Technical Tip: BGP configuration example to prevent a FortiGate from redistributing BGP routes learned from a specific peer
Description
This article provides a BGP configuration example to prevent a FortiGate from redistributing BGP routes learned from a specific peer to another specific peer.
Scope
- FortiGate or VDOM in NAT mode
- Example given for FortiOS 4.0 and above
Solution
The following diagram illustrates this example:
Expectations and requirements:
- FGT2 must not redistribute to FGT3 the BGP routes learned from FGT1, with no impact on the other FortiGates.
- FGT1 announces the following routes in BGP:
    - 10.10.10.0/24
    - 10.160.0.0/23
    - 172.31.224.0/23
- FGT3 announces the following routes in BGP:
    - 10.158.0.0/23
    - 192.168.182.0/23
- FGT4 announces the following routes in BGP:
    - 10.161.0.0/23
    - 10.162.0.0/23
Note:
From FortiOS 7.6.0, firewall addresses and address groups can be used as the BGP network prefixes to advertise. Refer to the following document for more information: BGP network prefixes utilize firewall addresses and groups
Configuration:
To achieve the outcome defined above, an access-list and an outbound route-map (route-map-out) can be applied on FGT2, the FortiGate in the middle of the topology. Only the relevant parts of FGT2's configuration are shown in the following CLI configuration:
config router access-list
    edit 'match_fgt1'
        config rule
            edit 1
                set prefix 172.31.224.136 255.255.255.255
                set exact-match enable
            next
        end
    next
    edit 'match_fgt4'
        config rule
            edit 1
                set prefix 172.31.224.66 255.255.255.255
                set exact-match enable
            next
        end
    next
end
config router route-map
    edit 'route_map_out_deny_fgt1'
        config rule
            edit 2
                set match-ip-nexthop 'match_fgt4'
            next
            edit 3
                set action deny
                set match-ip-nexthop 'match_fgt1'
            next
        end
    next
end
config router bgp
    set as 65110
    set router-id 172.31.224.110
    config neighbor
        edit '172.31.224.136'
            set remote-as 65136
        next
        edit '192.168.182.78'
            set remote-as 65078
            set route-map-out 'route_map_out_deny_fgt1'
        next
        edit '172.31.224.66'
            set remote-as 65066
        next
    end
end
In route_map_out_deny_fgt1, rule 2 keeps the default action (permit) and matches routes whose BGP next hop is FGT4 (172.31.224.66), while rule 3 denies routes whose next hop is FGT1 (172.31.224.136). Rules are evaluated in sequence order and the first match decides; a route-map ends with an implicit deny, so a prefix that matches neither rule is not advertised either. The route-map is applied outbound only on the session to FGT3 (192.168.182.78); the sessions to FGT1 and FGT4 remain unfiltered, which is what keeps those two FortiGates unaffected.
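As an added example (not Fortinet's code and not part of this article), the following Python script models how FGT2 evaluates route_map_out_deny_fgt1 against its BGP table, so the outbound policy can be checked before it is pushed to a device. It parses the rows of the get router info bgp network output reproduced below (embedded here as a constructed sample, including the second row for 172.31.224.0/23 that repeats no prefix), applies a simplified model of access-list exact-match and first-match/implicit-deny route-map semantics (an assumption for illustration, not a FortiOS implementation), and reports which best paths would be advertised to FGT3 and whether any route via FGT1 would still leak. The class and function names are the example's own.

```python
"""Added example (not Fortinet's code): model FGT2's outbound route-map and
check, before deployment, which prefixes would reach FGT3."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

@dataclass(frozen=True)
class AccessRule:
    prefix: str                # 'set prefix A.B.C.D MASK', written here in CIDR form
    exact_match: bool = False  # 'set exact-match enable'
    action: str = "permit"     # access-list rules permit by default

@dataclass(frozen=True)
class RouteMapRule:
    seq: int
    match_ip_nexthop: Optional[str] = None  # access-list name; None = match everything
    action: str = "permit"                  # route-map rules permit by default

@dataclass(frozen=True)
class Path:
    prefix: str
    next_hop: str
    best: bool  # '>' present in the status column

# FGT2's access-lists and route-map as configured above.
ACCESS_LISTS: Dict[str, List[AccessRule]] = {
    "match_fgt1": [AccessRule("172.31.224.136/32", exact_match=True)],
    "match_fgt4": [AccessRule("172.31.224.66/32", exact_match=True)],
}
ROUTE_MAP_OUT_DENY_FGT1 = [
    RouteMapRule(seq=2, match_ip_nexthop="match_fgt4"),
    RouteMapRule(seq=3, match_ip_nexthop="match_fgt1", action="deny"),
]

# Constructed sample: the rows of FGT2's 'get router info bgp network' output shown
# on the page (the second row for 172.31.224.0/23 repeats no prefix).
FGT2_BGP_NETWORK_OUTPUT = """\
   Network          Next Hop            Metric LocPrf Weight Path
*> 10.10.10.0/24    172.31.224.136           0             0 65136 ?
*> 10.158.0.0/23    192.168.182.78           0             0 65078 ?
*> 10.160.0.0/23    172.31.224.136           0             0 65136 ?
*> 10.161.0.0/23    172.31.224.66            0             0 65066 ?
*> 10.162.0.0/23    172.31.224.66            0             0 65066 ?
*  172.31.224.0/23  172.31.224.66            0             0 65066 ?
*>                  172.31.224.136           0             0 65136 ?
*> 192.168.182.0/23 192.168.182.78           0             0 65078 ?
"""

def parse_bgp_table(output: str) -> List[Path]:
    """Parse the listing; a row with no prefix is another path for the previous prefix."""
    paths: List[Path] = []
    prefix: Optional[str] = None
    for line in output.splitlines():
        fields = line.split()
        if not fields or not fields[0].startswith("*"):
            continue  # header, legend and totals lines
        best = ">" in fields[0]
        rest = fields[1:]
        if "/" in rest[0]:
            prefix, rest = rest[0], rest[1:]
        if prefix is None:
            raise ValueError(f"path row before any prefix: {line!r}")
        paths.append(Path(prefix, rest[0], best))
    return paths

def access_list_permits(name: str, address: str) -> bool:
    """Simplified model (assumption): exact-match requires the next hop to equal the
    host prefix; without it the next hop only has to fall inside the prefix. No match = deny."""
    addr = ip_address(address)
    for rule in ACCESS_LISTS[name]:
        net = ip_network(rule.prefix)
        hit = ip_network(f"{addr}/32") == net if rule.exact_match else addr in net
        if hit:
            return rule.action == "permit"
    return False

def route_map_permits(rules: List[RouteMapRule], path: Path) -> bool:
    """First matching rule in sequence order decides; no match is an implicit deny."""
    for rule in sorted(rules, key=lambda r: r.seq):
        if rule.match_ip_nexthop is None or access_list_permits(rule.match_ip_nexthop, path.next_hop):
            return rule.action == "permit"
    return False

def matched_paths(rules: List[RouteMapRule], table: List[Path]) -> List[Path]:
    """What 'get router info bgp route-map <name>' lists: every path the map permits."""
    return [p for p in table if route_map_permits(rules, p)]

def advertised_prefixes(rules: List[RouteMapRule], table: List[Path]) -> List[str]:
    """Only best paths are sent to the neighbour, and only if the map permits them."""
    return sorted({p.prefix for p in table if p.best and route_map_permits(rules, p)})

def prefixes_leaked_via(rules: List[RouteMapRule], table: List[Path], next_hop: str) -> List[str]:
    """Pre-deployment check: best paths learned via 'next_hop' that the map would still send."""
    return [p.prefix for p in table if p.best and p.next_hop == next_hop and route_map_permits(rules, p)]
```

Calling advertised_prefixes(ROUTE_MAP_OUT_DENY_FGT1, parse_bgp_table(FGT2_BGP_NETWORK_OUTPUT)) yields only 10.161.0.0/23 and 10.162.0.0/23, matching FGT3's routing table after the change, and prefixes_leaked_via(..., "172.31.224.136") returns an empty list. Note that 172.31.224.0/23 is listed by matched_paths (its path via FGT4 is permitted by rule 2, as the route-map verification output shows) but is not advertised, because its best path in FGT2's BGP table points at FGT1 and is denied by rule 3.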
Verification - Before Configuring the route-map on FGT2:
Note below that all FortiGates have all BGP routes in their routing table.
FGT1 # get router info routing-table all
S* 0.0.0.0/0 [10/0] via 172.31.225.254, port1
C 10.10.10.0/24 is directly connected, port4
B 10.158.0.0/23 [20/0] via 172.31.224.110, port1, 00:00:00
C 10.160.0.0/23 is directly connected, port2
B 10.161.0.0/23 [20/0] via 172.31.224.66, port1, 00:00:00
B 10.162.0.0/23 [20/0] via 172.31.224.66, port1, 00:00:00
C 172.31.224.0/23 is directly connected, port1
B 192.168.182.0/23 [20/0] via 172.31.224.110, port1, 00:00:00
FGT2 # get router info bgp network
BGP table version is 3, local router ID is 172.31.224.110
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 10.10.10.0/24 172.31.224.136 0 0 65136 ?
*> 10.158.0.0/23 192.168.182.78 0 0 65078 ?
*> 10.160.0.0/23 172.31.224.136 0 0 65136 ?
*> 10.161.0.0/23 172.31.224.66 0 0 65066 ?
*> 10.162.0.0/23 172.31.224.66 0 0 65066 ?
* 172.31.224.0/23 172.31.224.66 0 0 65066 ?
*> 172.31.224.136 0 0 65136 ?
*> 192.168.182.0/23 192.168.182.78 0 0 65078 ?
Total number of prefixes 7
FGT2 # get router info routing-table all
S* 0.0.0.0/0 [10/0] via 172.31.225.254, port1
B 10.10.10.0/24 [20/0] via 172.31.224.136, port1, 00:00:57
B 10.158.0.0/23 [20/0] via 192.168.182.78, port2, 00:00:57
B 10.160.0.0/23 [20/0] via 172.31.224.136, port1, 00:00:57
B 10.161.0.0/23 [20/0] via 172.31.224.66, port1, 00:00:52
B 10.162.0.0/23 [20/0] via 172.31.224.66, port1, 00:00:52
C 172.31.224.0/23 is directly connected, port1
C 192.168.182.0/23 is directly connected, port2
FGT3 # get router info routing-table all
S* 0.0.0.0/0 [10/0] via 192.168.183.254, wan1
B 10.10.10.0/24 [20/0] via 192.168.182.110, wan1, 00:01:17
C 10.158.0.0/23 is directly connected, internal
B 10.160.0.0/23 [20/0] via 192.168.182.110, wan1, 00:01:17
B 10.161.0.0/23 [20/0] via 192.168.182.110, wan1, 00:00:50
B 10.162.0.0/23 [20/0] via 192.168.182.110, wan1, 00:00:50
B 172.31.224.0/23 [20/0] via 192.168.182.110, wan1, 00:01:17
C 192.168.182.0/23 is directly connected, wan1
FGT4 # get router info routing-table all
S* 0.0.0.0/0 [10/0] via 172.31.225.254, wan1
B 10.10.10.0/24 [20/0] via 172.31.224.136, wan1, 00:01:29
B 10.158.0.0/23 [20/0] via 172.31.224.110, wan1, 00:01:29
B 10.160.0.0/23 [20/0] via 172.31.224.136, wan1, 00:01:29
C 10.161.0.0/23 is directly connected, wan1
C 10.162.0.0/23 is directly connected, wan1
C 172.31.224.0/23 is directly connected, wan1
B 192.168.182.0/23 [20/0] via 172.31.224.110, wan1, 00:01:29
Verification - After configuring the route-map on FGT2:
Note that all FortiGates except FGT3 still have all BGP routes in their routing table.
FGT1 # get router info routing-table all
S* 0.0.0.0/0 [10/0] via 172.31.225.254, port1
C 10.10.10.0/24 is directly connected, port4
B 10.158.0.0/23 [20/0] via 172.31.224.110, port1, 00:00:52
C 10.160.0.0/23 is directly connected, port2
B 10.161.0.0/23 [20/0] via 172.31.224.66, port1, 00:00:52
B 10.162.0.0/23 [20/0] via 172.31.224.66, port1, 00:00:52
C 172.31.224.0/23 is directly connected, port1
B 192.168.182.0/23 [20/0] via 172.31.224.110, port1, 00:00:52
FGT2 # get router info bgp network
BGP table version is 2, local router ID is 172.31.224.110
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 10.10.10.0/24 172.31.224.136 0 0 65136 ?
*> 10.158.0.0/23 192.168.182.78 0 0 65078 ?
*> 10.160.0.0/23 172.31.224.136 0 0 65136 ?
*> 10.161.0.0/23 172.31.224.66 0 0 65066 ?
*> 10.162.0.0/23 172.31.224.66 0 0 65066 ?
* 172.31.224.0/23 172.31.224.66 0 0 65066 ?
*> 172.31.224.136 0 0 65136 ?
*> 192.168.182.0/23 192.168.182.78 0 0 65078 ?
Total number of prefixes 7
FGT2 # get router info routing-table all
S* 0.0.0.0/0 [10/0] via 172.31.225.254, port1
B 10.10.10.0/24 [20/0] via 172.31.224.136, port1, 00:02:18
B 10.158.0.0/23 [20/0] via 192.168.182.78, port2, 00:02:18
B 10.160.0.0/23 [20/0] via 172.31.224.136, port1, 00:02:18
B 10.161.0.0/23 [20/0] via 172.31.224.66, port1, 00:02:13
B 10.162.0.0/23 [20/0] via 172.31.224.66, port1, 00:02:13
C 172.31.224.0/23 is directly connected, port1
C 192.168.182.0/23 is directly connected, port2
FGT2 # get router info bgp route-map route_map_out_deny_fgt1
BGP table version is 2, local router ID is 172.31.224.110
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 10.161.0.0/23 172.31.224.66 0 0 65066 ?
*> 10.162.0.0/23 172.31.224.66 0 0 65066 ?
* 172.31.224.0/23 172.31.224.66 0 0 65066 ?
Total number of prefixes 3
FGT3 # get router info routing-table all
S* 0.0.0.0/0 [10/0] via 192.168.183.254, wan1
C 10.158.0.0/23 is directly connected, internal
B 10.161.0.0/23 [20/0] via 192.168.182.110, wan1, 00:03:23
B 10.162.0.0/23 [20/0] via 192.168.182.110, wan1, 00:03:23
C 192.168.182.0/23 is directly connected, wan1
Note that the routes announced by FGT1 are no longer present in FGT3's routing table.
FGT4 # get router info routing-table all
S* 0.0.0.0/0 [10/0] via 172.31.225.254, wan1
B 10.10.10.0/24 [20/0] via 172.31.224.136, wan1, 00:01:29
B 10.158.0.0/23 [20/0] via 172.31.224.110, wan1, 00:01:29
B 10.160.0.0/23 [20/0] via 172.31.224.136, wan1, 00:01:29
C 10.161.0.0/23 is directly connected, wan1
C 10.162.0.0/23 is directly connected, wan1
C 172.31.224.0/23 is directly connected, wan1
B 192.168.182.0/23 [20/0] via 172.31.224.110, wan1, 00:01:29