My-Lab
LAG between Juniper Switch and FortiGate

Procedure Manual: Connecting Juniper EX4200 to FortiGate and Configuring OSPF

This manual describes the configuration of two ports on a Juniper EX4200 switch (ge-0/0/22 and ge-0/0/23) connected to FortiGate ports (port6 and port7), forming a Link Aggregation Group (LAG) for increased bandwidth and redundancy. It then configures OSPF for dynamic routing between the devices.


Part 1: Initial Setup and LAG Configuration

Step 1: Juniper LAG Configuration

  1. Create LAG (ae0): Allow aggregated Ethernet devices on the chassis (required on the EX4200 before any ae interface can exist), then aggregate ge-0/0/22 and ge-0/0/23 into a single LAG interface:

    set chassis aggregated-devices ethernet device-count 1
    set interfaces ge-0/0/22 ether-options 802.3ad ae0
    set interfaces ge-0/0/23 ether-options 802.3ad ae0
  2. Configure VLAN for the LAG: Assign a VLAN for communication between Juniper and FortiGate. For example, VLAN 100:

    set vlans fw-vlan vlan-id 100
    set interfaces ae0 unit 0 family ethernet-switching vlan members fw-vlan
  3. Assign an IP to the VLAN Interface: Bind the routed VLAN interface (vlan.100) to fw-vlan and give it an address in the same subnet as the FortiGate:

    set vlans fw-vlan l3-interface vlan.100
    set interfaces vlan unit 100 family inet address 192.168.100.1/24
  4. Activate LACP: Enable LACP for the LAG interface:

    set interfaces ae0 aggregated-ether-options lacp active
  5. Commit the Configuration:

    commit

Step 2: FortiGate LAG Configuration

  1. Create Aggregate Interface:

    • In the FortiGate GUI:
      • Navigate to Network > Interfaces.
      • Click Create New > Interface, then choose Aggregate.
      • Select port6 and port7 to include in the aggregate interface.
      • Set Mode to 802.3ad (LACP).
      • Assign an IP address in the same subnet as the Juniper (e.g., 192.168.100.2/24).
      • Enable Administrative Access (if needed for testing).
    • CLI equivalent:
      config system interface
          edit "agg1"
              set vdom "root"
              set ip 192.168.100.2 255.255.255.0
              set allowaccess ping https ssh
              set type aggregate
              set member "port6" "port7"
              set lacp-mode active
          next
      end
  2. Commit Changes: Save the configuration on the FortiGate.


Part 2: OSPF Configuration

Step 1: OSPF on the Juniper Switch

  1. Activate OSPF Protocol: Enable OSPF on the VLAN interface (vlan.100):

    set protocols ospf area 0.0.0.0 interface vlan.100
  2. Set Router ID: Configure a unique OSPF Router ID for the Juniper switch (in Junos the router ID lives under routing-options, not under protocols ospf):

    set routing-options router-id 192.168.100.1
  3. Verify and Commit:

    commit
    show configuration protocols ospf

Step 2: OSPF on the FortiGate

  1. Enable OSPF:

    • In the FortiGate GUI:
      • Go to Network > OSPF.
      • Enable OSPF and set the Router ID (e.g., 192.168.100.2).
      • Configure an OSPF area (0.0.0.0).
      • Assign the LAG interface (agg1) to OSPF.
    • CLI equivalent:
      config router ospf
          set router-id 192.168.100.2
          config area
              edit 0.0.0.0
              next
          end
          config network
              edit 1
                  set prefix 192.168.100.0 255.255.255.0
              next
          end
      end
  2. Commit Changes: Save the configuration on the FortiGate.


Part 3: Verifications

  1. Verify LAG on Juniper:

    show interfaces ae0 extensive
  2. Verify LAG on FortiGate:

    diagnose netlink aggregate name agg1
  3. Verify OSPF on Juniper:

    show ospf neighbor
    show ospf interface
    show ospf database
  4. Verify OSPF on FortiGate:

    get router info ospf neighbor
    get router info ospf database
  5. Test Connectivity:

    • Ping the FortiGate from Juniper:
      ping 192.168.100.2
    • Ping the Juniper from FortiGate:
      execute ping 192.168.100.1

Part 4: Nuances of OSPF on Juniper

  1. Interface Types:

    • Juniper OSPF automatically detects point-to-point or broadcast networks. If needed, manually set the type:
      set protocols ospf area 0.0.0.0 interface vlan.100 interface-type point-to-point
  2. Priority and DR/BDR Elections: Adjust OSPF priority if the Juniper should or should not be the Designated Router (DR). Priority 0 means the switch is never elected DR or BDR, so the FortiGate must then carry a non-zero priority or no DR exists on the segment:

    set protocols ospf area 0.0.0.0 interface vlan.100 priority 0
  3. Timers: Set OSPF hello and dead timers explicitly so they match the FortiGate. The values below are the Junos defaults; lower both (keeping dead a multiple of hello) for faster convergence, and change them on both devices together or the adjacency drops:

    set protocols ospf area 0.0.0.0 interface vlan.100 hello-interval 10
    set protocols ospf area 0.0.0.0 interface vlan.100 dead-interval 40
  4. Authentication: For added security, configure OSPF authentication on the interface (current Junos syntax; the FortiGate must carry the same type and key on agg1). Simple-password authentication travels in cleartext, so prefer the md5 form where both sides support it:

    set protocols ospf area 0.0.0.0 interface vlan.100 authentication simple-password "your-key"
  5. Graceful Restart: Enable OSPF graceful restart for minimized downtime during reconvergence:

    set protocols ospf graceful-restart

Best Practices

  1. LAG Configuration:

    • Use LACP for dynamic failover and redundancy.
    • Test failover by disabling one link in the LAG.
  2. OSPF Design:

    • Ensure unique Router IDs.
    • Use proper area design (e.g., backbone 0.0.0.0).
    • Keep dead and hello timers consistent across devices.
  3. Documentation:

    • Document all IPs, VLANs, and Router IDs for troubleshooting.
  4. Security:

    • Use OSPF authentication.
    • Mark interfaces that have no OSPF neighbors as passive so their prefixes are advertised without sending hellos. Do not apply this to vlan.100: a passive peering interface sends no hellos and the FortiGate adjacency never forms.
      set protocols ospf area 0.0.0.0 interface <lan-interface> passive
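The nuances in Part 4 and the Best Practices above are all conditions that must agree on both ends of the vlan.100/agg1 link. The following pre-commit checker is an added example, not part of this manual or of either vendor's tooling: it takes the intended settings for each side (the dict keys and sample values are assumptions modelled on this lab) and reports anything that would block the adjacency or weaken it.

```python
# Pre-commit consistency check for the Juniper (vlan.100) / FortiGate (agg1)
# OSPF peering described in this manual. Added example; the dict layout and
# sample values below are assumptions, not vendor output.
import ipaddress


def ospf_precheck(juniper, fortigate):
    """Return a list of findings: "ERROR ..." would stop the adjacency,
    "WARN ..." is a hardening gap. An empty list means both sides agree."""
    findings = []
    j_addr = ipaddress.ip_interface(juniper["address"])
    f_addr = ipaddress.ip_interface(fortigate["address"])
    if j_addr.network != f_addr.network:
        findings.append(f"ERROR subnet mismatch: {j_addr.network} vs {f_addr.network}")
    elif j_addr.ip == f_addr.ip:
        findings.append(f"ERROR both peers use address {j_addr.ip}")
    if juniper["router_id"] == fortigate["router_id"]:
        findings.append(f"ERROR duplicate router-id {juniper['router_id']}")
    if juniper["area"] != fortigate["area"]:
        findings.append(f"ERROR area mismatch: {juniper['area']} vs {fortigate['area']}")
    for timer in ("hello", "dead"):  # hello/dead must match or hellos are ignored
        if juniper[timer] != fortigate[timer]:
            findings.append(f"ERROR {timer}-interval mismatch: "
                            f"{juniper[timer]} vs {fortigate[timer]}")
    for name, side in (("juniper", juniper), ("fortigate", fortigate)):
        if side["dead"] <= side["hello"]:
            findings.append(f"ERROR {name}: dead-interval must exceed hello-interval")
        if side.get("passive"):  # passive peering interface sends no hellos
            findings.append(f"ERROR {name}: peering interface is passive, no hellos will be sent")
    if juniper["network_type"] != fortigate["network_type"]:
        findings.append("ERROR interface-type mismatch (point-to-point vs broadcast)")
    elif (juniper["network_type"] == "broadcast"
          and juniper["priority"] == 0 and fortigate["priority"] == 0):
        findings.append("ERROR both priorities are 0 on a broadcast link: no DR, neighbors stay in 2-Way")
    if juniper["auth"] != fortigate["auth"]:
        findings.append(f"ERROR authentication mismatch: {juniper['auth']} vs {fortigate['auth']}")
    elif juniper["auth"] == "none":
        findings.append("WARN no OSPF authentication; use md5")
    elif juniper["auth"] == "simple":
        findings.append("WARN simple-password authentication is sent in cleartext; prefer md5")
    return findings


# Constructed sample: the addresses, router IDs, area and default timers used in this manual.
JUNIPER = {"address": "192.168.100.1/24", "router_id": "192.168.100.1", "area": "0.0.0.0",
           "hello": 10, "dead": 40, "network_type": "broadcast", "priority": 1,
           "auth": "md5", "passive": False}
FORTIGATE = dict(JUNIPER, address="192.168.100.2/24", router_id="192.168.100.2")

if __name__ == "__main__":
    for line in ospf_precheck(JUNIPER, FORTIGATE) or ["OK: no findings"]:
        print(line)
```

Run it with the values you intend to commit on both devices before touching either CLI; every ERROR line maps to one of the verification commands in Part 3 that would otherwise show a missing neighbor.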