BGP route-map and selective rules 6.2.1
BGP can adapt to changes in SD-WAN link SLAs:
- BGP can send a different route-map to its BGP neighbor when the IP SLA is not met: the route-map named in route-map-out-preferable is applied while the neighbor's SLA is met, and the neighbor's regular route-map-out is applied otherwise.
- Traffic can be selectively forwarded based on the status of the BGP neighbor. An SD-WAN service rule is enabled when its role matches the selected neighbor role, and disabled when it does not.
The following CLI commands are added:
    config router bgp
        config neighbor
            edit <ip_address>
                set route-map-out-preferable <route_map>
            next
        end
    end
    config system virtual-wan-link
        config neighbor
            edit <ip_address>
                set member <integer>
                set role {standalone | primary | secondary}
                set health-check <string>
                set sla-id <integer>
            next
        end
        config service
            edit <rule_id>
                set role {standalone | primary | secondary}
                set standalone-action {enable | disable}
            next
        end
    end
| Command | Description |
|---|---|
| edit <ip_address> | IP address of the BGP neighbor. |
| route-map-out-preferable <route_map> | Outbound route map filter applied while the peer is preferred, that is, while the SD-WAN SLA bound to this neighbor is met. When the SLA is not met, the neighbor's route-map-out is applied instead. |
| member <integer> | Sequence number of the SD-WAN member through which this neighbor is reached. |
| role {standalone \| primary \| secondary} (config neighbor) | Role of the SD-WAN neighbor. |
| health-check <string> | SD-WAN health-check name. |
| sla-id <integer> | SLA ID number; must be an SLA entry defined under the named health-check. |
| role {standalone \| primary \| secondary} (config service) | Neighbor role this service rule works with; the rule is enabled while the selected neighbor has this role. |
| standalone-action {enable \| disable} | Enable or disable the service when the selected neighbor role is standalone and the service role is not standalone. |
Examples
Example 1
Traffic is controlled when the SLA status changes by advertising a different community to the neighbor.
The customer is using two gateways, primary and secondary, located in different datacenters, with a full mesh network between them. Traffic flows to the primary SD-WAN gateway unless its link is outside of the SLA or completely down; when that happens, traffic routes to the secondary gateway. The SD-WAN neighbor entries let BGP advertise different communities as the SLA status changes: while a neighbor's SLA is met, the route-map named in route-map-out-preferable (comm1 or comm2) is applied to the advertisements sent to it; when the SLA goes out of compliance, the regular route-map-out (prim-fails or sec-fails) is applied instead, so the neighbor receives a different community number and can select the best path. The four route-maps themselves are defined separately under config router route-map and are not shown here.
To configure the FortiGate device:
- Configure BGP:
    config router bgp
        set as 65412
        set router-id 1.1.1.1
        set ibgp-multipath enable
        config neighbor
            edit "10.100.1.1"
                set soft-reconfiguration enable
                set remote-as 20
                set route-map-out "prim-fails"
                set route-map-out-preferable "comm1"
            next
            edit "10.100.1.5"
                set soft-reconfiguration enable
                set remote-as 20
                set route-map-out "sec-fails"
                set route-map-out-preferable "comm2"
            next
        end
    end
- Configure the virtual WAN link:
    config system virtual-wan-link
        set status enable
        config members
            edit 1
                set interface "port1"
            next
            edit 2
                set interface "port2"
            next
        end
        config health-check
            edit "ping"
                set server "10.100.2.22"
                set members 1
                config sla
                    edit 1
                    next
                end
            next
            edit "ping2"
                set server "10.100.2.23"
                set failtime 3000
                config sla
                    edit 2
                    next
                end
            next
        end
        config neighbor
            edit "10.100.1.1"
                set member 1
                set role primary
                set health-check "ping"
                set sla-id 1
            next
            edit "10.100.1.5"
                set member 2
                set role secondary
                set health-check "ping2"
                set sla-id 2
            next
        end
    end
Example 2
Specific traffic is controlled using a service rule.
The customer wants certain traffic to be forwarded to an SD-WAN member only while the primary BGP neighbor is up and its SLA is met. Otherwise, that traffic is forwarded to a different SD-WAN member. If both BGP neighbors' SLAs are out of compliance, SD-WAN disables the service rules.
To configure the virtual WAN link:
    config system virtual-wan-link
        set status enable
        config members
            edit 1
                set interface "port1"
            next
            edit 2
                set interface "port2"
            next
        end
        config health-check
            edit "ping"
                set server "10.100.2.22"
                set members 1
                config sla
                    edit 1
                    next
                end
            next
            edit "ping2"
                set server "10.100.2.23"
                set failtime 3000
                config sla
                    edit 2
                    next
                end
            next
        end
        config neighbor
            edit "10.100.1.1"
                set member 1
                set role primary
                set health-check "ping"
                set sla-id 1
            next
            edit "10.100.1.5"
                set member 2
                set role secondary
                set health-check "ping2"
                set sla-id 2
            next
        end
        config service
            edit 1
                set role primary
                set member 1
                set dst "data-centerA"
            next
            edit 2
                set role secondary
                set member 2
                set dst "data-centerB"
            next
        end
    end
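The following is an added example, not FortiGate code or part of this page, that ties the command table and both examples together. It parses the FortiOS CLI (the config/edit/set/next/end syntax, including the flattened one-line form this page renders), checks that every SD-WAN neighbor points at an existing member, health-check, SLA ID and BGP peer, and models the behaviour described above for a given SLA status: which of route-map-out-preferable or route-map-out each BGP neighbor receives, which neighbor role is selected, and which primary/secondary service rules are enabled. The function names and the SLA-status input are the author's own; the sample configuration is a trimmed copy of Examples 1 and 2. The standalone role and standalone-action are not modelled.

```python
"""Added example (not FortiGate code): parse the FortiOS CLI shown on this page, check the
SD-WAN neighbor wiring, and model which route-map and service rules apply per SLA state."""
import shlex

KEYWORDS = {"config", "edit", "set", "next", "end"}


def parse_fortios(text):
    """Parse config/edit/set/next/end text (indented or flattened) into nested dicts."""
    tokens = shlex.split(text)          # honours quoted names such as "10.100.1.1"
    root = {}
    stack = [("config", root)]          # (block kind, dict being filled)
    i = 0
    while i < len(tokens):
        kw, i = tokens[i], i + 1
        j = i
        while j < len(tokens) and tokens[j] not in KEYWORDS:
            j += 1                      # a statement's arguments run to the next keyword
        args, i = tokens[i:j], j
        if kw == "config":              # 'config system virtual-wan-link' becomes one key
            stack.append(("config", stack[-1][1].setdefault(" ".join(args), {})))
        elif kw == "edit":
            stack.append(("edit", stack[-1][1].setdefault(args[0], {})))
        elif kw == "set":               # one value is stored as str, several as a list
            stack[-1][1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif kw in ("next", "end"):     # 'next' closes an edit, 'end' closes a config
            expected = "edit" if kw == "next" else "config"
            if len(stack) == 1 or stack[-1][0] != expected:
                raise ValueError(f"'{kw}' does not close an open {expected} block")
            stack.pop()
        else:
            raise ValueError(f"unexpected token {kw!r}")
    if len(stack) != 1:
        raise ValueError("unterminated config/edit block")
    return root


def check_sdwan_neighbors(cfg):
    """List SD-WAN neighbors whose BGP peer, member, health-check or sla-id is missing."""
    problems = []
    bgp_peers = cfg.get("router bgp", {}).get("neighbor", {})
    vwl = cfg.get("system virtual-wan-link", {})
    members, checks = vwl.get("members", {}), vwl.get("health-check", {})
    for ip, nb in vwl.get("neighbor", {}).items():
        peer = bgp_peers.get(ip)
        if peer is None:
            problems.append(f"{ip}: no neighbor with this IP under 'config router bgp'")
        elif "route-map-out-preferable" not in peer:
            problems.append(f"{ip}: BGP neighbor sets no route-map-out-preferable")
        if nb.get("member") not in members:
            problems.append(f"{ip}: member {nb.get('member')!r} is not an SD-WAN member")
        hc = checks.get(nb.get("health-check"))
        if hc is None:
            problems.append(f"{ip}: health-check {nb.get('health-check')!r} does not exist")
        elif nb.get("sla-id") not in hc.get("sla", {}):
            problems.append(f"{ip}: sla-id {nb.get('sla-id')!r} is not defined under that health-check")
    return problems


def evaluate_failover(cfg, sla_met):
    """Model of the page's behaviour; sla_met maps (health-check name, sla-id) -> bool.
    A neighbor whose SLA is met is preferred and gets route-map-out-preferable, else route-map-out.
    Selected role: primary if a primary neighbor is preferred, else secondary, else None; a
    primary/secondary service rule is enabled only when its role matches the selected role."""
    bgp_peers = cfg["router bgp"]["neighbor"]
    vwl = cfg["system virtual-wan-link"]
    preferred = {ip: bool(sla_met.get((nb["health-check"], nb["sla-id"])))
                 for ip, nb in vwl["neighbor"].items()}
    route_map = {ip: bgp_peers[ip]["route-map-out-preferable" if ok else "route-map-out"]
                 for ip, ok in preferred.items()}
    selected = next((role for role in ("primary", "secondary")
                     if any(ok and vwl["neighbor"][ip].get("role") == role
                            for ip, ok in preferred.items())), None)
    services = {sid: svc["role"] == selected for sid, svc in vwl.get("service", {}).items()
                if svc.get("role") in ("primary", "secondary")}
    return {"selected_role": selected, "route_map_out": route_map, "service_enabled": services}


# Constructed sample: the CLI of Examples 1 and 2, trimmed and flattened as the page renders it.
SAMPLE_CONFIG = (
    'config router bgp set as 65412 config neighbor '
    'edit "10.100.1.1" set remote-as 20 set route-map-out "prim-fails" set route-map-out-preferable "comm1" next '
    'edit "10.100.1.5" set remote-as 20 set route-map-out "sec-fails" set route-map-out-preferable "comm2" next '
    'end end config system virtual-wan-link set status enable '
    'config members edit 1 set interface "port1" next edit 2 set interface "port2" next end '
    'config health-check edit "ping" set server "10.100.2.22" set members 1 config sla edit 1 next end next '
    'edit "ping2" set server "10.100.2.23" set failtime 3000 config sla edit 2 next end next end '
    'config neighbor edit "10.100.1.1" set member 1 set role primary set health-check "ping" set sla-id 1 next '
    'edit "10.100.1.5" set member 2 set role secondary set health-check "ping2" set sla-id 2 next end '
    'config service edit 1 set role primary set member 1 set dst "data-centerA" next '
    'edit 2 set role secondary set member 2 set dst "data-centerB" next end end'
)

if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    print("wiring problems:", check_sdwan_neighbors(cfg) or "none")
    print("primary out of SLA ->", evaluate_failover(cfg, {("ping2", "2"): True}))
```

Run against the sample, the wiring check reports nothing, and with only the secondary neighbor's SLA met the model returns selected_role "secondary", route-map prim-fails for 10.100.1.1 and comm2 for 10.100.1.5, and service rule 2 enabled with rule 1 disabled. Changing the secondary neighbor's sla-id to one that is not defined under "ping2" makes the check flag it, which is the mistake most likely to leave a neighbor permanently out of SLA.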