Border Gateway Protocol (BGP)

Potential dual homing issues

BGP has well-known load balancing limitations, and dual homing falls into the same category. BGP does not inherently deal well with load balancing or with learning default routes through BGP. Ideally one connection may be best for certain destinations, but that traffic may not be routed to it, making the load balancing less than perfect. Fine tuning this kind of behaviour can be very time consuming and usually ends in a best-effort situation.

When dual homing is not configured properly, your network may become a transit link between your ISPs, carrying very high volumes of traffic between the ISPs that does not originate from your network. The problems with this situation are that your own traffic may not get the bandwidth it needs, and you will be paying for a large volume of traffic that is not yours. This problem is avoided by not advertising or redistributing the routes learned from one ISP to the other, so that only your own prefixes are announced to each ISP.

If you learn your default routes from the ISPs in this example, you may run into an asymmetric routing problem where your traffic loops out through one ISP and comes back to you through the other. If you think this may be happening, you can turn on asymmetric routing on the FortiGate unit (config system settings, set asymmetric enable) to verify that this really is the problem. Turn this feature off again once this is established, since it disables stateful inspection and with it many FortiGate features. Solutions for this problem include using static routes for the default routes instead of learning them through BGP, or configuring VDOMs on your FortiGate unit to provide a slightly different return path that is not a true loop.


Network layout and assumptions

The network layout for the basic BGP example involves the company network being connected to both ISPs as shown below. In this configuration the FortiGate unit is the BGP border router between the Company AS, ISP1’s AS, and ISP2’s AS.

The components of the layout include:

  • The Company AS (AS number 1) is connected to ISP1 and ISP2 through the FortiGate unit.
  • The Company has one internal network — the Head Office network at 10.11.101.0/24.
  • The FortiGate unit internal interface is on the Company internal network with an IP address of 10.11.101.110.
  • The FortiGate unit external1 interface is connected to ISP1’s network with an IP address of 172.20.111.5, an address supplied by the ISP.
  • The FortiGate unit external2 interface is connected to ISP2’s network with an IP address of 172.20.222.5, an address supplied by the ISP.
  • ISP1 AS has an AS number of 650001, and ISP2 has an AS number of 650002.
  • Both ISPs are connected to the Internet.
  • The ISP1 border router is a neighbor (peer) of the FortiGate unit. It has an address of 172.21.111.4.
  • The ISP2 border router is a neighbor (peer) of the FortiGate unit. It has an address of 172.22.222.4.
  • Apart from graceful restart and shorter timers (holdtimer and keepalive), default settings are to be used whenever possible.
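The layout above, as an added FortiOS CLI example that is not from the original page or from Fortinet's own example: the FortiGate announces only the Head Office prefix to both ISPs and filters every other prefix outbound, so routes learned from one ISP are never re-advertised to the other (the transit problem described under dual homing). Assumed and not on the page: the prefix-list name "company-only", the router-id choice, the timer values 30/10, and ebgp-enforce-multihop because neither ISP peer address sits on the directly connected external subnet.

```text
# Assumed name. Only our own prefix may leave; everything else is denied,
# so ISP1-learned routes are never announced to ISP2 and vice versa.
config router prefix-list
    edit "company-only"
        config rule
            edit 1
                set action permit
                set prefix 10.11.101.0 255.255.255.0
            next
            edit 2
                set action deny
                set prefix any
            next
        end
    next
end
config router bgp
    set as 1
    # Assumed: internal interface address used as router-id.
    set router-id 10.11.101.110
    set graceful-restart enable
    # Assumed shorter timers; FortiOS defaults are 180 (hold) / 60 (keepalive).
    set holdtime-timer 30
    set keepalive-timer 10
    config neighbor
        edit "172.21.111.4"
            set remote-as 650001
            # Assumed: peer is not on external1's 172.20.111.0/24 subnet.
            set ebgp-enforce-multihop enable
            set capability-graceful-restart enable
            set prefix-list-out "company-only"
        next
        edit "172.22.222.4"
            set remote-as 650002
            set ebgp-enforce-multihop enable
            set capability-graceful-restart enable
            set prefix-list-out "company-only"
        next
    end
    config network
        edit 1
            set prefix 10.11.101.0 255.255.255.0
        next
    end
end
```

After applying this, `get router info bgp neighbors 172.22.222.4 advertised-routes` should list only 10.11.101.0/24; any ISP1 prefix appearing there means the outbound filter is not attached.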
