NSE7_SDW-7.2 SD-WAN overlay design and best practices

SD-WAN Overlay Design and Best Practices Detailed Explanation

SD-WAN overlay design is about how you structure your network to optimize traffic flow, ensure reliability, and secure data transmission. It combines network topology, tunneling protocols, and application-specific configurations to create an efficient and high-performing SD-WAN setup.

4.1 Topology Design

The topology defines how SD-WAN devices (branch sites, data centers, and hubs) are connected to each other. Two common designs are Hub-and-Spoke and Full-Mesh.

Hub-and-Spoke Topology

• Description:
  • Traffic flows from branch sites to a central hub (usually a data center or headquarters) and then out to its destination.
  • The hub acts as the main point for inter-branch communication and internet access.
• Use Case:
  • Best suited for organizations with a central data center and multiple branches, where most traffic is destined for the central site (e.g., ERP systems or centralized file servers).
• Advantages:
  • Simple to manage.
  • Reduces the complexity of branch-to-branch communication.
• Disadvantages:
  • Can lead to latency issues for branch-to-branch traffic.
  • Higher reliance on the hub's availability and performance.

Full-Mesh Topology

• Description:
  • All sites communicate directly with each other without routing through a central hub.
  • Suitable for performance-critical scenarios requiring low latency.
• Use Case:
  • Ideal for environments where branches frequently communicate with each other (e.g., video conferencing, collaborative work).
• Advantages:
  • Direct communication reduces latency.
  • Offers redundancy as there are multiple paths between sites.
• Disadvantages:
  • Complex to configure and manage in large networks.
  • Higher resource consumption due to multiple direct connections.

4.2 Tunnel Configuration

Tunneling is used to securely connect SD-WAN endpoints, enabling reliable and encrypted communication.

IPsec Tunnel

• Description:
  • IPsec (Internet Protocol Security) is a protocol suite that encrypts and secures data transmitted between sites.
• Features:
  • Ensures data confidentiality, integrity, and authenticity.
  • Widely used for static, pre-configured tunnels.
• Use Case:
  • Best for scenarios where communication paths are predictable and static (e.g., Hub-and-Spoke topologies).

ADVPN (Auto-Discovery VPN)

• Description:
  • ADVPN automatically creates on-demand tunnels between branch sites, reducing the need for pre-configured tunnels.
• Features:
  • Dynamically establishes and tears down tunnels as needed.
  • Reduces management complexity in large networks.
• Use Case:
  • Suitable for Full-Mesh topologies or hybrid scenarios where branch-to-branch communication is dynamic.
• Example:
  • A branch in New York and another in London establish a temporary tunnel for a video call without routing through the hub.

4.3 Application Scenario Optimization

SD-WAN can prioritize and optimize traffic based on application requirements, ensuring critical business apps receive the best network resources.

Traffic Classification

• What It Is:
  • Grouping traffic by type (e.g., voice, video, bulk file transfers) to assign dedicated paths.
• How It Works:
  • Identify application traffic using deep packet inspection (DPI) or protocol-based matching.
  • Create rules to route critical applications through low-latency or high-priority paths.
• Example:
  • Route video conferencing traffic through a low-latency fiber link while routing file backups through a backup broadband link.

Load Balancing

• What It Is:
  • Distributing traffic across multiple WAN links to maximize utilization and avoid congestion.
• How It Works:
  • Balance traffic based on:
    • Volume: Assign traffic proportionally to link bandwidth.
    • SLA Performance: Route traffic to the best-performing link (e.g., lowest jitter or latency).
• Example:
  • Assign 70% of video traffic to WAN1 (fiber) and 30% to WAN2 (DSL) to ensure smooth playback without overloading a single link.

Best Practices

1. Monitor Network Performance Regularly

   • Continuously monitor SLA metrics like latency, jitter, and packet loss.
   • Use centralized tools like FortiAnalyzer to visualize trends and identify potential bottlenecks.

2. Consider Redundant Links

   • Always plan for failover by using at least two WAN links per site.
   • Example:
     • Primary WAN link: High-speed fiber.
     • Backup WAN link: LTE or DSL for redundancy.

3. Optimize Topology Based on Business Needs

   • Choose Hub-and-Spoke for centralized applications and Full-Mesh for collaborative, branch-heavy traffic.

