FortiGate
sagha
Staff
Article Id 195132

Description

 

This article describes how to use 'set match-interface' under 'config router route-map' to allow or deny the advertisements of routes via BGP.

 

Scope

 

FortiGate.

Solution

 

The following is the basic BGP configuration:

BGP configuration:

 

config router bgp
    set as 64540
    set router-id 10.120.0.2
    config neighbor
        edit "10.120.0.1"
            set remote-as 64540
        next
    end
    config redistribute "connected"
        set status enable
    end
end

 

BGP Routing table:

 

FGT_test # get router info bgp network
BGP table version is 1, local router ID is 10.120.0.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network          Next Hop            Metric LocPrf Weight RouteTag Path
*> 10.0.0.0/20      0.0.0.0                            32768        0 ? <-/1>
*> 10.1.10.0/24     0.0.0.0                            32768        0 ? <-/1>
*> 10.5.16.0/20     0.0.0.0                            32768        0 ? <-/1>

Total number of prefixes 3

 

In the above output, it can be observed that 10.1.10.0/24 is part of the BGP network.

The network is configured on the following interface as follows:

 

config system interface
    edit "loopback1"
        set vdom "root"
        set ip 10.1.10.1 255.255.255.0
        set allowaccess ping
        set type loopback
        set snmp-index 7
    next
end

 

The following configuration blocks the loopback1 network from being advertised to the BGP peer.

1. Create a prefix list that allows everything.

 

config router prefix-list
    edit "all_prefixes"
        config rule
            edit 1
                set prefix any
                unset ge
                unset le
            next
        end
    next
end

 

2. Create a route map whose first rule denies routes from a specific interface and whose second rule permits all prefixes.

 

config router route-map
    edit "Filter_route"
        config rule
            edit 1
                set action deny
                set match-interface "loopback1"
            next
            edit 2
                set match-ip-address "all_prefixes"
            next
        end
    next
end

 

3. Apply the route map to 'redistribute connected'.

 

config router bgp
    set as 64540
    set router-id 10.120.0.2
    config neighbor
        edit "10.120.0.1"
            set remote-as 64540
        next
    end
    config redistribute "connected"
        set status enable
        set route-map "Filter_route"
    end
end

 

4. Afterwards, the IP subnet of that interface no longer appears in the BGP routing table.

 

FGT_test # get router info bgp network
BGP table version is 1, local router ID is 10.120.0.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network          Next Hop            Metric LocPrf Weight RouteTag Path
*> 10.0.0.0/20      0.0.0.0                            32768        0 ? <-/1>
*> 10.5.16.0/20     0.0.0.0                            32768        0 ? <-/1>
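As an added verification step (this script is not from the article or from Fortinet), the following Python parses the output of 'get router info bgp network' shown on this page, so a change like this can be checked automatically from captured CLI output, for example in a post-change or compliance check. The two sample outputs are the 'before' and 'after' tables from this article, embedded as constructed strings; the column layout assumed is the one shown on the page, and the 'Total number of prefixes' line is treated as optional because the second output lacks it.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the 'before' output from the article (loopback1 still advertised).
SAMPLE_BEFORE = """\
FGT_test # get router info bgp network
BGP table version is 1, local router ID is 10.120.0.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network          Next Hop            Metric LocPrf Weight RouteTag Path
*> 10.0.0.0/20      0.0.0.0                            32768        0 ? <-/1>
*> 10.1.10.0/24     0.0.0.0                            32768        0 ? <-/1>
*> 10.5.16.0/20     0.0.0.0                            32768        0 ? <-/1>

Total number of prefixes 3
"""

# Constructed sample: the 'after' output once the route-map is applied.
SAMPLE_AFTER = """\
FGT_test # get router info bgp network
BGP table version is 1, local router ID is 10.120.0.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network          Next Hop            Metric LocPrf Weight RouteTag Path
*> 10.0.0.0/20      0.0.0.0                            32768        0 ? <-/1>
*> 10.5.16.0/20     0.0.0.0                            32768        0 ? <-/1>
"""

# One table row: optional status codes, then the network, the next hop, and the
# remaining columns kept as raw tokens (Metric/LocPrf/Weight/RouteTag/Path).
ROUTE_LINE = re.compile(
    r"^(?P<codes>[sdhiS*> ]*?)"
    r"(?P<network>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\s+"
    r"(?P<nexthop>\S+)\s+(?P<rest>.*)$"
)
TOTAL_LINE = re.compile(r"^Total number of prefixes (\d+)\s*$")


def parse_bgp_table(output: str) -> Dict[str, dict]:
    """Map each network in the table to its status flags and next hop."""
    routes: Dict[str, dict] = {}
    for line in output.splitlines():
        m = ROUTE_LINE.match(line)
        if not m:
            continue                      # banner, legend and header lines
        codes = m.group("codes")
        routes[m.group("network")] = {
            "valid": "*" in codes,
            "best": ">" in codes,
            "suppressed": "s" in codes,
            "next_hop": m.group("nexthop"),
            "attributes": m.group("rest").split(),
        }
    return routes


def reported_total(output: str) -> Optional[int]:
    """The 'Total number of prefixes' counter, or None if the output lacks it."""
    for line in output.splitlines():
        m = TOTAL_LINE.match(line)
        if m:
            return int(m.group(1))
    return None


def table_is_consistent(output: str) -> bool:
    """Sanity check: the counter (when present) matches the rows we parsed."""
    total = reported_total(output)
    return total is None or total == len(parse_bgp_table(output))


def prefixes_in_table(output: str, prefixes: List[str]) -> List[str]:
    """Which of the given prefixes (e.g. ones that must stay private) are still in BGP."""
    table = parse_bgp_table(output)
    return [p for p in prefixes if p in table]


if __name__ == "__main__":
    leaked = prefixes_in_table(SAMPLE_AFTER, ["10.1.10.0/24"])
    print("filter applied correctly" if not leaked else f"still advertised: {leaked}")
```

In practice the output string would come from the captured CLI session rather than the embedded samples; `prefixes_in_table` returning an empty list for the loopback1 subnet is the condition to assert after the change.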

 

5. The same approach works when only a single connected route should be advertised to the BGP peer instead of all connected routes.

For that, the route-map needs to change as follows, with the rest of the configuration staying the same:

 

config router route-map
    edit "Filter_route"
        config rule
            edit 1
                set action permit
                set match-interface "loopback1"
            next
            edit 2
                set action deny
                set match-ip-address "all_prefixes"
            next
        end
    next
end
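To make the route-map logic concrete, here is an added Python model (not FortiGate code) of how the two route-maps on this page evaluate the connected routes from the routing table above, plus a third, deliberately incomplete map with only the deny rule to show why the permit-all rule 2 is needed. It assumes the documented FortiOS route-map semantics: rules are tried in ascending order, the first rule whose match conditions all hold decides, a rule without 'set action' permits, and a route that matches no rule is dropped by the implicit deny at the end of every route-map. The interface names port1 and port2 for the two other connected prefixes are constructed; the article only names loopback1.

```python
"""Added model of FortiOS route-map evaluation for 'redistribute connected'.

Not FortiGate code. Assumed semantics: rules are evaluated in ascending
order, the first rule whose match conditions all hold decides, a rule
without 'set action' permits, and a route matching no rule is denied
(implicit deny at the end of every route-map).
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ConnectedRoute:
    prefix: str       # e.g. "10.1.10.0/24"
    interface: str    # interface the prefix is configured on


@dataclass(frozen=True)
class Rule:
    action: str = "permit"                    # FortiOS default when 'set action' is omitted
    match_interface: Optional[str] = None     # 'set match-interface'
    match_ip_address: Optional[str] = None    # 'set match-ip-address <prefix-list>'


# Prefix-lists: name -> entries of (prefix, ge, le). "any" matches every prefix,
# as in the article's all_prefixes list; an explicit prefix without ge/le is
# treated as an exact-length match (assumption about FortiOS prefix-list semantics).
PREFIX_LISTS: Dict[str, List[Tuple[str, Optional[int], Optional[int]]]] = {
    "all_prefixes": [("any", None, None)],
}


def prefix_list_permits(name: str, prefix: str) -> bool:
    route = ip_network(prefix)
    for entry, ge, le in PREFIX_LISTS[name]:
        if entry == "any":
            return True
        net = ip_network(entry)
        if not route.subnet_of(net):
            continue
        low = net.prefixlen if ge is None else ge
        high = le if le is not None else (net.max_prefixlen if ge is not None else net.prefixlen)
        if low <= route.prefixlen <= high:
            return True
    return False


def route_map_permits(rules: List[Rule], route: ConnectedRoute) -> bool:
    """First matching rule decides; no match means implicit deny."""
    for rule in rules:
        if rule.match_interface is not None and rule.match_interface != route.interface:
            continue
        if rule.match_ip_address is not None and not prefix_list_permits(rule.match_ip_address, route.prefix):
            continue
        return rule.action == "permit"
    return False


def redistributed(rules: List[Rule], routes: List[ConnectedRoute]) -> List[str]:
    """Prefixes that 'redistribute connected' would inject into BGP under this route-map."""
    return [r.prefix for r in routes if route_map_permits(rules, r)]


# Constructed routing table matching the article's output; only loopback1 is
# named on the page, port1/port2 are placeholders for the other two interfaces.
CONNECTED = [
    ConnectedRoute("10.0.0.0/20", "port1"),
    ConnectedRoute("10.1.10.0/24", "loopback1"),
    ConnectedRoute("10.5.16.0/20", "port2"),
]

# Route-map from steps 1-3: deny loopback1, permit everything else.
BLOCK_LOOPBACK1 = [
    Rule(action="deny", match_interface="loopback1"),
    Rule(match_ip_address="all_prefixes"),
]

# Route-map from step 5: permit only loopback1, deny everything else.
ONLY_LOOPBACK1 = [
    Rule(action="permit", match_interface="loopback1"),
    Rule(action="deny", match_ip_address="all_prefixes"),
]

# Misconfiguration for contrast: the deny rule alone, without rule 2.
DENY_RULE_ONLY = [Rule(action="deny", match_interface="loopback1")]


if __name__ == "__main__":
    for name, rules in [("block loopback1", BLOCK_LOOPBACK1),
                        ("only loopback1", ONLY_LOOPBACK1),
                        ("deny rule only", DENY_RULE_ONLY)]:
        print(f"{name}: {redistributed(rules, CONNECTED)}")
```

The third case is the one worth remembering: a route-map consisting only of a deny rule redistributes nothing at all, because every non-matching route falls through to the implicit deny. That is why both route-maps on this page carry a catch-all rule 2 referencing the all_prefixes list.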

 

Note: a route-map that uses 'set match-interface' must be applied under the 'redistribute connected' BGP configuration, not under a specific neighbor configuration; applied to a neighbor, it will not function correctly.
