ppatel
Staff
Article Id 197208
Description
This article describes how to achieve load balancing between two EBGP speakers over parallel links.

Solution
Basic understanding of EBGP Multihop Load-Balancing.

- Multihop applies only to EBGP, not to IBGP.
- Generally, EBGP selects only one of the links to send packets, so load balancing does not work.
- If there are multiple physical links between the BGP peer units, then instead of creating a separate EBGP peering for each link, it is possible to configure a single EBGP peering session with the loopback address of the remote unit.
- The remote unit loopback has to be reachable from the local unit using either static routes or an IGP with equal-cost paths, which load-balance the traffic across the multiple physical links between the units.
- The main benefit of EBGP multihop is that even if one of the physical links fails, reachability still exists on the alternate link.

Configuring EBGP Multihop.

- Configure 'FGT-A' with two static routes to reach the remote loopback IP 10.10.10.40: one path via 192.168.1.2 and the other via 192.168.2.2.
- Likewise, configure 'FGT-B' with two static routes to reach the remote loopback IP 10.10.10.20: one path via 192.168.1.1 and the other via 192.168.2.1.
- Configure the EBGP session with update-source set to 'loopback' so that the loopback IP, instead of a physical interface IP, is used as the source for EBGP.
- Enable 'ebgp-enforce-multihop' to allow EBGP multihop.
- When 'ebgp-enforce-multihop' is enabled, FortiOS sets ebgp-multihop-ttl to 255 by default.

FGT-A Configuration.
# config system interface
    edit "loopback"
        set vdom "root"
        set ip 10.10.10.20 255.255.255.255
        set allowaccess ping
        set type loopback
    next
end

# config router bgp
    set as 20
    # config neighbor
        edit "10.10.10.40"
            set ebgp-enforce-multihop enable
            set remote-as 40
            set update-source "loopback"
            set ebgp-multihop-ttl 255
        next
    end
    # config network
        edit 1
            set prefix 172.16.1.0 255.255.255.0
        next
    end
end

# config router static
    edit 1
        set dst 10.10.10.40
        set gateway 192.168.1.2
        set device "wan1"
    next
    edit 2
        set dst 10.10.10.40
        set gateway 192.168.2.2
        set device "wan2"
    next
end

FGT-B Configuration.
# config system interface
    edit "loopback"
        set vdom "root"
        set ip 10.10.10.40 255.255.255.255
        set allowaccess ping
        set type loopback
    next
end

# config router bgp
    set as 40
    # config neighbor
        edit "10.10.10.20"
            set ebgp-enforce-multihop enable
            set remote-as 20
            set update-source "loopback"
            set ebgp-multihop-ttl 255
        next
    end
    # config network
        edit 1
            set prefix 172.16.2.0 255.255.255.0
        next
    end
end

# config router static
    edit 1
        set dst 10.10.10.20
        set gateway 192.168.1.1
        set device "wan1"
    next
    edit 2
        set dst 10.10.10.20
        set gateway 192.168.2.1
        set device "wan2"
    next
end
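
The prerequisites listed under "Configuring EBGP Multihop" can be checked against a saved configuration before the session is brought up. The Python script below is an added example, not part of the original article or any Fortinet tooling; the function names `parse` and `audit` and the sample text are assumptions constructed for illustration.

```python
import re
# Constructed sample: FGT-A's settings from this article with static route 2 left out.
SAMPLE = """
config router bgp
    config neighbor
        edit "10.10.10.40"
            set ebgp-enforce-multihop enable
            set update-source "loopback"
        next
    end
end
config router static
    edit 1
        set dst 10.10.10.40
        set gateway 192.168.1.2
    next
end
"""

def parse(text):
    """Return {section path: {edit id: {option: value}}} for FortiOS-style text."""
    tree, path, entry = {}, [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("#").strip()  # the listings prefix 'config' with '#'
        if line.startswith("config "):
            path, entry = path + [line[7:]], None
        elif line == "end":
            path, entry = path[:-1], None
        elif line.startswith("edit "):
            entry = line[5:].strip('"')
        elif line.startswith("set ") and entry is not None:
            _, key, value = (line.split(None, 2) + [""])[:3]
            tree.setdefault(" > ".join(path), {}).setdefault(entry, {})[key] = value.strip('"')
    return tree

def audit(text):
    """List the multihop prerequisites from this article that the config misses."""
    tree, findings = parse(text), []
    routes = [(re.split(r"[ /]", r.get("dst", ""))[0], r.get("gateway"))
              for r in tree.get("router static", {}).values()]
    for peer, opts in tree.get("router bgp > neighbor", {}).items():
        if opts.get("ebgp-enforce-multihop") != "enable":
            findings.append(f"{peer}: ebgp-enforce-multihop not enabled")
        if "update-source" not in opts:
            findings.append(f"{peer}: no update-source set")
        gateways = {gw for dst, gw in routes if dst == peer}
        if len(gateways) < 2:
            findings.append(f"{peer}: {len(gateways)} gateway(s) to the loopback, need at least 2")
    return findings
```

Calling `audit(SAMPLE)` reports the single remaining path to 10.10.10.40; with the second static route restored the list is empty.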
