SD-WAN

Starting in R81.10.10, SD-WAN feature is available in Locally Managed Quantum Spark appliances.

SD-WAN directs traffic for a specific application over a specific interface. It uses pre-configured recommended general settings, without the need for manual configuration. Traffic for specific applications uses different links to optimize the performance and utilization of all available links. Without SD-WAN, traffic is routed automatically based on the destination IP address.

SD-WAN is configured to use a primary ISP for most traffic, and a secondary ISP (for example, LTEClosed Long Term Evolution - a standard for wireless broadband communication for mobile devices and data terminals, based on the GSM/EDGE and UMTS/HSPA technologies. It increases the capacity and speed using a different radio interface together with core network improvements.) as a backup if the primary link fails.

On the Access Policy > Firewall section > SD-WAN page, you can configure the SD-WAN rules and monitor the traffic.

Note - SD-WAN for Centrally Managed appliances is available starting from R81.10.05. For more information, see the Quantum SD-WAN Administration Guide.

Gateway Prerequisites

  • More than one internet connection is configured.

  • Connection to the internet.

SD-WAN Known Limitations

  • Smart SD-WAN does not support VTI.

    There are 4 possible workarounds:

    • Disable the SD-WAN blade.

    • Disable Smart SD-WAN and configure manual SD-WAN policy rules with the Internet object.

    • Configure manual SD-WAN policy rules for the VTI routes.

    • Add a new specific rule to the Routing Table that does not have "Any" as the source or destination.

      Note - In the route configuration, instead of selecting the vpnt interface, configure the VTI peer's IP address.

  • SD-WAN Policy does not support Custom Applications.

  • SD-WAN does not support Bond, Bridge, and Alias interfaces.

  • SD-WAN does not support Internet Connections with IPv6 address configured.

Getting Started with SD-WAN

    1. Connect to the appliance WebUI.

    2. From the left tree, click Device.

    3. In the middle pane, expand the section Network and click Internet.

    4. Configure at least two internet connections - one for each ISP:

      1. Click New.

        The New Internet Connection window opens.

      2. On the Configuration tab:

        1. In the Connection name field, enter the applicable name for this connection.

        2. In the Interface field, select the applicable interface.

        3. In the Connection type field, select the applicable type.

      3. On the Connection Monitoring tab:

        Select Automatically detect loss of connectivity to the default gateway.

      4. On the Advanced tab:

        1. Click SD-WAN Settings to expand the section.

        2. In the Upload speed (Mbps) field, configure the values provided by the ISPs for the upload speed of the Internet connection. For example, Bezeq gives an upload speed of 100 MB.

        3. In the Download speed (Mbps) field, configure the values provided by the ISP for the download speed of the Internet connection. For example, Bezeq gives a download speed of 1000 MB.

          SD-WAN uses all the links that meet the thresholds and fives weights proportionally to the configured upload/download speed.

        4. Select the checkbox This internet connection will be a part of SD-WAN.

        5. For the checkbox This internet connection will be set as backup in SD-WAN, select this only for links that are expensive or of poor quality. For example, Cellular networks have a plan, and if you exceed your limit it can be costly. In the MPLS network, you pay per use.

      5. Click Save.

      For more information see Configuring Internet Connectivity.

      Notes:

      • You can also configure a new SD-WAN connection on the Access PolicySD-WAN page.

      • To navigate directly from the SD-WAN page to the DeviceInternet page, click Manage and monitor links.

  2. Note - The SD-WAN interfaces send ICMP Echo Requests to the specified destination. Based on the received ICMP Echo Responses, the appliance decides which ISP link (SD-WAN interface) to use.

    1. In the SD-WAN mode line (SD-WAN blade is enabled), click Configure.

    2. In the First host field, enter the IPv4 Address or Hostname for the first probing destination.

      The default is dns.google.com

    3. In the Second host field, enter the IPv4 Address or Hostname for the first probing destination.

      The default is dns.cloudflare.com

    4. In the Third host field, enter the IPv4 Address or Hostname for the first probing destination.

      The default is dns.opendns.com

    5. In the Probing interval field, enter the time between the probing packets (in milli-seconds).

      The default is 1000 msec (1 sec).

    6. In the Probing mode field, select the applicable value.

      The default is Best.

      This field controls which Internet connection the appliance selects in each steering object based on the probing mode:

      • Best - Selects the Internet connection that has the best probing mode (the lowest values for the probing characteristics of packet loss, latency, and jitter). This is the default.

      • Average - Selects the Internet connection that has the average probing mode.

      • Worst - Selects the Internet connection that has the worst probing mode (the highest values for the probing characteristics of packet loss, latency, and jitter).

      Example:

      These two Internet connections are configured for SD-WAN - "WAN" and "DMZ".

