Link Search Menu Expand Document

Deployment Tab

Configuration > Networking > Deployment

This tab provides summary and detailed views of the selected appliance’s deployment settings.

To change an appliance’s deployment settings, click the Edit icon next to the name of the desired appliance.

The following table describes the fields on the Summary view of this tab.

Field Description
Appliance Name of the deployed appliance.
HA Name of the appliance with which this appliance is paired for EdgeHA.
Mode Indicates the deployment mode for the appliance:

Inline Router – Uses separate LAN and WAN interfaces to route data traffic.

Bridge – Uses a virtual interface, bvi, created by binding the WAN and LAN interfaces.

Server – Both management and data traffic use the mgmt0 interface.
Outbound Bandwidth Deployment’s total outbound bandwidth in Kbps.
Inbound Bandwidth Deployment’s total inbound bandwidth in Kbps.
WAN Labels Used Identify the service, such as MPLS or Internet.
LAN Labels Used Identify the data, such as data, VoIP, or replication.
Segment Names of the segments used for this appliance deployment.
License License tier granted for this appliance deployment.
Details Select the information icon to view further deployment details of an appliance.

The following table describes the fields on the Details view of this tab.

Field Description
Interface Name of the LAN or WAN interface.
Label Label mapped to the interface. LAN labels refer to traffic type, such as VoIP, data, or replication. WAN labels refer to the service or connection type, such as MPLS, internet, or Verizon.
Zone Firewall zone applied to the interface.
Segment Name of the segment used for this interface.
IP/Mask Interface’s IP address and subnet mask.
WAN/LAN Side Indicates that the interface is WAN-side or LAN-side.
Next Hop Deployment interface’s next hop router address.
Public IP Public IP address.
Inbound Interface’s inbound bandwidth in Kbps.
Outbound Interface’s outbound bandwidth in Kbps.
NAT Indicates whether the appliance is behind a NAT-ed interface.
Firewall Mode Indicates the firewall mode for the appliance’s WAN-side interface:

Allow All – Permits unrestricted communication.

Stateful – Only allows communication from the LAN-side to the WAN-side. Used if the interface is behind the WAN edge router.

Stateful+SNAT – Applies Source NAT to outgoing traffic. Used if the interface is directly connected to the Internet.

Harden – For traffic inbound from the WAN, the appliance accepts only IPSec tunnel packets that terminate on an EdgeConnect appliance. For traffic outbound to the WAN, the appliance only allows IPSec tunnel packets and management traffic that terminate on an EdgeConnect appliance.
DHCP Indicates whether the interface’s IP address is obtained from the DHCP server.
HA Interface Indicates whether the interface is part of an EdgeHA link.
License License tier granted for this appliance deployment.
Comment Additional information for this deployment interface.

Deployment Dialog Box

The three deployment modes are Bridge, Router, and Server.

WARNING: ALWAYS use Router mode unless you have a legacy, WAN Optimization–specific use case and are well-acquainted with the requirements of Bridge or Server mode deployments.

Enable EdgeHA

EdgeHA mode is a high availability cluster configuration that provides appliance redundancy by pairing two EdgeConnect devices together.

When you configure two EdgeConnect appliances in EdgeHA mode, the resilient cluster acts as a single logical system for orchestrated WAN functions. It extends the robust SD-WAN multipathing capabilities, such as Business Intent Overlays, seamlessly across the two devices as though they were one entity.

With EdgeHA mode, a WAN uplink is physically plugged into a single one of the EdgeConnect appliances but is available to both in the cluster. For WAN connections that perform NAT (for example, a consumer-grade Broadband Internet connection), it means that only a single Public IP needs to be provisioned in order for both EdgeConnect devices in the EdgeHA cluster to be able to build Business Intent Overlays using that transport resource. The same is true for orchestrated tunnels to third-party cloud services, such as Zscaler and AWS Transit Gateway.

NOTE: EdgeHA mode provides clustering for WAN-side functions only. You must select and configure an appropriate LAN-side redundancy mechanism for a given business location. Available options are VRRP+IP SLA, BGP, and OSPF.

To enable EdgeHA:

  1. Select the EdgeHA check box.

  2. Configure the interfaces (LAN-side and WAN-side) on both EdgeConnect devices to reflect the WAN connections that are plugged into each one of the respective appliances.

    NOTE: Both EdgeConnect devices will be able to leverage all WAN connections regardless of which chassis they are physically plugged into. It is, however, important to match the interface configuration displayed on the Deployment dialog box to the actual chassis the WAN connection is physically and directly connected to.

  3. Select the physical ports on the respective EdgeConnect appliances that you will connect to each other using an Ethernet cable (RJ-45 twisted pair or SR optical fiber).

