FortiGate
stroia
Staff
Article Id 338760
Description: This article explains why BGP routes prepended over an IBGP neighborship are received but discarded even though no route-map or prefix-list is applied, and how to avoid this.
Scope: FortiGate, SD-WAN.
Solution

In multipath communication between two sites routed via BGP, it is common to use the BGP AS-path prepending mechanism to define path preferences.

There are 2 types of BGP neighborship:

  • EBGP (Exterior BGP): the peers belong to different Autonomous Systems (AS); it should be used for route exchanges between two different organizations, typically over the internet.
  • IBGP (Interior BGP): the neighbors share the same AS; it should be used to exchange routes between devices of the same organization, over an intranet network.

The prepending mechanism must be used on EBGP (Exterior BGP), not on Internal IBGP (Interior BGP).

The related RFC document describes the scenario of routes prepended over the Internet, that is, over EBGP neighborships. Prepending applied on IBGP is not a covered scenario.

Here is an example of a wrong configuration, prepending over IBGP, and of what happens when it is used:

  • The route 10.50.20.0/24, prepended, is sent over an IBGP neighborship (as confirmed by the 'i' to the left of the subnet in the first command output of the last screenshot).
  • 172.100.0.2 is the IP of the first peer, the route advertiser, and 172.100.0.1 is the IP of the second peer, the route receiver.
  • As visible from the second peer configuration (screenshot: 21 Aug Second BGP Conf.png), no route-maps or prefix-lists are applied to it that would filter out the route.

  • On the second peer, the route 10.50.20.0/24 is received and discarded (screenshot: 21 Aug Route discarde.png).

The following message appears:

-----
2024-08-21 14:09:13 BGP: 172.100.0.2-Outgoing [RIB] Update: Prefix 10.50.20.0/24 path_id 0 denied due to as-path contains our own AS
-----

The route is correctly discarded by the BGP loop-prevention mechanism: the prepended AS-path contains the receiver's own AS, so the update is denied. Prepending over an IBGP neighborship is therefore not supported.
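As an added illustration that is not part of the article, the following Python model reproduces what happens on both sides of the neighborship: the advertiser builds the AS_PATH (with and without a prepend route-map, over IBGP and EBGP) and the receiver applies the own-AS loop check; it also matches the denial line shown above so it can be picked out of a debug capture. The AS numbers 65000/65001 and the function names are assumptions.

```python
import re
from typing import List, Optional

# Assumed AS numbers (the article does not state them): both FortiGates
# sit in AS 65000 for the iBGP case; 65001 is the remote side for eBGP.
LOCAL_AS = 65000
REMOTE_AS = 65001

# Constructed copy of the denial line quoted in the article.
SAMPLE_LOG = ("2024-08-21 14:09:13 BGP: 172.100.0.2-Outgoing [RIB] Update: "
              "Prefix 10.50.20.0/24 path_id 0 denied due to as-path contains our own AS")

def advertise(local_as: int, peer_as: int, as_path: List[int], prepend: int) -> List[int]:
    """AS_PATH a speaker sends for a route after a 'set as-path prepend' route-map.

    eBGP: the speaker adds its own AS once (normal RFC 4271 behaviour), then the
    route-map adds `prepend` more copies, all foreign to the receiver.
    iBGP: the AS_PATH is normally passed untouched; only the route-map adds copies,
    which is how the receiver's own AS ends up inside an iBGP update.
    """
    extra = [local_as] * prepend
    if peer_as != local_as:            # eBGP neighborship
        return [local_as] + extra + as_path
    return extra + as_path             # iBGP neighborship

def receive(local_as: int, as_path: List[int]) -> Optional[str]:
    """Receiver-side loop check: returns a denial reason, or None when accepted."""
    if local_as in as_path:
        return "as-path contains our own AS"
    return None

# Matches the FortiGate BGP debug denial line so it can be spotted in captured output.
DENY_RE = re.compile(r"BGP: (?P<peer>[\d.]+)-\w+ \[RIB\] Update: Prefix (?P<prefix>\S+) "
                     r"path_id \d+ denied due to (?P<reason>.+)$")

def parse_denial(line: str) -> Optional[dict]:
    """Extract peer, prefix and reason from a denial line; None if it is not one."""
    m = DENY_RE.search(line)
    return m.groupdict() if m else None

if __name__ == "__main__":
    origin_path: List[int] = []        # locally originated 10.50.20.0/24
    ibgp = advertise(LOCAL_AS, LOCAL_AS, origin_path, prepend=2)
    print("iBGP + prepend ->", ibgp, "|", receive(LOCAL_AS, ibgp))
    ebgp = advertise(LOCAL_AS, REMOTE_AS, origin_path, prepend=2)
    print("eBGP + prepend ->", ebgp, "|", receive(REMOTE_AS, ebgp))
    print(parse_denial(SAMPLE_LOG))
```

Running it shows the iBGP update denied with the same reason as the log above, while the eBGP update is accepted with a longer (less preferred) path, which is the intended effect of prepending.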

Suggestions about the correct configuration to use:

To influence route selection behavior with IBGP, it is possible to use other BGP attributes, such as:

Other suggestions are in chapter 4 of the RFC document quoted above.

Important notes:

In a Fortinet SD-WAN environment:

Related articles:

How to configure BGP AS prepending

BGP route selection-process