Fortigate Advanced Routing 50 PDF
Fortigate Advanced Routing 50 PDF
Fortigate Advanced Routing 50 PDF
Change Log....................................................................................................... 6
Introduction....................................................................................................... 7
Before you begin...................................................................................................... 7
How this guide is organized..................................................................................... 7
Advanced Static routing .................................................................................. 8
Routing concepts..................................................................................................... 8
Routing in VDOMs ............................................................................................. 8
Default route ...................................................................................................... 9
Routing table...................................................................................................... 9
Building the routing table ................................................................................. 16
Static routing security ...................................................................................... 16
Multipath routing and determining the best route ........................................... 18
Route priority .................................................................................................. 19
Troubleshooting static routing ......................................................................... 20
Static routing tips................................................................................................... 22
Policy routing ......................................................................................................... 23
Adding a policy route ....................................................................................... 24
Moving a policy route....................................................................................... 26
Transparent mode static routing............................................................................ 26
Static routing example ........................................................................................... 27
Network layout and assumptions .................................................................... 27
General configuration steps............................................................................. 28
Get your ISP information such as DNS, gateway, etc. .................................... 29
Configure FortiGate unit................................................................................... 29
Configure Admin PC and Dentist PCs ............................................................. 34
Testing network configuration ......................................................................... 35
Advanced static example: ECMP failover and load balancing .............................. 36
Equal-Cost Multi-Path (ECMP) ........................................................................ 36
Configuring interface status detection for gateway load balancing ................ 38
Configuring spillover or usage-based ECMP................................................... 39
Configuring weighted static route load balancing ........................................... 41
Dynamic Routing Overview ........................................................................... 43
What is dynamic routing? ...................................................................................... 43
Comparing static and dynamic routing............................................................ 43
Dynamic routing protocols............................................................................... 44
Minimum configuration for dynamic routing .................................................... 46
Comparison of dynamic routing protocols ............................................................ 46
Features of dynamic routing protocols ............................................................ 46
When to adopt dynamic routing ...................................................................... 49
Page 3
Choosing a routing protocol .................................................................................. 50
Dynamic routing terminology................................................................................. 52
IPv6 in dynamic routing ......................................................................................... 57
Routing Information Protocol (RIP) .............................................................. 58
RIP background and concepts .............................................................................. 58
Background...................................................................................................... 58
Parts and terminology of RIP ........................................................................... 59
How RIP works ................................................................................................ 64
Troubleshooting RIP .............................................................................................. 69
Routing Loops.................................................................................................. 69
Holddowns and Triggers for updates .............................................................. 72
Split horizon and Poison reverse updates ....................................................... 72
Debugging IPv6 on RIPng................................................................................ 73
Simple RIP example............................................................................................... 73
Network layout and assumptions .................................................................... 74
General configuration steps............................................................................. 75
Configuring the FortiGate units system information ........................................ 75
Configuring FortiGate unit RIP router information ........................................... 85
Configuring other networking devices ............................................................. 89
Testing network configuration ......................................................................... 90
RIPng RIP and IPv6........................................................................................... 90
Network layout and assumptions .................................................................... 90
Configuring the FortiGate units system information ........................................ 91
Configuring RIPng on FortiGate units .............................................................. 94
Configuring other network devices .................................................................. 95
Testing the configuration ................................................................................. 95
Border Gateway Protocol (BGP) ................................................................... 97
BGP background and concepts ............................................................................ 97
Background...................................................................................................... 97
Parts and terminology of BGP ......................................................................... 97
How BGP works............................................................................................. 106
Troubleshooting BGP .......................................................................................... 109
Clearing routing table entries ......................................................................... 110
Route flap....................................................................................................... 110
Dual-homed BGP example .................................................................................. 114
Network layout and assumptions .................................................................. 115
Configuring the FortiGate unit........................................................................ 117
Configuring other networking devices ........................................................... 125
Testing this configuration............................................................................... 126
Redistributing and blocking routes in BGP ......................................................... 127
Network layout and assumptions .................................................................. 128
Configuring the FortiGate unit........................................................................ 129
Testing network configuration ....................................................................... 133
Fortinet Technologies Inc. Page 4 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Open Shortest Path First (OSPF) ................................................................ 134
OSPF Background and concepts ........................................................................ 134
Background.................................................................................................... 134
The parts and terminology of OSPF .............................................................. 134
How OSPF works........................................................................................... 140
Troubleshooting OSPF ........................................................................................ 145
Clearing OSPF routes from the routing table................................................. 145
Checking the state of OSPF neighbors ......................................................... 146
Passive interface problems............................................................................ 146
Timer problems .............................................................................................. 146
Bi-directional Forwarding Detection (BFD) .................................................... 146
Authentication issues..................................................................................... 147
DR and BDR election issues .......................................................................... 147
Basic OSPF example ........................................................................................... 147
Network layout and assumptions .................................................................. 148
Configuring the FortiGate units...................................................................... 149
Configuring OSPF on the FortiGate units ...................................................... 152
Configuring other networking devices ........................................................... 159
Testing network configuration ....................................................................... 159
Advanced inter-area OSPF example ................................................................... 160
Network layout and assumptions .................................................................. 160
Configuring the FortiGate units...................................................................... 162
Configuring OSPF on the FortiGate units ...................................................... 166
Configuring other networking devices ........................................................... 170
Testing network configuration ....................................................................... 170
Controlling redundant links by cost ..................................................................... 170
Adjusting the route costs ............................................................................... 172
Verifying route redundancy ............................................................................ 174
Index .............................................................................................................. 175
Fortinet Technologies Inc. Page 5 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Change Log
Page 6
Introduction
Dynamic routing is required in complex and changing network configurations where static
routing does not provide sufficient convergence, redundancy, or other extended functionality.
This guide provides detailed information about FortiGate dynamic routing including common
dynamic routing features, troubleshooting, and each of the protocols including RIP, BGP, and
OSPF.
This chapter contains the following sections:
Before you begin
How this guide is organized
Before you begin using this guide, take a moment to note the following:
This guide is based on the assumption that you are a FortiGate administrator.
The configuration examples show steps for both the web-based manager (GUI) and the CLI.
For more information about using the CLI, see the FortiGate CLI Reference:
At this stage, the following installation and configuration conditions are assumed:
You have administrative access to the web-based manager and CLI.
This chapter describes advanced static routing concepts and how to implement dynamic
routing on FortiGate units.
This FortiOS Handbook chapter contains the following sections:
Advanced Static routing explains universal and static routing concepts, equal cost multipath
(ECMP) and load balancing, policy routing, and routing in transparent mode.
Dynamic Routing Overview provides an overview of dynamic routing, compares static and
dynamic routing, and walks you through deciding which dynamic routing protocol is best for
you, which are individually detailed in the next three sections.
Routing Information Protocol (RIP),
Border Gateway Protocol (BGP),
and Open Shortest Path First (OSPF), which provide background on the specific protocol,
explaining terms used, and how the protocol works, as well as providing some troubleshooting
information and examples on configuring the protocols in different situations.
Page 7
Advanced Static routing
Advanced static routing includes features and concepts that are used in more complex
networks. Dynamic routing is not addressed in this section.
This section includes:
Routing concepts
Static routing tips
Policy routing
Transparent mode static routing
Static routing example
Advanced static example: ECMP failover and load balancing
Routing concepts
Many routing concepts apply to static routing. However without first understanding these basic
concepts, it is difficult to understand the more complex dynamic routing.
This section includes:
Routing in VDOMs
Default route
Routing table
Building the routing table
Static routing security
Multipath routing and determining the best route
Routing in VDOMs
Routing on FortiGate units is configured per-VDOM. This means if VDOMs are enabled, you
must enter a VDOM to do any routing configuration. This allows each VDOM to operate
independently, with its own default routes and routing configuration.
In this guide, the procedures assume your FortiGate unit has VDOMs disabled. This is stated in
the assumptions for the examples. If you have VDOMs enabled you will need to perform the
following steps in addition to the procedures steps.
Page 8
Default route
The default route is used if either there are no other routes in the routing table or if none of the
other routes apply to a destination. Including the gateway in the default route gives all traffic a
next-hop address to use when leaving the local network. The gateway address is normally
another router on the edge of the local network.
All routers, including FortiGate units, are shipped with default routes in place. This allows
customers to set up and become operational more quickly. Beginner administrators can use the
default route settings until a more advanced configuration is warranted.
FortiGate units come with a default static route with an IPv4 address of 0.0.0.0, an
administration distance of 10, and a gateway IPv4 address.
Routing table
When two computers are directly connected, there is no need for routing because each
computer knows exactly where to find the other computer. They communicate directly.
Networking computers allows many computers to communicate with each other. This requires
each computer to have an IP address to identify its location to the other computers. This is
much like a mailing address - you will not receive your postal mail at home if you do not have an
address for people to send mail to. The routing table on a computer is much like an address
book used to mail letters to people in that the routing table maintains a list of how to reach
computers. Routing tables may also include information about the quality of service (QoS) of the
route, and the interface associated with the route if the device has multiple interfaces.
Looking at routing as delivering letters is more simple than reality. In reality, routers loose power
or have bad cabling, network equipment is moved without warning, and other such events
happen that prevent static routes from reaching their destinations. When any changes such as
these happen along a static route, traffic can no longer reach the destination the route goes
down. Dynamic routing can address these changes to ensure traffic still reaches its destination.
The process of realizing there is a problem, backtracking and finding a route that is operational
is called convergence. If there is fast convergence in a network, users wont even know that
re-routing is taking place.
The routing table for any device on the network has a limited size. For this reason, routes that
arent used are replaced by new routes. This method ensures the routing table is always
populated with the most current and most used routesthe routes that have the best chance of
being reused. Another method used to maintain the routing tables size is if a route in the table
and a new route are to the same destination, one of the routes is selected as the best route to
that destination and the other route is discarded.
Routing tables are also used in unicast reverse path forwarding (uRPF). In uRPF, the router not
only looks up the destination information, but also the source information to ensure that it
exists. If there is no source to be found, then that packet is dropped because the router
assumes it to be an error or an attack on the network.
The routing table is used to store routes that are learned. The routing table for any device on the
network has a limited size. For this reason, routes that arent used are replaced by new routes.
This method ensures the routing table is always populated with the most current and most used
routes the routes that have the best chance of being reused. Another method used to
maintain the routing tables size is if a route in the table and a new route are to the same
destination, one of the routes is selected as the best route to that destination and the other
route is discarded.
Fortinet Technologies Inc. Page 9 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Some actions you can perform on the routing table include:
Viewing the routing table in the web-based manager
Viewing the routing table in the CLI
Searching the routing table
Fortinet Technologies Inc. Page 10 FortiOS Handbook - Advanced Routing for FortiOS 5.0
IP version: Select IPv4 or IPv6. This is available only when IPv6 is enabled in the
web-based manager. The fields displayed in the table depend on which IP
version is selected.
Type: Select one of the following route types to search the routing table and
display routes of the selected type only:
All all routes recorded in the routing table.
Connected all routes associated with direct connections to FortiGate
unit interfaces.
Static the static routes that have been added to the routing table
manually.
RIP all routes learned through RIP. For more information see Routing
Information Protocol (RIP) on page 58.
RIPNG all routes learned through RIP version 6 (which enables the
sharing of routes through IPv6 networks).
BGP all routes learned through BGP. For more information see Border
Gateway Protocol (BGP) on page 97.
OSPF all routes learned through OSPF. For more information see Open
Shortest Path First (OSPF) on page 134.
OSPF6 all routes learned through OSPF version 6 (which enables the
sharing of routes through IPv6 networks).
IS-IS all routes learned through IS-IS. For more information see
Intermediate System To Intermediate System Protocol (IS-IS) on
page 176.
HA RIP, OSPF, and BGP routes synchronized between the primary unit
and the subordinate units of a high availability (HA) cluster. HA routes are
maintained on subordinate units and are visible only if you are viewing the
router monitor from a virtual domain that is configured as a subordinate
virtual domain in a virtual cluster.
Not displayed when IP version IPv6 is selected.
For details about HA routing synchronization, see the FortiGate HA User
Guide.
Apply Filter Select to search the entries in the routing table based on the specified
search criteria and display any matching routes.
Not displayed when IP version IPv6 is selected.
Type The type values assigned to FortiGate unit routes (Static, Connected, RIP,
OSPF, or BGP).
Not displayed when IP version IPv6 is selected.
Fortinet Technologies Inc. Page 11 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Subtype If applicable, the subtype classification assigned to OSPF routes.
An empty string implies an intra-area route. The destination is in an area to
which the FortiGate unit is connected.
OSPF inter area the destination is in the OSPF AS, but the FortiGate unit
is not connected to that area.
External 1 the destination is outside the OSPF AS. This is known as
OSPF E1 type. The metric of a redistributed route is calculated by adding
the external cost and the OSPF cost together.
External 2 the destination is outside the OSPF AS. This is known as
OSPF E2 type. In this case, the metric of the redistributed route is
equivalent to the external cost only, expressed as an OSPF cost.
OSPF NSSA 1 same as External 1, but the route was received through a
not-so-stubby area (NSSA).
OSPF NSSA 2 same as External 2, but the route was received through a
not-so-stubby area.
For more information on OSPF subtypes, see OSPF Background and
concepts on page 134.
Not displayed when IP version 6 is selected.
Network The IP addresses and network masks of destination networks that the
FortiGate unit can reach.
Distance The administrative distance associated with the route. A value of 0 means
the route is preferable compared to other routes to the same destination,
and the FortiGate unit may routinely use the route to communicate with
neighboring routers and access servers.
Modifying this distance for dynamic routes is route distribution. See
Redistributing and blocking routes in BGP on page 127
Not displayed when IP version 6 is selected.
Metric The metric associated with the route type. The metric of a route influences
how the FortiGate unit dynamically adds it to the routing table. The
following are types of metrics and the protocols they are applied to.
Hop count routes learned through RIP.
Relative cost routes learned through OSPF.
Multi-Exit Discriminator (MED) routes learned through BGP. However,
several attributes in addition to MED determine the best path to a
destination network. For more information on BGP attributes, see BGP
attributes on page 103. By default, the MED value associated with a BGP
route is zero. However, the MED value can be modified dynamically. If the
value was changed from the default, the Metric column will display a
non-zero value.
Not displayed when IP version 6 is selected.
Fortinet Technologies Inc. Page 12 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Interface The interface through which packets are forwarded to the gateway of the
destination network.
Up Time The total accumulated amount of time that a route learned through RIP,
OSPF, or BGP has been reachable.
Not displayed when IP version IPv6 is selected.
If VDOMs are enabled on your FortiGate unit, all routing related CLI commands must be
performed within a VDOM and not in the global context.
Examining an entry:
B 10.160.0.0/23 [20/0] via 10.142.0.74, port3, 2d18h02m
Fortinet Technologies Inc. Page 13 FortiOS Handbook - Advanced Routing for FortiOS 5.0
B BGP. The routing protocol used.
2d18h02m How old this route is, in this case almost three days old.
tab table number. This will be either 254 (unicast) or 255 (multicast).
Fortinet Technologies Inc. Page 14 FortiOS Handbook - Advanced Routing for FortiOS 5.0
proto type of installation. This indicates where the route came from. Valid
values include:
0 - unspecific
2 - kernel
11 - ZebOS routing module
14 - FortiOS
15 - HA
16 - authentication based
17 - HA1
gwy gateway - the address of the gateway this route will use
Fortinet Technologies Inc. Page 15 FortiOS Handbook - Advanced Routing for FortiOS 5.0
5. Select Apply Filter.
All of the values that you specify as search criteria must match corresponding values in the
same routing table entry in order for that entry to be displayed.
Fortinet Technologies Inc. Page 16 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Network Address Translation (NAT)
Network address translation (NAT) is a method of changing the address traffic appears to
originate from. This practice is used to hide the IP address on companys internal networks, and
helps prevent malicious attacks that use those specific addresses.
This is accomplished by the router connected to that local network changing all the IP
addresses to its externally connected IP address before sending the traffic out to the other
networks, such as the Internet. Incoming traffic uses the established sessions to determine
which traffic goes to which internal IP address. This also has the benefit of requiring only the
router to be very secure against external attacks, instead of the whole internal network as would
be the case without NAT. Securing one computer is much cheaper and easier to maintain.
Configuring NAT on your FortiGate unit includes the following steps.
1. Configure your internal network. For example use the 10.11.101.0 subnet.
2. Connect your internal subnet to an interface on your FortiGate unit. For example use port1.
3. Connect your external connection, for example an ISP gateway of 172.20.120.2, to
another interface on your Fortigate unit, for example port2.
4. Configure security policies to allow traffic between port1 and port2 on your FortiGate unit,
ensuring that the NAT feature is enabled.
The above steps show that traffic from your internal network will originate on the 10.11.101.0
subnet and pass on to the 172.20.120.0 network. The FortiGate unit moves the traffic to the
proper subnet. In doing that, the traffic appears to originate from the FortiGate unit interface on
that subnet it does not appear to originate from where it actually came from.
NAT hides the internal network from the external network. This provides security through
obscurity. If a hacker tries to directly access your network, they will find the Fortigate unit, but
will not know about your internal network. The hacker would have to get past the
security-hardened FortiGate unit to gain access to your internal network. NAT will not prevent
hacking attempts that piggy back on valid connections between the internal network and the
outside world. However other UTM security measures can deal with these attempts.
Another security aspect of NAT is that many programs and services have problems with NAT.
Consider if someone on the Internet tries to initiate a chat with someone on the internal
network. The outsider only can access the FortiGate units external interface unless the security
policy allows the traffic through to the internal network. If allowed in, the proper internal user
would respond to the chat. However if its not allowed, the request to chat will be refused or
time-out. This is accomplished in the security policy by allowing or denying different protocols.
Blackhole Route
A blackhole route is a route that drops all traffic sent to it. It is very much like /dev/null in Linux
programming.
Fortinet Technologies Inc. Page 17 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Blackhole routes are used to dispose of packets instead of responding to suspicious inquiries.
This provides added security since the originator will not discover any information from the
target network.
Blackhole routes can also limit traffic on a subnet. If some subnet addresses are not in use,
traffic to those addresses (traffic which may be valid or malicious) can be directed to a
blackhole for added security and to reduce traffic on the subnet.
The loopback interface, a virtual interface that does not forward traffic, was added to enable
easier configuration of blackhole routing. Similar to a normal interface, this loopback interface
has fewer parameters to configure, and all traffic sent to it stops there. Since it cannot have
hardware connection or link status problems, it is always available, making it useful for other
dynamic routing roles. Once configured, you can use a loopback interface in security policies,
routing, and other places that refer to interfaces. You configure this feature only from the CLI.
For more information, see the system chapter of the FortiGate CLI Reference.
Fortinet Technologies Inc. Page 18 FortiOS Handbook - Advanced Routing for FortiOS 5.0
speed, and so on. The default administrative distances for any of these routing protocols are
configurable.
Static 10
EBGP 20
OSPF 110
RIP 120
IBGP 200
Another method to determine the best route is to manually change the priority of both routes in
question. If the next-hop administrative distances of two routes on the FortiGate unit are equal,
it may not be clear which route the packet will take. Manually configuring the priority for each of
those routes will make it clear which next-hop will be used in the case of a tie. The priority for a
route be set in the CLI, or when editing a specific static route, as described in the next section.
Lower priority routes are preferred. Priority is a Fortinet value that may or may not be present in
other brands of routers.
All entries in the routing table are associated with an administrative distance. If the routing table
contains several entries that point to the same destination (the entries may have different
gateways or interface associations), the FortiGate unit compares the administrative distances of
those entries first, selects the entries having the lowest distances, and installs them as routes in
the FortiGate unit forwarding table. As a result, the FortiGate unit forwarding table contains only
those routes having the lowest distances to every possible destination. While only static routing
uses administrative distance as its routing metric, other routing protocols such as RIP can use
metrics that are similar to administrative distance.
Route priority
After the FortiGate unit selects static routes for the forwarding table based on their
administrative distances, the priority field of those routes determines routing preference. Priority
is a Fortinet value that may or may not be present in other brands of routers.
You can configure the priority field through the CLI or the web-based manager. Priority values
can range from 0 to 4 294 967 295. The route with the lowest value in the priority field is
considered the best route. It is also the primary route.
Fortinet Technologies Inc. Page 19 FortiOS Handbook - Advanced Routing for FortiOS 5.0
To change the priority of a route - CLI
The following command changes the priority to 5 for a route to the address 10.10.10.1 on the
port1 interface.
config router static
edit 1
set device port1
set gateway 10.10.10.10
set dst 10.10.10.1
set priority 5
end
If there are other routes set to priority 10, the route set to priority 5 will be preferred. If there are
routes set to priorities less than 5, those other routes will be preferred instead.
In summary, because you can use the CLI to specify which sequence numbers or priority field
settings to use when defining static routes, you can prioritize routes to the same destination
according to their priority field settings. For a static route to be the preferred route, you must
create the route using the config router static CLI command and specify a low priority
for the route. If two routes have the same administrative distance and the same priority, then
they are equal cost multipath (ECMP) routes.
