bpriya
Staff & Editor
Article Id 195282

Description


This article describes how to configure the minimum number of links that must be In-SLA for an SD-WAN Lowest Cost (SLA) rule to take effect. If the number of In-SLA member interfaces falls below this threshold, the rule is disabled so that a different rule is used instead.


Scope


FortiGate, SD-WAN.

Solution


As a primer, SD-WAN Rules with the Lowest Cost (SLA) and Maximize Bandwidth** strategies will select an outgoing interface (or interfaces) from the pool of SD-WAN members that are both Alive and In-SLA (as measured by SD-WAN Performance SLAs).


**Note that as of FortiOS 7.4.1 and later, the Maximize Bandwidth strategy has been removed as a standalone option and is instead merged as a toggle option for the Lowest Cost (SLA) and Manual strategies. See also: Load balancing strategy.


In some cases, administrators may want to disable a given SD-WAN rule if the number of member interfaces that are In-SLA falls below a certain count, and this can be accomplished using the minimum-sla-meet-members option (configured on a per-SD-WAN Rule basis):

config system sdwan
    config service
        edit <id>
            set mode sla
            set minimum-sla-meet-members <0 - 255, default = 0>
        next
    end
end

By default, minimum-sla-meet-members is set to 0, which results in the following behaviors for the SD-WAN rule:

  • SD-WAN will first select the lowest-cost outgoing interface from the pool of Alive and In-SLA member interfaces. If none of the members assigned to this SD-WAN rule are In-SLA, then SD-WAN will instead fall back to selecting the lowest-cost interfaces from the pool of Alive and Out-of-SLA member interfaces.
  • Notably, the SD-WAN rule will remain active at all times unless all assigned interfaces are in the Dead state.


If minimum-sla-meet-members is set to a non-zero value, then the following behavior will occur instead:

  • Like before, SD-WAN will first select the lowest-cost outgoing interface from the pool of Alive and In-SLA member interfaces. However, if the number of In-SLA members for that rule drops below the threshold set by minimum-sla-meet-members, then the rule will be disabled and no longer matched by SD-WAN (until the members transition back to being In-SLA).
  • This can be useful if a different SD-WAN rule/strategy should be used when too many members are exceeding their SLAs. The following KB article provides an example of such a strategy: Technical Tip: How to configure an SD-WAN rule with the 'Lowest Cost' strategy, and when no member m....


Example:

Consider an example SD-WAN scenario with the following constraints:

  • The FortiGate has 5x WAN interfaces: port1 through port4 (which each have 10Mbps of bandwidth) and port5 (which has 50Mbps of bandwidth but should only be used as a secondary/backup link).
  • Clients behind the FortiGate typically consume 35Mbps of aggregate bandwidth at any given time.
  • The administrator must load-balance traffic over port1 through port4 as long as the links are of good quality (i.e., they are within their Performance SLA thresholds). If the link quality is degraded, then traffic may instead be routed out port5 until port1 through port4 recover.


In this scenario, the administrator configures a Lowest-Cost (SLA) SD-WAN rule that load-balances traffic across port1 through port4, which supports an aggregate of 40Mbps (4x10Mbps) of bandwidth. This works as long as all members are In-SLA, but if one of the member interfaces goes Out-of-SLA, then there may be insufficient bandwidth of good quality to handle client traffic.


To address this, the administrator configures set minimum-sla-meet-members 4 for the Lowest Cost (SLA) + load-balancing rule. If one of the member interfaces goes Out-of-SLA then the threshold is triggered and the SD-WAN rule is disabled/skipped. Traffic can then fall through to a second SD-WAN rule that only sends traffic out of port5, and the first SD-WAN rule can be reactivated automatically once all four member interfaces (port1 through port4) are back to being In-SLA.


The following is an example of what this SD-WAN rule configuration would look like in the CLI:

config system sdwan
    config service
        edit 1
            set name 'Load_Balance_port1-port4'
            set load-balance enable
            set mode sla
            set minimum-sla-meet-members 4
            set dst 'all'
            config sla
                edit 'Example_SLA'
                    set id 1
                next
            end
            set priority-members 1 2 3 4
        next
        edit 2
            set name 'Fallback_port5'
            set mode manual
            set dst 'all'
            set priority-members 5
        next
    end
end

Note regarding load-balancing:

When minimum-sla-meet-members is set to 1 or more and SD-WAN members participate in multiple SLAs within the SD-WAN rule, traffic is only load-balanced among the members that share the greatest number of passing SLAs. Consider the following example scenario:

  • Interfaces port1, port2, and port3 are all participating in SLA_1, SLA_2, and SLA_3.
  • An SD-WAN Lowest Cost (SLA) rule exists with load-balancing enabled, all three ports added, and all three SLAs added.
  • port1 and port2 are In-SLA for all three SLAs, but port3 is only In-SLA for two out of three SLAs.


In the above scenario, port1 and port2 each have the greatest number of passing SLAs (3x), and so traffic is load-balanced between the two interfaces and NOT port3 (which has fewer SLAs).


If port2 then goes Out-of-SLA for one of the SLAs (therefore only having 2x passing SLAs), then traffic is only load-balanced to port1 alone.


Finally, if minimum-sla-meet-members is set back to the default of 0, then traffic will be load-balanced to all three interfaces (port1, port2, and port3) as long as they have at least one SLA that is In-SLA.
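To make the selection behaviour described above easier to trace, the following is an added Python model (not code from the article or from FortiOS) of Lowest Cost (SLA) member selection with and without minimum-sla-meet-members, covering both the port1-port4/port5 example and the load-balancing note. It assumes a member counts as In-SLA when it meets at least one of the rule's SLAs, simplifies the Manual strategy to the first Alive member in priority order, and uses made-up names (Member, lowest_cost_pool, evaluate, scenario) for the example.

```python
from dataclasses import dataclass

@dataclass
class Member:
    name: str
    alive: bool = True
    passing_slas: int = 0   # how many of the rule's SLAs this member currently meets

def lowest_cost_pool(members, minimum_sla_meet_members=0):
    """Members a Lowest Cost (SLA) rule with load-balancing spreads traffic over; []
    means the rule is disabled/skipped. Assumption: In-SLA = meets >= 1 of the rule's SLAs."""
    alive = [m for m in members if m.alive]
    in_sla = [m for m in alive if m.passing_slas > 0]
    if minimum_sla_meet_members == 0:
        # Default: prefer In-SLA members, else fall back to Alive Out-of-SLA members;
        # the rule stops matching only when every assigned member is Dead.
        return [m.name for m in (in_sla or alive)]
    if len(in_sla) < minimum_sla_meet_members:
        return []                      # too few In-SLA members: rule disabled
    # Non-zero threshold: only members sharing the greatest number of passing
    # SLAs receive load-balanced traffic (see the load-balancing note).
    best = max(m.passing_slas for m in in_sla)
    return [m.name for m in in_sla if m.passing_slas == best]

# The article's two example rules as (name, strategy, members, minimum-sla-meet-members).
RULES = [
    ("Load_Balance_port1-port4", "sla", ["port1", "port2", "port3", "port4"], 4),
    ("Fallback_port5", "manual", ["port5"], 0),
]

def evaluate(rules, state):
    """Walk the rules top-down; return (rule name, egress members) of the first match."""
    for name, mode, member_names, threshold in rules:
        members = [state[n] for n in member_names]
        if mode == "manual":
            # Simplified Manual strategy: first Alive member in priority-members order.
            pool = [m.name for m in members if m.alive][:1]
        else:
            pool = lowest_cost_pool(members, threshold)
        if pool:
            return name, pool
    return None                        # no rule matched

def scenario(out_of_sla=()):
    """Constructed state: port1-port5 Alive and meeting the rule's single SLA,
    except the ports named in out_of_sla, which are Out-of-SLA."""
    state = {f"port{i}": Member(f"port{i}", passing_slas=0 if f"port{i}" in out_of_sla else 1)
             for i in range(1, 6)}
    return evaluate(RULES, state)
```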