Overlay

6.4.0

Second, you must decide on the topology to interconnect your sites. In most cases, you will build IPsec overlays over all the underlay transports, most likely forming a set of hub-and-spoke topologies. This way, you can secure your corporate (site-to-site) traffic and provide confidentiality, integrity, and mutual site authentication, as expected from an industry-standard IPsec suite.

Hub-and-spoke topologies are highly scalable, and they have a crucial zero-touch property: When adding or removing a spoke, the configuration of all other devices remains untouched. Hub-and-spoke topologies can also be enhanced with redundancy options (such as dual-hub). They can be extended to multiple regions (multi-regional hub-and-spoke topologies interconnected together) for large-scale deployments.

ADVPN—our dynamic tunneling technology—can be enabled in your hub-and-spoke topologies. As mentioned earlier, ADVPN can dynamically build direct spoke-to-spoke tunnels (called shortcuts) when they are needed. It preserves the zero-touch property of hub-and-spoke while providing advantages of direct site-to-site communication without bottlenecks.

To conclude, although other overlay topologies can be used (such as a static hub-and-spoke or even a full-mesh), we recommend ADVPN as the most generic, dynamically adjustable topology for your overlays.
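As an added illustration (not part of the Fortinet page itself), the FortiOS CLI fragments below show how the properties described above map to configuration: the hub terminates all spokes on one dialup (`type dynamic`) phase1, which is why adding a spoke leaves the hub untouched, and ADVPN shortcuts are enabled with `auto-discovery-sender` on the hub and `auto-discovery-receiver` on the spoke. The interface names, tunnel names, the hub address 192.0.2.1 and the pre-shared key are assumed placeholders; phase2 selectors and the routing that runs over the overlay (typically BGP) are not shown.

```fortios
# ---- Hub: one dialup phase1 per underlay transport ----
# "type dynamic" accepts any spoke, so new spokes need no hub change
# (the zero-touch property). auto-discovery-sender lets the hub tell
# two spokes to build a direct shortcut when their traffic crosses it.
config vpn ipsec phase1-interface
    edit "HUB1-VPN1"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set add-route disable
        set dpd on-idle
        set auto-discovery-sender enable
        set psksecret "REPLACE-WITH-STRONG-PSK"
    next
end
config vpn ipsec phase2-interface
    edit "HUB1-VPN1"
        set phase1name "HUB1-VPN1"
        set proposal aes256-sha256
    next
end

# ---- Spoke: static phase1 pointing at the hub on the same transport ----
# auto-discovery-receiver lets this spoke accept shortcut offers from the
# hub and negotiate the spoke-to-spoke tunnel directly; no full-mesh
# configuration is ever written on the spoke.
config vpn ipsec phase1-interface
    edit "HUB1-VPN1"
        set interface "port1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set add-route disable
        set dpd on-idle
        set auto-discovery-receiver enable
        set remote-gw 192.0.2.1
        set psksecret "REPLACE-WITH-STRONG-PSK"
    next
end
config vpn ipsec phase2-interface
    edit "HUB1-VPN1"
        set phase1name "HUB1-VPN1"
        set proposal aes256-sha256
    next
end
```

A second underlay transport is handled by repeating the same pair of definitions on a different interface (for example "HUB1-VPN2" on "port2"), which is what yields the set of parallel hub-and-spoke overlays the text describes.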

It is worth highlighting at this point that overlays are optional in our SD-WAN solution. The traffic can be steered both to the underlays and the overlays, with broadly similar SD-WAN functionality. We return to this topic when we discuss the SD-WAN pillar. See SD-WAN.