Deployment Tab
Configuration > Networking > Deployment
This tab provides summary and detailed views of the selected appliance’s deployment settings.
To change an appliance’s deployment settings, click the Edit icon next to the name of the desired appliance.
The following table describes the fields on the Summary view of this tab.
Field | Description |
---|---|
Appliance | Name of the deployed appliance. |
HA | Name of the appliance with which this appliance is paired for EdgeHA. |
Mode | Indicates the deployment mode for the appliance: Inline Router – Uses separate LAN and WAN interfaces to route data traffic. Bridge – Uses a virtual interface, bvi, created by binding the WAN and LAN interfaces. Server – Both management and data traffic use the mgmt0 interface. |
Outbound Bandwidth | Deployment’s total outbound bandwidth in Kbps. |
Inbound Bandwidth | Deployment’s total inbound bandwidth in Kbps. |
WAN Labels Used | Identify the service, such as MPLS or Internet. |
LAN Labels Used | Identify the data, such as data, VoIP, or replication. |
Segment | Names of the segments used for this appliance deployment. |
License | License tier granted for this appliance deployment. |
Details | Select the information icon to view further deployment details of an appliance. |
The following table describes the fields on the Details view of this tab.
Field | Description |
---|---|
Interface | Name of the LAN or WAN interface. |
Label | Label mapped to the interface. LAN labels refer to traffic type, such as VoIP, data, or replication. WAN labels refer to the service or connection type, such as MPLS, internet, or Verizon. |
Zone | Firewall zone applied to the interface. |
Segment | Name of the segment used for this interface. |
IP/Mask | Interface’s IP address and subnet mask. |
WAN/LAN Side | Indicates that the interface is WAN-side or LAN-side. |
Next Hop | Deployment interface’s next hop router address. |
Public IP | Public IP address. |
Inbound | Interface’s inbound bandwidth in Kbps. |
Outbound | Interface’s outbound bandwidth in Kbps. |
NAT | Indicates whether the appliance is behind a NAT-ed interface. |
Firewall Mode | Indicates the firewall mode for the appliance’s WAN-side interface: Allow All – Permits unrestricted communication. Stateful – Only allows communication from the LAN-side to the WAN-side. Used if the interface is behind the WAN edge router. Stateful+SNAT – Applies Source NAT to outgoing traffic. Used if the interface is directly connected to the Internet. Harden – For traffic inbound from the WAN, the appliance accepts only IPSec tunnel packets that terminate on an EdgeConnect appliance. For traffic outbound to the WAN, the appliance only allows IPSec tunnel packets and management traffic that terminate on an EdgeConnect appliance. |
DHCP | Indicates whether the interface’s IP address is obtained from the DHCP server. |
HA Interface | Indicates whether the interface is part of an EdgeHA link. |
License | License tier granted for this appliance deployment. |
Comment | Additional information for this deployment interface. |
Deployment Dialog Box
The three deployment modes are Bridge, Router, and Server.
WARNING: ALWAYS use Router mode unless you have a legacy, WAN Optimization–specific use case and are well-acquainted with the requirements of Bridge or Server mode deployments.
Enable EdgeHA
EdgeHA mode is a high availability cluster configuration that provides appliance redundancy by pairing two EdgeConnect devices together.
When you configure two EdgeConnect appliances in EdgeHA mode, the resilient cluster acts as a single logical system for orchestrated WAN functions. It extends the robust SD-WAN multipathing capabilities, such as Business Intent Overlays, seamlessly across the two devices as though they were one entity.
With EdgeHA mode, a WAN uplink is physically plugged into a single one of the EdgeConnect appliances but is available to both in the cluster. For WAN connections that perform NAT (for example, a consumer-grade Broadband Internet connection), it means that only a single Public IP needs to be provisioned in order for both EdgeConnect devices in the EdgeHA cluster to be able to build Business Intent Overlays using that transport resource. The same is true for orchestrated tunnels to third-party cloud services, such as Zscaler and AWS Transit Gateway.
NOTE: EdgeHA mode provides clustering for WAN-side functions only. You must select and configure an appropriate LAN-side redundancy mechanism for a given business location. Available options are VRRP+IP SLA, BGP, and OSPF.
To enable EdgeHA:
-
Select the EdgeHA check box.
-
Configure the interfaces (LAN-side and WAN-side) on both EdgeConnect devices to reflect the WAN connections that are plugged into each one of the respective appliances.
NOTE: Both EdgeConnect devices will be able to leverage all WAN connections regardless of which chassis they are physically plugged into. It is, however, important to match the interface configuration displayed on the Deployment dialog box to the actual chassis the WAN connection is physically and directly connected to.
