【Background】
I'm trying to connect three locations with IPsec and route between them using BGP.
【Prerequisite configuration】
All locations are FortiGate 50E running FortiOS 6.2.
- For the direct IPsec route between AS65001<->AS65002, all subordinate segments are listed in the routing table.
- The IPsec routes between AS65001<->AS65010 and AS65002<->AS65010 are also listed in the routing table for all subordinate segments.
- When going through AS65010, as in AS65001<->AS65010<->AS65002, routing information should not flow to AS65001 and AS65002.
【Question】
- Assuming that BGP is used for routing, what settings are needed so that "when routing via AS65010, as in AS65001<->AS65010<->AS65002, routing information does not flow between AS65001 and AS65002"?
@ncat
You may refer to the guide below on how to block/deny advertisement of specific routes to your peer.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-Block-Advertising-and-Receiving-of-...
Thanks for the answer.
I checked the GUI as you said, but there is no place where you can set it.
I think it's probably because I'm using FortiOS 6.2, a slightly older OS, but is there a way to set it up on this OS? (I'm thinking it's probably going to be a CUI setting.)
@ncat
You may refer to the guide below for CLI configuration.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Create-an-Access-list-on-a-Route-Map-that-...
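As an added illustration of the access-list-on-a-route-map approach the linked tip describes (this is example configuration written for this thread, not Fortinet's own or the poster's), the FortiOS CLI below, applied on the hub FortiGate in AS65010, stops the AS65002 subnet from being re-advertised to the AS65001 peer; the peer address 10.0.1.1 and the list/route-map names are assumed, the prefix 192.168.20.0/24 is the AS65002 subnet mentioned in the thread, and a mirror-image route-map would be applied toward the AS65002 peer.

```text
# Access list: deny the AS65002 subnet, permit everything else.
# A "deny" entry means "not matched" by the route-map rule that references it,
# so the prefix falls through to the route-map's implicit deny and is not sent.
config router access-list
    edit "acl-no-as65002-prefixes"
        config rule
            edit 1
                set action deny
                set prefix 192.168.20.0 255.255.255.0
                set exact-match enable
            next
            edit 2
                set action permit
                set prefix any
            next
        end
    next
end

# Route map: a single permit rule matching the access list above.
config router route-map
    edit "rm-out-to-as65001"
        config rule
            edit 1
                set action permit
                set match-ip-address "acl-no-as65002-prefixes"
            next
        end
    next
end

# Apply it as the outbound route map on the neighbor toward AS65001.
config router bgp
    set as 65010
    config neighbor
        edit "10.0.1.1"
            set remote-as 65001
            set route-map-out "rm-out-to-as65001"
        next
    end
end
```

To confirm the filter took effect, check what the hub advertises to that peer with "get router info bgp neighbors 10.0.1.1 advertised-routes" and verify that 192.168.20.0/24 is no longer listed.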
Thanks for the answer. Since it was successfully filtered, this matter will be closed. Thanks.
Glad to help @ncat .
Thank you.
You don't have to do anything special, since this is a simple triangle topology with a different AS at each of the three sites.
At AS=65001, it would get 192.168.20.0/24 from both AS=65002 and AS=65010. However, the AS path is different between them:
- AS=65002 route's AS path: 65002
- AS=65010 route's AS path: 65010 65002
Due to 4) in the route selection rules below:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-BGP-route-selection-process/ta-p/195932
AS=65001 chooses the AS=65002 route as the best route (shortest AS path).
The same goes for all other routes at both 65001 and 65002.
Toshi
Thanks for the answer. Since it was successfully filtered, this matter will be closed, but I learned something again from how BGP behaves.