Fortinet Document Library

Version:

Version:

Version:


Table of Contents

Cookbook

Download PDF
Copy Link

Applying BGP route-map to multiple BGP neighbors

Controlling traffic with BGP route mapping and service rules explained how BGP can apply different route-maps to the primary and secondary SD-WAN neighbors based on SLA health checks.

In this example, SD-WAN neighbors that are not bound to primary and secondary roles are configured.

The FortiGate has multiple SD-WAN links and has formed BGP neighbors with both ISPs.

ISP1 is used primarily for outbound traffic, and has an SD-WAN service rule using the lowest cost algorithm applied to it. When SLAs for ISP1 are not met, it will fail over to the MPLS line.

Inbound traffic is allowed by both WAN links, with each WAN advertising a community string when SLAs are met. When SLAs are not met, the WAN links advertise a different community string.

This example uses two SD-WAN links. The topology can be expanded to include more links as needed.

To configure BGP route-maps and neighbors:
  1. Configure an access list for routes to be matched:
    config router access-list
        edit "net192"
            config rule
                edit 1
                    set prefix 192.168.20.0 255.255.255.0
                next
            end
        next
    end
    
  2. Configure route-maps for neighbor ISP1:
    config router route-map
        edit "comm1"
            config rule
                edit 1
                    set match-ip-address "net192"
                    set set-community "64511:1"
                next
            end
        next
        edit "comm-fail1"
            config rule
                edit 1
                    set match-ip-address "net192"
                    set set-community "64511:5"
                next
            end
        next
    end
    
  3. Configure route-maps for neighbor ISP2:
    config router route-map
        edit "comm2"
            config rule
                edit 1
                    set match-ip-address "net192"
                    set set-community "64522:1"
                next
            end
        next
        edit "comm-fail2"
            config rule
                edit 1
                    set match-ip-address "net192"
                    set set-community "64522:5"
                next
            end
        next
    end
    
  4. Configure the BGP neighbors:
    config router bgp
        set as 64512
        set keepalive-timer 1
        set holdtime-timer 3
        config neighbor
            edit "192.168.2.1"
                set soft-reconfiguration enable
                set remote-as 64511
                set route-map-out "comm-fail1"
                set route-map-out-preferable "comm1"
            next
            edit "172.31.0.1"
                set soft-reconfiguration enable
                set remote-as 64522
                set route-map-out "comm-fail2"
                set route-map-out-preferable "comm2"
            next
        end
        config network
            edit 1
                set prefix 192.168.20.0 255.255.255.0
            next
        end
    end
    

    When SLAs are met, route-map-out-preferable is used. When SLAs are missed, route-map-out is used.

To configure SD-WAN:
  1. Configure the SD-WAN members:
    config system virtual-wan-link
        set status enable
        config members
            edit 1
                set interface "port1"
    		   set gateway 192.168.2.1
            next
            edit 2
                set interface "MPLS"
                set cost 20
            next
        end
    end
    
  2. Configure the health checks that must be met:
    config system virtual-wan-link
        config health-check
            edit "pingserver"
                set server "8.8.8.8"
                set members 2 1
                config sla
                    edit 1
                        set link-cost-factor packet-loss
                        set packetloss-threshold 2
                    next
                end
            next
        end
    end
    
  3. Configure the SD-WAN neighbors and assign them a role and the health checks used to determine if the neighbor meets the SLA:

    When no role is defined, the default role, standalone, is used.

    config system virtual-wan-link
        config neighbor
            edit "192.168.2.1"
                set member 1
                set health-check "pingserver"
                set sla-id 1
            next
            edit "172.31.0.1"
                set member 2
                set health-check "pingserver"
                set sla-id 1
            next
        end
    end

Service rules

Create SD-WAN service rules to direct traffic to the SD-WAN links based on the lowest cost algorithm The same SLA health check and criteria that are used for the SD-WAN neighbor are used for this SD-WAN service rule.

When no roles are defined in the service rule, the default role, standalone, is used.

To configure the SD-WAN service rule:
config system virtual-wan-link
    config service
        edit 1
            set name "OutboundAll"
            set mode sla
            set dst "all"
            set src "all"
            config sla
                edit "pingserver"
                    set id 1
                next
            end
            set priority-members 1 2
        next
    end 
end

Verification

To verify that when both SLAs are met, port1 is selected due to its lower cost:
  1. Verify the health check status:
    FortiGate-Branch # diagnose sys virtual-wan-link health-check
    Health Check(pingserver):
    Seq(2 MPLS): state(alive), packet-loss(0.000%) latency(24.709), jitter(14.996) sla_map=0x1
    Seq(1 port1): state(alive), packet-loss(0.000%) latency(28.771), jitter(14.840) sla_map=0x1
    
  2. Verify SD-WAN neighbor status:
    FortiGate-Branch # diagnose sys virtual-wan-link neighbor
    Neighbor(192.168.2.1): member(1) role(standalone)
            Health-check(pingserver:1)  sla-pass selected alive
    Neighbor(172.31.0.1): member(2) role(standalone)
            Health-check(pingserver:1)  sla-pass selected alive
  3. Verify service rules status:

    Because the service role is standalone, it matches both neighbors. The mode (SLA) determines that port1 is lower cost.