-
Select the physical ports on the respective EdgeConnect appliances that you will connect to each other using an Ethernet cable (RJ-45 twisted pair or SR optical fiber).
NOTE: You can choose any LAN or WAN port combination for this HA Link that is available on the respective EdgeConnect chassis. You must match the media type and speed for both ends of the HA link. (For example, 1 Gigabit-Ethernet RJ-45 to RJ-45 or 10 Gigabit-Ethernet multimode fiber LC-connector-to-LC-connector). Also, note that you cannot use MGMT ports for the HA Link; only LAN or WAN ports.
IPSec over UDP Tunnel Configuration
For both EdgeConnect appliances in a high availability cluster to be able to share a common transport connection, you must set the tunnel type to IPSec over UDP mode. This is the default tunnel mode for all deployments running ECOS 8.1.6/Orchestrator 8.2 or later.
NOTE: For SD-WAN fabrics upgraded from earlier releases, see Tunnel Settings in Orchestrator (Orchestrator > Orchestrator Server > Tools > Tunnel Settings) to change to IPSec over UDP mode.
You must configure the same site name for both appliances in the EdgeHA pair so that Orchestrator assigns a unique IPSec UPD port number for each appliance.
LAN-side High Availability
Typically, in a branch site deployment, you will choose to configure the cluster with VRRP+IP SLA to modify priority and subnet sharing metrics based on VRRP and WAN interface status. For more advanced deployments with Layer 3 routers or switching on the LAN side, BGP or OSPF can be configured. For details, refer to the EdgeHA High Availability Deployment Guide.
LAN-side Monitoring
The IP SLA feature should be configured to monitor the LAN-side VRRP state in order to automatically disable subnet sharing from that appliance in the case of a LAN link failure.
For more information, refer to the IP SLA configuration guide.
Map Labels to Interfaces
-
On the LAN side, labels are optional. You can use them as match criteria for Business Intent Overlay ACLs, such as data, VoIP, or replication.
-
On the WAN side, labels identify the link type, such as MPLS or Internet. These labels are mandatory. Orchestrator uses them to build Business Intent Overlay policies.
-
To create or manage a global pool of labels, either:
-
Navigate to Configuration > Overlays & Security > Deployment Profiles, click the Edit icon next to Label, and make the appropriate changes, or
-
Navigate to Configuration > Overlays & Security > Interface Labels) and make the appropriate changes.
-
-
The change you make to a label propagates automatically. For example, it renames tunnels that use that labeled interface.
LAN-side Configuration: Segments and Firewall Zones
EdgeConnect Segmentation (VRF) provides orchestrated Layer 3 segmentation, Zone Based Firewall, and IDS—end-to-end across the SD-WAN fabric. Segment and zone policies are global in scope. They are managed on the Configuration > Networking > Routing > Routing Segmentation (VRF) tab.
Segments and zones are then assigned to LAN-side interfaces for each appliance by using the Deployment dialog box. By default, the Segment and FW Zone fields on LAN interfaces are set to the system-generated Default segment. You can select a different segment and firewall zone from the drop-down lists. These lists reflect the segments and zones that are set up on the Routing Segmentation (VRF) tab.
NOTE: The segment for WAN interfaces cannot be changed.
LAN–side Configuration: DHCP and Router Advertisements
-
By default, the LAN IP does not act as a DHCP Server. Based on your configuration, you can set the interface to act as a DHCP relay server when the appliance is in Router mode.
-
The global defaults are set in Configuration > Networking > DHCP > DHCP Server Defaults and pre-populate this page. The other choices are No DHCP/No RA and having the appliance act as a DHCP/BOOTP Relay.
-
To customize an individual interface on the Deployment screen, click the DHCP-related link under the IP/Mask field. The DHCP Settings / Router Advertisements dialog box opens.
-
Before you can configure DHCP Relay, you must navigate to Management Services and select an interface for DHCP Relay. See Management Services for more information.
If the LAN interface has an IPv4 IP address, click V4 to display the DHCP configuration settings. See V4.
If the LAN interface has an IPv6 IP address, click V6 to display the Router Advertisement settings. See V6.
V4
The following tables describe the various DHCP settings you can configure for LAN interfaces that have IPv4 IP addresses.
