Mattmans1
New Contributor

ADVPN with SDWAN - BGP route filtering and manipulation

Hi all,

I have quite a complex issue with BGP and how to manipulate a specific path selection.

I have an ADVPN topology with one Hub and two spokes. The Hub and spokes have two WAN connections each. The primary WAN connection uses ADVPN so the two spokes can have a direct tunnel; the second WAN connection has ADVPN turned off but has an iBGP peer back to the Hub so the Hub can use iBGP multipath. It is there so the spokes have two equal-cost paths to the Hub's DC networks. I then built an SD-WAN over these two equal-cost paths for the policy routes it uses.

The issue I have run into is that the spokes advertise their LAN networks to the Hub, and each spoke advertises them twice (once over WAN1 and once over WAN2).

Spoke A LAN is 192.168.2.0/24

Spoke B LAN is 192.168.3.0/24

Hub local network is 192.168.10.0/24

FYI: The Hub is configured as a route reflector for WAN1 and WAN2.

I need both routes to each LAN to be in the routing table at the same time (using iBGP multipath), which works, but my BGP table prefers 192.168.2.0 (Spoke A) over WAN1 and 192.168.3.0 (Spoke B) over WAN2. These networks get advertised to other spokes and the return path is asynchronous in this case. I need my BGP table to pick the WAN1 routes (10.10.10.0/30) for all spokes as the best path, as this is the path it advertises to the other ADVPN spokes. It must pick it with the ">" so the other multipath routes stay in the routing table; this is important for return traffic for the SD-WAN when the spokes access the Hub's local networks.

I have tried filtering with route maps using local preference, weight and metric, but these just pick the best path and the other multipath routes are no longer in the routing table; in this case the ADVPN works but the SD-WAN does not.

How can I manipulate the Hub's BGP table to pick the best path whilst leaving all the multipath routes in the routing table? The best path route will be the one with the ">" and will be advertised to all the ADVPN spokes. Can anyone advise what path algorithm BGP is using in the case below to pick the best paths to 192.168.2.0 and 192.168.3.0?


HUB-B # get router info bgp network
BGP table version is 5, local router ID is 10.10.10.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*>i192.168.2.0      10.10.10.2               0    100      0 i
* i                 20.20.20.2               0    100      0 i
*>i192.168.3.0      20.20.20.3               0    100      0 i
* i                 10.10.10.3               0    100      0 i
*> 192.168.10.0     0.0.0.0                       100  32768 i

HUB-B # get router info routing-table bgp
B       192.168.2.0/24 [200/0] via 10.10.10.2, WAN1ADVPN_0, 00:16:15
                                [200/0] via 20.20.20.2, MPLSADVPN_1, 00:16:15
B       192.168.3.0/24 [200/0] via 20.20.20.3, MPLSADVPN_0, 00:21:49
                                [200/0] via 10.10.10.3, WAN1ADVPN_1, 00:21:49

Thanks.

Matt

ericli_FTNT
Staff

Hi Matt,

Thanks for reporting! For BGP route selection, in your case, if you want to select one route over the other, you could configure BGP like this (ADVPN doesn't impact route selection, so it can be treated as a normal link):

FGT_C (vdom1) # sh router bgp
config router bgp
    set as 65001
    set router-id 1.1.1.1
    set ibgp-multipath enable
    config neighbor
        edit "192.168.0.2"
            set next-hop-self enable
            set remote-as 65001
            set route-map-in "192.168.0.1-weight" <<<<<<<<<<<< apply a route-map for one of your neighbors
            set route-map-out "192.168.0.1"
            set route-reflector-client enable
        next
        edit "192.168.1.2"
            set next-hop-self enable
            set remote-as 65001
            set route-reflector-client enable
        next
        edit "192.168.2.2"
            set next-hop-self enable
            set remote-as 65001
            set route-reflector-client enable
        next
        edit "192.168.3.2"
            set next-hop-self enable
            set remote-as 65001
            set route-reflector-client enable
        next

...

FGT_C (vdom1) # sh router route-map 192.168.0.1-weight <<<<<<<<<<<<This is the route map.
config router route-map
    edit "192.168.0.1-weight"
        config rule
            edit 1
                set set-weight 10
            next
        end
    next
end

...

So in the BGP table, you will see:

FGT_C (vdom1) # get router info bgp network
BGP table version is 3, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*>i192.169.1.0      192.168.0.2              0    100     10 i
* i                 192.168.1.2              0    100      0 i
*>i192.169.2.0      192.168.3.2              0    100      0 i
* i                 192.168.2.2              0    100      0 i

Total number of prefixes 2

For the prefix 192.169.1.0/24, the primary gateway is 192.168.0.2; note that its weight is 10. So only this entry gets into the routing table.

Once this link fails, traffic fails over to the other link, which has 192.168.1.2 as its next hop.

I hope this answers your question. Please let me know if you have any other concerns about BGP route selection.

A test topology and complete configuration sample are available upon request.
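An added example, not from any poster in this thread and not FortiOS code, covering both the original question ("which step picked the > path?") and the weight-based answer above: a Python audit of `get router info bgp network` output that applies the attribute steps of the BGP decision process the table exposes, reports whether each best path sits on the overlay that gets advertised onward (10.10.10.0/30 from the question is assumed as the preferred overlay), and counts how many paths remain equal-cost and therefore multipath-eligible. The sample rows are constructed from the tables posted above.

```python
import ipaddress
import re
# Constructed input: the remote-prefix rows of the thread's "get router info bgp network" output.
HUB_TABLE = """\
*>i192.168.2.0      10.10.10.2               0    100      0 i
* i                 20.20.20.2               0    100      0 i
*>i192.168.3.0      20.20.20.3               0    100      0 i
* i                 10.10.10.3               0    100      0 i"""
# Constructed input mirroring the reply's table after "set set-weight 10" on one neighbor.
WEIGHTED_TABLE = """\
*>i192.169.1.0      192.168.0.2              0    100     10 i
* i                 192.168.1.2              0    100      0 i"""
ROW = re.compile(r"^(?P<status>.{3})(?P<net>\S+)?\s+(?P<nh>\d+(?:\.\d+){3})\s+"
                 r"(?P<metric>\d+)\s+(?P<locprf>\d+)\s+(?P<weight>\d+)\s+(?P<path>.+)$")
ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}  # lower is preferred
STEPS = [("weight", lambda p: -p["weight"]), ("local_pref", lambda p: -p["local_pref"]),
         ("as_path_len", lambda p: p["as_path_len"]), ("origin", lambda p: p["origin"]),
         ("med", lambda p: p["med"]), ("ebgp_over_ibgp", lambda p: p["internal"])]

def parse_table(text):
    """Group paths per prefix; a row without a network belongs to the previous prefix."""
    prefixes, net = {}, None
    for m in filter(None, map(ROW.match, text.splitlines())):
        net = m["net"] or net
        tokens = m["path"].split()  # AS numbers followed by the origin code
        prefixes.setdefault(net, []).append({
            "next_hop": m["nh"], "best_flag": ">" in m["status"], "internal": "i" in m["status"],
            "weight": int(m["weight"]), "local_pref": int(m["locprf"]), "med": int(m["metric"]),
            "as_path_len": len(tokens) - 1, "origin": ORIGIN_RANK[tokens[-1]]})
    return prefixes

def decide(paths):
    """Apply STEPS in order (min wins); several survivors are all multipath-eligible."""
    survivors = list(paths)
    for name, key in STEPS:
        best = min(key(p) for p in survivors)
        survivors = [p for p in survivors if key(p) == best]
        if len(survivors) == 1:
            return survivors, name
    return survivors, "tie-breakers not printed here (oldest path, lowest router ID, lowest neighbor)"

def audit(text, preferred_overlay="10.10.10.0/30"):
    """Per prefix: the '>' next hop, whether it is on the overlay to advertise onward, and why."""
    overlay, report = ipaddress.ip_network(preferred_overlay), {}
    for net, paths in parse_table(text).items():
        marked = next(p["next_hop"] for p in paths if p["best_flag"])
        survivors, step = decide(paths)
        report[net] = {"best": marked, "decided_by": step, "equal_cost_paths": len(survivors),
                       "on_preferred_overlay": ipaddress.ip_address(marked) in overlay}
    return report
```

For the question's table every attribute ties, so the ">" entry was chosen by tie-breakers the output does not print and both paths stay multipath-eligible; with the reply's weight 10 the choice is decided at the first step and only one path remains equal-cost, which is why the second route leaves the routing table.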

 

stanislav_timofeev

Hi. Could you please share the topology and configuration files?

For now I see one issue that is not resolved: asynchronous paths with iBGP. To fix it I've used a route-map on each spoke with "set set-ip-nexthop" for each peering IP address.

I am interested in how you implemented SD-WAN and ADVPN in your topology.

Thank you in advance.


NSE 8 #003249, FCT, CCSE, CompTIA CTT+

Frank1

The solution for asynchronous paths is:

- change "remote-ip" from a /24 to a /32 at the ADVPN interfaces
- make one ADVPN interface preferred for both/all overlay networks using static routes (I used the same distance, but different priority)
