SD-WAN Failover from an MPLS Link to a BOVPN Virtual Interface Tunnel
With SD-WAN, the Firebox can dynamically route traffic based on the performance of your network connections. For applications that are sensitive to network performance, such as VoIP, RDP, and video conferencing applications, SD-WAN can help make sure those applications perform well and are highly available.
In this example, a company with VoIP traffic between sites wants users to experience high-quality, reliable voice calls over a secure connection. To achieve these goals, the company dedicates an MPLS link to VoIP traffic. If network issues such as high loss, latency, and jitter occur on the MPLS link, the company wants VoIP traffic to fail over to another interface. To help reduce costs, the company wants to use a BOVPN virtual interface tunnel as a backup connection instead of a secondary MPLS link.
This configuration example shows metric-based SD-WAN routing on a distributed enterprise network with hybrid WAN connections. Site A (Headquarters) has a Firebox. Site B (Branch Office) has either a Firebox or a third-party firewall.
To implement this configuration, your Firebox must run Fireware v12.4 or higher.
Network Topology
This diagram shows the network topology for this example. The firewall at Site B can be a Firebox or a third-party firewall.
How It Works
A VoIP policy and SD-WAN action route VoIP traffic over the MPLS link.
The Firebox sends Link Monitor probes to remote hosts to monitor the availability and network performance of the MPLS link. Network performance metrics include loss, latency, and jitter. You can select to use one or more metrics, and you can specify values for metrics.
If the MPLS link becomes unavailable, or if metrics exceed the values you specified, VoIP traffic fails over to the BOVPN virtual interface.
If the MPLS link becomes available again, or if metrics no longer exceed the values you specified:
- The MPLS interface becomes the preferred interface again.
- If you selected the Immediate Failback option in the SD-WAN action, all VoIP traffic immediately fails back to the MPLS interface.
Configuration
In our example, we assume both sites initiate VoIP traffic. For example, VoIP devices at Site A initiate traffic to Site B. At Site B, VoIP devices initiate traffic to Site A. On your network, only one site might initiate traffic.
On the Firebox at Site A and the firewall at Site B, configure these interfaces:
- An internal interface configured for the MPLS link
- A BOVPN virtual interface (VIF) tunnel to the remote site
Site A Firebox
Configure an internal interface for the MPLS connection. In our example, this interface is named MPLS.to.SiteB.
Configure a BOVPN virtual interface tunnel to the remote site. In our example, the interface name is BovpnVif.to.SiteB.
In the BOVPN virtual interface settings, you must configure virtual IP addresses. You cannot add the BOVPN virtual interface to Link Monitor unless you configure virtual IP addresses. You can specify any virtual IP addresses that do not conflict with IP addresses already on your network.
After you configure the MPLS.to.SiteB and BovpnVif.to.SiteB interfaces, you must add those interfaces to Link Monitor.
In the Link Monitor settings for the MPLS.to.SiteB interface:
- We recommend that you specify a next hop IP address. In our example, we specify 10.0.2.2, which is the local side of the MPLS router. The next hop tells the Firebox where to route SD-WAN traffic that uses this interface. If you do not specify a next hop, you must add a static route on the Network > Routes page. For more information, go to the Static Routes section.
- Add a Link Monitor target to a host at the remote site. In our example, the Link Monitor target is the MPLS interface on the Site B firewall. The IP address is 10.50.2.1.
When you add a BOVPN virtual interface to Link Monitor, the Firebox automatically adds a ping target to the IP address of the peer. You cannot edit or remove this target.
After you configure Link Monitor targets, add an SD-WAN action. In the action, you add interfaces, configure metrics, and select a failback option. In Fireware v12.8 or higher, you must also select the method. In our example, we select the Failover method. In Fireware v12.7.2 or lower, Failover is the only method.
In our example, we add the MPLS.to.SiteB and BovpnVif.to.SiteB interfaces to an SD-WAN Failover action named SDWAN.action.MPLS-VIF.
To route traffic based on metrics, you must select one or more of these metrics:
- Loss
- Latency
- Jitter
In our example, we keep the default selections and values. In Fireware v12.5.4 or higher, the default values are:
- Loss rate: 5%
- Latency: 400 ms
- Jitter: 100 ms
To determine which metrics and values to configure, we recommend that you consult your VoIP vendor. We provide these general guidelines, but you might have to configure different metrics and values on your network:
SD-WAN Measure | Good | Performance Impacted | Performance Significantly Impacted | Effectively Down |
---|---|---|---|---|
Loss | <1% | 1–2% | 2–5% | >5% |
Latency | <100ms | 100–200ms | 200–400ms | >400ms |
Jitter | <20ms | 20–50ms | 50–100ms | >100ms |
Next, specify a failback option. If you want connections to always fail back to the MPLS interface, select Immediate Failback. Otherwise, select No Failback. For VoIP traffic, we recommend that you do not select Gradual Failback.
If you configure SD-WAN on Fireboxes at both sites, the SD-WAN actions must match. For example, if you select Jitter on the Site A Firebox and specify 15 ms, you must also select Jitter on the Site B Firebox and specify 15 ms.
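The selection logic described above (primary interface preferred, failover when a metric exceeds its value, Immediate Failback or No Failback on recovery), as an added example that is not WatchGuard code. It assumes a simplified model in which an interface is usable when Link Monitor reports it up and none of the selected metrics exceeds its configured value; Gradual Failback is not modelled.

```python
"""Simplified model of an SD-WAN Failover action (added example, not Fireware code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Default metric values for Fireware v12.5.4 or higher, as quoted on the page.
DEFAULT_THRESHOLDS = {"loss": 5.0, "latency": 400.0, "jitter": 100.0}


@dataclass
class LinkStatus:
    """Link Monitor result for one interface (constructed sample data)."""
    up: bool
    loss: float      # percent
    latency: float   # ms
    jitter: float    # ms


@dataclass
class SdwanAction:
    name: str
    interfaces: List[str]                 # ordered: first entry is the primary
    metrics: Dict[str, float] = field(default_factory=lambda: dict(DEFAULT_THRESHOLDS))
    immediate_failback: bool = True       # False models the No Failback option


def link_usable(status: LinkStatus, thresholds: Dict[str, float]) -> bool:
    """Usable when the link is up and no selected metric exceeds its value."""
    if not status.up:
        return False
    return all(getattr(status, m) <= limit for m, limit in thresholds.items())


def select_interface(action: SdwanAction, links: Dict[str, LinkStatus],
                     current: Optional[str]) -> Optional[str]:
    """Return the interface the Failover action routes new VoIP traffic over."""
    usable = [i for i in action.interfaces if link_usable(links[i], action.metrics)]
    if not usable:
        return None                       # nothing left to fail over to
    if current in usable and not action.immediate_failback:
        return current                    # No Failback: stay on the backup
    return usable[0]                      # primary preferred whenever usable


if __name__ == "__main__":
    action = SdwanAction("SDWAN.action.MPLS-VIF", ["MPLS.to.SiteB", "BovpnVif.to.SiteB"])
    links = {"MPLS.to.SiteB": LinkStatus(True, 0.5, 80, 120),    # jitter over 100 ms
             "BovpnVif.to.SiteB": LinkStatus(True, 0.2, 60, 15)}
    print(select_interface(action, links, "MPLS.to.SiteB"))      # BovpnVif.to.SiteB
```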
Configure a policy that allows outbound VoIP connections from the local network at Site A, 10.0.1.0/24, to the local network at Site B, 10.0.50.0/24.
To determine which ports to include in the policy, see the documentation from your VoIP provider. In our example, the SIP-ALG policy allows outbound UDP and TCP on port 5060.
In the policy, select the SD-WAN action that you created. The SD-WAN action routes the traffic over the MPLS link.
If Site B initiates VoIP traffic to Site A, configure another policy on the Site A Firebox to allow that inbound traffic. For example, configure a SIP-ALG policy to allow VoIP traffic from the local network at Site B, 10.0.50.0/24, to the local network at Site A, 10.0.1.0/24. You do not have to specify an SD-WAN action in this policy.
Different factors determine whether static routes are recommended or required:
- Sites that initiate traffic — If both sites have Fireboxes configured with SD-WAN actions, you do not have to add a static route in most cases on a Firebox that initiates traffic.
- Sites that receive traffic — We recommend that you add static routes on a Firebox at a site that receives traffic. The Firebox uses the static route to send reply traffic back to the site that initiated the traffic.
In our example, both sites initiate VoIP traffic. On your network, if Site B does not initiate VoIP traffic to Site A, you do not have to add a static route on the Firebox at Site A.
You must add a static route if you did not specify a next hop IP address for an internal interface. If a valid route does not exist, the Firebox drops the traffic.
Static route configuration
In our example, VoIP devices at Site B also initiate traffic to Site A. To route reply traffic back to Site B, we recommend that you add static routes on the Site A Firebox. In our example, we add these static routes:
10.0.50.0/24 via MPLS.to.SiteB distance 1
10.0.50.0/24 via bvpn1 distance 50
Because the MPLS interface has a lower route distance, it is the preferred interface in the route table. However, the SD-WAN interface priority takes precedence over the route table distances. For example, if the MPLS interface is listed first in the SD-WAN action, it is the primary interface. It is also the preferred interface if it is available and its performance metrics do not exceed the values you specified.
In Fireware v12.9 or higher, the Distance setting replaces the Metric setting.
IP Spoof Protection (Fireware v12.9 or higher)
In Fireware v12.9 or higher, the IP spoof verification process is simplified. For more information, go to About Spoofing Attacks.
IP Spoof Protection (Fireware v12.8.x or lower)
If you enable the global Drop Spoofing Attacks setting, the Firebox monitors inbound traffic on internal and external interfaces for IP spoof attacks. When inbound traffic arrives, the Firebox determines the source IP address and interface. The Firebox uses the source IP address to look up the route table and checks whether the interface in the routing results matches the inbound interface.
For internal interfaces, if it does not match, the Firebox considers the inbound traffic to be an IP spoof attack. The Firebox drops the inbound traffic. For example, the SD-WAN action sends traffic from Site B to Site A over the MPLS link. However, because the distance (metric) for the MPLS link is higher than the distance (metric) for the BOVPN virtual interface, the route selection for reply traffic does not match the interface used by inbound traffic:
10.0.50.0/24 via MPLS.to.SiteB distance 50
10.0.50.0/24 via bvpn1 distance 1
In this case, the Firebox initiates IP spoof protection and does not send reply traffic back to Site B.
If the Firebox determines the traffic is not an IP spoof attack, the Firebox sends reply traffic through the same interface as the inbound interface.
IP spoof protection applies to internal and external interfaces, but it does not apply to BOVPN virtual interfaces. In our example:
- If SD-WAN initiates traffic from Site B to Site A over the MPLS link, and the preferred route in the Site A routing table is the BOVPN virtual interface, the Firebox triggers IP spoof protection.
- If SD-WAN initiates traffic from Site B to Site A over the MPLS link, and the preferred route in the Site A routing table is the MPLS link, the Firebox triggers IP spoof protection.
- If SD-WAN initiates traffic from Site B to Site A over the BOVPN virtual interface link, and the preferred route is the MPLS link, the Firebox does not trigger IP spoof protection.
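The reverse-path check described above for Fireware v12.8.x or lower, as an added example that is not WatchGuard code. It models the check as the page describes it (source IP looked up in the route table, lowest distance wins, mismatch on an internal interface is dropped, BOVPN virtual interfaces exempt) and uses the page's example routes; the interface name bvpn1 is taken from the page's route lines.

```python
"""Model of Firebox IP spoof protection (v12.8.x or lower); added example, not Fireware code."""
import ipaddress
from typing import List, Optional, Tuple

# (destination prefix, outgoing interface, distance)
Route = Tuple[str, str, int]


def lookup_route(routes: List[Route], ip: str) -> Optional[str]:
    """Route table lookup: longest prefix first, then lowest distance."""
    addr = ipaddress.ip_address(ip)
    matches = [(ipaddress.ip_network(p), iface, dist) for p, iface, dist in routes
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    matches.sort(key=lambda m: (-m[0].prefixlen, m[2]))
    return matches[0][1]


def spoof_check(routes: List[Route], src_ip: str, inbound_iface: str,
                bovpn_vifs: List[str]) -> str:
    """Return 'drop' when the packet is treated as a spoof, else the reply interface."""
    if inbound_iface in bovpn_vifs:
        return inbound_iface        # spoof protection does not apply to BOVPN VIFs
    expected = lookup_route(routes, src_ip)
    if expected != inbound_iface:
        return "drop"               # route for the source does not match inbound interface
    return inbound_iface            # reply traffic leaves via the inbound interface


# Routes from the page: the recommended set and the misconfigured set.
RECOMMENDED = [("10.0.50.0/24", "MPLS.to.SiteB", 1), ("10.0.50.0/24", "bvpn1", 50)]
MISCONFIGURED = [("10.0.50.0/24", "MPLS.to.SiteB", 50), ("10.0.50.0/24", "bvpn1", 1)]

if __name__ == "__main__":
    # Constructed sample: a Site B VoIP device (10.0.50.10) arriving over the MPLS link.
    print(spoof_check(MISCONFIGURED, "10.0.50.10", "MPLS.to.SiteB", ["bvpn1"]))  # drop
    print(spoof_check(RECOMMENDED, "10.0.50.10", "MPLS.to.SiteB", ["bvpn1"]))    # MPLS.to.SiteB
```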
Site B Firewall (Firebox or Third-Party Device)
The device at Site B can be a Firebox or a third-party device. In our example, we show a Firebox configuration.
Configure an internal interface for the MPLS connection. In our example, the interface name is MPLS.to.SiteA.
Configure a BOVPN virtual interface tunnel to the remote site. In our example, the interface name is BovpnVif.to.SiteA.
In the BOVPN virtual interface settings, you must configure virtual IP addresses. You cannot add the BOVPN virtual interface to Link Monitor unless you configure virtual IP addresses. You can specify any virtual IP addresses that do not conflict with IP addresses already on your network.
After you configure the MPLS.to.SiteA and BovpnVif.to.SiteA interfaces, you must add those interfaces to Link Monitor.
When you add a BOVPN virtual interface to Link Monitor, the Firebox automatically adds a ping target to the IP address of the peer. You cannot edit or remove this target.
In the Link Monitor settings for the MPLS.to.SiteA interface:
- We recommend that you specify a next hop IP address. In our example, we specify 10.50.2.2, which is the local side of the MPLS router. The next hop tells the Firebox where to route SD-WAN traffic that uses this interface. If you do not specify a next hop, you must add a static route on the Network > Routes page. For more information, go to the Static Routes section.
- Add a Link Monitor target to equipment at the remote site. In our example, the Link Monitor target is the MPLS interface on the Site A Firebox. The IP address is 10.0.2.1.
If the Site B device is a Firebox, and Site B initiates VoIP traffic to Site A, you can configure metric-based SD-WAN at Site B.
In our example, we:
- Add an SD-WAN action named SDWAN.action.MPLS-VIF.
- Add the MPLS.to.SiteA and BovpnVif.to.SiteA interfaces to the action.
- Keep the default metrics and values.
- Select Immediate Failback.
If you configure SD-WAN on Fireboxes at both sites, the SD-WAN actions must match. For example, if you select Jitter on the Site A Firebox and specify 15 ms, you must also select Jitter on the Site B Firebox and specify 15 ms.
Configure a policy to allow inbound VoIP traffic from the local network at Site A, 10.0.1.0/24, to the local network at Site B, 10.0.50.0/24. You do not have to specify an SD-WAN action in this policy.
If Site B initiates VoIP traffic to Site A, configure another policy on the Site B Firebox to route that outbound traffic with SD-WAN. For example, configure a SIP-ALG policy to allow VoIP traffic from the local network at Site B, 10.0.50.0/24, to the local network at Site A, 10.0.1.0/24. On the SD-WAN tab in the policy, select the SD-WAN action that you created.
In our example, VoIP devices at Site A initiate traffic to Site B. To route reply traffic back to Site A, we recommend that you add static routes on the Site B Firebox. In our example, we add these static routes:
10.0.1.0/24 via MPLS.to.SiteB distance 1
10.0.1.0/24 via bvpn1 distance 50
For detailed information about static routes and IP spoof protection, go to the Static Routes information for Site A.
SD-WAN Monitoring, Status, and Manual Failback (Firebox System Manager)