BGP Route Filtering

Network Requirements

Use a prefix-list combined with a route-map to filter the routes a FortiGate advertises to its BGP neighbors.

Network Topology

[Figure: network topology diagram (image-20240117111857579)]

  1. OSPF neighbors:

    • The FortiGate forms an OSPF adjacency with the internal Switch.
    • The Switch advertises the internal network segments to the FortiGate.
  2. BGP neighbors:

    • The FortiGate forms an eBGP session with Router1.
    • The FortiGate forms an eBGP session with Router2.
  3. Route exchange:

    • The FortiGate redistributes the OSPF routes it learns into both eBGP sessions.
    • The FortiGate redistributes the BGP routes learned from Router1 and Router2 into OSPF.
    • Router1 and Router2 both advertise a default route to the FortiGate.
    • BGP routes the FortiGate learns from Router1 must not be advertised to Router2.
    • The BGP default routes the FortiGate learns from Router1 and Router2 must not be advertised to Router2 or Router1 (the FortiGate must not re-export either upstream's default route).

Configuration Steps

Basic Configuration

  1. Configure the FortiGate interfaces (port2 and port3 face Router1 and Router2, port4 faces the Switch).

    config system interface
        edit "port2"
            set vdom "root"
            set ip 101.103.1.2 255.255.255.0
            set allowaccess ping
            set alias "WAN1"
        next
        edit "port3"
            set vdom "root"
            set ip 202.103.1.2 255.255.255.0
            set allowaccess ping
            set alias "WAN2"
        next
        edit "port4"
            set vdom "root"
            set ip 10.10.254.1 255.255.255.0
            set allowaccess ping
            set alias "DMZ"
        next
    end
    
  2. Configure firewall policies that permit traffic between the FortiGate, the Switch and the Routers; configure any other policies as required (omitted here).

OSPF (FortiGate to Switch)

Configure OSPF on the FortiGate and redistribute BGP routes into OSPF (the Switch then learns them as OSPF external routes).

config router ospf
    set router-id 10.10.254.1
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set prefix 10.10.254.0 255.255.255.0
        next
    end
    config redistribute "bgp"
        set status enable
    end
end

BGP (FortiGate to Router)

  1. Configure two prefix-lists on the FortiGate:

    • One prefix-list matches the BGP route 101.103.2.0/24 advertised by Router1. No ge or le is set, so only that exact prefix length matches; the action is permit (the prefix counts as a match for the list).
    • The other prefix-list matches the default route advertised by Router1 and Router2, again with no ge or le (exact match) and action permit.
    Exact matching is deliberate for 0.0.0.0/0 (with an le value, 0.0.0.0/0 would cover every prefix), but note that it also means a more-specific prefix from Router1, such as a /25 inside 101.103.2.0/24, would not match the first list and would be advertised to Router2.
    config router prefix-list
        edit "Block_101.103.2.0/24"
            config rule
                edit 1
                    set prefix 101.103.2.0 255.255.255.0
                    unset ge
                    unset le
                next
            end
        next
        edit "Block_0.0.0.0/0"
            config rule
                edit 1
                    set prefix 0.0.0.0 0.0.0.0
                    unset ge
                    unset le
                next
            end
        next
    end
    
  2. Configure a route-map on the FortiGate that references the prefix-lists, so that the specific BGP routes learned from Router1 are not advertised to Router2, the BGP default routes learned from Router1 and Router2 are not advertised to Router2 or Router1, and all other routes are advertised normally. Rules are evaluated in sequence order and the first match wins:

    • Sequence 10: match the prefix-list Block_101.103.2.0/24 (the network advertised by Router1), action deny.
    • Sequence 20: match the prefix-list Block_0.0.0.0/0, action deny.
    • Sequence 100: no match condition, so it matches every remaining route; action permit (the FortiOS default). Without this final rule the route-map would end in an implicit deny and nothing would be advertised.
    config router route-map
        edit "RMP_out"
            config rule
                edit 10
                    set action deny
                    set match-ip-address "Block_101.103.2.0/24"
                next
                edit 20
                    set action deny
                    set match-ip-address "Block_0.0.0.0/0"
                next
                edit 100
                next
            end
        next
    end
    
  3. Configure BGP on the FortiGate: apply the route-map created in the previous step with route-map-out on both the Router1 and Router2 neighbors, redistribute OSPF routes, and enable ebgp-multipath. soft-reconfiguration enable keeps an unmodified copy of the routes received from each peer, which is what makes the received-routes output used in verification available.

    config router bgp
        set as 65001
        set router-id 101.103.1.2
        set ebgp-multipath enable
        config neighbor
            edit "101.103.1.1"
                set soft-reconfiguration enable
                set route-map-out "RMP_out"
                set remote-as 65002
            next
            edit "202.103.1.1"
                set soft-reconfiguration enable
                set route-map-out "RMP_out"
                set remote-as 65003
            next
        end
        config redistribute "ospf"
            set status enable
        end
    end
    
  4. Configure BGP on Router1 (simulated with a FortiGate) to advertise its own network and a default route (capability-default-originate) to the FortiGate.

    config router bgp
        set as 65002
        set router-id 101.103.1.1
        config neighbor
            edit "101.103.1.2"
                set capability-default-originate enable
                set soft-reconfiguration enable
                set remote-as 65001
            next
        end
        config network
            edit 1
                set prefix 101.103.2.0 255.255.255.0
            next
        end
    end
    
  5. Configure BGP on Router2 (simulated with a FortiGate) to advertise its own network and a default route to the FortiGate.

    config router bgp
        set as 65003
        set router-id 202.103.1.1
        config neighbor
            edit "202.103.1.2"
                set capability-default-originate enable
                set soft-reconfiguration enable
                set remote-as 65001
            next
        end
        config network
            edit 1
                set prefix 202.103.2.0 255.255.255.0
            next
        end
    end
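
The following Python model is added here as an illustration; it is not part of the original page and is not FortiOS code. It reproduces the prefix-list and route-map evaluation configured in steps 1 to 3 so the filtering decisions can be checked offline, assuming the usual semantics (a rule with no ge/le matches only the exact prefix length, first match wins, implicit deny at the end of a prefix-list or route-map, a route-map rule without a match clause matches everything). It goes one step beyond the page: it also shows that a more-specific prefix inside 101.103.2.0/24 slips past the exact-match list, and how a hypothetical `le 32` on that rule (not on the page) closes the gap while leaving the 0.0.0.0/0 rule exact.

```python
"""Offline model of prefix-list and route-map evaluation (added example).

Assumed semantics: a prefix-list rule with neither ge nor le matches only the
exact prefix length; ge/le widen that to a length range; first matching rule
wins; an unmatched route is denied. A route-map rule with no match clause
matches every route; a route-map with no matching rule denies the route.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class PrefixRule:
    prefix: str                  # "a.b.c.d/len"
    action: str = "permit"       # FortiOS default action
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, route: str) -> bool:
        rule_net = ipaddress.ip_network(self.prefix, strict=False)
        cand = ipaddress.ip_network(route, strict=False)
        if not cand.subnet_of(rule_net):          # network bits must agree
            return False
        if self.ge is None and self.le is None:   # unset ge/le: exact length
            return cand.prefixlen == rule_net.prefixlen
        lo = self.ge if self.ge is not None else rule_net.prefixlen
        hi = self.le if self.le is not None else rule_net.max_prefixlen
        return lo <= cand.prefixlen <= hi


@dataclass
class PrefixList:
    name: str
    rules: list

    def permits(self, route: str) -> bool:
        for rule in self.rules:                   # first matching rule wins
            if rule.matches(route):
                return rule.action == "permit"
        return False                              # implicit deny


@dataclass
class RouteMapRule:
    seq: int
    action: str = "permit"                        # FortiOS default action
    match_ip_address: Optional[PrefixList] = None # None = match any route


@dataclass
class RouteMap:
    name: str
    rules: list

    def evaluate(self, route: str):
        """Return (action, sequence number of the matching rule)."""
        for rule in sorted(self.rules, key=lambda r: r.seq):
            plist = rule.match_ip_address
            if plist is None or plist.permits(route):
                return rule.action, rule.seq
        return "deny", None                       # implicit deny

    def export(self, routes):
        """Prefixes that survive this route-map when used as route-map-out."""
        return [r for r in routes if self.evaluate(r)[0] == "permit"]


# The policy exactly as configured on the page.
BLOCK_R1 = PrefixList("Block_101.103.2.0/24", [PrefixRule("101.103.2.0/24")])
BLOCK_DEFAULT = PrefixList("Block_0.0.0.0/0", [PrefixRule("0.0.0.0/0")])
RMP_OUT = RouteMap("RMP_out", [
    RouteMapRule(10, "deny", BLOCK_R1),
    RouteMapRule(20, "deny", BLOCK_DEFAULT),
    RouteMapRule(100),                            # permit everything else
])

# Hardened variant (assumption, not on the page): "le 32" on the Router1 rule
# also denies any more-specific prefix carved out of 101.103.2.0/24. The
# default-route rule stays exact on purpose: 0.0.0.0/0 with le 32 would match
# every IPv4 prefix and deny all advertisements.
BLOCK_R1_LE32 = PrefixList("Block_101.103.2.0/24_le32",
                           [PrefixRule("101.103.2.0/24", le=32)])
RMP_OUT_HARDENED = RouteMap("RMP_out_hardened", [
    RouteMapRule(10, "deny", BLOCK_R1_LE32),
    RouteMapRule(20, "deny", BLOCK_DEFAULT),
    RouteMapRule(100),
])

# Candidate sets built from the page's tables. The page's advertised-routes
# output shows the FortiGate never offers a peer its own prefix back, so each
# peer's candidates are the OSPF routes plus what the other peer sent.
OSPF_ROUTES = ["10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24", "10.10.4.0/24"]
FROM_ROUTER1 = ["0.0.0.0/0", "101.103.2.0/24"]
FROM_ROUTER2 = ["0.0.0.0/0", "202.103.2.0/24"]


def advertised_to_router1(route_map=RMP_OUT):
    return route_map.export(OSPF_ROUTES + FROM_ROUTER2)


def advertised_to_router2(route_map=RMP_OUT):
    return route_map.export(OSPF_ROUTES + FROM_ROUTER1)
```

RMP_out reproduces the page's result: the four OSPF prefixes go to Router2, those four plus 202.103.2.0/24 go to Router1. A /25 announced by Router1 passes RMP_out but not RMP_out_hardened; a covering /16 passes both, so where the real requirement is "no transit between the two upstreams", an outbound policy that permits only locally originated routes (for example an AS-path filter matching the empty path) is a more robust design than enumerating the peer's prefixes.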
    

Verification

FortiGate

  1. On the FortiGate, check the OSPF neighbor state and OSPF routes: the adjacency with the Switch is up and the 4 OSPF routes advertised by the Switch have been learned.

    FortiGate # get router info ospf neighbor 
    OSPF process 0, VRF 0:
    Neighbor ID     Pri   State           Dead Time   Address         Interface
    10.10.254.2       1   Full/DR         00:00:36    10.10.254.2     port4
    
    FortiGate # get router info routing-table ospf 
    Routing table for VRF=0
    O       10.10.1.0/24 [110/2] via 10.10.254.2, port4, 01:23:49, [1/0]
    O       10.10.2.0/24 [110/2] via 10.10.254.2, port4, 01:23:49, [1/0]
    O       10.10.3.0/24 [110/2] via 10.10.254.2, port4, 01:23:49, [1/0]
    O       10.10.4.0/24 [110/2] via 10.10.254.2, port4, 01:23:49, [1/0]
    
  2. On the FortiGate, check the BGP neighbor state: sessions with Router1 and Router2 are established and routes have been received from each.

    For detailed neighbor information, use "get router info bgp neighbors".
    FortiGate # get router info bgp summary 
    
    VRF 0 BGP router identifier 101.103.1.2, local AS number 65001
    BGP table version is 5
    3 BGP AS-PATH entries
    0 BGP community entries
    
    Neighbor    V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
    101.103.1.1 4      65002     101     117        5    0    0 01:25:48        2
    202.103.1.1 4      65003     106     115        5    0    0 01:17:25        2
    
    Total number of neighbors 2
    
  3. On the FortiGate, check the routes received from Router1 and Router2: each router's own network and a default route have been received.

    FortiGate # get router info bgp neighbors 101.103.1.1 received-routes
    VRF 0 BGP table version is 7, local router ID is 101.103.1.2
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
    Origin codes: i - IGP, e - EGP, ? - incomplete
    
       Network          Next Hop            Metric     LocPrf Weight RouteTag Path
    *> 0.0.0.0/0        101.103.1.1                            0        0 65002 i <-/->
    *> 101.103.2.0/24   101.103.1.1                            0        0 65002 i <-/->
    
    Total number of prefixes 2
    
    FortiGate # get router info bgp neighbors 202.103.1.1 received-routes
    VRF 0 BGP table version is 7, local router ID is 101.103.1.2
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
    Origin codes: i - IGP, e - EGP, ? - incomplete
    
       Network          Next Hop            Metric     LocPrf Weight RouteTag Path
    *> 0.0.0.0/0        202.103.1.1                            0        0 65003 i <-/->
    *> 202.103.2.0      202.103.1.1                            0        0 65003 i <-/->
    
    Total number of prefixes 2
    
  4. On the FortiGate, check the routes advertised to Router1 and Router2. route-map-out has taken effect: the BGP route learned from Router1 is not advertised to Router2 (the BGP route learned from Router2 is, however, advertised to Router1), the default routes learned from Router1 and Router2 are not advertised to either peer, and the redistributed OSPF routes are advertised to both.

    FortiGate # get router info bgp neighbors 101.103.1.1 advertised-routes
    VRF 0 BGP table version is 7, local router ID is 101.103.1.2
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
    Origin codes: i - IGP, e - EGP, ? - incomplete
    
       Network          Next Hop            Metric     LocPrf Weight RouteTag Path
    *> 10.10.1.0/24     101.103.1.2     2                  32768        0 ? <-/->
    *> 10.10.2.0/24     101.103.1.2     2                  32768        0 ? <-/->
    *> 10.10.3.0/24     101.103.1.2     2                  32768        0 ? <-/->
    *> 10.10.4.0/24     101.103.1.2     2                  32768        0 ? <-/->
    *> 202.103.2.0      101.103.1.2                            0        0 65003 i <-/->
    
    Total number of prefixes 5
    
    FortiGate # get router info bgp neighbors 202.103.1.1 advertised-routes
    VRF 0 BGP table version is 7, local router ID is 101.103.1.2
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
    Origin codes: i - IGP, e - EGP, ? - incomplete
    
       Network          Next Hop            Metric     LocPrf Weight RouteTag Path
    *> 10.10.1.0/24     202.103.1.2     2                  32768        0 ? <-/->
    *> 10.10.2.0/24     202.103.1.2     2                  32768        0 ? <-/->
    *> 10.10.3.0/24     202.103.1.2     2                  32768        0 ? <-/->
    *> 10.10.4.0/24     202.103.1.2     2                  32768        0 ? <-/->
    
    Total number of prefixes 4
    
  5. On the FortiGate, view the BGP routing database; the AS path of each eBGP route is shown.

    FortiGate # get router info bgp network 
    VRF 0 BGP table version is 7, local router ID is 101.103.1.2
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete
    
       Network          Next Hop            Metric     LocPrf Weight RouteTag Path
    *  0.0.0.0/0        202.103.1.1     0                      0        0 65003 i <-/->
    *>                  101.103.1.1     0                      0        0 65002 i <-/1>
    *> 10.10.1.0/24     10.10.254.2     2                  32768        0 ? <-/1>
    *> 10.10.2.0/24     10.10.254.2     2                  32768        0 ? <-/1>
    *> 10.10.3.0/24     10.10.254.2     2                  32768        0 ? <-/1>
    *> 10.10.4.0/24     10.10.254.2     2                  32768        0 ? <-/1>
    *> 101.103.2.0/24   101.103.1.1     0                      0        0 65002 i <-/1>
    *> 202.103.2.0      202.103.1.1     0                      0        0 65003 i <-/1>
    
    Total number of prefixes 7
    
  6. To view the details of a specific BGP route, append the network to the command.

    FortiGate # get router info bgp network 0.0.0.0
    VRF 0 BGP routing table entry for 0.0.0.0/0
    Paths: (2 available, best #2, table Default-IP-Routing-Table)
      Not advertised to any peer
      Original VRF 0
      65003
        202.103.1.1 from 202.103.1.1 (202.103.1.1)
          Origin IGP metric 0, localpref 100, valid, external
          Last update: Wed Jan 17 11:32:12 2024
    
      Original VRF 0
      65002
        101.103.1.1 from 101.103.1.1 (101.103.1.1)
          Origin IGP metric 0, localpref 100, valid, external, best
          Last update: Wed Jan 17 11:32:12 2024
    
  7. View the BGP routes in the FortiGate routing table. Because ebgp-multipath is enabled, the default routes learned from Router1 and Router2 are both installed and traffic is load-balanced across them.

    FortiGate # get router info routing-table bgp
    Routing table for VRF=0
    B*      0.0.0.0/0 [20/0] via 101.103.1.1 (recursive is directly connected, port2), 01:50:31, [1/0]
                      [20/0] via 202.103.1.1 (recursive is directly connected, port3), 01:50:31, [1/0]
    B       101.103.2.0/24 [20/0] via 101.103.1.1 (recursive is directly connected, port2), 00:09:04, [1/0]
    B       202.103.2.0/24 [20/0] via 202.103.1.1 (recursive is directly connected, port3), 00:09:08, [1/0]
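
As a verification aid that is not part of the original page, the following Python script parses advertised-routes output like that shown in step 4 and flags any prefix that violates the filtering requirements. The two sample outputs for Router1 and Router2 are copied from the page; the third is constructed to show what a leak would look like if route-map-out were missing. It assumes that a network printed without a mask (such as 202.103.2.0) is the CLI omitting a classful default mask.

```python
"""Audit `advertised-routes` output against a route-leak policy (added example).

Parses the text of `get router info bgp neighbors <peer> advertised-routes`
and lists any prefix the design says must never reach that peer. Assumption:
a network printed without a mask (e.g. "202.103.2.0") had its classful default
mask omitted by the CLI, so /8, /16 or /24 is restored from the first octet.
"""
import ipaddress
import re

# Route line: status flags, network (mask optional), next hop. Header, banner
# and "Total number of prefixes" lines do not start with a dotted quad.
_ROUTE_LINE = re.compile(
    r"^[\s*>sdhiS]*(\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?)\s+(\d{1,3}(?:\.\d{1,3}){3})\b"
)


def normalize_prefix(text: str) -> ipaddress.IPv4Network:
    """Restore the classful mask the CLI drops for class A/B/C networks."""
    if "/" not in text:
        first = int(text.split(".")[0])
        text += "/8" if first < 128 else "/16" if first < 192 else "/24"
    return ipaddress.ip_network(text, strict=False)


def parse_advertised(output: str) -> list:
    """Return (prefix, next_hop) for every route line in the output."""
    routes = []
    for line in output.splitlines():
        m = _ROUTE_LINE.match(line)
        if m:
            routes.append((normalize_prefix(m.group(1)), m.group(2)))
    return routes


def check_policy(routes, forbidden) -> list:
    """Prefixes in `routes` that fall inside any forbidden block.

    Blocks are covering matches (the block and any more-specific prefix),
    except 0.0.0.0/0, which matches only the default route itself; otherwise
    it would cover every prefix.
    """
    blocks = [ipaddress.ip_network(b) for b in forbidden]
    hits = []
    for prefix, _next_hop in routes:
        for b in blocks:
            hit = prefix == b if b.prefixlen == 0 else prefix.subnet_of(b)
            if hit:
                hits.append(str(prefix))
                break
    return hits


# Per-peer "must never be advertised" blocks from the page's requirements:
# neither upstream may receive a default route, and Router2 must not receive
# what Router1 announced (covering, so more-specifics are caught as well).
POLICY = {
    "101.103.1.1": ["0.0.0.0/0"],                    # Router1, AS 65002
    "202.103.1.1": ["0.0.0.0/0", "101.103.2.0/24"],  # Router2, AS 65003
}


def audit(peer: str, output: str) -> list:
    """Policy violations in the advertised-routes output for one peer."""
    return check_policy(parse_advertised(output), POLICY[peer])


# Copied from the page: what the FortiGate advertises to Router1.
TO_ROUTER1 = """\
   Network          Next Hop            Metric     LocPrf Weight RouteTag Path
*> 10.10.1.0/24     101.103.1.2     2                  32768        0 ? <-/->
*> 10.10.2.0/24     101.103.1.2     2                  32768        0 ? <-/->
*> 10.10.3.0/24     101.103.1.2     2                  32768        0 ? <-/->
*> 10.10.4.0/24     101.103.1.2     2                  32768        0 ? <-/->
*> 202.103.2.0      101.103.1.2                            0        0 65003 i <-/->

Total number of prefixes 5
"""

# Copied from the page: what the FortiGate advertises to Router2.
TO_ROUTER2 = """\
   Network          Next Hop            Metric     LocPrf Weight RouteTag Path
*> 10.10.1.0/24     202.103.1.2     2                  32768        0 ? <-/->
*> 10.10.2.0/24     202.103.1.2     2                  32768        0 ? <-/->
*> 10.10.3.0/24     202.103.1.2     2                  32768        0 ? <-/->
*> 10.10.4.0/24     202.103.1.2     2                  32768        0 ? <-/->

Total number of prefixes 4
"""

# Constructed (not from the page): what Router2 would see without the
# route-map-out, including a more-specific the exact-match list would miss.
LEAKED_TO_ROUTER2 = """\
   Network          Next Hop            Metric     LocPrf Weight RouteTag Path
*> 0.0.0.0/0        202.103.1.2                            0        0 65002 i <-/->
*> 10.10.1.0/24     202.103.1.2     2                  32768        0 ? <-/->
*> 101.103.2.0/24   202.103.1.2                            0        0 65002 i <-/->
*> 101.103.2.128/25 202.103.1.2                            0        0 65002 i <-/->

Total number of prefixes 4
"""
```

Run `audit("202.103.1.1", output)` on the live output after any change to the prefix-lists or route-map; an empty list means the requirements still hold, while a non-empty list names exactly which prefixes leaked. Only the Network and Next Hop columns are parsed, because the Metric and LocPrf columns are blank for some rows and make the Path column unreliable to split on whitespace.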
    

Router1

  1. On Router1, check the BGP neighbor state: the session with the FortiGate is established and routes have been received.

    For detailed neighbor information, use "get router info bgp neighbors".
    Router1 # get router info bgp summary 
    
    VRF 0 BGP router identifier 101.103.1.1, local AS number 65002
    BGP table version is 3
    3 BGP AS-PATH entries
    0 BGP community entries
    
    Neighbor    V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
    101.103.1.2 4      65001     126     112        2    0    0 01:34:48        5
    
    Total number of neighbors 1
    
  2. On Router1, check the routes received from the BGP neighbor: the OSPF routes redistributed by the FortiGate and the BGP route the FortiGate learned from Router2 are present.

    Router1 # get router info bgp neighbors 101.103.1.2 received-routes
    VRF 0 BGP table version is 3, local router ID is 101.103.1.1
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
    Origin codes: i - IGP, e - EGP, ? - incomplete
    
       Network          Next Hop            Metric     LocPrf Weight RouteTag Path
    *> 10.10.1.0/24     101.103.1.2     2                      0        0 65001 ? <-/->
    *> 10.10.2.0/24     101.103.1.2     2                      0        0 65001 ? <-/->
    *> 10.10.3.0/24     101.103.1.2     2                      0        0 65001 ? <-/->
    *> 10.10.4.0/24     101.103.1.2     2                      0        0 65001 ? <-/->
    *> 202.103.2.0      101.103.1.2                            0        0 65001 65003 i <-/->
    
    Total number of prefixes 5
    
  3. On Router1, check the routes advertised to the neighbor: its own network and the default route.

    Router1 # get router info bgp neighbors 101.103.1.2 advertised-routes
    VRF 0 BGP table version is 3, local router ID is 101.103.1.1
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
    Origin codes: i - IGP, e - EGP, ? - incomplete
    
       Network          Next Hop            Metric     LocPrf Weight RouteTag Path
    *> 0.0.0.0/0        101.103.1.1                   100  32768        0 i <-/->
    *> 101.103.2.0/24   101.103.1.1                   100  32768        0 i <-/->
    
    Total number of prefixes 2
    
  4. On Router1, view the BGP routing database; the AS path of each eBGP route is shown.

    Router1 # get router info bgp network
    VRF 0 BGP table version is 3, local router ID is 101.103.1.1
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete
    
       Network          Next Hop            Metric     LocPrf Weight RouteTag Path
    *> 10.10.1.0/24     101.103.1.2     2                      0        0 65001 ? <-/1>
    *> 10.10.2.0/24     101.103.1.2     2                      0        0 65001 ? <-/1>
    *> 10.10.3.0/24     101.103.1.2     2                      0        0 65001 ? <-/1>
    *> 10.10.4.0/24     101.103.1.2     2                      0        0 65001 ? <-/1>
    *> 101.103.2.0/24   0.0.0.0                       100  32768        0 i <-/1>
    *> 202.103.2.0      101.103.1.2     0                      0        0 65001 65003 i <-/1>
    
    Total number of prefixes 6
    
  5. To view the details of a specific BGP route, append the network to the command.

    Router1 # get router info bgp network 202.103.2.0
    VRF 0 BGP routing table entry for 202.103.2.0/24
    Paths: (1 available, best #1, table Default-IP-Routing-Table)
      Not advertised to any peer
      Original VRF 0
      65001 65003
        101.103.1.2 from 101.103.1.2 (101.103.1.2)
          Origin IGP metric 0, localpref 100, valid, external, best
          Last update: Wed Jan 17 11:32:27 2024
    
  6. View the BGP routes in Router1's routing table: every route learned from the FortiGate has been installed (the OSPF routes redistributed by the FortiGate and the BGP route the FortiGate learned from Router2), with the eBGP administrative distance of 20.

    Router1 # get router info routing-table bgp
    Routing table for VRF=0
    B       10.10.1.0/24 [20/2] via 101.103.1.2 (recursive is directly connected, port2), 01:59:33, [1/0]
    B       10.10.2.0/24 [20/2] via 101.103.1.2 (recursive is directly connected, port2), 01:59:33, [1/0]
    B       10.10.3.0/24 [20/2] via 101.103.1.2 (recursive is directly connected, port2), 01:59:33, [1/0]
    B       10.10.4.0/24 [20/2] via 101.103.1.2 (recursive is directly connected, port2), 01:59:33, [1/0]
    B       202.103.2.0/24 [20/0] via 101.103.1.2 (recursive is directly connected, port2), 00:10:12, [1/0]
    

Router2

  1. On Router2, check the BGP neighbor state: the session with the FortiGate is established and routes have been received.

    For detailed neighbor information, use "get router info bgp neighbors".
    Router2 # get router info bgp summary 
    
    VRF 0 BGP router identifier 202.103.1.1, local AS number 65003
    BGP table version is 4
    2 BGP AS-PATH entries
    0 BGP community entries
    
    Neighbor    V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
    202.103.1.2 4      65001     156     147        3    0    0 01:52:16        4
    
    Total number of neighbors 1
    
  2. On Router2, check the routes received from the BGP neighbor: the OSPF routes redistributed by the FortiGate are present, and the BGP route the FortiGate learned from Router1 is absent.

    Router2 # get router info bgp neighbors 202.103.1.2 received-routes 
    VRF 0 BGP table version is 4, local router ID is 202.103.1.1
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
    Origin codes: i - IGP, e - EGP, ? - incomplete
    
       Network          Next Hop            Metric     LocPrf Weight RouteTag Path
    *> 10.10.1.0/24     202.103.1.2     2                      0        0 65001 ? <-/->
    *> 10.10.2.0/24     202.103.1.2     2                      0        0 65001 ? <-/->
    *> 10.10.3.0/24     202.103.1.2     2                      0        0 65001 ? <-/->
    *> 10.10.4.0/24     202.103.1.2     2                      0        0 65001 ? <-/->
    
    Total number of prefixes 4
    
  3. On Router2, check the routes advertised to the neighbor: its own network and the default route.

    Router2 # get router info bgp neighbors 202.103.1.2 advertised-routes 
    VRF 0 BGP table version is 4, local router ID is 202.103.1.1
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
    Origin codes: i - IGP, e - EGP, ? - incomplete
    
       Network          Next Hop            Metric     LocPrf Weight RouteTag Path
    *> 0.0.0.0/0        202.103.1.1                   100  32768        0 i <-/->
    *> 202.103.2.0      202.103.1.1                   100  32768        0 i <-/->
    
    Total number of prefixes 2
    
  4. On Router2, view the BGP routing database; the AS path of each eBGP route is shown.

    Router2 # get router info bgp network
    VRF 0 BGP table version is 4, local router ID is 202.103.1.1
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete
    
       Network          Next Hop            Metric     LocPrf Weight RouteTag Path
    *> 10.10.1.0/24     202.103.1.2     2                      0        0 65001 ? <-/1>
    *> 10.10.2.0/24     202.103.1.2     2                      0        0 65001 ? <-/1>
    *> 10.10.3.0/24     202.103.1.2     2                      0        0 65001 ? <-/1>
    *> 10.10.4.0/24     202.103.1.2     2                      0        0 65001 ? <-/1>
    *> 202.103.2.0      0.0.0.0                       100  32768        0 i <-/1>
    
    Total number of prefixes 5
    
  5. To view the details of a specific BGP route, append the network to the command.

    Router2 # get router info bgp network 10.10.1.0
    VRF 0 BGP routing table entry for 10.10.1.0/24
    Paths: (1 available, best #1, table Default-IP-Routing-Table)
      Not advertised to any peer
      Original VRF 0
      65001
        202.103.1.2 from 202.103.1.2 (101.103.1.2)
          Origin incomplete metric 2, localpref 100, valid, external, best
          Last update: Wed Jan 17 11:32:27 2024
    
  6. View the BGP routes in Router2's routing table: the OSPF routes redistributed by the FortiGate are present, the route the FortiGate learned from Router1 is absent, and the administrative distance is 20 (eBGP).

    Router2 # get router info routing-table bgp
    Routing table for VRF=0
    B       10.10.1.0/24 [20/2] via 202.103.1.2 (recursive is directly connected, port2), 01:43:33, [1/0]
    B       10.10.2.0/24 [20/2] via 202.103.1.2 (recursive is directly connected, port2), 01:43:33, [1/0]
    B       10.10.3.0/24 [20/2] via 202.103.1.2 (recursive is directly connected, port2), 01:43:33, [1/0]
    B       10.10.4.0/24 [20/2] via 202.103.1.2 (recursive is directly connected, port2), 01:43:33, [1/0]
    

Switch

Check the routing table on the Switch: it has learned the BGP routes that the FortiGate redistributed into OSPF, as OSPF external (E2) routes.

Switch # get router info routing-table ospf
Routing table for VRF=0
O E2    101.103.2.0/24 [110/10] via 10.10.254.1, port2, 00:11:32, [1/0]
O E2    202.103.2.0/24 [110/10] via 10.10.254.1, port2, 00:11:36, [1/0]

Copyright © 2024 Fortinet Inc. All rights reserved. Powered by Fortinet TAC Team.
This page was revised on: 2024-01-17 17:39:42
