BGP Route-map - set match-interface
Hey everyone!
We are trying to limit distributed BGP routes to neighbors using "set match-interface" for the source of the route. The issue we are having is that this does not seem to work together with neighbor route-map-out.
As a work around, we are using set match-interface on redistribute connected and redistribute static and setting tags to later filter on the neighbor route-map-out.
The question is how does "set match interface" actually work on a route-map-out. Documentation seemed very scarce on this topic. I am guessing it is matching the interface the neighbor is on, and not actually the source of the route?
Any ideas?
Thanks in advance,
RK
I think your "work around" is actually the correct way to use "match-interface" in a route-map as in this KB.
https://kb.fortinet.com/kb/documentLink.do?externalID=FD50786
"route-map-out" under neighbor config is to filter routes already in the BGP table. So it wouldn't deal with the outside source, like other protocols such as OSPF, static routes, or connected routes, etc. You have to use "match-interface" for connected route redistribution, which deals with interfaces.
Thanks Toshi!
Guess I was hoping it was more like Cisco's and would allow me to skip the step of having two route-maps.
https://www.cisco.com/c/m/en_us/techdoc/dc/reference/cli/n5k/commands/match-ip-address.html
match interface Distributes any routes that have their next hop out one of the interfaces specified.
You can still filter the prefix configured on the interface in a route-map, instead of using "match-interface", and apply the route-map to route-map-out. That's what we regularly do, so we have never used "match-interface" so far.
But on the other hand, filtering as closest to the source as possible is always a good mantra to have.
This part of routing protocol implementation is vendor proprietary. Each vendor, like Fortinet, Cisco, Juniper, etc., seems to be different in some ways in my experience. Until you test each yourself, you wouldn't be able to know.
toshiesumi wrote:
> I think your "work around" is actually the correct way to use "match-interface" in a route-map as in this KB.
> https://kb.fortinet.com/kb/documentLink.do?externalID=FD50786
> "route-map-out" under neighbor config is to filter routes already in the BGP table. So it wouldn't deal with the outside source, like other protocols such as OSPF, static routes, or connected routes, etc. You have to use "match-interface" for connected route redistribution, which deals with interfaces.

Hi Toshi - thanks, that's exactly what I needed! ;)
I have to exclude WAN interfaces in my iBGP setup (don't want public IPs being redistributed internally) and this is the only solution that works.
F.
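The two-route-map pattern the thread settles on (match-interface at redistribution, tag filtering at the neighbor), written out as a FortiOS CLI example for F.'s case of keeping WAN-interface prefixes out of iBGP. This is an added example, not configuration from the thread or the Fortinet KB; the interface names wan1/wan2, AS 65000, peer 10.0.0.2 and tag 666 are assumed placeholders.

```fortios
# Added example, not from the thread. Assumed: wan1/wan2 carry public IPs,
# 10.0.0.2 is the iBGP peer, AS 65000, tag 666 marks "do not advertise".
config router route-map
    # Applied at redistribution: here the connected route still knows its
    # source interface, so match-interface works. Rules default to permit.
    edit "rm-redist-connected"
        config rule
            edit 1
                set match-interface "wan1"
                set set-tag 666
            next
            edit 2
                set match-interface "wan2"
                set set-tag 666
            next
            edit 3
            # no match criteria: every other connected route passes untagged
            next
        end
    next
    # Applied to the neighbor: the route is already in the BGP table, so
    # filter on the tag set above, not on the interface.
    edit "rm-ibgp-out"
        config rule
            edit 1
                set action deny
                set match-tag 666
            next
            edit 2
                set action permit
            next
        end
    next
end

config router bgp
    set as 65000
    config redistribute "connected"
        set status enable
        set route-map "rm-redist-connected"
    end
    config neighbor
        edit "10.0.0.2"
            set remote-as 65000
            set route-map-out "rm-ibgp-out"
        next
    end
end
```

After applying it, `get router info bgp network` should still list the WAN prefixes locally (tagged 666) while `get router info bgp neighbors 10.0.0.2 advertised-routes` omits them; a prefix-list on the route-map-out, as Toshi describes, is the alternative when tagging at redistribution is not wanted.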
