Description

This article describes a FortiOS feature called tie-break which relates to SDWAN traffic steering strategy.  SDWAN SLA Tie break is required because most of the time SDWAN members are within SLA with little quality variance between them, and FortiOS needs a method to choose between known good SDWAN interface members.

Scope

FortiGate.

Solution

This KB will provide details on the SLA Tie Break SD-WAN features.

The FortiOS SD-WAN SLA Tie Break feature is found in the CLI only via the SDWAN zone and Service Rule. See below:

FGT# config system sdwan

    FGT# config zone

    FGT# edit "virtual-wan-link"

    FGT# set service-sla-tie-break cfg-order <----- Default config.

    FGT# next

    FGT# config service

    FGT# set tie-break?

zone Use the setting that is configured for the members' zone. <----- Default config.
cfg-order Members that meet the SLA are selected in the order they are configured.
fib-best-match Members that meet the SLA have selected that match the longest prefix in the routing table.

From the above output, the tie-break default setting uses the priority member configuration order (cfg-order) as a tie break when all SD-WAN members are within SLA and they are within the define quality variance threshold of each other (default 10%). The configuration order is found in the SD-WAN Service Rule within CLI via:

config service

    edit 1

        set name "SDWAN"

        set mode sla
        set dst "all"
        set src "all"
            config sla

                edit "Ping_1_Loopback"
                    set id 1
                next
                edit "Ping_2_Loopback"
                    set id 1
                next
                edit "Ping_3_Loopback"
                    set id 1
                next
                edit "Ping_4_Loopback"
                    set id 1
                next
            end
        set priority-members 1 2 3 4 8 5 7 6 
    next

From the above CLI output, it can be seen the setting priority-members referencing SD-WAN members 1 2 3 4 8 5 7 6. A disadvantage of using the default setting cfg-order as SLA tie break is because it might not be desirable to steer SD-WAN traffic to member # 1. Most FortiOS SD-WAN deployments relay on BGP architecture to find best paths through the SD-WAN overlay network and cfg-order setting does not capitalize on this logic which could be critical if using many IPsec Hubs offering redundant BGP paths. Furthermore, to steer specific SD-WAN traffic to specific SD-WAN members, then multiple Service Rules would need to be created to accommodate this requirement, which could quickly become complex.

To address these shortcomings of cfg-order, a new feature was created to augment SLA tie break functionality, and this feature is called fib-best-match. When using fib-best-match logic for SLA tie break, FortiOS SD-WAN logic will narrow down possible SD-WAN member egress interfaces configured in Service Rule to the best FIB (routing-table) match, which is essentially native routing logic to make SD-WAN steering choice for egress interface.

For example, if BGP states that SDWAN members #7 and #6 have BGP ECMP best path match for destination IP of interest - then only these two members will be considered to steer traffic.

B 10.1.1.0/22 [200/0] via 172.19.14.1, _MPLS_OL, 11:14:28
                       [200/0] via 172.19.14.1, _INet_OL, 11:14:28

The question might have been then if ECMP is used, then how does SDWAN choose a single SDWAN member interface if they are equal? The answer is simple, once FIB identifies the best egress interfaces, and in our example #7 and #6, the first configured interface within priority-members setting within Service Rule will be chosen, meaning if ECMP between 7 and 6 is always occurring, then member #7 will always be preferred before #6 on the simple fact it is configured in sequence before #6. Unless SLA fails on #7 in which then member #6 would be used.

Furthermore, here are a few Details on fib-best-match logic. Within a single Service Rule, only priority-members referenced, and are within SLA, are considered for traffic steering. Next, out of these SDWAN members, a FIB (native routing table) lookup is performed and if the best path egress interface is SDWAN member listed within said Service rule then forward traffic to that member. Next, if more than one member is selected because of ECMP, then FortiOS used the first configured member based on configuration sequence within "priority-members 1 2 3 4 8 5 7 6".  Note, that the configuration sequence within the priority-member setting reads from LEFT to RIGHT, meaning #1 is first and #6 is last in this example.

Considerations:

1. When using the SLA Tie Break method for member traffic steering, remember that the logic is a per Service Rule basis. Meaning, only members referenced within priority-member config can be used. When using fib-best-match as Tie Break it is best to reference all SD-WAN members so the native routing table can effectively be used.
2. Note that Policy Route Table works differently than native routing table (FIB) in the sense that native route table performs best match logic inherently using attributes like Distance, Metric and longest match logic. The Policy Route Table where Service Rule logic is stored reads from the top-down and the first Service Rule match will be used which might not be the best path determined by FIB. This could be caused by summary or default routes in place directed over SD-WAN members.
3. fib-best-match logic breaks candidate SD-WAN member interfaces into two groups. Group-1 will contain the best path(s) found via FIB lookup and Group-2 will contain the SD-WAN member interface that did not match the FIB lookup. Group-1 will be evaluated first in order and then Group-2.  SD-WAN member selection per group will be based on the priority-member configuration sequence.
4. fib-best-match with ECMP for the longest match is only supported on 7.0.1+ GA, as of this writing. Also, 7.0.1+ GA, when fib-best-match is used, SLA quality comparison member selection is overridden with the longest FIB prefix match.
5. Only cfg-order Tie Break logic uses the quality comparison between SD-WAN members. Meaning, if there is a variance of more than 10% (by default) between SD-WAN member interfaces, then traffic is steered to the next member with better quality. If the variance is under 10%, then traffic will be steered using a member configuration order.