      There are three probing hosts (destinations) - "Host 1", "Host 2", and "Host 3".

      The probing mode over the configuration probing interval are:

       

      WAN

      DMZ

      Probing

      Characteristic

      Host 1

      Host 2

      Host 3

      Host 1

      Host 2

      Host 3

      Packet Loss (%)

      1

      1

      4

      2

      3

      7

      Latency (msec)

      1

      1

      4

      2

      3

      7

      Jitter (msec)

      1

      1

      4

      2

      3

      7

      Where:

      • The best probing mode was:

        • For "WAN": Packet Loss = 1, Latency = 1, Jitter = 1

        • For "DMZ": Packet Loss = 2, Latency = 2, Jitter = 2

      • The average probing mode was:

        • For "WAN": Packet Loss = (1+1+4)/3 = 2, Latency = (1+1+4)/3 = 2, Jitter = (1+1+4)/3 = 2

        • For "DMZ": Packet Loss = (2+3+7)/3 = 4, Latency = (2+3+7)/3 = 4, Jitter = (2+3+7)/3 = 4

      • The worst probing mode was:

        • For "WAN": Packet Loss = 4, Latency = 4, Jitter = 4

        • For "DMZ": Packet Loss = 7, Latency = 7, Jitter = 7

      Therefore:

      • If you select "Best", the appliance selects the Internet connection "WAN".

      • If you select "Average", the appliance selects the corresponding Internet connection.

      • If you select "Worst", the appliance selects the Internet connection "DMZ".

      Note - If there is a tie between the Internet connections, the appliance selects an Internet connection based the configured Link Utilization (see below):

      • If you selected the option Link Aggregation, the appliance uses all good interfaces.

      • If you selected the option Prioritize, the appliance fails over and falls back between the Internet connections.

    7. In the Packet loss up to field, enter the maximum acceptable packet loss in probing packets (in %).

      The default is 30%.

    8. In the Latency up to field, enter the maximum acceptable latency in probing packets (in milli-seconds).

      The default is 200 msec.

    9. In the Jitter up to field, enter the maximum acceptable jitter in probing packets (in milli-seconds).

      The default is 80 msec.

    10. Click Save.

  		3.

    Note - After you configure multiple connections, you can only work in the High Availability mode.

    1. From the left tree, click Access Policy.

    2. In the middle pane, expand the section Firewall and click SD-WAN.

    3. Scroll down until you see the tabs Performance and Policy.

    4. Below the section Custom Rules, move the slider Smart SD-WAN uses prioritize to the right to enable this option.

    5. On the right side of this slider, click Configure.

      The Smart SD-WAN Settings window opens.

    6. In the Link Utilization section, select the Link Utilization method for Smart SD-WAN:

      • Link Aggregation - Selected by default. The appliance uses all SD-WAN interfaces that meet the threshold criteria.

      • Prioritize - The appliance uses the Internet connections based on the configured priority order.

        To change the priority order of connections:

        1. Click and hold the applicable table row.

        2. Drag the table row up or down to the required position.

        3. Release the mouse button.

        4. Click Save.

  4. These rules configure a steering behavior for specific application traffic. The steering behavior determines how the appliance sends traffic to the Internet. The default behavior is Local Breakout. See Predefined Steering Behavior Objects and Configuring User-Defined Steering Behavior Objects.

    The appliance applies the rules in the order you put them in the policy.

    1. Click New.

      Notes:

      • If you just click the New button, the appliance creates a rule at the bottom of this section. You can move it to the required position.

        You can click the downward arrow on the right side of the New button and select the applicable rule position in advance (Top Rule, Bottom Rule, Above Selected, Below Selected).

      • You can edit, disable, and enable the rule after you create it.

    2. In the New SD-WAN RuleClosed A set of traffic parameters and other conditions in a Rule Base that cause specified actions to be taken for a communication session. window, select the applicable objects in these columns:

      Important - To select user-defined objects, you must create them before you create a new rule.

      This applies to:

        1. Click the + icon.

        2. Click the applicable tab - Networks or Updatable objects.

        3. Select the applicable objects.

          To select Updatable objects, click Import > select objects > click Save.

        4. Click Select.

        1. Click the + icon.

        2. Click the applicable tab - Networks or Updatable objects.

        3. Select the applicable objects.

          To select Updatable objects, click Import > select objects > click Save.

