Description
This article describes how to configure the FortiGate to advertise static routes via BGP while filtering out the advertisement of the static default route.
Scope
Solution
In this setup, there are two units involved: the HUB and the SPOKE.
On the hub there are two static routes:
192.0.2.0/24 via the MPLS network
0.0.0.0/0 via port1 (INTERNET)
Between the hub and the spoke BGP is running.
BGP is already configured, and peering is UP.
Enabling redistribution of static routes on the HUB will, as expected, redistribute both static routes, 0.0.0.0/0 and 192.0.2.0/24:
HUB # show router static
config router static
    edit 1
        set gateway 10.191.31.254
        set device "port1"
    next
    edit 2
        set dst 192.0.2.0 255.255.255.0
        set gateway 172.16.100.2
        set device "MPLS"
    next
end
HUB # show router bgp
config router bgp
    set as 65000
    set router-id 172.16.102.1
    config neighbor
        edit "172.16.102.2"
            set soft-reconfiguration enable
            set remote-as 65000
        next
    end
    config redistribute "connected"
    end
    config redistribute "rip"
    end
    config redistribute "ospf"
    end
    config redistribute "static"
        set status enable
    end
end
SPOKE # get router info bgp neighbors 172.16.102.1 received-routes
VRF 0 BGP table version is 1, local router ID is 172.16.102.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight RouteTag Path
*>i0.0.0.0/0        10.191.31.254              100      0        0 ? <-/->
*>i192.0.2.0        172.16.100.2               100      0        0 ? <-/->

Total number of prefixes 2
In order to filter the default static route, a prefix-list and a route-map are created and then applied outbound to the BGP neighbor configuration:
HUB # show router prefix-list
config router prefix-list
    edit "Filter-default"
        config rule
            edit 1
                set action deny
                set prefix 0.0.0.0 0.0.0.0
                unset ge
                unset le
            next
            edit 2
                set prefix any
                unset ge
                unset le
            next
        end
    next
end
HUB # show router route-map
config router route-map
    edit "Filter-default"
        config rule
            edit 1
                set match-ip-address "Filter-default"
                unset set-ip-nexthop
                unset set-ip6-nexthop
                unset set-ip6-nexthop-local
                unset set-originator-id
            next
        end
    next
end
HUB # show router bgp
config router bgp
    set as 65000
    set router-id 172.16.102.1
    config neighbor
        edit "172.16.102.2"
            set soft-reconfiguration enable
            set remote-as 65000
            set route-map-out "Filter-default"
        next
    end
end
For the new policy to take effect, the BGP session must be reset. A soft reset is used here, so that the BGP routing table is refreshed without tearing down the existing BGP peering session:
HUB # execute router clear bgp ip 172.16.102.2 soft
It is possible to confirm that the default static route is no longer advertised.
HUB # get router info bgp neighbors 172.16.102.2 advertised-routes
VRF 0 BGP table version is 1, local router ID is 172.16.102.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight RouteTag Path
*>i192.0.2.0        172.16.100.2               100  32768        0 ? <-/->

Total number of prefixes 1
Also on the spoke:
SPOKE # get router info bgp neighbors 172.16.102.1 received-routes
VRF 0 BGP table version is 1, local router ID is 172.16.102.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight RouteTag Path
*>i192.0.2.0        172.16.100.2               100      0        0 ? <-/->

Total number of prefixes 1
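As an added illustration (not part of the Fortinet article), the Python below models how the Filter-default prefix-list is evaluated, including the ge/le semantics the article leaves unset, and parses a constructed advertised-routes capture to flag a hub that is still advertising the default route to a spoke. The sample output, rule encoding and function names are assumptions made for this example.

```python
import ipaddress
import re

# The article's prefix-list "Filter-default", modelled as (action, prefix, ge, le).
# Rules are evaluated top-down, first match wins, and a route matching no rule is
# denied. Rule 2 sets no action because a FortiGate prefix-list rule defaults to permit.
FILTER_DEFAULT = [
    ("deny", "0.0.0.0/0", None, None),   # set prefix 0.0.0.0 0.0.0.0, unset ge/le
    ("permit", "any", None, None),       # set prefix any
]

def rule_matches(rule, route):
    """Exact match when ge/le are unset; otherwise the route must lie inside the rule
    prefix with a length in [ge, le] (ge defaults to the rule length, le to 32)."""
    _, prefix, ge, le = rule
    if prefix == "any":
        return True
    net = ipaddress.ip_network(route, strict=False)
    rule_net = ipaddress.ip_network(prefix, strict=False)
    if ge is None and le is None:
        return net == rule_net
    lo = ge if ge is not None else rule_net.prefixlen
    hi = le if le is not None else net.max_prefixlen
    return net.subnet_of(rule_net) and lo <= net.prefixlen <= hi

def prefix_list_action(rules, route):
    """'permit' or 'deny' for one route, including the implicit trailing deny."""
    for rule in rules:
        if rule_matches(rule, route):
            return rule[0]
    return "deny"

# Constructed sample of 'get router info bgp neighbors <peer> advertised-routes'
# output, shaped like the article's capture before the filter was applied.
BEFORE_FILTER = """\
   Network          Next Hop            Metric LocPrf Weight RouteTag Path
*>i0.0.0.0/0        10.191.31.254              100  32768        0 ? <-/->
*>i192.0.2.0        172.16.100.2               100  32768        0 ? <-/->
"""
ROUTE_RE = re.compile(r"^\*>?i?(\d+\.\d+\.\d+\.\d+(?:/\d+)?)\s")

def advertised_prefixes(output):
    """Prefixes as printed (FortiGate omits the /24 on the classful 192.0.2.0)."""
    return [m.group(1) for m in map(ROUTE_RE.match, output.splitlines()) if m]

def default_route_leaked(output):
    """Audit check: is 0.0.0.0/0 among the routes advertised to this peer?"""
    return "0.0.0.0/0" in advertised_prefixes(output)
```

Feeding the post-filter capture from the hub into default_route_leaked returns False, which is the condition a periodic configuration audit would assert for every spoke neighbor.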
Copyright 2024 Fortinet, Inc. All Rights Reserved.