Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
vinceneil666
Contributor

How to change administrative distance in BGP in relation to OSPF

Hi guys,

 

I had a kinda hard time getting the administrative distance config working. I was also unable to find any real good information online on the issue. But here is what I ended up with, and it looks like it is working just fine... But as always, if anyone out there has some input it is appreciated! :)

 

The issue was that hosts on "lan" have "B" as their default gateway (being the VRRP master), and hitting that firewall they are able to access resources on "Z"... all good. Then they try to get to resources on "Y" and they get there, but the BGP routing will send the return traffic to "A", and all is not good anymore.

 

So to fix this, I wanted to change the BGP routes from "A" to have a distance of 190 so that OSPF with 120 would make sure the return traffic got back the same way it came from.

 

To get this working you have to configure the "Y" firewall to add distance to routes learned from "A":

 

config router bgp
    config admin-distance
        edit 1
            set neighbour-prefix 10.10.10.1 255.255.255.255    (<-- ip of the bgp neigh)
            set route-list "ACCESS-LIST-NAME"
            set distance 190
        next
    end
end

 

You also need to create an access-list to match the route-list reference, and this is where I would like to get some input or verification...

 

config router access-list
    edit "ACCESS-LIST-NAME"
        config rule
            edit 1
                set prefix 10.40.40.0 255.255.252.0    (<-- the prefixes learned)
                set exact-match disable                (<-- ..hmm)
            next
        end
    next
end

 

This setup gives me what I need, and it is working. The BGP route from A never ends up in the routing table of Y because the OSPF is better. I see that my BGP received-routes has the prefix there, so it is coming over as a summarized route (I have several "lan" ending up in a /22 mask from "A").

 

 

The "exact match" statement... The only thing that statement does now is apply the same distance to a route learned from that peer within the defined prefix. So if I shut off summary on "A" and I get four /24, they will be treated the same way....

... right? :)
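As an added illustration (not from the original post and not FortiOS code), the Python model below applies the admin-distance entry and access-list rule from the post to a constructed received-routes table. It assumes the documented access-list semantics that exact-match enable requires the identical prefix and mask while exact-match disable also accepts more-specific prefixes inside the rule's prefix; the peer address, the 10.40.40.0/22 LAN range and the unmodified eBGP distance of 20 are constructed values. It shows the summarized /22 and the four /24s getting distance 190 alike with exact-match disabled, and also that distance only decides between routes for the same prefix: when OSPF only carries the /22, a /24 received from A is still installed and wins by longest-prefix match even at distance 190.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample data modelled on the thread (not FortiOS code): BGP peer
# "A" at 10.10.10.1, OSPF reaching the same LANs via "B". Distances are the
# thread's (OSPF 120, BGP raised to 190); 20 stands in for unmodified eBGP.
PEER_A = "10.10.10.1"
OSPF_DISTANCE = 120
RAISED_BGP_DISTANCE = 190
DEFAULT_BGP_DISTANCE = 20


@dataclass(frozen=True)
class Route:
    prefix: str            # destination prefix, e.g. "10.40.40.0/22"
    protocol: str          # "ospf" or "bgp"
    distance: int          # administrative distance
    neighbour: str = ""    # BGP peer the route was received from


@dataclass(frozen=True)
class AccessListRule:
    prefix: str            # 'set prefix ...' in the access-list rule
    exact_match: bool      # 'set exact-match enable|disable'


@dataclass(frozen=True)
class AdminDistanceEntry:
    neighbour_prefix: str  # 'set neighbour-prefix ...'
    rules: Tuple[AccessListRule, ...]
    distance: int          # 'set distance ...'


def rule_matches(rule: AccessListRule, candidate: str) -> bool:
    """Assumed access-list semantics: exact-match enable needs the same prefix
    and mask; exact-match disable also accepts any more-specific prefix that
    lies inside the rule's prefix."""
    rule_net = ipaddress.ip_network(rule.prefix)
    cand_net = ipaddress.ip_network(candidate)
    if rule.exact_match:
        return rule_net == cand_net
    return cand_net.subnet_of(rule_net)


def apply_admin_distance(entry: AdminDistanceEntry, routes: List[Route]) -> List[Route]:
    """Rewrite the distance of BGP routes from the matching peer whose prefix
    passes the referenced access-list; every other route is left untouched."""
    peer_net = ipaddress.ip_network(entry.neighbour_prefix)
    result = []
    for r in routes:
        from_peer = r.protocol == "bgp" and ipaddress.ip_address(r.neighbour) in peer_net
        if from_peer and any(rule_matches(rule, r.prefix) for rule in entry.rules):
            result.append(Route(r.prefix, r.protocol, entry.distance, r.neighbour))
        else:
            result.append(r)
    return result


def build_rib(routes: List[Route]) -> Dict[str, Route]:
    """Per prefix, only the lowest-distance route is installed."""
    rib: Dict[str, Route] = {}
    for r in routes:
        current = rib.get(r.prefix)
        if current is None or r.distance < current.distance:
            rib[r.prefix] = r
    return rib


def lookup(rib: Dict[str, Route], destination: str) -> Optional[Route]:
    """Forwarding decision: longest-prefix match over the installed routes."""
    dst = ipaddress.ip_address(destination)
    matches = [r for r in rib.values() if dst in ipaddress.ip_network(r.prefix)]
    if not matches:
        return None
    return max(matches, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen)


# Constructed: OSPF via "B" always carries the /22; peer A either summarizes
# to one /22 or, with summary switched off, sends the four /24s inside it.
OSPF_ROUTES = [Route("10.40.40.0/22", "ospf", OSPF_DISTANCE)]
BGP_SUMMARIZED = [Route("10.40.40.0/22", "bgp", DEFAULT_BGP_DISTANCE, PEER_A)]
BGP_UNSUMMARIZED = [Route(f"10.40.{n}.0/24", "bgp", DEFAULT_BGP_DISTANCE, PEER_A)
                    for n in range(40, 44)]


def evaluate(bgp_routes: List[Route], exact_match: bool, destination: str = "10.40.41.10"):
    """Return (distances now carried by the BGP routes, protocol that forwards
    traffic to `destination`) for one exact-match setting."""
    entry = AdminDistanceEntry(
        neighbour_prefix=f"{PEER_A}/32",
        rules=(AccessListRule("10.40.40.0/22", exact_match),),
        distance=RAISED_BGP_DISTANCE,
    )
    adjusted = apply_admin_distance(entry, bgp_routes)
    rib = build_rib(OSPF_ROUTES + adjusted)
    chosen = lookup(rib, destination)
    return [r.distance for r in adjusted], (chosen.protocol if chosen else None)


if __name__ == "__main__":
    for label, routes in (("summarized /22", BGP_SUMMARIZED), ("four /24s", BGP_UNSUMMARIZED)):
        for exact in (False, True):
            dists, proto = evaluate(routes, exact)
            setting = "enable" if exact else "disable"
            print(f"{label:15} exact-match={setting:7} bgp distances={dists} -> via {proto}")
```

Running it prints four rows: with exact-match disabled both the /22 and the /24s are raised to 190, with exact-match enabled only the /22 is, and in the unsummarized case the return path to 10.40.41.10 is still the BGP /24 regardless of its distance, because the OSPF /22 is less specific. So the distance trick holds as long as both sides advertise the same prefix lengths.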

2 REPLIES
emnoc
Esteemed Contributor III

I see you have HSRP in the diagram, so we are assuming this is VRRP?

 

As far as FW1 and FW2 (vdomA/B), why do you want VRRP? I would NOT run VRRP; it makes no sense if these are really Fortigates.

 

 

They should be in a HA cluster and then you nail BGP to the devices for the wan-uplink. What you're running into is asymmetrical routing, which is a clear killer in a stateful FW and has no real function in a true edge security architecture.

 

I would personally redesign the network edge in your case and avoid modifying BGP path selections or admin-values.

 

Ken
PCNSE 

NSE 

StrongSwan  

vinceneil666

Yeah, vrrp of course.. force of habit :)

 

A and B are both already independent clusters. But yeah, the design itself was something already there and the problem had to be solved. So in solving it I found it to be a good example of how to do the distance bit. The design is a different story :)
