Configuring SD-WAN rules

Configure SD-WAN rules to govern the steering of DSCP tag-based traffic to the appropriate interfaces. Traffic will be steered based on the Criteria configured as part of the SD-WAN rules configuration.

In our example, we configured three different SD-WAN rules to govern DSCP tagged traffic: one each for VoIP traffic, social media traffic (Facebook in this case), and all other web traffic. VoIP traffic is always steered to one of the two overlay SD-WAN zones - VPN_A_tunnel(Branch-HQ-A) or VPN_B_tunnel(Branch-HQ-B). Similarly, social media traffic and other web traffic are always steered to one of the two underlay SD-WAN zones - Internet_A(port1) or Internet_B(port5). Which interface the system prefers over the other depends on the Criteria configured in the SD-WAN rule definition.

We configured the following SD-WAN rules:

SD-WAN rule for VoIP traffic

To configure an SD-WAN rule for DSCP tagged VoIP traffic using the CLI:

config sys sdwan
    config service
        edit 5
            set name "VoIP-Steer"
            set mode priority
            set tos 0x70
            set tos-mask 0xf0
            set dst "all"
            set health-check "Default_DNS"
            set link-cost-factor jitter
            set priority-members 4 3
        next
    end
end

The VoIP-Steer SD-WAN rule configured above governs the DSCP tagged VoIP traffic.

DSCP values are 6-bit binary numbers that occupy the six most significant bits of the 8-bit DS byte (the former Type of Service byte); in the rule they are written as that full byte, so the 6-bit value is padded with two zero bits at the end. Therefore, in this example, VoIP traffic with DSCP tag 011100 becomes 01110000, and this 8-bit binary number is given in its hexadecimal form, 0x70, as the tos (Type of Service bit pattern) value. The tos-mask (Type of Service evaluated bits) hexadecimal value 0xf0 (binary 11110000) selects the four most significant bits of the tos value for comparison. Hence, the first four bits of the tos (0111) are matched against the first four bits of the DSCP tag in the policy above. Only the bit positions set to 1 in the tos-mask are compared; positions set to 0 in the tos-mask are ignored.
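As an added illustration (not from this page or from FortiOS), here is the tos/tos-mask comparison the paragraph describes, carried through in Python; the helper names dscp_to_tos_byte, tos_matches and dscp_values_matched are assumptions, and the enumeration goes beyond the single DSCP on the page to show every DSCP value a 0xf0 mask accepts, which is how you check that a rule is not broader than intended.

```python
# Added example (not the page's own code): how an SD-WAN rule's tos /
# tos-mask pair is evaluated against the 8-bit DS byte of an IP header.
# DSCP is the upper 6 bits of that byte; the low 2 bits are ECN.

def dscp_to_tos_byte(dscp: int, ecn: int = 0) -> int:
    """Place a 6-bit DSCP value in the upper bits of the DS byte, as the
    page describes (011100 -> 01110000 = 0x70), optionally with ECN bits."""
    if not 0 <= dscp <= 0x3F or not 0 <= ecn <= 0x3:
        raise ValueError("dscp must be 0..63 and ecn 0..3")
    return (dscp << 2) | ecn

def tos_matches(ds_byte: int, tos: int, tos_mask: int) -> bool:
    """Compare only the bit positions set in tos_mask; zero positions are
    ignored, which is the rule's tos-mask semantics."""
    return (ds_byte & tos_mask) == (tos & tos_mask)

# The VoIP-Steer rule from the page: tos 0x70, tos-mask 0xf0.
VOIP_TOS, VOIP_MASK = 0x70, 0xF0

def dscp_values_matched(tos: int, tos_mask: int) -> list:
    """Enumerate every 6-bit DSCP value a tos/tos-mask pair accepts,
    whatever the ECN bits are. A mask of 0xf0 checks only four of the
    six DSCP bits, so it accepts a range of DSCP values, not just one."""
    return sorted({d for d in range(64) for e in range(4)
                   if tos_matches(dscp_to_tos_byte(d, e), tos, tos_mask)})

if __name__ == "__main__":
    print(hex(dscp_to_tos_byte(0b011100)))          # 0x70
    print(dscp_values_matched(VOIP_TOS, VOIP_MASK))  # [28, 29, 30, 31]
    print(dscp_values_matched(VOIP_TOS, 0xFC))       # [28] (all 6 DSCP bits checked)
```

A mask of 0xfc evaluates all six DSCP bits and is the setting to use when a rule must match exactly one DSCP value.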

We used the Best Quality strategy to define the Criteria that selects the preferred interface from the overlay SD-WAN zone. With the Best Quality strategy selected, the interface with the best measured performance is chosen; because link-cost-factor is set to jitter in the rule above, the system prefers the interface with the least jitter.

SD-WAN rule for VoIP traffic

For more information about configuring SD-WAN rules with the Best Quality strategy, see Best quality strategy.

SD-WAN rule for social media traffic

To configure an SD-WAN rule for DSCP tagged social media traffic using the CLI:

config sys sdwan
    config service
        edit 3