SD-WAN / SD-Branch Architecture for MSSPs

7.2.0

Deep-dive: route-tags in SD-WAN rules

On release 7.2 of FortiOS, the following two rules apply:

  1. An SD-WAN rule will correctly match a specified route-tag only if the route-tag is learned from an SD-WAN Member listed in the rule.

  2. But once the route-tag is matched, the rule can steer the traffic to any listed Member, not necessarily the one from which the route-tag is learned.

This is best understood with an example:

  • Here the node "site1-1" has an SD-WAN rule that matches on route-tag 1 and applies the "Lowest Cost (SLA)" strategy, with a primary overlay H1_INET and a secondary overlay H2_INET.

  • The Hub H2 is advertising a route towards 10.0.0.0/8 with a BGP community, which is translated into the route-tag 1.

  • The Hub H1 is also advertising a route towards 10.0.0.0/8, but without any BGP community.

Assuming that both overlays are healthy, what will happen to the traffic destined to 10.0.0.0/8?

  • The destination 10.0.0.0/8 is "marked" with a route-tag 1. This route-tag is learned from the BGP session running over H2_INET. Because H2_INET is listed in our SD-WAN rule, the rule will be successfully matched.

  • However, the rule's strategy prefers H1_INET. Even though the route-tag is not learned from the BGP session running over H1_INET, the traffic will be steered to H1_INET!

Now let us configure two separate SD-WAN rules with a "Manual" strategy, the first listing only H1_INET as its Member and the second listing H2_INET:

What will happen to the traffic destined to 10.0.0.0/8 in this case?

  • The destination 10.0.0.0/8 is "marked" with a route-tag 1. However, this route-tag is not learned from the BGP session running over H1_INET, which is the only Member listed in the first rule. Therefore, the first rule is skipped!

  • The second rule is matched, since the route-tag is learned from the BGP session running over H2_INET. And now, in accordance with the "Manual" strategy, the traffic is steered towards H2_INET by the second rule.
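The two-step evaluation above (match the route-tag only via a listed Member, then steer by strategy across all listed Members) can be modelled in a few lines. The following Python model is an added illustration, not FortiOS code: it assumes all Members have equal cost, so "Lowest Cost (SLA)" reduces to the highest-priority Member meeting SLA, and "Manual" uses the first Member that is up.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class SdwanRule:
    name: str
    route_tag: int
    mode: str       # "sla" = Lowest Cost (SLA); "manual" = Manual
    members: list   # SD-WAN Members in priority order (primary first)

def rule_matches(rule: SdwanRule, learned: dict) -> bool:
    """Page rule 1: the route-tag must be learned over a Member listed in the rule.
    `learned` maps Member -> set of route-tags learned from the BGP session on it."""
    return any(rule.route_tag in learned.get(m, set()) for m in rule.members)

def pick_member(rule: SdwanRule, healthy: dict) -> Optional[str]:
    """Page rule 2: once matched, any listed Member may carry the traffic.
    Assumption (model only): equal costs, so SLA mode = first Member meeting SLA,
    Manual mode = first Member that is up; `healthy` covers both checks."""
    for m in rule.members:
        if healthy.get(m, False):
            return m
    return None

def steer(rules: list, learned: dict, healthy: dict):
    """Evaluate SD-WAN rules top-down; return (rule name, Member) or None."""
    for rule in rules:
        if not rule_matches(rule, learned):
            continue  # rule skipped; evaluation continues with the next rule
        member = pick_member(rule, healthy)
        if member is not None:
            return rule.name, member
    return None

# Constructed from the page's example: Hub H2 advertises 10.0.0.0/8 with the
# community mapped to route-tag 1; Hub H1 advertises it without any community.
LEARNED_TAGS_10_0_0_0_8 = {"H1_INET": set(), "H2_INET": {1}}
BOTH_HEALTHY = {"H1_INET": True, "H2_INET": True}

# Scenario 1: one rule, Lowest Cost (SLA), primary H1_INET, secondary H2_INET.
SCENARIO_1 = [SdwanRule("tag1-lowest-cost", 1, "sla", ["H1_INET", "H2_INET"])]
# Scenario 2: two Manual rules, each listing a single Member.
SCENARIO_2 = [SdwanRule("tag1-via-H1", 1, "manual", ["H1_INET"]),
              SdwanRule("tag1-via-H2", 1, "manual", ["H2_INET"])]

if __name__ == "__main__":
    print(steer(SCENARIO_1, LEARNED_TAGS_10_0_0_0_8, BOTH_HEALTHY))  # ('tag1-lowest-cost', 'H1_INET')
    print(steer(SCENARIO_2, LEARNED_TAGS_10_0_0_0_8, BOTH_HEALTHY))  # ('tag1-via-H2', 'H2_INET')
```

The first scenario reproduces the counter-intuitive result: the tag is matched thanks to H2_INET, yet traffic leaves via H1_INET; the second shows the first rule being skipped entirely.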

Note

Due to the implementation details described here, on release 7.2 of FortiOS, the integration between BGP and SD-WAN works best with the BGP per overlay design. When using BGP on loopback design, it may not work as expected in certain cases as described in more detail in the BGP on loopback: limitations section.