SD-WAN Deployment for MSSPs

Home FortiGate / FortiOS 6.4.0 SD-WAN Deployment for MSSPs

6.4.0

Creating an SD-WAN template

The SD-WAN template defines the SLA performance among other things.

Following is a summary of how to configure the template:

Create a new SD-WAN Template called Edge-DualHub-Template. See Creating an SD-WAN template.
Create two SD-WAN zones. See Configuring SD-WAN zones.
Create SD-WAN members. See Configuring SD-WAN members.
Create performance SLA. See Configuring performance SLA.
Configure SD-WAN rules. See Configuring SD-WAN rules.

Creating an SD-WAN template

To create an SD-WAN template:

Create a new SD-WAN Template called Edge-DualHub-Template.

Configuring SD-WAN zones

To configure SD-WAN zones:

Create two SD-WAN Zones called overlay and underlay, and keep them empty at the moment.

Configuring SD-WAN members

To configure SD-WAN members:

Create SD-WAN Members for this template, assigning them to the appropriate SD-WAN Zones, as follows:
Interface Member
SD-WAN Zone
UL_INET
underlay
H1_INET
overlay
H1_MPLS
overlay
H2_INET
overlay
H2_MPLS
overlay

Interface Member	SD-WAN Zone
UL_INET	underlay
H1_INET	overlay
H1_MPLS	overlay
H2_INET	overlay
H2_MPLS	overlay

Configuring performance SLA

Create Performance SLAs that define the desired SLA targets and health checks for each Interface Member.

Create one Performance SLA to be used for the corporate traffic, probing the lo-HC interface of the Hubs. Note that we reuse the same loopback IP address on both Hubs.
Create another Performance SLA to be used for the Internet traffic, probing the Internet health check (unchanged from previous chapter).

Remember to set the sla-fail-log-period and sla-pass-log-period parameters under the Advanced Options.

Configuring SD-WAN rules

Finally, configure SD-WAN Rules. For Primary/Secondary Hub behavior, we recommend configuring two rules, as follows:

The first rule (Corpoarte-H1) will include only H1_INET and H1_MPLS overlays, and will prefer the former, as long as it meets the SLA target. This rule is identical to the Corporate rule from the previous chapter.
The second rule (Corporate-H2) will include only H2_INET and H2_MPLS overlays, and will prefer the former, as long as it meets the SLA target.

During SD-WAN rule lookup process, the first rule that matches will be used to forward traffic, unless all its members are either unavailable or have no valid route to destination.

Let us consider the following two examples:

Edge-to-Edge traffic. Since both Hubs reflect all Edge routes, there are valid routes to any remote Edge via both Hubs. But once our traffic matches Corporate-H1 rule, the selection will be made only between H1_INET and H1_MPLS. Secondary Hub overlays will not be considered, even if both Primary Hub overlays are out of SLA.
However, if the Primary Hub is down, none of its overlays will be available. In that case, the rule will be skipped, and the traffic will match Corporate-H2 rule, selecting between H2_INET and H2_MPLS.
This is inline with the Primary/Secondary Hub model: the Secondary Hub will only be used, if the Primary Hub is completely out of service.
Edge-to-Hub traffic. Here the behavior will be different, because each Hub in our example advertises its own LAN prefix to the Edge devices. Hence, even if the Primary Hub is operational, the traffic towards Secondary Hub’s LAN network will successfully skip the Corporate-H1 rule, match Corporate-H2 rule, and select between H2_INET and H2_MPLS.
This avoids the situation where the traffic would be blackholed to the wrong Hub, and it would be unable to forward it to the destination.
Add the third rule for the Internet traffic. This rule will be similar to the one described in the previous chapter, with one small difference: it will also include the new H2_MPLS member.

Creating an SD-WAN template

The SD-WAN template defines the SLA performance among other things.

Following is a summary of how to configure the template:

Create a new SD-WAN Template called Edge-DualHub-Template. See Creating an SD-WAN template.
Create two SD-WAN zones. See Configuring SD-WAN zones.
Create SD-WAN members. See Configuring SD-WAN members.
Create performance SLA. See Configuring performance SLA.
Configure SD-WAN rules. See Configuring SD-WAN rules.

Creating an SD-WAN template

To create an SD-WAN template:

Create a new SD-WAN Template called Edge-DualHub-Template.

Configuring SD-WAN zones

To configure SD-WAN zones:

Create two SD-WAN Zones called overlay and underlay, and keep them empty at the moment.

Configuring SD-WAN members

To configure SD-WAN members:

Create SD-WAN Members for this template, assigning them to the appropriate SD-WAN Zones, as follows:
Interface Member
SD-WAN Zone
UL_INET
underlay
H1_INET
overlay
H1_MPLS
overlay
H2_INET
overlay
H2_MPLS
overlay

Interface Member	SD-WAN Zone
UL_INET	underlay
H1_INET	overlay
H1_MPLS	overlay
H2_INET	overlay
H2_MPLS	overlay

Configuring performance SLA

Create Performance SLAs that define the desired SLA targets and health checks for each Interface Member.

Create one Performance SLA to be used for the corporate traffic, probing the lo-HC interface of the Hubs. Note that we reuse the same loopback IP address on both Hubs.
Create another Performance SLA to be used for the Internet traffic, probing the Internet health check (unchanged from previous chapter).

Remember to set the sla-fail-log-period and sla-pass-log-period parameters under the Advanced Options.

Configuring SD-WAN rules

Finally, configure SD-WAN Rules. For Primary/Secondary Hub behavior, we recommend configuring two rules, as follows:

The first rule (Corpoarte-H1) will include only H1_INET and H1_MPLS overlays, and will prefer the former, as long as it meets the SLA target. This rule is identical to the Corporate rule from the previous chapter.
The second rule (Corporate-H2) will include only H2_INET and H2_MPLS overlays, and will prefer the former, as long as it meets the SLA target.

During SD-WAN rule lookup process, the first rule that matches will be used to forward traffic, unless all its members are either unavailable or have no valid route to destination.

Let us consider the following two examples:

Edge-to-Edge traffic. Since both Hubs reflect all Edge routes, there are valid routes to any remote Edge via both Hubs. But once our traffic matches Corporate-H1 rule, the selection will be made only between H1_INET and H1_MPLS. Secondary Hub overlays will not be considered, even if both Primary Hub overlays are out of SLA.
However, if the Primary Hub is down, none of its overlays will be available. In that case, the rule will be skipped, and the traffic will match Corporate-H2 rule, selecting between H2_INET and H2_MPLS.
This is inline with the Primary/Secondary Hub model: the Secondary Hub will only be used, if the Primary Hub is completely out of service.
Edge-to-Hub traffic. Here the behavior will be different, because each Hub in our example advertises its own LAN prefix to the Edge devices. Hence, even if the Primary Hub is operational, the traffic towards Secondary Hub’s LAN network will successfully skip the Corporate-H1 rule, match Corporate-H2 rule, and select between H2_INET and H2_MPLS.
This avoids the situation where the traffic would be blackholed to the wrong Hub, and it would be unable to forward it to the destination.
Add the third rule for the Internet traffic. This rule will be similar to the one described in the previous chapter, with one small difference: it will also include the new H2_MPLS member.