Since this means there is more than one route to the same destination, it can be confusing
which route or routes to install and use. However, if you have enabled load balancing with
ECMP routes, then different sessions will resolve this problem by using different routes to the
same address.
Ping
Beyond the basic connectivity information, ping can tell you the amount of packet loss (if any),
how long it takes the packet to make the round trip, and the variation in that time from packet to
packet.
If there is no packet loss detected, your basic network connectivity is OK.
If there is some packet loss detected, you should investigate:
possible ECMP, split horizon, network loops
cabling to ensure no loose connections
Fortinet Technologies Inc. Page 20 FortiOS Handbook - Advanced Routing for FortiOS 5.0
If there is total packet loss, you should investigate:
hardware - ensure cabling is correct, and all equipment between the two locations is
accounted for
addresses and routes - ensure all IP addresses and routing information along the route is
configured as expected
firewalls - ensure all firewalls are set to allow PING to pass through
Traceroute
Where ping will only tell you if it reached its destination and came back successfully, traceroute
will show each step of its journey to its destination and how long each step takes. If ping finds
an outage between two points, traceroute can be used to locate exactly where the problem is.
Fortinet Technologies Inc. Page 21 FortiOS Handbook - Advanced Routing for FortiOS 5.0
If the FortiGate is running in NAT mode, verify that all desired routes are in the routing table:
local subnets, default routes, specific static routes, and dynamic routing protocols.
To check the routing table in the web-based manager, use the Routing Monitor go to Router
> Monitor > Routing Monitor. In the CLI, use the command get router info
routing-table all.
When your network goes beyond basic static routing, here are some tips to help you plan and
manage your static routing.
Fortinet Technologies Inc. Page 22 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Policy routing
Policy routing enables you to redirect traffic away from a static route. This can be useful if you
want to route certain types of network traffic differently. You can use incoming traffics protocol,
source address or interface, destination address, or port number to determine where to send
the traffic. For example, generally network traffic would go to the router of a subnet, but you
might want to direct SMTP or POP3 traffic directly to the mail server on that subnet.
If you have configured the FortiGate unit with routing policies and a packet arrives at the
FortiGate unit, the FortiGate unit starts at the top of the Policy Route list and attempts to match
the packet with a policy. If a match is found and the policy contains enough information to route
the packet (a minimum of the IP address of the next-hop router and the FortiGate interface for
forwarding packets to it), the FortiGate unit routes the packet using the information in the policy.
If no policy route matches the packet, the FortiGate unit routes the packet using the routing
table.
Most policy settings are optional, so a matching policy alone might not provide enough
information for forwarding the packet. The FortiGate unit may refer to the routing table
in an attempt to match the information in the packet header with a route in the routing
table. For example, if the outgoing interface is the only item in the policy, the FortiGate
unit looks up the IP address of the next-hop router in the routing table. This situation
could happen when the interfaces are dynamic (such as DHCP or PPPoE) and you do
not want or are unable to specify the IP address of the next-hop router.
Policy route options define which attributes of a incoming packet cause policy routing to occur.
If the attributes of a packet match all the specified conditions, the FortiGate unit routes the
packet through the specified interface to the specified gateway.
To view policy routes go to Router > Static > Policy Route.
Create New Add a policy route. See Adding a policy route on page 24.
Move the selected policy route. Enter the new position and select OK.
Move To icon
For more information, see Moving a policy route on page 26.
Outgoing The interfaces through which policy routed packets are routed.
The IP source addresses and network masks that cause policy routing
Source
to occur.
Fortinet Technologies Inc. Page 23 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Adding a policy route
To add a policy route, go to Router > Static > Policy Route and select Create New.
Type the IP address of the next-hop router that the FortiGate unit
Gateway Address
can access through the specified interface.
Protocol 6
Fortinet Technologies Inc. Page 24 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Destination Ports From 21 to 21
Type of Service
Type of service (TOS) is an 8-bit field in the IP header that enables you to determine how the IP
datagram should be delivered, with such qualities as delay, priority, reliability, and minimum
cost.
Each quality helps gateways determine the best way to route datagrams. A router maintains a
ToS value for each route in its routing table. The lowest priority TOS is 0, the highest is 7 - when
bits 3, 4, and 5 are all set to 1. The router tries to match the TOS of the datagram to the TOS on
one of the possible routes to the destination. If there is no match, the datagram is sent over a
zero TOS route.
Using increased quality may increase the cost of delivery because better performance may
consume limited network resources. For more information, see RFC 791 and RFC 1349.
Table 2: The role of each bit in the IP header TOS 8-bit field
For example, if you want to assign low delay, and high reliability, say for a VoIP application
where delays are unacceptable, you would use a bit pattern of xxx1x1xx where an x indicates
that bit can be any value. Since all bits are not set, this is a good use for the bit mask; if the
mask is set to 0x14, it will match any TOS packets that are set to low delay and high reliability.
Fortinet Technologies Inc. Page 25 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Moving a policy route
A routing policy is added to the bottom of the routing table when it is created. If you prefer to
use one policy over another, you may want to move it to a different location in the routing policy
table.
The option to use one of two routes happens when both routes are a match, for example
172.20.0.0/255.255.0.0 and 172.20.120.0/255.255.255.0. If both of these routes
are in the policy table, both can match a route to 172.20.120.112 but you consider the
second one as a better match. In that case the best match route should be positioned before
the other route in the policy table.
To change the position of a policy route in the table, go to Router > Static > Policy Route and
select Move To for the policy route you want to move.
Select Before to place the selected Policy Route before the indicated
Before/After
route. Select After to place it following the indicated route.
Enter the Policy route ID of the route in the Policy route table to move
Policy route ID
the selected route before or after.
FortiOS operating modes allow you to change the configuration of your FortiGate unit
depending on the role it needs to fill in your network.
NAT/Route operating mode is the standard mode where all interfaces are accessed individually,
and traffic can be routed between ports to travel from one network to another.
In transparent operating mode, all physical interfaces act like one interface. The FortiGate unit
essentially becomes a bridge traffic coming in over any interface is broadcast back out over
all the interfaces on the FortiGate unit.
In transparent mode, there is no entry for routing at the main level of the menu on the
web-based manager display as there is in NAT/Route mode. Routing is instead accessed
through the network menu option.
To view the routing table in transparent mode, go to System > Network > Routing Table.
When viewing or creating a static route entry in transparent mode there are only three fields
available.
The destination of the traffic being routed. The first entry is attempted
Destination first for a match, then the next, and so on until a match is found or the
IP/Mask last entry is reached. If no match is found, the traffic will not be routed.
Use 0.0.0.0 to match all traffic destinations. This is the default route.
Specifies the next hop for the traffic. Generally the gateway is the
Gateway
address of a router on the edge of your network.
The priority is used if there is more than one match for a route. This
allows multiple routes to be used, with one preferred. If the preferred
route is unavailable the other routes can be used instead.
Priority Valid range of priority can be from 0 to 4 294 967 295.
If more than one route matches and they have the same priority it
becomes an ECMP situation and traffic is shared among those routes.
See Route priority on page 19.
Fortinet Technologies Inc. Page 26 FortiOS Handbook - Advanced Routing for FortiOS 5.0
When configuring routing on a FortiGate unit in transparent mode, remember that all interfaces
must be connected to the same subnet. That means all traffic will be coming from and leaving
on the same subnet. This is important because it limits your static routing options to only the
gateways attached to this subnet. For example, if you only have one router connecting your
network to the Internet then all static routing on the FortiGate unit will use that gateway. For this
reason static routing on FortiGate units in transparent mode may be a bit different, but it is not
as complex as routing in NAT/Route mode.
This is an example of a typical small network configuration that uses only static routing.
This network is in a dentist office that includes a number of dentists, assistants, and office staff.
The size of the office is not expected to grow significantly in the near future, and the network
usage is very stablethere are no new applications being added to the network.
The users on the network are:
admin staff - access to local patient records, and go online for billing purposes
dentists - access and update local patient records, research online from desk
assistants - access and update local patient records in exam rooms
The distinction here is mainly that only the admin staff and dentists office proper need access
to the internetall the other traffic is local and doesnt need to need to leave the local network.
Routing is only required for the outbound traffic, and the computers that have valid outbound
traffic.
Only configuring routing on computers that need it will act as an additional layer of security by
helping prevent malicious traffic from leaving the network.
Fortinet Technologies Inc. Page 27 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Assumptions about these computers, and network include:
the FortiGate unit is a model with interfaces labeled port1 and port2
the FortiGate unit has been installed and is configured in NAT/Route mode
VDOMs are not enabled
the computers on the network are running MS Windows software
any hubs required in the network are not shown in the network diagram
the network administrator has access to the ISP IP addresses, and is the super_admin
administrator on the FortiGate unit
Exam5 Dentist3
Forti
FortiGate
F o
unit
Exam6
Exam4
Exam3 Dentist1
Exam2 Dentist2
Dentist office
Dental exam Admin
computers
room computers desk
Exam1
Printer
Table 3: Static routing example device names, IP addresses, and level of access
Exam1-5 192.168.10.31-35 NO
Printer 192.168.10.41 NO
Fortinet Technologies Inc. Page 28 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Get your ISP information such as DNS, gateway, etc.
Your local network connects to the Internet through your Internet Service Provider (ISP). They
have IP addresses that you need to configure your network and routing.
The addresses needed for routing are your assigned IP address, DNS servers, and the gateway.
IP/Netmask 172.100.1.1/255.255.255.0
Fortinet Technologies Inc. Page 29 FortiOS Handbook - Advanced Routing for FortiOS 5.0
2. Enter the following:
IP/Netmask 172.100.20.20/255.255.255.0
Fortinet Technologies Inc. Page 30 FortiOS Handbook - Advanced Routing for FortiOS 5.0
to update their software. The FortiGate unit can store an up to date copy of the FortiClient
software and offer a URL to it for users to install it if they need to.
Destination port1
Interface/Zone
Schedule always
Service Multiple.
Select DHCP, DNS,FTP, HTTP,
HTTPS, NTP, POP3, SMTP, SSH.
Action ACCEPT
11.Select OK.
12.Select Create New.
13.Enter the following:
Fortinet Technologies Inc. Page 31 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Source Interface/Zone port1
Destination port2
Interface/Zone
Schedule always
Service Multiple.
Select DHCP, DNS,FTP, HTTP,
HTTPS, NTP, POP3, SMTP, SSH.
Action ACCEPT
14.Select OK.
Fortinet Technologies Inc. Page 32 FortiOS Handbook - Advanced Routing for FortiOS 5.0
To configure security policies - CLI
config firewall address
edit "Admin"
set associated-interface "port1"
set subnet 192.168.10.11 255.255.255.255
next
edit "Dentist1"
set associated-interface "port1"
set subnet 192.168.10.21 255.255.255.255
next
edit "Dentist2"
set associated-interface "port1"
set subnet 192.168.10.22 255.255.255.255
next
edit "Dentist3"
set associated-interface "port1"
set subnet 192.168.10.23 255.255.255.255
end
config firewall addrgrp
edit Internet_PCs
set member Admin Dentist1 Dentist2 Dentist3
end
config firewall policy
edit 1
set srcintf port1
set dstintf port2
set srcaddr Internet_PCs
set dstaddr all
set action accept
set schedule always
set service "DHCP" "DNS" "FTP" "HTTP" "HTTPS" "NTP" "POP3"
"SMTP" "SSH"
set logtraffic enable
set endpoint-check enable
set label "Section2"
set endpoint-restrict-check no-av db-outdated
next
edit 2
set srcintf port2
set dstintf port1
set srcaddr all
set dstaddr Internet_PCs
set action accept
set schedule always
set service "DHCP" "DNS" "FTP" "HTTP" "HTTPS" "NTP" "POP3"
"SMTP" "SSH"
set logtraffic enable
set endpoint-check enable
set label "Section2"
Fortinet Technologies Inc. Page 33 FortiOS Handbook - Advanced Routing for FortiOS 5.0
set endpoint-restrict-check no-av db-outdated
end
end
Device port2
Gateway 172.100.20.5
Distance 10
4. Select OK.
The Windows CLI procedure does not configure the DNS entries. It just adds the static routes.
To configure routing and DNS on Admin and Dentist PCs - Windows GUI
1. On PC, select Start > Control Panel > Network Connections.
2. Right click on the network connection to your local network that has a status of Connected,
and select Properties.
Fortinet Technologies Inc. Page 34 FortiOS Handbook - Advanced Routing for FortiOS 5.0
3. Under the General tab, from the list select TCP/IP, and Properties.
4. Under Gateway, enter the FortiGate unit address (192.168.10.1).
5. Enter the primary and secondary DNS server addresses from your ISP (172.11.22.33 and
172.11.22.34).
6. Select OK.
Fortinet Technologies Inc. Page 35 FortiOS Handbook - Advanced Routing for FortiOS 5.0
5. At the command prompt enter exit to close the window.
6. Repeat these steps for all PCs on the local network.
If the output does not appear similar to above, there is a problem with the network
configuration between these two PCs.
Equal Cost Multi-Path (ECMP) load balancing and failover are methods that extend basic static
routing. They allow you to use your network bandwidth more effectively and with less down time
than if you used basic static routing alone.
The concepts in this section include:
Equal-Cost Multi-Path (ECMP)
Configuring interface status detection for gateway load balancing
Configuring spillover or usage-based ECMP
Configuring weighted static route load balancing
If multiple routes to the same destination have the same priority but different
distances, the route with the lowest distance is used. If multiple routes to the same
destination have the same distance but different priorities, the route with the lowest
priority is used. Distance takes precedence over priority. If multiple routes to the
same destination have different distances and different priorities, the route with the
lowest distance is always used even if it has the highest priority.
Fortinet Technologies Inc. Page 36 FortiOS Handbook - Advanced Routing for FortiOS 5.0
If more than one ECMP route is available, you can configure how the FortiGate unit selects the
route to be used for a communication session. If only one ECMP route is available (for example,
because an interface cannot process traffic because interface status detection does not receive
a reply from the configured server) then all traffic uses this route.
Previous versions of FortiOS provided source IP-based load balancing for ECMP routes, but
now FortiOS includes three configuration options for ECMP route failover and load balancing:
You can configure only one of these ECMP route failover and load balancing methods in a single
VDOM. If your FortiGate unit is configured for multiple VDOM operation, each VDOM can have
its own ECMP route failover and load balancing configuration.
To configure the ECMP load balancing method from the web-based manager
1. Go to Router > Static > Settings.
2. Set ECMP Load Balance Method to Source IP based, Weighted Load Balance, or Spillover.
Fortinet Technologies Inc. Page 37 FortiOS Handbook - Advanced Routing for FortiOS 5.0
If the FortiGate unit receives a large number of sessions with the same destination IP address,
because all of these sessions will be processed by the same route, it may appear that sessions
are not distributed according to the ECMP route failover and load balancing configuration.
As long as the unit receives responses for at least one of the protocols that you select,
the unit assumes the server is operating and can forward packets. Responding to
more than one protocol does not enhance the status of the server or interface.
Use TCP echo to confirm that the server is responding. Select this
option if the server is configured to provide TCP echo services. In
some cases a server may be configured to reply to TCP echo
requests but not to reply to ICMP pings.
TCP echo uses TCP packets on port number 7 to send a text string
to the server and expect an echo reply back from the server. The
TCP Echo
echo reply just echoes back the same text to confirm that the server
can respond to TCP requests.
FortiGate units do not recognize RST (reset) packets from TCP
Echo servers as normal TCP echo replies. If the unit receives an
RST response to a TCP echo request, the unit assumes the server
is unreachable.
Fortinet Technologies Inc. Page 38 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Use UDP echo to detect the server. Select this option if the server is
configured to provide UDP echo services. In some cases a server
may be configured to reply to UDP echo requests but not to reply
ICMP pings.
UDP Echo
UDP echo uses UDP packets on port number 7 to send a text string
to the server and expects an echo reply from the server. The echo
reply just echoes back the same text to confirm that the server can
respond to UDP requests.
Failover Enter the number of times the test can fail before the unit assumes
Threshold that the interface cannot connect to the server.
4. Select OK.
Fortinet Technologies Inc. Page 39 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Gateway 172.20.130.3
Advanced
Distance 10
Interface port3
Spillover Threshold 100
Interface port4
Spillover Threshold 200
Fortinet Technologies Inc. Page 40 FortiOS Handbook - Advanced Routing for FortiOS 5.0
The FortiGate unit selects an ECMP route for a new session by finding the first route in the
routing table that sends the session out a FortiGate unit interface that is not processing more
traffic that its configured route spill-over limit.
For example, consider a FortiGate unit with interfaces port3 and port4 both connected to the
Internet through different ISPs. ECMP routing is set to usage-based and route spillover for to
100 KBps for port3 and 200 KBps for port4. Two ECMP default routes are added, one for port3
and one for port4.
If the route to port3 is higher in the routing table than the route to port4, the FortiGate unit sends
all default route sessions out port3 until port3 is processing 10Mbps of data. When port3
reaches its configured bandwidth limit, the FortiGate unit sends all default route sessions out
port4. When the bandwidth usage of port3 falls below 10Mbps, the FortiGate again sends all
default route sessions out port3.
New sessions with destination IP addresses that are already in the routing cache; however, use
the cached routes. This means that even if port3 is exceeding its bandwidth limit, new sessions
can continue to be sent out port3 if their destination addresses are already in the routing cache.
As a result, new sessions are sent out port4 only if port3 exceeds its bandwidth limit and if the
routing cache does not contain a route for the destination IP address of the new session.
Also, the switch over to port4 does not occur as soon as port3 exceeds its bandwidth limit.
Bandwidth usage has to exceed the limit for a period of time before the switch over takes place.
If port3 bandwidth usage drops below the bandwidth limit during this time period, sessions are
not switched over to port4. This delay reduces route flapping.
FortiGate usage-based ECMP routing is not actually load balancing, since routes are not
distributed evenly among FortiGate interfaces. Depending on traffic volumes, most traffic would
usually be processed by the first interface with only spillover traffic being processed by other
interfaces.
If you are configuring usage-based ECMP in most cases you should add spillover thresholds to
all of the interfaces with ECMP routes. The default spillover threshold is 0 which means no
bandwidth limiting. If any interface has a spillover threshold of 0, no sessions will be routed to
interfaces lower in the list unless the interface goes down or is disconnected. An interface can
go down if Detect interface status for Gateway Load Balancing does not receive a response
from the configured server.
Fortinet Technologies Inc. Page 41 FortiOS Handbook - Advanced Routing for FortiOS 5.0
With the ECMP load balancing method set to weighted, the FortiGate unit distributes sessions
with different destination IPs by generating a random value to determine the route to select. The
probability of selecting one route over another is based on the weight value of each route.
Routes with higher weights are more likely to be selected.
Large numbers of sessions are evenly distributed among ECMP routes according to the route
weight values. If all weights are the same, sessions are distributed evenly. The distribution of a
small number of sessions; however, may not be even. For example, its possible that if there are
two ECMP routes with the same weight; two sessions to different IP addresses could use the
same route. On the other hand, 10,000 sessions with different destination IPs should be load
balanced evenly between two routes with equal rates. The distribution could be 5000:5000 or
50001:4999. Also, 10 000 sessions with different destination IP addresses should be load
balanced as 3333:6667 if the weights for the two routes are 100 and 200.
Weights only affect how routes are selected for sessions to new destination IP addresses. New
sessions to IP addresses already in the routing cache are routed using the route for the session
already in the cache. So in practice sessions will not always be distributed according to the
routing weight distribution.
Fortinet Technologies Inc. Page 42 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Dynamic Routing Overview
This section provides an overview of dynamic routing, and how it compares to static routing.
For details on various dynamic routing protocols, see the following chapters for detailed
information.
The following topics are included in this section:
What is dynamic routing?
Comparison of dynamic routing protocols
Choosing a routing protocol
Dynamic routing terminology
IPv6 in dynamic routing
Dynamic routing uses a dynamic routing protocol to automatically select the best route to put
into the routing table. So instead of manually entering static routes in the routing table, dynamic
routing automatically receives routing updates, and dynamically decides which routes are best
to go into the routing table. Its this intelligent and hands-off approach that makes dynamic
routing so useful.
Dynamic routing protocols vary in many ways and this is reflected in the various administrative
distances assigned to routes learned from dynamic routing. These variations take into account
differences in reliability, speed of convergence, and other similar factors. For more information
on these administrative distances, see Multipath routing and determining the best route on
page 18.
This section includes:
Comparing static and dynamic routing
Dynamic routing protocols
Minimum configuration for dynamic routing
Page 43
complexity and some overhead: the routing protocol uses some bandwidth for its own
administration.
Table 4: Comparing static and dynamic routing
Hardware support Supported by all routing May require special, more expensive
hardware routers
Fortinet Technologies Inc. Page 44 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Interior versus exterior routing protocols
The names interior and exterior are very descriptive. Interior routing protocols are designed for
use within a contained network of limited size, whereas exterior routing protocols are designed
to link multiple networks together. They can be used in combination in order to simplify network
administration. For example, a network can be built with only border routers of a network
running the exterior routing protocol, while all the routers on the network run the interior
protocol, which prevents them from connecting outside the network without passing through
the border. Exterior routers in such a configuration must have both exterior and interior
protocols, to communicate with the interior routers and outside the network.