DHCP Server
Setting | Description |
---|---|
Subnet Mask | Mask that specifies the default number of IP addresses reserved for any subnet. For example, entering 24 reserves 256 IP addresses. |
IP Range | You can designate one or more IP address ranges available for use. Specify Start IP and End IP addresses. To add another IP address range, click Add. IMPORTANT: Multiple IP ranges cannot overlap. |
Default lease,Maximum lease | Specify, in seconds, how long an interface can keep a DHCP–assigned IP address. |
Gateway IP | Specifies the IP address for the gateway to use. |
DNS server(s) | Specifies the associated Domain Name System servers. |
NTP server(s) | Specifies the associated Network Time Protocol servers. |
NetBIOS name server(s) | Used for Windows (SMB) type sharing and messaging. It resolves the names when you are mapping a drive or connecting to a printer. |
NetBIOS node type | NetBIOS node type of a networked computer relates to how it resolves NetBIOS names to IP addresses. There are four node types: B-node = 0x01 Broadcast P-node = 0x02 Peer (WINS only) M-node = 0x04 Mixed (broadcast, then WINS) H-node = 0x08 Hybrid (WINS, then broadcast) |
DHCP failover | Enables DHCP failover. To set it up, click the Failover Settings link. |
DHCP/BOOTP Relay
Setting | Description |
---|---|
Destination DHCP/BOOTP Server | IP address of the DHCP server assigning the IP addresses. This setting applies to the local interface only. |
Common DHCP server for all segments | Select this check box to set the default values for all segments. HINT: You can reset the defaults in Management Services by setting the DHCP Relay interface to “any” and then selecting an interface label again. However, this might impact service. Or, you can manually reset the defaults by selecting the following values: Option 82 = enabled, Option 82 Policy = append, and select the following sub options: 1, 5, 10, 11, 151, and 152. |
Distinct DHCP server per segment | Select this option to override the DHCP relay configuration set in the Manages Services tab with the settings you select in this dialog box. |
Enable Option 82 | When selected, inserts additional information into the packet header to identify the client’s point of attachment. This setting applies to all LAN-side interfaces on this appliance. IMPORTANT: Changing this setting will modify Option 82 settings on all LAN-side interfaces that are enabled as DHCP Relay. |
Option 82 Policy | Tells the relay what to do with the hex string it receives. The choices are append, replace, forward, and discard. This setting applies to all LAN-side interfaces on this appliance. IMPORTANT: Changing this setting will modify Option 82 settings on all LAN-side interfaces that are enabled as DHCP Relay. |
Sub Options | Select one or more of the following: 1 - Agent Circuit ID: Provides information about the interface or circuit through which the DHCP request was received. 5 - Link selection: Specifies the IP address used by the DHCP server to determine the appropriate subnet for addressing the DHCP client. 10 - Client Unicast/Broadcast Indication flag: Indicates whether the DHCP relay received the client packet as a unicast or broadcast packet. 11 - Server ID Override: Allows the DHCP relay agent to act as a proxy for the DHCP server to process unicast lease renewals. 150 - Link selection (Cisco proprietary): Provides information about a segment or VPN that is necessary to allocate an address to a DHCP client on that segment. 151 - VRF name/VPN ID 152 - VRF name/VPN ID Control Sub-Option OR Server ID Override (Cisco proprietary): Indicates whether the DHCP server supports sub option 151 (VRF Name/VPN ID). If this option is present in the reply from the server, the server does not support option 151. |
V6
The following table describe the various router advertisement settings you can configure for LAN interfaces that have IPv6 IP addresses. The LAN clients can use these options to autoconfigure IPv6 addresses and to learn default gateway addresses.
NOTE: DHCP for IPv6 is not supported.
Setting | Description |
---|---|
Enable Router Advertisements | Specifies whether the router should send RA messages. |
Managed Flag | Select this option to instruct IPv6 hosts to use DHCPv6 to obtain their IPv6 addresses in addition to any other configuration information. |
Other Flag | Select this option to instruct IPv6 hosts to use DHCPv6 to obtain additional configuration information, such as DNS server addresses and other network parameters. |
Link MTU | Set the maximum transmission unit (MTU) size that can be transmitted without fragmentation. This helps ensure that all hosts on the network use the same MTU, avoiding issues related to packet fragmentation and reassembly. |
Max Interval | Specify the maximum interval in seconds between unsolicited RA messages. This helps to control the frequency of RA messages. |
Min Interval | Specify the minimum interval in seconds between unsolicited RA messages. This helps to control the frequency of RA messages. |
Current Hop Limit | Set the default hop limit for IPv6 packets sent by hosts on the network. Hosts use this value to configure their own hop limit for outgoing packets. |
Default Router Preference | Select High, Medium, or Low to set the preference level of the router for use as a default router. Hosts use this value to prioritize multiple routers on the same link. |
Default Router Lifetime | Specify the lifetime in seconds of the default route that is advertised by the router. The hosts use this value to determine how long the router should be used as the default gateway. |
Reachable Time | Specify the time in milliseconds that an IPv6 host considers a neighbor reachable after receiving a confirmation. This value maintains accurate and timely reachability information in the neighbor cache. |
Retrans Timer | Specify the time in milliseconds between retransmissions of neighbor solicitation messages. This value reduces the frequency of retries when attempting to discover or confirm the reachability of neighbors on the network. |
Add a Router Advertisement Prefix
Click Add and complete the following fields.
