Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
snowman386
New Contributor III

BGP Distance Question

Hey Everyone, is it possible to modify the BGP distance of a network that is advertised by a FortiGate? Here is the background of my problem:

First off, I am no BGP expert but I do have it set up and working fine advertising routes to our MPLS provider. The problem is that all the FortiGates on our network show the distance of the learned BGP routes as 20, the default value from the documents I've found. I would like to be able to advertise the same network at two different sites but with one having a higher distance (backup route). The only way I have been able to modify the BGP distance is by applying an access rule at one of the sites. The biggest problem is that this seems to only affect incoming routes, not outgoing routes. It would be much better if I could advertise the route with a higher distance so I only have to modify it on one router instead of every router that learns the route.

Any help would be appreciated. Thanks
emnoc
Esteemed Contributor III

snowman386 wrote:
First off, I am no BGP expert but I do have it set up and working fine advertising routes to our MPLS provider. The problem is that all the FortiGates on our network show the distance of the learned BGP routes as 20, the default value from the documents I've found. I would like to be able to advertise the same network at two different sites but with one having a higher distance (backup route). The only way I have been able to modify the BGP distance is by applying an access rule at one of the sites. The biggest problem is that this seems to only affect incoming

1st off, your thinking is right. You can't modify the distance on an outgoing route; distance is internal and not a BGP well-known attribute.
2nd, what you need to look at is to set as_path_prepend or, if internal to the same ISP provider, you set metrics for the path that you want to prefer.
3rd, if you're peering with 2 different providers, then you can't 100% control how someone routes into you.
I would suggest you review the FGT routing documentation.

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
ddskier
Contributor

You can make one BGP route look longer by using "Route-Maps" and weights (e.g. prepend the route). See example below (the xxx is your ASN number):

config router route-map
    edit "xxx-routemap"
        config rule
            edit 1
                set set-aspath "xxx xxx xxx xxx xxx"
            next
        end
    next
end
config router bgp
    config neighbor
        edit "1.2.3.4"
            set remote-as <Vendor 1 Supplied ASN>
            set weight 200
        next
        edit "2.3.4.5"
            set remote-as <Vendor 2 Supplied ASN>
            set route-map-out "xxx-routemap"
            set weight 100
        next
    end
end

-DDSkier FCNSA, FCNSP FortiGate 400D, (2) 200D, (12) 100D, (2) 60D

-DDSkier FCNSA, FCNSP FortiGate 400D, (2) 200D, (12) 100D, (2) 60D
rb400
New Contributor

ddskier wrote:
You can make one BGP route look longer by using "Route-Maps" and weights (e.g. prepend the route). See example below (the xxx is your ASN number):

config router route-map
    edit "xxx-routemap"
        config rule
            edit 1
                set set-aspath "xxx xxx xxx xxx xxx"
            next
        end
    next
end
config router bgp
    config neighbor
        edit "1.2.3.4"
            set remote-as <Vendor 1 Supplied ASN>
            set weight 200
        next
        edit "2.3.4.5"
            set remote-as <Vendor 2 Supplied ASN>
            set route-map-out "xxx-routemap"
            set weight 100
        next
    end
end

Does anyone know if this is still the best way to influence one route over another for outbound traffic? Thanks in advance.

 

*auto-sig* rb400 << FGT (v6.2.x)
emnoc
Esteemed Contributor III

 

local_pref, weights: for traffic outbound (from your perspective)

as_path prepending: for traffic inbound (from your perspective)

metrics: for traffic inbound if you have 2 links to the same ISP (it stays within the ISP; metrics are localized and non-transitive between ISPs)

 

Ken

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
rb400
New Contributor

emnoc wrote:
local_pref, weights: for traffic outbound (from your perspective)
as_path prepending: for traffic inbound (from your perspective)
metrics: for traffic inbound if you have 2 links to the same ISP (it stays within the ISP; metrics are localized and non-transitive between ISPs)
Ken

 

NOTE: It is extremely possible I do not understand local_pref and prepending. Worst case, I am in the wrong discussion string.

 

Scenario: we are using BGP (outside connections) and VDOMs. Our root VDOM is as follows:

Interface#port23 (neighbor 33333) is a 200Mbps fiber connection
Interface#port24 (neighbor 44444) is a 100Mbps fiber connection

interface#port24 seems to be overloaded with inbound (our perspective) traffic, hence it drops packets.
interface#port23 has headroom for more traffic but is fat and happy.

 

See typical workweek bandwidth consumption in the image linked below (link will expire in < 15 days or when the question is answered):

https://drive.google.com/...VMWvJU5SkhjVWg0X1ZDUVE

 

I tried suggestions using weight and route-map-out without any success. The weight settings seem not to have made any improvements. Route-map-out was applied to interface#port23 and it eliminated all INBOUND traffic. Hence I pulled the route-map-out setting from port#23. The image linked below is a picture of the gap when route-map-out was set:

https://drive.google.com/open?id=0Bzn6iVMWvJU5ZFB2SjlwbTRSTk0

(editor's note for the gap-image: yes, the "added added" is wrong, one "added" is sufficient)

 

ALL IP numbers except the zeroes and all ASNs have been altered.

Based on my edited settings below it seems interface#port24 is the "default" route and interface#port23 is only routing 33.0.0.0/14 traffic (my loose interpretation from my static-route type of knowledge):

config neighbor
    edit "23.23.23.121"
        set remote-as 33333
        set send-community6 disable
        set weight 100
    next
    edit "24.24.24.225"
        set remote-as 44444
        set send-community6 disable
        set weight 200
    next
end

 

interface#PORT23# get router info bgp neighbors 23.23.23.121 advertise
BGP table version is 13, local router ID is 111.222.196.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 33.0.0.0/14      23.23.23.122                         0 33333 i
*> 111.222.135.0    23.23.23.122                100  32768 i
*> 111.222.195.0    23.23.23.122                100  32768 i
*> 111.222.196.0    23.23.23.122                100  32768 i

Total number of prefixes 4

interface#PORT24# get router info bgp neighbors 24.24.24.225 advertise
BGP table version is 14, local router ID is 111.222.196.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 0.0.0.0/0        24.24.24.226                         0 44444 i
*> 111.222.135.0    24.24.24.226                100  32768 i
*> 111.222.195.0    24.24.24.226                100  32768 i
*> 111.222.196.0    24.24.24.226                100  32768 i

Total number of prefixes 4

 

BEST way to push more traffic to interface#port23 to best utilize the 200Mbps pipe? The ISP (44444) attached to Interface#port24 is dropping packets when the bandwidth consumption reaches 100Mbps.

 

*auto-sig* rb400 << FGT (v6.2.x)
emnoc
Esteemed Contributor III

I would caution the use of weights. Weight is not a known BGP attribute for path selection outside of your ASN. AS_path prepend, traffic policy management via provider community sets, and metrics are the only options you have.

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
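To make emnoc's split concrete (weight and local_pref decide this router's own outbound exit; only the AS path you announce reaches other ASes, which is what prepending changes; MED is compared only between paths from the same neighbor AS), here is an added toy model of the BGP decision process. It is example code written for this edit, not from the thread or from FortiOS; the ASN 65500 and the labels isp-a/isp-b/link1/link2 are constructed, while 33333/44444 and the next hops are rb400's already-altered values reused.

```python
from dataclasses import dataclass

OUR_AS = 65500  # constructed sample ASN (rb400's real ASNs were altered anyway)


@dataclass
class Path:
    next_hop: str
    as_path: tuple         # as_path[0] is the neighbor AS that sent us the route
    weight: int = 0        # router-local only (FortiGate 'set weight'); never advertised
    local_pref: int = 100  # valid inside one AS only; not carried across eBGP
    med: int = 0           # metric: compared only between paths from the same neighbor AS


def best_path(paths):
    """Simplified BGP decision: highest weight, highest local_pref, shortest AS path,
    then lowest MED. Returns None when only unmodelled tie-breakers would remain."""
    rank = lambda p: (-p.weight, -p.local_pref, len(p.as_path))
    top = min(rank(p) for p in paths)
    tied = [p for p in paths if rank(p) == top]
    if len({p.as_path[0] for p in tied}) == 1:  # one neighbor AS: MED is decisive
        return min(tied, key=lambda p: p.med)
    return None  # different neighbor ASes still tied: MED is not comparable here

def advertise(prepend_count=0):
    """AS path a neighbor receives for a prefix we originate: our AS once, plus the
    extra copies a route-map-out with 'set set-aspath "xxx xxx ..."' would add."""
    return (OUR_AS,) * (1 + prepend_count)

def outbound_choice(weight_port23, weight_port24):
    """Our router choosing the exit for a prefix learned from both ISPs: weight wins."""
    paths = [Path("23.23.23.122", (33333,), weight=weight_port23),
             Path("24.24.24.226", (44444,), weight=weight_port24)]
    best = best_path(paths)
    return best.next_hop if best else None

def inbound_choice(prepend_port23, prepend_port24):
    """A distant router's view of our prefix via both ISPs. Our weights never get
    there; only the AS-path length we announced does. Returns the chosen ISP ASN."""
    via_33333 = Path("isp-a", (33333,) + advertise(prepend_port23))
    via_44444 = Path("isp-b", (44444,) + advertise(prepend_port24))
    best = best_path([via_33333, via_44444])
    return best.as_path[0] if best else None

def same_isp_choice(med_link1, med_link2):
    """Two links to one ISP (AS 33333): the MED that ISP sets picks the link."""
    paths = [Path("link1", (33333,), med=med_link1), Path("link2", (33333,), med=med_link2)]
    return best_path(paths).next_hop
```

With rb400's weights (100 on port23, 200 on port24) the model sends outbound traffic via port24, matching the advertise output above; prepending on the port24 neighbor makes a distant router prefer the 33333 path, while equal announcements leave the remote choice to tie-breakers nobody here controls.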
ddskier

emnoc wrote:
I would caution the use of weights. Weight is not a known BGP attribute for path selection outside of your ASN. AS_path prepend, traffic policy management via provider community sets, and metrics are the only options you have.

I believe in this case the weight attribute is used by the firewall for which outbound route is preferred. Helps keep all outbound and inbound traffic using the same connection.

-DDSkier FCNSA, FCNSP FortiGate 400D, (2) 200D, (12) 100D, (2) 60D

-DDSkier FCNSA, FCNSP FortiGate 400D, (2) 200D, (12) 100D, (2) 60D
emnoc
Esteemed Contributor III

Correct, but it has no bearing on inbound, and you can't fully control how the internet routes inbound to you 100%.

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
snowman386
New Contributor III

Thanks for the help guys. The problem seems to be that I only have one neighbor. I tried setting the weights of the single neighbor to be different at each site but it didn't influence route selection. The only option on the "config network" is something called "backdoor", but when I enabled that, the route disappeared completely. I will try the outbound route-map. Is that equivalent to the prepend setting emnoc was talking about? I looked through the CLI guide and cannot find any command referring to AS prepending.