
New Features

BGP Additional Path Support

BGP Additional Path Support

Currently, when deploying Auto-Discovery VPN (ADVPN) for Software-Defined Wide Area Networks (SD-WAN), a FortiGate deployed as the ADVPN hub acts as a route reflector. As such, it advertises only one path, the best path. As a result, the branches receive different routes in their routing tables that all point to the same next hop.

In 6.2, this is addressed by adding Border Gateway Protocol (BGP) additional path support, which allows the ADVPN hub to advertise multiple paths to the same destination.

This feature allows BGP to advertise and retain additional paths for a destination, as defined in RFC 7911 (Advertisement of Multiple Paths in BGP).

Example

In the following example topology, each spoke has four VPN tunnels connected to the hub with ADVPN. Each spoke has established a BGP neighbor session with the hub over each of the four tunnels.

Spoke 1 and Spoke 2 can each learn four different routes to the other spoke's networks. Note that the hub's neighbor-range prefix (10.10.0.0 255.255.0.0) defines which peer addresses may form dynamic BGP sessions with the hub; in a production deployment, keep it no wider than the tunnel address space.

Hub

config router bgp

set as 65505

set router-id 11.11.11.11

set ibgp-multipath enable

set additional-path enable <<<<<<<<<< new

set additional-path-select 4 <<<<<<<<<< new

config neighbor-group

edit "gr1"

set capability-default-originate enable

set remote-as 65505

set additional-path both <<<<<<<<<< new

set adv-additional-path 4 <<<<<<<<<< new

set route-reflector-client enable

next

end

config neighbor-range

edit 1

set prefix 10.10.0.0 255.255.0.0

set neighbor-group "gr1"

next

end

config network

edit 12

set prefix 11.11.11.11 255.255.255.255

next

end

end

Spoke

config router bgp

set as 65505

set router-id 2.2.2.2

set ibgp-multipath enable

set additional-path enable <<<<<<<<<< new

set additional-path-select 4 <<<<<<<<<< new

config neighbor

edit "10.10.100.254"

set soft-reconfiguration enable

set remote-as 65505

set additional-path both <<<<<<<<<< new

set adv-additional-path 4 <<<<<<<<<< new

next

edit "10.10.200.254"

set soft-reconfiguration enable

set remote-as 65505

set additional-path both

set adv-additional-path 4

next

edit "10.10.203.254"

set soft-reconfiguration enable

set remote-as 65505

set additional-path both

set adv-additional-path 4

next

edit "10.10.204.254"

set soft-reconfiguration enable

set remote-as 65505

set additional-path both

set adv-additional-path 4

next

end

config network

edit 3

set prefix 22.1.1.0 255.255.255.0

next

end

end

Spoke1 # get router info routing-table bgp

Routing table for VRF=0

B* 0.0.0.0/0 [200/0] via 10.10.200.254, vd2-2, 03:57:26

[200/0] via 10.10.203.254, vd2-3, 03:57:26

[200/0] via 10.10.204.254, vd2-4, 03:57:26

[200/0] via 10.10.100.254, vd2-1, 03:57:26

B 1.1.1.1/32 [200/0] via 11.1.1.1 (recursive via 12.1.1.1), 03:57:51

[200/0] via 11.1.1.1 (recursive via 12.1.1.1), 03:57:51

[200/0] via 11.1.1.1 (recursive via 12.1.1.1), 03:57:51

[200/0] via 11.1.1.1 (recursive via 12.1.1.1), 03:57:51

B 11.11.11.11/32 [200/0] via 10.10.200.254, vd2-2, 03:57:51

[200/0] via 10.10.203.254, vd2-3, 03:57:51

[200/0] via 10.10.204.254, vd2-4, 03:57:51

[200/0] via 10.10.100.254, vd2-1, 03:57:51

B 33.1.1.0/24 [200/0] via 10.10.204.3, vd2-4, 03:57:26

[200/0] via 10.10.203.3, vd2-3, 03:57:26

[200/0] via 10.10.200.3, vd2-2, 03:57:26

[200/0] via 10.10.100.3, vd2-1, 03:57:26

[200/0] via 10.10.204.3, vd2-4, 03:57:26

[200/0] via 10.10.203.3, vd2-3, 03:57:26

[200/0] via 10.10.200.3, vd2-2, 03:57:26

[200/0] via 10.10.100.3, vd2-1, 03:57:26

[200/0] via 10.10.204.3, vd2-4, 03:57:26

[200/0] via 10.10.203.3, vd2-3, 03:57:26

[200/0] via 10.10.200.3, vd2-2, 03:57:26

[200/0] via 10.10.100.3, vd2-1, 03:57:26

[200/0] via 10.10.204.3, vd2-4, 03:57:26

[200/0] via 10.10.203.3, vd2-3, 03:57:26

[200/0] via 10.10.200.3, vd2-2, 03:57:26

[200/0] via 10.10.100.3, vd2-1, 03:57:26

Spoke1 #

BGP Additional Path Support

BGP Additional Path Support

Currently, when deploying Auto-Discovery VPN (ADVPN) for Software-Defined Wide Area Networks (SD-WAN), a FortiGate deployed as the ADVPN hub acts as a route reflector. As such, it advertises only one path, the best path. As a result, the branches receive different routes in their routing tables that all point to the same next hop.

