hello,
I have questions regarding SD-WAN Config.
I have two WAN interfaces from two different ISPs (ISP1 as main, subnet 176.x.x.x, and ISP2 as backup, subnet 96.x.x.x). They are combined in SD-WAN, and there is an SLA which checks if ISP1 is OK; if not, it switches to ISP2.
Question 1
When ISP1 is down, will all incoming connections to our services be down quickly, or must sessions expire to allow new sessions to come up again using ISP2? If so, how long does it take by default?
From ISP1 we bought a public IP pool (88.x.x.x), and this pool is registered in RIPE for us, and our partners use these IPs to access our services in the DMZ, but when ISP1 is down it is not possible for our partners to connect.
Question 2.
If this pool is registered for us, shouldn't it be possible to connect from outside via ISP2 to our resources?
Thanks
SD-WAN (Software-Defined Wide Area Network) is a great technology for managing multiple WAN connections, providing path selection, and ensuring application performance. Let's answer your questions:
Question 1: When the primary WAN link (ISP1) goes down, the SD-WAN solution will detect the failure (usually very quickly, within seconds) and will switch over to the secondary WAN link (ISP2) based on the SLA you've configured. Existing sessions may be dropped or interrupted depending on how the SD-WAN solution handles failover, but new sessions will begin utilizing ISP2. How long this takes by default varies by vendor and specific SD-WAN solution, but it's typically in the range of seconds.
However, the challenge here is for incoming connections, especially when DNS or other mechanisms are pointing to your public IP address pool from ISP1. Even if SD-WAN switches the outbound traffic to ISP2, incoming traffic still tries to reach you via ISP1 unless there are some changes in DNS or routing to accommodate the new path.
Question 2: Just because an IP pool (e.g., 88.x.x.x) is registered for you in RIPE doesn't mean it's automatically routable via ISP2. The routing of that IP pool on the global internet depends on BGP advertisements. When you work with ISP1, they advertise your IP range to the rest of the internet. If ISP1 goes down, those BGP advertisements will be withdrawn, and the IP range becomes unreachable.
To make the 88.x.x.x pool reachable via ISP2 when ISP1 is down, you'd need a few things:
If you don't have BGP and these mechanisms in place, then even if ISP1 goes down, the internet will still try to route traffic destined for the 88.x.x.x range via ISP1, and it will be unreachable.
It's a bit complex but achievable with the right setup. If you're looking to implement this, consider consulting with a network professional familiar with BGP and multi-homing setups.
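To make the two points in the answer above concrete, here is a small model, added for this thread and not FortiGate code, of (a) the consecutive-probe hysteresis an SD-WAN health check uses to declare a link down and back up, which is what sets the failover delay in Question 1, and (b) why the 88.x.x.x pool is reachable only while an upstream that is still up announces it (Question 2). The knob names (probe interval, failtime, recoverytime) mirror the usual SD-WAN health-check settings, but the values and the probe trace are constructed for the scenario, not vendor defaults; "88.x.x.x", "176.x.x.x" and "96.x.x.x" are used as labels for the three address blocks in the question.

```python
"""Model of SD-WAN link-health failover and of BGP-driven inbound reachability.

Added example for this thread, not vendor code. Health-check parameter values
and the probe trace are assumptions chosen to illustrate the mechanism.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class HealthCheck:
    """Consecutive-probe hysteresis: the link is declared down only after
    `failtime` straight failed probes and up again only after `recoverytime`
    straight good ones, so one lost probe does not flap the WAN."""
    interval_ms: int = 500      # assumed probe spacing
    failtime: int = 5           # assumed failures needed to declare down
    recoverytime: int = 5       # assumed successes needed to declare up
    alive: bool = True
    fail_run: int = field(default=0, init=False)
    ok_run: int = field(default=0, init=False)

    def observe(self, probe_ok: bool) -> bool:
        """Feed one probe result and return the link state afterwards."""
        if probe_ok:
            self.ok_run += 1
            self.fail_run = 0
            if not self.alive and self.ok_run >= self.recoverytime:
                self.alive = True
        else:
            self.fail_run += 1
            self.ok_run = 0
            if self.alive and self.fail_run >= self.failtime:
                self.alive = False
        return self.alive


def time_to_declare_down_ms(probes: List[bool], hc: HealthCheck) -> Optional[int]:
    """Elapsed ms from the start of the trace until the check declares the
    link down; None if no failure run ever reaches `failtime`. Measured from
    the first lost probe the delay is simply failtime * interval_ms."""
    for i, ok in enumerate(probes):
        if not hc.observe(ok):
            return (i + 1) * hc.interval_ms
    return None


def select_member(priority: List[str], alive: Dict[str, bool]) -> Optional[str]:
    """Outbound path choice: first healthy member in priority order."""
    return next((m for m in priority if alive[m]), None)


def inbound_paths(prefix: str, announced_via: Dict[str, List[str]],
                  alive: Dict[str, bool]) -> List[str]:
    """Upstreams that both announce `prefix` to the Internet and are up.
    An empty list means nobody outside can reach that prefix right now,
    regardless of what the RIPE database says about who holds it."""
    return [isp for isp in announced_via.get(prefix, []) if alive[isp]]


def demo() -> dict:
    # Constructed trace: three good probes, then the ISP1 link dies for good.
    isp1 = HealthCheck()
    probes = [True] * 3 + [False] * 8
    detect_ms = time_to_declare_down_ms(probes, isp1)   # 8 probes * 500 ms
    alive = {"ISP1": isp1.alive, "ISP2": True}
    outbound = select_member(["ISP1", "ISP2"], alive)    # falls back to ISP2

    # Single-homed: only ISP1 announces the 88.x.x.x pool.
    single_homed = {"88.x.x.x": ["ISP1"],
                    "176.x.x.x": ["ISP1"],
                    "96.x.x.x": ["ISP2"]}
    # Multi-homed: the pool is also announced via ISP2 (own ASN peering with
    # both, or ISP2 announcing it on your behalf).
    multi_homed = {**single_homed, "88.x.x.x": ["ISP1", "ISP2"]}

    # Link comes back: recoverytime good probes are needed before it is used.
    recovery_states = [isp1.observe(True) for _ in range(5)]

    return {
        "detect_ms": detect_ms,
        "outbound": outbound,
        "pool_reachable_single_homed": inbound_paths("88.x.x.x", single_homed, alive),
        "pool_reachable_multi_homed": inbound_paths("88.x.x.x", multi_homed, alive),
        "isp2_address_reachable": inbound_paths("96.x.x.x", single_homed, alive),
        "recovery_states": recovery_states,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two practical notes. First, the failover delay the original question asks about is the product of probe interval and failure count, so tightening either shortens detection but makes the link more likely to flap on transient loss; `recoverytime` is what stops it flapping back. Second, in the multi-homed dictionary the pool only becomes reachable through ISP2 because something actually announces it there; whichever AS originates the prefix towards ISP2 needs to be allowed to do so (an ISP letter of authorization, and a matching ROA if you publish RPKI), otherwise the announcement is filtered and the partners are no better off.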
Copyright 2024 Fortinet, Inc. All Rights Reserved.