Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Mattmans1
New Contributor

ADVPN with SDWAN - BGP route filtering and manipulation

Hi all,

 

I have quite a complex issue with BGP and how to manipulate a specific path selection.

 

So i have an ADVPN topology with one hub and  two spokes, the Hub and spokes have two WAN connections each, the primary WAN connection is using ADVPN so the two spokes can have a direct tunnel, the second WAN connection has ADVPN turned off but has an IBGP peer back to the Hub so the Hub can use IBGP multipath, its there so the spokes have two equal cost paths to the Hubs DC networks, i then built an SDWAN over these two equal cost paths for the policy routes it uses.

 

The issue i have run into is around the spokes are advertising their LAN networks to the hub, each spoke advertises it twice (once over wan1 and wan2). 

 

Spoke A LAN is 192.168.2.0/24

Spoke B Lan is 192.168.3.0/24

Hub local network is 192.168.10.0/24

 

FYI: The Hub is configured as a route reflector for WAN1 and WAN2.

 

I need both routes to each LAN to be in the routing table at the same time (using IBGP multipath) which works but my BGP table prefers 192.168.2.0 (SpokeA) over WAN1 and 192.168.3.0 (SpokeB) over WAN2 - These networks get advertised to other spokes and the return path is asynchronous in this case, i need my BGP table to pick WAN1 routes for all spokes (10.10.10.0/30) as the best path as this is the path it advertises to other ADVPN spokes, it must pick it with the > so the other multi-path routes stay in the routing table, this is important for return traffic for the SDWAN when the spokes access the Hubs local networks.

 

I have tried filtering with route maps with local pref, weight and metric but these just pick the best path and the other multipath routes are no longer in the routing table, in this case the ADVPN works but the SDWAN does not.

 

 

How can i manipulate the hubs BGP table to pick the best path whilst leaving all the multi-path routes in the routing table, the best path route will be the one with the > and will be advertised to all the ADVPN spokes.  Can anyone advise what path algorithm BGP is using in this case below to pick the best paths to 192.168.2.0 and 192.168.3.0?

 

 

HUB-B # get router info bgp network
BGP table version is 5, local router ID is 10.10.10.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
 
   Network          Next Hop            Metric LocPrf Weight Path
*>i192.168.2.0      10.10.10.2               0    100      0 i
* i                         20.20.20.2               0    100      0 i
*>i192.168.3.0      20.20.20.3               0    100      0 i
* i                         10.10.10.3               0    100      0 i
*> 192.168.10.0     0.0.0.0                       100  32768 i


 

 

HUB-B # get rouer infrouting-table bgp
B       192.168.2.0/24 [200/0] via 10.10.10.2, WAN1ADVPN_0, 00:16:15
                                [200/0] via 20.20.20.2, MPLSADVPN_1, 00:16:15
B       192.168.3.0/24 [200/0] via 20.20.20.3, MPLSADVPN_0, 00:21:49
                                [200/0] via 10.10.10.3, WAN1ADVPN_1, 00:21:49

 

thanks.

 

Matt

3 REPLIES 3
ericli_FTNT
Staff
Staff

Hi Matt,

 

Thanks for reporting! For BGP route selection, in your case, if you wanted to select one route over the other route, you could configure BGP like this: (ADVPN doesn't impact route selection so it could be treated as a normal link)

 

FGT_C (vdom1) # sh router bgp
config router bgp
    set as 65001
    set router-id 1.1.1.1
    set ibgp-multipath enable
    config neighbor
        edit "192.168.0.2"
            set next-hop-self enable
            set remote-as 65001
            set route-map-in "192.168.0.1-weight" <<<<<<<<<<<< apply a route-map for one of your neighbors
            set route-map-out "192.168.0.1"
            set route-reflector-client enable
        next
        edit "192.168.1.2"
            set next-hop-self enable
            set remote-as 65001
            set route-reflector-client enable
        next
        edit "192.168.2.2"
            set next-hop-self enable
            set remote-as 65001
            set route-reflector-client enable
        next
        edit "192.168.3.2"
            set next-hop-self enable
            set remote-as 65001
            set route-reflector-client enable
        next

.

.

.

.

.

.

FGT_C (vdom1) # sh router route-map 192.168.0.1-weight <<<<<<<<<<<<This is the route map.
config router route-map
    edit "192.168.0.1-weight"
        config rule
            edit 1
                set set-weight 10
            next
        end
    next
end

...

 

So in BGP table, you will see:

 

FGT_C (vdom1) # get router info bgp network
BGP table version is 3, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network Next Hop Metric LocPrf Weight Path
*>i192.169.1.0 192.168.0.2 0 100 10 i
* i 192.168.1.2 0 100 0 i
*>i192.169.2.0 192.168.3.2 0 100 0 i
* i 192.168.2.2 0 100 0 i

Total number of prefixes 2

 

For the prefix 192.169.1.0/24, the primary gateway is 192.168.0.2. See the weight is 10 here. So only this entry could get into the routing table.

Once this link failed, the traffic would fail over to the other link, which goes to 192.168.1.2 as next-hop.

 

I wish I answered your question. Please let me know if you have any other concern about the BGP route selection.

 

#Test topology and complete configuration sample is available upon request.

 

stanislav_timofeev

Hi. Could you please share topology and configuration files ?

For now I see one issue that is not resolved - asynchronous paths with iBGP. To fix it I've used route-map on each spoke with "set set-ip-nexthop" for each peering IP address.

Interested - how did you implement sd-wan and advpn in your topology.

 

Thank you in advance.

 

 

NSE 8 #003249, FCT, CCSE, CompTIA CTT+

NSE 8 #003249, FCT, CCSE, CompTIA CTT+
Frank1

The solution for asynchronous paths is:

-change "remote-ip" from a /24 to a /32 at the ADVPN interfaces

-make one ADVPN interface preferred for both/all overlay networks using static routes (I used the same distance, but different prio)

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors