Technical Tip: SD-WAN route selection for fib-best-match option
| Description | This article describes a change in the behavior of the 'set tie-break fib-best-match' option in SD-WAN service rules, which has been extended to consider only the best routes.
In an SD-WAN service rule, if the 'set default' and 'set gateway' options are disabled, a FIB lookup is performed on the destination IP address. If a FIB match exists and its egress interface is an SD-WAN member of the rule, that rule is selected and the next SD-WAN service rule is not checked, even if this FIB match is not the best (longest-prefix) route to the destination.
Since v7.0.1 the default behavior has changed: the 'set tie-break fib-best-match' option is extended to consider only the best routes, so a member holding a less specific route than another member of the same rule is no longer selected.
This applies to the Manual (manual), Best Quality (priority) and Lowest Cost (sla) SD-WAN service rule modes. |
| Scope | FortiGate v7.0.1 and above. |
| Solution | The SD-WAN members, the routing table and the FIB are the same in all three examples:
Members:
Route:
FIB:
One member is in the SD-WAN service rule: In this example two SD-WAN service rules are configured. Service rule ID 4 contains a single SD-WAN member (member 1) and uses the tie-break method 'fib-best-match'. Service rule ID 5 contains SD-WAN member 2 and uses that member's gateway, with the 'default' option enabled.
Member 1 (port1) has only the default route, while member 2 (port2) has a more specific route, 8.8.8.8/32, which would win a longest-prefix match in a plain FIB lookup.
When a user accesses 8.8.8.8, the firewall evaluates the SD-WAN rules top-down. Service rule ID 4 is evaluated first: it has only one member, and that member has a valid route to the destination (the default route, 0.0.0.0/0), so the rule matches and traffic egresses via member 1. With a single member there is nothing for 'fib-best-match' to compare, so the longest-prefix match held by member 2 does not come into play: member 2 is not part of rule 4. Only if no valid route existed via SD-WAN member 1 (port1) would rule 4 be skipped and the next SD-WAN rule evaluated.
Service:
Policy route match:
Packet capture:
Two members are in the SD-WAN service rule, without 'set tie-break fib-best-match' configured: SD-WAN member 1 has the default route, and SD-WAN member 2 has the most specific FIB match, 8.8.8.8/32. Packets egress SD-WAN member 1, because it has a valid route (the default route) and is the first priority member; without 'fib-best-match' the longer prefix available via member 2 is not taken into account.
Service:
Policy route match:
Packet capture:
Two members are in the SD-WAN service rule, with 'set tie-break fib-best-match' configured: SD-WAN member 1 is still the first priority member and has the default route, and SD-WAN member 2 has the most specific FIB match, 8.8.8.8/32. With 'set tie-break fib-best-match', only members holding the best route among the rule's members remain candidates, so packets egress SD-WAN member 2.
Service:
Policy route match:
Packet capture:
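To make the rule selection in the three scenarios above concrete, the following is an added Python model of the top-down rule walk as this article describes it. It is not FortiOS code and is not part of the original article. The FIB (port1 default route, port2 host route for 8.8.8.8), the two members and service rule IDs 4 and 5 mirror the article; rule ID 1 for the two-member rule, the treatment of 'set default'/'set gateway' as skipping the per-member FIB check, and the restriction of 'fib-best-match' to the rule's own members are assumptions of the model. The fourth function shows the case the article mentions only in passing: rule 4 being skipped when member 1 has no valid route.

```python
import ipaddress
from dataclasses import dataclass

# Constructed routing state shared by the three scenarios in the article:
# port1 carries the default route, port2 a host route for 8.8.8.8.
FIB = [("0.0.0.0/0", "port1"), ("8.8.8.8/32", "port2")]
MEMBERS = {1: "port1", 2: "port2"}   # SD-WAN member seq-num -> interface


@dataclass
class ServiceRule:
    """Subset of 'config system sdwan / config service / edit <id>' (model only)."""
    rule_id: int
    priority_members: list          # 'set priority-members 1 2' (manual-mode order)
    tie_break: str = "zone"         # 'set tie-break zone|cfg-order|fib-best-match'
    default: bool = False           # 'set default enable|disable'
    gateway: bool = False           # 'set gateway enable|disable'


def best_route_via(fib, interface, dst):
    """Longest-prefix route to dst whose egress interface is `interface`, or None."""
    addr = ipaddress.ip_address(dst)
    hits = [ipaddress.ip_network(p) for p, intf in fib
            if intf == interface and addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda n: n.prefixlen, default=None)


def select_member(rules, fib, members, dst):
    """Walk SD-WAN service rules top-down; return (rule_id, egress interface) or None."""
    for rule in rules:
        if rule.default or rule.gateway:
            # Assumption of the model: with 'default'/'gateway' enabled no FIB lookup
            # gates the rule, so its first priority member is used directly.
            return rule.rule_id, members[rule.priority_members[0]]
        # FIB lookup per member: a member is valid only if it has some route to dst.
        eligible = []
        for seq in rule.priority_members:
            route = best_route_via(fib, members[seq], dst)
            if route is not None:
                eligible.append((seq, route))
        if not eligible:
            continue    # no valid route via any member: evaluate the next rule
        if rule.tie_break == "fib-best-match":
            # v7.0.1 behavior: only members holding the best (longest-prefix) route
            # among this rule's own members stay in the candidate list.
            best = max(r.prefixlen for _, r in eligible)
            eligible = [(s, r) for s, r in eligible if r.prefixlen == best]
        # Manual mode: the first remaining member in configured order wins.
        return rule.rule_id, members[eligible[0][0]]
    return None


def scenario_one_member():
    """Rule 4 (member 1, fib-best-match) then rule 5 (member 2, default/gateway)."""
    rules = [ServiceRule(4, [1], tie_break="fib-best-match"),
             ServiceRule(5, [2], default=True, gateway=True)]
    return select_member(rules, FIB, MEMBERS, "8.8.8.8")


def scenario_one_member_no_default_route():
    """Same rules, but port1 has lost its default route: rule 4 has no valid member."""
    rules = [ServiceRule(4, [1], tie_break="fib-best-match"),
             ServiceRule(5, [2], default=True, gateway=True)]
    fib = [(p, i) for p, i in FIB if i != "port1"]   # constructed failure case
    return select_member(rules, fib, MEMBERS, "8.8.8.8")


def scenario_two_members(tie_break="zone"):
    """Both members in one rule; rule ID 1 is a constructed value."""
    rules = [ServiceRule(1, [1, 2], tie_break=tie_break)]
    return select_member(rules, FIB, MEMBERS, "8.8.8.8")


if __name__ == "__main__":
    print(scenario_one_member())                     # (4, 'port1')
    print(scenario_one_member_no_default_route())    # (5, 'port2')
    print(scenario_two_members())                    # (1, 'port1')
    print(scenario_two_members("fib-best-match"))    # (1, 'port2')
```

The model reproduces the three outcomes in the article: a single-member rule with a valid (even if less specific) route is selected before any later rule is looked at; with two members and the default tie-break the first priority member wins on having any route at all; with 'fib-best-match' the member holding the longest prefix wins regardless of priority order. When checking a real FortiGate, compare the model's result against the 'Service:' and 'Policy route match:' outputs for the rule in question rather than against the plain routing table.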
Related documents: Technical Tip: Multiple default routes where SD-WAN rules are not preferred |