Hey,
So we are getting two internet connections (Primary/Secondary) from a single service provider. The SP provides a single public ASN.
He provides two sets of /30 addresses for the two interfaces and a single /29 LAN subnet.
I need to terminate the two links directly on the Fortinet firewall and configure BGP with the same public ASN number for both links. How can I do this?
Thanks a ton. It will be a lot of help if someone throws some light on this.
It is actually quite a simple setup, even if you haven't configured BGP before:
Regarding BGP: as this is a small (/29) pool, it means you are getting Provider Assigned (PA) IPs, not your own AS number, so you will have to set a private AS on your side, say 65001. Also, you should ask your provider whether you need to add AS path prepends for the /29 you advertise via the backup line, or whether they will do this backup/main line manipulation on their side. If they say you should advertise the /29 with prepends over the backup line, this will add route-map config on your FGT. If not, it is the most basic setup of all.
E.g. let's say the main line IP is 12.12.12.1/30 and is set on port1 in the FGT, the backup line is 13.13.13.1/30 on port2 in the FGT, the AS number of your ISP is AS 1680, and you advertise 10.10.10.0/29, which is configured as directly connected on the FGT. Then:
Interface config:
config sys int
    edit port1
        set ip 12.12.12.1/30
    next
    edit port2
        set ip 13.13.13.1/30
    end
BGP:
1. Route-map to add prepends
config router route-map
    edit "prepend-out"
        config rule
            edit 1
                set set-aspath "65001 65001"
            next
        end
    next
end
2. BGP neighboring (the closing "end" for "config router bgp" was missing in the flattened text and is restored here)
config router bgp
    set as 65001
    config neighbor
        edit "12.12.12.2"
            set remote-as 1680
            set weight 10
        next
        edit "13.13.13.2"
            set remote-as 1680
            set route-map-out "prepend-out"
        next
    end
    config redistribute "connected"
        set status enable
    end
end
That is it.
N.B. The example is taken verbatim from my blog post; there are more case scenarios there: https://yurisk.info/2020/05/20/fortigate-bgp-cookbook-of-example-configuration-and-debug/#ee1
Dear Yuri,
Thanks for your response.
How do I pass 10.10.10.0/29 as connected? Also, if I enable "redistribute connected", I have other links coming up (a couple of MPLS); will these be redistributed as well? If yes, how do I avoid them?
Thanks for the help. Much appreciated. The links just got delivered and I will test these soon.
We are also getting a couple of MPLS links in a similar fashion, Active/Standby. They give out a single private ASN for both links; will this affect my Internet side configs?
MPLS has 10.0.0.1/30 and 10.0.1.1/30 and is connected to HQ. The branch LAN subnet is 192.168.0.0/16 and the HQ subnet is 172.26.0.0/21.
Regards
Good Day, Varda
You can configure route-maps and apply them in the desired direction to block specified subnets from being advertised to your BGP neighbors (neighbor specific).
Refer to the following link for an example of applying a BGP route-map to multiple BGP neighbors:
https://docs.fortinet.com/document/fortigate/6.4.5/administration-guide/89370/applying-bgp-route-map...
To me, using "prefix-list" in route-maps is more popular than using "access-list" as in the admin guide.
Also use "local-preference" (set-local-preference) to change the default value (100) to make routes from a specific neighbor higher or lower than the other, to control the outgoing direction of traffic. To manipulate the opposite direction, you need to ask the network providers what you should do, if they haven't told you already. Either none is needed, or communities are needed, or AS prepend might be needed. It is completely up to them.
Toshi
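As an added example (not from any post in this thread), here is how Toshi's prefix-list route-map and local-preference suggestions could be combined with Yuri's configuration above, so that only the provider-assigned /29 is advertised to the Internet peers and the MPLS and branch subnets never are. It assumes the neighbors 12.12.12.2 and 13.13.13.2 already exist from Yuri's config (remote-as 1680), that 10.10.10.1/29 is set on a LAN interface so the /29 is in the routing table, and that the names PL-PUBLIC-29 and RM-INET-* are made up here; it advertises the /29 with "config network" instead of "redistribute connected", which is what avoids leaking the MPLS prefixes.

```text
config router prefix-list
    edit "PL-PUBLIC-29"
        config rule
            edit 1
                set prefix 10.10.10.0 255.255.255.248
            next
        end
    next
end
config router route-map
    # Outbound maps permit only the /29 (the implicit deny drops MPLS and 192.168.0.0/16); inbound map raises local-preference above the default 100
    edit "RM-INET-OUT-MAIN"
        config rule
            edit 1
                set match-ip-address "PL-PUBLIC-29"
            next
        end
    next
    edit "RM-INET-OUT-BACKUP"
        config rule
            edit 1
                set match-ip-address "PL-PUBLIC-29"
                set set-aspath "65001 65001"
            next
        end
    next
    edit "RM-INET-IN-MAIN"
        config rule
            edit 1
                set set-local-preference 200
            next
        end
    next
end
config router bgp
    config network
        edit 1
            set prefix 10.10.10.0 255.255.255.248
        next
    end
    config neighbor
        edit "12.12.12.2"
            set route-map-in "RM-INET-IN-MAIN"
            set route-map-out "RM-INET-OUT-MAIN"
        next
        edit "13.13.13.2"
            set route-map-out "RM-INET-OUT-BACKUP"
        next
    end
end
```

After applying it, "get router info bgp neighbors 12.12.12.2 advertised-routes" should list only 10.10.10.0/29, which is the check that the MPLS and branch prefixes are being withheld.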
The funny thing about ACLs for filtering routes in FGT is that they accept prefix notation just as happily as a bitmask, so even if using an ACL you can specify 10.10.10.0/24 instead of 10.10.10.0 0.0.0.255 and turn it into a prefix-list ))
Hi again,