FortiGate
gfranceschi (Staff)
Article Id 198685

Description
This article provides a BGP configuration example to force/prevent a FortiGate from advertising some BGP routes to specific BGP peers.


Diagram

The following diagram illustrates this example:

[Diagram: rmetzger_bgp_2.jpg]

Expectations and requirements

  • FGT2 must advertise specific BGP routes learned from FGT1 to FGT3 and FGT4:
      FGT3 must learn only route 10.10.10.0/24
      FGT4 must learn only route 10.160.0.0/23

  • FGT1 is announcing the following routes in BGP:
      10.10.10.0/24
      10.160.0.0/23
      172.31.224.0/23

  • FGT3 is announcing the following routes in BGP:
      10.158.0.0/23
      192.168.182.0/23

  • FGT4 is announcing the following routes in BGP:
      10.161.0.0/23
      10.162.0.0/23

  • FGT3 and FGT4 are NOT BGP peers.


Scope

  • FortiGate or VDOM in NAT mode.
  • Example given for FortiOS 4.0 and above.


Solution

Configuring one access-list per peer and applying it through an outbound route-map (route-map-out) on FortiGate 2 (FGT2) filters the route advertisements so that each peer receives only the intended prefix. Each route-map holds a single permit rule that matches the peer's access-list; any route not matched by a rule is dropped by the route-map's implicit deny, which is what prevents the other prefixes from being advertised.

Only the relevant parts of the FortiGate 2 (FGT2) configuration are shown, in CLI format:

config router access-list
    edit "match_fgt4"
        config rule
            edit 1
                set prefix 10.160.0.0 255.255.254.0
                set exact-match enable
            next
        end
    next
    edit "match_fgt3"
        config rule
            edit 1
                set prefix 10.10.10.0 255.255.255.0
                set exact-match enable
            next
        end
    next
end

config router route-map
    edit "route_map_out_fgt3"
        config rule
            edit 1
                set match-ip-address "match_fgt3"
            next
        end
    next
    edit "route_map_out_fgt4"
        config rule
            edit 1
                set match-ip-address "match_fgt4"
            next
        end
    next
end


config router bgp
    set as 65110
    config neighbor
        edit "172.31.224.136"
            set remote-as 65136
        next
        edit "192.168.182.78"
            set remote-as 65078
            set route-map-out "route_map_out_fgt3"
        next
        edit "192.168.182.66"
            set remote-as 65066
            set route-map-out "route_map_out_fgt4"
        next
    end
    set router-id 172.31.224.110
end


Verifications before configuring FGT2:

FGT2 # get router info routing-table all

S*      0.0.0.0/0 [10/0] via 172.31.225.254, port1
B       10.10.10.0/24 [20/0] via 172.31.224.136, port1, 00:00:06
B       10.158.0.0/23 [20/0] via 192.168.182.78, port2, 00:00:06
B       10.160.0.0/23 [20/0] via 172.31.224.136, port1, 00:00:06
B       10.161.0.0/23 [20/0] via 192.168.182.66, port2, 00:00:01
B       10.162.0.0/23 [20/0] via 192.168.182.66, port2, 00:00:01
C       172.31.224.0/23 is directly connected, port1
C       192.168.182.0/23 is directly connected, port2



FGT3 # get router info routing-table all

S*      0.0.0.0/0 [10/0] via 192.168.183.254, wan1
B       10.10.10.0/24 [20/0] via 192.168.182.110, wan1, 00:06:04
C       10.158.0.0/23 is directly connected, internal
B       10.160.0.0/23 [20/0] via 192.168.182.110, wan1, 00:06:04
B       10.161.0.0/23 [20/0] via 192.168.182.66, wan1, 00:05:35
B       10.162.0.0/23 [20/0] via 192.168.182.66, wan1, 00:05:35
B       172.31.224.0/23 [20/0] via 192.168.182.110, wan1, 00:06:04
C       192.168.182.0/23 is directly connected, wan1



FGT4 # get router info routing-table all

S*      0.0.0.0/0 [10/0] via 192.168.183.254, wan1
B       10.10.10.0/24 [20/0] via 192.168.182.110, wan1, 00:06:51
B       10.158.0.0/23 [20/0] via 192.168.182.78, wan1, 00:06:51
B       10.160.0.0/23 [20/0] via 192.168.182.110, wan1, 00:06:51
C       10.161.0.0/23 is directly connected, wan1
C       10.162.0.0/23 is directly connected, wan1
B       172.31.224.0/23 [20/0] via 192.168.182.110, wan1, 00:06:51
C       192.168.182.0/23 is directly connected, wan1


Verifications after applying the route map on FGT2:

FGT2 # get router info routing-table all

S*      0.0.0.0/0 [10/0] via 172.31.225.254, port1
B       10.10.10.0/24 [20/0] via 172.31.224.136, port1, 00:00:31
B       10.158.0.0/23 [20/0] via 192.168.182.78, port2, 00:00:31
B       10.160.0.0/23 [20/0] via 172.31.224.136, port1, 00:00:31
B       10.161.0.0/23 [20/0] via 192.168.182.66, port2, 00:00:26
B       10.162.0.0/23 [20/0] via 192.168.182.66, port2, 00:00:26
C       172.31.224.0/23 is directly connected, port1
C       192.168.182.0/23 is directly connected, port2



FGT3 # get router info routing-table all

S*      0.0.0.0/0 [10/0] via 192.168.183.254, wan1
B       10.10.10.0/24 [20/0] via 192.168.182.110, wan1, 00:00:48
C       10.158.0.0/23 is directly connected, internal
C       192.168.182.0/23 is directly connected, wan1



FGT4 # get router info routing-table all

S*      0.0.0.0/0 [10/0] via 192.168.183.254, wan1
B       10.160.0.0/23 [20/0] via 192.168.182.110, wan1, 00:00:36
C       10.161.0.0/23 is directly connected, wan1
C       10.162.0.0/23 is directly connected, wan1
C       192.168.182.0/23 is directly connected, wan1
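As an added example (not part of the article), the script below models the outbound filter the article configures on FGT2 (exact-match access-list inside a route-map with its implicit deny) and parses the "get router info routing-table all" output of a peer to confirm it learned only the expected prefix. The candidate route list and the FGT4 table are taken from the article's own outputs; the function names are my own.

```python
import ipaddress
import re

# Every prefix in FGT2's table before filtering (from the article): the
# candidate set for its outbound advertisements to FGT3 and FGT4.
FGT2_ROUTES = ["10.10.10.0/24", "10.158.0.0/23", "10.160.0.0/23",
               "10.161.0.0/23", "10.162.0.0/23", "172.31.224.0/23",
               "192.168.182.0/23"]

# Access-list entries in the article's "prefix mask" form, exact-match enabled.
ACCESS_LISTS = {
    "match_fgt3": ["10.10.10.0 255.255.255.0"],
    "match_fgt4": ["10.160.0.0 255.255.254.0"],
}

def _key(prefix):
    # Normalise "a.b.c.d m.m.m.m" or "a.b.c.d/n" to (address, prefix length) so an
    # exact-match compares address and mask literally (10.161.0.0/23 != 10.160.0.0/23).
    iface = ipaddress.ip_interface(prefix.replace(" ", "/"))
    return (iface.ip, iface.network.prefixlen)

def apply_route_map_out(routes, access_list):
    """Model a FortiOS route-map-out with one permit rule matching an exact-match
    access-list: matched routes are advertised, every other route hits the
    route-map's implicit deny and is withheld from the peer."""
    allowed = {_key(p) for p in access_list}
    return [r for r in routes if _key(r) in allowed]

# One 'B' line of 'get router info routing-table all': prefix, then the next hop.
BGP_LINE = re.compile(r"^B\s+(\S+)\s+\[\d+/\d+\]\s+via\s+(\S+),")

def bgp_routes_via(table_output, neighbor):
    """Return the BGP prefixes a peer's routing table shows as learned via neighbor."""
    found = set()
    for line in table_output.splitlines():
        m = BGP_LINE.match(line.strip())
        if m and m.group(2) == neighbor:
            found.add(m.group(1))
    return found

# FGT4's table after the route-map was applied (copied from the article's output).
FGT4_TABLE_AFTER = """\
S*      0.0.0.0/0 [10/0] via 192.168.183.254, wan1
B       10.160.0.0/23 [20/0] via 192.168.182.110, wan1, 00:00:36
C       10.161.0.0/23 is directly connected, wan1
C       10.162.0.0/23 is directly connected, wan1
C       192.168.182.0/23 is directly connected, wan1
"""
```

Comparing apply_route_map_out(FGT2_ROUTES, ACCESS_LISTS["match_fgt4"]) with bgp_routes_via(FGT4_TABLE_AFTER, "192.168.182.110") gives a quick check that the filter on FGT2 and what FGT4 actually learned agree.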