4. Leverage Dynamic Tunnels

   • Use ADVPN to simplify tunnel management, especially in hybrid or Full-Mesh scenarios.

5. Test and Validate Configurations

   • Simulate failure scenarios to ensure failover mechanisms work as expected.
   • Validate application performance under normal and degraded conditions.

Practical Application

Scenario 1: Hub-and-Spoke Topology with IPsec Tunnels

1. Configure IPsec tunnels between the central hub and each branch.
2. Set SD-WAN rules to route branch-to-branch traffic through the hub.
3. Monitor hub performance to ensure it can handle traffic demands.

Scenario 2: Full-Mesh Topology with ADVPN

1. Enable ADVPN on all branch SD-WAN devices.
2. Set policies for on-demand tunnel creation between branches.
3. Test branch-to-branch traffic (e.g., video calls) and validate automatic tunnel creation.

Scenario 3: Application Optimization

1. Use deep packet inspection to classify applications.
2. Create rules:
   • Route video traffic through WAN1.
   • Route bulk file transfers through WAN2.
3. Monitor performance and adjust paths as needed.

Key Takeaways

• Hub-and-Spoke Topology: Best for centralized applications and simpler setups.
• Full-Mesh Topology: Ideal for low-latency, high-collaboration scenarios.
• IPsec Tunnels: Reliable and secure for static connections.
• ADVPN: Dynamic and efficient for on-demand branch communication.
• Best Practices: Regular monitoring, redundancy, and application-aware configurations are essential for a robust SD-WAN overlay design.

SD-WAN Overlay Design and Best Practices (Additional Content)

Designing an efficient SD-WAN overlay requires more than just choosing between Hub-and-Spoke or Full-Mesh topologies. Additional factors such as hybrid topology, security, high availability (HA), and WAN optimization strategies must be considered to ensure a resilient, secure, and high-performance network.

1. Hybrid Topology

What is a Hybrid SD-WAN Topology?

Hybrid topology combines the advantages of both Hub-and-Spoke and Full-Mesh architectures, allowing organizations to optimize network performance while maintaining centralized control.

How it Works

• Hub-and-Spoke for General Traffic

  • Most branch traffic is routed through a central hub for security enforcement, policy management, and application control.
  • Example: ERP systems, centralized file servers, and internal applications are accessed via the hub.

• Full-Mesh for High-Priority Traffic

  • Key branch sites communicate directly via ADVPN tunnels, reducing latency for critical applications.
  • Example: Voice and video calls between regional offices can bypass the hub to minimize delay.

Advantages of Hybrid Topology

Combines management simplicity (Hub-and-Spoke) with performance efficiency (Full-Mesh).
Reduces latency for critical applications by enabling direct communication between branches.
Optimizes bandwidth usage by dynamically choosing between hub-based and direct paths.

Challenges

Requires advanced routing and SD-WAN policies to manage hybrid traffic.
Complex dynamic VPN tunnel management (e.g., ADVPN must be properly configured).

2. SD-WAN Overlay Security Considerations

Security is a critical component of SD-WAN overlay design, as SD-WAN devices operate over the public internet and multiple ISPs.

2.1 Zero Trust Network Access (ZTNA)

• Enforces strict access control between SD-WAN nodes.
• Prevents lateral movement by restricting unnecessary device-to-device communication.
• Uses identity-based authentication for branch users and devices.

Example Implementation:

config firewall policy
    edit 10
        set srcintf "sd-wan"
        set dstintf "sd-wan"
        set srcaddr "Branch1_Subnet"
        set dstaddr "Branch2_Subnet"
        set action accept
        set schedule always
        set service ALL
        set authentication enable
    next
end

2.2 Multi-Factor Authentication (MFA/2FA)

• Protects FortiManager and FortiGate administrative access.
• Prevents unauthorized logins by requiring additional authentication factors.
• Commonly used for remote management portals and VPN access.

2.3 Data Encryption for Overlay Tunnels

• IPsec encryption ensures data confidentiality and integrity.
• TLS encryption protects SD-WAN control traffic.
• ADVPN tunnels should use encryption to prevent interception.

