Hi together,
I have the following issue concerning the described network structure:
Two main sites which are connected to our MPLS-Network. Other sites are also connected via MPLS. Each MPLS site has an MPLS-Router exchanging BGP-Routes with the Site-Firewall and redistributing it within the MPLS network. We want to throw out MPLS and replace it with IPSec tunnels. The goal is one connection from each remote site to each main site, routes also being exchanged via BGP and the two main sites also connected via IPSec to each other. From routing perspective this should not be a problem but if we now let the firewall things join we may break connections due to asynchronous routing when MPLS is still running:
For example: packets entering via IPSec to main site 1 into MPLS to another location. Due to the BGP things within MPLS which we can't affect the answer packet maybe will be routed back through main site 2 as this is a "cheaper" way. Firewall on main site 2, of course, doesn't know about the packet and throws it away.
My thoughts about that:
Easiest way: Is there a possibility in Fortigate to make BGP neighbors dependent so they only get active when another neighbor is NOT active so that only one of the main sites get the BGP routes?
I also thought about doing the thing with metrics but we can't affect routing things within the MPLS-Network.
Do you maybe have any other ideas to get this done?
Thanks already for your answers!
Ketanest
Hi Ketanest,
It would be great if you can show us a network topology. Can you take a look if you can use AS prepending to have an Active-Passive kind of setup.
Another way to accomplish primary and backup main sites is to advertise the same routes with a specific community, say "community 2", from the backup site to all the other locations. Then the other locations set local-pref to a lower value than the default 100, say 99, on those routes with community 2.
However, whatever the method is for this part, if you can't modify/influence the MPLS side of BGP routing decisions, you have to do a hot-cut from the MPLS to the FGT's IPsec network (just another form of MPLS VPN network) at all locations at the same time.
Toshi
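One way to put Toshi's community plus local-pref scheme into FortiOS CLI, as an added example that is not from the original post or from Fortinet: the backup main site tags everything it advertises to the remote sites, and each remote site drops local-pref on routes carrying that tag so the primary main site's path wins. The AS numbers, the community value 65000:2 (standing in for "community 2"), the neighbor addresses and the list/route-map names are all assumptions for this example.

```fortios
# --- Backup main site FortiGate: tag all routes advertised to remote sites ---
# 65000:2 is an assumed marker for "community 2"; ASNs and neighbor
# addresses are placeholders for this example.
config router route-map
    edit "RM-BACKUP-OUT"
        config rule
            edit 1
                set set-community "65000:2"
            next
        end
    next
end
config router bgp
    set as 65002
    config neighbor
        edit "192.0.2.10"
            set remote-as 65010
            set send-community standard
            set route-map-out "RM-BACKUP-OUT"
        next
    end
end

# --- Each remote site FortiGate: prefer routes that do NOT carry the tag ---
config router community-list
    edit "CL-BACKUP"
        config rule
            edit 1
                set action permit
                set match "65000:2"
            next
        end
    next
end
config router route-map
    edit "RM-PREFER-PRIMARY-IN"
        config rule
            edit 1
                # routes tagged by the backup site get local-pref 99 (below the default 100)
                set match-community "CL-BACKUP"
                set set-local-preference 99
            next
            edit 2
                # everything else (routes from the primary site) keeps the default local-pref
            next
        end
    next
end
config router bgp
    set as 65010
    config neighbor
        edit "192.0.2.1"
            set remote-as 65001
            set description "IPsec tunnel to primary main site"
        next
        edit "192.0.2.2"
            set remote-as 65002
            set description "IPsec tunnel to backup main site"
            set route-map-in "RM-PREFER-PRIMARY-IN"
        next
    end
end
```

After applying it, `get router info bgp network` on a remote site should show the primary site's path selected for each prefix and the backup path carrying local-pref 99. Note that this only steers the remote-to-main direction, where the remote FortiGate makes the decision; the return path chosen inside the provider's MPLS network is still the provider's decision, which is exactly the asymmetry Ketanest describes, so traffic coming back through the other main site's firewall remains possible until that side is addressed as well.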
Toshi: As we can't hot-cut due to our network size and criticality this won't work.
Nathan: network topology like this (other VPN-Locations as site 2, other MPLS-Locations as site 1).
Example: Connection (or answer) of site 1 to site 2: site 1 sends the packet to MPLS-Router, Router sends it to the MPLS-Network which we can't affect and from there I don't know where the packet will end.
If you have access to the MPLS routers to configure BGP neighboring with the FGT at the main locations like in the diagram, you can migrate one remote location at a time without a problem. You probably already know how the MPLS provider is providing redundancy between the primary and secondary main sites. I thought you might not have the access.
Toshi
We have physical access to the MPLS routers but not configuration access. Our provider responded they use local preference for the path so AS prepending unfortunately won't work. They offered to manually configure the remote sites on the MPLS routers with an according policy for the routing but this is not what we want as we are dependent on them any time we install a new location. But I think that's the only way as we cannot do a hard cut.
Thanks for your responses anyway!