FortiGate BGP dual-home with multiple ISP

Problem

Design with two ISPs and a RIPE-routed public IP range. How to make the public range reachable over both ISPs without asymmetric routing, with ISP-1 as the primary.


Solution

FortiGate Basic BGP configuration

First, start with the basic BGP configuration:
config router bgp
    set as 65301
    set router-id 100.200.100.254
    set keepalive-timer 45
    set holdtime-timer 120
    set bestpath-med-missing-as-worst enable
    set graceful-restart enable
    config redistribution connected
        set status enable
    end
end
  • bestpath-med-missing-as-worst: A route without a MED is automatically treated as the worst path.
  • graceful-restart: Advertise reboots to neighbors so they don't see the router as offline, wait before declaring them offline, and define how long to wait after they reboot before advertising updates. These commands apply to neighbors and are part of the BGP capabilities. This prevents unneeded routing updates.
  • holdtime-timer: How long the router will wait for a keepalive message before declaring a neighbor offline. A shorter time detects an offline router faster.
  • keepalive-timer: How often the router sends keepalive messages to neighbor routers to maintain those sessions.

BGP Route-Map and Prefix Settings

config router prefix-list
    edit "NET_0.0.0.0"
        config rule
            edit 1
                set prefix 0.0.0.0 0.0.0.0
                unset ge
                unset le
            next
        end
    next
    edit "NET_100.200.100.0-24"
        config rule
            edit 1
                set prefix 100.200.100.0 255.255.255.0
                unset ge
                unset le
            next
        end
    next
end
config router aspath-list
    edit "AS65100"
        config rule
            edit 1
                set action permit
                set regexp "^65100_"
            next
        end
    next
end
config router route-map
    edit "MAP_100.200.100.0"
        config rule
            edit 1
                set match-ip-address "NET_100.200.100.0-24"
                unset set-ip-nexthop
                unset set-ip6-nexthop
                unset set-ip6-nexthop-local
                unset set-originator-id
            next
        end
    next
    edit "MAP_0.0.0.0_65100"
        config rule
            edit 1
                set match-as-path "AS65100"
                set match-ip-address "NET_0.0.0.0"
                unset set-ip-nexthop
                unset set-ip6-nexthop
                unset set-ip6-nexthop-local
                unset set-originator-id
            next
        end
    next
end
The MAP_0.0.0.0_65100 route-map matches only when the default route is learned from AS 65100 (ISP-1). That is needed later to prevent asymmetric routing.

BGP Neighbour Configuration

config router bgp
    config neighbor
        edit "100.100.100.254"
            set bfd enable
            set prefix-list-in "NET_0.0.0.0"
            set prefix-list-out "NET_100.200.100.0-24"
            set remote-as 65100
            set weight 300
        next
        edit "100.100.160.254"
            set bfd enable
            set prefix-list-in "NET_0.0.0.0"
            set prefix-list-out "NET_100.200.100.0-24"
            set remote-as 65200
            set weight 100
            config conditional-advertise
                edit "MAP_100.200.100.0"
                    set condition-routemap "MAP_0.0.0.0_65100"
                    set condition-type non-exist
                next
            end
        next
    end
end
Neighbour 100.100.100.254 is the primary ISP (ISP-1). The prefix-list-in allows only the default route to be advertised to the FortiGate, and the prefix-list-out sends only the public IP range to the ISP router.
Neighbour 100.100.160.254 is the secondary ISP (ISP-2), with the same prefix-list-in and prefix-list-out configuration. In addition, this neighbour has conditional-advertise configured so that the 100.200.100.0 route-map is only sent if the default route is NOT learned from AS 65100. To achieve this you need the MAP_0.0.0.0_65100 route-map.

In the normal situation both ISPs are reachable from the FortiGate; the weight attribute defines that ISP-1 (weight 300) is preferred over ISP-2 (weight 100).
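The following Python model is an added illustration, not FortiOS code or anything from the original post. It reproduces the three decisions the configuration above makes: weight-based best-path selection, the AS-path regex behind aspath-list AS65100 / route-map MAP_0.0.0.0_65100 (including the BGP meaning of "_", which plain regex engines do not know), and the non-exist conditional advertisement toward ISP-2. The RIB contents are constructed from the addresses on this page, and comparing only weight is a simplification that is sufficient for this scenario. It also shows why prefix-list-out matters: the learned default routes never leave toward the other ISP, so the FortiGate cannot become transit between the two providers.

```python
"""Model of the dual-ISP BGP policy above (added illustration, not FortiOS code)."""
import re
from dataclasses import dataclass


@dataclass
class Route:
    prefix: str
    nexthop: str
    weight: int
    as_path: list          # AS numbers as received; [] for locally originated


def bgp_regex_to_python(pattern: str) -> str:
    """Translate a FortiOS/Cisco-style AS-path regex into Python syntax.

    In BGP regexes '_' is a delimiter matching start, end, space, comma,
    braces or parentheses; Python's re treats '_' literally, so expand it.
    """
    return pattern.replace("_", r"(?:^|$|[ ,{}()])")


def as_path_matches(pattern: str, as_path: list) -> bool:
    """Evaluate an aspath-list rule against the space-joined AS path."""
    return re.search(bgp_regex_to_python(pattern), " ".join(map(str, as_path))) is not None


def best_path(rib: list, prefix: str):
    """Highest weight wins (weight is the first tiebreaker FortiOS applies)."""
    candidates = [r for r in rib if r.prefix == prefix]
    return max(candidates, key=lambda r: r.weight) if candidates else None


def map_default_from_65100(rib: list) -> list:
    """Equivalent of MAP_0.0.0.0_65100: default route whose path starts with AS 65100."""
    return [r for r in rib
            if r.prefix == "0.0.0.0/0" and as_path_matches("^65100_", r.as_path)]


# Neighbour policy as configured on the page: prefix-list-out toward both ISPs
# carries only the public /24; ISP-2 additionally has the non-exist condition.
NEIGHBORS = {
    "100.100.100.254": {"remote_as": 65100, "prefix_list_out": {"100.200.100.0/24"},
                        "conditional": None},
    "100.100.160.254": {"remote_as": 65200, "prefix_list_out": {"100.200.100.0/24"},
                        "conditional": {"advertise": {"100.200.100.0/24"},
                                        "condition": map_default_from_65100,
                                        "type": "non-exist"}},
}


def advertised_to(rib: list, neighbor_ip: str) -> list:
    """Prefixes the FortiGate would announce to one neighbour under this policy."""
    nb = NEIGHBORS[neighbor_ip]
    # Only best paths are advertised, and prefix-list-out keeps the learned
    # default routes from leaking to the other ISP (no transit).
    out = {r.prefix for r in rib
           if r.prefix in nb["prefix_list_out"] and best_path(rib, r.prefix) is r}
    cond = nb["conditional"]
    if cond and cond["type"] == "non-exist" and cond["condition"](rib):
        # The condition route-map matched a route, so the non-exist test fails
        # and the conditional prefixes are withheld from this neighbour.
        out -= cond["advertise"]
    return sorted(out)


def rib_both_isps_up() -> list:
    """Constructed RIB mirroring the 'Both ISPs online' table on the page."""
    return [
        Route("0.0.0.0/0", "100.100.100.254", 300, [65100]),
        Route("0.0.0.0/0", "100.100.160.254", 100, [65200]),
        Route("100.100.100.248/29", "0.0.0.0", 32768, []),
        Route("100.100.160.248/29", "0.0.0.0", 32768, []),
        Route("100.200.100.0/24", "0.0.0.0", 32768, []),
    ]


def rib_isp1_down() -> list:
    """Constructed RIB mirroring the 'ISP-1 is offline' table on the page."""
    return [r for r in rib_both_isps_up()
            if r.nexthop != "100.100.100.254" and r.prefix != "100.100.100.248/29"]


if __name__ == "__main__":
    for name, rib in (("both ISPs up", rib_both_isps_up()), ("ISP-1 down", rib_isp1_down())):
        print(f"{name}: best default via {best_path(rib, '0.0.0.0/0').nexthop}")
        for nb in NEIGHBORS:
            print(f"  advertised to {nb}: {advertised_to(rib, nb)}")
```

With both ISPs up the model announces the /24 to ISP-1 only and withholds it from ISP-2; once the AS 65100 default disappears, the non-exist condition passes and the /24 is announced to ISP-2, which is exactly the behaviour the Test / Verify section below records.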

Test / Verify

Both ISPs online

When both ISPs are reachable, the routing table looks as follows:
# get router info bgp network 
VRF 0 BGP table version is 8, local router ID is 192.168.60.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight RouteTag Path
*> 0.0.0.0/0        100.100.100.254    4294967294           300        0 65100 i <-/1>
*                   100.100.160.254    4294967294           100        0 65200 i <-/->
*> 100.100.100.248/29  0.0.0.0                            32768        0 ? <-/1>
*> 100.100.160.248/29  0.0.0.0                            32768        0 ? <-/1>
*> 100.200.100.0/24    0.0.0.0                       100  32768        0 i <-/1>

Total number of prefixes 4
As you can see, the FortiGate learns the default gateway from both ISPs, but the gateway 100.100.100.254 (ISP-1) is the best.

Take a look at the provider BGP networks
ISP-2:
<shorted>
*> 100.200.100.0/24    192.168.1.2                            0 65100 65301 i
<shorted>

ISP-2 learns the public IP range from the FortiGate via ISP-1.

ISP-1 is offline

# get router info bgp network 
VRF 0 BGP table version is 8, local router ID is 192.168.60.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight RouteTag Path
*> 0.0.0.0/0        100.100.160.254    4294967294           100        0 65200 i <-/1>
*> 100.100.160.248/29  0.0.0.0                            32768        0 ? <-/1>
*> 100.200.100.0/24    0.0.0.0                       100  32768        0 i <-/1>

Total number of prefixes 3
After the hold timer expires, the FortiGate uses the default route over ISP-2.

Take a look at the provider BGP networks
ISP-2:
<shorted>
*> 100.200.100.0/24    192.168.1.2                            0 65301 i
<shorted>

ISP-1:
<shorted>
*> 100.200.100.0/24    192.168.1.3                            0 65200 65301 i
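Checking the failover by eye works once; a monitoring job should do it continuously. The parser below is an added example, not a Fortinet tool, and reads the "get router info bgp network" output shown above: it extracts the status flags, network and next hop of every table line, carries the network forward onto the additional-path lines that leave that column blank, and reports whether the best default route still points at the primary ISP. Metric, weight and AS-path columns are deliberately not parsed because their alignment shifts when a next hop overflows its column. The two sample outputs are copied from this page; the primary next hop is passed in rather than assumed.

```python
"""Parser for 'get router info bgp network' output (added example, not a Fortinet tool)."""
import re

LINE_RE = re.compile(
    r"^(?P<status>[sdh*>iS]+)"                  # status flags (* valid, > best, ...)
    r"\s+(?:(?P<network>\S+/\d+)\s+)?"          # blank on extra paths of the same prefix
    r"(?P<nexthop>\d+(?:\.\d+){3})\s"
)


def parse_bgp_table(text: str) -> list:
    """Return one dict per table line; header, legend and total lines are skipped."""
    entries, current = [], None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        current = m.group("network") or current  # carry the network forward
        entries.append({
            "network": current,
            "nexthop": m.group("nexthop"),
            "valid": "*" in m.group("status"),
            "best": ">" in m.group("status"),
        })
    return entries


def default_route_state(text: str, primary: str, prefix: str = "0.0.0.0/0") -> dict:
    """Which next hop holds the best path for prefix, and is it the expected primary?"""
    paths = [e for e in parse_bgp_table(text) if e["network"] == prefix and e["valid"]]
    best = next((e["nexthop"] for e in paths if e["best"]), None)
    return {"best": best, "paths": len(paths), "on_primary": best == primary}


# Sample outputs copied from the page (both ISPs online / ISP-1 offline).
BOTH_UP = """
VRF 0 BGP table version is 8, local router ID is 192.168.60.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight RouteTag Path
*> 0.0.0.0/0        100.100.100.254    4294967294           300        0 65100 i <-/1>
*                   100.100.160.254    4294967294           100        0 65200 i <-/->
*> 100.100.100.248/29  0.0.0.0                            32768        0 ? <-/1>
*> 100.100.160.248/29  0.0.0.0                            32768        0 ? <-/1>
*> 100.200.100.0/24    0.0.0.0                       100  32768        0 i <-/1>

Total number of prefixes 4
"""

ISP1_DOWN = """
VRF 0 BGP table version is 8, local router ID is 192.168.60.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight RouteTag Path
*> 0.0.0.0/0        100.100.160.254    4294967294           100        0 65200 i <-/1>
*> 100.100.160.248/29  0.0.0.0                            32768        0 ? <-/1>
*> 100.200.100.0/24    0.0.0.0                       100  32768        0 i <-/1>

Total number of prefixes 3
"""

if __name__ == "__main__":
    for name, text in (("both ISPs up", BOTH_UP), ("ISP-1 down", ISP1_DOWN)):
        state = default_route_state(text, primary="100.100.100.254")
        flag = "" if state["on_primary"] else "  <-- failover to secondary ISP"
        print(f"{name}: {state}{flag}")
```

Feed it the output of the same command collected over SSH or the REST API, and alert when on_primary turns False or when paths drops to 1, since the latter means one ISP session is down even before a failover has happened.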

Comments

  1. Great article by the great author, it is very massive and informative but still preaches the way to sounds like that it has some beautiful thoughts described so I really appreciate this article. Best BGP Path Attributes service provider.
