- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: BGP Migration from static
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
BGP Migration from static
Hi,
Migrating from Static routing to BGP and adding a second MPLS and I've only used RIP.
So when the primary WWW & WAN were to fail we.d failover to Secondary WWW &WAN. We don't have control over the Primary and secondary routers, just our FortiGate,s and have been provided BGP details.
BGP Detail is below and I'm looking for guidance on getting this BGP info (also prepending) configured in our 300D (Active-passive) 6.2.5
WWW Vlan's are in SDWAN
Primary WAN/WWW
WAN Pri Vlan v820
Remote IP x.x.x.66/31
remote AS 420000053
Our IP x.x.x.67/31
Our AS 420000207
No Pre Pending
WWW Pri Vlan 810
Remote IP x.x.x.8/31
remote AS 420000051
Our IP x.x.x.9/31
Our AS 420000208
No Pre Pending
Secondary WAN/WWW
WAN Sec Vlan 821
Remote IP x.x.x.60/31
remote AS 420000053
Our IP x.x.x.61/31
Our AS 420000207
Prepend x2
WWW Sec Vlan 811
Remote IP x.x.x.2/31
remote AS 420000053
Our IP x.x.x.3/31
Our AS 420000208
Prepend x2
Thanks,
- « Previous
-
- 1
- 2
- Next »
12 REPLIES 12
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
We will be advertised only the default route from our ISP Via Two public-facing interfaces Primary_ISP_WWW (vlan 810) & Secondary_ISP_WWW (Vlan811)
We will receive all our WAN interconnected Site routes via the Two WAN interfaces Primary_ISP_WAN (Vlan820) & Secondary_ISP_WAN (vlan821)
As for the two local AS, From reading I figured I could do the below ?. Form our testing all neighbors are show active.
The config below i have one AS "set as 420002028" set globally
The other local AS applied to neighbor "set local-as 4200002027" & "set local-as-replace-as enable"
To accept only default route in 1)
config router prefix-list
edit "DEFAULT_ROUTE"
config rule
edit 1
set prefix 0.0.0.0 0.0.0.0
unset ge
unset le
next
end
next
end
config router route-map
edit "Secondary_ISP_WWW"
config rule
edit 1
set set-aspath "4200002028 4200002028 4200002028"
set match-ip-address "DEFAULT_ROUTE"
next
end
next
end
config router route-map
edit "Secondary_ISP_WAN"
config rule
edit 1
set set-aspath "4200002027 4200002027 4200002027"
next
end
next
end
Route-map that sets higher local preference for prefixes received from Primary ISP:
config router route-map
edit "Primary_ISP_WWW"
config rule
edit 1
set set-local-preference 200
set match-ip-address "DEFAULT_ROUTE"
set set-aspath "4200002028"
next
end
next
end
config router route-map
edit "Primary_ISP_WAN"
config rule
edit 1
set set-local-preference 200
set set-aspath "4200002027"
next
end
next
end
The route-maps are applied to both BGP neighbors:
config router bgp
config neighbor
edit "x.x.x.66"
set remote-as 4200000533
set local-as 4200002027
set local-as-replace-as enable
set route-map-in “Primary_ISP_WAN”
next
edit "x.x.x.60"
set remote-as 4200000533
set local-as 4200002027
set local-as-replace-as enable
set route-map-out "Secondary_ISP_WAN"
next
end
config router bgp
set as 4200002028
config neighbor
edit "x.x.x.8"
set remote-as 4200000531
set route-map-in “Primary_ISP_WWW”
next
edit "x.x.x.2"
set remote-as 4200000531
set route-map-out "Secondary_ISP_WWW"
next
end
end
config router bgp
config network
edit 1
set prefix 201.x.x.24 255.255.255.248
next
edit 2
set prefix 201.x.x.192 255.255.255.248
next
edit 3
set prefix 201.x.x.16 255.255.255.248
next
edit 4
set prefix 101.x.x.224 255.255.255.240
end
Config router bgp
set network-import-check disable
end
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your still making this way harder here's what I do if I understand your layout
config router prefix-list edit ALLOWDEFAULTconfig rule edit 1 set action permit set prefix 0.0.0.0/0 unset ge unset le nextend config router route-map edit "ISP" config rule edit 1 set match-ip-address "ALLOWDEFAULT" next edit 1000 set action deny next end nextend # apply that ISP route-map to both bgp-peers that connects to internal backbone which I believe van810/820 peers config router bgp set as 4200002027 config neighbor edit "x.x.x.x" set remote-as XYZ set route-map-in “ISP” next edit "y.y.y.y" set remote-as ABC set route-map-in "ISP" next end if your ISP is only sending a default ( which you can ask for ) than you do NOT even need a route-map imho. Your going to have a hard time importing a full-bgp table in a fortigate of this size so