Solved

How to setup MPLS on fortigate firewall

Posted on 2015-02-01
2,876 Views
Last Modified: 2015-02-03
I have connected my three branch offices with IPsec VPN. We are using Fortigate 80C at all branches. Now I need to configure MPLS. I don't know much about MPLS; please suggest how I can configure this.
Question by:jitendra singh
2 Comments
Expert Comment by deepak_giri (ID: 40583437)
Hi Dear,

As I understand it, you connected your branch offices by IPsec VPN with static IPs; that always runs at your internet speed. When you go for MPLS, you will get a dedicated speed plan for it. You can contact your ISP; they will do the work for you and connect your branch offices with a dedicated leased line over MPLS. You can talk with AIRTEL, BSNL, TATA etc.

http://www.airtel.in/mpls
Hope this information will help you.
LVL 25

Accepted Solution by Fred Marshall (earned 500 total points, ID: 40584396)
The MPLS is just an internet-independent connection mechanism.  I've heard some ISPs refer to the ports they provide as "just like looking into a switch" if that helps.

Since you have VPNs already, you no doubt already have separate site subnets and know how you're managing those with respect to the larger network (things like name service, file sharing, etc.).

Here's a way to deal with the addition of MPLS capability:
If we assume that the Fortigate routers have a VLAN capability then I would do this:
1) set up a VLAN on each of them which will all be on the same subnet.  I'll call this VLAN2.
    Presumably the Fortigate will have an IP address assigned on VLAN2.  Make it so.
2) connect each MPLS port at each site to a Fortigate VLAN2 Ethernet port.
3) add routes in the Fortigate that say this:
    To get from VLAN2 to the site 0 subnet, go to the local LAN subnet.
    To get to the site 1 subnet, the next hop is the Fortigate VLAN2 IP at site 1.
    To get to the site 2 subnet, the next hop is the Fortigate VLAN2 IP at site 2.
    And, if necessary, there may also need to be a route from the local LAN subnet to the VLAN2 subnet.
    etc.
    Each site would have its own set of these routes, e.g.:
        Site 0 will point to Site 1 and Site 2.
        Site 1 will point to Site 2 and Site 0.
        Site 2 will point to Site 0 and Site 1.

If this is a bit vague, it's because I'm not completely sure how the Fortigate needs to be set up.  But I think this is close.

There's an alternate method that I'm quite sure of:
Add an interface router at each site that connects the LAN to the MPLS port.  
For example, this could be an RV042 in Router mode.
Pick an "interim subnet" like 10.10.99.0/24 which is analogous to VLAN2's subnet above.
Assign a separate IP address to each interface router's MPLS port that's in this subnet.
Assign an IP address to each interface router's LAN side port that's in the LAN subnet.
In each interface router, add routes:
    To get to the site 1 subnet, the next hop is the interface router's MPLS port IP address at site 1.
    To get to the site 2 subnet, the next hop is the interface router's MPLS port IP address at site 2.
    Each site would have its own set of these routes, e.g.:
        Site 0 will point to Site 1 and Site 2.
        Site 1 will point to Site 2 and Site 0.
        Site 2 will point to Site 0 and Site 1.
Then, in the Fortigates (which I presume are your LAN gateways, right?), you will add routes:
    To get to the site 1 subnet, the next hop is the local interface router's LAN port IP address.
    To get to the site 2 subnet, the next hop is the local interface router's LAN port IP address.
Like this:
Let's assume that the sites have subnets:
192.168.0.0/24 at Site 0
192.168.1.0/24 at Site 1
192.168.2.0/24 at Site 2
Let's assume that the MPLS interface router ports have LAN IP addresses:
192.168.0.99 at Site 0
192.168.1.99 at Site 1
192.168.2.99 at Site 2
Let's assume that the MPLS interface router ports have interim subnet IP addresses:
10.10.99.100 at Site 0
10.10.99.101 at Site 1
10.10.99.102 at Site 2

The Site 0 MPLS router will have routes:
192.168.1.0/24 to 10.10.99.101
192.168.2.0/24 to 10.10.99.102
The Site 0 Fortigate will have routes:
192.168.1.0/24 to 192.168.0.99
192.168.2.0/24 to 192.168.0.99

The Site 1 MPLS router will have routes:
192.168.0.0/24 to 10.10.99.100
192.168.2.0/24 to 10.10.99.102
The Site 1 Fortigate will have routes:
192.168.0.0/24 to 192.168.1.99
192.168.2.0/24 to 192.168.1.99

The Site 2 MPLS router will have routes:
192.168.0.0/24 to 10.10.99.100
192.168.1.0/24 to 10.10.99.101
The Site 2 Fortigate will have routes:
192.168.0.0/24 to 192.168.2.99
192.168.1.0/24 to 192.168.2.99

The description of all this is:
Packets originating at one site destined for another site will go to the internet gateway as usual, since the destination isn't on the local LAN.
The internet gateway device will forward those packets back onto the LAN, destined for the MPLS interface router.
The MPLS interface router will forward those packets to the corresponding MPLS interface router.
The destination MPLS router will put those packets out onto the wire on its local LAN, and on to the destination.

There is one small concern when doing it with added routers:
When incoming packets arrive at the local MPLS router, as above, they go straight to their intended destination.
There is no interaction with the internet gateway router.
But the return packets WILL go to the internet gateway router.
If there are routing rules in the internet gateway router that check packets for consistency (like stateful packet inspection), then the return packets may be dropped because they aren't in an established communication "state". If so, the rules need to be changed to prevent this.
This should not be a big deal to accomplish, if it's needed at all. And, presumably, if everything is done inside the internet gateway router (your Fortigates), then the router *should know* enough to treat the return packets as OK and pass them through as intended.

I might add that you could continue to use VPNs on the MPLS.  The MPLS links are supposed to be "private" much like older "private" links.  But if you're concerned about security as your packets flow through some ISP switches, etc. then you may well want to use VPN connections through the MPLS.   This would mean setting up new VPNs.
I'd be a little surprised if you could set up a VPN on a VLAN interface on most small routers so this may require that you do add MPLS interface routers that are VPN capable.

Presumably each site has its own internet connection presently.
You may find it advantageous to provide a single internet connection and use the MPLS to serve up internet service to all the other sites.  It all depends on costs and speeds of course.  We do it this way for one customer and it works quite well.  If you should decide to do that and are going to use RV042 routers for the interfaces then I suggest you read:
http://www.experts-exchange.com/Hardware/Networking_Hardware/Routers/A_6533-Using-Cisco-Linksys-RV042-RV0XX-Routers-in-Router-Mode.html
Basically what it tells you is that the RV042s ALL have to have their WAN ports "pointing toward" the internet gateway.  So, the main site with internet service will have its RV042 connected "backwards" with the WAN port on the LAN and the LAN ports on the interim MPLS side.
(Routers in "Router" / no NAT mode aren't symmetrical in their functionality).
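The following is an added worked example, not code from the thread or from Fortinet. It takes the addressing plan from the accepted answer (192.168.N.0/24 site LANs, 192.168.N.99 interface-router LAN addresses, 10.10.99.10N interim MPLS addresses), generates the static route table of every Fortigate and MPLS interface router from the rule the answer gives, prints the matching FortiOS `config router static` stanza, and traces a packet hop by hop in both directions so the asymmetric return path the answer warns about is visible. The Fortigate LAN addresses (192.168.N.1) and the LAN interface name (`internal`) are assumptions; check both against your own units before pasting anything.

```python
"""Added example (not from the thread): build the static routes the accepted
answer describes for the three-site MPLS layout, emit FortiOS CLI for each
Fortigate, and trace packets hop by hop to expose the asymmetric return path.
Addressing follows the answer's example values; the Fortigate LAN addresses
(192.168.N.1) and the LAN interface name ("internal") are assumptions."""
import ipaddress

SITES = {  # constructed addressing plan, per site number
    0: dict(lan="192.168.0.0/24", fg="192.168.0.1", mr_lan="192.168.0.99", mr_mpls="10.10.99.100"),
    1: dict(lan="192.168.1.0/24", fg="192.168.1.1", mr_lan="192.168.1.99", mr_mpls="10.10.99.101"),
    2: dict(lan="192.168.2.0/24", fg="192.168.2.1", mr_lan="192.168.2.99", mr_mpls="10.10.99.102"),
}
INTERIM = "10.10.99.0/24"  # the answer's "interim subnet" on the MPLS side

def build_routes():
    """Per-device routes as (prefix, gateway); gateway None means directly connected."""
    routes = {}
    for n, s in SITES.items():
        fg = [(s["lan"], None)]
        mr = [(s["lan"], None), (INTERIM, None)]
        for m, r in SITES.items():
            if m != n:
                fg.append((r["lan"], s["mr_lan"]))   # Fortigate: remote LAN via local MPLS router
                mr.append((r["lan"], r["mr_mpls"]))  # MPLS router: remote LAN via remote MPLS router
        routes[f"fg{n}"], routes[f"mr{n}"] = fg, mr
    return routes

ROUTES = build_routes()

def owner(ip):
    """Device holding an address; plain hosts are named by their address."""
    ip = ipaddress.ip_address(ip)
    for n, s in SITES.items():
        if ip == ipaddress.ip_address(s["fg"]):
            return f"fg{n}"
        if ip in (ipaddress.ip_address(s["mr_lan"]), ipaddress.ip_address(s["mr_mpls"])):
            return f"mr{n}"
    return f"host {ip}"

def site_of(ip):
    ip = ipaddress.ip_address(ip)
    for n, s in SITES.items():
        if ip in ipaddress.ip_network(s["lan"]):
            return n
    raise ValueError(f"{ip} is not on any site LAN")

def lookup(device, dst):
    """Longest-prefix match in a device's table; None if there is no route."""
    dst, best = ipaddress.ip_address(dst), None
    for prefix, gw in ROUTES[device]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best

def trace(src, dst):
    """Hop-by-hop device path from LAN host src to LAN host dst."""
    path = [owner(src)]
    if site_of(src) == site_of(dst):
        return path + [owner(dst)]
    cur = f"fg{site_of(src)}"  # off-subnet traffic goes to the LAN default gateway
    for _ in range(10):  # bounded so a misconfigured loop cannot hang the trace
        path.append(cur)
        hit = lookup(cur, dst)
        if hit is None:
            return path + ["NO ROUTE"]
        nxt = owner(dst) if hit[1] is None else owner(hit[1])
        if nxt == owner(dst):
            return path + [nxt]
        cur = nxt
    return path + ["LOOP"]

def one_sided_firewalls(a, b):
    """Fortigates that see only one direction of the a<->b flow, i.e. where
    stateful inspection would see replies with no matching session."""
    fwd = {d for d in trace(a, b) if d.startswith("fg")}
    rev = {d for d in trace(b, a) if d.startswith("fg")}
    return sorted(fwd ^ rev)

def fortigate_cli(n, lan_if="internal", first_id=10):
    """FortiOS static-route stanza for site n; ids start high so they do not
    collide with an existing default-route entry (assumed interface name)."""
    lines = ["config router static"]
    for i, (prefix, gw) in enumerate(r for r in ROUTES[f"fg{n}"] if r[1] is not None):
        net = ipaddress.ip_network(prefix)
        lines += [f"    edit {first_id + i}",
                  f"        set dst {net.network_address} {net.netmask}",
                  f"        set gateway {gw}",
                  f"        set device {lan_if}",
                  "    next"]
    return "\n".join(lines + ["end"])

if __name__ == "__main__":
    print(fortigate_cli(0))
    print(trace("192.168.0.10", "192.168.1.10"))
    print(trace("192.168.1.10", "192.168.0.10"))
    print("one-sided firewalls:", one_sided_firewalls("192.168.0.10", "192.168.1.10"))
```

For a host at site 0 talking to a host at site 1, `trace` shows the outbound packet passing fg0 and both MPLS routers, while the reply passes fg1 and the MPLS routers but never fg0; `one_sided_firewalls` therefore returns both Fortigates, which is exactly the stateful-inspection concern in the answer (the reply arrives at the far-site Fortigate with no session to match). With the first approach in the answer, where the Fortigate itself holds the VLAN2 interface, both directions of each flow pass the same Fortigate and that list is empty.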
