Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
darrencarr
New Contributor II

BGP query

Hi All,

We as an organisation are moving away from running static routing for our outbound Internet and are looking to implement a BGP solution with our service provider. We are looking to run the services out of our redundant data centres to provide clients at the business HQ with a redundant path to the Internet. We connect to the two data centres through a redundant managed WAN service. At each site we advertise the local networks at the site to the managed WAN through RIPv2. These routes are then advertised by the service provider through the WAN to a managed router that in turn talks to a layer 3 device that is doing the advertising for each of the sites.

The service provider is able to provide a pair of redundant Internet services. A single service will be hosted out of each site. We have been allocated our own private AS number and have formed the relationship between ourselves and the ISP. We have used a Cisco router to form the relationship. The ISP is advertising the 'full route' and the 'default route' to us. We've also been allocated a block of public IP addresses (let's say 119.34.67.16/28) that are configured across the two services (sites). We will advertise this block of addresses to the ISP.

One of the issues we are having that I need to find a solution for is a method for advertising ONLY the 'default route' to the Fortigate that is sitting behind the router, which in turn will advertise the 'default route' to the RIPv2 process. Once in here it can then be advertised to the business and the other data centre. The default route will be 0.0.0.0 0.0.0.0 119.224.56.84/30.

What would be the best way to go about doing this? I've been reviewing the Advanced Routing guide but was looking for some feedback from people who may have done something similar?
Diagram:

    ISP AS xxxx --------> Fa0/0 Cisco Router AS xxxx Fa0/1 ------> VLAN_INT - Fortigate

Interface Config (adjusted for example):

    ISP Neighbour IP:      119.224.56.84/30
    Cisco Router Fa 0/0:   119.224.56.85/30
    Cisco Router Fa 0/1:   119.34.67.17/28
    Fortigate VLAN:        119.34.67.18/28

Thanks,
D
Fortigate 1000A v4.0,build194,100121 (MR1 Patch 4) Fortianalyzer 800B v4.0,build0130 (MR1 Patch 3)
red_adair
New Contributor III

You can work with Access Lists to only "learn" specific routes through BGP. There are various ways to perform filtering on "incoming route lists" or filtering "distributed lists". The example would only put routes into the route table that do match the router access-list. In reverse we could set action to drop, so it would accept all routes learned, except the ones defined in the access-list.

Example:

    config router access-list
        edit "NET_172.160.1.0"
            config rule
                edit 1
                    set prefix 172.160.1.0 255.255.255.0
                    set exact-match disable
                next
            end
        next
    end
    config router bgp
        set as 10
        config neighbor
            edit "1.2.3.4"
                set remote-as 20
                set distribute-list-in "NET_172.160.1.0"
            next
        end
        config redistribute "static"
            set status enable
        end
        set router-id 0.0.0.1
    end
red_adair
New Contributor III

Option-B: This would actually only accept the default route; all other routes would be dropped consequently.

    config router prefix-list
        edit "default_route"
            config rule
                edit 1
                    set prefix 0.0.0.0 0.0.0.0
                next
                edit 2
                    set action deny
                    set prefix any
                next
            end
        next
    end
    config router bgp
        set as 20
        config neighbor
            edit "1.2.3.4"
                set prefix-list-in "default_route"
                set remote-as 30
            next
        end
    end
emnoc
Esteemed Contributor III

Your post is kinda confusing, but I think what you're trying to get at is you need a default route from the Cisco into the Fortigate? Have you looked at the default-information originate command? Be careful, in that it will generate a default even if the next-hop for the internet is not present on the Cisco. What you need to do is talk to your ISP and have them inject a default-route only into the Cisco and have that pass thru to the Fortigate. This way if the Internet (ISP ASXXX) goes down, your default route will self-terminate its announcement.

e.g. from one of my routers and ASN:

    router bgp 57XX
     no network 0.0.0.0
     neighbor defaultonly peer-group
     neighbor defaultonly default-originate
     neighbor defaultonly prefix-list myprefixes001 out
     neighbor 216.7.x.9 peer-group defaultonly
    !
    !
    ip prefix-list myprefixes001 description allow only default route leak to neighbors
    ip prefix-list myprefixes001 seq 5 permit 0.0.0.0/0
    !
    !
    ! and on the cisco router, you would do a bgp-to-ripv2 redistribution
    !
    router rip
     version 2
     ! enable version 2 RIP
     network 2.0.0.0
     ! define the network to run RIPv2 on and where the FGT sits
     redistribute bgp 200 metric 8
     ! redistribute BGP ASN #### into RIP and optionally set the metric for this
    !

Now I'm curious as to why RIP when OSPF would be so much better?
PCNSE NSE StrongSwan
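Both of red_adair's filters (the access-list with exact-match disabled, and the prefix-list that permits 0.0.0.0/0 then denies any) and the outbound `permit 0.0.0.0/0` prefix-list in emnoc's Cisco snippet rely on the same rule semantics: rules are tried in sequence, the first match wins, anything that matches no rule is dropped, and a prefix-list rule without ge/le matches only a route of exactly that prefix length. The Python model below is an added example written for this thread; it is not FortiGate or Cisco code, the semantics it implements are the standard prefix-list behaviour as I understand it (verify against the FortiOS release you run), modelling `exact-match disable` as `le 32` is an assumption, and the received route feed is a constructed sample.

```python
"""Toy evaluator for ordered route-filter rules (added example, not vendor code)."""
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import Dict, List, Optional


@dataclass
class Rule:
    """One rule of a prefix-list or access-list.

    prefix=None stands for "any". ge/le give the allowed prefix-length range;
    with neither set the rule matches only a route of exactly prefix.prefixlen
    (standard prefix-list semantics, assumed here to hold for FortiOS as well).
    """
    prefix: Optional[IPv4Network]
    action: str = "permit"          # "permit" or "deny"
    ge: Optional[int] = None        # minimum prefix length, inclusive
    le: Optional[int] = None        # maximum prefix length, inclusive


def rule_matches(rule: Rule, route: IPv4Network) -> bool:
    """True if route lies inside rule.prefix and within the ge/le length window."""
    if rule.prefix is None:                      # "any"
        return True
    if not route.subnet_of(rule.prefix):         # 0.0.0.0/0 contains every route
        return False
    lo = rule.ge if rule.ge is not None else rule.prefix.prefixlen
    if rule.le is not None:
        hi = rule.le
    else:
        hi = 32 if rule.ge is not None else rule.prefix.prefixlen
    return lo <= route.prefixlen <= hi


def apply_filter(rules: List[Rule], received: List[str]) -> List[str]:
    """Return the received prefixes that survive the filter.

    Rules are tried in order and the first match decides; a route matching no
    rule is dropped (implicit deny), which is what makes the access-list in
    Option A a whitelist even though it has no explicit deny rule.
    """
    accepted: List[str] = []
    for text in received:
        route = IPv4Network(text)
        for rule in rules:
            if rule_matches(rule, route):
                if rule.action == "permit":
                    accepted.append(str(route))
                break
    return accepted


# Constructed sample of an inbound feed: the default plus a few "full table" entries.
RECEIVED = ["0.0.0.0/0", "1.0.0.0/8", "8.8.8.0/24",
            "172.160.1.0/24", "172.160.1.128/25", "172.160.0.0/16"]

# Option B from the thread: rule 1 permits the default route, rule 2 denies any.
OPTION_B = [Rule(IPv4Network("0.0.0.0/0")), Rule(None, "deny")]

# Option A: access-list permitting 172.160.1.0/24 with exact-match disabled,
# modelled (assumption) as also matching more-specific routes, i.e. le 32.
OPTION_A = [Rule(IPv4Network("172.160.1.0/24"), le=32)]

# Common mistake: adding "le 32" to the default-route permit admits everything.
TOO_BROAD = [Rule(IPv4Network("0.0.0.0/0"), le=32), Rule(None, "deny")]


def demo() -> Dict[str, List[str]]:
    """Evaluate the three filters against the constructed feed."""
    return {
        "option_b": apply_filter(OPTION_B, RECEIVED),
        "option_a": apply_filter(OPTION_A, RECEIVED),
        "too_broad": apply_filter(TOO_BROAD, RECEIVED),
    }


if __name__ == "__main__":
    for name, routes in demo().items():
        print(f"{name:10s} -> {routes}")
```

Running `demo()` shows Option B admitting only 0.0.0.0/0, Option A admitting the /24 plus the /25 inside it but not the covering /16, and the `le 32` variant letting the whole feed through, which is the kind of filter slip that would pull a full table onto the FortiGate and from there into RIP.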
darrencarr
New Contributor II

Hey guys,

Thank you all for your valuable input. I do apologise if the post was confusing; it was late last night when I submitted the query. I've included a network diagram of what I am trying to achieve.

Each site has a distinct IP addressing scheme allocated to it. The HQ will use 10.1.x.x/24, the Prod DC will use 10.2.x.x/24 and the DR DC will use 10.3.x.x/24. These 'local' networks will be advertised into the IP VPN through the respective 172.16.x.x/28 network address using RIPv2, which is what the ISP will support for internal route advertisement into the VPN.

The private ASN will be advertised by our ISP to our two sites with the same address block. The ISP will then advertise the 'full' and 'default' route to the Cisco router at each site. I then need to advertise the 'default' route from each data centre into the VPN to provide Internet redundancy (both default routes would be visible to the firewalls at each site). Assuming the ISP advertises the default route, I can then advertise this route into RIP between the sites?

Does this make sense?

Thanks,
D
Fortigate 1000A v4.0,build194,100121 (MR1 Patch 4) Fortianalyzer 800B v4.0,build0130 (MR1 Patch 3)
emnoc
Esteemed Contributor III

Drawing is much better, but even more confusion (mainly on the right side and specially with IP VPN & the other set of FGTs) after trying to figure out what you're doing or trying to accomplish. Now I have a few questions & thoughts for you:

Are you at least worried about asymmetrical routing and how it plays with your 119.x.x.20/28 announcement? I'm assuming the 10net are being NAT'd into this segment from either HA pair? If yes, that could become an issue later on down the road.

Does the ISP provider use BGP-MED to manipulate which is the most preferred link into your AS?

Have you or your provider looked at multihoming the internal BGP peers to provide a simple topology?

BTW, what is an IPVPN (an MPLS cloud?) and how do you use it? Is it truly a layer 2 or 3 service?

Since you have no control over how or which redundant ISP link this comes over, this (asymmetrical) could be a big problem. And more so if a host on network 10.2.2.0/24 is NAT'd via FGT with inside .7 and the ISP routes the return down the other path at the opposite location. If you're hosting from 2 physical sites, and are looking at redundancy between these sites and within the same subnet (announcement), you need to really think this thru & build a topology that's simple and straightforward (K.I.S.S).

Distributing a default thru your IPVPN to the far-right side can be doable, and by the use of metric you can make it (the other RIPv2 default route) less preferred, by manipulating the metric of this route (see above Cisco method). I'll draw you up a drawing later on what and how I think it would be KISS and gets you what you need. The route manipulation would be trivial.
PCNSE NSE StrongSwan
emnoc
Esteemed Contributor III

Drawing:

Something like this would be way much better; it provides your dual uplink, and redistributes the default route to the FGT. If the ISP001 link goes down or the Cisco dies, the other side becomes active and your best path and only path to the internet. You might need to weight the RIPv2 default advertisement. BTW, you can get the same thing with OSPF and with a faster convergence time. RIP is god awful slow to react to network changes.
PCNSE NSE StrongSwan
darrencarr
New Contributor II

Hey Emnoc,

In your simple drawing you have captured what it is I am trying to achieve! :) Our ISP has configured BGP so that the 10.2.x.x network (left side) is the preferred site.

A further piece of information that I need to include is this. At our site we run MS ISA on our client workstations. The PROXY server is enforced through a GPO in AD. The DNS server has two IP addresses for PROXY, one on the 10.2.x.x network and one on the 10.3.x.x network. A client will randomly select one of these addresses for outbound Internet traffic. I believe this will work as the default route for each site will be the preferred route (the metric of the other side will be higher than the default route for the site). Just to confirm, I would then redistribute the default route into my RIP process. Appreciate this is slow but this is where we are at today. We will push to change this in the future.

Now, I have one last query. Our ISP can advertise the 'full' route and the 'default' route. In your experience do you have both advertised or do you just have them advertise the default route?

Thanks for all of your help :)
Fortigate 1000A v4.0,build194,100121 (MR1 Patch 4) Fortianalyzer 800B v4.0,build0130 (MR1 Patch 3)
emnoc
Esteemed Contributor III

Well, since you're peered to the same ISP, and all traffic for your 119.x.x.x network is going to terminate thru ISP "XYZ", just go with the default-route from the ISP provider. This would reduce the overhead on the BGP router (Cisco private-ASN) and nothing is to be gained with receiving all 300K+ BGP table entries ;) You also don't want to redistribute the 300K+ BGP table entries into RIP for the obvious reasons.
PCNSE NSE StrongSwan