Using BGP tags with SD-WAN rules
SD-WAN rules can use Border Gateway Protocol (BGP) learned routes as dynamic destinations.
In this example, a customer has two ISP connections, wan1 and wan2. wan1 is used primarily for direct access to internet applications, and wan2 is used primarily for traffic to the customer's data center.
The customer could create an SD-WAN rule using the data center's IP address range as the destination to force that traffic to use wan2, but the data center's IP range is not static. Instead, a BGP tag can be used.
For this example, wan2's BGP neighbor advertises the data center's network range with a community number of 30:5.
This example assumes that SD-WAN is enabled on the FortiGate, wan1 and wan2 are added as SD-WAN members in the virtual-wan-link SD-WAN zone, and a policy and static route have been created. See SD-WAN quick start for details.
FortiOS supports IPv4 and IPv6 route tags. |
To configure BGP tags with SD-WAN rules:
- Configure the community list:
config router community-list edit "30:5" config rule edit 1 set action permit set match "30:5" next end next end
- Configure the route map:
config router route-map edit "comm1" config rule edit 1 set match-community "30:5" set set-route-tag 15 next end next end
- Configure BGP:
config router bgp set as xxxxx set router-id xxxx config neighbor edit "10.100.20.2" set soft-reconfiguration enable set remote-as xxxxx set route-map-in "comm1" next end end
-
Configure the route tag address object:
config firewall address edit "DataCenter_route_tag_15" set type route-tag set route-tag 15 next end
- Configure a firewall policy:
config firewall policy edit 1 set name "1" set srcintf "dmz" set dstintf "virtual-wan-link" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" set nat enable next end
- Edit the SD-WAN configuration:
config system sdwan set status enable config members edit 1 set interface "wan1" set gateway 172.16.20.2 next edit 2 set interface "wan2" next end config service edit 1 set name "DataCenter" set mode manual set priority-members 2 next end end
Troubleshooting BGP tags with SD-WAN rules
Check the network community
Use the get router info bgp network
command to check the network community:
# get router info bgp network BGP table version is 5, local router ID is 1.1.1.1 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, S Stale Origin codes: i - IGP, e - EGP, ? - incomplete Network Next Hop Metric LocPrf Weight RouteTag Path *> 0.0.0.0/0 10.100.1.5 32768 0 ? *> 1.1.1.1/32 0.0.0.0 32768 0 ? *> 10.1.100.0/24 172.16.203.2 32768 0 ? *> 10.100.1.0/30 0.0.0.0 32768 0 ? *> 10.100.1.4/30 0.0.0.0 32768 0 ? *> 10.100.1.248/29 0.0.0.0 32768 0 ? *> 10.100.10.0/24 10.100.1.5 202 10000 15 20 e *> 172.16.200.0/24 0.0.0.0 32768 0 ? *> 172.16.200.200/32 0.0.0.0 32768 0 ? *> 172.16.201.0/24 172.16.200.4 32768 0 ? *> 172.16.203.0/24 0.0.0.0 32768 0 ? *> 172.16.204.0/24 172.16.200.4 32768 0 ? *> 172.16.205.0/24 0.0.0.0 32768 0 ? *> 172.16.206.0/24 0.0.0.0 32768 0 ? *> 172.16.207.1/32 0.0.0.0 32768 0 ? *> 172.16.207.2/32 0.0.0.0 32768 0 ? *> 172.16.212.1/32 0.0.0.0 32768 0 ? *> 172.16.212.2/32 0.0.0.0 32768 0 ? *> 172.17.200.200/32 0.0.0.0 32768 0 ? *> 172.27.1.0/24 0.0.0.0 32768 0 ? *> 172.27.2.0/24 0.0.0.0 32768 0 ? *> 172.27.5.0/24 0.0.0.0 32768 0 ? *> 172.27.6.0/24 0.0.0.0 32768 0 ? *> 172.27.7.0/24 0.0.0.0 32768 0 ? *> 172.27.8.0/24 0.0.0.0 32768 0 ? *> 172.29.1.0/24 0.0.0.0 32768 0 ? *> 172.29.2.0/24 0.0.0.0 32768 0 ? *> 192.168.1.0 0.0.0.0 32768 0 ? Total number of prefixes 28 # get router info bgp network 10.100.11.0 BGP routing table entry for 10.100.10.0/24 Paths: (2 available, best 1, table Default-IP-Routing-Table) Advertised to non peer-group peers: 172.10.22.2 20 10.100.20.2 from 10.100.20.2 (6.6.6.6) Origin EGP metric 200, localpref 100, weight 10000, valid, external, best Community: 30:5 <<<<=========================== Last update: Wen Mar 20 18:45:17 2019
Check dynamic BGP addresses
Use the get router info route-map-address
command to check dynamic BGP addresses:
# get router info route-map-address Extend-tag: 15, interface(wan2:16) 10.100.11.0/255.255.255.0
Check dynamic BGP addresses used in policy routes
Use the diagnose firewall proute list
command to check dynamic BGP addresses used in policy routes:
# diagnose firewall proute list list route policy info(vf=root): id=4278779905 vwl_service=1(DataCenter) flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:65535 iif=0 dport=1-65535 oif=16 source wildcard(1): 0.0.0.0/0.0.0.0 destination wildcard(1): 10.100.11.0/255.255.255.0