Fortigate – filtering inbound BGP routes from neighbors, including Default

The other night I needed to stop receiving a default route advertised by my BGP peer. I thought it would be helpful for anyone else who needs to do this (and for myself, since I forget often) to write it up.

The first thing we need to do is create a prefix list to either allow or deny the routes we want. In this case I want to filter out the default route that is being propagated to me.

config router prefix-list
(screenshot of the prefix-list rules from the original post, not reproduced here)

Things to note: in rule 10 I match the default route exactly (0.0.0.0/0 and nothing else). Then in rule 100 I allow every other prefix, hence the “le 32”: that matches anything from 0.0.0.0/0 through /32, and since 0/0 has already been denied in rule 10, everything else is allowed.

Then we need to create our route map to allow these routes in the inbound direction.

config router route-map
(screenshot of the route-map rules from the original post, not reproduced here)

Then let's apply the route map to our peer.

config router bgp
(screenshot of the neighbor configuration from the original post, not reproduced here)

After applying the route map in the inbound direction we need to clear BGP, either soft or full, to make our routing changes take effect.

Run this command to have the peer re-send its advertisements so the new filter is applied:

exe router clear bgp all in soft

or clear both directions (softly) with:

exe router clear bgp all soft

That should do it, and you will see the default route disappear from the routes learned from your peer. You can use the same approach to filter routes to any destination network.
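The two screenshots in the post are not reproduced above, so here is the configuration they describe, written out in FortiOS CLI. This is an added example, not the original post's own config: it uses the rule numbers and match semantics from the text, the object names BGP-IN-PREFIX and BGP-IN-MAP from the comment thread below, and 203.0.113.1 as a placeholder for the peer's address.

```text
# Added example (FortiOS CLI), not the original post's configuration.
# BGP-IN-PREFIX / BGP-IN-MAP are the names used in the comment thread;
# 203.0.113.1 is a placeholder for your peer's address.

# 1. Prefix list: rule 10 denies the bare default route (no ge/le, so
#    only 0.0.0.0/0 itself matches); rule 100 then permits everything
#    else, since 0.0.0.0/0 le 32 covers any prefix length up to /32.
config router prefix-list
    edit "BGP-IN-PREFIX"
        config rule
            edit 10
                set action deny
                set prefix 0.0.0.0/0
                unset ge
                unset le
            next
            edit 100
                set action permit
                set prefix 0.0.0.0/0
                unset ge
                set le 32
            next
        end
    next
end

# 2. Route map: permit whatever the prefix list permits. A prefix the
#    list denies does not match rule 10 and is dropped by the route
#    map's implicit deny.
config router route-map
    edit "BGP-IN-MAP"
        config rule
            edit 10
                set action permit
                set match-ip-address "BGP-IN-PREFIX"
            next
        end
    next
end

# 3. Apply the route map inbound on the peer.
config router bgp
    config neighbor
        edit "203.0.113.1"
            set route-map-in "BGP-IN-MAP"
        next
    end
end

# 4. Soft-clear the session so the new inbound policy is applied,
#    then confirm the default route is gone from the BGP routes.
execute router clear bgp all soft
get router info routing-table bgp
```

Order matters in the prefix list: rules are evaluated top down and the first match wins, so the exact-match deny in rule 10 has to sit above the catch-all permit in rule 100. Anything that matches no rule at all hits the implicit deny at the end of the list, which is why a list containing only permit entries (as in the 192.168.1.0/24 example further down) also works as an allow-list.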


5 responses to “Fortigate – filtering inbound BGP routes from neighbors, including Default”

  1. Waleed Khan March 17, 2018 at 10:55 pm

    I think we can do it by

    denying 0.0.0.0/0 in the first rule with unset le, unset ge -> Deny
    and in the second rule, we can mask the prefix as any and unset le and unset ge -> Allow

    Isn’t it?

  2. vishalthackerr March 21, 2018 at 10:35 am

    Hello,

    Thanks for sharing this article. I tried applying the route-map in; however, I’m still learning the default route from the peer.

    Do you know what filter I can use to learn only a specific route, for example learn only the 192.168.1.0/24 route from the peer?

    Thanks again

  3. cjcott01 March 21, 2018 at 7:21 pm

    For sure. Change the names of the prefix list/map to whatever you would like. Definitely run the clear soft, or BGP clear command, to make sure this takes effect. If it doesn’t work let me know and we can work directly together on it.

    # prefix list with a single permit; anything else hits the implicit deny
    config router prefix-list
        edit BGP-IN-PREFIX
            config rule
                edit 10
                    set prefix 192.168.1.0/24
                next
            end
        next
    end

    # route map that permits what the prefix list permits
    config router route-map
        edit BGP-IN-MAP
            config rule
                edit 10
                    set match-ip-address BGP-IN-PREFIX
                    set action permit
                next
            end
        next
    end

    # apply the route map inbound on the neighbor
    config router bgp
        config neighbor
            edit 1.1.1.1
                set route-map-in BGP-IN-MAP
            next
        end
    end

    exe router clear bgp ip all soft

  4. Brandon Huggins November 17, 2022 at 8:47 am

    Hello,
    It seems Fortigate allows you to apply BGP prefix-list-in and prefix-list-out as a neighbor configuration. I don’t understand the necessity to call the prefix-list in a route-map if you can use the prefix-list-in/out directly on the neighbor configuration. Perhaps just more than one way to skin a cat, or is there a specific reason to use the route-map?

    Thanks!

    • cjcott01 November 17, 2022 at 9:08 am

      Hey Brandon, thanks for the comment! Using a prefix-list will allow you to do exactly this, so thank you for mentioning it. In BGP there are 20 ways to do everything; it’s choosing the best option for you. I like route maps because they give you the flexibility to modify incoming/outgoing metrics, preference, etc. It’s definitely a little more trouble, but if you have to modify things frequently it might be a good option.
