Hi all,

We are working on a config for a multihomed ISP solution. This is the setup:

Local Fortigate [AS100] <> L3 UPLINK A <> ISP router A [AS200]
Local Fortigate [AS100] <> L3 UPLINK B <> ISP router B [AS200]

The goal is to divide our assigned public IP space [100.100.100.0/24] into 2 segments to make use of both uplinks. I can get inbound traffic "split" by using "set set-metric xxx"; the failover also works between the 2 uplinks. The "problem" is that I don't know how to divide the outbound traffic based on the source segment. So my current setup of route-maps A-IN/B-IN is incorrect...
All ideas are welcome!
# BGP process: AS 100, two eBGP peers in AS 200, each /25 announced separately
config router bgp
    set as 100
    set router-id 100.100.100.100
    set network-import-check disable
    config neighbor
        edit "ISP router A"
            set link-down-failover enable
            set prefix-list-out "blockrule"
            set remote-as 200
            set route-map-in "A-IN"
            set route-map-out "A-OUT"
            set send-community6 disable
            set password ENC {---}
        next
        edit "ISP router B"
            set link-down-failover enable
            set prefix-list-out "blockrule"
            set remote-as 200
            set route-map-in "B-IN"
            set route-map-out "B-OUT"
            set send-community6 disable
            set password ENC {---}
        next
    end
    config network
        edit 1
            set prefix 100.100.100.0 255.255.255.128
        next
        edit 2
            set prefix 100.100.100.128 255.255.255.128
        next
    end
end
# Prefix lists used by the route-maps; with ge/le unset each entry is an exact-length match
config router prefix-list
    edit "blockrule"
        config rule
            edit 1
                set action deny
                set prefix 0.0.0.0 0.0.0.0
                unset ge
                unset le
            next
            edit 2
                set prefix any
                unset ge
                unset le
            next
        end
    next
    edit "SEGMENT-ONE"
        config rule
            edit 1
                set prefix 100.100.100.0 255.255.255.128
                unset ge
                unset le
            next
        end
    next
    edit "SEGMENT-TWO"
        config rule
            edit 1
                set prefix 100.100.100.128 255.255.255.128
                unset ge
                unset le
            next
        end
    next
    edit "DG"
        config rule
            edit 1
                set prefix 0.0.0.0 0.0.0.0
                unset ge
                unset le
            next
        end
    next
end
# Route-maps: *-OUT shape what is advertised to each ISP, *-IN shape the default route learned from each ISP
config router route-map
    edit "A-OUT"
        config rule
            edit 1
                set match-ip-address "SEGMENT-ONE"
                set set-local-preference 200
                set set-metric 100
            next
            edit 2
                set match-ip-address "SEGMENT-TWO"
                set set-local-preference 100
                set set-metric 200
            next
        end
    next
    edit "B-OUT"
        config rule
            edit 1
                set match-ip-address "SEGMENT-ONE"
                set set-local-preference 100
                set set-metric 200
            next
            edit 2
                set match-ip-address "SEGMENT-TWO"
                set set-local-preference 200
                set set-metric 100
            next
        end
    next
    edit "A-IN"
        config rule
            edit 1
                set match-ip-address "DG"
                set set-local-preference 100
                set set-metric 200
            next
            edit 2
                set match-ip-address "DG"
                set set-local-preference 200
                set set-metric 100
            next
        end
    next
    edit "B-IN"
        config rule
            edit 1
                set match-ip-address "DG"
                set set-local-preference 200
                set set-metric 100
            next
            edit 2
                set match-ip-address "DG"
                set set-local-preference 100
                set set-metric 200
            next
        end
    next
end
Trying to load balance with BGP is always an exercise in frustration, beware ...
Now to the case at hand:
- Setting Local Preference in outgoing advertisements is useless in 99% of the cases as your ISPs will NOT honor it.
The only way to influence traffic to your advertised routes is either via splitting the subnet into 2 or adding prepends on one of the BGP peerings, none of which is an exact science.
About your outgoing traffic, you have a few options:
HTH
Yuri
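To make concrete what the route-maps in the original post actually do, and why the local-preference values in A-OUT/B-OUT never reach the ISP as Yuri says, here is a small Python model. It is an added example, not FortiOS code and not from either poster: the prefix-list and route-map names and values are copied from the config above; the Route type, the simplified best-path rule (highest LOCAL_PREF, then lowest MED), the peer labels "ISP-A"/"ISP-B" and the host and destination addresses are constructed for the illustration.

```python
# Added example modelling the route-maps quoted above (not FortiOS code).
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Route:
    prefix: str           # destination prefix, e.g. "0.0.0.0/0"
    next_hop: str         # constructed label of the peer the route came from
    local_pref: int = 100
    metric: int = 0       # MED


# Prefix lists from the post; "unset ge / unset le" means an exact-length match.
PREFIX_LISTS = {
    "SEGMENT-ONE": ["100.100.100.0/25"],
    "SEGMENT-TWO": ["100.100.100.128/25"],
    "DG": ["0.0.0.0/0"],
}

# Route-maps from the post as ordered rules: (prefix-list, local-pref, metric).
ROUTE_MAPS = {
    "A-IN": [("DG", 100, 200), ("DG", 200, 100)],
    "B-IN": [("DG", 200, 100), ("DG", 100, 200)],
    "A-OUT": [("SEGMENT-ONE", 200, 100), ("SEGMENT-TWO", 100, 200)],
    "B-OUT": [("SEGMENT-ONE", 100, 200), ("SEGMENT-TWO", 200, 100)],
}


def prefix_list_matches(name: str, route: Route) -> bool:
    """Exact-length match, as the post's prefix lists have no ge/le."""
    net = ipaddress.ip_network(route.prefix)
    return any(net == ipaddress.ip_network(p) for p in PREFIX_LISTS[name])


def apply_route_map(name: str, route: Route):
    """First matching rule wins. Returns (modified route, rule number),
    or (None, None) for the implicit deny when nothing matches.
    Because A-IN/B-IN rule 2 matches the same list as rule 1, it is never reached."""
    for rule_no, (plist, lp, med) in enumerate(ROUTE_MAPS[name], start=1):
        if prefix_list_matches(plist, route):
            return replace(route, local_pref=lp, metric=med), rule_no
    return None, None


def best_path(candidates):
    """Simplified BGP decision process: highest LOCAL_PREF, then lowest MED."""
    return max(candidates, key=lambda r: (r.local_pref, -r.metric))


def egress_for(src_ip: str, dst_ip: str, fib):
    """Forwarding lookup: longest-prefix match on the destination only.
    The source address is validated but, as in a plain FIB lookup, never
    consulted, so hosts in both /25s leave through the same uplink."""
    ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    candidates = [r for r in fib if dst in ipaddress.ip_network(r.prefix)]
    best = max(candidates, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen)
    return best.next_hop


def ebgp_export(route: Route) -> dict:
    """Attributes that cross an eBGP session. LOCAL_PREF is an intra-AS
    attribute and is not sent to the neighbouring AS, so the value set in
    A-OUT/B-OUT is discarded; MED (set-metric) is sent, though the ISP may ignore it."""
    return {"prefix": route.prefix, "med": route.metric}


def simulate() -> dict:
    """Run the inbound route-maps over the two ISP defaults, install the
    best one, and report the egress used by a host in each segment."""
    from_a, _ = apply_route_map("A-IN", Route("0.0.0.0/0", "ISP-A"))
    from_b, _ = apply_route_map("B-IN", Route("0.0.0.0/0", "ISP-B"))
    fib = [best_path([from_a, from_b])]
    dst = "203.0.113.7"  # constructed Internet destination
    return {
        "segment_one_host": egress_for("100.100.100.10", dst, fib),
        "segment_two_host": egress_for("100.100.100.200", dst, fib),
    }


if __name__ == "__main__":
    print(simulate())
```

Running it shows both segments' hosts using "ISP-B", because B-IN gives the default route a local preference of 200 against A-IN's 100 and the resulting single default is applied by destination, never by source. The `ebgp_export` helper makes the second point: only the MED survives the trip to the ISP.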
What he has done should work. Have you checked what your ISP is seeing for the A and B outs?
Ken Felix
PCNSE
NSE
StrongSwan
I'm just going to point out the obvious here. You can't use /25's to advertise in the global route table. Not sure if that has anything to do with what you're experiencing, but unless your two connections are from the same ISP and they're aggregating it for you then I would say you cannot do what you're trying to do, period. I didn't know that /24 was the smallest route you could advertise when I got our /24 six years ago and I've regretted it ever since. Should have gotten a /23 :(