Nearly all routing protocols are interior routing protocols. Only BGP is commonly used as an
exterior routing protocol.
You may see interior gateway protocol (IGP) used to refer to interior routing protocols, and
exterior gateway protocol (EGP) used to refer to interior routing protocols.
Link-state protocols
Link-state protocols are also known as shortest path first protocols. Where distance vector uses
information passed along that may or may not be current and accurate, in link-state protocols
each router passes along only information about networks and devices directly connected to it.
This results in a more accurate picture of the network topology around your router, allowing it to
make better routing decisions. This information is passed between routers using link-state
advertisements (LSAs). To reduce the overhead, LSAs are only sent out when information
Fortinet Technologies Inc. Page 45 FortiOS Handbook - Advanced Routing for FortiOS 5.0
changes, compared to distance vector sending updates at regular intervals even if no
information has changed. The more accurate network picture in link-state protocols greatly
speed up convergence and avoid problems such as routing-loops.
Version no yes no
Router ID no no yes
Each dynamic routing protocol was designed to meet a specific routing need. Each protocol
does some things well, and other things not so well. For this reason, choosing the right dynamic
routing protocol for your situation is not an easy task.
Fortinet Technologies Inc. Page 46 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Table 6: Comparing RIP, BGP, and OSPF dynamic routing protocols (Continued)
Routing protocols
Routing Information Protocol (RIP) uses classful routing, as well as incorporating various
methods to stop incorrect route information from propagating, such as the poisoned horizon
method. However, on larger networks its frequent updates can flood the network and its slow
convergence can be a problem.
Border Gateway Protocol (BGP) has been the core Internet backbone routing protocol since
the mid 1990s, and is the most used interior gateway protocol (IGP). However, some
configurations require full mesh connections which flood the network, and there can be route
flap and load balancing issues for multihomed networks.
Open Shortest Path First (OSPF) is commonly used in large enterprise networks. It is the
protocol of choice mainly due to its fast convergence. However, it can be complicated to setup
properly.
Multicast addressing is used to broadcast from one source to many destinations efficiently.
Protocol Independent Multicast (PIM) is the protocol commonly used in enterprises, multimedia
content delivery, and stock exchanges. For more information on Multicast routing, see the
Firewall chapter.
Routing algorithm
Each protocol uses a slightly different algorithm for choosing the best route between two
addresses on the network. The algorithm is the intelligent part of a dynamic protocol because
the algorithm is responsible for deciding which route is best and should be added to the local
routing table. RIP and BGP use distance vector algorithms, where OSPF uses link-state or a
shortest path first algorithm.
Fortinet Technologies Inc. Page 47 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Vector algorithms are essentially based on the number of hops between the originator and the
destination in a route, possibly weighting hops based on how reliable, fast, and error-free they
are.
The link-state algorithm used by OSPF is called the Dijkstra algorithm. Link-state treats each
interface as a link, and records information about the state of the interface. The Dijkstra
algorithm creates trees to find the shortest paths to the routes it needs based on the total cost
of the parts of the routes in the tree.
For more information on the routing algorithm used, see Distance vector versus link-state
protocols on page 45.
Authentication
If an attacker gains access to your network, they can masquerade as a router on your network
to either gain information about your network or disrupt network traffic. If you have a high
quality firewall configured, it will help your network security and stop many of this type of threat.
However, the main method for protecting your routing information is to use authentication in
your routing protocol. Using authentication on your FortiGate unit and other routers prevents
access by attackers all routers must authenticate with passwords, such as MD5 hash
passwords, to ensure they are legitimate routers.
When configuring authentication on your network, ensure you configure it the same on all
devices on the network. Failure to do so will create errors and outages as those forgotten
devices fail to connect to the rest of the network.
For example, to configure an MD5 key of 123 on an OSPF interface called ospf_test, enter
the following CLI command:
config router ospf
config ospf-interface
edit ospf_test
set authentication md5
set md5-key 123
end
end
Convergence
Convergence is the ability of a networking protocol to re-route around network outages. Static
routing cannot do this. Dynamic routing protocols can all converge, but take various amounts of
time to do this. Slow convergence can cause problems such as network loops which degrade
network performance.
You may also hear robustness and redundancy used to describe networking protocols. In many
ways they are the same thing as convergence. Robustness is the ability to keep working even
though there are problems, including configuration problems as well as network outages.
Redundancy involves having duplicate parts that can continue to function in the event of some
malfunction, error, or outage. It is relatively easy to configure dynamic routing protocols to have
backup routers and configurations that will continue to function no matter the network problem
short of a total network failure.
IPv6 Support
IPv4 addressing is in common use everywhere around the world. IPv6 has much larger
addresses and it is used by many large companies and government departments. IPv6 is not as
common as IPv4 yet, but more companies are adopting it.
If your network uses IPv6, your dynamic routing protocol must support it. None of the dynamic
routing protocols originally supported IPv6, but they all have additions, expansions, or new
Fortinet Technologies Inc. Page 48 FortiOS Handbook - Advanced Routing for FortiOS 5.0
versions that do support IPv6. For more information, see RIP and IPv6 on page 59, BGP and
IPv6 on page 97, or OSPF and IPv6 on page 135.
Budget
When making any business decision, the budget must always be considered. Static routing
does not involve special hardware, fancy software, or expensive training courses.
Dynamic routing can include all of these extra expenses. Any new hardware, such as routers
and switches, will need to support your chosen routing protocols. Network management
software and routing protocol drivers may be necessary as well to help configure and maintain
your more complex network. If the network administrators are not well versed in dynamic
routing, either a training course or some hands-on learning time must be budgeted so they can
administer the new network with confidence. Together, these factors can impact your budget.
Additionally, people will always account for network starting costs in the budgets, but usually
leave out the ongoing cost of network maintenance. Any budget must provide for the hours that
will be spent on updating the network routing equipment, and fixing any problems. Without that
money in the budget, you may end up back at static routing before you know it.
Fortinet Technologies Inc. Page 49 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Expected network growth
You may not be sure if your current network is ready for dynamic routing. However, if you are
expecting rapid growth in the near future, it is a good idea to start planning for that growth now
so you are ready for the coming expansion.
Static routing is very labor intensive. Each network devices routing table needs to be
configured and maintained manually. If there is a large number of new computers being added
to the network, they each need to have the static routing table configured and maintained. If
devices are being moved around the network frequently, they must also be updated each time.
Instead, consider putting dynamic routing in place before those new computers are installed on
the network. The installation issues can be worked out with a smaller and less complex
network, and when those new computers or routers are added to the network there will be
nowhere near the level of manual configuration required. Depending on the level of growth, this
labor savings can be significant. For example, in an emergency you can drop a new router into a
network or AS, wait for it to receive the routing updates from its neighbors, and then remove
one of the neighbors. While the routes will not be the most effective possible, this method is
much less work than static routing in the same situation, with less chance of mistakes.
Also, as your network grows and you add more routers, those new routers can help share the
load in most dynamic routing configurations. For example if you have 4 OSPF routers and
20,000 external routes those few routers will be overwhelmed. But in a network with 15 OSPF
routers they will better be able to handle that number of routes. Be aware though that adding
more routers to your network will increase the amount of updates sent between the routers,
which will use up a greater part of your bandwidth and use more bandwidth overall.
One of that hardest decisions in routing can be choosing which routing protocol to use on your
network. It can be easy to decide when static routing will not meet your needs, but how can you
tell which dynamic routing protocol is best for your network and situation?
Fortinet Technologies Inc. Page 50 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Here is a brief look at the routing protocols including their strongest and weakest points. The
steps to choosing your routing protocol are:
1. Answer questions about your network
2. Dynamic routing terminology
3. Evaluate your chosen protocol
4. Implement your dynamic routing protocol
Fortinet Technologies Inc. Page 51 FortiOS Handbook - Advanced Routing for FortiOS 5.0
So be sure that the test install mirrors your larger network well enough for you to discover any
problems. If its too simplistic, these problems may not appear.
If your chosen protocol does not meet your goals choose a different protocol and repeat the
evaluation process until either a protocol meets your needs, or you change your criteria.
Dynamic routing is a complex subject. There are many routers on different networks and all can
be configured differently. It become even more complicated when you add to this each routing
protocol having slightly different names for similar features, and many configurable features for
each protocol.
To better understand dynamic routing, here are some explanations of common dynamic routing
terms.
Aggregated routes and addresses
Autonomous system (AS)
Area border router (ABR)
Neighbor routers
Route maps
Access lists
Bi-directional forwarding detection (BFD)
For more details on a term as it applies to a dynamic routing protocol, see one of Border
Gateway Protocol (BGP) on page 97, Routing Information Protocol (RIP) on page 58, or
Open Shortest Path First (OSPF) on page 134.
Fortinet Technologies Inc. Page 52 FortiOS Handbook - Advanced Routing for FortiOS 5.0
To manually aggregate the range of IP addresses from 192.168.1.100 to 192.168.1.103
1. Convert the addresses to binary
192.168.1.100 = 11000000 10101000 00000001 01100100
192.168.1.101 = 11000000 10101000 00000001 01100101
192.168.1.102 = 11000000 10101000 00000001 01100110
192.168.1.103 = 11000000 10101000 00000001 01100111
2. Determine the maximum number of matching bits common to the addresses.
There are 30-bits in common, with only the last 2-bits being different.
3 Record the common part of the address.
11000000 10101000 00000001 0110010X = 192.168.1.100
4 For the netmask, assume all the bits in the netmask are 1 except those that are different
which are 0.
11111111 11111111 11111111 11111100 = 255.255.255.252
5 Combine the common address bits and the netmask.
192.168.1.100/255.255.255.252
Alternately the IP mask may be written as a single number:
192.168.1.100/2
6 As required, set variables and attributes to declare the routes have been aggregated, and
what router did the aggregating.
As of January 2010, AS numbers are 4 bytes long instead of the former 2 bytes. RFC 4893
introduced 32-bit ASNs, which FortiGate units support for BGP and OSPF
Fortinet Technologies Inc. Page 53 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Do you need your own AS?
The main factors in deciding if you need your own AS or if you should be part of someone elses
are:
exchanging external routing information
many prefixes should exist in one AS as long as they use the same routing policy
when you use a different routing protocol than your border gateway peers (for example your
ISP uses BGP, and you use OSPF)
connected to multiple other AS (multi-homed)
You should not create an AS for each prefix on your network. Neither should you be forced into
an AS just so someone else can make AS-based policy decisions on your traffic.
There can be only one AS for any prefix on the Internet. This is to prevent routing issues.
LACNIC Latin America, including Mexico, Caribbean, Central and South America
RIPE NCC Europe, the Middle East, former USSR, and parts of Central Asia
AS numbers from 64512 to 65534 are reserved for private use. Private AS numbers can be used
for any internal networks with no outside connections to the Internet such as test networks,
classroom labs, or other internal-only networks that do not access the outside world. You can
also configure border routers to filter out any private ASNs before routing traffic to the outside
world. If you must use private ASNs with public networks, this is the only way to configure them.
However, it is risky because many other private networks could be using the same ASNs and
conflicts will happen. It would be very much like your local 192.168.0.0 network being made
public the resulting problems would be widespread.
In 1996, when RFC 1930 was written only 5,100 ASes had been allocated and a little under 600
ASes were actively routed in the global Internet. Since that time many more public ASNs have
been assigned, leaving only a small number. For this reason 32-bit ASNs (four-octet ASNs) were
defined to provide more public ASNs. RFC 4893 defines 32-bit ASNs, and FortiGate units
support these larger ASNs.
Fortinet Technologies Inc. Page 54 FortiOS Handbook - Advanced Routing for FortiOS 5.0
redistribute traffic between different ASes that are running different protocols, such as the edge
between an ISPs IS-IS routing network and an large companys OSPF network.
OSPF defines ABRs differently from other routers. In OSPF, an ABR is an OSPF router that
connects another AS to the backbone AS, and is a member of all the areas it connects to. An
OSPF ABR maintains a LSA database for each area that it is connected to. The concept of the
edge router is present, but its the edge of the backbone instead of the edge of the OSPF
supported ASes.
Neighbor routers
Routing involves routers communicating with each other. To do this, routers need to know
information about each other. These routers are called neighbor routers, and are configured in
each routing protocol. Each neighbor has custom settings since some routers may have
functionality others routers lack. Neighbour routers are sometimes called peers.
Generally neighbor routers must be configured, and discovered by the rest of the network
before they can be integrated to the routing calculations. This is a combination of the network
administrator configuring the new router with its neighbor router addresses, and the routing
network discovering the new router, such as the hello packets in OSPF. That discovery initiates
communication between the new router and the rest of the network.
Route maps
Route maps are a way for the FortiGate unit to evaluate optimum routes for forwarding packets
or suppressing the routing of packets to particular destinations. Compared to access lists, route
maps support enhanced packet-matching criteria. In addition, route maps can be configured to
permit or deny the addition of routes to the FortiGate unit routing table and make changes to
routing information dynamically as defined through route-map rules.
Route maps can be used for limiting both received route updates, and sent route updates. This
can include the redistribution of routes learned from other types of routing. For example if you
dont want to advertise local static routes to external networks, you could use a route map to
accomplish this.
The FortiGate unit compares the rules in a route map to the attributes of a route. The rules are
examined in ascending order until one or more of the rules in the route map are found to match
one or more of the route attributes.
As an administrator, route maps allow you to group a set of addresses together and assign them
a meaningful name. Then during your configuration, you can use these route-maps to speed up
configuration. The meaningful names ensure fewer mistakes during configuration as well.
The default rule in the route map (which the FortiGate unit applies last) denies all routes. For a
route map to take effect, it must be called by a FortiGate unit routing process.
The syntax for route maps are:
config router route-map
edit <route_map_name>
set comments
config rule
edit <route_map_rule_id>
set action
set match-*
set set-*
...
end
Fortinet Technologies Inc. Page 55 FortiOS Handbook - Advanced Routing for FortiOS 5.0
The match-* commands allow you to match various parts of a route. The set-* commands
allow you to set routing information once a route is matched.
For an example of how route maps can be used to create receiving or sending groups in
routing, see Redistributing and blocking routes in BGP on page 127.
Access lists
Use this command to add, edit, or delete access lists. Access lists are filters used by FortiGate
unit routing processes. For an access list to take effect, it must be called by a FortiGate unit
routing process (for example, a process that supports RIP or OSPF). Use access-list6 for
IPv6 routing.
Access lists can be used to filter which updates are passed between routers, or which routes
are redistributed to different networks and routing protocols. You can create lists of rules that
will match all routes for a specific router or group of routers.
Each rule in an access list consists of a prefix (IP address and netmask), the action to take for
this prefix (permit or deny), and whether to match the prefix exactly or to match the prefix and
any more specific prefix.
If you are setting a prefix of 128.0.0.0, use the format 128.0.0.0/1. The default route, 0.0.0.0/0
can not be exactly matched with an access-list. A prefix-list must be used for this purpose.
The FortiGate unit attempts to match a packet against the rules in an access list starting at the
top of the list. If it finds a match for the prefix, it takes the action specified for that prefix. If no
match is found the default action is deny.
The syntax for access lists is:
config router access-list, access-list6
edit <access_list_name>
set comments
config rule
edit <access_list_id>
set action
set exact-match
set prefix
set prefix6
set wildcard
For an example of how access lists can be used to create receiving or sending groups in
routing, see Redistributing and blocking routes in BGP on page 127.
Fortinet Technologies Inc. Page 56 FortiOS Handbook - Advanced Routing for FortiOS 5.0
The CLI commands associated with BFD include:
config router bgp
config neighbor
set bfd
Per-VDOM configuration:
config system settings
set bfd
set bfd-desired-min-tx
set bfd-required-min-rx
set bfd-detect-mult
set bfd-dont-enforce-src-port
Per-interface (override) configuration:
config system interface
edit <interface_name>
set bfd enable
set bfd-desired-min-tx
set bfd-detect-mult
set bfd-required-min-rx
For more information about BFD in BGP, see Bi-directional forwarding detection (BFD) on
page 113.
Unless otherwise stated, routing protocols apply to IPv4 addressing. This is the standard
address format used. However, IPv6 is becoming more popular and new versions of the
dynamic routing protocols have been introduced.
Dynamic routing supports IPv6 on your FortiGate unit. The new versions of these protocols and
the corresponding RFCs are:
RIP next generation (RIPng) RFC 2080 - Routing Information Protocol next generation
(RIPng). See RIP and IPv6 on page 59.
BGP4+ RFC 2545, and RFC 2858 Multiprotocol Extensions for IPv6 Inter-Domain
Routing, and Multiprotocol Extensions for BGP-4 (MP-BGP) respectively. See BGP and
IPv6 on page 97.
OSPFv3 RFC 2740 Open Shortest Path First version 3 (OSPFv3) for IPv6 support. See
OSPF and IPv6 on page 135.
As with most advanced routing features on your FortiGate unit, IPv6 settings for dynamic
routing protocols must be enabled before they will be visible in the GUI. To enable IPv6
configuration in the GUI, enable it in System > Admin > Settings. Alternatively, you can directly
configure IPv6 for RIP, BGP, or OSPF protocols using CLI commands.
Fortinet Technologies Inc. Page 57 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Routing Information Protocol (RIP)
Background
Routing Information Protocol (RIP) is a distance-vector routing protocol intended for small,
relatively homogeneous networks. Its widespread use started when an early version of RIP was
included with BSD v4.3 Linux as the routed daemon. The routing algorithm used by RIP, the
BellmanFord algorithm, first saw widespread use as the initial routing algorithm of the
ARPANET.
RIP benefits include being well suited to smaller networks, is in widespread use, near universal
support on routing hardware, quick to configure, and works well if there are no redundant paths.
However, RIP updates are sent out node-by-node so it can be slow to find a path around
network outages. RIP also lacks good authentication, can not choose routes based on different
quality of service methods, and can create network loops if you are not careful.
The FortiGate implementation of RIP supports RIP version 1 (see RFC 1058), RIP version 2 (see
RFC 2453), and the IPv6 version RIPng (see RFC 2080).
RIP v1
In 1988 RIP version 1, defined in RFC 1058, was released. The RFC even states that RIP v1 is
based on Linux routed due to it being a defacto standard.
It uses classful addressing and uses broadcasting to send out updates to router neighbors.
There is no subnet information included in the routing updates in classful routing, and it does
not support CIDR addressing subnets must all be the same size. Also, route summarization is
not possible.
RIP v1 has no router authentication method, so it is vulnerable to attacks through packet
sniffing, and spoofing.
Page 58
RIP v2
In 1993, RIP version 2 was developed to deal with the limitations of RIP v1. It was not
standardized until 1998. This new version supports classless routing, and subnets of various
sizes.
Router authentication was added in RIP v2 it supports MD5. MD5 hashes are an older
encryption method, but this is much improved over no security at all.
In RIP v2 the hop count limit remained at 15 to be backwards compatible with RIP v1.
RIP v2 uses multicasting to send the entire routing table to router neighbors, thereby reducing
the traffic for devices that are not participating in RIP routing.
Routing tags were added as well, which allow internal routes or redistributed routes to be
identified as such.
RIPng
RIPng, defined in RFC 2080, is an extension of RIP2 designed to support IPv6. However, RIPng
varies from RIPv2 in that it is not fully backwards compatible with RIPv1.
RIPng does not support RIPv1 update authentication, it relies on IPsec
RIPng does not allow attaching tags to routes as in RIPv2
RIPng requires specific encoding of the next hop for a set of route entries, unlike RIPv2 that
encodes the next-hop into each route entry.
Fortinet Technologies Inc. Page 59 FortiOS Handbook - Advanced Routing for FortiOS 5.0
For example, you want to set up a tunnel on the port1 interface starting at 2002:C0A8:3201:: on
your local network and tunnel it to address 2002:A0A:A01:: where it will need access to an IPv4
network again. Use the following command:
config system ipv6-tunnel
edit test_tunnel
set destination 2002:A0A:A01::
set interface port1
set source 2002:C0A8:3201::
end
end
The Timeout period should be at least three times longer than the Update period. If the Update
timer is smaller than Timeout or Garbage timers, you will experience an error.
You can set the three RIP timers in Router > Dynamic > RIP, under Advanced Options, or use the
CLI.
Fortinet Technologies Inc. Page 60 FortiOS Handbook - Advanced Routing for FortiOS 5.0
The CLI commands associated with garbage, timeout, and update timers include:
config router rip
set garbage-timer
set timeout-timer
set update-timer
end
Garbage timer
The garbage timer is the amount of time (in seconds) that the FortiGate unit will advertise a
route as being unreachable before deleting the route from the routing table. If this timer is
shorter, it will keep more up-to-date routes in the routing table and remove old ones faster. This
will result in a smaller routing table which is useful if you have a very large network, or if your
network changes frequently.
