abood
New Contributor

FortiGate BGP Design

Hello, I have two FortiGate 1000C units, and I'm in the process of getting two internet links from the same ISP, and I want to apply BGP. I have the following questions:

1- I will receive the default route from the ISP through the two lines, but I need to prefer WAN2, which is the second internet line from the ISP, and in case that line is down, automatically use the first line. My question: what BGP feature will be used? Or just use a static route?

2- I will advertise my public subnet through the two lines, but I want some IPs within this subnet to prefer WAN1. What BGP feature should I use to achieve this? Or use policy-based routing only?

3- Currently I have WAN load balancing enabled. After applying BGP and doing the points mentioned above, I think I should disable the WAN load balancing feature, right?

4- Do I need to enable some SLA mechanism in order to keep monitoring the WAN lines, especially if we use a static route? Or can receiving the default route solve this issue?

5- I have static VPN tunnels with other companies, and I will create a loopback interface as the tunnel source address and use one IP of my public subnet as the IP for the loopback interface, instead of the WAN interfaces' IPs, to avoid creating two IPsec tunnels, right?

Thanks in advance
3 Replies
MikePruett
Valued Contributor

You can use weights for your peers to prefer one over the other for the routes they send to you, and you can also use route maps, etc., to broadcast IPs out certain BGP peers.

For monitoring you can do link monitors (config system link-monitor), but if the WAN drops you will stop receiving routes from that connection and it should default to the other.

You could use a single IP on the IPsec and in the event of failure that IP gets broadcast out the other pipe, so no changes would be needed.

Mike Pruett Fortinet GURU | Fortinet Training Videos
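
The approach in the reply above, sketched as FortiOS CLI (an added example, not part of the original posts): a higher weight on the WAN2 neighbor prefers the default route learned there, and per-neighbor outbound prefix lists (used here in place of route maps) advertise the whole subnet on both links plus a more-specific half on WAN1 only, so nothing outside the listed prefixes is announced. The AS numbers, peer addresses, prefixes and list names are constructed placeholders, and it assumes the ISP accepts the more-specific prefix.

```fortios
# Added example. All addresses, AS numbers and names are constructed placeholders.
config router prefix-list
    edit "PL-OUT-WAN2"
        config rule
            edit 1
                set prefix 203.0.113.0 255.255.255.0
            next
        end
    next
    edit "PL-OUT-WAN1"
        config rule
            edit 1
                set prefix 203.0.113.0 255.255.255.0
            next
            edit 2
                set prefix 203.0.113.0 255.255.255.128
            next
        end
    next
end
config router bgp
    set as 64500
    config neighbor
        # WAN1 peer: whole subnet plus the more-specific half
        edit "198.51.100.1"
            set remote-as 64501
            set prefix-list-out "PL-OUT-WAN1"
        next
        # WAN2 peer: higher weight wins for routes learned here (the default route)
        edit "198.51.100.5"
            set remote-as 64501
            set weight 200
            set prefix-list-out "PL-OUT-WAN2"
        next
    end
    config network
        edit 1
            set prefix 203.0.113.0 255.255.255.0
        next
        edit 2
            set prefix 203.0.113.0 255.255.255.128
        next
    end
end
```

With the default `network-import-check` setting, FortiOS only originates a `config network` prefix that also has a matching route in its routing table. `get router info bgp network` shows which path was selected for the default route.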
abood

Thank you.

Regarding the WAN load balance, I need to disable it before applying BGP since there is no advantage to using it in this case, right?

Regarding the IPsec tunnel, I think I can use a loopback to terminate the IPsec tunnel, right?

Thanks

MikePruett
Valued Contributor

I would throw both interfaces in a zone. WLLB isn't a good use for this deployment.

Mike Pruett Fortinet GURU | Fortinet Training Videos