Description
This article describes how to redistribute into OSPF only those BGP routes that were learned with a particular BGP community. Because BGP communities are not visible to OSPF, the routes are marked with a route tag on ingress and the tag is used to filter the redistribution. This solution requires FortiOS 6.4.3 or later (Bug ID 644461).
Scope
FortiGate.
Solution
Consider the following example case:
- ROUTER 1 and FORTIGATE are BGP neighbors. ROUTER 1 advertises 192.168.233.0/24 to FORTIGATE with BGP community 6500:100 and 192.168.234.0/24 with BGP community 6501:101.
- FORTIGATE and ROUTER 2 are OSPF neighbors.
- Only the BGP routes learned with BGP community 6500:100 should be redistributed into OSPF.
1) A BGP community is an attribute specific to BGP, so it cannot be used directly to filter which BGP routes are redistributed into OSPF. Instead, an inbound BGP route map matches the communities and assigns a route tag to each route; the tag is a protocol-independent attribute that the OSPF redistribution route map can match.
2) In the above example, verify which routes carry which community with the following command:
# get router info bgp network <route learned>
3) Add an inbound route map to the BGP configuration of the FORTIGATE that tags the routes learned with BGP community 6500:100 with the value 200 and the routes learned with BGP community 6501:101 with the value 100.
4) Create a community list for each BGP community, with a rule that permits routes matching that community value.
# config router community-list
    edit "6500:100"
        config rule
            edit 1
                set action permit
                set match "6500:100"
            next
        end
    next
    edit "6501:101"
        config rule
            edit 1
                set action permit
                set match "6501:101"
            next
        end
    next
end
5) Create an inbound route map that tags the routes according to the community list they match. Route map rules are evaluated in order and the first matching rule applies; a route that matches no rule is denied, so if ROUTER 1 advertises other prefixes that should still be accepted, add a final rule with no match clause (a catch-all permit) after rule 2.
# config router route-map
    edit "inbound"
        config rule
            edit 1
                set match-community "6500:100" <- Created above
                set set-tag 200
            next
            edit 2
                set match-community "6501:101" <- Created above
                set set-tag 100
            next
        end
    next
end
6) Reference the inbound route map in the BGP neighbor configuration of the FORTIGATE.
# config router bgp
    set as 101
    set router-id 172.16.1.1
    config neighbor
        edit "172.16.1.102"
            set interface "lan"
            set remote-as 100
            set route-map-in "inbound" <- INBOUND ROUTE-MAP
        next
    end
end
7) Create a route map for OSPF redistribution that matches only tag 200, the tag assigned to BGP routes learned with BGP community 6500:100. Routes with any other tag (or no tag) match no rule and are therefore not redistributed.
# config router route-map
    edit "outbound-OSPF"
        config rule
            edit 1
                set match-tag 200 <- use routes with tag 200 only
            next
        end
    next
end
8) Reference the route map 'outbound-OSPF' in the BGP redistribution section of the OSPF configuration of the FORTIGATE.
# config router ospf
    set router-id 172.16.88.1
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "ospf"
            set interface "lan"
        next
    end
    config network
        edit 1
            set prefix 0.0.0.0 0.0.0.0
        next
    end
    config redistribute "connected"
    end
    config redistribute "static"
    end
    config redistribute "rip"
    end
    config redistribute "bgp"
        set status enable <- Set redistribution status enable
        set routemap "outbound-OSPF" <- Set route-map
    end
    config redistribute "isis"
    end
end
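The following is an added example, not configuration from the original article. It shows the inbound route map extended with a catch-all rule so that prefixes ROUTER 1 advertises without either community are still accepted into the BGP table (untagged, and therefore not redistributed into OSPF), followed by the FortiOS commands used to check the result. The rule number 99 and the idea that ROUTER 1 might advertise additional prefixes are assumptions for illustration; the prefixes are those of the example above.

```fortios
# config router route-map
    edit "inbound"
        config rule
            edit 1
                set match-community "6500:100"
                set set-tag 200
            next
            edit 2
                set match-community "6501:101"
                set set-tag 100
            next
            edit 99    <- catch-all (rule number is an assumption): no match clause, so every remaining route is permitted untagged
                set action permit
            next
        end
    next
end

# get router info bgp network 192.168.233.0/24    <- on FORTIGATE: the Community line should show 6500:100
# get router info bgp network 192.168.234.0/24    <- on FORTIGATE: the Community line should show 6501:101
# get router info routing-table all               <- on FORTIGATE: both prefixes present as BGP routes
# get router info ospf database brief             <- on FORTIGATE: one AS External LSA originated for 192.168.233.0/24
# get router info routing-table all               <- on ROUTER 2 (if it is a FortiGate): 192.168.233.0/24 via OSPF only
```

Without rule 99, a third prefix carrying neither community would be dropped by the inbound route map and never appear in the FORTIGATE routing table at all, which is easy to mistake for a redistribution problem when the cause is the implicit deny of the inbound route map. The 'outbound-OSPF' route map intentionally has no catch-all, since denying everything but tag 200 is the desired behaviour there.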
Verification:
The routing table of ROUTER 2 should contain 192.168.233.0/24 learned via OSPF from the FORTIGATE, and should not contain 192.168.234.0/24, which is tagged 100 and so does not match the 'outbound-OSPF' route map.
Copyright 2024 Fortinet, Inc. All Rights Reserved.