FortiGate
Nivedha
Staff
Article Id 409326
Description: This article describes how to configure dynamic BGP peering between spokes for ADVPN 2.0.
Scope: FortiGate v7.4.2 and later.
Solution

ADVPN 2.0 is an enhancement of ADVPN 1.0. In ADVPN 1.0 the hub triggers a shortcut when it sees spoke-to-spoke traffic, and the two spokes bring up a single overlay between themselves and use it as the shortcut path. In ADVPN 2.0 the spokes select the shortcut path themselves: edge discovery lets a spoke learn on which overlays the peer spoke can be reached, and path management measures the candidate shortcut paths and picks the best one.

To implement dynamic BGP peering, make sure the following points are addressed:

  • Spoke LAN subnets should be allocated contiguously so that the hub can advertise a single summary route. If they are not, the hub has to advertise every spoke's LAN prefix individually over BGP.
  • Route reflection is not enabled on the hub, so spokes do not learn each other's specific prefixes from the hub.
  • BGP peering between spokes is on-demand: a session is opened only after an ADVPN shortcut between the two spokes has been established.
  • A spoke learns only the relevant (specific) routes from the spoke it peers with directly; everything else is reached through the hub's summary route.

Hub configuration:
Route reflection is not enabled on the Hub. Instead, the Hub advertises 192.168.0.0/16, the summary of all spoke LANs, so that spoke-to-spoke traffic is initially routed through the Hub (which is what triggers the shortcut). Because that summary does not exist in the Hub's routing table, the network entry needs 'set network-import-check disable'. Dynamic spoke peers are accepted through the neighbor-range entries that cover the overlay subnets (10.250.255.0/24 for the primary overlay and 10.254.255.0/24 for the secondary overlay).

BGP settings:

Hub1 # show router bgp
config router bgp
    set as 65400
    set ibgp-multipath enable
    set additional-path enable
    set additional-path-select 3
        config neighbor-group
            edit "PrimarySpoke"
                set soft-reconfiguration enable
                set remote-as 65400
                set route-map-in "test"
                set additional-path both
            next
            edit "SecondarySpoke"
                set soft-reconfiguration enable
                set remote-as 65400
                set additional-path both
            next
        end
        config neighbor-range
            edit 1
                set prefix 10.250.255.0 255.255.255.0
                set neighbor-group "PrimarySpoke"
            next
            edit 2
                set prefix 10.254.255.0 255.255.255.0
                set neighbor-group "SecondarySpoke"
            next
        end
        config network
            edit 1
                set prefix 192.168.1.0 255.255.255.0
            next
            edit 2
                set prefix 192.167.1.1 255.255.255.255
            next
            edit 3
                set prefix 192.168.0.0 255.255.0.0
                set network-import-check disable
            next
        end
end

Spoke configuration:
On the spokes, 'set passive disable' is added to the neighbor-group used for spoke-to-spoke peering. A neighbor-group matched through neighbor-range is passive by default (it only accepts incoming BGP OPEN messages, since the peer address is not known in advance), but after a shortcut is created a spoke must actively initiate the session with the other spoke, so the spokes are configured to send OPEN messages themselves.

BGP configuration:

[Image: Spoke.png - spoke BGP configuration]
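The spoke configuration on the page is only available as a screenshot. The block below is an added example of the spoke side that matches the Hub configuration above; it is not taken from the page. The Hub's overlay addresses (10.250.255.253 and 10.254.255.253), the neighbor-group name "ShortcutSpokes" and the spoke LAN 192.168.2.0/24 are assumptions; the AS number, the overlay subnets and the additional-path settings follow the Hub configuration.

```fortios
# Spoke1 BGP configuration (constructed example). Hub tunnel IPs, the
# neighbor-group name and the spoke LAN prefix are assumptions.
config router bgp
    set as 65400
    set ibgp-multipath enable
    set additional-path enable
    config neighbor
        # Static iBGP sessions to the Hub over both overlays. These explicit
        # entries take precedence over the neighbor-range below for the Hub IPs.
        edit "10.250.255.253"
            set soft-reconfiguration enable
            set remote-as 65400
            set additional-path receive
        next
        edit "10.254.255.253"
            set soft-reconfiguration enable
            set remote-as 65400
            set additional-path receive
        next
    end
    config neighbor-group
        # Dynamic peers: other spokes reached over an ADVPN shortcut.
        # 'passive disable' lets this spoke open the session once the
        # shortcut is up instead of only waiting for the other side.
        edit "ShortcutSpokes"
            set passive disable
            set soft-reconfiguration enable
            set remote-as 65400
        next
    end
    config neighbor-range
        # Any peer whose tunnel IP falls in the overlay subnets is accepted
        # as a member of ShortcutSpokes.
        edit 1
            set prefix 10.250.255.0 255.255.255.0
            set neighbor-group "ShortcutSpokes"
        next
        edit 2
            set prefix 10.254.255.0 255.255.255.0
            set neighbor-group "ShortcutSpokes"
        next
    end
    config network
        # Only the local LAN is advertised; the Hub originates the /16 summary.
        edit 1
            set prefix 192.168.2.0 255.255.255.0
        next
    end
end
```

Both spokes carry the same neighbor-group with 'passive disable', so whichever side brings up the shortcut first can open the BGP session; the IPsec and SD-WAN settings that create the ADVPN 2.0 shortcut itself are covered by the related documents at the end of this article.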

 

Routing tables:

Hub:

[Image: Hub routing.png - Hub routing table]

Spoke (before shortcuts):
Before any shortcut exists, the spoke's only route towards the other spokes' LANs is the 192.168.0.0/16 summary learned from the Hub.

[Image: Spoke routing.png - spoke routing table before shortcuts]

Spoke (after shortcuts):
Once a shortcut is up and the dynamic BGP session with the peer spoke is established, that spoke's specific LAN prefix is learned directly over the shortcut and, being a longer match than the Hub's summary, is used for traffic to that spoke.

[Image: Spoke routing after shortcuts.png - spoke routing table after shortcuts]
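The following commands, added here as an example and not taken from the page, show how to check on a spoke the state that the three screenshots illustrate: the shortcut tunnel, the dynamic BGP neighbor, and the specific prefix replacing the summary. No output is reproduced because it depends on the deployment.

```fortios
# Run on a spoke (added example; output is not reproduced here).

# 1. Confirm the ADVPN shortcut exists. Shortcuts are listed as child
#    tunnels of the spoke-to-Hub phase1 interface.
diagnose vpn tunnel list

# 2. Confirm the BGP sessions: the static Hub peer(s) should be established
#    and, after a shortcut, a dynamic peer from the neighbor-range appears.
get router info bgp summary

# 3. Check that the peer spoke's LAN is now a specific prefix learned from
#    the dynamic peer, alongside the 192.168.0.0/16 summary from the Hub.
get router info routing-table bgp

# 4. Per-neighbor detail. The Local host / Foreign host lines show which
#    side opened the TCP session: the initiator uses an ephemeral local port
#    and port 179 on the remote, which is only possible with 'passive disable'.
get router info bgp neighbors
```

If the dynamic peer never appears although the shortcut is up, check that the peer's tunnel IP falls inside one of the neighbor-range prefixes and that 'passive disable' is set on the neighbor-group on both spokes.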

 

Related documents:

Active dynamic BGP neighbor triggered by ADVPN shortcut 

Technical Tip: Configuring BGP overlay for ADVPN 2.0 

Technical Tip: How ADVPN 2.0 is different from ADVPN 1.0

SD-WAN with ADVPN 2.0 versus previous ADVPN

Technical Tip: How to configure ADVPN v2.0 on existing ADVPN v1.0 tunnels