NSE7_SDW-7.2 SD-WAN configuration

SD-WAN Configuration Detailed Explanation

SD-WAN configuration is the backbone of an SD-WAN deployment, ensuring that your network traffic is optimized, reliable, and performs according to your needs.

1.1 SD-WAN Interfaces and Members

Goal:

Identify and define WAN interfaces that will be part of the SD-WAN network. These interfaces can be physical (like ethernet ports) or virtual (like VLANs).

What are WAN Interfaces?

A WAN (Wide Area Network) interface connects your local network (LAN) to external networks like the internet or other branch offices. In SD-WAN, these interfaces form the building blocks of your wide-area network.

Configuration Steps:

1. Add Interfaces:

   • Login to your FortiGate or SD-WAN device’s web interface or CLI (command-line interface).
   • Navigate to the Network > Interfaces section.
   • Add interfaces like wan1 or wan2 that will serve as SD-WAN members.
     Example:
     • WAN1 connects to ISP A.
     • WAN2 connects to ISP B.

2. Set IP Addresses:

   • Assign IP addresses provided by your Internet Service Provider (ISP) to each WAN interface.
   • Ensure the interface is set to either DHCP (if ISP provides dynamic addresses) or Static (if the address is fixed).

3. Define Roles:

   • Set the primary interface (e.g., WAN1 for main traffic).
   • Set the backup interface (e.g., WAN2 for failover).

4. Load Balancing Weights:

   • Assign weights to interfaces. Higher weights mean more traffic will be directed to that interface.
     Example: If WAN1 has a weight of 80 and WAN2 has a weight of 20, 80% of the traffic will use WAN1, while 20% will use WAN2.

Why Is This Important?

Defining interfaces properly ensures your SD-WAN can use multiple internet links efficiently.

1.2 SLA (Service Level Agreement)

Goal:

Ensure the quality of your network links by setting performance benchmarks such as latency (delay), jitter (variation in delay), and packet loss.

What Is SLA in SD-WAN?

SLA ensures that your SD-WAN dynamically selects the best available link for traffic based on predefined performance criteria.

Configuration Steps:

1. Define SLA Parameters:

   • Go to the SD-WAN Monitor > Performance SLA section.
   • Define acceptable thresholds for:
     • Latency: Maximum delay acceptable (e.g., 50ms).
     • Jitter: Acceptable variation in delay (e.g., 10ms).
     • Packet Loss: Percentage of lost packets (e.g., less than 1%).

2. Monitor Link Performance:

   • The system continuously measures each WAN interface's performance using ICMP (ping) or HTTP requests.

3. Set Actions for SLA Breaches:

   • If a link exceeds SLA thresholds, SD-WAN can:
     • Automatically switch to a better-performing link.
     • Send alerts to administrators.

Why Is This Important?

SLA ensures critical applications (like video calls) always use high-quality links, avoiding disruptions.

1.3 Load Balancing and Path Selection

Goal:

Distribute traffic intelligently across available WAN links to improve efficiency and reliability.

Load Balancing Modes:

1. Volume-Based:

   • Distribute traffic based on bandwidth usage. For example, split traffic 50:50 between WAN1 and WAN2.

2. Session-Based:

   • Each new session (e.g., opening a webpage, starting a video) is directed to an interface in a round-robin manner.

3. Application-Based:

   • Traffic is routed based on the type of application. For example:
     • Video traffic uses the low-latency WAN1.
     • File downloads use the high-bandwidth WAN2.

Path Selection Rules:

1. Primary Link:

   • Designate a preferred link for important traffic.
   • Example: Route all office-to-office VPN traffic through WAN1.

2. Failover:

   • Configure automatic switchover to a backup link if the primary fails or breaches SLA thresholds.

Why Is This Important?

Load balancing prevents overloading one link and ensures redundancy in case of failure.

1.4 Application Awareness

Goal:

Optimize network performance by recognizing and prioritizing different types of applications.

What Is Application Awareness?

This feature identifies traffic by its application type (e.g., Zoom, YouTube) and applies specific policies for optimization.

Configuration Steps:

1. Enable Application Identification:

   • Use built-in deep packet inspection (DPI) tools to recognize traffic types.

2. Define Application-Specific Policies:

   • Prioritize business-critical apps (e.g., Zoom, Teams).
   • Throttle or restrict non-essential apps (e.g., social media, gaming).

Example:

• Route Zoom traffic through low-latency WAN1 to ensure smooth video calls.
• Route large downloads through high-bandwidth WAN2.

Why Is This Important?

Application awareness prevents non-critical traffic from affecting critical business operations.

1.5 Bandwidth Control and Traffic Prioritization

Goal:

Ensure that important traffic is always transmitted first, even during peak usage times.

Configuration Steps:

1. Define Bandwidth Limits:

   • Set maximum upload/download speeds for each application or user.

2. Apply Traffic Prioritization:

   • Use Quality of Service (QoS) to prioritize certain traffic types.
   • Example:
     • Assign high priority to voice and video traffic.
     • Assign low priority to background file syncing.

Why Is This Important?

Bandwidth control guarantees smooth operation of critical applications even under heavy network load.

Practical Application

Scenario: Branch Office with Two WAN Links

1. Configure WAN1 as the primary link and WAN2 as a backup.
2. Set SLA thresholds to ensure low-latency and high-quality performance.
3. Use application-based policies to route video traffic through WAN1 and file downloads through WAN2.
4. Test link failover by simulating WAN1 failure and observing automatic switch to WAN2.
5. Monitor the SD-WAN performance dashboard to validate configurations.

Key Takeaways

• Proper SD-WAN configuration maximizes network reliability and performance.
• Each feature (interfaces, SLA, load balancing, application awareness) plays a critical role in ensuring smooth operations.
• Hands-on practice is crucial to mastering these configurations.