        4. Click Select.

        1. Click the + icon.

        2. Click the applicable tab - Common, Services, or Applications.

        3. Select the applicable objects.

        4. Click Select.

        1. Click the Default Breakout object.

        2. Select the applicable steering behavior object.

    3. Click Save.

    4. To change the priority order of custom rules:

      1. Click and hold the applicable table row.

      2. Drag the table row up or down to the required position.

      3. Release the mouse button.

  5. The middle section of the page shows the graph with all SD-WAN Internet connections.

    Hover the mouse in the top part of the graph and click the applicable category:

    • Throughput

    • Packet rate

    • Connections

    • All (appears only for Throughput and Packet rate)

    • Inbound (appears only for Throughput and Packet rate)

    • Outbound (appears only for Throughput and Packet rate)

    • Real-time

    • Trends - Traffic over a specific time frame

    In the Real-time view, hover the mouse on each Internet connection to see the tooltip with additional data - latency, jitter, and packet loss.

Predefined Steering Behavior Objects

The appliance has several predefined Steering Behavior objects:

  1. From the left tree, click Access Policy.

  2. In the middle pane, expand the section Firewall and click SD-WAN.

  3. Scroll down until you see the tabs Performance and Policy.

  4. Click the Performance tab. This tab shows predefined steering objects and how they perform.

  5. Click a predefined object to see its complete settings.

    • Icons of the applications this object uses.

    • Internet SD-WAN links this object uses.

    • Icons that show the state of each SD-WAN link.

    • When you hover on each SD-WAN link, the tooltip shows its quality (jitter, latency, packet loss).

    You cannot change the settings of the predefined objects.

Configuring User-Defined Steering Behavior Objects

The appliance has several predefined Steering Behavior objects:

  1. From the left tree, click Access Policy.

  2. In the middle pane, expand the section Firewall and click SD-WAN.

  3. Scroll down until you see the tabs Performance and Policy.

  4. Click the Policy tab.

  5. From the top toolbar, click Manage Behaviors.

  6. From the top toolbar, click New.

  7. In the Name field, enter a descriptive name.

  8. Optional: In the Comment field, enter the applicable text.

  9. In the Thresholds section, configure the required criteria for the steering behavior.

    • Select Predefined and from the list, select the applicable category (each category has predefined thresholds).

    • Select Custom, and configure the required thresholds:

      • Jitter up to

      • Latency up to

      • Packet loss up to

  10. In the Steering Candidates section, select the required SD-WAN interfaces:

    • Select All relevant links to use all SD-WAN interfaces.

    • Select Specific links and select the required SD-WAN interfaces (if there are three or more SD-WAN interfaces).

  11. In the Link Utilization section, configure the required settings:

    • Select Link Aggregation and select the algorithm how to use all SD-WAN interfaces:

      • Connection hash - Allocates connections to links based on a hash of their attributes, ensuring all packets of a connection follow the same path.

      • Round robin - Distributes connections to available links in a cyclical manner, aiming for a balanced but not necessarily bandwidth-optimized allocation.

      • Proportionally to upload bandwidth - Assigns connections to links in proportion to the links' upload bandwidth, optimizing for efficient bandwidth utilization.

      • Proportionally to download bandwidth - Allocates connections to links based on their download capacities, aiming to optimize inbound bandwidth usage.

    • Select Prioritize and configure the priority order of SD-WAN interfaces (drag and drop to change the order). This option is available when you configure two or more SD-WAN interfaces.

  12. In the Probing section, you can override the global probing settings.

    The appliance sends pings to all configured hosts in parallel and measures the ISP link quality based on jitter, latency, and packet loss.

    1. Enter the applicable destination IP address or hostname for the First host, Second host, Third host.

    2. In the Probing mode field, select the applicable result from these options: Best, Average, Worst.

  13. Click Save.

Static Routes and SD-WAN

When SD-WAN is enabled on the appliance (this is the default), SD-WAN routing decision takes priority over all static routes (configured in the Device view > the Advanced Routing section > the Routing Table page) that send traffic through Internet Connections.

This is the default SD-WAN configuration:

  1. The SD-WAN blade is enabled.

  2. Each Internet connection is enabled for SD-WAN.

If you do not want to use SD-WAN, then to send traffic through Internet Connections based on the configured static routes, follow one of these options:

  • Disable the SD-WAN blade:

    Note - This completely disables SD-WAN on the appliance.

    1. Click the Access Policy view > in the Firewall section, click the SD-WAN page.

    2. At the top of the page, move the slider to the left position (near the text "SD-WANblade is enabled").

  • In each specific Internet connection, clear the option This Internet connection will be a part of SD-WAN:

    Note - Use this option to disable SD-WAN only in a specific interface and keep using SD-WAN with other interfaces.

    1. Click the Device view > in the Network section, click the Internet page.

    2. Select the Internet connection and click Edit.

    3. Go to the right tab Advanced.

    4. Expand the last section SD-WAN Settings.

    5. Clear the option This Internet connection will be a part of SD-WAN.