Description

This article describes how to set up BGP redundancy using a route-map.

Scope: FortiGate 7.x and earlier.
Solution

Topology:

 


 

  1. Create the respective interfaces on the firewalls:

Firewall-DC
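# Firewall-DC interfaces: two parallel links towards the branches plus a loopback.
config system interface
    # Link-01 (10.0.1.0/24); only ping is permitted on the interface via allowaccess.
    edit "port1"
        set vdom "root"
        set ip 10.0.1.1 255.255.255.0
        set allowaccess ping
        set type physical
        set alias "Link-01"
        set snmp-index 1
    next
    # Link-02 (10.0.2.0/24), the parallel path.
    edit "port2"
        set vdom "root"
        set ip 10.0.2.1 255.255.255.0
        set allowaccess ping
        set type physical
        set alias "Link-02"
        set snmp-index 2
    next
    # Loopback address: used as the BGP router-id in step 2 and advertised as a /24 in step 3.
    edit "Loopback01"
        set vdom "root"
        set ip 172.21.254.1 255.255.255.0
        set allowaccess ping
        set type loopback
        set role lan
        set snmp-index 13
    next
# 'end' closes the config table so the following commands run in the top-level context.
end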

 

Firewall-Branch1

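# Firewall-Branch1 interfaces: one address on each of the two links plus a loopback.
config system interface
    # Link-01 (10.0.1.0/24); only ping is permitted on the interface via allowaccess.
    edit "port1"
        set vdom "root"
        set ip 10.0.1.2 255.255.255.0
        set allowaccess ping
        set type physical
        set alias "Link-01"
        set snmp-index 1
    next
    # Link-02 (10.0.2.0/24), the parallel path.
    edit "port2"
        set vdom "root"
        set ip 10.0.2.2 255.255.255.0
        set allowaccess ping
        set type physical
        set alias "Link-02"
        set snmp-index 2
    next
    # Loopback address: used as the BGP router-id in step 2 and advertised as a /24 in step 3.
    edit "Loopback01"
        set vdom "root"
        set ip 192.168.1.1 255.255.255.0
        set allowaccess ping
        set type loopback
        set role lan
        set snmp-index 13
    next
# 'end' closes the config table so the following commands run in the top-level context.
end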

 

Firewall-Branch2
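 # Firewall-Branch2 interfaces. The 'config system interface' header and the 'next' after port2
 # are required for this listing to apply cleanly; without them port2 is not committed.
config system interface
    # Link-01 (10.0.1.0/24); only ping is permitted on the interface via allowaccess.
    edit "port1"
        set vdom "root"
        set ip 10.0.1.3 255.255.255.0
        set allowaccess ping
        set type physical
        set alias "Link-01"
        set snmp-index 1
    next
    # Link-02 (10.0.2.0/24), the parallel path.
    edit "port2"
        set vdom "root"
        set ip 10.0.2.3 255.255.255.0
        set allowaccess ping
        set type physical
        set alias "Link-02"
        set snmp-index 2
    next
    # Loopback address: used as the BGP router-id in step 2 and advertised as a /24 in step 3.
    edit "Loopback01"
        set vdom "root"
        set ip 192.168.2.1 255.255.255.0
        set allowaccess ping
        set type loopback
        set role lan
        set snmp-index 13
    next
end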

 

  2. Configure the BGP peers on both links.

Firewall-DC

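# Firewall-DC: eBGP to each branch over both links (four sessions in total), so every
# branch prefix is learned twice and best-path selection can prefer one link (step 4).
config router bgp
    set as 65000
    set router-id 172.21.254.1
    config neighbor
        # NOTE(review): these peerings carry no session authentication. For production, add
        # 'set password <shared-secret>' on both ends of each neighbor so the TCP session is
        # protected by BGP MD5 authentication, and make sure the inbound prefix-list referenced
        # by the route-maps in step 4 only permits the expected branch prefixes.
        edit "10.0.1.2"
            set interface "port1"
            set remote-as 65001
        next
        edit "10.0.1.3"
            set interface "port1"
            set remote-as 65002
        next
        edit "10.0.2.2"
            set interface "port2"
            set remote-as 65001
        next
        edit "10.0.2.3"
            set interface "port2"
            set remote-as 65002
        next
    end
# Closes 'config router bgp'; the neighbor table above is closed by its own 'end'.
end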

 

Firewall-Branch1

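# Firewall-Branch1: one eBGP session to the DC over each link.
config router bgp
    set as 65001
    set router-id 192.168.1.1
    config neighbor
        # NOTE(review): if 'set password <shared-secret>' is configured on the DC side, the same
        # value must be set on each neighbor here or the session will not establish.
        edit "10.0.1.1"
            set remote-as 65000
        next
        edit "10.0.2.1"
            set remote-as 65000
        next
    end
# Closes 'config router bgp'; the neighbor table above is closed by its own 'end'.
end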

 

Firewall-Branch2

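# Firewall-Branch2: one eBGP session to the DC over each link.
config router bgp
    set as 65002
    set router-id 192.168.2.1
    config neighbor
        # NOTE(review): if 'set password <shared-secret>' is configured on the DC side, the same
        # value must be set on each neighbor here or the session will not establish.
        edit "10.0.1.1"
            set remote-as 65000
        next
        edit "10.0.2.1"
            set remote-as 65000
        next
    end
# Closes 'config router bgp'; the neighbor table above is closed by its own 'end'.
end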

 

  3. Configure the networks to be advertised.

Firewall-DC

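# Firewall-DC: advertise the loopback prefix. 'as' and 'router-id' are repeated only for
# context; they were already set in step 2.
config router bgp
    set as 65000
    set router-id 172.21.254.1
    config network
        edit 1
            set prefix 172.21.254.0 255.255.255.0
        next
    end
end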

 

Firewall-Branch1
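# Firewall-Branch1: advertise the loopback prefix. 'as' and 'router-id' are repeated only for
# context; they were already set in step 2.
config router bgp
    set as 65001
    set router-id 192.168.1.1
    config network
        edit 1
            set prefix 192.168.1.0 255.255.255.0
        next
    end
end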

 

Firewall-Branch2
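# Firewall-Branch2: advertise the loopback prefix. 'as' and 'router-id' are repeated only for
# context; they were already set in step 2.
config router bgp
    set as 65002
    set router-id 192.168.2.1
    config network
        edit 1
            set prefix 192.168.2.0 255.255.255.0
        next
    end
end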

 

  4. Configure a route-map that sets a higher local preference on link1 so that it is preferred over link2.

 

Firewall-DC

# Firewall-DC: inbound route-maps, one per link. Both match the same prefix-list and differ only
# in the local preference they set; the higher value (200, link01) wins best-path selection over
# 100 (link02), which is what the '>' markers in the step 6 output show.
# NOTE(review): the prefix-list "prefix-in" is not defined anywhere in this article. It must exist
# under 'config router prefix-list' before these route-maps can be applied, and it should permit
# only the branch prefixes expected on these peerings (192.168.1.0/24 and 192.168.2.0/24) so that
# any other advertisement is not accepted.
config router route-map
    edit "map-in-link01"
        config rule
            edit 1
                set match-ip-address "prefix-in"
                set set-local-preference 200
            next
        end
    next
    edit "map-in-link02"
        config rule
            edit 1
                set match-ip-address "prefix-in"
                set set-local-preference 100
            next
        end
    next
end

 

  5. Adjust the BGP configuration to use the route-maps.

 

Firewall-DC

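# Firewall-DC: attach the inbound route-maps from step 4. Prefixes learned over port1 get
# local preference 200 and prefixes learned over port2 get 100, so port1 becomes the
# preferred path for every branch prefix.
config router bgp
    set as 65000
    set router-id 172.21.254.1
    config neighbor
        edit "10.0.1.2"
            set interface "port1"
            set remote-as 65001
            # link01: preferred path (local preference 200)
            set route-map-in "map-in-link01"
        next
        edit "10.0.1.3"
            set interface "port1"
            set remote-as 65002
            # link01: preferred path (local preference 200)
            set route-map-in "map-in-link01"
        next
        edit "10.0.2.2"
            set interface "port2"
            set remote-as 65001
            # link02: backup path (local preference 100)
            set route-map-in "map-in-link02"
        next
        edit "10.0.2.3"
            set interface "port2"
            set remote-as 65002
            # link02: backup path (local preference 100)
            set route-map-in "map-in-link02"
        next
    end
# Closes 'config router bgp'; the neighbor table above is closed by its own 'end'.
end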

 

  6. Check the BGP table and the routing table.

 

get router info bgp network
VRF 0 BGP table version is 3, local router ID is 172.21.254.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric     LocPrf Weight RouteTag Path
*> 172.21.254.0/24  0.0.0.0                       100  32768        0 i <-/1>
*> 192.168.1.0      10.0.1.2        0             200      0        0 65001 i <-/1> 
*                   10.0.2.2        0             100      0        0 65001 i <-/-> 
*  192.168.2.0      10.0.2.3        0             100      0        0 65002 i <-/->
*>                  10.0.1.3        0             200      0        0 65002 i <-/1>

Total number of prefixes 3

get router info routing-table bgp
Routing table for VRF=0
B       192.168.1.0/24 [20/0] via 10.0.1.2 (recursive is directly connected, port1), 1d19h31m, [1/0]
B       192.168.2.0/24 [20/0] via 10.0.1.3 (recursive is directly connected, port1), 1d19h31m, [1/0]

 

  7. Note that the local preference on link2 (10.0.2.0/24) is the lower value (100), as configured above, and that the routes installed in the routing table use link01.