Configuring BGP Failover Routing Between Two Sites
We have two sites, site A and site B. Both sites have a FortiGate firewall. The FortiGate devices ARE NOT configured for high availability, nor will they be.
Both sites have an internet connection provided by the same ISP:
Site A
Fortinet Firewall Public IP: A.A.A.13/30
ISP Gateway Public IP: A.A.A.14/30
Site B
Fortinet Firewall Public IP: B.B.B.16/30
ISP Gateway Public IP: B.B.B.17/30
We have two BGP-published IP address ranges that have been provided by our ISP:
BGP Advertised Public IP Range Q: Q.Q.Q.Q/27
BGP Advertised Public IP Range R: R.R.R.R/27
Local AS: 4294836658
Remote (ISP) AS: 7545
Local and Remote ASNs are the same for both sites (single ISP only).
Under normal conditions, we need all traffic going to Q.Q.Q.Q/27 to be directed to site A. However, if site A is down, we need all traffic going to Q.Q.Q.Q/27 to be directed to site B.
Likewise, under normal conditions, we need all traffic going to R.R.R.R/27 to be directed to site B. However, if site B is down, we need all traffic going to R.R.R.R/27 to be directed to site A.
I have found a Cisco config that is used to configure the above for a single BGP route, which is:
ROUTER A - Primary
================================================================
router bgp 65534
 address-family ipv4
  network 100.64.0.0 mask 255.255.224.0
  neighbor 100.66.10.2 remote-as 100
  neighbor 100.66.10.2 description RouterC
  neighbor 100.66.10.2 prefix-list aggregate out
  neighbor 100.66.10.2 prefix-list default in
  neighbor 100.66.10.2 activate
!
ip prefix-list aggregate permit 100.64.0.0/19
ip prefix-list default permit 0.0.0.0/0
!
ip route 100.64.0.0 255.255.224.0 null0
================================================================
ROUTER B - Backup
================================================================
router bgp 65534
 address-family ipv4
  network 100.64.0.0 mask 255.255.224.0
  neighbor 100.66.10.2 remote-as 100
  neighbor 100.66.10.2 description RouterD
  neighbor 100.66.10.2 prefix-list aggregate out
  neighbor 100.66.10.2 route-map med10-out out
  neighbor 100.66.10.2 prefix-list default in
  neighbor 100.66.10.2 route-map lp-low-in in
  neighbor 100.66.10.2 activate
!
ip prefix-list aggregate permit 100.64.0.0/19
ip prefix-list default permit 0.0.0.0/0
!
ip route 100.64.0.0 255.255.224.0 null0
!
route-map med10-out permit 10
 set metric 10
!
route-map lp-low-in permit 10
 set local-preference 90
!
================================================================
The question I have is: how do I do a similar configuration using the FortiGate CLI, and how do I extend this configuration for TWO BGP routes?
Hi Ian,
I think I can help you. I assume you've already done BGP with this ISP, or at least confirmed they will do BGP with you on /27 routes? Generally anything smaller than a /24 will not be propagated on the Internet, but assuming your networks are part of a larger subnet advertised by the ISP it shouldn't be a problem.
Let's reverse-engineer what we're going to do here. First, you're going to have a peer (or BGP neighbor) on each FortiGate, and that code will look something like:
config router bgp
set as 4294836658
config neighbor
edit A.A.A.14
set remote-as 7545
set route-map-out "BGProuteQ_Routemap"
next
end
end
You'll do something similar on the other FortiGate, changing the appropriate parts of course. The mystery is what is BGProuteQ_Routemap? That might look something like this on the site A FortiGate:
config router route-map
edit "BGProuteQ_Routemap"
config rule
edit 1
set match-ip-address "routeQ_Prefix"
set set-metric 10
next
edit 2
set match-ip-address "routeR_Prefix"
set set-metric 20
next
end
next
end
And something like this on the site B FortiGate:
config router route-map
edit "BGProuteR_Routemap"
config rule
edit 1
set match-ip-address "routeQ_Prefix"
set set-metric 20
next
edit 2
set match-ip-address "routeR_Prefix"
set set-metric 10
next
end
next
end
Now we need to create the prefixes that we referenced in the route-maps, so that would look like this on both FortiGates:
config router prefix-list
edit "routeQ_Prefix"
config rule
edit 1
set prefix Q.Q.Q.Q 255.255.255.224
unset ge
unset le
next
end
next
edit "routeR_Prefix"
config rule
edit 1
set prefix R.R.R.R 255.255.255.224
unset ge
unset le
next
end
next
end
That's pretty much it. By virtue of the lower MED (that's what we modify with set-metric), the Site A FortiGate will advertise the Q route at a "higher" preference, and Site B will advertise the R route at a "higher" preference with its lower MED. However, both will have both routes available all the time in the event of a failure.
Hope that helps! - Daniel Hamilton
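As an added worked example (my own code, not Daniel's configuration and not anything from Fortinet), the following Python model encodes the per-prefix MED policy from the two route-maps above and runs a simplified version of the ISP router's BGP decision process over it. It shows which site the ISP forwards each /27 to when both sessions are up and after one site's session drops, and it includes a policy check for MED ties, which would otherwise leave the primary site to router-ID tie-breaking. It assumes the ISP applies the default decision process and compares MED across the two sessions because both sites peer from the same AS (as the thread states). The AS numbers and peering addresses are taken from the thread; the prefixes keep the thread's Q.Q.Q.Q/27 and R.R.R.R/27 placeholders; the site names and function names are mine.

```python
"""Model of how the ISP's BGP router chooses between the two sites' advertisements.

Added example, not from the thread. Encodes the outbound MED each site sets per
prefix (BGProuteQ_Routemap / BGProuteR_Routemap) and a simplified BGP decision
process, so the normal and failover forwarding choices can be seen directly.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

LOCAL_AS = 4294836658   # both sites peer from this AS (from the thread)
ISP_AS = 7545           # the ISP's AS (from the thread)
PREFIX_Q = "Q.Q.Q.Q/27"  # placeholder kept from the thread
PREFIX_R = "R.R.R.R/27"  # placeholder kept from the thread

# Outbound MED per prefix, per site, exactly as the two route-maps set them.
# "neighbor" is the FortiGate's peering address as the ISP sees it.
SITE_POLICY = {
    "SiteA": {"neighbor": "A.A.A.13", PREFIX_Q: 10, PREFIX_R: 20},
    "SiteB": {"neighbor": "B.B.B.16", PREFIX_Q: 20, PREFIX_R: 10},
}


@dataclass
class Advertisement:
    prefix: str
    next_hop: str       # peering address the ISP would forward to
    peer_as: int        # AS the ISP learned the route from
    med: int
    local_pref: int = 100
    as_path_len: int = 1


def advertisements(site: str, policy: Dict = SITE_POLICY) -> List[Advertisement]:
    """Routes a site announces to the ISP while its BGP session is up."""
    p = policy[site]
    return [Advertisement(prefix, p["neighbor"], LOCAL_AS, med)
            for prefix, med in p.items() if prefix != "neighbor"]


def best_path(candidates: List[Advertisement]) -> Optional[Advertisement]:
    """Simplified BGP decision process on the ISP side.

    Order: highest LOCAL_PREF, shortest AS_PATH, lowest MED. MED is only
    compared between routes learned from the same neighbouring AS (the
    default), which holds here because both sites use LOCAL_AS. Router-ID
    tie-breaking is not modelled; a MED tie is reported by check_policy().
    """
    best = None
    for c in candidates:
        if best is None:
            best = c
        elif c.local_pref != best.local_pref:
            if c.local_pref > best.local_pref:
                best = c
        elif c.as_path_len != best.as_path_len:
            if c.as_path_len < best.as_path_len:
                best = c
        elif c.peer_as == best.peer_as and c.med < best.med:
            best = c
    return best


def isp_routing_table(up_sites: List[str], policy: Dict = SITE_POLICY) -> Dict[str, str]:
    """Map prefix -> next hop the ISP installs, given which sites' sessions are up.

    A site whose session is down has its routes withdrawn, so it contributes
    no candidates; that is the failover the thread is after.
    """
    by_prefix: Dict[str, List[Advertisement]] = {}
    for site in up_sites:
        for adv in advertisements(site, policy):
            by_prefix.setdefault(adv.prefix, []).append(adv)
    return {prefix: best_path(advs).next_hop for prefix, advs in by_prefix.items()}


def check_policy(policy: Dict = SITE_POLICY) -> List[str]:
    """Return problems with the two-site MED policy (empty list = OK).

    Every prefix must have exactly one lowest-MED site (no tie, so the primary
    is deterministic), and each site should be primary for some prefix.
    """
    problems = []
    prefixes = [k for k in next(iter(policy.values())) if k != "neighbor"]
    primaries = set()
    for prefix in prefixes:
        meds = {site: policy[site][prefix] for site in policy}
        lowest = min(meds.values())
        winners = [s for s, m in meds.items() if m == lowest]
        if len(winners) != 1:
            problems.append(f"{prefix}: MED tie between {sorted(winners)}")
        else:
            primaries.add(winners[0])
    for site in policy:
        if site not in primaries:
            problems.append(f"{site}: not the preferred site for any prefix")
    return problems


if __name__ == "__main__":
    print("policy problems:", check_policy() or "none")
    print("both up:    ", isp_routing_table(["SiteA", "SiteB"]))
    print("site A down:", isp_routing_table(["SiteB"]))
    print("site B down:", isp_routing_table(["SiteA"]))
```

With both sessions up the model installs Q via A.A.A.13 and R via B.B.B.16; with only Site B up, both prefixes go to B.B.B.16. The check_policy() step is worth keeping in any change process for these route-maps: if someone edits one site's set-metric so the two sites' MEDs for a prefix collide, the primary is no longer chosen by policy but by the ISP router's later tie-breakers.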
No problem! Forgot to mention a couple details that you may or may not already have covered:
Without both of those elements in place you would find that you were not advertising the routes despite all the good routemap work we did before. :)
WOW!!! Thank you very much. I really was not anticipating such a detailed answer but I very much appreciate it.
Regards,
Ian
Once again, thank you very much. Your assistance has been greatly appreciated.
Regards,
Ian
