Hi,
Migrating from static routing to BGP and adding a second MPLS, and I've only used RIP.
So when the primary WWW & WAN were to fail, we'd fail over to the secondary WWW & WAN. We don't have control over the primary and secondary routers, just our FortiGates, and have been provided BGP details.
BGP detail is below and I'm looking for guidance on getting this BGP info (also prepending) configured in our 300D (active-passive) 6.2.5.
WWW VLANs are in SD-WAN.

Primary WAN/WWW
  WAN Pri Vlan v820
    Remote IP x.x.x.66/31
    remote AS 420000053
    Our IP x.x.x.67/31
    Our AS 420000207
    No prepending
  WWW Pri Vlan 810
    Remote IP x.x.x.8/31
    remote AS 420000051
    Our IP x.x.x.9/31
    Our AS 420000208
    No prepending

Secondary WAN/WWW
  WAN Sec Vlan 821
    Remote IP x.x.x.60/31
    remote AS 420000053
    Our IP x.x.x.61/31
    Our AS 420000207
    Prepend x2
  WWW Sec Vlan 811
    Remote IP x.x.x.2/31
    remote AS 420000053
    Our IP x.x.x.3/31
    Our AS 420000208
    Prepend x2
Thanks,
Hi
We will be advertised only the default route from our ISP via two public-facing interfaces, Primary_ISP_WWW (vlan 810) & Secondary_ISP_WWW (vlan 811).
We will receive all our WAN-interconnected site routes via the two WAN interfaces, Primary_ISP_WAN (vlan 820) & Secondary_ISP_WAN (vlan 821).
As for the two local AS numbers, from reading I figured I could do the below? From our testing all neighbors show active.
In the config below I have one AS ("set as 420002028") set globally.
The other local AS is applied to the neighbor ("set local-as 4200002027" & "set local-as-replace-as enable").
To accept only the default route in 1):
config router prefix-list
    edit "DEFAULT_ROUTE"
        config rule
            edit 1
                set prefix 0.0.0.0 0.0.0.0
                unset ge
                unset le
            next
        end
    next
end

config router route-map
    edit "Secondary_ISP_WWW"
        config rule
            edit 1
                set set-aspath "4200002028 4200002028 4200002028"
                set match-ip-address "DEFAULT_ROUTE"
            next
        end
    next
end

config router route-map
    edit "Secondary_ISP_WAN"
        config rule
            edit 1
                set set-aspath "4200002027 4200002027 4200002027"
            next
        end
    next
end
Route-map that sets higher local preference for prefixes received from Primary ISP:
config router route-map
    edit "Primary_ISP_WWW"
        config rule
            edit 1
                set set-local-preference 200
                set match-ip-address "DEFAULT_ROUTE"
                set set-aspath "4200002028"
            next
        end
    next
end

config router route-map
    edit "Primary_ISP_WAN"
        config rule
            edit 1
                set set-local-preference 200
                set set-aspath "4200002027"
            next
        end
    next
end
The route-maps are applied to both BGP neighbors:
config router bgp
    config neighbor
        edit "x.x.x.66"
            set remote-as 4200000533
            set local-as 4200002027
            set local-as-replace-as enable
            set route-map-in "Primary_ISP_WAN"
        next
        edit "x.x.x.60"
            set remote-as 4200000533
            set local-as 4200002027
            set local-as-replace-as enable
            set route-map-out "Secondary_ISP_WAN"
        next
    end
end

config router bgp
    set as 4200002028
    config neighbor
        edit "x.x.x.8"
            set remote-as 4200000531
            set route-map-in "Primary_ISP_WWW"
        next
        edit "x.x.x.2"
            set remote-as 4200000531
            set route-map-out "Secondary_ISP_WWW"
        next
    end
end

config router bgp
    config network
        edit 1
            set prefix 201.x.x.24 255.255.255.248
        next
        edit 2
            set prefix 201.x.x.192 255.255.255.248
        next
        edit 3
            set prefix 201.x.x.16 255.255.255.248
        next
        edit 4
            set prefix 101.x.x.224 255.255.255.240
        next
    end
end

config router bgp
    set network-import-check disable
end
You're still making this way harder. Here's what I do, if I understand your layout:

config router prefix-list
    edit "ALLOWDEFAULT"
        config rule
            edit 1
                set action permit
                set prefix 0.0.0.0/0
                unset ge
                unset le
            next
        end
    next
end

config router route-map
    edit "ISP"
        config rule
            edit 1
                set match-ip-address "ALLOWDEFAULT"
            next
            edit 1000
                set action deny
            next
        end
    next
end

# apply that ISP route-map to both bgp-peers that connect to the internal backbone, which I believe are the vlan810/820 peers
config router bgp
    set as 4200002027
    config neighbor
        edit "x.x.x.x"
            set remote-as XYZ
            set route-map-in "ISP"
        next
        edit "y.y.y.y"
            set remote-as ABC
            set route-map-in "ISP"
        next
    end
end

If your ISP is only sending a default (which you can ask for), then you do NOT even need a route-map, IMHO. You're going to have a hard time importing a full BGP table in a FortiGate of this size, so don't even ask for a full view.

Moving on to what I think is part B: what are "Secondary WAN/WWW", or better yet, how many ISPs do you actually have, 2 or 4? What is your actual ASN? Do you even have an ASN? The numbers in your cfg are not even true ASNs, and I never heard of an outfit being assigned 2 ASNs, but some big orgs do get ASNs from ARIN and RIPE, though that is rare, not the typical norm, and not needed. Your design really makes no sense for what you have or are trying to do. Also, you don't AS-path prepend on inbound advertisements.

I would suggest reading up on BGP routing by starting at "https://www.bgp.us/"; they walk you through BGP routing and such. I would drop all of the complexity and 1st set up your ISP BGP peers that connect to the internet 1st; get SD-WAN if your goal is SD-WAN, with two members. Once you have set that up, then proceed to build on top of that. If you need to set up a route-map to control route distribution out, repeat what was done earlier in my example: draft a prefix-list and apply that in a route-map.

Ken Felix
PCNSE
NSE
StrongSwan
trixsta wrote:
If I add this config to the above, would this advertise the required below routes to my ISP?

get | grep network-import-check
network-import-check: enable

config router bgp
    config network
        edit 1
            set prefix 201.x.x.24 255.255.255.248
        next
        edit 2
            set prefix 201.x.x.192 255.255.255.248
        next
        edit 3
            set prefix 201.x.x.16 255.255.255.248
        next
        edit 4
            set prefix 101.x.x.224 255.255.255.240
        next
    end
end

This was mentioned that it's required to be disabled to advertise the routes, as they don't have a connected interface.

config router bgp
    set network-import-check disable
end
Yes it would. Usually it is done via adding those to-be-advertised prefixes as a blackhole route, but the tweak you found also works.
BTW - you cannot have different AS numbers/processes on a single Fortigate. Recently they added support for BGP inside VRF (6.4) but even there I don't see option of different local AS. In your plain vanilla multi-home peering it is not needed anyway.
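Pulling the thread's pieces together as an added example (not anything posted in the thread): a small Python generator that turns the ISP hand-off table into a single-global-AS FortiOS BGP config, putting the prepend on the outbound route-map of the secondary peers only and filtering the WWW peers inbound to the default route with prefix-list-in instead of a route-map match. The Peer class, the `_OUT` route-map naming, the 198.51.100.x placeholder addresses and the `is_private_asn` check are assumptions of this example.

```python
from dataclasses import dataclass

# RFC 6996 private 32-bit ASN range, for sanity-checking what the ISP hands over.
PRIVATE_ASN32 = range(4200000000, 4294967295)

@dataclass
class Peer:
    name: str           # role label, e.g. "Secondary_ISP_WWW"; names the route-map
    remote_ip: str      # ISP side of the /31 hand-off
    remote_as: int
    default_only: bool  # WWW peers: accept only 0.0.0.0/0 inbound
    prepend: int        # extra copies of our AS to prepend on advertisements out

def is_private_asn(asn: int) -> bool:
    return asn in PRIVATE_ASN32

def render_bgp(local_as: int, peers: list[Peer]) -> str:
    """Render a FortiOS BGP config with one global AS for the given peer table."""
    out = ["config router prefix-list", '    edit "DEFAULT_ROUTE"',
           "        config rule", "            edit 1",
           "                set prefix 0.0.0.0 0.0.0.0", "            next",
           "        end", "    next", "end"]
    # Prepending goes on the route-map applied OUTBOUND to the secondary peers;
    # eBGP adds our AS once by itself, so "prepend x2" means two extra copies.
    for p in (q for q in peers if q.prepend):
        path = " ".join([str(local_as)] * p.prepend)
        out += ["config router route-map", f'    edit "{p.name}_OUT"',
                "        config rule", "            edit 1",
                f'                set set-aspath "{path}"', "            next",
                "        end", "    next", "end"]
    out += ["config router bgp", f"    set as {local_as}", "    config neighbor"]
    for p in peers:
        out += [f'        edit "{p.remote_ip}"',
                f"            set remote-as {p.remote_as}"]
        if p.default_only:  # only the default route is accepted from WWW peers
            out.append('            set prefix-list-in "DEFAULT_ROUTE"')
        if p.prepend:
            out.append(f'            set route-map-out "{p.name}_OUT"')
        out.append("        next")
    out += ["    end", "end"]
    return "\n".join(out)

# Constructed table in the shape of the thread's hand-off; IPs are placeholders.
PEERS = [
    Peer("Primary_ISP_WWW", "198.51.100.8", 4200000531, True, 0),
    Peer("Secondary_ISP_WWW", "198.51.100.2", 4200000533, True, 2),
    Peer("Primary_ISP_WAN", "198.51.100.66", 4200000533, False, 0),
    Peer("Secondary_ISP_WAN", "198.51.100.60", 4200000533, False, 2),
]
```

`print(render_bgp(4200002027, PEERS))` emits the full config; the primary peers get no route-map-out at all, which is the shape the replies above converge on.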