JosephG
Visitor III
February 2, 2025
Solved

Fortigate BGP not sharing direct connected routes.

  • February 2, 2025
  • 2 replies
  • 1772 views

I have the below config, and I seem to have an issue where the FortiGate isn't sharing the directly connected routes between BGP peers.

[Image: Example.drawio.png]

FortiGate interfaces:
aggregateinterf: IP 172.19.0.6 255.255.255.248, no VLAN.
MGMT: IP 192.168.183.58 255.255.255.192, VLAN 200, parent: aggregateinterf.
CCTV: IP 192.168.183.190 255.255.255.192, VLAN 250, parent: aggregateinterf.

Switch VRFs: WAN, LAN, MGMT, CCTV.

Switch SVIs:
SVI WAN: IP 172.19.0.2/29, VRF WAN, VLAN 101.
SVI CCTV: IP 192.168.183.130/26, VRF CCTV, VLAN 250.
SVI MGMT: IP 192.168.183.2/26, VRF MGMT, VLAN 200.
SVI LAN1: IP 192.168.168.1/24, VRF LAN, VLAN 300.
SVI LAN2: IP 192.168.169.1/24, VRF LAN, VLAN 301.

On the switch, I leak the routes between LAN and WAN.


I have BGP peering from the switch as below.
VRF WAN to aggregateinterf, 172.19.0.6/29
VRF MGMT to MGMT vlan, 192.168.183.58/26

Now BGP is established and I can see the FortiGate as the default route.
The issue I am having is that the FortiGate is not advertising each interface's connected route to the other VRFs on the switch.

In the outgoing routes, I would expect the below.

Neighbour on aggregateinterf:
0.0.0.0/0 via 172.16.0.6
192.168.183.0/26 via 172.16.0.6
192.168.183.128/26 via 172.16.0.6

Neighbour on VLAN MGMT:
0.0.0.0/0 via 192.168.183.58
172.19.0.0/29 via 192.168.183.58
192.168.183.128/26 via 192.168.183.58

What I actually get is below.

Neighbour on aggregateinterf:
0.0.0.0/0 via 172.16.0.6

Neighbour on VLAN MGMT:
0.0.0.0/0 via 192.168.183.58

Config is below.

LAB-FW # show router prefix-list
config router prefix-list
    edit "MGMT-OUT"
        config rule
            edit 1
                set prefix 192.168.183.64 255.255.255.192
                unset ge
                unset le
            next
        end
    next
    edit "LAN-OUT"
        config rule
            edit 1
                set prefix 192.168.183.0 255.255.255.0
                unset ge
                unset le
            next
        end
    next
end

LAB-FW # show router route-map
config router route-map
    edit "MGMT-OUT"
        config rule
            edit 1
                set match-ip-address "MGMT-OUT"
            next
        end
    next
    edit "LAN-OUT"
        config rule
            edit 1
                set match-ip-address "LAN-OUT"
            next
        end
    next
end

LAB-FW # show router bgp
config router bgp
    set as 65000
    set router-id 172.16.0.6
    set ebgp-multipath enable
    set cluster-id 172.16.0.6
    config neighbor
        edit "172.19.0.2"
            set capability-default-originate enable
            set interface "aggregateinterf"
            set remote-as 64600
            set route-map-out "LAN-OUT"
            set keep-alive-timer 2
            set holdtime-timer 10
        next
        edit "192.168.183.2"
            set capability-default-originate enable
            set interface "MGMT"
            set remote-as 64600
            set route-map-out "MGMT-OUT"
            set keep-alive-timer 2
            set holdtime-timer 10
        next
    end
    config network
        edit 1
            set prefix 192.168.0.0 255.255.0.0
        next
    end
    config network6
        edit 1
            set prefix6 ::/128
        next
    end
    config redistribute "connected"
        set status enable
    end
    config redistribute "rip"
    end
    config redistribute "ospf"
    end
    config redistribute "static"
    end
    config redistribute "isis"
    end
    config redistribute6 "connected"
    end
    config redistribute6 "rip"
    end
    config redistribute6 "ospf"
    end
    config redistribute6 "static"
    end
    config redistribute6 "isis"
    end
end

LAB-FW # get router info bgp neighbors 172.19.0.2 advertised-routes
VRF 0 BGP table version is 4, local router ID is 172.16.0.6
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

    Network          Next Hop            Metric LocPrf Weight RouteTag Path
*> 0.0.0.0/0        172.19.0.6                    100  32768        0 i <-/->

Total number of prefixes 1

LAB-FW # get router info bgp neighbors 192.168.183.2 advertised-routes
VRF 0 BGP table version is 3, local router ID is 172.16.0.6
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

    Network          Next Hop            Metric LocPrf Weight RouteTag Path
*> 0.0.0.0/0        192.168.183.58                100  32768        0 i <-/->

Total number of prefixes 1

LAB-FW # show system interface
config system interface
    edit "aggregateinterf"
        set vdom "root"
        set ip 172.19.0.6 255.255.255.248
        set allowaccess ping snmp fgfm
        set type aggregate
        set member "port1" "port2"
        set device-identification enable
        set device-user-identification disable
        set lldp-reception enable
        set lldp-transmission enable
        set role lan
        set snmp-index 15
    next
    edit "MGMT"
        set vdom "root"
        set ip 192.168.183.58 255.255.255.192
        set allowaccess ping https ssh http fgfm
        set alias "MGMT"
        set device-identification enable
        set role lan
        set snmp-index 16
        set interface "aggregateinterf"
        set vlanid 200
    next
    edit "CCTV"
        set vdom "root"
        set ip 192.168.183.190 255.255.255.192
        set allowaccess ping
        set alias "CCTV"
        set device-identification enable
        set role lan
        set snmp-index 17
        set interface "aggregateinterf"
        set vlanid 250
    next
end

Best answer by funkylicious

Hi, several things I would change/add to the config:

- In the prefix-list LAN-OUT, you have 192.168.183.0/24, but that network is actually broken down into 2 separate /26 nets, so I would be specific in it with the actual networks that also exist in your routing table / are directly configured.

- I am more of a "set prefix-list-in and -out" kind of person in regards to what specific routes I want to filter inbound and outbound, rather than using route-maps for that, since I don't want to make any kind of changes to the BGP params sent/received along with those networks.

- And I don't see the interfaces belonging to a VRF different from 0 (default), so I guess it's only relevant on the SVI.

After that, you can do a flap of the session and see how it looks.

L.E. You can also have a look at https://community.fortinet.com/t5/FortiGate/Technical-Tip-Advertise-a-BGP-route-not-present-in-the-routing/ta-p/197723 in order to advertise the whole /24 net.
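To see why the original lists passed nothing, here is an added example (not from the thread, and not Fortinet code): a small Python model of prefix-list matching, run over the FortiGate's connected networks from the question with the prefix-lists before and after the fix. The ge/le semantics it models (exact-length match when both are unset) are an assumption, as is the extra "/24 with le 26" variant, which the thread does not use.

```python
from ipaddress import IPv4Network

def rule_matches(rule, route):
    """rule = (prefix, ge, le), ge/le None when unset; route is an IPv4Network.

    Modelled semantics (assumption, FortiOS/Cisco-style prefix-lists): the route
    must sit inside the rule prefix, and its mask length must be >= ge and
    <= le; with both unset, only a route of exactly the rule's length passes.
    """
    prefix, ge, le = rule
    if not route.subnet_of(prefix):
        return False
    lo = prefix.prefixlen if ge is None else ge
    if le is not None:
        hi = le
    elif ge is not None:
        hi = prefix.max_prefixlen      # "ge N" alone means N..32
    else:
        hi = prefix.prefixlen          # neither set: exact match only
    return lo <= route.prefixlen <= hi

def permitted(prefix_list, routes):
    """Routes a route-map referencing prefix_list would let through, as strings."""
    return [str(r) for r in routes
            if any(rule_matches(rule, r) for rule in prefix_list)]

N = IPv4Network

# Connected networks derived from the interface config in the question.
CONNECTED = [N("172.19.0.0/29"),        # aggregateinterf
             N("192.168.183.0/26"),     # MGMT, VLAN 200
             N("192.168.183.128/26")]   # CCTV, VLAN 250

# Prefix-lists as posted in the question (ge/le unset = exact match).
LAN_OUT_BEFORE = [(N("192.168.183.0/24"), None, None)]
MGMT_OUT_BEFORE = [(N("192.168.183.64/26"), None, None)]
# Prefix-lists from the "that worked" follow-up.
LAN_OUT_AFTER = [(N("192.168.183.0/26"), None, None),
                 (N("192.168.183.128/26"), None, None)]
MGMT_OUT_AFTER = [(N("192.168.183.128/26"), None, None)]
# Alternative not used in the thread (assumption): keep the /24 but add "set le 26".
LAN_OUT_LE26 = [(N("192.168.183.0/24"), None, 26)]

if __name__ == "__main__":
    for name, pl in [("LAN-OUT before", LAN_OUT_BEFORE),
                     ("MGMT-OUT before", MGMT_OUT_BEFORE),
                     ("LAN-OUT after", LAN_OUT_AFTER),
                     ("MGMT-OUT after", MGMT_OUT_AFTER),
                     ("LAN-OUT /24 le 26", LAN_OUT_LE26)]:
        print(f"{name:18} -> {permitted(pl, CONNECTED)}")
```

The 0.0.0.0/0 that did get advertised is left out on purpose: it comes from capability-default-originate, not from the route-map, which is why it was the only prefix the switch ever saw.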

2 replies

JosephG (Author)
Visitor III
February 2, 2025

That worked, thank you very much :)
Config below.

LAB-FW# show router route-map
config router route-map
    edit "MGMT-OUT"
        config rule
            edit 1
                set match-ip-address "MGMT-OUT"
            next
        end
    next
    edit "LAN-OUT"
        config rule
            edit 1
                set match-ip-address "LAN-OUT"
            next
        end
    next
    edit "CCTV-OUT"
        config rule
            edit 1
                set match-ip-address "CCTV-OUT"
            next
        end
    next
end

LAB-FW# show router prefix-list
config router prefix-list
    edit "MGMT-OUT"
        config rule
            edit 1
                set prefix 192.168.183.128 255.255.255.192
                unset ge
                unset le
            next
        end
    next
    edit "LAN-OUT"
        config rule
            edit 2
                set prefix 192.168.183.0 255.255.255.192
                unset ge
                unset le
            next
            edit 3
                set prefix 192.168.183.128 255.255.255.192
                unset ge
                unset le
            next
        end
    next
    edit "CCTV-OUT"
        config rule
            edit 1
                set prefix 192.168.183.0 255.255.255.192
                unset ge
                unset le
            next
        end
    next
end

LAB-FW#
Toshi_Esumi
SuperUser
February 2, 2025

Probably multiple ways to "make it work". But the bottom line is those VRF neighbors are the same router or a single cluster of routers from the FGT's view because AS is the same between them. If you want the FGT to act as the GW between VRFs, you should set a different AS at each VRF.
Otherwise you need iBGP neighboring between those VRFs.

Toshi