Hi Guys,
Seeking some design assistance for a new network rollout (WAN design) using Fortinet FortiGates. I'm familiar with some of the aforementioned technology, but not to the depth that would allow me to accomplish the design.
I'm seeking some guidance on the interconnectivity between iBGP, SD-WAN and possibly ADVPN, specifically related to the design below. If anyone would be able to lend some technical assistance / guidance based on their experience, it would be greatly appreciated.
Based on the design below:
1. Is a transit gateway required to accomplish the design below from the island hub to the primary hub?
a. Use eBGP between the island hub and the primary hub, eliminating the transit gateway altogether
b. Use eBGP between the island hub and the transit gateway, and next-hop-self (iBGP) on the transit gateway to the primary hub
c. eBGP between the island WAN and the BB transit gateway, eBGP between the BB transit gateway and BB primary (separate the AS completely)
What do you think may be the best / most viable option in this scenario?
2. I'm leaning towards not using ADVPN on the spokes because each spoke will have different providers:
a. I understand, based on research, that ADVPN can be accomplished on different underlays once the overlays utilize the same subnet. Any confirmations or clarifications here?
b. Assuming that we utilize separate IPsec tunnels, can I just configure my iBGP neighbor here and have it route through whichever tunnel SD-WAN chooses?
c. "configure my iBGP neighbor here and have it route": I'm assuming this would be automatic once SD-WAN chooses the link to utilize, once the BGP neighbor config is correct. Correct?
Any guidance or support from anyone who understands the topics involved is greatly appreciated.
Hello RoutedRob,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
From my understanding, your design intent falls under the category of multi-regional deployment for ADVPN. The ADVPN feature on the FortiGate side is really just auto-discovery sender/receiver/forwarder. Disabling this auto-discovery setting in the IPsec settings determines whether you can use ADVPN or not, which is basically just the shortcut tunnels forming spoke-to-spoke.
You may find these documents helpful:
A transit gateway is not required. You can just form an IPsec tunnel between the island hub and the primary hub using eBGP. Please note that only SD-WAN is required to be configured for the IPsec tunnels on the spoke side.
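Worked configuration for the answer above (an added example, not from the original thread and not Fortinet's own documentation): the primary hub terminates the spokes on a dial-up phase1 with auto-discovery-sender, and peers with the island hub by eBGP over a static tunnel, so no transit gateway sits between them. FortiOS 7.x CLI syntax is assumed; the interface and tunnel names, the addresses (203.0.113.20, the 10.10.x.x overlays, the 10.255.255.1 loopback), the AS numbers 65000/65001, the auto-discovery-forwarder setting on the hub-to-hub tunnel and the pre-shared key placeholder are all assumptions of this example.

```fortios
# Primary hub (AS 65000). Assumed example, FortiOS 7.x syntax.
# A second dial-up overlay "hub-ov2" on port2 / 10.10.11.1 is configured the
# same way as "hub-ov1" and is not shown. phase2-interface entries (one per
# phase1, with "set phase1name") are omitted for brevity.
config vpn ipsec phase1-interface
    edit "hub-ov1"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set add-route disable
        set auto-discovery-sender enable
        set psksecret <shared-secret>
    next
    # Static tunnel to the island hub. eBGP runs directly across it, so no
    # transit gateway is needed. forwarder relays shortcut offers between the
    # two hubs' spokes (assumed multi-region setting).
    edit "hub-island"
        set interface "port1"
        set ike-version 2
        set proposal aes256-sha256
        set add-route disable
        set remote-gw 203.0.113.20
        set auto-discovery-sender enable
        set auto-discovery-forwarder enable
        set psksecret <shared-secret>
    next
end
config system interface
    edit "hub-ov1"
        set ip 10.10.10.1 255.255.255.255
        set remote-ip 10.10.10.254 255.255.255.0
    next
    edit "hub-island"
        set ip 10.10.20.1 255.255.255.255
        set remote-ip 10.10.20.2 255.255.255.255
    next
    # Loopback the spokes can probe for SD-WAN health checks (assumed)
    edit "lo-hc"
        set type loopback
        set ip 10.255.255.1 255.255.255.255
        set allowaccess ping
    next
end
config router bgp
    set as 65000
    set router-id 10.255.255.1
    set ibgp-multipath enable
    # Spokes: iBGP, reflected, next-hop-self so eBGP-learned island prefixes
    # carry the hub's overlay address as next hop instead of 10.10.20.2
    config neighbor-group
        edit "spokes"
            set remote-as 65000
            set route-reflector-client enable
            set next-hop-self enable
        next
    end
    # /23 covers both overlay subnets 10.10.10.0/24 and 10.10.11.0/24
    config neighbor-range
        edit 1
            set prefix 10.10.10.0 255.255.254.0
            set neighbor-group "spokes"
        next
    end
    # Island hub: eBGP, separate AS; the island side mirrors this with
    # remote-as 65000 under its own "set as 65001"
    config neighbor
        edit "10.10.20.2"
            set remote-as 65001
        next
    end
    # LAN prefixes are added here the same way as the loopback
    config network
        edit 1
            set prefix 10.255.255.1 255.255.255.255
        next
    end
end
```

Two points worth checking on a build like this: next-hop-self on the spoke neighbor-group matters because iBGP otherwise passes the island prefixes to the spokes with 10.10.20.2 as next hop, which the spokes cannot resolve; with next-hop-self-rr left at its default of disabled, reflected spoke-to-spoke routes keep the originating spoke's overlay address as next hop, which resolves via the /24 remote-ip and is what lets an ADVPN shortcut take over that traffic. Verify sessions and tunnels on the hub with get router info bgp summary and diagnose vpn tunnel list.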
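The matching spoke side for question 2, again as an added example that is not from the thread: one IPsec overlay per ISP toward the hub, one iBGP neighbor per overlay, and an SD-WAN rule that selects the overlay. BGP only makes both tunnels valid routes; the steering itself is done by SD-WAN. FortiOS 7.x syntax is assumed; the hub WAN address 198.51.100.10, the hub loopback 10.255.255.1 (assumed to be advertised by the hub over BGP and to answer ping), the overlay subnets, the LAN prefix and the SLA thresholds are assumptions of this example.

```fortios
# Spoke (AS 65000), two ISPs. Assumed example, FortiOS 7.x syntax.
# "spoke-ov2" on wan2 toward the hub's second WAN address is configured like
# "spoke-ov1" and is not shown. phase2-interface entries (set phase1name,
# set auto-negotiate enable) are omitted for brevity.
config vpn ipsec phase1-interface
    edit "spoke-ov1"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set add-route disable
        # set to disable to keep all spoke-to-spoke traffic via the hub
        set auto-discovery-receiver enable
        set remote-gw 198.51.100.10
        set psksecret <shared-secret>
    next
end
config system interface
    edit "spoke-ov1"
        set ip 10.10.10.11 255.255.255.255
        set remote-ip 10.10.10.1 255.255.255.0
    next
    edit "spoke-ov2"
        set ip 10.10.11.11 255.255.255.255
        set remote-ip 10.10.11.1 255.255.255.0
    next
end
# One iBGP neighbor per overlay. ibgp-multipath keeps both paths in the
# routing table so an SD-WAN rule can steer to either tunnel.
config router bgp
    set as 65000
    set ibgp-multipath enable
    config neighbor
        edit "10.10.10.1"
            set remote-as 65000
        next
        edit "10.10.11.1"
            set remote-as 65000
        next
    end
    config network
        edit 1
            set prefix 192.168.11.0 255.255.255.0
        next
    end
end
config system sdwan
    set status enable
    config zone
        edit "overlay"
        next
    end
    config members
        edit 1
            set interface "spoke-ov1"
            set zone "overlay"
        next
        edit 2
            set interface "spoke-ov2"
            set zone "overlay"
        next
    end
    # Probe the hub loopback through both overlays so SLA state is per tunnel
    config health-check
        edit "hub"
            set server "10.255.255.1"
            set members 1 2
            config sla
                edit 1
                    set latency-threshold 150
                    set packetloss-threshold 2
                next
            end
        next
    end
    # Prefer overlay 1 while it meets SLA 1, otherwise overlay 2
    config service
        edit 1
            set name "overlay-steering"
            set mode sla
            set src "all"
            set dst "all"
            config sla
                edit "hub"
                    set id 1
                next
            end
            set priority-members 1 2
        next
    end
end
```

Check the result with diagnose sys sdwan service (which member rule 1 currently selects and why) and get router info routing-table bgp on the spoke, where each remote prefix should list both overlay next hops once ibgp-multipath is enabled. Firewall policies from the LAN to the overlay zone are still required and are not shown.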
Copyright 2024 Fortinet, Inc. All Rights Reserved.