rmetzger
Staff
Article Id 192499
Purpose
This article provides a BGP configuration example to prevent a FortiGate from redistributing (re-advertising) to one specific BGP peer the routes it has learned from another specific peer.

Scope
  • FortiGate or VDOM in NAT mode
  • Example given for FortiOS 4.0 and above

Diagram
The following diagram illustrates this example:

[Diagram: rmetzger_bgp_1.jpg]

Expectations, Requirements
  • FGT2 must not redistribute to FGT3 the BGP routes learned from FGT1; the routes exchanged with the other FortiGates must not be affected
  • FGT1 is announcing the following routes in BGP:
    • 10.10.10.0/24
    • 10.160.0.0/23
    • 172.31.224.0/23
  • FGT3 is announcing the following routes in BGP:
    • 10.158.0.0/23
    • 192.168.182.0/23
  • FGT4 is announcing the following routes in BGP:
    • 10.161.0.0/23
    • 10.162.0.0/23

Configuration
This is achieved on FortiGate 2 (FGT2) by configuring one access-list per peer address and an outbound route-map (route-map-out) on the neighbor entry for FGT3. The route-map matches on the BGP next-hop of each route: routes learned from FGT1 carry next-hop 172.31.224.136, routes learned from FGT4 carry next-hop 172.31.224.66. Route-map rules are evaluated in rule order and a route that matches no rule is dropped by the implicit deny at the end of the route-map, which is why rule 2 explicitly permits the routes with FGT4's next-hop before rule 3 denies those with FGT1's next-hop.
Only the relevant parts of the FGT2 configuration are provided, in CLI format:

config router access-list
    edit "match_fgt1"
        config rule
            edit 1
                set prefix 172.31.224.136 255.255.255.255
                set exact-match enable
            next
        end
    next
    edit "match_fgt4"
        config rule
            edit 1
                set prefix 172.31.224.66 255.255.255.255
                set exact-match enable
            next
        end
    next
end


config router route-map
    edit "route_map_out_deny_fgt1"
        config rule
            edit 2
                set match-ip-nexthop "match_fgt4"
            next
            edit 3
                set action deny
                set match-ip-nexthop "match_fgt1"
            next
        end
    next
end


config router bgp
    set as 65110
    config neighbor
        edit "172.31.224.136"
            set remote-as 65136
        next
        edit "192.168.182.78"
            set remote-as 65078
            set route-map-out "route_map_out_deny_fgt1"
        next
        edit "172.31.224.66"
            set remote-as 65066
        next
    end
    set router-id 172.31.224.110
end
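To make the route-map decision concrete, the following Python script is an added example (it is not part of the original article and is not FortiOS code). It replays FGT2's BGP table from the Verification section below through the access-lists and route-map configured above: each route's next-hop is checked against the access-lists, the route-map rules are applied in order with the implicit deny at the end, and only best paths (marked ">") are considered, since those are the paths BGP advertises. The ROUTE_MAP_CATCH_ALL variant is hypothetical and exists only to show the difference between the implicit deny and an explicit permit-everything-else rule.

```python
"""Simulate the route-map decision FGT2 makes for routes advertised to FGT3.

Added example, not part of the original article or of FortiOS. It models the
FortiOS features the article uses, as the article describes them: access-list
rules with exact-match, match-ip-nexthop, permit/deny evaluated in rule order,
and the implicit deny for routes that match no rule. Whether a path is offered
to the route-map at all is BGP's decision (only best paths are advertised);
that is modelled by reading the '>' marker of 'get router info bgp network'.
"""
import ipaddress

# FGT2's access-lists from the article (FGT1 = 172.31.224.136, FGT4 = 172.31.224.66).
ACCESS_LISTS = {
    "match_fgt1": [{"prefix": "172.31.224.136/32", "exact_match": True, "action": "permit"}],
    "match_fgt4": [{"prefix": "172.31.224.66/32", "exact_match": True, "action": "permit"}],
}

# route_map_out_deny_fgt1, rules in rule-id order. The action defaults to permit.
ROUTE_MAP = [
    {"id": 2, "action": "permit", "match_ip_nexthop": "match_fgt4"},
    {"id": 3, "action": "deny", "match_ip_nexthop": "match_fgt1"},
]

# Hypothetical variant (not in the article): a final rule with no match
# criteria matches every remaining route, replacing the implicit deny.
ROUTE_MAP_CATCH_ALL = ROUTE_MAP + [{"id": 10, "action": "permit"}]

# Constructed input: the route rows of FGT2's 'get router info bgp network'
# output as printed in the article (header line kept to show it is skipped).
BGP_TABLE = """\
   Network          Next Hop            Metric LocPrf Weight Path
*> 10.10.10.0/24    172.31.224.136           0             0 65136 ?
*> 10.158.0.0/23    192.168.182.78           0             0 65078 ?
*> 10.160.0.0/23    172.31.224.136           0             0 65136 ?
*> 10.161.0.0/23    172.31.224.66            0             0 65066 ?
*> 10.162.0.0/23    172.31.224.66            0             0 65066 ?
*  172.31.224.0/23  172.31.224.66            0             0 65066 ?
*>                  172.31.224.136           0             0 65136 ?
*> 192.168.182.0/23 192.168.182.78           0             0 65078 ?
"""


def parse_bgp_table(text):
    """Return one dict per path: network, next_hop, best.

    A row with an empty Network column is an additional path for the network
    of the preceding row, so the last seen network is carried over.
    """
    paths, network = [], None
    for line in text.splitlines():
        if not line.startswith("*"):
            continue  # header, blank or summary line
        fields = line[2:].split()
        if "/" in fields[0]:
            network = fields.pop(0)
        paths.append({"network": network, "next_hop": fields[0], "best": line[1] == ">"})
    return paths


def access_list_permits(acl_name, address):
    """Evaluate an access-list against one address (the route's next-hop).

    Rules are checked in order; the first rule whose prefix matches decides.
    With exact-match the address must equal the rule's prefix (only sensible
    for a /32 host prefix); without it, any address inside the prefix matches.
    An address matching no rule does not match the list.
    """
    host = ipaddress.ip_network(address + "/32")
    for rule in ACCESS_LISTS[acl_name]:
        prefix = ipaddress.ip_network(rule["prefix"])
        hit = host == prefix if rule["exact_match"] else host.subnet_of(prefix)
        if hit:
            return rule.get("action", "permit") == "permit"
    return False


def route_map_action(route_map, next_hop):
    """First matching rule wins; a rule without match criteria matches all.

    Routes matching no rule fall through to the implicit deny, which is why
    the article's rule 2 has to permit FGT4's next-hop explicitly.
    """
    for rule in route_map:
        acl = rule.get("match_ip_nexthop")
        if acl is None or access_list_permits(acl, next_hop):
            return rule.get("action", "permit")
    return "deny"


def advertised_prefixes(bgp_table_text, route_map):
    """Prefixes FGT2 would send to the neighbor: best paths the route-map permits."""
    out = [p["network"] for p in parse_bgp_table(bgp_table_text)
           if p["best"] and route_map_action(route_map, p["next_hop"]) == "permit"]
    return sorted(out, key=ipaddress.ip_network)


if __name__ == "__main__":
    print("article route-map:", advertised_prefixes(BGP_TABLE, ROUTE_MAP))
    print("deny rule only   :", advertised_prefixes(BGP_TABLE, ROUTE_MAP[1:]))
    print("with catch-all   :", advertised_prefixes(BGP_TABLE, ROUTE_MAP_CATCH_ALL))
```

For the article's route-map the script returns 10.161.0.0/23 and 10.162.0.0/23, which is exactly what FGT3 learns after the change. With only the deny rule nothing passes, because every other route hits the implicit deny. With the hypothetical catch-all rule FGT3 would also be offered 10.158.0.0/23 and 192.168.182.0/23 (subject to BGP's own checks, such as FGT3 rejecting paths containing its own AS), but still not 172.31.224.0/23: FGT2's best path for that prefix is the one from FGT1, and only best paths reach the route-map.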





Verification

Verifications before configuring the route-map on FGT2:

Note below that all FortiGates have all BGP routes in their routing tables.

FGT1 # get router info routing-table all

S*      0.0.0.0/0 [10/0] via 172.31.225.254, port1

C       10.10.10.0/24 is directly connected, port4
B       10.158.0.0/23 [20/0] via 172.31.224.110, port1, 00:00:00
C       10.160.0.0/23 is directly connected, port2
B       10.161.0.0/23 [20/0] via 172.31.224.66, port1, 00:00:00
B       10.162.0.0/23 [20/0] via 172.31.224.66, port1, 00:00:00
C       172.31.224.0/23 is directly connected, port1
B       192.168.182.0/23 [20/0] via 172.31.224.110, port1, 00:00:00



FGT2 # get router info bgp network

BGP table version is 3, local router ID is 172.31.224.110
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.10.10.0/24    172.31.224.136           0             0 65136 ?
*> 10.158.0.0/23    192.168.182.78           0             0 65078 ?
*> 10.160.0.0/23    172.31.224.136           0             0 65136 ?
*> 10.161.0.0/23    172.31.224.66            0             0 65066 ?
*> 10.162.0.0/23    172.31.224.66            0             0 65066 ?
*  172.31.224.0/23  172.31.224.66            0             0 65066 ?
*>                  172.31.224.136           0             0 65136 ?
*> 192.168.182.0/23 192.168.182.78           0             0 65078 ?

Total number of prefixes 7




FGT2 # get router info routing-table all

S*      0.0.0.0/0 [10/0] via 172.31.225.254, port1
B       10.10.10.0/24 [20/0] via 172.31.224.136, port1, 00:00:57
B       10.158.0.0/23 [20/0] via 192.168.182.78, port2, 00:00:57
B       10.160.0.0/23 [20/0] via 172.31.224.136, port1, 00:00:57
B       10.161.0.0/23 [20/0] via 172.31.224.66, port1, 00:00:52
B       10.162.0.0/23 [20/0] via 172.31.224.66, port1, 00:00:52
C       172.31.224.0/23 is directly connected, port1
C       192.168.182.0/23 is directly connected, port2


FGT3 # get router info routing-table all

S*      0.0.0.0/0 [10/0] via 192.168.183.254, wan1

B       10.10.10.0/24 [20/0] via 192.168.182.110, wan1, 00:01:17
C       10.158.0.0/23 is directly connected, internal
B       10.160.0.0/23 [20/0] via 192.168.182.110, wan1, 00:01:17
B       10.161.0.0/23 [20/0] via 192.168.182.110, wan1, 00:00:50
B       10.162.0.0/23 [20/0] via 192.168.182.110, wan1, 00:00:50
B       172.31.224.0/23 [20/0] via 192.168.182.110, wan1, 00:01:17
C       192.168.182.0/23 is directly connected, wan1




FGT4 # get router info routing-table all

S*      0.0.0.0/0 [10/0] via 172.31.225.254, wan1
B       10.10.10.0/24 [20/0] via 172.31.224.136, wan1, 00:01:29
B       10.158.0.0/23 [20/0] via 172.31.224.110, wan1, 00:01:29
B       10.160.0.0/23 [20/0] via 172.31.224.136, wan1, 00:01:29
C       10.161.0.0/23 is directly connected, wan1
C       10.162.0.0/23 is directly connected, wan1
C       172.31.224.0/23 is directly connected, wan1
B       192.168.182.0/23 [20/0] via 172.31.224.110, wan1, 00:01:29




Verifications after configuring the route-map on FGT2:

Note below that all FortiGates still have all BGP routes in their routing tables, except FGT3, which no longer receives the routes that FGT2 learned from FGT1.

FGT1 # get router info routing-table all

S*      0.0.0.0/0 [10/0] via 172.31.225.254, port1
C       10.10.10.0/24 is directly connected, port4
B       10.158.0.0/23 [20/0] via 172.31.224.110, port1, 00:00:52
C       10.160.0.0/23 is directly connected, port2
B       10.161.0.0/23 [20/0] via 172.31.224.66, port1, 00:00:52
B       10.162.0.0/23 [20/0] via 172.31.224.66, port1, 00:00:52
C       172.31.224.0/23 is directly connected, port1
B       192.168.182.0/23 [20/0] via 172.31.224.110, port1, 00:00:52



FGT2 # get router info bgp network

BGP table version is 2, local router ID is 172.31.224.110

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.10.10.0/24    172.31.224.136           0             0 65136 ?
*> 10.158.0.0/23    192.168.182.78           0             0 65078 ?
*> 10.160.0.0/23    172.31.224.136           0             0 65136 ?
*> 10.161.0.0/23    172.31.224.66            0             0 65066 ?
*> 10.162.0.0/23    172.31.224.66            0             0 65066 ?
*  172.31.224.0/23  172.31.224.66            0             0 65066 ?
*>                  172.31.224.136           0             0 65136 ?
*> 192.168.182.0/23 192.168.182.78           0             0 65078 ?

Total number of prefixes 7




FGT2 # get router info routing-table all

S*      0.0.0.0/0 [10/0] via 172.31.225.254, port1
B       10.10.10.0/24 [20/0] via 172.31.224.136, port1, 00:02:18
B       10.158.0.0/23 [20/0] via 192.168.182.78, port2, 00:02:18
B       10.160.0.0/23 [20/0] via 172.31.224.136, port1, 00:02:18
B       10.161.0.0/23 [20/0] via 172.31.224.66, port1, 00:02:13
B       10.162.0.0/23 [20/0] via 172.31.224.66, port1, 00:02:13
C       172.31.224.0/23 is directly connected, port1
C       192.168.182.0/23 is directly connected, port2



The following command lists the BGP paths on FGT2 that pass route_map_out_deny_fgt1. Only paths whose next-hop is FGT4 (172.31.224.66) remain; the 172.31.224.0/23 entry appears without the ">" marker because FGT2's best path for that prefix is the one via FGT1, so it is not advertised to FGT3:

FGT2 # get router info bgp route-map route_map_out_deny_fgt1

BGP table version is 2, local router ID is 172.31.224.110

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.161.0.0/23    172.31.224.66            0             0 65066 ?
*> 10.162.0.0/23    172.31.224.66            0             0 65066 ?
*  172.31.224.0/23  172.31.224.66            0             0 65066 ?

Total number of prefixes 3



FGT3 # get router info routing-table all

S*      0.0.0.0/0 [10/0] via 192.168.183.254, wan1
C       10.158.0.0/23 is directly connected, internal
B       10.161.0.0/23 [20/0] via 192.168.182.110, wan1, 00:03:23
B       10.162.0.0/23 [20/0] via 192.168.182.110, wan1, 00:03:23
C       192.168.182.0/23 is directly connected, wan1



See above that the routes announced by FGT1 are no longer present on FGT3. Note that 172.31.224.0/23 has disappeared as well, although FGT4 also announces it: FGT2's best BGP path for that prefix is the one learned from FGT1 (next-hop 172.31.224.136), only best paths are advertised, and that path is denied by the route-map.


FGT4 # get router info routing-table all

S*      0.0.0.0/0 [10/0] via 172.31.225.254, wan1
B       10.10.10.0/24 [20/0] via 172.31.224.136, wan1, 00:01:29
B       10.158.0.0/23 [20/0] via 172.31.224.110, wan1, 00:01:29
B       10.160.0.0/23 [20/0] via 172.31.224.136, wan1, 00:01:29
C       10.161.0.0/23 is directly connected, wan1
C       10.162.0.0/23 is directly connected, wan1
C       172.31.224.0/23 is directly connected, wan1
B       192.168.182.0/23 [20/0] via 172.31.224.110, wan1, 00:01:29

