Solved

How to setup MPLS on fortigate firewall

Posted on 2015-02-01
2
4,165 Views
Last Modified: 2015-02-03
I have connected my three branch offices with IPsec VPN. We are using Fortigate 80C on all branches. Now I need to configure MPLS. I don't know much about MPLS; please suggest how I can configure this.
0
Comment
Question by:jitendra singh
2 Comments
 

Expert Comment

by:deepak_giri
ID: 40583437
Hi Dear,

As I understand it, you connected your branch offices by IPsec VPN with static IPs, and it always connects at your internet speed. When you go for MPLS, you will get a dedicated speed plan for that. You can connect with your ISP; they will do the things for you: they will connect your branch offices with a dedicated leased line on MPLS. You can talk with AIRTEL, BSNL, TATA, etc.

http://www.airtel.in/mpls
Hope this information will help you.
0
 
LVL 26

Accepted Solution

by:
Fred Marshall earned 500 total points
ID: 40584396
The MPLS is just an internet-independent connection mechanism. I've heard some ISPs refer to the ports they provide as "just like looking into a switch", if that helps.

Since you have VPNs already, you no doubt already have separate site subnets and know how you're managing those regarding the larger network (things like name service, file sharing, etc.).

Here's a way to deal with the addition of MPLS capability:
If we assume that the Fortigate routers have a VLAN capability then I would do this:
1) Set up a VLAN on each of them which will all be on the same subnet. I'll call this VLAN2.
    Presumably the Fortigate will have an IP address assigned on VLAN2. Make it so.
2) Connect each MPLS port at each site to a Fortigate VLAN2 Ethernet port.
3) Add routes in the Fortigate that say this:
    To get from VLAN2 to the site 0 subnet, go to the local LAN subnet.
    To get to the site 1 subnet, the next hop is the Fortigate VLAN2 IP at site 1.
    To get to the site 2 subnet, the next hop is the Fortigate VLAN2 IP at site 2.
    And, if necessary, there may also need to be a route from the local LAN subnet to the VLAN2 subnet.
    etc.
    Each site would have its own set of these routes, e.g.:
        Site 0 will point to Site 1 and Site 2.
        Site 1 will point to Site 2 and Site 0.
        Site 2 will point to Site 0 and Site 1.

If this is a bit vague, it's because I'm not completely sure how the Fortigate needs to be set up.  But I think this is close.

There's an alternate method that I'm quite sure of:
Add an interface router at each site that connects the LAN to the MPLS port.  
For example, this could be an RV042 in Router mode.
Pick an "interim subnet" like 10.10.99.0/24 which is analogous to VLAN2's subnet above.
Assign a separate IP address to each interface router's MPLS port that's in this subnet.
Assign an IP address to each interface router's LAN side port that's in the LAN subnet.
In each interface router, add routes:
    To get to the site 1 subnet, the next hop is the interface router's MPLS port IP address at site 1.
    To get to the site 2 subnet, the next hop is the interface router's MPLS port IP address at site 2.
    Each site would have its own set of these routes, e.g.:
        Site 0 will point to Site 1 and Site 2.
        Site 1 will point to Site 2 and Site 0.
        Site 2 will point to Site 0 and Site 1.
Then, in the Fortigates, which I presume are your LAN gateways (right?), you will add routes:
    To get to the site 1 subnet, the next hop is the local interface router's LAN port IP address.
    To get to the site 2 subnet, the next hop is the local interface router's LAN port IP address.
Like this:
Let's assume that the sites have subnets:
192.168.0.0/24 at Site 0
192.168.1.0/24 at Site 1
192.168.2.0/24 at Site 2
Let's assume that the MPLS interface router ports have LAN IP addresses:
192.168.0.99 at Site 0
192.168.1.99 at Site 1
192.168.2.99 at Site 2
Let's assume that the MPLS interface router ports have interim subnet IP addresses:
10.10.99.100 at Site 0
10.10.99.101 at Site 1
10.10.99.102 at Site 2

The Site 0 MPLS router will have routes:
192.168.1.0/24 to 10.10.99.101
192.168.2.0/24 to 10.10.99.102
The Site 0 Fortigate will have routes:
192.168.1.0/24 to 192.168.0.99
192.168.2.0/24 to 192.168.0.99

The Site 1 MPLS router will have routes:
192.168.0.0/24 to 10.10.99.100
192.168.2.0/24 to 10.10.99.102
The Site 1 Fortigate will have routes:
192.168.0.0/24 to 192.168.1.99
192.168.2.0/24 to 192.168.1.99

The Site 2 MPLS router will have routes:
192.168.0.0/24 to 10.10.99.100
192.168.1.0/24 to 10.10.99.101
The Site 2 Fortigate will have routes:
192.168.0.0/24 to 192.168.2.99
192.168.1.0/24 to 192.168.2.99

The description of all this is:
Packets originating at one Site destined for another Site will go to the internet gateway as usual, as the destination isn't on the local LAN.
The internet gateway device will forward those packets back onto the LAN, destined for the MPLS interface router.
The MPLS interface router will forward those packets to the corresponding MPLS interface router.
The destination MPLS router will dump those packets out onto the wire on its local LAN, and on to the destination.

There is one small concern doing it with added routers:
When incoming packets arrive on the local MPLS router, as above, they go straight to their intended destination.
There is no interaction with the internet gateway router.
But the return packets WILL go to the internet gateway router.
If there are routing rules in the internet gateway router that check packets for consistency (like stateful packet inspection), then the return packets may be dropped because they aren't in an established communication "state". If so, the rules need to be changed to prevent this.
This should not be a big deal to accomplish, if it's needed at all. And, presumably, if everything is done inside the internet gateway router (your Fortigates), then the router *should know* enough to treat the return packets as OK and pass them through as intended.

I might add that you could continue to use VPNs on the MPLS.  The MPLS links are supposed to be "private" much like older "private" links.  But if you're concerned about security as your packets flow through some ISP switches, etc. then you may well want to use VPN connections through the MPLS.   This would mean setting up new VPNs.
I'd be a little surprised if you could set up a VPN on a VLAN interface on most small routers so this may require that you do add MPLS interface routers that are VPN capable.

Presumably each site has its own internet connection presently.
You may find it advantageous to provide a single internet connection and use the MPLS to serve up internet service to all the other sites.  It all depends on costs and speeds of course.  We do it this way for one customer and it works quite well.  If you should decide to do that and are going to use RV042 routers for the interfaces then I suggest you read:
http://www.experts-exchange.com/Hardware/Networking_Hardware/Routers/A_6533-Using-Cisco-Linksys-RV042-RV0XX-Routers-in-Router-Mode.html
Basically what it tells you is that the RV042s ALL have to have their WAN ports "pointing toward" the internet gateway.  So, the main site with internet service will have its RV042 connected "backwards" with the WAN port on the LAN and the LAN ports on the interim MPLS side.
(Routers in "Router" / no NAT mode aren't symmetrical in their functionality).
1
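An added example, not part of the original thread or of any Fortinet material: the Python below generalises the addressing plan from the accepted answer (site LANs 192.168.0-2.0/24, interface-router LAN ports .99, interim subnet 10.10.99.0/24) to any number of sites, renders the Fortigate static routes as `config router static` CLI, and traces the hop-by-hop path in both directions under both designs in the answer (VLAN on the Fortigate, or a separate interface router). The point it makes concrete is the asymmetric-routing concern raised above: with interface routers, each Fortigate forwards only one direction of every cross-site flow. Assumptions that are not on the page: the Fortigate LAN address is .1 of each site LAN, the 80C interface names are `internal` and `VLAN2`, under the VLAN design the Fortigate's VLAN2 address is the same interim-subnet address the answer gives the interface router, and the host addresses .10/.20 are constructed.

```python
"""Route plan and path check for the two MPLS designs in the accepted answer.

Generalises the three-site addressing plan to N sites, renders the Fortigate
static routes as CLI, and traces the hop-by-hop path in both directions to
show which Fortigates forward each direction of a cross-site flow.
"""
from dataclasses import dataclass
import ipaddress

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Site:
    name: str
    lan: Net          # site LAN subnet (from the answer)
    fortigate: IPv4   # Fortigate LAN address (assumed: .1 of each LAN)
    router_lan: IPv4  # interface router, LAN-side port (from the answer)
    mpls_ip: IPv4     # MPLS-side address on the interim subnet (from the answer);
                      # in the VLAN design assumed to be the Fortigate's VLAN2 address


def site(name, lan, fgt, rlan, mpls):
    return Site(name, Net(lan), IPv4(fgt), IPv4(rlan), IPv4(mpls))


SITES = [
    site("Site 0", "192.168.0.0/24", "192.168.0.1", "192.168.0.99", "10.10.99.100"),
    site("Site 1", "192.168.1.0/24", "192.168.1.1", "192.168.1.99", "10.10.99.101"),
    site("Site 2", "192.168.2.0/24", "192.168.2.1", "192.168.2.99", "10.10.99.102"),
]


def mpls_router_routes(local, sites):
    """Interface-router design: every other LAN -> that site's MPLS-side address."""
    return {s.lan: s.mpls_ip for s in sites if s is not local}


def fortigate_routes(local, sites, via_vlan=False):
    """Fortigate static routes. VLAN design: next hop is the remote Fortigate's
    VLAN2 address; interface-router design: next hop is the local router's LAN port."""
    return {s.lan: (s.mpls_ip if via_vlan else local.router_lan)
            for s in sites if s is not local}


def fortigate_cli(local, sites, via_vlan=False, device=None):
    """Render the routes as FortiGate 'config router static' CLI.
    The interface names 'VLAN2' and 'internal' are assumptions for an 80C."""
    device = device or ("VLAN2" if via_vlan else "internal")
    lines = ["config router static"]
    for i, (dst, gw) in enumerate(sorted(fortigate_routes(local, sites, via_vlan).items()), 1):
        lines += [f"    edit {i}",
                  f"        set dst {dst.network_address} {dst.netmask}",
                  f"        set gateway {gw}",
                  f"        set device {device}",
                  "    next"]
    lines.append("end")
    return "\n".join(lines)


def _site_of(ip, sites):
    return next(s for s in sites if ip in s.lan)


def trace(src, dst, sites, via_vlan=False):
    """Hop labels from host src to host dst; hosts use the Fortigate as default gateway."""
    src, dst = IPv4(src), IPv4(dst)
    here, there = _site_of(src, sites), _site_of(dst, sites)
    path = [f"{here.name} host {src}"]
    if here is not there:
        path.append(f"{here.name} Fortigate {here.fortigate}")  # off-LAN: to the gateway
        if via_vlan:
            # The Fortigate forwards over VLAN2 straight to the remote Fortigate,
            # which delivers on its own LAN: both gateways are on the path.
            path.append(f"{there.name} Fortigate {there.fortigate}")
        else:
            # The Fortigate hairpins the packet back onto its LAN to the local
            # interface router; the remote interface router delivers directly,
            # so the remote Fortigate never sees this direction.
            path.append(f"{here.name} MPLS router {fortigate_routes(here, sites)[there.lan]}")
            path.append(f"{there.name} MPLS router {mpls_router_routes(here, sites)[there.lan]}")
    path.append(f"{there.name} host {dst}")
    return path


def fortigates_seen(src, dst, sites, via_vlan=False):
    """Names of the sites whose Fortigate forwards packets on the src->dst path."""
    return {h.split(" Fortigate ")[0] for h in trace(src, dst, sites, via_vlan) if " Fortigate " in h}


if __name__ == "__main__":
    for s in SITES:
        print(f"# {s.name} (interface-router design)\n{fortigate_cli(s, SITES)}\n")
    a, b = "192.168.0.10", "192.168.1.20"   # constructed host addresses
    for via_vlan in (True, False):
        print("VLAN design" if via_vlan else "interface-router design")
        print("  forward:", " -> ".join(trace(a, b, SITES, via_vlan)))
        print("  return: ", " -> ".join(trace(b, a, SITES, via_vlan)))
        print("  Fortigates forwarding forward/return:",
              fortigates_seen(a, b, SITES, via_vlan), fortigates_seen(b, a, SITES, via_vlan))
```

Two things the trace makes visible that a practitioner should check before going live with the interface-router design. First, the forward packet enters and leaves the Fortigate on the same LAN interface (the hairpin at the third hop), so on a FortiGate a firewall policy from that interface to itself is needed in addition to the static route, or the traffic is dropped. Second, `fortigates_seen` returns `{"Site 0"}` for the forward direction and `{"Site 1"}` for the return, so no Fortigate ever sees a complete TCP session and any stateful or session-based policy on them will have to be relaxed for inter-site traffic, which is exactly the concern raised in the answer. Under the VLAN design both directions return `{"Site 0", "Site 1"}`, so the firewalls keep full session visibility; if the 80C supports a VLAN interface on the MPLS port, that design avoids the problem rather than working around it.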