SD-WAN Configuration (Additional Content)

SD-WAN configuration is not just about setting up WAN interfaces and defining traffic rules. It also involves ensuring the health of the WAN links, implementing redundancy and failover mechanisms, and integrating VPN solutions for secure connectivity.

1. SD-WAN Health Monitoring

Goal:

Ensure real-time monitoring of network quality to validate SD-WAN policy effectiveness and quickly detect performance degradation.

Key Concepts:

Probing Mechanism

SD-WAN continuously monitors WAN link health using probes. These probes help FortiGate devices collect real-time network performance data such as:

• Latency: The time it takes for a packet to travel from source to destination.
• Jitter: Variations in packet arrival times, which impact real-time applications like VoIP and video conferencing.
• Packet Loss: The percentage of lost packets during transmission, affecting data integrity and quality.

To achieve this, SD-WAN uses different probing methods:

• ICMP (Ping): Measures basic connectivity and round-trip time.
• HTTP Probe: Checks application-level connectivity by sending HTTP requests.
• TCP Probe: Verifies the availability of specific services and ensures firewall traversal.

These probes run at regular intervals and collect performance data for SLA-based path selection.

Data Visualization

SD-WAN provides several ways to visualize link health:

• FortiView: A graphical dashboard in FortiGate that displays WAN link performance in real-time.
• CLI Commands:
  • diagnose sys sdwan health-check – Displays detailed health status of WAN links.
  • get router info routing-table all – Shows which WAN link is actively used for specific traffic.

Dynamic Path Adjustment

• When SD-WAN detects that a WAN link is not meeting SLA criteria (e.g., latency exceeding 100ms), it dynamically reroutes traffic to a better-performing link.
• If multiple WAN links are available, SD-WAN can balance the traffic load based on current network conditions.

Why is it important?

• Ensures reliable network performance by proactively identifying weak links.
• Minimizes downtime and disruptions for mission-critical applications.
• Optimizes traffic routing by selecting the best available path dynamically.

2. Redundancy and Failover

Goal:

Ensure seamless traffic switching between WAN links when one link fails or degrades, preventing network disruptions.

Key Concepts:

Active-Active Mode

• Multiple WAN links are simultaneously active, allowing traffic to be distributed across them.
• Load balancing strategies include:
  • Volume-based: Distributes traffic proportionally based on available bandwidth.
  • Session-based: New sessions are assigned to different WAN links in a round-robin manner.
  • Application-based: Critical applications are prioritized on high-performance links.

Active-Standby Mode

• A primary WAN link is used for all traffic, while the backup link remains inactive.
• If the primary link fails, SD-WAN automatically switches traffic to the standby link.
• This method is ideal for environments where one link is preferred for cost or performance reasons, while the other is used only in case of failure.

Failover Trigger Mechanism

• Failover is triggered when a WAN link violates SLA thresholds, such as:

  • Latency exceeds 100ms.
  • Packet loss exceeds 5%.

• SD-WAN uses Link Health Monitor to track these parameters.

• Example Configuration:

  • Configure an SLA target with:

    config system sdwan
        config health-check
            edit "Internet-Check"
                set server "8.8.8.8"
                set interval 2
                set latency-threshold 100
                set packetloss-threshold 5
            next
        end
    end
    

  • If the link exceeds the defined latency or packet loss limit, SD-WAN reroutes traffic to an alternative link.

Why is it important?

• Prevents network downtime by providing alternative routes.
• Enhances user experience by ensuring seamless connectivity for critical applications.
• Optimizes link utilization by intelligently switching to the best available WAN link.

3. SD-WAN VPN Integration

Goal:

Combine SD-WAN and VPN to create a secure, high-performance network that dynamically selects the best tunnel for traffic.

Key Concepts:

Supported VPN Types

1. Site-to-Site VPN:

• Connects two or more branch offices securely over the internet using IPsec tunnels.
• SD-WAN can dynamically select the best VPN path based on latency and jitter.

2. Remote Access VPN:

• Allows employees to securely connect to the corporate network from remote locations.
• SSL VPN or IPsec VPN can be integrated with SD-WAN for optimal performance.

SD-WAN and VPN Integration

• SD-WAN can dynamically select the best VPN tunnel based on SLA performance metrics.
• Example Use Case:
  • A branch office in New York connects to the headquarters in London via VPN.
  • If the primary IPsec tunnel over Fiber has high latency, SD-WAN automatically reroutes traffic over a backup tunnel using LTE.

Encryption and Authentication

1. IPsec Encryption:

• Encrypts all traffic passing through the VPN tunnels.
• Ensures data confidentiality, integrity, and authentication.
• Uses protocols like AES-256 for encryption.

2. Multi-Factor Authentication (MFA/2FA):

• Prevents unauthorized VPN access.
• Requires users to verify identity using a second factor (e.g., OTP or security token).

Why is it important?

• Ensures secure remote connectivity between branch offices.
• Improves VPN performance by dynamically selecting the best tunnel.
• Reduces manual intervention by automating failover between VPN tunnels.

Conclusion

Key Takeaways

1. SD-WAN Health Monitoring

• Uses probes (ICMP, HTTP, TCP) to track WAN link performance.
• Provides real-time SLA monitoring via FortiView and CLI.
• Enables dynamic path adjustment based on link health.

2. Redundancy and Failover

• Supports Active-Active for load balancing and Active-Standby for reliability.
• Uses SLA-based triggers to switch traffic during WAN failures.
• Ensures network resilience and prevents service disruptions.

3. SD-WAN VPN Integration

• Supports Site-to-Site and Remote Access VPNs.
• Uses IPsec encryption and 2FA authentication for security.
• Dynamically selects the best VPN tunnel based on real-time SLA metrics.