Route filtering with a distribution list
During BGP operations, routes can be propagated between BGP peers and redistributed from other routing protocols. In some situations, advertising routes from one peer to another might need to be prevented.
The Basic BGP example explains how to use a route map to filter routes that are learned from iBGP so that they are not propagated to an eBGP peer. In this example, a distribution list is used instead to prevent certain routes learned from one peer from being advertised to another peer.
- A company has its own web and email servers in an OSPF area, and needs to advertise routes to these resources to external peers. Users, routers, and other servers all reside in the OSPF area.
- The FortiGate acts as the BGP border router, redistributing routes from the company's network to its BGP peers. It is connected to the OSPF area using its DMZ interface.
- Two ISP-managed BGP peers in an AS (Peer 1 and Peer 2) are used to access the internet, and routes must not be advertised from Peer 1 to Peer 2. The manufacturers of these routers, and information about other devices on the external BGP AS, are not known.
- Routes to the BGP peers are redistributed so that external locations can access the web and email servers in the OSPF area. The FortiGate device's external interfaces and the BGP peers are in different ASs, and form eBGP peers.
- Other networking devices must be configured for BGP. The peer routers must be updated with the FortiGate device's BGP information, including IP addresses, AS number, and any specific capabilities that are used, such as IPv6, graceful restart, BFD, and so on.
- It is assumed that security policies have been configured to allow traffic between the networks, and that NAT is not used. To tighten security, only the required services should be allowed inbound to the various servers.
- In a real-life scenario, public IP addresses would be used in place of private IP addresses.
Configuring BGP
In this example, routes learned from Peer 1 are blocked from being advertised to Peer 2 by applying an access list as an outbound distribute list on the Peer 2 neighbor. All incoming routes from Peer 1 are blocked when updates are sent to Peer 2.
Routes learned from OSPF are redistributed into BGP. EBGP multipath is enabled to load-balance traffic between the peers using ECMP. See Equal cost multi-path for more information.
To configure BGP in the GUI:
- Configure an access list to block Peer 1 routes:
  - Go to Network > Routing Objects and click Create New > Access List.
  - Set Name to block_peer1.
  - In the Rules table, click Create New.
  - Set Action to Deny.
  - Enable Exact Match and specify the prefix 172.21.111.0 255.255.255.0.
  - Click OK.
  - Click OK.
- Configure BGP:
  - Go to Network > BGP.
  - Set Local AS to 65001.
  - Set Router ID to 10.11.201.110.
  - In the Neighbors table, click Create New and set the following:
    IP: 172.21.111.5
    Remote AS: 65001
  - Click OK.
  - In the Neighbors table, click Create New again and set the following:
    IP: 172.22.222.5
    Remote AS: 65001
    Distribute list out: Enable, and select the block_peer1 access list.
  - Click OK.
  - Under IPv4 Redistribute, enable OSPF and select ALL.
  - Expand Best Path Selection and enable EBGP multi path.
  - Click Apply.
To configure BGP in the CLI:
- Configure an access list to block Peer 1 routes:
    config router access-list
        edit "block_peer1"
            config rule
                edit 1
                    set action deny
                    set prefix 172.21.111.0 255.255.255.0
                    set exact-match enable
                next
            end
        next
    end
- Configure BGP:
    config router bgp
        set as 65001
        set router-id 10.11.201.110
        set ebgp-multipath enable
        config neighbor
            edit "172.21.111.5"
                set remote-as 65001
            next
            edit "172.22.222.5"
                set distribute-list-out "block_peer1"
                set remote-as 65001
            next
        end
        config redistribute "ospf"
            set status enable
        end
    end
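The access list decides per prefix, not per originating peer, and Exact Match narrows a rule to the one prefix written in it. The following Python script is an added example, not FortiGate code: it models first-match access-list evaluation as an outbound distribute list and runs block_peer1 over a constructed set of candidate routes. Two things are assumptions of the model rather than statements from this page: that a rule without exact-match covers the prefix and any more-specific prefix inside it, and what happens to a prefix that matches no rule at all, which is taken as a parameter so both outcomes can be compared. The device's actual result for the Peer 2 session is what `get router info bgp neighbors 172.22.222.5 advertised-routes` shows, and that is the check to run after applying the configuration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


# Hypothetical model of one FortiOS access-list rule (constructed for this example).
@dataclass(frozen=True)
class AclRule:
    action: str                      # "permit" or "deny"
    prefix: ipaddress.IPv4Network    # the "set prefix" value
    exact_match: bool = False        # the "set exact-match" flag


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    source: str                      # constructed label only; the access list never reads it


def parse_prefix(text: str) -> ipaddress.IPv4Network:
    """Parse the 'address netmask' form used by 'set prefix' into a network object."""
    address, netmask = text.split()
    return ipaddress.IPv4Network(f"{address}/{netmask}", strict=True)


def rule_matches(rule: AclRule, prefix: ipaddress.IPv4Network) -> bool:
    """Exact match: only the identical prefix matches.
    Without exact match (assumption): the prefix and any more-specific prefix inside it."""
    if rule.exact_match:
        return prefix == rule.prefix
    return prefix.subnet_of(rule.prefix)


def acl_action(rules: List[AclRule], prefix: ipaddress.IPv4Network, default_action: str) -> str:
    """First matching rule wins; default_action applies when no rule matches (assumption)."""
    for rule in rules:
        if rule_matches(rule, prefix):
            return rule.action
    return default_action


def distribute_list_out(routes: List[Route], rules: List[AclRule], default_action: str) -> List[Route]:
    """Return the routes that would be advertised to the neighbour the list is applied to."""
    return [r for r in routes if acl_action(rules, r.prefix, default_action) == "permit"]


# The access list from this page.
BLOCK_PEER1 = [AclRule("deny", parse_prefix("172.21.111.0 255.255.255.0"), exact_match=True)]

# Constructed candidate routes for the Peer 2 session (not captured from a device).
ROUTES = [
    Route(parse_prefix("172.21.111.0 255.255.255.0"), "peer1"),      # exactly the denied prefix
    Route(parse_prefix("172.21.111.128 255.255.255.128"), "peer1"),  # more specific: exact match misses it
    Route(parse_prefix("10.11.201.0 255.255.255.0"), "ospf"),        # redistributed from OSPF
    Route(parse_prefix("0.0.0.0 0.0.0.0"), "peer1"),                 # default route learned from Peer 1
]


def advertised_prefixes(default_action: str, rules: List[AclRule] = BLOCK_PEER1) -> List[str]:
    """Prefixes that pass the outbound distribute list, as strings for easy comparison."""
    return [str(r.prefix) for r in distribute_list_out(ROUTES, rules, default_action)]


if __name__ == "__main__":
    for default in ("permit", "deny"):
        print(f"block_peer1, unmatched prefixes {default}ted: {advertised_prefixes(default)}")
    # Same deny rule without exact match: the /25 inside the /24 is now blocked as well.
    loose = [AclRule("deny", parse_prefix("172.21.111.0 255.255.255.0"))]
    print("without exact match, unmatched permitted:", advertised_prefixes("permit", loose))
```

The run shows why both assumptions matter: with unmatched prefixes permitted, the 172.21.111.128/25 and the default route learned from Peer 1 still reach Peer 2, because the single exact-match rule only names the /24; with unmatched prefixes denied, a list that contains only deny rules advertises nothing, including the OSPF network the peers are supposed to reach.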
Configuring OSPF
In this example, all of the traffic is within the one OSPF area, and there are other OSPF routers in the network. When adjacencies are formed, other routers receive the routes advertised from the FortiGate that are redistributed from BGP.
To configure OSPF in the GUI:
- Go to Network > OSPF.
- Set Router ID to 10.11.201.110.
- In the Areas table, click Create New and set the following:
  Area ID: 0.0.0.0
  Type: Regular
  Authentication: None
- Click OK.
- In the Networks table, click Create New and set the following:
  Area: 0.0.0.0
  IP/Netmask: 10.11.201.0 255.255.255.0
- Click OK.
- In the Interfaces table, click Create New and set the following:
  Name: OSPF_dmz_network
  Interface: dmz
- Click OK.
- Enable Redistribute BGP and set Metric value to 1.
- Click Apply.
To configure OSPF in the CLI:
    config router ospf
        set router-id 10.11.201.110
        config area
            edit 0.0.0.0
            next
        end
        config ospf-interface
            edit "OSPF_dmz_network"
                set interface "dmz"
            next
        end
        config network
            edit 1
                set prefix 10.11.201.0 255.255.255.0
            next
        end
        config redistribute "bgp"
            set status enable
            set metric 1
        end
    end
Testing the configuration
To test this configuration, run the standard connectivity checks, and also make sure that routes are being passed between protocols as expected. Use the following checklist to help verify that the FortiGate is configured successfully:
- Check that the FortiGate has established peering with BGP Peer 1 and Peer 2:
    # get router info bgp summary
    # get router info bgp neighbors
- Check that the FortiGate has formed adjacency with OSPF neighbors:
    # get router info ospf status
    # get router info ospf neighbors
- Check the routing table on the FortiGate to make sure that routes from both OSPF and BGP are included:
    # get router info routing-table all
- Check devices in the OSPF network for internet connectivity and to confirm that routes redistributed from BGP are in their routing tables.
- Check the routing table on Peer 2 to confirm that no routes from Peer 1 are included.
- Check that the routes from the internal OSPF network are redistributed to Peer 1 and Peer 2.
- Verify connectivity to the HTTP and email servers.
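The routing-table item in the checklist is easy to automate when the output is collected from many devices. The script below is an added example, not FortiGate code: it parses a constructed sample written in the style of `get router info routing-table all` output (the column layout is approximated, not captured from a device) and reports whether BGP and OSPF routes are both present and whether the DMZ network 10.11.201.0/24 appears as a connected route. The route-code letters it keys on (B, O, C) are the ones the real output's legend uses; everything else about the sample is an assumption.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample in the style of 'get router info routing-table all'.
# Not captured from a device; the layout is approximated for the example.
SAMPLE_ROUTING_TABLE = """\
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       * - candidate default

B*      0.0.0.0/0 [20/0] via 172.21.111.5, port1, 00:10:02
                         via 172.22.222.5, port2, 00:10:02
C       10.11.201.0/24 is directly connected, dmz
O       10.11.202.0/24 [110/2] via 10.11.201.2, dmz, 00:12:43
B       172.21.111.0/24 [20/0] via 172.21.111.5, port1, 00:10:02
C       172.22.222.0/24 is directly connected, port2
"""

# A route line starts at column 0 with a one- or two-letter code, an optional "*",
# then the prefix. Continuation lines for extra ECMP next hops start with whitespace.
ROUTE_LINE = re.compile(r"^(?P<code>[A-Z]{1,2})\*?\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s")


def parse_routing_table(text: str) -> Dict[str, List[str]]:
    """Map each route-code letter (B, O, C, ...) to the prefixes listed under it,
    in the order they appear. Legend and continuation lines are skipped."""
    routes: Dict[str, List[str]] = defaultdict(list)
    for line in text.splitlines():
        match = ROUTE_LINE.match(line)
        if match:
            routes[match.group("code")].append(match.group("prefix"))
    return dict(routes)


def check_redistribution(text: str) -> Dict[str, bool]:
    """The checklist conditions for the FortiGate's own table: BGP routes present,
    OSPF routes present, and the DMZ network reachable as a connected route."""
    routes = parse_routing_table(text)
    return {
        "bgp_routes_present": bool(routes.get("B")),
        "ospf_routes_present": bool(routes.get("O")),
        "dmz_connected": "10.11.201.0/24" in routes.get("C", []),
    }


if __name__ == "__main__":
    for code, prefixes in sorted(parse_routing_table(SAMPLE_ROUTING_TABLE).items()):
        print(f"{code}: {', '.join(prefixes)}")
    for name, ok in check_redistribution(SAMPLE_ROUTING_TABLE).items():
        print(f"{name}: {'OK' if ok else 'MISSING'}")
```

Feed it the captured output of the command instead of the sample to get the same three answers for a live FortiGate; a failed `ospf_routes_present` points at the OSPF adjacency checks earlier in the list, and a failed `bgp_routes_present` at the BGP peering checks.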