
New Features

Classifying SLA probes for traffic prioritization


Note

This information is also available in the FortiOS 7.4 Administration Guide:

Traffic classification is now supported on SLA probes so that they are prioritized in times of congestion. This prevents SD-WAN link flapping and unexpected routing behaviors, and keeps SD-WAN stable by avoiding unnecessary failovers.

SLA probes can now be classified into a specific class ID so that SLA probes assigned to a class ID with higher priority are prioritized over other traffic. SLA probes are assigned using the class-id command:

config system sdwan
    config health-check
        edit <health-check name>
            set class-id <class name>
        next
    end
end

Example

In this example, SLA probes are assigned to different class IDs. The interfaces dmz and vd1-p1 both have an outbandwidth of 1000000 Kbps (1 Gbps) configured. Three traffic shaping classes are defined:

| Class ID | Name | Definition |
|---|---|---|
| 2 | sla_probe | High priority with a guaranteed 10% of bandwidth (100 Mbps) |
| 3 | default | Low priority with a guaranteed 80% of bandwidth (800 Mbps) |
| 4 | sla_probe_2 | Medium priority with a guaranteed 10% of bandwidth (100 Mbps) |

Under this scheme, when congestion occurs, each class has its guaranteed bandwidth honored. If there is remaining bandwidth, higher priority traffic gets it. On the SD-WAN health check, probes to server 2.2.2.2 are assigned to class 2 (sla_probe). This means the probes have guaranteed bandwidth and the highest priority for using unused bandwidth, which allows the SD-WAN health check to function properly even during times of congestion.

To classify SLA probes for traffic prioritization:
  1. Configure the firewall traffic class:

    config firewall traffic-class
        edit 2
            set class-name "sla_probe"
        next
        edit 3
            set class-name "default"
        next
        edit 4
            set class-name "sla_probe_2"
        next
    end
  2. Configure the class ID priority and guaranteed bandwidth:

    config firewall shaping-profile
        edit "profile-1"
            set default-class-id 3
            config shaping-entries
                edit 2
                    set class-id 2
                    set priority high
                    set guaranteed-bandwidth-percentage 10
                    set maximum-bandwidth-percentage 100
                next
                edit 3
                    set class-id 3
                    set priority low
                    set guaranteed-bandwidth-percentage 80
                    set maximum-bandwidth-percentage 100
                next
                edit 4
                    set class-id 4
                    set priority medium
                    set guaranteed-bandwidth-percentage 10
                    set maximum-bandwidth-percentage 100
                next
            end
        next
    end
  3. Configure the interfaces:

    config system interface
        edit "dmz"
            set outbandwidth 1000000
            set egress-shaping-profile "profile-1"
            ...
        next
        edit "vd1-p1"
            set outbandwidth 1000000
            set egress-shaping-profile "profile-1"
            ...
        next
    end
  4. Configure the SD-WAN health check and assign the SLA probes into class 2:

    config system sdwan
        set status enable
        config zone
            edit "virtual-wan-link"
            next
        end
        config members
            edit 1
                set interface "dmz"
                set gateway 172.16.208.2
            next
            edit 2
                set interface "vd1-p1"
            next
        end
        config health-check
            edit "1"
                set server "2.2.2.2"
                set members 1 2
                set class-id 2
                config sla
                    edit 1
                    next
                end
            next
        end
    end
To verify the SLA probe assignment:
  1. Verify the health check diagnostics:

    # diagnose sys sdwan health-check
        Health Check(1):
        Seq(1 dmz): state(alive), packet-loss(0.000%) latency(0.247), jitter(0.022), mos(4.404), bandwidth-up(999999), bandwidth-dw(999997), bandwidth-bi(1999996) sla_map=0x1
        Seq(2 vd1-p1): state(alive), packet-loss(0.000%) latency(0.247), jitter(0.018), mos(4.404), bandwidth-up(999999), bandwidth-dw(1000000), bandwidth-bi(1999999) sla_map=0x1
  2. Verify the SLA probes are assigned into class 2:

    # diagnose netlink interface list dmz
        if=dmz family=00 type=1 index=5 mtu=1500 link=0 master=0
        ref=36 state=start present fw_flags=10018000 flags=up broadcast run multicast
        Qdisc=mq hw_addr=e0:23:ff:9d:f9:9e broadcast_addr=ff:ff:ff:ff:ff:ff
        egress traffic control:
                bandwidth=1000000(kbps) lock_hit=0 default_class=3 n_active_class=3
                class-id=3      allocated-bandwidth=800000(kbps)        guaranteed-bandwidth=800000(kbps)
                                max-bandwidth=1000000(kbps)     current-bandwidth=1(kbps)
                                priority=low    forwarded_bytes=1446
                                dropped_packets=0       dropped_bytes=0
                class-id=4      allocated-bandwidth=100000(kbps)        guaranteed-bandwidth=100000(kbps)
                                max-bandwidth=1000000(kbps)     current-bandwidth=0(kbps)
                                priority=medium         forwarded_bytes=0
                                dropped_packets=0       dropped_bytes=0
                class-id=2      allocated-bandwidth=100000(kbps)        guaranteed-bandwidth=100000(kbps)
                                max-bandwidth=1000000(kbps)     current-bandwidth=1(kbps)
                                priority=high   forwarded_bytes=1404
                                dropped_packets=0       dropped_bytes=0
        stat: rxp=19502 txp=14844 rxb=2233923 txb=802522 rxe=0 txe=0 rxd=0 txd=0 mc=0     collision=0 @ time=1675121675
        re: rxl=0 rxo=0 rxc=0 rxf=0 rxfi=0 rxm=0
        te: txa=0 txc=0 txfi=0 txh=0 txw=0
        misc rxc=0 txc=0
        input_type=0 state=3 arp_entry=0 refcnt=36
    # diagnose netlink interface list vd1-p1
        if=vd1-p1 family=00 type=768 index=99 mtu=1420 link=0 master=0
        ref=20 state=start present fw_flags=10010000 flags=up p2p run noarp multicast
        Qdisc=noqueue
        egress traffic control:
                bandwidth=1000000(kbps) lock_hit=0 default_class=3 n_active_class=3
                class-id=3      allocated-bandwidth=800000(kbps)        guaranteed-bandwidth=800000(kbps)
                                max-bandwidth=1000000(kbps)     current-bandwidth=0(kbps)
                                priority=low    forwarded_bytes=0
                                dropped_packets=0       dropped_bytes=0
                class-id=4      allocated-bandwidth=100000(kbps)        guaranteed-bandwidth=100000(kbps)
                                max-bandwidth=1000000(kbps)     current-bandwidth=0(kbps)
                                priority=medium         forwarded_bytes=0
                                dropped_packets=0       dropped_bytes=0
                class-id=2      allocated-bandwidth=100000(kbps)        guaranteed-bandwidth=100000(kbps)
                                max-bandwidth=1000000(kbps)     current-bandwidth=1(kbps)
                                priority=high   forwarded_bytes=1120
                                dropped_packets=0       dropped_bytes=0
        stat: rxp=4097 txp=4586 rxb=540622 txb=221500 rxe=0 txe=19 rxd=0 txd=0 mc=0     collision=0 @ time=1675121742
        re: rxl=0 rxo=0 rxc=0 rxf=0 rxfi=0 rxm=0
        te: txa=0 txc=0 txfi=0 txh=0 txw=0
        misc rxc=0 txc=0
        input_type=0 state=3 arp_entry=0 refcnt=20
    Note

    When verifying the class assignment, the counter value for the assigned class (forwarded_bytes in the output above) should increase.
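
One way to automate this check, as an added example that is not part of the Fortinet documentation: the Python below parses the egress traffic control section of two polls of `diagnose netlink interface list` and confirms that forwarded_bytes grew for the expected class. The first snapshot is copied from the dmz output above; the second poll, the decimal reading of the K suffix, and the no-new-drops check are assumptions of this example.

```python
import re

# Egress section of "diagnose netlink interface list dmz", copied from the
# output on this page (probes assigned to class 2).
SNAP_T0 = """\
egress traffic control:
        bandwidth=1000000(kbps) lock_hit=0 default_class=3 n_active_class=3
        class-id=3      allocated-bandwidth=800000(kbps)        guaranteed-bandwidth=800000(kbps)
                        max-bandwidth=1000000(kbps)     current-bandwidth=1(kbps)
                        priority=low    forwarded_bytes=1446
                        dropped_packets=0       dropped_bytes=0
        class-id=4      allocated-bandwidth=100000(kbps)        guaranteed-bandwidth=100000(kbps)
                        max-bandwidth=1000000(kbps)     current-bandwidth=0(kbps)
                        priority=medium         forwarded_bytes=0
                        dropped_packets=0       dropped_bytes=0
        class-id=2      allocated-bandwidth=100000(kbps)        guaranteed-bandwidth=100000(kbps)
                        max-bandwidth=1000000(kbps)     current-bandwidth=1(kbps)
                        priority=high   forwarded_bytes=1404
                        dropped_packets=0       dropped_bytes=0
stat: rxp=19502 txp=14844 rxb=2233923 txb=802522 rxe=0 txe=0 rxd=0 txd=0 mc=0
"""

# Constructed second poll: the same text with larger counters (values invented).
SNAP_T1 = (SNAP_T0.replace("forwarded_bytes=1404", "forwarded_bytes=2808")
           .replace("forwarded_bytes=1446", "forwarded_bytes=24K"))

# Assumption: a K/M/G suffix on a counter (e.g. 24K) is a decimal multiplier.
SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}

def _value(raw):
    """Turn '800000(kbps)', '24K' or '1404' into an int; leave words as str."""
    raw = raw.split("(")[0]
    m = re.fullmatch(r"(\d+)([KMG]?)", raw)
    if not m:
        return raw
    return int(m.group(1)) * SUFFIX.get(m.group(2), 1)

def parse_classes(text):
    """Return {class_id: {field: value}} from the egress traffic control section."""
    classes, current, in_egress = {}, None, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("egress traffic control"):
            in_egress = True
        elif in_egress and line.startswith("stat:"):
            break  # interface statistics follow; the class list is over
        elif in_egress:
            for key, raw in re.findall(r"([\w-]+)=(\S+)", line):
                if key == "class-id":
                    current = classes.setdefault(int(raw), {})
                elif current is not None:  # skips the interface-level line
                    current[key] = _value(raw)
    return classes

def check_probe_class(before, after, expected):
    """Check that the expected class forwards traffic without drops between polls."""
    b, a = parse_classes(before), parse_classes(after)
    if expected not in b or expected not in a:
        return False, f"class {expected} not present on interface"
    fwd = a[expected]["forwarded_bytes"] - b[expected]["forwarded_bytes"]
    drop = a[expected]["dropped_packets"] - b[expected]["dropped_packets"]
    if fwd <= 0:
        return False, f"class {expected} forwarded_bytes did not increase"
    if drop > 0:
        return False, f"class {expected} dropped {drop} packets"
    return True, f"class {expected} forwarded {fwd} bytes, no drops"

if __name__ == "__main__":
    print(check_probe_class(SNAP_T0, SNAP_T1, 2))
```

Poll the same interface twice without toggling SD-WAN status in between, since the later output on this page shows the class 2 counter back at 0 after the disable/enable step.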

The example also demonstrates assigning SLA probes to class 4 (sla_probe_2), in which case the probes get medium priority.

To assign the SLA probe to medium priority:
  1. Assign SLA probes into class 4:

    config sys sdwan
        config health-check
            edit 1
                set class-id 4
            next
        end
        set status disable
    end
    config sys sdwan
        set status enable
    end
  2. Verify the SLA probes are assigned into class 4:

    # diagnose netlink interface list dmz
        if=dmz family=00 type=1 index=5 mtu=1500 link=0 master=0
        ref=34 state=start present fw_flags=10018000 flags=up broadcast run multicast
        Qdisc=mq hw_addr=e0:23:ff:9d:f9:9e broadcast_addr=ff:ff:ff:ff:ff:ff
        egress traffic control:
                bandwidth=1000000(kbps) lock_hit=0 default_class=3 n_active_class=3
                class-id=3      allocated-bandwidth=800000(kbps)        guaranteed-bandwidth=800000(kbps)
                                max-bandwidth=1000000(kbps)     current-bandwidth=1(kbps)
                                priority=low    forwarded_bytes=24K
                                dropped_packets=0       dropped_bytes=0
                class-id=4      allocated-bandwidth=100000(kbps)        guaranteed-bandwidth=100000(kbps)
                                max-bandwidth=1000000(kbps)     current-bandwidth=1(kbps)
                                priority=medium         forwarded_bytes=1674
                                dropped_packets=0       dropped_bytes=0
                class-id=2      allocated-bandwidth=100000(kbps)        guaranteed-bandwidth=100000(kbps)
                                max-bandwidth=1000000(kbps)     current-bandwidth=0(kbps)
                                priority=high   forwarded_bytes=0
                                dropped_packets=0       dropped_bytes=0
        stat: rxp=20818 txp=15874 rxb=2382789 txb=857674 rxe=0 txe=0 rxd=0 txd=0 mc=0 collision=0 @ time=1675122057
        re: rxl=0 rxo=0 rxc=0 rxf=0 rxfi=0 rxm=0
        te: txa=0 txc=0 txfi=0 txh=0 txw=0
        misc rxc=0 txc=0
        input_type=0 state=3 arp_entry=0 refcnt=34
    # diagnose netlink interface list vd1-p1
        if=vd1-p1 family=00 type=768 index=99 mtu=1420 link=0 master=0
        ref=20 state=start present fw_flags=10010000 flags=up p2p run noarp multicast
        Qdisc=noqueue
        egress traffic control:
                bandwidth=1000000(kbps) lock_hit=0 default_class=3 n_active_class=3
                class-id=3      allocated-bandwidth=800000(kbps)        guaranteed-bandwidth=800000(kbps)
                                max-bandwidth=1000000(kbps)     current-bandwidth=0(kbps)
                                priority=low    forwarded_bytes=0
                                dropped_packets=0       dropped_bytes=0
                class-id=4      allocated-bandwidth=100000(kbps)        guaranteed-bandwidth=100000(kbps)
                                max-bandwidth=1000000(kbps)     current-bandwidth=1(kbps)
                                priority=medium         forwarded_bytes=1280
                                dropped_packets=0       dropped_bytes=0
                class-id=2      allocated-bandwidth=100000(kbps)        guaranteed-bandwidth=100000(kbps)
                                max-bandwidth=1000000(kbps)     current-bandwidth=0(kbps)
                                priority=high   forwarded_bytes=0
                                dropped_packets=0       dropped_bytes=0
        stat: rxp=4097 txp=4703 rxb=540622 txb=226180 rxe=0 txe=19 rxd=0 txd=0 mc=0 collision=0 @ time=1675122058
        re: rxl=0 rxo=0 rxc=0 rxf=0 rxfi=0 rxm=0
        te: txa=0 txc=0 txfi=0 txh=0 txw=0
        misc rxc=0 txc=0
        input_type=0 state=3 arp_entry=0 refcnt=20
