athirat
Staff
Description
This article describes how to make the hub in an ADVPN setup advertise multiple BGP paths.

Solution
Currently, when deploying Auto-Discovery VPN (ADVPN) for SD-WAN, a FortiGate deployed as the ADVPN hub acts as a route reflector.
By default, it advertises only one path, which is the best path.
As a result, the branches/spokes receive different routes in their routing tables that point to the same next hop.

In FortiOS 6.2, this is addressed by BGP additional-path support, which allows the ADVPN hub to advertise multiple paths.




Before the change.

On hub.
# get router info routing-table details 192.168.14.0
Routing table for VRF=0
Routing entry for 192.168.14.0/24
Known via "bgp", distance 200, metric 0, best
Last update 02:12:19 ago
* 10.216.10.34, via DC-VPN2
* 10.216.8.34, via DC-VPN1
But when advertising to the spoke.
# get router info bgp neighbor 10.216.8.60 advertised-routes | grep 14.0
*>i10.168.14.0/24 10.216.10.34 100 0 0 i <-/->
*>i192.168.14.0 10.216.10.34 100 0 0 i <-/->                                                                <----- Next hop is 8.34.

# get router info bgp neighbor 10.216.10.60 advertised-routes | grep 14.0
*>i10.168.14.0/24 10.216.10.34 100 0 0 i <-/->

On Spoke1.
(root) # get router  info routing-table  details 192.168.14.2
Routing table for VRF=0
Routing entry for 192.168.14.0/24
  Known via "bgp", distance 200, metric 0, best
  Last update 00:22:46 ago
  * 10.216.10.34, via vpn-dc2_1                                                                             <----- Duplicate entries.
  * 10.216.10.34, via vpn-dc2_1
The changes needed.

On hub.
# config router bgp
    set additional-path enable                                                                   <-----
    set additional-path-select                                                                   <-----
    # config neighbor-group
        edit "<>"
            set additional-path both                                                             <----- To be performed on every neighbor group.
            set adv-additional-path 2                                                            <-----
        next
    end
end
On Spoke1.
# config router bgp
    set additional-path enable                                                                   <-----
    set additional-path-select                                                                   <-----
    # config neighbor
        edit "<>"
            set additional-path both                                                             <----- To be performed on every neighbor.
            set adv-additional-path 2                                                            <-----
        next
    end
end
After the changes.

On spoke1.
(root) # get router  info routing-table  details 192.168.14.2
Routing table for VRF=0
Routing entry for 192.168.14.0/24
  Known via "bgp", distance 200, metric 0, best
  Last update 00:22:46 ago
  * 10.216.8.34, via vpn-dc1_1   
  * 10.216.10.34, via vpn-dc2_1
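
The before/after comparison above can be checked from saved CLI output. The Python below is an added example, not Fortinet code: it parses `get router info routing-table details` output and flags any prefix whose entries repeat the same next hop and tunnel, or that has fewer distinct paths than expected. The function names and the expected path count of 2 are assumptions, and the sample text is constructed from the outputs shown above.

```python
import re
from collections import Counter

# Constructed sample, shaped like the Spoke1 output shown before the change.
BEFORE = """\
Routing table for VRF=0
Routing entry for 192.168.14.0/24
  Known via "bgp", distance 200, metric 0, best
  * 10.216.10.34, via vpn-dc2_1
  * 10.216.10.34, via vpn-dc2_1
"""
# Constructed sample for after the change: first entry now points at the other hub tunnel.
AFTER = BEFORE.replace("* 10.216.10.34, via vpn-dc2_1", "* 10.216.8.34, via vpn-dc1_1", 1)

ENTRY_RE = re.compile(r"^Routing entry for (\S+)")
HOP_RE = re.compile(r"^\s*\*\s*(\d+\.\d+\.\d+\.\d+),\s*via\s+(\S+)")

def parse_routes(text):
    """Return {prefix: [(next_hop, interface), ...]} from routing-table details output."""
    routes, current = {}, None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = m.group(1)
            routes.setdefault(current, [])
            continue
        m = HOP_RE.match(line)
        if m and current is not None:
            routes[current].append((m.group(1), m.group(2)))
    return routes

def check_paths(text, expected_paths=2):
    """Report prefixes with duplicate entries or fewer distinct paths than expected."""
    findings = {}
    for prefix, hops in parse_routes(text).items():
        dupes = sorted(h for h, n in Counter(hops).items() if n > 1)
        distinct = len(set(hops))
        if dupes or distinct < expected_paths:
            findings[prefix] = {"distinct": distinct, "duplicates": dupes}
    return findings

if __name__ == "__main__":
    print("before:", check_paths(BEFORE))  # flags 192.168.14.0/24
    print("after: ", check_paths(AFTER))   # no findings
```
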
Related link.

https://docs.fortinet.com/document/fortigate/6.2.0/new-features/815658/bgp-additional-path-support

