Fortinet white logo
Fortinet white logo

Administration Guide

BGP multi-exit discriminator

BGP multi-exit discriminator

Border Gateway Protocol (BGP) is the routing protocol that governs how internet traffic is efficiently routed between autonomous systems (AS). BGP uses path attributes for its best path calculation to a network.

Multi-Exit Discriminator (MED) is a BGP path attribute that discriminates among multiple exit or entry points to the same neighboring AS. MED is also known as Optional Non-Transitive path attribute. The lower the MED value, the more preferred the path is to the receiving router.

MED is typically utilized when an AS has multiple exit points to another AS. In such cases, the AS may want to influence incoming traffic by advertising different MED values for the same route.

Common use case

A common use case for MED is in the context of a dual-homed AS. In a dual-homed AS scenario, the FortiGate connects to two different ISPs belonging to the same AS for redundancy and load balancing. By manipulating the MED value, the AS can direct traffic to one ISP over the other. For instance, if one link is congested, the AS can advertise a higher MED value for that link, making the other link more suitable to incoming traffic.

Note

MED is a BGP path attribute that discriminates among multiple exit or entry points to the same neighboring AS. If an administrator has two or more eBGP peering to different AS then the local preference can be used to influence the routing decision.

The following example discusses the use of MED in dual-homed AS network and the configuration of MED Path Attribute on FortiOS.

Characteristics of the topology include the following:

  • FortiGate-A has two internet service providers: ISP1 and ISP2.

  • FortiGate-A belongs to AS 200.

  • ISP1 and ISP2 both belong to AS 300.

  • FortiGate-A will establish eBGP peering relationships with ISP1 and ISP2.

  • Network 11.11.11.0/24 resides on the Internet and is reachable by both ISP1 and ISP2.

  • eBGP multipath is enabled on FortiGate-A if FortiGate-A needs to perform equal cost load-balancing of traffic between both ISP1 and ISP2 to reach to 11.11.11.0/24.

  • The network 11.11.11.0/24 on the Internet is being advertised by both ISP1 and ISP2 to FortiGate-A through eBGP.

For this example, the traffic originating from behind the FortiGate-A should prefer ISP1 rather than ISP2 to reach 11.11.11.0/24, and needs to use the BGP MED Path Attribute. This is done by configuring set set-metric in a route map configuration and ensuring the MED value of ISP1 is less than that of ISP2.

To configure MED in a dual-homed AS network using the CLI:
  1. Configure eBGP peering on FortiGate-A by specifying the BGP neighbors:

    config router bgp
        set as 200
        set router-id 2.2.2.2
        config neighbor
            edit "13.1.1.1"
                set remote-as 300
            next
            edit "23.1.1.2"
                set remote-as 300
            next
        end
    end
  2. Configure eBGP on ISP1 and ISP2, and advertise the 11.11.11.0/24 network:

    config router bgp
        set as 300
        set router-id 3.3.3.3
        config neighbor
            edit "13.1.1.3"
                set remote-as 200
            next
        end
        config network
            edit 1
                set prefix 11.11.11.0 255.255.255.0
            next
        end
    end
  3. Verify the eBGP neighbors on Fortigate-A with ISP1 and ISP2:

    # get router info bgp summary 
    VRF 0 BGP router identifier 2.2.2.2, local AS number 200
    BGP table version is 6
    1 BGP AS-PATH entries
    0 BGP community entries
    
    Neighbor V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
    13.1.1.1 4        300      48      50        0    0    0 00:25:45        1
    23.1.1.2 4        300      56      60        6    0    0 00:26:30        1
  4. Configure the prefix list to filter and select the 11.11.11.0/24 subnet inside the prefix list:

    1. Configure ISP1:

      config router prefix-list
          edit "ISP1_Prefix_List"
              config rule
                  edit 1
                      set prefix 11.11.11.0 255.255.255.0
                  next
              end
          next
      end
    2. Configure ISP2:

      config router prefix-list
          edit "ISP2_Prefix_List"
              config rule
                  edit 1
                      set prefix 11.11.11.0 255.255.255.0
                  next
              end
          next
      end
  5. Configure route maps and configure the MED value:

