How to monitor a configured SD-WAN policy

Solved
swifty
Getting noticed

Hi

I've created a SD-WAN policy under

Security & SD-WAN > SD-WAN & traffic shaping

Is there any way to see data about this policy?

All I can see is the Appliance Summary page which allows you to set the b-w usage on the particular uplink.

I'd like to see:

Amount of data matching the policy

Src/dest IPs

Which of the 2 filters I have defined are being matched (I suspect 1 may not be right)

Ian

10 Replies
jdsilva
Kind of a big deal

Hey @swifty,

You can monitor the policy under Security & SD-WAN > VPN Status. The lower section of that page contains "Uplink Decisions" where you can see which flows have been mapped to which uplink, and the reason why they were mapped there. 

swifty
Getting noticed

Hi

Thanks for the reply, this isn't traffic that will go down an Auto-VPN, it's raw Internet traffic (the site uses local Internet breakout).

The MX is purely a firewall, Site-to-Site VPN Mode is 'off'.

Should have made that clear ;]

For now we have a 2nd WAN interface plugged in that we want to dedicate to a temporary migration use.

jdsilva
Kind of a big deal

Ahh, gotcha. Yeh I assumed you meant AutoVPN traffic. Unfortunately, there is no way to monitor traffic forwarding that's being done through the Internet Flow Preferences section that I'm aware of, at least not in a meaningful way. You can see how much traffic each uplink is passing on the Uplink tab of the Appliance Status page, but that's about it. If you just want to test it to confirm it's working you can create a rule for a device and visit What is My IP to verify that you have egressed the correct WAN interface, but I know that's really not what you're asking. 😞

swifty
Getting noticed

Hi @jds 

Thx.
That's clear, although slightly disappointing on the stats front.
Just to clarify, it's not an Internet Flow Preference in the SD-WAN Uplink section, but a (confusingly named section) SD-WAN policies, 'VPN traffic', Uplink selection policy.

When specified filters are met,

Prefer WAN 2,

Fail over if Uplink down

Rgds,

Ian

jdsilva
Kind of a big deal

Haha we're going around in circles a bit here. Let's level set here since I see that page has changed a bit since I last looked, so I might not be saying this correctly.

The Internet traffic section under Flow Preferences is used to control which WAN interface Internet destined traffic egresses. This section does not impact traffic that is sent over the SD-WAN overlay (AutoVPN tunnels). Here you can override the system defaults for forwarding Internet traffic by selecting a specific interface, or load balance over both.

This section has no effect on traffic being sent through an AutoVPN tunnel.

The VPN Traffic section under SD-WAN policies is used to control traffic that is forwarded over the SD-WAN Overlay (AutoVPN Tunnels). This section allows you to specify an SLA to attach to the traffic type and make dynamic forwarding decisions based on the conditions of the network. This section aligns with what people think of as SD-WAN. Traffic that matches rules in this section can be monitored on the VPN status page as I mentioned previously.

This section has no effect on traffic being sent directly to the Internet (local breakout).

The decision on whether to route traffic into the overlay or direct to Internet is based on the routing table of the MX, not by policies in either of these sections. If the AutoVPN configuration is such that the destination network is routed via an AutoVPN partner then traffic is routed into AutoVPN, and then the SD-WAN policies are applied as applicable. However, if no matching route is found traffic will be sent outside of AutoVPN direct to the Internet, using the Internet Traffic Flow Preferences if applicable.

What I'm getting from your posts is that you are trying to use the SD-WAN policies VPN traffic section to apply policy to Internet traffic, which won't work. Each section has its specific purpose and configuring a rule in one section for the other traffic type will have no effect.
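
To make the decision order in the explanation above concrete, here is an added Python model (example code written for this page, not Meraki's implementation and not posted by anyone in the thread) of the three steps: routing-table lookup first, then the VPN traffic policy only for overlay-bound flows, then the Internet traffic flow preference only for local breakout. The prefixes, host address, ports and rule names are constructed sample values; the point it shows is that a rule in the wrong section is never consulted for that traffic type.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Flow:
    src: str     # inside host
    dst: str     # destination address
    dport: int   # destination port

# Step 1: the MX routing table (constructed sample). "autovpn" marks a prefix
# reached via an AutoVPN partner; the default route means local breakout.
ROUTES = {"10.20.0.0/16": "autovpn", "0.0.0.0/0": "internet"}

# Step 2a: SD-WAN policies > VPN traffic. Consulted only for overlay-bound flows.
VPN_POLICIES = [{"name": "voice-sla", "dport": 5060, "prefer": "WAN2"}]

# Step 2b: Uplink selection > Flow preferences > Internet traffic. Breakout only.
INTERNET_PREFS = [
    {"name": "migration", "src": "192.168.1.50/32", "dport": 443, "prefer": "WAN2"},
]
DEFAULT_UPLINK = "WAN1"  # primary uplink, load balancing off

def lookup_route(dst):
    """Longest-prefix match against ROUTES; returns 'autovpn' or 'internet'."""
    addr = ipaddress.ip_address(dst)
    candidates = [ipaddress.ip_network(p) for p in ROUTES if addr in ipaddress.ip_network(p)]
    return ROUTES[str(max(candidates, key=lambda n: n.prefixlen))]

def _matches(rule, flow):
    """A rule matches when every constraint it carries fits the flow."""
    if "src" in rule and ipaddress.ip_address(flow.src) not in ipaddress.ip_network(rule["src"]):
        return False
    return rule.get("dport", flow.dport) == flow.dport

def uplink_decision(flow):
    """Return (uplink, reason). The route decides which section is consulted;
    a rule in the other section is never even looked at."""
    path = lookup_route(flow.dst)
    section = "VPN traffic" if path == "autovpn" else "Internet traffic"
    rules = VPN_POLICIES if path == "autovpn" else INTERNET_PREFS
    for rule in rules:
        if _matches(rule, flow):
            return rule["prefer"], f"{path}: {section} rule '{rule['name']}'"
    return DEFAULT_UPLINK, f"{path}: no {section} rule matched"

if __name__ == "__main__":
    for f in (Flow("192.168.1.50", "10.20.5.9", 5060),
              Flow("192.168.1.50", "203.0.113.10", 443),
              Flow("192.168.1.50", "203.0.113.10", 5060)):
        print(f, *uplink_decision(f))
```

The third sample flow is the case discussed in this thread: port 5060 has a VPN traffic rule, but because the destination is reached by the default route the flow is breakout traffic, so that rule is skipped and the default uplink is used.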


swifty
Getting noticed

Hi jdsilva

That's a really useful explanation.
I get what you are saying - my Uplink Selection is set to WAN1 with load-balancing Off.

In fact I was successfully using the SD-WAN, VPN traffic, Uplink selection policy

to send particular traffic down WAN2.

(otherwise with WAN1 as the primary uplink, WAN2 would never get a look in)

jdsilva
Kind of a big deal

@swifty wrote:

In fact I was successfully using the SD-WAN, VPN traffic, Uplink selection policy

to send particular traffic down WAN2.

(otherwise with WAN1 as the primary uplink, WAN2 would never get a look in)

So are you saying you're using the VPN Traffic section for Internet breakout traffic?

swifty
Getting noticed

Hi

Yes I was - now you have explained the sections I am surprised it was behaving like it was.

My VPN traffic, Uplink selection policy had WAN2 as the preferred uplink option (with mandatory failover)
AND

the traffic filters
Windows Office365, and a custom expression
tcp from an inside host to any host, external port number.

So a very crude kind of policy routing, i.e.

"if it comes from here" AND "the destination port is X", THEN use uplink WAN2.

jdsilva
Kind of a big deal

Yeh that's odd. Maybe things don't work the way I think they do?

Are you doing full tunnel or split tunnel?

swifty
Getting noticed

Split tunnel.

There is a NAT set up for the return traffic, but I don't see that would necessarily dictate the outbound traffic.

i.e. there is a hide-mode NAT (port-forwarding) set up for this internal host when egressing the WAN2 uplink of the MX.

So going out that would hide the internal src IP behind the MX WAN 2, but would that make the traffic go that way itself? I don't think so.

Anyway thanks for your input and I have learnt something.

I have got rid of the SD-WAN, VPN traffic, Uplink Selection Policy, and used

an Uplink selection, Flow preference, Internet traffic rule instead.

Thanks for your interest.

But no stats unfortunately, other than to look at the WAN usage in the Appliance status page :[
