msolanki
Staff
November 24, 2022

Technical Tip: Interface selection in SD-WAN when multiple zones and members are configured

Description: This article describes the behavior of traffic selection when multiple zones and members are configured in an SD-WAN manual rule.

Scope: FortiGate.

Solution

Note: This article assumes the default service tie-break method 'cfg-order' is in use. For other available tie-break methods, see Technical Tip: FortiOS SD-WAN SLA tie break feature overview.

From FortiOS v7.0.1 onward, SD-WAN functionality supports multiple SD-WAN zones. In previous versions, only SD-WAN member configuration could be used to prioritize traffic flow.

 

The SD-WAN member configuration used for these examples is shown below.

config system sdwan
    config members
        edit 4
            set interface "A_100"
            set zone "A"
        next
        edit 5
            set interface "A_101"
            set zone "A"
        next
        edit 6
            set interface "B_200"
            set zone "B"
        next
        edit 7
            set interface "B_201"
            set zone "B"
        next
    end
end

 

Example 1: Multiple members configured on a rule.

config system sdwan
    config service
        edit 1
            set name "Two_Members"
            set mode manual
            set dst "Microsoft Office 365"
            set priority-members 7 4
        next
    end
end

Result: Members are selected in the order defined in 'set priority-members'.

diagnose sys sdwan service4 1

Service(1): Address Mode(IPV4) flags=0x4200 use-shortcut-sla use-shortcut
  Tie break: cfg
  Shortcut priority: 2
    Gen(1), TOS(0x0/0x0), Protocol(0): src(1->65535):dst(1->65535), Mode(manual)
    Members(2):
      1: Seq_num(7 B_201 B), alive, selected
      2: Seq_num(4 A_100 A), alive, selected
    Dst fqdn(3): login.windows.net(76) login.microsoft.com(247) login.microsoftonline.com(135)

 

 

Example 2: A single zone is configured in a rule.

config system sdwan
    config service
        edit 1
            set name "One_Zone"
            set mode manual
            set dst "Microsoft Office 365"
            set priority-zone "B"
        next
    end
end

Result: Members within the zone are selected based on their order in the SD-WAN member configuration.

diagnose sys sdwan service4 1

Service(1): Address Mode(IPV4) flags=0x4200 use-shortcut-sla use-shortcut
  Tie break: cfg
  Shortcut priority: 2
    Gen(1), TOS(0x0/0x0), Protocol(0): src(1->65535):dst(1->65535), Mode(manual)
    Members(2):
      1: Seq_num(6 B_200 B), alive, selected
      2: Seq_num(7 B_201 B), alive, selected
    Dst fqdn(3): login.windows.net(76) login.microsoft.com(247) login.microsoftonline.com(135)

For reference, the zone B members appear in this order in the SD-WAN member configuration:

config system sdwan
    config members
        edit 6
            set interface "B_200"
            set zone "B"
        next
        edit 7
            set interface "B_201"
            set zone "B"
        next
    end
end

 

Example 3: Multiple zones are configured on a rule.

config system sdwan
    config service
        edit 1
            set name "Prefer_B"
            set mode manual
            set dst "Microsoft Office 365"
            set priority-zone "B" "A"
        next
    end
end

Result: Zones are selected based on the order defined in 'set priority-zone'. Within a zone, members are selected as in Example 2.

diagnose sys sdwan service4 1

Service(1): Address Mode(IPV4) flags=0x4200 use-shortcut-sla use-shortcut
  Tie break: cfg
  Shortcut priority: 2
    Gen(1), TOS(0x0/0x0), Protocol(0): src(1->65535):dst(1->65535), Mode(manual)
    Members(4):
      1: Seq_num(6 B_200 B), alive, selected
      2: Seq_num(7 B_201 B), alive, selected
      3: Seq_num(4 A_100 A), alive, selected
      4: Seq_num(5 A_101 A), alive, selected
    Dst fqdn(3): login.windows.net(76) login.microsoft.com(247) login.microsoftonline.com(135)

 

Example 4: Zone and members are both configured in the SD-WAN rule.

config system sdwan
    config service
        edit 1
            set name "Prefer_A_100"
            set mode manual
            set dst "Microsoft Office 365"
            set priority-members 4
            set priority-zone "B" "A"
        next
    end
end

Result: Priority-members are selected first, as in Example 1. Then, the remaining zones are selected as in Example 3. A member already selected through 'set priority-members' is not listed again under its zone.

diagnose sys sdwan service4 1

Service(1): Address Mode(IPV4) flags=0x4200 use-shortcut-sla use-shortcut
  Tie break: cfg
  Shortcut priority: 2
    Gen(1), TOS(0x0/0x0), Protocol(0): src(1->65535):dst(1->65535), Mode(manual)
    Members(4):
      1: Seq_num(4 A_100 A), alive, selected
      2: Seq_num(6 B_200 B), alive, selected
      3: Seq_num(7 B_201 B), alive, selected
      4: Seq_num(5 A_101 A), alive, selected
    Dst fqdn(3): login.windows.net(76) login.microsoft.com(247) login.microsoftonline.com(135)
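
An added example, not part of the original article and not Fortinet code: a Python check that derives the expected member order from the rules shown in Examples 1-4 and compares it with the member lines of 'diagnose sys sdwan service4', which helps confirm after a change that a rule still prefers the intended link. The function names are hypothetical; it assumes manual mode, the 'cfg-order' tie-break and the member table used in this article.

```python
import re

# Member table from the article, in configuration order: (seq_num, interface, zone).
MEMBERS = [(4, "A_100", "A"), (5, "A_101", "A"), (6, "B_200", "B"), (7, "B_201", "B")]

# 'diagnose sys sdwan service4 1' member lines from Example 4, copied from the article.
EXAMPLE4_DIAG = """\
    Members(4):
      1: Seq_num(4 A_100 A), alive, selected
      2: Seq_num(6 B_200 B), alive, selected
      3: Seq_num(7 B_201 B), alive, selected
      4: Seq_num(5 A_101 A), alive, selected
"""

SEQ_LINE = re.compile(r"^\s*\d+:\s+Seq_num\((\d+)\s+(\S+)\s+([^\s)]+)\)")


def expected_order(members, priority_members=(), priority_zones=()):
    """Member order for a manual rule under cfg-order tie-break, per Examples 1-4."""
    by_seq = {m[0]: m for m in members}
    unknown = [s for s in priority_members if s not in by_seq]
    if unknown:
        raise ValueError(f"priority-members not in member table: {unknown}")
    order = [by_seq[s] for s in priority_members]   # explicit members first, as listed
    for zone in priority_zones:                     # then each zone, as listed
        for m in members:                           # members in configuration order
            if m[2] == zone and m not in order:     # skip members already placed
                order.append(m)
    return order


def parse_diag(text):
    """Return (seq_num, interface, zone) tuples in the order the diagnose output lists them."""
    found = []
    for line in text.splitlines():
        hit = SEQ_LINE.match(line)
        if hit:
            found.append((int(hit.group(1)), hit.group(2), hit.group(3)))
    return found


def check_rule(diag_text, members, priority_members=(), priority_zones=()):
    """Compare the live order with the intended one; returns (matches, expected, actual)."""
    want = expected_order(members, priority_members, priority_zones)
    got = parse_diag(diag_text)
    return got == want, want, got


if __name__ == "__main__":
    print(check_rule(EXAMPLE4_DIAG, MEMBERS, priority_members=(4,), priority_zones=("B", "A")))
```
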

 

Related documents:
Technical Tip: Explaining the SD-WAN rule matching process

Lowest cost (SLA) strategy

Hybrid strategy of priority and SLA modes