slouw
Contributor

Why not advertised via BGP?

I have a loopback 10.222.80.1 configured (1)

I have advertised the same prefix in BGP. (2)

The BGP neighbor 10.4.10.1 in question is healthy with 159 routes received (3)

Why is this prefix not advertised via BGP? (4) 

[Screenshot: 2023-12-16 18h27m02 Why not advertised via BGP.png]

Toshi_Esumi

This part of routing protocol implementation is not described by the standard (RFC), so it's up to each implementer. Just like admin distances are different between Cisco and Juniper (FGT is the same as Cisco), you can't expect "redistribution" behaviors to be the same between Cisco and FGT.

I'm not so confident about my knowledge of the network statement. I almost never used it, at least with BGP, because if I redistribute those routes, such as "connected", "static", "ospf", or whatever, into BGP, they're advertised to neighbors under some conditions without network statements.

That's why I didn't know about this loopback interface/prefix behavior with the network statement, because it always works. I regularly use "config router prefix-list" to match whatever I want to advertise to neighbors, then use the prefix-list in "config router route-map" to actually match it for advertisement or for filtering received routes from BGP neighbors.

Toshi

Toshi_Esumi

Ok. For my further test, if I used the "network" config in BGP for other non-loopback interfaces, they're advertised to my eBGP neighbor, but it doesn't advertise the loopback interface to the same neighbor.
<under config router bgp>
  config network
       edit 1
           set prefix 10.255.255.129 255.255.255.255
       next
       edit 2
           set prefix 10.68.3.224 255.255.255.240
       next
       edit 3
           set prefix 10.68.27.0 255.255.255.0
       next
   end

g40f-utm (root) # get router info bgp network 10.68.3.224
VRF 0 BGP routing table entry for 10.68.3.224/28
Paths: (1 available, best #1, table Default-IP-Routing-Table)
 Advertised to non peer-group peers:
  10.241.128.121
 Original VRF 0
 Local
   0.0.0.0 from 0.0.0.0 (192.168.199.253)
     Origin IGP, localpref 100, weight 32768, valid, sourced, local, best
     Last update: Sat Dec 16 21:05:44 2023

fg40f-utm (root) # get router info bgp network 10.68.27.0
VRF 0 BGP routing table entry for 10.68.27.0/24
Paths: (1 available, best #1, table Default-IP-Routing-Table)
 Advertised to non peer-group peers:
  10.241.128.121
 Original VRF 0
 Local
   0.0.0.0 from 0.0.0.0 (192.168.199.253)
     Origin IGP, localpref 100, weight 32768, valid, sourced, local, best
     Last update: Sat Dec 16 21:04:14 2023

fg40f-utm (root) # get router info bgp network 10.255.255.129
VRF 0 BGP routing table entry for 10.255.255.129/32
Paths: (1 available, best #1, table Default-IP-Routing-Table)
 Not advertised to any peer
 Original VRF 0
 Local
   0.0.0.0 from 0.0.0.0 (192.168.199.253)
     Origin IGP, localpref 100, weight 32768, valid, sourced, local, best
     Last update: Sat Dec 16 20:42:18 2023

Then, when I added "redistribute connected" -> set status enable
It started advertising it to the neighbor.

fg40f-utm (root) # get router info bgp network 10.255.255.129
VRF 0 BGP routing table entry for 10.255.255.129/32
Paths: (2 available, best #1, table Default-IP-Routing-Table)
 Advertised to non peer-group peers:
  10.241.128.121
 Original VRF 0
 Local
   0.0.0.0 from 0.0.0.0 (192.168.199.253)
     Origin incomplete, localpref 100, weight 32768, valid, sourced, best
     Last update: Sat Dec 16 21:15:19 2023

 Original VRF 0
 Local
   0.0.0.0 from 0.0.0.0 (192.168.199.253)
     Origin IGP, localpref 100, weight 32768, valid, sourced, local
     Last update: Sat Dec 16 20:42:18 2023

There should be a reason for this, which I don't know. Somebody from FTNT should be able to explain.

Toshi

slouw

@Toshi_Esumi that is very interesting and very very helpful

I will try the workaround you suggest

- Redistribute connected

- Prefix-list to limit what I want advertised

thanks!

Toshi_Esumi
SuperUser

Ok, I found another option. If you disable "network-import-check" for this loopback network, it still advertises it to neighbors without redistributing connected routes. I referred to below KB.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Advertise-a-BGP-route-not-present-in-the-r...

config router bgp
--<snip>--
   config network
       edit 1
           set prefix 10.255.255.129 255.255.255.255
           set network-import-check disable
       next
       edit 2
           set prefix 10.68.3.224 255.255.255.240
       next
       edit 3
           set prefix 10.68.27.0 255.255.255.0
       next
   end
   config redistribute "connected"
   end

fg40f-utm (root) # get router info bgp network 10.255.255.129
VRF 0 BGP routing table entry for 10.255.255.129/32
Paths: (1 available, best #1, table Default-IP-Routing-Table)
 Advertised to non peer-group peers:
  10.241.128.121
 Original VRF 0
 Local
   0.0.0.0 from 0.0.0.0 (192.168.199.253)
     Origin IGP, localpref 100, weight 32768, valid, sourced, local, best
     Last update: Sat Dec 16 21:51:46 2023

So it must be filtering out the loopback route with import-check.

Toshi

Toshi_Esumi

It's not conclusive actually. It might have been dragging the state from when I enabled redistribution. When I removed all that config I added to BGP, then re-configured from scratch with only one network statement for the loopback interface and then added "set network-import-check disable", it didn't advertise the route to the neighbor.

Toshi

srajeswaran
Staff

Do you see the loopback address under BGP networks on FG40-Lab-6954S? Can you run "get router info bgp network" and confirm?

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

slouw

@srajeswaran good question, thank you. I was wondering about/looking into a VRF angle on this matter. The loopback is in vrf=7 (Ref 2 in screenshot) and does in fact appear in the BGP database (is that the right term, BGP database or BGP routing table?) (Ref 1 in screenshot).

The overlay interface over which BGP is running is in fact in VRF 1 (Ref 3). Might this matter?

What if I build another overlay in vrf 7 (same as loopback)?

[Screenshot: 2023-12-18 10h42m41 Loopback and VRFs.png]

srajeswaran

Each VRF's routes are isolated, so if your route is in VRF7, it will not be present in the BGP database/table on VRF1. You may configure VRF route leaking: https://docs.fortinet.com/document/fortigate/6.4.0/new-features/834664/route-leaking-between-vrfs

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
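A small checker that models the diagnosis reached in this thread (added example, not from the thread or from FortiOS): a BGP process in one VRF only consults that VRF's own routing table when it applies the network statement's import check, so a loopback that lives in VRF 7 is invisible to a BGP session running in VRF 1. The RIB contents, the overlay prefix 10.4.10.0/24 and the simplified "exact prefix present" semantics of network-import-check are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Simplified model: the import check passes only if the exact prefix exists
# in the routing table of the VRF the BGP process runs in (assumption).


@dataclass(frozen=True)
class RibEntry:
    vrf: int
    prefix: str  # e.g. "10.222.80.1/32"


@dataclass(frozen=True)
class NetworkStmt:
    prefix: str
    import_check: bool = True  # FortiOS default: network-import-check enable


# Constructed RIB mirroring the thread: loopback in VRF 7, BGP overlay in VRF 1.
RIB = [
    RibEntry(vrf=7, prefix="10.222.80.1/32"),  # loopback (Ref 2 in the screenshot)
    RibEntry(vrf=1, prefix="10.4.10.0/24"),    # overlay to neighbor 10.4.10.1 (assumed)
]


def explain_network_stmt(stmt: NetworkStmt, rib, bgp_vrf: int):
    """Return (advertised, reason) for one BGP network statement in one VRF."""
    want = ip_network(stmt.prefix, strict=False)
    if not stmt.import_check:
        return True, "import-check disabled: advertised regardless of the RIB"
    in_bgp_vrf = {ip_network(e.prefix) for e in rib if e.vrf == bgp_vrf}
    if want in in_bgp_vrf:
        return True, f"present in VRF {bgp_vrf} routing table"
    other_vrfs = sorted({e.vrf for e in rib if ip_network(e.prefix) == want})
    if other_vrfs:
        return False, (f"exists only in VRF {other_vrfs} but BGP runs in VRF "
                       f"{bgp_vrf}: leak the route or move it into VRF {bgp_vrf}")
    return False, "not present in any VRF routing table"


def diagnose(statements, rib, bgp_vrf: int):
    """Map each configured prefix to its (advertised, reason) verdict."""
    return {s.prefix: explain_network_stmt(s, rib, bgp_vrf) for s in statements}


if __name__ == "__main__":
    for prefix, (ok, why) in diagnose([NetworkStmt("10.222.80.1/32")], RIB, 1).items():
        print(prefix, "advertised" if ok else "NOT advertised", "-", why)
```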

slouw

Confirmed. Thanks @srajeswaran
Thanks @Toshi_Esumi

And all!!!!
