FortiGate
acvaldez (Staff)
Article Id 191035
Purpose
This article describes how to configure an access-list on a route-map that would deny specific routes on BGP.
Diagram


Expectations, Requirements
This example shows how to create an inbound route-map (route-map-in) on FortiGate2 with an access-list rule that denies the 10.10.30.0/24 prefix advertised by FortiGate1.

Configuration
FortiGate1 BGP GUI configuration:

FortiGate2 BGP GUI configuration:



FortiGate2 CLI configuration to deny the 10.10.30.0/24 network and allow any other network:

Access-list:

# show

# config router access-list
    edit "BLOCK_10.10.30.0/24"
        config rule
            edit 1
                set prefix 10.10.30.0 255.255.255.0
                set exact-match enable
            next
        end
    next
    edit "ALLOW_OTHER"
        config rule
            edit 1
                set prefix any
                set exact-match enable
            next
        end
    next
end
Route-map:
# config router route-map
    show

    # config router route-map
        edit "BLOCK_10.10.30.0/24"
            config rule
                edit 1
                    set action deny
                    set match-ip-address "BLOCK_10.10.30.0/24"
                next
                edit 2
                    set match-ip-address "ALLOW_OTHER"
                next
            end
        next
    end
Then assign that route-map to the route-map-in of the FortiGate2 neighbor configuration:
# config router bgp
    config neighbor
        edit "192.168.175.230"
            set route-map-in "BLOCK_10.10.30.0/24"
        next
    end
    show

    # config router bgp
        set as 20
        set router-id 192.168.175.231
        config neighbor
            edit "192.168.175.230"
                set remote-as 10
                set route-map-in "BLOCK_10.10.30.0/24"
            next
        end
        config redistribute "connected"
        end
        config redistribute "rip"
        end
        config redistribute "ospf"
        end
        config redistribute "static"
        end
        config redistribute "isis"
        end
        config redistribute "connected"
        end
        config redistribute "rip"
        end
        config redistribute "ospf"
        end
        config redistribute "static"
        end
        config redistribute "isis"
        end
    end
Clear the BGP peering with one of these commands so that the route-map and its access-list take effect:
# exec router clear bgp as 10        (10 is the AS configured on FortiGate1)
or
# exec router clear bgp all
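To reason about what the access-list and route-map above accept and reject before clearing a production peering, here is an added Python model of the filter (example code written for this article, not FortiOS code). It assumes FortiOS semantics for access-lists: a rule with exact-match enabled matches only the identical prefix, a rule with exact-match disabled also matches any more-specific prefix inside it, "any" matches every prefix, the first matching route-map rule decides, and a prefix matching no rule is denied. It also goes beyond the article's case by showing that, with exact-match enabled, a more-specific prefix such as 10.10.30.0/25 is not caught by the deny rule.

```python
from ipaddress import ip_network

def build_policy(block_exact_match=True):
    """Access-lists and route-map as configured in the article. The flag mirrors
    'set exact-match' on the BLOCK_10.10.30.0/24 access-list rule."""
    access_lists = {
        "BLOCK_10.10.30.0/24": [{"prefix": "10.10.30.0/24", "exact_match": block_exact_match}],
        "ALLOW_OTHER": [{"prefix": "any", "exact_match": True}],
    }
    route_map = [  # rule 2 has no explicit action in the article; FortiOS defaults to permit
        {"action": "deny", "match_ip_address": "BLOCK_10.10.30.0/24"},
        {"action": "permit", "match_ip_address": "ALLOW_OTHER"},
    ]
    return access_lists, route_map

def rule_matches(rule, prefix):
    """Assumed access-list semantics: 'any' matches everything; exact-match on
    matches only the identical prefix; exact-match off also matches any
    more-specific prefix inside the configured one."""
    if rule["prefix"] == "any":
        return True
    configured = ip_network(rule["prefix"])
    return prefix == configured if rule["exact_match"] else prefix.subnet_of(configured)

def access_list_permits(rules, prefix):
    # Both access-list rules in the article use the default action (permit);
    # a prefix matching no rule hits the implicit deny at the end of the list.
    return any(rule_matches(rule, prefix) for rule in rules)

def route_map_action(prefix_str, block_exact_match=True):
    """Return 'permit' or 'deny' for one prefix received from the neighbor."""
    access_lists, route_map = build_policy(block_exact_match)
    prefix = ip_network(prefix_str)
    for rule in route_map:  # first rule whose access-list matches decides
        if access_list_permits(access_lists[rule["match_ip_address"]], prefix):
            return rule["action"]
    return "deny"  # no rule matched: implicit deny

def filter_update(prefixes, block_exact_match=True):
    """Split advertised prefixes into (accepted, denied) lists, preserving order."""
    verdicts = [(p, route_map_action(p, block_exact_match)) for p in prefixes]
    return [p for p, v in verdicts if v == "permit"], [p for p, v in verdicts if v == "deny"]

if __name__ == "__main__":
    advertised = ["10.10.10.0/24", "10.10.30.0/24", "10.10.20.0/24", "10.10.30.0/25"]
    print(filter_update(advertised))         # 10.10.30.0/25 slips past the exact-match deny
    print(filter_update(advertised, False))  # with exact-match disabled the /25 is denied too
```

If the intent is to block the whole 10.10.30.0/24 range including sub-prefixes, disable exact-match on the BLOCK rule; the model's second run shows the difference.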

Troubleshooting
To confirm that the prefix is being blocked, run these commands:
# diag ip router bgp all en
# diag ip router bgp level info
# diag debug en
Note: to stop the debugging of the BGP, run these commands:
# diag debug disable
# diag ip router bgp all disable
# diag ip router bgp level none
Here is the sample result:
BGP: [NETWORK] Accept Thread: Incoming conn from host 192.168.175.230 (FD=24)
BGP: 192.168.175.230-Outgoing [FSM] State: Idle Event: 14

BGP: 192.168.175.230-Outgoing [FSM] State: Idle Event: 3
BGP: 192.168.175.230-Outgoing [NETWORK] FD=24, Sock Status: 0-Success
BGP: 192.168.175.230-Outgoing [FSM] State: Connect Event: 17
BGP: 192.168.175.230-Outgoing [ENCODE] Msg-Hdr: Type 1
BGP: 192.168.175.230-Outgoing [ENCODE] Open: Ver 4 MyAS 20 Holdtime 180
BGP: 192.168.175.230-Outgoing [ENCODE] Open: Msg-Size 61
BGP: 192.168.175.230-Outgoing [DECODE] Msg-Hdr: type 1, length 61
BGP: 192.168.175.230-Outgoing [DECODE] Open: Optional param len 32
BGP: 192.168.175.230-Outgoing [DECODE] Open Opt: Option Type 2, Option Len 6
BGP: 192.168.175.230-Outgoing [DECODE] Open Cap: Cap Code 1, Cap Len 4
BGP: 192.168.175.230-Outgoing [DECODE] Open Opt: Option Type 2, Option Len 6
BGP: 192.168.175.230-Outgoing [DECODE] Open Cap: Cap Code 1, Cap Len 4
BGP: 192.168.175.230-Outgoing [DECODE] Open Opt: Option Type 2, Option Len 2
BGP: 192.168.175.230-Outgoing [DECODE] Open Cap: Cap Code 128, Cap Len 0
BGP: 192.168.175.230-Outgoing [DECODE] Open Cap: RR Cap(old) for all address-families
BGP: 192.168.175.230-Outgoing [DECODE] Open Opt: Option Type 2, Option Len 2
BGP: 192.168.175.230-Outgoing [DECODE] Open Cap: Cap Code 2, Cap Len 0
BGP: 192.168.175.230-Outgoing [DECODE] Open Cap: RR Cap(new) for all address-families
BGP: 192.168.175.230-Outgoing [DECODE] Open Opt: Option Type 2, Option Len 6
BGP: 192.168.175.230-Outgoing [DECODE] Open Cap: Cap Code 65, Cap Len 4
BGP: 192.168.175.230-Outgoing [FSM] State: OpenSent Event: 19
BGP: 192.168.175.230-Outgoing [ENCODE] Msg-Hdr: Type 4
BGP: 192.168.175.230-Outgoing [ENCODE] Keepalive: 28 KAlive msg(s) sent
BGP: bgp_keepalive_proc: notif_rcv 4-4
BGP: 192.168.175.230-Outgoing [DECODE] Msg-Hdr: type 4, length 19
BGP: 192.168.175.230-Outgoing [DECODE] KAlive: Received!
BGP: 192.168.175.230-Outgoing [FSM] State: OpenConfirm Event: 26
id=20300 logdesc="BGP neighbor status changed" msg="BGP: %BGP-5-ADJCHANGE: neighbor 192.168.175.230 Up "
BGP: 192.168.175.230-Outgoing [DECODE] Msg-Hdr: type 2, length 55
BGP: 192.168.175.230-Outgoing [DECODE] Update: Starting UPDATE decoding... Bytes To Read (36), msg_size (36)
BGP: 192.168.175.230-Outgoing [DECODE] Update: NLRI Len(12)
BGP: 192.168.175.230-Outgoing [FSM] State: Established Event: 27
BGP: 192.168.175.230-Outgoing [RIB] Update: Received Prefix 10.10.10.0/24
BGP: 192.168.175.230-Outgoing [RIB] Update: Prefix 10.10.30.0/24 denied due to route-map
BGP: 192.168.175.230-Outgoing [RIB] Update: Received Prefix 10.10.20.0/24
BGP: 192.168.175.230-Outgoing [FSM] State: Established Event: 34
BGP: [RIB] Scanning BGP Network Routes...
To make sure that the route 10.10.30.0/24 is not installed on the routing table of FortiGate2, run this command:
# get router info routing-table all
Here is the result of this lab:
# get router info routing-table all

Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

B       10.10.10.0/24 [20/0] via 192.168.175.230, port1, 00:01:19
B       10.10.20.0/24 [20/0] via 192.168.175.230, port1, 00:01:19
C       192.168.175.0/24 is directly connected, port1
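As an added check that is not part of the article, the following Python (helper names are assumed) parses the two outputs above and cross-checks them: a prefix the debug log reports as "denied due to route-map" must not appear as a B route in the routing table, and each "Received Prefix" should. The sample lines are constructed from the article's lab output.

```python
import re

# Constructed sample lines, trimmed from the two outputs shown in this article.
BGP_DEBUG = """\
BGP: 192.168.175.230-Outgoing [RIB] Update: Received Prefix 10.10.10.0/24
BGP: 192.168.175.230-Outgoing [RIB] Update: Prefix 10.10.30.0/24 denied due to route-map
BGP: 192.168.175.230-Outgoing [RIB] Update: Received Prefix 10.10.20.0/24
"""
ROUTING_TABLE = """\
B       10.10.10.0/24 [20/0] via 192.168.175.230, port1, 00:01:19
B       10.10.20.0/24 [20/0] via 192.168.175.230, port1, 00:01:19
C       192.168.175.0/24 is directly connected, port1
"""

RECEIVED = re.compile(r"\[RIB\] Update: Received Prefix (\S+)")
DENIED = re.compile(r"\[RIB\] Update: Prefix (\S+) denied due to route-map")
BGP_ROUTE = re.compile(r"^B\s+(\S+)\s+\[\d+/\d+\] via (\S+),", re.M)

def parse_debug(text):
    """Return (received, denied) prefix sets from 'diag ip router bgp' output."""
    return set(RECEIVED.findall(text)), set(DENIED.findall(text))

def parse_bgp_routes(text):
    """Map each BGP prefix in 'get router info routing-table all' to its next hop."""
    return dict(BGP_ROUTE.findall(text))

def check_filter(debug_text, table_text):
    """Cross-check the debug log against the routing table.
    Returns (leaked, missing): prefixes the route-map denied but which are
    installed anyway, and accepted prefixes absent from the table."""
    received, denied = parse_debug(debug_text)
    installed = parse_bgp_routes(table_text)
    leaked = sorted(p for p in denied if p in installed)
    missing = sorted(p for p in received if p not in installed)
    return leaked, missing

if __name__ == "__main__":
    print(check_filter(BGP_DEBUG, ROUTING_TABLE))  # ([], []) means the filter is effective
```

An accepted prefix that is missing from the table is not necessarily a filter problem: a route to the same prefix from another source with a lower administrative distance may have been preferred.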
