lestopace (Staff)
Article Id 209010
Description: This article describes the behavior of BGP SD-WAN route-tagging for routes that are learned and tagged.
Scope: FortiGate.
Solution:

Unlike normal routing behavior, where the longest prefix match wins, BGP SD-WAN route-tagging prefers the least specific route, so more specific routes carrying the same route tag are less preferred and are not installed by the SD-WAN rule.


Below is an example in which the default route is installed by SD-WAN rule ID 9 because of this behavior. Notice that 10.56.56.0/24, 10.57.57.0/24, and 10.0.0.0/8 were not installed even though these routes carry the same route tag as the default route.

[Three screenshots from the original article (SD-WAN rule and routing output) are not reproduced in this text.]

 

Another example.


[Three screenshots from the original article are not reproduced in this text.]


Note that in this case the 10.0.0.0/8 route is installed by SD-WAN rule ID 9, and the routes to 10.56.56.0/24 and 10.57.57.0/24 were not installed.

In this example, I have enabled static route redistribution with a route-map and enabled capability-default-originate on the Hub. Removing these settings produces the following behavior.


[Three screenshots from the original article are not reproduced in this text.]



After the changes and BGP restart, the routes to 10.56.56.0/24 and 10.57.57.0/24 were installed properly.
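The three cases above (default route tagged, default route removed, /8 also removed) follow from one selection rule: among the routes carrying the tag that the SD-WAN rule matches, only the least specific one is installed. The model below is an added illustration written for this article, not FortiOS code or output; the route tag value 100, the untagged 192.168.1.0/24 route, and the function names are constructed for the example. It also includes a small check, shadowed_prefixes, that lists the tagged routes a less specific tagged route will keep out of the SD-WAN rule, which is the condition a practitioner would want to spot before redistributing a default or summary route with the same tag.

```python
"""Model of the BGP SD-WAN route-tagging selection behaviour described in the
article. This is an added illustration, not FortiOS code. Assumption: an SD-WAN
rule matches learned routes by route tag, and when several routes carry that
tag the least specific one (shortest prefix length) is installed while the more
specific tagged routes are not."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class TaggedRoute:
    prefix: str  # e.g. "10.56.56.0/24"
    tag: int     # route tag set by the route-map on the Hub


def prefix_length(route: TaggedRoute) -> int:
    return ipaddress.ip_network(route.prefix).prefixlen


def installed_by_sdwan_rule(routes, rule_tag):
    """Routes the SD-WAN rule installs under the route-tagging behaviour:
    only the least specific route(s) carrying rule_tag; other tags are ignored."""
    tagged = [r for r in routes if r.tag == rule_tag]
    if not tagged:
        return []
    shortest = min(prefix_length(r) for r in tagged)
    return sorted((r for r in tagged if prefix_length(r) == shortest),
                  key=lambda r: r.prefix)


def installed_prefixes(routes, rule_tag):
    return [r.prefix for r in installed_by_sdwan_rule(routes, rule_tag)]


def shadowed_prefixes(routes, rule_tag):
    """Check: tagged routes that will NOT be installed because a less specific
    route carries the same tag. Non-empty output means more specific prefixes
    silently lose to the summary or default route."""
    winners = set(installed_prefixes(routes, rule_tag))
    return sorted(r.prefix for r in routes
                  if r.tag == rule_tag and r.prefix not in winners)


def longest_prefix_match(routes, destination):
    """Ordinary forwarding lookup for contrast: the most specific route wins."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dst in ipaddress.ip_network(r.prefix)]
    return max(candidates, key=prefix_length, default=None)


# Constructed sample data mirroring the article's three cases.
RULE_TAG = 100  # constructed tag value matched by SD-WAN rule ID 9
ALL_TAGGED = [
    TaggedRoute("0.0.0.0/0", RULE_TAG),        # capability-default-originate
    TaggedRoute("10.0.0.0/8", RULE_TAG),       # redistributed static summary
    TaggedRoute("10.56.56.0/24", RULE_TAG),
    TaggedRoute("10.57.57.0/24", RULE_TAG),
    TaggedRoute("192.168.1.0/24", 200),        # different tag: never considered
]
WITHOUT_DEFAULT = [r for r in ALL_TAGGED if r.prefix != "0.0.0.0/0"]
ONLY_SPECIFICS = [r for r in WITHOUT_DEFAULT if r.prefix != "10.0.0.0/8"]

if __name__ == "__main__":
    for name, routes in [("default tagged", ALL_TAGGED),
                         ("default removed", WITHOUT_DEFAULT),
                         ("/8 also removed", ONLY_SPECIFICS)]:
        print(f"{name}: installed={installed_prefixes(routes, RULE_TAG)} "
              f"shadowed={shadowed_prefixes(routes, RULE_TAG)}")
    print("normal LPM for 10.56.56.10:",
          longest_prefix_match(ALL_TAGGED, "10.56.56.10").prefix)
```

Running the model reproduces the article: with the default route tagged only 0.0.0.0/0 is installed, with it removed 10.0.0.0/8 wins, and once the /8 is gone both /24 routes are installed. The longest_prefix_match function is there only to contrast the SD-WAN tag selection with the forwarding behaviour people usually expect.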


For more information regarding BGP and SD-WAN route-tagging, check the article below.

https://community.fortinet.com/t5/FortiGate/Technical-Note-How-to-use-BGP-and-SD-WAN-for-advertising...