Update timer
The update timer determines the interval between routing updates. Generally, this value is set to
30 seconds. There is some randomness added to help prevent network traffic congestion,
which could result from all routers simultaneously attempting to update their neighbors. The
update timer should be at least three times smaller than the timeout timer, otherwise you will
experience an error.
If you are experiencing significant RIP traffic on your network, you can increase this interval to
send fewer updates per minute. However, ensure you increase the interval for all the routers on
your network or you will experience time outs that will degrade your network speed.
Timeout timer
The timeout timer is the maximum amount of time (in seconds) that a route is considered
reachable while no updates are received for the route. This is the maximum time the FortiGate
unit will keep a reachable route in the routing table while no updates for that route are received.
If the FortiGate unit receives an update for the route before the timeout period expires, the timer
is restarted. The timeout period should be at least three times longer than the depute period,
otherwise you will experience an error.
If you are experiencing problems with routers not responding in time to updates, increase this
timer. However, remember that longer timeout intervals result in longer overall update periods
it may be considerable time before the time the FortiGate unit is done waiting for all the timers
to expire on unresponsive routes.
Fortinet Technologies Inc. Page 61 FortiOS Handbook - Advanced Routing for FortiOS 5.0
This example shows how to configure a key-chain with two keys that are valid sequentially in
time. This example creates a key-chain called rip_key that has a password of fortinet. The
accepted and send lifetimes are both set to the same values a start time of 9:00am February
23, 2010 and an end time of 9:00am March 17, 2010. A second key is configured with a
password of my_fortigate that is valid from March 17, 2010 9:01am to April 1 2010 9:00am.
This rip_key keychain is then used on the port1 interface in RIP.
config router key-chain
edit "rip_key"
config key
edit 1
set accept-lifetime 09:00:00 23 02 2010 09:00:00 17 03 2010
set key-string "fortinet"
set send-lifetime 09:00:00 23 02 2010 09:00:00 17 03 2010
next
edit 2
set accept-lifetime 09:01:00 17 03 2010 09:00:00 1 04 2010
set key-string "my_fortigate"
set send-lifetime 09:01:00 17 03 2010 09:00:00 1 04 2010
next
end
end
config router rip
config interface
edit port1
set auth-keychain rip_key
end
end
Access Lists
Access lists are filters used by FortiGate unit RIP and OSPF routing. An access list provides a
list of IP addresses and the action to take for them essentially an access list makes it easy to
group addresses that will be treated the same into the same group, independent of their
subnets or other matching qualities. You add a rule for each address or subnet that you want to
include, specifying the action to take for it. For example if you wanted all traffic from one
department to be routed a particular way, even in different buildings, you can add all the
addresses to an access list and then handle that list all at once.
Fortinet Technologies Inc. Page 62 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Each rule in an access list consists of a prefix (IP address and netmask), the action to take for
this prefix (permit or deny), and whether to match the prefix exactly or to match the prefix and
any more specific prefix.
The FortiGate unit attempts to match a packet against the rules in an access list starting at the
top of the list. If it finds a match for the prefix, it takes the action specified for that prefix. If no
match is found the default action is deny.
Access lists greatly speed up configuration and network management. When there is a problem,
you can check each list instead of individual addresses. Also its easier to troubleshoot since if
all addresses on one list have problems, it eliminates many possible causes right away.
If you are using the RIPng or OSPF+ IPv6 protocols you will need to use access-list6, the IPv6
version of access list. The only difference is that access-list6 uses IPv6 addresses.
For example, if you want to create an access list called test_list that only allows an exact
match of 10.10.10.10 and 11.11.11.11, enter the command:
config router access-list
edit test_list
config rule
edit 1
set prefix 10.10.10.10 255.255.255.255
set action allow
set exact-match enable
next
edit 2
set prefix 11.11.11.11 255.255.255.255
set action allow
set exact-match enable
end
end
Another example is if you want to deny ranges of addresses in IPv6 that start with the IPv6
equivalents of 10.10.10.10 and 11.11.11.11, enter the command access-list6 as follows:
config router access-list6
edit test_list_ip6
config rule
edit 1
set prefix6 2002:A0A:A0A:0:0:0:0:0:/48
set action deny
next
edit 2
set prefix6 2002:B0B:B0B:0:0:0:0:0/48
set action deny
end
end
To use an access_list, you must call it from a routing protocol such as RIP. The following
example uses the access_list from the earlier example called test_list to match routes coming in
Fortinet Technologies Inc. Page 63 FortiOS Handbook - Advanced Routing for FortiOS 5.0
on the port1 interface. When there is a match, it will add 3 to the hop count metric for those
routes to artificially increase . Enter the following command:
config router rip
config offset-list
edit 5
set access-list test_list
set direction in
set interface port1
set offset 3
set status enable
end
If you are setting a prefix of 128.0.0.0, use the format 128.0.0.0/1. The default route, 0.0.0.0/0
can not be exactly matched with an access-list. A prefix-list must be used for this purpose
Fortinet Technologies Inc. Page 64 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Overall, RIP is a large step forward when compared to static routing.
Fortinet Technologies Inc. Page 65 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Figure 3: RIP algorithm example in 4 steps
Step 1 Router4
Router1
Step 2 Router4
Router1
Step 3 Router4
Step 4 Router4
The good part about the Bellman-Ford algorithm in RIP is that the router only uses the
information it needs from the update. If there are no newer, better routes than the ones the
router already has in its routing table, there is no need to change its routing table. And no
change means no additional update, so less traffic. But even when there is update traffic, the
RIP packets are very small so it takes many updates to affect overall network bandwidth. For
more information about RIP packets, see RIP packet structure on page 68.
Fortinet Technologies Inc. Page 66 FortiOS Handbook - Advanced Routing for FortiOS 5.0
The main disadvantage of the BellmanFord algorithm in RIP is that it doesnt take weightings
into consideration. While it is possible to assign different weights to routes in RIP, doing so
severely limits the effective network size by reducing the hop count limit. Also other dynamic
routing protocols can take route qualities, such as reliability or delay, into consideration to
provide not only the physically shortest but also the fastest or more reliable routes as you
choose.
Another disadvantage of the Bellman-Ford algorithm is due to the slow updates passed from
one RIP router to the next. This results in a slow response to changes in the network topology,
which in turn results in more attempts to use routes that are down, which wastes time and
network resources.
Fortinet Technologies Inc. Page 67 FortiOS Handbook - Advanced Routing for FortiOS 5.0
RIP packet structure
It is hard to fully understand a routing protocol without knowing what information is carried in its
packets. Knowing what information is exchanged between routers and how will help you better
understand the RIP protocol, and better configure your network for it.
This section provides information on the contents of RIP 1 and RIP 2 packets.
RIP version 1
RIP version 1, or RIP IP packets are 24 bytes in length, with some empty areas left for future
expansion.
Table 7: RIP IP packets
1-byte command 1-byte version 2-byte zero 2-byte AFI 2-byte zero
field field
RIP version 2
RIP version 2 has more features than RIP 1, which is reflected in its packets which carry more
information. All but one of the empty zero fields in RIP 1 packets are used in RIP 2.
Table 8: RIP 2 packets
Fortinet Technologies Inc. Page 68 FortiOS Handbook - Advanced Routing for FortiOS 5.0
A RIP 2 packet contains fields described above in RIP 1, as well as the following:
Unused Has a value set to zero, and is intended for future use
Route tag Provides a method for distinguishing between internal routes learned by RIP
and external routes learned from other protocols.
Subnet mask Contains the subnet mask for the entry. If this field is zero, no subnet mask
has been specified for the entry.
Next hop Indicates the IP address of the next hop to which packets for the entry should
be forwarded.
Troubleshooting RIP
This section is about troubleshooting RIP. For general troubleshooting information, see the
FortiOS Handbook Troubleshooting chapter.
This section includes:
Routing Loops
Holddowns and Triggers for updates
Split horizon and Poison reverse updates
Debugging IPv6 on RIPng
Routing Loops
Normally in routing, a path between two addresses is chosen and traffic is routed along that
path from one address to the other. When there is a routing loop, that normal path doubles back
on itself creating a loop. When there are loops, the network has problems getting information to
its destination and also prevents it from returning to the source to report the inaccessible
destination.
A routing loop happens when a normally functioning network has an outage, and one or more
routers are offline. When packets encounter this, an alternate route is attempted to maneuver
around the outage. During this phase it is possible for a route to be attempted that involves
going back a hop, and trying a different hop forward. If that hop forward is blocked by the
outage as well, a hop back and possibly the original hop forward may be selected. You can see
if this continues, how it can consume not only network bandwidth but also many resources on
those routers affected. The worst part is this situation will continue until the network
administrator changes the router settings, or the downed routers come back online.
Fortinet Technologies Inc. Page 69 FortiOS Handbook - Advanced Routing for FortiOS 5.0
If you arent running SNMP, dead gateway detection, or you have non-Fortinet routers in your
network, you can use networking tools such as ping and traceroute to define the outage on your
network and begin to fix it. Ping, traceroute, and other basic troubleshooting tools are largely
the same between static and dynamic, and are covered in Troubleshooting static routing on
page 20.
Enable Query Select. The Port should be 161. Ensure that your security
policies allow ports 161 and 162 (SNMP queries and traps) to
pass.
SNMP v1/v2
Fortinet Technologies Inc. Page 70 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Queries Enable v1 and/or v2 as needed. The Port should be 161.
Ensure that your security policies allow port 161 to pass.
4. Select the events for which you want notification. For routing loops this should include CPU
usage is high, Memory is low, and possibly Log disk space is low.If there are problems the
log will be filling up quickly, and the FortiGate units resources will be overused.
5. Configure SNMP host (manager) software on your administration computer. This will monitor
the SNMP information sent out by the FortiGate unit. Typically you can configure this
software to alert you to outages or CPU spikes that may indicate a routing loop.
To detect possible routing loops with dead gateway detection and e-mail alerts
1. To configure dead gateway detection, go to Router > Static > Settings and select
Create New.
2. Enter the Ping Server IP address and select the Interface that connects to it.
3. Set the Ping Interval (how often to send a ping), and Failover Threshold (how many lost pings
is considered a failure). A smaller interval and smaller number of lost pings will result in faster
detection, but will create more traffic on your network.
If you have VDOMs configured, you will have to enter the basic SMTP server information in the
Global section, and the rest of the configuration within the VDOM that includes this interface.
After this configuration, when this interface on the FortiGate unit cannot connect to the next
router, the FortiGate unit will bring down the interface and alert you with an email about the
outage.
Fortinet Technologies Inc. Page 71 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Ideally if you debug the flow of the packets, and record the routes that are unreachable, you can
create an accurate picture of the network outage.
Holddown Timers
The holddown timer activates when a route is marked down. Until the timer expires, the router
does not accept any new information about that route. This is very useful if you have a flapping
route because it will prevent your router from sending out updates and being part of the
problem in flooding the network. The potential down side is if the route comes back up while the
timer has not expired, that route will be unavailable for that period of time. This is only a problem
if this is a major route used by the majority of your traffic. Otherwise, this is a minor problem as
traffic can be re-routed around the outage.
Triggers
Triggered RIP is an alternate update structure that is based around limiting updates to only
specific circumstances. The most basic difference is that the routing table will only be updated
when a specific request is sent to update, as opposed to every time the routing table changes.
Updates are also triggered when a unit is powered on, which can include addition of new
interfaces or devices to the routing structure, or devices returning to being available after being
unreachable.
Fortinet Technologies Inc. Page 72 FortiOS Handbook - Advanced Routing for FortiOS 5.0
route to the destination. This poisoned route is marked as unreachable for routers that cannot
use it. In RIP this means that route is marked with a distance of 16.
This is an example of a typical medium sized network configuration using RIP routing.
Your company has 3 small local networks, one for each department. These networks are
connected by RIP, and then connected to the Internet. Each subnet has more than one route, for
redundancy. There are two central routers that are both connected to the internet, and to the
other networks. If one of those routers goes down, the whole network can continue to function
normally.
The ISP is running RIP, so no importing or exporting routes is required on the side of the
network. However, since the internal networks have static networking running those will need to
be redistributed through the RIP network.
To keep the example simple, there will be no authentication of router traffic.
With RIP properly configured, if the device fails or temporarily goes offline, the routes will
change and traffic will continue to flow. RIP is good for a smaller network due to its lack of
complex configurations.
This section includes the following topics:
Network layout and assumptions
General configuration steps
Configuring the FortiGate units system information
Configuring other networking devices
Testing network configuration
Fortinet Technologies Inc. Page 73 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Network layout and assumptions
Fortinet Technologies Inc. Page 74 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Figure 4: Network topology for the simple RIP example
ISP router
(172.20.120.5)
RIP Router2
uter2
RIP Router4
RIP Router1
uter1
R&D Network
Accounting
Network
RIP Router3
RI
Sales Network
Assumptions
The following assumptions have been made concerning this example.
All FortiGate units have 5.0 firmware, and are running factory default settings.
All CLI and web-based manager navigation assumes the unit is running in NAT/Route
operating mode, with VDOMs disabled.
All FortiGate units have interfaces labelled port1 through port4 as required.
All firewalls have been configured for each FortiGate unit to allow the required traffic to flow
across interfaces.
Only FortiGate units are running RIP on the internal networks.
Router2 and Router3 are connected through the internal network for R&D.
Router2 and Router3 each have their own connection to the Internet, indicated in black in
Figure 4.
Fortinet Technologies Inc. Page 75 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Router2 and Router3 have dead gateway detection enabled on the ISP interfaces using Ping.
Remember to contact the ISP and confirm their server has ping enabled.
Gateway 172.20.120.5/255.255.255.0
Distance 40
Gateway 172.20.120.5/255.255.255.0
Distance 40
Alias internal
IP/Netmask 10.11.101.101/255.255.255.0
Administrative Up
Status
Alias router2
IP/Netmask 10.11.201.101/255.255.255.0
Fortinet Technologies Inc. Page 76 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Description Link to R&D network & internet through Router2
Administrative Up
Status
Alias router3
IP/Netmask 10.11.202.101/255.255.255.0
Administrative Up
Status
Fortinet Technologies Inc. Page 77 FortiOS Handbook - Advanced Routing for FortiOS 5.0
config router static
edit 1
set device "port2"
set distance 45
set gateway 10.11.201.102
next
edit 2
set device port3
set distance 45
set gateway 10.11.202.103
end
end
Gateway 172.20.120.5/255.255.255.0
Distance 5
Fortinet Technologies Inc. Page 78 FortiOS Handbook - Advanced Routing for FortiOS 5.0
5. Go to System > Network > Interface.
6. Edit port1 (internal) interface.
7. Set the following information, and select OK.
Alias internal
IP/Netmask 10.12.101.102/255.255.255.0
Administrative Status Up
Alias router1
IP/Netmask 10.12.201.102/255.255.255.0
Administrative Status Up
Alias router4
IP/Netmask 10.12.301.102/255.255.255.0
Administrative Status Up
Alias ISP
IP/Netmask 172.20.120.102/255.255.255.0
Fortinet Technologies Inc. Page 79 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Detect Interface Status for enable
Gateway Load Balancing
Administrative Status Up
Fortinet Technologies Inc. Page 80 FortiOS Handbook - Advanced Routing for FortiOS 5.0
4. Edit the default route and enter the following information:
Gateway 172.20.120.5/255.255.255.0
Distance 5
Alias internal
IP/Netmask 10.12.101.103/255.255.255.0
Administrative Status Up
Alias router1
IP/Netmask 10.13.201.103/255.255.255.0
Administrative Status Up
Alias router4
IP/Netmask 10.13.301.103/255.255.255.0
Administrative Status Up
Fortinet Technologies Inc. Page 81 FortiOS Handbook - Advanced Routing for FortiOS 5.0
13.Set the following information, and select OK.
Alias ISP
IP/Netmask 172.20.120.103/255.255.255.0
Administrative Status Up
Fortinet Technologies Inc. Page 82 FortiOS Handbook - Advanced Routing for FortiOS 5.0
To configure Router3 system information - CLI
config system global
set hostname Router3
end
Fortinet Technologies Inc. Page 83 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Gateway 172.20.120.5/255.255.255.0
Distance 40
Gateway 172.20.120.5/255.255.255.0
Distance 40
Alias internal
IP/Netmask 10.14.101.104/255.255.255.0
Administrative Status Up
Alias router2
IP/Netmask 10.14.201.104/255.255.255.0
Administrative Status Up
Alias router3
IP/Netmask 10.14.301.104/255.255.255.0
Administrative Status Up
Fortinet Technologies Inc. Page 84 FortiOS Handbook - Advanced Routing for FortiOS 5.0
To configure Router4 system information - CLI
config system global
set hostname Router4
end
Fortinet Technologies Inc. Page 85 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Router1 and Router4 are configured the same. Router2 and Router3 are configured the same.
These routers will be grouped accordingly for the following procedures repeat the
procedures once for each FortiGate unit.
Authentication None
7. For interface, select Create New and set the following information.
Authentication None
8. For interface, select Create New and set the following information.
Authentication None
Fortinet Technologies Inc. Page 86 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Configure RIP settings on Router1 and Router4 - CLI
config router rip
set version 2
config interface
edit "port1"
set receive-version 1 2
set send-version 1 2
next
edit "port2"
set receive-version 1 2
set send-version 1 2
next
edit "port3"
set receive-version 1 2
set send-version 1 2
end
config network
edit 1
set prefix 10.11.0.0 255.255.0.0
next
edit 2
set prefix 10.12.0.0 255.255.0.0
next
edit 3
set prefix 10.14.0.0 255.255.0.0
next
edit 4
set prefix 172.20.120.0 255.255.255.0
end
config redistribute "static"
set status enable
end
end
Fortinet Technologies Inc. Page 87 FortiOS Handbook - Advanced Routing for FortiOS 5.0
6. For interface, select Create New and set the following information.
Authentication None
7. For interface, select Create New and set the following information.
Authentication None
8. For interface, select Create New and set the following information.
Authentication None
9. For interface, select Create New and set the following information.
Authentication None
Fortinet Technologies Inc. Page 88 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Configure RIP settings on Router2 and Router3- web-based manager
config router rip
set version 2
config interface
edit "port1"
set receive-version 1 2
set send-version 1 2
next
edit "port2"
set receive-version 1 2
set send-version 1 2
next
edit "port3"
set receive-version 1 2
set send-version 1 2
end
edit "port4"
set receive-version 1 2
set send-version 1 2
end
config network
edit 1
set prefix 10.11.0.0 255.255.0.0
next
edit 2
set prefix 10.12.0.0 255.255.0.0
next
edit 3
set prefix 10.14.0.0 255.255.0.0
next
edit 4
set prefix 172.20.120.0 255.255.255.0
end
config redistribute "static"
set status enable
end
end
Fortinet Technologies Inc. Page 89 FortiOS Handbook - Advanced Routing for FortiOS 5.0
network such as the IP addresses of the connecting RIP routers, what version of RIP your
network supports, and what authentication (if any) is used.
RIP next generation, or RIPng, is the version of RIP that supports IPv6.
This is an example of a typical small network configuration using RIPng routing.
Your internal R&D network is working on a project for a large international telecom company
that uses IPv6. For this reason, you have to run IPv6 on your internal network and you have
decided to use only IPv6 addresses.
Your network has two FortiGate units running the RIPng dynamic routing protocol. Both
FortiGate units are connected to the ISP router and the internal network. This configuration
provides some redundancy for the R&D internal network enabling it to reach the internet at all
times.
This section includes the following topics:
Network layout and assumptions
Configuring the FortiGate units system information
Configuring RIPng on FortiGate units
Configuring other networking devices
Testing network configuration
Fortinet Technologies Inc. Page 90 FortiOS Handbook - Advanced Routing for FortiOS 5.0
In this example the routers, networks, interfaces used, and IP addresses are as follows.
Table 10:Rip example network topology
ISP router
(2002:AC14:7805::)
RIP Router1
r1 RIP Router2
R
R&D Internal
Network
Assumptions
The following assumptions have been made concerning this example.
All FortiGate units have 5.0 firmware, and are running factory default settings.
All CLI and web-based manager navigation assumes the unit is running in NAT/Route
operating mode, with VDOMs disabled.
All FortiGate units have interfaces labelled port1 and port2 as required.
All firewalls have been configured for each FortiGate unit to allow the required traffic to flow
across interfaces.
All network devices are support IPv6 and are running RIPng.
