SD-WAN policies for Internet traffic

jdtwin

I am using Custom Expressions with an Uplink Selection Policy of "Prefer WAN 1. Fail over if poor performance" with a Traffic Filter for one VLAN to multiple Internet destinations. Once this is in place, can WAN 1 reach any Internet destinations not included in the rules?

My feeling is that it is just a preference and should not block Internet traffic not included in the rules.

I hope this makes sense; please let me know if you need any more information.

Johnfnadez

Hello Jd,

All traffic that doesn't match a custom rule takes the action of the default rule, which is the uplink preference or load balancing. For example, if you have load balancing on both uplinks it falls into that rule; otherwise it goes through the uplink you have as primary.

Johnny Fernandez
Network & Security Engineer
CCNP | JNCIP-SEC | CMNA
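The fall-through behaviour described in the reply above can be modelled as a small first-match policy evaluator. This is an added illustration written for this thread, not Meraki firmware or Meraki's documented algorithm: custom rules match on source and destination IP, the first matching rule wins (with a simple "fail over if poor performance" check), and anything unmatched goes to the global default, which is either the primary uplink or a per-flow hash across both uplinks when load balancing is on. The uplink names, the voice VLAN prefix and the destination prefixes are all constructed sample values.

```python
"""Constructed model of first-match uplink selection with a global default policy.

Not Meraki's implementation: an illustration of why a destination that is
allowlisted for only one uplink's public IP can break when the flow does not
match a custom rule and the default policy is load balancing.
"""
import hashlib
import ipaddress
from dataclasses import dataclass

UPLINKS = ("WAN1", "WAN2")  # hypothetical uplink names


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int


@dataclass
class UplinkRule:
    """One custom-expression rule: source prefix -> list of destination prefixes."""
    src_net: str
    dst_nets: list
    preferred: str                    # uplink to prefer while it is healthy
    failover_on_poor_perf: bool = True

    def matches(self, flow: Flow) -> bool:
        src = ipaddress.ip_address(flow.src_ip)
        dst = ipaddress.ip_address(flow.dst_ip)
        if src not in ipaddress.ip_network(self.src_net):
            return False
        return any(dst in ipaddress.ip_network(net) for net in self.dst_nets)


def other_uplink(name: str) -> str:
    return UPLINKS[1] if name == UPLINKS[0] else UPLINKS[0]


def select_uplink(flow, rules, default_policy, primary, poor_performance=frozenset()):
    """Return the uplink a flow egresses on under this model.

    default_policy is "primary" or "load_balance"; poor_performance is the set of
    uplinks currently failing the rule's performance class.
    """
    for rule in rules:                      # custom rules are evaluated in order
        if rule.matches(flow):
            if rule.failover_on_poor_perf and rule.preferred in poor_performance:
                return other_uplink(rule.preferred)
            return rule.preferred
    # Nothing matched: the global default decides, not the custom rules.
    if default_policy == "load_balance":
        key = f"{flow.src_ip}|{flow.dst_ip}|{flow.proto}|{flow.dst_port}".encode()
        idx = int(hashlib.sha256(key).hexdigest(), 16) % len(UPLINKS)
        return UPLINKS[idx]                 # deterministic per flow, spread over both
    return primary


# Constructed sample policy: voice VLAN 10.10.20.0/24 to two vendor prefixes prefers WAN1.
RULES = [
    UplinkRule("10.10.20.0/24", ["203.0.113.0/24", "198.51.100.0/24"], "WAN1"),
]


def egress_map(dst_ips, default_policy, src_ip="10.10.20.15"):
    """Map each destination to the uplink it is reached from; useful for
    checking which uplink public IPs a remote allowlist must contain."""
    return {
        ip: select_uplink(Flow(src_ip, ip, "udp", 5060), RULES, default_policy, "WAN1")
        for ip in dst_ips
    }


if __name__ == "__main__":
    # One destination covered by a rule, one that is not (192.0.2.9 is a constructed
    # "forgotten" destination).
    for policy in ("primary", "load_balance"):
        print(policy, egress_map(["203.0.113.7", "192.0.2.9"], policy))
```

Running the block shows that the destination covered by the rule always leaves on WAN1, while the uncovered destination leaves on WAN1 only when the default is the primary uplink; under load balancing it lands on whichever uplink its flow hashes to, so a remote allowlist that only contains WAN1's address will intermittently or consistently fail for that flow.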

John,

That is the behavior I would expect; however, the one Internet block I did not have in my Traffic Filter was going over WAN 2, and my Global Preferences were set to a Primary Uplink of WAN 1 and load balancing. I proved this out by whitelisting WAN 2 at the destination end. I am trying to figure out why the MX decided to send traffic over WAN 2 instead of my Primary Uplink of WAN 1.

alemabrahao

SD-WAN policies can be configured to control and modify the flows for specific VPN traffic. Can you show your rule, and provide more information?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

[Two screenshots of the uplink selection rules, not reproduced.]

I have an additional list of Traffic Filters that contain Internet destinations I want to reach for voice traffic. I didn't include those as they would show the vendor I am working with. The one destination that I did not have "Prefer WAN 1" for was using WAN 2. I would have thought it would use WAN 1, as it is defined as the Primary uplink regardless of the Traffic Filter. My ultimate question is "Why did the MX decide to use WAN 2?"

alemabrahao

@jdtwin,

How are you testing it? Your rules are defined just for DNS (Google) traffic destinations. Internet traffic rules are based just on source and destination IP, not applications. The Performance class is just used to define Maximum latency (ms), Maximum jitter (ms) and Maximum loss (%).

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

I have 6 additional filters that use the same Uplink Selection policy. I just did not include them as they would show the vendor I am working with. The test was based on the fact that I could not reach the destination via Primary Uplink WAN 1, which was whitelisted at the destination. As soon as I whitelisted Uplink WAN 2 at the destination, my devices communicated.

alemabrahao

Like I said, the Performance class is just used to define Maximum latency (ms), Maximum jitter (ms) and Maximum loss (%).

Have you tried changing it to "Fail over if uplink down"? Is the result the same? Is it an option to deactivate load balancing?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Thanks for your help. I am really just trying to understand what would drive the MX to use WAN 2 if WAN 1 is healthy and available.

alemabrahao

@jdtwin SD-WAN policies can be configured to control and modify the flows for specific VPN traffic. Internet traffic is not included.

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/SD-WAN_and_Traffic_Shaping#SD-WAN_p...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.