Deployment Profiles
Configuration > Overlays & Security > Deployment Profiles
Instead of configuring each appliance separately, you can create several Deployment Profiles and provision a device by applying the profile you want. For example, you can create one standard profile for all of your branch offices.
TIP: For a smoother workflow, complete the DHCP Server Defaults tab (Configuration > Networking > DHCP Server Defaults) before creating Deployment Profiles.
You can use Deployment Profiles to simplify provisioning, regardless of whether you choose to create and use Business Intent Overlays.
NOTE: You cannot edit IP/Mask fields because they are appliance-specific.
Map Labels to Interfaces
- On the LAN side, labels are optional. They can be used as match criteria for Business Intent Overlay ACLs, such as data, VoIP, or replication.
- On the WAN side, labels identify the link type, such as MPLS or Internet. These labels are mandatory; Orchestrator uses them to build Business Intent Overlay policies.
- To create or manage the global pool of labels, either:
  - Navigate to Configuration > Overlays & Security > Deployment Profiles, click the Edit icon next to Label, and make the appropriate changes, or
  - Navigate to Configuration > Overlays & Security > Interface Labels and make the appropriate changes.
- A change you make to a label propagates automatically. For example, renaming a label renames the tunnels that use that labeled interface.
LAN-side Configuration: Segments and Firewall Zones
EdgeConnect Segmentation (VRF) provides orchestrated layer-3 segmentation, Zone Based Firewall, and IDS—end-to-end across the SD-WAN fabric. Segment and zone policies are global in scope. They are managed on the Configuration > Networking > Routing > Routing Segmentation (VRF) tab.
Segments and zones are then assigned to LAN-side interfaces for each appliance by using the Deployment dialog box. By default, the Segment and FW Zone fields on LAN interfaces are set to the system-generated Default segment. You can select a different segment and firewall zone from the drop-down lists. These lists reflect the segments and zones that are set up on the Routing Segmentation (VRF) tab.
NOTE: The segment for WAN interfaces cannot be changed.
LAN-side Configuration: DHCP and Router Advertisements
- By default, the LAN interface does not act as a DHCP server. Depending on your configuration, you can set the interface to act as a DHCP relay agent when the appliance is in Router mode.
- The global defaults are set in Configuration > Networking > DHCP Server Defaults and pre-populate this page. The other choices are No DHCP/No RA and having the appliance act as a DHCP/BOOTP Relay.
- Select the LAN interface from the drop-down. Click +IP to add a specific IP address.
- Enter the IP address of the specific LAN interface above the NO DHCP link.
- To customize an individual interface on the Deployment Profiles tab, click the DHCP-related link under the IP/Mask field. The DHCP Settings / Router Advertisements dialog box opens.
- Before you can configure DHCP on an interface, you must navigate to Management Services and select an interface for DHCP Relay. See Management Services for more information.
If the LAN interface has an IPv4 IP address, click V4 to display the DHCP configuration settings. See V4.
If the LAN interface has an IPv6 IP address, click V6 to display the Router Advertisement settings. See V6.
V4
The following tables describe the various DHCP settings you can configure for LAN interfaces that have IPv4 IP addresses.
DHCP Server
Field | Description |
---|---|
Subnet Mask | Prefix length of the subnet, which determines how many IP addresses it contains. For example, entering 24 (a /24) reserves 256 IP addresses. |
Exclude first N addresses | Specifies how many IP addresses at the beginning of the subnet's range are not available for leasing. |
Exclude last N addresses | Specifies how many IP addresses at the end of the subnet's range are not available for leasing. |
Default lease, Maximum lease | Specify, in seconds, the lease length offered to a client by default and the longest lease a client may request. |
Default gateway | Indicates whether the default gateway is being used. |
DNS server(s) | Specifies the associated Domain Name System servers. |
NTP server(s) | Specifies the associated Network Time Protocol servers. |
NetBIOS name server(s) | Used for Windows (SMB) type sharing and messaging. It resolves the names when you are mapping a drive or connecting to a printer. |
NetBIOS node type | Determines how a networked computer resolves NetBIOS names to IP addresses. There are four node types: B-node (0x01) broadcast; P-node (0x02) peer, WINS only; M-node (0x04) mixed, broadcast then WINS; H-node (0x08) hybrid, WINS then broadcast. |
DHCP failover | Enables DHCP failover. To set it up, click the Failover Settings link. |
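As an added example (not part of the Orchestrator documentation or the product's own code), the following Python models the Subnet Mask, Exclude first N, Exclude last N and lease fields above and computes the pool the server would actually lease from. It also flags the misconfiguration a practitioner most often meets: leaving the interface's own address inside the pool. The assumptions that "Exclude first N" counts from the network address, "Exclude last N" counts back from the broadcast address, and that those two addresses are never leased are mine; the page does not spell them out.

```python
import ipaddress


def dhcp_pool(interface_ip: str, prefix_len: int, exclude_first: int = 0,
              exclude_last: int = 0, default_lease: int = 86400,
              max_lease: int = 86400) -> dict:
    """Return the lease pool implied by the DHCP Server fields of a LAN interface.

    Assumptions (not stated on the page): "Exclude first N" counts from the
    network address, "Exclude last N" counts back from the broadcast address,
    and the network and broadcast addresses are never leased even when both
    exclusions are 0.
    """
    iface = ipaddress.ip_interface(f"{interface_ip}/{prefix_len}")
    net = iface.network
    if net.prefixlen > 30:
        raise ValueError("prefix too small to hold a client pool")

    # A /24 reserves 256 addresses, as the Subnet Mask field describes.
    reserved = net.num_addresses
    first = net.network_address + max(exclude_first, 1)
    last = net.broadcast_address - max(exclude_last, 1)
    if first > last:
        raise ValueError("exclusions leave no leasable addresses")

    # The appliance's own LAN address must never be handed to a client; a
    # low interface address (.1) with no exclusion is the usual mistake.
    if first <= iface.ip <= last:
        raise ValueError(
            f"interface address {iface.ip} lies inside the pool {first}-{last}; "
            "raise 'Exclude first N' or 'Exclude last N'")

    if default_lease > max_lease:
        raise ValueError("Default lease may not exceed Maximum lease")

    return {
        "network": str(net),
        "reserved": reserved,
        "first": str(first),
        "last": str(last),
        "leasable": int(last) - int(first) + 1,
        "default_lease": default_lease,
        "max_lease": max_lease,
    }
```

For a LAN interface at 10.1.1.1/24 with the first 10 and last 5 addresses excluded, the function reports 256 reserved addresses and a pool of 10.1.1.10 to 10.1.1.250 (241 leases); with no exclusions it refuses the configuration because 10.1.1.1 would be leasable.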
DHCP/BOOTP Relay
Field | Description |
---|---|
Destination DHCP/BOOTP Server | IP address of the DHCP server assigning the IP addresses. This setting applies to the local interface only. |
Common DHCP server for all segments | Select this check box to apply the same relay settings to all segments. HINT: You can reset the defaults in Management Services by setting the DHCP Relay interface to "any" and then selecting an interface label again. However, this might impact service. Or, you can manually reset the defaults by selecting the following values: Option 82 = enabled, Option 82 Policy = append, and sub options 1, 5, 10, 11, 151, and 152. |
Distinct DHCP server per segment | Select this option to override the DHCP relay configuration set on the Management Services tab with the settings you select in this dialog box. |
Enable Option 82 | When selected, inserts the Relay Agent Information option (DHCP option 82) into relayed requests to identify the client's point of attachment. This setting applies to all LAN-side interfaces on this appliance. IMPORTANT: Changing this setting modifies the Option 82 settings on all LAN-side interfaces that are enabled as DHCP Relay. |
Option 82 Policy | Tells the relay what to do when a client packet already carries an option 82 value. The choices are append, replace, forward, and discard. This setting applies to all LAN-side interfaces on this appliance. IMPORTANT: Changing this setting modifies the Option 82 settings on all LAN-side interfaces that are enabled as DHCP Relay. |
Sub Options | Select one or more of the following: 1 - Agent Circuit ID: identifies the interface or circuit through which the DHCP request was received. 5 - Link Selection: the IP address the DHCP server uses to choose the subnet from which to address the client. 10 - Client Unicast/Broadcast Indication flag: whether the relay received the client packet as unicast or broadcast. 11 - Server ID Override: lets the relay act as a proxy for the DHCP server so that unicast lease renewals pass through it. 150 - Link Selection (Cisco proprietary): identifies the segment or VPN in which the client's address must be allocated. 151 - VRF name/VPN ID. 152 - VRF name/VPN ID Control sub-option, or Server ID Override (Cisco proprietary): indicates whether the DHCP server supports sub-option 151 (VRF name/VPN ID). If this sub-option is present in the reply from the server, the server does not support sub-option 151. |
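The table lists the sub-option codes but not their wire format or how the policy choices behave. As an added example (my code, not the appliance's), the following Python parses and builds DHCP option 82 with sub-options 1, 5, 10, 11, 150, 151 and 152, applies an Option 82 Policy to a client packet that already carries the option, and performs the RFC 6607 check the last row describes: a server that understood the VRF removes sub-option 152 from its reply, so its presence means the client was addressed from the global pool. The policy semantics are assumptions (the page only names the four choices), and the circuit ID, relay address and VRF name are constructed values.

```python
import ipaddress

# Sub-option codes from the Sub Options table.
CIRCUIT_ID = 1            # RFC 3046 Agent Circuit ID
LINK_SELECTION = 5        # RFC 3527
FLAGS = 10                # RFC 5010: bit 0x80 set = client packet arrived as unicast
SERVER_ID_OVERRIDE = 11   # RFC 5107
CISCO_LINK_SELECTION = 150
VSS = 151                 # RFC 6607 Virtual Subnet Selection (VRF name / VPN ID)
VSS_CONTROL = 152         # RFC 6607 VSS-Control


def parse_suboptions(payload: bytes) -> dict:
    """Split the option 82 value into {code: raw bytes}; reject truncated TLVs."""
    subs, i = {}, 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated sub-option header")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"sub-option {code} claims {length} bytes, got {len(value)}")
        subs[code] = value
        i += 2 + length
    return subs


def build_suboptions(subs: dict) -> bytes:
    return b"".join(bytes([code, len(value)]) + value for code, value in subs.items())


def relay_suboptions(circuit_id: str, relay_ip: str, vrf: str, unicast: bool) -> dict:
    """The sub-option set the HINT row recommends: 1, 5, 10, 11, 151 and 152."""
    addr = ipaddress.IPv4Address(relay_ip).packed
    return {
        CIRCUIT_ID: circuit_id.encode(),
        LINK_SELECTION: addr,
        FLAGS: bytes([0x80 if unicast else 0x00]),
        SERVER_ID_OVERRIDE: addr,
        VSS: b"\x00" + vrf.encode(),   # type 0 = NVT ASCII VPN identifier
        VSS_CONTROL: b"",              # zero-length marker, see server_honoured_vss()
    }


def decode(subs: dict) -> dict:
    """Human-readable view of parsed sub-options (addresses must be 4 bytes)."""
    out = {}
    if CIRCUIT_ID in subs:
        out["circuit_id"] = subs[CIRCUIT_ID].decode(errors="replace")
    for code, name in ((LINK_SELECTION, "link_selection"),
                       (SERVER_ID_OVERRIDE, "server_id_override"),
                       (CISCO_LINK_SELECTION, "cisco_link_selection")):
        if code in subs:
            out[name] = str(ipaddress.IPv4Address(subs[code]))
    if FLAGS in subs:
        out["client_unicast"] = bool(subs[FLAGS][0] & 0x80)
    if VSS in subs:
        vss_type, data = subs[VSS][0], subs[VSS][1:]
        out["vrf"] = data.decode() if vss_type == 0 else ("default" if vss_type == 255 else data.hex())
    out["vss_control"] = VSS_CONTROL in subs
    return out


def apply_policy(client_subs: dict, own_subs: dict, policy: str):
    """Option 82 Policy for a client packet that may already carry option 82.
    Assumed semantics: 'discard' drops such packets, 'forward' passes their
    option through untouched, 'replace' overwrites it with ours, 'append'
    keeps theirs and adds only the codes it lacks. A packet without option 82
    always gets ours. Returns the sub-options to relay, or None to drop."""
    if policy == "discard":
        return None if client_subs else dict(own_subs)
    if policy == "forward":
        return dict(client_subs) if client_subs else dict(own_subs)
    if policy == "replace":
        return dict(own_subs)
    if policy == "append":
        return {**own_subs, **client_subs}
    raise ValueError(f"unknown policy {policy!r}")


def server_honoured_vss(reply_subs: dict) -> bool:
    """RFC 6607: a server that processed sub-option 151 strips VSS-Control (152)
    from its reply; if 152 is echoed back, the server ignored the VRF."""
    return VSS_CONTROL not in reply_subs
```

Run against a constructed relay configuration for interface lan0 in VRF "corp", the round trip through `build_suboptions` and `parse_suboptions` reproduces every field, `apply_policy` shows why the HINT row recommends append (a switch's own Circuit ID is preserved while the VRF is still added), and `server_honoured_vss` tells you whether the upstream server actually segmented the lease.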
V6
The following table describes the router advertisement settings you can configure for LAN interfaces that have IPv6 addresses. LAN clients use these options to autoconfigure IPv6 addresses and to learn default gateway addresses.
NOTE: DHCP for IPv6 is not supported. The Managed and Other flags below only tell hosts to look for a DHCPv6 server elsewhere on the link; the appliance does not provide one.
Setting | Description |
---|---|
Enable Router Advertisements | Specifies whether the router should send RA messages. |
Managed Flag | Select this option to instruct IPv6 hosts to use DHCPv6 to obtain their IPv6 addresses in addition to any other configuration information. |
Other Flag | Select this option to instruct IPv6 hosts to use DHCPv6 to obtain additional configuration information, such as DNS server addresses and other network parameters. |
Link MTU | Set the maximum transmission unit (MTU) size that can be transmitted without fragmentation. This helps ensure that all hosts on the network use the same MTU, avoiding issues related to packet fragmentation and reassembly. |
Max Interval | Specify the maximum interval in seconds between unsolicited RA messages. This helps to control the frequency of RA messages. |
Min Interval | Specify the minimum interval in seconds between unsolicited RA messages. This helps to control the frequency of RA messages. |
Current Hop Limit | Set the default hop limit for IPv6 packets sent by hosts on the network. Hosts use this value to configure their own hop limit for outgoing packets. |
Default Router Preference | Select High, Medium, or Low to set the preference level of the router for use as a default router. Hosts use this value to prioritize multiple routers on the same link. |
Default Router Lifetime | Specify the lifetime in seconds of the default route that is advertised by the router. The hosts use this value to determine how long the router should be used as the default gateway. |
Reachable Time | Specify the time in milliseconds that an IPv6 host considers a neighbor reachable after receiving a confirmation. This value maintains accurate and timely reachability information in the neighbor cache. |
Retrans Timer | Specify the time in milliseconds between retransmitted Neighbor Solicitation messages while a host is resolving or confirming the reachability of a neighbor. |
Add a Router Advertisement Prefix
Before adding prefixes, note the following considerations:
- RA can be configured only on LAN-side interfaces.
- RA can be configured only on interfaces that have an IPv6 address.
- A DHCPv4 server and RA cannot be configured on the same interface at the same time.
- DHCPv4 relay and RA cannot be configured on the same interface at the same time.
- RA, DHCPv4 Server, and DHCPv4 Relay cannot be enabled if an alias interface is configured for the main/primary interface.
- A maximum of 10 prefixes can be configured in the RA configuration per interface.
Click Add and complete the following fields.
Setting | Description |
---|---|
Prefix-id | The ID assigned to the prefix. |
Prefix | The IPv6 prefix to advertise to hosts on the network. Hosts use this prefix to configure their IPv6 addresses and determine the network portion of the IP addresses. |
Autonomous flag | Select whether the prefix can be used by hosts for SLAAC. When set to true, hosts can use the prefix to generate their own IPv6 addresses. |
Onlink flag | Specifies whether the prefix is on-link, which affects how hosts handle routing for addresses within the prefix. If set to true, hosts assume that addresses within the prefix can be reached directly on the local network segment. |
Valid Lifetime | Specify the duration in seconds for which the advertised prefix is valid. |
Preferred Lifetime | Specify the duration in seconds (relative to the time the packet is sent) that addresses generated from the prefix via stateless address auto-configuration remain preferred. |
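The two tables above list the RA fields one by one; seeing them land in an actual message makes the relationships clearer. As an added example (my code, not the appliance's), the following Python takes the settings from both tables, validates the constraints that matter before you advertise (RFC 4861 interval bounds, preferred lifetime not exceeding valid lifetime, the 10-prefix limit from the considerations, a /64 for any SLAAC prefix), encodes them as an ICMPv6 Router Advertisement with MTU and Prefix Information options, and decodes such a message the way a host would. The checksum is left at zero because it depends on the IPv6 pseudo-header; the prefix 2001:db8:1::/64 is a constructed documentation value.

```python
import ipaddress
import struct
from dataclasses import dataclass, field

ND_ROUTER_ADVERT = 134
OPT_PREFIX_INFO, OPT_MTU = 3, 5
PREF_BITS = {"High": 0b01, "Medium": 0b00, "Low": 0b11}   # RFC 4191 Prf field


@dataclass
class RAPrefix:
    prefix: str                       # e.g. "2001:db8:1::/64"
    autonomous: bool = True           # A flag: usable for SLAAC
    onlink: bool = True               # L flag
    valid_lifetime: int = 2592000     # seconds
    preferred_lifetime: int = 604800  # seconds


@dataclass
class RAConfig:
    managed: bool = False             # M flag
    other: bool = False               # O flag
    link_mtu: int = 1500              # 0 = omit the MTU option
    max_interval: int = 600           # seconds between unsolicited RAs
    min_interval: int = 200
    current_hop_limit: int = 64
    default_router_preference: str = "Medium"
    default_router_lifetime: int = 1800
    reachable_time: int = 0           # milliseconds, 0 = unspecified
    retrans_timer: int = 0            # milliseconds, 0 = unspecified
    prefixes: list = field(default_factory=list)


def validate(cfg: RAConfig) -> list:
    """Constraint violations that should be caught before the RA is sent."""
    errors = []
    if not 4 <= cfg.max_interval <= 1800:
        errors.append("Max Interval must be 4..1800 s (RFC 4861)")
    if not 3 <= cfg.min_interval <= 0.75 * cfg.max_interval:
        errors.append("Min Interval must be 3 s .. 0.75 x Max Interval (RFC 4861)")
    if cfg.default_router_lifetime and not cfg.max_interval <= cfg.default_router_lifetime <= 9000:
        errors.append("Default Router Lifetime must be 0 or between Max Interval and 9000 s")
    if cfg.link_mtu and cfg.link_mtu < 1280:
        errors.append("Link MTU below the IPv6 minimum of 1280")
    if cfg.default_router_preference not in PREF_BITS:
        errors.append("Default Router Preference must be High, Medium or Low")
    if len(cfg.prefixes) > 10:
        errors.append("at most 10 prefixes per interface (page limit)")
    for p in cfg.prefixes:
        try:
            net = ipaddress.IPv6Network(p.prefix)   # strict: host bits must be zero
        except ValueError as exc:
            errors.append(f"{p.prefix}: {exc}")
            continue
        if p.preferred_lifetime > p.valid_lifetime:
            errors.append(f"{p.prefix}: Preferred Lifetime exceeds Valid Lifetime")
        if p.autonomous and net.prefixlen != 64:
            errors.append(f"{p.prefix}: SLAAC requires a /64")
    return errors


def encode(cfg: RAConfig) -> bytes:
    """ICMPv6 RA body (RFC 4861 section 4.2); checksum left 0, see lead-in."""
    flags = (cfg.managed << 7) | (cfg.other << 6) | (PREF_BITS[cfg.default_router_preference] << 3)
    pkt = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, cfg.current_hop_limit, flags,
                      cfg.default_router_lifetime, cfg.reachable_time, cfg.retrans_timer)
    if cfg.link_mtu:
        pkt += struct.pack("!BBHI", OPT_MTU, 1, 0, cfg.link_mtu)        # 8-byte option
    for p in cfg.prefixes:
        net = ipaddress.IPv6Network(p.prefix)
        pflags = (p.onlink << 7) | (p.autonomous << 6)
        pkt += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, pflags,
                           p.valid_lifetime, p.preferred_lifetime, 0) + net.network_address.packed
    return pkt


def decode(pkt: bytes) -> dict:
    """What a host learns from the RA; malformed options cause the RA to be discarded."""
    mtype, _code, _csum, hop, flags, lifetime, reach, retrans = struct.unpack("!BBHBBHII", pkt[:16])
    if mtype != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    names = {v: k for k, v in PREF_BITS.items()}
    ra = {"managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "preference": names.get((flags >> 3) & 0b11, "Reserved"), "hop_limit": hop,
          "router_lifetime": lifetime, "reachable_time": reach, "retrans_timer": retrans,
          "mtu": None, "prefixes": []}
    i = 16
    while i < len(pkt):
        if i + 2 > len(pkt):
            raise ValueError("truncated ND option")
        otype, olen = pkt[i], pkt[i + 1]
        if olen == 0 or i + olen * 8 > len(pkt):
            raise ValueError("malformed ND option")       # RFC 4861 section 4.6
        body = pkt[i:i + olen * 8]
        if otype == OPT_MTU:
            ra["mtu"] = struct.unpack("!I", body[4:8])[0]
        elif otype == OPT_PREFIX_INFO:
            plen, pflags, valid, preferred = struct.unpack("!BBII", body[2:12])
            ra["prefixes"].append({"prefix": f"{ipaddress.IPv6Address(body[16:32])}/{plen}",
                                   "onlink": bool(pflags & 0x80), "autonomous": bool(pflags & 0x40),
                                   "valid": valid, "preferred": preferred})
        i += olen * 8
    return ra
```

A configuration with Other Flag set, High preference and one /64 prefix validates cleanly and survives an encode/decode round trip; a Min Interval of 500 s against a Max Interval of 600 s, a prefix whose preferred lifetime exceeds its valid lifetime, or an eleventh prefix each produce a specific error instead of a silently odd RA.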
WAN-side Configuration
Select the WAN-side label you want to apply to this deployment. Click the edit icon to add a new interface or delete a previously configured interface.
Firewall Zone: Zone-based firewall policies are configured globally on the Orchestrator. A zone is applied to an Interface. By default, traffic is allowed between interfaces labeled with the same zone. Any traffic between interfaces with different zones is dropped. You can create exception rules (Security Policies) to allow traffic between interfaces with different zones. The firewall zones you have already configured will be in the list under FW Zone. Select the Firewall Zone you want to apply to the WAN you are deploying.
Firewall Mode: Four options are available at each WAN interface:
- Allow All permits unrestricted communication. Use this option with extreme caution and only if the interface is behind a WAN edge firewall.
- Stateful allows only sessions initiated from the LAN side toward the WAN side; unsolicited inbound traffic from the WAN is dropped. Use this if the interface is behind a WAN edge router.
- Stateful with SNAT behaves like Stateful and additionally applies Source NAT to outgoing traffic. Use this if the interface is directly connected to the Internet and you want to enable local internet breakout.
- Harden:
  - For traffic inbound from the WAN, the appliance accepts only IPSec tunnel packets that terminate on an EdgeConnect appliance.
  - For traffic outbound to the WAN, the appliance allows only IPSec tunnel packets and management traffic that terminate on an EdgeConnect appliance.
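The zone rules and the four firewall modes interact, and the text above describes each in isolation. As an added example (a toy model I wrote, not the appliance's forwarding code), the following Python puts them together: interfaces carry an FW Zone, same-zone traffic is allowed, cross-zone traffic is dropped unless a Security Policy allows it, and the WAN interface mode then decides what crosses it. Stateful admits only replies to LAN-initiated sessions, Stateful with SNAT additionally rewrites the source to the WAN address and maps replies back, and Harden accepts only IPsec. The definition of "IPsec tunnel packets" as ESP or IKE/NAT-T on UDP 500/4500, the ordering of zone check before mode check, and all addresses are assumptions; management traffic in Harden mode is not modelled.

```python
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str    # "tcp", "udp" or "esp"
    sport: int
    dport: int

    def reverse(self) -> "Flow":
        return Flow(self.dst, self.src, self.proto, self.dport, self.sport)


def is_ipsec(flow: Flow) -> bool:
    # Assumption: "IPsec tunnel packets" = ESP (IP protocol 50) or IKE/NAT-T on UDP 500/4500.
    return flow.proto == "esp" or (flow.proto == "udp" and flow.dport in (500, 4500))


class EdgeFirewall:
    def __init__(self, zones: dict, policies: list, wan_mode: str, wan_ip: str = "203.0.113.10"):
        self.zones = zones          # interface -> FW Zone, as set in the Deployment dialog
        self.policies = policies    # [(from_zone, to_zone, "allow" | "drop")] Security Policies
        self.wan_mode = wan_mode    # "allow_all", "stateful", "stateful_snat" or "harden"
        self.wan_ip = wan_ip
        self.sessions = set()       # WAN-facing tuples of sessions the LAN opened
        self.nat = {}               # translated Flow -> original Flow (SNAT only)
        self._ports = count(40000)  # SNAT source ports, constructed range

    def zone_decision(self, in_if: str, out_if: str) -> str:
        """Same zone: allow. Different zones: drop unless a Security Policy allows it."""
        src_zone, dst_zone = self.zones[in_if], self.zones[out_if]
        if src_zone == dst_zone:
            return "allow"
        return next((action for f, t, action in self.policies
                     if (f, t) == (src_zone, dst_zone)), "drop")

    def outbound(self, flow: Flow, in_if: str, out_if: str) -> str:
        """New flow from a LAN interface towards the WAN interface."""
        if self.zone_decision(in_if, out_if) != "allow":
            return "drop"
        if self.wan_mode == "harden":
            return "allow" if is_ipsec(flow) else "drop"   # management traffic not modelled
        if self.wan_mode == "stateful_snat":
            translated = Flow(self.wan_ip, flow.dst, flow.proto, next(self._ports), flow.dport)
            self.nat[translated] = flow
            flow = translated
        self.sessions.add(flow)
        return "allow"

    def inbound(self, flow: Flow, in_if: str, out_if: str) -> str:
        """Packet arriving on the WAN interface."""
        if self.wan_mode == "harden":
            return "allow" if is_ipsec(flow) else "drop"
        if self.wan_mode == "allow_all":
            return self.zone_decision(in_if, out_if)       # no session check at all
        # Stateful and Stateful with SNAT: only replies to sessions the LAN opened.
        return "allow" if flow.reverse() in self.sessions else "drop"

    def lan_destination(self, reply: Flow) -> str:
        """LAN host a permitted reply is forwarded to (undoing SNAT if present)."""
        return self.nat.get(reply.reverse(), reply.reverse()).src
```

With lan0 in zone Trusted and wan0 in zone Untrusted and no Security Policy, even an outbound web session is dropped by the zone rule; add a Trusted-to-Untrusted allow policy and the session is admitted while an unsolicited SSH probe from the Internet is still dropped in Stateful mode, is admitted only if a reverse zone policy exists in Allow All, and is dropped in Harden unless it is ESP or IKE.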
NAT Settings: To change the NAT setting, click the NAT-related link under the Next Hop field on the WAN side. The NAT Settings dialog box opens.
Select one of the following options:
- If the appliance is behind a NAT-ed interface, select NAT.
- If the appliance is not behind a NAT-ed interface, select Not behind NAT.
Enter the IP address that remote appliances use as the destination for tunnels built from the network to this WAN interface (the public address when the appliance is behind NAT).
Shaping: You can limit bandwidth selectively on each WAN interface.
- Total Outbound bandwidth is licensed by model. It is the same as max system bandwidth.
- To enter values for shaping inbound traffic (recommended), you must first select Shape Inbound Traffic.
EdgeConnect Licensing: Only visible on EdgeConnect appliances.
- For additional bandwidth, you can purchase Plus, and then select it here for this profile.
- If you have purchased a pool of Boost for your network, you can allocate a portion of it in a Deployment Profile. You can also direct allocations to specific types of traffic in the Business Intent Overlays.
- To view how you have distributed Plus and Boost, navigate to the Configuration > Overlays & Security > Licensing > Licenses tab.
- Select the licensing you have applied to your EdgeConnect appliance from the menu. Only the licenses available to your account are displayed. The options are:
  - Mini
  - Base
  - Base + Plus
  - 50 Mbps
  - 200 Mbps
  - 500 Mbps
  - 1 Gbps
  - 2 Gbps
  - Unlimited
NOTE: You must have the correct hardware to support the license selected.
BONDING
- EdgeConnect supports EtherChannel bonding of multiple physical interfaces of the same media type into a single virtual interface. For example, wan0 and wan1 bond to form bwan0. This increases throughput on a very high-end appliance and/or provides interface-level redundancy.
- For bonding on a virtual appliance, configure the host instead of the appliance. For example, on a VMware ESXi host, configure NIC teaming to get the equivalent of EtherChannel bonding.
- Whether you use a physical or a virtual appliance, EtherChannel must also be configured on the directly connected switch/router. Refer to HPE Aruba Networking EdgeConnect SD-WAN user documentation.
A More Comprehensive Guide to Basic Deployments
This section discusses the basics of three deployment modes: Bridge, Router, and Server modes.
It describes common scenarios, considerations when selecting a deployment, redirection concerns, and some adaptations.
For detailed deployment examples, refer to the HPE Aruba Networking EdgeConnect SD-WAN documentation site for various deployment guides.
In Bridge Mode and in Router Mode, you can provide security on any WAN-side interface by hardening the interface. This means:
- For traffic inbound from the WAN, the appliance accepts only IPSec tunnel packets.
- For traffic outbound to the WAN, the appliance allows only IPSec tunnel packets and management traffic.
Bridge Mode
Single WAN-side Router
In this deployment, the appliance is in-line between a single WAN router and a single LAN-side switch.
Dual WAN-side Routers
This is the most common 4-port bridge configuration.
- 2 WAN egress routers / 1 or 2 subnets / 1 appliance
- 2 separate service providers or WAN services (MPLS, IPSec VPN, MetroEthernet, and so forth)
Considerations for Bridge Mode Deployments
- Do you have a physical appliance or a virtual appliance?
  - A virtual appliance has no fail-to-wire, so you will need a redundant network path to maintain connectivity if the appliance fails.
- If your LAN destination is behind a router or L3 switch, you need to add a LAN-side route (a LAN next hop).
- If the appliance is on a VLAN trunk, you need to configure VLANs on the EdgeConnect appliance so that the appliance can tag traffic with the appropriate VLAN tag.
Router Mode
There are four options to consider:
- #1 Single LAN interface & single WAN interface
- #2 Dual LAN interfaces & dual WAN interfaces
- #3 Single WAN interface sharing LAN and WAN traffic
- #4 Dual WAN interfaces sharing LAN and WAN traffic
For best performance, visibility, and control, Options #1 and #2 are recommended because they use separate LAN and WAN interfaces. And when using NAT, use Options #1 or #2 to ensure that addressing works properly.
#1 - Single LAN Interface & Single WAN Interface
For this deployment, you have two options:
- You can put EdgeConnect in-path. In this case, if there is a failure, you need other redundant paths for high availability.
- You can put EdgeConnect out-of-path. You can redirect LAN-side traffic and WAN-side traffic from a router or L3 switch to the corresponding interface using WCCP or PBR (Policy-Based Routing).
To use this deployment with a single router that has only one interface, you could use multiple VLANs.
#2 - Dual LAN Interfaces & Dual WAN Interfaces
This deployment redirects traffic from two LAN interfaces to two WAN interfaces on a single EdgeConnect appliance.
- 2 WAN next-hops / 2 subnets / 1 appliance
- 2 separate service providers or WAN services (MPLS, IPSec VPN, MetroEthernet, and so forth)
Out-of-path dual LAN and dual WAN interfaces
For this deployment, you again have two options:
- You can put EdgeConnect in-path. In this case, if there is a failure, you need other redundant paths for high availability.
- You can put EdgeConnect out-of-path. You can redirect LAN-side traffic and WAN-side traffic from a router or L3 switch to the corresponding interface using WCCP or PBR (Policy-Based Routing).
#3 - Single WAN Interface Sharing LAN and WAN traffic
This deployment redirects traffic from a single router (or L3 switch) to a single subnet on the EdgeConnect appliance.
- This mode only supports out-of-path.
- When using two EdgeConnects at the same site, this is also the most common deployment for high availability (redundancy) and load balancing.
- For better performance, control, and visibility, Router mode Option #1 is recommended instead of this option.
#4 - Dual WAN Interfaces Sharing LAN and WAN traffic
This deployment redirects traffic from two routers to two interfaces on a single EdgeConnect appliance.
This is also known as Dual-Homed Router Mode.
- 2 WAN next-hops / 2 subnets / 1 appliance.
- 2 separate service providers or WAN services (MPLS, IPSec VPN, MetroEthernet, and so forth).
- This mode only supports out-of-path.
- For better performance, control, and visibility, Router mode Option #2 is recommended instead of this option.
Considerations for Router Mode Deployments
- Do you want your traffic to be in-path or out-of-path? This mode supports both deployments. In-path deployment offers much simpler configuration.
- Does your router support VRRP, WCCP, or PBR? If so, you might want to consider an out-of-path Router mode deployment. You can set up more complex configurations, which offer load balancing and high availability.
- Are you planning to use host routes on the server/end station?
- In the rare case when you need to send inbound WAN traffic to a router other than the WAN next hop router, use LAN-side routes.
Examine the Need for Traffic Redirection
Whenever you place an appliance out-of-path, you must redirect traffic from the client to the appliance.
There are three methods for redirecting outbound packets from the client to the appliance (known as LAN-side redirection, or outbound redirection):
- PBR (Policy-Based Routing) – Configured on the router. No other special configuration is required on the appliance. This is also known as FBR (Filter-Based Forwarding). If you want to deploy two EdgeConnects at the site for redundancy or load balancing, you also need to use VRRP (Virtual Router Redundancy Protocol).
- WCCP (Web Cache Communication Protocol) – Configured on both the router and the EdgeConnect appliance. You can also use WCCP for redundancy and load balancing.
- Host routing – The server/end station has a default or subnet-based static route that points to the EdgeConnect appliance as its next hop. Host routing is the preferred method when a virtual appliance is using a single interface, mgmt0, for datapath traffic (also known as Server Mode).
To ensure end-to-end connectivity in case of appliance failure, consider using VRRP between the appliance and a router, or the appliance and another redundant EdgeConnect.
How you plan to optimize traffic also affects whether you also need inbound redirection from the WAN router (known as WAN-side redirection):
- If you use subnet sharing (which relies on advertising local subnets between EdgeConnect appliances) or route policies (which specify destination IP addresses), you only need LAN-side redirection.
- If, instead, you rely on TCP-based or IP-based auto-optimization (which relies on initial handshaking outside a tunnel), you must also set up inbound and outbound redirection on the WAN router.
- For TCP flows to be optimized, both directions must travel through the same client and server appliances. If the TCP flows are asymmetric, you need to configure flow redirection among local appliances.
A tunnel must exist before auto-optimization can proceed. There are three options for tunnel creation:
- If you enable auto-tunnel, the initial TCP-based or IP-based handshaking creates the tunnel. This means that the appropriate LAN-side and WAN-side redirection must be in place.
- You can allow the Initial Configuration Wizard to create the tunnel to the remote appliance.
- You can create a tunnel manually on the Configuration > Networking > Tunnels > Tunnels page.
Server Mode
This mode uses the mgmt0 interface for management and datapath traffic.
ADD DATA INTERFACES
- You can create additional data-plane Layer 3 interfaces to use as tunnel endpoints.
- To add a new logical interface, click +IP.