Fortinet - FortiGate as Dual Homed BGP Peer
The objective was to connect two upstream providers (AS3356, Lumen, and AS8422, NetCologne) as BGP neighbours and to announce our own AS212033 prefixes, IPv4 and IPv6, to both of them.
Since the graphical user interface does not expose all of the necessary options, the parameters that have to be set via the CLI are listed here.
Configuring your own autonomous system
First we have to tell the FortiGate what our own AS number is and assign a router ID. The autonomous system number is assigned by RIPE NCC; the router ID (X.X.X.X below) is freely assignable, so replace it with your own. To do this, we configure the following via the CLI:
config router bgp
    set as 212033
    set router-id X.X.X.X
end
Binding our own networks to the FortiGate unit
In order for our public addresses to be announced at all, they must be present in the FortiGate unit's routing table. Since we subnet this address space into smaller networks internally, the aggregate prefixes themselves would not otherwise appear there, so we decided to anchor them with blackhole routes. The blackhole entry only covers the aggregate; the more-specific internal routes still win by longest match for actual forwarding.
config router static
    edit 1
        set dst 193.3.45.0 255.255.255.0
        set blackhole enable
    next
end
config router static6
    edit 1
        set dst 2a10:5dc0::/32
        set blackhole enable
    next
end
Preparing the prefix lists and route maps
We have to tell the FortiGate which networks we want to announce and which routes we want to accept. Since we do not want to become a transit AS (re-advertising one provider's routes to the other), we have to filter what we send out.
In our first steps we found that receiving the full BGP tables from the providers quickly brings the FortiGate to its knees: with two providers, four full tables (2x IPv4 and 2x IPv6) have to be held in RAM, and we quickly reached the limits of the unit.
Therefore, we decided to accept only the default route from the service providers.
The basis for this are the prefix lists, which we then reference in route maps.
These are also separated into IPv4 and IPv6.
config router prefix-list
    edit "accept-dflt-only"
        config rule
            edit 1
                set prefix 0.0.0.0 0.0.0.0
                unset ge
                unset le
            next
        end
    next
    edit "own-nets-only-out"
        config rule
            edit 1
                set prefix 193.3.45.0 255.255.255.0
                unset ge
                unset le
            next
        end
    next
    edit "1"
    next
end
config router prefix-list6
    edit "own-nets-v6-only-out"
        config rule
            edit 1
                set prefix6 2a10:5dc0::/32
                unset ge
                unset le
            next
        end
    next
    edit "accept-dflt-only"
        config rule
            edit 1
                set prefix6 ::/0
                unset ge
                unset le
            next
        end
    next
end
config router route-map
    edit "dualhomes"
        config rule
            edit 1
                set set-local-preference 100
            next
        end
    next
    edit "Default-only"
        config rule
            edit 1
                set match-ip-address "accept-dflt-only"
            next
            edit 2
                set match-ip6-address "accept-dflt-only"
            next
        end
    next
end
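To make the filtering semantics concrete, here is an added Python model (not part of the original post, and not FortiGate code) of the four prefix lists above. It assumes the usual Cisco-style rule semantics, which FortiOS follows: a rule without ge/le matches only the exact prefix length, so "accept-dflt-only" admits nothing but the default route and "own-nets-only-out" never lets a leaked provider route, or even an internal more-specific of our own /24, out of the AS. The routes in the sample are constructed documentation prefixes.

```python
import ipaddress

# Constructed stand-in for the prefix lists on the page. Each rule is
# (prefix, ge, le); None mirrors "unset ge" / "unset le". The IPv6 default
# list gets a "6" suffix here only so all four can share one dictionary
# (on the page both default lists are called "accept-dflt-only").
PREFIX_LISTS = {
    "accept-dflt-only": [("0.0.0.0/0", None, None)],
    "own-nets-only-out": [("193.3.45.0/24", None, None)],
    "accept-dflt-only6": [("::/0", None, None)],
    "own-nets-v6-only-out": [("2a10:5dc0::/32", None, None)],
}


def rule_matches(rule, route):
    """Prefix-list rule semantics as assumed here (Cisco-style): the route
    must lie inside the rule's prefix, and its length must equal the rule's
    length unless ge/le widen the accepted range."""
    prefix, ge, le = rule
    net = ipaddress.ip_network(prefix)
    route = ipaddress.ip_network(route)
    if net.version != route.version or not route.subnet_of(net):
        return False
    lo = net.prefixlen if ge is None else ge
    if le is not None:
        hi = le
    else:
        hi = net.prefixlen if ge is None else net.max_prefixlen
    return lo <= route.prefixlen <= hi


def permitted(list_name, route):
    """All rules on the page are permit rules and a route that matches no
    rule is implicitly denied, so any match means 'permitted'."""
    return any(rule_matches(rule, route) for rule in PREFIX_LISTS[list_name])


def accepted_from_peer(received):
    """Inbound policy: keep only what the default-route lists permit."""
    return [r for r in received
            if permitted("accept-dflt-only", r) or permitted("accept-dflt-only6", r)]


def announced_to_peer(candidates):
    """Outbound policy: keep only our own aggregates, so routes learned from
    the other upstream never leave the AS (no transit)."""
    return [r for r in candidates
            if permitted("own-nets-only-out", r) or permitted("own-nets-v6-only-out", r)]


if __name__ == "__main__":
    # Constructed sample of what a full-table peer might send us ...
    received = ["0.0.0.0/0", "203.0.113.0/24", "::/0", "2001:db8::/32"]
    print("accepted :", accepted_from_peer(received))
    # ... and what might sit in the local table: our aggregates, an internal
    # more-specific, and a route leaked from the other provider.
    candidates = ["193.3.45.0/24", "193.3.45.128/25", "203.0.113.0/24",
                  "2a10:5dc0::/32", "2a10:5dc0:1::/48"]
    print("announced:", announced_to_peer(candidates))
```

Running it shows only the two default routes surviving the inbound filter and only the two aggregates surviving the outbound one; the /25 and /48 more-specifics are dropped because the rules carry no ge/le, which is exactly why the blackhole routes for the aggregates are needed.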
Configuring the BGP Neighbors
Next we need to tell the FortiGate who our BGP peers are. In our case we have four BGP sessions: two IPv4 peers and two IPv6 peers, one of each per provider. This is where the first "special" configuration parameters came into play. But one thing after the other; first the configuration excerpt:
config router bgp
    config neighbor
        edit "X.X.X.X"
            set activate6 disable
            set soft-reconfiguration enable
            set prefix-list-out "own-nets-only-out"
            set prefix-list-out6 "own-nets-v6-only-out"
            set remote-as 3356
            set route-map-in "Default-only"
            set route-map-out "dualhomes"
        next
        edit "2001:1900:X"
            set activate disable
            set soft-reconfiguration enable
            set prefix-list-out "own-nets-only-out"
            set prefix-list-out6 "own-nets-v6-only-out"
            set remote-as 3356
            set route-map-in6 "Default-only"
            set route-map-out6 "dualhomes"
        next
        edit "Y.Y.Y.Y"
            set activate6 disable
            set ebgp-enforce-multihop enable
            set soft-reconfiguration enable
            set prefix-list-out "own-nets-only-out"
            set prefix-list-out6 "own-nets-v6-only-out"
            set remote-as 8422
            set route-map-in "Default-only"
            set route-map-out "dualhomes"
            set password Password
        next
        edit "2001:4dd0:X"
            set activate disable
            set ebgp-enforce-multihop enable
            set soft-reconfiguration enable
            set prefix-list-out "own-nets-only-out"
            set prefix-list-out6 "own-nets-v6-only-out"
            set remote-as 8422
            set route-map-in6 "Default-only"
            set route-map-out6 "dualhomes"
            set password Password
        next
    end
end
set activate6 disable - prevents this BGP peer from exchanging IPv6 routes (used on the IPv4 sessions)
set activate disable - prevents this BGP peer from exchanging IPv4 routes (used on the IPv6 sessions)
set soft-reconfiguration enable - keeps a copy of the received routes so that a changed policy can be re-applied without tearing down the session and re-learning the whole table each time.
set prefix-list-out "own-nets-only-out" - which IPv4 networks should be announced?
set prefix-list-out6 "own-nets-v6-only-out" - which IPv6 networks should be announced?
set remote-as XXXX - AS number of the neighbour
set ebgp-enforce-multihop enable - by default, an eBGP peer must be directly connected. In special cases, however, the BGP router may be several hops away.
set password Password - sets the TCP MD5 password shared with the neighbour. It authenticates the session (the traffic is not encrypted), so both sides must configure the same string.
set route-map-in "Default-only" - which routes do we want to accept? (route-map-in6 on the IPv6 sessions)
set route-map-out "dualhomes" - which routes do we want to send out? (route-map-out6 on the IPv6 sessions)
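Because the neighbour definitions are where a slip would turn the unit into a transit AS or let a full table in, an added audit script follows (Python, written for this page; it is neither FortiGate code nor the author's). It parses a constructed FortiOS-style excerpt modelled on the configuration above (documentation addresses and a placeholder password) and, for each neighbour, checks that the unused address family is disabled, that an outbound prefix list and an inbound route map are set for the active family, that the referenced names actually exist (names are case-sensitive, so the sample deliberately references "default-only" where the route map is "Default-only"), and that a TCP MD5 password is present.

```python
import shlex

# Constructed FortiOS-style excerpt modelled on the page (RFC 5737/3849
# addresses, placeholder password). The IPv6 peer deliberately references
# "default-only" while the route-map is defined as "Default-only".
SAMPLE_CONFIG = """
config router prefix-list
    edit "own-nets-only-out"
    next
end
config router prefix-list6
    edit "own-nets-v6-only-out"
    next
end
config router route-map
    edit "Default-only"
    next
    edit "dualhomes"
    next
end
config router bgp
    set as 212033
    config neighbor
        edit "192.0.2.1"
            set activate6 disable
            set remote-as 3356
            set prefix-list-out "own-nets-only-out"
            set route-map-in "Default-only"
            set route-map-out "dualhomes"
        next
        edit "2001:db8::1"
            set activate disable
            set remote-as 8422
            set prefix-list-out6 "own-nets-v6-only-out"
            set route-map-in6 "default-only"
            set route-map-out6 "dualhomes"
            set password "constructed-secret"
        next
    end
end
"""


def parse_fortios(text):
    """Minimal parser for the FortiOS CLI config format: every config/edit
    block becomes a nested dict and 'set key v...' becomes key -> [v...]."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kw, *args = shlex.split(line)
        if kw in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw in ("next", "end"):
            stack.pop()
        elif kw == "set":
            stack[-1][args[0]] = args[1:]
        elif kw == "unset":
            stack[-1].pop(args[0], None)
    return root


def audit_neighbors(cfg):
    """Return {neighbor: [findings]} for the no-transit / default-only design."""
    bgp = cfg.get("router bgp", {})
    route_maps = cfg.get("router route-map", {})
    prefix_lists = {4: cfg.get("router prefix-list", {}),
                    6: cfg.get("router prefix-list6", {})}
    findings = {}
    for name, nb in bgp.get("neighbor", {}).items():
        issues = []
        family = 6 if ":" in name else 4
        if "remote-as" not in nb:
            issues.append("no remote-as")
        # The unused address family should be switched off on every session.
        if family == 6 and nb.get("activate") != ["disable"]:
            issues.append("IPv4 family not disabled on IPv6 peer")
        if family == 4 and nb.get("activate6") != ["disable"]:
            issues.append("IPv6 family not disabled on IPv4 peer")
        suffix = "6" if family == 6 else ""
        out_key, in_key = "prefix-list-out" + suffix, "route-map-in" + suffix
        out = nb.get(out_key)
        if not out:
            issues.append(f"{out_key} missing: peer could become a transit path")
        elif out[0] not in prefix_lists[family]:
            issues.append(f"{out_key} references unknown prefix list {out[0]!r}")
        inbound = nb.get(in_key)
        if not inbound:
            issues.append(f"{in_key} missing: full table would be accepted")
        elif inbound[0] not in route_maps:
            issues.append(f"{in_key} references unknown route-map {inbound[0]!r}")
        if "password" not in nb:
            issues.append("no password set: session is not authenticated")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for peer, issues in audit_neighbors(parse_fortios(SAMPLE_CONFIG)).items():
        print(peer, "->", issues or ["ok"])
```

On the sample the IPv4 peer is flagged only for the missing password and the IPv6 peer only for the misspelled route-map name; a neighbour with no filters at all would be flagged for both the transit risk and the full-table risk. The same parser can be fed a `show router bgp` dump taken from the unit.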
Allow multiple BGP default gateways
By default, only one of the default routes learned from the BGP peers is installed in the routing table. We get both of them installed as equal-cost paths with the following commands:
config router bgp
    set ebgp-multipath enable
    set ibgp-multipath enable
end
Now the FortiGate should start announcing its own networks and the BGP routing should be functional. The state of the sessions and the number of prefixes received from each peer can be checked with get router info bgp summary (IPv4) and get router info6 bgp summary (IPv6).
Marcel Zimmer is the Technical Managing Director of EnBITCon. During his time in the German Armed Forces, the trained IT developer was able to gain numerous project experiences. His interest in IT security was significantly awakened by his service in command support. Even after his service, he is an active reservist in the Bundeswehr.
His first firewall was a Sophos UTM 120, which he had to set up for a customer project. Since then, his interest in IT security has grown steadily. In the course of time, various security and infrastructure topics have come into his focus. His most interesting projects included, for example, WLAN coverage in an explosion-proof area, as well as a multi-site WLAN solution for a large