
SD-WAN / SD-Branch Architecture for MSSPs

7.2.0

Hub connection: full-mesh


In this example, we enhance the Spoke-to-Hub connection redundancy by interconnecting the two nodes with a full mesh of static IPsec tunnels.

Do not confuse this with a Full-Mesh overlay network topology! Our overlay network still remains Hub-and-Spoke, as described earlier. We are only talking about the overlay connectivity between a given Spoke and a Hub.

In this example too, with the BGP on loopback design, we can configure a single Dial-Up endpoint terminated on each of the Internet connections on the Hub (two Dial-Up endpoints in total). Each Spoke establishes two static IPsec tunnels towards each of these endpoints, one from each of its own Internet connections (four tunnels in total). There are no tunnel subnets and no additional BGP sessions: the single BGP session between loopbacks stays as it is, and BGP routes are recursively resolved through all available overlay paths.

Note, however, that this topology adds configuration complexity on the Spoke side, because every static IPsec tunnel must become an SD-WAN Member. In our example, the Spoke has four overlay SD-WAN Members, and they must be correctly ordered in the SD-WAN rules.
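The Spoke-side configuration described above, shown as an added FortiOS CLI example that is not taken from the Fortinet guide itself. The endpoint addresses (192.0.2.1 and 198.51.100.1 for the Hub's two Internet connections), the loopback addresses, the AS number, the tunnel and zone names, the address object "Corporate_LAN" and the pre-shared key placeholder are all constructed for illustration; the static routes that make the Hub loopback reachable through each tunnel are assumed to be in place from the BGP on loopback design and are not repeated here.

```text
# Four static IPsec tunnels: each Spoke Internet connection (wan1, wan2)
# towards each Hub Dial-Up endpoint (ISP1 = 192.0.2.1, ISP2 = 198.51.100.1).
# Addresses and names are constructed examples.
config vpn ipsec phase1-interface
    edit "W1_H_ISP1"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device enable
        set remote-gw 192.0.2.1
        set psksecret PLACEHOLDER_PSK
    next
    edit "W1_H_ISP2"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device enable
        set remote-gw 198.51.100.1
        set psksecret PLACEHOLDER_PSK
    next
    edit "W2_H_ISP1"
        set interface "wan2"
        set ike-version 2
        set peertype any
        set net-device enable
        set remote-gw 192.0.2.1
        set psksecret PLACEHOLDER_PSK
    next
    edit "W2_H_ISP2"
        set interface "wan2"
        set ike-version 2
        set peertype any
        set net-device enable
        set remote-gw 198.51.100.1
        set psksecret PLACEHOLDER_PSK
    next
end
config vpn ipsec phase2-interface
    edit "W1_H_ISP1"
        set phase1name "W1_H_ISP1"
        set auto-negotiate enable
    next
    edit "W1_H_ISP2"
        set phase1name "W1_H_ISP2"
        set auto-negotiate enable
    next
    edit "W2_H_ISP1"
        set phase1name "W2_H_ISP1"
        set auto-negotiate enable
    next
    edit "W2_H_ISP2"
        set phase1name "W2_H_ISP2"
        set auto-negotiate enable
    next
end
# All four tunnels become SD-WAN Members of one overlay zone; no tunnel subnets.
config system sdwan
    set status enable
    config zone
        edit "overlay"
        next
    end
    config members
        edit 1
            set interface "W1_H_ISP1"
            set zone "overlay"
        next
        edit 2
            set interface "W1_H_ISP2"
            set zone "overlay"
        next
        edit 3
            set interface "W2_H_ISP1"
            set zone "overlay"
        next
        edit 4
            set interface "W2_H_ISP2"
            set zone "overlay"
        next
    end
    # The rule lists all four overlay members in explicit preference order:
    # wan1-based tunnels first, wan2-based tunnels as fallback.
    config service
        edit 1
            set name "Corporate"
            set mode manual
            set src "all"
            set dst "Corporate_LAN"
            set priority-members 1 2 3 4
        next
    end
end
# One BGP session only, between the Spoke and Hub loopbacks (constructed 10.200.0.0/16).
config router bgp
    set as 65000
    config neighbor
        edit "10.200.0.1"
            set remote-as 65000
            set update-source "Loopback"
        next
    end
end
```

The point to check after applying such a configuration is that the Hub loopback 10.200.0.1 is reachable over all four tunnel interfaces, so that the routes learned over the single BGP session resolve recursively to four overlay next hops; if one member is missing from the rule's priority list, traffic will never use that tunnel even though BGP has resolved a path over it.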

Note

This topology, too, cannot be built with the BGP per overlay design, for reasons similar to the previous case: four separate Dial-Up IPsec endpoints would be required on the Hub to implement this scenario (two per Internet connection).
