
SD-WAN / SD-Branch Architecture for MSSPs

7.2.0

Routing design

Both routing designs described in this document (BGP per overlay and BGP on loopback) support Segmentation over single overlay. There is no change in the way the SD-WAN nodes establish BGP sessions between them. The difference is only in the "content" of the BGP advertisements: we use a different BGP address family (VPNv4), and every advertised BGP route now includes the following important elements:

  • The prefixes are prepended with a route distinguisher (RD), to make them look unique.

    Remember that IP overlap is permitted between different segments (VRFs). On the diagram in the Segmentation over single overlay topic, we see how the two VRFs both contain the same LAN prefix 10.0.2.0/24. By prepending two unique RDs, "65000:11" and "65000:12" respectively, we make these prefixes look unique: "65000:11:10.0.2.0/24" and "65000:12:10.0.2.0/24". Even though both BGP routes are originated by the same Spoke (and hence have the same BGP next hop), they are nevertheless two different BGP routes now.

  • An extended community called route target (RT) is attached to each route, and it signals from which VRF this route is exported (advertised) and into which VRF the receiving node must import it.

The combination of RD and RT allows us to advertise Customer LAN prefixes, while preserving their VRF information across the entire SD-WAN overlay network. Just as before, the Hubs will act as BGP Route Reflectors, readvertising the VPNv4 routes towards all the Spokes.

Note

The exact values of RT/RD don't matter, as long as they are configured consistently on all the SD-WAN nodes: a route exported with a given RT is only imported by nodes whose VRF has a matching import RT. The VPNv4 routes carrying these values are exchanged only between the SD-WAN nodes and are never readvertised to any peers outside of the SD-WAN overlay network. Therefore, they will not conflict with any existing MP-BGP deployments (such as existing BGP/MPLS L3VPNs in the Customer network).
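The following FortiOS CLI fragment is an added illustration of the elements described above and is not taken from this guide: it shows the Hub-side BGP configuration for two customer VRFs carried over a single overlay. The AS number (65000) and the RD/RT values (65000:11 and 65000:12) are the ones used in the text; the VRF IDs 1 and 2, the neighbor-group name "EDGE" and the overlay range 10.200.0.0/16 are assumptions chosen for the example.

```fortios
# Added example, not the guide's own configuration. Assumed values: AS 65000,
# VRF 1 <-> RD/RT 65000:11, VRF 2 <-> RD/RT 65000:12, neighbor-group "EDGE",
# overlay tunnel addresses in 10.200.0.0/16.
config router bgp
    set as 65000
    set ibgp-multipath enable
    config neighbor-group
        edit "EDGE"
            set remote-as 65000
            # VPNv4 counterparts of the settings used for plain IPv4 in the
            # non-segmented design: the Hub reflects VPNv4 routes between
            # Spokes and sets itself as next hop for them.
            set route-reflector-client-vpnv4 enable
            set next-hop-self-vpnv4 enable
            set soft-reconfiguration-vpnv4 enable
            set capability-graceful-restart-vpnv4 enable
        next
    end
    config neighbor-range
        edit 1
            set prefix 10.200.0.0/16
            set neighbor-group "EDGE"
        next
    end
    config vrf
        # VRF 0 holds the overlays and the BGP sessions (provider-edge role).
        edit "0"
            set role pe
        next
        # Customer VRFs: the RD makes the (possibly overlapping) LAN prefixes
        # unique, the RT marks which VRF the route is exported from and must
        # be imported into on the receiving node.
        edit "1"
            set role ce
            set rd "65000:11"
            set export-rt "65000:11"
            set import-rt "65000:11"
        next
        edit "2"
            set role ce
            set rd "65000:12"
            set export-rt "65000:12"
            set import-rt "65000:12"
        next
    end
end
```

The `config vrf` block is identical on every Spoke; only the neighbor settings differ (a Spoke peers with the Hubs and does not enable `route-reflector-client-vpnv4`). Because the Hub matches VRFs purely on the RT, a Spoke whose VRF 2 was mistakenly configured with `import-rt "65000:11"` would silently import the other segment's routes, so checking that the RD/RT pairs are the same on all nodes is the one consistency check worth scripting before rolling the segmentation out.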