ncat
New Contributor II

FortiGate6.2 BGP filter

 

【background】
 I'm trying to connect the three locations with IPsec and route them using BGP.
【Prerequisite configuration】
 All locations are FortiGate 50E using OS 6.2.
 - For a direct IPsec route with AS65001<->AS65002, all subordinate segments are listed in the routing table.
 - IPsec routes between AS65001<->AS65010 / AS65002<->AS65010 are also listed in the routing table for all subordinate segments.
 - When going through AS65010, such as AS65001<->AS65010<->AS65002, routing information should not flow to AS65001 and AS65002.
【question】
 - Assuming that BGP is used for routing, what kind of settings should be made so that "When routing via AS65010 such as AS65001<->AS65010<->AS65002, routing information should not flow between AS65001 and AS65002"?

7 REPLIES
adimailig
Staff

@ncat 

You may refer to the guide below on how to block/deny advertisement of specific routes to your peer.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-Block-Advertising-and-Receiving-of-...

Best Regards,

Arnold Dimailig
TAC Engineer
ncat
New Contributor II

@adimailig 

Thanks for the answer.
I checked the GUI as you said, but there is no place where you can set it.
I think it's probably because I'm using FortiOS 6.2, a slightly older OS, but is there a way to set it up with the corresponding OS? (I'm thinking it's probably going to be a CUI setting.)

adimailig

@ncat 

You may refer to the guide below for CLI configuration.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Create-an-Access-list-on-a-Route-Map-that-...

Best Regards,

Arnold Dimailig
TAC Engineer
ncat
New Contributor II

Thanks for the answer. Since it was successfully filtered, this matter will be closed. Thanks

adimailig

Glad to help @ncat .
Thank you.

Best Regards,

Arnold Dimailig
TAC Engineer
Toshi_Esumi
SuperUser

You don't have to do anything special, since this is a simple triangle topology with a different AS at each of the three sites.

At AS=65001, it would get 192.168.20.0/24 from both AS=65002 and AS=65010. However, the AS path is different between them:
- AS=65002 route's AS path: 65002
- AS=65010 route's AS path: 65010 65002
Due to 4) in the route selection rules below:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-BGP-route-selection-process/ta-p/195932
AS=65001 chooses AS=65002 route as the best route (shortest AS path).

The same goes with all other routes at both 65001 and 65002.

Toshi
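
The AS-path comparison from the reply above, as an added example that is not part of any poster's reply and not Fortinet code: a small Python model of the three eBGP peers showing which path AS65001 selects for 192.168.20.0/24, and what changes when the direct tunnel is down or AS65010 stops re-advertising learned routes. The full-mesh peering, the `no_transit` export policy (a stand-in for the route-map filter, not FortiOS syntax) and all function names are assumptions.

```python
# Added example: constructed model of the thread's triangle, not FortiOS code.
PREFIX = "192.168.20.0/24"            # the one prefix named in the thread
ORIGINATED = {65002: [PREFIX]}        # originated by AS65002
TRIANGLE = [(65001, 65002), (65001, 65010), (65002, 65010)]  # assumed eBGP sessions

def shortest(paths):
    """Step 4 of the linked selection rules: shortest AS path wins.
    Earlier steps (weight, local preference, ...) are assumed equal."""
    paths = list(paths)
    return min(paths, key=lambda p: (len(p), p)) if paths else None

def converge(links, originated, no_transit=()):
    """Propagate eBGP advertisements until nothing changes.
    Returns {asn: {prefix: {neighbor_asn: as_path}}}.
    An AS listed in no_transit advertises only its own prefixes
    (hypothetical export policy standing in for the route-map filter)."""
    ases = sorted({a for link in links for a in link})
    rib_in = {a: {} for a in ases}
    changed = True
    while changed:
        changed = False
        for sender in ases:
            adverts = {p: () for p in originated.get(sender, [])}
            if sender not in no_transit:
                for prefix, by_peer in rib_in[sender].items():
                    adverts.setdefault(prefix, shortest(by_peer.values()))
            for a, b in links:
                if sender not in (a, b):
                    continue
                peer = b if sender == a else a
                for prefix, path in adverts.items():
                    new = (sender,) + path       # sender prepends its own AS
                    if peer in new:              # eBGP loop prevention
                        continue
                    slot = rib_in[peer].setdefault(prefix, {})
                    if slot.get(sender) != new:
                        slot[sender] = new
                        changed = True
    return rib_in

def best_path(rib_in, asn, prefix):
    return shortest(rib_in[asn].get(prefix, {}).values())

if __name__ == "__main__":
    down = [l for l in TRIANGLE if l != (65001, 65002)]  # direct tunnel down
    for name, links, nt in [("triangle", TRIANGLE, ()),
                            ("direct tunnel down", down, ()),
                            ("tunnel down + filter at 65010", down, (65010,))]:
        print(name, "->", best_path(converge(links, ORIGINATED, nt), 65001, PREFIX))
```

In this model the filter only changes the outcome once the direct AS65001<->AS65002 tunnel is down: without it AS65001 falls back to the path through AS65010, with it AS65001 has no route to the prefix at all.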

ncat
New Contributor II

Thanks for the answer. Since it was successfully filtered, this matter will be closed, but I learned again from the movement of BGP.
