Technical Tip: IPv6 Default Route Filtering and Preferred IPv6 Path Selection using BGP
| Description | This article explains how to configure a FortiGate to accept only the IPv6 default route (::/0) from Internet Service Providers (ISPs) and filter out all other advertised IPv6 prefixes. Additionally, it describes how to configure the FortiGate to prefer the default route received from ISP1 (wan1) while keeping ISP2 (wan2) as the secondary IPv6 path for redundancy. |
| Scope | FortiGate. |
| Solution |
Both ISPs advertise the following routes toward the FortiGate:
    ::/0
    2001:4860:4860::8888
    2001:4860:4860::8844

The goal is to ensure that only the default route (::/0) is accepted and installed in the FortiGate routing table, and that ISP1’s route is preferred over ISP2’s.

Step 1: Verify Existing BGP Configuration:

Initial BGP configuration without filtering:

    FG # show router bgp
    config router bgp
        set as 65000
        set router-id 1.1.1.1
        set ebgp-multipath enable
        config neighbor
            edit "fd12:3456:789a:1::1"
                set soft-reconfiguration6 enable
                set remote-as 65001
                set weight 1000
            next
            edit "fd12:3456:789a:2::1"
                set soft-reconfiguration6 enable
                set remote-as 65002
            next
        end

BGP Route Table Before Filtering:

    FG # get router info6 bgp network
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete

    VRF 0 BGP table version is 6, local router ID is 1.1.1.1
       Network                  Next Hop                                  Metric LocPrf Weight RouteTag Path
    *> ::/0                     fd12:3456:789a:1::1(fe80::9:fff:fe00:802)      0          1000        0 65001 ? <-/1>
    *                           fd12:3456:789a:2::1(fe80::9:fff:fe00:903)      0             0        0 65002 ? <-/->
    *> 2001:4860:4860::8844/128 fd12:3456:789a:1::1(fe80::9:fff:fe00:802)      0          1000        0 65001 i <-/1>
    *                           fd12:3456:789a:2::1(fe80::9:fff:fe00:903)      0             0        0 65002 i <-/->
    *> 2001:4860:4860::8888/128 fd12:3456:789a:1::1(fe80::9:fff:fe00:802)      0          1000        0 65001 i <-/1>
    *                           fd12:3456:789a:2::1(fe80::9:fff:fe00:903)      0             0        0 65002 i <-/->

    Total number of prefixes 3

The FortiGate currently accepts three prefixes from both ISPs: one default and two specific routes.

Step 2: Create a Prefix List to Permit Only the Default Route:

A prefix list is used to filter inbound IPv6 routes. Only the ::/0 default route will be allowed.

    FG # show router prefix-list6
    config router prefix-list6
        edit "Prefix-List-In-IPv6"
            config rule
                edit 1
                    set prefix6 ::/0
                    unset ge
                    unset le
                next
            end
        next
    end

This prefix list matches only the default route (::/0) and denies all other routes implicitly.

Step 3: Create a Route Map to Apply the Filter:

Associate the prefix list with a route map for inbound BGP route filtering.

    FG # show router route-map
    config router route-map
        edit "IPv6-Roue-Map"
            config rule
                edit 1
                    set match-ip6-address "Prefix-List-In-IPv6"
                    unset set-ip-prefsrc
                next
            end
        next
    end

This route map ensures that only prefixes matching Prefix-List-In-IPv6 (i.e., ::/0) are accepted.

Step 4: Apply Route Map and Adjust Path Preference:

Apply the route map to both BGP neighbors and assign different weights to set preference.

    FG # show router bgp
    config router bgp
        set as 65000
        set router-id 1.1.1.1
        set ebgp-multipath enable
        config neighbor
            edit "fd12:3456:789a:1::1"
                set soft-reconfiguration6 enable
                set remote-as 65001
                set route-map-in6 "IPv6-Roue-Map"
                set weight 200
            next
            edit "fd12:3456:789a:2::1"
                set soft-reconfiguration6 enable
                set route-map-in6 "IPv6-Roue-Map"
                set remote-as 65002
                set weight 100
            next
        end

Step 5: Verify Filtered Routes and Path Selection:

After applying the prefix list and route map, only the default route should remain in the BGP table.

    FG # get router info6 bgp network
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete

    VRF 0 BGP table version is 2, local router ID is 1.1.1.1
       Network                  Next Hop                                  Metric LocPrf Weight RouteTag Path
    *> ::/0                     fd12:3456:789a:1::1(fe80::9:fff:fe00:802)      0           200        0 65001 ? <-/1>
    *                           fd12:3456:789a:2::1(fe80::9:fff:fe00:903)      0           100        0 65002 ? <-/->

    Total number of prefixes 1
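
The Step 5 verification can be automated. The following is an added example, not part of the original article or any Fortinet tooling: a Python check that parses the path rows of `get router info6 bgp network` and reports any accepted prefix other than ::/0, or a ::/0 best path that is not via ISP1. The sample rows are constructed from the Step 1 and Step 5 tables; the names `parse_bgp6` and `audit` and the row regex are assumptions of this example.

```python
import ipaddress
import re

# Constructed samples: path rows from the Step 1 and Step 5 tables, whitespace-collapsed.
BEFORE = """\
*> ::/0 fd12:3456:789a:1::1(fe80::9:fff:fe00:802) 0 1000 0 65001 ? <-/1>
* fd12:3456:789a:2::1(fe80::9:fff:fe00:903) 0 0 0 65002 ? <-/->
*> 2001:4860:4860::8844/128 fd12:3456:789a:1::1(fe80::9:fff:fe00:802) 0 1000 0 65001 i <-/1>
* fd12:3456:789a:2::1(fe80::9:fff:fe00:903) 0 0 0 65002 i <-/->
*> 2001:4860:4860::8888/128 fd12:3456:789a:1::1(fe80::9:fff:fe00:802) 0 1000 0 65001 i <-/1>
* fd12:3456:789a:2::1(fe80::9:fff:fe00:903) 0 0 0 65002 i <-/->
"""
AFTER = """\
*> ::/0 fd12:3456:789a:1::1(fe80::9:fff:fe00:802) 0 200 0 65001 ? <-/1>
* fd12:3456:789a:2::1(fe80::9:fff:fe00:903) 0 100 0 65002 ? <-/->
"""

# A path row: '*', optional '>' (best), optional network, then next-hop(link-local).
ROW = re.compile(r"^\*(>?)\s+(?:(\S+/\d+)\s+)?([0-9A-Fa-f:]+)\(")

def parse_bgp6(text):
    """Return {network: [(next_hop, is_best), ...]} for every valid path row."""
    table, current = {}, None
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # legend, header and totals lines
        best, network, next_hop = m.groups()
        if network:  # continuation rows inherit the previous network
            current = ipaddress.ip_network(network)
        if current is not None:
            table.setdefault(current, []).append((ipaddress.ip_address(next_hop), best == ">"))
    return table

def audit(text, primary):
    """Report accepted non-default prefixes and a ::/0 best path not via `primary`."""
    default, primary = ipaddress.ip_network("::/0"), ipaddress.ip_address(primary)
    table = parse_bgp6(text)
    findings = [f"unexpected prefix accepted: {net}" for net in table if net != default]
    best = [hop for hop, is_best in table.get(default, []) if is_best]
    if default not in table:
        findings.append("default route ::/0 missing")
    elif best != [primary]:
        findings.append(f"::/0 best path via {', '.join(map(str, best)) or 'none'}, expected {primary}")
    return findings

if __name__ == "__main__":
    for name, sample in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(sample, "fd12:3456:789a:1::1") or "OK")
```

Run against saved CLI output after any route-map or neighbor change; an empty findings list means the inbound filter and the ISP1 preference both hold.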
|

