03-SD-WAN Design Principles

Uploaded by

raghava030820

SD-WAN Design Principles:

When designing your Secure SD-WAN solution, we recommend that you use the following
Five-Pillar Approach. The Five-Pillar Approach is described in the SD-WAN / SD-Branch
Architecture guide and is the recommended way to design a secure SD-WAN solution.

Underlay:
Determine the WAN links that will be used for the underlay network, such as your broadband
link, MPLS, 4G/5G LTE connection, and others. For each link, determine the bandwidth, quality
and reliability (packet loss, latency, and jitter), and cost. Use this information to decide
which link to prefer and what type of traffic to send across each link, and to help you set the
baselines for health checks.

Overlay:
VPN overlays are needed when traffic must travel across multiple sites. These are usually site-
to-site IPsec tunnels that interconnect branches, datacenters, and the cloud, forming a hub-
and-spoke topology. The management and maintenance of the tunnels should be considered
when determining the overlay network requirements. Manual tunnel configuration might be
sufficient in a small environment, but could become unmanageable as the environment size
increases. ADVPN can be used to help scale the solution; see ADVPN for more information.

Routing:
Traditional routing designs manipulate routes to steer traffic to different links. SD-WAN uses
traditional routing to build the basic routing table to reach different destinations, but uses SD-
WAN rules to steer traffic. This allows the steering to be based on criteria such as destination,
internet service, application, route tag, and the health of the link. Routing in an SD-WAN
solution is used to identify all possible routes across the underlays and overlays, which the
FortiGate balances using ECMP.
In the most basic configuration, static gateways that are configured on an SD-WAN member
interface automatically provide the basic routing needed for the FortiGate to balance traffic
across the links. As the number of sites and destinations increases, manually maintaining routes
to each destination becomes difficult. Using dynamic routing to advertise routes across overlay
tunnels should be considered when you have many sites to interconnect.

Security:
Security involves defining policies for access control and applying the appropriate protection
using the FortiGate's NGFW features. Efficiently grouping SD-WAN members into SD-WAN
zones must also be considered. Typically, underlays provide direct internet access and overlays
provide remote internet or network access. Grouping the underlays together into one zone,
and the overlays into one or more zones could be an effective method.

1 | P a g e Created by Ahmad Ali E-Mail: [email protected] , WhatsApp: 00966564303717


SD-WAN:
The SD-WAN pillar is the intelligence that is applied to traffic steering decisions. It comprises
four primary elements:
SD-WAN Zones:
SD-WAN is divided into zones. SD-WAN member interfaces are assigned to zones, and zones are
used in policies as source and destination interfaces. You can define multiple zones to group
SD-WAN interfaces together, allowing logical groupings for overlay and underlay interfaces.
Routing can be configured per zone.
SD-WAN Members:
Also called interfaces, SD-WAN members are the ports and interfaces that are used to run
traffic. At least one interface must be configured for SD-WAN to function.
Performance SLAs:
Also called health-checks, performance SLAs are used to monitor member interface link quality,
and to detect link failures. When the SLA falls below a configured threshold, the route can be
removed, and traffic can be steered to different links in the SD-WAN rule.
SD-WAN Rules:
Also called services, SD-WAN rules control path selection. Specific traffic can be dynamically
sent to the best link, or use a specific route.
Rules control the strategy that the FortiGate uses when selecting the outbound traffic interface,
the SLAs that are monitored when selecting the outgoing interface, and the criteria for selecting
the traffic that adheres to the rule. When no SD-WAN rules match the traffic, the implicit rule
applies.
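The following FortiOS CLI script is an added example, not part of the original document, that ties the Security and SD-WAN pillars together: two underlay members with static gateways, grouped into an "underlay" zone; a performance SLA with latency, jitter and packet-loss thresholds; an SLA-mode SD-WAN rule that steers traffic to the first listed member still inside SLA; and a firewall policy that references the zone rather than individual members. FortiOS 7.x syntax is assumed; the interface names, gateway and probe addresses (documentation ranges), profile names and threshold values are assumptions chosen for illustration, and lines starting with # are comments. Check the CLI reference for the release in use before applying it.

```fortios
# Added example (not from the original document): FortiOS 7.x CLI sketch of the
# four SD-WAN elements plus one firewall policy that uses an SD-WAN zone.
# Interface names, addresses, profile names and thresholds are assumptions.

config system sdwan
    set status enable
    # Zones: underlays (direct internet access) in one zone, overlays in another
    config zone
        edit "underlay"
        next
        edit "overlay"
        next
    end
    # Members: the static gateway on each member gives the FortiGate its basic
    # routes, which it balances with ECMP until an SD-WAN rule says otherwise
    config members
        edit 1
            set interface "wan1"          # assumed: broadband link
            set zone "underlay"
            set gateway 192.0.2.1         # assumed documentation address
        next
        edit 2
            set interface "wan2"          # assumed: MPLS link
            set zone "underlay"
            set gateway 198.51.100.1      # assumed documentation address
        next
    end
    # Performance SLA (health check): probes both underlays; a member that
    # misses the SLA is skipped by rules that reference it, and with
    # update-static-route enabled its static route is withdrawn as well
    config health-check
        edit "internet-probe"
            set server "198.51.100.254"   # assumed probe target
            set protocol ping
            set interval 500
            set failtime 5
            set recoverytime 5
            set update-static-route enable
            set members 1 2
            config sla
                edit 1
                    set link-cost-factor latency jitter packet-loss
                    set latency-threshold 250
                    set jitter-threshold 50
                    set packetloss-threshold 2
                next
            end
        next
    end
    # SD-WAN rule (service): steer matching traffic to the first listed member
    # that is currently inside SLA 1; traffic matching no rule hits the implicit rule
    config service
        edit 1
            set name "branch-internet-sla"
            set mode sla
            set src "all"
            set dst "all"
            config sla
                edit "internet-probe"
                    set id 1
                next
            end
            set priority-members 1 2
        next
    end
end

# Security pillar: the policy references the zone, not individual members, so a
# third underlay added to the zone later needs no policy change
config firewall policy
    edit 1
        set name "lan-to-internet"
        set srcintf "lan"                 # assumed LAN interface name
        set dstintf "underlay"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set webfilter-profile "default"
        set ips-sensor "default"
        set logtraffic all
        set nat enable
    next
end
```

With this configuration, if wan1 exceeds 250 ms latency or 2% loss for five consecutive probes, the rule falls through to wan2 while wan1 stays in the zone and the policy continues to match; when wan1 recovers for five probes it becomes the preferred member again. Logging all traffic on the policy is what lets you see those path changes per session afterwards.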

SD-WAN Architectures:
The core functionalities of Fortinet's SD-WAN solution are built into the FortiGate. Whether the
environment contains one FortiGate, or one hundred, you can use SD-WAN by enabling it on
the individual FortiGates.

Single Device Design:


At a basic level, SD-WAN can be deployed on a single device in a single site environment.

Single Hub Design:


At a more advanced level, SD-WAN can be deployed in a multi-site, hub and spoke
environment. The sites are interconnected by IPsec overlays, forming a hub-and-spoke topology.
The hub is located at the customer's central office or a datacenter. The spokes (edges) are
distributed across all remote sites: branch offices, retail stores, homeworkers, and so on. Most
traffic is either spoke-to-hub or direct internet access from spokes. Occasional spoke-to-spoke
communication flows through direct ADVPN shortcuts.

Dual-Hub Design:
At an enterprise level, the network can include multiple hubs, possibly across multiple regions.
Customers willing to provide geographic redundancy to their SD-WAN solution will typically
extend the design to include a secondary hub. In this design, each hub acts precisely as in the
base design, and the hubs are independent of each other. The spokes connect to the dial-up
IPsec endpoints of both hubs over all available underlay transports. Effectively, each of the hubs
defines its own set of point-to-multipoint overlays. After connecting to all the overlays, the
spokes also establish separate IBGP sessions to both hubs through each of the overlays. The
spokes then advertise their local site prefix(es) to both hubs, and each of the hubs acts as an
independent BGP route reflector. As a result of this route exchange, all the sites learn each
other’s prefixes by all available overlays through both hubs.
