Technical Tip: BGP route advertisements using 'set match-interface' under route-maps

sagha · ‎12-13-2020

Description
This article describes how to use 'set match-interface' under 'config router route-map' to allow or deny the advertisements of routes via BGP.

Solution
Below is the basic BGP configuration:

BGP configuration:

# config router bgp
   set as 64540
   set router-id 10.120.0.2
# config neighbor
   edit "10.120.0.1"
        set remote-as 64540
   next
end
# config redistribute "connected"
   set status enable
end
end

BGP Routing table:

FGT_test # get router info bgp network
BGP table version is 1, local router ID is 10.120.0.2

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network          Next Hop            Metric LocPrf Weight RouteTag Path
*> 10.0.0.0/20      0.0.0.0                            32768        0 ? <-/1>
*> 10.1.10.0/24     0.0.0.0                            32768        0 ? <-/1>
*> 10.5.16.0/20     0.0.0.0                            32768        0 ? <-/1>

Total number of prefixes 3

In the above output, we can see that 10.1.10.0/24 is part of the BGP network.

The network is configured on the following interface as follows:

# config system interface
    edit "loopback1"
        set vdom "root"
        set ip 10.1.10.1 255.255.255.0
        set allowaccess ping
        set type loopback
        set snmp-index 7
    next
end

Here, the configuration is implemented to block this loopback1 network to be advertised to BGP peer.

1) Create a prefix list that allows everything.

# config router prefix-list
    edit "all_prefixes"
        # config rule
            edit 1
                set prefix any
                unset ge
                unset le
            next
        end
    next
end

2) Create a route map with the first entry deny on a specific interface and second entry allow all IPs.

# config router route-map
    edit "Filter_route"
        # config rule
            edit 1
                set action deny
                set match-interface "loopback1"
            next
            edit 2
                set match-ip-address "all_prefixes"
            next
        end
    next
end

3) Apply the route map to redistribute connected.

# config router bgp
   set as 64540
   set router-id 10.120.0.2
# config neighbor
   edit "10.120.0.1"
        set remote-as 64540
   next
end
# config redistribute "connected"
   set status enable
   set route-map "Filter_route"
next
end
end

4) The IP subnet of that interface will not be appearing in the BGP routing table afterward.

FGT_test # get router info bgp network
BGP table version is 1, local router ID is 10.120.0.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network          Next Hop            Metric LocPrf Weight RouteTag Path
*> 10.0.0.0/20      0.0.0.0                            32768        0 ? <-/1>
*> 10.5.16.0/20     0.0.0.0                            32768        0 ? <-/1>

5) The same can be implemented in a scenario where you want to advertise only a single connected route to BGP peer and not all the connected route.

For that, the route-map needs to change accordingly with rest of the configuration staying the same:

# config router route-map
    edit "Filter_route"
        # config rule
            edit 1
                set action allow
                set match-interface "loopback1"
            next
            edit 2
                set action deny
                set match-ip-address "all_prefixes"
            next
        end
    next
end

Related articles.
https://docs.fortinet.com/document/fortigate/6.2.6/cli-reference/528620/router-route-map
https://docs.fortinet.com/document/fortigate/6.4.3/cli-reference/548620/router-route-map