| Description | This article explains how to configure a FortiGate to accept only the IPv6 default route (::/0) from Internet Service Providers (ISPs) and filter out all other advertised IPv6 prefixes. Additionally, it describes how to configure the FortiGate to prefer the default route received from ISP1 (wan1) while keeping ISP2 (wan2) as the secondary IPv6 path for redundancy. |
| Scope | FortiGate. |
| Solution |
Both ISPs advertise the following routes toward the FortiGate:
::/0
2001:4860:4860::8888
2001:4860:4860::8844
The goal is to ensure that only the default route (::/0) is accepted and installed in the FortiGate routing table, and that ISP1’s route is preferred over ISP2’s.
Step 1: Verify Existing BGP Configuration:
Initial BGP configuration without filtering:
FG # show router bgp
config router bgp
    set as 65000
    set router-id 1.1.1.1
    set ebgp-multipath enable
    config neighbor
        edit "fd12:3456:789a:1::1"
            set soft-reconfiguration6 enable
            set remote-as 65001
            set weight 1000
        next
        edit "fd12:3456:789a:2::1"
            set soft-reconfiguration6 enable
            set remote-as 65002
        next
    end
end
BGP Route Table Before Filtering:
FG # get router info6 bgp network
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
VRF 0 BGP table version is 6, local router ID is 1.1.1.1
   Network                  Next Hop                                   Metric LocPrf Weight RouteTag Path
*> ::/0                     fd12:3456:789a:1::1(fe80::9:fff:fe00:802)
                                 0               1000        0 65001 ? <-/1>
*                           fd12:3456:789a:2::1(fe80::9:fff:fe00:903)
                                 0                  0        0 65002 ? <-/->
*> 2001:4860:4860::8844/128
                            fd12:3456:789a:1::1(fe80::9:fff:fe00:802)
                                 0               1000        0 65001 i <-/1>
*                           fd12:3456:789a:2::1(fe80::9:fff:fe00:903)
                                 0                  0        0 65002 i <-/->
*> 2001:4860:4860::8888/128
                            fd12:3456:789a:1::1(fe80::9:fff:fe00:802)
                                 0               1000        0 65001 i <-/1>
*                           fd12:3456:789a:2::1(fe80::9:fff:fe00:903)
                                 0                  0        0 65002 i <-/->

Total number of prefixes 3
Before filtering, the FortiGate accepts all three prefixes from both ISPs: the default route and the two /128 host routes. For each prefix the ISP1 path is marked best (>) because of its configured weight of 1000.
Step 2: Create a Prefix List to Permit Only the Default Route:
A prefix list is used to filter inbound IPv6 routes. Only the ::/0 default route will be allowed.
FG # show router prefix-list6
config router prefix-list6
    edit "Prefix-List-In-IPv6"
        config rule
            edit 1
                set prefix6 ::/0
                unset ge
                unset le
            next
        end
    next
end
This prefix list matches only the default route (::/0). With ge and le unset the match is exact, so every other prefix, including the two /128 routes, falls through to the list's implicit deny.
Step 3: Create a Route Map to Apply the Filter:
Associate the prefix list with a route map for inbound BGP route filtering.
FG # show router route-map
config router route-map
    edit "IPv6-Roue-Map"
        config rule
            edit 1
                set match-ip6-address "Prefix-List-In-IPv6"
                unset set-ip-prefsrc
            next
        end
    next
end
This route map ensures that only prefixes matching Prefix-List-In-IPv6 (that is, ::/0) are accepted. The rule sets no attributes, so the default route is accepted as received.
Step 4: Apply Route Map and Adjust Path Preference:
Apply the route map inbound (route-map-in6) to both BGP neighbors and give ISP1 a higher weight (200) than ISP2 (100) so that its default route is preferred.
FG # show router bgp
config router bgp
    set as 65000
    set router-id 1.1.1.1
    set ebgp-multipath enable
    config neighbor
        edit "fd12:3456:789a:1::1"
            set soft-reconfiguration6 enable
            set remote-as 65001
            set route-map-in6 "IPv6-Roue-Map"
            set weight 200
        next
        edit "fd12:3456:789a:2::1"
            set soft-reconfiguration6 enable
            set route-map-in6 "IPv6-Roue-Map"
            set remote-as 65002
            set weight 100
        next
    end
end
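The following Python model shows how the pieces configured in Steps 2 to 4 fit together: a prefix-list6 rule with ge and le unset matches a prefix exactly, the inbound route map admits only what the list permits, and among the surviving paths the neighbor with the higher weight wins. It is an added example, not FortiOS code or anything from this article; the neighbor addresses, prefixes and weights are the ones used above, while the class and function names are assumptions. The rule_matches helper also lets you try the ge/le variants, which is where this filter is commonly misconfigured: ::/0 with le 128 permits every IPv6 prefix.

```python
"""Model of the inbound policy from Steps 2-4 (added example, not FortiOS code).

A prefix-list6 rule whose ge/le are unset matches a prefix exactly, the route
map admits only prefixes the list permits, and among the surviving paths the
higher neighbor weight wins. Neighbor addresses, prefixes and weights are the
ones in the article; the classes and function names are assumptions."""
from dataclasses import dataclass
from ipaddress import IPv6Network, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PrefixRule:
    """One 'config rule' entry of a prefix-list6 (modelled, not the real object)."""
    prefix: IPv6Network
    action: str = "permit"      # FortiOS default; 'show' omits default values
    ge: Optional[int] = None    # 'unset ge'
    le: Optional[int] = None    # 'unset le'

    def matches(self, candidate: IPv6Network) -> bool:
        # The candidate must fall inside the rule prefix at all ...
        if not candidate.subnet_of(self.prefix):
            return False
        plen = candidate.prefixlen
        # ... and with ge/le unset only the identical prefix length matches.
        if self.ge is None and self.le is None:
            return plen == self.prefix.prefixlen
        low = self.ge if self.ge is not None else self.prefix.prefixlen
        high = self.le if self.le is not None else 128
        return low <= plen <= high


@dataclass(frozen=True)
class Route:
    prefix: IPv6Network
    neighbor: str   # BGP peer the path was learned from
    weight: int     # 'set weight' configured on that neighbor


def prefix_list_decision(rules: List[PrefixRule], candidate: IPv6Network) -> str:
    """First matching rule decides; a prefix that matches no rule is implicitly denied."""
    for rule in rules:
        if rule.matches(candidate):
            return rule.action
    return "deny"


def apply_route_map_in(routes: List[Route], rules: List[PrefixRule]) -> List[Route]:
    """Inbound route map with a single match-ip6-address rule and no set actions."""
    return [r for r in routes if prefix_list_decision(rules, r.prefix) == "permit"]


def best_by_weight(routes: List[Route]) -> Dict[IPv6Network, Route]:
    """Highest weight wins per prefix; only this one best-path step is modelled."""
    best: Dict[IPv6Network, Route] = {}
    for r in routes:
        current = best.get(r.prefix)
        if current is None or r.weight > current.weight:
            best[r.prefix] = r
    return best


# Prefix-List-In-IPv6 from Step 2: one rule, prefix6 ::/0, ge/le unset.
PREFIX_LIST_IN_IPV6 = [PrefixRule(ip_network("::/0"))]
# Neighbor weights from Step 4.
NEIGHBOR_WEIGHT = {"fd12:3456:789a:1::1": 200, "fd12:3456:789a:2::1": 100}
# What both ISPs advertise (constructed from the Step 1 table).
ADVERTISED = ["::/0", "2001:4860:4860::8888/128", "2001:4860:4860::8844/128"]


def received_routes() -> List[Route]:
    return [Route(ip_network(p), n, w)
            for n, w in NEIGHBOR_WEIGHT.items() for p in ADVERTISED]


def accepted_prefixes() -> List[str]:
    """Distinct prefixes left after the inbound policy."""
    accepted = apply_route_map_in(received_routes(), PREFIX_LIST_IN_IPV6)
    return sorted({str(r.prefix) for r in accepted})


def best_neighbor_for_default() -> str:
    accepted = apply_route_map_in(received_routes(), PREFIX_LIST_IN_IPV6)
    return best_by_weight(accepted)[ip_network("::/0")].neighbor


def rule_matches(rule_prefix: str, candidate: str, ge: Optional[int] = None,
                 le: Optional[int] = None) -> bool:
    """Helper to try ge/le variants, e.g. 'set le 128' on ::/0 permits everything."""
    return PrefixRule(ip_network(rule_prefix), ge=ge, le=le).matches(ip_network(candidate))


if __name__ == "__main__":
    print("accepted:", accepted_prefixes())
    print("best path for ::/0 via", best_neighbor_for_default())
    print("::/0 le 128 matches a /128?",
          rule_matches("::/0", "2001:4860:4860::8888/128", le=128))
```

Running the script prints that only ::/0 is accepted and that its best path is via fd12:3456:789a:1::1, matching the Step 5 table. The model deliberately stops at the weight comparison; the real best-path algorithm continues with further attributes when weights tie.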
Step 5: Verify Filtered Routes and Path Selection:
After applying the prefix list and route map, only the default route should remain in the BGP table, with the ISP1 path marked best (>) because of its higher weight and the ISP2 path kept as a valid (*) backup. Because soft-reconfiguration6 is enabled on both neighbors, the changed inbound policy can be re-evaluated against the stored received routes without tearing down the sessions.
FG # get router info6 bgp network
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

VRF 0 BGP table version is 2, local router ID is 1.1.1.1
   Network                  Next Hop                                   Metric LocPrf Weight RouteTag Path
*> ::/0                     fd12:3456:789a:1::1(fe80::9:fff:fe00:802)
                                 0                200        0 65001 ? <-/1>
*                           fd12:3456:789a:2::1(fe80::9:fff:fe00:903)
                                 0                100        0 65002 ? <-/->

Total number of prefixes 1
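For a verification that does not rely on reading the table by eye, the script below parses the output of get router info6 bgp network as it appears in Steps 1 and 5 and reports anything that contradicts the intended policy: a prefix other than ::/0 in the table, or a best path for ::/0 that is not via ISP1. This is an added example, not FortiOS code or part of this article. The two sample tables are copied from the article with the column layout flattened the way the page shows them; the entry fields and the column mapping (Metric, Weight, RouteTag, then AS path and origin, with LocPrf blank for eBGP paths) are assumptions.

```python
"""Parser and policy check for 'get router info6 bgp network' output (added
example, not FortiOS code). Sample tables are taken from the article; the
BgpPath fields and the attribute column mapping are assumptions."""
from dataclasses import dataclass
from ipaddress import IPv6Network, ip_network
from typing import List, Optional, Tuple

# Step 5 table as shown on the page (line-wrapped attributes on their own line).
AFTER_FILTER = """\
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
VRF 0 BGP table version is 2, local router ID is 1.1.1.1
Network Next Hop Metric LocPrf Weight RouteTag Path
*> ::/0 fd12:3456:789a:1::1(fe80::9:fff:fe00:802)
0 200 0 65001 ? <-/1>
* fd12:3456:789a:2::1(fe80::9:fff:fe00:903)
0 100 0 65002 ? <-/->
Total number of prefixes 1
"""

# Excerpt of the Step 1 table (two of its three prefixes), same layout.
BEFORE_FILTER = """\
Network Next Hop Metric LocPrf Weight RouteTag Path
*> ::/0 fd12:3456:789a:1::1(fe80::9:fff:fe00:802)
0 1000 0 65001 ? <-/1>
* fd12:3456:789a:2::1(fe80::9:fff:fe00:903)
0 0 0 65002 ? <-/->
*> 2001:4860:4860::8844/128
fd12:3456:789a:1::1(fe80::9:fff:fe00:802)
0 1000 0 65001 i <-/1>
* fd12:3456:789a:2::1(fe80::9:fff:fe00:903)
0 0 0 65002 i <-/->
Total number of prefixes 2
"""


@dataclass(frozen=True)
class BgpPath:
    prefix: IPv6Network
    next_hop: str               # global next hop; link-local in parentheses dropped
    best: bool                  # '>' status flag
    weight: int
    as_path: Tuple[str, ...]    # AS numbers followed by the origin code


def parse_bgp_table(text: str) -> List[BgpPath]:
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    # Skip the legend; entries start after the column header.
    start = next(i for i, ln in enumerate(lines) if ln.startswith("Network")) + 1
    paths: List[BgpPath] = []
    prefix: Optional[IPv6Network] = None
    pending: Optional[dict] = None
    for ln in lines[start:]:
        if ln.startswith("Total number"):
            break
        toks = ln.split()
        if toks[0].startswith("*"):
            # Status line: '*> <prefix> <nexthop>', '* <nexthop>' (another path
            # for the same prefix) or '*> <prefix>' with the next hop wrapped.
            rest = toks[1:]
            if rest and "/" in rest[0]:
                prefix = ip_network(rest[0])
                rest = rest[1:]
            pending = {"prefix": prefix, "best": ">" in toks[0],
                       "next_hop": rest[0].split("(")[0] if rest else None}
        elif pending is not None and ":" in toks[0]:
            # Wrapped next-hop line.
            pending["next_hop"] = toks[0].split("(")[0]
        elif pending is not None:
            # Attribute line: metric, weight, route tag, AS path, origin; the
            # trailing '<-/n>' marker is ignored.
            attrs = [t for t in toks if not t.startswith("<")]
            paths.append(BgpPath(pending["prefix"], pending["next_hop"], pending["best"],
                                 int(attrs[1]), tuple(attrs[3:])))
            pending = None
    return paths


def check_policy(paths: List[BgpPath], expected_best_neighbor: str) -> List[str]:
    """Return the list of violations; empty means the table looks as Step 5 expects."""
    problems: List[str] = []
    default = ip_network("::/0")
    extra = sorted({str(p.prefix) for p in paths if p.prefix != default})
    if extra:
        problems.append("prefixes other than ::/0 accepted: " + ", ".join(extra))
    best = [p for p in paths if p.best and p.prefix == default]
    if len(best) != 1:
        problems.append(f"expected one best path for ::/0, found {len(best)}")
    elif best[0].next_hop != expected_best_neighbor:
        problems.append(f"::/0 best path is via {best[0].next_hop}, "
                        f"expected {expected_best_neighbor}")
    return problems


def path_count(text: str) -> int:
    return len(parse_bgp_table(text))


if __name__ == "__main__":
    for name, table in (("before", BEFORE_FILTER), ("after", AFTER_FILTER)):
        print(name, check_policy(parse_bgp_table(table), "fd12:3456:789a:1::1") or "OK")
```

Run against the Step 1 excerpt the check reports the extra /128 prefix; against the Step 5 table it reports nothing. Feeding it the live output of the same command (for example captured over SSH) turns the manual inspection in Step 5 into a repeatable check that can run after every ISP policy change.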
|
Copyright 2025 Fortinet, Inc. All Rights Reserved.