Description: This article describes a scenario where an attempt is being made to steer internet traffic using SD-WAN rules when a mix of static and dynamic default routes is in use.
Scope: FortiGate.
Solution:
In some network topologies, a FortiGate is set up with more than one default route for redundancy: one internet link receives its default route through dynamic routing, while the other uses a static default route. In cases like these, it becomes challenging to utilize both ISP links. In this example, BGP is already configured and is receiving a default route from the neighbor.
# config router static
        set gateway 10.21.137.1
        set distance 20      <-- Same AD as EBGP
        set device "port1"
    next
end
BGP receiving default route:
# get router info bgp neighbors 10.10.50.2 received-routes
VRF 0 BGP table version is 4, local router ID is 10.21.137.214
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop         Metric LocPrf Weight RouteTag Path
*> 0.0.0.0/0        10.10.50.2            0             0          6502 6501 6500 ?
The active routing table only shows the static route but no BGP default route:
# get router info routing-table details
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       V - BGP VPNv4
       * - candidate default

Routing table for VRF=0
S*      0.0.0.0/0 [20/0] via 10.21.137.1, port1, [1/0]
C       10.10.50.0/24 is directly connected, port2
C       10.10.60.0/24 is directly connected, port3
C       10.21.137.0/24 is directly connected, port1
The solution is to remove the current static default route 0.0.0.0/0 and instead add two static routes that together cover the whole address space but have a different prefix length: 0.0.0.0/1 and 128.0.0.0/1. Because the static and dynamic default routes no longer share the same prefix length, the 0.0.0.0/0 route pushed by the BGP peer is added to the active routing table alongside them.
# config router static
    edit 1
        set dst 128.0.0.0 128.0.0.0
        set gateway 10.21.137.1
        set distance 20
        set device "port1"
    next
    edit 2
        set dst 0.0.0.0 128.0.0.0
        set gateway 10.21.137.1
        set distance 20
        set device "port1"
    next
        set status disable   <-- Default static route for 0.0.0.0/0 is disabled
        set gateway 10.21.137.1
        set distance 20
        set device "port1"
    next
Note: Either disable the route for 0.0.0.0/0 or delete it, but maintain local or independent access to FortiGate to avoid being locked out from the device.
# get router info routing-table details
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       V - BGP VPNv4
       * - candidate default

Routing table for VRF=0
B*      0.0.0.0/0 [20/0] via 10.10.50.2 (recursive is directly connected, port2), 04:16:21, [1/0]
C       10.10.50.0/24 is directly connected, port2
C       10.10.60.0/24 is directly connected, port3
C       10.21.137.0/24 is directly connected, port1
S       128.0.0.0/1 [20/0] via 10.21.137.1, port1, [1/0]
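The two routing-table outputs above can be reproduced with a small model of route selection. The following is an added example and not Fortinet code: it installs one best route per distinct prefix, applies longest-prefix match, and lists which interfaces hold a route covering a destination, which is what lets an SD-WAN rule choose either ISP. The addresses, interface names and distances come from this article; the tie-break at equal administrative distance (static preferred over BGP) is an assumption chosen to reproduce the first routing table on the page, not something taken from FortiOS documentation.

```python
"""Model of the default-route behaviour described in the article (added example).

Assumptions: at equal administrative distance a static route is preferred over
a BGP route (this reproduces the page's first routing table, where S* 0.0.0.0/0
is installed and the BGP 0.0.0.0/0 is not); connected routes are omitted.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Lower value wins when two sources offer the same prefix at the same distance.
# Assumed ordering, not a documented FortiOS rule.
SOURCE_PREFERENCE = {"S": 0, "B": 1}

ISP_STATIC_GW = IPv4Address("10.21.137.1")  # static ISP gateway on port1 (article)
ISP_BGP_GW = IPv4Address("10.10.50.2")      # BGP neighbour on port2 (article)


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    gateway: IPv4Address
    device: str
    distance: int
    source: str          # "S" static, "B" BGP
    enabled: bool = True


def build_rib(candidates):
    """Active routing table: one best route per distinct prefix.

    Disabled routes never compete; lower distance wins; at equal distance the
    assumed SOURCE_PREFERENCE decides.
    """
    best = {}
    for r in candidates:
        if not r.enabled:
            continue
        cur = best.get(r.prefix)
        if cur is None or (r.distance, SOURCE_PREFERENCE[r.source]) < (
            cur.distance, SOURCE_PREFERENCE[cur.source]
        ):
            best[r.prefix] = r
    return list(best.values())


def lookup(rib, dst):
    """Longest-prefix match for a destination address (None if no route)."""
    dst = IPv4Address(dst)
    matches = [r for r in rib if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def egress_options(rib, dst):
    """Interfaces an SD-WAN rule could steer dst through: every active route that
    covers the destination, not only the longest match."""
    dst = IPv4Address(dst)
    return sorted({r.device for r in rib if dst in r.prefix})


BGP_DEFAULT = Route(IPv4Network("0.0.0.0/0"), ISP_BGP_GW, "port2", 20, "B")


def before_scenario():
    """Static 0.0.0.0/0 with distance 20 competing with the EBGP default."""
    return [
        Route(IPv4Network("0.0.0.0/0"), ISP_STATIC_GW, "port1", 20, "S"),
        BGP_DEFAULT,
    ]


def after_scenario():
    """The article's fix: two /1 static routes, original /0 static disabled."""
    return [
        Route(IPv4Network("128.0.0.0/1"), ISP_STATIC_GW, "port1", 20, "S"),
        Route(IPv4Network("0.0.0.0/1"), ISP_STATIC_GW, "port1", 20, "S"),
        Route(IPv4Network("0.0.0.0/0"), ISP_STATIC_GW, "port1", 20, "S", enabled=False),
        BGP_DEFAULT,
    ]


if __name__ == "__main__":
    for name, cands in (("static /0 + BGP /0", before_scenario()),
                        ("static /1s + BGP /0", after_scenario())):
        rib = build_rib(cands)
        print(name)
        for r in sorted(rib, key=lambda r: r.prefix.prefixlen):
            print(f"  {r.source} {r.prefix} via {r.gateway}, {r.device}")
        print("  8.8.8.8 egress options:", egress_options(rib, "8.8.8.8"))
```

With the original configuration only port1 is a possible egress for 8.8.8.8, so a rule pointing at the BGP ISP has no route to use; after the change both port1 (via the 0.0.0.0/1 static route, the longest match) and port2 (via the BGP 0.0.0.0/0) are available.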
Now, SD-WAN rules can be used to steer the traffic for PC1 through the BGP ISP and the traffic for PC2 through the static-route ISP.

Results verification: the packet capture shows that traffic from 10.10.60.3 (PC1) is going out through Port1 (BGP) and traffic from 10.10.60.6 (PC2) is going via Port2 (Static). Source NAT is applied on egress, so a different source IP is seen once the traffic leaves the interface.
# dia sniffer packet any "host 8.8.8.8 and icmp" 4 0 l
Copyright 2024 Fortinet, Inc. All Rights Reserved.