Description | This article describes ADVPN stickiness (keeping ADVPN shortcuts within a single overlay) and offers solutions for common problems. The use of ADVPN has increased drastically over the past few years, especially in deployments with multiple overlay tunnels, and with it several issues have arisen. |
Scope |
FortiGate. |
Solution |
When multiple overlays are used between spokes and a hub, shortcuts are commonly created across different overlays (for example, from one spoke's MPLS tunnel to another spoke's internet tunnel). This has advantages and disadvantages. This article uses a single hub with three ADVPN overlays and two spokes to discuss it.
As shown above, each spoke has three overlay links: one is an MPLS link with private addressing, and the other two are internet links over LTE and fibre connections. Once ADVPN is set up, the tunnels show as up, as in the following example output from the hub FortiGate:
get ipsec tunnel list
NAME=HUB-INET_0 REMOTE-GW=110.110.110.6:0
NAME=HUB-INET_1 REMOTE-GW=110.110.110.3:0
NAME=HUB-INET REMOTE-GW=0.0.0.0:0
NAME=HUB-LTE_0 REMOTE-GW=120.120.120.6:0
NAME=HUB-MPLS_0 REMOTE-GW=100.100.100.6:0
NAME=HUB-LTE_1 REMOTE-GW=120.120.120.3:0
NAME=HUB-MPLS_1 REMOTE-GW=100.100.100.3:0
NAME=HUB-LTE REMOTE-GW=0.0.0.0:0
When a device behind spoke 1 tries to reach a device behind spoke 2, the first packets pass through the hub, which offers a shortcut to the spokes; once the shortcut is negotiated, the two spokes communicate directly, as shown below.
The outputs from spoke 1 and spoke 2 below show that cross shortcuts have been created between the MPLS and INET overlays. Refer to the following outputs from the Sp1 and Sp2 FortiGates:
In a real network, a shortcut between an MPLS overlay and an internet overlay cannot come up: the MPLS transport uses private addressing that is not reachable from the internet, and the internet-facing addresses are not reachable from inside the MPLS domain. The shortcut attempt fails, and the traffic steered onto it breaks in a live network.
Note: These examples were created in a Fortinet lab where the internet and MPLS links are not separated and therefore have connectivity to each other. This is why shortcuts between MPLS and INET came up here.
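As an added example (not part of the original article), the following Python script audits 'get ipsec tunnel list' output for cross-overlay shortcuts. It assumes the dynamic-tunnel naming seen above (parent name plus _n) and assigns each overlay a transport range taken from the hub output (100.100.100.0/24 for MPLS, 110.110.110.0/24 for INET, 120.120.120.0/24 for LTE); the spoke 1 output it checks is constructed for the example, since the article shows the spoke outputs only as screenshots. A dynamic tunnel whose remote gateway lies outside its parent overlay's range is reported as a cross-overlay shortcut, which is what to look for on a spoke before concluding that a failing flow is caused by an MPLS-to-internet shortcut.

```python
import ipaddress
import re

# Transport ranges per overlay, taken from the hub output above (lab addressing).
# Assumption: each overlay's peers live in one /24; replace these with the real
# MPLS and ISP ranges of the deployment.
OVERLAY_NETS = {
    "MPLS": ipaddress.ip_network("100.100.100.0/24"),
    "INET": ipaddress.ip_network("110.110.110.0/24"),
    "LTE": ipaddress.ip_network("120.120.120.0/24"),
}

# Matches the NAME= / REMOTE-GW= pair of one tunnel entry; other columns are ignored.
ENTRY_RE = re.compile(r"NAME=(?P<name>\S+)\s+REMOTE-GW=(?P<gw>\d+(?:\.\d+){3}):\d+")


def parent_overlay(name):
    """Dynamic tunnels (dialup children on the hub, shortcuts on a spoke) are
    named <parent>_<n>. Return the overlay token of the parent, or None for a
    static parent tunnel or a name that maps to no known overlay."""
    m = re.fullmatch(r"(?P<parent>.+)_\d+", name)
    if m is None:
        return None
    parent = m.group("parent").upper()
    for overlay in OVERLAY_NETS:
        if parent.endswith(overlay):
            return overlay
    return None


def overlay_of_address(gw):
    """Return the overlay whose transport range contains the remote gateway."""
    addr = ipaddress.ip_address(gw)
    for overlay, net in OVERLAY_NETS.items():
        if addr in net:
            return overlay
    return "UNKNOWN"


def audit_shortcuts(tunnel_list):
    """Scan 'get ipsec tunnel list' text and return one tuple
    (name, remote_gw, parent_overlay, remote_overlay) per dynamic tunnel whose
    remote gateway is outside its parent overlay's range, i.e. a cross-overlay
    shortcut. Static parent tunnels (REMOTE-GW=0.0.0.0 on a dialup hub, or the
    spoke's own hub tunnels) are skipped."""
    findings = []
    for m in ENTRY_RE.finditer(tunnel_list):
        name, gw = m.group("name"), m.group("gw")
        parent = parent_overlay(name)
        if parent is None:
            continue
        remote = overlay_of_address(gw)
        if remote != parent:
            findings.append((name, gw, parent, remote))
    return findings


# Hub output from the article: every dynamic tunnel stays within its own overlay.
HUB_OUTPUT = (
    "NAME=HUB-INET_0 REMOTE-GW=110.110.110.6:0 NAME=HUB-INET_1 REMOTE-GW=110.110.110.3:0 "
    "NAME=HUB-INET REMOTE-GW=0.0.0.0:0 NAME=HUB-LTE_0 REMOTE-GW=120.120.120.6:0 "
    "NAME=HUB-MPLS_0 REMOTE-GW=100.100.100.6:0 NAME=HUB-LTE_1 REMOTE-GW=120.120.120.3:0 "
    "NAME=HUB-MPLS_1 REMOTE-GW=100.100.100.3:0 NAME=HUB-LTE REMOTE-GW=0.0.0.0:0"
)

# Constructed spoke 1 output (the article shows it only as a screenshot):
# the shortcut under the MPLS overlay, SP1-MPLS_0, points at spoke 2's internet address.
SPOKE1_OUTPUT = """\
NAME=SP1-MPLS REMOTE-GW=100.100.100.1:0
NAME=SP1-MPLS_0 REMOTE-GW=110.110.110.3:0
NAME=SP1-INET REMOTE-GW=110.110.110.1:0
NAME=SP1-INET_0 REMOTE-GW=110.110.110.3:0
NAME=SP1-LTE REMOTE-GW=120.120.120.1:0
"""

if __name__ == "__main__":
    for label, output in (("hub", HUB_OUTPUT), ("spoke1", SPOKE1_OUTPUT)):
        for name, gw, parent, remote in audit_shortcuts(output):
            print(f"{label}: {name} -> {gw} is a {parent}-to-{remote} cross-overlay shortcut")
```

Run it against output copied from each spoke; an empty result on the hub is expected, since on the hub every dynamic tunnel is a dialup child of one overlay, while a spoke with a reported MPLS-to-INET shortcut is exactly the situation the policy routes below are meant to prevent.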
To avoid the issues above and ensure that shortcuts are only created between tunnels of the same overlay, apply policy routes on the hub, one per overlay, that match traffic arriving on an overlay tunnel interface and force it back out the same interface. Because the hub offers a shortcut between the tunnel the traffic came in on and the tunnel it is forwarded out of, keeping incoming and outgoing traffic on the same overlay keeps the shortcuts within that overlay.
As a result, on the hub's end:
Relevant configuration on the hub:
config router policy
    edit 1
        set input-device "HUB-MPLS"
        set output-device "HUB-MPLS"
    next
    edit 2
        set input-device "HUB-INET"
        set output-device "HUB-INET"
    next
    edit 3
        set input-device "HUB-LTE"
        set output-device "HUB-LTE"
    next
end
The expected behaviour can then be observed on spoke 1 and spoke 2, as below.
Issue: This works when every spoke has the same set of overlay links. When spokes have different numbers of overlays, the pinning breaks reachability: traffic that enters the hub on INET (in this example) can only leave on INET, so it never reaches a spoke that has no INET link. Apply this solution with caution.
As an alternative, apply the policy route only to the MPLS overlay and continue to allow cross-link traffic and shortcuts between the internet overlays (INET and LTE), since those have mutual connectivity over the public internet. |
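As an added example (not the article's own configuration), the Python script below renders the hub's 'config router policy' block from the list of hub overlay interfaces and the set of overlays each spoke carries, and refuses to pin an overlay that any spoke lacks, which is the failure mode described above. The optional pin_only parameter implements the alternative of pinning MPLS only. The third spoke Sp3 without an INET link, and the function and parameter names, are assumptions made for this example.

```python
def overlays_on_all_spokes(spokes):
    """Overlays present on every spoke. spokes maps spoke name -> set of overlay tokens."""
    if not spokes:
        return set()
    return set.intersection(*(set(o) for o in spokes.values()))


def stickiness_policy(hub_overlays, spokes, pin_only=None):
    """Render the hub's 'config router policy' block that keeps traffic on the
    overlay it arrived on.

    hub_overlays: overlay token -> hub tunnel interface, e.g. {"MPLS": "HUB-MPLS"}
    spokes:       spoke name -> set of overlay tokens that spoke has
    pin_only:     optional subset of overlays to pin (e.g. {"MPLS"}); overlays
                  not in it are left unpinned so cross-overlay shortcuts between
                  them remain allowed.

    An overlay is pinned only if every spoke carries it; otherwise a spoke
    without that overlay could never be reached by traffic that entered the hub
    on it. Returns (config_text, warnings).
    """
    common = overlays_on_all_spokes(spokes)
    warnings = []
    lines = ["config router policy"]
    seq = 1
    for overlay, iface in hub_overlays.items():
        if pin_only is not None and overlay not in pin_only:
            continue
        if overlay not in common:
            missing = sorted(s for s, ovl in spokes.items() if overlay not in ovl)
            warnings.append(f"{overlay} not pinned: missing on {', '.join(missing)}")
            continue
        lines += [
            f"    edit {seq}",
            f'        set input-device "{iface}"',
            f'        set output-device "{iface}"',
            "    next",
        ]
        seq += 1
    lines.append("end")
    return "\n".join(lines), warnings


def pinned_interfaces(config_text):
    """Interfaces that received a policy entry, in order (used to check the result)."""
    return [line.split('"')[1] for line in config_text.splitlines() if "input-device" in line]


HUB_OVERLAYS = {"MPLS": "HUB-MPLS", "INET": "HUB-INET", "LTE": "HUB-LTE"}

# The article's topology: both spokes carry all three overlays.
SPOKES_EQUAL = {"Sp1": {"MPLS", "INET", "LTE"}, "Sp2": {"MPLS", "INET", "LTE"}}

# Constructed variant: a third spoke with no INET link (the failure mode above).
SPOKES_UNEQUAL = dict(SPOKES_EQUAL, Sp3={"MPLS", "LTE"})

if __name__ == "__main__":
    for label, spokes, pin_only in (
        ("all spokes equal", SPOKES_EQUAL, None),
        ("Sp3 lacks INET", SPOKES_UNEQUAL, None),
        ("MPLS only", SPOKES_UNEQUAL, {"MPLS"}),
    ):
        config, warnings = stickiness_policy(HUB_OVERLAYS, spokes, pin_only)
        print(f"# {label}")
        print(config)
        for w in warnings:
            print(f"# WARNING: {w}")
```

With the article's two spokes all three overlays are pinned; once Sp3 is added the INET entry is dropped with a warning rather than silently cutting Sp3 off, and with pin_only={"MPLS"} only the MPLS entry is emitted, matching the alternative described above.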
Copyright 2025 Fortinet, Inc. All Rights Reserved.