Explorer

Solved

BGP neighbor-group implementation

Forum|Forum|1 year ago
May 22, 2025
6 replies
3750 views

Hello,

we have different sites connected between us via three vpn ipsec with different isp using sd-wan and static routing.

We want to move from static routing to bgp and started some test on one vpn using the normal neighbor configuration and all is working, the peering is ok and i see the routing table.

Using three vpn ipsec ffor each site connected ivolve a lot of neighbor to configure.

I want to use neighbor-group and neighbor-range, but the documentation about this is lack of details.

Can I use the neighbor-group on each side?

And also the neighbor-range implementation is not clear, what infomation I must insert when I declare a network range?

I implemented a test configuration, but the peering process is not started.

Below the schema

BGP over IPSEC.jpg

For test purpose I using only vpn over isp3.

In network range I declared the ip configurated in system interface for interface peer.

On phase1-interface I disabled net-device.

I set also the policies to allow ping and tcp 179 between loopback interfaces.

Below the configuration:

FW1 BGP

config router bgp
set as 65000
set router-id 10.255.255.1
set ebgp-multipath enable
set ibgp-multipath enable
set additional-path enable
set multipath-recursive-distance enable
set graceful-restart enable
config neighbor
config neighbor-group
edit "ISP3"
set interface "ISP3"
set remote-as 65000
set update-source "LO-01"
set route-reflector-client enable
next
end
config neighbor-range
edit 3
set prefix 10.255.254.6 255.255.255.255
set max-neighbor-num 3
set neighbor-group "ISP3"
next
end
config network
edit 2
set prefix 10.36.10.0 255.255.254.0
next
edit 4
set prefix 10.1.1.0 255.255.255.0
next
edit 3
set prefix 10.36.0.0 255.255.255.0
next
edit 5
set prefix 10.1.0.0 255.255.0.0
next
edit 6
set prefix 10.35.1.0 255.255.255.0
next
edit 7
set prefix 10.36.0.0 255.255.0.0
next
edit 8
set prefix 10.37.1.0 255.255.255.0
next
edit 9
set prefix 10.50.1.0 255.255.255.0
next
edit 10
set prefix 10.255.255.1 255.255.255.255
next
end

FW2 BGP

Config router bgp
set as 65000
set router-id 10.255.255.6
set ebgp-multipath enable
set ibgp-multipath enable
set additional-path enable
set multipath-recursive-distance enable
set graceful-restart enable
config neighbor-group
edit "ISP3"
set interface "ISP3"
set remote-as 65000
set update-source "LO-01"
next
end
config neighbor-range
edit 3
set prefix 10.255.254.1 255.255.255.255
set max-neighbor-num 3
set neighbor-group "ISP3"
next
end
config network
edit 1
set prefix 10.6.0.0 255.255.0.0
next
edit 2
set prefix 10.32.0.0 255.255.0.0
next
edit 3
set prefix 10.255.255.6 255.255.255.255
next
end

Tank You all

Vincenzo Stolfi

Best answer by Toshi_Esumi

Both neighbor-group and neighbor-range are only locally significant. The other end wouldn't know if the peer is using them or not. Because this part is NOT in BGP's RFC/standard.
And, BGP is unicast protocol and it cares only the peer IP. It doesn't matter if it's loopback or tunnel interface IP or any other interface's as long as it's reachable.

Toshi

Toshi_Esumi

SuperUser

I haven't used the range and group yet but found this conversation two years ago. Look at @kcheng 's comment:
https://community.fortinet.com/t5/Support-Forum/BGP-Neighbor-Ranges/m-p/290127

Toshi

Yurisk

SuperUser

Hi, @Toshi_Esumi already pointed to an example of range configs, but I'd advise against using features in which you have no experience and which are seldom used to save you unneeded head aches of troubleshooting non-standard configs. 3 BGP peers is not a lot by any means - on each FGT you have to only change 1 peer (itself) from template. My 2 cents (not a real doctor).

Toshi_Esumi

SuperUser

I understand where @Yurisk 's comment is coming from. I think for the same reason I haven't tried with FGTs we manage although some of them have more than 100 neighbors. But, we do use neighbor groups with Juniper routers for our large scale network for a reason. Mainly because of the significance of the groups.

That been said I don't have anything against using/trying the technology, which probably started by Cisco and adopted by other router providers in the last century. Until you try, you would never get experienced to learn pros&cons. Since your neighbors are only three and all of them have the same purpose, when you learned it's difficult to manage you can always split them very easily.

By the way, FGT's routing protocol implementation is quite similar, if not the same, with Cisco's. You can translate (or map) config from Cisco's almost 1-to-1. Then, if you can't find good document from FTNT, you can look for Cisco's document. Just need to translate the syntax difference when you read it.

Toshi

Yurisk

SuperUser

To clarify myself - I was talking mainly about ranges, not neighbor groups. Neighbor-groups we also use a lot on Cisco boxes (we are Telco, so configuring thousands of BGP peers w/o neighbor groups would cause insanity). But we tried the ranges or as Cisco call it "dynamic ranges" when it became available, had some glitches and decided never to use them again unless it would really save creating like few hundred peers instead, so far we haven't had such need. So I am pretty sure neighbor groups on FGT work just as fine, ranges - I would test thoroughly with actually hundreds of peers before going production. For just 3-10 peers, I wouldn't, again - my 2 cents.

vincenzoAuthor

Explorer

Hi all,

I want clarify that I need to use neighbor-group because I have to configure more than one connection between two site, at list 20 sites x 3 vpn ipsec actually managed via static route.

