FortiGate
ddabhade
Staff
Article Id 197448
Description
This article explains how to configure 'allowas-in-enable' or 'as-override' when using MPLS with the same AS in different locations to avoid routing loops.

For example, AS 65001 is used at both Location A and Location B.

If the route advertised by Location A is rejected by Location B because of the AS path (the path already contains Location B's own AS, 65001), then the route from Location B will be rejected by Location A for the same reason.

This can be avoided by configuring 'allowas-in-enable' or 'as-override'.


Solution
BGP Config and route advertisement:

Location A:
config router bgp
    set as 65001
    set router-id 10.109.19.146
    config neighbor
        edit "10.109.16.172"                             <----- ISP IP
            set soft-reconfiguration enable
            set remote-as 1111
        next
    end
    config redistribute "connected"
        set status enable
    end
end

Routes advertised by Location A to the ISP:
#Location A # get  router info  bgp neighbors 10.109.16.172 advertised-routes
BGP table version is 2, local router ID is 10.109.19.146
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight RouteTag Path
*> 10.109.16.0/20   10.109.19.146                      32768        0 ?
*> 10.201.0.0/20    10.109.19.146                      32768        0 ?
*> 10.205.0.0/20    10.109.19.146                      32768        0 ?

ISP:
config router bgp
    set as 1111
    config neighbor
        edit "10.109.19.146"                             <----- Location A
            set soft-reconfiguration enable
            set remote-as 65001
        next
        edit "10.109.16.73"                              <----- Location B
            set soft-reconfiguration enable
            set remote-as 65001
        next
    end
end

The ISP advertises the routes to Location B:
#ISP # get router info bgp  neighbors 10.109.16.73 advertised-routes
BGP table version is 4, local router ID is 10.201.0.172
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight RouteTag Path
*> 10.109.16.0/20   10.109.19.146                          0        0 65001 ?
*> 10.201.0.0/20    10.109.19.146                          0        0 65001 ?
*> 10.205.0.0/20    10.109.19.146                          0        0 65001 ?
Total number of prefixes 3

Location B:
config router bgp
    set as 65001
    config neighbor
        edit "10.109.16.172"                             <----- ISP
            set soft-reconfiguration enable
            set remote-as 1111
        next
    end
end

The routes advertised by the ISP are received by Location B, but they are not installed in the routing table of Location B.
#Location B #  get  router info bgp  neighbors 10.109.16.172 received-route
BGP table version is 1, local router ID is 192.168.100.99
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight RouteTag Path
*> 10.109.16.0/20   10.109.19.146                          0        0 1111 65001 ?
*> 10.201.0.0/20    10.109.19.146                          0        0 1111 65001 ?
*> 10.205.0.0/20    10.109.19.146                          0        0 1111 65001
Total number of prefixes 3

The routes are not installed in the routing table of Location B:
#Location B # get  router info routing-table details
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default
S*      0.0.0.0/0 [10/0] via 10.109.31.254, port1
                  [10/0] via 10.109.63.254, mgmt
C       10.109.16.0/20 is directly connected, port1

SOLUTION:

There are two solutions to overcome this problem:

1) Enable 'allowas-in-enable' in the BGP configuration of Location B.

Location B:
config router bgp
    set as 65001
    config neighbor
        edit "10.109.16.172"                            <----- ISP
            set allowas-in-enable enable
            set soft-reconfiguration enable
            set remote-as 1111
        next
    end
end

#Location B # get  router  info routing-table details
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 10.109.31.254, port1
                  [10/0] via 10.109.63.254, mgmt
C       10.109.16.0/20 is directly connected, port1
B       10.201.0.0/20 [20/0] via 10.109.19.146, port1, 00:00:38
B       10.205.0.0/20 [20/0] via 10.109.19.146, port1, 00:00:38

#Location B # get  router info bgp network 10.205.0.0/20
BGP routing table entry for 10.205.0.0/20
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Not advertised to any peer
  1111 65001
    10.109.19.146 from 10.109.16.172 (10.201.0.172)
      Origin incomplete metric 0, localpref 100, valid, external, best
      Last update: Sun Oct  6 13:13:19 2019

2) Enable 'as-override' in the BGP configuration of the ISP.

ISP:

config router bgp
    set as 1111
    config neighbor
        edit "10.109.19.146"
            set soft-reconfiguration enable
            set as-override enable
            set remote-as 65001
        next
        edit "10.109.16.73"
            set soft-reconfiguration enable
            set as-override enable
            set remote-as 65001
        next
    end
end

After enabling 'as-override', the routes are available in the routing table of Location B:
#Location B # get  router  info routing-table details

Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 10.109.31.254, port1
C       10.109.16.0/20 is directly connected, port1
B       10.201.0.0/20 [20/0] via 10.109.19.146, port1, 00:02:23
B       10.205.0.0/20 [20/0] via 10.109.19.146, port1, 00:02:23

#Location B # get  router  info bgp network 10.201.0.0/20

BGP routing table entry for 10.201.0.0/20
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Not advertised to any peer
  1111 1111
    10.109.19.146 from 10.109.16.172 (10.201.0.172)
      Origin incomplete metric 0, localpref 100, valid, external, best
      Last update: Sun Oct  6 14:25:57 2019

Note: After enabling 'allowas-in-enable' or 'as-override', the BGP neighbor goes down and comes back up.
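
The AS-path behaviour shown above, as an added example that is not part of the original article and is not FortiOS code: a small Python model of the ISP's export step and Location B's loop check, using the article's AS numbers and prefixes. The function names and the allowas_in count parameter are assumptions of this model.

```python
# Added example: a small model of eBGP AS-path handling (not FortiOS code).
CUSTOMER_AS = 65001          # Location A and Location B, from the article
ISP_AS = 1111                # provider AS, from the article
PREFIXES = ["10.201.0.0/20", "10.205.0.0/20"]   # routes originated by Location A


def export_ebgp(as_path, own_as):
    """A router prepends its own AS when advertising to an eBGP neighbor."""
    return [own_as] + list(as_path)


def isp_export(as_path, neighbor_as, as_override=False):
    """Path the ISP sends to a customer neighbor.

    With as-override, every occurrence of the neighbor's AS in the path is
    replaced by the ISP's AS before the ISP prepends itself.
    """
    if as_override:
        as_path = [ISP_AS if asn == neighbor_as else asn for asn in as_path]
    return export_ebgp(as_path, ISP_AS)


def passes_loop_check(as_path, local_as, allowas_in=0):
    """Receiver-side check: reject when the local AS appears in the path more
    often than tolerated. allowas_in=0 models the default behaviour; the
    count is a parameter of this model (assumption)."""
    return as_path.count(local_as) <= allowas_in


def location_b_view(as_override=False, allowas_in=0):
    """Return {prefix: (as_path_string, installed)} as seen by Location B."""
    view = {}
    for prefix in PREFIXES:
        at_isp = export_ebgp([], CUSTOMER_AS)                  # A -> ISP: 65001
        at_b = isp_export(at_isp, CUSTOMER_AS, as_override)    # ISP -> B
        installed = passes_loop_check(at_b, CUSTOMER_AS, allowas_in)
        view[prefix] = (" ".join(map(str, at_b)), installed)
    return view


if __name__ == "__main__":
    for label, kwargs in [("default", {}),
                          ("allowas-in on Location B", {"allowas_in": 1}),
                          ("as-override on ISP", {"as_override": True})]:
        for prefix, (path, ok) in location_b_view(**kwargs).items():
            print(f"{label:26} {prefix:15} path={path:12} installed={ok}")
```

In the model, allowas-in relaxes the loop check on Location B itself, while as-override leaves Location B's check at its default and changes the path the ISP sends.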
