Skip to main content
scheuri
scheuri
Explorer III
October 26, 2023
Question

Routing (BGP) of location with two active VPNs to hubs that exchange routing info

  • October 26, 2023
  • 2 replies
  • 2326 views

Hi all

 

This might be an odd question and I might just be too dense to see the solution. It is not excactly a Fortinet specific question (its about BGP, routing) - however, since it is realised with Fortigates, I thought I might ask here as well

 

The situation is as follows:

  • I have >20 locations in a country which has two "country" hubs.

  • Every location has an active ipsec tunnel to each of the hubs (meaning: two active vpn connections)

  • One tunnel will be considered "primary" handling all the traffic, the other will considered "seconday" and should only handle traffic when the primary is down.

  • The choice of primary and secondary tunnel or hub is made on location basis (meaning both hubs have primary and secondary connections)

  • With every ipsec tunnel they propagate their network to the hub(s).

  • So every hub has the information of each connected location

  • The hubs are also connected with each other

  • The hubs act as route reflector

  • The hubs also have connections to other countries and propagate the learned networks from the locations to those countries (and vice versa).

Now - how can I make sure that the traffic only goes via the primary ipsec tunnel (unless down and the secondary takes over) when everyone learns every route/network via both tunnels?
How can I avoide an asynchrounous routing? (I guess that will happen at some point if I do nothing).

 

Thanks a lot for your input

2 replies

Stephan_s
Stephan_s
Visitor III
October 26, 2023

Hi,

could this maybe be done by using administrative distance?

best

stephan

Toshi_Esumi
SuperUser
Toshi_Esumi
SuperUser
October 26, 2023

No. Admin distances are per protocol. like eBGP=20, iBGP=200, etc.
There are two directions you have to take care of. Most commonly used methods are below:

- For hub-advertised routes, you can set different local-preferences per neighbor (two hubs) so that the remote router(FGT) prefers the primary path.

- For remote-router-advertised routes, you need to set a metric that can be passed to neighbors per neighbor so that two hubs can negotiate/exchange info which route to take to get to the remote router. The most common metric for this purpose is community. So like community=1 for primary and community=2 for secondary when the remote advertises.
Then both hubs set local-preferences based on the community attached to each route to prefer community 1 routes.

This is not unique to FGTs. So you can find many materials on-line or books how to use community in BGP available.

Toshi

    scheuri
    scheuriAuthor
    Explorer III
    October 30, 2023

    Thank you very much for your reply. I will look into communities and preferences for said communities. Much appreciated.

    Terms & ConditionsAccessibility statement