Skip to main content
gfranceschi
Staff
gfranceschi
Staff
December 1, 2009

Technical Tip: BGP configuration example to force/prevent a FortiGate from advertising some BGP routes to specific BGP peers

  • December 1, 2009
  • 0 replies
  • 5560 views

Description


This article provides a BGP configuration example to force/prevent a FortiGate from advertising some BGP routes to specific BGP peers.

 

Diagram:

The following diagram illustrates this example:

 

kb1.png

 

Expectations and requirements:

  • FGT2 must advertise specific BGP routes learned from FGT1, to FGT3 and FGT4:

  • FGT3 must learn only route 10.10.10.0/24.

  • FGT4 must learn only route 10.160.0.0/23

  • FGT1 is announcing in BGP the following routes:

    • 10.10.10.0/24

    • 10.160.0.0/23

    • 172.31.224.0/23

 

  • FGT3 is announcing in BGP the following routes:

    • 10.158.0.0/23

    • 192.168.182.0/23

 

  • FGT4 is announcing in BGP the following routes:

    • 10.161.0.0/23

    • 10.162.0.0/23

 

  • FGT3 and FGT4 are NOT BGP peers.

Note

From v7.6.0, firewall addresses and address groups can be used to advertise as BGP network prefixes. Refer to the following document for more information: BGP network prefixes utilize firewall addresses and groups


Scope

  • FortiGate or VDOM in NAT mode.
  • Example given for FortiOS 4.0 and above.


Solution

 

Configuring access-list and a route-map-out on FortiGate 2 (FGT2) will filter and force the routes advertisements.

Only the relevant parts of FortiGate 2 (FGT2) are provided in CLI format:

 

config router access-list
    edit "match_fgt4"
            config rule
                edit 1
                    set prefix 10.160.0.0 255.255.254.0
                    set exact-match enable
                next
            end
    next
    edit "match_fgt3"
            config rule
                edit 1
                    set prefix 10.10.10.0 255.255.255.0
                    set exact-match enable
                next
            end
    next
end

config router route-map
    edit "route_map_out_fgt3"
            config rule
                edit 1
                    set match-ip-address "match_fgt3"
                next
            end
    next
    edit "route_map_out_fgt4"
            config rule
                edit 1
                    set match-ip-address "match_fgt4"
                next
            end
    next
end

config router bgp
    set as 65110
        config neighbor
            edit "172.31.224.136"
                set remote-as 65136
            next
            edit "192.168.182.78"
                set remote-as 65078
                set route-map-out "route_map_out_fgt3"
            next
            edit "192.168.182.66"
                set remote-as 65066
                set route-map-out "route_map_out_fgt4"
            next
        end
    set router-id 172.31.224.110
end

 

Verifications before configuring FGT2:

 

FGT2 # get router info routing-table all

S*      0.0.0.0/0 [10/0] via 172.31.225.254, port1
B       10.10.10.0/24 [20/0] via 172.31.224.136, port1, 00:00:06
B       10.158.0.0/23 [20/0] via 192.168.182.78, port2, 00:00:06
B       10.160.0.0/23 [20/0] via 172.31.224.136, port1, 00:00:06
B       10.161.0.0/23 [20/0] via 192.168.182.66, port2, 00:00:01
B       10.162.0.0/23 [20/0] via 192.168.182.66, port2, 00:00:01
C       172.31.224.0/23 is directly connected, port1
C       192.168.182.0/23 is directly connected, port2


FGT3 # get router info routing-table all

S*      0.0.0.0/0 [10/0] via 192.168.183.254, wan1
B       10.10.10.0/24 [20/0] via 192.168.182.110, wan1, 00:06:04
C       10.158.0.0/23 is directly connected, internal
B       10.160.0.0/23 [20/0] via 192.168.182.110, wan1, 00:06:04
B       10.161.0.0/23 [20/0] via 192.168.182.66, wan1, 00:05:35
B       10.162.0.0/23 [20/0] via 192.168.182.66, wan1, 00:05:35
B       172.31.224.0/23 [20/0] via 192.168.182.110, wan1, 00:06:04
C       192.168.182.0/23 is directly connected, wan1


FGT4 # get router info routing-table all

S*      0.0.0.0/0 [10/0] via 192.168.183.254, wan1
B       10.10.10.0/24 [20/0] via 192.168.182.110, wan1, 00:06:51
B       10.158.0.0/23 [20/0] via 192.168.182.78, wan1, 00:06:51
B       10.160.0.0/23 [20/0] via 192.168.182.110, wan1, 00:06:51
C       10.161.0.0/23 is directly connected, wan1
C       10.162.0.0/23 is directly connected, wan1
B       172.31.224.0/23 [20/0] via 192.168.182.110, wan1, 00:06:51
C       192.168.182.0/23 is directly connected, wan1

 

Verifications after applying the route map on FGT2:

 

FGT2 # get router info routing-table all

S*      0.0.0.0/0 [10/0] via 172.31.225.254, port1
B       10.10.10.0/24 [20/0] via 172.31.224.136, port1, 00:00:31
B       10.158.0.0/23 [20/0] via 192.168.182.78, port2, 00:00:31
B       10.160.0.0/23 [20/0] via 172.31.224.136, port1, 00:00:31
B       10.161.0.0/23 [20/0] via 192.168.182.66, port2, 00:00:26
B       10.162.0.0/23 [20/0] via 192.168.182.66, port2, 00:00:26
C       172.31.224.0/23 is directly connected, port1
C       192.168.182.0/23 is directly connected, port2


FGT3 # get router info routing-table all

S*      0.0.0.0/0 [10/0] via 192.168.183.254, wan1
B       10.10.10.0/24 [20/0] via 192.168.182.110, wan1, 00:00:48
C       10.158.0.0/23 is directly connected, internal
C       192.168.182.0/23 is directly connected, wan1


FGT4 # get router info routing-table all

S*      0.0.0.0/0 [10/0] via 192.168.183.254, wan1
B       10.160.0.0/23 [20/0] via 192.168.182.110, wan1, 00:00:36
C       10.161.0.0/23 is directly connected, wan1
C       10.162.0.0/23 is directly connected, wan1
C       192.168.182.0/23 is directly connected, wan1

    Terms & ConditionsAccessibility statement