FortiGate
enguyen3467
Staff
Article Id 296782
Description This article describes the configuration needed to set up a redundant iBGP connection over different types of connection. The setup shown here runs iBGP over an ADVPN tunnel and over a physical connection at the same time.
Scope FortiGate.
Solution

Before setting up redundancy in iBGP, it is recommended to configure the ADVPN itself through the IPsec wizard in the GUI, on both the Hub and the Spoke. This prevents manual configuration errors and, once the Hub has been configured, the wizard generates a quick configuration snippet to apply on the Spoke.

The wizard also creates the iBGP configuration and the firewall policies on both the Hub and the Spoke as part of the process. After the ADVPN tunnel is up, it can be converted to a custom tunnel to adjust the phase 1 and phase 2 proposals or any other settings as needed.

 

To establish iBGP over the physical interface, make sure the public-facing interfaces of the Hub and the Spoke can reach each other, then follow this article to configure BGP: Basic BGP example | FortiGate / FortiOS 7.4.2 | Fortinet Document Library. Use the same ASN on both sides, which makes this an iBGP peering rather than eBGP.


After the basic configuration is in place, go through each device and add the settings that ensure:

  • Traffic going over one interface stays on that interface only: if a route is learned from the BGP neighbor over the ADVPN tunnel, its next hop must be reachable within the ADVPN tunnel itself, and likewise for the physical interface.
  • For a setup that uses both the ADVPN tunnel and the physical interface to carry traffic, all BGP paths must be active and selected (multipath), not only the best one.

To achieve this, the article uses BGP community tags to separate routes for the same source and destination that flow through different interfaces: one tag for the ADVPN tunnel and one for the physical interface. On the Hub, which is the transit point, a policy route additionally forces traffic towards the Spokes' internal subnets to leave on the same interface it arrived on.

For the sake of demonstration:

  • BGP ASN: 65000.
  • Hub internal subnet: 10.0.X.0/24; Spoke internal subnets: 10.0.Y.0/24 and 10.0.Z.0/24, where X, Y and Z are not 0.
  • ADVPN subnet: 10.0.0.0/24, with Hub IP 10.0.0.X and Spoke IP 10.0.0.Y (the configuration shows the setup on one Spoke; the other Spoke follows the same configuration).
  • Port2 subnet (in the real world, this can also be the public WAN address): 10.1.0.0/24.
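
The following Python model is an added example, not part of the original article or FortiOS: it replays the Hub's outbound route maps and the Spoke's inbound route maps over a constructed Hub BGP table (X=1, Y=2, Z=3 are assumed values) to show that each link only ever carries routes with its own community and a next hop inside that link's subnet, and that a mis-tagged route is dropped by the Spoke.

```python
import ipaddress
# Constructed values for the article's placeholders: X=1 (Hub), Y=2 (this Spoke), Z=3 (other Spoke).
ASN = "65000"
ADVPN_TAG, PORT2_TAG = ASN + ":1", ASN + ":2"
HUB_INTERNAL = "10.0.1.0/24"
HUB_ADDR = {"advpn1_0": "10.0.0.1", "port2": "10.1.0.1"}
LINK = {"advpn1_0": ipaddress.ip_network("10.0.0.0/24"), "port2": ipaddress.ip_network("10.1.0.0/24")}

def apply_route_map(rules, route):
    """FortiOS-style: rules in id order, first match decides, deny drops, no match is an implicit deny."""
    for rule in sorted(rules, key=lambda r: r["id"]):
        if (("match_prefix" in rule and route["prefix"] != rule["match_prefix"])
                or ("match_community" in rule and set(route["community"]) != {rule["match_community"]})):
            continue  # prefix-list miss, or community-list miss (match-community-exact: set equality)
        if rule.get("action", "permit") == "deny":
            return None
        out = dict(route)
        if "set_community" in rule:
            out["community"] = [rule["set_community"]]
        return out
    return None

# Hub route-map-out per neighbor group (Out-ADVPN / Out-port2) and Spoke route-map-in (In-ADVPN / In-Port2)
HUB_OUT = {"advpn1_0": [{"id": 1, "match_community": ADVPN_TAG},
                        {"id": 2, "match_prefix": HUB_INTERNAL, "set_community": ADVPN_TAG}],
           "port2":    [{"id": 1, "match_community": PORT2_TAG},
                        {"id": 2, "match_prefix": HUB_INTERNAL, "set_community": PORT2_TAG}]}
SPOKE_IN = {"advpn1_0": [{"id": 1, "match_community": ADVPN_TAG},
                         {"id": 2, "action": "deny", "match_community": PORT2_TAG}],
            "port2":    [{"id": 1, "action": "deny", "match_community": ADVPN_TAG},
                         {"id": 2, "match_community": PORT2_TAG}]}

def hub_advertises(bgp_table, iface):
    """Hub's advertisements on iface; local routes get the Hub's own link address as next hop (RR keeps others)."""
    sent = []
    for route in bgp_table:
        out = apply_route_map(HUB_OUT[iface], route)
        if out is not None:
            out["next_hop"] = HUB_ADDR[iface] if out["next_hop"] == "self" else out["next_hop"]
            sent.append(out)
    return sent
def spoke_accepts(iface, route):
    return apply_route_map(SPOKE_IN[iface], route) is not None
def next_hop_stays_on_link(iface, route):
    # The article's first objective: a route learned on a link resolves inside that link's subnet.
    return ipaddress.ip_address(route["next_hop"]) in LINK[iface]
HUB_TABLE = [  # constructed Hub BGP table: its own LAN plus the other Spoke's LAN learned over both links
    {"prefix": "10.0.1.0/24", "next_hop": "self", "community": []},
    {"prefix": "10.0.3.0/24", "next_hop": "10.0.0.3", "community": [ADVPN_TAG]},
    {"prefix": "10.0.3.0/24", "next_hop": "10.1.0.3", "community": [PORT2_TAG]}]
```

Removing rule 2 from SPOKE_IN["advpn1_0"] shows why the deny rule matters: a route that leaks with the Port2 community would otherwise be accepted on the tunnel with a next hop that is not reachable through it.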


HUB:

The Hub tags its own internal subnet with a different community per link and re-advertises the Spokes' routes only on the link they were learned from.

config router prefix-list
    edit "Internal Subnet"
        config rule
            edit 1
                set prefix 10.0.X.0 255.255.255.0
                unset ge
                unset le
            next
        end
    next
end


config router community-list
    edit "ADVPN-Community"
        config rule
            edit 1
                set action permit
                set match "65000:1"
            next
        end
    next
    edit "Port2-Community"
        config rule
            edit 1
                set action permit
                set match "65000:2"
            next
        end
    next
end


The match-ip-address entries reference the "Internal Subnet" prefix-list defined above by name; rule 1 of each route map re-advertises routes that already carry that link's community, and rule 2 tags the Hub's own subnet.

config router route-map
    edit "Out-ADVPN"
        config rule
            edit 1
                set match-community "ADVPN-Community"
                set match-community-exact enable
            next
            edit 2
                set match-ip-address "Internal Subnet"
                set set-community "65000:1"
            next
        end
    next
    edit "Out-port2"
        config rule
            edit 1
                set match-community "Port2-Community"
                set match-community-exact enable
            next
            edit 2
                set match-ip-address "Internal Subnet"
                set set-community "65000:2"
            next
        end
    next
end


The neighbor groups below only take effect for peers covered by a matching config neighbor-range entry (10.0.0.0/24 for advpngrp and 10.1.0.0/24 for port2grp).

config router bgp
    set ibgp-multipath enable
    set additional-path enable
    set recursive-next-hop enable
    config neighbor-group
        edit "advpngrp"
            set bfd enable
            set capability-graceful-restart enable
            set link-down-failover enable
            set soft-reconfiguration enable
            set interface "advpn1_0"
            set remote-as 65000
            set route-map-out "Out-ADVPN"
            set update-source "advpn1_0"
            set additional-path both
            set route-reflector-client enable
        next
        edit "port2grp"
            set capability-graceful-restart enable
            set link-down-failover enable
            set soft-reconfiguration enable
            set interface "port2"
            set remote-as 65000
            set route-map-out "Out-port2"
            set update-source "port2"
            set additional-path both
            set route-reflector-client enable
        next
    end
end


Policy routes on the Hub keep traffic towards the Spokes' internal subnets on the interface it arrived on:

config router policy
    edit 1
        set input-device "advpn1_0"
        set dst "10.0.Y.0/255.255.255.0" "10.0.Z.0/255.255.255.0"
        set output-device "advpn1_0"
    next
    edit 2
        set input-device "port2"
        set dst "10.0.Y.0/255.255.255.0" "10.0.Z.0/255.255.255.0"
        set output-device "port2"
    next
end


SPOKE:


config router prefix-list
    edit "Internal-Subnet"
        config rule
            edit 1
                set prefix 10.0.Y.0 255.255.255.0
                unset ge
                unset le
            next
        end
    next
end


config router community-list
    edit "ADVPN-Community"
        config rule
            edit 1
                set action permit
                set match "65000:1"
            next
        end
    next
    edit "Port2-Community"
        config rule
            edit 1
                set action permit
                set match "65000:2"
            next
        end
    next
end


The outbound route maps tag the Spoke's own subnet per link; the inbound route maps accept only routes carrying that link's community and explicitly deny routes carrying the other link's community.

config router route-map
    edit "Out-ADVPN"
        config rule
            edit 1
                set match-ip-address "Internal-Subnet"
                set set-community "65000:1"
            next
        end
    next
    edit "Out-port2"
        config rule
            edit 1
                set match-ip-address "Internal-Subnet"
                set set-community "65000:2"
            next
        end
    next
    edit "In-ADVPN"
        config rule
            edit 1
                set match-community "ADVPN-Community"
                set match-community-exact enable
            next
            edit 2
                set action deny
                set match-community "Port2-Community"
                set match-community-exact enable
            next
        end
    next
    edit "In-Port2"
        config rule
            edit 1
                set action deny
                set match-community "ADVPN-Community"
                set match-community-exact enable
            next
            edit 2
                set match-community "Port2-Community"
                set match-community-exact enable
            next
        end
    next
end


The In-ADVPN and In-Port2 route maps are applied inbound with route-map-in on the corresponding neighbor; without them the Spoke would accept routes carrying either community on both links.

config router bgp
    set ibgp-multipath enable
    set additional-path enable
    set recursive-next-hop enable
    set tag-resolve-mode preferred
    config neighbor
        edit "10.0.0.X"
            set bfd enable
            set capability-graceful-restart enable
            set link-down-failover enable
            set soft-reconfiguration enable
            set interface "advpn1_0"
            set remote-as 65000
            set route-map-in "In-ADVPN"
            set route-map-out "Out-ADVPN"
            set update-source "advpn1_0"
            set additional-path receive
        next
        edit "10.1.0.X"
            set bfd enable
            set capability-graceful-restart enable
            set link-down-failover enable
            set soft-reconfiguration enable
            set interface "port2"
            set remote-as 65000
            set route-map-in "In-Port2"
            set route-map-out "Out-port2"
            set update-source "port2"
            set additional-path receive
        next
    end
end


After applying the configuration, restart the routing daemon of the firewall so that the community tags and route maps take effect: execute router restart. Be VERY AWARE that this command causes a brief network disruption; the network recovers right after, so run it in a maintenance window. Afterwards, confirm that both neighbors are established with get router info bgp summary and that both paths to each remote subnet are installed with get router info routing-table bgp.