FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
akileshc
Staff
Article Id 196092
Description
This article explains how to restrict route advertisement to the immediate EBGP neighbour only, so that the route is not advertised any further, by using the 'no-export' community string.

Solution
- The no-export BGP community is defined in RFC 1997: 'All routes received carrying a [BGP] communities attribute containing 'no-export' value MUST NOT be advertised outside a BGP confederation boundary' (i.e. outside our own AS, or across regular EBGP sessions).

- Each entry in the community list defines a rule for matching and selecting routes based on the setting of the COMMUNITY attribute. The default rule in a community list (which the FortiGate applies last) denies the matching of all routes.


- The COMMUNITIES path attribute may be used with BGP version 2 and all subsequent versions of BGP unless specifically noted otherwise.

- In the illustration below, 'FGT1' advertises the subnet '172.168.10.0/24' with the community attribute set to 'no-export'. The route is advertised only to the immediate neighbour, 'FGT2', and the matched route is not advertised further to EBGP peers, i.e. towards 'FGT3'.

Diagram: FGT1 (AS 65001) peers with FGT2 (AS 65002), which peers with FGT3 (AS 65003).

From the CLI.

FGT1.

# config router route-map
    edit "community-test"
        # config rule
            edit 1
                set set-community "no-export"
            next
        end
    next
end

# config router bgp
    set as 65001
    set router-id 1.1.1.1
    # config neighbor
        edit "172.31.133.109"
            set soft-reconfiguration enable
            set remote-as 65002
            set route-map-out "community-test"
        next
    end
    # config network
        edit 2
            set prefix 172.168.10.0 255.255.255.0
        next
    end
end
Verification.

'FGT1'.
# get router info bgp summary
BGP router identifier 1.1.1.1, local AS number 65001
BGP table version is 10
1 BGP AS-PATH entries
1 BGP community entries
Neighbor        V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
172.31.133.109  4      65002    5815    5963        9    0    0 00:03:12        0
Total number of neighbors 1

# get router info bgp neighbors 172.31.133.109 advertised-routes

BGP table version is 7, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight RouteTag Path
*> 172.168.10.0/24  172.31.133.31                 100  32768        0 i <-/->

Total number of prefixes 1
'FGT2'.
# get router info bgp summary
VRF 0 BGP router identifier 2.2.2.2, local AS number 65002
BGP table version is 3
1 BGP AS-PATH entries
0 BGP community entries

Neighbor        V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
172.31.133.31   4      65001    5571    5582        0    0    0 00:04:01        1
172.31.135.173  4      65003    5555    5584        2    0    0 00:04:02        0

Total number of neighbors 2

# get router info bgp neighbors 172.31.133.31 received-routes
VRF 0 BGP table version is 1, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight RouteTag Path
*> 172.168.10.0/24  172.31.133.31                          0        0 65001 i <-/->

Total number of prefixes 1
'FGT3'.
# get router info bgp summary
BGP router identifier 3.3.3.3, local AS number 65003
BGP table version is 1
1 BGP AS-PATH entries
0 BGP community entries

Neighbor        V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
172.31.133.109  4      65002    5646    5626        0    0    0 00:06:13        1

Total number of neighbors 1
When the community attribute is set on 'FGT1', no routes are received from 'FGT2' (the command returns no prefixes).
# get router info bgp neighbors 172.31.133.109 received-routes
When the community attribute is not set on 'FGT1', the route is received via 'FGT2' with AS path 65002 65001.
# get router info bgp neighbors 172.31.133.109 received-routes
BGP table version is 1, local router ID is 3.3.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight RouteTag Path
*> 172.168.10.0/24  172.31.133.31                          0        0 65002 65001 i

Total number of prefixes 1
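As an added example that is not part of this article (a Python model, not FortiOS code): the RFC 1997 rule behind the outputs above, run over the FGT1/FGT2/FGT3 topology with and without the 'no-export' route-map. The extra IBGP peer FGT4 in AS 65002 is an assumption added here to show that the route still propagates inside the AS.

```python
from dataclasses import dataclass, field

NO_EXPORT = 0xFFFFFF01  # well-known community value defined in RFC 1997

@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple          # AS_PATH as received, nearest AS first
    communities: frozenset  # COMMUNITIES attribute values

@dataclass
class Router:
    name: str
    asn: int
    rib: dict = field(default_factory=dict)            # prefix -> Route
    route_map_out: dict = field(default_factory=dict)  # peer name -> communities to set

    def advertise(self, peer):
        """Routes sent to `peer`. RFC 1997: a route carrying NO_EXPORT is never
        re-advertised across an EBGP session, but still goes to IBGP peers."""
        ebgp = peer.asn != self.asn
        sent = []
        for r in self.rib.values():
            if ebgp and NO_EXPORT in r.communities:
                continue  # this is what stops FGT2 from sending the route to FGT3
            comms = r.communities | self.route_map_out.get(peer.name, frozenset())
            path = (self.asn,) + r.as_path if ebgp else r.as_path
            sent.append(Route(r.prefix, path, comms))
        return sent

def session(sender, receiver):
    """One-way UPDATE exchange: install sender's advertisements in receiver's RIB."""
    for r in sender.advertise(receiver):
        if receiver.asn in r.as_path:  # standard EBGP loop prevention
            continue
        receiver.rib[r.prefix] = r

def run_topology(set_no_export=True):
    """FGT1 (AS65001) -> FGT2 (AS65002) -> FGT3 (AS65003), plus a hypothetical IBGP
    peer FGT4 in AS65002. Returns {router name: {prefix: as_path}}."""
    fgt1, fgt2 = Router("FGT1", 65001), Router("FGT2", 65002)
    fgt3, fgt4 = Router("FGT3", 65003), Router("FGT4", 65002)
    fgt1.rib["172.168.10.0/24"] = Route("172.168.10.0/24", (), frozenset())  # config network
    if set_no_export:  # models route-map 'community-test' applied as route-map-out
        fgt1.route_map_out["FGT2"] = frozenset({NO_EXPORT})
    for sender, receiver in ((fgt1, fgt2), (fgt2, fgt3), (fgt2, fgt4)):
        session(sender, receiver)
    return {r.name: {p: rt.as_path for p, rt in r.rib.items()}
            for r in (fgt1, fgt2, fgt3, fgt4)}
```

With the route-map applied, FGT3's table stays empty while FGT2 and the IBGP peer FGT4 hold the prefix; without it, FGT3 learns the prefix with AS path 65002 65001, matching the received-routes output above.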