| Description | This article demonstrates a configuration using eBGP multihop to achieve link redundancy for a single BGP neighbor. |
| Scope | FortiGate. |
| Solution |
By default, IP protocol TTL is set to 1 for an eBGP session, meaning the BGP neighbor must be directly connected. To override that limitation, eBGP multihop can be used.
A common use case is load balancing between 2 BGP peers connected via 2 or more links. Because of recursive lookup, load sharing toward a BGP destination always occurs if there are several equal-cost IGP paths to the BGP next hop. In this example, load-balancing for the BGP next-hop is configured using two static routes on each peer.
FortiGate-1 configuration:
config router static
    edit <index>
        set dst 194.1.1.2 255.255.255.255
        set gateway 200.30.30.10
        set device "port2"
    next
    edit <index>
        set dst 194.1.1.2 255.255.255.255
        set gateway 200.30.30.2
        set device "port1"
    next
end
In this example, the eBGP session must be terminated on Loopback interfaces. Because of this, the neighbors are not considered directly connected. The configured loopback addresses are 194.1.1.1 and 194.1.1.2.
FortiGate-1 configuration:
config system interface
    edit "Loop-root"
        set vdom "root"
    next
end
A firewall policy to allow the remote peer to initiate BGP traffic is required on at least one side. It is recommended to apply a firewall policy on both sides.
config firewall policy
    edit <index>
        set name "BGP IN"
    next
end
To establish the session, 'ebgp-enforce-multihop' must be enabled. See the settings below:
config router bgp
    set as 10
    config neighbor
        edit "194.1.1.2"
            set ebgp-enforce-multihop enable
        next
    end
end
When the 'ebgp-enforce-multihop' command is enabled, the TTL for this peer is set to 255. This can be manually adjusted to a desired value with the command 'ebgp-multihop-ttl'.
In the example above, the TTL for this eBGP peer will be 10.
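The TTL rule described above can be checked against a saved configuration, so that peers left at the 255 default are noticed and tightened toward the real hop count. The following is an added example, not Fortinet code: the function names, the `max_ttl` threshold and the second neighbor (198.51.100.7) in the sample are assumptions made for illustration.

```python
import shlex
# Constructed sample in FortiOS CLI syntax; the second neighbor is made up.
SAMPLE_CONFIG = '''
config router bgp
    set as 10
    config neighbor
        edit "194.1.1.2"
            set ebgp-enforce-multihop enable
        next
        edit "198.51.100.7"
            set ebgp-enforce-multihop enable
            set ebgp-multihop-ttl 10
        next
    end
end
'''

def bgp_neighbors(config_text):
    """Return {neighbor: {option: value}} from 'config router bgp' > 'config neighbor'."""
    stack, neighbors, current = [], {}, None
    for raw in config_text.splitlines():
        tokens = shlex.split(raw)          # strips the quotes around names
        if not tokens:
            continue
        word, args = tokens[0], tokens[1:]
        if word == "config":
            stack.append(" ".join(args))   # enter a nested config section
        elif word == "end" and stack:
            stack.pop()                    # leave the current section
        elif stack == ["router bgp", "neighbor"]:
            if word == "edit" and args:
                current = neighbors.setdefault(args[0], {})
            elif word == "next":
                current = None
            elif word == "set" and current is not None and args:
                current[args[0]] = " ".join(args[1:])
    return neighbors

def effective_ttl(options):
    """TTL as the article states it: 1 for plain eBGP, 255 with multihop unless overridden."""
    if options.get("ebgp-enforce-multihop") != "enable":
        return 1
    return int(options.get("ebgp-multihop-ttl", 255))

def audit(config_text, max_ttl=10):
    """Return {neighbor: ttl} for neighbors whose session TTL exceeds max_ttl."""
    ttls = {n: effective_ttl(o) for n, o in bgp_neighbors(config_text).items()}
    return {n: t for n, t in ttls.items() if t > max_ttl}

print(audit(SAMPLE_CONFIG))
```

Only 194.1.1.2 is reported for the sample, because it enables multihop without setting 'ebgp-multihop-ttl'.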
eBGP and iBGP TTL Behavior:
|