Satory
Explorer
February 14, 2023
Solved

Hub and spoke with 4 interfaces

  • February 14, 2023
  • 2 replies
  • 5783 views

We have a Data center (DC) and a Central Location (HQ).

For redundancy we have 4 separate lines:

- 2 are direct leased lines, which I want to use for the primary connection;

- 2 are through the Internet and I would like to use them as the backup connection.

I have implemented IPSec between all points and I am using BGP.

The question is how to achieve maximum bandwidth usage and redundancy at the same time?
Should I:
1. Use IPSec aggregate or SDWAN on the primary and secondary interfaces?

2. How do I make sure the secondary is used only in case the primary goes down? In my current setup I tried to use BGP with communities, but there is still traffic on all interfaces.

3. I have to add more remote locations, each with one primary and one backup line. If I put them into the same SDWAN, whenever the primary goes down the packets are sent to the other members in the same SDWAN. Is this normal behavior?

Best answer by Julien87 (Esteemed Contributor III, February 17, 2023)

Hi Satory,

The policy rules are configured with the SDWAN zone as destination. You don't use interface names. It's simpler.

For the priority of the SDWAN members, I think this link will interest you.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Assigning-Priority-to-SD-WAN-Members-for-Default/ta-p/230911

If you have multiple links, SDWAN will simplify your configuration.

Best regards,
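The accepted answer and the two-zone suggestion in the replies below, written out as a configuration. This is an added example, not configuration posted in the thread or taken from Fortinet documentation. It assumes FortiOS 7.x CLI on the HQ FortiGate; the interface names ll1-dc/ll2-dc (leased lines) and vpn1-dc/vpn2-dc (IPsec over the Internet), the address objects HQ-LAN/DC-LAN, the zone names and the probe target 10.200.0.1 are placeholders.

```fortios
# Added example (not from the thread): FortiOS 7.x CLI, HQ side.
# Placeholders: ll1-dc/ll2-dc = leased lines, vpn1-dc/vpn2-dc = IPsec over
# Internet, HQ-LAN/DC-LAN = address objects, 10.200.0.1 = a DC-side address
# reachable over every tunnel for the health check.
config system sdwan
    set status enable
    config zone
        edit "z-leased"
        next
        edit "z-internet"
        next
    end
    config members
        # Member priority only applies to traffic that matches no SD-WAN rule
        # (the SD-WAN default route, as in the linked tip); lower = preferred.
        edit 1
            set interface "ll1-dc"
            set zone "z-leased"
            set priority 1
        next
        edit 2
            set interface "ll2-dc"
            set zone "z-leased"
            set priority 1
        next
        edit 3
            set interface "vpn1-dc"
            set zone "z-internet"
            set priority 10
        next
        edit 4
            set interface "vpn2-dc"
            set zone "z-internet"
            set priority 10
        next
    end
    config health-check
        edit "hc-dc"
            set server "10.200.0.1"
            set members 1 2 3 4
            config sla
                edit 1
                    set latency-threshold 100
                    set packetloss-threshold 2
                next
            end
        next
    end
    config service
        # Rule 1: hash sessions across both leased lines only.
        edit 1
            set name "dc-via-leased"
            set mode load-balance
            set hash-mode source-dest-ip-based
            set src "HQ-LAN"
            set dst "DC-LAN"
            config sla
                edit "hc-dc"
                    set id 1
                next
            end
            set priority-members 1 2
        next
        # Rule 2: evaluated only when rule 1 has no member that passes hc-dc.
        edit 2
            set name "dc-via-internet"
            set mode load-balance
            set hash-mode source-dest-ip-based
            set src "HQ-LAN"
            set dst "DC-LAN"
            config sla
                edit "hc-dc"
                    set id 1
                next
            end
            set priority-members 3 4
        next
    end
end
# Firewall policies reference the zones, never the four member interfaces,
# so adding a site later means adding members to zones, not editing policies.
config firewall policy
    edit 10
        set name "hq-to-dc"
        set srcintf "lan"
        set dstintf "z-leased" "z-internet"
        set srcaddr "HQ-LAN"
        set dstaddr "DC-LAN"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Check which rule is steering and which members are alive with `diagnose sys sdwan service` and `diagnose sys sdwan health-check`. Two caveats: the Internet tunnels are only used once both leased members are marked dead by the health check, so the probe target must be reachable over all four members and the thresholds should reflect the leased lines' real latency; and an SD-WAN rule can only steer to a member that has a route to the destination in the routing table, so with BGP over the tunnels the DC prefixes must be present via every member (BGP multipath with equal attributes), otherwise the rules and BGP fight each other.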

2 replies

distillednetwork
Explorer II
February 15, 2023

If you want the ones through the Internet to only be backups you can do two things: either add an inbound route-map on those interfaces and adjust the AS path or cost to make them less desirable, or create them in their own SD WAN zone and then create two sets of SDWAN rules, one with the zone for the direct lines and one with the zone for the Internet tunnels.
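The route-map approach from the reply above, as an added example (not configuration from the thread). It assumes eBGP between HQ (AS 65000) and the DC (AS 65001), one neighbor per tunnel on placeholder tunnel addresses, and FortiOS 7.x CLI. Instead of communities, the HQ side lowers LOCAL_PREF on everything learned over the Internet tunnels, so the two leased-line paths stay the only best paths and are load-shared by multipath.

```fortios
# Added example (not from the thread): HQ FortiGate, FortiOS 7.x CLI.
# Placeholders: AS 65000 (HQ), AS 65001 (DC), neighbor addresses are the
# DC ends of the four tunnel interfaces.
config router route-map
    edit "rm-backup-in"
        config rule
            # Default LOCAL_PREF is 100; anything below it loses to the
            # leased-line paths as long as one of them is up.
            edit 1
                set set-local-preference 50
            next
        end
    next
end
config router bgp
    set as 65000
    # Equal-attribute paths over the two leased lines are installed together.
    set ebgp-multipath enable
    config neighbor
        edit "10.255.1.2"
            set remote-as 65001
            set description "DC over leased line 1"
        next
        edit "10.255.2.2"
            set remote-as 65001
            set description "DC over leased line 2"
        next
        edit "10.255.3.2"
            set remote-as 65001
            set description "DC over Internet tunnel 1"
            set route-map-in "rm-backup-in"
        next
        edit "10.255.4.2"
            set remote-as 65001
            set description "DC over Internet tunnel 2"
            set route-map-in "rm-backup-in"
        next
    end
end
```

Verify with `get router info bgp network` (all four paths present, only the leased-line ones marked best) and `get router info routing-table bgp` (two next hops per DC prefix). LOCAL_PREF is not sent to eBGP peers, so the DC FortiGate needs the mirror of this route-map on its own Internet-tunnel neighbors, otherwise DC-to-HQ traffic will still use all four paths. If the sessions are iBGP instead, the same inbound route-map works and `set ibgp-multipath enable` replaces the eBGP setting.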

Satory (Author)
Explorer
February 16, 2023

Hi,

 

That was my initial idea, but if I have several locations I have to double the SDWANs, as I did not find any way to use two SDWANs: one for all primaries and one for all backups.

 

Julien87
Esteemed Contributor III
February 15, 2023

Hi Satory,

Hoping I have understood your request, compared to what I have already put in place.

1. If you want to use both links simultaneously, I would use SDWAN in load-balance mode in an SDWAN rule, then whichever hash mode you want, with a higher priority on the 2 backup interfaces.

2. With a higher priority on the backup links.

3. I didn't understand what packets are sent to all other sites.

I have not yet used IPSec aggregate and route tags, because I do not have infrastructure entirely on version 7.

Best regards,

A link to the BGP multipath documentation: https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/773406/bgp-multiple-path-support

Satory (Author)
Explorer
February 16, 2023

Hi,

So if I got you correctly, your idea is to use all tunnels in the same SDWAN and implement BGP routing rules or SDWAN rules on it?

And if I have a lot of locations in the future, should I have a separate SDWAN for each location, as the firewall rules will have a huge number of interfaces that way?

If I use one SDWAN for all locations there is an interesting issue: whenever all paths to a remote location are down, all traffic is sent to the other locations.
