Satory
New Contributor III

Hub and spoke with 4 interfaces

We have a Data center (DC) and a Central Location (HQ).

For a redundancy we have 4 separate lines:

- 2 are direct leased lines, which I want to use for a primary connection;

- 2 are through the Internet and I would like to use them as a backup connection.

I have implemented IPSec between all points and I am using BGP.

The question is how to achieve maximum bandwidth usage and redundancy at the same time?
Should I:
1. Use IPSec aggregate or SDWAN on the primary and secondary interfaces?

2. How to make sure the secondary is used only in case secondary goes down? In my current setup I tried to use BGP with communities, but still there is traffic on all interfaces.

3. I have to add more remote locations, each with one primary and one backup line. If I put them into the same SDWAN, whenever the primary goes down the packets are sent to the other members in the same SDWAN. Is this normal behavior?

distillednetwork
Contributor III

If you want the ones through the Internet to only be backups you can do two things: either add a route-map on those interfaces and adjust the AS path or cost to make them less desirable, or create them in their own SD-WAN zone and then create two sets of SD-WAN rules, one with the zone for the direct lines and one with the zone for the Internet tunnels.

Satory

Hi,

That was my initial idea, but if I have several locations I have to double the SDWANs, as I did not find any way to use two SDWANs - one for all primaries and one for all backups.
Julien87
Contributor II

Hi Satory,

Hoping I have understood your request and compared it to what I have already put in place.

1. If you want to use both links simultaneously, I would use SDWAN in load-balance mode in an SDWAN rule, with the hash mode you want, and with a higher priority on the 2 backup interfaces.

2. With a higher priority on backup links.

3. I didn't understand what packets are sent to all other sites.

I have not yet used IPSec aggregate and tag route, because I do not have infrastructure entirely on version 7.

Best regards,

A link to the BGP multipath documentation: https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/773406/bgp-multiple-path-support

Julien
Satory
New Contributor III

Hi,

So if I got you correctly: your idea is to use all tunnels in the same SDWAN and try to implement BGP routing rules or SDWAN rules on it?

And if I have a lot of locations in the future: should I have a separate SDWAN for each location, as the firewall rules will have a huge number of interfaces that way?

If I use one SDWAN for all locations there is an interesting issue - whenever all paths to a remote location are down, all traffic is sent to the other locations.

Julien87

Hi Satory,

The policy rules are configured with the SDWAN zone as destination. You don't use the interface name. It's simpler.

For the priority of the SDWAN members, I think this link will interest you.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Assigning-Priority-to-SD-WAN-Members-for-D...

If you have multiple links, SDWAN will simplify your configuration.

Best regards,

Julien
Satory
New Contributor III

Hi and thank you!

But I still do not understand your point.

At a later stage, when I have for example 50 locations, each with 4 lines - 2 main and 2 for backup - should I have 50 SD-WANs (one for each location) or put them all in one and somehow make it work?

The idea is that if I put them in 50 SD-WANs, then in the policy I have to use all of them.

If I put them in one SD-WAN, will it route them correctly?

Julien87

1 site -- 1 SDWAN zone with 1 SDWAN member per line.

Another site with 1 SDWAN zone with 1 SDWAN member per line.

I think so, if I have understood your need.

Julien
Satory
New Contributor III

OK, but on the HUB I will have 50 SD-WAN zones.
The firewall policy rules for some traffic to the HUB site then will have 50 zones in the From field? Is there a way to optimize this?

Julien87

On the Hub, 1 zone with all member lines, and in your policy you have only 1 zone, but you can filter by source/dst network.

Julien
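As an added illustration of the hub design the replies converge on (one SD-WAN zone on the hub holding all overlay members, leased lines preferred, Internet tunnels as fallback, rules filtered by destination), here is a FortiOS 7.x CLI fragment; it is not configuration posted in this thread. The interface names, the "DC-LAN" address object, the probe address and the assumption that a rule whose members are all dead is skipped in favour of the next rule are all placeholders or assumptions.

```fortios
config system sdwan
    set status enable
    config zone
        edit "overlay"                 # one zone on the hub: policies reference it, not interfaces
        next
    end
    config members
        edit 1
            set interface "vpn-leased1"   # placeholder IPsec interface names
            set zone "overlay"
            set priority 1                # lower value = preferred SD-WAN route
        next
        edit 2
            set interface "vpn-leased2"
            set zone "overlay"
            set priority 1
        next
        edit 3
            set interface "vpn-inet1"
            set zone "overlay"
            set priority 10               # backup: higher value, less preferred
        next
        edit 4
            set interface "vpn-inet2"
            set zone "overlay"
            set priority 10
        next
    end
    config health-check
        edit "dc-probe"
            set server "10.10.0.1"        # placeholder: host behind the DC spoke
            set members 1 2 3 4           # marks a member dead when probes fail
        next
    end
    config service
        edit 1
            set name "dc-primary"
            set mode load-balance         # spread flows over both leased lines
            set dst "DC-LAN"              # placeholder address object for the DC subnet
            set priority-members 1 2
        next
        edit 2
            set name "dc-backup"          # assumed fall-through: used only when rule 1 has no live member
            set mode load-balance
            set dst "DC-LAN"
            set priority-members 3 4
        next
    end
end
```

Each additional spoke gets its own pair of rules with its own destination object, while the firewall policy keeps referencing only the "overlay" zone.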