Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Xav_FTNT
Staff
Staff

Created on ‎07-01-2009 06:38 AM Edited on ‎02-21-2025 01:12 AM By Moderator

Article Id 196101

Technical Tip: How to implement BGP route summary (aggregation) on a FortiGate

Description


This article describes the steps to announce multiple routes with one summary route in BGP.


Scope


All FortiGate or VDOM running in NAT mode.

 

Solution


Diagram:


Expectations, Requirements.

This article contains a summary of the following connected networks:
 
  • 10.162.0.0/255.255.254.0.
  • 10.162.2.0/255.255.254.0.
  • 10.162.4.0/255.255.254.0.

As the following summarized route: 10.162.0.0/16.


Configuration:

 

FortiGate-AS162 is the FortiGate which is the configuration of the route summary.

 
FGT-AS162 (bgp) # show

config router bgp
    config aggregate-address
        edit 1
            set prefix 10.162.0.0 255.255.0.0
            set summary-only enable <- Only the aggregate route is advertised.
        next
    end
    set as 162
        config neighbor
            edit 10.142.0.110
                set remote-as 1
            next
end
 
For the aggregate address to be advertised to the neighbor, at least one of its specific routes must be injected in the BGP RIB. So:

config network
    edit 1
        set prefix 10.162.0.0 255.255.254.0
    next
    edit 2
        set prefix 10.162.2.0 255.255.254.0
    next
    edit 3
        set prefix 10.162.4.0 255.255.254.0
    next
end

config redistribute "connected"
end

config redistribute "rip"
end

config redistribute "ospf"
end

config redistribute "static"
end

    set router-id 10.142.0.114
end

 


Verification:

 

FGT_ISP is the ISP's border router.

FortiGate-AS162 is the FortiGate on which is the configuration to the route summary.
 
The following commands will be used:
 
get router info bgp summary
get router info bgp neighbors
get router info bgp network
get router info routing-table all
 
FortiGate-AS162:

 

FGT-AS162 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default

S* 0.0.0.0/0 [10/0] via 192.168.183.254, port1
B 1.1.1.1/32 [20/0] via 10.142.0.110, port2, 01:03:29
C 10.142.0.0/23 is directly connected, port2
B 10.160.0.0/23 [20/0] via 10.142.0.110, port2, 00:02:07
B 10.162.0.0/16 [20/0] is a summary, Null, 00:12:16
C 10.162.0.0/23 is directly connected, port3
C 10.162.2.0/23 is directly connected, port5
C 10.162.4.0/23 is directly connected, port6
B 192.168.0.0/16 [20/0] via 10.142.0.110, port2, 01:03:29
B 192.168.0.0/21 [20/0] via 10.142.0.205, port2, 01:03:29
B 192.168.168.0/24 [20/0] via 10.142.0.110, port2, 01:03:29
C 192.168.182.0/23 is directly connected, port1


See above the null route in the routing table to prevent routing loops.

 

FGT-AS162 # get router info bgp network
BGP table version is 9, local router ID is 10.142.0.114
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
*> 1.1.1.1/32 10.142.0.110 0 0 1 ?
*> 10.160.0.0/23 10.142.0.110 0 0 1 i
*> 10.162.0.0/16 0.0.0.0 32768 i <- This is the summary that will be sent.
s> 10.162.0.0/23 0.0.0.0 100 32768 i
s> 10.162.2.0/23 0.0.0.0 100 32768 i
s> 10.162.4.0/23 0.0.0.0 100 32768 i
*> 192.168.0.0/16 10.142.0.110 0 0 1 ?
*> 192.168.0.0/21 10.142.0.205 0 0 1 2 i
*> 192.168.168.0 10.142.0.110 0 0 1 ?
Total number of prefixes 9

 

See above the 's' letter that precedes each route that is suppressed by BGP. Note that, if the 'summary-only' option is set to disable under the 'aggregate-address' configuration, those routes will not be suppressed.


On FGT_ISP:

 

FGT_ISP (bgp) # get router info bgp network
BGP table version is 18, local router ID is 10.142.0.110
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

 

Network Next Hop Metric LocPrf Weight Path
*> 1.1.1.1/32 192.168.183.254 32768 ?
*> 10.160.0.0/23 0.0.0.0 100 32768 i
*> 10.162.0.0/16 10.142.0.114 0 0 162 i
*> 192.168.0.0/16 192.168.183.254 32768 ?
*> 192.168.0.0/21 10.142.0.205 0 0 2 i
*> 192.168.168.0 192.168.183.254 32768 ?

 

Total number of prefixes 6

 

FGT_ISP (bgp) # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default

 

S 1.1.1.1/32 [10/0] via 192.168.183.254, port1
C 10.142.0.0/23 is directly connected, port6
C 10.160.0.0/23 is directly connected, port2
B 10.162.0.0/16 [20/0] via 10.142.0.114, port6, 01:04:08 <- This is the summary received on the peer.
S 192.168.0.0/16 [10/0] via 192.168.183.254, port1
B 192.168.0.0/21 [20/0] via 10.142.0.205, port6, 19:30:25
S 192.168.168.0/24 [10/0] via 192.168.183.254, port1
C 192.168.182.0/23 is directly connected, port1


Related articles:

Technical Note: Static NAT VIP accessible from 2 external interfaces with E-BGP peerings (dual-homin...

Technical Tip: Blackhole route for BGP Summarization 

Labels:
29665
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.