Description
This article describes how to advertise a static route that has a gateway IP over BGP in an ADVPN setup.

Scope
FortiOS 6.x, 7.x.

Solution
When a static route that has a gateway IP is advertised into BGP, the BGP next hop of the advertised prefix is, by default, the gateway address of the static route rather than the advertising router's own tunnel address. Over an ADVPN overlay, the peer normally has no route to that gateway, so the prefix is learned but cannot be used correctly.
For example:
HUBFGT-Kvm57(10.10.1.1)-------ADVPN/BGP-------(10.10.1.3)SpokeFGT-kvm51(Static route :10.220.230.0, Gateway IP:10.15.16.2)
Spoke firewall:
Static route with a gateway IP:

show router static
config router static
    edit 1
        set dst 10.220.230.0 255.255.255.0
        set gateway 10.15.16.2
        set device "port4"
    next
end
BGP summary on the spoke firewall:

get router info bgp summary
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd

Routes advertised by the spoke to the hub (note the Next Hop column, which shows the static route's gateway 10.15.16.2 instead of the spoke's tunnel address 10.10.1.3):

get router info bgp neighbors 10.10.1.1 advertise
Network Next Hop Metric LocPrf Weight RouteTag Path
BGP routes received on the hub from the spoke:

get router info bgp neighbors 10.10.1.3 received-routes
Network Next Hop Metric LocPrf Weight RouteTag Path
This breaks communication from the hub to 10.220.230.0/24: the hub receives the prefix with next hop 10.15.16.2, but it has no specific route to 10.15.16.2. The only route that covers that address is the default route, so the hub recursively resolves the BGP next hop through its default gateway and sends traffic for 10.220.230.0/24 out the WAN interface instead of into the ADVPN tunnel towards the spoke. The routing-table lookup for the next hop on the hub confirms that only the default route matches:
get router info routing-table details 10.15.16.2
Routing table for VRF=0
To solve this, enable next-hop-self for the hub neighbor in the BGP configuration of the spoke firewall. With next-hop-self enabled, the spoke rewrites the next hop of every prefix it advertises to this neighbor to its own tunnel address (10.10.1.3), which the hub can reach over the ADVPN overlay:
config router bgp
    config neighbor
        edit "10.10.1.1"
            set next-hop-self enable
            set soft-reconfiguration enable
            set prefix-list-out "static"
            set remote-as 65400
        next
    end
end
Routes advertised by the spoke after the change (Next Hop is now 10.10.1.3):

get router info bgp neighbors 10.10.1.1 advertise
Network Next Hop Metric LocPrf Weight RouteTag Path

Routes received on the hub after the change:

get router info bgp neighbors 10.10.1.3 received-routes
Network Next Hop Metric LocPrf Weight RouteTag Path

The hub now resolves the next hop 10.10.1.3 through the ADVPN tunnel interface rather than the default route:

get router info routing-table details 10.10.1.3
Routing table for VRF=0
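The following script is an added example, not part of the original article or of any Fortinet tool. It shows how to audit this condition from CLI output captured on both sides: on the spoke it flags advertised prefixes whose next hop is not the spoke's own tunnel address, and on the hub it flags received prefixes whose next hop resolves only through the default route. The sample route tables and the row values below the article's header line are constructed for the example; the column layout and the status-code prefix (`*>`) are assumptions about the FortiOS output format, so adjust the regular expression if your firmware prints the table differently.

```python
import ipaddress
import re

# Constructed sample of "get router info bgp neighbors 10.10.1.3 received-routes"
# on the hub before next-hop-self is enabled. The header is the one from the
# article; the rows, metrics and AS path are made up for this example.
RECEIVED_BEFORE = """\
   Network          Next Hop            Metric LocPrf Weight RouteTag Path
*> 10.220.230.0/24  10.15.16.2               0             0        0 65401 ?
*> 10.220.231.0/24  10.10.1.3                0             0        0 65401 ?
"""

# Constructed sample of the same command after next-hop-self is enabled on the spoke.
RECEIVED_AFTER = """\
   Network          Next Hop            Metric LocPrf Weight RouteTag Path
*> 10.220.230.0/24  10.10.1.3                0             0        0 65401 ?
*> 10.220.231.0/24  10.10.1.3                0             0        0 65401 ?
"""

# Constructed hub routing table as (destination, gateway). None means a
# connected route. 10.10.1.0/24 is the ADVPN overlay; 0.0.0.0/0 is the default
# route towards a hypothetical WAN gateway 192.0.2.1.
HUB_ROUTES = [
    ("0.0.0.0/0", "192.0.2.1"),
    ("10.10.1.0/24", None),
]

# Assumed row layout: optional status codes, then prefix, then next hop.
ROW_RE = re.compile(r"^[*>sdhi\s]*(\d+\.\d+\.\d+\.\d+/\d+)\s+(\d+\.\d+\.\d+\.\d+)")


def parse_bgp_routes(output):
    """Return a list of (prefix, next_hop) tuples from a BGP route table dump."""
    routes = []
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m:
            routes.append((m.group(1), m.group(2)))
    return routes


def check_next_hop_self(output, local_tunnel_ip):
    """Spoke-side check: prefixes advertised with a next hop other than our own
    tunnel address. Any hit means next-hop-self is missing or not effective."""
    return [prefix for prefix, nh in parse_bgp_routes(output) if nh != local_tunnel_ip]


def longest_match(ip, table):
    """Longest-prefix match of ip against (destination, gateway) entries."""
    addr = ipaddress.ip_address(ip)
    best = None
    for dst, gw in table:
        net = ipaddress.ip_network(dst)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best


def audit_next_hops(output, table):
    """Hub-side check: map each received prefix to how its BGP next hop resolves.
    'default-route' is the failure mode in the article: the next hop is covered
    only by 0.0.0.0/0, so traffic leaves via the WAN instead of the tunnel."""
    verdicts = {}
    for prefix, nh in parse_bgp_routes(output):
        match = longest_match(nh, table)
        if match is None:
            verdicts[prefix] = "unresolvable"
        elif match[0].prefixlen == 0:
            verdicts[prefix] = "default-route"
        else:
            verdicts[prefix] = "ok"
    return verdicts


if __name__ == "__main__":
    print("spoke: prefixes not using next-hop-self:",
          check_next_hop_self(RECEIVED_BEFORE, "10.10.1.3"))
    print("hub before:", audit_next_hops(RECEIVED_BEFORE, HUB_ROUTES))
    print("hub after: ", audit_next_hops(RECEIVED_AFTER, HUB_ROUTES))
```

Run it against real captures by pasting the `advertise` output into `check_next_hop_self` with the spoke's tunnel IP, and the hub's `received-routes` output plus its routing table into `audit_next_hops`; any prefix reported as `default-route` or `unresolvable` is a spoke that still needs `set next-hop-self enable` on its hub neighbor.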