Administration Guide

Route filtering with a distribution list

During BGP operations, routes can be propagated between BGP peers and redistributed from other routing protocols. In some situations, advertising routes from one peer to another might need to be prevented.

The Basic BGP example explains using a route map to filter routes that are learned from iBGP to prevent them from propagating to an eBGP peer. In this example, a distribution list is used to prevent certain routes from one peer from being advertised to another peer.

  • A company has its own web and email servers in an OSPF area, and needs to advertise routes to these resources to external peers. Users, routers, and other servers all reside in the OSPF area.

  • The FortiGate acts as the BGP border router, redistributing routes from the company's network to its BGP peers. It is connected to the OSPF area using its DMZ interface.

  • Two ISP managed BGP peers in an AS (Peer 1 and Peer 2) are used to access the internet, and routes must not be advertised from Peer 1 to Peer 2. The manufacturers of these routers, and information about other devices on the external BGP AS, are not known.

  • Routes to the BGP peers are redistributed so that external locations can access the web and email servers in the OSPF area. The FortiGate device's external interfaces and the BGP peers are in different ASs, and form eBGP peers.

  • Other networking devices must be configured for BGP. The peer routers must be updated with the FortiGate device's BGP information, including IP addresses, AS number, and any specific capabilities that are used, such as IPv6, graceful restart, BFD, and so on.

  • It is assumed that security policies have been configured to allow traffic between the networks and NAT is not used. To tighten security, only the required services should be allowed inbound to the various servers.

  • In a real life scenario, public IP addresses would be used in place of private IP addresses.

Configuring BGP

In this example, Peer 1 routes are blocked from being advertised to Peer 2 using an access list. All incoming routes from Peer 1 are blocked when updates are sent to Peer 2.

Routes learned from OSPF are redistributed into BGP. EBGP multi path is enabled to load-balance traffic between the peers using ECMP. See Equal cost multi-path for more information.

To configure BGP in the GUI:
  1. Configure an access list to block Peer 1 routes:

    1. Go to Network > Routing Objects and click Create New > Access List.

    2. Set Name to block_peer1.

    3. In the Rules table, click Create New.

    4. Set Action to Deny.

    5. Enable Exact Match and specify the prefix 172.21.111.0 255.255.255.0.

    6. Click OK.

    7. Click OK.

  2. Configure BGP:

    1. Go to Network > BGP.

    2. Set Local AS to 65001.

    3. Set Router ID to 10.11.201.110.

    4. In the Neighbors table, click Create New and set the following:

      IP: 172.21.111.5

      Remote AS: 65001

    5. Click OK.

    6. In the Neighbors table, click Create New again and set the following:

      IP: 172.22.222.5

      Remote AS: 65001

      Distribute list out: Enable, and select the block_peer1 access list.

    7. Click OK.

    8. Under IPv4 Redistribute, enable OSPF and select ALL.

    9. Expand Best Path Selection and enable EBGP multi path.

    10. Click Apply.

To configure BGP in the CLI:
  1. Configure an access list to block Peer 1 routes:

    config router access-list
        edit "block_peer1"
            config rule
                edit 1
                    set action deny
                    set prefix 172.21.111.0 255.255.255.0
                    set exact-match enable
                next
            end
        next
    end
  2. Configure BGP:

    config router bgp
        set as 65001
        set router-id 10.11.201.110
        set ebgp-multipath enable
        config neighbor
            edit "172.21.111.5"
                set remote-as 65001
            next
            edit "172.22.222.5"
                set distribute-list-out "block_peer1"
                set remote-as 65001
            next
        end
        config redistribute "ospf"
            set status enable
        end
    end
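The following Python script is an added illustration and is not part of this guide or of FortiOS. It models how the block_peer1 rule is evaluated against prefixes learned from Peer 1 before updates are sent to Peer 2, and shows what Exact Match changes: with exact-match enabled the rule denies only 172.21.111.0/24 itself, so a more specific prefix such as 172.21.111.0/25 (a constructed sample) is not matched by that rule. The action applied to routes that match no rule is left as a parameter, because this page does not state it; confirm the implicit behaviour of access lists in the FortiOS CLI reference before relying on it.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class AccessRule:
    """One rule of a FortiOS-style access list (modelled, not FortiOS code)."""
    action: str            # "permit" or "deny"
    prefix: str            # FortiOS notation: "172.21.111.0 255.255.255.0"
    exact_match: bool = False

    def matches(self, route: str) -> bool:
        net, mask = self.prefix.split()
        rule_net = ipaddress.ip_network(f"{net}/{mask}")
        candidate = ipaddress.ip_network(route)
        if self.exact_match:
            # Exact Match: network and mask must both be identical.
            return candidate == rule_net
        # Without exact-match the rule also covers more-specific prefixes.
        return candidate.subnet_of(rule_net)


def evaluate(rules: List[AccessRule], route: str, default_action: str) -> str:
    """First matching rule wins; default_action applies when nothing matches
    (assumption: the page does not state the implicit action, so it is a parameter)."""
    for rule in rules:
        if rule.matches(route):
            return rule.action
    return default_action


# The access list configured on this page, as a distribute-list-out towards Peer 2.
BLOCK_PEER1 = [AccessRule("deny", "172.21.111.0 255.255.255.0", exact_match=True)]


def leaked_to_peer2(rules: List[AccessRule], peer1_routes: List[str],
                    default_action: str) -> List[str]:
    """Return the Peer 1 prefixes that the outbound list would still let through to Peer 2."""
    return [r for r in peer1_routes if evaluate(rules, r, default_action) == "permit"]


if __name__ == "__main__":
    # Constructed sample: the exact prefix from the page plus a more specific one.
    sample = ["172.21.111.0/24", "172.21.111.0/25"]
    print("exact-match, permit-by-default:", leaked_to_peer2(BLOCK_PEER1, sample, "permit"))
    loose = [AccessRule("deny", "172.21.111.0 255.255.255.0", exact_match=False)]
    print("no exact-match, permit-by-default:", leaked_to_peer2(loose, sample, "permit"))
```

Compare the two printed lists against what test step 5 expects on Peer 2; if a more specific prefix should also be withheld, the rule needs exact-match disabled or an additional rule.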

Configuring OSPF

In this example, all of the traffic is within the one OSPF area, and there are other OSPF routers in the network. When adjacencies are formed, other routers receive the routes advertised from the FortiGate that are redistributed from BGP.

To configure OSPF in the GUI:
  1. Go to Network > OSPF.

  2. Set Router ID to 10.11.201.110.

  3. In the Areas table, click Create New and set the following:

    Area ID: 0.0.0.0

    Type: Regular

    Authentication: None

  4. Click OK.

  5. In the Networks table, click Create New and set the following:

    Area: 0.0.0.0

    IP/Netmask: 10.11.201.0 255.255.255.0

  6. Click OK.

  7. In the Interfaces table, click Create New and set the following:

    Name: OSPF_dmz_network

    Interface: dmz

  8. Click OK.

  9. Enable Redistribute BGP and set Metric value to 1.

  10. Click Apply.

To configure OSPF in the CLI:
config router ospf
    set router-id 10.11.201.110
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "OSPF_dmz_network"
            set interface "dmz"
        next
    end
    config network
        edit 1
            set prefix 10.11.201.0 255.255.255.0
        next
    end
    config redistribute "bgp"
        set status enable
        set metric 1
    end
end

Testing the configuration

To test this configuration, run the standard connectivity checks, and also make sure that routes are being passed between protocols as expected. Use the following checklist to help verify that the FortiGate is configured successfully:

  1. Check that the FortiGate has established peering with BGP Peer 1 and Peer 2:

    # get router info bgp summary
    # get router info bgp neighbors
  2. Check that the FortiGate has formed adjacency with OSPF neighbors:

    # get router info ospf status
    # get router info ospf neighbors
  3. Check the routing table on the FortiGate to make sure that routes from both OSPF and BGP are included:

    # get router info routing-table all
  4. Check devices in the OSPF network for internet connectivity and to confirm that routes redistributed from BGP are in their routing tables.

  5. Check the routing table on Peer 2 to confirm that no routes from Peer 1 are included.

  6. Check that the routes from the internal OSPF network are redistributed to Peer 1 and Peer 2.

  7. Verify connectivity to the HTTP and email servers.