SD-WAN / SD-Branch Architecture for MSSPs

7.2.0

Example of route resolution with BGP on loopback

Referring to the previous diagrams, let's see how "site1-1" resolves the route towards 10.0.2.0/24 received from "site1-2". In this example, the blue lines indicate the tag-based resolution, while the black lines refer to the standard best-match resolution.

Without the ADVPN shortcut, the BGP next hop (NH), which is the loopback of "site1-2", is recursively resolved through the loopback summary. The summary in turn is resolved through the /32 routes towards the Hub's loopback, which are injected by the exchange-ip-addrv4 feature over each of the overlays:

B 10.0.2.0/24 via 10.200.1.2
  => B 10.200.0.0/14 via 10.200.1.253
       => S 10.200.1.253/32 via ISP1
       => S 10.200.1.253/32 via MPLS

Note

In this particular case, the Tag-based resolution plays no particular role. The outcome would be the same with the standard best-match resolution.

With the ADVPN shortcut (ISP1_0), the standard best-match resolution now uses the new /32 route towards the loopback IP of "site1-2", which is injected upon shortcut creation. (This route is not tagged!) At the same time, the Tag-based resolution still uses the tunnel summary, which keeps the MPLS overlay in the list of results, so that SD-WAN can switch over to an alternative overlay should the health of ISP1 degrade:

B 10.0.2.0/24 via 10.200.1.2
  => B 10.200.0.0/14 via 10.200.1.253
       => S 10.200.1.253/32 via MPLS
  => S 10.200.1.2/32 via ISP1_0

In summary, the Tag-based resolution (configured in "merge" mode) ensures correct SD-WAN operation in conjunction with ADVPN.
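The two resolutions above can be reproduced with a small model. This is an added example, not Fortinet code and not the FortiOS implementation: the tag value 1, the helper names, and the rule that a tag-match next hop is dropped when its overlay (or a shortcut of it, by the assumed "NAME_n" naming) already appears in the best-match result are assumptions chosen to match the route lists shown on this page.

```python
import ipaddress

# Constructed RIB for "site1-1", mirroring the routes listed on this page.
# Fields: (prefix, gateway IP or None, overlay or None, tag). Tag 1 is an
# assumed value; 0 means untagged.
BASE_RIB = [
    ("10.0.2.0/24", "10.200.1.2", None, 1),      # B, learned from site1-2
    ("10.200.0.0/14", "10.200.1.253", None, 1),  # B, loopback summary (tagged)
    ("10.200.1.253/32", None, "ISP1", 0),        # S, Hub loopback via ISP1
    ("10.200.1.253/32", None, "MPLS", 0),        # S, Hub loopback via MPLS
]
# S, injected upon shortcut creation; untagged, as the page points out.
SHORTCUT = ("10.200.1.2/32", None, "ISP1_0", 0)

def lookup(rib, ip, tag=None):
    """Longest-prefix match for ip; with a tag, only routes carrying it."""
    addr = ipaddress.ip_address(ip)
    hits = [r for r in rib
            if addr in ipaddress.ip_network(r[0]) and (tag is None or r[3] == tag)]
    best = max((ipaddress.ip_network(r[0]).prefixlen for r in hits), default=-1)
    return [r for r in hits if ipaddress.ip_network(r[0]).prefixlen == best]

def resolve(rib, ip, tag=None, depth=0):
    """Recursively resolve ip to overlays; the tag constrains the first lookup only."""
    if depth > 8:  # guard against a next hop that resolves through itself
        return []
    out = []
    for _, gw, overlay, _ in lookup(rib, ip, tag):
        out += [overlay] if overlay else resolve(rib, gw, None, depth + 1)
    return out

def parent(overlay):
    """Assumed naming: shortcut 'ISP1_0' is a child of overlay 'ISP1'."""
    return overlay.rsplit("_", 1)[0]

def resolve_merge(rib, prefix):
    """Model of "merge": best-match result plus tag-match overlays not yet covered."""
    _, gw, _, tag = next(r for r in rib if r[0] == prefix)
    best = resolve(rib, gw)
    covered = {parent(o) for o in best}
    return best + [o for o in resolve(rib, gw, tag) if parent(o) not in covered]

if __name__ == "__main__":
    print("no shortcut, merge:     ", resolve_merge(BASE_RIB, "10.0.2.0/24"))
    rib = BASE_RIB + [SHORTCUT]
    print("shortcut, best-match:   ", resolve(rib, "10.200.1.2"))
    print("shortcut, merge:        ", resolve_merge(rib, "10.0.2.0/24"))
```

With the shortcut present, best-match alone returns only ISP1_0, while the merged result also retains MPLS as the alternative overlay.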