In 6.2, this is addressed by adding Border Gateway Protocol (BGP) additional path support, which allows the ADVPN hub to advertise multiple paths to the same destination.

This feature allows BGP to advertise and retain additional paths for a destination, as defined in RFC 7911 (Advertisement of Multiple Paths in BGP).

Example

In the following example topology, each spoke has four VPN tunnels connected to the hub with ADVPN. Each spoke has established a BGP neighbor session with the hub over each of the four tunnels.

Spoke 1 and Spoke 2 can each learn four different routes to the other spoke's networks. Note that the hub's neighbor-range prefix (10.10.0.0 255.255.0.0) defines which peer addresses may form dynamic BGP sessions with the hub; in a production deployment, keep it no wider than the tunnel address space.

Hub

config router bgp

set as 65505

set router-id 11.11.11.11

set ibgp-multipath enable

set additional-path enable <<<<<<<<<< new

set additional-path-select 4 <<<<<<<<<< new

config neighbor-group

edit "gr1"

set capability-default-originate enable

set remote-as 65505

set additional-path both <<<<<<<<<< new

set adv-additional-path 4 <<<<<<<<<< new

set route-reflector-client enable

next

end

config neighbor-range

edit 1

set prefix 10.10.0.0 255.255.0.0

set neighbor-group "gr1"

next

end

config network

edit 12

set prefix 11.11.11.11 255.255.255.255

next

end

end

Spoke

config router bgp

set as 65505

set router-id 2.2.2.2

set ibgp-multipath enable

set additional-path enable <<<<<<<<<< new

set additional-path-select 4 <<<<<<<<<< new

config neighbor

edit "10.10.100.254"

set soft-reconfiguration enable

set remote-as 65505

set additional-path both <<<<<<<<<< new

set adv-additional-path 4 <<<<<<<<<< new

next

edit "10.10.200.254"

set soft-reconfiguration enable

set remote-as 65505

set additional-path both

set adv-additional-path 4

next

edit "10.10.203.254"

set soft-reconfiguration enable

set remote-as 65505

set additional-path both

set adv-additional-path 4

next

edit "10.10.204.254"

set soft-reconfiguration enable

set remote-as 65505

set additional-path both

set adv-additional-path 4

next

end

config network

edit 3

set prefix 22.1.1.0 255.255.255.0

next

end

end

Spoke1 # get router info routing-table bgp

Routing table for VRF=0

B* 0.0.0.0/0 [200/0] via 10.10.200.254, vd2-2, 03:57:26

[200/0] via 10.10.203.254, vd2-3, 03:57:26

[200/0] via 10.10.204.254, vd2-4, 03:57:26

[200/0] via 10.10.100.254, vd2-1, 03:57:26

B 1.1.1.1/32 [200/0] via 11.1.1.1 (recursive via 12.1.1.1), 03:57:51

[200/0] via 11.1.1.1 (recursive via 12.1.1.1), 03:57:51

[200/0] via 11.1.1.1 (recursive via 12.1.1.1), 03:57:51

[200/0] via 11.1.1.1 (recursive via 12.1.1.1), 03:57:51

B 11.11.11.11/32 [200/0] via 10.10.200.254, vd2-2, 03:57:51

[200/0] via 10.10.203.254, vd2-3, 03:57:51

[200/0] via 10.10.204.254, vd2-4, 03:57:51

[200/0] via 10.10.100.254, vd2-1, 03:57:51

B 33.1.1.0/24 [200/0] via 10.10.204.3, vd2-4, 03:57:26

[200/0] via 10.10.203.3, vd2-3, 03:57:26

[200/0] via 10.10.200.3, vd2-2, 03:57:26

[200/0] via 10.10.100.3, vd2-1, 03:57:26

[200/0] via 10.10.204.3, vd2-4, 03:57:26

[200/0] via 10.10.203.3, vd2-3, 03:57:26

[200/0] via 10.10.200.3, vd2-2, 03:57:26

[200/0] via 10.10.100.3, vd2-1, 03:57:26

[200/0] via 10.10.204.3, vd2-4, 03:57:26

[200/0] via 10.10.203.3, vd2-3, 03:57:26

[200/0] via 10.10.200.3, vd2-2, 03:57:26

[200/0] via 10.10.100.3, vd2-1, 03:57:26

[200/0] via 10.10.204.3, vd2-4, 03:57:26

[200/0] via 10.10.203.3, vd2-3, 03:57:26

[200/0] via 10.10.200.3, vd2-2, 03:57:26

[200/0] via 10.10.100.3, vd2-1, 03:57:26

Spoke1 #