How to configure SDWAN: Traffic Distribution using Top Down Priority
Objective
- To configure SDWAN for traffic engineering with an example.
- In this example, MPLS and Ethernet links are used. The Ethernet links are further classified into two based on the bandwidth provided by the Service Providers.
- The topmost link has the most available bandwidth while the bottom has the least.
- With the above assumption, the goal is to always utilize tunnel.920 and only use tunnel.922 when the Path Quality Profile test detects link degradation.
- Tunnel.923 will only be utilized if tunnel.920 and tunnel.922 are unavailable or service is degraded due to high loads.
- Should the previous preferred but degraded path recover, traffic needs to fall back to it.
Environment
- Palo Alto Firewalls
- PAN-OS 10.1.3
- SDWAN plugin 2.1.2
Procedure
1. Configure Traffic Distribution Profile based on the above objective.
Device Group: Hub1
Objects > SD-WAN Link Management > Traffic Distribution Profile > Add
Name: TDP-TopDown
Traffic Distribution: Top Down Priority
Link Tags: add SDWAN-Broadband-fast
Link Tags: add SDWAN-Broadband-slow
Link Tags: add SDWAN-MPLS
2. Configure the SD-WAN Policies, which will determine how incoming traffic will be handled by the firewall.
Device Group: Hub1
Policies > SD-WAN > Pre Rules > Add
General > Name: Trust to Branch1
Source > Source Zone: Trust > Source Address: 10.1.0.0/16
Destination> Destination Zone: zone-to-branch > Destination Address: 10.2.0.0/16
Path Quality Profile: management
Application/Service > Applications: Any > Service: Any
Path Selection > Traffic Distribution Profile: TDP-TopDown
Result:
The above is the ideal result; all traffic flows through tunnel.920 for Branch_2.
When a link failure is simulated on the first ISP servicing "Broadband-fast", the resulting loss causes traffic to be redirected to "Broadband-slow".
Only after both of the above links have failed does tunnel.923 (MPLS) get used.
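The selection order and fallback described above can be modeled in a few lines of Python. This is an added example, not Palo Alto Networks code or PAN-OS logic. The threshold values, the mapping of link tags to tunnels and the sample measurements are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Metrics:
    latency_ms: float
    jitter_ms: float
    loss_pct: float

# Constructed thresholds standing in for the "management" Path Quality Profile.
THRESHOLDS = Metrics(latency_ms=150, jitter_ms=30, loss_pct=2.0)

# Link tags in the order listed in TDP-TopDown; the tag-to-tunnel mapping is assumed.
PRIORITY = [
    ("SDWAN-Broadband-fast", "tunnel.920"),
    ("SDWAN-Broadband-slow", "tunnel.922"),
    ("SDWAN-MPLS", "tunnel.923"),
]

def qualifies(m):
    """A path qualifies when it is up (metrics present) and within every threshold."""
    return (m is not None
            and m.latency_ms <= THRESHOLDS.latency_ms
            and m.jitter_ms <= THRESHOLDS.jitter_ms
            and m.loss_pct <= THRESHOLDS.loss_pct)

def select_path(measurements):
    """Return the first (tag, tunnel) in priority order whose path qualifies, else None."""
    for tag, tunnel in PRIORITY:
        if qualifies(measurements.get(tunnel)):
            return tag, tunnel
    return None  # this model does not cover behaviour when no path qualifies

def replay(timeline):
    """Evaluate each snapshot from the top of the list, so a recovered path is reused."""
    return [(select_path(s) or (None, None))[1] for s in timeline]

GOOD = Metrics(20, 2, 0.0)
LOSSY = Metrics(25, 5, 12.0)  # exceeds the constructed loss threshold
TIMELINE = [  # constructed samples; None means the tunnel is down
    {"tunnel.920": GOOD, "tunnel.922": GOOD, "tunnel.923": GOOD},
    {"tunnel.920": LOSSY, "tunnel.922": GOOD, "tunnel.923": GOOD},
    {"tunnel.920": None, "tunnel.922": LOSSY, "tunnel.923": GOOD},
    {"tunnel.920": GOOD, "tunnel.922": LOSSY, "tunnel.923": GOOD},
]

if __name__ == "__main__":
    for step, tunnel in enumerate(replay(TIMELINE), 1):
        print(f"snapshot {step}: selected {tunnel}")
```

The last snapshot shows the fallback requirement from the objective: once tunnel.920 recovers, it is selected again even though tunnel.923 is still healthy.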