SD-WAN Traffic Distribution Profiles

Understand how an SD-WAN Traffic Distribution profile implements path selection.
In an SD-WAN topology, the firewall detects a brownout, a blackout, and path deterioration per application and selects a new path to ensure you experience the best performance for your critical business applications. Having multiple ISP links allows you to scale your traffic capacity and reduce costs. The new path selection occurs in less than one second if you leave Path Monitoring and Probe Frequency with default settings; otherwise, new path selection could take more than one second.
To implement such path selection, the firewall uses SD-WAN policy rules, which reference a Traffic Distribution profile that specifies how to select paths for session load distribution and for failover to a better path when path quality for an application deteriorates.
Decide which traffic distribution method an application or service (that matches an SD-WAN policy rule) should use:
  • Best Available Path—Select this method if cost is not a factor and you will allow applications to use any path out of the branch. The firewall uses path quality metrics to distribute traffic and to fail over to one of the links belonging to a Link Tag in the list, thus providing the best application experience to users.
  • Top-Down Priority—If you have expensive or low-capacity links that you want used only as a last resort or as a backup link, use the Top-Down Priority method and place the tags that include those links last in the list of Link Tags in the profile. The firewall uses the top Link Tag in the list first to determine the links on which to distribute session load and on which to fail over. If none of the links in the top Link Tag are qualified based on the Path Quality profile, the firewall selects a link from the second Link Tag in the list. If none of the links in the second Link Tag are qualified, the process continues as necessary until the firewall finds a qualified link in the last Link Tag. If all associated links are overloaded and no link meets quality thresholds, the firewall uses the Best Available Path method to select a link on which to forward traffic. At the start of a failover event, the firewall starts at the top of the Top-Down Priority list of Link Tags to find a link to which it fails over.
  • Weighted Session Distribution—Select this method if you want to manually load traffic (that matches the rule) onto your ISP and WAN links and you don’t require failover during brownout conditions. You specify each link’s load manually by applying a static percentage of new sessions that the interfaces grouped under a single Link Tag will receive. The firewall distributes new sessions using round robin among the links having the specified Link Tags, until the link assigned the lowest percentage reaches that percentage of sessions. The firewall then uses the remaining link(s) in the same manner. You might select this method for applications that aren’t sensitive to latency and that require a lot of the link’s bandwidth capacity, such as large branch backups and large file transfers.
    If the link experiences a brownout, the firewall doesn’t redirect the matching traffic to a different link.
In the event of a failing path condition, the traffic distribution method you choose for the application(s) in an SD-WAN policy rule, along with the Link Tags on groups of links, determines whether and how the firewall selects a new path (performs link failover), as follows:

| Path Condition | Top-Down Priority | Best Available Path | Weighted Session Distribution |
|---|---|---|---|
| Session on existing path failed a path health threshold (brownout) | Affected session fails over to better path (if available) | Affected session fails over to better path (if available) | Affected sessions don’t fail over |
| Top-Down or Best Available Path recovered: existing path is still qualified (good) | Affected session fails back to previous path | Affected session stays on existing path, doesn’t fail back | Affected sessions don’t fail over |
| Top-Down or Best Available Path recovered: existing path fails a health check | All sessions fail back to previous path | Selective sessions fail back to previous path until affected existing path recovers | Affected sessions don’t fail over |
| Existing path is down (blackout) | All sessions fail over to next path on list | All sessions fail over to next best path | All sessions fail over to other tags based on weight settings |
| Brownout with no qualified (better) path | Take best available path | Take best available path | Take best available path |
Additionally, the firewall automatically performs session load sharing among interface members of a single Link Tag. After those interfaces approach their maximum Mbps, new sessions flow over to interfaces having a different Link Tag (based on the traffic distribution method) if those interfaces have better health metrics.

| Path Condition | Top-Down Priority | Best Available Path | Weighted Session Distribution |
|---|---|---|---|
| Multiple links with the same SD-WAN Tag | Share session load equally among links within SD-WAN Tag | Share session load based on best path within SD-WAN Tag | Share session load based on % weight assigned to SD-WAN Tag |
| Multiple links with different SD-WAN Tags | Share session load based on list priority; load link(s) in first SD-WAN Tag first | Share session load based on best path from all SD-WAN Tags | Share session load based on % weight assigned to SD-WAN Tags |
The following figure illustrates an example of a Traffic Distribution profile that uses the Top-Down Priority method. The numbers #1, #2, and #3 give the order in which the firewall examines the Link Tags (and the links they contain), as necessary, to find a healthy path on which to complete an application session failover. For each separate failover event that arises, the firewall starts at the beginning of the Top-Down list of Link Tags.
  1. In this Top-Down Priority example, packets from a branch carrying a specific application (for example, office365-enterprise-access) arrive at the firewall. The firewall uses the route table to determine the next hop to the destination and the outgoing interface, which is the virtual SD-WAN interface tunnel named sdwan.1. The Security policy rule allows the packets. The packets then match an SD-WAN policy rule (named Office365 to Hub1) that specifies the destination zone for the hub. The firewall uses the SD-WAN policy rule’s Path Quality profile, Traffic Distribution profile, and that profile’s Link Tags to determine which interface member (link) from sdwan.1 to use. The Traffic Distribution profile lists three Link Tags in this order: #1 Cheap Broadband, #2 HQ Backhaul, and #3 Backup (which is the order of Link Tags the firewall examines links to find a link to which it can fail over).
  2. Assuming all paths are qualified (by the Path Quality profile), the firewall distributes the packets to one of the physical links tagged with the first Link Tag in the Traffic Distribution profile list: Cheap Broadband. The sdwan.1 tunnel has two member interfaces (two carriers): the cable modem VPN tunnel and the fiber service VPN tunnel. The firewall examines the links in round-robin order and chooses the first qualified link it finds, for example, the cable modem link.
  3. If the first Cheap Broadband link (cable modem) isn’t a qualified link, the firewall selects the second Cheap Broadband link (fiber service).
  4. If the second Cheap Broadband link (fiber service) isn’t a qualified link, the firewall selects the link tagged with the #2 link tag HQ Backhaul, which is a more expensive MPLS link to the same hub.
  5. If the MPLS link isn’t a qualified link, the firewall selects the link tagged with the #3 link tag Backup, which is an even more expensive 5G LTE link to the same hub.
  6. If the firewall doesn’t find a qualified link to fail over to, it uses the Best Available method to select a link.
  7. Upon the start of a new failover event, the firewall starts at the top of the Top-Down list of Link Tags to find a link to which it will fail over.
Keep in mind that SD-WAN traffic distribution is one of the later steps in the packet flow logic. Let’s zoom out to see a broader view of the packet flow.
Packet flow details for the figure are as follows:
  1. When a session for an application arrives at the firewall, the firewall performs session lookup to determine if the session is an existing session or new session.
  2. A new session goes through session setup:
    1. Forwarding lookup—The firewall gets the egress zone, egress interface, and virtual system from the Layer 3 route table or Layer 2 Forwarding Database lookup, etc. For applications that match an SD-WAN policy rule, the firewall uses the virtual SD-WAN interface as the egress interface.
    2. NAT Policy lookup—If the session matches a NAT rule, the firewall does another forwarding lookup to determine the final (translated) egress interface and zone.
    3. Security Policy lookup—If a Security Policy rule allows the session, the session is created and installed in the session table. The firewall then performs additional classification using App-ID™ and User-ID™.
  3. Content Inspection—The firewall performs Threat Inspection (Anti-Spyware for IPS [Vulnerability Protection], Antivirus, URL Filtering, WildFire®, etc.) on payload and headers as needed.
  4. The Forwarding/Egress stage performs path selection and forwards the packets. This stage is where SD-WAN path selection occurs.
    1. Packet Forwarding Process—The firewall uses the ingress interface to determine the forwarding domain; performs routing, switching, or virtual wire forwarding.
    2. SD-WAN path selection occurs when the application matches an SD-WAN policy rule; the Path Quality profile determines path qualification; the Traffic Distribution profile determines the method of path selection and the order in which paths are considered during the selection.
    3. IPSec/SSL-VPN tunnel encryption occurs if needed.
    4. Packet Egress Process - QoS shaping, DSCP rewrite, and IP fragmentation are applied (if needed).
  5. Transmit Packet—The firewall forwards the packet over the selected egress interface.
Now we zoom back in to examine the SD-WAN path selection logic in more detail.
  1. The firewall consults the route table during Forwarding lookup; based on the destination IP address matching a Layer 3 prefix, the firewall determines the egress SD-WAN virtual interface. The packet is either going directly to the public internet or going back to the hub through a secure VPN link.
  2. The firewall monitors each path by performing health checks that run over a VPN tunnel. Each DIA circuit has a VPN tunnel that monitors health information.
  3. The application in the SD-WAN policy rule is associated with a Path Quality profile, and the firewall compares the path’s actual average latency, jitter, and packet loss values to the threshold values.
  4. Any path that has a higher latency, jitter, or packet loss value than the threshold is not selected.
  5. All qualifying paths in the virtual SD-WAN interface are then subjected to the Traffic Distribution profile’s method and path priority (ordering) logic. SD-WAN link tags group ISP services together, and the order of these tags in the Traffic Distribution profile prioritizes the paths during path selection.
  6. Thus, the Path Quality profile and the Traffic Distribution profile together determine the next best path to use, and the firewall forwards the traffic out that link.
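The qualification-then-distribution logic above, together with the Top-Down Priority walkthrough earlier on this page, as an added Python model. This is not PAN-OS code; the composite metric in path_score, the round-robin bookkeeping, and the sample link metrics are assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass
class Link:
    name: str
    tag: str            # SD-WAN Link Tag, for example "Cheap Broadband"
    latency_ms: float   # measured path health values
    jitter_ms: float
    loss_pct: float
    up: bool = True     # False models a blackout

@dataclass
class PathQualityProfile:
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float
    def qualifies(self, link: Link) -> bool:
        """A down path, or one above any threshold, is not selected."""
        return (link.up and link.latency_ms <= self.max_latency_ms
                and link.jitter_ms <= self.max_jitter_ms
                and link.loss_pct <= self.max_loss_pct)

def path_score(link: Link) -> float:
    """Assumed composite metric (lower is better); the page gives no formula."""
    return link.latency_ms + link.jitter_ms + 10 * link.loss_pct

def best_available_path(links, pqp):
    """Best-scoring qualified link; if none qualifies, best link still up; None if all down."""
    up = [l for l in links if l.up]
    pool = [l for l in up if pqp.qualifies(l)] or up
    return min(pool, key=path_score) if pool else None

def top_down_priority(links, pqp, tag_order, rr_state):
    """Walk Link Tags in order, round-robin within a tag, first qualified link wins;
    with no qualified link in any tag, fall back to Best Available Path."""
    for tag in tag_order:
        members = [l for l in links if l.tag == tag]
        for i in range(len(members)):
            idx = (rr_state.get(tag, 0) + i) % len(members)
            if pqp.qualifies(members[idx]):
                rr_state[tag] = (idx + 1) % len(members)  # next session starts after it
                return members[idx]
    return best_available_path(links, pqp)
# Constructed sample links mirroring the page's example (metric values are made up).
LINKS = [Link("cable-vpn", "Cheap Broadband", 40, 5, 0.5),
         Link("fiber-vpn", "Cheap Broadband", 30, 3, 0.1),
         Link("mpls-vpn", "HQ Backhaul", 20, 1, 0.0),
         Link("lte-vpn", "Backup", 80, 15, 1.0)]
PQP = PathQualityProfile(max_latency_ms=100, max_jitter_ms=10, max_loss_pct=1.0)
TAG_ORDER = ["Cheap Broadband", "HQ Backhaul", "Backup"]
```

With the sample data, Top-Down Priority alternates between the two Cheap Broadband links while they qualify, moves to HQ Backhaul when both fail a threshold, and only resorts to the score-based Best Available choice when no tag has a qualified link.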
