-cost multi-path (ECMP) routing using the Internal Border Gateway Protocol (IBGP).

1

distance-external <1-255>

Distance for routes external to the AS.

20

distance-internal <1-255>

Distance for routes internal to the AS.

200

distance-local <1-255>

Distance for routes local to the AS.

200

graceful-stalepath-time <1-3600>

Time (in seconds) to hold the stale paths of a restarting neighbor.

360

config admin-distance

Configure administrative distance modifications.

<identifier>

Enter an identifier to set administrative distance modifications for BGP routes.

No default

distance <1-255>

Set the administrative distance to apply.

0

neighbour-prefix <IP_address_netmask>

Neighbor address prefix. Enter the IP address and netmask of the neighbors to which this distance applies.

0.0.0.0 0.0.0.0

route-list <string>

The access list of routes this distance will be applied to.

No default

config aggregate-address

Configure the table of BGP IPv4 aggregate addresses.

<identifier>

Enter a BGP aggregate entry in the routing table.

When you aggregate routes, routing becomes less precise because path details are not readily available for routing purposes. The aggregate address represents addresses in several autonomous systems. Aggregation reduces the length of the network mask until it masks only the bits that are common to all of the addresses being summarized.

No default

as-set {disable | enable}

Enable or disable the generation of an unordered list of AS numbers to include in the path information.

disable

prefix <IPv4_address_netmask>

Aggregate IPv4 prefix. The prefix 0.0.0.0 0.0.0.0 is not allowed.

No default

summary-only {disable | enable}

Enable or disable filtering more specific routes from updates.

disable

config aggregate-address6

Configure the table of BGP IPv6 aggregate addresses.

<identifier>

Enter a BGP aggregate entry in the routing table.

When you aggregate routes, routing becomes less precise because path details are not readily available for routing purposes. The aggregate address represents addresses in several autonomous systems. Aggregation reduces the length of the network mask until it masks only the bits that are common to all of the addresses being summarized.

No default

as-set {disable | enable}

Enable or disable the generation of an unordered list of AS numbers to include in the path information.

disable

prefix6 <IPv6_address_netmask>

Aggregate IPv6 prefix.

No default

summary-only {disable | enable}

Enable or disable filtering more specific routes from updates.

disable

config neighbor

Configure the BGP neighbor table.

<IPv4_IPv6_address>

Enter the IPv4 or IPv6 address of the BGP neighbor.

No default

advertisement-interval <0-600>

Set the minimum amount of time (in seconds) that the FortiSwitch unit waits before sending a BGP routing update to the BGP neighbor.

30

allowas-in-enable {disable | enable}

Enable to allow the local AS number to appear in the AS path of routes received from this neighbor (for IPv4).

disable

allowas-in <1-10>

If you enable allowas-in-enable, set the maximum number of times the local AS number may occur in the AS path (for IPv4).

No default

allowas-in-enable6 {disable | enable}

Enable to allow the local AS number to appear in the AS path of routes received from this neighbor (for IPv6).

disable

allowas-in6 <1-10>

If you enable allowas-in-enable6, set the maximum number of times the local AS number may occur in the AS path (for IPv6).

No default

attribute-unchanged {as-path | MED | next-hop}

Propagate unchanged BGP attributes to the BGP neighbor using one of the following methods (for IPv4):
  • To advertise unchanged AS_PATH attributes, select as-path.
  • To advertise unchanged MULTI_EXIT_DISC attributes, select med.
  • To keep the next-hop attribute as is, select next-hop.
  • An empty set (default) is a supported value.

No default

attribute-unchanged6 {as-path | MED | next-hop}

Propagate unchanged BGP attributes to the BGP neighbor using one of the following methods (for IPv6):

  • To advertise unchanged AS_PATH attributes, select as-path.
  • To advertise unchanged MULTI_EXIT_DISC attributes, select med.
  • To keep the next-hop attribute as is, select next-hop.
  • An empty set (default) is a supported value.

No default

activate {disable | enable}

Enable address family IPv4 for this neighbor.

enable

activate6 {disable | enable}

Enable address family IPv6 for this neighbor.

enable

bfd {disable | enable}

Enable BFD for this neighbor.

disable

capability-dynamic {disable | enable}

Advertise dynamic capability to this neighbor.

disable

capability-orf {both | none | receive | send}

Enable advertising of Outbound Routing Filter (ORF) prefix-list capability to the BGP neighbor using one of the following methods (for IPv4):
  • none: disable the advertising of ORF prefix-list capability.
  • receive: enable receive capability.
  • send: enable send capability.
  • both: enable send and receive capability.

none

capability-orf6 {both | none | receive | send}

Enable advertising of ORF prefix-list capability to the BGP neighbor using one of the following methods (for IPv6):

  • none: disable the advertising of ORF prefix-list capability.
  • receive: enable receive capability.
  • send: enable send capability.
  • both: enable send and receive capability.

none

capability-default-originate {disable | enable}

Advertise the default IPv4 route to this neighbor.

disable

capability-default-originate6 {disable | enable}

Advertise the default IPv6 route to this neighbor.

disable

dont-capability-negotiate {disable | enable}

Do not negotiate capabilities with this neighbor.

disable

ebgp-enforce-multihop {disable | enable}

Enable or disable EBGP sessions with neighbors that are more than one hop away.

disable

ebgp-multihop-ttl <1-255>

If you enable ebgp-enforce-multihop, define a TTL value for BGP packets sent to the BGP neighbor.

255

ebgp-ttl-security-hops <1-254>

If you enable ebgp-enforce-multihop, specify the maximum number of hops to the EBGP peer.

0

next-hop-self {disable | enable}

Enable or disable IPv4 next-hop calculation for this neighbor.

disable

next-hop-self6 {disable | enable}

Enable or disable IPv6 next-hop calculation for this neighbor.

disable

override-capability {disable | enable}

Enable or disable the overriding of the result of the capability negotiation.

disable

passive {disable | enable}

Enable or disable sending of open messages to this neighbor.

disable

remove-private-as {disable | enable}

Enable or disable the removal of the private AS number from the IPv4 outbound updates.

disable

remove-private-as6 {disable | enable}

Enable or disable the removal of the private AS number from the IPv6 outbound updates.

disable

route-reflector-client {disable | enable}

Enable or disable the IPv4 AS route reflector client.

disable

route-reflector-client6 {disable | enable}

Enable or disable the IPv6 AS route reflector client.

disable

route-server-client {disable | enable}

Enable or disable the IPv4 AS route server client.

disable

route-server-client6 {disable | enable}

Enable or disable the IPv6 AS route server client.

disable

shutdown {disable | enable}

Enable or disable the shutting down of this neighbor.

disable

soft-reconfiguration {disable | enable}

Enable or disable IPv4 inbound soft reconfiguration.

disable

soft-reconfiguration6 {disable | enable}

Enable or disable IPv6 inbound soft reconfiguration.

disable

as-override {disable | enable}

Enable or disable the replacement of the peer AS with own AS for IPv4.

disable

as-override6 {disable | enable}

Enable or disable the replacement of the peer AS with own AS for IPv6.

disable

strict-capability-match {disable | enable}

Enable or disable strict capability matching.

disable

description <string>

Enter a description of this neighbor.

No default

distribute-list-in <string>

Limit route updates from the BGP neighbor based on the Network Layer Reachability Information (NLRI) prefixes defined in the specified IPv4 access list. You must create the access list before it can be selected here. See config router access-list.

No default

distribute-list-in6 <string>

Limit route updates from the BGP neighbor based on the Network Layer Reachability Information (NLRI) prefixes defined in the specified IPv6 access list. You must create the access list before it can be selected here. See config router access-list6.

No default

distribute-list-out <string>

Limit route updates to the BGP neighbor based on the NLRI defined in the specified IPv4 access list. You must create the access list before it can be selected here. See config router access-list.

No default

distribute-list-out6 <string>

Limit route updates to the BGP neighbor based on the NLRI defined in the specified IPv6 access list. You must create the access list before it can be selected here. See config router access-list6.

No default

filter-list-in <string>

BGP AS path filter for IPv4 inbound routes. You must create the AS path list before it can be selected here. See config router aspath-list.

No default

filter-list-in6 <string>

BGP AS path filter for IPv6 inbound routes. You must create the AS path list before it can be selected here. See config router aspath-list.

No default

filter-list-out <string>

BGP AS path filter for IPv4 outbound routes. You must create the AS path list before it can be selected here. See config router aspath-list.

No default

filter-list-out6 <string>

BGP AS path filter for IPv6 outbound routes. You must create the AS path list before it can be selected here. See config router aspath-list.

No default

interface <interface_name>

Set the interface.

No default

maximum-prefix <1-4294967295>

Enter the maximum number of IPv4 prefixes to accept from this peer.

unset

maximum-prefix6 <1-4294967295>

Enter the maximum number of IPv6 prefixes to accept from this peer.

unset

prefix-list-in <string>

Limit route updates from a BGP neighbor based on the Network Layer Reachability Information (NLRI) in the specified IPv4 prefix list. The prefix list defines the NLRI prefix and length advertised in a route. You must create the prefix list before it can be selected here. See config router prefix-list.

No default

prefix-list-in6 <string>

Limit route updates from a BGP neighbor based on the Network Layer Reachability Information (NLRI) in the specified IPv6 prefix list. The prefix list defines the NLRI prefix and length advertised in a route. You must create the prefix list before it can be selected here. See config router prefix-list6.

No default

prefix-list-out <string>

Limit route updates to a BGP neighbor based on the NLRI in the specified IPv4 prefix list. The prefix list defines the NLRI prefix and length advertised in a route. You must create the prefix list before it can be selected here. See config router prefix-list.

No default

prefix-list-out6 <string>

Limit route updates to a BGP neighbor based on the NLRI in the specified IPv6 prefix list. The prefix list defines the NLRI prefix and length advertised in a route. You must create the prefix list before it can be selected here. See config router prefix-list6.

No default

remote-as <MANDATORY_1-4294967295>

Mandatory. Adds a BGP neighbor to the FortiSwitch configuration and sets the AS number of the neighbor. If the number is identical to the AS number of the FortiSwitch unit, the FortiSwitch unit communicates with the neighbor using internal BGP (IBGP). Otherwise, the neighbor is an external peer, and the FortiSwitch unit uses EBGP to communicate with the neighbor.

0
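The following Python script is an added example, not Fortinet code. It combines three of the neighbor settings above: remote-as (a neighbor whose AS number equals the local AS is IBGP, any other is EBGP), ebgp-ttl-security-hops and maximum-prefix. The TTL rule it applies, accepting a packet only when its IP TTL is at least 255 minus the configured hop count, is the generalized TTL security mechanism of RFC 5082, which this example assumes is what ebgp-ttl-security-hops enforces; shutting the session once the prefix count exceeds maximum-prefix is also the example's assumption, since the page states only that the value is the maximum accepted. The hardening_warnings function, the Neighbor class and the sample values are the example's own.

```python
"""Per-neighbor checks a BGP speaker applies, following the config router bgp
neighbor entries remote-as, ebgp-ttl-security-hops and maximum-prefix.
Added example, not Fortinet's code; the TTL formula (RFC 5082) and the
session shutdown on prefix overflow are this example's assumptions."""
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class Neighbor:
    address: str
    remote_as: int
    ebgp_ttl_security_hops: int = 0        # page default 0: no TTL check
    maximum_prefix: Optional[int] = None   # page default unset: no limit
    accepted: Set[str] = field(default_factory=set)
    shutdown: bool = False


def peer_type(local_as, nb):
    """remote-as equal to the local AS means IBGP; anything else is EBGP (page rule)."""
    return "ibgp" if nb.remote_as == local_as else "ebgp"


def ttl_acceptable(nb, ttl):
    """The peer sends TTL 255 and every router in between decrements it once, so a
    packet that travelled further than the configured hop count arrives too low."""
    if nb.ebgp_ttl_security_hops == 0:
        return True
    return ttl >= 255 - nb.ebgp_ttl_security_hops   # assumed RFC 5082 formula


def accept_update(nb, prefix):
    """Admit one received prefix; exceeding maximum-prefix shuts the neighbor down."""
    if nb.shutdown:
        return False
    nb.accepted.add(prefix)
    if nb.maximum_prefix is not None and len(nb.accepted) > nb.maximum_prefix:
        nb.accepted.discard(prefix)
        nb.shutdown = True
        return False
    return True


def hardening_warnings(local_as, nb):
    """Settings a reviewer would flag on an external peer (example's own checks)."""
    warnings = []
    if peer_type(local_as, nb) == "ebgp":
        if nb.maximum_prefix is None:
            warnings.append(f"{nb.address}: no maximum-prefix, the peer can fill the table")
        if nb.ebgp_ttl_security_hops == 0:
            warnings.append(f"{nb.address}: no ebgp-ttl-security-hops, packets from "
                            "beyond the expected hop distance are accepted")
    return warnings


if __name__ == "__main__":
    # constructed sample: a directly connected EBGP peer limited to two prefixes
    local_as = 65000
    nb = Neighbor("192.0.2.1", 65001, ebgp_ttl_security_hops=1, maximum_prefix=2)
    print(peer_type(local_as, nb), ttl_acceptable(nb, 254), ttl_acceptable(nb, 250))
    for p in ("10.0.0.0/8", "10.1.0.0/16", "10.2.0.0/16"):
        print(p, accept_update(nb, p), "shutdown" if nb.shutdown else "up")
    print(hardening_warnings(local_as, Neighbor("192.0.2.2", 65002)))
```

Both checks act on different layers: the TTL check discards packets before they are parsed by the BGP process, while maximum-prefix bounds how much routing state a single peer can install once the session is up.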

route-map-in <string>

Limit route updates or change the attributes of route updates from the BGP neighbor according to the specified IPv4 route map. Only the route maps for this protocol are listed. You must create the route map before it can be selected here. See config router route-map.

No default

route-map-in6 <string>

Limit route updates or change the attributes of route updates from the BGP neighbor according to the specified IPv6 route map. Only the route maps for this protocol are listed. You must create the route map before it can be selected here. See config router route-map.

No default

route-map-out <string>

Limit route updates or change the attributes of route updates to the BGP neighbor according to the specified IPv4 route map. Only the route maps for this protocol are listed. You must create the route map before it can be selected here. See config router route-map.

No default

route-map-out6 <string>

Limit route updates or change the attributes of route updates to the BGP neighbor according to the specified IPv6 route map. Only the route maps for this protocol are listed. You must create the route map before it can be selected here. See config router route-map.

No default

send-community {both | disable | extended | standard}

Enable sending the COMMUNITY attribute to the BGP neighbor, and select which community types are sent (for IPv4):
  • standard: send standard communities (RFC 1997)
  • extended: send extended communities (RFC 4360)
  • both: send both standard and extended communities (default)
  • disable: do not send the COMMUNITY attribute

both

send-community6 {both | disable | extended | standard}

Enable sending the COMMUNITY attribute to the BGP neighbor, and select which community types are sent (for IPv6):
  • standard: send standard communities (RFC 1997)
  • extended: send extended communities (RFC 4360)
  • both: send both standard and extended communities (default)
  • disable: do not send the COMMUNITY attribute

both

keep-alive-timer <0-65535>

How often (in seconds) the router sends out keepalive messages to neighbor routers to maintain those sessions.

No default

holdtime-timer <0, 3-65535>

How long (in seconds) the router waits without receiving a keepalive or update message from the neighbor before declaring the session down. A shorter time detects a failed neighbor faster but makes the session more likely to drop during transient congestion. The value must be 0 (hold timer disabled) or at least 3, and by convention is three times the keepalive timer.

No default

connect-timer <0-65535>

Interval (in seconds) between attempts to open a TCP connection to the neighbor after an attempt fails (the BGP ConnectRetry timer).

No default

unsuppress-map <string>

Specify the name of the IPv4 route map to selectively unsuppress suppressed routes. Only the route maps for this protocol are listed. You must create the route map before it can be selected here. See config router route-map.

No default

unsuppress-map6 <string>

Specify the name of the IPv6 route map to selectively unsuppress suppressed routes. Only the route maps for this protocol are listed. You must create the route map before it can be selected here. See config router route-map.

No default

update-source {interface_name}

Interface to use as source IP/IPv6 address of TCP connections.

No default

weight <0-65535>

Neighbor weight.

No default

config network

Configure the BGP IPv4 network table.

<identifier>

Enter an identifier.

No default

backdoor {disable | enable}

Enable route as backdoor.

disable

prefix <IPv4_address_netmask>

Set the network IPv4 prefix to advertise, as an IPv4 address and netmask (for example, 192.168.2.0 255.255.255.0).

0.0.0.0 0.0.0.0

route-map <string>

Specify the name of the route map. Only the route maps for this protocol are listed. See config router route-map.

No default

config network6

Configure the BGP IPv6 network table.

<identifier>

Enter an identifier.

No default

backdoor {disable | enable}

Enable route as backdoor.

disable

prefix <IPv6_address_netmask>

Set the network IPv6 prefix to advertise, as an IPv6 address and prefix length.

No default

route-map <string>

Specify the name of the route map. Only the route maps for this protocol are listed. See config router route-map.

No default

config redistribute {connected | isis | ospf | rip | static}

Configure the BGP IPv4 redistribute table.

status {disable | enable}

Enable BGP to redistribute connected, static, RIP, OSPF, or IS-IS IPv4 routes into BGP. BGP then advertises those routes as if they were its own, so apply a route map to limit what is redistributed; redistributing everything can leak internal prefixes to external peers. When a large internetwork is divided into multiple routing domains, use this subcommand to make routes from one domain reachable from the others.

disable

route-map <string>

Specify the name of the route map that identifies the routes to redistribute. If a route map is not specified, all routes are redistributed to BGP. Only the route maps for this protocol are listed. You must create the route map before it can be selected here. See config router route-map.

No default

config redistribute6 {connected | isis | ospf | rip | static}

Configure the BGP IPv6 redistribute table.

status {disable | enable}

Enable BGP to redistribute connected, static, RIP, OSPF, or IS-IS IPv6 routes into BGP. BGP then advertises those routes as if they were its own, so apply a route map to limit what is redistributed; redistributing everything can leak internal prefixes to external peers. When a large internetwork is divided into multiple routing domains, use this subcommand to make routes from one domain reachable from the others.

disable

route-map <string>

Specify the name of the route map that identifies the routes to redistribute. If a route map is not specified, all routes are redistributed to BGP. Only the route maps for this protocol are listed. You must create the route map before it can be selected here. See config router route-map.

No default

Example

This example shows how to configure internal BGP routing:

config router bgp

set as 6500

set router-id 1.2.3.4

config neighbor

edit "172.168.111.5"

set remote-as 6500

next

end

config network

edit 1

set prefix 192.168.2.0 255.255.255.0

next

end

config redistribute "connected"

set status enable

end

end
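
The neighbor above is an internal peer that accepts and advertises every route the other side offers. The following added example, written for this page and not taken from the FortiSwitch documentation, shows an external BGP (EBGP) peering that filters routes in both directions with prefix-list-in and prefix-list-out, pins the keepalive, hold and connect timers, and sends standard communities only. The prefix-list rule syntax (config rule, set action, set prefix) is assumed from the config router prefix-list command this page refers to, and the neighbor password option is assumed to exist in the neighbor table as it does on FortiOS; the interface name, the addresses (RFC 5737 documentation ranges) and the AS numbers (private range) are placeholders.

```text
# Added example: ingress and egress prefix filters for one EBGP neighbor.
# Prefix-list syntax assumed from "config router prefix-list" (referenced on this page).
config router prefix-list
    edit "from-as65010"
        config rule
            edit 1
                set action permit
                set prefix 203.0.113.0 255.255.255.0
            next
            edit 2
                set action deny
                set prefix any
            next
        end
    next
    edit "to-as65010"
        config rule
            edit 1
                set action permit
                set prefix 192.0.2.0 255.255.255.0
            next
            edit 2
                set action deny
                set prefix any
            next
        end
    next
end

config router bgp
    set as 65000
    set router-id 192.0.2.1
    config neighbor
        edit "198.51.100.2"
            set remote-as 65010
            set update-source "vlan200"
            # "password" is assumed to be available in the neighbor table, as on FortiOS.
            set password "REPLACE-WITH-SHARED-SECRET"
            set prefix-list-in "from-as65010"
            set prefix-list-out "to-as65010"
            set send-community standard
            set keep-alive-timer 30
            set holdtime-timer 90
            set connect-timer 30
        next
    end
    config network
        edit 1
            set prefix 192.0.2.0 255.255.255.0
        next
    end
end
```

Because remote-as (65010) differs from the local AS (65000), the FortiSwitch unit treats this neighbor as an EBGP peer. The ingress list accepts only the one prefix the peer is expected to originate, so the peer cannot inject a default route or the local prefix; the egress list stops routes learned elsewhere, including anything redistributed into BGP, from leaking to the peer. The trailing deny any rules are explicit so that the intent is visible in the configuration even though unmatched prefixes are dropped anyway, and the 30/90 second timers keep keepalive at one third of hold time.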

config router community-list

Use this command to identify BGP routes according to their COMMUNITY attributes (see RFC 1997). Each entry in the community list defines a rule for matching and selecting routes based on the setting of the COMMUNITY attribute.

Syntax

config router community-list

edit <community_list_name>

set type {expanded | standard}

config rule

edit <rule_identifier>

set action {deny | permit}

set regexp <regular_expression>

set match <community_number | internet | local-AS | no-advertise | no-export>

end

end

Variable

Description

Default

<community_list_name>

Enter a name for the community list.

NOTE: If the community list name is a number in the range of 1-99, the type is set to standard by default. If the community list name is a number greater than 99, the type is set to expanded by default.

No default

type {expanded | standard}

Specify the type of community to match.

NOTE: This field is valid only when the community list name is not numeric.

standard

config rule

Configure the community list rule.

<rule_identifier>

Enter a rule identifier.

No default

action {deny | permit}

Permit or deny route-based operations, based on the routeʼs COMMUNITY attribute.

No default

regexp <regular_expression>

If you select an expanded community, specify an ordered list of COMMUNITY attributes as a regular expression. The value or values are used to match a community. Enclose a complex regular expression value within double-quotation marks.

No default

match <community_number | internet | local-AS | no-advertise | no-export>

If you select a standard community, specify the criteria for matching a reserved community:
  • Use decimal notation to match one or more COMMUNITY attributes having the syntax AA:NN, where AA represents an AS, and NN is the community identifier. Delimit complex expressions with double-quotation marks (for example, “123:234 345:456”).
  • To match all routes in the Internet community, type internet.
  • To match all routes in the LOCAL_AS community, type local-AS. Matched routes are not advertised outside the local AS, not even to other member ASes of a confederation (this is the NO_EXPORT_SUBCONFED community of RFC 1997).
  • To select all routes in the NO_ADVERTISE community, type no-advertise. Matched routes are not advertised.
  • To select all routes in the NO_EXPORT community, type no-export. Matched routes are not advertised to EBGP peers. If a confederation is configured, the routes are advertised within the confederation.

No default
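
As an added example that is not part of the original page, the following defines one standard and one expanded community list. The standard list selects routes tagged NO_EXPORT; the expanded list selects routes carrying any community from 65000:100 through 65000:199, using the regular-expression syntax the regexp option takes. The route map that applies the expanded list is assumed: this page only refers to config router route-map without showing its options, and the match-community option is taken from FortiOS. The AS number 65000 is a placeholder.

```text
# Added example: a standard and an expanded community list.
config router community-list
    edit "tagged-no-export"
        set type standard
        config rule
            edit 1
                set action permit
                set match no-export
            next
        end
    next
    edit "customer-tags"
        set type expanded
        config rule
            edit 1
                set action permit
                # Anchored so that 65000:1000 and 165000:100 do not also match.
                set regexp "(^| )65000:1[0-9][0-9]( |$)"
            next
        end
    next
end

# Assumed: route-map rule option "match-community" as on FortiOS.
config router route-map
    edit "from-customer"
        config rule
            edit 1
                set action permit
                set match-community "customer-tags"
            next
        end
    next
end
```

The COMMUNITY attribute of a route is matched as a space-separated list of AA:NN values, so an unanchored pattern such as 65000:1.. would also accept 65000:1000 or 165000:100; the (^| ) and ( |$) groups bound the match to one whole community. A community list by itself changes nothing: the route map that references it, applied to a neighbor with route-map-in or route-map-out, is what enforces the policy, and a community list with only deny rules matches nothing because unmatched routes are implicitly denied.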

config router isis

Intermediate System to Intermediate System Protocol (IS-IS) allows routing of ISO’s OSI protocol stack Connectionless Network Service (CLNS). IS-IS is an Interior Gateway Protocol (IGP) that is not intended to be used between Autonomous Systems (AS).

Syntax

config router isis

set auth-keychain-area <string>

set auth-keychain-domain <string>

set auth-mode-area {md5 | password}

set auth-mode-domain {md5 | password}

set auth-password-area <password>

set auth-password-domain <password>

set auth-sendonly-area {enable | disable}

set auth-sendonly-domain {enable | disable}

set default-information-level {level-1 | level-1-2 | level-2}

set default-information-level6 {level-1 | level-1-2 | level-2}

set default-information-metric <0-4261412864>

set default-information-metric6 <0-4261412864>

set default-information-originate {always | disable | enable}

set default-information-originate6 {always | disable | enable}

set ignore-attached-bit {disable | enable}

set is-type {level-1 | level-1-2 | level-2-only}

set log-neighbour-changes {disable | enable}

set lsp-gen-interval-l1 <1-120>

set lsp-gen-interval-l2 <1-120>

set lsp-refresh-interval <1-65535>

set max-lsp-lifetime <350-65535>

set metric-style {narrow | transition | wide}

set overload-bit {disable | enable}

set redistribute-l1 {disable | enable}

set redistribute-l1-list <string>

set redistribute6-l1 {disable | enable}

set redistribute6-l1-list <string>

set router-id <IP_address>

set spf-interval-exp-l1 <1-120>

set spf-interval-exp-l2 <1-120>

config interface

edit <IS-IS interface name>

set auth-keychain-hello <string>

set auth-mode-hello {md5 | password}

set auth-password-hello <password>

set bfd {enable | disable}

set bfd6 {enable | disable}

set circuit-type {level-1 | level-1-2 | level-2}

set csnp-interval-l1 <1-65535 seconds>

set csnp-interval-l2 <1-65535 seconds>

set hello-interval-l1 <1-65535 seconds; 0 to use 1-second hold time>

set hello-interval-l2 <1-65535 seconds; 0 to use 1-second hold time>

set hello-multiplier-l1 <2-100>

set hello-multiplier-l2 <2-100>

set hello-padding {disable | enable}

set metric-l1 <1-63>

set metric-l2 <1-63>

set passive {disable | enable}

set priority-l1 <0-127>

set priority-l2 <0-127>

set status {disable | enable}

set status6 {disable | enable}

set wide-metric-l1 <1-16777214>

set wide-metric-l2 <1-16777214>

end

config net

edit <identifier>

set net <xx.xxxx. ... .xxxx.xx>

end

config redistribute {bgp | connected | ospf | rip | static}

set status {disable | enable}

set metric <0-4261412864>

set metric-type {external | internal}

set level {level-1 | level-1-2 | level-2}

set routemap <string>

end

config redistribute6 {bgp6 | connected | ospf6 | ripng | static}

set status {disable | enable}

set metric <0-4261412864>

set level {level-1 | level-1-2 | level-2}

set routemap <string>

end

config summary-address

edit <summary address entry identifier>

set level {level-1 | level-1-2 | level-2}

set prefix <IPv4 address and netmask>

end

config summary-address6

edit <summary address entry identifier>

set level {level-1 | level-1-2 | level-2}

set prefix6 <IPv6 address and netmask>

end

end

Variable

Description

Default

auth-keychain-area <string>

IS-IS area (level-1) authentication keychain. This command is applicable when the areaʼs authentication mode is md5.

No default

auth-keychain-domain <string>

IS-IS domain (level-2) authentication keychain. This command is applicable when the domainʼs authentication mode is md5.

No default

auth-mode-area {md5 | password}

IS-IS area (level-1) authentication mode.

password

auth-mode-domain {md5 | password}

IS-IS domain (level-2) authentication mode.

password

auth-password-area <password>

IS-IS area (level-1) authentication password. This command is applicable when areaʼs authentication mode is password.

No default

auth-password-domain <password>

IS-IS domain (level-2) authentication password. This command is applicable when domainʼs authentication mode is password.

No default

auth-sendonly-area {enable | disable}

IS-IS area (level-1) authentication send-only.

disable

auth-sendonly-domain {enable | disable}

IS-IS domain (level-2) authentication send-only.

disable

default-information-level {level-1 | level-1-2 | level-2}

Distribute default IPv4 route into levelʼs link-state packet (LSP).

level-2

default-information-level6 {level-1 | level-1-2 | level-2}

Distribute default IPv6 route into levelʼs LSP.

level-2

default-information-metric <0-4261412864>

Default IPv4 information metric.

10

default-information-metric6 <0-4261412864>

Default IPv6 information metric.

10

default-information-originate {always | disable | enable}

Enable or disable the generation of an IPv4 default route.

disable

default-information-originate6 {always | disable | enable}

Enable or disable the generation of an IPv6 default route.

disable

ignore-attached-bit {disable | enable}

Ignore attached bit on incoming level-1 LSP.

disable

is-type {level-1 | level-1-2 | level-2-only}

Set the IS-IS level to use:
  • level-1: intra-area
  • level-1-2: both intra-area and inter-area
  • level-2-only: inter-area

level-1-2

log-neighbour-changes {disable | enable}

Enable logging of IS-IS neighborʼs changes

enable

lsp-gen-interval-l1 <1-120>

Minimum interval for level-1 LSP regenerating.

1

lsp-gen-interval-l2 <1-120>

Minimum interval for level-2 LSP regenerating.

1

lsp-refresh-interval <1-65535>

LSP refresh time in seconds.

900

max-lsp-lifetime <350-65535>

Maximum LSP lifetime in seconds.

1200

metric-style {narrow | transition | wide}

Use old-style (ISO 10589) or new-style packet formats:
  • narrow: Use the old style of TLVs with narrow metric (default). Interface metrics are limited to 1-63 (see metric-l1 and metric-l2).
  • transition: Send and accept both styles of TLVs during the transition.
  • wide: Use the new style of TLVs to carry a wider metric (see wide-metric-l1 and wide-metric-l2).

narrow

overload-bit {disable | enable}

Set the overload bit in this routerʼs LSPs, which signals other routers not to use this router as a transit hop in their shortest-path-first (SPF) calculations. Enable it during maintenance or while the router is still converging so that traffic is not black-holed through it.

disable

redistribute-l1 {disable | enable}

Redistribute level-1 IPv4 routes into level 2.

enable

redistribute-l1-list <string>

Access-list for redistributing level-1 IPv4 routes to level 2.

No default

redistribute6-l1 {disable | enable}

Redistribute level-1 IPv6 routes into level 2.

enable

redistribute6-l1-list <string>

Access-list for redistributing level-1 IPv6 routes to level 2.

No default

router-id <IP_address>

Router identifier.

0.0.0.0

spf-interval-exp-l1 <1-120>

Level-1 SPF minimum calculation delay in seconds.

1

spf-interval-exp-l2 <1-120>

Level-2 SPF minimum calculation delay in seconds.

1

config interface

Configure the IS-IS interface.

<IS-IS interface name>

Select the IS-IS interface name to configure.

No default

auth-keychain-hello <string>

Hello protocol data unit (PDU) authentication keychain. This command is applicable when the hello packetʼs authentication mode is md5.

No default

auth-mode-hello {md5 | password}

Hello PDU authentication mode.

password

auth-password-hello <password>

Hello PDU authentication password. This command is applicable when hello's authentication mode is password.

No default

bfd {enable | disable}

Enable or disable bidirectional forwarding detection (BFD) for IPv4 traffic.

disable

bfd6 {enable | disable}

Enable or disable BFD for IPv6 traffic.

disable

circuit-type {level-1 | level-1-2 | level-2}

Set the IS-IS circuit type to use for this interface:
  • level-1: intra-area
  • level-1-2: both intra-area and inter-area
  • level-2: inter-area

level-1-2

csnp-interval-l1 <1-65535>

Level-1 complete sequence number PDU (CSNP) interval, in number of seconds.

10

csnp-interval-l2 <1-65535>

Level-2 CSNP interval, in number of seconds.

10

hello-interval-l1 <1-65535>

Level-1 hello packet interval, in number of seconds. Use 0 for a 1-second hold time.

10

hello-interval-l2 <1-65535>

Level-2 hello packet interval, in number of seconds. Use 0 for a 1-second hold time.

10

hello-multiplier-l1 <2-100>

Level-1 multiplier for hello packet holding time.

3

hello-multiplier-l2 <2-100>

Level-2 multiplier for hello packet holding time.

3

hello-padding {disable | enable}

Pad IS-IS hello packets to the full interface MTU, so that an MTU mismatch between neighbors is detected before an adjacency forms.

enable

metric-l1 <1-63>

Level-1 metric for interface.

10

metric-l2 <1-63>

Level-2 metric for interface.

10

passive {disable | enable}

Set this interface as passive: its prefix is still advertised, but no hellos are sent and no adjacency forms on it. Use this on host-facing interfaces so that an attached host cannot form an IS-IS adjacency.

disable

priority-l1 <0-127>

Level-1 priority.

64

priority-l2 <0-127>

Level-2 priority.

64

status {disable | enable}

Enable or disable the interface for IS-IS for IPv4 traffic.

enable

status6 {disable | enable}

Enable or disable the interface for IS-IS for IPv6 traffic.

enable

wide-metric-l1 <1-16777214>

Level-1 wide metric for interface.

10

wide-metric-l2 <1-16777214>

Level-2 wide metric for interface.

10

config net

Configure the IS-IS network.

<identifier>

An integer identifier; 0 is the lowest available identifier.

No default

net <xx.xxxx. ... .xxxx.xx>

Set the IS-IS network entity title (NET) of this router: the area address, followed by the 6-byte system ID, followed by the NSEL octet 00 (for example, 49.0002.0000.0000.1048.00, where 49.0002 is the area and 0000.0000.1048 is the system ID).

No default

config redistribute {bgp | connected | ospf | rip | static}

Configure the IS-IS redistribute IPv4 protocols.

status {disable | enable}

Enable or disable the redistribution of routes from other routing protocols using IS-IS.

disable

metric <0-4261412864>

Redistribution metric.

10

metric-type {external | internal}

Select external or internal for the metric type.

external

level {level-1 | level-1-2 | level-2}

Set the IS-IS level to use for redistributing routes:
  • level-1: intra-area
  • level-1-2: both intra-area and inter-area
  • level-2: inter-area

level-1-2

routemap <string>

Enter the route map name. Only the route maps for this protocol are listed. You must create the route map before selecting it. See config router route-map.

No default

config redistribute6 {bgp6 | connected | ospf6 | ripng | static}

Configure the IS-IS redistribute IPv6 protocols.

status {disable | enable}

Enable or disable the redistribution of routes from other routing protocols using IS-IS.

disable

metric <0-4261412864>

Redistribution metric.

10

level {level-1 | level-1-2 | level-2}

Set the IS-IS level to use for redistributing routes:
  • level-1: intra-area
  • level-1-2: both intra-area and inter-area
  • level-2: inter-area

level-1-2

routemap <string>

Enter the route map name. Only the route maps for this protocol are listed. You must create the route map before selecting it. See config router route-map.

No default

config summary-address

Configure the summarizing IPv4 address ranges in the IS-IS routing table.

<summary address entry identifier>

Enter the summary address entry ID. The value range is 0-4294967295.

No default

level {level-1 | level-1-2 | level-2}

Set the IS-IS level to use for the summary database:
  • level-1: intra-area
  • level-1-2: both intra-area and inter-area
  • level-2: inter-area

level-2

prefix <IPv4 address and netmask>

Set the IPv4 address and netmask for the prefix.

No default

config summary-address6

Configure the summarizing IPv6 address ranges in the IS-IS routing table.

<summary address entry identifier>

Enter the summary address entry ID. The value range is 0-4294967295.

No default

level {level-1 | level-1-2 | level-2}

Set the IS-IS level to use for the summary database:
  • level-1: intra-area
  • level-1-2: both intra-area and inter-area
  • level-2: inter-area

level-2

prefix6 <IPv6 address and netmask>

Set the IPv6 address and netmask for the prefix.

No default

Example

The following is an example of an IS-IS configuration for IPv4 traffic:

config router isis

set default-information-metric 60

config interface

edit "vlan100"

set circuit-type level-1

set priority-l1 80

set wide-metric-l1 200

next

edit "vlan102"

set circuit-type level-2

next

end

config net

edit 1

set net 49.0002.0000.0000.1048.00

next

end

set metric-style wide

config redistribute "connected"

set status enable

end

config redistribute "rip"

end

config redistribute "ospf"

end

config redistribute "bgp"

end

config redistribute "static"

end

end

config router key-chain

Use this command to configure a keychain. A keychain is a list of one or more authentication keys, each with its own lifetime, which is how long that key is valid. Give consecutive keys overlapping lifetimes so that a key can be rotated without interrupting routing updates.

Syntax

config router key-chain

edit <keychain_name>

config key

edit <keychain_int>

set key-string <key_str>

set accept-lifetime <START> <END>

set send-lifetime <START> <END>

end

end

end

Variable

Description

Default

<keychain_name>

Enter a name for your keychain.

No default

config key

Configure the key.

<keychain_int>

Enter the key identifier, an integer that distinguishes this key within the keychain.

No default

key-string <key_str>

Enter the shared secret for this key. The same string must be configured on every router that authenticates with this keychain.

No default

accept-lifetime <START> <END>

Enter the lifetime of a received authentication key. START and END use the format HH:MM:SS DAY MONTH YEAR where:
  • HH:MM:SS is the time of day when the lifetime starts, in hours, minutes, and seconds.
  • DAY is the day of the month to start. The range is 1-31.
  • MONTH is the month of the year to start. The range is 1-12.
  • YEAR is the year to start. The range is 1993-2035.
END can also be set to infinite or to <duration>, the number of seconds that the key is valid. The range of <duration> is 1-2147483646.

No default

send-lifetime <START> <END>

Enter the lifetime of a sent authentication key. START and END use the format HH:MM:SS DAY MONTH YEAR where:
  • HH:MM:SS is the time of day when the lifetime starts, in hours, minutes, and seconds.
  • DAY is the day of the month to start. The range is 1-31.
  • MONTH is the month of the year to start. The range is 1-12.
  • YEAR is the year to start. The range is 1993-2035.
END can also be set to infinite or to <duration>, the number of seconds that the key is valid. The range of <duration> is 1-2147483646.

No default

Example

This example shows how to add a key to a new keychain:

config router key-chain

edit keychain1

config key

edit 1

set key-string 1234567890

set accept-lifetime 01:02:03 1 8 2017 infinite

set send-lifetime 01:02:03 1 8 2017 infinite

end

end

config router multicast

A FortiSwitch unit can operate as a Protocol Independent Multicast (PIM) router for IPv4 multicast. FortiSwitchOS supports PIM source-specific multicast (SSM) and version 3 of the Internet Group Management Protocol (IGMP).

You can configure a FortiSwitch unit to support PIM using the config router multicast CLI command. When PIM is enabled, the FortiSwitch unit allocates memory to manage mapping information. The FortiSwitch unit communicates with neighboring PIM routers to acquire mapping information and, if required, processes the multicast traffic associated with specific multicast groups.

Syntax

config router multicast

set multicast-routing {disable | enable}

config interface

edit {interface_name | internal | mgmt}

set pim-mode ssm-mode

set hello-interval <1-180 seconds>

set dr-priority <1-4294967295>

set multicast-flow <string>

config igmp

set query-interval <1-1800 seconds>

set query-max-response-time <1-25 seconds>

end

end

Variable

Description

Default

multicast-routing {disable | enable}

Enable or disable multicast routing.

disable

{interface_name | internal | mgmt}

Set which interface to configure for multicast routing.

No default

pim-mode ssm-mode

Set the PIM operation mode to SSM mode.

ssm-mode

hello-interval <1-180 seconds>

Specify the amount of time that the FortiSwitch unit waits between sending hello messages to neighboring PIM routers.

30

dr-priority <1-4294967295>

Assign a priority to the FortiSwitch unit Designated Router (DR) candidacy. The value is compared to that of other DR interfaces connected to the same network segment, and the router having the highest DR priority is selected to be the DR. If two DR priority values are the same, the interface having the highest IP address is selected.

1

multicast-flow <string>

Connect the named multicast flow to this interface. You must create the multicast flow before it can be selected here. See config router multicast-flow.

No default

config igmp

Configure IGMP query behavior on this interface.

query-interval <1-1800 seconds>

Set the interval between queries to IGMP hosts.

125

query-max-response-time <1-25 seconds>

Set the maximum time to wait for an IGMP query response.

10

config router multicast-flow

Use this command to configure the source allowed for a multicast flow when using PIM-SM or PIM-SSM.

Syntax

config router multicast-flow

edit <name>

set comments <string>

config flows

edit <multicast-flow_entry_identifier>

set group-addr <224-239.xxx.xxx.xxx>

set group-addr-end <224-239.xxx.xxx.xxx>

<