7.0.0

SD-WAN as default route

According to rule #2, by default, SD-WAN rules select a member only if there is a valid route to the destination through that member. For Edge-to-Hub and Edge-to-Edge traffic, this valid route will normally be learned by way of BGP. However, for Edge-to-Internet traffic, no specific route will be learned. Hence, for the Remote Internet Access to work as desired in our examples, a default gateway via the MPLS overlays (H1_MPLS, H2_MPLS) is required. Otherwise, the traffic destined to the Internet would never be backhauled to the Hubs.

Configuring SD-WAN to act as a default route for the "overlay" zone solves this problem. Furthermore, it eliminates the need to adjust the routing configuration whenever your SD-WAN rules change. Simply put, it ensures that there will always be a valid route to any destination via any SD-WAN member that is selected by the SD-WAN rules. Thus, SD-WAN rules become fully responsible for traffic steering, in accordance with the Five-Pillar Design Approach. For these reasons, we have recommended this configuration throughout this document.
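The route check described above can be modelled in a few lines. This is an added illustration, not Fortinet code: a simplified Python model in which a rule tries its members in preference order, with constructed prefixes and the hypothetical interface names `H1_INET` and `port1` (only H1_MPLS and H2_MPLS come from this page).

```python
import ipaddress

# Constructed sample data. H1_MPLS and H2_MPLS are the overlays named on the page;
# H1_INET, port1 and all prefixes are hypothetical values for illustration.
OVERLAY_ZONE = ["H1_INET", "H1_MPLS", "H2_MPLS"]
BGP_ROUTES = [("10.0.0.0/8", m) for m in OVERLAY_ZONE]  # corporate prefixes via each overlay
UNDERLAY_DEFAULT = [("0.0.0.0/0", "port1")]             # local Internet breakout

def has_route(routes, member, dst):
    """Rule #2 check: does any route through `member` cover `dst`?"""
    addr = ipaddress.ip_address(dst)
    return any(dev == member and addr in ipaddress.ip_network(prefix)
               for prefix, dev in routes)

def select_member(rule_members, routes, dst):
    """Return the first preferred member with a valid route to dst.

    None means no member qualifies, so the rule is skipped for this traffic.
    """
    for member in rule_members:
        if has_route(routes, member, dst):
            return member
    return None

def with_zone_default(routes, zone):
    """Model 'SD-WAN as default route': a default route via every zone member."""
    return routes + [("0.0.0.0/0", m) for m in zone]

if __name__ == "__main__":
    internet_dst = "198.51.100.10"            # documentation address, constructed
    ria_rule = ["H1_MPLS", "H2_MPLS"]         # Remote Internet Access via the MPLS overlays

    before = BGP_ROUTES + UNDERLAY_DEFAULT
    after = with_zone_default(before, OVERLAY_ZONE)

    # Corporate traffic works either way because BGP supplies the route.
    print("corporate, before:", select_member(ria_rule, before, "10.1.2.3"))
    # Internet traffic: no route via the overlays, so the rule never selects them.
    print("internet,  before:", select_member(ria_rule, before, internet_dst))
    # With the zone acting as default route, the rule alone decides the path.
    print("internet,  after: ", select_member(ria_rule, after, internet_dst))
    # Changing the rule's members needs no routing change.
    print("new rule,  after: ", select_member(["H2_MPLS", "H1_INET"], after, internet_dst))
```
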

Nevertheless, it is worth noting a few alternatives to this approach:
