rmetzger
Staff
November 30, 2009

Technical Tip: BGP configuration example to prevent a FortiGate from redistributing BGP routes to a specific peer


Description


This article provides a BGP configuration example to prevent a FortiGate from redistributing BGP routes to a specific peer.


Scope

 

  • FortiGate or VDOM in NAT mode
  • Example given for FortiOS 4.0 and above


Diagram
The following diagram illustrates this example:

kb1.png (diagram: FGT1, FGT2, FGT3 and FGT4 peering in BGP; see the addresses and AS numbers in the configuration below)

Solution

 

Example 1:

  • FGT2 must not redistribute any BGP routes to FGT3, and there must be no impact on the other FortiGates (FGT1 and FGT4 must keep receiving the same routes).
  • FGT1 announces the following routes in BGP:
    • 10.10.10.0/24
    • 10.160.0.0/23
    • 172.31.224.0/23
  • FGT3 announces the following routes in BGP:
    • 10.158.0.0/23
    • 192.168.182.0/23
  • FGT4 announces the following routes in BGP:
    • 10.161.0.0/23
    • 10.162.0.0/23

 

Note

From v7.6.0, firewall addresses and address groups can be used to advertise as BGP network prefixes. Refer to the following document for more information: BGP network prefixes utilize firewall addresses and groups

 

Example 2:

  • FGT2 must advertise to FGT1 and FGT4 only its local subnet 192.168.182.0/23
  • FGT2 must not re-advertise to FGT1 the routes learned from FGT4, nor to FGT4 the routes learned from FGT1 (FGT2 must not act as a transit between them)


Configuration

 

Configuration for example 1:

This is achieved by configuring an access-list and an outbound route-map (route-map-out) on FortiGate 2 (FGT2). The route-map is attached only to the FGT3 neighbor, so the other peers are not affected. Only the relevant parts of the FGT2 configuration are shown in CLI format:


config router access-list
    edit "match_all_routes"
        config rule
            edit 1
                set action deny
                set exact-match disable
            next
        end
    next
end

config router route-map
    edit "route_map_out_deny_all"
        config rule
            edit 1
                set action deny
                set match-ip-address "match_all_routes"
            next
        end
    next
end

config router bgp
    set as 65110
    config neighbor
        edit "172.31.224.136"
            set remote-as 65136
        next
        edit "192.168.182.78"
            set remote-as 65078
            set route-map-out "route_map_out_deny_all"
        next
        edit "172.31.224.66"
            set remote-as 65066
        next
    end
    set router-id 172.31.224.110
end

 

Configuration for example 2:

The same mechanism is used, but this time the access-list permits only the local subnet (exact match) and denies everything else, and the route-map is attached to the FGT1 and FGT4 neighbors. Only the relevant parts of the FGT2 configuration are shown:

config router access-list
    edit "only_local_subnet"
        config rule
            edit 1
                set action permit
                set prefix 192.168.182.0 255.255.254.0
                set exact-match enable
            next
            edit 2
                set action deny
                set prefix any
                set exact-match disable
            next
        end
    next
end

config router route-map
    edit "only_local_subnets"
        config rule
            edit 1
                set match-ip-address "only_local_subnet"
            next
        end
    next
end

config router bgp
    config neighbor
        edit "172.31.224.136"
            set remote-as 65136
            set route-map-out "only_local_subnets"
        next
        edit "172.31.224.66"
            set remote-as 65066
            set route-map-out "only_local_subnets"
        next
        edit "192.168.182.78"
            set remote-as 65078
        next
    end
end

Note that the route-map rule has no explicit action: the default action of a route-map rule is permit, and any route that does not match the referenced access-list falls through to the route-map's implicit deny. The name given in match-ip-address must be exactly the name of the access-list defined above ("only_local_subnet"); a mismatch between the two names leaves the policy pointing at an object that does not exist.
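The policy of Example 2 generalizes to any number of local prefixes and filtered peers. The following Python script is an added example, not part of this article and not FortiOS code: it emits the access-list, route-map and neighbor stanzas in FortiOS CLI form from a prefix list and a peer table, and then checks that every name used in match-ip-address or route-map-out is actually defined as an access-list or route-map, so that a name mismatch is caught before the configuration is pushed. The prefix, peer addresses and AS numbers are constructed to mirror FGT2 in the diagram above; passing an empty prefix list yields the deny-everything access-list of Example 1.

```python
"""Emit the 'advertise only local prefixes' BGP policy of Example 2 as FortiOS CLI
and check name consistency. Added example, not part of the article or of FortiOS;
the prefix and peer data are constructed to mirror FGT2 (AS 65110) in the diagram."""
import ipaddress
import re

LOCAL_PREFIXES = ["192.168.182.0/23"]          # what FGT2 is allowed to advertise
NEIGHBORS = {
    # peer IP: (remote AS, attach the outbound filter to this peer?)
    "172.31.224.136": (65136, True),   # FGT1
    "172.31.224.66": (65066, True),    # FGT4
    "192.168.182.78": (65078, False),  # FGT3, left unfiltered in Example 2
}


def access_list(name, prefixes):
    """Access-list that permits exactly `prefixes` (exact-match) and denies all else.
    An empty list gives the deny-everything list of Example 1."""
    out = ["config router access-list", f'    edit "{name}"', "        config rule"]
    for seq, cidr in enumerate(prefixes, start=1):
        net = ipaddress.ip_network(cidr, strict=True)   # rejects prefixes with host bits set
        out += [f"            edit {seq}",
                "                set action permit",
                f"                set prefix {net.network_address} {net.netmask}",
                "                set exact-match enable",
                "            next"]
    out += [f"            edit {len(prefixes) + 1}",
            "                set action deny",
            "                set prefix any",
            "                set exact-match disable",
            "            next",
            "        end", "    next", "end"]
    return "\n".join(out)


def route_map(name, acl_name):
    """Single permit rule matching the access-list; anything that does not match
    it is dropped by the route-map's implicit deny."""
    return "\n".join(["config router route-map", f'    edit "{name}"',
                      "        config rule", "            edit 1",
                      f'                set match-ip-address "{acl_name}"',
                      "            next", "        end", "    next", "end"])


def bgp_neighbors(neighbors, rm_name):
    """Neighbor stanzas; route-map-out is set only on the flagged peers."""
    out = ["config router bgp", "    config neighbor"]
    for ip, (remote_as, filtered) in neighbors.items():
        out += [f'        edit "{ip}"', f"            set remote-as {remote_as}"]
        if filtered:
            out.append(f'            set route-map-out "{rm_name}"')
        out.append("        next")
    return "\n".join(out + ["    end", "end"])


def build_config(prefixes=LOCAL_PREFIXES, neighbors=NEIGHBORS,
                 acl_name="only_local_subnets", rm_name="only_local_subnets"):
    return "\n\n".join([access_list(acl_name, prefixes),
                        route_map(rm_name, acl_name),
                        bgp_neighbors(neighbors, rm_name)])


def dangling_references(config_text):
    """Names used in match-ip-address / route-map-out that no top-level access-list
    / route-map defines. Nesting is tracked by counting config/edit against
    next/end, so unindented CLI pasted from a console is handled too."""
    defined = {"access-list": set(), "route-map": set()}
    referenced = {"access-list": set(), "route-map": set()}
    section, depth = None, 0
    for raw in config_text.splitlines():
        s = raw.strip()
        if s.startswith("config "):
            depth += 1
            if s.startswith("config router "):
                section = s.split()[2]        # "access-list", "route-map", "bgp", ...
        elif s.startswith("edit "):
            depth += 1
            m = re.match(r'edit "([^"]+)"$', s)
            if m and depth == 2 and section in defined:
                defined[section].add(m.group(1))
        elif s in ("next", "end"):
            depth -= 1
        else:
            m = re.match(r'set (match-ip-address|route-map-out) "([^"]+)"$', s)
            if m:
                kind = "access-list" if m.group(1) == "match-ip-address" else "route-map"
                referenced[kind].add(m.group(2))
    return {k: referenced[k] - defined[k] for k in defined if referenced[k] - defined[k]}


if __name__ == "__main__":
    cfg = build_config()
    print(cfg)
    print("dangling references:", dangling_references(cfg) or "none")
```

The generated text is meant to be reviewed and pasted into the FortiGate CLI; the reference check is a static check on the text and says nothing about how the device itself would react to an undefined name.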

Example 1 Verification:

Before configuring the route map on FGT2:


FGT1 # get router info routing-table all

S*      0.0.0.0/0 [10/0] via 172.31.225.254, port1
C       10.10.10.0/24 is directly connected, port4
B       10.158.0.0/23 [20/0] via 172.31.224.110, port1, 00:02:54
C       10.160.0.0/23 is directly connected, port2
B       10.161.0.0/23 [20/0] via 172.31.224.66, port1, 00:02:54
B       10.162.0.0/23 [20/0] via 172.31.224.66, port1, 00:02:54
C       172.31.224.0/23 is directly connected, port1
B       192.168.182.0/23 [20/0] via 172.31.224.110, port1, 00:02:54


FGT3 # get router info routing-table all

S*      0.0.0.0/0 [10/0] via 192.168.183.254, wan1
B       10.10.10.0/24 [20/0] via 192.168.182.110, wan1, 00:04:07
C       10.158.0.0/23 is directly connected, internal
B       10.160.0.0/23 [20/0] via 192.168.182.110, wan1, 00:04:07
B       10.161.0.0/23 [20/0] via 192.168.182.110, wan1, 00:03:41
B       10.162.0.0/23 [20/0] via 192.168.182.110, wan1, 00:03:41
B       172.31.224.0/23 [20/0] via 192.168.182.110, wan1, 00:04:07
C       192.168.182.0/23 is directly connected, wan1

 

After configuring the route map on FGT2:

The routing table of FGT1 is unchanged, while FGT3 no longer holds any BGP route learned from FGT2. To confirm what FGT2 actually sends to a peer, check the advertised routes on FGT2 itself with get router info bgp neighbors 192.168.182.78 advertised-routes; if the session was already established when the route-map was attached, reset it (for example with execute router clear bgp ip 192.168.182.78) so that the new outbound policy is applied.

 

FGT1 # get router info routing-table all

S*      0.0.0.0/0 [10/0] via 172.31.225.254, port1
C       10.10.10.0/24 is directly connected, port4
B       10.158.0.0/23 [20/0] via 172.31.224.110, port1, 00:02:54
C       10.160.0.0/23 is directly connected, port2
B       10.161.0.0/23 [20/0] via 172.31.224.66, port1, 00:02:54
B       10.162.0.0/23 [20/0] via 172.31.224.66, port1, 00:02:54
C       172.31.224.0/23 is directly connected, port1
B       192.168.182.0/23 [20/0] via 172.31.224.110, port1, 00:02:54


FGT3 # get router info routing-table all

S*      0.0.0.0/0 [10/0] via 192.168.183.254, wan1
C       10.158.0.0/23 is directly connected, internal
C       192.168.182.0/23 is directly connected, wan1
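To check the effect without reading the tables by eye, the following Python script is an added example, not part of this article: it parses the get router info routing-table all output format shown above, lists the BGP routes learned through a given next hop, and compares two snapshots while ignoring the route age, which changes between any two captures. The sample tables are constructed from the FGT1 and FGT3 output above; the FGT1 "after" snapshot has altered ages to show that they do not affect the comparison.

```python
"""Parse FortiOS 'get router info routing-table all' output and compare two
snapshots. Added example, not part of the article; the sample tables below are
constructed from the FGT1/FGT3 output shown above."""
import re
from collections import namedtuple

# Route age is deliberately not part of the tuple: it changes between snapshots
# and must not make two otherwise identical tables compare as different.
Route = namedtuple("Route", "proto prefix via iface")

ROUTE_RE = re.compile(
    r"^(?P<proto>[A-Z])\*?\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+"
    r"(?:\[\d+/\d+\]\s+via\s+(?P<via>[^,\s]+),\s+(?P<iface>[^,\s]+)(?:,\s+\S+)?"
    r"|is directly connected,\s+(?P<ciface>\S+))\s*$")


def parse_routing_table(text):
    """Return the routes in a routing-table dump; prompt and blank lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes.append(Route(m["proto"], m["prefix"], m["via"], m["iface"] or m["ciface"]))
    return routes


def bgp_routes_via(text, next_hop):
    """Sorted prefixes learned by BGP through the given next hop."""
    return sorted(r.prefix for r in parse_routing_table(text)
                  if r.proto == "B" and r.via == next_hop)


def withdrawn(before, after):
    """Prefixes that were in the table before and are gone after."""
    b = {r.prefix for r in parse_routing_table(before)}
    a = {r.prefix for r in parse_routing_table(after)}
    return sorted(b - a)


def unchanged(before, after):
    """True if both snapshots hold the same routes (ignoring age)."""
    return set(parse_routing_table(before)) == set(parse_routing_table(after))


# Constructed sample input, copied from the FGT3 tables shown in the article.
FGT3_BEFORE = """\
FGT3 # get router info routing-table all
S*      0.0.0.0/0 [10/0] via 192.168.183.254, wan1
B       10.10.10.0/24 [20/0] via 192.168.182.110, wan1, 00:04:07
C       10.158.0.0/23 is directly connected, internal
B       10.160.0.0/23 [20/0] via 192.168.182.110, wan1, 00:04:07
B       10.161.0.0/23 [20/0] via 192.168.182.110, wan1, 00:03:41
B       10.162.0.0/23 [20/0] via 192.168.182.110, wan1, 00:03:41
B       172.31.224.0/23 [20/0] via 192.168.182.110, wan1, 00:04:07
C       192.168.182.0/23 is directly connected, wan1
"""

FGT3_AFTER = """\
FGT3 # get router info routing-table all
S*      0.0.0.0/0 [10/0] via 192.168.183.254, wan1
C       10.158.0.0/23 is directly connected, internal
C       192.168.182.0/23 is directly connected, wan1
"""

# Constructed sample input, copied from the FGT1 table shown in the article.
FGT1_BEFORE = """\
S*      0.0.0.0/0 [10/0] via 172.31.225.254, port1
C       10.10.10.0/24 is directly connected, port4
B       10.158.0.0/23 [20/0] via 172.31.224.110, port1, 00:02:54
C       10.160.0.0/23 is directly connected, port2
B       10.161.0.0/23 [20/0] via 172.31.224.66, port1, 00:02:54
B       10.162.0.0/23 [20/0] via 172.31.224.66, port1, 00:02:54
C       172.31.224.0/23 is directly connected, port1
B       192.168.182.0/23 [20/0] via 172.31.224.110, port1, 00:02:54
"""

# Same routes with different (constructed) ages, as a later capture would show.
FGT1_AFTER = FGT1_BEFORE.replace("00:02:54", "00:11:30")

if __name__ == "__main__":
    print("FGT3 BGP routes from FGT2 before:", bgp_routes_via(FGT3_BEFORE, "192.168.182.110"))
    print("FGT3 BGP routes from FGT2 after: ", bgp_routes_via(FGT3_AFTER, "192.168.182.110"))
    print("withdrawn on FGT3:", withdrawn(FGT3_BEFORE, FGT3_AFTER))
    print("FGT1 unchanged:", unchanged(FGT1_BEFORE, FGT1_AFTER))
```

The same functions apply to Example 2: capture FGT1's table before and after attaching the route-map and check that bgp_routes_via(..., "172.31.224.110") contains only 192.168.182.0/23 and 10.158.0.0/23 is gone, while the routes learned directly from FGT4 (next hop 172.31.224.66) are untouched.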


Related article:

Technical Note: BGP configuration example to prevent a FortiGate from redistributing BGP routes learned from a specific peer