Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ramakrishnan
Staff
Staff

Created on ‎03-30-2023 06:36 AM Edited on ‎03-30-2023 06:58 AM By Moderator

Article Id 250847

Technical Tip: Segmentation of Control Plane and Data Plane in SD WAN per segment

Description This article describes how Fortinet Secure SD WAN Solution could be configured with a separate Control Plane and Data Plane per segment.
Scope SD WAN.
Solution

Fortinet Secure SD WAN Solution can be configured to have a separate control plane and data plane per segment.

The segregation of the Control Plane from the Data Plane is achieved using the feature  'End-to-End Segmentation over Single Overlay'.

 

The separation of the management plane is achieved through the FGFM tunnel to FortiManager.

 

For example, if a deployment has Segment 1 and Segment 2, each Segment is configured with a VRF ID. The traffic flow (data plane) and route propagation (control plane) for each VRF ID is segmented.

 

This feature would be ideal for deployments that need any or all of the below:

 

- Segmentation of Data Plane and Control Plane.

- Overlapping IP space across multiple sites.

- Multi-tenancy.

 

The 'End-to-End Segmentation over Single Overlay' feature was introduced in FortiOS 7.2.0.

 

end to end vrf.png

In the below configuration, note the command added to the VPN Phase1 Interface setting 'set encapsulation vpn-id-ipip'. It adds an additional encrypted IP header is added to the ESP frame, representing VRF ID. 

 

This ID is used on the remote end to 'demux' the packets into the right CE VRFs. This encapsulation supports hardware acceleration (SOC4, NP6, NP7). In BGP Configuration, the LAN-facing VRFs are assigned the role 'CE' and the IPSEC Overlay (vrf aware) is assigned the role 'PE'.

 

# config vpn ipsec phase1-interface
    edit "SPOKE_MPLS-A"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set exchange-ip-addr4 10.202.0.254
        set proposal aes256-sha256
        set add-route disable
        set dpd on-idle
        set auto-discovery-sender enable
        set encapsulation vpn-id-ipip
        set network-overlay enable
        set network-id 21
        set psksecret ENC XXX
        set dpd-retrycount 2
        set dpd-retryinterval 5
    next
end

# config router bgp
    set as 65001
        # config vrf
            edit "0"
                set role pe
            next
            edit "1"
                set role ce
                set rd "65001:1"
                set export-rt "65001:1"
                set import-rt "65001:1"
            next
            edit "2"
                set role ce
                set rd "65001:2"
                set export-rt "65001:2"
                set import-rt "65001:2"
            next
            edit "4"
                set role ce
                set rd "65001:4"
                set export-rt "65001:4"
                set import-rt "65001:4"
            next
        end
end

 

Output (Lines removed for brevity):

 

FGT # get router info routing-table all

Routing table for VRF=0

S* 0.0.0.0/0 [10/0] via 192.168.0.254, port10, [1/0]
S 10.200.0.1/32 [15/0] via SPOKE_MPLS-T tunnel 10.0.0.4, [5/0]
[15/0] via SPOKE_MPLS-A tunnel 10.200.0.1, [5/0]
S 10.200.0.2/32 [15/0] via SPOKE_MPLS-A tunnel 10.0.0.7, [5/0]
[15/0] via SPOKE_MPLS-T tunnel 10.200.0.2, [5/0]
S 10.200.0.3/32 [15/0] via SPOKE_MPLS-T tunnel 10.0.0.5, [5/0]
[15/0] via SPOKE_MPLS-A tunnel 10.200.0.3, [5/0]
S 10.200.0.4/32 [15/0] via SPOKE_MPLS-T tunnel 10.0.0.6, [5/0]
[15/0] via SPOKE_MPLS-A tunnel 10.200.0.4, [5/0]

 

Routing table for VRF=1:

 

….

B V 10.101.1.0/24 [200/0] via 10.200.0.1 [4] (recursive via SPOKE_MPLS-T tunnel 10.0.0.4 [5]), 1d11h41m
(recursive via SPOKE_MPLS-A tunnel 10.200.0.1 [5]), 1d11h41m, [1/0]
B V 10.101.3.0/24 [200/0] via 10.201.0.254 (recursive via H2H_VPN1_MPLS-A tunnel 172.21.1.5 [1]), 1d11h41m
(recursive via H2H_VPN1_MPLS-T tunnel 172.21.2.5 [1]), 1d11h41m, [1/0]
[200/0] via 10.204.0.254 (recursive via H2H_VPN3_MPLS-A tunnel 172.24.1.5 [1]), 1d11h41m
(recursive via H2H_VPN3_MPLS-T tunnel 172.24.2.5 [1]), 1d11h41m, [1/0]

 

Routing table for VRF=2:

 

...

B V 10.102.2.0/29 [200/0] via 10.200.0.2 [4] (recursive via SPOKE_MPLS-A tunnel 10.0.0.7 [5]), 1d11h42m
(recursive via SPOKE_MPLS-T tunnel 10.200.0.2 [5]), 1d11h42m, [1/0]
B 10.103.1.0/24 [200/0] via 192.168.99.1, CORP_odcA1, 01w6d18h, [1/0]
B V 10.103.2.0/29 [200/0] via 10.200.0.3 [4] (recursive via SPOKE_MPLS-T tunnel 10.0.0.5 [5]), 1d11h42m
(recursive via SPOKE_MPLS-A tunnel 10.200.0.3 [5]), 1d11h42m, [1/0]
B 10.104.1.0/24 [200/0] via 192.168.99.1, CORP_odcA1, 01w3d03h, [1/0]
C 192.168.99.0/30 is directly connected, CORP_odcA1

 

Routing table for VRF=4:

 

...

B V 10.102.4.0/29 [200/0] via 10.200.0.2 [4] (recursive via SPOKE_MPLS-A tunnel 10.0.0.7 [5]), 1d11h42m
(recursive via SPOKE_MPLS-T tunnel 10.200.0.2 [5]), 1d11h42m, [1/0]
B 10.103.1.0/24 [200/0] via 192.168.99.1, CORP_odcC1, 01w6d18h, [1/0]
B V 10.103.4.0/29 [200/0] via 10.200.0.3 [4] (recursive via SPOKE_MPLS-T tunnel 10.0.0.5 [5]), 1d11h42m
(recursive via SPOKE_MPLS-A tunnel 10.200.0.3 [5]), 1d11h42m, [1/0]
B 10.104.1.0/24 [200/0] via 192.168.99.1, CORP_odcC1, 01w3d03h, [1/0]
C 192.168.99.0/30 is directly connected, CORP_odcC1

 

 

Labels:
4587
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.