SDWAN-Application Based Traffic Steering over Secure SD-WAN Gateways

Application based Traffic Forwarding refers to the process of forwarding application traffic to pre-defined secure Gateways based on the Enterprise needs and network conditions. This is slightly different from Traffic Engineering which is basically routing the traffic on specific available local WAN-links and continually evaluating them for SLA metrics and switching the traffic forwarding to alternate links in case of a SLA violation. 

Typical enterprise networks will have a high capacity Internet circuit at their Hub locations and could be having a Firewall or a Proxy in place with controlled Internet access while a local break out at the Branches would be required for SaaS traffic to have a seamless user experience. 

Legacy routing uses PBR based forwarding policies which act on layer-3 and forward traffic to appropriate gateways. This isn’t scalable when the applications today are hosted on cloud and new network and servers keep getting added. Versa Secure SD-WAN Application based forwarding capability, gives the flexibility to match and forward traffic based on Layer 3 and right upto Layer 7. This can also be tagged with Traffic Engineering and the traffic can be forwarded to the most optimal Gateway or exit point in the network. 

This article will provide information about application based traffic forwarding configuration and verifying the same using Versa SD-WANs CLI and big data Analytics.

Versa SD-WAN Application Based Forwarding is an easy to configure policy and has a single touch point – the SDWAN Policy 

SDWAN Policy  – Define the Application(s) to be matched and forwarding action to be taken
– Define the default action for all other Internet bound traffic to be matched and the forwarding action

High Level Topology

Hubs and the Spoke sites have two Transports enabled – a MPLS and a Internet with a local DIA (Direct Internet Access) break out enabled at all the sites. The Spoke site gets two Default Routes (0.0.0.0/0) – one from Hub-1 and the other from Hub-2 and in addition has its local DIA. The Default routes present in the Spoke with the next Hop towards 10.1.224.102 and 10.1.224.103 represent the Hub-1 and Hub-2 Control-VR-IPs and ‘indirect’ reference in the routing table classifies it as a route is received over the SDWAN fabric. 

In steady state the traffic destined for central breakout prefers the SD-WAN Gateway at Hub-1.

admin@T3-Spoke-1-cli> show route routing-instance Tenant-3-LAN-VR 


Routes for Routing instance : Tenant-3-LAN-VR  AFI: ipv4  SAFI: unicast


Codes: E1 - OSPF external type 1, E2 - OSPF external type 2
IA - inter area, iA - intra area,
L1 - IS-IS level-1, L2 - IS-IS level-2
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
RTI - Learnt from another routing-instance
+ - Active Route


Prot   Type  Dest Address/Mask   Next-hop        Age      Interface name
----   ----  -----------------   --------        ---      -------------- 
BGP    N/A  +0.0.0.0/0           10.1.224.102    1d03h29m Indirect
BGP    N/A   0.0.0.0/0           10.1.224.103    1d07h15m Indirect
BGP    N/A   0.0.0.0/0           169.254.0.2     1d07h04m tvi-0/603.0

On failure of the Internet circuit at Hub-1, the default route from Hub-1 towards the Spoke is withdrawn and traffic intended for Central breakout will prefer Hub-2 as SD-WAN Gateway.

Configuration

Objectives:

  1. Configure a default policy for all SDWAN traffic – Branch to Branch
  2. Configure a Policy use the Hub as Gateway – Hub-1 and in case of failure towards Hub-2 for all traffic matching the applications – Facebook & Amazon
  3. All other Internet bound traffic should use the local breakout (DIA) at the Spoke site

Step 1: Configure a SDWAN Policy. Under the Service Tab, create a SDWAN Policy – ‘Default-Policy

Step 2: Configure a rule for all LAN-to-LAN  traffic
– Create a Rule ‘Branch-Branch’. Choose the source Zone as LAN zone ‘Intf-Spoke-LAN-Zone’ to match all traffic coming from the LAN
– Use the Enforce tab to define the Action to ‘Allow Flow’ and select ‘Enable Symmetric Forwarding

Step 3: Configure a rule for all traffic that has to go to the Central – Hub break out. We will match all traffic going to Amazon & Facebook 
– Create a Rule ‘Facebook-Rule’. Choose the source Zone as LAN zone ‘Intf-Spoke-LAN-Zone’ to match all traffic coming from the LAN
– On the Applications Tab – select ‘Facebook’ and ‘Amazon
– Use the Enforce tab to define the Action to ‘Allow Flow’ and select ‘Enable Symmetric Forwarding
– Select ‘Default Profile’ to enable logging and get the Analytics view

