Last time I set up some IPsec site-to-site (S2S) connections between multiple FortiGate firewalls, and of course I'm running BGP between them.
In short, the requirements are:
– The hub site must learn all routes from the spokes, but must only advertise 192.168.1.0/24 to them via BGP.
– Spoke A (IP 192.168.254.2) must only learn the route to the hub; its default route stays local to the spoke.
– Spoke B (IP 192.168.254.4) must only learn the route to the hub; its default route stays local to the spoke.
Because BGP is running, every site learns every other site's routes, which is not what I want. I do manage the equipment at Spoke A and Spoke B, but let's assume I don't have that control. In that case the hub has to filter what it advertises, and for that I use a route-map :). A route-map can reference a prefix-list, which allows more precise filtering (prefix plus length range, with an implicit deny for anything not listed) than a basic ACL. Keep in mind that a route-map applied outbound only limits what the hub announces; it does nothing about what a spoke announces to the hub, so in a real deployment the hub should also filter inbound (route-map-in or prefix-list-in on the neighbor).
So let’s start:
Prefix-list configuration (ge and le are left unset, so only the exact 192.168.1.0/24 prefix matches, not any more-specific subnet of it):
config router prefix-list
edit "only-local"
config rule
edit 1
set prefix 192.168.1.0 255.255.255.0
unset ge
unset le
next
end
next
end
Route-map configuration (rule 1 uses the default action permit for routes the prefix-list matches; routes matching no rule hit the route-map's implicit deny):
config router route-map
edit "only_local_subnets"
config rule
edit 1
set match-ip-address "only-local"
next
end
next
end
BGP configuration (the route-map is applied outbound on each spoke neighbor; soft-reconfiguration lets you re-apply the filter and inspect advertised routes without tearing the session down):
config router bgp
set as 65401
set router-id 1.1.1.1
config neighbor
edit "192.168.254.2"
set soft-reconfiguration enable
set remote-as 65402
set route-map-out "only_local_subnets"
set send-community6 disable
set keep-alive-timer 1
set holdtime-timer 5
set connect-timer 5
next
edit "192.168.254.4"
set soft-reconfiguration enable
set remote-as 65403
set route-map-out "only_local_subnets"
set send-community6 disable
set keep-alive-timer 1
set holdtime-timer 5
set connect-timer 5
next
end
config redistribute "connected"
set status enable
end
config redistribute "rip"
end
config redistribute "ospf"
end
config redistribute "static"
end
config redistribute "isis"
end
config redistribute6 "connected"
end
config redistribute6 "rip"
end
config redistribute6 "ospf"
end
config redistribute6 "static"
end
config redistribute6 "isis"
end
end
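To see exactly what these rules do before committing them to a production hub, here is an added example (not code from the original post, nor anything from Fortinet) that models prefix-list and route-map evaluation in Python with the semantics the configuration above relies on: a prefix-list rule with neither ge nor le matches only the exact prefix, the first matching route-map rule decides, and a route matching no rule is dropped by the implicit deny. The hub's BGP table, the spoke LAN 192.168.2.0/24 and the inbound filter `from-spoke-a` are constructed for the illustration and are not part of the original configuration; the `le 32` variant shows how a small change in the prefix-list would let more-specific subnets leak.

```python
"""Model of FortiGate-style prefix-list / route-map evaluation (added example).

Assumed matching semantics (FortiOS/Cisco convention):
  - a prefix-list rule with neither ge nor le matches the exact prefix only;
  - ge / le bound the prefix length of more-specific prefixes that may match;
  - a route-map rule matches when its prefix-list permits the route; the first
    matching rule decides, and a route that matches no rule is denied.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PrefixRule:
    prefix: str                  # e.g. "192.168.1.0/24"
    action: str = "permit"       # "permit" or "deny"
    ge: Optional[int] = None     # minimum prefix length (unset = exact match)
    le: Optional[int] = None     # maximum prefix length (unset = exact match)

    def covers(self, candidate: str) -> bool:
        rule_net = ipaddress.ip_network(self.prefix, strict=False)
        cand = ipaddress.ip_network(candidate, strict=False)
        if not cand.subnet_of(rule_net):      # must lie inside the rule prefix
            return False
        lo = self.ge if self.ge is not None else rule_net.prefixlen
        if self.le is not None:
            hi = self.le
        else:                                 # ge alone means "ge up to /32"
            hi = cand.max_prefixlen if self.ge is not None else rule_net.prefixlen
        return lo <= cand.prefixlen <= hi


@dataclass
class PrefixList:
    name: str
    rules: List[PrefixRule]

    def permits(self, candidate: str) -> bool:
        for rule in self.rules:               # first matching rule decides
            if rule.covers(candidate):
                return rule.action == "permit"
        return False                          # implicit deny at the end


@dataclass
class RouteMapRule:
    match_ip_address: Optional[PrefixList] = None   # None = matches everything
    action: str = "permit"


@dataclass
class RouteMap:
    name: str
    rules: List[RouteMapRule]

    def permits(self, candidate: str) -> bool:
        for rule in self.rules:
            pl = rule.match_ip_address
            if pl is None or pl.permits(candidate):
                return rule.action == "permit"
        return False                          # implicit deny: unmatched routes are dropped


def apply_route_map(prefixes: List[str], route_map: RouteMap) -> List[str]:
    """Prefixes that survive the route-map, e.g. what the hub advertises to a spoke."""
    return sorted(p for p in prefixes if route_map.permits(p))


def only_local_subnets() -> RouteMap:
    """The post's route-map: permit exactly 192.168.1.0/24, deny everything else."""
    pl = PrefixList("only-local", [PrefixRule("192.168.1.0/24")])
    return RouteMap("only_local_subnets", [RouteMapRule(match_ip_address=pl)])


def only_local_subnets_le32() -> RouteMap:
    """Variant (assumed, not in the post): same prefix with `set le 32`."""
    pl = PrefixList("only-local-le32", [PrefixRule("192.168.1.0/24", le=32)])
    return RouteMap("only_local_subnets_le32", [RouteMapRule(match_ip_address=pl)])


def from_spoke_a() -> RouteMap:
    """Assumed inbound filter on the hub: accept only Spoke A's LAN 192.168.2.0/24."""
    pl = PrefixList("spoke-a-lan", [PrefixRule("192.168.2.0/24")])
    return RouteMap("from-spoke-a", [RouteMapRule(match_ip_address=pl)])


# Constructed sample of the hub's BGP table (not taken from the post).
HUB_BGP_TABLE = [
    "192.168.1.0/24",    # hub LAN, redistributed from connected
    "192.168.1.128/25",  # a more-specific of the hub LAN (assumed)
    "192.168.254.0/24",  # IPsec transport network (assumed)
    "192.168.2.0/24",    # learned from Spoke A (assumed)
    "192.168.3.0/24",    # learned from Spoke B (assumed)
    "0.0.0.0/0",         # a default route, if it ever ended up in BGP (assumed)
]

# Constructed announcement from a misbehaving Spoke A: its LAN plus a default
# route and the hub's own LAN prefix.
SPOKE_A_ANNOUNCES = ["192.168.2.0/24", "0.0.0.0/0", "192.168.1.0/24"]

if __name__ == "__main__":
    print("to spokes:", apply_route_map(HUB_BGP_TABLE, only_local_subnets()))
    print("with le 32:", apply_route_map(HUB_BGP_TABLE, only_local_subnets_le32()))
    print("accepted from Spoke A:", apply_route_map(SPOKE_A_ANNOUNCES, from_spoke_a()))
```

Running it shows that with the post's prefix-list only 192.168.1.0/24 reaches the spokes, that the assumed `le 32` variant would also leak 192.168.1.128/25, and that the inbound filter drops the default route and the hub prefix a spoke tries to inject. On the FortiGate itself the equivalent check is `get router info bgp neighbors 192.168.254.2 advertised-routes` after the route-map is applied.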