Configuration Guide
Issue 01
Date 2019-03-13
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Website: http://e.huawei.com
Contents
1 Configuration Guide
1.1 SD-WAN Network Architecture
1.2 Typical Application Scenarios
1.2.1 Carrier Scenario
1.2.2 Enterprise Self-Construction Scenario
1.3 SD-WAN Network Deployment Overview
1.4 Feature Configuration Planning
1.4.1 Networking
1.4.1.1 Network Model
1.4.1.2 Site Models
1.4.1.2.1 Site WAN Model
1.4.1.2.2 Site LAN Model
1.4.1.3 Underlay Route
1.4.1.4 Overlay Network
1.4.1.5 VPN Service Isolation
1.4.1.6 Overlay Route
1.4.1.6.1 Address Pool Planning (DSVPN)
1.4.1.7 Internet Access
1.4.1.8 Connecting to the Legacy MPLS Network
1.4.1.9 Connecting to the Public Cloud
1.4.1.9.1 Connecting to the AWS
1.4.1.9.2 Connecting to HUAWEI CLOUD
1.4.2 Application Experience–oriented Scheduling and Optimization
1.4.2.1 Application Identification
1.4.2.2 Intelligent Traffic Steering
1.4.2.3 QoS
1.4.3 Service Security
1.4.3.1 ACL Traffic Filtering
1.4.3.2 Firewall
1.4.3.3 IPS
1.4.3.4 URL Filtering
1.4.3.5 Automatic Security Policy Orchestration
1.4.4 VM (uCPE) Lifecycle Management
1 Configuration Guide
Deployment Process
After a carrier deploys the SD-WAN@AC-Campus, the system administrator needs to select
the operating mode when logging in to the system for the first time. Generally, the MSP
operating mode is recommended. In this mode, the carrier acts as the MSP administrator,
provides managed services for enterprise tenants, and provides VASs through VNF
management and provisioning. For details about the deployment process of the MSP
operating mode, see 1.5.2 Management Process in MSP Operating Mode.
SME
SMEs usually consist of a headquarters and several branches.
Networking Model
The single-layer networking of Huawei SD-WAN Solution shown in Figure 1-3 is
recommended for SMEs.
Deployment Process
To reduce network construction and maintenance costs, SMEs are advised to lease the SD-
WAN@AC-Campus deployed on HUAWEI CLOUD to obtain professional SD-WAN
network management services as tenants. Service providers are responsible for managing SD-
WAN networks for the SMEs. 1.5.2 Management Process in MSP Operating Mode shows
the deployment process.
Large Enterprise
Large enterprises generally have headquarters and branches that are widely dispersed across a
country or area and have their own network maintenance teams. Large enterprises with
distributed branches provide various types of services and have stringent requirements on
private line quality.
Networking Model
Based on the number of enterprise sites, Huawei SD-WAN Solution provides two networking
models for large enterprises: hierarchical networking and single-layer networking. The
hierarchical networking (shown in Figure 1-4) is recommended for large enterprises with a
large number of branches. The single-layer networking (shown in Figure 1-5) is
recommended for large enterprises with a small number of branches.
Figure 1-4 Application scenario for large enterprises with a large number of branches
Figure 1-5 Application scenario for large enterprises with a small number of branches
Deployment Process
Large enterprises can deploy the SD-WAN@AC-Campus in the data center or HUAWEI
CLOUD. If no uCPE gateway is deployed on the network and VNF management is not
required, the deployment process for the two-layer operating mode (involving only system
administrators and tenants) can be used. For details, see 1.5.3 Management Process in
Tenant Operating Mode. If the uCPE gateway is deployed and the SD-WAN@AC-Campus
implements VNF management and service chain orchestration on the uCPE, the deployment
process for the three-layer operating mode (involving system administrators, MSP
administrators, and tenant administrators) is used. For details, see 1.5.2 Management Process
in MSP Operating Mode.
Multinational Enterprise
Multinational enterprises have branches or subsidiaries in multiple countries or areas and
carry out transnational operations. They have a high IT investment, diversified applications,
and both national and international leased WAN networks.
Networking Model
Multinational enterprises often deploy one or two global headquarters and regional
headquarters and branches in each country or region (for example, Southeast Asia). Figure
1-6 shows the networking model of Huawei SD-WAN Solution for multinational enterprises.
The global headquarters and regional headquarters are connected through the international
WAN networks. The regional headquarters can serve as the aggregation node in the
corresponding country or region to forward traffic between branches and between the global
headquarters and branches. Typically, two CPEs or uCPEs are deployed at the regional
headquarters, and depending on reliability requirements, one or two CPEs or uCPEs are
deployed at branches.
Deployment Process
Multinational enterprises use international WAN links for communication, which may have
diversified requirements. Therefore, the SD-WAN@AC-Campus can be deployed in
distributed mode to manage SD-WAN networks. For example, one SD-WAN@AC-Campus is
deployed in each country or region, and one SD-WAN@AC-Campus is deployed between
international links.
If no uCPE gateway is deployed on the network and VNF management is not required, the
deployment process for the two-layer operating mode (involving only system administrators
and tenants) can be used. For details, see 1.5.3 Management Process in Tenant Operating
Mode. If the uCPE gateway is deployed and the SD-WAN@AC-Campus implements VNF
management and service chain orchestration on the uCPE, the deployment process for the
three-layer operating mode (involving system administrators, MSP administrators, and tenant
administrators) is used. For details, see 1.5.2 Management Process in MSP Operating
Mode.
- Underlay network
  The underlay network can be an IP or MPLS network. For an IP underlay network, services
  shall be reachable over IP routes; for an MPLS underlay network, all enterprise services can
  be carried over one or more MPLS VPNs. The underlay network is the basis of the SD-WAN
  solution. An overlay network can be built only after the underlay network is connected.
- Overlay network
  An overlay network is a logical network abstracted from a physical network. On the connected
  underlay network, overlay network technologies such as EVPN, GRE, and IPSec are used to
  automatically create VPNs that connect sites based on the overlay network topology, and BGP
  is used for route exchange on the overlay network.
- Service policy
  Service policies are configured on the overlay network to meet QoS, security, reliability,
  and service experience requirements of enterprise services. The service policies include QoS
  policies, intelligent traffic steering policies, and security policies.
During network planning and deployment, design and deploy an SD-WAN network as
follows:
1. Network deployment
a. Plan the underlay network model and site model to complete Zero Touch
Provisioning (ZTP) configuration for site deployment.
b. Plan the routing protocol for the WAN side of the underlay network.
c. Plan VPN service isolation.
1.4.1 Networking
- Independent deployment
- The vRR and edge are deployed on the same node. In this scenario, the site can be configured
  with a single gateway or dual gateways.
- Network model: Select the single-layer or hierarchical network model. Generally, the
  single-layer network model is used. If there are a large number of sites or multinational
  deployment is required, use the hierarchical network model. For details, see 1.2 Typical
  Application Scenarios. The network model determines the site roles. If the single-layer
  network model is used, aggregation sites do not need to be planned. If the hierarchical
  network model is used, you need to plan areas and aggregation and branch sites in the areas.
- Hub site: Generally, the headquarters or the site where the data center is located functions
  as the hub site. The SD-WAN network uses a single hub site or dual hub sites deployed in
  active/standby mode.
- Aggregation site: If the hierarchical network model is used, you need to plan areas and
  aggregation sites in the areas. Each area supports a maximum of two aggregation sites.
- Branch site: If the hierarchical network model is used, you need to plan the aggregation site
  to which the branch site is connected. The branch site is then allocated to the area of the
  aggregation site. If the single-layer network model is used, you only need to connect the
  branch site to the hub site.
- vRR site: Plan the edge sites that function as vRR sites. Generally, stable large edge sites
  with high CPE performance and a large number of WAN links are used as vRR sites. In the
  current version, vRR sites cannot be deployed separately.
- Edge site: Plan the vRR sites to which each edge site is connected. Generally, edge sites are
  connected to vRR sites that are physically close to the edge sites and have good network
  connectivity. An edge site can connect to a maximum of two vRR sites, and a maximum of eight
  vRR sites can be configured for a tenant. If an edge site is not connected to any vRR site,
  the edge site does not participate in overlay networking and service deployment.
- Network model: Select the single-layer or hierarchical network model. Generally, the
  single-layer network model is used. If there are a large number of sites or multinational
  deployment is required, use the hierarchical network model. For details, see 1.2 Typical
  Application Scenarios. The network model that is used determines the overlay topology
  planning. For details, see 1.4.1.4 Overlay Network.
Introduction
The site model needs to be determined based on enterprise branch characteristics. Based on
the similarity of site requirements, sites are classified into three categories: small site, medium
site, and large site.
For sites with high reliability requirements, the dual-gateway model can be used. For common
sites, the single-gateway model can be used.
WAN Model
In the SD-WAN network design, two or more links are selected as site egresses to transmit
key traffic over the preferred WAN link. After the preferred link is set up, other transmission
links are used to provide more bandwidth resources for non-key traffic. The following table
lists the WAN access models of Huawei SD-WAN Solution. In terms of reliability, a single or
dual routers can be deployed. A maximum of three WAN links can be configured for a single
gateway, and a maximum of six WAN links can be configured for dual gateways.
Different site roles are defined in DSVPN and EVPN tunnel modes. In DSVPN tunnel mode,
sites are classified into hub sites, aggregation sites, and branch sites. In EVPN tunnel mode,
sites are classified into edge sites and vRR sites.
- vRR: A vRR site is an independent CPE. It distributes EVPN routes between CPEs based on VPN
  topology policies.
- Edge: An edge site is a WAN-side router. It establishes secure data channels with multiple
  remote edge sites.
  – Dual links: Specify the two interfaces for interconnecting with each other on the CPEs.
    The system automatically binds the two interfaces into an Eth-Trunk.
  – LAN-side Layer 2 links: If a Layer 2 link is available between a CPE and the LAN switch
    and no independent link is planned for the CPEs, you can specify a reserved VLAN and use
    the LAN-side Layer 2 link as the data forwarding channel between the CPEs. Data between
    CPEs and the data from the LAN side to the CPE are isolated through VLANs without
    affecting each other.
Site
Plan data for each site.
- Site name: The site name is a string of 1 to 64 characters, for example, Site1.
- Site role in DSVPN tunnel mode: Specify sites as hub sites, aggregation sites, or branch
  sites.
  If the SD-WAN network uses a single-layer network model, you need to create hub sites and
  branch sites. If the SD-WAN network uses a hierarchical network model, you need to create
  hub sites, aggregation sites, and branch sites.
  – CPE model: Plan the CPE model. The two CPEs deployed at a dual-gateway site must be of
    the same model.
  – Device name: To facilitate management and memorization, name the CPEs at each site. For
    example, name the two CPEs at Site1 Site1_1 and Site1_2.
  – ESN: If ESNs have been obtained, allocate the ESNs in the data planning table. The CPE
    information must be consistent with that imported to the SD-WAN@AC-Campus and that at
    the site.
  – Whether an upgrade is required: Check whether the software version of the CPEs is
    upgraded to the specified version.
  – WAN link: The WAN links must be the same as those planned in the site template.
  – CLI: The configurations that cannot be automatically orchestrated by the
    SD-WAN@AC-Campus can be delivered through the CLI. For example, change the system name
    of a CPE to Hub1_1.
CLI planning table columns: ESN | Device Name | Command
WAN Interface
When a CPE is interconnected with a network device on the WAN side, you need to plan the
interconnection mode and configuration of the physical interface.
- Link name: The link name of a WAN interface is specified by the WAN-side link in the site
  template. The WAN link name in the site template is used when a site template is used to
  create a site.
- Access type and negotiation mode: The access type and negotiation mode have been planned in
  the WAN link data plan in Site Deployment.
- MTU: The default value is 1500. Adjust the MTU based on the link type. For example, for
  PPPoE, set the MTU to 1492 because the PPPoE header is added before the IP packet.
  When the CPE forwards data packets, the data packet length and MTU are compared at the IP
  layer. If a data packet is longer than the MTU, the data packet needs to be fragmented at
  the IP layer. After fragmentation, the packet length can be equal to or shorter than the
  MTU. If the MTU is too small, the transmission efficiency decreases due to a large number of
  fragments. If the MTU is too large, packets on the network may be discarded.
- MSS: The default value is 1200. To prevent TCP packets from being fragmented, you must
  configure a proper MSS based on the MTU. To ensure that a complete packet is transmitted
  properly, ensure that the MSS plus all the header lengths (TCP header and IP header) do not
  exceed the MTU. For example, the default MTU of an Ethernet interface is 1500 bytes. To
  prevent packets from being fragmented, do not set the MSS to a value greater than 1460 bytes
  (1500 - 20 - 20). In the preceding formula, the two 20s indicate the minimum length of the
  TCP header and IP header, respectively. It is recommended that you set the MSS to 1200
  bytes.
- Uplink capacity: Plan the uplink capacity based on the actual uplink bandwidth of the
  network.
- Downlink capacity: Plan the downlink capacity based on the actual downlink bandwidth of the
  network.
Configuration Tasks
Table columns: Scenario | Description | Task
LAN Model
The LAN model design adapts to the current LAN-side network. Huawei SD-WAN Solution
can connect to the LAN at Layer 2 or Layer 3, which depends on the actual network
deployment.
The following table describes the structure in which Huawei SD-WAN Solution connects to
the LAN at Layer 2.
For a large site, the site network has a complex structure (hierarchical structure and multi-
network design) and complex network facilities (large number of routers and switches). In
Layer 3 interconnection scenarios, SD-WAN routers can establish Layer 3 connections to the
LAN through static or dynamic routes. Currently, Huawei SD-WAN Solution can use BGP,
OSPF, and static routes to connect to the LAN.
The following table describes the structure in which Huawei SD-WAN Solution connects to
the LAN at Layer 3.
NOTE
1. If two CPEs are deployed at a site, they can be interconnected directly or through the LAN. If the
two CPEs are directly interconnected, the interconnection links can be added to an Eth-Trunk.
2. The LAN-side interfaces of the CPE are Ethernet interfaces (GE/FE), which cannot be bound.
- Site name: Specify the name of the site where the LAN-side device is to be interconnected.
- Device: Specify the CPE to be configured at a site, especially at a site where two CPEs are
  deployed.
- Interconnection with the LAN side through Layer 3 interfaces or sub-interfaces
  – Interface: Plan the interface on the CPE for connecting to the LAN-side device. You can
    select Layer 3 interfaces, including GE, FE, XGE, or Eth-Trunk.
    If the Eth-Trunk is used, you need to plan the following items:
    · Eth-Trunk ID: The Eth-Trunk ID is in the range from 0 to 63. In a dual-gateway
      scenario, if the two gateways are connected through two Layer 3 physical links, the
      system automatically creates the Eth-Trunk 0 interface for the two gateways. You cannot
      create an Eth-Trunk interface with ID 0 on the two gateways.
    · Interface type: Plan the interface as a Layer 3 interface.
    · Physical interfaces: Plan the Eth-Trunk member interfaces for connecting to the LAN
      side. A maximum of eight member interfaces can be added. The Eth-Trunk member
      interfaces must be Layer 3 physical interfaces.
  – VLAN ID of the sub-interface: If a sub-interface is used to connect to a LAN-side device,
    plan a VLAN ID for the sub-interface. A Dot1q sub-interface is created on the interface,
    and the terminated VLAN tag is the VLAN ID. The VLAN ID must be the same as the VLAN tag
    configured on the interconnected device.
- Interconnection with the LAN side through VLANs
  – VLAN ID: Plan the VLAN ID used for Layer 2 communication between the site and the LAN.
    The system automatically creates VLANIF interfaces based on VLAN IDs. For a dual-gateway
    site, if the CPE is directly connected to a Layer 2 switch in the downstream direction, to
    implement the VRRP function on the LAN side, the two CPEs must use the VLANIF interface
    with the same VLAN ID to communicate with the LAN side.
  – Physical interface: Plan the interface on the CPE for connecting to the LAN-side device.
    You can select Layer 2 interfaces, including GE, FE, XGE, or Eth-Trunk.
    If the Eth-Trunk is used, you need to plan the following items:
    · Eth-Trunk ID: The Eth-Trunk ID is in the range from 0 to 63. In a dual-gateway
      scenario, if the two gateways are connected through two Layer 3 physical links, the
      system automatically creates the Eth-Trunk 0 interface for the two gateways. You cannot
      create an Eth-Trunk interface with ID 0 on the two gateways.
    · Interface type: Plan the interface as a Layer 2 interface.
    · Static binding: Plan IP addresses for DHCP clients that need to use fixed IP addresses.
      For example, if a server functions as a DHCP client to apply for an IP address from the
      DHCP server and needs to use a fixed IP address to ensure stability, select an IP
      address from the address pool and bind the IP address to the MAC address of the server.
      The DHCP server then assigns a fixed IP address to the server based on the MAC address.
  – DHCP relay agent: If the DHCP relay agent mode is selected, plan the DHCP server address
    for the DHCP relay agent. You can specify a maximum of eight DHCP servers.
- VRRP: If two gateways are deployed at a site, VRRP can be configured. LAN users access the
  WAN network through the master device by default. When the master device fails, services
  are automatically switched to the backup device. In this manner, redundancy is implemented
  between gateways to enhance reliability.
  – VRRP ID: Plan the VRRP ID, which is in the range from 1 to 255. The same VRRP ID must be
    specified for the two gateways.
  – Virtual IP address: Plan the virtual IP address of the VRRP group. The virtual IP address
    must be in the same network segment as the gateway interface address. It can be the same
    as the gateway interface address but cannot be the same as the user host IP address.
    Otherwise, packets from the local network segment will be sent to the user host. As a
    result, data on the local network segment cannot be correctly forwarded.
  – Default role: Specify the master gateway and backup gateway in the dual-gateway scenario.
  – Preemption delay: Specify the VRRP preemption delay. The value is in the range from 0 to
    3600, in seconds. The default value is 0. For the two devices in a VRRP group, you are
    advised to set the preemption delay to 0 for the backup device and to 15 seconds or a
    larger value for the master device. If the preceding settings are not used, two masters
    may coexist and user devices may learn an incorrect master address, interrupting traffic.
- ARP proxy: Configure whether to enable the ARP proxy. Only the routed ARP proxy is
  supported.
  The routed ARP proxy enables network devices on the same network segment but on different
  physical networks to communicate.
  In the following example, the IP addresses of Host_1 and Host_2 are 172.16.1.10/16 and
  172.16.2.20/16, respectively, which are on the same network segment. The CPE connects to two
  networks through VLAN 10 and VLAN 20. The IP addresses of VLANIF10 and VLANIF20 are on
  different network segments.
  When Host_1 needs to communicate with Host_2, Host_1 broadcasts an ARP Request packet,
  requesting the MAC address of Host_2. However, Host_1 and Host_2 are on different physical
  networks (in different broadcast domains). Host_2 cannot receive the ARP Request packet sent
  from Host_1 and therefore cannot respond with an ARP Reply packet. If the routed ARP proxy
  is enabled, the CPE queries the routing table after receiving the ARP Request packet. Host_2
  is directly connected to the CPE, so the CPE has the routing entry of Host_2. The CPE then
  uses its MAC address to send an ARP Reply packet to Host_1. Host_1 forwards data based on
  the MAC address of the CPE. In this case, the CPE functions as the proxy of Host_2. The MAC
  address corresponding to Host_2's IP address in the ARP table of Host_1 is the MAC address
  of VLANIF10 on the CPE.
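The routed ARP proxy decision described above, as an added example written for this guide (it is not Huawei code and does not reproduce the CPE's implementation). Only the host addresses 172.16.1.10/16 and 172.16.2.20/16 and the interface names come from the text; the VLANIF addresses 172.16.1.1/24 and 172.16.2.1/24, the MAC addresses, and the ARP request inputs are constructed assumptions. The example shows the three cases a practitioner wants to verify: the CPE answers for its own address, stays silent for a target on the receiving broadcast domain, and answers on behalf of a target only when the proxy is enabled and the routing table reaches that target through a different interface.

```python
import ipaddress

# Constructed CPE interface table (assumption): the two VLANIF interfaces sit on
# different /24 segments even though the hosts behind them believe they share a /16.
INTERFACES = {
    "VLANIF10": {"ip": ipaddress.ip_interface("172.16.1.1/24"), "mac": "00:e0:fc:00:00:10"},
    "VLANIF20": {"ip": ipaddress.ip_interface("172.16.2.1/24"), "mac": "00:e0:fc:00:00:20"},
}


def route_lookup(dst):
    """Longest-prefix match over the connected routes derived from the VLANIF addresses."""
    dst = ipaddress.ip_address(dst)
    best = None
    for name, intf in INTERFACES.items():
        net = intf["ip"].network
        if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (name, net)
    return best[0] if best else None


def handle_arp_request(in_intf, target_ip, proxy_enabled):
    """Decide how the CPE answers an ARP Request received on in_intf for target_ip.

    Returns the MAC address placed in the ARP Reply, or None when the CPE stays silent.
    """
    target = ipaddress.ip_address(target_ip)
    local = INTERFACES[in_intf]
    if target == local["ip"].ip:
        return local["mac"]            # request for the CPE's own address: always answered
    if target in local["ip"].network:
        return None                    # target shares the broadcast domain; it answers itself
    if not proxy_enabled:
        return None                    # routed ARP proxy disabled: Host_1 never gets a reply
    out_intf = route_lookup(target)
    # Routed proxy ARP answers only when the target is reachable through another interface;
    # an unroutable target, or one behind the receiving interface, gets no reply.
    if out_intf is None or out_intf == in_intf:
        return None
    return local["mac"]                # Host_1 learns the MAC of VLANIF10 for Host_2's IP


if __name__ == "__main__":
    # Host_1 (172.16.1.10/16) on VLAN 10 asks for Host_2 (172.16.2.20/16).
    print(handle_arp_request("VLANIF10", "172.16.2.20", proxy_enabled=True))
```

With the proxy enabled the call returns the VLANIF10 MAC, matching the ARP-table outcome the text describes; with it disabled the request goes unanswered.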
- MTU: The default value is 1500. Adjust the MTU based on the link type.
  When the CPE forwards data packets, the data packet length and MTU are compared at the IP
  layer. If a data packet is longer than the MTU, the data packet needs to be fragmented at
  the IP layer. After fragmentation, the packet length is shorter than the MTU. If the MTU is
  too small, the transmission efficiency decreases due to a large number of fragments. If the
  MTU is too large, packets on the network may be discarded.
- MSS: The default value is 1200. To prevent TCP packets from being fragmented, you must
  configure a proper MSS based on the MTU. To ensure that a complete packet is transmitted
  properly, ensure that the MSS plus all the header lengths (TCP header and IP header) do not
  exceed the MTU. For example, the default MTU of an Ethernet interface is 1500 bytes. To
  prevent packets from being fragmented, do not set the MSS to a value greater than 1460 bytes
  (1500 - 20 - 20). In the preceding formula, the two 20s indicate the minimum length of the
  TCP header and IP header, respectively. It is recommended that you set the MSS to 1200
  bytes.
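The MTU and MSS rules above, and the same rules given earlier for the WAN interface (including the PPPoE case), can be checked numerically. The following Python is an added example for readers of this guide; it is not Huawei code and does not model the CPE's forwarding path. It assumes the 20-byte minimum IPv4 and TCP headers quoted in the text and the standard 8-byte PPPoE overhead (6-byte PPPoE header plus 2-byte PPP protocol field); the packet lengths fed to it are constructed inputs. It also shows what the text only states: a packet larger than the MTU is split into fragments whose non-final payloads are multiples of 8 bytes, and a packet with DF set that exceeds the MTU is dropped rather than fragmented.

```python
IPV4_HDR = 20          # minimum IPv4 header length, as quoted in the guide
TCP_HDR = 20           # minimum TCP header length, as quoted in the guide
PPPOE_OVERHEAD = 8     # PPPoE header (6 bytes) + PPP protocol field (2 bytes)


def link_mtu(base_mtu=1500, pppoe=False):
    """MTU to configure on the interface: Ethernet default, minus the PPPoE overhead if used."""
    return base_mtu - PPPOE_OVERHEAD if pppoe else base_mtu


def max_mss(mtu, ip_hdr=IPV4_HDR, tcp_hdr=TCP_HDR):
    """Largest MSS such that MSS + TCP header + IP header does not exceed the MTU."""
    return mtu - ip_hdr - tcp_hdr


def check_mss(mss, mtu):
    """True when a full-size TCP segment with this MSS fits in the MTU without fragmentation."""
    return mss + TCP_HDR + IPV4_HDR <= mtu


def fragment(total_len, mtu, df=False, ip_hdr=IPV4_HDR):
    """Plan IPv4 fragmentation of a packet of total_len bytes over a link with the given MTU.

    Returns a list of (offset_bytes, payload_len, more_fragments) tuples, one per fragment.
    Raises ValueError when the DF bit is set and the packet is too big: the router drops it.
    """
    if total_len <= mtu:
        return [(0, total_len - ip_hdr, False)]     # fits: forwarded unchanged
    if df:
        raise ValueError("packet exceeds MTU and DF is set: dropped")
    payload = total_len - ip_hdr
    # Every fragment except the last carries a payload that is a multiple of 8 bytes,
    # because the fragment offset field counts 8-byte units.
    chunk = (mtu - ip_hdr) // 8 * 8
    frags, offset = [], 0
    while offset < payload:
        n = min(chunk, payload - offset)
        nxt = offset + n
        frags.append((offset, n, nxt < payload))
        offset = nxt
    return frags


if __name__ == "__main__":
    print("Ethernet MTU", link_mtu(), "-> max MSS", max_mss(link_mtu()))
    print("PPPoE MTU", link_mtu(pppoe=True), "-> max MSS", max_mss(link_mtu(pppoe=True)))
    print("3000-byte packet over MTU 1500:", fragment(3000, 1500))
```

The recommended MSS of 1200 passes `check_mss` for both the Ethernet and PPPoE MTUs, which is why a single conservative value is suggested rather than the per-link maximum.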
Configuration Tasks
Table columns: Scenario | Description | Task
Functions
After a site CPE connects to a WAN, the CPE must have reachable underlay network
(physical network) routes to the PE, so that an overlay network can be normally established to
forward services. BGP, OSPF, or static routes can be used based on WAN access
requirements.
Application Scenarios
One SD-WAN network can be configured with one or more types of underlay routes based on
network requirements.
- BGP route
  If an MPLS VPN network is connected and BGP dynamic routing is used, the CPE typically needs
  to use BGP to exchange routing information with the PE. The SD-WAN@AC-Campus can configure
  route filtering rules based on IP network segments to control the receiving and
  advertisement of BGP routes.
- OSPF route
  If a Layer 2 WAN network is used, OSPF routes can be used to exchange routes. This can be
  implemented by creating OSPF processes. The SD-WAN@AC-Campus can configure the OSPF routing
  protocol priority and control the receiving and advertisement of routes through the
  blacklist and whitelist route filtering policies.
- Static route
  Static routes are applicable to many scenarios, for example, Internet access, wireless
  network access using the LTE link, and using blackhole routes to prevent routing loops.
  Static routes do not involve protocol interaction and cannot detect faults on indirectly
  connected links of the WAN. This may cause service interruption. To prevent this problem,
  you can track the IP address of a WAN network and use an NQA test instance to detect the IP
  address. If the detection fails, the system considers that the WAN network is faulty and
  automatically selects another backup link for forwarding.
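The static-route behaviour just described, as an added example (not Huawei code and not the SD-WAN@AC-Campus data model): a tracked static route stays in the forwarding table only while its NQA test instance succeeds, so a failed probe withdraws the primary default route and the higher-preference backup takes over; a summary blackhole route keeps traffic for unknown addresses inside the summary from looping out through the default route. All prefixes, next hops (documentation ranges), preference values and NQA instance names are constructed assumptions; the probe results are supplied as inputs rather than measured.

```python
import ipaddress


class StaticRoute:
    """One planned static route (constructed model for the example)."""

    def __init__(self, prefix, next_hop=None, preference=60, track=None, blackhole=False):
        self.prefix = ipaddress.ip_network(prefix)
        self.next_hop = next_hop
        self.preference = preference   # lower value wins between routes to the same prefix
        self.track = track             # NQA test instance whose result gates this route, or None
        self.blackhole = blackhole     # blackhole routes discard traffic instead of forwarding it


class Fib:
    def __init__(self, routes, nqa_results):
        self.routes = routes
        self.nqa = nqa_results         # constructed probe results: {instance name: probe succeeded}

    def active(self, route):
        """Untracked routes are always active; a tracked route is withdrawn when its NQA test fails."""
        return route.track is None or self.nqa.get(route.track, False)

    def lookup(self, dst):
        """Longest-prefix match among active routes: a next hop, 'blackhole', or None (no route)."""
        dst = ipaddress.ip_address(dst)
        candidates = [r for r in self.routes if dst in r.prefix and self.active(r)]
        if not candidates:
            return None
        best = max(candidates, key=lambda r: (r.prefix.prefixlen, -r.preference))
        return "blackhole" if best.blackhole else best.next_hop


def build_fib(isp_a_up, isp_b_up):
    """Sample route set; the two booleans stand in for the NQA results of the two WAN links."""
    routes = [
        StaticRoute("0.0.0.0/0", "203.0.113.1", preference=60, track="nqa_isp_a"),    # primary WAN
        StaticRoute("0.0.0.0/0", "198.51.100.1", preference=100, track="nqa_isp_b"),  # backup (LTE)
        StaticRoute("10.10.5.0/24", "10.1.1.2"),                 # a LAN segment behind a switch
        # Summary blackhole: 10.10.x.x addresses with no more specific route are dropped here
        # instead of following the default route back out to the WAN.
        StaticRoute("10.10.0.0/16", blackhole=True),
    ]
    return Fib(routes, {"nqa_isp_a": isp_a_up, "nqa_isp_b": isp_b_up})


if __name__ == "__main__":
    for a_up, b_up in [(True, True), (False, True), (False, False)]:
        print(f"isp_a={a_up} isp_b={b_up}:", build_fib(a_up, b_up).lookup("192.0.2.77"))
```

Without the `track` field on the default routes, a failure beyond the directly connected link would leave the primary route installed and traffic would keep being sent into the broken path, which is the interruption the text warns about.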
Static Route
Configuration Tasks
Scenario | Description | Task
Configuring static routes | Static routes are often used in the following situations: static routes are used to connect to the WAN; LTE links are used to access the wireless network; IP addresses need to be detected; blackhole routes need to be configured. | 1.8.3.8.4 Configuring Underlay Routes (Static Routes)
Topology
Based on users' service requirements, the SD-WAN Solution supports the following typical
topology models for inter-site interconnection:
- Hub-spoke: This model is applicable to scenarios where traffic between all branch sites of
  an enterprise must pass through the headquarters for centralized security monitoring.
- Full-mesh: This model is applicable to scenarios where all sites of an enterprise need to
  directly access each other. This model eliminates the delay caused by traffic transmission
  through the headquarters.
- Partial-mesh: This model is applicable to scenarios where most sites of an enterprise need
  to directly access each other, while some other sites need to communicate with each other
  through a third site.
- Hierarchical topology: This model is applicable to large-scale multi-area enterprise
  networks, on which enterprise sites access each other through the hub site.
In DSVPN tunnel mode, only the hub-spoke and full-mesh topology models are supported. In
EVPN tunnel mode, all the preceding topology models are supported.
NOTE
In the current version, the partial-mesh and hierarchical topology are not supported in EVPN tunnel
mode.
Topology Implementation
On the SD-WAN@AC-Campus, you can specify the topology model between sites. The SD-
WAN@AC-Campus then generates the corresponding network model based on the topology
model, converts the network model into BGP routing policies, and delivers the policies to the
RR. The RR controls the route sending and receiving of different sites based on the routing
policy delivered by the SD-WAN@AC-Campus. In this way, the sites can communicate with
each other based on the specified topology model.
Hub site: In the hub-spoke networking, all sites communicate with each other through the
headquarters. The site where the headquarters is located is called the hub site.
Branch site: The other user sites are called branch sites.
Border site: A border site is an edge site through which sites in an area communicate with sites
in other areas.
Overlay Tunnel
Generally, sites on an SD-WAN network have multiple physical uplinks that connect to
different types of networks provided by different carriers. Overlay tunnels are established
based on physical links that are reachable to a certain type of network.
The transport network defines the type of a physical link on the WAN side of a site and is
determined by the type of a WAN access network provided by carriers. Generally, a type of
network provided by a carrier is defined as a transport network. For example, the Internet of
China Mobile is defined as a transport network, and the Internet of China Unicom is defined
as another transport network.
The routing domain defines whether routes between different transport networks are
reachable. That is, physical links of different transport networks that belong to the same
routing domain are reachable to each other. Generally, if the transport networks that are of the
same type and are provided by different carriers can communicate with each other, they are
defined as an independent routing domain. For example, the Internet of China Mobile and that
of China Unicom can be defined in the same routing domain.
Several types of transport networks and routing domains are predefined in the system. You
can use the predefined transport networks and routing domains or customize them based on
the site requirements.
Plan the DNS servers used for network access. If not all sites can reach the same DNS server,
group the DNS servers into DNS server groups. When configuring LAN services on the overlay
network, reference a DNS server group by name to specify the DNS servers a site uses for
network access.
l DNS server group name: Plan the DNS server group and specify the group name, for
example, DNS_Server1.
l DNS server IP address: Plan the IP addresses of the DNS servers in each group.
When planning the network model in 1.4.1.1 Network Model, you have determined whether
the physical network between sites uses the single-layer or hierarchical network model.
If multiple VPNs are planned for service isolation between departments, you need to plan an
overlay topology for sites in each VPN. The same site in different VPNs can use different
overlay topologies.
l Network model: If there are a small number of sites and multinational interconnection is
not involved, use the single-layer network model. If there are a large number of sites (for
example, more than 500) or multinational interconnection is involved, use the
hierarchical network model.
l Overlay topology in the single-layer network model
In the single-layer network model, all sites in a VPN belong to the same area. Therefore,
the entire network of a VPN can use the hub-spoke or full-mesh mode.
– Hub site: In hub-spoke mode, the hub site needs to be specified. You can specify a
maximum of two hub sites that work in active/standby mode. Select a site with a
strong and stable network as the hub site. Generally, select the enterprise
headquarters or the site where the data center is located as the hub site.
– Redirect site: In full-mesh mode, you can configure the redirect site in scenarios
where two sites may fail to directly communicate with each other or the reliability
of interconnection between two sites needs to be enhanced. A site with good
network connections and physically near the two sites is recommended as the
redirect site.
l Overlay topology in the hierarchical network model
In the hierarchical network model, sites on the network are divided into multiple areas,
which are level-1 areas and are also called leaf areas. Areas are interconnected through
one or two border sites. Sites 4, 5, 6.1, and 6.2 in the figure are border sites of the
corresponding areas. All border sites form an area, which is a level-2 area and is also
called the backbone area. A network can have only one backbone area.
– Area name: Specifies the name of each leaf area, for example, Area1.
– Area overlay topology: Specify the topology (hub-spoke or full-mesh) for each
area. Different overlay topologies can be specified for areas.
n Hub-spoke
○ Hub site: Similar to the hub-spoke mode in the single-layer network
model. The hub site needs to be specified in the hierarchical network
model.
○ Border site: The hub site functions as a border site, and no border site
needs to be specified again.
n Full-mesh
○ Redirect site: You can specify whether to configure a redirect site based
on actual requirements.
○ Border site: If an area using the full-mesh mode needs to interconnect
with other areas, you need to specify the border site. The border site must
be able to communicate with border sites in other areas and have good
network connections and stability. You can configure a maximum of two
border sites that work in active/standby mode.
– Inter-area interconnection: Select hub-spoke or full-mesh for the backbone area. If
the hub-spoke mode is used, you need to specify the hub site. If the full-mesh mode
is used, you need to specify whether to configure a redirect site as required.
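The following is an added example, not SD-WAN@AC-Campus code, of the two planning checks that the "Topology Implementation" and "Overlay Tunnel" descriptions above imply: which site pairs the RR's routing policy would let exchange routes for a given single-layer or hierarchical topology plan, and whether each such pair can actually build an overlay tunnel, that is, whether both sites own a WAN link whose transport network lies in a common routing domain. The routing domain names, site names, WAN link data and the two plans are constructed for illustration; the controller's real data model is not shown on this page.

```python
"""Added example (not SD-WAN@AC-Campus code): derive from a planned topology
the site pairs the RR may let exchange routes, and check each such pair can
actually build an overlay tunnel, i.e. both sites own a WAN link whose
transport network lies in a common routing domain. All names and the
plan/link data below are constructed for illustration."""
from itertools import combinations

# Routing domains: transport networks in the same domain are mutually reachable.
ROUTING_DOMAINS = {
    "Internet": {"Internet_CM", "Internet_CU"},  # China Mobile and China Unicom Internet
    "MPLS_A": {"MPLS_A"},                        # a carrier MPLS VPN, reachable only to itself
}
# Constructed: site -> transport networks of its physical WAN uplinks.
WAN_LINKS = {
    "HQ": {"Internet_CM", "MPLS_A"}, "DC": {"Internet_CU", "MPLS_A"},
    "Branch1": {"Internet_CU"}, "Branch2": {"Internet_CM"},
    "Branch3": {"MPLS_A"}, "Branch4": {"Internet_CU"},
}
SINGLE_LAYER = {"topology": "hub-spoke", "sites": list(WAN_LINKS), "hubs": ["HQ", "DC"]}
HIERARCHICAL = {
    "areas": {  # leaf areas; each picks its own topology
        "Area1": {"sites": ["HQ", "Branch1", "Branch2"], "topology": "hub-spoke", "hubs": ["HQ"]},
        "Area2": {"sites": ["DC", "Branch3", "Branch4"], "topology": "full-mesh", "borders": ["DC"]},
    },
    "backbone": {"topology": "full-mesh"},  # level-2 area formed by the border sites
}

def pair(a, b):
    return frozenset((a, b))

def routing_domain(transport):
    for domain, members in ROUTING_DOMAINS.items():
        if transport in members:
            return domain
    raise KeyError(f"transport network {transport!r} belongs to no routing domain")

def tunnel_possible(site_a, site_b, wan_links=WAN_LINKS):
    """A tunnel needs a link on each side whose transport networks share a routing domain."""
    doms_a = {routing_domain(t) for t in wan_links[site_a]}
    doms_b = {routing_domain(t) for t in wan_links[site_b]}
    return bool(doms_a & doms_b)

def area_pairs(sites, topology, hubs=()):
    """Site pairs allowed to exchange routes directly within one area."""
    sites = set(sites)
    if topology == "full-mesh":
        return {pair(a, b) for a, b in combinations(sorted(sites), 2)}
    if topology == "hub-spoke":
        if not 1 <= len(hubs) <= 2 or not set(hubs) <= sites:
            raise ValueError("hub-spoke needs one or two (active/standby) hubs from the area")
        # spokes see only the hub(s); two hubs also see each other
        return {pair(h, s) for h in hubs for s in sites if s != h}
    raise ValueError(f"unsupported topology {topology!r}")

def route_exchange_pairs(plan):
    """Pairs the RR's routing policy would permit for this VPN's topology plan."""
    if "areas" not in plan:                       # single-layer network model
        return area_pairs(plan["sites"], plan["topology"], plan.get("hubs", ()))
    allowed, borders = set(), []
    for name, area in plan["areas"].items():      # hierarchical network model
        allowed |= area_pairs(area["sites"], area["topology"], area.get("hubs", ()))
        # hub-spoke area: its hubs are the border sites; full-mesh area: explicit borders
        b = area["hubs"] if area["topology"] == "hub-spoke" else area["borders"]
        if not 1 <= len(b) <= 2:
            raise ValueError(f"{name}: one or two border sites required")
        borders += list(b)
    bb = plan["backbone"]
    allowed |= area_pairs(borders, bb["topology"], bb.get("hubs", ()))
    return allowed

def unreachable_pairs(plan, wan_links=WAN_LINKS):
    """Pairs the policy permits but no tunnel can carry: a planning error to fix."""
    return {p for p in route_exchange_pairs(plan) if not tunnel_possible(*sorted(p), wan_links)}

if __name__ == "__main__":
    for name, plan in (("single-layer", SINGLE_LAYER), ("hierarchical", HIERARCHICAL)):
        print(name, sorted(map(sorted, route_exchange_pairs(plan))))
        print("  no tunnel possible:", sorted(map(sorted, unreachable_pairs(plan))))
```

In the constructed hierarchical plan, Branch3 (MPLS only) and Branch4 (Internet only) sit in the same full-mesh area, so the policy permits them to exchange routes but no tunnel can carry the traffic; this is the kind of mismatch between the overlay topology and the underlay routing domains to catch at planning time, before the policy reaches the RR.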
Configuration Tasks
For details, see Configuration > Global Parameters > Physical Network > Transport
Network in 1.8.3.2 Setting Global Parameters.
The SD-WAN Solution uses multiple VPNs to isolate services of multiple departments under
a single tenant. The logical networks of different VPNs are independent of each other. The
CPE establishes and maintains a VPN instance, namely, the VPN routing and forwarding
(VRF) table, for different VPNs.
NOTE
VPN2. For details about the planning of LAN-side configurations, see "Data Planning
and Design" in 1.4.1.2.2 Site LAN Model.
l Policy configuration: Plan service policies for sites in each VPN if multiple VPNs are
configured. For details about policy configuration, see "Data Planning and Design" in
1.4.1.7 Internet Access, 1.4.1.8 Connecting to the Legacy MPLS Network, and 1.4.2
Application Experience–oriented Scheduling and Optimization.
Configuration Tasks
1. Determine the number of departments, for example, R&D department, finance
department, and marketing department, whose services need to be isolated based on
service isolation requirements.
2. Plan LAN-side interfaces required by different departments. Each department can have
an independent LAN-side physical interface. Alternatively, all departments share one
physical interface, and services are isolated by VLANs.
3. Configure initial policies for departments, including: ACL policy, QoS policy, traffic
steering policy, Internet access policy, policy for access to legacy networks, and
URL/IPS/firewall policy.
For details, see Configuration > Overlay Network > VPN in 1.8.3.9.1 Configuring a VPN.
1. Underlay LAN route: OSPF, eBGP, and static routes are supported. Currently, LAN-side
routes are manually configured by customers based on the connection mode on the LAN
side.
2. Local breakout tunnel route: OSPF is used for the interconnection between VPNs on the
overlay and underlay networks. This route is automatically orchestrated and configured
by the system if Site to Internet or Site to Legacy is enabled. This route will not be
enabled if Site to Internet or Site to Legacy is disabled.
3. Interconnection link route: OSPF is used to exchange routes between two CPEs in
scenarios where two CPEs are deployed. The routes are automatically orchestrated and
configured by the system and do not need to be manually configured.
4. Overlay WAN route: BGP or EVPN is used to advertise routes on the overlay network.
The routes are automatically orchestrated and configured by the system and do not need
to be manually configured.
5. Underlay WAN route: OSPF, eBGP, and static routes are supported. The routes are
manually configured by customers based on the access conditions on the WAN side.
Overlay Route
Overlay routes refer to the routes at the overlay network layer on SD-WAN networks and are
classified into WAN-side and LAN-side routes.
An overlay network is established between sites through EVPN tunnels. Routes on the
overlay network between sites use BGP to establish the IBGP peer relationship. By default,
the BGP AS number of a site is 65001, which can be modified.
Address Pool
interface addresses of CPEs, and interface addresses of an internal link between dual
gateways. Therefore, you need to plan an address pool so that the SD-WAN@AC-Campus
can automatically assign IP addresses in the address pool to the preceding interfaces. The
number of addresses to be planned is proportional to the number of sites.
l Address pool in DSVPN tunnel mode: The number of address pools on a single-layer
network and that on a hierarchical network are different. For details, see 1.4.1.6.1
Address Pool Planning ( DSVPN ).
l Address pool in EVPN tunnel mode: Configure the mask length of the address pool
according to the site quantity listed in Table 1-5. The mask length determines the
number of addresses in the address pool.
For example, if the number of sites of a tenant is 150, the recommended mask length is
19. If the planned address segment is 20.100.0.0, the address pool can be set to
20.100.0.0/19. Ensure that the planned address segment does not conflict with the
planned public network segment and private network segment on the tenant network.
Table 1-5 Mapping between the mask length and the network scale
Network Scale (Number of Sites) Mask Length
2-10 /23
11-30 /22
31-60 /21
61-120 /20
121-250 /19
251-500 /18
501-1000 /17
1000+ /16
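As an added example (not controller code), the following picks the EVPN address-pool mask from Table 1-5 for a tenant's site count and validates the planned segment the way the paragraph above asks: the segment must be aligned to that mask, and the resulting pool must not overlap any public or private segment already planned for the tenant. The tenant segments used are constructed.

```python
"""Added example (not SD-WAN@AC-Campus code): pick the EVPN address-pool mask
from Table 1-5 for a tenant's site count and validate the planned segment:
it must be aligned to that mask and must not overlap any public or private
segment already planned for the tenant. Sample segments are constructed."""
import ipaddress

# Table 1-5: (upper bound on number of sites, mask length); more than 1000 sites -> /16
POOL_MASK_BY_SITES = [(10, 23), (30, 22), (60, 21), (120, 20), (250, 19), (500, 18), (1000, 17)]

def recommended_mask(site_count):
    if site_count < 2:
        raise ValueError("an SD-WAN tenant needs at least two sites")
    for max_sites, mask in POOL_MASK_BY_SITES:
        if site_count <= max_sites:
            return mask
    return 16

def plan_address_pool(segment, site_count, planned_segments):
    """Return the pool as an IPv4Network, or raise with the planning error found."""
    mask = recommended_mask(site_count)
    pool = ipaddress.ip_network(f"{segment}/{mask}", strict=False)
    if str(pool.network_address) != segment:
        raise ValueError(f"{segment} is not aligned to /{mask}; use {pool.network_address}")
    clashes = [s for s in map(ipaddress.ip_network, planned_segments) if pool.overlaps(s)]
    if clashes:
        raise ValueError(f"pool {pool} overlaps planned segments {[str(c) for c in clashes]}")
    return pool

if __name__ == "__main__":
    # constructed: LAN segments and a public segment already planned for the tenant
    tenant_segments = ["10.10.0.0/16", "172.16.0.0/12", "203.0.113.0/24"]
    print(plan_address_pool("20.100.0.0", 150, tenant_segments))  # 20.100.0.0/19
```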
BGP routes on the overlay WAN side are automatically orchestrated by the system. You can
configure the blacklist and whitelist to control the advertisement and receiving of BGP routes
on the overlay WAN side. If multiple VPNs are planned for service isolation between
departments, you need to plan overlay WAN routes for sites in each VPN.
l Filtering direction: Specify whether to filter the routes to be advertised or received. For
example, if some routes on the LAN side cannot be accessed by other sites, you can use
the blacklist to filter out the routes on the LAN side.
l Filtering mode: Specify whether to use the blacklist or whitelist for filtering. If the
blacklist is used, the routes in the blacklist cannot be advertised or received based on the
filtering direction, and the routes not contained in the blacklist can be advertised or
received normally. If the whitelist is used, the routes in the whitelist can be advertised or
received normally, and the routes not contained in the whitelist cannot be advertised or
received.
l IP address prefix list: Plan the IP address prefixes in the blacklist and whitelist for
filtering. You can specify the destination IP address/mask and mask range for filtering.
Multiple network segments can be configured.
– IP address/mask: Plan the IP addresses and masks for filtering. The address prefix
list filters routes by matching destination addresses. Therefore, ensure that the
destination addresses to be filtered are in the specified IP address range. For
example, if you do not want the 172.16.12.0/24 network segment on the overlay
LAN side of the site to be accessed by other sites, you can use the blacklist to filter
the routes that are advertised with the IP address being 172.16.12.0/24.
– Lower limit of the mask range: Specify the lower limit of the mask range. The
following condition must be met: Mask ≤ Lower limit of the mask range ≤ Upper
limit of the mask range. With a mask range, an entry matches every route that falls
within the address prefix and whose mask length is in the range. For example, if the
address prefix is 172.16.12.0/24, the lower limit is 25, and the upper limit is 26,
subnets such as 172.16.12.0/25, 172.16.12.128/25, and 172.16.12.64/26 are filtered
out, while 172.16.12.0/24 itself (mask length 24, below the lower limit) is not. If the
mask range is not specified, only 172.16.12.0/24 is filtered out.
– Upper limit of the mask range: Specify the upper limit of the mask range.
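The following is an added example, not controller or CPE code, of the blacklist/whitelist prefix filtering described above for overlay WAN routes; the same three parameters (filtering direction, filtering mode, address prefix with optional mask range) reappear in the OSPF and BGP route-filtering parameters for overlay LAN routes later in this section, so one implementation serves both. An entry with a mask range matches every route inside the prefix whose mask length lies in [lower, upper]; an entry without a range matches only the exact prefix. The sample LAN-side routes and the two filters are constructed.

```python
"""Added example (not controller code): the blacklist/whitelist prefix filtering
described for overlay WAN routes (and reused for OSPF and BGP LAN-side route
filtering), with the mask-range semantics: an entry with a range matches every
route inside the prefix whose mask length falls in [lower, upper]; an entry
without a range matches only the exact prefix. Sample routes are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class PrefixEntry:
    prefix: ipaddress.IPv4Network
    lower: Optional[int] = None   # lower limit of the mask range
    upper: Optional[int] = None   # upper limit of the mask range

    def __post_init__(self):
        if (self.lower is None) != (self.upper is None):
            raise ValueError("set both mask-range limits or neither")
        lo, hi = self.bounds()
        if not self.prefix.prefixlen <= lo <= hi <= self.prefix.max_prefixlen:
            raise ValueError(f"{self.prefix}: need mask <= lower <= upper <= 32")

    def bounds(self):
        if self.lower is None:              # no range: exact prefix only
            return self.prefix.prefixlen, self.prefix.prefixlen
        return self.lower, self.upper

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        lo, hi = self.bounds()
        return route.subnet_of(self.prefix) and lo <= route.prefixlen <= hi

@dataclass
class RouteFilter:
    direction: str            # "advertise" or "receive"
    mode: str                 # "blacklist" or "whitelist"
    entries: List[PrefixEntry]

    def permits(self, route) -> bool:
        hit = any(e.matches(route) for e in self.entries)
        return hit if self.mode == "whitelist" else not hit

def apply_filters(routes, filters, direction):
    """Routes that survive every filter configured for the given direction."""
    active = [f for f in filters if f.direction == direction]
    return [r for r in routes if all(f.permits(r) for f in active)]

def net(s):
    return ipaddress.ip_network(s)

SAMPLE_ROUTES = [net(s) for s in (  # constructed LAN-side routes of one site
    "172.16.10.0/24", "172.16.12.0/24", "172.16.12.0/25", "172.16.12.128/25",
    "172.16.12.64/26", "10.1.0.0/16", "192.168.5.0/24")]

FILTERS = [
    # advertise the 172.16.12.0/24 summary, but hide its /25 and /26 subnets from other sites
    RouteFilter("advertise", "blacklist", [PrefixEntry(net("172.16.12.0/24"), 25, 26)]),
    # accept from other sites only routes inside 10.0.0.0/8 with mask length /8 to /24
    RouteFilter("receive", "whitelist", [PrefixEntry(net("10.0.0.0/8"), 8, 24)]),
]

if __name__ == "__main__":
    print("advertise:", [str(r) for r in apply_filters(SAMPLE_ROUTES, FILTERS, "advertise")])
    print("receive:  ", [str(r) for r in apply_filters(SAMPLE_ROUTES, FILTERS, "receive")])
```

Whitelists are the safer default for the receive direction when a site must only learn a known set of prefixes; a blacklist silently admits anything that is not listed, including a misconfigured default route from another site.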
If multiple VPNs are planned for service isolation between departments, you need to plan
overlay LAN routes for sites in each VPN.
OSPF, BGP, and static routes can be configured on the LAN side. Currently, OSPF routes are
planned for the LAN side at the headquarters site, and static routes are planned for the LAN
side at branch sites.
l OSPF
– Site: Plan the site where overlay LAN routes need to be configured.
– Device: Select the CPE for which OSPF routes are to be configured. In the dual-
gateway scenario, you need to configure OSPF routes for both CPEs.
– Process ID: Plan the ID of the OSPF process.
n In DSVPN tunnel mode, the process ID is in the range from 1001 to 65535.
n In EVPN tunnel mode, the process ID is in the range from 1 to 20000.
– General parameters: The following data is valid in the OSPF area of all interfaces
on the LAN side.
n Default route advertisement flag: Plan whether to advertise the default route to
the common OSPF area.
n Default route cost: Plan the default route cost for advertising the default route.
The default value is 1.
n Internal priority: Plan the priority of OSPF routes (excluding AS external
routes). A smaller value indicates a higher priority.
n ASE priority: Plan the priority of the OSPF AS external route. A smaller value
indicates a higher priority.
– Interface parameters: Plan data for all LAN-side interfaces on which OSPF routes
need to be enabled.
n Area ID: Plan the ID of an OSPF area.
n Interface name: Select the LAN-side interface on which OSPF routes are to be
enabled.
n Authentication mode: Plan the authentication mode used by the OSPF area.
The authentication modes and passwords of all the devices must be the same in
any given area, but can differ between several areas.
The following authentication modes are supported:
○ None: Authentication is not performed on OSPF packets.
○ Simple: A password needs to be configured. The password is carried in
cleartext in every OSPF packet, so this mode only guards against accidental
adjacency with a misconfigured router, not against an attacker on the LAN segment.
○ Cryptographic: The MD5, HMAC-MD5, or HMAC-SHA256
authentication mode can be selected. Prefer HMAC-SHA256 where all devices in the
area support it; the MD5-based modes remain available for interoperability with older devices.
n Key: Plan the authentication key identifier for interface ciphertext
authentication. This parameter needs to be set only when the cryptographic
authentication mode is used. The value must be the same as the authentication
key identifier of the peer end.
n Password: Plan the authentication key. This parameter needs to be set only
when the simple authentication mode is used.
n Hello packet interval: Plan the interval for sending Hello packets on an
interface, in seconds. The default value is 10. Hello packets are periodically
exchanged by OSPF interfaces to establish and maintain neighbor
relationships. A smaller interval means shorter time taken to detect network
topology changes but a higher route cost. The interval must be the same as that
of the neighbor.
n DR priority: Plan the priority of an interface during designated router (DR)
election. The default value is 0. The DR priority of an interface determines
whether the interface participates in DR election. If the DR priority is 0, the
router where the interface is located cannot be elected as a DR or BDR.
n Cost: Plan the OSPF cost for the interface. By default, OSPF automatically
calculates the cost based on the interface bandwidth. Load balancing can be
performed among several LAN-side routes with the same protocol type, cost,
and destination address. You can change the interface costs to change the load
balancing mode to the active/standby mode according to the actual
networking.
– Route importing: Import routes discovered by other routing protocols to enrich
OSPF routing information. When OSPF imports external routes, you can set the
cost of imported routes.
n Protocol: Plan the source routing protocol. By default, WAN-side BGP routes
on the overlay network are imported to implement communication on the
entire network. Static, OSPF, and direct routes can also be imported.
n Process ID: Specify the ID of the imported OSPF process when OSPF routes
are imported.
n Cost: Plan the cost of the imported route. The default value is 1. You can
change the cost to determine whether load balancing is achieved for multiple
routes destined for a network segment.
– Route filtering: You can plan the following parameters to use the blacklist and
whitelist for route filtering to control the advertisement and receiving of OSPF
routes. For details, see the description in Overlay WAN Route.
n Filtering direction: Specify whether to filter the routes to be advertised or
received.
n Filtering mode: Specify whether to use the blacklist or whitelist for filtering.
n Filtering address: Plan the address prefixes for blacklist and whitelist filtering.
You can specify the destination IP address/mask and mask range for filtering.
Multiple network segments can be configured.
l BGP
– Site: Plan the site where overlay LAN routes need to be configured.
– Advanced parameters
n External priority: Plan the priority of eBGP routes. In the dual-gateway
scenario, you can configure different priorities for the two devices.
n Default route importing: Specify whether to import the existing default route
in the local routing table to the BGP routing table. Generally, the default route
importing function does not need to be enabled. If the LAN side connects to
the Internet and other sites need to access the Internet through the LAN side of
the site, the default route importing function needs to be enabled.
n Route importing: Specify the source routing protocol. By default, static and
direct routes are imported.
n Aggregated route: If routes need to be aggregated, plan the network segments
of aggregated routes. You can specify the IP addresses and masks of the
aggregated routes.
After the network segment of the summarized routes is specified, if LAN-side
routes are subnets of the specified network segment, these subnets are
aggregated into one route and then advertised. If there are too many LAN-side
routes or the information about the LAN-side routes need to be hidden, routes
of multiple network segments can be aggregated into one network segment.
This reduces the size of the CPE routing table and hides the internal routing
information of the local site.
– Device: Select the CPE for which BGP routes are to be configured. In the dual-
gateway scenario, you need to configure BGP routes for both CPEs.
– Peer IP address: Plan the IPv4 address of the peer. The IPv4 address can be the IP
address of an interface that is directly connected to the peer or the IP address of a
loopback interface of the reachable peer.
– Peer AS: Specify the AS number of the peer device. The BGP AS number must be
the same as that of the peer device. Otherwise, the BGP peer relationship cannot be
established.
– Local AS: Configure the local end to establish a connection with a specified peer by
using a fake AS number. By default, the local end uses the actual AS number to
establish a connection.
– Keepalive time: Specify the BGP keepalive time, in seconds. The default value is
60.
– Holdtime: Specify the BGP hold time, in seconds. The default value is 180. The
holdtime must be at least three times the keepalive time.
n If short Keepalive time and holdtime are set, BGP can detect a link fault
quickly. This speeds up BGP network convergence, but increases the number
of keepalive messages on the network and loads of devices, and consumes
more network bandwidth resources.
n If a long keepalive time and holdtime are set, fewer keepalive messages are sent,
device load is lower, and less network bandwidth is consumed. However, if the
keepalive time is too long, BGP cannot detect link status changes in a timely
manner, which slows BGP network convergence and may cause many packets to be
lost.
– MD5 encryption: Specify whether to use MD5 authentication between BGP peers.
If it is enabled, a ciphertext password must be specified. The MD5
authentication setting and the password must be the same as in the BGP
configuration of the peer device. Otherwise, the BGP peer relationship fails to
be established. Despite the parameter name, this is the TCP MD5 signature option:
it authenticates the BGP session and rejects spoofed TCP segments, but it does not
encrypt the routing information exchanged.
– Routing policy: You can configure route filtering to control the advertisement and
receiving of BGP routes.
n Filtering direction: Specify whether to filter the routes to be advertised or
received.
n IP address prefix list: Configure the IP address prefix list in the blacklist and
whitelist for filtering. You can specify the destination IP address/mask and
mask range for filtering. Multiple network segments can be configured.
n Filtering mode: Specify whether to use the blacklist or whitelist for filtering.
n MED: Specify the MED value of BGP routes corresponding to the network
segment specified in the IP address prefix list.
Similar to the metric of an IGP, the MED value is used to determine the
optimal route for the traffic to enter an AS. When a BGP-enabled device
obtains multiple routes to the same destination address but with different next
hops from EBGP peers, it selects the route with the smallest MED value as the
optimal route.
n Community: Specify the community attribute of BGP routes corresponding to
the network segment specified in the IP address prefix list.
The community attribute is an optional transitive BGP route attribute. It is carried
between BGP peers and is not confined to a single AS. It lets a group of BGP-enabled
devices in multiple ASs apply the same routing policy to the tagged routes, which
keeps routing policies flexible and simple to maintain and manage.
n AS_Path: Specify the AS path of BGP routes corresponding to the network
segment specified in the IP address prefix list.
The AS_Path attribute records, in order, the numbers of all ASs that a route has
passed through since it left the originating AS. Because a shorter AS_Path is preferred
in route selection, you can configure the AS_Path attribute (for example, by prepending
AS numbers) to influence which path is selected.
l Static Route
– Site: Plan the site where overlay LAN routes need to be configured.
– Device: Select the CPE for which static routes are to be configured. In the dual-
gateway scenario, you need to configure static routes for both CPEs.
– Priority: Set the priority of static routes. The priority is in the range from 1 to 255
and is 60 by default. A smaller value indicates a higher priority.
If the same priority is configured for multiple static routes with the same
destination, traffic is load balanced among these static routes. If different priorities
are configured, the static routes back up each other.
– Destination network segment/mask: Specify the destination network segment and
mask of a static route. If both the destination IP address and mask are set to 0.0.0.0,
a default route is configured.
– Next hop: Plan the next hop, which can be an IP address or blackhole route.
Generally, you can set the next hop to an IP address. If you want to forbid access to
certain network segments, set the next hop to black_hole, which means that packets
destined for the network segments will be discarded.
– Detection address: Plan the address to be detected. Ensure that the address is
reachable through the configured static route.
If the next-hop IP address manually specified for a static route changes, the device
on which the static route is configured is unaware of the change. As a result, traffic
fails to be forwarded along the static route. After the address to be detected is
specified, the system associates the static route with the NQA test instance and
creates an ICMP NQA test instance to check whether the IP address is reachable. If
the NQA test instance fails, the static route is withdrawn. In this way, invalid static
routes can be detected in a timely manner.
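The following is an added example, not controller or CPE code, that models the static-route behaviour described above: a priority from 1 to 255 (default 60, smaller wins), equal priorities load balancing and unequal ones backing each other up, a black_hole next hop that discards matching traffic, and a detection address whose failed ICMP NQA probe withdraws the route so the backup takes over. The route table and addresses are constructed from documentation ranges, and the model assumes a tracked route is treated as up until its probe first reports a failure.

```python
"""Added example (not controller or CPE code): a small model of the static-route
behaviour described above: priority (1-255, default 60, smaller wins), equal
priorities load-balancing and unequal ones backing each other up, a black_hole
next hop that discards traffic, and a detection address whose failed ICMP NQA
probe withdraws the route. Addresses are constructed from documentation ranges."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

BLACKHOLE = "black_hole"

@dataclass(frozen=True)
class StaticRoute:
    dest: ipaddress.IPv4Network
    next_hop: str                  # next-hop IPv4 address or BLACKHOLE
    priority: int = 60
    detect: Optional[str] = None   # address probed by the associated NQA instance

    def __post_init__(self):
        if not 1 <= self.priority <= 255:
            raise ValueError("static route priority must be 1..255")
        if self.next_hop != BLACKHOLE:
            ipaddress.ip_address(self.next_hop)   # validates the address

class StaticRib:
    def __init__(self, routes):
        self.routes = list(routes)
        # detect address -> last NQA result; assumption: treated as up until a probe fails
        self.probe_ok = {}

    def nqa_result(self, detect_addr, reachable):
        self.probe_ok[detect_addr] = reachable

    def active_routes(self):
        """Routes not withdrawn by a failed NQA test."""
        return [r for r in self.routes if r.detect is None or self.probe_ok.get(r.detect, True)]

    def lookup(self, dst_ip):
        """Longest-prefix match, then best (lowest) priority; returns the list of
        next hops sharing that priority (load balancing), "drop" for black_hole,
        or None when nothing matches."""
        dst = ipaddress.ip_address(dst_ip)
        cands = [r for r in self.active_routes() if dst in r.dest]
        if not cands:
            return None
        longest = max(r.dest.prefixlen for r in cands)
        cands = [r for r in cands if r.dest.prefixlen == longest]
        best = min(r.priority for r in cands)
        hops = sorted({r.next_hop for r in cands if r.priority == best})
        return "drop" if BLACKHOLE in hops else hops

def build_sample_rib():
    n = ipaddress.ip_network
    return StaticRib([
        # primary default route over the Internet link, tracked by an NQA probe
        StaticRoute(n("0.0.0.0/0"), "203.0.113.1", 60, detect="198.51.100.1"),
        # backup default route over LTE: worse priority, used only if the primary is withdrawn
        StaticRoute(n("0.0.0.0/0"), "192.0.2.1", 100),
        # two equal-priority routes to a partner network: traffic is load balanced
        StaticRoute(n("10.20.0.0/16"), "10.1.1.1"),
        StaticRoute(n("10.20.0.0/16"), "10.1.2.1"),
        # a segment that must never be reachable from this site
        StaticRoute(n("10.30.0.0/16"), BLACKHOLE),
    ])

if __name__ == "__main__":
    rib = build_sample_rib()
    print(rib.lookup("203.0.113.55"), rib.lookup("10.20.1.1"), rib.lookup("10.30.5.5"))
    rib.nqa_result("198.51.100.1", False)   # primary WAN probe fails
    print("after NQA failure:", rib.lookup("203.0.113.55"))
```

Pick the detection address so that it is reachable only through the tracked route; probing an address that the backup link can also reach would keep the primary route installed while its own path is down.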
Configuration Tasks
Scenario Description Task
Single-Layer Network
The total number of IP addresses in an address pool is related to the number of network
segments and subnet masks. The larger the number of network segments or the shorter the
mask length, the more the total number of IP addresses. The following describes how to
calculate the number of network segments and the longest mask length. You can set the
required network segments and longest mask length according to the calculation results to
meet your IP address requirement.
NOTE
The longest mask length is the upper bound on the mask length (that is, the smallest network segments)
for a given network scale. You can configure a shorter mask than the longest mask length; this reduces
the number of network segments required, but you must ensure that the total number of IP addresses
does not decrease.
Table 1-6 Mapping between the longest mask length and the network scale
Network Scale/Number of Sites Longest Mask Length
2-10 28
11-30 27
31-60 26
61-120 25
121-250 24
251-500 23
501-1000 22
> 1000 20
In the preceding formulas, 2 indicates the two network segments occupied by the system. One
network segment must contain at least 192 IP addresses. Therefore, if the number of IP addresses
calculated based on the longest mask length is less than 192, you need to add a network segment.
3. The following uses a dual-hub site as an example to describe how to calculate the
number of network segments using the formula.
1. Assume that the number of sites is 100. According to Table 1-6 Mapping between the longest mask
length and the network scale, the longest mask length is 25.
2. Either of the two network segments occupied by the system must contain at least 192 IP addresses.
However, a /25 segment contains only 2^7 = 128 addresses, which is less than 192. Therefore, you need
to add a network segment.
3. Finally, with a longest mask length of 25, the calculation result is that 15 network segments
need to be configured. However, the system supports a maximum of eight network segments. In this
case, you need to shorten the mask (decrease the mask length) to reduce the number of required
network segments. For example, if the mask length is 23, configure seven network segments.
Dual-Layer Network
The formula for calculating the number of network segments on a dual-layer network is as
follows: Total number of network segments = Number of network segments between the
central site and aggregation site + Number of network segments between the aggregation site
and branch site.
Either of the two network segments occupied by the system must contain at least 192 IP addresses.
A /23 segment contains 2^9 = 512 addresses, which is larger than 192. Therefore, you do not need to
add any network segment.
3. Finally, the longest mask length is 23 according to the calculation result, so 18 network
segments need to be configured. However, the system supports a maximum of eight
network segments. In this case, you need to decrease the mask value to reduce the
number of required network segments. For example, if the mask length is 20, configure
three network segments.
Functions
The SD-WAN Solution provides the following Internet access modes:
l Local Internet access: The Internet access traffic of a site is routed from the local Internet
link to the Internet. In local Internet access mode, NAT in Easy-IP mode is provided.
You can determine whether to enable the NAT function based on the outbound interface.
After NAT is enabled, the system uses the IP address of the outbound interface as the
public IP address after NAT is performed and translates the IP address of the traffic
passing through the interface.
l Centralized Internet access: All sites in an enterprise access the Internet through a
centralized Internet gateway.
l Hybrid Internet access: The system allows some applications to access the Internet in
local Internet access mode and other applications to access the Internet in centralized
Internet access mode. If local Internet access with the default policies (Policy is set to
All) is used and centralized Internet access is enabled, local Internet access is preferred.
If the local link is faulty, the centralized Internet access mode is used. In hybrid Internet
access mode, the NAT function in Easy-IP mode can also be enabled on the outbound
interface for local Internet access.
Application Scenarios
l Local Internet access is applicable to small-scale enterprises or scenarios where
centralized security control is not required for Internet access traffic and links for
accessing the Internet are available on the WAN side.
l Centralized Internet access is applicable to scenarios where the site does not have links
for accessing the Internet or where Internet access traffic needs to be centrally controlled.
In this mode, a centralized Internet gateway is configured. Traffic from other sites is
forwarded to the centralized Internet gateway through the overlay network to access the
Internet.
l Hybrid Internet access is applicable to scenarios where Internet access traffic needs to be
managed centrally but the traffic of specified services (such as Office 365) is routed out
from the local site to minimize the access delay.
site is planned as the centralized Internet gateway, the branch site is used as the
Internet gateway.
l Local Internet access
– Site: Plan the site that uses the local Internet access mode.
– WAN link: Specify the WAN link name in the site template to select the WAN link
used for local Internet access. A site can access the Internet through the specified
WAN link. For sites using the same site template, only the same WAN link can be
used for Internet access.
– NAT: Plan whether to enable the NAT function. Generally, the NAT function needs
to be enabled for Internet access services at sites.
– Link priority: Plan the priority of a WAN link. If multiple WAN links are available
for Internet access, you can configure the link priorities so that the WAN links can
work in active/standby mode. The link priority is in the range from 1 to 3. A larger
value indicates a higher priority.
– Bandwidth allocation: Specify the proportion of local breakout traffic to the
available bandwidth that has been allocated to overlay services in the VPN. If the
available bandwidth for overlay services accounts for 30% of the total bandwidth
for the VPN and 10% of the bandwidth is allocated to the local breakout traffic, the
available bandwidth of the local breakout traffic accounts for 3% of the total
bandwidth of the WAN link. That is, if the total bandwidth of the interface is 100
Mbit/s, the bandwidth for local breakout traffic is 3 Mbit/s.
– Policy: By default, All is selected, which indicates that all services of a site
preferentially use local Internet access.
l Hybrid Internet access
– Centralized Internet gateway: For details, see Centralized Internet access.
– Local Internet access: For details, see Local Internet access. The following
parameters for hybrid Internet access are different from those for local Internet
access:
n Policy: Select All or Application. If All is selected, all services of a site
preferentially use local Internet access. If local Internet access is unavailable,
centralized Internet access is used. In this case, local Internet access and
centralized Internet access back up each other. If Application is selected,
traffic classifiers need to be configured so that some services use local Internet
access and the other services use centralized Internet access.
n Traffic classifier: If Policy is set to Application, plan the traffic classifiers for
the local Internet access service.
You can define local Internet access services by specifying the source and
destination IP addresses, and TCP or UDP source and destination port
numbers, or by matching the application group, VLAN ID, 802.1p priority,
source and destination MAC addresses, and Layer 2 protocol type. For details
about the traffic classifier, see the description in "Data Planning and Design" in
1.4.2.2 Intelligent Traffic Steering.
n Detection IP address: If Policy is set to Application, you can plan a detection
IP address for the site. The system creates an NQA instance to detect the IP
address, test the network connectivity, and quickly detect the network fault on
the WAN side. When the detection fails, services can switch to the centralized
Internet access mode in a timely manner. You can plan a public detection IP
address (for example, the DNS server address) that can be accessed by all sites
Configuration Tasks
Scenario: Configure hybrid Internet access.
Description:
l Configure some sites to access the Internet through the centralized Internet gateway and the other sites to access the Internet through the local Internet link.
l Configure certain services of the site to access the Internet through the local Internet link and the other services to access the Internet through the centralized Internet gateway.
Task: Perform the operations in 1.8.5.3 Configuring an Internet Access Policy for a Site in the following sequence:
1. On the Site-to-Internet page, select Centralized Internet access to configure the site to access the Internet through the centralized Internet gateway.
2. On the Site-to-Internet page, select Local Internet access, specify the sites that access the Internet through the local Internet link, and specify policies for services that access the Internet through the local Internet link.
and legacy logical network. These two types of networks need to communicate with each
other.
When the underlay network connected to an SD-WAN site can communicate with the legacy
MPLS network, the breakout technology can be used to transmit user traffic from the SD-
WAN site to the underlay MPLS network. Users at the SD-WAN site can directly
communicate with users at the legacy site through the underlay network.
In this scenario, the following traffic models can be used for mutual access, depending on
service requirements:
l Distributed local access
This model can be used if all SD-WAN sites can access legacy underlay MPLS network
sites through local breakout. In this model, the mutual access traffic of each site can be
offloaded locally.
l Centralized access
If some SD-WAN sites cannot access legacy sites through local breakout, you can select
one site that can communicate with the legacy sites as the centralized access site. Traffic
from other sites is sent to the centralized access site through overlay tunnels, and then
forwarded to the legacy sites through local breakout.
l Hybrid access
If a centralized access site is deployed on the SD-WAN network, it can provide the
centralized access function for the sites that cannot access the legacy network through
local breakout. In addition, the distributed access function can be configured for sites
that support local breakout. Then traffic of these distributed sites is preferentially
forwarded to the legacy underlay MPLS sites through local breakout. If the local link for
accessing the MPLS network is faulty, traffic can be transmitted to the centralized access
site through the overlay tunnel of other links, and then forwarded to the legacy site
through the centralized access site. This improves transmission reliability for traffic.
– Link priority: Plan the priority of a WAN link. If multiple WAN links are available
for MPLS network access, you can configure the link priorities so that the WAN
links can work in active/standby mode. The link priority is in the range from 1 to 3.
A larger value indicates a higher priority.
You can configure multiple links to work in active/standby mode or load balancing
mode by configuring the priority.
n If links have different priorities, they work in active/standby mode, and the
link with the highest priority is the active link.
n If the links have the same priority, they work in load balancing mode.
– Bandwidth allocation: Specify the proportion of local breakout traffic to the
available bandwidth that has been allocated to overlay services in the VPN. If the
available bandwidth for overlay services accounts for 30% of the total bandwidth
for the VPN and 10% of the bandwidth is allocated to the local breakout traffic, the
available bandwidth of the local breakout traffic accounts for 3% of the total
bandwidth of the WAN link. That is, if the total bandwidth of the interface is 100
Mbit/s, the bandwidth for local breakout traffic is 3 Mbit/s.
l Local access
– Site: Plan the site that uses the local access mode to communicate with legacy sites.
– IGW: Specify whether the IGW functions as the gateway for legacy sites to access
the Internet. If legacy sites access the Internet through the IGW, you need to enable
the IGW function of the site.
– WAN link: Specify the WAN link name in a site template to select the WAN link
used for MPLS network access. For sites using the same site template, only the
same WAN link can be used for Internet access.
– Link priority: Plan the priority of a WAN link. If multiple WAN links are available
for MPLS network access, you can configure the link priorities so that the WAN
links can work in active/standby mode. The link priority is in the range from 1 to 3.
A larger value indicates a higher priority.
You can configure multiple links to work in active/standby mode or load balancing
mode by configuring the priority.
n If links have different priorities, they work in active/standby mode, and the
link with the highest priority is the active link.
n If the links have the same priority, they work in load balancing mode.
– Bandwidth allocation: Specify the proportion of local breakout traffic to the
available bandwidth that has been allocated to overlay services in the VPN. If the
available bandwidth for overlay services accounts for 30% of the total bandwidth
for the VPN and 10% of the bandwidth is allocated to the local breakout traffic, the
available bandwidth of the local breakout traffic accounts for 3% of the total
bandwidth of the WAN link. That is, if the total bandwidth of the interface is 100
Mbit/s, the bandwidth for local breakout traffic is 3 Mbit/s.
l Hybrid Internet access
– Centralized access: For details, see Centralized access.
– Local access: For details, see Local access.
Configuration Tasks
Scenario Description Task
In Huawei SD-WAN Solution, the AR1000V, a virtual router, is deployed on the cloud and is
centrally managed by the SD-WAN@AC-Campus. The AR1000V integrates routing, VPN,
security, and centralized service orchestration capabilities, enabling multicloud
interconnection for enterprises. In addition, the AR1000V functions as a cloud site and can
provide basic network functions for customers to implement services such as VASs and WAN
optimization controller (WOC).
Transit VPC
The transit VPC solution is recommended for connecting Huawei SD-WAN Solution to the
AWS. In this solution, the transit VPC is introduced, and the AR1000V is deployed to
function as a cloud site on an enterprise's SD-WAN network. The cloud site is centrally
managed by the SD-WAN@AC-Campus and implements service orchestration. The transit
VPC also functions as a hub on the AWS to connect to the enterprise's spoke VPC (service
VPC) deployed on the AWS. For enterprises, the transit VPC solution can be used to
implement SD-WAN interconnection. The transit VPC solution implements cross-region
interconnection of VPCs. For an enterprise that has deployed multiple VPCs in several
regions on the AWS, the transit VPC can be deployed in a frequently accessed region. The
transit VPC can connect to the spoke VPCs and remote site CPEs of different regions on the
AWS.
In the transit VPC solution, the AR1000V is introduced to flexibly control the interconnection
between CPEs and VPCs through its routing and VPN capabilities. The following figure
shows the transit VPC solution.
1. Create a VPC (transit VPC) for the tenant on the AWS. The transit VPC serves as an
aggregation node of enterprise tenants on the cloud and connects to the enterprise's spoke
VPC, data centers, and CPE sites.
2. Deploy the AR1000V on the transit VPC. (The AR1000V can be purchased on AWS
Market Place.)
3. On the transit VPC, apply for an EIP for the instance where the AR1000V resides to
access the Internet through the IGW. Establish IPSec VPN and BGP connections
between the transit VPC and the VGW of the spoke VPC through the IGW to implement
access between the spoke VPC and transit VPC. In addition, implement on-demand
access control between the spoke VPC nodes through the VPN feature of the AR1000V.
4. The AR1000V of the transit VPC can also access the Internet through the IGW. The SD-
WAN@AC-Campus orchestrates SD-WAN services for the AR1000V and CPEs.
5. If Direct Connect connections are configured for the transit VPC, dual links of the IGW
and VGW can be established between the AR1000V and the CPE, and the intelligent
traffic steering feature can be applied.
6. The AR1000V also provides various QoS features for traffic control.
7. The AR1000V can report interface traffic statistics. The SD-WAN@AC-Campus can
monitor traffic statistics and analysis results on the cloud.
Configuration Tasks
1. Deploy the AR1000V.
2. Set Access Key in Global Parameters.
3. Create a cloud site.
4. Configure cloud resources in the ZTP configuration.
Set Cloud type to Amazon AWS and Deployment type to Transit VPC.
Host VPC
The host VPC solution is used by Huawei SD-WAN Solution to connect to HUAWEI
CLOUD. The host VPC is a service VPC. In this solution, the AR1000V is deployed to
function as a cloud site on a host VPC of an enterprise's SD-WAN network. The SD-
WAN@AC-Campus centrally manages the cloud site and implements service orchestration.
The host VPC solution implements cross-region interconnection of VPCs. For enterprises that
have deployed VPCs in multiple regions on HUAWEI CLOUD, the AR1000V is deployed on
each host VPC. The SD-WAN@AC-Campus uniformly orchestrates services and implements
mutual access between host VPCs and remote site CPEs in different regions of the cloud
through SD-WAN networks.
In the host VPC solution, the AR1000V is introduced to flexibly control the interconnection
between CPEs and VPCs through its routing and VPN capabilities. The following figure
shows the host VPC solution.
1. The AR1000V is deployed in each host VPC to function as a cloud site on an enterprise's
SD-WAN network. The SD-WAN@AC-Campus centrally orchestrates services. One
AR1000V can be deployed in each AZ to enhance reliability. The SD-WAN@AC-
Campus monitors the status of the AR1000V and sends instructions for route switching.
2. The AR1000V is used to establish SD-WAN connections between different host VPCs
on the Internet to implement communication between CPEs and host VPCs.
3. When providing the cloud private line service, the AR1000V can work with the Internet
to form dual links and apply features such as intelligent traffic steering.
4. The AR1000V can report interface traffic statistics. The SD-WAN@AC-Campus can
monitor traffic statistics and analysis results on the cloud.
Configuration Tasks
1. Deploy the AR1000V.
2. Create a cloud site.
3. Configure cloud resources in the ZTP configuration.
a. Set Cloud type to Huawei Cloud and Deployment type to Host VPC.
b. Set IP address of WAN interface and Gateway address of WAN interface of the
AR1000V.
c. View the configuration and copy the configuration file to inject the Elastic Cloud
Server (ECS) user data on HUAWEI CLOUD.
l FPI
FPI can identify the application type at the first data flow of an application. It can
quickly identify applications, and is mainly used for SaaS applications with fixed
destination addresses or ports.
l DPI
DPI performs deep packet analysis and accurately identifies common applications based
on the characteristics in application payloads.
When a packet reaches the application identification module, the FPI is performed. If an
application can be identified through the first packet, the DPI is no longer performed. If the
application fails to be identified, the DPI is performed.
For the FPI and DPI, the FPI signature database and SA signature database are preconfigured
on CPEs. The CPEs can identify common applications based on the application definition
(port, feature, and behavior) in the signature database. In addition, the FPI and DPI also
support customized applications, so that users can customize special applications.
FPI
FPI identifies an application from the first packet of a flow by matching the 5-tuple or
DSCP value of the packet, the domain name, or the DPI cache. Because the application is
matched based on the L3-L4 information of the packet, applications that share the same
L3-L4 information may be identified incorrectly. The FPI process is simple, so its
processing performance is higher than that of DPI.
Applications can be identified in predefined application mode or through the FPI signature
database.
l Predefined application mode: Applications are identified based on the 5-tuple, DSCP, or
domain name. In this mode, the system first matches an application based on the defined
L3-L4 rule. If no match is found, the system matches the application by translating the
domain name to the IP address through DNS snooping. If no match is found, the system
matches the application based on the DPI. Some common applications are predefined in
the system based on the protocol number, port number, and domain name.
l FPI signature database: The FPI function is associated with application flows through
DNS snooping. When a client initiates a page access request, it first sends a DNS request
to resolve the domain name to an IP address. The DNS server returns a DNS response
packet. When the response traverses the CPE, the CPE parses it to obtain the IP address,
queries the FPI signature database based on the URL for the application ID, port number,
and protocol number, associates this triplet with the IP address, and generates a DNS
association entry. After receiving the DNS response packet, the client initiates access to
the application. When the application packets traverse the CPE, the application is
identified based on the DNS association entry.
DPI
Signature identification is the basic technology of service awareness. Different applications
usually use different protocols that have their distinctive characteristics. These characteristics
may be specific ports, specific character strings, or specific bit sequences, and characteristics
that can identify a protocol are called characteristic code. Signature identification determines
an application by detecting characteristic codes in data packets. Since characteristic codes of
some protocols are embedded in multiple packets, characteristics field-based identification
must collect multiple packets to identify the protocol type. This technology analyzes service
flows passing through a device and compares the analysis result with the signature database
loaded to the device. By detecting characteristic codes in data packets, the system can identify
applications and implement refined policy control based on the identification result.
The DPI signature database is also called the SA signature database. Applications can be
identified in predefined application mode or through the SA signature database predefined on
the CPE.
l Predefined application mode: Applications are identified based on URLs or keywords.
On the CPE, rules can be created through triplet, keywords, or both triplet and keywords.
The triplet refers to the server IP address, protocol type, and port number. The keywords
are signatures of a data packet or a data flow corresponding to the application and
uniquely identify the application.
l SA signature database: Applications are identified based on the SA signature database.
The SA signature database can have 500+ or 6000+ records, depending on the device
type. The SA signature database can be upgraded through Huawei Security Center
Platform. The SA signature database needs to be updated frequently because applications
on the live network change rapidly. If the SA signature database is not updated in time,
some applications may fail to be identified.
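The FPI-then-DPI pipeline described in the two sections above (predefined L3-L4 rules, DNS association entries built from the FPI signature database, and DPI keyword signatures as the fallback), modelled as an added example. This is illustrative code written for this page, not Huawei's CPE implementation; the rule tables, domain names, addresses, keywords and application names are all constructed, and the way a real signature database is structured is not represented.

```python
# Added example (not Huawei's code): toy model of FPI-first, DPI-fallback
# application identification. All rules, signatures and addresses are
# constructed for illustration only.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: str          # "tcp" or "udp"
    src_port: int
    dst_port: int
    dscp: int = 0
    payload: bytes = b""


# FPI, predefined application mode: L3-L4 / DSCP rules (constructed).
# (dst_ip or None, proto, dst_port or None, dscp or None, application)
FPI_L3L4_RULES: List[Tuple[Optional[str], str, Optional[int], Optional[int], str]] = [
    ("192.0.2.10", "tcp", 5060, None, "VoIP-signalling"),
    (None, "udp", None, 46, "Voice-EF"),      # matches on DSCP only
]

# FPI signature database (constructed): domain -> (application, proto, port),
# the "triplet" that is associated with a snooped DNS answer.
FPI_SIGNATURE_DB: Dict[str, Tuple[str, str, int]] = {
    "mail.example.test": ("SaaS-Mail", "tcp", 443),
    "crm.example.test": ("SaaS-CRM", "tcp", 443),
}

# DPI / SA signature database (constructed): payload keyword -> application.
DPI_KEYWORDS: Dict[bytes, str] = {
    b"BitTorrent protocol": "BitTorrent",
    b"SSH-2.0": "SSH",
}


@dataclass
class Identifier:
    # DNS association entries learned by snooping DNS responses: ip -> triplet
    dns_assoc: Dict[str, Tuple[str, str, int]] = field(default_factory=dict)
    stats: Dict[str, int] = field(
        default_factory=lambda: {"fpi": 0, "dpi": 0, "unknown": 0})

    def snoop_dns_response(self, name: str, answer_ip: str) -> None:
        """Create a DNS association entry when the answered name is in the FPI DB."""
        sig = FPI_SIGNATURE_DB.get(name)
        if sig:
            # Two domains resolving to one IP overwrite each other here: this is
            # the "same L3-L4 information" misidentification risk noted above.
            self.dns_assoc[answer_ip] = sig

    def fpi(self, pkt: Packet) -> Optional[str]:
        # 1. predefined L3-L4 / DSCP rules
        for dst_ip, proto, port, dscp, app in FPI_L3L4_RULES:
            if proto != pkt.proto:
                continue
            if dst_ip is not None and dst_ip != pkt.dst_ip:
                continue
            if port is not None and port != pkt.dst_port:
                continue
            if dscp is not None and dscp != pkt.dscp:
                continue
            return app
        # 2. DNS association entry: IP learned earlier, now matched with proto/port
        entry = self.dns_assoc.get(pkt.dst_ip)
        if entry and entry[1] == pkt.proto and entry[2] == pkt.dst_port:
            return entry[0]
        return None

    @staticmethod
    def dpi(pkt: Packet) -> Optional[str]:
        for keyword, app in DPI_KEYWORDS.items():
            if keyword in pkt.payload:
                return app
        return None

    def identify(self, pkt: Packet) -> Tuple[str, str]:
        """Return (application, method). DPI runs only when FPI finds nothing."""
        app = self.fpi(pkt)
        if app:
            self.stats["fpi"] += 1
            return app, "fpi"
        app = self.dpi(pkt)
        if app:
            self.stats["dpi"] += 1
            return app, "dpi"
        self.stats["unknown"] += 1
        return "unknown", "none"
```

The `stats` counter is the check a practitioner wants: a rising `unknown` share after a change on the live network is the symptom of a stale SA signature database that the text warns about, and a flow identified by `fpi` for a destination shared by several SaaS domains is where the L3-L4 ambiguity bites.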
Configuration Tasks
Scenario: DPI can accurately identify the application type based on the in-depth packet analysis. Common applications can be accurately identified based on the characteristics in application payloads.
Description: The enterprise network uses a router as the egress gateway to connect to the WAN. To ensure network quality and regulate employees' online behaviors, the service awareness technology can be used to identify various applications on the network and control identified application protocols.
Task:
1. Check predefined applications.
2. If predefined applications cannot meet requirements, create a customized application.
3. Select the predefined DPI application or customized application to create a customized application group.
l Operation type: Set the relationship between rules in a traffic classifier to AND or OR.
– AND:
n If a traffic classifier contains ACL rules, packets match the traffic classifier
only when they match one ACL rule and all the non-ACL rules.
n If the traffic classifier does not contain any ACL rule, packets match the traffic
classifier only when they match all the non-ACL rules.
– OR: Packets match the traffic classifier if they match one or more rules in the
classifier.
l L3 ACL: Define multiple ACL rules. Packets that meet specified conditions are allowed
to pass.
– Priority: Specify the priority of an ACL rule. Packets preferentially match the Layer
3 ACL rule with a higher priority.
– Source IP address: Plan the source IP address of packets matching an ACL rule. If
no source IP address is specified, packets with any source IP address are allowed to
pass.
– Destination IP address: Plan the destination IP address of packets matching an ACL
rule. If no destination IP address is specified, packets with any destination IP
address are allowed to pass.
– DSCP: Specify the Differentiated Services Code Point (DSCP) of packets matching
an ACL rule.
– Protocol: Specify the protocol type of packets matching an ACL rule.
– Source port: Specify the source port of the UDP or TCP packets matching an ACL
rule. This parameter is valid only when the protocol of packets is TCP or UDP. If no
source port is specified, TCP or UDP packets with any source port are matched.
– Destination port: Specify the destination port of the UDP or TCP packets matching
ACL rules. This parameter is valid only when the protocol of packets is TCP or
UDP. If no destination port is specified, TCP or UDP packets with any destination
port are matched.
l Application: Select an application group that matches packets.
In the traffic classifier template, applications can be selected only through an
application group. Applications that have not been added to an application group are not
displayed, or only some of the applications in the group are selected. Therefore, plan
application groups properly.
l Advanced settings: Take effect only on policies on inbound interfaces.
– VLAN ID: Specify the start outer VLAN ID and end outer VLAN ID of packets to
be matched.
– 802.1p: Specify the 802.1p priority of packets to be matched.
– Source MAC address: Specify the source MAC address of packets to be matched.
– Destination MAC address: Specify the destination MAC address of packets to be
matched.
– L2 protocol: Specify the Layer 2 protocol type of packets to be matched.
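The matching semantics listed above (AND with and without ACL rules, OR, ACL rule priority, "any" when a source or destination address is omitted, and port conditions that apply only to TCP and UDP) worked through as an added example. This is illustrative code written for this page, not the controller's matching engine; the `Classifier` and `AclRule` classes, their field names and the sample addresses are constructed, and the advanced settings are reduced to an outer VLAN range for brevity.

```python
# Added example (not Huawei's code): evaluating a traffic classifier under the
# AND/OR operation types described above. Class and field names are constructed.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: str              # "tcp", "udp", "icmp", ...
    src_port: int = 0
    dst_port: int = 0
    dscp: int = 0
    app_group: str = ""     # application group the packet was classified into
    vlan: int = 0           # outer VLAN ID


@dataclass
class AclRule:
    priority: int
    src: Optional[str] = None        # CIDR; None means any source address
    dst: Optional[str] = None        # CIDR; None means any destination address
    proto: Optional[str] = None
    dscp: Optional[int] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.src and ip_address(pkt.src_ip) not in ip_network(self.src):
            return False
        if self.dst and ip_address(pkt.dst_ip) not in ip_network(self.dst):
            return False
        if self.proto and self.proto != pkt.proto:
            return False
        if self.dscp is not None and self.dscp != pkt.dscp:
            return False
        # Port conditions are valid only for TCP/UDP; for other protocols they are ignored.
        if pkt.proto in ("tcp", "udp"):
            if self.src_port is not None and self.src_port != pkt.src_port:
                return False
            if self.dst_port is not None and self.dst_port != pkt.dst_port:
                return False
        return True


@dataclass
class Classifier:
    operation: str                              # "AND" or "OR"
    acl_rules: List[AclRule] = field(default_factory=list)
    app_group: Optional[str] = None             # non-ACL rule: application group
    vlan_range: Optional[Tuple[int, int]] = None  # non-ACL rule: advanced setting

    def _acl_match(self, pkt: Packet) -> bool:
        # Rules are tried from the highest priority downwards; one hit is enough.
        for rule in sorted(self.acl_rules, key=lambda r: -r.priority):
            if rule.matches(pkt):
                return True
        return False

    def _non_acl_results(self, pkt: Packet) -> List[bool]:
        results = []
        if self.app_group is not None:
            results.append(pkt.app_group == self.app_group)
        if self.vlan_range is not None:
            lo, hi = self.vlan_range
            results.append(lo <= pkt.vlan <= hi)
        return results

    def matches(self, pkt: Packet) -> bool:
        non_acl = self._non_acl_results(pkt)
        if self.operation == "OR":
            # any single rule, ACL or not, is sufficient
            return (bool(self.acl_rules) and self._acl_match(pkt)) or any(non_acl)
        # AND: one ACL rule (if any exist) plus every non-ACL rule
        if self.acl_rules:
            return self._acl_match(pkt) and all(non_acl)
        return all(non_acl)
```

The ICMP case is the one to check when a classifier is meant to restrict traffic: a rule that only names a destination port silently matches every non-TCP/UDP packet, so a rule intended to be narrow should also set `proto`.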
Effective Time Template
l Time type
– Periodic time range: Define a periodic time range based on days or weeks. The
associated traffic policy takes effect at an interval of one day or week. For example,
if the time range of a traffic policy is 8:00-12:00 per day or on every Monday, the
traffic policy takes effect at 8:00-12:00 per day or on every Monday.
– Absolute time range: Define a time range from YYYY/MM/DD hh:mm:ss to
YYYY/MM/DD hh:mm:ss. The associated traffic policy takes effect only within
this period.
l Start time: Specify the time when the traffic policy starts to take effect.
l End time: Specify the time when the traffic policy stops taking effect.
Intelligent Traffic Steering
l VPN: Plan service policies for sites in each VPN if multiple VPNs are configured. You
need to first select the VPN for which the policy needs to be configured.
l Traffic classifier template: Select a traffic classifier template to specify packets to which
intelligent traffic steering needs to be applied.
NOTE
Intelligent traffic steering does not support the traffic classifier template with advanced settings or
operation type being set to OR.
l Policy priority: Set the priority of an intelligent traffic steering policy. For the same
traffic, the intelligent traffic steering policy with the highest priority is preferentially
matched.
l Switchover condition: Thresholds for the delay, jitter, and packet loss rate of a link. When
the quality of the link carrying the traffic or application does not meet the conditions,
the traffic or application is switched to another link.
By default, switchover conditions of voice, real-time video, low-delay data, and large-
capacity data services are defined. You can also set the delay, jitter, and packet loss rate
to customize switchover conditions.
l Transport network priority: Set the primary and secondary transport networks.
– Primary transport network: Configure multiple transport networks as primary
transport networks. A maximum of eight transport networks can be configured.
n For transport networks with the same priority, you are advised to set Policy
between TN to Loadbalance.
n For transport networks with different priorities, you are advised to set Policy
between TN to Prefer.
– Secondary transport network: Select a transport network as the secondary transport
network. Traffic is switched to the secondary transport network only when all
primary transport networks are unavailable.
l Advanced settings: Set bandwidth conditions list, priority, and other parameters. The
system determines whether to switch traffic to another link based on the current
bandwidth usage, application priority, and switchover threshold, and then determines the
application traffic to be switched based on the application priority.
– Switch upper/lower limit: Select links to transmit traffic based on the bandwidth
usage in addition to delay, jitter, and packet loss rate.
n If the link bandwidth usage is lower than the switch lower limit, all application
traffic, including new application traffic, is forwarded through the current
transport network.
n If the link bandwidth usage is greater than the switch lower limit and lower
than the switch upper limit, only the existing application traffic is forwarded
through the current transport network, and new application traffic cannot be
transmitted.
n If the link bandwidth usage is greater than the switch upper limit, some
existing application traffic is switched to another transport network for
transmission, and new application traffic cannot be transmitted.
It is recommended that this parameter be configured only when the bandwidth is
sufficient.
– Bandwidth conditions list: Configure bandwidth switchover conditions for a
transport network by specifying the link bandwidth (bandwidth upper/lower limit)
and application bandwidth (maximum/minimum bandwidth).
– Action when conditions not met: Specify an action when the traffic on the primary
transport network does not meet switchover conditions and bandwidth conditions.
The default value is Discard.
n Discard: If the traffic does not meet the conditions, packets are discarded.
n ECMP: If the traffic does not meet the conditions, packets are forwarded
continuously.
– Switchover mode: Specify whether traffic can be switched back to the original link
if the quality of the original link recovers after link switchover occurs. The default
value is Pre-emptive.
The link switchover consists of the switchover between primary transport networks
with different priorities and the switchover between primary and secondary
transport networks.
This parameter can be set for high-priority applications only when the bandwidth of
the primary link on which high-priority applications are located is sufficient.
– Policy between TN: Specify the scheduling mode between primary transport
networks. The default value is Prefer.
n Prefer: The transport network with the highest priority is selected first for
forwarding application traffic. If any of the switchover conditions exceeds the
threshold or the bandwidth usage exceeds the bandwidth upper limit, the traffic
is switched to another transport network with a lower priority.
n Loadbalance: Application traffic is load balanced between primary transport
networks with the same priority.
– Priority: Specify the application priority. The default value is 8.
l Effective time template: Select an effective time template to specify the time range for
the intelligent traffic steering policy to take effect.
l Site: Associate an intelligent traffic steering policy to a site. The policy takes effect only
on the selected site.
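The link selection described by the parameters above (switchover conditions, primary transport networks with Prefer or Loadbalance, the switch lower/upper bandwidth limits, the secondary transport network, and the Discard/ECMP action) as an added example. This is illustrative code written for this page, not the CPE's steering algorithm; the class names, the threshold values and the link measurements are constructed, and two simplifications are assumed: the secondary transport network is used only when no primary passes the quality check, and ECMP is modelled as continuing to forward on the highest-priority primary.

```python
# Added example (not Huawei's code): choosing a transport network (TN) for a
# flow under the intelligent traffic steering parameters described above.
# All names, thresholds and measurements are constructed.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Thresholds:            # switchover condition
    delay_ms: float
    jitter_ms: float
    loss_pct: float


@dataclass
class TransportNetwork:
    name: str
    priority: int            # higher value wins under Prefer
    delay_ms: float
    jitter_ms: float
    loss_pct: float
    bw_usage_pct: float      # current link bandwidth usage


@dataclass
class SteeringPolicy:
    primaries: List[TransportNetwork]
    secondary: Optional[TransportNetwork]
    cond: Thresholds
    policy_between_tn: str = "Prefer"   # or "Loadbalance"
    switch_lower: float = 70.0          # switch lower limit (% usage)
    switch_upper: float = 90.0          # switch upper limit (% usage)
    action_not_met: str = "Discard"     # or "ECMP"

    def quality_ok(self, tn: TransportNetwork) -> bool:
        return (tn.delay_ms <= self.cond.delay_ms
                and tn.jitter_ms <= self.cond.jitter_ms
                and tn.loss_pct <= self.cond.loss_pct)

    def bandwidth_ok(self, tn: TransportNetwork, new_flow: bool) -> bool:
        if tn.bw_usage_pct < self.switch_lower:
            return True                 # existing and new traffic stay
        if tn.bw_usage_pct < self.switch_upper:
            return not new_flow         # existing traffic stays, new is refused
        return False                    # above upper limit: traffic is moved away

    def select(self, flow_id: int, new_flow: bool = True) -> str:
        """Return the TN name for a flow, or "DISCARD" when nothing qualifies."""
        usable = [tn for tn in self.primaries
                  if self.quality_ok(tn) and self.bandwidth_ok(tn, new_flow)]
        if usable:
            top = max(tn.priority for tn in usable)
            best = [tn for tn in usable if tn.priority == top]
            if self.policy_between_tn == "Loadbalance" and len(best) > 1:
                return best[flow_id % len(best)].name   # hash flows across equals
            return best[0].name                         # Prefer: highest priority
        # all primaries unavailable (assumption: quality-based) -> secondary TN
        if self.secondary is not None and self.quality_ok(self.secondary):
            return self.secondary.name
        if self.action_not_met == "ECMP":
            # assumption: keep forwarding on the best primary regardless of quality
            return max(self.primaries, key=lambda t: t.priority).name
        return "DISCARD"
```

Note the asymmetry between `new_flow=True` and `new_flow=False` in the band between the two limits: an existing session keeps its link while a new one is steered elsewhere, which is why the text advises enabling the limits only when bandwidth is sufficient.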
Configuration Tasks
Scenario Description Task
1.4.2.3 QoS
QoS is a mainstream function that implements differentiated services. Data packets are
classified into different priorities or multiple service classes through traffic classification.
These priorities and service classes are the prerequisite and basis for differentiating service
models. Different traffic policies can be configured based on packet priorities and service
classes to provide different services.
Huawei SD-WAN Solution supports traffic classification based on the IP 5-tuple, application
group, and DSCP, and supports QoS policies such as queue priority scheduling, traffic
policing, and traffic shaping. It also supports QoS functions such as multi-dimensional
bandwidth allocation and DSCP re-marking through HQoS.
l Queue priority
Traffic classification is used to specify different QoS priorities for services. Based on
QoS priorities, services are forwarded through queues with different priorities to provide
differentiated QoS services. If bandwidth resources are insufficient, the forwarding
bandwidth of high-priority services is preferentially guaranteed.
l Traffic policing
Traffic policing controls traffic by monitoring the bandwidth occupied by service traffic,
and discards excess traffic to limit the bandwidth within a proper range, ensuring
appropriate bandwidth resource allocation.
l Traffic shaping
Traffic shaping is a measure to adjust the traffic rate sent from an interface. If traffic
congestion occurs due to burst traffic, traffic shaping is performed to make irregular
traffic transmitted at an even rate, preventing traffic congestion on the network.
l Bandwidth allocation
HQoS uses multi-level queues to implement bandwidth allocation between VPNs and
within a VPN. The bandwidth of a physical link is divided into bandwidths of multiple
logical links, and the bandwidth of each logical link is used by different VPNs. The
bandwidth of the logical link used by each VPN can specify bandwidths of the overlay
network and the local breakout network. The bandwidth of the overlay network is used
for communication between the hub site, aggregation site, and branch site. The
bandwidth of the local breakout network is used for local access to the Internet or
interconnection between local and legacy sites.
l DSCP re-marking
– After the DSCP re-marking function is configured on the LAN interface, the DSCP
value in the IP header of a packet entering the CPE is modified. If the packet enters
the overlay tunnel for forwarding, the DSCP value in the outer IP packet header is
copied from the DSCP value in the inner IP packet header by default. At last, the
DSCP values in inner and outer IP packet headers are re-marked. Based on re-
marked values, traffic policies can be deployed on the WAN-side overlay network
to implement service management and scheduling.
– If the DSCP re-marking function is configured on the WAN interface, the DSCP
value in the IP header of a packet sent by the outbound interface on the underlay
network is modified. If the IP packet header of the overlay tunnel is added to the
packet, only the DSCP value in the outer IP packet header is modified. At last, the
DSCP values in inner and outer IP packet headers may be different, and the outer
DSCP value is the re-marked value.
– If the DSCP re-marking function is configured on both LAN and WAN interfaces,
the DSCP value in the IP header of a packet entering the CPE is modified. If the
packet is sent through the outbound interface on the underlay network, the DSCP
value in the outer IP packet header is modified again. At last, for the packet that the
IP header is encapsulated in overlay tunnels, the DSCP value in the inner IP packet
header is remarked on the LAN interface and the DSCP value in the outer IP packet
header is remarked on the WAN interface. For the local breakout packet, the DSCP
value in the IP packet header is remarked on the WAN interface.
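The three DSCP re-marking placements described above (LAN interface, WAN interface, both) and their effect on the inner and outer IP headers, traced as an added example. This is illustrative code written for this page, not the CPE's forwarding path; the function and parameter names are constructed, and `via_overlay=False` models a local breakout packet that never receives an outer tunnel header.

```python
# Added example (not Huawei's code): where a DSCP re-mark lands depending on
# whether it is configured on the LAN interface, the WAN interface, or both.
# Function and parameter names are constructed.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Packet:
    inner_dscp: int
    outer_dscp: Optional[int] = None   # present only after overlay encapsulation


def forward(inner_dscp: int, via_overlay: bool,
            lan_remark: Optional[int], wan_remark: Optional[int]) -> Tuple[int, Optional[int]]:
    """Return (inner DSCP, outer DSCP) after the CPE has processed the packet.

    via_overlay=True: the packet is sent through an overlay tunnel (outer header added).
    via_overlay=False: local breakout, the packet keeps only its own IP header.
    """
    pkt = Packet(inner_dscp)
    # 1. LAN-side re-marking modifies the header of the packet entering the CPE.
    if lan_remark is not None:
        pkt.inner_dscp = lan_remark
    # 2. Overlay encapsulation copies the (possibly re-marked) inner DSCP to the outer header.
    if via_overlay:
        pkt.outer_dscp = pkt.inner_dscp
    # 3. WAN-side re-marking modifies only the header sent on the underlay outbound interface:
    #    the outer header for tunnelled packets, the packet's own header for local breakout.
    if wan_remark is not None:
        if via_overlay:
            pkt.outer_dscp = wan_remark
        else:
            pkt.inner_dscp = wan_remark
    return pkt.inner_dscp, pkt.outer_dscp
```

The practical consequence: only the outer value is visible to the underlay carrier, so a WAN-side re-mark changes how the transport network treats the tunnel without altering the marking the remote CPE sees after decapsulation.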
bandwidth. The total WAN link bandwidth on the site is 100%. The maximum ratio of the
bandwidth that can be manually allocated to overlay services of each VPN is 90%. At least
10% of the remaining bandwidth is reserved for other traffic, such as protocol traffic on the
underlay network.
l Traffic distribution policy name: Specify the name of a policy. Multiple traffic
distribution policies can be configured.
l VPN bandwidth: Specify the bandwidth ratio of each VPN. For example, the bandwidth
ratio of VPN1, VPN2, VPN3, and remaining traffic can be set to 30%, 20%, 30%, and
20%, respectively.
l Local breakout bandwidth ratio: Plan the local breakout bandwidth ratio if a site accesses
the Internet or communicates with a traditional site. For details, see Bandwidth
Allocation in "Data Planning and Design" in 1.4.1.7 Internet Access and 1.4.1.8
Connecting to the Legacy MPLS Network.
l Site: Plan the site to which the traffic distribution policy is applied, and specify different
traffic distribution policies for different sites. One traffic distribution policy can be
applied to only one site.
Traffic Classifier Template and Effective Time Template
For details, see Data Planning and Design in 1.4.2.2 Intelligent Traffic Steering.
QoS
l VPN: Plan service policies for sites in each VPN if multiple VPNs are configured. You
need to first select the VPN for which the policy needs to be configured.
l Traffic classifier template: Select a traffic classifier template to specify packets to which
the QoS policy needs to be applied.
l Policy priority: Set the priority of a QoS policy. For the same traffic, the QoS policy with
the highest priority is preferentially matched.
l Queue priority
Allows specified traffic to enter the LLQ queue (highest priority), EF queue (high
priority), or AF queue (medium priority) for scheduling, and guarantees the minimum
bandwidth of each configured queue. Traffic that does not match the preceding policy
enters the BE queue (low priority).
This parameter can be set to a specific bandwidth value or a percentage of bandwidth
usage. The percentage is set to the available bandwidth of a department (VPN). The
available bandwidth cannot be exceeded.
For example, if the bandwidth of a WAN interface is 100 Mbit/s and the bandwidth
available to VPN1 is 50 Mbit/s, value 20% of this parameter indicates that packets
matching the traffic classifier can occupy 10 Mbit/s bandwidth (50 Mbit/s x 20%).
l Traffic bandwidth limit
– Limit type
n Traffic policing discards excess traffic to limit traffic within a proper range and
to protect network resources and enterprise users' interests. Traffic policing is
implemented using committed access rate (CAR).
n Traffic shaping is a measure to adjust the traffic rate sent from an interface.
When the rate of an inbound interface on a downstream device is lower than
that of an outbound interface on an upstream device or burst traffic occurs,
traffic congestion may occur on the inbound interface of the downstream
device. Traffic shaping can be configured on the outbound interface of the
upstream device so that outgoing traffic is sent at even rates and congestion is
avoided.
When the queue priority is set to Medium, you can set Limit type to Shaping.
– Bandwidth limit: Specify the upper limit of the traffic. If traffic exceeds the limit
specified by this parameter, the excess traffic is cached and sent later (traffic
shaping is configured) or directly discarded (traffic policing is configured).
Theoretically, the value of bandwidth limit must be greater than that of guaranteed
bandwidth.
l Re-mark DSCP: Set the DSCP priority in the IP header of a packet. For details, see
DSCP re-marking.
l Queue length: Specify the maximum number of bytes and packets that can be buffered in
a queue.
The queue length affects queue traffic shaping, congestion management, and congestion
avoidance. When the number of packets in a queue reaches the maximum value or the
total number of bytes in a queue reaches the maximum value, the queue does not receive
packets. Instead, the queue discards the excess packets.
A longer queue buffers more packets but introduces a longer delay. If congestion occurs
on a network intermittently, buffering more packets prevents unnecessary packet loss. If
congestion always occurs on a network, increasing the queue length cannot solve the
problem. You need to increase the bandwidth.
The queue length can be configured only when the queue priority is set to High or
Medium.
l Re-mark 8021p: Remark 802.1p priorities of VLAN packets when you need to provide
differentiated services based on the 802.1p priority of packets.
l Statistics collection: Enable traffic statistics collection when you need to view packet
statistics after a traffic policy is applied.
l Effective time template: Select an effective time template to specify the time range for
the QoS policy to take effect.
l Site: Specify the site that is associated with the QoS policy. The policy takes effect only
on the selected site.
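The following Python script is an added example and not part of this guide or of the SD-WAN@AC-Campus code. It models the queue priority and bandwidth limit parameters described above with constructed values: a guarantee given as a percentage is resolved against the VPN's available bandwidth (the 100 Mbit/s WAN, 50 Mbit/s VPN, 20% case from the text yields 10 Mbit/s), the bandwidth limit is checked to be greater than the guarantee, and excess traffic is dropped by a policer or buffered by a shaper until the queue length is reached. The dataclass fields, the mapping of the Medium priority to the AF queue, and the simulated packet sizes are assumptions.

```python
"""Bandwidth planning checks for an SD-WAN QoS policy (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class QosPolicy:
    name: str
    queue_priority: str                 # "LLQ", "EF" or "AF"; unmatched traffic goes to BE
    guaranteed: float                   # Mbit/s, or a percentage if guaranteed_is_percent
    guaranteed_is_percent: bool = False
    limit_mbps: Optional[float] = None  # bandwidth limit; None means no limit configured
    limit_type: str = "policing"        # "policing" drops excess, "shaping" buffers it
    queue_max_bytes: int = 0            # queue length in bytes (shaping only)
    queue_max_packets: int = 0          # queue length in packets (shaping only)


def guaranteed_mbps(policy: QosPolicy, vpn_available_mbps: float) -> float:
    """Resolve the guarantee to Mbit/s. A percentage is relative to the VPN's
    available bandwidth, not to the WAN interface bandwidth."""
    if policy.guaranteed_is_percent:
        return vpn_available_mbps * policy.guaranteed / 100.0
    return policy.guaranteed


def validate_policies(policies: List[QosPolicy], wan_mbps: float,
                      vpn_available_mbps: float) -> List[str]:
    """Return planning errors for the policies of one VPN (empty if consistent)."""
    errors = []
    if vpn_available_mbps > wan_mbps:
        errors.append("VPN available bandwidth exceeds the WAN interface bandwidth")
    total = 0.0
    for p in policies:
        g = guaranteed_mbps(p, vpn_available_mbps)
        total += g
        if g > vpn_available_mbps:
            errors.append(f"{p.name}: guarantee {g:g} Mbit/s exceeds the VPN available bandwidth")
        if p.limit_mbps is not None and p.limit_mbps <= g:
            errors.append(f"{p.name}: bandwidth limit must be greater than the guarantee")
        if p.limit_type == "shaping" and p.queue_priority != "AF":
            # Assumption: Medium priority corresponds to the AF queue.
            errors.append(f"{p.name}: shaping can only be selected for the Medium (AF) queue")
    if total > vpn_available_mbps:
        errors.append(f"sum of guarantees {total:g} Mbit/s exceeds the VPN available bandwidth")
    return errors


def apply_limit(packet_sizes: List[int], allowance_bytes: int,
                policy: QosPolicy) -> Tuple[int, int, int]:
    """Apply the bandwidth limit to the packets of one scheduling interval.

    allowance_bytes is what the limit permits in that interval. A policer
    drops everything beyond it; a shaper buffers the excess until the queue
    length (bytes or packets) is reached and drops the rest.
    Returns (sent_bytes, buffered_bytes, dropped_bytes).
    """
    sent = buffered_bytes = buffered_packets = dropped = 0
    for size in packet_sizes:
        if sent + size <= allowance_bytes:
            sent += size
        elif (policy.limit_type == "shaping"
              and buffered_bytes + size <= policy.queue_max_bytes
              and buffered_packets + 1 <= policy.queue_max_packets):
            buffered_bytes += size
            buffered_packets += 1
        else:
            dropped += size
    return sent, buffered_bytes, dropped
```

The shaper branch makes the relationship between queue length and loss visible: for an intermittent burst a longer queue turns drops into delay, while for a sustained overload every interval ends with a full queue and the same drop rate as a policer, which is the case where the text says only more bandwidth helps.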
Configuration Tasks
Scenario: Configure the queue priority.
Description: Services are forwarded based on queues with different priorities. If bandwidth resources are insufficient, the forwarding bandwidth of high-priority services is preferentially guaranteed.
Task: Perform the operations in 1.8.5.5.6 Creating a QoS Policy for the Overlay Network in the following sequence:
1. Match an application on which a QoS policy is performed through Traffic Classifier Template.
2. Set the interface on which the QoS policy is enabled to WAN.
3. Configure Queue Priority.
Functions
To control the traffic entering the CPE, configure an ACL rule to classify packets based on
packet information including the source IP address, destination IP address, source port
number, destination port number, and application information, and then filter the packets that
match the ACL rule.
In the SD-WAN Solution, the ACL traffic filtering function is implemented through the ACL
policy. Currently, the ACL policy can be deployed on the WAN interface or LAN interface of
the CPE to control the traffic entering the CPE. You can define the priority of each ACL
policy, and parameters including filtering action (permit/deny) and effective period.
Application Scenarios
ACL rules can be used to accurately identify packets on the network, and ACL policies can be
used to control the traffic entering the CPE and filter specific traffic.
The following figure shows the typical application scenario of ACL traffic filtering.
l An ACL policy is deployed on the WAN side (1) to prevent specific traffic of external
networks from entering the CPE and the internal network.
l An ACL policy is deployed on the LAN side (2) to block specific traffic to access
external networks. In addition, the ACL policy can be deployed independently on each
virtual network and takes effect on all ports.
ACL Policy on the LAN Side (Overlay Network)
l Policy name: Specify the name of an ACL policy, for example, test_bj_acl_class1.
l Traffic classifier template: Plan a traffic classification rule, make a traffic classifier
template, and apply an ACL policy to packets that match the traffic classification rule.
You can define local Internet access services by specifying the source and destination IP
addresses, and TCP or UDP source and destination port numbers, or by matching the
application group, VLAN ID, 802.1p priority, source and destination MAC addresses,
and Layer 2 protocol type. For details about the traffic classifier, see the description in
"Data Planning and Design" in 1.4.2.2 Intelligent Traffic Steering.
l Policy priority: Specify the priority of an ACL policy. The value is in the range from 1 to
5000 with the recommended step of 10.
If multiple ACL policies are applied to a site, the CPE matches the packets with the
traffic classifier template in the ACL policy based on the descending order of priority
after receiving packets. If the match succeeds, the CPE performs traffic filtering. If the
match fails, the CPE continues to match the traffic classifier template in the next ACL
policy.
l Interface: The value is LAN, indicating that the ACL policy of the overlay network is
applied to the LAN interface. This parameter does not need to be specified: by default, all LAN
interfaces (including Layer 3 interfaces, sub-interfaces, and VLANIF interfaces) on the overlay
network are included.
l Traffic filtering: Specify the action for the traffic. The value can be deny or permit.
– Deny: Packets matching the traffic classifier template are not allowed to be
forwarded.
– Permit: Packets matching the traffic classifier template are forwarded normally.
l Traffic direction: Specify whether the ACL policy takes effect on the traffic in the
inbound or outbound direction of an interface. Generally, the ACL policy applied on the
LAN interface takes effect on the traffic in the inbound direction of the interface.
l Effective time template: Specify the time range in which the policy takes effect. If no
time range is specified, the policy takes effect at any time. For details about the effective
time template, see the description in "Data Planning and Design" in 1.4.2.2 Intelligent
Traffic Steering.
l Site: Specify the site where the ACL policy is applied.
ACL Policy on the WAN Side (Underlay Network)
l Policy name: Specify the name of an ACL policy, for example, test_bj_acl_class2.
l Traffic classifier template: Plan a traffic classification rule, make a traffic classifier
template, and apply an ACL policy to packets that match the traffic classification rule.
The ACL policy of the underlay network cannot use the traffic classifier template
matching an application group. You can define local Internet access services by
specifying the source and destination IP addresses, TCP or UDP source and destination
port numbers, VLAN ID, 802.1p priority, source and destination MAC addresses, and
Layer 2 protocol type. For details about the traffic classifier, see the description in "Data
Planning and Design" in 1.4.2.2 Intelligent Traffic Steering.
l Policy priority: Specify the priority of an ACL policy. The value is in the range from 1 to
5000 with the recommended step of 10.
If multiple ACL policies are applied to a site, the CPE matches the packets with the
traffic classifier template in the ACL policy based on the descending order of priority
after receiving packets. If the match succeeds, the CPE performs traffic filtering. If the
match fails, the CPE continues to match the traffic classifier template in the next ACL
policy.
l Interface: The value is WAN, indicating that the ACL policy of the underlay network is
applied only to the WAN interface. You need to select a site template and a WAN link in
the template to specify the WAN interface to which the ACL policy is applied.
– Site template: Specify the template used by the site where the ACL policy is
applied.
– WAN link: Specify the WAN link in the site template. The ACL policy is applied to
the WAN interface of the site.
l Traffic filtering: Specify the action for the traffic. The value can be deny or permit.
– Deny: Packets matching the traffic classifier template are not allowed to be
forwarded.
– Permit: Packets matching the traffic classifier template are forwarded normally.
l Traffic direction: Specify whether the ACL policy takes effect on the traffic in the
inbound or outbound direction of an interface. Generally, the ACL policy applied on the
LAN interface takes effect on the traffic in the inbound direction of the interface.
l Effective time template: Specify the time range in which the policy takes effect. If no
time range is specified, the policy takes effect at any time. For details about the effective
time template, see the description in "Data Planning and Design" in 1.4.2.2 Intelligent
Traffic Steering.
l Site: Specify the site where the ACL policy is applied.
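The following Python script is an added example and not the controller's or CPE's own code. It models the matching order described for both the LAN-side (overlay) and WAN-side (underlay) ACL policies: the policies applied to a site are tried in descending priority order, the first traffic classifier that matches the packet decides permit or deny, and a policy whose effective time template is not active is skipped. It also rejects the combinations the text rules out (a priority outside 1 to 5000, or an underlay policy that matches an application group). The classifier fields, the "HH:MM" time representation, the sample policies and packets, and the behaviour when no policy matches are assumptions.

```python
"""Priority-ordered ACL policy evaluation on a CPE (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class TrafficClassifier:
    src: Optional[str] = None         # CIDR such as "10.1.0.0/16"; None matches any
    dst: Optional[str] = None
    protocol: Optional[str] = None    # "tcp" or "udp"
    dst_port: Optional[int] = None
    app_group: Optional[str] = None   # application group; not usable on the underlay

    def matches(self, pkt: dict) -> bool:
        if self.src and ip_address(pkt["src"]) not in ip_network(self.src):
            return False
        if self.dst and ip_address(pkt["dst"]) not in ip_network(self.dst):
            return False
        if self.protocol and pkt.get("protocol") != self.protocol:
            return False
        if self.dst_port is not None and pkt.get("dst_port") != self.dst_port:
            return False
        if self.app_group and pkt.get("app_group") != self.app_group:
            return False
        return True


@dataclass
class EffectiveTime:
    start: str                       # "HH:MM", zero-padded so string comparison works
    end: str

    def active(self, now: str) -> bool:
        return self.start <= now < self.end


@dataclass
class AclPolicy:
    name: str
    priority: int                    # 1 to 5000; a step of 10 leaves room to insert policies
    classifier: TrafficClassifier
    action: str                      # "permit" or "deny"
    interface: str = "LAN"           # "LAN" (overlay) or "WAN" (underlay)
    effective: Optional[EffectiveTime] = None


def validate_policy(policy: AclPolicy) -> None:
    """Reject parameter combinations that the data planning rules do not allow."""
    if not 1 <= policy.priority <= 5000:
        raise ValueError(f"{policy.name}: priority must be in the range 1 to 5000")
    if policy.action not in ("permit", "deny"):
        raise ValueError(f"{policy.name}: traffic filtering must be permit or deny")
    if policy.interface == "WAN" and policy.classifier.app_group:
        raise ValueError(f"{policy.name}: underlay ACL policies cannot match an application group")


def evaluate(policies: List[AclPolicy], pkt: dict,
             now: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (action, policy_name) of the first matching policy in descending
    priority order. (None, None) means no policy matched; what the CPE does then
    is not stated in the text, so the packet is left to normal forwarding here."""
    for policy in sorted(policies, key=lambda p: p.priority, reverse=True):
        if policy.effective and not policy.effective.active(now):
            continue
        if policy.classifier.matches(pkt):
            return policy.action, policy.name
    return None, None
```

Because the first match wins, a broad permit policy must carry a lower priority than the specific deny policies it is meant to sit behind; the example below puts the deny at 200 and the catch-all permit at 100 for that reason.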
Configuration Tasks
Scenario: Deploy an ACL policy on the LAN side.
Description: An ACL policy of the overlay network can block overlay network service traffic transmitted to a CPE through a LAN interface. For example, an ACL policy can limit the use of some services during a specified time period.
Task:
1. Create a traffic classifier template.
2. (Optional) Create an effective time template.
3. Create an ACL policy for the overlay network.
1.4.3.2 Firewall
Functions
The firewall function provided by the CPE separates an internal network from an external
network logically to protect the internal network from unauthorized access.
l Security zone
A security zone, also called a zone, is an interface or a group of multiple interfaces, and
the networks connected to these interfaces have the same security attributes. Each
security zone has a globally unique security priority.
l Interzone
Any two security zones constitute an interzone, and packets are transmitted between
these two security zones. Inbound indicates that packets are transmitted from a low-
priority security zone to a high-priority security zone, while outbound indicates that
packets are transmitted from a high-priority security zone to a low-priority security zone.
In the SD-WAN Solution, the firewall function is implemented through security policies,
which are applied to the interzone. A firewall security policy is deployed on the CPE to
ensure security for Internet access services of enterprise users, protecting the internal network
from unauthorized access.
In addition, the CPE provides the application specific packet filter (ASPF) function to detect
application-layer and transport-layer protocol information and dynamically determine whether
to allow packets to enter the internal network. The firewall security policy and the ASPF
function work together to provide more comprehensive service-based security protection for
the internal network of enterprises.
Application Scenarios
In the SD-WAN Solution, the firewall function is mainly used in the Site-to-Internet scenario,
that is, to implement security protection for Internet access services, as shown in the
following figure.
l Local Internet access scenario
In this scenario, the Internet access traffic of all sites is directly transmitted from the
local CPE to the Internet. The firewall function is deployed on the local CPE to ensure
security of Internet access services.
NOTE
If a site has only MPLS links for Internet access and legacy network access, the system preferentially
ensures communication on legacy networks. In this case, the firewall function does not take effect.
Configuration Tasks
For details about how to enable the firewall function, see Configuration > Security Policy in
1.8.5.6.1 Creating a Network Security Policy.
1.4.3.3 IPS
Functions
The intrusion prevention system (IPS) is a security mechanism. IPS detects intrusion behavior
(such as buffer overflow attacks, Trojan horses, and worms) by analyzing the network traffic,
and terminates intrusion behavior in real time through certain responses. This protects
enterprise information systems and network architectures against intrusions.
The IPS signature database is preconfigured on the CPE to define common intrusion
behaviors. The IPS compares packet characteristics with the signatures in the database. If a
match is found, the IPS regards the behavior as an intrusion and takes protection measures.
In the SD-WAN Solution, the IPS is implemented through security policies, which are applied
to the interzone. An IPS security policy is deployed on the CPE to implement security
protection for Internet access services of enterprise users, blocking various intrusion
behaviors from the Internet.
Application Scenarios
In the SD-WAN Solution, the IPS is mainly used in the Site-to-Internet scenario, that is, to
implement security protection for Internet access services, as shown in the following figure.
centralized Internet access site to implement security protection for Internet access
services and block various intrusion behaviors from the Internet.
l Local Internet access scenario
In this scenario, the Internet access traffic of all sites is directly transmitted from the
local CPE to the Internet. The IPS is deployed on the local CPE to implement security
protection for Internet access services and block various intrusion behaviors from the
Internet.
Configuration Tasks
For details about how to enable the IPS, see Configuration > Security Policy in 1.8.5.6.1
Creating a Network Security Policy.
Functions
URL filtering regulates online behaviors by controlling URLs that users can access and
permitting or denying user access to some web resources.
The CPE allows or denies user access to a URL or a type of URLs based on the pre-defined
categories, blacklist, and whitelist. The CPE extracts the URL field from the HTTP request
packet and matches the URL field with that in the blacklist, whitelist, or predefined category.
If they are matched, the CPE processes the HTTP request packet according to the configured
response action.
In the SD-WAN Solution, URL filtering is implemented through security policies, and the
security policies are applied to the interzone. A URL filtering security policy is deployed on
the CPE to control URLs accessed by enterprise users.
Application Scenarios
In the SD-WAN Solution, URL filtering can be applied in Site-to-Legacy Site, Site-to-SD-
WAN Site, and Site-to-Internet scenarios, as shown in the following figure.
l In the Site-to-Legacy Site scenario (1), URL filtering is deployed on the CPE to regulate
users' online behaviors by controlling URLs used by users to access the legacy site.
l In the Site-to-SD-WAN Site scenario (2), URL filtering is deployed on the CPE to
regulate users' online behaviors by controlling URLs used by users to access the SD-
WAN site.
l In the Site-to-Internet scenario (3), URL filtering is deployed on the CPE to regulate
users' online behaviors by controlling URLs used by users to access the Internet.
– Deny: Only traffic from the URLs included in the exception list or predefined URL
category is allowed to pass.
l Exception list
– URL: Specify exceptional URLs. During the processing, if a packet matches a URL
in the exception list, the system performs the action that is opposite to the default
action.
l Predefined URL category filtering level: Specify the filtering level for the predefined
categories and use the system's predefined classifier templates to perform URL filtering. You
can use a filtering level defined by the system or customize the action for each predefined
classifier template.
– Filtering level: Defines the high, medium, and low filtering levels and configures an
initial action for all predefined URL categories according to each level. A high level
indicates a strict action for URL categories; for example, the device blocks requests
matching the porn, P2P download, and video categories. A low level indicates a loose
action; for example, the device blocks requests matching the porn category only.
– Customization: Customize the action for each category. This method applies to
scenarios where specific URL categories need to be restricted.
l Site: Specify the site where the URL filtering policy is applied.
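The following Python script is an added example and not the CPE's own code. It works through the decision described in this section in the order the text implies: the exception list reverses the default action, a URL in a predefined category gets the action of the chosen filtering level (or of a per-category customization), and everything else gets the default action. The category sets per level are constructed from the examples in the text (high blocks porn, P2P download and video; low blocks porn only; the medium set is an assumption), and the host-to-category table, the URL pattern syntax and the sample URLs are constructed as well.

```python
"""URL filtering decision on the CPE (added example)."""
from fnmatch import fnmatch
from typing import Dict, Iterable, Optional
from urllib.parse import urlsplit

# Categories blocked by each predefined filtering level (constructed; the real
# category lists of the product are not on the page).
LEVEL_BLOCKED = {
    "high": {"porn", "p2p_download", "video"},
    "medium": {"porn", "p2p_download"},   # assumption: between high and low
    "low": {"porn"},
}


def opposite(action: str) -> str:
    return "permit" if action == "deny" else "deny"


def url_matches(url: str, pattern: str) -> bool:
    """Match the host part (wildcards allowed, e.g. "*.example.com") and an
    optional path prefix written after a slash, e.g. "*.example.com/hr"."""
    parts = urlsplit(url)
    host_pat, _, path_pat = pattern.partition("/")
    if not fnmatch(parts.hostname or "", host_pat):
        return False
    return not path_pat or parts.path.startswith("/" + path_pat)


class UrlFilter:
    def __init__(self, default_action: str, exceptions: Iterable[str],
                 categories: Dict[str, str], level: str = "medium",
                 custom_actions: Optional[Dict[str, str]] = None):
        if default_action not in ("permit", "deny"):
            raise ValueError("default action must be permit or deny")
        if level not in LEVEL_BLOCKED:
            raise ValueError("filtering level must be high, medium or low")
        self.default_action = default_action
        self.exceptions = list(exceptions)        # exception list URLs
        self.categories = categories              # host pattern -> predefined category
        self.level = level
        self.custom_actions = custom_actions or {}  # category -> action (customization)

    def category_of(self, url: str) -> Optional[str]:
        for pattern, category in self.categories.items():
            if url_matches(url, pattern):
                return category
        return None

    def category_action(self, category: str) -> str:
        if category in self.custom_actions:
            return self.custom_actions[category]
        return "deny" if category in LEVEL_BLOCKED[self.level] else "permit"

    def decide(self, url: str) -> dict:
        """Return the action for one HTTP request URL and the rule that decided it."""
        if any(url_matches(url, p) for p in self.exceptions):
            return {"action": opposite(self.default_action), "reason": "exception list"}
        category = self.category_of(url)
        if category is not None:
            return {"action": self.category_action(category), "reason": f"category {category}"}
        return {"action": self.default_action, "reason": "default action"}
```

With the default action set to Deny, the example behaves as the text states: only URLs on the exception list or in a predefined category whose action is permit get through, and every uncategorized URL is blocked.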
Configuration Tasks
For details about how to enable URL filtering, see Configuration > Security Policy in
1.8.5.6.1 Creating a Network Security Policy.
The following table describes orchestration principles of security zones and application
principles of security policies applied in interzones.
Item: Mapping between security zones and interfaces
Description:
LAN: trust zone (default). If an Internet egress exists on the LAN, the LAN can be configured as an untrust zone (shown as 1 in the preceding figure).
Overlay: middle zone
Interlink between dual gateways: middle zone
Site to Internet: untrust zone
Site to Legacy Site: middle zone
Item: Security policy application in interzones
Description: The firewall and IPS security policies are applied:
trust zone -> untrust zone
middle zone -> untrust zone
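The following Python script is an added example and not part of the SD-WAN@AC-Campus orchestration code. It encodes the zone rules from the firewall section and the table above: every security zone has a unique priority, a flow from a lower- to a higher-priority zone is inbound and the reverse is outbound, the LAN is assigned to the untrust zone when it has its own Internet egress, and the firewall and IPS security policies are applied to the trust->untrust and middle->untrust interzones. The numeric zone priorities and the network names used as dictionary keys are constructed.

```python
"""Security-zone orchestration for the CPE firewall (added example)."""
from typing import Dict, FrozenSet, Set

# Constructed priority values; the guide only requires them to be unique.
ZONE_PRIORITY: Dict[str, int] = {"trust": 85, "middle": 50, "untrust": 5}

# Default zone of each network attached to the CPE, from the table above.
NETWORK_ZONE: Dict[str, str] = {
    "lan": "trust",
    "overlay": "middle",
    "dual_gateway_interlink": "middle",
    "site_to_internet": "untrust",
    "site_to_legacy_site": "middle",
}

# Interzones that carry the firewall and IPS security policies (unordered pairs).
POLICY_INTERZONES: Set[FrozenSet[str]] = {
    frozenset(("trust", "untrust")),
    frozenset(("middle", "untrust")),
}


def check_zone_priorities(priorities: Dict[str, int]) -> None:
    """Each security zone must have a globally unique priority."""
    if len(set(priorities.values())) != len(priorities):
        raise ValueError("security zone priorities must be unique")


def zone_of(network: str, lan_has_internet_egress: bool = False) -> str:
    """Zone assigned to a network; a LAN with its own Internet egress is untrust."""
    if network == "lan" and lan_has_internet_egress:
        return "untrust"
    return NETWORK_ZONE[network]


def direction(src_zone: str, dst_zone: str) -> str:
    """Inbound goes from a lower- to a higher-priority zone, outbound the reverse."""
    if src_zone == dst_zone:
        raise ValueError("traffic within one zone does not cross an interzone")
    return "inbound" if ZONE_PRIORITY[src_zone] < ZONE_PRIORITY[dst_zone] else "outbound"


def security_policy_applies(src_zone: str, dst_zone: str) -> bool:
    """True when a firewall/IPS security policy is orchestrated for this interzone."""
    return frozenset((src_zone, dst_zone)) in POLICY_INTERZONES


def classify_flow(src_network: str, dst_network: str,
                  lan_has_internet_egress: bool = False) -> dict:
    """Summarise which interzone a flow between two attached networks crosses
    and whether the security policies inspect it."""
    check_zone_priorities(ZONE_PRIORITY)
    src = zone_of(src_network, lan_has_internet_egress)
    dst = zone_of(dst_network, lan_has_internet_egress)
    if src == dst:
        return {"src_zone": src, "dst_zone": dst, "direction": "intrazone", "inspected": False}
    return {"src_zone": src, "dst_zone": dst, "direction": direction(src, dst),
            "inspected": security_policy_applies(src, dst)}
```

Running classify_flow over every pair of attached networks is a quick way to confirm that a planned zone layout leaves no Internet-facing path outside the trust->untrust or middle->untrust interzones.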
uCPE Architecture
Service Chain
On the uCPE, a service chain can be used to control specific traffic to pass through a specific
VNF sequence.
In Figure 1-17, the red traffic is the default forwarding path: it passes only through the SD-WAN
router, is not processed by the VNF, and does not traverse the service chain. After a uCPE goes
online, the SD-WAN@AC-Campus triggers each uCPE to create this default forwarding path. The
blue traffic is the service chain that passes through the VNF. The SD-WAN@AC-Campus
creates the direction of the traffic entering the service chain based on the administrator's
configuration.
Each VNF template or VNF supports a maximum of eight service chains and at least one
default service chain. After traffic enters a LAN interface, the SD-WAN@AC-Campus
matches the service chains in the sequence in which the service chains are arranged. Once the
service rule of a service chain is matched, the SD-WAN@AC-Campus does not match the
service chains further and forwards traffic based on the traffic direction specified by the
service chain.
Two endpoints of a service chain are the physical LAN interface of a uCPE and the interface
connected to the SD-WAN router.
As an NE, a VNF has its own management system. The management system (EMS) can
manage VNFs in either of the following methods:
l Method 1: The IP address of the VNF is statically specified in the VNF management
system. With this method, packets transmitted between the VNF and the management
system cannot pass through any NAT device, because the management system would not
know the address after NAT is performed.
l Method 2: After starting, the VNF automatically registers with its management system
through a mechanism such as NETCONF Call Home. With this method, the VNF can be
placed behind a NAT gateway.
To ensure the universality of VNF management, it is recommended that VNFs be managed
using method 1. The VNF management system is deployed at the headquarters of a tenant,
and a GRE over IPSec (DSVPN) tunnel is set up between the headquarters and uCPEs.
The administrator plans a VNF management IP address pool for each tenant network, and
configures large network segments and the same gateway addresses (for example,
10.1.1.1/16). When a tenant starts a VNF on the uCPE, the SD-WAN@AC-Campus allocates
a management IP address with a 30-bit mask and a gateway interface address to the VNF. The
IP address of the VNF management network interface can be imported using the initial file.
Alternatively, after the VNF is started, the IP address is dynamically obtained from the
gateway interface of the uCPE through DHCP.
The WAN-side routing protocol (for example, BGP) of the uCPE advertises the
management network segment of each VNF to the other uCPEs, including the Hub-CPE. In this
way, the VNF management system connected to a uCPE can reach the VNFs on every
uCPE.
Configuration Tasks
Scenario: Deploy WAN acceleration and firewall services on the uCPE.
Description: WOC and FW VNFs are deployed on uCPE gateways at the site, and service chains are configured to provision WAN acceleration and firewall services.
Task: Only the MSP administrator can configure the virtual lifecycle management on the uCPE. Log in as the MSP administrator and perform the following operations in sequence:
1. 1.7.3 Obtaining and Uploading a VM Image
2. 1.7.4.1 Authorizing an MSP to Maintain Tenant Services
3. 1.7.4.2 (Optional) Accessing the View for Managing Services for a Tenant
4. 1.7.4.6.1 (Optional) Configuring a Resource Pool
5. 1.7.4.6.2 (Optional) Configuring the VM Access Mode
6. 1.7.4.6.5 Creating a Profile
7. 1.7.4.6.6 (Optional) Creating a VNF Template
8. 1.7.4.6.7 Deploying the VNF
9. 1.7.4.6.9 Deploying a Service Chain
Scenario: Deploy endpoint services on the uCPE.
Description: Endpoint services are deployed on uCPE gateways at the site.
Task: Only the MSP administrator can configure the virtual lifecycle management on the uCPE. Log in as the MSP administrator and perform the following operations in sequence:
1. 1.7.3 Obtaining and Uploading a VM Image
2. 1.7.4.1 Authorizing an MSP to Maintain Tenant Services
3. 1.7.4.2 (Optional) Accessing the View for Managing Services for a Tenant
4. 1.7.4.6.2 (Optional) Configuring the VM Access Mode
5. 1.7.4.6.8 Deploying the Endpoint
supports zero touch provisioning (ZTP), including email- and USB-based deployment to solve
such problems.
The following describes roles involved in the deployment and their responsibilities:
l Network administrator: plans network deployment, maintains the network, and
configures and sends a deployment email. The email must contain the URL used to
activate the deployment process. It is recommended that the email contain instructions
for deployment engineers.
l Device administrator: manages purchased devices and information about device sites and
delivered devices. The device administrator of the system integrator performs USB-
based deployment to import initial configurations before device delivery.
l Deployment engineer (network installation or maintenance engineer) at the site: connects
terminals to gateways onsite after confirming that the deployment email has been
received, and performs email-based deployment. Email-based deployment can be
completed by onsite network installation or maintenance engineers, without the need of
onsite instructions of professional network engineers.
MPLS network. The CPE can connect to the SD-WAN@AC-Campus through MPLS
when the CPE accesses the public IP address on the Internet.
2. The network administrator plans and designs the network, selects site devices, configures
the ZTP on the SD-WAN@AC-Campus, and completes the deployment preparations
according to the deployment mode.
– Email-based deployment: After configuring the ZTP, the network administrator
needs to confirm that the deployment email has been sent to the deployment
engineer at the site.
– USB-based deployment: After configuring the ZTP, the network administrator
needs to download the ZTP deployment file and sends the ZTP deployment file to
the deployment engineer at the site.
3. The deployment engineer completes the deployment and checks whether the deployment
is successful onsite.
Email-based Deployment
Email-based deployment is also called URL-based deployment. After the network
administrator completes the ZTP configuration on the SD-WAN@AC-Campus, the SD-
WAN@AC-Campus automatically generates a deployment email. The URL parameters in the
deployment email carry the deployment information, and the deployment email is sent to a
specified deployment mailbox. After receiving the deployment email, the deployment
engineer clicks the URL in the email to start the deployment process. Subsequently, devices
automatically complete the deployment.
Email-based deployment is used when a CPE is installed at a site and deployment needs to be
performed onsite. Email-based deployment greatly simplifies the operation process of a
deployment engineer. The deployment engineer only needs to start the deployment process on
a web page by one click. In this way, the deployment can be completed automatically. This
does not impose requirements on professional skills of the deployment engineer, greatly
reducing the labor cost and shortening the deployment time.
Automatic Recording of ESNs
Email-based deployment applies to the scenario where the ESN is not bound to the CPE in
advance and is recorded automatically on the SD-WAN@AC-Campus after deployment.
When the SD-WAN@AC-Campus allocates a CPE to a site, only the CPE model is specified
but the ESN of the CPE is not specified. In this case, the SD-WAN@AC-Campus
automatically allocates a token to the CPE when generating a ZTP deployment email of the
site. When the deployment engineer deploys the CPE, the CPE sends the token, ESN, and
other registration information to the SD-WAN@AC-Campus for registration. The SD-
WAN@AC-Campus then associates the CPE with the ESN based on the token to complete the
registration of the CPE that is not bound to the ESN.
USB-based Deployment
During the USB-based deployment, after the network administrator completes the ZTP
configuration on the SD-WAN@AC-Campus, the SD-WAN@AC-Campus automatically
generates the ZTP file that records the CPE deployment configuration information. Then, the
deployment engineer uses the tool to generate a configuration file and imports the
configuration file to a USB flash drive for USB-based deployment.
configurations to CPEs in warehouses and distributes the CPEs for onsite installation and
deployment.
NOTE
During batch deployment using a USB flash drive, the ESN of the CPE that is distributed to the site
must be the same as the ESN of the CPE configured on the SD-WAN@AC-Campus. Otherwise, the
deployment may fail.
NTP can be configured independently for each site in the following sequence: external clock
source > parent site > branch site.
On a network that requires high security, NTP authentication must be enabled. Password
authentication is configured between a client and a server to ensure that the client only
synchronizes with a server that is successfully authenticated, improving network security.
l Interface: WAN link parameters to be configured vary according to the interface type
specified in site planning.
The following interface types are supported:
– GE/FE/XGE: Ethernet interface and Ethernet sub-interface
– xDSL (ATM): ADSL interface or G.SHDSL interface (working in ATM mode by
default)
– xDSL (PTM): VDSL interface (working in PTM mode by default)
– LTE: 3G/LTE interface
The following table describes different network access modes of links supported by
interfaces.
[Table: network access modes per interface type. Only the access mode cells survived extraction (Dynamic (DHCP), PPPoE, Dynamic (DHCP), PPPoA, PPPoEoA, PPPoE); the interface type of each row is not recoverable.]
l Sub-interface
This parameter is specified based on whether the sub-interface is required to terminate
the user VLAN. To terminate a user VLAN through a sub-interface, you can configure
the VLAN that is terminated by the sub-interface for Dot1q VLAN tag termination.
l Interface protocol type
This parameter is configured based on the mode in which an interface obtains an IP
address.
l Dynamic/Static IP address
The dynamic or static IP address is selected based on whether the gateway accesses the
Internet using static IP addresses or in dynamic DHCP mode.
l Static IP address, mask, and default gateway address
When the IP address is obtained in static mode, you need to manually configure the IP
address, mask, and gateway address of the interface.
l Interface negotiation mode
– Auto-negotiation: The interface rate and duplex mode are determined through
negotiation with the peer interface.
– Non-auto-negotiation: The interface rate and duplex mode are manually configured
as required.
In non-auto-negotiation mode, you can set the working mode, duplex mode, and rate of
the interface according to the actual interface status.
l Public IP address
This address is used by the edge site to access the vRR.
The public IP address must be the same as the interface IP address statically configured
or dynamically obtained. If a NAT device is deployed between the vRR site and WAN-
side network, the public IP address must be the same as the IP address of the interface
after NAT mapping.
l Uplink and downlink bandwidths of the interface
The uplink and downlink bandwidths of an interface are configured based on the actual
requirements. The unit is Mbit/s.
NTP Clock Synchronization
The following parameters are set for NTP clock synchronization at a site:
l Time zone
This parameter indicates the time zone to which a site gateway belongs.
l NTP authentication
This parameter is optional and indicates whether to enable NTP authentication when the
gateway at a specified site functions as an NTP server. If NTP authentication is enabled,
you need to set the authentication password and authentication ID. If the gateway at a
specified site functions as an NTP client, the configuration of the authentication
password and authentication ID must be the same as those on the parent site that
functions as the NTP server. Otherwise, the authentication fails and NTP clock
synchronization fails.
l NTP client mode
– Manual configuration: An NTP server needs to be deployed on the network to set
the WAN link through which a site gateway accesses the NTP server and NTP
server address. If NTP authentication is enabled on the NTP server, you can set the
NTP authentication mode (MD5 or HMAC-SHA256), authentication password, and
authentication ID based on requirements of the NTP server.
– Automatic synchronization with the parent site: The branch site automatically
synchronizes data with that of the aggregation site or hub site, and the aggregation
site automatically synchronizes data with the hub site.
– Disabled: NTP clock synchronization is not performed.
NTP Server
If a site functions as an NTP client and an NTP server is manually configured, you need
to plan and deploy the NTP server on the network. If no dedicated NTP server is
available, you are advised to use the FusionInsight in the SD-WAN@AC-Campus as the
NTP server.
l IP address: IP address of the NTP server that can be accessed by the site.
l Authentication mode: If the authentication function is enabled on the NTP server, the
authentication mode on the NTP server must be MD5 or HMAC-SHA256.
l Authentication password: authentication password required by the NTP server.
l Authentication ID: key ID for NTP authentication, which must be a number other than 0.
The authentication ID is irrelevant to the NTP server. The authentication ID used when
the site functions as the client must be different from the authentication ID configured
for the NTP server.
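The following Python script is an added example and not the site gateway's own code. It shows why the NTP authentication ID and password must match on both ends, as the NTP authentication and NTP server parameters above require: the client appends its key ID and a MAC over the 48-byte NTP header, and the peer recomputes the MAC with the password it has stored under that key ID and rejects the packet if the ID is unknown, the ID is 0, or the MAC differs. MD5 follows RFC 5905 (MD5 over key || header); "HMAC-SHA256" is modelled as HMAC-SHA256 over the header, which is an assumption about the vendor's implementation. The header bytes, key IDs and passwords are constructed.

```python
"""Symmetric-key NTP authentication between a site gateway and its NTP server (added example)."""
import hashlib
import hmac
import struct
from typing import Dict, Tuple

HEADER_LEN = 48
MAC_LEN = {"MD5": 16, "HMAC-SHA256": 32}


def ntp_mac(mode: str, password: bytes, header: bytes) -> bytes:
    """MAC over the NTP header for the configured authentication mode."""
    if mode == "MD5":
        return hashlib.md5(password + header).digest()   # RFC 5905 keyed MD5 (key || message)
    if mode == "HMAC-SHA256":
        return hmac.new(password, header, hashlib.sha256).digest()  # assumption: true HMAC
    raise ValueError(f"unsupported authentication mode {mode}")


def client_header() -> bytes:
    """Constructed NTPv4 client header: LI=0, VN=4, Mode=3, all other fields zero."""
    return bytes([0x23]) + bytes(HEADER_LEN - 1)


def build_authenticated_packet(header: bytes, mode: str, key_id: int, password: bytes) -> bytes:
    """Append the key ID (the authentication ID) and the MAC to the header."""
    if key_id == 0:
        raise ValueError("the authentication ID must be a number other than 0")
    return header + struct.pack("!I", key_id) + ntp_mac(mode, password, header)


def verify_packet(packet: bytes, mode: str, keys: Dict[int, bytes]) -> Tuple[bool, str]:
    """Accept the packet only if its key ID is configured locally and the MAC matches.

    keys maps authentication ID -> password as configured on the receiving side.
    """
    mac_len = MAC_LEN[mode]
    if len(packet) != HEADER_LEN + 4 + mac_len:
        return False, "unauthenticated or malformed packet"
    header = packet[:HEADER_LEN]
    (key_id,) = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + 4])
    mac = packet[HEADER_LEN + 4:]
    if key_id == 0 or key_id not in keys:
        return False, f"unknown authentication ID {key_id}"
    if not hmac.compare_digest(mac, ntp_mac(mode, keys[key_id], header)):
        return False, "password mismatch"
    return True, "authenticated"
```

The key-ID lookup is what makes the "must be the same as on the parent site" rule concrete: a client that uses ID 10 against a server that only knows ID 11 fails before the password is even compared, and a matching ID with a different password fails on the MAC, so the client never synchronizes with an unauthenticated server.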
Email Server
l SMTP address: address of the email server used by the SD-WAN@AC-Campus to send
emails. The email server must be accessible to the SD-WAN@AC-Campus. You can set
an IP address or domain name, for example, SMTP@email.com.
l Port number: port number of the email server. Generally, the port number of the email
server is 25, which must be the same as that provided by the email server provider.
l Test email address: email address used to test whether the email server can receive
emails sent by the SD-WAN@AC-Campus. The mail server hosting this address must
therefore be reachable, or the address must be one registered on the email server itself.
Device Activation Security Settings
- URL encryption key: Plan the key for encrypting the URL in the deployment email and
  ZTP file. The value is a string of 6 to 12 digits, for example, 123456.
  After the encryption key is set, the correct encryption key must be entered on the Portal
  page to perform email-based deployment on the CPE. Therefore, the key must be
  transmitted correctly to the deployment personnel before the deployment.
- Token validity period: Specify the validity period of the token. The default value is seven
  days. The value is in the range from 1 to 30, in days.
  When a CPE whose ESN is not recorded in the SD-WAN@AC-Campus is deployed,
  the system starts timing when it sends the deployment email. After receiving the
  registration information of the CPE, the SD-WAN@AC-Campus checks whether the
  registration time of the CPE is within the token validity period. If it is, the CPE
  registers successfully. Otherwise, the registration fails.
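The two activation settings above, the URL encryption key format and the token validity window, written out as checks. This is an added example, not code from the guide or from the SD-WAN@AC-Campus product; the function names are assumptions of the example, and the rule that a registration timestamped before the deployment email was sent is rejected is likewise an assumption of the example rather than a rule the guide states.

```python
# Added example: checks for the documented device activation settings.
# Hypothetical helper names; not the SD-WAN@AC-Campus implementation.
from datetime import datetime, timedelta

TOKEN_VALIDITY_DEFAULT_DAYS = 7   # default stated in the guide
TOKEN_VALIDITY_MIN_DAYS = 1       # allowed range stated in the guide
TOKEN_VALIDITY_MAX_DAYS = 30


def is_valid_url_encryption_key(key: str) -> bool:
    """The URL encryption key is a string of 6 to 12 decimal digits (e.g. 123456).

    str.isdigit() also accepts non-ASCII digits, so the ASCII check is needed.
    """
    return key.isascii() and key.isdigit() and 6 <= len(key) <= 12


def normalize_token_validity(days) -> int:
    """Return the effective validity in days; None selects the seven-day default."""
    if days is None:
        return TOKEN_VALIDITY_DEFAULT_DAYS
    if isinstance(days, bool) or not isinstance(days, int):
        raise TypeError("token validity must be an integer number of days")
    if not TOKEN_VALIDITY_MIN_DAYS <= days <= TOKEN_VALIDITY_MAX_DAYS:
        raise ValueError(
            f"token validity must be {TOKEN_VALIDITY_MIN_DAYS}-{TOKEN_VALIDITY_MAX_DAYS} days, got {days}"
        )
    return days


def registration_allowed(email_sent_at: datetime, registered_at: datetime, validity_days=None) -> bool:
    """True if a CPE (ESN not pre-recorded) registered inside the token validity window.

    Timing starts when the deployment email is sent. A registration timestamped
    before that moment is rejected as well: it cannot have come from this email
    (assumption of this example, not a rule stated in the guide).
    """
    deadline = email_sent_at + timedelta(days=normalize_token_validity(validity_days))
    return email_sent_at <= registered_at <= deadline


def check_registration(email_sent_iso: str, registered_iso: str, validity_days=None) -> bool:
    """Same check on ISO-8601 timestamps, e.g. '2019-03-13T09:00:00'."""
    return registration_allowed(
        datetime.fromisoformat(email_sent_iso),
        datetime.fromisoformat(registered_iso),
        validity_days,
    )


if __name__ == "__main__":
    # Constructed sample: email sent on the guide's issue date, registration six days later.
    print(is_valid_url_encryption_key("123456"))                              # True
    print(check_registration("2019-03-13T09:00:00", "2019-03-19T09:00:00"))   # True
    print(check_registration("2019-03-13T09:00:00", "2019-03-20T09:00:01"))   # False
```

The deadline comparison is inclusive at both ends, so a registration exactly seven days after the email is still accepted with the default validity; an operator who wants a stricter cut-off would change the upper comparison to a strict one.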
Configuration Tasks
- System administrator
  The admin user is the default system administrator, who has the highest permission and
  can create system, MSP, and tenant administrators by role. After a system administrator
  modifies the password policy, idle timeout policy, and other policies, the modifications
  take effect for all users.
- MSP administrator
  A system administrator can create a tenant administrator and an MSP administrator for
  tenants. This MSP administrator is the default administrator of the MSP. The default
  administrator of the MSP can create roles, and create MSP or tenant administrators by
  role.
- Tenant administrator
  After an MSP administrator (in MSP O&M mode) or a system administrator (in
  enterprise O&M mode) creates a tenant, the tenant administrator can create roles and
  tenant administrators by role.
4. The password can contain no more than two consecutive identical characters.
System administrator
- Account: Generally, the admin account is used.
- Default password: The default password of the admin account is Changeme123.
- Password: When the system administrator uses the default password to log in to the
  SD-WAN@AC-Campus for the first time, the system prompts the system administrator to
  change the password. Therefore, the system administrator needs to plan a new password
  that meets the password requirements.
MSP administrator
- Account: The account is specified when the system administrator creates an MSP and is
  the default administrator of the MSP. The account is in the format of an email address,
  for example, MSP@test.com.
- Default password: When creating an MSP account, the system administrator specifies the
  initial login password of the default account. The password must meet the password
  requirements.
- Password: When the MSP administrator uses the default password to log in to the system
  for the first time, the system prompts the MSP administrator to change the password.
  Therefore, the MSP administrator needs to plan a new password that meets the password
  requirements.
Tenant administrator
- Account: The account is specified when the system or MSP administrator creates a
  tenant and is the default administrator of the tenant. The account is in the format of an
  email address, for example, user1@test.com.
- Default password: When creating an MSP account, the system administrator specifies the
  initial login password of the default account. The password must meet the password
  requirements.
- Password: When the tenant administrator uses the default password to log in to the
  system for the first time, the system prompts the tenant administrator to change the
  password. Therefore, the tenant administrator needs to plan a new password that meets
  the password requirements.
Context
After the Agile Controller-Campus is installed, an administrator can use a web browser to log
in to the Agile Controller-Campus WebUI to perform the system management and
maintenance operations. The following web browsers are supported:
- Internet Explorer 11
- Chrome 50 or Chrome 60
- Windows 10 (Microsoft Edge 20 or Microsoft Edge 40)
Procedure
Step 1 Log in to the Agile Controller-Campus.
Step 2 Enter https://Agile Controller-Campus server IP address:port number in the address box,
and press Enter.
Step 3 Ignore the security certificate problem to access the login page.
- Internet Explorer 11: Click Continue to this website (not recommended).
NOTE
To solve the security certificate problem, apply for a security certificate from an official CA. After
the certificate is issued, the system administrator needs to replace the ER northbound certificates for
the browser. For details, see Updating ER Certificates.
Step 4 Enter the default administrator name admin and password Changeme_123, and click Login.
Step 5 Upon the first login, change the password as prompted. Skip this step if it is not your first login.
Step 6 Select the tenant mode and license management policy upon first login. Skip this step if it is not
your first login.
Exercise caution when selecting a tenant mode and a license management policy, because
they cannot be modified later. To modify the tenant mode, you need to reinstall the Agile
Controller-Campus.
1. Set the operating mode. Tenant Operating Mode is used as an example here: select
   Tenant Operating Mode, and click Next Step.
   – To use only the SD-WAN service, select Tenant Operating Mode, and click Next
     Step.
   – To use the uCPE service or use both uCPE and SD-WAN services, select MSP
     Operating Mode, and click Next Step.
----End
Context
As devices provide more and more features, device prices keep growing. The license
mechanism allows you to purchase only the required features, reducing operation costs and
shortening service deployment time. You can purchase only the required features at the
beginning and enable license-controlled features as required later. Enabling license-controlled
features does not affect existing services.
A license file is usually encrypted by using the device sequence number as the key. You can
apply for a license through Huawei technical support.
NOTE
In the MSP-operated public cloud and enterprise-operated private cloud scenarios, the system
administrator imports a license file (global license) to the cloud management platform when building the
platform. Tenants do not need to purchase license activation codes from the MSP.
The license management function is available to system administrators upon their first login to the Agile
Controller-Campus if the license mode is set to System Administrator Management License.
Procedure
Choose Administration > Administration > License on the home page. On the License
Management page, view license information.
- Loading a license
  a. Click Obtain ESN to obtain the ESN.
  b. Apply for the license file on the ESDP platform based on the ESN. For details, see
     License Usage Guide.
  c. Click Upload License to load the license.
     Select the obtained license and click OK to upload it. After the license is
     successfully loaded, the following window is displayed.
     After the license is loaded, the corresponding functions are automatically enabled,
     and the resource items are controlled by the license.
     By default, the AR license function is disabled. When an AR is added to a site, the
     Agile Controller-Campus automatically enables the license function for the AR to
     ensure that the license can be delivered successfully.
- Removing a license
  Click Remove License. The system enters the license-unloaded state.
  NOTE
  You can remove the license only when no tenant under the system administrator has devices.
Management Process
Prerequisites
Step 1 Configure global account policies.
You can configure account policies to define the user name length and login rules to improve
the account security of the Agile Controller-Campus. Default account policies are preset on
the Agile Controller-Campus and can be modified as required.
Choose Administration > System Account > Account from the main menu. Click Account
Policy to configure global account policies.
NOTE
If PCI authentication is required, adjust the account policy and password policy as follows:
- Enable Disable unused accounts, and set Maximum number of consecutive idle days of account
  to 90. An account is suppressed if it does not log in for more than 90 days.
- Enable Account lockout trigger conditions, and set Invalid password monitoring period (min) to
  30. If an account fails to log in five consecutive times within 30 minutes, the account is locked
  for 30 minutes.
- Set Number of historical passwords that cannot be reused to 4.
----End
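The three PCI-oriented policy values from the note above, together with the password rule listed earlier in this section (no more than two consecutive identical characters), evaluated over a constructed sequence of login attempts. This is an added example, not the Agile Controller-Campus implementation: the class and function names are assumptions of the example, the login events and passwords are constructed, and the password history uses a plain SHA-256 digest only to keep the example short.

```python
# Added example: the account and password policy values from the note, evaluated
# over constructed login attempts. Hypothetical names; not the product's code.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from hashlib import sha256
from typing import List, Optional, Tuple

MAX_IDLE_DAYS = 90                        # Maximum number of consecutive idle days of account
LOCKOUT_FAILURES = 5                      # consecutive failures that trigger a lockout
LOCKOUT_WINDOW = timedelta(minutes=30)    # Invalid password monitoring period (min)
LOCKOUT_DURATION = timedelta(minutes=30)  # how long the account stays locked
PASSWORD_HISTORY = 4                      # Number of historical passwords that cannot be reused
MAX_IDENTICAL_RUN = 2                     # no more than two consecutive identical characters


def has_long_identical_run(password: str, max_run: int = MAX_IDENTICAL_RUN) -> bool:
    """True if any character repeats more than max_run times in a row ('aaa' fails, 'aa' passes)."""
    run = 1
    for prev, cur in zip(password, password[1:]):
        run = run + 1 if cur == prev else 1
        if run > max_run:
            return True
    return False


@dataclass
class AccountState:
    last_login: datetime
    failures: List[datetime] = field(default_factory=list)     # failed attempts in the window
    locked_until: Optional[datetime] = None
    password_history: List[str] = field(default_factory=list)  # digests, oldest first

    def is_suppressed(self, now: datetime) -> bool:
        """'Disable unused accounts' rule: idle for more than MAX_IDLE_DAYS."""
        return now - self.last_login > timedelta(days=MAX_IDLE_DAYS)

    def record_attempt(self, at: datetime, success: bool) -> str:
        """Apply one login attempt and return 'ok', 'failed' or 'locked'."""
        if self.locked_until is not None and at < self.locked_until:
            return "locked"          # still inside the lockout; the password is not even checked
        if success:
            self.failures.clear()    # a successful login breaks the run of consecutive failures
            self.last_login = at
            return "ok"
        # Keep only failures inside the monitoring window, then add this one.
        self.failures = [t for t in self.failures if at - t <= LOCKOUT_WINDOW]
        self.failures.append(at)
        if len(self.failures) >= LOCKOUT_FAILURES:
            self.locked_until = at + LOCKOUT_DURATION
            self.failures.clear()
            return "locked"
        return "failed"

    def change_password(self, new_password: str) -> bool:
        """Reject repeated-character runs and any of the last PASSWORD_HISTORY passwords."""
        # Plain SHA-256 keeps the example short; a real store would use a slow, salted hash.
        digest = sha256(new_password.encode("utf-8")).hexdigest()
        if has_long_identical_run(new_password):
            return False
        if digest in self.password_history[-PASSWORD_HISTORY:]:
            return False
        self.password_history.append(digest)
        return True


def simulate_logins(events: List[Tuple[str, bool]]) -> List[str]:
    """events: (ISO-8601 timestamp, success) pairs in time order; returns one verdict per event."""
    account = AccountState(last_login=datetime.fromisoformat(events[0][0]))
    return [account.record_attempt(datetime.fromisoformat(ts), ok) for ts, ok in events]


def simulate_password_changes(passwords: List[str]) -> List[bool]:
    """Returns whether each successive password change is accepted."""
    account = AccountState(last_login=datetime(2019, 3, 13))
    return [account.change_password(p) for p in passwords]


def idle_suppressed(last_login_iso: str, now_iso: str) -> bool:
    account = AccountState(last_login=datetime.fromisoformat(last_login_iso))
    return account.is_suppressed(datetime.fromisoformat(now_iso))


# Constructed sample: five failures inside 30 minutes, a correct password during the
# lockout, and another after the lockout has expired (09:20 + 30 min = 09:50).
SAMPLE_EVENTS = [
    ("2019-03-13T09:00:00", False),
    ("2019-03-13T09:05:00", False),
    ("2019-03-13T09:10:00", False),
    ("2019-03-13T09:15:00", False),
    ("2019-03-13T09:20:00", False),
    ("2019-03-13T09:30:00", True),
    ("2019-03-13T09:51:00", True),
]

if __name__ == "__main__":
    print(simulate_logins(SAMPLE_EVENTS))
```

Two details matter when reproducing this against real audit logs: a correct password presented while the lockout is active is reported as locked and does not reset the timer, and failures older than the monitoring window are discarded before the count is compared with the threshold, so five failures spread over more than 30 minutes never lock the account.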
Procedure
Step 1 Choose Administration > System Account > Account from the main menu, and click the
Account tab.
By default, the admin account is preset on the Agile Controller-Campus.
admin: System administrator. The initial password is Changeme_123. When the admin user
adjusts the account policy, password policy, and idle timeout policy, the account policy of the
admin user changes accordingly. The admin account cannot be modified or deleted. After
logging in to the Agile Controller-Campus as admin for the first time, change the initial
password as prompted.
Step 3 On the Create User page, set appropriate parameters and click Next.
Parameter Description
Confirm Password
Modify password on first login: Whether the password must be changed upon first-time login.
Select All Resources: If this function is enabled, the administrator can manage all
accounts, including accounts that will be created.
If this function is disabled, click Next. On the Managed Object page that is displayed,
select the accounts that can be managed by the administrator.
NOTE
This parameter is available only after you select a role.
Step 4 Click Create, set the allowed IP address range, and click Confirm.
After the IP address range is added, the account can use only an IP address within this range
to log in to the Agile Controller-Campus. If no IP address range is added, the account can use
any IP address to log in to the Agile Controller-Campus.
NOTE
After logging in to the Agile Controller using this account, choose Administration > Administration >
My Account from the menu. Configure the IP address range on the Access Control page.
----End
Follow-up Procedure
- Modify the account information, reset the password, and disable/enable an account.
  a. Choose Administration > System Account > Account from the main menu.
  c. Delete an account.
     i. Choose Administration > System Account > Account from the main menu.
     ii. Select an account, and click Delete.
To enable multiple users to have the same permissions, create a user group and add these
users to the group.
To create a user group, choose Administration > System Account > Account from the
main menu. Click the User Group tab, and click Create to create a user group.
If Select All Resources is disabled, click Next to select the objects to be managed by the user
group.
ii. On the Basic Information page, set Simultaneous Online and click . The
    value 0 indicates that there is no limit on the maximum number of concurrent
    online users.
Procedure
Step 1 Access the MSP Management menu.
Choose MSP Management > MSP Management > MSP Management.
Step 2 Click Create.
----End
Follow-up Procedure
If the MSP administrator has created one or more tenants, the MSP administrator account
cannot be deleted. To delete an MSP administrator account, delete the tenants created by this
account first.
Context
Huawei SD-WAN Solution mainly uses IP overlay tunneling technology to construct
networks. It also provides enhanced Ethernet Virtual Private Network (EVPN) and Dynamic
Smart VPN (DSVPN) tunneling technologies to help enterprise customers implement flexible
overlay WAN networking. To ensure that both the DSVPN and EVPN tunnel modes can be
used, the system administrator can configure the tunnel mode. The tunnel mode used by a
newly created tenant is determined by the mode selected by the system administrator.
The DSVPN tunnel mode is the mainstream tunnel mode supported in versions earlier than
V300R003C00, but this mode faces the following bottlenecks:
1. Each tunnel needs to be detected and requires BGP routes. As a result, the service
   performance of the entire network is restricted and the network scale cannot be
   expanded.
2. In the Full-Mesh topology model, each site requires high performance, and a
   small-capacity device cannot meet the requirement.
3. Only the Hub-Spoke and Full-Mesh site interconnection models are supported. Complex
   models such as hybrid networking are not supported.
In V300R003C10 and later versions, the tunnel mode of SD-WAN networks gradually
changes to the EVPN tunnel mode.
In the EVPN tunnel mode, an independent distributed control component vRR is introduced.
Under the control and guidance of the Agile Controller-Campus, based on the routes and VPN
topology policies configured on the Agile Controller-Campus, vRRs centrally control and
distribute service routes between branch sites through the extended EVPN protocol. EVPN
tunnels provide better performance and higher networking flexibility. In addition to Hub-
Spoke and Full-Mesh topology models, EVPN tunnels can also be deployed in hierarchical
and Partial-Mesh topology models.
Procedure
Step 1 Choose Administration > Administration > Tunnel Mode Setting.
----End
Context
A tenant administrator is responsible for configuring and maintaining services on a tenant
network.
Procedure
Step 1 Access the Tenant Management page.
Step 2 Click Create to configure tenant information, and click Next. The tenant name must be
different from existing accounts.
----End
Follow-up Procedure
After you delete a tenant, all existing data about this tenant, including the tenant account,
tenant administrator account, site, and tenant devices, will be automatically deleted from the
Agile Controller-Campus. Data delivered to devices will not be deleted, so tenant services are
not affected. To delete services, log in to devices and manually restore their factory settings.
Parameter Description
Tenant Information
Tenant name: Tenant name. The tenant's company name is recommended. The tenant name
contains a maximum of 64 characters. It cannot be default or all digits, and it cannot contain
slashes (/).
Procedure
Step 1 Choose Administration > Third Party Service > Email Server.
NOTE
– Depending on the network quality and the performance of the SMTP server, the receipt of
  emails may be delayed by up to two minutes.
– Some SMTP providers restrict third-party application access. If the test fails, check whether
  third-party application access control is enabled on the SMTP server, and set Password to the
  authentication password of the SMTP server.
– Limited by the security policies of email service providers, administrators may fail to receive
  emails in some scenarios. If no email is received, log in to the email service website or contact
  the email service provider to check whether the email was returned or another exception
  occurred. Alternatively, replace the email server and try again.
----End
Parameter Description
SMTP address: SMTP address of the mailbox from which emails are sent. The address
must be an IP address or in the smtp.mail.com format.
NOTE
SMTP is short for Simple Mail Transfer Protocol. SMTP is mainly used to transfer
system emails and provide email notifications.
Port: Port number of the SMTP service provided by the email server. You can
obtain the port number from the email service provider. By default, the
port number is 25.
Enable access: Whether to enable email account and password authentication.
Account / Password: User name and password for logging in to the SMTP server. The two
parameters are valid only when Enable access is selected.
Sender Email: Sender email address, which must have been registered on the email
server. During the email test, this address is used as the recipient email
address. After the connectivity test succeeds and the configuration is saved, this
address is used as the sender email address.
Prerequisites
- You have obtained the VNF/Endpoint image.
- A third-party file server (SFTP or HTTPS) has been set up.
Procedure
Step 1 Interconnect the Agile Controller-Campus with the third-party file server. For details, see
Configuring the File Server.
Step 2 Create a VM image in the file list. For details, see File Management in Procedure.
----End
Follow-up Procedure
Editing or deleting an image: In the uploaded Image list, click in the Operation
column to update an image by modifying the values of the Name, Description, Minimum
Resource, and VNF Initial Config parameters.
Context
After the Agile Controller-Campus is installed, an administrator can use a web browser to log
in to the Agile Controller-Campus WebUI to perform the system management and
maintenance operations. The following web browsers are supported:
- Internet Explorer 11
- Chrome 50 or Chrome 60
- Windows 10 (Microsoft Edge 20 or Microsoft Edge 40)
Prerequisites
The system administrator has created an MSP administrator account.
Procedure
Step 1 Log in to the Agile Controller-Campus.
Step 2 Enter https://Agile Controller-Campus server IP address:port number in the address box,
and press Enter.
Step 3 Ignore the security certificate problem to access the login page.
- Internet Explorer 11: Click Continue to this website (not recommended).
NOTE
To solve the security certificate problem, apply for a security certificate from an official CA. After
the certificate is issued, the system administrator needs to replace the ER northbound certificates for
the browser. For details, see Updating ER Certificates.
Step 4 Enter the MSP administrator account and password, and click Login. Change the password
upon the first-time login.
NOTE
If the MSP administrator forgets the password, the MSP administrator can click "Forgot password?" on
the Agile Controller-Campus login page to reset the password through an email.
----End
Context
If the Agile Controller-Campus needs to send emails to users, you need to configure an email
server first.
The Agile Controller-Campus needs to send emails in the following scenarios:
- If the system administrator forgets the password, the Agile Controller-Campus sends a
  reset password to the administrator through an email.
- After the system administrator performs alarm settings on the Agile Controller-Campus,
  the Agile Controller-Campus sends emails to notify users of reported alarms.
- After the system administrator inspects tenant devices, the inspection report is sent to the
  administrator's mailbox if needed.
- If the tenant administrator wants to use the email-based deployment function, the Agile
  Controller-Campus needs to send deployment emails to related personnel.
The system administrator has configured an email server for sending emails. If the MSP
administrator wants to use another email server, the MSP administrator needs to configure an
email server separately.
NOTE
If both the system administrator and MSP administrator have configured an email server, the email
server configured by the MSP administrator is used preferentially. If the email server configured by the
MSP administrator is not found, the email server configured by the system administrator is used.
Procedure
Step 1 Choose Administration > Administration > Email Server.
– Depending on the network quality and the performance of the SMTP server, the receipt of
  emails may be delayed by up to two minutes.
– Some SMTP providers restrict third-party application access. If the test fails, check whether
  third-party application access control is enabled on the SMTP server, and set Password to the
  authentication password of the SMTP server.
– Limited by the security policies of email service providers, administrators may fail to receive
  emails in some scenarios. If no email is received, log in to the email service website or contact
  the email service provider to check whether the email was returned or another exception
  occurred. Alternatively, replace the email server and try again.
----End
Context
A tenant administrator is responsible for configuring and maintaining services on a tenant
network.
Procedure
Step 1 Access the tenant management menu.
Choose Tenant Management > Tenant Management > Tenant Management.
Step 2 Click Create to configure tenant information. The tenant name must be different from
existing accounts. Set Authorize MSP as required.
----End
Follow-up Procedure
After you delete a tenant, all existing data about this tenant including the tenant name, tenant
administrator account, site, and tenant devices will be automatically deleted from the Agile
Controller-Campus.
Parameter Description
Tenant Information
Tenant name: Tenant name. The tenant's company name is recommended. The tenant name
contains a maximum of 64 characters. It cannot be default or all digits, and it cannot contain
slashes (/).
Email: Email address used for password retrieval, message pushing, and other purposes. If
this parameter is left empty, the account is used as the default email address. The email
address must be valid.
Prerequisites
You have obtained the VNF/Endpoint image.
Procedure
Step 1 Access the VNF image menu.
Choose VM Lifecycle > VM Lifecycle > Image from the main menu of the Agile Controller-
Campus.
Click Get Upload Tool to download the upload tool to the local device.
Set AC IP address to the IP: port or domain name of the Agile Controller-Campus web
interface.
2. Click Log In to log in to the upload tool.
Step 5 Upload the image to the Agile Controller-Campus.
----End
Follow-up Procedure
Editing or deleting an image: In the uploaded Image list, click in the Operation
column to update an image by modifying the values of the Name, Description, Minimum
Resource, and VNF Initial Config parameters.
Parameter Description
Type: Type of the image to be uploaded. The value can be VNF or Endpoint.
Function: Function to be created for VNF or Endpoint images. If the type of the
image to be uploaded is VNF, there are two types of functions: FW and
WOC. If the type of the image to be uploaded is Endpoint, the function
is GENERIC.
Prerequisites
You have logged in to the Agile Controller-Campus using a tenant account that authorizes
maintenance operations to an MSP.
Procedure
Step 1 Access the authorization information page.
Choose Administration > Administration > Tenant Information from the main menu.
Step 2 Enable authorization on the authorization information page and set the authorization scope.
----End
1.7.4.2 (Optional) Accessing the View for Managing Services for a Tenant
An MSP provides tenants with cloud managed devices and cloud network services. After a
tenant applies to the MSP for the managed services, the MSP can maintain the tenant's
network on the Agile Controller-Campus. If a tenant does not need the managed services from
the MSP, skip this step.
Prerequisites
The tenant administrator has authorized the MSP to manage the services. For details, see
1.7.4.1 Authorizing an MSP to Maintain Tenant Services.
Procedure
Step 1 Log in to the Agile Controller-Campus home page as the MSP administrator.
Step 2 Under Tenants List, click the tenant name. The view for managing services for the tenant is
displayed.
----End
NOTE
When configuring a site template, if Reuse LAN-side L2 interface is enabled, you need to specify the
reserved VLAN ID range. In the uCPE and external vRouter scenario, the configuration of reserved
VLANs does not take effect and has no impact on services. The web UI will be optimized in later
versions.
Procedure
Step 1 Choose VM Lifecycle > Deployment > Settings from the main menu. Click the Resource
Pool tab.
----End
Parameter Description
Reserved VLAN: Reserved VLANs required for VNF deployment. This VLAN address pool
cannot overlap those for other services.
Procedure
Step 1 Choose VM Lifecycle > Deployment > Settings from the main menu. Click the Virtual
Machine Management tab.
----End
Parameter Description
Access Mode: Before deploying a VM, you need to configure the VM access mode,
underlay or overlay. If the access mode is not specified, the underlay mode is used by
default. If Access Mode is set to Underlay, you can manage the floating IP address.
Procedure
Step 1 Choose VM Lifecycle > Deployment > Settings from the main menu. Click the Fault
Diagnosis tab.
Step 2 Choose Automatic NQA.
Step 3 Set the NQA interval in the NQA interval(S) text box.
----End
Prerequisites
1. A site has been created and activated. For details, see 1.8.3.4 Creating a Site.
2. The WAN-side links of the site have been configured. For details, see 1.8.3.6
Configuring the Network Access Mode for a Site.
Procedure
Step 1 Choose Configuration > Overlay Network > Site Configuration from the main menu.
----End
Prerequisites
1. The MSP administrator has uploaded the VM image to the Agile Controller-Campus or
the system administrator has uploaded the image to the third-party file server. For details,
see 1.7.3 Obtaining and Uploading a VM Image or 1.6.8 (Optional) Uploading a VM
Image through Third-Party File Server.
2. The MSP administrator has accessed the tenant managed service view. For details, see
1.7.4.2 (Optional) Accessing the View for Managing Services for a Tenant.
Procedure
Step 1 Access the profile page.
Choose VM Lifecycle > VM Lifecycle > Profile from the main menu.
1. Click Create.
2. Enter a profile name in Name.
3. Select a type from the Type drop-down list, and an image from the Image drop-down
list.
4. Set vCPU, Memory, System Disk, and Data Disk. A recommended profile is preset for
each type of VNFs/endpoints to specify the minimum resource specifications.
5. Under Install Disk, choose External Disk or Built-in Disk to specify whether the VM
is installed on an external or the built-in hard disk. If no hard disk is specified, the VM is
installed on the external hard disk by default.
6. Click .
----End
Parameter Description
name: Profile name. The value is a string of 1 to 128 characters including only letters,
digits, underscores (_), minus signs (-), and dots (.).
Type: Type of the profile to be created. Currently, only VNF and endpoint are
supported.
Image: Image of the VM. You must select an image that has been uploaded to the
Agile Controller-Campus. The Agile Controller-Campus displays only the
images matching the selected profile type.
Data Disk: Data disk size of the VNF. You need to set this parameter only when the profile
type is VNF.
Install Disk: Installation disk of the VM. The options are External Disk and Built-in Disk. If
no hard disk is specified, the VM is installed on the external hard disk by default.
Prerequisites
The VNF profile has been created. For details, see 1.7.4.6.5 Creating a Profile.
Procedure
Step 1 Access the deployment page.
Choose VM Lifecycle > Deployment > Template from the main menu.
5. Click Confirm.
6. In the template list, click the name of the created VNF template to view or edit the
template.
Step 3 Create a service chain. The first created service chain has the lowest priority.
NOTE
There is a default service chain named LAN-Router. Service chains can only be created or deleted but
cannot be modified.
----End
Parameter Description
Source: Source address of the service chain data traffic. Currently, the
following types can be selected:
- Any: indicates any source address.
- Customized: indicates a customized source address.
Destination: Destination address of the service chain data traffic. Currently, the
following types can be selected:
- Any: indicates any destination address.
- Customized: indicates a customized destination address.
Protocol: Protocol that specifies the type of packets matching service chain
rules.
SrcPort: Source port of the packets matching service chain rules. Currently, the
following types can be selected:
- Any: indicates any source port.
- Customized: indicates a customized source port number range.
DstPort: Destination port of the packets matching service chain rules. Currently,
the following types can be selected:
- Any: indicates any destination port.
- Customized: indicates a customized destination port number range.
Path: Path of the matched service chain traffic. The VNF is added to specify
the direction of the service chain traffic.
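A matcher that applies the service chain parameters above (Source, Destination, Protocol, SrcPort, DstPort and Path, each Any or a customized value) to sample flows, honouring the rule stated in Step 3 that the first created service chain has the lowest priority. This is an added example, not the Agile Controller-Campus implementation; the class and function names, the CIDR and port-range encoding of "Customized" values, the constructed chains (with the default chain LAN-Router created first) and the sample flows are all assumptions of the example.

```python
# Added example: service chain rule matching with the parameters above.
# Hypothetical names; not the Agile Controller-Campus implementation.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY = None  # the UI value "Any"; a customized value is a CIDR, a protocol name or a (low, high) port range

Flow = Tuple[str, str, str, Optional[int], Optional[int]]  # src_ip, dst_ip, protocol, sport, dport


@dataclass(frozen=True)
class ServiceChain:
    name: str
    path: Tuple[str, ...]                         # ordered VNFs the matched traffic traverses
    source: Optional[str] = ANY                   # customized: CIDR such as "10.1.0.0/24"
    destination: Optional[str] = ANY
    protocol: Optional[str] = ANY                 # customized: "tcp", "udp", "icmp", ...
    src_port: Optional[Tuple[int, int]] = ANY     # customized: inclusive port range
    dst_port: Optional[Tuple[int, int]] = ANY

    def matches(self, flow: Flow) -> bool:
        src_ip, dst_ip, proto, sport, dport = flow

        def addr_ok(rule, addr):
            return rule is ANY or ip_address(addr) in ip_network(rule, strict=False)

        def port_ok(rule, port):
            # Protocols without ports (ICMP) only match a port rule of Any.
            return rule is ANY or (port is not None and rule[0] <= port <= rule[1])

        return (
            addr_ok(self.source, src_ip)
            and addr_ok(self.destination, dst_ip)
            and (self.protocol is ANY or self.protocol.lower() == proto.lower())
            and port_ok(self.src_port, sport)
            and port_ok(self.dst_port, dport)
        )


def select_chain(chains: List[ServiceChain], flow: Flow) -> ServiceChain:
    """chains is in creation order; the first created chain has the lowest priority,
    so evaluation runs newest first and the default chain is only a fallback."""
    for chain in reversed(chains):
        if chain.matches(flow):
            return chain
    raise LookupError("no service chain matched the flow")


# Constructed configuration. LAN-Router is the default chain and matches everything;
# the two customized chains were created afterwards and therefore override it.
SAMPLE_CHAINS = [
    ServiceChain("LAN-Router", path=("vRouter",)),
    ServiceChain("branch-web", path=("vFW", "vRouter"),
                 source="10.1.0.0/24", protocol="tcp", dst_port=(80, 443)),
    ServiceChain("branch-web-optimized", path=("vFW", "vWOC", "vRouter"),
                 source="10.1.0.0/24", destination="10.9.0.0/16",
                 protocol="tcp", dst_port=(443, 443)),
]


def steer(flow: Flow, chains: List[ServiceChain] = SAMPLE_CHAINS) -> Tuple[str, ...]:
    """Return the VNF path the flow is steered through."""
    return select_chain(chains, flow).path


if __name__ == "__main__":
    for flow in [("10.1.0.7", "10.9.3.4", "tcp", 51000, 443),
                 ("10.1.0.7", "203.0.113.10", "tcp", 51001, 80),
                 ("10.1.0.7", "203.0.113.10", "udp", 5000, 53),
                 ("10.2.0.1", "10.9.0.1", "icmp", None, None)]:
        print(flow, "->", select_chain(SAMPLE_CHAINS, flow).name, steer(flow))
```

Because chains can only be created or deleted, not modified, the creation order is the only priority control the operator has: a narrower chain that must win over a broader one has to be created after it, which the newest-first evaluation in select_chain reproduces.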
Context
The VNF image needs to be deployed on the uCPE to make the VNF take effect. The
following two VNF deployment modes are supported:
- VNF deployment on a single device: This deployment mode can be used if the VNF
  needs to be deployed on only one device.
- Template-based VNF deployment on multiple devices: This deployment mode can be
  used if the VNF needs to be deployed on multiple devices.
Prerequisites
1. Devices have been successfully deployed. For details, see 1.7.4.4 uCPE Deployment
   and 1.7.4.3 Network Deployment.
2. The resource pool has been configured. For details, see 1.7.4.6.1 (Optional)
   Configuring a Resource Pool.
3. The VNF profile has been created. For details, see 1.7.4.6.5 Creating a Profile.
4. To deploy the VNF on multiple devices using a template, you must have created a
   VNF template and a service chain. For details, see 1.7.4.6.6 (Optional) Creating a VNF
   Template.
Choose VM Lifecycle > Deployment > Device from the main menu.
Step 2 Select a device on which the VNF needs to be deployed.
Click a device name. The details page of the device is displayed.
Step 3 Deploy the VNF.
1. Click Deploy VNF in the Virtual Machines area.
2. In the Virtual Machines area, click Deploy L2 VNF if you need to deploy vWOCs,
vFWs, and vRouters, and add them to a service chain; click Deploy L3 VNF if you need
to deploy vFWs in a centralized manner.
3. On the Select VNF Profile page, select the VNF image to be deployed and click OK.
The VNF deployment status is determined by the value displayed in the Status column in the Virtual
Machines area. In some situations, for example, after the VNF deployment task is delivered and then
the device is restarted, Running is displayed in the Status column in the Virtual Machines area on the
device details page but Failed is displayed in the Status column on the Task tab page. In this situation,
the system is running normally.
1. In the navigation tree on the left, click the site for which the VNF needs to be deployed.
2. On the right of the page, select the devices to be associated with the VNF template.
NOTE
The VNF can be deployed on a single device or multiple devices. To deploy the VNF on multiple
devices, you can select multiple devices.
3. Click Deploy Template.
4. Select the created VNF template on the Deploy Template page. You can click to
view the topology and service chain information about the created VNF template.
5. Click OK.
----End
Follow-up Procedure
Function / Procedure
Checking the device resource status: Click a device name to access the device page. In the
Resource Status area, check the usage of resources, such as storage, CPU, and memory.
Viewing the VNF topology: Click a device name to access the device page. In the
Topology area, view the topology of the deployed VNF template.
Checking VM deployment parameters (operations related to deployment): In the Virtual
Machines area, check the parameters related to the deployed VM, including Name, IP, CPU,
CPU Usage, Memory, Memory Usage, Status, and Task.
Image Management: Click a device name to go to the device page. Then, click
the Manage Image tab, select the image name, and click Delete Images.
Parameter Description
VNF: VNF function selected. The VNF function depends on the VNF image.
Prerequisites
1. Devices have been successfully deployed. For details, see 1.7.4.4 uCPE Deployment
and 1.7.4.3 Network Deployment.
2. The resource pool has been configured. For details, see 1.7.4.6.1 (Optional)
Configuring a Resource Pool.
3. The endpoint profile has been created. For details, see 1.7.4.6.5 Creating a Profile.
Procedure
Step 1 Access the deployment page.
Choose VM Lifecycle > Deployment > Device from the main menu.
2. On the Deploy Endpoint page, select the created profile from the Profile drop-down
list.
3. Select the created endpoint network from the Network drop-down list.
4. Select IP-MAC from the IP-MAC drop-down list and click OK.
The endpoint deployment status is determined by the value displayed in the Status column in the
Virtual Machines area. In some situations, for example, after the endpoint deployment task is delivered
and then the device is restarted, Running is displayed in the Status column in the Virtual Machines
area on the device details page but Failed is displayed in the Status column on the Task tab page. In this
situation, the system is running normally.
----End
Follow-up Procedure
| Function | Procedure |
| --- | --- |
| Checking the device resource status | In the Resource Status area, check the usage of resources, such as storage, CPU, and memory. |
| Operations related to deployment: checking VM deployment parameters | In the Virtual Machines area, check the parameters related to the deployed VM, including Name, IP, CPU, CPU Usage, Memory, Memory Usage, Status, and Task. |
Prerequisites
1. Devices have been successfully deployed. For details, see 1.7.4.4 uCPE Deployment
and 1.7.4.3 Network Deployment.
2. The resource pool has been configured. For details, see 1.7.4.6.1 (Optional)
Configuring a Resource Pool.
3. VNFs have been successfully deployed on a single device.
Procedure
Step 1 Access the deployment page.
1. Choose VM Lifecycle > Deployment > Device from the main menu.
----End
Follow-up Procedure
| Function | Procedure |
| --- | --- |
| Operations related to service chain deployment: checking deployment parameters | In the Service Chain area, check parameters about the created service chain, including Name, VLAN, Source IP, Destination IP, Protocol, Source port, Destination port, Path, and Status. |
| Operating the service chain | In the Service Chain area, click the modify and delete icons to modify and delete the service chain, respectively. |
| Checking the status of the VNF, endpoint, or service chain task | 1. Choose VM Lifecycle > Deployment > Task to view the deployment or operating status of the VNF, endpoint, or service chain. 2. Set filtering parameters, such as Task Type, Object, and Status, to view the status. |
| Parameter | Description |
| --- | --- |
| VLAN | VLAN range. VLAN IDs function as the matching rule basis of a service chain. |
| Source | Source address of the service chain data traffic. Currently, the following types can be selected: Any (any source address) or Customized (a customized source address). |
| Destination | Destination address of the service chain data traffic. Currently, the following types can be selected: Any (any destination address) or Customized (a customized destination address). |
| Protocol | Protocol that specifies the type of packets matching service chain rules. |
| SrcPort | Source port of the packets matching service chain rules. Currently, the following types can be selected: Any (any source port) or Customized (a customized source port number range). |
| DstPort | Destination port of the packets matching service chain rules. Currently, the following types can be selected: Any (any destination port) or Customized (a customized destination port number range). |
| Path | Path of the matched service chain traffic. The VNF is added to specify the direction of the service chain traffic. |
| Status | Service chain deployment status. The displayed status indicates successful deployment, deployment failure, or deletion failure. |
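The matching semantics of the service chain parameters above (a VLAN range, Any or Customized addresses and port ranges, and an ordered VNF path), as an added Python example. It is not Agile Controller-Campus code; the CIDR notation for Customized addresses, the first-match evaluation order and the sample rules are assumptions.

```python
"""Service chain rule matching (added example; not Agile Controller-Campus code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# A field set to "Any" on the GUI is represented here as None.
ANY = None
PortRange = Tuple[int, int]


@dataclass(frozen=True)
class ServiceChainRule:
    name: str
    vlan: PortRange                         # VLAN ID range (inclusive); the matching basis of a chain
    source: Optional[str] = ANY             # Customized: source network in CIDR form (assumption)
    destination: Optional[str] = ANY        # Customized: destination network in CIDR form
    protocol: Optional[str] = ANY           # e.g. "tcp" or "udp"
    src_port: Optional[PortRange] = ANY     # Customized: inclusive port number range
    dst_port: Optional[PortRange] = ANY
    path: Tuple[str, ...] = ()              # VNFs the matched traffic is steered through, in order


@dataclass(frozen=True)
class Packet:
    vlan: int
    src: str
    dst: str
    protocol: str
    src_port: int
    dst_port: int


def _in_range(value: int, rng: Optional[PortRange]) -> bool:
    return rng is ANY or rng[0] <= value <= rng[1]


def _in_network(addr: str, net: Optional[str]) -> bool:
    return net is ANY or ip_address(addr) in ip_network(net, strict=False)


def matches(rule: ServiceChainRule, pkt: Packet) -> bool:
    """True when every field of the rule matches the packet ("Any" always matches)."""
    return (
        _in_range(pkt.vlan, rule.vlan)
        and _in_network(pkt.src, rule.source)
        and _in_network(pkt.dst, rule.destination)
        and (rule.protocol is ANY or rule.protocol == pkt.protocol.lower())
        and _in_range(pkt.src_port, rule.src_port)
        and _in_range(pkt.dst_port, rule.dst_port)
    )


def steer(rules: List[ServiceChainRule], pkt: Packet) -> Tuple[str, ...]:
    """Return the VNF path of the first matching rule (assumption: list order is the
    evaluation order); an empty tuple means the packet bypasses every service chain."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.path
    return ()


# Constructed sample rules: HTTPS from office VLANs to the data centre range goes
# through a firewall then an IPS; everything on guest VLANs goes through the firewall only.
SAMPLE_RULES = [
    ServiceChainRule("office-https", vlan=(100, 199), destination="10.0.0.0/8",
                     protocol="tcp", dst_port=(443, 443), path=("vFW", "vIPS")),
    ServiceChainRule("guest-all", vlan=(200, 299), path=("vFW",)),
]


if __name__ == "__main__":
    https = Packet(150, "192.168.10.5", "10.20.30.40", "tcp", 51000, 443)
    guest = Packet(250, "192.168.200.9", "8.8.8.8", "udp", 5353, 53)
    for pkt in (https, guest):
        print(pkt.vlan, pkt.dst, "->", steer(SAMPLE_RULES, pkt) or "no service chain")
```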
Context
After the Agile Controller-Campus is installed, an administrator can use a web browser to log
in to the Agile Controller-Campus WebUI to perform the system management and
maintenance operations. The following web browsers are supported:
- Internet Explorer 11
- Chrome 50 or Chrome 60
- Windows 10 (Microsoft Edge 20 or Microsoft Edge 40)
Prerequisites
A tenant administrator account has been created.
Procedure
Step 1 Log in to the Agile Controller-Campus.
Step 2 Enter https://<Agile Controller-Campus server IP address>:<port number> in the address box,
and press Enter.
Step 3 Ignore the security certificate problem to access the login page.
- Internet Explorer 11: Click Continue to this website (not recommended).
NOTE
To solve the security certificate problem, apply for a security certificate from an official CA. After
the certificate is issued, the system administrator needs to replace the ER northbound certificates for
browsers. For details, see Updating ER Certificates.
Step 4 Enter the tenant administrator account and password, and click Login.
Step 5 Upon the first login, change the password and re-log in using the new password. Skip this step
if it is not your first login.
----End
Context
The system administrator has configured account policies and password policies. Tenant
administrators can view these policies.
Procedure
Step 1 View global account policies.
Account policies have been configured on the Agile Controller-Campus by default. A tenant
administrator can view account policies, such as account length range policy and account
login policy.
Choose Administration > System Account > Account from the main menu, and click Account
Policy to view global account policies.
NOTE
If PCI authentication is required, adjust the account policy and password policy as follows:
- Enable Disable unused accounts, and set Maximum number of consecutive idle days of
account to 90. An account is disabled if it has not logged in for more than 90 days.
- Enable Account lockout trigger conditions, and set Invalid password monitoring period (min)
to 30. If an account fails to log in five consecutive times within 30 minutes, the account is
locked for 30 minutes.
- Set Number of historical passwords that cannot be reused to 4.
----End
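The three PCI policy values from the note above (five failures within the 30-minute monitoring period lock the account for 30 minutes, 90 consecutive idle days disable it, and the four most recent passwords cannot be reused), simulated as an added Python example. It is not Agile Controller-Campus code; the account store, the hash function and the reference time are assumptions.

```python
"""Account and password policy simulation (added example; not Agile Controller-Campus code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from hashlib import sha256
from typing import List, Optional

# Policy values from the PCI note above.
INVALID_PASSWORD_WINDOW = timedelta(minutes=30)   # Invalid password monitoring period (min)
LOCKOUT_THRESHOLD = 5                             # consecutive failures that trigger a lockout
LOCKOUT_DURATION = timedelta(minutes=30)          # how long the account stays locked
MAX_IDLE_DAYS = 90                                # Maximum number of consecutive idle days of account
PASSWORD_HISTORY = 4                              # historical passwords that cannot be reused

BASE = datetime(2019, 3, 13, 9, 0)                # constructed reference time for the scenario


def at(minutes: float = 0, days: int = 0) -> datetime:
    """Helper for building timestamps relative to BASE."""
    return BASE + timedelta(minutes=minutes, days=days)


def _digest(password: str) -> str:
    # Assumption: a plain hash is enough for a simulation; a real store uses a salted KDF.
    return sha256(password.encode()).hexdigest()


@dataclass
class Account:
    name: str
    passwords: List[str]                      # hashes, oldest first; passwords[-1] is current
    last_login: datetime
    failures: List[datetime] = field(default_factory=list)   # failed attempts inside the window
    locked_until: Optional[datetime] = None
    disabled: bool = False


def new_account(name: str, password: str, created: datetime) -> Account:
    return Account(name=name, passwords=[_digest(password)], last_login=created)


def attempt_login(acct: Account, password: str, now: datetime) -> str:
    """Returns 'ok', 'locked', 'disabled' or 'bad_password'."""
    # "Disable unused accounts": no successful login for more than MAX_IDLE_DAYS.
    if acct.disabled or now - acct.last_login > timedelta(days=MAX_IDLE_DAYS):
        acct.disabled = True
        return "disabled"
    if acct.locked_until is not None and now < acct.locked_until:
        return "locked"
    if _digest(password) != acct.passwords[-1]:
        # Only failures inside the monitoring period count towards the threshold.
        acct.failures = [t for t in acct.failures if now - t < INVALID_PASSWORD_WINDOW]
        acct.failures.append(now)
        if len(acct.failures) >= LOCKOUT_THRESHOLD:
            acct.locked_until = now + LOCKOUT_DURATION
            acct.failures.clear()
            return "locked"
        return "bad_password"
    acct.failures.clear()            # a successful login ends the consecutive-failure run
    acct.last_login = now
    return "ok"


def change_password(acct: Account, new_password: str) -> bool:
    """Rejects the PASSWORD_HISTORY most recently used passwords, the current one included."""
    new_hash = _digest(new_password)
    if new_hash in acct.passwords[-PASSWORD_HISTORY:]:
        return False
    acct.passwords.append(new_hash)
    return True


if __name__ == "__main__":
    acct = new_account("tenant-admin", "Initial#1", at(0))
    for minute in range(1, 6):                       # five wrong passwords in five minutes
        print(minute, attempt_login(acct, "wrong", at(minute)))
    print(36, attempt_login(acct, "Initial#1", at(36)))   # lockout has expired
    print("reuse current:", change_password(acct, "Initial#1"))
    print("idle 91 days:", attempt_login(acct, "Initial#1", at(36, days=91)))
```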
Context
The system manages users with the same operation rights by role. After a role is granted to an
account, the account has all the rights of this role.
Procedure
Step 1 Choose Administration > System Account > Account from the main menu, and click the
Role tab.
Step 2 Click Create. Enter the role name and select function rights for the role.
By default, a tenant has the following roles. These roles cannot be deleted or modified.
- EVPN Tenant Administrator: The tenant administrator performs tenant services and
configurations.
In the function rights tree of roles, each node has a fixed name but the node order in the tree varies with
the Agile Controller-Campus version. Figures in this section are for reference only.
Step 3 In the SD-WAN Solution, you are advised to create roles and grant function rights based on
the following table. You can also create roles based on your actual needs.
| Role | Description |
| --- | --- |
| Maintenance | O&M personnel, with rights to maintain devices and manage files and logs. |
----End
Context
User account type: local account
Procedure
Step 1 Choose Administration > System Account > Account from the main menu.
By default, a tenant has the following roles. These roles cannot be deleted or modified.
- Tenant Administrator: The tenant administrator performs tenant services and
configurations.
| Parameter | Description |
| --- | --- |
| Confirm Password | |
| Modify password first login | Whether to change the password upon first login. |
| Email address | When resetting passwords, users can receive new random passwords generated automatically through emails. |
Step 4 On the Managed Object page that is displayed, select the sites to be managed by the tenant
administrator, and click Next. By default, Select All Resources is enabled. In this case, the
tenant administrator can manage all sites. If you disable Select All Resources, you can select
the sites to be managed by the tenant administrator.
Step 7 Re-log in to the Agile Controller-Campus using the created tenant administrator account if
you need to manage services using this account subsequently.
----End
Follow-up Procedure
- Modify account information, reset the password, disable or enable the account.
a. Choose Administration > System Account > Account from the main menu.
- Delete an account.
a. Choose Administration > System Account > Account from the main menu.
b. Select an account, and click Delete.
Choose Administration > System Account > Account from the main menu. Click the
User Group tab, and click Create to create a user group.
- Personal Settings
Personal settings improve Agile Controller-Campus access security. This function
applies only to the current user.
ii. On the Basic Information page, click next to the password. In the dialog
box that is displayed, set a new password.
– Adjust the range of IP addresses from which the current account is allowed to log in to the
Agile Controller-Campus.
i. Choose Administration > Administration > My Account from the main
menu.
On the Access Control page, set the start IP address and end IP address of the IP
address range, and click Confirm. If the IP address range list is empty, login is
permitted from any IP address.
Context
The CPEs that are uniquely identified by ESNs are added to the Agile Controller-Campus so
that the Agile Controller-Campus provides unified O&M. You can add CPEs in either of the
following modes:
- Adding CPEs one by one: applies to scenarios where a few devices need to be added.
- Adding CPEs in batches: applies to scenarios where a large number of devices need to be
added.
Mode of adding a device. The following modes are supported:
- ESN: If you have obtained the ESN of a device, add the device in ESN mode.
- Device model: If you have not obtained the ESN of a device, add the device based on its
model. This mode is generally used for pre-configuration. The selected device type must
be consistent with the actual device type.
NOTE
To deploy a cloud site, select the device whose device model is AR1000V when adding a device.
Step 3 Select Manually create from the Addition method drop-down list.
Step 4 Select a mode for adding CPEs. Currently, the following two modes are available. You can
select either one of the following modes based on the actual situation:
- ESN mode
Set Mode to ESN.
- Device model mode
Set Mode to Device Model.
Step 5 On the right of Device information, click Add to set parameters for devices to be added.
The parameters to be set vary with the mode of adding devices. You need to set parameters
according to the actual mode.
- ESN mode
After setting the device ESN and other parameters, click Submit.
----End
Step 3 Select Batch Import from the Addition method drop-down list.
Step 4 Click Template on the right of Upload file to download the template.
Step 6 Fill in and save the template. Enter device information in the template.
The parameters to be set vary with the mode of adding devices. You need to set parameters
according to the actual mode.
- ESN mode: Set parameters including ESN, Device Name, and Description.
- Device model mode: Set parameters including Device Name, Device Model, and
Description.
Step 7 Import the created template. Check the imported data and select the imported devices. Click
OK.
----End
Follow-up Procedure
| Operation | Description | Procedure |
| --- | --- | --- |
| Viewing devices | You can view detailed information about a site. | 1. Choose Device Management > Device List from the main menu. 2. Click different items in the navigation tree on the left to view different device information. |
| Modifying devices | You can modify the device name, ESN, and other device information. | 1. Choose Device Management > Device List from the main menu. 2. Click Modify in the Operation column. |
| Replacing devices | When a device is faulty or obsolete or device upgrade and replacement are required, the tenant administrator can implement device replacement and synchronize old device information to the new device on the Agile Controller-Campus to ensure normal service running. NOTE: The model of the new device for replacement must be consistent with that of the replaced device. | 1. Choose Device Management > Device List from the main menu. 2. Click Replace in the Operation column. |
| Parameter | Description |
| --- | --- |
| Device information: ESN | ESN of a device. It is the unique identifier of a device. You can obtain the ESN from the factory configuration list of the device or run the display esn command to obtain it. |
| Device information: Device Name | Unique name of a device. It is recommended that the site name be included in the device name. If the value is left empty, the device name is the same as the ESN by default. A device name can contain a maximum of 64 characters. |
Context
Global configuration parameters related to a tenant network include:
- Physical network: transmission network, IPSec encryption parameters, device activation
security configuration, link failure detection parameter configuration and routing policy
periodic parameter configuration.
- Virtual network: AS number of BGP routes, IP Pool, and DNS.
- Access credentials: Cloud type, API key, and Secret key.
NOTE
To interconnect the Agile Controller-Campus with the Amazon AWS cloud, you need to configure
access credentials. To interconnect the Agile Controller-Campus with the Huawei public cloud,
access credentials are not required.
Procedure
Step 1 Choose Configuration > Configuration > Global Parameters from the main menu.
Step 2 Click the Physical Network tab and set the global parameters related to the physical network.
1. Configure a transmission network to define a unified transmission network type for
communication between sites on the entire network.
– When the DSVPN tunnel mode is selected, the default transmission networks
provided by the Agile Controller-Campus include LTE, Internet, Internet1, MPLS,
and MPLS1.
– When the EVPN tunnel mode is selected, the default transmission networks
provided by the Agile Controller-Campus include Internet, Internet1, MPLS, and
MPLS1.
If the default transmission networks cannot meet requirements, click Create to create a
transmission network.
2. (Optional) If an IPSec tunnel requires encryption, you need to configure the encryption
mode and password for the IPSec tunnel.
After configuration, all IPSec tunnels requiring encryption use the same encryption mode
and password.
– When the DSVPN tunnel mode is selected, in the IPSec Encryption Parameters
area, configure Encryption algorithm and Pre-shared key.
– When the EVPN tunnel mode is selected, in the IPSec Encryption Parameters,
configure Encryption algorithm.
4. (Optional) To detect link failures of a site, set the link failure detection parameters.
– When the DSVPN tunnel mode is selected, configure Packet sending interval and
Number of detection failures.
– When the EVPN tunnel mode is selected, configure Packet sending interval,
Number of detection failures and Priority of detection packets.
– When the EVPN tunnel mode is selected, configure Switching period and
Flapping suppression.
Step 3 Click the Virtual Network tab and set the global parameters related to the virtual network.
1. Configure parameters for BGP routes.
– When the DSVPN tunnel mode is selected, configure AS number, Keepalive and
Hold time.
2. Configure reserved addresses. You can configure different address pool segments for
different network segment scales.
– When the DSVPN tunnel mode is selected, in the IP Pool area, set Network scale
and IP pool.
– When the EVPN tunnel mode is selected, in the IP Pool area, set IP pool.
Step 4 Click the Access Key tab and set global parameters for deploying a public cloud site.
1. Click Create and configure Cloud Type, API key, and Secret key.
2. Click OK.
Step 5 Click Apply Changes.
----End
| Parameter | Description |
| --- | --- |
| Device Activation Security Settings: URL encryption key | Key for encrypting the URL in a deployment email. Email-based deployment will be successful only after you click the URL in the received email on your PC and enter this key. |
| Token validity period (day) | Validity period for a device to register its ESN with the Agile Controller-Campus. The timer starts once a deployment email is sent. If the device ESN is not obtained, the device is added to the Agile Controller-Campus based on the device model. After a site is created and a deployment email is sent, the device checks whether the token is valid. If so, the device registers its ESN with the Agile Controller-Campus. |
| AS number | Local AS number. Under the same tenant account, the sites that are deployed using the Agile Controller-Campus belong to the same AS. |
| DNS: DNS Server Group Name | Domain Name System (DNS) used for domain name resolution. The DNS server is usually deployed on a public network. A maximum of 16 DNS groups can be configured for a tenant, and each group can be configured with a maximum of six DNS server IP addresses. |
If you configure the same transmission network for physical links, link interworking can be
implemented. This is because, after the same transmission network is configured, the Agile
Controller-Campus generates logical links for physical links of the same type between parent
and child site devices, implementing site interconnection.
Prerequisites
Global parameters of sites have been configured. For details, see 1.8.3.2 Setting Global
Parameters.
Procedure
Step 1 Choose Configuration > Site > Template from the main menu.
Step 4 Set Template name to the name of the site template to be created.
Step 5 Set Gateway to the gateway type.
Step 6 In the WAN Link area, click Create to create a link between the gateway and WAN.
The parameters that need to be set for the link between the gateway and WAN include the
name, device, port, transmission network of the WAN link, and link role. Multiple WAN links
can be created for each gateway.
At most three links can be created for a single gateway, and at most six links can be created
for dual gateways.
NOTE
Once being configured, all WAN link information (for example, the port and transmission network)
cannot be modified during site creation. Ensure that the WAN link configuration is correct.
Step 7 If Gateway is set to Dual gateways, configure the internal link between the dual gateways.
Otherwise, skip this step.
1. If the LAN-side Layer 2 physical interfaces need to be reused for establishing the
internal link between the dual gateways, set Reuse LAN-side L2 interface to .
STP is enabled on CPEs by default. If the internal link uses two Layer 2 physical
interfaces, the two interfaces are added to the same VLAN. If a loop occurs, STP sets
one physical interface to the Block state. In this case, if a user uses this physical interface
on the LAN side, the user traffic may be interrupted. Therefore, the physical interfaces
used by the internal link must be different from those transmitting user service traffic on
the LAN side.
2. Configure reserved VLANs. The internal link between dual gateways needs to use the
reserved VLANs.
3. Click Create, configure the internal link between the dual gateways, and configure the
physical interfaces used by the internal link.
At most two internal links can be created between dual gateways.
----End
| Parameter | Description |
| --- | --- |
| Role | Active or standby link. With active and standby links configured, data travels only along the active link by default. If the active link fails, data moves to the standby link. In the dual-gateway scenario, the role of all WAN links is active by default and cannot be changed. The standby role can be configured only in the single gateway scenario and for only one WAN link, and the active role needs to be configured for at least one WAN link. The site template with the standby link role cannot be selected for a hub site or an aggregation site. |
| Inter-CPE Link: Reuse LAN-side L2 interface | Whether to reuse Layer 2 physical interfaces on the LAN side as the physical interfaces of internal links between two gateways. This parameter is available only when Gateway is set to Dual gateways. If no direct link is configured between two gateways, links on the LAN side need to be reused, and the Agile Controller-Campus creates a logical link for each VPN. If direct links are configured between two gateways, links on the LAN side do not need to be reused. |
Context
In V300R003C10 and later versions, cloud sites can be configured on the Agile Controller-
Campus. The AR1000V virtual devices are deployed on the public cloud and managed by the
Agile Controller-Campus in a unified manner. In this case, the public cloud functions as a
cloud site, and is incorporated into the SD-WAN service for centralized management.
Currently, cloud sites can be deployed only in the DSVPN tunnel mode. In later versions, the
EVPN tunnel mode will support cloud site deployment.
In the DSVPN and EVPN tunnel modes, site configurations vary according to different
definition of site roles.
- In the DSVPN tunnel mode, site roles include hub site, aggregation site, and branch site.
- In the EVPN tunnel mode, site roles include edge site and vRR site.
– Virtual Route Reflector (vRR): A vRR site is an independent CPE. It distributes
EVPN routes between CPEs based on VPN topology policies.
– Edge: An edge site is a WAN-side router. It establishes secure data channels with
multiple remote edge sites.
You can create sites on the Agile Controller-Campus for unified O&M and management.
Either of the following modes is available for you to create a site:
- Creating sites one by one: You can create sites one by one in scenarios where a small
number of sites need to be added.
- Creating sites in batches: You can create sites in batches in scenarios where a large
number of sites need to be added.
Prerequisites
1. Devices have been added to the Agile Controller-Campus. For details, see 1.8.3.1
Adding Devices.
2. Global parameters have been configured. For details, see 1.8.3.2 Setting Global
Parameters.
3. If the default site template provided by the Agile Controller-Campus does not meet the
site networking requirements, you need to create a template. For details, see 1.8.3.3
(Optional) Customizing a Site Template.
Step 2 Click Create to set basic site information on the Site tab page.
Step 4 Configure basic site information. Set Name, Site Type, Role, and Site template.
- DSVPN tunnel mode
NOTE
A cloud site can only be deployed as a branch site, and hub sites and aggregation sites must be
common sites.
Only cloud site templates and AR1000V devices can be selected for cloud sites.
NOTE
An edge site must be configured. If you select a vRR site as well, the vRR is deployed at the edge
site.
Step 6 In the Add Device area, set Device Model and Device ESN(Name) for devices at the site.
----End
Step 2 Click Create to set basic site information on the Site tab page.
Step 5 Open the downloaded site template and set basic site information, including SiteName, Role,
Site template, Address, Floor, and Device Model.
Step 6 In the Upload area, upload the configured site template information.
----End
Follow-up Procedure
| Operation | Description | Procedure |
| --- | --- | --- |
| Modifying a site | A site can be modified only before being activated, but cannot be modified after being activated. | 1. In the Operation column of the site to be modified, click the corresponding icon. 2. Modify the site configuration. 3. Click OK. |
| Deleting a site | A site cannot be deleted in either of the following situations: 1. The site has sub-sites. 2. The site has centralized Internet access policies configured. After you delete a site, related site configuration is deleted from the Agile Controller-Campus. However, the site configuration that has been delivered to devices remains on the devices. You need to click Reset to Deployment State to restore the devices to the deployment state. | 1. In the Operation column of the site to be deleted, click the corresponding icon. 2. Click OK. |
| Parameter | Description |
| --- | --- |
| Name | Site name. It is recommended that you name a site in the format of Site role_Geographical location. A maximum of two hub sites are supported. |
| Hub site role | Role of a hub site. This parameter is available only when Role is set to Hub Site. Currently, the value can be Active or Standby. When dual hub sites are deployed, configure one site as Active and the other as Standby to improve reliability. If all links from a lower-layer site (branch or aggregation site) to the active hub site fail, data between the lower-layer site and the hub sites passes through the links between the lower-layer site and the standby hub site. In a single hub site scenario, you can select only Active but not Standby. |
| Connected with | Parent site of a branch site. This parameter is available only when Role is set to Branch Site. You can select a hub site or an aggregation site as the parent site of a branch site. |
| Site template | Site template. Select a configured site template to define the gateway type, number of WAN links, and WAN type for a site. If the configured site template cannot meet the requirements, choose Template > Site Template and create a site template. |
| WAN Link | WAN link configured in the site template, which cannot be modified. |
| Postcode | Postal code of a site, for example, 100000 in China, 951-8073 in Japan, 22162-1010 in the USA, and DN16 9AA in the UK. |
| Add Device: Device Model | Device model of the gateway at a site. Only the model of a device in the device list can be selected. |
| Add Device: Device ESN (Name) | ESN and name of the gateway at a site. Only the ESN and name of a device in the device list can be selected. |
Context
In the EVPN tunnel mode, an edge site needs to be associated with a vRR. Skip this section if
the DSVPN tunnel mode is configured.
All vRRs in a vRR group are interconnected in Full-Mesh mode by default. It is
recommended that vRRs be deployed in different geographical areas.
When associating an edge site with a vRR, adhere to the following rules:
1. An edge site can be associated with a maximum of two vRRs. If two vRRs are associated
with an edge site, it is recommended that one vRR be deployed in the same physical area
with the edge site to decrease delay, and the other vRR be deployed in another physical
area to ensure service reliability through geographic redundancy.
2. One vRR can manage multiple edge sites, and the number of edge sites associated with
each vRR should be balanced.
Procedure
Step 1 Choose Configuration > Site > Site from the main menu.
Step 2 Click Connect to vRR, and the Connect to vRR page is displayed.
Step 4 On the Connect page, select the vRR to be associated with the edge site. Click Detect.
----End
Context
Table 1-38 lists the possible statuses of a site after the site is created based on a template.
| Status | Description |
| --- | --- |
| Configuration status | Whether the WAN-side links of the site have been configured. The icon indicates Unconfigured or Configured. |
| Activation status | Whether a deployment email has been sent to the site gateway. The icon indicates Inactivated or Activated. |
Prerequisites
Sites have been added successfully. For details, see 1.8.3.4 Creating a Site.
Procedure
Step 1 Choose Configuration > Site > ZTP Configuration from the main menu.
Step 2 Select a site at which you need to configure the network access mode.
2. Click on the left of the site template to display sites that use the same template.
3. Click a site at which you need to configure the network access mode.
Step 3 Configure the WAN-side links for the site.
1. Click the WAN Link tab.
NOTE
For a cloud site in DSVPN tunnel mode, only the uplink bandwidth and downlink bandwidth need
to be configured. Use the default values for other parameters.
4. Click OK.
5. Click Apply Changes.
6. After WAN links are configured, the icon on the right of the site is displayed as .
Step 4 (Optional) Configure cloud resources for cloud sites.
1. Set Cloud type and Deployment type.
– If Cloud type is set to Amazon AWS:
ii. Click Apply Changes. In the dialog box that is displayed, a message is
displayed, indicating that the Host VPC is deployed successfully.
iii. Click View Configuration.
iv. On the Configure Virtual Router page that is displayed, click Copy to copy
the content of the configuration file.
v. Log in to the Huawei cloud, and deliver the copied configuration file to the
AR1000V deployed on the cloud.
----End
| Parameter | Description |
| --- | --- |
| Link name | Name of a WAN link. If a WAN link is created using the default site template, the link name is Internet or MPLS. If a WAN link is created using a customized site template, the link name is specified when the template is created. The parameter value cannot be changed. |
| VPN instance | VPN instance. When you deploy an SD-WAN site using Agile Controller-Campus 2.0, you do not need to set VPN instance names on the GUI. By default, the VPN instance name is automatically set to underlay_Internet or underlay_MPLS, while in Agile Controller-Campus 3.0 the VPN instance name is automatically set to a value such as underlay_1 or underlay_2. To take over the existing SD-WAN sites on the live network and avoid redeployment after the upgrade of the Agile Controller-Campus, you need to configure VPN instances to be the same as those in Agile Controller-Campus 2.0. You do not need to change VPN instance names for a new site, because the system automatically allocates numbers to these VPN instances. |
Context
When an AR reports performance data, it carries timestamps in packets. If the time on the AR
is set incorrectly, the timestamps carried in the performance data do not reflect the actual time
when the administrator views the device performance data. Therefore, you can configure NTP
on the Agile Controller-Campus to synchronize the time among devices.
In the DSVPN tunnel mode, a branch site synchronizes its clock with that of an aggregation
site, the aggregation site synchronizes its clock with that of a hub site, and a hub site
synchronizes its clock with the external clock source. A hub site and an aggregation site can
function as the NTP server or an NTP client. When a cloud site is deployed as a branch site,
clock synchronization is needed.
In the EVPN tunnel mode, an edge site synchronizes its clock with that of a vRR, and a vRR
synchronizes its clock with the external clock source. A vRR can function as an NTP client or
the NTP server.
Procedure
Step 1 Choose Configuration > Site > ZTP Configuration from the main menu.
Step 4 Select a time zone for devices at a site from the Time zone drop-down list.
Step 5 When a site functions as an NTP server, set relevant parameters about the NTP server.
Set parameters including NTP authentication.
Step 6 When a site functions as an NTP client, set relevant parameters about the NTP client.
Set parameters including NTP client mode.
Step 7 Click Apply Changes.
----End
| Category | Parameter | Description |
| --- | --- | --- |
| Configurations of a site when it functions as an NTP server | NTP authentication | Whether to enable a site as an NTP server and enable NTP authentication. On a network that requires high security, NTP identity authentication must be enabled. During authentication, the authentication password and authentication ID configured on the NTP client are matched with those on the NTP server. If they are the same on the NTP client and NTP server, the authentication succeeds. You can configure password authentication between the NTP client and NTP server, so that the NTP client only synchronizes its clock with a successfully authenticated server, improving network security. By default, the system uses the HMAC-SHA256 authentication algorithm, which offers higher security. |
| Configurations of a site when it functions as an NTP client | NTP client mode | Mode in which a site functions as an NTP client. Manual configuration: a site functions as an NTP client and the NTP server needs to be manually specified. In the DSVPN tunnel mode, you are advised to configure a hub site as an NTP client which synchronizes the clock with the NTP server on the public network. In the EVPN tunnel mode, you are advised to configure a vRR as an NTP client and synchronize the clock with the NTP server on the public network. Automatic synchronization with the parent site: a site functions as an NTP client and its parent site functions as the NTP server. This mode is the default setting. In the DSVPN tunnel mode, only aggregation and branch sites support this mode. In the EVPN tunnel mode, edge sites are enabled with this mode by default. Disabled: a site does not function as an NTP client and does not perform clock synchronization. |
Skip this section if you plan to deploy cloud sites. The underlay network configuration is not required
for cloud sites.
Procedure
Step 1 Choose Configuration > Site > Underlay Configuration from the main menu.
Step 3 Click the Basic Info tab and set the parameter indicating whether to enable the FPI function
for devices under the site.
Step 4 Configure WAN interface parameters for a site's underlay network.
1. Click the WAN Interface tab.
The values of Negotiation mode, Uplink bandwidth, and Downlink bandwidth are the same as
those configured in 1.8.3.6 Configuring the Network Access Mode for a Site by default. You
can modify these parameters on this page.
Step 5 (Optional) Configure an Eth-trunk interface for the site if the site is connected to a transport
network through an Eth-trunk interface.
1. Click the Eth-Trunk tab.
2. Click Create and enter basic information about the Eth-Trunk.
3. Click OK.
4. Click Apply Changes.
----End
Parameter Description
Parameter Description
FPI Enable By default, a CPE uses FPI to identify packets received on its WAN
interfaces. The CPE first tries to identify packets using FPI. If the
CPE cannot identify the application to which the packets belong, it
uses DPI for in-depth identification. If FPI is disabled, the CPE uses
DPI directly.
Table 1-42 Parameters on the Set WAN Interface page under the WAN Interface tab page
Parameter Description
Negotiation mode, Media, Duplex, Speed, Uplink bandwidth, Downlink bandwidth: The meanings of these parameters are the same on the ZTP Configuration and Underlay Configuration tab pages. Details about these parameters can be obtained from the ZTP Configuration tab page. The parameters on the Underlay Configuration tab page need to be modified after site deployment.
Parameter Description
Physical interface Physical member interface of an Eth-Trunk. A maximum of eight member interfaces can
be added to an Eth-Trunk. The signal types of all member interfaces must be the same. If
a Layer 2 Eth-Trunk is configured, its member interfaces must be Layer 2 physical
interfaces. If a Layer 3 Eth-Trunk is configured, its member interfaces must be Layer 3
physical interfaces.
Prerequisites
1. Sites have been added successfully. For details, see 1.8.3.4 Creating a Site.
2. Site WAN links have been configured. For details, see 1.8.3.6 Configuring the Network
Access Mode for a Site.
Procedure
Step 1 Choose Configuration > Site > Underlay Configuration from the main menu.
Step 4 On the WAN Route tab, click Click Here to Add WAN-Route.
Step 5 Select OSPF from the Protocol drop-down list and click OK.
Step 6 On the OSPF tab page, click Create and set related parameters.
----End
Parameter Description
Table 1-44 Parameters on the Create OSPF page under the WAN Route tab page
Parameter Description
WAN Link Link with OSPF enabled. If the WAN link is specified, the interface for which OSPF
needs to be enabled is determined accordingly. An interface can be bound with only
one OSPF process.
Common Parameter
Default route advertisement: Whether to advertise the default route to common OSPF areas. After default route advertisement is enabled, the device keeps advertising OSPF default routes.
Default route cost: Cost of an advertised OSPF default route.
Internal preference: Priority of an OSPF route (excluding AS-external routes). A smaller value indicates a higher priority.
ASE preference: Priority of an OSPF AS-external route. A smaller value indicates a higher priority.
Key Key for cipher-text authentication on an interface. This parameter is available only
when the authentication mode is set to Cryptographic.
Password Password for cipher-text authentication. This parameter is available only when the
authentication mode is set to Simple or Cryptographic.
DR Priority Priority of an interface that participates in Designated Router (DR) election. The DR
priority of an interface determines whether the interface participates in DR election.
If the DR priority is 0, the router where the interface is located cannot be elected as a
DR or BDR.
Cost OSPF cost of an interface. The cost specified here will be added to the costs of OSPF
routes learned on the interface.
Route Redistribute
Protocol: Protocol of routes to be redistributed. Static, OSPF, BGP, and direct routes are supported for redistribution.
Process ID: Process ID of the imported OSPF route. This parameter is available only when the protocol is OSPF.
Cost: Cost of an imported route. The value of this parameter will overwrite the cost in the original route.
Routing Policy
Export
Export: Whether to filter routes to be advertised. When an SD-WAN site communicates with a traditional site, OSPF can be used to control access paths. In the scenario where the current SD-WAN site has established a neighboring relationship with a traditional site, you can enable or disable this parameter to control the advertisement of the underlay OSPF routing information. That is, after this parameter is enabled, the site only advertises the routes based on its requirement or the requirement of its neighbor. In this way, the access from the traditional site to LAN-side network segments of the SD-WAN site can be controlled.
IP prefix list: Routing range. You can specify a routing range by setting the following parameters. The parameter values must meet the following conditions: Mask ≤ Greater-equal ≤ Less-equal.
- IP Address/Mask: IP address and mask
- Greater-equal: minimum mask to specify a smaller network segment
- Less-equal: maximum mask to specify a smaller network segment
Cost: Cost of a routing policy, which is used as the cost of the OSPF routes advertised by an interface. This parameter is available only when Filtering type is set to Whitelist.
Import
Import: Whether to filter routes to be received. When an SD-WAN site communicates with a traditional site, OSPF can be used to control access paths. In the scenario where the current SD-WAN site has established a neighboring relationship with a traditional site, you can enable or disable this parameter to control the reception of the underlay OSPF routing information. That is, after this parameter is enabled, the site only receives the routes based on its requirement. In this way, the access from the SD-WAN site to LAN-side network segments of the traditional site can be controlled.
IP prefix list: Routing range. You can specify a routing range by setting the following parameters. The parameter values must meet the following conditions: Mask ≤ Greater-equal ≤ Less-equal.
- IP Address/Mask: IP address and mask
- Greater-equal: minimum mask to specify a smaller network segment
- Less-equal: maximum mask to specify a smaller network segment
Filtering type: Mode for filtering OSPF routes to be received from the underlay network:
- Blacklist: The site is allowed to receive only OSPF routes not in the network segment specified by IP prefix list.
- Whitelist: The site is allowed to receive only OSPF routes in the network segment specified by IP prefix list.
Procedure
Step 1 Choose Configuration > Site > Underlay Configuration from the main menu.
Step 4 On the WAN Route tab, click Click Here to Add WAN-Route.
Step 5 Select BGP from the Protocol drop-down list and click OK.
Step 6 On the BGP tab page, click Create and set related parameters.
----End
Parameter Description
Table 1-45 Parameters on the BGP page under the WAN Route tab page
Parameter Description
Advanced Settings
External preference: Priority of EBGP routes. You can set different priorities for different devices. For a dual-gateway site, you can specify a separate EBGP route priority for each gateway.
Default route redistribution: Whether to redistribute the default routes in the local IP routing table to the BGP routing table.
Route redistribution: Protocol of routes to be imported. Static and direct routes can be imported.
Aggregation route: Route obtained by summarizing specific routes in the local BGP routing table. The system advertises only the summarized route, and suppresses the advertisement of all specific routes within the summarized route. You can specify IP addresses and masks of multiple summarized routes.
Table 1-46 Parameters on the Create BGP page under the WAN Route tab page
Parameter Description
Peer IP IP address of the peer device. In most cases, a BGP peer relationship is
established between the current SD-WAN site and a traditional site.
Local AS Fake AS number of the local device. Typically, a device supports only
one BGP process. That is, a device supports only one AS number. In
some special cases, for example, when AS numbers need to be changed
in the network migration scenario, you can set a fake AS number for a
specified peer to ensure successful network migration.
If this parameter is left empty, the AS number in the global
configuration is used by default.
Keepalive time (s) Interval for sending Keepalive packets to the peer. After establishing a
BGP connection, two peers periodically send Keepalive messages to
each other to detect the status of the BGP connection. If a device
receives no Keepalive message or any other type of packet from its
peer within the hold time, the device considers the BGP connection
terminated and closes the BGP connection.
Hold time (s) Hold time. The hold time should be at least three times the Keepalive
time.
MD5 encrypt Whether to use MD5 authentication between BGP peers. If this
parameter is enabled, you need to enter the password in cipher-text.
Routing Policy
Export
Export: Whether to filter routes to be advertised. When an SD-WAN site communicates with a traditional site, BGP can be used to control access paths. In the scenario where the current SD-WAN site has established a neighboring relationship with a traditional site, you can enable or disable this parameter to control the advertisement of the underlay OSPF routing information. That is, after this parameter is enabled, the site only advertises the routes based on its requirement or the requirement of its neighbor. In this way, the access from the traditional site to LAN-side network segments of the SD-WAN site can be controlled.
IP prefix list: Routing range. You can specify a routing range by setting the following parameters. The parameter values must meet the following conditions: Mask ≤ Greater-equal ≤ Less-equal.
- IP Address/Mask: IP address and mask
- Greater-equal: minimum mask to specify a smaller network segment
- Less-equal: maximum mask to specify a smaller network segment
Apply
Filtering type: Mode for filtering BGP routes advertised to the underlay network:
- Blacklist: The site is allowed to advertise only BGP routes not in the network segment specified by IP prefix list.
- Whitelist: The site is allowed to advertise only BGP routes in the network segment specified by IP prefix list.
Import
IP prefix list: Routing range. You can specify a routing range by setting the following parameters. The parameter values must meet the following conditions: Mask ≤ Greater-equal ≤ Less-equal.
- IP Address/Mask: IP address and mask
- Greater-equal: minimum mask to specify a smaller network segment
- Less-equal: maximum mask to specify a smaller network segment
Apply
Filtering type: Mode for filtering BGP routes to be received from the underlay network:
- Blacklist: The site is allowed to receive only BGP routes not in the network segment specified by IP prefix list.
- Whitelist: The site is allowed to receive only BGP routes in the network segment specified by IP prefix list.
Procedure
Step 1 Choose Configuration > Site > Underlay Configuration from the main menu.
Step 4 On the WAN Route tab, click Click Here to Add WAN-Route.
Step 5 Select Static from the Protocol drop-down list and click OK.
Step 6 On the Static tab page, click Create and set related parameters.
----End
Parameter Description
Table 1-47 Parameters on the Create Static Routes page under the WAN Route tab page
Parameter Description
Priority Priority of a static route. The value is an integer that ranges from 1 to 255. A smaller
value indicates a higher priority. If you specify the same priority for static routes with the
same destination, load balancing can be implemented among these routes. If you specify
different priorities for multiple static routes with the same destination, backup can be
implemented among these routes.
Next-Hop
Next-hop type: Type of the next hop in a static route. The value black_hole indicates that the packets destined for the destination network segment will be discarded. For example, it can be used to block packets destined for a particular website.
IP address: Next-hop IP address of a static route. This parameter is available only when Next-hop type is set to IP address.
Target: Destination address in an NQA test instance. If a static route is associated with an NQA test instance, only ICMP test instances can be used to check whether there are reachable routes between the source and destination.
Context
Services of multiple departments of an enterprise need to be isolated from each other.
Therefore, multiple SD-WAN overlay networks need to be constructed by using VPNs of
departments.
Procedure
Step 1 Choose Configuration > Overlay Network > VPN from the main menu.
Step 4 In the Sites area, select the site to which the department belongs, including common sites and
cloud sites.
NOTE
----End
Context
Currently, there are four typical topology models for interconnection between sites. In the
DSVPN tunnel mode, only the Hub-Spoke and Full-Mesh topology models are supported. In
the EVPN tunnel mode, all four models are supported.
- Hub-Spoke: This model is applicable to scenarios where mutual access traffic between all branch sites of an enterprise must pass through the headquarters site for centralized security monitoring.
- Full-Mesh: This model is applicable to scenarios where all sites of an enterprise need to directly access each other. This model eliminates the delay of traffic transmission through the headquarters site.
- Hierarchical topology: This model is applicable to large-scale multi-area enterprise networks, on which enterprise sites are connected to each other through a hub area and sites in different areas access each other through this hub area.
- Partial-Mesh: This model is applicable to scenarios where most sites of an enterprise need to directly access each other, while some other sites need to communicate with each other through a third site.
NOTE
In the DSVPN tunnel mode, the topology model can be configured only at hub sites or aggregation sites.
In the EVPN tunnel mode, only edge sites are included in the topology planning. A vRR is a route
reflector and is not included in the overlay topology planning.
Step 3 Click the Basic tab, and configure the topology model.
----End
- In the Full-Mesh topology model, a branch site must be configured, and you can choose to configure a redirect site or not.
NOTE
iii. (Optional) Enable the area interconnection function and configure the
relationship between edge sites and other sites.
b. Enable Area interconnection, that is, the interconnection mode of edge sites in
each area.
----End
Parameter Description
Table 1-48 Parameters on the Topology tab page in the EVPN tunnel mode
Parameter Description
Context
A VPC needs to be configured only for Amazon AWS cloud sites. It is not required for
Huawei cloud sites and common sites.
Procedure
Step 1 Choose Configuration > Overlay Network > Site Configuration from the main menu.
Step 5 In the Select SpokeVPC dialog box that is displayed, select the Spoke VPC to be connected
to the Transit VPC, and click OK.
----End
Parameter Description
Table 1-49 Parameters on the Spoke VPC page under the WAN Route tab page.
Parameter Description
Display default VPC The default VPC is the Spoke VPC allocated by the
Amazon AWS cloud after a user registers with the
Amazon AWS cloud.
Context
Huawei public cloud sites and common sites support the configuration of LAN-side interfaces
at Layer 3. Amazon AWS cloud sites do not support this function.
Procedure
Step 1 Choose Configuration > Overlay Network > Site Configuration from the main menu.
NOTE
Step 7 Click the Maintenance > Maintenance >IP Resources tab to view the configuration result.
A Lan_Access Link is added to the corresponding site and VPN.
----End
Parameter Description
Table 1-50 Parameters on the Create L3 Interface page under the L3 Interface tab page
Parameter Description
DHCP type: DHCP type. After DHCP is enabled, you need to set the DHCP type of the CPE. The following DHCP types are supported:
- Server: A CPE functions as a DHCP server and allocates network parameters to DHCP clients. The IP addresses allocated by the DHCP server to DHCP clients are obtained from the IP address pool and secondary IP address pool.
- Relay: A CPE functions as a DHCP relay agent to exchange DHCP messages between a DHCP server and DHCP clients and help the DHCP server to dynamically allocate network parameters to DHCP clients. A DHCP relay agent is required in scenarios where multiple network segments need to be planned for an enterprise network and terminals need to automatically obtain network parameters (such as IP addresses) through DHCP. In this way, terminals in different network segments can share the DHCP server, saving server resources and facilitating unified management.
Preempt delay (s) Delay for the backup device to preempt the role of the
master device.
You are advised to set the preemption delay of the
backup device in a VRRP group to 0, and set the
preemption delay of the master device to a value
longer than 15 seconds. These settings ensure that
there is enough time for the uplinks and downlinks on
the master and backup devices in a VRRP group to
synchronize their statuses on an unstable network. If
the preceding settings are not used, user devices may
learn an incorrect master address due to frequent
preemption, interrupting traffic.
Trust mode Type of a security zone. The options are Trust and
Untrust.
VPN VPN name, which is configured on the Overlay Network > VPN page.
VRF Instance: Name of the VRF instance to which the interface IP address belongs.
- Name of the VRF instance to which Underlay Link belongs. It is the VPN instance specified in ZTP configuration.
- System Link belongs to the default VPN and its VRF instance name is public.
- Other types of IP addresses are related to the overlay network. Each VRF instance name maps a VPN name.
Context
Only common sites support the configuration of LAN-side interfaces. Huawei public cloud
sites and Amazon AWS cloud sites do not support this function.
Procedure
Step 1 Choose Configuration > Overlay Network > Site Configuration from the main menu.
In a dual-gateway scenario, if the internal link between the dual gateways uses two LAN-side
Layer 2 physical interfaces, when configuring a VLAN, ensure that the physical interfaces
used by the internal link are different from those transmitting user service traffic on the LAN
side. This is because STP is enabled on CPEs by default, and when the internal link uses two
Layer 2 physical interfaces, the interfaces are added to the same VLAN. If a loop occurs, STP
sets one physical interface to the Block state. At this time, if a user uses this physical interface
on the LAN side, the user traffic may be interrupted.
Step 7 Click the Maintenance > Maintenance > IP Resources tab to view the configuration result.
A Lan_Access Link is added to the corresponding site and VPN.
----End
Parameter Description
Table 1-52 Parameters on the Create VLAN page under the VLAN tab page
Parameter Description
DHCP parameters
Server IP: IP address of the DHCP server served by the DHCP relay agent. This parameter is available only when DHCP type is Relay. Each interface with DHCP relay enabled can have a maximum of eight DHCP server addresses.
VRRP
VRRP: Whether to enable VRRP. VRRP can be configured only for dual-gateway sites. After VRRP is enabled, the two gateways are virtualized into one device. After a VRRP group is configured, traffic is forwarded through the master device in normal circumstances. If the master device fails, traffic is switched quickly to the backup device, implementing gateway redundancy.
Preempt Delay for the backup device to preempt the role of the
delay (s) master device.
Trust mode Type of a security zone. The options are Trust and Untrust.
VPN VPN name, which is configured on the Overlay Network > VPN page.
VRF Instance: Name of the VRF instance to which the interface IP address belongs.
- Name of the VRF instance to which Underlay Link belongs. It is the VPN instance specified in ZTP configuration.
- System Link belongs to the default VPN and its VRF instance name is public.
- Other types of IP addresses are related to the overlay network. Each VRF instance name maps a VPN name.
Context
Currently, only common sites can be accessed by terminals through the WLAN on the LAN
side. Cloud sites do not support this function.
Procedure
Step 1 Choose Configuration > Overlay Network > Site Configuration from the main menu.
----End
Parameter Description
Table 1-54 Parameters on the Create WLAN page under the WLAN tab page
Parameter Description
Effective radio Frequency band over which radio signals of a WLAN are
transmitted.
DHCP type: DHCP type. After DHCP is enabled, you need to set the DHCP type of the CPE. The following DHCP types are supported:
- Server: A CPE functions as a DHCP server and allocates network parameters to DHCP clients.
- Relay: A CPE functions as a DHCP relay agent to exchange DHCP messages between a DHCP server and DHCP clients and help the DHCP server to dynamically allocate network parameters to DHCP clients. A DHCP relay agent is required in scenarios where multiple network segments need to be planned for an enterprise network and terminals need to automatically obtain network parameters (such as IP addresses) through DHCP. In this way, terminals in different network segments can share the DHCP server, saving server resources and facilitating unified management.
DHCP parameters
Server IP: IP address of the DHCP server served by the DHCP relay agent. This parameter is available only when DHCP type is Relay. Each interface with DHCP relay enabled can have a maximum of eight DHCP server addresses.
Security Authentication
Encryption mode: Encryption mode. The options of this parameter are as follows:
- WPA1: WPA1 authentication is used.
- WPA2: WPA2 authentication is used.
Advanced Settings
Hide SSID: Whether to hide an SSID. If this parameter is enabled for an SSID, new users cannot detect the SSID. Only wireless users who know the SSID name can connect to the WLAN.
Context
LAN-side static routes can be configured for Huawei public cloud sites and common sites.
Amazon AWS cloud sites do not support this function.
Procedure
Step 1 Choose Configuration > Overlay Network > Site Configuration from the main menu.
Step 4 Click the LAN-Route tab and then click Click Here to Add LAN-Route.
Step 5 Select Static from the Protocol drop-down list and click OK.
Step 6 Click Create. On the Create Static Routes tab page, set static route parameters.
----End
Parameter Description
Table 1-55 Parameters on the Create Static Routes page under the LAN Route tab page
Parameter Description
Priority Priority of a static route. The value is an integer that ranges from 1 to
255. A smaller value indicates a higher priority. If you specify the same
priority for static routes with the same destination, load balancing can be
implemented among these routes. If you specify different priorities for
multiple static routes with the same destination, backup can be
implemented among these routes.
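The following is an added example, not code from the Huawei guide, that works through the Priority semantics shared by Table 1-47 and Table 1-55 above: routes to the same destination with the same priority are load-balanced, routes with different priorities act as active and backup, and a black_hole next hop (Table 1-47) discards the traffic. Route values are constructed, and the rule that a black_hole route among equally preferred routes wins is an assumption made for the example.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional


class StaticRoute(NamedTuple):
    destination: str            # destination address/mask, e.g. "10.20.0.0/16"
    priority: int               # 1 to 255, smaller value wins
    next_hop_type: str          # "IP address" or "black_hole" (names from the page)
    next_hop: Optional[str] = None


def validate(route: StaticRoute) -> None:
    """Reject values the page rules out."""
    if not 1 <= route.priority <= 255:
        raise ValueError("Priority must be an integer from 1 to 255")
    if route.next_hop_type not in ("IP address", "black_hole"):
        raise ValueError(f"unsupported Next-hop type {route.next_hop_type!r}")
    if route.next_hop_type == "IP address" and not route.next_hop:
        raise ValueError("Next-hop type IP address requires a next-hop IP address")


def active_routes(routes: List[StaticRoute]) -> Dict[str, List[StaticRoute]]:
    """Per destination, keep every route that has the best (smallest) priority.
    Several routes at that priority -> load balancing; the rest are backups."""
    by_dest: Dict[str, List[StaticRoute]] = defaultdict(list)
    for route in routes:
        validate(route)
        by_dest[route.destination].append(route)
    active: Dict[str, List[StaticRoute]] = {}
    for dest, candidates in by_dest.items():
        best = min(r.priority for r in candidates)
        active[dest] = [r for r in candidates if r.priority == best]
    return active


def forward(active: Dict[str, List[StaticRoute]], destination: str) -> str:
    """Describe what the forwarding table does with traffic to `destination`."""
    routes = active.get(destination)
    if not routes:
        return "no route"
    # Assumption for this example: a black_hole route among the active ones wins,
    # so the traffic is discarded rather than forwarded.
    if any(r.next_hop_type == "black_hole" for r in routes):
        return "discard"
    hops = sorted(r.next_hop for r in routes)
    if len(hops) == 1:
        return "via " + hops[0]
    return "load-balance over " + ",".join(hops)
```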
Context
Currently, only common sites support the configuration of OSPF routes on the LAN side.
Cloud sites do not support this function.
Procedure
Step 1 Choose Configuration > Overlay Network > Site Configuration from the main menu.
Step 4 Click the LAN-Route tab and then click Click Here to Add LAN-Route.
Step 5 Select OSPF from the Protocol drop-down list and click OK.
Step 6 Click Create. On the Create OSPF tab page, set OSPF parameters.
----End
Parameter Description
Table 1-56 Parameters on the Create OSPF page under the LAN Route tab page
Parameter Description
Common Parameter
Default route advertisement: Whether to advertise the default route to common OSPF areas. After default route advertisement is enabled, the device keeps advertising OSPF default routes.
Cost OSPF cost of an interface. The cost specified here will be added to
the costs of OSPF routes learned on the interface.
Cost Cost of an imported route. The value of this parameter will overwrite
the cost in the original route.
Router Filter
Export filter
Mode: Mode for filtering OSPF routes to be advertised to the LAN:
- Blacklist: The site is allowed to advertise only OSPF routes not in the network segment specified by Filter IP.
- Whitelist: The site is allowed to advertise only OSPF routes in the network segment specified by Filter IP.
Filter IP: Routing range. You can specify a routing range by setting the following parameters. The parameter values must meet the following conditions: Mask ≤ Greater-equal ≤ Less-equal.
- IP Address/Mask: IP address and mask
- Greater-equal: minimum mask to specify a smaller network segment
- Less-equal: maximum mask to specify a smaller network segment
Import filter
Mode: Mode for filtering OSPF routes to be received from the LAN:
- Blacklist: The site is allowed to receive only OSPF routes not in the network segment specified by Filter IP.
- Whitelist: The site is allowed to receive only OSPF routes in the network segment specified by Filter IP.
Filter IP: Routing range. You can specify a routing range by setting the following parameters. The parameter values must meet the following conditions: Mask ≤ Greater-equal ≤ Less-equal.
- IP Address/Mask: IP address and mask
- Greater-equal: minimum mask to specify a smaller network segment
- Less-equal: maximum mask to specify a smaller network segment
Context
Currently, only common sites support the configuration of BGP routes on the LAN side.
Cloud sites do not support this function.
Procedure
Step 1 Choose Configuration > Overlay Network > Site Configuration from the main menu.
Step 4 Click the LAN-Route tab and then click Click Here to Add LAN-Route.
Step 5 Select BGP from the Protocol drop-down list and click OK.
Step 7 Click Create. On the Create BGP tab page, set BGP parameters.
----End
Parameter Description
Table 1-57 Parameters on the BGP page under the LAN Route tab page
Parameter Description
Advanced Settings
External preference: Priority of EBGP routes. You can set different priorities for different devices. For a dual-gateway site, you can specify a separate EBGP route priority for each gateway.
Default route redistribution: Whether to redistribute the default routes in the local IP routing table to the BGP routing table.
Table 1-58 Parameters on the Create BGP page under the LAN Route tab page
Parameter Description
Keepalive time (s) Interval for sending Keepalive packets to the peer. After
establishing a BGP connection, two peers periodically
send Keepalive messages to each other to detect the status
of the BGP connection. If a device receives no Keepalive
message or any other type of packet from its peer within
the hold time, the device considers the BGP connection
terminated and closes the BGP connection.
Hold time (s) Hold time. The hold time should be at least three times the
Keepalive time.
Apply
Filtering type: Mode for filtering BGP routes to be received from the LAN:
Context
After the overlay network is configured, the system automatically deploys the BGP control
protocol between sites to advertise routes on the overlay network. Both common sites and
cloud sites support the configuration of WAN-side BGP routes.
Procedure
Step 1 Choose Configuration > Overlay Network > Site Configuration from the main menu.
Step 4 Click the WAN-Route tab and then click the BGP tab page.
Step 5 In the Overlay route filter area, set Filter Mode and Filter Address for the overlay routes.
----End
Parameter Description
Table 1-59 Parameters on the BGP page under the WAN Route tab page
Parameter Description
Filtered Addresses
IP Address/Mask, Greater-equal, Less-equal: Routing range. You can specify a routing range by setting the following parameters. The parameter values must meet the following conditions: Mask ≤ Greater-equal ≤ Less-equal.
- IP Address/Mask: IP address and mask
- Greater-equal: minimum mask to specify a smaller network segment
- Less-equal: maximum mask to specify a smaller network segment
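The following is an added example, not code from the Huawei guide, covering the IP prefix list and Filtering type rows that recur in Tables 1-44, 1-45, 1-56 and 1-59: it enforces the page's constraint Mask ≤ Greater-equal ≤ Less-equal when an entry is created, and applies Whitelist or Blacklist mode to a constructed set of candidate routes. The matching rule (a route matches an entry when it lies inside the entry's network and its mask length falls between Greater-equal and Less-equal) is the usual ip-prefix semantics and is an assumption here.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class PrefixEntry:
    """One IP prefix list entry: IP Address/Mask, Greater-equal, Less-equal."""
    network: str
    greater_equal: int
    less_equal: int

    def __post_init__(self) -> None:
        net = ipaddress.ip_network(self.network, strict=False)
        # The page's constraint: Mask <= Greater-equal <= Less-equal
        # (and Less-equal cannot exceed the address length).
        if not net.prefixlen <= self.greater_equal <= self.less_equal <= net.max_prefixlen:
            raise ValueError(
                f"{self.network} ge={self.greater_equal} le={self.less_equal}: "
                "need Mask <= Greater-equal <= Less-equal")

    def matches(self, route: str) -> bool:
        """Assumed ip-prefix semantics: the route lies inside the entry's network
        and its mask length is within [Greater-equal, Less-equal]."""
        net = ipaddress.ip_network(self.network, strict=False)
        r = ipaddress.ip_network(route, strict=False)
        if r.version != net.version:
            return False
        return r.subnet_of(net) and self.greater_equal <= r.prefixlen <= self.less_equal


def filter_routes(routes: Iterable[str], entries: List[PrefixEntry],
                  filtering_type: str) -> Tuple[List[str], List[str]]:
    """Apply the page's Filtering type. Whitelist keeps only routes that match an
    entry; Blacklist keeps only routes that match none. Returns (kept, dropped)."""
    if filtering_type not in ("Whitelist", "Blacklist"):
        raise ValueError("Filtering type must be Whitelist or Blacklist")
    kept: List[str] = []
    dropped: List[str] = []
    for route in routes:
        hit = any(entry.matches(route) for entry in entries)
        keep = hit if filtering_type == "Whitelist" else not hit
        (kept if keep else dropped).append(route)
    return kept, dropped
```

Note that the same entry accepts 10.1.0.0/16 but not 10.0.0.0/8 or 10.1.2.0/25 when Greater-equal is 16 and Less-equal is 24, which is why the two bounds matter as much as the network itself.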
Context
Currently, only common sites support the configuration of static routes on the WAN side.
Cloud sites do not support this function.
Prerequisites
1. A site template where a standby link is configured has been created. The following is an
example. When creating a site template, set Gateway to Single Gateway, and set the
role of a WAN link to Standby.
2. A site containing a standby link has been created. Create a site based on the site template
where a standby link is configured.
3. A site containing a standby link has been activated.
Procedure
Step 1 Choose Configuration > Overlay Network > Site Configuration from the main menu.
Step 4 Click the WAN-Route tab and then click the Static tab page.
Step 5 In the Create Static Routes area, set static route parameters.
----End
Parameter Description
Table 1-60 Parameters on the Create Static Routes page under the WAN Route tab page
Parameter Description
Priority This parameter indicates the priority of a static route. The value is an
integer that ranges from 1 to 255, and a smaller value indicates a higher
priority.
Destination This parameter indicates the destination IP address and mask of a static
address/mask route.
Next-hop
Next-hop type: Only the site type is supported. Generally, static routes configured on the WAN-Route tab page are applied when both the current site and next-hop site are of the standby type and the traffic destination is the LAN of the next-hop site. You can specify a static route on the WAN-Route tab page to ensure that data traffic can be forwarded over the standby link if the active link fails.
Context
The overlay network traffic is allocated to each VPN based on physical interface bandwidth, that is, the uplink and downlink bandwidth specified for WAN interfaces. Then, a certain proportion of bandwidth can be allocated to transmit traffic of each service in each department. For example, users can configure the proportion of bandwidth used to transmit Internet access traffic, and the QoS bandwidth policy is defined based on applications. The bandwidth that can be allocated to transmit service traffic is the department bandwidth.
Prerequisites
1. A site has been created. For details, see 1.8.3.4 Creating a Site.
2. A VPN has been configured. For details, see 1.8.3.9.1 Configuring a VPN.
Procedure
Step 1 Choose Configuration > Overlay Network > Traffic Distribution from the main menu.
Step 3 On the Config Policy tab, set the traffic value for each VPN.
----End
Prerequisites
- WAN-side underlay routes have been configured. For details, see 1.8.3.8.2 Configuring Underlay Routes (OSPF).
- The overlay network has been created. For details, see 1.8.3.9 Creating an Overlay Network.
Procedure
Step 1 Choose Maintenance > Provisioning Result.
Step 3 Click the By Site tab. Check whether the WAN-side underlay route configuration is
successfully delivered to devices.
If Succeeded is displayed in the Status column for all records, the site deployment is
successful.
NOTE
After the WAN-side underlay routes are configured, the Agile Controller-Campus delivers the site
configuration data to CPEs. If the network flaps during the configuration data delivery, data loss may
occur on the delivered configuration. In this case, you are advised to click Redeploy to re-deliver the
configuration data to the CPEs.
Step 4 Click the By VPN tab. Check whether the Overlay network configuration is successfully
delivered to devices.
In the navigation tree on the left, click the department where the overlay network is deployed
and check the overlay network configuration result in the area on the right. If Succeeded is
displayed in the Status column for all records, the overlay network deployment is successful.
NOTE
After the overlay network is configured, the Agile Controller-Campus delivers the site configuration
data to CPEs. If the network flaps during the configuration data delivery, data loss may occur on the
delivered configuration. In this case, you are advised to click Redeploy to re-deliver the configuration
data to the CPEs.
The following options of Status are available:
l Alarm: An internal system error occurs. In this case, contact technical support personnel.
l Preconfigured: The configuration data in the Agile Controller-Campus is not delivered to the site.
The devices at the site are offline.
l Configuring: The delivery of the configuration data in the Agile Controller-Campus to site devices
is in progress.
l Failed: The configuration data in the Agile Controller-Campus fails to be delivered to the site.
l Succeeded: The configuration data in the Agile Controller-Campus is successfully delivered to the
site.
If Succeeded is not displayed in the Status column, you are advised to perform operations
according to Service Configuration in the Troubleshooting Guide.
----End
The Agile Controller-Campus provides a default email template named Enterprise AR PDT.
If the default email template can meet the requirements or the email-based deployment
scenario is not involved, you can skip this section. Otherwise, you can customize an email
template.
Procedure
Step 1 Choose Configuration > Site > Template from the main menu.
In normal cases, you only need to set Email Template, Subject, and Content. You can modify other parameters based on actual needs.
----End
Parameter Description
Content: Body of a deployment email. You are advised to change the default settings only when required.
To add a fixed field to a deployment email, click the label of the target field:
l Site Name: specifies a site name.
l Device Name: specifies a device name.
l Device ESN: specifies the ESN of a device.
l Link Information: indicates information about an interface for network connection.
NOTE
The preceding fields are only displayed in the deployment email body, and they do not affect the information in the URL of the deployment configuration page in the email.
Parameter Description
Recipients: Recipient list. If a template is selected for a deployment email, the recipients of the deployment email are automatically set to those in the template. The recipients can be changed in the deployment email.
To guarantee deployment success, ensure that CPEs use factory settings. If CPEs have other
configurations, the deployment will fail.
Prerequisites
1. The ESN that already exists in the device list cannot be the same as the ESN of the
device added by device model.
2. You have obtained the following tools before performing email-based deployment:
Tool Description
Procedure
Step 1 Check the device status.
1. On the Agile Controller-Campus, choose Device Management > Device Management
> Device List from the main menu.
2. The Status column of the devices is displayed as Unregistered.
a. Click Select Site and select a site based on the site role or the site template.
b. In the Available Sites area, select a site to which you want to send a deployment
email.
Step 3 Check all deployment emails and bring them to the customer site.
Step 4 Install the CPE at the customer site and perform email-based deployment. Only two methods
are supported currently. Select one of them based on the site situation.
l Wired deployment mode
a. Complete the CPE installation and cable connection, and power the CPE on.
b. Configure an IP address in the same network segment as 192.168.1.1 (such as
192.168.1.2) for the network interface connecting to the PC. Use a network cable to
connect the PC to the management interface of the CPE.
NOTE
Values of parameters in the Check Parameters area need to be changed only when a data
error occurs. Never change them if no data error occurs.
2. Choose Device Management > Device List on the main menu of the Agile Controller-
Campus. Find the CPEs deployed through email-based deployment and check their
status.
a. (Optional) If Mode is set to Device Model when adding a device, check whether
the ESN of the device has been identified. Otherwise, skip this step.
b. If Status is Normal, the device has registered with the Agile Controller-Campus
and goes online.
----End
Context
USB-based deployment enables CPEs to connect to the WAN, register with the SD-
WAN@AC-Campus, and go online. Skip operations in this section if USB-based deployment
is not used. Common sites in the DSVPN tunnel mode along with edge sites and vRR sites in
the EVPN tunnel mode need to be deployed.
A network administrator sets ZTP parameters on the Agile Controller-Campus GUI, and the
Agile Controller-Campus generates a ZTP file based on the site settings. The ZTP file can be
converted into a configuration file using the IniConverter1.0.exe tool and imported to a USB
flash drive for USB-based deployment.
l If ESNs are bound to the CPEs to be deployed, the ZTP file can be converted into a
configuration file for multiple CPEs. Batch USB-based deployment is supported.
l If no ESN is bound to the CPEs to be deployed, the ZTP file can be converted into a
configuration file for only one CPE. Batch USB-based deployment is not supported.
NOTE
A URL encryption key is contained in the configuration file generated using the tool. To prevent the key
from being leaked, it is strongly recommended that the device administrator use a keystroke encryption
USB drive or fingerprint encryption USB flash drive for deployment. During deployment, keep the USB
flash drive with the deployment configuration file saved secure. After the deployment is complete,
delete the deployment configuration file in a timely manner.
Prerequisites
1. The ZTP settings have been completed. For details, see sections 1.8.3.6 Configuring the
Network Access Mode for a Site and Offline Configuring Site Clock synchronization
(Underlay Network).
2. The IniConverter1.0.exe tool for generating configuration files is available.
Procedure
Step 1 Choose Configuration > Site > ZTP Configuration. On the ZTP Configuration page that is
displayed, click Download ZTP File.
Step 2 In the Download ZTP File dialog box that is displayed, select the site to be deployed and
click .
NOTE
ESNs must have been bound to the devices at the selected site or the tool will fail to generate a
configuration file.
Step 3 Click OK. The system generates the ZTP_xxx.csv file and automatically downloads it to the browser's default download path.
Step 4 Use IniConverter1.0.exe to generate the configuration file.
1. Drag the downloaded ZTP_xxx.csv file onto the IniConverter1.0.exe tool.
2. Set Password to the value of URL encryption key, which has been set on the Global Parameters page.
3. Click Generate ini file, and save the configuration file as ZTP.ini.
Field Description
Step 6 Save the index file USB_AR.ini and configuration file ZTP.ini to the root directory of the
USB flash drive.
Only the AR1600 series supports the steady yellow indicator status.
– If the indicator is blinking green, USB-based deployment is ongoing.
– If the indicator is steady green, USB-based deployment is successful.
– If the indicator is steady red, USB-based deployment fails.
----End
Procedure
Step 1 Choose Maintenance > Provisioning Result > Generate Configuration from the main
menu.
If Succeeded is displayed in the Status column for all records, the configurations are
generated successfully.
NOTE
The Agile Controller-Campus can deliver the configurations to devices only after the configurations have been generated successfully.
Step 3 Click the Deploy to Device tab and check whether policies are successfully delivered to
devices.
1. Click the Deploy to Device tab and then click the By Site tab.
2. If Succeeded is displayed in the Status column for all records, the site deployment is
successful.
NOTE
After email-based deployment, the Agile Controller-Campus will deliver the configuration data of
the site to CPEs. If the network flaps during the configuration data delivery, data loss may occur
on the delivered configuration. In this case, you are advised to click Redeploy to re-deliver the
configuration data to the CPEs.
If Succeeded is not displayed in the Status column, you are advised to perform
operations according to "Service Configuration Delivery Fails (SD-WAN)" in the
Troubleshooting Guide.
----End
Procedure
Step 1 Choose Configuration > Application Management > Predefined Application from the
main menu.
Step 2 In the navigation tree, select SA signature database, and click a category. All predefined
applications in the category are displayed on the right of the page.
NOTE
The SA_H30071000 (6000+) applications in SA signature database can be delivered to devices except
the following: the AR160 and AR160F series including AR161, AR161W, AR161F, AR161FGW-L,
AR161FW, AR168F, AR169F, and AR169FGW-L.
The SA_H30071002 (500+) applications in SA signature database can be delivered to all devices.
Predefined application categories include two types: DPI and FPI.
----End
Context
When predefined applications cannot meet the requirement, you can define a new application
according to characteristics of the application.
Customized applications are identified by either first packet identification or service awareness identification. First packet identification is preferred; if it cannot identify an application, service awareness identification is used. Table 1-63 lists methods of identifying customized applications.
Application that is identified by using the first packet: Triplet: identifies an application based on the server address, protocol type, and fixed port number.
NOTE
l The number of user-defined applications cannot exceed that supported by any device on the tenant
network.
l If an application packet matches rules of multiple customized applications, the customized
application that is delivered first takes effect. That is, the application configured first takes effect.
l In predefined applications, the application signature database does not include applications of
enterprises' self-built servers, such as Outlook and office365 deployed on enterprise self-built
servers. If such applications need to be identified, customized applications need to be configured.
Procedure
Step 1 Choose Configuration > Application Management > Customized Application from the
main menu.
Step 2 Click Create to create a customized application.
Step 4 Select the application group to which the customized application belongs.
Step 5 Click Create and configure rules for the customized application.
----End
Follow-up Procedure
Viewing details about a customized application: You can view the detailed information about a customized application.
1. On the Customized Application tab page, click in the row where you want to view details about a customized application.
2. In the expanded area, view details about the customized application.
Parameter Description
Application group Application group. You can define an application and add
it to an existing application group, or define an application
group and add applications to it.
Prerequisites
A customized application has been created. For details, see 1.8.5.1.2 (Optional) Creating a
Customized Application.
Procedure
Step 1 Choose Configuration > Application Management > Application Group from the main
menu.
Step 2 Click Create.
Step 3 On the Applications Group page, set relevant parameters about the customized application
group.
Set the name of the application group Select SA signature database and add predefined or
customized applications to the application group.
NOTE
The SA_H30071000 (6000+) applications in SA signature database can be delivered to devices except
the following: the AR160 and AR160F series including AR161, AR161W, AR161F, AR161FGW-L,
AR161FW, AR168F, AR169F, and AR169FGW-L.
The SA_H30071002 (500+) applications in SA signature database can be delivered to all devices.
Predefined application categories include two types: DPI and FPI.
----End
Follow-up Procedure
Viewing details about an application group: You can view detailed information about an application group.
1. On the Application Group tab page, click in the row of the application group that you want to view the details.
2. In the expanded area, view details about the application group.
Parameter Description
Prerequisites
An application group has been created. For details, see 1.8.5.1.3 Creating a Customized
Application Group.
Procedure
Step 1 Choose Configuration > Configuration > Traffic Policy from the main menu.
Step 2 Click Traffic Classifier Template. Click Create to create a traffic classifier template.
1. In the Operator area, set the relationship between L3 ACL, Application, and Advance
rules to And or Or.
2. In the L3 ACL area, click Create to define multiple ACL rules. The default action is
permit.
3. In the Application area, select the application to which data flows belong.
4. In the Advance area, set VLAN ID, 8021P, Source MAC, Destination MAC, and L2-
Protocol to classify data flows.
5. Click OK.
----End
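The following Python example is added here and is not code from the Huawei guide or from the Agile Controller-Campus. It models two rules stated above: a customized application identified by using the first packet matches a Triplet (server address, protocol type, fixed port number), and when several customized applications match, the one configured first takes effect; and a traffic classifier template combines its L3 ACL, Application, and Advance rules with a single And/Or operator (for the Advance area only the Start Vlan ID/End Vlan ID range is modelled). The class and function names, the prefix-based L3 ACL, and the sample applications and flows are assumptions.

```python
# Added example (not Huawei's code): a model of first-packet application
# identification by triplet and of traffic classifier template matching.
# Names, data structures and the sample configuration below are assumptions.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    protocol: str                   # "tcp" or "udp"
    dst_port: int
    vlan_id: Optional[int] = None   # outer VLAN tag, if any


@dataclass(frozen=True)
class Triplet:
    """Customized application identified by its first packet: server
    address, protocol type and fixed port number (Table 1-63, Triplet)."""
    name: str
    server: str                     # address or prefix, e.g. "10.20.0.10/32"
    protocol: str
    port: int

    def matches(self, flow: Flow) -> bool:
        return (ip_address(flow.dst_ip) in ip_network(self.server, strict=False)
                and flow.protocol == self.protocol
                and flow.dst_port == self.port)


def identify_application(flow: Flow, customized: List[Triplet]) -> Optional[str]:
    """Return the first configured customized application whose triplet
    matches the flow, or None. `customized` is kept in configuration order:
    when a packet matches several customized applications, the one configured
    (delivered) first takes effect."""
    for app in customized:
        if app.matches(flow):
            return app.name
    return None


@dataclass
class ClassifierTemplate:
    """Traffic classifier template: L3 ACL, Application and Advance rules
    joined by one Operator (And / Or). Areas left empty are not evaluated."""
    operator: str                                     # "And" or "Or"
    l3_acl: List[str] = field(default_factory=list)   # permitted source prefixes
    applications: List[str] = field(default_factory=list)
    start_vlan_id: Optional[int] = None
    end_vlan_id: Optional[int] = None                 # None: Start Vlan ID only

    def matches(self, flow: Flow, app: Optional[str]) -> bool:
        results = []
        if self.l3_acl:
            results.append(any(ip_address(flow.src_ip) in ip_network(p)
                               for p in self.l3_acl))
        if self.applications:
            results.append(app is not None and app in self.applications)
        if self.start_vlan_id is not None:
            end = self.end_vlan_id if self.end_vlan_id is not None else self.start_vlan_id
            results.append(flow.vlan_id is not None
                           and self.start_vlan_id <= flow.vlan_id <= end)
        if not results:                 # an empty template classifies nothing
            return False
        return all(results) if self.operator == "And" else any(results)


def classify(flow: Flow, template: ClassifierTemplate,
             customized: List[Triplet]) -> bool:
    """Identify the flow's application first, then apply the template."""
    return template.matches(flow, identify_application(flow, customized))


# Constructed sample configuration, listed in the order the applications
# were created; the second triplet overlaps the first on purpose.
CUSTOMIZED_APPS = [
    Triplet("outlook-self-built", "10.20.0.10/32", "tcp", 443),
    Triplet("intranet-https", "10.20.0.0/24", "tcp", 443),
]

if __name__ == "__main__":
    f = Flow("192.168.10.5", "10.20.0.10", "tcp", 443, vlan_id=100)
    print(identify_application(f, CUSTOMIZED_APPS))   # outlook-self-built
    t = ClassifierTemplate("And", l3_acl=["192.168.10.0/24"],
                           applications=["outlook-self-built"])
    print(classify(f, t, CUSTOMIZED_APPS))            # True
```

The overlap between the two sample triplets is the case the NOTE above warns about: a flow to 10.20.0.10:443 satisfies both, and only the application created first is reported, so rule order on the controller decides what later traffic policies see.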
Follow-up Procedure
Cloning a traffic classifier template: You can clone a traffic classifier template. That is, you can quickly create a traffic classifier template by modifying an existing template. After you clone a traffic classifier template, the template exists only on the Agile Controller-Campus. To deliver the new policy to devices, you need to perform the Commit operation.
On the Traffic Classifier Template page, select the traffic classifier template to be cloned, and click .
Parameter Description
Advance > Start Vlan ID: Start VLAN ID in the outer tag of the VLAN packet to be matched.
Advance > End Vlan ID: End VLAN ID in the outer tag of the VLAN packet to be matched. End Vlan ID must be greater than Start Vlan ID. If End Vlan ID is not specified, only the packets carrying Start Vlan ID are matched.
Procedure
Step 1 Choose Configuration > Configuration > Traffic Policy from the main menu.
Step 2 Click Validity Period Template, and click Create to create an effective time template.
----End
Follow-up Procedure
Deleting an effective time template: Before deleting an effective time template, you need to delete the associated traffic policy or unbind the effective time template from the traffic policy. Otherwise, the effective time template cannot be deleted.
On the Validity Period Template page, select the effective time template to be deleted, and click Delete.
Parameter Description
Time type l Daily: Periodic time segment. The time range is defined by
day, indicating that the rule takes effect at an interval of one
day (for example, from 8:00 to 12:00 every day).
l Weekly: Periodic time segment. The time range is defined by
week, indicating that the rule takes effect at an interval of one
week (for example, from 8:00 to 12:00 on Mondays).
l Scheduled: Absolute time segment, indicating that the rule
takes effect in the time range from YYYY/MM/DD hh:mm to
YYYY/MM/DD hh:mm.
Weekly Date on which the time range takes effect. This parameter is
available only when Time type is set to Weekly. The value can
be one day (Monday to Sunday) or any day-of-week
combinations.
Context
In EVPN tunnel mode, if the overlay topology is hierarchical, you can specify a global
centralized Internet gateway and a regional centralized Internet gateway when configuring
centralized Internet access sites. If users require that Internet access traffic meet these
requirements:
1. The Internet access traffic in an area is preferentially routed through the regional
centralized Internet gateway.
2. The Internet access traffic across areas is preferentially routed through the global
centralized Internet gateway.
the following principles need to be followed:
1. It is recommended that the topology of an area be set to full-mesh mode.
As shown in the following figure, Area1 is in hub-spoke mode, Hub1 is a global
centralized Internet gateway, and Spoke2 is a regional centralized Internet gateway. In
this case, the Internet access traffic of Spoke1 is not forwarded to the Internet through
Spoke2. Instead, the traffic passes through Hub1 and is directly routed out to the
Internet.
Prerequisites
1. Sites have been added. For details, see 1.8.3.4 Creating a Site.
2. If a local Internet access policy is used by a site, the WAN links must have been
activated. For details, see 1.8.3.6 Configuring the Network Access Mode for a Site.
3. Traffic policy templates have been configured. For details, see 1.8.5.2.1 Creating a
Traffic classifier template.
Procedure
Step 1 Choose Configuration > Configuration > Traffic Policy from the main menu.
Step 2 Click the Overlay tab.
Step 3 Set VPN to the department that needs to access the Internet.
Step 4 Click the Site-to-Internet tab and configure an Internet access policy for the site.
Step 5 If the centralized Internet access mode needs to be used, perform the following operations:
l In DSVPN tunnel mode:
In the centralized Internet access mode, the selected sites must be of the same type
such as hub, aggregation, or branch. One or two hub sites can be selected. Only one
aggregation site or one branch site can be selected.
d. Click OK.
l In EVPN tunnel mode:
c. Set Area, Active Internet GW, and Standby Internet GW, and click in the
Operation column.
d. Click Apply.
Step 6 If the local Internet access mode needs to be used, perform the following operations:
You can select one or more sites for local Internet access.
4. Click Next.
5. Configure a local Internet access policy.
If All is selected, the system does not create a PBR policy and applications access
the Internet via the default route.
If By Application is selected, the system creates a PBR policy and delivers it to
devices. Applications access the Internet according to the PBR policy.
b. Enable Shared track IP.
This parameter is configurable only when By Application is selected for the
Internet access policy.
All sites use the shared track IP address. After Shared track IP is enabled, the
track IP addresses of site links do not take effect.
c. To activate a link, click next to the link in the Operation column. The
configured local Internet access policy takes effect only after a link is activated.
d. If NAT is required for WAN links, enable NAT.
e. Configure the priorities of WAN links.
f. The local Internet access service and the overlay network share the bandwidth.
They consume bandwidth randomly by default. To guarantee rated bandwidth for
the local Internet access service, enable Bandwidth Allocation and set a bandwidth
percentage.
g. Configure a track IP address for links.
The track IP address of links can be configured only when Shared track IP is
disabled. All links of a device need to be configured with the same track IP address.
h. Select a traffic classifier template. The system will match application traffic and
execute the PBR policy according to the selected template.
i. Click Finish.
6. Click Apply.
----End
Parameter Description
Centralized Internet access: Centralized Internet access mode. The Internet access traffic from a branch site is diverted to the hub site, implementing Internet access through a unified egress. This Internet access mode helps you deploy an independent firewall and configure comprehensive security policies, facilitating security audit and access control.
Local Internet access: Local Internet access mode. Traffic from a site is routed out of the local underlay network to quickly access the Internet. Compared with the Internet access in centralized mode, this mode has lower latency and provides better service experience. Therefore, this mode is suitable for sites with rich Internet connection resources (with large bandwidth and low latency) to access SaaS application services.
Select Site: Site that supports Internet access in local mode.
NOTE
For example, a tenant network has a hub site Hub1 and two branch sites Spoke1 and Spoke2. Hub1 is configured with the centralized Internet access mode, Spoke1 is configured with the local Internet access mode, and Spoke2 is not configured with any Internet access mode. The Internet access traffic from Hub1 is locally routed out. The Internet access traffic from Spoke1 is preferentially routed out from the local site. If the traffic fails to be routed out locally, the traffic is routed out through Hub1. The Internet access traffic from Spoke2 is routed out through Hub1.
Select mode: Site selection mode. You can select sites by network topology or site template.
WAN Link: WAN link of the selected site. This parameter is just for display and does not need to be set.
Track IP (configured only when Policy is set to Application):
l Site: Track IP address specified for a site. All WAN links at a site must have the same track IP.
l Track IP: The track IP specified for a link takes effect only when no shared track IP is specified.
Prerequisites
1. Sites have been added. For details, see 1.8.3.4 Creating a Site.
2. Sites have been activated. For details, see 1.8.3.6 Configuring the Network Access
Mode for a Site.
3. Traffic policy templates have been configured. For details, see 1.8.5.2.1 Creating a
Traffic classifier template.
Procedure
Step 1 Choose Configuration > Configuration > Traffic Policy from the main menu.
Step 3 Set VPN to the department that requires mutual access between traditional sites.
Step 5 If the centralized mode needs to be used for mutual access between traditional sites, perform
the following operations:
In the centralized mutual-access mode, the selected sites must be of the same type such
as hub, aggregation, or branch. One or two hub sites can be selected. Only one
aggregation site or one branch site can be selected.
4. Click Next.
5. In the Operation column, click . Set a link priority and allocated bandwidth.
The local mutual access service and the overlay network share the bandwidth. They
consume bandwidth randomly by default. To guarantee rated bandwidth for the local
mutual access service, enable Bandwidth Allocation and set a bandwidth percentage.
6. Click Finish.
Step 6 If the distributed mode (local mode) needs to be used for mutual access between traditional
sites, perform the following operations:
The selected sites for mutual access in distributed mode can be of different types.
4. Click Next.
5. To activate a link, click next to the link in the Operation column. The configured
local mutual access policy takes effect only after a link is activated.
6. Set a link priority and allocated bandwidth.
The local mutual access service and the overlay network share the bandwidth. They
consume bandwidth randomly by default. To guarantee rated bandwidth for the local
mutual access service, enable Bandwidth Allocation and set a bandwidth percentage.
7. Click Finish.
NOTE
A site cannot be enabled with both centralized access and local access.
----End
Parameter Description
Select Site: Site that supports centralized access. When you set this parameter, pay attention to the following constraints:
l The selected sites must be of the same type such as hub, aggregation, or branch.
l If the selected site type is hub, a maximum of two hub sites can be configured.
l If the selected site type is aggregation or branch, only one site can be configured.
Configure Policy > Site Template: Template of the selected site. This parameter is just for display and does not need to be set.
Configure Policy > WAN Link: WAN link of the selected site. This parameter is just for display and does not need to be set.
Bandwidth Allocation: Mutual access traffic and Internet access traffic share the bandwidth. For details, refer to the description about Bandwidth Allocation in Site-to-Internet.
Local access: In local access mode, traffic from SD-WAN sites is directly routed to legacy sites.
Parameter Description
Link Priority
Bandwidth Allocation
Operation
Prerequisites
1. Sites have been added. For details, see 1.8.3.4 Creating a Site.
2. Sites have been activated. For details, see 1.8.3.6 Configuring the Network Access
Mode for a Site.
3. Traffic classifier templates have been configured. For details, see 1.8.5.2.1 Creating a
Traffic classifier template.
Procedure
Step 1 Choose Configuration > Configuration > Traffic Policy from the main menu.
Step 2 Click the Underlay tab, and then click ACL. The Policy Settings page is displayed by
default.
The ACL policy created for an underlay network cannot identify an L7-type traffic template.
3. Under Policy Priority, configure a policy priority.
4. Select WAN links from which the packets need to be blocked.
Click Create and set Site Template and WAN Link. You can select one or more WAN
links for WAN Link.
After a site template is selected, the policy can be applied only to the sites using the
selected site template.
5. Under Traffic filter, configure a traffic filter policy.
6. If you want the policy to take effect within a specified time range, select an effective
time range template from the Effective time template drop-down list. If you want the
policy to always take effect, skip this step.
7. Click OK.
Step 4 Apply the ACL policy to sites.
----End
Follow-up Procedure
After performing any of the following operations, you need to perform the Commit operation
for them to take effect at the sites.
Revoking the last operation on an ACL policy: You can revoke the operation on a policy that is not delivered to sites, namely, a policy on which the Commit operation is not operated (Committed not displayed in the Status column). You cannot revoke the operation on a committed policy. The revoke function can only revoke the last operation on a policy. For example, you can use this function to revoke the modification, creation, and deletion of a policy. After you revoke the last operation on a policy, only the configuration of the policy is rolled back. That is, the operation takes effect only on the Agile Controller-Campus, but does not take effect on devices.
Procedure: On the ACL tab page, select the policy for which the last operation needs to be revoked, click Revoke, and select Revoke Selected.
Deleting an ACL policy: You can delete a policy regardless of whether it is delivered to sites. After you delete a policy, the policy is deleted only from the Agile Controller-Campus. To delete the policy from devices, you need to perform the Commit operation.
Procedure: On the ACL tab page, select the ACL policies to be deleted and click Delete.
Modifying an ACL policy: You can modify a policy regardless of whether it is delivered to sites. After you modify a policy, the modification takes effect only on the Agile Controller-Campus. To modify the policy on devices, you need to perform the Commit operation.
Procedure:
1. On the ACL tab page, click in the Operation column of the ACL policy to be modified.
2. Modify the policy.
3. Click OK.
Cloning an ACL policy: You can clone an ACL policy. That is, you can quickly create a policy by modifying an existing policy. After you clone a policy, the policy exists only on the Agile Controller-Campus. To deliver the new policy to devices, you need to perform the Commit operation.
Procedure:
1. On the ACL tab page, click in the Operation column of the ACL policy to be cloned.
2. Modify the cloned policy.
3. Click OK.
Disabling/Enabling an ACL policy:
l Disabling: You can disable a policy not to be used currently. You can disable a policy regardless of whether it is delivered to sites. After you disable a policy, the policy is disabled only on the Agile Controller-Campus. To disable the policy on devices, you need to perform the Commit operation.
l Enabling: You can enable a policy that needs to be used. You can enable a policy regardless of whether it is delivered to sites. After you enable a policy, the policy is enabled only on the Agile Controller-Campus. To enable the policy on devices, you need to perform the Commit operation.
Procedure:
l Disabling: On the ACL tab page, click in the Operation column of the ACL policy to be disabled.
l Enabling: On the ACL tab page, click in the Operation column of the ACL policy to be enabled.
Binding an ACL policy in a site view: You can bind a new policy to a site.
Procedure:
1. On the ACL tab page, click Site View.
2. In the site area, select a site.
3. Click Binding New Policy.
4. Select the policy to be bound to the selected site.
5. Click OK.
Configuring policies in batches in a site view: You can bind the policy that has been bound to a site to other sites without the policy being bound so that different sites share the same policy.
Procedure:
1. On the ACL tab page, click Site View.
2. Click Batch Configure.
3. In the Clone from a site area, select a site with an ACL policy bound.
4. In the Site area, select the destination sites to which the same policy is to be bound.
5. Click OK.
Committing all the data in a site view: You can commit all the policies of a site.
Procedure:
1. On the ACL tab, click Site View.
2. In the site area, select a site.
3. Click Commit All.
4. Click OK.
Revoking all the data in a site view: You can revoke all the policies of a site.
Procedure:
1. On the ACL tab, click Site View.
2. In the site area, select a site.
3. Click Revoke All.
4. Click OK.
Parameter Description
Traffic classifier Traffic classifier template. The ACL specified by Policy name is
template applied to packets that match the traffic classifier template. Only
a traffic classifier template of the L4 or Any type can be selected
for an ACL on the underlay network. Any traffic classifier
template can be selected for an ACL on the overlay network.
Policy priority: ACL priority. When a packet is received, the CPE matches it against the traffic classifier templates of the ACLs in descending order of priority. If a match is found, the action (traffic filtering) defined in that ACL is executed. If the packet does not match, the CPE continues to match it against the traffic classifier template of the next ACL.
Interface > LAN: All LAN-side Layer 3 interfaces for which the ACL is enabled, including Layer 3 interfaces, sub-interfaces, and VLANIF interfaces.
Parameter Description
Traffic filter l Deny: Packets that do not match the traffic classifier template
are denied.
l Permit: Packets that match the traffic classifier template are
permitted.
Effective time template Time range defined in the template. The ACL takes effect only in
the defined time range.
NOTE
The relationship between all conditions is AND. That is, for the underlay
network, an ACL takes effect as follows:
For packets entering the specified interface of a specified site within the
specified time range, the ACL denies the packets matching the traffic
classifier template or permits only packets matching the traffic classifier
template.
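The following Python example is added here and is not code from the Huawei guide or from the Agile Controller-Campus. It models how a CPE would evaluate the ACL policies described in this parameter table together with the validity period templates described earlier: policies are tried in descending order of Policy priority and the first one whose traffic classifier template matches decides; site, interface, and effective time range are ANDed as the NOTE states; Deny drops matching packets and Permit permits only matching packets. The class and function names, the weekday encoding, the treatment of a packet that matches no classifier while a Permit ACL applies (denied, following the "permits only" wording of the NOTE), and the sample policies and packets are assumptions.

```python
# Added example (not Huawei's code): a model of ACL policy evaluation on a
# CPE. Names, the weekday encoding, the default for packets that match no
# classifier, and the sample policies below are assumptions.
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Callable, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    site: str
    interface: str        # LAN-side Layer 3 interface the packet enters
    src_ip: str
    dst_port: int


@dataclass(frozen=True)
class EffectiveTime:
    """Validity period template: Daily, Weekly or Scheduled."""
    time_type: str
    start: time = time(0, 0)                 # Daily / Weekly window
    end: time = time(23, 59)
    weekdays: FrozenSet[int] = frozenset()   # Weekly: 0 = Monday .. 6 = Sunday
    begin_at: Optional[datetime] = None      # Scheduled: absolute range
    end_at: Optional[datetime] = None

    def active(self, now: datetime) -> bool:
        if self.time_type == "Scheduled":
            return self.begin_at <= now <= self.end_at
        if self.time_type == "Weekly" and now.weekday() not in self.weekdays:
            return False
        return self.start <= now.time() <= self.end


@dataclass(frozen=True)
class AclPolicy:
    name: str
    priority: int
    interface: str
    sites: FrozenSet[str]                    # sites the policy is attached to
    classifier: Callable[[Packet], bool]     # traffic classifier template match
    traffic_filter: str                      # "Deny" or "Permit"
    effective: Optional[EffectiveTime] = None   # None: always in effect

    def applies(self, pkt: Packet, now: datetime) -> bool:
        """All conditions are ANDed: site, interface and time range."""
        return (pkt.site in self.sites and pkt.interface == self.interface
                and (self.effective is None or self.effective.active(now)))


def evaluate(policies: List[AclPolicy], pkt: Packet,
             now: datetime) -> Tuple[Optional[str], str]:
    """Return (deciding policy name or None, "permit" | "deny").
    Policies are tried in descending priority; the first one whose classifier
    matches decides, otherwise the next one is tried. A Permit ACL permits
    only matching packets, so if a Permit ACL applied and nothing matched the
    packet is denied (assumed reading of the guide); with no applicable ACL
    at all the packet is forwarded normally."""
    permit_acl_seen = False
    for pol in sorted(policies, key=lambda p: p.priority, reverse=True):
        if not pol.applies(pkt, now):
            continue
        if pol.traffic_filter == "Permit":
            permit_acl_seen = True
        if pol.classifier(pkt):
            return pol.name, ("deny" if pol.traffic_filter == "Deny" else "permit")
    return None, ("deny" if permit_acl_seen else "permit")


def src_in(prefix: str) -> Callable[[Packet], bool]:
    """Classifier helper: source address inside a prefix (L3 ACL rule)."""
    return lambda p: ip_address(p.src_ip) in ip_network(prefix)


# Constructed sample policies attached to site Spoke1, LAN interface GE0/0/1.
WORK_HOURS = EffectiveTime("Weekly", time(8, 0), time(18, 0), frozenset(range(5)))
POLICIES = [
    AclPolicy("block-telnet", 200, "GE0/0/1", frozenset({"Spoke1"}),
              lambda p: src_in("10.0.0.0/8")(p) and p.dst_port == 23,
              "Deny", WORK_HOURS),
    AclPolicy("allow-https", 100, "GE0/0/1", frozenset({"Spoke1"}),
              lambda p: p.dst_port == 443, "Permit"),
]


def decide(site: str, interface: str, src_ip: str, dst_port: int,
           when: str) -> Tuple[Optional[str], str]:
    """Evaluate POLICIES for one packet at an ISO 8601 timestamp."""
    return evaluate(POLICIES, Packet(site, interface, src_ip, dst_port),
                    datetime.fromisoformat(when))


if __name__ == "__main__":
    # 2019-03-11 is a Monday: the Deny ACL is in its Weekly window.
    print(decide("Spoke1", "GE0/0/1", "10.1.1.1", 23, "2019-03-11T10:00"))
```

Running the sample shows the effect of the time template on ordering: on a weekday morning the higher-priority Deny ACL decides, while outside its window the same telnet packet falls through to the Permit ACL, which does not match it either, so the outcome then depends entirely on the default assumed for unmatched traffic. That default is worth confirming on the device before relying on a Permit-style ACL as the only control.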
Prerequisites
1. Sites have been added. For details, see 1.8.3.4 Creating a Site.
2. Sites have been activated. For details, see 1.8.3.6 Configuring the Network Access
Mode for a Site.
3. LAN information has been configured. For details, see 1.8.3.9 Creating an Overlay
Network.
4. Traffic policy templates have been configured. For details, see 1.8.5.2.1 Creating a
Traffic classifier template.
Procedure
Step 1 Choose Configuration > Configuration > Traffic Policy from the main menu.
Step 3 Set VPN to the department for which a traffic blocking policy needs to be configured.
Step 4 Click the ACL tab. Then, the Policy Settings page is displayed by default.
1. In the Operation column of the ACL policy, click the icon to add sites to which the policy
needs to be applied.
2. On the Attach Sites page, select the sites to which the policy needs to be applied.
3. Click OK.
Step 7 Deliver the ACL policy to the sites and set the execution start time of the policy.
1. Select the ACL policy to be delivered.
2. Click Commit and select Commit Selected or Commit All.
3. On the Commit page, set the execution start time of the policy to Immediately or
Schedule.
4. Click OK.
----End
Follow-up Procedure
After performing any of the following operations, you need to perform the Commit operation
for them to take effect at the sites.
Revoking the last operation on an ACL policy
  Description: You can revoke the operation on a policy that is not delivered to sites, namely, a policy on which the Commit operation has not been performed (Committed is not displayed in the Status column). You cannot revoke the operation on a committed policy. The revoke function can only revoke the last operation on a policy. For example, you can use this function to revoke the modification, creation, or deletion of a policy. After you revoke the last operation on a policy, only the configuration of the policy is rolled back. That is, the operation takes effect only on the Agile Controller-Campus, but does not take effect on devices.
  Procedure: On the ACL tab page, select the policy for which the last operation needs to be revoked, click Revoke, and select Revoke Selected.

Deleting an ACL policy
  Description: You can delete a policy regardless of whether it is delivered to sites. After you delete a policy, the policy is deleted only from the Agile Controller-Campus. To delete the policy from devices, you need to perform the Commit operation.
  Procedure: On the ACL tab page, select the ACL policies to be deleted and click Delete.

Modifying an ACL policy
  Description: You can modify a policy regardless of whether it is delivered to sites. After you modify a policy, the modification takes effect only on the Agile Controller-Campus. To modify the policy on devices, you need to perform the Commit operation.
  Procedure:
  1. On the ACL tab page, click the icon in the Operation column of the ACL policy to be modified.
  2. Modify the policy.
  3. Click OK.

Cloning an ACL policy
  Description: You can clone an ACL policy. That is, you can quickly create a policy by modifying an existing policy. After you clone a policy, the policy exists only on the Agile Controller-Campus. To deliver the new policy to devices, you need to perform the Commit operation.
  Procedure:
  1. On the ACL tab page, click the icon in the Operation column of the ACL policy to be cloned.
  2. Modify the cloned policy.
  3. Click OK.

Disabling/Enabling an ACL policy
  Description:
  - Disabling: You can disable a policy that is not to be used currently. You can disable a policy regardless of whether it is delivered to sites. After you disable a policy, the policy is disabled only on the Agile Controller-Campus. To disable the policy on devices, you need to perform the Commit operation.
  - Enabling: You can enable a policy that needs to be used. You can enable a policy regardless of whether it is delivered to sites. After you enable a policy, the policy is enabled only on the Agile Controller-Campus. To enable the policy on devices, you need to perform the Commit operation.
  Procedure:
  - Disabling: On the ACL tab page, click the icon in the Operation column of the ACL policy to be disabled.
  - Enabling: On the ACL tab page, click the icon in the Operation column of the ACL policy to be enabled.

Binding an ACL policy in a site view
  Description: You can bind a new policy to a site.
  Procedure:
  1. On the ACL tab page, click Site View.
  2. In the site area, select a site.
  3. Click Binding New Policy.
  4. Select the policy to be bound to the selected site.
  5. Click OK.

Configuring policies in batches in a site view
  Description: You can bind a policy that has been bound to one site to other sites to which no policy is bound, so that different sites share the same policy.
  Procedure:
  1. On the ACL tab page, click Site View.
  2. Click Batch Configure.
  3. In the Clone from a site area, select a site with an ACL policy bound.
  4. In the Site area, select the destination sites to which the same policy is to be bound.
  5. Click OK.

Committing all the data in a site view
  Description: You can commit all the policies of a site.
  Procedure:
  1. On the ACL tab, click Site View.
  2. In the site area, select a site.
  3. Click Commit All.
  4. Click OK.

Revoking all the data in a site view
  Description: You can revoke all the policies of a site.
  Procedure:
  1. On the ACL tab, click Site View.
  2. In the site area, select a site.
  3. Click Revoke All.
  4. Click OK.
Parameter Description

Traffic classifier template
  Traffic classifier template. The ACL specified by Policy name is applied to packets that match the traffic classifier template. Only a traffic classifier template of the L4 or Any type can be selected for an ACL on the underlay network. Any traffic classifier template can be selected for an ACL on the overlay network.

Policy priority
  ACL priority. When a packet is received, the CPE matches it against the traffic classifier templates corresponding to ACLs in descending order of priority. If a match is found, the action (traffic filtering) defined in the ACL is executed. If a mismatch is found, the CPE continues to match the packet against the traffic classifier template of the next ACL.

Interface > LAN
  All LAN-side Layer 3 interfaces for which the ACL is enabled, including Layer 3 interfaces, sub-interfaces, and VLANIF interfaces.

Traffic filter
  - Deny: Packets that do not match the traffic classifier template are denied.
  - Permit: Packets that match the traffic classifier template are permitted.

Effective time template
  Time range defined in the template. The ACL takes effect only in the defined time range.
  NOTE
  The relationship between all conditions is AND. That is, for the underlay network, an ACL takes effect as follows: for packets entering the specified interface of a specified site within the specified time range, the ACL denies the packets matching the traffic classifier template or permits only packets matching the traffic classifier template.
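The following Python model is an added example; it is not part of this guide and not code from the Agile Controller-Campus. It illustrates the evaluation order that the ACL parameter tables (for both the underlay and the overlay network) describe: candidate ACLs are tried in descending Policy priority, an ACL is in force only on its enabled LAN interfaces and within its effective time range (the AND relationship from the NOTE), and the first traffic classifier template that matches decides the Traffic filter action. It also applies the restriction that an underlay ACL may use only an L4 or Any template. The interface names, packets, the "L7" template type name, and the choice to leave traffic that no ACL matches unfiltered are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional, Tuple


@dataclass
class TrafficClassifier:
    """Traffic classifier template. `kind` is "L4" or "Any" as in the guide; "L7" is an
    assumed name for an application-layer template that the underlay cannot use."""
    name: str
    kind: str
    proto: Optional[str] = None    # "tcp" / "udp" / None
    dport: Optional[int] = None
    app: Optional[str] = None      # only an L7 template looks at the identified application

    def matches(self, pkt: dict) -> bool:
        if self.kind == "Any":
            return True
        if self.proto and pkt.get("proto") != self.proto:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        if self.kind == "L7" and self.app and pkt.get("app") != self.app:
            return False
        return True


@dataclass
class AclPolicy:
    name: str
    priority: int                               # Policy priority: higher is matched first
    classifier: TrafficClassifier
    action: str                                 # Traffic filter: "deny" or "permit"
    interfaces: List[str]                       # LAN-side Layer 3 interfaces it is enabled on
    window: Optional[Tuple[time, time]] = None  # Effective time template; None = always


def validate_for_underlay(policy: AclPolicy) -> Optional[str]:
    """Underlay ACLs accept only L4 or Any classifier templates; overlay accepts any."""
    kind = policy.classifier.kind
    if kind not in ("L4", "Any"):
        return f"{policy.name}: template {policy.classifier.name} is {kind}; underlay needs L4 or Any"
    return None


def in_window(window: Optional[Tuple[time, time]], at: datetime) -> bool:
    if window is None:
        return True
    start, end = window
    return start <= at.time() <= end


def evaluate(policies: List[AclPolicy], pkt: dict, interface: str,
             at: datetime) -> Tuple[str, Optional[str]]:
    """Return (verdict, policy name). Candidates are tried in descending priority and
    all conditions are ANDed: interface, time range and classifier must all hold."""
    for pol in sorted(policies, key=lambda p: p.priority, reverse=True):
        if interface not in pol.interfaces or not in_window(pol.window, at):
            continue                             # ACL not in force here and now
        if pol.classifier.matches(pkt):
            return (pol.action, pol.name)        # first match decides; lower ACLs are not consulted
    return ("permit", None)   # assumption: traffic that no ACL matches is not filtered


def demo() -> dict:
    """Constructed policies, interface names and packets (not from the guide)."""
    block_telnet = AclPolicy("block-telnet", 100, TrafficClassifier("telnet", "L4", "tcp", 23),
                             "deny", ["GE0/0/1"])
    web_hours = AclPolicy("web-office-hours", 80, TrafficClassifier("http", "L4", "tcp", 80),
                          "deny", ["GE0/0/1"], (time(9, 0), time(18, 0)))
    permit_rest = AclPolicy("permit-rest", 50, TrafficClassifier("any", "Any"),
                            "permit", ["GE0/0/1", "GE0/0/2"])
    policies = [permit_rest, block_telnet, web_hours]   # entry order is irrelevant; priority decides
    overlay_only = AclPolicy("block-app", 90, TrafficClassifier("social", "L7", app="social-media"),
                             "deny", ["GE0/0/1"])
    telnet = {"proto": "tcp", "dport": 23}
    http = {"proto": "tcp", "dport": 80}
    ten_am = datetime(2019, 3, 13, 10, 0)
    eight_pm = datetime(2019, 3, 13, 20, 0)
    return {
        "telnet_lan1": evaluate(policies, telnet, "GE0/0/1", ten_am),
        "http_lan1_10am": evaluate(policies, http, "GE0/0/1", ten_am),
        "http_lan1_8pm": evaluate(policies, http, "GE0/0/1", eight_pm),
        "telnet_lan2": evaluate(policies, telnet, "GE0/0/2", ten_am),
        "underlay_check": validate_for_underlay(overlay_only),
    }
```

Running demo() shows the points a reviewer of an ACL set should check: the time-bound web ACL applies at 10:00 but not at 20:00, the telnet ACL has no effect on an interface it is not enabled on, and the application-layer template is rejected for the underlay before it reaches a device.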
Context
You can configure a NAT policy on the Underlay tab page in the following scenarios:
1. Internet access at sites: For the LAN-side traffic destined to the Internet, the egress
device on the underlay translates the LAN-side private IP address into a public IP
address.
2. External network access to intranet servers: A server providing external services, such as
the FTP server, is deployed on the LAN side of a site. The egress device on the underlay
translates the private IP address of the server into a public IP address to provide services.
For Internet traffic proactively accessing intranet servers, the public address of the
servers is translated into the actual private IP address.
3. Mutual access between SD-WAN sites and traditional sites: SD-WAN sites and
traditional sites may have duplicate addresses. Therefore, a static NAT policy must be
configured on both SD-WAN sites and traditional sites to implement mutual access,
removing the need to change LAN-side terminal addresses.
NOTE
If the access traffic is unidirectional, configure static NAT on the accessed party. For example, if a
traditional site needs to access an SD-WAN site but the SD-WAN site does not need to communicate
with the traditional site, configure static NAT only on the SD-WAN site.
Prerequisites
1. Sites have been added. For details, see 1.8.3.4 Creating a Site.
2. Sites have been activated. For details, see 1.8.3.6 Configuring the Network Access
Mode for a Site.
Procedure
Step 1 Choose Configuration > Configuration > Traffic Policy from the main menu.
Step 4 In the Site area, select the site for which a NAT policy needs to be configured.
3. Click OK.
Step 6 Configure a static NAT policy.
1. Click Create.
2. Enter information about the static NAT policy, including the name of the interface to be
bound, internal IP address, and external IP address.
3. Click OK.
----End
Follow-up Procedure
Deleting a NAT policy
  Description: You can delete a NAT policy.
  Procedure: On the NAT tab page, select the NAT policy to be deleted and click Delete.

Modifying a NAT policy
  Description: You can modify any NAT policy.
  Procedure:
  1. On the NAT tab page, click the icon in the Operation column of the NAT policy to be modified.
  2. Modify the policy.
  3. Click OK.
Parameter Description

IP address group > Start IP address / End IP address
  IP address range after NAT. IP addresses in this range are public IP addresses in most cases. This parameter is configurable only when the NAT mode is set to PAT or No-PAT. The IP address range has the following restraints:
  - The end IP address must be greater than the start IP address.
  - The number of IP addresses cannot exceed 255.
  - On the same interface, the IP address segments configured in different NAT policies cannot overlap.

Match rules > Match rules
  Matching rule. Multiple ACL rules can be defined in an ACL. For a packet matching an ACL rule, the CPE performs NAT on the source IP address and source port number.
  NOTE
  If two NAT policies are configured with the same ACL rule but with different IP address groups, the NAT policy configured first takes effect.

Match rules > Priority
  Priority of an ACL rule. The ACL rule with a higher priority is matched preferentially, and then the action defined by this rule is performed.

Match rules > Action
  - Permit: Packets that match the ACL rule are allowed to pass.
  - Deny: Packets that match the ACL rule are not allowed to pass.

Match rules > Protocol
  Protocol of the packets that can match the ACL rule.

Match rules > Source IP/Prefix Length
  Source IP address of the packets that can match the ACL rule.

Match rules > Destination IP/Prefix Length
  Destination IP address of the packets that can match the ACL rule.

Match rules > Source Port
  Source port number of the packets that can match the ACL rule. This parameter is available only when the protocol is set to TCP or UDP.

Match rules > Destination Port
  Destination port number of the packets that can match the ACL rule. This parameter is available only when the protocol is set to TCP or UDP.

Protocol type
  Protocol type, which is available only when the NAT type is set to protocol translation.
  - TCP: NAT is performed on packets whose source IP addresses are internal IP addresses, source ports are internal ports, and protocol type is TCP. After NAT, internal IP addresses are translated into external IP addresses, and internal port numbers are translated into external port numbers.
  - UDP: NAT is performed on packets whose source IP addresses are internal IP addresses, source ports are internal ports, and protocol type is UDP. After NAT, internal IP addresses are translated into external IP addresses, and internal port numbers are translated into external port numbers.
  - ICMP: NAT is performed on packets whose source IP addresses are internal IP addresses and protocol type is ICMP. After NAT, internal IP addresses are translated into external IP addresses.

External port
  Port number after NAT. This parameter is available only when the NAT type is set to protocol translation and the protocol type is set to TCP or UDP.

Internal port
  Port number before NAT. This parameter is available only when the NAT type is set to protocol translation and the protocol type is set to TCP or UDP.

Advanced Settings > Direction
  The default value is Bidirectional. You can specify whether to perform NAT in the direction of External to Internal or Internal to External as needed. For example, if an FTP server providing external services is deployed on the LAN side of a site and proactive access from the Internet to intranet servers exists, you can set this value to Internal to External.
Context
On the Overlay tab page, you can configure a NAT policy for mutual access between SD-
WAN sites. Two SD-WAN sites may have duplicate addresses. In this case, static NAT needs
to be configured on each SD-WAN site to implement communication between the two SD-
WAN sites without the need to change LAN-side terminal addresses.
NOTE
If the access traffic is unidirectional, configure static NAT on the accessed party. For example, if site A
needs to access site B but site B does not need to communicate with site A, configure static NAT only on
site B.
Prerequisites
1. Sites have been added. For details, see 1.8.3.4 Creating a Site.
2. Sites have been activated. For details, see 1.8.3.6 Configuring the Network Access
Mode for a Site.
3. LAN information has been configured. For details, see 1.8.3.9 Creating an Overlay
Network.
Procedure
Step 1 Choose Configuration > Configuration > Traffic Policy from the main menu.
Step 3 In the VPN area, select the department for which the QoS policy needs to be configured.
Step 5 In the Site area, select the site for which a NAT policy needs to be configured.
2. Click OK.
1. Click Create.
2. Enter information about the static NAT policy, including the name of the interface to be
bound, internal IP address, and external IP address.
3. Click OK.
----End
Follow-up Procedure
Deleting a NAT policy
  Description: You can delete a NAT policy.
  Procedure: On the NAT tab page, select the NAT policy to be deleted and click Delete.

Modifying a NAT policy
  Description: You can modify any NAT policy.
  Procedure:
  1. On the NAT tab page, click the icon in the Operation column of the NAT policy to be modified.
  2. Modify the policy.
  3. Click OK.
Parameters

Parameter Description

IP address group > Start IP address / End IP address
  IP address range after NAT. IP addresses in this range are public IP addresses in most cases. This parameter is configurable only when the NAT mode is set to PAT or No-PAT. The IP address range has the following restraints:
  - The end IP address must be greater than the start IP address.
  - The number of IP addresses cannot exceed 255.
  - On the same interface, the IP address segments configured in different NAT policies cannot overlap.

Match rules > Match rules
  Matching rule. Multiple ACL rules can be defined in an ACL. For a packet matching an ACL rule, the CPE performs NAT on the source IP address and source port number.
  NOTE
  If two NAT policies are configured with the same ACL rule but with different IP address groups, the NAT policy configured first takes effect.

Match rules > Priority
  Priority of an ACL rule. The ACL rule with a higher priority is matched preferentially, and then the action defined by this rule is performed.

Match rules > Action
  - Permit: Packets that match the ACL rule are allowed to pass.
  - Deny: Packets that match the ACL rule are not allowed to pass.

Match rules > Protocol
  Protocol of the packets that can match the ACL rule.

Match rules > Source IP/Prefix Length
  Source IP address of the packets that can match the ACL rule.

Match rules > Destination IP/Prefix Length
  Destination IP address of the packets that can match the ACL rule.

Match rules > Source Port
  Source port number of the packets that can match the ACL rule. This parameter is available only when the protocol is set to TCP or UDP.

Match rules > Destination Port
  Destination port number of the packets that can match the ACL rule. This parameter is available only when the protocol is set to TCP or UDP.

Protocol type
  Protocol type, which is available only when the NAT type is set to protocol translation.
  - TCP: NAT is performed on packets whose source IP addresses are internal IP addresses, source ports are internal ports, and protocol type is TCP. After NAT, internal IP addresses are translated into external IP addresses, and internal port numbers are translated into external port numbers.
  - UDP: NAT is performed on packets whose source IP addresses are internal IP addresses, source ports are internal ports, and protocol type is UDP. After NAT, internal IP addresses are translated into external IP addresses, and internal port numbers are translated into external port numbers.
  - ICMP: NAT is performed on packets whose source IP addresses are internal IP addresses and protocol type is ICMP. After NAT, internal IP addresses are translated into external IP addresses.

External port
  Port number after NAT. This parameter is available only when the NAT type is set to protocol translation and the protocol type is set to TCP or UDP.

Internal port
  Port number before NAT. This parameter is available only when the NAT type is set to protocol translation and the protocol type is set to TCP or UDP.

Advanced Settings > Direction
  The default value is Bidirectional. You can specify whether to perform NAT in the direction of External to Internal or Internal to External as needed. For example, if an FTP server providing external services is deployed on the LAN side of a site and proactive access from the Internet to intranet servers exists, you can set this value to Internal to External.
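The following Python model is an added example for the NAT parameter tables of both the underlay and the overlay network; it is not part of this guide and not code from the CPE or the Agile Controller-Campus. It checks the three restraints on an IP address group (end address greater than start, at most 255 addresses, no overlap with another policy's segment on the same interface), matches a NAT policy's ACL rules in priority order with Permit and Deny actions, applies the NOTE that of two policies sharing an ACL rule the first configured one takes effect, and shows a static NAT entry honouring the Direction setting. The pool, the rules, the packets and the translation details (first pool address used, no PAT port allocation, unmatched traffic left untranslated) are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))

@dataclass
class AddressGroup:   # IP address group: Start IP address .. End IP address of the public pool
    start: str
    end: str

def address_group_violations(group: AddressGroup, others_on_interface: List[AddressGroup]) -> List[str]:
    """Return which of the table's three restraints `group` breaks."""
    s, e = _ip(group.start), _ip(group.end)
    problems = []
    if e <= s:
        problems.append("end IP must be greater than start IP")
    if e - s + 1 > 255:
        problems.append("more than 255 addresses")
    for other in others_on_interface:
        if s <= _ip(other.end) and _ip(other.start) <= e:   # closed ranges intersect
            problems.append(f"overlaps {other.start}-{other.end} on the same interface")
    return problems

@dataclass
class MatchRule:      # one ACL rule of a NAT policy: Priority, Action and a subset of match fields
    priority: int
    action: str                   # "permit" or "deny"
    src: Optional[str] = None     # e.g. "10.1.0.0/16"; None matches any source
    proto: Optional[str] = None   # "tcp" / "udp" / "icmp" / None
    dport: Optional[int] = None   # destination port, only meaningful for TCP/UDP

    def matches(self, pkt: dict) -> bool:
        return ((not self.proto or pkt["proto"] == self.proto)
                and (not self.src or ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src))
                and (self.dport is None or pkt.get("dport") == self.dport))

@dataclass
class NatPolicy:
    name: str
    group: AddressGroup
    rules: List[MatchRule]

    def first_matching_rule(self, pkt: dict) -> Optional[MatchRule]:
        # The ACL rule with the higher priority is matched preferentially.
        for rule in sorted(self.rules, key=lambda r: r.priority, reverse=True):
            if rule.matches(pkt):
                return rule
        return None

def apply_source_nat(policies: List[NatPolicy], pkt: dict) -> Tuple[str, Optional[dict]]:
    """Outbound source NAT. Policies are tried in configuration order, so of two policies
    sharing an ACL rule the one configured first takes effect (the table's NOTE)."""
    for pol in policies:
        rule = pol.first_matching_rule(pkt)
        if rule is None:
            continue                  # this policy has no matching rule; try the next one
        if rule.action == "deny":
            return ("deny", None)     # matched a deny rule: not allowed to pass
        out = dict(pkt)
        out["src"] = pol.group.start  # assumption: first pool address; PAT port allocation left out
        return (f"nat:{pol.name}", out)
    return ("no-nat", dict(pkt))      # assumption: unmatched traffic is forwarded untranslated

@dataclass
class StaticNat:      # static NAT entry with the Direction setting (Bidirectional by default)
    internal: str
    external: str
    direction: str = "bidirectional"  # or "internal_to_external" / "external_to_internal"

    def translate(self, pkt: dict, outbound: bool) -> dict:
        out = dict(pkt)
        if outbound and self.direction != "external_to_internal" and pkt["src"] == self.internal:
            out["src"] = self.external  # the LAN server leaves with its public address
        if not outbound and self.direction != "internal_to_external" and pkt["dst"] == self.external:
            out["dst"] = self.internal  # Internet-originated traffic reaches the real server
        return out

def demo() -> dict:
    # Constructed pools, policy and packets (not from the guide); documentation prefixes only.
    pool_a = AddressGroup("203.0.113.10", "203.0.113.20")
    pool_b = AddressGroup("203.0.113.15", "203.0.113.30")   # overlaps pool_a
    pool_c = AddressGroup("198.51.100.1", "198.51.100.1")    # end not greater than start
    policy = NatPolicy("internet-access", pool_a, [
        MatchRule(10, "permit", src="10.1.0.0/16"),
        MatchRule(20, "deny", src="10.1.0.0/16", proto="tcp", dport=23),  # higher priority
    ])
    web = {"proto": "tcp", "src": "10.1.2.3", "dst": "192.0.2.50", "dport": 443}
    telnet = {"proto": "tcp", "src": "10.1.2.3", "dst": "192.0.2.50", "dport": 23}
    ftp = StaticNat("10.1.0.21", "203.0.113.21")
    inbound = {"proto": "tcp", "src": "198.51.100.77", "dst": "203.0.113.21", "dport": 21}
    return {
        "pool_b": address_group_violations(pool_b, [pool_a]),
        "pool_c": address_group_violations(pool_c, []),
        "web": apply_source_nat([policy], web),
        "telnet": apply_source_nat([policy], telnet),
        "ftp_inbound_dst": ftp.translate(inbound, outbound=False)["dst"],
    }
```

The overlap check is the one worth automating before a Commit: two policies on the same interface whose segments intersect are rejected by the restraint in the table, and the NOTE means that the later policy would silently lose to the earlier one for any shared ACL rule.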
1.8.5.5.5 Creating an Intelligent Traffic Steering Policy for the Overlay Network
An intelligent traffic steering policy automatically switches traffic between active links if
congestion occurs on a link and requirements of a specified application cannot be met. If
active links are unavailable, the traffic can be switched to the best-effort link. This ensures the
experience of key applications.
Prerequisites
1. Sites have been added. For details, see 1.8.3.4 Creating a Site.
2. Sites have been activated. For details, see 1.8.3.6 Configuring the Network Access
Mode for a Site.
3. Traffic policy templates have been configured. For details, see 1.8.5.2.1 Creating a
Traffic classifier template.
Procedure
Step 1 Choose Configuration > Configuration > Traffic Policy from the main menu.
Step 2 Click the Overlay tab.
Step 3 Set VPN to a department that requires intelligent traffic steering.
Step 4 Click the Intelligent Traffic Steering tab. Then, the Policy Settings page is displayed by
default.
b. In the Switchover Condition area, select the four types of switchover conditions
predefined in the system, or set Delay, Jitter, and Packet loss rate as needed. The
system will evaluate the network health based on the thresholds, then determine
whether traffic needs to be switched to another link.
c. In the Transport Network Priority area, set the primary and secondary transport
networks.
d. In the Advanced Settings area, set Bandwidth conditions list, Priority and other
parameters. The system determines whether to switch traffic to another link based
on the current bandwidth usage, application priority, and switchover threshold, and
then determines the application traffic to be switched based on the application
priority.
e. If you want the policy to always take effect, skip this step. If you want the policy to
take effect within a specified time range, select an effective time range template
from the Effective Time Template drop-down list.
f. Click OK.
Step 6 Apply the intelligent traffic steering policy to a site. The policy takes effect only at the
selected site.
1. In the Operation column of the intelligent traffic steering policy, click the icon to apply the
policy to a site.
2. On the Select Site page, select the sites to which the policy needs to be applied.
3. Click OK.
Step 7 Deliver the intelligent traffic steering policy to the site and set the execution start time of the
policy.
1. Select the intelligent traffic steering policy to be delivered.
2. Click Commit and select Commit Selected or Commit All.
3. On the Commit page, set the execution start time of the policy to Immediately or
Schedule.
4. Click OK.
----End
Follow-up Procedure
After performing any of the following operations, you need to perform the Commit operation
for them to take effect at the sites.
Revoking the last operation performed on an intelligent traffic steering policy
  Description: You can revoke the operation on a policy that is not delivered to sites, namely, a policy on which the Commit operation has not been performed (Committed is not displayed in the Status column). You cannot revoke the operation on a committed policy. The revoke function can only revoke the last operation on a policy. For example, you can use this function to revoke the modification, creation, or deletion of a policy. After you revoke the last operation on a policy, only the configuration of the policy is rolled back. That is, the operation takes effect only on the Agile Controller-Campus, but does not take effect on devices.
  Procedure: On the Path Strategy tab page, select the intelligent traffic steering policy for which the last operation needs to be revoked, click Revoke, and then click Revoke Selected.

Deleting an intelligent traffic steering policy
  Description: You can delete a policy regardless of whether it is delivered to sites. After you delete a policy, the policy is deleted only from the Agile Controller-Campus. To delete the policy from devices, you need to perform the Commit operation.
  Procedure: On the Path Strategy tab page, select the intelligent traffic steering policy to be deleted, and click Delete.

Modifying an intelligent traffic steering policy
  Description: You can modify a policy regardless of whether it is delivered to sites. After you modify a policy, the modification takes effect only on the Agile Controller-Campus. To modify the policy on devices, you need to perform the Commit operation.
  Procedure:
  1. On the Path Strategy tab page, click the icon in the Operation column of the policy to be modified.
  2. Modify the policy.
  3. Click OK.

Cloning an intelligent traffic steering policy
  Description: You can clone an intelligent traffic steering policy. That is, you can quickly create a policy by modifying an existing policy. After you clone a policy, the policy exists only on the Agile Controller-Campus. To deliver the new policy to devices, you need to perform the Commit operation.
  Procedure:
  1. On the Path Strategy tab page, click the icon in the Operation column of the policy to be cloned.
  2. Modify the cloned policy.
  3. Click OK.

Binding a new policy in a site view
  Description: You can bind a new policy to a site.
  Procedure:
  1. On the Path Strategy tab page, click Site View.
  2. In the site area, select a site.
  3. Click Binding New Policy.
  4. Select the policy to be bound to the selected site.
  5. Click OK.

Configuring policies in batches in a site view
  Description: You can bind a policy that has been bound to one site to other sites to which no policy is bound, so that different sites share the same policy.
  Procedure:
  1. On the Path Strategy tab page, click Site View.
  2. Click Batch Configure.
  3. In the Clone from a site area, select a site with a policy bound.
  4. In the Site area, select the destination sites to which the same policy is to be bound.
  5. Click OK.

Committing all the data in a site view
  Description: You can commit all the policies of a site.
  Procedure:
  1. On the Path Strategy tab page, click Site View.
  2. In the site area, select a site.
  3. Click Commit All.
  4. Click OK.

Revoking all the data in a site view
  Description: You can revoke all the policies of a site.
  Procedure:
  1. On the Path Strategy tab page, click Site View.
  2. In the site area, select a site.
  3. Click Revoke All.
  4. Click OK.
Parameter Description

Switchover Condition > Switchover Condition
  Switchover conditions include delay, jitter, and packet loss rate. Different services have different requirements on link quality. For example, voice and real-time-video services have low tolerance for delay and packet loss rate. CPEs use the IPFMP protocol to monitor the delay, jitter, and packet loss rate of application traffic in real time. If one of the switchover conditions exceeds its threshold, a link switchover is triggered.
  The system defines switchover conditions for Voice, Real-time-video, Low-latency-data, and Bulk-data services. You can directly select a service type, or customize switchover conditions based on service requirements. If this parameter is set to Custom, you can set Delay, Jitter, and Packet loss rate as required.

Advanced Setting > Switch threshold upper(%) / Switch threshold Lower(%)
  In addition to delay, jitter, and packet loss rate, you can select links to transmit application traffic based on link bandwidth usage. For example, when the bandwidth usage of a link reaches a specified threshold, new data flows of some applications cannot be transmitted over this link, preventing application quality deterioration.
  You can configure a link selection policy by setting Switch threshold upper and Switch threshold Lower:
  - Link bandwidth usage < Switch threshold Lower: All application traffic, including new application traffic, is forwarded through the current transport network.
  - Switch threshold Lower < Link bandwidth usage < Switch threshold upper: Only the existing application traffic is forwarded through the current transport network, and new application traffic cannot be transmitted.
  - Link bandwidth usage > Switch threshold upper: The existing application traffic is switched to another transport network for transmission, and new application traffic cannot be transmitted.

Advanced Setting > Bandwidth Lower Limit(%) / Bandwidth Lower Limit(Mbps) / Bandwidth Lower For Application(Mbps)

Action when condition not satisfied
  Way that traffic is steered if the SLA of the primary transport network fails to meet the requirement or the bandwidth usage exceeds the threshold.
  - ECMP: When the Prefer scheduling mode is selected, a link with better quality is selected from the primary transport network based on the CMI algorithm. When the Loadbalance scheduling mode is selected, packets are forwarded based on the routing table.
  - Discard: If a best-effort link is configured, packets will be forwarded through the best-effort link. If no best-effort link is configured, packets will be discarded.

Effective Time Template
  Time range defined in the template. The intelligent traffic steering policy takes effect only in the defined time range.
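The following Python model is an added example; it is not part of this guide and not the CPE's link-selection code. It illustrates the link-selection rules the parameter table describes: a switchover is triggered as soon as one of the delay, jitter or packet loss thresholds is exceeded; bandwidth usage below Switch threshold Lower admits all flows, usage between Lower and upper admits existing flows only, and usage above upper moves existing flows away; and when no active transport network satisfies the policy the Action when condition not satisfied decides between ECMP (Prefer or Loadbalance) and Discard with an optional best-effort link. The threshold values, link measurements and names are constructed; the simple quality score that stands in for the CMI algorithm and the choice to try the secondary transport network before the fallback action are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Link:
    """One WAN link with its IPFMP-style measurements (constructed values)."""
    name: str
    transport: str          # transport network, e.g. "MPLS" or "Internet"
    delay_ms: float
    jitter_ms: float
    loss_pct: float
    bw_usage_pct: float
    best_effort: bool = False


@dataclass
class SwitchoverCondition:
    """Custom Delay / Jitter / Packet loss rate thresholds."""
    delay_ms: float
    jitter_ms: float
    loss_pct: float

    def satisfied_by(self, link: Link) -> bool:
        # A switchover is triggered as soon as ONE condition exceeds its threshold.
        return (link.delay_ms <= self.delay_ms and link.jitter_ms <= self.jitter_ms
                and link.loss_pct <= self.loss_pct)


@dataclass
class SteeringPolicy:
    primary: str                 # Transport Network Priority: primary transport network
    secondary: str               # secondary transport network
    sla: SwitchoverCondition
    switch_lower_pct: float      # Switch threshold Lower(%)
    switch_upper_pct: float      # Switch threshold upper(%)
    action: str                  # Action when condition not satisfied: "ECMP" or "Discard"
    mode: str = "Prefer"         # ECMP scheduling mode: "Prefer" or "Loadbalance"


def bandwidth_band(link: Link, policy: SteeringPolicy) -> str:
    """The three bands the table defines for link bandwidth usage."""
    if link.bw_usage_pct < policy.switch_lower_pct:
        return "open"              # all traffic, including new flows, stays here
    if link.bw_usage_pct < policy.switch_upper_pct:
        return "existing-only"     # existing flows stay, new flows are not admitted
    return "evacuate"              # existing flows are switched away, no new flows


def usable(link: Link, policy: SteeringPolicy, new_flow: bool) -> bool:
    if not policy.sla.satisfied_by(link):
        return False
    band = bandwidth_band(link, policy)
    return band == "open" or (band == "existing-only" and not new_flow)


def select_link(links: List[Link], policy: SteeringPolicy, new_flow: bool) -> Optional[Link]:
    """Pick the link for an application flow; None means the traffic is discarded."""
    active = [l for l in links if not l.best_effort]
    for transport in (policy.primary, policy.secondary):   # assumption: the secondary transport
        good = [l for l in active if l.transport == transport and usable(l, policy, new_flow)]
        if good:                                            # network is tried before the fallback
            if policy.mode == "Prefer":
                # assumption: a simple quality score stands in for the CMI algorithm
                return min(good, key=lambda l: (l.loss_pct, l.delay_ms, l.jitter_ms))
            return good[0]                                  # Loadbalance: routing table decides
    # Neither active transport network satisfies the policy: apply the configured action.
    if policy.action == "ECMP":
        primary = [l for l in active if l.transport == policy.primary]
        if policy.mode == "Prefer":
            return min(primary, key=lambda l: (l.loss_pct, l.delay_ms, l.jitter_ms), default=None)
        return primary[0] if primary else None
    best_effort = [l for l in links if l.best_effort]
    return best_effort[0] if best_effort else None          # Discard: best-effort link or drop


def demo() -> dict:
    """Constructed links and thresholds; returns the chosen link name per scenario."""
    def name(link: Optional[Link]) -> Optional[str]:
        return link.name if link else None
    sla = SwitchoverCondition(delay_ms=150, jitter_ms=30, loss_pct=1.0)   # voice-like, constructed
    policy = SteeringPolicy("MPLS", "Internet", sla, 70, 90, "Discard")
    mpls1 = Link("mpls1", "MPLS", 40, 5, 0.1, 30)
    mpls2 = Link("mpls2", "MPLS", 220, 8, 0.2, 20)     # delay breaches the threshold
    inet1 = Link("inet1", "Internet", 80, 12, 0.5, 40)
    lte = Link("lte", "Internet", 120, 25, 0.8, 10, best_effort=True)
    links = [mpls1, mpls2, inet1, lte]
    out = {"healthy_new": name(select_link(links, policy, True))}
    mpls1.bw_usage_pct = 75                              # between Lower and upper
    out["busy_new"] = name(select_link(links, policy, True))
    out["busy_existing"] = name(select_link(links, policy, False))
    mpls1.bw_usage_pct = 95                              # above upper: evacuate
    out["congested_existing"] = name(select_link(links, policy, False))
    inet1.loss_pct = 3.0                                 # secondary breaches loss too
    out["all_bad_discard"] = name(select_link(links, policy, False))
    out["all_bad_no_best_effort"] = name(select_link(links[:3], policy, False))
    policy.action = "ECMP"
    out["all_bad_ecmp"] = name(select_link(links[:3], policy, False))
    return out
```

The last three scenarios are the ones to think through when choosing Action when condition not satisfied: with Discard and no best-effort link configured, traffic for the application is dropped outright once every active link fails its SLA, whereas ECMP keeps it on the primary transport network at degraded quality.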
The number of applications supported in a QoS policy varies with the device model. For
example, the AR3760 supports a maximum of 1204 applications.
Prerequisites
1. Sites have been added. For details, see 1.8.3.4 Creating a Site.
2. Sites have been activated. For details, see 1.8.3.6 Configuring the Network Access
Mode for a Site.
3. Traffic policy templates have been configured. For details, see 1.8.5.2.1 Creating a
Traffic classifier template.
Procedure
Step 1 Choose Configuration > Configuration > Traffic Policy from the main menu.
Step 2 Click the Overlay tab.
Step 3 Set VPN to the department for which a QoS policy needs to be configured.
Step 4 Click the QoS tab. Then, the Policy Settings page is displayed by default.
5. If you want the policy to take effect within a specified time range, select an effective
time range template from the Effective Time Template drop-down list. If you want the
policy to always take effect, skip this step.
6. Click OK.
Step 6 Apply the QoS policy to sites.
----End
Follow-up Procedure
After performing any of the following operations, you need to perform the Commit operation
for them to take effect at the sites.
Revoking the last operation on a QoS policy
  Description: You can revoke the operation on a policy that is not delivered to sites, namely, a policy on which the Commit operation has not been performed (Committed is not displayed in the Status column). You cannot revoke the operation on a committed policy. The revoke function can only revoke the last operation on a policy. For example, you can use this function to revoke the modification, creation, or deletion of a policy. After you revoke the last operation on a policy, only the configuration of the policy is rolled back. That is, the operation takes effect only on the Agile Controller-Campus, but does not take effect on devices.
  Procedure: On the QoS tab page, select the policy for which the last operation needs to be revoked, click Revoke, and select Revoke Selected.

Deleting a QoS policy
  Description: You can delete a policy regardless of whether it is delivered to sites. After you delete a policy, the policy is deleted only from the Agile Controller-Campus. To delete the policy from devices, you need to perform the Commit operation.
  Procedure: On the QoS tab page, select the QoS policy to be deleted and click Delete.

Modifying a QoS policy
  Description: You can modify a policy regardless of whether it is delivered to sites. After you modify a policy, the modification takes effect only on the Agile Controller-Campus. To modify the policy on devices, you need to perform the Commit operation.
  Procedure:
  1. On the QoS tab page, click the icon in the Operation column of the QoS policy to be modified.
  2. Modify the policy.
  3. Click OK.

Disabling/Enabling a QoS policy
  Description:
  - Disabling: You can disable a policy that is not to be used currently. You can disable a policy regardless of whether it is delivered to sites. After you disable a policy, the policy is disabled only on the Agile Controller-Campus. To disable the policy on devices, you need to perform the Commit operation.
  - Enabling: You can enable a policy that needs to be used. You can enable a policy regardless of whether it is delivered to sites. After you enable a policy, the policy is enabled only on the Agile Controller-Campus. To enable the policy on devices, you need to perform the Commit operation.
  Procedure:
  - Disabling: On the QoS tab page, click the icon in the Operation column of the policy to be disabled.
  - Enabling: On the QoS tab page, click the icon in the Operation column of the policy to be enabled.

Binding a new policy in a site view
  Description: You can bind a new policy to a site.
  Procedure:
  1. On the QoS tab page, click Site View.
  2. In the site area, select a site.
  3. Click Binding New Policy.
  4. Select the policy to be bound to the selected site.
  5. Click OK.

Configuring policies in batches in a site view
  Description: You can bind a policy that has been bound to one site to other sites to which no policy is bound, so that different sites share the same policy.
  Procedure:
  1. On the QoS tab page, click Site View.
  2. Click Batch Configure.
  3. In the Clone from a site area, select a site with a QoS policy bound.
  4. In the Site area, select the destination sites to which the same policy is to be bound.
  5. Click OK.

Committing all the data in a site view
  Description: You can commit all the policies of a site.
  Procedure:
  1. On the QoS tab page, click Site View.
  2. In the site area, select a site.
  3. Click Commit All.
  4. Click OK.

Revoking all the data in a site view
  Description: You can revoke all the policies of a site.
  Procedure:
  1. On the QoS tab page, click Site View.
  2. In the site area, select a site.
  3. Click Revoke All.
  4. Click OK.
Parameter Description
Policy name: QoS policy name. Currently, a QoS policy can be applied only to the outbound direction of a WAN interface.
Traffic Classifier Template: Traffic classifier template. The QoS policy specified by Policy name is applied to packets that match the traffic classifier template.
Queue Priority > Queue Priority: Queue priority. You are advised to enable Queue Priority for key applications that need to be guaranteed. When Queue Priority is enabled, a CPE automatically sets queue types for identified packets based on the defined queue priorities.
Traffic bandwidth limit > Traffic bandwidth limit: Whether to limit the traffic bandwidth. After Traffic bandwidth limit is enabled, packets matching a certain rule are forwarded at a low delay.
Traffic bandwidth limit > Limit type: This parameter is available only when Traffic bandwidth limit is enabled. The following types are supported:
l Traffic shaping: Traffic shaping is a measure to adjust the traffic rate sent from an interface. When the rate of an inbound interface on a downstream device is slower than that of an outbound interface on an upstream device or burst traffic occurs, traffic congestion may occur on the inbound interface of the downstream device. Traffic shaping can be configured on the outbound interface of the upstream device so that outgoing traffic is sent at even rates and congestion is avoided.
l Traffic policing: Traffic policing discards excess traffic to limit traffic within a proper range and to protect network resources and enterprise users' interests. Traffic policing is implemented using committed access rate (CAR).
If Queue Priority is enabled and the priority is set to Highest or High, only Traffic policing can be selected.
Traffic bandwidth limit > Bandwidth limit: Bandwidth limit. When traffic exceeds the limit specified by this parameter, the excess traffic is cached and sent later (if traffic shaping is configured) or directly discarded (if traffic policing is configured). Theoretically, the value of bandwidth limit must be greater than that of Guaranteed bandwidth. This parameter is available only when Traffic bandwidth limit is enabled.
Re-Mark DSCP: Whether to re-mark DSCP. If this option is enabled, you need to specify a value for the DSCP field. The CPE replaces the value of the DSCP field in the outer IP header with the specified value.
Re-mark 802.1p: Whether to re-mark the 802.1P priority of VLAN packets. A larger value indicates a higher priority. If a traffic policy is applied to the outbound direction on an interface, the CPE still processes outgoing packets based on the original priority but the downstream Layer 2 device processes the packets based on the re-marked priority.
Effective Time Template: Time range defined in the template. The QoS policy takes effect only in the defined time range.
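The difference between the two Limit type values, shaping (excess cached and sent later) and policing (excess discarded), and the two constraints the table states, are easier to see on a concrete burst. The following is an added example, not code from the Huawei guide: a textbook token-bucket model run over a constructed 10-packet burst, with the rate, bucket size and packet sizes chosen as sample values.

```python
"""Added example (not from the Huawei guide): simulate Traffic shaping versus
Traffic policing (CAR) on one constructed burst, and validate the two rules the
QoS parameter table states. The token-bucket model is the generic textbook
one, not Huawei's implementation; all numbers are constructed samples."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    arrival_ms: float   # arrival time at the outbound WAN interface
    size_bytes: int


def _refill(tokens: float, elapsed_ms: float, rate_bps: int, burst_bytes: int) -> float:
    """Add the tokens earned during elapsed_ms at rate_bps, capped at bucket size."""
    return min(float(burst_bytes), tokens + elapsed_ms * rate_bps / 8000.0)


def police(packets: List[Packet], rate_bps: int, burst_bytes: int
           ) -> Tuple[List[Packet], List[Packet]]:
    """Traffic policing (CAR): a packet is forwarded only if the bucket holds
    enough tokens for it; otherwise it is discarded, never queued."""
    tokens, last_ms = float(burst_bytes), 0.0
    forwarded, dropped = [], []
    for p in packets:
        tokens = _refill(tokens, p.arrival_ms - last_ms, rate_bps, burst_bytes)
        last_ms = p.arrival_ms
        if p.size_bytes <= tokens:
            tokens -= p.size_bytes
            forwarded.append(p)
        else:
            dropped.append(p)
    return forwarded, dropped


def shape(packets: List[Packet], rate_bps: int, burst_bytes: int
          ) -> List[Tuple[Packet, float]]:
    """Traffic shaping: a packet that finds too few tokens waits in a FIFO queue
    until the bucket has refilled, so traffic leaves at an even rate and nothing
    is dropped. Returns (packet, departure time in ms) pairs."""
    tokens, clock_ms = float(burst_bytes), 0.0   # clock_ms = last departure
    sent = []
    for p in packets:
        depart_ms = max(p.arrival_ms, clock_ms)   # FIFO: never overtake the queue
        tokens = _refill(tokens, depart_ms - clock_ms, rate_bps, burst_bytes)
        if tokens < p.size_bytes:
            # wait exactly long enough to earn the missing tokens
            depart_ms += (p.size_bytes - tokens) * 8000.0 / rate_bps
            tokens = float(p.size_bytes)
        tokens -= p.size_bytes
        clock_ms = depart_ms
        sent.append((p, depart_ms))
    return sent


def validate_policy(queue_priority: Optional[str], limit_type: str,
                    bandwidth_limit_kbps: int, guaranteed_kbps: int) -> List[str]:
    """Check the two rules stated in the parameter table: Highest/High queue
    priority allows only Traffic policing, and Bandwidth limit must exceed
    Guaranteed bandwidth. Returns the violations (empty list = valid)."""
    problems = []
    if queue_priority in ("Highest", "High") and limit_type != "policing":
        problems.append("Queue Priority Highest/High allows only Traffic policing")
    if bandwidth_limit_kbps <= guaranteed_kbps:
        problems.append("Bandwidth limit must be greater than Guaranteed bandwidth")
    return problems


# Constructed sample: ten 1500-byte packets arriving 1 ms apart, against a
# 1 Mbit/s limit with a 3000-byte bucket (room for two full packets).
BURST = [Packet(arrival_ms=float(i), size_bytes=1500) for i in range(10)]
RATE_BPS, BUCKET_BYTES = 1_000_000, 3000


def compare(packets=BURST, rate_bps=RATE_BPS, burst_bytes=BUCKET_BYTES) -> dict:
    """Run both limit types on the same burst and summarise the outcome."""
    fwd, drop = police(packets, rate_bps, burst_bytes)
    shaped = shape(packets, rate_bps, burst_bytes)
    return {
        "policed_forwarded": len(fwd),
        "policed_dropped": len(drop),
        "shaped_forwarded": len(shaped),
        "shaped_last_departure_ms": shaped[-1][1],
        "shaped_max_delay_ms": max(t - p.arrival_ms for p, t in shaped),
    }


if __name__ == "__main__":
    print(compare())                                   # policer drops 8 of 10, shaper delays up to 87 ms
    print(validate_policy("High", "shaping", 2000, 1000))
```

The run shows the trade-off the table describes: the policer keeps delay at zero but discards 8 of the 10 packets, while the shaper delivers all 10 at the configured rate at the cost of queueing delay.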
Prerequisites
1. Site deployment is complete. For details, see 1.8.4 Site Deployment.
2. The network has been deployed. For details, see 1.8.3 Network Deployment.
Procedure
Step 1 Choose Configuration > Configuration > Security Policy from the main menu.
Step 2 Set VPN to a department that requires a security policy.
Step 3 Click Create to create a security policy.
1. Set the name of the security policy.
Set Policy name to the name of the security policy.
2. To enable abnormal HTTP packet detection, configure a URL filtering policy.
Step 5 Deliver the security policy to the sites and set the execution start time of the policy.
1. Select the security policy to be delivered.
2. Click Commit and select Commit Selected or Commit All.
3. On the Commit page, set the execution start time of the policy to Immediately or
Schedule.
4. Click OK.
----End
Follow-up Procedure
Revoking a security policy: You can revoke the operation on a policy that is not delivered to sites, namely, a policy on which the Commit operation is not operated (Committed not displayed in the Status column). You cannot revoke the operation on a committed policy. The revoke function can only revoke the last operation on a policy. For example, you can use this function to revoke the modification, creation, and deletion of a policy. After you revoke the last operation on a policy, only the configuration of the policy is rolled back. That is, the operation takes effect only on the Agile Controller-Campus, but does not take effect on devices.
Operation: On the Security Policy tab page, select the policy on which the last operation performed needs to be revoked, click Revoke, and then click Revoke Selected.
Deleting a security policy: You can delete a policy regardless of whether it is delivered to sites. After you delete a policy, the policy is deleted only from the Agile Controller-Campus. To delete the policy from devices, you need to perform the Commit operation.
Operation: On the Security Policy tab page, select the security policy to be deleted, and click Delete.
Modifying a security policy: You can modify a policy regardless of whether it is delivered to sites. After you modify a policy, the modification takes effect only on the Agile Controller-Campus. To modify the policy on devices, you need to perform the Commit operation.
Operation:
1. On the Security Policy tab page, click the icon in the Operation column of the policy to be modified.
2. Modify the policy.
3. Click OK.
Cloning a security policy: You can clone a security policy. That is, you can quickly create a policy by modifying an existing policy. After you clone a policy, the policy exists only on the Agile Controller-Campus. To deliver the new policy to devices, you need to perform the Commit operation.
Operation:
1. On the Security Policy tab page, click the icon in the Operation column of the policy to be cloned.
2. Modify the cloned policy.
3. Click OK.
Parameter Description
Security Policy > URL policies > Enable URL filtering: Whether to permit or deny access from users to a URL or a type of URLs. When receiving an HTTP request, a device filters the content of the request. The device extracts the URL, and compares the URL with the content in Exception List and the pre-defined URL category. If the URL is included in Exception List or the pre-defined URL category, the device processes the HTTP request according to the configured action.
Security Policy > URL policies > Default action: Action taken after URL filtering. After the device queries a URL category matching an HTTP request, it processes the HTTP request according to the action taken for the URL category. Currently, the following actions are supported:
l Permit: Traffic from all URLs except those included in Exception List or the pre-defined URL category is allowed to pass.
l Deny: Only traffic from the URLs included in Exception List or the pre-defined URL category is allowed to pass.
Security Policy > URL policies > Exception list: List of URLs that are not filtered. For example:
l If the default action is Permit, traffic from URLs in the exception list is not allowed to pass.
l If the default action is Deny, traffic from URLs in the exception list is allowed to pass.
Internet-to-User flow > Internet-to-User flow: Inbound ACL. Multiple ACL rules can be defined in the ACL.
Internet-to-User flow > Action: Action:
l Permit: Inbound packets that match the ACL rule are allowed to pass.
l Deny: Inbound packets that match the ACL rule are denied.
Internet-to-User flow > Protocol: Protocol of the packets that can match the ACL rule.
Internet-to-User flow > Source Port: Source port number of the packets that can match the ACL rule.
Action (outbound ACL rule): Action:
l Permit: Outbound packets that match the ACL rule are allowed to pass.
l Deny: Outbound packets that match the ACL rule are denied.
Protocol (outbound ACL rule): Protocol of the packets that can match the ACL rule.
Source Port (outbound ACL rule): Source port number of the packets that can match the ACL rule.
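The URL filtering rule in the table inverts the default action for listed URLs (with Permit only listed URLs are denied, with Deny only listed URLs pass), and the inbound ACL matches on Action, Protocol and Source Port. The following added example, not code from the Huawei guide, models both decisions; the URL lists, category and ACL rules are constructed samples, and rule order (first match wins) and the result when no ACL rule matches are assumptions passed in explicitly, since the guide does not state them.

```python
"""Added example (not from the Huawei guide): evaluate the URL filtering
decision (Default action, Exception list, pre-defined URL category) and the
Internet-to-User inbound ACL (Action, Protocol, Source Port) for sample
requests. Lists, categories and rules are constructed samples; first-match
evaluation and the no-match result are explicit assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit


def url_host(url: str) -> str:
    """Extract the lower-case host from a URL; scheme-less input is accepted."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def host_matches(host: str, entry: str) -> bool:
    """A list entry matches its own host and every subdomain of it."""
    entry = url_host(entry)
    return host == entry or host.endswith("." + entry)


@dataclass
class UrlFilter:
    enabled: bool
    default_action: str                                   # "Permit" or "Deny"
    exception_list: List[str] = field(default_factory=list)
    predefined_categories: Dict[str, List[str]] = field(default_factory=dict)

    def decide(self, url: str) -> Tuple[str, str]:
        """Return (action, reason) for an HTTP request to url. A URL in the
        Exception list or a pre-defined category gets the opposite of the
        default action; every other URL gets the default action."""
        if not self.enabled:
            return "Permit", "URL filtering disabled"
        host = url_host(url)
        if any(host_matches(host, e) for e in self.exception_list):
            hit = "Exception List"
        else:
            hit = next((c for c, hosts in self.predefined_categories.items()
                        if any(host_matches(host, h) for h in hosts)), "")
        if not hit:
            return self.default_action, "default action"
        action = "Deny" if self.default_action == "Permit" else "Permit"
        return action, f"matched {hit}"


@dataclass(frozen=True)
class AclRule:
    action: str                   # "Permit" or "Deny"
    protocol: str                 # "tcp", "udp", "icmp" or "any"
    source_port: Optional[int]    # None matches any source port


def acl_decide(rules: List[AclRule], protocol: str, source_port: Optional[int],
               no_match_action: str) -> Tuple[str, Optional[AclRule]]:
    """Inbound (Internet-to-User) ACL: the first matching rule decides
    (assumption); no_match_action applies when no rule matches (assumption)."""
    for rule in rules:
        proto_ok = rule.protocol == "any" or rule.protocol == protocol.lower()
        port_ok = rule.source_port is None or rule.source_port == source_port
        if proto_ok and port_ok:
            return rule.action, rule
    return no_match_action, None


# Constructed sample policy: permit by default, deny one listed host and one
# pre-defined category; inbound ACL drops packets sourced from TCP/23.
URL_POLICY = UrlFilter(
    enabled=True,
    default_action="Permit",
    exception_list=["blocked.example"],
    predefined_categories={"Gambling": ["bets.example"]},
)
INBOUND_ACL = [
    AclRule("Deny", "tcp", 23),
    AclRule("Permit", "tcp", None),
    AclRule("Permit", "udp", 53),
]

if __name__ == "__main__":
    for u in ("http://www.blocked.example/login", "bets.example/page", "https://news.example/"):
        print(u, URL_POLICY.decide(u))
    print(acl_decide(INBOUND_ACL, "TCP", 23, "Deny"))
```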
Context
The function can query at most 1000 policy tasks under each tenant and only tasks generated
within one month can be checked.
Prerequisites
One or more of the following policies have been configured and the Commit operation has
been performed on the policies:
l ACL policy of the underlay network. For details, see 1.8.5.5.1 Creating an ACL Policy
for the Underlay Network.
l Traffic policy of the overlay network. For details, see 1.8.5.5 Configuring a Traffic
Policy.
l Security policy. For details, see 1.8.5.6.1 Creating a Network Security Policy.
Procedure
Step 1 Choose Maintenance > Task Management from the main menu.
Step 2 On the Task Management page, check the status of a committed policy.
----End
Follow-up Procedure
Delete a task: If a task that has been canceled or finished (namely, a task with Cancel or Finished displayed in the Execute Status column) does not need to be displayed on the task management page, you can perform the Delete operation. The Delete operation only deletes the task from the Agile Controller-Campus but does not delete the task data from devices. After you delete a policy task, only the data in the Execute Status column on the Task Management page is changed, but the status on the policy page is not affected.
Operation: In the Operation column, click the delete icon.
Cancel a task: If a task that is not executed (namely, a task with To be committed, Processing, or Failed displayed in the Execute Status column) does not need to be delivered, you can perform the Cancel operation. The Cancel operation only cancels the task on the Agile Controller-Campus but does not cancel the task data on devices. After you cancel a policy task, Status of the policy restores to the status before the policy is committed, for example, Creation to be committed or Modification to be committed.
Operation: In the Operation column, click the cancel icon.
Parameter Description
Task Name: Task name. After you click Commit for each policy, a new task is added on the task management page. Task Name is automatically generated.
Object: Name of the policy department and policy type mapping the task.
Effective Time: When submitting a policy, if you set Effective Time to Immediately, the value of this parameter is the same as the policy creation time. If you set Effective Time to Schedule, the value of this parameter is the specified time for the policy to take effect.
Operation: Task operation. You can perform the following operations for a task.
l Check the configuration details of the policy.
l Delete a task that has been cancelled or finished. A deleted task will not be displayed on the task management page. The Delete operation can be performed only when Execute Status is Cancel or Finished.
Context
During some operations for site deployment, network deployment, policy deployment, and
maintenance, the Agile Controller-Campus needs to deliver configurations to sites. The Agile
Controller-Campus needs to generate configurations before delivering them to devices.
Prerequisites
One or more of the following policies have been configured:
l ACL policy of the underlay network. For details, see 1.8.5.5.1 Creating an ACL Policy
for the Underlay Network.
l Traffic policy of the overlay network. For details, see 1.8.5.5 Configuring a Traffic
Policy.
l Security policy. For details, see 1.8.5.6.1 Creating a Network Security Policy.
l Internet access policy of sites. For details, see 1.8.5.3 Configuring an Internet Access
Policy for a Site.
l Policy for mutual access between traditional sites. For details, see 1.8.5.4 Configuring a
Mutual-Access Policy for Traditional Sites.
Procedure
Step 1 Choose Maintenance > Provisioning Result > Generate Configuration.
Step 2 Check whether the configurations are generated successfully.
If Succeeded is displayed in the Status column for all records, the policy configurations are
generated successfully. You can check the status by operation.
NOTE
The Agile Controller-Campus can deliver the configurations to devices only after the configurations have been generated successfully.
Step 3 Click the Maintenance > Provisioning Result > Deploy to Device tab and then the By
Policy Type tab to check whether policies are successfully delivered to devices.
1. In the navigation tree on the left, click the policy that you want to check.
2. In the area on the right, check the deployment result of the policy. If Succeeded is
displayed in the Status column for all records, the policy is deployed successfully.
If you open a specific record, the command line view of the configuration is displayed in
the Feature column.
If Succeeded is not displayed in the Status column, you are advised to perform
operations according to "Service Configuration Delivery Fails (SD-WAN)" in the
Troubleshooting Guide.
NOTE
After a policy is configured, the Agile Controller-Campus delivers the policy configuration data to
CPEs. If the network flaps during the configuration data delivery, data loss may occur on the
delivered configuration. In this case, you are advised to click Redeploy to re-deliver the
configuration data to the CPEs.
----End
The procedure of configuring a new SD-WAN network consists of multiple steps, each of
which consists of a set of configurations. Typical configuration examples for each step are
provided in this chapter. Based on these examples, an SD-WAN network can be configured to
fulfill different networking and service requirements.
Table 2-1 illustrates eight typical networking scenarios and provides configuration examples
for each step. The following describes each of the scenarios:
l Scenario 1: The WAN-side enterprise networks are a Layer 3 MPLS network and the
Internet. BGP is used for WAN-side routing in the underlay network. Only one hub site
is deployed, and branch sites access the Internet in centralized mode through LAN-side
links of the hub site.
l Scenario 2: The WAN-side enterprise networks are a Layer 3 MPLS network and the
Internet. BGP is used for WAN-side routing in the underlay network. Only one hub site
is deployed, and branch sites centrally access the Internet through WAN-side links of the
hub site.
l Scenario 3: The WAN-side enterprise networks are a Layer 3 MPLS network and the
Internet. BGP is used for WAN-side routing in the underlay network. An active hub site
and a standby hub site are deployed, and branch sites centrally access the Internet
through LAN-side links of the hub sites.
l Scenario 4: The WAN-side enterprise network is a Layer 3 MPLS network. BGP is used
for WAN-side routing in the underlay network. An active hub site and a standby hub site
are deployed, and branch sites centrally access the Internet through LAN-side links of
the hub sites.
l Scenario 5: The WAN-side enterprise networks are a Layer 2 MPLS network and the
Internet. OSPF is used for WAN-side routing in the MPLS underlay network, and BGP is
used for WAN-side routing in the Internet underlay network. An active hub site and a
standby hub site are deployed, and branch sites centrally access the Internet through
LAN-side links of the hub sites.
l Scenario 6: The WAN-side enterprise network is a Layer 2 MPLS network. OSPF is used
for WAN-side routing in the underlay network. An active hub site and a standby hub site
are deployed, and branch sites centrally access the Internet through LAN-side links of
the hub sites.
l Scenario 7: The WAN-side enterprise networks are a Layer 3 MPLS network and the
Internet. BGP is used for WAN-side routing in the MPLS underlay network, and static
routes are used for WAN-side routing in the Internet underlay network. An active hub site
and a standby hub site are deployed, and branch sites centrally access the Internet
through LAN-side links of the hub sites.
l Scenario 8: The WAN-side enterprise network is a Layer 3 MPLS network. An active
hub site and a standby hub site are deployed. BGP is used for WAN-side routing in the
underlay network. Two departments need to be configured for the enterprise, and
network services of the two departments need to be deployed independently without
affecting each other. Branch sites centrally access the Internet through LAN-side links of
the hub sites.
Step 1 Create SD-WAN sites and configure ZTP.
l Scenario 1: 2.1.2.1 Single-Hub and Single-CPE Networking with Layer 3 MPLS and Internet Uplinks
l Scenario 2: 2.1.2.2 Single-Hub and Dual-CPE Networking with Layer 3 MPLS and Internet Uplinks
l Scenario 3: 2.1.2.3 Dual-Hub Networking with Layer 3 MPLS and Internet Uplinks
l Scenario 4: 2.1.2.5 Dual-Hub Networking with Layer 3 MPLS Uplinks
l Scenario 5: 2.1.2.4 Dual-Hub Networking with Layer 2 MPLS and Internet Uplinks
l Scenario 6: 2.1.2.6 Dual-Hub Networking with Layer 2 MPLS Uplinks
l Scenario 7: 2.1.2.3 Dual-Hub Networking with Layer 3 MPLS and Internet Uplinks
l Scenario 8: 2.1.2.5 Dual-Hub Networking with Layer 3 MPLS Uplinks
Step 2 Configure WAN-side routing in the underlay network of sites.
l Scenario 1: 2.1.3.1 Configuring BGP Routes
l Scenario 2: 2.1.3.1 Configuring BGP Routes
l Scenario 3: 2.1.3.1 Configuring BGP Routes
l Scenario 4: 2.1.3.1 Configuring BGP Routes
l Scenario 5: 2.1.3.4 Configuring OSPF and BGP Routes
l Scenario 6: 2.1.3.3 Configuring OSPF Routes
l Scenario 7: 2.1.3.2 Configuring BGP Routes and Static Routes
l Scenario 8: 2.1.3.1 Configuring BGP Routes
Step 4 Configure LAN-side interfaces on the overlay network of sites.
l Scenario 1: 2.1.5.1 Configuring Interconnection Between VLANs and LAN-side Networks
l Scenario 2: 2.1.5.2 Configuring Interconnection Between VLANs and LAN-side Networks and Configuring a VRRP Group
l Scenario 3: 2.1.5.2 Configuring Interconnection Between VLANs and LAN-side Networks and Configuring a VRRP Group
l Scenario 4: 2.1.5.1 Configuring Interconnection Between VLANs and LAN-side Networks
l Scenario 5: 2.1.5.2 Configuring Interconnection Between VLANs and LAN-side Networks and Configuring a VRRP Group
l Scenario 6: 2.1.5.1 Configuring Interconnection Between VLANs and LAN-side Networks
l Scenario 7: 2.1.5.2 Configuring Interconnection Between VLANs and LAN-side Networks and Configuring a VRRP Group
l Scenario 8: 2.1.5.2 Configuring Interconnection Between VLANs and LAN-side Networks and Configuring a VRRP Group
Step 5 Configure LAN-side routing for the overlay network of sites.
l Scenario 1: 2.1.6.1 Configuring LAN-side OSPF Routes
l Scenario 2: 2.1.6.1 Configuring LAN-side OSPF Routes
l Scenario 3: 2.1.6.2 Configuring LAN-side BGP and OSPF Routes
l Scenario 4: 2.1.6.2 Configuring LAN-side BGP and OSPF Routes
l Scenario 5: 2.1.6.2 Configuring LAN-side BGP and OSPF Routes
l Scenario 6: 2.1.6.2 Configuring LAN-side BGP and OSPF Routes
l Scenario 7: 2.1.6.2 Configuring LAN-side BGP and OSPF Routes
l Scenario 8: 2.1.6.2 Configuring LAN-side BGP and OSPF Routes
Step 7 (Optional) Configure intelligent traffic steering.
l Scenarios 1 to 8: 2.1.8.1 Configuring Intelligent Traffic Steering for Services
Step 8 Deploy sites.
l Scenarios 1 to 8: 2.2.2 Email-based Deployment
2.1.2.1 Single-Hub and Single-CPE Networking with Layer 3 MPLS and Internet
Uplinks
Related Products
Agile Controller-Campus: V300R003C00
AR: V300R003C00
Networking Requirements
Enterprise A is a small-sized enterprise with a headquarters and several branches. An SD-
WAN network needs to be constructed to replace the traditional enterprise network, and the
available WAN links are Layer 3 MPLS links and Internet links. However, some branches can
only use the traditional enterprise network where WAN-side links are MPLS links. As a
result, these sites cannot be integrated into the SD-WAN network.
Solution Design
Based on customer requirements and the networking plan, perform the following tasks:
1. Create an SD-WAN network with one hub site and multiple branch sites. The following
example creates an SD-WAN network with two branch sites, Site2 and Site3. The legacy
site, Site1, is not managed by the Agile Controller-Campus. Therefore, it does not need
to be created on the Agile Controller-Campus.
2. At the hub site, Site2 and Site3, one CPE is deployed as the gateway. Each CPE connects
to the MPLS network and the Internet each through one WAN link. The Internet link at
Site2 obtains a dynamic IP address through Point-to-Point Protocol over Ethernet
(PPPoE), whereas other links are configured with static IP addresses.
3. The Network Time Protocol (NTP) clock synchronization mechanism is used to
synchronize clocks on devices. The hub site has NTP clock synchronization configured
to synchronize its clock with that of the NTP server, whereas branch sites synchronize
their clocks with that of the hub site.
Data Plan
Item Value
Account TenantA@test.com
Password PassA@1234
AS number 65001
IP pool 10.200.0.0/16
Description -
Item Value
PPPoE User name user@web.com (Site2 Internet link only; - for the other five WAN links)
PPPoE Password Pass1234 (Site2 Internet link only; - for the other five WAN links)
Item Value
NTP authentication ON
Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.
2. Retain the system defaults MPLS and Internet for the transport network. No additional
configuration is required.
3. Set IPSec encryption parameters.
Select Encryption algorithm and click Generate. A PSK is generated.
1. Choose Device Management > Device List. The Device List page is displayed.
2. Click Add Device and set Addition method to Batch import.
3. Click Template to download the template file.
4. Fill in the template with required information and save the file.
Step 4 Create two site templates, one for the hub site, and one for the branch sites separately.
1. Choose Configuration > Site > Template. On the Site Template page that is displayed,
click Create.
2. Enter the template information and click OK.
l Hub site template
2. On the Site page that is displayed, click Create. Set Creation mode to Single.
3. Enter the site information, and select the site template configured in the previous step.
For a branch site, you need to select the hub site to which it connects.
4. Under Add Device, select the devices added in the previous step.
5. Click OK.
l Hub site
l Branch sites
----End
2.1.2.2 Single-Hub and Dual-CPE Networking with Layer 3 MPLS and Internet
Uplinks
Related Products
Agile Controller-Campus: V300R003C00
AR: V300R003C00
Networking Requirements
Enterprise A has a headquarters and several branches. An SD-WAN network needs to be
constructed to replace the traditional enterprise network, and the available WAN links are
Layer 3 MPLS links and Internet links. However, some branches can only use the traditional
enterprise network where WAN-side links are MPLS links. As a result, these sites cannot be
integrated into the SD-WAN network.
Solution Design
Based on customer requirements and the networking plan, perform the following tasks:
1. Create an SD-WAN network with one hub site and multiple branch sites. The following
example creates an SD-WAN network with two branch sites, Site2 and Site3. The legacy
site, Site1, is not managed by the Agile Controller-Campus. Therefore, it does not need
to be created on the Agile Controller-Campus.
2. At the hub site and Site3, high reliability is required. To ensure this, two CPEs are
deployed as gateways. One CPE connects to the MPLS network through a WAN link,
and the other CPE connects to the Internet through a WAN link. At Site2, one CPE is
deployed as the gateway. It connects to the MPLS and Internet networks each through
one WAN link. The Internet link at Site2 obtains a dynamic IP address through PPPoE,
whereas other links are configured with static IP addresses.
3. The NTP clock synchronization mechanism is used to synchronize clocks on devices.
The hub site has NTP clock synchronization configured to synchronize its clock with
that of the NTP server, whereas branch sites synchronize their clocks with that of the hub
site.
Data Plan
Item Value
Account TenantA@test.com
Password PassA@1234
AS number 65001
IP pool 10.200.0.0/16
Description -
Item Value
PPPoE User name user@web.com (Site2 Internet link only; - for the other five WAN links)
PPPoE Password Pass1234 (Site2 Internet link only; - for the other five WAN links)
NTP authentication ON
Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.
Step 4 Create two site templates, one for the hub site, and one for the branch sites separately.
1. Choose Configuration > Site > Template. On the Site Template page that is displayed,
click Create.
2. Enter the template information and click OK.
l Hub site template
3. Enter the site information, and select the site template configured in the previous step.
For a branch site, you need to select the hub site to which it connects.
4. Under Add Device, select the devices added in the previous step.
5. Click OK.
l Hub site
l Branch sites
----End
Related Products
Agile Controller-Campus: V300R003C00
AR: V300R003C00
Networking Requirements
Enterprise A has a headquarters and several branches. An SD-WAN network needs to be
constructed to replace the traditional enterprise network, and the available WAN links are
Layer 3 MPLS links and Internet links. To improve reliability, a standby hub site needs to be
created at the headquarters. If a fault occurs at the headquarters' active hub site, services can
be switched to the standby hub site, ensuring the normal operation of the entire network.
Solution Design
Based on customer requirements and the networking plan, perform the following tasks:
1. Create an SD-WAN network with an active hub site, a standby hub site and multiple
branch sites. The following example creates an SD-WAN network with three branch
sites: Site2, Site3, and Site4. The legacy site, Site1, is not managed by the Agile
Controller-Campus. Therefore, it does not need to be created on the Agile Controller-
Campus.
2. Two CPEs are deployed as gateways at both hub sites as well as at Site3. At each of
these three sites, one CPE connects to the MPLS network through a WAN link, and the
other CPE connects to the Internet through a WAN link. At Site2, one CPE is deployed
as the gateway and connects to the MPLS network through two WAN links. At Site4,
two CPEs are deployed as gateways and each CPE connects to the Internet through a
WAN link. The Internet link at Site3 obtains a dynamic IP address through PPPoE,
whereas other links are configured with static IP addresses.
3. The NTP clock synchronization mechanism is used to synchronize clocks on devices.
The hub sites have NTP clock synchronization configured to synchronize their clocks
with that of the NTP server, whereas branch sites synchronize their clocks with that of
the hub site.
Data Plan
Item Value
Account TenantA@test.com
Password PassA@1234
Encryption algorithm AES256
Token validity period (day) 7
AS number 65001
IP pool 10.200.0.0/16
Description -
Item | Value (one column per WAN link, ten links in the order of the original table; the eighth is the Site3 Internet link)
Interface protocol | IPoE | IPoE | IPoE | IPoE | IPoE | IPoE | IPoE | PPPoE | IPoE | IPoE
PPPoE User name | - | - | - | - | - | - | - | user@web.com | - | -
PPPoE Password | - | - | - | - | - | - | - | Pass1234 | - | -
Negotiation mode | Auto | Auto | Auto | Auto | Auto | Auto | Auto | Auto | Auto | Auto
Uplink bandwidth (Mbps) | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 100
Item Value
NTP authentication ON
Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.
Step 2 Set global network parameters.
1. Choose Configuration > Global Parameters.
2. Configure a transport network.
Step 4 Create two site templates, one for the hub sites, and one for the branch sites separately.
1. Choose Configuration > Site > Template. On the Site Template page that is displayed,
click Create.
2. Enter the template information and click OK.
l Hub site template
l Branch sites
----End
Related Products
Agile Controller-Campus: V300R003C00
AR: V300R003C00
Networking Requirements
Enterprise A has a headquarters and several branches. An SD-WAN network needs to be
constructed to replace the traditional enterprise network. The WAN-side networks are the
Layer 2 MPLS network and the Internet. To improve reliability, a standby hub site needs to be
created at the headquarters. If a fault occurs at the headquarters' active hub site, services can
be switched to the standby hub site, ensuring the normal operation of the entire network.
Solution Design
Based on customer requirements and the networking plan, perform the following tasks:
1. Create an SD-WAN network with an active hub site, a standby hub site and multiple
branch sites. The following example creates an SD-WAN network with three branch
sites: Site2, Site3, and Site4. The legacy site, Site1, is not managed by the Agile
Controller-Campus. Therefore, it does not need to be created on the Agile Controller-
Campus.
2. Two CPEs are deployed as gateways at both hub sites as well as at Site3. At each of
these three sites, one CPE connects to the MPLS network through a WAN link, and the
other CPE connects to the Internet through a WAN link. At Site2, one CPE is deployed
as the gateway and connects to the MPLS network through two WAN links. At Site4,
two CPEs are deployed as gateways and each CPE connects to the Internet through a
WAN link. The Internet link at Site3 obtains a dynamic IP address through PPPoE,
whereas other links are configured with static IP addresses.
3. The NTP clock synchronization mechanism is used to synchronize clocks on devices.
The hub sites have NTP clock synchronization configured to synchronize their clocks
with that of the NTP server, whereas branch sites synchronize their clocks with that of
the hub site.
Data Plan
Item Value
Account TenantA@test.com
Password PassA@1234
Encryption algorithm AES256
Token validity period (day) 7
AS number 65001
IP pool 10.200.0.0/16
Description -
Item | Value (one column per WAN link, ten links in the order of the original table)
Link name | MPLS1 | Internet1 | MPLS1 | Internet1 | MPLS1 | MPLS2 | MPLS1 | Internet1 | Internet1 | Internet2
Interface protocol | IPoE | IPoE | IPoE | IPoE | IPoE | IPoE | IPoE | PPPoE | IPoE | IPoE
Default gateway | 172.16.1.254 | 10.100.1.2 | 172.16.1.254 | 10.100.2.2 | 172.16.1.254 | 172.16.1.254 | 172.16.1.254 | - | 10.100.3.2 | 10.100.4.2
PPPoE User name | - | - | - | - | - | - | - | user@web.com | - | -
PPPoE Password | - | - | - | - | - | - | - | Pass1234 | - | -
Negotiation mode | Auto | Auto | Auto | Auto | Auto | Auto | Auto | Auto | Auto | Auto
Uplink bandwidth (Mbps) | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 100
Downlink bandwidth (Mbps) | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 100
Item Value
NTP authentication ON
Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.
Step 4 Create two site templates for the hub sites, and branch sites separately.
1. Choose Configuration > Site > Template. On the Site Template page that is displayed,
click Create.
2. Enter the template information and click OK.
l Hub site template
l Branch sites
----End
Related Products
Agile Controller-Campus: V300R003C00
AR: V300R003C00
Networking Requirements
Enterprise A needs to construct a dedicated SD-WAN network. The WAN-side network is a
Layer 3 MPLS network. To improve network reliability, an active hub site and a standby hub
site need to be deployed. Since Enterprise A is a large-scale enterprise, hierarchical
networking is required to reduce the load on each hub site. To achieve this, two branch
regions each have one aggregation site deployed. Branch sites within one branch region
communicate with one another through the aggregation sites, whereas branch sites in different
branch regions interact with each other through the hub sites.
Solution Design
Based on customer requirements and the networking plan, perform the following tasks:
1. Create an active hub site and a standby hub site. The aggregation site Agg1 and branch
sites Site2 and Site3 are deployed in a region. The aggregation site Agg2 and branch
sites Site4, Site5, and Site6 are deployed in another region. The legacy site, Site1, is not
managed by the Agile Controller-Campus. Therefore, it does not need to be created on
the Agile Controller-Campus.
2. At both the hub sites, two CPEs are deployed as gateways and each CPE connects to the
MPLS network through a WAN link. At both the Agg1 and Site2, one CPE is deployed
as the gateway and connects to the MPLS network through two WAN links. At each of
the Agg2, Site3, Site4, Site5, and Site6, one CPE is deployed as the gateway and
connects to the MPLS network through a WAN link. The WAN links at all sites are
configured with static IP addresses.
3. The NTP clock synchronization mechanism is used to synchronize clocks on devices.
The hub sites have NTP clock synchronization configured to synchronize their clocks
with the NTP server while the aggregation sites synchronize their clocks with the hub
sites and branch sites synchronize their clocks with the aggregation sites.
Data Plan
Item Value
Account TenantA@test.com
Password PassA@1234
AS number 65001
IP pool 10.200.0.0/16
Description -
Item | Value (one column per WAN link, in the order of the original table)
WAN Link Name | MPLS1 | MPLS2 | MPLS1 | MPLS2 | MPLS1 | MPLS1 | MPLS2 | MPLS1
PPPoE User name | - | - | - | -
PPPoE Password | - | - | - | -
Item | Value (one column per WAN link, nine links in the order of the original table)
Link name | MPLS1 | MPLS2 | MPLS1 | MPLS2 | MPLS1 | MPLS1 | MPLS1 | MPLS1 | MPLS1
Interface protocol | IPoE | IPoE | IPoE | IPoE | IPoE | IPoE | IPoE | IPoE | IPoE
Default gateway | 172.16.1.22 | 172.16.1.26 | 172.16.1.30 | 172.16.1.34 | 172.16.1.38 | 172.16.1.42 | 172.16.1.46 | 172.16.1.50 | 172.16.1.54
PPPoE User name | - | - | - | - | - | - | - | - | -
PPPoE Password | - | - | - | - | - | - | - | - | -
Negotiation mode | Auto | Auto | Auto | Auto | Auto | Auto | Auto | Auto | Auto
Uplink bandwidth (Mbps) | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 100
Downlink bandwidth (Mbps) | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 100
NTP authentication ON
Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.
Step 2 Set global network parameters.
1. Choose Configuration > Global Parameters.
2. Configure a transport network.
Step 4 Create three site templates for the hub sites, aggregation sites, and branch sites separately.
1. Choose Configuration > Site > Template. On the Site Template page that is displayed,
click Create.
2. Enter the template information and click OK.
• Hub site template
3. Configure WAN links for the aggregation sites and branch sites.
Perform the same operations as those for the hub sites to configure WAN link parameters
for the aggregation sites and branch sites, and click Apply Changes.
– WAN link configuration for Agg1
----End
Related Products
Agile Controller-Campus: V300R003C00
AR: V300R003C00
Networking Requirements
Enterprise A needs to construct a dedicated SD-WAN network. The WAN-side network is a
Layer 2 MPLS network. To improve network reliability, an active hub site and a standby hub
site need to be deployed. Since Enterprise A is a large-scale enterprise, hierarchical
networking is required to reduce the load on each hub site. To achieve this, two branch
regions each have one aggregation site deployed. Branch sites within one branch region
communicate with one another through the aggregation sites, whereas branch sites in different
branch regions interact with each other through the hub sites.
Solution Design
Based on customer requirements and the networking plan, perform the following tasks:
1. Create an active hub site and a standby hub site. The aggregation site Agg1 and branch
sites Site2 and Site3 are deployed in a region. The aggregation site Agg2 and branch
sites Site4, Site5, and Site6 are deployed in another region. The legacy site, Site1, is not
managed by the Agile Controller-Campus. Therefore, it does not need to be created on
the Agile Controller-Campus.
2. At each of the two hub sites, two CPEs are deployed as gateways, and each CPE connects to
the MPLS network through one WAN link. At Agg1 and Site2, one CPE is deployed as the
gateway and connects to the MPLS network through two WAN links. At each of Agg2, Site3,
Site4, Site5, and Site6, one CPE is deployed as the gateway and connects to the MPLS
network through one WAN link. The WAN links at all sites are configured with static IP
addresses.
3. NTP is used to synchronize the clocks of the devices in a hierarchy: the hub sites
synchronize their clocks with the NTP server, the aggregation sites synchronize with the hub
sites, and the branch sites synchronize with the aggregation sites. NTP authentication is
enabled on every hop of this chain, so the key id and password must match at both ends of
each hop.
Data Plan
Item       Value
Account    TenantA@test.com
Password   PassA@1234

Item       Value
AS number  65001
IP pool    10.200.0.0/16

WAN link names (one column per CPE WAN link)
Description      - | - | - | - | -
WAN link name    MPLS1 | MPLS2 | MPLS1 | MPLS2 | MPLS1 | MPLS1 | MPLS2 | MPLS1
PPPoE user name  - | - | - | -
PPPoE password   - | - | - | -

WAN link parameters (one column per CPE WAN link)
Link name                  MPLS1 | MPLS2 | MPLS1 | MPLS2 | MPLS1 | MPLS1 | MPLS1 | MPLS1 | MPLS1
Interface protocol         IPoE | IPoE | IPoE | IPoE | IPoE | IPoE | IPoE | IPoE | IPoE
Default gateway            172.16.1.254 | 172.16.1.254 | 172.16.1.254 | 172.16.1.254 | 172.16.1.254 | 172.16.1.254 | 172.16.1.254 | 172.16.1.254 | 172.16.1.254
PPPoE user name            - | - | - | - | - | - | - | - | -
PPPoE password             - | - | - | - | - | - | - | - | -
Negotiation mode           Auto | Auto | Auto | Auto | Auto | Auto | Auto | Auto | Auto
Uplink bandwidth (Mbps)    100 | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 100
Downlink bandwidth (Mbps)  100 | 100 | 100 | 100 | 100 | 100 | 100 | 100 | 100

Item                     Value
NTP authentication       ON
Authentication password  ntp123
Authentication key id    456789
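The NTP authentication switched on in this data plan works as follows: the sender appends a 32-bit key identifier and a 16-byte digest to the 48-byte NTP header, and the receiver recomputes the digest with the key it has configured under that identifier and discards the packet on a mismatch. The following Python block is an added example that illustrates this exchange between a hub site and an aggregation site; it is not code from this guide or from the Agile Controller-Campus or AR software. It assumes the symmetric-key MD5 scheme of RFC 5905 Appendix A (digest = MD5(key || header), with the key being the password bytes), which is what classic ntpd implements; the guide does not state how the CPE derives its key from the configured password. The key id and password are taken from the data plan; the packet is constructed.

```python
"""NTP packet authentication as in RFC 5905 Appendix A (constructed example).
The MAC appended to the 48-byte NTP header is a 32-bit key id followed by
MD5(key || header). Key id and password are the ones in the data plan above;
the key-derivation assumption (key = password bytes) is ntpd behaviour."""
import hashlib
import hmac
import struct
import time

NTP_KEY_ID = 456789          # "Authentication key id" in the data plan
NTP_KEY = b"ntp123"          # "Authentication password" in the data plan
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01


def ntp_timestamp(unix_time: float) -> bytes:
    """Encode a Unix time as a 64-bit NTP timestamp (32.32 fixed point)."""
    seconds = int(unix_time) + NTP_EPOCH_OFFSET
    fraction = int((unix_time - int(unix_time)) * (1 << 32))
    return struct.pack("!II", seconds & 0xFFFFFFFF, fraction & 0xFFFFFFFF)


def build_client_header(tx_time: float) -> bytes:
    """48-byte NTPv4 client (mode 3) header with only the transmit timestamp set."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3          # LI=0, VN=4, mode=3
    fixed = struct.pack("!BBBbIII", li_vn_mode, 0, 6, -20, 0, 0, 0)
    zero_ts = b"\x00" * 8
    return fixed + zero_ts + zero_ts + zero_ts + ntp_timestamp(tx_time)


def sign(header: bytes, key_id: int, key: bytes) -> bytes:
    """Append the MAC: key id (4 bytes) + MD5 over key || header (16 bytes)."""
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify(packet: bytes, trusted_keys: dict) -> tuple:
    """Receiver side. Returns (accepted, reason). Only key ids present in
    trusted_keys are accepted; with authentication ON a packet that carries
    no MAC at all is rejected rather than treated as unauthenticated time."""
    if len(packet) < 48 + 20:
        return False, "no MAC present"
    header, mac = packet[:-20], packet[-20:]
    key_id = struct.unpack("!I", mac[:4])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False, "key id %d is not trusted" % key_id
    expected = hashlib.md5(key + header).digest()
    if not hmac.compare_digest(expected, mac[4:]):
        return False, "digest mismatch"
    return True, "ok"


def demo() -> dict:
    """Hub signs a request; the aggregation site verifies. Returns the outcomes
    for a genuine packet and for the failure modes a receiver must catch."""
    trusted = {NTP_KEY_ID: NTP_KEY}               # the aggregation site's key table
    packet = sign(build_client_header(time.time()), NTP_KEY_ID, NTP_KEY)
    # Flip one bit in the transmit timestamp to simulate on-path tampering.
    tampered = packet[:40] + bytes([packet[40] ^ 0x01]) + packet[41:]
    return {
        "genuine": verify(packet, trusted)[0],
        "tampered": verify(tampered, trusted)[0],
        "unsigned": verify(packet[:48], trusted)[0],
        "wrong_key": verify(sign(packet[:48], NTP_KEY_ID, b"guess"), trusted)[0],
        "untrusted_id": verify(sign(packet[:48], 1, NTP_KEY), trusted)[0],
    }


if __name__ == "__main__":
    print(demo())
```

The "untrusted_id" case is the one worth remembering when troubleshooting the hub-to-aggregation or aggregation-to-branch hop: a packet signed with the right password but under a key id the receiver has not been told to trust is dropped exactly like a forged one, so both the id and the password have to agree on each hop.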
Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.
Step 4 Create three site templates for the hub sites, aggregation sites, and branch sites separately.
1. Choose Configuration > Site > Template. On the Site Template page that is displayed,
click Create.
2. Enter the template information and click OK.
• Hub site template
3. Configure WAN links for the aggregation sites and branch sites.
Perform the same operations as those for the hub sites to configure WAN link parameters
for the aggregation sites and branch sites, and click Apply Changes.
– WAN link configuration for Agg1
----End
Related Products
Agile Controller-Campus: V300R003C00
AR: V300R003C00
Networking Requirements
Figure 2-8 shows the SD-WAN networking of Enterprise A. On this network, the MPLS
network and Internet (both on the WAN side) provide BGP routes. During the setup of an SD-
WAN network, the tenant administrator needs to configure connectivity between the CPEs
and the WAN-side network.
Solution Design
Based on customer requirements and the networking plan, the tenant administrator has created
the hub site and branch sites. To configure routes for the underlay network, perform the
following tasks:
restrict the network segments in which BGP routes are advertised and received. This
means all BGP routes are advertised and received in every network segment.
3. The Internet link at Site2 obtains a dynamic IP address through PPPoE, and the IP
address of the BGP peer is 10.100.3.1, as provided by the network provider.
Data Plan
Item Value
Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.
Step 3 Configure BGP routes for the underlay network of the hub site.
1. Choose Configuration > Site > Underlay Configuration.
2. Select Hub1 from the left list and click WAN Route.
3. On the WAN Route page that is displayed, click Click Here to Add Routing Protocol
and select BGP.
4. On the BGP page, click Advanced Settings and enable Default route redistribution.
5. On the BGP page, click Create and set BGP route parameters.
----End
Related Products
Agile Controller-Campus: V300R003C00
AR: V300R003C00
Networking Requirements
Figure 2-9 shows the SD-WAN networking of Enterprise A. During the setup of an SD-WAN
network, the tenant administrator needs to configure connectivity between the CPEs and the
WAN-side network.
Solution Design
Based on customer requirements and the networking plan, the tenant administrator has created
the hub site and branch sites. To configure routes for the underlay network, perform the
following tasks:
1. BGP is supported in the MPLS network on the WAN side, allowing BGP routes to be
configured on the underlay network for connecting the CPEs and the MPLS network. To
improve the security of the BGP routing protocol, MD5 authentication is enabled.
2. Since BGP is not supported in the Internet, static routes need to be configured to connect
the CPEs to the Internet.
3. The information about BGP peers needs to be configured on the CPE of each site to
enable interconnection between the site and the MPLS network. No routing policy needs
to be configured because currently there is no need to restrict the network segments in
which BGP routes are advertised and received. This means all BGP routes are advertised
and received in every network segment.
4. When configuring static routes for Internet access, you need to configure a default route.
The Internet link at Site2 obtains a dynamic IP address through PPPoE. Therefore, an
outbound interface is specified as the next hop of the default route. To quickly detect
network faults, you are advised to set an IP address that is reachable through a public
network route as a probe address. The system then creates an NQA instance using this
address as the destination address for detecting link connectivity. In this example, the
probe address is 10.110.42.160.
Data Plan
Item      Value
Priority  60 | 60 | 60 | 60 | 60 | 60
Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.
Step 3 Configure routes for the underlay network of the hub site.
1. Choose Configuration > Site > Underlay Configuration.
2. Select Hub1 from the left list and click WAN Route.
3. On the WAN Route page that is displayed, click Click Here to Add Routing Protocol
and select BGP.
4. On the BGP page, click Advanced Settings and enable Default route redistribution.
5. On the BGP page, click Create and set BGP route parameters.
6. On the WAN Route page that is displayed, click and select Static. Click Create and
set static route parameters. On the main page, click Apply Changes.
Step 4 Configure routes for the underlay networks of the branch sites.
1. Perform the same operations as those for the hub site to complete BGP route parameter
configuration for Site2 and click Apply Changes.
----End
Related Products
Agile Controller-Campus: V300R003C00
AR: V300R003C00
Networking Requirements
Figure 2-10 shows the SD-WAN networking of Enterprise A. On this network, the WAN-side
network is a VPLS network, that is, a Layer 2 MPLS network. During the setup of an SD-
WAN network, the tenant administrator has created the hub sites and branch sites. Routes
need to be configured for the underlay network.
Solution Design
1. The MPLS network on the WAN side provides OSPF routes. This allows OSPF routes to
be configured on the underlay network for connecting the CPEs to the MPLS network.
2. OSPF process information needs to be configured on the CPEs of each site to enable
interconnection between the site and the MPLS network through OSPF routes. No
routing policy needs to be configured because currently there is no need to restrict the
network segments in which OSPF routes are advertised and received. This means all
OSPF routes are advertised and received in every network segment.
Data Plan
Item                                  Value
Internal preference                   10 | 10 | 10 | 10
Interface Parameter  Area ID          0 | 0 | 0 | 0
                     Hello Timer      10 | 10 | 10 | 10
                     DR Priority      0 | 0 | 0 | 0
                     Cost             - | - | - | -
Route Redistribute                    - | - | - | -
Table 2-50 OSPF routing information at the aggregation and branch sites
Item                                              Value
Device                                            Agg1_1 | Agg1_1 | Site2_1 | Site2_1 | Site3_1 | Agg2_1 | Site4_1 | Site5_1 | Site6_1
Process ID                                        501 | 502 | 501 | 502 | 501 | 501 | 501 | 501 | 501
WAN link                                          MPLS1 | MPLS2 | MPLS1 | MPLS2 | MPLS1 | MPLS1 | MPLS1 | MPLS1 | MPLS2
Common Parameter     Default route advertisement  OFF | OFF | OFF | OFF | OFF | OFF | OFF | OFF | OFF
                     Internal preference          10 | 10 | 10 | 10 | 10 | 10 | 10 | 10 | 10
                     ASE preference               150 | 150 | 150 | 150 | 150 | 150 | 150 | 150 | 150
Interface Parameter  Area ID                      0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
                     Interface Name               GE3/0/0 | GE3/0/1 | GE0/0/0 | GE0/0/4 | GE0/0/4 | GE3/0/0 | GE0/0/4 | GE0/0/4 | GE0/0/4
                     Authentication Mode          None | None | None | None | None | None | None | None | None
                     Hello Timer                  10 | 10 | 10 | 10 | 10 | 10 | 10 | 10 | 10
                     DR Priority                  0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
                     Cost                         - | - | - | - | - | - | - | - | -
Route Redistribute                                - | - | - | - | - | - | - | - | -
Route Filter         Export filter                OFF | OFF | OFF | OFF | OFF | OFF | OFF | OFF | OFF
                     Import filter                OFF | OFF | OFF | OFF | OFF | OFF | OFF | OFF | OFF
Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.
Step 3 Configure routes for the underlay network of the hub site.
1. Choose Configuration > Site > Underlay Configuration.
2. Select Hub1 from the left list and click WAN Route.
3. On the WAN Route page that is displayed, click Click Here to Add Routing Protocol
and select OSPF.
4. On the OSPF page, click Create and set OSPF route parameters. On the main page,
click Apply Changes.
Step 4 Configure routes for the underlay networks of the aggregation sites and branch sites.
1. In the list on the left, select Agg1, and configure OSPF routes. On the main page, click
Apply Changes.
2. In the list on the left, select Site2, and configure OSPF routes. On the main page, click
Apply Changes.
3. In the list on the left, select Site3, and configure OSPF routes. On the main page, click
Apply Changes.
4. In the list on the left, select Agg2, and configure OSPF routes. On the main page, click
Apply Changes.
5. In the list on the left, select Site4, and configure OSPF routes. On the main page, click
Apply Changes.
6. In the list on the left, select Site5, and configure OSPF routes. On the main page, click
Apply Changes.
7. In the list on the left, select Site6, and configure OSPF routes. On the main page, click
Apply Changes.
----End
Related Products
Agile Controller-Campus: V300R003C00
AR: V300R003C00
Networking Requirements
Figure 2-11 illustrates the SD-WAN networking of Enterprise A. On this network, the WAN-
side enterprise networks are a Layer 2 MPLS network and the Internet. The IP address of the
MPLS network gateway is 172.16.1.254/24, and BGP is supported in the WAN-side Internet.
During the setup of an SD-WAN network, the tenant administrator has created the hub sites
and branch sites. Routes need to be configured for the underlay networks.
Solution Design
1. The MPLS network on the WAN side is a Layer 2 network. On the underlay network,
OSPF routes can be configured to connect the CPEs to the MPLS network.
2. BGP is supported in the Internet, allowing BGP routes to be configured on the underlay
network for connecting the CPEs to the Internet. To improve the security of the BGP
routing protocol, MD5 authentication is enabled.
3. OSPF process information needs to be configured on the CPEs of each site to enable
interconnection between the site and the MPLS network through OSPF routes. The CPE
in the active hub site acts as the designated router (DR) on the shared OSPF segment,
whereas the CPE in the standby hub site acts as the backup designated router (BDR);
the branch CPEs are given DR priority 0 so that they never take either role. No routing
policy needs to be configured because currently there is no need to restrict the network
segments in which OSPF routes are advertised and received. This means all OSPF routes
are advertised and received in every network segment.
4. The information about BGP peers needs to be configured on the CPE of each site to
enable interconnection between the site and the Internet. The Internet link at Site3
obtains a dynamic IP address through PPPoE, and the IP address of the BGP peer is
10.100.5.2, as provided by the network provider. No routing policy needs to be
configured because currently there is no need to restrict the network segments in which
BGP routes are advertised and received. This means all BGP routes are advertised and
received in every network segment.
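The "MD5 authentication" enabled for the BGP sessions in item 2 above, and likewise for the MPLS-side BGP sessions in item 1 of the earlier BGP-plus-static-route example, is the TCP MD5 Signature Option of RFC 2385: every TCP segment of the BGP session carries a 16-byte digest computed over the IP pseudo-header, the TCP header (checksum zeroed, options excluded), the payload and a shared password, and a receiver that cannot reproduce the digest silently drops the segment. The following Python block is an added example of both sides of that check; it is not code from this guide or from the AR/Agile Controller-Campus software. The CPE and peer addresses, ports, sequence numbers and the password are assumed, and the BGP KEEPALIVE carried as payload is constructed.

```python
"""TCP MD5 Signature Option (RFC 2385) as used to protect BGP sessions.
Constructed example, not the CPE's implementation. The digest covers:
IP pseudo-header + TCP header (checksum zeroed, options excluded)
+ TCP payload + shared password. Addresses, ports and password are assumed."""
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
OPT_KIND_MD5 = 19      # TCP option kind for the MD5 signature
OPT_LEN_MD5 = 18       # kind + length + 16-byte digest


def tcp_md5_digest(src_ip, dst_ip, tcp_header, options_len, payload, password):
    """MD5 over pseudo-header || header (checksum=0, no options) || data || password."""
    tcp_len = len(tcp_header) + options_len + len(payload)   # segment length incl. options
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
    pseudo += struct.pack("!BBH", 0, TCP_PROTO, tcp_len)
    header_no_cksum = tcp_header[:16] + b"\x00\x00" + tcp_header[18:]
    return hashlib.md5(pseudo + header_no_cksum + payload + password).digest()


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload, password):
    """Sender side: TCP segment carrying the MD5 option (18 bytes + 2 NOPs of padding)."""
    options_len = OPT_LEN_MD5 + 2
    data_offset = (20 + options_len) // 4                   # header length in 32-bit words
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                         data_offset << 4, flags, 65535, 0, 0)
    digest = tcp_md5_digest(src_ip, dst_ip, header, options_len, payload, password)
    options = bytes([OPT_KIND_MD5, OPT_LEN_MD5]) + digest + b"\x01\x01"
    return header + options + payload


def verify_segment(src_ip, dst_ip, segment, password):
    """Receiver side: locate the option, recompute the digest and compare in constant time."""
    if password is None:
        return False           # no password configured for this peer: session not accepted
    data_offset = (segment[12] >> 4) * 4
    header, options, payload = segment[:20], segment[20:data_offset], segment[data_offset:]
    carried = None
    i = 0
    while i < len(options):    # walk the TCP option list
        kind = options[i]
        if kind == 0:          # end of option list
            break
        if kind == 1:          # NOP
            i += 1
            continue
        if i + 1 >= len(options):
            break
        length = options[i + 1]
        if kind == OPT_KIND_MD5 and length == OPT_LEN_MD5:
            carried = options[i + 2:i + 18]
        i += length
    if carried is None:
        return False           # unsigned segment on a session that requires signing
    expected = tcp_md5_digest(src_ip, dst_ip, header, len(options), payload, password)
    return hmac.compare_digest(carried, expected)


# Constructed BGP KEEPALIVE: 16-byte marker of 0xff, length 19, type 4.
BGP_KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)
CPE_IP, PEER_IP = "172.16.1.1", "172.16.1.254"   # assumed CPE and provider-side peer addresses
PASSWORD = b"bgp-md5-example"                     # assumed shared password


def demo():
    seg = build_segment(CPE_IP, PEER_IP, 40000, 179, 1000, 2000, 0x18, BGP_KEEPALIVE, PASSWORD)
    forged = seg[:-1] + bytes([seg[-1] ^ 0x01])   # on-path attacker alters the payload
    return {
        "genuine": verify_segment(CPE_IP, PEER_IP, seg, PASSWORD),
        "wrong_password": verify_segment(CPE_IP, PEER_IP, seg, b"other"),
        "payload_altered": verify_segment(CPE_IP, PEER_IP, forged, PASSWORD),
        "no_password_on_peer": verify_segment(CPE_IP, PEER_IP, seg, None),
    }


if __name__ == "__main__":
    print(demo())
```

Two practical points follow from the computation. The source and destination addresses are inside the digest, so the password only protects the session between the two configured endpoints; and because the password is a long-lived shared secret hashed with MD5, it should be unique per peering and treated like any other device credential. RFC 5925 (TCP-AO) is the standardized successor where both peers support it.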
Data Plan
Item                                      Value
Common Parameter     Default route cost   10 | 11 | - | - | -
                     Internal preference  10 | 10 | 10 | 10 | 10
Interface Parameter  Area ID              0 | 0 | 0 | 0 | 0
                     Interface Name       GE3/0/0 | GE3/0/0 | GE0/0/0 | GE0/0/4 | GE0/0/0
                     Hello Timer          10 | 10 | 10 | 10 | 10
                     DR Priority          255 | 254 | 0 | 0 | 0
                     Cost                 - | - | - | - | -
Route Redistribute                        - | - | - | - | -
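The DR priorities in this data plan (255 for the active hub CPE, 254 for the standby hub CPE, 0 for the branch CPEs) drive the OSPF DR/BDR election of RFC 2328 section 9.4. The following Python block is an added example that runs that election over the data plan; it is not code from this guide or from the AR software. Router IDs are assumed (OSPF breaks priority ties on the higher Router ID), and the algorithm is reduced to the cases that matter here: an initial election, the standby hub taking over after the active hub fails, and the active hub coming back. Note also that the OSPF tables in these examples set Authentication Mode to None, so the Hellos that carry these priorities are unauthenticated on the MPLS segment, unlike the BGP sessions above.

```python
"""OSPF DR/BDR election (RFC 2328 section 9.4) over the hub-site data plan.
Constructed example. Priorities come from the table above; router IDs are
assumed. Each router's Hello carries the DR and BDR it currently believes in."""
from dataclasses import dataclass


@dataclass
class Router:
    name: str
    router_id: str
    priority: int                    # 0 means never eligible for DR or BDR
    declared_dr: str = "0.0.0.0"     # DR this router advertises in its Hellos
    declared_bdr: str = "0.0.0.0"    # BDR this router advertises in its Hellos


def _rank(r: Router):
    # Higher priority wins; ties are broken by the higher Router ID.
    return (r.priority, tuple(int(o) for o in r.router_id.split(".")))


def _elect_bdr(eligible):
    """RFC 2328 step 2: routers that call themselves DR are excluded; routers
    that call themselves BDR are preferred; otherwise the best-ranked remains."""
    candidates = [r for r in eligible if r.declared_dr != r.router_id]
    self_declared = [r for r in candidates if r.declared_bdr == r.router_id]
    pool = self_declared or candidates
    return max(pool, key=_rank) if pool else None


def elect(routers):
    """Return (DR name, BDR name) for one multi-access segment."""
    eligible = [r for r in routers if r.priority > 0]
    bdr = _elect_bdr(eligible)
    self_declared_dr = [r for r in eligible if r.declared_dr == r.router_id]
    if self_declared_dr:
        # Step 3: an existing DR is kept. A returning router with a higher
        # priority does NOT preempt it; OSPF's election is non-preemptive.
        dr = max(self_declared_dr, key=_rank)
    else:
        dr = bdr                                   # nobody claims DR: promote the BDR ...
        if dr is not None:                         # ... and elect a fresh BDR without it
            bdr = _elect_bdr([r for r in eligible if r is not dr])
    return (dr.name if dr else None, bdr.name if bdr else None)


def scenario_initial():
    """All routers start at once; nobody has declared a DR or BDR yet."""
    return elect([
        Router("Hub1", "10.0.0.1", 255),
        Router("Hub2", "10.0.0.2", 254),
        Router("Site2", "10.0.0.3", 0),           # priority 0 from the data plan
        Router("Site3", "10.0.0.4", 0),
    ])


def scenario_hub1_failed():
    """Hub1's Hellos stop. Hub2 was BDR and still advertises Hub1 as DR."""
    return elect([
        Router("Hub2", "10.0.0.2", 254, declared_dr="10.0.0.1", declared_bdr="10.0.0.2"),
        Router("Site2", "10.0.0.3", 0, declared_dr="10.0.0.1", declared_bdr="10.0.0.2"),
    ])


def scenario_hub1_recovered():
    """Hub2 has become DR; Hub1 returns with the higher priority."""
    return elect([
        Router("Hub1", "10.0.0.1", 255),
        Router("Hub2", "10.0.0.2", 254, declared_dr="10.0.0.2"),
    ])


def scenario_no_eligible():
    """Only priority-0 routers on the segment: no DR, no BDR, no adjacencies."""
    return elect([Router("Site2", "10.0.0.3", 0), Router("Site3", "10.0.0.4", 0)])


if __name__ == "__main__":
    for f in (scenario_initial, scenario_hub1_failed, scenario_hub1_recovered, scenario_no_eligible):
        print(f.__name__, f())
```

The third scenario is the operational caveat behind the active/standby wording in the solution design: after a failover the standby hub CPE stays DR until it itself goes down, because OSPF never preempts an established DR. The last scenario shows why the branch CPEs must not be the only eligible routers on a segment.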
Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.
Step 3 Configure routes for the underlay network of the hub sites.
1. Choose Configuration > Site > Underlay Configuration.
2. Select Hub1 from the left list and click WAN Route.
3. On the WAN Route page that is displayed, click Click Here to Add Routing Protocol
and select OSPF.
4. On the OSPF page, click Create and set OSPF route parameters. On the main page,
click Apply Changes.
5. On the WAN Route page that is displayed, click and select BGP.
6. On the BGP page, click Advanced Settings and enable Default route redistribution.
7. On the BGP page, click Create and set BGP route parameters. On the main page, click
Apply Changes.
8. Perform the same operations to complete the OSPF route configuration for Hub2, and
click Apply Changes.
9. Perform the same operations to complete the BGP configuration for Hub2, and click
Apply Changes.
Step 4 Configure routes for the underlay networks of the branch sites.
1. In the list on the left, select Site2, and configure OSPF routes. On the main page, click
Apply Changes.
2. In the list on the left, select Site3, and configure OSPF routes. On the main page, click
Apply Changes.
3. In the list on the left, select Site3, and configure BGP routes. On the main page, click
Apply Changes.
4. In the list on the left, select Site4, and configure BGP routes. On the main page, click
Apply Changes.
----End
Related Products
Agile Controller-Campus: V300R003C00
AR: V300R003C00
Networking Requirements
Figure 2-12 shows the SD-WAN networking of an enterprise. On the SD-WAN network built
by the tenant administrator, the R&D and marketing departments of the enterprise need
their services isolated from each other, so that each department deploys its services
independently.
Solution Design
Based on customer requirements and the networking plan, the tenant administrator has created
the hub sites and branch sites, and has completed the underlay network configurations. To
implement service isolation between the two departments on the overlay, perform the
following tasks:
1. Configure VPNs for the two departments. Configure VPN2 for the marketing
department, and perform network and service configurations for this department in
VPN2.
2. Enable the R&D department to use the default VPN, VPN-Default, avoiding the need to
configure another VPN.
3. Configure services in the two VPNs separately.
Data Plan
Name MKT
Description -
Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.
Step 2 Create sites and configure WAN-side routes on the underlay network.
Step 4 Configure overlay networks, traffic policies, and security policies in the VPN-Default and
MKT VPN.
----End
Related Products
Agile Controller-Campus: V300R003C00
AR: V300R003C00
Networking Requirements
Figure 2-13 shows the SD-WAN networking of an enterprise. On the SD-WAN network
constructed by the tenant administrator, different users at Site2 (a branch site) operate the
same services in different network segments. User hosts transmitting the same services belong
to different VLANs and need to communicate with one another.
Solution Design
Based on customer requirements and the networking plan, the tenant administrator has created
the hub site and branch sites, and has completed the underlay network configurations. To
implement interconnection between VLANs and LAN-side overlay networks, perform the
following tasks:
1. Add LAN-side interfaces to VLANs and configure the interfaces to permit packets of the
VLANs that users belong to.
2. Configure IP addresses for VLANIF interfaces for Layer 3 connectivity.
3. To implement inter-VLAN communication, hosts in each VLAN must use the IP address
of the corresponding VLANIF interface as the default gateway address.
Data Plan
Item     Value
VLAN ID  10 | 10 | 10 | 20 | 10 | 10
Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.
Step 5 Perform the same operations as those for Site2 to configure a VLAN for Site3.
• VLAN configuration for Site3_1
----End
Related Products
Agile Controller-Campus: V300R003C00
AR: V300R003C00
Networking Requirements
Figure 2-14 shows the SD-WAN networking of an enterprise. On the SD-WAN network
constructed by the tenant administrator, the dual gateways at the branch site Site3, that is,
Site3_1 and Site3_2, are connected to the Layer 2 network of VLAN 10, and different users
are located in the same network segment. Hosts are dual-homed to Site3_1 and Site3_2
through Layer 2 switches. The user requirements are as follows:
• Hosts at Site3 use Site3_1 as the master gateway to connect to the MPLS network. If
Site3_1 fails, Site3_2 assumes the role of the master, implementing gateway backup.
• Site3_1 becomes the master gateway again after it recovers.
Solution Design
Based on customer requirements and the networking plan, the tenant administrator has created
the hub site and branch sites, and has completed the underlay network configurations. To
implement gateway backup with VRRP, perform the following tasks:
1. Add LAN-side interfaces to VLANs and configure the interfaces to permit packets of the
VLANs that users belong to.
2. Configure IP addresses for VLANIF interfaces for Layer 3 connectivity.
3. Configure the VRRP master and backup gateways. Create a VRRP group and configure
a virtual IP address for this VRRP group.
Site3_1 functions as the master gateway to forward traffic and has the preemption delay
configured to 20s. Site3_2 functions as the backup gateway to ensure gateway
redundancy, and has the preemption delay configured to 0, indicating immediate
preemption.
Data Plan
Item               Value
VLAN ID            10 | 10 | 10 | 20 | 10 | 10
VRRP ID            - | - | - | - | 10 | 10
Preempt delay (s)  - | - | - | - | 20 | 0
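The two preempt delays in this data plan (20 s on Site3_1, 0 on Site3_2) decide how quickly a recovered gateway reclaims the master role. The following Python block is an added example that models that timeline; it is not code from this guide or from the AR software, and it is a simplified event model rather than the VRRP state machine: a gateway becomes master when no master is alive, or when its priority is higher than the current master's and its preempt delay has elapsed since it came up. VRRP priorities are assumed (120 for Site3_1, 100 for Site3_2), since the data plan does not list them; the delays are the ones above.

```python
"""VRRP master selection with preemption delay for the Site3 dual gateways.
Constructed, simplified event model (not the CPE's VRRP implementation).
Priorities are assumed; preempt delays are those in the data plan."""
from dataclasses import dataclass


@dataclass
class Gateway:
    name: str
    priority: int
    preempt_delay: float      # seconds to wait before preempting a live master
    up: bool = True
    up_since: float = 0.0


def master_at(gateways, now, current):
    """Return the master's name at time `now`, given the previous master's name."""
    alive = [g for g in gateways if g.up]
    if not alive:
        return None
    cur = next((g for g in alive if g.name == current), None)
    best = max(alive, key=lambda g: g.priority)
    if cur is None:
        return best.name      # master lost: highest priority takes over at once
    if best.priority > cur.priority and now - best.up_since >= best.preempt_delay:
        return best.name      # higher-priority gateway preempts after its delay
    return cur.name


def timeline(events, horizon, step=1.0):
    """events: list of (time, gateway name, up). Returns the list of
    (time, master) transitions observed while stepping the clock."""
    gws = {
        "Site3_1": Gateway("Site3_1", 120, 20.0),   # master, preempt delay 20 s
        "Site3_2": Gateway("Site3_2", 100, 0.0),    # backup, immediate preemption
    }
    pending = sorted(events)
    master, changes, t = None, [], 0.0
    while t <= horizon:
        while pending and pending[0][0] <= t:
            _, name, up = pending.pop(0)
            gws[name].up = up
            if up:
                gws[name].up_since = t
        new = master_at(list(gws.values()), t, master)
        if new != master:
            changes.append((t, new))
            master = new
        t += step
    return changes


def site3_failover():
    """t=0 both up; t=10 Site3_1 fails; t=40 Site3_1 recovers."""
    return timeline([(10.0, "Site3_1", False), (40.0, "Site3_1", True)], horizon=70.0)


if __name__ == "__main__":
    print(site3_failover())
```

In the modelled run Site3_2 takes over at t=10 and keeps forwarding until t=60, twenty seconds after Site3_1 came back, which is the point of the delay: Site3_1 is given time for its own WAN routes to converge before it attracts the hosts' traffic again. The 0 on Site3_2 only matters if its priority is ever raised above Site3_1's, because a lower-priority backup never preempts.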
Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.
2. Select Site3_1 from the list on the left and click the VLAN tab in the right pane.
3. Click Create to configure VLAN parameters.
4. On the Create VLAN page, click Advanced Settings to configure the VRRP master and
backup gateways.
5. After configuring the VLAN and VRRP, click Apply Changes.
– VLAN configuration for Site3_1
----End
Related Products
Agile Controller-Campus: V300R003C00
AR: V300R003C00
Networking Requirements
Figure 2-15 shows the SD-WAN networking of an enterprise. On the SD-WAN network
constructed by the tenant administrator, two gateways at the hub site are connected to hosts
through the same Layer 3 switch. The gateways and Layer 3 switch are in the same VLAN
and therefore belong to the same network segment. The enterprise requires that the gateways
at the hub site communicate with the Layer 3 switch.
Solution Design
Based on customer requirements and the networking plan, the tenant administrator has created
the hub site and branch sites, and configured LAN-side interfaces on the overlay network. To
configure OSPF routes on the LAN side for interconnection between LAN-side networks,
perform the following tasks:
Data Plan
Item                                   Value
Internal preference                    10 | 10
Interface Parameter  Area ID           0 | 0
                     Interface Name    Vlanif10 | Vlanif10
                     Hello Timer       10 | 10
                     DR Priority       0 | 0
Route Redistribute   Protocol          - | -
                     Process ID        - | -
Cost                                   - | -
Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.
----End
Related Products
Agile Controller-Campus: V300R003C00
AR: V300R003C00
Networking Requirements
Figure 2-16 shows the SD-WAN networking of an enterprise. On the SD-WAN network
constructed by the tenant administrator, two gateways at each of the two hub sites are
connected to hosts through a Layer 3 switch. At Hub1, two gateways and the Layer 3 switch
are in the same VLAN and therefore belong to the same network segment. At Hub2, two
gateways and the Layer 3 switch belong to different VLANs and are located in different
network segments. The enterprise requires that the gateways at the hub sites communicate
with the Layer 3 switch in the same site.
Solution Design
Based on customer requirements and the networking plan, the tenant administrator has created
the hub sites and branch sites, and configured LAN-side interfaces on the overlay network. To
enable interconnection between LAN-side networks, configure OSPF and BGP routes on the
LAN side.
To configure OSPF routes on the LAN side of Hub1, perform the following tasks:
To configure BGP routes on the LAN side of Hub2, perform the following tasks:
1. Configure a BGP peer, specifying an IP address and AS number for the peer.
2. Configure an MD5 authentication password.
Data Plan
Common Default ON ON
Parameter route
advertise
ment
Default 1 1
route cost
Internal 10 10
preference
Interface Area ID 0 0
Parameter
Interface Vlanif10 Vlanif10
Name
Hello 10 10
Timer
DR 0 0
Priority
Route Protocol - -
Redistribu
te Process - -
ID
Cost - -
Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.
----End
Related Products
Agile Controller-Campus: V300R003C00
AR: V300R003C00
Networking Requirements
Figure 2-17 shows the SD-WAN networking of an enterprise. On the SD-WAN network
constructed by the tenant administrator, the LAN-side networks of each site belong to
different network segments. The enterprise requires that devices in LAN-side networks
communicate with one another.
Solution Design
Based on customer requirements and the networking plan, the tenant administrator has created
the hub sites and branch sites, and configured LAN-side interfaces on the overlay network. To
configure WAN-side routes on the overlay network, perform the following tasks:
1. At Hub1, configure a WAN-side static route whose next hop points to Branch2.
2. At Hub2, configure a WAN-side static route whose next hop points to Branch2.
3. At Branch2, configure a WAN-side static route whose next hop points to Hub1.
Data Plan
Item Value
Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.
4. After the configuration is complete, the configured static routes are displayed in the list.
Step 5 Configure WAN-side static routes of Hub2. The operations are the same as those in Step 4.
4. After the configuration is complete, the configured static routes are displayed in the list.
----End
Related Products
Agile Controller-Campus: V300R003C00
AR: V300R003C00
Networking Requirements
Figure 2-18 shows the SD-WAN networking of Enterprise A. After the tenant administrator
has completed the SD-WAN network deployment, the customer requires that key services,
including voice, video and telephone services, are preferentially transmitted through MPLS
links. To utilize multiple uplinks of a site, as well as improve link reliability and bandwidth
efficiency, active and standby links are configured.
Solution Design
1. Intelligent traffic steering needs to be enabled at the hub and branch sites to meet
customer requirements.
2. VoIP services can be identified based on application groups. For VoIP services, the active
link group consists of MPLS links and the standby link group consists of Internet links.
Internet links are preferentially used to transmit other services.
Data Plan
Item                 Value
Name                 test_app_group_VoIP
Description          -
Custom Applications  -

Item         Value
DSCP         - | -
Type         L7 | Any
Application  test_app_group_VoIP | -

Table 2-62 Intelligent traffic steering information about the overlay network
Item             Value
Policy Priority  1 | 2
Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.
Step 5 Configure intelligent traffic steering policies for the overlay networks.
1. Choose Configuration > Traffic Policy.
2. Click Traffic Steering. On the Traffic Steering tab page, click Create and configure
intelligent traffic steering policies.
3. On the Traffic Steering tab page, click in the Operation column of the policy. In
the Attach Sites dialog box that is displayed, select a site to be bound to the policy.
Click and then click OK.
4. Select the policy to be submitted, click Commit, and select Commit Selected.
5. In the Commit dialog box that is displayed, set Effective time to Immediately and click
OK.
----End
Related Products
Agile Controller-Campus: V300R003C00
AR: V300R003C00
Networking Requirements
Figure 2-19 shows the SD-WAN networking of Enterprise A. On this network, the hub sites
connect to the Internet on the LAN side. The enterprise requires that both hub sites and branch
sites access the Internet through Internet links on the LAN side of hub sites.
Solution Design
The tenant administrator has completed SD-WAN network configurations. There are
reachable routes between CPEs at the active and standby hub sites and the Internet on the
LAN side.
Data Plan
Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.
----End
Related Products
Agile Controller-Campus: V300R003C00
AR: V300R003C00
Networking Requirements
Figure 2-20 shows the SD-WAN networking of Enterprise A. On this network, the hub site
and branch sites are connected to the Internet through Internet links. The legacy site is directly
connected to the MPLS network through an MPLS link and can only access the Internet
through the hub site. The enterprise requires that all sites can access the Internet.
Solution Design
The tenant administrator has completed SD-WAN network configurations.
1. The hub site functions as the gateway for centralized Internet access. Branch sites and
the legacy site can access the Internet through the WAN-side Internet link of the hub site.
2. Site2 and Site3 have local Internet links and therefore preferentially access the Internet locally.
3. Local Internet access also needs to be enabled at the hub site.
Data Plan
Item Value
Policy All
Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.
c. Click in the Operation column. Enable NAT and activate the egress link.
Configure a different link priority for each link. On the main page, click Apply
Changes.
----End
2.1.9.3 Configuring Hybrid Internet Access Through Local Internet Links and LAN-side Links of Hubs
Related Products
Agile Controller-Campus: V300R003C00
AR: V300R003C00
Networking Requirements
Figure 2-21 shows the SD-WAN networking of Enterprise A. On this network, hub sites
access the Internet on the LAN side. Site2 is only connected to the MPLS network through
two MPLS links. Site3 and Site4 are connected to the Internet through Internet links. The
enterprise requires that all sites can access the Internet.
Solution Design
The tenant administrator has completed SD-WAN network configurations. There are
reachable routes between CPEs at the active and standby hub sites and the Internet on the
LAN side.
1. Site2 uses the centralized Internet access mode, so Site2 accesses the Internet through
the Internet links of the hub sites.
2. Site3 and Site4 preferentially use local Internet links to access the Internet.
3. Intranet users at hub sites access the Internet through the LAN-side Internet link, and
services are not forwarded to CPEs at hub sites.
Data Plan
Item Value
Internet2  1
Policy     All
Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.
c. Click in the Operation column to activate the egress link. Enable NAT for
Internet links and configure a different link priority for each link. Click Apply
Changes to complete configurations on the main page.
----End
Related Products
Agile Controller-Campus: V300R003C00
AR: V300R003C00
Networking Requirements
Figure 2-22 shows the SD-WAN networking of Enterprise A. On this network, Site1 is a
legacy site outside an SD-WAN network. The enterprise requires that all SD-WAN sites
communicate with Site1.
Solution Design
The tenant administrator has completed SD-WAN network configurations. The active and
standby hub site are each connected to the MPLS network through an MPLS link, and Site1 is
also connected to the MPLS network. The centralized access mode can be configured to
enable branch sites to communicate with Site1 through the hub sites.
Data Plan
Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.
Step 3 Configure a site-to-legacy site policy at hub sites on the overlay network to enable
communication between SD-WAN sites and the legacy site.
4. Click in the Operation column to activate the egress link. Configure the link priority
and click Apply Changes on the main page.
----End
Related Products
Agile Controller-Campus: V300R003C00
AR: V300R003C00
Networking Requirements
Figure 2-23 shows the SD-WAN networking of Enterprise A. On this network, Site1 is a
legacy site outside an SD-WAN network. The enterprise requires that all SD-WAN sites
communicate with Site1.
Solution Design
The tenant administrator has completed SD-WAN network configurations. Only Site2 is
connected to both the MPLS network and the Internet, and Site1 is also connected to the
MPLS network. The centralized access mode can be configured to enable the hub site and
branch sites to communicate with Site1 through Site2.
Data Plan
Item Value
Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.
Step 3 Configure a site-to-legacy site policy at Site2 on the overlay network to enable
communication between SD-WAN sites and the legacy site.
1. Choose Configuration > Traffic Policy.
2. Click Site-to-Legacy Site. On the Site-to-Legacy Site tab page, click Centralized
access to configure the access mode.
3. Click Create, select Site2 and click IGW to enable the gateway function for
communication between SD-WAN sites and legacy sites.
4. Click in the Operation column to activate the egress link. Configure the link priority
and click Apply Changes on the main page.
----End
Related Products
Agile Controller-Campus: V300R003C00
AR: V300R003C00
Networking Requirements
Figure 2-24 shows the SD-WAN networking of Enterprise A. On this network, Site1 is a
legacy site outside an SD-WAN network. The enterprise requires that all SD-WAN sites
communicate with Site1.
Solution Design
The tenant administrator has completed SD-WAN network configurations. The active and
standby hub site are each connected to the MPLS network through an MPLS link. Site1 is
also connected to the MPLS network. Site2 and Site3 are connected to the MPLS network,
whereas Site4 is connected only to the Internet. Therefore, Site2 and Site3 communicate with
Site1 through local MPLS links in local access mode, while Site4 communicates with Site1
through the hub sites in centralized access mode.
Data Plan
WAN links at Hub2: MPLS
WAN links of Site3: MPLS
Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.
Step 3 Configure a site-to-legacy site policy at hub sites on the overlay network to enable
communication between SD-WAN sites and the legacy site.
1. Choose Configuration > Traffic Policy.
2. Click Site-to-Legacy Site.
3. Configure centralized access mode.
a. On the Site-to-Legacy Site tab page, enable Centralized access.
b. Click Create, select hub sites and click IGW to enable the gateway function for
communication between SD-WAN sites and legacy sites.
c. Click in the Operation column to activate the egress link, configure the link
priority, and click Apply Changes on the main page.
----End
Related Products
Agile Controller-Campus: V300R003C00
AR: V300R003C00
Networking Requirements
Figure 2-25 shows the SD-WAN networking of Enterprise A. The enterprise requires that
HTTP services transmitted between Site4 and hub sites (using TCP port 8080) be
preferentially transmitted.
Solution Design
QoS queue priorities are configured at Site4 and hub sites, and high-priority queues are
configured to ensure that HTTP services are preferentially forwarded.
Data Plan
Source IP -
Destination IP -
DSCP -
Type L4
Protocol TCP
Source Port -
Policy Priority 1
Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.
a. On the QoS tab page, click in the Operation column of the policy. In the
Attach Sites dialog box that is displayed, select a site to be bound to the policy.
Click and then click OK.
b. Select the policy to be submitted, click Commit, and select Commit Selected.
c. In the Commit dialog box that is displayed, set Effective time to Immediately and
click OK.
----End
Related Products
Agile Controller-Campus: V300R003C00
AR: V300R003C00
Networking Requirements
Figure 2-26 shows the SD-WAN networking of an enterprise. Employees need to be denied
access to YouTube during working hours from 09:00 to 17:00.
Solution Design
Configure an ACL policy on the overlay network to meet the enterprise requirements:
Configure a traffic classifier template to identify the YouTube service, configure the effective
time template to specify the working time, and associate the ACL policy with the site so that
employees at that site are denied access to the YouTube service.
Data Plan
Item Value
Name App_Group_Youtube
Description -
Item Value
Source IP -
Destination IP -
DSCP -
Type L7
Application App_Group_Youtube
Item Value
Policy priority 1
Interface LAN
Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.
4. On the ACL tab page, click in the Operation column of the policy. In the Attach
Sites dialog box that is displayed, select a site to be bound to the policy. Click and
then click OK.
5. Select the policy to be submitted, click Commit, and select Commit Selected.
6. In the Commit dialog box that is displayed, set Effective time to Immediately and click
OK.
3. Click Deploy to Device. In the list on the left, click the configured ACL policy to view
the configuration deployment result. The status is Succeeded.
----End
Related Products
Agile Controller-Campus: V300R003C00
AR: V300R003C00
Networking Requirements
Figure 2-27 shows the SD-WAN networking of Enterprise A. To ensure security of network
services at hub sites, intranet users must be restricted from accessing social media and video
sharing websites.
Solution Design
Configure a URL filtering security policy at hub sites. Use predefined categories on the Agile
Controller-Campus, set the filtering level to high, and deny access to social media and video
sharing websites.
Data Plan
Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.
1. On the Security Policy page, click in the Operation column of the policy. In the
Attach Sites dialog box that is displayed, select a site to be bound to the policy. Click
and then click OK.
2. Select the policy to be submitted, click Commit, and select Commit Selected.
3. In the Commit dialog box that is displayed, set Effective time to Immediately and click
OK.
----End
Related Products
Agile Controller-Campus: V300R003C00
AR: V300R003C00
Networking Requirements
Enterprise A has a headquarters network and multiple branch networks. A Layer 3 MPLS
network is used on the WAN side. Aiming to rebuild its own networks, the enterprise submits
a network construction application to a service provider (SP) to use both a Layer 3 MPLS
network and the Internet on the WAN side. To reduce network costs, the enterprise requires
that services be primarily transmitted over the Internet. If a fault occurs on the Internet,
service traffic can automatically move to the MPLS network. Figure 2-28 shows the
enterprise networking.
Solution Design
Based on the enterprise's networking and requirements, the SP recommends that the enterprise
replace the existing traditional enterprise network with an SD-WAN network. Network
engineers of enterprise A are not able to deploy an SD-WAN network; therefore, the SP is
authorized as a managed service provider (MSP) to complete network deployment for
enterprise A. Figure 2-29 shows the networking diagram.
1. The SP creates a tenant for enterprise A and is authorized as an MSP to maintain the
network of enterprise A.
2. The MSP administrator creates a hub site (Hub1) and two branch sites (Site2 and Site3)
and completes the network configuration on the Agile Controller-Campus. Site1 does not
need to be created on and managed by the Agile Controller-Campus because it uses the
traditional network mode and does not need to be upgraded to an SD-WAN network.
3. The MSP administrator sets the IP address of the NTP server to 10.10.1.1, configures the
hub site to synchronize its clock with the NTP server, and configures the branch sites to
automatically synchronize their clocks with the hub site.
4. The WAN-side MPLS and Internet networks support BGP, so these networks can
exchange routes with the underlay networks using BGP. The CPEs of Hub1
communicate with the LAN-side Layer 3 switch through VLANs, and OSPF is deployed
on the LAN-side network of the hub site. The CPEs of the branch sites communicate
with the LAN-side Layer 2 network devices through VLANs.
5. The customer requires VoIP services to be preferentially forwarded over the MPLS
network and other services over the Internet, so the MSP administrator enables
centralized Internet access of the SD-WAN network through the hub site.
Communication between the SD-WAN sites and legacy sites is implemented in
centralized access mode.
6. The MSP administrator enables URL filtering in a security policy, sets the filtering level
of predefined categories to high, and denies access to social media and video sharing
websites to guarantee secure network usage of employees and improve their working
efficiency.
7. The email-based deployment mode is used for site deployment. After receiving a
deployment email, the deployment engineer goes to the hub and branch sites to install
and deploy the CPEs.
8. After the CPEs are deployed, they automatically obtain configurations from the Agile
Controller-Campus.
Data Plan
Password PassA@1234
Authorize MSP ON
Account UserA@tenantA.com
Password PassA@1234
Port 25
Account testmail
Password testmail
Email testmail@163.com
Encryption algorithm AES256
Token validity period (day) 7
AS number 65001
IP pool 10.200.0.0/16
Description - - -
Item Value
PPPoE User name - - - user@web.com - -
PPPoE Password - - - Pass1234 - -
Item Value
NTP authentication ON
Item Value
Email Template Implementer
Item Value
VLAN ID 10 10 10 20 10 10
Item Value
Internal preference 10 10
Hello Timer 10 10
DR Priority 0 0
Process ID - -
Cost - -
Item Value
Name test_app_group_VoIP
Description -
Custom Applications -
Item Value
DSCP - -
Type L7 Any
Application test_app_group_VoIP -
Table 2-93 Intelligent traffic steering information about the overlay network
Item Value
Policy Priority 1 2
Item Value
Site Hub1
IGW ON
Procedure
Step 1 Log in to the Agile Controller-Campus as an MSP administrator.
3. Click Test to test email sending. If the system displays the message indicating that the
test is successful and the test email can be received, the configuration is successful. Click
Save to complete the configuration.
Step 7 Create two site templates to create the hub site and branch sites separately.
1. Choose Configuration > Site > Template. On the Site Template page that is displayed,
click Create.
2. Enter template information and click OK.
- Hub site template
Step 10 Complete the ZTP configuration for the sites and send a deployment email.
1. Configure the WAN links for the hub site.
a. Choose Configuration > Site > ZTP Configuration. The ZTP Configuration
page is displayed.
b. In the Not Activated list, click a created site. The WAN Link page displays link
information.
a. In the displayed Send Email dialog box, select the site to deploy and click .
b. Enter the recipient email address and CC email address, select the created email
template, modify the email content, and click OK.
Step 11 Configure BGP routes for the underlay network of the hub site.
1. Choose Configuration > Site > Underlay Configuration.
2. Select Hub1 from the left list and click WAN Route.
3. On the WAN Route page that is displayed, click Click Here to Add Routing Protocol
and select BGP.
4. On the BGP page, click Advanced Settings, and enable Default route redistribution.
5. On the BGP page, click Create and set BGP route parameters.
Step 12 Configure BGP routes for the underlay networks of the branch sites.
1. Choose Configuration > Site > Underlay Configuration.
2. Select Site2 from the left list and click WAN Route.
3. On the WAN Route page that is displayed, click Click Here to Add Routing Protocol
and select BGP.
4. On the BGP page, click Create and set BGP route parameters.
Step 17 Configure intelligent traffic steering policies for the overlay networks.
1. Choose Configuration > Traffic Policy.
2. Click Traffic Steering. On the Traffic Steering tab page, click Create and configure
intelligent traffic steering policies.
3. On the Traffic Steering tab page, click in the Operation column of the policy. In
the Attach Sites dialog box that is displayed, select a site to be bound to the policy.
Click and then click OK.
4. Select the policy to be submitted, click Commit, and select Commit Selected.
5. In the Commit dialog box that is displayed, set Effective time to Immediately and click
OK.
Step 19 Configure a mutual-access policy for the overlay network of the legacy site.
b. Click Next, click in the Operation column to activate the egress link, configure
the link priority, and click Apply Changes.
4. On the Security Policy page, click in the Operation column of the policy. In the
Attach Sites dialog box that is displayed, select a site to be bound to the policy, click
and then click OK.
5. Select the policy to be submitted, click Commit, and select Commit Selected.
6. In the Commit dialog box that is displayed, set Effective time to Immediately and click
OK.
Step 21 Install the CPEs at the sites based on the site networking requirements and connect the WAN
ports of the CPEs to the WAN.
Step 22 Deploy the CPEs at the sites using email-based deployment.
1. Power on the CPEs.
2. Wait for a moment until the SYS indicator on the CPEs is blinking green slowly,
indicating that the CPEs have started successfully.
3. Perform email-based deployment according to section 2.2.2 Email-based Deployment.
Step 23 After the deployment is successful, enable all CPEs to register with the Agile Controller-
Campus again to obtain the configurations of the new branch sites.
----End
Networking Requirements
An enterprise wants to deploy several branch sites, as shown in Figure 2-30. Information
about CPEs that serve as gateways of the branch sites is ready. It is time-consuming and
labor-intensive if software engineers go to the branch sites to deploy the CPEs site by site.
The enterprise requires a method to quickly deploy the branch sites in a batch through easy
operations without requiring high software commissioning skills.
Solution Design
If multiple CPEs need to be deployed and the CPE model and ESN information are available,
you can deploy the CPEs in a batch using USB-based deployment at a location where most
CPEs are located, and then assign the CPEs to the sites for installation and deployment. The
following example describes how to use USB-based deployment to deploy Site2.
1. The tenant administrator creates a branch site, Site2, on the Agile Controller-Campus,
completes the ZTP configuration for Site2, and downloads the ZTP file.
2. The tenant administrator uses the IniConverter.exe tool to convert the ZTP file into a
configuration file suffixed with .ini, creates the index file USB_AR.ini, and sends the
configuration file and index file to the deployment engineer.
3. The deployment engineer saves the received configuration file and index file to the root
directory of the USB flash drive and starts the CPEs for USB-based deployment.
Data Plan
Item Value
Description -
Device Device1
Interface GE0/0/1
Transport Internet
Network
Role Active
ESN Device Name
2102351BTJ10H1000015 Site2_1
2102351BTJ10H1000008 Site3_1
2102351BTJ10H1000022 Site3_2
2102351BTJ10H1000013 Site4_1
2102351BTJ10H1000014 Site4_2
Interface protocol IPoE
IP address access mode Static
IP address/Subnet mask 10.100.12.1/24
Default gateway 10.100.12.254
Negotiation mode Auto
Uplink bandwidth (Mbps) 100
Downlink bandwidth (Mbps) 100
Procedure
Step 1 Create branch sites and complete the ZTP configuration on the Agile Controller-Campus as a
tenant administrator.
1. Log in to the Agile Controller-Campus as a tenant administrator.
2. Choose Configuration > Global Parameters and set global network parameters.
3. If no required site template is available in the system, create a site template for creating
branch sites.
a. Choose Configuration > Site > Template. On the Site Template page that is
displayed, click Create.
b. Enter the template information.
4. Add devices in a batch based on their ESNs and use them as the CPE gateways for the
new branch sites.
a. Choose Device Management > Device List. The Device List page is displayed.
b. Click Add Device and set Addition method to Batch import.
c. Click Template to download the template file.
d. Fill in the template with required information and save the file.
6. Complete the ZTP configuration for the new branch site and download the ZTP file.
a. Configure the WAN links.
i. Choose Configuration > Site > ZTP Configuration. The ZTP
Configuration page is displayed.
ii. In the Not Activated list, click a created site. The WAN Link page displays
link information.
iii. Click in the Operation column in the right pane. In the displayed dialog
box, set WAN link parameters and then click Apply Changes on the main
page.
8. After completing the ZTP configuration, click Download ZTP File and save the file as a
ZTP_xxx.csv file.
9. Complete the underlay and overlay network configurations for the branch site. For
details, see section 2.1.14.1 Example for Building an SD-WAN Network for an
Enterprise Tenant.
2. Set Password to the value of URL encryption key, which has been set on the Global
Parameters page.
3. Click Generate ini file, and save the configuration file as ZTP.ini.
4. Create a text file named USB_AR.ini and edit the index file.
During USB-based deployment, the device where the USB flash drive is installed
matches the ESN field of CONFIG in the index file. If a match is found, the
configuration file in the USB flash drive is copied.
BEGIN AR
[USB CONFIG]
SN=20180408.070632
EMS_ONLINE_STATE=NO
[UPGRADE INFO]
OPTION=AUTO
DEVICENUM=1
[DEVICE1 DESCRIPTION]
OPTION=OK
ESN=DEFAULT
MAC=DEFAULT
VERSION=DEFAULT
DIRECTORY=DEFAULT
FILENUM=1
TYPE1=SYSTEM-CONFIG
FILENAME1=ZTP.ini
END AR
Precautions
- During USB-based deployment, the SN in the index file used to deploy a CPE must be
different from the default USB-based deployment flag of the CPE.
The SN in an index file is a unique flag for USB-based deployment. A device has a
default USB-based deployment flag. If the USB_AR.ini file is present in the USB flash
drive, the device checks whether the default USB-based deployment flag and the SN in
the USB_AR.ini file are the same. If they are the same, the device does not start USB-based
deployment. If they are different, the device starts USB-based deployment using the
deployment files specified in the USB flash drive. If the deployment succeeds, the default
USB-based deployment flag on the device is changed to the SN in the USB_AR.ini file.
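The index-file logic described above (the ESN match against the DEVICE block in Step 4 and the SN check under Precautions), modelled as an added Python example that is not part of this guide or of Huawei's tooling. Treating ESN=DEFAULT as matching any CPE and the initial value of the device's deployment flag are assumptions of the example.

```python
"""Model of the USB_AR.ini decision a CPE makes during USB-based deployment.

Added example (not Huawei code). Parses an index file of the form shown in the
guide (BEGIN AR ... END AR, [SECTION] blocks, KEY=VALUE lines) and applies the
two checks the text describes:
  1. the SN in [USB CONFIG] must differ from the CPE's current deployment flag,
     otherwise deployment is skipped (this is what stops the same drive from
     re-deploying a CPE it has already deployed);
  2. the CPE's ESN must match the ESN of a [DEVICEn DESCRIPTION] block.
On success the CPE's flag becomes the SN from the file.
"""
from dataclasses import dataclass, field
import re

# Constructed copy of the index file shown in the guide.
SAMPLE_INDEX = """BEGIN AR
[USB CONFIG]
SN=20180408.070632
EMS_ONLINE_STATE=NO
[UPGRADE INFO]
OPTION=AUTO
DEVICENUM=1
[DEVICE1 DESCRIPTION]
OPTION=OK
ESN=DEFAULT
MAC=DEFAULT
VERSION=DEFAULT
DIRECTORY=DEFAULT
FILENUM=1
TYPE1=SYSTEM-CONFIG
FILENAME1=ZTP.ini
END AR
"""


def parse_index(text):
    """Return {section: {key: value}} for the lines between BEGIN AR and END AR."""
    sections, current, inside = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "BEGIN AR":
            inside = True
            continue
        if line == "END AR":
            break
        if not inside or not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed index line: {raw!r}")
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    if not inside:
        raise ValueError("missing BEGIN AR")
    return sections


@dataclass
class Cpe:
    esn: str
    usb_flag: str = "DEFAULT"  # factory deployment flag; the value is an assumption
    loaded_files: list = field(default_factory=list)


def usb_deploy(cpe, index_text):
    """Decide whether the CPE deploys from this drive; returns (deployed, reason)."""
    idx = parse_index(index_text)
    sn = idx.get("USB CONFIG", {}).get("SN")
    if sn is None:
        return False, "no SN in [USB CONFIG]"
    if sn == cpe.usb_flag:
        return False, "SN equals the device's deployment flag; deployment skipped"
    count = int(idx.get("UPGRADE INFO", {}).get("DEVICENUM", "0"))
    for n in range(1, count + 1):
        dev = idx.get(f"DEVICE{n} DESCRIPTION", {})
        # Assumption: ESN=DEFAULT applies to whichever CPE the drive is inserted into.
        if dev.get("ESN") not in ("DEFAULT", cpe.esn):
            continue
        files = [dev[f"FILENAME{i}"] for i in range(1, int(dev.get("FILENUM", "0")) + 1)
                 if f"FILENAME{i}" in dev]
        if not files:
            return False, f"DEVICE{n} matched but lists no files"
        cpe.loaded_files = files
        cpe.usb_flag = sn  # success: the flag becomes the SN in USB_AR.ini
        return True, f"deployed from DEVICE{n}: {files}"
    return False, "no DEVICE block matches this ESN"
```

Running the same drive against a CPE twice shows the second pass being refused by the SN check, which is the behaviour the precaution relies on.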
Networking Requirements
An enterprise wants to add a branch site, Site2, deploy a CPE as the gateway, and connect
Site2 to the WAN through an Internet link, as shown in Figure 2-31. No professional software
commissioning engineer is available at Site2. The hardware installation test engineer needs to
complete the CPE deployment after installing the CPE.
Solution Design
Hardware installation test engineers usually have limited skills in commissioning router
software. However, they have a basic understanding of the operations, for example,
connecting terminals such as mobile phones, tablets, and laptops to the network and browsing
web pages. Therefore, they can deploy the CPE at Site2 using email-based deployment as
follows:
1. The tenant administrator creates Site2 on the Agile Controller-Campus, completes the
ZTP configuration for Site2, and sends a deployment email to the specified email
address.
2. The hardware installation test engineer confirms that the mobile phone, tablet, or laptop
that is used as the deployment terminal receives the deployment email.
3. After installing the CPE at the site, the hardware installation test engineer connects the
deployment terminal to the CPE in wired or wireless mode and starts the deployment
process by accessing the URL in the deployment email. The CPE is automatically
deployed after receiving the URL access request.
Data Plan
Description -
Device Device1
Interface GE0/0/1
Transport Internet
Network
Role Active
Item Value
Email Template Implementer
Item Value
Interface protocol IPoE
IP address access mode Static
IP address/Subnet mask 10.100.12.1/24
Default gateway 10.100.12.254
Negotiation mode Auto
Uplink bandwidth (Mbps) 100
Downlink bandwidth (Mbps) 100
Procedure
Step 1 Create a branch site, complete the ZTP configuration, and send a deployment email on the
Agile Controller-Campus as a tenant administrator.
1. Log in to the Agile Controller-Campus as a tenant administrator.
2. Choose Configuration > Global Parameters and set global network parameters.
3. If no required site template is available in the system, create a site template for creating a
branch site.
a. Choose Configuration > Site > Template. On the Site Template page that is
displayed, click Create.
b. Enter the template information.
5. Add devices in a batch based on the device models and use them as the CPE gateways
for the new branch site.
a. Choose Device Management > Device List. The Device List page is displayed.
b. Click Add Device and set Addition method to Manually create.
c. Set Mode to Device Model, and click Add.
d. On the page that is displayed, set Type, Device Model, and Quantity, and click
OK.
e. Click Edit, change the value of Device Name, and click Submit.
f. Click OK.
7. Complete the ZTP configuration for the new branch site and send a deployment email.
a. Configure the WAN links.
i. Choose Configuration > Site > ZTP Configuration. The ZTP
Configuration page is displayed.
ii. In the Not Activated list, click the new branch site. The WAN Link page
displays link information.
8. Complete the underlay and overlay network configurations for the branch site. The
configuration details are not mentioned here.
Only the devices with the default WLAN mode as the AP mode support wireless access
of deployment terminals.
1. Wired access (the following example uses a PC with Windows 7 installed).
a. Use an Ethernet cable to connect the PC to the management interface of the CPE.
The CPE's management interface is often marked with the Management or MGMT
silkscreen. Management interfaces of some device models do not have this
silkscreen. You can check the position of the management interface by referring to
the product documentation.
If two gateways are deployed at a site, disconnect the cable between them before deployment, and then
reconnect it after deployment. If the cable is not disconnected, deployment may fail.
1. On the deployment terminal, open the deployment email and click the URL in the email, or
copy the URL to the browser's address bar and open it. The deployment Portal page is
then displayed in the browser.
2. On the page that is displayed, enter the password and click GO. The system uses the
password to decrypt the encrypted URL.
NOTE
The entered password must be the same as the value of URL encryption key specified in the
global network parameters.
3. Click Check Parameters to check the automatically parsed parameters and click
Confirm Deployment to start the deployment process.
4. After the CPE completes deployment and registers with the Agile Controller-Campus,
the following page is displayed on the deployment terminal, indicating that the
deployment is successful.
AR: V300R003C00
Networking Requirements
One CPE is deployed at the hub site (Hub1) of an enterprise as the gateway and it connects to
a WAN through an MPLS link, as shown in Figure 2-32. The enterprise wants to add an
Internet link to change the single-device single-link (MPLS uplink) networking to dual-device
dual-link (MPLS and Internet uplinks) networking. Figure 2-33 shows the networking
diagram after the change.
Solution Design
The configuration roadmap is as follows:
1. Delete the branch sites and then the hub site.
2. Add a new CPE, create a hub site and two branch sites, and complete the service
configuration.
3. Perform the deployment operations for the site to which a new CPE is added. After the
new CPE is deployed, the CPE automatically obtains the modified configuration from
the Agile Controller-Campus. CPEs at other sites automatically obtain the modified
configuration from the Agile Controller-Campus after going online.
Figure 2-34 shows the detailed operation flowchart.
Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.
Step 2 Delete the service configurations of the hub and branch sites.
The sites to be deleted cannot be associated with any traffic distribution policy, Internet access
policy, or legacy site mutual access policy and cannot be added to any VPN. Otherwise, the
deletion fails.
b. On the VPN page that is displayed, click in the Operation column next to each
VPN. In the displayed dialog box, select all the sites and click to remove the
sites from the VPN.
c. Click OK.
Step 4 Add a CPE and recreate a hub site and two branch sites. For details, see section 2.1.14.1
Example for Building an SD-WAN Network for an Enterprise Tenant.
Step 5 Install the CPEs at the hub site based on the site networking requirements and connect the
WAN ports of the CPEs to the networks.
In this example, the CPE deployment configurations of the hub site and Site2 are changed.
Therefore, you need to re-deploy the CPEs at the two sites. For the branch sites where the
deployment configuration remains unchanged, the CPEs automatically register with the Agile
Controller-Campus using the original deployment configuration. Then, the Agile Controller-
Campus can manage these CPEs.
Step 6 Deploy the CPEs at the hub site and Site2 using email-based deployment.
1. Power on the CPEs.
2. Wait for a moment until the SYS indicator on the CPEs is blinking green slowly,
indicating that the CPEs have started successfully.
3. Perform email-based deployment according to section 2.2.2 Email-based Deployment.
----End
Single-CPE single-link (Internet) Single-CPE single-link (MPLS)
9 Single-CPE dual-link (MPLS) -
10 Dual-CPE dual-link (MPLS) -
Networking Requirements
One CPE is deployed at the branch site, Site1, of an enterprise as the gateway and it connects
to the WAN through an MPLS link, as shown in Figure 2-35. The enterprise wants to add an
Internet link to change the single-CPE single-link (MPLS) networking to single-CPE dual-
link (MPLS and Internet) networking. Figure 2-36 shows the networking diagram after the
change.
Solution Design
The configuration roadmap is as follows:
1. On the Agile Controller-Campus, create a new branch site according to the networking
requirements and complete the service configuration for the new branch site based on the
services configured at the old branch site. Unbind the service configuration from the old
site, delete the old site, and change the name of the new site to that of the old site.
2. At the new branch site, re-deploy the CPE, connect it to the WAN, and complete the CPE
deployment.
3. After the CPE is deployed, it automatically obtains the modified configuration from the
Agile Controller-Campus.
Figure 2-37 shows the detailed operation flowchart.
Data Plan
An Internet link needs to be added. In this example, static routes are used as the underlay
network routes for interworking with the WAN-side network. The following tables list
required data. The configuration of other services is the same as that of the old branch site,
and is not mentioned here.
Description -
Item Value
Priority 60 60
Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.
The system provides two default transport networks, Internet and Internet1, for which
Routing Domain is set to Internet. This configuration case uses the default transport
networks.
Step 4 Add a device based on the device model and use it as the CPE gateway for the new branch
site.
1. Choose Device Management > Device List. The Device List page is displayed.
2. Click Add Device and set Addition method to Manually create.
3. Set Mode to Device Model, and click Add.
4. On the page that is displayed, set Type, Device Model, and Quantity, and click OK.
5. Click Edit, change the value of Device Name, and click Submit.
6. Click OK.
Step 6 Complete the ZTP configuration for the new branch site and send a deployment email.
1. Change the WAN link IP address of the old branch site.
a. Choose Configuration > Site > ZTP Configuration. The ZTP Configuration
page is displayed.
b. In the site list on the left, click the old branch site. The WAN Link page displays
link information.
c. Click next to the WAN link that will use the IP address of the new site in the
Operation column in the right pane.
d. In the Set WAN Link dialog box that is displayed, set the IP address to a value that
does not conflict with those of the other sites.
a. In the displayed Send Email dialog box, select the site to deploy and click .
b. Enter the recipient email address and CC email address, select the created email
template, modify the email content, and click OK.
Step 7 Configure WAN routes for the underlay network of the new branch site. The following
describes how to configure static routes.
1. Choose Configuration > Site > Underlay Configuration.
2. Select the new branch site with ZTP settings completed from the list on the left.
3. On the WAN Route page that is displayed, click Click Here to Add Routing Protocol
and select Static.
4. On the Static page, click Create and configure static routes for WAN link access. Then,
click Apply Changes on the main page.
Step 8 Complete the site configuration for the overlay network of the new branch site, including the
interface connecting to the LAN, LAN-side routes, and WAN routing policies. The following
describes how to configure VLANs.
1. Choose Configuration > Overlay Network > Site Configuration.
2. On the Site Configuration page, select the VPN to which the site to be configured
belongs.
3. Select the new branch site and click VLAN in the right pane.
4. Click Create and enter VLAN information. On the main page, click Apply Changes.
5. (Optional) If multiple VPNs are configured for the old branch site, repeat the preceding
steps to configure all VPN services for the new branch site.
Step 9 (Optional) If a custom VPN is configured for the old branch site, add the new branch site to
this custom VPN.
1. Choose Configuration > Overlay Network > VPN.
2. On the VPN page, click in the Operation column of the VPN to be modified. On the
page that is displayed, select the new branch site and click to add it to the VPN.
3. Click OK.
Step 10 (Optional) If a traffic distribution policy is configured for the old branch site, unbind this
policy from the old branch site and bind it to the new branch site.
1. Choose Configuration > Overlay Network > Traffic Distribution.
2. On the Traffic Distribution page, click in the Operation column next to a traffic
distribution policy and click Next. On the page that is displayed, select the new branch
site and click to associate the policy with it. Then, select the old branch site and click
to unbind the policy from it.
3. Click OK.
Step 11 (Optional) If a traffic policy is bound to the old branch site, unbind the policy from the old
site and bind it to the new branch site. The following uses a QoS policy as an example. The
operations are the same for an ACL policy or an intelligent traffic steering policy.
1. Choose Configuration > Traffic Policy.
2. On the Overlay page, select the VPN to which the sites to be configured belong.
3. Click QoS. On the QoS page that is displayed, click Site View.
4. Select the branch site from which you want to unbind policies, select all policies in the
policy list, and click Unbind. In the Confirm dialog box that is displayed, click OK.
5. Select the new branch site to which you want to bind policies and click Bind New
Policy. In the Bind New Policy dialog box that is displayed, select all the required
policies and click OK.
6. Click Commit All. In the Commit dialog box that is displayed, set Effective time and
click OK.
Step 12 (Optional) If a security policy is bound to the old branch site, unbind the policy from the old
site and bind it to the new branch site.
1. Choose Configuration > Security Policy.
2. On the Security Policy page, select the VPN to which the site to be configured belongs.
3. On the Security Policy page, click in the Operation column of the policy. In the
Attach Sites dialog box that is displayed, select the new branch site and click to
bind the policy to it. Select the old branch site and click to unbind the policy from it.
Then, click OK.
4. Select the policy to be submitted, click Commit, and select Commit Selected. In the
Commit dialog box that is displayed, set Effective time and click OK.
Step 13 Add a new CPE using a virtual ESN. The virtual ESN is used to remove the existing CPE
from the old branch site, so that the existing CPE can register with the new branch site after
deployment.
When setting the virtual ESN, change the last six digits in the ESN of the CPE at the old site
to random digits to ensure that the new ESN does not exist in the system.
1. Choose Device Management > Device List. The Device List page is displayed.
2. Click Add Device and set Addition method to Manually create.
3. Set Mode to ESN and click Add.
4. Set ESN, Device Name, and Description and click Submit.
5. Click OK.
Step 14 Replace the CPE.
1. Choose Device Management > Device List. The Device List page is displayed.
2. In the device list, find the CPE of the old branch site. Click in the Operation column
of the CPE record. The Device Replacement page is displayed.
3. In the new device list that is displayed, select the device with the virtual ESN added in
the previous step and click OK.
2. In the device list, find the replaced CPE and click in the Operation column of this
CPE. In the High Risk dialog box that is displayed, click Yes to delete the device
information.
Step 16 Change the name of the new site to that of the old site.
1. Choose Configuration > Site.
2. On the Site page, click in the Operation column next to the old site, change the site
name to any value, and click OK.
3. On the Site page, click in the Operation column next to the new site, change the site
name to that of the old site, and click OK.
Step 17 Install the CPE at the new branch site based on the site networking requirements and connect
the WAN port of the CPE to the WAN.
Step 18 Deploy the CPE at the branch site using email-based deployment.
1. Press and hold the Reset button on the CPE for 5 seconds or longer to restore the factory
settings of the CPE.
2. Wait for a moment until the SYS indicator on the CPE is blinking green slowly,
indicating that the CPE has started successfully.
3. Perform email-based deployment according to section 2.2.2 Email-based Deployment.
Step 19 After the deployment is successful, verify that the CPE registers with the Agile Controller-
Campus again to obtain the configuration of the new branch site.
Step 20 After the successful change operation, observe the site running status for a period of time. If
the site runs properly, go to the next step. Otherwise, refer to 2.4.5 Rolling Back from
Single-CPE Single-Link (Internet) Networking to Dual-CPE Dual-Link (MPLS and
Internet) Networking to roll back the change operation.
----End
Networking Requirements
One CPE is deployed at the branch site, Site1, of an enterprise as the gateway and it connects
to the WAN through an MPLS link, as shown in Figure 2-38. The enterprise wants to add one
CPE and one Internet link to change the single-CPE single-link (MPLS) networking to
dual-CPE dual-link (MPLS and Internet) networking. Figure 2-39 shows the networking
diagram after the change.
Solution Design
The configuration roadmap is as follows:
1. On the Agile Controller-Campus, create a new branch site according to the networking
requirements and complete the service configuration for the new branch site based on the
services configured at the old branch site. Unbind the service configuration from the old
site, delete the old site, and change the name of the new site to that of the old site.
2. At the new branch site, re-deploy the CPEs, connect them to the WAN, and complete the
CPE deployment.
3. After the CPEs are deployed, they automatically obtain the modified configuration from
the Agile Controller-Campus.
Figure 2-40 shows the operation flowchart.
Data Plan
One CPE and one Internet link need to be added. In this example, static routes are used as the
underlay network routes for interworking with the WAN-side networks. The following tables
list required data. The configuration of other services is the same as that of the old branch site,
and is not mentioned here.
The data plan tables (Item / Value) for the added CPE and Internet link were not preserved in
extraction, apart from a Description row with value "-" and a Priority row with the values 60 and 60.
Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.
The system provides two default transport networks, Internet and Internet1, for which
Routing Domain is set to Internet. This configuration case uses the default transport
networks.
Step 4 Add a device based on the device model and use it as the CPE gateway for the new branch
site.
1. Choose Device Management > Device List. The Device List page is displayed.
2. Click Add Device and set Addition method to Manually create.
3. Set Mode to Device Model, and click Add.
4. On the page that is displayed, set Type, Device Model, and Quantity.
5. Click Edit, change the value of Device Name, and click Submit.
6. Click OK.
Step 6 Complete the ZTP configuration for the new branch site and send a deployment email.
1. Change the WAN link IP address of the old branch site.
a. Choose Configuration > Site > ZTP Configuration. The ZTP Configuration
page is displayed.
b. In the site list on the left, click the old branch site. The WAN Link page displays
link information.
c. Click next to the WAN link that will use the IP address of the new site in the
Operation column in the right pane.
d. In the Set WAN Link dialog box that is displayed, set the IP address to a value that
does not conflict with those of the other sites.
5. In the displayed Send Email dialog box, select the site to deploy and click .
6. Enter the recipient email address and CC email address, select the created email
template, modify the email content, and click OK.
Step 7 Configure WAN routes for the underlay network of the new branch site. The following
describes how to configure static routes.
1. Choose Configuration > Site > Underlay Configuration.
2. Select the new branch site with ZTP settings completed from the list on the left.
3. On the WAN Route page that is displayed, click Click Here to Add Routing Protocol
and select Static.
4. On the Static page, click Create and configure static routes for WAN link access. Then,
click Apply Changes.
Step 8 Complete the site configuration for the overlay network of the new branch site, including the
interface connecting to the LAN, LAN-side routes, and WAN routing policies. The following
describes how to configure VLANs.
1. Choose Configuration > Overlay Network > Site Configuration.
2. On the Site Configuration page, select the VPN to which the site to be configured
belongs.
3. Select the new branch site and click VLAN in the right pane.
4. Click Create and enter VLAN information. On the main page, click Apply Changes.
5. (Optional) If multiple VPNs are configured for the old branch site, repeat the preceding
steps to configure all VPN services for the new branch site.
Step 9 (Optional) If a custom VPN is configured for the old branch site, add the new branch site to
this custom VPN.
1. Choose Configuration > Overlay Network > VPN.
2. On the VPN page, click in the Operation column of the VPN to be modified. On the
page that is displayed, select the new branch site and click to add it to the VPN.
3. Click OK.
Step 10 (Optional) If a traffic distribution policy is configured for the old branch site, unbind this
policy from the old branch site and bind it to the new branch site.
1. Choose Configuration > Overlay Network > Traffic Distribution.
2. On the Traffic Distribution page, click in the Operation column next to a traffic
distribution policy and click Next. On the page that is displayed, select the new branch
site and click to associate the policy with it. Then, select the old branch site and click
to unbind the policy from it.
3. Click OK.
Step 11 (Optional) If a traffic policy is bound to the old branch site, unbind the policy from the old
site and bind it to the new branch site. The following uses a QoS policy as an example. The
operations are the same for an ACL policy or an intelligent traffic steering policy.
1. Choose Configuration > Traffic Policy.
2. On the Overlay page, select the VPN to which the sites to be configured belong.
3. Click QoS. On the QoS page that is displayed, click Site View.
4. Select the branch site from which you want to unbind policies, select all policies in the
policy list, and click Unbind. In the Confirm dialog box that is displayed, click OK.
5. Select the new branch site to which you want to bind policies and click Bind New
Policy. In the Bind New Policy dialog box that is displayed, select all the required
policies and click OK.
6. Click Commit All. In the Commit dialog box that is displayed, set Effective time and
click OK.
Step 12 (Optional) If a security policy is bound to the old branch site, unbind the policy from the old
site and bind it to the new branch site.
1. Choose Configuration > Security Policy.
2. On the Security Policy page, select the VPN to which the site to be configured belongs.
3. On the Security Policy page, click in the Operation column of the policy. In the
Attach Sites dialog box that is displayed, select the new branch site and click to
bind the policy to it. Select the old branch site and click to unbind the policy from it.
Then, click OK.
4. Select the policy to be submitted, click Commit, and select Commit Selected. In the
Commit dialog box that is displayed, set Effective time and click OK.
Step 13 Add a new CPE using a virtual ESN. The virtual ESN is used to remove the existing CPE
from the old branch site, so that the existing CPE can register with the new branch site after
deployment.
When setting the virtual ESN, change the last six digits in the ESN of the CPE at the old site
to random digits to ensure that the new ESN does not exist in the system.
1. Choose Device Management > Device List. The Device List page is displayed.
2. Click Add Device and set Addition method to Manually create.
3. Set Mode to ESN and click Add.
4. Set ESN, Device Name, and Description and click Submit.
5. Click OK.
Step 14 Replace the CPE.
1. Choose Device Management > Device List. The Device List page is displayed.
2. In the device list, find the CPE of the old branch site. Click in the Operation column
of the CPE record. The Device Replacement page is displayed.
3. In the new device list that is displayed, select the device with the virtual ESN added in
the previous step and click OK.
2. In the device list, find the replaced CPE and click in the Operation column of this
CPE. In the High Risk dialog box that is displayed, click Yes to delete the device
information.
Step 16 Change the name of the new site to that of the old site.
1. Choose Configuration > Site.
2. On the Site page, click in the Operation column next to the old site, change the site
name to any value, and click OK.
3. On the Site page, click in the Operation column next to the new site, change the site
name to that of the old site, and click OK.
Step 17 Install the CPE at the new branch site based on the site networking requirements and connect
the WAN port of the CPE to the WAN.
Step 18 Deploy the CPE at the branch site using email-based deployment.
1. Press and hold the Reset button on the CPE for 5 seconds or longer to restore the factory
settings of the CPE.
2. Wait for a moment until the SYS indicator on the CPE is blinking green slowly,
indicating that the CPE has started successfully.
3. Perform email-based deployment according to section 2.2.2 Email-based Deployment.
Step 19 After the deployment is successful, verify that the CPE registers with the Agile Controller-
Campus again to obtain the configuration of the new branch site.
Step 20 After the successful change operation, observe the site running status for a period of time. If
the site runs properly, go to the next step. Otherwise, refer to 2.4.5 Rolling Back from
Single-CPE Single-Link (Internet) Networking to Dual-CPE Dual-Link (MPLS and
Internet) Networking to roll back the change operation.
----End
Networking Requirements
Two CPEs are deployed at the branch site, Site1, of an enterprise as the gateways and they
connect to the WAN through an MPLS link and an Internet link, as shown in Figure 2-41.
The enterprise wants to remove one CPE and the MPLS link connecting to it. This changes
the dual-CPE dual-link (MPLS and Internet) networking to single-CPE single-link (Internet)
networking. Figure 2-42 shows the networking diagram after the change.
Solution Design
The configuration roadmap is as follows:
1. On the Agile Controller-Campus, create a new branch site according to the networking
requirements and complete the service configuration for the new branch site based on the
services configured at the old branch site. Unbind the service configuration from the old
site, delete the old site, and change the name of the new site to that of the old site.
2. At the new branch site, re-deploy the CPE, connect it to the WAN, and complete the CPE
deployment.
3. After the CPE is deployed, it automatically obtains the modified configuration from the
Agile Controller-Campus.
Figure 2-43 shows the detailed operation flowchart.
Data Plan
You need to delete the MPLS link. The following tables list required data. The configuration
of other services is the same as that of the old branch site, and is not mentioned here.
Item Value
Description -
Item Value
Device Device1
Interface GE0/0/1
Role Active
Site Site1_new
Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.
Step 2 (Optional) Create transport networks.
The system provides two default transport networks, Internet and Internet1, for which
Routing Domain is set to Internet. This configuration case uses the default transport
networks.
Step 3 Create a site template for branch site creation.
1. Choose Configuration > Site > Template. On the Site Template page that is displayed,
click Create.
2. Enter the template information and click OK.
Step 4 Add a device based on the device model and use it as the CPE gateway for the new branch
site.
1. Choose Device Management > Device List. The Device List page is displayed.
2. Click Add Device. Set Addition method to Manually create.
3. Set Mode to Device Model, and click Add.
4. On the page that is displayed, set Type, Device Model, and Quantity, and click OK.
5. Click Edit, change the value of Device Name, and click Submit.
6. Click OK.
4. Under Add Device, select the device added in the previous step.
5. Click OK.
Step 6 Complete the ZTP configuration for the new branch site and send a deployment email.
1. Change the WAN link IP address of the old branch site.
a. Choose Configuration > Site > ZTP Configuration. The ZTP Configuration
page is displayed.
b. In the site list on the left, click the old branch site. The WAN Link page displays
link information.
c. Click next to the WAN link that will use the IP address of the new site in the
Operation column in the right pane.
d. In the Set WAN Link dialog box that is displayed, set the IP address to a value that
does not conflict with those of the other sites.
a. In the displayed Send Email dialog box, select the site to deploy and click .
b. Enter the recipient email address and CC email address, select the created email
template, modify the email content, and click OK.
Step 7 Configure WAN routes for the underlay network of the new branch site. The following
describes how to configure static routes.
1. Choose Configuration > Site > Underlay Configuration.
2. Select the new branch site with ZTP settings completed from the list on the left.
3. On the WAN Route page that is displayed, click Click Here to Add Routing Protocol
and select Static.
4. On the Static page, click Create and configure static routes for WAN link access. Then,
click Apply Changes.
Step 8 Complete the site configuration for the overlay network of the new branch site, including the
interface connecting to the LAN, LAN-side routes, and WAN routing policies. The following
describes how to configure VLANs.
1. Choose Configuration > Overlay Network > Site Configuration.
2. On the Site Configuration page, select the VPN to which the site to be configured
belongs.
3. Select the new branch site and click VLAN in the right pane.
4. Click Create, enter VLAN information, and click Apply Changes.
5. (Optional) If multiple VPNs are configured for the old branch site, repeat the preceding
steps to configure all VPN services for the new branch site.
Step 9 (Optional) If a custom VPN is configured for the old branch site, add the new branch site to
this custom VPN.
1. Choose Configuration > Overlay Network > VPN.
2. On the VPN page, click in the Operation column of the VPN to be modified. On the
page that is displayed, select the new branch site and click to add it to the VPN.
3. Click OK.
Step 10 (Optional) If a traffic distribution policy is configured for the old branch site, unbind this
policy from the old branch site and bind it to the new branch site.
1. Choose Configuration > Overlay Network > Traffic Distribution.
2. On the Traffic Distribution page, click in the Operation column next to a traffic
distribution policy and click Next. On the page that is displayed, select the new branch
site and click to associate the policy with it. Then, select the old branch site and click
to unbind the policy from it.
3. Click OK.
Step 11 (Optional) If a traffic policy is bound to the old branch site, unbind the policy from the old
site and bind it to the new branch site. The following uses a QoS policy as an example. The
operations are the same for an ACL policy or an intelligent traffic steering policy.
1. Choose Configuration > Traffic Policy.
2. On the Overlay page, select the VPN to which the sites to be configured belong.
3. Click QoS. On the QoS page that is displayed, click Site View.
4. Select the branch site from which you want to unbind policies, select all policies in the
policy list, and click Unbind. In the Confirm dialog box that is displayed, click OK.
5. Select the new branch site to which you want to bind policies and click Bind New
Policy. In the Bind New Policy dialog box that is displayed, select all the required
policies and click OK.
6. Click Commit All. In the Commit dialog box that is displayed, set Effective time and
click OK.
Step 12 (Optional) If a security policy is bound to the old branch site, unbind the policy from the old
site and bind it to the new branch site.
1. Choose Configuration > Security Policy.
2. On the Security Policy page, select the VPN to which the site to be configured belongs.
3. On the Security Policy page, click in the Operation column of the policy. In the
Attach Sites dialog box that is displayed, select the new branch site and click to
bind the policy to it. Select the old branch site and click to unbind the policy from it.
Then, click OK.
4. Select the policy to be submitted, click Commit, and select Commit Selected. In the
Commit dialog box that is displayed, set Effective time and click OK.
Step 13 Add a new CPE using a virtual ESN. The virtual ESN is used to remove the existing CPE
from the old branch site, so that the existing CPE can register with the new branch site after
deployment.
When setting the virtual ESN, change the last six digits in the ESN of the CPE at the old site
to random digits to ensure that the new ESN does not exist in the system.
1. Choose Device Management > Device List. The Device List page is displayed.
2. Click Add Device and set Addition method to Manually create.
3. Set Mode to ESN and click Add.
4. Set ESN, Device Name, and Description and click Submit.
5. Click OK.
1. Choose Device Management > Device List. The Device List page is displayed.
2. In the device list, find the CPE of the old branch site. Click in the Operation column
of the CPE record. The Device Replacement page is displayed.
3. In the new device list that is displayed, select the device with the virtual ESN added in
the previous step and click OK.
2. In the device list, find the replaced CPE and click in the Operation column of this
CPE. In the High Risk dialog box that is displayed, click Yes to delete the device
information.
Step 16 Change the name of the new site to that of the old site.
1. Choose Configuration > Site.
2. On the Site page, click in the Operation column next to the old site, change the site
name to any value, and click OK.
3. On the Site page, click in the Operation column next to the new site, change the site
name to that of the old site, and click OK.
Step 17 Install the CPE at the new branch site based on the site networking requirements and connect
the WAN port of the CPE to the WAN.
Step 18 Deploy the CPE at the branch site using email-based deployment.
1. Press and hold the Reset button on the CPE for 5 seconds or longer to restore the factory
settings of the CPE.
2. Wait for a moment until the SYS indicator on the CPE is blinking green slowly,
indicating that the CPE has started successfully.
3. Perform email-based deployment according to section 2.2.2 Email-based Deployment.
Step 19 After the deployment is successful, verify that the CPE registers with the Agile Controller-
Campus again to obtain the configuration of the new branch site.
Step 20 After the successful change operation, observe the site running status for a period of time. If
the site runs properly, go to the next step. Otherwise, refer to 2.4.5 Rolling Back from
Single-CPE Single-Link (Internet) Networking to Dual-CPE Dual-Link (MPLS and
Internet) Networking to roll back the change operation.
----End
Networking Requirements
The branch site, Site1, of an enterprise originally uses two CPEs as the gateways and connects
to the WAN through an MPLS link and an Internet link. After the site change operation, Site1
only uses the Internet link to connect to the WAN. However, a fault occurs during the trial
running phase after the change. Site1 needs to roll back to the dual-CPE dual-link networking
(MPLS and Internet).
In the trial running phase, the old site configured on the Agile Controller-Campus has not
been deleted. To facilitate site change, you are not advised to delete the new site from the
Agile Controller-Campus.
Solution Design
1. On the Agile Controller-Campus, check the old and new branch sites.
– Both the old and new branch sites exist on the Agile Controller-Campus.
– The new site uses the CPE Site1_2, which has a real ESN.
– The old site uses two CPEs: Site1_1 and Site1_2_dummy1, which have a real ESN
and a virtual ESN, respectively.
2. Perform the rollback on the Agile Controller-Campus.
– Use Site1_2 (real ESN) of the new site to replace Site1_2_dummy1 (virtual ESN)
of the old site so that the old site can use Site1_2.
– Change the WAN link IP address of the old site to the actual IP address.
3. At the branch site, deploy the physical connections for the CPEs to connect to the WAN
and perform deployment for the CPEs again.
4. After the CPEs are deployed, they automatically obtain the modified configuration from
the Agile Controller-Campus.
Figure 2-45 shows the detailed operation flowchart.
Data Plan
Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.
Step 2 Add the new device Site1_2_dummy2 that uses a virtual ESN in ESN mode to replace the
CPE of the new site so that the CPE can register with the old site after the deployment.
When setting the virtual ESN, change any of the last six digits of the ESN of the CPE at the
old site and use the result as the ESN of the new device that replaces the CPE at the new site.
The new ESN must be unique in the system.
1. Choose Device Management > Device List. The Device List page is displayed.
2. Click Add Device. Set Addition method to Manually create.
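The virtual-ESN rule above (and the same rule in Step 13 of the two preceding scenarios) is easy to get wrong by hand: the derived ESN must keep the real device's prefix, differ only in the last six digits, and not collide with any ESN the controller already knows. The following Python is an added example, not code from the guide or from the Agile Controller-Campus; it derives a virtual ESN from a real one, retries until the result is unused, and models the ESN swap that Step 3 describes after a device replacement. The 20-character ESN format, the device names and the inventory are constructed assumptions for the example.

```python
import random
import re
from typing import Dict, Iterable, Optional

# Assumption for this example: an ESN is 20 uppercase alphanumeric characters.
ESN_RE = re.compile(r"^[0-9A-Z]{20}$")


def make_virtual_esn(real_esn: str, existing: Iterable[str],
                     rng: Optional[random.Random] = None, max_tries: int = 100) -> str:
    """Derive a virtual ESN by replacing the last six characters of real_esn with
    random digits, retrying until the result is not already present in the inventory."""
    if not ESN_RE.match(real_esn):
        raise ValueError(f"unexpected ESN format: {real_esn!r}")
    taken = set(existing) | {real_esn}          # the real ESN itself is never a valid virtual ESN
    rng = rng or random.SystemRandom()
    prefix = real_esn[:-6]
    for _ in range(max_tries):
        candidate = prefix + "".join(rng.choice("0123456789") for _ in range(6))
        if candidate not in taken:
            return candidate
    raise RuntimeError("could not find an unused virtual ESN")


def is_virtual_of(real_esn: str, candidate: str) -> bool:
    """True if candidate is a well-formed virtual ESN derived from real_esn."""
    return (len(candidate) == len(real_esn)
            and candidate != real_esn
            and candidate[:-6] == real_esn[:-6]
            and candidate[-6:].isdigit())


def replace_device(devices: Dict[str, str], registered: str, dummy: str) -> Dict[str, str]:
    """Model the controller's device replacement: after replacing `registered` with
    `dummy`, the dummy carries the real ESN and the former device keeps the virtual one."""
    swapped = dict(devices)
    swapped[dummy], swapped[registered] = devices[registered], devices[dummy]
    return swapped


# Constructed sample inventory (not real devices).
REAL_ESN = "2102350000000000AB01"
INVENTORY = {
    "Site1_1": "2102350000000000AB00",
    "Site1_2": REAL_ESN,
    "Site1_2_dummy1": "21023500000000123456",
}


def demo(seed: int = 1) -> Dict[str, str]:
    """Derive a virtual ESN for Site1_2, add Site1_2_dummy2 with it, then replace Site1_2."""
    virtual = make_virtual_esn(REAL_ESN, INVENTORY.values(), random.Random(seed))
    devices = dict(INVENTORY, Site1_2_dummy2=virtual)
    return replace_device(devices, "Site1_2", "Site1_2_dummy2")


if __name__ == "__main__":
    for name, esn in demo().items():
        print(f"{name:16} {esn}")
```

`replace_device` only models the bookkeeping the guide describes (the real ESN moves to the dummy, the virtual ESN stays behind); the controller's own registration and configuration delivery are outside the example.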
Step 3 Use Site1_2_dummy2 (virtual ESN) to replace the CPE at the new site.
1. Choose Device Management > Device List. The Device List page is displayed.
2. In the device list, find the CPE of the new branch site. Click in the Operation
column of the CPE record. The Device Replacement page is displayed.
3. In the new device list that is displayed, select Site1_2_dummy2 (virtual ESN) and click
OK.
4. Check the ESNs of the two CPEs. The ESN of Site1_2_dummy2 changes to a real ESN,
and the ESN of Site1_2 changes to a virtual ESN.
Step 4 Use Site1_2_dummy2 (real ESN) to replace Site1_2_dummy1 (virtual ESN) at the old site.
1. Choose Device Management > Device List. The Device List page is displayed.
2. In the device list, find the CPE of the new branch site. Click in the Operation
column of the CPE record. The Device Replacement page is displayed.
3. In the new device list that is displayed, select Site1_2_dummy2 (real ESN) and click
OK.
NOTE
If a registered device with a real ESN is used to replace a device with a virtual ESN, the configuration of
the old site will be delivered to the device with a real ESN, conflicting with the original configuration on
the device. As a result, the configuration fails and an alarm is generated. In this case, you can ignore the
related alarms generated on the device. To prevent the configuration failure alarm, disable the WAN
interface on the device with a real ESN or restore the factory default settings for the CPE by holding
down the Reset button for at least 5 seconds before the replacement.
Step 5 Change the WAN link IP address of the new site to a virtual IP address and that of the old site
to a real IP address.
In the system, two sites cannot use the same WAN link IP address. During the rollback, you
need to change the WAN link IP address of the new site to a value that does not conflict with
those of the other sites and that of the old site to a real IP address.
1. Change the WAN link IP address of the old site. In this example, you only need to
change the IP address of the Internet link.
a. Choose Configuration > Site > ZTP Configuration. The ZTP Configuration
page is displayed.
b. In the site list on the left, click the old branch site. The WAN Link page displays
link information.
c. Click next to the WAN link that will use the IP address of the new site in the
Operation column in the right pane.
d. In the Set WAN Link dialog box that is displayed, set the IP address to a value that
does not conflict with those of the other sites.
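Because two sites cannot share a WAN link IP address, the order of the two address changes in Step 5 matters: the new site must first be moved to a placeholder address before the old site can take the real address back. The following Python is an added example, not code from the guide or from the Agile Controller-Campus; it checks a site table for duplicate WAN link addresses and applies the rollback in the safe order, refusing any change that would create a conflict. The site names, link names and addresses (from documentation ranges) are constructed assumptions.

```python
import ipaddress
from copy import deepcopy
from typing import Dict, List

Sites = Dict[str, Dict[str, str]]   # site name -> {WAN link name -> IP address}


def find_conflicts(sites: Sites) -> Dict[str, List[str]]:
    """Return {ip: [site, ...]} for every WAN link address used by more than one site."""
    users: Dict[str, set] = {}
    for site, links in sites.items():
        for ip in links.values():
            users.setdefault(str(ipaddress.ip_address(ip)), set()).add(site)
    return {ip: sorted(s) for ip, s in users.items() if len(s) > 1}


def set_link_ip(sites: Sites, site: str, link: str, ip: str) -> Sites:
    """Return a copy of the table with one WAN link address changed, or raise if the
    change would leave two sites on the same address."""
    changed = deepcopy(sites)
    changed[site][link] = str(ipaddress.ip_address(ip))
    conflicts = find_conflicts(changed)
    if conflicts:
        raise ValueError(f"{ip} on {site}/{link} would conflict: {conflicts}")
    return changed


def plan_rollback(sites: Sites, old_site: str, new_site: str, link: str,
                  placeholder_ip: str) -> Sites:
    """Step 5 of the rollback: park the new site on a placeholder address first, then
    return the real address of that link to the old site."""
    real_ip = sites[new_site][link]
    parked = set_link_ip(sites, new_site, link, placeholder_ip)
    return set_link_ip(parked, old_site, link, real_ip)


# Constructed sample state after the earlier change: the old site Site1 still holds the
# placeholder it was given when the new site took the real Internet address.
SITES: Sites = {
    "Site1":     {"MPLS": "10.1.1.2",   "Internet": "203.0.113.99"},
    "Site1_new": {"Internet": "203.0.113.10"},
    "Site2":     {"MPLS": "10.1.2.2",   "Internet": "198.51.100.20"},
}


if __name__ == "__main__":
    result = plan_rollback(SITES, "Site1", "Site1_new", "Internet", "203.0.113.200")
    for site, links in result.items():
        print(site, links)
```

Trying to assign the real address to the old site before parking the new site raises `ValueError`, which is the situation the guide's note about duplicate WAN link addresses warns about.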
Step 6 At the branch site, connect the CPEs according to the networking of the old site. Connect the
two CPEs to the MPLS and Internet, respectively. Restore the connections between the CPEs
and the connections between the CPEs and the LAN side.
Step 7 Deploy the CPE at the branch site using email-based deployment.
1. Press and hold the Reset button on the CPE for 5 seconds or longer to restore the factory
settings of the CPE.
2. Wait for a moment until the SYS indicator on the CPE is blinking green slowly,
indicating that the CPE has started successfully.
3. Perform email-based deployment according to section 2.2.2 Email-based Deployment.
Step 8 After the deployment is successful, verify that the CPE registers with the Agile Controller-
Campus again to obtain the configuration of the old branch site.
----End
Networking Requirements
A hardware fault occurs on two CPEs at the hub site of an enterprise. The enterprise wants to
replace them with new CPEs to restore network services.
Solution Design
1. Add the new CPEs to the device management system of the Agile Controller-Campus.
Ensure that the model of the new CPEs is the same as that of the CPEs to be replaced.
2. Perform device replacement on the Agile Controller-Campus, select the site at which
CPEs need to be replaced, and send a deployment email.
3. At the site, use the new CPEs to replace the faulty CPEs and connect them to the WAN.
Then, deploy the CPEs again.
4. After the CPEs are deployed, they automatically obtain the modified configuration from
the Agile Controller-Campus.
Figure 2-46 shows the detailed operation flowchart.
Data Plan
Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.
2. In the device list, find the faulty CPEs. Click in the Operation column of the CPE
records. The Device Replacement page is displayed.
3. In the new device list, select the new CPEs after the replacement and click OK.
4. After the replacement is successful, the device ESNs are the ESNs of the new CPEs.
----End