Controlling traffic with BGP route mapping and service rules
BGP can adapt to changes in SD-WAN link SLAs:
- BGP can send a different route map to its BGP neighbor when IP SLA is not met.
- Traffic can be selectively forwarded based on the status of the BGP neighbor. If the SD-WAN service rule matches the selected rule, the service is enabled. If the service rule does not match the selected rule, then the service is disabled.
Examples
Route mapping
Traffic is controlled when the SLA status changes by advertising a different community to the neighbor.
The customer uses two gateways, primary and secondary, located in different datacenters. The gateways have a full mesh network between them. Traffic flows to the primary SD-WAN gateway unless its link is outside the SLA or completely down; when that happens, traffic is routed to the secondary gateway. The SD-WAN neighbor is configured to let BGP advertise different communities when the SLA status changes. When the SLA goes out of compliance, the route map sends a different community number to the BGP neighbor so the neighbor can select the best path.
To configure route mapping to a BGP neighbor when SLA is not met:
- Configure BGP:
  config router bgp
      set as 65412
      set router-id 1.1.1.1
      set ibgp-multipath enable
      config neighbor
          edit "10.100.1.1"
              set soft-reconfiguration enable
              set remote-as 20
              set route-map-out "prim-fails"
              set route-map-out-preferable "comm1"
          next
          edit "10.100.1.5"
              set soft-reconfiguration enable
              set remote-as 20
              set route-map-out "sec-fails"
              set route-map-out-preferable "comm2"
          next
      end
  end
- Configure the virtual WAN link:
  config system virtual-wan-link
      set status enable
      config members
          edit 1
              set interface "port1"
          next
          edit 2
              set interface "port2"
          next
      end
      config health-check
          edit "ping"
              set server "10.100.2.22"
              set members 1
              config sla
                  edit 1
                  next
              end
          next
          edit "ping2"
              set server "10.100.2.23"
              set failtime 3000
              config sla
                  edit 2
                  next
              end
          next
      end
      config neighbor
          edit "10.100.1.1"
              set member 1
              set role primary
              set health-check "ping"
              set sla-id 1
          next
          edit "10.100.1.5"
              set member 2
              set role secondary
              set health-check "ping2"
              set sla-id 2
          next
      end
  end
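The BGP configuration above references four route maps (comm1, prim-fails, comm2, sec-fails) without defining them. The following is an added example of how they could be defined so that each neighbor receives a distinct community depending on SLA state; it is not part of the original page, and the community values 65412:10, 65412:110, 65412:20 and 65412:120 are assumptions chosen for illustration.

```text
config router route-map
    edit "comm1"
        config rule
            edit 1
                set set-community "65412:10"
            next
        end
    next
    edit "prim-fails"
        config rule
            edit 1
                set set-community "65412:110"
            next
        end
    next
    edit "comm2"
        config rule
            edit 1
                set set-community "65412:20"
            next
        end
    next
    edit "sec-fails"
        config rule
            edit 1
                set set-community "65412:120"
            next
        end
    next
end
```

The AS 20 neighbors must apply their own inbound policy to these communities (for example, lowering local preference for routes tagged 65412:110 or 65412:120) for the failover to take effect; that peer-side policy is outside the scope of this page.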
Service rules
Specific traffic is controlled using a service rule.
The customer wants only certain traffic to be forwarded to an SD-WAN member when both the primary BGP neighbor and SLA statuses are good. Otherwise, the traffic is forwarded to a different SD-WAN member. If the SLAs of both BGP neighbors are out of compliance, SD-WAN will disable the service rules.
To configure the virtual WAN link:
config system virtual-wan-link
    set status enable
    config members
        edit 1
            set interface "port1"
        next
        edit 2
            set interface "port2"
        next
    end
    config health-check
        edit "ping"
            set server "10.100.2.22"
            set members 1
            config sla
                edit 1
                next
            end
        next
        edit "ping2"
            set server "10.100.2.23"
            set failtime 3000
            config sla
                edit 2
                next
            end
        next
    end
    config neighbor
        edit "10.100.1.1"
            set member 1
            set role primary
            set health-check "ping"
            set sla-id 1
        next
        edit "10.100.1.5"
            set member 2
            set role secondary
            set health-check "ping2"
            set sla-id 2
        next
    end
    config service
        edit 1
            set role primary
            set member 1
            set dst "data-centerA"
        next
        edit 2
            set role secondary
            set member 2
            set dst "data-centerB"
        next
    end
end