Assembling Base Configuration
The following procedure covers configuring templates, deployment profiles and loopback orchestration. It leverages the roles, security zones and network segments configured in the Setting Security Policy section.
Configure Templates
Configuration templates allow users to apply a set of standard configuration across devices. The following steps walk through configuring a template.
Step 1 Select the Configuration tab in the top left hand side.
Step 2 In the Templates & Policy column select Templates
Step 3 Set the default admin password.
Step 4 Configure SNMP.
Step 5 Set the Message of the Day.
Step 6 (Optional) Set Login Message; in this case it is left at the default.
Step 7 Click the Show All button next to Active Templates.
Step 8 In the expanded available templates double click Routes to add it to the Active Template.
Step 9 Click the Pencil icon next to quarantine. Check the automatically advertise local LAN subnets box.
Step 10 Click update.
Step 11 Click the Pencil icon next to the guest. Check the automatically advertise local LAN subnets box.
Step 12 In the expanded available templates double click CLI to add it to the Active Template.
Step 13 In the CLI box enter the following commands to enable LLDP.
```
discoveryd enable
interface wan0 lldp enable
interface wan1 lldp enable
interface lan0 lldp enable
interface lan1 lldp enable
```
Note: LLDP is only supported on 9.3 and higher. CDP is supported on all versions and can be enabled with CDP enable.
Configure Deployment profiles
This procedure demonstrates how to configure the Deployment profile, which will be used as a template to onboard gateways. The following section shows how to configure a deployment profile for a single Hub site; the process will need to be repeated for both the redundant gateway sites.
Note: It is possible to create a deployment profile for the hubs or any custom configuration by clicking the +Add button and following the same procedure. This guide will not demonstrate creating a hub/custom profile to demonstrate how to manually add configuration.
Configure Labels
Step 1 Navigate to Configuration and, in the Overlay & Security column, select Deployment Profiles.
Step 2 Select MPLS + Internet Branch.
Step 3 Click the Pencil icon next to Label.
Step 4 In the Interface Label page click New Label.
Step 5 Select the Lan toggle and enter the VLAN description as the label.
Step 6 Click Ok.
Step 7 Repeat Steps 1-6 for each item in the table.
Step 8 Click Save when all the labels are created.
VLAN ID | Label |
---|---|
100 | MGMT VLAN |
101 | Employee |
102 | Camera |
103 | IOT |
104 | Guest |
105 | Reject |
106 | Critical |
107 | Quarantine |
Loopback | LOOPBACK |
Apply Labels, Zones, Segments and DHCP
In the following section Labels, Zones and Segments will be applied to the interfaces and associated with the VLANs. This will allow the gateway to enforce the policy that was defined previously.
Step 1 Under the Lan Interfaces section of the page click the +IP (7 times) under LAN0.
Step 2 Enter the VLAN ID in each of the newly created sub-interfaces.
Step 3 Set the FW Zone, Segment, and Label for each sub interface using the table below.
Note: The MGMT VLAN will be a native VLAN; do not enter the VLAN ID on this interface.
VLAN ID | Label | FW Zone | Segment |
---|---|---|---|
100 | MGMT VLAN | LAN | Default |
101 | Employee | LAN | Default |
102 | Camera | LAN | Default |
103 | IOT | IOT | Default |
104 | Guest | Default | guest |
105 | Reject | LAN | Default |
106 | Critical | LAN | Default |
107 | Quarantine | Default | quarantine |
Step 4 In the Lan Interfaces section, on the sub interface line, click No DHCP.
Step 5 Click the DHCP/BOOTP Relay radio button.
Step 6 Enter in the following DHCP servers.
- DHCP Server 1: 10.2.120.99
- DHCP Server 2: 10.2.120.98
Step 7 Click OK.
Step 8 Repeat Steps 1-3 for every sub interface except the Critical VLAN.
Step 9 For the Critical VLAN select No DHCP.
Step 10 Click the Radio button for DHCP Server.
Step 11 Click OK.
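The table and DHCP steps above define which zone and segment each VLAN must land in, so a profile that drifts from them weakens the segmentation the gateway enforces. The following check is an added example, not part of the original guide or the product: it audits an interface plan against the table. The record layout (`label`, `vlan`, `zone`, `segment`, `dhcp`, `relay_servers`) is hypothetical, and treating the native MGMT interface as a relay interface with no VLAN tag is an assumption drawn from the note and Step 8.

```python
# Added example: audit a LAN0 interface plan against this guide's table.
# The record layout is hypothetical, not an Orchestrator export format.
RELAY_SERVERS = {"10.2.120.99", "10.2.120.98"}

# label -> (VLAN tag, FW zone, segment, DHCP mode); tag None = native VLAN
INTENDED = {
    "MGMT VLAN":  (None, "LAN",     "Default",    "relay"),
    "Employee":   (101,  "LAN",     "Default",    "relay"),
    "Camera":     (102,  "LAN",     "Default",    "relay"),
    "IOT":        (103,  "IOT",     "Default",    "relay"),
    "Guest":      (104,  "Default", "guest",      "relay"),
    "Reject":     (105,  "LAN",     "Default",    "relay"),
    "Critical":   (106,  "LAN",     "Default",    "server"),
    "Quarantine": (107,  "Default", "quarantine", "relay"),
}

def audit(interfaces):
    """Return one finding per deviation from INTENDED."""
    findings, seen = [], set()
    for itf in interfaces:
        label = itf.get("label")
        if label not in INTENDED:
            findings.append(f"{label}: label not in the guide's table")
            continue
        if label in seen:
            findings.append(f"{label}: label used on more than one interface")
        seen.add(label)
        wanted = dict(zip(("vlan", "zone", "segment", "dhcp"), INTENDED[label]))
        for field, want in wanted.items():
            if itf.get(field) != want:
                findings.append(
                    f"{label}: {field} is {itf.get(field)!r}, expected {want!r}")
        if wanted["dhcp"] == "relay" and \
                set(itf.get("relay_servers", [])) != RELAY_SERVERS:
            findings.append(f"{label}: relay servers differ from the guide")
    return findings + [f"{l}: missing from profile"
                       for l in INTENDED if l not in seen]

def sample_profile():
    """Constructed sample: the intended plan with two deliberate deviations."""
    plan = {l: dict(label=l, vlan=v, zone=z, segment=s, dhcp=d,
                    relay_servers=sorted(RELAY_SERVERS) if d == "relay" else [])
            for l, (v, z, s, d) in INTENDED.items()}
    plan["Guest"]["segment"] = "Default"  # guest traffic leaks into Default
    plan["MGMT VLAN"]["vlan"] = 100       # native VLAN tagged by mistake
    return list(plan.values())

if __name__ == "__main__":
    print("\n".join(audit(sample_profile())))
```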
Configure WAN Interfaces
Step 1 In the WAN Interfaces section change the Label for WAN0 to INET1.
Step 2 In the WAN Interfaces section change the Label for WAN1 to MPLS1.
Step 3 Set the FW Zone to WAN for both WAN interfaces.
Step 4 Set the FW Mode for the MPLS interface to Stateful + SNAT.
Step 5 Enter the following Bandwidth.
- INET Download: 100,000 Kbps (100Mbps)
- INET Upload: 25,000 Kbps (25Mbps)
- MPLS Download: 10,000 Kbps (10Mbps)
- MPLS Upload: 5,000 Kbps (5Mbps)
Step 6 Click the Calc button.
Step 7 Click Save.
Note: If the deployment requires a BGP peering on the MPLS connection set the FW Mode to allow all.
Redundant Gateway Deployment Profiles
Repeat the procedure for the Single internet branch and MPLS Only Branch profiles. The result of the configuration should look like the examples below.
Single internet branch
MPLS Only Branch
Note: If the deployment requires a BGP peering on the MPLS connection set the FW Mode to allow all.
Loopback Orchestration Configuration
Loopback Orchestration dynamically assigns a loopback interface to gateways when they are onboarded into orchestrator.
Step 1 Navigate to Configuration and, in the Networking column, select Loopback Orchestration.
Step 2 In the Segment section clear the All input. Select the default segment.
Step 3 Click the +Add Loopback Interface button.
Step 4 In the pop-up, enter the following.
- Label: LOOPBACK
- Zone: LAN
Step 5 Check the Management IP box.
Step 6 Click Add.
Step 7 In the newly added row select the Loopback Pool.
Step 8 Enter the Subnet IP Pool. For this deployment the pool will be: 10.14.255.64/26
Step 9 Click Update, then click Save in the bottom left.