Mastering SD-WAN Overlay Design

Questions and Answers

Which type of tunnel is set to static and known in the IPsec configuration for the spoke?

Static; dial-up client (correct)

Dynamic; dial-up client

Static; dial-up server

Dynamic; dial-up server

What is the purpose of enabling the net-device setting in SD-WAN?

To increase the number of overlays deployed

To enhance security

To support AD-VPN shortcuts (correct)

To improve performance

What is the configuration of the phase2 in the spoke?

Not mentioned in the text

Depends on the overlay

The same as in the hub (correct)

Different from the hub

What is the encryption domain in the spoke configuration?

Open to all traffic

What is the purpose of assigning an IP-address for the overlays in the spoke configuration?

To obtain an IP-address using IKE mode configuration

Which port is the tunnel bound to in the spoke configuration?

port1

What is the purpose of allowing ping in the spoke configuration?

To monitor network performance

How many overlays are usually deployed on the spokes?

A small number

What zone are the two overlays placed in the SD-WAN configuration for the spokes?

Overlay zone

What is the main focus of the IPsec configuration for the spoke in this lesson?

Settings specific to the spoke

Which IP address is used to measure the health and performance of the overlays?

10.200.99.1

What is the purpose of the VPN performance SLA?

To determine the best quality member in the overlay zone

What are the default values for the BGP timers?

Keep alive: 60 seconds, Hold: 180 seconds, Advertysement: 30 seconds

What does reducing the advertysement interval in BGP configuration help with?

Speeding up routing convergence

What does enabling link down failover feature in BGP configuration do?

Brings down peerings immediately after the interface they use comes down

What are the default values for the IPsec DPD settings?

Retry count: 3, Retry interval: 20 seconds

What is the purpose of overlay stickiness on the hub?

To prefer spoke-to-spoke traffic to stay within the same-ISP overlays

What happens when the hub receives the first packet of a spoke-to-spoke connection?

It performs a route lookup to determine the best route

What is the default time it takes for DPD to detect a dead gateway?

80 seconds

How can the time to detect a dead gateway using DPD be reduced to 30 seconds?

By setting the retry count and retry interval to 2 and 10 respectively

Which type of traffic does FortiGate prefer to keep within same-ISP overlays in AD-VPN?

Spoke-to-spoke traffic

What is the purpose of configuring policy routes in FortiGate for AD-VPN?

To improve performance

When are the policy routes used in FortiGate for AD-VPN?

Only if the FIB contains a route for the outgoing overlay

What is overlay stickiness in AD-VPN?

A preference for keeping spoke-to-spoke traffic within same-ISP overlays

What is the main reason for the suboptimal performance in AD-VPN?

Added latency introduced by the cross-ISP overlay path

What does the FIB stand for in FortiGate for AD-VPN?

Forwarding Information Base

What happens if the FIB does not contain a route for the outgoing overlay in FortiGate for AD-VPN?

The policy routes are skipped and traffic is forwarded based on the best route in the FIB

What is the purpose of overlay stickiness in AD-VPN?

To prevent spokes from negotiating shortcuts over unreachable underlays

What is the importance of overlay stickiness in AD-VPN?

It helps prevent spokes from trying to negotiate shortcuts over unreachable underlays

What will you learn more about in this lesson?

AD-VPN and overlay stickiness