FortiGate
sfernando
Staff
Article Id 308265
Description

This article describes a use case showing how BGP local preference and AS path prepending are applied to received and advertised routes, so that routing can be steered as required.

 

The following diagram is used as the reference for this article (diagram.png).

As per the above diagram:

  • FGT1 advertises LAN11 and LAN12.
  • FGT2 advertises LAN21 and LAN22.
  • FGT1 is on AS number 65600 and FGT2 is on AS number 65500.
Scope
FortiGate, local preference and AS path prepending for route manipulation in BGP.
Solution

In this example, changes are performed on FGT1 only, assuming it is the CX router.

 

Assume the CX needs to be capable of the following:

  1. As the CX (FGT1) receives the routes 10.55.0.0 and 10.98.0.0 on both ISP links, ISP1 and ISP2, it needs to prefer the routes received via ISP1. When ISP1 fails, the routes should be received via ISP2.
  2. When the CX (FGT1) advertises its networks (10.3.0.0/20 and 10.49.0.0/20), it needs to advertise them through the ISP2 link; if ISP2 fails, advertisement fails over to ISP1.

 

To achieve item 1, set the local preference to 200 for the routes received from the neighbor 10.56.241.57, while the other neighbor, 10.56.245.57, keeps the default local preference of 100.

 

Configure the prefix-list:

config router prefix-list
    edit "default"
        config rule
            edit 1
                set prefix any <- To apply to all incoming routes, set this to 'any'. Otherwise, configure it for the specific subnet.
                unset ge
                unset le
            next
        end
    next
end

 

Configure the route-map:

config router route-map
    edit "LocalPref200"
        config rule
            edit 1
                set match-ip-address "default"
                set set-local-preference 200
            next
        end
    next
end

 

Apply this route-map as route-map-in under the relevant neighbor.

 

To achieve item 2, prepend additional AS numbers to the AS path and apply the route-map to the relevant BGP neighbor:

config router route-map
    edit "inside1_out"
        config rule
            edit 1
                set set-aspath "65510 65510 65510 65510" <- In the original setup the neighbor is 2 AS hops away; the prepend makes the path longer.
                set set-ip-nexthop 0.0.0.0
                set set-originator-id 0.0.0.0
            next
        end
    next
end

 

Apply this route-map on the relevant BGP neighbor as route-map-out.

Below is the BGP configuration with both neighbors:

config router bgp
    set as 65500
    set router-id 1.1.1.1
    config neighbor
        edit "10.56.241.57" <- FGT1 only.
            set soft-reconfiguration enable
            set maximum-prefix 1000
            set maximum-prefix-threshold 85
            set maximum-prefix-warning-only enable
            set remote-as 65600
            set route-map-in "LocalPref200"
            set route-map-out "inside1_out"
            set password ENC
        next
        edit "10.56.245.57" <- FGT2 only.
            set soft-reconfiguration enable
            set remote-as 65600
            set password ENC
        next
    end
end
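To see how the two route-maps interact in the BGP decision process, the following Python model is an added example (it is not from this article or from FortiOS): it applies the article's route-map-in (local preference 200 from 10.56.241.57) and route-map-out (the 65510 prepend on the 10.56.241.57 link) to constructed routes and runs the first two best-path steps with and without each ISP link. The neighbor labels via-ISP1/via-ISP2, the origin AS taken from 'set as 65500', and the constructed route objects are assumptions.

```python
from dataclasses import dataclass

ISP1, ISP2 = "10.56.241.57", "10.56.245.57"   # FGT1's two eBGP neighbors from the article
FGT1_AS = 65500                               # assumption: origin AS, from 'set as 65500'
PREPEND = "65510 65510 65510 65510"           # 'set set-aspath' in route-map inside1_out

@dataclass
class Route:
    prefix: str
    neighbor: str            # peer the route was learned from
    as_path: list            # AS numbers as received, prepends included
    local_pref: int = 100    # FortiOS default local preference

def route_map_in(route, neighbor, local_pref=200):
    """Model of route-map 'LocalPref200': prefix-list 'default' is 'any',
    so every route learned from `neighbor` gets its local preference set."""
    if route.neighbor == neighbor:
        route.local_pref = local_pref
    return route

def route_map_out(route, aspath=PREPEND):
    """Model of 'set set-aspath': the listed ASNs are prepended on advertisement."""
    prepended = [int(a) for a in aspath.split()] + route.as_path
    return Route(route.prefix, route.neighbor, prepended, route.local_pref)

def best_path(routes):
    """Highest local preference wins, then the shortest AS path. The later
    tie-breakers are out of scope here; the neighbor string settles ties."""
    return min(routes, key=lambda r: (-r.local_pref, len(r.as_path), r.neighbor))

def fgt1_inbound(isp1_up=True):
    """Item 1: the neighbor FGT1 uses to reach 10.55.0.0, with or without ISP1."""
    learned = [Route("10.55.0.0", ISP2, [65600])]          # constructed: copy via ISP2
    if isp1_up:
        learned.append(Route("10.55.0.0", ISP1, [65600]))  # constructed: copy via ISP1
    learned = [route_map_in(r, ISP1) for r in learned]     # route-map-in on 10.56.241.57 only
    return best_path(learned).neighbor

def fgt2_inbound(isp2_up=True):
    """Item 2: the link FGT2 picks for 10.3.0.0/20 and the AS-path length it sees.
    The ISP1 copy carries the 'inside1_out' prepend; the ISP2 copy is unmodified."""
    seen = [route_map_out(Route("10.3.0.0/20", "via-ISP1", [FGT1_AS]))]
    if isp2_up:
        seen.append(Route("10.3.0.0/20", "via-ISP2", [FGT1_AS]))
    chosen = best_path(seen)
    return chosen.neighbor, len(chosen.as_path)

if __name__ == "__main__":
    print(fgt1_inbound(), fgt1_inbound(False), fgt2_inbound(), fgt2_inbound(False))
```

Withdrawing either link in the model reproduces the failover the article describes: the remaining copy is chosen regardless of its attributes.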

 

Verification of the configuration:

The following names were used on the lab devices:

  • FGT1 = BGP-Rmap.
  • FGT2 = BGP-plain.

Local preference on the FGT1 side (screenshots: Summary.JPG, BGPnetworks.jpg, 55NW.jpg, 98NW.jpg, routing table.jpg).

AS path prepending:

Advertised routes on FGT1 to the other end (screenshot: advertised routes.jpg).

Received routes at the FGT2 end (screenshots: Summary1.JPG, AS path prepend.jpg, 03NWp.jpg, 49NW.jpg, rT table 2.jpg).