{"id":17,"date":"2026-04-14T21:35:04","date_gmt":"2026-04-14T21:35:04","guid":{"rendered":"https:\/\/inhochoi.com\/index.php\/2026\/04\/14\/bgp-basics-cisco-fortigate\/"},"modified":"2026-04-14T21:35:04","modified_gmt":"2026-04-14T21:35:04","slug":"bgp-basics-cisco-fortigate","status":"publish","type":"post","link":"https:\/\/inhochoi.com\/index.php\/2026\/04\/14\/bgp-basics-cisco-fortigate\/","title":{"rendered":"BGP Basics \u2014 Configuration on Cisco IOS and FortiGate"},"content":{"rendered":"
<\/div>\n

Border Gateway Protocol (BGP) is the routing protocol that holds the internet together. It is the standard exterior gateway protocol used to exchange routing information between autonomous systems (AS). Whether you are managing enterprise WAN links, configuring SD-WAN underlay routing, or peering with an ISP, understanding BGP fundamentals is essential. In this post, we will cover the core concepts and then walk through basic configuration on both Cisco IOS<\/strong> and FortiGate (FortiOS)<\/strong>.<\/p>\n

<\/div>\n

What Is BGP?<\/h2>\n

BGP is a path-vector<\/strong> routing protocol that operates over TCP port 179. Unlike interior gateway protocols (IGPs) such as OSPF or EIGRP, BGP is designed to route between autonomous systems \u2014 each identified by a unique AS number (ASN). There are two flavours:<\/p>\n

    \n
  • eBGP (External BGP)<\/strong> \u2014 peering between different autonomous systems. The default TTL is 1 (directly connected neighbours).<\/li>\n
  • iBGP (Internal BGP)<\/strong> \u2014 peering within the same autonomous system. Requires a full mesh or route reflectors to avoid routing loops.<\/li>\n<\/ul>\n
    <\/div>\n

    Key BGP Concepts<\/h2>\n

    BGP Neighbour States<\/h3>\n

    A BGP session progresses through several states before routes are exchanged:<\/p>\n

      \n
    1. Idle<\/strong> \u2014 BGP is waiting to start a TCP connection.<\/li>\n
    2. Connect<\/strong> \u2014 TCP three-way handshake is in progress.<\/li>\n
    3. OpenSent<\/strong> \u2014 An OPEN message has been sent to the peer.<\/li>\n
    4. OpenConfirm<\/strong> \u2014 An OPEN message has been received and acknowledged.<\/li>\n
    5. Established<\/strong> \u2014 The session is up and routes are being exchanged.<\/li>\n<\/ol>\n

      BGP Path Attributes<\/h3>\n

      BGP uses path attributes to determine the best route. The default decision process (simplified):<\/p>\n

        \n
      1. Weight<\/strong> (Cisco-proprietary, local to the router \u2014 higher is preferred)<\/li>\n
      2. Local Preference<\/strong> (shared within the AS \u2014 higher is preferred)<\/li>\n
      3. Locally Originated<\/strong> (prefer routes originated by this router)<\/li>\n
      4. AS Path Length<\/strong> (shorter path is preferred)<\/li>\n
      5. Origin Type<\/strong> (IGP < EGP < Incomplete)<\/li>\n
      6. MED (Multi-Exit Discriminator)<\/strong> (lower is preferred, compared across same neighbour AS)<\/li>\n
      7. eBGP over iBGP<\/strong><\/li>\n
      8. Lowest IGP metric to next hop<\/strong><\/li>\n
      9. Lowest Router ID<\/strong><\/li>\n<\/ol>\n
        <\/div>\n

        BGP Message Types<\/h2>\n

        BGP uses four message types to manage sessions and exchange routing information:<\/p>\n

          \n
        • OPEN<\/strong> \u2014 Initiates a BGP session and negotiates parameters (ASN, hold time, router ID).<\/li>\n
        • UPDATE<\/strong> \u2014 Advertises new routes or withdraws previously announced routes.<\/li>\n
        • KEEPALIVE<\/strong> \u2014 Maintains the session (sent every 60 seconds by default, hold time 180 seconds).<\/li>\n
        • NOTIFICATION<\/strong> \u2014 Signals an error condition and tears down the session.<\/li>\n<\/ul>\n
          <\/div>\n

          Cisco IOS \u2014 Basic BGP Configuration<\/h2>\n

          Below is a basic eBGP configuration on a Cisco router. In this example, our router is in AS 65001<\/strong> and peers with a neighbour in AS 65002<\/strong> at IP 10.0.0.2<\/code>.<\/p>\n

