Administration Guide

Configuring SD-WAN rules

Configure SD-WAN rules to govern the steering of DSCP tag-based traffic to the appropriate interfaces. Traffic is steered based on the criteria that are configured in the SD-WAN rules.

In this example, three SD-WAN rules are configured to govern DSCP tagged traffic: one for VoIP traffic, one for social media traffic, and one for all other web traffic.

After configuring the rules, go to Network > SD-WAN and select the SD-WAN Rules tab to check the rules.

VoIP traffic

VoIP traffic is steered to the Overlay zone.

DSCP values are usually 6-bit binary numbers that are padded with zeros at the end. VoIP traffic with DSCP tag 011100 will become 01110000. This 8-bit binary number is represented in its hexadecimal form, 0x70, as the type of service bit pattern (tos) value. The type of service evaluated bits (tos-mask) hexadecimal value of 0xf0 (11110000 in binary) is used to check the four most significant bits in the tos value. The four most significant bits of the tos (0111) are used to match the first four bits of the DSCP tag. Only the non-zero bit positions in the tos-mask are used for comparison; the zero bit positions are ignored.

The Best quality (priority mode) strategy is used to select the preferred interface, with the Quality criteria (link-cost-factor) set to Jitter. The interface with the lowest amount of jitter is selected. For more information about configuring SD-WAN rules with the Best quality strategy, see Best quality strategy.

To configure the rule for DSCP tagged VoIP traffic using the CLI:
config system sdwan
    config service
        edit 5
            set name "VoIP-Steer"
            set mode priority
            set tos 0x70
            set tos-mask 0xf0
            set dst "all"
            set health-check "Default_DNS"
            set link-cost-factor jitter
            set priority-members 4 3
        next
    end
end

Social media traffic

Social media traffic is steered to the virtual-wan-link zone.

DSCP values are usually 6-bit binary numbers that are padded with zeros at the end. Social media traffic with DSCP tag 001100 will become 00110000. This 8-bit binary number is represented in its hexadecimal form, 0x30, as the tos value. The tos-mask hexadecimal value of 0xf0 (11110000 in binary) is used to check the four most significant bits in the tos value. The four most significant bits of the tos (0011) are used to match the first four bits of the DSCP tag. Only the non-zero bit positions in the tos-mask are used for comparison; the zero bit positions are ignored.

The Manual (manual mode) strategy is used to select the preferred interface. Internet_B (port5, priority member 2) is set as the preferred interface for all social media traffic. For more information about configuring SD-WAN rules with the manual strategy, see Manual strategy.

To configure the SD-WAN rule for DSCP tagged social media traffic using the CLI:
config system sdwan
    config service
        edit 3
            set name "Facebook-DSCP-steer"
            set mode manual
            set tos 0x30
            set tos-mask 0xf0
            set dst "all"
            set priority-members 2 1
        next
    end
end
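
Added example (not from the Fortinet guide): the tos / tos-mask comparison described for the VoIP and social media rules, written in Python. It goes beyond the two tags in the text by listing every DSCP value that each tos / tos-mask pair accepts; the function names and the 0xfc mask are assumptions made for illustration.

```python
# tos and tos-mask values taken from the two DSCP rules on this page.
RULES = {
    "VoIP-Steer": (0x70, 0xF0),
    "Facebook-DSCP-steer": (0x30, 0xF0),
}


def dscp_to_tos(dscp: int) -> int:
    """Pad a 6-bit DSCP value with two zero bits to form the 8-bit tos value."""
    if not 0 <= dscp <= 0x3F:
        raise ValueError("DSCP must fit in 6 bits")
    return dscp << 2


def matches(packet_tos: int, tos: int, mask: int) -> bool:
    """Compare only the bit positions that are non-zero in the mask."""
    return (packet_tos & mask) == (tos & mask)


def matching_rules(packet_tos: int) -> list[str]:
    """Names of the rules whose tos / tos-mask pair accepts this tos byte."""
    return [name for name, (tos, mask) in RULES.items()
            if matches(packet_tos, tos, mask)]


def dscp_values_matched(tos: int, mask: int) -> list[int]:
    """Every DSCP value the pair accepts, not only the intended tag."""
    return [d for d in range(64) if matches(dscp_to_tos(d), tos, mask)]


if __name__ == "__main__":
    for name, (tos, mask) in RULES.items():
        hits = [format(d, "06b") for d in dscp_values_matched(tos, mask)]
        print(f"{name}: tos={tos:#04x} tos-mask={mask:#04x} accepts DSCP {hits}")

    # Hypothetical mask (not from the page): 0xfc compares all six DSCP bits,
    # so only the single intended tag is accepted.
    print(dscp_values_matched(0x70, 0xFC))

    # The two low-order bits are never compared under 0xf0, so a tos byte of
    # 0x72 is still accepted by the VoIP rule.
    print(matching_rules(0x72))
```

With tos-mask 0xf0, each rule accepts four DSCP values that share the same first four bits (011100 through 011111 for the VoIP rule), because the last two DSCP bits fall in the ignored positions.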

Other web traffic

Other web traffic is steered to the virtual-wan-link zone.

The Lowest Cost (SLA) strategy (sla mode) is used to select the preferred interface. The interface that meets the defined SLA targets (Default_DNS in this case) is selected. If there is a tie, the interface with the lowest cost is selected, Internet_A (port1) in this case.

For more information about configuring SD-WAN rules with the Lowest Cost (SLA) strategy, see Lowest cost (SLA) strategy.

To configure the SD-WAN rule for all other web traffic using the CLI:
config system sdwan
    config service
        edit 2
            set name "All-traffic"
            set mode sla
            set dst "all"
            config sla
                edit "Default_DNS"
                    set id 1
                next
            end
            set priority-members 1 2
        next
    end
end
