Technical Note : FortiGate BGP configuration to make a multi-homed AS non-transit (using aspath-list and route-map)
Purpose
This article provides a configuration example to make a multi-homed BGP AS non-transit.
Scope
- FortiGate or VDOM in NAT mode
- All FortiOS
Diagram

Expectations, Requirements
The "Client" FortiGate should not announce to AS 65002 BGP routes learned from AS 65001, and vice versa
Configuration
Below are the "Client" FortiGate CLI commands (only the relevant parts of the configuration are shown).
Details:
The aspath-list below ends with the default implicit DENY action; it therefore permits only announcements with an empty AS path, i.e. routes originated in the local AS, as matched by the regular expression "^$".
config router aspath-list
    edit "empty-path"
        config rule
            edit 1
                set action permit
                set regexp "^$"
            next
        end
    next
end
config router route-map
    edit "non-transit"
        config rule
            edit 1
                set match-as-path "empty-path"
            next
        end
    next
end
config router bgp
    set as 65004
    config neighbor
        edit "172.16.4.2"
            set remote-as 65001
            set route-map-out "non-transit"
        next
        edit "172.16.4.6"
            set remote-as 65002
            set route-map-out "non-transit"
        next
    end
end
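To illustrate what the "empty-path" aspath-list and the "non-transit" route-map do, the following added example (not part of the original note or of FortiOS) simulates outbound filtering on a constructed copy of the Client's BGP table. It assumes, as BGP implementations normally do, that the outbound route-map matches the AS path as held in the local table, before the local AS 65004 is prepended for the peer.

```python
import re

# Constructed sample of the "Client" FortiGate (AS 65004) BGP table:
# prefix -> AS path as received ([] means locally originated).
BGP_TABLE = {
    "10.4.0.0/24": [],              # local prefix, empty AS path
    "10.1.0.0/24": [65001],         # learned from AS 65001
    "10.2.0.0/24": [65002, 65003],  # learned from AS 65002, behind it AS 65003
}

# aspath-list "empty-path" as configured above: one permit rule; the
# implicit DENY that ends every aspath-list is modelled in aspath_matches().
EMPTY_PATH_LIST = [("permit", r"^$")]


def aspath_matches(rules, as_path):
    """Evaluate an aspath-list against one AS path: first matching rule
    wins, implicit deny if nothing matches. The path is rendered the way
    AS-path regex matching sees it: ASNs separated by spaces, "" if empty."""
    path_str = " ".join(str(asn) for asn in as_path)
    for action, regexp in rules:
        if re.search(regexp, path_str):
            return action == "permit"
    return False  # implicit deny at the end of the list


def advertised(table=BGP_TABLE, rules=None):
    """Prefixes announced to an eBGP peer. rules=None models a neighbor
    without route-map-out (everything is announced, i.e. the AS is transit);
    rules=EMPTY_PATH_LIST models route-map "non-transit" applied outbound."""
    if rules is None:
        return sorted(table)
    return sorted(p for p, path in table.items() if aspath_matches(rules, path))


if __name__ == "__main__":
    print("without route-map:", advertised())
    print("with non-transit :", advertised(rules=EMPTY_PATH_LIST))
```

Note that a rule with an empty regexp ("" rather than "^$") matches every path and would re-enable transit; the anchors are what make the filter work.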
Verification
- To verify the routes matching the "empty-path" aspath-list, the following command can be used:
- To see all BGP AS paths, run the following command on the BGP peers:
