Description
This article demonstrates how to redistribute static routes into BGP selectively, using a FortiGate router access list (ACL).
Scope
FortiGate v6.4, v7.0, and v7.2.
Solution
Access lists are filters used by the FortiGate routing process (note: these are not the same as firewall access lists).
An ACL entry matches on a combination of IP and mask for granularity, so 10.0.0.0/8 is not the same as 10.0.0.0/16, and so on. Each entry also has an 'exact-match' setting. It tells FortiGate whether to match the mask portion exactly (set exact-match enable) or to also accept more specific masks: with set exact-match disable, FortiGate matches the exact mask stated in the ACL entry or any more specific mask. For example, 10.0.0.0/8 with exact-match disable will match 10.0.0.0/8 to 10.0.0.0/32.
Exact-match enable is the default configuration. To match more specific subnet masks with the ACL, disable exact-match.
This article uses a demonstration setup with two FortiGates (FG500D and FG300E):
FG500D has 5 static routes which the admin wants to access through FG300E. The two FortiGates are BGP peers in AS 65555.
To accomplish this, the following steps are taken:
1. Configure the ACL.
2. Reference the ACL from a route-map, since a route-map is the only filter that can be called under the BGP 'redistribute static' configuration.
3. Configure 'redistribute static' under BGP.
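The three steps above as a worked FortiOS CLI configuration; this is an added example, not the article's own configuration, and the ACL and route-map names, the prefixes, the five static routes and the peer address 10.255.0.2 are constructed placeholders. Lines beginning with # are annotations, not CLI input.

```text
# Added example, not the article's configuration; names, prefixes and the
# peer address are constructed placeholders. Applied on FG500D, whose
# constructed static routes are 10.10.0.0/16, 10.10.1.0/24, 172.16.5.0/24,
# 192.168.50.0/24 and 192.168.60.0/24; only the first three should reach FG300E.
# Step 1: ACL. Rule 1 has exact-match disabled so 10.10.1.0/24 matches as well;
# rule 2 keeps the default exact-match; rule 3 makes the implicit deny explicit.
config router access-list
    edit "ACL-STATIC-TO-BGP"
        config rule
            edit 1
                set action permit
                set prefix 10.10.0.0 255.255.0.0
                set exact-match disable
            next
            edit 2
                set action permit
                set prefix 172.16.5.0 255.255.255.0
            next
            edit 3
                set action deny
                set prefix any
            next
        end
    next
end
# Step 2: route-map that references the ACL
config router route-map
    edit "RM-STATIC-TO-BGP"
        config rule
            edit 1
                set action permit
                set match-ip-address "ACL-STATIC-TO-BGP"
            next
        end
    next
end
# Step 3: redistribute static into BGP through the route-map
config router bgp
    set as 65555
    config neighbor
        edit "10.255.0.2"
            set remote-as 65555
        next
    end
    config redistribute "static"
        set status enable
        set route-map "RM-STATIC-TO-BGP"
    end
end
```

On FG300E, `get router info routing-table bgp` should then list only the permitted prefixes; 192.168.50.0/24 and 192.168.60.0/24 must be absent.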
The result:
Copyright 2024 Fortinet, Inc. All Rights Reserved.