Controlling traffic flow with CenturyLink SD-WAN (web traffic example)

This CenturyLink® SD-WAN use case shows the steps needed to build a rule that controls web traffic flow based on network service level agreement (SLA) parameters, such as latency, jitter, and packet loss, on the WAN connectivity of your branch location. A complete configuration takes three steps: SLA profiles, forwarding profiles, and policies and rules:
 

  1. SLA profiles—sets up the network performance parameters that monitor the performance of access circuits and WAN links of your related branch locations. An access circuit or WAN link is selected based on the threshold values specified in the SLA profile.

  2. Forwarding profiles—defines the properties of WAN circuits to be selected for traffic. It defines properties such as the load balancing method for traffic, priority of circuits, circuit type (broadband or MPLS), circuit media, and other associated attributes. Forwarding profiles are associated with SLA profiles to determine the selection of WAN circuits in a given order of priority.

  3. Policies and rules—you can configure traffic based on matching criteria such as the traffic source address, destination address, source zone, and specific IP packet header information.

In the example below, we are:
 

  • Avoiding an SLA violation caused by high circuit use.

  • Routing web traffic over the internet connection first and MPLS second.

  • Avoiding the high cost of an LTE connection.

  • Using application filtering to match traffic on HTTP and HTTPS.

Note: the CenturyLink engineer may have already defined some standard SLA profiles and forwarding profiles. In this case, you will see them and can add a new rule that refers to those profiles.

Creating a web traffic SLA profile

The configuration is made on a branch template and not on an individual appliance. Read a comparison of Director Context and Appliance Context.

Step 1—configuring SD-WAN SLA profiles

A service level agreement (SLA) defines the network performance parameters between your organization and CenturyLink and includes packet delay, packet loss, and jitter.

  1. Log in to the SD-WAN portal.

  2. In the Director Context, click the Config Templates tab, then select a template.

  3. In the Services tab (shown with a gear icon), select SDWAN > SLA Profiles.

  4. From the Organization list, select an entity.

  5. Click the + sign to add an SLA profile.

  6. Fill in the fields to create the SLA profile. In this use case, we describe how to fill out the fields and show options for completing the profile. These selections may not be specific to your situation; they are selected for this specific web traffic example.

    1. In the Name field, type a name for the SLA profile. This is the only required field. We named ours WebTrafficSLAProfile.

    2. In the Description field, describe the SLA profile.

    3. In the Tags field, type words to describe the item so it will appear in a search.

    4. In the Packet Delay-variation (jitter) field, type the acceptable packet delay variation (in milliseconds).

    5. In the Circuit Transmit Utilization field, type the circuit transmit use (as a percentage). We set our circuit transmit and receive use to 80%.

    6. In the Circuit Receive Utilization field, type the circuit receive use (as a percentage).

    7. In the Maximum Packet Loss field, type the acceptable packet loss (as a percentage). We typed 2.

    8. In the Maximum Forward Packet Loss field, type the acceptable packet loss (as a percentage).

    9. In the Maximum Reverse Packet Loss field, type the acceptable packet loss (as a percentage).

  7. In the Maximum Latency field, type the acceptable latency (in milliseconds). We typed 100.

  8. In the MOS Score field, type a value for the MOS score.

You can also select the checkbox to turn on default options.

  9. Click OK.

Step 2—configuring SD-WAN forwarding profiles 

A forwarding profile determines the traffic path based on the real-time SLA performance of traffic. It defines properties such as the load balancing method, priority of circuits, circuit type, circuit media, and others used to select circuits for traffic.
 

  1. In the Director Context, click the Config Templates tab, then select a template.

  2. In the Services tab (shown with a blue gear icon), select SDWAN > Forwarding Profiles.

  3. From the Organization list, select an entity.

  4. Click the + sign to add a forwarding profile.

  5. Fill in the fields to create the forwarding profile. In this use case we describe how to fill out the fields for adding a forwarding profile. These selections may not be specific to your situation; they are selected for this use case.

    1. In the Name field, type a name for the profile. We named ours WebTrafficForwardingProfile.

    2. In the Description field, type a description for the forwarding profile.

    3. In the Tags field, type words to describe the item so it will appear in a search.

    4. From the SLA Profile list, select the SLA profile. This matches the name we created in the previous step, WebTrafficSLAProfile.

    5. From the Encryption list, select the encryption mode. We selected Optional.

    6. From the Connection Selection Method list, select the mode to balance traffic. We selected Weighted Round Robin.

    7. In the Recompute Timer field, type the switching time (in seconds) between circuits when the current circuit does not meet the SLA threshold values. We typed 300.

    8. From the SLA Violation Action list, select the action to be taken if the traffic does not meet the SLA thresholds. We selected forward.

    9. From the Load Balancing Option list, select a load balancing option. We selected Per Flow.

    10. In the Replication section:

      1. Select the Mode checkbox for replication. Because our example is web traffic forwarding, the box is checked.

      2. In the Replication factor field, type a replication factor. In our example, we typed 2 so the packets are replicated twice, for each of our WAN circuits.

      3. From the Start When list, select when replication starts. We selected SLA Violated.

      4. Select the Stop When checkbox to stop replication. We stop replication when circuit use gets too high, so we don’t overload the circuits.

      5. In the Circuit Utilization field, type the circuit use (as a percentage). We typed 85.

    11. Select the Evaluate Continuously checkbox to apply switching during traffic flow. We checked the box.

    12. Select the Enable Symmetric Forwarding checkbox to ensure traffic is sent out from the same circuit that was used for the inflow of traffic. We checked the box.

    13. Select the Enable Gradual Migration checkbox to enable gradual migration.

    14. Click the Circuit Priorities tab to configure circuit properties for local and remote clients.

  6. Click the + sign to define the circuit properties.

  7. Fill in the fields to define the circuit priority. In this use case we describe how to fill out the fields to add circuit priorities. These selections may not be specific to your situation; they are selected for this use case.

    1. From the Priority list, select the circuit priority. 1 is the default. We used the default.

    2. In the Description field, type a description for the circuit priority.

    3. In the Tag field, type words to describe the item so it will appear in a search.

    4. Click the Circuit Names tab and create a name for the local and remote clients. Click the + sign next to each heading and type the circuit name. Because this is web traffic forwarding, we chose the internet connection as Priority 1.

    5. Click the Circuit Types tab (optional) and select the type of circuit to be used for the local and remote clients. Click the + sign to select a circuit type from the list in each section. For our WebTraffic forwarding profile, the Circuit Types selection sets up MPLS as the second priority circuit. You can also create the second priority for our MPLS connection using the Circuit Names section as shown above.

  8. Click the Circuit Media tab (optional) and define the media of the circuit for the local and remote clients. Click the + sign to select a circuit type for each client from both lists. We did not select a circuit media.

  9. Click the Avoid Connections tab to configure the links that should not be picked. These are defined for the local and remote client links. We will use the circuit media section to set up an avoid connection for LTE for web traffic because using LTE for high-use web traffic may be expensive.

  10. In the Local Circuit Names section, click the + sign to define the local circuit name to be skipped.

  11. In the Remote Circuit Names section, click the + sign to define the remote circuit name to be avoided.

  12. Click the FEC tab to apply any forward error correction.

  13. Select the Mode checkbox and fill in the parameters for FEC. We used the default of 4 Packets per FEC and selected SLA Violated from the Start When list. We will stop when the Circuit Utilization gets to 90%.

  14. Click OK.

Step 3—configuring SD-WAN policies and rules

Establishing SD-WAN policies and rules helps you configure web traffic based on matching criteria such as the traffic source address, destination address, source zone, and specific IP packet header information. The default policy is the only policy that can be created; CenturyLink will have done this. Follow these steps to configure rules:
 

  1. In the Director Context, click the Config Templates tab, then select a template.

  2. In the Services tab, select SDWAN > Policies > Rules.

  3. From the Organization list, select an entity.

  4. Click the + sign to add a rule.

  5. Fill in the fields to create the rule. In this use case we describe how to fill out the fields to edit rules. These selections may not be specific to your situation; they are selected for this use case.

    1. In the Name field, type a name for the rule. We named ours GeneraInternet.

    2. In the Description field, describe the rule.

  6. Click the Source/Destination tab to configure source and/or destination addresses to capture traffic.

  7. Fill in the following information:

    1. In the Source Address section, click the + sign to select a source address. Source address refers to the originating address of incoming traffic and is classified by originating country, region, or IP address.

    2. Select the Source Address Negate checkbox to block traffic to the selected source addresses.

    3. In the Destination Address section, click the + sign to select a destination IP address. Destination address refers to the destination address of the traffic. Addresses are classified by countries, regions, or IP addresses. We do not have any source or destination rules to reference in our example.

  8. Click the Headers/Schedule tab to configure matching criteria based on the IP packet header information.

  9. Fill in the following information:

    1. From the IP Version list, select the version of IP.

    2. From the IP Flags list, select either More Fragments or Don’t Fragment to indicate whether routers can fragment the data packets.

    3. In the DSCP field, click the + sign to add the differentiated services code point, which refers to the value or cost of the policy.

    4. From the Condition list, select the condition.

    5. In the Value field, type the value. This matches traffic based on the selected IP version, IP flag, and TTL match condition in the packet's header.

    6. From the Schedules list, specify the frequency of the action to be taken.

    7. Click + Schedule to create a new schedule.

    8. In the Services List section, click the + sign to select services to be allowed or blocked from the list. The list includes predefined and user-defined services. Service is defined based on the destination address and port. We do not have any rules based on IP headers or schedules for our example.

  10. Click the Applications/URL tab to select traffic based on applications and URLs. Select the applications and application groups in which to apply this rule. We selected HTTPS and HTTP from the Application List list.

Note: Items selected in the same section (like Applications) will be added in an OR condition, which means HTTPS or HTTP traffic will be captured by the rule. Items added into different sections in the same rule will be considered an AND condition, which means if you have HTTP in Applications and Games in a URL Category list, the traffic would have to match both of those conditions for the rule to apply.

  11. On the Applications/URL tab, click the + sign to select an application from the list. The list includes predefined and user-defined applications.

  12. Click the Enforce tab to select the forwarding profile and the action to be taken on the traffic.

  13. Fill in the following information:

    1. In the Action list, select the action to be taken on the traffic.

    2. In the Forwarding Profile list, select the forwarding profile to be applied on the traffic.

  14. Click OK.

Apply these changes to your branches.
 

  1. Click Commit.

  2. In the Select Template list, select the related branches to push either the new SD-WAN rule or all rules. We recommend you push a template to just one branch to test your new rule before applying it to all the branches related to your template.

  3. In the View column, click the eye icon to preview changes.

  4. Click OK.
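
The three steps above, as an added Python model that is not CenturyLink or vendor code: a rule matches a flow (OR inside a section, AND across sections), its forwarding profile orders the circuits, and the SLA profile decides which one carries the traffic. Circuit names, field names and measurements are constructed; load balancing, replication and FEC are not modelled, and trying circuits without a priority last is an assumption.

```python
# Added model, not CenturyLink or vendor code; names and measurements are constructed.
SLA_PROFILES = {"WebTrafficSLAProfile": {  # Step 1: thresholds typed in the example
    "latency_ms": 100, "loss_pct": 2, "tx_util_pct": 80, "rx_util_pct": 80}}
FORWARDING_PROFILES = {  # Step 2: priority order, avoid list, violation action
    "WebTrafficForwardingProfile": {
        "sla": "WebTrafficSLAProfile",
        "priority": ["INET-1", "MPLS-1"],  # internet first, MPLS second
        "avoid": {"LTE-1"},                # keep web traffic off LTE
        "violation_action": "forward",
    },
}
RULES = [  # Step 3: match sections plus the forwarding profile to enforce
    {"name": "GeneraInternet",
     "match": {"applications": {"HTTP", "HTTPS"}, "url_categories": set()},
     "forwarding_profile": "WebTrafficForwardingProfile"},
]
CIRCUITS = {  # constructed measurements for one branch
    "INET-1": {"latency_ms": 140, "loss_pct": 0.5, "tx_util_pct": 40, "rx_util_pct": 35},
    "MPLS-1": {"latency_ms": 30, "loss_pct": 0.1, "tx_util_pct": 55, "rx_util_pct": 50},
    "LTE-1": {"latency_ms": 60, "loss_pct": 0.3, "tx_util_pct": 10, "rx_util_pct": 10},
}

def rule_matches(rule, flow):
    """OR inside a section, AND across sections; empty sections are ignored."""
    return all(wanted & flow.get(section, set())
               for section, wanted in rule["match"].items() if wanted)

def sla_violations(metrics, sla):
    """Names of the metrics on one circuit that exceed the SLA thresholds."""
    return [m for m, limit in sla.items() if metrics[m] > limit]

def pick_circuit(flow, circuits, rules=RULES):
    """Return (rule, circuit, reason) for a flow, or None if no rule matches."""
    for rule in rules:
        if not rule_matches(rule, flow):
            continue
        fp = FORWARDING_PROFILES[rule["forwarding_profile"]]
        sla = SLA_PROFILES[fp["sla"]]
        # Assumption: circuits without a priority are tried last, by name.
        order = fp["priority"] + sorted(set(circuits) - set(fp["priority"]))
        usable = [c for c in order if c in circuits and c not in fp["avoid"]]
        for name in usable:
            if not sla_violations(circuits[name], sla):
                return rule["name"], name, "meets SLA"
        if usable and fp["violation_action"] == "forward":
            return rule["name"], usable[0], "SLA violated, forwarded anyway"
        return rule["name"], None, "no usable circuit"
    return None
```

Running constructed flows through the model before the commit shows which circuit a rule would pick and confirms that the avoided LTE circuit is never selected, even when it is the only one meeting the SLA.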
