Does the IPVPN link terminate at every site on every FortiGate? What is on the other end of the IPVPN link? Is it a FortiGate or something else? Just trying to better understand your topology.
You should be able to get eBGP routes into iBGP. That's a fairly basic process of BGP.
Can you post the relevant BGP configs you have today on your FortiGate and, if possible, the IPVPN remote device?
Created on 09-11-2022 11:27 AM Edited on 09-14-2022 05:03 PM
.
Created on 09-11-2022 08:54 PM Edited on 09-11-2022 09:00 PM
OK perhaps I am a bit confused on what's going on here. Is the IPVPN a secondary link you want to add to all sites to send VPN traffic over in addition to your existing WAN link?
If so, the routes you receive from the IPVPN link should get installed in the FGT routing table just the same as any other route, regardless of whether it is RIP, BGP, OSPF, etc.
Your FGT should have routes from the iBGP process on the ADVPN and the eBGP process on the IPVPN. You should be able to ping all sites over either the ADVPN links or the IPVPN links.
You'll want to create another VPN overlay on the IPVPN links and join that to your ADVPN and then you'll have new routes in iBGP from the overlay.
If you want to use ADVPN over the link you will use the eBGP routes of the IPVPN to create the overlay and then you will have new routes from the overlay installed in iBGP. SD-WAN can take care of load balancing.
Does this make sense or am I lost still?
Created on 09-11-2022 09:58 PM Edited on 09-14-2022 05:04 PM
,
Hey yeah you got it. Even if you could get the IPVPN network to route properly you would want to put it into the ADVPN anyway. There are tons of benefits to doing this; the primary one being you can use the iBGP process of ADVPN to help with routing traffic based on link status.
This is where SD-WAN comes into play. Without all links in ADVPN, we cannot set the appropriate BGP community strings to manipulate traffic path selection.
So you are definitely on the right track. Get all the links into ADVPN with an overlay running and then configure SD-WAN and you are good to go.
This whole doc is a good read but this specific section explains in good detail the overall idea behind ADVPN + SD-WAN: https://docs.fortinet.com/document/fortigate/7.0.0/sd-wan-architecture-for-enterprise/531289/design-...
Copyright 2024 Fortinet, Inc. All Rights Reserved.