Filtering (BGP) routes

Last time I set up some IPsec site-to-site (S2S) connections between multiple FortiGate firewalls and, of course, ran BGP between them.

In short:

The hub site must know all routes from the spokes, but must only advertise 192.168.1.0/24 to them via BGP.

Spoke A (IP 192.168.254.2) must know only the route to the hub
– The default route remains local to the spoke

Spoke B (IP 192.168.254.4) must know only the route to the hub
– The default route remains local to the spoke

Since I'm running BGP, all sites know each other's routes, and this is not what I want. Of course I know and can configure the equipment at Spoke A and B, but let's assume I don't have that control. Then I want to use route-maps to filter :). A route-map can reference a prefix-list, which makes more advanced filtering possible than a basic ACL.

So let’s start:

Prefix-list configuration:

config router prefix-list
    edit "only-local"
        config rule
            edit 1
                set prefix 192.168.1.0 255.255.255.0
                unset ge
                unset le
            next
        end
    next
end

Route-map configuration:

config router route-map
    edit "only_local_subnets"
        config rule
            edit 1
                set match-ip-address "only-local"
            next
        end
    next
end

BGP configuration:

config router bgp
    set as 65401
    set router-id 1.1.1.1
    config neighbor
        edit "192.168.254.2"
            set soft-reconfiguration enable
            set remote-as 65402
            set route-map-out "only_local_subnets"
            set send-community6 disable
            set keep-alive-timer 1
            set holdtime-timer 5
            set connect-timer 5
        next
        edit "192.168.254.4"
            set soft-reconfiguration enable
            set remote-as 65403
            set route-map-out "only_local_subnets"
            set send-community6 disable
            set keep-alive-timer 1
            set holdtime-timer 5
            set connect-timer 5
        next
    end
    config redistribute "connected"
        set status enable
    end
    config redistribute "rip"
    end
    config redistribute "ospf"
    end
    config redistribute "static"
    end
    config redistribute "isis"
    end
    config redistribute6 "connected"
    end
    config redistribute6 "rip"
    end
    config redistribute6 "ospf"
    end
    config redistribute6 "static"
    end
    config redistribute6 "isis"
    end
end
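To see what the three blocks above do together, here is an added Python simulation (not FortiGate code and not from the original post) of the prefix-list match with ge/le unset, first-match evaluation with an implicit deny, and the outbound route-map, run over a constructed hub routing table. The ge/le handling goes beyond the post's exact-match case, and the default bounds it uses for a missing ge or le are an assumption.

```python
import ipaddress
# Constructed simulation of the post's filter (not FortiGate code): a
# prefix-list rule with optional ge/le, first-match evaluation with an
# implicit deny, and an outbound route-map matching on that prefix-list.

def prefix_rule_matches(rule, prefix):
    """With ge/le both unset (the post's "unset ge"/"unset le") only the
    exact prefix matches; otherwise the route must sit inside the rule's
    prefix with a mask length in [ge, le]. Defaults for a missing bound
    (ge -> rule length, le -> 32) follow the usual convention (assumed)."""
    rule_net = ipaddress.ip_network(rule["prefix"], strict=False)
    net = ipaddress.ip_network(prefix, strict=False)
    ge, le = rule.get("ge"), rule.get("le")
    if ge is None and le is None:
        return net == rule_net
    if net.version != rule_net.version or not net.subnet_of(rule_net):
        return False
    low = ge if ge is not None else rule_net.prefixlen
    high = le if le is not None else rule_net.max_prefixlen
    return low <= net.prefixlen <= high

def prefix_list_permits(rules, prefix):
    """First matching rule decides; no match means implicit deny."""
    for rule in rules:
        if prefix_rule_matches(rule, prefix):
            return rule.get("action", "permit") == "permit"
    return False

def route_map_permits(route_map, prefix):
    """First rule whose match-ip-address prefix-list permits decides."""
    for rule in route_map:
        if prefix_list_permits(rule["match"], prefix):
            return rule.get("action", "permit") == "permit"
    return False

# The post's "only-local" prefix-list and "only_local_subnets" route-map.
ONLY_LOCAL = [{"prefix": "192.168.1.0/24"}]  # ge/le unset: exact match
ONLY_LOCAL_SUBNETS = [{"action": "permit", "match": ONLY_LOCAL}]

# Constructed hub BGP table: connected routes plus routes learned from the
# spokes (10.20/16, 172.16.5/24 and the default are made up for the example).
HUB_ROUTES = ["192.168.1.0/24", "192.168.1.128/25", "192.168.254.0/24",
              "10.20.0.0/16", "172.16.5.0/24", "0.0.0.0/0"]
def advertised_to_spokes(routes=HUB_ROUTES):
    """What route-map-out lets through to neighbors .2 and .4."""
    return [r for r in routes if route_map_permits(ONLY_LOCAL_SUBNETS, r)]

if __name__ == "__main__":
    print(advertised_to_spokes())  # ['192.168.1.0/24']
```

Note that the more specific 192.168.1.128/25 is dropped too: with ge and le unset the rule is an exact match, so a summary and its subnets need separate rules or an explicit ge/le range.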