An SD-WAN appliance acts as a virtual gateway. It is neither a TCP endpoint nor a router. Like any gateway, its job is to buffer incoming packets and put them onto the outgoing link at the right speed. This packet forwarding can be done in different ways, such as inline mode, virtual inline mode, and WCCP mode (WANOP appliance only). Although these methods are called modes, you do not have to disable one forwarding mode to enable another. If your deployment supports more than one mode, the mode that the appliance uses is determined automatically by the Ethernet and IP format of each packet.
Because the appliance supports different forwarding modes and different kinds of non-forwarded connections, it needs a way of distinguishing one type of traffic from another. It does so by examining the destination IP address and destination Ethernet address (MAC address), as shown in the following table. For example, in inline mode, the appliance is acting as a bridge. Unlike other traffic, bridged packets are addressed to a system beyond the appliance, not to the appliance itself. The address fields contain neither the appliance’s IP address nor the appliance’s Ethernet MAC address.
In addition to pure forwarding modes, the appliance has to account for more types of connections, including management connections to the GUI and the heartbeat signal that passes between members of a high-availability pair. For completeness, these additional traffic modes are also listed in the table below.
Table 1. How MAC and IP Addresses determine the mode
| Destination IP Address | Destination MAC Address | Mode |
|---|---|---|
| Not appliance | Not appliance | Inline or Pass-through |
| Not appliance | Appliance | Virtual Inline or L2 WCCP |
| Appliance | Appliance | Direct (UI access) |
| Appliance (VIP) | Appliance | High-Availability. Proxy mode |
| Appliance (Signaling IP) | Appliance | Signaling Connection (SD-WAN plugin, Secure Peer) or Redirector Mode Connection (SD-WAN plugin) |
All modes can be active simultaneously. The mode used for a given packet is determined by its Ethernet (MAC) and IP headers.
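The following sketch applies Table 1 to raw frames, which can help when reading a packet capture to see which frames are addressed to the appliance's own services and which are merely forwarded. It is an added example, not the appliance's implementation; the MAC address, the three appliance IP addresses, and the names `classify` and `build_frame` are constructed for illustration, and it assumes Ethernet II framing with at most one 802.1Q tag.

```python
import struct
from ipaddress import IPv4Address

# Constructed appliance identity (assumed values for illustration only).
APPLIANCE_MAC = bytes.fromhex("020000aa0001")
OWN_IPS = {
    IPv4Address("192.0.2.10"): "Direct (UI access)",
    IPv4Address("192.0.2.11"): "High-Availability. Proxy mode",
    IPv4Address("192.0.2.12"): "Signaling Connection or Redirector Mode Connection",
}

def classify(frame: bytes) -> str:
    """Map a raw Ethernet II frame to a Table 1 row by destination MAC and IP."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst_mac = frame[0:6]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    if ethertype == 0x8100:  # one 802.1Q tag: real EtherType follows the 4-byte tag
        if len(frame) < 18:
            raise ValueError("truncated VLAN tag")
        (ethertype,) = struct.unpack("!H", frame[16:18])
        offset = 18
    if ethertype != 0x0800:
        return "not IPv4 (outside Table 1)"
    if len(frame) < offset + 20:
        raise ValueError("truncated IPv4 header")
    dst_ip = IPv4Address(frame[offset + 16:offset + 20])
    to_mac = dst_mac == APPLIANCE_MAC
    if dst_ip in OWN_IPS:
        # Table 1 lists appliance IPs only together with the appliance MAC.
        return OWN_IPS[dst_ip] if to_mac else "appliance IP, foreign MAC (outside Table 1)"
    return "Virtual Inline or L2 WCCP" if to_mac else "Inline or Pass-through"

def build_frame(dst_mac: bytes, dst_ip: str, vlan: bool = False) -> bytes:
    """Build a constructed sample frame: Ethernet II + minimal IPv4 header."""
    tag = struct.pack("!HH", 0x8100, 100) if vlan else b""
    eth = dst_mac + bytes.fromhex("020000bb0002") + tag + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     IPv4Address("198.51.100.7").packed, IPv4Address(dst_ip).packed)
    return eth + ip

if __name__ == "__main__":
    other_mac = bytes.fromhex("020000cc0003")
    for mac, ip in [(other_mac, "203.0.113.5"), (APPLIANCE_MAC, "203.0.113.5"),
                    (APPLIANCE_MAC, "192.0.2.10"), (APPLIANCE_MAC, "192.0.2.12")]:
        print(mac.hex(), ip, "->", classify(build_frame(mac, ip)))
```

Destination addresses alone cannot separate the modes that share a row, such as virtual inline and L2 WCCP, so the function returns the row label as the table gives it.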
The forwarding modes are:
- Inline mode, in which the appliance transparently accelerates traffic flowing between its two Ethernet ports. In this mode, the appliance appears (to the rest of the network) to be an Ethernet bridge. Inline mode is recommended, because it requires the least configuration.
- Virtual inline mode, in which a router sends WAN traffic to the appliance and the appliance returns it to the router. In this mode, the appliance appears to be a router, but it uses no routing tables. It sends the return traffic to the real router. Virtual inline mode is recommended when inline mode and high-speed WCCP operation are not practical.
- High availability mode, which allows two appliances to operate as an active/standby high availability pair. If the primary appliance fails, the secondary appliance takes over.
More traffic types are listed here for completeness:
- Pass-through traffic refers to any traffic that the appliance does not attempt to accelerate. It is a traffic category, not a forwarding mode.
- Direct access, where the appliance acts as an ordinary server or client. The GUI and CLI are examples of direct access, using the HTTP, HTTPS, SSH, or SFTP protocols. Direct access traffic can also include the NTP and SNMP protocols.
- Appliance-to-appliance communication, which can include signaling connections (used in secure peering and by the SD-WAN plugin), VRRP heartbeats (used in high-availability mode), and encrypted GRE tunnels (used by group mode).
- Deprecated modes. Proxy mode and redirector mode are legacy forwarding modes that should not be used in new installations.