SD-WAN PERMISSIONS, MONITORING & CONFIGURATION FOR WINDSTREAM SD-WAN
Administrator User Guide
Table of Contents

SD-WAN Network Management Tool in Windstream Online (WOL)

SD-WAN Permissions
1.1 SD-WAN Permission Levels
1.2 Permission Level Notifications
1.3 Confirmation of Configuration Changes

SD-WAN Monitor
2.1 Monitoring Overview
2.2 Monitoring Quality of Experience (QoE)
2.3 Monitoring Transport
2.4 Monitoring Applications
2.5 Monitoring Sources
2.6 Monitoring Destinations
2.7 Monitoring Business Priority

SD-WAN Configuration
3.1 Configure Edges Overview
3.2 Configure Edges Device
3.3 Configure Edges Business Policy
3.4 Configure Edges Firewall
3.5 Configure Profile Overview
3.6 Configure Profile Device
3.7 Configure Profile Business Policy
3.8 Configure Profile Firewall
3.9 Configure Network
3.10 Configure Network Services
NEED HELP? CONTACT SUPPORT: [email protected] / community.broadviewnet.com
SD-WAN PERMISSIONS
1.1 SETTING SD-WAN PERMISSION LEVELS
An Administrator grants SD-WAN permissions to other users in their company via the "Admin" area of the Windstream Online (WOL) portal. Under "Product & Service Tools" ("Allow this user to access the online tools to manage your Windstream services. You can provide access to only select tools by choosing 'Advanced'."), the SD-WAN entry offers four (4) levels of permission access:

LEVEL              AREA                SCOPE
None               -                   No SD-WAN access
View               SD-WAN Monitor      Read-only
                   SD-WAN Configure    Read-only
Manage (Limited)   SD-WAN Configure    Business Policy and Firewall only
Manage (All)       SD-WAN Configure    Full access to manage configuration settings

Note: These permission levels are not cumulative, so only those checked are applicable. The SD-WAN entry in the Admin area carries the same liability warning that is shown on the save-confirmation dialog (see 1.3).

1.2 PERMISSION LEVEL NOTIFICATIONS
Users are informed when they do not have the level of permission needed to make changes in a given area. The banner reads:
"Note: You do not have permission to save any changes on this page."

1.3 CONFIRMATION OF CONFIGURATION CHANGES
Before any change is saved, the portal asks for confirmation:
"Are you sure you want to save these configuration changes? [YES] [NO]
Configuration changes may cause, but are not limited to, service interruptions, networking issues, or security risks. Misconfigurations or service interruptions that result from Customer initiated configuration change are solely the responsibility of the Customer and are not covered as a part of the SD-WAN service level agreement."

Reminder: Administrators who are reluctant to make their own changes can always rely on the Windstream SD-WAN Concierge™ support team to implement changes.
SD-WAN MONITOR
2.1 MONITORING OVERVIEW
1. Overview displays information about your Edge WAN links, application bandwidth, and network usage for top operating systems, top categories, and the top sources. The Overview tab consists of two (2) areas: Link Status and Bandwidth Usage.
2. The Link Status area (WAN/LAN) is updated in real-time and displays a list of your links and their data (Cloud and VPN status, Interface, and Throughput Capacity). Cloud Status and VPN Status can display the following statuses: Green=Active, Yellow=Degraded, Red=Offline/Disconnected, Grey=Not Enabled. The Link Status area can also display the status of Backup links depending upon the WAN settings.
[Screenshot: Monitor > Overview, Site 01, Past 60 Minutes. Link Status table columns: Link, Interface (WAN Type), Name, Volume, Throughput | Bandwidth (up/down), Latency (up/down), Jitter (up/down), Packet Loss (up/down), Status; sample links AT&T U-verse on INTERNET 2 (ETHERNET) and Verizon Wireless on INTERNET 3 (ETHERNET). Bandwidth Usage panels: Top Applications, Top Categories, Top Operating Systems, Top Sources. Tabs: Overview, QoE, Transport, Applications, Sources, Destinations, Business Priority.]
3. The Bandwidth Usage area displays your top applications, categories, operating systems and sources along with their volume over a historical period of time. You can change the time frame from the Time Duration drop-down menu. Clicking one of the arrow icons drills down into the details for that usage category.
4. The Top Applications area displays historical usage data for top applications and is connected to the Applications tab. To open the Applications tab, click the View Details arrow on the right side.
5. The Top Categories area displays categories as a color-coded pie chart with a corresponding legend. It is also connected to the Applications tab; click the View Details arrow on the right side to open it.
6. The Top Operating Systems area displays top operating systems as a bar graph. Hover over a bar to display usage data for that system. This area is connected to the Sources tab; click the View Details arrow on the right side to open it.
7. The Top Sources section of the Bandwidth Usage area displays top sources as a bar graph. It is also connected to the Sources tab; click the View Details arrow on the right side to open it.
2.2 MONITORING QUALITY OF EXPERIENCE (QOE)
1. The SD-WAN Quality of Experience (QoE) tab shows the SD-WAN Quality Score (SQS) for different applications. The SQS rates the quality of experience that the network can deliver for an application over a period of time.
2. There are three different traffic types that you can monitor (Voice, Video, and Transactional) in the QoE tab. You can hover over a WAN network link, or the aggregate link provided by the SD-WAN to display a summary of Latency, Jitter, and Packet Loss.
[Screenshot: Monitor > QoE, Site 01, Past 60 Minutes, traffic type Voice. Before/After "Network Enhancements" chart with QoE Score 9.98; hover detail on a link reads "9.61, Thurs Aug 17 2016 13:05, Latency Fair, Jitter Good, Packet Loss Good, Downstream latency reported at 26 msec."]
3. The SD-WAN Quality Score (SQS) rates an application’s quality of experience that a network can deliver for a given time frame. Some examples of applications are: video, voice, and transactional. QoE rating options are shown in the table below.
4. Link Steering and Remediation enables dynamic, application aware per-packet link steering that is performed automatically based on the business priority of the application, embedded knowledge of network requirements of the application, and the real-time capacity and performance of each link. On-demand mitigation of individual link degradation through forward error correction, jitter buffering and negative acknowledgment proxy also protects the performance of priority and network sensitive applications. Both the dynamic per-packet link steering and on-demand mitigation combine to deliver robust, sub-second blackout and even brownout protection to improve application availability, performance and end user experience.
RATING COLOR   RATING OPTION   DEFINITION
Green          Good            All metrics are better than the objective thresholds. Application performance at or above SLA.
Yellow         Fair            Some or all metrics are between the objective and maximum values. Application performance may be impacted.
Red            Poor            Some or all metrics have reached or exceeded the maximum value. Application performance may be impacted.

2.3 MONITORING TRANSPORT
[Screenshot: Monitor > Transport, Site 01, Past 60 Minutes, Downstream, Bps. Chart: Average Throughput by link (AT&T U-verse, Verizon Wireless) with a Link Stats drop-down. Table columns: Cloud Status, Name, Interface (WAN Type), Total Bytes, Downstream (bps), Upstream (bps), VPN Status. Download as Excel (.csv).]
1. The Transport tab provides an overview of the bandwidth used across all of the WAN links. For any period of time including historical timeframes, you can view which Link or Transport Group was used for the traffic and how much data was sent. You can filter on the data by drilling down into various utilization types.
2. Using the chart tools you can easily zoom into any subset of data within the chart by clicking in the chart and holding down the mouse button while scrolling the area you wish to zoom into. Pin mode allows you to compare non-adjacent data sets. Just select the pin mode in the chart above, select a range and then drag it across the chart to compare it with the data anywhere else on the chart.
3. Using the interactive legend, you can selectively turn data plots individually on/off by clicking a data series to hide it and focus on the other series in the chart.
4. The Cloud Status represents the ability of the Edge device to communicate with the gateway over the Internet cloud. The status values for both Cloud and VPN are: green = connected, red = disabled, gray = unavailable.
5. The options in the Link Stats drop-down menu are described in the table below.
LINK STAT ITEM   DEFINITION
Bandwidth        This parameter denotes the desired bandwidth allocation in Mbps for each flow. Based on these parameters, the total capacity is allocated in proportion to the bandwidth values of the various flows.
Jitter           Jitter is calculated using the RFC 3550 formula for jitter that is used by RTP. Jitter metrics are measured between the Edge device and the SD-WAN core gateway; high jitter may impact application performance.
Latency          For each packet, latency is measured by subtracting the network send time (the packet is time-stamped immediately before being sent) from the network receive time (the packet is time-stamped immediately after being received).
Packet Loss      A packet is counted as lost when a path sequence number is missed and does not arrive within the re-sequencing window. A "very late" packet is counted as a lost packet in this regard.
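The three definitions above, together with the Good/Fair/Poor scheme from the QoE rating table, can be carried into code. The following Python example is added here and is not part of the Windstream or VeloCloud product: it replays a constructed probe trace in arrival order, computes per-packet latency, RFC 3550 interarrival jitter and re-sequencing-window loss exactly as the table defines them, and rates each metric against objective/maximum thresholds. The `Probe` record, the threshold values, the window size and the trace are assumptions for the demonstration; the product's real thresholds and the SQS formula are not given on this page.

```python
"""Link-quality metrics as defined on the Transport and QoE tabs.

Added example; not the Windstream/VeloCloud product's code. It shows how
the three Link Stat definitions feed a Good/Fair/Poor rating:
  - latency per probe  = receive timestamp - send timestamp
  - jitter             = RFC 3550 interarrival jitter, J += (|D| - J) / 16
  - packet loss        = sequence numbers that never arrive inside the
                         re-sequencing window; a "very late" packet stays lost
Thresholds, the window size and the probe trace are constructed for the demo.
"""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Probe:
    seq: int          # path sequence number
    send_ts: float    # ms, stamped immediately before the packet is sent
    recv_ts: float    # ms, stamped immediately after it is received


# Assumed (objective, maximum) per metric; ms for latency/jitter, percent for loss.
THRESHOLDS = {
    "latency_ms": (50.0, 150.0),
    "jitter_ms": (5.0, 20.0),
    "loss_pct": (0.5, 2.0),
}
RANK = {"Good": 0, "Fair": 1, "Poor": 2}


def rate(metric: str, value: float) -> str:
    """Good: better than the objective. Fair: between objective and maximum.
    Poor: reached or exceeded the maximum."""
    objective, maximum = THRESHOLDS[metric]
    if value < objective:
        return "Good"
    if value < maximum:
        return "Fair"
    return "Poor"


def classify_arrivals(probes, window=3):
    """Replay probes in arrival order; return (accepted, lost_seqs, expected).

    A sequence number is declared lost once a packet `window` or more
    positions ahead of it has arrived while it is still missing. If it
    shows up later it is "very late" and remains counted as lost.
    """
    accepted, lost, seen = [], set(), set()
    highest = -1
    for p in sorted(probes, key=lambda p: p.recv_ts):
        if p.seq in lost:
            continue                      # very late: already counted as lost
        seen.add(p.seq)
        accepted.append(p)
        highest = max(highest, p.seq)
        for s in range(0, highest - window + 1):   # s is >= window behind
            if s not in seen:
                lost.add(s)
    # End of trace: anything below the highest seen that never arrived.
    lost.update(s for s in range(highest + 1) if s not in seen)
    return accepted, lost, highest + 1


def rfc3550_jitter(accepted) -> float:
    """Interarrival jitter over packets in arrival order (RFC 3550 6.4.1)."""
    j = 0.0
    for prev, cur in zip(accepted, accepted[1:]):
        d = (cur.recv_ts - prev.recv_ts) - (cur.send_ts - prev.send_ts)
        j += (abs(d) - j) / 16
    return j


def link_summary(probes, window=3) -> dict:
    accepted, lost, expected = classify_arrivals(probes, window)
    metrics = {
        "latency_ms": mean(p.recv_ts - p.send_ts for p in accepted),
        "jitter_ms": rfc3550_jitter(accepted),
        "loss_pct": 100.0 * len(lost) / expected,
    }
    ratings = {m: rate(m, v) for m, v in metrics.items()}
    overall = max(ratings.values(), key=RANK.__getitem__)   # worst metric wins
    return {**metrics, "ratings": ratings, "overall": overall}


# Constructed trace: 20 ms send interval, ~20 ms one-way path, seq 3 never
# arrives, seq 5 arrives 220 ms late (after seq 9), i.e. outside the window.
SAMPLE_TRACE = [
    Probe(0, 0, 20), Probe(1, 20, 42), Probe(2, 40, 60), Probe(4, 80, 104),
    Probe(5, 100, 320), Probe(6, 120, 140), Probe(7, 140, 161),
    Probe(8, 160, 180), Probe(9, 180, 203),
]

if __name__ == "__main__":
    for key, value in link_summary(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```

On the sample trace the link rates Good for latency and jitter but Poor for loss (2 of 10 probes), so the overall rating is Poor even though the averages look healthy; that is why the QoE hover text reports each metric separately.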
2.4 MONITORING APPLICATIONS
[Screenshot: Monitor > Applications, Site 01, Past 60 Minutes, Bytes Received/Sent. Chart of daily bytes per application (Google, HTTP, HTTPS, LDAP, YouTube, Windows Live, Yahoo, Microsoft Office 365, Background Intelligent Transfer Service (BITS), VeloCloud Control). Table columns: Application, Total Bytes, Bytes Received, Bytes Sent, Category. "Top Applications by Bytes Received / Sent" dialog for VeloCloud Management: Top Destinations velocloud.net, Top Source Devices VeloCloud Edge.]
1. The Applications tab displays network usage information about your applications or your application categories. You can hover over a segment of the graph to display network usage data for that segment. You can also choose which type of data is displayed from the Data drop down menu (Bytes Received/Sent, Total Bytes, Total Packets, or Packets Received/Sent).
2. You can also click an application in the Applications column to open a dialog box, which displays the Top Destinations and Top Source Devices for the application.
3. Clicking on the arrow icon will take you to the associated page allowing you to drill down further into the data.
4. Chart tools: You can easily zoom into any subset of data within the chart by clicking in the chart and holding down the mouse button while scrolling the area you wish to zoom into. Pin mode allows you to compare non-adjacent data sets. Just select the pin mode in the chart above, select a range and then drag it across the chart to compare it with the data anywhere else on the chart.
5. Using the interactive legend, you can selectively turn data plots individually on/off by clicking a data series to hide it and focus on the other series in the chart.
2.5 MONITORING SOURCES
[Screenshot: Monitor > Sources, Site 01, Past 30 Minutes, Bytes Received/Sent by device. Table columns: Source (device name), Operating System, Type, Total Bytes, Bytes Received, Bytes Sent, IP Address. "Top Sources by Bytes Received / Sent" dialog for a selected device: Top Applications, Top Destinations. Active Edges Only toggle; Download as Excel (.csv).]
1. The Sources tab screen displays network usage data (operating system, device type) over a historical period of time. The data is displayed as two line graphs. You can change the data that is displayed in the graphs from the Data drop down menu (Bytes Received/Sent, Total Bytes, Total Packets, or Packets Received/Sent). You can also hover over a segment of the graph to display the source and its associated network usage.
2. You can also click a source in the Source column to open a dialog box that displays the Top Destinations and Top Applications for that source. Clicking the pencil icon next to a source device in the grid view lets you assign it a Friendly Name, renaming the device for in-portal reporting.
3. Clicking on the arrow icon will take you to the associated page allowing you to drill down further into the data.
4. Chart tools: You can easily zoom into any subset of data within the chart by clicking in the chart and holding down the mouse button while scrolling the area you wish to zoom into. Pin mode allows you to compare non-adjacent data sets. Just select the pin mode in the chart above, select a range and then drag it across the chart to compare it with the data anywhere else on the chart.
5. Using the interactive legend, you can selectively turn data plots individually on/off by clicking a data series to hide it and focus on the other series in the chart.
2.6 MONITORING DESTINATIONS
[Screenshot: Monitor > Destinations, Site 01, Past 30 Minutes, Bytes Received/Sent by domain. Table columns: Destination, Total Bytes, Bytes Received, Bytes Sent. "Top Destinations by Bytes Received / Sent" dialog for velocloud.net: Top Applications, Top Operating System.]
1. The Edge Destinations tab screen displays network usage data (operating system, device type) over a historical period of time by the destination of the network traffic. If you hover over a segment of the graph, the destination and its associated network usage displays. There are three destination types (Domain, FQDN, IP) located on the right side of the screen.
2. For each type (Domain, FQDN, and IP), clicking a destination in the Destination column opens the Top Destinations dialog box for that type. From it you can open the Applications and Sources tabs: click the arrows next to the Top Applications and Top Operating System sections respectively.
3. Clicking on the arrow icon will take you to the associated page allowing you to drill down further into the data.
4. Chart tools: You can easily zoom into any subset of data within the chart by clicking in the chart and holding down the mouse button while scrolling the area you wish to zoom into. Pin mode allows you to compare non-adjacent data sets. Just select the pin mode in the chart above, select a range and then drag it across the chart to compare it with the data anywhere else on the chart.
5. Using the interactive legend, you can selectively turn data plots individually on/off by clicking a data series to hide it and focus on the other series in the chart.
2.7 MONITORING BUSINESS PRIORITY
[Screenshot: Monitor > Business Priority, Site 01, Past 60 Minutes, Downstream. Chart: Average Throughput by priority (High, Normal, Low, Control). Table columns: Priority, Downstream (bps), Upstream (bps).]
1. The Business Priority tab page displays the priority (High, Normal, and Low) of the network traffic over a historical period of time. If you mouse over a segment of the graph, the Business Policy characteristics and its associated Network usage displays.
2. Chart tools: You can easily zoom into any subset of data within the chart by clicking in the chart and holding down the mouse button while scrolling the area you wish to zoom into. Pin mode allows you to compare non-adjacent data sets. Just select the pin mode in the chart above, select a range and then drag it across the chart to compare it with the data anywhere else on the chart.
3. Using the interactive legend, you can selectively turn data plots individually on/off by clicking a data series to hide it and focus on the other series in the chart.
4. Quality of Experience (QoE), resource allocation, link/path steering, and error correction are applied automatically based on business policies and application priorities. Traffic is orchestrated according to transport groups defined by private and public links, the policy definitions, and the link characteristics.
SD-WAN CONFIGURATION
3.1 CONFIGURE EDGES OVERVIEW
1. The color-coded icons link directly to the configuration areas for Device, Business Policy and Firewall. A "Gray" icon in one of the configuration columns indicates that all rules in place are based on the "Default Profile" settings; any other color means at least one rule override is in place.
2. The Edge device settings are inherited from the Profile selected for the Edge and can be simple if the network configuration defined in the profile is used without modification. Overrides can be made to Network and Network Service configuration as part of Edge configuration but should be used sparingly and for scenarios that are temporary.
[Screenshot: Configure > Edges. Table columns: Name, Profile, Status, Model, Serial Number, HA, Device, Biz. Pol, Firewall; Assign Profile button. Sample rows show activated Edge 500, Edge 1000 and Edge 340 devices assigned the Default Internet Network, Default VPN Network and VPN Network profiles.]
3.2 CONFIGURE EDGES DEVICE
[Screenshot: Configure > Edges > Device, Network: VPN Network. Panels: VLAN settings table (VLAN, Network, IP Address, Mgmt IP, Interfaces, DHCP, Actions) for VLANs 1 - Corporate, 3 - Management, 7 - Corp Office; Network Settings with High Availability toggle ("This option is not available when the LAN1 interface is set to 'Routed'"); Assignable VLANs (Corporate Network, Guest Network) and Management VLANs; Device Settings: Edge 500 with Interface Settings (Interface, Override, Mode, VLANs, Addressing, WAN Overlay, Actions) for LAN1-LAN4, INTERNET1, INTERNET2, SFP, USB1, WLAN1, Switch Port Settings / Routed Interface Settings and Add WiFi SSID; Static Route Settings (Subnet, Source IP, Next Hop, Interface, VLAN, Cost, Preferred, Advertise, Description); Wi-Fi Radio Settings (Radio Enabled, Country, Band 2.4 GHz / 5 GHz, Channel) with Enable Edge Override; DNS Settings (Private DNS, Public DNS) with Enable Edge Override.]
1. Network settings are inherited from the Profile selected for the Edge; the network definition itself can only be changed in that profile. Configuration overrides can, however, be made to some settings that were configured in the Network, Network Services, and Profile assigned to an Edge. In most cases an override must first be enabled before changes can be made. Overrides are available for Interfaces and DNS.
2. Edges can be installed as a single standalone device or paired with another Edge to provide High Availability (HA) support. HA can be achieved using L2 switches only or a combination of L2 and L3 switches. The HA configuration is only for wired WAN connections.
3. VLAN Settings can be chosen for your LAN interfaces. For each VLAN you set the Edge LAN IP address, the Edge Management IP address, and the CIDR prefix. You can also specify fixed IP addresses tied to specific MAC addresses. The LAN interfaces and the SSID of any Wi-Fi interfaces configured for this VLAN are listed. Finally, a block for configuring DHCP is shown: DHCP can be enabled (with a start address, the number of addresses, the lease time, and optional parameters), one or more relay agent addresses can be configured, or DHCP can be disabled.
4. The Interface Settings list shows the switch ports with a summary of some of their settings (such as Access or Trunk mode and the VLANs on the interface). Switch ports are highlighted with a light yellow background.
5. Static Route Settings are useful for special cases where static routes are needed for existing network-attached devices (such as printers). The '+' icon on the right of the dialog box adds another Static Route entry.
Perform these steps to specify the Static Route settings:
• Enter the subnet for the route.
• Enter the next-hop IP address for the route.
• Select the WAN interface to which the Static Route will be bound.
• Select the Broadcast checkbox to advertise this route over VPN and allow other Edges in the network to reach this resource.
• Optionally, add a description for the route.
[Screenshot: "VLAN: Corporate" dialog with fields Edge LAN IP Address, Edge LAN Management IP Address, CIDR Prefix, Network, LAN Interfaces, Type (DHCP Enabled), Static Addresses, Lease Time (1 day), DHCP Options (Option, Code, Data Type, Value); OK / Cancel. Each "Enable Edge Override" checkbox shows a warning icon with this hover text: "This option enables Edge specific edits to the displayed settings, and discontinues further automatic updates from the configuration profile for this module. For ongoing consistency and ease of updates it is recommended to set configurations at the Profile rather than Edge exception level."]
6. DNS is an optional service that allows you to create a DNS configuration. The DNS service can be a public DNS service or a private DNS service provided by your company. A Primary and a Backup server can be specified. The service is preconfigured to use Google and OpenDNS servers.
7. The management IP address is used as the source address for local services (e.g. DNS) and as the destination for diagnostic tests (e.g. pinging from another Edge).
8. Dynamic Host Configuration Protocol (DHCP) dynamically assigns unique IP addresses to network devices. As a network device joins or leaves an IP-based network, DHCP automatically renews or releases its IP address. DHCP allows network administrators to centrally manage and automate the assignment of IP addresses, making network administration much easier.
9. Every "Enable Edge Override" field carries a warning icon whose hover text is quoted above: turning the override on permits Edge-specific edits to the displayed settings and stops further automatic updates from the configuration profile for that module, which is why it is recommended to set configurations at the Profile rather than the Edge exception level.
10. The Wi-Fi Radio Settings determine whether the Wi-Fi radio is enabled, the country where the Edge is located, the band of the Wi-Fi radio, and the channel used by the Wi-Fi network. Once a country is selected, a specific Wi-Fi channel can be chosen. Note: Wi-Fi is an optional service; to add Wi-Fi to your existing service(s), please contact your Account Executive.
11. DHCP can be configured on a Routed Interface. The routed interface must be configured with a STATIC address at the Edge level. The usual DHCP Server settings can be specified: Disabled (the default), Relay (configure as a DHCP relay), and Enabled (configure as a DHCP server, with options). If an Edge Override is enabled, the DHCP Start IP must be a valid, available IP within the interface's /24 subnet.
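The VLAN, DHCP and static-route constraints in items 3, 5 and 11 are worth checking before clicking Save, since the confirmation dialog makes any resulting misconfiguration the customer's responsibility. The Python example below is added here and is not the portal's code: it validates a hypothetical VLAN record (Edge LAN IP, Management IP, CIDR prefix, DHCP type, pool start and count, fixed MAC-bound addresses) and a static route (subnet, next hop, bound WAN interface) against those rules with the standard-library `ipaddress` module. The `VlanConfig` and `StaticRoute` field names and the sample records are assumptions; the portal's own field names may differ.

```python
"""Pre-save checks for Edge VLAN, DHCP and static-route settings.

Added example, not the Windstream portal's code. Encodes what the Device tab
text states: LAN IP and Management IP must be usable hosts in the VLAN
subnet given by the CIDR prefix; an Enabled DHCP pool (start + count) must
stay inside that subnet and avoid the Edge and fixed (MAC-bound) addresses;
Relay needs a relay agent; a static route needs a proper network prefix, a
next hop and a bound WAN interface. Field names and samples are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class VlanConfig:
    vlan_id: int
    lan_ip: str                    # Edge LAN IP Address
    mgmt_ip: str                   # Edge LAN Management IP Address
    cidr_prefix: int
    dhcp: str = "Disabled"         # "Disabled" | "Relay" | "Enabled"
    dhcp_start: str = ""
    dhcp_count: int = 0
    relay_agents: List[str] = field(default_factory=list)
    fixed: Dict[str, str] = field(default_factory=dict)   # MAC -> fixed IP


@dataclass
class StaticRoute:
    subnet: str
    next_hop: str
    interface: str                 # WAN interface the route is bound to
    advertise: bool = False        # "Broadcast" the route over VPN


def _is_host(ip, net) -> bool:
    """Usable host address: inside the prefix and not network/broadcast."""
    return ip in net and ip not in (net.network_address, net.broadcast_address)


def check_vlan(cfg: VlanConfig) -> List[str]:
    try:
        lan = ipaddress.ip_interface(f"{cfg.lan_ip}/{cfg.cidr_prefix}")
        mgmt = ipaddress.ip_address(cfg.mgmt_ip)
        fixed = {mac: ipaddress.ip_address(ip) for mac, ip in cfg.fixed.items()}
    except ValueError as exc:
        return [f"VLAN {cfg.vlan_id}: {exc}"]
    net, tag, errors = lan.network, f"VLAN {cfg.vlan_id} ({lan.network})", []
    if not _is_host(lan.ip, net):
        errors.append(f"{tag}: LAN IP {lan.ip} is not a usable host address")
    if not _is_host(mgmt, net) or mgmt == lan.ip:
        errors.append(f"{tag}: management IP {mgmt} must be a distinct host in the subnet")
    errors += [f"{tag}: fixed address {ip} for {mac} is outside the subnet"
               for mac, ip in fixed.items() if not _is_host(ip, net)]
    reserved = {lan.ip, mgmt, *fixed.values()}        # never hand these out via DHCP
    if cfg.dhcp == "Enabled":
        try:
            pool = [ipaddress.ip_address(cfg.dhcp_start) + i for i in range(cfg.dhcp_count)]
        except ValueError as exc:
            return errors + [f"{tag}: DHCP start: {exc}"]
        if not pool or not all(_is_host(a, net) for a in pool):
            errors.append(f"{tag}: DHCP pool {cfg.dhcp_start}+{cfg.dhcp_count} is empty or leaves the subnet")
        clash = sorted(str(a) for a in reserved if a in pool)
        if clash:
            errors.append(f"{tag}: DHCP pool overlaps reserved addresses {clash}")
    elif cfg.dhcp == "Relay" and not cfg.relay_agents:
        errors.append(f"{tag}: Relay selected but no relay agent address given")
    elif cfg.dhcp not in ("Disabled", "Relay"):
        errors.append(f"{tag}: unknown DHCP mode {cfg.dhcp!r}")
    return errors


def check_route(r: StaticRoute) -> List[str]:
    try:
        dest = ipaddress.ip_network(r.subnet, strict=True)   # rejects host bits set
        nh = ipaddress.ip_address(r.next_hop)
    except ValueError as exc:
        return [f"route {r.subnet}: {exc}"]
    errors = []
    if nh in dest:
        errors.append(f"route {dest}: next hop {nh} lies inside the destination prefix")
    if not r.interface:
        errors.append(f"route {dest}: no WAN interface bound")
    return errors


def validate(vlans, routes) -> List[str]:
    return [e for v in vlans for e in check_vlan(v)] + [e for r in routes for e in check_route(r)]


# Constructed sample records (not taken from the page).
GOOD_VLAN = VlanConfig(1, "10.0.0.1", "10.0.0.2", 24, "Enabled", "10.0.0.10", 100,
                       fixed={"aa:bb:cc:dd:ee:01": "10.0.0.5"})
BAD_VLAN = VlanConfig(3, "10.0.3.1", "10.0.3.2", 24, "Enabled", "10.0.3.1", 60)      # pool swallows .1/.2
OVERFLOW_VLAN = VlanConfig(7, "10.0.7.1", "10.0.7.2", 24, "Enabled", "10.0.7.200", 100)  # runs past .254
GOOD_ROUTE = StaticRoute("192.0.2.0/24", "10.0.0.254", "INTERNET1", advertise=True)
BAD_ROUTE = StaticRoute("192.0.2.1/24", "10.0.0.254", "INTERNET1")                  # host bits set

if __name__ == "__main__":
    for problem in validate([GOOD_VLAN, BAD_VLAN, OVERFLOW_VLAN], [GOOD_ROUTE, BAD_ROUTE]):
        print("-", problem)
```

The two failing VLAN samples show the two ways a pool goes wrong: starting the pool on the Edge's own address (the portal would hand out the LAN IP to a client) and a count that runs past the broadcast address into the next /24.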
3.3 CONFIGURE EDGES BUSINESS POLICY
[Screenshot: Configure > Edges > Business Policy. Rule table columns: Rule, Match (Source, Destination, Application), Action (Net. Service, Link, Priority); sample rules Offsite remote, Local apps, Speedtest, VeloCloud, LogMeIn Remote, plus "Edge Override Rules from Profile"; Add Rule / Import / Delete Rule buttons. Edit Rule dialog: Rule Name; Match Source (Any / Define: VLAN, IP Address, Ports, Operating System), Destination (Any / Define: IP Address, Hostname, Protocol, Ports), Application (Any / Define: application or category, e.g. Anonymizers and Proxies, All VeloCloud, VeloCloud Control); Action: Priority High/Normal/Low, Rate Limit (% link bandwidth, outbound and inbound), Network Service Direct/Multi-Path, Link Steering Auto/Transport Group/Interface/WAN Link with Mandatory/Preferred/Available, NAT Disabled/Enabled, Service Class Real Time/Transactional/Bulk, DSCP.]
1. Based on the business policy configuration, SD-WAN examines the traffic, identifies the application behavior, the business service objective required for a given application (High, Med, or Low), and the Edge WAN link conditions. Based on this, the Business Policy optimizes application behavior by driving queuing, bandwidth utilization, link steering, and the mitigation of network errors.
2. A number of rules are predefined, and you can add your own rules to customize your network operation. Rules are listed in order of precedence, highest first. Network traffic is managed by identifying its characteristics and then matching those characteristics to the rule with the highest precedence.
3. You can move your configured rules up or down in the list to establish precedence by hovering over the numeric value at the left side of the rule and moving the rule up or down. If you hover over the right side of a rule, click the x (cross) sign next to the rule to remove it from the list or the + (plus) sign to add a new rule.
4. If the Match Source Define option is chosen, the source traffic can be narrowed to a specific VLAN, an IP Address, a Port, an Operating System, or any combination of these selections.
5. If the Match Destination Define option is chosen, the destination can first be narrowed to a type (Any, Internet, Edge, or Non-SD-WAN Site). The destination can then be further defined by specifying an IP Address, Hostname, Protocol (GRE, ICMP, TCP, or UDP), and a port.
6. The Action section allows traffic to be categorized by Priority as High, Normal, or Low. Percentage Rate Limits can also be applied in both the Outbound and Inbound directions. Link Steering provides for:
a. Mandatory: traffic will be sent over the WAN link or link Service-group specified. If the link specified (or all links within the chosen service group) is inactive, or if a multi-path gateway route is unavailable, the corresponding packet will be dropped.
b. Preferred: the traffic should preferably be sent over the WAN link or link Service-group specified. If the link specified (or all links within the chosen service group) is inactive, if the multipath gateway route chosen is unstable, or if the link Service Level Objective (SLO) is not being met, the corresponding packet will be steered to the next best available link. If the preferred link becomes available again, traffic will be steered back to the preferred link.
c. Available: the traffic should preferably be sent over the WAN link or link Service-group specified as long as it is available (irrespective of link SLO). If the link specified (or all links within the chosen service group) is not available, or if the multi-path gateway route chosen is unavailable, the corresponding packet will be steered to the next best available link. If the specified link becomes available again, traffic will be steered back to it.
3.4 CONFIGURE EDGES FIREWALL
Screen capture: Edge Firewall tab. Outbound Firewall Rules (Match: Source, Destination, Application; Action: Allow, Deny, Deny and log) with the Firewall Enabled switch and the Edge Override Rules from Profile control; Inbound Port Forwarding rules (Rule Name, WAN Port(s), LAN IP, LAN Port, Interface, Allowed Traffic Source as Remote IP/Subnet, Log); Inbound 1:1 NAT Rules (Name, Outside IP, Inside IP, Interface, Allowed Traffic Source as Remote IP, Traffic Out Protocol, Port(s), Log); Save Changes.
1. Firewall rules are used to configure Allow or Deny Access Control List (ACL) rules. The rules determine what traffic is allowed between VLANs or out from the LAN to the Internet. The rules can be based on applications, application categories, source IP address/port, destination IP address/port, DSCP tags, or protocol. Network traffic is managed by identifying its characteristics and then matching those characteristics to the rule with the highest precedence.
2. When adding a new Firewall rule using the dialog, you can select Source, Destination, and Application characteristics to match. Given a match, the Firewall action defined in the rule will be applied.
3. When a Deny action is triggered by the firewall, an Event is generated. The event can be seen in the list of events using Monitor -> Events. When a Deny and Log action is triggered, the Firewall logs the event locally.
4. You can move your configured rules up or down in the list of rules to establish precedence by hovering over the numeric value at the left side of the rule and moving the rule up or down. If you hover over the right side of a rule, click the – (minus) sign next to the rule to remove it from the list or the + (plus) sign to add a new rule.
5. MAC Address Filtering is another Source option available in the Match area of the dialog box shown below. Use the MAC Address feature when you want a filtering rule to apply to a specific client no matter which subnet the client is associated with (the filtering rule is independent of the client’s subnet).
6. The Inbound Firewall Rules section provides Port Forwarding and 1:1 NAT rules that define how Internet traffic is filtered or routed to an Edge via the Gateway. Configure rules to redirect traffic from a specific WAN port to a device (LAN IP/LAN Port) within the local subnet. Optionally, restrict the inbound traffic by IP or subnet. Port Forwarding Rules forward requests made on specific TCP or UDP ports to specific LAN IP addresses and ports on an Edge. The ‘+’ icon on the right can be used to add additional Port Forwarding Rules.
7. 1:1 NAT Settings map a public IP address to an Inside (LAN) IP address. A 1:1 NAT mapping can only be configured with IP addresses that do not belong to the Edge. It can also translate outside IP addresses in subnets different from the WAN interface address, provided the ISP routes traffic for that subnet towards the Edge. Each mapping is between one IP address outside the firewall and one LAN IP address inside the firewall. Within each mapping, you can specify which ports will be forwarded to the inside IP address. The ‘+’ icon on the right can be used to add additional 1:1 NAT settings.
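As an added example (not Windstream or VeloCloud code), the following Python models how the Inbound Firewall Rules in items 6 and 7 are evaluated: an inbound packet is matched against Port Forwarding and 1:1 NAT rules, the Allowed Traffic Source restriction is checked before any translation, and the constraint that a 1:1 NAT outside IP must not be one of the Edge’s own addresses is validated. Interface names, rule names and all addresses are constructed (documentation ranges).

```python
"""Added example, not Windstream/VeloCloud code: evaluating inbound Port Forwarding
and 1:1 NAT rules (section 3.4, items 6 and 7). All names and addresses are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class PortForward:
    name: str
    interface: str                      # WAN interface the request arrives on
    protocol: str                       # TCP or UDP
    wan_port: int                       # port on the interface's own WAN address
    lan_ip: str
    lan_port: int
    allowed_source: str = "0.0.0.0/0"   # Allowed Traffic Source (remote IP/subnet)
    log: bool = False

@dataclass(frozen=True)
class OneToOneNat:
    name: str
    interface: str
    outside_ip: str                     # public address; must NOT belong to the Edge
    inside_ip: str
    protocol: str
    ports: Tuple[int, ...]              # only these ports are forwarded inside
    allowed_source: str = "0.0.0.0/0"
    log: bool = False

@dataclass(frozen=True)
class Packet:
    interface: str
    protocol: str
    src_ip: str
    dst_ip: str
    dst_port: int

def source_allowed(allowed_source: str, src_ip: str) -> bool:
    return ip_address(src_ip) in ip_network(allowed_source, strict=False)

def validate_nat_rules(nats: List[OneToOneNat], wan_ips: Dict[str, str]) -> List[str]:
    """Names of 1:1 NAT rules whose outside IP is one of the Edge's own WAN addresses."""
    edge_addresses = set(wan_ips.values())
    return [r.name for r in nats if r.outside_ip in edge_addresses]

def translate_inbound(pkt: Packet, forwards: List[PortForward], nats: List[OneToOneNat],
                      wan_ips: Dict[str, str], log: List[str]) -> Optional[Tuple[str, int]]:
    """Return (LAN IP, LAN port) for an admitted packet, or None when it is dropped.

    wan_ips maps interface name -> that interface's WAN address. Port Forwarding applies
    to traffic addressed to the interface address itself; 1:1 NAT applies to the rule's
    outside IP. Rules are checked in list order; the first match decides."""
    for rule in forwards:
        if (rule.interface == pkt.interface and rule.protocol == pkt.protocol
                and pkt.dst_ip == wan_ips.get(pkt.interface) and pkt.dst_port == rule.wan_port):
            if not source_allowed(rule.allowed_source, pkt.src_ip):
                log.append(f"DENY {rule.name}: {pkt.src_ip} not in {rule.allowed_source}")
                return None
            if rule.log:
                log.append(f"FORWARD {rule.name}: {pkt.src_ip} -> {rule.lan_ip}:{rule.lan_port}")
            return rule.lan_ip, rule.lan_port
    for rule in nats:
        if (rule.interface == pkt.interface and rule.protocol == pkt.protocol
                and pkt.dst_ip == rule.outside_ip and pkt.dst_port in rule.ports):
            if not source_allowed(rule.allowed_source, pkt.src_ip):
                log.append(f"DENY {rule.name}: {pkt.src_ip} not in {rule.allowed_source}")
                return None
            if rule.log:
                log.append(f"NAT {rule.name}: {pkt.src_ip} -> {rule.inside_ip}:{pkt.dst_port}")
            return rule.inside_ip, pkt.dst_port
    log.append(f"DROP: no inbound rule for {pkt.dst_ip}:{pkt.dst_port}/{pkt.protocol}")
    return None

# Constructed Edge WAN addresses and rules (documentation address ranges).
WAN_IPS = {"INTERNET1": "198.51.100.10", "INTERNET2": "198.51.100.20"}
FORWARDS = [
    PortForward("Internal Web", "INTERNET1", "TCP", 443, "10.0.1.20", 8443,
                allowed_source="203.0.113.0/24", log=True),
]
NATS = [
    OneToOneNat("Remote Access", "INTERNET2", "198.51.100.30", "10.0.1.30", "TCP", (22,)),
]

if __name__ == "__main__":
    events: List[str] = []
    print(translate_inbound(Packet("INTERNET1", "TCP", "203.0.113.7", "198.51.100.10", 443),
                            FORWARDS, NATS, WAN_IPS, events))
    print(events)
```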
Screen capture: Add Rule dialog for an outbound firewall rule, showing the Match section with Source (Any or Define: VLAN, IP Address, Mac Address, Ports), Application (categories such as Media, Network Service, Peer to Peer and Remote Desktop, then applications such as All Music) and Destination (Any or Define: IP Address, Ports, Protocol).
3.5 CONFIGURE PROFILE OVERVIEW
Screen capture: Profile list (Name, Used By, Jump To: Device, Business Policy, Firewall; Add, Duplicate and Delete Profile) and the Profile Overview page with Name, Description, Networks (Addressing Type, Corporate and Guest Addresses & VLANs, Assignable VLANs, Edges) and Services (Dynamic Multi-Path Optimization, Business Policy, Firewall, BGP, OSPF, Cloud VPN, Application Recognition, Identity, Wireless, 802.1x, SNMP, Netflow) with their On/Off state.
1. The color-coded icons link you directly to the configuration areas for Device, Business Policy and Firewall. A “Gray” icon in one of the configuration columns indicates that all the rules in place are based on the “Default Profile” settings; any other color means at least one rule override is in place.
2. A Profile Overview page is displayed that provides a quick summary of all Networks and Services defined in the profile. The overview is divided into two categories (Networks and Services). After all settings have been entered on the Profile Device, Business Policy, and Firewall pages, the Profile Overview page should reflect the configuration you have performed.
3. Networks shows the name of the Network configuration used, the type of addressing, and the Network addresses and VLANs assigned to the Corporate and Guest networks.
4. Services has a summary of the services provided by the Windstream SD-WAN system.
3.6 CONFIGURE PROFILE DEVICE
Screen capture: Profile Device tab. Network Settings (Network, Assignable VLANs, Management VLANs) with the Select Management VLANs dialog (All VLANs (Recommended), or Customize with Available Corporate VLANs and Selected VLANs, max 8); Device Settings per Edge model with Switch Port Settings (Interface, Mode: Access/Trunk/Wifi, VLANs), Routed Interface Settings (Addressing, WAN Overlay: Auto Detect/Disabled), Wi-Fi Radio Settings (Radio Enabled, Country, Band: 2.4 GHz/5 GHz, Channel), DNS Settings (Private DNS, Public DNS), and the LAN1 interface dialog (Interface Enabled, Capability: Switched, Mode: Trunk Port, VLANs, Untagged VLAN: Drop Untagged, L2 Settings: Autonegotiate, Speed, Duplex, MTU 1500).
1. The Device tab is used to select a Network, assign VLANs, configure wired and wireless LAN connections, and configure DNS settings. Device configuration allows you to associate a Network configuration with a Profile, configure Interfaces, and choose Network Services to be associated with the Profile. Choosing a Network and selecting Network Services are performed from drop-down lists on this tab page.
2. The Network Settings section of the Device tab page shows the Network associated with the Profile, the list of Assignable VLANs, and the list of Management VLANs.
3. The Select Assignable VLANs dialog is used to select the VLANs that will be supported by this Profile.
4. For the Management VLANs in a typical corporate VLAN definition, two IP addresses are preallocated. The first IP address in the subnet is assigned to address the subnet, and the second IP address is used for a management function (such as Ping). These values can be seen and modified in the Subnet Addressing section of the Edge Device tab. The default is “All VLANs will be assigned a management IP address.”
5. For VLAN definitions where the number of IP addresses must be tightly controlled, creation of the Management IP address can be suppressed by customizing which VLANs have a Management IP address. The Select Management VLANs dialog is used to select which of the available corporate VLANs will be assigned a Management IP address (all VLANs in the Selected VLANs list in the screen capture). If you customize the list of VLANs, new VLANs that you add are not given a Management IP address. If you want a new VLAN to have a Management IP address, you need to add it to the list of Selected VLANs via the Select Management VLANs dialog.
6. Device Settings allows you to configure the Interface Settings for one or more Edge models in a profile. Depending on the Edge model, each interface can be a Switch Port (LAN) interface or a Routed (WAN) interface. Depending on the Branch model, a connection port is a dedicated LAN or WAN port, or ports can be configured to be either a LAN or a WAN port. Branch ports can be Ethernet or SFP ports. Some Edge models may also support wireless LAN interfaces. It is assumed that a single public WAN link is attached to a single interface that only serves WAN traffic. If no WAN link is configured for a routed interface that is WAN capable, it is assumed that a single public WAN link should be automatically discovered. If one is discovered, it is reported back, and this auto-discovered WAN link can then be modified and the new configuration pushed back to the branch.
7. Actions you can perform on the network interface, such as Edit or Delete.
8. The Interface name. This name matches the Edge port label on the Edge device or is predetermined for wireless LANs.
Screen capture: Edge 500 INTERNET1 routed interface dialog (Interface Enabled, Capability: Routed, Addressing Type: DHCP, WAN Overlay: Auto-Detect Overlay, OSPF: Not Enabled, NAT Direct Traffic, L2 Settings: Autonegotiate, MTU 1500; note that Static/PPPoE addressing details must be configured individually per Edge) and the WLAN1 wireless interface dialog (Interface Enabled, VLAN: 1 - Corporate, SSID, Security: WPA2 / Personal, Passphrase, Broadcast, Use Captive Web Portal (disclaimer only)).
9. The list of Switch Ports with a summary of some of their settings (such as Access or Trunk mode and the VLANs for the interface). Switch Ports are highlighted with a light yellow background.
10. The list of Routed Interfaces with a summary of their settings (such as the addressing type and if the interface was auto-detected or has an Auto Detected or User Defined WAN overlay). Routed Interfaces are highlighted with a light blue background.
11. The list of Wireless Interfaces (if available on the Edge device). You can add additional wireless networks by clicking the Add Wi-Fi SSID button. Wireless Interfaces are highlighted with a light gray background. Note: Wi-Fi is an optional service; to add Wi-Fi to your existing service(s), please contact your Account Executive.
12. You can configure Edge device LAN interfaces as Access Ports where you can choose a VLAN for the port and select L2 Settings for Autonegotiate (selected by default), Speed, Duplex type, and MTU size (default 1500). You can also configure Edge device LAN interfaces as Trunk Ports where you can choose VLANs for the port, how Untagged VLAN data is handled (routed to a specific VLAN or Dropped) and select L2 Settings for Autonegotiate (selected by default), Speed, Duplex type, and MTU size (default 1500).
13. WAN interfaces can be “Routed” (routing is done between two networks using IP addresses) or “Switched” (packets are transferred from source to destination using MAC addresses; switching is done within the network). You can also choose the Addressing Type (DHCP, PPPoE, or Static), a WAN Overlay (Auto-Detect or User Defined), enable OSPF, enable NAT Direct Traffic, and select L2 Settings for Autonegotiate (selected by default), Speed, Duplex type, and MTU size (default 1500).
14. Initially, two Wi-Fi networks are defined for the Edge: one as a “Corporate” network and one as a “Guest” network that is initially disabled. Additional wireless networks can be defined, each with a specific VLAN, SSID, and security configuration. Note: Wi-Fi is an optional service; to add Wi-Fi to your existing service(s), please contact your Account Executive.
15. Security for your Wi-Fi connections can be one of three types:
• Open: No security is enforced.
• WPA2 / Personal: A password is used to authenticate a user.
• WPA2 / Enterprise: A server is used to authenticate a user. In this scenario, a Server must be configured in Network Services and the Server must be selected in the Profile Authentication Settings on the Device page. The default settings for Security can also be overridden on the Edge Device page.
16. The Wi-Fi Radio Settings determine whether the Wi-Fi radio is enabled, the country where the Edge is located, the band of the Wi-Fi radio, and the channel used by the Wi-Fi network. If a specific country is selected, a specific Wi-Fi channel can be selected. Note: Wi-Fi is an optional service; to add Wi-Fi to your existing service(s), please contact your Account Executive.
17. The Device DNS Settings allow you to specify which Network Services DNS Service will be used.
3.7 CONFIGURE PROFILE BUSINESS POLICY
Screen capture: Profile Business Policy tab. The rule list shows Match (Source, Destination, Application) and Action (Network Service, Link, Priority) columns for rules such as Speed test, VeloCloud, LogMain Remote, Netflow Management and Default-Internet-UDP; the rule dialog shows the Match section (Source, Destination, Application: Any or Define... with VLAN, IP Address, Ports, Operating System, Protocol and Hostname fields) and the Action section (Priority: High/Normal/Low, Rate Limit, Network Service: Direct/Multi-Path, Link Steering: Auto/Transport Group/Interface/WAN Link, NAT: Disabled/Enabled, Service Class: Real Time/Transactional/Bulk, Inner and Outer Packet DSCP Tag).
1. Based on the business policy configuration, SD-WAN examines the traffic, identifies the application behavior, the business service objective required for a given application (High, Med, or Low), and the Edge WAN link conditions. Based on this, the Business Policy optimizes application behavior by driving queuing, bandwidth utilization, link steering, and the mitigation of network errors.
2. A number of rules are predefined and you can add your own rules to customize your network operation. Rules are listed in order of highest precedence. Network traffic is managed by identifying its characteristics then matching the characteristics to the rule with the highest precedence. You can move your configured rules up or down in the list of rules to establish precedence by hovering over the numeric value at the left side of the rule and moving the rule up or down. If you hover over the right side of a rule, click the – (minus) sign next to the rule to remove it from the list or the + (plus) sign to add a new rule.
3. You can select Match choices for network traffic based on the Source of the traffic, the Destination of the traffic, and/or the type of Application that generated the traffic. Given a match, the Actions defined in the lower part of the dialog for the rule will be applied. For each of the Match selections, the option “Any” designates any traffic from a source, destination, or application. If the Match Source “Define” option is chosen, the source traffic can be narrowed to a specific VLAN, an IP Address, a Port, an Operating System, or any combination of these selections.
4. If the Match Destination Define option is chosen, additional parameters can be specified to identify the traffic destination (see the following screen capture). The destination can first be narrowed to a type (Any, Internet, Edge, or Non-SD-WAN Site). The destination can then be further defined by specifying an IP Address, Hostname, Protocol (GRE, ICMP, TCP, or UDP), and a port. Match Destination options are particularly useful if the same traffic match pattern needs to be assigned different QoS values depending on the route taken. As an example, you may want to assign a higher priority to traffic destined for an SD-WAN Site than to regular cloud-based Internet traffic. This can be easily achieved using the Destination configuration value.
5. If the Match Application Define option is chosen, applications can be chosen first by category then by specific application. In addition, a DSCP value can be specified to match traffic coming in with a preset DSCP/TOS tag. Depending on your Match choices, some Actions may not be available. For example, if All Applications is chosen, Network Service and Link Actions are grayed out and are not available for selection.
6. The Action “Priority” parameter allows traffic to be categorized as High, Normal, or Low. Percentage Rate Limits can also be applied in both the Outbound and Inbound directions.
7. The Action “Network Service” parameter can be set to Direct or Internet Multi-path. The Direct option explicitly sets the traffic to be sent to the destination directly, bypassing the SD-WAN Gateway - this option is only applicable for Destination = Internet. The Internet Multi-path option explicitly marks the traffic to be sent over the SD-WAN Gateway utilizing the benefits of per packet link steering, multipath redundancy, and error-correction.
8. The Action “Link Steering” parameter can be set by Service Group, by Interface, or by WAN Link. A Transport Group represents WAN links bundled together based on similar characteristics and functionality. Defining a Transport Group allows business abstraction so that similar policy can apply across different hardware types. For the “Transport Group” option, you select the Transport Group type of All, Public Wired, Public Wireless, or Private Wired. This option is allowed at both the Edge override level and the Profile level.
• “Mandatory” indicates that traffic will be sent over the WAN link or link Service-group specified. If the link specified (or all links within the chosen service group) is inactive, or if a multi-path gateway route is unavailable, the corresponding packet will be dropped.
• “Preferred” indicates the traffic should preferably be sent over the WAN link or link Service-group specified. If the link specified (or all links within the chosen service group) is inactive, if the multipath gateway route chosen is unstable, or if the link Service Level Objective (SLO) is not being met, the corresponding packet will be steered to the next best available link. If the preferred link becomes available again, traffic will be steered back to the preferred link.
• “Available” indicates the traffic should preferably be sent over the WAN link or link Transport group specified as long as it is available (irrespective of link SLO). If the link specified (or all links within the chosen service group) is not available, or if the multi-path gateway route chosen is unavailable, the corresponding packet will be steered to the next best available link. If the specified link becomes available again, traffic will be steered back to it.
9. You can configure Policy Based NAT for both Source and Destination. The NAT can be applied to either Non-SD-WAN Site traffic or Internet traffic using Multi-Path. When configuring NAT, you must define which traffic to NAT and the action you want to perform. There are two types of NAT configuration: Many to One and One-to-One.
10. The Service Class parameter can be set to Real-time (time-sensitive traffic), Transactional, or Bulk. This option is only for custom applications; SD-WAN Apps/Categories already fall into one of these classes.
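As an added example (not Windstream or VeloCloud code), the following Python models the first-match precedence evaluation of a business policy rule list and the Mandatory, Preferred and Available link-steering behaviour described in sections 3.3 and 3.7: Mandatory drops when its target is inactive, Preferred leaves its target when it is inactive or misses its SLO and returns when it is healthy again, and Available leaves only when the target is inactive. The rule names, link names, transport groups and flows are constructed for illustration.

```python
"""Added example, not Windstream/VeloCloud code: business-policy rule precedence and
Mandatory/Preferred/Available link steering (sections 3.3 and 3.7). Constructed data."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

@dataclass
class Link:
    name: str
    group: str            # transport group: Public Wired, Public Wireless, Private Wired
    up: bool = True       # link is active
    slo_met: bool = True  # link currently meets its Service Level Objective

@dataclass
class Rule:
    name: str
    priority: str                   # High, Normal or Low
    steering: str = "Auto"          # Auto, Mandatory, Preferred or Available
    target: Optional[str] = None    # a WAN link name or a transport group name
    match: Dict[str, object] = field(default_factory=dict)  # empty = match Any

def matches(rule: Rule, flow: Dict[str, object]) -> bool:
    """Every Define'd criterion must match; an absent criterion means Any."""
    m = rule.match
    if "vlan" in m and flow["vlan"] != m["vlan"]:
        return False
    if "src_net" in m and ip_address(flow["src_ip"]) not in ip_network(m["src_net"]):
        return False
    return all(flow[k] == m[k] for k in ("app", "protocol", "dst_port") if k in m)

def first_match(rules: List[Rule], flow: Dict[str, object]) -> Optional[Rule]:
    """Rules are listed highest precedence first, so the first match wins."""
    return next((r for r in rules if matches(r, flow)), None)

def next_best(links: List[Link], exclude: List[Link]) -> Optional[str]:
    """Fallback: first active link that meets its SLO, else any active link."""
    for want_slo in (True, False):
        for link in links:
            if link.up and link not in exclude and (link.slo_met or not want_slo):
                return link.name
    return None

def steer(rule: Rule, links: List[Link]) -> Optional[str]:
    """Pick the WAN link for a matched flow; None means the packet is dropped."""
    if rule.steering == "Auto":
        return next_best(links, [])
    candidates = [l for l in links if rule.target in (l.name, l.group)]
    active = [l for l in candidates if l.up]
    if rule.steering == "Mandatory":
        # target inactive (or whole group down): drop, never fall back
        return active[0].name if active else None
    if rule.steering == "Preferred":
        # stays on the target only while it is active AND meets its SLO
        healthy = [l for l in active if l.slo_met]
        return healthy[0].name if healthy else next_best(links, candidates)
    if rule.steering == "Available":
        # stays on the target while it is active, irrespective of SLO
        return active[0].name if active else next_best(links, candidates)
    raise ValueError(f"unknown link steering mode {rule.steering!r}")

def apply_policy(rules: List[Rule], links: List[Link],
                 flow: Dict[str, object]) -> Tuple[str, str, Optional[str]]:
    """Return (rule name, priority, chosen link or None for dropped)."""
    rule = first_match(rules, flow)
    if rule is None:
        raise LookupError("no rule matched; keep a catch-all rule last in the list")
    return rule.name, rule.priority, steer(rule, links)

# Constructed WAN links: the private circuit is down and two links miss their SLO.
LINKS = [
    Link("MPLS1", "Private Wired", up=False),
    Link("INTERNET1", "Public Wired"),
    Link("INTERNET2", "Public Wired", slo_met=False),
    Link("LTE1", "Public Wireless", slo_met=False),
]
# Constructed rules, highest precedence first; the last rule is the catch-all.
RULES = [
    Rule("Voice", "High", "Mandatory", "Private Wired", match={"app": "voip"}),
    Rule("Backup", "Low", "Preferred", "INTERNET2", match={"protocol": "TCP", "dst_port": 873}),
    Rule("Offsite", "High", "Available", "Public Wireless", match={"vlan": 7}),
    Rule("Default", "Normal"),
]

def flow(**overrides) -> Dict[str, object]:
    """A constructed flow; override only the fields a rule keys on."""
    base = {"vlan": 1, "src_ip": "10.1.0.5", "app": "http", "protocol": "TCP", "dst_port": 443}
    base.update(overrides)
    return base

if __name__ == "__main__":
    for f in (flow(app="voip"), flow(app="rsync", dst_port=873), flow(vlan=7), flow()):
        print(apply_policy(RULES, LINKS, f))
```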
3.8 CONFIGURE PROFILE FIREWALL
Screen capture: Profile Firewall tab with the Firewall Enabled and Logging Enabled switches and the Outbound Firewall Rules list (Match: Source, Destination, Application; Action: Allow, Allow and log, Deny) for rules such as Business Apps, CorpVPN and Netflow.
1. Firewall rules are used to configure Allow or Deny Access Control List (ACL) rules. The rules determine what traffic is allowed between VLANs or out from the LAN to the Internet. The rules can be based on applications, application categories, source IP address/port, destination IP address/port, DSCP tags, or protocol. Network traffic is managed by identifying its characteristics and then matching those characteristics to the rule with the highest precedence. Note that the Firewall function can be disabled using the Firewall Enabled switch. This page allows you to define Outbound Firewall Rules and Edge Access. Inbound rules must be defined at each Edge.
2. Using the dialog, you can select Source, Destination, and Application characteristics to match. You can use these parameters to select precisely where you want the Firewall rule to be applied. Given a match, the Firewall action defined in the rule will be applied. Note: When a Deny action is triggered by the firewall, an Event is generated. The event can be seen in the list of events using Monitor > Events. When a Deny and Log action is triggered, the Firewall logs the event locally.
3. You can move your configured rules up or down in the list of rules to establish precedence by hovering over the numeric value at the left side of the rule and moving the rule up or down. If you hover over the right side of a rule, click the – (minus) sign next to the rule to remove it from the list or the + (plus) sign to add a new rule.
4. MAC Address Filtering is a Source option available in the Match area of the dialog box shown below. Use the MAC Address feature when you want a filtering rule to apply to a specific client no matter which subnet the client is associated with (the filtering rule is independent of the client’s subnet). To enable this filter, choose the MAC Address radio button, type in the MAC address, and click the OK button.
Screen capture: Profile firewall rule dialog with the Match section (Source: Any or Define by VLAN, IP Address, Ports; Destination: Any or Define by VLAN, IP Address, Protocol, Ports; Application: Any or Define by category).
3.9 CONFIGURE NETWORK
Screen capture: Configure Network page. Networks list (Name, Used By, Address Space, VLANs, Address Type: Overlapping or Non Overlapping Addresses) with New, Delete and Duplicate Network; Corporate Networks (addresses and VLANs) with Name, Description, Address Type, Address Space, Edges, Address/Edge, Edge Prefix, VLANs/Edge and a VLANs table (Name, VLAN ID, DHCP Type, Static Addresses, DHCP Addresses, DHCP Options); Guest Networks (addresses and VLANs) with the same fields; and the New VLAN dialog (VLAN Name, VLAN ID, DHCP Type: Enabled/Relay/Disabled, Static Addresses, Lease Time, DHCP Options: Code, Data Type, Value).
1. Networks are standard configurations that define network address spaces and VLAN assignments for Edges. Networks configure two network types: Corporate (or trusted networks) and Guest (or untrusted networks). Multiple Corporate and Guest Networks can be defined. VLANs can be assigned to both Corporate and Guest Networks.
2. Corporate Networks can be configured with either Overlapping Addresses or Non-overlapping Addresses. With overlapping addresses, all Edges using the Network have the same address space. Overlapping addresses are associated with non-VPN configurations. Guest networks always use overlapping addresses.
3. With non-overlapping addresses, an address space is divided into blocks of an equal number of addresses. Non-overlapping addresses are associated with VPN configurations. The address blocks are assigned to Edges that use the Network so that each Edge has a unique set of addresses. When using non-overlapping addressing, SD-WAN automatically allocates blocks of addresses based on the maximum number of Edges you predict will use the Network configuration.
4. For Corporate Networks, the address space was set in a previous step when you created the network space and is distributed across the number of Edges chosen using the Allocation slider. You can specify the number of Edges, the Addresses/Edge, and the Edge Prefix. The Allocation slider helps you choose these values by calculating them so that all addresses are assigned across the number of Edges. This is the built-in IPAM (IP address management) for Edges, used to allocate the LAN-side subnet behind each Edge. Once a Network is assigned to an Edge, it is not possible to change the Address Space Allocation. The number of Edges is the maximum number of Edges that will ever be deployed using this Network. The Addresses/Edge defines the size of the address space for each Edge.
5. You can define as many VLANs as you like for the Corporate Network but the Max VLANs value specifies the maximum number you can specify for use in a Profile or Edge. Click the New button to create a new VLAN where you can configure the VLAN Name, VLAN ID, and the DHCP configuration.
6. After you configure the VLAN Name and VLAN ID you choose DHCP type of Enabled, Relay, or Disabled:
• Enabled: the Edge is the DHCP server - when choosing Enabled, you can add one or more DHCP options where you specify predefined options or add custom options.
• Relay: the DHCP is at a remote location - If you choose DHCP type of Relay, you can specify the IP address of one or more Relay Agents.
33
• Disabled: the DHCP is incapacitated - If the DHCP type of Disabled is chosen, IP addresses are not provided by DHCP for this VLAN.
7. The Guest Network is an untrusted network that always uses an overlapping address space. It is completely segmented and on separate VRF as compared to corporate network. The Guest Network section (see screen capture below) defines the Address Space. You can define as many VLANs as you like for the Guest Network, but the Max VLANs value specifies the maximum number you can use in a Profile or Edge.
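The non-overlapping allocation in steps 3 and 4 (one equal-sized block per Edge, sized from the maximum number of Edges) can be reproduced to sanity-check a planned Network before it is assigned, since the allocation cannot be changed afterwards. The following is an added example written for this guide; it is not Windstream or VeloCloud code, and it assumes that block sizes are powers of two so the Edge count is rounded up to the next power of two (the guide does not state the exact rounding rule). The function names are this example's own.

```python
import ipaddress


def allocate_edge_blocks(address_space, max_edges):
    """Split a Corporate Network address space into equal, non-overlapping
    blocks, one per Edge, as the non-overlapping addressing mode does.

    Assumption for this example: blocks are power-of-two sized, so the Edge
    count is rounded up to the next power of two before dividing.

    Returns (edge_prefix, addresses_per_edge, blocks).
    """
    space = ipaddress.ip_network(address_space, strict=True)
    if max_edges < 1:
        raise ValueError("max_edges must be at least 1")
    # Extra prefix bits needed to carve at least max_edges blocks.
    extra_bits = (max_edges - 1).bit_length()
    edge_prefix = space.prefixlen + extra_bits
    if edge_prefix > space.max_prefixlen:
        raise ValueError(
            f"{address_space} cannot be split into {max_edges} Edge blocks")
    # subnets() yields every block in address order; only the first
    # max_edges blocks are ever handed to Edges.
    blocks = []
    for block in space.subnets(new_prefix=edge_prefix):
        if len(blocks) == max_edges:
            break
        blocks.append(block)
    addresses_per_edge = blocks[0].num_addresses
    return edge_prefix, addresses_per_edge, blocks


def edge_block(address_space, max_edges, edge_index):
    """Return the block assigned to the Edge at position edge_index (0-based)."""
    _, _, blocks = allocate_edge_blocks(address_space, max_edges)
    if not 0 <= edge_index < len(blocks):
        raise IndexError(
            f"edge_index must be in 0..{len(blocks) - 1}; deploying more "
            "Edges than planned requires a new Network")
    return blocks[edge_index]


def blocks_are_disjoint(blocks):
    """True when no two blocks overlap, the property non-overlapping
    addressing exists to guarantee."""
    return all(not a.overlaps(b)
               for i, a in enumerate(blocks) for b in blocks[i + 1:])


if __name__ == "__main__":
    # Constructed example: a /16 planned for up to 100 Edges.
    prefix, per_edge, blocks = allocate_edge_blocks("10.0.0.0/16", 100)
    print(f"Edge Prefix /{prefix}, Addresses/Edge {per_edge}, "
          f"{len(blocks)} blocks, disjoint={blocks_are_disjoint(blocks)}")
    print("first Edge:", blocks[0], " last Edge:", blocks[-1])
```

Running the block with a /16 and 100 Edges yields an Edge Prefix of /23 and 512 Addresses/Edge, with 28 blocks of the rounded-up 128 left unassigned; this is the same trade-off the Allocation slider exposes, where the Edge count you predict directly fixes the subnet size each site gets.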
3.10 CONFIGURE NETWORK SERVICES
Screen capture: DNS Services list (NEW / DELETE buttons) and the "DNS Private" service dialog.

NAME                  TYPE     ADDRESS                                   USED BY
DNS Private           Private  Primary: 193.543.1.1  Backup: none        0
DNS Public            Public   Primary: 129.446.1.2  Backup: 129.34.2.5  0
Google DNS            Public   Primary: 8.8.8.8      Backup: 8.8.4.4     0
DNS Internal Primary  Public   Primary: 16.3.5.1     Backup: none        0

DNS Private dialog fields: Type: Private; Name: DNS Private; Server Details: Primary Server 192.158.1.1, Backup Server (placeholder text shown: Ex: 54.124.5.789); Private Domains: sub.dd.com; Description; SAVE / CANCEL.
1. Network Services for SD-WAN let you define your Enterprise Network Services, including DNS. These definitions can be used across all Profiles. Services are defined in Network Services, but they are not used unless they are assigned in a Profile.
2. A Domain Name Server (DNS) translates domain names into IP addresses, which lets you reach websites by typing their alphanumeric domain names into the browser instead of their IP addresses. The DNS service is optional and lets you create a DNS configuration for either a public DNS service or a private DNS service provided by your company. A Primary and a Backup server can be specified. The recommended practice is to place the primary and secondary DNS servers on separate machines, on separate Internet connections, and in separate geographic locations for redundancy. The service is preconfigured to use Google and OpenDNS servers. For a private service, you can also specify one or more Private Domains.
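A DNS service definition is easy to get wrong in ways the form will not flag for you: a mistyped server address (the sample screen above shows placeholder values with octets above 255), a missing or duplicated backup, or a backup on the same network as the primary, which defeats the redundancy guidance in item 2. The following is an added example for this guide, not Windstream or VeloCloud code; it checks service definitions constructed here to mirror the fields of the DNS Services screen, and the dictionary keys and function names are this example's own.

```python
import ipaddress
import re

# Constructed sample definitions mirroring the DNS Services fields
# (Name, Type, Primary/Backup server, Private Domains). Keys are assumptions
# for this example, not product field names.
SAMPLE_SERVICES = [
    {"name": "Google DNS", "type": "Public",
     "primary": "8.8.8.8", "backup": "8.8.4.4", "domains": []},
    {"name": "DNS Private", "type": "Private",
     "primary": "192.158.1.1", "backup": None, "domains": ["sub.dd.com"]},
    {"name": "Typo Example", "type": "Public",
     "primary": "193.543.1.1", "backup": "193.543.1.1", "domains": []},
]

# One DNS label: 1-63 letters, digits or hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def valid_domain(name):
    """Syntactic check for a Private Domain entry such as 'sub.dd.com'."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def _parse(addr):
    """Parse an IPv4/IPv6 address string, returning None when it is invalid."""
    try:
        return ipaddress.ip_address(addr)
    except ValueError:
        return None


def check_dns_service(svc):
    """Return a list of findings for one service definition (empty means OK)."""
    findings = []
    primary = _parse(svc["primary"])
    if primary is None:
        findings.append(
            f"primary server '{svc['primary']}' is not a valid IP address")

    backup = None
    if svc.get("backup"):
        backup = _parse(svc["backup"])
        if backup is None:
            findings.append(
                f"backup server '{svc['backup']}' is not a valid IP address")
    else:
        findings.append(
            "no backup server: name resolution has a single point of failure")

    if primary and backup:
        if primary == backup:
            findings.append(
                "backup server is identical to primary; it adds no redundancy")
        elif primary.version == backup.version:
            # Heuristic: servers in the same /24 (IPv4) or /64 (IPv6) are
            # likely on the same connection or site, which the guide
            # recommends against for the primary/backup pair.
            plen = 24 if primary.version == 4 else 64
            net_p = ipaddress.ip_network(f"{primary}/{plen}", strict=False)
            net_b = ipaddress.ip_network(f"{backup}/{plen}", strict=False)
            if net_p == net_b:
                findings.append(
                    f"primary and backup share {net_p}; "
                    "prefer separate networks and locations")

    if svc["type"] == "Private":
        for domain in svc["domains"]:
            if not valid_domain(domain):
                findings.append(
                    f"private domain '{domain}' is not a valid DNS name")
    elif svc["domains"]:
        findings.append(
            "private domains are only meaningful for a Private service")
    return findings


def check_all(services):
    """Map each service name to its list of findings."""
    return {svc["name"]: check_dns_service(svc) for svc in services}


if __name__ == "__main__":
    for name, findings in check_all(SAMPLE_SERVICES).items():
        print(name, "->", findings or ["OK"])
```

Run against the constructed definitions, the Google entry passes, the private service is flagged only for lacking a backup, and the typo entry is rejected for both addresses. The same-network heuristic is deliberately coarse; adjust the prefix lengths to match how your own address plan separates sites.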
