Tag Archives: AS Path

Fortinet AS Path filtering with Regular Expressions

Recently I had a project where 1 Fortigate had two MPLS networks connected for redundant connections. These two MPLS networks were from different providers. I had a few problems where networks from other peers were transiting through my device to be advertised out to these links. I did not want this to happen. There are many ways to do this exact thing, but what I did was use an AS path filter with regular expressions to find anything passing through my remote peers and block them going out on the opposite peer. The image below will sum up what I just wrote a little better:

Path-filtering

So as with almost all BGP commands on Fortinet – they have to be done through CLI. The following are the commands needed to create the AS-Path list, Create the Route map, then apply the route map to our neighbor. We are using regular expressions to map grab our AS path, you might say what the heck is a regular expression? Here is a link that explains how to put an expression together http://blog.ine.com/2008/01/06/understanding-bgp-regular-expressions/ . If you notice what I am doing “_65000_” This basically says that if 65000 is in the AS Path block it. the _ is a space so my expression reads – Anything before 65000 or after 65000 gets blocked. For example, if you wanted to block routes that originate from 65000 you could do “_65000” or “_65000$” The dollar sign means that is the end of the string, so nothing else beyond that.

config router aspath-list
edit Match-L3
config rule
edit 10
set action deny
set regexp _65000_
end
next

edit Match-WS
config rule
edit 10
set action deny
set regexp _65400_
end
end

config router route-map
edit Block-WS
config rule
edit 10
set match-as-path Match-WS
next
edit 11 — Note- There is a deny all on the Routemap, this rule 11 basically says permit anything else
end
next

edit Block-L3
config rule
edit 10
set match-as-path Match-L3
next — Note- There is a deny all on the Routemap, this rule 11 basically says permit anything else
edit 11
end
end

config neighbor
edit “2.2.2.1”
set capability-default-originate enable
set remote-as 65400
set route-map-out “Block-L3”
set send-community6 disable
next

edit “1.1.1.1”
set remote-as 65000
set route-map-out “Block-WS”
set send-community6 disable
next
end

Now we have to flush those routes, we can do this with the command:

exe router clear bgp ip 1.1.1.1 soft out
exe router clear bgp ip 2.2.2.1 soft out

After you clear you should see a good drop in routes being advertised to those neighbors.

get router infor  bgp neigh 1.1.1.1 advertised-routes

 

Fortigate BGP AS Path prepending

Docs.fortinet.com is always the best place to get any Fortinet info.

Fortinet like most firewall vendors supports almost all Dynamic routing protocols. BGP is one, the GUI has simple to setup BGP options, but many do not exist in CLI, which might be for the best. In this post I will show how to create a Route-map and prepend the AS path influence ISP/neighbor routing.

First lets talk about why you would want to prepend an AS path. You would want to do this to influence how neighbors get to your routes. For example, if you had two ISPs, or neighbors and wanted to broadcast your routes to both neighbors, but wanted everyone to take neighbor 1 to get to your router, with a backup of Neighbor 2 you could prepend the AS path and make this happen.

BGP is a very deep protocol and there are many different ways to influence routing. Routers will always take the shortest AS path to get to its destination so that is the preferred method for this.

Steps:

– Add BGP neighbors/networks – you can do this in GUI

– In CLI create route-map and use the commands to prepend YOUR AS path

– Assign Route-map to neighbor

– Clear BGP routes.

 

Create BGP in GUI.

This includes our AS number, the Neighbors and their AS numbers, and our networks we are advertising.

Image

Route-map Creation

Lets then drop to CLI and create our Route-map

Image

Commands:

config router route-map

config “Name”¬† —- create route map

edit rule X — from there you can set your Prepend

set set-aspath “x x x “

set action permit — I did not add this in the image. Routes will be blocked if this is not added.

end

Assigning Route-map

Now lets assign the route map to our neighbor. Since we are wanting to control how routing will get to us, we will apply this route map to outgoing routes.

Image

the command “set route-map-out” is what sets the route map on the outbound routes.

Last but not least, lets clear the IP routes so our prepend takes effect. You can do this through the command:

exe router clear bgp ip x.x.x.x out

This will clear all routes from this neighbor. If this is a live production network, it would be better to run the command:

exe router clear bgp ip x.x.x.x soft out

A soft reset uses stored prefix information to reconfigure and activate BGP routing tables without tearing down existing peering sessions. Soft reconfiguration uses stored update information, at the cost of additional memory for storing the updates, to allow you to apply new BGP policy without disrupting the network. Soft reconfiguration can be configured for inbound or outbound sessions.

Status

So now we need to take a look at the routes we are sending out to see if our AS has actually be altered. After resetting the peer it might take a minute or two before this shows up correctly.

Image

The command is:

get router info bgp neighbors x.x.x.x advertised-routes

That’s it!

Now we are controlling how devices will get to our networks in a Dual homed situation (two connections to ISPs). The querying devices will always take the lower AS path to get to its destination.