BGP on loopback (Dual-Hub region)
This topic includes reference configurations for the following components:
Spoke
-
Configure Loopback to be used for BGP termination and for ADVPN shortcut monitoring:
config system interface
    edit "Lo"
        set vdom "root"
        set type loopback
        set ip 10.200.1.1/32
        set allowaccess ping
    next
end
-
Configure a unique Location ID. (Best practice is to use Loopback.)
config system settings
    set location-id 10.200.1.1
end
-
Configure IKE to automatically inject the static route to reach the Loopback on all the phase1-interfaces towards the Hubs:
config vpn ipsec phase1-interface
    edit "H1_ISP1"
        set exchange-ip-addr4 10.200.1.1
    next
    edit "H1_MPLS"
        set exchange-ip-addr4 10.200.1.1
    next
    edit "H2_ISP1"
        set exchange-ip-addr4 10.200.1.1
    next
    edit "H2_MPLS"
        set exchange-ip-addr4 10.200.1.1
    next
end
-
There is no need to configure any tunnel IPs—that is, no IPs on the interfaces H1_ISP1, H1_MPLS, H2_ISP1 and H2_MPLS.
-
Configure the route-maps to apply a different tag per Hub:
config router route-map
    edit "H1_TAG"
        config rule
            edit 1
                set set-tag 1
            next
        end
    next
    edit "H2_TAG"
        config rule
            edit 1
                set set-tag 2
            next
        end
    next
end
-
Configure BGP:
Single neighbor per Hub (using the Hub's Loopback) and terminated on the Loopback.
Apply the above-configured route-maps on ingress for each Hub.
No ADD-PATH is needed.
Must enable set tag-resolve-mode merge.
Must enable set recursive-next-hop enable.
config router bgp
    set as 65001
    set router-id 10.200.1.1
    set keepalive-timer 15
    set holdtime-timer 45
    set ibgp-multipath enable
    set recursive-next-hop enable
    set tag-resolve-mode merge
    config neighbor
        edit 10.200.1.253
            set soft-reconfiguration enable
            set advertisement-interval 1
            set interface "Lo"
            set update-source "Lo"
            set connect-timer 1
            set remote-as 65001
            set route-map-in "H1_TAG"
        next
        edit 10.200.1.254
            set soft-reconfiguration enable
            set advertisement-interval 1
            set interface "Lo"
            set update-source "Lo"
            set connect-timer 1
            set remote-as 65001
            set route-map-in "H2_TAG"
        next
    end
    config network
        edit 1
            set prefix 10.0.1.0/24
        next
    end
end
-
In SD-WAN Member configuration, must set set source on all the overlays, to ensure that the Loopback IP is used as the source of health probes:
config system sdwan
    config members
        edit 2
            set source 10.200.1.1
        next
        edit 3
            set source 10.200.1.1
        next
        edit 4
            set source 10.200.1.1
        next
        edit 5
            set source 10.200.1.1
        next
    end
end
-
In Firewall Policy configuration, must add a rule to permit incoming health probes destined to the Loopback for the ADVPN shortcut monitoring:
config firewall policy
    edit 4
        set name "Health-Check"
        set srcintf "overlay"
        set dstintf "Lo"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "PING"
    next
end
Hub
-
Configure Loopback to be used for BGP termination:
config system interface
    edit "Lo"
        set vdom "root"
        set type loopback
        set ip 10.200.1.253/32
        set allowaccess ping
    next
end
DO NOT use the same loopback as the Spokes' health-check server! Using the same loopback is not supported, because the health-check routes are statically injected on the Spokes and remain even when the respective overlay is down. As a result, the BGP session would be unable to switch over to another overlay upon failure!
-
Configure a unique Location ID. Best practice is to use Loopback.
config system settings
    set location-id 10.200.1.253
end
-
Configure IKE to automatically inject the static route to reach the Loopback on all the Dial-Up phase1-interfaces towards the Spokes:
config vpn ipsec phase1-interface
    edit "EDGE_ISP1"
        set exchange-ip-addr4 10.200.1.253
    next
    edit "EDGE_MPLS"
        set exchange-ip-addr4 10.200.1.253
    next
end
-
There is no need to configure any tunnel IPs—that is, no IPs on the interfaces EDGE_ISP1 and EDGE_MPLS.
-
Configure BGP:
Single neighbor-group for all Spokes and terminated on the Loopback.
No ADD-PATH is needed.
Must enable set recursive-next-hop enable.
Must advertise a loopback summary to all the Spokes (10.200.0.0/14 in the snippet below), so that they can resolve each other's routes.
config router route-map
    edit "LOCAL_REGION"
        config rule
            edit 1
                set set-community "no-export"
            next
        end
    next
end
config router bgp
    set as 65001
    set router-id 10.200.1.253
    set keepalive-timer 15
    set holdtime-timer 45
    set ibgp-multipath enable
    set ebgp-multipath enable
    set recursive-next-hop enable
    config neighbor-group
        edit "EDGE"
            set soft-reconfiguration enable
            set advertisement-interval 1
            set next-hop-self enable
            set remote-as 65001
            set interface "Lo"
            set update-source "Lo"
            set route-reflector-client enable
        next
    end
    config neighbor-range
        edit 1
            set prefix 10.200.0.0/14
            set neighbor-group "EDGE"
        next
    end
    config network
        edit 1
            set prefix 10.200.0.0/14
            set route-map "LOCAL_REGION"
        next
        edit 2
            set prefix 10.1.0.0/24
        next
    end
end
-
For correct ADVPN operation, in topologies with segregated transports (such as Internet plus MPLS), it is required to configure the "overlay stickiness" policy:
config router policy
    edit 1
        set input-device EDGE_ISP1
        set output-device EDGE_ISP1
    next
    edit 2
        set input-device EDGE_MPLS
        set output-device EDGE_MPLS
    next
end
-
In Firewall Policy configuration, must add a rule to permit incoming BGP sessions destined to the Loopback:
config firewall policy
    edit 6
        set name "Peering"
        set srcintf overlay
        set dstintf "Lo"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "PING" "BGP"
    next
end
Optimizing failover
The following best-practice recommendations improve failover times during different network issues:
-
On all devices, DPD timers must be shorter than the BGP hold-timer. This way, if one overlay fails, the BGP session will seamlessly switch over to another available overlay.
-
On the Hub, dpd on-idle is recommended, with timers shorter than those on the Spokes. This will allow the Hub to quickly detect a failed overlay on a Spoke, to avoid resolving routes through dead overlays.
-
It is recommended to configure a default route on the Spokes towards the overlays. One easy way of doing this is using a set sdwan-zone "underlay" "overlay" static route on the Spokes.
Please note that the deployment workflow discussed throughout this document already incorporates all the above recommendations.
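The Spoke checklist above (exchange-ip-addr4 on every phase1-interface, BGP terminated on the Loopback with recursive-next-hop and tag-resolve-mode merge, one tag route-map per Hub, SD-WAN member source set to the Loopback) and the failover rule that DPD must detect a dead overlay before the BGP hold-timer expires are all things that can be linted mechanically. The following Python is an added example, not code from this page or from Fortinet: it parses a FortiOS CLI fragment into nested dicts and reports every deviation. SPOKE_CFG is a constructed sample with deliberate gaps (one overlay without DPD timers, one whose DPD timers exceed the hold-timer, one SD-WAN member without a source); the DPD detection-time estimate of dpd-retryinterval multiplied by dpd-retrycount is an approximation chosen for this example, not a vendor formula.

```python
"""Lint a Spoke's FortiOS config against the BGP-on-loopback checklist above.
Added example, not Fortinet code; SPOKE_CFG is a constructed sample."""
import shlex

def parse_fortios(text):
    """'config a b' -> key "a b"; 'edit X' -> key "X"; 'set k v..' -> k: [v..]."""
    stack = [{}]
    for raw in text.splitlines():
        tok = shlex.split(raw)
        if not tok:
            continue
        kw, args = tok[0], tok[1:]
        if kw == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif kw == "set":
            stack[-1][args[0]] = args[1:]
        elif kw in ("next", "end"):
            stack.pop()
    return stack[0]

def check_spoke(cfg, lo_name="Lo"):
    """Return findings; an empty list means every checklist item is satisfied."""
    f = []
    lo_ip = cfg["system interface"][lo_name]["ip"][0].split("/")[0]
    bgp = cfg.get("router bgp", {})
    hold = int(bgp.get("holdtime-timer", ["0"])[0])
    for name, p1 in cfg.get("vpn ipsec phase1-interface", {}).items():
        # IKE must inject the static route to the loopback on every overlay
        if p1.get("exchange-ip-addr4", [""])[0] != lo_ip:
            f.append(f"{name}: exchange-ip-addr4 must be {lo_ip}")
        # DPD detection time approximated as retryinterval * retrycount (assumption)
        if "dpd-retryinterval" in p1 and "dpd-retrycount" in p1:
            detect = int(p1["dpd-retryinterval"][0]) * int(p1["dpd-retrycount"][0])
            if detect >= hold:
                f.append(f"{name}: DPD detection {detect}s is not shorter than BGP holdtime {hold}s")
        else:
            f.append(f"{name}: dpd-retryinterval/dpd-retrycount not set")
    if bgp.get("recursive-next-hop") != ["enable"]:
        f.append("bgp: recursive-next-hop must be enable")
    if bgp.get("tag-resolve-mode") != ["merge"]:
        f.append("bgp: tag-resolve-mode must be merge")
    seen = set()
    for peer, n in bgp.get("neighbor", {}).items():
        if n.get("update-source") != [lo_name]:
            f.append(f"neighbor {peer}: update-source must be {lo_name}")
        rm = n.get("route-map-in", [None])[0]
        if rm is None or rm in seen:  # one tag route-map per Hub
            f.append(f"neighbor {peer}: needs a distinct route-map-in")
        seen.add(rm)
    for mid, m in cfg.get("system sdwan", {}).get("members", {}).items():
        if m.get("source", [""])[0] != lo_ip:  # health probes sourced from loopback
            f.append(f"sdwan member {mid}: source must be {lo_ip}")
    return f

SPOKE_CFG = """
config system interface
    edit "Lo"
        set ip 10.200.1.1/32
    next
end
config vpn ipsec phase1-interface
    edit "H1_ISP1"
        set exchange-ip-addr4 10.200.1.1
    next
    edit "H2_MPLS"
        set exchange-ip-addr4 10.200.1.1
        set dpd-retryinterval 20
        set dpd-retrycount 3
    next
end
config router bgp
    set holdtime-timer 45
    set recursive-next-hop enable
    set tag-resolve-mode merge
    config neighbor
        edit 10.200.1.253
            set update-source "Lo"
            set route-map-in "H1_TAG"
        next
        edit 10.200.1.254
            set update-source "Lo"
            set route-map-in "H2_TAG"
        next
    end
end
config system sdwan
    config members
        edit 2
        next
    end
end
"""

if __name__ == "__main__":
    for finding in check_spoke(parse_fortios(SPOKE_CFG)):
        print(finding)
```

Running it against the sample reports the three planted gaps and nothing else; pasting the output of a real "show" for the sections involved in place of SPOKE_CFG gives the same checks on a live Spoke. The Hub side is not covered here, but the same parser can be pointed at the Hub's neighbor-group and neighbor-range sections.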