make_beer_not_war
New Member
September 1, 2020
Solved

Route map to stop advertising certain prefixes in BGP


I'm having trouble applying a route map to stop a FortiGate 201E from advertising certain connected subnets via BGP.

 

In my examples below I've only shown one prefix. I actually have 6 I want to stop advertising. I also want this FGT to continue advertising the default route.

 

I've tried a prefix list with the deny action set on the rules, and applying the route map to the neighbor, like this:

 

config router prefix-list
    edit "ISP_allowed_eBGP"
        config rule
            edit 1
                set action deny
                set prefix 10.10.10.184 255.255.255.248
                unset ge
                unset le
            next
            edit 2
                set prefix 0.0.0.0 0.0.0.0
                unset ge
                set le 32
            next
        end
    next
end

 

config router route-map
    edit "ISP_allowed_eBGP_route_map"
        config rule
            edit 1
                set match-ip-address "ISP_allowed_eBGP"
            next
        end
    next
end

 

config router bgp
    config neighbor
        edit "10.10.10.189"
            set route-map-out "ISP_allowed_eBGP_route_map"
        next
    end
end

 

I also tried creating two separate prefix lists and setting the deny action on the rules within the route map, like this:

config router prefix-list
    edit "ISP_deny_eBGP"
        config rule
            edit 1
                set prefix 10.10.10.184 255.255.255.248
                unset ge
                unset le
            next
        end
    next
    edit "ISP_permit_eBGP"
        config rule
            edit 1
                set prefix 0.0.0.0 0.0.0.0
                unset ge
                set le 32
            next
        end
    next
end

 

config router route-map
    edit "ISP_allowed_eBGP_route_map"
        config rule
            edit 1
                set match-ip-address "ISP_deny_eBGP"
                set action deny
            next
            edit 2
                set match-ip-address "ISP_permit_eBGP"
                set action permit
            next
        end
    next
end

 

config router bgp
    config neighbor
        edit "10.10.10.189"
            set route-map-out "ISP_allowed_eBGP_route_map"
        next
    end
end

 

 

Both of these attempts failed. "get router info bgp neighbors 10.10.10.189 advertised-routes" shows that 10.10.10.184/29 is still being advertised.

Something I didn't try yet is putting the route map under the redistribute connected config, like this:

config router bgp
    config redistribute "connected"
        set status enable
        set route-map "ISP_allowed_eBGP_route_map"
    end
end

 

Is that the correct approach? If so, why would that work and not the other two attempts? Please help me to understand what I've done wrong and the correct approach to achieve what I want.

Thanks in advance.

Best answer by Yurisk

You have 3 ways (with slight variations) of achieving this:

1. Create a prefix-list that explicitly lists, one by one, all networks you WANT to advertise, all as "permit". The nets that are not in this prefix list will be denied automatically. Then apply this prefix list under the BGP peer with
   set prefix-list-out <name of the prefix list>
2. Create a prefix-list that explicitly lists, one by one, all networks you DON'T WANT to advertise, still with action "permit". Then create a route-map with the 1st action "deny" using this prefix-list, followed by the next entry in the route-map with action "allow" but without any prefix, which means "allow any nets not matched in the previous "deny" entry". Then apply this route-map out under the BGP peer.
3. Create a prefix-list that explicitly lists, one by one, all networks you WANT to advertise, all as "permit". The nets that are not in this prefix list will be denied automatically. Then use this prefix-list in a route-map, which in turn you apply under "router bgp" "redistribute connected". This is the preferred way, as you always want to filter closest to the source.

NOTE: It is a common practice to use "allow"-only statements in prefix-lists when you later use them in a route-map.

    You may find more examples in my post: https://yurisk.info/2020/05/20/fortigate-bgp-cookbook-of-example-configuration-and-debug/ 
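The three options from the answer above written out as complete FortiOS CLI, as an added example that is not part of the original post, the answer, or Fortinet's documentation. It uses the 10.10.10.184/29 network and the 10.10.10.189 peer from the question; the prefix-list and route-map names, and 192.0.2.0/24 standing in for a connected subnet that should keep being advertised, are assumed for illustration. Options 1 and 3 share the same permit-only prefix list; the `#` lines are comments and sit between the config blocks.

```text
# Options 1 and 3: list only what you DO want to advertise, all "permit".
# Anything not matched falls to the implicit deny at the end of the list.
# 192.0.2.0/24 is an assumed placeholder; add one rule per subnet to keep.
# Rule 2 has no ge/le, so it matches exactly 0.0.0.0/0 (the default route)
# and nothing else; this is what keeps the default route flowing in option 1.
config router prefix-list
    edit "ISP_permit_eBGP"
        config rule
            edit 1
                set action permit
                set prefix 192.0.2.0 255.255.255.0
                unset ge
                unset le
            next
            edit 2
                set action permit
                set prefix 0.0.0.0 0.0.0.0
                unset ge
                unset le
            next
        end
    next
end

# Option 2: list what you DON'T want to advertise, still as "permit".
# The deny is done by the route-map rule, not by the prefix-list.
config router prefix-list
    edit "ISP_deny_eBGP"
        config rule
            edit 1
                set action permit
                set prefix 10.10.10.184 255.255.255.248
                unset ge
                unset le
            next
        end
    next
end

# Rule 1 denies whatever the prefix-list matches; rule 2 has no match
# clause, so it permits everything that was not denied in rule 1.
config router route-map
    edit "ISP_filter_out"
        config rule
            edit 1
                set action deny
                set match-ip-address "ISP_deny_eBGP"
            next
            edit 2
                set action permit
            next
        end
    next
end

# Apply on the peer: option 1 uses prefix-list-out, option 2 uses
# route-map-out. Pick one of the two lines for a given neighbor.
# soft-reconfiguration lets a policy change take effect without tearing
# the session down (see the staff reply further down this thread).
config router bgp
    config neighbor
        edit "10.10.10.189"
            set soft-reconfiguration enable
            set prefix-list-out "ISP_permit_eBGP"
        next
    end
end

# Option 3 (preferred in the answer: filter closest to the source).
# The route-map only touches what "redistribute connected" injects, so
# routes from other sources, e.g. the default route, are not affected.
config router route-map
    edit "ISP_redist_connected"
        config rule
            edit 1
                set action permit
                set match-ip-address "ISP_permit_eBGP"
            next
        end
    next
end

config router bgp
    config redistribute "connected"
        set status enable
        set route-map "ISP_redist_connected"
    end
end

# After changing outbound policy on the peer, resend updates and verify
# that 10.10.10.184/29 is gone from what the FortiGate advertises.
execute router clear bgp ip 10.10.10.189
get router info bgp neighbors 10.10.10.189 advertised-routes
```

Both the prefix-list and the route-map end in an implicit deny, which is why a permit-only prefix list on its own (option 1) already filters, and why a route-map whose only rule matches a prefix list containing a deny entry drops that prefix without ever reaching a permit.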


    emnoc
    New Member
    September 1, 2020

    Did you clear the bgp router process after applying the route-map?

    I would do a diag debug and gather details, e.g.

        diag ip router bgp updates out en
        diag debug enable

    Ken Felix

    Toshi_Esumi
    SuperUser
    September 1, 2020

    For the first one, edit 2 is questionable. I would set it like below:

        edit 2
            set prefix any
            unset ge
            unset le
        next

    edit 1 looks fine. At least that's what I did for some cases and it worked.

    make_beer_not_war
    New Member
    September 1, 2020

    Thanks for your advice. I would have thought that

        set prefix 0.0.0.0 0.0.0.0
        unset ge
        set le 32

    is functionally equivalent to

        set prefix any
        unset ge
        unset le

    But the latter is certainly simpler. I'll give it a go.

    Benoit_Rech_FTNT
    Staff
    September 14, 2020

    Hello,

    Don't forget that when you perform configuration changes on a BGP neighbor, you have to restart the connection with the peer, unless "soft-configuration" is enabled. Example:

        exec router clear bgp ip x.x.x.x

    You can also check which prefixes are sent to the BGP peer using

        get router info bgp neighbors x.x.x.x advertised-routes

     

    Best regards, Benoit