SD-WAN configuration

6.4.0

As mentioned in the previous section, SD-WAN decisions are made by the originating sites, typically the spokes. The hub usually acts either as a destination site or as a transit site and, as such, does not require SD-WAN configuration.

  • What interfaces on the spokes should become SD-WAN members? All the overlays should, but we recommend adding the underlays too. Suppose only direct internet access is needed, and all the sites have just a single internet connection. In that case, you could handle internet access with conventional routing and keep it outside of the SD-WAN solution. However, adding the underlays to the SD-WAN bundle allows you to measure their health (using one or more performance SLAs). Hence, even though you do not make steering decisions based on these measurements, you still benefit from the improved visibility. Furthermore, if your business requirements change (for example, you add a new cloud on-ramp service, or you decide to backhaul at least some of the internet traffic through a central location), applying the change will be just a matter of updating your SD-WAN rules.
  • What probe destinations should you choose for performance SLAs? For internet traffic, the answer largely depends on your traffic patterns, so it is difficult to provide a general recommendation. For example, for public cloud traffic, it is generally recommended to probe the respective cloud provider. For general internet browsing, probing a public DNS server could be a good option. As for the corporate (site-to-site) traffic, we recommend configuring a loopback interface on the hub, which the spokes will probe over all available overlays. This allows them to compare the quality of the different available transports without maintaining a dedicated health-check server behind the hub.
Note

ADVPN shortcuts are automatically monitored, using settings and SLA targets defined in the performance SLA of the respective parent overlay. No manual configuration and no external health-check servers are required for this functionality. ADVPN Shortcut Monitoring provides more accurate measurement for the spoke-to-spoke traffic.
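
The following FortiOS CLI sketch illustrates the two recommendations above: underlays and overlays are all SD-WAN members on the spoke, and the spoke probes a hub loopback over every overlay. It is an added example, not configuration from the original guide; the interface names (`port1`, `port2`, `H1_INET`, `H1_MPLS`, `Lo-HC`), the addresses, and the SLA thresholds are constructed placeholders.

```fortios
# --- Hub: loopback that answers the spokes' probes (ping only) ---
config system interface
    edit "Lo-HC"
        set vdom "root"
        set type loopback
        set ip 10.200.99.1 255.255.255.255
        set allowaccess ping
    next
end

# --- Spoke: underlays (1, 2) and overlays (3, 4) are all members ---
config system sdwan
    set status enable
    config members
        edit 1
            set interface "port1"
        next
        edit 2
            set interface "port2"
        next
        edit 3
            set interface "H1_INET"
        next
        edit 4
            set interface "H1_MPLS"
        next
    end
    config health-check
        # Corporate traffic: probe the hub loopback over every overlay
        edit "HUB"
            set server "10.200.99.1"
            set members 3 4
            config sla
                edit 1
                    set latency-threshold 100
                    set jitter-threshold 30
                    set packetloss-threshold 2
                next
            end
        next
        # Internet underlay: measured for visibility (placeholder server)
        edit "INTERNET"
            set server "198.51.100.53"
            set members 1
        next
    end
end
```

Restricting `allowaccess` on the loopback to `ping` keeps the probe target from exposing management services over the overlays. The hub also needs a firewall policy permitting the probes from the overlay interfaces to the loopback, which is not shown here.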
