wuyudong
New Contributor

FortiGate FW BGP Aggregation-Address behavior is different from Cisco Router

BGP on the FortiGate FW is configured with an aggregation address to summarize all 10.x.x.x networks to 10.0.0.0/8. In the routing table, we could see a "10.0.0.0/8 Null" entry due to this summarization. If no more-specific routes within 10.0.0.0/8 are learned from BGP peers, the above "10.0.0.0/8 Null" entry should not stay in the routing table, since there are no more-specific prefixes learned via BGP. In our case, the FortiGate FW learned the 10.0.0.0/8 route from its internal neighbour via BGP. But the FortiGate FW decided to keep "10.0.0.0/8 Null" in the routing table instead of the 10.0.0.0/8 learned from the other BGP peer.

I tested this scenario on a Cisco router: when aggregation-address 10.0.0.0/8 is configured and there are no more-specific routes learned from the BGP peer, the Cisco router will install the 10.0.0.0/8 which is learned from the BGP neighbour and is exactly the same as the aggregation address into the routing table instead of "10.0.0.0/8 Null".

Does anyone know if FortiGate FW changes this behaviour in the latest version? This breaks our redundancy design, which works fine on a Cisco router but not on the FortiGate FW.

Your help is very much appreciated.

wuyudong
New Contributor

I would like to clarify my question to see if someone knows the answer.

For example, the FortiGate FW has eBGP peers with Router A and Router B respectively. The FW learned some 10.x.x.x prefixes from Router A, so the aggregation-address was configured to summarize all 10.x.x.x networks to 10.0.0.0/8. A "10.0.0.0/8 null" entry will be added into the routing table automatically as well due to this summarization.

Now, when the FW loses its connectivity to Router A, the specific routes of the 10.x.x.x networks will not be learned from Router A any more. In the meanwhile, the FW learns the 10.0.0.0/8 prefix from Router B, which is the same prefix as the summarized entry on the FW. If this scenario happens on a Cisco router, the Cisco router will install the 10.0.0.0/8 learned from Router B into the routing table, and the local summarized entry "10.0.0.0/8 null" will be removed, since no specific 10.x.x.x subnets are learned any more. But the FortiGate FW will keep the local summarized entry "10.0.0.0/8 null" in the routing table instead.

In our case, Router B is our backup router: when the FW loses the connection to Router A, it should forward packets with a destination IP of 10.x.x.x to Router B by following the prefix 10.0.0.0/8 learned from Router B. This is working fine in the Cisco environment but broken on the FortiGate FW, since the "10.0.0.0/8 null" entry stays in the routing table.

My question is whether Fortinet has changed this behavior.
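To make the scenario concrete, here is an added Python model (not code from the thread, Fortinet or Cisco) of the routing-table decision described in the post: the summary's Null entry should exist only while a more-specific contributor is present, otherwise the exact 10.0.0.0/8 learned from Router B should be installed. The next-hop addresses and the /16 prefixes are constructed sample values.

```python
from ipaddress import ip_network

# Constructed BGP tables (prefix -> next hop) for the two states described in the
# post: Router A reachable (its 10.x.x.x specifics present) and Router A lost.
# 192.0.2.1 stands in for Router A, 198.51.100.1 for Router B (hypothetical values).
TABLE_ROUTER_A_UP = {
    "10.1.0.0/16": "192.0.2.1",
    "10.2.0.0/16": "192.0.2.1",
    "10.0.0.0/8": "198.51.100.1",   # backup /8 learned from Router B
}
TABLE_ROUTER_A_DOWN = {
    "10.0.0.0/8": "198.51.100.1",   # only Router B's /8 remains
}


def contributing_routes(aggregate, bgp_table):
    """More-specific prefixes inside the aggregate; the exact prefix does not count."""
    agg = ip_network(aggregate)
    return [p for p in bgp_table
            if ip_network(p) != agg and ip_network(p).subnet_of(agg)]


def select_aggregate_route(aggregate, bgp_table, keep_summary_without_contributors=False):
    """Return the (prefix, next_hop) installed in the RIB for the aggregate prefix.

    keep_summary_without_contributors=False models the Cisco behaviour the poster
    describes: the locally generated summary (next hop Null0) exists only while a
    more-specific contributor is present, and it wins over a peer-learned route for
    the same prefix; without contributors the peer-learned route is installed.
    True models what the poster observed on the FortiGate: the Null entry stays
    even when no contributor is left, so traffic for the /8 is discarded.
    """
    if contributing_routes(aggregate, bgp_table) or keep_summary_without_contributors:
        return (aggregate, "Null0")
    if aggregate in bgp_table:
        return (aggregate, bgp_table[aggregate])
    return None


if __name__ == "__main__":
    for name, table in (("Router A up", TABLE_ROUTER_A_UP), ("Router A down", TABLE_ROUTER_A_DOWN)):
        print(name, "Cisco-style:", select_aggregate_route("10.0.0.0/8", table))
        print(name, "observed FortiGate:",
              select_aggregate_route("10.0.0.0/8", table, keep_summary_without_contributors=True))
```

Comparing the two outputs for the "Router A down" table shows the failure the poster hits: one installs Router B's next hop, the other keeps the blackhole.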

emnoc
Esteemed Contributor III

A topo would help, but let's assume info that we don't have or that's not clear.

You're sending the 10.0.0.0/8 or a network(s) via the BGP peer A, and you have what configured in the FortiGate?

2nd, are Router A & B configured the same, using "aggregate-address" with summary-only to drop all other prefixes caught in the summary? (Your explanation leaves a lot of information out.)

3rd, when you fail Router A, what's being sent specifically by router prefixes (summary only, summary plus more specifics, etc.)?

4th, the same applies when you have Router A only and Router B is down. Basically, what do Router A/B and the FortiGate advertise?

5th, are you TRYING TO SUMMARIZE IN THE FIREWALL? (I believe you are, but it's not clear, and with this new information.)

Basically, provide a copy of the BGP router tables & configurations (so we can see all BGP attributes, local_prefs, etc.).

Start with the CLI commands "get router info bgp" and "show router bgp", and the aggregate-address config if you're aggregating in the firewall.

BTW, I never heard of anybody trying to summarize networks learned via an eBGP advertisement. It is doable, but I don't know how route summarization works in a firewall like FortiGate. Summarizing like that can lead into black holes that tend to drop traffic, because the summary route "says I have this network path, send traffic to me". I only tend to aggregate routes "that I advertise", not what's received.

PCNSE 

NSE 

StrongSwan  
