Purpose
This article gives a configuration example on how to achieve the following with BGP:
- Announce routes in BGP, either with a network statement or by redistributing routes from another source (static routes in this example).
- Accept ONLY a default route from a BGP peer.
Scope
FortiGate or VDOM in NAT mode.
Diagram
The following diagram is used to illustrate this example. The focus for the configuration is on FGT-1.
[Diagram not reproduced in the text: FGT-1 peers with FGT_ISP. Only the label fragment "except the default route" survived extraction.]
Expectations, Requirements
The requirement on FGT-1 is:
- Announce 192.168.0.0/21 to the BGP peer FGT_ISP. For this example, 192.168.0.0/21 is a valid static route on FGT-1 but it could be any type of route.
- Accept only the default route from the BGP peer FGT_ISP and deny all other updates.
Configuration
Announcing 192.168.0.0/21, option 1: redistribute static routes into BGP.

config router bgp
    config redistribute "static"
        set status enable
    end
end

"static" is used here because 192.168.0.0/21 is a static route on FGT-1; the redistribute source (connected, ospf, rip, ...) must be adapted to each situation. Redistribution is not selective: every static route on FGT-1 is announced to the peer, so in this topology 2.2.2.2/32 and 192.168.171.0/24 would go out as well unless a route-map is attached to the redistribute entry (set route-map) or applied outbound on the neighbor (set route-map-out).

Announcing 192.168.0.0/21, option 2: an explicit network statement. Only this prefix is announced, and by default FortiOS announces it only while a matching route is present in the routing table (network-import-check).

config router bgp
    config network
        edit 1
            set prefix 192.168.0.0 255.255.248.0
        next
    end
end

Accepting only the default route from FGT_ISP: a prefix-list that matches exactly 0.0.0.0/0, a route-map that references it, and the route-map applied inbound on the neighbor. With ge and le unset the prefix-list rule matches only a route whose length equals that of the rule, so 0.0.0.0/0 matches but no longer prefix does; setting "le 32" on this rule would turn it into "any prefix" and defeat the filter. A route-map ends with an implicit deny, so every update from FGT_ISP that does not match "only_dflt" is dropped before it reaches the routing table.

config router prefix-list
    edit "only_dflt"
        config rule
            edit 1
                set prefix 0.0.0.0 0.0.0.0
                unset ge
                unset le
            next
        end
    next
end

config router route-map
    edit "only_default_route"
        config rule
            edit 1
                set match-ip-address "only_dflt"
            next
        end
    next
end

config router bgp
    set as 2
    config neighbor
        edit 10.142.0.110
            set remote-as 1
            set route-map-in "only_default_route"
        next
    end
    set router-id 10.142.0.205
end
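The following Python model is an added example for this article, not FortiOS code. It reproduces the matching rules of a prefix-list entry (set prefix, unset ge/le) and of a route-map rule that uses match-ip-address, then applies the "only_dflt"/"only_default_route" filter to the prefixes FGT_ISP announced in the verification output below. It also shows two things the article does not spell out: what happens if "le 32" is added to the prefix-list rule by mistake, and how a hypothetical outbound prefix filter (not part of the article's configuration) would restrict a plain "redistribute static" to 192.168.0.0/21. The route lists are constructed from the article's routing tables; all function and constant names are this example's own.

```python
"""Model of FortiOS prefix-list / route-map matching for BGP update filtering.

Added example, not FortiOS code. Route lists below are constructed from the
article's "get router info routing-table all" output; helper names are ours.
"""
from ipaddress import IPv4Network
from typing import List, Optional, Tuple

# (prefix, ge, le, action). ge/le None == "unset": the route must have exactly
# the rule's prefix length, not any longer prefix that lies inside it.
PrefixRule = Tuple[IPv4Network, Optional[int], Optional[int], str]
# (prefix-list referenced by match-ip-address, route-map rule action)
RouteMapRule = Tuple[List[PrefixRule], str]


def prefix_rule_matches(rule: PrefixRule, route: IPv4Network) -> bool:
    prefix, ge, le, _ = rule
    if not route.subnet_of(prefix):          # route must lie inside the prefix
        return False
    lo = ge if ge is not None else prefix.prefixlen
    hi = le if le is not None else prefix.prefixlen
    return lo <= route.prefixlen <= hi


def prefix_list_action(plist: List[PrefixRule], route: IPv4Network) -> str:
    """First matching rule decides; a prefix-list ends with an implicit deny."""
    for rule in plist:
        if prefix_rule_matches(rule, route):
            return rule[3]
    return "deny"


def route_map_action(rmap: List[RouteMapRule], route: IPv4Network) -> str:
    """A route-map rule matches when its prefix-list permits the route; the
    first matching rule's action applies, and no match at all means deny."""
    for plist, action in rmap:
        if prefix_list_action(plist, route) == "permit":
            return action
    return "deny"


def filter_routes(rmap: List[RouteMapRule], routes: List[str]) -> List[str]:
    """Return the routes the route-map lets through, in their original order."""
    return [r for r in routes
            if route_map_action(rmap, IPv4Network(r)) == "permit"]


# The article's filter:
#   prefix-list "only_dflt": set prefix 0.0.0.0 0.0.0.0 / unset ge / unset le
#   route-map "only_default_route": rule 1, match-ip-address "only_dflt"
ONLY_DFLT: List[PrefixRule] = [(IPv4Network("0.0.0.0/0"), None, None, "permit")]
ONLY_DEFAULT_ROUTE: List[RouteMapRule] = [(ONLY_DFLT, "permit")]

# Common mistake: "set le 32" on the same rule means "any prefix of any
# length", which silently disables the filter.
ANY_PREFIX_RMAP: List[RouteMapRule] = [
    ([(IPv4Network("0.0.0.0/0"), None, 32, "permit")], "permit")
]

# BGP prefixes received from FGT_ISP (10.142.0.110), per the "before" table.
RECEIVED_FROM_ISP = ["0.0.0.0/0", "1.1.1.1/32", "10.160.0.0/23",
                     "192.168.0.0/16", "192.168.168.0/24"]
# Static routes present on FGT-1 that a plain "redistribute static" announces.
STATIC_ON_FGT1 = ["2.2.2.2/32", "192.168.0.0/21", "192.168.171.0/24"]
# Hypothetical outbound filter (not in the article): announce only our prefix.
ONLY_OUR_PREFIX_RMAP: List[RouteMapRule] = [
    ([(IPv4Network("192.168.0.0/21"), None, None, "permit")], "permit")
]


def inbound_accepted() -> List[str]:
    return filter_routes(ONLY_DEFAULT_ROUTE, RECEIVED_FROM_ISP)


def inbound_accepted_with_le32() -> List[str]:
    return filter_routes(ANY_PREFIX_RMAP, RECEIVED_FROM_ISP)


def outbound_announced(with_filter: bool) -> List[str]:
    if not with_filter:
        return list(STATIC_ON_FGT1)      # plain redistribute: every static route
    return filter_routes(ONLY_OUR_PREFIX_RMAP, STATIC_ON_FGT1)


if __name__ == "__main__":
    print("inbound, only_default_route :", inbound_accepted())
    print("inbound, le 32 by mistake   :", inbound_accepted_with_le32())
    print("outbound, redistribute only :", outbound_announced(False))
    print("outbound, with prefix filter:", outbound_announced(True))
```

Run it stand-alone to compare the four lists: with the article's filter only 0.0.0.0/0 survives, matching the "after" routing table, while the "le 32" variant lets all five ISP prefixes through, including 192.168.0.0/16, which overlaps the 192.168.0.0/21 range FGT-1 itself originates.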
Verification
Verification on FGT-1 before implementing the route map. Every prefix announced by FGT_ISP (10.142.0.110) is installed: the default route, 1.1.1.1/32, 10.160.0.0/23, 192.168.0.0/16 and 192.168.168.0/24.
FGT-1 (bgp) # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

B*      0.0.0.0/0 [20/0] via 10.142.0.110, wan1, 00:02:18
B       1.1.1.1/32 [20/0] via 10.142.0.110, wan1, 00:02:18
S       2.2.2.2/32 [10/0] via 192.168.183.254, wan2
O       10.128.0.0/10 [110/0] is a summary, Null, 00:02:23
C       10.142.0.0/23 is directly connected, wan1
B       10.160.0.0/23 [20/0] via 10.142.0.110, wan1, 00:02:18
C       10.161.0.0/30 is directly connected, Inter-vdom10
C       10.161.0.1/32 is directly connected, Inter-vdom10
C       10.161.0.4/30 is directly connected, Inter-vdom20
C       10.161.0.5/32 is directly connected, Inter-vdom20
B       192.168.0.0/16 [20/0] via 10.142.0.110, wan1, 00:02:18
S       192.168.0.0/21 [10/0] via 10.161.0.2, Inter-vdom10
B       192.168.168.0/24 [20/0] via 10.142.0.110, wan1, 00:02:18
S       192.168.171.0/24 [10/0] via 192.168.183.254, wan2
C       192.168.182.0/23 is directly connected, wan2
Verification on FGT-1 after implementing the route map. Only the default route is still learned from BGP; 1.1.1.1/32, 192.168.0.0/16 and 192.168.168.0/24 are gone, and 10.160.0.0/23 is now installed from OSPF via Inter-vdom10 instead of from the BGP peer.
FGT-1 (root) # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

B*      0.0.0.0/0 [20/0] via 10.142.0.110, wan1, 00:05:58
S       2.2.2.2/32 [10/0] via 192.168.183.254, wan2
O       10.128.0.0/10 [110/0] is a summary, Null, 00:06:03
C       10.142.0.0/23 is directly connected, wan1
O       10.160.0.0/23 [110/200] via 10.161.0.2, Inter-vdom10, 00:05:39
C       10.161.0.0/30 is directly connected, Inter-vdom10
C       10.161.0.1/32 is directly connected, Inter-vdom10
C       10.161.0.4/30 is directly connected, Inter-vdom20
C       10.161.0.5/32 is directly connected, Inter-vdom20
S       192.168.0.0/21 [10/0] via 10.161.0.2, Inter-vdom10
S       192.168.171.0/24 [10/0] via 192.168.183.254, wan2
C       192.168.182.0/23 is directly connected, wan2
Verification of routes received on FGT_ISP. The only BGP route learned from FGT-1 (10.142.0.205) is 192.168.0.0/21; the inbound filter on FGT-1 does not affect what FGT-1 announces.
FGT_ISP (bgp) # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 192.168.183.254, port1
S       1.1.1.1/32 [10/0] via 192.168.183.254, port1
C       10.142.0.0/23 is directly connected, port6
C       10.160.0.0/23 is directly connected, port2
S       192.168.0.0/16 [10/0] via 192.168.183.254, port1
B       192.168.0.0/21 [20/0] via 10.142.0.205, port6, 00:09:01
S       192.168.168.0/24 [10/0] via 192.168.183.254, port1
C       192.168.182.0/23 is directly connected, port1
Related Articles
Technical Note : How to implement BGP route summary (aggregation) on a FortiGate
Copyright 2023 Fortinet, Inc. All Rights Reserved.