Fortinet Document Library

Version:


Table of Contents

New Features

6.2.0
Download PDF
Copy Link

BGP route-map and selective rules  6.2.1

BGP can adapt to changes in SD-WAN link SLAs:

  • BGP in can send a different route-map to its BGP neighbor when IP SLA is not met.
  • Traffic can be selectively forwarded based on the status of the BGP neighbor. If the SD-WAN service's role matches its selected role, the service is enabled. If the service role does not match the selected role, then the service is disabled.

The following CLI commands are added:

config router bgp
    config neighbor
        edit <ip_address>
            set route-map-out-preferable <route_map>
        next
    end
end
config system virtual-wan-link
    config neighbor
        edit <ip_address>
            set member <integer>
            set role {standalone | primary | secondary}
            set health-check <string>
            set sla-id <integer>
        next
    end
    config service
        edit <rule_id>
            set role {standalone | primary | secondary}
            set standalone-action {enable | disable}
        next
    end
end

Command

Description

edit <ip_address>

IP address of the BGP neighbor.

route-map-out-preferable <route_map>

Outbound route map filter if the peer is preferred.

member <integer>

Member sequence number.

role {standalone | primary | secondary}

Role of the neighbor.

health-check <string>

SD-WAN health-check name.

sla-id <integer>

SLA ID number.

role {standalone | primary | secondary}

Roles to work with the neighbor.

standalone-action {enable | disable}

Enable/disable service when the selected neighbor role is standalone and the service role is not standalone.

Examples

Example 1

Traffic is controlled when the SLA status changes by advertising a different community to the neighbor.

The customer is using two gateways, primary and secondary, that are located in different datacenters. The gateways have a full mesh network between them. Traffic flows to the primary SD-WAN gateway, unless the link is outside of the SLA, or completely down. When that happens, traffic routes to the secondary gateway. The SD-WAN neighbor is configured to let BGP advertise different communities when the SLA status changes. When the SLA becomes out of compliance, it triggers the route-map to send out a different community number to its BGP neighbor so that the neighbor can use the best path.

To configure the FortiGate device:
  1. Configure BGP:
    config router bgp
        set as 65412
        set router-id 1.1.1.1
        set ibgp-multipath enable
        config neighbor
            edit "10.100.1.1"
                set soft-reconfiguration enable
                set remote-as 20
                set route-map-out "prim-fails"
                set route-map-out-preferable "comm1"
            next
            edit "10.100.1.5"
                set soft-reconfiguration enable
                set remote-as 20
                set route-map-out "sec-fails"
                set route-map-out-preferable "comm2"
            next
        end
    end
  2. Configure the virtual WAN link:
    config system virtual-wan-link
        set status enable
        config members
            edit 1
                set interface "port1"
            next
            edit 2
                set interface "port2"
            next
        end
        config health-check
            edit "ping"
                set server "10.100.2.22"
                set members 1
                config sla
                    edit 1
                    next
                end
            next
            edit "ping2"
                set server "10.100.2.23"
                set failtime 3000
                config sla
                    edit 2
                    next
                end
            next
        end
        config neighbor
            edit "10.100.1.1"
                set member 1
                set role primary
                set health-check "ping"
                set sla-id 1
            next
            edit "10.100.1.5"
                set member 2
                set role secondary
                set health-check "ping2"
                set sla-id 2
            next
        end
    end

Example 2

Specific traffic is controlled using a service rule.

The customer wants only certain traffic to be forwarded to an SD-WAN member when both the primary BGP neighbor and SLA statuses are good. Otherwise, the traffic is forwarded to a different SD-WAN member. If both the BGP neighbors' SLAs are out of compliance, SD-WAN will disable the service rules.

To configure the virtual WAN link:
config system virtual-wan-link
    set status enable
    config members
        edit 1
            set interface "port1"
        next
        edit 2
            set interface "port2"
        next
    end
    config health-check
        edit "ping"
            set server "10.100.2.22"
            set members 1
            config sla
                edit 1
                next
            end
        next
        edit "ping2"
            set server "10.100.2.23"
            set failtime 3000
            config sla
                edit 2
                next
            end
        next
    end
    config neighbor
        edit "10.100.1.1"
            set member 1
            set role primary
            set health-check "ping"
            set sla-id 1
        next
        edit "10.100.1.5"
            set member 2
            set role secondary
            set health-check "ping2"
            set sla-id 2
        next
    end
    config service
        edit 1
            set role primary
            set member 1
            set dst "data-centerA"
        next
        edit 2
            set role secondary
            set member 2
            set dst "data-centerB"
        next
    end
end

BGP route-map and selective rules  6.2.1

BGP can adapt to changes in SD-WAN link SLAs:

  • BGP in can send a different route-map to its BGP neighbor when IP SLA is not met.
  • Traffic can be selectively forwarded based on the status of the BGP neighbor. If the SD-WAN service's role matches its selected role, the service is enabled. If the service role does not match the selected role, then the service is disabled.

