SD-WAN

The deployment is scenario as follows: -Non redundant WAN (Wan1 on router1; Wan2 on router2); thus the need for the ""dogleg"" -Redundant LAN -Integrated mgmt (mgmt over forwarding interfaces)Attached is a more detailed layout for the HA topology preferred. 

Attached is a diagram depicting this as well.

It doesn't match your sample diagram exactly (I didn't include management over forwarding interfaces), but I scrubbed a configuration we use for testing at HQ and added some descriptions to hopefully highlight the important parts.

 

Caveat: I did not actually test this configuration prior to posting it here, so if I was overzealous in my scrubbing I apologize in advance. Feel free to ask questions here if you want some clarifications.

Thank you, Patrick Timmons.

One detail I consider important is that a separate security policy from the default ""internal"" should be created and used for inter-node-security. Doing so ensures one never has to make changes to the default security policy for specifically handling inter-node security for HA routers.

 

Thomas Sullivan

128 Technology

I do have a setup you describe Adam Morris running release 3.2.2. Two straight cables, one for the forwarding plane (dog leg), the other - for HA Sync. LAN interface is redundant. WAN interfaces are not and hence do not share fate of LAN interfaces. Management (inbound and outbound) is configured to work over the WAN interfaces. Also looking into the near future, in release 3.2.3 we are going to be picking up native support for management over forwarding interfaces. This should simplify the configuration further of course. Moreover, in release 3.2.5/3.2.6 we should be getting HA Sync over forwarding plane. This will allow us to have only one straight cable connection for both HA Sync and the ""dog-leg"", thus reducing the number of physical interfaces required.