Support Forum
dl_ger
New Contributor

Fortigate BGP - 2 DC

Hello,

I have an active-passive cluster which is split into two datacenters. Between the datacenters I have a Layer 2 connection.

The ISP is the same in both datacenters. However, I have two different transfer networks.

For this reason I have two WAN VLANs.

If I add an IP address from my BGP network as a secondary IP address on the one WAN VLAN, I can ping it etc.

Now my question is: how can I connect my BGP network to the FortiGate so that it also works in Datacenter 2 in case of a failure of Datacenter 1?

[image: fg_ap_bgp.png]

Thank you.

 

Toshi_Esumi
SuperUser

Since I haven't done anything like this before, all my comments below are just my "ideas".

I have two ideas:

1. Have a separate VDOM to interface with the ISP from both DCs separately. To do that, you need to exclude the VDOM from HA sync. I don't know exactly how you can accomplish this since this is just an idea. But you will need a VDOM-link or npu-vlink, then set up eBGP between the ISP-interfacing VDOM and your main VDOM.

2. Have both interface IPs/subnets 80.x.10.x/30 and 80.x.20.x/30 on the same physical interface as main IP and secondary IP with the ISP. Obviously only one of them would come up/communicate with the ISP. Then set up two BGP neighbors on both subnets. When DC1 is the HA primary, only the 80.x.10.y neighbor comes up. When it fails over, only the 80.x.20.y neighbor would come up on the DC2 FGT.
I'm not sure exactly how the ISP side's BGP would behave when the fail-over happens. You probably need to carefully test it somehow. I would imagine the transition would take a long time on the ISP side.

Probably not much help for you, but I was afraid you might not get any responses. So I just posted my ideas.

Toshi
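To make idea 2 concrete, here is an added FortiOS CLI fragment (my own example, not configuration from the poster or from Fortinet): one HA-synced ISP-facing port carrying both transfer-network addresses, with one eBGP neighbor per address, an MD5 session password and short timers so the ISP drops the stale session quickly after failover. The addresses 198.51.100.0/30 and 198.51.100.4/30 are placeholders standing in for the poster's 80.x.10.x/30 and 80.x.20.x/30; the ASNs 65001/64500, the advertised prefix 203.0.113.0/24 and the port name are assumptions.

```text
# Added example, not from the post. Placeholders: 198.51.100.0/30 and
# 198.51.100.4/30 replace 80.x.10.x/30 and 80.x.20.x/30; ASNs, prefix
# and port name are assumed.
config system interface
    edit "port1"
        set vdom "root"
        set ip 198.51.100.2 255.255.255.252
        set allowaccess ping
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 198.51.100.6 255.255.255.252
                set allowaccess ping
            next
        end
    next
end
config router bgp
    set as 65001
    set router-id 198.51.100.2
    config neighbor
        # DC1 transfer network: only this session forms while DC1 is primary
        edit "198.51.100.1"
            set remote-as 64500
            set password "REPLACE-WITH-SHARED-SECRET"
            set keep-alive-timer 10
            set holdtime-timer 30
            set bfd enable
        next
        # DC2 transfer network: only this session forms after failover to DC2
        edit "198.51.100.5"
            set remote-as 64500
            set password "REPLACE-WITH-SHARED-SECRET"
            set keep-alive-timer 10
            set holdtime-timer 30
            set bfd enable
        next
    end
    config network
        edit 1
            set prefix 203.0.113.0 255.255.255.0
        next
    end
end
```

After a forced failover, `get router info bgp summary` on the new primary should show only the DC2 neighbor Established; the hold timer (30 s here) bounds how long the ISP keeps the DC1 session, and BFD only helps if the ISP enables it too.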
