6.4.0

SD-WAN configuration

The SD-WAN configuration principles remain very similar to the basic design. Let us recap with the necessary adjustments:

  • What interfaces on the spokes should become SD-WAN members? As before, we recommend adding all underlays and overlays to the SD-WAN bundle. This time it will include the overlays belonging to both hubs.
  • What probe destinations should you choose for performance SLAs? To simplify the configuration, you can configure an identical loopback address on both hubs. This will allow you to use a single performance SLA definition, while effectively, the probes will be sent to different hubs, depending on which overlay they are sent over. As shown below, you can easily refer to both hubs in the same SD-WAN rule if needed.

The following question requires more attention: how do you implement the desired redundancy model with SD-WAN rules?

We recommend one of the following approaches:

  • Active-passive hub: In this approach, the secondary hub will be used only when the primary hub is out of service (down or unreachable). This means that even if all the overlays toward the primary hub are out of SLA, the secondary hub will not be used. To implement this approach, you need to define two SD-WAN rules: the first rule includes the primary hub overlays, and the second rule includes the secondary hub overlays. Because SD-WAN rules are evaluated in order, the second rule will be matched only when the first rule cannot be used to forward the traffic, which happens only when the primary hub is entirely out of service. This is shown in the following figure:

  • Active-passive underlay: All the overlays are listed in a single SD-WAN rule in this approach. The actual path selection depends on the configured rule strategy. For example, the following figure demonstrates an active-passive underlay:

    As can be seen, the rule is configured with the Lowest Cost (SLA) strategy, preferring the members in the order they are listed. Hence, the overlays of the Primary hub will be preferred. However, the difference with the active-passive hub approach is that if both primary hub overlays are out of SLA (although still in service), the secondary hub will be selected.
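The difference between the two approaches, as an added example that is not part of the original guide: a simplified Python model of the rule evaluation described above, run over three constructed link states. The member names (H1_INET, H1_MPLS, H2_INET, H2_MPLS) and the fallback to the first alive member when no member of a rule meets its SLA are assumptions of this model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Member:
    name: str
    alive: bool   # overlay is up and the hub is reachable
    in_sla: bool  # performance SLA target is currently met

# Constructed member names (assumptions): two overlays per hub.
PRIMARY = ["H1_INET", "H1_MPLS"]
SECONDARY = ["H2_INET", "H2_MPLS"]

# Active-passive hub: two rules, evaluated top-down.
ACTIVE_PASSIVE_HUB = [PRIMARY, SECONDARY]
# Active-passive underlay: one rule listing all overlays, primary hub first.
ACTIVE_PASSIVE_UNDERLAY = [PRIMARY + SECONDARY]

def pick_in_rule(rule, state):
    """Prefer the first listed member that is alive and in SLA.
    Assumption: if none is in SLA, use the first alive member.
    Returns None when no member is alive (rule cannot forward)."""
    alive = [state[name] for name in rule if state[name].alive]
    for member in alive:
        if member.in_sla:
            return member.name
    return alive[0].name if alive else None

def select(rules, state):
    """Walk the rules in order; a later rule is reached only when
    every earlier rule is unable to forward the traffic."""
    for rule in rules:
        choice = pick_in_rule(rule, state)
        if choice is not None:
            return choice
    return None

def make_state(**overrides):
    """All members healthy unless overridden with (alive, in_sla)."""
    state = {n: Member(n, True, True) for n in PRIMARY + SECONDARY}
    for name, (alive, in_sla) in overrides.items():
        state[name] = Member(name, alive, in_sla)
    return state

def compare(state):
    """Return (active-passive hub choice, active-passive underlay choice)."""
    return select(ACTIVE_PASSIVE_HUB, state), select(ACTIVE_PASSIVE_UNDERLAY, state)

HEALTHY = make_state()
DEGRADED = make_state(H1_INET=(True, False), H1_MPLS=(True, False))
PRIMARY_DOWN = make_state(H1_INET=(False, False), H1_MPLS=(False, False))
```

Only the degraded case separates the two models: with both primary hub overlays up but out of SLA, the two-rule design keeps traffic on the primary hub, while the single-rule design moves it to the secondary hub.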
