Description |
This article describes the additional steps required to replace the AS-PATH for any received BGP prefix for redistribution to another BGP peer.
As a general practice, BGP provides the capability of using AS-OVERRIDE in situations where there is a need to accept a prefix even though the AS-PATH of that prefix contains the local AS number of the receiving unit. |
Scope | FortiGate. |
Solution |
In this given topology, AS65512 has two geographically separated sites, and prefix 9.7.3.8/32 is being advertised to AS65514 (R3 FGT) from AS65513 (R2). R2 has received this prefix from HQ AS65512 (R1). Note: AS65512 at the branch side (Juniper device) is a VRF; it is referred to here as router R4 (vrf).
In an MSP environment, especially when the same device is acting as both a PE and a CE device, route exchange occurs in a non-standard manner.
The 'as-override' option works a little differently in FortiGate. Once used for any neighbor, this command will not replace the whole AS-PATH of the advertised prefix with the local AS number; it replaces only the AS number of the receiving neighbor, and the rest of the AS numbers remain intact, as below:

R4#get router info bgp neighbors 10.56.242.61 received-routes
*> 9.7.3.8/32 10.56.242.61 0 0 64512 64514 65513 65512 i <-/-> <-----

Behavior after allowas-in at the R4 side. However, this solution still will not work on a Juniper device, as Juniper can still see the 64513 AS number as one of its VRFs and will drop the route.

R4#get router info bgp neighbors 10.56.242.61 received-routes
Configuration Change at FortiGate:
R3# config router route-map
    edit "aspath-test"
        config rule
            edit 1
                set match-as-path "path-test"
                set set-aspath-action replace <-----
                set set-aspath "10000"
                unset set-ip-nexthop
                unset set-ip6-nexthop
                unset set-ip6-nexthop-local
                unset set-originator-id
            next
        end
    next
end
!

R3# config router aspath-list
    edit "path-test"
        config rule
            edit 1
                set action permit
                set regexp ".*"
            next
        end
    next
end

R3#config router bgp
R3(bgp) # config neighbor
R3(neighbor) edit 10.56.240.77
    set advertisement-interval 1
    set bfd enable
    set link-down-failover enable
    set next-hop-self enable
    set soft-reconfiguration enable
    set remote-as 65512
    set route-map-out "aspath-test" <-----
next
end
Test:
R4#get router info bgp neighbors 10.56.242.61 received-routes | grep 9.7 |
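The difference between as-override and the route-map replace action can be checked with a small model. This is an added example, not Fortinet code or output from the article. Assumptions: the sample path, the receiver's AS set, and the function names are constructed, and Python's `re` stands in for the FortiOS regexp engine.

```python
import re

def as_override(as_path, neighbor_as, local_as):
    """as-override as the article describes it: only the receiving
    neighbor's AS is swapped for the local AS, the rest stays intact."""
    return [local_as if asn == neighbor_as else asn for asn in as_path]

def route_map_replace(as_path, regexp, new_path):
    """Route-map rule with set-aspath-action replace: when the aspath-list
    regexp matches, the whole path becomes new_path.
    Assumption: Python's re approximates the FortiOS regexp engine."""
    text = " ".join(str(asn) for asn in as_path)
    return list(new_path) if re.search(regexp, text) else list(as_path)

def receiver_accepts(as_path, receiver_ases, allowas_in=0):
    """BGP loop prevention at the receiver: reject when any AS the receiver
    treats as its own appears more than allowas_in times."""
    return all(as_path.count(asn) <= allowas_in for asn in receiver_ases)

def compare(received, neighbor_as, local_as, receiver_ases):
    """Return {policy: (path, accepted)} for each outbound policy.
    Paths are shown before the sender prepends its own AS on the eBGP session."""
    policies = {
        "none": list(received),
        "as-override": as_override(received, neighbor_as, local_as),
        "replace": route_map_replace(received, ".*", [10000]),
    }
    return {name: (path, receiver_accepts(path, receiver_ases))
            for name, path in policies.items()}

# Constructed sample: path as R3 (AS65514) holds it after learning the
# prefix from R2 (AS65513), which learned it from R1 (AS65512).
SAMPLE = [65513, 65512]
# Constructed receiver: R4 is AS65512 and, as an assumption, also treats
# 65513 as local because another VRF on the same device uses it.
RESULT = compare(SAMPLE, neighbor_as=65512, local_as=65514,
                 receiver_ases={65512, 65513})

if __name__ == "__main__":
    for name, (path, ok) in RESULT.items():
        print(f"{name:12} {path} accepted={ok}")
    # ".*" is a catch-all: an unrelated path is rewritten as well.
    print(route_map_replace([65520, 65530], ".*", [10000]))
```

Because the regexp ".*" matches every AS-PATH, the route-map rewrites all prefixes advertised to that neighbor, not only 9.7.3.8/32. The rewritten path no longer carries the AS numbers that BGP loop prevention relies on.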