I have a loopback 10.222.80.1 configured (1)
I have advertised the same prefix in BGP. (2)
The BGP neighbor 10.4.10.1 in question is healthy with 159 routes received (3)
Why is this prefix not advertised via BGP? (4)
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Each VRF routes are isolated so if your route is in VRF7, it will not be present in BGP databse/table on VRF1. You may configure VRF route leaking https://docs.fortinet.com/document/fortigate/6.4.0/new-features/834664/route-leaking-between-vrfs
Created on 12-16-2023 09:37 PM Edited on 12-16-2023 09:38 PM
This part of routing protocol implementation is not described by the standard (RFC) so it's up to each implementer. Just like admin distances are different between Cisco and Juniper (FGT is the same with Cisco), you can't expect "redistribution" behaviors are the same between Cisco and FGT.
I'm not so confident about my knowledge of the network statement. I almost never used it at least with BGP. Because if I redisctibute those routes, such as "connected", "static", "osfp", or what ever, into BGP, they're advertised to neighbors with some conditions without network statements.
That's why I didn't know about this loopback interface/prefix behavior with the network statement. Because it always works. I regularly use "config router prefix-list" to match whatever I want to advertise to nighbors, then use the prefix-list in "config router route-map" to actually match it for advertisement or filtering received routes from BGP neighbors.
Toshi
Created on 12-16-2023 09:23 PM Edited on 12-16-2023 09:26 PM
Ok. For my further test, If I used the "network" config in BGP for other non-loopback interfaces, they're advertised to my eBGP neighbor, but it doesn't advertise loopback interface to the same neighbor.
<under config router bgp>
config network
edit 1
set prefix 10.255.255.129 255.255.255.255
next
edit 2
set prefix 10.68.3.224 255.255.255.240
next
edit 3
set prefix 10.68.27.0 255.255.255.0
next
end
g40f-utm (root) # get router info bgp network 10.68.3.224
VRF 0 BGP routing table entry for 10.68.3.224/28
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Advertised to non peer-group peers:
10.241.128.121
Original VRF 0
Local
0.0.0.0 from 0.0.0.0 (192.168.199.253)
Origin IGP, localpref 100, weight 32768, valid, sourced, local, best
Last update: Sat Dec 16 21:05:44 2023
fg40f-utm (root) # get router info bgp network 10.68.27.0
VRF 0 BGP routing table entry for 10.68.27.0/24
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Advertised to non peer-group peers:
10.241.128.121
Original VRF 0
Local
0.0.0.0 from 0.0.0.0 (192.168.199.253)
Origin IGP, localpref 100, weight 32768, valid, sourced, local, best
Last update: Sat Dec 16 21:04:14 2023
fg40f-utm (root) # get router info bgp network 10.255.255.129
VRF 0 BGP routing table entry for 10.255.255.129/32
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Not advertised to any peer
Original VRF 0
Local
0.0.0.0 from 0.0.0.0 (192.168.199.253)
Origin IGP, localpref 100, weight 32768, valid, sourced, local, best
Last update: Sat Dec 16 20:42:18 2023
Then, when I added "redistribute connected" -> set status enable
It started advertising it to the neighbor.
fg40f-utm (root) # get router info bgp network 10.255.255.129
VRF 0 BGP routing table entry for 10.255.255.129/32
Paths: (2 available, best #1, table Default-IP-Routing-Table)
Advertised to non peer-group peers:
10.241.128.121
Original VRF 0
Local
0.0.0.0 from 0.0.0.0 (192.168.199.253)
Origin incomplete, localpref 100, weight 32768, valid, sourced, best
Last update: Sat Dec 16 21:15:19 2023
Original VRF 0
Local
0.0.0.0 from 0.0.0.0 (192.168.199.253)
Origin IGP, localpref 100, weight 32768, valid, sourced, local
Last update: Sat Dec 16 20:42:18 2023
There should be a reason for this, which I don't know. Somebody from FTNT should be able to explain.
Toshi
@Toshi_Esumi that is very interesting and very very helpful
I will try the workaround you suggest
- Redistribute connected
- Prefix-list to limit what I want advertised
thanks!
Ok, I found another option. If you disable "network-import-check" for this loopback network, it still advertises it to neighbors without redistributing connected routes. I referred to below KB.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Advertise-a-BGP-route-not-present-in-the-r...
config router bgp
--<snip>--
config network
edit 1
set prefix 10.255.255.129 255.255.255.255
set network-import-check disable
next
edit 2
set prefix 10.68.3.224 255.255.255.240
next
edit 3
set prefix 10.68.27.0 255.255.255.0
next
end
config redistribute "connected"
end
fg40f-utm (root) # get router info bgp network 10.255.255.129
VRF 0 BGP routing table entry for 10.255.255.129/32
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Advertised to non peer-group peers:
10.241.128.121
Original VRF 0
Local
0.0.0.0 from 0.0.0.0 (192.168.199.253)
Origin IGP, localpref 100, weight 32768, valid, sourced, local, best
Last update: Sat Dec 16 21:51:46 2023
So it must be filtering out the loopback route with import-check.
Toshi
Created on 12-16-2023 10:14 PM Edited on 12-16-2023 10:15 PM
It's not conclusive actually. It might have been dragging the state from when I enabled redistibution. When I removed all those config I added to BGP then re-configured from scratch only one network statement for the loopback interface then added "set network-import-check disable", it didn't advertise the route to the neighbor.
Toshi
Do you see the loopback address under bgp networks on FG40-Lab-6954S ? Can you run "get router info bgp network" and confirm?
@srajeswaran good question thank you. I was wondering/looking into a VRF angle on this matter. The loopback is in vrf=7 (Ref 2 in screenshot) and does in fact appear in the bgp database (is that the right term? BGP database or BGP routing table?) Ref 1 in screenshot
The overlay interface over which BGP is running is in fact in VRF 1 (Ref 3) Might this matter?
What if I build another overlay in vrf 7 (same as loopback)?
Each VRF routes are isolated so if your route is in VRF7, it will not be present in BGP databse/table on VRF1. You may configure VRF route leaking https://docs.fortinet.com/document/fortigate/6.4.0/new-features/834664/route-leaking-between-vrfs
Confirmed. Thanks @srajeswaran
Thanks @Toshi_Esumi
And all!!!!
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1732 | |
1105 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.