Description | This article describes the configurations needed to set up a redundant iBGP connection via various types of connection. This setup will focus on the iBGP over ADVPN and physical connection at the same time. |
Scope | FortiGate. |
Solution |
Before setting up iBGP redundancy, configure the ADVPN through the IPsec wizard in the GUI on both the Hub and the Spoke. This avoids configuration errors and, once the wizard has completed on the Hub, produces a quick configuration script that can be applied on the Spoke.
iBGP and firewall policies are also created on both the Hub and the Spoke as part of the wizard process. After the ADVPN tunnel is up, it can be converted to a custom tunnel to configure the desired phase 1 and phase 2 proposals or any other settings as needed.
To establish iBGP over the physical interface, make sure the public-facing interfaces of the Hub and Spoke can reach each other, then follow this article to configure BGP: Basic BGP example | FortiGate / FortiOS 7.4.2 | Fortinet Document Library (use the same ASN on both sides, which makes this an iBGP peering rather than eBGP).
After setting up the basic configuration, go through each device to configure additional settings to make sure that:
For the sake of demonstration:
HUB:
config router prefix-list
    edit "10.0.X.0"
        # the entry name is omitted in the source; it is taken from the match-ip-address reference in the route-maps below
        config rule
            edit 1
                set prefix 10.0.X.0 255.255.255.0
                unset ge
                unset le
            next
        end
    next
end

config router community-list
    edit "ADVPN-Community"
        config rule
            edit 1
                set action permit
                set match "65000:1"
            next
        end
    next
    edit "Port2-Community"
        config rule
            edit 1
                set action permit
                set match "65000:2"
            next
        end
    next
end

config router route-map
    edit "Out-ADVPN"
        config rule
            edit 1
                set match-community "ADVPN-Community"
                set match-community-exact enable
            next
            edit 2
                set match-ip-address "10.0.X.0"
                set set-community "65000:1"
            next
        end
    next
    edit "Out-port2"
        config rule
            edit 2
                set match-ip-address "10.0.X.0"
                set set-community "65000:2"
            next
            edit 1
                set match-community "Port2-Community"
                set match-community-exact enable
            next
        end
    next
end

config router bgp
    set ibgp-multipath enable
    set additional-path enable
    set recursive-next-hop enable
    config neighbor-group
        edit "advpngrp"
            set bfd enable
            set capability-graceful-restart enable
            set link-down-failover enable
            set soft-reconfiguration enable
            set interface "advpn1_0"
            set remote-as 65000
            set route-map-out "Out-ADVPN"
            set update-source "advpn1_0"
            set additional-path both
            set route-reflector-client enable
        next
        edit "port2grp"
            set capability-graceful-restart enable
        next
    end
end

config router policy
    edit 1
        set input-device "advpn1_0"
        set dst "10.0.Y.0/255.255.255.0" "10.0.Z.0/255.255.255.0"
        set output-device "advpn1_0"
    next
    edit 2
        set input-device "port2"
        set dst "10.0.Y.0/255.255.255.0" "10.0.Z.0/255.255.255.0"
        set output-device "port2"
    next
end
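The Hub's two outbound route-maps are what keep a prefix learned over one path from being re-advertised over the other. The following Python model, added here as an illustration and not part of the Fortinet article, evaluates those maps the way FortiOS does (rules tried in sequence order, first match decides, a rule with no match clause matches everything, no match means implicit deny) and shows that the local prefix is tagged 65000:1 when sent over ADVPN and 65000:2 over port2, while a route already carrying the other path's community is dropped. The "X"/"Y" placeholders are kept as the article writes them.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Route:
    prefix: str
    communities: frozenset = frozenset()

@dataclass
class Rule:
    seq: int
    action: str = "permit"                    # permit | deny
    match_prefix: Optional[str] = None        # match-ip-address (prefix-list name)
    match_community: Optional[str] = None     # match-community (community-list name)
    exact: bool = False                       # match-community-exact
    set_community: Optional[str] = None       # set-community

# Hub prefix-list and community-lists from the article ("X" kept as the article writes it)
PREFIX_LISTS = {"10.0.X.0": "10.0.X.0/24"}
COMMUNITY_LISTS = {"ADVPN-Community": frozenset({"65000:1"}),
                   "Port2-Community": frozenset({"65000:2"})}

def rule_matches(rule: Rule, route: Route) -> bool:
    if rule.match_prefix and PREFIX_LISTS[rule.match_prefix] != route.prefix:
        return False
    if rule.match_community:
        wanted = COMMUNITY_LISTS[rule.match_community]
        if rule.exact and route.communities != wanted:
            return False
        if not rule.exact and not (wanted & route.communities):
            return False
    return True

def apply_route_map(rules, route: Route) -> Optional[Route]:
    """First matching rule wins; permit returns the (re-tagged) route, deny or no match returns None."""
    for rule in sorted(rules, key=lambda r: r.seq):
        if not rule_matches(rule, route):
            continue
        if rule.action == "deny":
            return None
        extra = {rule.set_community} if rule.set_community else set()
        return Route(route.prefix, route.communities | extra)
    return None  # implicit deny at the end of every route-map

# The Hub's two outbound route-maps exactly as the article defines them
OUT_ADVPN = [Rule(1, match_community="ADVPN-Community", exact=True),
             Rule(2, match_prefix="10.0.X.0", set_community="65000:1")]
OUT_PORT2 = [Rule(2, match_prefix="10.0.X.0", set_community="65000:2"),
             Rule(1, match_community="Port2-Community", exact=True)]
```

Calling apply_route_map(OUT_ADVPN, Route("10.0.Y.0/24", frozenset({"65000:2"}))) returns None: a spoke prefix learned over port2 is never reflected back over the tunnel, so each spoke sees the Hub's prefixes once per path and ibgp-multipath can use both.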
SPOKE:
config router prefix-list
    edit "Internal-Subnet"
        config rule
            edit 1
                set prefix 10.0.Y.0 255.255.255.0
                unset ge
                unset le
            next
        end
    next
end

config router community-list
    edit "ADVPN-Community"
        config rule
            edit 1
                set action permit
                # the "set match" community value is omitted in the source
            next
        end
    next
    edit "Port2-Community"
        # this entry name is omitted in the source; it is taken from the "In-Port2" route-map below
        config rule
            edit 1
                set action permit
                # the "set match" community value is omitted in the source
            next
        end
    next
end

config router route-map
    edit "Out-ADVPN"
        config rule
            edit 1
                set match-ip-address "Internal-Subnet"
                set set-community "65000:1"
            next
        end
    next
    edit "<name omitted in the source>"
        config rule
            edit 1
                set match-ip-address "Internal-Subnet"
            next
        end
    next
    edit "<name omitted in the source>"
        config rule
            edit 1
                set match-community "ADVPN-Community"
            next
            edit 2
                # the rule number is omitted in the source
                set action deny
            next
        end
    next
    edit "In-Port2"
        config rule
            edit 1
                set action deny
            next
            edit 2
                set match-community "Port2-Community"
            next
        end
    next
end

config router bgp
    set ibgp-multipath enable
    config neighbor
        edit "10.0.0.X"
            set bfd enable
        next
        edit "<neighbor address omitted in the source>"
            set bfd enable
        next
    end
end
After applying the configuration, restart the routing daemon for the community tags and route-maps to take effect, with the command: execute router restart. Be aware that this command causes a brief network disruption; connectivity is restored right after, so it is recommended to run it in a maintenance window. |
Copyright 2024 Fortinet, Inc. All Rights Reserved.