    FortiGate-Branch # diagnose sys virtual-wan-link service
    
    Service(1): Address Mode(IPV4) flags=0x0
      Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla), sla-compare-order
      Service role: standalone
      Members:
        1: Seq_num(1 port1), alive, sla(0x1), cfg_order(0), cost(0), selected
        2: Seq_num(2 MPLS), alive, sla(0x1), cfg_order(1), cost(20), selected
      Src address:
            0.0.0.0-255.255.255.255
    
      Dst address:
            0.0.0.0-255.255.255.255
    
  4. Verify neighbor routers:
    1. Primary neighbor router:
      FGT-NBR1 # get router info bgp network 192.168.20.0
      BGP routing table entry for 192.168.20.0/24
      Paths: (1 available, best #1, table Default-IP-Routing-Table)
        Not advertised to any peer
        64512
          192.168.2.5 from 192.168.2.5 (192.168.122.98)
            Origin IGP metric 0, localpref 100, valid, external, best
            Community: 64511:1
            Last update: Thu Apr 30 23:59:05 2020
      
    2. Secondary neighbor router:
      FGT-NBR2 # get router info bgp network 192.168.20.0
      VRF 0 BGP routing table entry for 192.168.20.0/24
      Paths: (1 available, best #1, table Default-IP-Routing-Table)
        Not advertised to any peer
        Original VRF 0
        64512
          172.31.0.2 from 172.31.0.2 (192.168.122.98)
            Origin IGP metric 0, localpref 100, valid, external, best
            Community: 64522:1
            Last update: Fri May  1 00:11:28 2020
      
To verify that when neighbor ISP1 misses SLAs, MPLS is selected and BGP advertises a different community string for ISP1:
  1. Verify the health check status:
    FortiGate-Branch # diagnose sys virtual-wan-link health-check
    Health Check(pingserver):
    Seq(2 MPLS): state(alive), packet-loss(0.000%) latency(25.637), jitter(17.820) sla_map=0x1
    Seq(1 port1): state(dead), packet-loss(16.000%) sla_map=0x0
    
  2. Verify SD-WAN neighbor status:
    FortiGate-Branch # diagnose sys virtual-wan-link neighbor
    Neighbor(192.168.2.1): member(1) role(standalone)
            Health-check(pingserver:1)  sla-fail dead
    Neighbor(172.31.0.1): member(2) role(standalone)
            Health-check(pingserver:1)  sla-pass selected alive
    
    
  3. Verify service rules status:

    As SLA failed for neighbor ISP1, MPLS is preferred.

    FortiGate-Branch # diagnose sys virtual-wan-link service
    
    Service(1): Address Mode(IPV4) flags=0x0
      Gen(3), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla), sla-compare-order
      Service role: standalone
      Members:
        1: Seq_num(2 MPLS), alive, sla(0x1), cfg_order(1), cost(20), selected
        2: Seq_num(1 port1), dead, sla(0x0), cfg_order(0), cost(0)
      Src address:
            0.0.0.0-255.255.255.255
    
      Dst address:
            0.0.0.0-255.255.255.255
    
    
  4. Verify neighbor routers:

    The community received on ISP1 is updated.

    1. Primary neighbor router:
      FGT-NBR1 # get router info bgp network 192.168.20.0
      BGP routing table entry for 192.168.20.0/24
      Paths: (1 available, best #1, table Default-IP-Routing-Table)
        Not advertised to any peer
        64512
          192.168.2.5 from 192.168.2.5 (192.168.122.98)
            Origin IGP metric 0, localpref 100, valid, external, best
            Community: 64511:5
            Last update: Fri May  1 00:33:26 2020
      
    2. Secondary neighbor router:
      FGT-NBR2 # get router info bgp network 192.168.20.0
      VRF 0 BGP routing table entry for 192.168.20.0/24
      Paths: (1 available, best #1, table Default-IP-Routing-Table)
        Not advertised to any peer
        Original VRF 0
        64512
          172.31.0.2 from 172.31.0.2 (192.168.122.98)
            Origin IGP metric 0, localpref 100, valid, external, best
            Community: 64522:1
            Last update: Fri May  1 00:22:42 2020
      

Applying BGP route-map to multiple BGP neighbors

Controlling traffic with BGP route mapping and service rules explained how BGP can apply different route-maps to the primary and secondary SD-WAN neighbors based on SLA health checks.

