SD-WAN Architecture for Enterprise

7.0.0

Route exchange

The spokes establish separate IBGP sessions to the gateway over each overlay. The BGP Neighbor Group feature is used on the gateway for this peering. Each spoke then advertises its local site prefix(es) over each of the IBGP sessions. The gateway acts as a BGP Route Reflector (RR), readvertising the prefixes to all other spokes when ADVPN is used. Additionally, the gateway advertises its prefixes (such as the datacenter LANs) to each branch location. At the end of this process, all the sites exchange their routes over all available overlays.

Additional Routing Notes

  • Routing inside the datacenter is typically handled by BGP or OSPF. Datacenter networks are readvertised to the branches through BGP if needed.
  • IBGP sessions are terminated on the IPsec overlays. Hence they use the tunnel IP addresses as BGP next-hops (NH), which requires IP addresses to be configured on the tunnel interfaces. The hub can automatically allocate tunnel IP addresses to the spokes using the IKE Mode Config feature, which simplifies provisioning and reduces administrative overhead.
  • Since the spokes establish separate IBGP sessions with the hub over each overlay, there are multiple BGP routes for each prefix. To keep all the routes available, the following two BGP features must be enabled on all participating devices (hub and spokes):
    • BGP Multipath ensures that all the available routes are installed into the routing tables.
    • BGP ADD-PATH ensures that the hub, which sits between the spokes, reflects all available routes.
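As an added example that is not part of the original document, the following FortiOS CLI fragment shows one way the routing design described above could be expressed on the hub and on a spoke: a neighbor group on the hub acting as route reflector for spokes peering from their tunnel IP ranges, with IBGP multipath and ADD-PATH enabled on both sides, and the spoke advertising its LAN over both overlays. The AS number, neighbor group name, tunnel ranges, hub tunnel IPs and the branch prefix are assumed values.

```fortios
# Hub (assumed values: AS 65000, two overlays using tunnel ranges
# 10.10.1.0/24 and 10.10.2.0/24; the hub holds .254 in each range)
config router bgp
    set as 65000
    set ibgp-multipath enable
    set additional-path enable
    set additional-path-select 4
    config neighbor-group
        edit "EDGE"
            set remote-as 65000
            set route-reflector-client enable
            set additional-path both
            set adv-additional-path 4
        next
    end
    config neighbor-range
        edit 1
            set prefix 10.10.1.0/24
            set neighbor-group "EDGE"
        next
        edit 2
            set prefix 10.10.2.0/24
            set neighbor-group "EDGE"
        next
    end
end

# Spoke (assumed values): one IBGP session per overlay to the hub tunnel IP,
# advertising the branch LAN 10.20.0.0/24 over both sessions
config router bgp
    set as 65000
    set ibgp-multipath enable
    set additional-path enable
    config neighbor
        edit "10.10.1.254"
            set remote-as 65000
            set additional-path receive
        next
        edit "10.10.2.254"
            set remote-as 65000
            set additional-path receive
        next
    end
    config network
        edit 1
            set prefix 10.20.0.0/24
        next
    end
end
```

The hub's own datacenter prefixes would be added under `config network` on the hub in the same way as the branch LAN on the spoke.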