Considerations
-
RA can be configured only on LAN side interfaces.
-
Users can configure RA only on IPv6 configured interfaces.
-
DHCPv4 server and RA cannot be configured on the same interface at the same time.
-
DHCPv4 relay and RA cannot be configured on the same interface at the same time.
-
RA, DHCPv4 Server, and DHCPv4 Relay cannot be enabled if there is an alias interface configured for the main/primary interface.
-
A maximum of 10 prefixes can be configured in the RA configurations per interface.
Setting | Description |
---|---|
Prefix-id | The ID assigned to the prefix. |
Prefix | The IPv6 prefix to advertise to hosts on the network. Hosts use this prefix to configure their IPv6 addresses and determine the network portion of the IP addresses. |
Autonomous flag | Select whether the prefix can be used by hosts for SLAAC. When set to true, hosts can use the prefix to generate their own IPv6 addresses. |
Onlink flag | Specifies whether the prefix is on-link, which affects how hosts handle routing for addresses within the prefix. If set to true, hosts assume that addresses within the prefix can be reached directly on the local network segment. |
Valid Lifetime | Specify the duration in seconds for which the advertised prefix is valid. |
Preferred Lifetime | Specify the duration in seconds (relative to the time the packet is sent) that addresses generated from the prefix via stateless address auto-configuration remain preferred. |
WAN–side Configuration
Firewall Zone: Zone-based firewall policies are configured globally on the Orchestrator. A zone is applied to an Interface. By default, traffic is allowed between interfaces labeled with the same zone. Any traffic between interfaces with different zones is dropped. You can create exception rules (Security Policies) to allow traffic between interfaces with different zones.
Firewall Mode: Four options are available at each WAN interface:
-
Allow All permits unrestricted communication.
WARNING: Use this option with extreme caution and only if the interface is behind a WAN edge firewall.
-
Stateful only allows communication from the LAN-side to the WAN-side.
Use this option if the interface is behind a WAN edge router.
-
Stateful with SNAT applies Source NAT to outgoing traffic.
Use this option if the interface is connected directly to the Internet and you want to enable local internet breakout.
-
Harden
-
For traffic inbound from the WAN, the appliance accepts only IPSec tunnel packets that terminate on an EdgeConnect appliance.
-
For traffic outbound to the WAN, the appliance only allows IPSec tunnel packets and management traffic that terminate on an EdgeConnect appliance.
-
NAT Settings: To change the NAT setting, click the NAT-related link under the Next Hop field on the WAN side. The NAT Settings dialog box opens.
Select one of the following options:
-
If the appliance is behind a NAT-ed interface, select NAT.
-
If the appliance is not behind a NAT-ed interface, select Not behind a NAT.
-
To assign a destination IP address for tunnels being built from the network to this WAN interface, select the last option and enter the IP address.
Shaping: You can limit bandwidth selectively on each WAN interface.
-
Total Outbound bandwidth is licensed by model. It is the same as max system bandwidth.
-
To enter values for shaping inbound traffic (recommended), you first must select Shape Inbound Traffic.
EdgeConnect Licensing: Only visible on EdgeConnect appliances.
-
You can change the bandwidth allotted for this appliance by selecting the appropriate option from the EC drop-down list. Your options are based on the licensing you have purchased.
-
If you have purchased a pool of Boost for your network, you can allocate a portion of it on the Deployment dialog box. You can also direct allocations to specific types of traffic in the Business Intent Overlays.
-
To view the licensing and distribution of EdgeConnect and Boost bandwidth for your appliances, navigate to the Configuration > Overlays & Security > Licensing > Licenses tab.
BONDING
-
EdgeConnect supports etherchannel bonding of multiple physical interfaces of the same media type into a single virtual interface. For example, wan0 plus wan1 bond to form bwan0. This increases throughput on a very high-end appliance and/or provides interface-level redundancy.
-
For bonding on a virtual appliance, you would need to configure the host instead of the appliance. For example, on a VMware ESXi host, you would configure NIC teaming to get the equivalent of etherchannel bonding.
-
Whether you use a physical or a virtual appliance, etherchannel must also be configured on the directly connected switch/router. Refer to HPE Aruba Networking EdgeConnect SD-WAN user documentation.