BGP Protocol Between Core Switch/Firewall with SD WAN device

Bhardwajp
Level 1

Hi All,

Hope you guys are doing well.

Trying to configure a new setup for a new branch office. I want the firewall to do access control and routing to be done on the Cisco L3 switch.
I am confused about what will be the best way to achieve this.

I have put the IP addresses and as much other information as I can think of in the diagram, and I hope you guys can now understand what I am trying to do.
So the idea is to configure eBGP between my Cisco switch and VeloCloud; I want routing to be on the switch and access control to be done on the FortiGate firewall.
For that I am using 2 VLANs: one for the communication between Velo and FortiGate (VLAN 20, 1.1.1.0/29) and
the other for communication between the FortiGate and my core switch (VLAN 30, IP 2.2.2.0/29).

Kindly share your valuable feedback on how I can do it if possible. Please find the diagram attached.

7 Replies

Why don't you make eBGP bypass the FW?
You can configure eBGP directly between the SD-WAN and the core switch.
I am talking about bypassing eBGP, not bypassing data traffic.

@MHM Cisco World Thanks for your prompt response.

I want to configure eBGP directly between the SD-WAN and the core switch, and data traffic must come through the FortiGate firewall.

Can you please provide valuable guidance on how to achieve it?


Take a look at this guide:
https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/6500-bgp-pix.html

Note: just to confirm, you are not running the FW as active/standby?

Hi @MHM Cisco World: the FortiGate firewall will be in Active/Standby.

I ran a lab for you:
between R3 and R1 and R2 I run eBGP;
in the ASA HA, have a default route toward the VIP of the R1&R2 HSRP group;
between R3 and both FW HA we run OSPF area NSSA with no-redistribute; this prevents the routes advertised from BGP from being redistributed into the ASA HA via OSPF.

Hello
If you desire eBGP peering between the Cisco core and VCloud, then the FortiGate in between will need to be transparent L2 FWs?

Optionally you could have:

  • FortiGate routing mode (HA cluster)
  • eBGP peering instead will be between the FWs and VCloud
  • Run an IGP (OSPF) between the FWs and the Cisco core, advertising conditional default routes from the FWs in OSPF for Cisco core resiliency
  • Cisco core advertises the L3 subnets into OSPF, then the FWs will redistribute OSPF into BGP for VCloud reachability

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community's global network.

Kind Regards
Paul

Hi,

Create a static route on the core switch for the 1.1.1.1/32 host route with next-hop 2.2.2.1 (Forti), and vice versa: create a static route on Versa for the 2.2.2.2/32 host route with next-hop 1.1.1.2 (Forti). This way you will have the TCP session for BGP, which in underlay routing resolves to paths via Forti. Whatever Versa advertises in eBGP to the core will have NH 1.1.1.1 in the advertisement, which is resolved to the actual next-hop 2.2.2.1 in routing (recursive lookup). This way you will have eBGP between Versa and the core switch.

However, one caveat: you still need to do routing (at least static summary routes) on Forti so it can do L3 routing (packet switching).

HTH,

Please rate and mark as an accepted solution if you have found any of the information provided useful.
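The host-route approach from the last reply, written out for the core switch side as an added example (not from the thread or any vendor document), using the thread's addressing: core switch 2.2.2.2/29 in VLAN 30, FortiGate 2.2.2.1 (inside) / 1.1.1.2 (outside), VeloCloud 1.1.1.1/29 in VLAN 20. The AS numbers, the interface name, the branch LAN prefix and the Velo/FortiGate steps in the comments are assumptions.

```cisco
! Core switch (Cisco IOS). AS 65001 local / 65002 for Velo are assumed, not from the thread.
ip routing
!
interface Vlan30
 description To FortiGate inside (VLAN 30, 2.2.2.0/29)
 ip address 2.2.2.2 255.255.255.248
!
! Host route: the BGP session to 1.1.1.1 is carried through the FortiGate (2.2.2.1),
! and every prefix learned with next hop 1.1.1.1 resolves recursively to 2.2.2.1,
! so data traffic is forced through the firewall while the peering itself bypasses it.
ip route 1.1.1.1 255.255.255.255 2.2.2.1
!
router bgp 65001
 bgp log-neighbor-changes
 neighbor 1.1.1.1 remote-as 65002
 ! The peer is two L3 hops away (switch -> FortiGate -> Velo); eBGP defaults to TTL 1.
 neighbor 1.1.1.1 ebgp-multihop 2
 neighbor 1.1.1.1 update-source Vlan30
 address-family ipv4
  neighbor 1.1.1.1 activate
  ! assumed branch LAN prefix; advertise only what the core actually owns
  network 10.10.10.0 mask 255.255.255.0
 exit-address-family
!
! Mirror on the Velo side (vendor syntax differs, so shown as comments):
!   static host route 2.2.2.2/32 via 1.1.1.2 (FortiGate outside)
!   eBGP neighbour 2.2.2.2, remote AS 65001, multihop/TTL 2, sourced from 1.1.1.1
!
! On the FortiGate (routing mode, active/standby): a policy allowing TCP/179 between
! 1.1.1.1 and 2.2.2.2 in both directions, plus the static summary routes from the
! last reply's caveat (branch LAN via 2.2.2.2, SD-WAN prefixes via 1.1.1.1), since the
! firewall is not in the BGP path and must forward the data traffic on its own table.
!
! Checks on the core switch:
!   show ip bgp summary          -> neighbor 1.1.1.1 in Established state
!   show ip route 1.1.1.1        -> static, via 2.2.2.1
!   show ip bgp <learned prefix> -> next hop 1.1.1.1, resolved via 2.2.2.1 (Vlan30)
```

If the firewall policy blocks TCP/179 or the host route is missing on either side, the session stays in Active/Idle; the `show ip route 1.1.1.1` check separates the two causes.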