Step 4: Configure a rule for all traffic that has to go to the Central – Hub break out. We will match all traffic going to Amazon & Facebook 
– Create a Rule ‘Internet-Bound’. Choose the source Zone as LAN zone ‘Intf-Spoke-LAN-Zone’ to match all traffic coming from the LAN
– Use the Enforce tab to define the Action to ‘Allow Flow
– Choose the next hop as ‘169.254.0.2’ (the local DIA breakout) and select ‘Enable Symmetric Forwarding’ 
– Select ‘Default Profile’ to enable logging and get the Analytics view

Verification

In steady state the traffic towards Facebook & Amazon traffic take the Hub-1 SD-WAN Gateway and all other Internet traffic takes the DIA. CLI output shows the traffic towards Facebook and Amazon as SD-WAN traffic exiting the spoke and reaching Hub-1 and traffic towards other applications like Twitter and Facebook go out as DIA traffic via the local break out. 

In the output below, the traffic towards Amazon is going out as SDWAN traffic the from the Branch and not getting NATTED.

admin@T3-Spoke-1-cli> show orgs org Tenant-3 sessions brief | match amazon
0    2    11737  10.10.30.30     13.32.36.24     43262   443          6         No      Yes    amazon       
0    2    11752  10.10.30.30     54.239.26.255   44942   443          6         No      Yes    amazon       
0    2    11764  10.10.30.30     54.239.26.255   44946   443          6         No      Yes    amazon       
0    2    11777  10.10.30.30     54.209.9.51     40738   443          6         No      Yes    amazon       
0    2    11782  10.10.30.30     34.192.208.233  34980   443          6         No      Yes    amazon       
[ok][2020-07-14 05:26:06]
admin@T3-Spoke-1-cli> show orgs org Tenant-3 sessions sdwan brief               
VSN  VSN  SESS                                   SOURCE  DESTINATION                                                                              TX        
ID   VID  ID     SOURCE IP       DESTINATION IP  PORT    PORT         PROTOCOL  NATTED  SDWAN  APPLICATION  RX WAN CKT         TX WAN CKT         BRANCH    
------------------------------------------------------------------------------------------------------------------------------------------------------------
0    2    11719  52.206.125.160  10.10.30.30     443     40926        6         No      Yes    -            Internet:Internet  Internet:Internet  T3-Hub-1  
0    2    11720  10.10.30.30     13.249.217.20   58232   443          6         No      Yes    -            MPLS:MPLS          MPLS:MPLS          T3-Hub-1  
0    2    11737  10.10.30.30     13.32.36.24     43262   443          6         No      Yes    amazon       Internet:Internet  Internet:Internet  T3-Hub-1  
0    2    11752  10.10.30.30     54.239.26.255   44942   443          6         No      Yes    amazon       MPLS:MPLS          MPLS:MPLS          T3-Hub-1  
0    2    11756  10.10.30.30     52.46.130.13    33778   443          6         No      Yes    -            MPLS:MPLS          MPLS:MPLS          T3-Hub-1  
0    2    11761  10.10.30.30     52.46.135.211   42514   443          6         No      Yes    -            Internet:Internet  Internet:Internet  T3-Hub-1  
0    2    11764  10.10.30.30     54.239.26.255   44946   443          6         No      Yes    amazon       MPLS:MPLS          MPLS:MPLS          T3-Hub-1  
0    2    11777  10.10.30.30     54.209.9.51     40738   443          6         No      Yes    amazon       Internet:Internet  Internet:Internet  T3-Hub-1  
0    2    11782  10.10.30.30     34.192.208.233  34980   443          6         No      Yes    amazon       MPLS:MPLS          MPLS:MPLS          T3-Hub-1  
0    2    11787  10.10.30.30     104.115.92.65   39318   443          6         No      Yes    -            Internet:Internet  Internet:Internet  T3-Hub-1  
admin@T3-Spoke-1-cli> show orgs org Tenant-3 sessions sdwan brief                 
VSN  VSN  SESS                                   SOURCE  DESTINATION                                                                              TX        
ID   VID  ID     SOURCE IP       DESTINATION IP  PORT    PORT         PROTOCOL  NATTED  SDWAN  APPLICATION  RX WAN CKT         TX WAN CKT         BRANCH    
------------------------------------------------------------------------------------------------------------------------------------------------------------
0    2    11719  52.206.125.160  10.10.30.30     443     40926        6         No      Yes    -            Internet:Internet  Internet:Internet  T3-Hub-1  
0    2    11844  10.10.30.30     13.32.36.24     43300   443          6         No      Yes    amazon       MPLS:MPLS          MPLS:MPLS          T3-Hub-1  
0    2    11866  10.10.30.30     13.249.213.191  44818   443          6         No      Yes    amazon       MPLS:MPLS          MPLS:MPLS          T3-Hub-1  
0    2    11976  10.10.30.30     52.46.141.49    49296   443          6         No      Yes    amazon       MPLS:MPLS          MPLS:MPLS          T3-Hub-1  
0    2    11979  10.10.30.30     157.240.16.35   40536   443          6         No      Yes    facebook     Internet:Internet  Internet:Internet  T3-Hub-1  
0    2    12008  10.10.30.30     31.13.79.26     60246   443          6         No      Yes    facebook     MPLS:MPLS          MPLS:MPLS          T3-Hub-1  
0    2    12021  10.10.30.30     157.240.16.35   40578   443          6         No      Yes    facebook     Internet:Internet  Internet:Internet  T3-Hub-1  

