Hi,
We have implemented a hub-and-spoke architecture via FortiManager, using a "Star" community and a single SD-WAN interface that contains all the tunnels, but we have a routing problem.
According to Fortinet, the SD-WAN rule is matched after the policy route (if no policy route matches), so we created an SD-WAN zone with all members and, to route correctly, an SD-WAN rule that matches the traffic exactly, using a performance SLA, but the communication between the hub and the spokes does not work.
Thank you for your support.
So, to test, we created a separate SD-WAN zone that contains just the tunnel of a single site, with a static route as well, and it works. But we cannot create a separate SD-WAN zone with separate routing at each site, knowing that we have many spokes.
What is the solution to this problem, and is configuring the SD-WAN rules without any static route the right solution?
I think in this case SD-WAN is the wrong way. If you put all VPNs into one SD-WAN zone and add a rule and an SLA, then SD-WAN would select a member according to your load-balancing settings and SLA once the rule is matched.
At least if I understand your setup correctly.
You said star topology, so you have spokes that all connect to the same hub, correct?
At the hub you could create a zone containing all the tunnels and then use that as the interface in policies and routes. But you would still have to create routes for each spoke subnet.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Hi @sw2090,
Thank you for your response.
Yes, star topology means all spokes are connected to the hub.
I just need to confirm whether this is the correct design and implementation:
We have 1 hub and a lot of spokes, and we use FortiManager to manage this implementation. We created a Star community, created one SD-WAN zone called HubToSpoke-SDW that contains all the tunnels created from VPN Manager (with random ID _X), then created a static route X.X.X.X/8 to the spokes with HubToSpokes-SDW as the destination, policies to permit traffic (Inside to HubToSpokes-SDW), and a lot of SD-WAN rules and SLAs to route traffic to the specific spoke.
Is this the correct design/configuration, or do I have to configure a dynamic routing protocol?
In my opinion SD-WAN is not the correct choice for this. SD-WAN is cool when you have redundancy and want to do something like HA on tunnels.
So if you have e.g. two S2S tunnels to the same site, you could create an SD-WAN zone on both sides, set static routing to that zone and then have SD-WAN handle the rest according to your rules. That means SD-WAN will have to choose a member of the SD-WAN zone according to your rules and SLAs.
But here you don't have redundancy. You appear to have various sites that have an S2S IPsec tunnel to the same hub. This is IMHO not intended for SD-WAN. This is intended for an interface zone, so you can use the zone for routes and policies.
Thank you @sw2090 for your response.
I forgot to mention that each spoke is connected with 3 different links, so 3 tunnels for each spoke.
So I need to make 1 SD-WAN zone, which will contain all spoke tunnels, and 1 summarized static route (X.X.X.X/8 to the branches). Is this configuration correct?
You can use an SD-WAN zone on your spoke and one per spoke on the hub to handle redundancy. But I don't think you can use one for all.
Caveat: in this case you cannot use interface zones on the hub, since you cannot put a zone into a zone...
So to recap:
1. Create a Star community.
2. Create the hub and the spokes.
3. Create the SD-WAN zone (HubToSpoke), associate all site tunnels with this single zone, and create a static route (X.X.X.X/8) to the spokes.
4. Create the SD-WAN zone (SpokeToHub), associate the 3 tunnels of the 3 links, assign it to the spokes, and add a static route to the hub (Hub_Network/24).
5. Create an SD-WAN rule on the hub for each spoke, choose the 3 appropriate tunnels for that spoke, and associate the corresponding performance SLA.
NB: Is it mandatory to have the static route or not? (In the documentation: SD-WAN rules work like policy routes, so they won't work without corresponding entries in the routing table.)
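As an added illustration, not part of this thread and not a Fortinet-provided configuration, here is what the hub side of the recap above looks like in FortiOS 7.x CLI for one spoke. It assumes three IPsec tunnel interfaces for that spoke named Spoke1_T1, Spoke1_T2 and Spoke1_T3, a firewall address object Spoke1_LAN for the spoke's subnet, a probe target 10.1.1.1 on the spoke reachable over the tunnels, and 10.0.0.0/8 as the summary prefix used in the static route; all of those names and addresses are assumptions, and the `#` lines are comments for the reader. The summary static route pointing at the SD-WAN zone supplies the routing-table entry that the rule needs (the point raised in the NB); the rule then pins traffic for Spoke1 to that spoke's three members and lets the SLA decide between them.

```text
config system sdwan
    set status enable
    config zone
        # one zone holding every spoke tunnel (HubToSpoke in the recap)
        edit "HubToSpoke"
        next
    end
    config members
        # the three tunnels of Spoke1; repeat with new IDs for each spoke
        edit 1
            set interface "Spoke1_T1"
            set zone "HubToSpoke"
        next
        edit 2
            set interface "Spoke1_T2"
            set zone "HubToSpoke"
        next
        edit 3
            set interface "Spoke1_T3"
            set zone "HubToSpoke"
        next
    end
    config health-check
        # performance SLA probing a host behind Spoke1 over its three tunnels
        edit "Spoke1_SLA"
            set server "10.1.1.1"
            set members 1 2 3
            config sla
                edit 1
                    set latency-threshold 100
                    set jitter-threshold 20
                    set packetloss-threshold 2
                next
            end
        next
    end
    config service
        # SD-WAN rule: traffic to Spoke1_LAN may only use Spoke1's members
        edit 1
            set name "To_Spoke1"
            set mode sla
            set dst "Spoke1_LAN"
            config sla
                edit "Spoke1_SLA"
                    set id 1
                next
            end
            set priority-members 1 2 3
        next
    end
end
config router static
    # summary route toward the zone; without it no SD-WAN rule is applied
    edit 1
        set dst 10.0.0.0 255.0.0.0
        set sdwan-zone "HubToSpoke"
    next
end
```

Repeat the members, health-check and service blocks per spoke with their own IDs. Two things to check: any destination inside 10.0.0.0/8 that matches no rule is forwarded by the summary route alone, which means across every member of the zone rather than the right spoke, so each spoke prefix needs its own rule (or a more specific route); and `set sdwan-zone` on a static route is FortiOS 7.0+ syntax, where 6.4 used `set sdwan enable` on the route instead.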
Copyright 2024 Fortinet, Inc. All Rights Reserved.