FortiGate
jvaishnav
Staff
Description
Support is included for internal and external border gateway protocols (IBGP and EBGP) in virtual routing and forwarding (VRF).

This article describes this feature.

Scope
For version 6.4.3.

Solution
FortiGate can establish neighbor connections with other FortiGates or routers, and the learned routes are put into different VRF tables according to the neighbor's settings.

This example uses the following topology:





BGP routes learned from the Router1 neighbor are put into vrf10.
BGP routes learned from the Router2 neighbor are put into vrf20.

To configure this example:
# config system interface
    edit port1
        set vrf 10
    next
    edit port2
        set vrf 20
    next
end
# config router bgp
    # config neighbor
        edit "192.168.1.1"
            set update-source port1
        next
        edit "192.168.2.1"
            set interface port2
        next
    end
end
Results

Using the above topology:
Both Router1 and Router2 establish OSPF and BGP neighbor relationships with the FortiGate.

Router1 advertises 10.10.1.0/24 into OSPF and 10.10.2.0/24 into BGP.
Router2 advertises 20.20.1.0/24 into OSPF and 20.20.2.0/24 into BGP.

When no VRF is set on port1 and port2, all of the routes are in VRF=0:
# get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

Routing table for VRF=0
S*      0.0.0.0/0 [5/0] via 10.0.1.254, port9
C       10.0.1.0/24 is directly connected, port9
O       10.10.1.0/24 [110/10] via 192.168.1.1, port1, 00:18:31
B       10.10.2.0/24 [20/200] via 192.168.1.1, port1, 00:01:31
O       20.20.1.0/22 [110/10] via 192.168.2.1, port2, 00:19:05
B       20.20.2.0/24 [20/200] via 192.168.2.1, port2, 00:01:31
C       192.168.1.0/24 is directly connected, port1
C       192.168.2.0/24 is directly connected, port2
After VRF is set for BGP, BGP routes are added to the VRF tables along with OSPF and connected routes:
# get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

Routing table for VRF=0
S*      0.0.0.0/0 [5/0] via 10.0.1.254, port9
C       10.0.1.0/24 is directly connected, port9

Routing table for VRF=10
O       10.10.1.0/24 [110/10] via 192.168.1.1, port1, 00:18:31
B       10.10.2.0/24 [20/200] via 192.168.1.1, port1, 00:01:31
C       192.168.1.0/24 is directly connected, port1

Routing table for VRF=20
O       20.20.1.0/22 [110/10] via 192.168.2.1, port2, 00:19:05
B       20.20.2.0/24 [20/200] via 192.168.2.1, port2, 00:01:31
C       192.168.2.0/24 is directly connected, port2
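
The following Python parses `get router info routing-table all` output in the format shown above and reports any route whose interface is assigned to a VRF but which sits in a different VRF table, which is the separation this configuration is meant to provide. It is an added example, not part of the original article or Fortinet tooling; the function names and the `intended` mapping are assumptions, and the sample text is constructed from the output above.

```python
import re

# Constructed sample: the post-VRF output from this article, legend lines omitted.
SAMPLE = """\
Routing table for VRF=0
S*      0.0.0.0/0 [5/0] via 10.0.1.254, port9
C       10.0.1.0/24 is directly connected, port9
Routing table for VRF=10
O       10.10.1.0/24 [110/10] via 192.168.1.1, port1, 00:18:31
B       10.10.2.0/24 [20/200] via 192.168.1.1, port1, 00:01:31
C       192.168.1.0/24 is directly connected, port1
Routing table for VRF=20
O       20.20.1.0/22 [110/10] via 192.168.2.1, port2, 00:19:05
B       20.20.2.0/24 [20/200] via 192.168.2.1, port2, 00:01:31
C       192.168.2.0/24 is directly connected, port2
"""

# Table header; a trailing period is tolerated.
VRF_RE = re.compile(r"^Routing table for VRF=(\d+)\.?\s*$")
# Route line: code (optionally two-part, e.g. "O E2"), prefix, then either
# "[dist/metric] via <gw>, <intf>" or "is directly connected, <intf>".
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Za-z]\S*(?:\s+[A-Za-z]\w*)?)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+"
    r"(?:\[\d+/\d+\]\s+via\s+(?P<gw>[\d.]+)|is directly connected),\s+(?P<intf>[^,\s]+)")

def parse_routing_table(text):
    """Return {vrf_id: [route dict, ...]}; legend and unparsable lines are skipped."""
    tables, vrf = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = VRF_RE.match(line)
        if m:
            vrf = int(m.group(1))
            continue
        m = ROUTE_RE.match(line)
        if m and vrf is not None:
            tables.setdefault(vrf, []).append(m.groupdict())
    return tables

def vrf_violations(tables, intf_vrf):
    """List (prefix, intf, actual_vrf, expected_vrf) for routes in the wrong VRF table."""
    return [(r["prefix"], r["intf"], vrf, intf_vrf[r["intf"]])
            for vrf, routes in tables.items() for r in routes
            if intf_vrf.get(r["intf"], vrf) != vrf]

if __name__ == "__main__":
    intended = {"port1": 10, "port2": 20}  # assumption: mirrors 'set vrf' per interface
    print(vrf_violations(parse_routing_table(SAMPLE), intended) or "VRF placement matches intent")
```

Run against the first output on this page, where everything is in VRF=0, the same check flags all six port1 and port2 routes.
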
BGP neighbor groups

This feature is also supported in the BGP neighbor groups. For example:
# config router bgp
    # config neighbor-group
        edit "FGT"
            set update-source "port1"
        next
    end
    # config neighbor-range
        edit 1
            set prefix 172.16.201.0 255.255.255.0
            set neighbor-group "FGT"
        next
    end
end
Note that the set interface command is not supported in neighbor groups.
