SD-WAN traffic steering

Introduction

This article demonstrates the SD-WAN traffic steering strategy I am calling priority-in/out-sla.

The idea behind this strategy is for the Spoke firewalls to ping the Hub firewall's loopback IP address. If the Spoke determines that the ping is within the defined SLA parameters, it attaches an additional route attribute to its own advertised prefix with an attractively low (and therefore more preferred) value. Similarly, if the ping falls out of SLA, the Spoke attaches a more “expensive” value, making it a less preferred path to the Spoke prefix, but still a feasible one.
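To make that decision concrete, here is an added Python model of what the Spoke evaluates and what the Hub ends up preferring; it is illustration code written for this article, not FortiGate configuration or the original author's material. The SLA thresholds, the attribute values 10 and 100, the overlay names and the probe results are all constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean

IN_SLA_PRIORITY = 10    # attractive value attached while the hub ping meets the SLA
OUT_SLA_PRIORITY = 100  # expensive but still feasible value once it falls out of SLA

@dataclass(frozen=True)
class Sla:
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float

def probe_stats(rtts_ms):
    """Summarise one overlay's pings to the hub loopback; None marks a lost probe."""
    replies = [r for r in rtts_ms if r is not None]
    loss_pct = 100.0 * (len(rtts_ms) - len(replies)) / len(rtts_ms)
    if not replies:  # every probe lost: treat the overlay as unusable, not as 0 ms
        return float("inf"), float("inf"), loss_pct
    jitter = mean(abs(a - b) for a, b in zip(replies, replies[1:])) if len(replies) > 1 else 0.0
    return mean(replies), jitter, loss_pct

def advertised_priority(rtts_ms, sla):
    """Value the spoke attaches to its own prefix on this overlay."""
    latency, jitter, loss = probe_stats(rtts_ms)
    in_sla = latency <= sla.max_latency_ms and jitter <= sla.max_jitter_ms and loss <= sla.max_loss_pct
    return IN_SLA_PRIORITY if in_sla else OUT_SLA_PRIORITY

def hub_best_paths(advertisements):
    """Hub side: keep the overlay(s) carrying the lowest value for the spoke prefix.
    Ties come back together (what ibgp-multipath would share over); an out-of-SLA
    overlay is still returned when nothing better exists, so the prefix never vanishes."""
    best = min(advertisements.values())
    return sorted(name for name, value in advertisements.items() if value == best)

# Constructed sample: per-overlay RTTs (ms) from one spoke to the hub loopback.
SLA = Sla(max_latency_ms=50, max_jitter_ms=5, max_loss_pct=1)
SAMPLE_PROBES = {
    "overlay1": [12, 13, 12, 14, 13],     # steady, within SLA
    "overlay2": [40, 95, 38, None, 120],  # one lost probe and erratic RTT
}

def steer(probes=SAMPLE_PROBES, sla=SLA):
    """Return (value advertised per overlay, overlays the hub prefers)."""
    adverts = {name: advertised_priority(rtts, sla) for name, rtts in probes.items()}
    return adverts, hub_best_paths(adverts)

if __name__ == "__main__":
    print(steer())
```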

The topology used to demonstrate this feature is shown below:

Configuration

On the Hub firewall, in my case VDOM LAB1, the following configuration is implemented:

IPSec VPN

FW-01 (LAB1) # show vpn ipsec phase1-interface
config vpn ipsec phase1-interface
    edit "vpn1-hub1"
        set type dynamic
        set interface "LAB1-VLAN211"
        set ike-version 2
        set peertype any
        set net-device disable
        set exchange-ip-addr4 10.250.1.1
        set proposal aes256-sha256
        set add-route disable
        set dpd on-idle
        set dhgrp 21
        set auto-discovery-sender enable
        set network-overlay enable
        set network-id 1
        set transport auto
        set psksecret ENC xxxxxxx
        set dpd-retryinterval 5
    next
    edit "vpn1-hub2"
        set type dynamic
        set interface "LAB1-VLAN212"
        set ike-version 2
        set peertype any
        set net-device disable
        set exchange-ip-addr4 10.250.1.1
        set proposal aes256-sha256
        set add-route disable
        set dpd on-idle
        set dhgrp 21
        set auto-discovery-sender enable
        set network-overlay enable
        set network-id 2
        set transport auto
        set psksecret xxxxxxx
    next
end
FW-01 (LAB1) #

BGP

FW-01 (LAB1) # show router bgp
config router bgp
    set as 65000
    set router-id 10.250.1.1
    set keepalive-timer 15
    set holdtime-timer 45
    set ibgp-multipath enable
    set additional-path enable
    set recursive-next-hop enable
    set recursive-inherit-priority enable
    config neighbor-group
        edit "spoke-sites"
            set advertisement-interval 1
            set next-hop-self enable
            set soft-reconfiguration enable
            set interface "loopback1-lab1"
            set remote-as 65000
            set connect-timer 1
            set update-source "loopback1-lab1"
            set additional-path send
            set route-reflector-client enable
        next
    end
    config neighbor-range
        edit 1
            set prefix 10.250.1.0 255.255.255.0
            set neighbor-group "spoke-sites"
        next
    end
    config network
        edit 1
            set prefix 10.1.100.0 255.255.255.0
        next
        edit 2
            set prefix 10.1.101.0 255.255.255.0
        next
        edit 3
            set prefix 10.251.1.1 255.255.255.255
        next
    end
end
FW-01 (LAB1) #