Using BGP tags with SD-WAN rules – FortiOS 6.2

Using BGP tags with SD-WAN rules

SD-WAN rules can use Border Gateway Protocol (BGP) learned routes as dynamic destinations.

In this example, a customer has two ISP connections, wan1 and wan2. wan1 is used primarily for direct access to internet applications, and wan2 is used primarily for traffic to the customer’s data center.

The customer could create an SD-WAN rule with the data center's IP address range as the destination to force that traffic over wan2, but the data center's range is not static. Instead, a BGP tag can be used: a route map matches the community that the data center's routes carry and stamps those routes with a route tag, and the SD-WAN rule uses that tag as its destination, so the set of destinations follows whatever the neighbor currently advertises. The rule therefore places trust in that neighbor: anything it advertises with the matching community is steered to wan2, so the session should be one you control or filter with a prefix list.

For this example, wan2's BGP neighbor advertises the data center's network range with a community value of 30:5.

This example assumes that SD-WAN is enabled on the FortiGate, that wan1 and wan2 are added as SD-WAN members, and that a policy and static route have been created. See Creating the SD-WAN interface for details.

To configure BGP tags with SD-WAN rules:

  1. Configure the community list:

    config router community-list
        edit "30:5"
            config rule
                edit 1
                    set action permit
                    set match "30:5"
                next
            end
        next
    end

  2. Configure the route map that matches the community and sets the route tag:

    config router route-map
        edit "comm1"
            config rule
                edit 1
                    set match-community "30:5"
                    set set-route-tag 15
                next
            end
        next
    end

  3. Configure BGP, applying the route map inbound on the wan2 neighbor:

    config router bgp
        set as xxxxx
        set router-id xxxx
        config neighbor
            edit "10.100.20.2"
                set soft-reconfiguration enable
                set remote-as xxxxx
                set route-map-in "comm1"
            next
        end
    end

  4. Configure a firewall policy:

    config firewall policy
        edit 1
            set name "1"
            set srcintf "dmz"
            set dstintf "virtual-wan-link"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set nat enable
        next
    end

  5. Edit the SD-WAN configuration, adding a rule whose destination is route tag 15 and whose only member is wan2:

    config system virtual-wan-link
        set status enable
        config members
            edit 1
                set interface "wan1"
                set gateway 172.16.20.2
            next
            edit 2
                set interface "wan2"
            next
        end
        config service
            edit 1
                set name "DataCenter"
                set mode manual
                set route-tag 15
                set members 2
            next
        end
    end

Troubleshooting

Check the network community

Use the get router info bgp network command to check the network community:

    # get router info bgp network
    BGP table version is 5, local router ID is 1.1.1.1
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete

       Network            Next Hop         Metric LocPrf Weight RouteTag Path
    *> 0.0.0.0/0          10.100.1.5                      32768        0 ?
    *> 1.1.1.1/32         0.0.0.0                         32768        0 ?
    *> 10.1.100.0/24      172.16.203.2                    32768        0 ?
    *> 10.100.1.0/30      0.0.0.0                         32768        0 ?
    *> 10.100.1.4/30      0.0.0.0                         32768        0 ?
    *> 10.100.1.248/29    0.0.0.0                         32768        0 ?
    *> 10.100.10.0/24     10.100.1.5          202         10000       15 20 e
    *> 172.16.200.0/24    0.0.0.0                         32768        0 ?
    *> 172.16.200.200/32  0.0.0.0                         32768        0 ?
    *> 172.16.201.0/24    172.16.200.4                    32768        0 ?
    *> 172.16.203.0/24    0.0.0.0                         32768        0 ?
    *> 172.16.204.0/24    172.16.200.4                    32768        0 ?
    *> 172.16.205.0/24    0.0.0.0                         32768        0 ?
    *> 172.16.206.0/24    0.0.0.0                         32768        0 ?
    *> 172.16.207.1/32    0.0.0.0                         32768        0 ?
    *> 172.16.207.2/32    0.0.0.0                         32768        0 ?
    *> 172.16.212.1/32    0.0.0.0                         32768        0 ?
    *> 172.16.212.2/32    0.0.0.0                         32768        0 ?
    *> 172.17.200.200/32  0.0.0.0                         32768        0 ?
    *> 172.27.1.0/24      0.0.0.0                         32768        0 ?
    *> 172.27.2.0/24      0.0.0.0                         32768        0 ?
    *> 172.27.5.0/24      0.0.0.0                         32768        0 ?
    *> 172.27.6.0/24      0.0.0.0                         32768        0 ?
    *> 172.27.7.0/24      0.0.0.0                         32768        0 ?
    *> 172.27.8.0/24      0.0.0.0                         32768        0 ?
    *> 172.29.1.0/24      0.0.0.0                         32768        0 ?
    *> 172.29.2.0/24      0.0.0.0                         32768        0 ?
    *> 192.168.1.0        0.0.0.0                         32768        0 ?

    Total number of prefixes 28

The route learned from the data center neighbor is the only one with a non-zero RouteTag (15), which is the value the route map set. Querying that prefix shows the community the route map matched on:

    # get router info bgp network 10.100.11.0
    BGP routing table entry for 10.100.10.0/24
    Paths: (2 available, best 1, table Default-IP-Routing-Table)
      Advertised to non peer-group peers:
      172.10.22.2
      20
        10.100.20.2 from 10.100.20.2 (6.6.6.6)
          Origin EGP metric 200, localpref 100, weight 10000, valid, external, best
          Community: 30:5   <<<<===========================
          Last update: Wed Mar 20 18:45:17 2019

Check dynamic BGP addresses

Use the get router info route-map-address command to check the dynamic BGP addresses, grouped by route tag and the SD-WAN member interface (name:index) they resolve to:

    # get router info route-map-address
    Extend-tag: 15, interface(wan2:16)
    10.100.11.0/255.255.255.0

Check dynamic BGP addresses used in policy routes

Use the diagnose firewall proute list command to check the dynamic BGP addresses used in policy routes. The entry should reference the SD-WAN service by name, carry the tagged prefix as its destination, and have an oif equal to the interface index shown in the route-map-address output (16 for wan2 here):

    # diagnose firewall proute list
    list route policy info(vf=root):

    id=4278779905 vwl_service=1(DataCenter) flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:65535 iif=0 dport=1-65535 oif=16
    source wildcard(1): 0.0.0.0/0.0.0.0
    destination wildcard(1): 10.100.11.0/255.255.255.0

Posted in Administration Guides, FortiGate, FortiOS 6.2.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
