Greetings,
I created an SD-WAN rule (source = all, destination = all) for Internet access with two member interfaces. One is the underlay interface and will forward traffic to local egress (DIA); the other one is an overlay MPLS IPsec tunnel that will forward traffic to our offshore office in another country (RIA).
The underlay interface is the primary for Internet access; the overlay interface is used when the underlay interface is inactive. They are judged by an SLA that uses ping as the probe to a public WWW server (but we are going to change it to use DNS soon).
There is only one default route (0.0.0.0/0.0.0.0) pointing to the underlay interface. My concern is: when the underlay interface becomes inactive, will the overlay interface be able to forward Internet traffic? According to the SD-WAN routing logic, when the primary interface is down, the default route via it will be updated (removed, I think); then there is no route through any of the SD-WAN member interfaces for Internet traffic.
Should I create two default routes (0.0.0.0/0.0.0.0) pointing to both of the member interfaces?
Thanks.
If the overlay interface (IPsec) is created under the same physical interface, then when the underlay goes down (due to a routing or layer 1 problem) the overlay will also get disconnected. So no traffic will go out.
If the overlay is under a different interface, when the SD-WAN performance SLA fails it will only remove the route from that specific interface. As long as one of the interfaces is showing up in the SLAs, the traffic will work.
In the static routing you need to create only one default route with the SD-WAN zone as the interface.
However, I would say it is not good practice to keep overlay and underlay in the same zone.
Created on 07-25-2024 10:27 PM Edited on 07-25-2024 10:28 PM
Thanks Amrit,
The IPsec overlay interface is based on MPLS (a separate link), not on the underlay interface.
The two interfaces I mentioned in the post are not in the same zone. The underlay interface is within ZONE_Internet; the MPLS-based IPsec tunnel is within Zone_WAN. They are just two interfaces in the same SD-WAN rule.
But there is only one default route (under Static Routes in the GUI) pointing to the underlay interface in ZONE_Internet. I want to know if one more default route is required pointing to the MPLS-based tunnel interface.
Actually, we had an issue a few days ago that made the underlay interface go down, and RIA Internet was working, but I do not know what made it work when the underlay interface went down.
Please refer to this document for the SD-WAN DIA and RIA setup and click on the Next button to check the static default route configuration: https://docs.fortinet.com/document/fortigate/7.4.4/administration-guide/942095/sd-wan-members-and-zo....
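The layout the replies describe (two members in separate zones, one health check probing both, an SLA-mode rule with the underlay preferred, and a single default route whose interface is the SD-WAN zones rather than either member), written here as an added FortiOS 7.4 CLI example that is not from the thread or the linked document. Interface names, the ISP gateway, the DNS probe server and the SLA thresholds are assumptions; only the zone names come from the thread.

```fortios
config system sdwan
    config zone
        edit "ZONE_Internet"
        next
        edit "Zone_WAN"
        next
    end
    config members
        edit 1
            set interface "wan1"               # assumed underlay port (DIA)
            set zone "ZONE_Internet"
            set gateway 203.0.113.1            # assumed ISP next hop
        next
        edit 2
            set interface "mpls-ipsec"         # assumed IPsec tunnel over MPLS (RIA)
            set zone "Zone_WAN"
        next
    end
    config health-check
        edit "Internet_DNS"
            set protocol dns                   # DNS probe, as the poster plans to use
            set server "198.51.100.53"         # assumed resolver reachable via both paths
            set members 1 2                    # both members are probed independently
            config sla
                edit 1
                    set latency-threshold 250
                    set packetloss-threshold 5
                next
            end
        next
    end
    config service
        edit 1
            set mode sla
            set src "all"
            set dst "all"
            config sla
                edit "Internet_DNS"
                    set id 1
                next
            end
            set priority-members 1 2           # underlay first, tunnel when it fails SLA
        next
    end
end
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set sdwan-zone "ZONE_Internet" "Zone_WAN"   # one default route, both zones
    next
end
```

With the route bound to the zones, a failed SLA on member 1 withdraws only that member's path and member 2 keeps a valid default route, which is the behaviour the replies describe.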