I have the below config, and seem to have an issue where the FortiGate isn't sharing the directly connected routes between BGP peers.
Fortigate
Interfaces
aggregateinterf: IP 172.19.0.6 255.255.255.248. No Vlan.
MGMT: IP 192.168.183.58 255.255.255.192, VLAN 200, Parent: aggregateinterf
CCTV: IP 192.168.183.190 255.255.255.192, VLAN 250, Parent: aggregateinterf.
Switch
VRF WAN
VRF LAN
VRF MGMT
VRF CCTV
SVI: WAN, IP 172.19.0.2/29, VRF WAN, VLAN 101.
SVI: CCTV, IP 192.168.183.130/26, VRF CCTV, VLAN 250
SVI MGMT, IP 192.168.183.2/26, VRF MGMT, VLAN 200
SVI: LAN1, IP 192.168.168.1/24, VRF LAN, VLAN 300
SVI: LAN2, IP 192.168.169.1/24, VRF LAN, VLAN 301
On the switch, I leak the routes between LAN and WAN.
I have BGP peering from the switch as below.
VRF WAN to aggregateinterf, 172.19.0.6/29
VRF MGMT to MGMT vlan, 192.168.183.58/26
Now BGP is established and I can see the FortiGate as the default route.
The issue I am having is, the FortiGate is not advertising each interface's connected route to the other VRFs on the switch.
In the outgoing routes, I would expect the below:
neighbour on aggregateinterf
0.0.0.0/0 via 172.16.0.6
192.168.183.0/26 via 172.16.0.6
192.168.183.128/26 via 172.16.0.6
neighbour on vlan MGMT
0.0.0.0/0 via 192.168.183.58
172.19.0.0/29 via 192.168.183.58
192.168.183.128/26 via 192.168.183.58
What I actually get is below:
neighbour on aggregateinterf
0.0.0.0/0 via 172.16.0.6
neighbour on vlan MGMT
0.0.0.0/0 via 192.168.183.58
Config is below.
LAB-FW # show router prefix-list
config router prefix-list
edit "MGMT-OUT"
config rule
edit 1
set prefix 192.168.183.64 255.255.255.192
unset ge
unset le
next
end
next
edit "LAN-OUT"
config rule
edit 1
set prefix 192.168.183.0 255.255.255.0
unset ge
unset le
next
end
next
end
LAB-FW # show router route-map
config router route-map
edit "MGMT-OUT"
config rule
edit 1
set match-ip-address "MGMT-OUT"
next
end
next
edit "LAN-OUT"
config rule
edit 1
set match-ip-address "LAN-OUT"
next
end
next
end
LAB-FW # show router bgp
config router bgp
set as 65000
set router-id 172.16.0.6
set ebgp-multipath enable
set cluster-id 172.16.0.6
config neighbor
edit "172.19.0.2"
set capability-default-originate enable
set interface "aggregateinterf"
set remote-as 64600
set route-map-out "LAN-OUT"
set keep-alive-timer 2
set holdtime-timer 10
next
edit "192.168.183.2"
set capability-default-originate enable
set interface "MGMT"
set remote-as 64600
set route-map-out "MGMT-OUT"
set keep-alive-timer 2
set holdtime-timer 10
next
end
end
config network
edit 1
set prefix 192.168.0.0 255.255.0.0
next
end
config network6
edit 1
set prefix6 ::/128
next
end
config redistribute "connected"
set status enable
end
config redistribute "rip"
end
config redistribute "ospf"
end
config redistribute "static"
end
config redistribute "isis"
end
config redistribute6 "connected"
end
config redistribute6 "rip"
end
config redistribute6 "ospf"
end
config redistribute6 "static"
end
config redistribute6 "isis"
end
end
LAB-FW # get router info bgp neighbors 172.19.0.2 advertised-routes
VRF 0 BGP table version is 4, local router ID is 172.16.0.6
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight RouteTag Path
*> 0.0.0.0/0 172.19.0.6 100 32768 0 i <-/->
Total number of prefixes 1
LAB-FW # get router info bgp neighbors 192.168.183.2 advertised-routes
VRF 0 BGP table version is 3, local router ID is 172.16.0.6
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight RouteTag Path
*> 0.0.0.0/0 192.168.183.58 100 32768 0 i <-/->
Total number of prefixes 1
LAB-FW # show system interface
config system interface
edit "aggregateinterf"
set vdom "root"
set ip 172.19.0.6 255.255.255.248
set allowaccess ping snmp fgfm
set type aggregate
set member "port1" "port2"
set device-identification enable
set device-user-identification disable
set lldp-reception enable
set lldp-transmission enable
set role lan
set snmp-index 15
next
edit "MGMT"
set vdom "root"
set ip 192.168.183.58 255.255.255.192
set allowaccess ping https ssh http fgfm
set alias "MGMT"
set device-identification enable
set role lan
set snmp-index 16
set interface "aggregateinterf"
set vlanid 200
next
edit "CCTV"
set vdom "root"
set ip 192.168.183.190 255.255.255.192
set allowaccess ping
set alias "CCTV"
set device-identification enable
set role lan
set snmp-index 17
set interface "aggregateinterf"
set vlanid 250
next
end
Hi, several things I would change/add to the config:
- in the prefix-list LAN-OUT, you have 192.168.183.0/24, but that network is actually broken down into 2 separate /26 nets, so I would be specific in it with the actual networks that also exist in your routing table / are directly configured.
- I am more of a "set prefix-list-in" and "-out" kinda person with regard to what specific routes I want to filter inbound and outbound, rather than using route-maps for that, since I don't want to make any kind of changes to the BGP params sent/received along with those networks.
- and I don't see the interfaces belonging to a VRF different from 0 (default), so I guess it's only relevant on the SVI.
After that, you can flap the session and see how it looks.
L.E. You can also have a look at https://community.fortinet.com/t5/FortiGate/Technical-Tip-Advertise-a-BGP-route-not-present-in-the-r... in order to advertise the whole /24 net.
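The matching rule the reply above relies on, modelled as an added Python example (this is not FortiGate code and not something posted on the thread): a prefix-list rule with ge and le unset only matches a route of exactly the rule's own prefix length, so 192.168.183.0/24 never matches the /26 connected routes, and the original MGMT-OUT prefix 192.168.183.64/26 matches no interface at all. The rule semantics (first match wins, implicit deny at the end, permit as the default action, ge/le as a length range) are the standard prefix-list behaviour; the connected routes and the two LAN-OUT lists are taken from the thread's config, and the "le 26" variant is an assumed alternative that is not on the thread.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import List, Optional


@dataclass(frozen=True)
class PrefixRule:
    """One 'edit N' rule under 'config router prefix-list'."""
    prefix: IPv4Network
    ge: Optional[int] = None      # 'unset ge'
    le: Optional[int] = None      # 'unset le'
    action: str = "permit"        # default when no 'set action' is present


def rule_matches(rule: PrefixRule, route: IPv4Network) -> bool:
    """Prefix-list semantics: the route must lie inside rule.prefix, and with
    ge/le unset its length must equal the rule's prefix length exactly."""
    if not route.subnet_of(rule.prefix):
        return False
    if rule.ge is None and rule.le is None:
        return route.prefixlen == rule.prefix.prefixlen
    low = rule.ge if rule.ge is not None else rule.prefix.prefixlen
    high = rule.le if rule.le is not None else 32
    return low <= route.prefixlen <= high


def permitted(rules: List[PrefixRule], routes: List[IPv4Network]) -> List[str]:
    """Routes that pass the list: first matching rule wins, implicit deny at the end."""
    out = []
    for route in routes:
        for rule in rules:
            if rule_matches(rule, route):
                if rule.action == "permit":
                    out.append(str(route))
                break
    return out


# Connected routes from the thread's 'show system interface' output
CONNECTED = [
    IPv4Network("172.19.0.0/29"),       # aggregateinterf
    IPv4Network("192.168.183.0/26"),    # MGMT, VLAN 200
    IPv4Network("192.168.183.128/26"),  # CCTV, VLAN 250
]

# Original LAN-OUT: a single /24 with ge/le unset
LAN_OUT_ORIGINAL = [PrefixRule(IPv4Network("192.168.183.0/24"))]
# Original MGMT-OUT: a /26 that no interface on the FortiGate carries
MGMT_OUT_ORIGINAL = [PrefixRule(IPv4Network("192.168.183.64/26"))]
# Working LAN-OUT from the follow-up post: one exact rule per /26
LAN_OUT_FIXED = [
    PrefixRule(IPv4Network("192.168.183.0/26")),
    PrefixRule(IPv4Network("192.168.183.128/26")),
]
# Assumed alternative (not on the thread): keep the /24 but allow up to /26
LAN_OUT_RANGE = [PrefixRule(IPv4Network("192.168.183.0/24"), le=26)]


def check(name: str, rules: List[PrefixRule]) -> List[str]:
    result = permitted(rules, CONNECTED)
    print(f"{name:20s} -> {result or 'nothing'}")
    return result


if __name__ == "__main__":
    check("LAN-OUT original", LAN_OUT_ORIGINAL)    # nothing
    check("MGMT-OUT original", MGMT_OUT_ORIGINAL)  # nothing
    check("LAN-OUT fixed", LAN_OUT_FIXED)          # both /26 routes
    check("LAN-OUT /24 le 26", LAN_OUT_RANGE)      # both /26 routes
```

The 0.0.0.0/0 entry is unaffected by any of these lists, which is why the thread's advertised-routes output still shows the default-originate route while everything else is filtered; the thing to verify after changing a list is that the connected /26s appear in "get router info bgp neighbors X advertised-routes" next to it.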
That worked, thank you very much :)
Config below.
LAB-FW# show router route-map
config router route-map
edit "MGMT-OUT"
config rule
edit 1
set match-ip-address "MGMT-OUT"
next
end
next
edit "LAN-OUT"
config rule
edit 1
set match-ip-address "LAN-OUT"
next
end
next
edit "CCTV-OUT"
config rule
edit 1
set match-ip-address "CCTV-OUT"
next
end
next
end
LAB-FW# show router prefix-list
config router prefix-list
edit "MGMT-OUT"
config rule
edit 1
set prefix 192.168.183.128 255.255.255.192
unset ge
unset le
next
end
next
edit "LAN-OUT"
config rule
edit 2
set prefix 192.168.183.0 255.255.255.192
unset ge
unset le
next
edit 3
set prefix 192.168.183.128 255.255.255.192
unset ge
unset le
next
end
next
edit "CCTV-OUT"
config rule
edit 1
set prefix 192.168.183.0 255.255.255.192
unset ge
unset le
next
end
next
end
LAB-FW#
Probably multiple ways to "make it work". But the bottom line is those VRF neighbors are the same router or a single cluster of routers from the FGT's view because AS is the same between them. If you want the FGT to act as the GW between VRFs, you should set a different AS at each VRF.
Otherwise you need iBGP neighboring between those VRFs.
Toshi
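To see what Toshi's point means in practice, here is an added Python model of eBGP AS_PATH handling (standard RFC 4271 loop detection; not FortiGate or switch code, and not posted on the thread). The ASNs are the thread's, and the leaked LAN prefix 192.168.168.0/24 is assumed to reach the FortiGate from VRF WAN. The sending side prepends its own ASN; the receiving side rejects any update whose AS_PATH already contains its own ASN. With both switch VRFs in AS 64600, a route learned from VRF WAN arrives at VRF MGMT carrying 64600 and is dropped, while the FortiGate's own connected routes carry only 65000 and get through; giving VRF MGMT a different AS lets the transit route in.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Route:
    prefix: str
    as_path: List[int] = field(default_factory=list)


def ebgp_advertise(local_as: int, route: Route) -> Route:
    """Sending side of an eBGP session: prepend our own ASN to AS_PATH."""
    return Route(route.prefix, [local_as] + route.as_path)


def ebgp_accept(local_as: int, route: Route) -> bool:
    """Receiving side: drop the update if our own ASN already appears in AS_PATH."""
    return local_as not in route.as_path


def simulate(vrf_wan_as: int, vrf_mgmt_as: int, fgt_as: int = 65000) -> Dict[str, bool]:
    """Which prefixes VRF MGMT accepts from the FortiGate, keyed by prefix."""
    # Assumed: the switch leaks LAN1 into VRF WAN and VRF WAN advertises it to the FGT.
    from_wan = ebgp_advertise(vrf_wan_as, Route("192.168.168.0/24"))
    assert ebgp_accept(fgt_as, from_wan)   # 65000 is not in [vrf_wan_as]
    rib = [
        Route("172.19.0.0/29"),            # FGT connected route, empty AS_PATH locally
        Route("192.168.183.128/26"),       # FGT connected route (CCTV)
        from_wan,                          # transit route learned from VRF WAN
    ]
    return {r.prefix: ebgp_accept(vrf_mgmt_as, ebgp_advertise(fgt_as, r)) for r in rib}


if __name__ == "__main__":
    print("same AS in both VRFs:   ", simulate(64600, 64600))
    print("distinct AS per VRF:    ", simulate(64600, 64601))
```

Run stand-alone, the first line shows 192.168.168.0/24 rejected and the two connected routes accepted; the second line shows all three accepted. The other standard way around this, which the model does not show, is leaving the ASNs alone and configuring allowas-in on the switch side, which turns off exactly the loop check modelled here and therefore needs a prefix filter beside it.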