Solved: Re: SDA fabric with a Fortinet firewall

jendoubi Abdelbasset · ‎06-08-2020

Hi,
 I wanted to interconnect my SDA fabric with a Fortinet firewall, how I can use static routes to ensure this connection
Thnx

jedolphi · ‎06-10-2020

BGP is the recommended border handoff protocol. Static routes are supported, but not recommended. Redundancy with static routes is challenging in any network design, regardless of SDA or not-SDA, because static routes do not adapt to network state (e.g. neighbour down). You have all the standard static routing tools at your disposal such as floating static routes, or making the 9500 border an Stackwise Virtual (one logical switch comprising of two physical switches). If you choose to use static routes then on the border you would create an interface per SDA VRF (e.g. an SVI), connect those interfaces to the Fortinet, and manually program the static routes into the VRFs on the border. Please test your redundancy carefully before moving into full production.

View solution in original post

jedolphi · ‎06-08-2020

Hello. The Fortinet would connect outside of fabric e.g. to the SD-Access external borders. You can program the static routes as required on the external borders, and the return static routes on the Fortinet. I don't know of a document that explains this, but it's shouldn't be too hard to work out, it's just VRF routing on the external borders. HTH, Jerome

jendoubi Abdelbasset · ‎06-09-2020

hello,

the static route configuration with GUI in DNAC or CLI at the border fabric level ??

i am very grateful for your support :)

jedolphi · ‎06-09-2020

Hello. You can configure on the border CLI directly, or you can use a DNA Center template if you feel that's appropriate. Cheers, Jerome

jendoubi Abdelbasset · ‎06-09-2020

hello
so i must create a sub-interface in the firewall for each VN ??

jedolphi · ‎06-09-2020

Hi, that should work just fine. Regards, Jerome

jendoubi Abdelbasset · ‎06-10-2020

hello

If I understood correctly, the connection between the fabric border and the firewall does not depend on a Bgp session, so what configuration I have to set up at the L3 handoff menu level to use the static routing ? , I only see a connection through the VRF lite

one more question how I can ensure redundancy at the fabric borders knowing that I have two 9500 switches

Regards,

jedolphi · ‎06-10-2020

BGP is the recommended border handoff protocol. Static routes are supported, but not recommended. Redundancy with static routes is challenging in any network design, regardless of SDA or not-SDA, because static routes do not adapt to network state (e.g. neighbour down). You have all the standard static routing tools at your disposal such as floating static routes, or making the 9500 border an Stackwise Virtual (one logical switch comprising of two physical switches). If you choose to use static routes then on the border you would create an interface per SDA VRF (e.g. an SVI), connect those interfaces to the Fortinet, and manually program the static routes into the VRFs on the border. Please test your redundancy carefully before moving into full production.

jendoubi Abdelbasset · ‎06-10-2020

hello,

thank you so much for your support :)

Regards

jedolphi · ‎09-03-2023

I should also mention, if customer has an Internal Border Node or External + Internal Border Node then only BGP routes are imported to LISP.