SD-WAN Circuit ID

The Circuit ID feature is available in these Security Gateway versions:

Overview

SD-WAN uses these WAN Link types (see WAN Link Mapping):

  • Public - This represents a general public ISP link.

    Important - You can use a WAN Link of type "Public" for the connection types "Local Breakout" and "Overlay - VPN".

  • Private - This represents a private link (for example, MPLS).

    Important - You can use a WAN Link of type "Private" only for the connection type "Overlay - VPN" (you cannot use it for the connection type "Local Breakout").

In SD-WAN, the circuit is a way to define a specific, closed WAN Network, through which VPN peers can communicate with each other.

Each WAN Link is configured with a Circuit ID number that is used to distinguish it from other WAN Links.

For example, SD-WAN does not create a VPN tunnel between a Local MPLS Link and a remote peer Internet Link.

The closed WAN Network:

  • Can be Public, such as the worldwide Internet, where any connected device can communicate with another.

    The Internet is one global network. Therefore, a single common Circuit ID is required.

  • Can be Private, such as a closed Point-to-Point, or an MPLS network, where only the devices connected to it can communicate with each another.

    • There may be multiple, different Private WAN circuits that a customer can use to connect the different sites.

      In such cases, multiple Circuit IDs may be required for different links.

    • Usually, it not possible to create a connection between different Private WAN Networks.

    • The same device can be connected to different Private WAN circuits, through different interfaces.

      As a result, the same device can be part of multiple WAN circuits.

How SD-WAN Uses the Circuit ID

SD-WAN assigns different Circuit ID for Public WAN Links, and different Circuit ID for Private WAN Links:

  • By default, each Public WAN Link gets the Circuit ID value 0 (zero).

  • By default, each Private WAN Link gets the Circuit ID value 1 (one).

An SD-WAN Security Gateway always creates VPN tunnels only with VPN Peers that use the same Circuit ID as the local link.

The Nano-Agents on SD-WAN Security Gateways share the information about the configured WAN Links and their Circuit ID with Infinity Portal.

Example:

  • Two SD-WAN VPN Peers.

  • Each Security Gateway has two Public WAN Links and one Private WAN Link.

The VPN Peers will establish these VPN tunnels:

  • Four VPN tunnels over the Public WAN Links

    (2 WAN Links on the first Security Gateway x 2 WAN Links on the second Security Gateway).

  • One VPN tunnel over the Private WAN Link

    (1 WAN Link on the first Security Gateway x 1 WAN Link on the second Security Gateway).

The Need to Override the Default the Circuit ID

Example:

  • Two SD-WAN VPN Peers.

  • Each Security Gateway has two Private WAN Links.

  • The first Private WAN Link is connected to the interface eth1.

  • The second Private WAN Link is connected to the interface eth2.

The VPN Peers will try to establish these four VPN tunnels over the two Private WAN Links:

VPN

Tunnel

Interface

on the First

Security Gateway

Interface

on the Second

Security Gateway

VPN Tunnel Status

1

eth1

(Circuit ID "1")

eth1

(Circuit ID "1")

Established

2

eth2

(Circuit ID "1")

eth2

(Circuit ID "1")

Established

3

eth1

(Circuit ID "1")

eth2

(Circuit ID "1")

Down, constantly tries to establish

4

eth2

(Circuit ID "1")

eth1

(Circuit ID "1")

Down, constantly tries to establish

The cross-over VPN tunnels (between eth1 and eth2, between eth2 and eth1) are down, because these WAN Links have the same type (Private) and, therefore, have the same Circuit ID (value "1"). As a result, SD-WAN cannot distinguish these Private WAN Links from the Private WAN Links, on which it already established the VPN tunnels.

To resolve this conflict, you can configure a different value for the Circuit ID for different interfaces.

For example, for the interfaces eth2, configure the Circuit ID value "2":

VPN

Tunnel

Interface

on the First

Security Gateway

Interface

on the Second

Security Gateway

VPN Tunnel Status

1

eth1

(Circuit ID "1")

eth1

(Circuit ID "1")

Established because the Circuit ID values are the same

2

eth2

(Circuit ID "2")

eth2

(Circuit ID "2")

Established because the Circuit ID values are the same

3

eth1

(Circuit ID "1")

eth2

(Circuit ID "2")

Not establish because the Circuit ID values are different

4

eth2

(Circuit ID "2")

eth1

(Circuit ID "1")

Not establish because the Circuit ID values are different

Use Cases to override the default the Circuit ID:

  • Separate Circuit ID values are required for separate Private WAN Links (see the example above).

