Skip to main content
Alex_Yap_FTNT
Staff & Editor
Alex_Yap_FTNT
Staff & Editor
February 23, 2010

Technical Tip: BGP AS-Path prepending configuration example

  • February 23, 2010
  • 0 replies
  • 71217 views
Description This article describes using AS-PATH prepending with BGP multi-homed configurations to influence inbound traffic when announcing a subnet to multiple providers.
Scope FortiGate.
Solution

Purpose:
For enterprise networks using BGP with a multi-homed solution (connected to more than one ISP). It is often required to design the internet link with a primary/backup setup where the lower speed/lower quality internet link should only be used when the primary link has failed.


Since both ISPs are independent, the local preference might be lower on the desired/primary internet link and resulting in the desired traffic flow through the lower speed/quality path.

Even though there is a higher local preference on the Primary ISP router and lower on the secondary ISP router, some reverse traffic may hit the FortiGate via the secondary ISP link.

As Local preference is a non-transitive attribute, routers in the Primary ISP exchange is only inside their own AS (AS65101 in the example) and cannot pass it to the Secondary ISP’s AS (AS65201). Due to this, Secondary ISP is unaware of the Local Preference value set on the Primary AS.

In this case, BGP route selection can be influenced by using the AS_PATH attribute with multiple copies of the local AS number (AS-path prepending).


Diagram:


kb_4907_1.png

 

Expectations, Requirements:
  • BGP route selection on an Internet router for the return path/traffic can be influenced by using AS_PATH, which is a transitive attribute.
  • BGP prefers the shortest AS path to reach the destination.
  • It is possible to manipulate the path used by the return traffic with AS_PATH prepending while advertising the FortiGate DMZ prefix 93.184.216.34/32 to the Secondary ISP rather than relying on the Local Preference configured at the ISP end.
  • Even if Secondary ISP AS65201 has to reach DMZ prefix 93.184.216.34/32 behind the FortiGate, it will prefer the Primary ISP AS65101 as the next hop. It is because FortiGate advertises this prefix to the Secondary ISP with a longer AS_PATH compared to the same prefix advertised by the Primary ISP.
  • To manipulate the outgoing traffic from the FortiGate and prioritize the Primary ISP connection over Secondary ISP, make sure to set a higher Local preference or Weight for Primary ISP BGP peer than the Secondary ISP peer.

 

Configuration:
Interface Configuration with WAN1 (Primary ISP) and WAN2 (Secondary ISP), DMZ is the prefix to be published out, which is simulated by a Loopback interface:

 

config system interface

    edit "port2"

        set vdom "root"
        set ip 202.1.1.1 255.255.255.240
        set allowaccess ping
        set type physical
        set alias "WAN1"

    next
    edit "port3"

        set vdom "root"
        set ip 202.2.2.1 255.255.255.240
        set allowaccess ping
        set type physical
        set alias "WAN2"

    next

    edit "DMZ"

        set vdom "root"
        set ip 93.184.216.34 255.255.255.255
        set allowaccess ping
        set type loopback

    next

end


Route-map to publish the AS-Path with pre-pending:

 

config router route-map

    edit "Secondary_ISP"

        config rule

            edit 1

                set set-aspath "65301 65301 65301"

            next

        end

    next

end

 

Route-map that sets a higher local preference for prefixes received from the Primary ISP:

 

config router route-map

    edit "Primary_ISP"

        config rule

            edit 1

                set set-local-preference 200

            next

        end

    next

end

 

The route-maps are applied to both BGP neighbors:

 

config router bgp

    set as 65301

        config neighbor

            edit "202.1.1.2"

                set remote-as 65101
                set route-map-in “Primary_ISP”

            next
            edit "202.2.2.2"

                set remote-as 65201
                set route-map-out "Secondary_ISP"

            next

        end

        config network

            edit 1

                set prefix 93.184.216.34 255.255.255.255

            next

        end

    set router-id 3.3.3.3

end

 

Verification:

The following output shows on the Secondary ISP router before the pre-pending technique is applied, the best path to reach 93.184.216.34/32 is via 202.2.2.1:

ISP2-R1 # get router info bgp network
BGP table version is 8, local router ID is 2.2.2.2

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,

 S Stale

Origin codes: i - IGP, e - EGP, ? - incomplete

 

     Network        Next Hop       Metric LocPrf Weight RouteTag Path

*> 93.184.216.34/32 202.2.2.1            0             0        0 65301 i

* i                 101.1.1.1            0    100      0        0 65101 65301 i

*> 202.2.2.0/28     0.0.0.0                  100  32768        0 i

 

The following output shows on the Secondary ISP router after the pre-pending technique was applied, the best path to reach 93.184.216.34/32 is via 101.1.1.1 now:

ISP2-R1 # get router info bgp network
BGP table version is 10, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

      Network       Next Hop       Metric LocPrf Weight RouteTag Path
*>i93.184.216.34/32 101.1.1.1            0    100      0        0 65101 65301 i
* 202.2.2.1                              0             0        0 65301 65301 65301 65301 i
*> 202.2.2.0/28     0.0.0.0                   100  32768        0 i


Related articles:
Technical Note: Configuring BGP on a FortiGate with single-homed eBGP peering, iBGP peering, access-list and OSPF

Technical Tip: BGP dual-home example - solution to avoid RPF problem in asymetric routing scenario
    Terms & ConditionsAccessibility statement