SD-WAN Deployment for MSSPs

7.2.0

Segmentation over single overlay

Our generic deployment workflow can be used with minimal adjustments when implementing segmentation across the SD-WAN network, as discussed in the respective section of the SD-WAN / SD-Branch Architecture for MSSPs guide.

The following adjustments must be made to the Project Template:

  • For each LAN interface in the profile, its VRF ID must be specified using the vrf parameter. This is the CE VRF. If Internet access must be provided for this CE VRF, the additional allow_dia parameter must also be set. In the example below, only one of the two CE VRFs has Internet access:

    'Silver': {
      'interfaces': [
        ...
        {
          'name': 'port5',
          'role': 'lan',
          'vrf': 11,
          'allow_dia': true,
          'ip': lan_ip_edu
        },
        {
          'name': 'port6',
          'role': 'lan',
          'vrf': 12,
          'ip': lan_ip_fin
        }
      ]
    }
  • The region must also list all the existing CE VRFs:

    'West': {
      'as': '65001',
      'lo_summary': '10.200.1.0/24',
      'hubs': [ 'site1-H1', 'site1-H2' ],
      'vrfs': [
        {
          'id': 11
        },
        {
          'id': 12
        }
      ]
    }

The rest of the Project Template remains unchanged.

Note

By default, the PE VRF is set to 1. This can be changed using the optional pe_vrf parameter defined for the region. Please consult the planning guidelines in the SD-WAN / SD-Branch Architecture for MSSPs guide.
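The two template adjustments above and the PE VRF default are easy to get out of sync when many profiles and regions are maintained. The following Python script is an added example, not part of the Fortinet guide or its Jinja templates; it assumes the Project Template has been loaded as Python dictionaries shaped like the snippets above, and the function names (ce_vrfs_in_use, dia_vrfs, check_segmentation) are invented here. It checks that every LAN interface carries a CE VRF, that every CE VRF in use is listed in the region, and that the PE VRF (pe_vrf, defaulting to 1) is never reused as a CE VRF.

```python
"""Consistency checks for the segmentation fields of a Project Template.

Added example; it is not part of the Fortinet guide or its Jinja templates.
Assumptions (not from the guide): the template is loaded as Python dicts
shaped like the snippets above, and the function names used here are invented.
"""
from dataclasses import dataclass

DEFAULT_PE_VRF = 1  # the guide's default when a region sets no 'pe_vrf'


@dataclass(frozen=True)
class Finding:
    where: str      # profile or region name
    message: str


# Constructed sample input mirroring the snippets above: two CE VRFs,
# only VRF 11 allowed to use DIA. 'lan_ip_edu' / 'lan_ip_fin' are per-device
# variables in the real template, so plain strings stand in for them here.
PROFILES = {
    "Silver": {
        "interfaces": [
            {"name": "port1", "role": "wan"},
            {"name": "port5", "role": "lan", "vrf": 11, "allow_dia": True, "ip": "lan_ip_edu"},
            {"name": "port6", "role": "lan", "vrf": 12, "ip": "lan_ip_fin"},
        ]
    }
}
REGIONS = {
    "West": {
        "as": "65001",
        "lo_summary": "10.200.1.0/24",
        "hubs": ["site1-H1", "site1-H2"],
        "vrfs": [{"id": 11}, {"id": 12}],
    }
}


def ce_vrfs_in_use(profiles):
    """Map each CE VRF id to the LAN interfaces (profile/port) placed in it."""
    used = {}
    for prof_name, prof in profiles.items():
        for intf in prof.get("interfaces", []):
            if intf.get("role") == "lan" and "vrf" in intf:
                used.setdefault(intf["vrf"], []).append(f"{prof_name}/{intf['name']}")
    return used


def dia_vrfs(profiles):
    """CE VRFs that have at least one LAN interface with allow_dia set."""
    return {
        intf["vrf"]
        for prof in profiles.values()
        for intf in prof.get("interfaces", [])
        if intf.get("role") == "lan" and intf.get("allow_dia") and "vrf" in intf
    }


def check_segmentation(profiles, regions):
    """Return a list of Finding; an empty list means the template is consistent."""
    findings = []
    used = ce_vrfs_in_use(profiles)

    # 1. Every LAN interface must carry a CE VRF once segmentation is in use.
    for prof_name, prof in profiles.items():
        for intf in prof.get("interfaces", []):
            if intf.get("role") == "lan" and "vrf" not in intf:
                findings.append(Finding(prof_name, f"LAN interface {intf['name']} has no 'vrf' (CE VRF) set"))

    for reg_name, reg in regions.items():
        pe_vrf = reg.get("pe_vrf", DEFAULT_PE_VRF)
        declared = {v.get("id") for v in reg.get("vrfs", [])}

        # 2. The PE VRF must not be reused as a CE VRF, neither in the region
        #    list nor on any LAN interface.
        if pe_vrf in declared or pe_vrf in used:
            findings.append(Finding(reg_name, f"PE VRF {pe_vrf} is also used as a CE VRF"))

        # 3. Every CE VRF placed on a LAN interface must be listed in the region.
        for vrf, ports in sorted(used.items()):
            if vrf not in declared:
                findings.append(Finding(reg_name, f"CE VRF {vrf} used by {', '.join(ports)} is not listed in 'vrfs'"))

        # 4. Listed CE VRFs that no interface uses are harmless but worth a look.
        for vrf in sorted(declared - set(used)):
            findings.append(Finding(reg_name, f"CE VRF {vrf} is listed in 'vrfs' but no LAN interface uses it"))

    return findings


if __name__ == "__main__":
    for f in check_segmentation(PROFILES, REGIONS) or [Finding("-", "no findings")]:
        print(f"{f.where}: {f.message}")
```

Run it against the template before rendering the Jinja templates; a non-empty list of findings is the signal to stop. The PE VRF collision check is the one most worth keeping, since a CE VRF equal to the PE VRF silently merges the customer segment with the transport VRF instead of isolating it.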

Another adjustment needs to be made to the Firewall Policies. As described in the SD-WAN / SD-Branch Architecture for MSSPs guide, two sessions are required for Internet access, and therefore two separate Firewall Rules are needed to permit those sessions.

The following rules will permit the Internet access on the Spokes. Note that we use the System Zones automatically generated by the Jinja Templates during inter-VRF link creation:

Name                 From              To               Src   Dst   Service   NAT
Internet (CE-to-PE)  lan_zone          vrfs_leak_zone   all   all   ALL       Yes
Internet (DIA)       pevrf_leak_zone   underlay         all   all   ALL       Yes
Internet (RIA)       pevrf_leak_zone   overlay          all   all   ALL       Lo-Pool

Note

In Remote Internet Access (RIA), the traffic is NATed using an IP Pool named "Lo-Pool", which must include the Loopback address. This NAT is required because the traffic has already been NATed on the inter-VRF link. Without the second NAT, it would egress the Spoke with the inter-VRF link IP, which is internal to the Spoke and hence not reachable from the rest of the overlay network.
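The following Python script is an added example, not from the Fortinet guide, that walks a LAN host's Internet-bound session through the three rules above and reports which source address leaves the Spoke in each case. The zone and pool names are the ones the page uses; the addresses, the table encoding and the zone-to-address mapping are constructed for the example. It reproduces the point of the note: with the DIA rule the traffic leaves with the underlay address, with the RIA rule and Lo-Pool it leaves with the loopback (inside the region's lo_summary, so the Hubs can route the return traffic), and with the RIA rule but no second NAT it leaves with the inter-VRF link address, which nothing in the overlay has a route to.

```python
"""Trace the source address of a Spoke's Internet-bound session through the
CE-to-PE, DIA and RIA firewall rules.

Added example, not from the Fortinet guide. Addresses, the policy-table
encoding and the zone-to-address mapping are constructed here; zone and pool
names are the ones used in the rules above.
"""
import ipaddress

# Constructed addressing for one Spoke (not from the guide):
LAN_HOST = "10.1.11.10"            # host behind port5, CE VRF 11
INTERVRF_LINK_IP = "10.255.11.2"   # PE VRF end of the inter-VRF link; internal to the Spoke
WAN_IP = "198.51.100.7"            # underlay (ISP-facing) interface address
LOOPBACK = "10.200.1.5"            # Spoke loopback, inside the region's lo_summary
LO_SUMMARY = "10.200.1.0/24"       # as in the 'West' region above

IP_POOLS = {"Lo-Pool": LOOPBACK}

# Address a plain NAT (no IP pool) picks: the egress interface of the 'To' zone.
# Overlay tunnels are unnumbered in this model, so they deliberately have no entry.
EGRESS_IP = {"vrfs_leak_zone": INTERVRF_LINK_IP, "underlay": WAN_IP}

# The three rules from the table above, with the NAT column split into a flag and a pool.
POLICIES = [
    {"name": "Internet (CE-to-PE)", "from": "lan_zone",        "to": "vrfs_leak_zone", "nat": True, "ippool": None},
    {"name": "Internet (DIA)",      "from": "pevrf_leak_zone", "to": "underlay",       "nat": True, "ippool": None},
    {"name": "Internet (RIA)",      "from": "pevrf_leak_zone", "to": "overlay",        "nat": True, "ippool": "Lo-Pool"},
]


def apply_policy(src_ip, policy):
    """Source address after one rule: unchanged, the pool address, or the egress interface address."""
    if not policy["nat"]:
        return src_ip
    if policy["ippool"]:
        return IP_POOLS[policy["ippool"]]
    # Plain NAT on an unnumbered tunnel has no address to use; the source is kept.
    return EGRESS_IP.get(policy["to"], src_ip)


def trace_internet(src_ip, exit_zone, policies=POLICIES):
    """Return the source address at each step: at the LAN host, after the
    CE-to-PE session (inter-VRF link), and after the DIA ('underlay') or
    RIA ('overlay') session."""
    by_to = {p["to"]: p for p in policies}
    hops = [src_ip]
    hops.append(apply_policy(hops[-1], by_to["vrfs_leak_zone"]))   # session 1: CE VRF -> PE VRF
    hops.append(apply_policy(hops[-1], by_to[exit_zone]))          # session 2: PE VRF -> Internet
    return hops


def reachable_from_overlay(ip, lo_summary=LO_SUMMARY):
    """A Hub can only return RIA traffic to an address it has a route for,
    i.e. one inside the region's loopback summary."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(lo_summary)


def ria_without_second_nat():
    """The misconfiguration the note warns about: the RIA rule with NAT disabled."""
    policies = [dict(p, nat=False) if p["name"] == "Internet (RIA)" else p for p in POLICIES]
    return trace_internet(LAN_HOST, "overlay", policies)


if __name__ == "__main__":
    print("DIA:", " -> ".join(trace_internet(LAN_HOST, "underlay")))
    good = trace_internet(LAN_HOST, "overlay")
    bad = ria_without_second_nat()
    print("RIA with Lo-Pool:", " -> ".join(good), "| reachable:", reachable_from_overlay(good[-1]))
    print("RIA without 2nd NAT:", " -> ".join(bad), "| reachable:", reachable_from_overlay(bad[-1]))
```

The same check applies when troubleshooting a real Spoke: if RIA return traffic never arrives, compare the source address seen on the Hub with the region's lo_summary; anything outside it points at a missing or wrong IP Pool on the RIA rule.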
