Applying BGP route-map to multiple BGP neighbors

Controlling traffic with BGP route mapping and service rules explained how BGP can apply different route-maps to the primary and secondary SD-WAN neighbors based on SLA health checks.

In this example, the SD-WAN BGP neighbors are configured without primary and secondary roles: each neighbor's outbound route-map is selected by the SLA status of its own SD-WAN link.

The FortiGate has multiple SD-WAN links and has formed BGP neighbors with both ISPs.

ISP1 is used primarily for outbound traffic, and has an SD-WAN service rule using the lowest cost algorithm applied to it. When SLAs for ISP1 are not met, it will fail over to the MPLS line.

Inbound traffic is accepted on both WAN links. Each WAN link advertises one community string while its SLAs are met, and a different community string when its SLAs are not met.

This example uses two SD-WAN links. The topology can be expanded to include more links as needed.

To configure BGP route-maps and neighbors:
  1. Configure an access list for routes to be matched:
    config router access-list
        edit "net192"
            config rule
                edit 1
                    set prefix 192.168.20.0 255.255.255.0
                next
            end
        next
    end
    
  2. Configure route-maps for neighbor ISP1:
    config router route-map
        edit "comm1"
            config rule
                edit 1
                    set match-ip-address "net192"
                    set set-community "64511:1"
                next
            end
        next
        edit "comm-fail1"
            config rule
                edit 1
                    set match-ip-address "net192"
                    set set-community "64511:5"
                next
            end
        next
    end
    
  3. Configure route-maps for neighbor ISP2:
    config router route-map
        edit "comm2"
            config rule
                edit 1
                    set match-ip-address "net192"
                    set set-community "64522:1"
                next
            end
        next
        edit "comm-fail2"
            config rule
                edit 1
                    set match-ip-address "net192"
                    set set-community "64522:5"
                next
            end
        next
    end
    
  4. Configure the BGP neighbors:
    config router bgp
        set as 64512
        set keepalive-timer 1
        set holdtime-timer 3
        config neighbor
            edit "192.168.2.1"
                set soft-reconfiguration enable
                set remote-as 64511
                set route-map-out "comm-fail1"
                set route-map-out-preferable "comm1"
            next
            edit "172.31.0.1"
                set soft-reconfiguration enable
                set remote-as 64522
                set route-map-out "comm-fail2"
                set route-map-out-preferable "comm2"
            next
        end
        config network
            edit 1
                set prefix 192.168.20.0 255.255.255.0
            next
        end
    end

    When SLAs are met, route-map-out-preferable is used. When SLAs are missed, route-map-out is used.
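    The following Python model, added here and not part of the FortiOS configuration or Fortinet's documentation, works through the selection described above for the two neighbors: it resolves each neighbor's route-map from the SLA status of the SD-WAN member it rides on and applies the access-list match to decide which community (if any) is advertised. The mapping of neighbor 192.168.2.1 to member 1 and 172.31.0.1 to member 2, the exact-prefix comparison for the access list, and the implicit deny at the end of a route-map are assumptions of the model.

```python
import ipaddress

# Constructed model of the page's access list, route-maps and neighbors.
# Assumptions: the access-list match is an exact prefix comparison, and a
# route that matches no route-map rule is not advertised (implicit deny).
ACCESS_LISTS = {"net192": [ipaddress.ip_network("192.168.20.0/24")]}

ROUTE_MAPS = {
    "comm1":      [{"match": "net192", "community": "64511:1"}],
    "comm-fail1": [{"match": "net192", "community": "64511:5"}],
    "comm2":      [{"match": "net192", "community": "64522:1"}],
    "comm-fail2": [{"match": "net192", "community": "64522:5"}],
}

# Assumed binding of each BGP neighbor to the SD-WAN member whose SLA governs it.
NEIGHBORS = {
    "192.168.2.1": {"member": 1, "out": "comm-fail1", "preferable": "comm1"},
    "172.31.0.1":  {"member": 2, "out": "comm-fail2", "preferable": "comm2"},
}

ADVERTISED_PREFIX = "192.168.20.0/24"   # the 'config network' entry


def apply_route_map(name, prefix):
    """Community set by the first matching rule, or None if the route is denied."""
    net = ipaddress.ip_network(prefix)
    for rule in ROUTE_MAPS[name]:
        if any(net == entry for entry in ACCESS_LISTS[rule["match"]]):
            return rule["community"]
    return None


def advertised(neighbor, prefix, sla_met):
    """Community a neighbor receives for prefix, given per-member SLA results."""
    cfg = NEIGHBORS[neighbor]
    # SLA met -> route-map-out-preferable; SLA missed -> route-map-out
    rmap = cfg["preferable"] if sla_met[cfg["member"]] else cfg["out"]
    return apply_route_map(rmap, prefix)


def inbound_view(sla_met):
    """What each ISP sees for the advertised prefix under the given SLA state."""
    return {n: advertised(n, ADVERTISED_PREFIX, sla_met) for n in NEIGHBORS}


if __name__ == "__main__":
    for state in ({1: True, 2: True}, {1: False, 2: True}, {1: True, 2: False}):
        print(state, inbound_view(state))
```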

To configure SD-WAN:
  1. Configure the SD-WAN members:
    config system sdwan
        set status enable
        config members
            edit 1
                set interface "port1"
                set gateway 192.168.2.1
            next
            edit 2
                set interface "MPLS"
                set cost 20
            next
        end
    end
    
  2. Configure the health checks that must be met:
    config system sdwan
        config health-check
            edit "pingserver"
                set server "8.8.8.8"
                set members 2 1
                config sla
                    edit 1
                        set link-cos