austinmas1987
New Contributor

Fortigate BGP multihoming with two separate ISPs and own public pool

aionescu
Staff

Hi austinmas1987, 

Welcome to the Fortinet community.

A few ideas on your scenario.

1. It is complicated...

In most cases one of the providers is "preferred" as being cheaper, faster, more reliable, and so on. In that case you would use AS prepend, for example, to manipulate the incoming traffic. You would prepend your AS to the "less" preferred ISP, so upstream ISPs will receive the prefix with a longer AS PATH from it and so will not prefer that path.

More info about this can be found at: Technical Tip: How to configure BGP AS prepending - Fortinet Community

If both ISPs are preferred, then it depends on the ISPs and their peering. For example, your client has ISP1 and ISP2 and a customer from ISP3 wants to reach your client. How will it reach it? It depends on ISP3 and how it prefers to route traffic towards the "Internet": over ISP1, ISP2 or a completely different ISP. So, even if you prefer both ISPs, they might have different routing strategies.

2. Can you be more specific? If you use BGP as the routing protocol you would have to advertise the prefix to both ISPs. Also, via BGP you will, supposedly, receive the default route.

3. Yes, you can rely solely on static routes for both incoming and outgoing traffic. 

As the questions are relatively general, so are the answers. However, if you have specific ones, do not hesitate to post them here.
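To make points 1 and 2 concrete, here is a FortiOS CLI sketch of the setup being described. This is an added example, not configuration posted by anyone in this thread or taken from the Fortinet tip linked above. Everything in it is a placeholder except the 200.200.200.0/24 pool mentioned in the thread: local AS 65000, ISP1 peer 198.51.100.1 in AS 65001 (the preferred provider), ISP2 peer 203.0.113.1 in AS 65002 (the less preferred one), and router-id 192.0.2.1. The same /24 is originated toward both neighbors, and only the session to ISP2 gets an outbound route-map that prepends our AS, so the rest of the Internet sees a longer AS PATH through ISP2.

```text
# Added example (placeholders, not the thread author's config).
# Route-map applied outbound toward ISP2 only: prepend our own AS twice
# so the prefix is seen with a longer AS_PATH via ISP2 than via ISP1.
config router route-map
    edit "PREPEND-ISP2"
        config rule
            edit 1
                set set-aspath "65000 65000"
            next
        end
    next
end

config router bgp
    set as 65000
    set router-id 192.0.2.1
    config neighbor
        # ISP1 (preferred): no prepend, the prefix goes out with AS_PATH "65000".
        edit "198.51.100.1"
            set remote-as 65001
        next
        # ISP2 (less preferred): prefix goes out as "65000 65000 65000".
        edit "203.0.113.1"
            set remote-as 65002
            set route-map-out "PREPEND-ISP2"
        next
    end
    # One network statement, advertised to both neighbors; the pool is not split.
    config network
        edit 1
            set prefix 200.200.200.0 255.255.255.0
        next
    end
end

# With the default network-import-check, BGP only originates the prefix if a
# matching route exists in the routing table; a blackhole static guarantees that
# even when no connected interface carries the whole /24.
config router static
    edit 10
        set dst 200.200.200.0 255.255.255.0
        set blackhole enable
    next
end
```

After committing, `get router info bgp neighbors` shows both sessions and `get router info bgp network 200.200.200.0/24` shows the prefix being originated. What the prepend cannot do is force a distant ISP3 to honor it: if ISP3 sets a higher local preference on routes learned from ISP2, local preference is compared before AS PATH length and the prepend is ignored, which is exactly the caveat in point 1 above.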

Toshi_Esumi
Esteemed Contributor III

For 2 and 3, first it depends on the ISP's router or their policy if they allow a customer specific config, including the prefix 200.200.200.0/24, in the router to spontaneously advertise toward the internet direction (into their own networks) other than the customer's ASN. Generally they just relay with some filters to filter what their customer devices (the FGT) advertise. If they don't, BGP neighboring between the FGT and two ISP routers is necessary. You have to talk to them.

Secondly, if the FGT doesn't advertise the prefix to both ISPs, you can't influence your preference toward the internet, like the AS prepend aionescu was talking about. You might ask each ISP to do that on your behalf if they're willing to do so. So it comes back to the first point.

Toshi

Toshi_Esumi
Esteemed Contributor III

You have to advertise the same /24 prefix to both ISPs if you want to get some from one ISP and the other from another ISP.

Toshi

Toshi_Esumi
Esteemed Contributor III

Oh, by the way, most ISPs don't take smaller than /24 over BGP unless those smaller prefixes are from them, so that they can summarize.

aionescu

Hi, I would say it is not a good practice to split the pool. You have to advertise it to both ISPs.

As previously stated, you can use either static routes or BGP.

For load balancing: you do have control over the outgoing traffic, but not over the incoming (I would say only if you prefer one ISP over the other, but not to have control of how much traffic comes from ISP1 or ISP2).

fcb
Contributor

Can you not just tell us the ISP? We may have familiarity, but I will say that we have a very similar setup with Segra here on the East Coast of the US and we threw this hot potato around for months while they were building everything out. Once we finally got in front of their engineering and they were very open and flexible to what we wanted (us providing them with a generic AS, we route if they don't, they route if we don't, we vacation they don't, and you get the idea), we quickly landed on allowing them to handle all of the routing and manage the BGP for us, and then we simply enabled SDWAN on our edges, allowed it to manage the gateway routes, and then controlled ingress and egress traffic via SDWAN rules, and it's worked beautifully. We have two ISPs providing three disparate geographic paths not only out of our DC but also out of our town and ultimately region. In our case, though, the one ISP provides two of the circuits and the second ISP provides the third, but even in the case of the two separate ISPs the SDWAN still does everything that we wanted in our use case in regards to BC.

I guess the point of my post, though, is to not try and engineer this thing until you talk to the ISP and see what their expectations are. They may not want to allow you to peer but so far into them, or they may want you to define everything. You just don't know until you talk to their folks that are in the know, and forget everything Sales has told you to this point because it's probably wrong. This is why I asked at the front end of my post about who your ISP(s) were.
