FortiGate
ckumar_FTNT
Staff
Article Id 192930

Description

This article describes a prefix-list policy configuration example that stops a FortiGate from advertising a specific route to its BGP peers.

BGP routes can be controlled with an access-list, a prefix-list, a route-map, or a combination of them (an access-list or prefix-list referenced from a route-map).


Solution

For this example, the following topology will be used:

Assuming that the BGP session with the peer device (the neighbor) is in the Established state, the following FortiGate CLI configuration blocks the 10.10.1.0/24 network from being advertised and allows any other network.

Create a prefix-list policy.

show router prefix-list
config router prefix-list
    edit "blockrule"
        config rule
            edit 1
                set action deny
                set prefix 10.10.1.0 255.255.255.0
                unset ge
                unset le
            next
            edit 2
                set prefix any
                unset ge
                unset le
            next
        end
    next
end

Note that if the second entry with the 'any' prefix is omitted, none of the routes will be advertised, even those that are not explicitly listed with the action set to 'deny': a prefix-list ends with an implicit deny, so it must contain at least one entry with the action set to 'permit' to advertise the desired subnet(s). In the configuration above, 'set action permit' is not shown because permit is the default action of a prefix-list entry.

Now reference the prefix-list directly in the BGP configuration.

show router bgp
config router bgp
    set as 100
    set network-import-check disable
    config neighbor
        edit "10.5.20.160"
            set prefix-list-out "blockrule"
            set remote-as 101
        next
    end
end

Note:
To control received routes, apply the policy in the inbound direction with 'set prefix-list-in'.
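The following Python model of prefix-list evaluation is an added example and is not Fortinet code or part of this article. It reproduces the two points above: the first matching entry decides, a route that matches no entry is implicitly denied (so 'blockrule' without its 'any' entry advertises nothing), and the same list filters either the advertised routes (prefix-list-out) or the received routes (prefix-list-in). The 'ge'/'le' handling (route must fall inside the configured prefix with a length within the range) follows conventional prefix-list semantics and is an assumption, since the page leaves both unset; the three sample prefixes are taken from the 'adv' output below.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import List, Optional


@dataclass
class PrefixRule:
    """One 'edit <seq>' entry of a 'config router prefix-list' policy."""
    seq: int
    prefix: Optional[IPv4Network]  # None models 'set prefix any'
    action: str = "permit"         # permit is the default, so the page's config does not show it
    ge: Optional[int] = None       # 'set ge': minimum prefix length (unset on the page)
    le: Optional[int] = None       # 'set le': maximum prefix length (unset on the page)

    def matches(self, route: IPv4Network) -> bool:
        if self.prefix is None:
            return True
        if self.ge is None and self.le is None:
            # No length range: the route must equal the configured prefix exactly.
            return route == self.prefix
        # Assumption (conventional prefix-list semantics, not stated on the page):
        # with ge/le the route must lie inside the configured prefix and its length
        # must fall within [ge, le]; a missing bound defaults to the configured
        # prefix length (ge) or the maximum length, 32 (le).
        if not route.subnet_of(self.prefix):
            return False
        lo = self.ge if self.ge is not None else self.prefix.prefixlen
        hi = self.le if self.le is not None else self.prefix.max_prefixlen
        return lo <= route.prefixlen <= hi


def evaluate(rules: List[PrefixRule], route: str) -> str:
    """Return 'permit' or 'deny' for one route: the first matching entry wins, and a
    route that matches no entry hits the implicit deny at the end of the list."""
    net = ip_network(route)
    for rule in sorted(rules, key=lambda r: r.seq):
        if rule.matches(net):
            return rule.action
    return "deny"


def filter_routes(rules: List[PrefixRule], routes: List[str]) -> List[str]:
    """Apply the prefix-list to a route table, the way prefix-list-out filters the
    routes sent to a neighbor (or prefix-list-in the routes accepted from it)."""
    return [r for r in routes if evaluate(rules, r) == "permit"]


# The page's 'blockrule' policy: deny 10.10.1.0/24, then permit anything else.
BLOCKRULE = [
    PrefixRule(seq=1, prefix=ip_network("10.10.1.0/24"), action="deny"),
    PrefixRule(seq=2, prefix=None),  # 'set prefix any' with the default permit action
]

# The same policy with the 'any' entry left out, to show the implicit deny.
BLOCKRULE_WITHOUT_ANY = BLOCKRULE[:1]

# Constructed sample input: the three prefixes in the page's 'adv' output before the
# prefix-list was applied (192.168.x.0 is shown classfully there, i.e. /24).
ADVERTISED_BEFORE = ["10.10.1.0/24", "192.168.1.0/24", "192.168.2.0/24"]


if __name__ == "__main__":
    print("with 'any' entry:   ", filter_routes(BLOCKRULE, ADVERTISED_BEFORE))
    print("without 'any' entry:", filter_routes(BLOCKRULE_WITHOUT_ANY, ADVERTISED_BEFORE))
```

One caveat the model makes visible: because entry 1 has no 'ge'/'le', it matches only the exact 10.10.1.0/24 route, so a more specific route such as 10.10.1.0/25 would still be advertised by the 'any' entry. If more specific routes inside the block should be suppressed too, the deny entry needs a length range (for example 'set ge 24' with 'set le 32').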

Results:

Before configuring the prefix-list:

# get router info bgp neighbors 10.5.20.160 adv
VRF 0 BGP table version is 3, local router ID is 172.31.135.228
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight RouteTag Path
*> 10.10.1.0/24     10.5.23.228                   100  32768        0 i <-/->
*> 192.168.1.0      10.5.23.228                   100  32768        0 i <-/->
*> 192.168.2.0      10.5.23.228                   100  32768        0 i <-/->
Total number of prefixes 3

After configuring the prefix-list:

# get router info bgp neighbors 10.5.20.160 adv
VRF 0 BGP table version is 2, local router ID is 172.31.135.228
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight RouteTag Path
*> 192.168.1.0      10.5.23.228                   100  32768        0 i <-/->
*> 192.168.2.0      10.5.23.228                   100  32768        0 i <-/->
Total number of prefixes 2 