Fortigate SD-WAN

Question

Hello Guys,

I hope you're all doing well.

I'm fairly new to Fortinet's SD-WAN and recently tried to do a deep dive into it.

So I set up a lab with fortimanger and 3 fortigate, one as a hub and the other two as spoke.

The aim is to understand how it really works and to set up all the configuration using a CLI model without using “orchestration overlay” in order to understand all the steps.

I've read a lot of different articles on Fortinet documentation and other websites and I've seen a lot of different configurations/design depending on the Forti OS version.

I'm really struggling to understand the different designs and the best mode to use depending on the situation, and also how certain concepts work. So I hope to find my answers here...

Since the 7.0.x version :

=> BGP on loopback + ADVPN 2.0 (RR-less) :

=> BGP on loopback + ADVPN 2.0 (RR) :

Before the 7.0.x version :

=> BGP on overlay interface (VTI) + ADVPN ?

So here are my questions :

BGP on loopback + ADVPN 2.0 :

-Do you validate the both design ? One without BGP RR and the other with BGP RR.

BGP on overlay interface (VTI) + ADVPN :

-Is the route reflector necessary?

-How are shortcuts created between Spoke when using ADVPN? How are VTIs communicated between the 2 spokes? How are LAN prefixes notified between the 2 spokes?

Use cases between the 2 modes (BGP on VTI or BGP on loopback):

-If I've understood correctly (or not) it would be more interesting to use the “BGP on loopback” mode if spoke to spoke communications are necessary? Also, this may prevent the HUB from having too many BGP neighbors. Are there any other cases where it would be preferable to use one mode rather than another?

Thanks a lot!

Regards

DPadula · Accepted Answer

Hi Jeremy,

I will try to answer all the questions in order.

-Do you validate the both design ? One without BGP RR and the other with BGP RR.

Regarding the design, there is no 'right' or 'wrong'. There are situation that once design is more suitable than other. So to better decide which one is more appropriate for you we need more details. This is service that Fortinet offer and of course there is a cost.

-Is the route reflector necessary?

No, but you will need to setup a full-mesh network between all devices. Basically setup iBGP between all Fortigates. Again, there is no right or wrong, the RR solution has more scalability and is easy to maintain in comparison to a 'RR-less' solution.

-How are shortcuts created between Spoke when using ADVPN? How are VTIs communicated between the 2 spokes? How are LAN prefixes notified between the 2 spokes?

The Fortinet Certified Security Specialist course covers each of those points, I won't be able to answer such questions in few phrases. Sorry by that.

-If I've understood correctly (or not) it would be more interesting to use the “BGP on loopback” mode if spoke to spoke communications are necessary?

The solution using Loopback are more scalable as I have mentioned. You should check the document BGP on loopback: advantages.

Also, this may prevent the HUB from having too many BGP neighbors. Correct

Are there any other cases where it would be preferable to use one mode rather than another?

Image a scenario where a small company only have 3-5 sites and they have been like that for years, so no big changes on the network. You can easily use the IPSec Wizard and select hub-spoke topology and deploy a solution without the loopback in 5-10 minutes. Not bad right? There are so many small business using such solution, it is easy to deploy and it works without issues.

I hope I have clarified some of the points.

Regards

DPadula

jeremyOrchestr · Answer

Just to correct a mistake that I've made on the first diagram, the BGP advertisement of the hub should be 192.168.0.0/16.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded