Route map to stop advertising certain prefixes in BGP

Author
make_beer_not_war
2020/08/31 17:39:15 (permalink) 6.0
0

Route map to stop advertising certain prefixes in BGP

I'm having trouble applying a route map to stop a FortiGate 201E from advertising certain connected subnets via BGP.
 
In my examples below I've only shown one prefix. I actually have 6 I want to stop advertising. I also want this FGT to continue advertising the default route.
 
I've tried a prefix list with the deny action set on the rules, and applying the route map to the neighbor, like this:
 
config router prefix-list 
edit "ISP_allowed_eBGP"
config rule
edit 1
set action deny
set prefix 10.10.10.184 255.255.255.248
unset ge
unset le
next
 
edit 2
set prefix 0.0.0.0 0.0.0.0
unset ge
set le 32
next
end
end
 
config router route-map
edit "ISP_allowed_eBGP_route_map"
config rule
edit 1
set match-ip-address "ISP_allowed_eBGP"
next
end
next
end
 
conf router bgp
config neighbor
edit "10.10.10.189"
set route-map-out "ISP_allowed_eBGP_route_map"
next
end
end

 
I also tried creating 2 separate prefix lists and setting the deny action on the rules within the route map, like this:
config router prefix-list
edit "ISP_deny_eBGP"
config rule
edit 1
set prefix 10.10.10.184 255.255.255.248
unset ge
unset le
next
end
next
 
edit ISP_permit_eBGP
config rule
edit 1
set prefix 0.0.0.0 0.0.0.0
unset ge
set le 32
next
end
next
end
 
config router route-map
edit "ISP_allowed_eBGP_route_map"
config rule
edit 1
set match-ip-address ISP_deny_eBGP
set action deny
next
 
edit 2
set match-ip-address ISP_permit_eBGP
set action permit
next
end
 
config router bgp
config neighbor
edit "10.10.10.189"
set route-map-out "ISP_allowed_eBGP_route_map"
next
end
end

 
 
Both of these attempts failed. "get router info bgp neighbors 10.10.10.189 advertised-routes" shows that 10.10.10.184/29 is still being advertised.
Something I didn't try yet is putting the route map under the redistribute connected config, like this:
config redistribute "connected"
set status enable
set route-map "ISP_allowed_eBGP_route_map"
end

 
Is that the correct approach? If so, why would that work and not the other 2 attempts? Please help me to understand what I've done wrong and the correct approach to achieve what I want.
Thanks in advance.
#1
emnoc
Re: Route map to stop advertising certain prefixes in BGP 2020/08/31 20:37:18 (permalink)
0
Did you clear the bgp router process after applying the route-map?
 
I would do a diag debug and gather details
 
 
e.g.
 
  diag ip router bgp updates out en
  diag debug enable
 
Ken Felix

PCNSE 
NSE 
StrongSwan  
#2
Toshi Esumi
Re: Route map to stop advertising certain prefixes in BGP 2020/08/31 22:01:18 (permalink)
0
For the first one, edit 2 is questionable. I would set it like below:
edit 2
  set prefix any
  unset ge
  unset le
next
 
edit 1 looks fine. At least that's what I did for some cases and it worked.
#3
make_beer_not_war
Re: Route map to stop advertising certain prefixes in BGP 2020/08/31 22:01:53 (permalink)
0
Thanks Ken. I did not clear BGP although I did wait a few minutes. I'll reapply the config tonight and try "execute router clear bgp all out", which I assume should have the required effect. I'll enable debugging before applying the config too.
 
Do you have any advice on the correct approach to the route map, please? Would I set the deny action on the prefix list rule, or on the rule in the route map? Or both? And would I apply the route map to the neighbor, or apply it under the "config redistribute..." section (in my case it would be under redistribute connected)?
#4
make_beer_not_war
Re: Route map to stop advertising certain prefixes in BGP 2020/08/31 22:05:42 (permalink)
0
Thanks for your advice. I would have thought that
set prefix 0.0.0.0 0.0.0.0
unset ge
set le 32

 
is functionally equivalent to

set prefix any
unset ge
unset le

 
But the latter is certainly simpler. I'll give it a go.
#5
Toshi Esumi
Re: Route map to stop advertising certain prefixes in BGP 2020/08/31 22:06:32 (permalink)
0
One more thing. I wouldn't apply the route-map to the BGP neighbor clause, but to the redistribute connected clause, so the prefixes don't go into the BGP domain.
#6
Yurisk
Re: Route map to stop advertising certain prefixes in BGP 2020/08/31 22:30:36 (permalink) ☄ Helpfulby lobstercreed 2020/09/01 03:58:35
5 (2)
You have 3 ways (with slight variations) of achieving this:
  1. Create a prefix-list that explicitly lists, one by one, all networks you WANT to advertise, all as "permit". The nets that are not in this prefix list will be denied automatically. Then apply this prefix list under the BGP peer with
    set prefix-list-out <name of the prefix list>
  2. Create a prefix-list that explicitly lists, one by one, all networks you DON'T WANT to advertise, still with action "permit". Then create a route-map with the 1st action "deny" using this prefix-list, followed by the next entry in the route-map with action "allow" but without any prefix, which means "allow any nets not matched in the previous 'deny' entry". Then apply this route-map out under the BGP peer.
  3. Create a prefix-list that explicitly lists, one by one, all networks you WANT to advertise, all as "permit". The nets that are not in this prefix list will be denied automatically. Then use this prefix-list in a route-map, which you in turn apply under "router bgp" "redistribute connected". This is the preferred way, as you always want to filter closest to the source.
NOTE: It is a common practice to use "allow"-only statements in prefix-lists when you later use them in a route-map.
You may find more examples in my post: https://yurisk.info/2020/05/20/fortigate-bgp-cookbook-of-example-configuration-and-debug/ 
#7
make_beer_not_war
Re: Route map to stop advertising certain prefixes in BGP 2020/09/06 17:43:02 (permalink)
0
Thank you everyone who offered advice here. What I ended up doing was creating a prefix list containing the routes I didn't want advertised (example below shows 1, but in reality I have 6), and a separate prefix list with a catch all (as I still want to advertise the default route):
config router prefix-list
edit "ISP_deny_eBGP"
set comments "see SR #382641"
config rule
edit 1
set prefix 10.10.10.184 255.255.255.248
unset ge
unset le
next
end
next
edit "ISP_permit_eBGP"
config rule
edit 1
set prefix 0.0.0.0 0.0.0.0
unset ge
set le 32
next
end
next
end


Then created a route map with the applicable allow and deny actions: 
config router route-map
edit "ISP_allowed_eBGP_route_map"
set comments "see SR #382641"
config rule
edit 1
set action deny
set match-ip-address "ISP_deny_eBGP"
next
edit 2
set match-ip-address "ISP_permit_eBGP"
next
end
next
end


 Then I added the route map to the redistribute static config:
config router bgp
config redistribute "connected"
set status enable
set route-map "ISP_allowed_eBGP_route_map"
end
end


 I did previously try adding the map to the neighbor using "set route-map-out" as per your example, but it didn't seem to work. Possibly though that is because I didn't wait long enough, and didn't know about "execute router clear bgp all out", to clear out the route table. Regardless, the above config achieved exactly what I want.
#8
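A small Python model of the prefix-lists and route-map from the final configuration above, added here as an illustration and not posted by anyone in the thread. It assumes conventional first-match prefix-list semantics (exact length when ge/le are unset, implicit deny at the end of a list or route-map) rather than reproducing FortiOS code; the sample routes other than 10.10.10.184/29 are constructed.

```python
import ipaddress

def rule_matches(rule, route):
    """Route must sit inside the rule's prefix; with ge/le unset the prefix
    length must be exact, otherwise it must fall inside the ge..le range."""
    net = ipaddress.ip_network(rule["prefix"])
    rt = ipaddress.ip_network(route)
    if not rt.subnet_of(net):
        return False
    ge, le = rule.get("ge"), rule.get("le")
    if ge is None and le is None:
        return rt.prefixlen == net.prefixlen
    lo = ge if ge is not None else net.prefixlen
    hi = le if le is not None else 32
    return lo <= rt.prefixlen <= hi

def prefix_list_permits(plist, route):
    """First matching rule decides; no match is an implicit deny."""
    for rule in plist:
        if rule_matches(rule, route):
            return rule.get("action", "permit") == "permit"
    return False

def route_map_permits(rmap, plists, route):
    """First route-map rule whose prefix-list permits the route decides."""
    for rule in rmap:
        if prefix_list_permits(plists[rule["match"]], route):
            return rule.get("action", "permit") == "permit"
    return False  # implicit deny when no rule matches

# Prefix-lists and route-map as written in the final post of the thread
PLISTS = {
    "ISP_deny_eBGP": [{"prefix": "10.10.10.184/29"}],
    "ISP_permit_eBGP": [{"prefix": "0.0.0.0/0", "le": 32}],
}
ROUTE_MAP = [
    {"action": "deny", "match": "ISP_deny_eBGP"},
    {"match": "ISP_permit_eBGP"},
]
# Constructed sample routes; only 10.10.10.184/29 comes from the thread
ROUTES = ["10.10.10.184/29", "10.10.10.188/30", "192.0.2.0/24", "0.0.0.0/0"]

def advertised(routes=ROUTES):
    """Routes that survive the route-map and would be redistributed."""
    return [r for r in routes if route_map_permits(ROUTE_MAP, PLISTS, r)]

if __name__ == "__main__":
    print(advertised())
```

Under these assumptions the constructed 10.10.10.188/30 still passes, because a deny entry with ge/le unset matches only the exact /29 and not its more-specific subnets.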
Benoit_Rech_FTNT
Re: Route map to stop advertising certain prefixes in BGP 2020/09/13 23:44:16 (permalink)
0
Hello,
Don't forget that when you perform configuration changes on a BGP neighbor, then you have to restart the connection with the peer, unless "soft-configuration" is enabled.
Example: exec router clear bgp ip x.x.x.x 

You can also check which prefixes are sent to the BGP peer using 
get router info bgp neighbors x.x.x.x advertised-routes
 
Best regards,
Benoit
#9