Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • SD-WAN Deployment for MSSPs

    Home FortiGate / FortiOS 6.4.0 SD-WAN Deployment for MSSPs
    6.4.0
    7.4.0
    7.2.0
    7.0.0
    6.4.0

    Configuring routing

    Configuring routing

    Similar to single hub, we need iBGP sessions to each to propagate routes.

    Following is a summary of how to configure routing:

    1. Edit the existing overlay template, or create a new overlay CLI template. See Creating a template.
    2. Define new Meta Fields for the second Hub. See Defining Meta Fields.
    3. Add the template to the template group. See Adding the CLI template to the group.

    Creating a template

    Create (or import) another CLI Template, called 02-Edge-DualHub-Routing.

    As before, this template will configure IBGP sessions to the Hubs - this time, to both of them. We will follow the same guidelines described in the previous chapter.

    Here is the content of this CLI Template in our example topology:

    config router static

    edit 101

    set dst $(lan-summary)

    set blackhole enable

    set comment "Avoid potential leak of corporate traffic to underlay"

    next

    edit 102

    set dst 10.200.0.0/14

    set device "H1_INET"

    set comment "Cross-overlay BGP NH reachability"

    next

    edit 103

    set dst 10.200.0.0/14

    set device "H1_MPLS"

    set comment "Cross-overlay BGP NH reachability"

    next

    end

    config router bgp

    set as $(as)

    set router-id $(lan-net:4,1)

    set keepalive-timer 5

    set holdtime-timer 15

    set ibgp-multipath enable

    set additional-path enable

    # additional-path-select = max. number of overlays * max. number of hubs

    set additional-path-select 2

    config neighbor

    edit $(h1-inet-tunnel-ip)

    set soft-reconfiguration enable

    set advertisement-interval 1

    set link-down-failover enable

    set interface "H1_INET"

    set connect-timer 1

    set remote-as $(as)

    set additional-path receive

    next

    edit $(h1-mpls-tunnel-ip)

    set soft-reconfiguration enable

    set advertisement-interval 1

    set link-down-failover enable

    set interface "H1_MPLS"

    set connect-timer 1

    set remote-as $(as)

    set additional-path receive

    next

    edit $(h2-inet-tunnel-ip)

    set soft-reconfiguration enable

    set advertisement-interval 1

    set link-down-failover enable

    set interface "H2_INET"

    set connect-timer 1

    set remote-as $(as)

    set additional-path receive

    next

    edit $(h2-mpls-tunnel-ip)

    set soft-reconfiguration enable

    set advertisement-interval 1

    set link-down-failover enable

    set interface "H2_MPLS"

    set connect-timer 1

    set remote-as $(as)

    set additional-path receive

    next

    end

    config network

    edit 1

    set prefix $(lan-net)

    next

    end

    end

    Defining Meta Fields

    You will notice the following additional Meta Fields used:

    Meta Field

    Description

    h2-inet-tunnel-ip

    Tunnel IP of the Internet overlay on the Secondary Hub

    h2-mpls-tunnel-ip

    Tunnel IP of the MPLS overlay on the Secondary Hub

    Navigate to System Settings > Advanced > Meta Fields, and create the missing Meta Fields listed in the table above. All the Meta Fields must be of type Device and defined as Optional.

    Adding the CLI template to the group

    To add the CLI template to the group:

    Add the new CLI template to the group Edge-DualHub-Template created earlier.

    Previous
    Next

    Configuring routing

    Configuring routing

    Similar to single hub, we need iBGP sessions to each to propagate routes.

    Following is a summary of how to configure routing:

    1. Edit the existing overlay template, or create a new overlay CLI template. See Creating a template.
    2. Define new Meta Fields for the second Hub. See Defining Meta Fields.
    3. Add the template to the template group. See Adding the CLI template to the group.

    Creating a template

    Create (or import) another CLI Template, called 02-Edge-DualHub-Routing.

    As before, this template will configure IBGP sessions to the Hubs - this time, to both of them. We will follow the same guidelines described in the previous chapter.

    Here is the content of this CLI Template in our example topology:

    config router static

    edit 101

    set dst $(lan-summary)

    set blackhole enable

    set comment "Avoid potential leak of corporate traffic to underlay"

    next

    edit 102

    set dst 10.200.0.0/14

    set device "H1_INET"

    set comment "Cross-overlay BGP NH reachability"

    next

    edit 103

    set dst 10.200.0.0/14

    set device "H1_MPLS"

    set comment "Cross-overlay BGP NH reachability"

    next

    end

    config router bgp

    set as $(as)

    set router-id $(lan-net:4,1)

    set keepalive-timer 5

    set holdtime-timer 15

    set ibgp-multipath enable

    set additional-path enable

    # additional-path-select = max. number of overlays * max. number of hubs

    set additional-path-select 2

    config neighbor

    edit $(h1-inet-tunnel-ip)

    set soft-reconfiguration enable

    set advertisement-interval 1

    set link-down-failover enable

    set interface "H1_INET"

    set connect-timer 1

    set remote-as $(as)

    set additional-path receive

    next

    edit $(h1-mpls-tunnel-ip)

    set soft-reconfiguration enable

    set advertisement-interval 1

    set link-down-failover enable

    set interface "H1_MPLS"

    set connect-timer 1

    set remote-as $(as)

    set additional-path receive

    next

    edit $(h2-inet-tunnel-ip)

    set soft-reconfiguration enable

    set advertisement-interval 1

    set link-down-failover enable

    set interface "H2_INET"

    set connect-timer 1

    set remote-as $(as)

    set additional-path receive

    next

    edit $(h2-mpls-tunnel-ip)

    set soft-reconfiguration enable

    set advertisement-interval 1

    set link-down-failover enable

    set interface "H2_MPLS"

    set connect-timer 1

    set remote-as $(as)

    set additional-path receive

    next

    end

    config network

    edit 1

    set prefix $(lan-net)

    next

    end

    end

    Defining Meta Fields

    You will notice the following additional Meta Fields used:

    Meta Field

    Description

    h2-inet-tunnel-ip

    Tunnel IP of the Internet overlay on the Secondary Hub

    h2-mpls-tunnel-ip

    Tunnel IP of the MPLS overlay on the Secondary Hub

    Navigate to System Settings > Advanced > Meta Fields, and create the missing Meta Fields listed in the table above. All the Meta Fields must be of type Device and defined as Optional.

    Adding the CLI template to the group

    To add the CLI template to the group:

    Add the new CLI template to the group Edge-DualHub-Template created earlier.

    Previous
    Next