          ! Enter BGP configuration\nrouter bgp 65001\n\n ! Set a router ID (best practice)\n bgp router-id 1.1.1.1\n\n ! Disable auto-summary (default in modern IOS, but good habit)\n no auto-summary\n\n ! Define the eBGP neighbour\n neighbor 10.0.0.2 remote-as 65002\n\n ! Optional: set a description\n neighbor 10.0.0.2 description eBGP-to-ISP\n\n ! Advertise networks into BGP\n network 192.168.1.0 mask 255.255.255.0\n network 172.16.0.0 mask 255.255.0.0\n\n ! Optional: set a password for MD5 authentication\n neighbor 10.0.0.2 password SecureBGP123<\/code><\/pre>\n
          Cisco \u2014 iBGP Example<\/h3>\n
          For iBGP, the remote AS matches your own. You typically peer via loopback interfaces:<\/p>\n
          router bgp 65001\n neighbor 2.2.2.2 remote-as 65001\n neighbor 2.2.2.2 update-source Loopback0\n neighbor 2.2.2.2 next-hop-self<\/code><\/pre>\n
          Cisco \u2014 Useful Verification Commands<\/h3>\n
          ! Check BGP neighbour status\nshow ip bgp summary\n\n! View the full BGP table\nshow ip bgp\n\n! Check details for a specific neighbour\nshow ip bgp neighbors 10.0.0.2\n\n! View advertised routes to a neighbour\nshow ip bgp neighbors 10.0.0.2 advertised-routes\n\n! View routes received from a neighbour\nshow ip bgp neighbors 10.0.0.2 received-routes<\/code><\/pre>\n
          <\/div>\n
          FortiGate (FortiOS) \u2014 Basic BGP Configuration<\/h2>\n
          FortiGate supports BGP through its CLI. Below is the equivalent eBGP setup \u2014 our FortiGate is in AS 65001<\/strong>, peering with AS 65002<\/strong> at 10.0.0.2<\/code>.<\/p>\n
          # Enter the BGP router configuration\nconfig router bgp\n    set as 65001\n    set router-id 1.1.1.1\n\n    # Define the eBGP neighbour\n    config neighbor\n        edit \"10.0.0.2\"\n            set remote-as 65002\n            set description \"eBGP-to-ISP\"\n\n            # Optional: MD5 authentication\n            set password SecureBGP123\n\n            # Enable the neighbour (enabled by default)\n            set shutdown disable\n        next\n    end\n\n    # Advertise networks into BGP\n    config network\n        edit 1\n            set prefix 192.168.1.0 255.255.255.0\n        next\n        edit 2\n            set prefix 172.16.0.0 255.255.0.0\n        next\n    end\nend<\/code><\/pre>\n
          FortiGate \u2014 iBGP Example<\/h3>\n
          config router bgp\n    set as 65001\n    config neighbor\n        edit \"2.2.2.2\"\n            set remote-as 65001\n            set update-source \"loopback0\"\n            set next-hop-self enable\n        next\n    end\nend<\/code><\/pre>\n
          FortiGate \u2014 Route Maps and Prefix Lists<\/h3>\n
          Controlling inbound and outbound routes is critical. Here is how to create a prefix list and apply it via a route map on FortiGate:<\/p>\n
          # Create a prefix list\nconfig router prefix-list\n    edit \"ALLOW-RFC1918\"\n        config rule\n            edit 1\n                set prefix 10.0.0.0 255.0.0.0\n                set le 32\n                set action permit\n            next\n            edit 2\n                set prefix 172.16.0.0 255.240.0.0\n                set le 32\n                set action permit\n            next\n            edit 3\n                set prefix 192.168.0.0 255.255.0.0\n                set le 32\n                set action permit\n            next\n        end\n    next\nend\n\n# Create a route map referencing the prefix list\nconfig router route-map\n    edit \"BGP-OUTBOUND\"\n        config rule\n            edit 1\n                set match-ip-address \"ALLOW-RFC1918\"\n                set action permit\n            next\n        end\n    next\nend\n\n# Apply the route map to the neighbour\nconfig router bgp\n    config neighbor\n        edit \"10.0.0.2\"\n            set route-map-out \"BGP-OUTBOUND\"\n        next\n    end\nend<\/code><\/pre>\n
          FortiGate \u2014 Useful Verification Commands<\/h3>\n
          # Check BGP neighbour summary\nget router info bgp summary\n\n# View the BGP routing table\nget router info bgp network\n\n# Check details for a specific neighbour\nget router info bgp neighbors 10.0.0.2\n\n# View routes advertised to a neighbour\nget router info bgp neighbors 10.0.0.2 advertised-routes\n\n# View routes received from a neighbour\nget router info bgp neighbors 10.0.0.2 routes<\/code><\/pre>\n
