Hello, we have a BGP WAN connection with two interfaces - primary and secondary. We use weighting and prepending on these to prioritise the primary interface over the secondary. See below config.

We have just tried to advertise a statically configured default route out this pair of WAN interfaces by simply adding the command 'set-capability-default-originate enable' on each one (see attached screenshot). The default route was advertised. However, this seemed to result in default route flapping, i.e. BGP neighbours were sending default route traffic in to us via both our primary and secondary WAN interfaces (inconsistent behaviour). I do not understand how this could happen as we are using prepending on our secondary interface to force inbound traffic to only use the primary interface. Are there some commands we were missing on our WAN interfaces?

To clarify, we are advertising a default route on both our primary and backup WAN connections from this Fortigate because this particular Fortigate is the Internet gateway for the WAN.
The reason I am advertising it on both links is in case of us losing the primary connection and the secondary taking over i.e. redundancy.
As per my config, we are using AS prepending and weight to prefer the primary connection.
```
config router bgp
    set as 65100
    set router-id 192.168.3.105
    set network-import-check disable
    config neighbor
        edit "192.168.3.110"
            set remote-as 7714
            set weight 100
        next
        edit "192.168.3.118"
            set remote-as 7714
            set route-map-out "xxx-prepend"
        next
    end
end
config router route-map
    edit "xxx-prepend"
        config rule
            edit 10
                set set-aspath "65100 65100 65100"
            next
        end
    next
end
```
I think I have found the answer. It appears that standard route-maps used for BGP AS prepending do not work with default routes i.e.
https://kb.fortinet.com/kb/documentLink.do?externalID=FD45618
Please let me know if anyone thinks otherwise.
A real trap!
Are you an ISP? I'm confused as to why you would be advertising a default route on your WAN connections (presumably where you SEND your default traffic, no?)....
No screenshot was attached, but maybe give us a rough network drawing...
Hi there!
I have the same issue! Did you find a solution for it?
Regards
For the original poster's case, if you have control of BGP config on the default route receiving side, setting a lower local preference on the secondary side is a much more consistent way to differentiate between primary and secondary learned routes.
Toshi
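The following is an added illustration, not code from any poster in this thread: a simplified model of how two routers in AS 7714 would pick between the two default-route advertisements when the prepend is applied, when it is not applied to the originated default (the finding above), and when the receiving side sets a lower local preference on the secondary session. The receiver names, IGP metrics and the local preference value 90 are constructed, and the decision process is reduced to three steps.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Path:
    link: str                # "primary" or "secondary" session
    as_path: tuple           # AS_PATH as seen by the receiver
    local_pref: int = 100    # set by the receiver's own inbound policy
    igp_metric: int = 0      # receiver-specific cost to the BGP next hop

def best_path(paths):
    """Simplified decision: highest LOCAL_PREF, then shortest AS_PATH,
    then lowest IGP metric to the next hop."""
    return min(paths, key=lambda p: (-p.local_pref, len(p.as_path), p.igp_metric)).link

def advertise(prepend_applied):
    """AS_PATH of 0.0.0.0/0 on each session as sent by AS 65100."""
    primary = (65100,)
    # "xxx-prepend" adds 65100 three times, but only if it is actually applied
    secondary = (65100,) * 4 if prepend_applied else (65100,)
    return primary, secondary

# Constructed receivers: (IGP metric to primary next hop, to secondary next hop)
RECEIVERS = {"A": (10, 20), "B": (20, 10)}

def scenario(prepend_applied, secondary_local_pref=100):
    """Which link each receiver uses for default-route traffic."""
    pri, sec = advertise(prepend_applied)
    return {
        name: best_path([
            Path("primary", pri, igp_metric=m_pri),
            Path("secondary", sec, secondary_local_pref, m_sec),
        ])
        for name, (m_pri, m_sec) in RECEIVERS.items()
    }

if __name__ == "__main__":
    print("prepend applied:        ", scenario(True))
    print("prepend not applied:    ", scenario(False))
    print("receiver local-pref 90: ", scenario(False, secondary_local_pref=90))
```

With equal AS_PATH lengths the choice falls through to receiver-specific tie-breakers, which is why different neighbours can end up using different links.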