Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • SD-WAN / SD-Branch Architecture for MSSPs

    Home FortiGate / FortiOS 7.4.0 SD-WAN / SD-Branch Architecture for MSSPs
    7.4.0
    7.4.0
    7.2.0
    7.0.0
    6.4.0

    Multi-regional deployment

    Multi-regional deployment

    While both ADVPN support methods described above can be extended to support inter-regional ADVPN, in any multi-regional deployment it is highly recommended to implement the RR-less Dynamic BGP method. It is precisely in the inter-regional routing where the benefits of this design become the most evident. And for this reason, in this section we focus only on this design.

    In a multi-regional deployment, every pair of Hubs serving different regions establishes a single EBGP session between them. This EBGP session is terminated on the same loopback used for the Spokes' IBGP sessions. The Hubs rely on the same IKE extension described earlier (exchange-ip-addrv4 feature) to guarantee mutual loopback reachability over the Hub-to-Hub IPsec tunnels.

    The following prefixes are advertised between the Hubs:

    • The regional LAN summaries to provide reachability for the user traffic between the regions

    • The regional loopback summaries to provide the loopback reachability between the regions

    • Additionally, each Hub may also advertise any specific prefixes located behind it.

    One of the benefits of the Dynamic BGP design is that the Hub-to-Hub routing configuration does not depend on whether inter-regional ADVPN support is required or not. The routing can always be optimized, by summarizing the regional LAN prefixes on the Hubs. The above description is therefore valid for both cases.

    The following diagram illustrates inter-regional routing between Region 1 and Region 2:

    • The Hub in Region 2 ("site2-H1") advertises a regional LAN summary (10.4.0.0/16) towards the Hub in Region 1 ("site1-H1"), which in turn readvertises it towards its Spokes. As a result, the Spoke "site1-1" (from Region 1) will be able to reach the LAN network 10.4.1.0/24 behind the Spoke "site2-1" (from Region 2).

    • The Hub in Region 2 also advertises a regional loopback summary (10.200.2.0/24) to guarantee loopback reachability (necessary, for example, for the ADVPN 2.0 operation).

    If the inter-regional ADVPN is enabled between these two regions, the ADVPN 2.0 will be able to build a shortcut between "site1-1" and "site2-1". The two Spokes will then establish a direct BGP session over the shortcut, and "site2-1" will advertise its LAN prefix (10.4.1.0/24) to "site1-1", as demonstrated on the following diagram:

    Previous
    Next

    Multi-regional deployment

    Multi-regional deployment

    While both ADVPN support methods described above can be extended to support inter-regional ADVPN, in any multi-regional deployment it is highly recommended to implement the RR-less Dynamic BGP method. It is precisely in the inter-regional routing where the benefits of this design become the most evident. And for this reason, in this section we focus only on this design.

    In a multi-regional deployment, every pair of Hubs serving different regions establishes a single EBGP session between them. This EBGP session is terminated on the same loopback used for the Spokes' IBGP sessions. The Hubs rely on the same IKE extension described earlier (exchange-ip-addrv4 feature) to guarantee mutual loopback reachability over the Hub-to-Hub IPsec tunnels.

    The following prefixes are advertised between the Hubs:

    • The regional LAN summaries to provide reachability for the user traffic between the regions

    • The regional loopback summaries to provide the loopback reachability between the regions

    • Additionally, each Hub may also advertise any specific prefixes located behind it.

    One of the benefits of the Dynamic BGP design is that the Hub-to-Hub routing configuration does not depend on whether inter-regional ADVPN support is required or not. The routing can always be optimized, by summarizing the regional LAN prefixes on the Hubs. The above description is therefore valid for both cases.

    The following diagram illustrates inter-regional routing between Region 1 and Region 2:

    • The Hub in Region 2 ("site2-H1") advertises a regional LAN summary (10.4.0.0/16) towards the Hub in Region 1 ("site1-H1"), which in turn readvertises it towards its Spokes. As a result, the Spoke "site1-1" (from Region 1) will be able to reach the LAN network 10.4.1.0/24 behind the Spoke "site2-1" (from Region 2).

    • The Hub in Region 2 also advertises a regional loopback summary (10.200.2.0/24) to guarantee loopback reachability (necessary, for example, for the ADVPN 2.0 operation).

    If the inter-regional ADVPN is enabled between these two regions, the ADVPN 2.0 will be able to build a shortcut between "site1-1" and "site2-1". The two Spokes will then establish a direct BGP session over the shortcut, and "site2-1" will advertise its LAN prefix (10.4.1.0/24) to "site1-1", as demonstrated on the following diagram:

    Previous
    Next