BGP From Fortigate To Cisco not changing routing table
From the rough diagram below, I have an issue with an SD-WAN spoke: it has 2 IPsec tunnels as its SD-WAN members, one to DC1, where the LAN sits behind a Cisco switch, and another IPsec tunnel to DC2 with the same setup.
The 2 DC switches swap routes via EIGRP; the hub FortiGates in each DC have eBGP to the switches, where the routes have been redistributed from EIGRP. This is an inherited setup which does need to change!
When I "break" the IPsec to DC1 by disabling the IPsec interface, traffic now correctly goes down the SD-WAN via the DC2 IPsec; I can see this happening, no problem. The issue is that the Cisco switch does not see this at all, and still believes the LAN is behind its eBGP neighbour in DC1.
From the DC2 switch, the route to the LAN on the spoke, 192.168.1.0/24, should now be via the DC2 FortiGate connected to its switch:

       Network          Next Hop         Metric      Weight  Path
    *  192.168.1.0/24   DC2-FORTIGATE                0       65400 ?
    *>                  DC1-SWITCH       25600512    32768   ?
However, the DC2 switch shows the above: the route is there with a weight of 0, and it has picked the best route via DC1, which is no longer reachable, so why is the route there?
I then bring the interface back up, and the routing tables stay the same on the switches; I have to clear ip bgp on the switches to make it all work again.
Hope you guys can offer some help; this is giving me sleepless nights.
Labels: FortiGate
The route is now that way actually, so it's correct; it's just that the switch is advertising it back up.
traceroute to 192.168.1.1 (192.168.1.1), 32 hops max, 3 probe packets per hop, 84 byte packets
1 * 10.99.2.81 0.403 ms 0.382 ms
2 10.99.2.82 0.066 ms 0.040 ms 0.041 ms
3 10.99.2.81 0.522 ms 0.415 ms 0.278 ms
4 10.99.2.82 0.055 ms 0.054 ms 0.056 ms
5 10.99.2.81 0.585 ms 0.484 ms 0.369 ms
6 10.99.2.82 0.074 ms 0.074 ms 0.077 ms
etc.
Yes, we can try this.
Suraj
Not sure the best way to accomplish this! I need it to advertise the spoke routes down to the DC1 switch, but not accept the spoke routes if they are coming UP from the DC1 switch.
Ideally the 192.168.1.0/24 route should not be coming from the switches, so if you just apply a route filter to block this subnet from the switches, I think it can fix the issue.
ref: https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/170065/route-filtering-with-...
Suraj
I will look at this later as I have to pop out. The switches need to know that 192.168.1.0 is on the DC2 side, and the switches need to know it's on the DC1 side when the link is back up, so if I block it on DC1, will the switch at DC1 go the other way as it should?
The filter is applied on the FortiGates to block the route coming from the switch and not the other way, so ideally the switches learning the route from the FGTs shouldn't be an issue.
Suraj
So on the DC1 FortiGate, if I set an access-list to deny 192.168.1.0 255.255.255.0, would I apply this as a distribute-list in or out?
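The following is an added example of the filter discussed in this thread, not configuration from the original poster or from Fortinet's documentation. It applies the access-list inbound (distribute-list-in) on the hub FortiGate's eBGP neighbor for the DC switch, which is the direction the previous replies describe: the FortiGate keeps advertising 192.168.1.0/24 down to the switch, but refuses the same prefix if the switch sends it back up. The neighbor address 10.99.2.82 and the object names are assumptions for illustration; substitute the real peering address of the switch. The same block should be applied on both hub FortiGates, since the loop is symmetrical when the DC2 tunnel is the one that fails.

```fortios
# Added example (not from the thread). Assumed: the DC switch peers from 10.99.2.82.
# Goal: never accept the spoke LAN 192.168.1.0/24 from the switch over eBGP,
# while still advertising it to the switch.

# 1. Access list: deny exactly 192.168.1.0/24, permit everything else.
#    An empty access-list would deny all, so the explicit "permit any" is required.
config router access-list
    edit "deny-spoke-lan-in"
        config rule
            edit 1
                set prefix 192.168.1.0 255.255.255.0
                set exact-match enable
                set action deny
            next
            edit 2
                set prefix any
                set action permit
            next
        end
    next
end

# 2. Apply it INBOUND on the neighbor (distribute-list-in), not outbound.
#    Outbound would stop the switch from learning the route from the FortiGate at all.
config router bgp
    config neighbor
        edit "10.99.2.82"
            set soft-reconfiguration enable
            set distribute-list-in "deny-spoke-lan-in"
        next
    end
end
```

With soft-reconfiguration enabled, `get router info bgp neighbors 10.99.2.82 received-routes` still shows the prefix as received from the switch while `get router info bgp network 192.168.1.0/24` no longer lists that neighbor as a source; `execute router clear bgp ip 10.99.2.82 soft in` re-applies the filter without tearing the session down. Note that the filter only stops the FortiGate from re-learning the prefix; on the switch itself, the copy redistributed from EIGRP is locally originated and carries weight 32768 (the value visible in the table above), so it will beat any eBGP-learned copy with weight 0 for as long as the EIGRP route exists, which is worth checking on the switch after the tunnel comes back up.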