Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
- Fortinet Community
- Knowledge Base
- FortiGate
- Technical Tip: Use BGP Weight attribute to prefer ...
Options
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
Description
This article describes how to use BGP Weight attribute to prefer default route received from BGP neighbor over the default route originated by 'capability-default-originate' command in BGP.
When a FortiGate is receiving a default route from BGP neighbor 11.11.11.143, enabling 'capability-default-originate' for neighbor 100.1.1.141 will cause the FortiGate to stop displaying default route (learnt from neighbor 11.11.11.143) in the routing table.
Solution
- Post enabling 'capability-default-originate' for neighbor 100.1.1.141, the default route is locally originated in the BGP routing table.
- By default, BGP Weight attribute is set to 32768 for FortiGate locally originated prefixes.
- Weight is only locally significant in the FortiGate where it is configured, so for the routes received from the BGP neighbors, the weight attribute value is always 0.
- In the BGP best route selection criteria, weight is the first attribute to be checked.
- BGP prefers the routes with the highest Weight, hence default route originated using 'capability- default-originate' command is preferred as its weight is 32768 which is higher than default route received from neighbor 11.11.11.143 which is 0.
- To prefer the default route from the BGP neighbor 11.11.11.143, apply a route-map matching default route with weight more than 32768.
1) Create a Prefix set for default route.
This article describes how to use BGP Weight attribute to prefer default route received from BGP neighbor over the default route originated by 'capability-default-originate' command in BGP.
When a FortiGate is receiving a default route from BGP neighbor 11.11.11.143, enabling 'capability-default-originate' for neighbor 100.1.1.141 will cause the FortiGate to stop displaying default route (learnt from neighbor 11.11.11.143) in the routing table.
Solution
- Post enabling 'capability-default-originate' for neighbor 100.1.1.141, the default route is locally originated in the BGP routing table.
- By default, BGP Weight attribute is set to 32768 for FortiGate locally originated prefixes.
- Weight is only locally significant in the FortiGate where it is configured, so for the routes received from the BGP neighbors, the weight attribute value is always 0.
- In the BGP best route selection criteria, weight is the first attribute to be checked.
- BGP prefers the routes with the highest Weight, hence default route originated using 'capability- default-originate' command is preferred as its weight is 32768 which is higher than default route received from neighbor 11.11.11.143 which is 0.
- To prefer the default route from the BGP neighbor 11.11.11.143, apply a route-map matching default route with weight more than 32768.
1) Create a Prefix set for default route.
# config router prefix-list2) Create route-map matching default prefix-list and set the weight value to 40000.
edit "acl-143"
# config rule
edit 1
set prefix 0.0.0.0 0.0.0.0
unset ge
unset le
next
end
next
end
# config router route-map3) Apply the route-map against neighbor 11.11.11.143.
edit "143-in"
# config rule
edit 1
set match-ip-address "acl-143"
set set-weight 40000
next
end
next
end
# config router bgp4) Check the weight value.
set as 142
# config neighbor
edit "100.1.1.141"
set capability-default-originate enable
set next-hop-self enable
set soft-reconfiguration enable
set remote-as 141
next
edit "11.11.11.143"
set next-hop-self enable
set soft-reconfiguration enable
set remote-as 143
set route-map-in "143-in"
next
vm142 # get router info bgp network 0.0.0.05) Still, Weight 40000 is not set against default route received from neighbor 11.11.11.143 though route-map is applied. For route-map to come into effect soft clear the BGP neighbor.
BGP routing table entry for 0.0.0.0/0
Paths: (2 available, best 0000002, table Default-IP-Routing-Table)
Advertised to non peer-group peers:
100.1.1.141
143
11.11.11.143 from 11.11.11.143 (172.18.18.143)
Origin incomplete metric 0, localpref 100, valid, external
Last update: Mon Jun 16 14:59:32 2014
Local
0.0.0.0 from 0.0.0.0 (172.18.18.142)
Origin IGP, localpref 100, weight 32768, valid, sourced, local, best
Last update: Mon Jun 16 14:59:31 2014
# execute router clear bgp ip 11.11.11.143 soft6) Now, weight 40000 applied for the default route received from neighbor 11.11.11.143. Hence displaying as valid & best.
vm142 # get router info bgp network 0.0.0.07) Routing table is displaying the default route from neighbor 11.11.11.143.
BGP routing table entry for 0.0.0.0/0
Paths: (2 available, best 1, table Default-IP-Routing-Table)
Advertised to non peer-group peers:
100.1.1.141
143
11.11.11.143 from 11.11.11.143 (172.18.18.143)
Origin incomplete metric 0, localpref 100, weight 40000, valid, external, best
Last update: Mon Jun 16 15:09:31 2014
Local
0.0.0.0 from 0.0.0.0 (172.18.18.142)
Origin IGP, localpref 100, weight 32768, valid, sourced, local
Last update: Mon Jun 16 15:09:30 2014
vm142 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
B* 0.0.0.0/0 [20/0] via 11.11.11.143, port1, 00:02:17
C 11.11.11.0/24 is directly connected, port1
C 100.1.1.0/24 is directly connected, port10
C 172.18.18.0/24 is directly connected, port6
Related Articles
Labels:
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.