Basic MP-BGP Lab: Cisco Router, Palo Alto, Fortinet

While playing around in my lab learning BGP I configured iBGP with Multiprotocol Extensions (exchanging routing information for IPv6 and legacy IP) between two Cisco routers, a Palo Alto Networks firewall, and a Fortinet FortiGate firewall. Following are all configuration steps from the GUI (Palo) as well as the CLIs (Cisco, Fortinet). It’s just a “basic” lab because I did not configure every possible parameter such as local preference or MED but left almost everything at its defaults, except neighboring from loopbacks, password authentication and next-hop-self.

Lab

Some notes about the lab:

  • AS number: 64512 (out of the private range, RFC 6996, IANA AS Numbers)
  • Neighboring via IPv6 for the IPv6 address family and via IPv4 for the IPv4 address family for all peers, except between the two Cisco routers, which used only IPv6. Those were the only ones that were able to use this single neighborship for both address families. The Palo Alto does not accept using an IPv6 neighbor for IPv4 routes (and vice versa), while the FortiGate accepted the config commands but made wrong routing entries out of it. I don’t know why.
  • Neighboring via loopback addresses for Palo and both Cisco routers, but not for the FortiGate. Just to have some variance in the lab.
  • MD5 password authentication for all neighbors, except for the IPv4 ones between Palo and both Cisco routers. Again for having some variance.
  • The Palo Alto firewall is my gateway to the Internet. It redistributes its default routes (::/0 and 0.0.0.0/0) to its iBGP neighbors.
  • The FortiGate has just one dual-stacked network to propagate.
  • Behind the two Cisco routers, named R4 and R5, some more internal routes coming from OSPFv3 for IPv6 and OSPFv2 for legacy IP are redistributed to the other iBGP neighbors as well.
  • Those redistributed routes have some variances, too. For IPv6, there are some /64 routes, one aggregated /63 route, one /127 transfer segment, a few /128 loopback addresses, and one aggregated /127 route. Same for IPv4, where an aggregated/summarized /23 exists, as well as /32 host routes, and a /31 aggregated route.

A picture is worth a thousand words. And I have two for you. ;) The first one shows my overall CCNP TSHOOT lab with BGP on the left-hand side, while the second one depicts the BGP settings:

So, let’s dig into the lab.

Cisco Router

Two 2851 routers with IOS 15.1(4)M12a. Note the no bgp default ipv4-unicast command in order to NOT have any neighbors activated for the IPv4 address family by default.

Configuration for R4:
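As an added example (not the post's own R4 configuration), this is how the settings described above look in IOS syntax: no bgp default ipv4-unicast, peering from Loopback0, MD5 passwords on all neighbors except the IPv4 one towards the Palo, next-hop-self in both address families, and redistribution of the OSPFv2/OSPFv3 routes. All addresses, passwords and the OSPF process number are assumed placeholders. The route-map on the R4–R5 session is also an assumption: when IPv4 unicast is carried over an IPv6 session, IOS needs an explicit IPv4 next hop set on outgoing updates, which the post does not mention.

```cisco
! Added example, not the post's R4 config. All addresses are placeholders.
ipv6 unicast-routing
!
interface Loopback0
 ip address 10.0.0.4 255.255.255.255
 ipv6 address 2001:db8::4/128
!
! Assumption: IPv4 routes sent over the IPv6 session to R5 need a usable
! IPv4 next hop; set it to R4's own loopback (same effect as next-hop-self).
route-map NH-IPV4-TO-R5 permit 10
 set ip next-hop 10.0.0.4
!
router bgp 64512
 bgp router-id 10.0.0.4
 bgp log-neighbor-changes
 ! Neighbors are NOT activated for IPv4 unicast unless done explicitly
 no bgp default ipv4-unicast
 !
 ! R5: a single IPv6 neighborship from loopback to loopback, MD5 protected
 neighbor 2001:db8::5 remote-as 64512
 neighbor 2001:db8::5 password R4R5placeholder
 neighbor 2001:db8::5 update-source Loopback0
 !
 ! Palo Alto: separate IPv6 and IPv4 neighbors from loopbacks,
 ! MD5 only on the IPv6 session (as in the lab notes)
 neighbor 2001:db8::1 remote-as 64512
 neighbor 2001:db8::1 password PaloPlaceholder
 neighbor 2001:db8::1 update-source Loopback0
 neighbor 10.0.0.1 remote-as 64512
 neighbor 10.0.0.1 update-source Loopback0
 !
 ! FortiGate: neighbors on the transfer network addresses (no loopbacks), MD5 on both
 neighbor 2001:db8:ff::2 remote-as 64512
 neighbor 2001:db8:ff::2 password FortiPlaceholder
 neighbor 192.0.2.2 remote-as 64512
 neighbor 192.0.2.2 password FortiPlaceholder
 !
 address-family ipv4
  ! OSPFv2 process 1 (placeholder) supplies the internal legacy IP routes
  redistribute ospf 1
  neighbor 2001:db8::5 activate
  neighbor 2001:db8::5 next-hop-self
  neighbor 2001:db8::5 route-map NH-IPV4-TO-R5 out
  neighbor 10.0.0.1 activate
  neighbor 10.0.0.1 next-hop-self
  neighbor 192.0.2.2 activate
  neighbor 192.0.2.2 next-hop-self
 exit-address-family
 !
 address-family ipv6
  ! OSPFv3 process 1 (placeholder) supplies the internal IPv6 routes
  redistribute ospf 1
  neighbor 2001:db8::5 activate
  neighbor 2001:db8::5 next-hop-self
  neighbor 2001:db8::1 activate
  neighbor 2001:db8::1 next-hop-self
  neighbor 2001:db8:ff::2 activate
  neighbor 2001:db8:ff::2 next-hop-self
 exit-address-family
```

To verify the sessions, show ip bgp summary and show bgp ipv6 unicast summary list each neighbor with its state and prefix count; a neighbor configured with a password on one side only stays in Idle/Active and shows MD5 digest errors in the log, which is the first thing to check when a session does not come up.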

The config for R5 is almost identical:


And this is a bunch of show commands from R4:


Palo Alto Networks Firewall

A PA-200 with PAN-OS 8.0.7. Palo Alto Networks offers a great GUI from which BGP can be configured completely. Hence no CLI here but only some show commands later on. I additionally enabled ECMP to have both routes (via R4 and R5) to all the other networks in the FIB.

Following are the configuration steps for the Palo:

And these are some “show” screenshots from More Runtime Stats:

As well as a bunch of show commands from the CLI:


Fortinet FortiGate Firewall

An FG-100D with firmware v5.6.3. The GUI from Fortinet concerning BGP is completely useless. You can only configure the bare neighbors via IPv4, but no IPv6, no address families, no password, and none of the other settings. Everything must be done via the CLI. (Why is this called a next generation firewall?)

This is the config. Note the set ibgp-multipath enable command in the beginning to have those equal routes via R4 and R5 in the routing table again:

At least the GUI can be used to have a look at the routing table. :P The default routes are learned via BGP, as well as many other routes that are load-shared over R4 and R5:

Much more information can be monitored through the CLI of course:

Haha, a lot of stuff. ;) Ciao.

For more posts about routing/switching you can follow the “Routing” or “Switching” categories concerning various firewall/router vendors, or the “Cisco Router”/“Cisco Switch” tags for posts related to Cisco stuff.

Featured image “Himmlischer Wegweiser/Heavenly fingerpost” by Frank Müller is licensed under CC BY-NC 2.0.
