Rosalyn
Staff
Article Id 232185
Description This article describes how to stop a default route received from a BGP peer from being injected into the routing table.
Scope FortiGate.
Solution

Before the configuration:

 

FGT # get router info bgp neighbors 172.17.0.1 received-routes
VRF 0 BGP table version is 1, local router ID is 172.17.0.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight RouteTag Path
*> 0.0.0.0/0 172.17.0.1 0 0 600 ? <-/-> <----- Default route received from the BGP peer.
*> 10.10.40.0/24 172.17.0.1 0 0 600 ? <-/->
*> 10.10.45.0/24 172.17.0.1 0 0 600 i <-/->

Total number of prefixes 3

 

FGT # get router info routing-table database
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
V - BGP VPNv4
> - selected route, * - FIB route, p - stale info

Routing table for VRF=0
B 0.0.0.0/0 [20/0] via 172.17.0.1 (recursive via wirea26 tunnel 10.47.1.237), 00:04:36, [1/0]
S *> 0.0.0.0/0 [10/0] via 10.47.31.254, port4, [1/0]
B *> 10.10.40.0/24 [20/0] via 172.17.0.1 (recursive via wirea26 tunnel 10.47.1.237), 00:04:36, [1/0]
B *> 10.10.45.0/24 [20/0] via 172.17.0.1 (recursive via wirea26 tunnel 10.47.1.237), 00:04:36, [1/0]

 

To stop accepting the default route from the BGP neighbor, configure an access-list with an exact-match rule that denies it:

 

FGT # config router access-list
    edit "deny_default"
        config rule
            edit 1
                set action deny
                set prefix 0.0.0.0 0.0.0.0
                set exact-match enable
            next
            edit 2
                set prefix any
            next
        end
    next
end

 

Note:

Do not forget to include a final prefix-list or access-list entry with 'set prefix any' and make sure it is the last entry in the list. The list ends with an implicit deny, so a prefix-list or access-list created with the single entry 'set prefix 0.0.0.0 0.0.0.0' will block all BGP advertisements from the neighbor.
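The following Python model of access-list evaluation shows how the two-entry 'deny_default' list behaves and why the single-entry list from the note blocks every prefix. It is an added example written for this article, not Fortinet's implementation. It assumes the FortiOS access-list semantics described here: rules are evaluated in order, the first matching rule decides, the default rule action is permit, and a prefix that matches no rule is denied. The input prefixes are the three routes shown in the received-routes output above.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Added example, not Fortinet code: a minimal model of how a FortiGate
# router access-list rule is evaluated against a received prefix.
# Assumptions: rules are checked in order, the first match decides, the
# default rule action is permit, and a prefix that matches no rule is
# denied (implicit deny at the end of the list).

@dataclass
class Rule:
    prefix: Optional[ipaddress.IPv4Network]   # None models 'set prefix any'
    action: str = "permit"                    # FortiOS default action is permit
    exact_match: bool = False                 # 'set exact-match enable'

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        if self.prefix is None:
            return True
        if self.exact_match:
            # 0.0.0.0 0.0.0.0 with exact-match hits only the default route itself
            return route == self.prefix
        # Without exact-match the rule covers the prefix and all of its
        # more-specific routes; 0.0.0.0/0 therefore covers every route.
        return route.subnet_of(self.prefix)


def evaluate(rules: List[Rule], route: ipaddress.IPv4Network) -> str:
    """Return the action of the first matching rule, or 'deny' if none matches."""
    for rule in rules:
        if rule.matches(route):
            return rule.action
    return "deny"  # implicit deny


def filter_routes(rules: List[Rule], routes: List[str]) -> List[str]:
    """Prefixes (as strings) that the access-list permits, in input order."""
    return [r for r in routes if evaluate(rules, ipaddress.ip_network(r)) == "permit"]


# Prefixes received from 172.17.0.1 in the article's 'received-routes' output.
RECEIVED = ["0.0.0.0/0", "10.10.40.0/24", "10.10.45.0/24"]

# The 'deny_default' list as configured in the article: an exact-match deny
# of the default route followed by a permit-any entry.
DENY_DEFAULT = [
    Rule(ipaddress.ip_network("0.0.0.0/0"), action="deny", exact_match=True),
    Rule(None),  # edit 2: set prefix any (action defaults to permit)
]

# The mistake the note warns about: the same deny rule with no trailing 'any'.
DENY_DEFAULT_ONLY = DENY_DEFAULT[:1]

# A deny of 0.0.0.0 0.0.0.0 without exact-match covers every prefix,
# so the trailing 'any' is never reached.
DENY_NO_EXACT = [
    Rule(ipaddress.ip_network("0.0.0.0/0"), action="deny", exact_match=False),
    Rule(None),
]

if __name__ == "__main__":
    for name, rules in [("deny_default", DENY_DEFAULT),
                        ("single-entry list", DENY_DEFAULT_ONLY),
                        ("deny without exact-match", DENY_NO_EXACT)]:
        print(f"{name}: accepted {filter_routes(rules, RECEIVED)}")
```

Only the list with both the exact-match deny and the trailing 'any' lets the two /24 prefixes through; dropping the 'any' or the exact-match flag rejects every prefix from the neighbor.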

 

Apply the access-list to the BGP neighbor in the inbound direction with 'distribute-list-in':

 

FGT # config router bgp
    set as 3800
    config neighbor
        edit "172.17.0.1"
            set soft-reconfiguration enable
            set distribute-list-in "deny_default"
            set remote-as 600
        next
    end
end

 

Perform a soft reset of the BGP session with 'execute router clear bgp ip 172.17.0.1 soft' and recheck the routing table. Because soft-reconfiguration is enabled for the neighbor, the stored received routes are re-evaluated against the new distribute-list without tearing down the session.

After around 20 to 30 seconds, confirm that prefixes are still being received from the neighbor:

 

FGT # get router info bgp summary
VRF 0 BGP router identifier 172.17.0.2, local AS number 3800
BGP table version is 1
2 BGP AS-PATH entries
0 BGP community entries

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
172.17.0.1 4 600 6499 6476 0 0 0 00:21:39 3

Total number of neighbors 1

 

The BGP default route no longer appears in the routing table:

 

FGT # get router info routing-table database
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
V - BGP VPNv4
> - selected route, * - FIB route, p - stale info

Routing table for VRF=0
S *> 0.0.0.0/0 [10/0] via 10.47.31.254, port4, [1/0]
B *> 10.10.40.0/24 [20/0] via 172.17.0.1 (recursive via wirea26 tunnel 10.47.1.237), 00:22:07, [1/0]
B *> 10.10.45.0/24 [20/0] via 172.17.0.1 (recursive via wirea26 tunnel 10.47.1.237), 00:22:07, [1/0]
B *> 10.10.50.0/24 [20/0] via 172.17.0.1 (recursive via wirea26 tunnel 10.47.1.237), 00:22:07, [1/0]
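The check above can be scripted. The following added Python example (written for this article, not Fortinet code) parses 'get router info routing-table database' output and reports any default route learned via BGP, together with which default route is actually selected. In the 'before' output the BGP default was present but not selected, because the static default has the lower administrative distance (10 against 20); it would have become active had the static route disappeared, which is why the check looks at the full database and not only at the installed routes. The sample inputs are the route lines from the before and after outputs shown in this article.

```python
import re
from dataclasses import dataclass
from typing import List

# Added example, not Fortinet code: parse 'get router info routing-table database'
# output and report any default route learned via BGP, selected or not.

ROUTE_RE = re.compile(
    r"^(?P<proto>[A-Z])\s+"                       # protocol code: B, S, C, ...
    r"(?P<flags>[*>]+)?\s*"                       # optional '*>' (FIB / selected)
    r"(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+"      # network prefix
    r"\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+"         # [administrative distance/metric]
    r"via\s+(?P<nexthop>\d+\.\d+\.\d+\.\d+)"      # next-hop address
)

@dataclass
class Route:
    proto: str
    prefix: str
    ad: int
    nexthop: str
    selected: bool   # True when the line carries the '>' (selected route) marker

def parse_routes(output: str) -> List[Route]:
    """Extract one Route per route line; legend and header lines are skipped."""
    routes = []
    for line in output.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        routes.append(Route(m.group("proto"), m.group("prefix"), int(m.group("ad")),
                            m.group("nexthop"), ">" in (m.group("flags") or "")))
    return routes

def bgp_default_routes(output: str) -> List[Route]:
    """Default routes learned via BGP, whether or not they are currently selected."""
    return [r for r in parse_routes(output)
            if r.proto == "B" and r.prefix == "0.0.0.0/0"]

def selected_default(output: str) -> Route:
    """The default route actually installed (the one marked '>')."""
    return next(r for r in parse_routes(output)
                if r.prefix == "0.0.0.0/0" and r.selected)

# Constructed input: the route lines from the article's before and after outputs.
BEFORE = """Routing table for VRF=0
B 0.0.0.0/0 [20/0] via 172.17.0.1 (recursive via wirea26 tunnel 10.47.1.237), 00:04:36, [1/0]
S *> 0.0.0.0/0 [10/0] via 10.47.31.254, port4, [1/0]
B *> 10.10.40.0/24 [20/0] via 172.17.0.1 (recursive via wirea26 tunnel 10.47.1.237), 00:04:36, [1/0]
B *> 10.10.45.0/24 [20/0] via 172.17.0.1 (recursive via wirea26 tunnel 10.47.1.237), 00:04:36, [1/0]
"""

AFTER = """Routing table for VRF=0
S *> 0.0.0.0/0 [10/0] via 10.47.31.254, port4, [1/0]
B *> 10.10.40.0/24 [20/0] via 172.17.0.1 (recursive via wirea26 tunnel 10.47.1.237), 00:22:07, [1/0]
B *> 10.10.45.0/24 [20/0] via 172.17.0.1 (recursive via wirea26 tunnel 10.47.1.237), 00:22:07, [1/0]
B *> 10.10.50.0/24 [20/0] via 172.17.0.1 (recursive via wirea26 tunnel 10.47.1.237), 00:22:07, [1/0]
"""

if __name__ == "__main__":
    for label, output in (("before", BEFORE), ("after", AFTER)):
        bgp = [(r.nexthop, "selected" if r.selected else "not selected")
               for r in bgp_default_routes(output)]
        sel = selected_default(output)
        print(f"{label}: BGP default routes = {bgp}; "
              f"selected default is {sel.proto} via {sel.nexthop} (AD {sel.ad})")
```

Running it against the 'before' output reports one BGP default via 172.17.0.1 that is not selected, with the static default installed; against the 'after' output it reports none.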