Example: Enabling IPsec Encryption for SD-WAN VPN

config vpn ipsec phase1-interface
    edit "Branch1-to-Branch2"
        set interface "wan1"
        set proposal aes256-sha256
        set dhgrp 14
    next
end

2.4 DDoS Protection for SD-WAN Edges

• FortiAnalyzer can monitor abnormal traffic patterns to detect DDoS attacks.
• Rate limiting can prevent SD-WAN edge devices from being overwhelmed.
• FortiGate's IPS/DoS protection can help mitigate attacks.

Example: Enabling DDoS Protection

config firewall DoS-policy
    edit 1
        set interface "wan1"
        set srcaddr all
        set dstaddr all
        set service ALL
        set action block
        set anomaly "tcp_syn_flood"
        set status enable
    next
end

Why is SD-WAN Security Important?

Protects data and network integrity in public internet-based WANs.
Prevents unauthorized access to SD-WAN edge devices.
Reduces attack risks with proactive monitoring and threat detection.

3. WAN Edge High Availability (HA)

High Availability (HA) Solutions for SD-WAN

SD-WAN deployments require redundancy at multiple levels to ensure seamless failover and prevent downtime.

3.1 Dual WAN Links (Active-Active vs. Active-Standby)

• Active-Active Mode
  • Both WAN links are simultaneously used for load balancing and failover.
  • Example: Fiber and LTE WAN links can be used together.
• Active-Standby Mode
  • Only one WAN link is active, and the backup link is enabled only upon failure.
  • Reduces unnecessary failover switches and ensures stability.

3.2 Dual FortiGate HA Configuration**

• Two FortiGate appliances in HA mode (Active-Passive or Active-Active).
• Ensures redundant firewall protection for SD-WAN deployments.

3.3 Virtual Router Redundancy Protocol (VRRP)

• Allows two SD-WAN edge devices to act as a single virtual router.
• Provides seamless failover if one device fails.

Example: VRRP Configuration

config system interface
    edit "wan1"
        set vrrp enable
        set vrrp-virtual-mac enable
        set vrrp-group 1
        set vrrp-priority 100
        set vrrp-ip "192.168.1.1"
    next
end

3.4 Cloud-Based SD-WAN Backup (AWS/Azure Integration)

• Provides cloud-based failover if on-prem WAN links fail.
• Example: AWS Direct Connect or Azure Virtual WAN as backup SD-WAN paths.

Why is HA Important?

Prevents SD-WAN downtime in case of ISP or hardware failures.
Ensures seamless failover and session persistence.
Improves WAN reliability and service availability.

4. WAN Optimization Strategies

SD-WAN overlay performance can be improved with specific optimization techniques to enhance throughput and reduce latency.

4.1 Forward Error Correction (FEC)

• Useful for high-loss networks such as LTE, 5G, and satellite links.
• Adds redundant data packets to reconstruct lost packets.

4.2 TCP/UDP Acceleration

• Optimizes WAN performance by adjusting TCP window size and reducing retransmissions.
• SD-WAN traffic shaping ensures better performance for latency-sensitive applications.

4.3 Cloud Direct Connectivity (Cloud OnRamp)

• Direct peering with SaaS applications such as:
  • Office 365
  • Google Workspace
  • AWS and Azure services
• Reduces latency by eliminating unnecessary intermediate hops.

Why is WAN Optimization Important?

Improves application performance over lossy WAN connections.
Enhances end-user experience for cloud and SaaS applications.
Optimizes bandwidth usage and prevents congestion.

Conclusion

Key Takeaways

1. Hybrid Topology

• Combines Hub-and-Spoke with Full-Mesh to optimize performance.
• ADVPN dynamically establishes direct tunnels for latency-sensitive traffic.

2. SD-WAN Security Considerations

• ZTNA and 2FA secure access to SD-WAN devices.
• IPsec encryption ensures data confidentiality over VPN tunnels.
• DDoS protection prevents SD-WAN edge exploitation.

3. High Availability (HA) for SD-WAN

• Dual WAN, VRRP, and FortiGate HA improve network resilience.
• Cloud-based SD-WAN failover ensures redundancy for critical applications.

4. WAN Optimization

• FEC improves performance for high-packet-loss environments.
• Cloud OnRamp optimizes SaaS application performance.
• TCP/UDP acceleration enhances WAN throughput.