Static application steering with a manual strategy
This example covers a typical usage scenario where the SD-WAN has two members: MPLS and DIA. DIA is primarily used for direct internet access to internet applications, such as Office365, Google applications, Amazon, and Dropbox. MPLS is primarily used for SIP, and works as a backup when DIA is not working.
This example configures all SIP traffic to use MPLS while all other traffic uses DIA. If DIA is not working, the traffic will use MPLS.
By default, individual applications and application groups cannot be selected in SD-WAN rules. To enable this functionality in the GUI, go to System > Feature Visibility and enable Application Detection Based SD-WAN. In the CLI, enter:
    config system global
        set gui-app-detection-sdwan enable
    end
To configure SD-WAN rules that steer SIP traffic to MPLS and all other traffic to DIA in the GUI:
- Add port1 (DIA) and port2 (MPLS) as SD-WAN members, and configure a static route. See Configuring the SD-WAN interface for details.
- Create a firewall policy with an Application Control profile configured. See Configuring firewall policies for SD-WAN for details.
- Go to Network > SD-WAN, select the SD-WAN Rules tab, and click Create New.
- Enter a name for the rule, such as SIP.
- Click the Application field and select the applicable SIP applications from the Select Entries panel.
- Under Outgoing Interfaces, select Manual.
- For Interface preference, select MPLS.
- Click OK.
- Click Create New to create another rule.
- Enter a name for the rule, such as Internet.
- Click the Address field and select all from the panel.
- Under Outgoing Interfaces, select Manual.
- For Interface preference, select DIA.
- Click OK.
To configure the firewall policy using the CLI. The policy must have UTM enabled and an Application Control profile attached, because application-based SD-WAN rules can only match traffic that application control has identified:
    config firewall policy
        edit 1
            set name "1"
            set srcintf "dmz"
            set dstintf "virtual-wan-link"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set fsso disable
            set application-list "default"
            set ssl-ssh-profile "certificate-inspection"
            set nat enable
        next
    end
To configure SD-WAN rules that steer SIP traffic to MPLS and all other traffic to DIA using the CLI. Member 1 is MPLS and member 2 is DIA, so the SIP rule prefers member 1 and the Internet rule prefers member 2:
    config system sdwan
        set status enable
        config members
            edit 1
                set interface "MPLS"
            next
            edit 2
                set interface "DIA"
            next
        end
        config service
            edit 1
                set name "SIP"
                set internet-service enable
                set internet-service-app-ctrl 34640 152305677 38938 26180 26179 30251
                set priority-members 1
            next
            edit 2
                set name "Internet"
                set dst "all"
                set priority-members 2
            next
        end
    end
All SIP traffic uses MPLS, and all other traffic uses DIA. If the DIA member goes down, the Internet rule has no usable member, so its traffic falls through to the remaining member and uses MPLS. Because application detection has to inspect the first packets of a session before it can identify SIP, those packets are steered by the other rules until the application is identified. If you want to carry SIP over a VPN instead of MPLS, configure a VPN interface (for example, vpn1) and use it in place of MPLS as SD-WAN member 1.
If no SD-WAN zone is specified, members are added to the default virtual-wan-link zone.
To check the status of the SD-WAN rules and the application-to-Internet-Service mappings using the diagnose commands in the CLI:
    # diagnose sys sdwan service 1
    Service(1): Address Mode(IPV4) flags=0x0 TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
      Members:
        1: Seq_num(1), alive, selected
      Internet Service: SIP(4294836224 34640) SIP.Method(4294836225 152305677) SIP.Via.NAT(4294836226 38938) SIP_Media.Type.Application(4294836227 26180) SIP_Message(4294836228 26179) SIP_Voice(4294836229 30251)

    # diagnose sys sdwan service 2
    Service(2): Address Mode(IPV4) flags=0x0 TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
      Members:
        1: Seq_num(2), alive, selected
      Dst address: 0.0.0.0-255.255.255.255

    # diagnose sys sdwan internet-service-app-ctrl-list
    Ctrl application(SIP 34640):Internet Service ID(4294836224)
    Ctrl application(SIP.Method 152305677):Internet Service ID(4294836225)
    Ctrl application(SIP.Via.NAT 38938):Internet Service ID(4294836226)
    Ctrl application(SIP_Media.Type.Application 26180):Internet Service ID(4294836227)
    Ctrl application(SIP_Message 26179):Internet Service ID(4294836228)
    Ctrl application(SIP_Voice 30251):Internet Service ID(4294836229)
Rule 1 (SIP) has selected member sequence number 1, which is MPLS, and rule 2 (Internet) has selected member sequence number 2, which is DIA. Each application control ID bound to the SIP rule is mapped to an internal Internet Service ID, and the last command lists those mappings; the alive and selected flags on each member show whether the rule is currently able to steer traffic.
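Reading the diagnose output by eye is error-prone, and the thing that matters is whether the member each rule actually selected is the one the configuration intended (SIP to MPLS, everything else to DIA). The following script is an added example, not part of the FortiOS documentation and not a Fortinet tool: it parses the text of `diagnose sys sdwan service` and `diagnose sys sdwan internet-service-app-ctrl-list`, maps member sequence numbers to the interface names configured under config members, and reports any rule that steers to the wrong interface or that has no usable member. The sample outputs are constructed from the page's own diagnose output; the second sample, in which the DIA member is reported dead, assumes that shape of output for a failed member.

```python
"""Verify SD-WAN rule steering from FortiGate diagnose output.

Added example, not FortiOS documentation or a Fortinet tool. Parses
`diagnose sys sdwan service <id>` and `internet-service-app-ctrl-list` text.
"""
import re

MEMBERS = {1: "MPLS", 2: "DIA"}  # config members on the page: edit 1 = MPLS, edit 2 = DIA

# Constructed sample built from the page's two service outputs (prompt lines removed).
SERVICE_OUTPUT = """\
Service(1): Address Mode(IPV4) flags=0x0 TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
  Members:
    1: Seq_num(1), alive, selected
  Internet Service: SIP(4294836224 34640) SIP.Method(4294836225 152305677) SIP.Via.NAT(4294836226 38938) SIP_Media.Type.Application(4294836227 26180) SIP_Message(4294836228 26179) SIP_Voice(4294836229 30251)
Service(2): Address Mode(IPV4) flags=0x0 TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
  Members:
    1: Seq_num(2), alive, selected
  Dst address: 0.0.0.0-255.255.255.255
"""

# Constructed sample of rule 2 after the DIA link fails (assumed shape: member "dead", not "selected").
SERVICE_OUTPUT_DIA_DOWN = """\
Service(2): Address Mode(IPV4) flags=0x0 TOS(0x0/0x0), Protocol(0: 1->65535), Mode(manual)
  Members:
    1: Seq_num(2), dead
  Dst address: 0.0.0.0-255.255.255.255
"""

# Constructed sample: the page's internet-service-app-ctrl-list output.
APP_CTRL_LIST = """\
Ctrl application(SIP 34640):Internet Service ID(4294836224)
Ctrl application(SIP.Method 152305677):Internet Service ID(4294836225)
Ctrl application(SIP.Via.NAT 38938):Internet Service ID(4294836226)
Ctrl application(SIP_Media.Type.Application 26180):Internet Service ID(4294836227)
Ctrl application(SIP_Message 26179):Internet Service ID(4294836228)
Ctrl application(SIP_Voice 30251):Internet Service ID(4294836229)
"""

SERVICE_RE = re.compile(r"^Service\((\d+)\):")
MODE_RE = re.compile(r",\s*Mode\((\w+)\)")  # the leading comma excludes "Address Mode(IPV4)"
MEMBER_RE = re.compile(r"^\d+:\s*Seq_num\((\d+)\),\s*(\w+)(?:,\s*(selected))?")
ISDB_RE = re.compile(r"([\w.]+)\((\d+)\s+(\d+)\)")  # name(internet_service_id app_ctrl_id)
CTRL_RE = re.compile(r"Ctrl application\(([\w.]+)\s+(\d+)\):Internet Service ID\((\d+)\)")


def parse_services(text):
    """Map rule id -> {mode, members: [(seq, alive, selected)], apps: {name: (isdb, app)}, dst}."""
    services, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            cur = {"mode": None, "members": [], "apps": {}, "dst": None}
            services[int(m.group(1))] = cur
        if cur is None:
            continue  # skip prompt lines and anything before the first Service header
        if (m := MODE_RE.search(line)):
            cur["mode"] = m.group(1)
        elif (m := MEMBER_RE.match(line)):
            cur["members"].append((int(m.group(1)), m.group(2) == "alive", m.group(3) is not None))
        elif line.startswith("Internet Service:"):
            for name, isdb, app in ISDB_RE.findall(line.split(":", 1)[1]):
                cur["apps"][name] = (int(isdb), int(app))
        elif line.startswith("Dst address:"):
            cur["dst"] = line.split(":", 1)[1].strip()
    return services


def selected_interface(service, members=MEMBERS):
    """Interface the rule steers to now, or None when no alive member is selected."""
    for seq, alive, selected in service["members"]:
        if alive and selected:
            return members.get(seq)
    return None


def check_steering(services, expected):
    """Compare each rule's selected interface with the intent; return a list of problems."""
    problems = []
    for rule_id, want in expected.items():
        svc = services.get(rule_id)
        if svc is None:
            problems.append(f"rule {rule_id}: missing from diagnose output")
            continue
        if svc["mode"] != "manual":
            problems.append(f"rule {rule_id}: mode is {svc['mode']}, expected manual")
        got = selected_interface(svc)
        if got != want:
            problems.append(f"rule {rule_id}: steers to {got}, expected {want}")
    return problems


def cross_check_app_ids(services, ctrl_list):
    """Confirm each app-ctrl entry bound to a rule has the same Internet Service ID in the global list."""
    global_map = {int(app): int(isdb) for _, app, isdb in CTRL_RE.findall(ctrl_list)}
    mismatches = []
    for rule_id, svc in services.items():
        for name, (isdb, app) in svc["apps"].items():
            if global_map.get(app) != isdb:
                mismatches.append(f"rule {rule_id}: {name} ({app}) -> {isdb} not in app-ctrl list")
    return mismatches
```

Run `check_steering(parse_services(output), {1: "MPLS", 2: "DIA"})` against a fresh copy of the diagnose output after every change to the members or rules; an empty list means the steering matches intent. With the DIA-down sample the Internet rule returns no selected interface, which is the condition under which its traffic falls through to the remaining member, so a None result is the failure mode to alert on rather than a parser error.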