The following CLI commands are added:

config router bgp
    config neighbor
        edit <ip_address>
            set route-map-out-preferable <route_map>
        next
    end
end
config system virtual-wan-link
    config neighbor
        edit <ip_address>
            set member <integer>
            set role {standalone | primary | secondary}
            set health-check <string>
            set sla-id <integer>
        next
    end
    config service
        edit <rule_id>
            set role {standalone | primary | secondary}
            set standalone-action {enable | disable}
        next
    end
end

Command

Description

edit <ip_address>

IP address of the BGP neighbor.

route-map-out-preferable <route_map>

Outbound route map filter if the peer is preferred.

member <integer>

Member sequence number.

role {standalone | primary | secondary}

Role of the neighbor.

health-check <string>

SD-WAN health-check name.

sla-id <integer>

SLA ID number.

role {standalone | primary | secondary}

Roles to work with the neighbor.

standalone-action {enable | disable}

Enable/disable service when the selected neighbor role is standalone and the service role is not standalone.

Examples

Example 1

Traffic is controlled when the SLA status changes by advertising a different community to the neighbor.

The customer is using two gateways, primary and secondary, that are located in different datacenters. The gateways have a full mesh network between them. Traffic flows to the primary SD-WAN gateway, unless the link is outside of the SLA, or completely down. When that happens, traffic routes to the secondary gateway. The SD-WAN neighbor is configured to let BGP advertise different communities when the SLA status changes. When the SLA becomes out of compliance, it triggers the route-map to send out a different community number to its BGP neighbor so that the neighbor can use the best path.

To configure the FortiGate device:
  1. Configure BGP:
    config router bgp
        set as 65412
        set router-id 1.1.1.1
        set ibgp-multipath enable
        config neighbor
            edit "10.100.1.1"
                set soft-reconfiguration enable
                set remote-as 20
                set route-map-out "prim-fails"
                set route-map-out-preferable "comm1"
            next
            edit "10.100.1.5"
                set soft-reconfiguration enable
                set remote-as 20
                set route-map-out "sec-fails"
                set route-map-out-preferable "comm2"
            next
        end
    end
  2. Configure the virtual WAN link:
    config system virtual-wan-link
        set status enable
        config members
            edit 1
                set interface "port1"
            next
            edit 2
                set interface "port2"
            next
        end
        config health-check
            edit "ping"
                set server "10.100.2.22"
                set members 1
                config sla
                    edit 1
                    next
                end
            next
            edit "ping2"
                set server "10.100.2.23"
                set failtime 3000
                config sla
                    edit 2
                    next
                end
            next
        end
        config neighbor
            edit "10.100.1.1"
                set member 1
                set role primary
                set health-check "ping"
                set sla-id 1
            next
            edit "10.100.1.5"
                set member 2
                set role secondary
                set health-check "ping2"
                set sla-id 2
            next
        end
    end

Example 2

Specific traffic is controlled using a service rule.

The customer wants only certain traffic to be forwarded to an SD-WAN member when both the primary BGP neighbor and SLA statuses are good. Otherwise, the traffic is forwarded to a different SD-WAN member. If both the BGP neighbors' SLAs are out of compliance, SD-WAN will disable the service rules.

To configure the virtual WAN link:
config system virtual-wan-link
    set status enable
    config members
        edit 1
            set interface "port1"
        next
        edit 2
            set interface "port2"
        next
    end
    config health-check
        edit "ping"
            set server "10.100.2.22"
            set members 1
            config sla
                edit 1
                next
            end
        next
        edit "ping2"
            set server "10.100.2.23"
            set failtime 3000
            config sla
                edit 2
                next
            end
        next
    end
    config neighbor
        edit "10.100.1.1"
            set member 1
            set role primary
            set health-check "ping"
            set sla-id 1
        next
        edit "10.100.1.5"
            set member 2
            set role secondary
            set health-check "ping2"
            set sla-id 2
        next
    end
    config service
        edit 1
            set role primary
            set member 1
            set dst "data-centerA"
        next
        edit 2
            set role secondary
            set member 2
            set dst "data-centerB"
        next
    end
end