SD-WAN Traffic Distribution Profiles
Understand how an SD-WAN Traffic Distribution profile implements path selection.
In an SD-WAN topology, the firewall detects brownouts, blackouts, and path deterioration per application and selects a new path so that your critical business applications get the best available performance. Having multiple ISP links lets you scale traffic capacity and reduce costs. New path selection occurs in less than one second if you leave Path Monitoring and Probe Frequency at their default settings; otherwise, it can take longer than one second.
To implement such path selection, the firewall uses SD-WAN policy
rules, which reference a Traffic Distribution profile that specifies
how to select paths for session load distribution and for failover
to a better path when path quality for an application deteriorates.
Decide which traffic distribution method an application or service
(that matches an SD-WAN policy rule) should use:
- Best Available Path—Select this method if cost is not a factor and applications may use any path out of the branch. The firewall uses the path quality metrics to distribute sessions across, and to fail over among, the links that belong to any Link Tag in the profile's list, giving users the best application experience.
- Top-Down Priority—If you have expensive or low-capacity links that you want used only as a backup or last resort, use this method and place the Link Tags that contain those links last in the profile's list of Link Tags. The firewall uses the first Link Tag in the list to determine the links on which to load sessions and to which to fail over. If none of the links in the first Link Tag is qualified according to the Path Quality profile, the firewall selects a link from the second Link Tag, and so on until it finds a qualified link in the last Link Tag. If all associated links are overloaded and no link meets the quality thresholds, the firewall falls back to the Best Available Path method to select a link on which to forward traffic. At the start of each failover event, the firewall begins again at the top of the Top-Down Priority list of Link Tags.
- Weighted Session Distribution—Select this method if you want to load traffic that matches the rule onto your ISP and WAN links in fixed proportions and you don't require failover during brownout conditions. You specify each link's load as a static percentage of new sessions that the interfaces grouped under a single Link Tag receive. The firewall distributes new sessions round-robin among the links in the listed Link Tags until the link(s) in the Link Tag assigned the lowest percentage reach that percentage of sessions; it then continues in the same manner with the remaining link(s). This method suits applications that aren't latency-sensitive but consume a lot of link bandwidth, such as large branch backups and large file transfers. If a link experiences a brownout, the firewall does not redirect the matching traffic to a different link.
In the event of a failing path condition, the traffic distribution method you choose for the application(s) in an SD-WAN policy rule, together with the Link Tags on groups of links, determines whether and how the firewall selects a new path (performs link failover), as follows:
Path Condition | Top-Down Priority | Best Available Path | Weighted Session Distribution |
---|---|---|---|
Session on existing path failed a path health threshold (brownout) | Affected session fails over to a better path (if available) | Affected session fails over to a better path (if available) | Affected sessions don't fail over |
Previous path recovered (Top-Down or Best Available Path); existing path is still qualified (good) | Affected session fails back to the previous path | Affected session stays on the existing path, doesn't fail back | Affected sessions don't fail over |
Previous path recovered (Top-Down or Best Available Path); existing path fails a health check | All sessions fail back to the previous path | Some sessions fail back to the previous path until the affected existing path recovers | Affected sessions don't fail over |
Existing path is down (blackout) | All sessions fail over to the next path on the list | All sessions fail over to the next best path | All sessions fail over to other Link Tags based on the weight settings |
Brownout with no qualified (better) path | Take best available path | Take best available path | Take best available path |
Additionally, the firewall automatically shares session load among the interface members of a single Link Tag. As those interfaces approach their configured maximum Mbps, new sessions spill over to interfaces with a different Link Tag (chosen according to the traffic distribution method) if those interfaces have better health metrics.
Path Condition | Top-Down Priority | Best Available Path | Weighted Session Distribution |
---|---|---|---|
Multiple links with the same Link Tag | Share session load equally among the links within the Link Tag | Share session load based on the best path within the Link Tag | Share session load based on the % weight assigned to the Link Tag |
Multiple links with different Link Tags | Share session load based on list priority; load the link(s) in the first Link Tag first | Share session load based on the best path from all Link Tags | Share session load based on the % weight assigned to the Link Tags |
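The following is an added Python simulation of the Weighted Session Distribution method described in the bullet above and in the two tables; it is illustrative code, not PAN-OS code. Because the page does not say how the percentages are accounted, the simulation assumes a window of 100 new sessions, round-robin sharing among the links inside one Link Tag, and, on a blackout, re-spreading the dead Link Tag's share over the remaining tags in proportion to their weights. Brownout metrics are deliberately not consulted, since this method never fails over on path-quality grounds.

```python
"""Weighted Session Distribution (WSD) simulation.

Added, illustrative code; not PAN-OS code. Assumptions not stated on the
page: percentages are enforced over a window of CYCLE new sessions, links
inside one Link Tag share sessions round-robin, and a blacked-out link
(up=False) is skipped, with its Link Tag's share re-spread over the
remaining Link Tags in proportion to their weights.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List

CYCLE = 100  # assumed accounting window, in new sessions


@dataclass
class Link:
    name: str
    tag: str          # Link Tag this member interface carries
    up: bool = True   # False == blackout; brownout is irrelevant to WSD


@dataclass
class WeightedProfile:
    weights: Dict[str, int]   # Link Tag -> % of new sessions; must sum to 100
    links: List[Link]
    _tag_count: Counter = field(default_factory=Counter, init=False)
    _link_count: Counter = field(default_factory=Counter, init=False)

    def __post_init__(self) -> None:
        if sum(self.weights.values()) != 100:
            raise ValueError("Link Tag weights must sum to 100")
        for link in self.links:
            if link.tag not in self.weights:
                raise ValueError(f"{link.name}: tag {link.tag!r} has no weight")

    def _live_tags(self) -> List[str]:
        """Tags that still have at least one link that is up."""
        return [t for t in self.weights
                if any(l.tag == t and l.up for l in self.links)]

    def _quota(self, tag: str) -> float:
        """Sessions this tag may take in the current window (renormalised on blackout)."""
        live = self._live_tags()
        return CYCLE * self.weights[tag] / sum(self.weights[t] for t in live)

    def select(self) -> Link:
        """Pick the egress link for one new session."""
        if sum(self._tag_count.values()) >= CYCLE:
            self._tag_count.clear()           # start a new accounting window
        live = self._live_tags()
        if not live:
            raise RuntimeError("no link is up")
        # Among tags still below quota, take the one with the fewest sessions
        # so far: that reproduces round-robin across them, and once the
        # lowest-weight tag fills its share, the remaining tags keep alternating.
        eligible = [t for t in live if self._tag_count[t] < self._quota(t)] or live
        tag = min(eligible, key=lambda t: (self._tag_count[t], live.index(t)))
        members = [l for l in self.links if l.tag == tag and l.up]
        link = min(members, key=lambda l: (self._link_count[l.name], self.links.index(l)))
        self._tag_count[tag] += 1
        self._link_count[link.name] += 1
        return link

    def distribute(self, n: int) -> Counter:
        """Distribute n new sessions; return sessions per link name."""
        return Counter(self.select().name for _ in range(n))


def demo() -> dict:
    """Constructed case: 70% Broadband (cable + fiber), 30% MPLS; then MPLS blackout."""
    links = [Link("cable", "Broadband"), Link("fiber", "Broadband"), Link("mpls", "MPLS")]
    normal = WeightedProfile({"Broadband": 70, "MPLS": 30}, links).distribute(100)
    links[2].up = False                                  # MPLS goes down
    blackout = WeightedProfile({"Broadband": 70, "MPLS": 30}, links).distribute(100)
    return {"normal": dict(normal), "blackout": dict(blackout)}


if __name__ == "__main__":
    print(demo())
```

With the constructed 70/30 split, the first 60 sessions alternate between the two tags, after which MPLS has reached its 30 and the remaining 40 go to Broadband, which the cable and fiber members share equally; taking MPLS down moves all 100 sessions onto Broadband, matching the blackout row of the failover table.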
The following figure illustrates an example of a Traffic Distribution profile that uses the Top-Down Priority method. The numbers #1, #2, and #3 indicate the order in which the firewall examines the Link Tags (and the links they contain), if necessary, to find a healthy path to complete an application session failover. For each separate failover event that arises, the firewall starts again at the beginning of the Top-Down list of Link Tags.
- In this Top-Down Priority example, packets from a branch carrying a specific application (for example, office365-enterprise-access) arrive at the firewall. The firewall uses the route table to determine the next hop to the destination and the outgoing interface, which is the virtual SD-WAN interface named sdwan.901. The Security policy rule allows the packets. The packets then match an SD-WAN policy rule (named Office365 to Hub1) that specifies the destination zone for the hub. The firewall uses the SD-WAN policy rule's Path Quality profile, its Traffic Distribution profile, and that profile's Link Tags to determine which member interface (link) of sdwan.901 to use. The Traffic Distribution profile lists three Link Tags in this order: #1 Cheap Broadband, #2 HQ Backhaul, and #3 Backup, which is also the order in which the firewall examines links when it needs to fail over.
- Assuming all paths are qualified (by the Path Quality profile), the firewall distributes the packets to one of the links tagged with the first Link Tag in the list, Cheap Broadband. Two member interfaces of sdwan.901 (two carriers) carry that tag: the cable modem VPN tunnel and the fiber service VPN tunnel. The firewall examines those links round-robin and chooses the first qualified link it finds, for example, the cable modem link.
- If the first Cheap Broadband link (cable modem) isn't qualified, the firewall selects the second Cheap Broadband link (fiber service).
- If the second Cheap Broadband link (fiber service) isn't qualified either, the firewall selects the link tagged with the #2 Link Tag, HQ Backhaul, which is a more expensive MPLS link to the same hub.
- If the MPLS link isn't qualified, the firewall selects the link tagged with the #3 Link Tag, Backup, which is an even more expensive 5G LTE link to the same hub.
- If the firewall finds no qualified link to fail over to, it uses the Best Available Path method to select a link.
- At the start of each new failover event, the firewall begins again at the top of the Top-Down list of Link Tags to find a link to which to fail over.
Keep in mind that SD-WAN traffic distribution is one of the later
steps in the packet flow logic. Let’s zoom out to see a broader
view of the packet flow.
Packet flow details for the figure are as follows:
- When a session for an application arrives at the firewall, the firewall performs a session lookup to determine whether the session is an existing session or a new session.
- A new session goes through session setup:
  - Forwarding lookup—The firewall gets the egress zone, egress interface, and virtual system from the Layer 3 route table or Layer 2 Forwarding Database lookup, etc. For applications that match an SD-WAN policy rule, the firewall uses the virtual SD-WAN interface as the egress interface.
  - NAT Policy lookup—If the session matches a NAT rule, the firewall does another forwarding lookup to determine the final (translated) egress interface and zone.
  - Security Policy lookup—If a Security policy rule allows the session, the session is created and installed in the session table. The firewall then performs additional classification using App-ID™ and User-ID™.
  - Content Inspection—The firewall performs threat inspection (Vulnerability Protection and Anti-Spyware [IPS], Antivirus, URL Filtering, WildFire®, etc.) on payload and headers as needed.
- The Forwarding/Egress stage performs path selection and forwards the packets. This is the stage where SD-WAN path selection occurs:
  - Packet Forwarding Process—The firewall uses the ingress interface to determine the forwarding domain and performs routing, switching, or virtual wire forwarding.
  - SD-WAN path selection occurs when the application matches an SD-WAN policy rule: the Path Quality profile determines path qualification, and the Traffic Distribution profile determines the method of path selection and the order in which paths are considered during selection.
  - IPSec/SSL-VPN tunnel encryption occurs if needed.
  - Packet Egress Process—QoS shaping, DSCP rewrite, and IP fragmentation are applied (if needed).
  - Transmit Packet—The firewall forwards the packet over the selected egress interface.
Now we zoom back in to examine the SD-WAN path selection logic in more detail.
- During the forwarding lookup the firewall consults the route table; based on the destination IP address matching a Layer 3 prefix, it determines the egress virtual SD-WAN interface. The packet is either going directly to the public internet or going back to the hub through a secure VPN link.
- The firewall monitors each path with health checks that run over a VPN tunnel. Each DIA circuit has a VPN tunnel that carries the health-monitoring probes.
- The application in the SD-WAN policy rule is associated with a Path Quality profile, and the firewall compares the path's measured average latency, jitter, and packet loss against the profile's threshold values.
- Any path whose latency, jitter, or packet loss exceeds its threshold is not qualified and is not selected.
- All qualifying paths in the virtual SD-WAN interface are then subjected to the Traffic Distribution profile's method and path priority (ordering) logic. Link Tags group ISP services together, and the order of these tags in the Traffic Distribution profile prioritizes the paths during path selection.
- Thus, the Path Quality profile and the Traffic Distribution profile together determine the next best path, and the firewall forwards the traffic out that link.
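To make the qualification and ordering logic above concrete, and to replay the sdwan.901 Top-Down Priority walk-through (Cheap Broadband = cable and fiber, HQ Backhaul = MPLS, Backup = 5G LTE), here is an added Python model of a Path Quality profile and a Traffic Distribution profile. It is illustrative code, not PAN-OS code: the thresholds, link names and measured metrics are constructed, and the ranking used for Best Available Path (each metric divided by its threshold, summed, lower is better) is an assumption, since the page only states that path quality metrics decide.

```python
"""Path Quality qualification + Top-Down Priority / Best Available Path.

Added example, not PAN-OS code. Thresholds and metrics are constructed;
the Best Available score is an assumed ranking (see lead-in).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Link:
    name: str
    tag: str            # Link Tag this member interface carries
    latency_ms: float   # measured averages from path monitoring
    jitter_ms: float
    loss_pct: float
    up: bool = True     # False == blackout


@dataclass
class PathQualityProfile:
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float

    def qualifies(self, link: Link) -> bool:
        """A path that is down or exceeds any threshold is not qualified."""
        return (link.up
                and link.latency_ms <= self.max_latency_ms
                and link.jitter_ms <= self.max_jitter_ms
                and link.loss_pct <= self.max_loss_pct)

    def score(self, link: Link) -> float:
        """Assumed Best Available ranking: lower is better."""
        return (link.latency_ms / self.max_latency_ms
                + link.jitter_ms / self.max_jitter_ms
                + link.loss_pct / self.max_loss_pct)


class TrafficDistributionProfile:
    def __init__(self, pq: PathQualityProfile, link_tags: List[str], links: List[Link]):
        self.pq = pq
        self.link_tags = link_tags       # #1, #2, #3 ... in list order
        self.links = links
        self._cursor: Dict[str, int] = {t: 0 for t in link_tags}  # per-tag round-robin

    def best_available(self) -> Optional[Link]:
        """Best Available Path: best-scoring path in any tag; list order ignored."""
        up = [l for l in self.links if l.up]
        return min(up, key=self.pq.score) if up else None

    def top_down(self) -> Optional[Link]:
        """Top-Down Priority for one new session or failover event.

        Every call starts at tag #1. Within a tag the members are examined
        round-robin and the first qualified one wins. If no tag holds a
        qualified link, fall back to Best Available Path.
        """
        for tag in self.link_tags:
            members = [l for l in self.links if l.tag == tag]
            n = len(members)
            for i in range(n):
                cand = members[(self._cursor[tag] + i) % n]
                if self.pq.qualifies(cand):
                    self._cursor[tag] = (self._cursor[tag] + i + 1) % n
                    return cand
        return self.best_available()


def demo() -> dict:
    """Replay of the Top-Down example with constructed thresholds and metrics."""
    pq = PathQualityProfile(max_latency_ms=150, max_jitter_ms=30, max_loss_pct=1.0)
    cable = Link("cable", "Cheap Broadband", 40, 5, 0.1)
    fiber = Link("fiber", "Cheap Broadband", 30, 4, 0.0)
    mpls = Link("mpls", "HQ Backhaul", 60, 3, 0.0)
    lte = Link("lte", "Backup", 120, 20, 0.5)
    tdp = TrafficDistributionProfile(
        pq, ["Cheap Broadband", "HQ Backhaul", "Backup"], [cable, fiber, mpls, lte])
    result = {"best_available": tdp.best_available().name}   # all healthy: fiber
    picks = [tdp.top_down().name]   # all qualified: cable (round-robin start)
    picks.append(tdp.top_down().name)   # next session rotates to fiber
    cable.loss_pct = 3.0                # cable brownout: loss above 1%
    picks.append(tdp.top_down().name)   # fiber, still in tag #1
    fiber.latency_ms = 400              # fiber brownout too: tag #1 exhausted
    picks.append(tdp.top_down().name)   # mpls, tag #2
    mpls.up = False                     # MPLS blackout
    picks.append(tdp.top_down().name)   # lte, tag #3
    lte.jitter_ms = 90                  # nothing qualified anywhere
    picks.append(tdp.top_down().name)   # Best Available fallback picks fiber
    result["top_down"] = picks
    return result


if __name__ == "__main__":
    print(demo())
```

The last step is the "brownout with no qualified path" row of the failover table: no link passes the Path Quality profile, so Top-Down gives up its ordering and takes the least-bad path by score, which here is the browned-out fiber link rather than the cheaper-looking cable link whose loss is far over threshold.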