ADVPN with SDWAN - BGP route filtering and manipulation
I have quite a complex issue with BGP and how to manipulate a specific path selection.
So I have an ADVPN topology with one hub and two spokes. The Hub and spokes have two WAN connections each. The primary WAN connection is using ADVPN so the two spokes can have a direct tunnel; the second WAN connection has ADVPN turned off but has an IBGP peer back to the Hub so the Hub can use IBGP multipath. It's there so the spokes have two equal cost paths to the Hub's DC networks. I then built an SDWAN over these two equal cost paths for the policy routes it uses.
The issue I have run into is that the spokes are advertising their LAN networks to the hub, and each spoke advertises it twice (once over WAN1 and WAN2).
Spoke A LAN is 192.168.2.0/24
Spoke B Lan is 192.168.3.0/24
Hub local network is 192.168.10.0/24
FYI: The Hub is configured as a route reflector for WAN1 and WAN2.
I need both routes to each LAN to be in the routing table at the same time (using IBGP multipath), which works, but my BGP table prefers 192.168.2.0 (Spoke A) over WAN1 and 192.168.3.0 (Spoke B) over WAN2. These networks get advertised to other spokes and the return path is asynchronous in this case. I need my BGP table to pick WAN1 routes for all spokes (10.10.10.0/30) as the best path, as this is the path it advertises to other ADVPN spokes; it must pick it with the > so the other multi-path routes stay in the routing table. This is important for return traffic for the SDWAN when the spokes access the Hub's local networks.
I have tried filtering with route maps with local pref, weight and metric, but these just pick the best path and the other multipath routes are no longer in the routing table; in this case the ADVPN works but the SDWAN does not.
How can I manipulate the hub's BGP table to pick the best path whilst leaving all the multi-path routes in the routing table? The best path route will be the one with the > and will be advertised to all the ADVPN spokes. Can anyone advise what path algorithm BGP is using in the case below to pick the best paths to 192.168.2.0 and 192.168.3.0?
HUB-B # get router info bgp network
BGP table version is 5, local router ID is 10.10.10.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network            Next Hop         Metric LocPrf Weight Path
*>i192.168.2.0        10.10.10.2       0      100    0      i
* i                   188.8.131.52     0      100    0      i
*>i192.168.3.0        184.108.40.206   0      100    0      i
* i                   10.10.10.3       0      100    0      i
*> 192.168.10.0       0.0.0.0                 100    32768  i
HUB-B # get router info routing-table bgp
B    192.168.2.0/24 [200/0] via 10.10.10.2, WAN1ADVPN_0, 00:16:15
                    [200/0] via 220.127.116.11, MPLSADVPN_1, 00:16:15
B    192.168.3.0/24 [200/0] via 18.104.22.168, MPLSADVPN_0, 00:21:49
Thanks for reporting! For BGP route selection, in your case, if you wanted to select one route over the other route, you could configure BGP like this: (ADVPN doesn't impact route selection so it could be treated as a normal link)
FGT_C (vdom1) # sh router bgp
config router bgp
    set as 65001
    set router-id 22.214.171.124
    set ibgp-multipath enable
    config neighbor
        edit "192.168.0.2"
            set next-hop-self enable
            set remote-as 65001
            set route-map-in "192.168.0.1-weight"   <<<<<<<<<<<< apply a route-map for one of your neighbors
            set route-map-out "192.168.0.1"
            set route-reflector-client enable
        next
        edit "192.168.1.2"
            set next-hop-self enable
            set remote-as 65001
            set route-reflector-client enable
        next
        edit "192.168.2.2"
            set next-hop-self enable
            set remote-as 65001
            set route-reflector-client enable
        next
        edit "192.168.3.2"
            set next-hop-self enable
            set remote-as 65001
            set route-reflector-client enable
        next

FGT_C (vdom1) # sh router route-map 192.168.0.1-weight   <<<<<<<<<<<< This is the route map.
config router route-map
    edit "192.168.0.1-weight"
        config rule
            edit 1
                set set-weight 10
            next
        end
    next
end
So in BGP table, you will see:
FGT_C (vdom1) # get router info bgp network
BGP table version is 3, local router ID is 126.96.36.199
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network            Next Hop         Metric LocPrf Weight Path
*>i188.8.131.52       192.168.0.2      0      100    10     i
* i                   192.168.1.2      0      100    0      i
*>i184.108.40.206     192.168.3.2      0      100    0      i
* i                   192.168.2.2      0      100    0      i
Total number of prefixes 2
For the prefix 220.127.116.11/24, the primary gateway is 192.168.0.2. See the weight is 10 here. So only this entry could get into the routing table.
Once this link failed, the traffic would fail over to the other link, which goes to 192.168.1.2 as next-hop.
I hope this answers your question. Please let me know if you have any other concerns about BGP route selection.
#Test topology and complete configuration sample is available upon request.
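The question asks which algorithm decides the > entries, and the answer shows a route-map setting weight. The model below is an added example, not code from either poster or from Fortinet: it implements the usual vendor best-path ordering (weight, local preference, AS-path length, origin, MED, eBGP over iBGP, IGP metric, then originator ID and neighbor address as tie-breakers) and the usual multipath rule (a second path is installed only if it ties on every step before the tie-breakers). The spoke router IDs and the WAN2 peer addresses (10.10.20.x) are constructed; the real thread's WAN2 addresses are not shown, and the exact final tie-breakers FortiOS applies should be checked against its documentation.

```python
"""Model of BGP best-path selection versus multipath eligibility.

Added example, not code from the original thread or from Fortinet.
Addresses, router IDs and the WAN2 peers are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Path:
    prefix: str
    next_hop: str          # BGP NEXT_HOP as seen on the hub
    neighbor: str          # peer address the path was learned from
    originator_id: str     # router ID of the originating spoke (route-reflector case)
    weight: int = 0        # vendor-local attribute, higher wins, never propagated
    local_pref: int = 100
    as_path: Tuple[int, ...] = ()
    origin: int = 0        # 0 = IGP, 1 = EGP, 2 = incomplete
    med: int = 0
    ebgp: bool = False
    igp_metric: int = 0


def _ip_key(ip: str) -> Tuple[int, ...]:
    return tuple(int(o) for o in ip.split("."))


def policy_key(p: Path) -> tuple:
    """Steps that pick the best path AND gate multipath eligibility.
    Lower tuple sorts first, so 'higher wins' attributes are negated."""
    return (-p.weight, -p.local_pref, len(p.as_path), p.origin, p.med,
            0 if p.ebgp else 1, p.igp_metric)


def tie_break_key(p: Path) -> tuple:
    """Steps that only pick the '>' entry; a path losing here still
    qualifies for multipath because it tied on every policy step."""
    return (_ip_key(p.originator_id), _ip_key(p.neighbor))


def select(paths: List[Path], multipath: bool = True) -> Tuple[Path, List[Path]]:
    """Return (best path, paths that land in the routing table)."""
    ranked = sorted(paths, key=lambda p: policy_key(p) + tie_break_key(p))
    best = ranked[0]
    installed = [best]
    if multipath:
        installed += [p for p in ranked[1:] if policy_key(p) == policy_key(best)]
    return best, installed


def hub_scenario(wan1_weight: int = 0) -> Dict[str, Tuple[str, List[str]]]:
    """Two spokes, each advertising its LAN over WAN1 (10.10.10.x peers, as in
    the thread) and WAN2 (constructed 10.10.20.x peers). wan1_weight models the
    answer's route-map-in 'set set-weight' applied to the WAN1 neighbors."""
    spokes = {  # prefix: (originator router ID, WAN1 peer, WAN2 peer), all constructed
        "192.168.2.0/24": ("10.0.0.2", "10.10.10.2", "10.10.20.2"),
        "192.168.3.0/24": ("10.0.0.3", "10.10.10.3", "10.10.20.3"),
    }
    result = {}
    for prefix, (rid, wan1, wan2) in spokes.items():
        paths = [
            Path(prefix, wan1, wan1, rid, weight=wan1_weight),
            Path(prefix, wan2, wan2, rid),
        ]
        best, installed = select(paths)
        result[prefix] = (best.next_hop, sorted(p.next_hop for p in installed))
    return result


if __name__ == "__main__":
    for label, table in (("no policy", hub_scenario()),
                         ("weight 10 on WAN1", hub_scenario(wan1_weight=10))):
        print(label)
        for prefix, (best, installed) in table.items():
            print(f"  {prefix}: best via {best}, installed via {installed}")
```

With no policy the two paths per prefix tie on every policy step, so the > entry is decided by an ID or address, which is why the page's table can end up preferring WAN1 for one spoke and WAN2 for the other; both paths are still installed. Setting weight (or local preference or MED) on the WAN1 neighbor makes WAN1 the > entry, but the WAN2 path no longer ties on the policy steps and drops out of multipath, which is exactly the behaviour the question reports and the answer describes ("only this entry could get into the routing table").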