Created on 05-17-2023 04:50 AM Edited on 05-17-2023 04:55 AM By Anthony_E
Description: This article describes how to avoid issues with an IBGP route being preferred over an EBGP route.
Scope: FortiGate.
Solution:
If the same route is learned through EBGP and IBGP, the EBGP route is generally activated due to its lower administrative distance (preference) value. This article explains a scenario where the IBGP route becomes active even though the same route is learned through EBGP.
Consider the following topology:
The FW1 route table shows an IBGP route through 10.10.20.3 is active:
get router info routing-table all
Use 'get router info bgp network' to confirm the route is received from both peers:
get router info bgp network
As shown in the above output, there is a local-preference value of 100 associated with the IBGP route even though there is no specific configuration on FW2 to add this.
show router bgp
config router bgp
    set as 65001
    set router-id 10.10.20.3
    config neighbor
        edit "10.10.20.1"
            set next-hop-self enable
            set remote-as 65001
        next
    end
    config network6
        edit 1
            set prefix6 ::/128
        next
    end
    config redistribute "static"
        set status enable
    end
end
As per the BGP RFC, an IBGP speaker must include the local_preference value in the UPDATE messages it sends to its internal BGP neighbors, and must not send it to external BGP neighbors. The default FortiGate configuration uses a local-preference value of 100, so FW2 adds local-preference 100 to the route it advertises to FW1.
When FW1 processes the routes from the FW2 and ISP neighbors, the route through FW2 is preferred due to its higher local_preference value even though it is learned through IBGP (BGP route selection process). Apply any one of the solutions below to ensure the EBGP route is preferred over the IBGP one:
1) Set the default local-preference to zero under the BGP config on FW2 (set default-local-preference 0).
2) Apply a route-map policy on FW2 that sets local-preference to zero (for outgoing updates).
3) Apply a route-map policy on FW1 that sets local-preference to zero (for incoming updates from FW2).
4) Apply a route-map policy on FW1 that sets local-preference to a higher value for the EBGP peer (for incoming updates from the ISP).
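To make the selection concrete, the following Python model is an added example (not FortiGate code and not part of the article): it builds the two paths FW1 sees for one prefix, has FW2 fill in LOCAL_PREF 100 when advertising to its IBGP neighbor as the RFC requires, runs the first decisive best-path steps, and then applies each of the four fixes. The prefix, the ISP address and the ISP AS number are constructed placeholders, and the model assumes that a route received without LOCAL_PREF is compared at the receiver's default value (the usual implementation behaviour, stated here as an assumption). Running it shows the IBGP path from FW2 winning before the EBGP-over-IBGP step is reached, and each fix making local-preference decide in the ISP route's favour.

```python
"""Model of the selection the article describes: FW1 receives the same prefix
from its IBGP peer FW2 and from the ISP (EBGP), plus the four local-preference
fixes. Hypothetical example; not FortiGate code."""
from dataclasses import dataclass, replace
from typing import Optional, Tuple

# Constructed values following the article's topology: FW2 is FW1's IBGP peer
# at 10.10.20.3. The ISP address, the prefix and the ISP AS are placeholders.
IBGP_PEER = "10.10.20.3"
EBGP_PEER = "198.51.100.1"   # placeholder
PREFIX = "10.0.0.0/24"       # placeholder
ISP_AS = 65002               # placeholder
DEFAULT_LOCAL_PREF = 100     # FortiGate's default-local-preference (from the article)


@dataclass(frozen=True)
class BgpRoute:
    prefix: str
    peer: str
    session: str                      # "ebgp", "ibgp" or "local" (redistributed)
    as_path: Tuple[int, ...]
    local_pref: Optional[int] = None  # None: LOCAL_PREF not present in the update


def advertise_to_ibgp(route: BgpRoute, default_local_pref: int = DEFAULT_LOCAL_PREF) -> BgpRoute:
    """FW2's side of the article: an UPDATE to an IBGP neighbor must carry
    LOCAL_PREF, so a route that has none is sent with the router's default."""
    lp = route.local_pref if route.local_pref is not None else default_local_pref
    return replace(route, peer=IBGP_PEER, session="ibgp", local_pref=lp)


def route_map_set_local_pref(route: BgpRoute, value: int) -> BgpRoute:
    """Effect of a route-map rule that sets local-preference on one route."""
    return replace(route, local_pref=value)


def effective_local_pref(route: BgpRoute, default: int = DEFAULT_LOCAL_PREF) -> int:
    """Modelling assumption: a received route with no LOCAL_PREF is compared
    at the receiving router's default value."""
    return route.local_pref if route.local_pref is not None else default


def select_best(routes) -> Tuple[BgpRoute, str]:
    """Return the winning route and the rule that decided, applying the first
    decisive steps of BGP best-path selection in order."""
    candidates = list(routes)
    rules = (
        ("local-preference", lambda r: -effective_local_pref(r)),  # highest wins
        ("as-path-length", lambda r: len(r.as_path)),              # shortest wins
        ("ebgp-over-ibgp", lambda r: 0 if r.session == "ebgp" else 1),
    )
    for name, key in rules:
        best = min(key(r) for r in candidates)
        candidates = [r for r in candidates if key(r) == best]
        if len(candidates) == 1:
            return candidates[0], name
    return candidates[0], "tie"


def fw1_selection(fix: Optional[str] = None) -> Tuple[BgpRoute, str]:
    """What FW1 selects for PREFIX with no fix, or with one of the article's four."""
    fw2_static = BgpRoute(PREFIX, "FW2", "local", ())           # redistributed static on FW2
    from_isp = BgpRoute(PREFIX, EBGP_PEER, "ebgp", (ISP_AS,))   # EBGP update, no LOCAL_PREF

    if fix == "fw2-default-local-pref-0":      # 1) set default-local-preference 0 on FW2
        from_fw2 = advertise_to_ibgp(fw2_static, default_local_pref=0)
    elif fix == "fw2-route-map-out":           # 2) outgoing route-map on FW2, local-preference 0
        from_fw2 = advertise_to_ibgp(route_map_set_local_pref(fw2_static, 0))
    else:
        from_fw2 = advertise_to_ibgp(fw2_static)

    if fix == "fw1-route-map-in-ibgp":         # 3) incoming route-map on FW1 for FW2, local-preference 0
        from_fw2 = route_map_set_local_pref(from_fw2, 0)
    elif fix == "fw1-route-map-in-ebgp":       # 4) incoming route-map on FW1 for the ISP, higher value
        from_isp = route_map_set_local_pref(from_isp, 200)

    return select_best([from_fw2, from_isp])


if __name__ == "__main__":
    for fix in (None, "fw2-default-local-pref-0", "fw2-route-map-out",
                "fw1-route-map-in-ibgp", "fw1-route-map-in-ebgp"):
        route, rule = fw1_selection(fix)
        print(f"{str(fix):28} -> {route.session} via {route.peer} (decided by {rule})")
```

The deciding rule the model reports is the thing to cross-check on the firewall after applying a fix: 'get router info bgp network' should then mark the EBGP path as best.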