    1. Configure ISP1:

      config router route-map
          edit "MED_Route_MAP"
              config rule
                  edit 1
                      set match-ip-address "ISP1_Prefix_List"
                      set set-metric 300
                  next
              end
          next
      end
    2. Configure ISP2:

      config router route-map
          edit "MED_Route_MAP_2"
              config rule
                  edit 1
                      set match-ip-address "ISP2_Prefix_List"
                      set set-metric 400
                  next
              end
          next
      end
  6. Apply the route map in the outbound direction:

    Note

    Applying the configuration in the outbound direction ensures that the MED is changed to the respective value for the route 11.11.11.0/24 specified in the prefix list.

    1. Configure the ISP1 BGP:

      config router bgp
          set as 300
          set router-id 3.3.3.3
          config neighbor
              edit "13.1.1.3"
                  set remote-as 200
                  set route-map-out "MED_Route_MAP"
              next
          end
      end
    2. Configure the ISP2 BGP:

      config router bgp
          set as 300
          set router-id 4.4.4.4
          config neighbor
              edit "23.1.1.3"
                  set remote-as 200
                  set route-map-out "MED_Route_MAP_2"
              next
          end
      end
  7. Verify that ISP1 is selected as the best path to reach the 11.11.11.0/24 network:

    Note

    The neighbor that is considered the best, valid route is marked with a *>.

    # get router info bgp network 
    VRF 0 BGP table version is 6, local router ID is 2.2.2.2
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete
    
       Network          Next Hop            Metric LocPrf Weight RouteTag Path
    *> 11.11.11.0/24    13.1.1.1               300             0        0 300 i <-/1>
    *                   23.1.1.2               400             0        0 300 i <-/->
    
    Total number of prefixes 1
  8. Verify the routing table of FortiGate-A:

    Note

    The routing table only contains the best and valid paths.

    # get router info routing-table  details 
    Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
           O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default
    
    Routing table for VRF=0
    B       11.11.11.0/24 [20/300] via 13.1.1.1, port2, 00:37:47
    C       13.1.1.0/24 is directly connected, port2
    C       23.1.1.0/24 is directly connected, port3

BGP multi-exit discriminator

BGP multi-exit discriminator

Border Gateway Protocol (BGP) is the routing protocol that governs how internet traffic is efficiently routed between autonomous systems (AS). BGP uses path attributes for its best path calculation to a network.

Multi-Exit Discriminator (MED) is a BGP path attribute that discriminates among multiple exit or entry points to the same neighboring AS. MED is also known as Optional Non-Transitive path attribute. The lower the MED value, the more preferred the path is to the receiving router.

MED is typically utilized when an AS has multiple exit points to another AS. In such cases, the AS may want to influence incoming traffic by advertising different MED values for the same route.

Common use case

A common use case for MED is in the context of a dual-homed AS. In a dual-homed AS scenario, the FortiGate connects to two different ISPs belonging to the same AS for redundancy and load balancing. By manipulating the MED value, the AS can direct traffic to one ISP over the other. For instance, if one link is congested, the AS can advertise a higher MED value for that link, making the other link more suitable to incoming traffic.

Note

MED is a BGP path attribute that discriminates among multiple exit or entry points to the same neighboring AS. If an administrator has two or more eBGP peering to different AS then the local preference can be used to influence the routing decision.

The following example discusses the use of MED in dual-homed AS network and the configuration of MED Path Attribute on FortiOS.

Characteristics of the topology include the following:

  • FortiGate-A has two internet service providers: ISP1 and ISP2.

  • FortiGate-A belongs to AS 200.

  • ISP1 and ISP2 both belong to AS 300.

  • FortiGate-A will establish eBGP peering relationships with ISP1 and ISP2.

  • Network 11.11.11.0/24 resides on the Internet and is reachable by both ISP1 and ISP2.

  • eBGP multipath is enabled on FortiGate-A if FortiGate-A needs to perform equal cost load-balancing of traffic between both ISP1 and ISP2 to reach to 11.11.11.0/24.

  • The network 11.11.11.0/24 on the Internet is being advertised by both ISP1 and ISP2 to FortiGate-A through eBGP.

