Controlling traffic with BGP route mapping and service rules

BGP can adapt to changes in SD-WAN link SLAs:

  • When an SLA is not met, BGP can apply a different outbound route-map to the affected BGP neighbor, so the neighbor receives different route attributes (for example, a different community value) and re-evaluates its best path.
  • Traffic can be forwarded selectively based on the status of the BGP neighbor. An SD-WAN service rule can be given a role (primary or secondary); the rule is enabled only while its role matches the role currently selected from the neighbors' SLA status, and is disabled otherwise.

Examples

Route mapping

Traffic is steered when the SLA status changes by advertising a different community to the BGP neighbor.

The customer uses two gateways, primary and secondary, located in different datacenters, with a full mesh between them. Traffic flows to the primary SD-WAN gateway unless its link is outside the SLA or completely down, in which case traffic is routed to the secondary gateway. The SD-WAN neighbor is configured so that BGP advertises different communities when the SLA status changes: while the SLA is met, the neighbor receives the route-map set by route-map-out-preferable; when the SLA goes out of compliance, the route-map set by route-map-out is applied instead, sending a different community number to the BGP neighbor so that it can select the best path.

To configure route mapping to a BGP neighbor when the SLA is not met (the route-maps comm1, comm2, prim-fails and sec-fails referenced below must already exist under config router route-map; their definitions are not shown here):
  1. Configure BGP:
    config router bgp
        set as 65412
        set router-id 1.1.1.1
        set ibgp-multipath enable
        config neighbor
            edit "10.100.1.1"
                set soft-reconfiguration enable
                set remote-as 20
                set route-map-out "prim-fails"
                set route-map-out-preferable "comm1"
            next
            edit "10.100.1.5"
                set soft-reconfiguration enable
                set remote-as 20
                set route-map-out "sec-fails"
                set route-map-out-preferable "comm2"
            next
        end
    end
  2. Configure the virtual WAN link:
    config system virtual-wan-link
        set status enable
        config members
            edit 1
                set interface "port1"
            next
            edit 2
                set interface "port2"
            next
        end
        config health-check
            edit "ping"
                set server "10.100.2.22"
                set members 1
                config sla
                    edit 1
                    next
                end
            next
            edit "ping2"
                set server "10.100.2.23"
                set failtime 3000
                config sla
                    edit 2
                    next
                end
            next
        end
        config neighbor
            edit "10.100.1.1"
                set member 1
                set role primary
                set health-check "ping"
                set sla-id 1
            next
            edit "10.100.1.5"
                set member 2
                set role secondary
                set health-check "ping2"
                set sla-id 2
            next
        end
    end

Service rules

Specific traffic is controlled using a service rule.

The customer wants only certain traffic to be forwarded to an SD-WAN member while both the primary BGP neighbor and its SLA are good; otherwise that traffic is forwarded to a different SD-WAN member. If the SLAs of both BGP neighbors are out of compliance, SD-WAN disables both service rules. In the configuration below, service rule 1 (role primary) steers traffic to data-centerA over member 1 and service rule 2 (role secondary) steers traffic to data-centerB over member 2; data-centerA and data-centerB are firewall address objects that must already exist.

To configure the virtual WAN link:
config system virtual-wan-link
    set status enable
    config members
        edit 1
            set interface "port1"
        next
        edit 2
            set interface "port2"
        next
    end
    config health-check
        edit "ping"
            set server "10.100.2.22"
            set members 1
            config sla
                edit 1
                next
            end
        next
        edit "ping2"
            set server "10.100.2.23"
            set failtime 3000
            config sla
                edit 2
                next
            end
        next
    end
    config neighbor
        edit "10.100.1.1"
            set member 1
            set role primary
            set health-check "ping"
            set sla-id 1
        next
        edit "10.100.1.5"
            set member 2
            set role secondary
            set health-check "ping2"
            set sla-id 2
        next
    end
    config service
        edit 1
            set role primary
            set member 1
            set dst "data-centerA"
        next
        edit 2
            set role secondary
            set member 2
            set dst "data-centerB"
        next
    end
end
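The following script is an added example, not code from this page or from Fortinet. It parses the configuration from both examples above (condensed, using ";" as a statement separator that this parser accepts but the FortiOS CLI does not), audits the cross-references the setup depends on (every SD-WAN neighbor has a BGP neighbor with both route-map-out and route-map-out-preferable set, its member, health-check and sla-id exist, and every service rule role matches some neighbor), and then applies the rules stated in the route mapping and service rule sections to compute which outbound route-map each neighbor receives and which service rules are active for a given SLA status. The parser, the audit checks and the state model are this example's own assumptions; the neighbor addresses, route-map names and rule identifiers come from the page.

```python
"""Added example (not Fortinet code): parse the page's CLI, audit it, model SLA-driven state."""
import shlex

# The page's configuration, condensed. ";" is accepted by parse_fortios() only to
# keep this sample short; the real FortiOS CLI takes one statement per line.
PAGE_CONFIG = """
config router bgp; set as 65412; config neighbor
  edit "10.100.1.1"; set remote-as 20; set route-map-out "prim-fails"; set route-map-out-preferable "comm1"; next
  edit "10.100.1.5"; set remote-as 20; set route-map-out "sec-fails"; set route-map-out-preferable "comm2"; next
end; end
config system virtual-wan-link
  config members; edit 1; set interface "port1"; next; edit 2; set interface "port2"; next; end
  config health-check
    edit "ping"; set server "10.100.2.22"; set members 1; config sla; edit 1; next; end; next
    edit "ping2"; set server "10.100.2.23"; set failtime 3000; config sla; edit 2; next; end; next
  end
  config neighbor
    edit "10.100.1.1"; set member 1; set role primary; set health-check "ping"; set sla-id 1; next
    edit "10.100.1.5"; set member 2; set role secondary; set health-check "ping2"; set sla-id 2; next
  end
  config service
    edit 1; set role primary; set member 1; set dst "data-centerA"; next
    edit 2; set role secondary; set member 2; set dst "data-centerB"; next
  end
end
"""

def parse_fortios(text):
    """config X / edit K open a child table, set K V stores a value, next / end close
    the innermost table. Unbalanced or unknown statements raise ValueError."""
    stack = [{}]
    for raw in text.splitlines():
        for stmt in raw.split(";"):
            tok = shlex.split(stmt)
            if not tok:
                continue
            if tok[0] == "config":
                stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
            elif tok[0] == "edit":
                stack.append(stack[-1].setdefault(tok[1], {}))
            elif tok[0] == "set":
                stack[-1][tok[1]] = tok[2] if len(tok) == 3 else tok[2:]
            elif tok[0] in ("next", "end"):
                if len(stack) == 1:
                    raise ValueError(f"{tok[0]!r} without an open config/edit")
                stack.pop()
            else:
                raise ValueError(f"unknown statement {stmt.strip()!r}")
    if len(stack) != 1:
        raise ValueError("config/edit left open at end of input")
    return stack[0]

def audit(cfg):
    """Cross-reference checks; an empty list means the setup is consistent."""
    out, roles = [], set()
    bgp_nbrs = cfg.get("router bgp", {}).get("neighbor", {})
    wan = cfg.get("system virtual-wan-link", {})
    members, checks = wan.get("members", {}), wan.get("health-check", {})
    for ip, nbr in wan.get("neighbor", {}).items():
        roles.add(nbr.get("role"))
        if ip not in bgp_nbrs:
            out.append(f"SD-WAN neighbor {ip}: no BGP neighbor with this address")
        else:
            for key in ("route-map-out", "route-map-out-preferable"):
                if key not in bgp_nbrs[ip]:
                    out.append(f"BGP neighbor {ip}: {key} unset, SLA change cannot switch maps")
        if nbr.get("member") not in members:
            out.append(f"SD-WAN neighbor {ip}: member {nbr.get('member')} is not defined")
        hc = checks.get(nbr.get("health-check"))
        if hc is None:
            out.append(f"SD-WAN neighbor {ip}: health-check {nbr.get('health-check')!r} not defined")
        elif nbr.get("sla-id") not in hc.get("sla", {}):
            out.append(f"SD-WAN neighbor {ip}: sla-id {nbr.get('sla-id')} missing from health-check")
    for sid, svc in wan.get("service", {}).items():
        if svc.get("member") not in members:
            out.append(f"service {sid}: member {svc.get('member')} is not defined")
        if "role" in svc and svc["role"] not in roles:
            out.append(f"service {sid}: role {svc['role']} matches no SD-WAN neighbor, never active")
    return out

def effective_state(cfg, sla_met):
    """Apply the page's rules to a {neighbor IP: SLA met?} map: a neighbor gets
    route-map-out-preferable while its SLA is met and route-map-out otherwise; the
    active role is primary while the primary neighbor's SLA is met, secondary while
    only the secondary's is, and None when both are out (every role-bound service
    rule is then disabled). Rules without a role count as enabled (assumption)."""
    bgp_nbrs, wan = cfg["router bgp"]["neighbor"], cfg["system virtual-wan-link"]
    route_map, healthy = {}, set()
    for ip, nbr in wan["neighbor"].items():
        ok = bool(sla_met.get(ip, False))
        route_map[ip] = bgp_nbrs[ip]["route-map-out-preferable" if ok else "route-map-out"]
        if ok:
            healthy.add(nbr["role"])
    active = next((r for r in ("primary", "secondary") if r in healthy), None)
    services = {sid: "role" not in svc or svc["role"] == active
                for sid, svc in wan.get("service", {}).items()}
    return {"route_map_out": route_map, "active_role": active, "service_enabled": services}
```

Running audit() on the page's configuration returns no findings; feeding effective_state() the three SLA situations the page describes (both neighbors in SLA, only the secondary in SLA, neither in SLA) shows the route-map handed to each neighbor moving from comm1/comm2 to prim-fails/sec-fails and the service rules following the active role until both are disabled.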