What I need to understand first is, in network-range what network I must insert? The ip peer set on vpn logical interface? In the admin guide there is configuration witout schema to understand this.

https://docs.fortinet.com/document/fortigate/6.4.2/administration-guide/390427/configure-bgp

Thank you

Vincenzo

vincenzoAuthor

Explorer

Hi all,

I do some test this morning and understood the issue.

First I'm not using the loopbak interface as update-source to simplify the architecture.

I set the a neighbor group only on fw2 with network-range the ip 10.255.254.1 (peer ip of FW1 on vpn isp3) and it's work.

If i set the network group also on fw1 in same manner as fw2 there is no communication, I can't see port 179 traffic.

I check the configuration of neighbor-group and by default is set passive enabled. Disabling passive mode the behavior not change and peering process not start.

My doubt now is, it is possible implement neighbor group only on one side? Or it is possible to force eache side to use neighbor group starting the peering process?

Thank you all

Vincenzo

Yurisk

SuperUser

As @Toshi_Esumi already mentioned - neighbor-group AND dynamic ranges are locally significant - the neighbor knows nothing about this. And that is the reason you see what you see - dynamic range basically tells Fortigate "OK, this subnet is potentially allowed to initiate BGP session with me", and so, using dynamic range automatically forces the peer where it is configured to switch to Passive BGP mode. And carrying on the logic - if both peers are configured with dynamic range, both will enable Passive BGP mode and both are passive - no one tries to establish new BGP session. Think of it like LACP - if both sides are set to "passive" no LACP channel will be formed.

So bottom line - do use neighbor-groups on all FGTs, and do NOT use dynamic ranges at all.

I rest my case.

Toshi_EsumiAnswer

SuperUser

Both neighbor-group and neighbor-range are only locally significant. The other end wouldn't know if the peer is using them or not. Because this part is NOT in BGP's RFC/standard.
And, BGP is unicast protocol and it cares only the peer IP. It doesn't matter if it's loopback or tunnel interface IP or any other interface's as long as it's reachable.

Toshi

AlbertoJD

New Member

That makes sense, Toshi. I’ve always thought of neighbor-groups more as a config simplification tool. Good to be reminded that the actual BGP session just cares about the peer IP and nothing else behind the scenes.

vincenzoAuthor

Explorer

Hi All,

I set the configuration and is working using FW1 with neighbor-group and FW2 with normal neighbor.

For link selection I set for all firewalls local-pref in with set match-interface and prepend out also with set match-interface.

###FW1###
config router bgp
set as 65000
set router-id 10.255.255.1
set ebgp-multipath enable
set ibgp-multipath enable
set additional-path enable
set multipath-recursive-distance enable
set graceful-restart enable
config neighbor-group
edit "EOLO"
set soft-reconfiguration enable
set remote-as 65000
set route-map-in "LocalPref-IN"
set route-map-out "Prepend-OUT"
set route-reflector-client enable
next
end
config neighbor-range
edit 1
set prefix 10.255.254.6 255.255.255.255
set neighbor-group "EOLO"
next
end
config network
edit 2
set prefix 10.36.10.0 255.255.254.0
next
edit 4
set prefix 10.1.1.0 255.255.255.0
next
edit 3
set prefix 10.36.0.0 255.255.255.0
next
edit 5
set prefix 10.1.0.0 255.255.0.0
next
edit 6
set prefix 10.35.1.0 255.255.255.0
next
edit 7
set prefix 10.36.0.0 255.255.0.0
next
edit 8
set prefix 10.37.1.0 255.255.255.0
next
edit 9
set prefix 10.50.1.0 255.255.255.0
next
edit 10
set prefix 10.255.255.1 255.255.255.255
next
end
end

###FW2###
NITCORFWL01 # show router bgp
config router bgp
set as 65000
set router-id 10.255.255.6
set ebgp-multipath enable
set ibgp-multipath enable
set additional-path enable
set multipath-recursive-distance enable
set graceful-restart enable
config neighbor
edit "10.255.254.1"
set soft-reconfiguration enable
set remote-as 65000
set route-map-in "LocalPref-IN"
set route-map-out "Prepend-Out"
next
edit "10.255.252.1"
set soft-reconfiguration enable
set remote-as 65000
set route-map-in "LocalPref-IN"
set route-map-out "Prepend-Out"
next
edit "10.255.253.1"
set soft-reconfiguration enable
set remote-as 65000
set route-map-in "LocalPref-IN"
set route-map-out "Prepend-Out"
next
end
config network
edit 1
set prefix 10.6.0.0 255.255.0.0
next
edit 2
set prefix 10.32.0.0 255.255.0.0
next
edit 3
set prefix 10.255.255.6 255.255.255.255
next
end
end

tank you all for your help

Vincenzo

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded