MPLS (SIP and backup) + DIA (cloud apps)
This topic covers a typical customer usage scenario where the customer's SD-WAN has two members: MPLS and DIA. DIA is mostly used for direct Internet access to Internet applications, for example, Office365, Google applications, Amazon, Dropbox, etc. MPLS is mostly used for SIP and works as a backup when DIA is not working.
Sample topology
Sample configuration
This sample configures all SIP traffic to use MPLS while all other traffic uses DIA. If DIA is not working, the traffic will use MPLS.
To configure an SD-WAN rule to use SIP and DIA using the GUI:
- On the FortiGate, enable SD-WAN and add wan1 and wan2 as SD-WAN members, then add a policy and static route.
- When you add a firewall policy, enable Application Control.
- Go to Network > SD-WAN Rules.
- Click Create New. The Priority Rule page opens.
- Enter a name for the rule, such as SIP.
- Click the Application box to display the popup dialog box; then select the applicable SIP applications.
- For Strategy, select Manual.
- For Interface preference, select MPLS.
- Click OK.
- Click Create New to create another rule.
- Enter a name for the rule, such as Internet.
- Click the Address box to display the popup dialog box and select all.
- For Strategy, select Manual.
- For Interface preference, select DIA.
- Click OK.
To configure the firewall policy using the CLI:
config firewall policy edit 1 set name "1" set srcintf "dmz" set dstintf ""virtual-wan-link"" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" set utm-status enable set fsso disable set application-list "g-default" set ssl-ssh-profile "certificate-inspection" set nat enable next end
To configure an SD-WAN rule to use SIP and DIA using the CLI:
config system virtual-wan-link set status enable config members edit 1 set interface "MPLS" set gateway x.x.x.x next edit 2 set interface "DIA" set gateway x.x.x.x next end config service edit 1 set name "SIP" set member 1 set internet-service enable set internet-service-app-ctrl 34640 152305677 38938 26180 26179 30251 next edit 2 set name "Internet" set input-device "dmz" set member 2 set dst "all" next end end
All SIP traffic uses MPLS. All other traffic goes to DIA. If DIA is broken, the traffic uses MPLS. If you use VPN instead of MPLS to run SIP traffic, you must configure a VPN interface, for example vpn1, and then replace member 1 from MPLS to vpn1 for SD-WAN member.
To use the diagnose command to check performance SLA status using the CLI:
FGT_A (root) # diagnose sys virtual-wan-link service 1 Service(1): Address Mode(IPV4) flags=0x0 TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual) Members:<<BR>> 1: Seq_num(1), alive, selected Internet Service: SIP(4294836224 34640) SIP.Method(4294836225 152305677) SIP.Via.NAT(4294836226 38938) SIP_Media.Type.Application(4294836227 26180) SIP_Message(4294836228 26179) SIP_Voice(4294836229 30251) FGT_A (root) # diagnose sys virtual-wan-link service 2 Service(2): Address Mode(IPV4) flags=0x0 TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual) Members:<<BR>> 1: Seq_num(2), alive, selected Dst address: 0.0.0.0-255.255.255.255 FGT_A (root) # FGT_A (root) # diagnose sys virtual-wan-link internet-service-app-ctrl-list Ctrl application(SIP 34640):Internet Service ID(4294836224) Ctrl application(SIP.Method 152305677):Internet Service ID(4294836225) Ctrl application(SIP.Via.NAT 38938):Internet Service ID(4294836226) Ctrl application(SIP_Media.Type.Application 26180):Internet Service ID(4294836227) Ctrl application(SIP_Message 26179):Internet Service ID(4294836228) Ctrl application(SIP_Voice 30251):Internet Service ID(4294836229) FGT_A (root) #