Technical Tip: BGP on Loopback with SD-WAN Health-check configuration

How to configure BGP on Loopback is not part of this article. For configuration information, visit the below article:

Technical Tip: ADVPN with BGP on loopback

BGP on Loopack is commonly used in ADVPN topology together with SD-WAN on spokes. To have a correct failover of BGP over an available tunnel, an SD-WAN health-check is used.

From Spoke's perspective important parts of the configuration.

Loopback used for BGP:

Spoke1 # show system interface Loopback
config system interface
    edit "Loopback"
        set vdom "root"
        set ip 172.16.100.2 255.255.255.255
        set allowaccess ping
        set type loopback
        set role lan
        set snmp-index 16
    next
end

 Partial BGP configuration showing neighbor configuration:

Spoke1 # show router bgp
config router bgp
    set as 65500
    set router-id 10.255.255.2
    set ibgp-multipath enable
    set additional-path enable
    set recursive-next-hop enable
    set tag-resolve-mode merge
        config neighbor
            edit "172.16.100.1"
                set soft-reconfiguration enable
                set interface "Loopback"
                set remote-as 65500
                set route-map-in "set-tag"
                set update-source "Loopback"
                set additional-path both
            next
end

This device has 2 tunnels, both are members of SD-WAN. As this example used BGP on Loopback configuration, tunnels do not have their own IP address and because, here let's use SD-WAN health-checks to probe connection to HUB, it is necessary to specify source-ip address for health-check packets:

Spoke1 # show system sdwan
config system sdwan
    set status enable
        config zone
            edit "ADVPN_Z"
            next
end

config members
    edit 1
        set interface "advpn"
        set zone "ADVPN_Z"
        set source 172.16.100.2
    next
    edit 2
        set interface "advpn_b"
        set zone "ADVPN_Z"
        set source 172.16.100.2
    next
end

Health-check configuration is simple. One rule should be followed, the IP address that is used for health-check should be different from the Loopback IP address used by HUB for BGP. In this example, HUB's Loopback IP address used by BGP is 172.16.100.1. For the health-check purposes, it will be used different IP address:

Spoke1 #
config health-check
    edit "Hub_HC"
        set server "172.99.99.1"
        set members 1 2
    next
end

The reason for this is that the kernel route for the health-check IP will be created over members:

Spoke1 # get router info kernel | grep 172.99.99.1
tab=254 vf=0 scope=0 type=1 proto=18 prio=0 172.16.100.2/255.255.255.255/0->172.99.99.1/32 pref=0.0.0.0 gwy=20.0.0.1 dev=20(advpn)
tab=254 vf=0 scope=0 type=1 proto=18 prio=0 172.16.100.2/255.255.255.255/0->172.99.99.1/32 pref=0.0.0.0 gwy=30.0.0.1 dev=21(advpn_b)

If the health-check IP is the same as the Loopback IP address on HUB (in this case 172.16.100.1) it would interfere with failover in case the current select egress tunnel would go down. The result would be delayed or non-working failover over the secondary tunnel.