Link Search Menu Expand Document

Deployment Profiles

Configuration > Overlays & Security > Deployment Profiles

Instead of configuring each appliance separately, you can create various Deployment Profiles and provision a device by applying the profile you want. For example, you can create a standard format for your branch.

TIP: For a smoother workflow, complete the DHCP Server Defaults tab (Configuration > Networking > DHCP Server Defaults) before creating Deployment Profiles.

You can use Deployment Profiles to simplify provisioning, regardless of whether you choose to create and use Business Intent Overlays.

NOTE: You cannot edit IP/Mask fields because they are appliance-specific.

Map Labels to Interfaces

  • On the LAN side, labels are optional. They can be used as match criteria for Business Intent Overlay ACLs, such as data, VoIP, or replication.

  • On the WAN side, labels identify the link type, such as MPLS or Internet. These labels are mandatory. They are used by Orchestrator to build Business Intent Overlay policies.

  • To create or manage a global pool of labels, either:

    • Navigate to Configuration > Overlays & Security > Deployment Profiles, click the Edit icon next to Label, and make the appropriate changes, or

    • Navigate to Configuration > Overlays & Security > Interface Labels) and make the appropriate changes.

  • The change you make to a label propagates automatically. For example, it renames tunnels that use that labeled interface.

LAN-side Configuration: Segments and Firewall Zones

EdgeConnect Segmentation (VRF) provides orchestrated layer-3 segmentation, Zone Based Firewall, and IDS—end-to-end across the SD-WAN fabric. Segment and zone policies are global in scope. They are managed on the Configuration > Networking > Routing > Routing Segmentation (VRF) tab.

Segments and zones are then assigned to LAN-side interfaces for each appliance by using the Deployment dialog box. By default, the Segment and FW Zone fields on LAN interfaces are set to the system-generated Default segment. You can select a different segment and firewall zone from the drop-down lists. These lists reflect the segments and zones that are set up on the Routing Segmentation (VRF) tab.

NOTE: The segment for WAN interfaces cannot be changed.

LAN–side Configuration: DHCP

  • By default, each LAN IP acts as a DHCP Server when the appliance is in (the default) Router mode.

  • The global defaults are set in Configuration > Networking > DHCP Server Defaults and pre-populate this page. The other choices are No DHCP and having the appliance act as a DHCP/BOOTP Relay.

  • Enter the LAN interface from the drop-down. Click +IP to add a specific IP address.

  • Enter the IP address of the specific LAN interface above the NO DHCP link.

  • To customize an individual interface on the Deployment Profiles tab, click the DHCP-related link under the IP/Mask field. The DHCP Settings dialog box opens.

    The following tables describe the various DHCP settings you can configure.

    DHCP Server

    Field Description
    Subnet Mask Mask that specifies the default number of IP addresses reserved for any subnet. For example, entering 24 reserves 256 IP addresses.
    Exclude first N addresses Specifies how many IP addresses are not available at the beginning of the subnet’s range.
    Exclude last N addresses Specifies how many IP addresses are not available at the end of the subnet’s range.
    Default lease, Maximum lease Specify, in hours, how long an interface can keep a DHCP–assigned IP address.
    Default gateway Indicates whether the default gateway is being used.
    DNS server(s) Specifies the associated Domain Name System servers.
    NTP server(s) Specifies the associated Network Time Protocol servers.
    NetBIOS name server(s) Used for Windows (SMB) type sharing and messaging. It resolves the names when you are mapping a drive or connecting to a printer.
    NetBIOS node type NetBIOS node type of a networked computer relates to how it resolves NetBIOS names to IP addresses. There are four node types:

    B-node – 0x01 Broadcast

    P-node – 0x02 Peer (WINS only)

    M-node – 0x04 Mixed (broadcast, then WINS)

    H-node – 0x08 Hybrid (WINS, then broadcast)
    DHCP failover Enables DHCP failover. To set it up, click the Failover Settings link.

    DHCP/BOOTP Relay

    Field Description
    Destination DHCP/BOOTP Server IP address of the DHCP server assigning the IP addresses. This setting applies to the local interface only.
    Enable Option 82 When selected, inserts additional information into the packet header to identify the client’s point of attachment. This setting applies to all LAN-side interfaces on this appliance.

    IMPORTANT: Changing this setting will modify Option 82 settings on all LAN-side interfaces that are enabled as DHCP Relay.
    Option 82 Policy Tells the relay what to do with the hex string it receives. The choices are append, replace, forward, and discard. This setting applies to all LAN-side interfaces on this appliance.

    IMPORTANT: Changing this setting will modify Option 82 settings on all LAN-side interfaces that are enabled as DHCP Relay.

WAN–side Configuration

Select the WAN-side label you want to apply to this deployment. Click the edit icon to add a new interface or delete a previously configured interface.

Firewall Zone: Zone-based firewall policies are configured globally on the Orchestrator. A zone is applied to an Interface. By default, traffic is allowed between interfaces labeled with the same zone. Any traffic between interfaces with different zones is dropped. You can create exception rules (Security Policies) to allow traffic between interfaces with different zones. The firewall zones you have already configured will be in the list under FW Zone. Select the Firewall Zone you want to apply to the WAN you are deploying.

