Fortigate BGP Configuration Notes

1. Network diagram
2. Establishing the BGP neighbor relationship
3. Configuring the BGP network
4. Checking status

1. Network diagram

2. Establishing the BGP neighbor relationship
There is one prerequisite for bringing up a BGP session: by default the peers must be directly connected before BGP can be established, so a GRE tunnel is created first.
Fortigate-A configuration

Fortigate-A#config system gre-tunnel
edit "To-Fortigate-B"
        set interface "wan1"
        set remote-gw 2.2.2.2
        set local-gw 1.1.1.1
next
end
Fortigate-A#config system interface
edit "To-Fortigate-B"
        set vdom "root"
        set ip 192.168.254.13 255.255.255.255
        set type tunnel
        set remote-ip 192.168.254.14 255.255.255.255
        set snmp-index 10
        set interface "wan1"
next
end

Configure BGP

Fortigate-A#config router bgp
    set as 65002
    config neighbor
        edit "192.168.254.14"
            set remote-as 65001
        next
    end
    config network
        edit 1
            set prefix 172.27.28.0 255.255.255.0
        next
    end
    config redistribute "connected"
    end
    config redistribute "rip"
    end
    config redistribute "ospf"
    end
    config redistribute "static"
    end
    config redistribute "isis"
    end
    config redistribute6 "connected"
    end
    config redistribute6 "rip"
    end
    config redistribute6 "ospf"
    end
    config redistribute6 "static"
    end
    config redistribute6 "isis"
    end
end

Fortigate-B configuration

Fortigate-B#config system gre-tunnel
edit "To-Fortigate-A"
        set interface "wan1"
        set remote-gw 1.1.1.1
        set local-gw 2.2.2.2
next
end
Fortigate-B#config system interface
edit "To-Fortigate-A"
        set vdom "root"
        set ip 192.168.254.14 255.255.255.255
        set type tunnel
        set remote-ip 192.168.254.13 255.255.255.255
        set snmp-index 10
        set interface "wan1"
next
end

Configure BGP

Fortigate-B#config router bgp
    set as 65001
    config neighbor
        edit "192.168.254.13"
            set remote-as 65002
        next
    end
    config redistribute "connected"
    end
    config redistribute "rip"
    end
    config redistribute "ospf"
    end
    config redistribute "static"
        set status enable
    end
    config redistribute "isis"
    end
    config redistribute6 "connected"
    end
    config redistribute6 "rip"
    end
    config redistribute6 "ospf"
    end
    config redistribute6 "static"
    end
    config redistribute6 "isis"
    end
end

4. Checking status
Check whether the BGP peer has been established

Fortigate-A#get router info bgp summary
BGP router identifier 192.168.254.21, local AS number 65002
BGP table version is 16
1023 BGP AS-PATH entries
0 BGP community entries

Neighbor             V         AS         MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.254.14    4         65001     42200      15109         15    0    0               1d08h05m    37508

Total number of neighbors 1
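To turn the `get router info bgp summary` output above into a check that can run from a monitoring job, here is an added Python example (not from the original post). It parses the neighbor rows, treats a numeric State/PfxRcd column as an Established session, and flags a missing peer, an unexpected remote AS, a session that is not up, or a received-prefix count below an expected floor. The second neighbor row in the sample and the expected-value table are constructed for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the format of `get router info bgp summary` above; the
# second neighbor row is invented to exercise the "session not up" path.
SAMPLE_SUMMARY = """\
BGP router identifier 192.168.254.21, local AS number 65002

Neighbor             V         AS         MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.254.14    4         65001     42200      15109         15    0    0               1d08h05m    37508
192.168.254.22    4         65003         0          0          0    0    0               never       Active

Total number of neighbors 2
"""

# One neighbor row: IP, BGP version, remote AS, five counters, Up/Down, State/PfxRcd.
ROW_RE = re.compile(r"^(?P<ip>\d+(?:\.\d+){3})\s+\d+\s+(?P<asn>\d+)(?:\s+\d+){5}\s+"
                    r"(?P<updown>\S+)\s+(?P<state>\S+)$")

Peer = Tuple[int, str, Optional[int]]  # (remote AS, state, prefixes received or None)

def parse_bgp_summary(text: str) -> Dict[str, Peer]:
    peers = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header, counter and blank lines do not have the row shape
        last = m.group("state")
        # The last column is the received-prefix count once Established, else the FSM state name.
        if last.isdigit():
            peers[m.group("ip")] = (int(m.group("asn")), "Established", int(last))
        else:
            peers[m.group("ip")] = (int(m.group("asn")), last, None)
    return peers

def check_peers(peers: Dict[str, Peer], expected: Dict[str, Tuple[int, int]]) -> List[str]:
    """expected maps neighbor IP -> (remote AS, minimum prefixes it should send us)."""
    alerts = []
    for ip, (asn, min_pfx) in expected.items():
        if ip not in peers:
            alerts.append(f"{ip}: neighbor not present in summary")
            continue
        remote_as, state, pfx = peers[ip]
        if remote_as != asn:
            alerts.append(f"{ip}: remote AS {remote_as}, expected {asn}")
        elif state != "Established":
            alerts.append(f"{ip}: session state {state}")
        elif pfx < min_pfx:
            alerts.append(f"{ip}: {pfx} prefixes received, expected at least {min_pfx}")
    return alerts
```

A sudden drop in the received-prefix count is worth alerting on as well as a down session, since it usually means the far side withdrew routes or a filter changed.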

Check which routes have been learned

Fortigate-B#get router info bgp neighbors 192.168.254.13 routes
BGP table version is 16390, local router ID is 192.168.254.14
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network                Next Hop            Metric LocPrf Weight Path
*> 172.27.28.0/24   192.168.254.13           0             0 65002 i

Total number of prefixes 1

Check how many routes are being advertised out

Fortigate-B#get router info bgp neighbors 192.168.254.13 advertised-routes

Because the traffic goes through the GRE tunnel, if the TCP MSS needs to be adjusted, it is changed on the firewall policy:

Fortigate-B#config firewall policy
 edit 99
        set uuid c28674ee-1fe3-51ea-97cc-2c097871c32d
        set srcintf "XXXXXX"
        set dstintf "XXXXXX"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set tcp-mss-sender 1400
        set tcp-mss-receiver 1400
        set nat enable
        set ippool enable
        set poolname "CN2-1"
    next
end