austinmas1987
New Contributor

Is it possible to load balance eBGP routes with iBGP?

 

.

gfleming
Staff

Does the IPVPN link terminate at every site on every FortiGate? What is on the other end of the IPVPN link? Is it a FortiGate or something else? Just trying to better understand your topology.

 

You should be able to get eBGP routes into iBGP. That's a fairly basic process of BGP. 

 

Can you post the relevant BGP configs you have today on your FortiGate and, if possible, the IPVPN remote device?

Cheers,
Graham
austinmas1987

.

gfleming

OK perhaps I am a bit confused on what's going on here. Is the IPVPN a secondary link you want to add to all sites to send VPN traffic over in addition to your existing WAN link?

 

If so, the routes you receive from the IPVPN link should get installed in the FGT routing table just the same as any other route, regardless of whether it is RIP, BGP, OSPF, etc. 

 

Your FGT should have routes from the iBGP process on the ADVPN and the eBGP process on the IPVPN. You should be able to ping all sites over either the ADVPN links or the IPVPN links.

 

You'll want to create another VPN overlay on the IPVPN links and join that to your ADVPN and then you'll have new routes in iBGP from the overlay.

 

If you want to use ADVPN over the link you will use the eBGP routes of the IPVPN to create the overlay and then you will have new routes from the overlay installed in iBGP. SD-WAN can take care of load balancing.

 

Does this make sense or am I lost still?

Cheers,
Graham
austinmas1987

,

gfleming

Hey yeah you got it. Even if you could get the IPVPN network to route properly you would want to put it into the ADVPN anyway. There are tons of benefits to doing this; the primary one being you can use the iBGP process of ADVPN to help with routing traffic based on link status.

 

This is where SD-WAN comes into play. Without all links in ADVPN, we cannot set the appropriate BGP community strings to manipulate traffic path selection.

 

So you are definitely on the right track. Get all the links into ADVPN with an overlay running and then configure SD-WAN and you are good to go.

 

This whole doc is a good read but this specific section explains in good detail the overall idea behind ADVPN + SD-WAN: https://docs.fortinet.com/document/fortigate/7.0.0/sd-wan-architecture-for-enterprise/531289/design-...

Cheers,
Graham