BGP conditional advertisements for IPv6 prefix when IPv4 prefix conditions are met and vice-versa
This information is also available in the FortiOS 7.4 Administration Guide.
BGP conditional advertisement allows the router to advertise a route only when certain conditions are met. Multiple conditions can be used together, with conditional route map entries treated as an AND operator. The FortiGate supports conditional advertisement of IPv4 and IPv6 route maps with edit <advertise-routemap> under config conditional-advertise, and supports configuring IPv4 and IPv6 route maps as conditions with the condition-routemap setting.
The FortiGate can cross-check conditions involving IPv4 and IPv6 route maps and perform conditional advertisements accordingly when those conditions are met. The global option cross-family-conditional-adv in the BGP configuration settings allows this cross-checking to occur.
    config router bgp
        set cross-family-conditional-adv {enable | disable}
        config conditional-advertise
            edit <advertise-routemap>
                set advertise-routemap <string>
                set condition-routemap <name1>, <name2>, ...
                set condition-type {exist | non-exist}
            next
        end
    end
By default, the cross-family-conditional-adv setting is disabled. When disabled, the FortiGate will only check conditional route maps against the routing information base (RIB) of the IP address family (IPv4 or IPv6) that corresponds to the IP address family of the route map to be advertised conditionally.
For example, for an IPv6 conditional advertisement, if IPv4 conditional route maps have been configured, then the FortiGate will not meet any of these conditions because IPv4 routes will not exist in the IPv6 RIB. The same behavior applies for an IPv4 conditional advertisement, namely, that the FortiGate will not meet any configured IPv6 conditions since these routes will not exist in the IPv4 RIB. If routes do not match a conditional route map, then the condition is considered non-existent.
IPv4 and IPv6 BGP conditional advertisements using advertising and conditional route maps of the same IP address family are already supported in previous versions of FortiOS.
NAT64 example
In this example, the FortiGate uses NAT64 where the LAN via Router1 uses IPv6 and where Router2 is the internet gateway using IPv4.
This example assumes a pure NAT64 design with the following expectations:
The administrator of the FortiGate has the following requirements, which are implemented using IPv4 and IPv6 conditional advertisements:
- The FortiGate needs to announce IPv4 pools for NAT translation towards the internet gateway only if the IPv6 prefix exists in the routing table.
- The FortiGate needs to advertise the IPv6 address towards the LAN only if the IPv4 default route exists on the FortiGate.
The below diagram details the flow of routing advertisements:
The prefixes defined in IPv4 route map 2814 and IPv6 route map map-281 both exist, so the FortiGate advertises the route map prefix in route map 2224 (172.22.2.0/255.255.255.0) to its BGP neighbor 2.2.2.2.
For IPv6 neighbor 2003::2:2:2:2, the prefixes defined in IPv4 route map 2874 and IPv6 route map map-38 both do not exist, and the condition-type is set to non-exist, so the FortiGate advertises the route map prefix in route map map-222 (2003:172:22:1::/64) to its BGP neighbor 2003::2:2:2:2.
The FortiGate cross-checks address families in this way only when the global cross-family-conditional-adv setting is enabled; otherwise, it only checks the conditional route maps of the corresponding address family and treats any cross-family condition as non-existent.
To configure the BGP settings with address family cross-checking:
    config router bgp
        set as 65412
        set router-id 1.1.1.1
        set ibgp-multipath enable
        set network-import-check disable
        set cluster-id 1.1.1.1
        set graceful-restart enable
        set cross-family-conditional-adv enable
        config neighbor
            edit "3.3.3.3"
                set activate6 disable
                set capability-graceful-restart enable
                set soft-reconfiguration enable
                set prefix-list-out "local-out"
                set remote-as 65412
                set route-map-out "as-prepend"
                set keep-alive-timer 30
                set holdtime-timer 90
                set update-source "loopback1"
                set route-reflector-client enable
            next
            edit "2.2.2.2"
                set advertisement-interval 5
                set activate6 disable
                set capability-graceful-restart enable
                set soft-reconfiguration enable
                set remote-as 65412
                set keep-alive-timer 34
                set holdtime-timer 90
                set update-source "loopback1"
                config conditional-advertise
                    edit "2224"
                        set condition-routemap "2814" "map-281"
                    next
                end
                set route-reflector-client enable
            next
            edit "2003::2:2:2:2"
                set advertisement-interval 5
                set activate disable
                set capability-graceful-restart6 enable
                set soft-reconfiguration enable
                set soft-reconfiguration6 enable
                set remote-as 65412
                set keep-alive-timer 30
                set holdtime-timer 90
                set update-source "loopback1"
                config conditional-advertise6
                    edit "map-222"
                        set condition-routemap "map-38" "2874"
                        set condition-type non-exist
                    next
                end
                set route-reflector-client6 enable
            next
            edit "2003::3:3:3:3"
                set advertisement-interval 5
                set activate disable
                set capability-graceful-restart6 enable
                set soft-reconfiguration6 enable
                set remote-as 65412
                set route-map-in6 "community-del777"
                set keep-alive-timer 30
                set holdtime-timer 90
                set update-source "loopback1"
            next
        end
        config network
            edit 1
                set prefix 172.27.1.0 255.255.255.0
            next
            edit 2
                set prefix 172.27.2.0 255.255.255.0
            next
            edit 3
                set prefix 172.22.2.0 255.255.255.0
            next
        end
        config network6
            edit 1
                set prefix6 2003:172:22:1::/64
            next
        end
    end
To verify the BGP status and the BGP routing table for IPv4:
    # get router info bgp summary
    VRF 0 BGP router identifier 1.1.1.1, local AS number 65412
    BGP table version is 2
    6 BGP AS-PATH entries
    2 BGP community entries

    Neighbor        V    AS  MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/PfxRcd
    2.2.2.2         4  65412     100      148       2    0     0  00:42:22             3
    3.3.3.3         4  65412      99       99       2    0     0  00:42:05             6
    6.6.6.6         4     20       0        0       0    0     0  never     Idle (Admin)
    10.100.1.1      4     20     100      107       2    0     0  00:43:43             2
    10.100.1.5      4     20      53       57       2    0     0  00:43:42             0

    Total number of neighbors 5
    Condition route map: 2814, state 1, use 3
                         map-281, state 1, use 3
To verify the BGP status and the BGP routing table for IPv6:
    # get router info6 bgp summary
    VRF 0 BGP router identifier 1.1.1.1, local AS number 65412
    BGP table version is 3
    6 BGP AS-PATH entries
    2 BGP community entries

    Neighbor        V    AS  MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/PfxRcd
    6.6.6.6         4     20       0        0       0    0     0  never     Idle (Admin)
    10.100.1.1      4     20     100      108       3    0     0  00:43:51             0
    10.100.1.5      4     20      53       57       3    0     0  00:43:50             0
    2003::2:2:2:2   4  65412      98      118       3    0     0  00:42:25             1
    2003::3:3:3:3   4  65412     102      100       2    0     0  00:42:20             3

    Total number of neighbors 5
    Condition route map: map-38, state 0, use 3
                         2874, state 0, use 3
To verify the BGP routing table for IPv4 and confirm the conditional advertisement occurred:
    # get router info routing-table bgp
    Routing table for VRF=0
    B       172.22.2.0/24 [200/0] via 1.1.1.1 (recursive via 172.16.203.1, agg2), 00:00:03, [1/0]
    B       172.27.1.0/24 [200/0] via 1.1.1.1 (recursive via 172.16.203.1, agg2), 00:37:30, [1/0]
    B       172.27.2.0/24 [200/0] via 1.1.1.1 (recursive via 172.16.203.1, agg2), 00:37:30, [1/0]
    B       172.27.5.0/24 [200/0] via 1.1.1.1 (recursive via 172.16.203.1, agg2), 00:37:30, [1/0]
    B       172.27.6.0/24 [200/0] via 1.1.1.1 (recursive via 172.16.203.1, agg2), 00:37:30, [1/0]
    B       172.27.7.0/24 [200/0] via 1.1.1.1 (recursive via 172.16.203.1, agg2), 00:37:30, [1/0]
    B       172.27.8.0/24 [200/0] via 1.1.1.1 (recursive via 172.16.203.1, agg2), 00:37:30, [1/0]
    B       172.29.1.0/24 [200/0] via 1.1.1.1 (recursive via 172.16.203.1, agg2), 00:37:30, [1/0]
    B       172.29.2.0/24 [200/0] via 1.1.1.1 (recursive via 172.16.203.1, agg2), 00:37:30, [1/0]
To verify the BGP routing table for IPv6 and confirm the conditional advertisement occurred:
    # get router info6 routing-table bgp
    Routing table for VRF=0
    B       2003:172:22:1::/64 [200/0] via 2003::1:1:1:1 (recursive via 2003:172:16:203::1, agg2), 00:00:01, [1024/0]
    B       2003:172:28:1::/64 [200/0] via 2003::3:3:3:3 (recursive via fe80::a5b:eff:feeb:ca45, port1), 00:37:59, [1024/0]
    B       2003:172:28:2::/64 [200/0] via 2003::3:3:3:3 (recursive via fe80::a5b:eff:feeb:ca45, port1), 00:37:59, [1024/0]
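When this verification is scripted rather than read by eye, the useful signal is the "Condition route map:" section of the summary output, which lists each condition route map with its state. In the outputs above, state is 1 for 2814 and map-281 (whose prefixes exist) and 0 for map-38 and 2874 (whose prefixes do not), so the state field can be read as "condition route map currently matches routes"; the "use" field is not explained on this page and is only carried through. The following parser is an added example and not FortiOS or Fortinet code; the sample text is reproduced from the outputs above, and the helper names are this example's own.

```python
import re

# Matches one entry of the "Condition route map:" section, e.g. "2814, state 1, use 3".
CONDITION_RE = re.compile(r"(?P<name>[\w.-]+),\s+state\s+(?P<state>\d+),\s+use\s+(?P<use>\d+)")
MARKER = "Condition route map:"

# Sample text reproduced from the page's "get router info bgp summary" output (trimmed).
SAMPLE_V4_SUMMARY = """\
Total number of neighbors 5
Condition route map: 2814, state 1, use 3
                     map-281, state 1, use 3
"""

# Sample text reproduced from the page's "get router info6 bgp summary" output (trimmed).
SAMPLE_V6_SUMMARY = """\
Total number of neighbors 5
Condition route map: map-38, state 0, use 3
                     2874, state 0, use 3
"""


def parse_condition_states(summary_text: str) -> dict:
    """Return {route_map_name: (state, use)} parsed from the text after the marker.

    Only the part after "Condition route map:" is scanned, so neighbor table rows
    (which also contain numbers) cannot be mistaken for condition entries.
    """
    idx = summary_text.find(MARKER)
    if idx < 0:
        return {}
    tail = summary_text[idx + len(MARKER):]
    return {m["name"]: (int(m["state"]), int(m["use"])) for m in CONDITION_RE.finditer(tail)}


def condition_mismatches(summary_text: str, expected_states: dict) -> list:
    """Compare parsed states against what the operator expects.

    expected_states maps route map name -> expected state (1 = routes matched, 0 = none).
    Returns a list of human-readable mismatch strings; an empty list means all good.
    """
    actual = parse_condition_states(summary_text)
    problems = []
    for name, want in expected_states.items():
        if name not in actual:
            problems.append(f"{name}: not present in output")
            continue
        got = actual[name][0]
        if got != want:
            problems.append(f"{name}: state {got}, expected {want}")
    return problems


if __name__ == "__main__":
    print(parse_condition_states(SAMPLE_V4_SUMMARY))
    print(condition_mismatches(SAMPLE_V6_SUMMARY, {"map-38": 0, "2874": 0}))
```

In practice the summary text would come from the CLI output of the two commands above; the expected-state dictionary encodes the design intent (for the NAT64 example, both IPv4 conditions at state 1 and both IPv6 conditions at state 0), so a non-empty mismatch list flags a routing change that would silently alter what is advertised.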
Behavior when address family cross-checking is disabled
Using a similar BGP configuration with cross-family-conditional-adv disabled, note the following behavior based on the condition type.
When the condition type is set to exist:
    config router bgp
        set cross-family-conditional-adv disable
        config neighbor
            edit "2.2.2.2"
                config conditional-advertise
                    edit "222v4"
                        set condition-routemap "4-281" "6-281"
                        set condition-type exist
                    next
                end
            next
        end
    end
The FortiGate will only check the IPv4 RIB table to see if there is a matching IP address for each route map. Any IPv6 address under the route map will not get checked in the corresponding IPv6 RIB table, and the condition result will be non-existent. The 222v4 route map will not advertise to its neighbor because the result is non-existent, while the condition type is exist.
When the condition type is set to non-exist:
    config router bgp
        set cross-family-conditional-adv disable
        config neighbor
            edit "2003::2:2:2:2"
                config conditional-advertise6
                    edit "v6-222"
                        set condition-routemap "v6-238" "v4-287"
                        set condition-type non-exist
                    next
                end
            next
        end
    end
If the v6-238 IPv6 prefix does not exist in the IPv6 RIB table, then the FortiGate will only check v4-287 in the IPv6 RIB table. The FortiGate will not find it because it is an IPv4 address. Since the condition type is also non-exist, route map v6-222 will be advertised to its neighbor.
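The evaluation rules described on this page (conditions combined as AND; a condition route map checked against the RIB of its own family only when cross-family-conditional-adv is enabled, and otherwise against the RIB of the advertised family, where a cross-family map can never match and so counts as non-existent) are small enough to model in code. The block below is an added example written for this page, not FortiOS code: it reduces a route map to the set of prefixes it matches, takes a RIB as a set of prefixes, and evaluates both the NAT64 scenario above and the two "cross-checking disabled" cases in this section. The prefixes assigned to route maps 2814, map-281, map-38 and 2874 are constructed, since the page does not list their contents; the route map names are the page's own. It also carries the rule one step further than the page's examples, to the case where a non-exist condition names an IPv4 route map whose prefix really is in the IPv4 RIB: with cross-checking disabled the IPv6 advertisement still goes out, which is the behavior an operator relying on a default-route condition needs to be aware of.

```python
from ipaddress import ip_network, IPv6Network


def prefix_family(prefix: str) -> int:
    """Return 4 or 6 for a prefix string such as '172.27.1.0/24' or '2003:172:22:1::/64'."""
    return 6 if isinstance(ip_network(prefix, strict=False), IPv6Network) else 4


class RouteMap:
    """A condition route map reduced to the set of prefixes it matches (one address family)."""

    def __init__(self, name: str, prefixes):
        self.name = name
        self.prefixes = {ip_network(p, strict=False) for p in prefixes}
        families = {prefix_family(p) for p in prefixes}
        if len(families) != 1:
            raise ValueError(f"{name}: a route map must match a single address family")
        self.family = families.pop()


def build_rib(prefixes) -> set:
    """A RIB modeled as the set of prefixes currently installed."""
    return {ip_network(p, strict=False) for p in prefixes}


def route_map_has_routes(rib: set, rmap: RouteMap) -> bool:
    """A condition route map 'exists' when any prefix it matches is present in the RIB checked."""
    return any(p in rib for p in rmap.prefixes)


def should_advertise(adv_family: int, condition_maps, condition_type: str, ribs: dict,
                     cross_family: bool) -> bool:
    """Decide whether the advertise route map is sent, following the page's rules.

    adv_family:     4 or 6, the family of the route map being advertised conditionally
    condition_maps: RouteMap objects listed under condition-routemap (AND semantics)
    condition_type: "exist" or "non-exist"
    ribs:           {4: <IPv4 RIB set>, 6: <IPv6 RIB set>}
    cross_family:   value of cross-family-conditional-adv
    """
    if condition_type not in ("exist", "non-exist"):
        raise ValueError(f"unknown condition-type {condition_type!r}")
    for rmap in condition_maps:
        # Enabled: check each condition map in the RIB of its own family.
        # Disabled: only the advertised family's RIB is consulted, so a cross-family
        # map can never match and is treated as non-existent.
        rib = ribs[rmap.family] if cross_family else ribs[adv_family]
        exists = route_map_has_routes(rib, rmap)
        if condition_type == "exist" and not exists:
            return False
        if condition_type == "non-exist" and exists:
            return False
    return True


def page_scenarios() -> dict:
    """Evaluate the page's scenarios; RIB contents and route map prefixes are constructed."""
    ribs = {
        4: build_rib(["0.0.0.0/0", "172.27.1.0/24", "172.27.2.0/24"]),
        6: build_rib(["2003:172:28:1::/64", "2003:172:28:2::/64"]),
    }
    v4_present = RouteMap("2814", ["172.27.1.0/24"])        # constructed: exists in IPv4 RIB
    v6_present = RouteMap("map-281", ["2003:172:28:1::/64"])  # constructed: exists in IPv6 RIB
    v6_absent = RouteMap("map-38", ["2003:172:38:1::/64"])   # constructed: not in IPv6 RIB
    v4_absent = RouteMap("2874", ["172.28.74.0/24"])         # constructed: not in IPv4 RIB
    return {
        # NAT64 example: cross-checking enabled
        "nat64_v4_exist_enabled": should_advertise(4, [v4_present, v6_present], "exist", ribs, True),
        "nat64_v6_nonexist_enabled": should_advertise(6, [v6_absent, v4_absent], "non-exist", ribs, True),
        # Cross-checking disabled: the IPv6 condition is never found in the IPv4 RIB
        "v4_exist_disabled": should_advertise(4, [v4_present, v6_present], "exist", ribs, False),
        "v6_nonexist_disabled": should_advertise(6, [v6_absent, v4_absent], "non-exist", ribs, False),
        # Beyond the page's cases: the IPv4 route really exists, but disabled cross-checking
        # still reports it as non-existent, so the non-exist advertisement still happens.
        "v6_nonexist_disabled_v4_present": should_advertise(6, [v6_absent, v4_present], "non-exist", ribs, False),
        "v6_nonexist_enabled_v4_present": should_advertise(6, [v6_absent, v4_present], "non-exist", ribs, True),
    }


if __name__ == "__main__":
    for name, result in page_scenarios().items():
        print(f"{name}: {'advertise' if result else 'withhold'}")
```

The model deliberately reduces route map matching to prefix membership; a real route map can also match on communities, AS paths and other attributes, and the FortiGate checks its RIB rather than a flat set. The decision function is still the part worth checking before enabling or disabling cross-family-conditional-adv in a running design: the last two scenarios show that the same non-exist condition produces opposite results depending on the global setting.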