Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
trixsta
New Contributor

BGP Migration from static

Hi,

 

Migrating from Static routing to BGP and adding a second MPLS and I've only used RIP.

So when the primary WWW & WAN were to fail we.d failover to Secondary WWW &WAN. We don't have control over the Primary and secondary routers, just our FortiGate,s and have been provided BGP details.

 

BGP Detail is below and I'm looking for guidance on getting this BGP info (also prepending) configured in our 300D (Active-passive) 6.2.5

 

WWW Vlan's are in SDWAN

 

Primary WAN/WWW

 

WAN Pri  Vlan v820

Remote IP x.x.x.66/31

remote AS 420000053

Our IP x.x.x.67/31

Our AS 420000207

No Pre Pending

 

WWW Pri Vlan 810

Remote IP x.x.x.8/31

remote AS 420000051

Our IP x.x.x.9/31

Our AS 420000208

No Pre Pending

 

Secondary WAN/WWW

 

WAN Sec Vlan 821

Remote IP x.x.x.60/31

remote AS 420000053

Our IP x.x.x.61/31

Our AS 420000207

Prepend x2

 

WWW Sec Vlan 811

Remote IP x.x.x.2/31

remote AS 420000053

Our IP x.x.x.3/31

Our AS 420000208

Prepend x2

 

 

 

Thanks,

 

 

 

 

 

12 REPLIES 12
Toshi_Esumi
SuperUser
SuperUser

We regularly don't use AS prepend so basically I would do what you need to do in case it's required: Internet Search! I found two KBs.

https://kb.fortinet.com/kb/documentLink.do?externalID=FD39448

https://kb.fortinet.com/kb/documentLink.do?externalID=FD31868

Both use 2bytes private ASN but your case is 4byte ones 42xxxxxxx. Just number difference so don't worry. You just need to get used to how to use route-maps and set up neighbors. The key requirement is you seems to be expected to append the same ASN on the secondary side at least two times (I would add three or more, which shouldn't hurt) when you advertise your local routes over the secondary.

For route receiving side, the second KB is using local preference to set higher preference on the primary side. We usually set local preference lower on the secondary side instead. Either way would work.

So you need to take care of those advertisement side and receiving side. One you got use to those, you would realize there are multiple ways to accomplish your goal.

trixsta

Update: We managed to get this going with the below config

 

I have another question:  We need to restrict receiving & sending all routes over the WWW Pri & WWW Sec internet interfaces and only accept the default route advertised.

We also have some public address ranges provided by our ISP ( previously routed to us using static routes on their core) but we now need to advertise these public ranges to them, These are not configured on connected interfaces on our FortiGate.

 

Any help or point me in the right direction would be apprecated 

 

 

Config used for the BGP setup:

 

config router route-map     edit "Secondary_ISP_WWW"         config rule             edit 1                 set set-aspath "4200002028 4200002028 4200002028"             next         end     next end config router route-map     edit "Secondary_ISP_WAN"         config rule             edit 1                 set set-aspath "4200002027 4200002027 4200002027"             next         end     next end Route-map that sets higher local preference for prefixes received from Primary ISP: config router route-map     edit "Primary_ISP_WWW"         config rule             edit 1                 set set-local-preference 200                 set set-aspath "4200002028"             next         end     next end config router route-map     edit "Primary_ISP_WAN"         config rule             edit 1                 set set-local-preference 200                 set set-aspath "4200002027"             next         end     next end The route-maps are applied to both BGP neighbors: config router bgp     set as 4200002027         config neighbor             edit "x.x.x.66"                 set remote-as 4200000533                 set local-as 4200002027                 set route-map-in “Primary_ISP_WAN”             next             edit "x.x.x.60"                 set remote-as 4200000533                 set local-as 4200002027                 set route-map-out "Secondary_ISP_WAN"             next         end config router bgp     set as 4200002028         config neighbor             edit "x.x.x.8"                 set remote-as 4200000531                 set route-map-in “Primary_ISP_WWW”             next             edit "x.x.x.2"                 set remote-as 4200000531                 set route-map-out "Secondary_ISP_WWW"             next         end end

Toshi_Esumi

You need to split route-maps to 1) receiving and 2) advertisement, then 1) is applied to "route-map-in" and 2) is applied to "route-map-out" for each neighbor.

Obviously the local pref setting is in 1),  then AS prepending is in 2) like in the KB: https://kb.fortinet.com/k....do?externalID=FD39448

Toshi_Esumi

To accept only default route in 1), you can do like below: config router prefix-list     edit "DEFAULT_ROUTE"         config rule             edit 1                 set prefix 0.0.0.0 0.0.0.0                 unset ge                 unset le             next

[size="2"]        end     next end[/size]

config router route-map     edit “DEFAULT_ONLY_P”         config rule             edit 1                 set match-ip-address "DEFAULT_ROUTE"                 set set-local-preference 200             next         end

[size="2"][size="2"]    next[/size][/size]

[size="2"][size="2"]    edit “DEFAULT_ONLY_S”         config rule             edit 1                 set match-ip-address "DEFAULT_ROUTE"             next         end[/size][/size]

[size="2"][size="2"]    next[/size][/size]

[size="2"][size="2"]end[/size][/size]

 

[size="2"][size="2"]Then use these with "set route-map-in" statement for each neighbor.[/size][/size]

 

 

 

trixsta

Hi,

 

I've updated the config below to include the default route. If this is correct?

