Query:
How do I figure out why my traffic is using Broadband instead of MPLS?
Solution:
This article provides a solution to one of the most commonly reported issues: traffic not using the expected path.
Let's resolve this issue with the help of this example, where:
- There are two transport paths (MPLS and Broadband) available between Branch101 and Branch102.
- All business critical traffic is assigned to the forwarding class, fc_af, using an application QoS policy. It is configured to prefer MPLS using an SDWAN policy unless the latency exceeds 100ms or loss exceeds 5%, and
- All non-business critical site to site traffic is assigned to the forwarding class, fc_be. It is configured to use broadband unless it goes down.
Use this application QoS policy configuration:
admin@vcsn2-cli(config)% show orgs org-services Customer2 class-of-service qos-profiles
qp-business {
    forwarding-class fc_af;
    loss-priority low;
}
qp-non-business {
    forwarding-class fc_be;
    loss-priority low;
}
admin@vcsn2-cli(config)% show orgs org-services Customer2 class-of-service app-qos-policies
aqp1 {
    rules {
        business {
            match {
                application {
                    predefined-application-list [ FTP FTP_DATA HTTP ];
                }
            }
            set {
                qos-profile qp-business;
            }
        }
        non-business {
            set {
                qos-profile qp-non-business;
            }
        }
    }
}
Use this SDWAN policy configuration:
admin@vcsn2-cli(config)% show orgs org-services Customer2 sd-wan sla-profiles
sla-business {
    latency 100;
    loss-percentage 5;
}
admin@vcsn2-cli(config)% show orgs org-services Customer2 sd-wan forwarding-profiles
fp-business {
    sla-profile sla-business;
    circuit-priorities {
        priority 1 {
            circuit-names {
                local [ MPLS ];
            }
        }
        priority 2 {
            circuit-names {
                local [ Broadband ];
            }
        }
    }
    evaluate-continuously enable;
    recompute-timer 20;
}
fp-non-business {
    circuit-priorities {
        priority 1 {
            circuit-names {
                local [ Broadband ];
            }
        }
        priority 2 {
            circuit-names {
                local [ MPLS ];
            }
        }
    }
}
admin@vcsn2-cli(config)% show orgs org-services Customer2 sd-wan policies
p1 {
    rules {
        rule-business {
            match {
                application {
                    predefined-application-list [ FTP FTP_DATA HTTP ];
                }
            }
            set {
                forwarding-profile fp-business;
            }
        }
        rule-non-business {
            match {
                application {
                    predefined-application-list [ IPERF ];
                }
            }
            set {
                forwarding-profile fp-non-business;
            }
        }
    }
}
Follow these steps to determine whether specific traffic is using the expected path. If it is not using the expected path, you can identify the reasons.
1. Run the run show orgs org-services <customer-name> sd-wan policies <policy name> rules statistics local-circuit rule-business CLI command to check the path that is currently used for business critical traffic.
Example
admin@vcsn2-cli(config)% run show orgs org-services Customer2 sd-wan policies p1 rules statistics local-circuit rule-business
                                          TX      TX      RX      RX
                        LOCAL      HIT    PKTS    BYTES   PKTS    BYTES
NAME                    CIRCUIT    COUNT  TUNNEL  TUNNEL  TUNNEL  TUNNEL
------------------------------------------------------------------------
rule-business-critical  Broadband  10     100     102400  80      81920
                        MPLS       16     50      51200   40      40960
2. If the traffic is not using the expected path, look for some sample HTTP sessions and check the path they are using. Also check whether they are mapped to the correct SDWAN rule.
- Run the request orgs org <org-name> filter-add filter-name filter_http predefined-application HTTP CLI command to create a filter to list all HTTP sessions.
Example
admin@vcsn2-cli> request orgs org Customer2 filter-add filter-name filter_http predefined-application HTTP
result [Org: Customer2] Filter filter_http added successfully
[ok][2017-06-12 10:40:50]
- Run the show orgs org Customer2 sessions filter filter_http extensive CLI command to list the extensive information about HTTP sessions.
Example
admin@vcsn2-cli> show orgs org Customer2 sessions filter filter_http extensive
extensive 0 2 5
source-ip 192.168.40.3
destination-ip 192.168.42.3
source-port 60986
destination-port 80
protocol 6
natted No
sdwan Yes
application http
forward-pkt-count 53934
forward-byte-count 2804693
reverse-pkt-count 357580
reverse-byte-count 477714911
dropped-forward-pkt-count 0
dropped-forward-byte-count 0
dropped-reverse-pkt-count 0
dropped-reverse-byte-count 0
session-age 00:00:55
idle-for 00:00:31
idle-timeout 32
pbf-enabled false
forward-egress-vrf lan-vrf2
reverse-egress-vrf lan-vrf2
session-provider-zone 0
forward-offload false
reverse-offload false
forward-ingress-interface vni-0/1.0
forward-egress-interface ptvi-0/69
reverse-ingress-interface ptvi-0/69
reverse-egress-interface vni-0/1.0
forward-fc fc_af
reverse-fc fc_af
forward-plp low
reverse-plp low
rx-wan-ckt b1-w1:h1-w1
tx-wan-ckt b1-w1:h1-w1
tx-branch -
pbf-wan-ackt-enc (P,E)
forward-ingress-ckt vni-0/1.0
forward-egress-branch Branch102
forward-egress-ckt Broadband:Broadband
reverse-ingress-branch Branch102
reverse-ingress-ckt Broadband:Broadband
reverse-egress-ckt vni-0/1.0
sdwan-rule-name rule-business
[ok][2017-06-12 10:43:13]
Note: In the output above,
- The HTTP session is using the forwarding class fc_af, and the sdwan rule "rule-business".
- The HTTP session uses the Broadband path to and from Branch102, whereas we expect it to use MPLS.
3. Run the show orgs org <org-name> sd-wan sla-monitor path status CLI command to check the status of the MPLS path (it must be enabled). Also check if it was flapping:
Example
admin@vcsn2-cli> show orgs org Customer2 sd-wan sla-monitor path status
                                                              LOCAL  REMOTE
                LOCAL                   LOCAL      REMOTE     WAN    WAN
PATH     FWD    SITE       REMOTE SITE  WAN        WAN        LINK   LINK    ADAPTIVE    CONN          LAST
HANDLE   CLASS  NAME       NAME         LINK       LINK       ID     ID      MONITORING  STATE  FLAPS  FLAPPED
---------------------------------------------------------------------------------------------------------------
6689024  fc_af  Branch101  Branch102    Broadband  Broadband  1      1       disable     up     1      03:52:26
6689028  fc_be  Branch101  Branch102    Broadband  Broadband  1      1       disable     up     1      03:52:26
6689032  fc_af  Branch101  Branch102    MPLS       MPLS       1      1       disable     up     1      03:52:26
6689036  fc_be  Branch101  Branch102    MPLS       MPLS       1      1       disable     up     1      03:52:26
1052928  fc_af  Branch101  controller1  Broadband  Broadband  1      1       disable     up     1      3:52:26
1052932  fc_be  Branch101  controller1  Broadband  Broadband  1      1       disable     up     1      3:52:26
1052936  fc_af  Branch101  controller1  MPLS       MPLS       1      1       disable     up     1      3:52:26
1052940  fc_be  Branch101  controller1  MPLS       MPLS       1      1       disable     up     1      3:52:27
4. Run the run show orgs org-services <org-name> sd-wan policies <policy-name> rules path-state detail rule-business-critical Branch2 CLI command to check the state of path towards Branch102 for rule-business:
Example
admin@vcsn2-cli(config)% run show orgs org-services Customer2 sd-wan policies p1 rules path-state detail rule-business-critical Branch2
                                                                                          TWO    FWD    REV
REMOTE                                    LOCAL      REMOTE     FORWARDING                WAY    DELAY  DELAY  FWD LOSS    REV LOSS    PDU LOSS    CIRCUIT RX   CIRCUIT TX
BRANCH  FORWARDING PROFILE  SLA PROFILE   CIRCUIT    CIRCUIT    CLASS       PRIORITY      DELAY  VAR    VAR    PERCENTAGE  PERCENTAGE  PERCENTAGE  UTILIZATION  UTILIZATION
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Branch2 fp-business         sla-business  Broadband  Broadband  fc_af       2             75     12     3      0.00        0.00        0.00        -
                                          Broadband  Broadband  fc_be       2             89     21     7      0.00        0.00        0.00        -
                                          MPLS       MPLS       fc_af       SLA Violated  128    5      9      0.00        0.00        0.00        -
                                          MPLS       MPLS       fc_be       SLA Violated  189    12     2      0.00        0.00        0.00        -
In the above output:
- The MPLS path is out of compliance for the forwarding class fc_af because its latency (128ms) exceeds the 100ms threshold specified in the sla-business SLA profile, so the path is demoted to the "SLA Violated" priority.
- The Broadband path is in compliance with the SLA and is currently used.
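
The selection logic walked through above can be reproduced offline to explain a path choice. This is an added example, not code from the article or from the vendor: it is a simplified model in Python, the names Path and explain_selection are hypothetical, and the fallback used when every path violates the SLA is an assumption. The thresholds, priorities and delay values are the ones shown in the outputs above.

```python
from dataclasses import dataclass

@dataclass
class Path:
    circuit: str      # local circuit name, e.g. "MPLS"
    up: bool          # CONN STATE column of "sla-monitor path status"
    delay_ms: float   # TWO WAY DELAY column of "path-state detail"
    loss_pct: float   # assumption: worst of the FWD/REV/PDU loss columns

def explain_selection(priorities, sla, paths):
    """Model one forwarding profile; return (chosen_circuit, reasons).

    priorities: circuit names in configured order, priority 1 first.
    sla: {"latency": ms, "loss-percentage": pct}, or None if no sla-profile.
    """
    by_name = {p.circuit: p for p in paths}
    compliant, violated, reasons = [], [], []
    for rank, name in enumerate(priorities, start=1):
        p = by_name.get(name)
        if p is None or not p.up:
            reasons.append(f"{name}: down or not monitored, skipped")
            continue
        broken = []
        if sla and p.delay_ms > sla["latency"]:
            broken.append(f"latency {p.delay_ms:g}ms > {sla['latency']}ms")
        if sla and p.loss_pct > sla["loss-percentage"]:
            broken.append(f"loss {p.loss_pct:g}% > {sla['loss-percentage']}%")
        if broken:
            violated.append(name)
            reasons.append(f"{name}: SLA Violated ({'; '.join(broken)})")
        else:
            compliant.append(name)
            reasons.append(f"{name}: priority {rank}, SLA met")
    # Assumption: if no up path meets the SLA, use the best-ranked violated one.
    chosen = (compliant or violated or [None])[0]
    return chosen, reasons

# Values copied from the configuration and path-state output above.
SLA_BUSINESS = {"latency": 100, "loss-percentage": 5}
FP_BUSINESS = ["MPLS", "Broadband"]
FP_NON_BUSINESS = ["Broadband", "MPLS"]   # no sla-profile configured
FC_AF = [Path("Broadband", True, 75, 0.0), Path("MPLS", True, 128, 0.0)]
FC_BE = [Path("Broadband", True, 89, 0.0), Path("MPLS", True, 189, 0.0)]

if __name__ == "__main__":
    for name, prio, sla, paths in (("fp-business", FP_BUSINESS, SLA_BUSINESS, FC_AF),
                                   ("fp-non-business", FP_NON_BUSINESS, None, FC_BE)):
        chosen, why = explain_selection(prio, sla, paths)
        print(f"{name} -> {chosen}")
        for line in why:
            print("   ", line)
```

With the measurements from the article, the model reports Broadband for fp-business and lists the MPLS latency violation as the reason.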