Is the same AS number being used for all four overlay tunnels in the BGP configuration?
yes, all iBGP
what strategy do you use in SDWAN . Lowest Cost SLA ?
Depends on Customer.
Some customers want maximum bandwidth so they can utilize multiple paths/ISP's.
However most use Lowest Cost SLA so it uses the best path, and if a tie (both meet SLA) then it goes in order listed or cost of link that you set
I also had a question on the very last step of adding the policy routes to prevent asynchronous routing. I haven't seen that configured in any Fortinet documentation but I'm guessing if it isn't configured, you might run into problems during a failover correct?
Yes, you'll get cross overlay traffic which will cause all sorts of issues unless potentially.
It took me about 6 months to build this configuration out. I used about 7 different FTNT documents, as they did not have one "golden standard" I had also opened multiple tickets and kept getting alternating answers. Yes, you'll need that policy route to protect against cross-overlay traffic (asymmetry), which could affect applications. Thus it is for always traffic, not just failover
@secrit-com I know the feeling of getting different answers from Fortinet support particularly when it's a more advanced configuration. I've encountered this many times when troubleshooting SDWAN issues, I can only imagine how it might be with ADVPN.
This video is my version of best practices from about 6 different fortinet documents, many of which are in conflict with each other. Yes that policy route prevents cross overly traffic that may occur with failover/failback
I have a question about HUB configuration, when you show the route maps "DENY-1" & "DENY-2" the line "set match-ip-nexthop "pl.PATH2" or "pl.PATH1" I want to know what "pl.PATHx" means because I want to configure a scenario like yours but that line shows an error
pl.PATHx are prefix lists matching the address space used for the transit across path1 or path2.
Let's say the subnet we use for path1 is 1.1.1.0/24
and the subnet we use for path2 is 2.2.2.0/24.
i make pl.PATH1 = 1.1.1.0/24
pl.PATH2 = 2.2.2.0/24
and have a route map rm.PATH1 that says if i see pl.Path2 then deny. "if i see path2 neighbor on path1 then DENY, and anything else allow" then also the inverse of that across the other path
@secrit-com Can you share the PrefixLists you use for pl.Path1 & pl.Path2?
@JCD80 they are the address space for the peerings/transit
ex: 10.1.0.0/24 for path1 communications
and 10.2.0.0/24 for path2 comms
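Putting the replies above into FortiOS CLI form, as an added example that is not the video author's configuration: the transit ranges 10.1.0.0/24 and 10.2.0.0/24 come from the thread, while the interface names `PATH1`/`PATH2`, the neighbor addresses and the AS number are assumptions. Each route map denies a route whose BGP next-hop falls in the other overlay's prefix list and permits everything else, and the policy routes at the end pin return traffic to the overlay it arrived on, which is the asymmetry protection discussed earlier in the thread.

```fortios
# Added example, not the video's config. Prefix lists for each overlay's transit space
# (10.1.0.0/24 and 10.2.0.0/24 as stated in the thread).
config router prefix-list
    edit "pl.PATH1"
        config rule
            edit 1
                set prefix 10.1.0.0 255.255.255.0
            next
        end
    next
    edit "pl.PATH2"
        config rule
            edit 1
                set prefix 10.2.0.0 255.255.255.0
            next
        end
    next
end

# Route maps: deny a route whose next-hop belongs to the OTHER overlay, permit the rest.
# rm.PATH1 is applied to the path1 neighbor, so a path2 next-hop seen there is dropped.
config router route-map
    edit "rm.PATH1"
        config rule
            edit 1
                set action deny
                set match-ip-nexthop "pl.PATH2"
            next
            edit 2
                set action permit
            next
        end
    next
    edit "rm.PATH2"
        config rule
            edit 1
                set action deny
                set match-ip-nexthop "pl.PATH1"
            next
            edit 2
                set action permit
            next
        end
    next
end

# Apply inbound on the iBGP neighbors. Neighbor IPs and AS 65000 are assumed values.
config router bgp
    set as 65000
    config neighbor
        edit "10.1.0.2"
            set remote-as 65000
            set route-map-in "rm.PATH1"
        next
        edit "10.2.0.2"
            set remote-as 65000
            set route-map-in "rm.PATH2"
        next
    end
end

# Policy routes: traffic that entered on one overlay leaves on the same overlay,
# so there is no cross-overlay (asymmetric) return path. Interface names are assumed.
config router policy
    edit 1
        set input-device "PATH1"
        set output-device "PATH1"
    next
    edit 2
        set input-device "PATH2"
        set output-device "PATH2"
    next
end
```

The two deny rules are the "if I see a path2 neighbor on path1 then DENY" logic from the reply, and `get router info bgp network` after applying them should show each prefix only with the next-hop of the overlay it was learned on.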
any chance you would be willing to share the configs?
please can you share the configuration ?
It is possible to configure one ADVPN tunnel to work with two ISP providers and manage the failover through SD-WAN?
If you have two ISP providers you will want two ADVPN tunnels so they are both active/active and failover immediately.
If you were to build ADVPN single tunnel and use IPSEC backup host, if the tunnel went down you would have to wait for it to re-negotiate on the second provider.
That is more difficult and more work than just making the 2 tunnels of ADVPN
can you please advise where you get the neterm from ? Thanks
neterm ?