The SDWAN Traffic sessions below show, the traffic to Amazon and Facebook taking the Hub-1 as SD-WAN Gateway to the Internet.

All other Internet bound traffic is taking the local DIA at the Spoke where the traffic is getting Natted and going as a non-SD-WAN traffic and no SD-WAN sessions are built for traffic destined to other Internet sites like Microsoft, Office365, Google etc.

admin@T3-Spoke-1-cli> show orgs org Tenant-3 sessions brief
VSN  VSN  SESS                                   SOURCE  DESTINATION                                           
ID   VID  ID     SOURCE IP       DESTINATION IP  PORT    PORT         PROTOCOL  NATTED  SDWAN  APPLICATION     
---------------------------------------------------------------------------------------------------------------
0    2    12074  10.10.30.30     13.90.213.204   41976   80           6         No      No     office365       
0    2    12075  10.10.30.30     13.90.213.204   41976   80           6         Yes     No     office365       
0    2    12080  10.10.30.30     184.84.103.195  45806   443          6         No      No     office365       
0    2    12081  10.10.30.30     184.84.103.195  45806   443          6         Yes     No     office365       
0    2    12086  10.10.30.30     104.115.94.4    55820   443          6         No      No     microsoft       
0    2    12087  10.10.30.30     104.115.94.4    55820   443          6         Yes     No     microsoft       
0    2    12102  10.10.30.30     13.235.101.167  40172   443          6         No      No     microsoft       
0    2    12103  10.10.30.30     13.235.101.167  40172   443          6         Yes     No     microsoft       
0    2    12109  10.10.30.30     104.77.173.32   48436   443          6         No      No     microsoft       
0    2    12112  10.10.30.30     104.77.173.32   48436   443          6         Yes     No     microsoft       
0    2    12182  10.10.30.30     117.18.232.200  46762   443          6         No      No     windows_azure   
0    2    12183  10.10.30.30     117.18.232.200  46762   443          6         Yes     No     windows_azure
0    2    12284  10.10.30.30     172.217.163.78  37362   443          6         No      No     youtube         
0    2    12285  10.10.30.30     172.217.163.78  37362   443          6         Yes     No     youtube         
0    2    12292  10.10.30.30     172.217.160.131  48630   80           6         No      No     ocsp                                                                                       
0    2    12293  10.10.30.30     172.217.160.131  48630   80           6         Yes     No     ocsp                                                                           
0    2    12316  10.10.30.30     172.217.163.202  36366   443          6         No      No     google_gen                                                                      
0    2    12317  10.10.30.30     172.217.163.202  36366   443          6         Yes     No     google_gen                                                                      
0    2    12318  10.10.30.30     142.250.67.77   60364   443          6         No      No     google_accounts                                                                                                              
0    2    12319  10.10.30.30     142.250.67.77   60364   443          6         Yes     No     google_accounts  
                                                                                               s              

On Internet link failure at Hub-1, the SD-WAN automatically withdraws the default route from Hub-1 and make that out of Hub-2 as indicated by the next hop of 10.1.224.103 as the best path. 

admin@T3-Spoke-1-cli> show route routing-instance Tenant-3-LAN-VR                 


Routes for Routing instance : Tenant-3-LAN-VR  AFI: ipv4  SAFI: unicast


Codes: E1 - OSPF external type 1, E2 - OSPF external type 2
IA - inter area, iA - intra area,
L1 - IS-IS level-1, L2 - IS-IS level-2
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
RTI - Learnt from another routing-instance
+ - Active Route


