NSE7_SDW-7.2 Rules and Routing

Rules and Routing Detailed Explanation

Rules and routing are essential components of SD-WAN functionality. They control how traffic flows through the network and ensure that traffic is directed dynamically and optimally based on the network’s real-time conditions.

2.1 SD-WAN Rules

Goal:

Define how specific types of traffic are routed through the network based on conditions like IP addresses, applications, and services.

What Are SD-WAN Rules?

SD-WAN rules are policies that the SD-WAN device uses to decide the best path for traffic. These rules are matched sequentially, starting from the highest priority.

Key Components of Rules:

  1. Rule Conditions:

    • Source Address: Specifies the starting point of the traffic (e.g., an internal subnet like 192.168.1.0/24).
    • Destination Address: Specifies the endpoint of the traffic (e.g., a public server like 8.8.8.8 for DNS queries).
    • Application Categories: Classify traffic based on the application (e.g., Zoom for video calls, FTP for file transfer).
    • Services: Match specific protocols or ports (e.g., HTTP, SMTP, or custom ports like 8080).
  2. Priority Settings:

    • Rules are evaluated in order of priority.
    • High-priority rules are designed to handle business-critical traffic, like voice and video communications.

Example Use Case:

You want to prioritize Zoom traffic over social media usage.

  • Rule 1 (High Priority):
    • Source: 192.168.1.0/24
    • Destination: zoom.us
    • Application: Video Conferencing
    • Action: Route through the low-latency WAN1.
  • Rule 2 (Low Priority):
    • Source: 192.168.1.0/24
    • Destination: facebook.com
    • Application: Social Media
    • Action: Route through the backup WAN2.

Why Is This Important?

SD-WAN rules allow you to customize traffic flow, ensuring that critical applications have consistent and reliable performance.

2.2 Static Routing

Goal:

Provide fixed-path routing for predictable and straightforward traffic flows.

What Is Static Routing?

Static routing is a manual configuration where traffic is directed to a specific next-hop address, regardless of network changes.

Configuration Steps:

  1. Define the Destination Network:

    • Specify the subnet or IP range the traffic will reach.
    • Example: Destination Network = 10.1.1.0/24.
  2. Set the Next-Hop Address:

    • Define the IP address of the next device (router or gateway) along the path.
    • Example: Next Hop = 192.168.0.1.
  3. Configure a Default Route (Default Gateway):

    • Route all traffic not explicitly defined in other rules to a default gateway.
    • Example: Destination = 0.0.0.0/0, Next Hop = WAN1 Gateway.

Example Use Case:

Your branch office needs to send all internet-bound traffic to an ISP via WAN1.

  • Destination: 0.0.0.0/0 (all traffic).
  • Next Hop: WAN1 gateway (203.0.113.1).

Why Is This Important?

Static routing provides a simple and predictable way to direct traffic but lacks flexibility in dynamic environments.

2.3 Dynamic Routing Protocols

Goal:

Adapt to complex network topologies by automatically learning and updating paths.

What Are Dynamic Routing Protocols?

Dynamic routing uses protocols like OSPF (Open Shortest Path First) or BGP (Border Gateway Protocol) to automatically discover and update routes based on network changes.

Key Protocols:

  1. OSPF (Open Shortest Path First):

    • Fast convergence during network changes.
    • Best for medium-sized networks.
    • Example: Automatically adjust routes when a WAN link fails.
  2. BGP (Border Gateway Protocol):

    • Scales to large, multi-domain networks.
    • Ideal for global SD-WAN deployments with multiple ISPs.
    • Example: Adjust international traffic paths between continents based on latency.

Example Use Case:

You have two branches connected via OSPF:

  • Branch 1’s subnet: 10.1.1.0/24.
  • Branch 2’s subnet: 10.2.2.0/24.
  • OSPF ensures traffic between branches uses the fastest available link and adjusts automatically if a link fails.

Why Is This Important?

Dynamic routing ensures resiliency and flexibility in large, complex networks where static routes would be too rigid.

2.4 Routing Policies

Goal:

Control traffic paths based on strategic or performance considerations.

What Are Routing Policies?

Policies that guide SD-WAN’s decision-making for traffic routing, often based on SLA metrics.

Key Policy Details:

  1. Path Selection Based on SLA Performance:

    • Route traffic through the best-performing link as measured by SLA (e.g., lowest latency, jitter, or packet loss).
  2. Primary and Backup Paths:

    • Configure a preferred link (primary path) for critical traffic.
    • Assign a secondary link (backup path) for redundancy.

Example Use Case:

Your office has two WAN links:

  • WAN1: High-speed fiber connection.
  • WAN2: Backup 4G LTE connection.
  • Policy:
    • Use WAN1 for all traffic unless latency exceeds 100 ms.
    • Failover to WAN2 during WAN1 outages or SLA breaches.

Why Is This Important?

Routing policies allow fine-grained control over traffic behavior, ensuring optimal performance and reliability.

Practical Application

  1. Configure Static Routes:

    • Define a default route (0.0.0.0/0) for internet-bound traffic through WAN1.
    • Test connectivity to ensure traffic flows correctly.
  2. Enable Dynamic Routing:

    • Configure OSPF between two SD-WAN branches.
    • Simulate a link failure to observe automatic route adjustments.
  3. Set SD-WAN Rules:

    • Prioritize Zoom traffic over social media using application-based SD-WAN rules.
    • Monitor the traffic paths to verify rule matching.
  4. Test Rule Priority:

    • Create overlapping rules with different priorities.
    • Verify that high-priority rules take precedence over lower-priority ones.
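The rule-matching and SLA-based path-selection behaviour described in sections 2.1 and 2.4, and exercised in steps 3 and 4 above, as an added Python simulation. It is not FortiGate code and not part of the course: rules are evaluated top-down by ID, every configured criterion of a rule must match, the first full match wins, unmatched traffic falls to an implicit rule, and the winning rule picks the first preferred member that meets the SLA (using the 100 ms latency threshold from the 2.4 example). Member names, addresses and SLA readings are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Member:
    """One SD-WAN member with its current health-check readings (constructed values)."""
    name: str
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    up: bool = True


@dataclass
class Sla:
    """SLA target; a member is in-SLA only when every reading is within its threshold."""
    latency_ms: float = 100.0   # the 100 ms threshold from the routing-policy example
    jitter_ms: float = 50.0
    loss_pct: float = 2.0

    def met(self, m: Member) -> bool:
        return (m.up and m.latency_ms <= self.latency_ms
                and m.jitter_ms <= self.jitter_ms and m.loss_pct <= self.loss_pct)


@dataclass
class Rule:
    """An SD-WAN rule: lower rule_id is evaluated first; a criterion left as None matches anything."""
    rule_id: int
    name: str
    preferred: tuple                 # member names in preference order, primary first
    src: Optional[str] = None        # source subnet in CIDR notation
    dst: Optional[str] = None        # destination name
    app: Optional[str] = None        # application category
    service: Optional[str] = None    # protocol/port label

    def matches(self, flow: dict) -> bool:
        # All configured criteria must match; failing any one means "try the next rule".
        if self.src and ipaddress.ip_address(flow["src"]) not in ipaddress.ip_network(self.src):
            return False
        for key in ("dst", "app", "service"):
            want = getattr(self, key)
            if want is not None and flow.get(key) != want:
                return False
        return True


def select_member(rule: Rule, members: list) -> Optional[str]:
    """First preferred member that meets the SLA; if none does, the first preferred member that is up."""
    by_name = {m.name: m for m in members}
    sla = Sla()
    for name in rule.preferred:
        if sla.met(by_name[name]):
            return name
    for name in rule.preferred:
        if by_name[name].up:
            return name
    return None


def steer(flow: dict, rules: list, members: list) -> tuple:
    """Return (rule name, chosen member). First full match wins; otherwise the implicit rule applies."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.matches(flow):
            return rule.name, select_member(rule, members)
    # Implicit rule: no explicit rule matched. FortiGate load-balances such traffic across
    # eligible members; this simulation spreads flows by source address so results are deterministic.
    eligible = [m for m in members if m.up]
    if not eligible:
        return "implicit", None
    idx = int(ipaddress.ip_address(flow["src"])) % len(eligible)
    return "implicit", eligible[idx].name


# The two rules from the section 2.1 use case (constructed).
RULES = [
    Rule(1, "zoom", ("wan1", "wan2"), src="192.168.1.0/24", dst="zoom.us", app="Video Conferencing"),
    Rule(2, "social", ("wan2", "wan1"), src="192.168.1.0/24", dst="facebook.com", app="Social Media"),
]


def member_state(wan1_latency: float) -> list:
    """Constructed member readings; only WAN1's latency varies between scenarios."""
    return [Member("wan1", wan1_latency, 5.0, 0.0), Member("wan2", 60.0, 10.0, 0.0)]


def run_scenarios() -> dict:
    zoom = {"src": "192.168.1.10", "dst": "zoom.us", "app": "Video Conferencing"}
    social = {"src": "192.168.1.10", "dst": "facebook.com", "app": "Social Media"}
    other = {"src": "192.168.1.10", "dst": "example.com", "app": "Web"}
    foreign = {"src": "10.9.9.9", "dst": "zoom.us", "app": "Video Conferencing"}  # wrong source subnet
    return {
        "zoom_healthy": steer(zoom, RULES, member_state(20.0)),     # WAN1 within SLA
        "zoom_degraded": steer(zoom, RULES, member_state(150.0)),   # WAN1 breaches 100 ms, fails over
        "social": steer(social, RULES, member_state(20.0)),
        "unmatched": steer(other, RULES, member_state(20.0)),       # no rule matches: implicit rule
        "partial_match": steer(foreign, RULES, member_state(20.0)), # src fails, so rule 1 is skipped
    }


if __name__ == "__main__":
    for name, (rule, member) in run_scenarios().items():
        print(f"{name:14} -> rule={rule:9} member={member}")
```

The `partial_match` scenario is the one that surprises people in practice: a flow that looks like Zoom traffic but comes from a subnet outside the rule's source criterion does not partially match rule 1; it falls all the way to the implicit rule, which is where unexpected paths usually come from.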

Key Takeaways

  • SD-WAN Rules: Define how specific traffic types are routed.
  • Static Routing: Simple, fixed routes for predictable flows.
  • Dynamic Routing Protocols: Adaptive and scalable for large, dynamic environments.
  • Routing Policies: Control traffic paths based on SLA performance and priorities.

With proper routing and rules, SD-WAN can efficiently manage traffic flow, ensuring optimal performance and reliability for all applications.

Rules and Routing (Additional Content)

Effective SD-WAN routing is crucial for ensuring optimal traffic flow, redundancy, and efficient WAN utilization. While basic SD-WAN routing covers static routes, SD-WAN rules, and dynamic routing, additional considerations such as route priority, policy-based routing (PBR), Equal-Cost Multi-Path (ECMP), advanced BGP configurations, and troubleshooting techniques enhance the robustness of an SD-WAN deployment.

1. Route Tables and Route Priority

Default Route (0.0.0.0/0)

  • A default route (0.0.0.0/0) is used when no specific route matches the destination IP.

  • It is typically set to an ISP gateway or an SD-WAN WAN link, ensuring that all non-matching traffic is forwarded to the internet.

  • Example of a default static route configuration in FortiGate:

    config router static
        edit 1
            set dst 0.0.0.0/0
            set gateway <ISP_Gateway_IP>
            set device wan1
        next
    end
    
  • If multiple default routes exist, priority is determined by administrative distance and cost metrics.

Route Types and Priority in FortiGate

Routes in FortiGate are prioritized based on the following order:

  1. Connected Routes – Directly connected network interfaces (highest priority).
  2. Static Routes – Manually defined routes by an administrator.
  3. Policy-Based Routing (PBR) – Routes based on specific conditions such as source IP, protocol, or application.
  4. Dynamic Routing Protocols (OSPF, BGP) – Routes learned from neighbors.
  5. SD-WAN Rules – Final decision for WAN link selection based on SLA performance and policy settings.

Checking FortiGate Routing Table

To verify which routes are actively used, administrators can use the following command:

get router info routing-table all

This command displays all active routes, including their priority, cost, and next-hop IP.

2. Policy-Based Routing (PBR)

What is PBR?

Policy-Based Routing (PBR) allows administrators to override normal routing behavior by forcing traffic through a specific WAN link based on predefined rules. PBR entries are processed before SD-WAN rules, so a matching policy route decides the egress link before any SD-WAN rule is consulted.

How PBR Works

  • PBR bypasses default routing decisions by enforcing rules based on:
    • Source IP or Subnet – Directing specific hosts or subnets through a dedicated WAN link.
    • Destination IP or Port – Routing traffic for specific services (e.g., VoIP or video conferencing).
    • Protocol Type – Ensuring that mission-critical applications get priority over general internet browsing.

Example of PBR in FortiGate

To force VoIP traffic (UDP port 5060) through WAN2, use the following configuration:

config router policy
    edit 1
        set input-device "lan"
        set src "192.168.1.0/24"
        set dst "0.0.0.0/0"
        # IP protocol 17 is UDP
        set protocol 17
        # destination port range; a single port uses the same start and end value
        set start-port 5060
        set end-port 5060
        set gateway <WAN2_Gateway_IP>
        set output-device "wan2"
    next
end

Why is PBR important?

  • Ensures traffic control before SD-WAN rule processing.
  • Overrides default route decisions for critical applications.
  • Useful for ISPs requiring static routing for specific services.
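An added Python model of the forwarding decision that sections 1 and 2 describe; it is not FortiOS code and not from the course. A policy route is consulted first and, when its input device, source subnet, protocol and destination-port range all match, it overrides the routing table. Otherwise the routing table is consulted with longest-prefix match, then lowest administrative distance, then lowest priority value, with 0.0.0.0/0 catching everything else. It also models the handoff the FAQ on this page describes: a route whose device is the SD-WAN zone leaves the member choice to SD-WAN rules. Addresses, distances and interface names are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

SDWAN_ZONE = "virtual-wan-link"   # routes into this zone hand the member choice to SD-WAN rules


@dataclass(frozen=True)
class Route:
    prefix: str
    distance: int              # administrative distance: connected 0, static 10, eBGP 20, OSPF 110
    priority: int              # tie-breaker among equal-distance routes; lower value wins
    gateway: Optional[str]     # None for connected routes and zone routes
    device: str


@dataclass(frozen=True)
class PolicyRoute:
    input_device: str
    src: str                   # source subnet in CIDR notation
    protocol: int              # IP protocol number (17 = UDP, 6 = TCP)
    start_port: int            # destination port range, inclusive
    end_port: int
    gateway: str
    output_device: str


# Constructed routing table and policy-route list (not taken from any device).
ROUTES = [
    Route("192.168.1.0/24", 0, 0, None, "lan"),             # connected
    Route("10.1.1.0/24", 10, 0, "192.168.0.1", "port3"),    # static
    Route("10.2.2.0/24", 110, 0, "10.0.0.2", "port3"),      # OSPF-learned
    Route("172.16.0.0/12", 10, 0, None, SDWAN_ZONE),        # static route into the SD-WAN zone
    Route("0.0.0.0/0", 10, 0, "203.0.113.1", "wan1"),       # default route, preferred
    Route("0.0.0.0/0", 10, 10, "198.51.100.1", "wan2"),     # default route, backup (loses on priority)
]
POLICY_ROUTES = [
    PolicyRoute("lan", "192.168.1.0/24", 17, 5060, 5060, "198.51.100.1", "wan2"),  # SIP via WAN2
]


def match_policy(pkt: dict, policies: list) -> Optional[PolicyRoute]:
    """First policy route, in list order, whose every criterion matches the packet."""
    src = ipaddress.ip_address(pkt["src"])
    for p in policies:
        if p.input_device != pkt["in_dev"]:
            continue
        if src not in ipaddress.ip_network(p.src):
            continue
        if p.protocol != pkt["proto"]:
            continue
        if not (p.start_port <= pkt["dport"] <= p.end_port):
            continue
        return p
    return None


def lookup_route(dst: str, routes: list) -> Optional[Route]:
    """Longest prefix wins; ties go to the lowest distance, then the lowest priority value."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    return min(candidates,
               key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, r.distance, r.priority))


def forward(pkt: dict, policies=POLICY_ROUTES, routes=ROUTES) -> tuple:
    """Return (decision, device, gateway); decision is 'pbr', 'route', 'sdwan' or 'drop'."""
    p = match_policy(pkt, policies)
    if p is not None:
        return "pbr", p.output_device, p.gateway
    r = lookup_route(pkt["dst"], routes)
    if r is None:
        return "drop", None, None
    if r.device == SDWAN_ZONE:
        return "sdwan", r.device, None       # SD-WAN rules choose the member from here on
    return "route", r.device, r.gateway


if __name__ == "__main__":
    sip = {"in_dev": "lan", "src": "192.168.1.10", "dst": "203.0.113.50", "proto": 17, "dport": 5060}
    web = dict(sip, proto=6, dport=443)
    print(forward(sip))   # the policy route wins
    print(forward(web))   # falls through to the default route on wan1
```

Two checks worth keeping in mind when reading the output: the same SIP packet arriving on a different input device does not match the policy route and takes the default route, and a destination covered by the SD-WAN zone route never reaches the WAN1/WAN2 default routes at all, which is why a missing or wrong static route lets traffic bypass SD-WAN entirely.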

3. Equal-Cost Multi-Path (ECMP) Routing

What is ECMP?

ECMP (Equal-Cost Multi-Path) allows SD-WAN to balance traffic across multiple WAN links with the same cost metric.

How ECMP Works in SD-WAN

  • OSPF or BGP can advertise multiple equal-cost paths.
  • SD-WAN load balancing is applied across these paths to optimize performance.
  • Traffic is distributed using hashing algorithms based on source-destination pairs.

Configuring ECMP in FortiGate

# ecmp-max-paths is a per-VDOM system setting, not a router setting
config system settings
    set ecmp-max-paths 4
end

This setting allows up to 4 equal-cost paths for traffic distribution.

Why is ECMP important?

  • Increases bandwidth availability by utilizing multiple WAN links.
  • Provides redundancy and resilience in case one path degrades.
  • Improves SD-WAN load balancing in dynamic routing environments.
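The source-destination hashing described under "How ECMP Works in SD-WAN", as an added Python example (not FortiGate code, not from the course): equal-cost next hops are capped at a maximum path count, each flow is hashed on its source and destination address so it always lands on the same path, and a helper counts how many flows change path when one member leaves the set. The flows, addresses and path names are constructed.

```python
import ipaddress
import zlib
from collections import Counter


def ecmp_paths(next_hops: list, max_paths: int = 4) -> list:
    """Install at most max_paths equal-cost next hops (the role of ecmp-max-paths)."""
    return list(next_hops)[:max_paths]


def flow_key(src: str, dst: str) -> bytes:
    """Source/destination pair; the same pair always produces the same key."""
    return ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed


def pick_path(src: str, dst: str, paths: list) -> str:
    """Source-destination hashing: CRC32 of the pair, modulo the number of installed paths."""
    if not paths:
        raise ValueError("no equal-cost path available")
    return paths[zlib.crc32(flow_key(src, dst)) % len(paths)]


def distribute(flows: list, paths: list) -> Counter:
    """How many flows land on each path."""
    return Counter(pick_path(s, d, paths) for s, d in flows)


def moved_flows(flows: list, before: list, after: list) -> int:
    """Flows whose path changes when the installed path set changes (e.g. a member degrades out of it)."""
    return sum(1 for s, d in flows if pick_path(s, d, before) != pick_path(s, d, after))


def sample_flows(n: int = 400) -> list:
    """Constructed flows: n hosts in 10.0.0.0/16 talking to three destinations."""
    dests = ["203.0.113.10", "198.51.100.20", "192.0.2.30"]
    return [(str(ipaddress.ip_address("10.0.0.1") + i), dests[i % len(dests)]) for i in range(n)]


if __name__ == "__main__":
    paths = ecmp_paths(["wan1", "wan2", "wan3", "wan4", "wan5", "wan6"])   # capped at four
    flows = sample_flows()
    print("flows per path:", dict(distribute(flows, paths)))
    print("flows re-hashed when wan4 drops:", moved_flows(flows, paths, paths[:3]))
```

Two caveats the counts make visible: hashing balances flow counts, not bytes, so one large transfer can still saturate a single member; and a plain modulo hash re-maps more flows than just those on the lost path when the path set shrinks, which shows up as connections resetting on members that never failed.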

4. Advanced BGP Features in SD-WAN

BGP Route Attributes

  1. Local Preference
    • Used inside an AS to prefer a specific outbound route.
    • Higher values are preferred over lower ones.
    • In FortiOS the value is applied through a route-map on the neighbor's inbound direction (there is no per-neighbor local-preference option). This sets local preference 200 on routes learned from the peer:

    config router route-map
        edit "LP-200"
            config rule
                edit 1
                    set set-local-preference 200
                next
            end
        next
    end
    config router bgp
        config neighbor
            edit <BGP_Peer_IP>
                set route-map-in "LP-200"
            next
        end
    end

  2. MED (Multi-Exit Discriminator)
    • Used to influence inbound traffic from an external AS.
    • A lower MED value is preferred.
    • Applied through a route-map on the neighbor's outbound direction, so the ISP sees MED 50 on prefixes advertised over this link:

    config router route-map
        edit "MED-50"
            config rule
                edit 1
                    set set-metric 50
                next
            end
        next
    end
    config router bgp
        config neighbor
            edit <ISP_Peer_IP>
                set route-map-out "MED-50"
            next
        end
    end
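How the two attributes above decide a path, as an added Python example (not FortiOS code, not from the course) of a simplified BGP best-path comparison: highest local preference first, then shortest AS path, then lowest MED, with MED compared only between paths received from the same neighbor AS. The real decision process has more steps, and FortiOS exposes further options (for example `always-compare-med`) that this comparison ignores. AS numbers, next hops and attribute values are constructed.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class BgpPath:
    """One candidate path for a prefix as it would appear in the BGP table (constructed values)."""
    next_hop: str
    neighbor_as: int
    as_path: Tuple[int, ...]
    local_pref: int = 100   # default local preference
    med: int = 0            # MED; compared only between paths from the same neighbor AS


def prefer(a: BgpPath, b: BgpPath) -> BgpPath:
    """Simplified comparison: LOCAL_PREF (higher), AS_PATH length (shorter), MED (lower, same neighbor AS).
    When nothing separates the two, the current best (a) is kept."""
    if a.local_pref != b.local_pref:
        return a if a.local_pref > b.local_pref else b
    if len(a.as_path) != len(b.as_path):
        return a if len(a.as_path) < len(b.as_path) else b
    if a.neighbor_as == b.neighbor_as and a.med != b.med:
        return a if a.med < b.med else b
    return a


def best_path(paths: List[BgpPath]) -> BgpPath:
    best = paths[0]
    for p in paths[1:]:
        best = prefer(best, p)
    return best


def outbound_example() -> str:
    """Our side: the same prefix from two ISPs. Local preference 200 on ISP A wins even though
    ISP B advertised a lower MED, because LOCAL_PREF is compared before MED."""
    via_isp_a = BgpPath("203.0.113.1", 64501, (64501, 64510), local_pref=200, med=100)
    via_isp_b = BgpPath("198.51.100.1", 64502, (64502, 64510), local_pref=100, med=10)
    return best_path([via_isp_a, via_isp_b]).next_hop


def inbound_example() -> str:
    """The ISP's side: our prefix arrives over two links from our AS; the link carrying MED 50 wins."""
    link1 = BgpPath("192.0.2.1", 65001, (65001,), med=50)
    link2 = BgpPath("192.0.2.5", 65001, (65001,), med=100)
    return best_path([link2, link1]).next_hop


def med_across_as_example() -> str:
    """MED from different neighbor ASes is not compared: with equal LOCAL_PREF and AS_PATH length
    the first path seen is kept, whatever MED the other carries."""
    a = BgpPath("203.0.113.1", 64501, (64501,), med=100)
    b = BgpPath("198.51.100.1", 64502, (64502,), med=10)
    return best_path([a, b]).next_hop


if __name__ == "__main__":
    print("outbound best next hop:", outbound_example())
    print("ISP's preferred inbound link:", inbound_example())
    print("MED across ASes ignored, next hop:", med_across_as_example())
```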

BGP Peering and SD-WAN Integration

  • BGP Peering allows multiple ISPs to be used dynamically.
  • SD-WAN can leverage BGP to determine the best path for outbound traffic.

BGP with SD-WAN Overlay

  • BGP is often used in SD-WAN overlay networks where branches dynamically learn paths to data centers.
  • SD-WAN rules can influence BGP-learned paths by applying additional policies.

Why is BGP important for SD-WAN?

  • Allows dynamic ISP path selection for internet-based SD-WAN deployments.
  • Ensures fast convergence during link failures.
  • Optimizes WAN performance by dynamically adjusting paths.

5. FortiGate Troubleshooting and Diagnostics

Checking SD-WAN Rule Matching

To check which SD-WAN rule is applied to a session, use:

diagnose sys sdwan service

This command helps verify:

  • Whether traffic is correctly matched to an SD-WAN rule.
  • If a rule is being overridden by another policy.

Verifying Static and Dynamic Routes

For static and dynamic route status, use:

diagnose ip route list

This command shows:

  • Active static routes.
  • Dynamically learned routes from OSPF or BGP.
  • Administrative distance and next-hop information.

Checking OSPF and BGP Routing Tables

  1. OSPF Route Information:

    get router info ospf route

    Displays OSPF-learned routes and next-hop details.

  2. BGP Peering and Routing:

    get router info bgp summary

    Shows BGP peer status, route counts, and AS path information.

Why are these troubleshooting tools important?

  • Ensures SD-WAN rules are applied correctly.
  • Helps identify misconfigured routes or unexpected routing behaviors.
  • Verifies whether dynamic routing protocols are operating as expected.
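An added Python parser (not FortiGate code, not from the course) that turns the layout of `get router info routing-table all` into records, so the checks this section describes can be scripted: is the default route on the expected link, which interface carries which prefixes, and whether OSPF and BGP routes are actually installed. The sample text is constructed to mirror that layout, not captured from a device; confirm the pattern against your own output before relying on it.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the style of `get router info routing-table all` (not a real capture).
SAMPLE = """\
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 203.0.113.1, wan1, [1/0]
C       192.168.1.0/24 is directly connected, lan
S       10.1.1.0/24 [10/0] via 192.168.0.1, port3, [1/0]
O       10.2.2.0/24 [110/20] via 10.0.0.2, port3, 00:05:12
B       172.16.0.0/12 [20/0] via 10.255.0.1, vpn-hub, 00:12:40
"""


@dataclass(frozen=True)
class RouteEntry:
    code: str                  # S, C, O, B, ... (origin of the route)
    candidate_default: bool    # the trailing '*' on the code
    prefix: str
    distance: int              # administrative distance from the [distance/metric] field
    metric: int
    gateway: Optional[str]     # None for directly connected routes
    device: str


# Route lines only; header and legend lines start with lowercase text or whitespace and do not match.
LINE = re.compile(
    r"^(?P<code>[A-Z]{1,2})(?P<star>\*?)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+"
    r"(?:\[(?P<dist>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<gw>\S+),\s+(?P<dev>[^,\s]+)"
    r"|is directly connected,\s+(?P<cdev>\S+))"
)


def parse_routing_table(text: str) -> List[RouteEntry]:
    entries = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        star = m["star"] == "*"
        if m["cdev"]:
            entries.append(RouteEntry(m["code"], star, m["prefix"], 0, 0, None, m["cdev"]))
        else:
            entries.append(RouteEntry(m["code"], star, m["prefix"], int(m["dist"]),
                                      int(m["metric"]), m["gw"], m["dev"]))
    return entries


def default_route(entries: List[RouteEntry]) -> Optional[RouteEntry]:
    """The installed 0.0.0.0/0 route, or None if the device has no default route at all."""
    for e in entries:
        if e.prefix == "0.0.0.0/0":
            return e
    return None


def routes_on(entries: List[RouteEntry], device: str) -> List[str]:
    """Prefixes whose next hop leaves through the given interface."""
    return [e.prefix for e in entries if e.device == device]


def by_source(entries: List[RouteEntry]) -> Counter:
    """Routes per origin code: a quick check that OSPF (O) and BGP (B) routes are installed."""
    return Counter(e.code for e in entries)


if __name__ == "__main__":
    routes = parse_routing_table(SAMPLE)
    d = default_route(routes)
    print("default via", d.gateway, "on", d.device if d else "none")
    print("port3 carries", routes_on(routes, "port3"))
    print("routes by source", dict(by_source(routes)))
```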

Conclusion

Key Takeaways

  1. Route Tables and Priority
    • Default routes (0.0.0.0/0) ensure connectivity when no specific match exists.
    • FortiGate processes routes in the order of connected > static > PBR > dynamic > SD-WAN rules.
  2. Policy-Based Routing (PBR)
    • Allows traffic steering based on IP, protocol, or application before SD-WAN rule processing.
  3. ECMP Routing
    • Balances traffic across equal-cost paths for better load distribution and redundancy.
  4. Advanced BGP Features
    • Local Preference and MED influence outbound and inbound BGP routing, respectively.
    • BGP with SD-WAN enables dynamic multi-ISP traffic optimization.
  5. FortiGate Troubleshooting Tools
    • diagnose sys sdwan service – Verifies SD-WAN rule matching.
    • diagnose ip route list – Checks static and dynamic routing behavior.
    • get router info bgp summary – Validates BGP peering and routing.

Frequently Asked Questions

In what order does FortiGate evaluate SD-WAN rules?

Answer:

FortiGate evaluates SD-WAN rules top-down by rule ID (priority).

Explanation:

SD-WAN rules are processed sequentially starting with the lowest rule ID (highest priority). When traffic matches the conditions of a rule—such as source, destination, application, or service—the firewall applies that rule and stops evaluating additional SD-WAN rules. This means rule ordering is critical for ensuring correct traffic steering. If a broad rule appears above a more specific rule, it may capture traffic before the intended rule is evaluated. Administrators frequently encounter routing issues due to misordered rules, especially when implementing application-based steering or multiple WAN policies. Correct rule ordering ensures the intended path-selection logic is applied consistently.

Demand Score: 86

Exam Relevance Score: 92

What happens when traffic does not match any configured SD-WAN rule?

Answer:

It is handled by the implicit SD-WAN rule.

Explanation:

If traffic does not match any explicit SD-WAN rule, FortiGate automatically applies an implicit rule at the bottom of the rule list. This implicit rule typically distributes traffic using the default load-balancing algorithm across all eligible members. Because it has the lowest priority, it only applies when no other rule conditions match. Troubleshooting scenarios often reveal unexpected traffic patterns caused by traffic falling into this implicit rule. Engineers must verify that rule conditions are properly configured to avoid unintended routing behavior.

Demand Score: 82

Exam Relevance Score: 90

Does SD-WAN override the routing table when selecting a path?

Answer:

No. Routing decisions occur before SD-WAN rule evaluation.

Explanation:

FortiGate first performs a routing table lookup to determine the outgoing interface or zone. If the selected route points to the SD-WAN zone (virtual-wan-link), then SD-WAN rules determine which specific member interface should forward the traffic. This means SD-WAN does not replace the routing table; it operates after route lookup to select the best link within the SD-WAN zone. Misconfigured static routes or missing routes often cause traffic to bypass SD-WAN entirely, which is a common troubleshooting scenario during deployments.

Demand Score: 80

Exam Relevance Score: 94

Which routing protocols are commonly used with Fortinet SD-WAN deployments?

Answer:

Common protocols include OSPF, BGP, and static routing.

Explanation:

Fortinet SD-WAN integrates with several routing protocols. Static routes are frequently used in simple branch deployments, while OSPF or BGP is used in larger networks to dynamically exchange routes across WAN overlays. Dynamic routing helps maintain connectivity if links fail and enables route convergence across SD-WAN sites. In enterprise environments, BGP is commonly used with SD-WAN overlay tunnels because it scales better across large multi-site deployments. Understanding how routing protocols interact with SD-WAN path selection is essential for designing resilient WAN architectures.

Demand Score: 77

Exam Relevance Score: 88

What condition must be met for an SD-WAN rule to apply to traffic?

Answer:

All rule matching criteria must match the traffic session.

Explanation:

Each SD-WAN rule includes match conditions such as source address, destination address, application, or service. A session must match all configured criteria for the rule to apply. If any condition fails, FortiGate moves to the next rule in the list. This behavior ensures precise traffic steering but can cause unexpected routing when rules are overly restrictive. Engineers should carefully verify match criteria when troubleshooting rule-selection problems.

Demand Score: 75

Exam Relevance Score: 87
