Topology:


Cisco Configurations (EIGRP).
CIS22:
interface GigabitEthernet1
 description MANAGEMENT
 ip address 192.168.175.3 255.255.255.0
!
interface GigabitEthernet2
 description LAN
 ip address 10.2.0.254 255.255.255.0
!
interface GigabitEthernet3
 description CORE
 ip address 192.168.1.22 255.255.255.0
!
interface GigabitEthernet4
 description FORTIGATE
 ip address 192.168.2.22 255.255.255.0
!
router eigrp 10
 distribute-list 7 in GigabitEthernet3
 network 10.2.0.0 0.0.0.255
 network 192.168.1.0 0.0.0.255
 redistribute bgp 65700 metric 100 1 255 1 1500
!
router bgp 65700
 bgp log-neighbor-changes
 neighbor 192.168.2.1 remote-as 65400
 !
 address-family ipv4
  network 10.2.0.0 mask 255.255.255.0
  redistribute eigrp 10
  neighbor 192.168.2.1 activate
 exit-address-family
!
ip access-list standard 7
 10 deny 10.110.0.0 0.0.0.255
 20 permit any
!
CIS33:
interface GigabitEthernet1
 description MANAGEMENT
 ip address 192.168.175.4 255.255.255.0
!
interface GigabitEthernet2
 description LAN
 ip address 10.3.0.254 255.255.255.0
!
interface GigabitEthernet3
 description CORE
 ip address 192.168.1.33 255.255.255.0
!
interface GigabitEthernet4
 description FORTIGATE
 ip address 192.168.3.33 255.255.255.0
!
router eigrp 10
 distribute-list 7 in GigabitEthernet3
 network 10.3.0.0 0.0.0.255
 network 192.168.1.0 0.0.0.255
 redistribute bgp 65700 metric 50 1 255 1 1500
!
router bgp 65700
 bgp log-neighbor-changes
 neighbor 192.168.3.3 remote-as 65400
 neighbor 192.168.3.3 version 4
 !
 address-family ipv4
  network 10.3.0.0 mask 255.255.255.0
  redistribute eigrp 10
  neighbor 192.168.3.3 activate
 exit-address-family
!
ip access-list standard 7
 10 deny 10.110.0.0 0.0.0.255
 20 permit any
!
CIS44:
interface GigabitEthernet1
 description MANAGEMENT
 ip address 192.168.175.2 255.255.255.0
!
interface GigabitEthernet2
 description LAN
 ip address 10.4.0.254 255.255.255.0
!
interface GigabitEthernet3
 description CORE
 ip address 192.168.1.44 255.255.255.0
!
router eigrp 10
 network 10.4.0.0 0.0.0.255
 network 192.168.1.0 0.0.0.255
!
FortiGate Configurations (BGP).
HUB1-A:
- Configure SD-WAN self-healing with BGP. The spokes tag the routes they advertise with BGP community values that indicate whether each overlay is in or out of SLA; route-map rules on the hub match those communities and apply a priority to the BGP routes, so the hub prefers the path the spoke has marked as healthy.
- Create Community Lists. Community Lists provide a way to tag routes with certain attributes, allowing for more granular control over the routing policies.
config router community-list
    edit "COMM-65400:1"
        config rule
            edit 1
                set action permit
                set match "65400:1"
            next
        end
    next
    edit "COMM-65400:2"
        config rule
            edit 1
                set action permit
                set match "65400:2"
            next
        end
    next
    edit "COMM-65400:999"
        config rule
            edit 1
                set action permit
                set match "65400:999"
            next
        end
    next
end
- Create Route Maps:
config router route-map
    edit "ASPATH-INET1"
        config rule
            edit 1
                set set-ip-nexthop 10.10.1.1 <----- All routes distributed by iBGP will have the next hop 10.10.1.1.
            next
        end
    next
    edit "ASPATH-INET2"
        config rule
            edit 1
                set set-ip-nexthop 10.10.2.1 <----- All routes distributed by iBGP will have the next hop 10.10.2.1.
            next
        end
    next
    edit "OVERLAY-1-IN" <----- Set the priority for routes matching the community lists, which indicate whether they are in or out of SLA.
        config rule
            edit 1
                set match-community "COMM-65400:1" <----- In SLA for overlay 1.
                set set-priority 100
            next
            edit 2
                set match-community "COMM-65400:2" <----- In SLA for overlay 2.
                set set-priority 200
            next
            edit 3
                set match-community "COMM-65400:999" <----- Out of SLA.
                set set-priority 5000
            next
        end
    next
end
- Configure BGP:
config router bgp
    set as 65400
    set keepalive-timer 3 <----- Speeds up BGP convergence (default 60).
    set holdtime-timer 15 <----- Speeds up BGP convergence (default 180).
    set ibgp-multipath enable
    set additional-path enable
    set additional-path-select 2
    config neighbor
        edit "10.10.1.3"
            set advertisement-interval 1
            set link-down-failover enable <----- Brings down the peering immediately after the interface it uses goes down, which accelerates failover.
            set soft-reconfiguration enable
            set as-override enable
            set interface "VPN-INET-1"
            set remote-as 65400
            set route-map-in "OVERLAY-1-IN" <----- If overlay 1 from the spoke is in SLA, set priority 100 on the BGP routes in the hub over overlay 1.
            set route-map-out "ASPATH-INET1"
            set update-source "VPN-INET-1"
            set additional-path send
            set adv-additional-path 3
            set route-reflector-client enable
        next
        edit "10.10.2.3"
            set advertisement-interval 1
            set link-down-failover enable
            set soft-reconfiguration enable
            set as-override enable
            set interface "VPN-INET-2"
            set remote-as 65400
            set route-map-in "OVERLAY-1-IN" <----- If overlay 2 from the spoke is in SLA, set priority 200 on the BGP routes in the hub over overlay 2.
            set route-map-out "ASPATH-INET2"
            set update-source "VPN-INET-2"
            set additional-path send
            set adv-additional-path 3
            set route-reflector-client enable
        next
        edit "192.168.2.22" <----- eBGP configuration (peer is CIS22).
            set next-hop-self enable
            set soft-reconfiguration enable
            set interface "port4"
            set remote-as 65700
            set send-community disable
            set update-source "port4"
        next
    end
    config network
        edit 2
            set prefix 192.168.2.0 255.255.255.0
        next
        edit 3
            set prefix 10.4.0.0 255.255.255.0
        next
        edit 4
            set prefix 10.2.0.0 255.255.255.0
        next
        edit 5
            set prefix 10.3.0.0 255.255.255.0
        next
    end
end
HUB2-A (only one overlay; BGP self-healing is not configured).
- Create Route Maps:
config router route-map
    edit "ASPATH"
        config rule
            edit 1
                set set-ip-nexthop 10.20.1.1
            next
        end
    next
end
- Create BGP configuration:
config router bgp
    set as 65400
    set keepalive-timer 5
    set holdtime-timer 15
    set ibgp-multipath enable
    set enforce-first-as disable
    set additional-path enable
    set additional-path-select 3
    config neighbor
        edit "10.20.1.3"
            set advertisement-interval 1
            set link-down-failover enable
            set soft-reconfiguration enable
            set interface "VPN-INET-1"
            set remote-as 65400
            set route-map-out "ASPATH"
            set update-source "VPN-INET-1"
            set additional-path send
            set adv-additional-path 3
            set route-reflector-client enable
        next
        edit "192.168.3.33"
            set next-hop-self enable
            set soft-reconfiguration enable
            set interface "port3"
            set remote-as 65700
            set send-community6 disable
            set update-source "port3"
        next
    end
    config network
        edit 1
            set prefix 192.168.3.0 255.255.255.0
        next
        edit 2
            set prefix 10.2.0.0 255.255.255.0
        next
        edit 3
            set prefix 10.3.0.0 255.255.255.0
        next
        edit 4
            set prefix 10.4.0.0 255.255.255.0
        next
    end
end
SPOKE1.
- Create Router Access List:
config router access-list
    edit "LAN-SPOKE1"
        config rule
            edit 1
                set prefix 10.110.0.0 255.255.255.0
            next
        end
    next
end
- Create Route Maps:
config router route-map
    edit "OVERLAY-H1_1"
        config rule
            edit 1
                set match-ip-address "LAN-SPOKE1"
                set set-community "65400:1"
            next
        end
    next
    edit "OVERLAY-H1_2"
        config rule
            edit 1
                set match-ip-address "LAN-SPOKE1"
                set set-community "65400:2"
            next
        end
    next
    edit "OVERLAY-H2_1"
        config rule
            edit 1
                set match-ip-address "LAN-SPOKE1"
                set set-community "65400:3"
            next
        end
    next
    edit "OVERLAY-NO_SLA"
        config rule
            edit 1
                set match-ip-address "LAN-SPOKE1"
                set set-community "65400:999"
            next
        end
    next
end
- Create BGP configuration:
config router bgp
    set as 65400
    set keepalive-timer 5
    set holdtime-timer 15
    set ibgp-multipath enable
    set additional-path enable
    set additional-path-select 3
    config neighbor
        edit "10.10.1.1"
            set advertisement-interval 1
            set link-down-failover enable
            set soft-reconfiguration enable
            set interface "HUB1-INET-1"
            set remote-as 65400
            set route-map-out "OVERLAY-NO_SLA" <----- When the SLA check fails, routes are advertised with this default route-map.
            set route-map-out-preferable "OVERLAY-H1_1" <----- Route-map OVERLAY-H1_1 is used for this neighbor while the SLA is met: routes advertised to HUB1 over overlay 1.
            set connect-timer 1
            set update-source "HUB1-INET-1"
            set additional-path receive
        next
        edit "10.10.2.1"
            set advertisement-interval 1
            set link-down-failover enable
            set soft-reconfiguration enable
            set interface "HUB1-INET-2"
            set remote-as 65400
            set route-map-out "OVERLAY-NO_SLA" <----- When the SLA check fails, routes are advertised with this default route-map.
            set route-map-out-preferable "OVERLAY-H1_2" <----- Route-map OVERLAY-H1_2 is used for this neighbor while the SLA is met: routes advertised to HUB1 over overlay 2.
            set connect-timer 1
            set update-source "HUB1-INET-2"
            set additional-path receive
        next
        edit "10.20.1.1"
            set advertisement-interval 1
            set link-down-failover enable
            set soft-reconfiguration enable
            set interface "HUB2-INET-1"
            set remote-as 65400
            set route-map-out "OVERLAY-NO_SLA" <----- When the SLA check fails, routes are advertised with this default route-map.
            set route-map-out-preferable "OVERLAY-H2_1" <----- Route-map OVERLAY-H2_1 is used for this neighbor while the SLA is met: routes advertised to HUB2 over overlay 1.
            set connect-timer 1
            set update-source "HUB2-INET-1"
            set additional-path receive
        next
    end
    config network
        edit 1
            set prefix 10.110.0.0 255.255.255.0
        next
    end
end
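The following is an added model of the self-healing exchange between SPOKE1 and HUB1-A; it is example code written for this page, not FortiOS code or anything from the original article. The community values, route-map rules and priorities come from the configuration above; the data structures, the "first rule wins / no match means not permitted" handling and the tie-break are assumptions of the model.

```python
from dataclasses import dataclass
from typing import Optional

# Spoke side (SPOKE1): the community depends on which route-map applies.
# route-map-out-preferable is used while the overlay's SLA is met,
# route-map-out (OVERLAY-NO_SLA) otherwise. Values taken from the page.
SPOKE_PREFERABLE = {"HUB1-INET-1": "65400:1", "HUB1-INET-2": "65400:2"}
SPOKE_NO_SLA = "65400:999"

# Hub side (HUB1-A): route-map OVERLAY-1-IN, rules in order, first match wins.
OVERLAY_1_IN = [("65400:1", 100), ("65400:2", 200), ("65400:999", 5000)]

@dataclass(frozen=True)
class Path:
    prefix: str
    overlay: str
    community: str
    priority: int = 0

def spoke_advertise(prefix: str, overlay: str, sla_ok: bool) -> Path:
    """Tag the LAN prefix the way SPOKE1's route-maps do for one overlay."""
    community = SPOKE_PREFERABLE[overlay] if sla_ok else SPOKE_NO_SLA
    return Path(prefix, overlay, community)

def hub_apply_route_map(path: Path) -> Optional[Path]:
    """Apply OVERLAY-1-IN: map the community to a priority, first rule wins."""
    for community, priority in OVERLAY_1_IN:
        if path.community == community:
            return Path(path.prefix, path.overlay, path.community, priority)
    return None  # no rule matched: treated as not permitted (assumption)

def hub_best_path(paths) -> Optional[Path]:
    """With additional-path both overlays stay installed; lowest priority wins.
    Ties keep the first path received (assumption of this model)."""
    installed = [p for p in map(hub_apply_route_map, paths) if p is not None]
    return min(installed, key=lambda p: p.priority) if installed else None

def simulate(sla_overlay1: bool, sla_overlay2: bool, prefix="10.110.0.0/24"):
    """Return (overlay, priority) that HUB1-A prefers for the given SLA states."""
    adverts = [spoke_advertise(prefix, "HUB1-INET-1", sla_overlay1),
               spoke_advertise(prefix, "HUB1-INET-2", sla_overlay2)]
    best = hub_best_path(adverts)
    return (best.overlay, best.priority) if best else None
```

Flipping the SLA flags shows the healing behaviour: when overlay 1 falls out of SLA its route arrives tagged 65400:999 and gets priority 5000, so the hub moves to overlay 2 (priority 200) without any change to the hub configuration.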
Routing Tables:

Resilience and Speeding Up Convergence.
To speed up convergence of the dynamic routing protocols, tune the following settings:
- VPN IPsec. Tune the DPD configuration:
config vpn ipsec phase1-interface
    edit <tunnel_name>
        set dpd on-idle <----- Trigger Dead Peer Detection when no IPsec traffic is received.
        set dpd-retrycount 2 <----- Number of DPD attempts before the peer is declared dead.
        set dpd-retryinterval 10 <----- Interval in seconds between DPD attempts.
        set keepalive <----- Time interval in seconds between keepalive messages.
        set lifetime 3600 <----- Lifetime of phase 1 in seconds.
    next
end
!
config vpn ipsec phase2-interface
    edit <tunnel_name>
        set lifetime 1800 <----- Lifetime of phase 2 in seconds.
    next
end
- BGP. Tune the BGP configuration:
config router bgp
    set keepalive-timer 5 <----- Keepalive timer interval in seconds.
    set holdtime-timer 15 <----- Number of seconds without a keepalive before the peer is marked as dead.
    config neighbor
        edit 10.10.10.1
            set advertisement-interval 1 <----- Minimum interval (seconds) between sending updates.
            set connect-timer 1 <----- How long in seconds the FortiGate tries to reach this neighbor before declaring it offline.
            set link-down-failover enable <----- Bring down this BGP neighborship as soon as the VPN tunnel goes down.
        next
    end
end