 

I need to make sure the following also work

[ul]
  • Secondary_ISP_WAN     (Redistribute Our Connected Networks to neighbors) & receive all routes
  • Primary_ISP_WAN         (Redistribute Our Connected Networks to neighbors) & Receive all routes[/ul]

    Also requested to advertise the following subnets to our internet-facing interfaces Primary_ISP_WWWSecondary_ISP_WWW

     

    What I need to advertise the below routes to our ISP. These IP's are for our internal websites behind the FortiGate with local IP ranges 10.x.x.0/24.

     

    These routes have no connected interface on the FortiGate. We just had DNAT rules to the internal IP addresses of our web servers.

    [ul]
  • 201.x.x.24/29
  • 201.x.x.192/29
  • 201.x.x.16/29
  • 111.x.x.224/28[/ul]

     

    Help on the final tweaks would be great! Toshi thanks for all your help so far.

     

     

    Config updated with accepting only the default route on "Primary_ISP_WWW" & Secondary_ISP_WWW"

     

    To accept only default route in 1 config router prefix-list     edit "DEFAULT_ROUTE"         config rule             edit 1                 set prefix 0.0.0.0 0.0.0.0                 unset ge                 unset le             next         end     next end config router route-map     edit "Secondary_ISP_WWW"         config rule             edit 1                 set set-aspath "4200002028 4200002028 4200002028"   set match-ip-address "DEFAULT_ROUTE"             next         end     next end config router route-map     edit "Secondary_ISP_WAN"         config rule             edit 1                 set set-aspath "4200002027 4200002027 4200002027"             next         end     next end Route-map that sets higher local preference for prefixes received from Primary ISP: config router route-map     edit "Primary_ISP_WWW"         config rule             edit 1                 set set-local-preference 200                 set match-ip-address "DEFAULT_ROUTE"                 set set-aspath "4200002028"             next         end     next end config router route-map     edit "Primary_ISP_WAN"         config rule             edit 1                 set set-local-preference 200   set set-aspath "4200002027"             next         end     next end The route-maps are applied to both BGP neighbors: config router bgp     set as 4200002027         config neighbor             edit "x.x.x.66"                 set remote-as 4200000533                 set local-as 4200002027                 set route-map-in “Primary_ISP_WAN”             next             edit "x.x.x.60"                 set remote-as 4200000533                 set local-as 4200002027                 set route-map-out "Secondary_ISP_WAN"             next         end config router bgp     set as 4200002028         config neighbor             edit "x.x.x.8"                 set remote-as 4200000531                 set route-map-in “Primary_ISP_WWW”             next             edit "x.x.x.2"                 set remote-as 4200000531                 set route-map-out "Secondary_ISP_WWW"             next         end end

     

     

     

  • trixsta

    If I add this config to the above... Would this advertise the required below routes to my ISP

     

    get | grep network-import-check network-import-check: enable config router bgp  config network             edit 1                 set prefix 201.x.x.24 255.255.255.248         next         edit 2                 set prefix 201.x.x.192 255.255.255.248         next         edit 3                 set prefix 201.x.x.16 255.255.255.248         next         edit 4                 set prefix 101x.x.224 255.255.255.240  end       This was mentioned that it's required to be disabled to advertise the routes as they don't have a connected interface. Config router bgp  set network-import-check disable end

    Toshi_Esumi

    I didn't realize you have two FGTs terminating different vlans/circuits. Then Internet peering and WAN peering have separate sets of AS numbers. I don't think you can have multiple BGP instances (different ASNs) on one FGT unless you split it into multiple VDOMs. Since you have two FGTS, you should split two local ASNs with two FGTs, means one for Internet, and another for WAN. Then those two FGTs need to be iBGP peers each other to share the routes that the opposite side doesn't learn from the circuit.

    Then as-path prepending is only for advertising routes. It wouldn't do anything with route-map-in.

     

    At this point, it's a little too complicated than I can simply advise outside of my work without any fallouts. I would suggest you get help from FTNT TAC.

     

     

    trixsta

    Hi,

     

    No, we only have 1 FortiGate (HA  Active-passive).  This is connected to two Different managed internet connections.

    Primary and secondary  (failing over to secondary is Primary was to fail)

     

     

    I Asked Fortinet support and no help what so ever just closed the ticket as nothing was faulty.

    emnoc
    Esteemed Contributor III

    Your description and drawing does not match and how are you planning to set 2 local-AS on a single fortigate ruing a config  router bgp?

     

      set as 4200002027

          and

      set as 4200002028

     

     

    Next observation, what is your ISP actually sending you? partial/full or default only? if it's a default-only then you do not need route-maps

     

    Next, are you trying to set aspath prepend on a in route-map ?

     

     

     

    last observation this is a 300D, it's going croak or fall over if you think your going to ingest full-routes from 4 bgp peers.

     

     

    Also btw FTNT support is not a design, consultation or solution team. Support is to fix and remediate support needs.

     

    Ken Felix

    PCNSE 

    NSE 

    StrongSwan  

    PCNSE NSE StrongSwan
    Announcements

    Select Forum Responses to become Knowledge Articles!

    Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

    Labels
    Top Kudoed Authors