FortiGate
echia
Staff
Article Id 194442

Description

 

This article only demonstrates how to match BGP path attributes with a BGP community list and apply an AS-path prepend to the routes that carry a given community.

A BGP community list is not required to perform AS-path prepend in the BGP routing table: AS-path prepend can be done without a community list.


Diagram:



Expectations and requirements:

- Network 5.1.1.0/24 is advertised in BGP routing updates by both FGT1 and FGT2.
- FGT1 sets community 65002:1 on the route 5.1.1.0/24 that it advertises to its neighbor 10.1.1.2.
- FGT2 sets community 65003:1 on the route 5.1.1.0/24 that it advertises to its neighbor 10.1.2.2.
- FGT3 first matches each received route against its community lists and prepends the AS-path according to which list matched.


Configuration:

FGT3:

FGT3 # show router community-list
config router community-list
    edit "65002:1"
        config rule
            edit 1
                set action permit
                set match "65002:1"
            next
        end
    next
    edit "65003:1"
        config rule
            edit 1
                set action permit
                set match "65003:1"
            next
        end
    next
end

FGT3 # show router route-map
config router route-map
    edit "route_map_1"
        config rule
            edit 1
                set match-community "65002:1"
                set set-aspath "65002 65002 65002"
                unset set-ip-nexthop
                unset set-ip6-nexthop
                unset set-ip6-nexthop-local
                unset set-originator-id
            next
            edit 2
                set match-community "65003:1"
                unset set-ip-nexthop
                unset set-ip6-nexthop
                unset set-ip6-nexthop-local
                unset set-originator-id
            next
        end
    next
end

Rule 1 prepends 65002 three times to routes tagged 65002:1 (from FGT1). Rule 2 matches 65003:1 (from FGT2) without any set action: it exists only to permit those routes unchanged, because a route that matches no rule of an inbound route-map is denied. The route from FGT2 therefore keeps the shorter AS-path and is preferred while it is available.

FGT3 # show router bgp
config router bgp
    set as 65001
    set router-id 3.3.3.3
    config neighbor
        edit "10.1.1.1"
            set remote-as 65002
            set route-map-in "route_map_1"
        next
        edit "10.1.2.1"
            set remote-as 65003
            set route-map-in "route_map_1"
        next
    end
end

 

FGT1:

FGT1 # show router access-list
config router access-list
    edit "net_5.1.1.0"
        config rule
            edit 1
                set prefix 5.1.1.0 255.255.255.0
                set exact-match enable
            next
        end
    next
end

FGT1 # show router route-map
config router route-map
    edit "community_set"
        config rule
            edit 1
                set match-ip-address "net_5.1.1.0"
                set set-community "65002:1"
                unset set-ip-nexthop
                unset set-ip6-nexthop
                unset set-ip6-nexthop-local
                unset set-originator-id
            next
        end
    next
end

FGT1 # show router bgp
config router bgp
    set as 65002
    set router-id 1.1.1.1
    config neighbor
        edit "10.1.1.2"
            set remote-as 65001
            set route-map-out "community_set"
        next
    end
    config network
        edit 1
            set prefix 5.1.1.0 255.255.255.0
        next
    end
end

 

FGT2 (hostname FortiGate-VM64-KVM):

FortiGate-VM64-KVM # show router access-list
config router access-list
    edit "net_5.1.1.0"
        config rule
            edit 1
                set prefix 5.1.1.0 255.255.255.0
                set exact-match enable
            next
        end
    next
end

FortiGate-VM64-KVM # show router route-map
config router route-map
    edit "communit_set"
        config rule
            edit 1
                set match-ip-address "net_5.1.1.0"
                set set-community "65003:1"
                unset set-ip-nexthop
                unset set-ip6-nexthop
                unset set-ip6-nexthop-local
                unset set-originator-id
            next
        end
    next
end

FortiGate-VM64-KVM # show router bgp
config router bgp
    set as 65003
    set router-id 2.2.2.2
    config neighbor
        edit "10.1.2.2"
            set remote-as 65001
            set route-map-out "communit_set"
        next
    end
    config network
        edit 1
            set prefix 5.1.1.0 255.255.255.0
        next
    end
end

 

 

 

FGT3 snippets:

Failover is tested by disconnecting the link between FGT3 and FGT2:

The routing table of FGT3 changes accordingly:
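To make the policy above concrete, here is an added Python model of the route-maps in this article. It is not FortiGate code and is not part of the original article: FGT1 and FGT2 tag 5.1.1.0/24 with their community on the way out, FGT3 matches the community lists on the way in, prepends 65002 three times only on the path learned from FGT1, and then picks the shortest AS-path. The `Route` class, the originating AS-paths, the next-hop addresses and the `fgt2_link_up` flag are constructed for the example; real BGP best-path selection also compares local preference, origin, MED and other attributes, which are equal in this topology.

```python
# Added example (not FortiGate code): a model of the community-list match and
# AS-path prepend configured on FGT3, plus the FGT1/FGT2 outbound tagging.
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: Tuple[str, ...]      # leftmost entry is the most recently traversed AS
    community: Tuple[str, ...]    # standard communities, e.g. ("65002:1",)
    next_hop: str


# FGT1 / FGT2: access-list "net_5.1.1.0" with exact-match on 5.1.1.0/24
ACCESS_LISTS = {"net_5.1.1.0": "5.1.1.0/24"}


def route_map_out(route: Route, acl_name: str, community: str) -> Optional[Route]:
    """Outbound route-map on FGT1/FGT2: match-ip-address + set-community.
    A prefix that matches no rule is not advertised (None)."""
    if route.prefix != ACCESS_LISTS[acl_name]:
        return None
    return replace(route, community=(community,))


# FGT3 community lists: list name -> permitted community values
COMMUNITY_LISTS = {"65002:1": {"65002:1"}, "65003:1": {"65003:1"}}

# FGT3 route_map_1, rules in order: (match-community list, set-aspath values)
ROUTE_MAP_1 = [
    ("65002:1", ("65002", "65002", "65002")),  # rule 1: prepend
    ("65003:1", ()),                           # rule 2: permit unchanged
]


def route_map_in(route: Route) -> Optional[Route]:
    """Inbound route-map on FGT3: first matching rule wins, no match = deny."""
    for list_name, prepend in ROUTE_MAP_1:
        if any(c in COMMUNITY_LISTS[list_name] for c in route.community):
            # set-aspath prepends the listed ASNs in front of the received path
            return replace(route, as_path=prepend + route.as_path) if prepend else route
    return None


def best_path(routes: List[Optional[Route]]) -> Optional[Route]:
    """Shortest AS-path wins; the other tie-breakers are equal in this topology."""
    candidates = [r for r in routes if r is not None]
    return min(candidates, key=lambda r: len(r.as_path)) if candidates else None


def fgt3_best_path(fgt2_link_up: bool = True) -> Optional[Route]:
    """What FGT3 installs for 5.1.1.0/24, with or without the FGT2 link."""
    # Constructed sample routes: each neighbor originates 5.1.1.0/24 in its own AS
    from_fgt1 = route_map_out(
        Route("5.1.1.0/24", ("65002",), (), "10.1.1.1"), "net_5.1.1.0", "65002:1")
    from_fgt2 = route_map_out(
        Route("5.1.1.0/24", ("65003",), (), "10.1.2.1"), "net_5.1.1.0", "65003:1")
    received = [from_fgt1] + ([from_fgt2] if fgt2_link_up else [])
    return best_path([route_map_in(r) for r in received])


if __name__ == "__main__":
    for up in (True, False):
        best = fgt3_best_path(up)
        print(f"FGT2 link up={up}: next-hop {best.next_hop}, AS-path {' '.join(best.as_path)}")
```

With the FGT2 link up, FGT3 prefers the untouched path via 10.1.2.1 (AS-path 65003); when that link is disconnected, the prepended path via 10.1.1.1 (65002 65002 65002 65002) is the only candidate and is installed, which is the failover the snippets illustrate. The model also shows the caveat in rule 2: a route that reaches FGT3 from either neighbor without the expected community matches no rule and is dropped, so the neighbor's send-community setting must allow standard communities. On the device, `get router info routing-table bgp` and `get router info bgp network 5.1.1.0/24` show the installed route and the received AS-paths.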