Fortigate – filtering inbound BGP routes from neighbors, including Default

The other night I needed to stop receiving a default route advertised by my BGP peer. I also thought it would be helpful to write this up, both for anyone who needs to do the same and for myself, since I forget it often.

The first thing we need to do is create a prefix list to either allow or deny the routes we want. In this case I want to filter out the default route that is being propagated to me.

config router prefix-list

[image: prefix-list configuration]

Things to note: rule 10 matches the default route (0.0.0.0/0) exactly, which is the one being filtered. Rule 100 then allows any other prefix, hence the “le 32”: it matches anything from 0.0.0.0/0 up to a /32, and since 0.0.0.0/0 is already blocked by rule 10, everything else is allowed.

Then we need to create our route-map to allow these routes in the inbound direction.

config router route-map

[image: route-map configuration]

Then let's apply the route-map to our peer.

config router bgp

[image: BGP neighbor configuration]

After applying the route-map in the inbound direction, we need to clear the BGP session, either soft or hard, for the routing changes to take effect.

Run this command to refresh the BGP advertisements from the peer and resynchronize with the new filter in place:

exe router clear bgp all in soft

or clear both directions (softly) with:

exe router clear bgp all soft

That should do it; you will see the default route disappear from the routes learned from your peer. You can use the same approach to filter routes to any destination network.


3 responses to “Fortigate – filtering inbound BGP routes from neighbors, including Default”

  1. Waleed Khan March 17, 2018 at 10:55 pm

    I think we can do this by

    denying 0.0.0.0/0 in the first rule with unset le, unset ge -> Deny
    and in the second rule, we can set the prefix as any and unset le and unset ge -> Allow

    Isn't it?

  2. vishalthackerr March 21, 2018 at 10:35 am

    Hello,

    Thanks for sharing this article. I tried applying the route-map in, however I'm still learning the default route from the peer.

    Do you know what filter I can use to learn only a specific route, for example learn only the 192.168.1.0/24 route from the peer?

    Thanks again

  3. cjcott01 March 21, 2018 at 7:21 pm

    For sure. Change the names of the prefix-list/route-map to whatever you would like. Definitely run the clear soft, or BGP clear, command to make sure this takes effect. If it doesn't work let me know and we can work directly together on it.

    config router prefix-list
        edit BGP-IN-PREFIX
            config rule
                edit 10
                    set prefix 192.168.1.0/24
                next
            end
        end

    config router route-map
        edit BGP-IN-MAP
            config rule
                edit 10
                    set match-ip-address BGP-IN-PREFIX
                    set action permit
                next
            end
        end

    config router bgp
        config neighbor
            edit 1.1.1.1
                set route-map-in BGP-IN-MAP
            end
        end

    exe router clear bgp ip all soft
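To make the matching rules above concrete, here is a small Python model, added here as an example and not Fortinet code or the post's own configuration, of how a prefix-list is evaluated: rules are checked in order, the first match decides, a route matching nothing hits the implicit deny, and ge/le widen an otherwise exact match. It reproduces the post's two-rule list (deny 0.0.0.0/0 exact, then permit 0.0.0.0/0 le 32) and the single-prefix list from the comments; the rule dictionaries and route lists are a constructed representation, and the evaluator is my own reading of the semantics rather than anything read from a device.

```python
import ipaddress

# Constructed model of prefix-list evaluation (added example, not Fortinet
# code): rules are checked in id order, the first match decides, and a route
# that matches nothing falls through to the implicit deny at the end.
# A rule with neither ge nor le matches its prefix exactly; ge/le set the
# minimum/maximum prefix length accepted beneath the rule prefix.

BGP_IN_PREFIX = [  # the post's list: drop the default, keep everything else
    {"id": 10, "prefix": "0.0.0.0/0", "action": "deny"},
    {"id": 100, "prefix": "0.0.0.0/0", "action": "permit", "le": 32},
]

ONLY_ONE_ROUTE = [  # the comment's list: learn only 192.168.1.0/24
    {"id": 10, "prefix": "192.168.1.0/24", "action": "permit"},
]


def rule_matches(rule, route):
    """True when `route` (an IPv4Network) satisfies one prefix-list rule."""
    net = ipaddress.ip_network(rule["prefix"])
    if not route.subnet_of(net):
        return False  # route is not covered by the rule prefix at all
    ge, le = rule.get("ge"), rule.get("le")
    if ge is None and le is None:
        return route.prefixlen == net.prefixlen  # exact match only
    low = ge if ge is not None else net.prefixlen
    high = le if le is not None else net.max_prefixlen
    return low <= route.prefixlen <= high


def evaluate(prefix_list, route):
    """Action ('permit'/'deny') for a route string such as '10.0.0.0/8'."""
    route = ipaddress.ip_network(route)
    for rule in sorted(prefix_list, key=lambda r: r["id"]):
        if rule_matches(rule, route):
            return rule["action"]
    return "deny"  # implicit deny: nothing matched


def apply_inbound(prefix_list, received):
    """Routes that survive the filter, i.e. what route-map-in would admit."""
    return [r for r in received if evaluate(prefix_list, r) == "permit"]


if __name__ == "__main__":
    learned = ["0.0.0.0/0", "10.0.0.0/8", "192.168.1.0/24", "192.168.1.128/25"]
    print(apply_inbound(BGP_IN_PREFIX, learned))   # default route is gone
    print(apply_inbound(ONLY_ONE_ROUTE, learned))  # only the exact /24 survives
```

Note that the order matters: if the permit-le-32 rule came first it would also admit 0.0.0.0/0, which is exactly why the post's rule 10 sits ahead of rule 100.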
