SD-WAN Architecture for Enterprise

7.0.0

Design principles

When designing your Secure SD-WAN Solution, we recommend that you utilize the following Five-Pillar Approach:

As you can see in the above diagram, the goal of the first four pillars (Underlay, Overlay, Routing, and Security) is to define and secure all available paths to all possible destinations. In other words, at this stage, there is still no decision about where specific traffic will flow, but all the edge (CPE) devices are aware of all the options. These four pillars should not require human intervention during regular operation, even though the set of available paths and destinations in the network can change dynamically due to network failures, planned migrations, or even changes in traffic patterns.

The Zero-Touch nature of the first four pillars is achieved using two dynamic technologies that, once configured, do not require further operator intervention:

  1. Our dynamic tunneling technology—Auto-Discovery VPN (ADVPN)—automatically builds direct IPsec tunnels between the sites willing to communicate. These tunnels (also called shortcuts) immediately become part of the overlay topology of your SD-WAN solution. And once the communication between the sites is over, these shortcuts can be automatically torn down to free up the resources.
  2. We also use industry-standard dynamic routing protocols (BGP being a typical choice) to exchange currently available paths between sites, automatically adapting to all topology changes.

Once all available paths to all possible destinations are defined and secured, it is time for the fifth pillar (SD-WAN). This intelligence decides which available path will be selected at a given moment and for a given application. This pillar is a combination of administratively configured business rules and dynamically measured metrics.

Note that all the control plane technologies mentioned above (ADVPN, BGP, and SD-WAN) are distributed across all the edge (CPE) devices, making the overall design highly scalable.
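The following is an added example, not Fortinet's code and not the FortiOS path-selection algorithm: a small Python model of the fifth pillar, showing how an administratively configured business rule (an application's SLA thresholds and a preferred member order) is combined with dynamically measured metrics (latency, jitter, loss from health checks) to pick one of the already-available overlay paths. The member names, thresholds and metric updates are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Member:
    """One available path (an SD-WAN member, e.g. an overlay tunnel) and its
    most recently measured health-check metrics. Constructed sample type."""
    name: str
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    up: bool = True


@dataclass
class Sla:
    """Administratively configured SLA thresholds for an application."""
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float

    def met_by(self, m: Member) -> bool:
        return (m.up
                and m.latency_ms <= self.max_latency_ms
                and m.jitter_ms <= self.max_jitter_ms
                and m.loss_pct <= self.max_loss_pct)


@dataclass
class Rule:
    """Business rule: the application it applies to, the SLA it must meet,
    and the administrator's preferred member order (e.g. cheapest first)."""
    app: str
    sla: Sla
    preference: List[str]


def select_path(rule: Rule, members: List[Member]) -> Tuple[Optional[str], bool]:
    """Pick the highest-preference member that currently meets the SLA.

    Returns (member_name, sla_met). If no member meets the SLA, fall back to
    the live member with the lowest loss, then lowest latency, and flag the
    SLA as violated so the operator can see it; if nothing is up, return None.
    """
    by_name: Dict[str, Member] = {m.name: m for m in members}
    for name in rule.preference:
        m = by_name.get(name)
        if m is not None and rule.sla.met_by(m):
            return name, True
    live = [by_name[n] for n in rule.preference if n in by_name and by_name[n].up]
    if not live:
        return None, False
    best = min(live, key=lambda m: (m.loss_pct, m.latency_ms))
    return best.name, False


def simulate() -> List[Tuple[Optional[str], bool]]:
    """Constructed scenario: two overlay members and a VoIP rule that prefers
    the cheaper internet path as long as it meets the SLA. The decision is
    re-evaluated after each (constructed) metric update, as an edge device
    would after each health-check probe."""
    members = [Member("internet", latency_ms=40, jitter_ms=2, loss_pct=0.0),
               Member("mpls", latency_ms=20, jitter_ms=1, loss_pct=0.0)]
    rule = Rule("voip", Sla(max_latency_ms=50, max_jitter_ms=5, max_loss_pct=1.0),
                preference=["internet", "mpls"])
    decisions = [select_path(rule, members)]      # both healthy -> internet
    members[0].latency_ms = 80                    # internet path degrades
    decisions.append(select_path(rule, members))  # -> mpls, SLA met
    members[1].up = False                         # mpls tunnel goes down
    decisions.append(select_path(rule, members))  # -> internet, SLA violated
    return decisions


if __name__ == "__main__":
    for member, ok in simulate():
        print(f"{member}: {'SLA met' if ok else 'SLA VIOLATED'}")
```

The point of the split between `Rule` and `Member` is the one the text makes: the rule is static configuration that an operator owns, the metrics change on their own, and the edge device re-runs the decision locally on every update without anyone touching the configuration. The "SLA violated" flag in the fallback branch is what a monitoring or alerting pipeline would key on.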

Before we move on to design examples, let us discuss each of the five pillars in more detail:
