Fortinet black logo

SD-WAN / SD-Branch Architecture for MSSPs

Home FortiGate / FortiOS 6.4.0 SD-WAN / SD-Branch Architecture for MSSPs

SD-WAN

6.4.0
7.2.0
7.0.0
6.4.0
Copy Link
Copy Doc ID f03023fb-007b-11ec-8f3f-00505692583a:318886
Download PDF

SD-WAN

And now we are reaching the fifth pillar—SD-WAN. In a nutshell, this is the intelligence that will be applied to each outgoing session to determine the optimal path at a given moment. It will consider all the available paths to the requested destination, compare their measured health, and then apply a business strategy configured for a particular application to make the optimal choice. Health measurement continues in real time. If the conditions change, both new and existing sessions can quickly switch over to another path.

As we have covered earlier, SD-WAN configuration typically consists of the following elements:

  • SD-WAN interface members
  • Performance SLAs
  • SD-WAN rules

When using FortiManager to configure your SD-WAN solution, all the above elements are conveniently packed into an SD-WAN template that can be applied to (a group of) your sites. As usual, although you could apply an individual SD-WAN template to each edge device, we highly recommend grouping similar sites, and applying a single SD-WAN template to the entire group. This will significantly simplify your operations, and make your SD-WAN solution consistent.

For example, you could have a single SD-WAN template for all your branch offices and another SD-WAN template for your central datacenters. This would allow you to apply changes quickly and consistently without the need to reconfigure each site individually. And this is one of the most important goals of an SD-WAN solution!

This is the main point of focus for your network operations. You can adjust the relevant SD-WAN templates to instruct your edge devices to accommodate the changes whenever business requirements change. The configuration of the other four pillars will typically remain unchanged.

Remember that the edge devices already know about all available paths to all possible destinations, and they dynamically adapt to the topology changes. The only input that cannot be obtained without operator intervention is the actual set of business rules to be applied.

For the optimal configuration of your SD-WAN solution, you must understand and use the following recommended principles:

  • The originating site should take the steering decision—that is, by the SD-WAN rules of the edge device located at the site originating the session. If the decision is to break out locally, the traffic will leave the boundaries of the SD-WAN solution. Otherwise, the traffic will flow via one of the active overlays. Hence it will pass through one or more additional FortiGate devices that are part of your solution. All those devices are expected to “respect” the SD-WAN choice made by the originating site. For example, in a hub-and-spoke topology, if the originating site has selected an overlay over MPLS transport as its next hop to the hub, the hub should prefer using the overlay over MPLS transport to forward the traffic further toward the destination site. We also call this property the overlay stickiness.
    Note

    It has particular importance for ADVPN since shortcut offers follow the routing decisions. If the traffic does not preserve the overlay end-to-end, this can cause an attempt to establish a shortcut between two physically disconnected transports, such as the internet and MPLS. This attempt will, of course, fail!

  • The same applies to the reply traffic as well. We recommend preserving symmetrical traffic flows so that reply traffic returns via the same overlays from which the traffic in the original direction arrives. While it is possible to configure FortiGate devices to support asymmetrical replies, we advise keeping the default configuration that respects the choice of the session originator.
  • As can be derived from the above two principles, transit devices (such as hubs) generally do not require SD-WAN configuration since they do not act as originating sites for traffic. They must only respect the steering decisions made by other sites in both directions.
  • >We discuss more principles in the context of complete design examples in the following sections.

To conclude, the SD-WAN pillar allows you to define a fine-grained set of business rules to control your application traffic. It operates on top of the four other pillars—Underlay, Overlay, Routing, and Security—each of those by itself offering a wide range of possibilities to fit your needs. This degree of flexibility is no wonder since all the edge devices are full-featured FortiGate devices. But it is precisely for this reason that planning your design carefully and following our proven best practices is crucial to building a highly scalable and easy-to-operate Secure SD-WAN solution!

Previous
Next

SD-WAN

And now we are reaching the fifth pillar—SD-WAN. In a nutshell, this is the intelligence that will be applied to each outgoing session to determine the optimal path at a given moment. It will consider all the available paths to the requested destination, compare their measured health, and then apply a business strategy configured for a particular application to make the optimal choice. Health measurement continues in real time. If the conditions change, both new and existing sessions can quickly switch over to another path.

As we have covered earlier, SD-WAN configuration typically consists of the following elements:

  • SD-WAN interface members
  • Performance SLAs
  • SD-WAN rules

When using FortiManager to configure your SD-WAN solution, all the above elements are conveniently packed into an SD-WAN template that can be applied to (a group of) your sites. As usual, although you could apply an individual SD-WAN template to each edge device, we highly recommend grouping similar sites, and applying a single SD-WAN template to the entire group. This will significantly simplify your operations, and make your SD-WAN solution consistent.

For example, you could have a single SD-WAN template for all your branch offices and another SD-WAN template for your central datacenters. This would allow you to apply changes quickly and consistently without the need to reconfigure each site individually. And this is one of the most important goals of an SD-WAN solution!

This is the main point of focus for your network operations. You can adjust the relevant SD-WAN templates to instruct your edge devices to accommodate the changes whenever business requirements change. The configuration of the other four pillars will typically remain unchanged.

Remember that the edge devices already know about all available paths to all possible destinations, and they dynamically adapt to the topology changes. The only input that cannot be obtained without operator intervention is the actual set of business rules to be applied.

For the optimal configuration of your SD-WAN solution, you must understand and use the following recommended principles:

  • The originating site should take the steering decision—that is, by the SD-WAN rules of the edge device located at the site originating the session. If the decision is to break out locally, the traffic will leave the boundaries of the SD-WAN solution. Otherwise, the traffic will flow via one of the active overlays. Hence it will pass through one or more additional FortiGate devices that are part of your solution. All those devices are expected to “respect” the SD-WAN choice made by the originating site. For example, in a hub-and-spoke topology, if the originating site has selected an overlay over MPLS transport as its next hop to the hub, the hub should prefer using the overlay over MPLS transport to forward the traffic further toward the destination site. We also call this property the overlay stickiness.
    Note

    It has particular importance for ADVPN since shortcut offers follow the routing decisions. If the traffic does not preserve the overlay end-to-end, this can cause an attempt to establish a shortcut between two physically disconnected transports, such as the internet and MPLS. This attempt will, of course, fail!

  • The same applies to the reply traffic as well. We recommend preserving symmetrical traffic flows so that reply traffic returns via the same overlays from which the traffic in the original direction arrives. While it is possible to configure FortiGate devices to support asymmetrical replies, we advise keeping the default configuration that respects the choice of the session originator.
  • As can be derived from the above two principles, transit devices (such as hubs) generally do not require SD-WAN configuration since they do not act as originating sites for traffic. They must only respect the steering decisions made by other sites in both directions.
  • >We discuss more principles in the context of complete design examples in the following sections.

To conclude, the SD-WAN pillar allows you to define a fine-grained set of business rules to control your application traffic. It operates on top of the four other pillars—Underlay, Overlay, Routing, and Security—each of those by itself offering a wide range of possibilities to fit your needs. This degree of flexibility is no wonder since all the edge devices are full-featured FortiGate devices. But it is precisely for this reason that planning your design carefully and following our proven best practices is crucial to building a highly scalable and easy-to-operate Secure SD-WAN solution!

Previous
Next