I searched the forums and saw different things and just got more confused. LOL
Here is our current set up (simplified).
We have fortigate 200E at two sites. We have S2S VPn between the sites that are always active. We also have an MPLS circuit between the sites. The MPLS is currently on our Core switch and using BGP to announce routes to the other site (and a couple more MPLS connected sites). The ISP side has an IP of our LAN on it as the "gateway" for routing across the MPLS. There are static routes for the other sites on the core switch which can be changed between the fortigate for S2S traffic in the event that the MPLS is down. There are also routes for use of the MPLS. I want to move the MPLS to our fortigates so we can do some more things with it and so we can add our new redundant core switches. The issue is i am not sure how to connect the MPLS to the fortigate since the IP is in the same range as the LAN. Do i just add another LAN ip to an interface and then have the BGP neighbors look at that IP address? I can do the routing in the fortigate and such once i get it connected properly.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Moving the MPLS circuit from the core-sw to FGT should be easy. You just need to copy the BGP config to the FGT with a new IP and the ISP need to change the neighboring to the FGT IP.
But if you want to merge two paths to the same destination into one BGP domain, you need to design the entire network properly including AS paths. I'm assuming it's L3 MPLS with eBGP over the ISP. Then S2S VPN would be a shorter path ASpath-wise, if you don't manipulate metrics.
Not looking to merge paths as we will be removing the MPLS circuits next year and moving to SD WAN or something like that. The MPLS is horrible for us.
Any ways to understand what you are saying...
Don't get on me about the IPs this was done prior to me. LOL
Site A:
LAN IP of FGT: 192.168.1.7
Core Switch IP: 192.168.1.10
IP of MPLS (carrier Side): 192.168.1.254
Site B:
LAN IP of FGT: 10.64.0.3
Core Switch IP: 10.64.0.5
IP of MPLS (carrier side): 10.64.0.254
So if I move the MPLS to the FGT I need to change the IP for the MPLS side to something different and add another IP range to the interface for the MPLS? correct? Like Below
Site A:
LAN IP of FGT: 192.168.1.7
Core Switch IP: 192.168.1.10
IP of MPLS (carrier Side): 10.0.0.1
IP of MPLS on FGT: 10.0.0.2
Then the BGP on the FGT at Site B would have the 10.0.0.2 as its neighbor.
It's depending on the MPLS provider but I wouldn't expect any particular change necessary. From the provider's view, the BGP neighbor 192.168.1.10 devices will change from your core sw to the FGT. Nothing else would change. If you want to keep the .10 IP on the sw instead of moving it to the FGT, and the FGT has like .11, the provider just needs to change the neighbor IP to .11 instead.
Just talk to the vendor, and schedule a maintenance window with them if that's the case.
I guess the questions I am having are in regards to connectivity. The MPLS will physical plug in to the FGT but I am not sure the IP of that interface can be the same as the current LAN subnet.. can it?
You're migrating it, right? Not keeping the current and adding another BGP session with the vendor. Why do you think you have to change the IP? Same thing would happen when your core switch dies and need to get it replaced with another. This time, you want to do it with your FGT.
Because when I try to add the MPLS to the FGT I have to give the interface an IP address. The current vendor side has an ip address on our subnet and it is connected to our core switch. I cannot add the interface to the FGT because the ip address would have to be in the same range as the current LAN. Make sense?
Probably I'm not understanding your current network topology and after the migration.
If you want to terminate the MPLS on a new port (WAN side) other than the LAN port, of course you need to have a different subnet from the one on LAN side.
See attached for current. The connection from the MPLS router (carrier router) would be placed in the FTG. I assume what I need to do will be to contact the carrier to change the IP of the MPLS router side to a new range and use that range for the FTG and set my routes up accordingly. There is not plug and play with the way this is currently set up.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1712 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.