Hello,
We have several sites connected to each other via three IPsec VPNs over different ISPs, using SD-WAN and static routing.
We want to move from static routing to BGP and started some tests on one VPN using the normal neighbor configuration, and everything is working: the peering is OK and I can see the routing table.
Using three IPsec VPNs for each connected site involves a lot of neighbors to configure.
I want to use neighbor-group and neighbor-range, but the documentation about this lacks details.
Can I use the neighbor-group on each side?
Also, the neighbor-range implementation is not clear: what information must I insert when I declare a network range?
I implemented a test configuration, but the peering process does not start.
Below is the schema.
For test purposes I am using only the VPN over ISP3.
In the network range I declared the IP configured on the system interface for the peer interface.
On phase1-interface I disabled net-device.
I also set the policies to allow ping and TCP 179 between the loopback interfaces.
Below is the configuration:
FW1 BGP
config router bgp
set as 65000
set router-id 10.255.255.1
set ebgp-multipath enable
set ibgp-multipath enable
set additional-path enable
set multipath-recursive-distance enable
set graceful-restart enable
config neighbor-group
edit "ISP3"
set interface "ISP3"
set remote-as 65000
set update-source "LO-01"
set route-reflector-client enable
next
end
config neighbor-range
edit 3
set prefix 10.255.254.6 255.255.255.255
set max-neighbor-num 3
set neighbor-group "ISP3"
next
end
config network
edit 2
set prefix 10.36.10.0 255.255.254.0
next
edit 4
set prefix 10.1.1.0 255.255.255.0
next
edit 3
set prefix 10.36.0.0 255.255.255.0
next
edit 5
set prefix 10.1.0.0 255.255.0.0
next
edit 6
set prefix 10.35.1.0 255.255.255.0
next
edit 7
set prefix 10.36.0.0 255.255.0.0
next
edit 8
set prefix 10.37.1.0 255.255.255.0
next
edit 9
set prefix 10.50.1.0 255.255.255.0
next
edit 10
set prefix 10.255.255.1 255.255.255.255
next
end
end
FW2 BGP
config router bgp
set as 65000
set router-id 10.255.255.6
set ebgp-multipath enable
set ibgp-multipath enable
set additional-path enable
set multipath-recursive-distance enable
set graceful-restart enable
config neighbor-group
edit "ISP3"
set interface "ISP3"
set remote-as 65000
set update-source "LO-01"
next
end
config neighbor-range
edit 3
set prefix 10.255.254.1 255.255.255.255
set max-neighbor-num 3
set neighbor-group "ISP3"
next
end
config network
edit 1
set prefix 10.6.0.0 255.255.0.0
next
edit 2
set prefix 10.32.0.0 255.255.0.0
next
edit 3
set prefix 10.255.255.6 255.255.255.255
next
end
end
Thank you all
Vincenzo Stolfi
Both neighbor-group and neighbor-range are only locally significant. The other end wouldn't know whether the peer is using them or not, because this part is NOT in BGP's RFC/standard.
And BGP is a unicast protocol that cares only about the peer IP. It doesn't matter if it's a loopback, a tunnel interface IP or any other interface's, as long as it's reachable.
Toshi
Hi all,
I set the configuration and it is working, using FW1 with neighbor-group and FW2 with a normal neighbor.
For link selection I set on all firewalls a local-pref inbound route-map with set match-interface, and an AS-path prepend outbound route-map also with set match-interface.
###FW1###
config router bgp
set as 65000
set router-id 10.255.255.1
set ebgp-multipath enable
set ibgp-multipath enable
set additional-path enable
set multipath-recursive-distance enable
set graceful-restart enable
config neighbor-group
edit "EOLO"
set soft-reconfiguration enable
set remote-as 65000
set route-map-in "LocalPref-IN"
set route-map-out "Prepend-OUT"
set route-reflector-client enable
next
end
config neighbor-range
edit 1
set prefix 10.255.254.6 255.255.255.255
set neighbor-group "EOLO"
next
end
config network
edit 2
set prefix 10.36.10.0 255.255.254.0
next
edit 4
set prefix 10.1.1.0 255.255.255.0
next
edit 3
set prefix 10.36.0.0 255.255.255.0
next
edit 5
set prefix 10.1.0.0 255.255.0.0
next
edit 6
set prefix 10.35.1.0 255.255.255.0
next
edit 7
set prefix 10.36.0.0 255.255.0.0
next
edit 8
set prefix 10.37.1.0 255.255.255.0
next
edit 9
set prefix 10.50.1.0 255.255.255.0
next
edit 10
set prefix 10.255.255.1 255.255.255.255
next
end
end
###FW2###
NITCORFWL01 # show router bgp
config router bgp
set as 65000
set router-id 10.255.255.6
set ebgp-multipath enable
set ibgp-multipath enable
set additional-path enable
set multipath-recursive-distance enable
set graceful-restart enable
config neighbor
edit "10.255.254.1"
set soft-reconfiguration enable
set remote-as 65000
set route-map-in "LocalPref-IN"
set route-map-out "Prepend-Out"
next
edit "10.255.252.1"
set soft-reconfiguration enable
set remote-as 65000
set route-map-in "LocalPref-IN"
set route-map-out "Prepend-Out"
next
edit "10.255.253.1"
set soft-reconfiguration enable
set remote-as 65000
set route-map-in "LocalPref-IN"
set route-map-out "Prepend-Out"
next
end
config network
edit 1
set prefix 10.6.0.0 255.255.0.0
next
edit 2
set prefix 10.32.0.0 255.255.0.0
next
edit 3
set prefix 10.255.255.6 255.255.255.255
next
end
end
Thank you all for your help
Vincenzo
I haven't used the range and group yet, but found this conversation from two years ago. Look at @kcheng's comment:
https://community.fortinet.com/t5/Support-Forum/BGP-Neighbor-Ranges/m-p/290127
Toshi
Hi, @Toshi_Esumi already pointed to an example of range configs, but I'd advise against using features in which you have no experience and which are seldom used, to save you the unneeded headaches of troubleshooting non-standard configs. 3 BGP peers is not a lot by any means; on each FGT you only have to change 1 peer (itself) from the template. My 2 cents (not a real doctor).
I understand where @Yurisk's comment is coming from. I think for the same reason I haven't tried it with the FGTs we manage, although some of them have more than 100 neighbors. But we do use neighbor groups on Juniper routers in our large-scale network for a reason, mainly because of the significance of the groups.
That being said, I don't have anything against using/trying the technology, which probably started with Cisco and was adopted by other router vendors in the last century. Until you try, you will never get the experience to learn the pros and cons. Since your neighbors are only three and all of them have the same purpose, if you find it's difficult to manage you can always split them very easily.
By the way, FGT's routing protocol implementation is quite similar, if not the same, as Cisco's. You can translate (or map) config from Cisco almost 1-to-1. Then, if you can't find good documentation from FTNT, you can look at Cisco's documentation. You just need to translate the syntax differences when you read it.
Toshi
To clarify myself: I was talking mainly about ranges, not neighbor groups. Neighbor groups we also use a lot on Cisco boxes (we are a telco, so configuring thousands of BGP peers without neighbor groups would cause insanity). But we tried the ranges, or as Cisco calls them "dynamic ranges", when they became available, had some glitches and decided never to use them again unless it would really save creating a few hundred peers; so far we haven't had such a need. So I am pretty sure neighbor groups on FGT work just fine; ranges I would test thoroughly with actually hundreds of peers before going to production. For just 3-10 peers I wouldn't; again, my 2 cents.
Hi all,
I want to clarify that I need to use neighbor-group because I have to configure more than one connection between two sites: at least 20 sites x 3 IPsec VPNs, currently managed via static routes.
What I need to understand first is: in network-range, what network must I insert? The peer IP set on the VPN logical interface? In the admin guide there is a configuration without a schema to understand this.
https://docs.fortinet.com/document/fortigate/6.4.2/administration-guide/390427/configure-bgp
Thank you
Vincenzo
Hi all,
I did some tests this morning and understood the issue.
First, I'm not using the loopback interface as update-source, to simplify the architecture.
I set a neighbor group only on FW2 with network-range holding the IP 10.255.254.1 (peer IP of FW1 on the VPN over ISP3), and it works.
If I set the neighbor group also on FW1 in the same manner as FW2 there is no communication; I can't see port 179 traffic.
I checked the configuration of neighbor-group and by default passive is enabled. Disabling passive mode, the behavior does not change and the peering process does not start.
My doubt now is: is it possible to implement a neighbor group on only one side? Or is it possible to force each side to use a neighbor group and start the peering process?
Thank you all
Vincenzo
Created on 05-23-2025 09:19 AM Edited on 05-23-2025 09:22 AM
As @Toshi_Esumi already mentioned, neighbor-group AND dynamic ranges are locally significant; the neighbor knows nothing about this. And that is the reason you see what you see: a dynamic range basically tells the FortiGate "OK, this subnet is potentially allowed to initiate a BGP session with me", and so using a dynamic range automatically forces the peer where it is configured to switch to passive BGP mode. Carrying on the logic: if both peers are configured with dynamic ranges, both will enable passive BGP mode, and with both passive no one tries to establish a new BGP session. Think of it like LACP: if both sides are set to "passive", no LACP channel will be formed.
So bottom line: do use neighbor-groups on all FGTs, and do NOT use dynamic ranges at all.
I rest my case.
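The both-ends-passive trap described above is easy to catch before anything is pushed to a box. The following is an added example, not code from this thread or from Fortinet: a Python script that generates the range-holder side (neighbor-group plus a /32 neighbor-range per tunnel, the layout FW1 ended up with) and the explicit-neighbor side (the layout FW2 ended up with) of the FortiOS BGP block for three IPsec tunnels per site, parses both back, and reports every tunnel where neither end would open TCP/179. The hub/spoke naming, the "ISPn" group names, the interface naming scheme and the 10.255.25x.0 tunnel addresses are assumptions made for the example.

```python
# Added example for this thread, not the original poster's configuration. It
# emits FortiOS-style BGP CLI for a hub with three IPsec tunnels per spoke
# (neighbor-group + /32 neighbor-range on the hub, plain "config neighbor" on
# the spoke) and lints the pair for the both-sides-passive trap described above.
# Interface names, addresses and the "ISPn" group names are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

AS_NUMBER = 65000                      # single AS, iBGP, as in the thread
ACTIVE, PASSIVE = "neighbor", "range"  # explicit neighbor vs. learned via range

@dataclass(frozen=True)
class Tunnel:
    site: str      # remote site name, e.g. "FW2"
    isp: int       # 1..3, one IPsec tunnel per ISP
    hub_ip: str    # hub-side address on the tunnel interface
    spoke_ip: str  # spoke-side address on the tunnel interface

    @property
    def interface(self) -> str:
        return f"{self.site}-ISP{self.isp}"  # hypothetical naming scheme

def hub_bgp_config(tunnels, router_id):
    """Hub: one neighbor-group per ISP plus a /32 neighbor-range holding the
    *peer's* tunnel address. A range makes this side passive (it only listens)."""
    out = ["config router bgp", f"    set as {AS_NUMBER}",
           f"    set router-id {router_id}", "    config neighbor-group"]
    for isp in sorted({t.isp for t in tunnels}):
        out += [f'        edit "ISP{isp}"', f"            set remote-as {AS_NUMBER}",
                "            set route-reflector-client enable", "        next"]
    out += ["    end", "    config neighbor-range"]
    for idx, t in enumerate(tunnels, start=1):
        out += [f"        edit {idx}",
                f"            set prefix {t.spoke_ip} 255.255.255.255",
                f'            set neighbor-group "ISP{t.isp}"', "        next"]
    out += ["    end", "end"]
    return "\n".join(out)

def spoke_bgp_config(tunnels, router_id):
    """Spoke: explicit neighbors toward the hub, so this end actively opens
    TCP/179 and the passive hub accepts the session."""
    out = ["config router bgp", f"    set as {AS_NUMBER}",
           f"    set router-id {router_id}", "    config neighbor"]
    for t in tunnels:
        out += [f'        edit "{t.hub_ip}"',
                f"            set remote-as {AS_NUMBER}", "        next"]
    out += ["    end", "end"]
    return "\n".join(out)

def parse_peers(config):
    """Explicit neighbor IPs and neighbor-range networks. Tracks the current
    'config' table so 'set prefix' under 'config network' is not taken as a range."""
    explicit, ranges, section = set(), [], None
    for raw in config.splitlines():
        s = raw.strip()
        if s.startswith("config "):
            section = s[len("config "):]
        elif s == "end":
            section = None
        elif section == "neighbor" and s.startswith('edit "'):
            explicit.add(s.split('"')[1])
        elif section == "neighbor-range" and s.startswith("set prefix "):
            ip, mask = s.split()[2:4]
            ranges.append(ip_network(f"{ip}/{mask}", strict=False))
    return explicit, ranges

def mode_toward(parsed, peer_ip):
    """ACTIVE if peer_ip is an explicit neighbor, PASSIVE if only covered by a
    neighbor-range, None if this box does not know the peer at all."""
    explicit, ranges = parsed
    if peer_ip in explicit:
        return ACTIVE
    if any(ip_address(peer_ip) in net for net in ranges):
        return PASSIVE
    return None

def lint_sessions(hub_config, spoke_config, tunnels):
    """Tunnels whose session can never come up: one side does not know its peer,
    or both sides are passive (both use ranges), the failure seen in the thread."""
    hub, spoke = parse_peers(hub_config), parse_peers(spoke_config)
    bad = []
    for t in tunnels:
        a, b = mode_toward(hub, t.spoke_ip), mode_toward(spoke, t.hub_ip)
        if a is None or b is None or ACTIVE not in (a, b):
            bad.append(t.interface)
    return bad

# Constructed sample topology: hub FW1, spoke FW2, one tunnel per ISP1..ISP3.
FW2_TUNNELS = [Tunnel("FW2", n, f"10.255.25{n + 1}.1", f"10.255.25{n + 1}.2")
               for n in (1, 2, 3)]

if __name__ == "__main__":
    hub = hub_bgp_config(FW2_TUNNELS, "10.255.255.1")
    spoke = spoke_bgp_config(FW2_TUNNELS, "10.255.255.6")
    print(hub, spoke, "stalled: " + str(lint_sessions(hub, spoke, FW2_TUNNELS)), sep="\n\n")
    # The failed attempt: a range on both ends, so nobody ever opens the session.
    mirrored = [Tunnel("FW1", t.isp, t.spoke_ip, t.hub_ip) for t in FW2_TUNNELS]
    print("stalled:", lint_sessions(hub, hub_bgp_config(mirrored, "10.255.255.6"), FW2_TUNNELS))
```

Run it with python3 to print both generated blocks followed by the lint result. The first check returns an empty list; the mirrored case, where each FortiGate's neighbor-range holds the other side's tunnel IP, reproduces the failed attempt from the thread and flags all three tunnels. The parser only understands the flat layout the generator emits; real `show router bgp` output with nested tables under `config neighbor` would need a deeper state machine.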
Copyright 2025 Fortinet, Inc. All Rights Reserved.