Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Mohamedh219
New Contributor

Created on ‎05-09-2024 06:24 AM

Implementing FGSP with OSPF ECMP based on source IP address

 
"Should any errors be identified within this configuration, kindly provide guidance accordingly."
 
Configuring FGSP (FortiGate Session Life-long Peering) between FortiGate-A and FortiGate-B with ECMP (Equal-Cost Multi-Path) routing and IP SLA (IP Service Level Agreement) monitoring on the Cisco core switches. The goal is to ensure high availability and load balancing based on the source VLAN.

This my topology:

  • f75acd09-f9fe-484c-8548-1a2e9fa51eb7.pngConfiguration on FortiGate-A 7.0.5:
config system cluster-sync
    edit 1
        set peerip 172.30.30.1
    next
end
config system standalone-cluster
    set standalone-group-id 1
    set group-member-id 1
end
config system ha
    set standalone-config-sync enable
    set mode standalone
    set hbdev port2 256
end
  • Same configuration on FortiGate-B, but with the appropriate peer IP address and group member ID.

 

  • Access Control List (ACL) Configuration on Cisco Core Switches1:

access-list 10 permit 10.1.100.0 0.0.0.255   ! VLAN 100
access-list 10 permit 10.1.101.0 0.0.0.255  ! VLAN 101
access-list 20 permit 10.1.102.0 0.0.0.255  ! VLAN 102
access-list 20 permit 10.1.103.0 0.0.0.255  ! VLAN 103
 

  • IP SLA Configuration on Cisco Core Switches1:

ip sla 1
    icmp-echo 192.168.0.26 source-interface e0/2
        threshold 200
        timeout 200
        frequency 2 ! will send icmp-echo every 2 sec
        exit
    ip sla schedule 1 life forever start-time now
ip sla 2
    icmp-echo 192.168.0.30 source-interface e0/3
        threshold 200
        timeout 200
        frequency 2
        exit
    ip sla schedule 2 life forever start-time now
track 1 ip sla 1 reachability Create tracking objects for the IP SLA results to be used in the route map.
track 2 ip sla 2 reachability Create tracking objects for the IP SLA results to be used in the route map.
 

  • Route Map Configuration on Cisco Core Switches1:

route-map ECMP-PBR permit 5 
    match ip address 10 ! Standard ACL (VLAN 100,101).
    set ip next-hop verify-availability 192.168.0.26 1 track 1 ! Will add this next-hop as primary.
    set ip next-hop verify-availability 192.168.0.30 2 track 2 ! Will add this next-hop as Backup.
route-map ECMP-PBR permit 6
    match ip address 20 ! Standard ACL (VLAN 102,103)
    set ip next-hop verify-availability 192.168.0.26 2 track 1 ! Will add this next-hop as primary.
    set ip next-hop verify-availability 192.168.0.30 1 track 2 ! Will add this next-hop as Backup.
 
  • Apply Route Map on Cisco Core Switch LAN Interfaces:
int range po3,po4,e4/2
    ip policy route-map ECMP-PBR

 

  • Same configuration on Cisco Core Switch2 but we will change Ip address of FortiGate port.

 

Load balance based on source work now, Wireshark image:

Wireshark.PNG

 

 
 

 

Labels:
161
1 REPLY 1
AEK
SuperUser
SuperUser

Created on ‎05-09-2024 10:27 AM

Here you sync only config, not sessions, right?

AEK
AEK
110
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.