This article describes how to avoid issues with an IBGP route being preferred over an EBGP route.

If the same route is learned through EBGP and IBGP, the EBGP route is installed in the routing table due to its lower administrative distance (preference) value: Technical Tip: FortiGate IP route selection, and how to change the administrative distance (preferen.... This article explains a scenario where the IBGP route becomes active even though the same route is learned through EBGP.

Consider the following topology:

FW1 has two BGP peers, FW2(IBGP) and ISP (EBGP). Both peers are advertising the default route to FW1.

The FW1 route table shows that an IBGP route through 10.10.20.3 is active:

get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

Routing table for VRF=0
B*      0.0.0.0/0 [200/0] via 10.10.20.3, port4, 01:43:18
C       10.10.10.0/24 is directly connected, port3
C       10.10.20.0/24 is directly connected, port4

Use 'get router info bgp network' to confirm the route is received from both peers:

get router info bgp network
VRF 0 BGP table version is 2, local router ID is 10.10.10.10
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight RouteTag Path
*>i0.0.0.0/0 10.10.20.3 0 100 0 0 ? <-/1>
* 10.10.10.3 0 0 0 65002 ? <-/->

As shown in the above output, there is a local-preference value of 100 associated with the IBGP route, even though there is no specific configuration on FW2 to add this.

show router bgp

config router bgp

    set as 65001

    set router-id 10.10.20.3

        config neighbor

            edit "10.10.20.1"

                set next-hop-self enable

                set remote-as 65001

            next

        end

        config network6

            edit 1

                set prefix6 ::/128

            next

        end

        config redistribute "static"

            set status enable

end

As per the BGP RFC, all IBGP peers must include the local_preference value in the update messages to their internal BGP neighbors. This should not be advertised to external BGP neighbors. The default FortiGate firewall configuration includes a local-preference value of 100, which means FW2 will add the local-preference value 100 to the advertised route.

When FW1 processes the routes from the FW2 and ISP neighbors, the route through FW1 is preferred due to a higher local_preference value, even though it is learned through IBGP (Technical Tip: BGP route selection process).

1. Set the default local-preference to zero under the BGP config on FW2 (set default-local-preference 0).
2. Apply a route-map policy to set local-preference to zero on FW2 (for outgoing traffic).
3. Apply a route-map policy to set local-preference to zero on FW1 (for incoming traffic).
4. Apply a route-map policy to set local-preference to a higher value on FW1 for the EBGP peer (for incoming traffic).