Created on 12-01-2009 01:50 AM
Edited on 10-31-2025 03:07 AM
By Anthony_E
Description
This article provides a BGP configuration example that controls which BGP routes a FortiGate advertises to each BGP peer: an access list and an outbound route map (route-map-out) are used so that a peer receives only the routes intended for it and all others are withheld.
Diagram:
The original diagram is not reproduced here. The topology used in the example, as reflected in the configuration and routing tables below: FGT2 (AS 65110, router-id 172.31.224.110) peers with FGT1 (172.31.224.136, AS 65136) on port1, and with FGT3 (192.168.182.78, AS 65078) and FGT4 (192.168.182.66, AS 65066) on port2 (192.168.182.110).
Expectations and requirements:
FGT2 must advertise to FGT3 and FGT4 only specific BGP routes learned from FGT1:
FGT3 must learn only route 10.10.10.0/24.
FGT4 must learn only route 10.160.0.0/23.
FGT1 is announcing in BGP the following routes:
10.10.10.0/24
10.160.0.0/23
172.31.224.0/23
FGT3 is announcing in BGP the following routes:
10.158.0.0/23
192.168.182.0/23
FGT4 is announcing in BGP the following routes:
10.161.0.0/23
10.162.0.0/23
Note:
From FortiOS v7.6.0, firewall addresses and address groups can be used as BGP network prefixes. Refer to the following document for more information: BGP network prefixes utilize firewall addresses and groups
Scope
Solution
Configuring an access list per peer and applying it through an outbound route map (route-map-out) on FortiGate 2 (FGT2) filters the routes advertised to each neighbor. Each access list permits exactly one prefix (exact-match is enabled, so a more or less specific prefix would not match), and each route-map rule references that access list. A route-map rule with no explicit action permits, and a route that matches no rule of the route map is denied, so each peer receives only the prefix its access list permits and everything else is withheld. The filter is applied outbound only; FGT2's own routing table is not affected.
Only the relevant parts of the FortiGate 2 (FGT2) configuration are provided in CLI format:
config router access-list
    edit "match_fgt4"
            config rule
                edit 1
                    set prefix 10.160.0.0 255.255.254.0
                    set exact-match enable
                next
            end
    next
    edit "match_fgt3"
            config rule
                edit 1
                    set prefix 10.10.10.0 255.255.255.0
                    set exact-match enable
                next
            end
    next
end
config router route-map
    edit "route_map_out_fgt3"
            config rule
                edit 1
                    set match-ip-address "match_fgt3"
                next
            end
    next
    edit "route_map_out_fgt4"
            config rule
                edit 1
                    set match-ip-address "match_fgt4"
                next
            end
    next
end
config router bgp
    set as 65110
        config neighbor
            edit "172.31.224.136"
                set remote-as 65136
            next
            edit "192.168.182.78"
                set remote-as 65078
                set route-map-out "route_map_out_fgt3"
            next
            edit "192.168.182.66"
                set remote-as 65066
                set route-map-out "route_map_out_fgt4"
            next
        end
    set router-id 172.31.224.110
end
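To make the selection logic explicit before it is pushed to a device, the following Python model reproduces the matching semantics relied on above: access-list rules with and without exact-match, rule actions that default to permit, and the implicit deny when no rule matches. This is an added example, not FortiOS code or a Fortinet tool; the function names (advertised_to, exact_match_effect) are the example's own, the peer and prefix data are taken from this page, and the more-specific prefix 10.160.0.0/24 used to illustrate exact-match is constructed for illustration and does not appear on the page.

```python
"""Model of how a FortiGate outbound route map, backed by access lists, decides
which prefixes a BGP neighbor receives.  Added example, not FortiOS code: it
reproduces the page's matching semantics (exact-match prefix rules, actions
defaulting to permit, implicit deny) so a filter can be checked offline."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import Dict, List, Optional


@dataclass
class AccessRule:
    prefix: str                 # "set prefix 10.160.0.0 255.255.254.0" -> "10.160.0.0/23"
    exact_match: bool = False   # "set exact-match enable"
    action: str = "permit"      # FortiGate default when no action is set

    def matches(self, route: IPv4Network) -> bool:
        rule_net = ip_network(self.prefix)
        if self.exact_match:
            return route == rule_net
        # exact-match disabled: the prefix itself and any more-specific prefix
        # inside it match (subnet_of is also true for an equal network).
        return route.subnet_of(rule_net)


@dataclass
class AccessList:
    rules: List[AccessRule]

    def evaluate(self, route: IPv4Network) -> str:
        for rule in self.rules:           # first matching rule wins
            if rule.matches(route):
                return rule.action
        return "deny"                     # implicit deny at the end of the list


@dataclass
class RouteMapRule:
    match_ip_address: Optional[str] = None   # access-list name; None matches everything
    action: str = "permit"                   # FortiGate default


@dataclass
class RouteMap:
    rules: List[RouteMapRule]

    def permits(self, route: IPv4Network, acls: Dict[str, AccessList]) -> bool:
        for rule in self.rules:
            if rule.match_ip_address is None:
                matched = True
            else:
                # A route the access list denies merely fails this rule's match
                # clause; evaluation continues with the next rule.
                matched = acls[rule.match_ip_address].evaluate(route) == "permit"
            if matched:
                return rule.action == "permit"
        return False   # implicit deny: an unmatched route is not advertised


# FGT2 configuration from the page, expressed in this model.
ACCESS_LISTS = {
    "match_fgt3": AccessList([AccessRule("10.10.10.0/24", exact_match=True)]),
    "match_fgt4": AccessList([AccessRule("10.160.0.0/23", exact_match=True)]),
}
ROUTE_MAPS = {
    "route_map_out_fgt3": RouteMap([RouteMapRule("match_fgt3")]),
    "route_map_out_fgt4": RouteMap([RouteMapRule("match_fgt4")]),
}
NEIGHBOR_ROUTE_MAP_OUT = {
    "172.31.224.136": None,                  # FGT1: no outbound filter, nothing removed here
    "192.168.182.78": "route_map_out_fgt3",  # FGT3
    "192.168.182.66": "route_map_out_fgt4",  # FGT4
}
# Prefixes FGT2 holds in BGP before filtering: FGT1's three plus FGT3's and FGT4's.
FGT2_BGP_PREFIXES = [
    "10.10.10.0/24", "10.160.0.0/23", "172.31.224.0/23",   # from FGT1
    "10.158.0.0/23", "192.168.182.0/23",                   # from FGT3
    "10.161.0.0/23", "10.162.0.0/23",                      # from FGT4
]


def advertised_to(neighbor: str, prefixes: List[str] = FGT2_BGP_PREFIXES) -> List[str]:
    """Prefixes FGT2 offers to `neighbor` after its route-map-out, if one is set."""
    rm_name = NEIGHBOR_ROUTE_MAP_OUT[neighbor]
    nets = sorted(ip_network(p) for p in prefixes)
    if rm_name is None:
        return [str(n) for n in nets]
    rm = ROUTE_MAPS[rm_name]
    return [str(n) for n in nets if rm.permits(n, ACCESS_LISTS)]


def exact_match_effect(route: str = "10.160.0.0/24") -> Dict[str, str]:
    """Constructed more-specific prefix (not on the page): what exact-match changes."""
    net = ip_network(route)
    return {
        "exact_match_enable": AccessList([AccessRule("10.160.0.0/23", True)]).evaluate(net),
        "exact_match_disable": AccessList([AccessRule("10.160.0.0/23", False)]).evaluate(net),
    }


if __name__ == "__main__":
    for peer in NEIGHBOR_ROUTE_MAP_OUT:
        print(peer, "<-", advertised_to(peer))
    print(exact_match_effect())
```

Two consequences of the implicit deny are worth keeping in mind. First, if FGT1 later starts announcing an additional prefix, FGT3 and FGT4 will not receive it until the corresponding access list is extended, which is usually the desired fail-closed behaviour for an outbound filter. Second, with exact-match enabled a more specific prefix such as 10.160.0.0/24 (constructed above) is denied; disabling exact-match would let the /23 rule also permit any more specific prefix inside it, so choose the setting deliberately rather than by default.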
Verification before configuring the route maps on FGT2 (every BGP route is advertised to every peer):
FGT2 # get router info routing-table all
S*      0.0.0.0/0 [10/0] via 172.31.225.254, port1
B       10.10.10.0/24 [20/0] via 172.31.224.136, port1, 00:00:06
B       10.158.0.0/23 [20/0] via 192.168.182.78, port2, 00:00:06
B       10.160.0.0/23 [20/0] via 172.31.224.136, port1, 00:00:06
B       10.161.0.0/23 [20/0] via 192.168.182.66, port2, 00:00:01
B       10.162.0.0/23 [20/0] via 192.168.182.66, port2, 00:00:01
C       172.31.224.0/23 is directly connected, port1
C       192.168.182.0/23 is directly connected, port2
FGT3 # get router info routing-table all
S*      0.0.0.0/0 [10/0] via 192.168.183.254, wan1
B       10.10.10.0/24 [20/0] via 192.168.182.110, wan1, 00:06:04
C       10.158.0.0/23 is directly connected, internal
B       10.160.0.0/23 [20/0] via 192.168.182.110, wan1, 00:06:04
B       10.161.0.0/23 [20/0] via 192.168.182.66, wan1, 00:05:35
B       10.162.0.0/23 [20/0] via 192.168.182.66, wan1, 00:05:35
B       172.31.224.0/23 [20/0] via 192.168.182.110, wan1, 00:06:04
C       192.168.182.0/23 is directly connected, wan1
FGT4 # get router info routing-table all
S*      0.0.0.0/0 [10/0] via 192.168.183.254, wan1
B       10.10.10.0/24 [20/0] via 192.168.182.110, wan1, 00:06:51
B       10.158.0.0/23 [20/0] via 192.168.182.78, wan1, 00:06:51
B       10.160.0.0/23 [20/0] via 192.168.182.110, wan1, 00:06:51
C       10.161.0.0/23 is directly connected, wan1
C       10.162.0.0/23 is directly connected, wan1
B       172.31.224.0/23 [20/0] via 192.168.182.110, wan1, 00:06:51
C       192.168.182.0/23 is directly connected, wan1
Verification after applying the route maps on FGT2. FGT2's own routing table is unchanged, because the filter acts only on what FGT2 advertises; FGT3 and FGT4 now hold only the single prefix permitted for them. To confirm exactly what FGT2 sends to a given peer, use the command get router info bgp neighbors <peer-ip> advertised-routes on FGT2. If the peers' routing tables do not reflect a route-map change, trigger a soft outbound reset with execute router clear bgp all soft out.
FGT2 # get router info routing-table all
S*      0.0.0.0/0 [10/0] via 172.31.225.254, port1
B       10.10.10.0/24 [20/0] via 172.31.224.136, port1, 00:00:31
B       10.158.0.0/23 [20/0] via 192.168.182.78, port2, 00:00:31
B       10.160.0.0/23 [20/0] via 172.31.224.136, port1, 00:00:31
B       10.161.0.0/23 [20/0] via 192.168.182.66, port2, 00:00:26
B       10.162.0.0/23 [20/0] via 192.168.182.66, port2, 00:00:26
C       172.31.224.0/23 is directly connected, port1
C       192.168.182.0/23 is directly connected, port2
FGT3 # get router info routing-table all
S*      0.0.0.0/0 [10/0] via 192.168.183.254, wan1
B       10.10.10.0/24 [20/0] via 192.168.182.110, wan1, 00:00:48
C       10.158.0.0/23 is directly connected, internal
C       192.168.182.0/23 is directly connected, wan1
FGT4 # get router info routing-table all
S*      0.0.0.0/0 [10/0] via 192.168.183.254, wan1
B       10.160.0.0/23 [20/0] via 192.168.182.110, wan1, 00:00:36
C       10.161.0.0/23 is directly connected, wan1
C       10.162.0.0/23 is directly connected, wan1
C       192.168.182.0/23 is directly connected, wan1
Copyright 2025 Fortinet, Inc. All Rights Reserved.