FortiGate
subramanis
Staff
Article Id 286706
Description This article describes the use of BGP 'set distance-local' settings.
Scope FortiGate.
Solution

Diagram:

distance-local.PNG

 

set distance-local: This command applies to routes that are configured under ‘config network’ in the BGP configuration ‘config router bgp’.

This command is useful when ‘set backdoor enable’ is configured under ‘config network’ and a different local distance is required. The default value for ‘set distance-local’ is 200; it can be changed with this command.

 

More information regarding the BGP backdoor can be found in the article linked below:

Technical Tip: Use BGP backdoor to prefer IGP over EBGP

 

FGT1 # show router bgp
config router bgp
    set as 65001
    set router-id 172.16.10.1
    config neighbor
        edit "20.0.0.3"
            set remote-as 65003
        next
    end
    config network
        edit 1
            set prefix 172.16.10.0 255.255.255.0
        next
    end
end

 

  1. Network 172.16.20.0/24 is learned via two different routing protocols, BGP and RIP.

    The route learned via BGP is installed in the routing table because of its lower distance (20 versus 120), and the route learned via RIP is kept only in the routing database.

FGT1 # get router info routing-table database | grep 172.16.20.0/24
B *> 172.16.20.0/24 [20/0] via 20.0.0.3 (recursive is directly connected, port3), 00:01:24, [1/0] 
R 172.16.20.0/24 [120/2] via 10.0.0.2, port2, 00:53:18, [1/0]

 

  2. After enabling ‘set backdoor enable’ under ‘config network’, the BGP route for 172.16.20.0/24 moves to the database because the default distance-local of 200 is applied to it. The same network learned via RIP is installed in the routing table.

    config router bgp
        config network
            edit 1
                set prefix 172.16.10.0 255.255.255.0
            next
            edit 2
                set prefix 172.16.20.0 255.255.255.0 <-- This is a local route that has a backdoor enabled.
                set backdoor enable
            next
        end
    end

     

    FGT1 # get router info routing-table database | grep 172.16.20.0
    B 172.16.20.0/24 [200/0] via 20.0.0.3 (recursive is directly connected, port3), 00:01:08, [1/0]  
    R *> 172.16.20.0/24 [120/2] via 10.0.0.2, port2, 00:46:01, [1/0]

     

    Before enabling the backdoor, the BGP network 172.16.20.0/24 had a distance of 20, and it was changed to the default distance-local 200 after enabling the backdoor command.

     

  3. To prefer the BGP route over RIP, the distance currently set to 200 must be changed to a value lower than the RIP route's distance (120 in the output above). This can be done using the command ‘set distance-local x’.

    config router bgp

        set distance-local 65

    end

     

    FGT1 # get router info routing-table details | grep 172.16.20.0
    B 172.16.20.0/24 [65/0] via 20.0.0.3 (recursive is directly connected, port3), 00:00:32, [1/0]

     

    FGT1 # get router info routing-table database | grep 172.16.20.0
    B *> 172.16.20.0/24 [65/0] via 20.0.0.3 (recursive is directly connected, port3), 00:00:40, [1/0]
    R 172.16.20.0/24 [120/2] via 10.0.0.2, port2, 01:26:13, [1/0]
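
A change to 'set backdoor' or 'set distance-local' silently changes which path carries traffic for a prefix, so it is worth checking the result against what is intended. The following is an added example, not part of the original article or Fortinet tooling: it parses 'get router info routing-table database' output in the line shape shown above and reports prefixes whose active (*>) route is not the expected protocol. The function names and the `expected` mapping are assumptions made for this example.

```python
import re
from collections import defaultdict

# Line shape in this article: "B *> 172.16.20.0/24 [65/0] via 20.0.0.3 (...), ..."
ROUTE_RE = re.compile(
    r"^\s*(?P<proto>[A-Z])\s+(?P<sel>\*>)?\s*"
    r"(?P<prefix>\d+(?:\.\d+){3}/\d+)\s+"
    r"\[(?P<dist>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nh>[\d.]+)")

def parse_database(text):
    """Return {prefix: [routes]} from 'routing-table database' output."""
    table = defaultdict(list)
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue  # prompt lines and any line shape not shown on the page
        table[m["prefix"]].append({
            "proto": m["proto"], "selected": m["sel"] is not None,
            "distance": int(m["dist"]), "next_hop": m["nh"]})
    return dict(table)

def audit(text, expected):
    """Findings where the active (*>) route differs from expected {prefix: proto}."""
    findings = []
    table = parse_database(text)
    for prefix, want in expected.items():
        routes = table.get(prefix, [])
        active = [r for r in routes if r["selected"]]
        if not active:
            findings.append(f"{prefix}: no active route")
            continue
        got = active[0]
        if got["distance"] > min(r["distance"] for r in routes):
            findings.append(f"{prefix}: active route is not the lowest distance")
        if got["proto"] != want:
            findings.append(f"{prefix}: expected {want}, active is "
                            f"{got['proto']} [{got['distance']}] via {got['next_hop']}")
    return findings

# Output copied from this article: backdoor enabled, default distance-local 200.
BACKDOOR_DEFAULT = """\
B 172.16.20.0/24 [200/0] via 20.0.0.3 (recursive is directly connected, port3), 00:01:08, [1/0]
R *> 172.16.20.0/24 [120/2] via 10.0.0.2, port2, 00:46:01, [1/0]
"""
# Output copied from this article: after 'set distance-local 65'.
DISTANCE_LOCAL_65 = """\
B *> 172.16.20.0/24 [65/0] via 20.0.0.3 (recursive is directly connected, port3), 00:00:40, [1/0]
R 172.16.20.0/24 [120/2] via 10.0.0.2, port2, 01:26:13, [1/0]
"""
print(audit(BACKDOOR_DEFAULT, {"172.16.20.0/24": "B"}))
```

With the default distance-local of 200 the check reports that RIP is active for 172.16.20.0/24; with distance-local 65 it returns no findings.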