syao (Staff)
Article Id 265347
Description This article describes how to filter BGP routes with an AS-PATH list referenced from a route-map.
Scope FortiGate v6.4, v7.0, v7.2, or v7.4.
Solution

Consider the following network diagram:

[Figure: BGP AS PATH.jpg, the network diagram described below]

  • The FortiGate device is located in AS400 and has a peering connection with AS300.
  • AS300 is receiving the route 100.100.100.0/24 from AS100 and the route 200.200.200.0/24 from AS200.
  • The network administrator wants to block the routes originated by AS100 while permitting all other routes, using an AS-PATH list with a route-map.

Before applying the route-map:

get router info bgp neighbors 169.254.1.2 routes
VRF 0 BGP table version is 1, local router ID is 4.4.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight RouteTag Path
*> 100.100.100.0/24 169.254.1.2 0 0 300 100 i <-/-> <-- Needs to be filtered
*> 200.200.200.0/24 169.254.1.2 0 0 300 200 i <-/->


To filter routes using an AS-PATH list with a route-map on a FortiGate device, follow the steps below:

Step 1: Create an AS-PATH list that matches routes originated by AS100.

config router aspath-list
    edit "AS100"
        config rule
            edit 1
                set action permit
                set regexp "_100$"
            next
        end
    next
end

Note: This step creates an AS-PATH list named 'AS100' with a rule that permits routes whose AS-PATH matches the regular expression '_100$', that is, paths whose last (originating) AS is 100. In AS-PATH regular expressions the '_' stands for an AS boundary (start or end of the path, or the space between two AS numbers), so '_100$' matches AS100 but not AS1100 or AS2100, and it does not match paths where AS100 only appears as a transit AS.

Step 2: Create a route-map that references the AS-PATH list created in Step 1.

config router route-map
    edit "RM_INBOUND"
        config rule
            edit 1
                set action deny
                set match-as-path "AS100"
            next
            edit 2
                set action permit
            next
        end
    next
end

Note: Rule id #1 denies routes that match the AS-PATH list 'AS100'. Rule id #2, which has no match condition, permits all other routes that do not match rule id #1. Rule id #2 is required: a route-map ends with an implicit deny, so without it every route not matched by rule id #1 would also be dropped.

Step 3: Apply the route-map as an inbound filter on the BGP neighbor.

config router bgp
    config neighbor
        edit "169.254.1.2"
            set route-map-in "RM_INBOUND"
        next
    end
end

Note: After applying the route-map, an inbound route refresh for the neighbor may be necessary so that the routes already received are re-evaluated against the new filter and the BGP routing table is updated.

After applying the route-map:

get router info bgp neighbors 169.254.1.2 routes
VRF 0 BGP table version is 1, local router ID is 4.4.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight RouteTag Path
*> 200.200.200.0/24 169.254.1.2 0 0 0 300 200 i <-/1>

Total number of prefixes 1
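As an added example that is not part of the original article or of FortiOS, the following Python script models the aspath-list and route-map semantics used above so that a regexp can be checked against sample AS-PATHs before it is applied on the firewall. The router-style '_' is translated to an AS boundary (AS-set braces and confederation parentheses are deliberately not modelled), and the two routes from the article plus two constructed edge cases (AS100 as a transit hop, and AS1100) are run through RM_INBOUND.

```python
import re

# Router-style AS-PATH regex: '_' stands for an AS boundary (start of path,
# end of path, or the space between two AS numbers). Translated to a Python
# regex here; AS-set braces and confederation parentheses are not modelled
# (simplifying assumption of this example).
def aspath_regex(expr):
    return re.compile(expr.replace("_", r"(?:^|\s|$)"))

def aspath_list_matches(rules, as_path):
    """aspath-list semantics: the first rule whose regexp matches decides.
    'permit' -> the list matches the path, 'deny' -> it does not; no hit -> no match."""
    for action, expr in rules:
        if aspath_regex(expr).search(as_path):
            return action == "permit"
    return False

def route_map_permits(route_map, aspath_lists, as_path):
    """Route-map semantics: rules in id order, the first matching rule's action
    applies. A rule without match-as-path matches everything; if no rule
    matches, the route is denied (implicit deny)."""
    for action, list_name in route_map:
        if list_name is None or aspath_list_matches(aspath_lists[list_name], as_path):
            return action == "permit"
    return False

# The article's configuration expressed as data.
ASPATH_LISTS = {"AS100": [("permit", "_100$")]}
RM_INBOUND = [("deny", "AS100"), ("permit", None)]

# Constructed sample routes: the two from the article plus two edge cases.
SAMPLE_ROUTES = {
    "100.100.100.0/24": "300 100",      # originated by AS100 -> denied
    "200.200.200.0/24": "300 200",      # originated by AS200 -> permitted
    "10.0.0.0/24":      "300 100 500",  # AS100 only transits -> not matched by _100$
    "10.1.0.0/24":      "300 1100",     # AS1100 is not AS100 -> permitted
}

def filter_routes(routes, route_map=RM_INBOUND, aspath_lists=ASPATH_LISTS):
    """Return the sorted prefixes that survive the inbound route-map."""
    return sorted(prefix for prefix, path in routes.items()
                  if route_map_permits(route_map, aspath_lists, path))

if __name__ == "__main__":
    for prefix, path in SAMPLE_ROUTES.items():
        verdict = "permit" if route_map_permits(RM_INBOUND, ASPATH_LISTS, path) else "deny"
        print(f"{prefix:18} path '{path}': {verdict}")
```

Changing the regexp to '_100_' in ASPATH_LISTS shows the difference: the transit case 300 100 500 is then denied as well.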
