Skip to content
The XG Series hardware appliances will reach end-of-life (EOL) on March 31, 2025. Click here to see the XG to XGS migration documentation.

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/nsg/sophos-firewall/20.0/Help/en-us/webhelp/onlinehelp/index.html?contextId=CLI-BGP-Local-Preference-MED

Configure BGP MED

You can configure the preferred entry path in BGP using the MED (Multi-Exit Discriminator) attribute when an Autonomous System (AS) has more than one entry path.

MED values are propagated to routers in the neighbor AS.

When is MED used

MED is an external attribute that's used when two neighbor AS' have multiple links between them, and the origin AS prefers one link over the others.

By default, routers evaluate MED when they learn two or more routes from the same AS to the same prefix, that is, the destination network. You can change this behavior. Based on MED, they select the entry router into the original AS.

MED is a non-transitive attribute and isn't forwarded to other neighbors. When the receiving AS forwards the route to a different AS, MED is reset to 0.

BGP evaluates MED after it evaluates weight, local preference, the locally originated attribute, the AS path length, and the origin type to reach an AS. It evaluates MED to select the route if all these attributes are equal.

Example scenario

The following example shows how to configure MED so that the router in AS 19 prefers SF-1 for entry into the AS 28 network.

You must use your actual network and neighbor addresses and router IDs based on your network topology. The example uses the following values:

  • AS with two Sophos Firewall devices: 28

    • Network address of AS 28: 2.2.2.0

    • Preferred firewall (SF-1):

      • IP address: 45.45.45.19
      • MED value (metric): 0

    • Second firewall (SF-2)

      • IP address: 28.28.28.28
      • MED value (metric): 400
      • Route map's name: testroute

  • Neighbor AS: 19

    • Router: R3

Diagram of BGP MED.

Key concepts

  • The default MED value is 0.
  • A lower MED value has higher preference. So, you assign a higher value to the route you don't prefer.
  • To assign a value to MED, use the metric command under route-map.

Configure MED

You can configure the MED using the CLI as follows:

  1. Configure a route map with the MED value.
  2. Associate the route map with a neighbor.

Note

You can also use the route map to configure other BGP attributes, such as weight and community.

Configure a route map

You must change the MED value in SF-2 so that neighbors give a lower preference to it.

  1. To enter the BGP configuration mode, enter the following options:

    1. For Route configuration: 3
    2. For Configure unicast routing: 1
    3. For Configure BGP: 3.

  2. Run the following commands:

    1. Enter the global configuration mode: conf t or conf terminal

    2. Create the route map entry: route-map <route map's name> permit <sequence number>

      The firewall reads the route maps in the order they're listed. The sequence number determines the order. If you don't enter a sequence number, the most recent entry is listed at the top of the routing table.

    3. Set the metric: set metric <value>

      Example

      bgp# conf t
bgp(config)# route-map testroute permit 10 
bgp(config-route-map)# set metric 400
bgp(config-route-map)# exit
bgp(config)# sh run

Associate the route map with a neighbor

  1. To associate the route map with the neighbor, run the following commands:

    1. Enter the BGP configuration: router bgp
    2. Enter the IPv4 address family mode: address-family ipv4 unicast
    3. Associate the route map with the neighbor: neighbor <ip address> route-map <route map's name> out
    4. Save all the configurations you've made in this example: write

    5. End the configuration: end

      Example

      bgp(config)# router bgp 
bgp(config-router)# address-family ipv4 unicast 
bgp(config-router-af)# neighbor 45.45.45.19 route-map testroute out
bgp(config-router-af)# write
bgp(config-router-af)# end

  2. To see the BGP configuration: show running-config

    Output of the metric configuration.

  3. To verify the preferred route in the neighbor's routing table, run the following command:

    sh ip bgp

    The angle icon indicates the preferred route to the network.

    BGP routing table with the metric.

Note

If Sophos Firewall is the neighbor, you can also see the routing table on the web admin console on Routing > Information. Under BGP-IPv4, click Routing.