Fortinet Technologies Inc. Page 91 FortiOS Handbook - Advanced Routing for FortiOS 5.0
To configure system information on Router1 - web-based manager
1. Go to System > Dashboard > Status.
2. For Host name, select Change.
3. Enter Router1.
4. Go to System > Admin > Settings.
5. In Display Options on GUI, enable IPv6, and select Apply.
6. Go to System > Network > Interface.
7. Edit port1 (internal) interface.
8. Set the following information, and select OK.
Alias internal
IP/Netmask 2002:A0B:6565::/0
Administrative Status Up
Alias ISP
IP/Netmask 2002:AC14:7865::/0
Administrative Status Up
Fortinet Technologies Inc. Page 92 FortiOS Handbook - Advanced Routing for FortiOS 5.0
To configure system information on Router1 - CLI
config system global
set hostname Router1
set gui-ipv6 enable
end
config system interface
edit port1
set alias internal
set allowaccess https ping ssh
set description Internal RnD network
config ipv6
set ip6-address 2002:a0b:6565::/0
end
next
edit port2
set alias ISP
set allowaccess https ping ssh
set description ISP and internet
config ipv6
set ip6-address 2002:AC14:7865::
end
end
Alias internal
IP/Netmask 2002:A0B:6566::/0
Administrative Status Up
Alias ISP
IP/Netmask 2002:AC14:7866::/0
Fortinet Technologies Inc. Page 93 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Administrative Access HTTPS SSH PING
Administrative Status Up
Fortinet Technologies Inc. Page 94 FortiOS Handbook - Advanced Routing for FortiOS 5.0
To configure RIPng on Router1 - CLI
config router ripng
config interface
edit port1
next
edit port2
end
config neighbor
edit 1
set interface port1
set ipv6 2002:a0b:6566::/0
next
edit 2
set interface port2
set ipv6 2002:AC14:7805::/0
end
Fortinet Technologies Inc. Page 95 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Testing the IPv6 RIPng information
There are some commands to use when checking that your RIPng information is correct on your
network. These are useful to check on your RIPng FortiGate units on your network. Comparing
the output between devices will help you understand your network better, and also track down
any problems.
diagnose ipv6 address list
View the local scope IPv6 addresses used as next-hops by RIPng on the FortiGate unit.
diagnose ipv6 route list
View ipv6 addresses that are installed in the routing table.
get router info6 routing-table
View the routing table. This information is almost the same as the previous command
(diagnose ipv6 route list) however it is presented in an easier to read format.
get router info6 rip interface external
View brief output on the RIP information for the interface listed. The information includes if
the interface is up or down, what routing protocol is being used, and whether passive
interface or split horizon are enabled.
get router info6 neighbor-cache list
View the IPv6/MAC address mapping. This also displays the interface index and name
associated with the address.
Fortinet Technologies Inc. Page 96 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Border Gateway Protocol (BGP)
The border gateway protocol contains two distinct subsets internal BGP (iBGP) and external
BGP (eBGP). iBGP is intended for use within your own networks. eBGP is used to connect
many different networks together, and is the main routing protocol for the Internet backbone.
FortiGate units support iBGP, and eBGP only for communities.
The following topics are included in this section:
Background
Parts and terminology of BGP
How BGP works
Background
BGP was first used in 1989. The current version, BGP-4, was released in 1995 and is defined in
RFC 1771. That RFC has since been replaced by the more recent RFC 4271. The main benefits
of BGP-4 are classless inter-domain routing, and aggregate routes. BGP is the only routing
protocol to use TCP for a transport protocol. Other routing protocols use UDP.
BGP makes routing decisions based on path, network policies and rulesets instead of the
hop-count metric as RIP does, or cost-factor metrics as OSPF does.
BGP-4+ supports IPv6. It was introduced in RFC 2858 and RFC 2545.
BGP is the routing protocol used on the Internet. It was designed to replace the old Exterior
Gateway Protocol (EGP) which had been around since 1982, and was very limited. In doing so,
BGP enabled more networks to take part in the Internet backbone to effectively decentralize it
and make the Internet more robust, and less dependent on a single ISP or backbone network.
Page 97
The main CLI keywords have IPv6 equivalents that are identified by the 6 on the end of the
keyword, such as with config network6 or set allowas-in6. For more information about
IPv6 BGP keywords, see the FortiGate CLI Reference.
IPv6 BGP commands include:
config router bgp
set activate6 {enable | disable}
set allowas-in6 <max_num_AS_integer>
set allowas-in-enable6 {enable | disable}
set as-override6 {enable | disable}
set attribute-unchanged6 [as-path] [med] [next-hop]
set capability-default-originate6 {enable | disable}
set capability-graceful-restart6 {enable | disable}
set capability-orf6 {both | none | receive | send}
set default-originate-route-map6 <routemap_str>
set distribute-list-in6 <access-list-name_str>
set distribute-list-out6 <access-list-name_str>
set filter-list-in6 <aspath-list-name_str>
set filter-list-out6 <aspath-list-name_str>
set maximum-prefix6 <prefix_integer>
set maximum-prefix-threshold6 <percentage_integer>
set maximum-prefix-warning-only6 {enable | disable}
set next-hop-self6 {enable | disable}
set prefix-list-in6 <prefix-list-name_str>
set prefix-list-out6 <prefix-list-name_str>
set remove-private-as6 {enable | disable}
set route-map-in6 <routemap-name_str>
set route-map-out6 <routemap-name_str>
set route-reflector-client6 {enable | disable}
set route-server-client6 {enable | disable}
set send-community6 {both | disable | extended | standard}
set soft-reconfiguration6 {enable | disable}
set unsuppress-map6 <route-map-name_str>
config network6
config redistribute6
end
Speaker routers
Any router configured for BGP is considered a BGP speaker. This means that a speaker router
advertises BGP routes to its peers.
Any routers on the network that are not speaker routers, are not treated as BGP routers.
Fortinet Technologies Inc. Page 98 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Peer routers or neighbors
In a BGP network, all neighboring BGP routers or peer routers are routers that are connected to
your FortiGate unit. Your FortiGate unit learns about all other routers through these peers.
You need to manually configure BGP peers on your FortiGate unit as neighbors. Otherwise
these routers will not be seen as peers, but instead as simply other routers on the network that
dont support BGP. You can optionally use MD5 authentication to password protect BGP
sessions with those neighbors. (see RFC 2385).
You can configure up to 1000 BGP neighbors on your FortiGate unit. You can clear all or some
BGP neighbor connections (sessions) using the execute router clear bgp command.
For example, if you have 10 routes in the BGP routing table and you want to clear the specific
route to IP address 10.10.10.1, enter the command:
execute router clear bgp ip 10.10.10.1
To remove all routes for AS number 650001, enter the command:
execute router clear bgp as 650001
To remove route flap dampening information for the 10.10.0.0/16 subnet, enter the command:
execute router clear bgp dampening 10.10.0.0/16
In Figure 1, Router A is directly connected to five other routers in a network that contains 12
routers overall. These routers, the ones in the blue circle, are Router As peers or neighbors.
der Router
Router A
Fortinet Technologies Inc. Page 99 FortiOS Handbook - Advanced Routing for FortiOS 5.0
The BGP commands related to neighbors are quite extensive and include:
config router bgp
config neighbor
edit <neighbor_address_ipv4>
set activate {enable | disable}
set advertisement-interval <seconds_integer>
set allowas-in <max_num_AS_integer>
set allowas-in-enable {enable | disable}
set as-override {enable | disable}
set attribute-unchanged [as-path] [med] [next-hop]
set bfd {enable | disable}
set capability-default-originate {enable | disable}
set capability-dynamic {enable | disable}
set capability-graceful-restart {enable | disable}
set capability-orf {both | none | receive | send}
set capability-route-refresh {enable | disable}
set connect-timer <seconds_integer>
set description <text_str>
set distribute-list-in <access-list-name_str>
set distribute-list-out <access-list-name_str>
set dont-capability-negotiate {enable | disable}
set ebgp-enforce-multihop {enable | disable}
set ebgp-multihop {enable | disable}
set ebgp-multihop-ttl <seconds_integer>
set filter-list-in <aspath-list-name_str>
set filter-list-out <aspath-list-name_str>
set holdtime-timer <seconds_integer>
set interface <interface-name_str>
set keep-alive-timer <seconds_integer>
set maximum-prefix <prefix_integer>
set maximum-prefix-threshold <percentage_integer>
set maximum-prefix-warning-only {enable | disable}
set next-hop-self {enable | disable}
set passive {enable | disable}
set password <string>
set prefix-list-in <prefix-list-name_str>
set prefix-list-out <prefix-list-name_str>
set remote-as <id_integer>
set remove-private-as {enable | disable}
set retain-stale-time <seconds_integer>
set route-map-in <routemap-name_str>
set route-map-out <routemap-name_str>
set route-reflector-client {enable | disable}
set route-server-client {enable | disable}
set send-community {both | disable | extended | standard}
set shutdown {enable | disable}
set soft-reconfiguration {enable | disable}
set strict-capability-match {enable | disable}
Fortinet Technologies Inc. Page 100 FortiOS Handbook - Advanced Routing for FortiOS 5.0
set unsuppress-map <route-map-name_str>
set update-source <interface-name_str>
set weight <weight_integer>
end
end
end
Fortinet Technologies Inc. Page 101 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Figure 7: Required sessions within an AS with and without route reflectors
RR
RR
Cluster2
Cluster1
Confederations
Confederations were introduced to reduce the number of BGP advertisements on a segment of
the network, and reduce the size of the routing tables. Confederations essentially break up an
AS into smaller units. Confederations are defined in RFC 3065 and RFC 1965.
Within a confederation, all routers communicate with each other in a full mesh arrangement.
Communications between confederations is more like inter-AS communications in that many of
the attributes are changed as they would be for BGP communications leaving the AS, or eBGP.
Confederations are useful when merging ASs. Each AS being merged can easily become a
confederation, requiring few changes. Any additional permanent changes can then be
implemented over time as required. The figure below shows the group of ASs before merging,
and the corresponding confederations afterward as part of the single AS with the addition of a
new border router. It should be noted that after merging if the border router becomes a route
reflector, then each confederation only needs to communicate with one other router, instead of
five others.
Fortinet Technologies Inc. Page 102 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Figure 8: AS merging using confederations
AS 1
Confed1
Confed1
AS
AS 1 1 (was AS1)
(was AS1) Confed2
AS 2 (was AS2)
Border
rder Router
Routter
Border
B d R Router
t
Confed5 Confed3
AS 3 (was AS5) (was AS3)
AS 5 Confed4
AS 4 (was AS4)
Confederations and route reflectors perform similar functions they both sub-divide large
ASes for more efficient operation. They differ in that route reflector clusters can include routers
that are not members of a cluster, where routers in a confederation must belong to that
confederation. Also, confederations place their confederation numbers in the AS_PATH attribute
making it easier to trace.
It is important to note that while confederations essentially create sub-ASs, all the
confederations within an AS appear as a single AS to external ASs.
Confederation related BGP commands include:
config router bgp
set confederation-identifier <peerid_integer>
end
BGP attributes
Each route in a BGP network has a set of attributes associated with it. These attributes define
the route, and are modified as required along the route.
BGP can work well with mostly default settings, but if you are going to change settings you
need to understand the roles of each attribute and how they affect those settings.
The BGP attributes include:
MULTI_EXIT_DESC (MED) Which router to use to exit an AS with more than one
external connection. See MULTI_EXIT_DESC (MED) on
page 105.
Fortinet Technologies Inc. Page 103 FortiOS Handbook - Advanced Routing for FortiOS 5.0
COMMUNITY Used to apply attributes to a group of routes. See
COMMUNITY on page 105.
Inbound policies on FortiGate units can change the NEXT-HOP,LOCAL-PREF, MED and
AS-PATH attributes of an internal BGP (iBGP) route for its local route selection purposes.
However, outbound policies on the unit cannot affect these attributes.
AS_PATH
AS_PATH is the BGP attribute that keeps track of each AS a route advertisement has passed
through. AS_PATH is used by confederations and by exterior BGP (EBGP) to help prevent
routing loops. A router knows there is a loop if it receives an AS_PATH with that routers AS in it.
The figure below shows the route between router A and router B. The AS_PATH from A to B
would read 701,702,703 for each AS the route passes through.
As of the start of 2010, the industry upgraded from 2-byte to 4-byte AS_PATHs. This upgrade
was due to the imminent exhaustion of 2-byte AS_PATH numbers. FortiOS supports 4-byte
AS_PATHs in its BGP implementation.
A
B
Network AS701
Network AS703
3 1
2
Fortinet Technologies Inc. Page 104 FortiOS Handbook - Advanced Routing for FortiOS 5.0
MULTI_EXIT_DESC (MED)
BGP AS systems can have one or more routers that connect them to other ASes. For ASes with
more than one connecting router, the Multi-Exit Discriminator (MED) lists which router is best to
use when leaving the AS. The MED is based on attributes such as delay. It is a recommendation
only, as some networks may have different priorities.
BGP updates advertise the best path to a destination network. When the FortiGate unit receives
a BGP update, the FortiGate unit examines the Multi-Exit Discriminator (MED) attribute of
potential routes to determine the best path to a destination network before recording the path in
the local FortiGate unit routing table.
FortiGate units have the option to treat any routes without an MED attribute as the worst
possible routing choice. This can be useful because a lack of MED information is a lack of
routing information which can be suspicious possibly a hacking attempt or an attack on the
network. At best it signifies an unreliable route to select.
The BGP commands related to MED include:
config router bgp
set always-compare-med {enable | disable}
set bestpath-med-confed {enable | disable}
set bestpath-med-missing-as-worst {enable | disable}
set deterministic-med {enable | disable}
config neighbor
set attribute-unchanged [as-path] [med] [next-hop]
end
end
COMMUNITY
A community is a group of routes that have the same routing policies applied to them. This
saves time and resources. A community is defined by the COMMUNITY attribute of a BGP
route.
The FortiGate unit can set the COMMUNITY attribute of a route to assign the route to
predefined paths (see RFC 1997). The FortiGate unit can examine the COMMUNITY attribute of
learned routes to perform local filtering and/or redistribution.
The BGP commands related to COMMUNITY include:
config router bgp
set send-community {both | disable | extended | standard}
end
NEXT_HOP
The NEXT_HOP attribute says what IP address the packets should be forwarded to next. Each
time the route is advertised, this value is updated. The NEXT_HOP attribute is much like a
gateway in static routing.
FortiGate units allow you to to change the advertising of the FortiGate units IP address (instead
of the neighbors IP address) in the NEXT_HOP information that is sent to IBGP peers. This is
changed with the config neighbor, set next-hop-self command.
Fortinet Technologies Inc. Page 105 FortiOS Handbook - Advanced Routing for FortiOS 5.0
The BGP commands related to NEXT_HOP include:
config router bgp
config neighbor
set attribute-unchanged [as-path] [med] [next-hop]
set next-hop-self {enable | disable}
end
end
ATOMIC_AGGREGATE
The ATOMIC_AGGREGATE attribute is used when routes have been summarized. It indicates
which AS and which router summarize the routes. It also tells downstream routers not to
de-aggregate the route. Summarized routes are routes with similar information that have been
combined, or aggregated, into one route that is easier to send in updates. When it reaches its
destination, the summarized routes are split back up into the individual routes.
Your FortiGate unit doesnt specifically set this attribute in the BGP router command, but it is
used in the route map command.
The commands related to ATOMIC_AGGREGATE include:
config router route-map
edit <route_map_name>
config rule
edit <route_map_rule_id>
set set-aggregator-as <id_integer>
set set-aggregator-ip <address_ipv4>
set set-atomic-aggregate {enable | disable}
end
end
end
ORIGIN
The ORIGIN attribute records where the route came from. The options can be IBGP, EBGP, or
incomplete. This information is important because internal routes (IBGP) are by default higher
priority than external routes (EBGP). However incomplete ORIGINs are the lowest priority of the
three.
The commands related to ORIGIN include:
config router route-map
edit <route_map_name>
set comments <string>
config rule
edit <route_map_rule_id>
set match-origin {egp | igp | incomplete | none}
end
end
end
Fortinet Technologies Inc. Page 106 FortiOS Handbook - Advanced Routing for FortiOS 5.0
been defined as neighbors. BGP routers listen for updates from these configured neighboring
routers on TCP port 179.
A BGP router is a finite state machine with six various states for each connection. As two BGP
routers discover each other, and establish a connection they go from the idle state, through the
various states until they reach the established state. An error can cause the connection to be
dropped and the state of the router to be reset to either active or idle. These errors can be
caused by: TCP port 179 not being open, a random TCP port above port 1023 not being open,
the peer address being incorrect, or the AS number being incorrect.
When BGP routers start a connection, they negotiate which (if any) optional features will be
used such as multiprotocol extensions that can include IPv6 and VPNs.
Fortinet Technologies Inc. Page 107 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Figure 10:Three phases of BGP routing decision
Adj-RIB-IN
(new routes)
Calculate:
iBGP or eBGP?
Phase 1 - Calculate route
local route policies preferences on incoming
LOCAL_PREF routes.
3 9
Adj-RIB-IN
(with route 11 6
preferences) 2 5
22
Phase 2 - Install the best
3 routes into the local
Loc-RIB
(with new 5 6 routing RIB
routes)
9
11
Adj-RIB-OUT
(with routes
to send)
Routes
sent in update
Decision phase 1
At this phase, the decision is to calculate how preferred each route and its NRLI are the
Adjacent Routing Information Base Incoming (Adj-RIBs-In) compared to the other routes. For
internal routes (IBGP), policy information or LOCAL_PREF is used. For external peer learned
routes, it is based strictly on policy. These rules set up a list of which routes are most preferred
going into Phase 2.
Decision phase 2
Phase 2 involves installing the best route to each destination into the local Routing Information
Base (Loc-RIB). Effectively, the Loc-RIB is the master routing table. Each route from Phase 1
has their NEXT_HOP checked to ensure the destination is reachable. If it is reachable, the
Fortinet Technologies Inc. Page 108 FortiOS Handbook - Advanced Routing for FortiOS 5.0
AS_PATH is checked for loops. After that, routes are installed based on the following decision
process:
If there is only one route to a location, it is installed.
If multiple routes to the same location, use the most preferred route from Level 1.
If there is a tie, break the tie based on the following in descending order of importance:
shortest AS_PATH, smallest ORIGIN number, smallest MED, EBGP over IBGP, smallest
metric or cost for reaching the NEXT_HOP, BGP identifier, and lowest IP address.
Note that the new routes that are installed into the Loc-RIB are in addition to any existing routes
in the table. Once Phase 2 is completed the Loc-RIB will consist of the best of both the new and
older routes.
Decision phase 3
Phase 3 is route distribution or dissemination. This is the process of deciding which routes the
router will advertise. If there is any route aggregation or summarizing, it happens here. Also any
route filtering from route maps happens here.
Once Phase 3 is complete, an update can be sent out to update the neighbor of new routes.
Troubleshooting BGP
There are some features in BGP that are used to deal with problems that may arise. Typically the
problems with a BGP network that has been configured, involve routes going offline frequently.
This is called route flap and causes problems for the routers using that route.
Fortinet Technologies Inc. Page 109 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Clearing routing table entries
To see if a new route is being properly added to the routing table, you can clear all or some BGP
neighbor connections (sessions) using the execute router clear bgp command.
For example, if you have 10 routes in the BGP routing table and you want to clear the specific
route to IP address 10.10.10.1, enter the command:
execute router clear bgp ip 10.10.10.1
To remove all routes for AS number 650001, enter the command:
execute router clear bgp as 650001
Route flap
When routers or hardware along a route go offline and back online that is called a route flap.
Flapping is the term if these outages continue, especially if they occur frequently.
Route flap is a problem in BGP because each time a peer or a route goes down, all the peer
routers that are connected to that out-of-service router advertise the change in their routing
tables which creates a lot of administration traffic on the network. And the same traffic happens
again when that router comes back online. If the problem is something like a faulty network
cable that wobbles on and offline every 10 seconds, there could easily be overwhelming
amounts of routing updates sent out unnecessarily.
Another possible reason for route flap occurs with multiple FortiGate units in HA mode. When
an HA cluster fails over to the secondary unit, other routers on the network may see the HA
cluster as being offline resulting in route flap. While this doesnt occur often, or more than once
at a time, it can still result in an interruption in traffic which is unpleasant for network users. The
easy solution for this problem is to increase the timers on the HA cluster, such as TTL timers, so
they do not expire during the failover process. Also configuring graceful restart on the HA
cluster will help with a smooth failover.
The first method of dealing with route flap should be to check your hardware. If a cable is loose
or bad, it can easily be replaced and eliminate the problem. If an interface on the router is bad,
either avoid using that interface or swap in a functioning router. If the power source is bad on a
router, either replace the power supply or use a power conditioning backup power supply.
These quick and easy fixes can save you from configuring more complex BGP options.
However if the route flap is from another source, configuring BGP to deal with the outages will
ensure your network users uninterrupted service.
Some methods of dealing with route flap in BGP include:
Holddown timer
Dampening
Graceful restart
Bi-directional forwarding detection (BFD)
Holddown timer
The first line of defence to a flapping route is the hold down timer. This timer reduces how
frequently a route going down will cause a routing update to be broadcast.
Once activated, the holddown timer wont allow the FortiGate unit to accept any changes to
that route for the duration of the timer. If the route flaps five times during the timer period, only
the first outage will be recognized by the FortiGate unit for the duration of the other outages
there will be no changes because the Fortigate unit is essentially treating this router as down.
After the timer expires, if the route is still flapping it will happen all over again.
