Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • SD-WAN / SD-Branch Architecture for MSSPs

    Home FortiGate / FortiOS 7.4.0 SD-WAN / SD-Branch Architecture for MSSPs
    7.4.0
    7.4.0
    7.2.0
    7.0.0
    6.4.0

    Transport groups

    Transport groups

    Consider an SD-WAN topology where the SD-WAN sites have a mixture of Internet and MPLS connections:

    • The Internet and the MPLS transports are physically separate from each other. We often call them segregated transports.

    • All the Internet connections, on the other hand, are naturally interconnected by the public Internet, even if they are of different types (for example, a broadband Internet connection, a backup LTE connection, and so on). Hence, we often call them interconnected transports.

    We can make the following observation: a Spoke cannot build an ADVPN shortcut across two segregated transports, but it can do so across the interconnected transports. For example, a Spoke cannot build an ADVPN shortcut from its Internet WAN link to another Spoke's MPLS WAN link or the reverse. But it can easily build an ADVPN shortcut from its broadband Internet link to another Spoke's LTE link.

    Note

    In the Additional topics section, we discuss other differences between segregated and interconnected transports.

    To express this distinction, ADVPN 2.0 introduces a concept of a transport group. Each set of interconnected transports forms a separate transport group. When a user configures an SD-WAN/ADVPN 2.0 Member, it specifies its transport group ID, so that any two members corresponding to segregated transports will be assigned to different transport groups. This information is exchanged as part of the Discovery process, allowing the originating Spoke to compare its local values with those of the remote Spoke. The Path Selection mechanism will never attempt to build a shortcut between members belonging to different transport groups.

    Following is an example of the transport group assignment. Note that all the Internet overlays belong to transport group 1, while all the MPLS overlays belong to transport group 2:

    Previous
    Next

    Transport groups

    Transport groups

    Consider an SD-WAN topology where the SD-WAN sites have a mixture of Internet and MPLS connections:

    • The Internet and the MPLS transports are physically separate from each other. We often call them segregated transports.

    • All the Internet connections, on the other hand, are naturally interconnected by the public Internet, even if they are of different types (for example, a broadband Internet connection, a backup LTE connection, and so on). Hence, we often call them interconnected transports.

    We can make the following observation: a Spoke cannot build an ADVPN shortcut across two segregated transports, but it can do so across the interconnected transports. For example, a Spoke cannot build an ADVPN shortcut from its Internet WAN link to another Spoke's MPLS WAN link or the reverse. But it can easily build an ADVPN shortcut from its broadband Internet link to another Spoke's LTE link.

    Note

    In the Additional topics section, we discuss other differences between segregated and interconnected transports.

    To express this distinction, ADVPN 2.0 introduces a concept of a transport group. Each set of interconnected transports forms a separate transport group. When a user configures an SD-WAN/ADVPN 2.0 Member, it specifies its transport group ID, so that any two members corresponding to segregated transports will be assigned to different transport groups. This information is exchanged as part of the Discovery process, allowing the originating Spoke to compare its local values with those of the remote Spoke. The Path Selection mechanism will never attempt to build a shortcut between members belonging to different transport groups.

    Following is an example of the transport group assignment. Note that all the Internet overlays belong to transport group 1, while all the MPLS overlays belong to transport group 2:

    Previous
    Next