router route-map
Use this command to add, edit, or delete route maps. To use the command to limit the number of received or advertised BGP and RIP routes and routing updates using route maps, see “Using route maps with BGP” and “config redistribute” under router rip.
Route maps provide a way for the FortiGate unit to evaluate optimum routes for forwarding packets or suppressing the routing of packets to particular destinations. Compared to access lists, route maps support enhanced packet-matching criteria. In addition, route maps can be configured to permit or deny the addition of routes to the FortiGate unit routing table and make changes to routing information dynamically as defined through route-map rules.
The FortiGate unit compares the rules in a route map to the attributes of a route. The rules are examined in ascending order until one or more of the rules in the route map are found to match one or more of the route attributes:
- When a single matching match-* rule is found, changes to the routing information are made as defined through the rule’s set-ip-nexthop, set-metric, set-metric-type, and/or set-tag settings.
- If no matching rule is found, no changes are made to the routing information.
- When more than one match-* rule is defined, all of the defined match-* rules must evaluate to TRUE or the routing information is not changed.
- If no match-* rules are defined, the FortiGate unit makes changes to the routing information only when all of the default match-* rules happen to match the attributes of the route.
The default rule in the route map (which the FortiGate unit applies last) denies all routes. For a route map to take effect, it must be called by a FortiGate unit routing process.
History
The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.
Command | Description
---|---
config rule, edit <id>, set set-route-tag <integer> | Route tag for routing table.
```
config router route-map
    edit {name}   # Configure route maps.
        set name {string}   Name. size[35]
        set comments {string}   Optional comments. size[127]
        config rule
            edit {id}   # Rule.
                set id {integer}   Rule ID. range[0-4294967295]
                set action {permit | deny}   Action.
                        permit   Permit.
                        deny   Deny.
                set match-as-path {string}   Match BGP AS path list. size[35] - datasource(s): router.aspath-list.name
                set match-community {string}   Match BGP community list. size[35] - datasource(s): router.community-list.name
                set match-community-exact {enable | disable}   Enable/disable exact matching of communities.
                set match-origin {none | egp | igp | incomplete}   Match BGP origin code.
                        none   None.
                        egp   Remote EGP.
                        igp   Local IGP.
                        incomplete   Unknown heritage.
                set match-interface {string}   Match interface configuration. size[15] - datasource(s): system.interface.name
                set match-ip-address {string}   Match IP address permitted by access-list or prefix-list. size[35] - datasource(s): router.access-list.name,router.prefix-list.name
                set match-ip6-address {string}   Match IPv6 address permitted by access-list6 or prefix-list6. size[35] - datasource(s): router.access-list6.name,router.prefix-list6.name
                set match-ip-nexthop {string}   Match next hop IP address passed by access-list or prefix-list. size[35] - datasource(s): router.access-list.name,router.prefix-list.name
                set match-ip6-nexthop {string}   Match next hop IPv6 address passed by access-list6 or prefix-list6. size[35] - datasource(s): router.access-list6.name,router.prefix-list6.name
                set match-metric {integer}   Match metric for redistribute routes. range[0-4294967295]
                set match-route-type {1 | 2 | none}   Match route type.
                        1   External type 1.
                        2   External type 2.
                        none   No type specified.
                set match-tag {integer}   Match tag. range[0-4294967295]
                set set-aggregator-as {integer}   BGP aggregator AS. range[0-4294967295]
                set set-aggregator-ip {ipv4 address any}   BGP aggregator IP.
                set set-aspath-action {prepend | replace}   Specify preferred action of set-aspath.
                        prepend   Prepend.
                        replace   Replace.
                config set-aspath
                    edit {as}   # Prepend BGP AS path attribute.
                        set as {string}   AS number (0 - 42949672). NOTE: Use quotes for repeating numbers, e.g.: "1 1 2". size[64]
                    next
                set set-atomic-aggregate {enable | disable}   Enable/disable BGP atomic aggregate attribute.
                set set-community-delete {string}   Delete communities matching community list. size[35] - datasource(s): router.community-list.name
                config set-community
                    edit {community}   # BGP community attribute.
                        set community {string}   Attribute: AA|AA:NN|internet|local-AS|no-advertise|no-export. size[64]
                    next
                set set-community-additive {enable | disable}   Enable/disable adding set-community to existing community.
                set set-dampening-reachability-half-life {integer}   Reachability half-life time for the penalty (1 - 45 min, 0 = unset). range[0-45]
                set set-dampening-reuse {integer}   Value to start reusing a route (1 - 20000, 0 = unset). range[0-20000]
                set set-dampening-suppress {integer}   Value to start suppressing a route (1 - 20000, 0 = unset). range[0-20000]
                set set-dampening-max-suppress {integer}   Maximum duration to suppress a route (1 - 255 min, 0 = unset). range[0-255]
                set set-dampening-unreachability-half-life {integer}   Unreachability half-life time for the penalty (1 - 45 min, 0 = unset). range[0-45]
                config set-extcommunity-rt
                    edit {community}   # Route Target extended community.
                        set community {string}   AA:NN. size[64]
                    next
                config set-extcommunity-soo
                    edit {community}   # Site-of-Origin extended community.
                        set community {string}   AA:NN. size[64]
                    next
                set set-ip-nexthop {ipv4 address}   IP address of next hop.
                set set-ip6-nexthop {ipv6 address}   IPv6 global address of next hop.
                set set-ip6-nexthop-local {ipv6 address}   IPv6 local address of next hop.
                set set-local-preference {integer}   BGP local preference path attribute. range[0-4294967295]
                set set-metric {integer}   Metric value. range[0-4294967295]
                set set-metric-type {1 | 2 | none}   Metric type.
                        1   External type 1.
                        2   External type 2.
                        none   No type specified.
                set set-originator-id {ipv4 address any}   BGP originator ID attribute.
                set set-origin {none | egp | igp | incomplete}   BGP origin code.
                        none   None.
                        egp   Remote EGP.
                        igp   Local IGP.
                        incomplete   Unknown heritage.
                set set-tag {integer}   Tag value. range[0-4294967295]
                set set-weight {integer}   BGP weight for routing table. range[0-4294967295]
                set set-flags {integer}   BGP flags value (0 - 65535). range[0-65535]
                set match-flags {integer}   BGP flag value to match (0 - 65535). range[0-65535]
                set set-route-tag {integer}   Route tag for routing table. range[0-4294967295]
            next
    next
end
```
Additional information
The following section is for those options that require additional explanation.
edit
Enter a name for an individual route map. The other settings for this command apply within the context of that route map and are therefore found under config rule variables.
config rule variables
edit
This edit will be for the editing and creation of rules within the route maps.
action
Enter permit to permit routes that match this rule. Enter deny to deny routes that match this rule.
match-interface
Enter the name of the local FortiGate unit interface that will be used to match route interfaces.
match-ip-address
Match a route if the destination address is included in the specified access list or prefix list.
match-ip6-address
Match a route if the destination IPv6 address is included in the specified access6 list or prefix6 list.
match-ip-nexthop
Match a route that has a next-hop router address included in the specified access list or prefix list.
match-ip6-nexthop
Match a route that has a next-hop router address included in the specified access6 list or prefix6 list.
match-metric
Match a route with the specified metric. The metric can be a number from 1 to 16.
match-route-type
Match a route that has the external type set to 1 or 2.
match-tag
This field is available when set-tag is set. Match a route that has the specified tag.
set-ip-nexthop
Set the next-hop router address for a matched route.
set-ip6-nexthop
Set the next-hop router IPv6 address for a matched route.
set-ip6-nexthop-local
Set the next-hop router local IPv6 address for a matched route.
set-metric
Set a metric value of 1 to 16 for a matched route.
set-metric-type
Set the type for a matched route.
set-tag
Set a tag value for a matched route.
Example
This example shows how to add a route map named rtmp2 with two rules. The first rule denies routes that match the IP addresses in an access list named acc_list2. The second rule permits routes that match a metric of 2 and changes the metric to 4.
```
config router route-map
    edit rtmp2
        config rule
            edit 1
                set match-ip-address acc_list2
                set action deny
            next
            edit 2
                set match-metric 2
                set action permit
                set set-metric 4
            next
        end
    next
end
```
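The evaluation order described at the top of this page (rules walked in ascending ID order, every match-* condition on a rule ANDed together, first match decides, trailing default rule denies) and the rtmp2 example above are modelled in the following Python script. This is an added illustration, not FortiOS code: the prefix list contents for acc_list2, the route objects, and the extra AND_DEMO rule set are constructed for the example, and only a subset of the match-* and set-* options (match-ip-address, match-metric, match-tag, set-metric, set-tag, set-ip-nexthop) is implemented.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Constructed sample prefix list. The name acc_list2 mirrors the page's
# rtmp2 example; the prefixes inside it are invented for this illustration.
PREFIX_LISTS = {
    "acc_list2": [ipaddress.ip_network("10.20.0.0/16"),
                  ipaddress.ip_network("192.0.2.0/24")],
}


@dataclass
class Route:
    prefix: str                 # destination, e.g. "10.20.5.0/24"
    metric: int
    tag: int = 0
    nexthop: Optional[str] = None


@dataclass
class Rule:
    rule_id: int
    action: str = "permit"                  # permit | deny
    match_ip_address: Optional[str] = None  # name of a prefix list
    match_metric: Optional[int] = None
    match_tag: Optional[int] = None
    set_metric: Optional[int] = None
    set_tag: Optional[int] = None
    set_ip_nexthop: Optional[str] = None


def rule_matches(rule: Rule, route: Route) -> bool:
    """Every configured match-* condition must hold (logical AND).
    A rule with no match-* conditions matches every route."""
    if rule.match_ip_address is not None:
        nets = PREFIX_LISTS.get(rule.match_ip_address, [])
        dest = ipaddress.ip_network(route.prefix, strict=False)
        if not any(dest.version == n.version and dest.subnet_of(n) for n in nets):
            return False
    if rule.match_metric is not None and route.metric != rule.match_metric:
        return False
    if rule.match_tag is not None and route.tag != rule.match_tag:
        return False
    return True


def apply_route_map(rules: List[Rule], route: Route) -> Tuple[bool, Route]:
    """Walk rules in ascending ID order; the first matching rule decides.
    Returns (permitted, route); the returned route carries any set-* changes
    and the input route is left untouched. No match -> implicit deny."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if not rule_matches(rule, route):
            continue
        if rule.action == "deny":
            return False, route
        changes = {}
        if rule.set_metric is not None:
            changes["metric"] = rule.set_metric
        if rule.set_tag is not None:
            changes["tag"] = rule.set_tag
        if rule.set_ip_nexthop is not None:
            changes["nexthop"] = rule.set_ip_nexthop
        return True, replace(route, **changes)
    return False, route  # the default (last) rule denies everything


# The page's rtmp2 example expressed as rule objects.
RTMP2 = [
    Rule(1, action="deny", match_ip_address="acc_list2"),
    Rule(2, action="permit", match_metric=2, set_metric=4),
]

# Extra rule set (constructed, not from the page) showing that two match-*
# conditions on one rule are ANDed: metric 3 alone is not enough.
AND_DEMO = [
    Rule(10, action="permit", match_metric=3, match_tag=100,
         set_ip_nexthop="198.51.100.1"),
]

if __name__ == "__main__":
    for r in (Route("10.20.5.0/24", 2), Route("172.16.0.0/12", 2),
              Route("172.16.0.0/12", 3)):
        print(r.prefix, apply_route_map(RTMP2, r))
```

Running the script shows the three outcomes the page's bullet list describes: a route inside acc_list2 is denied by rule 1 before rule 2 is ever consulted, a route outside the list with metric 2 is permitted with its metric rewritten to 4, and a route matching neither rule falls through to the implicit deny.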
Using route maps with BGP
When a connection is established between BGP peers, the two peers exchange all of their BGP route entries. Afterward, they exchange updates that only include changes to the existing routing information. Several BGP entries may be present in a route-map table. You can limit the number of received or advertised BGP routes and routing updates using route maps. Use the config router route-map command to create, edit, or delete a route map.
When you specify a route map for the dampening-route-map value through the config router bgp command (see router bgp), the FortiGate unit ignores global dampening settings. You cannot set global dampening settings for the FortiGate unit and then override those values through a route map.
config rule variables
match-as-path
Enter the AS-path list name that will be used to match BGP route prefixes. You must create the AS-path list before it can be selected here.
match-community
Enter the community list name that will be used to match BGP routes according to their COMMUNITY attributes. You must create the community list before it can be selected here.
match-community-exact
This field is only available when match-community is set. Enable or disable an exact match of the BGP route community specified by the match-community field.
match-origin
Enter a value to compare to the ORIGIN attribute of a routing update:
- egp - set the value to the NLRI learned from the Exterior Gateway Protocol (EGP). The FortiGate unit has the second-highest preference for routes of this type.
- igp - set the value to the NLRI learned from a protocol internal to the originating AS. The FortiGate unit has the highest preference for routes learned through Internal Gateway Protocol (IGP).
- incomplete - match routes that were learned some other way (for example, through redistribution).
- none - disable the matching of BGP routes based on the origin of the route.
set-aggregator-as
Set the originating AS of an aggregated route. The value specifies at which AS the aggregate route originated. The range is from 1 to 65,535. The set-aggregator-ip value must also be set to further identify the originating AS.
set-aggregator-ip
This field is available when set-aggregator-as is set. Set the IP address of the BGP router that originated the aggregate route. The value should be identical to the FortiGate unit router-id value (see router bgp).
set-aspath
Modify the FortiGate unit AS_PATH attribute and add to it the AS numbers of the AS path belonging to a BGP route. The resulting path describes the autonomous systems along the route to the destination specified by the NLRI. The range is from 1 to 65,535.
The set-aspath value is added to the beginning of the AS_SEQUENCE segment of the AS_PATH attribute of incoming routes, or to the end of the AS_SEQUENCE segment of the AS_PATH attribute of outgoing routes.
Enclose all AS numbers in quotes if there are multiple occurrences of the same id_integer. Otherwise the AS path may be incomplete.
set-atomic-aggregate
Enable or disable a warning to upstream routers through the ATOMIC_AGGREGATE attribute that address aggregation has occurred on an aggregate route. This value does not have to be specified when an as-set value is specified in the aggregate-address table (see “config aggregate-address, config aggregate-address6” on page 339).
set-community-delete
Remove the COMMUNITY attributes from the BGP routes identified in the specified community list. You must create the community list first before it can be selected here (see router community-list).
set-community
Set the COMMUNITY attribute of a BGP route.
- Use decimal notation to set a specific COMMUNITY attribute for the route. The value has the syntax AA:NN, where AA represents an AS, and NN is the community identifier. Delimit complex expressions with double-quotation marks (for example, "123:234 345:456").
- To make the route part of the Internet community, select internet.
- To make the route part of the LOCAL_AS community, select local-AS.
- To make the route part of the NO_ADVERTISE community, select no-advertise.
- To make the route part of the NO_EXPORT community, select no-export.
set-community-additive
This field is available when set-community is set. Enable or disable the appending of the set-community value to a BGP route.
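The three community-related options above (set-community, set-community-additive and set-community-delete) are illustrated by the following Python helper, added here as an example and not part of FortiOS. It parses the AA:NN and keyword forms the page lists into 32-bit community values and applies the replace-versus-append behaviour. Assumptions: the keyword names are mapped to the RFC 1997 well-known values (with internet taken as the conventional 0:0), a bare integer token is treated as a raw 32-bit value, and a community list is modelled as a plain list of tokens rather than the separate router community-list object FortiOS uses.

```python
from typing import List

# Well-known community values from RFC 1997. Mapping the page's keyword
# names onto these values, and "internet" onto 0:0, is an assumption.
WELL_KNOWN = {
    "internet": 0x00000000,
    "no-export": 0xFFFFFF01,
    "no-advertise": 0xFFFFFF02,
    "local-AS": 0xFFFFFF03,   # NO_EXPORT_SUBCONFED
}
WELL_KNOWN_NAMES = {v: k for k, v in WELL_KNOWN.items()}


def parse_community(token: str) -> int:
    """One token -> 32-bit community value. Accepts AA:NN, a keyword, or a
    bare integer (assumed here to be the raw 32-bit value)."""
    if token in WELL_KNOWN:
        return WELL_KNOWN[token]
    if ":" in token:
        aa_s, nn_s = token.split(":", 1)
        aa, nn = int(aa_s), int(nn_s)
        if not (0 <= aa <= 0xFFFF and 0 <= nn <= 0xFFFF):
            raise ValueError(f"AA and NN must each fit in 16 bits: {token}")
        return (aa << 16) | nn
    value = int(token)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"community value out of range: {token}")
    return value


def parse_community_string(text: str) -> List[int]:
    """Whitespace-separated list, e.g. the quoted "123:234 345:456" form."""
    return [parse_community(t) for t in text.split()]


def format_community(value: int) -> str:
    """Render a value as its keyword, or as AA:NN."""
    return WELL_KNOWN_NAMES.get(value, f"{value >> 16}:{value & 0xFFFF}")


def apply_set_community(existing: List[int], new: List[int],
                        additive: bool) -> List[int]:
    """set-community: replace the attribute, or, with set-community-additive
    enabled, append to it (order kept, duplicates dropped)."""
    result = list(existing) if additive else []
    for c in new:
        if c not in result:
            result.append(c)
    return result


def apply_set_community_delete(existing: List[int],
                               community_list: List[str]) -> List[int]:
    """set-community-delete: drop every community named in the list."""
    to_drop = {parse_community(t) for t in community_list}
    return [c for c in existing if c not in to_drop]


if __name__ == "__main__":
    route_comms = parse_community_string("65000:100")   # constructed sample
    added = parse_community_string("123:234 345:456 no-export")
    for additive in (False, True):
        out = apply_set_community(route_comms, added, additive)
        print("additive" if additive else "replace",
              [format_community(c) for c in out])
```

The additive flag is the whole point of set-community-additive: without it, a route arriving with 65000:100 leaves the rule carrying only the communities named in set-community, which is easy to miss when a downstream policy keys on the original tag.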
set-dampening-reachability-half-life
Set the dampening reachability half-life of a BGP route (in minutes). The range is from 1 to 45.
set-dampening-reuse
Set the value at which a dampened BGP route will be reused. The range is from 1 to 20 000. If you set set-dampening-reuse, you must also set set-dampening-suppress and set-dampening-max-suppress.
set-dampening-suppress
Set the limit at which a BGP route may be suppressed. The range is from 1 to 20 000. See also dampening-suppress under router bgp.
set-dampening-max-suppress
Set the maximum time (in minutes) that a BGP route can be suppressed. The range is from 1 to 255. See also dampening-max-suppress-time <minutes_integer> under router bgp.
set-dampening-unreachability-half-life
Set the unreachability half-life of a BGP route (in minutes). The range is from 1 to 45. See also dampening-unreachability-half-life under router bgp.
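The four dampening values above (half-life, reuse, suppress and max-suppress) only make sense together, and the following Python model, added here as an example and not FortiOS code, shows how they interact. It follows the RFC 2439 flap-damping scheme: each flap adds a fixed penalty (1000, an assumption; the page gives no per-flap figure), the penalty halves every half-life minutes, a route is suppressed once the penalty exceeds the suppress limit and is reused once it decays to the reuse limit, and max-suppress caps the penalty at reuse * 2^(max-suppress / half-life). The parameter values and flap times are constructed; whether the FortiGate implementation matches this model in every detail is an assumption.

```python
import math
from dataclasses import dataclass
from typing import List, Tuple

FLAP_PENALTY = 1000.0   # penalty added per flap (RFC 2439 convention; assumed)


@dataclass(frozen=True)
class Dampening:
    half_life: int      # minutes (page range 1-45)
    reuse: int          # page range 1-20 000
    suppress: int       # page range 1-20 000
    max_suppress: int   # minutes (page range 1-255)


def decay(penalty: float, minutes: float, half_life: int) -> float:
    """The penalty halves every half_life minutes."""
    return penalty * 0.5 ** (minutes / half_life)


def max_penalty(p: Dampening) -> float:
    """Ceiling implied by max-suppress: the largest penalty that still decays
    back down to the reuse limit within max_suppress minutes."""
    return p.reuse * 2 ** (p.max_suppress / p.half_life)


def minutes_until_reuse(penalty: float, p: Dampening) -> float:
    """How long a route with this penalty stays suppressed."""
    if penalty <= p.reuse:
        return 0.0
    return p.half_life * math.log2(penalty / p.reuse)


def check_config(p: Dampening) -> List[str]:
    """Sanity checks on the relationship between the four values."""
    issues = []
    if p.reuse >= p.suppress:
        issues.append("reuse must be lower than suppress")
    if max_penalty(p) < p.suppress:
        issues.append("max-suppress too short: the penalty ceiling never "
                      "reaches the suppress limit, so the route is never dampened")
    return issues


def route_state(flap_times: List[float], now: float,
                p: Dampening) -> Tuple[float, bool]:
    """Replay flaps (in minutes) up to `now`; return (penalty, suppressed)."""
    events = sorted((t, True) for t in flap_times if t <= now) + [(now, False)]
    penalty, suppressed, last = 0.0, False, 0.0
    ceiling = max_penalty(p)
    for t, is_flap in events:
        penalty = decay(penalty, t - last, p.half_life)
        if is_flap:
            penalty = min(penalty + FLAP_PENALTY, ceiling)
        if not suppressed and penalty > p.suppress:
            suppressed = True
        elif suppressed and penalty <= p.reuse:
            suppressed = False
        last = t
    return penalty, suppressed


if __name__ == "__main__":
    # Constructed parameters: 15 min half-life, reuse 750, suppress 2000,
    # max-suppress 60 min. Three flaps at t=0 push the penalty to 3000.
    params = Dampening(half_life=15, reuse=750, suppress=2000, max_suppress=60)
    print("issues:", check_config(params))
    for now in (0, 15, 29, 30):
        print(f"t={now:>2} min", route_state([0, 0, 0], now, params))
    print("max penalty:", max_penalty(params))
```

With these values three flaps suppress the route and it comes back exactly 30 minutes later (two half-lives take 3000 down to 750). check_config flags the common misconfiguration where max-suppress is shorter than the time needed for the penalty to climb past the suppress limit: with max-suppress 15 the ceiling is only 1500, so dampening can never trigger.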
set-extcommunity-rt
Set the target extended community (in decimal notation) of a BGP route. The COMMUNITY attribute value has the syntax AA:NN, where AA represents an AS, and NN is the community identifier.
set-extcommunity-soo
Set the site-of-origin extended community (in decimal notation) of a BGP route. The COMMUNITY attribute value has the syntax AA:NN, where AA represents an AS, and NN is the community identifier.
set-local-preference
Set the LOCAL_PREF value of an IBGP route. The value is advertised to IBGP peers. The range is from 0 to 4,294,967,295. A higher number signifies a preferred route among multiple routes to the same destination.
set-originator-id
Set the ORIGINATOR_ID attribute, which is equivalent to the router-id of the originator of the route in the local AS. Route reflectors use this value to prevent routing loops.
set-origin
Set the ORIGIN attribute of a local BGP route. Choose one of:
- egp - set the value to the NLRI learned from the Exterior Gateway Protocol (EGP).
- igp - set the value to the NLRI learned from a protocol internal to the originating AS.
- incomplete - if not egp or igp.
- none - disable the ORIGIN attribute.
set-weight
Set the weight of a BGP route. A route’s weight has the most influence when two identical BGP routes are compared. A higher number signifies a greater preference. The range is from 0 to 2,147,483,647.