Created on 07-07-2025 10:09 PM
Edited on 08-27-2025 02:02 AM
By Jean-Philippe_P
Description: This article describes how to configure BGP to advertise only locally originated routes using an AS-path list.
Scope: FortiGate.
Solution:
By default, BGP advertises routes learned from one peer to another. In a dual-homed scenario, this behavior may cause routing loops.
One way to block the advertisement of BGP routes learned from one BGP peer to another is to use a prefix list, in which each subnet must be explicitly configured, as described in the article Technical Tip: How to control BGP route advertisement with prefix-list.
A prefix list is prone to human error, especially in networks with a large number of subnets. As an alternative, an AS-path list simplifies the configuration because no subnets need to be specified manually for route filtering.
Below is the BGP table output from each FortiGate before filtering. A next hop of 0.0.0.0 indicates a locally originated route.
FGT-A:

get router info bgp network    <--- Shows the BGP database.
VRF 0 BGP table version is 4, local router ID is 4.4.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop          Metric LocPrf Weight RouteTag Path
*> 11.11.11.0/24    192.168.22.2           0             0        0 65002 i
*> 22.22.22.0/24    0.0.0.0                      100  32768        0 i
*> 33.33.33.0/24    192.168.22.2           0             0        0 65002 65001 i

FGT-B:

get router info bgp network
VRF 0 BGP table version is 13, local router ID is 3.3.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop          Metric LocPrf Weight RouteTag Path
*> 11.11.11.0/24    0.0.0.0                      100  32768        0 i
*> 22.22.22.0/24    192.168.22.1           0             0        0 65000 i
*> 33.33.33.0/24    50.50.50.51            0             0        0 65001 i

FGT-C:

get router info bgp network
VRF 0 BGP table version is 3, local router ID is 50.50.50.51
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop          Metric LocPrf Weight RouteTag Path
*> 11.11.11.0/24    50.50.50.52            0             0        0 65002 i
*> 22.22.22.0/24    50.50.50.52            0             0        0 65002 65000 i
*> 33.33.33.0/24    0.0.0.0                      100  32768        0 i
Since FGT-A and FGT-C have no direct BGP peering (i.e., FGT-B is acting as a transit router), route filtering will be applied on FGT-B only.
Configuration of FGT-B using AS-path filtering:

Step 1: Create an aspath-list with the regular expression '^$' to match the empty AS path. Locally originated routes have an empty AS path in the local BGP table; the local AS number is only prepended when the route is advertised to an eBGP peer.

config router aspath-list
    edit "locally_orignated"
        config rule
            edit 1
                set action permit
                set regexp "^$"
            next
        end
    next
end
Step 2: Create a route-map and reference the aspath-list.
config router route-map
    edit "local_route_outbound"
        config rule
            edit 1
                set match-as-path "locally_orignated"
                unset set-ip-prefsrc
            next
        end
    next
end

Step 3: Apply the route-map as the route-map-out for each neighbor. A route-map ends with an implicit deny, so any route whose AS path does not match the aspath-list (that is, every route learned from a peer) is not advertised:

config router bgp
    set as 65002
    set router-id 3.3.3.3
    config neighbor
        edit "192.168.22.1"        << FGT-A IP address
            set remote-as 65000
            set route-map-out "local_route_outbound"
        next
        edit "50.50.50.51"         << FGT-C IP address
            set remote-as 65001
            set route-map-out "local_route_outbound"
        next
    end
end
After the configuration, wait for the advertisement-interval (30 seconds by default) or perform a BGP soft clear to refresh the route advertisement. See the KB article: Technical Tip: BGP soft reset to refresh BGP routing table without tearing down existing peering ses....
execute router clear bgp all soft out
Below is the BGP network table output from each FortiGate after filtering.

FGT-A:

get router info bgp network
VRF 0 BGP table version is 4, local router ID is 4.4.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop          Metric LocPrf Weight RouteTag Path
*> 11.11.11.0/24    192.168.22.2           0             0        0 65002 i
*> 22.22.22.0/24    0.0.0.0                      100  32768        0 i

FGT-B:

get router info bgp network
VRF 0 BGP table version is 13, local router ID is 3.3.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop          Metric LocPrf Weight RouteTag Path
*> 11.11.11.0/24    0.0.0.0                      100  32768        0 i
*> 22.22.22.0/24    192.168.22.1           0             0        0 65000 i
*> 33.33.33.0/24    50.50.50.51            0             0        0 65001 i

FGT-C:

get router info bgp network
VRF 0 BGP table version is 4, local router ID is 50.50.50.51
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop          Metric LocPrf Weight RouteTag Path
*> 11.11.11.0/24    50.50.50.52            0             0        0 65002 i
*> 33.33.33.0/24    0.0.0.0                      100  32768        0 i

After filtering, FGT-B only advertises its locally originated route, 11.11.11.0/24, to FGT-A and FGT-C. FGT-B's own table is unchanged, FGT-A no longer learns 33.33.33.0/24 (originated by FGT-C), and FGT-C no longer learns 22.22.22.0/24 (originated by FGT-A).
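To predict what the route-map-out will let through before committing it, the following Python script (an added example, not part of the article and not FortiOS code) parses a constructed copy of FGT-B's pre-filter table and applies the aspath-list regexp with the same first-match, implicit-deny semantics. The AS path is read by column position from the Path header, because Metric and LocPrf are blank on some rows; the `$`-only rule set and the deny-by-origin-AS rule set in the usage go beyond the article's single `^$` rule.

```python
import re

# Constructed sample: FGT-B's table before filtering, transcribed from the
# article and column-aligned the way "get router info bgp network" prints it.
FGTB_BGP_TABLE = """\
   Network        Next Hop      Metric LocPrf Weight RouteTag Path
*> 11.11.11.0/24  0.0.0.0                  100  32768        0   i
*> 22.22.22.0/24  192.168.22.1       0             0        0   65000 i
*> 33.33.33.0/24  50.50.50.51        0             0        0   65001 i
"""

# The article's aspath-list "locally_orignated": one permit rule, regexp ^$.
LOCAL_ONLY = [("permit", "^$")]


def parse_bgp_table(text):
    """Return [(prefix, next_hop, as_path)] for every best ('*>') row.

    Counting tokens is unsafe because Metric/LocPrf may be blank, so the AS
    path is sliced by the column where the 'Path' header starts.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = next(ln for ln in lines if "Network" in ln and "Path" in ln)
    path_col = header.index("Path")
    routes = []
    for ln in lines:
        if not ln.startswith("*>"):      # only best paths are advertised
            continue
        prefix, next_hop = ln.split()[1:3]
        tokens = ln[path_col:].split()    # e.g. ['65000', 'i']
        as_path = " ".join(tokens[:-1])   # drop the origin code (i / e / ?)
        routes.append((prefix, next_hop, as_path))
    return routes


def aspath_permitted(as_path, rules):
    """aspath-list evaluation: the first regexp that matches decides
    (unanchored search, as on the router); no match is an implicit deny."""
    for action, regexp in rules:
        if re.search(regexp, as_path):
            return action == "permit"
    return False


def advertised_prefixes(text, rules):
    """Simulate route-map-out with a single match-as-path rule."""
    return [prefix for prefix, _nh, path in parse_bgp_table(text)
            if aspath_permitted(path, rules)]


if __name__ == "__main__":
    print("advertised with ^$:", advertised_prefixes(FGTB_BGP_TABLE, LOCAL_ONLY))
    # Common slip: '$' (or '.*') alone matches every path and leaks transit routes.
    print("advertised with $ :", advertised_prefixes(FGTB_BGP_TABLE, [("permit", "$")]))
```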