FortiGate
cborgato_FTNT
Article Id 190371

Description

 

This article describes how to use the address family settings in Dual-Stack mode to avoid IPv4 routes being exchanged over the IPv6 peering and vice versa.

Dual-Stack BGP allows BGPv4 and BGPv6 to run at the same time. This means that two peers can exchange routes both as BGPv4 neighbors and as BGPv6 neighbors.

If this is not configured properly, the system may sometimes choose an IPv4-mapped IPv6 address as the next hop instead of the pre-configured IPv6 address. Any routes associated with that next hop are then marked 'inactive', even when IPv6 neighbors are already configured and established between the two peers.

Using the address family settings avoids this situation.


Solution

 

By default, both address families are activated on every BGP neighbor on the FortiGate, which means that IPv4 and IPv6 routes are exchanged over both BGP stacks.


Interface and BGP configuration

Interface configuration on both nodes.

Node A
 
# config system interface
    edit "port1"
        set ip 10.0.0.10 255.255.255.0
        set allowaccess ping
            config ipv6
                set ip6-allowaccess ping
                set ip6-address 2a05:9cc0:705:102::10/64
            end
    next
end
 
Node B
 
# config system interface
    edit "port2"
        set ip 10.0.0.20 255.255.255.0
        set allowaccess ping
            config ipv6
                set ip6-allowaccess ping
                set ip6-address 2a05:9cc0:705:102::20/64
            end
    next
end
 
Loopback interface to be redistributed (only one of the loopbacks is shown as a sample).

Node A
 
# config system interface
    edit "lo8"
        set ip 1.10.1.8 255.255.255.255
        set type loopback
            config ipv6
                set ip6-address 2a05:9cc0:10:10::8/128
            end
    next
end
 
Configure BGP in Dual-Stack mode, redistributing the IPv4 and IPv6 loopback routes.

Node A
 
# config router bgp
    set as 65010
        config neighbor
            edit "10.0.0.20"
                set remote-as 65020
            next
            edit "2a05:9cc0:705:102::20"
                set remote-as 65020
            next
        end
        config redistribute "connected"
            set status enable
        end
        config redistribute6 "connected"
            set status enable
        end
end
 
Node B
 
# config router bgp
    set as 65020
        config neighbor
            edit "10.0.0.10"
                set remote-as 65010
            next
            edit "2a05:9cc0:705:102::10"
                set remote-as 65010
            next
        end
        config redistribute "connected"
            set status enable
        end
        config redistribute6 "connected"
            set status enable
        end
end
 
Results and Solutions

In this example, on Node B the IPv6 routes received over BGP have not been exchanged correctly: their next hop is '::' and they remain inactive.
 
# get router info6 routing-table database
IPv6 Routing Table
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       I - IS-IS, B - BGP
       > - selected route, * - FIB route, p - stale info
Timers: Uptime

C    *> ::1/128 via ::, root, 00:36:05
B       2a05:9cc0:10:10::1/128 [20/0] via :: inactive, 00:03:37
B       2a05:9cc0:10:10::3/128 [20/0] via :: inactive, 00:03:37
B       2a05:9cc0:10:10::4/128 [20/0] via :: inactive, 00:03:37
B       2a05:9cc0:10:10::5/128 [20/0] via :: inactive, 00:03:37
B       2a05:9cc0:10:10::6/128 [20/0] via :: inactive, 00:03:37
B       2a05:9cc0:10:10::7/128 [20/0] via :: inactive, 00:03:37
B       2a05:9cc0:10:10::8/128 [20/0] via :: inactive, 00:03:37
B       2a05:9cc0:10:10::9/128 [20/0] via :: inactive, 00:03:37
B       2a05:9cc0:10:10::10/128 [20/0] via :: inactive, 00:03:37
C    *> 2a05:9cc0:20:20::1/128 via ::, lo1, 00:21:28
C    *> 2a05:9cc0:20:20::2/128 via ::, lo2, 00:21:27
C    *> 2a05:9cc0:20:20::3/128 via ::, lo3, 00:21:27
C    *> 2a05:9cc0:20:20::4/128 via ::, lo4, 00:21:27
C    *> 2a05:9cc0:20:20::5/128 via ::, lo5, 00:21:27
C    *> 2a05:9cc0:20:20::6/128 via ::, lo6, 00:21:27
C    *> 2a05:9cc0:20:20::7/128 via ::, lo7, 00:21:27
C    *> 2a05:9cc0:20:20::8/128 via ::, lo8, 00:21:27
C    *> 2a05:9cc0:20:20::9/128 via ::, lo9, 00:21:26
C    *> 2a05:9cc0:20:20::10/128 via ::, lo10, 00:21:25
C    *> 2a05:9cc0:705:102::/64 via ::, port1, 00:22:46
C    *> fe80::/10 via ::, port1, 00:22:46
These routes are therefore not installed in the routing table.
 
# get router info6 routing-table
IPv6 Routing Table
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       I - IS-IS, B - BGP
       * - candidate default
Timers: Uptime
C       ::1/128 via ::, root, 00:37:30
C       2a05:9cc0:20:20::1/128 via ::, lo1, 00:22:53
C       2a05:9cc0:20:20::2/128 via ::, lo2, 00:22:52
C       2a05:9cc0:20:20::3/128 via ::, lo3, 00:22:52
C       2a05:9cc0:20:20::4/128 via ::, lo4, 00:22:52
C       2a05:9cc0:20:20::5/128 via ::, lo5, 00:22:52
C       2a05:9cc0:20:20::6/128 via ::, lo6, 00:22:52
C       2a05:9cc0:20:20::7/128 via ::, lo7, 00:22:52
C       2a05:9cc0:20:20::8/128 via ::, lo8, 00:22:52
C       2a05:9cc0:20:20::9/128 via ::, lo9, 00:22:51
C       2a05:9cc0:20:102::10/128 via ::, lo10, 00:22:50
C       2a05:9cc0:705:102::/64 via ::, port1, 00:24:11
C       fe80::/10 via ::, port1, 00:24:11
 
Sniffing the IPv4 and IPv6 BGP sessions clearly shows IPv6 and IPv4 routes being carried in the BGP UPDATE messages of the other address family's session.

 
Running ‘execute router clear bgp all’ several times may temporarily solve the problem, but it cannot be considered a proper workaround.

Applying ‘set activate6 disable’ to the BGPv4 neighbor and ‘set activate disable’ to the BGPv6 neighbor on both nodes solves the problem: IPv4 routes are then exchanged only over the BGPv4 session and IPv6 routes only over the BGPv6 session.

Node A (the equivalent configuration is applied on Node B).
 
# config router bgp
    config neighbor
        edit "10.0.0.20"
            set activate6 disable  <-------------------------------------
        next
        edit "2a05:9cc0:705:102::20"
            set activate disable   <-------------------------------------
        next
    end
end
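As an added check (example code written for this article, not part of the article or of FortiOS), the following Python parses the neighbor block of a 'config router bgp' section and reports which neighbor is still missing the activate/activate6 setting described above. The sample configuration is constructed from the Node A example, with the IPv6 neighbor already fixed and the IPv4 neighbor still at its default.

```python
import ipaddress
import re

# Constructed sample: Node A's neighbor block, where only the IPv6 peer has
# already been restricted to its own address family.
SAMPLE_BGP_CONFIG = """\
config router bgp
    set as 65010
        config neighbor
            edit "10.0.0.20"
                set remote-as 65020
            next
            edit "2a05:9cc0:705:102::20"
                set remote-as 65020
                set activate disable
            next
        end
end
"""


def parse_neighbors(config_text):
    """Return {neighbor_ip: {setting: value}} for each quoted 'edit' entry."""
    neighbors, current = {}, None
    for line in config_text.splitlines():
        line = line.strip()
        match = re.match(r'edit\s+"([^"]+)"', line)
        if match:
            current = match.group(1)
            neighbors[current] = {}
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            _, key, value = line.split(None, 2)
            neighbors[current][key] = value
    return neighbors


def audit_dual_stack(neighbors):
    """Return {peer: missing 'set' line} for peers that still carry both
    address families. FortiOS enables activate and activate6 by default,
    so a missing setting counts as 'enable' (assumption stated in lead-in)."""
    findings = {}
    for peer, settings in neighbors.items():
        try:
            family = ipaddress.ip_address(peer).version
        except ValueError:
            continue  # neighbor key is not an IP literal; nothing to check
        wanted = "activate6" if family == 4 else "activate"
        if settings.get(wanted, "enable") != "disable":
            findings[peer] = f"set {wanted} disable"
    return findings
```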
 
On Node B the IPv6 BGP routes now have a valid link-local next hop and are no longer inactive.
 
# get router info6 routing-table
IPv6 Routing Table
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       I - IS-IS, B - BGP
       * - candidate default
Timers: Uptime
C       ::1/128 via ::, root, 00:11:00
B       2a05:9cc0:10:10::1/128 [20/0] via fe80::209:fff:feb7:3c78, port1, 00:00:12
B       2a05:9cc0:10:10::3/128 [20/0] via fe80::209:fff:feb7:3c78, port1, 00:00:12
B       2a05:9cc0:10:10::4/128 [20/0] via fe80::209:fff:feb7:3c78, port1, 00:00:12
B       2a05:9cc0:10:10::5/128 [20/0] via fe80::209:fff:feb7:3c78, port1, 00:00:12
B       2a05:9cc0:10:10::6/128 [20/0] via fe80::209:fff:feb7:3c78, port1, 00:00:12
B       2a05:9cc0:10:10::7/128 [20/0] via fe80::209:fff:feb7:3c78, port1, 00:00:12
B       2a05:9cc0:10:10::8/128 [20/0] via fe80::209:fff:feb7:3c78, port1, 00:00:12
B       2a05:9cc0:10:10::9/128 [20/0] via fe80::209:fff:feb7:3c78, port1, 00:00:12
B       2a05:9cc0:10:10::10/128 [20/0] via fe80::209:fff:feb7:3c78, port1, 00:00:12
C       2a05:9cc0:20:20::1/128 via ::, lo1, 00:11:00
C       2a05:9cc0:20:20::2/128 via ::, lo2, 00:11:00
C       2a05:9cc0:20:20::3/128 via ::, lo3, 00:11:00
C       2a05:9cc0:20:20::4/128 via ::, lo4, 00:11:00
C       2a05:9cc0:20:20::5/128 via ::, lo5, 00:11:00
C       2a05:9cc0:20:20::6/128 via ::, lo6, 00:11:00
C       2a05:9cc0:20:20::7/128 via ::, lo7, 00:11:00
C       2a05:9cc0:20:20::8/128 via ::, lo8, 00:11:00
C       2a05:9cc0:20:20::9/128 via ::, lo9, 00:11:00
C       2a05:9cc0:20:10::10/128 via ::, lo10, 00:11:00
C       2a05:9cc0:705:102::/64 via ::, port1, 00:06:44
C       fe80::/10 via ::, port1, 00:06:47
 
Another way to solve the problem is to configure a route-map that manually sets the IPv6 next hop for each IPv6 BGP peer.