Using ADVPN as backup to MPLS, Updating static routes?
We have MPLS connecting all of our sites and we just brought in secondary ISPs for backup.I'm in the process of getting ADVPN set up between our main/hub site and a single spoke site.For MPLS, we're using static routes back to the MPLS router.On the spoke site, when I simulate a down - Fortigate removes all the routes (because of a link monitor) to that router, which is good because the BGP routes are there with a higher metric to take over.However, on the hub site a link monitor or Performance SLA won't work because it would remove all routes for all sites instead of just the site that's down.As I add in more spokes, I assume i'll run in to the exact same problem at those sites.I haven't found much as far as examples, but did find this example from fortinet. If i understand it correctly they're setting up an ipsec tunnel over the MPLS which doesn't seem efficient.Is there a way to accomplish what we're trying to do without running an ipsec tunnel over the mpls?
Not that I know of, but I'd encourage you to rethink the alternative. You're sending all of your traffic unencrypted across someone else's network (your MPLS provider) now, right? So by setting up the (slightly less efficient) IPSEC tunnel, you're gaining a better security profile *as well as* solving your routing problem. Win-win if you ask me.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.