Fortinet Community

Trixsta101 · ‎03-09-2022

Hi,

Have bgp peers set up currently but it's sending all internal routes to our ISP. id like to advertise only 111.69.40.246/29 (example IP) to them. Restricting all internal connected from being adverstived.

What i have done so far

config router bgp
config network
edit 1
set prefix 111.69.40.246 255.255.255.248

Config router bgp
set network-import-check disable
end

Can i appy a prefix-list to the neighbor config? Or do i apply a prefix-list to a route map and apply the route map to the neighbor config? Would this work below

config router prefix-list
edit "WWW_OUT"
config rule
edit 1
set prefix 111.69.40.246 255.255.255.248
unset ge
unset le
next
edit 5
set action deny
set prefix any
unset ge
unset le
next
end
next
end

Many thanks

Toshi_Esumi · ‎03-09-2022

You could try applying it directly to the neighbor with "set prefix-list-out". But I recommend you compose a route-map and wrap the prefix-list around for future flexibility then apply it to the neighbor with "set route-map-out". With that way, you don't have to have the "deny all" section in the prefix-list because route-map has implicit deny at the end. You can add different prefix-list for either deny or permit in the same route-map when you need.

config router route-map

edit "Limit-Advertisement"

config rule

edit 1

set action permit (default value)

set match-ip-address "WWW_OUT"

Toshi

Trixsta101 · ‎03-09-2022

Thank you will give this a try and get back to you.

Toshi_Esumi · ‎03-09-2022

You probably know already, but to check it you can use "get router info bgp neighbors <neighbor_IP> advertised-routes".

Trixsta101 · ‎03-09-2022

Thanks,

So the prefix-list can simply be

config rule
edit 1
set prefix 111.69.4.246 255.255.255.248
unset ge
unset le
next
end

Toshi_Esumi · ‎03-09-2022

Yes. The route-map would look for only the prefix to match.

Toshi

Trixsta101 · ‎03-10-2022

Hi,

Made the changes, but checking get router info bgp neighbors <neighbor_IP> advertised-routes" the IP listed in the prefix list doest show?

It has stopped all the internal routes which is great.

Any Ideal why it won't advertise?

config rule
edit 1
set prefix 111.69.4.246 255.255.255.248
unset ge
unset le
next
end

to the route map

config router route-map

edit "Limit-Advertisement"

config rule

edit 1

set match-ip-address "WWW_OUT"

Then applied to neighbor

set bfd enable
set soft-reconfiguration enable
set remote-as 4200002015
set route-map-in "Primary_ISP_WWW"
set route-map-out "Limit-Advertisement"
next
end

Toshi_Esumi · ‎03-10-2022

111.69.4.246 is not the subnet address of the /29. 111.69.4.240 is. Take a look at the routing table or BGP table what's in there. Should be 111.69.4.240/29. You need to match that with your prefix-list.

Toshi_Esumi · ‎03-10-2022

Also, based on your original post "sending all internal routes" the /29 was advertised among all other routes when you didn't apply the route-map/prefix-list to the neighbor. But now I'm not sure.

If the IP is configured on an interface of the FGT, it's not going into BGP domain until you configure re-advertisement of "connected" routes. If that's the case, you need to configure below in BGP.

config router bgp

config redistribute "connected"
set status enable

end
end

Then check the BGP table (not routing-table(RIB)) with below. Just expect it might show a lot and you might need to "grep" the output.

get router info bgp network

Toshi

Fortinet Community

Need to advertise single route to ISP but Block all Internal routes