          <\/div>\n
          Cisco vs. FortiGate \u2014 Quick Comparison<\/h2>\n
          \n\n\n\n\n\n\n\n\n\n\n\n
          Feature<\/th>\nCisco IOS<\/th>\nFortiGate (FortiOS)<\/th>\n<\/tr>\n<\/thead>\n
          Enter BGP config<\/td>\nrouter bgp <ASN><\/code><\/td>\nconfig router bgp<\/code><\/td>\n<\/tr>\n
          Define neighbour<\/td>\nneighbor <IP> remote-as <ASN><\/code><\/td>\nconfig neighbor \u2192 edit <IP> \u2192 set remote-as<\/code><\/td>\n<\/tr>\n
          Advertise network<\/td>\nnetwork <prefix> mask <mask><\/code><\/td>\nconfig network \u2192 edit \u2192 set prefix<\/code><\/td>\n<\/tr>\n
          Verify neighbours<\/td>\nshow ip bgp summary<\/code><\/td>\nget router info bgp summary<\/code><\/td>\n<\/tr>\n
          View BGP table<\/td>\nshow ip bgp<\/code><\/td>\nget router info bgp network<\/code><\/td>\n<\/tr>\n
          MD5 authentication<\/td>\nneighbor <IP> password<\/code><\/td>\nset password<\/code> under neighbour<\/td>\n<\/tr>\n
          Route map (outbound)<\/td>\nneighbor <IP> route-map <name> out<\/code><\/td>\nset route-map-out<\/code> under neighbour<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n
          <\/div>\n
          Common Troubleshooting Tips<\/h2>\n
            \n
          • Neighbour stuck in Active\/Idle<\/strong> \u2014 Check TCP connectivity on port 179. Verify firewall rules, ACLs, and that the neighbour IP and ASN are correct on both sides.<\/li>\n
          • Routes not appearing in the table<\/strong> \u2014 Ensure the network statement matches an exact route in the routing table (Cisco) or that the prefix is correctly defined (FortiGate). Check route maps and prefix lists for unintended deny rules.<\/li>\n
          • MD5 authentication mismatch<\/strong> \u2014 Both sides must have the identical password. A mismatch will cause TCP resets. On FortiGate, use diagnose sys tcpsock | grep 179<\/code> to check for session issues.<\/li>\n
          • iBGP next-hop unreachable<\/strong> \u2014 Use next-hop-self<\/code> on Cisco or set next-hop-self enable<\/code> on FortiGate to rewrite the next hop for iBGP peers.<\/li>\n
          • AS path loop<\/strong> \u2014 iBGP does not modify the AS path, which is why a full mesh or route reflectors are required.<\/li>\n<\/ul>\n
            <\/div>\n
            Wrapping Up<\/h2>\n
            BGP is a deep protocol with many advanced features \u2014 route reflectors, confederations, communities, graceful restart, BFD integration, and more. But every BGP deployment starts with these basics: defining your AS, establishing neighbour relationships, and advertising your prefixes. Once you are comfortable with the fundamentals on both Cisco and FortiGate, you will have a solid foundation to build on.<\/p>\n
            In future posts, we will dive deeper into advanced BGP topics including route filtering strategies, BGP communities, and high-availability designs. Stay tuned.<\/p>\n
            <\/div>\n
            \u2014 Inho<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"
            A practical introduction to Border Gateway Protocol (BGP) fundamentals with hands-on configuration examples for both Cisco IOS and FortiGate (FortiOS).<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-17","post","type-post","status-publish","format-standard","hentry","category-networking"],"_links":{"self":[{"href":"https:\/\/inhochoi.com\/index.php\/wp-json\/wp\/v2\/posts\/17","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/inhochoi.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/inhochoi.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/inhochoi.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/inhochoi.com\/index.php\/wp-json\/wp\/v2\/comments?post=17"}],"version-history":[{"count":0,"href":"https:\/\/inhochoi.com\/index.php\/wp-json\/wp\/v2\/posts\/17\/revisions"}],"wp:attachment":[{"href":"https:\/\/inhochoi.com\/index.php\/wp-json\/wp\/v2\/media?parent=17"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/inhochoi.com\/index.php\/wp-json\/wp\/v2\/categories?post=17"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/inhochoi.com\/index.php\/wp-json\/wp\/v2\/tags?post=17"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}