Fortinet Technologies Inc. Page 110 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Even if the route isnt flapping if it goes down, comes up, and stays back up the timer still
counts down and the route is ignored for the duration of the timer. In this situation the route will
be seen as down longer than it really is, but there will be only the one set of route updates. This
is not a problem in normal operation because updates are not frequent.
Also the potential for a route to be treated as down when it is really up can be viewed as a
robustness feature. Typically you do not want most of your traffic being routed over an
unreliable route. So if there is route flap going on, it is best to avoid that route if you can. This is
enforced by the holddown timer.
Dampening
Dampening is a method used to limit the amount of network problems due to flapping routes.
With dampening the flapping still occurs, but the peer routers pay less and less attention to that
route as it flaps more often. One flap doesnt start dampening, but the second starts a timer
where the router will not use that route it is considered unstable. If the route flaps again
before the timer expires, the timer continues to increase. There is a period of time called the
reachability half-life after which a route flap will only be suppressed for half the time. This
half-life comes into effect when a route has been stable for a while but not long enough to clear
all the dampening completely. For the flapping route to be included in the routing table again,
the suppression time must expire.
If the route flapping was temporary, you can clear the flapping or dampening from the FortiGate
units cache by using one of the execute router clear bgp commands:
execute router clear bgp dampening {<ip_address> | <ip/netmask>}
or
execute router clear bgp flap-statistics {<ip> | <ip/netmask>}
For example, to remove route flap dampening information for the 10.10.0.0/16 subnet, enter the
command:
execute router clear bgp dampening 10.10.0.0/16
Fortinet Technologies Inc. Page 111 FortiOS Handbook - Advanced Routing for FortiOS 5.0
The BGP commands related to route dampening are:
config router bgp
set dampening {enable | disable}
set dampening-max-suppress-time <minutes_integer>
set dampening-reachability-half-life <minutes_integer>
set dampening-reuse <reuse_integer>
set dampening-route-map <routemap-name_str>
set dampening-suppress <limit_integer>
set dampening-unreachability-half-life <minutes_integer>
end
Graceful restart
BGP4 has the capability to gracefully restart.
In some situations, route flap is caused by routers that appear to be offline but the hardware
portion of the router (control plane) can continue to function normally. One example of this is
when some software is restarting or being upgraded, but the hardware can still function
normally.
Graceful restart is best used for these situations where routing will not be interrupted, but the
router is unresponsive to routing update advertisements. Graceful restart does not have to be
supported by all routers in a network, but the network will benefit when more routers support it.
FortiGate HA clusters can benefit from graceful restart. When a failover takes place, the HA
cluster will advertise it is going offline, and will not appear as a route flap. It will also enable the
new HA main unit to come online with an updated and usable routing table if there is a flap
the HA cluster routing table will be out of date.
For example, your FortiGate unit is one of four BGP routers that send updates to each other.
Any of those routers may support graceful startingwhen a router plans to go offline, it will
send out a message to its neighbors how long it expects to be before being back online. That
way its neighbor routers dont remove it from their routing tables. However if that router isnt
back online when expected, the routers will mark it offline. This prevents routing flap and its
associated problems.
Fortinet Technologies Inc. Page 112 FortiOS Handbook - Advanced Routing for FortiOS 5.0
For example, if a neighbor of your FortiGate unit, with an IP address of 172.20.120.120,
supports graceful restart, enter the command:
config router bgp
config neighbor
edit 172.20.120.120
set capability-graceful-restart enable
end
end
If you want to configure graceful restart on your FortiGate unit where you expect the Fortigate
unit to be offline for no more than 2 minutes, and after 3 minutes the BGP network should
consider the FortiGate unit offline, enter the command:
config router bgp
set graceful-restart enable
set graceful-restart-time 120
set graceful-stalepath-time 180
end
The BGP commands related to BGP graceful restart are:
config router bgp
set graceful-restart { disable| enable}
set graceful-restart-time <seconds_integer>
set graceful-stalepath-time <seconds_integer>
set graceful-update-delay <seconds_integer>
config neighbor
set capability-graceful-restart {enable | disable}
end
end
Configurable granularity
BFD can run on the entire FortiGate unit, selected interfaces, or on BGP for all configured
interfaces. The hierarchy allows each lower level to override the upper levels BFD setting. For
example, if BFD was enabled for the FortiGate unit, it could be disabled only for a single
Fortinet Technologies Inc. Page 113 FortiOS Handbook - Advanced Routing for FortiOS 5.0
interface or for BGP. For information about FortiGate-wide BFD options, see config system
settings in the FortiGate CLI Reference.
BFD can only be configured through the CLI.
The BGP commands related to BFD are:
config system {setting | interface}
set bfd {enable | disable | global}
set bfd-desired-mix-tx <milliseconds>
set bfd-detect-mult <multiplier>
set bfd-required-mix-rx <milliseconds>
set bfd-dont-enforce-src-port {enable | disable}
The config system commands allow you to configure whether BFD is enabled in a particular
unit/vdom or individual interface, and how often the interface requires sending and receiving of
BFD information.
The config router bgp commands allow you to set the addresses of the neighbor units that
are also running BFD. Both units must be configured with BFD in order to make use of it.
This is an example of a small network that uses BGP routing connections to two ISPs. This is a
common configuration for companies that need redundant connections to the Internet for their
business.
This configuration is for a small company connected to two ISPs. The company has one main
office, the Head Office, and uses static routing for internal routing on that network.
Both ISPs use BGP routing, and connect to the Internet directly. They want the company to
connect to the ISP networks using BGP. They also use graceful restart to prevent unneeded
updates, and use smaller timer values to detect network failures faster.
As can be expected, the company wants to keep their BGP configuration relatively simple and
easy to manage. The current configuration has only 3 routers to worry about the 2 ISP
border routers, and the FortiGate unit. This means the FortiGate unit will only have two
neighbour routers to configure.
This configuration has the added benefit of being easy to expand if the Company wants to add
a remote office in the future.
To keep the configuration simple, the Company is allowing only HTTP, HTTPS, FTP, and DNS
traffic out of the local network. This will allow employees access to the Internet and their
web-mail.
Fortinet Technologies Inc. Page 114 FortiOS Handbook - Advanced Routing for FortiOS 5.0
This section includes the following topics:
Network layout and assumptions
Configuring the FortiGate unit
Configuring other networking devices
Testing this configuration
Fortinet Technologies Inc. Page 115 FortiOS Handbook - Advanced Routing for FortiOS 5.0
The components of the layout include:
The Company AS (AS number 1) is connected to ISP1 and ISP2 through the FortiGate unit.
The Company has one internal network the Head Office network at 10.11.101.0/24.
The FortiGate unit internal interface is on the the Company internal network with an IP
address of 10.11.101.110.
The FortiGate unit external1 interface is connected to ISP1s network with an IP address of
172.21.111.5, an address supplied by the ISP.
ISP1 AS has an AS number of 6501, and ISP2 has an AS number of 6502
Both ISPs are connected to the Internet.
The ISP1 border router is a neighbor (peer) of the FortiGate unit. It has an address of
172.21.111.4.
The ISP2 border router is a neighbor (peer) of the FortiGate unit. It has an address of
172.22.222.4.
Apart from graceful restart, and shorter timers (holdtimer, and keepalive) default settings are
to be used whenever possible.
ISP2 AS 650002
ISP1 AS 650001
172.22.222.4
172.21.111.4
external2
e
external1
1 172.20.222.5
1
172.20.111.5
5
internal
rna
nall
10.11.101.110 Head Office BGP Border Router
Company AS (ASN 1)
Assumptions
The basic BGP configuration procedure follows these assumptions:
ISP1 is the preferred route, and ISP2 is the secondary route
all basic configuration can be completed in both GUI and CLI
only one AS is used for the Company
Fortinet Technologies Inc. Page 116 FortiOS Handbook - Advanced Routing for FortiOS 5.0
For these reasons this example configuration does not include:
Bi-directional forwarding detection (BFD)
Route maps
Access lists
changing redistribution defaults make link when example is set up
IPv6
For more information on these features, see the corresponding section.
Fortinet Technologies Inc. Page 117 FortiOS Handbook - Advanced Routing for FortiOS 5.0
3. Set the following information, and select OK.
Alias internal
IP/Netmask 10.11.101.110/255.255.255.0
Administrative Status Up
Alias external1
IP/Netmask 172.21.111.5/255.255.255.0
Administrative Status Up
Alias external2
IP/Netmask 172.22.222.5/255.255.255.0
Administrative Status Up
Fortinet Technologies Inc. Page 118 FortiOS Handbook - Advanced Routing for FortiOS 5.0
To configure the FortiGate interfaces - CLI
config system interface
edit port1
set alias internal
set ip 10.11.101.110 255.255.255.0
set allowaccess http https ssh
set description Company internal network
set status up
next
edit port2
set alias external1
set ip 172.21.111.5 255.255.255.0
set allowaccess https ssh
set description ISP1 External BGP network
set status up
next
edit port3
set alias external2
set ip 172.22.222.5 255.255.255.0
set allowaccess https ssh
set description ISP2 External BGP network
set status up
next
end
Device port2
Gateway 172.21.111.5
Distance 10
4. Select OK.
5. Select Create New, and set the following information.
Device port3
Gateway 172.22.222.5
Distance 15
6. Select OK.
Fortinet Technologies Inc. Page 119 FortiOS Handbook - Advanced Routing for FortiOS 5.0
To configure default routes for both ISPs - CLI
config router static
edit 1
set device "port2"
set distance 10
set gateway 172.21.111.5
next
edit 2
set device "port3"
set distance 15
set gateway 172.22.222.5
next
end
For added security, you may want to define a smaller range of addresses for the internal
network. For example if only 20 addresses are used, only allow those addresses in the range.
In the interest of keeping things simple, a zone will be used to group the two ISP interfaces
together. This will allow using one security policy to apply to both ISPs at the same time.
Remember to block intra-zone traffic as this will help prevent one ISP sending traffic to the other
ISP through your FortiGate unit using your bandwidth. The zone keeps configuration simple,
and in the future if there is a need for separate policies for each ISP, they can be created and the
zone can be deleted.
The addresses that will be used are the addresses of the FortiGate unit internal and external
ports, and the internal network.
More policies or services can be added in the future as applications are added to the network.
For more information on security policies, see the firewall chapter of the FortiGate
Administration Guide.
When configuring security policies always enable logging to help you track and debug your
traffic flow.
Fortinet Technologies Inc. Page 120 FortiOS Handbook - Advanced Routing for FortiOS 5.0
2. For Group Name, enter Basic_Services.
3. From Available Services, move the following six services over to the Member list BGP,
FTP, FTP_GET, FTP_PUT, DNS, HTTP, and HTTPS.
4. Select OK.
4. Select OK.
Interface port1
3. Select OK.
Fortinet Technologies Inc. Page 121 FortiOS Handbook - Advanced Routing for FortiOS 5.0
To add the firewall addresses - CLI
config firewall address
edit "Internal_network"
set associated-interface "port1"
set subnet 10.11.101.0 255.255.255.0
next
end
Destination ISPs
Interface/Zone
Schedule always
Service Basic_services
Action ACCEPT
3. Select OK.
4. Select Create New, and set the following information.
Destination port1(internal)
Interface/Zone
Schedule always
Service Basic_services
Action ACCEPT
NAT Enable
Fortinet Technologies Inc. Page 122 FortiOS Handbook - Advanced Routing for FortiOS 5.0
To add the security policies - CLI
config firewall policy
edit 1
set srcintf "port1"
set srcaddr "Internal_network"
set dstintf "ISPs"
set dstaddr "all"
set schedule "always"
set service "Basic_services"
set action accept
set nat enable
set profile-status enable
set logtraffic enable
set comments "ISP1 basic services out policy"
next
edit 2
set srcintf "ISPs"
set srcaddr "all"
set dstintf "port1"
set dstaddr "Internal_network"
set schedule "always"
set service "Basic_services"
set action accept
set nat enable
set profile-status enable
set logtraffic enable
set comments "ISP1 basic services in policy"
next
end
Local AS 1
Router ID 10.11.101.110
Fortinet Technologies Inc. Page 123 FortiOS Handbook - Advanced Routing for FortiOS 5.0
To set the BGP router information - CLI
config router BGP
set as 1
set router-id 10.11.101.110
end
IP/Netmask 10.11.101.0/255.255.255.0
Fortinet Technologies Inc. Page 124 FortiOS Handbook - Advanced Routing for FortiOS 5.0
advertising updates. These commands applies to neighbors and are part of the BGP
capabilities. This prevents unneeded routing updates.
holdtime-timer how long the router will wait for a keepalive message before declaring
a router offline. A shorter time will find an offline router faster.
keepalive-timer how often the router sends out keepalive messages to neighbor
routers to maintain those sessions.
log-neighbor-changes log changes to neighbor routers status. This can be useful for
troubleshooting from both internal and external networks.
connect-timer how long in seconds the FortiGate unit will try to reach this neighbor
before declaring it offline.
weight used to prefer routes from one neighbor over the other. In this example ISP1 is
the primary connection so it is weighted higher than ISP2
Fortinet Technologies Inc. Page 125 FortiOS Handbook - Advanced Routing for FortiOS 5.0
They will require your FortiGate units:
IP address of the connected interface
Router ID
your Companys AS number
Once you have completed testing the network connectivity, turn off ping support on the
external interfaces for additional security.
Fortinet Technologies Inc. Page 126 FortiOS Handbook - Advanced Routing for FortiOS 5.0
If you want to see the contents of the routing information database (RIB), use the CLI command
get router info routing-table database. This will display the incoming routes that
may or may not make it into the routing table.
During normal BGP operation, peer routers redistribute routes from each other. However, in
some specific situations it may be best to not advertise routes from one peer, such as if the peer
is redundant with another peer (they share the same routes exactly), if it might be unreliable in
some way, or some other reason. The FortiGate can also take routes it learns from other
protocols and advertise them in BGP, for example OSPF or RIP. If your Company hosts its own
web or email servers, external locations will require routes to your networks to reach those
services.
In this example the Company has an internal network in an OSPF area, and is connected to a
BGP AS and two BGP peers. Company goes through these two peers to reach the Internet.
However, Peer 1 routes will not be advertised to Peer 2. The Company internal user and server
networks are running OSPF, and will redistribute those routes to BGP so external locations can
reach the web and email servers.
This section includes the following topics:
Network layout and assumptions
Configuring the FortiGate unit
Testing network configuration
Fortinet Technologies Inc. Page 127 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Network layout and assumptions
The network layout for the BGP redistributing routes example involves the company network
being connected to two BGP peers as shown below. In this configuration the FortiGate unit is
the BGP border router between the Company AS, and the peer routers.
The components of the layout include:
There is only one BGP AS in this example AS 65001, shared by the FortiGate unit and
both peers.
The Companys FortiGate unit connects to the Internet through two BGP peers.
The Company internal networks on the dmz interface of the FortiGate unit with an IP of
10.11.201.0/24.
The FortiGate units interfaces are connected as follows:
port1 (dmz) has IP 10.11.201.110 and is the internal user and server network
port2 (external1) has IP 172.21.111.4 and is connected to Peer 1s network
port3 (external2) has IP 172.22.222.4 and is connected to Peer 2s network
Peer 1 has IP 172.21.111.5, and Peer 2 has IP 172.22.222.5.
OSPF Area 1 is configured on the dmz interface of the FortiGate unit, and is the routing
protocol used by the internal users and servers.
Peer 2
172.22.222.5
Peer 1
external2
172.21.111.5
172.22.222.4
BGP d
dmz
AS 65001 1
10.11.201.110
external1
a1
al
172.21.111.4
.44
OSPF
Area 1
http
email
Assumptions
The the BGP redistributing routes configuration procedure follows these assumptions:
the FortiGate unit has been configured following the Install Guide
interfaces port1, port2, and port 3 exist on the FortiGate unit
we dont know the router manufacturers of Peer 1 and Peer 2
we dont know what other devices are on the BGP AS or OSPF Area
all basic configuration can be completed in both GUI and CLI
access lists and route maps will only be configured in CLI
VDOMs are not enabled on the FortiGate unit
Fortinet Technologies Inc. Page 128 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Configuring the FortiGate unit
1. Configuring the FortiGate unit networks and firewalls
2. Configuring the FortiGate unit - BGP
3. Configuring the FortiGate unit - OSPF
4. Configuring other networking devices
Alias dmz
IP/Netmask 10.11.201.110/255.255.255.0
Administrative Status Up
Alias external1
IP/Netmask 172.21.111.4/255.255.255.0
Administrative Status Up
Alias external2
IP/Netmask 172.22.222.4/255.255.255.0
Fortinet Technologies Inc. Page 129 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Administrative Access HTTPS SSH
Administrative Status Up
Interface port1
3. Select OK.
4. Select Create New, and enter the following information:
5. Select OK.
Fortinet Technologies Inc. Page 130 FortiOS Handbook - Advanced Routing for FortiOS 5.0
To configure firewall service groups - GUI
1. Go to Firewall Objects > Service > Group.
2. Select Create New.
3. Name the group OSPF_Services.
4. Move the following services to the right list: DNS, FTP, FTP_GET, FTP_PUT, HTTP, HTTPS,
IMAP, MYSQL, NTP, OSPF, PING, POP3, SMTP, SSH, SYSLOG, and TRACEROUTE.
5. Select OK.
6. Select Create New.
7. Name the group BGP_Services.
8. Move the following services to the right list: BGP, DNS, FTP, FTP_GET, FTP_PUT, HTTP,
HTTPS, IMAP, MYSQL, NTP, PING, POP3, SMTP, SSH, SYSLOG, and TRACEROUTE.
9. Select OK.
Fortinet Technologies Inc. Page 131 FortiOS Handbook - Advanced Routing for FortiOS 5.0
To create access list to block Peer 1 - CLI
config access-list
edit block_peer1
config rule
edit 1
set prefix 172.21.111.0 255.255.255.0
set action deny
set exact-match enable
end
end
end
Type Regular
Authentication None
Fortinet Technologies Inc. Page 132 FortiOS Handbook - Advanced Routing for FortiOS 5.0
6. Enter 10.11.201.0/255.255.255.0 for IP/Netmask, and select OK.
7. For Interfaces, select Create New.
8. Enter OSPF_dmz_network for Name.
9. Select port1(dmz) for Interface, and then select OK.
Fortinet Technologies Inc. Page 133 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Open Shortest Path First (OSPF)
OSPF (Open Shortest Path First) is a link-state interior routing protocol, that is widely used in
large enterprise organizations. It only routes packets within a single autonomous system (AS).
This is different from BGP as BGP can communicate between ASes.
This section includes:
Background
The parts and terminology of OSPF
How OSPF works
Background
OSPF version 2 was defined in 1998 in RFC 2328. OSPF was designed to support classless IP
addressing, and variable subnet masks. This was a shortcoming of the earlier RIP protocols.
Updates to OSPF version 2 are included in OSPF version 3 defined in 2008 in RFC 5340.
OSPF3 includes support for IPv6 addressing where previously OSPF2 only supports IPv4
addressing.
The main benefit of OSPF is that it detects link failures in the network quickly and within
seconds has converged network traffic successfully without any networking loops. Also OSPF
has many features to control which routes are propagated and which are not, maintaining
smaller routing tables. OSPF can also provide better load-balancing on external links than other
interior routing protocols.
Page 134
OSPF and IPv6
OSPF version 3 includes support for IPv6. Generally all IP addresses are in IPv6 format instead
of IPv4.
OSPF3 area numbers use the same 32-bit numbering system as OSPF2.
Router ID
In OSPF, each router has a unique 32-bit number called its Router ID. Often this 32-bit number
is written the same as a 32-bit IPv4 address would be written in dotted decimal notation.
However some brands of routers, such as Cisco routers, support a router ID entered as an
integer instead of an IP address.
It is a good idea to not use IP address in use on the router for the router ID number. The router
ID does not have to be a particular IP address on the router. By choosing a different number, it
will be harder to get confused which number you are looking at. A good idea can be to use the
as much of the area's number as possible. For example if you have 15 routers in area 0.0.0.0
they could be numbered from 0.0.0.1 to 0.0.0.15. If you have an area 1.1.1.1, then routers in that
area could start at 1.1.1.10 for example.
You can manually set the router ID on your FortiGate unit.
Adjacency
In an OSPF routing network, when an OSPF router boots up it sends out OSPF Hello packets to
find any neighbors, routers that have access to the same network as the router booting up.
Once neighbors are discovered and Hello packets are exchanged, updates are sent, and the
Link State databases of both neighbors are synchronized. At this point these neighbors are said
to be adjacent.
For two OSPF routers to become neighbors, the following conditions must be met.
The subnet mask used on both routers must be the same subnet.
The subnet number derived using the subnet mask and each router's interface IP address
must match.
The Hello interval & The Dead interval must match.
The routers must have the same OSPF area ID. If they are in different areas, they are not
neighbors.
If authentication is used, they must pass authentication checks.
If any of these parameters are different between the two routers, the routers do not become
OSPF neighbors and cannot be adjacent. If the routers become neighbors, they are adjacent.