For this example, the traffic originating from behind the FortiGate-A should prefer ISP1 rather than ISP2 to reach 11.11.11.0/24, and needs to use the BGP MED Path Attribute. This is done by configuring set set-metric in a route map configuration and ensuring the MED value of ISP1 is less than that of ISP2.

To configure MED in a dual-homed AS network using the CLI:
  1. Configure eBGP peering on FortiGate-A by specifying the BGP neighbors:

    config router bgp
        set as 200
        set router-id 2.2.2.2
        config neighbor
            edit "13.1.1.1"
                set remote-as 300
            next
            edit "23.1.1.2"
                set remote-as 300
            next
        end
    end
  2. Configure eBGP on ISP1 and ISP2, and advertise the 11.11.11.0/24 network:

    config router bgp
        set as 300
        set router-id 3.3.3.3
        config neighbor
            edit "13.1.1.3"
                set remote-as 200
            next
        end
        config network
            edit 1
                set prefix 11.11.11.0 255.255.255.0
            next
        end
    end
  3. Verify the eBGP neighbors on Fortigate-A with ISP1 and ISP2:

    # get router info bgp summary 
    VRF 0 BGP router identifier 2.2.2.2, local AS number 200
    BGP table version is 6
    1 BGP AS-PATH entries
    0 BGP community entries
    
    Neighbor V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
    13.1.1.1 4        300      48      50        0    0    0 00:25:45        1
    23.1.1.2 4        300      56      60        6    0    0 00:26:30        1
  4. Configure the prefix list to filter and select the 11.11.11.0/24 subnet inside the prefix list:

    1. Configure ISP1:

      config router prefix-list
          edit "ISP1_Prefix_List"
              config rule
                  edit 1
                      set prefix 11.11.11.0 255.255.255.0
                  next
              end
          next
      end
    2. Configure ISP2:

      config router prefix-list
          edit "ISP2_Prefix_List"
              config rule
                  edit 1
                      set prefix 11.11.11.0 255.255.255.0
                  next
              end
          next
      end
  5. Configure route maps and configure the MED value:

    1. Configure ISP1:

      config router route-map
          edit "MED_Route_MAP"
              config rule
                  edit 1
                      set match-ip-address "ISP1_Prefix_List"
                      set set-metric 300
                  next
              end
          next
      end
    2. Configure ISP2:

      config router route-map
          edit "MED_Route_MAP_2"
              config rule
                  edit 1
                      set match-ip-address "ISP2_Prefix_List"
                      set set-metric 400
                  next
              end
          next
      end
  6. Apply the route map in the outbound direction:

    Note

    Applying the configuration in the outbound direction ensures that the MED is changed to the respective value for the route 11.11.11.0/24 specified in the prefix list.

    1. Configure the ISP1 BGP:

      config router bgp
          set as 300
          set router-id 3.3.3.3
          config neighbor
              edit "13.1.1.3"
                  set remote-as 200
                  set route-map-out "MED_Route_MAP"
              next
          end
      end
    2. Configure the ISP2 BGP:

      config router bgp
          set as 300
          set router-id 4.4.4.4
          config neighbor
              edit "23.1.1.3"
                  set remote-as 200
                  set route-map-out "MED_Route_MAP_2"
              next
          end
      end
  7. Verify that ISP1 is selected as the best path to reach the 11.11.11.0/24 network:

    Note

    The neighbor that is considered the best, valid route is marked with a *>.

    # get router info bgp network 
    VRF 0 BGP table version is 6, local router ID is 2.2.2.2
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete
    
       Network          Next Hop            Metric LocPrf Weight RouteTag Path
    *> 11.11.11.0/24    13.1.1.1               300             0        0 300 i <-/1>
    *                   23.1.1.2               400             0        0 300 i <-/->
    
    Total number of prefixes 1
  8. Verify the routing table of FortiGate-A:

    Note

    The routing table only contains the best and valid paths.

    # get router info routing-table  details 
    Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
           O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default
    
    Routing table for VRF=0
    B       11.11.11.0/24 [20/300] via 13.1.1.1, port2, 00:37:47
    C       13.1.1.0/24 is directly connected, port2
    C       23.1.1.0/24 is directly connected, port3