Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
vincenzo
New Contributor III

BGP neighbor-group implementation

Hello,

We have several sites connected to each other via three IPsec VPNs over different ISPs, using SD-WAN and static routing.

We want to move from static routing to BGP and started some tests on one VPN using the normal neighbor configuration; everything is working, the peering is OK and I see the routing table.

Using three IPsec VPNs for each connected site involves a lot of neighbors to configure.

I want to use neighbor-group and neighbor-range, but the documentation about this lacks details.

Can I use the neighbor-group on each side?

Also, the neighbor-range implementation is not clear: what information must I insert when I declare a network range?

I implemented a test configuration, but the peering process does not start.

Below the schema:

[image: BGP over IPSEC.jpg]

For test purposes I am using only the VPN over ISP3.

In the neighbor-range I declared the IP configured under system interface for the peer's interface.

On the phase1-interface I disabled net-device.

I also set the policies to allow ping and TCP 179 between the loopback interfaces.

Below the configuration:

FW1 BGP

config router bgp
    set as 65000
    set router-id 10.255.255.1
    set ebgp-multipath enable
    set ibgp-multipath enable
    set additional-path enable
    set multipath-recursive-distance enable
    set graceful-restart enable
    config neighbor-group
        edit "ISP3"
            set interface "ISP3"
            set remote-as 65000
            set update-source "LO-01"
            set route-reflector-client enable
        next
    end
    config neighbor-range
        edit 3
            set prefix 10.255.254.6 255.255.255.255
            set max-neighbor-num 3
            set neighbor-group "ISP3"
        next
    end
    config network
        edit 2
            set prefix 10.36.10.0 255.255.254.0
        next
        edit 4
            set prefix 10.1.1.0 255.255.255.0
        next
        edit 3
            set prefix 10.36.0.0 255.255.255.0
        next
        edit 5
            set prefix 10.1.0.0 255.255.0.0
        next
        edit 6
            set prefix 10.35.1.0 255.255.255.0
        next
        edit 7
            set prefix 10.36.0.0 255.255.0.0
        next
        edit 8
            set prefix 10.37.1.0 255.255.255.0
        next
        edit 9
            set prefix 10.50.1.0 255.255.255.0
        next
        edit 10
            set prefix 10.255.255.1 255.255.255.255
        next
    end
end


FW2 BGP

config router bgp
    set as 65000
    set router-id 10.255.255.6
    set ebgp-multipath enable
    set ibgp-multipath enable
    set additional-path enable
    set multipath-recursive-distance enable
    set graceful-restart enable
    config neighbor-group
        edit "ISP3"
            set interface "ISP3"
            set remote-as 65000
            set update-source "LO-01"
        next
    end
    config neighbor-range
        edit 3
            set prefix 10.255.254.1 255.255.255.255
            set max-neighbor-num 3
            set neighbor-group "ISP3"
        next
    end
    config network
        edit 1
            set prefix 10.6.0.0 255.255.0.0
        next
        edit 2
            set prefix 10.32.0.0 255.255.0.0
        next
        edit 3
            set prefix 10.255.255.6 255.255.255.255
        next
    end
end

Thank you all

Vincenzo Stolfi

2 Solutions
Toshi_Esumi
SuperUser

Both neighbor-group and neighbor-range are only locally significant. The other end wouldn't know whether the peer is using them or not, because this part is NOT in BGP's RFC/standard.
And BGP is a unicast protocol; it cares only about the peer IP. It doesn't matter if it's a loopback or tunnel interface IP or any other interface's, as long as it's reachable.

Toshi


vincenzo
New Contributor III

Hi All,

I set the configuration and it is working using FW1 with neighbor-group and FW2 with a normal neighbor.

For link selection I set, on all firewalls, local-pref inbound with set match-interface and AS-path prepend outbound, also with set match-interface.

###FW1###
config router bgp
    set as 65000
    set router-id 10.255.255.1
    set ebgp-multipath enable
    set ibgp-multipath enable
    set additional-path enable
    set multipath-recursive-distance enable
    set graceful-restart enable
    config neighbor-group
        edit "EOLO"
            set soft-reconfiguration enable
            set remote-as 65000
            set route-map-in "LocalPref-IN"
            set route-map-out "Prepend-OUT"
            set route-reflector-client enable
        next
    end
    config neighbor-range
        edit 1
            set prefix 10.255.254.6 255.255.255.255
            set neighbor-group "EOLO"
        next
    end
    config network
        edit 2
            set prefix 10.36.10.0 255.255.254.0
        next
        edit 4
            set prefix 10.1.1.0 255.255.255.0
        next
        edit 3
            set prefix 10.36.0.0 255.255.255.0
        next
        edit 5
            set prefix 10.1.0.0 255.255.0.0
        next
        edit 6
            set prefix 10.35.1.0 255.255.255.0
        next
        edit 7
            set prefix 10.36.0.0 255.255.0.0
        next
        edit 8
            set prefix 10.37.1.0 255.255.255.0
        next
        edit 9
            set prefix 10.50.1.0 255.255.255.0
        next
        edit 10
            set prefix 10.255.255.1 255.255.255.255
        next
    end
end


###FW2###
NITCORFWL01 # show router bgp
config router bgp
    set as 65000
    set router-id 10.255.255.6
    set ebgp-multipath enable
    set ibgp-multipath enable
    set additional-path enable
    set multipath-recursive-distance enable
    set graceful-restart enable
    config neighbor
        edit "10.255.254.1"
            set soft-reconfiguration enable
            set remote-as 65000
            set route-map-in "LocalPref-IN"
            set route-map-out "Prepend-Out"
        next
        edit "10.255.252.1"
            set soft-reconfiguration enable
            set remote-as 65000
            set route-map-in "LocalPref-IN"
            set route-map-out "Prepend-Out"
        next
        edit "10.255.253.1"
            set soft-reconfiguration enable
            set remote-as 65000
            set route-map-in "LocalPref-IN"
            set route-map-out "Prepend-Out"
        next
    end
    config network
        edit 1
            set prefix 10.6.0.0 255.255.0.0
        next
        edit 2
            set prefix 10.32.0.0 255.255.0.0
        next
        edit 3
            set prefix 10.255.255.6 255.255.255.255
        next
    end
end

Thank you all for your help

Vincenzo
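To make Toshi's point concrete, here is an added Python model (my own illustration, not code from this thread or from Fortinet) of why the first configuration never peered while the final one did. It assumes the usual dynamic-neighbour behaviour for neighbor-range, namely that a range-only side just listens on TCP 179 and accepts an inbound session whose source address falls inside the prefix, while only a static config neighbor entry actively opens a session. It also assumes that the LO-01 loopbacks carry the router-id addresses 10.255.255.1 and 10.255.255.6 and that the ISP3 tunnel addresses are 10.255.254.1 and 10.255.254.6, as implied by the neighbor-range prefixes and the final FW2 neighbor entry; the thread never prints those interface configs.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network

# Added example, not from the thread: models which side of a FortiGate-to-FortiGate
# iBGP session opens TCP/179 and which side accepts it, so that a neighbor-range-only
# side (assumed listen-only, as with dynamic BGP neighbours generally) is spotted
# before anyone waits for the peering to come up.


@dataclass
class BgpSide:
    name: str
    tunnel_ip: IPv4Address                      # address on the IPsec phase1-interface
    update_source: IPv4Address | None = None    # loopback address when update-source is set
    neighbors: set[IPv4Address] = field(default_factory=set)             # static `config neighbor` peers
    ranges: list[tuple[IPv4Network, int]] = field(default_factory=list)  # (prefix, max-neighbor-num)

    @property
    def source_ip(self) -> IPv4Address:
        """Address this side sources its BGP TCP connection from."""
        return self.update_source or self.tunnel_ip

    def owns(self, ip: IPv4Address) -> bool:
        return ip in (self.tunnel_ip, self.update_source)

    def accepts(self, src: IPv4Address) -> bool:
        """An inbound OPEN from `src` needs a static entry or a covering range with capacity."""
        if src in self.neighbors:
            return True
        return any(src in prefix and limit > 0 for prefix, limit in self.ranges)


def session_outcome(a: BgpSide, b: BgpSide) -> tuple[bool, list[str]]:
    """Return (established, reasons). A session forms when one side has a static
    neighbour pointing at an address the other side owns, and the other side
    accepts the caller's source address (static entry or neighbor-range)."""
    reasons: list[str] = []
    for caller, listener in ((a, b), (b, a)):
        targets = [ip for ip in caller.neighbors if listener.owns(ip)]
        if not targets:
            reasons.append(f"{caller.name} has no static neighbor towards {listener.name}, so it never initiates")
            continue
        if listener.accepts(caller.source_ip):
            reasons.append(f"{caller.name} opens to {targets[0]} from {caller.source_ip}; accepted by {listener.name}")
            return True, reasons
        reasons.append(f"{listener.name} rejects source {caller.source_ip}: "
                       "not a static neighbor and not inside any neighbor-range")
    return False, reasons


def host(ip: IPv4Address) -> IPv4Network:
    """/32 prefix, matching `set prefix x.x.x.x 255.255.255.255`."""
    return IPv4Network(f"{ip}/32")


def thread_scenarios() -> dict[str, tuple[bool, list[str]]]:
    """The configurations from the thread. Loopback addresses are assumed to equal the
    router-ids; tunnel addresses are implied by the neighbor-range prefixes. The
    max-neighbor-num of 3 from the first post is kept for every range."""
    fw1_tun, fw2_tun = IPv4Address("10.255.254.1"), IPv4Address("10.255.254.6")
    fw1_lo, fw2_lo = IPv4Address("10.255.255.1"), IPv4Address("10.255.255.6")

    # First post: neighbor-range on both sides plus update-source LO-01. Nobody calls.
    first = session_outcome(
        BgpSide("FW1", fw1_tun, fw1_lo, ranges=[(host(fw2_tun), 3)]),
        BgpSide("FW2", fw2_tun, fw2_lo, ranges=[(host(fw1_tun), 3)]),
    )
    # Hypothetical middle step: FW2 gets a static neighbour but keeps update-source,
    # so it calls from 10.255.255.6, which FW1's /32 range does not cover.
    middle = session_outcome(
        BgpSide("FW1", fw1_tun, ranges=[(host(fw2_tun), 3)]),
        BgpSide("FW2", fw2_tun, fw2_lo, neighbors={fw1_tun}),
    )
    # Final working config: FW1 keeps the range, FW2 uses a plain neighbour on the tunnel IP.
    final = session_outcome(
        BgpSide("FW1", fw1_tun, ranges=[(host(fw2_tun), 3)]),
        BgpSide("FW2", fw2_tun, neighbors={fw1_tun}),
    )
    return {"first": first, "middle": middle, "final": final}


if __name__ == "__main__":
    for label, (up, why) in thread_scenarios().items():
        print(f"{label}: {'ESTABLISHED' if up else 'IDLE'}")
        for line in why:
            print("   ", line)
```

Running it reports the first scenario as idle on both sides, the middle one as rejected by FW1 because the caller's source is the loopback rather than the tunnel IP, and the final one as established. That is the practical rule the thread arrived at: at least one side of each pair needs a static neighbor, and the neighbor-range on the other side must cover the address the caller actually sources from, which is the tunnel IP once update-source is dropped.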
