Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
jvaishnav
Staff
Staff

Created on ‎10-31-2020 08:31 AM Edited on ‎06-02-2025 10:15 PM By Moderator

Article Id 194831

Technical Tip: IBGP and EBGP Support in VRF

Description

 

This article describes the feature: IBGP and EBGP Support in VRF.
Support is included for internal and external border gateway protocols (IBGP and EBGP) in virtual routing and forwarding (VRF).

Scope


For version 6.4.3.

Solution


FortiGate can establish neighbor connections with other FortiGates or routers, and the learned routes are put into different VRF tables according to the neighbor's settings.

This example uses the following topology:



 
BGP routes learned from the Router1 neighbor are put into vrf10.
BGP routes learned from the Router2 neighbor are put into vrf20.
 
To configure this example:
 
config system interface
    edit port1
        set vrf 10
    next
    edit port2
        set vrf 20
    next
end
config router bgp
    config neighbor
        edit "192.168.1.1"
            set update-source port1
        next
        edit "192.168.2.1"
            set interface port2
        next
    end
end
 
Results.

Using the above topology:
Both Router1 and Router2 establish OSPF and BGP neighbors with the FortiGate.
 
Router1 advertises 10.10.1.0/24 into OSPF and 10.10.2.0/24 into BGP.
Router2 advertises 20.20.1.0/24 into OSPF and 20.20.2.0/24 into BGP.
 
When port1 and port2 have not set VRF, all of the routing is in VRF=0:
 
get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default
 
Routing table for VRF=0:
 
S*      0.0.0.0/0 [5/0] via 10.0.1.254, port9
C       10.0.1.0/24 is directly connected, port9
O       10.10.1.0/24 [110/10] via 192.168.1.1, port1, 00:18:31
B       10.10.2.0/24 [20/200] via 192.168.1.1, port1, 00:01:31
O       20.20.1.0/22 [110/10] via 192.168.2.1, port2, 00:19:05
B       20.20.2.0/24 [20/200] via 192.168.2.1, port2, 00:01:31
C       192.168.1.0/24 is directly connected, port1
C       192.168.2.0/24 is directly connected, port2
 
After VRF is set for BGP, BGP routes are added to the VRF tables along with OSPF and connected routes:
 
get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default
 
Routing table for VRF=0.
 
S*      0.0.0.0/0 [5/0] via 10.0.1.254, port9
C       10.0.1.0/24 is directly connected, port9
 
Routing table for VRF=10.
 
O       10.10.1.0/24 [110/10] via 192.168.1.1, port1, 00:18:31
B       10.10.2.0/24 [20/200] via 192.168.1.1, port1, 00:01:31
C       192.168.1.0/24 is directly connected, port1
 
Routing table for VRF=20.
 
O       20.20.1.0/22 [110/10] via 192.168.2.1, port2, 00:19:05
B       20.20.2.0/24 [20/200] via 192.168.2.1, port2, 00:01:31
C       192.168.2.0/24 is directly connected, port2
 
BGP neighbor groups.
 
This feature is also supported in the BGP neighbor groups. For example:
 
config router bgp
    config neighbor-group
        edit "FGT"
            set update-source "port1"
        next
    end
    config neighbor-range
        edit 1
            set prefix 172.16.201.0 255.255.255.0
            set neighbor-group "FGT"
        next
    end
end
 
Note that the set interface command is not supported.
 
In scenarios like BGP routes not importing into a different VRF other than the default VRF, which received routes show are being received in that VRF, but they are not in the table, it needs to verify that the BGP neighbor is configured to operate within VRF. BGP neighbors are tied to specific interfaces, and the interface’s VRF determines the routing table.
 
config router bgp
    config neighbor
        edit "<neighbor-ip>"
            set interface <interface-in-vrf like vrf 10 or 20>
            set update-source < interface-in-vrf like vrf 10 or 20>
        next
    end
end
 
By default, FortiGate’s BGP advertises prefixes to all VRFs unless restricted by a route map. If the route is appearing in VRF 0, it might be advertised without VRF-specific filtering.
Checking if a route map is applied to control advertisements:
 
config router route-map
    edit "VRF_10"
        config rule
            edit 1
                set match-ip-address <prefix-list>
                set match-vrf 10
            next
        end
    next
end

config router bgp
    config network
        edit <id>
            set prefix <prefix>
            set route-map "VRF_10"
        next
    end
end
 
Related document:
Labels:
5010
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.