Matt_B (Staff)
Article Id 370214
Description: This article explains why a route-map-out does not modify BGP attributes when FortiGate is acting as a BGP Route Reflector.
Scope: FortiGate v6.4.2 and later.
Solution:

BGP Route Reflection, defined in RFC 4456, is a method to avoid the IBGP requirement that each BGP peer within an Autonomous System (AS) form neighborships with every other BGP peer in the AS.

A BGP speaker acting as a Route-Reflector advertises any prefix learned from IBGP peers to all its route-reflector clients within the same local AS.

According to Section 10 of RFC 4456, a route reflector should not modify the NEXT_HOP, AS_PATH, LOCAL_PREF, or MED (metric) attributes of reflected routes. FortiOS implements this recommendation by not applying any attribute changes from a route-map-out to reflected routes, including changes to other BGP attributes such as community.

A FortiGate is configured as a route reflector by enabling route-reflector-client under the BGP neighbor or neighbor-group, as demonstrated in the article 'Technical Tip: Configuring BGP route reflector'. 

The next hop for reflected routes can be changed to the reflector's IP address without using a route-map, as described in the article 'Technical Tip: How to modify BGP next hop for route reflector peering'.

Example: 

Configuration of the HUB FortiGate configured as route reflector:

config router bgp
    set as 65000
    config neighbor
        edit "172.16.255.29"  <--- SPOKE1 IP address.
            set remote-as 65000
            set route-map-in "HUB-RM_SPOKE1-INBOUND"
            set route-reflector-client enable
        next
        edit "172.16.255.32"  <--- SPOKE2 IP address.
            set remote-as 65000
            set route-map-out "HUB-RM_SPOKE2-OUTBOUND"
            set route-reflector-client enable
        next
    end
    config network
        edit 1
            set prefix 10.255.255.1 255.255.255.255  <--- Network injected into BGP by HUB.
        next
    end
end

SPOKE1 has advertised the networks 10.29.100.0/24 and 10.255.255.29/32 to HUB.

HUB # get router info bgp neighbors 172.16.255.29 routes
VRF 0 BGP table version is 44, local router ID is 10.255.255.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight RouteTag Path
*>i10.29.100.0/24 172.16.255.29 0 100 0 0 i <-/1>  <----- Routes advertised by SPOKE1 and installed in HUB RIB.
*>i10.255.255.29/32 172.16.255.29 0 100 0 0 i <-/1>

Total number of prefixes 2

Since HUB is a route reflector, it advertises both networks learned from SPOKE1 to SPOKE2 as reflected routes.

HUB # get router info bgp neighbors 172.16.255.32 advertised-routes
VRF 0 BGP table version is 44, local router ID is 10.255.255.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight RouteTag Path
*>i10.29.100.0/24 172.16.255.29 100 0 0 i <-/->     <----- Reflected route originally advertised by SPOKE1.
*>i10.255.255.1/32 172.16.255.1 500 32768 0 i <-/-> <----- Additional route injected by HUB bgp network statement.
*>i10.255.255.29/32 172.16.255.29 100 0 0 i <-/->  <----- Reflected route originally advertised by SPOKE1.

Total number of prefixes 3


HUB has a route-map-out configured to modify the Local Preference and community of routes advertised to SPOKE2.

However, BGP diagnostics on SPOKE2 show that this modification is applied only to the non-reflected prefix 10.255.255.1/32.

config router route-map
    edit "HUB-RM_SPOKE2-OUTBOUND"
        set comments "Hub route-map for routes advertised to Spoke 2."
        config rule
            edit 1
                set set-community "65000:1"
                unset set-ip-prefsrc
                set set-local-preference 500
            next
        end
    next
end

SPOKE2 # get router info bgp neighbors 172.16.255.1 routes
VRF 0 BGP table version is 16, local router ID is 10.255.255.30
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight RouteTag Path
*>i10.29.100.0/24 172.16.255.29 0 100 0 0 i <-/1>
*>i10.255.255.1/32 172.16.255.1 0 500 0 0 i <-/1>
*>i10.255.255.29/32 172.16.255.29 0 100 0 0 i <-/1>

Total number of prefixes 3

SPOKE2 # get router info bgp network 10.255.255.1
VRF 0 BGP routing table entry for 10.255.255.1/32
Paths: (1 available, best #1, table Default-IP-Routing-Table)

Not advertised to any peer
Original VRF 0
Local

172.16.255.1 from 172.16.255.1 (10.255.255.1)

Origin IGP metric 0, localpref 500, valid, internal, best
Community: 65000:1
Last update: Tue Jan 14 16:53:49 2025

Local Preference is not changed for the reflected routes, and no community attribute is added to them. This is by design. Reflected routes can be identified by the presence of the 'Originator' and 'Cluster list' attributes.

SPOKE2 # get router info bgp network 10.29.100.0
VRF 0 BGP routing table entry for 10.29.100.0/24
Paths: (1 available, best #1, table Default-IP-Routing-Table)

Not advertised to any peer
Original VRF 0
Local

172.16.255.29 from 172.16.255.1 (10.255.255.29)

Origin IGP metric 0, localpref 100, valid, internal, best
Originator: 10.255.255.29, Cluster list: 10.255.255.1
Last update: Tue Jan 14 16:54:35 2025

SPOKE2 # get router info bgp network 10.255.255.29
VRF 0 BGP routing table entry for 10.255.255.29/32
Paths: (1 available, best #1, table Default-IP-Routing-Table)

Not advertised to any peer
Original VRF 0
Local

172.16.255.29 from 172.16.255.1 (10.255.255.29)

Origin IGP metric 0, localpref 100, valid, internal, best
Originator: 10.255.255.29, Cluster list: 10.255.255.1
Last update: Tue Jan 14 16:54:35 2025
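The check above (reflected routes carry the Originator and Cluster list attributes and keep their original Local Preference and community) can be automated when auditing a route reflector client. The following Python script is an added example, not part of this article or of FortiOS: it parses 'get router info bgp network' output and reports, per prefix, whether the reflector's route-map-out values are present. The sample output is constructed from the SPOKE2 lookups shown above, and the regular expressions assume the output layout shown in this article.

```python
# Added example: parse FortiOS 'get router info bgp network' output from a route-reflector client.
import re

# Constructed sample, trimmed from the three SPOKE2 lookups in the article.
SAMPLE_OUTPUT = """
VRF 0 BGP routing table entry for 10.255.255.1/32
  172.16.255.1 from 172.16.255.1 (10.255.255.1)
    Origin IGP metric 0, localpref 500, valid, internal, best
    Community: 65000:1
VRF 0 BGP routing table entry for 10.29.100.0/24
  172.16.255.29 from 172.16.255.1 (10.255.255.29)
    Origin IGP metric 0, localpref 100, valid, internal, best
    Originator: 10.255.255.29, Cluster list: 10.255.255.1
VRF 0 BGP routing table entry for 10.255.255.29/32
  172.16.255.29 from 172.16.255.1 (10.255.255.29)
    Origin IGP metric 0, localpref 100, valid, internal, best
    Originator: 10.255.255.29, Cluster list: 10.255.255.1
"""
ENTRY_RE = re.compile(r"BGP routing table entry for (\S+)")
ORIG_RE = re.compile(r"Originator: (\S+), Cluster list: (\S+)")

def parse_entries(text):
    """Return {prefix: {localpref, community, reflected, originator}} per table entry."""
    entries, cur = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = ENTRY_RE.search(line)
        if m:
            cur = entries.setdefault(m.group(1), {"localpref": None,
                  "community": set(), "reflected": False, "originator": None})
        elif line.startswith("Community:"):
            cur["community"].update(line.split(":", 1)[1].split())
        elif ORIG_RE.search(line):
            # Only a route reflector adds these attributes (RFC 4456): the route is reflected.
            cur["reflected"], cur["originator"] = True, ORIG_RE.search(line).group(1)
        elif "localpref" in line:
            cur["localpref"] = int(re.search(r"localpref (\d+)", line).group(1))
    return entries

def audit(entries, localpref, community):
    """Per prefix: 'applied', 'not applied', or 'reflected ...' (FortiOS skips
    route-map-out attribute changes on reflected routes, RFC 4456 section 10)."""
    verdict = {}
    for prefix, e in entries.items():
        applied = e["localpref"] == localpref and community in e["community"]
        if e["reflected"]:
            verdict[prefix] = "reflected from %s: %s" % (e["originator"],
                "unexpectedly modified" if applied else "route-map-out skipped by design")
        else:
            verdict[prefix] = "applied" if applied else "not applied: check route-map-out"
    return verdict
```

Run audit(parse_entries(SAMPLE_OUTPUT), 500, "65000:1") against the values set in HUB-RM_SPOKE2-OUTBOUND; only 10.255.255.1/32 reports 'applied', and the two reflected prefixes report the Originator 10.255.255.29 with the route-map-out skipped.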

Modifying BGP attributes of reflected routes:
To manipulate attributes of routes reflected from SPOKE1 to SPOKE2 through HUB, an administrator can apply the changes at any of the following locations instead:

  • SPOKE1's route-map-out to HUB.
  • HUB's route-map-in from SPOKE1.
  • SPOKE2's route-map-in from HUB.

Note that route-map changes take effect only after a route flap or a BGP soft reset, and then only once the advertisement-interval has elapsed; see the article 'Technical Tip: BGP soft reset...'.

The restriction on modifying BGP attributes does not apply to removing reflected routes. A route reflector can block a reflected route from being advertised to a specific route reflector client using route-map-out, distribute-list, or any other BGP route filtering method.