Re: BGP inbound and outbound failover & OSPF full mesh.

Amit Kulshrestha · ‎06-08-2018

Dear Friends,

I have attached a diagram; I am very sure it is very easy for you all to understand the topology.

But still let me explain what all I have configured and running in attached topology: -

2 core router of ISR 4400 series connected to ISP mpls and further connecting to spoke location.
BGP is used on core router and spoke location “AS-65430”.
Fortigate FW are in HA, so they act as single logical entity.
Bgp is not running on FW. Only OSPF is running.
Below “port3” of FW multiple subnet is running.
192.168.50.0/24 is subnetted to /29 and used as devices communication IP schema.
2 subnet are used between core router and FW ; 1- 192.168.50.16/29 and 192.168.50.32/29.
And between core routers 192.168.50.24/29 used in iBGP and OSPF also.

I have few questions regarding attached diagram.

full mesh using OSPF between both Cisco routers and Fortigate is correct.?
What all other option possible to have full mesh connectivity between (although after reading many forums and referring many sites I have used OSPF as full mesh between routers and FW)?
Kindly guide how can solve OSPF ecmp i.e. how can control that first “port1” of FW is used for inbound & outbound traffic, then “port2” in case of “port1” failure.
My customer want that first ISP-1 on core router 1 should be used for inbound & outbound traffic, then ISP-2 on core router 2 and likewise ISP-3 for inbound & outbound traffic .
From which bgp attribute “local preference or as_path “ should I have to use to achieve my customer requirement.

Do let me know more clarity.

Thanks & Regards

Amit

Georg Pauwen · ‎06-08-2018

Hello,

can you post the full configs of both routers ? OSPF port preference can be achieved by either setting the neighbor cost, or by some other means. For iBGP, use local preference.

Seeing the configs will clarify how to configure the details...

Amit Kulshrestha · ‎06-09-2018

Hi Georg thanks for your interest, config file are attached. Kindly support.

Regards

Amit

Georg Pauwen · ‎06-09-2018

Hello,

thanks for the configs, I'll have a look...I need to lab this, since you have two ISP connections on one router and the third one on a different one...

Amit Kulshrestha · ‎06-10-2018

Thanks Georg , Plz take your time, but do reply back.

Georg Pauwen · ‎06-11-2018

Hello Amit.

I tried to recreate your setup in GNS3, and the below is what I have come up with (important parts marked in bold). Your config looks close to mine, I used local preference as well, but on CR-RTR01 only on the link to 1-ISP, and on CR-RTR02 only on the link to 3-ISP, since the default local preference is 100, you don't need to set it on the link to 2-ISP.

With regard to OSPF, it has already been mentioned that you can use cost. I used auto-cost reference-bandwidth and then set the bandwidth on the interfaces to influence the cost. With auto-cost reference-bandwidth set to 1000, a bandwidth of 10000 will result in a cost of 100 (less preferred) and a bandwidth of 100000 will result in a cost of 10 (preferred).

The 'blackhole' is the Fortigate, I don't have one to test it, but the below is what I think you should configure.

CR-RTR01

interface GigabitEthernet0/0/0
description ##Connected to PRI-FW##
bandwidth 100000
ip address 192.168.50.21 255.255.255.248
no ip redirects
no ip proxy-arp
ip ospf 10 area 0
negotiation auto
!
interface GigabitEthernet0/0/1
bandwidth 10000
ip address 192.168.50.33 255.255.255.248
no ip redirects
no ip proxy-arp
ip ospf 10 area 0
negotiation auto

!

router ospf 10
redistribute bgp 64530 metric 10 metric-type 1 subnets
distance ospf external 252
auto-cost reference-bandwidth 1000
!
router bgp 64530
bgp log-neighbor-changes
bgp dampening
network 10.125.107.0 mask 255.255.255.224
network 10.125.107.32 mask 255.255.255.224
network 10.125.124.0 mask 255.255.255.192
network 10.125.124.128 mask 255.255.255.128
network 172.16.200.0 mask 255.255.255.0
network 172.16.205.0 mask 255.255.255.0
network 172.16.207.7 mask 255.255.255.255
network 192.168.50.0
redistribute ospf 10
neighbor 100.100.159.2 remote-as 9583
neighbor 100.100.159.2 description ##eBGP-3##
neighbor 100.100.165.2 remote-as 18101
neighbor 100.100.165.2 description ##eBGP-1##
neighbor 100.100.165.2 route-map ISP-1-MPLS in
neighbor 192.168.50.30 remote-as 64530
neighbor 192.168.50.30 description ##IBGP-PEER##
neighbor 192.168.50.30 next-hop-self
!
route-map ISP-1-MPLS permit 10
set local-preference 200

