FortiGate
JaskiratM (Staff)
Article Id 240300

Description

 

This article describes how to redistribute BGP routes learned with different BGP communities into OSPF. This solution requires FortiOS 6.4.3 or above (Bug ID# 644461).

 

Scope

 

FortiGate.

 

Solution

 

Consider the following example case:

- ROUTER 1 and the FortiGate are BGP neighbors. ROUTER 1 advertises 192.168.233.0/24 to the FortiGate with BGP-COMMUNITY 6500:100 and 192.168.234.0/24 with BGP-COMMUNITY 6501:101.

- The FortiGate and ROUTER 2 are OSPF neighbors.

- Only the BGP routes learned with BGP-COMMUNITY 6500:100 should be redistributed into OSPF.

 

1) Since a BGP-COMMUNITY is an attribute specific to the BGP protocol, it cannot be used directly to select which BGP routes are redistributed into OSPF. Instead, an inbound route map tags the routes learned with each BGP-COMMUNITY, and the OSPF redistribution route map then matches on those tags.

 

2) In the above example, verify which BGP community each learned route carries using the following command:

# get router info bgp network <route learnt>

 

3) Now, add an inbound route map to the BGP configuration of the FortiGate that tags the routes learned with BGP-COMMUNITY '6500:100' with the value '200' and the routes learned with BGP-COMMUNITY '6501:101' with the value '100'.

 

4) Add a community list for each BGP-COMMUNITY, with the rule action set to permit.

# config router community-list
    edit "6500:100"
        config rule
            edit 1
                set action permit
                set match "6500:100"
            next
        end
    next
    edit "6501:101"
        config rule
            edit 1
                set action permit
                set match "6501:101"
            next
        end
    next
end

 

5) Create an inbound route map that tags the routes learned through their respective BGP-COMMUNITIES.

# config router route-map
    edit "inbound"
        config rule
            edit 1
                set match-community "6500:100"  <- Created above
                set set-tag 200
            next
            edit 2
                set match-community "6501:101"  <- Created above
                set set-tag 100
            next
        end
    next
end

 

6) Reference the inbound route map in the BGP configuration of the FortiGate.

# config router bgp
    set as 101
    set router-id 172.16.1.1
    config neighbor
        edit "172.16.1.102"
            set interface "lan"
            set remote-as 100
            set route-map-in "inbound"   <- INBOUND ROUTE-MAP
        next
    end
end

 

7) Create a route map for the routes redistributed into OSPF that matches tag 200, i.e. the BGP routes learned with BGP-COMMUNITY '6500:100'.

# config router route-map
    edit "outbound-OSPF"
        config rule
            edit 1
                set match-tag 200 <- use routes with tag 200 only
            next
        end
    next
end

 

8) Reference the route map 'outbound-OSPF' in the OSPF configuration of the FortiGate.

# config router ospf
    set router-id 172.16.88.1
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "ospf"
            set interface "lan"
        next
    end
    config network
        edit 1
            set prefix 0.0.0.0 0.0.0.0
        next
    end
    config redistribute "connected"
    end
    config redistribute "static"
    end
    config redistribute "rip"
    end
    config redistribute "bgp"
        set status enable        <- Set redistribution status enable
        set routemap "outbound-OSPF"    <- Set route-map
    end
    config redistribute "isis"
    end
end
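The filtering chain configured in steps 4 to 8 (community list, inbound route map setting a tag, redistribution route map matching the tag), modelled in Python as an added example that is not part of this article or of FortiOS itself. It assumes standard route-map semantics (rules are evaluated in sequence order, the first match wins, a route matching no rule is denied); the third prefix 192.168.235.0/24 and community 6502:102 are constructed to show that case.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class BgpRoute:
    prefix: str
    communities: frozenset   # BGP communities carried by the route
    tag: int = 0             # FortiOS route tag, 0 = untagged

# config router community-list: list name -> communities a route must carry
COMMUNITY_LISTS = {
    "6500:100": frozenset({"6500:100"}),
    "6501:101": frozenset({"6501:101"}),
}

# config router route-map "inbound": rules are evaluated in sequence order,
# the first match wins, and a route matching no rule is denied (implicit
# deny is assumed here, as in standard route-map semantics).
INBOUND_ROUTE_MAP = [
    {"match-community": "6500:100", "set-tag": 200},
    {"match-community": "6501:101", "set-tag": 100},
]

# config router route-map "outbound-OSPF": only tag 200 is permitted
OUTBOUND_OSPF_TAGS = {200}

def apply_inbound(route):
    """Return the tagged route, or None if the inbound route-map denies it."""
    for rule in INBOUND_ROUTE_MAP:
        if COMMUNITY_LISTS[rule["match-community"]] <= route.communities:
            return BgpRoute(route.prefix, route.communities, rule["set-tag"])
    return None

def redistribute_to_ospf(routes):
    """Prefixes that pass the inbound route-map and carry a permitted tag."""
    tagged = (apply_inbound(r) for r in routes)
    return [r.prefix for r in tagged if r is not None and r.tag in OUTBOUND_OSPF_TAGS]

# Constructed sample: the two prefixes from the article plus a third prefix
# with an unrelated community (hypothetical) to show the implicit-deny case.
SAMPLE_ROUTES = [
    BgpRoute("192.168.233.0/24", frozenset({"6500:100"})),
    BgpRoute("192.168.234.0/24", frozenset({"6501:101"})),
    BgpRoute("192.168.235.0/24", frozenset({"6502:102"})),
]

if __name__ == "__main__":
    print(redistribute_to_ospf(SAMPLE_ROUTES))  # ['192.168.233.0/24']
```

Only 192.168.233.0/24 reaches OSPF; 192.168.234.0/24 is installed with tag 100 but filtered by 'outbound-OSPF', and the constructed third prefix never passes the inbound route map at all.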

 

Verification:

The routing table of ROUTER 2 should contain only 192.168.233.0/24, learned via OSPF from the FortiGate.

 

Related documents:

- https://community.fortinet.com/t5/FortiGate/How-to-use-BGP-community-list-to-include-BGP-path-attrib...

- https://community.fortinet.com/t5/FortiGate/Technical-Note-How-to-control-filter-OSPF-route-redistri...