BGP does not install route in RIB if the next hop is a blackhole, RTBH configuration
Good day everyone,
I am trying to understand why: is it a bug, normal behavior, or my misunderstanding? Your help is much appreciated.
Problem: the FGVM learns a route via BGP, then, using a route-map, sets its next hop to the dummy address 192.0.2.1, which in turn exists as a static route of type blackhole on the very same FG. But the FG refuses to actually install this learned route in the RIB.
The idea is to implement Remotely Triggered Black Hole Routing (RTBH).
The route in question is 192.168.15.15/32.
Present in routing DB, but missing in RIB:
NYC-brdr # get router info routing all
S    192.0.2.1/32 [10/0] is a summary, Null
B    192.168.15.0/24 [200/0] via 10.10.10.15 (recursive via 220.127.116.11), 05:35:14
NYC-brdr # get router info routing-table database
S *> 192.0.2.1/32 [10/0] is a summary, Null
B *> 192.168.15.0/24 [200/0] via 10.10.10.15 (recursive via 18.104.22.168), 05:18:09
B  > 192.168.15.15/32 [200/0] via 192.0.2.1, Null0 (recursive is a summary, Null, 00:00:39
NYC-brdr # get router info bgp network 192.168.15.15
BGP routing table entry for 192.168.15.15/32
Paths: (1 available, best #1, table Default-IP-Routing-Table, not advertised to EBGP peer)
  Not advertised to any peer
  Local
    192.0.2.1 from 10.10.10.16 (10.10.10.14)
      Origin incomplete metric 0, localpref 110, valid, internal, best
      Community: no-export
      Originator: 10.10.10.14, Cluster list: 10.10.10.16
      Last update: Thu Aug 6 10:28:49 2020
config router static
    edit 1
        set dst 192.0.2.1 255.255.255.255
        set blackhole enable
    next
end
Route-map that sets the next-hop (just in case, don't think related):
config router route-map
    edit "core-in"
        config rule
            edit 1
                set match-community "blackhole-777"   <-- the route comes to this FG with this community set
                set set-community "no-export"
                set set-ip-nexthop 192.0.2.1
            next
        end
    next
end
If I change the static route from a blackhole to a regular one, say pointing to a loopback, the FG does install the learned route 192.168.15.15 in the RIB:
config router static
    edit 1
        set status disable
        set dst 192.0.2.1 255.255.255.255
        set blackhole enable
    next
    edit 2
        set dst 192.0.2.1 255.255.255.255
        set device "Loop1"
    next
end
# get router info routing all
S    192.0.2.1/32 [10/0] is directly connected, Loop1
B    192.168.15.0/24 [200/0] via 10.10.10.15 (recursive via 22.214.171.124), 03:23:19
B    192.168.15.15/32 [200/0] via 192.0.2.1 (recursive is directly connected, Loop1), 00:02:49
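A small check for the symptom in this post, added here as an example and not part of the original thread: it parses `get router info routing-table database` output in the format shown above, flags BGP routes that are best (`>`) but not in the FIB (no `*`), and reports whether the next hop resolves to a blackhole static. The sample output is constructed to mirror the post; the helper names are my own.

```python
import re

# Constructed sample modelled on the post's "routing-table database" output.
SAMPLE = """\
S *> 192.0.2.1/32 [10/0] is a summary, Null
B *> 192.168.15.0/24 [200/0] via 10.10.10.15 (recursive via 18.104.22.168), 05:18:09
B  > 192.168.15.15/32 [200/0] via 192.0.2.1, Null0 (recursive is a summary, Null), 00:00:39
"""

# proto, optional "*" (in FIB) / ">" (best), prefix, [AD/metric], remainder
ROUTE_RE = re.compile(
    r"^(?P<proto>[A-Z])\s+(?P<flags>[*>]*)\s*(?P<prefix>\S+)\s+"
    r"\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+(?P<rest>.*)$"
)


def parse_routes(text):
    """Turn each route line into a dict; skip lines that are not routes."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        nh = re.search(r"via (\S+?)[, ]", rest)
        routes.append({
            "proto": m.group("proto"),
            "prefix": m.group("prefix"),
            "selected": ">" in m.group("flags"),
            "installed": "*" in m.group("flags"),
            "next_hop": nh.group(1) if nh else None,
            "null_route": "Null" in rest,  # blackhole / Null interface in the output
        })
    return routes


def uninstalled_bgp_routes(text):
    """BGP routes that are best but not installed, with a reason for each."""
    routes = parse_routes(text)
    by_prefix = {r["prefix"]: r for r in routes}
    findings = []
    for r in routes:
        if r["proto"] == "B" and r["selected"] and not r["installed"]:
            nh = r["next_hop"]
            # Resolve the next hop against a host static for it, as the post does.
            resolver = by_prefix.get(f"{nh}/32")
            if resolver and resolver["null_route"]:
                reason = "next hop resolves to a blackhole static"
            else:
                reason = "next hop not resolvable via a non-blackhole route"
            findings.append((r["prefix"], nh, reason))
    return findings
```

Feed it the saved CLI output and it returns an empty list when every best BGP route has made it into the FIB.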