CR-RTR02

interface GigabitEthernet0/0/0
description ##Connected to PRI-FW##
bandwidth 100000
ip address 192.168.50.22 255.255.255.248
no ip redirects
no ip proxy-arp
ip ospf 10 area 0
negotiation auto
!
interface GigabitEthernet0/0/1
bandwidth 10000
ip address 192.168.50.34 255.255.255.248
no ip redirects
no ip proxy-arp
ip ospf 10 area 0
negotiation auto

!

router ospf 10
redistribute bgp 64530 metric 10 metric-type 1 subnets
distance ospf external 252
auto-cost reference-bandwidth 1000
!
router bgp 64530
bgp log-neighbor-changes
bgp dampening
network 10.125.107.0 mask 255.255.255.224
network 10.125.107.48 mask 255.255.255.240
network 10.125.124.0 mask 255.255.255.192
network 10.125.124.128 mask 255.255.255.128
network 172.16.200.0 mask 255.255.255.0
network 172.16.205.0 mask 255.255.255.0
network 172.16.207.7 mask 255.255.255.255
network 192.168.50.0
redistribute ospf 10
neighbor 100.100.167.2 remote-as 9730
neighbor 100.100.167.2 description ##eBGP-ISP-2##
neighbor 100.100.167.2 route-map ISP-2-MPLS in
neighbor 192.168.50.25 remote-as 64530
neighbor 192.168.50.25 description ##IBGP-PEER##
neighbor 192.168.50.25 next-hop-self
!
route-map ISP-2-MPLS permit 10
set local-preference 150

auto-cost reference-bandwidth 1000

Fortigate

config router ospf
set auto-cost-ref-bandwidth 1000

config ospf-interface
set interface "Port1"
set ip x.y.z.t
set cost 10

!

config ospf-interface
set interface "Port2"
set ip x.y.z.t
set cost 100

Amit Kulshrestha · ‎08-27-2018

Hi Georg Pauwen,

First i do regret for replying you late , second thanks very much for wonderful suggestions, i will surely applying your suggestions.

Thanks Very Much

Amit

paul driver · ‎06-10-2018

Hello

full mesh using OSPF between both Cisco routers and Fortigate is correct.? —— YES

What all other option possible to have full mesh connectivity between (although after reading many forums and referring many sites I have used OSPF as full mesh between routers and FW)?——-—— Give this setup and resiliency required Full mesh would be applicable

Kindly guide how can solve OSPF ecmp i.e. how can control that first “port1” of FW is used for inbound & outbound traffic, then “port2” in case of “port1” failure. —— two possible ways. 1) have the connection between the rtrs and the fw2 in a different ospf area then area O 2) apply higher ospf interface cost on the links between fw2 and the rtrs.

My customer want that first ISP-1 on core router 1 should be used for inbound & outbound traffic, then ISP-2 on core router 2 and likewise ISP-3 for inbound & outbound traffic.
If this is a L3 mpls vpn setup you could possibly have the spoke ibgp rtrs become route-reflector clients towards your main site rtrs and have the main site rtrs as the RR cluster peers

From which bgp attribute “local preference or as_path “ should I have to use to achieve my customer requirements-
Looking at this current setup local preference wouldn’t really work unless you have ebgp routes to match upon

Res

paul

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Amit Kulshrestha · ‎06-12-2018

Hi Paul , After going through suggestions few question which came to me are listed below:-

full mesh using OSPF between both Cisco routers and Fortigate is correct.?— YESà Ok thanks for confirming.

What all other option possible to have full mesh connectivity between (although after reading many forums and referring many sites I have used OSPF as full mesh between routers and FW)?——-—— Give this setup and resiliency required Full mesh would be applicable à Yes full mesh is only option applicable in critical network setup.

Kindly guide how can solve OSPF ecmp i.e. how can control that first “port1” of FW is used for inbound & outbound traffic, then “port2” in case of “port1” failure. —— two possible ways.

have the connection between the rtrs and the fw2 in a different ospf area then area Oà When you configure HA in fortigate it become single logical entity, one cannot configure in 2^nd FW or further there is no option to configure 2^nd
Apply higher ospf interface cost on the links between fw2 and the rtrs. à I think configuring ospf cost on Rtr interface can be bit confusing.

My customer want that first ISP-1 on core router 1 should be used for inbound & outbound traffic, then ISP-2 on core router 2 and likewise ISP-3 for inbound & outbound traffic.
If this is a L3 mpls vpn setup you could possibly have the spoke ibgp rtrs become route-reflector clients towards your main site rtrs and have the main site rtrs as the RR cluster peers. à There no iBGP in spoke location as there is only single Rtr and I have configured Weight attribute on Primary & Secondary link and all spoke location Rtr is forming eBGP with ISP.

From which bgp attribute “local preference or as_path “ should I have to use to achieve my customer requirements-
Looking at this current setup local preference wouldn’t really work unless you have ebgp routes to match upon. à eBGP is formed with ISP on all spoke & hub location Rtr and you can see the router of spoke location on Hub Rtr and visa-versa.