Hi,
I am working on SD-WAN solution .I have primary Data center(Hub). Have 13 Spoke connected to Hub (Data center ).Currently SD-WAN Solution with primary MPLS and secondary Broadband used.
Planning for DR.If DC Fails Spoke to connect DR.My DR will also be DC for some applications where remote user will connect through VPN.
In DR location only Broadband available.How to size bandwidth.
Anyone Guide me with Design and Solution with diagram
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi,
As I understand you want to configure SD WAN on FortiGate firewall to provide redundancy:
Please refer to the below article to configure SDWAN:
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/218559/creating-the-sd-wan-interface
You can configure SDWAN rule to use Best quality link:
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/22371/sd-wan-rules-best-quality
Regards,
Abhimanyu
Hi,
I would recommend, you analyze your DC bandwidth usages for both the links over a period of time and based on that information you may identify an optimal bandwidth for your DR link if you are planning to shift your entire traffic from 13 spokes to connect to DR at the time of failover or else if you are only planning critical services in DR during failover, then your bandwidth requirement will reduce accordingly. You need to keep in mind about the remote VPN users connecting to DR and allocate some bandwidth for them as well.
Bandwidth can be monitored from the FortiGate Dashboard interface widget and also using your SNMP monitoring tool if any.
For the design part here are few pointers, you can have IPsec overlay configured for DC and DR as part of SDWAN and use dynamic routing protocol like BGP/OPSF over IPsec tunnel to advertise route from DC and DR with different metrics for preference and use SDWAN rules steer traffic to different tunnels based on your requirement. SDWAN rules have precedence over your Routing table and hence it will be easy to control your traffic flow with SDWAN rules.
I would still recommend you take help from your Local Fortinet team for the proper design solution.
Best Regards
Hi
Thanks a Lot for Reply. If DC Fails DR will become active. There are users and Vendors who want to access application in DR.Since DC Fail only DR Firewall activated,How users and vendors access DR Firewall through VPN. What will be the solution.
Hi,
Users and Vendors accessing the VPN on DR will connect to DR Public IP address. If your Public IP address changes frequently for your DR broadband connection, you can make use of Dynamic DNS in FortiGate for SSL VPN, if the IP doesn't change then use the IP address or a registered FQDN to connect to.
https://community.fortinet.com/t5/user/viewprofilepage/user-id/38305
For the DR to act as a HUB for all 13 branches you need to make use of Dynamic DNS for the IPSec VPN Gateway if your Public IP of the DR changes frequently. If not, you can use type "static" for the DR HUB configuration.
Reference:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-SD-WAN-with-DDNS-type-IPsec/ta-p/190773
For the Failover, make use of Dynamic Routing Protocol with different metrics for exchanging routes from DC and DR to the spokes, where DR routes has least preference compared to DC and in the event of DC failure, DR route become active (Ex: using different Local Preference value for DC and DR when receiving and inserting route to Route Table) and SDWAN Rules.
If you plan to use OSPF instead of BGP, you may use different Cost value in DC and DR when exchange route with Spokes. Lower the cost is the preferred route in OSPF.
Hope this helps.
Regards
Hi
Thanks for your Reply.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1679 | |
1085 | |
752 | |
446 | |
226 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.