idale
New Member
February 15, 2020
Solved

Configuring BGP Failover Routing Between Two Sites

  • February 15, 2020
  • 1 reply
  • 13052 views

We have two sites, site A and site B. Both sites have a FortiGate firewall. The FortiGate devices ARE NOT configured for high availability, nor will they be.

Both sites have an internet connection provided by the same ISP:

Site A
Fortinet Firewall Public IP: A.A.A.13/30
ISP Gateway Public IP: A.A.A.14/30

Site B
Fortinet Firewall Public IP: B.B.B.16/30
ISP Gateway Public IP: B.B.B.17/30

We have two BGP-published IP address ranges that have been provided by our ISP:

BGP Advertised Public IP Range Q: Q.Q.Q.Q/27
BGP Advertised Public IP Range R: R.R.R.R/27
Local AS: 4294836658
Remote (ISP) AS: 7545
Local and Remote ASN are the same for both sites (single ISP only).

 

Under normal conditions, we need all traffic going to Q.Q.Q.Q/27 to be directed to site A. However, if site A is down, we need all traffic going to Q.Q.Q.Q/27 to be directed to site B.

Likewise, under normal conditions, we need all traffic going to R.R.R.R/27 to be directed to site B. However, if site B is down, we need all traffic going to R.R.R.R/27 to be directed to site A.

I have found a Cisco config that is used to configure the above for a single BGP route, which is:

 

ROUTER A - Primary
================================================================
router bgp 65534
 address-family ipv4
  network 100.64.0.0 mask 255.255.224.0
  neighbor 100.66.10.2 remote-as 100
  neighbor 100.66.10.2 description RouterC
  neighbor 100.66.10.2 prefix-list aggregate out
  neighbor 100.66.10.2 prefix-list default in
  neighbor 100.66.10.2 activate
!
ip prefix-list aggregate permit 100.64.0.0/19
ip prefix-list default permit 0.0.0.0/0
!
ip route 100.64.0.0 255.255.224.0 null0
================================================================

ROUTER B - Backup
================================================================
router bgp 65534
 address-family ipv4
  network 100.64.0.0 mask 255.255.224.0
  neighbor 100.66.10.2 remote-as 100
  neighbor 100.66.10.2 description RouterD
  neighbor 100.66.10.2 prefix-list aggregate out
  neighbor 100.66.10.2 route-map med10-out out
  neighbor 100.66.10.2 prefix-list default in
  neighbor 100.66.10.2 route-map lp-low-in in
  neighbor 100.66.10.2 activate
!
ip prefix-list aggregate permit 100.64.0.0/19
ip prefix-list default permit 0.0.0.0/0
!
ip route 100.64.0.0 255.255.224.0 null0
!
route-map med10-out permit 10
 set metric 10
!
route-map lp-low-in permit 10
 set local-preference 90
!
================================================================


The question I have is how do I do a similar configuration using the Fortigate CLI and how do I extend this configuration for TWO BGP routes.

 

 

    Best answer by lobstercreed



    lobstercreed
    New Member
    February 18, 2020

    Hi Ian,

     

    I think I can help you.  I assume you've already done BGP with this ISP, or at least confirmed they will do BGP with you on /27 routes?  Generally anything smaller than a /24 will not be propagated on the Internet, but assuming your networks are part of a larger subnet advertised by the ISP it shouldn't be a problem.

     

    Let's reverse-engineer what we're going to do here.  First, you're going to have a peer (or BGP neighbor) on each FortiGate, and that code will look something like:

     

    config router bgp
        set as 4294836658
        config neighbor
            edit A.A.A.14
                set remote-as 7545
                set route-map-out "BGProuteQ_Routemap"
            next
        end
    end


    You'll do something similar on the other FortiGate, changing the appropriate parts of course.  The mystery is what is BGProuteQ_Routemap?  That might look something like this on the site A FortiGate:

     

    config router route-map
        edit "BGProuteQ_Routemap"
            config rule
                edit 1
                    set match-ip-address "routeQ_Prefix"
                    set set-metric 10
                next
                edit 2
                    set match-ip-address "routeR_Prefix"
                    set set-metric 20
                next
            end
        next
    end


    And something like this on the site B FortiGate:

     

    config router route-map
        edit "BGProuteR_Routemap"
            config rule
                edit 1
                    set match-ip-address "routeQ_Prefix"
                    set set-metric 20
                next
                edit 2
                    set match-ip-address "routeR_Prefix"
                    set set-metric 10
                next
            end
        next
    end


    Now we need to create the prefixes that we referenced in the route-maps, so that would look like this on both FortiGates:

     

    config router prefix-list
        edit "routeQ_Prefix"
            config rule
                edit 1
                    set prefix Q.Q.Q.Q 255.255.255.224
                    unset ge
                    unset le
                next
            end
        next
        edit "routeR_Prefix"
            config rule
                edit 1
                    set prefix R.R.R.R 255.255.255.224
                    unset ge
                    unset le
                next
            end
        next
    end


    That's pretty much it.  By virtue of the lower MED (that's what we modify with set-metric), the Site A FortiGate will advertise the Q route at a "higher" preference, and Site B will advertise the R route at a "higher" preference with its lower MED.  However, both will have both routes available all the time in the event of a failure.

     

    Hope that helps!  - Daniel Hamilton

    idale (Author)
    New Member
    February 18, 2020

    WOW!!! Thank you very much. I really was not anticipating such a detailed answer but I very much appreciate it.

    Regards,

    Ian

    lobstercreed
    New Member
    February 18, 2020

    No problem!  Forgot to mention a couple details that you may or may not already have covered:

     

    1. You need to have the network configured in BGP, which is done under config router bgp:

       config router bgp
           config network
               edit 1
                   set prefix Q.Q.Q.Q 255.255.255.224
               next
               edit 2
                   set prefix R.R.R.R 255.255.255.224
               next
           end
       end

    2. You also need to have a route in your routing table for each of the above routes.  If you're already learning these routes somehow or statically routing them, that's fine, but odds are you're using the public space for VIP objects and don't really route them, right?  So you can add a static blackhole route just to get them in the routing table.

       config router static
           edit XX (an available number in your static table)
               set dst Q.Q.Q.Q 255.255.255.224
               set blackhole enable
           next
           edit XX (another available number in your static table)
               set dst R.R.R.R 255.255.255.224
               set blackhole enable
           next
       end

    Without both of those elements in place you would find that you were not advertising the routes despite all the good routemap work we did before.  :)
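The pieces spread across the two answers (neighbor, route-map, prefix-lists, "config network" and the blackhole statics) assembled into one per-site configuration. This is an added example, not something posted in the thread or taken from a Fortinet document. It keeps the thread's own placeholders (A.A.A.14, B.B.B.17, Q.Q.Q.Q, R.R.R.R, AS 4294836658 and 7545). Three things are my assumptions: the inbound prefix-list "ISP_default_only", which accepts only a default route from the ISP the way the Cisco config's "prefix-list default in" does; the static-route sequence numbers 101 and 102; and the comment lines, which FortiOS ignores when the script is pasted into the CLI.

```fortios
# Site A FortiGate. A.A.A.*, Q.Q.Q.Q, R.R.R.R and the AS numbers are the thread's
# placeholders; "ISP_default_only" and static entries 101/102 are assumed here.
config router prefix-list
    edit "routeQ_Prefix"
        config rule
            edit 1
                set prefix Q.Q.Q.Q 255.255.255.224
            next
        end
    next
    edit "routeR_Prefix"
        config rule
            edit 1
                set prefix R.R.R.R 255.255.255.224
            next
        end
    next
    # Assumed: accept only a default route from the ISP, like the Cisco "prefix-list default in".
    edit "ISP_default_only"
        config rule
            edit 1
                set prefix 0.0.0.0 0.0.0.0
            next
        end
    next
end
config router route-map
    # Rule 1 sends Q with the better (lower) MED, rule 2 sends R as the backup path.
    # Anything matching neither rule hits the implicit deny and is not advertised.
    edit "BGProuteQ_Routemap"
        config rule
            edit 1
                set match-ip-address "routeQ_Prefix"
                set set-metric 10
            next
            edit 2
                set match-ip-address "routeR_Prefix"
                set set-metric 20
            next
        end
    next
end
config router static
    # Blackhole routes put both /27s in the RIB so "config network" can advertise them.
    edit 101
        set dst Q.Q.Q.Q 255.255.255.224
        set blackhole enable
    next
    edit 102
        set dst R.R.R.R 255.255.255.224
        set blackhole enable
    next
end
config router bgp
    set as 4294836658
    config neighbor
        edit "A.A.A.14"
            set remote-as 7545
            set route-map-out "BGProuteQ_Routemap"
            set prefix-list-in "ISP_default_only"
        next
    end
    config network
        edit 1
            set prefix Q.Q.Q.Q 255.255.255.224
        next
        edit 2
            set prefix R.R.R.R 255.255.255.224
        next
    end
end

# Site B FortiGate: identical prefix-lists, statics and "config network";
# only the neighbor and the route-map differ (MED values swapped).
config router route-map
    edit "BGProuteR_Routemap"
        config rule
            edit 1
                set match-ip-address "routeQ_Prefix"
                set set-metric 20
            next
            edit 2
                set match-ip-address "routeR_Prefix"
                set set-metric 10
            next
        end
    next
end
config router bgp
    set as 4294836658
    config neighbor
        edit "B.B.B.17"
            set remote-as 7545
            set route-map-out "BGProuteR_Routemap"
            set prefix-list-in "ISP_default_only"
        next
    end
end
```

Two checks worth running once the sessions are up: "get router info bgp summary" should show the ISP neighbor in Established state with a prefix count of 1 (the default route, if the ISP sends one), and "get router info bgp neighbors A.A.A.14 advertised-routes" (B.B.B.17 on site B) should list exactly Q.Q.Q.Q/27 and R.R.R.R/27 with the MED values from the route-map; seeing more than those two prefixes means the route-map is not applied outbound. One caveat on the design itself: BGP compares MED only between paths received from the same neighbouring AS, which holds here because both sites peer with AS 7545, but MED is a non-transitive hint and an ISP is free to reset or ignore it, so confirm with the provider that they honour customer MED before relying on it for failover.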