Applying BGP route-map to multiple BGP neighbors
Controlling traffic with BGP route mapping and service rules explained how BGP can apply different route-maps to the primary and secondary SD-WAN neighbors based on SLA health checks.
In this example, the SD-WAN neighbors are configured without binding them to primary and secondary roles; both keep the default standalone role.
The FortiGate has multiple SD-WAN links and has formed BGP neighbors with both ISPs.
ISP1 is used primarily for outbound traffic, and has an SD-WAN service rule using the lowest cost algorithm applied to it. When SLAs for ISP1 are not met, it will fail over to the MPLS line.
Inbound traffic is allowed by both WAN links, with each WAN advertising a community string when SLAs are met. When SLAs are not met, the WAN links advertise a different community string.
This example uses two SD-WAN links. The topology can be expanded to include more links as needed.
To configure BGP route-maps and neighbors:
- Configure an access list for routes to be matched:
config router access-list
    edit "net192"
        config rule
            edit 1
                set prefix 192.168.20.0 255.255.255.0
            next
        end
    next
end
- Configure route-maps for neighbor ISP1:
config router route-map
    edit "comm1"
        config rule
            edit 1
                set match-ip-address "net192"
                set set-community "64511:1"
            next
        end
    next
    edit "comm-fail1"
        config rule
            edit 1
                set match-ip-address "net192"
                set set-community "64511:5"
            next
        end
    next
end
- Configure route-maps for neighbor ISP2:
config router route-map
    edit "comm2"
        config rule
            edit 1
                set match-ip-address "net192"
                set set-community "64522:1"
            next
        end
    next
    edit "comm-fail2"
        config rule
            edit 1
                set match-ip-address "net192"
                set set-community "64522:5"
            next
        end
    next
end
- Configure the BGP neighbors:
config router bgp
    set as 64512
    set keepalive-timer 1
    set holdtime-timer 3
    config neighbor
        edit "192.168.2.1"
            set soft-reconfiguration enable
            set remote-as 64511
            set route-map-out "comm-fail1"
            set route-map-out-preferable "comm1"
        next
        edit "172.31.0.1"
            set soft-reconfiguration enable
            set remote-as 64522
            set route-map-out "comm-fail2"
            set route-map-out-preferable "comm2"
        next
    end
    config network
        edit 1
            set prefix 192.168.20.0 255.255.255.0
        next
    end
end
When SLAs are met, route-map-out-preferable is used. When SLAs are missed, route-map-out is used.
To configure SD-WAN:
- Configure the SD-WAN members:
config system sdwan
    set status enable
    config members
        edit 1
            set interface "port1"
            set gateway 192.168.2.1
        next
        edit 2
            set interface "MPLS"
            set cost 20
        next
    end
end
- Configure the health checks that must be met:
config system sdwan
    config health-check
        edit "pingserver"
            set server "8.8.8.8"
            set members 2 1
            config sla
                edit 1
                    set link-cost-factor packet-loss
                    set packetloss-threshold 2
                next
            end
        next
    end
end
- Configure the SD-WAN neighbors and assign them a role and the health check used to determine whether the neighbor meets the SLA. When no role is defined, the default role, standalone, is used:
config system sdwan
    config neighbor
        edit "192.168.2.1"
            set member 1
            set health-check "pingserver"
            set sla-id 1
        next
        edit "172.31.0.1"
            set member 2
            set health-check "pingserver"
            set sla-id 1
        next
    end
end
Service rules
Create SD-WAN service rules to direct traffic to the SD-WAN links based on the lowest cost algorithm. The same SLA health check and criteria that are used for the SD-WAN neighbors are used for this SD-WAN service rule.
When no roles are defined in the service rule, the default role, standalone, is used.
To configure the SD-WAN service rule:
config system sdwan
    config service
        edit 1
            set name "OutboundAll"
            set mode sla
            set dst "all"
            set src "all"
            config sla
                edit "pingserver"
                    set id 1
                next
            end
            set priority-members 1 2
        next
    end
end
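The two selection decisions described above (the neighbor's route-map-out-preferable versus route-map-out, and the service rule's lowest-cost member among those meeting the SLA) can be modelled as a small script that reads the health-check state and reports what each neighbor should be advertising. The following is an added example, not FortiOS code or part of this guide: the parsing of the diagnose sys sdwan health-check output, the bit position of each sla-id in sla_map, and the cost-then-configuration-order tie-break are assumptions modelled on the outputs shown on this page, and the two sample outputs are constructed in that shape.

```python
"""Model SLA-driven route-map and service-rule selection for the configuration on this page.

Assumptions (not FortiOS behaviour taken from source): SLA n is bit n-1 of sla_map,
and a member is eligible only when alive with its SLA bit set.
"""
import re

# The page's configuration expressed as data: SD-WAN members, neighbors and route-maps.
MEMBERS = {1: {"interface": "port1", "cost": 0}, 2: {"interface": "MPLS", "cost": 20}}
NEIGHBORS = {
    "192.168.2.1": {"member": 1, "sla_id": 1,
                    "route_map_out": "comm-fail1", "route_map_out_preferable": "comm1"},
    "172.31.0.1": {"member": 2, "sla_id": 1,
                   "route_map_out": "comm-fail2", "route_map_out_preferable": "comm2"},
}
ROUTE_MAP_COMMUNITY = {"comm1": "64511:1", "comm-fail1": "64511:5",
                       "comm2": "64522:1", "comm-fail2": "64522:5"}
PRIORITY_MEMBERS = [1, 2]  # priority-members of the "OutboundAll" service rule (cfg_order)

# Constructed sample output in the shape of `diagnose sys sdwan health-check`.
HC_BOTH_PASS = """\
Health Check(pingserver):
Seq(2 MPLS): state(alive), packet-loss(0.000%) latency(24.709), jitter(14.996) sla_map=0x1
Seq(1 port1): state(alive), packet-loss(0.000%) latency(28.771), jitter(14.840) sla_map=0x1
"""
HC_ISP1_FAIL = """\
Health Check(pingserver):
Seq(2 MPLS): state(alive), packet-loss(0.000%) latency(25.637), jitter(17.820) sla_map=0x1
Seq(1 port1): state(dead), packet-loss(16.000%) sla_map=0x0
"""

SEQ_RE = re.compile(r"Seq\((\d+) (\S+)\): state\((\w+)\),.*?sla_map=0x([0-9a-fA-F]+)")


def parse_health_check(text):
    """Return {seq: {"interface", "alive", "sla_map"}} parsed from health-check output."""
    status = {}
    for match in SEQ_RE.finditer(text):
        seq, iface, state, sla_map = match.groups()
        status[int(seq)] = {"interface": iface, "alive": state == "alive",
                            "sla_map": int(sla_map, 16)}
    return status


def sla_met(status, member, sla_id):
    """True when the member is alive and its SLA bit (assumed bit sla_id-1) is set."""
    entry = status.get(member)
    return bool(entry and entry["alive"] and (entry["sla_map"] >> (sla_id - 1)) & 1)


def route_map_for_neighbor(status, neighbor_ip):
    """route-map-out-preferable while the neighbor's member meets its SLA, else route-map-out."""
    n = NEIGHBORS[neighbor_ip]
    name = (n["route_map_out_preferable"] if sla_met(status, n["member"], n["sla_id"])
            else n["route_map_out"])
    return name, ROUTE_MAP_COMMUNITY[name]


def select_member(status, sla_id=1):
    """Lowest-cost member that meets the SLA; ties broken by priority-members order (assumed)."""
    candidates = [m for m in PRIORITY_MEMBERS if sla_met(status, m, sla_id)]
    if not candidates:
        return None  # no member meets the SLA; the rule would fall back to other members
    return min(candidates, key=lambda m: (MEMBERS[m]["cost"], PRIORITY_MEMBERS.index(m)))


def advertised_communities(text):
    """Community each neighbor should see for 192.168.20.0/24 given this health-check output."""
    status = parse_health_check(text)
    return {ip: route_map_for_neighbor(status, ip)[1] for ip in NEIGHBORS}


if __name__ == "__main__":
    for label, text in (("both SLAs met", HC_BOTH_PASS), ("ISP1 SLA missed", HC_ISP1_FAIL)):
        status = parse_health_check(text)
        chosen = select_member(status)
        print(f"{label}: outbound via {MEMBERS[chosen]['interface']}, "
              f"communities {advertised_communities(text)}")
```

Running the script reproduces the two verification states shown later on this page: with both SLAs met, port1 is chosen and both neighbors receive the "met" communities; with port1 dead, MPLS is chosen and only ISP1's community changes to 64511:5.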
Verification
To verify that, when both SLAs are met, port1 is selected because of its lower cost:
- Verify the health check status:
FortiGate-Branch # diagnose sys sdwan health-check
Health Check(pingserver):
Seq(2 MPLS): state(alive), packet-loss(0.000%) latency(24.709), jitter(14.996) sla_map=0x1
Seq(1 port1): state(alive), packet-loss(0.000%) latency(28.771), jitter(14.840) sla_map=0x1
- Verify SD-WAN neighbor status:
FortiGate-Branch # diagnose sys sdwan neighbor
Neighbor(192.168.2.1): member(1) role(standalone) Health-check(pingserver:1) sla-pass selected alive
Neighbor(172.31.0.1): member(2) role(standalone) Health-check(pingserver:1) sla-pass selected alive
- Verify service rules status. Because the service role is standalone, it matches both neighbors. The mode (SLA) determines that port1 is lower cost:
FortiGate-Branch # diagnose sys sdwan service
Service(1): Address Mode(IPV4) flags=0x0
  Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla), sla-compare-order
  Service role: standalone
  Members:
    1: Seq_num(1 port1), alive, sla(0x1), cfg_order(0), cost(0), selected
    2: Seq_num(2 MPLS), alive, sla(0x1), cfg_order(1), cost(20), selected
  Src address: 0.0.0.0-255.255.255.255
  Dst address: 0.0.0.0-255.255.255.255
- Verify neighbor routers:
- Primary neighbor router:
FGT-NBR1 # get router info bgp network 192.168.20.0
BGP routing table entry for 192.168.20.0/24
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Not advertised to any peer
  64512
    192.168.2.5 from 192.168.2.5 (192.168.122.98)
      Origin IGP metric 0, localpref 100, valid, external, best
      Community: 64511:1
      Last update: Thu Apr 30 23:59:05 2020
- Secondary neighbor router:
FGT-NBR2 # get router info bgp network 192.168.20.0
VRF 0 BGP routing table entry for 192.168.20.0/24
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Not advertised to any peer
  Original VRF 0
  64512
    172.31.0.2 from 172.31.0.2 (192.168.122.98)
      Origin IGP metric 0, localpref 100, valid, external, best
      Community: 64522:1
      Last update: Fri May 1 00:11:28 2020
To verify that, when neighbor ISP1 misses its SLA, MPLS is selected and BGP advertises a different community string to ISP1:
- Verify the health check status:
FortiGate-Branch # diagnose sys sdwan health-check
Health Check(pingserver):
Seq(2 MPLS): state(alive), packet-loss(0.000%) latency(25.637), jitter(17.820) sla_map=0x1
Seq(1 port1): state(dead), packet-loss(16.000%) sla_map=0x0
- Verify SD-WAN neighbor status:
FortiGate-Branch # diagnose sys sdwan neighbor
Neighbor(192.168.2.1): member(1) role(standalone) Health-check(pingserver:1) sla-fail dead
Neighbor(172.31.0.1): member(2) role(standalone) Health-check(pingserver:1) sla-pass selected alive
- Verify service rules status. Because the SLA failed for neighbor ISP1, MPLS is preferred:
FortiGate-Branch # diagnose sys sdwan service
Service(1): Address Mode(IPV4) flags=0x0
  Gen(3), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla), sla-compare-order
  Service role: standalone
  Members:
    1: Seq_num(2 MPLS), alive, sla(0x1), cfg_order(1), cost(20), selected
    2: Seq_num(1 port1), dead, sla(0x0), cfg_order(0), cost(0)
  Src address: 0.0.0.0-255.255.255.255
  Dst address: 0.0.0.0-255.255.255.255
- Verify neighbor routers. The community received by ISP1 is updated to the failure value, while ISP2 still receives the SLA-met community:
- Primary neighbor router:
FGT-NBR1 # get router info bgp network 192.168.20.0
BGP routing table entry for 192.168.20.0/24
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Not advertised to any peer
  64512
    192.168.2.5 from 192.168.2.5 (192.168.122.98)
      Origin IGP metric 0, localpref 100, valid, external, best
      Community: 64511:5
      Last update: Fri May 1 00:33:26 2020
- Secondary neighbor router:
FGT-NBR2 # get router info bgp network 192.168.20.0
VRF 0 BGP routing table entry for 192.168.20.0/24
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Not advertised to any peer
  Original VRF 0
  64512
    172.31.0.2 from 172.31.0.2 (192.168.122.98)
      Origin IGP metric 0, localpref 100, valid, external, best
      Community: 64522:1
      Last update: Fri May 1 00:22:42 2020