SD-WAN Circuit ID

The Circuit ID feature is available in these Security Gateway versions:

Overview

SD-WAN uses these WAN Link types (see WAN Link Mapping):

  • Public - This represents a general public ISP link.

    Important - You can use a WAN Link of type "Public" for the connection types "Local Breakout" and "Overlay - VPN".

  • Private - This represents a private link (for example, MPLS).

    Important - You can use a WAN Link of type "Private" only for the connection type "Overlay - VPN" (you cannot use it for the connection type "Local Breakout").

In SD-WAN, the circuit is a way to define a specific, closed WAN Network, through which VPN peers can communicate with each other.

Each WAN Link is configured with a Circuit ID number that is used to distinguish it from other WAN Links.

For example, SD-WAN does not create a VPN tunnel between a Local MPLS Link and a remote peer Internet Link.

The closed WAN Network:

  • Can be Public, such as the worldwide Internet, where any connected device can communicate with another.

    The Internet is one global network. Therefore, a single common Circuit ID is required.

  • Can be Private, such as a closed Point-to-Point, or an MPLS network, where only the devices connected to it can communicate with each other.

    • There may be multiple, different Private WAN circuits that a customer can use to connect the different sites.

      In such cases, multiple Circuit IDs may be required for different links.

    • Usually, it is not possible to create a connection between different Private WAN Networks.

    • The same device can be connected to different Private WAN circuits, through different interfaces.

      As a result, the same device can be part of multiple WAN circuits.

How SD-WAN Uses the Circuit ID

The Need to Override the Default Circuit ID

Configuring the Circuit ID

Important:

  • In a Cluster, you must configure all the Cluster Members in the same way.

  • The value 0 is the default for Public WAN Links.

  • The value 1 is the default for Private WAN Links.

Note - You can see the Circuit ID of the VPN peers on the Security Gateway:

  • In the $FWDIR/state/local/SDWAN/sdwan_steering_policy.json file.

    In the section "sdwan_steering_vpn_peers" > refer to the section "<Name of VPN Peer>" > refer to the section "Interfaces" > refer to the section "<Name of Interface>" > refer to the parameter "circuit_id".

  • In CPView (sk101878), click Advanced > SD-WAN > Probing > in the section Overlay Probing Results, you should see that VPN tunnels are established only on the links with the same Circuit ID.
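
To audit Circuit ID assignments offline, the script below (an added example, not Check Point code) walks the JSON path described in the note above and lists which local WAN Links should pair with which peer links. Only the key names "sdwan_steering_vpn_peers", "Interfaces" and "circuit_id" come from this page; the nesting as JSON objects keyed by name, the sample data, and the local link mapping are assumptions.

```python
import json

# Constructed sample. Peer and interface names are hypothetical; the
# object-keyed-by-name nesting is an assumption about the file layout.
SAMPLE = """
{
  "sdwan_steering_vpn_peers": {
    "branch-gw": {
      "Interfaces": {
        "eth1": {"circuit_id": 0},
        "eth2": {"circuit_id": 1}
      }
    },
    "dc-gw": {
      "Interfaces": {
        "eth1": {"circuit_id": 0},
        "eth3": {"circuit_id": 7}
      }
    }
  }
}
"""

def load_sample():
    """Parse the embedded sample (on a gateway, read the real file instead)."""
    return json.loads(SAMPLE)

def peer_circuits(policy):
    """Return {(peer, interface): circuit_id} for every peer interface."""
    out = {}
    for peer, pdata in policy.get("sdwan_steering_vpn_peers", {}).items():
        for ifname, idata in pdata.get("Interfaces", {}).items():
            if "circuit_id" in idata:
                out[(peer, ifname)] = int(idata["circuit_id"])
    return out

def expected_tunnels(local_links, policy):
    """Pair each local link with the peer links that share its Circuit ID."""
    peers = peer_circuits(policy)
    return sorted((lif, peer, pif)
                  for lif, lcid in local_links.items()
                  for (peer, pif), pcid in peers.items()
                  if lcid == pcid)

if __name__ == "__main__":
    local = {"eth0": 0, "eth4": 1}  # hypothetical local WAN Links -> Circuit ID
    for lif, peer, pif in expected_tunnels(local, load_sample()):
        print(f"{lif} -> {peer}:{pif}")
```

A peer link that appears in no pair (here dc-gw eth3, Circuit ID 7) has no local link on the same circuit, which is a quick way to spot a mismatched or overridden Circuit ID before comparing against the CPView probing results.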