Create an Access-list on a Route-Map that would deny a specific network on a BGP peering
Sample Topology:
Requirements
This example shows how to create a route-map-in on FortiGate2 that uses an access-list rule to deny the 10.10.30.0/24 prefix advertised by FortiGate1.
Configuration
FortiGate1 BGP GUI configuration:
FortiGate2 BGP GUI configuration:
FortiGate2 CLI configuration to deny the 10.10.30.0/24 network and allow any other network.
Access-list:
# config router access-list
# show
config router access-list
    edit "BLOCK_10.10.30.0/24"
        config rule
            edit 1
                set prefix 10.10.30.0 255.255.255.0
                set exact-match enable
            next
        end
    next
    edit "ALLOW_OTHER"
        config rule
            edit 1
                set prefix any
                set exact-match enable
            next
        end
    next
end
Route-map:
# config router route-map
# show
config router route-map
    edit "BLOCK_10.10.30.0/24"
        config rule
            edit 1
                set action deny
                set match-ip-address "BLOCK_10.10.30.0/24"
            next
            edit 2
                set match-ip-address "ALLOW_OTHER"
            next
        end
    next
end
Then assign that route-map to the route-map-in of the FortiGate2 neighbor configuration:
# config router bgp
# config neighbor
# edit 192.168.175.230
# set route-map-in "BLOCK_10.10.30.0/24"
# next
# end
# end
# show
config router bgp
    set as 20
    set router-id 192.168.175.231
    config neighbor
        edit "192.168.175.230"
            set remote-as 10
            set route-map-in "BLOCK_10.10.30.0/24"
        next
    end
    config redistribute "connected"
    end
    config redistribute "rip"
    end
    config redistribute "ospf"
    end
    config redistribute "static"
    end
    config redistribute "isis"
    end
end
Clear the BGP peering using this command for the route-map access-list to take effect:
# exec router clear bgp as 10      (10 because the AS on FortiGate1 is set to 10)
or
# exec router clear bgp all
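The following Python model, added here and not part of the Fortinet article, shows how the access-lists and route-map configured above are evaluated against prefixes learned from the neighbor, and why the ALLOW_OTHER rule is needed. It assumes (verify on your FortiOS release) that access-list rules are evaluated top-down with the first match deciding and no match meaning deny; that "exact-match enable" matches only the identical prefix and length while "exact-match disable" also matches more-specific prefixes inside it; that a route-map rule matches when its access-list permits the prefix; and that a prefix matched by no route-map rule is dropped (implicit deny). Rule 2 of the route-map has no "set action", so the model gives it the FortiOS default of permit. The prefix 10.10.30.0 255.255.255.0 is written in CIDR form, and the 10.10.30.0/25 test prefix is constructed to show the exact-match caveat.

```python
import ipaddress
from copy import deepcopy

# Constructed data mirroring the two access-lists from the article.
ACCESS_LISTS = {
    "BLOCK_10.10.30.0/24": [
        {"prefix": "10.10.30.0/24", "exact_match": True, "action": "permit"},
    ],
    "ALLOW_OTHER": [
        {"prefix": "any", "exact_match": True, "action": "permit"},
    ],
}

# Constructed data mirroring the route-map; rule 2 has no 'set action' in the
# article, so it keeps the FortiOS default of permit (assumption).
ROUTE_MAP = [
    {"id": 1, "action": "deny", "match": "BLOCK_10.10.30.0/24"},
    {"id": 2, "action": "permit", "match": "ALLOW_OTHER"},
]


def rule_matches(rule, prefix):
    """Does one access-list rule cover this prefix? (exact-match semantics assumed)"""
    if rule["prefix"] == "any":
        return True
    net = ipaddress.ip_network(rule["prefix"])
    if rule["exact_match"]:
        return prefix == net          # identical prefix and length only
    return prefix.subnet_of(net)      # the prefix or anything more specific inside it


def access_list_permits(access_lists, name, prefix):
    """First matching rule decides; an access-list with no matching rule denies."""
    for rule in access_lists[name]:
        if rule_matches(rule, prefix):
            return rule["action"] == "permit"
    return False


def evaluate_route_map(route_map, prefix_str, access_lists=ACCESS_LISTS):
    """Return (action, rule id) for a received prefix; ('deny', None) is the implicit deny."""
    prefix = ipaddress.ip_network(prefix_str)
    for rule in route_map:
        if access_list_permits(access_lists, rule["match"], prefix):
            return rule["action"], rule["id"]
    return "deny", None


def without_exact_match(access_lists):
    """Variant of the access-lists as if 'set exact-match disable' were used on every rule."""
    relaxed = deepcopy(access_lists)
    for rules in relaxed.values():
        for rule in rules:
            rule["exact_match"] = False
    return relaxed


if __name__ == "__main__":
    # The three prefixes FortiGate1 advertises in the lab, plus a more-specific one.
    for p in ("10.10.10.0/24", "10.10.30.0/24", "10.10.20.0/24", "10.10.30.0/25"):
        print(p, evaluate_route_map(ROUTE_MAP, p))
    # 10.10.30.0/25 slips past the exact-match rule; it is caught once
    # exact-match is disabled on the blocking access-list.
    print("10.10.30.0/25 without exact-match:",
          evaluate_route_map(ROUTE_MAP, "10.10.30.0/25", without_exact_match(ACCESS_LISTS)))
```

Run as written, the model denies 10.10.30.0/24 at rule 1 and permits 10.10.10.0/24 and 10.10.20.0/24 at rule 2, as the lab output later confirms. It also shows the practical caveat of "exact-match enable": a more-specific advertisement such as 10.10.30.0/25 is not covered by the deny rule and is permitted by ALLOW_OTHER, so if the intent is to block the whole range rather than one exact route, the blocking rule should match longer prefixes as well. Removing rule 2 makes every other prefix fall to the implicit deny.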
Troubleshooting
To confirm that the prefix is being blocked, run these commands:
# diag ip router bgp all en
# diag ip router bgp level info
# diag debug en
Note: to stop the debugging of the BGP, run these commands:
# diag debug disable
# diag ip router bgp all disable
# diag ip router bgp level none
Here is the sample result; the line "Prefix 10.10.30.0/24 denied due to route-map" confirms that the filter is applied:
BGP: [NETWORK] Accept Thread: Incoming conn from host 192.168.175.230 (FD=24)
BGP: 192.168.175.230-Outgoing [FSM] State: Idle Event: 14
BGP: 192.168.175.230-Outgoing [FSM] State: Idle Event: 3
BGP: 192.168.175.230-Outgoing [NETWORK] FD=24, Sock Status: 0-Success
BGP: 192.168.175.230-Outgoing [FSM] State: Connect Event: 17
BGP: 192.168.175.230-Outgoing [ENCODE] Msg-Hdr: Type 1
BGP: 192.168.175.230-Outgoing [ENCODE] Open: Ver 4 MyAS 20 Holdtime 180
BGP: 192.168.175.230-Outgoing [ENCODE] Open: Msg-Size 61
BGP: 192.168.175.230-Outgoing [DECODE] Msg-Hdr: type 1, length 61
BGP: 192.168.175.230-Outgoing [DECODE] Open: Optional param len 32
BGP: 192.168.175.230-Outgoing [DECODE] Open Opt: Option Type 2, Option Len 6
BGP: 192.168.175.230-Outgoing [DECODE] Open Cap: Cap Code 1, Cap Len 4
BGP: 192.168.175.230-Outgoing [DECODE] Open Opt: Option Type 2, Option Len 6
BGP: 192.168.175.230-Outgoing [DECODE] Open Cap: Cap Code 1, Cap Len 4
BGP: 192.168.175.230-Outgoing [DECODE] Open Opt: Option Type 2, Option Len 2
BGP: 192.168.175.230-Outgoing [DECODE] Open Cap: Cap Code 128, Cap Len 0
BGP: 192.168.175.230-Outgoing [DECODE] Open Cap: RR Cap(old) for all address-families
BGP: 192.168.175.230-Outgoing [DECODE] Open Opt: Option Type 2, Option Len 2
BGP: 192.168.175.230-Outgoing [DECODE] Open Cap: Cap Code 2, Cap Len 0
BGP: 192.168.175.230-Outgoing [DECODE] Open Cap: RR Cap(new) for all address-families
BGP: 192.168.175.230-Outgoing [DECODE] Open Opt: Option Type 2, Option Len 6
BGP: 192.168.175.230-Outgoing [DECODE] Open Cap: Cap Code 65, Cap Len 4
BGP: 192.168.175.230-Outgoing [FSM] State: OpenSent Event: 19
BGP: 192.168.175.230-Outgoing [ENCODE] Msg-Hdr: Type 4
BGP: 192.168.175.230-Outgoing [ENCODE] Keepalive: 28 KAlive msg(s) sent
BGP: bgp_keepalive_proc: notif_rcv 4-4
BGP: 192.168.175.230-Outgoing [DECODE] Msg-Hdr: type 4, length 19
BGP: 192.168.175.230-Outgoing [DECODE] KAlive: Received!
BGP: 192.168.175.230-Outgoing [FSM] State: OpenConfirm Event: 26
id=20300 logdesc="BGP neighbor status changed" msg="BGP: %BGP-5-ADJCHANGE: neighbor 192.168.175.230 Up "
BGP: 192.168.175.230-Outgoing [DECODE] Msg-Hdr: type 2, length 55
BGP: 192.168.175.230-Outgoing [DECODE] Update: Starting UPDATE decoding... Bytes To Read (36), msg_size (36)
BGP: 192.168.175.230-Outgoing [DECODE] Update: NLRI Len(12)
BGP: 192.168.175.230-Outgoing [FSM] State: Established Event: 27
BGP: 192.168.175.230-Outgoing [RIB] Update: Received Prefix 10.10.10.0/24
BGP: 192.168.175.230-Outgoing [RIB] Update: Prefix 10.10.30.0/24 denied due to route-map
BGP: 192.168.175.230-Outgoing [RIB] Update: Received Prefix 10.10.20.0/24
BGP: 192.168.175.230-Outgoing [FSM] State: Established Event: 34
BGP: [RIB] Scanning BGP Network Routes...
To make sure that the route 10.10.30.0/24 is not installed in the routing table of FortiGate2, run this command:
# get router info routing-table all
Here is the result of this lab:
# get router info routing-table all
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default
B       10.10.10.0/24 [20/0] via 192.168.175.230, port1, 00:01:19
B       10.10.20.0/24 [20/0] via 192.168.175.230, port1, 00:01:19
C       192.168.175.0/24 is directly connected, port1
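Checking the two outputs by eye works for one prefix; the following Python script, added here and not part of the Fortinet article, does the same cross-check mechanically: it parses the "diag ip router bgp" debug lines and the "get router info routing-table all" output, then reports any prefix that should have been blocked but shows no route-map deny or is still installed as a BGP route. The regular expressions are derived from the line formats visible in this article and are an assumption for other FortiOS releases; the two inputs are constructed abridgements of the lab output above.

```python
import re

# Constructed sample input, abridged from the debug output shown in the article.
DEBUG_LOG = """\
BGP: 192.168.175.230-Outgoing [FSM] State: OpenConfirm Event: 26
id=20300 logdesc="BGP neighbor status changed" msg="BGP: %BGP-5-ADJCHANGE: neighbor 192.168.175.230 Up "
BGP: 192.168.175.230-Outgoing [FSM] State: Established Event: 27
BGP: 192.168.175.230-Outgoing [RIB] Update: Received Prefix 10.10.10.0/24
BGP: 192.168.175.230-Outgoing [RIB] Update: Prefix 10.10.30.0/24 denied due to route-map
BGP: 192.168.175.230-Outgoing [RIB] Update: Received Prefix 10.10.20.0/24
"""

# Constructed sample input, abridged from the routing table shown in the article.
ROUTING_TABLE = """\
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
B       10.10.10.0/24 [20/0] via 192.168.175.230, port1, 00:01:19
B       10.10.20.0/24 [20/0] via 192.168.175.230, port1, 00:01:19
C       192.168.175.0/24 is directly connected, port1
"""

# Line formats taken from the article's output (assumed stable across releases).
RECEIVED_RE = re.compile(r"^BGP: (?P<peer>[\d.]+)-\w+ \[RIB\] Update: Received Prefix (?P<prefix>\S+)")
DENIED_RE = re.compile(r"^BGP: (?P<peer>[\d.]+)-\w+ \[RIB\] Update: Prefix (?P<prefix>\S+) denied due to route-map")
UP_RE = re.compile(r"%BGP-5-ADJCHANGE: neighbor (?P<peer>[\d.]+) Up")
BGP_ROUTE_RE = re.compile(r"^B\s+(?P<prefix>\S+) \[\d+/\d+\] via (?P<nexthop>[\d.]+),")


def parse_bgp_debug(text):
    """Return (peers that reached Up, accepted prefix -> peer, route-map-denied prefix -> peer)."""
    up, accepted, denied = set(), {}, {}
    for line in text.splitlines():
        if m := UP_RE.search(line):
            up.add(m["peer"])
        elif m := RECEIVED_RE.match(line):
            accepted[m["prefix"]] = m["peer"]
        elif m := DENIED_RE.match(line):
            denied[m["prefix"]] = m["peer"]
    return up, accepted, denied


def parse_bgp_routes(text):
    """Map each BGP ('B') prefix in the routing table to its next hop."""
    return {m["prefix"]: m["nexthop"]
            for m in map(BGP_ROUTE_RE.match, text.splitlines()) if m}


def verify_filter(debug_text, table_text, expected_blocked):
    """Return a list of findings; an empty list means the filter behaved as intended."""
    up, accepted, denied = parse_bgp_debug(debug_text)
    installed = parse_bgp_routes(table_text)
    findings = []
    if not up:
        findings.append("no neighbor reached Up; the debug capture may predate the session")
    for prefix in expected_blocked:
        if prefix not in denied:
            findings.append(f"{prefix}: no route-map deny recorded in the debug output")
        if prefix in installed:
            findings.append(f"{prefix}: still installed via {installed[prefix]}")
    for prefix, peer in accepted.items():
        if prefix not in installed:
            findings.append(f"{prefix}: accepted from {peer} but not installed as a B route "
                            "(a better route from another protocol may exist)")
    return findings


if __name__ == "__main__":
    for finding in verify_filter(DEBUG_LOG, ROUTING_TABLE, {"10.10.30.0/24"}) or ["filter OK"]:
        print(finding)
```

On the lab output the check returns no findings. The same function flags the failure modes worth watching for after a change: the blocked prefix missing from the deny lines (route-map not applied to this neighbor, or the session not cleared), the blocked prefix still present as a B route (stale entry or a second neighbor advertising it), and an accepted prefix that never reached the routing table.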