Hey all
Using a 'hybrid' network model with a Fortigate 80F and a Cisco Catalyst 9200L.
Forti handles the routing and is relayed to Cisco.
I'm trying to relay OSPF routes learnt by Fortigate into iBGP handled by our ISP, however it's not working.
I can see in Forti that the routes are connected locally but not propagated into BGP.
I get routes from BGP so I can confirm that it's working at least one way, but not the other.
I'm trying to propagate 10.0.1.1, 10.0.2.1, 10.0.3.1, all /25, to BGP for advertised routing.
get router info bgp summary
VRF 0 BGP router identifier 172.16.0.10, local AS number 65500
BGP table version is 6
8 BGP AS-PATH entries
0 BGP community entries
Neighbor   V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
172.16.0.9 4      65535     473     449        5    0    0 03:14:03      130
Total number of neighbors 1
corenet0-a # get router info bgp neighbors
VRF 0 neighbor table:
BGP neighbor is 172.16.0.9, remote AS 65535, local AS 65500, external link
  BGP version 4, remote router REDACTED
  BGP state = Established, up for 03:14:32
  Last read 00:00:17, hold time is 90, keepalive interval is 30 seconds
  Configured hold time is 180, keepalive interval is 60 seconds
  Neighbor capabilities:
    Route refresh: advertised and received (old and new)
    Address family IPv4 Unicast: advertised and received
    Address family VPNv4 Unicast: advertised
    Address family IPv6 Unicast: advertised
    Address family VPNv6 Unicast: advertised
    Address family L2VPN EVPN: advertised
  Received 474 messages, 0 notifications, 0 in queue
  Sent 450 messages, 0 notifications, 0 in queue
  Route refresh request: received 0, sent 0
  NLRI treated as withdraw: 0
  Minimum time between advertisement runs is 30 seconds
  Update source is VLAN22-MPLS
 For address family: IPv4 Unicast
  BGP table version 6, neighbor version 5
  Index 1, Offset 0, Mask 0x2
  NEXT_HOP is always this router
  Community attribute sent to this neighbor (both)
  Outbound path policy configured
  Route map for outgoing advertisements is *RM_OSPF_TO_BGProot
  130 accepted prefixes, 130 prefixes in rib
  6 announced prefixes
 For address family: VPNv4 Unicast
  BGP table version 1, neighbor version 1
  Index 1, Offset 0, Mask 0x2
  Community attribute sent to this neighbor (both)
  0 accepted prefixes, 0 prefixes in rib
  0 announced prefixes
 For address family: IPv6 Unicast
get router info bgp neighbors 172.16.0.9 advertised-routes 
VRF 0 BGP table version is 6, local router ID is 172.16.0.10
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric     LocPrf Weight RouteTag Path
*> 10.0.0.0/30      172.16.0.10                        32768        0 ? <-/->
*> 10.0.1.0/25      172.16.0.10                        32768        0 ? <-/->
*> 10.0.2.0/25      172.16.0.10                        32768        0 ? <-/->
*> 10.0.3.0/25      172.16.0.10                        32768        0 ? <-/->
*> 10.0.4.0/25      172.16.0.10                        32768        0 ? <-/->
*> 172.16.0.8/29    172.16.0.10                        32768        0 ? <-/->
Total number of prefixes 6
get router info ospf route
OSPF process 0:
Codes: C - connected, D - Discard, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
C  10.0.0.0/30 [1] is directly connected, vlan9-control, Area 0.0.0.0
C  10.0.1.0/25 [1] is directly connected, VLAN11-Users, Area 0.0.0.0
C  10.0.2.0/25 [1] is directly connected, VLAN12-aux, Area 0.0.0.0
C  10.0.3.0/25 [1] is directly connected, VLAN13-Core, Area 0.0.0.0
C  10.0.4.0/25 [1] is directly connected, VLAN14-dmz, Area 0.0.0.0
Hi, from what I see, the FortiGate is already advertising the /25 routes since they show up under advertised routes. So it's likely just a filtering issue on the provider side or something in the outbound route map.
First, between the FGT and Cisco, it's eBGP since the AS numbers are different. Not sure what is not working. If they're locally connected routes, you don't have to get them redistributed between OSPF and BGP. They can get them redistributed from either the RIB or directly from connected routes.
If OSPF or BGP is learning routes from outside over the routing protocol, you might want/need to redistribute/relay between them.
Toshi
Thanks! Defining the routes I needed to propagate in the outbound route map fixed the issue.
I see them showing up on my distant-end device now.
get router info bgp neighbors 172.16.0.1 received-routes
VRF 0 BGP table version is 4, local router ID is 172.16.0.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric     LocPrf Weight RouteTag Path
*> 0.0.0.0/0        172.16.0.1                             0        0 65400 3292 65108 44398 65168 ? <-/->
*> 10.0.0.0/25      172.16.0.1                             0        0 65400 3292 65535 i <-/->
*> 10.0.1.0/25      172.16.0.1                             0        0 65400 3292 65535 65500 ? <-/->
*> 10.0.2.0/25      172.16.0.1                             0        0 65400 3292 65535 65500 ? <-/->
*> 10.0.3.0/25      172.16.0.1                             0        0 65400 3292 65535 65500 ? <-/->
Follow-up question: I'd expect them to show up in the GUI under Routing > BGP Paths, but they don't.
Any idea why, and should I be scared that they show up as incomplete (the <?> tag)?
Great to hear that it worked!
Regarding the GUI view, FortiGate doesn’t always display redistributed prefixes under BGP Paths, especially if they were learned dynamically or the table hasn’t refreshed yet. 
The ? origin code simply means the routes were redistributed from another source, like OSPF or connected networks, so there’s nothing to worry about.
Created on 10-30-2025 08:17 AM Edited on 10-30-2025 08:18 AM
To verify the result of outgoing route-maps, compare "get router info bgp neighbors [neighbor-ip(receiver)] advertised-routes" on the sender side with "get router info bgp neighbors [neighbor-ip(sender)] received-routes" on the receiver side.
I never use GUI when debugging routing protocol. While CLI shows everything it can show, GUI shows only a part of it.
Toshi
Created on 11-03-2025 03:15 AM Edited on 11-03-2025 03:16 AM
Quick question:
I can route to the specified network, because it seems to be in BGP's default route, but if I create an inbound route map to drop 0.0.0.0/0 from BGP then I can't route to them anymore.
If I look in BGP received routes using soft reconfiguration I can see the routes, but they are not being directly accepted into my routing table.
Any ideas why? (The example here is 10.0.8.0/25.)
get router info bgp neighbors 172.16.0.9 received-routes
VRF 0 BGP table version is 1, local router ID is 172.16.0.10
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric     LocPrf Weight RouteTag Path
*> 0.0.0.0/0        172.16.0.9                             0        0 65535 3292 65108 44398 65168 ? <-/->
*> 10.0.0.0/25      172.16.0.10     0                      0        0 65535 i <-/->
*> 10.0.1.0/25      172.16.0.10                            0        0 65535 65500 ? <-/->
*> 10.0.2.0/25      172.16.0.10                            0        0 65535 65500 ? <-/->
*> 10.0.3.0/25      172.16.0.10                            0        0 65535 65500 ? <-/->
*> 10.0.8.0/25      172.16.0.9                             0        0 65535 3292 65400 65500 ? <-/->
get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       V - BGP VPNv4
       * - candidate default
Routing table for VRF=0
B*      0.0.0.0/0 [20/0] via 172.16.0.9 (recursive is directly connected, VLAN22-MPLS), 00:25:36, [1/0]
C       10.0.0.0/30 is directly connected, vlan9-control
C       10.0.1.0/25 is directly connected, VLAN11-Users
C       10.0.2.0/25 is directly connected, VLAN12-aux
C       10.0.3.0/25 is directly connected, VLAN13-Core
C       10.0.4.0/25 is directly connected, VLAN14-dmz
B       10.1.0.0/16 [20/0] via 172.16.0.9 (recursive is directly connected, VLAN22-MPLS), 00:25:36, [1/0]
B       10.15.0.0/16 [20/0] via 172.16.0.9 (recursive is directly connected, VLAN22-MPLS), 00:25:36, [1/0]
Also, I created an inbound route map to accept all.
Hey, quick question: I advertise 10.0.8.0/25 but it is not being propagated into the router's routing table.
get router info bgp neighbors 172.16.0.9 received-routes
VRF 0 BGP table version is 2, local router ID is 172.16.0.10
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric     LocPrf Weight RouteTag Path
*> 0.0.0.0/0        172.16.0.9                             0        0 65535 3292 65108 44398 65168 ? <-/->
*> 10.0.0.0/25      172.16.0.10     0                      0        0 65535 i <-/->
*> 10.0.1.0/25      172.16.0.10                            0        0 65535 65500 ? <-/->
*> 10.0.2.0/25      172.16.0.10                            0        0 65535 65500 ? <-/->
*> 10.0.3.0/25      172.16.0.10                            0        0 65535 65500 ? <-/->
*> 10.0.8.0/25      172.16.0.9                             0        0 65535 3292 65400 65500 ? <-/->
But not in the RIB:
get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       V - BGP VPNv4
       * - candidate default
Routing table for VRF=0
B*      0.0.0.0/0 [20/0] via 172.16.0.9 (recursive is directly connected, VLAN22-MPLS), 00:11:44, [1/0]
C       10.0.0.0/30 is directly connected, vlan9-control
C       10.0.1.0/25 is directly connected, VLAN11-Users
C       10.0.2.0/25 is directly connected, VLAN12-aux
C       10.0.3.0/25 is directly connected, VLAN13-Core
C       10.0.4.0/25 is directly connected, VLAN14-dmz
B       10.1.0.0/16 [20/0] via 172.16.0.9 (recursive is directly connected, VLAN22-MPLS), 00:11:44, [1/0]
B       10.15.0.0/16 [20/0] via 172.16.0.9 (recursive is directly connected, VLAN22-MPLS), 00:11:44, [1/0]
B       10.16.155.132/32 [20/0] via 172.16.0.9 (recursive is directly connected, VLAN22-MPLS), 00:11:44, [1/0]
B       10.37.1.24/29 [20/0] via 172.16.0.9 (recursive is directly connected, VLAN22-MPLS), 00:11:44, [1/0]
(ETC)
All other routes from BGP seem to be accepted, but not this one; I have a similar issue with routes advertised in the opposite direction. All routing works via 0.0.0.0/0, but if I drop 0.0.0.0/0 via inbound route map filtering then I can't route to 10.0.8.0/25.
Any ideas? I already talked to the ISP (we have MPLS) and they're blaming me.
Created on 11-03-2025 04:14 AM Edited on 11-03-2025 04:15 AM
Hi,
Most likely the reason the 10.0.8.0/25 network isn't installing in the RIB is that the AS path contains AS 65500 (which is also your local BGP AS, if I'm not mistaken), and by default that is denied.
Under config router bgp you should do set allowas-in-enable enable and see afterwards if it gets installed; otherwise you can use the default route to reach it (you should activate/use that setting with care, it can create a loop in your network).
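The two checks raised in this thread (Toshi's advice to compare advertised-routes on the sender with received-routes on the receiver, and the own-AS-in-path reason for 10.0.8.0/25 not installing) can be scripted. This is an added example, not code from the thread or from Fortinet: the table rows are constructed to mirror the thread's output, the function names are hypothetical, and the parser assumes RouteTag is 0 (a non-zero tag would be read as a leading AS).

```python
"""Cross-check a FortiGate BGP session: diff the sender's 'advertised-routes'
against the receiver's 'received-routes', and flag received prefixes whose
AS_PATH already carries the local AS (loop detection keeps those out of the
RIB unless allowas-in is enabled on the neighbor)."""
import re
# Constructed sample rows in FortiOS 'get router info bgp neighbors ...' format.
SENDER_ADVERTISED = """\
*> 10.0.0.0/30      172.16.0.10                        32768        0 ? <-/->
*> 10.0.1.0/25      172.16.0.10                        32768        0 ? <-/->
*> 172.16.0.8/29    172.16.0.10                        32768        0 ? <-/->
"""
DISTANT_END_RECEIVED = """\
*> 0.0.0.0/0        172.16.0.1          0        0 65400 3292 65108 44398 ? <-/->
*> 10.0.1.0/25      172.16.0.1          0        0 65400 3292 65535 65500 ? <-/->
"""
LOCAL_RECEIVED = """\
*> 10.0.0.0/25      172.16.0.10     0             0        0 65535 i <-/->
*> 10.0.1.0/25      172.16.0.10                   0        0 65535 65500 ? <-/->
*> 10.0.8.0/25      172.16.0.9                    0        0 65535 3292 65400 65500 ? <-/->
"""
ROW = re.compile(r"^\*>?\s+(\S+)\s+(\S+)\s+([\d\s]*?)\s*([ie?])\s*<-/->\s*$")

def parse_bgp_table(text):
    """Return {prefix: (next_hop, as_path)}. Metric/LocPrf print only when set,
    Weight/RouteTag always do, so the path is the integer run after 2+ attribute
    columns; AS 0 is reserved (RFC 7607), so widen the attribute prefix past any 0."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue                      # header, status-code and origin-code lines
        prefix, next_hop, nums, _origin = m.groups()
        tokens = [int(t) for t in nums.split()]
        j = 2
        while j < len(tokens) and 0 in tokens[j:]:
            j += 1
        table[prefix] = (next_hop, tuple(tokens[j:]))
    return table

def missing_on_receiver(advertised, received):
    """Prefixes announced by the sender that never reached the receiver (filtered in between)."""
    return sorted(set(advertised) - set(received))

def blocked_by_own_as(received, local_as):
    """Prefixes whose AS_PATH already contains local_as: dropped unless allowas-in is set."""
    return sorted(p for p, (_nh, path) in received.items() if local_as in path)

if __name__ == "__main__":
    adv, far, local = map(parse_bgp_table, (SENDER_ADVERTISED, DISTANT_END_RECEIVED, LOCAL_RECEIVED))
    print("lost between sender and distant end:", missing_on_receiver(adv, far))
    print("needs allowas-in on the local FortiGate (AS 65500):", blocked_by_own_as(local, 65500))
```

Paste the real `advertised-routes` and `received-routes` output from each side into the three strings; the parser ignores the header, status and origin lines.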
Draw a simple diagram and put those AS numbers in. That would solve most topology, or iBGP+eBGP, related problems.
Toshi