- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- BGP Route Priority
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
BGP Route Priority
hi Gents,
just a quick question- can you configure a priority for routes learned from BGP like you do for static routes?
bgp config - i have changed the admin distance to match that on static routes
gbp route map - I have set the metric same as the one on static routes
what i want to achieve is have a static default route and a default route learnt from BGP peers in the routing-table, I have seen the route in the database
Labels:
- Labels:
-
FortiGate
19 REPLIES 19
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If the same routes are from different protocols, which one would be in the routing-table is decided by the admin distances of the protocols.
You can either change static route's distance or change the admin distance of eBGP or iBGP to be the same with static route like below:
However, as described in the first KB the ECMP is applicable only to static and OSPF, basically. There is a way to allow ECMP inside of BGP:
But I'm not sure if this option makes ECMP possible between static routes and BGP routes.
Probably somebody from FTNT can answer to your question. Or, you just need to test it yourself since these would be simple changes. My guess is still the static default route is preferred over the BGP learned default route when admin distances are the same. Because I vaguely remember the same conversation was in this forum years ago and the conclusion at that time was the poster couldn't make them equal.
Toshi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have changed the admin distance and metric for BGP learned default route to match the static route ones so it also gets installed onto the routing table.... The only thing I can seen to figure out is how to configure priority for a BGP learned route like you do with statically configured routes
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you explain exactly what you're trying to accomplish?
Cheers,
Graham
Graham
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Gram,
I have 2x lines from one ISP and another from another ISP, they're running vrrp so with static routes that's my gateway. We have a different VIP range from the ISP, routes for that are injected onto the CE side - so my thinking is we can have BGP configured between my fgt and ISP 1 two CEs, they'll advertise a default route to me and I'll advertise out the VIP range, however the two routes need to appear in the routing table like they would if you have 2x static default routes with different priorities.
The reason I'd have BGP is that I also need to failover the VIP range between sites during a DR instead of having to log a call with the ISP 1 and have them statically failover the ranges.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry it's a bit confusing. You have two ISPs, one provides two links with VRRP and the other is just a single link?
What do you mean you have a different VIP range from the ISP? Are you talking about FortiGate VIP or different type of VIP here? VRRP VIP?
I still don't really understand what you're trying to accomplish with the static route from ISP2 and the BGP routing table from ISP1.
It sounds like you want to advertside ISP2's routes into ISP1's BGP instance? That.... doesn't sound like a good idea to me.
Maybe you can clear it up a bit better though?
Cheers,
Graham
Graham
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @gfleming ,
Yes - 2x ISP (one with two links and another just a single link).
We have a Public range on the ISP with 2xLinks - our Virtual IP range.
Initial:
-The FGT has 2x default routes for both these ISPs and the route is in the routing table each with a different priority configured.
- the public range is advertised to us statically on the ISP with 2xLinks
- During a failover to a DR site, the public range routing needs to be moved from this site and be advertised the other side - done by ISP.
What could be good to automating failover:
- have BGP instance with ISP with 2xlinks and advertise to them our public range and they'll advert out a default route
- have the matric and admin distance of the default route from BGP match that of the static so the route appears in the routing table - done via GBP global config and route-maps.
challenge:
--with the BGP default route in the routing table together with a statically configured one, can I configure a priority for the BGP learned default route?
- this is to configure a priority of the route like one would on FortiGate static routes
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK More questions now that I Have a clearer idea of what's going on. For future I will refer to 2x link ISP as "ISP1" and the other as "ISP2".
Does ISP1 use BGP with you today? If not do they even support talking BGP with you?
Does ISP2 use BGP and/or support it?
IS your public range a /24 or larger block that you own? Or is it an ISP block that is provided to you from your ISP? I.e. can you use the same public range on ISP2 when ISP1 is down?
The question of moving the public range to the DR site leads me to believe you are just being given a public block assigned (and owned) by the ISP1 as they are the ones involved in moving it to the DR site.
Have you spoken to your ISP about this? Have they suggested they could use BGP to solve it?
If so and this is all cleared up now is the issue that you want BGP default route to co-exist with static default route to ISP2 for things like load balancing, SD-WAN, etc?
If that is the case have you spoken to ISP2 to see if they support BGP?
Cheers,
Graham
Graham
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @gfleming ,
apologies for late response. ISP1 currently is static routing - they support BGP.
BGP not supported for ISP2
public range is a /27 provided by ISP1 - can't be used on ISP2. ISP1 assigned us the public block and owns it.
ISP1 has agreed to BGP - we'll have to do the same on the DR site.
yes the BGP default route should co-exist with the static default for ISP2 on the routing table for load-balancing. we do not have an SD-WAN license.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You cannot have a BGP route and a static route active at the same time.
You do not need a license to activate SD-WAN. SD-WAN will use both BGP and static routes simultaneously and let you define granular rules on how to steer traffic.
Or, alternatively, you look at alternative methods of migrating your public range over to the DR site that does not involve BGP....
Cheers,
Graham
Graham
Related Posts
- SD-WAN and none interface 11 Views
- Force the routing of a domain... 47 Views
- IPSec client is blocked by implicit... 373 Views
- FortiOS 7.2.4 IPSec split-tunnel breaks local... 235 Views
- BGP modify the mask of a... 126 Views
Labels
-
FortiGate
6,503 -
FortiClient
1,298 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
413 -
5.6
362 -
FortiAP
333 -
FortiSwitch
332 -
FortiClient EMS
261 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
149 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiGateCloud
87 -
FortiSIEM
86 -
FortiCloud Products
82 -
IPsec
70 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
58 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
FortiAuthenticator
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Security profile
5 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.