BGP conditional advertisement
BGP conditional advertisement allows the router to advertise a route only when certain conditions are met. Multiple conditions can be used together, with conditional route map entries treated as an AND operator, and IPv6 is supported.
Multiple conditions example
In this example, the FortiGate only advertises routes to its neighbor 2.2.2.2 if it learns multiple BGP routes defined in its conditional route map entry. All conditionals must be met.
To configure multiple conditions in BGP conditional advertisements:
- Configure the IPv4 prefix list:
config router prefix-list
    edit "281"
        config rule
            edit 1
                set prefix 172.28.1.0 255.255.255.0
                unset ge
                unset le
            next
        end
    next
    edit "282"
        config rule
            edit 1
                set prefix 172.28.2.0 255.255.255.0
                unset ge
                unset le
            next
        end
    next
    edit "222"
        config rule
            edit 1
                set prefix 172.22.2.0 255.255.255.0
                unset ge
                unset le
            next
        end
    next
end
- Configure the IPv4 route maps:
config router route-map
    edit "2814"
        config rule
            edit 1
                set match-ip-address "281"
            next
        end
    next
    edit "2224"
        config rule
            edit 1
                set match-ip-address "222"
            next
        end
    next
    edit "2824"
        config rule
            edit 1
                set match-ip-address "282"
            next
        end
    next
end
- Configure the IPv6 prefix list:
config router prefix-list6
    edit "adv-2226"
        config rule
            edit 1
                set prefix6 2003:172:22:1::/64
                unset ge
                unset le
            next
        end
    next
    edit "list6-1"
        config rule
            edit 1
                set prefix6 2003:172:28:1::/64
                unset ge
                unset le
            next
        end
    next
    edit "list6-2"
        config rule
            edit 1
                set prefix6 2003:172:28:2::/64
                unset ge
                unset le
            next
        end
    next
end
- Configure the IPv6 route maps:
config router route-map
    edit "map-2226"
        config rule
            edit 1
                set match-ip6-address "adv-2226"
            next
        end
    next
    edit "map-2816"
        config rule
            edit 1
                set match-ip6-address "list6-1"
            next
        end
    next
    edit "map-2826"
        config rule
            edit 1
                set match-ip6-address "list6-2"
            next
        end
    next
end
- Configure the BGP settings:
config router bgp
    config neighbor
        edit "2.2.2.2"
            config conditional-advertise
                edit "2224"
                    set condition-routemap "2814" "2824"
                    set condition-type non-exist
                next
            end
        next
        edit "2003::2:2:2:2"
            config conditional-advertise6
                edit "map-2226"
                    set condition-routemap "map-2816" "map-2826"
                next
            end
            set route-reflector-client6 enable
        next
    end
end
To verify the IPv4 conditional advertisements:
# get router info bgp neighbors 2.2.2.2
...
Conditional advertise-map:
  Adv-map 2224root
    2814root, cond-state 0-1
    2824root, cond-state 0-1
...
In this output, the condition is that the routes matched by route maps 2814 and 2824 do not exist. However, routes for both 2814 and 2824 exist, so the conditions are not met and 2224 is not advertised.
To verify the IPv6 conditional advertisements:
# get router info6 bgp neighbors 2003::2:2:2:2
...
Conditional advertise-map:
  Adv-map map-2226root
    map-2816root, cond-state 1-1
    map-2826root, cond-state 1-0
...
In this output, the condition is that the routes matched by route maps map-2816 and map-2826 both exist. A route for map-2816 exists but none for map-2826 does, so the conditions are not met and map-2226 is not advertised.
To view the conditional route maps:
# diagnose ip router command show-vrf root show running router bgp
...
 neighbor 2.2.2.2 advertise-map 2224root exist-map 2814root
 neighbor 2.2.2.2 advertise-map 2224root exist-map 2824root
...
...
!
address-family ipv6
 neighbor 2003::2:2:2:2 advertise-map map-2226root non-exist-map map-2816root
 neighbor 2003::2:2:2:2 advertise-map map-2226root non-exist-map map-2826root
!
IPv6 example 1
In this example, the FortiGate advertises its local network to the secondary router only when the primary router is down. The FortiGate detects that the primary router is down by the absence of a route learned from it.
- When the FortiGate learns route 2003:172:28:1::/64 from the primary router, it does not advertise its local route (2003:172:22:1::/64) to the secondary router.
- When the FortiGate does not learn route 2003:172:28:1::/64 from the primary router, it advertises its local route (2003:172:22:1::/64) to the secondary router.
- The BGP conditional advertisement condition is set to be true if the condition route map (2003:172:28:1::/64) is not matched (non-exist).
To configure BGP conditional advertisement with IPv6:
- Configure the IPv6 prefix lists:
config router prefix-list6
    edit "adv-222"
        config rule
            edit 1
                set prefix6 2003:172:22:1::/64
                unset ge
                unset le
            next
        end
    next
    edit "lrn-281"
        config rule
            edit 1
                set prefix6 2003:172:28:1::/64
                unset ge
                unset le
            next
        end
    next
end
- Configure the route maps:
config router route-map
    edit "map-221"
        config rule
            edit 1
                set match-ip6-address "adv-222"
            next
        end
    next
    edit "map-281"
        config rule
            edit 1
                set match-ip6-address "lrn-281"
            next
        end
    next
end
- Configure BGP:
config router bgp
    set as 65412
    set router-id 1.1.1.1
    set ibgp-multipath enable
    set network-import-check disable
    set graceful-restart enable
    config neighbor
        edit "2003::2:2:2:2"
            set soft-reconfiguration6 enable
            set remote-as 65412
            set update-source "loopback1"
            config conditional-advertise6
                edit "map-221"
                    set condition-routemap "map-281"
                    set condition-type non-exist
                next
            end
        next
        edit "2003::3:3:3:3"
            set soft-reconfiguration6 enable
            set remote-as 65412
            set update-source "loopback1"
        next
    end
end
In this configuration, if the route matched by route map map-281 does not exist in the routing table, the FortiGate advertises the route matched by route map map-221 to neighbor 2003::2:2:2:2.
- Verify the routing table:
# get router info6 routing-table bgp
B       2003:172:28:1::/64 [200/0] via 2003::3:3:3:3 (recursive via ****::***:***:****:****, port9), 01:23:45
B       2003:172:28:2::/64 [200/0] via 2003::3:3:3:3 (recursive via ****::***:***:****:****, port9), 23:09:22
When the FortiGate learns 2003:172:28:1::/64, it will not advertise its local route 2003:172:22:1::/64 to neighbor 2003::2:2:2:2. If the FortiGate has not learned 2003:172:28:1::/64, it will advertise its local route 2003:172:22:1::/64 to neighbor 2003::2:2:2:2.
IPv6 example 2
With the same IPv6 prefix lists and route maps, when the FortiGate does learn 2003:172:28:1::/64, it advertises local route 2003:172:22:1::/64 to the secondary router. The BGP conditional advertisement condition is set to be true if the condition route map is matched (exist).
To configure BGP conditional advertisement with IPv6:
- Configure BGP:
config router bgp
    config neighbor
        edit "2003::2:2:2:2"
            config conditional-advertise6
                edit "map-221"
                    set condition-routemap "map-281"
                    set condition-type exist
                next
            end
        next
    end
end
- Verify the routing table:
# get router info6 routing-table bgp
B       2003:172:28:1::/64 [200/0] via 2003::3:3:3:3 (recursive via ****::***:***:****:****, port9), 01:23:45
B       2003:172:28:2::/64 [200/0] via 2003::3:3:3:3 (recursive via ****::***:***:****:****, port9), 23:09:22
When the FortiGate learns 2003:172:28:1::/64, it will advertise its local route 2003:172:22:1::/64 to neighbor 2003::2:2:2:2. If the FortiGate has not learned route 2003:172:28:1::/64, it will not advertise its local route 2003:172:22:1::/64 to neighbor 2003::2:2:2:2.
BGP conditional advertisements for IPv6 prefixes when IPv4 prefix conditions are met, and vice versa
The FortiGate supports conditional advertisement of IPv4 and IPv6 route maps with edit <advertise-routemap> under config conditional-advertise, and supports configuring IPv4 and IPv6 route maps as conditions with the condition-routemap setting.
The FortiGate can cross-check conditions involving IPv4 and IPv6 route maps and perform conditional advertisements accordingly when those conditions are met. The global option cross-family-conditional-adv in the BGP configuration settings allows this cross-checking to occur.
config router bgp
    set cross-family-conditional-adv {enable | disable}
    config conditional-advertise
        edit <advertise-routemap>
            set advertise-routemap <string>
            set condition-routemap <name1>, <name2>, ...
            set condition-type {exist | non-exist}
        next
    end
end
By default, the cross-family-conditional-adv setting is disabled. When disabled, the FortiGate only checks conditional route maps against the routing information base (RIB) of the IP address family (IPv4 or IPv6) that corresponds to the address family of the route map to be advertised conditionally.
For example, for an IPv6 conditional advertisement, if IPv4 conditional route maps have been configured, then the FortiGate will not meet any of these conditions because IPv4 routes will not exist in the IPv6 RIB. The same behavior applies for an IPv4 conditional advertisement, namely, that the FortiGate will not meet any configured IPv6 conditions since these routes will not exist in the IPv4 RIB. If routes do not match a conditional route map, then the condition is considered non-existent.
IPv4 and IPv6 BGP conditional advertisements using advertising and conditional route maps of the same IP address family are already supported in previous versions of FortiOS.
NAT64 example
In this example, the FortiGate uses NAT64: the LAN reached via Router1 uses IPv6, and Router2 is the internet gateway, which uses IPv4.
This example assumes a pure NAT64 design with the following expectations:
The administrator of the FortiGate has the following requirements, which are implemented using IPv4 and IPv6 conditional advertisements:
- The FortiGate needs to announce the IPv4 pools used for NAT translation towards the internet gateway only if the IPv6 prefix exists in the routing table.
- The FortiGate needs to advertise the IPv6 address towards the LAN only if the IPv4 default route exists on the FortiGate.
The below diagram details the flow of routing advertisements:
The prefixes defined in IPv4 route map 2814 and IPv6 route map map-281 both exist, so the FortiGate advertises the prefix in route map 2224 (172.22.2.0/255.255.255.0) to its BGP neighbor 2.2.2.2.
For IPv6 neighbor 2003::2:2:2:2, the prefixes defined in IPv4 route map 2874 and IPv6 route map map-38 both do not exist, and the condition-type is set to non-exist, so the FortiGate advertises the prefix in route map map-222 (2003:172:22:1::/64) to its BGP neighbor 2003::2:2:2:2.
Only when the global cross-family-conditional-adv setting is enabled does the FortiGate cross-check the other address family; otherwise, it checks each condition only in the RIB of the advertised route map's own family and treats conditions of the other family as non-existent.
To configure the conditional advertisement to BGP neighbor 2.2.2.2 and its conditional route maps:
- Configure the IPv4 prefix lists:
config router prefix-list
    edit "281"
        config rule
            edit 1
                set prefix 172.28.1.0 255.255.255.0
                unset ge
                unset le
            next
        end
    next
    edit "222"
        config rule
            edit 1
                set prefix 172.22.2.0 255.255.255.0
                unset ge
                unset le
            next
        end
    next
end
- Configure the IPv6 prefix list:
config router prefix-list6
    edit "list6-1"
        config rule
            edit 1
                set prefix6 2003:172:28:1::/64
                unset ge
                unset le
            next
        end
    next
end
- Configure the route maps:
config router route-map
    edit "2814"
        config rule
            edit 1
                set match-ip-address "281"
            next
        end
    next
    edit "map-281"
        config rule
            edit 1
                set match-ip6-address "list6-1"
            next
        end
    next
    edit "2224"
        config rule
            edit 1
                set match-ip-address "222"
            next
        end
    next
end
To configure the conditional advertisement to BGP neighbor 2003::2:2:2:2 and its conditional route maps:
- Configure the IPv4 prefix list:
config router prefix-list
    edit "287"
        config rule
            edit 1
                set prefix 172.28.7.0 255.255.255.0
                unset ge
                unset le
            next
        end
    next
end
- Configure the IPv6 prefix lists:
config router prefix-list6
    edit "list6-38"
        config rule
            edit 1
                set prefix6 2003:172:38:1::/64
                unset ge
                unset le
            next
        end
    next
    edit "adv-222"
        config rule
            edit 1
                set prefix6 2003:172:22:1::/64
                unset ge
                unset le
            next
        end
    next
end
- Configure the route maps:
config router route-map
    edit "2874"
        config rule
            edit 1
                set match-ip-address "287"
            next
        end
    next
    edit "map-38"
        config rule
            edit 1
                set match-ip6-address "list6-38"
            next
        end
    next
    edit "map-222"
        config rule
            edit 1
                set match-ip6-address "adv-222"
            next
        end
    next
end
To configure the BGP settings with address family cross-checking:
config router bgp
    set as 65412
    set router-id 1.1.1.1
    set ibgp-multipath enable
    set network-import-check disable
    set cluster-id 1.1.1.1
    set graceful-restart enable
    set cross-family-conditional-adv enable
    config neighbor
        edit "3.3.3.3"
            set activate6 disable
            set capability-graceful-restart enable
            set soft-reconfiguration enable
            set prefix-list-out "local-out"
            set remote-as 65412
            set route-map-out "as-prepend"
            set keep-alive-timer 30
            set holdtime-timer 90
            set update-source "loopback1"
            set route-reflector-client enable
        next
        edit "2.2.2.2"
            set advertisement-interval 5
            set activate6 disable
            set capability-graceful-restart enable
            set soft-reconfiguration enable
            set remote-as 65412
            set keep-alive-timer 34
            set holdtime-timer 90
            set update-source "loopback1"
            config conditional-advertise
                edit "2224"
                    set condition-routemap "2814" "map-281"
                next
            end
            set route-reflector-client enable
        next
        edit "2003::2:2:2:2"
            set advertisement-interval 5
            set activate disable
            set capability-graceful-restart6 enable
            set soft-reconfiguration enable
            set soft-reconfiguration6 enable
            set remote-as 65412
            set keep-alive-timer 30
            set holdtime-timer 90
            set update-source "loopback1"
            config conditional-advertise6
                edit "map-222"
                    set condition-routemap "map-38" "2874"
                    set condition-type non-exist
                next
            end
            set route-reflector-client6 enable
        next
        edit "2003::3:3:3:3"
            set advertisement-interval 5
            set activate disable
            set capability-graceful-restart6 enable
            set soft-reconfiguration6 enable
            set remote-as 65412
            set route-map-in6 "community-del777"
            set keep-alive-timer 30
            set holdtime-timer 90
            set update-source "loopback1"
        next
    end
    config network
        edit 1
            set prefix 172.27.1.0 255.255.255.0
        next
        edit 2
            set prefix 172.27.2.0 255.255.255.0
        next
        edit 3
            set prefix 172.22.2.0 255.255.255.0
        next
    end
    config network6
        edit 1
            set prefix6 2003:172:22:1::/64
        next
    end
end
To verify the BGP status and the BGP routing table for IPv4:
# get router info bgp summary
VRF 0 BGP router identifier 1.1.1.1, local AS number 65412
BGP table version is 2
6 BGP AS-PATH entries
2 BGP community entries

Neighbor        V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
2.2.2.2         4      65412     100     148        2    0    0 00:42:22        3
3.3.3.3         4      65412      99      99        2    0    0 00:42:05        6
6.6.6.6         4         20       0       0        0    0    0 never    Idle (Admin)
10.100.1.1      4         20     100     107        2    0    0 00:43:43        2
10.100.1.5      4         20      53      57        2    0    0 00:43:42        0

Total number of neighbors 5
Condition route map: 2814, state 1, use 3
                     map-281, state 1, use 3
To verify the BGP status and the BGP routing table for IPv6:
# get router info6 bgp summary
VRF 0 BGP router identifier 1.1.1.1, local AS number 65412
BGP table version is 3
6 BGP AS-PATH entries
2 BGP community entries

Neighbor        V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
6.6.6.6         4         20       0       0        0    0    0 never    Idle (Admin)
10.100.1.1      4         20     100     108        3    0    0 00:43:51        0
10.100.1.5      4         20      53      57        3    0    0 00:43:50        0
2003::2:2:2:2   4      65412      98     118        3    0    0 00:42:25        1
2003::3:3:3:3   4      65412     102     100        2    0    0 00:42:20        3

Total number of neighbors 5
Condition route map: map-38, state 0, use 3
                     2874, state 0, use 3
To verify the BGP routing table for IPv4 and confirm the conditional advertisement occurred:
# get router info routing-table bgp
Routing table for VRF=0
B       172.22.2.0/24 [200/0] via 1.1.1.1 (recursive via 172.16.203.1, agg2), 00:00:03, [1/0]
B       172.27.1.0/24 [200/0] via 1.1.1.1 (recursive via 172.16.203.1, agg2), 00:37:30, [1/0]
B       172.27.2.0/24 [200/0] via 1.1.1.1 (recursive via 172.16.203.1, agg2), 00:37:30, [1/0]
B       172.27.5.0/24 [200/0] via 1.1.1.1 (recursive via 172.16.203.1, agg2), 00:37:30, [1/0]
B       172.27.6.0/24 [200/0] via 1.1.1.1 (recursive via 172.16.203.1, agg2), 00:37:30, [1/0]
B       172.27.7.0/24 [200/0] via 1.1.1.1 (recursive via 172.16.203.1, agg2), 00:37:30, [1/0]
B       172.27.8.0/24 [200/0] via 1.1.1.1 (recursive via 172.16.203.1, agg2), 00:37:30, [1/0]
B       172.29.1.0/24 [200/0] via 1.1.1.1 (recursive via 172.16.203.1, agg2), 00:37:30, [1/0]
B       172.29.2.0/24 [200/0] via 1.1.1.1 (recursive via 172.16.203.1, agg2), 00:37:30, [1/0]
To verify the BGP routing table for IPv6 and confirm the conditional advertisement occurred:
# get router info6 routing-table bgp
Routing table for VRF=0
B       2003:172:22:1::/64 [200/0] via 2003::1:1:1:1 (recursive via 2003:172:16:203::1, agg2), 00:00:01, [1024/0]
B       2003:172:28:1::/64 [200/0] via 2003::3:3:3:3 (recursive via fe80::a5b:eff:feeb:ca45, port1), 00:37:59, [1024/0]
B       2003:172:28:2::/64 [200/0] via 2003::3:3:3:3 (recursive via fe80::a5b:eff:feeb:ca45, port1), 00:37:59, [1024/0]
Behavior when address family cross-checking is disabled
Using a similar BGP configuration with cross-family-conditional-adv disabled, note the following behavior, which depends on the condition type.
When the condition type is set to exist:
config router bgp
    set cross-family-conditional-adv disable
    config neighbor
        edit "2.2.2.2"
            config conditional-advertise
                edit "222v4"
                    set condition-routemap "4-281" "6-281"
                    set condition-type exist
                next
            end
        next
    end
end
The FortiGate only checks the IPv4 RIB for a matching route for each condition route map. The IPv6 prefix referenced by route map 6-281 is never looked up in the IPv6 RIB, so that condition evaluates as non-existent. Because one condition is non-existent while the condition type is exist, the 222v4 route map is not advertised to the neighbor.
When the condition type is set to non-exist:
config router bgp
    set cross-family-conditional-adv disable
    config neighbor
        edit "2003::2:2:2:2"
            config conditional-advertise6
                edit "v6-222"
                    set condition-routemap "v6-238" "v4-287"
                    set condition-type non-exist
                next
            end
        next
    end
end
If the v6-238 IPv6 prefix does not exist in the IPv6 RIB, the FortiGate then checks v4-287 only in the IPv6 RIB as well. It does not find it there because v4-287 references an IPv4 prefix, so that condition is also non-existent. Since the condition type is non-exist, both conditions are satisfied and route map v6-222 is advertised to the neighbor.
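The decision rules described in this section and in the cross-family section above (all condition route maps ANDed; exist versus non-exist; cross-family-conditional-adv choosing which RIB a condition is looked up in) can be modelled in a few lines. The following Python is an added illustration written for this page, not FortiOS code: prefix-list matching with ge/le unset is assumed to be an exact-length match, and the RIB contents are constructed from the show output above. It reproduces the outcomes of the multiple-conditions example, the NAT64 example, and the behaviour with cross-checking disabled, and it adds one variant (the IPv4 condition prefix present with cross-checking enabled) to show the cross-check changing the result.

```python
"""Decision model for BGP conditional advertisement (constructed example, not FortiOS code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class PrefixRule:
    """One prefix-list rule; ge/le of None stand for 'unset ge' / 'unset le'."""
    prefix: str
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, route: str) -> bool:
        net = ipaddress.ip_network(self.prefix)
        r = ipaddress.ip_network(route)
        if net.version != r.version or not r.subnet_of(net):
            return False
        # Assumed semantics: ge and le both unset means the route must have the
        # same length as the prefix; otherwise its length must lie in [ge, le].
        if self.ge is None and self.le is None:
            return r.prefixlen == net.prefixlen
        lo = net.prefixlen if self.ge is None else self.ge
        hi = net.max_prefixlen if self.le is None else self.le
        return lo <= r.prefixlen <= hi


@dataclass
class RouteMap:
    """Route map whose rule matches a prefix list (match-ip-address / match-ip6-address)."""
    name: str
    rules: list

    @property
    def family(self) -> int:
        return ipaddress.ip_network(self.rules[0].prefix).version

    def matched_in(self, rib: set) -> bool:
        return any(rule.matches(route) for rule in self.rules for route in rib)


def evaluate(advertise: RouteMap, conditions: list, condition_type: str,
             rib4: set, rib6: set, cross_family: bool) -> dict:
    """Return each condition's match state and whether the advertise map is sent."""
    ribs = {4: rib4, 6: rib6}
    states = {}
    for cond in conditions:
        # With cross-checking disabled every condition is looked up only in the RIB
        # of the advertised map's family, so a condition of the other family can
        # never match and counts as non-existent.
        family = cond.family if cross_family else advertise.family
        states[cond.name] = cond.matched_in(ribs[family])
    if condition_type == "exist":
        ok = all(states.values())        # AND of all conditions
    elif condition_type == "non-exist":
        ok = not any(states.values())    # every condition must be absent
    else:
        raise ValueError(f"unknown condition-type {condition_type!r}")
    return {"advertise": ok, "states": states}


def rm(name: str, prefix: str) -> RouteMap:
    """Single-prefix route map, like the ones on this page."""
    return RouteMap(name, [PrefixRule(prefix)])


def page_scenarios() -> dict:
    """Outcomes of the page's scenarios, with RIBs constructed from its show output."""
    rib4 = {"172.28.1.0/24", "172.28.2.0/24", "172.27.1.0/24"}
    rib6 = {"2003:172:28:1::/64", "2003:172:28:2::/64"}
    out = {}
    # Multiple conditions example: both non-exist conditions are present, so no advertisement.
    out["multi-v4"] = evaluate(rm("2224", "172.22.2.0/24"),
                               [rm("2814", "172.28.1.0/24"), rm("2824", "172.28.2.0/24")],
                               "non-exist", rib4, set(), cross_family=False)["advertise"]
    # IPv6 part: map-2816 exists but map-2826 does not, so the ANDed exist conditions fail.
    out["multi-v6"] = evaluate(rm("map-2226", "2003:172:22:1::/64"),
                               [rm("map-2816", "2003:172:28:1::/64"), rm("map-2826", "2003:172:28:2::/64")],
                               "exist", set(), {"2003:172:28:1::/64"}, cross_family=False)["advertise"]
    # NAT64 example, neighbor 2.2.2.2: IPv4 2814 and IPv6 map-281 both exist.
    v4 = (rm("2224", "172.22.2.0/24"), [rm("2814", "172.28.1.0/24"), rm("map-281", "2003:172:28:1::/64")], "exist")
    out["nat64-v4-cross"] = evaluate(*v4, rib4, rib6, cross_family=True)["advertise"]
    # Same conditions with cross-checking disabled: map-281 is looked up in the IPv4 RIB and never matches.
    out["nat64-v4-nocross"] = evaluate(*v4, rib4, rib6, cross_family=False)["advertise"]
    # NAT64 example, neighbor 2003::2:2:2:2: map-38 and 2874 both absent, type non-exist.
    v6 = (rm("map-222", "2003:172:22:1::/64"), [rm("map-38", "2003:172:38:1::/64"), rm("2874", "172.28.7.0/24")], "non-exist")
    out["nat64-v6-cross"] = evaluate(*v6, rib4, rib6, cross_family=True)["advertise"]
    # Added variant: if 172.28.7.0/24 appears in the IPv4 RIB, cross-checking blocks the advertisement.
    out["nat64-v6-cross-v4present"] = evaluate(*v6, rib4 | {"172.28.7.0/24"}, rib6, cross_family=True)["advertise"]
    # Cross-checking disabled with non-exist: 2874 is not found in the IPv6 RIB, which still satisfies non-exist.
    out["nat64-v6-nocross"] = evaluate(*v6, rib4 | {"172.28.7.0/24"}, rib6, cross_family=False)["advertise"]
    return out


if __name__ == "__main__":
    for name, advertised in page_scenarios().items():
        print(f"{name:28s} advertise={advertised}")
```

The last two scenarios are the point of the cross-family option from an operations view: with cross-checking disabled, an IPv4 condition under an IPv6 advertise map is silently treated as absent, which is harmless for non-exist but makes an exist condition impossible to satisfy, so a misconfigured family on a condition route map shows up as a route that never gets advertised rather than as a configuration error.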