Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • SD-WAN / SD-Branch Architecture for MSSPs

    Home FortiGate / FortiOS 7.4.0 SD-WAN / SD-Branch Architecture for MSSPs
    7.4.0
    7.4.0
    7.2.0
    7.0.0
    6.4.0

    Routing design

    Routing design

    There is no change in the way the SD-WAN nodes establish BGP sessions between them. The difference is only in the content of the BGP advertisements: we use a different BGP address family (VPNv4), and every advertised BGP route now includes the following important elements:

    • The prefixes are prepended with a route distinguisher (RD), to make them look unique.

      Remember that IP overlap is permitted between different segments (VRFs). On the diagram in the Segmentation over single overlay topic, we see how the two VRFs both contain the same LAN prefix 10.0.2.0/24. By prepending two unique RDs, "65000:11" and "65000:12" respectively, we make these prefixes look unique: "65000:11:10.0.2.0/24" and "65000:12:10.0.2.0/24". Even though both BGP routes are originated by the same Spoke (and hence having the same BGP NH), these are nevertheless two different BGP routes now.

    • An extended community called route target (RT) is attached to each route, and it signals from which VRF this route is exported (advertised) and into which VRF the receiving node must import it.

    The combination of RD and RT allows us to advertise Customer LAN prefixes, while preserving their VRF information across the entire SD-WAN overlay network.

    Note

    The exact values of RT/RD don't matter, as long as they are configured consistently on all the SD-WAN nodes. These values will never be readvertised to any peers outside of the SD-WAN overlay network. Therefore, they will not conflict with any existing MP-BGP deployments (such as existing BGP/MPLS L3VPNs in Customer network).
    Previous
    Next

    Routing design

    Routing design

    There is no change in the way the SD-WAN nodes establish BGP sessions between them. The difference is only in the content of the BGP advertisements: we use a different BGP address family (VPNv4), and every advertised BGP route now includes the following important elements:

    • The prefixes are prepended with a route distinguisher (RD), to make them look unique.

      Remember that IP overlap is permitted between different segments (VRFs). On the diagram in the Segmentation over single overlay topic, we see how the two VRFs both contain the same LAN prefix 10.0.2.0/24. By prepending two unique RDs, "65000:11" and "65000:12" respectively, we make these prefixes look unique: "65000:11:10.0.2.0/24" and "65000:12:10.0.2.0/24". Even though both BGP routes are originated by the same Spoke (and hence having the same BGP NH), these are nevertheless two different BGP routes now.

    • An extended community called route target (RT) is attached to each route, and it signals from which VRF this route is exported (advertised) and into which VRF the receiving node must import it.

    The combination of RD and RT allows us to advertise Customer LAN prefixes, while preserving their VRF information across the entire SD-WAN overlay network.

    Note

    The exact values of RT/RD don't matter, as long as they are configured consistently on all the SD-WAN nodes. These values will never be readvertised to any peers outside of the SD-WAN overlay network. Therefore, they will not conflict with any existing MP-BGP deployments (such as existing BGP/MPLS L3VPNs in Customer network).
    Previous
    Next