Description
This article provides an understanding of the Border Gateway Protocol (BGP) Multi Exit Discriminator (MED) Attribute when passing over an autonomous system.
Some Facts about Multi Exit Discriminator (MED):
Some Facts about Multi Exit Discriminator (MED):
- It is applied on the BGP outbound routes.
- It influences the incoming traffic from neighboring autonomous systems.
- It can be passed from EBGP to IBGP.
- It can be passed from IBGP to IBGP.
- It can be passed from IBGP to EBGP.
- MED received from one EBGP neighbor cannot be passed to another EBGP neighbor:
FGT1(AS 100) ---- FGT2(AS 200) ---- FGT3(AS 200) ---- FGT4(AS 300)
As per the above scenario, FGT1 is advertising the route with MED 100 to FGT2 over EBGP. Then that MED can be received by FGT2. Also, the same MED 100 can be passed to FGT3 over IBGP. However, the route with MED 100 advertised by FGT3 to FGT4 will have MED value as 0 which is default MED value.
In short, MED advertised by AS100 can influence AS200, however, it has no influence on AS300. Hence, it is called as non-transitive attribute.
Scope
FortiGate.
Solution
Create a prefix list for the desired network being advertised to the AS.
config router prefix-list
edit "networkfromrouterone"
config rule
edit 1
set prefix 10.10.99.0 255.255.255.0
unset ge
unset le
next
end
next
end
Create a route map: 1. Set metric 2. Set the desired prefix list:
config router route-map
edit "newmtric"
config rule
edit 1
set match-ip-address "networkfromrouterone"
set set-metric 300
next
end
next
end
Apply the route map in the outbound direction - on the BGP neighbor config and clear BGP process.
execute router clear bgp all
Verify Metric is applied by running the following command:
get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S* 0.0.0.0/0 [5/0] via 24.27.64.1, wan2
S 10.10.10.0/24 [15/0] is directly connected, Work to apt_0
S 10.10.17.0/24 [15/0] is directly connected, Work to apt_0
C 10.10.18.0/26 is directly connected, test2
B 10.10.98.0/24 [20/300] via 172.20.1.1 (recursive is directly connected, testAZ), 00:02:23
B 10.10.99.0/24 [20/300] via 172.20.1.1 (recursive is directly connected, testAZ), 00:02:23
S 10.10.200.0/24 [15/0] is directly connected, Work to apt_0
S 10.10.201.0/24 [15/0] is directly connected, Work to apt_0
C 24.27.64.0/19 is directly connected, wan2
B 40.40.40.0/24 [20/300] via 172.20.1.1 (recursive is directly connected, testAZ), 00:02:51
B 50.50.50.0/24 [20/300] via 172.20.1.1 (recursive is directly connected, testAZ), 00:02:51
C 172.16.1.0/24 is directly connected, wifi
S 172.20.1.1/32 [10/0] is directly connected, testAZ
C 172.20.1.2/32 is directly connected, loop
C 192.168.1.0/24 is directly connected, lan
Note: In the case of hub and spokes topology, it is always recommended to apply the route map on the hub side so that only advertised routes with the adjusted metric will be advertised to the spoke.
Example:
- Service-Host device is hosting 1.1.1.1/32 prefix.
- The spoke firewall has two uplinks from the same service provider AS-65001.
Configuration:
- Filter for the prefix [1.1.1.1/32] has been applied at ISP1 and ISP2 using the below command:
ISP1 and ISP2 :
config router prefix-list
edit "MED"
config rule
edit 1
set prefix 1.1.1.1 255.255.255.255
unset ge
unset le
next
end
next
end
- Metric value: 5 has been applied by ISP2
ISP2:
config router route-map
edit "MEDRM"
config rule
edit 1
set match-ip-address "MED"
set set-metric 5
next
end
next
end
config router bgp
set as 65001
config neighbor
edit "10.40.19.118"
set remote-as 65222
next
edit "10.100.0.54"
set remote-as 65111
set route-map-out "MEDRM"
next
end
- Metric value: 100 has been applied by ISP1.
ISP1:
config router route-map
edit "MEDRM"
config rule
edit 1
set match-ip-address "MED"
set set-metric 100
next
end
next
end
config router bgp
set as 65001
config neighbor
edit "10.40.19.118"
set remote-as 65222
next
edit "10.100.0.50"
set remote-as 65111
set route-map-out "MEDRM"
next
end
end
- Prefix 1.1.1.1/32 has been selected best from ISP2 (next-hop 10.100.0.53) since the metric is lower than ISP1.
The MED attribute in BGP is only compared between routes received from the same autonomous system (AS).
If MED values are received from different AS's, they are not directly compared against each other. Instead, each AS's MED values are evaluated independently, and the best route is selected based on other BGP path selection criteria.
For example:
192.168.1.1 (assume it belongs to AS 65001) MED 100
172.16.0.1 and 172.17.0.1 (assume they belong to AS 65002) MED 150 and MED 160
Thus, among 172.16.0.1 and 172.17.0.1, BGP will select the one with the lower MED value for the best path.
Since these prefixes come from different AS's, their MED values will not be compared directly. Instead, BGP will consider other attributes like local preference, AS path length, origin type, and IGP metric when selecting the best route.
