New Features

BGP route-map and selective rules 6.2.1

BGP can adapt to changes in SD-WAN link SLAs:

  • BGP can send a different route-map to its BGP neighbor when the IP SLA is not met.
  • Traffic can be selectively forwarded based on the status of the BGP neighbor. If the SD-WAN service's role matches the selected neighbor role, the service is enabled; if the service role does not match the selected role, the service is disabled.

The following CLI commands are added:

config router bgp
    config neighbor
        edit <ip_address>
            set route-map-out-preferable <route_map>
        next
    end
end
config system virtual-wan-link
    config neighbor
        edit <ip_address>
            set member <integer>
            set role {standalone | primary | secondary}
            set health-check <string>
            set sla-id <integer>
        next
    end
    config service
        edit <rule_id>
            set role {standalone | primary | secondary}
            set standalone-action {enable | disable}
        next
    end
end

Command                                     Description

config router bgp > config neighbor
edit <ip_address>                           IP address of the BGP neighbor.
route-map-out-preferable <route_map>        Outbound route map filter if the peer is preferred.

config system virtual-wan-link > config neighbor
member <integer>                            Member sequence number.
role {standalone | primary | secondary}     Role of the neighbor.
health-check <string>                       SD-WAN health-check name.
sla-id <integer>                            SLA ID number.

config system virtual-wan-link > config service
role {standalone | primary | secondary}     Roles to work with the neighbor.
standalone-action {enable | disable}        Enable/disable the service when the selected neighbor role is standalone and the service role is not standalone.

Examples

Example 1

Traffic is controlled when the SLA status changes by advertising a different community to the neighbor.

The customer uses two gateways, a primary and a secondary, located in different data centers, with a full mesh network between them. Traffic flows to the primary SD-WAN gateway unless the link is outside of the SLA or completely down; when that happens, traffic routes to the secondary gateway. The SD-WAN neighbor is configured to let BGP advertise different communities when the SLA status changes. When the SLA falls out of compliance, the route-map sends a different community number to the BGP neighbor so that the neighbor can select the best path.

To configure the FortiGate device:
  1. Configure BGP:
    config router bgp
        set as 65412
        set router-id 1.1.1.1
        set ibgp-multipath enable
        config neighbor
            edit "10.100.1.1"
                set soft-reconfiguration enable
                set remote-as 20
                set route-map-out "prim-fails"
                set route-map-out-preferable "comm1"
            next
            edit "10.100.1.5"
                set soft-reconfiguration enable
                set remote-as 20
                set route-map-out "sec-fails"
                set route-map-out-preferable "comm2"
            next
        end
    end
  2. Configure the virtual WAN link:
    config system virtual-wan-link
        set status enable
        config members
            edit 1
                set interface "port1"
            next
            edit 2
                set interface "port2"
            next
        end
        config health-check
            edit "ping"
                set server "10.100.2.22"
                set members 1
                config sla
                    edit 1
                    next
                end
            next
            edit "ping2"
                set server "10.100.2.23"
                set failtime 3000
                config sla
                    edit 2
                    next
                end
            next
        end
        config neighbor
            edit "10.100.1.1"
                set member 1
                set role primary
                set health-check "ping"
                set sla-id 1
            next
            edit "10.100.1.5"
                set member 2
                set role secondary
                set health-check "ping2"
                set sla-id 2
            next
        end
    end

Example 2

Specific traffic is controlled using a service rule.

The customer wants only certain traffic to be forwarded to an SD-WAN member when both the primary BGP neighbor and SLA statuses are good. Otherwise, the traffic is forwarded to a different SD-WAN member. If both the BGP neighbors' SLAs are out of compliance, SD-WAN will disable the service rules.

To configure the virtual WAN link:
config system virtual-wan-link
    set status enable
    config members
        edit 1
            set interface "port1"
        next
        edit 2
            set interface "port2"
        next
    end
    config health-check
        edit "ping"
            set server "10.100.2.22"
            set members 1
            config sla
                edit 1
                next
            end
        next
        edit "ping2"
            set server "10.100.2.23"
            set failtime 3000
            config sla
                edit 2
                next
            end
        next
    end
    config neighbor
        edit "10.100.1.1"
            set member 1
            set role primary
            set health-check "ping"
            set sla-id 1
        next
        edit "10.100.1.5"
            set member 2
            set role secondary
            set health-check "ping2"
            set sla-id 2
        next
    end
    config service
        edit 1
            set role primary
            set member 1
            set dst "data-centerA"
        next
        edit 2
            set role secondary
            set member 2
            set dst "data-centerB"
        next
    end
end
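The following is an added Python model of the neighbor-role and service-role logic described above, using the neighbors and service rules from Examples 1 and 2; it is not FortiOS code. It assumes the selected role is chosen in the order primary, then secondary, then standalone when neither neighbor's SLA is met, and that standalone-action defaults to disable.

```python
# Added model of the SD-WAN neighbor / service-role behaviour described on this
# page (not FortiOS code). Neighbor and service values come from Examples 1 and 2.
from dataclasses import dataclass


@dataclass
class Neighbor:
    ip: str
    member: int
    role: str                 # "primary" | "secondary" | "standalone"
    route_map_out: str        # route-map-out: advertised when the SLA is not met
    route_map_out_pref: str   # route-map-out-preferable: advertised when the SLA is met


@dataclass
class Service:
    rule_id: int
    role: str
    member: int
    standalone_action: str = "disable"   # assumed default


# Constructed from Example 1 (BGP neighbors) and Example 2 (service rules)
NEIGHBORS = [
    Neighbor("10.100.1.1", 1, "primary", "prim-fails", "comm1"),
    Neighbor("10.100.1.5", 2, "secondary", "sec-fails", "comm2"),
]
SERVICES = [Service(1, "primary", 1), Service(2, "secondary", 2)]


def advertised_route_map(n: Neighbor, sla_met: bool) -> str:
    """Route-map sent to the peer: the preferable map only while its SLA is met."""
    return n.route_map_out_pref if sla_met else n.route_map_out


def selected_role(neighbors, sla_status: dict) -> str:
    """Assumed selection order: primary in SLA, else secondary in SLA, else standalone."""
    for role in ("primary", "secondary"):
        if any(n.role == role and sla_status.get(n.ip, False) for n in neighbors):
            return role
    return "standalone"


def service_enabled(s: Service, role: str) -> bool:
    """A rule is enabled when its role matches; standalone-action decides otherwise."""
    if s.role == role:
        return True
    return role == "standalone" and s.standalone_action == "enable"


def evaluate(sla_status: dict) -> dict:
    """sla_status maps neighbor IP -> True if its health-check SLA is currently met."""
    role = selected_role(NEIGHBORS, sla_status)
    return {
        "selected_role": role,
        "route_maps": {n.ip: advertised_route_map(n, sla_status.get(n.ip, False)) for n in NEIGHBORS},
        "services": {s.rule_id: service_enabled(s, role) for s in SERVICES},
    }
```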