
Handbook

BGP

BGP stands for Border Gateway Protocol, which was first used in 1989. The current version, BGP-4, was released in 1995 and is defined in RFC 1771. That RFC has since been replaced by the more recent RFC 4271. The main benefits of BGP-4 are classless inter-domain routing and aggregate routes. Often classified as a path-vector protocol and sometimes as a distance-vector routing protocol, BGP exchanges routing and reachability information among autonomous systems over the Internet.

BGP makes routing decisions based on path, network policies and rulesets instead of the hop-count metric as RIP does, or cost-factor metrics as OSPF does.

BGP-4+ supports IPv6. It was introduced in RFC 2858 and RFC 2545.

BGP is the routing protocol used on the Internet. It was designed to replace the old Exterior Gateway Protocol (EGP) which had been around since 1982, and was very limited. In doing so, BGP enabled more networks to take part in the Internet backbone to effectively decentralize it and make the Internet more robust, and less dependent on a single ISP or backbone network.

How BGP works

A BGP router receives information from its peer routers that have been defined as neighbors. BGP routers listen for updates from these configured neighboring routers on TCP port 179.

A BGP router is a finite state machine with six states for each connection. As two BGP routers discover each other and establish a connection, they go from the idle state through the intermediate states until they reach the established state. An error can cause the connection to be dropped and the state of the router to be reset to either active or idle. These errors can be caused by: TCP port 179 not being open, a random TCP port above port 1023 not being open, the peer address being incorrect, or the AS number being incorrect.

When BGP routers start a connection, they negotiate which (if any) optional features will be used such as multiprotocol extensions that can include IPv6 and VPNs.

With HA support for the BGP route injection feature, the virtual server IP/IPv6 address can be injected into the BGP domain, and can be advertised or withdrawn according to the health state of the real server.

FortiADC is designed to act as a BGP node and to perform BGP route injection (distributing the virtual server public IP to the BGP network). Deploying it as a core BGP router is not recommended.

IBGP vs. EBGP

When you read about BGP, you often see EBGP or IBGP mentioned. Both are BGP routing, but with BGP used in different roles. Exterior BGP (EBGP) involves packets crossing multiple autonomous systems (ASes), whereas interior BGP (IBGP) involves packets that stay within a single AS. For example, the AS_PATH attribute is only useful for EBGP, where routes pass through multiple ASes.

These two modes are important because some features of BGP are only used for one of EBGP or IBGP. For example, confederations are used in EBGP, and route reflectors are only used in IBGP. Also, routes learned from IBGP have priority over EBGP learned routes.

For more information on BGP routing, see "Chapter 3 - Advanced Routing" of the FortiOS Handbook for FortiOS 5.4.1.

Before you begin, you must:

  • Know how BGP has been implemented in your network, i.e., the configuration details of the implementation.
  • Have Read-Write permission for System settings.
  • Have configured all the needed access (IPv6) lists and prefix (IPv6) lists. See Access list vs. prefix list.

To configure BGP:

  1. Click Networking > Routing.
  2. Click the BGP tab.
  3. Make the desired entries and/or selections as described in BGP configuration.
  4. Click Save when done.

BGP configuration

Settings

Guidelines

AS

Enter the AS (Autonomous System) number of the BGP router. Valid values are from 0 to 4294967295.

Note: Per RFC 6996, the first and last ASNs of the original 16-bit integers, namely 0 and 65535, and the last ASN of the 32-bit numbers, namely 4,294,967,295, are reserved and should not be used by operators; ASNs 64,512 to 65,534 of the original 16-bit AS range, and 4,200,000,000 to 4,294,967,294 of the 32-bit range are reserved for private use, which means that they can be used internally but should not be announced to the global Internet.

Router ID

Enter the 32-bit number that sets the router-ID of the BGP process. The router ID uses dotted decimal notation. The router-ID must be the IP address of the router, and it must be unique within the entire BGP domain to the BGP speaker.

Redistribute OSPF

Enable/Disable (default) the redistribution of OSPF routes to the BGP process.

Redistribute Connected

Enable/Disable (default) the redistribution of connected routes to the BGP process.

Redistribute Static

Enable/Disable (default) the redistribution of static routes to the BGP process.

Redistribute IPv6 Connected

Enable/Disable (default) the redistribution of connected IPv6 routes to the BGP process.

Redistribute IPv6 Static

Enable/Disable (default) the redistribution of static IPv6 routes to the BGP process.

Always Compare MED

Enable/Disable (default) the comparison of Multi-Exit Discriminator (MED) for paths from neighbors in different ASs (Autonomous Systems).

Deterministic MED

Enable/Disable (default) the deterministic comparison of Multi-Exit Discriminator (MED) values among all paths received from the same AS (Autonomous System).

Bestpath Compare Router ID

Enable/Disable (default) the BGP routing process to compare identical routes received from different external peers during the best-path selection process and to select the route with the lowest router ID as the best path.

Network

Type

Select either of the following (IP address) types:

  • IPv4
  • IPv6

IPv4 Prefix

If IPv4 is selected (above), specify the IPv4 prefix in the format of 0.0.0.0/0.

IPv6 Prefix

If IPv6 is selected (above), specify the IPv6 prefix in the format of ::/0.

Save

Be sure to click Save after you are done with configuring the network.

Neighbor

Remote AS

Specify the remote AS (Autonomous System) number of the BGP neighbor you are creating. Valid values are from 1 to 4294967295.

Type

Select either of the following:

  • IPv4
  • IPv6

IP/IPv6

Specify the IPv4 address or IPv6 address for the BGP neighbor.

Interface

Click to select the interface for the BGP neighbor.

Port

Specify the port of the BGP neighbor.

Keep Alive

Specify the frequency (in seconds) at which the BGP neighbor sends out keepalive messages to its peer.

Valid values are from 0 to 65535, with 60 seconds being the default.

Hold Time

Specify the "wait time" (in seconds) after which the BGP neighbor declares a peer dead when it has failed to receive a keepalive message from it.

Valid values are from 0 to 65535, with 180 (seconds) being the default.

When the minimum acceptable hold time is configured on a BGP router, a remote BGP peer session can be established only when the latter is advertising a hold time equal to, or greater than, the minimum acceptable hold time configured on the former. If the minimum acceptable hold time is greater than the configured hold time, then the next time the remote BGP peer tries to establish a session with the local BGP router, it will fail and the local BGP router will notify the remote BGP peer saying "unacceptable hold time".

Distribute List In/Distribute IPv6 List In

Click to select an Access List or Access IPv6 List.

The BGP router will apply the selected access list to inbound advertisements to the BGP neighbor when distributing BGP neighbor information.

Note: It is highly recommended that you have the Prefix List or the IPv6 Prefix List configured before configuring BGP Routing.

Distribute List Out/Distribute IPv6 List Out

Click to select an Access List or Access IPv6 List.

The BGP router will apply the selected access list to outbound advertisements to the neighbor when distributing BGP neighbor information.

Note: It is highly recommended that you have the Access List or the Access IPv6 List configured before configuring BGP Routing.

Prefix List In/Prefix IPv6 List In

Click to select a Prefix List or Prefix IPv6 List.

The BGP router will apply the selected Prefix (IPv6) List to inbound advertisements to the neighbor when distributing BGP neighbor information.

Note: It is highly recommended that you have the Prefix List or the Prefix IPv6 List configured before configuring BGP Routing.

Prefix List Out/Prefix IPv6 List Out

Click to select a Prefix List or Prefix IPv6 List.

The BGP router will apply the selected Prefix (IPv6) List to outbound advertisements to the neighbor when distributing BGP neighbor information.

Note: It is highly recommended that you have the Prefix List or the Prefix IPv6 List configured before configuring BGP Routing.

Weight

Assign a weight to a neighbor connection. Valid values are from 0 to 65535.

By default, routes learned through another BGP peer carry a weight value of 0, whereas routes sourced by the local router carry a default weight value of 32768.

Initially, all routes learned from a neighbor will have an assigned weight. The route with the greatest weight is chosen as the preferred route when multiple routes are available to a network.

Save

Be sure to click Save after you are done with configuring the Neighbor.

HA Router ID List

Router ID

Use the HA Router list configuration in an HA active-active deployment. On each HA cluster node, add an HA Router configuration that includes an entry for each cluster node. When the appliance is in standalone mode, it uses the primary BGP Router ID; when it is in HA mode, it uses the HA Router list ID.

Specify a 32-bit number that sets the router-ID of the BGP process. The router ID uses dotted decimal notation. The router-ID must be an IP address of the router, and it must be unique within the entire BGP domain to the BGP speaker.

Node

Specify the HA Node ID (0-7).

Save

Be sure to click Save after you are done with configuring the HA Router ID List.

Note: The Access List and Prefix List features are mutually exclusive. Therefore, do NOT apply both to any neighbor in any direction (inbound or outbound) when configuring BGP routing.
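The value ranges in the settings above, the RFC 6996 note under AS, and the Access List / Prefix List exclusivity rule can be checked before a configuration is entered. The following is an added example, not FortiADC code: the dictionary keys (`as`, `router_id`, `neighbors`, `distribute_list_in`, and so on) are hypothetical names for the GUI fields, and the sample configuration is constructed.

```python
import ipaddress

# Ranges from the page's RFC 6996 note; other special-use ASNs are not modelled.
RESERVED_ASNS = {0, 65535, 4294967295}
PRIVATE_RANGES = [(64512, 65534), (4200000000, 4294967294)]
U16 = range(0, 65536)  # valid range for Keep Alive, Hold Time and Weight


def classify_asn(asn):
    """Return 'invalid', 'reserved', 'private' or 'public' for an AS number."""
    if isinstance(asn, bool) or not isinstance(asn, int) or not 0 <= asn <= 4294967295:
        return "invalid"
    if asn in RESERVED_ASNS:
        return "reserved"
    if any(lo <= asn <= hi for lo, hi in PRIVATE_RANGES):
        return "private"
    return "public"


def lint_bgp(cfg):
    """Return findings for a BGP config dict (key names are hypothetical)."""
    findings = []
    local_kind = classify_asn(cfg.get("as"))
    if local_kind in ("invalid", "reserved"):
        findings.append(f"local AS {cfg.get('as')} is {local_kind}")
    try:
        ipaddress.IPv4Address(str(cfg.get("router_id")))
    except ValueError:
        findings.append(f"router ID {cfg.get('router_id')!r} is not dotted decimal")
    for n in cfg.get("neighbors", []):
        who = n.get("ip", "?")
        remote_kind = classify_asn(n.get("remote_as"))
        if remote_kind in ("invalid", "reserved"):
            findings.append(f"{who}: remote AS {n.get('remote_as')} is {remote_kind}")
        elif local_kind == "private" and remote_kind == "public":
            findings.append(f"{who}: private local AS faces a public AS; "
                            "keep the private ASN from being announced beyond it")
        for field in ("keep_alive", "hold_time", "weight"):
            if field in n and n[field] not in U16:
                findings.append(f"{who}: {field} {n[field]} is outside 0-65535")
        for direction in ("in", "out"):
            # Access List and Prefix List are mutually exclusive per direction.
            if n.get(f"distribute_list_{direction}") and n.get(f"prefix_list_{direction}"):
                findings.append(f"{who}: access list and prefix list both applied {direction}bound")
    for entry in cfg.get("ha_router_ids", []):
        if entry.get("node") not in range(8):
            findings.append(f"HA node ID {entry.get('node')} is outside 0-7")
    return findings


# Constructed sample: documentation addresses; AS 64500 stands in for a public peer.
SAMPLE = {
    "as": 65001, "router_id": "192.0.2.1",
    "neighbors": [
        {"ip": "192.0.2.2", "remote_as": 65001, "keep_alive": 60, "hold_time": 180,
         "prefix_list_in": "pl-in", "prefix_list_out": "pl-out"},
        {"ip": "198.51.100.7", "remote_as": 64500, "hold_time": 70000,
         "distribute_list_in": "acl-in", "prefix_list_in": "pl-in"},
    ],
    "ha_router_ids": [{"node": 0}, {"node": 8}],
}

if __name__ == "__main__":
    print("\n".join(lint_bgp(SAMPLE)))
```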

Route health injection (RHI)

Route health injection (RHI) allows for advertising routes to virtual server IP addresses based on the health status of the corresponding service. In a FortiADC deployment, routes to virtual server IP addresses can be injected into a dynamic routing protocol such as BGP or OSPF and spread through the network. The status of a virtual server depends on factors such as the status of its real servers and the schedule, if the schedule pool is enabled. For example, if there is at least one available real server (the virtual server is healthy), the route to the virtual server IP address will be injected and spread to the neighbors as long as the virtual server IP is added into the BGP network. Conversely, the route to the virtual server IP will not be injected if no real server is available (the virtual server is unhealthy).
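The RHI decision described above can be modelled as a function of real-server health and the configured BGP networks. This is an added example, not FortiADC code: the data layout and function names are hypothetical, host routes (/32 and /128) are an assumption about how the virtual server address is advertised, the schedule pool is not modelled, and all addresses are constructed documentation values.

```python
import ipaddress


def vs_healthy(real_servers):
    """A virtual server is healthy when at least one real server is available."""
    return any(real_servers.values())


def injected_routes(virtual_servers, bgp_networks):
    """Return the set of virtual server host routes that would be injected."""
    nets = [ipaddress.ip_network(n) for n in bgp_networks]
    routes = set()
    for vs in virtual_servers:
        ip = ipaddress.ip_address(vs["ip"])
        # The VS IP must be covered by a configured BGP network entry.
        in_bgp = any(ip.version == n.version and ip in n for n in nets)
        if in_bgp and vs_healthy(vs["real_servers"]):
            routes.add(f"{ip}/{ip.max_prefixlen}")
    return routes


def rhi_delta(before, after):
    """Compare two route sets and list what is newly advertised or withdrawn."""
    return {"advertise": sorted(after - before), "withdraw": sorted(before - after)}


# Constructed sample: health snapshots of the same virtual servers at two times.
BGP_NETWORKS = ["192.0.2.0/24", "2001:db8::/32"]
VS_BEFORE = [
    {"ip": "192.0.2.10", "real_servers": {"rs1": True, "rs2": False}},
    {"ip": "192.0.2.20", "real_servers": {"rs3": True}},
    {"ip": "2001:db8::10", "real_servers": {"rs4": False}},
    {"ip": "203.0.113.5", "real_servers": {"rs5": True}},  # not in the BGP network
]
VS_AFTER = [
    {"ip": "192.0.2.10", "real_servers": {"rs1": True, "rs2": False}},
    {"ip": "192.0.2.20", "real_servers": {"rs3": False}},   # last real server down
    {"ip": "2001:db8::10", "real_servers": {"rs4": True}},  # recovered
    {"ip": "203.0.113.5", "real_servers": {"rs5": True}},
]

if __name__ == "__main__":
    before = injected_routes(VS_BEFORE, BGP_NETWORKS)
    after = injected_routes(VS_AFTER, BGP_NETWORKS)
    print(rhi_delta(before, after))
```

A healthy virtual server whose address is outside every configured BGP network is never advertised, which is the case to look for when an expected route is missing from a neighbor's table.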
