Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • SD-WAN / SD-Branch Architecture for MSSPs

    Home FortiGate / FortiOS 7.4.0 SD-WAN / SD-Branch Architecture for MSSPs
    7.4.0
    7.4.0
    7.2.0
    7.0.0
    6.4.0

    Segmentation over single overlay

    Segmentation over single overlay

    We now turn to the topic of segmentation across the SD-WAN network. The use case can be summarized as follows:

    • Customer sites have multiple segments segregated from each other. Within each site, each segment may be connected to separate network equipment (such as separate switches and routers), but segments may also share the same equipment that supports multiple VRFs.

      For example, the Customer may want to segregate data and OAM traffic in the network. Another typical requirement is to segregate data traffic of different sensitivity (classification levels), such as Education and Finance, Guest and Corporate, and so on.

    • Not only traffic flow, but also route propagation is permitted only within a segment. In other words, segmentation means also control plane segregation. It also means, for example, that IP addressing overlap is possible between different segments!

      Note

      For this reason, segmentation cannot be implemented only using firewall policies! While they can provide granular segregation of traffic flows, they do not restrict route propagation and do not allow IP overlap. (In other words, they do not implement control plane segregation.)

    • The requirement is to preserve this segregation across the entire SD-WAN network, when we interconnect the sites. In other words, the different segments should not mix with each other. Their segment identity must be preserved end-to-end. IP addressing overlap must be supported and so on.

    How is this implemented in our SD-WAN Solution?

    • FortiGate devices support multiple VRFs. Therefore, on each SD-WAN node, different Customer segments will be attached to different VRFs.

      Note

      Different VRFs effectively mean different routing tables.

    • On the control-plane, we use MP-BGP VPNv4 to advertise VRF information together with each LAN prefix over the entire SD-WAN overlay network.

    • On the data-plane, the traffic is tagged using a new vpn-id-ipip encapsulation, when it is forwarded between the SD-WAN nodes. This encapsulation is enabled on all the IPsec overlay tunnels (including ADVPN shortcuts).

      In other words, we send the traffic from multiple segments (VRFs) over the same IPsec tunnel, while tagging it with its VRF information, so that the receiving SD-WAN node can preserve the segregation. This is why we sometimes call this feature VRF-Aware Overlays.

      Note

      The vpn-id-ipip encapsulation is a variation of IPIP. An extra IP header is added inside the ESP payload (encrypted), encoding the VRF ID into the IP address field.

      Note that all our current ASIC and SoC generations (NP6, NP7, SoC4, SoC5, and so on) support acceleration of IPIP. This was one of our main considerations when designing the new encapsulation.
    Previous
    Next

    Segmentation over single overlay

    Segmentation over single overlay

    We now turn to the topic of segmentation across the SD-WAN network. The use case can be summarized as follows:

    • Customer sites have multiple segments segregated from each other. Within each site, each segment may be connected to separate network equipment (such as separate switches and routers), but segments may also share the same equipment that supports multiple VRFs.

      For example, the Customer may want to segregate data and OAM traffic in the network. Another typical requirement is to segregate data traffic of different sensitivity (classification levels), such as Education and Finance, Guest and Corporate, and so on.

    • Not only traffic flow, but also route propagation is permitted only within a segment. In other words, segmentation means also control plane segregation. It also means, for example, that IP addressing overlap is possible between different segments!

      Note

      For this reason, segmentation cannot be implemented only using firewall policies! While they can provide granular segregation of traffic flows, they do not restrict route propagation and do not allow IP overlap. (In other words, they do not implement control plane segregation.)

    • The requirement is to preserve this segregation across the entire SD-WAN network, when we interconnect the sites. In other words, the different segments should not mix with each other. Their segment identity must be preserved end-to-end. IP addressing overlap must be supported and so on.

    How is this implemented in our SD-WAN Solution?

    • FortiGate devices support multiple VRFs. Therefore, on each SD-WAN node, different Customer segments will be attached to different VRFs.

      Note

      Different VRFs effectively mean different routing tables.

    • On the control-plane, we use MP-BGP VPNv4 to advertise VRF information together with each LAN prefix over the entire SD-WAN overlay network.

    • On the data-plane, the traffic is tagged using a new vpn-id-ipip encapsulation, when it is forwarded between the SD-WAN nodes. This encapsulation is enabled on all the IPsec overlay tunnels (including ADVPN shortcuts).

      In other words, we send the traffic from multiple segments (VRFs) over the same IPsec tunnel, while tagging it with its VRF information, so that the receiving SD-WAN node can preserve the segregation. This is why we sometimes call this feature VRF-Aware Overlays.

      Note

      The vpn-id-ipip encapsulation is a variation of IPIP. An extra IP header is added inside the ESP payload (encrypted), encoding the VRF ID into the IP address field.

      Note that all our current ASIC and SoC generations (NP6, NP7, SoC4, SoC5, and so on) support acceleration of IPIP. This was one of our main considerations when designing the new encapsulation.
    Previous
    Next