Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ddskier
Contributor

OSPF - Point to Point Failover

We currently have two point-to-point lines that connect our main office to our Collocation center. We primarily force all traffic over the main point-to-point using static routing. (We do have some traffic going over the backup line via a policy route.) We are currently using the Detect Server (Ping) feature of the Fortinet units to know if the main point-to-point is down. The problem that we are running into is that we would like to move towards dual-stacked IPv4 and IPv6; however, Fortinet has no plans to support the Detect Server feature for IPv6. So I was thinking about moving to a routing protocol setup like OSPF to accomplish the same thing as the Detect Server. Is this possible using OSPF with two point-2-point links that connect to the same two end points? Or does anyone have an alternative method?

-DDSkier FCNSA, FCNSP FortiGate 400D, (2) 200D, (12) 100D, (2) 60D

emnoc
Esteemed Contributor III

fwiw: Network 0.0.0.0 is the same as saying Area 0. On the default routing, just push or originate a default route into your ospf process like what most others do. If you have an internal uplink gateway device (i.e. a cisco, juniper, etc.), push that default 0.0.0.0/0 into your ospf process from that device (at the colo). In fact you could have multiple exits and provide redundancy if you had a co-lo failure. This would require a 2nd colo uplink location, but that's another whole design.

PCNSE NSE StrongSwan
emnoc
Esteemed Contributor III

"After all that converges, the route with the least amount of hops is used for routing"

Everything you said is correct, except the above. Metric is the only calculation, and nowhere in the OSPF information base or computing do hops ever come into play. In fact you could have more hops between location X and Y, but have a lower overall metric, and that could be installed into the RIB. BGP, RIP, EIGRP (cisco), all use hops in some shape or fashion for these distance vector protocols. I figured I would clarify this.

FWIW: on cisco, you can very much install ospf area statements as either network area 0 or network area 0.0.0.0. fwiw you can use a network-number for routing via static routes of a default-network for gateway of last resort, but I have hardly ever seen anybody doing that today, and there is no such need for this with any dynamic routing protocols & a properly defined network imho

PCNSE NSE StrongSwan
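An added illustration of the cost-versus-hops point above (not part of the original thread): a small shortest-path-first calculation showing that OSPF picks the lowest total cost rather than the fewest hops, and that the higher-cost backup link takes over once the main link drops out of the topology. The router names, link names and costs are constructed assumptions, not values from the posters' network.

```python
import heapq

def spf(links, src):
    """Dijkstra over (a, b, cost, name) links.
    Returns {node: (total_cost, [link names along the path])}."""
    adj = {}
    for a, b, cost, name in links:            # treat every link as bidirectional
        adj.setdefault(a, []).append((b, cost, name))
        adj.setdefault(b, []).append((a, cost, name))
    best = {}
    heap = [(0, src, [])]
    while heap:
        cost, node, path = heapq.heappop(heap)
        if node in best:                       # already settled at a lower cost
            continue
        best[node] = (cost, path)
        for nbr, link_cost, name in adj.get(node, []):
            if nbr not in best:
                heapq.heappush(heap, (cost + link_cost, nbr, path + [name]))
    return best

# Constructed sample: two parallel point-to-point links between the same routers.
MAIN = ("office", "colo", 10, "main-p2p")       # preferred: lower cost
BACKUP = ("office", "colo", 100, "backup-p2p")  # used only when main is gone

def path_to_colo(links):
    """Best (cost, path) from office to colo, or None if unreachable."""
    return spf(links, "office").get("colo")

def failover_demo():
    normal = path_to_colo([MAIN, BACKUP])
    # Main link down: the adjacency is lost, so the link leaves the topology.
    failed = path_to_colo([BACKUP])
    return normal, failed

def cost_beats_hops():
    # One direct hop at cost 100 versus three hops at cost 10 each.
    links = [
        ("office", "colo", 100, "direct"),
        ("office", "r1", 10, "a"),
        ("r1", "r2", 10, "b"),
        ("r2", "colo", 10, "c"),
    ]
    return path_to_colo(links)

if __name__ == "__main__":
    print(failover_demo())
    print(cost_beats_hops())
```

A default route originated at the colo would follow the same selection: the office router reaches it over whichever link currently gives the lowest total cost.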
rwpatterson
Valued Contributor III

Yep... The lowest COST is used. My bad. :(

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

ddskier

Sorry it took me so long to respond, I have been swamped with other things. So I think I have a configuration setup that should work (See Diagram).

Questions:
1. Does that look right to you guys as it will route traffic by default on the Main Point-2-Point line first? Does the networking look right?
2. Once the routing gets the traffic from the Main Office to the Collocation via OSPF, I assume static and/or BGP routing takes over to route it to the Internet, right? Or do I have to use the "Redistribute" settings of OSPF within the Fortigate unit?
3. Is there something specific I have to do to enable OSPFv3? Or just set up IPv6 Networks and it's automatic?

Thanks for all the help!

-DDSkier FCNSA, FCNSP FortiGate 400D, (2) 200D, (12) 100D, (2) 60D

emnoc
Esteemed Contributor III

Cool diagram and explanation, you can send the default route downwind via the right-side and have an automatic failover. PBR could be used as an alternative for traffic that you might want to break out of the normal route-selection.

PCNSE NSE StrongSwan
ddskier

ORIGINAL: emnoc
"Cool diagram and explanation, you can send the default route downwind via the right-side and have an automatic failover. PBR could be used as an alternative for traffic that you might want to break out of the normal route-selection."

Questions:
1. Does that look right to you guys as it will route traffic by default on the Main Point-2-Point line first? Does the networking look right?
2. Once the routing gets the traffic from the Main Office to the Collocation via OSPF, I assume static and/or BGP routing takes over to route it to the Internet, right? Or do I have to use the "Redistribute" settings of OSPF within the Fortigate unit?
3. Is there something specific I have to do to enable OSPFv3? Or just set up IPv6 Networks and it's automatic?

-DDSkier FCNSA, FCNSP FortiGate 400D, (2) 200D, (12) 100D, (2) 60D

emnoc
Esteemed Contributor III

q1: yes
q2: yes, whatever access or reach at colo is what and how you get to the internet, with of course appropriate fwpolicies and NAT/PAT rules
q3: read the manual, they explain how to enable and use IPv6. I have never done IPv6 on fortigates outside of static, and my other IPv6 routing has been bgp and EIGRP (cisco). But the concept starts with enabling ipv6 interfaces, applying v6 fwpolicy and placing routing, dynamic or static. The same thing that ipv4 needs, you will need for ipv6, and the concept is all prefix based, no more class boundaries or classful networks.

PCNSE NSE StrongSwan
ddskier
Contributor

Thanks for the help. Now that I think I have the settings planned out, I'm going to try them out. I'll let you know how it goes.

-DDSkier FCNSA, FCNSP FortiGate 400D, (2) 200D, (12) 100D, (2) 60D

ddskier

Ok, I believe that I have the OSPF working. I see entries in both firewalls' routing tables with a type of OSPF. I can even ping the various interfaces on the other firewall. The issue that I am running into now is that OSPF is NOT adding a default route so that the "Company" firewall will route all Internet requests to the "Colo" firewall. (See previous diagrams.) Basically, the "Company" firewall doesn't know to route Internet requests to the Colo. Any ideas on how I can get this default route working with my OSPF config?

-DDSkier FCNSA, FCNSP FortiGate 400D, (2) 200D, (12) 100D, (2) 60D

emnoc
Esteemed Contributor III

Did you investigate the OSPF originate at the colo? Worst case, you add statics and dead gateway detection.

PCNSE NSE StrongSwan