We have a Data center (DC) and a Central Location (HQ).
For redundancy we have 4 separate lines:
- 2 are direct leased lines, which I want to use for the primary connection;
- 2 are through the Internet and I would like to use them as the backup connection.
I have implemented IPSec between all points and I am using BGP.
The question is how to achieve maximum bandwidth usage and redundancy at the same time?
Should I:
1. Use IPSec aggregate or SDWAN on the primary and secondary interfaces?
2. How to make sure the secondary is used only in case the secondary goes down? In my current setup I tried to use BGP with communities, but there is still traffic on all interfaces.
3. I have to add more remote locations, each with one primary and one backup line. If I put them into the same SDWAN, whenever the primary goes down the packets are sent to the other members in the same SDWAN. Is this normal behavior?
If you want the ones through the Internet to only be backups you can do two things: either add a route-map in on those interfaces and adjust the AS path or cost to make them less desirable, or create them in their own SD-WAN zone and then create two sets of SD-WAN rules, one with the zone for the direct lines and one for the zone with the Internet tunnels.
Hi,
That was my initial idea, but if I have several locations I have to double the SDWANs, as I did not find any way to use two SDWANs: one for all primaries and one for all backups.
Hi Satory,
Hoping I have understood your request, compared to what I have already put in place:
1. If you want to use both links simultaneously, I would use SDWAN in load-balance mode in an SDWAN rule, then the hash mode you want, with a higher priority on the 2 backup interfaces.
2. With a higher priority on the backup links.
3. I didn't understand which packets are sent to all other sites.
I have not yet used IPSec aggregate and tag route, because I do not have infrastructures entirely on version 7.
Best regards,
A link to the BGP multipath documentation: https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/773406/bgp-multiple-path-support
Hi,
So if I got you correctly: your idea is to use all tunnels in the same SDWAN and try to implement BGP routing rules or SDWAN rules on it?
And if I have a lot of locations in the future: should I have a separate SDWAN for each location, as the firewall rules will have a huge number of interfaces that way?
If I use one SDWAN for all locations there is an interesting issue: whenever all paths to a remote location are down, all traffic is sent to the other locations.
Hi Satory,
The policy rules are configured with the SDWAN zone as destination. You don't use the interface name. It's simpler.
For the priority of the SDWAN members, I think this link will interest you.
If you have multiple links, SDWAN will simplify your configuration.
Best regards,
Hi and thank you!
But I still do not understand your point.
At a later stage, when I have for example 50 locations, each with 4 lines (2 for backup and 2 mains), should I have 50 SD-WANs (one for each location) or put them all in one and somehow make it work?
The idea is that if I put them in 50 SD-WANs, then in the policy I have to use all of them.
If I put them in one SDWAN, will it route them correctly?
1 site: 1 SDWAN zone with 1 SDWAN member per line.
Another site: 1 SDWAN zone with 1 SDWAN member per line.
I think so, if I have understood your need.
OK, but on the HUB I will have 50 SD-WAN zones.
The firewall policy rules for some traffic to the HUB site will then have 50 zones in the From field? Is there a way to optimize this?
On the Hub, 1 zone with all member lines, and in your policy you have only 1 zone, but you can filter with source/destination network.
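As an added example (not from the thread or from Fortinet), the hub-side configuration the thread converges on, written in FortiOS 7.0-style CLI: all four members of one remote site share a single SD-WAN zone that firewall policies reference, and per-site SD-WAN rules matched on source/destination networks put both leased lines in a load-balance rule and the Internet tunnels in a second rule that is only reached when the first one has no live member. Interface names (s1-leased1, s1-inet1 ...), address objects (HUB-net, SITE1-net) and member IDs are placeholders; member liveness here comes from the tunnel interface state, so DPD should be enabled on the IPSec phase 1.

```fortios
config system sdwan
    set status enable
    config zone
        edit "overlay"
        next
    end
    config members
        # leased lines (1-2) and Internet tunnels (3-4) of site 1 in one zone,
        # so firewall policies reference "overlay" rather than 4 interfaces per site
        edit 1
            set interface "s1-leased1"
            set zone "overlay"
        next
        edit 2
            set interface "s1-leased2"
            set zone "overlay"
        next
        edit 3
            set interface "s1-inet1"
            set zone "overlay"
        next
        edit 4
            set interface "s1-inet2"
            set zone "overlay"
        next
    end
    config service
        # rule 1: traffic for site 1 is spread over both leased lines
        edit 1
            set name "site1-primary"
            set mode load-balance
            set src "HUB-net"
            set dst "SITE1-net"
            set priority-members 1 2
        next
        # rule 2: same match, evaluated only when rule 1 has no usable member,
        # so the Internet tunnels carry site 1 traffic only while both leased lines are down
        edit 2
            set name "site1-backup"
            set mode manual
            set src "HUB-net"
            set dst "SITE1-net"
            set priority-members 3 4
        next
    end
end
```

Each additional site gets its own members in the same zone and its own pair of rules keyed on its networks; because the rules match on destination, a site whose four tunnels are all down does not have its traffic steered to another site's members.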