Description
This article gives a configuration example of how to achieve the following with BGP:
- Announce routes in BGP with network prefixes or redistribute policies.
- Accept ONLY a default route from a BGP peer.
Scope
FortiGate or VDOM in NAT mode.
Diagram:
The following diagram is used to illustrate this example. The focus of the configuration is on FGT-1.
Expectations, Requirements.
The requirement on FGT-1 is:
- Announce 192.168.0.0/21 to the BGP peer FGT_ISP. For this example, 192.168.0.0/21 is a valid static route on FGT-1, but it could be any type of route.
- Accept only the default route from the BGP peer FGT_ISP and deny all other updates.
FGT-1 configuration.
Only the relevant parts of the configuration are given. For more information about configuring BGP, see the related articles.- To announce 192.168.0.0/21, there are 2 solutions :
-
Based on a redistribute Policy.
-
config router bgp
config redistribute static <- static is used in this example because 192.168.0.0/21 is a static route; it must be adapted to each situation.
set status enable
end
end
This will redistribute all static routes that are effectively present in the routing table.
2. Based on network prefix:
2. Based on network prefix:
config router bgp
config network
edit 1
set prefix 192.168.0.0 255.255.248.0
next
end
end
With this option, and as for the route redistribution policy, the FortiGate will look for an exact matching route in the routing table before distributing it. This is because the prefixes need to be installed on the RIB first, either by static routes, directly connected, or learned by other dynamic routing protocols. This is not a FortiOS design but how the BGP protocol works.
Note that using the 'config network' method will advertise the NLRI with the origin type of incomplete.
Note that using the 'config network' method will advertise the NLRI with the origin type of incomplete.
- To accept only the default route, the BGP peer FGT_ISP.
config router prefix-list
edit "only_dflt"
config rule
edit 1
set prefix 0.0.0.0 0.0.0.0
unset ge
unset le
next
end
next
end
config router route-map
edit "only_default_route"
config rule
edit 1
set match-ip-address "only_dflt"
next
end
next
end
config router bgp
set as 2
config neighbor
edit 10.142.0.110
set remote-as 1
set route-map-in "only_default_route"
next
end
set router-id 10.142.0.205
end
edit "only_dflt"
config rule
edit 1
set prefix 0.0.0.0 0.0.0.0
unset ge
unset le
next
end
next
end
config router route-map
edit "only_default_route"
config rule
edit 1
set match-ip-address "only_dflt"
next
end
next
end
config router bgp
set as 2
config neighbor
edit 10.142.0.110
set remote-as 1
set route-map-in "only_default_route"
next
end
set router-id 10.142.0.205
end
Verification.
Verification on FGT-1 before implementing the route map.
FGT-1 (bgp) # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
B* 0.0.0.0/0 [20/0] via 10.142.0.110, wan1, 00:02:18
B 1.1.1.1/32 [20/0] via 10.142.0.110, wan1, 00:02:18
S 2.2.2.2/32 [10/0] via 192.168.183.254, wan2
O 10.128.0.0/10 [110/0] is a summary, Null, 00:02:23
C 10.142.0.0/23 is directly connected, wan1
B 10.160.0.0/23 [20/0] via 10.142.0.110, wan1, 00:02:18
C 10.161.0.0/30 is directly connected, Inter-vdom10
C 10.161.0.1/32 is directly connected, Inter-vdom10
C 10.161.0.4/30 is directly connected, Inter-vdom20
C 10.161.0.5/32 is directly connected, Inter-vdom20
B 192.168.0.0/16 [20/0] via 10.142.0.110, wan1, 00:02:18
S 192.168.0.0/21 [10/0] via 10.161.0.2, Inter-vdom10
B 192.168.168.0/24 [20/0] via 10.142.0.110, wan1, 00:02:18
S 192.168.171.0/24 [10/0] via 192.168.183.254, wan2
C 192.168.182.0/23 is directly connected, wan2
Verification on FGT-1 after implementing the route map.
FGT-1 (root) # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
B* 0.0.0.0/0 [20/0] via 10.142.0.110, wan1, 00:05:58
S 2.2.2.2/32 [10/0] via 192.168.183.254, wan2
O 10.128.0.0/10 [110/0] is a summary, Null, 00:06:03
C 10.142.0.0/23 is directly connected, wan1
O 10.160.0.0/23 [110/200] via 10.161.0.2, Inter-vdom10, 00:05:39
C 10.161.0.0/30 is directly connected, Inter-vdom10
C 10.161.0.1/32 is directly connected, Inter-vdom10
C 10.161.0.4/30 is directly connected, Inter-vdom20
C 10.161.0.5/32 is directly connected, Inter-vdom20
S 192.168.0.0/21 [10/0] via 10.161.0.2, Inter-vdom10
S 192.168.171.0/24 [10/0] via 192.168.183.254, wan2
C 192.168.182.0/23 is directly connected, wan2
Verification of routes received on FGT_ISP.
FGT_ISP (bgp) # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S* 0.0.0.0/0 [10/0] via 192.168.183.254, port1
S 1.1.1.1/32 [10/0] via 192.168.183.254, port1
C 10.142.0.0/23 is directly connected, port6
C 10.160.0.0/23 is directly connected, port2
S 192.168.0.0/16 [10/0] via 192.168.183.254, port1
B 192.168.0.0/21 [20/0] via 10.142.0.205, port6, 00:09:01
S 192.168.168.0/24 [10/0] via 192.168.183.254, port1
C 192.168.182.0/23 is directly connected, port1
Related articles:
Technical Note : How to implement BGP route summary (aggregation) on a FortiGate
