Route filtering with Route-Map when redistributing between BGP and OSPF

Version: 1.0
Date: Tuesday, 5 September 2017
Supported versions: FortiGate v5.0, v5.2, v5.4, v5.6
Author: 刘康明 (Liu Kangming)
Status: Reviewed
Feedback: support_cn@fortinet.com

Contents

Introduction ... 3
Topology: BGP redistributed into OSPF ... 3
Filtering routes when redistributing BGP into OSPF ... 4
  FGT200B key configuration ... 4
    Interface IP configuration ... 4
    Route-Map ... 4
    BGP configuration ... 5
  FGT100E key configuration ... 5
    Interface IP and BGP configuration ... 5
    Route-Map configuration ... 7
    OSPF configuration ... 7
  Cisco 1814 key configuration ... 9
Topology: OSPF redistributed into BGP (the reverse direction) ... 11
  Cisco 1814 key configuration ... 11
  FGT100E key configuration ... 12
    Interface IP and OSPF configuration ... 12
    Route-Map configuration ... 14
    Interface IP and BGP configuration ... 14
  FGT200B key configuration ... 16
    Interface IP and BGP configuration ... 16

Fortinet Inc. Page 2 / 17 www.fortinet.com.cn
Introduction

BGP and OSPF are used in many scenarios, for example GRE over IPsec, routing protocols run directly over IPsec VPN, ADVPN, and other complex routing designs. These designs often also need route redistribution, that is, redistributing BGP routes into OSPF or OSPF routes into BGP. When only some of the routes should be redistributed, a route-map is needed to match and filter them, which gives route filtering during redistribution.

This document shows how to configure a route-map on a FortiGate and apply it as the redistribution policy for these cases. Note that on Fortinet devices the attributes passed between BGP and OSPF cannot be referenced exactly the way they are on Cisco; the Fortinet and Cisco implementations differ somewhat, and the method described below avoids those problems.

Topology: BGP redistributed into OSPF

[Topology figure: FGT200B (AS65500; port9 10.1.12.1; port11 192.168.11.0/24; port12 192.168.12.0/24) -- EBGP -- FGT100E (AS65501; dmz 10.1.12.2; wan1 192.168.90.52) -- OSPF Area 0 -- Cisco 1814 (F0/0 192.168.90.57)]

Requirement: BGP routes are redistributed into OSPF with filtering; only 192.168.11.0/24 may be redistributed into OSPF.

Devices: FortiGate 200B v5.2.11, FortiGate 100E v5.4.5, Cisco 1814 IOS 15.1(4)M4.

This lab focuses on the routing policy and redistribution parts; route planning, firewall policies and other configuration are ignored.
Filtering routes when redistributing BGP into OSPF

FGT200B key configuration

Interface IP configuration

config system interface
  edit "port11"
    set ip 192.168.11.254 255.255.255.0
    set allowaccess ping https ssh http
  next
  edit "port12"
    set ip 192.168.12.254 255.255.255.0
    set allowaccess ping https ssh http
  next
  edit "port9"
    set ip 10.1.12.1 255.255.255.0
    set allowaccess ping https ssh http
  next
end

Route-Map

config router access-list
  edit "net11"
    config rule
      edit 1
        set prefix 192.168.11.0 255.255.255.0
        set exact-match enable
      next
    end
  next
end

config router route-map
  edit "Metric_set_6550011"
    config rule
      edit 1
        set match-ip-address "net11"
        set set-metric 6550011
      next
      edit 2
      next
    end
  next
end

Rule 2 carries no match clause, so every prefix other than 192.168.11.0/24 is still permitted, just without a MED.

BGP configuration

config router bgp
  set as 65500
  set router-id 10.1.12.1
  config neighbor
    edit "10.1.12.2"
      set soft-reconfiguration enable
      set remote-as 65501
      set route-map-out "Metric_set_6550011"
    next
  end
  config network
    edit 1
      set prefix 192.168.11.0 255.255.255.0
    next
    edit 2
      set prefix 192.168.12.0 255.255.255.0
    next
  end
end

Configuration notes: when 192.168.11.0/24 is advertised in BGP it is stamped with MED 6550011, while 192.168.12.0/24 is advertised without any MED. This makes it easy to reference that MED value in the route-map on FGT100E.

FGT100E key configuration

Interface IP and BGP configuration

config system interface
  edit "dmz"
    set ip 10.1.12.2 255.255.255.0
    set allowaccess ping https ssh http
  next
  edit "wan1"
    set ip 192.168.90.52 255.255.255.0
    set allowaccess ping https ssh http
  next
end

config router bgp
  set as 65501
  config neighbor
    edit "10.1.12.1"
      set soft-reconfiguration enable
      set remote-as 65500
    next
  end
end

FGT100E BGP routes learned: FGT100E now learns both BGP routes, 192.168.11.0/24 and 192.168.12.0/24. The MED of 192.168.11.0/24 is 6550011 and the MED of 192.168.12.0/24 is 0.

FG100E4Q16003541 # get router info bgp network
BGP table version is 5, local router ID is 192.168.90.52
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 192.168.11.0     10.1.12.1          6550011             0 65500 i
*> 192.168.12.0     10.1.12.1                0             0 65500 i

Total number of prefixes 2

FG100E4Q16003541 # get router info routing-table all
S*      0.0.0.0/0 [10/0] via 192.168.90.254, wan1
C       10.1.12.0/24 is directly connected, dmz
B       192.168.11.0/24 [20/6550011] via 10.1.12.1, dmz, 01:17:56
B       192.168.12.0/24 [20/0] via 10.1.12.1, dmz, 01:17:56
C       192.168.90.0/24 is directly connected, wan1

FG100E4Q16003541 # get router info bgp network 192.168.11.0
BGP routing table entry for 192.168.11.0/24
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Not advertised to any peer
  65500
    10.1.12.1 from 10.1.12.1 (10.1.12.1)
      Origin IGP metric 6550011, localpref 100, valid, external, best
      Last update: Wed Aug 30 17:55:19 2017

FG100E4Q16003541 # get router info bgp network 192.168.12.0
BGP routing table entry for 192.168.12.0/24
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Not advertised to any peer
  65500
    10.1.12.1 from 10.1.12.1 (10.1.12.1)
      Origin IGP metric 0, localpref 100, valid, external, best
      Last update: Wed Aug 30 17:55:19 2017

Route-Map configuration

config router route-map
  edit "route_map_re_bgp_to_ospf_med"
    config rule
      edit 1
        set match-metric 6550011
        set set-tag 6550011
      next
      edit 2
        set match-tag 6550011
      next
    end
  next
end

Configuration notes: first, match MED 6550011 (the BGP route 192.168.11.0/24) and set the tag of that route to 6550011. Then match only routes with tag 6550011 (a route-map ends with an implicit deny all), so only 192.168.11.0/24 is matched and every other route is denied.

OSPF configuration

config router ospf
  set router-id 192.168.90.52
  config area
    edit 0.0.0.0
    next
  end
  config network
    edit 1
      set prefix 192.168.90.0 255.255.255.0
    next
  end
  config redistribute "bgp"
    set status enable
    set routemap "route_map_re_bgp_to_ospf_med"
  end
end

Configuration notes: when OSPF redistributes the BGP routes it only needs to reference the route-map configured in the previous step.

FGT100E OSPF routes advertised (there is only one Type-5 LSA, for 192.168.11.0/24):

FG100E4Q16003541 # get router info ospf neighbor
OSPF process 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.90.57     1   Full/DR         00:00:38    192.168.90.57   wan1

FG100E4Q16003541 # get router info ospf database brief

                Router Link States (Area 0.0.0.0)

Link ID         ADV Router      Age   Seq#      CkSum  Flag  Link count
192.168.90.52   192.168.90.52   755   80000008  a2b9   0031  1
192.168.90.57   192.168.90.57   1800  8000015b  647f   0012  1

                Net Link States (Area 0.0.0.0)

Link ID         ADV Router      Age   Seq#      CkSum  Flag
192.168.90.57   192.168.90.57   1053  80000005  81c5   0012

                AS External Link States

Link ID         ADV Router      Age   Seq#      CkSum  Flag  Route                Tag
192.168.11.0    192.168.90.52   365   80000004  57b0   0031  E2 192.168.11.0/24   6550011

FG100E4Q16003541 # get router info ospf database external lsa 192.168.11.0

                AS External Link States

  LS age: 380
  Options: 0x2 (* - - - - - E -)
  LS Type: AS-external-LSA
  Link State ID: 192.168.11.0 (External Network Number)
  Advertising Router: 192.168.90.52
  LS Seq Number: 80000004
  Checksum: 0x57b0
  Length: 36
  Network Mask: /24
        Metric Type: 2 (Larger than any link state path)
        TOS: 0
        Metric: 10
        Forward Address: 0.0.0.0
        External Route Tag: 6550011

Cisco 1814 key configuration

interface FastEthernet0/0
 ip address 192.168.90.57 255.255.255.0
!
router ospf 10
 router-id 192.168.90.57
 network 192.168.90.0 0.0.0.255 area 0

Cisco 1814 OSPF routes learned (only one external route, 192.168.11.0/24, is learned):

Cisco-1814#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.90.52     1   FULL/BDR        00:00:38    192.168.90.52   FastEthernet0/0

Cisco-1814#show ip ospf database

            OSPF Router with ID (192.168.90.57) (Process ID 10)

                Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
192.168.90.52   192.168.90.52   983         0x80000008 0x00A2B9 1
192.168.90.57   192.168.90.57   22          0x8000015C 0x006280 1

                Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
192.168.90.57   192.168.90.57   1279        0x80000005 0x0081C5

                Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag
192.168.11.0    192.168.90.52   593         0x80000004 0x0057B0 6550011

Cisco-1814#show ip ospf database external

            OSPF Router with ID (192.168.90.57) (Process ID 10)

                Type-5 AS External Link States

  Routing Bit Set on this LSA in topology Base with MTID 0
  LS age: 597
  Options: (No TOS-capability, No DC)
  LS Type: AS External Link
  Link State ID: 192.168.11.0 (External Network Number )
  Advertising Router: 192.168.90.52
  LS Seq Number: 80000004
  Checksum: 0x57B0
  Length: 36
  Network Mask: /24
        Metric Type: 2 (Larger than any link state path)
        MTID: 0
        Metric: 10
        Forward Address: 0.0.0.0
        External Route Tag: 6550011

Cisco-1814#show ip route
S*    0.0.0.0/0 [100/0] via 192.168.90.254
O E2  192.168.11.0/24 [110/10] via 192.168.90.52, 01:36:33, FastEthernet0/0
      192.168.90.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.90.0/24 is directly connected, FastEthernet0/0
L        192.168.90.57/32 is directly connected, FastEthernet0/0
Topology: OSPF redistributed into BGP (the reverse direction)

[Topology figure: FGT200B (AS65500; port9 10.1.12.1; port11; port12) -- EBGP -- FGT100E (AS65501; dmz 10.1.12.2; wan1 192.168.90.52) -- OSPF Area 0 -- Cisco 1814 (F0/0 192.168.90.57; 172.16.11.0/24; 172.16.12.0/24)]

Requirement: OSPF routes are redistributed into BGP with filtering; only 172.16.11.0/24 may be redistributed into BGP.

Devices: FortiGate 200B v5.2.11, FortiGate 100E v5.4.5, Cisco 1814 IOS 15.1(4)M4.

This lab focuses on the routing policy and redistribution parts; route planning, firewall policies and other configuration are ignored.

Cisco 1814 key configuration

interface FastEthernet0/0
 ip address 192.168.90.57 255.255.255.0
!
interface FastEthernet0/1
 ip address 172.16.12.254 255.255.255.0 secondary
 ip address 172.16.11.254 255.255.255.0
!
router ospf 10
 router-id 192.168.90.57
 network 172.16.11.0 0.0.0.255 area 0
 network 172.16.12.0 0.0.0.255 area 0
 network 192.168.90.0 0.0.0.255 area 0
!
FGT100E key configuration

Interface IP and OSPF configuration

config system interface
  edit "dmz"
    set ip 10.1.12.2 255.255.255.0
    set allowaccess ping https ssh http
  next
  edit "wan1"
    set ip 192.168.90.52 255.255.255.0
    set allowaccess ping https ssh http
  next
end

config router ospf
  set router-id 192.168.90.52
  config area
    edit 0.0.0.0
    next
  end
  config network
    edit 1
      set prefix 192.168.90.0 255.255.255.0
    next
  end
end

FGT100E OSPF routes learned:

FG100E4Q16003541 # get router info ospf neighbor
OSPF process 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.90.57     1   Full/DR         00:00:39    192.168.90.57   wan1

FG100E4Q16003541 # get router info ospf database brief

                Router Link States (Area 0.0.0.0)

Link ID         ADV Router      Age   Seq#      CkSum  Flag  Link count
192.168.90.52   192.168.90.52   152   8000000b  96c4   0021  1
192.168.90.57   192.168.90.57   1681  8000015e  ac81   0002  3

                Net Link States (Area 0.0.0.0)

Link ID         ADV Router      Age   Seq#      CkSum  Flag
192.168.90.57   192.168.90.57   380   80000007  7dc7   001

FG100E4Q16003541 # get router info ospf database router lsa 192.168.90.57

                Router Link States (Area 0.0.0.0)

  LS age: 1685
  Options: 0x22 (* - DC - - - E -)
  Flags: 0x0
  LS Type: router-lsa
  Link State ID: 192.168.90.57
  Advertising Router: 192.168.90.57
  LS Seq Number: 8000015e
  Checksum: 0xac81
  Length: 60
   Number of Links: 3

    Link connected to: Stub Network
     (Link ID) Network/subnet number: 172.16.11.0
     (Link Data) Network Mask: 255.255.255.0
      Number of TOS metrics: 0
       TOS 0 Metric: 1

    Link connected to: Stub Network
     (Link ID) Network/subnet number: 172.16.12.0
     (Link Data) Network Mask: 255.255.255.0
      Number of TOS metrics: 0
       TOS 0 Metric: 1

    Link connected to: a Transit Network
     (Link ID) Designated Router address: 192.168.90.57
     (Link Data) Router Interface address: 192.168.90.57
      Number of TOS metrics: 0
       TOS 0 Metric: 1

FG100E4Q16003541 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 192.168.90.254, wan1
C       10.1.12.0/24 is directly connected, dmz
O       172.16.11.0/24 [110/11] via 192.168.90.57, wan1, 00:28:16
O       172.16.12.0/24 [110/11] via 192.168.90.57, wan1, 00:28:06
C       192.168.90.0/24 is directly connected, wan1

Route-Map configuration

config router prefix-list
  edit "net-172-16-11-0"
    config rule
      edit 1
        set prefix 172.16.11.0 255.255.255.0
        unset ge
        unset le
      next
    end
  next
end

config router route-map
  edit "route_map_re_ospf_to_bgp_tag"
    config rule
      edit 1
        set match-ip-address "net-172-16-11-0"
        set set-tag 17216110
      next
      edit 3
        set match-tag 17216110
      next
    end
  next
end

Configuration notes: first, configure a prefix-list or access-list that matches the wanted route. Then use the route-map to set tag 17216110 on that route, and finally match tag 17216110: only routes carrying tag 17216110 are matched, and all other routes are denied (a route-map ends with an implicit deny).

Interface IP and BGP configuration

config router bgp
  set as 65501
  config neighbor
    edit "10.1.12.1"
      set soft-reconfiguration enable
      set remote-as 65500
    next
  end
  config redistribute "ospf"
    set status enable
    set route-map "route_map_re_ospf_to_bgp_tag"
  end
end

FGT100E BGP routes advertised: FGT100E learns the two OSPF routes 172.16.11.0/24 and 172.16.12.0/24. The route-map sets the tag of 172.16.11.0/24 to 17216110 and leaves 172.16.12.0/24 untagged; when the OSPF routes are redistributed into BGP only routes with tag 17216110 are matched, so BGP imports only 172.16.11.0/24.

FG100E4Q16003541 # get router info bgp summary
BGP router identifier 192.168.90.52, local AS number 65501
BGP table version is 2
1 BGP AS-PATH entries
0 BGP community entries

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.1.12.1       4 65500     342     344        1    0    0 00:05:04        0

Total number of neighbors 1

FG100E4Q16003541 # get router info bgp network
BGP table version is 2, local router ID is 192.168.90.52
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 172.16.11.0/24   192.168.90.57           11         32768 ?

Total number of prefixes 1

FG100E4Q16003541 # get router info bgp network 172.16.11.0/24
BGP routing table entry for 172.16.11.0/24
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Advertised to non peer-group peers:
  10.1.12.1
  Local
    192.168.90.57 from 0.0.0.0 (192.168.90.52)
      Origin incomplete metric 11, localpref 100, weight 32768, valid, sourced, best
      Last update: Mon Sep 4 23:26:55 2017

FGT200B key configuration

Interface IP and BGP configuration

config system interface
  edit "port9"
    set ip 10.1.12.1 255.255.255.0
    set allowaccess ping https ssh http
  next
end

config router bgp
  set as 65500
  set router-id 10.1.12.1
  config neighbor
    edit "10.1.12.2"
      set soft-reconfiguration enable
      set remote-as 65501
    next
  end
end

FGT200B BGP routes learned (only the route left after filtering on FGT100E, 172.16.11.0/24, is learned):

FG200B3911608549 # get router info bgp summary
BGP router identifier 10.1.12.1, local AS number 65500
BGP table version is 3
1 BGP AS-PATH entries
0 BGP community entries

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.1.12.2       4 65501     341     346        0    0    0 00:10:03        1

Total number of neighbors 1

FG200B3911608549 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

C       10.1.12.0/24 is directly connected, port9
B       172.16.11.0/24 [20/11] via 10.1.12.2, port9, 00:10:04

FG200B3911608549 # get router info bgp network
BGP table version is 3, local router ID is 10.1.12.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 172.16.11.0/24   10.1.12.2               11             0 65501 ?

Total number of prefixes 1

FG200B3911608549 # get router info bgp network 172.16.11.0/24
BGP routing table entry for 172.16.11.0/24
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Not advertised to any peer
  65501
    10.1.12.2 from 10.1.12.2 (192.168.90.52)
      Origin incomplete metric 11, localpref 100, valid, external, best
      Last update: Mon Sep 4 23:21:50 2017
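The following Python model is an added example, not FortiGate code or part of the original document. It reproduces the route-map logic of both scenarios above (FGT200B's outbound Metric_set_6550011, FGT100E's route_map_re_bgp_to_ospf_med, and FGT100E's route_map_re_ospf_to_bgp_tag) so the filtering behaviour can be checked offline: rules are tried in order, the first rule whose match clauses all succeed permits the route and applies its set clauses, a rule with no match clause matches every route, and a route matching no rule falls to the implicit deny. The Route and Rule classes, the helper names, and the assumed first-match semantics are this example's own; list names, tags, MEDs and prefixes come from the document. It also shows the consequence of omitting the empty rule 2 from Metric_set_6550011, which the document relies on to keep 192.168.12.0/24 advertised.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Network
from typing import Optional


@dataclass
class Route:
    prefix: str                 # e.g. "192.168.11.0/24"
    metric: int = 0             # BGP MED or OSPF cost
    tag: Optional[int] = None   # route tag carried across redistribution


@dataclass
class Rule:
    """One 'config rule / edit N' entry; every clause is optional, as in the CLI."""
    match_ip_address: Optional[str] = None   # name of an access-list / prefix-list
    match_metric: Optional[int] = None
    match_tag: Optional[int] = None
    set_metric: Optional[int] = None
    set_tag: Optional[int] = None


def list_matches(entries, prefix):
    """Exact-prefix match: models access-list 'exact-match enable' and a
    prefix-list entry with ge/le unset, the only forms this document uses."""
    net = IPv4Network(prefix)
    return any(IPv4Network(e) == net for e in entries)


def rule_matches(rule, route, lists):
    """A rule matches when every match clause it carries succeeds; a rule
    with no match clause matches every route (assumed semantics)."""
    if rule.match_ip_address is not None and not list_matches(lists[rule.match_ip_address], route.prefix):
        return False
    if rule.match_metric is not None and route.metric != rule.match_metric:
        return False
    if rule.match_tag is not None and route.tag != rule.match_tag:
        return False
    return True


def apply_route_map(rules, route, lists):
    """First matching rule permits the route and applies its set clauses.
    A route that matches no rule is dropped: the implicit deny."""
    for rule in rules:
        if rule_matches(rule, route, lists):
            out = replace(route)  # copy, so the caller's route is untouched
            if rule.set_metric is not None:
                out.metric = rule.set_metric
            if rule.set_tag is not None:
                out.tag = rule.set_tag
            return out
    return None


def run_route_map(rules, routes, lists=None):
    """Apply a route-map to a list of routes and return the permitted ones."""
    lists = lists or {}
    results = (apply_route_map(rules, r, lists) for r in routes)
    return [r for r in results if r is not None]


# Scenario 1: BGP routes redistributed into OSPF

def fgt200b_advertised(catch_all=True):
    """FGT200B's outbound 'Metric_set_6550011': rule 1 stamps MED 6550011 on
    192.168.11.0/24, the empty rule 2 permits everything else. With
    catch_all=False that rule 2 is left out and the implicit deny takes over."""
    lists = {"net11": ["192.168.11.0/24"]}
    rules = [Rule(match_ip_address="net11", set_metric=6550011)]
    if catch_all:
        rules.append(Rule())
    local = [Route("192.168.11.0/24"), Route("192.168.12.0/24")]  # constructed input
    return run_route_map(rules, local, lists)


def scenario_bgp_to_ospf():
    """FGT100E's 'route_map_re_bgp_to_ospf_med' on the routes learned from
    FGT200B: MED 6550011 gets tag 6550011, every other route is denied."""
    rules = [
        Rule(match_metric=6550011, set_tag=6550011),  # edit 1
        Rule(match_tag=6550011),                      # edit 2
    ]
    return run_route_map(rules, fgt200b_advertised())


# Scenario 2: OSPF routes redistributed into BGP

def scenario_ospf_to_bgp():
    """FGT100E's 'route_map_re_ospf_to_bgp_tag' on the two OSPF routes learned
    from the Cisco 1814 (cost 11, as in the routing table above)."""
    lists = {"net-172-16-11-0": ["172.16.11.0/24"]}
    rules = [
        Rule(match_ip_address="net-172-16-11-0", set_tag=17216110),  # edit 1
        Rule(match_tag=17216110),                                    # edit 3
    ]
    learned = [Route("172.16.11.0/24", metric=11), Route("172.16.12.0/24", metric=11)]
    return run_route_map(rules, learned, lists)


if __name__ == "__main__":
    for name, routes in [("BGP -> OSPF", scenario_bgp_to_ospf()),
                         ("OSPF -> BGP", scenario_ospf_to_bgp()),
                         ("FGT200B without empty rule 2", fgt200b_advertised(catch_all=False))]:
        print(name, [(r.prefix, r.metric, r.tag) for r in routes])
```

Running the script prints one surviving prefix per scenario, matching the LSA and BGP table outputs above, and shows that without the empty rule 2 on FGT200B the neighbour would never receive 192.168.12.0/24 at all, which is the implicit-deny behaviour both configuration notes depend on.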