hi all,
Thanks for any help in advance.
Think of this scenario:
Initially we have an SD-WAN rule for traffic destined to 10.74.0.0/15 with an MPLS underlay interface as the SD-WAN member interface, and of course we have a static route for 10.74.0.0/15 with the MPLS interface as the egress interface; the priority stays at the default of 1.
Afterwards we think about security, and we have an existing IPsec overlay tunnel over the Internet (yes, the phase 2 selectors and so on are all configured correctly for this traffic; it is verified working), so we created another static route to 10.74.0.0/15 pointing to that IPsec overlay interface. The tunnel interface is one of the SD-WAN member interfaces, of course.
The question is: in this scenario, does assigning a different priority (in this case, 20) to the second static route via the IPsec tunnel interface make any sense? I think the SD-WAN rule (lowest SLA as the outgoing interface selection rule) will automatically steer the member selection, which results in the selection of the egress interface; it has nothing to do with the priority difference between the two static routes. So, in my opinion, we do not need to assign a different priority to the second static route that points to the IPsec tunnel interface.
What is your opinion? Thanks for any advice.
Hi Sean
Maybe I missed something, but I've never created a route for an SD-WAN member. Once some interfaces are members of the SD-WAN interface, all related routes I create point to the SD-WAN interface, not to the members. The SD-WAN rules will do the rest.
Hi @sean3,
When using lowest SLA as outgoing interface selection rule, the interface that meets SLA targets is selected. When there is a tie, the interface with the lowest assigned cost is selected.
Regards,
Thanks. I am talking about the priority assigned to the static route. With two member interfaces in an SD-WAN rule, should the static routes to those two interfaces have different priorities?
I'm not sure why you care about priority. If both interfaces are in the same SD-WAN zone, there should be one static route, and traffic will be handled by the SD-WAN rule.
Regards,
The concept of FTNT SD-WAN is to have the same routes, like the default route, over multiple underlay member circuits, and then to steer specific traffic onto a chosen path based on conditions like SLA.
This concept is common among other vendors' implementations of SD-WAN.
Manipulating things like the priority of specific routes on those circuits should be left to circuits outside of the SD-WAN members. Otherwise, SD-WAN might not work as intended, and probably nobody has an answer for how it would behave in your case because it's outside of the design/scope. It would often have unintended/unexpected consequences.
Just don't do it.
Toshi