Created on 11-13-2022 10:21 PM Edited on 11-14-2022 01:17 AM By Jean-Philippe_P
Description
This article describes scenarios (use cases) where a BGP 'route-tag' in the SD-WAN rule's destination is a better way to determine the link choice (the preferred link) than the traditional destination IP address(es).
Scope
FortiGate v6.4, v7.0 and v7.2.
Solution
In an environment with any of the following conditions, using 'route-tag' as the SD-WAN rule's destination is likely the best choice.
1) The destination IP address(es) the SD-WAN rule must control change dynamically. When a BGP neighbor has IPs behind it that must be reached over different links using the SD-WAN decision mechanism, and those IPs are not static but change from time to time, it is better to use 'route-tag': whatever the BGP peer advertises is tagged, and SD-WAN routes it using those tags alone.
2) In a hub-and-spoke topology where the hub should not run SD-WAN health checks towards the branches. Here each branch measures its own links' SLA and announces the result to the hub as a BGP community; the example uses two: 'MEET_SLA community' and 'NOT_MEET_SLA community'. Prefixes the branch announces over link(s) that meet SLA carry the 'MEET_SLA community', while those announced over link(s) that do not meet SLA, but are not completely down, carry the 'NOT_MEET_SLA community'. The hub uses these communities in its inbound 'route-map' to set route-tag(s) on those prefixes and references the tags in its SD-WAN rule(s).
3) In an ADVPN setup where a branch wants to tell other branch(es) which shortcut (overlay) it prefers for receiving traffic. Here the receiving branch attaches a BGP community to all of its BGP updates. The sending branch converts that BGP community to a 'route-tag' (with an inbound route-map, 'route-map-in'). This 'route-tag' is used in the SD-WAN rule to enforce the receiving branch's choice of preferred link.
Related article:
Copyright 2024 Fortinet, Inc. All Rights Reserved.