Description
This article describes the behaviour and benefits of packet duplication with SD-WAN.
Scope
FortiGate.
Solution
Packet duplication is an SD-WAN feature to reduce data loss over any underlay and overlay SD-WAN. It enables the sending of duplicate packets through up to 3 additional members of any kind, provided the best route to the destination is an SD-WAN member and the links used for duplication have a route to the destination. These duplicate packets are verbatim copies of the original packet.
This way the duplicate packets can be used for data loss protection, and for out-of-band inspection or packet capture.
It is also possible to enable packet de-duplication on the receiving FortiGate. When enabled, the receiving FortiGate accepts only the first copy of the packet received and drops the additional copies. The goal is to save resources at the receiving end by instructing the FortiGate to forward one copy only, instead of forwarding all the copies and letting the next hop discard additional packets.
In the topology below, two FortiGates are connected through three IPsec overlays, which are members of the overlay zone.
Spoke CLI config:
On the Spoke FortiGate, duplication-max-num is set to 3. This indicates that FortiGate will forward up to three copies of each packet: the original packet plus two duplicates. Each copy is sent through a different member.
Hub CLI config:
On the hub side, packet-de-duplication is enabled to instruct the FortiGate to accept only one copy of the packet. The first packet to arrive will be accepted and additional copies will be dropped.
Packet capture on the Spoke side:
Packet capture on the Hub side:
NOTE: For packet duplication, 250 ms is the expected maximum one-way latency difference between two channels (this is by design).
    set duplication-max-discrepancy <latency>    <----- Enter an integer value from <250> to <1000> (default = <250>)
end
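One way to check the behaviour described above from hub-side captures, as an added example that is not part of the original article and is not Fortinet code: it groups verbatim copies, then reports packets that arrived on fewer members than expected, copies spread over more than the 250 ms discrepancy value, and packets forwarded more than once despite de-duplication. The record format, the interface names (ovl1, ovl2, ovl3, lan) and the sample packets are constructed assumptions, and flagging a copy outside the window is this script's own rule, not documented FortiOS behaviour.

```python
from collections import defaultdict
from hashlib import sha256

MAX_DISCREPANCY_MS = 250  # default of duplication-max-discrepancy, per the note above

# Constructed records: (arrival time in ms, interface, inner packet bytes).
# Compare the inner packet: the outer IPsec headers differ per overlay.
HUB_INGRESS = [
    (0, "ovl1", b"pkt-A"), (12, "ovl2", b"pkt-A"), (40, "ovl3", b"pkt-A"),
    (100, "ovl2", b"pkt-B"), (105, "ovl1", b"pkt-B"), (420, "ovl3", b"pkt-B"),
    (500, "ovl1", b"pkt-C"),
]
HUB_EGRESS = [(1, "lan", b"pkt-A"), (101, "lan", b"pkt-B"),
              (421, "lan", b"pkt-B"), (501, "lan", b"pkt-C")]

def packet_id(raw):
    """Short fingerprint; duplicates are verbatim copies, so equal bytes match."""
    return sha256(raw).hexdigest()[:12]

def group_copies(records):
    """Map each fingerprint to the (time, interface) pairs it was seen on."""
    groups = defaultdict(list)
    for ts, iface, raw in records:
        groups[packet_id(raw)].append((ts, iface))
    return groups

def audit(ingress, egress, expected_copies=3, window_ms=MAX_DISCREPANCY_MS):
    """Return (packet_id, issue) findings for one ingress/egress capture pair."""
    forwarded = {pid: len(c) for pid, c in group_copies(egress).items()}
    findings = []
    for pid, copies in group_copies(ingress).items():
        times = [ts for ts, _ in copies]
        members = {iface for _, iface in copies}
        if len(members) < expected_copies:
            findings.append((pid, "missing-copy"))      # a member dropped its copy
        if max(times) - min(times) > window_ms:
            findings.append((pid, "late-copy"))         # spread exceeds the window
        if forwarded.get(pid, 0) > 1:
            findings.append((pid, "not-deduplicated"))  # more than one copy forwarded
    return findings

if __name__ == "__main__":
    for pid, issue in audit(HUB_INGRESS, HUB_EGRESS):
        print(pid, issue)
```

Set expected_copies to the duplication-max-num value configured on the Spoke.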
Copyright 2025 Fortinet, Inc. All Rights Reserved.