SD-WAN / SD-Branch Architecture for MSSPs

7.2.0

Inter-regional ADVPN

The following diagram traces the LAN prefix 10.4.1.0/24, which is advertised by "site2-1" (from Region 2) and is propagated to "site1-1" (from Region 1):

As can be seen:

  • The BGP next hop (NH), which is the loopback IP of the originating Spoke, remains unchanged end-to-end. This is crucial for steering the traffic towards the inter-regional shortcut.

  • The Hub in Region 2 ("site2-H1") advertises a regional loopback summary towards the Hub in Region 1 ("site1-H1"). That is, it advertises the summary of all the loopback addresses within the respective region (10.200.2.0/24 in our example). The BGP NH of that summary route is the loopback of the Hub itself.

  • The receiving Hub in Region 1 ("site1-H1") can resolve the regional loopback summary (and, as a consequence, also the LAN prefix) thanks to the /32 loopback route injected by IKE over the Hub-to-Hub tunnel.

  • The Hub in Region 1 readvertises the received LAN prefix towards its Spokes. Recall from the earlier discussion that, in addition, the Hub always advertises to its Spokes the loopback summary that aggregates all the loopback addresses in the overlay network (10.200.0.0/14 in our example). Since it already covers all the regional loopback summaries, there is no need for the Hub to readvertise them individually.

  • The receiving Spokes resolve the LAN prefix in exactly the same way as the prefixes belonging to the same region.

  • Once an inter-regional ADVPN shortcut is established, the same BGP route is recursively resolved through the shortcut in exactly the same way as for the shortcut within the same region.
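
The recursive resolution described in the list above can be reproduced with a small longest-prefix-match model. This is an added example, not Fortinet code or FortiOS output: the loopback addresses 10.200.2.1, 10.200.1.253 and 10.200.2.253, the tunnel names `H2H`, `H1` and `H1_0`, and the modeling of the shortcut as a /32 route to the remote Spoke's loopback are assumptions made for illustration.

```python
import ipaddress

def lookup(rib, dest):
    """Longest-prefix match: most specific route covering dest, or None."""
    addr = ipaddress.ip_address(dest)
    hits = [r for r in rib if addr in ipaddress.ip_network(r["prefix"])]
    return max(hits, key=lambda r: ipaddress.ip_network(r["prefix"]).prefixlen,
               default=None)

def resolve(rib, dest, max_depth=8):
    """Follow next hops recursively until a route bound to a tunnel is reached.
    Returns (tunnel, [prefixes used]); tunnel is None if resolution fails."""
    chain, target = [], dest
    for _ in range(max_depth):  # depth limit guards against next-hop loops
        route = lookup(rib, target)
        if route is None:
            return None, chain
        chain.append(route["prefix"])
        if "tunnel" in route:
            return route["tunnel"], chain
        target = route["next_hop"]
    return None, chain

# Constructed loopbacks (assumptions): site2-1, site1-H1, site2-H1.
SPOKE2, HUB1, HUB2 = "10.200.2.1", "10.200.1.253", "10.200.2.253"
LAN = {"prefix": "10.4.1.0/24", "next_hop": SPOKE2}  # NH unchanged end-to-end

# site1-H1: regional summary from site2-H1, resolved by the IKE-injected /32.
HUB1_RIB = [LAN,
            {"prefix": "10.200.2.0/24", "next_hop": HUB2},
            {"prefix": HUB2 + "/32", "tunnel": "H2H"}]

# site1-1: only the overlay-wide summary is needed to resolve the LAN prefix.
SPOKE1_RIB = [LAN,
              {"prefix": "10.200.0.0/14", "next_hop": HUB1},
              {"prefix": HUB1 + "/32", "tunnel": "H1"}]

# After the shortcut comes up: a /32 for the remote Spoke's loopback wins LPM.
SPOKE1_RIB_SHORTCUT = SPOKE1_RIB + [{"prefix": SPOKE2 + "/32", "tunnel": "H1_0"}]

if __name__ == "__main__":
    for name, rib in [("site1-H1", HUB1_RIB), ("site1-1", SPOKE1_RIB),
                      ("site1-1 + shortcut", SPOKE1_RIB_SHORTCUT)]:
        print(name, resolve(rib, "10.4.1.5"))
```

Because the BGP route for 10.4.1.0/24 is identical in all three tables, only the resolution of its next hop changes when the shortcut appears; removing the covering loopback summary leaves the LAN prefix unresolvable.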
