
SD-WAN Deployment for MSSPs

Creating an SD-WAN template (Edge)

The SD-WAN template is where you enter the settings that govern how traffic is steered, by means of performance SLAs, health checks and SD-WAN rules.

The following is a summary of how to configure the SD-WAN template:

  1. In Device Manager, create a new SD-WAN template for Edge devices. See Creating an SD-WAN template for edge devices.
  2. Create two SD-WAN zones named overlay and underlay. See Creating SD-WAN zones.
  3. Create three SD-WAN interface members, and put them in their respective underlay or overlay zone. See Creating SD-WAN interface members.
  4. Create the following performance SLAs:
    1. Internet
    2. Hub loopback interfaces over each overlay

    See Creating performance SLA.

  5. Configure two SD-WAN rules to steer traffic. See Configuring SD-WAN rules to steer traffic.
Creating an SD-WAN template for edge devices
To create a template for edge devices:
  1. In FortiManager, go to Device Manager > SD-WAN > SD-WAN Templates, and click Create New.
  2. In the Name box, type Edge-Template.
  3. Go to the next procedure to create SD-WAN Zones.
Creating SD-WAN zones

Create two SD-WAN Zones named overlay and underlay in the SD-WAN template named Edge-Template. Leave them empty for now.

To create SD-WAN zones:
  1. In the SD-WAN template under Interface Members, click Create New > SD-WAN Zone.
  2. In the Name box, type overlay, and click OK.

    The SD-WAN zone is created.

  3. Repeat this procedure to create an SD-WAN zone named underlay.
  4. Go to the next procedure to create SD-WAN interface members.
Creating SD-WAN interface members

Create SD-WAN interface members for this template, and assign them to the appropriate SD-WAN Zones, as follows:

Interface Member    SD-WAN Zone
UL_INET             underlay
H1_INET             overlay
H1_MPLS             overlay

To create SD-WAN interface members:
  1. In the SD-WAN template under Interface Members, click Create New > SD-WAN Member.

    The Create New SD-WAN Interface Member dialog box is displayed.

  2. In the Interface Member list, select an interface member.
  3. In the SD-WAN Zone list, select the zone, and click OK.

    The interface member is created.

  4. Repeat this procedure until you create all SD-WAN members.

  5. Go to the next procedure to create performance SLA.
Creating performance SLA
To create performance SLA:
  1. Create Performance SLAs defining the desired SLA targets and health checks for each Interface Member.

    Create one Performance SLA to be used for the corporate traffic, probing the lo-HC interface of the Hubs over members H1_INET and H1_MPLS.

    1. Under Performance SLA, click Create New.

      The Create New Performance SLA dialog box is displayed.

    2. In the Name box, type HUB.
    3. In the Health-Check Server list, select HUB.
    4. Beside Participants, select Specify, and then select H1_INET and H1_MPLS.
    5. Under SLA, click Create New.
    6. Beside Latency, type 100, leave the default for Jitter Threshold, change Packet Loss Threshold to 10, and click OK.

      The SLA is created.

  2. Create another Performance SLA to be used for the Internet traffic, probing the Internet health check over members UL_INET and H1_MPLS. Repeat the steps above with the Internet health check server and these two participants.

    Note

    In each Performance SLA, configure non-zero values for the sla-fail-log-period and sla-pass-log-period parameters under the Advanced Options. These values define the time interval for sending status updates to FortiAnalyzer and therefore have an impact on the accuracy of graphs and reports.
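As an added example (not Fortinet code, and not what FortiOS runs internally), the following Python model evaluates the two Performance SLAs described above against constructed probe windows, and models the effect of the sla-pass-log-period and sla-fail-log-period timers from the Note. Assumptions: the HUB SLA uses the page's targets (latency 100 ms, packet loss 10 %); the jitter threshold is an assumed default of 5 ms since the page leaves it unstated; the second SLA is named "Internet" here and reuses the same targets; jitter is computed as the mean absolute difference between consecutive RTTs; and the log-period timers are a simplified model in which a period of 0 suppresses periodic updates for that state.

```python
"""Performance SLA evaluation model (added example, not Fortinet code)."""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class SlaTarget:
    latency_ms: float
    jitter_ms: float
    packet_loss_pct: float


@dataclass(frozen=True)
class PerformanceSla:
    name: str
    health_check_server: str
    participants: Tuple[str, ...]
    target: SlaTarget


def measure(samples: Sequence[Optional[float]]) -> Tuple[float, float, float]:
    """Summarise one probe window: (latency ms, jitter ms, packet loss %).
    A sample of None is a lost probe. Jitter here is the mean absolute
    difference of consecutive RTTs (a simplification, labelled as such)."""
    if not samples:
        raise ValueError("empty probe window")
    rtts = [s for s in samples if s is not None]
    loss_pct = 100.0 * (len(samples) - len(rtts)) / len(samples)
    if not rtts:
        return float("inf"), float("inf"), loss_pct
    latency = mean(rtts)
    jitter = mean(abs(a - b) for a, b in zip(rtts, rtts[1:])) if len(rtts) > 1 else 0.0
    return latency, jitter, loss_pct


def sla_met(target: SlaTarget, samples: Sequence[Optional[float]]) -> bool:
    """True when every measured value is within the SLA target."""
    latency, jitter, loss_pct = measure(samples)
    return (latency <= target.latency_ms
            and jitter <= target.jitter_ms
            and loss_pct <= target.packet_loss_pct)


def evaluate(sla: PerformanceSla, probes: Dict[str, List[Optional[float]]]) -> Dict[str, bool]:
    """SLA status per participating member (non-participants are ignored)."""
    return {m: sla_met(sla.target, probes[m]) for m in sla.participants}


def status_update_times(per_second_state: Sequence[bool],
                        sla_pass_log_period: int,
                        sla_fail_log_period: int) -> List[Tuple[int, str]]:
    """Simplified model of the log-period timers: return the seconds at which a
    pass/fail status update would be emitted. A period of 0 emits nothing for
    that state, which is why the Note asks for non-zero values."""
    updates: List[Tuple[int, str]] = []
    last_sent: Dict[bool, Optional[int]] = {True: None, False: None}
    for t, ok in enumerate(per_second_state):
        period = sla_pass_log_period if ok else sla_fail_log_period
        if period <= 0:
            continue
        if last_sent[ok] is None or t - last_sent[ok] >= period:
            updates.append((t, "pass" if ok else "fail"))
            last_sent[ok] = t
    return updates


# Targets from the procedure: latency 100 ms, packet loss 10 %; jitter 5 ms is an assumed default.
TARGET = SlaTarget(latency_ms=100, jitter_ms=5, packet_loss_pct=10)
HUB_SLA = PerformanceSla("HUB", "lo-HC (hub loopback)", ("H1_INET", "H1_MPLS"), TARGET)
INTERNET_SLA = PerformanceSla("Internet", "Internet health check", ("UL_INET", "H1_MPLS"), TARGET)

# Constructed probe windows (10 probes each); None marks a lost probe.
PROBES: Dict[str, List[Optional[float]]] = {
    "H1_INET": [40, 42, 41, None, 43, 40, 44, 41, 42, 40],   # 10 % loss: exactly at threshold
    "H1_MPLS": [60, 61, 60, 62, 61, 60, 60, 61, 62, 60],     # clean
    "UL_INET": [20, 21, 150, 160, 155, 20, 21, 22, None, None],  # 20 % loss and high jitter
}

if __name__ == "__main__":
    print("HUB:", evaluate(HUB_SLA, PROBES))
    print("Internet:", evaluate(INTERNET_SLA, PROBES))
    print(status_update_times([True] * 5 + [False] * 5, 2, 1))
```

With these inputs H1_INET still meets the HUB SLA because 10 % loss equals, rather than exceeds, the threshold, while UL_INET fails the Internet SLA on both loss and jitter, which is the condition under which the Internet rule described later backhauls traffic via the Hub.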

Configuring SD-WAN rules to steer traffic
To configure SD-WAN rules to steer traffic:
  1. Configure SD-WAN Rules that bring all the elements together in order to steer the traffic. In this example, we configure the following two SD-WAN Rules:
    • A rule for the corporate traffic that prefers the H1_INET overlay as long as it meets the SLA target. If it doesn’t, the H1_MPLS overlay is used instead.

    • Note that this single SD-WAN rule covers both Edge-to-Hub and Edge-to-Edge traffic.

      • Edge-to-Hub traffic simply flows via the overlay selected by the SD-WAN rule.
      • For Edge-to-Edge traffic, a direct IPsec tunnel (ADVPN shortcut) is dynamically built between the two Edge devices, using the overlay selected by the SD-WAN rule.

      For SD-WAN Rules applying the “Lowest Cost (SLA)” strategy over ADVPN shortcuts, we highly recommend configuring the hold-down-time parameter under the rule’s Advanced Options. Setting its value to 20 seconds (or more) ensures correct switchover behavior from the secondary shortcut back to the primary after the network recovers from a failure. Without this parameter, traffic may switch back prematurely while the network issue still persists, causing a short period of bad application quality.

    • A rule for the Internet traffic that prefers Direct Internet Access (DIA) as long as the underlay connection (UL_INET) meets the SLA target. If it doesn’t, the H1_MPLS overlay is used instead, so that Internet traffic is backhauled via the Hub.
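As an added example (not Fortinet code and not a statement of how FortiOS implements the feature), the following Python model shows why the hold-down-time advice above matters. It implements a simplified “Lowest Cost (SLA)” selection for the two rules described here: the first member in priority order that meets its SLA wins, and a fail-back to a more preferred member is delayed until that member has stayed in SLA continuously for hold_down_time seconds. Assumptions: the per-second SLA timeline is constructed; rule names are the ones used in this text; and the behavior when no member meets SLA (keep the current member, else the first in priority order) is this model's choice.

```python
"""Lowest Cost (SLA) member selection with hold-down-time (added example, not Fortinet code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SdwanRule:
    name: str
    priority_members: Tuple[str, ...]   # most preferred member first
    hold_down_time: int = 0             # seconds; 0 disables the hold-down


@dataclass
class RuleState:
    current: Optional[str] = None
    in_sla_since: Dict[str, int] = field(default_factory=dict)  # member -> second it last entered SLA


def select_member(rule: SdwanRule, state: RuleState, sla_ok: Dict[str, bool], now: int) -> str:
    """One evaluation tick at time `now`, given each member's current SLA status."""
    # Keep a continuous-in-SLA timer per member; a miss resets it.
    for m in rule.priority_members:
        if sla_ok.get(m, False):
            state.in_sla_since.setdefault(m, now)
        else:
            state.in_sla_since.pop(m, None)

    prio = {m: i for i, m in enumerate(rule.priority_members)}
    eligible = [m for m in rule.priority_members if m in state.in_sla_since]
    cur = state.current
    chosen: Optional[str] = None
    for m in eligible:
        failing_back = cur is not None and m != cur and prio[m] < prio[cur]
        if failing_back and now - state.in_sla_since[m] < rule.hold_down_time:
            continue  # preferred member recovered too recently: stay on the secondary
        chosen = m
        break
    if chosen is None:
        # Assumption of this model: if only a still-held member is in SLA use it;
        # if nothing is in SLA keep the current member, else the first by priority.
        chosen = eligible[0] if eligible else (cur or rule.priority_members[0])
    state.current = chosen
    return chosen


def simulate(rule: SdwanRule, sla_of: Callable[[int, str], bool], seconds: int) -> List[Tuple[int, str]]:
    """Run the rule for `seconds` ticks and return the (second, member) transitions."""
    state = RuleState()
    transitions: List[Tuple[int, str]] = []
    for t in range(seconds):
        m = select_member(rule, state, {x: sla_of(t, x) for x in rule.priority_members}, t)
        if not transitions or transitions[-1][1] != m:
            transitions.append((t, m))
    return transitions


# Constructed scenario: H1_INET leaves SLA at t=5, blips back in at t=8, drops
# again at t=9 and is stable from t=10 on; H1_MPLS stays in SLA throughout.
def corporate_scenario(t: int, member: str) -> bool:
    if member == "H1_MPLS":
        return True
    return t < 5 or t == 8 or t >= 10


CORPORATE_NO_HOLD = SdwanRule("Corporate", ("H1_INET", "H1_MPLS"), hold_down_time=0)
CORPORATE_HOLD = SdwanRule("Corporate", ("H1_INET", "H1_MPLS"), hold_down_time=20)
INTERNET_RULE = SdwanRule("Internet", ("UL_INET", "H1_MPLS"), hold_down_time=20)

if __name__ == "__main__":
    print("no hold-down:", simulate(CORPORATE_NO_HOLD, corporate_scenario, 35))
    print("hold-down 20s:", simulate(CORPORATE_HOLD, corporate_scenario, 35))
```

Without a hold-down the corporate rule flaps between H1_INET and H1_MPLS around the t=8 blip; with hold_down_time=20 it stays on H1_MPLS until H1_INET has been in SLA for a full 20 seconds and fails back once, at t=30. The Internet rule behaves the same way for UL_INET versus H1_MPLS.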

Note

This SD-WAN configuration does not cover Hub-to-Edge traffic (sessions originating behind the Hub). As a result, if such traffic exists, it is handled by traditional routing, disregarding the health of the overlays towards the Edge devices. If you want SD-WAN to select the optimal path for Hub-to-Edge traffic, follow the steps detailed in Signaling SLA status to hubs.