Firewall Mode: Four options are available at each WAN interface:

  • Allow All permits unrestricted communication. Use this option with extreme caution and only if the interface is behind a WAN edge firewall.

  • Stateful only allows communication from the LAN-side to the WAN-side.

    Use this if the interface is behind a WAN edge router.

  • Stateful with SNAT applies Source NAT to outgoing traffic.

    Use this if the interface is directly connected to the Internet and you want to enable local internet breakout.

  • Harden

    • For traffic inbound from the WAN, the appliance accepts only IPSec tunnel packets that terminate on an EdgeConnect appliance.

    • For traffic outbound to the WAN, the appliance only allows IPSec tunnel packets and management traffic that terminate on an EdgeConnect appliance.

NAT Settings: To change the NAT setting, click the NAT-related link under the Next Hop field on the WAN side. The NAT Settings dialog box opens.

Select one of the following options:

  • If the appliance is behind a NAT-ed interface, select NAT.

  • If the appliance is not behind a NAT-ed interface, select Not behind NAT.

  • Enter an IP address to assign a destination IP for tunnels being built from the network to this WAN interface.

Shaping: You can limit bandwidth selectively on each WAN interface.

  • Total Outbound bandwidth is licensed by model. It is the same as max system bandwidth.

  • To enter values for shaping inbound traffic (recommended), you must first select Shape Inbound Traffic.

EdgeConnect Licensing: Only visible on EdgeConnect appliances.

  • For additional bandwidth, you can purchase Plus, and then select it here for this profile.

  • If you have purchased a pool of Boost for your network, you can allocate a portion of it in a Deployment Profile. You can also direct allocations to specific types of traffic in the Business Intent Overlays.

  • To view how you have distributed Plus and Boost, navigate to the Configuration > Overlays & Security > Licensing > Licenses tab.

  • Select the appropriate licensing you have applied to your EdgeConnect appliance from the menu. The licenses will only display depending on the licenses you have for that particular account. You can select the following licensing options:

    • Mini

    • Base

    • Base + Plus

    • 50 Mbps

    • 200 Mbps

    • 500 Mbps

    • 1 Gbps

    • 2 Gbps

    • Unlimited

    NOTE: You must have the correct hardware to support the license selected.

BONDING

  • EdgeConnect supports etherchannel bonding of multiple physical interfaces of the same media type into a single virtual interface. For example, wan0 plus wan1 bond to form bwan0. This increases throughput on a very high-end appliance and/or provides interface-level redundancy.

  • For bonding on a virtual appliance, you would need to configure the host instead of the appliance. For example, on a VMware ESXi host, you would configure NIC teaming to get the equivalent of etherchannel bonding.

  • Whether you use a physical or a virtual appliance, etherchannel must also be configured on the directly connected switch/router. Refer to Aruba SD-WAN user documentation.

A More Comprehensive Guide to Basic Deployments

This section discusses the basics of three deployment modes: Bridge, Router, and Server modes.

It describes common scenarios, considerations when selecting a deployment, redirection concerns, and some adaptations.

For detailed deployment examples, refer to the Aruba EdgeConnect SD-WAN Edge Platform documentation site for various deployment guides.

In Bridge Mode and in Router Mode, you can provide security on any WAN-side interface by hardening the interface. This means:

  • For traffic inbound from the WAN, the appliance accepts only IPSec tunnel packets.

  • For traffic outbound to the WAN, the appliance only allows IPSec tunnel packets and management traffic.

Bridge Mode

Single WAN-side Router

In this deployment, the appliance is in-line between a single WAN router and a single LAN-side switch.

img

Dual WAN-side Routers

This is the most common 4-port bridge configuration.

img

  • 2 WAN egress routers / 1 or 2 subnets / 1 appliance

  • 2 separate service providers or WAN services (MPLS, IPSec VPN, MetroEthernet, and so forth)

Considerations for Bridge Mode Deployments

  • Do you have a physical appliance or a virtual appliance?

  • A virtual appliance has no fail-to-wire, so you will need a redundant network path to maintain connectivity if the appliance fails.

  • If your LAN destination is behind a router or L3 switch, you need to add a LAN-side route (a LAN next hop).

  • If the appliance is on a VLAN trunk, you need to configure VLANs on the EdgeConnect appliance so that the appliance can tag traffic with the appropriate VLAN tag.

Router Mode

There are four options to consider:

  1. Single LAN interface & single WAN interface

  2. Dual LAN interfaces & dual WAN interfaces

  3. Single WAN interface sharing LAN and WAN traffic

  4. Dual WAN interfaces sharing LAN and WAN traffic

For best performance, visibility, and control, Options #1 and #2 are recommended because they use separate LAN and WAN interfaces. And when using NAT, use Options #1 or #2 to ensure that addressing works properly.

#1 - Single LAN Interface & Single WAN Interface

img

For this deployment, you have two options:

  1. You can put EdgeConnect in-path. In this case, if there is a failure, you need other redundant paths for high availability.

  2. You can put EdgeConnect out-of-path. You can redirect LAN-side traffic and WAN-side traffic from a router or L3 switch to the corresponding interface using WCCP or PBR (Policy-Based Routing).

To use this deployment with a single router that has only one interface, you could use multiple VLANs.

#2 - Dual LAN Interfaces & Dual WAN Interfaces

img

This deployment redirects traffic from two LAN interfaces to two WAN interfaces on a single EdgeConnect appliance.

  • 2 WAN next-hops / 2 subnets / 1 appliance

  • 2 separate service providers or WAN services (MPLS, IPSec VPN, MetroEthernet, and so forth)

    Out-of-path dual LAN and dual WAN interfaces

    2 services

For this deployment, you have two options:

  1. You can put EdgeConnect in-path. In this case, if there is a failure, you need other redundant paths for high availability.

  2. You can put EdgeConnect out-of-path. You can redirect LAN-side traffic and WAN-side traffic from a router or L3 switch to the corresponding interface using WCCP or PBR (Policy-Based Routing).

#3 - Single WAN Interface Sharing LAN and WAN traffic

routerMode_share_1-IF

This deployment redirects traffic from a single router (or L3 switch) to a single subnet on the EdgeConnect appliance.

  • This mode only supports out-of-path.

  • When using two EdgeConnects at the same site, this is also the most common deployment for high availability (redundancy) and load balancing.

  • For better performance, control, and visibility, Router mode Option #1 is recommended instead of this option.

#4 - Dual WAN Interfaces Sharing LAN and WAN traffic

img

This deployment redirects traffic from two routers to two interfaces on a single EdgeConnect appliance.

This is also known as Dual-Homed Router Mode.

  • 2 WAN next-hops / 2 subnets / 1 appliance.

  • 2 separate service providers or WAN services (MPLS, IPSec VPN, MetroEthernet, and so forth).

  • This mode only supports out-of-path.

  • For better performance, control, and visibility, Router mode Option #2 is recommended instead of this option.

Considerations for Router Mode Deployments

  • Do you want your traffic to be in-path or out-of-path? This mode supports both deployments. In-path deployment offers much simpler configuration.

  • Does your router support VRRP, WCCP, or PBR? If so, you might want to consider out-of-path Router mode deployment. You can set up more complex configurations, which offer load balancing and high availability.

  • Are you planning to use host routes on the server/end station?

  • In the rare case when you need to send inbound WAN traffic to a router other than the WAN next hop router, use LAN-side routes.

Examine the Need for Traffic Redirection

Whenever you place an appliance out-of-path, you must redirect traffic from the client to the appliance.

There are three methods for redirecting outbound packets from the client to the appliance (known as LAN-side redirection, or outbound redirection):

  • PBR (Policy-Based Routing) – Configured on the router. No other special configuration required on the appliance. This is also known as FBR (Filter-Based Forwarding).

    If you want to deploy two EdgeConnects at the site for redundancy or load balancing, you also need to use VRRP (Virtual Router Redundancy Protocol).

  • WCCP (Web Cache Communication Protocol) – Configured on both the router and the EdgeConnect appliance. You can also use WCCP for redundancy and load balancing.

  • Host routing – The server/end station has a default or subnet-based static route that points to the EdgeConnect appliance as its next hop. Host routing is the preferred method when a virtual appliance is using a single interface, mgmt0, for datapath traffic (also known as Server Mode).

    To ensure end-to-end connectivity in case of appliance failure, consider using VRRP between the appliance and a router, or the appliance and another redundant EdgeConnect.

How you plan to optimize traffic also affects whether you also need inbound redirection from the WAN router (known as WAN-side redirection):

  • If you use subnet sharing (which relies on advertising local subnets between EdgeConnect appliances) or route policies (which specify destination IP addresses), you only need LAN-side redirection.

  • If, instead, you rely on TCP-based or IP-based auto-optimization (which relies on initial handshaking outside a tunnel), you must also set up inbound and outbound redirection on the WAN router.

  • For TCP flows to be optimized, both directions must travel through the same client and server appliances. If the TCP flows are asymmetric, you need to configure flow redirection among local appliances.

A tunnel must exist before auto-optimization can proceed. There are three options for tunnel creation:

  • If you enable auto-tunnel, the initial TCP-based or IP-based handshaking creates the tunnel. This means that the appropriate LAN-side and WAN-side redirection must be in place.

  • You can allow the Initial Configuration Wizard to create the tunnel to the remote appliance.

  • You can create a tunnel manually on the Configuration > Networking > Tunnels > Tunnels page.

Server Mode

This mode uses the mgmt0 interface for management and datapath traffic.

img

ADD DATA INTERFACES

  • You can create additional data-plane Layer 3 interfaces to use as tunnel endpoints.

  • To add a new logical interface, click +IP.

Back to top

© Copyright 2023 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Aruba Networks and the Aruba logo are registered trademarks of Aruba Networks, Inc. Third-party trademarks mentioned are the property of their respective owners. To view the end-user software agreement, go to Aruba EULA.

Open Source Code:

Hewlett Packard Enterprise Company
Attn: General Counsel
WW Corporate Headquarters
1701 E Mossy Oaks Rd Spring, TX 77389
United States of America