Define SD-WAN duplication rules to duplicate packets on other members of the SD-WAN zone 6.4.2

When duplication rules are used, packets matching the rule are duplicated on other good links within the SD-WAN zone and de-duplicated on the destination FortiGate. Use force mode to always duplicate packets on the other links within the SD-WAN zone, or use on-demand mode to trigger duplication only when the SLA fails on the selected member.

The duplication rule is configured in the CLI using the config duplication sub-table within config system sdwan. The following parameters can be configured for config duplication:

Parameter: Description

srcaddr: Source address or address group names.

dstaddr: Destination address or address group names.

srcaddr6: Source address6 or address6 group names.

dstaddr6: Destination address6 or address6 group names.

srcintf: Incoming (ingress) interfaces or zones.

dstintf: Outgoing (egress) interfaces or zones.

service: Service and service group names.

packet-duplication: Configure the packet duplication method.
  • disable: Disable packet duplication.
  • force: Duplicate packets across all interface members of the SD-WAN zone.
  • on-demand: Duplicate packets across all interface members of the SD-WAN zone based on the link quality.

packet-de-duplication: Enable/disable discarding of packets that have been duplicated.

The duplication-max-num <integer> parameter within config system sdwan is the maximum number of interface members in the SD-WAN zone on which a packet is sent (2 - 4, default = 2). If this value is set to 3, the original packet plus two more copies are created. If there are three member interfaces in the SD-WAN zone and duplication-max-num is set to 2, packet duplication follows the configuration order, so the packet is duplicated on the second member only.

Example

The packet duplication feature works best in a spoke-spoke or hub-spoke topology. In this example, a hub and spoke ADVPN topology is used. Before shortcuts are established, the Hub forwards the duplicate packets from Spoke 1 to Spoke 2. Once shortcuts are established, the Hub is transparent. Duplicate packets are exchanged directly between the spokes.

To use packet duplication between Spoke 1 and Spoke 2:
  1. Configure Spoke 1:
    config system sdwan
        set status enable
        config zone
            edit "virtual-wan-link"
            next
            edit "sdwanzone_v4"
            next
        end
        config members
            edit 1
                set interface "t1"
                set zone "sdwanzone_v4"
            next
            edit 4
                set interface "t21"
                set zone "sdwanzone_v4"
            next
            edit 2
                set interface "t2"
                set zone "sdwanzone_v4"
            next
        end
        config health-check
            edit "h1"
                set server "10.34.1.1"
                set interval 1000
                set failtime 10
                set members 1 2
                config sla
                    edit 1
                        set packetloss-threshold 40
                    next
                end
            next
        end
        config duplication
            edit 1
                set srcaddr "all"
                set dstaddr "all"
                set srcintf "port1"
                set dstintf "sdwanzone_v4"
                set service "ALL"
                set packet-duplication force
                set packet-de-duplication enable
            next
        end
    end
  2. Configure Spoke 2 with similar settings.
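The following is an added illustration, not FortiOS code: a simplified model of how a duplication rule in force or on-demand mode picks the zone members that carry copies (bounded by duplication-max-num and walked in configuration order), and how the receiving FortiGate discards the copies when packet-de-duplication is enabled. The member list mirrors the Spoke 1 example above; the assumption that "configuration order" means the listing order in config members, the SLA states and the packet ids are all constructed for the example.

```python
# Added example (not FortiOS code): model of SD-WAN packet duplication and
# de-duplication as described on this page. Member order, SLA state and
# packet ids are constructed; the real FortiGate implementation may differ.
from dataclasses import dataclass, field

# Zone members in the order they appear in "config members" of the Spoke 1
# example (assumption: "configuration order" means this listing order).
MEMBERS = ["t1", "t21", "t2"]


def plan_duplication(selected, mode, max_num, sla_ok, members=MEMBERS):
    """Return the members a packet is sent on: the selected member first,
    then its copies. mode is disable / force / on-demand; max_num models
    duplication-max-num (2-4); sla_ok maps health-checked members to their
    SLA state (members with no health check are treated as good)."""
    if not 2 <= max_num <= 4:
        raise ValueError("duplication-max-num must be 2-4")
    if mode == "disable" or (mode == "on-demand" and sla_ok.get(selected, True)):
        return [selected]  # no copies: disabled, or on-demand with SLA met
    # Copies go only to other *good* links, walked in configuration order,
    # and the original plus copies never exceed duplication-max-num.
    good = [m for m in members if m != selected and sla_ok.get(m, True)]
    return [selected] + good[: max_num - 1]


@dataclass
class Deduplicator:
    """Receiving FortiGate with packet-de-duplication enabled: the first
    copy of each packet id is delivered, later copies are discarded."""
    seen: set = field(default_factory=set)

    def receive(self, member, packet_id):
        if packet_id in self.seen:
            return None  # duplicate copy: dropped
        self.seen.add(packet_id)
        return (member, packet_id)  # delivered to the protected network


def deliver(copies):
    """Feed (member, packet_id) arrivals through one Deduplicator."""
    dedup = Deduplicator()
    return [r for r in (dedup.receive(m, p) for m, p in copies) if r]


if __name__ == "__main__":
    sla = {"t1": True, "t2": True}  # health-check h1 covers members 1 and 2
    print(plan_duplication("t1", "force", 2, sla))  # ['t1', 't21']
    print(deliver([("t1", 1), ("t21", 1), ("t1", 2)]))  # [('t1', 1), ('t1', 2)]
```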