In this example, SD-WAN neighbors that are not bound to primary and secondary roles are configured.

The FortiGate has multiple SD-WAN links and has formed BGP neighbors with both ISPs.

ISP1 is used primarily for outbound traffic, and has an SD-WAN service rule using the lowest cost algorithm applied to it. When SLAs for ISP1 are not met, it will fail over to the MPLS line.

Inbound traffic is allowed by both WAN links, with each WAN advertising a community string when SLAs are met. When SLAs are not met, the WAN links advertise a different community string.

This example uses two SD-WAN links. The topology can be expanded to include more links as needed.

To configure BGP route-maps and neighbors:
  1. Configure an access list for routes to be matched:
    config router access-list
        edit "net192"
            config rule
                edit 1
                    set prefix 192.168.20.0 255.255.255.0
                next
            end
        next
    end
    
  2. Configure route-maps for neighbor ISP1:
    config router route-map
        edit "comm1"
            config rule
                edit 1
                    set match-ip-address "net192"
                    set set-community "64511:1"
                next
            end
        next
        edit "comm-fail1"
            config rule
                edit 1
                    set match-ip-address "net192"
                    set set-community "64511:5"
                next
            end
        next
    end
    
  3. Configure route-maps for neighbor ISP2:
    config router route-map
        edit "comm2"
            config rule
                edit 1
                    set match-ip-address "net192"
                    set set-community "64522:1"
                next
            end
        next
        edit "comm-fail2"
            config rule
                edit 1
                    set match-ip-address "net192"
                    set set-community "64522:5"
                next
            end
        next
    end
    
  4. Configure the BGP neighbors:
    config router bgp
        set as 64512
        set keepalive-timer 1
        set holdtime-timer 3
        config neighbor
            edit "192.168.2.1"
                set soft-reconfiguration enable
                set remote-as 64511
                set route-map-out "comm-fail1"
                set route-map-out-preferable "comm1"
            next
            edit "172.31.0.1"
                set soft-reconfiguration enable
                set remote-as 64522
                set route-map-out "comm-fail2"
                set route-map-out-preferable "comm2"
            next
        end
        config network
            edit 1
                set prefix 192.168.20.0 255.255.255.0
            next
        end
    end
    

    When SLAs are met, route-map-out-preferable is used. When SLAs are missed, route-map-out is used.

To configure SD-WAN:
  1. Configure the SD-WAN members:
    config system virtual-wan-link
        set status enable
        config members
            edit 1
                set interface "port1"
    		   set gateway 192.168.2.1
            next
            edit 2
                set interface "MPLS"
                set cost 20
            next
        end
    end
    
  2. Configure the health checks that must be met:
    config system virtual-wan-link
        config health-check
            edit "pingserver"
                set server "8.8.8.8"
                set members 2 1
                config sla
                    edit 1
                        set link-cost-factor packet-loss
                        set packetloss-threshold 2
                    next
                end
            next
        end
    end
    
  3. Configure the SD-WAN neighbors and assign them a role and the health checks used to determine if the neighbor meets the SLA:

    When no role is defined, the default role, standalone, is used.

    config system virtual-wan-link
        config neighbor
            edit "192.168.2.1"
                set member 1
                set health-check "pingserver"
                set sla-id 1
            next
            edit "172.31.0.1"
                set member 2
                set health-check "pingserver"
                set sla-id 1
            next
        end
    end

Service rules

Create SD-WAN service rules to direct traffic to the SD-WAN links based on the lowest cost algorithm The same SLA health check and criteria that are used for the SD-WAN neighbor are used for this SD-WAN service rule.

When no roles are defined in the service rule, the default role, standalone, is used.

To configure the SD-WAN service rule:
config system virtual-wan-link
    config service
        edit 1
            set name "OutboundAll"
            set mode sla
            set dst "all"
            set src "all"
            config sla
                edit "pingserver"
                    set id 1
                next
            end
            set priority-members 1 2
        next
    end 
end

Verification

To verify that when both SLAs are met, port1 is selected due to its lower cost:
  1. Verify the health check status:
    FortiGate-Branch # diagnose sys virtual-wan-link health-check
    Health Check(pingserver):
    Seq(2 MPLS): state(alive), packet-loss(0.000%) latency(24.709), jitter(14.996) sla_map=0x1
    Seq(1 port1): state(alive), packet-loss(0.000%) latency(28.771), jitter(14.840) sla_map=0x1
    
  2. Verify SD-WAN neighbor status:
    FortiGate-Branch # diagnose sys virtual-wan-link neighbor
    Neighbor(192.168.2.1): member(1) role(standalone)
            Health-check(pingserver:1)  sla-pass selected alive
    Neighbor(172.31.0.1): member(2) role(standalone)
            Health-check(pingserver:1)  sla-pass selected alive
  3. Verify service rules status:

    Because the service role is standalone, it matches both neighbors. The mode (SLA) determines that port1 is lower cost.

