Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
make_beer_not_war
New Contributor II

Route map to stop advertising certain prefixes in BGP

I'm having trouble applying a route map to stop a FortiGate 201E from advertising certain connected subnets via BGP.

 

In my examples below I've only shown one prefix. I actually have 6 I want to stop advertising. I also want this FGT to continue advertising the default route.

 

I've tried a prefix list with the deny action set on the rules, and applying the route map to the neighbor, like this

 

config router prefix-list 
edit "ISP_allowed_eBGP"
config rule

edit 1
set action deny
set prefix 10.10.10.184 255.255.255.248
unset ge
unset le
next

 

edit 2
set prefix 0.0.0.0 0.0.0.0
unset ge
set le 32
next

end

end

 

config router route-map
edit "ISP_allowed_eBGP_route_map"
config rule
edit 1
set match-ip-address "ISP_allowed_eBGP"
next
end
next
end

 

conf router bgp
config neighbor
edit "10.10.10.189"
set route-map-out "ISP_allowed_eBGP_route_map"
next
end
end

 

I also tried 2 cresting separate prefix lists and setting the deny action on the rules within the route map, like this:

config router prefix-list
edit "ISP_deny_eBGP"
config rule
edit 1
set prefix 10.10.10.184 255.255.255.248
unset ge
unset le
next
end
next

 

edit ISP_permit_eBGP
config rule
edit 1
set prefix 0.0.0.0 0.0.0.0
unset ge
set le 32
next
end
next

end

 

config router route-map
edit "ISP_allowed_eBGP_route_map"
config rule
edit 1
set match-ip-address ISP_deny_eBGP
set action deny
next

 

edit 2
set match-ip-address ISP_permit_eBGP
set action permit
next
end

 

config router bgp

config neighbor
edit "10.10.10.189"
set route-map-out "ISP_allowed_eBGP_route_map"
next
end
end

 

 

Both of these attempts failed. "get router info bgp neighbors 10.10.10.189 advertised-routes" shows that 10.10.10.184/29 is still being advertised.

Something I didn't try yet is putting the route map under the redistribute connected config, like this:

config redistribute "connected"
set status enable
set route-map "ISP_allowed_eBGP_route_map"
end

 

Is that correct approach? If so, why would that work and not the other 2 attempts. Please help me to understand what I've done wrong and the correct approach to achieve what I want.

Thanks in advance.

1 Solution
Yurisk
Valued Contributor

You have 3 ways (with slight variations) of achieving this:

[ol]
  •  Create prefix-list that explicitly lists, one by one, all networks you WANT to advertise, all as "permit". The nets that are not in this prefix list will be denied automatically. Then apply this prefix list under BGP peer with 
    set prefix-list-out <name of the prefix list>
  • Create prefix-list that explicitly lists, one by one, all network you DON'T WANT to advertise, still with action "permit". THen create route-map with 1st action "deny" using this prefix-list, and followed by the next entry in the route-map with action "allow" but without any prefix, which means "allow any nets not matched in the previous "deny" entry. Then apply this route-map out under the BGP peer.
  • Create prefix-list that explicitly lists, one by one, all networks you WANT to advertise, all as "permit". The nets that are not in this prefix list will be denied automatically. Then use this prefix-list in a route-map, which in turn apply under "router bgp" "redistribute connected". This is preferred way as you always want to filter closest to the source.[/ol]

    NOTE: It is a common practice to use "allow" only statements in prefix-lists when you later use them in a route-map. 

    You may find more examples in my post: https://yurisk.info/2020/05/20/fortigate-bgp-cookbook-of-example-configuration-and-debug/ 

  • Yuri
    https://yurisk.info/ blog: All things Fortinet, no ads.


    All opinions are mine only.

    View solution in original post

    8 REPLIES 8
    emnoc
    Esteemed Contributor III

    Did you clear the bgp router process after applying the route-map?

