Fortinet black logo

SD-WAN / SD-Branch Architecture for MSSPs

Home FortiGate / FortiOS 7.2.0 SD-WAN / SD-Branch Architecture for MSSPs
7.2.0
7.2.0
7.0.0
6.4.0

Planning guidelines

Planning guidelines

  1. This design relies heavily on the loopback, which uniquely identifies each SD-WAN node within the overlay network. It is used for BGP termination, ADVPN shortcut monitoring, and more.

    • During the design stage, we must allocate a single subnet summarizing all the loopbacks (the loopback summary). As you have seen previously, this summary will be advertised by the Hubs to all the Spokes.

    • Additionally, in multi-regional deployments with Inter-Regional ADVPN support, the loopbacks must be split between the regions in such a way that they can be summarized also per-region (the regional loopback summary). As you have seen previously, this summary will be advertised between the Hubs.

      For example, the loopback summary might be 10.200.0.0/14, which is further split into multiple regional loopback summaries 10.200.1.0/24, 10.200.2.0/24, and so on.

    Note that the loopbacks discussed here have significance only within the SD-WAN overlay network. They will never be advertised outside of the overlay network and will not interfere with the rest of the environment.

    The size of the loopback subnet is determined by the size of the SD-WAN network: it must accommodate all the SD-WAN nodes (Hubs and Spokes). Be careful when splitting it into regional loopback subnets! Each regional subnet must be large enough to accommodate all the SD-WAN nodes in that region!

  2. There is no need to configure any tunnel IPs in this design. As a consequence, also IKE Mode Config is no longer used.

  3. Finally, a few more words about multi-regional deployments. Should you opt for the Inter-Regional ADVPN support? Or should you rather keep ADVPN only within each region?

    This question is mainly about scalability of the entire solution:

    • Clearly, Inter-Regional ADVPN support reduces the scalability of the control plane, because it requires to preserve BGP NHs end-to-end, prohibiting route summarization on the Hubs.

    • At the same time, when ADVPN is kept only within each region, it reduces the scalability of the data plane, because all inter-regional traffic must flow through the Hubs, potentially turning them into bottlenecks.

    To sum up, the answer to this question depends on your project requirements. It mainly depends on the expected amount of inter-regional traffic and on sizing of the Hubs.

Note

Make sure you consult the SD-WAN Deployment for MSSPs Guide for more details and follow the recommended configuration approach!
Previous
Next

Planning guidelines

  1. This design relies heavily on the loopback, which uniquely identifies each SD-WAN node within the overlay network. It is used for BGP termination, ADVPN shortcut monitoring, and more.

    • During the design stage, we must allocate a single subnet summarizing all the loopbacks (the loopback summary). As you have seen previously, this summary will be advertised by the Hubs to all the Spokes.

    • Additionally, in multi-regional deployments with Inter-Regional ADVPN support, the loopbacks must be split between the regions in such a way that they can be summarized also per-region (the regional loopback summary). As you have seen previously, this summary will be advertised between the Hubs.

      For example, the loopback summary might be 10.200.0.0/14, which is further split into multiple regional loopback summaries 10.200.1.0/24, 10.200.2.0/24, and so on.

    Note that the loopbacks discussed here have significance only within the SD-WAN overlay network. They will never be advertised outside of the overlay network and will not interfere with the rest of the environment.

    The size of the loopback subnet is determined by the size of the SD-WAN network: it must accommodate all the SD-WAN nodes (Hubs and Spokes). Be careful when splitting it into regional loopback subnets! Each regional subnet must be large enough to accommodate all the SD-WAN nodes in that region!

  2. There is no need to configure any tunnel IPs in this design. As a consequence, also IKE Mode Config is no longer used.

  3. Finally, a few more words about multi-regional deployments. Should you opt for the Inter-Regional ADVPN support? Or should you rather keep ADVPN only within each region?

    This question is mainly about scalability of the entire solution:

    • Clearly, Inter-Regional ADVPN support reduces the scalability of the control plane, because it requires to preserve BGP NHs end-to-end, prohibiting route summarization on the Hubs.

    • At the same time, when ADVPN is kept only within each region, it reduces the scalability of the data plane, because all inter-regional traffic must flow through the Hubs, potentially turning them into bottlenecks.

    To sum up, the answer to this question depends on your project requirements. It mainly depends on the expected amount of inter-regional traffic and on sizing of the Hubs.

Note

Make sure you consult the SD-WAN Deployment for MSSPs Guide for more details and follow the recommended configuration approach!
Previous
Next