When designing anADVPN (Auto-Discovery VPN) networkfor alarge enterprisewith spokes that havevarying numbers of internet links, the main challenge is tominimize the number of peer connections and routesat the hub while maintainingscalability and efficiency.

Using a dynamic routing protocol (such as BGP or OSPF) with loopback interfaces helps in several ways:

●Reduces the number of peer connectionsat the hub byusing a single loopback address per spokeinstead of individual physical interfaces.

●Enables simplified route advertisementby dynamically learning and propagating routes instead of manually configuring static routes.

●Supports multiple internet links per spokeefficiently, as dynamic routing can automatically adjust to the best available path.

●Allows seamless failoverif a spoke’s internet link fails, ensuring continuous connectivity.

From theOSPF status output, the key information is:

●"This router is an ASBR"→ This means the FortiGate is acting as anAutonomous System Boundary Router (ASBR).

● AnASBRis responsible for injectingexternal routing informationinto OSPF from another routing protocol (such as BGP, static routes, or connected networks).

neighbor-group:

● This command is used to group multipleBGP neighborswith the same configuration, reducing redundant configuration.

● Instead of defining individual BGP settings for each spoke, the administrator can create aneighbor-groupand apply the same policies, reducing manual work.

neighbor-range:

● This command allows the configuration ofa range of neighbor IPs dynamically, reducing the need to manually define each spoke neighbor.

● It automatically addsBGP neighborsthat match a given prefix, simplifying deployment.