SD-WAN overlay template IP network design | FortiManager 7.2.2
SD-WAN overlay template IP network design
The SD-WAN overlay template creates the overlay IP network and subnets for your SD-WAN environment. The wizard uses the default range of 10.10.0.0/16
, but this network range can be customized in the SD-WAN overlay template wizard under Region Settings > Advanced.
The overlay network is used to define the VPN tunnel interfaces for hubs and spokes, and is subnetted so that each overlay network is unique and distinct. The number of subnets created is determined based on the number of physical underlay ports that are identified in the Network Configuration section of the wizard. Each configured underlay requires one overlay subnet.
By default, single-hub topologies have a minimum of four subnets, and dual-hub topologies have a minimum of eight subnets. When more than four underlays are configured, the overlay network is further subnetted into the nearest power of two. For example, configuring five physical underlays in the wizard for a single-hub topology results in the creation of eight overlay subnets, with only the first five being used.
The table below shows an example of the subnet ranges that are created based on the number of underlay ports configured in the wizard using the default 10.10.0.0/16
network.
Number of Underlays
Overlay Subnet Address
Overlay’s Usable IPs
Number of FortiGates per Overlay
1 – 4 underlays
Only possible with single-hub
10.10.0.0/18
10.10.0.1 – 10.10.63.254
16382
10.10.64.0/18
10.10.64.1 – 10.10.127.254
16382
10.10.128.0/18
10.10.128.1 – 10.10.191.254
16382
10.10.192.0/18
10.10.192.1 – 10.10.255.254
16382
5 – 8 underlays
Minimum required for dual-hub.
10.10.0.0/19
10.10.0.1 – 10.10.31.254
8190
10.10.32.0/19
10.10.32.1 – 10.10.63.254
8190
10.10.64.0/19
10.10.64.1 – 10.10.95.254
8190
10.10.96.0/19
10.10.96.1 – 10.10.127.254
8190
10.10.128.0/19
10.10.128.1 – 10.10.159.254
8190
10.10.160.0/19
10.10.160.1 – 10.10.191.254
8190
10.10.192.0/19
10.10.192.1 – 10.10.223.254
8190
10.10.224.0/19
10.10.224.1 – 10.10.255.254
8190
9 – 16 underlays
10.10.0.0/20
10.10.0.1 – 10.10.15.254
4094
10.10.16.0/20
10.10.16.1 – 10.10.31.254
4094
…
…
…
In dual-hub topologies, overlay subnets are assigned so that hub 1 receives the first half and hub 2 receives the second. The colors in the table above for “5 – 8 underlays” is an example of how the overlays are assigned when there are two hubs: Blue = Hub 1. Red = Hub 2.
It may be necessary to adjust the default overlay network to something larger than 10.10.0.0/16
if you have a large number of overlays and/or branches. For example, if you have a dual-hub topology with 18 total overlays, each overlay can only support 2046 FortiGates. If you have 2100 branches, you will need to supply a larger overlay network such as 10.0.0.0/8
.
Examples
The wizard includes topologies for single-hub, dual-hub (primary & secondary), and dual-hub (primary & primary). Here you can find an example of how the IP overlya network is designed in a dual-hub (primary & secondary) and single-hub topology using the default overlay network.
In dual-hub topologies, overlay subnets are assigned so that hub 1 receives the first half and hub 2 receives the second.
In this example, four underlays (two for the primary hub and two for the secondary hub) are configured in the default dual-hub (primary & secondary) topology.
With this configuration:
- Hub 1 uses overlay subnet 1 (
10.10.0.0/19
) for HUB1_VPN1 and subnet 2 (10.10.32.0/19
) for HUB1_VPN2. - Hub 2 uses overlay subnet 5 (
10.10.128.0/19
) for HUB2_VPN1 and subnet 6 (10.10.160.0/19
) for HUB2_VPN2. - Subnets 3, 4, 7, and 8 are not used because the wizard has only been configured with four underlays.
The topology diagram below demonstrates how the overlay subnets are applied in this dual-hub scenario:
In single-hub topologies, at least four overlay networks are created by the wizard. If more than four WAN underlays are configured, the overlay network will be further subnetted to allow for additional overlay subnets to be created.
In this example, two physical WAN underlays are configured in this single-hub topology.
With this configuration:
- Hub 1 uses overlay subnet 1 (
10.10.0.0/18
) for HUB1_VPN1 and subnet 2 (10.10.64.0/18
) for HUB1_VPN2. - Subnets 3 and 4 are not used because the wizard has only been configured with two underlays.
The topology diagram below demonstrates how the overlay subnets are applied in this single-hub scenario: