Link Search Menu Expand Document

Business Intent Overlays

Configuration > Overlays & Security > Business Intent Overlays

Use the Business Intent Overlays (BIOs) tab to create separate, logical networks that are individually customized to your applications and requirements within your network. By default, there are several predefined overlays matching a range of traffic within your network.

The overlay summary table is used for easy comparison of values between your various configured overlays. You can select any link in the table and the Overlay Configuration dialog box launches. You can also temporarily save your changes before officially applying those changes to your overlay. The pending configuration updates are indicated by an orange box around the edited item. Click Save and Apply Changes to Overlays when you are ready to apply the changes and click Cancel if you want to delete the changes.

Overview

Orchestrator matches traffic to an ACL, progressing down the ordered priority list of overlays until it identifies the first one that matches. The matched traffic is then analyzed against the internet traffic configuration of the overlay and forwarded within the fabric, or broken out to the internet based on the preferred policy order. If the software determines that the traffic is not destined for the internet, it refers to the WAN Link Bonding Policy configuration and forwards traffic accordingly within the overlay.

SD-WAN Traffic to Internal Subnets

Overlay Configuration

You can begin to configure or modify a default overlay in the Overlay column. You can also select any icon on the Business Intent Overlay page and the selected editor or dialog box opens.

Complete the following steps to configure your overlay.

  1. Select the name of the overlay. The Overlay Configuration window opens. If you want to edit the default overlay or create a new overlay, enter the new name of the overlay in the Name field.

  2. Select the Match field and choose the match criteria from the menu.

  3. Click the edit icon next to the ACL field. To apply default ACLs or create your own, click Add Rule in the Associate ACL window.

  4. Click Save.

Region

To view the associated region within your overlay, click Regions in the Region column in the overlay summary table. To modify, remove, or edit overlay settings for a selected region, select it from the Region drop-down list at the right-top of the Overlay Configuration window. For more information about Regions, refer to the help on the tab.

Topology

Select the type of topology you want to apply to your overlay and network. You can choose between the following types of topology:

  • Mesh: Choose Mesh if you want to make a local network.

  • Hub & Spoke: Hubs are used to build tunnels in Hub & Spoke networks and route traffic between regions. If you choose Hub & Spoke, any appliance set as a hub will serve as a hub in any overlay applied to it. Hubs in different regions mesh with each other to support regional routing. To configure hubs, click Hubs at the top of the page.

  • Regional Mesh and Regional Hub & Spoke: To streamline the number of tunnels created between groups of appliances that are geographically dispersed, you can assign appliances to Regions and select Regional Mesh or Regional Hub & Spoke.

  1. At the top of the page, click Regions.

  2. You can add and remove a region or view the status of each overlay within a selected region.

Building SD-WAN Using These Interfaces

You can select which WAN interfaces you want to use for each device to connect to the SD-WAN. First, you assign your traffic to go to the Primary interfaces. If the Primary interface is unavailable or not meeting the desired Service Level Objectives configured, either the Secondary or Backup interfaces are used depending on what you have configured. You can configure only Backup interfaces, only Secondary interfaces, or both Secondary and Backup interfaces. Move the desired interfaces between the Primary, Secondary, and Backup boxes. The interfaces are grayed out until they are moved into the boxes.

  • Cross Connect – Allows you to define tunnels built between each interface label. By default, tunnels are formed between labels with the same name. For example, if you have INETA configured on two appliances that are both members of the same mesh overlay topology, those appliances will be connected via a tunnel over the INETA label. In most cases there will be more than one internet link at a given site resulting in the use of INETA and INETB. In this case, it is necessary to cross connect INETA to INETB by placing both labels into the same group. If both INETA and INETB are configured with “Group 1” then tunnels will be formed from INETA <> INETB and INETA <> INETA.

  • Show/Hide Secondary – Click Show Secondary to display the Secondary box, so you can drag interfaces into the box to enable Secondary interfaces. If you do not enable Secondary interfaces, you can click Hide Secondary to close the Secondary box.

  • Add Secondary if Primary Are – Specifies when the system should use the Secondary interfaces. Select either Down or Not Meeting Service Levels. Secondary interfaces will be used before Backup interfaces if you have you have both configured.

  • Add Backup if Above Are – Specifies when the system should use the Backup interfaces. Select either Down or Not Meeting Service Levels. If you have Secondary interfaces configured, Backup interfaces will be used when both the Primary and Secondary interfaces are unavailable and not meeting the configured Service Level Objectives.

NOTE: The order that labels appear in the Primary, Secondary, and Backup boxes only matters when Custom bonding is used and Link Selection is set to “Waterfall” with Rank Links By set to “Fixed Order”.

Service Level Objective (SLO)

Traffic is routed through the primary interfaces exclusively until the Service Level Objectives (SLOs) for Loss, Latency, or Jitter have been exceeded. If this occurs, backup interfaces are added to the overlay to help meet the specified SLO.

You should configure SLOs based on the tolerance of the application to network performance. You should not configure SLOs based on the type of network or expected performance of the network itself. SLOs are about the application, not the network. For example, for voice SLOs most customers find 250ms Latency, 50ms Jitter, and 10% Loss to be acceptable parameters.

For High Availability and High Quality “waterfall” overlay modes, when an underlay violates the Loss SLO, the underlay is not removed from the overlay until the overlay itself violates the SLO. For High Throughput and and High Efficiency “balanced” modes, when an underlay violates the Loss SLO it is immediately removed from the overlay. This behavior is controlled by the Exclude Links BIO setting and can be modified using the Custom link bonding policy.

The Exclude Links setting does not apply to Latency or Jitter SLOs. Those SLOs always operate with Exclude Links set to “on Underlay Brownout”.

NOTE: If all links are in violation of SLOs, the system acts as if no SLO is configured and all links are configured as primary.

You can select the following Link Bonding Policies when you need to specify the criteria for selecting the best route possible when data is sent between multiple tunnels and appliances. You can also select custom bonding, which enables you to customize link prioritization and traffic steering policies based on multiple criteria.

Field Description
High Availability High availability chooses the best performing path, uses the path until it is near full, then waterfalls traffic onto the next best performing path. All traffic receives 1:1 FEC (forward error correction) when a copy of the packet is placed on another transport. High availability link bonding policy type should be used only for real-time traffic, since it renders the effective bandwidth to 50%.
High Quality High quality policy chooses the best performing path, uses the path until it is near full, then waterfalls traffic onto the next best performing path. Adaptive FEC is used to provide parity packets only if there is degradation of the circuit. High quality link bonding policy should be used as the default selection for all non-real-time traffic types.
High Throughput High throughput policy load-balances packets across all transports performing below the SLO defined in the BIO. Adaptive FEC is used to provide parity packets only if there is degradation of the circuit. This link bonding policy is used only in unique circumstances.
High Efficiency High efficiency policy load-balances packets across all transports performing below the SLO defined in the BIO. No FEC is used in this bonding policy. This link bonding policy is used only in unique circumstances.
Custom If the current fixed overlay bonding modes are not flexible enough, the Custom link bonding policy allows for fine tuning your network performance. Custom link bonding preserves existing bonding modes (HA, HQ, HT, HE) while allowing customization of link bonding characteristics on a per-overlay basis. This should only be used when absolutely necessary. If you select Custom, see the following table for information about the settings.

If you select Custom link bonding, enter the appropriate information for the following fields.

Field Description
FEC Wait Time Measured in milliseconds (ms). This controls how long to wait to fill a packet before sending. A lower number indicates more FEC overhead.
Exclude Links This controls when an underlay is removed from an overlay during brownout conditions.

On overlay brownout – Wait for the overlay to see a loss before removing any underlays from the overlay. This allows bandwidth to be used, but there could be increased latency due to path conditioning.

On underlay brownout – Remove the underlay from the overlay as soon as it violates the brownout threshold.

NOTE: The Exclude Links setting only applies to the Loss SLO. When underlays violate a Latency or Jitter SLO they are immediately removed from the Overlay regardless of the Exclude Links setting.
Link Reorder Frequency This controls how aggressively underlays are evaluated and determines when to switch traffic from one link to another. It also controls the ranking and eligibility of links, which impacts Link Selection and brownout behavior.

Aggressive – Changes in underlay performance are detected within a few seconds. This setting is best for high-speed networks, such as dual high speed internet links.

Moderate – Changes in underlay performance are detected within about a minute.

Conservative – Changes in underlay performance take several minutes to detect. This is useful for situations where you want to be certain that the primary link is not performing as expected before switching to another link.
Path Conditioning Measured as a percentage. This controls the amount of FEC employed for the overlay. More FEC means more overhead but a higher chance to recover lost or delayed packets.

NOTE: For HQ and HA modes that use Waterfall, when two or more links are present FEC is transmitted on the second-best link. For HT and HE modes that use Balanced link selection, FEC is spread over all eligible underlays.
Packet Reorder Wait Time Measured in milliseconds (ms). This determines how long to wait for packet order correction (POC) to occur. When the wait time expires, all missed packets are declared as lost packets. If the EdgeConnect sees packets not arriving or arriving out of order, it dynamically increases this timer.
Link Selection Waterfall – Cascades packets across eligible underlays based on one of five quality measures. Select one of the quality measures from the drop down menu: Overall Quality, Latency, Loss, Jitter, or Link Order. Waterfall is used for both High Availability and High Quality overlay modes.

Balanced – Per-packet load balancing across all eligible underlays based on one of three modes. Select one of the modes from the drop down menu:
Link Capacity (Local) – Fills the “most open” link first. The EdgeConnect fills whichever link has the most bandwidth available until all links have the same amount of absolute available bandwidth. This balancing mode is used by the High Throughput overlay mode.
Link Utilization (Local) – Fills links proportionally to total link capacity.
Link Utilization (Local & Remote) – Fills links based on tunnel capacity. This balancing mode is used by the High Efficiency overlay mode.

For Link Utilization mode, the EdgeConnect tries to keep all links at the same percent (%) utilization. For example, if one link is at 50% utilization, the EdgeConnect fills the other links until all links are at 50% utilization.

QoS and Optimization

To further customize your overlay configuration, enter the appropriate information for the following fields.

Field Description
FW Zone Select the firewall zone you want to restrict traffic to from an overlay.
NOTE: This field is disabled when end-to-end zone-based firewall is enabled.
Boost Select Enabled if you want to apply any purchased Boost to your overlay or select Disabled if you do not want to apply Boost to your overlay.
Peer Unavailable Option Select what the appliance should do when there is no peer reachable via a tunnel. Select a specific label, Use Best Route, or Drop. If you select a specific label, the appliance routes the traffic to that link.

Best Route: When selected, the appliance searches for the next best route that is available.

Drop: When selected, the appliance drops the connection.
Traffic Class Channels traffic to the desired queue based on the applied service.
LAN DSCP Select the DSCP you want to apply as a filter to the LAN interface.
WAN DSCP Select the DSCP you want to apply as a filter to the WAN interface.

Breakout Traffic to Internet and Cloud Services

You can use the Breakout Traffic to Internet & Cloud Services to monitor and manage traffic coming to or from the internet.

Hub Versus Branch Breakout Settings

You can create different breakout policies for hubs. Any hub you select in the Topology section also displays at the top of the Internet Traffic to Web, Cloud Services tab. When you select an individual hub, the Use Branch Settings displays, selected, to the right of the screen. Complete the following steps to create a custom breakout policy for that hub:

  1. Clear the Use Branch Settings check box.

  2. Configure the now accessible parameters.

  3. Click OK.

Preferred Policy Order and Available Policies

  • You can move policies back and forth between the Preferred Policy Order and the Available Policies columns. You can also change their order within a column. The defaults provided are Backhaul via Overlay, Break Out Locally, and Drop.

  • When you select Break Out Locally, confirm that any selected interface that is directly connected to the internet has Stateful Firewall specified in the deployment profile.

  • You can add services (such as Zscaler, Fortigate, or Palo Alto). The service requires a corresponding internet-breakout (Passthrough) tunnel for each appliance traffic to that service. To add a service, select the edit icon next to Available Policies.

  • The Default policy you configure for internet breakout is pushed to all appliances that use the selected Overlay. However, you might want to push different breakout rules to your hubs.

  • You can select the best internet breakout links by specifying the type of Link Selection; either Waterfall or Balanced.

    • If Waterfall is selected, links are ranked on the selected threshold, from best to worst, using an inference system that averages performance of all SDWAN fabric tunnels associated with a given label. In Waterfall mode, flows are routed across the best label until bandwidth utilization is above 80%. Once 80% utilization is reached flows will “waterfall” to the next-best label. For more information about Waterfall mode, see Internet Breakout Trends.

    • If Balanced is selected, flows are subjected to a weighted load-balancing algorithm. The weighting is proportional to the available bandwidth of the link.

    • For both Waterfall and Balanced, if a threshold is configured for Loss, Latency, or Jitter, the system removes the link from Local Breakout eligibility when it exceeds the threshold.

  • You can choose to set IP SLA Rule destinations.

  • If you select the Threshold-based Failover check box, the Preferred Policy Order is applied when all links violate the configured threshold. This setting is useful when you want the system to backhaul traffic during Local Breakout threshold violation. When this check box is cleared, all Local Breakout labels must be down for flows to fall to the next policy.

  • For Local Breakout flows, the system uses session affinity to attempt to keep flows with the same source and destination IPs on the same link. You can change the session affinity timeout.

Complete the following steps.

  1. In the Break Out Locally Using These Interfaces section, drag and drop available interfaces into the Primary or Backup boxes.

  2. Under Link Selection, select Waterfall or Balanced, and enter the amount for the Performance Thresholds: Loss, Latency, Jitter, and Utilization.

  3. If you selected Waterfall, select one of the following thresholds to rank links.

    Field Description
    Auto Default threshold if you do not specify the threshold for your links. The Auto metric uses combined loss and latency to derive the best link. This is the same metric used for determining the best underlay in HQ overlay bonding mode and is referred to as “Overall Quality” in the Link Selection section of the Custom Bonding configuration.
    MOS Inferred average MOS score for a given underlay.
    Loss Inferred average loss percentage as derived from the all Up-Active tunnels for a given underlay.
    Latency Inferred average latency for a given underlay.
    Fixed Order Links are sorted in the order specified under Break Out Locally Using These Interfaces. The link at the top of the Primary list is used first.

    NOTE: Backup links are used only when all primary links are down.

  4. Click the edit icon next to Break Out Locally Using These Interfaces to change the default Local Breakout IPSLA endpoints.

    The IP SLA Rule Destination dialog box appears.

  5. Click the Enable IP SLA rule orchestration toggle. Then enter information in the following fields to change the default Local Breakout IP SLA endpoints and create IP SLA rules.

    Field Description
    Enable IP SLA rule orchestration When enabled, Orchestrator automatically sets up IP SLA rules on all appliances where this overlay is applied.
    Monitor Select one of the three types of probes used to monitor IP SLA endpoints: Ping, HTTP, or HTTPS.

    NOTE: Using HTTPS causes additional CPU load and increased packets due to the overhead of SSL handshaking. Ping or HTTP are recommended.
    Address A comma separated list of hostnames or IP addresses to probe. A response from any of the destinations allows the system to validate the path.
    Proxy Address (optional for HTTP/HTTPS)
    User Agent (optional for HTTP/HTTPS)
    HTTP Request Timeout After an HTTP probe is sent, this is the length of time the system waits to hear back from the destination server.
    Ping Interval/Polling Frequency How frequently the ping or HTTP/HTTPS probe is sent. This value can be set to “1” for ICMP, however, this should be set to “2” or greater for HTTP/HTTPS.
    Rolling average window for Loss and Latency The rolling average for loss and latency for each destination. For a 1 second Keep Alive Interval, this would be a 5 minute rolling average. Reducing the sampling window could cause overly aggressive behavior.
    Reachability The system uses these values to determine if the probe can reach the destinations or not. A good value for these is 5, based on a 1 second Keep Alive Interval. Setting these any lower could cause false positives.

    Mark Up after X Pings/X Sequential Successes – Enter a numeric value. The system makes this many attempts to reach the destinations, and it marks the status of the tunnels as “up” after it receives this many successful responses from any of the destinations.

    Mark Down after X Failed Pings/X Sequential Failures – Enter a numeric value. The system marks the status of the tunnels as “down” after this many consecutive failed responses from ALL destinations.
    Loss The system uses these values as thresholds when calculating percentage loss to determine if the passthrough tunnels are “up” or “down”.

    Mark Up after loss below X% – Enter a percentage. The system marks the status of the tunnels as “up” if the percentage loss calculated from the best performing destination is below this threshold.

    Mark down after loss above X% – Enter a percentage. The system marks the status of the tunnels as “down” if the percentage loss calculated from the best performing destination exceeds this threshold. This means that all destinations in the Address field must have crossed this threshold for the system to invoke the “down” status.
    Latency The system uses these values as thresholds when calculating average latency to determine if the passthrough tunnels are “up” or “down”. These values are measured in milliseconds.

    Mark Up after average latency below X – Enter a numeric value. The system marks the status of the tunnels as “up” if the average latency calculated from the best performing destination is below this threshold.

    Mark Down after average latency above X – Enter a numeric value. The system marks the status of the tunnels as “down” if the average latency calculated from the best performing destination exceeds this threshold. This means that all destinations in the Address field must have crossed this threshold for the system to invoke the “down” status.
    Loss OR Latency, Loss AND Latency Select one of two options for combining the Loss and Latency metrics.

    OR – The system marks the status of the tunnels as “down” if either the Loss or the Latency thresholds are crossed.

    AND – The system marks the status of the tunnels as “down” if both the Loss and Latency thresholds are crossed.
    Check IP SLA status every How frequently EdgeConnect checks to see if the thresholds have been crossed. This is also how frequently a decision is made to move a tunnel in or out of service or to raise an IP SLA Down alarm. 30 seconds is the default. Setting this value much lower could cause false positives or tunnel flapping.
  6. (optional) Click the Threshold-based Failover check box.

  7. Click the edit icon next to Link Selection and in the Session Affinity Settings dialog box, enter a value in the Session Affinity Timeout field. You can enter any value between 0 and 10,000 minutes.

    NOTE: Setting Session Affinity Timeout to “0” disables the Session Affinity feature.


Back to top

© Copyright 2024 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Aruba Networks and the Aruba logo are registered trademarks of Aruba Networks, Inc. Third-party trademarks mentioned are the property of their respective owners. To view the end-user software agreement, go to Aruba EULA.

Open Source Code:

Hewlett Packard Enterprise Company
Attn: General Counsel
WW Corporate Headquarters
1701 E Mossy Oaks Rd Spring, TX 77389
United States of America