BGP Basics — Configuration on Cisco IOS and FortiGate

Border Gateway Protocol (BGP) is the routing protocol that holds the internet together. It is the standard exterior gateway protocol used to exchange routing information between autonomous systems (AS). Whether you are managing enterprise WAN links, configuring SD-WAN underlay routing, or peering with an ISP, understanding BGP fundamentals is essential. In this post, we will cover the core concepts and then walk through basic configuration on both Cisco IOS and FortiGate (FortiOS).

What Is BGP?

BGP is a path-vector routing protocol that operates over TCP port 179. Unlike interior gateway protocols (IGPs) such as OSPF or EIGRP, BGP is designed to route between autonomous systems — each identified by a unique AS number (ASN). There are two flavours:

  • eBGP (External BGP) — peering between different autonomous systems. The default TTL is 1 (directly connected neighbours).
  • iBGP (Internal BGP) — peering within the same autonomous system. Requires a full mesh or route reflectors to avoid routing loops.

Key BGP Concepts

BGP Neighbour States

A BGP session progresses through several states before routes are exchanged:

  1. Idle — BGP is waiting to start a TCP connection.
  2. Connect — TCP three-way handshake is in progress.
  3. OpenSent — An OPEN message has been sent to the peer.
  4. OpenConfirm — An OPEN message has been received and acknowledged.
  5. Established — The session is up and routes are being exchanged.

BGP Path Attributes

BGP uses path attributes to determine the best route. The default decision process (simplified):

  1. Weight (Cisco-proprietary, local to the router — higher is preferred)
  2. Local Preference (shared within the AS — higher is preferred)
  3. Locally Originated (prefer routes originated by this router)
  4. AS Path Length (shorter path is preferred)
  5. Origin Type (IGP < EGP < Incomplete)
  6. MED (Multi-Exit Discriminator) (lower is preferred, compared across same neighbour AS)
  7. eBGP over iBGP
  8. Lowest IGP metric to next hop
  9. Lowest Router ID
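
The decision order above, written as a pairwise comparison. This is an added example, not code from the original post or from either vendor; the Path fields, sample ASNs and router IDs are constructed for illustration, and the MED step assumes the default behaviour of comparing MED only between paths from the same neighbour AS.

```python
from ipaddress import IPv4Address
from typing import NamedTuple

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}  # IGP < EGP < Incomplete

class Path(NamedTuple):
    name: str
    as_path: tuple            # neighbour AS first
    router_id: str
    weight: int = 0
    local_pref: int = 100
    locally_originated: bool = False
    origin: str = "igp"
    med: int = 0
    ebgp: bool = True
    igp_metric: int = 0

# One key per step of the list above; the lower key wins. None marks MED.
STEPS = [
    lambda p: -p.weight,                       # 1. higher weight
    lambda p: -p.local_pref,                   # 2. higher local preference
    lambda p: not p.locally_originated,        # 3. locally originated
    lambda p: len(p.as_path),                  # 4. shorter AS path
    lambda p: ORIGIN_RANK[p.origin],           # 5. origin type
    None,                                      # 6. MED (conditional)
    lambda p: not p.ebgp,                      # 7. eBGP over iBGP
    lambda p: p.igp_metric,                    # 8. lowest IGP metric to next hop
    lambda p: int(IPv4Address(p.router_id)),   # 9. lowest router ID
]

def prefer(a, b):
    """Return (winner, deciding step number) for two paths to the same prefix."""
    for step, key in enumerate(STEPS, start=1):
        if key is None:
            # MED is compared only when both paths enter via the same neighbour AS.
            if a.as_path[:1] != b.as_path[:1]:
                continue
            key = lambda p: p.med
        if key(a) != key(b):
            return (a if key(a) < key(b) else b), step
    return a, 0  # identical on every attribute

# Constructed sample paths (ASNs and router IDs are illustrative).
ISP_A = Path("isp-a", as_path=(65002, 65010), router_id="10.0.0.2", med=50)
ISP_B = Path("isp-b", as_path=(65003,), router_id="10.0.1.2", med=10)

if __name__ == "__main__":
    winner, step = prefer(ISP_A, ISP_B)
    print(f"{winner.name} wins at step {step}")
```

Returning the deciding step makes it easy to see why a path won, which is the question that usually matters when a policy change shifts traffic unexpectedly.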

BGP Message Types

BGP uses four message types to manage sessions and exchange routing information:

  • OPEN — Initiates a BGP session and negotiates parameters (ASN, hold time, router ID).
  • UPDATE — Advertises new routes or withdraws previously announced routes.
  • KEEPALIVE — Maintains the session (sent every 60 seconds by default, hold time 180 seconds).
  • NOTIFICATION — Signals an error condition and tears down the session.

Cisco IOS — Basic BGP Configuration

Below is a basic eBGP configuration on a Cisco router. In this example, our router is in AS 65001 and peers with a neighbour in AS 65002 at IP 10.0.0.2.

! Enter BGP configuration
router bgp 65001

 ! Set a router ID (best practice)
 bgp router-id 1.1.1.1

 ! Disable auto-summary (default in modern IOS, but good habit)
 no auto-summary

 ! Define the eBGP neighbour
 neighbor 10.0.0.2 remote-as 65002

 ! Optional: set a description
 neighbor 10.0.0.2 description eBGP-to-ISP

 ! Advertise networks into BGP
 network 192.168.1.0 mask 255.255.255.0
 network 172.16.0.0 mask 255.255.0.0

 ! Optional: set a password for MD5 authentication
 neighbor 10.0.0.2 password SecureBGP123

Cisco — iBGP Example

For iBGP, the remote AS matches your own. You typically peer via loopback interfaces:

router bgp 65001
 neighbor 2.2.2.2 remote-as 65001
 neighbor 2.2.2.2 update-source Loopback0
 neighbor 2.2.2.2 next-hop-self

Cisco — Useful Verification Commands

! Check BGP neighbour status
show ip bgp summary

! View the full BGP table
show ip bgp

! Check details for a specific neighbour
show ip bgp neighbors 10.0.0.2

! View advertised routes to a neighbour
show ip bgp neighbors 10.0.0.2 advertised-routes

! View routes received from a neighbour (requires soft-reconfiguration inbound for that neighbour)
show ip bgp neighbors 10.0.0.2 received-routes

FortiGate (FortiOS) — Basic BGP Configuration

FortiGate supports BGP through its CLI. Below is the equivalent eBGP setup — our FortiGate is in AS 65001, peering with AS 65002 at 10.0.0.2.

# Enter the BGP router configuration
config router bgp
    set as 65001
    set router-id 1.1.1.1

    # Define the eBGP neighbour
    config neighbor
        edit "10.0.0.2"
            set remote-as 65002
            set description "eBGP-to-ISP"

            # Optional: MD5 authentication
            set password SecureBGP123

            # Enable the neighbour (enabled by default)
            set shutdown disable
        next
    end

    # Advertise networks into BGP
    config network
        edit 1
            set prefix 192.168.1.0 255.255.255.0
        next
        edit 2
            set prefix 172.16.0.0 255.255.0.0
        next
    end
end

FortiGate — iBGP Example

config router bgp
    set as 65001
    config neighbor
        edit "2.2.2.2"
            set remote-as 65001
            set update-source "loopback0"
            set next-hop-self enable
        next
    end
end

FortiGate — Route Maps and Prefix Lists

Controlling inbound and outbound routes is critical. Here is how to create a prefix list and apply it via a route map on FortiGate:

# Create a prefix list
config router prefix-list
    edit "ALLOW-RFC1918"
        config rule
            edit 1
                set prefix 10.0.0.0 255.0.0.0
                set le 32
                set action permit
            next
            edit 2
                set prefix 172.16.0.0 255.240.0.0
                set le 32
                set action permit
            next
            edit 3
                set prefix 192.168.0.0 255.255.0.0
                set le 32
                set action permit
            next
        end
    next
end

# Create a route map referencing the prefix list
config router route-map
    edit "BGP-OUTBOUND"
        config rule
            edit 1
                set match-ip-address "ALLOW-RFC1918"
                set action permit
            next
        end
    next
end

# Apply the route map to the neighbour
config router bgp
    config neighbor
        edit "10.0.0.2"
            set route-map-out "BGP-OUTBOUND"
        next
    end
end
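
Before applying a filter like this, it helps to check what it will actually let through. The sketch below evaluates the ALLOW-RFC1918 rules against a list of candidate routes. It is an added example, not code from the original post or from Fortinet, and it assumes the usual prefix-list semantics: a route matches when it falls inside the rule's prefix and its length is within the ge/le range, with an implicit deny at the end. The candidate routes and the TIGHTER variant are constructed for illustration.

```python
from ipaddress import ip_network

# ALLOW-RFC1918 as configured above: (prefix, ge, le, action)
ALLOW_RFC1918 = [
    ("10.0.0.0/8", None, 32, "permit"),
    ("172.16.0.0/12", None, 32, "permit"),
    ("192.168.0.0/16", None, 32, "permit"),
]
# Hypothetical tighter variant (not from the post): nothing longer than /24.
TIGHTER = [(p, ge, 24, act) for p, ge, _, act in ALLOW_RFC1918]

# Constructed candidate routes, as they might sit in the BGP table.
CANDIDATES = ["192.168.1.0/24", "172.16.0.0/16", "10.1.2.3/32",
              "172.32.0.0/16", "0.0.0.0/0", "203.0.113.0/24"]

def rule_matches(route, prefix, ge=None, le=None):
    """True if route lies inside prefix and its length is within ge..le."""
    net, rule = ip_network(route), ip_network(prefix)
    if not net.subnet_of(rule):
        return False
    if ge is None and le is None:
        return net.prefixlen == rule.prefixlen   # exact match only
    lo = ge if ge is not None else rule.prefixlen
    hi = le if le is not None else net.max_prefixlen
    return lo <= net.prefixlen <= hi

def evaluate(plist, route):
    """First matching rule decides; no match means implicit deny."""
    for prefix, ge, le, action in plist:
        if rule_matches(route, prefix, ge, le):
            return action
    return "deny"

def advertised(plist, routes):
    return [r for r in routes if evaluate(plist, r) == "permit"]

if __name__ == "__main__":
    print("le 32:", advertised(ALLOW_RFC1918, CANDIDATES))
    print("le 24:", advertised(TIGHTER, CANDIDATES))
```

With le 32 the /32 host route is permitted along with the two aggregates; the tighter variant drops it. The default route, 172.32.0.0/16 (outside the /12) and the public prefix are denied by both.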

FortiGate — Useful Verification Commands

# Check BGP neighbour summary
get router info bgp summary

# View the BGP routing table
get router info bgp network

# Check details for a specific neighbour
get router info bgp neighbors 10.0.0.2

# View routes advertised to a neighbour
get router info bgp neighbors 10.0.0.2 advertised-routes

# View routes received from a neighbour
get router info bgp neighbors 10.0.0.2 routes

Cisco vs. FortiGate — Quick Comparison

Feature              | Cisco IOS                          | FortiGate (FortiOS)
---------------------+------------------------------------+--------------------------------------------
Enter BGP config     | router bgp <ASN>                   | config router bgp
Define neighbour     | neighbor <IP> remote-as <ASN>      | config neighbor → edit <IP> → set remote-as
Advertise network    | network <prefix> mask <mask>       | config network → edit → set prefix
Verify neighbours    | show ip bgp summary                | get router info bgp summary
View BGP table       | show ip bgp                        | get router info bgp network
MD5 authentication   | neighbor <IP> password             | set password under neighbour
Route map (outbound) | neighbor <IP> route-map <name> out | set route-map-out under neighbour

Common Troubleshooting Tips

  • Neighbour stuck in Active/Idle — Check TCP connectivity on port 179. Verify firewall rules, ACLs, and that the neighbour IP and ASN are correct on both sides.
  • Routes not appearing in the table — Ensure the network statement matches an exact route in the routing table (Cisco) or that the prefix is correctly defined (FortiGate). Check route maps and prefix lists for unintended deny rules.
  • MD5 authentication mismatch — Both sides must have the identical password. A mismatch will cause TCP resets. On FortiGate, use diagnose sys tcpsock | grep 179 to check for session issues.
  • iBGP next-hop unreachable — Use next-hop-self on Cisco or set next-hop-self enable on FortiGate to rewrite the next hop for iBGP peers.
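  • AS path loop — iBGP does not modify the AS path, so AS-path loop detection cannot be relied on inside the AS. Routes learned from one iBGP peer are therefore not re-advertised to other iBGP peers, which is why a full mesh or route reflectors are required.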

Wrapping Up

BGP is a deep protocol with many advanced features — route reflectors, confederations, communities, graceful restart, BFD integration, and more. But every BGP deployment starts with these basics: defining your AS, establishing neighbour relationships, and advertising your prefixes. Once you are comfortable with the fundamentals on both Cisco and FortiGate, you will have a solid foundation to build on.

In future posts, we will dive deeper into advanced BGP topics including route filtering strategies, BGP communities, and high-availability designs. Stay tuned.

— Inho
