Dual link with ADVPN and BGP - asymmetrical routing
Good morning everyone!
We have an interesting routing problem. The scenario is a single hub location and several branches. Each location has an MPLS link and an internet link. The MPLS link is preferred and is running BGP to get all the location addresses. The internet link is running ADVPN with BGP and is used for failover. We will be running SDWAN at the branch to direct some traffic to the ADVPN, but that is a topic for another discussion.
We are using the weight BGP attribute to prefer the MPLS link. What we would like to have happen is that if the MPLS link fails for a single location, that location will use ADVPN to connect directly to other locations for traffic.
What is actually happening: Let's say I have a ping running from site 1 to site 2 (MPLS). If the MPLS link goes down, the ping will go from site 1 to the HUB via VPN, and from the HUB to site 2 via MPLS. The return traffic will actually use ADVPN and go directly from site 2 to site 1 via VPN. So for this to work I need to enable asymmetric routing.
This is happening because the HUB has two BGP routes to site 2 - MPLS and VPN - but it prefers the MPLS and forwards that to site 1. Is there any way to get it to send both routes to site 2?
One strategy I am considering is using OSPF for ADVPN instead of BGP, but I've never tried ADVPN with OSPF.
It should not matter which routing protocol you use, but BGP would be less chatty. It would be much easier to do TE with BGP, FWIW.
So, back to your BGP: why are you using weight? I would send the route advertisements using metric and local_pref and prefer the path that you want.
So if you have path 1 & 2 and want path1 to be used for receiving traffic (inbound to you), you send a higher metric on path2. If you want to "preference" path1 for OUTGOING traffic, you set the preference on path1 to, let's say, 200 and path2 to 100. This will ensure traffic is sent and received over that link, and path2 would only come into play if path1 goes down.
If you want to get creative and have multiple networks, you can do some weird stuff like preferring path1 for prefixes 10.1.1.0/24; 10.1.2.0/24 and path2 for prefixes 10.1.3.0/24; 10.1.4.0/24, with the opposite path as back-up from a BGP route perspective (the best path would be preferred).
You probably need to rethink your BGP route-policy and TE and set metric and preferences to achieve the routing domain that you want, IMHO.
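The decision order this reply relies on, as a toy simulator added here for illustration (it is not code from any post in this thread and not FortiOS configuration). Prefixes, next hops and the hub/spoke roles are constructed; AS-path length and origin are assumed equal on both paths and left out, so only weight, local_pref and MED decide; MED is compared across both paths as if always-compare-med were on:

```python
"""Toy BGP decision process (added example, not from the thread or FortiOS).

Constructed scenario: the hub learns site 2's prefix 10.2.0.0/16 both over
MPLS (eBGP to the provider) and over ADVPN (iBGP to the spoke). AS-path
length and origin are assumed equal and omitted; MED is compared across
both paths (the equivalent of always-compare-med).
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Path:
    prefix: str
    via: str                # link the route was learned over: "mpls" or "advpn"
    next_hop: str
    weight: int = 0         # local to this router only; never carried in an UPDATE
    local_pref: int = 100   # carried to iBGP peers only; not sent over eBGP
    med: int = 0            # sent to the neighbour; the receiver prefers the lowest


def best_path(paths):
    """Highest weight, then highest local_pref, then lowest MED, then lowest next hop."""
    return min(paths, key=lambda p: (-p.weight, -p.local_pref, p.med, p.next_hop))


def readvertise(paths, to_ebgp):
    """A BGP speaker passes on only its best path. Weight is always dropped,
    local_pref survives only towards iBGP peers, and a MED learned from one
    eBGP neighbour is not forwarded to another eBGP neighbour."""
    best = best_path(paths)
    if to_ebgp:
        return replace(best, weight=0, local_pref=100, med=0)
    return replace(best, weight=0)


SITE2 = "10.2.0.0/16"   # constructed


def hub_paths(mpls_weight=0, mpls_local_pref=100, advpn_local_pref=100):
    """The hub's two candidate paths to site 2, with the knobs under test."""
    return [
        Path(SITE2, "mpls", "192.0.2.1", weight=mpls_weight, local_pref=mpls_local_pref),
        Path(SITE2, "advpn", "10.255.0.2", local_pref=advpn_local_pref),
    ]


def what_site1_learns(hub_rib):
    """Site 1 (an iBGP spoke behind the hub) receives exactly one path for
    site 2: whichever the hub selected. The alternate path is invisible to it,
    which is why a spoke cannot fail over to it on its own."""
    return readvertise(hub_rib, to_ebgp=False).via


def site2_return_choice(mpls_med, advpn_med):
    """Inbound steering as the reply describes: site 1 sends its prefix with a
    higher MED on the path it does not want return traffic on, and site 2
    picks the lower MED."""
    rib = [
        Path("10.1.0.0/16", "mpls", "192.0.2.9", med=mpls_med),
        Path("10.1.0.0/16", "advpn", "10.255.0.1", med=advpn_med),
    ]
    return best_path(rib).via


if __name__ == "__main__":
    print("hub prefers (weight):     ", best_path(hub_paths(mpls_weight=100)).via)
    print("hub prefers (local_pref): ", best_path(hub_paths(mpls_local_pref=200)).via)
    print("site 1 hears only:        ", what_site1_learns(hub_paths(mpls_weight=100)))
    print("local_pref over eBGP:     ", readvertise(hub_paths(mpls_local_pref=200), True).local_pref)
    print("site 2 returns via:       ", site2_return_choice(mpls_med=0, advpn_med=50))
```

The `what_site1_learns` call reproduces the asymmetry the original poster sees: the hub keeps both paths but re-advertises only the winner, so the spoke never sees the ADVPN alternative. `readvertise(..., to_ebgp=True)` shows why local_pref does not help across the provider's AS, and `site2_return_choice` shows MED doing the inbound half of the job on a link where the neighbour honours it.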
Ah, forgot to mention an important point. The MPLS link is a different AS, managed by the SP. So some attributes will get dropped in the MPLS link, which is why we are using local weights to set the main link as the MPLS one.
Then you are going to have issues. So, are you familiar with GRE? You could tunnel through the MPLS provider and then set your routing within the GRE tunnel. Here you can send any path attribute and do what you want; or, option 2, convince your MPLS provider to do what you need.
All can be accommodating to some degree, but YMMV. I would ask them for their BGP route-policy and supported communities to see what they can do, but if you're originating the paths at the CE you should be able to do most of what I mention.
Do you have a solution for this? I want to deploy ADVPN in an environment between sites with VPN and MPLS too.
I don't believe there's an easy way to get them to work together nicely - from what I've found you really need a dynamic routing protocol for both the MPLS & ADVPN.
I did some testing in our environment and found that MPLS with Link health monitor wouldn't work as it removes all static routes when one site is detected as down - not good.
We're now moving our MPLS off of our LAN and creating an interface on the firewall specifically for it. Fortunately, our vendor has approved the use of BGP between their router and our firewall allowing for dynamic route updates. If your vendor doesn't allow for BGP (or you don't have confidence in them) I've seen suggestions in my research to run ADVPN over the MPLS allowing BGP directly between the firewalls.
A pain to implement but this seems to be the only way we could get this to work in our environment.