ys1
New Contributor

SD WAN Rule routing aspect issue

Hi,

We have implemented a Hub and Spoke architecture via FortiManager, using a "Star" community and a single SD WAN interface which contains all the tunnels, but we have a routing problem.

According to Fortinet, the SD WAN Rule is matched after the policy route (if none is found), so we created an SD WAN Zone with all members and, to route correctly, we created an SD WAN Rule to match the traffic exactly, using a Performance SLA, but the communication between the Hub and the spokes does not work.

Thank you for your support.

So, to test, we created a separate SD WAN zone that contains just the tunnel of a single site, with a static route as well, and it works. But we cannot create a separate SD WAN zone with separate routing at each site, knowing that we have many spokes.

What is the solution to this problem, and is configuring the SD WAN Rules without any static route the right solution?

 

sw2090
Honored Contributor

I think in this case sdwan is the wrong way. If you put all VPNs into one SDWAN zone and add a rule and an SLA, then sdwan would select a member according to your load balancing settings and SLA once the rule is matched.

At least if I understand your setup correctly.

You said star topology, so you have spokes that all connect to the same hub, correct?

At the hub you could create a zone containing all the tunnels and then use that as the interface in policies and routes. But you would still have to create routes for each spoke subnet.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

ys1
New Contributor

Hi @sw2090,

Thank you for your response.

Yes, Star topology means all Spokes are connected to the Hub.

I just need to confirm whether this is the correct design and implementation:

We have 1 Hub and a lot of spokes. We have used FortiManager to manage this implementation. We created a Star community, created one SD WAN zone called HubToSpoke-SDW, which contains all tunnels created from VPN Manager (with random ID _X); after that we created a STATIC route X.X.X.X/8 to the spokes with HubToSpokes-SDW as destination, policies to permit traffic (Inside to HubToSpokes-SDW), and a lot of SDWAN Rules & SLAs to route traffic to the specific spoke.

Is this the correct design/configuration, or is it mandatory to configure a dynamic routing protocol?

sw2090
Honored Contributor

In my opinion sdwan is not the correct choice for this. sdwan is cool when you have redundancy and want to do something like HA on tunnels.

So if you have e.g. two S2S to the same site, you could create an sdwan zone on both sides, set static routing to that zone and then have sdwan handle the rest according to your rules. That means sdwan will have to choose a member of the sdwan zone according to your rules and SLAs.

But here you don't have redundancy. You appear to have various sites that have an S2S IPsec to the same hub. This is imho not intended for sdwan. This is intended for an interface zone so you can use the zone for routes and policies.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

ys1
New Contributor

Thank you @sw2090 for your response.

I forgot to mention that each spoke is connected with 3 different links, so 3 tunnels for each spoke.

So I need to make 1 SD WAN zone which will contain all spoke tunnels, and 1 summarized static route (X.X.X.X/8 to branch). Is this configuration correct?

sw2090
Honored Contributor

You can use an sdwan zone on your spoke and one for each spoke on the hub to handle redundancy. But I don't think you can use one for all.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

sw2090
Honored Contributor

Caveat: in this case you cannot use interface zones on the hub, since you cannot put a zone into a zone...

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

ys1
New Contributor

So to recap:
1. Create a Star community.
2. Create the hub and the spokes.
3. Create the SD WAN zone (HubToSpoke), associate all site tunnels with a single zone, and create a static route (X.X.X.X/8) to the spokes.
4. Create the SD WAN zone (SpokeToHub), associate the 3 tunnels of the 3 links, assign it to the spokes, and add a static route to the Hub (Hub_Network/24).
5. Create an SD WAN Rule in the HUB for each spoke, choose the 3 appropriate tunnels for each spoke, and associate the corresponding Performance SLA.

NB: Is it mandatory to have the static route or not? (In the documentation: SD-WAN rules work like policy routes, so they won't work without corresponding entries in the routing table.)
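Added illustration, not from the poster, FortiManager, or Fortinet documentation, of steps 3 and 5 of the recap for one spoke on the hub, written in FortiOS 7.x CLI syntax; the tunnel names, the address object spokeA_lan, the SLA probe target, the SLA threshold and the summary route are placeholder assumptions. The last stanza is the static route the NB asks about: the rule only steers traffic whose destination already has a route via the zone, so the rule and the route go together.

```text
config system sdwan
    config zone
        edit "HubToSpoke"
        next
    end
    config members
        edit 1
            set interface "spokeA_tun1"
            set zone "HubToSpoke"
        next
        edit 2
            set interface "spokeA_tun2"
            set zone "HubToSpoke"
        next
        edit 3
            set interface "spokeA_tun3"
            set zone "HubToSpoke"
        next
    end
    config health-check
        edit "spokeA-sla"
            set server "10.10.1.1"
            set members 1 2 3
            config sla
                edit 1
                    set latency-threshold 150
                next
            end
        next
    end
    config service
        edit 1
            set mode sla
            set dst "spokeA_lan"
            config sla
                edit "spokeA-sla"
                    set id 1
                next
            end
            set priority-members 1 2 3
        next
    end
end
# Without this entry the rule above never fires (policy-route behaviour).
config router static
    edit 10
        set dst 10.0.0.0 255.0.0.0
        set sdwan-zone "HubToSpoke"
    next
end
```

Check the result with `diagnose sys sdwan service` (rule hit and selected member) and `get router info routing-table all` (the summary route pointing at the zone); if the second is missing, the first will show no matches.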
