Skip to main content
dpsguard
dpsguard
New Member
December 9, 2017
Question

MPLS and Internet on Active Passive Cluster

  • December 9, 2017
  • 1 reply
  • 6650 views

Hello All,

 

I have an interesting requirement wherein we are planning for 7 or 8 mid size FGTs. Two of these will be at headquarters which will have 2 Internet circuits (same ISP) and two MPLS circuits (again same provider). Most remote sites will not have any firewall, just a simple VLAN Layer 2 switch with one MPLS router from SP, which will act as gateway for the site VLANs. 

 

SP will run BGP over MPLS and we can run BGP at headquarter firewalls with the two MPLS routers. The requirement is for the remote sites to send Internet bound traffic so that it arrives at main site over one MPLS router and all other (to main site subnets) to use second MPLS router.

 

I can announce default route from the firewall cluster to the two MPLS router via BGP and based on this default in the routing table, the MPLS routers can then further advertize default route (MPLS1 will push prefix 0.0.0.0, MPLS2 with as path prepend to make it backup, should MPLS1 go down).

 

Similarly I need to advertize private prefixes to MPLS2 as preferred and to MPLS1 as backup, maybe using MED etc on the FGTs.

 

This will make the other sites MPLS routers to send Internet bound traffic thru MPLS1 router at main site and all other thru MPLS2 router there.

 

I am not sure as to how to channel the returning traffic back out the same path as it came in as the routes leaned by the two firewalls in cluster will be same prefixes from both MPLS routers, so they could send the traffic either way.

 

Is there a way to route-map such that if traffic is between the private source to private destination, then next hop is MPLS2 and else MPLS1? Further if MPLS1 or two is down, then all traffic should go thru the single available MPLS.

 

if need be, I can consider both firewalls to be independent and run BGP with one MPLS router each. And then suitably some HA or health monitoring between the two firewalls to check if the second firewall interface is down (IPSLA / link monitoring shutting down LAN interface, thus blocking any routes from that firewall to the MPLS, for then routes form the second firewall will be used for both default and private prefixes.

 

Thanks

    1 reply

    dpsguard
    dpsguardAuthor
    New Member
    December 20, 2017

    Hello everyone,

     

    Am I asking too hard of questions here? None of my post has been answered in over two weeks now. Can someone please advise me on this?

     

    Thanks

    blackhole_route
    blackhole_route
    New Member
    December 21, 2017

    It's not clear from your description, but it sounds like there are local networks that when the remote MPLS sites would communicate with those networks, the traffic would traverse the Fortigate. Assuming that's the case, I see the dilemna and don't believe it's able to be resolved by BGP since ultimately, there will be _a_ route installed as the active route in the routing table on the Fortigate.

     

    I think the knob you are looking for is policy based routing found int the config router policy stanza. This would allow you to write policy based routes along the lines of - from rfc1918 addressing to rfc1918 addressing, use this next-hop gateway and interface. The only question I would have is what the behavior is if the PBR next hop gateway is unreachable. But you could test and verify that behavior.

     

    Hope this helps.

    dpsguard
    dpsguardAuthor
    New Member
    December 21, 2017

    Thanks for good reply. I had looked into this, but have now decided to use two firewalls as VRRP peers and thus run independently BGP from each to the MPLS circuits. That gives me flexibility to advertize to SP the default route with different degree of preferences by using AS path pending and similarly for the main office subnets advertizements. Also traffic coming from branches, into one firewall will then go back the same firewall.

     

    if I can understand as to how to use new features of VRDST tracking out thru another interface using next hop IPs to influence VRRP switchover and use VRGRP groups to signal changes to shutdown all member interfaces, then I think I will have good handle on making the solution as simple as if I was using traditional Cisco IPSLA, VRRP interface tracking and BGP conditional advertising etc,. Fortigate is great product. They have lots of videos and cookbooks, but nothing showing really complex and even CLI guides don't explain many of the things as to how to really use many of these features.

     

    Terms & ConditionsAccessibility statement