If you use Auto VPN configuration through
Panorama, it creates the SD-WAN interfaces for you, in which case
you don’t create and configure a virtual SD-WAN interface. If
you aren’t using Auto VPN configuration with Panorama, create and
configure a virtual SD-WAN interface to specify one or more physical, SD-WAN-capable Ethernet interfaces that
go to the same destination, such as to a specific hub or to the
internet. All links in a virtual SD-WAN interface must
be the same type: all VPN tunnel links or all direct internet access (DIA) links.
The first figure illustrates an example of an SD-WAN interface named SDWAN.901 that bundles two
physical interfaces, which use different carriers: Ethernet1/1 (the cable modem
link) and Ethernet1/2 (the fiber service link). Both links are VPN tunnels from the
branch to the hub.
In this figure, both links
in the SD-WAN interface happen to use the same link tag (Cheap Broadband),
but links in an SD-WAN interface can have different link tags.
In the following figure, SDWAN.902 bundles Ethernet1/1 and Ethernet1/2 links, which are both DIA
links from the branch to the internet:
a logical SD-WAN interface
by entering a number (in the range 1 to 9,999) after the
Auto VPN configuration creates SD-WAN interfaces numbered .901, .902, and
so on. Hence, if you want to create the SD-WAN interfaces manually, do
not use the sdwan.90x format for the SD-WAN interface name.
Enter a descriptive
Add a helpful comment, such as
Branch to internet
Branch to western USA hub
you are on the Branch template. Your comment makes troubleshooting
easier rather than trying to decipher auto-generated names in logs
tab, assign the
SD-WAN interface to a
Assign the SD-WAN interface to a
The virtual SD-WAN interface and all of its interface members
must be in the same Security zone, thus ensuring the same Security
policy rules apply to all paths from the branch to the same destination.
which are members that go to the same destination, by selecting
one or more Layer 3 Ethernet interfaces (for DIA) or one or more virtual
VPN tunnel interfaces (for hub). If you enter more than one interface,
they must all be the same type (either VPN tunnel or DIA).
The firewall virtual router uses this virtual SD-WAN
interface to route SD-WAN traffic to a DIA or a hub location. During
routing, the route table determines which virtual SD-WAN interface
(egress interface) the packet will exit based on the destination
IP address in the packet. Then the SD-WAN path health and Traffic
Distribution profiles in the SD-WAN policy rule that the packet
matches determine which path to use (and the order in which to consider
new paths if a path deteriorates).
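
The rules this page gives for a manually created virtual SD-WAN interface (a number from 1 to 9,999, no sdwan.90x names, members all VPN tunnel or all DIA, interface and members in one Security zone) can be checked before a configuration is pushed. The following Python check is an added example, not Palo Alto Networks code; the dictionary layout, field names and sample interfaces are assumptions constructed for illustration, and "sdwan.90x" is read here as sdwan.900 through sdwan.909.

```python
import re

# Hypothetical data model for a planned manual configuration; the field names
# are assumptions made for this example, not a PAN-OS or Panorama schema.
NAME = re.compile(r"sdwan\.(\d+)")
RESERVED = re.compile(r"sdwan\.90\d")  # "sdwan.90x", read as sdwan.900-909
LINK_TYPES = {"vpn-tunnel", "dia"}


def validate_sdwan_interface(iface):
    """Return a list of rule violations for one virtual SD-WAN interface."""
    problems = []
    name = iface["name"].lower()
    m = NAME.fullmatch(name)
    if not m or not 1 <= int(m.group(1)) <= 9999:
        problems.append(f"{name}: number must be in the range 1 to 9,999")
    elif RESERVED.fullmatch(name):
        problems.append(f"{name}: sdwan.90x names are created by Auto VPN")

    members = iface.get("members", [])
    if not members:
        problems.append(f"{name}: needs one or more member interfaces")
    types = {mem["type"] for mem in members}
    if types - LINK_TYPES:
        problems.append(f"{name}: unknown link type {sorted(types - LINK_TYPES)}")
    elif len(types) > 1:
        problems.append(f"{name}: members mix VPN tunnel and DIA links")

    # Interface and every member must share one Security zone so the same
    # Security policy rules apply to all paths to the destination.
    for mem in members:
        if mem["zone"] != iface["zone"]:
            problems.append(f"{name}: member {mem['name']} is in zone "
                            f"{mem['zone']!r}, not {iface['zone']!r}")
    return problems


# Constructed sample input: one valid bundle, one that breaks three rules.
PLANNED = [
    {"name": "sdwan.1", "zone": "to-hub", "members": [
        {"name": "tunnel.11", "type": "vpn-tunnel", "zone": "to-hub"},
        {"name": "tunnel.12", "type": "vpn-tunnel", "zone": "to-hub"}]},
    {"name": "sdwan.902", "zone": "untrust", "members": [
        {"name": "ethernet1/1", "type": "dia", "zone": "untrust"},
        {"name": "tunnel.13", "type": "vpn-tunnel", "zone": "to-hub"}]},
]

if __name__ == "__main__":
    for planned in PLANNED:
        print(planned["name"], validate_sdwan_interface(planned) or "ok")
```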