bohra_ajay
New Contributor

Dual Homed BGP - Redistribution

Hello All,

I'm new to FortiGate. I have one FortiGate 40C with FortiOS 5.2.

I have 2 ISPs, A & B, with BGP. I've terminated both ISPs on the WAN1 and WAN2 ports and have configured them as suggested in the KB below, following it word for word (except for the IPs :) ):

http://help.fortinet.com/fos50hlp/52data/Content/FortiOS/fortigate-advanced-routing-52/Routing_BGP/D...

All was working, but now the BGP routes of ISP A are being redistributed to ISP B and vice versa, which created a loop-like problem in my network and it went down. I had to shut the port of ISP B.

I am looking for a solution so that the BGP routes of the ISPs are not redistributed to each other and the failover works perfectly.

Please help me on this. Thanks

Ajay Bohra

1 Solution
emnoc
Esteemed Contributor III

Okay, a few items. 1st off, the ISP that is redistributing is not doing things correctly. You are being a transit.

2nd, YOU are not doing things correctly either ;)

What you can do

1: craft a route-map with distribution that allows just origination from your AS

or

2: set the prefixes to be advertised

 

config router access-list
    edit "export1"
        config rule
            edit 1
                set prefix 192.10.1.0 255.255.255.0
                set exact-match enable
            next
            edit 2
                set action deny
            next
        end
    next
end

{bgp neighbors}

config router bgp
    config neighbor
        edit x.x.x.x
            set remote-as 7701
            set distribute-list-out "export1"
        next
    end
end

 

That would be one way to quickly drop and filter all routes. Just add more rules b4 your deny if you have multiple prefixes.

A route-map and prefix-list can be used also:

 

 

config router prefix-list
    edit "outprefixes"
        config rule
            edit 1
                set prefix 172.9.1.0/24
                unset ge
                unset le
            next
        end
    next
end

# add more rules for each prefix you want to send

config router route-map
    edit "myexporte"
        config rule
            edit 1
                set match-ip-address "outprefixes"
            next
        end
    next
end

 

 

Just define the route-map under each BGP neighbor:

config router bgp
    config neighbor
        edit x.x.x.x
            set remote-as 7701
            set route-map-out "myexporte"
        next
        edit y.y.y.y
            set remote-as 7701
            set route-map-out "myexporte"
        next
    end
end

 

Using a route-map you can do many other items like set tags and control routes that way also. I personally like to tag inbound routes with the ISP ASN and then set a single filter that says if tag match blahblahblah, drop.

50/50 ymmv, but play around with either of the two examples to get control on your BGP advertisements. Your ISP should be doing this by default and dropping advertisements from that other ISP-ASN, but then again a lot of ISPs do not do a good job with route-control, and this is how Google prefixes were just recently hacked 1/2 weeks ago ;(

 

Ken Felix

PCNSE
NSE
StrongSwan
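An added example (not from this thread or from Fortinet) that simulates what the outbound policy above does: it models FortiOS prefix-list matching with ge/le, the implicit deny, and the tag-based filter Ken mentions, then shows which prefixes a dual-homed FortiGate would send to an ISP with no filter, with the "outprefixes" prefix-list, and with tags. The RIB contents, the tag values and ISP B's ASN 7702 are constructed assumptions.

```python
import ipaddress
from collections import namedtuple

ISP_ASNS = (7701, 7702)  # assumed: 7701 is ISP A from the thread, 7702 a constructed ISP B

# as_path is () for prefixes this FortiGate originates; tag is what an inbound
# route-map stamped on the route (the answer's "tag with the ISP ASN" idea).
Route = namedtuple("Route", "prefix as_path tag", defaults=((), 0))
# ge/le mirror FortiOS "set ge"/"set le"; both unset means exact length only.
PrefixRule = namedtuple("PrefixRule", "prefix permit ge le", defaults=(True, None, None))

def rule_matches(rule, route):
    net, want = ipaddress.ip_network(route.prefix), ipaddress.ip_network(rule.prefix)
    if not net.subnet_of(want):
        return False
    lo = rule.ge if rule.ge is not None else want.prefixlen
    hi = rule.le if rule.le is not None else (want.max_prefixlen if rule.ge is not None else want.prefixlen)
    return lo <= net.prefixlen <= hi

def prefix_list_permits(rules, route):
    for rule in rules:
        if rule_matches(rule, route):
            return rule.permit
    return False  # implicit deny at the end of every prefix-list

def advertise(rib, out_rules=None, deny_tags=()):
    """Prefixes that would leave toward an eBGP neighbour after outbound policy."""
    sent = []
    for r in rib:
        if r.tag in deny_tags:  # route-map-out: "if tag matches an ISP ASN, drop"
            continue
        if out_rules is not None and not prefix_list_permits(out_rules, r):
            continue  # distribute-list-out / route-map-out with the prefix-list
        sent.append(r.prefix)
    return sent

# Constructed RIB: our /24 plus routes learned from each ISP, tagged inbound with that ISP's ASN.
RIB = [
    Route("172.9.1.0/24"),
    Route("198.51.100.0/24", (7701, 64496), 7701),  # learned from ISP A
    Route("203.0.113.0/24", (7702, 64497), 7702),   # learned from ISP B
    Route("172.9.1.0/25", (7702, 64497), 7702),     # a more-specific of our block seen via B
]
OUTPREFIXES = [PrefixRule("172.9.1.0/24")]  # the thread's prefix-list: exact match only

def unfiltered(): return advertise(RIB)  # no outbound policy: ISP A's routes leak to B, you are transit
def by_prefix_list(): return advertise(RIB, out_rules=OUTPREFIXES)  # only our own /24 leaves
def by_tag(): return advertise(RIB, deny_tags=ISP_ASNS)  # same result with the tag approach
```

The /25 is dropped by the exact-match prefix-list even though it lies inside our block, which is why ge/le must be set deliberately if you also want to announce more-specifics.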
2 REPLIES
bohra_ajay

Hello Ken,

Thanks for the suggestion. I had googled earlier and tried using a Prefix-List, but somewhere I was doing something wrong.

I created and applied the Prefix-List as suggested by you and it's working :)

Thanks Again.
