ppatel
Staff
Article Id 194408
Description
This article describes how to change attributes of the default route (0.0.0.0/0) before it is sent to a neighbor, in the scenario where that route is advertised with the command 'set capability-default-originate enable'.
Most of the time, the change is an as-path prepend.

For a route advertised this way, the standard route-map that is used for all advertised prefixes will not work.

Setup.

FGT1 < eBGP > FGT2

FGT2 is sending prefixes to FGT1, including the default route.
It is now possible to prepend the as-path on all routes leaving FGT2.


Solution
FGT2 (root) # show router bgp

config router bgp
    set as 65000
    set router-id 2.2.2.2
    config neighbor
        edit "10.109.16.85"
            set capability-default-originate enable
            set soft-reconfiguration enable
            set remote-as 65001
            set route-map-out "prepend_all"
        next
    end
    config network
        edit 1
            set prefix 2.2.2.2 255.255.255.255
        next
    end
end

FGT2 (root) # show router route-map

config router route-map
    edit "prepend_default_route"
        config rule
            edit 1
                set match-ip-address "default_route_only"
                set set-aspath "65000 65000"
            next
        end
    next
    edit "prepend_all"
        config rule
            edit 1
                set match-ip-address "any_prefix"
                set set-aspath "65000 65000 65000 65000"
            next
        end
    next
end

FGT2 (root) # show router prefix-list

config router prefix-list
    edit "any_prefix"
        config rule
            edit 1
                set prefix any
                unset ge
                unset le
            next
        end
    next
end

Status on FGT1:

FGT1 # get router info bgp neighbors 10.109.16.62 received-routes

   Network          Next Hop            Metric LocPrf Weight RouteTag Path
*> 0.0.0.0/0        10.109.16.62                           0        0 65000 i <-/->
*> 2.2.2.2/32       10.109.16.62                           0        0 65000 65000 65000 65000 65000 i <-/->

Total number of prefixes 2

Subnet 2.2.2.2 is received with the correct as-path, but the default route is not.
The solution is to use the option 'default-originate-routemap', which appears in the CLI only if capability-default-originate is enabled.

FGT2 (root) # show router prefix-list

config router prefix-list
    edit "default_route_only"
        config rule
            edit 1
                set prefix 0.0.0.0 0.0.0.0
                unset ge
                unset le
            next
        end
    next
end

FGT2 (root) # show router route-map

config router route-map
    edit "prepend_default_route"
        config rule
            edit 1
                set match-ip-address "default_route_only"
                set set-aspath "65000 65000"
            next
        end
    next
end

FGT2 (root) # show router bgp

config router bgp
    set as 65000
    set router-id 2.2.2.2
    config neighbor
        edit "10.109.16.85"
            set capability-default-originate enable
            set soft-reconfiguration enable
            set default-originate-routemap "prepend_default_route" <-----
            set remote-as 65001
            set route-map-out "prepend_all"
        next
    end
end

Status on FGT1 now:

FGT1 # get router info bgp neighbors 10.109.16.62 received-routes

   Network          Next Hop            Metric LocPrf Weight RouteTag Path
*> 0.0.0.0/0        10.109.16.62                           0        0 65000 65000 65000 i <-/->
*> 2.2.2.2/32       10.109.16.62                           0        0 65000 65000 65000 65000 65000 i <-/->

Total number of prefixes 2
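
A check that can be run against the neighbor's output, added here as an example (it is not part of the original article and is not Fortinet code): it parses the 'received-routes' listings shown above and reports every prefix whose prepend count differs from what the route-maps should produce. The function names and the EXPECTED table are assumptions; the parser also assumes that the path begins with the peer AS and that the Weight and RouteTag columns never equal it.

```python
import re

# Rows copied from the two 'received-routes' listings in the article.
BEFORE = """\
   Network          Next Hop            Metric LocPrf Weight RouteTag Path
*> 0.0.0.0/0        10.109.16.62                           0        0 65000 i <-/->
*> 2.2.2.2/32       10.109.16.62                           0        0 65000 65000 65000 65000 65000 i <-/->
"""
AFTER = """\
   Network          Next Hop            Metric LocPrf Weight RouteTag Path
*> 0.0.0.0/0        10.109.16.62                           0        0 65000 65000 65000 i <-/->
*> 2.2.2.2/32       10.109.16.62                           0        0 65000 65000 65000 65000 65000 i <-/->
"""
# Prepends expected per prefix, taken from the two set-aspath values.
EXPECTED = {"0.0.0.0/0": 2, "2.2.2.2/32": 4}

# status codes, prefix/len, next hop, then the remaining columns
ROW = re.compile(r"^\S+\s+(\d+\.\d+\.\d+\.\d+/\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(.*)$")

def received_paths(output, peer_as):
    """Map prefix -> AS path (list of ints) for each route row in the output."""
    paths = {}
    for line in output.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, blank and summary lines
        tokens = m.group(3).split()
        if str(peer_as) not in tokens:
            continue
        # Assumption: the first token equal to the peer AS starts the Path column.
        path = []
        for tok in tokens[tokens.index(str(peer_as)):]:
            if not tok.isdigit():
                break  # origin code (i, e, ?) ends the path
            path.append(int(tok))
        paths[m.group(1)] = path
    return paths

def prepend_count(path, peer_as):
    """Copies of peer_as at the head of the path beyond the one eBGP always adds."""
    n = 0
    while n < len(path) and path[n] == peer_as:
        n += 1
    return max(n - 1, 0)

def wrong_prepends(output, peer_as, expected):
    """Return {prefix: (seen, wanted)}; seen is None when the prefix is absent."""
    paths = received_paths(output, peer_as)
    bad = {}
    for prefix, wanted in expected.items():
        seen = prepend_count(paths[prefix], peer_as) if prefix in paths else None
        if seen != wanted:
            bad[prefix] = (seen, wanted)
    return bad
```

Calling wrong_prepends(BEFORE, 65000, EXPECTED) flags only 0.0.0.0/0, and the same call on AFTER returns an empty result.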
