BGP multi-exit discriminator
Border Gateway Protocol (BGP) is the routing protocol that governs how internet traffic is efficiently routed between autonomous systems (AS). BGP uses path attributes for its best path calculation to a network.
Multi-Exit Discriminator (MED) is a BGP path attribute that discriminates among multiple exit or entry points to the same neighboring AS. MED is an optional non-transitive path attribute. The lower the MED value, the more preferred the path is to the receiving router.
MED is typically utilized when an AS has multiple exit points to another AS. In such cases, the AS may want to influence incoming traffic by advertising different MED values for the same route.
Common use case
A common use case for MED is a dual-homed AS. In a dual-homed AS scenario, the FortiGate connects to two different ISPs belonging to the same AS for redundancy and load balancing. By manipulating the MED value, the AS can direct traffic to one ISP over the other. For instance, if one link is congested, the AS can advertise a higher MED value for that link, making the other link preferred for incoming traffic.
MED is a BGP path attribute that discriminates among multiple exit or entry points to the same neighboring AS. If an administrator has two or more eBGP peerings to different ASes, then the local preference can be used to influence the routing decision.
The following example discusses the use of MED in a dual-homed AS network and the configuration of the MED path attribute on FortiOS.
Characteristics of the topology include the following:
- FortiGate-A has two internet service providers: ISP1 and ISP2.
- FortiGate-A belongs to AS 200.
- ISP1 and ISP2 both belong to AS 300.
- FortiGate-A will establish eBGP peering relationships with ISP1 and ISP2.
- Network 11.11.11.0/24 resides on the Internet and is reachable by both ISP1 and ISP2.
- eBGP multipath is enabled on FortiGate-A if FortiGate-A needs to perform equal cost load-balancing of traffic between both ISP1 and ISP2 to reach 11.11.11.0/24.
- The network 11.11.11.0/24 on the Internet is being advertised by both ISP1 and ISP2 to FortiGate-A through eBGP.
For this example, the traffic originating from behind FortiGate-A should prefer ISP1 rather than ISP2 to reach 11.11.11.0/24, and needs to use the BGP MED path attribute. This is done by configuring set set-metric in a route map configuration and ensuring the MED value of ISP1 is less than that of ISP2.
To configure MED in a dual-homed AS network using the CLI:
- Configure eBGP peering on FortiGate-A by specifying the BGP neighbors:
    config router bgp
        set as 200
        set router-id 2.2.2.2
        config neighbor
            edit "13.1.1.1"
                set remote-as 300
            next
            edit "23.1.1.2"
                set remote-as 300
            next
        end
    end
- Configure eBGP on ISP1 and ISP2, and advertise the 11.11.11.0/24 network:
    config router bgp
        set as 300
        set router-id 3.3.3.3
        config neighbor
            edit "13.1.1.3"
                set remote-as 200
            next
        end
        config network
            edit 1
                set prefix 11.11.11.0 255.255.255.0
            next
        end
    end
- Verify the eBGP neighbors on FortiGate-A with ISP1 and ISP2:
    # get router info bgp summary
    VRF 0 BGP router identifier 2.2.2.2, local AS number 200
    BGP table version is 6
    1 BGP AS-PATH entries
    0 BGP community entries

    Neighbor   V   AS  MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/PfxRcd
    13.1.1.1   4  300       48       50       0    0     0  00:25:45             1
    23.1.1.2   4  300       56       60       6    0     0  00:26:30             1
- Configure the prefix list to filter and select the 11.11.11.0/24 subnet inside the prefix list:
  - Configure ISP1:
      config router prefix-list
          edit "ISP1_Prefix_List"
              config rule
                  edit 1
                      set prefix 11.11.11.0 255.255.255.0
                  next
              end
          next
      end
  - Configure ISP2:
      config router prefix-list
          edit "ISP2_Prefix_List"
              config rule
                  edit 1
                      set prefix 11.11.11.0 255.255.255.0
                  next
              end
          next
      end
- Configure route maps and configure the MED value:
  - Configure ISP1:
      config router route-map
          edit "MED_Route_MAP"
              config rule
                  edit 1
                      set match-ip-address "ISP1_Prefix_List"
                      set set-metric 300
                  next
              end
          next
      end
  - Configure ISP2:
      config router route-map
          edit "MED_Route_MAP_2"
              config rule
                  edit 1
                      set match-ip-address "ISP2_Prefix_List"
                      set set-metric 400
                  next
              end
          next
      end
- Apply the route map in the outbound direction:
  Applying the configuration in the outbound direction ensures that the MED is changed to the respective value for the route 11.11.11.0/24 specified in the prefix list.
  - Configure the ISP1 BGP:
      config router bgp
          set as 300
          set router-id 3.3.3.3
          config neighbor
              edit "13.1.1.3"
                  set remote-as 200
                  set route-map-out "MED_Route_MAP"
              next
          end
      end
  - Configure the ISP2 BGP:
      config router bgp
          set as 300
          set router-id 4.4.4.4
          config neighbor
              edit "23.1.1.3"
                  set remote-as 200
                  set route-map-out "MED_Route_MAP_2"
              next
          end
      end
- Verify that ISP1 is selected as the best path to reach the 11.11.11.0/24 network:
  The neighbor that is considered the best, valid route is marked with a *>.
    # get router info bgp network
    VRF 0 BGP table version is 6, local router ID is 2.2.2.2
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete

       Network          Next Hop            Metric LocPrf Weight RouteTag Path
    *> 11.11.11.0/24    13.1.1.1               300             0        0 300 i <-/1>
    *                   23.1.1.2               400             0        0 300 i <-/->

    Total number of prefixes 1
- Verify the routing table of FortiGate-A:
  The routing table only contains the best and valid paths.
    # get router info routing-table details
    Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
           O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default

    Routing table for VRF=0
    B       11.11.11.0/24 [20/300] via 13.1.1.1, port2, 00:37:47
    C       13.1.1.0/24 is directly connected, port2
    C       23.1.1.0/24 is directly connected, port3
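
A scripted form of the best-path verification step, as an added example that is not part of the original documentation: it parses the path rows of the get router info bgp network output and confirms that the path marked *> carries the lowest MED among paths that MED can actually rank (same neighboring AS, equal weight and AS-path length). The function names, the re-spaced sample rows, and the assumption that the LocPrf column is blank on eBGP-learned rows are this example's own.

```python
import re

# Constructed sample: the two path rows from the page's
# "get router info bgp network" output on FortiGate-A (spacing re-typed).
SAMPLE = """\
   Network          Next Hop   Metric LocPrf Weight RouteTag Path
*> 11.11.11.0/24    13.1.1.1      300             0        0 300 i <-/1>
*                   23.1.1.2      400             0        0 300 i <-/->
"""

# Valid ("*") rows only; a continuation row leaves the Network column blank.
ROW = re.compile(
    r"^\*(?P<best>>?)\s+(?:(?P<prefix>\d+(?:\.\d+){3}/\d+)\s+)?"
    r"(?P<nexthop>\d+(?:\.\d+){3})\s+(?P<rest>.*?)\s+[ie?](?:\s|$)"
)

def parse_paths(text):
    """Return one dict per valid path, carrying the prefix onto continuation rows."""
    paths, prefix = [], None
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        prefix = m["prefix"] or prefix
        nums = m["rest"].split()
        # Assumption: eBGP-learned rows with LocPrf blank, so the numeric
        # fields are Metric, Weight, RouteTag, then the AS path.
        paths.append({"prefix": prefix, "nexthop": m["nexthop"],
                      "best": m["best"] == ">", "med": int(nums[0]),
                      "weight": int(nums[1]), "as_path": nums[3:]})
    return paths

def med_check(paths, prefix):
    """Check that the path marked best is the lowest-MED path for prefix."""
    cand = [p for p in paths if p["prefix"] == prefix]
    best = next((p for p in cand if p["best"]), None)
    if best is None:
        return {"comparable": False, "best": None, "ok": False}
    # MED only breaks the tie between paths from the same neighboring AS
    # whose weight and AS-path length are equal.
    keys = {(p["weight"], len(p["as_path"]), tuple(p["as_path"][:1])) for p in cand}
    comparable = len(keys) == 1
    lowest = min(p["med"] for p in cand)
    return {"comparable": comparable, "best": best["nexthop"],
            "ok": comparable and best["med"] == lowest}

if __name__ == "__main__":
    print(med_check(parse_paths(SAMPLE), "11.11.11.0/24"))
```

A result with comparable set to False means the candidate paths differ in neighboring AS, weight, or AS-path length, so something other than MED decided the best path.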