SD-WAN Orchestrator 6.4.1 r3 Administration Guide

Regions and links

6.4.2
Regions and links

A region refers to a cluster of devices in one geographical location. Each region consists of exactly one hub device and one or more edge devices.

SD-WAN Orchestrator MEA automatically creates links between devices based on settings in the assigned profiles.

Links between hubs

SD-WAN Orchestrator MEA automatically builds full-mesh overlay links between all hub devices.

Links between hub and edge devices in the same region

In the same region, the connection between a hub device and its edge devices depends on the VPN mode. The VPN mode is configured in profiles, and a profile is assigned to each hub and edge device when you add it to SD-WAN Orchestrator MEA. The following VPN modes are available:

  • Site-to-site VPN
  • Dialup VPN

The following table summarizes how the VPN modes affect the connection between hub and edge devices:

| VPN Mode | Description |
|---|---|
| Site-to-site VPN | Overlay links are full-mesh between the hub device and its edge devices in the same region. Edge devices from the same region communicate with each other by forwarding packets through their region's hub. |
| Dialup VPN | Overlay links are one-to-one between the hub device and its edge devices in the same region. In other words, one WAN port on each edge device establishes an IPsec tunnel only with one WAN port on its hub device. |

In Dialup VPN mode, ADVPN can be used to create shortcut tunnels between edge devices.

On hub devices, select one of the following options:

  • NONE - ADVPN is disabled. Edge devices from the same region will communicate with each other by forwarding packets through their region's hub.
  • INSIDE_REGION - Shortcut tunnels are triggered by traffic and established only inside a region.

On edge devices, toggle ADVPN on to enable ADVPN. Toggle off to disable ADVPN.

Edge device communication between regions

When site-to-site VPN mode is enabled, edge devices in one region can communicate with devices in another region by using the following method:

  1. Edge devices send packets to their region's hub.
  2. The hub forwards the packet to the hub of the destination region.
  3. The hub from the destination region forwards the packet to the final destination.
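The forwarding rules on this page, modelled as an added Python example (not Fortinet code) that returns the devices a packet traverses, which is useful when deciding where inspection or logging must sit. The Region class, the device names and the rule that both edges need ADVPN toggled on for a shortcut are assumptions of this sketch.

```python
from dataclasses import dataclass, field

@dataclass
class Region:
    name: str
    hub: str
    edges: set
    vpn_mode: str = "site-to-site"   # or "dialup"
    hub_advpn: str = "NONE"          # or "INSIDE_REGION" (dialup mode)
    advpn_edges: set = field(default_factory=set)  # edges with ADVPN toggled on

def region_of(regions, device):
    for r in regions:
        if device == r.hub or device in r.edges:
            return r
    raise KeyError(f"unknown device {device}")

def overlay_path(regions, src, dst):
    """Devices traversed from src to dst, following the rules on this page."""
    a, b = region_of(regions, src), region_of(regions, dst)
    if src == dst:
        return [src]
    if a is b:
        if a.hub in (src, dst):
            return [src, dst]                      # direct hub-edge overlay link
        # Assumption: a shortcut needs ADVPN on at both edges. It is
        # traffic-triggered, so this is the path once the shortcut is up.
        shortcut = (a.vpn_mode == "dialup" and a.hub_advpn == "INSIDE_REGION"
                    and {src, dst} <= a.advpn_edges)
        return [src, dst] if shortcut else [src, a.hub, dst]
    if src == a.hub and dst == b.hub:
        return [src, dst]                          # hubs are full-mesh
    if a.vpn_mode != "site-to-site" or b.vpn_mode != "site-to-site":
        # The page describes inter-region edge traffic for site-to-site mode only.
        raise ValueError("inter-region path not described for this VPN mode")
    path = [src, a.hub, b.hub, dst]
    return [d for i, d in enumerate(path) if i == 0 or d != path[i - 1]]

# Constructed sample topology (names are made up for illustration).
REGIONS = [
    Region("east", "hub-e", {"e1", "e2"}),
    Region("west", "hub-w", {"w1"}),
    Region("south", "hub-s", {"s1", "s2", "s3"}, vpn_mode="dialup",
           hub_advpn="INSIDE_REGION", advpn_edges={"s1", "s2"}),
]

if __name__ == "__main__":
    for pair in [("e1", "e2"), ("e1", "w1"), ("s1", "s2"), ("s1", "s3")]:
        print(pair, "->", overlay_path(REGIONS, *pair))
```

A path of `[src, dst]` between two edges means the traffic no longer crosses the hub, so any policy or logging that relies on the hub does not see it.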
