SDWAN with MPLS and IPSec

Hello,

I am currently working on a project for a company.

Currently they only have a Firewall Cluster in a Datacenter. All the offices are connected through MPLS with the Datacenter. Now they wanna implement Fortigate HA Clusters in each of the offices for Network Segmentation, Filtering, etc.

Currently there is only the MPLS Link, but each office will get an additional Internet Connection soon. Each of the offices should be able to communicate with each other. So I guess the Hub and Spoke Topology would fit best.

Why use SDWAN?

I want to apply SDWAN Rules for specific Applications to use a specific Interface.

→ Office 365 uses the Internet Connection

→ Internal Applications use MPLS

etc.

How would you approach this? Should I go for ADVPN with BGP?

My problem is: all the documentation and tutorials always use 2 IPSec Tunnels for failover.

I only want 1 IPSec Tunnel because they already have MPLS.

How many SDWAN Interfaces should be created then?
1 SDWAN Interface for everything, or one Interface for Internet Traffic and one Interface for MPLS and IPSec?

The typical approach for Fortigate SDWAN is a Static Route with Destination 0.0.0.0/0 to the SDWAN Interface, right? Does the same approach apply in this scenario?

Thanks in advance

ADVPN with BGP: create one IPsec tunnel using the internet connection and one IPsec tunnel using MPLS. Prefer sending internal applications over the MPLS SD-WAN member and you get the failover via the internet SD-WAN member. You can then also use the MPLS connection as a RIA backup via the hub, but preferably have a direct breakout.

Further to my other comment, if you want to get a bit of hands-on with SD-WAN and don’t have a lab, then look into a fast track session from your partner or Fortinet SE.

Why would you want the tunnel over MPLS also? Because you want to treat MPLS as an underlay the same way as the Internet, and because you have opted to use SD-WAN, it probably means you want the flexibility to be able to add networks to branch offices without opening a ticket to the operator of the MPLS network.

You can use one zone for vpn and mpls and set up your rules and SLAs as needed. Sdwan doesn’t care if it’s wan, vpn or mpls. For sdwan it’s all just interfaces.

Advpn is for connection between different spokes. Is that necessary in your case? If not, don’t use it. If you want and need to use it, you will need to implement some kind of dynamic routing, because Advpn doesn’t work without it.

If you have two ISPs at each location you might think about using an sdwan zone for Internet traffic and one for vpn traffic, so it’s a little bit easier to overview and manage, but you don’t need to.

Thanks for your reply.
Why is it necessary to put another IPSec over the MPLS Underlay in this case?
Would you configure only 1 SDWAN Interface with 1 Static Route (Destination 0.0.0.0/0) to this Interface and put all the Members in there?
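As an added illustration (not configuration from the thread or from any poster), here is how the approach discussed above looks in FortiOS 7.x CLI on a spoke: one SD-WAN zone for the direct internet link, one zone holding the two IPsec tunnels to the hub (one over the internet, one over MPLS), a single default static route pointing at both zones, an SLA health check, and the two rules from the original question (Office 365 straight out the internet link, internal applications preferring the tunnel over MPLS with failover to the tunnel over the internet). The interface names `wan1`, `HUB-INET` and `HUB-MPLS`, the ISP gateway, the hub loopback `10.255.1.1`, and the `Corp-Networks` address object are all assumptions; the tunnels themselves are assumed to be defined elsewhere.

```fortios
# Added example, not from the thread. Assumed names are marked below.
# Destination object for the internal applications (assumed prefix).
config firewall address
    edit "Corp-Networks"
        set subnet 10.0.0.0 255.0.0.0
    next
end
config system sdwan
    set status enable
    config zone
        # "underlay": the new direct internet breakout.
        edit "underlay"
        next
        # "overlay": both tunnels to the hub, whichever underlay they ride on.
        edit "overlay"
        next
    end
    config members
        # Member 1: local internet link (assumed interface and ISP next hop).
        edit 1
            set interface "wan1"
            set zone "underlay"
            set gateway 203.0.113.1
        next
        # Member 2: IPsec tunnel to the hub over the internet (assumed name).
        edit 2
            set interface "HUB-INET"
            set zone "overlay"
        next
        # Member 3: IPsec tunnel to the hub over MPLS (assumed name).
        edit 3
            set interface "HUB-MPLS"
            set zone "overlay"
        next
    end
    config health-check
        # Probe the hub loopback (assumed address) through both tunnels.
        edit "HUB-SLA"
            set server "10.255.1.1"
            set protocol ping
            set members 2 3
            config sla
                edit 1
                    set latency-threshold 150
                    set jitter-threshold 30
                    set packetloss-threshold 2
                next
            end
        next
    end
    config service
        # Rule 1: internal applications prefer the tunnel over MPLS (member 3);
        # when it misses the SLA, traffic moves to the tunnel over internet (member 2).
        edit 1
            set name "Internal-prefer-MPLS"
            set mode sla
            set src "all"
            set dst "Corp-Networks"
            config sla
                edit "HUB-SLA"
                    set id 1
                next
            end
            set priority-members 3 2
        next
        # Rule 2: Office 365 goes out the local internet link, matched by ISDB.
        # Verify the exact ISDB entry name on your unit before committing.
        edit 2
            set name "O365-direct"
            set mode manual
            set internet-service enable
            set internet-service-name "Microsoft-Office365"
            set priority-members 1
        next
    end
end
# One default route that covers every member of both zones, so that the
# SD-WAN rules above, not the routing table, choose the egress member.
config router static
    edit 1
        set dst 0.0.0.0/0
        set sdwan-zone "underlay" "overlay"
    next
end
```

Two points a practitioner would check: if BGP runs over the tunnels (as the ADVPN suggestion requires), the internal prefixes arrive via BGP and the default route only needs the `underlay` zone, so SD-WAN rules for `Corp-Networks` then depend on those BGP routes being present; and the split into two zones exists so that the firewall policies for direct internet breakout (with their inspection profiles) stay separate from the policies for traffic to the hub. Adding members 2 and 3 at lower priority to the Office 365 rule would give the RIA-via-hub backup mentioned above.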

Tbh, I would get rid of the mpls, establish 2 different ISPs on the locations and go with sdwan and vpn from there.

How many spokes are we talking about? Is it expected that many spokes will be added in the future? Go for advpn then.
If it’s only a few branches, just go for normal vpns or mpls if you have to.

It’s not necessary, but it’s more secure that way.

Would you configure only 1 SDWAN Interface with 1 Static Route (Destination 0.0.0.0/0) to this Interface and put all the Members in there?

That’s up to you on how you want to do it, like I said. If you want RIA as a backup do it and not if not.

You can for example use embedded SLAs if using IPSec, which may be desirable, e.g. Embedded SD-WAN SLA information in ICMP probes | FortiGate / FortiOS 7.4.1 | Fortinet Document Library, and you can also use segmentation over the IPSec too if useful to you. Just a couple of reasons why you might.

Thank you for your answer. Sorry for my late reply.
Sadly I cannot get rid of MPLS right now. Some branches only have an MPLS Connection right now.

All in all there will be around 10 or 12 Spokes/Branches.
In most cases they only need connectivity from Spoke to Hub, but I’m not sure if that’s really the case. Currently they have the luxury of “everything just works from everywhere” because of MPLS.

Doesn’t sound to me like you have to go for advpn then. I’d just go for a nice sdwan setup, building redundancy for internal apps that are reachable via vpn and mpls.