Trixsta101
New Contributor II

Need to advertise single route to ISP but Block all Internal routes

Hi,

 

Have BGP peers set up currently, but it's sending all internal routes to our ISP. I'd like to advertise only 111.69.40.246/29 (example IP) to them, restricting all internal connected routes from being advertised.

 

What I have done so far:

 

config router bgp
config network
edit 1
set prefix 111.69.40.246 255.255.255.248
next
end
end

config router bgp
set network-import-check disable
end

 

Can I apply a prefix-list to the neighbor config? Or do I apply a prefix-list to a route map and apply the route map to the neighbor config? Would the below work?

 

config router prefix-list
edit "WWW_OUT"
config rule
edit 1
set prefix 111.69.40.246 255.255.255.248
unset ge
unset le
next
edit 5
set action deny
set prefix any
unset ge
unset le
next
end
next
end

 

Many thanks

Toshi_Esumi
Esteemed Contributor III

You could try applying it directly to the neighbor with "set prefix-list-out". But I recommend you compose a route-map and wrap the prefix-list around for future flexibility then apply it to the neighbor with "set route-map-out". With that way, you don't have to have the "deny all" section in the prefix-list because route-map has implicit deny at the end. You can add different prefix-list for either deny or permit in the same route-map when you need.

 

config router route-map

  edit "Limit-Advertisement"

    config rule

      edit 1

        set action permit  (default value)

        set match-ip-address "WWW_OUT"

      next

    end

  next

end

 

Toshi

 

 

Trixsta101

Thank you will give this a try and get back to you.

Toshi_Esumi
Esteemed Contributor III

You probably know already, but to check it you can use "get router info bgp neighbors <neighbor_IP> advertised-routes".

Trixsta101

Thanks,

 

So the prefix-list can simply be

 

config rule
edit 1
set prefix 111.69.4.246 255.255.255.248
unset ge
unset le
next
end

Toshi_Esumi
Esteemed Contributor III

Yes. The route-map would look for only the prefix to match.

 

Toshi

Trixsta101

Hi,

 

Made the changes, but checking "get router info bgp neighbors <neighbor_IP> advertised-routes", the IP listed in the prefix list doesn't show?

It has stopped all the internal routes which is great.

 

Any idea why it won't advertise?

 

config rule
edit 1
set prefix 111.69.4.246 255.255.255.248
unset ge
unset le
next
end

 

to the route map 

 

config router route-map

  edit "Limit-Advertisement"

    config rule

      edit 1

        set match-ip-address "WWW_OUT"

      next

    end

  next

end

 

Then applied to neighbor

 

set bfd enable
set soft-reconfiguration enable
set remote-as 4200002015
set route-map-in "Primary_ISP_WWW"
set route-map-out "Limit-Advertisement"
next
end

 

Toshi_Esumi
Esteemed Contributor III

111.69.4.246 is not the subnet address of the /29. 111.69.4.240 is. Take a look at the routing table or BGP table to see what's in there. It should be 111.69.4.240/29. You need to match that with your prefix-list.
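To make the point above concrete, here is a small Python model of prefix-list matching, added as an example and not FortiOS code or anything from this thread's posters. It assumes Cisco-style semantics (a rule matches when the route lies inside the rule's prefix and the route's length falls within the ge/le bounds; with ge and le unset, only the rule's own length matches) and that a prefix typed with host bits set is kept literally and so never equals a real network address. The BGP table, the prefix-list helper and the function names are all constructed for the example. It also goes one step beyond the thread by handling ge/le bounds, so the same matcher can be used to reason about wider permit rules.

```python
"""Model of prefix-list matching for the problem in this thread (added example,
not FortiOS code). Assumed semantics: a rule matches a route when the route lies
inside the rule's prefix and the route's length is within [ge, le]; with ge/le
unset the length must equal the rule's own length. A rule typed with a host
address (host bits set) never matches, reproducing the symptom reported above."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of what "get router info bgp network" might hold.
BGP_TABLE = [
    "111.69.4.240/29",   # the public /29 the poster wants to advertise
    "10.10.0.0/24",      # internal routes that must not leak to the ISP
    "192.168.50.0/24",
    "172.16.0.0/16",
]


def network_address(fortios_prefix: str) -> str:
    """Convert 'a.b.c.d m.m.m.m' (the form used by 'set prefix') to the
    network address in CIDR form, clearing any host bits the operator typed."""
    addr, mask = fortios_prefix.split()
    return str(ipaddress.ip_network(f"{addr}/{mask}", strict=False))


@dataclass
class PrefixRule:
    """One rule of a prefix-list: a prefix, an action and optional ge/le."""
    prefix: str                 # e.g. "111.69.4.240/29"
    action: str = "permit"
    ge: Optional[int] = None    # unset ge: lower bound is the rule's own length
    le: Optional[int] = None    # unset le: upper bound is 32 if ge is set, else own length

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        try:
            # strict=True: a prefix with host bits set is not a valid network
            rule_net = ipaddress.ip_network(self.prefix, strict=True)
        except ValueError:
            return False        # a host address is not a prefix; nothing can equal it
        if not route.subnet_of(rule_net):
            return False        # route is not inside the rule's prefix
        plen = rule_net.prefixlen
        lo = self.ge if self.ge is not None else plen
        if self.le is not None:
            hi = self.le
        elif self.ge is not None:
            hi = rule_net.max_prefixlen
        else:
            hi = plen           # neither ge nor le: exact length match
        return lo <= route.prefixlen <= hi


def evaluate(rules: List[PrefixRule], route: ipaddress.IPv4Network) -> str:
    """First matching rule wins; an unmatched route hits the implicit deny."""
    for rule in rules:
        if rule.matches(route):
            return rule.action
    return "deny"


def advertised(table: List[str], rules: List[PrefixRule]) -> List[str]:
    """Routes from the BGP table that a route-map-out built on `rules` lets through."""
    return [p for p in table if evaluate(rules, ipaddress.ip_network(p)) == "permit"]


if __name__ == "__main__":
    as_typed = [PrefixRule("111.69.4.246/29")]
    corrected = [PrefixRule(network_address("111.69.4.246 255.255.255.248"))]
    print("as typed :", advertised(BGP_TABLE, as_typed))     # []
    print("corrected:", advertised(BGP_TABLE, corrected))    # ['111.69.4.240/29']
```

Under these assumptions the rule as typed matches nothing, which is exactly the "stopped all internal routes but the /29 does not show" outcome: the implicit deny still blocks the internal prefixes, but the permit never fires. Normalising the entry to 111.69.4.240/29 lets only that one route through.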


  

Toshi_Esumi
Esteemed Contributor III

Also, based on your original post "sending all internal routes" the /29 was advertised among all other routes when you didn't apply the route-map/prefix-list to the neighbor. But now I'm not sure.

If the IP is configured on an interface of the FGT, it's not going into the BGP domain until you configure re-advertisement of "connected" routes. If that's the case, you need to configure the below in BGP.

 

config router bgp

  config redistribute "connected"
    set status enable

  end
end

 

Then check the BGP table (not routing-table(RIB)) with below. Just expect it might show a lot and you might need to "grep" the output.

 

get router info bgp network

 

 

Toshi
