fortinet-solutions-cse / sdwan-advpn-reference

Jinja Orchestrator for Fortinet SD-WAN/ADVPN

Shortcut from Site to Hub in other Region #26

Open scan5415 opened 1 month ago

scan5415 commented 1 month ago

Dear Team

I found out that shortcuts between Site1-1 in the West Region and the Hub in the East Region do not really work. On the one hand, I think the neighbor group on the hubs is missing.

For this reason I have extended the “Project” file:

'Hub-West': {
      'lo_bgp': 'x.x.x.x',
      'peering': {
        'EDGE_EAST': {
            'dynamic_bgp': true,
            ...
            'remote_region': true,
            'as': 65001
        }
      }
}

The addition also requires an adjustment to the “03 hub routing”:

{% for p in peering %}
      {% set remote_as = peering[p].as if peering[p].remote_region|default(false) else project.regions[region].as %}  {# <---- #}
  config neighbor-group
    edit {{ p }}
      set soft-reconfiguration enable
      set capability-graceful-restart enable
      set advertisement-interval 1
      set next-hop-self enable
      set remote-as {{ remote_as }}
      set interface "Lo"
      set update-source "Lo"
      unset route-reflector-client{{'-vpnv4' if not multi_vrf}}
      {% if not peering[p].dynamic_bgp and project.intrareg_advpn|default(true) %}
      set route-reflector-client{{'-vpnv4' if multi_vrf}} enable
      {% else %}
      set route-reflector-client{{'-vpnv4' if multi_vrf}} disable
      {% endif %}
      {% if peering[p].remote_region|default(false) %}                    {# <----- #}
      set route-map-out{{'-vpnv4' if multi_vrf}} "LAN_OUT"                    {# <----- #}
      {% endif %}                    {# <----- #}
      {% if multi_vrf %}
      set soft-reconfiguration-vpnv4 enable
      set capability-graceful-restart-vpnv4 enable
      {% else %}
      unset soft-reconfiguration-vpnv4
      unset capability-graceful-restart-vpnv4
      {% endif %}
    next
  end
  config neighbor-range
    edit {{ 100 + loop.index }}
      set prefix {{ peering[p].lo_summary }}
      set neighbor-group "{{ p }}"
    next
  end
  {% endfor %}

I don't know if I have misunderstood an existing option, but I have not found any other solution.
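
The remote-as selection from the template above, as an added example that is not part of the original comment or the project's code: it renders a trimmed copy of the loop with jinja2 and shows that a remote-region peering without an 'as' key renders "set remote-as" with no value unless the environment uses StrictUndefined. The region name West, AS 65002, the EDGE_WEST entry and all helper names are constructed for illustration.

```python
# Added example (not project code). Requires the jinja2 package.
from jinja2 import Environment, StrictUndefined, Undefined, UndefinedError

# Trimmed copy of the neighbor-group loop posted above: only the remote-as
# selection and the route-map-out condition are kept (multi_vrf parts dropped).
TEMPLATE = """\
{% for p in peering %}
{% set remote_as = peering[p].as if peering[p].remote_region|default(false) else project.regions[region].as %}
edit {{ p }}
  set remote-as {{ remote_as }}
{% if peering[p].remote_region|default(false) %}
  set route-map-out "LAN_OUT"
{% endif %}
next
{% endfor %}
"""

# Constructed sample data; only 'remote_region' and 'as': 65001 come from the page.
PROJECT = {"regions": {"West": {"as": 65002}}}
GOOD = {"EDGE_WEST": {"dynamic_bgp": True},
        "EDGE_EAST": {"dynamic_bgp": True, "remote_region": True, "as": 65001}}
MISSING_AS = {"EDGE_EAST": {"dynamic_bgp": True, "remote_region": True}}

def render_hub(peering, strict=True):
    """Render the snippet; strict=True makes a missing key raise instead of rendering blank."""
    env = Environment(undefined=StrictUndefined if strict else Undefined,
                      trim_blocks=True, lstrip_blocks=True)
    return env.from_string(TEMPLATE).render(peering=peering, project=PROJECT, region="West")

def remote_as_by_group(rendered):
    """Map each neighbor-group name to the remote-as value rendered for it."""
    result, current = {}, None
    for line in rendered.splitlines():
        words = line.split()
        if words[:1] == ["edit"]:
            current = words[1]
        elif words[:2] == ["set", "remote-as"]:
            result[current] = " ".join(words[2:])
    return result

def missing_as_is_caught(peering):
    """True if strict rendering rejects the data instead of emitting an empty remote-as."""
    try:
        render_hub(peering, strict=True)
    except UndefinedError:
        return True
    return False

if __name__ == "__main__":
    print(remote_as_by_group(render_hub(GOOD)))
```
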

dmitryperets commented 1 month ago

Hi @scan5415,

Thanks for reporting this. You are right, we didn't generate the necessary neighbor-group for the remote regions on the Hubs, so Spoke-to-Hub shortcuts do not work with Dynamic BGP.

We are going to fix it, but we prefer to implement a generic solution with the new remote-as-filter feature (see here). This will allow us to create a single neighbor-group to accommodate Spokes from all remote regions, not just from the West region, as in our simple example. The same feature will be used on the Spokes, to avoid the need for multiple neighbor-groups.

Unfortunately, we have to wait for FOS 7.4.5, because at the moment this feature is broken. That's why our Jinja currently generates a separate neighbor-group for each remote region on Spokes. Once FOS 7.4.5 is out, we will update the templates, and now we will also remember to add the missing neighbor-group on the Hubs!