     

    I would do a diag debug and gather details

     

     

    e.g

     

      diag ip router bgp updates out en

      diag debug enable

     

    Ken Felix

    PCNSE 

    NSE 

    StrongSwan  

    Toshi_Esumi
    Esteemed Contributor II

    For the first one, edit 2 is questionable. I would set like below:

    edit 2

      set prefix any

      unset ge

      unset le

    next

     

    edit 1 looks fine. At least that's what I did for some cases and worked.

    make_beer_not_war

    Thanks, for your advice. I would have thought that

    set prefix 0.0.0.0 0.0.0.0

    unset ge
    set le 32

     

    is functionally equivalent to

    set prefix any

    unset ge

    unset le

     

    But the latter is certainly simpler. I'll give it a go.

    make_beer_not_war

    Thanks Ken. I did not clear BGP although I did wait a few minutes. I'll reapply the config tonight and try "execute router clear bgp all out", which I assume should have the required effect. I'll enable debugging before applying the config too.

     

    Do you have any advice on the correct approach to the route map, please? Would I set the deny action on the prefix list rule, or on the rule in the route map? Or both? And would I apply the route map to the neighbor, or apply it under the "config redistribute..." section (in my case it would be under redistribute connected)?

    Toshi_Esumi

    One more thing. I wouldn't apply the route-map to BGP neighbor clause, but to redistributed connected clause, not to go into BGP domain.

    Yurisk
    Valued Contributor

    You have 3 ways (with slight variations) of achieving this:

    [ol]
  •  Create prefix-list that explicitly lists, one by one, all networks you WANT to advertise, all as "permit". The nets that are not in this prefix list will be denied automatically. Then apply this prefix list under BGP peer with 
    set prefix-list-out <name of the prefix list>
  • Create prefix-list that explicitly lists, one by one, all network you DON'T WANT to advertise, still with action "permit". THen create route-map with 1st action "deny" using this prefix-list, and followed by the next entry in the route-map with action "allow" but without any prefix, which means "allow any nets not matched in the previous "deny" entry. Then apply this route-map out under the BGP peer.
  • Create prefix-list that explicitly lists, one by one, all networks you WANT to advertise, all as "permit". The nets that are not in this prefix list will be denied automatically. Then use this prefix-list in a route-map, which in turn apply under "router bgp" "redistribute connected". This is preferred way as you always want to filter closest to the source.[/ol]

    NOTE: It is a common practice to use "allow" only statements in prefix-lists when you later use them in a route-map. 

    You may find more examples in my post: https://yurisk.info/2020/05/20/fortigate-bgp-cookbook-of-example-configuration-and-debug/ 

  • Yuri
    https://yurisk.info/ blog: All things Fortinet, no ads.


    All opinions are mine only.
    make_beer_not_war

    Thank you everyone who offered advice here. What I ended up doing was creating a prefix list containing the routes I didn't want advertised (example below shows 1, but in reality I have 6), and a separate prefix list with a catch all (as I still want to advertise the default route):

    config router prefix-list

    edit "ISP_deny_eBGP"

     

    set comments "see SR #382641"

     

    config rule

     

    edit 1

     

    set prefix 10.10.10.184 255.255.255.248

     

    unset ge

     

    unset le

     

    next

     

    end

     

    next

     

    edit "ISP_permit_eBGP"

     

    config rule

     

    edit 1

     

    set prefix 0.0.0.0 0.0.0.0

     

    unset ge

     

    set le 32

     

    next

     

    end

     

    next

     

    end

    Then created a route map with the applicable allow and deny actions: 

    config router route-map

    edit "ISP_allowed_eBGP_route_map"

     

    set comments "see SR #382641"

     

    config rule

     

    edit 1

     

    set action deny

     

    set match-ip-address "ISP_deny_eBGP"

     

    next

     

    edit 2

     

    set match-ip-address "ISP_permit_eBGP"

     

    next

     

    end

     

    next

     

    end

     Then I added the route map to the redistribute static config:

    config router bgp

    config redistribute "connected"

     

    set status enable

     

    set route-map "ISP_allowed_eBGP_route_map"

     

    end

     

    end

     I did previously try adding the map to the neighbor using "set route-map-out" as per your example, but it didn't seem to work. Possibly though that is because I didn't wait long enough, and didn't know about "execute router clear bgp all out", to clear out the route table. Regardless, the above config achieved exactly what I want.

    Benoit_Rech_FTNT

    Hello,

    Don't forget that when you perform configuration changes on a BGP neighbor, then you have to restart the connection with the peer, unless "soft-configuration" is enabled. Example: exec router clear bgp ip x.x.x.x  You can also check which prefixes are sent to the BGP peer using  get router info bgp neighbors x.x.x.x advertised-routes

     

    Best regards, Benoit