Fortinet Technologies Inc. Page 135 FortiOS Handbook - Advanced Routing for FortiOS 5.0
routing updates. Adjacent routers exchange LSAs (LSDB information) as well as Hello packets.
A good example of an adjacent pair of routers is the DR and BDR.
You can check on the state of an OSPF neighbor using the CLI command get router info
ospf neighbor all. See Checking the state of OSPF neighbors on page 146.
Benefits
The OSPF concept of the designated router is a big step above RIP. With all RIP routers doing
their own updates all the time, RIP suffers from frequent and sometimes unnecessary updates
that can slow down your network. With OSPF, not only do routing changes only happen when a
link-state changes instead of any tiny change to the routing table, but the designated router
reduces this overhead traffic even more.
However, smaller network topologies may only have a couple routers besides the designated
router. This may seem excessive, but it maintains the proper OSPF form and it will still reduce
the administration traffic but to a lesser extent than on a large network. Also, your network
topology will be ready whenever you choose to expand your network.
Fortinet Technologies Inc. Page 136 FortiOS Handbook - Advanced Routing for FortiOS 5.0
With your FortiGate unit, to configure the port1 interface to be a potential OSPF designated
router or backup designed router called ospf_DR on the network, you need to raise the priority
of the router to a very high number such as 250 out of 255. This will ensure the interface has a
chance to be a DR, but will not guarantee that it will be one. Give the interface a low numbered
IP addresssuch as 10.1.1.1 instead of 192.168.1.1to help ensure it becomes a DR, but that
is not part of this example. Enter the following command:
config router ospf
config ospf-interface
edit ospf_DR
set priority 250
end
end
Area
An OSPF area is a smaller part of the larger OSPF AS. Areas are used to limit the link-state
updates that are sent out. The flooding used for these updates would overwhelm a large
network, so it is divided into these smaller areas for manageability.
Within an area if there are two or more routers that are viable, there will always be a designated
router (DR) and a backup DR (BDR). For more on these router roles, see Designated router (DR)
and backup router (BDR) on page 136.
Defining a private OSPF area, involves:
assigning a 32-bit number to the area that is unique on your network
defining the characteristics of one or more OSPF areas
creating associations between the OSPF areas that you defined and the local networks to
include in the OSPF area
if required, adjusting the settings of OSPF-enabled interfaces.
IPv6 OSPF area numbers use the same 32-bit number notation as IPv4 OSPF.
If you are using the web-based manager to perform these tasks, follow the procedures
summarized below.
FortiGate units support the four main types of OSPF area:
Backbone area
NSSA
Stub area
Regular area
Backbone area
Every OSPF network has at least one AS, and every OSPF network has a backbone area. The
backbone is the main area, or possibly the only area. All other OSPF areas are connected to a
backbone area. This means if two areas want to pass routing information back and forth, that
routing information will go through the backbone on its way between those areas. For this
reason the backbone not only has to connect to all other areas in the network, but also be
uninterrupted to be able to pass traffic to all points of the network.
The backbone area is referred to as area 0 because it has an IP address of 0.0.0.0.
Fortinet Technologies Inc. Page 137 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Stub area
A stub area is an OSPF area that receives no outside routes advertised into it, and all routing in
it is based on a default route. This essentially isolates it from outside areas.
Stub areas are useful for small networks that are part of a larger organization, especially if the
networking equipment cant handle routing large amounts of traffic passing through, or there are
other reasons to prevent outside traffic, such as security. For example most organizations dont
want their accounting department to be the center of their network with everyones traffic
passing through there. It would increase the security risks, slow down their network, and it
generally doesnt make sense.
A variation on the stub area is the totally stubby area. It is a stub area that does not allow
summarized routes.
NSSA
A not-so-stubby-area (NSSA) is a stub area that allows for external routes to be injected into it.
While it still does not allow routes from external areas, it is not limited to only using he default
route for internal routing.
Regular area
A regular area is what all the other ASes are, all the non-backbone, non-stub, non-NSSA areas.
A regular area generally has a connection to the backbone, does receive advertisements of
outside routes, and does not have an area number of 0.0.0.0.
Authentication
In the OSPF packet header are two authentication related fields AuType, and Authentication.
All OSPF packet traffic is authenticated. Multiple types of authentication are supported in
OSPFv2. However in OSPFv3, there is no authentication built-in but it is assumed that IPsec will
be used for authentication instead.
Packets that fail authentication are discarded.
Null authentication
Null authentication indicates there is no authentication being used. In this case the 16-byte
Authentication field is not checked, and can be any value. However checksumming is still used
to locate errors. On your FortiGate this is the none option for authentication.
Cryptographic authentication
Cryptographic authentication involves the use of a shared secret key to authenticate all router
traffic on a network. The key is never sent over the network in the cleara packet is sent and a
condensed and encrypted form of the packet is appended to the end of the packet. A
non-repeating sequence number is included in the OSPF packet to protect against replay
attacks that could try to use already sent packets to disrupt the network. When a packet is
accepted as authentic the authentication sequence number is set to the packet sequence
number. If a replay attack is attempted, the packet sent will be out of sequence and ignored.
Your FortiGate unit supports all three levels of authentication through the authentication
keyword associated with creating an OSPF interface .
Fortinet Technologies Inc. Page 138 FortiOS Handbook - Advanced Routing for FortiOS 5.0
For example to create an OSPF interface called Accounting on the port1 interface that is a
broadcast interface, has a hello interval of 10 seconds, has a dead interval of 40 seconds, uses
text authentication (simple password) with a password of ospf_test, enter the command:
config router ospf
config ospf-interface
edit Accounting
set interface port1
set network-type broadcast
set hello-interval 10
set dead-interval 40
set authentication text
set authentication-key ospf_test
end
end
Access Lists
Access lists are filters used by FortiGate unit OSPF routing. An access list provides a list of IP
addresses and the action to take for them essentially an access list makes it easy to group
addresses that will be treated the same into the same group, independent of their subnets or
other matching qualities. You add a rule for each address or subnet that you want to include,
specifying the action to take for it. For example if you wanted all traffic from one department to
be routed a particular way, even in different buildings, you can add all the addresses to an
access list and then handle that list all at once.
Each rule in an access list consists of a prefix (IP address and netmask), the action to take for
this prefix (permit or deny), and whether to match the prefix exactly or to match the prefix and
any more specific prefix.
The FortiGate unit attempts to match a packet against the rules in an access list starting at the
top of the list. If it finds a match for the prefix, it takes the action specified for that prefix. If no
match is found the default action is deny.
Access lists greatly speed up configuration and network management. When there is a problem,
you can check each list instead of individual addresses. Also, it eases troubleshooting since if
all addresses on one list have problems, it eliminates many possible causes right away.
If you are using the OSPF+ IPv6 protocols you will need to use access-list6, the IPv6 version of
access list. The only difference is that access-list6 uses IPv6 addresses.
Fortinet Technologies Inc. Page 139 FortiOS Handbook - Advanced Routing for FortiOS 5.0
For example, if you want to create an access list called test_list that only allows an exact
match of 10.10.10.10 and 11.11.11.11, enter the command:
config router access-list
edit test_list
config rule
edit 1
set prefix 10.10.10.10 255.255.255.255
set action allow
set exact-match enable
next
edit 2
set prefix 11.11.11.11 255.255.255.255
set action allow
set exact-match enable
end
end
Another example is if you want to deny ranges of addresses in IPv6 that start with the IPv6
equivalents of 10.10.10.10 and 11.11.11.11, enter the command access-list6 as follows:
config router access-list6
edit test_list_ip6
config rule
edit 1
set prefix6 2002:A0A:A0A:0:0:0:0:0:/48
set action deny
next
edit 2
set prefix6 2002:B0B:B0B:0:0:0:0:0/48
set action deny
end
To use an access_list, you must call it from a routing protocol such as RIP. The following
example uses the access_list from the earlier example called test_list to match routes coming in
on the port1 interface. When there is a match, it will add 3 to the hop count metric for those
routes to artificially decrease their priority. Enter the following command:
config router ospf
config distribute-list
edit 5
set access-list test_list
set protocol connected
end
If you are setting a prefix of 128.0.0.0, use the format 128.0.0.0/1. The default route 0.0.0.0/0
can not be exactly matched with an access-list. A prefix-list must be used for this purpose.
Fortinet Technologies Inc. Page 140 FortiOS Handbook - Advanced Routing for FortiOS 5.0
OSPF is an interior routing protocol. It includes a backbone AS, and possibly additional ASes.
The DR and BDR are elected from potential routers with the highest priorities. The DR handles
much of the administration to lower the network traffic required. New routers are discovered
through hello packets sent from the DR using the multicast address of 224.0.0.5. If the DR goes
offline at any time, the BDR has a complete table of routes that is uses when it takes over as the
DR router.
OSPF does not use UDP or TCP, but is encapsulated directly in IP datagrams as protocol 89.
This is in contrast to RIP, or BGP. OSPF handles its own error detection and correction
functions.
The OSPF protocol, when running on IPv4, can operate securely between routers, optionally
using a variety of authentication methods to allow only trusted routers to participate in routing.
OSPFv3, running on IPv6, no longer supports protocol-internal authentication. Instead, it relies
on IPv6 protocol security (IPsec).
Other important parts of how OSPF works includes:
OSPF router discovery
How OSPF works on FortiGate units
External routes
Link-state Database (LSDB) and route updates
OSPF packets
Fortinet Technologies Inc. Page 141 FortiOS Handbook - Advanced Routing for FortiOS 5.0
External routes
OSPF is an internal routing protocol. OSPF external routes are routes where the destination
using a routing protocol other than OSPF. OSPF handles external routes by adjusting the cost of
the route to include the cost of the other routing protocol. There are two methods of calculating
this cost, used for OSPF E1 and OSPF E2.
Comparing E1 and E2
The best way to understand OSPF E1 and E2 routes is to check routing tables on OSPF routers.
If you look at the routes on an OSPF border router, the redistributed routes will have an
associated cost that represents only the external route, as there is no OSPF cost to the route
due to it already being on the edge of the OSPF domain. However, if you look at that same route
on a different OSPF router inside the OSPF routing domain, it will have a higher associated cost
- essentially the external cost plus the cost over the OSPF domain to that border router. The
border router uses OSPF E2, where the internal OSPF router uses OSPF E1 for the same route.
Fortinet Technologies Inc. Page 142 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Link-state Database (LSDB) and route updates
OSPF is based on links. The links between adjacent neighbor routers allow updates to be
passed along the network. Network links allow the DR to flood the area with Link-state
database (LSDB) updates. External links allow the OSPF area to connect to destinations outside
the OSPF autonomous system. Information about these links is passed throughout the OSPF
network as link-state updates.
The LSDB contains the information that defines the complete OSPF area, but the LSDB is not
the routing table. It contains the information from all the link-state updates passed along the
network. When there are no more changes required, and the network is stable then the LSDB on
each router in the network will be the same. The DR will flood the LSDB to the area to ensure
each router has the same LSDB.
To calculate the best route (shortest path) to a destination, the FortiGate unit applies the
Shortest Path First (SPF) algorithm, based on Dijkstras algorithm, to the accumulated link-state
information. OSPF uses relative path cost metric for choosing the best route. The path cost can
be any metric, but is typically the bandwidth of the path, how fast traffic will get from one point
to another.
The path cost, similar to distance for RIP, imposes a penalty on the outgoing direction of a
FortiGate unit interface. The path cost of a route is calculated by adding together all of the costs
associated with the outgoing interfaces along the path to the destination. The lowest overall
path cost indicates the best route, and generally the fastest route. Some brands of OSPF
routers, such as Cisco, implement cost as a direct result of bandwidth between the routers.
Generally this is a good cost metric because larger bandwidth means more traffic can travel
without slowing down. To achieve this type of cost metric on FortiGate units, you need to set
the cost for each interface manually in the CLI.
The inter-area routes may not be calculated when a Cisco type ABR has no fully adjacent
neighbor in the backbone area. In this situation, the router considers summary-LSAs from all
Actively summary-LSAs from all Actively Attached areas (RFC 3509).
The FortiGate unit dynamically updates its routing table based on the results of the SPF
calculation to ensure that an OSPF packet will be routed using the shortest path to its
destination. Depending on the network topology, the entries in the FortiGate unit routing table
may include:
the addresses of networks in the local OSPF area (to which packets are sent directly)
routes to OSPF area border routers (to which packets destined for another area are sent)
if the network contains OSPF areas and non-OSPF domains, routes to area boundary
routers, which reside on the OSPF network backbone and are configured to forward packets
to destinations outside the OSPF AS.
Fortinet Technologies Inc. Page 143 FortiOS Handbook - Advanced Routing for FortiOS 5.0
4. Once the SPF tree has been created, and shows the shortest paths to all the OSPF routers
on the network, the work is done. If the new route is the best route, it will be part of that tree.
If it is not the shortest route, it will not be included in the LSDB.
5. If there has been a change from the initial LSDB to the new SPF tree, a link state update will
be sent out to let the other routers know about the change so they can update their LSDBs
as well. This is vital since all routers on the OSPF area must have the same LSDB.
6. If there was no change between the LSDB and the SPF tree, no action is taken.
OSPF packets
Every OSPF packet starts with a standard 24-byte header, and another 24 bytes of information
or more. The header contains all the information necessary to determine whether the packet
should be accepted for further processing.
Table 11:OSPF packet
1-byte Version field 1-byte Type field 2-byte Packet 3-byte Router ID
length
4-byte Network Mask 2-byte Hello interval 1-byte Options field 1-byte Router
Priority
4-byte Dead Router 4-byte DR field 4-byte BDR field 4-byte Neighbor ID
interval
Fortinet Technologies Inc. Page 144 FortiOS Handbook - Advanced Routing for FortiOS 5.0
When AuType is set to 2 (Cryptographic authentication), the 64-bit authentication field is split
into the following four fields: Zero field, Key ID field, Authentication data length field, and
Cryptographic sequence field.
The Key ID field indicates the key and algorithm used to create the message digest appended
to the packet. The authentication data length field indicates how many bytes long the message
digest is, and the cryptographic sequence number is at non-decreasing number that is set
when the packet is received and authenticated to prevent replay attacks.
Network MaskThe subnet where this packet is valid.
Hello intervalThe period of time between sending out Hello packets. See Hello and dead
intervals on page 139.
Options field The OSPF protocol defines several optional capabilities. A router indicates the
optional capabilities that it supports in its OSPF Hello packets, Database Description packets
and in its LSAs. This enables routers supporting a mix of optional capabilities to coexist in a
single Autonomous System.
Router priorityThe priority between 0 and 255 that determines which routers become the DR
and BDR. See Designated router (DR) and backup router (BDR) on page 136.
Dead router intervalThe period of time when there is no response from a router before it is
declared dead. See Hello and dead intervals on page 139.
DR and BDR fieldsThe DR and BDR fields each list the router that fills that role on this
network, generally the routers with the highest priorities. See Designated router (DR) and
backup router (BDR) on page 136.
Neighbor IDThe ID number of a neighboring router. This ID is used to discover new routers
and respond to them.
Troubleshooting OSPF
As with other dynamic routing protocols, OSPF has some issues that may need troubleshooting
from time to time. For basic troubleshooting, see the FortiOS Handbook Troubleshooting
chapter.
The more common issues include:
Clearing OSPF routes from the routing table
Checking the state of OSPF neighbors
Passive interface problems
Timer problems
Authentication issues
DR and BDR election issues
Fortinet Technologies Inc. Page 145 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Checking the state of OSPF neighbors
In OSPF each router sends out link state advertisements to find other routers on its network
segment, and to create adjacencies with some of those routers. This is important because
routing updates are only passed between adjacent routers. If two routers you believe to be
adjacent are not, that can be the source of routing failures.
To identify this problem, you need to check the state of the OSPF neighbors of your FortiGate
unit. Use the CLI command get router info ospf neighbor all to see all the neighbors
for your FortiGate unit. You will see output in the form of:
FGT1 # get router info ospf neighbor
OSPF process 0:
Neighbor ID Pri State Dead Time Address Interface
10.0.0.2 1 Full/ - 00:00:39 10.1.1.2 tunnel_wan1
10.0.0.2 1 Full/ - 00:00:34 10.1.1.4 tunnel_wan2
The important information here is the State column. Any neighbors that are not adjacent to
your FortiGate unit will be reported in this column as something other than Full. If the state is
Down, that router is offline.
Timer problems
A timer mismatch is when two routers have different values set for the same timer. For example
if one router declares a router dead after 45 seconds and another waits for 4 minutes that
difference in time will result in those two routers being out of synch for that period of timeone
will still see that offline router as being online.
The easiest method to check the timers is to check the configuration on each router. Another
method is to sniff some packets, and read the timer values in the packets themselves from
different routers. Each packet contains the hello interval, and dead interval periods, so you can
compare them easily enough.
Fortinet Technologies Inc. Page 146 FortiOS Handbook - Advanced Routing for FortiOS 5.0
connection then that router is declared down. BFD then communicates this information to the
routing protocol and the routing information is updated.
Authentication issues
OSPF has a number of authentication methods you can choose from. You may encounter
problems with routers not authenticating as you expect. This will likely appear simply as one or
more routers that have a blind spot in their routing - they wont acknowledge a router. This can
be a problem if that router connects areas to the backbone as it will appear to be offline and
unusable.
To confirm this is the issue, the easiest method is to turn off authentication on the neighboring
routers. With no authentication between any routers, everything should flow normally.
Another method to confirm that authentication is the problem is to sniff packets, and look at
their contents. The authentication type and password are right in the packets which makes it
easy to confirm they are what you expect during real time. Its possible one or more routers is
not configured as you expect and may be using the wrong authentication. This method is
especially useful if there are a group of routers with these problemsit may only be one router
causing the problem that is seen in multiple routers.
Once you have confirmed the problem is authentication related, you can decide how to handle
it. You can turn off authentication and take your time to determine how to get your preferred
authentication type back online. You can try another type of authentication, such as text instead
of md5, which may have more success and still provide some level of protection. The important
part is that once you confirm the problem, you can decide how to fix it properly.
This example sets up an OSPF network at a small office. There are 3 routers, all running OSPF
v2. The border router connects to a BGP network.
All three routers in this example are FortiGate units. Router1 will be the designated router (DR)
and router2 will be the backup DR (BDR) due to their priorities. Router3 will not be considered
for either the DR or BDR elections. Instead, Router3 is the area border router (ASBR) routing all
traffic to the ISPs BGP router on its way to the Internet.
Router2 has a modem connected that provides dialup access to the Internet as well, at a
reduced bandwidth. This is a PPPoE connection to a DSL modem. This provides an alternate
Fortinet Technologies Inc. Page 147 FortiOS Handbook - Advanced Routing for FortiOS 5.0
route to the Internet if the other route goes down. The DSL connection is slow, and is charged
by the amount of traffic. For these reasons OSPF will highly favor Router3s Internet access.
The DSL connection connects to an OSPF network with the ISP, so no redistribution of routes is
required. The ISP network does have to be added to that routers configuration however.
This section includes the following topics:
Network layout and assumptions
Configuring the FortiGate units
Configuring OSPF on the FortiGate units
Configuring other networking devices
Testing network configuration
Router1 (DR) Internal (port1) 10.11.101.1 Head office network, and Router2
Router2 (BDR) Internal (port1) 10.11.101.2 Head office network, and Router1
Fortinet Technologies Inc. Page 148 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Figure 13:Basic OSPF network topology
Rou
Ro
Router2 (BDR)
Router1 (DR)
R))
Note that other subnets can be added to the internal interfaces without changing the
configuration.
Assumptions
The FortiGate units used in this example have interfaces named port1, port2, and port3.
All FortiGate units in this example have factory default configuration with FortiOS 4.0 MR2
firmware installed, and are in NAT/Route operation mode.
Basic firewalls are in place to allow unfiltered traffic between all connected interfaces in both
directions.
This OSPF network is not connected to any other OSPF networks.
Both Internet connections are always available.
The modem connection is very slow and expensive.
Other devices may be on the network, but do not affect this basic configuration.
Router3 is responsible for redistributing all routes into and out of the OSPF AS.
Fortinet Technologies Inc. Page 149 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Configuring Router1
Router1 has two interfaces connected to the networkinternal (port1) and external (port2). Its
host name must be changed to Router1.
Alias internal
IP/Netmask 10.11.101.1/255.255.255.0
Administrative Status Up
Alias External
IP/Netmask 10.11.102.1/255.255.255.0
Description Router3
Administrative Status Up
Configuring Router2
Router2 configuration is the same as Router1, except Router2 also has the DSL interface to
configure.
The DSL interface is configured with a username of user1 and a password of ospf_example.
The default gateway will be retrieved from the ISP, and the defaults will be used for the rest of
the PPPoE settings.
