Rat1001
New Contributor II

BGP Route Priority

Hi Gents,

Just a quick question: can you configure a priority for routes learned from BGP like you do for static routes?

BGP config: I have changed the admin distance to match that of static routes.

BGP route map: I have set the metric to the same as the one on static routes.

What I want to achieve is to have a static default route and a default route learnt from BGP peers in the routing table; I have seen the route in the database.

Rat1001
New Contributor II

Thanks @gfleming,

I always thought a license was needed for SD-WAN. But thinking of it, can you reference VLAN interfaces in SD-WAN zones? I think I saw somewhere that some interfaces didn't appear in the list to add to a zone.

gfleming

There is no limitation as to what interface type can be a member of an SD-WAN zone. VLANs are fine to be used as such.

Cheers,
Graham
parteeksharma

Hi Rat1001,

For routes learnt from different routing protocols, the AD value is used for route preference. For example, if the same prefix is learnt from static routing and BGP, the AD value would be the deciding factor.
If you have multiple routes learnt from BGP, the BGP path attributes are used to prefer one BGP-learnt route over another. Kindly check the link below for more detail:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-BGP-route-selection-process/ta-p/195932



Regards,
Parteek
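
To make the selection order Parteek describes concrete, here is an added example (it is not from this thread, from Fortinet, or from FortiOS itself): a small Python model of a routing table that first reduces the BGP candidates for a prefix to one best path using a simplified attribute order, then compares that survivor against routes from other protocols by administrative distance, and finally orders the equal-AD survivors by a FortiGate-style priority value. The default distances, the attribute order, the behaviour for equal-AD routes from different protocols and the sample routes are all assumptions for illustration; check your own unit's settings and the linked KB for the exact FortiOS order.

```python
"""Toy model of route preference: AD across protocols, BGP attributes among
BGP candidates, priority among equal-AD survivors.  Added example, not
FortiOS code; every constant below is an assumption for illustration."""
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed protocol defaults (FortiOS ships static=10, eBGP=20, iBGP=200,
# OSPF=110; verify on your unit, they are configurable).
DEFAULT_DISTANCE = {"connected": 0, "static": 10, "ebgp": 20,
                    "ospf": 110, "ibgp": 200}
BGP_PROTOCOLS = ("ebgp", "ibgp")


@dataclass
class Route:
    prefix: str
    protocol: str
    gateway: str
    distance: Optional[int] = None   # None -> protocol default
    metric: int = 0
    priority: int = 0                # FortiGate-style priority, lower preferred
    # BGP-only attributes (assumed defaults)
    weight: int = 0
    local_pref: int = 100
    as_path: List[int] = field(default_factory=list)
    origin: int = 0                  # 0 = IGP, 1 = EGP, 2 = incomplete
    med: int = 0

    def ad(self) -> int:
        return self.distance if self.distance is not None \
            else DEFAULT_DISTANCE[self.protocol]


def bgp_best(cands: List[Route]) -> Route:
    """Simplified BGP best-path: highest weight, highest local-pref,
    shortest AS path, lowest origin code, lowest MED (assumed order,
    a subset of the full decision process)."""
    return min(cands, key=lambda r: (-r.weight, -r.local_pref,
                                     len(r.as_path), r.origin, r.med))


def select(rib: List[Route], prefix: str) -> List[Route]:
    """Return the routes for `prefix` this model installs, ordered by
    (priority, metric).  BGP is collapsed to one best path first, then the
    lowest AD wins; equal-AD routes are all kept (ECMP in this model)."""
    cands = [r for r in rib if r.prefix == prefix]
    if not cands:
        return []
    bgp = [r for r in cands if r.protocol in BGP_PROTOCOLS]
    survivors = [r for r in cands if r.protocol not in BGP_PROTOCOLS]
    if bgp:
        survivors.append(bgp_best(bgp))
    best_ad = min(r.ad() for r in survivors)
    winners = [r for r in survivors if r.ad() == best_ad]
    return sorted(winners, key=lambda r: (r.priority, r.metric))


def sample_rib() -> List[Route]:
    """Constructed sample (not taken from the thread): two static defaults
    with different priorities, two eBGP-learnt defaults, one OSPF route."""
    return [
        Route("0.0.0.0/0", "static", "198.51.100.1", priority=1),
        Route("0.0.0.0/0", "static", "203.0.113.1", priority=5),
        Route("0.0.0.0/0", "ebgp", "192.0.2.1", as_path=[64500, 64501]),
        Route("0.0.0.0/0", "ebgp", "192.0.2.9", as_path=[64502]),
        Route("10.0.0.0/8", "ospf", "10.1.1.1", metric=20),
    ]


if __name__ == "__main__":
    for r in select(sample_rib(), "0.0.0.0/0"):
        print(r.protocol, r.gateway, "AD", r.ad(), "prio", r.priority)
```

With the sample, both statics (AD 10) enter the table ahead of the BGP default (AD 20), and the static with priority 1 is listed first; the BGP default only appears once its distance is set below that of the statics, which is the AD-driven behaviour the reply above describes. The model does not claim what a real FortiGate does when a static and a BGP route tie on AD; that is exactly the point the thread is probing.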

Rat1001

Hi @parteeksharma,

 

I have matched the metric and AD of the BGP-learned route to those of the statically configured secondary default route. However, my question is: can I configure the priority of a BGP route the way one does when configuring a static route on FortiGate?

There's no attribute or anything like this in the BGP config on FortiGate, or at least I can't seem to find it.

Rat1001
New Contributor II

Hi @parteeksharma ,

 

I have tweaked the BGP route AD and metric to match those of the static default route; I will have to test with ISP1. What I am unsure of is how to set a FortiGate static-route-like priority on a route learnt from BGP; I'm not sure if this is even possible.

nbanba
New Contributor II

Hi Rat1001

 

I think I have a nearly similar use case:

2 ISPs (1 corporate ISP and 1 end-consumer ISP)

The corporate ISP provides 2 links: one at L2 on VLAN 950 (so a connected route + static routing has to be used) and one at L3 (with BGP) transiting on VLAN 952.

The end-consumer ISP provides 1 link transiting on VLAN 951, either at L2 (through bridge mode, where I can configure the public IP directly on the FortiGate WAN interface) or at L3 through a router with a private IP as the gateway for the FortiGate, but in both cases (L2 or L3) it only supports static routing.

 

So as you can imagine, using the FortiGate-specific proprietary attribute named 'priority', I was able to handle 2 default routes between the 2 internet links.

 

For my use case, I need to have the 2 links of the corporate ISP (ISP1) active at the same time, because I need to migrate all services currently using public IPs configured on VLAN 950 to the new L3 subnet I advertise with BGP to the ISP backbone over VLAN 952 (soft migration IP by IP, service by service; everything is in production).

For internet traffic to work on VLAN 952, I need to receive a default route via eBGP from the ISP1 backbone.

As said earlier in this thread, it's not possible to mix a BGP default route and a static default route at the same time in the routing table, and if you run 'get router info routing-table all' on the FortiGate, you will never find the BGP default route in the FortiGate routing table when a static route is configured, even if you receive it (get router info bgp neighbor xxx.xxx.xxx.xxx received-routes).

 

To handle this use case, I solved it using VRFs, isolating VLAN 952 in a specific VRF so the default BGP route is in the routing table of that VRF.

To make the 2 VRFs communicate, I used BGP VRF leaking between the 2 VRFs using an inter-VDOM link and subnet overlapping.

Now I am able to use the 3 internet links with 3 default gateways at the same time on a single FortiGate AND without using VDOMs.

This way, I will be able to migrate all services hosted on the public subnet of VLAN 950 (L2 and using a static default route) to the new L3 subnet I advertise to ISP1 with BGP, and to use VLAN 951 (ISP2) as a fallback ISP using the same scheme.

If someone is interested in the detailed configuration I can post it here, let me know (it was not that easy to make this design work).

 

Regards,

nbanba

Rat1001
New Contributor II

@nbanba, wasn't it possible to use SD-WAN rather than VRFs? With SD-WAN you can use all the routes.

sahmed_FTNT
Staff

Hello, just to add, the KB below might help you with influencing BGP routes using metrics:

https://community.fortinet.com/t5/FortiGate/Technical-Note-Influencing-BGP-routes-using-Metric/ta-p/...

Security all we want
Rat1001
New Contributor II

Thanks @sahmed_FTNT, will have a look.

nbanba
New Contributor II

Thanks @sahmed_FTNT for the KB!

@Rat1001:

Maybe SD-WAN could have been an option with some complex setup, but it wasn't considered because, as I need to migrate all traffic reaching us from the internet from one link with its own public IP to the second link using its own public IP (which would be part of the SD-WAN aggregate interface), I cannot use a single aggregate interface for the 2 links.

 

From my experiments at our customers, SD-WAN is a nice way to handle use cases like the following one:

Having several sites connected by an MPLS network to a "central" site which holds most of the resources: servers, IP phone appliances, ..., firewalls, and the internet connection. All sites have end users (like in an office) and some sites have some servers. All sites access the central site through MPLS and access the internet through the central site.

After studying the cost of the MPLS network on the 11 + 1 sites (the farthest site from the central site is about 1000 km away), it appeared that having a less-than-10 Mb/s MPLS link between every site and the central site, and having 2 x 1G internet connections on each site (one with a corporate ISP and the second with an end-consumer ISP), cost the same.

 

So it was decided to replace the old MPLS with SD-WAN using 2 ISPs.

Cisco MPLS routers were replaced by FortiGates on every site, plus FortiAnalyzer & FortiManager in the central site, and the MPLS links to the central site (datacenter) were replaced by HA IPsec tunnels over the corporate internet link, which are monitored by a second tunnel that comes up on the end-consumer internet link as soon as the corporate link goes down.

Users of each site now reach the internet directly from their site (and not from the central site) using SD-WAN with an aggregate interface of the 2 links.

SD-WAN policies are deployed to offload traffic from the corporate internet link to the end-consumer internet link for everything that can use heavy or unpredictable bandwidth, like Windows Update, some allowed YouTube channels, etc., and to handle all traffic if the latency of the corporate link reaches a certain value.

 

To go back to my actual use case: except for IPsec tunnels, I'm not sure that after aggregating WAN interfaces into a single SD-WAN interface it's still possible to make policies using only one of the aggregated interfaces (I think it's not possible), and I don't know if it's also possible to address intra-SD-WAN-zone traffic between the 2 or more interfaces aggregated into a single SD-WAN interface. Also, I did not test VRF support with SD-WAN interfaces (can 2 interfaces of 2 different VRFs be aggregated in a single SD-WAN zone? If yes, does it work as expected? The customer is working in the medical field, so different traffic has to be separated into at least different VRFs / VDOMs, or better on different hardware, which is not the case here.)

 

And to be honest, I did not think about SD-WAN for this use case because of two things:

- Systems are in production and have a heavy history, and I cannot get a big enough downtime window where I can put production offline to rewrite and test all (hundreds and hundreds of) policies with the SD-WAN interface, and I do not have any QA system to POC it.

- SD-WAN is OSI L7, and the customer I'm working for has nearly no network team (that's why I'm working for him) and already has some difficulties understanding OSI L2 and OSI L3 protocols, so I didn't want to go up the OSI levels and preferred to stay at the lowest possible level.

(It's quite cheap and easy to find NSE4 or CCNA/CCNP people on the market who can easily handle use cases with VRFs and dynamic routing; it's more difficult to find real SD-WAN experts.)

 

Kind regards

nbanba