Prot   Type  Dest Address/Mask   Next-hop        Age      Interface name
----   ----  -----------------   --------        ---      -------------- 
BGP    N/A  +0.0.0.0/0           10.1.224.103    1d08h01m Indirect
BGP    N/A   0.0.0.0/0           169.254.0.2     1d07h50m tvi-0/603.0

All traffic destines to Amazon and Facebook take the SD-WAN Gateway at Hub-2 to reach the application. 

admin@T3-Spoke-1-cli> show orgs org Tenant-3 sessions sdwan brief
VSN  VSN  SESS                                SOURCE  DESTINATION                                                                                  TX        
ID   VID  ID     SOURCE IP    DESTINATION IP  PORT    PORT         PROTOCOL  NATTED  SDWAN  APPLICATION      RX WAN CKT         TX WAN CKT         BRANCH    
-------------------------------------------------------------------------------------------------------------------------------------------------------------
0    2    12567  10.10.30.30  176.32.103.205  50098   80           6         No      Yes    amazon           MPLS:MPLS          MPLS:MPLS          T3-Hub-2  
0    2    12568  10.10.30.30  176.32.103.205  45608   443          6         No      Yes    amazon           Internet:Internet  Internet:Internet  T3-Hub-2  
0    2    12569  10.10.30.30  176.32.103.205  45610   443          6         No      Yes    amazon           MPLS:MPLS          MPLS:MPLS          T3-Hub-2  
0    2    12576  10.10.30.30  13.32.36.24     43730   443          6         No      Yes    amazon           Internet:Internet  Internet:Internet  T3-Hub-2  
0    2    12597  10.10.30.30  104.115.92.65   39886   443          6         No      Yes    amazon           MPLS:MPLS          MPLS:MPLS          T3-Hub-2  
0    2    12598  10.10.30.30  104.115.92.65   39888   443          6         No      Yes    amazon           Internet:Internet  Internet:Internet  T3-Hub-2  
0    2    12599  10.10.30.30  104.115.92.65   39890   443          6         No      Yes    amazon           MPLS:MPLS          MPLS:MPLS          T3-Hub-2  
0    2    12616  10.10.30.30  104.115.92.65   39906   443          6         No      Yes    amazon           Internet:Internet  Internet:Internet  T3-Hub-2  
0    2    12617  10.10.30.30  104.115.92.65   39908   443          6         No      Yes    amazon           MPLS:MPLS          MPLS:MPLS          T3-Hub-2  
0    2    12628  10.10.30.30  157.240.16.20   49240   443          6         No      Yes    facebook         Internet:Internet  Internet:Internet  T3-Hub-2  
0    2    12629  10.10.30.30  157.240.16.20   49242   443          6         No      Yes    facebook         MPLS:MPLS          MPLS:MPLS          T3-Hub-2  
0    2    12630  10.10.30.30  157.240.16.20   49244   443          6         No      Yes    facebook         Internet:Internet  Internet:Internet  T3-Hub-2  
0    2    12631  10.10.30.30  157.240.16.20   49246   443          6         No      Yes    facebook         MPLS:MPLS          MPLS:MPLS          T3-Hub-2  
0    2    12632  10.10.30.30  157.240.16.20   49248   443          6         No      Yes    facebook         Internet:Internet  Internet:Internet  T3-Hub-2  
0    2    12633  10.10.30.30  157.240.16.20   49250   443          6         No      Yes    facebook         MPLS:MPLS          MPLS:MPLS          T3-Hub-2  

The traffic for Microsoft and Twitter continues as is via the local DIA. 

Traffic logs on the Monitor Tab

Near Real time traffic can be monitored using the Monitor feature on the Director. This show traffic sessions for Facebook which are considered as SDWAN and that for Microsoft considered as non-SDWAN DIA traffic. 

Analytics Logs

Big Data Analytics shows the Rules which match the traffic of interest. The remote usage of sites shows the volume of traffic going via each of the Hubs mapped against the Rules. 

The analytics logs confirms that the Traffic going to Internet getting NATTED as it goes out via the Local break out.

Summary

This document explained the feature of Application Based Traffic forwarding over secure SD-WAN Gateways. While creating these Policies, we can tie with Traffic Engineering by creating SLA profiles to automatically remove or switch to alternate Gateway in case of degradation in link quality. This gives the enterprise more control over the policy and gives best user experience and application performance.