  • It is necessary to establish VPN tunnels from Public LTE links only to peer LTE links (it is necessary to avoid LTE to Broadband tunnels, or any other pair of links).

  • It is necessary to use specific ISP of the Headquarters Security Gateway only for VPN tunnel to a Cloud VPN peer.

    You do not want to use this ISP for VPN tunnels to your Branch Security Gateways or to any other VPN peer.

    You do not need this Cloud gateway (interface, or in general) to have a VPN tunnel to Branch Security Gateways.

    To accomplish this, you can configure the specific ISP WAN Link of the Headquarters Security Gateway and the ISP WAN Link of the Cloud gateway to use a different Circuit ID (for example, "2").

  • There are three ISPs configured for Local Breakout, but it is necessary to use only two ISPs for "Overlay - VPN" tunnels.

    For example, the first ISP is problematic for VPN (located behind a device that blocks IKE / NAT-T, or is just unreliable).

    To accomplish this, you can configure the third ISP to use a different Circuit ID value that is not used on any VPN peer.

  • You have Private WAN Links that must be considered as Public WAN Links for Local Breakout, but not for VPN.

    You have a Private MPLS link from a Branch Security Gateway to the Headquarters Security Gateway.

    You can route the traffic over the MPLS WAN Link in clear-text towards the Headquarters Security Gateway, such that the Branch Security Gateways can get to the Internet in clear-text through the Headquarters Security Gateway.

    You do not want to configure Backhaul over VPN, but to use the Private WAN Link as a third ISP, with manual priority for Local Breakout.

    You want to avoid building VPN tunnels between Private links and Public links (which are all configured as Public, with the default Circuit ID "0").

    To accomplish this, you can change the Circuit ID of the true Private links to another value on all VPN Peers.

Configuring the Circuit ID

Important:

  • In a Cluster, you must configure all the Cluster Members in the same way.

  • The value 0 is the default for Public WAN Links.

  • The value 1 is the default for Private WAN Links.

Note - You can see the Circuit ID of the VPN peers on the Security Gateway:

  • In the $FWDIR/state/local/SDWAN/sdwan_steering_policy.json file.

    In the section "sdwan_steering_vpn_peers" > refer to the section "<Name of VPN Peer>" > refer to the section "Interfaces" > refer to the section "<Name of Interface>" > refer to the parameter "circuit_id".

  • In CPView (sk101878), click Advanced > SD-WAN > Probing > in the section Overlay Probing Results, you should see that VPN tunnels are established only on the links with the same Circuit ID.

You can configure the Circuit ID in Gaia Portal or Gaia Clish.

  1. Connect to Gaia Portal.

  2. From the left tree, click Network Interfaces.

  3. In the section SD-WAN Interfaces, select the required interface and click Edit.

  4. In the section Advanced Settings:

  5. Select Override Circuit ID.

  6. Enter a value between 0 and 255.

  7. Click OK.

For more information, see SD-WAN Configuration in Gaia Clish.

  1. Connect to the command line on the Security Gateway / each Cluster Member.

  2. Log in.

  3. If your default shell is the Expert mode, go to Gaia Clish:

    clish

  4. Configure the required Circuit ID:

    set interface <Name of Interface> sdwan circuit-id <0-255>

    Example:

    set interface eth1 sdwan circuit-id 2

  5. Examine the SD-WAN configuration on the interface:

    show interface <Name of Interface> sdwan

  6. Save the configuration:

    save config

You can configure the Circuit ID in WebUI or Gaia Clish.

See the R81.10.X Quantum Spark Centrally Managed Administration Guide for 1500, 1600, 1800, 1900, 2000 Appliances > "Managing the Device" > "Configuring Internet Connectivity".

  1. Connect to the WebUI.

  2. From the left tree, click Device.

  3. In the middle pane, expand the section Network and click Internet.

  4. Click the required Internet connection and click Edit.

  5. Click the Advanced tab.

  6. Expand the section SD-WAN Settings.

  7. Select Override circuit ID.

  8. Enter a value between 0 and 255.

  9. Click Save.

  1. Connect to the command line on the Quantum Spark Appliance / each Quantum Spark Cluster Member.

  2. If your default shell is the Expert mode, go to Gaia Clish:

    clish

  3. Configure two Internet connections - one for each ISP.

    Use this command:

    set internet-connection "<Name of Connection>" override-circuit-id true circuit-id <0 - 255>

    See the R81.10.X Quantum Spark CLI Reference Guide for 1500, 1600, 1800, 1900, 2000 Appliances > "Configuring the Internet Connections" > "Setting Internet Connections".

    Example:

    set internet-connection Internet override-circuit-id true circuit-id 2