FortiGate
sagha
Staff
Article Id 195132
Description
This article describes how to use 'set match-interface' under 'config router route-map' to allow or deny the advertisements of routes via BGP.

Solution
Below is the basic BGP configuration:
# config router bgp
    set as 64540
    set router-id 10.120.0.2
# config neighbor
    edit "10.120.0.1"
        set remote-as 64540
    next
end
# config redistribute "connected"
    set status enable
end
end
BGP Routing table:
FGT_test # get router info bgp network
BGP table version is 1, local router ID is 10.120.0.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network          Next Hop            Metric LocPrf Weight RouteTag Path
*> 10.0.0.0/20      0.0.0.0                            32768        0 ? <-/1>
*> 10.1.10.0/24     0.0.0.0                            32768        0 ? <-/1>
*> 10.5.16.0/20     0.0.0.0                            32768        0 ? <-/1>

Total number of prefixes 3
In the above output, we can see that 10.1.10.0/24 is present in the BGP table.

This network is configured on the following interface:
# config system interface
    edit "loopback1"
        set vdom "root"
        set ip 10.1.10.1 255.255.255.0
        set allowaccess ping
        set type loopback
        set snmp-index 7
    next
end
The following configuration blocks the loopback1 network from being advertised to the BGP peer.

1) Create a prefix list that allows everything.
# config router prefix-list
    edit "all_prefixes"
        # config rule
            edit 1
                set prefix any
                unset ge
                unset le
            next
        end
    next
end
2) Create a route map whose first entry denies routes from a specific interface and whose second entry permits all other prefixes.
# config router route-map
    edit "Filter_route"
        # config rule
            edit 1
                set action deny
                set match-interface "loopback1"
            next
            edit 2
                set match-ip-address "all_prefixes"
            next
        end
    next
end
3) Apply the route map to redistribute connected.
# config router bgp
    set as 64540
    set router-id 10.120.0.2
# config neighbor
    edit "10.120.0.1"
        set remote-as 64540
    next
end
# config redistribute "connected"
    set status enable
    set route-map "Filter_route"
end
end
4) Afterward, the IP subnet of that interface no longer appears in the BGP routing table.
FGT_test # get router info bgp network
BGP table version is 1, local router ID is 10.120.0.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network          Next Hop            Metric LocPrf Weight RouteTag Path
*> 10.0.0.0/20      0.0.0.0                            32768        0 ? <-/1>
*> 10.5.16.0/20     0.0.0.0                            32768        0 ? <-/1>
5) The same approach can be used where only a single connected route, rather than all connected routes, should be advertised to the BGP peer.

For that, only the route map changes; the rest of the configuration stays the same:
# config router route-map
    edit "Filter_route"
        # config rule
            edit 1
                set action permit
                set match-interface "loopback1"
            next
            edit 2
                set action deny
                set match-ip-address "all_prefixes"
            next
        end
    next
end
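As an added illustration (not code from the article or from Fortinet), the following Python models how a route map is evaluated against the three connected routes shown in the output above: rules are tried in order, the first rule whose match clauses all succeed decides, and a route matching no rule is dropped by the implicit deny at the end of the route map. The interface names port1 and port2 and the dictionary layout are assumptions; only loopback1 is named on the page. It covers both the step 2 route map (block loopback1) and the step 5 route map (advertise loopback1 only).

```python
import ipaddress

# Constructed sample data: the three connected routes from the article's
# "get router info bgp network" output and the interfaces they are assumed to
# sit on (only loopback1 is named on the page; port1/port2 are placeholders).
CONNECTED_ROUTES = {
    "10.0.0.0/20": "port1",       # assumed interface name
    "10.1.10.0/24": "loopback1",  # from the article
    "10.5.16.0/20": "port2",      # assumed interface name
}

# Prefix list "all_prefixes" from step 1: one rule matching any prefix.
PREFIX_LISTS = {"all_prefixes": [{"prefix": "any"}]}

def prefix_list_matches(name, prefix):
    """True if any rule of the named prefix list matches the prefix (ge/le not modelled)."""
    net = ipaddress.ip_network(prefix)
    for rule in PREFIX_LISTS[name]:
        if rule["prefix"] == "any" or net.subnet_of(ipaddress.ip_network(rule["prefix"])):
            return True
    return False

def route_map_permits(rules, prefix, interface):
    """Evaluate rules in order: the first rule whose match clauses all succeed
    decides (a rule with no match clauses matches everything). If no rule
    matches, the route is denied (implicit deny at the end of the route map)."""
    for rule in rules:
        if "match-interface" in rule and rule["match-interface"] != interface:
            continue
        if "match-ip-address" in rule and not prefix_list_matches(rule["match-ip-address"], prefix):
            continue
        return rule.get("action", "permit") == "permit"
    return False

def redistributed(rules):
    """Prefixes from CONNECTED_ROUTES that the route map lets into BGP, sorted."""
    return sorted(p for p, ifc in CONNECTED_ROUTES.items() if route_map_permits(rules, p, ifc))

# Step 2: deny loopback1, permit everything else (action defaults to permit).
BLOCK_LOOPBACK1 = [
    {"action": "deny", "match-interface": "loopback1"},
    {"match-ip-address": "all_prefixes"},
]
# Step 5: permit loopback1 only, deny everything else.
ONLY_LOOPBACK1 = [
    {"action": "permit", "match-interface": "loopback1"},
    {"action": "deny", "match-ip-address": "all_prefixes"},
]
```

The implicit deny is why rule 2 of the step 2 route map is required: with only the deny rule for loopback1, no connected route at all would be redistributed.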
Related articles:
https://docs.fortinet.com/document/fortigate/6.2.6/cli-reference/528620/router-route-map
https://docs.fortinet.com/document/fortigate/6.4.3/cli-reference/548620/router-route-map