Purpose
Enterprise networks that use BGP with a multi-homed solution (connected to more than one ISP) are sometimes required to design the internet links as a primary/backup setup, where the lower-speed/lower-quality internet link should be used only when the primary link has failed.
Since the two ISPs are independent, the local preference might be lower on the desired/primary internet link, resulting in traffic flowing through the lower-speed/lower-quality path.
Sometimes, even though there is a higher local preference on the Primary ISP router and a lower one on the Secondary ISP router, some reverse traffic may still hit the FortiGate via the Secondary ISP link.
Because Local Preference is a non-transitive attribute, routers in the Primary ISP exchange it only inside their own AS (AS65101 in the example) and cannot pass it to the Secondary ISP's AS (AS65201). As a result, the Secondary ISP is unaware of the Local Preference value set in the Primary AS.
In this case, BGP route selection can be influenced by using the AS_PATH attribute with multiple copies of your own AS number (AS-path prepending).
Diagram

Expectations, Requirements
- BGP route selection on the internet routers for the return path/traffic can be influenced by using AS_PATH, which is a transitive attribute.
- BGP prefers the shortest AS path to reach the destination.
- It is possible to manipulate the path used by the return traffic with AS_PATH prepending while advertising the FortiGate DMZ prefix 93.184.216.34/32 to the Secondary ISP, rather than relying on the Local Preference configured at the ISP end.
- Even if Secondary ISP AS65201 has to reach the DMZ prefix 93.184.216.34/32 behind the FortiGate, it will prefer the Primary ISP AS65101 as the next hop, because the FortiGate advertises this prefix to the Secondary ISP with a longer AS_PATH compared to the same prefix advertised by the Primary ISP.
- To manipulate the outgoing traffic from the FortiGate and prioritize the Primary ISP connection over the Secondary ISP, make sure to set a higher Local Preference or Weight for the Primary ISP BGP peer than for the Secondary ISP peer.
Configuration
Interface configuration with WAN1 (Primary ISP) and WAN2 (Secondary ISP). DMZ is the prefix to be advertised; it is simulated here by a loopback interface:
config system interface
    edit "port2"
        set vdom "root"
        set ip 202.1.1.1 255.255.255.240
        set allowaccess ping
        set type physical
        set alias "WAN1"
    next
    edit "port3"
        set vdom "root"
        set ip 202.2.2.1 255.255.255.240
        set allowaccess ping
        set type physical
        set alias "WAN2"
    next
    edit "DMZ"
        set vdom "root"
        set ip 93.184.216.34 255.255.255.255
        set allowaccess ping
        set type loopback
    next
end
Route-map that prepends the local AS to the AS_PATH of routes advertised to the Secondary ISP:
config router route-map
    edit "Secondary_ISP"
        config rule
            edit 1
                set set-aspath "65301 65301 65301"
            next
        end
    next
end
Route-map that sets higher local preference for prefixes received from Primary ISP:
config router route-map
    edit "Primary_ISP"
        config rule
            edit 1
                set set-local-preference 200
            next
        end
    next
end
Each route-map is applied to its BGP neighbor: "Primary_ISP" inbound on the Primary ISP peer and "Secondary_ISP" outbound on the Secondary ISP peer:
config router bgp
    set as 65301
    config neighbor
        edit "202.1.1.2"
            set remote-as 65101
            set route-map-in "Primary_ISP"
        next
        edit "202.2.2.2"
            set remote-as 65201
            set route-map-out "Secondary_ISP"
        next
    end
    config network
        edit 1
            set prefix 93.184.216.34 255.255.255.255
        next
    end
    set router-id 3.3.3.3
end
Verification
The following output is from the Secondary ISP router before the prepending technique is applied. The best path to reach 93.184.216.34/32 is via 202.2.2.1:

ISP2-R1 # get router info bgp network
BGP table version is 8, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight RouteTag Path
*> 93.184.216.34/32 202.2.2.1 0 0 0 65301 i
* i 10.1.1.1 0 100 0 0 65101 65301 i
*> 202.2.2.0/28 0.0.0.0 100 32768 0 i
The following output is from the Secondary ISP router after the prepending technique was applied. The best path to reach 93.184.216.34/32 is now via 101.1.1.1:
ISP2-R1 # get router info bgp network
BGP table version is 10, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight RouteTag Path
*>i93.184.216.34/32 10.1.1.1 0 100 0 0 65101 65301 i
* 202.2.2.1 0 0 0 65301 65301 65301 65301 i
*> 202.2.2.0/28 0.0.0.0 100 32768 0 i
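The best-path change seen in the two outputs above can be reproduced with a simplified model of the BGP decision steps this article relies on. This is an added example, not part of the original article or any Fortinet code. It also goes one step beyond the article with a case where the Secondary ISP's own local-preference policy overrides the prepend; the value 200 in that case and the outbound AS paths (64500, 64501) are constructed assumptions.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Path:
    next_hop: str
    as_path: tuple          # AS numbers, nearest AS first
    local_pref: int = 100   # BGP default when no policy sets it
    weight: int = 0
    ebgp: bool = True

def best_path(paths):
    """Simplified BGP decision: highest weight, highest local preference,
    shortest AS_PATH, then eBGP over iBGP. Origin, MED and the later
    tie-breakers are left out of this model."""
    return min(paths, key=lambda p: (-p.weight, -p.local_pref,
                                     len(p.as_path), not p.ebgp))

def prepend(path, asn, count):
    """The path as the receiver sees it after the sender prepends asn count times."""
    return replace(path, as_path=(asn,) * count + path.as_path)

def scenarios():
    # ISP2-R1's two paths to 93.184.216.34/32, taken from the outputs above.
    direct = Path("202.2.2.1", (65301,))                        # eBGP from FortiGate
    via_primary = Path("10.1.1.1", (65101, 65301), ebgp=False)  # iBGP-learned
    prepended = prepend(direct, 65301, 3)   # set-aspath "65301 65301 65301"
    # Constructed case: Secondary ISP policy raises local preference on the
    # direct route (200 is an assumption, not a value from the article).
    pinned = replace(prepended, local_pref=200)
    # FortiGate outbound: route-map-in "Primary_ISP" sets local preference 200.
    # The destination AS paths below are constructed sample values.
    out_primary = Path("202.1.1.2", (65101, 64500, 64501), local_pref=200)
    out_secondary = Path("202.2.2.2", (65201, 64501))
    return {
        "before": best_path([direct, via_primary]).next_hop,
        "after_prepend": best_path([prepended, via_primary]).next_hop,
        "isp_local_pref_override": best_path([pinned, via_primary]).next_hop,
        "fortigate_outbound": best_path([out_primary, out_secondary]).next_hop,
    }

if __name__ == "__main__":
    for name, hop in scenarios().items():
        print(f"{name:26} best next hop {hop}")
```

In the third scenario the prepend has no effect, because local preference is compared before AS_PATH length. If the Secondary ISP still shows the direct path as best after prepending, check its LocPrf column first.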
Troubleshooting
Related Articles
Technical Note : BGP dual-home example - solution to avoid RPF problem in asymetric routing scenario