Alias internal
IP/Netmask 10.11.101.2/255.255.255.0
Fortinet Technologies Inc. Page 150 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Description Head office and Router1
Administrative Status Up
Alias External
IP/Netmask 10.11.103.2/255.255.255.0
Description Router3
Administrative Status Up
6. Edit DSL (port3), set the following information, and select OK.
Alias DSL
Username user1
Password ospf_example
Description DSL
Administrative Status Up
Configuring Router3
Router3 is similar to Router1 and Router2 configurations. The main difference is the External
(port3) interface connected to the ISP BGP network which has no administration access
enabled for security reasons.
Alias internal
IP/Netmask 10.11.102.3/255.255.255.0
Fortinet Technologies Inc. Page 151 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Description Router1
Administrative Status Up
Alias Internal2
IP/Netmask 10.11.103.3/255.255.255.0
Description Router2
Administrative Status Up
Alias External
IP/Netmask 172.20.120.3/255.255.255.0
Administrative Access
Administrative Status Up
Fortinet Technologies Inc. Page 152 FortiOS Handbook - Advanced Routing for FortiOS 5.0
This section includes:
Configuring OSPF on Router1
Configuring OSPF on Router2
Configuring OSPF on Router3
Area 0.0.0.0
Type Regular
Authentication none
4. In Networks, select Create New, set the following information, and select OK.
IP/Netmask 10.11.0.0/255.255.0.0
Area 0.0.0.0
5. In Interfaces, select Create New, set the following information, and select OK.
Name Router1-Internal-DR
IP 0.0.0.0
Authentication none
Timers (seconds)
Hello Interval 10
Dead Interval 40
6. In Interfaces, select Create New, set the following information, and select OK.
Name Router1-External
IP 0.0.0.0
Authentication none
Fortinet Technologies Inc. Page 153 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Timers (seconds)
Hello Interval 10
Dead Interval 40
7. Using the CLI, enter the following commands to set the priority for the Router1-Internal
OSPF interface to maximum, ensuring this interface becomes the DR.
config router ospf
config ospf-interface
edit Router1-Internal-DR
set priority 255
end
Fortinet Technologies Inc. Page 154 FortiOS Handbook - Advanced Routing for FortiOS 5.0
3. In Areas, select Create New, set the following information, and select OK.
Area 0.0.0.0
Type Regular
Authentication none
4. In Networks, select Create New, set the following information, and select OK.
IP/Netmask 10.11.0.0/255.255.0.0
Area 0.0.0.0
5. In Interfaces, select Create New, set the following information, and select OK.
Name Router2-Internal
IP 0.0.0.0
Authentication none
Timers (seconds)
Hello Interval 10
Dead Interval 40
6. In Interfaces, select Create New, set the following information, and select OK.
Name Router2-External
IP 0.0.0.0
Authentication none
Timers (seconds)
Hello Interval 10
Dead Interval 40
7. In Interfaces, select Create New, set the following information, and select OK.
Name Router2-DSL
IP 0.0.0.0
Authentication none
Cost 50
Fortinet Technologies Inc. Page 155 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Timers (seconds)
Hello Interval 20
Dead Interval 80
8. Using the CLI, enter the following commands to set the priority for the Router2-Internal
OSPF interface to ensure this interface will become the BDR.
config router ospf
config ospf-interface
edit Router2-Internal
set priority 250
next
end
Fortinet Technologies Inc. Page 156 FortiOS Handbook - Advanced Routing for FortiOS 5.0
To configure OSPF on Router3 - web-based manager
1. Go to Router > Dynamic > OSPF.
2. Set Router ID to 10.11.101.2 and select Apply.
3. Expand Advanced Options.
4. In Redistribute, set the following information, and select OK.
Connected Enable 15
Static Enable 15
BGP Enable 5
5. In Areas, select Create New, set the following information, and select OK.
Area 0.0.0.0
Type Regular
Authentication none
6. In Networks, select Create New, set the following information, and select OK.
IP/Netmask 10.11.0.0/255.255.0.0
Area 0.0.0.0
7. In Interfaces, select Create New, set the following information, and select OK.
Name Router3-Internal
IP 0.0.0.0
Authentication none
Timers (seconds)
Hello Interval 10
Dead Interval 40
8. In Interfaces, select Create New, set the following information, and select OK.
Name Router3-Internal2
IP 0.0.0.0
Fortinet Technologies Inc. Page 157 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Authentication none
Timers (seconds)
Hello Interval 10
Dead Interval 40
9. In Interfaces, select Create New, set the following information, and select OK.
Name Router3-ISP-BGP
IP 0.0.0.0
Authentication none
Cost 2
Timers (seconds)
Hello Interval 20
Dead Interval 80
10.Using the CLI, enter the following commands to set the priority for the Router3-Internal
OSPF interface to ensure this interface will become the BDR.
config router ospf
config ospf-interface
edit Router3-Internal
set priority 250
next
end
Fortinet Technologies Inc. Page 158 FortiOS Handbook - Advanced Routing for FortiOS 5.0
To configure OSPF on Router3 - CLI
config router ospf
set router-id 10.11.102.3
config area
edit 0.0.0.0
next
end
config network
edit 1
set prefix 10.11.0.0/255.255.255.0
next
edit 2
set prefix 172.20.120.0/255.255.255.0
next
end
config ospf-interface
edit "Router3-Internal"
set interface "port1"
set priority 255
next
edit "Router3-External"
set interface "port2"
next
edit Router3-ISP-BGP
set interface port3
set cost 2
next
end
end
Fortinet Technologies Inc. Page 159 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Advanced inter-area OSPF example
This example sets up an OSPF network at a large office. There are three areas, each with two
routers. Typically OSPF areas would not be this small, and if they were the areas would be
combined into one bigger area. However, the stub area services the accounting department
which is very sensitive about their network and do not want any of their network information
broadcast through the rest of the company. The backbone area contains the bulk of the
company network devices. The regular area was established for various reasons such as
hosting the company servers on a separate area with extra security.
One area is a small stub area that has no independent Internet connection, and only one
connection to the backbone area. That connection between the stub area and the backbone
area is only through a default route. No routes outside the stub area are advertised into that
area. Another area is the backbone, which is connected to the other two areas. The third area
has the Internet connection, and all traffic to and from the Internet must use that areas
connection. If that traffic comes from the stub area, then that traffic is treating the backbone like
a transit area that only uses it to get to another area.
In the stub area, a subnet of computers is running the RIP routing protocol and those routes
must be redistributed into the OSPF areas.
This section includes the following topics:
Network layout and assumptions
Configuring the FortiGate units
Configuring OSPF on the FortiGate units
Configuring other networking devices
Testing network configuration
Fortinet Technologies Inc. Page 160 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Figure 14:Advanced inter-area OSPF network topology
ISP router
(172.20.120.5)
Router4 (DR)
User
Network
Router3 (D
(DR)
DR)) User
Network
DR
R)
Router2 (BDR)
Area 2.2.2.2
Network Administration
Router1 (DR)
DR) (regular area)
User
Network
Area 1.1.1.1 is a stub area with one FortiGate unit OSPF router called Router1 (DR). Its only
access outside of that area is a default route to the backbone area, which is how it accesses the
Internet. Traffic must go from the stub area, through the backbone, to the third area to reach the
Internet. The backbone area in this configuration is called a transit area. Also in area 1.1.1.1
there is a RIP router that will be providing routes to the OSPF area through redistribution.
Area 0.0.0.0 is the backbone area, and has two FortiGate unit routers named Router2 (BDR) and
Router3 (DR).
Area 2.2.2.2 is a regular area that has an Internet connection accessed by both the other two
OSPF areas. There is only one FortiGate unit router in this area called Router4 (DR). This area is
more secure and requires MD5 authentication by routers.
All areas have user networks connected, but they are not important for configuring the network
layout for this example.
Internal interfaces are connected to internal user networks only. External1 interfaces are
connected to the 10.11.110.0 network, joining Area 1.1.1.1 and Area 0.0.0.0.
External2 interfaces are connected to the 10.11.111.0 network, joining Area 0.0.0.0 and Area
2.2.2.2. The ISP interface is called ISP.
Table 13:Routers, areas, interfaces, IP addresses for advanced OSPF network
Fortinet Technologies Inc. Page 161 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Table 13:Routers, areas, interfaces, IP addresses for advanced OSPF network
Note that other subnets can be added to the internal interfaces without changing the
configuration.
Assumptions
The FortiGate units used in this example have interfaces named port1, port2, and port3.
All FortiGate units in this example have factory default configuration with FortiOS 4.0 MR2
firmware installed, and are in NAT/Route operation mode.
During configuration, if settings are not directly referred to they will be left at default settings.
Basic firewalls are in place to allow unfiltered traffic between all connected interfaces in both
directions.
This OSPF network is not connected to any other OSPF areas outside of this example.
The Internet connection is always available.
Other devices may be on the network, but do not affect this configuration.
Configuring Router1
Router1 is part of the Accounting network stub area (1.1.1.1).
Fortinet Technologies Inc. Page 162 FortiOS Handbook - Advanced Routing for FortiOS 5.0
To configure Router1 interfaces - web-based manager
1. Go to System > Dashboard > Status.
2. Next to hostname, select Change.
3. Enter a hostname of Router1, and select OK.
4. Go to System > Network > Interface, edit port1, set the following information, and select OK.
Alias internal
IP/Netmask 10.11.101.1/255.255.255.0
Administrative Status Up
Alias External1
IP/Netmask 10.11.110.1/255.255.255.0
Administrative Status Up
Configuring Router2
Router2 is part of the R&D network backbone area (0.0.0.0). Router2 and Router3 are in this
area. They provide a redundant connection between area 1.1.1.1 and area 2.2.2.2.
Router2 has three interfaces configured; one to the internal network, and two to Router3 for
redundancy.
Alias internal
IP/Netmask 10.11.102.2/255.255.255.0
Administrative Status Up
Fortinet Technologies Inc. Page 163 FortiOS Handbook - Advanced Routing for FortiOS 5.0
5. Edit port2 (external1), set the following information, and select OK.
Alias external1
IP/Netmask 10.11.110.2/255.255.255.0
Administrative Status Up
6. Edit port3 (external2), set the following information, and select OK.
Alias external2
IP/Netmask 10.11.111.2/255.255.255.0
Administrative Status Up
Configuring Router3
Router3 is part of the R&D network backbone area (0.0.0.0). Router2 and Router3 are in this
area. They provide a redundant connection between area 1.1.1.1 and area 2.2.2.2.
Alias internal
IP/Netmask 10.11.103.3/255.255.255.0
Administrative Status Up
5. Edit port2 (external1), set the following information, and select OK.
Alias external1
IP/Netmask 10.11.110.3/255.255.255.0
Fortinet Technologies Inc. Page 164 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Description Router2 first connection
Administrative Status Up
6. Edit port3 (external2), set the following information, and select OK.
Alias external2
IP/Netmask 10.11.111.3/255.255.255.0
Administrative Status Up
Configuring Router4
Router4 is part of the Network Administration regular area (2.2.2.2). This area provides internet
access for both area 1.1.1.1 and the backbone area.
This section configures interfaces and hostname.
Alias internal
IP/Netmask 10.11.101.4/255.255.255.0
Administrative Status Up
Alias external2
IP/Netmask 10.11.110.4/255.255.255.0
Administrative Status Up
Fortinet Technologies Inc. Page 165 FortiOS Handbook - Advanced Routing for FortiOS 5.0
7. Set the following information, and select OK.
Alias ISP
IP/Netmask 172.20.120.4/255.255.255.0
Administrative Status Up
Area 1.1.1.1
Type Stub
Authentication None
4. In Networks, select Create New, set the following information, and select OK.
IP/Netmask 10.11.101.0/255.255.255.0
Area 1.1.1.1
5. In Interfaces, select Create New, set the following information, and select OK.
Name Accounting
IP 10.11.101.1
Authentication None
6. In Interfaces, select Create New, set the following information, and select OK.
Name Backbone1
IP 10.11.110.1
Authentication None
Fortinet Technologies Inc. Page 166 FortiOS Handbook - Advanced Routing for FortiOS 5.0
To configure OSPF on Router2 - web-based manager
1. Go to Router > Dynamic > OSPF.
2. Enter 10.11.102.2 for the Router ID and select Apply.
3. In Areas, select Create New, set the following information, and select OK.
Area 0.0.0.0
Type Regular
Authentication None
4. In Networks, select Create New, set the following information, and select OK.
IP/Netmask 10.11.102.2/255.255.255.0
Area 0.0.0.0
5. In Networks, select Create New, set the following information, and select OK.
IP/Netmask 10.11.110.2/255.255.255.0
Area 0.0.0.0
6. In Networks, select Create New, set the following information, and select OK.
IP/Netmask 10.11.111.2/255.255.255.0
Area 0.0.0.0
7. In Interfaces, select Create New, set the following information, and select OK.
IP 10.11.102.2
Authentication None
8. In Interfaces, select Create New, set the following information, and select OK.
Name Backbone1
IP 10.11.110.2
Authentication None
9. In Interfaces, select Create New, set the following information, and select OK.
Name Backbone2
Fortinet Technologies Inc. Page 167 FortiOS Handbook - Advanced Routing for FortiOS 5.0
IP 10.11.111.2
Authentication None
Area 0.0.0.0
Type Regular
Authentication None
4. In Networks, select Create New, set the following information, and select OK.
IP/Netmask 10.11.102.3/255.255.255.0
Area 0.0.0.0
5. In Networks, select Create New, set the following information, and select OK.
IP/Netmask 10.11.110.3/255.255.255.0
Area 0.0.0.0
6. In Networks, select Create New, set the following information, and select OK.
IP/Netmask 10.11.111.3/255.255.255.0
Area 0.0.0.0
7. In Interfaces, select Create New, set the following information, and select OK.
IP 10.11.103.3
Authentication None
8. In Interfaces, select Create New, set the following information, and select OK.
Name Backbone1
IP 10.11.110.3
Authentication None
Fortinet Technologies Inc. Page 168 FortiOS Handbook - Advanced Routing for FortiOS 5.0
9. In Interfaces, select Create New, set the following information, and select OK.
Name Backbone2
IP 10.11.111.3
Authentication None
Area 2.2.2.2
Type Regular
Authentication None
5. In Networks, select Create New, set the following information, and select OK.
IP/Netmask 10.11.104.0/255.255.255.0
Area 0.0.0.0
6. In Networks, select Create New, set the following information, and select OK.
IP/Netmask 10.11.111.0/255.255.255.0
Area 0.0.0.0
7. In Networks, select Create New, set the following information, and select OK.
IP/Netmask 172.20.120.0/255.255.255.0
Area 0.0.0.0
8. In Interfaces, select Create New, set the following information, and select OK.
IP 10.11.104.4
Authentication None
Fortinet Technologies Inc. Page 169 FortiOS Handbook - Advanced Routing for FortiOS 5.0
9. In Interfaces, select Create New, set the following information, and select OK.
Name Backbone2
IP 10.11.111.4
Authentication None
10.In Interfaces, select Create New, set the following information, and select OK.
Name ISP
IP 172.20.120.4
Authentication None
In this scenario, two FortiGate units have redundant links: one link between their WAN1
interfaces and another between their WAN2 interfaces.
Fortinet Technologies Inc. Page 170 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Network 10.160.0.0/23
Wan1
FortiGate 1
Wan2 Wan1
FortiGate
F 2
Wan2
Network 192.168.182.0/23
FortiGate 1 should learn the route to network 192.168.182.0 and FortiGate 2 should learn the
route to network 10.160.0.0. Under normal conditions, they should learn these routes through
the WAN1 link. The WAN2 link should be used only as a backup.
With the default settings, each FortiGate unit learns these routes from both WAN1 and WAN2.
FortiGate 1:
FGT1 # get router info ospf neighbor
OSPF process 0:
Neighbor ID Pri State Dead Time Address Interface
10.2.2.2 1 Full/Backup 00:00:33 10.182.0.187 wan1
10.2.2.2 1 Full/Backup 00:00:31 10.183.0.187 wan2
Fortinet Technologies Inc. Page 171 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Adjusting the route costs
On both FortiGate units, the cost of the route through WAN2 is adjusted higher so that this route
will only be used if the route through WAN1 is unavailable. The default cost is 10. The WAN2
route will be changed to a cost of 200.
On both FortiGate units:
config router ospf
config ospf-interface
edit "WAN2_higher_cost"
set cost 200
set interface "wan2"
end
Now both FortiGate units use only the WAN1 route:
FortiGate 1:
FGT1 # get router info routing-table ospf
O*E2 0.0.0.0/0 [110/10] via 10.182.0.187, wan1, 00:00:40
O 192.168.182.0/23 [110/20] via 10.182.0.187, wan1, 00:00:40
FortiGate 2:
FGT2 # get router info routing-table ospf
O 10.160.0.0/23 [110/20] via 10.182.0.57, wan1, 00:09:37
Fortinet Technologies Inc. Page 172 FortiOS Handbook - Advanced Routing for FortiOS 5.0
LSDB check on FortiGate 1:
FGT1 # get router info ospf database router lsa
Router Link States (Area 0.0.0.0)
LS age: 81
Options: 0x2 (*|-|-|-|-|-|E|-)
Flags: 0x0
LS Type: router-LSA
Link State ID: 10.1.1.1
Advertising Router: 10.1.1.1
LS Seq Number: 8000000b
Checksum: 0xe637
Length: 60
Number of Links: 3
LS age: 83
Options: 0x2 (*|-|-|-|-|-|E|-)
Flags: 0x2 : ASBR
LS Type: router-LSA
Link State ID: 10.2.2.2
Advertising Router: 10.2.2.2
LS Seq Number: 8000000e
Checksum: 0xfc9b
Length: 60
Number of Links: 3
Fortinet Technologies Inc. Page 173 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Link connected to: a Transit Network
(Link ID) Designated Router address: 10.183.0.187
(Link Data) Router Interface address: 10.183.0.187
Number of TOS metrics: 0
TOS 0 Metric: 200
Fortinet Technologies Inc. Page 174 FortiOS Handbook - Advanced Routing for FortiOS 5.0
Index
A G
access control list (ACL) 16 graceful restart 112
administrative distance 18, 19
anti-spoofing 18 H
area 140 HA 110
AS router monitor 11
multihomed 53 routes 11
number (ASN) 53
stub 53
I
interface
B loopback 18
bgp interior gateway protocol (IGP) 45
attribute Internet Assigned Numbers Authority (IANA) 53
AS_PATH 104 IP, protocol 89 140
ATOMIC_AGGREGATE 106
COMMUNITY 105 L
MULTI_EXIT_DESC 105 link-state advertisement (LSA) 45
NEXT_HOP 105 loopback interface 18
BGP-4+ 97
clearing routes 99, 110 M
control plane 112 Martian addresses 18
flap 112 missing MED 105
graceful restart 112
Multi-Exit Discriminator (MED) 105
MED 105
neighbors 99 Multipath routing 18
password, MD5 99 N
RFC 1997 105
route reflectors (RR) 101 not-so-stubby area (NSSA) 12
stabilizing the network 112 O
Bi-directional Forwarding Detection (BFD) 113
blackhole route 17 ospf
adjacent routers 141, 146
C area 140
area border router (ABR) 140
Classless Inter-Domain Routing (CIDR) 44 Dijkstras algorithm 143
control plane 112 e1 12
convergence 43, 113 e2 12
Hello packets 141
D Hello protocol 141
dampening 111 IP datagrams 140
reachability half-life 111 link-state 140
dead gateway detection 71 neighbor 141
Dijkstras algorithm 143 NSSA 12
distance vector protocols 45 path cost 143
state of neighbor 146
E ospf AS 137
ECMP 17
enhanced packet-matching 55 P
equal cost multipath (ECMP) 17, 20, 36 policy route
Exterior Gateway Protocol (EGP) 97 adding 24
exterior gateway protocol (EGP) 45 moving in list 26
port 179 107
protocol
ospf Hello 141
Page 175
R routing
redistributed routes administrative distance 18
ospf e1/e2 12 blackhole 17
reverse path lookup 18 domain 53
ECMP 17
RFC
enhanced packet-matching 55
RFC 1349 25
loopback interface 18
RFC 1519 44
routing table, searching 15
RFC 1771 97 viewing information 10
RFC 1965 102
routing policy
RFC 1966 101
protocol number 24
RFC 1997 105
RFC 2385 99 routing table 143
RFC 2453 58 removing routes 99
RFC 3065 102 S
RFC 3509 143
RFC 4271 97 Shortest Path First (SPF) 143
RFC 4632 44 Spill-over 39
RFC 5237 24 static route
RFC 791 25 adding policy 24
RIP administrative distance 18
hop count 65 moving in list 26
RFC 1058 58 table priority 19
RFC 2453 58 table sequence 19
RIP Next Generation (RIPng) 59 supernetting 103
version 1 58
version 2 58 T
route flap 112 troubleshooting
HA 110 BFD 113
route reflectors (RR) 101 bgp 109
router monitor dampening 111
HA 11 graceful restart 112
holddown timer 110
route flap 109
routing table 21
Type of service (TOS) 25
U
unicast reverse path forwarding (uRPF) 9
usage-based ECMP 39
Fortinet Technologies Inc. Page 176 FortiOS Handbook - Advanced Routing for FortiOS 5.0