FortiGate
pginete
Staff
Article Id 243178
Description

This article describes why the blackhole route is not working properly when using BGP over IPsec VPN.

Scope

FortiGate.
Solution

Setup:

10.1.1.0/24 (HQ LAN network) <> (AS 65500) FortiGate HQ IPsec VPN <> IPsec VPN FortiGate Branch (AS 65500) <> 10.1.2.0/24 (branch LAN network).

This scenario uses iBGP: both FortiGates are in the same AS (65500).

When BGP runs over an IPsec VPN and a blackhole route exists for the remote LAN, the blackhole route takes over while the VPN tunnel is down: traffic to that destination is dropped by the blackhole route instead of being forwarded over the default route.


HQ_FGT1 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

Routing table for VRF=0
S*      0.0.0.0/0 [1/0] via 1.2.3.4, port1
S       10.1.2.0/24 [254/0] is a summary, Null


When the tunnel comes back up, the blackhole route still takes precedence over the BGP route. This is because static route redistribution into BGP is enabled:


config router bgp
    config redistribute "static"
        set status enable
    end
end


This is expected: the blackhole route is a static route that was redistributed into BGP, so it takes precedence over the BGP route learned from the peer.

BGP treats the redistributed route as a locally originated route with a weight of 32768, which is higher than the weight of the received route. This can be verified with:

get router info bgp network

Regardless of the administrative distance, the blackhole route will still be chosen: BGP does not compare administrative distances when selecting a path.


Options to resolve this:

1. Filter the static routes that are redistributed into BGP so that the destination (branch LAN network, 10.1.2.0/24) is excluded. Create an access list and a route map to achieve this.

Create an access list and specify the network that should be redistributed into BGP:


config router access-list
    edit "static-to-BGP"
        config rule
            edit 1
                set prefix 192.168.1.0 255.255.255.0
                set exact-match enable
            next
        end
    next
end


Create a route map that references the access list:

config router route-map
    edit "filter-static-to-BGP"
        config rule
            edit 1
                set match-ip-address "static-to-BGP"
            next
        end
    next
end


Apply the route map to the BGP static redistribution:

config router bgp
    config redistribute "static"
        set status enable
        set route-map "filter-static-to-BGP"
    end
end


2. Apply a weight higher than 32768 to the received route.

Create the prefix list:

config router prefix-list
    edit "high-weight"
        config rule
            edit 1
                set prefix 10.1.2.0 255.255.255.0
                unset ge
                unset le
            next
        end
    next
end


Create a route map that matches the prefix list and sets a higher weight (for example, 40000):


config router route-map
    edit "high-weight-in"
        config rule
            edit 1
                set match-ip-address "high-weight"
                set set-weight 40000
            next
        end
    next
end

 

Apply the route map in the 'IN' direction on the neighbor configuration:

config router bgp
    config neighbor
        edit "neighbor_ip"
            set route-map-in "high-weight-in"
        next
    end
end


Perform a BGP soft clear for a specific BGP neighbor or for all neighbors so the route maps are applied:

execute router clear bgp all soft in
execute router clear bgp all soft out
execute router clear bgp ip <BGP neighbor> soft in
execute router clear bgp ip <BGP neighbor> soft out

Result:

When the tunnel goes down again and comes back up, the BGP route now takes precedence.


HQ_FGT1 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

Routing table for VRF=0
S*      0.0.0.0/0 [1/0] via 1.2.3.4, port1
B       10.1.2.0/24 [200/0] via 10.10.10.2, BGP_1, 00:05:58
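As an added example (not part of the original article or of FortiOS), the check below parses the output of 'get router info routing-table all' and reports, for each expected remote LAN prefix, whether the BGP route over the tunnel is installed or the static blackhole (Null) route is still winning, which is the symptom described above. The two sample tables are constructed from the before/after output shown in this article; the function and type names are my own.

```python
import re
from typing import NamedTuple
# Constructed samples: the two routing-table snapshots from this article (before/after the fix).
BEFORE_FIX = """\
S*      0.0.0.0/0 [1/0] via 1.2.3.4, port1
S       10.1.2.0/24 [254/0] is a summary, Null
"""
AFTER_FIX = """\
S*      0.0.0.0/0 [1/0] via 1.2.3.4, port1
B       10.1.2.0/24 [200/0] via 10.10.10.2, BGP_1, 00:05:58
"""

# One installed route: protocol code (optional '*' for candidate default), prefix, [distance/metric], rest.
ROUTE_RE = re.compile(r"^(?P<proto>[A-Z])\*?\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+"
                      r"\[(?P<distance>\d+)/\d+\]\s+(?P<rest>.*)$")

class Route(NamedTuple):
    proto: str      # S = static, B = BGP, C = connected, ...
    distance: int
    nexthop: str    # "Null" for a blackhole route

def parse_routing_table(text: str) -> dict[str, Route]:
    """Map prefix -> installed route, parsed from 'get router info routing-table all' output."""
    routes = {}
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue  # legend, header or blank line
        rest = m.group("rest")
        # "is a summary, Null" marks the blackhole; otherwise "via <nexthop>, <interface>, ..."
        nexthop = "Null" if rest.endswith("Null") else rest.split()[1].rstrip(",")
        routes[m.group("prefix")] = Route(m.group("proto"), int(m.group("distance")), nexthop)
    return routes

def check_vpn_prefixes(text: str, vpn_prefixes: list[str]) -> dict[str, str]:
    """Classify each expected remote-LAN prefix: 'bgp', 'blackhole', 'missing' or 'other:<code>'."""
    routes = parse_routing_table(text)
    verdicts = {}
    for prefix in vpn_prefixes:
        r = routes.get(prefix)
        if r is None:
            verdicts[prefix] = "missing"
        elif r.proto == "B":
            verdicts[prefix] = "bgp"        # tunnel route installed, as in the fixed table
        elif r.proto == "S" and r.nexthop == "Null":
            verdicts[prefix] = "blackhole"  # static Null route still wins: check redistribution/weight
        else:
            verdicts[prefix] = f"other:{r.proto}"
    return verdicts
```

Running check_vpn_prefixes over the first table returns 'blackhole' for 10.1.2.0/24 and 'bgp' over the second, so the same check can be scheduled against a live FortiGate to confirm the fix holds after the tunnel flaps.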