SD-WAN Architecture for Enterprise

7.0.0

SD-WAN considerations

The table below summarizes the five SD-WAN objects the branch needs for a design with two geo-redundant datacenters, with an example value for each.

  • SD-WAN Member
    • All overlay interfaces to both Datacenter locations.
    • Example:

      Cost: 10 (preferred): dc1_overlay1_wan1, dc1_overlay2_wan2

      Cost: 20: dc2_overlay1_wan1, dc2_overlay2_wan2

  • SD-WAN Zone
    • Overlays should be grouped by device and location.
    • Example:

      Datacenter1 (dc1_overlay1_wan1, dc1_overlay2_wan2)

      Datacenter2 (dc2_overlay1_wan1, dc2_overlay2_wan2)

  • Performance SLA
    • Health check server: business critical applications and resources.
    • Example:

      Health-check: App1_DC1, members: dc1_overlay1_wan1, dc1_overlay2_wan2

      Health-check: App2_DC2, members: dc2_overlay1_wan1, dc2_overlay2_wan2

  • SD-WAN Rule
    • Dependent on business intention and availability requirements.
    • Example:

      Steering Strategy: Lowest Cost (SLA)

      Members: dc1_overlay1_wan1, dc1_overlay2_wan2, dc2_overlay1_wan1, dc2_overlay2_wan2

  • Firewall Policy
    • References the SD-WAN zone(s) and the appropriate security inspection.
    • Example:

      Source: Branch_LAN

      Destination: Datacenter_LAN

      Destination Interface: Datacenter1, Datacenter2

Additional details

  • SD-WAN member:
    • Add all overlays to each gateway at Datacenter1 and Datacenter2 as members.
    • Assign the preferred datacenter's overlays a lower cost than the secondary datacenter's overlays. For example:

      Cost: 10 (preferred)

      dc1_overlay1_wan1, dc1_overlay2_wan2

      Cost: 20

      dc2_overlay1_wan1, dc2_overlay2_wan2

  • SD-WAN zone:
    • Group zones by datacenter location.

      For example, the Datacenter1 overlays are grouped in one zone and the Datacenter2 overlays in a separate zone.

      If you use packet duplication, this keeps the duplicated packets on overlays that terminate on the same gateway.

  • Performance SLA:
    • Create a loopback on each gateway and use it as the health-check server for the performance SLA on the branch.
    • Additional performance SLAs can be created for business critical applications or services in the datacenter, so that each application or service has its own SLA thresholds.
  • SD-WAN rules:
    • The destination must have a route in the routing table for an SD-WAN rule to be active. If the route is missing or misconfigured, the rule is considered inactive and is skipped.
    • Branch-to-corporate traffic (to the datacenter or to other branch locations) now has multiple overlay paths to its destination.
    • When choosing the steering strategy between geo-redundant locations, stability of the traffic flow is generally preferred over raw performance.

      The Best Quality strategy selects the best performing path, which may fluctuate throughout the day and so move sessions between datacenters.

      The Lowest Cost (SLA) strategy prefers the lowest-cost members (that is, the primary datacenter) as long as they meet the SLA thresholds, and fails over to the higher-cost members only on an SLA breach.

      Lowest Cost (SLA) is therefore generally recommended for steering between datacenters.

  • Firewall policy
    • The firewall policy should reference the datacenter zone(s), with the appropriate rule and security profiles enabled.
    • Policies can reference only zones, not individual members. If you need different policies or inspection per WAN, consider creating an SD-WAN zone per overlay member.
