|Description||This article describes how Fortinet Secure SD WAN Solution could be configured with a separate Control Plane and Data Plane per segment.|
Fortinet Secure SD WAN Solution can be configured to have a separate control plane and data plane per segment.
The segregation of the Control Plane from the Data Plane is achieved using the feature 'End-to-End Segmentation over Single Overlay'.
The separation of the management plane is achieved through the FGFM tunnel to FortiManager.
For example, if a deployment has Segment 1 and Segment 2, each Segment is configured with a VRF ID. The traffic flow (data plane) and route propagation (control plane) for each VRF ID is segmented.
This feature would be ideal for deployments that need any or all of the below:
- Segmentation of Data Plane and Control Plane.
- Overlapping IP space across multiple sites.
The 'End-to-End Segmentation over Single Overlay' feature was introduced in FortiOS 7.2.0.
In the below configuration, note the command added to the VPN Phase1 Interface setting 'set encapsulation vpn-id-ipip'. It adds an additional encrypted IP header is added to the ESP frame, representing VRF ID.
This ID is used on the remote end to 'demux' the packets into the right CE VRFs. This encapsulation supports hardware acceleration (SOC4, NP6, NP7). In BGP Configuration, the LAN-facing VRFs are assigned the role 'CE' and the IPSEC Overlay (vrf aware) is assigned the role 'PE'.
# config vpn ipsec phase1-interface
Output (Lines removed for brevity):
FGT # get router info routing-table all
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 192.168.0.254, port10, [1/0]
Routing table for VRF=1:
B V 10.101.1.0/24 [200/0] via 10.200.0.1  (recursive via SPOKE_MPLS-T tunnel 10.0.0.4 ), 1d11h41m
Routing table for VRF=2:
B V 10.102.2.0/29 [200/0] via 10.200.0.2  (recursive via SPOKE_MPLS-A tunnel 10.0.0.7 ), 1d11h42m
Routing table for VRF=4:
B V 10.102.4.0/29 [200/0] via 10.200.0.2  (recursive via SPOKE_MPLS-A tunnel 10.0.0.7 ), 1d11h42m