Creating SD-WAN rules
We will create two rules: one for traffic destined for HQ, and one for business traffic not destined for HQ. The first rule will specify traffic destined for HQ to take a VPN through WAN1 to HUB1 or HUB2, provided the measured SLA is met. Otherwise the traffic will use either VPN through WAN2 to HUB1 or HUB2. The second rule uses application identification to ensure business related traffic prefers the highest quality link at any given time. A final catch-all rule is created for the remaining traffic.
Following is an overview of the procedure:
- Define SD-WAN rules for traffic from the branch to HQ. See Defining rules for branch to HQ traffic.
- Define SD-WAN rules for business traffic to the internet. See Defining rules for business internet.
- Define SD-WAN rules for non-business traffic to the internet. See Defining rules for non-business traffic.
- Edit the Non-Business_Internet rule to specify it is for any traffic that is NOT part of the RFC-1918 subnets. See Editing the Non-Business_Internet rule .
Defining rules for branch to HQ traffic
To create SD-WAN rules for branch to HQ traffic:
- Go to Network > SD-WAN > SD-WAN Rules, and click Create New.
- Set Name to Branch_to_HQ.
- In the Source section, set the following options:
- Click Source Address. The Select Entries pane is displayed.
- Click +Create > Address to define an object for your LAN network named Branch_LAN. The New Address pane is displayed.
- Set Name to Branch_LAN.
- Set IP/Netmask to 10.0.1.0/24.
- Click OK. The Branch_LAN object displays in the list.
- Select Branch_LAN, and click Close.
- In the Destination section, set the following options:
- Click Address. The Select Entries pane is displayed.
- Click +Create > Address to define an object for your HQ network named HQ_LAN. The New Address pane is displayed.
- Set Name to HQ_LAN.
- Set IP/Netmask to 10.0.0.0/8.
- Click OK. The HQ_LAN object displays in the list.
- Select HQ_LAN, and click Close.
- In the Outgoing Interfaces section, set the following options:
- Select Lowest Cost (SLA).
- Set Interface Preference to WAN1_VPN, WAN2_VPN.
- Set Required SLA target to HQ_VPN.
- Click OK.
Defining rules for business internet
To create SD-WAN rules for business internet traffic:
- Go to Network > SD-WAN > SD-WAN Rules, and click Create New.
- Set Name to Business_Internet.
- In the Source section, click Source Address, and select Branch_LAN.
- In the Destination section, set the following options:
- Click Application. The Select Entries pane is displayed.
- Click +Create > Application Group. The New Application Group pane is displayed.
- Set Name to Critical_Apps.
- Click Members and select one or more applications that are critical to your business. Click Close when done.
- Click OK. The Critical_Apps object displays in the list.
- Select Critical_Apps, and click Close.
- In the Outgoing Interfaces section, set the following options:
- Select Best Quality.
- Set Interface Preference to ISP1, ISP2.
- Set Measured SLA to Internet.
- Click OK.
Defining rules for non-business traffic
This rule catches all remaining traffic. Matching traffic is defined as traffic destined for any non-private (RFC-1918) IP addresses.
To create SD-WAN rules for non-business internet traffic:
- Go to Network > SD-WAN > SD-WAN Rules, and click Create New.
- Set Name to Non-Business_Internet.
- In the Source section, click Source Address, and select Branch_LAN.
- In the Destination section, create and select an address object named RFC-1918-10:
- Click Address. The Select Entries pane is displayed.
- Click +Create > Address. The New Address pane is displayed.
- Set Name to RFC-1918-10.
- Set IP/Netmask to 10.0.0.0/8.
- Click OK. The RFC-1918-10 object displays in the list.
- Select RFC-1918-10. The Select Entries pane remains displayed.
- Create and select an address object named RFC-1918-172:
- In the Select Entries pane, click +Create > Address. The New Address pane is displayed.
- Set Name to RFC-1918-172.
- Set IP/Netmask to 172.16.0.0/12.
- Click OK. The RFC-1918-172 object displays in the list.
- Select RFC-1918-172. The Select Entries pane remains open.
- Create and select an address object named RFC-1918-192:
- In the Select Entries pane, click +Create > Address. The New Address pane is displayed.
- Set Name to RFC-1918-192.
- Set IP/Netmask to 192.168.0.0/16.
- Click OK. The RFC-1918-192 object displays in the list.
- Select RFC-1918-192.
- Create and select an address group named RFC-1918:
- In the Select Entries pane, click +Create > Address Group. The New Address Group pane is displayed.
- Set Name to RFC-1918.
- Set Type to Group, and select the RFC-1918_<number> objects you created.
- Click OK. The RFC-1918 object displays in the list.
- Select RFC-1918. Click Close.
- In the Outgoing Interfaces section, set the following options:
- Select Manual.
- Set Interface Preference to ISP2. This assumes that ISP2 is a lower quality or cheaper link and is preferred for non-critical traffic.
- Click OK. The Non-Business_Internet rule is displayed.
Editing the Non-Business_Internet rule
Edit the Non-Business_Internet rule to specify it is for any traffic that is NOT part of the RFC-1918 subnets.
To edit the Non-Business_Internet rule in the CLI:
- On the Network > SD-WAN > SD-WAN Rules page, right-click the Non-Business_Internet rule, and select Edit in CLI.
- Configure the service:
Branch1# config system sdwan Branch1 (sdwan) # config service Branch1 (service) # edit 3 Branch1 (3) # show config service edit 3 set name "Non-Business_Internet" set dst "RFC-1918" set src "Branch_LAN" set priority-members 2 next endThe
priority-members 2option is the index of your ISP2 interface object. - Enable
dst-negate:set dst-negate enable end end
- Close the CLI menu, and reload the SD-WAN Rules page. The Destination address displays a red ! in front of the name to indicate it is for any destination that is NOT part of the RFC-1918 subnets.
