Fortinet SD-WAN Integration with Aviatrix

BGP over LAN allows an Aviatrix multi-cloud transit network to exchange routes with network virtualization appliances (NVAs) over a plain LAN adjacency, without running a tunneling protocol such as IPsec or GRE between them. One use case is interoperating with third-party SD-WAN appliances.

Credits to Saad Mirza

https://community.aviatrix.com/t/h7htvvc/need-of-conventional-bgp-support-in-the-cloud

Constraints

  • The LAN interfaces of the Aviatrix Transit primary gateway and of the third-party appliance must be in different VNets.
  • One BGP over LAN connection per gateway is supported.

Aviatrix software version 6.8 will no longer require a dedicated VNet for the SD-WAN appliances.

Configuration

Once the VNet is created, I peer it with the transit VNet using native Azure VNet peering, which gives the FortiGate and the transit gateway both control-plane (BGP session) and data-plane reachability:

Once the peering is established, its status can be monitored from the Azure Peering tab:

SD-WAN Appliance Deployment

I’m going to deploy a standalone FortiGate from the Azure Marketplace into the VNet dedicated to appliances:

If you deployed manually you might need to add a second interface to the VM, and make sure IP forwarding is enabled on its NICs in Azure: without it, Azure drops packets that are not addressed to the NIC itself, so the FortiGate cannot forward transit traffic:

Once the VM is deployed, we need to do the initial configuration. FortiGate initial configuration is covered in the following post:

External Connection

From the Multi-Cloud Transit menu, select Setup and then External Connection, with the following options:

  • External Device
  • BGP
  • LAN

I’m using ASN 65001 for the Aviatrix transit gateway and ASN 65002 for the FortiGate:

Once I click Connect, the configuration is saved:

FortiGate BGP Configuration

We need to configure port2, the interface that faces the Aviatrix transit gateway:

A static route is required for the FortiGate to reach the Aviatrix transit gateway, which sits in the peered transit VNet and is therefore not on a directly connected subnet:
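The port2 and static route steps above were shown in screenshots; the following is an added FortiOS CLI example of the same two steps, not configuration taken from the post. The port2 address 10.255.162.68 (the router-id used later) and the transit gateway address 10.255.160.116 (the BGP neighbor) are from the post; the /26 subnet masks, the Azure subnet gateway 10.255.162.65 and the route sequence number are assumptions.

```fortios
# Added example, not from the original post. Masks, the Azure subnet
# gateway (10.255.162.65) and the route number are assumed values.
config system interface
    edit "port2"
        set mode static
        set ip 10.255.162.68 255.255.255.192
        # ping only, for troubleshooting. BGP (TCP/179) is not an
        # administrative service and needs no allowaccess entry;
        # keep management (https/ssh) on port1.
        set allowaccess ping
        set alias "lan-to-aviatrix"
    next
end

config router static
    edit 10
        # Transit gateway LAN subnet in the peered VNet. Azure reserves the
        # first usable address of every subnet as its default gateway, so
        # the next hop is that address, not the transit gateway itself.
        set dst 10.255.160.64 255.255.255.192
        set gateway 10.255.162.65
        set device "port2"
    next
end
```

Keep the static route as narrow as the transit LAN subnet; a broad route on port2 would pull traffic that should leave through port1.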

BGP configuration:

The final BGP config looks like:

config router bgp
    set as 65002
    set router-id 10.255.162.68
    set ebgp-multipath enable
    set graceful-restart enable
    config neighbor
        edit "10.255.160.116"
            # The transit gateway is in a peered VNet, not on a directly
            # connected subnet, so eBGP multihop is required.
            set ebgp-enforce-multihop enable
            set ebgp-multihop-ttl 16
            set remote-as 65001
        next
    end
    # Advertises every connected subnet, port1's included.
    config redistribute "connected"
        set status enable
    end
end

Once the config is applied, the BGP state changes to “Established”:

Checking the prefixes received from the transit gateway:
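The checks above were done from the GUI; as an added example (not commands from the post), these are the FortiGate CLI equivalents I would run to verify the session and what is exchanged over it. The neighbor address 10.255.160.116 and the port2 address 10.255.162.68 are from the post.

```fortios
# Added example, not from the original post.

# Session state per neighbor: State/PfxRcd should show a prefix count,
# not "Active" or "Connect".
get router info bgp summary

# Prefixes accepted from the transit gateway, and what we send it.
# Because the BGP config redistributes "connected", the advertised list
# also contains port1's subnet; check that nothing is exported that the
# transit should not learn.
get router info bgp neighbors 10.255.160.116 routes
get router info bgp neighbors 10.255.160.116 advertised-routes

# Confirm the learned prefixes were installed in the RIB as BGP routes.
get router info routing-table bgp

# If the session stays in Active: test reachability from port2's address
# and watch for the TCP/179 handshake on port2.
execute ping-options source 10.255.162.68
execute ping 10.255.160.116
diagnose sniffer packet port2 'tcp port 179' 4 10
```

If the ping works but no SYN-ACK ever shows in the sniffer, the problem is between the VNets (peering state, NSG rules or Azure IP forwarding on the NIC) rather than in the BGP configuration.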

From the Controller:

BGP Diagnostics allows us to run predefined or custom commands:

References

https://docs.aviatrix.com/HowTos/transit_gateway_external_device_bgp_over_lan_azure_workflow.html

https://docs.fortinet.com/document/fortigate/7.2.0/administration-guide/750736/bgp
