fwilliams
Staff & Editor
November 14, 2022

Technical Tip: When to use BGP route-tag in SD-WAN rule’s destination

Description

This article describes scenarios (use cases) in which it is better to use a BGP 'route-tag' as the destination of an SD-WAN rule to determine the link choice (the preferred link), instead of the traditional destination IP address(es).

Scope

FortiGate v6.4, v7.0 and v7.2.
Solution

If an environment has any of the following conditions, using 'route-tag' as the SD-WAN rule's destination is probably the best choice.


  1. The destination IP address(es) that the SD-WAN rule must control change dynamically. If a BGP neighbor has IPs behind it that must be reached over different links, chosen by the SD-WAN decision mechanism, and these IPs are not static but change from time to time, it is better to use 'route-tag': whatever the BGP peer advertises is tagged on arrival, and SD-WAN routes it using those tags alone.

  2. In a hub-and-spoke topology, no SD-WAN health checks toward the branches are wanted on the HUB. Here, each branch measures the SLA of its own links and announces it to the HUB in a BGP community; in this example, two communities are used: 'MEET_SLA community' and 'NOT_MEET_SLA community'. Prefixes announced by branches over link(s) that meet the SLA are tagged with the 'MEET_SLA community', while those announced over link(s) that do not meet the SLA but are not completely down are tagged with the 'NOT_MEET_SLA community'. The HUB can match these communities in its inbound 'route-map' to set route-tag(s) on those prefixes and use them in its SD-WAN rule(s).

  3. In an ADVPN setup, a branch wants to inform other branch(es) which shortcut (overlay) it prefers for receiving traffic. Here, the receiving branch attaches a BGP community to all its BGP updates. The sending branch converts the BGP community to a 'route-tag' (with the help of 'route-map-in').


This 'route-tag' is then used in the SD-WAN rule to enforce the receiving branch's choice of preferred link.
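The following FortiOS CLI configuration is an added example written for this article to show the mechanism behind scenarios 2 and 3 end to end; it is not configuration taken from the article or from Fortinet. The branch side marks its prefixes with a community depending on whether the SD-WAN SLA toward the HUB is met, and the HUB side converts that community into a 'route-tag' with its inbound route-map and then references the tag as the destination of an SD-WAN rule (the same inbound conversion covers scenario 1, where every prefix from the neighbor simply receives a tag). All names and values are assumptions: AS 65000, the community values 65000:100 (MEET_SLA) and 65000:200 (NOT_MEET_SLA), the neighbor addresses, the route-map and health-check names, the SD-WAN member IDs and the tag values 10 and 20. Lines beginning with '#' are annotations.

```fortios
# ---------- BRANCH (spoke) ----------
# Constructed example: the branch decides which community to attach
# by whether the SD-WAN health check toward the HUB meets SLA id 1.
config router route-map
    edit "RM_OUT_MEET_SLA"
        config rule
            edit 1
                set set-community "65000:100"
            next
        end
    next
    edit "RM_OUT_NOT_MEET_SLA"
        config rule
            edit 1
                set set-community "65000:200"
            next
        end
    next
end
config router bgp
    config neighbor
        edit "10.255.1.1"
            # route-map-out-preferable is applied while the SLA is met,
            # route-map-out otherwise (assumed hub tunnel address)
            set route-map-out "RM_OUT_NOT_MEET_SLA"
            set route-map-out-preferable "RM_OUT_MEET_SLA"
        next
    end
end
config system sdwan
    config neighbor
        edit "10.255.1.1"
            set member 1
            set health-check "HC_HUB"
            set sla-id 1
        next
    end
end

# ---------- HUB ----------
# The HUB runs no health checks toward the branches; it only
# classifies the received prefixes by community and tags them.
config router community-list
    edit "MEET_SLA"
        config rule
            edit 1
                set action permit
                set match "65000:100"
            next
        end
    next
    edit "NOT_MEET_SLA"
        config rule
            edit 1
                set action permit
                set match "65000:200"
            next
        end
    next
end
config router route-map
    edit "RM_IN_SET_TAG"
        config rule
            edit 1
                set match-community "MEET_SLA"
                set set-route-tag 10
            next
            edit 2
                set match-community "NOT_MEET_SLA"
                set set-route-tag 20
            next
        end
    next
end
config router bgp
    config neighbor
        edit "10.255.1.2"
            set route-map-in "RM_IN_SET_TAG"
        next
    end
end
config system sdwan
    config service
        edit 1
            set name "to-branches-meet-sla"
            set mode manual
            # destination is the route-tag, not an address object
            set route-tag 10
            set priority-members 1 2
        next
        edit 2
            set name "to-branches-not-meet-sla"
            set mode manual
            set route-tag 20
            set priority-members 2 1
        next
    end
end
```

With this in place, the HUB's routing table carries the tag on each BGP prefix, and a change in the branch's SLA state is reflected on the HUB as soon as the branch re-advertises its prefixes with the other community, without the HUB probing anything itself. When verifying, check that the received prefixes show the expected tag in the BGP table and that the SD-WAN rule matches on it; the related article on listing route tag addresses covers the v7.4 address-object variant.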


Note: Starting in FortiOS v7.4.0, firewall address objects can be created using the route tag type and used in firewall policies and SD-WAN rules. For more information, refer to this document: Add route tag address objects.


Related articles:

Technical Tip: Fortinet Auto Discovery VPN (ADVPN)

Technical Tip: How to use BGP and SD-WAN for advertising routes and path selection in FortiGate

Technical Tip: To list route tag address

Technical Tip: Route Tag Option is not Available in GUI in v7.4.0 and Above