    FortiGate-Branch # diagnose sys virtual-wan-link service
    
    Service(1): Address Mode(IPV4) flags=0x0
      Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla), sla-compare-order
      Service role: standalone
      Members:
        1: Seq_num(1 port1), alive, sla(0x1), cfg_order(0), cost(0), selected
        2: Seq_num(2 MPLS), alive, sla(0x1), cfg_order(1), cost(20), selected
      Src address:
            0.0.0.0-255.255.255.255
    
      Dst address:
            0.0.0.0-255.255.255.255
    
  4. Verify neighbor routers:
    1. Primary neighbor router:
      FGT-NBR1 # get router info bgp network 192.168.20.0
      BGP routing table entry for 192.168.20.0/24
      Paths: (1 available, best #1, table Default-IP-Routing-Table)
        Not advertised to any peer
        64512
          192.168.2.5 from 192.168.2.5 (192.168.122.98)
            Origin IGP metric 0, localpref 100, valid, external, best
            Community: 64511:1
            Last update: Thu Apr 30 23:59:05 2020
      
    2. Secondary neighbor router:
      FGT-NBR2 # get router info bgp network 192.168.20.0
      VRF 0 BGP routing table entry for 192.168.20.0/24
      Paths: (1 available, best #1, table Default-IP-Routing-Table)
        Not advertised to any peer
        Original VRF 0
        64512
          172.31.0.2 from 172.31.0.2 (192.168.122.98)
            Origin IGP metric 0, localpref 100, valid, external, best
            Community: 64522:1
            Last update: Fri May  1 00:11:28 2020
      
To verify that when neighbor ISP1 misses SLAs, MPLS is selected and BGP advertises a different community string for ISP1:
  1. Verify the health check status:
    FortiGate-Branch # diagnose sys virtual-wan-link health-check
    Health Check(pingserver):
    Seq(2 MPLS): state(alive), packet-loss(0.000%) latency(25.637), jitter(17.820) sla_map=0x1
    Seq(1 port1): state(dead), packet-loss(16.000%) sla_map=0x0
    
  2. Verify SD-WAN neighbor status:
    FortiGate-Branch # diagnose sys virtual-wan-link neighbor
    Neighbor(192.168.2.1): member(1) role(standalone)
            Health-check(pingserver:1)  sla-fail dead
    Neighbor(172.31.0.1): member(2) role(standalone)
            Health-check(pingserver:1)  sla-pass selected alive
    
    
  3. Verify service rules status:

    As SLA failed for neighbor ISP1, MPLS is preferred.

    FortiGate-Branch # diagnose sys virtual-wan-link service
    
    Service(1): Address Mode(IPV4) flags=0x0
      Gen(3), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla), sla-compare-order
      Service role: standalone
      Members:
        1: Seq_num(2 MPLS), alive, sla(0x1), cfg_order(1), cost(20), selected
        2: Seq_num(1 port1), dead, sla(0x0), cfg_order(0), cost(0)
      Src address:
            0.0.0.0-255.255.255.255
    
      Dst address:
            0.0.0.0-255.255.255.255
    
    
  4. Verify neighbor routers:

    The community received on ISP1 is updated.

    1. Primary neighbor router:
      FGT-NBR1 # get router info bgp network 192.168.20.0
      BGP routing table entry for 192.168.20.0/24
      Paths: (1 available, best #1, table Default-IP-Routing-Table)
        Not advertised to any peer
        64512
          192.168.2.5 from 192.168.2.5 (192.168.122.98)
            Origin IGP metric 0, localpref 100, valid, external, best
            Community: 64511:5
            Last update: Fri May  1 00:33:26 2020
      
    2. Secondary neighbor router:
      FGT-NBR2 # get router info bgp network 192.168.20.0
      VRF 0 BGP routing table entry for 192.168.20.0/24
      Paths: (1 available, best #1, table Default-IP-Routing-Table)
        Not advertised to any peer
        Original VRF 0
        64512
          172.31.0.2 from 172.31.0.2 (192.168.122.98)
            Origin IGP metric 0, localpref 100, valid, external, best
            Community: 64522:1
            Last update: Fri May  1 00:22:42 2020