Description | This article describes how to stop FortiGate from announcing IPv6 prefix(es) to peer(s). |
Scope | FortiGate v6.4 - v7.2. |
Solution |
Use case: In this scenario, FortiGate has established a site-to-site IPsec VPN tunnel to Azure and formed a BGP session over that tunnel so that selected IPv4 prefixes could be announced to Azure. However, we received an email from Azure saying that they are receiving unwanted IPv6 announcements from our network, which are not explicitly announced on the device peering with Azure.
How it happened: BGP1 and BGP2 are iBGP peers, and BGP1 announced some IPv6 prefixes to BGP2 (the IPv4 prefixes are not the focus here, as Azure is fine with those). Because Azure is an external BGP peer (eBGP), BGP2 is allowed to send all prefixes it received from BGP1 (its internal BGP peer) on to Azure.
The following screenshots show the announced and received prefixes (IPv4 and IPv6) on BGP1, BGP2, and Azure.
1) BGP1 announced two IPv6 prefixes to BGP2.
2) BGP2 received the IPv6 announcement and also announced it to Azure, 20.20.20.3 (this is because Azure is an eBGP neighbor).
3) Azure received the announcements (the IPv6 prefixes).
To stop this unwanted announcement, use the command 'set activate6 disable' on BGP2's neighbor entry for Azure. This disables the IPv6 address family for that neighbor; it is enabled by default.
After this change, BGP2 no longer announces IPv6 prefixes to Azure, and Azure no longer receives them.
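The change described above as a FortiOS CLI script on BGP2, added here as an example and not taken from the original article. The Azure peer address 20.20.20.3 comes from the article; the AS number 65001 and the verification commands after the configuration are assumptions for illustration.

```fortios
# BGP2: keep the IPv4 address family active for the Azure eBGP peer,
# but disable the IPv6 address family so no IPv6 prefixes learned from
# the iBGP peer (BGP1) are forwarded to Azure.
config router bgp
    config neighbor
        edit "20.20.20.3"
            set remote-as 65001        # assumed Azure ASN (example only)
            set activate enable        # IPv4 unicast stays announced
            set activate6 disable      # IPv6 unicast no longer announced (default: enable)
        next
    end
end

# Verification (assumed command forms): the IPv6 peer state for 20.20.20.3
# should no longer be Established, and no IPv6 prefixes should be advertised.
get router info6 bgp summary
get router info6 bgp neighbors 20.20.20.3 advertised-routes
```

IPv4 prefixes to Azure are unaffected because 'set activate' remains enabled; only the IPv6 address family is withdrawn from that single neighbor.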
Copyright 2025 Fortinet, Inc. All Rights Reserved.