SD-WAN considerations
| SD-WAN Member | SD-WAN Zone | Performance SLA | SD-WAN Rule | Firewall Policy |
|---|---|---|---|---|
| All overlay interfaces to the single Datacenter location | Overlays should be grouped by device and location | Health check server: business critical applications and resources | Dependent on business intention and availability requirements | References the SD-WAN zone(s) and appropriate security inspection |
| Example: overlay1_wan1, overlay2_wan2 | Example: Datacenter (overlay1_wan1, overlay2_wan2) | Example: Health-check: Datacenter_Server; Members: overlay1_wan1, overlay2_wan2 | Example: Destination: Datacenter_LAN; Steering Strategy: Lowest Quality SLA | Example: Source: Branch_LAN; Destination: Datacenter_LAN; Destination Interface: Datacenter; Security Inspection: Branch_Group |
Additional details
- SD-WAN members:
  - Each overlay will be an SD-WAN member.
  - If one member or WAN is preferred over another, assign a lower cost to the preferred interface; the cost can then be used by a Lowest Cost SLA SD-WAN rule.
- SD-WAN zone:
  - Zones should be grouped by device and location. For example, in the design for a single datacenter with an active-passive gateway (see Single datacenter (active-passive gateway)), all overlays to the gateway can share a single zone.
  - In active-passive designs, all overlays terminate on a single, active device. As a result, no additional considerations are necessary.
- Performance SLA:
  - The health-check destination IP address should be pointed deliberately at the locations where the business application or workload is located.
  - Loopbacks on the gateway can also be created to serve as a health check server.
- SD-WAN rules:
  - The appropriate route must be present in the routing table for an SD-WAN rule to be active. If the route is missing or misconfigured, the SD-WAN rule is considered inactive and skipped.
  - Branch to corporate traffic (datacenter or other branch locations) should contain all available overlays and their appropriate SLA.
  - Since corporate traffic is typically known, it is often preferred to match the destination by address object or route-tag rather than by application or internet service.
- Firewall policy:
  - The firewall policy should reference the datacenter zone(s) with the appropriate rule and security profiles enabled.
  - Policies can only reference zones, not individual members. If you need different policies or inspection per WAN, consider creating an SD-WAN zone per overlay member.
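The design in the table and notes above, expressed as FortiOS 7.x CLI. This is an added example, not configuration from the guide: it assumes SD-WAN members 1 (overlay1_wan1) and 2 (overlay2_wan2) already exist in the Datacenter zone, and the health-check target 192.0.2.1 (a loopback on the datacenter gateway), the branch LAN interface port2 and the datacenter prefix 10.10.0.0/16 are placeholders.

```fortios
# Constructed example (not the guide's). Assumes SD-WAN members 1 (overlay1_wan1) and 2
# (overlay2_wan2) already exist in zone "Datacenter"; 192.0.2.1, port2 and 10.10.0.0/16 are placeholders.
config system sdwan
    config health-check
        edit "Datacenter_Server"
            set server "192.0.2.1"
            set members 1 2
            config sla
                edit 1
                    set latency-threshold 250
                    set packetloss-threshold 2
                next
            end
        next
    end
    config service
        edit 1
            set mode sla
            set src "Branch_LAN"
            set dst "Datacenter_LAN"
            set priority-members 1 2
            config sla
                edit "Datacenter_Server"
                    set id 1
                next
            end
        next
    end
end
config router static
    edit 1
        set dst 10.10.0.0 255.255.0.0
        set sdwan-zone "Datacenter"
    next
end
config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "Datacenter"
        set srcaddr "Branch_LAN"
        set dstaddr "Datacenter_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set profile-type group
        set profile-group "Branch_Group"
    next
end
```

The static route is what keeps the rule active: without a route to Datacenter_LAN via the zone, `diagnose sys sdwan service` shows the rule as inactive and it is skipped. The policy references the zone as its destination interface, so both overlays are inspected with the same Branch_Group profile group.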