Hub and spoke with 4 interfaces
We have a Data center (DC) and a Central Location (HQ).
For redundancy we have 4 separate lines:
- 2 are direct leased lines, which I want to use for the primary connection;
- 2 are through the Internet and I would like to use them as a backup connection.
I have implemented the IPSec between all points and I am using BGP.
The question is how to achieve maximum bandwidth usage and redundancy at the same time?
Should I:
1. Use IPSec aggregate or SDWAN on the primary and secondary interfaces?
2. How to make sure the secondary is used only in case secondary goes down? In my current setup I tried to use BGP with communities, but still there is traffic on all interfaces.
3. I have to add more remote locations, each with one primary and one backup line. If I put them into the same SDWAN, whenever the primary goes down the packets are sent to the other members in the same SDWAN, is this a normal behavior?
Labels: FortiGate
If you want the ones through the Internet to only be backups you can do two things: either add a route-map in on those interfaces and adjust the AS path or cost to make them less desirable, or create them in their own SD-WAN zone and then create two sets of SD-WAN rules, one with the zone for the direct lines and one with the zone for the Internet tunnels.
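As an added example (not from the thread), a FortiOS CLI sketch of the first option above: a route-map in on the neighbors reached over the Internet tunnels lowers the local preference of what they advertise, so those paths are installed only when both leased-line paths are gone, and eBGP multipath lets the two leased lines share load. Neighbor addresses, AS numbers and route-map names are assumptions.

```text
# Added example (not from the thread): FortiOS CLI sketch of the BGP option.
# Routes learned over the two Internet tunnels get a lower local preference
# via route-map-in, so they are only installed when both leased lines are
# down; eBGP multipath lets the two leased-line paths share load.
# Neighbor addresses, AS numbers and route-map names are assumptions.
config router route-map
    edit "rm-in-leased"
        config rule
            edit 1
                set set-local-preference 200
            next
        end
    next
    edit "rm-in-internet"
        config rule
            edit 1
                set set-local-preference 50
            next
        end
    next
end
config router bgp
    set as 65100
    set ebgp-multipath enable
    config neighbor
        edit "10.255.1.1"
            set remote-as 65200
            set route-map-in "rm-in-leased"
        next
        edit "10.255.2.1"
            set remote-as 65200
            set route-map-in "rm-in-leased"
        next
        edit "10.255.3.1"
            set remote-as 65200
            set route-map-in "rm-in-internet"
        next
        edit "10.255.4.1"
            set remote-as 65200
            set route-map-in "rm-in-internet"
        next
    end
end
```

Check with `get router info routing-table bgp` that the DC prefixes are installed only via the two leased-line neighbors while those are up. Local preference is not carried to the other side, so the DC end needs the same split for its return traffic.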
Hi,
That was my initial idea, but if I have several locations I have to double the SDWANs as I did not find any way to use two SDWANs - one for all primaries and one for all backups.
Hi Satory,
Hoping to have understood your request and compared it to what I have already put in place.
1. If you want to use both links simultaneously, I would use SDWAN in load-balance mode in an SDWAN rule, with the hash mode you want next, and a higher priority on the 2 backup interfaces.
2. With a higher priority on the backup links.
3. I didn't understand which packets are sent to all other sites.
I have not yet used IPSec aggregate and tag route, because I do not have infrastructure entirely in version 7.
Best regards,
A link with BGP multipath documentation: https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/773406/bgp-multiple-path-support
Hi,
So if I got you correctly: your idea is to use all tunnels in the same SDWAN and try to implement BGP routing rules or SDWAN rules on it?
And if I have a lot of locations in the future: should I have a separate SDWAN for each location, as the firewall rules will have a huge number of interfaces that way?
If I use one SDWAN for all locations there is an interesting issue: whenever all paths to a remote location are down, all traffic is sent to the other locations.
Hi Satory,
The policy rules are configured with the SDWAN zone as destination. You don't use the interface name. It's simpler.
For the priority of the SDWAN members, I think this link will interest you.
If you have multiple links, SDWAN will simplify your configuration.
Best regards,
Hi and thank you!
But I still do not understand your point.
In a later stage, when I have for example 50 locations, each with 4 lines (2 for backup and 2 main), should I have 50 SD-WANs (one for each location) or put them all in one and somehow make it work?
The idea is that if I put them in 50 SD-WANs, then in the policy I have to use all of them.
If I put them in one SD-WAN, will it route them correctly?
1 site: 1 SDWAN zone with 1 SDWAN member per line.
Another site: 1 SDWAN zone with 1 SDWAN member per line.
I think so, if I have understood your need.
OK, but on the HUB I will have 50 SD-WAN zones.
The firewall policy rules for some traffic to the HUB site then will have 50 zones in the From field? Is there a way to optimize this?
On the Hub, 1 zone with all member lines, and in your policy you have only 1 zone, but you can filter with source/dst network.