06-08-2020 09:35 AM
Hi,
I wanted to interconnect my SDA fabric with a Fortinet firewall. How can I use static routes to ensure this connection?
Thanks
06-08-2020 06:21 PM
Hello. The Fortinet would connect outside of the fabric, e.g. to the SD-Access external borders. You can program the static routes as required on the external borders, and the return static routes on the Fortinet. I don't know of a document that explains this, but it shouldn't be too hard to work out; it's just VRF routing on the external borders. HTH, Jerome
06-09-2020 01:02 AM - edited 06-09-2020 04:16 AM
Hello,
Is the static route configuration done with the GUI in DNAC or with the CLI at the fabric border level?
I am very grateful for your support :)
06-09-2020 05:11 AM
Hello. You can configure on the border CLI directly, or you can use a DNA Center template if you feel that's appropriate. Cheers, Jerome
06-09-2020 07:30 AM
Hello,
So I must create a sub-interface on the firewall for each VN?
06-09-2020 04:19 PM
Hi, that should work just fine. Regards, Jerome
06-10-2020 02:34 AM - edited 06-10-2020 03:52 AM
Hello,
If I understood correctly, the connection between the fabric border and the firewall does not depend on a BGP session, so what configuration do I have to set up at the L3 handoff menu level to use static routing? I only see a connection through VRF-lite.
One more question: how can I ensure redundancy at the fabric borders, knowing that I have two 9500 switches?
Regards,
06-10-2020 04:40 AM - edited 06-10-2020 04:41 AM
BGP is the recommended border handoff protocol. Static routes are supported, but not recommended. Redundancy with static routes is challenging in any network design, SDA or non-SDA, because static routes do not adapt to network state (e.g. a neighbour going down). You have all the standard static routing tools at your disposal, such as floating static routes, or making the 9500 border a StackWise Virtual (one logical switch comprising two physical switches). If you choose to use static routes, then on the border you would create an interface per SDA VRF (e.g. an SVI), connect those interfaces to the Fortinet, and manually program the static routes into the VRFs on the border. Please test your redundancy carefully before moving into full production.
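As an added illustration of the two replies above (per-VRF SVI towards the Fortinet with static routes in the VRF, plus the return routes on the firewall), here is a border-side configuration sketch. It is not from the thread or from Cisco documentation; the VN name, VLAN IDs, interface names and addresses are all assumed, and the IP SLA tracking is one way to make the static default adapt to a dead firewall, which the accepted answer warns static routes otherwise do not do.

```cisco
! Added example, not from the thread. Catalyst 9500 external border,
! one SD-Access VN named CAMPUS. All names, VLAN IDs and addresses are
! assumed (RFC 5737 documentation ranges).
! Vlan3001 192.0.2.1/30  -> Fortinet-A sub-interface 192.0.2.2
! Vlan3002 192.0.2.5/30  -> Fortinet-B sub-interface 192.0.2.6
vrf definition CAMPUS
 address-family ipv4
 exit-address-family
!
! One SVI per VN, placed in that VN's VRF (repeat per VN/VLAN pair).
interface Vlan3001
 description CAMPUS handoff to Fortinet-A
 vrf forwarding CAMPUS
 ip address 192.0.2.1 255.255.255.252
interface Vlan3002
 description CAMPUS handoff to Fortinet-B
 vrf forwarding CAMPUS
 ip address 192.0.2.5 255.255.255.252
!
! Trunk each handoff VLAN to the matching firewall sub-interface.
interface TenGigabitEthernet1/0/1
 description to Fortinet-A
 switchport mode trunk
 switchport trunk allowed vlan 3001
interface TenGigabitEthernet1/0/2
 description to Fortinet-B
 switchport mode trunk
 switchport trunk allowed vlan 3002
!
! Probe Fortinet-A from inside the VRF so the primary default route is
! withdrawn when the firewall stops answering, not only on link down.
ip sla 1
 icmp-echo 192.0.2.2 source-interface Vlan3001
  vrf CAMPUS
  frequency 5
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
 delay down 10 up 10
!
! Tracked primary default route; the floating static (AD 250) via
! Fortinet-B is installed only while track 1 is down.
ip route vrf CAMPUS 0.0.0.0 0.0.0.0 192.0.2.2 track 1
ip route vrf CAMPUS 0.0.0.0 0.0.0.0 192.0.2.6 250
!
! Return routes on each Fortinet are the mirror image: destination =
! the VN's prefixes, gateway = the border SVI on that VLAN sub-interface.
```

This covers only the border-to-firewall leg; how the default route is then advertised into the fabric is provisioned by DNA Center, and the last reply in the thread notes that with an internal border only BGP routes are imported into LISP, so verify that part before relying on it.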
06-10-2020 06:13 AM
Hello,
Thank you so much for your support :)
Regards
09-03-2023 01:48 AM
I should also mention, if the customer has an Internal Border Node or External + Internal Border Node, then only BGP routes are imported into LISP.