    NOTE: You can choose any LAN or WAN port combination for this HA Link that is available on the respective EdgeConnect chassis. You must match the media type and speed for both ends of the HA link. (For example, 1 Gigabit-Ethernet RJ-45 to RJ-45 or 10 Gigabit-Ethernet multimode fiber LC-connector-to-LC-connector). Also, note that you cannot use MGMT ports for the HA Link; only LAN or WAN ports.

IPSec over UDP Tunnel Configuration

For both EdgeConnect appliances in a high availability cluster to be able to share a common transport connection, you must set the tunnel type to IPSec over UDP mode. This is the default tunnel mode for all deployments running ECOS 8.1.6/Orchestrator 8.2 or later.

NOTE: For SD-WAN fabrics upgraded from earlier releases, see Tunnel Settings in Orchestrator (Orchestrator > Orchestrator Server > Tools > Tunnel Settings) to change to IPSec over UDP mode.

You must configure the same site name for both appliances in the EdgeHA pair so that Orchestrator assigns a unique IPSec UPD port number for each appliance.

LAN-side High Availability

Typically, in a branch site deployment, you will choose to configure the cluster with VRRP+IP SLA to modify priority and subnet sharing metrics based on VRRP and WAN interface status. For more advanced deployments with Layer 3 routers or switching on the LAN side, BGP or OSPF can be configured. For details, refer to the EdgeHA High Availability Deployment Guide.

LAN-side Monitoring

The IP SLA feature should be configured to monitor the LAN-side VRRP state in order to automatically disable subnet sharing from that appliance in the case of a LAN link failure.

For more information, refer to the IP SLA configuration guide.

Map Labels to Interfaces

  • On the LAN side, labels are optional. You can use them as match criteria for Business Intent Overlay ACLs, such as data, VoIP, or replication.

  • On the WAN side, labels identify the link type, such as MPLS or Internet. These labels are mandatory. Orchestrator uses them to build Business Intent Overlay policies.

  • To create or manage a global pool of labels, either:

    • Navigate to Configuration > Overlays & Security > Deployment Profiles, click the Edit icon next to Label, and make the appropriate changes, or

    • Navigate to Configuration > Overlays & Security > Interface Labels) and make the appropriate changes.

  • The change you make to a label propagates automatically. For example, it renames tunnels that use that labeled interface.

LAN-side Configuration: Segments and Firewall Zones

EdgeConnect Segmentation (VRF) provides orchestrated Layer 3 segmentation, Zone Based Firewall, and IDS—end-to-end across the SD-WAN fabric. Segment and zone policies are global in scope. They are managed on the Configuration > Networking > Routing > Routing Segmentation (VRF) tab.

Segments and zones are then assigned to LAN-side interfaces for each appliance by using the Deployment dialog box. By default, the Segment and FW Zone fields on LAN interfaces are set to the system-generated Default segment. You can select a different segment and firewall zone from the drop-down lists. These lists reflect the segments and zones that are set up on the Routing Segmentation (VRF) tab.

NOTE: The segment for WAN interfaces cannot be changed.

LAN–side Configuration: DHCP

  • By default, each LAN IP acts as a DHCP Server when the appliance is in (the default) Router mode.

  • The global defaults are set in Configuration > Networking > DHCP > DHCP Server Defaults and pre-populate this page. The other choices are No DHCP and having the appliance act as a DHCP/BOOTP Relay.

  • To customize an individual interface on the Deployment screen, click the DHCP-related link under the IP/Mask field. The DHCP Settings dialog box opens.

    The following tables describe the various DHCP settings you can configure.

    DHCP Server

    Setting Description
    Subnet Mask Mask that specifies the default number of IP addresses reserved for any subnet. For example, entering 24 reserves 256 IP addresses.
    IP Range You can designate one or more IP address ranges available for use. Specify Start IP and End IP addresses. To add another IP address range, click Add.

    IMPORTANT: Multiple IP ranges cannot overlap.
    Default lease,Maximum lease Specify, in hours, how long an interface can keep a DHCP–assigned IP address.
    Gateway IP Specifies the IP address for the gateway to use.
    DNS server(s) Specifies the associated Domain Name System servers.
    NTP server(s) Specifies the associated Network Time Protocol servers.
    NetBIOS name server(s) Used for Windows (SMB) type sharing and messaging. It resolves the names when you are mapping a drive or connecting to a printer.
    NetBIOS node type NetBIOS node type of a networked computer relates to how it resolves NetBIOS names to IP addresses. There are four node types:

    B-node = 0x01 Broadcast

    P-node = 0x02 Peer (WINS only)

    M-node = 0x04 Mixed (broadcast, then WINS)

    H-node = 0x08 Hybrid (WINS, then broadcast)
    DHCP failover Enables DHCP failover. To set it up, click the Failover Settings link.

