Verifying traffic routing
Traffic may be reaching the internal network, but it may be using a different route than you think to get there. Use a browser to try and access the Internet.
If needed, allow traceroute and other diag ports to be opened until things are working properly. Then remove access for them again.
Look for slow hops on the traceroute, or pings to a location, as they may indicate network loops that need to be fixed.
Any locations that have an unresolved traceroute or ping must be examined and fixed. Use network packet sniffing to ensure traffic is being routed as you expect.
Verifying the dual-homed side of the configuration
Since there are two connections to the Internet in this example, theoretically you can pull the plug on one of the ISP connections, and all traffic will go through the other connection. Alternately, you may choose to remove a default route to one ISP, remove that ISP’s neighbor settings, or change the weightings to prefer other other ISP. These alternate ways to test dual-homing do not change physical cabling, which may be preferred in some situations.
If this does not work as expected, things to check include:
- Default static routes — If these are wrong or don’t exist, the traffic can’t get out.
- BGP neighbor information — If the ISP router information is incorrect, the FortiGate unit won’t be able to talk to it.
Redistributing and blocking routes in BGP
During normal BGP operation, peer routers redistribute routes from each other. However, in some specific situations it may be best to not advertise routes from one peer, such as if the peer is redundant with another peer (they share the same routes exactly), if it might be unreliable in some way, or some other reason. The FortiGate can also take routes it learns from other protocols and advertise them in BGP, for example OSPF or RIP. If your Company hosts its own web or email servers, external locations will require routes to your networks to reach those services.
In this example the Company has an internal network in an OSPF area, and is connected to a BGP AS and two BGP peers. Company goes through these two peers to reach the Internet. However, Peer 1 routes will not be advertised to Peer 2. The Company internal user and server networks are running OSPF, and will redistribute those routes to BGP so external locations can reach the web and email servers.
This section includes the following topics:
- Network layout and assumptions
- Configuring the FortiGate unit
- Testing network configuration
Network layout and assumptions
The network layout for the BGP redistributing routes example involves the company network being connected to two BGP peers as shown below. In this configuration the FortiGate unit is the BGP border router between the Company AS, and the peer routers.
The components of the layout include:
- There is only one BGP AS in this example — AS 65001, shared by the FortiGate unit and both peers.
- The Company’s FortiGate unit connects to the Internet through two BGP peers.
- The Company internal networks on the dmz interface of the FortiGate unit with an IP of 10.11.201.0/24.
- The FortiGate units’ interfaces are connected as follows:
- port1 (dmz) has IP 10.11.201.110 and is the internal user and server network
- port2 (external1) has IP 172.21.111.4 and is connected to Peer 1’s network
- port3 (external2) has IP 172.22.222.4 and is connected to Peer 2’s network
- Peer 1 has IP 172.21.111.5, and Peer 2 has IP 172.22.222.5.
- OSPF Area 1 is configured on the dmz interface of the FortiGate unit, and is the routing protocol used by the internal users and servers.
BGP network topology
The the BGP redistributing routes configuration procedure follows these assumptions:
- The FortiGate unit has been configured following the Install Guide
- Interfaces port1, port2, and port 3 exist on the FortiGate unit
- We don’t know the router manufacturers of Peer 1 and Peer 2
- We don’t know what other devices are on the BGP AS or OSPF Area
- All basic configuration can be completed in both GUI and CLI
- Access lists and route maps will only be configured in CLI
- VDOMs are not enabled on the FortiGate unit
Having trouble configuring your Fortinet hardware or have some questions you need answered? Ask your questions in the comments below!!! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!
Don't Forget To Buy Your Fortinet Hardware From The Fortinet GURU