don't even ask for a full-view. moving on to what I think is part B you what are "Secondary WAN/WWW" or better yet how many ISP do you actually have 2 or 4 ? What is your actual ASN? do you even have a ASN? The number in your cfg are not even true ASN and I knew heard of a outfit being assigned 2 ASN, but some big orgs do get ASN from ARIN and RIPE but that is rare and not typical norm and is not needed. Your design really make no sense on what you have or trying todo. Also you don't as-path pre-pend on inbound Advertisements. I would suggest to read up on bgp routing by starting at "https://www.bgp.us/" they walk you thru bgp routing and such I would drop all of the complexity and 1st set up your ISP bgp peers that connects to the internet 1st, get SDWAN if your goal is SDWAN and with two members. Once you have set that up, than proceed to build on top of that. If you need to setup a route-map to control route distribution out by repeating what was done earlier in my example and draft a prefix-list and apply that in a route-map Ken FelixPCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
trixsta wrote:If I add this config to the above... Would this advertise the required below routes to my ISP
get | grep network-import-check network-import-check: enable config router bgp config network edit 1 set prefix 201.x.x.24 255.255.255.248 next edit 2 set prefix 201.x.x.192 255.255.255.248 next edit 3 set prefix 201.x.x.16 255.255.255.248 next edit 4 set prefix 101x.x.224 255.255.255.240 end This was mentioned that it's required to be disabled to advertise the routes as they don't have a connected interface. Config router bgp set network-import-check disable end
Yes it would. Usually it is done via adding those to-be-advertised prefixes as a blackhole route, but the tweak you found also works.
BTW - you cannot have different AS numbers/processes on a single Fortigate. Recently they added support for BGP inside VRF (6.4) but even there I don't see option of different local AS. In your plain vanilla multi-home peering it is not needed anyway.
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
- « Previous
-
- 1
- 2
- Next »
Related Posts
- VIP Port Forwarding Settings for Mapping... 26 Views
- How to route ougoing FG traffic... 83 Views
- Traffic is not forwards to another... 147 Views
- VPN Setup using dynamic IP from... 106 Views
- Captive portal issue - fails to... 216 Views
Labels
-
FortiGate
6,758 -
FortiClient
1,345 -
5.2
801 -
5.4
639 -
FortiManager
580 -
FortiAnalyzer
425 -
6.0
416 -
5.6
362 -
FortiSwitch
346 -
FortiAP
344 -
FortiClient EMS
274 -
FortiMail
263 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
160 -
6.4
128 -
FortiNAC
110 -
FortiGuard
108 -
FortiSIEM
91 -
FortiGateCloud
88 -
IPsec
87 -
FortiCloud Products
85 -
FortiToken
73 -
Customer Service
70 -
SSL-VPN
69 -
4.0MR3
64 -
Wireless Controller
62 -
FortiProxy
47 -
FortiADC
44 -
FortiEDR
41 -
Fortivoice
41 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
33 -
SD-WAN
33 -
FortiSwitch v6.4
30 -
Firewall policy
30 -
High Availability
24 -
FortiConnect
24 -
VLAN
23 -
FortiAuthenticator
22 -
FortiWAN
22 -
FortiConverter
21 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
Certificate
16 -
SAML
15 -
FortiMonitor
14 -
BGP
14 -
DNS
14 -
Interface
14 -
Logging
14 -
FortiGate v5.0
13 -
FortiDDoS
13 -
LDAP
12 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
fortilink
11 -
RADIUS
10 -
Virtual IP
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
Authentication
9 -
SSL SSH inspection
9 -
Traffic shaping
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSID
8 -
FortiSOAR
8 -
SSO
8 -
Application control
8 -
RMA Information and Announcements
7 -
FortiAnalyzer v5.0
7 -
Fortigate Cloud
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
FortiBridge
6 -
SNMP
6 -
Web profile
6 -
Proxy policy
5 -
Traffic shaping policy
5 -
FortiAP profile
5 -
Web application firewall profile
5 -
FortiTester
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Packet capture
4 -
Antivirus profile
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
FortiToken Cloud
3 -
DoS policy
3 -
Email filter profile
3 -
Web rating
3 -
Intrusion prevention
3 -
FortiDB
3 -
trunk
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Users
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Protocol option
2 -
4.0MR1
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.