Yosefw
New Contributor

BGP Default route as-prepending to a network behind a neighbor

Hi community!


I have the following network:
[Image: FG Default route.jpg]

I have control over FortiGate 1 and 2 but the routers (Cisco) belong to my customer.
I have a BGP peering between FG1 and R1 and between FG2 and R2. There is no BGP peering between FG1/2 and the remote sites routers.

The customer does have a BGP peering between R1/2 and all remote sites.

I'm looking for a way to advertise a default route from each FortiGate but have control over what route the remote site will prefer.
For example, I want Remote1 to prefer FG1 over FG2 but keep Remote2 and Remote3 preferring FG2.

Since I don't have a peering connection with the remote sites, I don't believe I can do it directly from FG1/FG2 (?)
I found this article explaining how to prepend a default route, but this would just allow me to do an active/passive setup for all remote sites.

I can ask the customer to take actions based on community tags I send to R1/R2, but I cannot set up a BGP peering between the FGs and the remote sites (there are actually many remote sites and it's not in the scope of work).

Any creative solution is welcome :)

Toshi_Esumi
SuperUser

A couple of pre-conditions:
1. No mention of the connection between R1/R2 and the remote routers. If they're "privately" connected, like MPLS, providing a default route over the link is easy. But if it's over IPsec over the internet, you need to have a way not to break the tunnel when the 0/0 route is introduced over the tunnel.
2. I'll assume at least FG1/FG2/R1/R2 have different/unique AS each.

3. You could use "capability-default-originate" as in the KB but be aware those FGTs would NOT stop advertising 0/0 route when they lose their internet paths.

Then my solution is to advertise the default route with a community like '1' and '2'. The community is a transitive attribute in the BGP domain. Then each customer's remote router can choose which one to prefer by setting local-preference based on the community attached to the route.

This way, each customer's/each remote router's preference can be different.


Toshi

Yosefw

Thank you for your reply @Toshi_Esumi
1. Between R1/R2 and the remote sites there is an MPLS network
2. That's correct - they have different ASNs
3. I will have a link monitor from FG1/2 monitoring the northbound connection and if it goes down it will stop advertising the default route south towards R1/R2.

I was also leaning towards doing something with a community tag, but I'm not sure how it would be able to granularly control a specific remote site.

Toshi_Esumi

I recently tested No. 3 with link-monitor for a FW VDOM fail-over situation. Even when link-monitor removed the static default route, eBGP kept advertising the default route if capability-default-originate was enabled.

It's not easy to remotely control what remote sides would choose (or force to choose). The best way is to put the preference configured on the remote side. You just need to provide the config for the customer to implement on their end. We do that for our customers when necessary.

Toshi

Yosefw

@Toshi_Esumi Just tried it in a lab and had the same results... cannot remove the default route advertisement. Were you able to find a solution?

Toshi_Esumi

You just need to disable it, then use "config router bgp / config redistribute static / set status enable" to use the redistributed static route for the advertisement.
Edit: You might want to filter the other routes out with a route-map.

When the link-monitor removes the static default route, it would disappear from eBGP route advertisement to R1 or R2.

Toshi
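As an added example (not configuration posted in this thread), here is what the scheme described in the replies above looks like in config: on the FortiGate, capability-default-originate is disabled and the static default route is redistributed through a route-map that keeps only 0/0 and tags it with a community, so the advertisement disappears as soon as link-monitor withdraws the static route; on the remote Cisco router, a route-map matching that community sets a higher local-preference. All AS numbers, neighbor addresses, community values and object names are constructed placeholders; FG2 would tag with a second community (e.g. 65002:2) and Remote2/Remote3 would prefer that one instead.

```text
# --- FortiGate 1 (constructed: AS 65001, peering with R1 at 10.0.0.2 / AS 65011) ---
# The static 0/0 route itself is withdrawn by link-monitor (update-static-route), not shown here.
config router prefix-list
    edit "DEFAULT-ONLY"
        config rule
            edit 1
                set prefix 0.0.0.0 0.0.0.0
                unset ge
                unset le
            next
        end
    next
end
config router route-map
    edit "EXPORT-DEFAULT"
        config rule
            edit 1
                set match-ip-address "DEFAULT-ONLY"
                set set-community "65001:1"
            next
        end
    next
end
config router bgp
    set as 65001
    config neighbor
        edit "10.0.0.2"
            set remote-as 65011
            set capability-default-originate disable
            set send-community standard
        next
    end
    config redistribute "static"
        set status enable
        set route-map "EXPORT-DEFAULT"
    end
end
! --- Remote1 (Cisco IOS, constructed: AS 65100, peering with R1 at 10.1.1.1 / AS 65011) ---
ip community-list standard VIA-FG1 permit 65001:1
route-map FROM-HUB permit 10
 match community VIA-FG1
 set local-preference 200
route-map FROM-HUB permit 20
router bgp 65100
 neighbor 10.1.1.1 remote-as 65011
 neighbor 10.1.1.1 route-map FROM-HUB in
```

Static routes that do not match the DEFAULT-ONLY prefix-list fall through the FortiOS route-map with no matching rule and are not redistributed, which is the filtering mentioned in the edit above; verify with "get router info bgp neighbors 10.0.0.2 advertised-routes" before and after the link-monitor fails.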
