Speed tests run from the hub to the spokes in dial-up IPsec tunnels
In a hub and spoke SD-WAN topology that uses dial-up VPN overlays, QoS can be applied on individual tunnels based on the measured bandwidth between the hub and spokes. The FortiGate can use the built-in speed test to dynamically populate the egress bandwidth of individual dial-up tunnels from the hub.
SD-WAN members on a spoke can switch routes when the speed test is running from the hub to the spoke. The speed test results can be cached for reuse when a tunnel comes back after going down.
CLI commands
Allow upload speed tests to be run from the hub to spokes on demand for a dial-up IPsec tunnel:
config system speed-test-schedule
    edit <interface>
        set dynamic-server {enable | disable}
    next
end
Option | Description |
---|---|
<interface> | The dial-up IPsec tunnel interface on the hub. |
dynamic-server {enable \| disable} | Enable/disable the dynamic speed test server (default = disable). |
To limit the maximum and minimum bandwidth used in the speed test, enable
config system global
    set speedtest-server {enable | disable}
end
Option | Description |
---|---|
speedtest-server {enable \| disable} | Enable/disable the speed test server on the spoke (default = disable). This setting must be enabled on spoke FortiGates. This enables iPerf in server mode, which listens on the default iPerf TCP port 5201. |
Allow an SD-WAN member on the spoke to switch routes while a speed test from the hub to the spokes is running on it:
config system sdwan
    set speedtest-bypass-routing {enable | disable}
    config neighbor
        edit <bgp neighbor>
            set mode speedtest
        next
    end
end
Option | Description |
---|---|
speedtest-bypass-routing {enable \| disable} | Enable/disable bypass routing when doing a speed test on an SD-WAN member (default = disable). |
set mode speedtest | Use the speed test to select the neighbor. |
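
The settings above change what each FortiGate exposes, most notably the iPerf listener on TCP port 5201 that speedtest-server opens on a spoke. The following Python script is an added example, not Fortinet's code: it audits saved configuration text for these settings, and the sample configurations, the tunnel name hub-vpn1 and the neighbor address 10.10.100.254 are constructed for illustration.

```python
# Added example. Samples are constructed; hub-vpn1 and 10.10.100.254 are hypothetical.
SPOKE = """config system global
    set speedtest-server enable
end
config system sdwan
    set speedtest-bypass-routing enable
    config neighbor
        edit "10.10.100.254"
            set mode speedtest
        next
    end
end
"""
HUB = """config system speed-test-schedule
    edit "hub-vpn1"
        set dynamic-server enable
    next
end
"""

def parse_settings(text):
    """Map each config/edit path (as a tuple) to its {key: value} settings."""
    stack, out = [], {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("config "):
            stack.append(line[7:].strip())
        elif line.startswith("edit "):
            stack.append("edit:" + line[5:].strip().strip('"'))
        elif line in ("next", "end") and stack:
            stack.pop()  # "next" closes an edit, "end" closes a config block
        elif line.startswith("set "):
            parts = line.split(None, 2)
            if len(parts) == 3:
                out.setdefault(tuple(stack), {})[parts[1]] = parts[2].strip('"')
    return out

def audit(text):
    """Return one finding per speed-test setting that is switched on."""
    cfg, found = parse_settings(text), []
    if cfg.get(("system global",), {}).get("speedtest-server") == "enable":
        found.append("speedtest-server: iPerf server listening on TCP 5201")
    if cfg.get(("system sdwan",), {}).get("speedtest-bypass-routing") == "enable":
        found.append("speedtest-bypass-routing enabled")
    for path, s in cfg.items():
        name = path[-1][5:] if path and path[-1].startswith("edit:") else ""
        if path[:1] == ("system speed-test-schedule",) and s.get("dynamic-server") == "enable":
            found.append("dynamic-server enabled on " + name)
        if path[:2] == ("system sdwan", "neighbor") and s.get("mode") == "speedtest":
            found.append("neighbor " + name + " uses mode speedtest")
    return found
```

Calling audit() on each device's configuration backup shows which spokes run the iPerf listener, so firewall policy and local-in rules for TCP 5201 can be reviewed against that list.
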
Manually run an upload speed test on the physical interfaces of each tunnel of a dial-up IPsec interface:
execute speed-test-dynamic <interface> <tunnel_name> <'y'/'n'> <max-out> <min-out>
Parameter | Description |
---|---|
<interface> | IPsec phase1 interface name. |
<tunnel_name> | The tunnel name, or |
<'y'/'n'> | Apply the result to the tunnels' shaper or not. |
<max-out> | The maximum speed used in a speed test, in kbps. |
<min-out> | The minimum speed used in a speed test, in kbps. |
Manually run a non-blocking upload speed test:
diagnose netlink interface speed-test-tunnel <interface> <tunnel_name>
Debug and test commands:
Command | Description |
---|---|
diagnose debug application speedtest <int> | Enable debug of the speed test module in the forticron daemon. |
diagnose debug application speedtestd <int> | Enable debug of the speed test server daemon. |
diagnose test application forticron 9 | List the scheduled speed tests. |
diagnose test application forticron 10 | Show the cached speed test results. |
diagnose test application forticron 11 | Write the cached speed test results to disk. |
diagnose test application forticron 12 | Load the speed test results from disk. |
diagnose test application forticron 99 | Cancel all pending speed tests. |
Example
In this example, the hub is configured as a VPN dial-up server and both of the spokes are connected to the hub. It is assumed that the VPN configuration is already done, with a dynamic gateway type and kernel device creation (net-device) disabled. Only one SD-WAN interface is used, so there is only one VPN overlay member in the SD-WAN zone. Multiple WAN interfaces and VPN overlays could be used.
The VPN interfaces and IP addresses are:
FortiGate |
---|