    DHCP/BOOTP Relay

    Setting Description
    Destination DHCP/BOOTP Server IP address of the DHCP server assigning the IP addresses. This setting applies to the local interface only.
    Enable Option 82 When selected, inserts additional information into the packet header to identify the client’s point of attachment. This setting applies to all LAN-side interfaces on this appliance.

    IMPORTANT: Changing this setting will modify Option 82 settings on all LAN-side interfaces that are enabled as DHCP Relay.
    Option 82 Policy Tells the relay what to do with the hex string it receives. The choices are append, replace, forward, and discard. This setting applies to all LAN-side interfaces on this appliance.

    IMPORTANT: Changing this setting will modify Option 82 settings on all LAN-side interfaces that are enabled as DHCP Relay.

WAN–side Configuration

Firewall Zone: Zone-based firewall policies are configured globally on the Orchestrator. A zone is applied to an Interface. By default, traffic is allowed between interfaces labeled with the same zone. Any traffic between interfaces with different zones is dropped. You can create exception rules (Security Policies) to allow traffic between interfaces with different zones.

Firewall Mode: Four options are available at each WAN interface:

  • Allow All permits unrestricted communication.

    WARNING: Use this option with extreme caution and only if the interface is behind a WAN edge firewall.

  • Stateful only allows communication from the LAN-side to the WAN-side.

    Use this option if the interface is behind a WAN edge router.

  • Stateful with SNAT applies Source NAT to outgoing traffic.

    Use this option if the interface is connected directly to the Internet and you want to enable local internet breakout.

  • Harden

    • For traffic inbound from the WAN, the appliance accepts only IPSec tunnel packets that terminate on an EdgeConnect appliance.

    • For traffic outbound to the WAN, the appliance only allows IPSec tunnel packets and management traffic that terminate on an EdgeConnect appliance.

NAT Settings: To change the NAT setting, click the NAT-related link under the Next Hop field on the WAN side. The NAT Settings dialog box opens.

Select one of the following options:

  • If the appliance is behind a NAT-ed interface, select NAT.

  • If the appliance is not behind a NAT-ed interface, select Not behind a NAT.

  • To assign a destination IP address for tunnels being built from the network to this WAN interface, select the last option and enter the IP address.

Shaping: You can limit bandwidth selectively on each WAN interface.

  • Total Outbound bandwidth is licensed by model. It is the same as max system bandwidth.

  • To enter values for shaping inbound traffic (recommended), you first must select Shape Inbound Traffic.

EdgeConnect Licensing: Only visible on EdgeConnect appliances.

  • You can change the bandwidth allotted for this appliance by selecting the appropriate option from the EC drop-down list. Your options are based on the licensing you have purchased.

  • If you have purchased a pool of Boost for your network, you can allocate a portion of it on the Deployment dialog box. You can also direct allocations to specific types of traffic in the Business Intent Overlays.

  • To view the licensing and distribution of EdgeConnect and Boost bandwidth for your appliances, navigate to the Configuration > Overlays & Security > Licensing > Licenses tab.


  • EdgeConnect supports etherchannel bonding of multiple physical interfaces of the same media type into a single virtual interface. For example, wan0 plus wan1 bond to form bwan0. This increases throughput on a very high-end appliance and/or provides interface-level redundancy.

  • For bonding on a virtual appliance, you would need to configure the host instead of the appliance. For example, on a VMware ESXi host, you would configure NIC teaming to get the equivalent of etherchannel bonding.

  • Whether you use a physical or a virtual appliance, etherchannel must also be configured on the directly connected switch/router. Refer to Aruba SD-WAN user documentation.

Back to top

© Copyright 2024 Hewlett Packard Enterprise Development LP.

To view the end-user software agreement, go to HPE Aruba Networking EULA.

Open Source Code:

This product includes code licensed under certain open source licenses which require source compliance. The corresponding source for these components is available upon request. This offer is valid to anyone in receipt of this information and shall expire three years following the date of the final distribution of this product version by Hewlett Packard Enterprise Company. To obtain such source code, please check if the code is available in the HPE Software Center at but, if not, send a written request for specific software version and product for which you want the open source code. Along with the request, please send a check or money order in the amount of US $10.00 to:

Hewlett Packard Enterprise Company
Attn: General Counsel
WW Corporate Headquarters
1701 E Mossy Oaks Rd Spring, TX 77389
United States of America