Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
arie_arie
New Contributor III

Created on ‎06-11-2024 12:22 AM

Redistribute iBGP routes to OSPF in FortiGate

Hi,

I need to know whether iBGP routes that learnt in FortiGate can be redistributed to OSPF by default or not?

Because in other router like Cisco, iBGP can't be redistributed to OSPF by default, it needs command like 'bgp redistribute-internal'

 

Thank you

Labels:
1036
0 Kudos
2 Solutions
Toshi_Esumi
SuperUser
SuperUser

Created on ‎06-11-2024 11:25 PM Edited on ‎06-11-2024 11:49 PM

I was not sure about this either and I couldn't find any documentation as well. So, I decided to test it myself.
I set up three FGTs and one side is iBGP peering and the other side is OSFP peering and, of course, the middle one is redistributing from iBGP to OSPF. The config snippet at the middle FGT is below. 192.168.150.0/24 is advertised from iBGP neighbor. So I set a filter to allow only this prefix to be redistributed to OSPF side.

config router bgp
  set as 64512
  set router-id 10.10.1.2
  config neighbor
    edit "10.10.1.1"
      set next-hop-self enable
      set soft-reconfiguration enable
      set remote-as 64512
    next
  end
<snip>
end

config router ospf
  set router-id 10.10.11.2
  config area

    edit 0.0.0.0
    next
  end
  config network
    edit 1
      set prefix 10.10.11.0 255.255.255.252
    next
  end
  <snip>
  config redistribute "bgp"
    set status enable
    set routemap "allow_192_168_150_only"
  end
  <snip>
end

 

The result was below:
<both at ASBR FGT and OSPF neighbor FGT>

FortiGate-60E # get router info ospf database brief

                OSPF Router with ID (10.10.11.2) (Process ID 0, VRF 0)

                   Router Link States (Area 0.0.0.0)

Link ID       ADV Router Age  Seq#        CkSum Flag Link count
10.10.11.1 10.10.11.1   748   80000005 e1e9    0012 1
10.10.11.2 10.10.11.2   1565 80000006 dde9    0021 1

                  Net Link States (Area 0.0.0.0)

Link ID       ADV Router Age   Seq#        CkSum Flag
10.10.11.2 10.10.11.2    1538 80000002 7365    0031

                  AS External Link States

Link ID           ADV Router Age Seq#         CkSum Flag Route                       Tag
10.253.240.0 10.10.11.1   1168 80000002 3786    0012 E2 10.253.240.0/20 0
192.168.1.0 10.10.11.1     98     80000002 8ab2    0012 E2 192.168.1.0/24   0
192.168.150.0 10.10.11.2 1565 80000001 198e    0021 E2 192.168.150.0/24 0

Conclusion:
iBGP learned routes are redistributed to OSPF side without any special command to allow, which is the case for Cisco. (Juniper's route redistribution is always going through RIB, not directly from iBGP to OSPF, so it wouldn't apply).

Toshi

View solution in original post

948
srajeswaran
Staff
Staff
In response to Toshi_Esumi

Created on ‎06-11-2024 11:38 PM

You are fast, I just did this test and confirmed the same :)

 

image.png

 

image.png

Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

View solution in original post

940
8 REPLIES 8
arie_arie
New Contributor III
In response to HarshChavda

Created on ‎06-11-2024 08:11 PM

Hi,

In FortiGate, by default, the iBGP can redistribute to OSPF by using route-map and redistribute config, is it correct?

 

Thanks

967
0 Kudos
Toshi_Esumi
SuperUser
SuperUser

Created on ‎06-11-2024 11:25 PM Edited on ‎06-11-2024 11:49 PM

I was not sure about this either and I couldn't find any documentation as well. So, I decided to test it myself.
I set up three FGTs and one side is iBGP peering and the other side is OSFP peering and, of course, the middle one is redistributing from iBGP to OSPF. The config snippet at the middle FGT is below. 192.168.150.0/24 is advertised from iBGP neighbor. So I set a filter to allow only this prefix to be redistributed to OSPF side.

config router bgp
  set as 64512
  set router-id 10.10.1.2
  config neighbor
    edit "10.10.1.1"
      set next-hop-self enable
      set soft-reconfiguration enable
      set remote-as 64512
    next
  end
<snip>
end

config router ospf
  set router-id 10.10.11.2
  config area

    edit 0.0.0.0
    next
  end
  config network
    edit 1
      set prefix 10.10.11.0 255.255.255.252
    next
  end
  <snip>
  config redistribute "bgp"
    set status enable
    set routemap "allow_192_168_150_only"
  end
  <snip>
end

 

The result was below:
<both at ASBR FGT and OSPF neighbor FGT>

FortiGate-60E # get router info ospf database brief

                OSPF Router with ID (10.10.11.2) (Process ID 0, VRF 0)

                   Router Link States (Area 0.0.0.0)

Link ID       ADV Router Age  Seq#        CkSum Flag Link count
10.10.11.1 10.10.11.1   748   80000005 e1e9    0012 1
10.10.11.2 10.10.11.2   1565 80000006 dde9    0021 1

                  Net Link States (Area 0.0.0.0)

Link ID       ADV Router Age   Seq#        CkSum Flag
10.10.11.2 10.10.11.2    1538 80000002 7365    0031

                  AS External Link States

Link ID           ADV Router Age Seq#         CkSum Flag Route                       Tag
10.253.240.0 10.10.11.1   1168 80000002 3786    0012 E2 10.253.240.0/20 0
192.168.1.0 10.10.11.1     98     80000002 8ab2    0012 E2 192.168.1.0/24   0
192.168.150.0 10.10.11.2 1565 80000001 198e    0021 E2 192.168.150.0/24 0

Conclusion:
iBGP learned routes are redistributed to OSPF side without any special command to allow, which is the case for Cisco. (Juniper's route redistribution is always going through RIB, not directly from iBGP to OSPF, so it wouldn't apply).

Toshi

949
srajeswaran
Staff
Staff
In response to Toshi_Esumi

Created on ‎06-11-2024 11:38 PM

You are fast, I just did this test and confirmed the same :)

 

image.png

 

image.png

Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
941
Toshi_Esumi
SuperUser
SuperUser
In response to srajeswaran

Created on ‎06-11-2024 11:46 PM

haha, @srajeswaran, you're sooo slow.
It's interesting to find a FGT's behavior is different from Cisco's. For routing, FortiOS is almost strictly copied from Cisco IOS including the command line details.

Toshi

933
arie_arie
New Contributor III
In response to Toshi_Esumi

Created on ‎06-12-2024 02:46 AM

Yes, I also find a bit tricky in FortiGate, where the behavior is different from Cisco in term of redistribute iBGP to OSPF.

893
0 Kudos
arie_arie
New Contributor III
In response to Toshi_Esumi

Created on ‎06-12-2024 02:44 AM

Hi,

 

Thanks for the answer. Really helpful!

So, if I don't want to include iBGP routes into redistribution to OSPF, the option is to create route-map and deny the iBGP routes so that it wouldn't being redistributed to OSPF, am I correct?

 

Thank you

 

896
Toshi_Esumi
SuperUser
SuperUser
In response to arie_arie

Created on ‎06-12-2024 08:32 AM

yea, something like "set match-origin" in a route-map if you don't want to match individual prefixes. Probably this part is the same with Cisco.
FortiGate-60E (1) # set match-origin ?
none          None.
egp            Remote EGP.
igp             Local IGP.
incomplete Unknown heritage.

Toshi

864
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.