Hello Guys,
I hope you're all doing well.
I'm fairly new to Fortinet's SD-WAN and recently tried to do a deep dive into it.
So I set up a lab with FortiManager and three FortiGates, one as a hub and the other two as spokes.
The aim is to understand how it really works and to set up all the configuration using a CLI model, without using the “orchestration overlay”, in order to understand all the steps.
I've read a lot of different articles in the Fortinet documentation and on other websites, and I've seen a lot of different configurations/designs depending on the FortiOS version.
I'm really struggling to understand the different designs and the best mode to use depending on the situation, and also how certain concepts work. So I hope to find my answers here...
Since the 7.0.x version:
=> BGP on loopback + ADVPN 2.0 (RR-less)
=> BGP on loopback + ADVPN 2.0 (RR)
Before the 7.0.x version:
=> BGP on overlay interface (VTI) + ADVPN ?
So here are my questions:
BGP on loopback + ADVPN 2.0 :
-Do you validate both designs? One without a BGP RR and the other with a BGP RR.
BGP on overlay interface (VTI) + ADVPN :
-Is the route reflector necessary?
-How are shortcuts created between Spoke when using ADVPN? How are VTIs communicated between the 2 spokes? How are LAN prefixes notified between the 2 spokes?
Use cases between the 2 modes (BGP on VTI or BGP on loopback):
-If I've understood correctly (or not), it would be more interesting to use the “BGP on loopback” mode if spoke-to-spoke communications are necessary? Also, this may prevent the hub from having too many BGP neighbors. Are there any other cases where it would be preferable to use one mode rather than the other?
Thanks a lot!
Regards
Hi Jeremy,
I will try to answer all the questions in order.
-Do you validate both designs? One without a BGP RR and the other with a BGP RR.
Regarding the design, there is no 'right' or 'wrong'. There are situations where one design is more suitable than another. So to better decide which one is more appropriate for you we need more details. This is a service that Fortinet offers, and of course there is a cost.
-Is the route reflector necessary?
No, but you will need to set up a full-mesh network between all devices. Basically, set up iBGP between all FortiGates. Again, there is no right or wrong; the RR solution has more scalability and is easier to maintain in comparison to an 'RR-less' solution.
-How are shortcuts created between Spoke when using ADVPN? How are VTIs communicated between the 2 spokes? How are LAN prefixes notified between the 2 spokes?
The Fortinet Certified Security Specialist course covers each of those points; I won't be able to answer such questions in a few sentences. Sorry about that.
-If I've understood correctly (or not) it would be more interesting to use the “BGP on loopback” mode if spoke to spoke communications are necessary?
The solution using loopback is more scalable, as I have mentioned. You should check the document "BGP on loopback: advantages".
"Also, this may prevent the HUB from having too many BGP neighbors." Correct.
Are there any other cases where it would be preferable to use one mode rather than another?
Imagine a scenario where a small company only has 3-5 sites and they have been like that for years, so no big changes on the network. You can easily use the IPsec Wizard, select the hub-and-spoke topology and deploy a solution without the loopback in 5-10 minutes. Not bad, right? There are so many small businesses using such a solution; it is easy to deploy and it works without issues.
I hope I have clarified some of the points.
Regards
DPadula
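To make the "BGP on loopback with the hub as route reflector" design discussed above concrete, here is an added, constructed hub-and-spoke skeleton. It is not the original poster's lab configuration nor a Fortinet document; interface names, addresses, the AS number and the PSK are placeholders chosen for this example, and it assumes FortiOS 7.0 or later with a single overlay (add a second phase1/overlay the same way for multiple WAN links). It follows the 7.0+ BGP-on-loopback pattern: the hub accepts dynamic dial-up tunnels, peers with every spoke from its loopback through a single `neighbor-group`/`neighbor-range` (no per-spoke neighbor entries), learns each spoke's loopback through the IKE address exchange, and reflects spoke prefixes unchanged, so the next hop of a remote spoke's LAN is that spoke's loopback and the route follows the ADVPN shortcut once one is up, without any BGP session between spokes.

```fortios
# ---- HUB (constructed example; 172.16.10.0/24 is the BGP loopback range) ----
config system interface
    edit "Lo-BGP"
        set vdom "root"
        set type loopback
        set ip 172.16.10.1 255.255.255.255
    next
end
config vpn ipsec phase1-interface
    edit "H1_INET1"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set add-route disable
        set auto-discovery-sender enable
        set exchange-interface-ip enable
        # loopback IP is exchanged with the peer over IKE, not a tunnel IP
        set exchange-ip-addr4 172.16.10.1
        set psksecret ChangeMe-PSK
    next
end
config vpn ipsec phase2-interface
    edit "H1_INET1"
        set phase1name "H1_INET1"
        set proposal aes256-sha256
    next
end
config router bgp
    set as 65000
    set router-id 172.16.10.1
    set recursive-next-hop enable
    config neighbor-group
        edit "SPOKES"
            set remote-as 65000
            set update-source "Lo-BGP"
            set route-reflector-client enable
            # no next-hop-self-rr: reflected routes must keep the
            # originating spoke's loopback as next hop or shortcuts are bypassed
        next
    end
    config neighbor-range
        edit 1
            set prefix 172.16.10.0 255.255.255.0
            set neighbor-group "SPOKES"
        next
    end
end
# BGP arrives on the overlay and terminates on the loopback: without this
# policy every session stays in Active/Connect state
config firewall policy
    edit 1
        set name "overlay-to-Lo-BGP"
        set srcintf "H1_INET1"
        set dstintf "Lo-BGP"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "BGP" "PING"
    next
end
# ---- SPOKE 1 (Lo-BGP 172.16.10.11/32 and phase2 as on the hub; LAN 10.0.1.0/24) ----
config vpn ipsec phase1-interface
    edit "H1_INET1"
        set interface "port1"
        set ike-version 2
        set proposal aes256-sha256
        set add-route disable
        set auto-discovery-receiver enable
        set exchange-interface-ip enable
        set exchange-ip-addr4 172.16.10.11
        set remote-gw 203.0.113.1
        set psksecret ChangeMe-PSK
    next
end
# the hub's loopback (and, before a shortcut exists, every other spoke's)
# is reached through the hub overlay
config router static
    edit 1
        set dst 172.16.10.0 255.255.255.0
        set device "H1_INET1"
    next
end
config router bgp
    set as 65000
    set router-id 172.16.10.11
    set recursive-next-hop enable
    config neighbor
        edit "172.16.10.1"
            set remote-as 65000
            set update-source "Lo-BGP"
        next
    end
    config network
        edit 1
            set prefix 10.0.1.0 255.255.255.0
        next
    end
end
```

Spoke 2 is the same with 172.16.10.12 and its own LAN prefix. Check the result with `get router info bgp summary` (one established neighbor per spoke on the hub), `get router info routing-table bgp` on a spoke (remote LAN with next hop 172.16.10.12, resolved recursively over H1_INET1) and `diagnose vpn tunnel list` once spoke-to-spoke traffic has triggered a shortcut (a child tunnel such as H1_INET1_0 and the remote loopback /32 now pointing at it). For the RR-less variant from the answer, drop `route-reflector-client` on the hub and add a `config neighbor` entry on every spoke for every other spoke's loopback; those sessions ride through the hub until a shortcut takes over, so the hub then also needs an overlay-to-overlay policy (`srcintf` and `dstintf` both H1_INET1), which is also required for spoke-to-spoke user traffic before any shortcut exists. Two points a practitioner should not skip: ADVPN shortcuts bypass the hub entirely, so inspection policies for spoke-to-spoke traffic must live on the spokes, and the shared PSK above is a placeholder for a lab; for production use certificates (`set authmethod signature`) or at least per-spoke credentials.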
Just to correct a mistake that I've made on the first diagram, the BGP advertisement of the hub should be 192.168.0.0/16.
Thank you!
Have a good day.
Regards.
Copyright 2024 Fortinet, Inc. All Rights Reserved.