This is a general guide to connecting a FortiGate firewall to a Cumulus router. This is all being mocked up in GNS3.
The BGP peering is happening between "leaf01-10.10.10.253" and "FGT-10.10.10.254"
- port2 on the FGT relates to "e1" in the picture.
- port3 on the FGT relates to "e2" in the picture.
STEP 1 -
Fortigate
config system interface
edit "port2.10"
set vdom "root"
set ip 10.10.10.254 255.255.255.0
set allowaccess ping ssh
set device-identification enable
set role lan
set snmp-index 10
set interface "port2"
set vlanid 10
next
edit "port3.50"
set vdom "root"
set ip 50.50.50.254 255.255.255.0
set allowaccess ping
set device-identification enable
set role lan
set snmp-index 50
set interface "port3"
set vlanid 50
next
edit "port3.60"
set vdom "root"
set ip 60.60.60.254 255.255.255.0
set allowaccess ping
set device-identification enable
set role lan
set snmp-index 9
set interface "port3"
set vlanid 60
next
end
We will be using VLAN10/port2.10 as the link between the FGT and the Cumulus router. port3.50 and port3.60 are the interfaces that we are going to be advertising into BGP.
Now we will create the BGP peer on the FGT.
config router bgp
set as 65000
set router-id 1.1.1.1
config neighbor
edit "10.10.10.253"
set remote-as 65001
next
end
Now you need to advertise your routes from the FGT. I will be advertising specific routes using "config network"; if you would like to advertise all of your routes you could do that with "config redistribute" and the route source ("connected", "rip", "ospf" or "static").
config router bgp
config network
edit 3
set prefix 50.50.50.0 255.255.255.0
next
edit 4
set prefix 60.60.60.0 255.255.255.0
next
end
At this point your FGT should have routes that look like the following.
FortiGate-VM64-KVM # get router info routing-table all
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
C 10.10.10.0/24 is directly connected, port2.10
C 20.20.20.0/24 is directly connected, port2.20
C 50.50.50.0/24 is directly connected, port3.50
C 60.60.60.0/24 is directly connected, port3.60
Now it is time to set up the Cumulus side.
STEP 2 -
Cumulus
Use a text editor to open "/etc/network/interfaces"
sudo nano /etc/network/interfaces
auto swp1
iface swp1
bridge-vids 10
bridge-stp on
auto bridge
iface bridge
bridge-vlan-aware yes
bridge-ports swp1
bridge-vids 10
bridge-pvid 1
bridge-stp on
auto bridge.10
iface bridge.10
address 10.10.10.253/24
Save the file "/etc/network/interfaces" and then reload the interfaces.
sudo ifreload -a
Now set up BGP on the Cumulus.
cumulus@leaf01$ net add bgp autonomous-system 65001
cumulus@leaf01$ net add bgp router-id 10.10.10.253
cumulus@leaf01$ net add bgp neighbor 10.10.10.254 remote-as external
You can preview and commit the changes.
net pending
net commit
Once this is done you should be able to verify that your BGP session is established.
cumulus@leaf01:~$ net show bgp summary
show bgp ipv4 unicast summary
=============================
BGP router identifier 10.10.10.253, local AS number 65001 vrf-id 0
BGP table version 6
RIB entries 3, using 456 bytes of memory
Peers 1, using 19 KiB of memory
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.10.10.254 4 65000 136 124 0 0 0 00:00:51 2
Total number of neighbors 1
You should also be able to see the routes coming through from the FGT with "net show bgp".
cumulus@leaf01:~$ net show bgp
show bgp ipv4 unicast
=====================
BGP table version is 6, local router ID is 10.10.10.253
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
i internal, r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 50.50.50.0/24 10.10.10.254 0 65000 i
*> 60.60.60.0/24 10.10.10.254 0 65000 i
Displayed 2 routes and 2 total paths
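As an added example (not part of the original post), here is a small Python check that parses the two outputs above and confirms that the session with 10.10.10.254 is Established, that the peer really is AS 65000, and that only the two intended prefixes arrived from that next hop and AS; anything extra the peer starts sending (a default route, or the 20.20.20.0/24 network that exists on the FGT but is not in "config network") is reported. The sample text is constructed from the output shown above and the helper names are mine.

```python
import re

# Constructed sample output, copied from the "net show bgp summary" and
# "net show bgp" sessions shown above, not captured from a live device.
SUMMARY = """\
Neighbor        V   AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.10.10.254    4 65000     136     124      0   0    0 00:00:51        2
"""
ROUTES = """\
   Network          Next Hop            Metric LocPrf Weight Path
*> 50.50.50.0/24    10.10.10.254                           0 65000 i
*> 60.60.60.0/24    10.10.10.254                           0 65000 i
"""
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

def parse_summary(text):
    """Map neighbor -> (remote AS, State/PfxRcd column) from 'net show bgp summary'."""
    peers = {}
    for line in text.splitlines():
        f = line.split()  # Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
        if len(f) == 10 and re.fullmatch(IPV4, f[0]) and f[1] == "4":
            peers[f[0]] = (int(f[2]), f[9])
    return peers

def parse_routes(text):
    """Map prefix -> (next hop, last AS before the origin code) for best (*>) paths.
    Metric/LocPrf/Weight columns may be blank, so only the trailing AS is trusted."""
    routes = {}
    for line in text.splitlines():
        m = re.match(rf"^\*>\s+(\S+/\d+)\s+({IPV4})\s+(.*\S)\s+[ie?]$", line)
        if m:
            routes[m.group(1)] = (m.group(2), int(m.group(3).split()[-1]))
    return routes

def check_peering(summary, routes, peer, peer_as, expected):
    """Return findings; an empty list means the session matches what was intended."""
    peers = parse_summary(summary)
    if peer not in peers:
        return [f"peer {peer} missing from summary"]
    remote_as, state = peers[peer]
    if remote_as != peer_as:
        return [f"peer {peer} reports AS {remote_as}, expected {peer_as}"]
    if not state.isdigit():  # an Established session shows a prefix count, not a state name
        return [f"session with {peer} not Established (state {state})"]
    learned = parse_routes(routes)
    findings = [f"expected prefix {p} not learned" for p in sorted(set(expected) - set(learned))]
    for prefix, (nh, last_as) in sorted(learned.items()):
        if prefix not in expected:
            findings.append(f"unexpected prefix {prefix} learned from {peer}")
        if nh != peer or last_as != peer_as:
            findings.append(f"{prefix}: next hop {nh} / AS {last_as} is not the peer")
    return findings
```

Feed it the real command output (for example via `net show bgp summary` and `net show bgp` over SSH) and treat any non-empty result as something to look at before trusting the peering.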
You can also run "net show route" to see all routes.
cumulus@leaf01:~$ net show route
show ip route
=============
Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
F - PBR,
> - selected route, * - FIB route
C>* 10.10.10.0/24 is directly connected, bridge.10, 00:04:04
B>* 50.50.50.0/24 [20/0] via 10.10.10.254, bridge.10, 00:03:59
B>* 60.60.60.0/24 [20/0] via 10.10.10.254, bridge.10, 00:03:59