FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ppatel
Staff
Staff
Description
The community attribute is an optional transitive BGP attribute that can be assigned to a specific prefix and advertised to other neighbors.
When the neighbor receives the prefix it will examine the community value and take proper action whether it is filtering or modifying other attributes.

This article describes how to add the community string and how to further filter routes based on community string.

Solution


On FGT1.
-------------
Has to advertise both 10.220.0.0/20 and 10.210.0.0/20 to EBGP neighbor 'FGT2' such that ->
10.220.0.0/20 – advertised with community '7922:100'.
10.210.0.0/20 – advertised with community '7922:290'.
# config router access-list
    edit "add-community"
        # config rule
            edit 1
                set prefix 10.220.0.0 255.255.240.0
            next
        end
    next
    edit "add-community-2"
        # config rule
            edit 1
                set prefix 10.210.0.0 255.255.240.0
            next
        end
# config router route-map
    edit "add-community"
        # config rule
            edit 1
                set match-ip-address "add-community"    <----- 10.220.0.0/20.
                set set-community "7922:100"   
                set action permit
            next
            edit 2
                set match-ip-address "add-community-2"  <----- 10.210.0.0/20.
                set set-community "7922:290"
                set action permit
            next

FGT1 # sh router bgp
# config router bgp

    set as 65100
    set router-id 10.5.22.116
    # config neighbor
        edit "10.5.27.164"
            set soft-reconfiguration enable
            set remote-as 65200
            set route-map-out "add-community"           <-----
        next
Verification:
------------
On FGT1.
FGT1 # get router info bgp community-info
Address Refcnt Community
[0x7f3826d23b68] (1) 7922:290
[0x7f3826d23bb0] (1) 7922:100
FGT1 # get router info bgp neighbors "10.5.27.164" advertised-routes
   Network          Next Hop            Metric LocPrf Weight RouteTag Path
*> 10.210.0.0/20    10.5.22.116                   100  32768        0 i <-/->
*> 10.220.0.0/20    10.5.22.116                   100  32768        0 i <-/->
On FGT2.
FGT2 # get router info bgp community 7922:100
   Network          Next Hop            Metric LocPrf Weight RouteTag Path
*> 10.220.0.0/20    10.5.22.116              0             0        0 65100 i <-/1>
Total number of prefixes 1
FGT2 # get router info bgp community 7922:290
   Network          Next Hop            Metric LocPrf Weight RouteTag Path
*> 10.210.0.0/20    10.5.22.116              0             0        0 65100 i <-/1>
On FGT2.
-------------
Only advertise the routes with community '7922:100' to FGT3.
FGT2 # sh router community-list
# config router community-list

    edit "community-100"
        # config rule   
            edit 1
                set action permit
                set match "7922:100"
            next
# config router route-map
    edit "only-community-100"
        # config rule
            edit 1
                set match-community "community-100"
                set action permit
            next
            edit 2
                set action deny  --
            next
# config router bgp
    set as 65200
       # config neighbor
        edit "10.5.19.214"
            set remote-as 65300
            set route-map-out "only-community-100"      <-----
        next
    end
Verification.
-------------
On FGT3.
FGT3# get router info bgp community-info
Address Refcnt Community
[0x7f4c02777898] (1) 7922:100

FGT3 # get router info bgp neighbors "10.5.27.164" received-routes
   Network          Next Hop            Metric LocPrf Weight RouteTag Path
*> 10.220.0.0/20    10.5.22.116              0             0        0 65200 65100 i <-/1>

Contributors