FortiGate
srajeswaran
Staff
Article Id 256878
Description

This article describes how to avoid issues with an IBGP route being preferred over an EBGP route.

Scope

FortiGate.
Solution

If the same prefix is learned from both an EBGP and an IBGP peer, the EBGP path is normally the one installed: BGP best-path selection prefers an EBGP path over an IBGP path once the earlier tie-breakers (weight, local preference, AS path length, origin, MED) are equal, and the installed EBGP route carries administrative distance 20 versus 200 for IBGP. This article explains a scenario in which the IBGP route becomes active even though the same route is also learned through EBGP.

Consider the following topology:

[Topology.png: FW1 peers with FW2 over IBGP on port4 (10.10.20.0/24) and with the ISP over EBGP on port3 (10.10.10.0/24)]

FW1 (AS 65001) has two BGP peers: FW2 at 10.10.20.3 (IBGP, same AS) and the ISP at 10.10.10.3 (EBGP, AS 65002). Both peers advertise the default route 0.0.0.0/0 to FW1.

The FW1 routing table shows that the IBGP route via 10.10.20.3 (FW2) is the active default route; the [200/0] marks it as IBGP (administrative distance 200). An installed EBGP route would show [20/0] instead:


get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

Routing table for VRF=0
B*      0.0.0.0/0 [200/0] via 10.10.20.3, port4, 01:43:18
C       10.10.10.0/24 is directly connected, port3
C       10.10.20.0/24 is directly connected, port4

 

Use 'get router info bgp network' to confirm the route is received from both peers:

 

get router info bgp network
VRF 0 BGP table version is 2, local router ID is 10.10.10.10
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop          Metric LocPrf Weight RouteTag Path
*>i0.0.0.0/0        10.10.20.3             0    100      0        0 ? <-/1>
*                   10.10.10.3             0             0        0 65002 ? <-/->

 

As shown in the output above, both paths are valid (*), but the IBGP path from FW2 is selected as best (*>) and carries a LocPrf of 100, while the LocPrf column for the EBGP path from the ISP is empty. FW2 has no explicit local-preference configuration that would add this value, as its BGP configuration shows:


show router bgp

config router bgp
    set as 65001
    set router-id 10.10.20.3
    config neighbor
        edit "10.10.20.1"
            set next-hop-self enable
            set remote-as 65001
        next
    end
    config network6
        edit 1
            set prefix6 ::/128
        next
    end
    config redistribute "static"
        set status enable
    end
end


Per RFC 4271 (section 5.1.5), LOCAL_PREF is a well-known discretionary attribute that a BGP speaker must include in every UPDATE it sends to internal (IBGP) peers and must not include in UPDATEs to external (EBGP) peers. The FortiGate BGP configuration has a default-local-preference of 100 (not printed by 'show router bgp' because it is the default value), so FW2 attaches LOCAL_PREF 100 to the default route it advertises to FW1 even though nothing in its configuration sets it explicitly.

 

When FW1 runs best-path selection on the two paths, local preference is compared right after weight (0 for both) and well before the EBGP-over-IBGP rule. The IBGP path from FW2 has LOCAL_PREF 100 and the EBGP path from the ISP carries no LOCAL_PREF, so the path through FW2 wins on local preference even though it is IBGP, and the EBGP-over-IBGP tie-breaker is never reached.

 

Apply any one of the following to ensure the EBGP route is preferred over IBGP:

1) On FW2, set the default local preference to zero under 'config router bgp' (set default-local-preference 0). Note that this changes the LOCAL_PREF FW2 attaches to every route it sends to all of its IBGP peers, not just the default route.

2) On FW2, apply an outbound route-map (set route-map-out under the 10.10.20.1 neighbor) with set-local-preference 0, optionally matching only the affected prefix.

3) On FW1, apply an inbound route-map (set route-map-in under the 10.10.20.3 neighbor) with set-local-preference 0.

4) On FW1, apply an inbound route-map (set route-map-in under the ISP neighbor 10.10.10.3) that sets a local preference higher than 100 on the EBGP path. FW1 will then also advertise that higher value to its IBGP peers, which is the usual way to steer the whole AS towards this exit.

Whichever option is used, verify the result with 'get router info bgp network' (the ISP path should now be marked *>) and 'get router info routing-table all' (the default route should show [20/0] via 10.10.10.3).
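As an added worked example (not part of the original article), the following FW1-side configuration implements options 3 and 4 together: an inbound route-map on the FW2 neighbor that resets local-preference to 0, and an inbound route-map on the ISP neighbor that raises it to 200. The prefix-list and route-map names and the value 200 are assumptions chosen for this example; the neighbor addresses and AS numbers are the ones shown in the outputs above. Either route-map on its own is enough to make the EBGP path win.

```fortios
# FW1: make the ISP (EBGP) default route win over the FW2 (IBGP) one.
# Names (DEFAULT-ONLY, LP-ZERO-FROM-FW2, LP-HIGH-FROM-ISP) and the value 200
# are assumptions for this example; addresses and ASNs match the article.

# 1) Match only the default route, so other prefixes keep their attributes.
config router prefix-list
    edit "DEFAULT-ONLY"
        config rule
            edit 1
                set prefix 0.0.0.0 0.0.0.0
                unset ge
                unset le
            next
        end
    next
end

# 2a) Option 3: strip the LOCAL_PREF 100 that FW2 attaches (set it to 0).
config router route-map
    edit "LP-ZERO-FROM-FW2"
        config rule
            edit 1
                set match-ip-address "DEFAULT-ONLY"
                set set-local-preference 0
            next
        end
    next
end

# 2b) Option 4: prefer the ISP path explicitly with a higher LOCAL_PREF.
config router route-map
    edit "LP-HIGH-FROM-ISP"
        config rule
            edit 1
                set match-ip-address "DEFAULT-ONLY"
                set set-local-preference 200
            next
        end
    next
end

# 3) Apply them inbound on the respective neighbors (local AS 65001, ISP AS 65002).
config router bgp
    set as 65001
    config neighbor
        edit "10.10.20.3"
            set remote-as 65001
            set route-map-in "LP-ZERO-FROM-FW2"
        next
        edit "10.10.10.3"
            set remote-as 65002
            set route-map-in "LP-HIGH-FROM-ISP"
        next
    end
end
```

Inbound policy is applied to routes as they are received, so after changing it request a soft inbound refresh from each neighbor with 'execute router clear bgp ip 10.10.10.3 soft in' and 'execute router clear bgp ip 10.10.20.3 soft in' (both peers must support route refresh) rather than resetting the sessions. Because FW1 now holds the ISP default with LOCAL_PREF 200, it advertises that value to FW2 over IBGP, so FW2 also learns FW1's exit as the preferred BGP path; FW2's own static default still wins in its routing table on administrative distance.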