Support Forum
cwb2205
New Contributor

distributing 2 default gateways over BGP

Hi All,

 

I have set up 2 FortiGates at 2 main sites for a client. They have several small offices attached via a BGP network configured by the ISP. Only the 2 main sites have internet access, and the remote sites access the internet through the BGP network and out the FortiGates. All sites advertise their directly connected and static routes.

 

My question is, if I set a static gateway of last resort at each edge site, should the BGP network learn both of those resorts and make a routing decision. If we lose a site, should the other gateway take all internet traffic?

 

At the moment all internet traffic goes via Edge 1. When Edge 1 went offline due to a port outage at the site, no one routed traffic over the Edge 2 gateway. Edge 2 is the only site that sends its internet out 2.2.2.2 (obviously addresses have been changed for illustrative purposes only).

 

 

NSE 7 ATP3.0
emnoc
Esteemed Contributor III

Yes, if the two edges are redistributing a 0.0.0.0/0, then two should be in the BGP and one preferred. If that one goes away, the 2nd default route would be your only default.

 

Ken Felix

 

 

PCNSE 

NSE 

StrongSwan  
Toshi_Esumi
Esteemed Contributor III

It totally depends on how the ISP's internal network (AS 2500) is built. If it's an MPLS network, depending on the metric of how far one remote location is from those main locations, some of them take the Edge1 default route and others take the Edge2 default route. They're decided by the ISP's "edge" router that is eBGP peering to each location.

For outgoing traffic, it probably wouldn't matter which FGT to go through. But if you have out-to-in VPIs with either 1.1.1.1 or 2.2.2.2, it would be a problem when it's coming in from 1.1.1.1 but the 0/0 route is going toward the FGT w/ 2.2.2.2.

If you have access to each router(?) terminating the ISP circuit, you can take a look at the metric on BGP routes for those main locations' local subnets, then determine which 0/0 route would be used from that particular location. Or if those are the ISP's routers and you don't have access to them, you can just ask your ISP what would happen if two FGTs started advertising a 0/0 route.

Or your ISP might take some BGP metrics like communities, then make one of them primary and the other secondary.

Whatever the case is, you should talk to the ISP. No one else can tell you exactly what they can take and what would work.

 

emnoc
Esteemed Contributor III

I would start 1st by getting the ip bgp table; metric & communities mean nothing if you do not have two paths to begin with. So "show ip bgp 0.0.0.0/0", review and witness the bgp-table, and see if you have two paths, one active and preferred.

 

Ken Felix

PCNSE 

NSE 

StrongSwan  
cwb2205
New Contributor

Thanks guys,

 

I will continue to argue with the ISP. I wanted to make sure I wasn't crazy and that it should be able to work with 2 statics.

 

At the moment the ISP is insisting I need a layer 2 link and heartbeat between the FortiGates to assign the gateway dynamically and that it won't work with 2 static default gateways.

 

My argument is that when Edge 1 goes offline due to a power outage and the FortiGate is off, Edge 2 is the only gateway connected, so how is it different from Edge 2 being connected to the BGP network as the only gateway?

 

Anyway, thanks for your help. I have scheduled an ISP engineer to connect and tell me what their routing table says before and after I take Edge 1 offline. We don't have any access to that network.

 

Cheers,

 

Chris.

NSE 7 ATP3.0
ManagedIT

Hi @cwb2205 - did you ever get this working? I am trying the exact same setup - two main sites both with internet, connecting into an MPLS with BGP from an ISP. I have one advertising 0.0.0.0 and the remote sites are all connecting. When I add the second 0.0.0.0 from the other site, the other sites still only see one path for their default route, and it's of the other site, not the site we want to preference. I have created a route map and followed the below, but it still will only see one default route on the smaller sites.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-BGP-AS-prepending/ta-p/19...

If you did manage to get this working, I would love to know how you did.

Thanks

Toshi_Esumi
Esteemed Contributor III

As I mentioned 4 years ago, it's up to how the ISP/MSP's BGP network is designed/built. You need to ask your provider how you can add the second default route location. You can peek at it with "get router info bgp neighbor <neighbor_ip> received-routes" to see if a remote site is receiving both default routes.

If the hub sides are sending but remote ends are not receiving, nothing you can do about it other than asking the provider.

 

Toshi
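The check both emnoc and Toshi point to, written up as an added example (not code from the thread or from Fortinet): it parses a constructed received-routes table as a remote site would see it and reports whether two 0.0.0.0/0 paths actually arrived, which one is best, and which origin has AS-prepended. The ISP ASN 2500 comes from the thread; the site ASNs 65001/65002, next hop and prefixes are assumed.

```python
import re
from collections import defaultdict

# Constructed sample of a remote site's
# "get router info bgp neighbor <neighbor_ip> received-routes" output, in the
# usual Cisco-style BGP table layout. Addresses and site ASNs are made up;
# Edge 2 (AS 65002) has prepended, so the Edge 1 (AS 65001) default is best.
SAMPLE = """\
   Network          Next Hop            Metric LocPrf Weight Path
*> 0.0.0.0/0        10.0.0.1                 0             0 2500 65001 ?
*  0.0.0.0/0        10.0.0.1                 0             0 2500 65002 65002 65002 ?
*> 10.1.0.0/24      10.0.0.1                 0             0 2500 65001 i
*> 10.2.0.0/24      10.0.0.1                 0             0 2500 65002 i
"""

LINE_RE = re.compile(
    r"^(?P<status>[*>sdhi ]{1,4})\s*(?P<net>\d+\.\d+\.\d+\.\d+/\d+)\s+"
    r"(?P<nh>\S+)\s+(?P<rest>.*?)\s*(?P<origin>[ie?])$"
)

def parse_received_routes(text, neighbor_as):
    """Map each prefix to the paths received for it ('best', 'next_hop', 'as_path').

    The AS path is taken from the first occurrence of the peer's ASN onward, so the
    Metric/LocPrf/Weight columns are skipped whatever their spacing (a metric equal
    to the peer ASN would confuse this; not expected on a real table).
    """
    routes = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank or malformed line
        tokens = m.group("rest").split()
        if str(neighbor_as) not in tokens:
            continue  # not learned through this peer
        path = tokens[tokens.index(str(neighbor_as)):]
        routes[m.group("net")].append({
            "best": ">" in m.group("status"),
            "next_hop": m.group("nh"),
            "as_path": [int(t) for t in path],
        })
    return dict(routes)

def default_route_status(text, neighbor_as):
    """Summarise the 0.0.0.0/0 paths a remote site actually received."""
    paths = parse_received_routes(text, neighbor_as).get("0.0.0.0/0", [])
    best = next((p for p in paths if p["best"]), None)
    return {
        "paths": len(paths),            # fewer than 2 means no failover is possible
        "redundant": len(paths) >= 2,
        "best_origin_as": best["as_path"][-1] if best else None,
        # origin ASNs that repeat in their own path, i.e. have prepended
        "prepended": [p["as_path"][-1] for p in paths
                      if len(p["as_path"]) != len(set(p["as_path"]))],
    }
```

If "paths" is 1 at a remote site while both hubs are advertising, the provider's network is dropping or not propagating the second default, which is the situation ManagedIT describes.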
