Fortigate SDWAN


SD-WAN’s core capabilities:

  • multi-path control
  • application awareness
  • resultant dynamic application steering


Starting in FortiOS 7.2.1, the entire application category from FortiGuard can be selected as a destination in the SD-WAN service rule. Previously, only application groups and individual applications could be selected.


Fortinet Secure SD-WAN components:

  • FortiGate NGFW, which runs FortiOS, is the core of Secure SD-WAN
  • Fortinet ZTNA Access Proxy, which runs natively in FortiOS, starting in FortiOS 7.0
  • FortiManager for the orchestration and management plane
  • FortiAnalyzer for advanced analytics and automation
  • FortiPortal to provide a scalable and flexible customer self-service portal

The Fortinet Secure SD-WAN solution can be extended to Secure SD-Branch. SD-Branch components:

  • FortiSwitch
  • FortiAP
  • FortiExtender

SD-WAN configuration

SD-WAN interface members
    Can include underlays or overlays.
    For convenience, the SD-WAN members are grouped into SD-WAN zones.

Performance SLA
    Health-check probes (including Ping, HTTP, TCP/UDP Echo, TWAMP, or DNS).
    Each probe measures latency, jitter, and packet loss percentage.

SD-WAN rules 

SD-WAN Strategy

  • Best Quality—select an SD-WAN member with the best measured quality.
  • Lowest Cost (SLA)—select the cheapest SD-WAN member that meets a given SLA target.
  • Maximize Bandwidth (SLA)—load-balance across all SD-WAN members that meet a given SLA target.
  • Manual—manually specify an SD-WAN member to select.


SD-WAN routing logic


  • SD-WAN rules are matched only if the best route to the destination points to SD-WAN.

  • SD-WAN member is selected only if it has a route to the destination.
    This does not have to be the best route this time!


  1. Our dynamic tunneling technology—Auto-Discovery VPN (ADVPN)—automatically builds direct IPsec tunnels between the sites willing to communicate. These tunnels (also called shortcuts) immediately become part of the overlay topology of your SD-WAN solution. And once the communication between the sites is over, these shortcuts can be automatically torn down to free up the resources.
  2. We also use industry-standard dynamic routing protocols (BGP being a typical choice), to exchange currently available paths between sites, automatically adapting to all topology changes.
The duty to steer the traffic in our solution is delegated to the fifth pillar—the SD-WAN. Therefore, it is (generally) not recommended to apply any route policy techniques to the routes learned via BGP. Rather than selecting a single best route, we want to end up with equal-cost multi-path (ECMP) routes to all remote sites via all available overlays.


When using FortiManager

overlay stickiness


Hubs generally do not require SD-WAN configuration, since they do not act as originating sites for traffic. They must only respect the steering decisions made by other sites, in both directions.


FortiOS 7.2.4 and later includes a Fabric Overlay Orchestrator that simplifies deployments of SD-WAN regions where FortiManager is not required.
The Fabric Overlay Orchestrator is built into FortiOS, allowing devices inside the Security Fabric to automatically interconnect and self-form a new SD-WAN region.

Enable Security Fabric as the root to see the menu VPN > Fabric Overlay Orchestrator.



=======SDWAN for DIA========================

1. Configure WAN interface IP addresses and remove all other interface-related configuration; the interface's Ref (reference count) should show 0.

2. There is a default SD-WAN zone called "virtual-wan-link" (older versions called it the SD-WAN interface). Navigate to Network > SD-WAN Zones, then Create New > SD-WAN Member.

Verification:
Network > SD-WAN Zones

Verification:
Network > Interfaces

2. (optional) SDWAN load balancing mode

SD-WAN Implicit Rules


3. Set default route using SD-WAN interface.

4. Add firewall policy

5. Verify routing:

Local-FortiGate # get router info routing-table all
...

Routing table for VRF=0
S*      0.0.0.0/0 [1/0] via 10.200.1.254, port1
                  [1/0] via 10.200.2.254, port2
C       10.0.1.0/24 is directly connected, port3
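The routing-table listing above is what the two SD-WAN routing-logic conditions earlier on this page are checked against: a rule can only match when the best route to the destination points to SD-WAN, and a member is only eligible when it has some route there (not necessarily the best one). The following is an added example, not FortiOS code: it parses output in the format shown, does a longest-prefix match, and evaluates both conditions. The sample output is constructed to match the listing above, and treating port1 and port2 as the SD-WAN members (port3 as LAN) is an assumption.

```python
# Added example (not FortiOS code): parse "get router info routing-table all"
# output and apply the two SD-WAN routing-logic conditions from this page.
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample output, in the format of the CLI listing on this page.
SAMPLE_OUTPUT = """\
Routing table for VRF=0
S*      0.0.0.0/0 [1/0] via 10.200.1.254, port1
                  [1/0] via 10.200.2.254, port2
C       10.0.1.0/24 is directly connected, port3
"""

# Assumption for this example: port1 and port2 are the SD-WAN members; port3 is LAN.
SDWAN_MEMBERS = {"port1", "port2"}

# A route line starts with the route code column (S*, C, B, ...) and a prefix.
ROUTE_RE = re.compile(r"^(?P<code>[A-Z][A-Z0-9*]*)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+(?P<rest>.*)$")
# Each next hop ends with the outgoing interface name.
HOP_RE = re.compile(r"(?:via \S+, |is directly connected, )(?P<iface>\S+)")

Routes = Dict[str, List[str]]   # prefix -> outgoing interfaces (one per ECMP next hop)


def parse_routing_table(text: str) -> Routes:
    """Map each prefix to the list of outgoing interfaces of all its next hops."""
    routes: Routes = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            current = m["prefix"]
            routes.setdefault(current, [])
            rest = m["rest"]
        elif current is not None and line.startswith(" ") and "[" in line:
            rest = line.strip()          # additional ECMP next hop of the previous prefix
        else:
            continue                     # header, "...", blank lines
        hop = HOP_RE.search(rest)
        if hop:
            routes[current].append(hop["iface"])
    return routes


def best_route(routes: Routes, dst: str) -> Optional[Tuple[str, List[str]]]:
    """Longest-prefix match: the route the FortiGate would actually use."""
    addr = ipaddress.ip_address(dst)
    matches = [p for p in routes if addr in ipaddress.ip_network(p, strict=False)]
    if not matches:
        return None
    net = max(matches, key=lambda p: ipaddress.ip_network(p, strict=False).prefixlen)
    return net, routes[net]


def sdwan_rule_can_match(routes: Routes, dst: str, members=SDWAN_MEMBERS) -> bool:
    """Condition 1: the best route to dst must point to SD-WAN.
    Assumption: a best route with any next hop on an SD-WAN member counts."""
    best = best_route(routes, dst)
    return best is not None and any(iface in members for iface in best[1])


def eligible_members(routes: Routes, dst: str, members=SDWAN_MEMBERS) -> List[str]:
    """Condition 2: a member needs *a* route to dst, not the best one."""
    addr = ipaddress.ip_address(dst)
    reachable = {iface
                 for prefix, ifaces in routes.items()
                 if addr in ipaddress.ip_network(prefix, strict=False)
                 for iface in ifaces}
    return sorted(m for m in members if m in reachable)


if __name__ == "__main__":
    table = parse_routing_table(SAMPLE_OUTPUT)
    for dst in ("8.8.8.8", "10.0.1.50"):
        print(dst, best_route(table, dst),
              "rule can match:", sdwan_rule_can_match(table, dst),
              "eligible:", eligible_members(table, dst))
```

For 8.8.8.8 the best route is the ECMP default via port1 and port2, so a rule can match and both members are eligible. For 10.0.1.50 the best route is the connected LAN route on port3, so no SD-WAN rule matches, even though both members still have a (default) route to it.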


Dashboard > Network > Routing

6. Create SD-WAN rules
   • Manual: manually assign outgoing interfaces.
   • Best Quality: the interface with the best measured performance is selected.
   • Lowest Cost (SLA): the interface that meets SLA targets is selected. When there is a tie, the interface with the lowest assigned cost is selected.
   • Maximize Bandwidth (SLA): traffic is load balanced among interfaces that meet SLA targets.
   Also need to set Interface Preference.


7. Performance SLA

Create an SLA or pick a pre-defined one, and assign SD-WAN members to it.
Set the target server and the protocol used to probe the server.

For Lowest Cost (SLA) and Maximize Bandwidth (SLA) SD-WAN rules, an SLA Target is required.
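To make the strategies listed under "SD-WAN Strategy" and in step 6 concrete, here is an added example (not FortiOS code) that models how each of the four strategies picks a member from Performance SLA measurements against an SLA target. The member names, costs, measurements and targets are constructed; the choice of latency as the default Best Quality criterion, and falling back to the first member in interface preference order when no member is in SLA, are assumptions of this example rather than documented FortiOS behaviour.

```python
# Added example (not FortiOS code): a model of the four SD-WAN rule strategies
# choosing an outgoing member from Performance SLA measurements.
from dataclasses import dataclass
from typing import List


@dataclass
class Member:
    name: str
    cost: int            # cost assigned to the SD-WAN member (lower is cheaper)
    latency_ms: float    # measured by the Performance SLA health-check probe
    jitter_ms: float
    loss_pct: float


@dataclass
class SlaTarget:
    latency_ms: float
    jitter_ms: float
    loss_pct: float


def meets_sla(m: Member, target: SlaTarget) -> bool:
    """A member is 'in SLA' when every measured value is within its target."""
    return (m.latency_ms <= target.latency_ms
            and m.jitter_ms <= target.jitter_ms
            and m.loss_pct <= target.loss_pct)


def manual(preference: List[str]) -> str:
    # Manual: the administrator fixes the outgoing interface; first preferred member wins.
    return preference[0]


def best_quality(members: List[Member], criterion: str = "latency_ms") -> str:
    # Best Quality: lowest measured value of the chosen criterion wins
    # (latency by default; jitter_ms or loss_pct are the other measured values).
    return min(members, key=lambda m: getattr(m, criterion)).name


def lowest_cost_sla(members: List[Member], target: SlaTarget, preference: List[str]) -> str:
    # Lowest Cost (SLA): among members meeting the SLA target pick the cheapest;
    # ties are broken by the configured interface preference order.
    in_sla = [m for m in members if meets_sla(m, target)]
    if not in_sla:
        # Assumption for this example: with no member in SLA, fall back to the
        # first member in interface preference order.
        return preference[0]
    return min(in_sla, key=lambda m: (m.cost, preference.index(m.name))).name


def maximize_bandwidth_sla(members: List[Member], target: SlaTarget,
                           preference: List[str]) -> List[str]:
    # Maximize Bandwidth (SLA): traffic is load balanced across every member in SLA.
    in_sla = {m.name for m in members if meets_sla(m, target)}
    chosen = [name for name in preference if name in in_sla]
    return chosen or [preference[0]]     # same fallback assumption as above


# Constructed sample measurements (not real probe results).
MEMBERS = [
    Member("port1", cost=0,  latency_ms=20.0, jitter_ms=2.0,  loss_pct=0.0),   # MPLS
    Member("port2", cost=10, latency_ms=15.0, jitter_ms=1.0,  loss_pct=0.5),   # broadband
    Member("port3", cost=20, latency_ms=80.0, jitter_ms=10.0, loss_pct=3.0),   # LTE
]
PREFERENCE = ["port1", "port2", "port3"]
TARGET = SlaTarget(latency_ms=50.0, jitter_ms=5.0, loss_pct=1.0)

if __name__ == "__main__":
    print("Manual:             ", manual(PREFERENCE))
    print("Best Quality:       ", best_quality(MEMBERS))
    print("Lowest Cost (SLA):  ", lowest_cost_sla(MEMBERS, TARGET, PREFERENCE))
    print("Max Bandwidth (SLA):", maximize_bandwidth_sla(MEMBERS, TARGET, PREFERENCE))
```

With these numbers, Best Quality prefers port2 (lowest latency) while Lowest Cost (SLA) prefers port1 (cheapest member that is still within the target), which is the usual reason to pick one strategy over the other for a given application.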

===============

  • WAN Remediation (packet loss correction): There are situations where protecting the application from packet loss is crucial to business continuity. WAN remediation refers to a series of techniques to fix packet loss on a WAN link. Forward Error Correction (FEC) and Packet Duplication are WAN remediation techniques that can be used to protect a link from various types of impairments.

=========================
ibgp-multipath enable
    inject ECMP routes into the local routing table

additional-path enable
    advertise multiple ECMP routes to BGP peers; when disabled, only the single best route is advertised

When there are multiple ECMP routes to a BGP next hop, all of them are considered for the next hop recursive resolution. This ensures that the outgoing traffic can be load balanced.

By default, BGP routes are not considered when a BGP next hop requires recursive resolution. They are considered when recursive-next-hop is enabled. Recursive resolution will resolve to one level.

To configure the ECMP algorithm from the CLI:

  • At the VDOM level:

    config system settings
        set v4-ecmp-mode {source-ip-based* | weight-based | usage-based | source-dest-ip-based}
    end

  • If SD-WAN is enabled, the above option is not available and ECMP is configured under the SD-WAN settings:

    config system sdwan
        set status enable
        set load-balance-mode {source-ip-based* | weight-based | usage-based | source-dest-ip-based | measured-volume-based}
    end
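What the hash-style load-balance modes above actually do to traffic is easier to see on a set of flows. The following is an added example, not FortiOS code: it models source-ip-based, source-dest-ip-based and weight-based selection over constructed flows from 200 LAN hosts. The hash function is an illustrative stand-in (FortiOS's real algorithm is not documented on this page), and usage-based and measured-volume-based modes are not modelled because they depend on live traffic counters.

```python
# Added example (not FortiOS code): how the hash-style ECMP / SD-WAN
# load-balance modes spread flows across members. The hash is a stand-in.
import hashlib
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple


def _flow_hash(*fields: str) -> int:
    """Deterministic stand-in for the forwarding hash (not FortiOS's algorithm)."""
    data = "|".join(fields).encode()
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")


def pick_member(members: List[str], mode: str, src: str, dst: str,
                weights: Optional[Dict[str, int]] = None) -> str:
    """Return the ECMP member a (src, dst) flow lands on under the given mode."""
    if mode == "source-ip-based":
        # Every flow from one source host sticks to the same member.
        return members[_flow_hash(src) % len(members)]
    if mode == "source-dest-ip-based":
        # Flows from one host are spread across members by destination.
        return members[_flow_hash(src, dst) % len(members)]
    if mode == "weight-based":
        # Members receive flows in proportion to their configured weight:
        # hash the flow into one of `total` buckets and walk the weight ranges.
        if not weights:
            raise ValueError("weight-based mode needs per-member weights")
        total = sum(weights[m] for m in members)
        bucket = _flow_hash(src, dst) % total
        for m in members:
            bucket -= weights[m]
            if bucket < 0:
                return m
    raise ValueError(f"unsupported mode: {mode}")


def distribution(members: List[str], mode: str, flows: List[Tuple[str, str]],
                 weights: Optional[Dict[str, int]] = None) -> Dict[str, int]:
    """Count how many of the given (src, dst) flows each member carries."""
    return dict(Counter(pick_member(members, mode, s, d, weights) for s, d in flows))


def per_host_members(members: List[str], mode: str,
                     flows: List[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Which members each source host ends up using; one member per host = sticky."""
    seen: Dict[str, Set[str]] = {}
    for s, d in flows:
        seen.setdefault(s, set()).add(pick_member(members, mode, s, d))
    return seen


# Constructed sample: 200 LAN hosts each talking to five destinations (1000 flows).
MEMBERS = ["port1", "port2"]
FLOWS = [(f"10.0.1.{h}", f"203.0.113.{d}") for h in range(1, 201) for d in range(1, 6)]

if __name__ == "__main__":
    for mode in ("source-ip-based", "source-dest-ip-based"):
        sticky = all(len(v) == 1 for v in per_host_members(MEMBERS, mode, FLOWS).values())
        print(mode, distribution(MEMBERS, mode, FLOWS), "per-host sticky:", sticky)
    print("weight-based 3:1", distribution(MEMBERS, "weight-based", FLOWS, {"port1": 3, "port2": 1}))
```

The source-ip-based default keeps all of a host's sessions on one member (useful when a destination expects a stable source address, for example an upstream service doing per-IP session tracking), at the price of a coarser spread; source-dest-ip-based spreads each host's sessions across members; weight-based skews the split toward the member with the larger configured weight.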
