Hey everyone!
We are trying to limit distributed BGP routes to neighbors using "set match-interface" for the source of the route. The issue we are having is that this does not seem to work together with neighbor route-map-out.
As a work around, we are using set match-interface on redistribute connected and redistribute static and setting tags to later filter on the neighbor route-map-out.
The question is how does "set match interface" actually work on a route-map-out. Documentation seemed very scarce on this topic. I am guessing it is matching the interface the neighbor is on, and not actually the source of the route?
Any ideas?
Thanks in advance,
RK
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
I think your "work around" is actually the correct way to use "match-interface" in a route-map as in this KB.
https://kb.fortinet.com/kb/documentLink.do?externalID=FD50786
"route-map-out" under neighbor config is to filter routes already in BGP table. So it wouldn't deal with the outside source, like other protocol like OSPF, static routes, or connected routes, etc. You have to use "match-interface" for connected route redistribution, which deals with interfaces.
I think your "work around" is actually the correct way to use "match-interface" in a route-map as in this KB.
https://kb.fortinet.com/kb/documentLink.do?externalID=FD50786
"route-map-out" under neighbor config is to filter routes already in BGP table. So it wouldn't deal with the outside source, like other protocol like OSPF, static routes, or connected routes, etc. You have to use "match-interface" for connected route redistribution, which deals with interfaces.
Thanks Toshi!
Guess I was hoping it was more like Cisco's and allow me to skip the step of having two route-maps
https://www.cisco.com/c/m/en_us/techdoc/dc/reference/cli/n5k/commands/match-ip-address.html
match interface Distributes any routes that have their next hop out one of the interfaces specified.
You can still filter the prefix configured on the interface in a route-map, instead of using "match-interface", and apply the route-map to route-map-out. That's what we regularly do so we never used "match-interface" so far.
But on the other hand, filtering as closest to the source as possible is always a good mantra to have.
This part of routing protocol implementation is vendor proprietary. Each like Fortinet, Cisco, Juniper, etc. seems to be different some ways with my experience. Until you test each yourself, you wouldn't be able to know.
toshiesumi wrote:Hi Toshi - thanks, that's exactly what I needed! ;)I think your "work around" is actually the correct way to use "match-interface" in a route-map as in this KB.
https://kb.fortinet.com/kb/documentLink.do?externalID=FD50786
"route-map-out" under neighbor config is to filter routes already in BGP table. So it wouldn't deal with the outside source, like other protocol like OSPF, static routes, or connected routes, etc. You have to use "match-interface" for connected route redistribution, which deals with interfaces.
I have to exclude WAN interfaces in my iBGP setup (don't want public IPs being redistributed internally) and this is the only solution that works.
F.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1720 | |
1095 | |
752 | |
447 | |
234 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.