Basic BGP network topology

Assumptions

The basic BGP configuration procedure follows these assumptions:

• ISP1 is the preferred route, and ISP2 is the secondary route
• All basic configuration can be completed in both GUI and CLI
• Only one AS is used for the Company

For these reasons this example configuration does not include:

• Bi-directional forwarding detection (BFD)
• Route maps
• Access lists
• Changing redistribution defaults — make link when example is set up
• IPv6

For more information on these features, see the corresponding section.

Configuring the FortiGate unit

In this topology, the FortiGate unit is the link between the Company Network and the ISP network. The FortiGate unit is the only BGP router on the Company Network, but there is at least one other BGP router on the ISP Network — there may be more but we don’t have that information.

As mentioned in the general configuration steps, the ISP must be notified of the Company’s BGP router configuration when complete as it will need to add the FortiGate BGP router as a neighbor router on its domain. This step is required for the FortiGate unit to receive BGP routing updates from the ISP network and outside networks.

If the ISP has any special BGP features enabled such as graceful restart, or route dampening that should be determined up front so those features can be enabled on the FortiGate unit.

To configure the FortiGate unit as a BGP router

1. Configure interfaces and default routes

2. Configure firewall services, addresses, and policies

3. Set the FortiGate BGP information

4. Add the internal network to the AS

5. Additional FortiGate BGP configuration

Configure interfaces and default routes

The FortiGate unit is connected to three networks — Company Network on the internal interface, ISP1 Network on external1interface, and ISP2 on external2 interface.

This example uses basic interface settings. Check with your ISP to determine if additional settings are required such as setting the maximum MTU size, or if gateway detection is supported.

High end FortiGate units do not have interfaces labeled Internal, or External. Instead, for clarity’s sake, we are using the alias feature to name interfaces for these roles.

Default routes to both external interfaces are configured here as well. Both are needed in case one goes offline. ISP1 is the primary connection and has a smaller administrative distance so it will be preferred over ISP2. Both distances are set low so they will be preferred over any learned routes.

 

To configure the FortiGate interfaces – web-based manager

1. Go to System > Network > Interface.

2. Edit port 1 (internal) interface.

3. Set the following information, and select OK.

Alias                                           internal

IP/Network Mask                       10.11.101.110/255.255.255.0

Administrative Access             HTTPS SSH PING

Description                                Company internal network

Administrative Status               Up

4. Edit port 2 (external1) interface.

5. Set the following information, and select OK.

Alias                                           external1

IP/Network Mask                       172.21.111.5/255.255.255.0

Administrative Access             HTTPS SSH PING

Description                                ISP1 External BGP network

Administrative Status               Up

6. Edit port 3 (external2) interface.

7. Set the following information, and select OK.

Alias                                           external2

IP/Network Mask                       172.22.222.5/255.255.255.0

Administrative Access             HTTPS SSH PING

Description                                ISP2 External BGP network

Administrative Status               Up