dbabic
Staff
Article Id 193043
Description
This article explains how to change attributes of the default route (0.0.0.0/0) that a FortiGate advertises with "set capability-default-originate enable" before the route is sent to a BGP neighbor.
Most of the time the attribute to change is the AS path (prepending). The standard outbound route-map applied to all advertised prefixes (route-map-out) is not applied to a default route originated this way, so a separate mechanism is needed.


Solution
Diagram:

FGT1 < eBGP > FGT2

FGT2 advertises its prefixes, including the default route, to FGT1. The goal is to prepend the AS path on every route leaving FGT2.


FGT2 (root) # show router bgp
config router bgp
    set as 65000
    set router-id 2.2.2.2
    config neighbor
        edit "10.109.16.85"
            set capability-default-originate enable
            set soft-reconfiguration enable
            set remote-as 65001
            set route-map-out "prepend_all"
        next
    end
    config network
        edit 1
            set prefix 2.2.2.2 255.255.255.255
        next
    end
end

FGT2 (root) # show router route-map

config router route-map
    edit "prepend_default_route"
        config rule
            edit 1
                set match-ip-address "default_route_only"
                set set-aspath "65000 65000"
            next
        end
    next
    edit "prepend_all"
        config rule
            edit 1
                set match-ip-address "any_prefix"
                set set-aspath "65000 65000 65000 65000"
            next
        end
    next
end



FGT2 (root) # show router prefix-list

config router prefix-list
    edit "any_prefix"
        config rule
            edit 1
                set prefix any
                unset ge
                unset le
            next
        end
    next
end

Status on FGT1:

FGT1 # get router info bgp neighbors 10.109.16.62 received-routes
BGP table version is 9, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight RouteTag Path
*> 0.0.0.0/0        10.109.16.62                           0        0 65000 i <-/->
*> 2.2.2.2/32       10.109.16.62                           0        0 65000 65000 65000 65000 65000 i <-/->

Total number of prefixes 2

Prefix 2.2.2.2/32 is received with the prepended AS path (65000 plus four prepends), but the default route arrives with the bare path "65000": route-map-out "prepend_all" is not applied to the originated default route. The solution is the neighbor option "default-originate-routemap", which appears in the CLI only after capability-default-originate is enabled on that neighbor. The route-map it references matches the default route exactly, via a prefix-list entry for 0.0.0.0 0.0.0.0 with ge and le unset.
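To catch this kind of mismatch without reading the table by eye, the following added Python script (not from the article or from Fortinet) parses the "received-routes" output from the neighbor side and flags every prefix whose AS path does not carry the expected number of prepends. The sample output is constructed after the "Status on FGT1" table above, and the local AS and prepend count are the article's values.

```python
import re

# Constructed sample, modelled on the first "Status on FGT1" output in the article
# (route-map-out prepends 2.2.2.2/32, but the originated default route is untouched).
RECEIVED_ROUTES = """\
BGP table version is 9, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight RouteTag Path
*> 0.0.0.0/0        10.109.16.62                           0        0 65000 i <-/->
*> 2.2.2.2/32       10.109.16.62                           0        0 65000 65000 65000 65000 65000 i <-/->

Total number of prefixes 2
"""


def parse_received_routes(text):
    """Return {prefix: [asn, ...]} from 'get router info bgp neighbors X received-routes'.

    The Path column is located by its header offset: Metric and LocPrf may be blank,
    so the AS numbers cannot be told apart from Weight/RouteTag by token counting.
    """
    routes = {}
    path_col = None
    for line in text.splitlines():
        if path_col is None:
            if "Network" in line and "Path" in line:
                path_col = line.index("Path")
            continue  # skip the banner lines before the table header
        m = re.match(r"^[*>sdhi ]{1,3}\s*(\S+/\d+)\s", line)
        if not m:
            continue  # blank line or the "Total number of prefixes" trailer
        tokens = line[path_col:].split()
        # Keep only the AS numbers: drop the origin code (i, e, ?) and the <-/-> marker.
        routes[m.group(1)] = [t for t in tokens if t.isdigit()]
    return routes


def check_prepend(routes, local_as, prepends):
    """True for prefixes whose path is local_as repeated (1 + prepends) times,
    False for prefixes the outbound prepend route-map did not touch."""
    expected = [str(local_as)] * (1 + prepends)
    return {prefix: path == expected for prefix, path in routes.items()}


if __name__ == "__main__":
    routes = parse_received_routes(RECEIVED_ROUTES)
    for prefix, ok in check_prepend(routes, 65000, 4).items():
        print(f"{prefix:16} {' '.join(routes[prefix]):32} {'OK' if ok else 'NOT PREPENDED'}")
```

Run against the second table in the article (after default-originate-routemap is applied), the default route would still be reported, since that route-map prepends twice rather than four times; adjust the prepend count per prefix if the two route-maps are meant to differ.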


FGT2 (root) # show router prefix-list
config router prefix-list
    edit "default_route_only"
        config rule
            edit 1
                set prefix 0.0.0.0 0.0.0.0
                unset ge
                unset le
            next
        end
    next
end

FGT2 (root) # show router route-map
config router route-map
    edit "prepend_default_route"
        config rule
            edit 1
                set match-ip-address "default_route_only"
                set set-aspath "65000 65000"
            next
        end
    next
end

FGT2 (root) # show router bgp
config router bgp
    set as 65000
    set router-id 2.2.2.2
    config neighbor
        edit "10.109.16.85"
            set capability-default-originate enable
            set soft-reconfiguration enable
            set default-originate-routemap "prepend_default_route"   <<<< added
            set remote-as 65001
            set route-map-out "prepend_all"
        next
    end
end


Status on FGT1 now:

FGT1 # get router info bgp neighbors 10.109.16.62 received-routes
BGP table version is 9, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight RouteTag Path
*> 0.0.0.0/0        10.109.16.62                           0        0 65000 65000 65000 i <-/->
*> 2.2.2.2/32       10.109.16.62                           0        0 65000 65000 65000 65000 65000 i <-/->

Total number of prefixes 2

