Configuring SD-WAN rules
Configure SD-WAN rules to govern the steering of DSCP tag-based traffic to the appropriate interfaces. Traffic will be steered based on the Criteria configured as part of the SD-WAN rules configuration.
In our example, we configured three different SD-WAN rules to govern DSCP tagged traffic. We have one SD-WAN rule each for VoIP traffic, social media traffic (Facebook in this case), and all other web traffic. VoIP traffic is always steered to either of the two overlay SD-WAN zones - VPN_A_tunnel(Branch-HQ-A)
or VPN_B_tunnel(Branch-HQ-B)
. Similarly, social media traffic and other web traffic is always steered to either of the two underlay SD-WAN zones - Internet_A(port1)
or Internet_B(port5)
. The interface that is preferred by the system over another depends upon the Criteria configured in the SD-WAN rule definition.
We configured the following SD-WAN rules:
SD-WAN rule for VoIP traffic
To configure SD-WAN rule for DSCP tagged VoIP traffic using the CLI:
FortiGate # config sys sdwan
config service
edit 5
set name "VoIP-Steer"
set mode priority
set tos 0x70
set tos-mask 0xf0
set dst "all"
set health-check "Default_DNS"
set link-cost-factor jitter
set priority-members 4 3
end
The VoIP-Steer
SD-WAN rule configured above governs the DSCP tagged VoIP traffic.
DSCP values commonly are 6-bit binary numbers that are padded with zeros at the end. Therefore, in this example, VoIP traffic with DSCP tag 011100
will become 01110000
. This 8-bit binary number 01110000
is represented in its hexadecimal form 0x70
as the tos
(Type of Service bit pattern) value. The tos-mask
(Type of Service evaluated bits) hexadecimal value of 0xf0
(binary 11110000
) is used to check the four most significant bits from the tos
value in this case. Hence, the first four bits of the tos
(0111
) will be used to match the first four bits of the DSCP tag in our policy above. Only the non-zero bit positions are used for comparison and the zero bit positions are ignored from the tos-mask
.
We used the Best Quality strategy to define the Criteria to select the preferred interface from the overlay SD-WAN zone. With the Best Quality strategy selected, the interface with the best measured performance is selected. The system prefers the interface with the least Jitter.
To know more about configuring SD-WAN rules with the Best Quality strategy, refer to the SD-WAN rules - best quality section.
SD-WAN rule for social media traffic
To configure SD-WAN rule for DSCP tagged social media traffic using the CLI:
FortiGate # config sys sdwan
config service
edit 3
set name "Facebook-DSCP-steer"
set tos 0x30
set tos-mask 0xf0
set dst "all"
set priority-members 2 1
end
The Facebook-DSCP-steer
SD-WAN rule configured above governs the DSCP tagged social media traffic.
DSCP values commonly are 6-bit binary numbers that are padded with zeros at the end. Therefore, in this example, social media traffic with DSCP tag 001100
will become 00110000
. This 8-bit binary number 00110000
is represented in its hexadecimal form 0x30
as the tos
(Type of Service bit pattern) value. The tos-mask
(Type of Service evaluated bits) hexadecimal value of 0xf0
(binary 11110000
) is used to check the four most significant bits from the tos
value in this case. Hence, the first four bits of the tos
(0011
) will be used to match the first four bits of the DSCP tag in our policy above. Only the non-zero bit positions are used for comparison and the zero bit positions are ignored from the tos-mask
.
We used a manual strategy to select the preferred interface from the underlay SD-WAN zone. We manually select the preferred interface as Internet_B(port5) to steer all social media traffic to.
To know more about configuring SD-WAN rules with static application steering with a manual strategy, refer to the Static application steering with a manual strategy section.
SD-WAN rule for other web traffic
To configure SD-WAN rule for all other web traffic using the CLI:
FortiGate # config sys sdwan
config service
edit 2
set name "All-traffic"
set mode sla
set dst "all"
config sla
edit "Default_DNS"
set id 1
next
end
set priority-members 1 2
end
The All-traffic
SD-WAN rule configured above governs all other web traffic.
We used the Lowest Cost (SLA) strategy to define the Criteria to select the preferred interface from the underlay SD-WAN zone. With the Lowest Cost (SLA) strategy selected, the interface that meets the defined Performance SLA targets (Default_DNS in our case) is selected. When there is a tie, the interface with the lowest assigned Cost (Internet_A(port1)
in our case) is selected.
To know more about configuring SD-WAN rules with the Lowest Cost (SLA) strategy, refer to the SD-WAN rules - lowest cost (SLA) section.
Once configured, verify your SD-WAN rules by navigating to Network > SD-WAN Rules: