rmetzger
Staff
Article Id 189692
Purpose
This article describes how to configure BGP community strings so that they are added to the path attributes of selected NLRI (route updates), and how to control BGP route advertisements based on those communities.

Scope
  • FortiGate or VDOM in NAT mode
  • Example given for FortiOS 4.0 and above

Diagram
The following diagram illustrates this example:

rmetzger_bgp_2.jpg

Expectations, Requirements
  • FGT2 must redistribute the BGP routes to FGT3 and FGT4 as described below:
    • only routes announced with community string 65110:1 are advertised to FGT3
    • only routes announced with community string 65110:2 are advertised to FGT4
  • FGT1 must announce the following routes in BGP:
    • 10.10.10.0/24 with community string 65110:1
    • 20.20.20.0/24 with community string 65110:2
    • 10.160.0.0/23 without community string
    • 172.31.224.0/23 without community string
  • FGT3 announces the following routes in BGP:
    • 10.158.0.0/23
    • 192.168.182.0/23
  • FGT4 announces the following routes in BGP:
    • 10.161.0.0/23
    • 10.162.0.0/23
  • FGT3 and FGT4 are NOT BGP peers

Configuration
This is achieved by configuring an access-list and an outbound route-map (route-map-out) on FortiGate 1 (FGT1), and a community-list with one outbound route-map per downstream neighbor on FortiGate 2 (FGT2).
Only the relevant parts of the configuration are provided, in CLI format.

FGT1


config router access-list
    edit "net10"
        config rule
            edit 1
                set prefix 10.10.10.0 255.255.255.0
                set exact-match disable
            next
        end
    next
    edit "net20"
        config rule
            edit 1
                set prefix 20.20.20.0 255.255.255.0
                set exact-match disable
            next
        end
    next
end

config router route-map
    edit "community_set"
        config rule
            edit 1
                set match-ip-address "net10"
                set set-community "65110:1"
            next
            edit 2
                set match-ip-address "net20"
                set set-community "65110:2"
            next
        end
    next
end

config router bgp
    set as 65136
    config neighbor
        edit "172.31.224.110"
            set remote-as 65110
            set route-map-out "community_set"
        next
    end
    config network
        edit 1
            set prefix 10.0.0.0 255.0.0.0
        next
        edit 2
            set prefix 172.31.224.0 255.255.254.0
        next
    end
    config redistribute "connected"
        set status enable
    end
    set router-id 172.31.224.136
end


execute router restart


# WARNING #
This last command is needed to make all previous settings effective. It will, however, bring all routing instances (BGP, OSPF, ...) down and up for a short period of time, which depends on each routing protocol's convergence time.


FGT2


config router community-list
    edit "community1"
        config rule
            edit 1
                set action permit
                set match "65110:1"
            next
        end
    next
    edit "community2"
        config rule
            edit 1
                set action permit
                set match "65110:2"
            next
        end
    next
end

config router route-map
    edit "route_map_out_fgt3"
        config rule
            edit 1
                set match-community "community1"
            next
        end
    next
    edit "route_map_out_fgt4"
        config rule
            edit 1
                set match-community "community2"
            next
        end
    next
end

config router bgp
    set as 65110
    config neighbor
        edit "172.31.224.136"
            set remote-as 65136
        next
        edit "192.168.182.78"
            set remote-as 65078
            set route-map-out "route_map_out_fgt3"
        next
        edit "192.168.182.66"
            set remote-as 65066
            set route-map-out "route_map_out_fgt4"
        next
    end
    set router-id 172.31.224.110
end

execute router restart


# WARNING #

This last command is needed to make all previous settings effective. It will, however, bring all routing instances (BGP, OSPF, ...) down and up for a short period of time, which depends on each routing protocol's convergence time.
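To check the intended behaviour before touching a live router, the following Python model replays the FGT1 and FGT2 route-maps above over the article's prefixes and returns what each neighbor ends up receiving. It is an added example, not FortiOS code and not part of the original article. Its assumptions are labelled in the code: a route-map rule with no explicit action permits, a prefix that matches no rule is dropped (implicit deny), 'exact-match disable' lets an access-list entry match the listed prefix and anything more specific inside it, and 'set-community' replaces the community attribute rather than adding to it. Under the implicit-deny assumption the two untagged FGT1 prefixes (10.160.0.0/23 and 172.31.224.0/23) never reach FGT2 through "community_set", which is consistent with the two prefixes received from 172.31.224.136 in the FGT2 BGP summary of the Verification section; untagged routes FGT2 learns from FGT3 are likewise not sent on to FGT4, and vice versa.

```python
"""Offline model of the community-based filtering configured above.

Added example, not FortiOS code: it replays the FGT1 outbound route-map and
the two FGT2 outbound route-maps over the article's prefixes and returns what
each neighbour receives. Modelling assumptions (not taken from the article):
a rule with no explicit action permits; a prefix matching no rule is dropped
(implicit deny); 'exact-match disable' matches the listed prefix and anything
more specific; 'set-community' replaces the community attribute.
"""
from ipaddress import ip_network

# FGT1: access-lists and the outbound route-map towards FGT2
FGT1_ACCESS_LISTS = {                     # name -> [(prefix, exact-match)]
    "net10": [(ip_network("10.10.10.0/24"), False)],
    "net20": [(ip_network("20.20.20.0/24"), False)],
}
FGT1_ROUTE_MAPS = {
    "community_set": [
        {"match-ip-address": "net10", "set-community": frozenset({"65110:1"})},
        {"match-ip-address": "net20", "set-community": frozenset({"65110:2"})},
    ],
}

# FGT2: community-lists and one outbound route-map per downstream neighbour
FGT2_COMMUNITY_LISTS = {                  # name -> [(action, community)]
    "community1": [("permit", "65110:1")],
    "community2": [("permit", "65110:2")],
}
FGT2_ROUTE_MAPS = {
    "route_map_out_fgt3": [{"match-community": "community1"}],
    "route_map_out_fgt4": [{"match-community": "community2"}],
}
FGT2_NEIGHBORS = {                        # neighbour -> route-map-out
    "192.168.182.78": "route_map_out_fgt3",   # FGT3, AS 65078
    "192.168.182.66": "route_map_out_fgt4",   # FGT4, AS 65066
}


def acl_matches(entries, prefix):
    """True if the prefix hits any (prefix, exact-match) entry of an access-list."""
    return any(prefix == entry or (not exact and prefix.subnet_of(entry))
               for entry, exact in entries)


def community_list_matches(entries, communities):
    """First entry whose community is present decides; no hit means no match."""
    for action, value in entries:
        if value in communities:
            return action == "permit"
    return False


def apply_route_map(rules, prefix, communities, access_lists, community_lists):
    """Return the communities the prefix is sent with, or None if it is denied."""
    for rule in rules:
        acl = rule.get("match-ip-address")
        if acl is not None and not acl_matches(access_lists[acl], prefix):
            continue
        clist = rule.get("match-community")
        if clist is not None and not community_list_matches(
                community_lists[clist], communities):
            continue
        if rule.get("action", "permit") == "deny":
            return None
        return rule.get("set-community", communities)  # set replaces (assumption)
    return None  # implicit deny: the prefix matched no rule


def advertise(routes, route_map, access_lists, community_lists, route_maps):
    """routes: {prefix str: frozenset(communities)}; returns what the peer gets."""
    out = {}
    for pfx, comms in routes.items():
        result = apply_route_map(route_maps[route_map], ip_network(pfx), comms,
                                 access_lists, community_lists)
        if result is not None:
            out[pfx] = result
    return out


def simulate():
    """Walk the article's topology FGT1 -> FGT2 -> {FGT3, FGT4}."""
    fgt1_local = {p: frozenset() for p in ("10.10.10.0/24", "20.20.20.0/24",
                                           "10.160.0.0/23", "172.31.224.0/23")}
    to_fgt2 = advertise(fgt1_local, "community_set",
                        FGT1_ACCESS_LISTS, {}, FGT1_ROUTE_MAPS)
    # FGT2's BGP table: what FGT1 sent plus the untagged routes from FGT3 and FGT4
    fgt2_table = dict(to_fgt2)
    fgt2_table.update({p: frozenset() for p in ("10.158.0.0/23", "192.168.182.0/23",
                                                "10.161.0.0/23", "10.162.0.0/23")})
    per_neighbor = {nbr: advertise(fgt2_table, rm, {},
                                   FGT2_COMMUNITY_LISTS, FGT2_ROUTE_MAPS)
                    for nbr, rm in FGT2_NEIGHBORS.items()}
    return to_fgt2, per_neighbor


if __name__ == "__main__":
    received, per_neighbor = simulate()
    print("FGT1 -> FGT2:", {p: sorted(c) for p, c in received.items()})
    for nbr, routes in per_neighbor.items():
        print(f"FGT2 -> {nbr}:", sorted(routes))
```

Running the script prints the two tagged prefixes FGT2 receives from FGT1 and then, per FGT2 neighbor, the single prefix whose community is permitted by that neighbor's route-map. If FGT1 is also meant to deliver its untagged prefixes, a final permit-all rule (no match clause) would have to be appended to "community_set"; the model makes that gap visible without a restart of the routing daemons.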



Verification

Verification steps on FGT1 to FGT4.

FGT3 and FGT4 should each receive only one BGP route.


FGT1 # get router info bgp route-map community_set

BGP table version is 3, local router ID is 172.31.224.136
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.10.10.0/24    0.0.0.0                            32768 ?
*> 20.20.20.0/24    0.0.0.0                            32768 ?

Total number of prefixes 2





FGT1 # get router info routing-table all

Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 172.31.225.254, port1
C       10.10.10.0/24 is directly connected, port4
B       10.158.0.0/23 [20/0] via 172.31.224.110, port1, 00:39:41
C       10.160.0.0/23 is directly connected, port2
B       10.161.0.0/23 [20/0] via 172.31.224.110, port1, 00:39:41
B       10.162.0.0/23 [20/0] via 172.31.224.110, port1, 00:39:41
C       20.20.20.0/24 is directly connected, port4
C       172.31.224.0/23 is directly connected, port1
B       192.168.182.0/23 [20/0] via 172.31.224.110, port1, 00:39:41





FGT2 # get router info bgp summary

BGP router identifier 172.31.224.110, local AS number 65110
BGP table version is 3
3 BGP AS-PATH entries
2 BGP community entries

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
172.31.224.136  4 65136      50      49        2    0    0 00:40:30        2
192.168.182.66  4 65066      49      49        2    0    0 00:40:25        3
192.168.182.78  4 65078      49      49        1    0    0 00:40:30        2

Total number of neighbors 3




FGT2 # get router info bgp community-info

Address Refcnt Community
[0x404237b8] (2) 65110:1
[0x40423788] (2) 65110:2




FGT2 # get router info bgp community 65110:1

BGP table version is 3, local router ID is 172.31.224.110
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.10.10.0/24    172.31.224.136           0             0 65136 ?

Total number of prefixes 1





FGT2 # get router info bgp community 65110:2

BGP table version is 3, local router ID is 172.31.224.110
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 20.20.20.0/24    172.31.224.136           0             0 65136 ?

Total number of prefixes 1





FGT2 # get router info bgp community-list community1

BGP table version is 3, local router ID is 172.31.224.110
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.10.10.0/24    172.31.224.136           0             0 65136 ?

Total number of prefixes 1





FGT2 # get router info bgp community-list community2

BGP table version is 3, local router ID is 172.31.224.110
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 20.20.20.0/24    172.31.224.136           0             0 65136 ?

Total number of prefixes 1





FGT2 # get router info bgp route-map route_map_out_fgt3

BGP table version is 3, local router ID is 172.31.224.110
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.10.10.0/24    172.31.224.136           0             0 65136 ?

Total number of prefixes 1





FGT2 # get router info bgp route-map route_map_out_fgt4

BGP table version is 3, local router ID is 172.31.224.110
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 20.20.20.0/24    172.31.224.136           0             0 65136 ?

Total number of prefixes 1





FGT2 # get router info routing-table all

Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 172.31.225.254, port1
B       10.10.10.0/24 [20/0] via 172.31.224.136, port1, 00:43:26
B       10.158.0.0/23 [20/0] via 192.168.182.78, port2, 00:43:26
B       10.161.0.0/23 [20/0] via 192.168.182.66, port2, 00:43:21
B       10.162.0.0/23 [20/0] via 192.168.182.66, port2, 00:43:21
B       20.20.20.0/24 [20/0] via 172.31.224.136, port1, 00:43:26
C       172.31.224.0/23 is directly connected, port1
C       192.168.182.0/23 is directly connected, port2




FGT3 # get router info routing-table all

codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 192.168.183.254, wan1
B       10.10.10.0/24 [20/0] via 192.168.182.110, wan1, 00:43:37
C       10.158.0.0/23 is directly connected, internal
C       192.168.182.0/23 is directly connected, wan1




FGT3 # get router info bgp community-info

Address Refcnt Community
[0x404247ac] (1) 65110:1




FGT3 # get router info bgp community 65110:1

BGP table version is 28, local router ID is 192.168.182.78
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.10.10.0/24    192.168.182.110          0             0 65110 65136 ?

Total number of prefixes 1




FGT4 # get router info  routing-table all

Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 192.168.183.254, wan1
C       10.161.0.0/23 is directly connected, wan1
C       10.162.0.0/23 is directly connected, wan1
B       20.20.20.0/24 [20/0] via 192.168.182.110, wan1, 16:07:46
C       192.168.182.0/23 is directly connected, wan1



FGT4 # get router info bgp community-info

Address Refcnt Community
[0x8c601a0] (1) 65110:2




FGT4 (root) # get router info bgp community 65110:2

BGP table version is 7, local router ID is 192.168.182.66
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 20.20.20.0/24    192.168.182.110          0             0 65110 65136 ?

Total number of prefixes 1







