BGP route filtering
Network requirements
Implement route filtering in BGP with a prefix-list referenced by a route-map.
Network topology

OSPF neighbors:
- FortiGate forms an OSPF adjacency with the internal Switch.
- The Switch advertises the internal subnets to FortiGate over OSPF.
BGP neighbors:
- FortiGate forms an eBGP session with Router1.
- FortiGate forms an eBGP session with Router2.
Route exchange:
- FortiGate redistributes the routes learned from OSPF to both eBGP neighbors.
- FortiGate redistributes the BGP routes learned from Router1 and Router2 into OSPF.
- Router1 and Router2 both advertise a default route to FortiGate.
- BGP routes that FortiGate learns from Router1 must not be advertised to Router2.
- The BGP default routes that FortiGate learns from Router1 and Router2 must not be advertised to either Router2 or Router1.
Configuration steps
Basic configuration
Configure the FortiGate interfaces.
config system interface
edit "port2"
set vdom "root"
set ip 101.103.1.2 255.255.255.0
set allowaccess ping
set alias "WAN1"
next
edit "port3"
set vdom "root"
set ip 202.103.1.2 255.255.255.0
set allowaccess ping
set alias "WAN2"
next
edit "port4"
set vdom "root"
set ip 10.10.254.1 255.255.255.0
set allowaccess ping
set alias "DMZ"
next
end
Configure firewall policies that permit the traffic between FortiGate, the Switch and the Routers, and any other policies as required (omitted here).
OSPF (FortiGate to Switch)
Configure OSPF on FortiGate and redistribute the BGP routes into OSPF.
config router ospf
set router-id 10.10.254.1
config area
edit 0.0.0.0
next
end
config network
edit 1
set prefix 10.10.254.0 255.255.255.0
next
end
config redistribute "bgp"
set status enable
end
end
BGP (FortiGate to Router)
Configure two prefix-lists on FortiGate:
- One matches the BGP route 101.103.2.0/24 advertised by Router1. ge and le are left unset, so the entry matches only that exact prefix length (a more-specific prefix inside 101.103.2.0/24 would not match). The action is permit, which in a prefix-list only means "this entry matches"; whether a matching route is advertised or dropped is decided by the action of the route-map rule that references the list.
- The other matches the default route 0.0.0.0/0 advertised by Router1 and Router2, again with ge and le unset (exact match) and action permit.
config router prefix-list
edit "Block_101.103.2.0/24"
config rule
edit 1
set prefix 101.103.2.0 255.255.255.0
unset ge
unset le
next
end
next
edit "Block_0.0.0.0/0"
config rule
edit 1
set prefix 0.0.0.0 0.0.0.0
unset ge
unset le
next
end
next
end
Configure a route-map on FortiGate that references the prefix-lists: the specific BGP route learned from Router1 must not be advertised to Router2, the default routes learned from Router1 and Router2 must not be advertised to Router2 or Router1, and all other routes are advertised normally.
- Sequence 10: match prefix-list Block_101.103.2.0/24 (the subnet advertised by Router1), action deny (the route is dropped).
- Sequence 20: match prefix-list Block_0.0.0.0/0, action deny.
- Sequence 100: no match condition, so it matches every remaining route, action permit (the route is advertised). This catch-all rule is required: a route-map ends with an implicit deny, so without sequence 100 no route at all would be advertised to the neighbor. Its action is not set explicitly because permit is the default for a route-map rule.
config router route-map
edit "RMP_out"
config rule
edit 10
set action deny
set match-ip-address "Block_101.103.2.0/24"
next
edit 20
set action deny
set match-ip-address "Block_0.0.0.0/0"
next
edit 100
next
end
next
end
Configure BGP on FortiGate: apply the route-map created above with route-map-out on both neighbors, Router1 and Router2, redistribute the OSPF routes, and enable ebgp-multipath. soft-reconfiguration enable keeps an unmodified copy of each neighbor's received routes, which is what makes the received-routes output in the verification section available.
config router bgp
set as 65001
set router-id 101.103.1.2
set ebgp-multipath enable
config neighbor
edit "101.103.1.1"
set soft-reconfiguration enable
set route-map-out "RMP_out"
set remote-as 65002
next
edit "202.103.1.1"
set soft-reconfiguration enable
set route-map-out "RMP_out"
set remote-as 65003
next
end
config redistribute "ospf"
set status enable
end
end
Configure BGP on Router1 (simulated with a FortiGate) to advertise its own subnet and a default route (capability-default-originate) to FortiGate.
config router bgp
set as 65002
set router-id 101.103.1.1
config neighbor
edit "101.103.1.2"
set capability-default-originate enable
set soft-reconfiguration enable
set remote-as 65001
next
end
config network
edit 1
set prefix 101.103.2.0 255.255.255.0
next
end
end
Configure BGP on Router2 (simulated with a FortiGate) to advertise its own subnet and a default route to FortiGate.
config router bgp
set as 65003
set router-id 202.103.1.1
config neighbor
edit "202.103.1.2"
set capability-default-originate enable
set soft-reconfiguration enable
set remote-as 65001
next
end
config network
edit 1
set prefix 202.103.2.0 255.255.255.0
next
end
end
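The following Python script is an added example; it is not part of the original page and not a FortiOS tool. It models how the prefix-lists and route-map configured above are evaluated (exact-length match when ge/le are unset, first match wins inside a prefix-list, sequence order and implicit deny inside a route-map) and applies RMP_out to the routes FortiGate holds in this topology. The Loc-RIB contents and the rule that a route is never echoed back to the peer it was learned from are modelling assumptions; the prefixes, peer addresses and names are the page's own. It also goes beyond the page in one respect: it shows why an exact-match entry would let a more-specific prefix such as 101.103.2.128/25 past the deny rule, and how le 32 closes that gap.

```python
"""Simulate FortiGate prefix-list + route-map-out evaluation (added example, not from the page)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Network


@dataclass(frozen=True)
class PrefixRule:
    """One 'config rule' entry of a prefix-list.

    With ge/le unset the entry matches only a route of exactly the configured
    length. 'ge' alone accepts lengths ge..32, 'le' alone accepts len..le.
    """
    prefix: IPv4
    action: str = "permit"
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, route: IPv4) -> bool:
        if not route.subnet_of(self.prefix):      # the route must lie inside the entry
            return False
        low = self.ge if self.ge is not None else self.prefix.prefixlen
        if self.le is not None:
            high = self.le
        else:
            high = 32 if self.ge is not None else self.prefix.prefixlen
        return low <= route.prefixlen <= high


def prefix_list_permits(rules: List[PrefixRule], route: IPv4) -> bool:
    """First matching entry decides; a route matching no entry is implicitly denied."""
    for rule in rules:
        if rule.matches(route):
            return rule.action == "permit"
    return False


@dataclass(frozen=True)
class RouteMapRule:
    seq: int
    action: str = "permit"                  # FortiGate default when 'set action' is omitted
    match_ip_address: Optional[str] = None  # prefix-list name; None = no condition (match any)


def route_map_permits(rules: List[RouteMapRule],
                      prefix_lists: Dict[str, List[PrefixRule]], route: IPv4) -> bool:
    """Rules are tried in sequence order; a route matching no rule hits the implicit deny."""
    for rule in sorted(rules, key=lambda r: r.seq):
        pl = rule.match_ip_address
        if pl is None or prefix_list_permits(prefix_lists[pl], route):
            return rule.action == "permit"
    return False


# The page's FortiGate configuration.
PREFIX_LISTS = {
    "Block_101.103.2.0/24": [PrefixRule(IPv4("101.103.2.0/24"))],
    "Block_0.0.0.0/0": [PrefixRule(IPv4("0.0.0.0/0"))],
}
RMP_OUT = [
    RouteMapRule(10, "deny", "Block_101.103.2.0/24"),
    RouteMapRule(20, "deny", "Block_0.0.0.0/0"),
    RouteMapRule(100),                     # permit any; without it nothing is advertised
]

# Constructed Loc-RIB matching the page: (prefix, peer it was learned from; None = OSPF redistribution).
LOC_RIB: List[Tuple[IPv4, Optional[str]]] = [
    (IPv4("0.0.0.0/0"), "101.103.1.1"),
    (IPv4("101.103.2.0/24"), "101.103.1.1"),
    (IPv4("0.0.0.0/0"), "202.103.1.1"),
    (IPv4("202.103.2.0/24"), "202.103.1.1"),
] + [(IPv4(f"10.10.{i}.0/24"), None) for i in range(1, 5)]


def advertised_to(peer: str, route_map: List[RouteMapRule] = RMP_OUT) -> List[str]:
    """Prefixes FortiGate sends to 'peer': routes learned from that peer are not echoed
    back (modelling assumption), everything else passes through route-map-out."""
    out = set()
    for prefix, learned_from in LOC_RIB:
        if learned_from != peer and route_map_permits(route_map, PREFIX_LISTS, prefix):
            out.add(str(prefix))
    return sorted(out)


def entry_matches(entry: str, route: str, ge: Optional[int] = None, le: Optional[int] = None) -> bool:
    """Helper to show the effect of ge/le on a single prefix-list entry."""
    return PrefixRule(IPv4(entry), "permit", ge, le).matches(IPv4(route))


if __name__ == "__main__":
    print("to Router1:", advertised_to("101.103.1.1"))
    print("to Router2:", advertised_to("202.103.1.1"))
    print("to Router2 without rule 100:", advertised_to("202.103.1.1", RMP_OUT[:2]))
    print("exact /24 entry vs a /25:", entry_matches("101.103.2.0/24", "101.103.2.128/25"),
          "| same entry with le 32:", entry_matches("101.103.2.0/24", "101.103.2.128/25", le=32))
```

Run stand-alone, the script reproduces the advertised-routes seen in the verification section (five prefixes to Router1, four to Router2), shows that dropping sequence 100 leaves both neighbors with nothing, and shows that a deny based on an exact-match entry does not cover a more-specific prefix unless le 32 is set on the entry.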
Verification
FortiGate
On FortiGate, check the OSPF neighbor state and the OSPF routes: the adjacency with the Switch is Full, and the 4 OSPF routes advertised by the Switch have been learned.
FortiGate # get router info ospf neighbor
OSPF process 0, VRF 0:
Neighbor ID Pri State Dead Time Address Interface
10.10.254.2 1 Full/DR 00:00:36 10.10.254.2 port4
FortiGate # get router info routing-table ospf
Routing table for VRF=0
O 10.10.1.0/24 [110/2] via 10.10.254.2, port4, 01:23:49, [1/0]
O 10.10.2.0/24 [110/2] via 10.10.254.2, port4, 01:23:49, [1/0]
O 10.10.3.0/24 [110/2] via 10.10.254.2, port4, 01:23:49, [1/0]
O 10.10.4.0/24 [110/2] via 10.10.254.2, port4, 01:23:49, [1/0]
On FortiGate, check the BGP neighbor state: the sessions with Router1 and Router2 are established and routes have been received from each.
Important
To view detailed BGP neighbor information, use get router info bgp neighbors.
FortiGate # get router info bgp summary
VRF 0 BGP router identifier 101.103.1.2, local AS number 65001
BGP table version is 5
3 BGP AS-PATH entries
0 BGP community entries
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
101.103.1.1 4 65002 101 117 5 0 0 01:25:48 2
202.103.1.1 4 65003 106 115 5 0 0 01:17:25 2
Total number of neighbors 2
On FortiGate, check the routes received from Router1 and Router2: each router's own subnet and a default route have been received.
FortiGate # get router info bgp neighbors 101.103.1.1 received-routes
VRF 0 BGP table version is 7, local router ID is 101.103.1.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight RouteTag Path
*> 0.0.0.0/0 101.103.1.1 0 0 65002 i <-/->
*> 101.103.2.0/24 101.103.1.1 0 0 65002 i <-/->
Total number of prefixes 2
FortiGate # get router info bgp neighbors 202.103.1.1 received-routes
VRF 0 BGP table version is 7, local router ID is 101.103.1.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight RouteTag Path
*> 0.0.0.0/0 202.103.1.1 0 0 65003 i <-/->
*> 202.103.2.0 202.103.1.1 0 0 65003 i <-/->
Total number of prefixes 2
On FortiGate, check the routes advertised to Router1 and Router2. route-map-out is in effect: the BGP route learned from Router1 is not advertised to Router2, neither default route is advertised to either neighbor, and the redistributed OSPF routes are advertised to both. The route learned from Router2 is, as the requirements allow, still advertised to Router1, so FortiGate remains a transit path for 202.103.2.0/24 from AS 65002; if transit between the two upstream ASes is not intended, that direction needs the same kind of filter.
FortiGate # get router info bgp neighbors 101.103.1.1 advertised-routes
VRF 0 BGP table version is 7, local router ID is 101.103.1.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight RouteTag Path
*> 10.10.1.0/24 101.103.1.2 2 32768 0 ? <-/->
*> 10.10.2.0/24 101.103.1.2 2 32768 0 ? <-/->
*> 10.10.3.0/24 101.103.1.2 2 32768 0 ? <-/->
*> 10.10.4.0/24 101.103.1.2 2 32768 0 ? <-/->
*> 202.103.2.0 101.103.1.2 0 0 65003 i <-/->
Total number of prefixes 5
FortiGate # get router info bgp neighbors 202.103.1.1 advertised-routes
VRF 0 BGP table version is 7, local router ID is 101.103.1.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight RouteTag Path
*> 10.10.1.0/24 202.103.1.2 2 32768 0 ? <-/->
*> 10.10.2.0/24 202.103.1.2 2 32768 0 ? <-/->
*> 10.10.3.0/24 202.103.1.2 2 32768 0 ? <-/->
*> 10.10.4.0/24 202.103.1.2 2 32768 0 ? <-/->
Total number of prefixes 4
On FortiGate, view the BGP table, which shows the AS path of each eBGP route.
FortiGate # get router info bgp network
VRF 0 BGP table version is 7, local router ID is 101.103.1.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight RouteTag Path
* 0.0.0.0/0 202.103.1.1 0 0 0 65003 i <-/->
*> 101.103.1.1 0 0 0 65002 i <-/1>
*> 10.10.1.0/24 10.10.254.2 2 32768 0 ? <-/1>
*> 10.10.2.0/24 10.10.254.2 2 32768 0 ? <-/1>
*> 10.10.3.0/24 10.10.254.2 2 32768 0 ? <-/1>
*> 10.10.4.0/24 10.10.254.2 2 32768 0 ? <-/1>
*> 101.103.2.0/24 101.103.1.1 0 0 0 65002 i <-/1>
*> 202.103.2.0 202.103.1.1 0 0 0 65003 i <-/1>
Total number of prefixes 7
To see the details of one BGP prefix, append the network to the command.
FortiGate # get router info bgp network 0.0.0.0
VRF 0 BGP routing table entry for 0.0.0.0/0
Paths: (2 available, best #2, table Default-IP-Routing-Table)
Not advertised to any peer
Original VRF 0
65003
202.103.1.1 from 202.103.1.1 (202.103.1.1)
Origin IGP metric 0, localpref 100, valid, external
Last update: Wed Jan 17 11:32:12 2024
Original VRF 0
65002
101.103.1.1 from 101.103.1.1 (101.103.1.1)
Origin IGP metric 0, localpref 100, valid, external, best
Last update: Wed Jan 17 11:32:12 2024
Check the BGP routes in the FortiGate routing table: because ebgp-multipath is enabled, the default routes learned from Router1 and Router2 are both installed and traffic is load-shared across them.
FortiGate # get router info routing-table bgp
Routing table for VRF=0
B* 0.0.0.0/0 [20/0] via 101.103.1.1 (recursive is directly connected, port2), 01:50:31, [1/0]
[20/0] via 202.103.1.1 (recursive is directly connected, port3), 01:50:31, [1/0]
B 101.103.2.0/24 [20/0] via 101.103.1.1 (recursive is directly connected, port2), 00:09:04, [1/0]
B 202.103.2.0/24 [20/0] via 202.103.1.1 (recursive is directly connected, port3), 00:09:08, [1/0]
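The checks made by eye on the received-routes and advertised-routes output above can be automated. The following Python script is an added example, not from the page and not a Fortinet tool: it parses the Network column of FortiGate's BGP table output (restoring the mask that FortiOS omits on classful networks such as 202.103.2.0) and verifies the two requirements, that nothing received from Router1 is advertised to Router2 and that no default route is advertised to either peer. The embedded samples are constructed from the page's output, trimmed to the relevant lines; the unfiltered Router2 sample is constructed to show what the output would look like if route-map-out were missing from that neighbor.

```python
"""Audit FortiGate BGP table output against the filtering policy (added example, not from the page)."""
import ipaddress
import re
from typing import List, Set

# A table row looks like "*> 101.103.2.0/24   101.103.1.1   0   0 65002 i <-/->".
# Only the status flag(s) and the Network column are used; header and 'Total' lines are skipped.
# Intended for advertised-routes / received-routes output, where every row carries a network.
ROUTE_LINE = re.compile(r"^\s*\*>?\s+(?P<net>\S+)\s+\S+")


def to_network(text: str) -> ipaddress.IPv4Network:
    """FortiGate prints classful networks without a mask (e.g. '202.103.2.0'); restore the classful length."""
    if "/" not in text:
        first_octet = int(text.split(".")[0])
        plen = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
        text = f"{text}/{plen}"
    return ipaddress.IPv4Network(text, strict=False)


def parse_bgp_table(output: str) -> Set[ipaddress.IPv4Network]:
    """Networks listed in 'get router info bgp neighbors <ip> advertised-routes|received-routes' output."""
    nets: Set[ipaddress.IPv4Network] = set()
    for line in output.splitlines():
        m = ROUTE_LINE.match(line)
        if m:
            nets.add(to_network(m.group("net")))
    return nets


DEFAULT = ipaddress.IPv4Network("0.0.0.0/0")


def audit_policy(received_from_router1: str, advertised_to_router1: str,
                 advertised_to_router2: str) -> List[str]:
    """Violations of the two requirements (an empty list means the route-map does what the page expects)."""
    r1_in = parse_bgp_table(received_from_router1)
    r1_out = parse_bgp_table(advertised_to_router1)
    r2_out = parse_bgp_table(advertised_to_router2)
    violations: List[str] = []
    # Requirement 1: nothing learned from Router1 may reach Router2 (the default is reported below).
    for net in sorted(r1_in & r2_out, key=lambda n: (n.network_address, n.prefixlen)):
        if net != DEFAULT:
            violations.append(f"leaked to Router2: {net!s}")
    # Requirement 2: neither peer receives a default route from FortiGate.
    for name, table in (("Router1", r1_out), ("Router2", r2_out)):
        if DEFAULT in table:
            violations.append(f"default route advertised to {name}")
    return violations


# Constructed samples, trimmed from the page's verification output.
RECEIVED_FROM_ROUTER1 = """\
Network          Next Hop      Metric LocPrf Weight RouteTag Path
*> 0.0.0.0/0      101.103.1.1        0      0 65002 i <-/->
*> 101.103.2.0/24 101.103.1.1        0      0 65002 i <-/->
Total number of prefixes 2
"""
ADVERTISED_TO_ROUTER1 = """\
*> 10.10.1.0/24   101.103.1.2   2  32768      0 ? <-/->
*> 10.10.2.0/24   101.103.1.2   2  32768      0 ? <-/->
*> 10.10.3.0/24   101.103.1.2   2  32768      0 ? <-/->
*> 10.10.4.0/24   101.103.1.2   2  32768      0 ? <-/->
*> 202.103.2.0    101.103.1.2   0      0  65003 i <-/->
Total number of prefixes 5
"""
ADVERTISED_TO_ROUTER2 = """\
*> 10.10.1.0/24   202.103.1.2   2  32768      0 ? <-/->
*> 10.10.2.0/24   202.103.1.2   2  32768      0 ? <-/->
*> 10.10.3.0/24   202.103.1.2   2  32768      0 ? <-/->
*> 10.10.4.0/24   202.103.1.2   2  32768      0 ? <-/->
Total number of prefixes 4
"""
# Constructed failure case: what Router2 would see with no route-map-out on its neighbor entry.
# (The stale 'Total' line above is ignored by the parser.)
ADVERTISED_TO_ROUTER2_UNFILTERED = ADVERTISED_TO_ROUTER2 + """\
*> 0.0.0.0/0      202.103.1.2   0      0  65002 i <-/->
*> 101.103.2.0/24 202.103.1.2   0      0  65002 i <-/->
"""

if __name__ == "__main__":
    print("filtered:  ", audit_policy(RECEIVED_FROM_ROUTER1, ADVERTISED_TO_ROUTER1, ADVERTISED_TO_ROUTER2))
    print("unfiltered:", audit_policy(RECEIVED_FROM_ROUTER1, ADVERTISED_TO_ROUTER1, ADVERTISED_TO_ROUTER2_UNFILTERED))
```

On the page's own output the audit returns no violations; on the constructed unfiltered sample it reports both the leaked 101.103.2.0/24 and the default route sent to Router2. In practice the three strings would be captured from the CLI (for example over SSH) and fed to audit_policy after every BGP change.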
Router1
On Router1, check the BGP neighbor state: the session with FortiGate is established and routes have been received.
Important
To view detailed BGP neighbor information, use get router info bgp neighbors.
Router1 # get router info bgp summary
VRF 0 BGP router identifier 101.103.1.1, local AS number 65002
BGP table version is 3
3 BGP AS-PATH entries
0 BGP community entries
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
101.103.1.2 4 65001 126 112 2 0 0 01:34:48 5
Total number of neighbors 1
On Router1, check the routes received from its BGP neighbor: the OSPF routes redistributed by FortiGate and the BGP route FortiGate learned from Router2 are present.
Router1 # get router info bgp neighbors 101.103.1.2 received-routes
VRF 0 BGP table version is 3, local router ID is 101.103.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight RouteTag Path
*> 10.10.1.0/24 101.103.1.2 2 0 0 65001 ? <-/->
*> 10.10.2.0/24 101.103.1.2 2 0 0 65001 ? <-/->
*> 10.10.3.0/24 101.103.1.2 2 0 0 65001 ? <-/->
*> 10.10.4.0/24 101.103.1.2 2 0 0 65001 ? <-/->
*> 202.103.2.0 101.103.1.2 0 0 65001 65003 i <-/->
Total number of prefixes 5
On Router1, check the routes advertised to its neighbor: its own subnet and the default route.
Router1 # get router info bgp neighbors 101.103.1.2 advertised-routes
VRF 0 BGP table version is 3, local router ID is 101.103.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight RouteTag Path
*> 0.0.0.0/0 101.103.1.1 100 32768 0 i <-/->
*> 101.103.2.0/24 101.103.1.1 100 32768 0 i <-/->
Total number of prefixes 2
On Router1, view the BGP table, which shows the AS path of each eBGP route.
Router1 # get router info bgp network
VRF 0 BGP table version is 3, local router ID is 101.103.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight RouteTag Path
*> 10.10.1.0/24 101.103.1.2 2 0 0 65001 ? <-/1>
*> 10.10.2.0/24 101.103.1.2 2 0 0 65001 ? <-/1>
*> 10.10.3.0/24 101.103.1.2 2 0 0 65001 ? <-/1>
*> 10.10.4.0/24 101.103.1.2 2 0 0 65001 ? <-/1>
*> 101.103.2.0/24 0.0.0.0 100 32768 0 i <-/1>
*> 202.103.2.0 101.103.1.2 0 0 0 65001 65003 i <-/1>
Total number of prefixes 6
To see the details of one BGP prefix, append the network to the command.
Router1 # get router info bgp network 202.103.2.0
VRF 0 BGP routing table entry for 202.103.2.0/24
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Not advertised to any peer
Original VRF 0
65001 65003
101.103.1.2 from 101.103.1.2 (101.103.1.2)
Origin IGP metric 0, localpref 100, valid, external, best
Last update: Wed Jan 17 11:32:27 2024
Check the BGP routes in Router1's routing table: every route learned from FortiGate (the redistributed OSPF routes and the BGP route FortiGate learned from Router2) is installed, with the eBGP administrative distance of 20.
Router1 # get router info routing-table bgp
Routing table for VRF=0
B 10.10.1.0/24 [20/2] via 101.103.1.2 (recursive is directly connected, port2), 01:59:33, [1/0]
B 10.10.2.0/24 [20/2] via 101.103.1.2 (recursive is directly connected, port2), 01:59:33, [1/0]
B 10.10.3.0/24 [20/2] via 101.103.1.2 (recursive is directly connected, port2), 01:59:33, [1/0]
B 10.10.4.0/24 [20/2] via 101.103.1.2 (recursive is directly connected, port2), 01:59:33, [1/0]
B 202.103.2.0/24 [20/0] via 101.103.1.2 (recursive is directly connected, port2), 00:10:12, [1/0]
Router2
On Router2, check the BGP neighbor state: the session with FortiGate is established and routes have been received.
Important
To view detailed BGP neighbor information, use get router info bgp neighbors.
Router2 # get router info bgp summary
VRF 0 BGP router identifier 202.103.1.1, local AS number 65003
BGP table version is 4
2 BGP AS-PATH entries
0 BGP community entries
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
202.103.1.2 4 65001 156 147 3 0 0 01:52:16 4
Total number of neighbors 1
On Router2, check the routes received from its BGP neighbor: the OSPF routes redistributed by FortiGate are present, and none of the BGP routes FortiGate learned from Router1.
Router2 # get router info bgp neighbors 202.103.1.2 received-routes
VRF 0 BGP table version is 4, local router ID is 202.103.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight RouteTag Path
*> 10.10.1.0/24 202.103.1.2 2 0 0 65001 ? <-/->
*> 10.10.2.0/24 202.103.1.2 2 0 0 65001 ? <-/->
*> 10.10.3.0/24 202.103.1.2 2 0 0 65001 ? <-/->
*> 10.10.4.0/24 202.103.1.2 2 0 0 65001 ? <-/->
Total number of prefixes 4
On Router2, check the routes advertised to its neighbor: its own subnet and the default route.
Router2 # get router info bgp neighbors 202.103.1.2 advertised-routes
VRF 0 BGP table version is 4, local router ID is 202.103.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight RouteTag Path
*> 0.0.0.0/0 202.103.1.1 100 32768 0 i <-/->
*> 202.103.2.0 202.103.1.1 100 32768 0 i <-/->
Total number of prefixes 2
On Router2, view the BGP table, which shows the AS path of each eBGP route.
Router2 # get router info bgp network
VRF 0 BGP table version is 4, local router ID is 202.103.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight RouteTag Path
*> 10.10.1.0/24 202.103.1.2 2 0 0 65001 ? <-/1>
*> 10.10.2.0/24 202.103.1.2 2 0 0 65001 ? <-/1>
*> 10.10.3.0/24 202.103.1.2 2 0 0 65001 ? <-/1>
*> 10.10.4.0/24 202.103.1.2 2 0 0 65001 ? <-/1>
*> 202.103.2.0 0.0.0.0 100 32768 0 i <-/1>
Total number of prefixes 5
To see the details of one BGP prefix, append the network to the command.
Router2 # get router info bgp network 10.10.1.0
VRF 0 BGP routing table entry for 10.10.1.0/24
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Not advertised to any peer
Original VRF 0
65001
202.103.1.2 from 202.103.1.2 (101.103.1.2)
Origin incomplete metric 2, localpref 100, valid, external, best
Last update: Wed Jan 17 11:32:27 2024
Check the BGP routes in Router2's routing table: the OSPF routes redistributed by FortiGate are installed, none of the routes FortiGate learned from Router1 are present, and the distance is 20 (eBGP).
Router2 # get router info routing-table bgp
Routing table for VRF=0
B 10.10.1.0/24 [20/2] via 202.103.1.2 (recursive is directly connected, port2), 01:43:33, [1/0]
B 10.10.2.0/24 [20/2] via 202.103.1.2 (recursive is directly connected, port2), 01:43:33, [1/0]
B 10.10.3.0/24 [20/2] via 202.103.1.2 (recursive is directly connected, port2), 01:43:33, [1/0]
B 10.10.4.0/24 [20/2] via 202.103.1.2 (recursive is directly connected, port2), 01:43:33, [1/0]
Switch
On the Switch, check the routing table: the Switch has learned the BGP routes that FortiGate redistributed into OSPF, as OSPF external type 2 routes. The BGP default route is not among them: redistribution alone does not carry 0.0.0.0/0 into OSPF, which only originates a default route when default-information-originate is enabled on the OSPF process.
Switch # get router info routing-table ospf
Routing table for VRF=0
O E2 101.103.2.0/24 [110/10] via 10.10.254.1, port2, 00:11:32, [1/0]
O E2 202.103.2.0/24 [110/10] via 10.10.254.1, port2, 00:11:36, [1/0]