Hi all,
I have quite a complex issue with BGP and how to manipulate a specific path selection.
So I have an ADVPN topology with one hub and two spokes. The Hub and spokes have two WAN connections each. The primary WAN connection uses ADVPN, so the two spokes can have a direct tunnel. The second WAN connection has ADVPN turned off but has an IBGP peer back to the Hub so the Hub can use IBGP multipath; it's there so the spokes have two equal-cost paths to the Hub's DC networks. I then built an SD-WAN over these two equal-cost paths for the policy routes it uses.
The issue I have run into is that the spokes advertise their LAN networks to the hub, and each spoke advertises them twice (once over WAN1 and once over WAN2).
Spoke A LAN is 192.168.2.0/24
Spoke B LAN is 192.168.3.0/24
Hub local network is 192.168.10.0/24
FYI: The Hub is configured as a route reflector for WAN1 and WAN2.
I need both routes to each LAN to be in the routing table at the same time (using IBGP multipath), which works, but my BGP table prefers 192.168.2.0 (Spoke A) over WAN1 and 192.168.3.0 (Spoke B) over WAN2. These networks get advertised to other spokes and the return path is asynchronous in this case. I need my BGP table to pick the WAN1 routes for all spokes (10.10.10.0/30) as the best path, as this is the path it advertises to other ADVPN spokes. It must pick it with the > so the other multipath routes stay in the routing table; this is important for return traffic for the SD-WAN when the spokes access the Hub's local networks.
I have tried filtering with route maps with local pref, weight and metric, but these just pick the best path and the other multipath routes are no longer in the routing table. In this case the ADVPN works but the SD-WAN does not.
How can I manipulate the hub's BGP table to pick the best path whilst leaving all the multipath routes in the routing table? The best path route will be the one with the > and will be advertised to all the ADVPN spokes. Can anyone advise what path algorithm BGP is using in the case below to pick the best paths to 192.168.2.0 and 192.168.3.0?
HUB-B # get router info bgp network
BGP table version is 5, local router ID is 10.10.10.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*>i192.168.2.0      10.10.10.2               0    100      0 i
* i                 20.20.20.2               0    100      0 i
*>i192.168.3.0      20.20.20.3               0    100      0 i
* i                 10.10.10.3               0    100      0 i
*> 192.168.10.0     0.0.0.0                      100  32768 i

HUB-B # get router info routing-table bgp
B       192.168.2.0/24 [200/0] via 10.10.10.2, WAN1ADVPN_0, 00:16:15
                       [200/0] via 20.20.20.2, MPLSADVPN_1, 00:16:15
B       192.168.3.0/24 [200/0] via 20.20.20.3, MPLSADVPN_0, 00:21:49
                       [200/0] via 10.10.10.3, WAN1ADVPN_1, 00:21:49
Thanks.
Matt
Hi Matt,
Thanks for reporting! For BGP route selection in your case, if you want to select one route over the other, you could configure BGP like this (ADVPN doesn't impact route selection, so it can be treated as a normal link):
FGT_C (vdom1) # sh router bgp
config router bgp
    set as 65001
    set router-id 1.1.1.1
    set ibgp-multipath enable
    config neighbor
        edit "192.168.0.2"
            set next-hop-self enable
            set remote-as 65001
            set route-map-in "192.168.0.1-weight"    <<<<<<<<<<<< apply a route-map for one of your neighbors
            set route-map-out "192.168.0.1"
            set route-reflector-client enable
        next
        edit "192.168.1.2"
            set next-hop-self enable
            set remote-as 65001
            set route-reflector-client enable
        next
        edit "192.168.2.2"
            set next-hop-self enable
            set remote-as 65001
            set route-reflector-client enable
        next
        edit "192.168.3.2"
            set next-hop-self enable
            set remote-as 65001
            set route-reflector-client enable
        next
.
.
.
.
.
.
FGT_C (vdom1) # sh router route-map 192.168.0.1-weight    <<<<<<<<<<<< This is the route map.
config router route-map
    edit "192.168.0.1-weight"
        config rule
            edit 1
                set set-weight 10
            next
        end
    next
end
...
So in the BGP table, you will see:
FGT_C (vdom1) # get router info bgp network
BGP table version is 3, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*>i192.169.1.0      192.168.0.2              0    100     10 i
* i                 192.168.1.2              0    100      0 i
*>i192.169.2.0      192.168.3.2              0    100      0 i
* i                 192.168.2.2              0    100      0 i

Total number of prefixes 2
For the prefix 192.169.1.0/24, the primary gateway is 192.168.0.2. See that the weight is 10 here, so only this entry gets into the routing table.
Once this link fails, the traffic fails over to the other link, which goes to 192.168.1.2 as next-hop.
I hope I answered your question. Please let me know if you have any other concerns about BGP route selection.
Test topology and a complete configuration sample are available upon request.
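As an added example that is not part of this thread, the following Python model walks through the generic BGP decision process (weight, local-pref, AS-path length, MED, router-id, neighbour address) and the iBGP multipath candidate rule over the two spoke prefixes Matt posted, with a parameter for the weight the reply above applies via route-map-in. The tie-break order and the rule that multipath candidates must tie with the best path on weight, local-pref, AS path and MED follow the common vendor-neutral algorithm, not a specific FortiOS implementation; the spoke router-ids are constructed.

```python
# Added example (not from the forum thread): a compact model of the generic BGP
# best-path decision and the iBGP multipath candidate set, run over the prefixes
# posted in the question. Tie-break order and the multipath rule follow the
# vendor-neutral algorithm, not a specific FortiOS implementation (assumption).
from dataclasses import dataclass


@dataclass(frozen=True)
class Path:
    prefix: str
    next_hop: str                 # iBGP neighbour the route was learned from
    weight: int = 0
    local_pref: int = 100
    as_path: tuple = ()
    med: int = 0
    router_id: str = "0.0.0.0"    # advertising router's router-id (constructed)


def _ip_key(ip):
    return tuple(int(o) for o in ip.split("."))


def best_path(paths):
    """Pick the '>' entry: higher weight, higher local-pref, shorter AS path,
    lower MED, lower router-id, then lower neighbour address as a final tie-break."""
    return min(paths, key=lambda p: (-p.weight, -p.local_pref, len(p.as_path), p.med,
                                     _ip_key(p.router_id), _ip_key(p.next_hop)))


def multipath_set(paths):
    """Paths installed with iBGP multipath on: the best path plus every path that
    ties with it on weight, local-pref, AS path and MED."""
    best = best_path(paths)
    key = lambda p: (p.weight, p.local_pref, p.as_path, p.med)
    return [p for p in paths if key(p) == key(best)]


def hub_table(wan1_weight=0):
    """The two spoke prefixes as constructed input; wan1_weight models the reply's
    route-map-in 'set set-weight' applied to the WAN1 (10.10.10.x) neighbours."""
    def w(nh):
        return wan1_weight if nh.startswith("10.10.10.") else 0
    table = {
        "192.168.2.0/24": [Path("192.168.2.0/24", nh, weight=w(nh), router_id="2.2.2.2")
                           for nh in ("10.10.10.2", "20.20.20.2")],
        "192.168.3.0/24": [Path("192.168.3.0/24", nh, weight=w(nh), router_id="3.3.3.3")
                           for nh in ("20.20.20.3", "10.10.10.3")],
    }
    return {pfx: (best_path(ps).next_hop, sorted(p.next_hop for p in multipath_set(ps)))
            for pfx, ps in table.items()}


if __name__ == "__main__":
    print(hub_table())                 # both next-hops installed; '>' is only a tie-break
    print(hub_table(wan1_weight=10))   # WAN1 wins, but the WAN2 path leaves the multipath set
```

With all attributes tied, the model falls through to the neighbour-address tie-break and picks 10.10.10.3 for 192.168.3.0, whereas the posted table shows 20.20.20.3, so the hub settled that tie on some earlier, implementation-specific criterion (route age is a common one); either way, it is the complete tie that makes the selection look asymmetric, and raising weight resolves it only by shrinking the multipath set to one path.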
Hi. Could you please share the topology and configuration files?
For now I see one issue that is not resolved: asynchronous paths with iBGP. To fix it I've used a route-map on each spoke with "set set-ip-nexthop" for each peering IP address.
Interested: how did you implement SD-WAN and ADVPN in your topology?
Thank you in advance.
NSE 8 #003249, FCT, CCSE, CompTIA CTT+
The solution for asynchronous paths is:
- change "remote-ip" from a /24 to a /32 on the ADVPN interfaces
- make one ADVPN interface preferred for both/all overlay networks using static routes (I used the same distance, but a different priority)
Copyright 2025 Fortinet, Inc. All Rights Reserved.