
SD-WAN

Configuration Guide

Issue 01
Date 2019-03-13

HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2019. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China

Website: http://e.huawei.com

Issue 01 (2019-03-13) Copyright © Huawei Technologies Co., Ltd. i


SD-WAN
Configuration Guide Contents

Contents

1 Configuration Guide.....................................................................................................................1
1.1 SD-WAN Network Architecture.....................................................................................................................................1
1.2 Typical Application Scenarios........................................................................................................................................2
1.2.1 Carrier Scenario........................................................................................................................................................... 2
1.2.2 Enterprise Self-Construction Scenario........................................................................................................................ 3
1.3 SD-WAN Network Deployment Overview.................................................................................................................... 8
1.4 Feature Configuration Planning......................................................................................................................................9
1.4.1 Networking.................................................................................................................................................................. 9
1.4.1.1 Network Model.........................................................................................................................................................9
1.4.1.2 Site Models............................................................................................................................................................. 13
1.4.1.2.1 Site WAN Model................................................................................................................................................. 14
1.4.1.2.2 Site LAN Model.................................................................................................................................................. 21
1.4.1.3 Underlay Route.......................................................................................................................................................28
1.4.1.4 Overlay Network.................................................................................................................................................... 30
1.4.1.5 VPN Service Isolation............................................................................................................................................ 36
1.4.1.6 Overlay Route.........................................................................................................................................................37
1.4.1.6.1 Address Pool Planning (DSVPN)..........................................................................................................45
1.4.1.7 Internet Access....................................................................................................................................................... 49
1.4.1.8 Connecting to the Legacy MPLS Network.............................................................................................................51
1.4.1.9 Connecting to the Public Cloud..............................................................................................................................54
1.4.1.9.1 Connecting to the AWS....................................................................................................................................... 54
1.4.1.9.2 Connecting to HUAWEI CLOUD....................................................................................................................... 56
1.4.2 Application Experience–oriented Scheduling and Optimization.............................................................................. 58
1.4.2.1 Application Identification.......................................................................................................................................58
1.4.2.2 Intelligent Traffic Steering......................................................................................................................................63
1.4.2.3 QoS......................................................................................................................................................................... 68
1.4.3 Service Security......................................................................................................................................................... 73
1.4.3.1 ACL Traffic Filtering..............................................................................................................................................73
1.4.3.2 Firewall................................................................................................................................................................... 76
1.4.3.3 IPS.......................................................................................................................................................................... 79
1.4.3.4 URL Filtering......................................................................................................................................................... 81
1.4.3.5 Automatic Security Policy Orchestration............................................................................................................... 83
1.4.4 VM (uCPE) Lifecycle Management..........................................................................................................................85


1.4.5 Site Deployment........................................................................................................................................................ 88


1.5 Configuration Procedure...............................................................................................................................................95
1.5.1 Introduction to Administrator Levels........................................................................................................................ 95
1.5.2 Management Process in MSP Operating Mode.........................................................................................................97
1.5.3 Management Process in Tenant Operating Mode......................................................................................................99
1.6 System Administrator Configuration..........................................................................................................................101
1.6.1 Logging In to the Agile Controller-Campus............................................................................................................101
1.6.2 Importing a License................................................................................................................................................. 105
1.6.3 Managing Local Users.............................................................................................................................................107
1.6.4 Creating an MSP and the MSP Administrator.........................................................................................................118
1.6.5 Configuring the Tunnel Mode................................................................................................................................. 122
1.6.6 Creating Tenants and Tenant Administrators...........................................................................................................123
1.6.7 Configuring an Email Server................................................................................................................................... 127
1.6.8 (Optional) Uploading a VM Image through Third-Party File Server......................................................................130
1.7 Configurations Performed by MSP Administrator..................................................................................................... 130
1.7.1 Logging In to the Agile Controller-Campus............................................................................................................130
1.7.2 Initial Configuration................................................................................................................................................ 132
1.7.2.1 (Optional) Configuring an Email Server.............................................................................................................. 133
1.7.2.2 Creating Tenant Administrators..............................................................................................................135
1.7.3 Obtaining and Uploading a VM Image................................................................................................................... 138
1.7.4 Configuring Tenant Services (MSP-Managed O&M).............................................................................................141
1.7.4.1 Authorizing an MSP to Maintain Tenant Services............................................................................................... 142
1.7.4.2 (Optional) Accessing the View for Managing Services for a Tenant................................................................... 142
1.7.4.3 Network Deployment........................................................................................................................................... 143
1.7.4.4 uCPE Deployment................................................................................................................................................ 143
1.7.4.5 Network Control and Optimization...................................................................................................................... 143
1.7.4.6 VM Lifecycle Management..................................................................................................................................143
1.7.4.6.1 (Optional) Configuring a Resource Pool........................................................................................................... 143
1.7.4.6.2 (Optional) Configuring the VM Access Mode.................................................................................................. 144
1.7.4.6.3 (Optional) Configuring the Fault Diagnosis Function.......................................................................................145
1.7.4.6.4 Creating an Endpoint Network.......................................................................................................................... 145
1.7.4.6.5 Creating a Profile...............................................................................................................................................146
1.7.4.6.6 (Optional) Creating a VNF Template................................................................................................................ 148
1.7.4.6.7 Deploying the VNF........................................................................................................................................... 151
1.7.4.6.8 Deploying the Endpoint.....................................................................................................................................154
1.7.4.6.9 Deploying a Service Chain................................................................................................................................ 156
1.8 Tenant Administrator Configuration...........................................................................................................................159
1.8.1 Logging In to the Agile Controller-Campus............................................................................................................159
1.8.2 Initial Configuration................................................................................................................................................ 161
1.8.2.1 Configuring Account Policies and Password Policies..........................................................................................161
1.8.2.2 Creating Roles...................................................................................................................................................... 165
1.8.2.3 Creating Local Accounts...................................................................................................................................... 168


1.8.3 Network Deployment.............................................................................................................................................. 174


1.8.3.1 Adding Devices.................................................................................................................................................... 174
1.8.3.2 Setting Global Parameters.................................................................................................................................... 180
1.8.3.3 (Optional) Customizing a Site Template.............................................................................................................. 189
1.8.3.4 Creating a Site...................................................................................................................................................... 194
1.8.3.5 Associating an Edge Site with a vRR................................................................................................................... 200
1.8.3.6 Configuring the Network Access Mode for a Site............................................................................................... 202
1.8.3.7 Configuring Time Synchronization for a Site.......................................................................................................209
1.8.3.8 Configuring the Underlay Network...................................................................................................................... 211
1.8.3.8.1 Configuring WAN Interfaces.............................................................................................................................212
1.8.3.8.2 Configuring Underlay Routes (OSPF).............................................................................................................. 214
1.8.3.8.3 Configuring Underlay Routes (BGP)................................................................................................................ 218
1.8.3.8.4 Configuring Underlay Routes (Static Routes)...................................................................................................221
1.8.3.9 Creating an Overlay Network...............................................................................................................................223
1.8.3.9.1 Configuring a VPN............................................................................................................................................ 223
1.8.3.9.2 Configuring an Overlay Topology.....................................................................................................................224
1.8.3.9.3 Configuring a VPC............................................................................................................................................ 229
1.8.3.9.4 Configuring Network Access Parameters on the LAN Side (Layer 3)............................................................. 231
1.8.3.9.5 Configuring Network Access Parameters on the LAN Side (Layer 2)............................................................. 238
1.8.3.9.6 Configuring Network Access Parameters on the LAN Side (Terminals Accessing Sites Through Wi-Fi, Layer 2)....................................................................................................................................................................... 245
1.8.3.9.7 Configuring Overlay LAN-Side Routes (Static Routes)................................................................................... 248
1.8.3.9.8 Configuring Overlay LAN-Side Routes (OSPF)...............................................................................................250
1.8.3.9.9 Configuring Overlay LAN-Side Routes (BGP).................................................................................................253
1.8.3.9.10 Configuring Overlay WAN-Side Routes (BGP)..............................................................................................256
1.8.3.9.11 Configuring Overlay WAN-Side Routes (Static Routes)................................................................................ 258
1.8.3.9.12 Configuring VPN Traffic Distribution............................................................................................................ 260
1.8.3.10 Checking the Network Deployment Result........................................................................................................ 261
1.8.4 Site Deployment...................................................................................................................................................... 262
1.8.4.1 (Optional) Customizing an Email Template......................................................................................................... 262
1.8.4.2 Deploying a Site by Email....................................................................................................................................264
1.8.4.3 USB-based Deployment....................................................................................................................................... 268
1.8.4.4 Checking the Email-based (Device) Deployment Result..................................................................................... 271
1.8.5 Network Control and Optimization......................................................................................................................... 272
1.8.5.1 Configuring Applications and Application Groups..............................................................................................272
1.8.5.1.1 Checking Predefined Applications.................................................................................................................... 272
1.8.5.1.2 (Optional) Creating a Customized Application................................................................................................. 273
1.8.5.1.3 Creating a Customized Application Group....................................................................................................... 277
1.8.5.2 Configuring a Traffic Policy Template................................................................................................................. 279
1.8.5.2.1 Creating a Traffic Classifier Template.................................................................................................279
1.8.5.2.2 (Optional) Creating an Effective Time Template.............................................................................................. 282
1.8.5.3 Configuring an Internet Access Policy for a Site................................................................................................. 284
1.8.5.4 Configuring a Mutual-Access Policy for Traditional Sites.................................................................................. 291


1.8.5.5 Configuring a Traffic Policy.................................................................................................................................296


1.8.5.5.1 Creating an ACL Policy for the Underlay Network.......................................................................................... 296
1.8.5.5.2 Creating an ACL Policy for the Overlay Network............................................................................................ 301
1.8.5.5.3 Creating a NAT Policy for the Underlay Network............................................................................................ 306
1.8.5.5.4 Creating a NAT Policy for the Overlay Network.............................................................................................. 311
1.8.5.5.5 Creating an Intelligent Traffic Steering Policy for the Overlay Network......................................................... 316
1.8.5.5.6 Creating a QoS Policy for the Overlay Network............................................................................................... 325
1.8.5.6 Configuring a Security Policy.............................................................................................................................. 332
1.8.5.6.1 Creating a Network Security Policy.................................................................................................................. 332
1.8.5.7 (Optional) Checking Policy Tasks........................................................................................................................ 341
1.8.5.8 Checking the Policy Deployment Result..............................................................................................................344

2 Typical Configuration Examples............................................................................................346


2.1 Building an SD-WAN Network.................................................................................................................................. 346
2.1.1 Introduction to Building an SD-WAN Network...................................................................................................... 346
2.1.2 Creating SD-WAN Sites and Configuring ZTP.......................................................................................................355
2.1.2.1 Single-Hub and Single-CPE Networking with Layer 3 MPLS and Internet Uplinks.......................................... 355
2.1.2.2 Single-Hub and Dual-CPE Networking with Layer 3 MPLS and Internet Uplinks.............................................370
2.1.2.3 Dual-Hub Networking with Layer 3 MPLS and Internet Uplinks....................................................................... 383
2.1.2.4 Dual-Hub Networking with Layer 2 MPLS and Internet Uplinks....................................................................... 405
2.1.2.5 Dual-Hub Networking with Layer 3 MPLS Uplinks............................................................................................426
2.1.2.6 Dual-Hub Networking with Layer 2 MPLS Uplinks............................................................................................452
2.1.3 Configuring WAN-side Routes for Sites (Underlay Network)................................................................................477
2.1.3.1 Configuring BGP Routes......................................................................................................................................478
2.1.3.2 Configuring BGP and Static Routes..................................................................................................................... 482
2.1.3.3 Configuring OSPF Routes.................................................................................................................................... 491
2.1.3.4 Configuring OSPF and BGP Routes.................................................................................................................... 501
2.1.4 Configuring Multi-VPN Isolation........................................................................................................................... 510
2.1.4.1 Configuring Multiple VPNs................................................................................................................................. 510
2.1.5 Configuring LAN-side Interfaces for Sites (Overlay Network).............................................................................. 512
2.1.5.1 Configuring Interconnection Between VLANs and LAN-side Networks............................................................512
2.1.5.2 Configuring Interconnection Between VLANs and LAN-side Networks and Configuring a VRRP Group.......518
2.1.6 Configuring LAN-side Routes for Sites (Overlay Network)...................................................................................525
2.1.6.1 Configuring LAN-side OSPF Routes................................................................................................................... 525
2.1.6.2 Configuring LAN-side BGP and OSPF Routes................................................................................................... 528
2.1.7 Configuring WAN-side Routes for Sites (Overlay Network)..................................................................................533
2.1.7.1 Configuring WAN-side Static Routes...................................................................................................................533
2.1.8 Configuring Intelligent Traffic Steering.................................................................................................................. 537
2.1.8.1 Configuring Intelligent Traffic Steering for Services...........................................................................................538
2.1.9 Configuring a Site-to-Internet Policy...................................................................................................................... 543
2.1.9.1 Configuring Centralized Internet Access Through LAN-side Internet Links of Hubs........................................ 543
2.1.9.2 Configuring Centralized Internet Access Through WAN-side Internet Links of Hubs........................................545
2.1.9.3 Configuring Hybrid Internet Access Through Local Internet Links and LAN-side Links of Hubs.....................549


2.1.10 Configuring a Site-to-Legacy Site Policy..............................................................................................................553


2.1.10.1 Configuring Communication Between SD-WAN Sites and Legacy Sites in Centralized Access Mode........... 553
2.1.10.2 Configuring Communication Between SD-WAN Sites and Legacy Sites in Centralized Access Mode Through a Branch Site....................................................................................................................................................... 556
2.1.10.3 Configuring Communication Between SD-WAN Sites and the Legacy Site in Hybrid Access Mode..............559
2.1.11 Configuring a QoS Policy......................................................................................................................................565
2.1.11.1 Configuring Preferential Transmission of HTTP Services from Branch Sites to Hub Sites.............................. 565
2.1.12 Configuring an ACL Policy (Overlay Network)................................................................................................... 569
2.1.12.1 Forbidding Access to YouTube During Working Hours.................................................................................... 570
2.1.13 Configuring a Security Policy............................................................................................................................... 575
2.1.13.1 Configuring a Security Policy for Hub Sites...................................................................................................... 576
2.1.14 Configuration Examples........................................................................................................................................ 578
2.1.14.1 Example for Building an SD-WAN Network for an Enterprise Tenant............................................................. 579
2.2 Site Deployment......................................................................................................................................................... 615
2.2.1 USB-based Deployment.......................................................................................................................................... 616
2.2.2 Email-based Deployment........................................................................................................................................ 622
2.3 Configuration Change of the Hub Site....................................................................................................................... 634
2.3.1 Changing Single-CPE Single-Link (MPLS) Networking to Dual-CPE Dual-Link (MPLS and Internet) Networking.......................................................................................................................................................................... 634
2.4 Configuration Changes in Different Branch Site Networking Modes........................................................................639
2.4.1 Overview of Configuration Changes in Different Branch Site Networking Modes............................................... 639
2.4.2 Changing Single-CPE Single-Link (MPLS) Networking to Single-CPE Dual-Link (MPLS and Internet)........... 643
2.4.3 Changing Single-CPE Single-Link (MPLS) Networking to Dual-CPE Dual-Link (MPLS and Internet) Networking.......................................................................................................................................................................... 657
2.4.4 Changing Dual-CPE Dual-Link (MPLS and Internet) Networking to Single-CPE Single-Link (Internet) Networking....................................................................................................................................................................... 673
2.4.5 Rolling Back from Single-CPE Single-Link (Internet) Networking to Dual-CPE Dual-Link (MPLS and Internet) Networking....................................................................................................................................................................... 686
2.5 Faulty CPE Replacement............................................................................................................................................692
2.5.1 Replacing Dual Faulty CPE Gateways.................................................................................................................... 693

1 Configuration Guide

1.1 SD-WAN Network Architecture


Huawei SD-WAN Solution uses the SD-WAN@AC-Campus to centrally deploy and manage
enterprise networks. Hub sites, data centers, and branch sites of each enterprise network are
mapped to edge sites on an SD-WAN network. Figure 1-1 shows the SD-WAN network
architecture.
The SD-WAN@AC-Campus is responsible for NE control, network service orchestration,
VNF orchestration on the universal customer premises equipment (uCPE), and network O&M
and monitoring. The SD-WAN@AC-Campus sends the service orchestration configurations
to the virtual route reflector (vRR), and the vRR distributes the configurations to CPEs at each
site to control routing information advertisement and tunnel establishment between CPEs. If
an enterprise deploys Virtual Private Cloud (VPC) resources on the public cloud, the SD-
WAN network of the enterprise can connect to the public cloud.
On SD-WAN networks, you can deploy services such as SaaS applications on the Internet,
access to legacy MPLS networks, QoS, intelligent traffic steering, as well as security policies
including URL filtering and access control list (ACL) through the SD-WAN@AC-Campus.
The SD-WAN@AC-Campus deploys services to CPEs at each site through the service
orchestration function. If a uCPE gateway is used, VASs such as WAN optimization and
security services can be deployed on the uCPE gateway.

Figure 1-1 SD-WAN network architecture

1. SD-WAN@AC-Campus: core component in the control system, which implements
functions such as network service orchestration, NE control, basic network O&M, uCPE
orchestration and management, and basic performance monitoring.
2. vRR: an RR deployed on a specified CPE to distribute VPN routes and tunnel
information between CPEs based on the VPN topology of the overlay network.
3. CPE: egress CPE of a site, which can be a traditional CPE, a uCPE, or an NFV vCPE.
4. VAS: Huawei-developed vFW or third-party VAS device that implements WAN
optimization, security and other services.
5. Third-party EMS: a system that manages third-party VAS devices.

1.2 Typical Application Scenarios

1.2.1 Carrier Scenario


Carriers provide network construction and O&M services for enterprises of different scales in
various industries, enabling enterprises to quickly complete network deployment and service
provisioning. Carriers, acting as SD-WAN managed service providers, provide SD-WAN
network construction, VASs, cloud services, and managed services for enterprises. Enterprises
can also implement O&M with their own professional network maintenance teams.

Figure 1-2 Carrier deployment scenario

Deployment Process
After a carrier deploys the SD-WAN@AC-Campus, the system administrator needs to select
the operating mode when logging in to the system for the first time. Generally, the MSP
operating mode is recommended. In this mode, the carrier acts as the MSP administrator,
provides managed services for enterprise tenants, and provides VASs through VNF
management and provisioning. For details about the deployment process of the MSP
operating mode, see 1.5.2 Management Process in MSP Operating Mode.

1.2.2 Enterprise Self-Construction Scenario


In addition to SD-WAN networks constructed by carriers, enterprises can also construct SD-
WAN networks by themselves. Depending on the enterprise scale, enterprise self-construction
can be further divided into the categories of small and medium-sized enterprise (SME), large
enterprise, and multinational enterprise scenarios.

SME
SMEs usually consist of a headquarters and several branches.
Networking Model
The single-layer networking of Huawei SD-WAN Solution shown in Figure 1-3 is
recommended for SMEs.

Figure 1-3 SME scenario

Deployment Process
To reduce network construction and maintenance costs, SMEs are advised to lease the
SD-WAN@AC-Campus deployed on HUAWEI CLOUD and obtain professional SD-WAN
network management services as tenants. The service provider is then responsible for
managing the SD-WAN network on behalf of the SME. For the deployment process, see 1.5.2
Management Process in MSP Operating Mode.

Large Enterprise
Large enterprises generally have headquarters and branches that are widely dispersed across a
country or area and have their own network maintenance teams. Large enterprises with
distributed branches provide various types of services and have stringent requirements on
private line quality.
Networking Model
Based on the number of enterprise sites, Huawei SD-WAN Solution provides two networking
models for large enterprises: hierarchical networking and single-layer networking. The
hierarchical networking (shown in Figure 1-4) is recommended for large enterprises with a
large number of branches. The single-layer networking (shown in Figure 1-5) is
recommended for large enterprises with a small number of branches.

Figure 1-4 Application scenario for large enterprises with a large number of branches

Figure 1-5 Application scenario for large enterprises with a small number of branches

Deployment Process
Large enterprises can deploy the SD-WAN@AC-Campus in the data center or HUAWEI
CLOUD. If no uCPE gateway is deployed on the network and VNF management is not
required, the deployment process for the two-layer operating mode (involving only system
administrators and tenants) can be used. For details, see 1.5.3 Management Process in
Tenant Operating Mode. If the uCPE gateway is deployed and the SD-WAN@AC-Campus
implements VNF management and service chain orchestration on the uCPE, the deployment
process for the three-layer operating mode (involving system administrators, MSP
administrators, and tenant administrators) is used. For details, see 1.5.2 Management Process
in MSP Operating Mode.

Multinational Enterprise
Multinational enterprises have branches or subsidiaries in multiple countries or areas and
carry out transnational operations. They have a high IT investment, diversified applications,
and both national and international leased WAN networks.
Networking Model
Multinational enterprises often deploy one or two global headquarters and regional
headquarters and branches in each country or region (for example, Southeast Asia). Figure
1-6 shows the networking model of Huawei SD-WAN Solution for multinational enterprises.
The global headquarters and regional headquarters are connected through the international
WAN networks. The regional headquarters can serve as the aggregation node in the
corresponding country or region to forward traffic between branches and between the global
headquarters and branches. Typically, two CPEs or uCPEs are deployed at the regional
headquarters, and depending on reliability requirements, one or two CPEs or uCPEs are
deployed at branches.

Figure 1-6 Multinational enterprise scenario

Deployment Process
Multinational enterprises use international WAN links for communication, which may have
diversified requirements. Therefore, the SD-WAN@AC-Campus can be deployed in
distributed mode to manage SD-WAN networks. For example, one SD-WAN@AC-Campus is
deployed in each country or region, and one SD-WAN@AC-Campus is deployed between
international links.
If no uCPE gateway is deployed on the network and VNF management is not required, the
deployment process for the two-layer operating mode (involving only system administrators
and tenants) can be used. For details, see 1.5.3 Management Process in Tenant Operating
Mode. If the uCPE gateway is deployed and the SD-WAN@AC-Campus implements VNF
management and service chain orchestration on the uCPE, the deployment process for the
three-layer operating mode (involving system administrators, MSP administrators, and tenant
administrators) is used. For details, see 1.5.2 Management Process in MSP Operating
Mode.

1.3 SD-WAN Network Deployment Overview


As shown in Figure 1-7, the SD-WAN network of an enterprise is logically divided into three
layers, from top to bottom: the physical network layer (underlay network), the logical network
layer (overlay network), and the service policy layer.

l Underlay network
The underlay network can be an IP or MPLS network. For an IP underlay network,
services shall be reachable over IP routes; for an MPLS underlay network, all enterprise
services can be carried over one or more MPLS VPNs. The underlay network is the basis
of the SD-WAN solution. An overlay network can be built only after the underlay
network is connected.
l Overlay network
An overlay network is a logical network abstracted from a physical network. On the
connected underlay network, overlay network technologies such as EVPN, GRE, and
IPSec are used to automatically create VPNs that connect sites based on the overlay
network topology, and BGP is used for route exchange on the overlay network.
l Service policy
Service policies are configured on the overlay network to meet QoS, security, reliability,
and service experience requirements of enterprise services. The service policies include
QoS policies, intelligent traffic steering policies, and security policies.

Figure 1-7 Logical architecture of SD-WAN networks

During network planning and deployment, design and deploy an SD-WAN network as
follows:

1. Network deployment
a. Plan the underlay network model and site model to complete Zero Touch
Provisioning (ZTP) configuration for site deployment.
b. Plan the routing protocol for the WAN side of the underlay network.
c. Plan VPN service isolation.
d. Plan the topology mode of the overlay network.


e. Plan overlay routes, including LAN-side routes and overlay WAN-side routing
policies.
f. Plan the policies for accessing the Internet and the legacy MPLS network.
g. Select the public cloud platform to be connected.
2. Service deployment
– Deploy route selection and optimization policies, including application
identification, application-based intelligent traffic steering, and QoS, based on
enterprise requirements.
– Plan security services, such as ACL policies, firewalls, URL filtering, and IPS.
– Plan the deployment of VNF services on the uCPE.
3. Device deployment
Select a site deployment mode, for example, email- or USB-based deployment.

1.4 Feature Configuration Planning

1.4.1 Networking

1.4.1.1 Network Model


To better support subsequent network deployment and expansion, the network needs to be
abstracted and modeled (including the network model, site model, and service model) during
network design.

Introduction to Network Models


Single-Layer Network Model
The single-layer network model, also called the flat network model, is typically applicable to
small enterprise networks that are centrally deployed or networks for branches of large
enterprises.

Hierarchical Network Model


The single-layer network model is inapplicable to large-scale networks that span multiple
countries or continents, because management complexity and leased network costs increase
linearly with the number of sites. Hierarchical networks apply to such large-scale networks.
Multiple areas are created according to the enterprise management structure. Each area uses
a single-layer network model and deploys one or more sites as border sites. The border sites
of all areas constitute the backbone area, namely the level-1 network, which interconnects the
areas. Border sites of an area connect to both the level-2 area network and the level-1
backbone network. Based on the physical services available locally, level-2 overlay WAN
networks are established to connect the branch sites within each area, and each border site
connects to both the level-2 overlay WAN network and the level-1 overlay WAN network.

vRR Deployment Solution


To exchange overlay routes between sites, a routing protocol neighbor relationship needs to
be established between the CPEs of the sites. If an enterprise has a large number of sites, the
number of CPE neighbor relationships becomes very large, and the DSVPN tunnel
deployment solution has obvious limitations in large-scale deployment. To improve network
scalability and reduce the load on CPEs during route switching, the vRR is introduced to
deploy SD-WAN networks in EVPN tunnel mode.
The vRR works based on instructions of the SD-WAN@AC-Campus. Based on the topology
model of the overlay network, the SD-WAN@AC-Campus generates BGP routing policies
and delivers the policies to the vRR. The BGP EVPN peer relationship is established between
the CPE and vRR. Based on the BGP routing policies delivered by the SD-WAN@AC-
Campus, the vRR controls the route sending and receiving at different sites. In this way, the
sites can communicate with each other based on the planned overlay topology.
The vRR supports two deployment modes: independent deployment and co-deployment.
l Independent deployment: The CPE or vCPE is deployed in the data center as the vRR.
The vRR is not bound to any site.
l Co-deployment: A medium- or large-sized edge site on the network is used as the vRR
site.
An edge site can establish the iBGP peer relationships with two vRR nodes to improve
reliability. Multiple vRR nodes can be deployed under a tenant and are connected in full-mesh
mode.

l Independent deployment: The vRR runs on a dedicated node that is not bound to any site.
l Co-deployment: The vRR and edge are deployed on the same node. In this scenario, the site
can be configured with a single gateway or dual gateways.

Data Planning and Design


Plan SD-WAN network models based on the scale and distribution of enterprise sites.

DSVPN Tunnel Mode

l Network model: Select the single-layer or hierarchical network model. Generally, the
single-layer network model is used. If there are a large number of sites or multinational
deployment is required, use the hierarchical network model. For details, see 1.2 Typical
Application Scenarios. The network model determines the site roles. If the single-layer
network model is used, aggregation sites do not need to be planned. If the hierarchical
network model is used, you need to plan areas and aggregation and branch sites in the
areas.
l Hub site: Generally, the headquarters or the site where the data center is located
functions as the hub site. The SD-WAN network uses a single hub site or dual hub sites
deployed in active/standby mode.

l Aggregation site: If the hierarchical network model is used, you need to plan areas and
aggregation sites in the areas. Each area supports a maximum of two aggregation sites.
l Branch site: If the hierarchical network model is used, you need to plan the aggregation
site to which the branch site is connected. The branch site is then allocated to the area of
the aggregation site. If the single-layer network model is used, you only need to connect
the branch site to the hub site.

EVPN Tunnel Mode

l vRR site: Plan the edge sites that function as vRR sites. Generally, stable large edge sites
with high CPE performance and a large number of WAN links are used as vRR sites. In
the current version, vRR sites cannot be deployed separately.
l Edge site: Plan the vRR sites to which each edge site is connected. Generally, edge sites
are connected to vRR sites that are physically close to the edge sites and have good
network connectivity. An edge site can connect to a maximum of two vRR sites, and a
maximum of eight vRR sites can be configured for a tenant. If an edge site is not
connected to any vRR site, the edge site does not participate in overlay networking and
service deployment.
l Network model: Select the single-layer or hierarchical network model. Generally, the
single-layer network model is used. If there are a large number of sites or multinational
deployment is required, use the hierarchical network model. For details, see 1.2 Typical
Application Scenarios. The network model that is used determines the overlay topology
planning. For details, see 1.4.1.4 Overlay Network.

1.4.1.2 Site Models

Introduction
The site model needs to be determined based on enterprise branch characteristics. Based on
the similarity of site requirements, sites are classified into three categories: small site, medium
site, and large site.

For sites with high reliability requirements, the dual-gateway model can be used. For common
sites, the single-gateway model can be used.

Table 1-1 Site categories

Category       Scale (Employees)   Bandwidth Requirement   O&M Capability
Small site     < 50                < 20 Mbit/s             No professional IT management team
Medium site    50 to 100           100 Mbit/s              Independent network equipment room and professional IT personnel
Large site     > 100               1 Gbit/s                Independent network equipment room and professional IT team

1.4.1.2.1 Site WAN Model

WAN Model
In the SD-WAN network design, two or more links are selected as site egresses so that key
traffic is transmitted over the preferred WAN link. After the preferred link is set up, the other
links provide additional bandwidth for non-key traffic. The following table lists the WAN
access models of Huawei SD-WAN Solution. For reliability, a single router or dual routers can
be deployed. A maximum of three WAN links can be configured for a single gateway, and a
maximum of six WAN links can be configured for dual gateways.

Table 1-2 WAN site models (the link diagrams of the original table are figures and are not reproduced here)

WAN Access Model   WAN Link
Single gateway     One MPLS link
Single gateway     One Internet link
Single gateway     One MPLS link and one Internet link
Single gateway     One MPLS link and one LTE link
Single gateway     Two Internet links
Single gateway     Two MPLS links
Single gateway     One MPLS link, one Internet link, and one LTE link
Dual gateway       One MPLS link, one Internet link

Different site roles are defined in DSVPN and EVPN tunnel modes. In DSVPN tunnel mode,
sites are classified into hub sites, aggregation sites, and branch sites. In EVPN tunnel mode,
sites are classified into edge sites and vRR sites.
l vRR: A vRR site is an independent CPE. It distributes EVPN routes between CPEs
based on VPN topology policies.

l Edge: An edge site is a WAN-side router. It establishes secure data channels with
multiple remote edge sites.

Data Planning and Design


Multiple sites are deployed to form an SD-WAN network. To prevent repeated configuration
of parameters for each site, configuration information such as the number of gateways and
WAN-side links is abstracted into a site template. Therefore, before creating a site, you need
to plan a site template for each site. If multiple sites have the same configurations, including
the gateway type, WAN link, and interconnection link between two gateways, the same site
template can be used.
Site Template
l Template name
The template name is a string of 1 to 64 characters.
l Gateway type at a site
A single gateway or dual gateways can be deployed at a specified site. For sites with
high reliability requirements, dual gateways can be deployed. If the gateway service
traffic is small and low requirements are imposed on reliability, a single gateway can be
deployed.
l WAN link at a site
– WAN link name: After specifying the gateway type, plan the number of WAN links
and specify a name for each link. The name can contain information such as the
network type and network provider.
– Device and interface: Specify the gateway and interface to which each WAN link
connects.
– Transmission network: Specify the WAN-side network to be connected, which
depends on the transmission network created in Global Parameters. For details
about the data planning for the transmission network in Global Parameters, see
Transmission Network in Data Planning and Design.
– Role: When multiple WAN links are configured for a single gateway, specify a
WAN link as the active or standby link. At least one active link must be configured.
l Interfaces connecting the two gateways
For a dual-gateway site, you need to configure links between the two CPEs. The two
CPEs can be connected through a single link, dual links, or LAN-side Layer 2 links.
– Single link: Specify the interfaces for interconnecting with each other on the CPEs.

– Dual links: Specify the two interfaces for interconnecting with each other on the
CPEs. The system automatically binds the two interfaces into an Eth-Trunk.

– LAN-side Layer 2 links: If a Layer 2 link is available between a CPE and the LAN
switch and no independent link is planned for the CPEs, you can specify a reserved
VLAN and use the LAN-side Layer 2 link as the data forwarding channel between
the CPEs. Data between CPEs and the data from the LAN side to the CPE are
isolated through VLANs without affecting each other.

Site
Plan data for each site.
l Site name: The site name is a string of 1 to 64 characters, for example, Site1.
l Site role in DSVPN tunnel mode: Specify sites as hub sites, aggregation sites, or branch
sites.
If the SD-WAN network uses a single-layer network model, you need to create hub sites
and branch sites. If the SD-WAN network uses a hierarchical network model, you need
to create hub sites, aggregation sites, and branch sites.

Figure 1-8 Single-layer network model

Figure 1-9 Hierarchical network model

l Hub site in DSVPN tunnel mode: If the SD-WAN network has only one hub site, the hub
site works in active mode. If the SD-WAN network has two hub sites, the hub sites work in
active/standby mode.
l Connection of a branch site to an aggregation site or a hub site in DSVPN tunnel mode:
If the single-layer network model is used, branch sites must be connected to a hub site. If
the hierarchical network model is used, you need to plan whether a branch site is
connected to the aggregation site or hub site. If a branch site connects to an aggregation
site, the aggregation site must connect to a hub site.
l Site role in EVPN tunnel mode: Based on the network model planning, specify sites as
edge sites or edge/vRR sites.
l Connection of an edge site to the vRR in EVPN tunnel mode: Specify the vRR
connected to an edge site based on the network model planning.
l Site template
Use the planned site template to specify the gateway and WAN link for each site.
l Site address and floor
Enter the gateway deployment information to facilitate subsequent network management
and maintenance.
l Gateway device information
Plan CPEs to be deployed at sites.
– Number of devices: Plan the number of CPEs at each site, and deploy a single or
dual gateways at each site.

– CPE model: Plan the CPE model. The two CPEs deployed at a dual-gateway site
must be of the same model.
– Device name: To facilitate management and memorization, name the CPEs at each
site. For example, name the two CPEs at Site1 Site1_1 and Site1_2.
– ESN: If ESNs have been obtained, allocate the ESNs in the data planning table. The
CPE information must be consistent with that imported to the SD-WAN@AC-
Campus and that at the site.
– Whether an upgrade is required: Check whether the software version of the CPEs is
upgraded to the specified version.
– WAN link: The WAN links must be the same as those planned in the site template.
– CLI: The configurations that cannot be automatically orchestrated by the SD-
WAN@AC-Campus can be delivered through the CLI. For example, change the
system name of a CPE to Hub1_1.
ESN                     Device Name   Command
2102350DQMDMGC001089    Hub1_1        return
                                      system-view
                                      system-name Hub1_1
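The limits stated in the site template and site planning above (names of 1 to 64 characters, at most three WAN links per single gateway and six per dual-gateway site, at least one active link, identical CPE models at a dual-gateway site) and in the EVPN planning of 1.4.1.1 (at most two vRR sites per edge site, at most eight vRR sites per tenant, an edge site without a vRR does not join the overlay) are easy to violate in a spreadsheet. The following pre-import check is an added example and is not Huawei's tooling or part of this guide; the data classes, field names, and the sample plan (including the CPE model strings) are this example's own constructed assumptions.

```python
"""Pre-deployment sanity check for an SD-WAN site plan (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class WanLink:
    name: str        # may encode network type and provider, e.g. "MPLS-CarrierA"
    device: str      # CPE the link terminates on
    interface: str   # physical interface on that CPE
    transport: str   # transmission network: "MPLS", "Internet", "LTE"
    role: str        # "active" or "standby"


@dataclass
class SiteTemplate:
    name: str
    gateway_type: str            # "single" or "dual"
    wan_links: List[WanLink]


@dataclass
class Site:
    name: str
    template: str
    cpe_models: List[str]        # one entry per deployed CPE
    role: str = "edge"           # "edge" or "edge/vrr" (EVPN tunnel mode)
    vrr_sites: List[str] = field(default_factory=list)


# Limits taken from this guide.
MAX_WAN_LINKS = {"single": 3, "dual": 6}
CPES_PER_SITE = {"single": 1, "dual": 2}
MAX_VRR_PER_EDGE = 2
MAX_VRR_PER_TENANT = 8


def validate_plan(templates: List[SiteTemplate], sites: List[Site]) -> Dict[str, List[str]]:
    """Return {"errors": [...], "warnings": [...]} for the whole plan."""
    errors: List[str] = []
    warnings: List[str] = []
    by_name = {t.name: t for t in templates}

    for t in templates:
        if not 1 <= len(t.name) <= 64:
            errors.append(f"template {t.name!r}: name must be 1 to 64 characters")
        limit = MAX_WAN_LINKS.get(t.gateway_type)
        if limit is None:
            errors.append(f"template {t.name}: unknown gateway type {t.gateway_type!r}")
            continue
        if len(t.wan_links) > limit:
            errors.append(f"template {t.name}: {len(t.wan_links)} WAN links exceed the "
                          f"limit of {limit} for a {t.gateway_type} gateway")
        if not any(link.role == "active" for link in t.wan_links):
            errors.append(f"template {t.name}: at least one WAN link must be active")

    vrr_names = {s.name for s in sites if s.role == "edge/vrr"}
    if len(vrr_names) > MAX_VRR_PER_TENANT:
        errors.append(f"{len(vrr_names)} vRR sites exceed the tenant limit of {MAX_VRR_PER_TENANT}")

    for s in sites:
        if not 1 <= len(s.name) <= 64:
            errors.append(f"site {s.name!r}: name must be 1 to 64 characters")
        t = by_name.get(s.template)
        expected = CPES_PER_SITE.get(t.gateway_type) if t else None
        if t is None:
            errors.append(f"site {s.name}: unknown template {s.template!r}")
        elif expected is not None and len(s.cpe_models) != expected:
            errors.append(f"site {s.name}: template {t.name} needs {expected} CPE(s), "
                          f"plan lists {len(s.cpe_models)}")
        elif expected == 2 and len(set(s.cpe_models)) != 1:
            errors.append(f"site {s.name}: both CPEs of a dual-gateway site must be the same model")
        if len(s.vrr_sites) > MAX_VRR_PER_EDGE:
            errors.append(f"site {s.name}: {len(s.vrr_sites)} vRR sites exceed the limit of {MAX_VRR_PER_EDGE}")
        for v in s.vrr_sites:
            if v not in vrr_names:
                errors.append(f"site {s.name}: {v!r} is not a planned edge/vRR site")
        if not s.vrr_sites and s.role != "edge/vrr":
            warnings.append(f"site {s.name}: no vRR site; it will not join overlay networking")
    return {"errors": errors, "warnings": warnings}


# Constructed sample plan; the third template and the last three sites are deliberately wrong.
SAMPLE_TEMPLATES = [
    SiteTemplate("T-single-mpls-inet", "single", [
        WanLink("MPLS-CarrierA", "CPE1", "GE0/0/0", "MPLS", "active"),
        WanLink("Internet-ISP1", "CPE1", "GE0/0/1", "Internet", "standby")]),
    SiteTemplate("T-dual-mpls-inet", "dual", [
        WanLink("MPLS-CarrierA", "CPE1", "GE0/0/0", "MPLS", "active"),
        WanLink("Internet-ISP1", "CPE2", "GE0/0/0", "Internet", "active")]),
    SiteTemplate("T-single-overloaded", "single", [            # 4 links, none active
        WanLink(f"Internet-ISP{i}", "CPE1", f"GE0/0/{i}", "Internet", "standby")
        for i in range(4)]),
]
SAMPLE_SITES = [
    Site("HQ", "T-dual-mpls-inet", ["AR6300", "AR6300"], role="edge/vrr"),
    Site("Branch1", "T-single-mpls-inet", ["AR1220"], vrr_sites=["HQ"]),
    Site("Branch2", "T-dual-mpls-inet", ["AR2220", "AR1220"], vrr_sites=["HQ", "DC"]),  # model mismatch, unknown vRR
    Site("Branch3", "T-dual-mpls-inet", ["AR1220"], vrr_sites=["HQ"]),                  # one CPE for a dual template
    Site("Branch4", "T-single-mpls-inet", ["AR1220"]),                                   # no vRR: warning only
]

if __name__ == "__main__":
    for kind, messages in validate_plan(SAMPLE_TEMPLATES, SAMPLE_SITES).items():
        for m in messages:
            print(f"{kind.upper()}: {m}")
```

Run it against the sample plan and it reports five errors and one warning; run the same check on a planning table exported to these structures before importing ESNs into the SD-WAN@AC-Campus, because the template and site limits are enforced at import time and a rejected import is slower to correct than a failed offline check.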

WAN Interface

When a CPE is interconnected with a network device on the WAN side, you need to plan the
interconnection mode and configuration of the physical interface.

l Link name: The link name of a WAN interface is specified by the WAN-side link in the
site template. The WAN link name in the site template is used when a site template is
used to create a site.
l Access type and negotiation mode: The access type and negotiation mode have been
planned in the WAN link data plan in Site Deployment.
l MTU: The default value is 1500. Adjust the MTU based on the link type. For example,
for PPPoE, set the MTU to 1492 because the PPPoE header is added before the IP
packet.
When the CPE forwards data packets, the data packet length and MTU are compared at
the IP layer. If a data packet is longer than the MTU, the data packet needs to be
fragmented at the IP layer. After fragmentation, the packet length can be equal to or
shorter than the MTU. If the MTU is too small, the transmission efficiency decreases due
to a large number of fragments. If the MTU is too large, packets on the network may be
discarded.
l MSS: The default value is 1200. To prevent TCP packets from being fragmented, you
must configure a proper MSS based on the MTU: the MSS plus all the header lengths (TCP
header and IP header) must not exceed the MTU. For example, the default MTU of an
Ethernet interface is 1500 bytes, so the MSS must not be larger than 1460 bytes
(1500 - 20 - 20), where the two 20s are the minimum lengths of the IP header and TCP
header, respectively. It is recommended that you set the MSS to 1200 bytes.
l Uplink capacity: Plan the uplink capacity based on the actual uplink bandwidth of the
network.

l Downlink capacity: Plan the downlink capacity based on the actual downlink bandwidth
of the network.
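The MTU and MSS rules above can be checked numerically before a WAN interface is configured. The helper below is an added example and is not code from this guide or from Huawei; it applies the stated rule that a TCP segment stays unfragmented only if MSS plus the minimum IP and TCP headers (20 bytes each) does not exceed the link MTU, using the guide's values of 1500 for Ethernet and 1492 for PPPoE. The ENCAP_MTU table and the IPv4 fragment count (payload per fragment rounded down to a multiple of 8 bytes) are this example's assumptions.

```python
"""MTU and MSS planning helper for a CPE WAN interface (added example)."""
import math

IP_HEADER = 20   # minimum IPv4 header, no options
TCP_HEADER = 20  # minimum TCP header, no options

# Interface MTU per access type. The Ethernet and PPPoE values are the ones
# given in the guide (PPPoE inserts its header before the IP packet).
ENCAP_MTU = {"ethernet": 1500, "pppoe": 1492}


def max_mss(mtu: int) -> int:
    """Largest MSS for which MSS + IP + TCP headers still fits into the MTU."""
    return mtu - IP_HEADER - TCP_HEADER


def segment_fits(mss: int, mtu: int) -> bool:
    """True if a full-size TCP segment built with this MSS crosses the link unfragmented."""
    return mss + IP_HEADER + TCP_HEADER <= mtu


def fragment_count(packet_len: int, mtu: int) -> int:
    """Number of IPv4 fragments needed for a packet of packet_len bytes.

    A packet longer than the MTU is split at the IP layer; each fragment
    carries at most (mtu - IP_HEADER) bytes of payload, rounded down to a
    multiple of 8 because the fragment offset is counted in 8-byte units.
    """
    if packet_len <= mtu:
        return 1
    payload_per_fragment = (mtu - IP_HEADER) // 8 * 8
    return math.ceil((packet_len - IP_HEADER) / payload_per_fragment)


def plan_interface(access_type: str, mss: int = 1200) -> dict:
    """Summarise the MTU/MSS plan for one WAN interface (default MSS 1200 as recommended)."""
    mtu = ENCAP_MTU[access_type]
    return {
        "mtu": mtu,
        "max_mss": max_mss(mtu),
        "configured_mss": mss,
        "mss_ok": segment_fits(mss, mtu),
        # An MSS of 1460 copied from an Ethernet plan is too large on PPPoE: 1460 + 40 > 1492.
        "ethernet_mss_1460_fits": segment_fits(1460, mtu),
    }


if __name__ == "__main__":
    for access in ENCAP_MTU:
        print(access, plan_interface(access))
    print("3000-byte packet over MTU 1500 ->", fragment_count(3000, 1500), "fragments")
```

The recommended MSS of 1200 fits both MTUs with room for additional encapsulation headers, which is why the guide prefers it over the theoretical maximum of 1460.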

Configuration Tasks

Scenario: Single-layer network
Description: Enterprise sites are directly connected through an SD-WAN fabric. In non-fault
scenarios, any two branch sites communicate with each other through direct tunnels. If no
direct tunnel is available, the two branch sites communicate with each other through other
sites (the headquarters or data centers). To provide direct tunnels, the underlay network must
be a fully connected, reliable network; this model is usually used for small-scale enterprise
networks or branch networks of large enterprises.
Tasks in DSVPN tunnel mode:
1. 1.8.3.3 (Optional) Customizing a Site Template
2. Creating a hub site
3. Creating branch sites (common sites or cloud sites)
Tasks in EVPN tunnel mode:
1. 1.8.3.3 (Optional) Customizing a Site Template
2. Creating an edge site at the headquarters
3. Creating branch edge sites
4. Creating an edge/vRR site
5. Associating edge sites with the vRR site

Scenario: Hierarchical network
Description: Based on the physical services available locally, level-2 overlay WAN networks
are established to connect branch sites in the specific area. Each area uses one or more sites
as edge sites. Each edge site connects to both the level-2 overlay WAN network and the
level-1 overlay WAN network. The level-2 overlay WAN network is built on the local public
network or regional MPLS provided by the local carrier. The level-1 overlay WAN network is
built on the international private line, multinational MPLS network, or top-quality Internet,
and has high costs. Therefore, it is not recommended that a large number of sites be deployed
on the level-1 overlay WAN.
Tasks in DSVPN tunnel mode:
1. 1.8.3.3 (Optional) Customizing a Site Template
2. Creating a hub site
3. Creating an aggregation site
4. Creating branch sites (common sites or cloud sites)
Tasks in EVPN tunnel mode:
1. 1.8.3.3 (Optional) Customizing a Site Template
2. Creating an edge/vRR site at the headquarters
3. Creating an edge/vRR site
4. Creating branch edge sites
5. Associating edge sites with the vRR site

1.4.1.2.2 Site LAN Model

LAN Model
The LAN model design adapts to the current LAN-side network. Huawei SD-WAN Solution
can connect to the LAN at Layer 2 or Layer 3, which depends on the actual network
deployment.
The following list describes the typical networkings in which Huawei SD-WAN Solution
connects to the LAN at Layer 2 (the deployment scenario diagrams of the original table are
figures and are not reproduced here).
l A single CPE functions as the gateway and directly connects to a Layer 2 switch.
l A single CPE functions as the gateway and connects to terminals through Wi-Fi.
l Two CPEs function as gateways and connect to a Layer 2 switch through VRRP.
l Two CPEs function as gateways and connect to multiple Layer 2 switches through VRRP.

For a large site, the site network has a complex structure (hierarchical structure and multi-
network design) and complex network facilities (large number of routers and switches). In
Layer 3 interconnection scenarios, SD-WAN routers can establish Layer 3 connections to the
LAN through static or dynamic routes. Currently, Huawei SD-WAN Solution can use BGP,
OSPF, and static routes to connect to the LAN.
The following list describes the typical networkings in which Huawei SD-WAN Solution
connects to the LAN at Layer 3 (the deployment mode diagrams of the original table are
figures and are not reproduced here).
l A single CPE functions as the gateway and directly connects to a Layer 3 switch.
l Two CPEs function as gateways and connect to a Layer 3 switch.
l Two CPEs function as gateways and connect to multiple Layer 3 switches.

NOTE

1. If two CPEs are deployed at a site, they can be interconnected directly or through the LAN. If the
two CPEs are directly interconnected, the interconnection links can be added to an Eth-Trunk.
2. The LAN-side interfaces of the CPE are Ethernet interfaces (GE/FE), which cannot be bound.

Data Planning and Design


If multiple VPNs are planned for service isolation between departments, you need to plan
LAN-side configurations for sites in each VPN and use Layer 3 interfaces or VLANs to
connect to LAN-side devices. The same Layer 3 interface, Layer 3 sub-interface, or VLAN
cannot be configured for the same site in different VPNs. That is, you need to plan different
Layer 3 interfaces, Layer 3 sub-interfaces, or VLANs for different VPNs when planning
configurations for sites to interconnect with LAN devices in different VPNs.

l Site name: Specify the name of the site where the LAN-side device is to be
interconnected.
l Device: Specify the CPE to be configured at a site, especially at a site where two CPEs
are deployed.
l Interconnection with the LAN side through Layer 3 interfaces or sub-interfaces
– Interface: Plan the interface on the CPE for connecting to the LAN-side device. You
can select Layer 3 interfaces, including GE, FE, XGE, or Eth-Trunk.
If the Eth-Trunk is used, you need to plan the following items:
n Eth-Trunk ID: The Eth-Trunk ID is in the range from 0 to 63. In a dual-
gateway scenario, if the two gateways are connected through two Layer 3
physical links, the system automatically creates the Eth-Trunk 0 interface for
the two gateways. You cannot create an Eth-Trunk interface with ID 0 on the
two gateways.
n Interface type: Plan the interface as a Layer 3 interface.
n Physical interfaces: Plan the Eth-Trunk member interfaces for connecting to
the LAN side. A maximum of eight member interfaces can be added. The Eth-
Trunk member interfaces must be Layer 3 physical interfaces.
– VLAN ID of the sub-interface: If a sub-interface is used to connect to a LAN-side
device, plan a VLAN ID for the sub-interface. A Dot1q sub-interface is created on
the interface, and the terminated VLAN tag is the VLAN ID. The VLAN ID must
be the same as the VLAN tag configured on the interconnected device.
l Interconnection with the LAN side through VLANs
– VLAN ID: Plan the VLAN ID used for Layer 2 communication between the site
and the LAN.
The system automatically creates VLANIF interfaces based on VLAN IDs. For a
dual-gateway site, if the CPE is directly connected to a Layer 2 switch in the
downstream direction, to implement the VRRP function on the LAN side, the two
CPEs must use the VLANIF interface with the same VLAN ID to communicate
with the LAN side.
– Physical interface: Plan the interface on the CPE for connecting to the LAN-side
device. You can select Layer 2 interfaces, including GE, FE, XGE, or Eth-Trunk.
If the Eth-Trunk is used, you need to plan the following items:
n Eth-Trunk ID: The Eth-Trunk ID is in the range from 0 to 63. In a dual-
gateway scenario, if the two gateways are connected through two Layer 3
physical links, the system automatically creates the Eth-Trunk 0 interface for
the two gateways. You cannot create an Eth-Trunk interface with ID 0 on the
two gateways.
n Interface type: Plan the interface as a Layer 2 interface.
n Physical interfaces: Plan the Eth-Trunk member interfaces for connecting to
the LAN side. A maximum of eight member interfaces can be added. The Eth-Trunk
member interfaces must be Layer 2 physical interfaces.
l IP address: Plan the IP address of the interface. The IP address is configured on the
specified Layer 3 interface, sub-interface, or VLANIF interface. The local IP address
must be in the same network segment as the IP address of the LAN side.
l Trust mode: Plan the type of a firewall security domain to which the interface is added.
You can add an interface to the trust or untrust domain of the firewall.
The trust mode takes effect only when the firewall is enabled with the security policy.
Generally, LAN-side interfaces are trusted because the LAN side is the internal network
of the site. If the LAN side is connected to a network with poor security, you can set the
trust mode to Untrust and configure the interzone policy on the firewall to enhance
service security.
l DHCP: Plan whether to enable the DHCP function on the device to automatically assign
IP addresses to clients on the LAN side. If DHCP is enabled, you need to plan the
following items:
– DHCP type: Select the DHCP server or DHCP relay agent to be used. If the
gateway of each site manages the IP addresses of clients on the LAN side, use the
DHCP server. If a dedicated DHCP server is planned to centrally manage the IP
addresses of clients on the LAN side of each site, use the DHCP relay agent.
– DHCP server: If the DHCP server mode is selected, the DHCP server function is
enabled on the interface. The IP address pool uses the interface IP address as the
egress gateway address, and an IP address segment can be assigned as the network
segment where the interface IP address resides. In DHCP server mode, you can also
plan the following data, which is optional:
n Exclude IP: Specify the address or address segment that is not allowed to be
assigned by the DHCP server. For example, some addresses are already
occupied by terminals and cannot be allocated to other DHCP clients. These
addresses can be included in the excluded IP address list.
n Domain name: Plan the domain name suffix sent from the DHCP server to the
DHCP client.
n Lease time: By default, the lease time is one day. In locations where clients
often move and stay online for a short period of time, for example, in cafes,
Internet bars, and airports, plan a short lease time to ensure that IP addresses
are released quickly after the clients go offline. In locations where clients
seldom move and stay online for a long period of time, for example, in office
areas of an enterprise, plan a long lease time to prevent system resources from
being occupied by frequent lease or address renewals.
n DNS server: Specify the DNS server group name to plan the DNS server used
by the DHCP client. The DNS server group is planned in Global Parameters.
For details, see the description of the DNS server in "Data Planning and
Design" in 1.4.1.4 Overlay Network. After the DNS server group name is
specified, the DHCP server sends the IP addresses in the specified DNS server
group to DHCP clients when assigning IP addresses to the DHCP clients.
n NetBIOS node type: Plan the NetBIOS node type for DHCP clients. The
options include: B-Node (node in broadcast mode), P-Node (node in peer-to-
peer mode), M-Node (node in mixed mode), and H-Node (node in hybrid
mode).
n NetBIOS server: Plan the NetBIOS server address for DHCP clients.
n Static binding: Plan IP addresses for DHCP clients that need to use fixed IP
addresses. For example, if a server functions as a DHCP client to apply for an
IP address from the DHCP server and needs to use a fixed IP address to ensure
stability, select an IP address from the address pool and bind the IP address to
the MAC address of the server. The DHCP server then assigns a fixed IP
address to the server based on the MAC address.
– DHCP relay agent: If the DHCP relay agent mode is selected, plan the DHCP server
address for the DHCP relay agent. You can specify a maximum of eight DHCP
servers.
l VRRP: If two gateways are deployed at a site, VRRP can be configured. LAN users
access the WAN network through the master device by default. When the master device
fails, services are automatically switched to the backup device. In this manner,
redundancy is implemented between gateways to enhance reliability.
– VRRP ID: Plan the VRRP ID, which is in the range from 1 to 255. The same VRRP
ID must be specified for the two gateways.
– Virtual IP address: Plan the virtual IP address of the VRRP group. The virtual IP
address must be in the same network segment as the gateway interface address. It
can be the same as the gateway interface address but cannot be the same as the user
host IP address. Otherwise, packets from the local network segment will be sent to
the user host. As a result, data on the local network segment cannot be correctly
forwarded.
– Default role: Specify the master gateway and backup gateway in the dual-gateway
scenario.
– Preemption delay: Specify the VRRP preemption delay. The value is in the range
from 0 to 3600, in seconds. The default value is 0. For the two devices in a VRRP
group, you are advised to set the preemption delay to 0 for the backup device and to
15 seconds or a larger value for the master device. If the preceding settings are not
used, two masters may coexist and user devices may learn an incorrect master
address, interrupting traffic.
l ARP proxy: Configure whether to enable the ARP proxy. Only the routed ARP proxy is
supported.
The routed ARP proxy enables network devices on the same network segment but on
different physical networks to communicate.
As shown in the figure below, the IP addresses of Host_1 and Host_2 are 172.16.1.10/16
and 172.16.2.20/16, respectively, which are on the same network segment. The CPE
connects to two networks through VLAN 10 and VLAN 20. The IP addresses of
VLANIF10 and VLANIF20 are on different network segments.

When Host_1 needs to communicate with Host_2, Host_1 broadcasts an ARP Request
packet, requesting the MAC address of Host_2. However, Host_1 and Host_2 are on
different physical networks (in different broadcast domains). Host_2 cannot receive the
ARP Request packet sent from Host_1 and therefore cannot respond with an ARP Reply
packet. If the routed ARP proxy is enabled, the CPE queries the routing table after
receiving the ARP Request packet. Host_2 is directly connected to the CPE, so the CPE
has the routing entry of Host_2. The CPE then uses its MAC address to send an ARP
Reply packet to Host_1. Host_1 forwards data based on the MAC address of the CPE. In
this case, the CPE functions as the proxy of Host_2. The MAC address corresponding to
Host_2's IP address in the ARP table of Host_1 is the MAC address of VLANIF10 on
the CPE.
l MTU: The default value is 1500. Adjust the MTU based on the link type.
When the CPE forwards data packets, the data packet length and MTU are compared at
the IP layer. If a data packet is longer than the MTU, the data packet needs to be
fragmented at the IP layer. After fragmentation, the packet length is shorter than the
MTU. If the MTU is too small, the transmission efficiency decreases due to a large
number of fragments. If the MTU is too large, packets on the network may be discarded.
l MSS: The default value is 1200. To prevent TCP packets from being fragmented, you
must configure a proper MSS based on the MTU. To ensure that a complete packet is
transmitted properly, ensure that the MSS plus all the header lengths (TCP header and IP
header) do not exceed the MTU. For example, the default MTU of an Ethernet interface
is 1500 bytes. To prevent packets from being fragmented, do not set the MSS to a value
greater than 1460 bytes (1500 - 20 - 20). In the preceding formula, the two 20s indicate
the minimum length of the TCP header and IP header, respectively. It is recommended
that you set the MSS to 1200 bytes.
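The planning rules above (MSS versus MTU, the VRRP virtual address and preemption delay, and the DHCP excluded and statically bound addresses) can be checked before the data is entered on the controller. The following Python script is an added example, not code from the Huawei guide or the SD-WAN@AC-Campus; the plan dictionary layout, the field names, and the sample addresses are constructed for illustration. The sample plan contains two deliberate mistakes so that the checks have something to report:

```python
"""Sanity checks for LAN-side planning data.

Added example, not part of the Huawei guide or the SD-WAN@AC-Campus; the
data model (dicts with the field names used below) is an assumption made
for illustration.  Each check returns a list of problem strings, so an
empty list means that part of the plan is consistent.
"""
import ipaddress


def check_mtu_mss(mtu: int = 1500, mss: int = 1200) -> list:
    """MSS + minimum TCP header (20) + minimum IP header (20) must not exceed the MTU."""
    problems = []
    if mss + 20 + 20 > mtu:
        problems.append(f"MSS {mss} too large for MTU {mtu}: maximum is {mtu - 40}")
    return problems


def check_vrrp(interface: str, vrrp: dict, host_ips: list) -> list:
    """VRRP ID in 1..255 and identical on both gateways; virtual IP inside the
    interface segment and never equal to a user host address; preemption delay
    0 on the backup and at least 15 s on the master."""
    problems = []
    iface = ipaddress.ip_interface(interface)
    ids = {gw["vrrp_id"] for gw in vrrp["gateways"]}
    if len(ids) != 1 or not 1 <= next(iter(ids)) <= 255:
        problems.append(f"VRRP IDs {sorted(ids)} must be one value in 1..255 on both gateways")
    vip = ipaddress.ip_address(vrrp["virtual_ip"])
    if vip not in iface.network:
        problems.append(f"virtual IP {vip} is outside {iface.network}")
    if str(vip) in host_ips:
        problems.append(f"virtual IP {vip} collides with a user host address")
    for gw in vrrp["gateways"]:
        delay = gw["preempt_delay"]
        if not 0 <= delay <= 3600:
            problems.append(f"{gw['name']}: preemption delay {delay} outside 0..3600")
        elif gw["role"] == "backup" and delay != 0:
            problems.append(f"{gw['name']}: backup preemption delay should be 0")
        elif gw["role"] == "master" and delay < 15:
            problems.append(f"{gw['name']}: master preemption delay should be >= 15 s")
    return problems


def check_dhcp_pool(interface: str, exclude_ips: list, static_bindings: dict) -> list:
    """Excluded and statically bound addresses must lie in the interface segment
    (the pool is that segment), and a bound address must not also be excluded."""
    problems = []
    network = ipaddress.ip_interface(interface).network
    excluded = set()
    for entry in exclude_ips:
        # entries are single addresses or "start-end" ranges (assumed syntax)
        first, _, last = entry.partition("-")
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last or first)
        if lo not in network or hi not in network:
            problems.append(f"excluded range {entry} is outside {network}")
        excluded.update(ipaddress.ip_address(x) for x in range(int(lo), int(hi) + 1))
    for mac, ip_str in static_bindings.items():
        ip = ipaddress.ip_address(ip_str)
        if ip not in network:
            problems.append(f"binding {mac} -> {ip} is outside {network}")
        elif ip in excluded:
            problems.append(f"binding {mac} -> {ip} is in the excluded list")
    return problems


def validate_lan_plan(plan: dict) -> list:
    """Run every check on one LAN-side plan and collect the problems."""
    problems = check_mtu_mss(plan.get("mtu", 1500), plan.get("mss", 1200))
    if "vrrp" in plan:
        problems += check_vrrp(plan["interface"], plan["vrrp"], plan.get("host_ips", []))
    if "dhcp" in plan:
        problems += check_dhcp_pool(plan["interface"], plan["dhcp"].get("exclude_ips", []),
                                    plan["dhcp"].get("static_bindings", {}))
    return problems


# Constructed sample plan with two deliberate mistakes: the MSS is too large
# for the MTU, and the master gateway preempts immediately.
SAMPLE_PLAN = {
    "interface": "10.1.1.1/24",
    "mtu": 1500,
    "mss": 1480,
    "host_ips": ["10.1.1.10", "10.1.1.11"],
    "vrrp": {
        "virtual_ip": "10.1.1.254",
        "gateways": [
            {"name": "CPE1", "role": "master", "vrrp_id": 1, "preempt_delay": 0},
            {"name": "CPE2", "role": "backup", "vrrp_id": 1, "preempt_delay": 0},
        ],
    },
    "dhcp": {
        "exclude_ips": ["10.1.1.1-10.1.1.20"],
        "static_bindings": {"00-e0-fc-12-34-56": "10.1.1.100"},
    },
}

if __name__ == "__main__":
    for problem in validate_lan_plan(SAMPLE_PLAN):
        print(problem)
```

Running the script on the sample plan reports the oversized MSS (1480 + 40 exceeds 1500) and the master's zero preemption delay; the virtual address 10.1.1.254 passes because it is inside 10.1.1.0/24 and is not a user host address, and the static binding passes because it lies in the segment but outside the excluded range.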

Configuration Tasks

Scenario: Connecting to terminals through Wi-Fi
Description: Configure the WLAN to allow terminal users to access the CPE through
Wi-Fi. The CPE provides the WLAN function.
Task: After selecting the VPN to be configured, perform the following tasks:
1.8.3.9.6 Configuring Network Access Parameters on the LAN Side (Terminals Accessing
Sites Through Wi-Fi, Layer 2)

Scenario: Interconnection with Layer 2 switches
Description: The CPE functions as a gateway and is connected to a Layer 2 switch. If
two CPEs are deployed, VRRP can be configured.
Task: After selecting the VPN to be configured, perform the following tasks:
1.8.3.9.5 Configuring Network Access Parameters on the LAN Side (Layer 2)

Scenario: Interconnection with Layer 3 devices
Description: The CPE functions as a gateway and connects to a Layer 3 device on the
LAN side through a Layer 3 interface or sub-interface. A static route, OSPF route, or
BGP route is configured on the CPE to communicate with the LAN side.
Task: After selecting the VPN to be configured, perform the following operations in
sequence:
1. 1.8.3.9.4 Configuring Network Access Parameters on the LAN Side (Layer 3)
2. 1.8.3.9.7 Configuring Overlay LAN-Side Routes (Static Routes)
3. 1.8.3.9.8 Configuring Overlay LAN-Side Routes (OSPF)
4. 1.8.3.9.9 Configuring Overlay LAN-Side Routes (BGP)

1.4.1.3 Underlay Route

Functions
After a site CPE connects to a WAN, the CPE must have reachable underlay network
(physical network) routes to the PE, so that an overlay network can be normally established to
forward services. BGP, OSPF, or static routes can be used based on WAN access
requirements.

Application Scenarios
One SD-WAN network can be configured with one or more types of underlay routes based on
network requirements.
l BGP route
If an MPLS VPN network is connected and BGP dynamic routing is used, the CPE
typically needs to use BGP to exchange routing information with the PE. The SD-
WAN@AC-Campus can configure route filtering rules based on IP network segments to
control the receiving and advertisement of BGP routes.
l OSPF route
If a Layer 2 WAN network is used, OSPF routes can be used to exchange routes. This
can be implemented by creating OSPF processes. The SD-WAN@AC-Campus can
configure the OSPF routing protocol priority and control the receiving and advertisement
of routes through the blacklist and whitelist route filtering policies.
l Static route
Static routes are applicable to many scenarios, for example, Internet access, wireless
network access using the LTE link, and using blackhole routes to prevent routing loops.
Static routes do not involve protocol interaction and cannot detect faults on indirectly
connected links of the WAN. This may cause service interruption. To prevent this
problem, you can track the IP address of a WAN network and use an NQA test instance
to detect the IP address. If the detection fails, the system considers that the WAN
network is faulty and automatically selects another backup link for forwarding.

Data Planning and Design

Typically, the underlay network uses static routes to communicate with the WAN. If a site
uses DHCP to obtain IP addresses, a UNR route is automatically generated to instruct the
CPE to communicate with the WAN. In this case, you do not need to configure static routes.

Static Route

l Site: Plan the site where underlay routes need to be configured.
l Device: Select the CPE for which static routes are to be configured. In the dual-gateway
scenario, you need to configure static routes for both CPEs.
l Priority: Set the priority of static routes. The priority is in the range from 1 to 255 and is
60 by default. A smaller value indicates a higher priority.
If the same priority is configured for multiple static routes with the same destination,
traffic is load balanced among these static routes. If different priorities are configured,
the static routes back up each other.
l WAN link: Select the link for which static routes are to be configured. A CPE can
connect to a WAN through multiple links.
l Destination network segment/mask: Specify the destination network segment and mask
of a static route. If both the destination IP address and mask are set to 0.0.0.0, a default
route is configured.
l Next hop: Plan the next hop, which can be an IP address, outbound interface, or
blackhole route.
Generally, you can set the next hop to an IP address. If the WAN interface accesses the
network through a P2P protocol (for example, PPPoE), set the next hop to an outbound
interface. If you want to forbid access to certain network segments, set the next hop to
black_hole, which means that packets destined for the network segments will be
discarded.
l Detection address: Plan the address to be detected. Ensure that the address is reachable
through the configured static route.
If the next-hop IP address manually specified for a static route changes, the device on
which the static route is configured is unaware of the change. As a result, traffic fails to
be forwarded along the static route. After the address to be detected is specified, the
system associates the static route with the NQA test instance and creates an ICMP NQA
test instance to check whether the IP address is reachable. If the NQA test instance fails,
the static route is withdrawn. In this way, invalid static routes can be detected in a timely
manner.
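How the planned priority, next hop, and detection address interact can be traced with a small model. The following Python script is an added example, not code from the Huawei guide or the CPE; the StaticRoute structure, the link names, and the sample addresses (taken from the RFC 5737 documentation ranges) are constructed for illustration. It reproduces the behaviour described above: a route whose NQA test instance fails is withdrawn, equal-priority routes to the same destination share the traffic, a route with a larger priority value serves as the backup, and a black_hole next hop discards the packets:

```python
"""Model of how planned underlay static routes are installed and selected.

Added example; it is not code from the Huawei guide or the CPE.  The route
and NQA-result structures are assumptions for illustration.  A route is
usable only when its NQA detection (if configured) succeeds; among usable
routes the longest prefix wins, then the lowest priority value, and routes
with equal priority share the traffic (load balancing).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class StaticRoute:
    destination: str               # "0.0.0.0/0" is the default route
    next_hop: str                  # IP address, outbound interface name, or "black_hole"
    wan_link: str
    priority: int = 60             # 1..255, smaller value preferred
    detect_ip: Optional[str] = None  # NQA detection address, optional

    def __post_init__(self):
        if not 1 <= self.priority <= 255:
            raise ValueError(f"priority {self.priority} outside 1..255")


def active_routes(routes, nqa_results):
    """Withdraw every route whose associated NQA test instance failed.
    nqa_results maps detection address -> True (reachable) / False; an
    address with no result yet is treated as unreachable."""
    return [r for r in routes
            if r.detect_ip is None or nqa_results.get(r.detect_ip, False)]


def lookup(routes, nqa_results, dst_ip):
    """Longest-prefix match over active routes, then select by priority.
    Returns the sorted next hops that share the traffic (several entries
    mean load balancing), ["black_hole"] when the packets are discarded,
    or [] when no route matches."""
    dst = ipaddress.ip_address(dst_ip)
    candidates = [r for r in active_routes(routes, nqa_results)
                  if dst in ipaddress.ip_network(r.destination)]
    if not candidates:
        return []
    longest = max(ipaddress.ip_network(r.destination).prefixlen for r in candidates)
    best = [r for r in candidates
            if ipaddress.ip_network(r.destination).prefixlen == longest]
    top = min(r.priority for r in best)
    return sorted(r.next_hop for r in best if r.priority == top)


# Constructed plan: an Internet link and an MPLS link with equal priority and
# NQA detection, an LTE backup default route over a P2P interface (no
# detection), and a blackhole route for a segment that must not be reached.
ROUTES = [
    StaticRoute("0.0.0.0/0", "203.0.113.1", "Internet", priority=60, detect_ip="203.0.113.1"),
    StaticRoute("0.0.0.0/0", "198.51.100.1", "MPLS", priority=60, detect_ip="198.51.100.1"),
    StaticRoute("0.0.0.0/0", "Cellular0/0/0", "LTE", priority=100),
    StaticRoute("192.0.2.0/24", "black_hole", "MPLS", priority=60),
]

ALL_UP = {"203.0.113.1": True, "198.51.100.1": True}
INTERNET_DOWN = {"203.0.113.1": False, "198.51.100.1": True}
BOTH_DOWN = {"203.0.113.1": False, "198.51.100.1": False}

if __name__ == "__main__":
    print(lookup(ROUTES, ALL_UP, "8.8.8.8"))          # both primaries share traffic
    print(lookup(ROUTES, INTERNET_DOWN, "8.8.8.8"))   # Internet route withdrawn
    print(lookup(ROUTES, BOTH_DOWN, "8.8.8.8"))       # LTE backup takes over
    print(lookup(ROUTES, ALL_UP, "192.0.2.5"))        # discarded by the blackhole route
```

The LTE route carries no detection address, so it is never withdrawn and only becomes active when both detected routes have failed; the blackhole entry wins over the default routes by prefix length regardless of link state.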

Configuration Tasks

Scenario: Configuring BGP routes
Description: If the WAN network is an MPLS VPN network that uses BGP to transmit
routing information, BGP routes can be configured.
Task: 1.8.3.8.2 Configuring Underlay Routes (OSPF)

Scenario: Configuring OSPF routes
Description: If a Layer 2 WAN network is used, OSPF routes can be configured.
Task: 1.8.3.8.2 Configuring Underlay Routes (OSPF)

Scenario: Configuring static routes
Description: Static routes are often used in the following situations:
l Static routes are used to connect to the WAN.
l LTE links are used to access the wireless network.
l IP addresses need to be detected.
l Blackhole routes need to be configured.
Task: 1.8.3.8.4 Configuring Underlay Routes (Static Routes)

1.4.1.4 Overlay Network

The overlay network carries services between sites.

Topology
Based on users' service requirements, the SD-WAN Solution supports the following typical
topology models for inter-site interconnection:

l Hub-spoke: This model is applicable to scenarios where traffic between all branch sites
of an enterprise must pass through the headquarters for centralized security monitoring.
l Full-mesh: This model is applicable to scenarios where all sites of an enterprise need to
directly access each other. This model eliminates the delay caused by traffic transmission
through the headquarters.
l Partial-mesh: This model is applicable to scenarios where most sites of an enterprise
need to directly access each other, while some other sites need to communicate with each
other through a third site.
l Hierarchical topology: This model is applicable to large-scale multi-area enterprise
networks, on which enterprise sites access each other through the hub site.

In DSVPN tunnel mode, only the hub-spoke and full-mesh topology models are supported. In
EVPN tunnel mode, all the preceding topology models are supported.

NOTE

In the current version, the partial-mesh and hierarchical topology are not supported in EVPN tunnel
mode.

Topology Implementation
On the SD-WAN@AC-Campus, you can specify the topology model between sites. The SD-
WAN@AC-Campus then generates the corresponding network model based on the topology
model, converts the network model into BGP routing policies, and delivers the policies to the
RR. The RR controls the route sending and receiving of different sites based on the routing
policy delivered by the SD-WAN@AC-Campus. In this way, the sites can communicate with
each other based on the specified topology model.

1. Different overlay topologies are constructed in different VPNs.
2. The overlay topology is implemented by controlling the route receiving and sending of
each site.
3. A routing policy is configured on the RR to determine route learning at sites. The routing
policy on the RR is automatically orchestrated by the SD-WAN@AC-Campus based on
the configured topology model.
4. The routing policy is matched by site ID to filter routes or modify the next-hop site ID.
5. Sites in different areas can use different networking modes.
6. In the hub-spoke networking, when a spoke site learns a route from another spoke site,
the next hop of this route needs to be changed to the hub site.
7. In the full-mesh networking, routes advertised by all sites can be learned. If a redirect
site exists, all routes need to use the redirect site as the backup next hop.
8. Hierarchical networking:
a. When a non-border site in an area learns routes advertised from other areas, the site
ID of the next hop needs to be changed to that of the border site in the local area.
b. When a border site in an area learns routes advertised from other areas, the next hop
points to a border site in another area or the hub site which resides in an area
interconnected to the local area.

Table 1-3 Site roles

Site Role       Description

Hub site        In the hub-spoke networking, all sites communicate with each
                other through the headquarters. The site where the headquarters
                is located is called the hub site.

Branch site     The other user sites are called branch sites.

Redirect site   In the full-mesh networking, if two sites cannot communicate
                with each other directly, they can communicate through a third
                site. The third site is called a redirect site.

Border site     A border site is an edge site through which sites in an area
                communicate with sites in other areas.


Overlay Tunnel
Generally, sites on an SD-WAN network have multiple physical uplinks that connect to
different types of networks provided by different carriers. Overlay tunnels are established
based on physical links that are reachable to a certain type of network.
The transport network defines the type of a physical link on the WAN side of a site and is
determined by the type of a WAN access network provided by carriers. Generally, a type of
network provided by a carrier is defined as a transport network. For example, the Internet of
China Mobile is defined as a transport network, and the Internet of China Unicom is defined
as another transport network.
The routing domain defines whether routes between different transport networks are
reachable. That is, physical links of different transport networks that belong to the same
routing domain are reachable to each other. Generally, if the transport networks that are of the
same type and are provided by different carriers can communicate with each other, they are
defined as an independent routing domain. For example, the Internet of China Mobile and that
of China Unicom can be defined in the same routing domain.
Several types of transport networks and routing domains are predefined in the system. You
can use the predefined transport networks and routing domains or customize them based on
the site requirements.

Data Planning and Design

Transport Network
The transport network defines the information about the physical network between the site
and the WAN. The following lists the data to be planned for each transport network. The
defined transport network name can be directly referenced when physical links are specified
for site WAN links and policies.
l Transport network: For details, see the description in Overlay Tunnel.
l Routing domain: For details, see the description in Overlay Tunnel.
l Encryption flag: Configure whether to use IPSec to encrypt data on tunnels. Generally, if
the routing domain connects to an MPLS, encryption is not required; if the routing
domain connects to the Internet, encryption is required.
IPSec Encryption Parameters
You need to set the following IPSec encryption parameters for a transport network on which
the encryption function is enabled:
l Protocol: Currently, only ESP is supported.
l Authentication algorithm: Currently, only SHA2-256 is supported.
l Encryption algorithm: AES128 and AES256 are supported. You are advised to use
AES256 to enhance reliability.
DNS Server
Plan the DNS servers used for network access. If the DNS servers used by different sites
cannot communicate with each other, you can group multiple DNS servers. When configuring
LAN services on the overlay network, you can reference different DNS server group names
to specify the DNS servers used for network access.

l DNS server group name: Plan the DNS server group and specify the group name, for
example, DNS_Server1.
l DNS server IP address: Plan the IP addresses of the DNS servers in each group.

Overlay Topology in DSVPN Tunnel Mode

When planning the network model in 1.4.1.1 Network Model, you have determined whether
the physical network between sites uses the single-layer or hierarchical network model.

If multiple VPNs are planned for service isolation between departments, you need to plan an
overlay topology for sites in each VPN. The same site in different VPNs can use different
overlay topologies.

l Overlay topology in the single-layer network model: Select hub-spoke or full-mesh.
l Overlay topology in the hierarchical network model:
a. Overlay topology between the hub site and aggregation sites: Select hub-spoke or
full-mesh.
b. Overlay topology between aggregation sites and branch sites in each area: Select
hub-spoke or full-mesh. Different areas can use different overlay topologies and do
not affect each other.

Overlay Topology in EVPN Tunnel Mode

If multiple VPNs are planned for service isolation between departments, you need to plan an
overlay topology for sites in each VPN. The same site in different VPNs can use different
overlay topologies.

l Network model: If there are a small number of sites and multinational interconnection is
not involved, use the single-layer network model. If there are a large number of sites (for
example, more than 500) or multinational interconnection is involved, use the
hierarchical network model.
l Overlay topology in the single-layer network model
In the single-layer network model, all sites in a VPN belong to the same area. Therefore,
the entire network of a VPN can use the hub-spoke or full-mesh mode.
– Hub site: In hub-spoke mode, the hub site needs to be specified. You can specify a
maximum of two hub sites that work in active/standby mode. Select a site with a
strong and stable network as the hub site. Generally, select the enterprise
headquarters or the site where the data center is located as the hub site.
– Redirect site: In full-mesh mode, you can configure the redirect site in scenarios
where two sites may fail to directly communicate with each other or the reliability
of interconnection between two sites needs to be enhanced. A site with good
network connections and physically near the two sites is recommended as the
redirect site.
l Overlay topology in the hierarchical network model
In the hierarchical network model, sites on the network are divided into multiple areas,
which are level-1 areas and are also called leaf areas. Areas are interconnected through
one or two border sites. Sites 4, 5, 6.1, and 6.2 in the figure are border sites of the
corresponding areas. All border sites form an area, which is a level-2 area and is also
called the backbone area. A network can have only one backbone area.

– Area name: Specifies the name of each leaf area, for example, Area1.
– Area overlay topology: Specify the topology (hub-spoke or full-mesh) for each
area. Different overlay topologies can be specified for areas.
n Hub-spoke
○ Hub site: Similar to the hub-spoke mode in the single-layer network
model. The hub site needs to be specified in the hierarchical network
model.
○ Border site: The hub site functions as a border site, and no border site
needs to be specified again.
n Full-mesh
○ Redirect site: You can specify whether to configure a redirect site based
on actual requirements.
○ Border site: If an area using the full-mesh mode needs to interconnect
with other areas, you need to specify the border site. The border site must
be able to communicate with border sites in other areas and have good
network connections and stability. You can configure a maximum of two
border sites that work in active/standby mode.
– Inter-area interconnection: Select hub-spoke or full-mesh for the backbone area. If
the hub-spoke mode is used, you need to specify the hub site. If the full-mesh mode
is used, you need to specify whether to configure a redirect site as required.
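The next-hop rewriting rules listed under Topology Implementation, together with the hub, redirect, and border site roles planned above for the single-layer and hierarchical models, can be expressed as a function from (source site, destination site) to the next-hop site ID that the RR's routing policy installs. The following Python model is an added example, not code from the SD-WAN@AC-Campus or the Huawei guide; the Area and Topology structures, the site IDs, and the area names are constructed for illustration. It covers the single-layer hub-spoke and full-mesh models and the hierarchical model with either interconnection mode for the backbone area:

```python
"""Next-hop site IDs produced by the RR routing policy for each topology model.

Added example modelling the rules listed under "Topology Implementation"
(rules 6, 7, 8a and 8b); it is not code from the SD-WAN@AC-Campus or the
Huawei guide.  Site IDs, area names and the Area/Topology structures are
assumptions made for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Area:
    name: str
    topology: str                      # "hub-spoke" or "full-mesh"
    sites: list
    hub: Optional[str] = None          # hub-spoke: the hub is also the border site
    border: list = field(default_factory=list)   # full-mesh: up to two border sites
    redirect: Optional[str] = None     # full-mesh: optional redirect site

    def border_sites(self):
        return [self.hub] if self.topology == "hub-spoke" else list(self.border)

    def intra_next_hop(self, src, dst):
        """(primary, backup) next-hop site for a route inside this area."""
        if self.topology == "hub-spoke":
            # Rule 6: a spoke learns another spoke's route with the hub as next hop.
            if self.hub not in (src, dst):
                return self.hub, None
            return dst, None
        # Rule 7: full mesh learns routes directly; a redirect site becomes the backup.
        backup = self.redirect if self.redirect not in (None, src, dst) else None
        return dst, backup


@dataclass
class Topology:
    areas: list                          # a single area models the single-layer network
    backbone: str = "full-mesh"          # inter-area interconnection mode
    backbone_hub: Optional[str] = None   # required when backbone == "hub-spoke"

    def area_of(self, site):
        for area in self.areas:
            if site in area.sites:
                return area
        raise KeyError(f"unknown site {site}")

    def next_hop(self, src, dst):
        """(primary, backup) next-hop site ID installed at src for dst's routes."""
        a_src, a_dst = self.area_of(src), self.area_of(dst)
        if a_src is a_dst:
            return a_src.intra_next_hop(src, dst)
        # Rule 8a: a non-border site reaches other areas through its own border
        # site; the second border site, where planned, is the backup.
        if src not in a_src.border_sites():
            primary, *rest = a_src.border_sites()
            return primary, (rest[0] if rest else None)
        # Rule 8b: a border site points at the backbone hub, or directly at a
        # border site of the destination area (second border site as backup).
        if self.backbone == "hub-spoke" and src != self.backbone_hub:
            return self.backbone_hub, None
        primary, *rest = a_dst.border_sites()
        return primary, (rest[0] if rest else None)

    def routes_for(self, site):
        """Every route the site learns, keyed by destination site."""
        return {dst: self.next_hop(site, dst)
                for area in self.areas for dst in area.sites if dst != site}


# Constructed examples: a single-layer hub-spoke VPN, a single-layer full mesh
# with a redirect site, and a two-area hierarchical network with a full-mesh backbone.
SINGLE_HUB_SPOKE = Topology([Area("all", "hub-spoke", ["HQ", "B1", "B2"], hub="HQ")])
SINGLE_FULL_MESH = Topology([Area("all", "full-mesh", ["S1", "S2", "S3"], redirect="S3")])
HIERARCHICAL = Topology(
    areas=[Area("Area1", "hub-spoke", ["S4", "S1", "S2"], hub="S4"),
           Area("Area2", "full-mesh", ["S6.1", "S6.2", "S7"], border=["S6.1", "S6.2"])],
    backbone="full-mesh")

if __name__ == "__main__":
    for topo in (SINGLE_HUB_SPOKE, SINGLE_FULL_MESH, HIERARCHICAL):
        for site in [s for a in topo.areas for s in a.sites]:
            print(site, topo.routes_for(site))
```

routes_for(site) returns what the site learns for every other site: for a spoke in the single-layer hub-spoke model every entry points at the hub, for a full-mesh site every entry points at the destination with the redirect site as backup, and for a non-border site in the hierarchical model every inter-area entry points at the local border site, with the second border site as backup where one is planned.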

Configuration Tasks
For details, see Configuration > Global Parameters > Physical Network > Transport
Network in 1.8.3.2 Setting Global Parameters.

Topology Configuration Tasks

Table 1-4 Topology configuration tasks

Scenario: Sites communicate with each other through the hub site.
Topology: Hub-Spoke
Topology Diagram: (figure)
Task: Perform the operations in 1.8.3.9.2 Configuring an Overlay Topology in the
following sequence:
1. Select the department to be configured.
2. In simple mode, set the topology mode to Hub-Spoke.
3. Configure a hub site.
4. Configure branch sites.

Scenario: Sites communicate with each other through direct tunnels.
Topology: Full-mesh
Topology Diagram: (figure)
Task: Perform the operations in 1.8.3.9.2 Configuring an Overlay Topology in the
following sequence:
1. Select the department to be configured.
2. In simple mode, set the topology mode to Full-Mesh.
3. Configure branch sites.
4. (Optional) Configure a redirect site.

Scenario: Most sites are fully meshed, and a few sites cannot be directly
interconnected.
Topology: Partial-mesh
Topology Diagram: (figure)
Task: Perform the operations in 1.8.3.9.2 Configuring an Overlay Topology in the
following sequence:
1. Select the department to be configured.
2. Set the topology model to Full-Mesh.
3. Configure a redirect site.

Scenario: Sites are deployed in different areas. Sites in an area communicate with
each other directly or through the hub site in the area. Sites in different areas
communicate with each other through the hub site.
Topology: Hierarchical topology
Topology Diagram: (figure)
Task: Perform the operations in 1.8.3.9.2 Configuring an Overlay Topology in the
following sequence:
1. Select the department to be configured.
2. In advanced mode, create an area topology and enable the area interconnection
function.
3. Configure border sites.
4. Configure inter-area interconnection.

1.4.1.5 VPN Service Isolation

In many cases, due to increasingly high security requirements, a network must be divided into
multiple VPNs to realize fine-grained service management and enhance security. Services of
users in different VPNs must be completely isolated.

The SD-WAN Solution uses multiple VPNs to isolate services of multiple departments under
a single tenant. The logical networks of different VPNs are independent of each other. The
CPE establishes and maintains a VPN instance, namely, the VPN routing and forwarding
(VRF) table, for different VPNs.

Each VPN has an independent overlay topology (hub-spoke, full-mesh, partial-mesh, or
hierarchical topology). LAN-side settings, traffic policies, and security policies of all sites are
configured based on VPNs. Different policies can be configured for different VPNs.

NOTE

Currently, addresses of different VPNs cannot overlap.

Data Planning and Design

l VPN name: Plan VPN names based on specific rules, for example, by department. In
DSVPN tunnel mode, all sites belong to the virtual network VPN-Default by default.
The name and description of VPN-Default can be modified. However, the site cannot be
deleted.
l Site: Plan sites for each VPN.
l VPN topology: Plan the overlay topology (hub-spoke or full-mesh) of each VPN. VPNs
are independent of each other and can use different topology models even if they contain
the same sites. For details about the overlay topology planning, see "Data Planning and
Design" in 1.4.1.4 Overlay Network.
l Configuration on the LAN side of the site: If multiple VPNs are configured, plan
configurations for sites in each VPN. For example, if Site1 belongs to both VPN1 and
VPN2, you need to plan the configurations on the LAN side for Site1 in both VPN1 and
VPN2. For details about the planning of LAN-side configurations, see "Data Planning
and Design" in 1.4.1.2.2 Site LAN Model.
l Policy configuration: Plan service policies for sites in each VPN if multiple VPNs are
configured. For details about policy configuration, see "Data Planning and Design" in
1.4.1.7 Internet Access, 1.4.1.8 Connecting to the Legacy MPLS Network, and 1.4.2
Application Experience–oriented Scheduling and Optimization.

Configuration Tasks
1. Determine the number of departments, for example, R&D department, finance
department, and marketing department, whose services need to be isolated based on
service isolation requirements.
2. Plan LAN-side interfaces required by different departments. Each department can have
an independent LAN-side physical interface. Alternatively, all departments share one
physical interface, and services are isolated by VLANs.
3. Configure initial policies for departments, including: ACL policy, QoS policy, traffic
steering policy, Internet access policy, policy for access to legacy networks, and
URL/IPS/firewall policy.
For details, see Configuration > Overlay Network > VPN in 1.8.3.9.1 Configuring a VPN.

1.4.1.6 Overlay Route

Overall Routing Solution for SD-WAN Networking


The following figure shows the routing solution of the underlay and overlay on SD-WAN
networks.


1. Underlay LAN route: OSPF, eBGP, and static routes are supported. Currently, LAN-side
routes are manually configured by customers based on the connection mode on the LAN
side.
2. Local breakout tunnel route: OSPF is used for the interconnection between VPNs on the
overlay and underlay networks. This route is automatically orchestrated and configured
by the system if Site to Internet or Site to Legacy is enabled. This route will not be
enabled if Site to Internet or Site to Legacy is disabled.
3. Interconnection link route: OSPF is used to exchange routes between two CPEs in
scenarios where two CPEs are deployed. The routes are automatically orchestrated and
configured by the system and do not need to be manually configured.
4. Overlay WAN route: BGP or EVPN is used to advertise routes on the overlay network.
The routes are automatically orchestrated and configured by the system and do not need
to be manually configured.
5. Underlay WAN route: OSPF, eBGP, and static routes are supported. The routes are
manually configured by customers based on the access conditions on the WAN side.

Overlay Route
Overlay routes refer to the routes at the overlay network layer on SD-WAN networks and are
classified into WAN-side and LAN-side routes.

l Overlay WAN route
To enable sites on the SD-WAN network to communicate with each other on the overlay
network, configure overlay WAN routes. Based on the topology model of the overlay
network, the SD-WAN@AC-Campus automatically orchestrates overlay WAN routes.
You only need to configure the blacklist and whitelist policies on the WAN side of the
overlay network to filter overlay routes in the receive and transmit directions.
l Overlay LAN route
To enable the CPE at each site to communicate with the LAN, configure overlay LAN
routes. This ensures that services on the LAN side run properly. BGP, OSPF, and static
routes can be configured for the LAN side on the overlay network, depending on the
LAN-side networking.

Data Planning and Design


Overlay Global Route Parameters

An overlay network is established between sites through EVPN tunnels. Routes on the
overlay network between sites use BGP to establish the IBGP peer relationship. By default,
the BGP AS number of a site is 65001, which can be modified.

l Routing protocol: Only BGP is supported.
l AS number: The default value is 65001. Generally, you do not need to change the value.
If the default value cannot be used due to reasons such as a conflict with the BGP AS
number planned for an existing device on the network, use another value in the range
from 1 to 65535. A value in the range from 64512 to 65534 is recommended.

Address Pool

When the SD-WAN@AC-Campus automatically orchestrates services such as overlay
tunnels, overlay WAN routes, and site network access, IP addresses need to be allocated,
including tunnel interface addresses, local breakout tunnel interface addresses, loopback
interface addresses of CPEs, and interface addresses of an internal link between dual
gateways. Therefore, you need to plan an address pool so that the SD-WAN@AC-Campus
can automatically assign IP addresses in the address pool to the preceding interfaces. The
number of addresses to be planned is proportional to the number of sites.

l Address pool in DSVPN tunnel mode: The number of address pools on a single-layer
network and that on a hierarchical network are different. For details, see 1.4.1.6.1
Address Pool Planning (DSVPN).
l Address pool in EVPN tunnel mode: Configure the mask length of the address pool
according to the site quantity listed in Table 1-5. The mask length determines the
number of addresses in the address pool.
For example, if the number of sites of a tenant is 150, the recommended mask length is
19. If the planned address segment is 20.100.0.0, the address pool can be set to
20.100.0.0/19. Ensure that the planned address segment does not conflict with the
planned public network segment and private network segment on the tenant network.

Table 1-5 Mapping between the mask length and the network scale

Network Scale/Number of Sites    Recommended Configuration (Single Network Segment)
2-10                             /23
11-30                            /22
31-60                            /21
61-120                           /20
121-250                          /19
251-500                          /18
501-1000                         /17
1000+                            /16

Overlay WAN Route

BGP routes on the overlay WAN side are automatically orchestrated by the system. You can
configure the blacklist and whitelist to control the advertisement and receiving of BGP routes
on the overlay WAN side. If multiple VPNs are planned for service isolation between
departments, you need to plan overlay WAN routes for sites in each VPN.

l Filtering direction: Specify whether to filter the routes to be advertised or received. For
example, if some routes on the LAN side cannot be accessed by other sites, you can use
the blacklist to filter out the routes on the LAN side.
l Filtering mode: Specify whether to use the blacklist or whitelist for filtering. If the
blacklist is used, the routes in the blacklist cannot be advertised or received based on the
filtering direction, and the routes not contained in the blacklist can be advertised or
received normally. If the whitelist is used, the routes in the whitelist can be advertised or
received normally, and the routes not contained in the whitelist cannot be advertised or
received.


l IP address prefix list: Plan the IP address prefixes in the blacklist and whitelist for
filtering. You can specify the destination IP address/mask and mask range for filtering.
Multiple network segments can be configured.
– IP address/mask: Plan the IP addresses and masks for filtering. The address prefix
list filters routes by matching destination addresses. Therefore, ensure that the
destination addresses to be filtered are in the specified IP address range. For
example, if you do not want the 172.16.12.0/24 network segment on the overlay
LAN side of the site to be accessed by other sites, you can use the blacklist to filter
the routes that are advertised with the IP address being 172.16.12.0/24.
– Lower limit of the mask range. Specify the lower limit of the mask range. The
following condition must be met: Mask ≤ Lower limit of the mask range ≤ Upper
limit of the mask range. For example, if the mask of an address prefix is set to
172.16.12.0/24, the lower limit is 25, and the upper limit is 26, the 172.16.12.0/25
and 172.16.12.0/26 network segments are filtered out. If the mask range is not
specified, only 172.16.12.0/24 is filtered out.
– Upper limit of the mask range: Specify the upper limit of the mask range.
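As an added example that is not part of the Huawei guide, the following Python models the blacklist/whitelist prefix-list semantics described above, using the 172.16.12.0/24 entry with mask range 25-26 from the text. It assumes standard prefix-list matching, which generalizes the text's example: a route matches an entry when its destination lies inside the entry's prefix and its mask length is within the range, so 172.16.12.128/25 matches as well as 172.16.12.0/25. The sample routes and all function names are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence


def is_valid_mask_range(prefix: str, lower: Optional[int], upper: Optional[int]) -> bool:
    """Check the guide's condition: Mask <= Lower limit <= Upper limit (and <= 32 for IPv4)."""
    net = ipaddress.ip_network(prefix, strict=True)
    lo = net.prefixlen if lower is None else lower   # no range given: exact mask only
    hi = lo if upper is None else upper
    return net.prefixlen <= lo <= hi <= net.max_prefixlen


@dataclass(frozen=True)
class PrefixEntry:
    """One row of the IP address prefix list: address/mask plus an optional mask range."""
    prefix: str                  # e.g. "172.16.12.0/24"
    lower: Optional[int] = None  # lower limit of the mask range (defaults to the mask itself)
    upper: Optional[int] = None  # upper limit of the mask range (defaults to the lower limit)

    def __post_init__(self) -> None:
        if not is_valid_mask_range(self.prefix, self.lower, self.upper):
            raise ValueError(f"invalid mask range for {self.prefix}: {self.lower}-{self.upper}")

    def matches(self, route: str) -> bool:
        """True if the route lies inside this prefix and its mask length is within the range."""
        net = ipaddress.ip_network(self.prefix, strict=True)
        r = ipaddress.ip_network(route, strict=True)
        lo = net.prefixlen if self.lower is None else self.lower
        hi = lo if self.upper is None else self.upper
        return r.version == net.version and r.subnet_of(net) and lo <= r.prefixlen <= hi


def filter_routes(routes: Sequence[str], entries: Sequence[PrefixEntry], mode: str) -> List[str]:
    """Apply the guide's blacklist/whitelist semantics and return the routes still permitted.

    blacklist: routes matching any entry are dropped, all others pass.
    whitelist: only routes matching some entry pass, all others are dropped.
    """
    if mode not in ("blacklist", "whitelist"):
        raise ValueError("mode must be 'blacklist' or 'whitelist'")
    permitted: List[str] = []
    for route in routes:
        hit = any(entry.matches(route) for entry in entries)
        if mode == "blacklist" and not hit:
            permitted.append(route)
        elif mode == "whitelist" and hit:
            permitted.append(route)
    return permitted


# Constructed sample: LAN-side routes a site might advertise (not taken from the guide).
SAMPLE_ROUTES = [
    "172.16.12.0/24",
    "172.16.12.0/25",
    "172.16.12.128/25",
    "172.16.12.64/26",
    "172.16.12.0/27",
    "10.1.0.0/16",
]


def demo_blacklist_with_range() -> List[str]:
    """The guide's example: blacklist 172.16.12.0/24 with mask range 25-26."""
    return filter_routes(SAMPLE_ROUTES, [PrefixEntry("172.16.12.0/24", lower=25, upper=26)], "blacklist")


def demo_blacklist_exact() -> List[str]:
    """No mask range: only the /24 itself is filtered out."""
    return filter_routes(SAMPLE_ROUTES, [PrefixEntry("172.16.12.0/24")], "blacklist")


def demo_whitelist() -> List[str]:
    """Whitelist: only routes inside the listed prefix may be advertised."""
    return filter_routes(SAMPLE_ROUTES, [PrefixEntry("10.1.0.0/16")], "whitelist")


if __name__ == "__main__":
    print("blacklist 172.16.12.0/24 ge 25 le 26 ->", demo_blacklist_with_range())
    print("blacklist 172.16.12.0/24 exact      ->", demo_blacklist_exact())
    print("whitelist 10.1.0.0/16               ->", demo_whitelist())
```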

Overlay LAN Route

If multiple VPNs are planned for service isolation between departments, you need to plan
overlay LAN routes for sites in each VPN.

OSPF, BGP, and static routes can be configured on the LAN side. Currently, OSPF routes are
planned for the LAN side at the headquarters site, and static routes are planned for the LAN
side at branch sites.

l OSPF
– Site: Plan the site where overlay LAN routes need to be configured.
– Device: Select the CPE for which OSPF routes are to be configured. In the dual-
gateway scenario, you need to configure OSPF routes for both the two CPEs.
– Process ID: Plan the ID of the OSPF process.
n In DSVPN tunnel mode, the process ID is in the range from 1001 to 65535.
n In EVPN tunnel mode, the process ID is in the range from 1 to 20000.
– General parameters: The following data is valid in the OSPF area of all interfaces
on the LAN side.
n Default route advertisement flag: Plan whether to advertise the default route to
the common OSPF area.
n Default route cost: Plan the default route cost for advertising the default route.
The default value is 1.
n Internal priority: Plan the priority of OSPF routes (excluding AS external
routes). A smaller value indicates a higher priority.
n ASE priority: Plan the priority of the OSPF AS external route. A smaller value
indicates a higher priority.
– Interface parameters: Plan data for all LAN-side interfaces on which OSPF routes
need to be enabled.
n Area ID: Plan the ID of an OSPF area.
n Interface name: Select the LAN-side interface on which OSPF routes are to be
enabled.


n Authentication mode: Plan the authentication mode used by the OSPF area.
The authentication modes and passwords of all the devices must be the same in
any given area, but can differ between several areas.
The following authentication modes are supported:
○ None: Authentication is not performed on OSPF packets.
○ Simple: A password needs to be configured.
○ Cryptographic: The MD5, HMAC-MD5, or HMAC-SHA256
authentication mode can be selected.
n Key: Plan the authentication key identifier for interface ciphertext
authentication. This parameter needs to be set only when the cryptographic
authentication mode is used. The value must be the same as the authentication
key identifier of the peer end.
n Password: Plan the authentication key. This parameter needs to be set only
when the simple authentication mode is used.
n Hello packet interval: Plan the interval for sending Hello packets on an
interface, in seconds. The default value is 10. Hello packets are periodically
exchanged by OSPF interfaces to establish and maintain neighbor
relationships. A smaller interval means shorter time taken to detect network
topology changes but a higher route cost. The interval must be the same as that
of the neighbor.
n DR priority: Plan the priority of an interface during designated router (DR)
election. The default value is 0. The DR priority of an interface determines
whether the interface participates in DR election. If the DR priority is 0, the
router where the interface is located cannot be elected as a DR or BDR.
n Cost: Plan the OSPF cost for the interface. By default, OSPF automatically
calculates the cost based on the interface bandwidth. Load balancing can be
performed among several LAN-side routes with the same protocol type, cost,
and destination address. You can change the interface costs to change the load
balancing mode to the active/standby mode according to the actual
networking.
– Route importing: Import routes discovered by other routing protocols to enrich
OSPF routing information. When OSPF imports external routes, you can set the
cost of imported routes.
n Protocol: Plan the source routing protocol. By default, WAN-side BGP routes
on the overlay network are imported to implement communication on the
entire network. Static, OSPF, and direct routes can also be imported.
n Process ID: Specify the ID of the imported OSPF process when OSPF routes
are imported.
n Cost: Plan the cost of the imported route. The default value is 1. You can
change the cost to determine whether load balancing is achieved for multiple
routes destined for a network segment.
– Route filtering: You can plan the following parameters to use the blacklist and
whitelist for route filtering to control the advertisement and receiving of OSPF
routes. For details, see the description in Overlay WAN Route.
n Filtering direction: Specify whether to filter the routes to be advertised or
received.
n Filtering mode: Specify whether to use the blacklist or whitelist for filtering.


n Filtering address: Plan the address prefixes for blacklist and whitelist filtering.
You can specify the destination IP address/mask and mask range for filtering.
Multiple network segments can be configured.
l BGP
– Site: Plan the site where overlay LAN routes need to be configured.
– Advanced parameters
n External priority: Plan the priority of eBGP routes. In the dual-gateway
scenario, you can configure different priorities for the two devices.
n Default route importing: Specify whether to import the existing default route
in the local routing table to the BGP routing table. Generally, the default route
importing function does not need to be enabled. If the LAN side connects to
the Internet and other sites need to access the Internet through the LAN side of
the site, the default route importing function needs to be enabled.
n Route importing: Specify the source routing protocol. By default, static and
direct routes are imported.
n Aggregated route: If routes need to be aggregated, plan the network segments
of aggregated routes. You can specify the IP addresses and masks of the
aggregated routes.
After the network segment of the summarized routes is specified, if LAN-side
routes are subnets of the specified network segment, these subnets are
aggregated into one route and then advertised. If there are too many LAN-side
routes or the information about the LAN-side routes need to be hidden, routes
of multiple network segments can be aggregated into one network segment.
This reduces the size of the CPE routing table and hides the internal routing
information of the local site.
– Device: Select the CPE for which BGP routes are to be configured. In the dual-
gateway scenario, you need to configure BGP routes for both the two CPEs.
– Peer IP address: Plan the IPv4 address of the peer. The IPv4 address can be the IP
address of an interface that is directly connected to the peer or the IP address of a
loopback interface of the reachable peer.
– Peer AS: Specify the AS number of the peer device. The BGP AS number must be
the same as that of the peer device. Otherwise, the BGP peer relationship cannot be
established.
– Local AS: Configure the local end to establish a connection with a specified peer by
using a fake AS number. By default, the local end uses the actual AS number to
establish a connection.
– Keepalive time: Specify the BGP keepalive time, in seconds. The default value is
60.
– Holdtime: Specify the BGP hold time, in seconds. The default value is 180. The
holdtime must be at least three times the keepalive time.
n If short Keepalive time and holdtime are set, BGP can detect a link fault
quickly. This speeds up BGP network convergence, but increases the number
of keepalive messages on the network and loads of devices, and consumes
more network bandwidth resources.
n If long Keepalive time and holdtime are set, the number of keepalive messages
on the network is reduced, loads of devices are reduced, and less network
bandwidth is consumed. If the keepalive time is too long, BGP is unable to
detect link status changes in a timely manner. This is unhelpful for
implementing rapid BGP network convergence and may cause many packets
to be lost.
– MD5 encryption: Specify whether to use MD5 authentication between BGP peers.
If MD5 encryption is used, a ciphertext password must be specified. The MD5
authentication configuration and the ciphertext password must be the same as the
BGP configuration of the peer device. Otherwise, the BGP peer relationship fails to
be established.
– Routing policy: You can configure route filtering to control the advertisement and
receiving of BGP routes.
n Filtering direction: Specify whether to filter the routes to be advertised or
received.
n IP address prefix list: Configure the IP address prefix list in the blacklist and
whitelist for filtering. You can specify the destination IP address/mask and
mask range for filtering. Multiple network segments can be configured.
n Filtering mode: Specify whether to use the blacklist or whitelist for filtering.
n MED: Specify the MED value of BGP routes corresponding to the network
segment specified in the IP address prefix list.
Similar to the metric of an IGP, the MED value is used to determine the
optimal route for the traffic to enter an AS. When a BGP-enabled device
obtains multiple routes to the same destination address but with different next
hops from EBGP peers, it selects the route with the smallest MED value as the
optimal route.
n Community: Specify the community attribute of BGP routes corresponding to
the network segment specified in the IP address prefix list.
The community attribute is a private BGP route attribute. It is transmitted
between BGP peers and is not restricted to within an AS. The community
attribute allows a group of BGP-enabled devices in multiple ASs to share the
same routing policies. This allows routing policies to be flexibly used and
makes it simple to maintain and manage routing policies.
n AS_Path: Specify the AS path of BGP routes corresponding to the network
segment specified in the IP address prefix list.
The AS_Path attribute records the numbers of all ASs that a route passes
through, from the source to the destination, in the vector order. You can
configure the AS_Path attribute to implement flexible route selection.
l Static Route
– Site: Plan the site where overlay LAN routes need to be configured.
– Device: Select the CPE for which static routes are to be configured. In the dual-
gateway scenario, you need to configure static routes for both the two CPEs.
– Priority: Set the priority of static routes. The priority is in the range from 1 to 255
and is 60 by default. A smaller value indicates a higher priority.
If the same priority is configured for multiple static routes with the same
destination, traffic is load balanced among these static routes. If different priorities
are configured, the static routes back up each other.
– Destination network segment/mask: Specify the destination network segment and
mask of a static route. If both the destination IP address and mask are set to 0.0.0.0,
a default route is configured.
– Next hop: Plan the next hop, which can be an IP address or blackhole route.
Generally, you can set the next hop to an IP address. If you want to forbid access to
certain network segments, set the next hop to black_hole, which means that packets
destined for the network segments will be discarded.
– Detection address: Plan the address to be detected. Ensure that the address is
reachable through the configured static route.
If the next-hop IP address manually specified for a static route changes, the device
on which the static route is configured is unaware of the change. As a result, traffic
fails to be forwarded along the static route. After the address to be detected is
specified, the system associates the static route with the NQA test instance and
creates an ICMP NQA test instance to check whether the IP address is reachable. If
the NQA test instance fails, the static route is withdrawn. In this way, invalid static
routes can be detected in a timely manner.

Configuration Tasks

Scenario: Connect a site to the vRR.
Description: The vRR site needs to be configured and associated only in EVPN tunnel mode. In DSVPN mode, the vRR does not need to be configured.
Task: 1. 1.8.3.4 Creating a Site; 2. 1.8.3.5 Associating an Edge Site with a vRR

Scenario: Configure BGP routing policies on the WAN side of the overlay network.
Description: You need to configure the blacklist and whitelist policies on the WAN side of the overlay network to filter overlay routes in the receive and transmit directions.
Task: 1.8.3.9.10 Configuring Overlay WAN-Side Routes (BGP)

Scenario: Configure static routes on the WAN side of the overlay network.
Description: If the site uses a single CPE configured with active and standby links, you can specify the next-hop site and route priority of the standby link. The system automatically orchestrates the static routes of the standby link.
Task: 1.8.3.9.11 Configuring Overlay WAN-Side Routes (Static Routes)

Scenario: Configure BGP routes on the LAN side of the overlay network.
Description: BGP is used for communication with the Layer 3 switch or router on the LAN side.
Task: 1.8.3.9.9 Configuring Overlay LAN-Side Routes (BGP)

Scenario: Configure OSPF routes on the LAN side of the overlay network.
Description: OSPF is used for communication with the Layer 3 switch or router on the LAN side.
Task: 1.8.3.9.8 Configuring Overlay LAN-Side Routes (OSPF)

Scenario: Configure static routes on the LAN side of the overlay network.
Description: Static routes are used to communicate with the LAN.
Task: 1.8.3.9.7 Configuring Overlay LAN-Side Routes (Static Routes)

1.4.1.6.1 Address Pool Planning (DSVPN)


IP addresses in an address pool are applicable to:
1. DSVPN tunnel interface
2. Interface of a local breakout
3. Loopback interface on a CPE
4. Interface of an internal link between dual gateways
The number of IP addresses to be planned for an address pool depends on the network scale,
that is, the number of sites. A larger number of sites require more IP addresses.
Based on the network model, the following sections describe how to plan an address pool on a
single-layer network and a dual-layer network. A single-layer network is a flattened network
with only central and branch sites, but no aggregation site. A dual-layer network is a
hierarchical domain-based network with central, aggregation, and branch sites. Address pool
planning on a dual-layer network is based on a single-layer network. Therefore, you need to
understand how to plan an address pool on a single-layer network first.

Single-Layer Network
The total number of IP addresses in an address pool is related to the number of network
segments and subnet masks. The larger the number of network segments or the shorter the
mask length, the more the total number of IP addresses. The following describes how to
calculate the number of network segments and the longest mask length. You can set the
required network segments and longest mask length according to the calculation results to
meet your IP address requirement.

NOTE

The longest mask length refers to the least required mask length that needs to be configured for a
network scale. You can set a smaller value than the longest mask length. In this case, the number of
network segments can be reduced, but you need to ensure that the total number of IP addresses does not
decrease.

1. Longest mask length
The longest mask length depends on the network scale, that is, the number of sites
(central or branch sites). Table 1-6 Mapping between the longest mask length and the
network scale lists the mapping between the longest mask length and the network scale.

Table 1-6 Mapping between the longest mask length and the network scale

Network Scale/Number of Sites    Longest Mask Length
2-10                             28
11-30                            27
31-60                            26
61-120                           25
121-250                          24
251-500                          23
501-1000                         22
> 1000                           20

2. Number of network segments
The number of network segments is determined by the number of WAN links connecting
the central site to each routing domain (RD). In addition, the system itself requires two
network segments. The central site can have one or two hubs (active/standby mode)
deployed. The formulas for the two scenarios differ and are described as follows:
a. Central site with one hub
Total number of network segments = Number of network segments at the
single-hub site + 2
In this formula: Number of network segments at the single-hub site = Square of the
number of WAN links connecting the hub to RD1 + Square of the number of WAN
links connecting the hub to RD2 + ... + Square of the number of WAN links
connecting the hub to RDn
b. Central site with two hubs
Total number of network segments = Number of network segments of Hub1 +
Number of network segments of Hub2 + Number of network segments
required for connection between Hub1 and Hub2 + 2
In this formula: Number of network segments required for interconnection
between Hub1 and Hub2 = MAX (Number of network segments of Hub1,
Number of network segments of Hub2)
NOTE

In the preceding formulas, 2 indicates the two network segments occupied by the system. One
network segment must contain at least 192 IP addresses. Therefore, if the number of IP addresses
calculated based on the longest mask length is less than 192, you need to add a network segment.
3. The following uses a dual-hub site as an example to describe how to calculate the
number of network segments using the formula. Hub1 has two WAN links to RD1 and
one to RD2; Hub2 has one WAN link to each RD.
Number of network segments of Hub1 = 2² + 1² = 5
Number of network segments of Hub2 = 1² + 1² = 2
Total number of network segments = 5 + 2 + 5 + 2 = 14
NOTE

1. Assume that the number of sites is 100. According to Table 1-6 Mapping between the longest mask
length and the network scale, the longest mask length is 25.
2. Each of the two network segments occupied by the system must contain at least 192 IP addresses.
However, 2⁷ equals 128, which is less than 192. Therefore, you need to add a network segment.
3. Finally, the longest mask length is 25 according to the calculation result, so 15 network segments
need to be configured. However, the system supports a maximum of eight network segments. In this
case, you need to decrease the mask value to reduce the number of required network segments. For
example, if the mask length is 23, configure seven network segments.

Dual-Layer Network
The formula for calculating the number of network segments on a dual-layer network is as
follows: Total number of network segments = Number of network segments between the
central site and aggregation site + Number of network segments between the aggregation site
and branch site.


1. Longest mask length
Assume that there are 304 sites in total, including two central sites, two aggregation
sites, and 300 branch sites. According to Table 1-6 Mapping between the longest mask
length and the network scale, the longest mask length is 23.
2. Number of network segments
a. Number of required network segments between the central site and aggregation
sites (Hub1 with two links to RD1 and one to RD2, Hub2 with one link to each RD):
(2² + 1²) + (1² + 1²) + MAX(2² + 1², 1² + 1²) = 12
b. Number of required network segments between the aggregation sites and branch
sites:
i. Agg 1: 1² + 1² = 2
ii. Agg 2: 1² + 1² = 2
c. Total number of network segments: 12 + 2 + 2 + 2 = 18
NOTE

Each of the two network segments occupied by the system must contain at least 192 IP addresses.
Because 2⁹ equals 512, which is larger than 192, you do not need to add any network segment.
3. Finally, the longest mask length is 23 according to the calculation result, so 18 network
segments need to be configured. However, the system supports a maximum of eight
network segments. In this case, you need to decrease the mask value to reduce the
number of required network segments. For example, if the mask length is 20, configure
three network segments.
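As an added example that is not part of the guide, the following Python implements the Table 1-6 lookup, the single-hub and dual-hub segment formulas, the 192-address check on the two system segments, and the dual-layer total, and reproduces the single-layer (100 sites) and dual-layer (304 sites) calculations above. Shrinking the mask to stay within eight segments follows the NOTE's rule that the total number of IP addresses must not decrease; applying that rule one mask bit at a time is my assumption, and all function names are constructed for this example.

```python
from typing import Sequence, Tuple

# Table 1-6 in the guide: (upper bound on the number of sites, longest mask length)
LONGEST_MASK_TABLE = [(10, 28), (30, 27), (60, 26), (120, 25), (250, 24), (500, 23), (1000, 22)]
LONGEST_MASK_OVER_1000 = 20
SYSTEM_SEGMENTS = 2                 # two network segments occupied by the system
MIN_SYSTEM_SEGMENT_ADDRESSES = 192  # each system segment must hold at least 192 addresses
MAX_SEGMENTS = 8                    # the system supports at most eight network segments


def longest_mask_length(site_count: int) -> int:
    """Look up the longest mask length for a network scale (Table 1-6)."""
    if site_count < 2:
        raise ValueError("an SD-WAN network needs at least two sites")
    for max_sites, mask in LONGEST_MASK_TABLE:
        if site_count <= max_sites:
            return mask
    return LONGEST_MASK_OVER_1000


def addresses_in_segment(mask_length: int) -> int:
    """Number of IPv4 addresses in one network segment of the given mask length."""
    return 2 ** (32 - mask_length)


def hub_segments(links_per_rd: Sequence[int]) -> int:
    """Segments for one hub: the sum over RDs of (WAN links to that RD) squared."""
    return sum(n * n for n in links_per_rd)


def dual_hub_segments(hub1: Sequence[int], hub2: Sequence[int]) -> int:
    """Segments for a two-hub site, including MAX(Hub1, Hub2) for the Hub1-Hub2 interconnection."""
    a, b = hub_segments(hub1), hub_segments(hub2)
    return a + b + max(a, b)


def site_segments(hubs: Sequence[Sequence[int]]) -> int:
    """Segments for a site with one or two hubs (system segments not included)."""
    if len(hubs) == 1:
        return hub_segments(hubs[0])
    if len(hubs) == 2:
        return dual_hub_segments(hubs[0], hubs[1])
    raise ValueError("a site has one or two hubs")


def with_system_segments(segments: int, mask_length: int) -> int:
    """Add the two system segments, plus one more if a segment at this mask holds fewer than 192 addresses."""
    total = segments + SYSTEM_SEGMENTS
    if addresses_in_segment(mask_length) < MIN_SYSTEM_SEGMENT_ADDRESSES:
        total += 1
    return total


def single_layer_segments(central_hubs: Sequence[Sequence[int]], mask_length: int) -> int:
    """Single-layer network: central site segments + system segments."""
    return with_system_segments(site_segments(central_hubs), mask_length)


def dual_layer_segments(central_hubs: Sequence[Sequence[int]],
                        aggregation_links: Sequence[Sequence[int]], mask_length: int) -> int:
    """Dual-layer network: central-to-aggregation segments + each aggregation site's segments + system."""
    agg = sum(hub_segments(links) for links in aggregation_links)
    return with_system_segments(site_segments(central_hubs) + agg, mask_length)


def segments_at_mask(segments: int, longest_mask: int, mask_length: int) -> int:
    """Segments needed with a shorter mask so that the total number of addresses does not decrease."""
    if mask_length > longest_mask:
        raise ValueError("mask length must not exceed the longest mask length")
    needed = segments * addresses_in_segment(longest_mask)
    per_segment = addresses_in_segment(mask_length)
    return (needed + per_segment - 1) // per_segment  # integer ceiling


def fit_within_segment_limit(segments: int, longest_mask: int) -> Tuple[int, int]:
    """Shorten the mask one bit at a time until the plan fits in at most eight segments."""
    mask = longest_mask
    while segments_at_mask(segments, longest_mask, mask) > MAX_SEGMENTS:
        mask -= 1
    return mask, segments_at_mask(segments, longest_mask, mask)


def guide_single_layer_example() -> Tuple[int, int, int, int]:
    """100 sites, Hub1 links (2, 1) and Hub2 links (1, 1): (longest mask, segments, fitted mask, fitted segments)."""
    mask = longest_mask_length(100)
    segments = single_layer_segments([[2, 1], [1, 1]], mask)
    return (mask, segments) + fit_within_segment_limit(segments, mask)


def guide_dual_layer_example() -> Tuple[int, int, int, int]:
    """304 sites, same central hubs, two aggregation sites with links (1, 1) each."""
    mask = longest_mask_length(304)
    segments = dual_layer_segments([[2, 1], [1, 1]], [[1, 1], [1, 1]], mask)
    return (mask, segments) + fit_within_segment_limit(segments, mask)


if __name__ == "__main__":
    print("single-layer (mask, segments, fitted mask, fitted segments):", guide_single_layer_example())
    print("dual-layer   (mask, segments, fitted mask, fitted segments):", guide_dual_layer_example())
```

For the dual-layer case the function returns the shortest reduction that fits (/21 with 5 segments); the guide's /20 with 3 segments is the same rule taken one bit further, as segments_at_mask(18, 23, 20) shows.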


1.4.1.7 Internet Access

Functions
The SD-WAN Solution provides the following Internet access modes:
l Local Internet access: The Internet access traffic of a site is routed from the local Internet
link to the Internet. In local Internet access mode, NAT in Easy-IP mode is provided.
You can determine whether to enable the NAT function based on the outbound interface.
After NAT is enabled, the system uses the IP address of the outbound interface as the
public IP address after NAT is performed and translates the IP address of the traffic
passing through the interface.
l Centralized Internet access: All sites in an enterprise access the Internet through a
centralized Internet gateway.
l Hybrid Internet access: The system allows some applications to access the Internet in
local Internet access mode and other applications to access the Internet in centralized
Internet access mode. If local Internet access with the default policies (Policy is set to
All) is used and centralized Internet access is enabled, local Internet access is preferred.
If the local link is faulty, the centralized Internet access mode is used. In hybrid Internet
access mode, the NAT function in Easy-IP mode can also be enabled on the outbound
interface for local Internet access.

Application Scenarios
l Local Internet access is applicable to small-scale enterprises or scenarios where
centralized security control is not required for Internet access traffic and links for
accessing the Internet are available on the WAN side.
l Centralized Internet access is applicable to scenarios where the site does not have links
for accessing the Internet or where Internet access traffic needs to be centrally controlled.
In this mode, a centralized Internet gateway is configured. Traffic from other sites is
forwarded to the centralized Internet gateway through the overlay network to access the
Internet.
l Hybrid Internet access is applicable to scenarios where Internet access traffic needs to be
managed centrally but the traffic of specified services (such as Office 365) is routed out
from the local site to minimize the access delay.

Data Planning and Design


If multiple VPNs are planned for service isolation between departments, you need to plan the
network access mode for sites in each VPN.
l Centralized Internet access
– Internet gateway: Plan a site that functions as the centralized Internet gateway.
n In EVPN tunnel mode, a maximum of two sites can be specified as the active
gateway and standby gateway. You can configure all areas to access the
network through the specified gateway or specify an Internet gateway for each
area.
n In DSVPN tunnel mode, a maximum of two sites can be specified as the
Internet gateway for the hub site, and only one Internet gateway can be
specified for aggregation sites and branch sites. All areas access the network
through the specified Internet gateway, which cannot be specified for each area
separately. Generally, the hub site is used as the Internet gateway. If a branch

Issue 01 (2019-03-13) Copyright © Huawei Technologies Co., Ltd. 49


SD-WAN
Configuration Guide 1 Configuration Guide

site is planned as the centralized Internet gateway, the branch site is used as the
Internet gateway.
l Local Internet access
– Site: Plan the site that uses the local Internet access mode.
– WAN link: Specify the WAN link name in the site template to select the WAN link
used for local Internet access. A site can access the Internet through the specified
WAN link. For sites using the same site template, only the same WAN link can be
used for Internet access.
– NAT: Plan whether to enable the NAT function. Generally, the NAT function needs
to be enabled for Internet access services at sites.
– Link priority: Plan the priority of a WAN link. If multiple WAN links are available
for Internet access, you can configure the link priorities so that the WAN links can
work in active/standby mode. The link priority is in the range from 1 to 3. A larger
value indicates a higher priority.
– Bandwidth allocation: Specify the proportion of local breakout traffic to the
available bandwidth that has been allocated to overlay services in the VPN. If the
available bandwidth for overlay services accounts for 30% of the total bandwidth
for the VPN and 10% of the bandwidth is allocated to the local breakout traffic, the
available bandwidth of the local breakout traffic accounts for 3% of the total
bandwidth of the WAN link. That is, if the total bandwidth of the interface is 100
Mbit/s, the bandwidth for local breakout traffic is 3 Mbit/s.
– Policy: By default, All is selected, which indicates that all services of a site
preferentially use local Internet access.
l Hybrid Internet access
– Centralized Internet gateway: For details, see Centralized Internet access.
– Local Internet access: For details, see Local Internet access. The following
parameters for hybrid Internet access are different from those for local Internet
access:
n Policy: Select All or Application. If All is selected, all services of a site
preferentially use local Internet access, and centralized Internet access is used
only when local Internet access is unavailable; the two modes back each other up.
If Application is selected, traffic classifiers need to be configured so that the
matching services use local Internet access and all other services use centralized
Internet access.
n Traffic classifier: If Policy is set to Application, plan the traffic classifiers for
the local Internet access service.
You can define local Internet access services by specifying the source and
destination IP addresses, and TCP or UDP source and destination port
numbers, or by matching the application group, VLAN ID, 802.1p priority,
source and destination MAC addresses, and Layer 2 protocol type. For details
about the traffic classifier, see the description in "Data Planning and Design" in
1.4.2.2 Intelligent Traffic Steering.
n Detection IP address: If Policy is set to Application, you can plan a detection
IP address for the site. The system creates an NQA instance to detect the IP
address, test the network connectivity, and quickly detect the network fault on
the WAN side. When the detection fails, services can switch to the centralized
Internet access mode in a timely manner. You can plan a public detection IP
address (for example, the DNS server address) that can be accessed by all sites
or a separate detection IP address (for example, the gateway address of the WAN
link of the site) for each site.
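The following is an added example, not part of this guide and not Huawei's implementation. It models the hybrid Internet access decision planned above: Policy set to All or Application, traffic classifiers that select the services allowed to break out locally, NQA detection of the WAN side, WAN link priorities (1 to 3, larger is higher), and fallback to the centralized Internet gateway. The class and function names (Flow, Classifier, WanLink, Site, select_egress), the gateway name hub-igw, and the sample site and flows are assumptions constructed for the illustration.

```python
"""Hybrid Internet access decision model (added example, not Huawei code).

Assumed names: Flow, Classifier, WanLink, Site, select_egress.
Behaviour modelled from the guide:
- Policy=All: every flow prefers local breakout; when no local link is usable
  the flow falls back to the centralized Internet gateway (if one is enabled).
- Policy=Application: only flows matching a traffic classifier prefer local
  breakout; everything else is sent to the centralized gateway over the overlay.
- A failed NQA probe to the detection IP marks local breakout as down.
- Among local links that are up, the one with the highest priority is active.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    """Constructed 5-tuple plus the application name, if identification produced one."""
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    sport: int
    dport: int
    app: Optional[str] = None


@dataclass
class Classifier:
    """One local-breakout traffic classifier. Unset fields match anything;
    set fields are combined with AND."""
    name: str
    src_net: Optional[str] = None
    dst_net: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    app_group: frozenset = frozenset()

    def matches(self, f: Flow) -> bool:
        if self.src_net and ip_address(f.src) not in ip_network(self.src_net):
            return False
        if self.dst_net and ip_address(f.dst) not in ip_network(self.dst_net):
            return False
        if self.proto and f.proto != self.proto:
            return False
        if self.dport is not None and f.dport != self.dport:
            return False
        if self.app_group and f.app not in self.app_group:
            return False
        return True


@dataclass
class WanLink:
    name: str
    priority: int         # 1..3, larger value = higher priority
    up: bool = True


@dataclass
class Site:
    policy: str                                  # "All" or "Application"
    links: List[WanLink]                         # WAN links planned for local Internet access
    classifiers: List[Classifier] = field(default_factory=list)
    nqa_ok: bool = True                          # detection IP reachable (NQA probe result)
    centralized_gw: Optional[str] = "hub-igw"    # None = centralized access not enabled


def active_local_link(site: Site) -> Optional[WanLink]:
    """Highest-priority WAN link that is up, or None when local breakout is unusable."""
    if not site.nqa_ok:
        return None
    up = [link for link in site.links if link.up]
    return max(up, key=lambda link: link.priority) if up else None


def select_egress(site: Site, f: Flow) -> str:
    """Return 'local:<link>', 'centralized:<gateway>' or 'drop' for one new flow."""
    prefers_local = site.policy == "All" or any(c.matches(f) for c in site.classifiers)
    if prefers_local:
        link = active_local_link(site)
        if link is not None:
            return f"local:{link.name}"
    if site.centralized_gw:
        return f"centralized:{site.centralized_gw}"
    return "drop"


# Constructed sample site: Office 365 and DNS break out locally, everything else
# goes to the hub Internet gateway.
SAMPLE_SITE = Site(
    policy="Application",
    links=[WanLink("internet1", priority=3), WanLink("internet2", priority=1)],
    classifiers=[
        Classifier("o365", proto="tcp", dport=443, app_group=frozenset({"office365"})),
        Classifier("dns", proto="udp", dport=53),
    ],
)
O365_FLOW = Flow("10.1.1.10", "52.96.0.1", "tcp", 51000, 443, app="office365")
WEB_FLOW = Flow("10.1.1.10", "93.184.216.34", "tcp", 51001, 443, app="unknown")

if __name__ == "__main__":
    for flow in (O365_FLOW, WEB_FLOW):
        print(flow.app, "->", select_egress(SAMPLE_SITE, flow))
```

Two points worth checking against a real deployment: with Policy set to Application, a flow that matches no classifier never uses the local link even when that link is healthy, so a classifier that is too narrow silently sends "SaaS" traffic through the hub; and a site with Policy set to All and no centralized gateway is the only combination in which a flow has nowhere to go when every local link is down.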

Configuration Tasks

Scenario: Configure a local Internet access policy.
Description: Configure the site to access the Internet through the local Internet link.
Task: 1.8.5.3 Configuring an Internet Access Policy for a Site. On the Site-to-Internet
page, configure local Internet access.

Scenario: Configure a centralized Internet access policy.
Description: Configure the site to access the Internet through the centralized Internet
gateway.
Task: 1.8.5.3 Configuring an Internet Access Policy for a Site. On the Site-to-Internet
page, configure centralized Internet access.

Scenario: Configure hybrid Internet access.
Description:
l Configure some sites to access the Internet through the centralized Internet gateway
and the other sites to access the Internet through the local Internet link.
l Configure certain services of the site to access the Internet through the local Internet
link and the other services to access the Internet through the centralized Internet
gateway.
Task: Perform the operations in 1.8.5.3 Configuring an Internet Access Policy for a Site in
the following sequence:
1. On the Site-to-Internet page, select Centralized Internet access to configure the site
to access the Internet through the centralized Internet gateway.
2. On the Site-to-Internet page, select Local Internet access, specify the sites that
access the Internet through the local Internet link, and specify policies for services
that access the Internet through the local Internet link.

1.4.1.8 Connecting to the Legacy MPLS Network


Before deploying the SD-WAN solution, enterprises may have multiple sites connected
through legacy MPLS private lines. When new sites are deployed or some legacy sites are
reconstructed into SD-WAN sites, an enterprise has two types of logical networks: SD-WAN
and legacy logical network. These two types of networks require communication between
each other.
When the underlay network connected to an SD-WAN site can communicate with the legacy
MPLS network, the breakout technology can be used to transmit user traffic from the SD-
WAN site to the underlay MPLS network. Users at the SD-WAN site can directly
communicate with users at the legacy site through the underlay network.
In this scenario, the following traffic models can be used for mutual access, depending on
service requirements:
l Distributed local access
This model can be used if all SD-WAN sites can access legacy underlay MPLS network
sites through local breakout. In this model, the mutual access traffic of each site can be
offloaded locally.
l Centralized access
If some SD-WAN sites cannot access legacy sites through local breakout, you can select
one site that can communicate with the legacy sites as the centralized access site. Traffic
from other sites is sent to the centralized access site through overlay tunnels, and then
forwarded to the legacy sites through local breakout.
l Hybrid access
If a centralized access site is deployed on the SD-WAN network, it can provide the
centralized access function for the sites that cannot access the legacy network through
local breakout. In addition, the distributed access function can be configured for sites
that support local breakout. Then traffic of these distributed sites is preferentially
forwarded to the legacy underlay MPLS sites through local breakout. If the local link for
accessing the MPLS network is faulty, traffic can be transmitted to the centralized access
site through the overlay tunnel of other links, and then forwarded to the legacy site
through the centralized access site. This improves transmission reliability for traffic.

Data Planning and Design


If multiple VPNs are planned for service isolation between departments, you need to plan the
legacy site access mode for sites in each VPN.
l Centralized access
– Mutual access gateway: Plan the site that functions as the gateway for centralized
access.
n In EVPN tunnel mode, a maximum of two sites in active/standby mode can be
specified.
n In DSVPN tunnel mode, a maximum of two hub sites can be specified as
mutual access gateways, and only one mutual access gateway can be specified
for aggregation sites and branch sites. Generally, the hub site is used as the
mutual access gateway. If a branch site is planned as the mutual access
gateway on the MPLS network, the branch site functions as the mutual access
gateway.
– IGW: Specify whether this site also functions as the Internet gateway (IGW) for
legacy sites. If legacy sites access the Internet through the IGW, enable the IGW
function on the site.
– WAN link: Specify the WAN link name in a site template to select the WAN link
used for MPLS network access. For sites using the same site template, only the
same WAN link can be used for MPLS network access.

– Link priority: Plan the priority of a WAN link. If multiple WAN links are available
for MPLS network access, you can configure the link priorities so that the WAN
links can work in active/standby mode. The link priority is in the range from 1 to 3.
A larger value indicates a higher priority.
You can configure multiple links to work in active/standby mode or load balancing
mode by configuring the priority.
n If links have different priorities, they work in active/standby mode, and the
link with the highest priority is the active link.
n If the links have the same priority, they work in load balancing mode.
– Bandwidth allocation: Specify the proportion of local breakout traffic to the
available bandwidth that has been allocated to overlay services in the VPN. If the
available bandwidth for overlay services accounts for 30% of the total bandwidth
for the VPN and 10% of the bandwidth is allocated to the local breakout traffic, the
available bandwidth of the local breakout traffic accounts for 3% of the total
bandwidth of the WAN link. That is, if the total bandwidth of the interface is 100
Mbit/s, the bandwidth for local breakout traffic is 3 Mbit/s.
l Local access
– Site: Plan the site that uses the local access mode to communicate with legacy sites.
– IGW: Specify whether this site also functions as the Internet gateway (IGW) for
legacy sites. If legacy sites access the Internet through the IGW, enable the IGW
function on the site.
– WAN link: Specify the WAN link name in a site template to select the WAN link
used for MPLS network access. For sites using the same site template, only the
same WAN link can be used for MPLS network access.
– Link priority: Plan the priority of a WAN link. If multiple WAN links are available
for MPLS network access, you can configure the link priorities so that the WAN
links can work in active/standby mode. The link priority is in the range from 1 to 3.
A larger value indicates a higher priority.
You can configure multiple links to work in active/standby mode or load balancing
mode by configuring the priority.
n If links have different priorities, they work in active/standby mode, and the
link with the highest priority is the active link.
n If the links have the same priority, they work in load balancing mode.
– Bandwidth allocation: Specify the proportion of local breakout traffic to the
available bandwidth that has been allocated to overlay services in the VPN. If the
available bandwidth for overlay services accounts for 30% of the total bandwidth
for the VPN and 10% of the bandwidth is allocated to the local breakout traffic, the
available bandwidth of the local breakout traffic accounts for 3% of the total
bandwidth of the WAN link. That is, if the total bandwidth of the interface is 100
Mbit/s, the bandwidth for local breakout traffic is 3 Mbit/s.
l Hybrid access
– Centralized access: For details, see Centralized access.
– Local access: For details, see Local access.

Configuration Tasks

Scenario: Configure the distributed local access mode.
Description: Configure sites to communicate with legacy sites through local MPLS links.
Task: 1.8.5.4 Configuring a Mutual-Access Policy for Traditional Sites. On the Site-to-
Legacy Site page, configure local access.

Scenario: Configure the centralized access mode.
Description: Configure sites to communicate with legacy sites through the centralized
access site (mutual access gateway).
Task: 1.8.5.4 Configuring a Mutual-Access Policy for Traditional Sites. On the Site-to-
Legacy Site page, configure centralized access.

Scenario: Configure the hybrid access mode.
Description: Configure some sites to communicate with legacy sites through the
centralized access site, and the other sites to preferentially use the local access mode
to communicate with legacy sites.
Task: Perform the operations in 1.8.5.4 Configuring a Mutual-Access Policy for Traditional
Sites in the following sequence:
1. On the Site-to-Legacy Site page, select Centralized access to configure sites to
access legacy sites through the centralized access site.
2. On the Site-to-Legacy Site page, select Local access to configure the sites that use
the local access mode.

1.4.1.9 Connecting to the Public Cloud


With the development of cloud computing and virtualization technologies, the public cloud
has comprehensive computing, storage, network, and security capabilities. The public cloud is
cost-efficient. Additionally, professional O&M teams help enterprises run their IT systems on
the cloud. Therefore, a growing number of enterprises are deploying their IT systems on the
cloud. This imposes requirements on availability, flexibility, and security as enterprises'
branch sites access services on the public cloud.

In Huawei SD-WAN Solution, the AR1000V, a virtual router, is deployed on the cloud and is
centrally managed by the SD-WAN@AC-Campus. The AR1000V integrates routing, VPN,
security, and centralized service orchestration capabilities, enabling multicloud
interconnection for enterprises. In addition, the AR1000V functions as a cloud site and can
provide basic network functions for customers to implement services such as VASs and WAN
optimization controller (WOC).

1.4.1.9.1 Connecting to the AWS

Transit VPC
The transit VPC solution is recommended for connecting Huawei SD-WAN Solution to the
AWS. In this solution, the transit VPC is introduced, and the AR1000V is deployed to
function as a cloud site on an enterprise's SD-WAN network. The cloud site is centrally
managed by the SD-WAN@AC-Campus and implements service orchestration. The transit
VPC also functions as a hub on the AWS to connect to the enterprise's spoke VPC (service
VPC) deployed on the AWS. For enterprises, the transit VPC solution can be used to
implement SD-WAN interconnection. The transit VPC solution implements cross-region
interconnection of VPCs. For an enterprise that has deployed multiple VPCs in several
regions on the AWS, the transit VPC can be deployed in a frequently accessed region. The
transit VPC can connect to the spoke VPCs and remote site CPEs of different regions on the
AWS.

In the transit VPC solution, the AR1000V is introduced to flexibly control the interconnection
between CPEs and VPCs through its routing and VPN capabilities. The following figure
shows the transit VPC solution.

The implementation of the transit VPC solution is described as follows:

1. Create a VPC (transit VPC) for the tenant on the AWS. The transit VPC serves as an
aggregation node of enterprise tenants on the cloud and connects to the enterprise's spoke
VPC, data centers, and CPE sites.
2. Deploy the AR1000V on the transit VPC. (The AR1000V can be purchased on AWS
Market Place.)
3. On the transit VPC, apply for an EIP for the instance where the AR1000V resides to
access the Internet through the IGW. Establish IPSec VPN and BGP connections
between the transit VPC and the VGW of the spoke VPC through the IGW to implement
access between the spoke VPC and transit VPC. In addition, implement on-demand
access control between the spoke VPC nodes through the VPN feature of the AR1000V.
4. The AR1000V of the transit VPC can also access the Internet through the IGW. The SD-
WAN@AC-Campus orchestrates SD-WAN services for the AR1000V and CPEs.
5. If Direct Connect connections are configured for the transit VPC, dual links of the IGW
and VGW can be established between the AR1000V and the CPE, and the intelligent
traffic steering feature can be applied.
6. The AR1000V also provides various QoS features for traffic control.
7. The AR1000V can report interface traffic statistics. The SD-WAN@AC-Campus can
monitor traffic statistics and analysis results on the cloud.

Configuration Tasks
1. Deploy the AR1000V.
2. Set Access Key in Global Parameters.
3. Create a cloud site.
4. Configure cloud resources in the ZTP configuration.
Set Cloud type to Amazon AWS and Deployment type to Transit VPC.

5. Configure VPCs on the overlay network.

1.4.1.9.2 Connecting to HUAWEI CLOUD

Host VPC
The host VPC solution is used by Huawei SD-WAN Solution to connect to HUAWEI
CLOUD. The host VPC is a service VPC. In this solution, the AR1000V is deployed to
function as a cloud site on a host VPC of an enterprise's SD-WAN network. The SD-
WAN@AC-Campus centrally manages the cloud site and implements service orchestration.

The host VPC solution implements cross-region interconnection of VPCs. For enterprises that
have deployed VPCs in multiple regions on HUAWEI CLOUD, the AR1000V is deployed on
each host VPC. The SD-WAN@AC-Campus uniformly orchestrates services and implements
mutual access between host VPCs and remote site CPEs in different regions of the cloud
through SD-WAN networks.

In the host VPC solution, the AR1000V is introduced to flexibly control the interconnection
between CPEs and VPCs through its routing and VPN capabilities. The following figure
shows the host VPC solution.

The implementation of the host VPC solution is described as follows:

1. The AR1000V is deployed in each host VPC to function as a cloud site on an enterprise's
SD-WAN network. The SD-WAN@AC-Campus centrally orchestrates services. One
AR1000V can be deployed in each AZ to enhance reliability. The SD-WAN@AC-
Campus monitors the status of the AR1000V and sends instructions for route switching.

2. The AR1000V is used to establish SD-WAN connections between different host VPCs
on the Internet to implement communication between CPEs and host VPCs.
3. When providing the cloud private line service, the AR1000V can work with the Internet
to form dual links and apply features such as intelligent traffic steering.
4. The AR1000V can report interface traffic statistics. The SD-WAN@AC-Campus can
monitor traffic statistics and analysis results on the cloud.

Configuration Tasks
1. Deploy the AR1000V.
2. Create a cloud site.
3. Configure cloud resources in the ZTP configuration.

a. Set Cloud type to Huawei Cloud and Deployment type to Host VPC.
b. Set IP address of WAN interface and Gateway address of WAN interface of the
AR1000V.
c. View the configuration and copy the configuration file to inject the Elastic Cloud
Server (ECS) user data on HUAWEI CLOUD.

NOTE

HUAWEI CLOUD supports only single-gateway sites.

1.4.2 Application Experience-oriented Scheduling and Optimization

1.4.2.1 Application Identification


Precise identification of applications on a network is the prerequisite and basis for network
services such as intelligent traffic steering, QoS, application optimization, and security.
Service policies can be applied in subsequent service processes only after applications are
identified.

SD-WAN application identification can be implemented in two modes: first packet
identification (FPI) and deep packet inspection (DPI), as shown in Figure 1-10.

Figure 1-10 Application identification

l FPI
FPI can identify the application type at the first data flow of an application. It can
quickly identify applications, and is mainly used for SaaS applications with fixed
destination addresses or ports.
l DPI
DPI performs deep packet analysis and accurately identifies common applications based
on the characteristics in application payloads.
When a packet reaches the application identification module, the FPI is performed. If an
application can be identified through the first packet, the DPI is no longer performed. If the
application fails to be identified, the DPI is performed.
For the FPI and DPI, the FPI signature database and SA signature database are preconfigured
on CPEs. The CPEs can identify common applications based on the application definition
(port, feature, and behavior) in the signature database. In addition, the FPI and DPI also
support customized applications, so that users can customize special applications.

FPI
FPI identifies a flow from its first packet by matching the 5-tuple or DSCP value of the
packet, a domain name learned through DNS, or a cached DPI result. Because the match
is based on L3-L4 information only, applications that share the same L3-L4 information
may be identified incorrectly. In return, the FPI process is simple, so its processing
performance is higher than that of DPI.

Applications can be identified in predefined application mode or through the FPI signature
database.

l Predefined application mode: Applications are identified based on the 5-tuple, DSCP, or
domain name. In this mode, the system first matches an application based on the defined
L3-L4 rule. If no match is found, the system matches the application by translating the
domain name to the IP address through DNS snooping. If no match is found, the system
matches the application based on the DPI. Some common applications are predefined in
the system based on the protocol number, port number, and domain name.
l FPI signature database: Identification is driven by DNS snooping. When a client
opens a page, it first sends a DNS query for the domain name. When the DNS
response traverses the CPE, the CPE parses it to obtain the resolved IP address,
looks up the domain name (URL) in the FPI signature database to obtain the
application ID, port number, and protocol number, and binds this triplet to the
resolved IP address in a DNS association entry. When the client then connects to
that address, the first packet of the flow is matched against the DNS association
entry as it traverses the CPE, and the application is identified without waiting
for any payload.
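The following is an added example, not part of this guide and not Huawei's implementation, that shows the DNS association mechanism described above in working code: a minimal DNS parser (with RFC 1035 name compression), an FPI signature table keyed by domain name, association entries keyed by (IP address, protocol, port), and a first-packet lookup. The signature table FPI_SIGNATURES, the packet builders, the Flow type and the FpiEngine class are constructed for this illustration. One detail is an assumption rather than something the guide documents: the engine only accepts a DNS response whose transaction ID and question name match a query it has already seen, so that an unsolicited response cannot create an association entry.

```python
"""First packet identification (FPI) driven by DNS snooping.

Added example, not Huawei code. FPI_SIGNATURES, Flow, FpiEngine and the
packet builders are assumptions constructed for this illustration. The
pending-query check in FpiEngine.snoop is a hardening detail added here;
the guide does not say whether the product performs it.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample FPI signature database: domain -> (app_id, proto, dport)
FPI_SIGNATURES = {
    "outlook.office365.com": ("office365", "tcp", 443),
    "teams.microsoft.com": ("teams", "tcp", 443),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


def _encode_name(name: str) -> bytes:
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"


def _read_name(buf: bytes, off: int) -> Tuple[str, int]:
    """Decode a DNS name at off, following compression pointers (RFC 1035 4.1.4).
    Returns the name and the offset just past the name in the original position."""
    labels, jumped, end = [], False, off
    while True:
        ln = buf[off]
        if ln & 0xC0 == 0xC0:                       # 2-byte pointer to an earlier name
            ptr = struct.unpack_from("!H", buf, off)[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(buf[off:off + ln].decode())
        off += ln
    return ".".join(labels), (end if jumped else off)


def build_dns_query(txid: int, name: str) -> bytes:
    """Constructed client query for an A record (flags: RD set, QR clear)."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + _encode_name(name) + struct.pack("!HH", 1, 1)


def build_dns_response(txid: int, name: str, ips: List[str]) -> bytes:
    """Constructed A-record response; each answer name is a pointer to the question."""
    pkt = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    pkt += _encode_name(name) + struct.pack("!HH", 1, 1)
    for ip in ips:
        pkt += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4)
        pkt += bytes(int(octet) for octet in ip.split("."))
    return pkt


def parse_dns(pkt: bytes) -> Tuple[int, bool, str, List[str]]:
    """Return (txid, is_response, question name, list of A-record addresses)."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", pkt, 0)
    off = 12
    qname, off = _read_name(pkt, off)
    off += 4                                        # QTYPE, QCLASS
    for _ in range(qdcount - 1):                    # skip any extra questions
        _, off = _read_name(pkt, off)
        off += 4
    ips: List[str] = []
    for _ in range(ancount):
        _, off = _read_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in pkt[off:off + 4]))
        off += rdlen
    return txid, bool(flags & 0x8000), qname, ips


class FpiEngine:
    def __init__(self) -> None:
        self.pending: Dict[Tuple[int, str], bool] = {}     # (txid, qname) of snooped queries
        self.assoc: Dict[Tuple[str, str, int], str] = {}   # (ip, proto, dport) -> app_id

    def snoop(self, pkt: bytes) -> int:
        """Feed one DNS packet seen on the CPE; return the number of entries created."""
        txid, is_response, qname, ips = parse_dns(pkt)
        if not is_response:
            self.pending[(txid, qname)] = True
            return 0
        # Assumption (hardening, not documented in the guide): ignore responses that
        # do not answer a query we saw, so a spoofed answer cannot poison the table.
        if not self.pending.pop((txid, qname), None):
            return 0
        sig = FPI_SIGNATURES.get(qname)
        if sig is None:
            return 0
        app, proto, dport = sig
        for ip in ips:
            self.assoc[(ip, proto, dport)] = app
        return len(ips)

    def identify(self, f: Flow) -> Optional[str]:
        """FPI lookup on the first packet of a flow; None means fall through to DPI."""
        return self.assoc.get((f.dst, f.proto, f.dport))
```

The association entry is only as trustworthy as the DNS response that created it. Without a check that the response answers a query the client actually sent, anyone who can inject a DNS response past the CPE can label an arbitrary address as a trusted SaaS application, and every later policy (local breakout, traffic steering, QoS) will act on that label from the first packet on.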

DPI
Signature identification is the basic technology of service awareness. Different applications
usually use different protocols that have their distinctive characteristics. These characteristics
may be specific ports, specific character strings, or specific bit sequences, and characteristics
that can identify a protocol are called characteristic code. Signature identification determines
an application by detecting characteristic codes in data packets. Since characteristic codes of
some protocols are embedded in multiple packets, characteristics field-based identification
must collect multiple packets to identify the protocol type. This technology analyzes service
flows passing through a device and compares the analysis result with the signature database
loaded to the device. By detecting characteristic codes in data packets, the system can identify
applications and implement refined policy control based on the identification result.
The DPI signature database is also called the SA signature database. Applications can be
identified in predefined application mode or through the SA signature database predefined on
the CPE.
l Predefined application mode: Applications are identified based on URLs or keywords.
On the CPE, rules can be created through triplet, keywords, or both triplet and keywords.
The triplet refers to the server IP address, protocol type, and port number. The keywords
are signatures of a data packet or a data flow corresponding to the application and
uniquely identify the application.
l SA signature database: Applications are identified based on the SA signature database.
The SA signature database can have 500+ or 6000+ records, depending on the device
type. The SA signature database can be upgraded through Huawei Security Center
Platform. The SA signature database needs to be updated frequently because applications
on the live network change rapidly. If the SA signature database is not updated in time,
some applications may fail to be identified.

Data Planning and Design


l FPI: By default, both the FPI and DPI are enabled on a CPE. For packets traversing the
CPE, the FPI is preferentially used to identify applications. Generally, the FPI is enabled.
To identify applications only through DPI, you need to disable FPI.
l Customized application
When predefined applications cannot meet the identification requirements, you can
define new applications according to their characteristics.

– Destination IP address: Specify the destination IP address of packets for customized
applications.
In most cases, the IP address of an application server is a fixed public IP address.
This allows the system to identify application packets based on a specified
destination IP address.
– Port number: Specify the destination port number of packets for customized
applications.
– Protocol: Specify the transport layer protocol type of a customized application rule.
The options are All, TCP, and UDP.
– Signature: Specify signature information. Data packets of an application often
carry the same character string, which can be used as a signature.
– Content: Select the packet- or flow-based mode for signature identification.
In the packet-based mode, the system checks every packet of applications. In flow-
based mode, the system only checks the first packet in the application data flow and
does not check the subsequent packets if the system detects that the subsequent
packets belong to the same data flow based on the 5-tuple information.
– Direction: Specify the direction of packets to be identified.
You can configure a rule to identify signatures only in request or response packets,
or in both of them.
– Plaintext character string: Specify character strings that can identify application
packet features.
You can create rules through triplet information (including destination IP address, port
number, and protocol).
Additionally, you can create rules through keywords (including destination IP address,
protocol, and signature).
l Application group
You can select an application group in a traffic classifier to identify applications. Only an
application group can be selected. Applications that are not added to the application
group are not displayed. You cannot select only some applications in an application
group. You need to plan application groups properly.
– SA signature database: The SA signature database can have 500+ or 6000+ records,
depending on the device type. The SA signature database can be upgraded through
Huawei Security Center Platform.
– Predefined applications (FPI): Select an application from the FPI signature database
and add it to the application group.
If the FPI application is selected, the corresponding DPI application is also selected
by default.
– Predefined applications (DPI): Select an application from the DPI signature
database and add it to the application group.
– Customized application: Select a customized application. You can also add a
customized application to the application group after the application is created.
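The following is an added example, not part of this guide and not Huawei's implementation, that puts the customized application fields planned above into working code: the triplet (destination IP address, port number, protocol), a plaintext signature, the Content mode (packet- or flow-based) and the Direction (request, response or both). The rule names, the Packet and AppRule types, the DpiEngine class and the sample payloads are constructed for this illustration; how the flow-based mode treats a first packet that does not match is modelled from the text ("only checks the first packet") and is an assumption about the product.

```python
"""Customized DPI application rules (added example, not Huawei code).

Packet, AppRule, DpiEngine, RULES and demo() are constructed for this
illustration. Flow mode inspects only the first packet of a 5-tuple and caches
the verdict; packet mode inspects every packet until the flow is identified.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "TCP" or "UDP"
    sport: int
    dport: int
    payload: bytes
    direction: str = "request"   # "request" (client -> server) or "response"

    def flow_key(self) -> Tuple:
        """Direction-independent 5-tuple so both directions share one verdict."""
        ends = sorted([(self.src, self.sport), (self.dst, self.dport)])
        return (self.proto, ends[0], ends[1])


@dataclass
class AppRule:
    """One customized application. Triplet fields left None match anything."""
    name: str
    dst_ip: Optional[str] = None
    dport: Optional[int] = None
    proto: str = "All"                 # "All", "TCP" or "UDP"
    signature: Optional[bytes] = None  # plaintext character string
    content: str = "flow"              # "flow": first packet only; "packet": every packet
    direction: str = "both"            # "request", "response" or "both"

    def triplet_matches(self, p: Packet) -> bool:
        if self.dst_ip is not None and p.dst != self.dst_ip:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return self.proto == "All" or self.proto == p.proto

    def signature_matches(self, p: Packet) -> bool:
        if self.signature is None:
            return True                            # triplet-only rule
        if self.direction != "both" and p.direction != self.direction:
            return False
        return self.signature in p.payload


class DpiEngine:
    def __init__(self, rules: List[AppRule]) -> None:
        self.rules = rules
        self.seen: Set[Tuple] = set()          # flows whose first packet was inspected
        self.verdict: Dict[Tuple, str] = {}    # identified flows -> application name

    def identify(self, p: Packet) -> Optional[str]:
        key = p.flow_key()
        if key in self.verdict:
            return self.verdict[key]           # already identified, no re-inspection
        first_packet = key not in self.seen
        self.seen.add(key)
        for rule in self.rules:
            if rule.content == "flow" and not first_packet:
                continue                       # flow mode never looks past packet 1
            if rule.triplet_matches(p) and rule.signature_matches(p):
                self.verdict[key] = rule.name
                return rule.name
        return None


# Constructed sample rules.
RULES = [
    AppRule("intranet-erp", dst_ip="10.200.0.5", dport=8080, proto="TCP",
            signature=b"X-ERP-Client:", content="flow", direction="request"),
    AppRule("legacy-upload", dport=2121, proto="TCP",
            signature=b"STOR ", content="packet", direction="request"),
]


def demo() -> Dict[str, Optional[str]]:
    """Run constructed packets through a fresh engine and return each verdict."""
    eng = DpiEngine(RULES)

    def erp(sport: int, data: bytes) -> Packet:
        return Packet("10.1.1.10", "10.200.0.5", "TCP", sport, 8080, data)

    def upload(sport: int, data: bytes, direction: str = "request") -> Packet:
        return Packet("10.1.1.10", "10.200.0.9", "TCP", sport, 2121, data, direction)

    return {
        # flow mode: a signature in the first packet identifies the whole flow
        "erp_first_has_sig": eng.identify(erp(50000, b"GET / HTTP/1.1\r\nX-ERP-Client: 7\r\n")),
        "erp_second_no_sig": eng.identify(erp(50000, b"...continuation...")),
        # flow mode: a signature that only appears in the second packet is never seen
        "erp_first_no_sig": eng.identify(erp(50001, b"GET / HTTP/1.1\r\n")),
        "erp_second_has_sig": eng.identify(erp(50001, b"X-ERP-Client: 7\r\n")),
        # packet mode: every packet is inspected, so the second one matches
        "upload_first": eng.identify(upload(50002, b"USER alice\r\n")),
        "upload_second": eng.identify(upload(50002, b"STOR secrets.zip\r\n")),
        # direction filter: the same string in a response packet does not count
        "upload_response_dir": eng.identify(upload(50003, b"STOR x", "response")),
    }
```

The two cases worth remembering when planning rules: a flow-mode rule whose signature is not in the very first packet (the ERP flow above that sends a plain request line first) never identifies the flow, and a flow-mode rule with Direction set to response can never match at all, because the first packet of a flow is the request. Use packet mode for such signatures and accept the higher per-packet cost.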

Configuration Tasks

Table 1-7 Overview of application identification configuration tasks

Scenario: FPI can identify the application type at the first data flow of an application. It
can quickly identify applications, and is mainly used for SaaS applications with fixed
destination addresses or ports.
Description:
1. NAT must be configured on the path that the application passes through. If the
application cannot be identified, it may be discarded after route selection because
NAT is not configured for SYN and ACK packets.
2. With the pervasive use of clouds, customers want to send SaaS and trusted network
traffic directly from branches to the Internet instead of forwarding it through the data
center. This improves bandwidth utilization and reduces transmission delay and costs.
3. When enterprises use their own applications or applications that run on the Internet,
the Internet traffic is known and trusted, but other HTTP/HTTPS traffic is unknown or
suspicious. If the specific application cannot be identified through the first data
packet, all HTTP/HTTPS traffic must be sent to the Internet or to the secure web
gateway or headquarters for further checking by the enterprise firewall and IDS/IPS
resources.
Task:
1. Check predefined applications.
2. If predefined applications cannot meet the requirements, create a customized
application.
3. Select the predefined FPI application or customized application to create a
customized application group.

Scenario: DPI can accurately identify the application type based on in-depth packet
analysis. Common applications can be accurately identified based on the characteristics
in application payloads.
Description: The enterprise network uses a router as the egress gateway to connect to the
WAN. To ensure network quality and regulate employees' online behaviors, the service
awareness technology can be used to identify various applications on the network and
control identified application protocols.
Task:
1. Check predefined applications.
2. If predefined applications cannot meet the requirements, create a customized
application.
3. Select the predefined DPI application or customized application to create a
customized application group.

1.4.2.2 Intelligent Traffic Steering


Huawei SD-WAN Solution supports traffic steering based on the application quality, load
balancing, application priority, and bandwidth.
l Traffic steering based on the application quality
Different applications have different requirements on link quality. For example, voice
and video services are sensitive to delay and packet loss and therefore need a high-
quality link. An MPLS link with good quality can be configured as the primary link for
voice and video services and an Internet link as their backup link, and the SLA
requirements of the service are applied to both. Intelligent traffic steering then selects
the link based on the measured link SLAs, so that the SLA and bandwidth requirements
of applications are met.
l Traffic steering based on load balancing
When an enterprise has multiple links, traffic steering based on load balancing can be
configured to fully utilize the link bandwidth. During service forwarding, different
applications select different primary links based on link weights, improving bandwidth
utilization.
l Traffic steering based on the application priority
If multiple types of service packets are transmitted on the same link, traffic steering
based on the application priority ensures that high-priority applications keep using
the link when it becomes congested and that their services are processed first. For
example, if voice, video, and file transfer services share the MPLS link and the link
bandwidth becomes insufficient, voice and video services are not affected.
l Traffic steering based on the bandwidth
When the bandwidth usage of a link reaches the configured threshold, the link is no
longer selected for new traffic of some applications, and other links that meet the
requirements are preferred. This reserves bandwidth for high-priority services and
prevents application quality and link quality from deteriorating due to network
congestion.

Data Planning and Design


Traffic Classifier Template


l Operation type: Set the relationship between rules in a traffic classifier to AND or OR.
– AND:
n If a traffic classifier contains ACL rules, packets match the traffic classifier
only when they match one ACL rule and all the non-ACL rules.
n If the traffic classifier does not contain any ACL rule, packets match the traffic
classifier only when they match all the non-ACL rules.
– OR: Packets match the traffic classifier if they match one or more rules in the
classifier.
l L3 ACL: Define one or more ACL rules. Packets that meet the conditions of a rule match it.
– Priority: Specify the priority of an ACL rule. Packets are matched against the Layer 3 ACL rule with the higher priority first.
– Source IP address: Plan the source IP address of packets matching an ACL rule. If no source IP address is specified, packets with any source IP address match.
– Destination IP address: Plan the destination IP address of packets matching an ACL rule. If no destination IP address is specified, packets with any destination IP address match.
– DSCP: Specify the Differentiated Services Code Point (DSCP) of packets matching
an ACL rule.
– Protocol: Specify the protocol type of packets matching an ACL rule.
– Source port: Specify the source port of the UDP or TCP packets matching an ACL
rule. This parameter is valid only when the protocol of packets is TCP or UDP. If no
source port is specified, TCP or UDP packets with any source port are matched.
– Destination port: Specify the destination port of the UDP or TCP packets matching
ACL rules. This parameter is valid only when the protocol of packets is TCP or
UDP. If no destination port is specified, TCP or UDP packets with any destination
port are matched.
l Application: Select an application group to match packets.
In a traffic classifier template, applications can be matched only by application group, not individually. An application that has not been added to any application group cannot be matched, and a subset of the applications in a group cannot be selected. Plan application groups accordingly.
l Advanced settings: Take effect only on policies on inbound interfaces.
– VLAN ID: Specify the start outer VLAN ID and end outer VLAN ID of packets to
be matched.
– 802.1p: Specify the 802.1p priority of packets to be matched.
– Source MAC address: Specify the source MAC address of packets to be matched.
– Destination MAC address: Specify the destination MAC address of packets to be
matched.
– L2 protocol: Specify the Layer 2 protocol type of packets to be matched.
Effective Time Template

l Time type
– Periodic time range: Define a periodic time range based on days or weeks. The associated traffic policy takes effect at an interval of one day or one week. For example, if the time range of a traffic policy is 8:00-12:00 every day or every Monday, the policy takes effect during 8:00-12:00 every day or on every Monday.
– Absolute time range: Define a time range from YYYY/MM/DD hh:mm:ss to
YYYY/MM/DD hh:mm:ss. The associated traffic policy takes effect only within
this period.
l Start time: Specify the time when the traffic policy starts to take effect.
l End time: Specify the time when the traffic policy stops taking effect.
Intelligent Traffic Steering
l VPN: Plan service policies for sites in each VPN if multiple VPNs are configured. You
need to first select the VPN for which the policy needs to be configured.
l Traffic classifier template: Select a traffic classifier template to specify packets to which
intelligent traffic steering needs to be applied.
NOTE

Intelligent traffic steering does not support the traffic classifier template with advanced settings or
operation type being set to OR.
l Policy priority: Set the priority of an intelligent traffic steering policy. For the same
traffic, the intelligent traffic steering policy with the highest priority is preferentially
matched.
l Switchover condition: Thresholds for the delay, jitter, and packet loss rate of a link. When the measured quality of a link no longer meets the condition, the traffic or applications are switched to another link.
By default, switchover conditions are predefined for voice, real-time video, low-delay data, and large-capacity data services. You can also specify your own delay, jitter, and packet loss rate thresholds to customize a switchover condition.
l Transport network priority: Set the primary and secondary transport networks.
– Primary transport network: Configure multiple transport networks as primary
transport networks. A maximum of eight transport networks can be configured.
n For transport networks with the same priority, you are advised to set Policy
between TN to Loadbalance.
n For transport networks with different priorities, you are advised to set Policy
between TN to Prefer.
– Secondary transport network: Select a transport network as the secondary transport
network. Traffic is switched to the secondary transport network only when all
primary transport networks are unavailable.
l Advanced settings: Set bandwidth conditions list, priority, and other parameters. The
system determines whether to switch traffic to another link based on the current
bandwidth usage, application priority, and switchover threshold, and then determines the
application traffic to be switched based on the application priority.
– Switch upper/lower limit: Select links based on the bandwidth usage in addition to delay, jitter, and packet loss rate.
n If the link bandwidth usage is lower than the switch lower limit, all application traffic, including new application traffic, is forwarded through the current transport network.
n If the link bandwidth usage is between the switch lower limit and the switch upper limit, only the existing application traffic is forwarded through the current transport network; new application traffic is not placed on it.
n If the link bandwidth usage is greater than the switch upper limit, some of the existing application traffic is switched to another transport network, and new application traffic is not placed on the current one.
It is recommended that this parameter be configured only when the bandwidth is sufficient.
– Bandwidth conditions list: Configure bandwidth switchover conditions for a
transport network by specifying the link bandwidth (bandwidth upper/lower limit)
and application bandwidth (maximum/minimum bandwidth).
– Action when conditions not met: Specify the action to take when the traffic on the primary transport networks meets neither the switchover conditions nor the bandwidth conditions. The default value is Discard.
n Discard: The packets are discarded. This is the fail-closed choice: traffic is never placed on a link whose SLA is not met.
n ECMP: The packets continue to be forwarded (equal-cost multipath across the available links) even though the conditions are not met.
– Switchover mode: Specify whether traffic is switched back to the original link when the quality of that link recovers after a link switchover. The default value is Pre-emptive.
Link switchover covers both the switchover between primary transport networks with different priorities and the switchover between primary and secondary transport networks.
For high-priority applications, this parameter takes effect only when the primary link carrying them has sufficient bandwidth.
– Policy between TN: Specify the scheduling mode between primary transport
networks. The default value is Prefer.
n Prefer: The transport network with the highest priority is selected first for
forwarding application traffic. If any of the switchover conditions exceeds the
threshold or the bandwidth usage exceeds the bandwidth upper limit, the traffic
is switched to another transport network with a lower priority.
n Loadbalance: Application traffic is load balanced between primary transport
networks with the same priority.
– Priority: Specify the application priority. The default value is 8.
l Effective time template: Select an effective time template to specify the time range for
the intelligent traffic steering policy to take effect.
l Site: Associate an intelligent traffic steering policy to a site. The policy takes effect only
on the selected site.
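The selection logic that the parameters above describe, as an added model (not Huawei code and not the CPE's actual implementation): it takes the switchover condition, the transport network priorities, Policy between TN, the switch lower/upper limits, the secondary transport network and Action when conditions not met, and returns the transport networks a new or existing flow may use. The TN names, SLA thresholds and link measurements are constructed sample data; treating a lower priority number as more preferred, and treating a primary TN that fails the SLA as unavailable for the purpose of the secondary fallback, are assumptions of the model.

```python
"""Decision model for the intelligent traffic steering parameters described
above (switchover condition, transport network priority, Policy between TN,
switch upper/lower limit, secondary TN, action when conditions not met).
Added illustration, not Huawei code: TN names, SLA thresholds and link
measurements are constructed sample data, and the priority encoding
(lower number = preferred) is an assumption of this model."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class SlaCondition:
    """Switchover condition: a TN is usable only while all three stay within limits."""
    max_delay_ms: float
    max_jitter_ms: float
    max_loss_pct: float

    def met_by(self, tn: "TransportNetwork") -> bool:
        return (tn.delay_ms <= self.max_delay_ms
                and tn.jitter_ms <= self.max_jitter_ms
                and tn.loss_pct <= self.max_loss_pct)


@dataclass
class TransportNetwork:
    name: str
    priority: int           # 1 = most preferred (model assumption)
    delay_ms: float
    jitter_ms: float
    loss_pct: float
    usage_pct: float        # current bandwidth usage of the link
    available: bool = True  # False when the link itself is down


@dataclass
class SteeringPolicy:
    sla: SlaCondition
    primary: List[TransportNetwork]
    secondary: Optional[TransportNetwork] = None
    policy_between_tn: str = "Prefer"      # "Prefer" or "Loadbalance"
    switch_lower_pct: float = 100.0        # Switch lower limit
    switch_upper_pct: float = 100.0        # Switch upper limit
    action_when_not_met: str = "Discard"   # "Discard" or "ECMP"


def select_transport(policy: SteeringPolicy, new_flow: bool) -> List[str]:
    """Names of the TNs a flow may use; an empty list means the flow is discarded."""

    def bandwidth_ok(tn: TransportNetwork) -> bool:
        if tn.usage_pct < policy.switch_lower_pct:
            return True            # below the lower limit: all traffic accepted
        if tn.usage_pct < policy.switch_upper_pct:
            return not new_flow    # between the limits: existing flows only
        return False               # above the upper limit: traffic is moved away

    candidates = [tn for tn in policy.primary
                  if tn.available and policy.sla.met_by(tn) and bandwidth_ok(tn)]
    if candidates:
        best = min(tn.priority for tn in candidates)
        group = [tn.name for tn in candidates if tn.priority == best]
        # Prefer: the single best TN. Loadbalance: every TN sharing the best priority.
        return group if policy.policy_between_tn == "Loadbalance" else group[:1]
    # No primary TN qualifies: fall back to the secondary TN if one is configured.
    if policy.secondary is not None and policy.secondary.available:
        return [policy.secondary.name]
    # Nothing qualifies: Discard fails closed, ECMP keeps forwarding on any link that is up.
    if policy.action_when_not_met == "ECMP":
        return [tn.name for tn in policy.primary if tn.available]
    return []


def build_sample_policy() -> SteeringPolicy:
    """Constructed sample: MPLS preferred, two Internet links, LTE as secondary."""
    mpls = TransportNetwork("MPLS", 1, delay_ms=20, jitter_ms=5, loss_pct=0.1, usage_pct=40)
    inet1 = TransportNetwork("Internet1", 2, delay_ms=60, jitter_ms=15, loss_pct=0.5, usage_pct=30)
    inet2 = TransportNetwork("Internet2", 2, delay_ms=70, jitter_ms=20, loss_pct=0.8, usage_pct=30)
    lte = TransportNetwork("LTE", 9, delay_ms=120, jitter_ms=40, loss_pct=2.0, usage_pct=10)
    voice_sla = SlaCondition(max_delay_ms=100, max_jitter_ms=30, max_loss_pct=1.0)
    return SteeringPolicy(sla=voice_sla, primary=[mpls, inet1, inet2], secondary=lte,
                          switch_lower_pct=70, switch_upper_pct=90)


if __name__ == "__main__":
    pol = build_sample_policy()
    print("healthy, new flow:", select_transport(pol, new_flow=True))
    pol.primary[0].loss_pct = 3.0            # MPLS now violates the voice SLA
    print("MPLS lossy, Prefer:", select_transport(pol, new_flow=True))
    pol.policy_between_tn = "Loadbalance"
    print("MPLS lossy, Loadbalance:", select_transport(pol, new_flow=True))
```

Note what the default Discard means in this model: when no transport network qualifies and no secondary is configured, the flow is dropped rather than placed on a link that misses its SLA; ECMP trades that guarantee for availability.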


Configuration Tasks
Scenario: Configure a traffic steering policy based on the application quality.
Description: SLA parameters that meet the application requirements are specified. If the link quality cannot meet the requirements, applications are automatically switched to a link that meets them.
Task: Perform the operations in 1.8.5.5.5 Creating an Intelligent Traffic Steering Policy for the Overlay Network in the following sequence:
1. Match the application on which traffic steering is performed through Traffic Classifier Template.
2. Configure Switchover Condition.
3. Configure Transport Network Priority.

Scenario: Configure a traffic steering policy based on load balancing.
Description: SLA parameters that meet the application requirements and the priority of the transmission link are specified. Load balancing is implemented on the multiple links of the primary transport networks.
Task: Perform the operations in 1.8.5.5.5 Creating an Intelligent Traffic Steering Policy for the Overlay Network in the following sequence:
1. Match the application on which traffic steering is performed through Traffic Classifier Template.
2. Configure Switchover Condition.
3. Configure Transport Network Priority.
4. Enable Advanced Settings, configure Switch threshold, and set Policy between TN to Loadbalance.

Scenario: Configure a traffic steering policy based on the application priority.
Description: Priorities of applications are specified. When link congestion occurs, high-priority services are preferentially processed, ensuring the link bandwidth of high-priority applications.
Task: Perform the operations in 1.8.5.5.5 Creating an Intelligent Traffic Steering Policy for the Overlay Network in the following sequence:
1. Match the application on which traffic steering is performed through Traffic Classifier Template.
2. Configure Switchover Condition.
3. Configure Transport Network Priority.
4. Enable Advanced Settings and set Priority to specify the priority of the application.

Scenario: Configure a traffic steering policy based on the bandwidth.
Description: The bandwidth requirements of links are specified. When the link bandwidth reaches the threshold, this link is not selected for new application traffic, and other links that meet the requirements are preferred.
Task: Perform the operations in 1.8.5.5.5 Creating an Intelligent Traffic Steering Policy for the Overlay Network in the following sequence:
1. Match the application on which traffic steering is performed through Traffic Classifier Template.
2. Configure Switchover Condition.
3. Configure Transport Network Priority.
4. Enable Advanced Settings and set Switch threshold and Bandwidth condition list.

1.4.2.3 QoS
QoS is a mainstream function that implements differentiated services. Data packets are
classified into different priorities or multiple service classes through traffic classification.
These priorities and service classes are the prerequisite and basis for differentiating service
models. Different traffic policies can be configured based on packet priorities and service
classes to provide different services.

Huawei SD-WAN Solution supports traffic classification based on the IP 5-tuple, application
group, and DSCP, and supports QoS policies such as queue priority scheduling, traffic
policing, and traffic shaping. It also supports QoS functions such as multi-dimensional
bandwidth allocation and DSCP re-marking through HQoS.


l Queue priority
Traffic classification is used to specify different QoS priorities for services. Based on
QoS priorities, services are forwarded through queues with different priorities to provide
differentiated QoS services. If bandwidth resources are insufficient, the forwarding
bandwidth of high-priority services is preferentially guaranteed.
l Traffic policing
Traffic policing controls traffic by monitoring the bandwidth occupied by service traffic,
and discards excess traffic to limit the bandwidth within a proper range, ensuring
appropriate bandwidth resource allocation.
l Traffic shaping
Traffic shaping is a measure to adjust the traffic rate sent from an interface. If traffic
congestion occurs due to burst traffic, traffic shaping is performed to make irregular
traffic transmitted at an even rate, preventing traffic congestion on the network.
l Bandwidth allocation
HQoS uses multi-level queues to implement bandwidth allocation between VPNs and
within a VPN. The bandwidth of a physical link is divided into bandwidths of multiple
logical links, and the bandwidth of each logical link is used by different VPNs. The
bandwidth of the logical link used by each VPN can specify bandwidths of the overlay
network and the local breakout network. The bandwidth of the overlay network is used
for communication between the hub site, aggregation site, and branch site. The
bandwidth of the local breakout network is used for local access to the Internet or
interconnection between local and legacy sites.
l DSCP re-marking
– If DSCP re-marking is configured on the LAN interface, the DSCP value in the IP header of a packet entering the CPE is modified. If the packet then enters the overlay tunnel, the DSCP value of the outer IP header is copied from the (already re-marked) inner IP header by default, so the inner and outer DSCP values are both the re-marked value. Traffic policies on the WAN-side overlay network can then be deployed based on the re-marked value to schedule and manage the service.
– If DSCP re-marking is configured on the WAN interface, the DSCP value in the IP header of the packet sent out of the outbound interface on the underlay network is modified. If the packet carries an overlay tunnel IP header, only the outer IP header is modified, so the inner and outer DSCP values may differ: the outer value is the re-marked one and the inner value is unchanged.
– If DSCP re-marking is configured on both the LAN and WAN interfaces, the DSCP value in the IP header of the packet entering the CPE is modified first, and the outer IP header is modified again when the packet is sent out of the outbound interface on the underlay network. For a packet encapsulated in an overlay tunnel, the inner DSCP value is the one re-marked on the LAN interface and the outer DSCP value is the one re-marked on the WAN interface. For a local breakout packet, which has only one IP header, the DSCP value is the one re-marked on the WAN interface.
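The three re-marking placements above, worked on real IPv4 headers (an added example, not Huawei code): it builds a 20-byte IPv4 header with a valid checksum, re-marks only the six DSCP bits (keeping the two ECN bits) and recomputes the checksum, models the overlay tunnel as an outer IPv4 header whose DSCP is copied from the inner header, and returns the inner/outer DSCP pair that each placement produces. The addresses, DSCP values and tunnel endpoints are constructed, and the tunnel protocol header that would sit between the outer and inner IP headers is omitted.

```python
"""DSCP re-marking on real IPv4 headers for the three placements described
above (LAN interface, WAN interface, both), for a packet that enters an
overlay tunnel and for a local breakout packet. Added illustration, not
Huawei code: addresses and DSCP values are constructed, and the tunnel is
modelled as an outer IPv4 header only (the tunnel protocol itself is omitted)."""
import socket
import struct

IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")   # 20-byte header without options


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the header bytes."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, dscp: int, payload_len: int,
                proto: int = 17, ecn: int = 0) -> bytes:
    tos = (dscp << 2) | ecn        # DSCP is the top 6 bits of the TOS byte, ECN the low 2
    hdr = IPV4_HDR.pack(0x45, tos, 20 + payload_len, 0x1234, 0x4000, 64, proto, 0,
                        socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def header_checksum_ok(hdr: bytes) -> bool:
    """A header whose checksum field is correct sums to zero."""
    return checksum(hdr[:20]) == 0


def get_dscp(hdr: bytes) -> int:
    return hdr[1] >> 2


def remark_dscp(hdr: bytes, dscp: int) -> bytes:
    """Rewrite only the DSCP bits, keep the ECN bits, recompute the checksum."""
    tos = (dscp << 2) | (hdr[1] & 0x03)
    new = hdr[:1] + bytes([tos]) + hdr[2:10] + b"\x00\x00" + hdr[12:20]
    return new[:10] + struct.pack("!H", checksum(new)) + new[12:]


def encapsulate(inner: bytes, tun_src: str, tun_dst: str) -> bytes:
    """Overlay tunnel: the outer DSCP is copied from the inner header by default."""
    outer = ipv4_header(tun_src, tun_dst, get_dscp(inner), len(inner), proto=47)
    return outer + inner


def cpe_forward(packet: bytes, lan_remark=None, wan_remark=None, overlay=True):
    """Process one packet through the CPE and return (inner_dscp, outer_dscp).
    outer_dscp is None for a local breakout packet, which has no tunnel header."""
    if lan_remark is not None:      # LAN interface: the packet entering the CPE
        packet = remark_dscp(packet[:20], lan_remark) + packet[20:]
    if overlay:
        packet = encapsulate(packet, "198.51.100.1", "198.51.100.2")   # constructed endpoints
    if wan_remark is not None:      # WAN interface: the header leaving the CPE
        packet = remark_dscp(packet[:20], wan_remark) + packet[20:]
    if overlay:
        return get_dscp(packet[20:40]), get_dscp(packet[:20])
    return get_dscp(packet[:20]), None


def sample_packet(dscp: int = 0, ecn: int = 0) -> bytes:
    """Constructed LAN-side packet: 100 bytes of UDP payload, example addresses."""
    return ipv4_header("10.0.0.5", "10.1.0.7", dscp, 100, ecn=ecn) + b"\x00" * 100


if __name__ == "__main__":
    pkt = sample_packet()
    print("LAN re-mark only:", cpe_forward(pkt, lan_remark=46))               # (46, 46)
    print("WAN re-mark only:", cpe_forward(pkt, wan_remark=34))               # (0, 34)
    print("both:", cpe_forward(pkt, lan_remark=46, wan_remark=34))            # (46, 34)
    print("local breakout:", cpe_forward(pkt, wan_remark=34, overlay=False))  # (34, None)
```

The checksum step is the part worth remembering when re-marking is done anywhere other than on the CPE itself: a header whose TOS byte is changed without recomputing the checksum is silently dropped by the next router.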

Data Planning and Design


Bandwidth Allocation
You can configure a traffic distribution policy to implement bandwidth allocation. If no traffic distribution policy is configured for a site, all service VPNs on the site share the WAN link bandwidth. The total WAN link bandwidth on the site is 100%. The maximum ratio of the bandwidth that can be manually allocated to the overlay services of the VPNs is 90%; at least 10% is reserved for other traffic, such as protocol traffic on the underlay network.
l Traffic distribution policy name: Specify the name of a policy. Multiple traffic
distribution policies can be configured.
l VPN bandwidth: Specify the bandwidth ratio of each VPN. For example, the bandwidth
ratio of VPN1, VPN2, VPN3, and remaining traffic can be set to 30%, 20%, 30%, and
20%, respectively.
l Local breakout bandwidth ratio: Plan the local breakout bandwidth ratio if a site accesses
the Internet or communicates with a traditional site. For details, see Bandwidth
Allocation in "Data Planning and Design" in 1.4.1.7 Internet Access and 1.4.1.8
Connecting to the Legacy MPLS Network.
l Site: Plan the site where the traffic distribution policy is applied; different sites can use different traffic distribution policies. One traffic distribution policy can be applied to only one site.
Traffic Classifier Template and Effective Time Template
For details, see Data Planning and Design in 1.4.2.2 Intelligent Traffic Steering.
QoS
l VPN: Plan service policies for sites in each VPN if multiple VPNs are configured. You
need to first select the VPN for which the policy needs to be configured.
l Traffic classifier template: Select a traffic classifier template to specify packets to which
the QoS policy needs to be applied.
l Policy priority: Set the priority of a QoS policy. For the same traffic, the QoS policy with
the highest priority is preferentially matched.
l Queue priority
Allow the specified traffic to enter the LLQ queue (highest priority), EF queue (high priority), or AF queue (medium priority) for scheduling, and guarantee the minimum bandwidth of each configured queue. Traffic that matches none of these policies enters the BE queue (low priority).
The guaranteed bandwidth can be set to an absolute value or to a percentage. The percentage is relative to the bandwidth available to the department (VPN), and the guaranteed bandwidth cannot exceed that available bandwidth.
For example, if the bandwidth of a WAN interface is 100 Mbit/s and the bandwidth available to VPN1 is 50 Mbit/s, setting this parameter to 20% lets packets matching the traffic classifier occupy 10 Mbit/s (50 Mbit/s x 20%).
l Traffic bandwidth limit
– Limit type
n Traffic policing discards excess traffic to limit traffic within a proper range and
to protect network resources and enterprise users' interests. Traffic policing is
implemented using committed access rate (CAR).
n Traffic shaping adjusts the rate of traffic sent from an interface. When the rate of the inbound interface on a downstream device is lower than that of the outbound interface on the upstream device, or when burst traffic occurs, congestion may occur on the inbound interface of the downstream device. Traffic shaping configured on the outbound interface of the upstream device sends the outgoing traffic at an even rate, avoiding this congestion.
When the queue priority is set to Medium, you can set Limit type to Shaping.
– Bandwidth limit: Specify the upper limit of the traffic. If traffic exceeds the limit
specified by this parameter, the excess traffic is cached and sent later (traffic
shaping is configured) or directly discarded (traffic policing is configured).
Theoretically, the value of bandwidth limit must be greater than that of guaranteed
bandwidth.
l Re-mark DSCP: Set the DSCP priority in the IP header of a packet. For details, see
DSCP re-marking.
l Queue length: Specify the maximum number of bytes and packets that can be buffered in
a queue.
The queue length affects queue traffic shaping, congestion management, and congestion
avoidance. When the number of packets in a queue reaches the maximum value or the
total number of bytes in a queue reaches the maximum value, the queue does not receive
packets. Instead, the queue discards the excess packets.
A longer queue buffers more packets but introduces a longer delay. If congestion occurs
on a network intermittently, buffering more packets prevents unnecessary packet loss. If
congestion always occurs on a network, increasing the queue length cannot solve the
problem. You need to increase the bandwidth.
The queue length can be configured only when the queue priority is set to High or
Medium.
l Re-mark 802.1p: Re-mark the 802.1p priorities of VLAN packets when you need to provide differentiated services based on the 802.1p priority of packets.
l Statistics collection: Enable traffic statistics collection when you need to view packet statistics after a traffic policy is applied.
l Effective time template: Select an effective time template to specify the time range for
the QoS policy to take effect.
l Site: Specify the site that is associated with the QoS policy. The policy takes effect only
on the selected site.
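Policing and shaping above differ in what happens to traffic beyond the bandwidth limit, and the queue length bounds how much a shaper can hold. The token-bucket model below (an added example, not Huawei code) sends the same constructed 10-packet burst through a policer and a shaper at the same 8 Mbit/s limit and reports what each forwards, drops and delays. The rate, burst size, queue length, packet sizes and arrival times are constructed sample values, and the shaper is simplified to a single FIFO served at exactly the configured rate.

```python
"""Token-bucket model of the two Limit type behaviours above: traffic policing
(CAR) drops traffic above the bandwidth limit, traffic shaping queues it and
sends it at an even rate, and the shaper's queue length bounds how much can
wait. Added illustration, not Huawei code: the rate, burst size, packet
sizes and arrival times are constructed sample values, and the shaper is
simplified to a single FIFO served at exactly the configured rate."""
from typing import List, Tuple

Arrival = Tuple[float, int]    # (arrival time in seconds, size in bytes)


def police(arrivals: List[Arrival], rate_bps: int, burst_bytes: int):
    """Single-rate policer: packets that exceed the token bucket are dropped."""
    tokens, last_t = burst_bytes, 0.0
    forwarded, dropped = [], []
    for t, size in arrivals:
        tokens = min(burst_bytes, tokens + (t - last_t) * rate_bps / 8)   # refill in bytes
        last_t = t
        if size <= tokens:
            tokens -= size
            forwarded.append((t, size))
        else:
            dropped.append((t, size))    # excess traffic is discarded at once
    return forwarded, dropped


def shape(arrivals: List[Arrival], rate_bps: int, queue_max_packets: int):
    """Shaper: packets leave at the configured rate; those that must wait are
    held in a FIFO, and a packet arriving when the FIFO is full is tail-dropped.
    Returns (sent, dropped); sent holds (arrive_t, depart_t, size) tuples."""
    sent, dropped = [], []
    link_free_at = 0.0
    for t, size in arrivals:
        waiting = sum(1 for _, depart, _ in sent if depart > t)   # accepted, not yet sent
        if waiting >= queue_max_packets:
            dropped.append((t, size))    # queue length reached: tail drop
            continue
        depart = max(t, link_free_at)
        sent.append((t, depart, size))
        link_free_at = depart + size * 8 / rate_bps
    return sent, dropped


def burst_arrivals(count: int = 10, size: int = 1500, gap_s: float = 1e-4) -> List[Arrival]:
    """Constructed burst: full-size packets 0.1 ms apart (120 Mbit/s peak rate)."""
    return [(i * gap_s, size) for i in range(count)]


def compare(rate_bps: int = 8_000_000, burst_bytes: int = 3000, queue_max: int = 4) -> dict:
    """Run the same burst through a policer and a shaper at the same bandwidth limit."""
    arrivals = burst_arrivals()
    fwd, pol_drop = police(arrivals, rate_bps, burst_bytes)
    sent, shp_drop = shape(arrivals, rate_bps, queue_max)
    return {
        "police_forwarded": len(fwd),
        "police_dropped": len(pol_drop),
        "shape_sent": len(sent),
        "shape_dropped": len(shp_drop),
        "shape_max_delay_ms": max((d - a) * 1000 for a, d, _ in sent),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

The policer passes only what its bucket allows and drops the rest immediately; the shaper loses nothing until its queue length is exceeded, at the cost of several milliseconds of delay per queued packet. Raising the queue length in the model only delays the drops when the burst is sustained, which is the point made above: a longer queue helps with intermittent congestion, not with a link that is permanently oversubscribed.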

Configuration Tasks
Scenario: Configure the queue priority.
Description: Services are forwarded through queues with different priorities. If bandwidth resources are insufficient, the forwarding bandwidth of high-priority services is preferentially guaranteed.
Task: Perform the operations in 1.8.5.5.6 Creating a QoS Policy for the Overlay Network in the following sequence:
1. Match the application on which the QoS policy is performed through Traffic Classifier Template.
2. Set the interface on which the QoS policy is enabled to WAN.
3. Configure Queue Priority.

Scenario: Configure traffic policing.
Description: Traffic policing controls traffic by monitoring the bandwidth occupied by service traffic and discards excess traffic to keep the bandwidth within a proper range.
Task: Perform the operations in 1.8.5.5.6 Creating a QoS Policy for the Overlay Network in the following sequence:
1. Match the application on which the QoS policy is performed through Traffic Classifier Template.
2. Set the interface on which the QoS policy is enabled to WAN.
3. Set CAR in Traffic bandwidth limit.

Scenario: Configure traffic shaping.
Description: If congestion occurs due to burst traffic, traffic shaping sends the irregular traffic at an even rate, preventing congestion on the network.
Task: Perform the operations in 1.8.5.5.6 Creating a QoS Policy for the Overlay Network in the following sequence:
1. Match the application on which the QoS policy is performed through Traffic Classifier Template.
2. Set the interface on which the QoS policy is enabled to WAN.
3. Set Shaping in Traffic bandwidth limit.

Scenario: Configure bandwidth allocation.
Description: A bandwidth allocation policy is configured for multiple VPNs.
Task: Perform the operations in 1.8.3.9.12 Configuring VPN Traffic Distribution. On the Traffic Distribution page, configure a traffic distribution policy between VPNs and associate the policy with the site.

Scenario: Configure bandwidth allocation.
Description: A bandwidth allocation policy is configured for overlay and local breakout services at each site.
Task: Perform the operations in 1.8.5.3 Configuring an Internet Access Policy for a Site in the following sequence:
1. On the Site-to-Internet page, enable Local Internet access.
2. Create a local Internet access policy. After a site is selected for local Internet access, the Configure Policy page is displayed.
3. On the Configure Policy page, activate the WAN link, enable Bandwidth Allocation, and specify the bandwidth ratio of the local breakout traffic.

Scenario: Configure DSCP re-marking.
Description:
l DSCP re-marking is configured on the LAN interface to modify the DSCP value in the header of the IP packet entering the CPE.
l DSCP re-marking is configured on the WAN interface to modify the DSCP value in the header of the IP packet sent from the CPE.
Task: Perform the operations in 1.8.5.5.6 Creating a QoS Policy for the Overlay Network in the following sequence:
1. Match the application on which the QoS policy is performed through Traffic Classifier Template.
2. Set the interface on which the QoS policy is enabled.
3. Enable Re-mark DSCP and specify the re-marked DSCP value.

1.4.3 Service Security


Huawei SD-WAN Solution ensures service security through the built-in security capability of
CPEs, including ACL traffic filtering, firewall, URL filtering, and IPS, meeting service
security requirements in different scenarios.
This solution also provides the uCPE sub-solution. When a user requires more advanced
security value-added services, a uCPE can be used and a vFW can be deployed on the uCPE
to provide the next-generation firewall function. For example, Huawei vFW (USG6000V) or
Fortinet vFW (FortiGate) can be deployed on a uCPE.

1.4.3.1 ACL Traffic Filtering

Functions
To control the traffic entering the CPE, configure an ACL rule that classifies packets based on packet information, including the source IP address, destination IP address, source port number, destination port number, and application information, and then filter the packets that match the ACL rule.
In the SD-WAN Solution, the ACL traffic filtering function is implemented through the ACL
policy. Currently, the ACL policy can be deployed on the WAN interface or LAN interface of
the CPE to control the traffic entering the CPE. You can define the priority of each ACL
policy, and parameters including filtering action (permit/deny) and effective period.

Application Scenarios
ACL rules can be used to accurately identify packets on the network, and ACL policies can be
used to control the traffic entering the CPE and filter specific traffic.
The following figure shows the typical application scenario of ACL traffic filtering.


Figure 1-11 Application scenario of ACL traffic filtering

l An ACL policy is deployed on the WAN side (1) to prevent specific traffic of external
networks from entering the CPE and the internal network.
l An ACL policy is deployed on the LAN side (2) to block specific traffic to access
external networks. In addition, the ACL policy can be deployed independently on each
virtual network and takes effect on all ports.

Data Planning and Design


ACL Policy on the LAN Side (Overlay Network)

l Policy name: Specify the name of an ACL policy, for example, test_bj_acl_class1.
l Traffic classifier template: Plan a traffic classification rule, create a traffic classifier template, and apply the ACL policy to packets that match the rule. You can identify the traffic to be filtered by specifying the source and destination IP addresses and the TCP or UDP source and destination port numbers, or by matching an application group, VLAN ID, 802.1p priority, source and destination MAC addresses, or Layer 2 protocol type. For details about the traffic classifier, see the description in "Data Planning and Design" in 1.4.2.2 Intelligent Traffic Steering.
l Policy priority: Specify the priority of an ACL policy. The value is in the range from 1 to
5000 with the recommended step of 10.
If multiple ACL policies are applied to a site, the CPE matches the packets with the
traffic classifier template in the ACL policy based on the descending order of priority
after receiving packets. If the match succeeds, the CPE performs traffic filtering. If the
match fails, the CPE continues to match the traffic classifier template in the next ACL
policy.
l Interface: The value is LAN, indicating that the ACL policy of the overlay network is applied to LAN interfaces. You do not need to select an interface: by default, all LAN interfaces on the overlay network (including Layer 3 interfaces, sub-interfaces, and VLANIF interfaces) are included.
l Traffic filtering: Specify the action for the traffic. The value can be deny and permit.
– Deny: Packets matching the traffic classifier template are not allowed to be
forwarded.
– Permit: Packets matching the traffic classifier template are forwarded normally.
l Traffic direction: Specify whether the ACL policy takes effect on the traffic in the
inbound or outbound direction of an interface. Generally, the ACL policy applied on the
LAN interface takes effect on the traffic in the inbound direction of the interface.
l Effective time template: Specify the time range in which the policy takes effect. If no
time range is specified, the policy takes effect at any time. For details about the effective
time template, see the description in "Data Planning and Design" in 1.4.2.2 Intelligent
Traffic Steering.
l Site: Specify the site where the ACL policy is applied.
ACL Policy on the WAN Side (Underlay Network)
l Policy name: Specify the name of an ACL policy, for example, test_bj_acl_class2.
l Traffic classifier template: Plan a traffic classification rule, create a traffic classifier template, and apply the ACL policy to packets that match the rule. The ACL policy of the underlay network cannot use a traffic classifier template that matches an application group. You can identify the traffic to be filtered by specifying the source and destination IP addresses, TCP or UDP source and destination port numbers, VLAN ID, 802.1p priority, source and destination MAC addresses, and Layer 2 protocol type. For details about the traffic classifier, see the description in "Data Planning and Design" in 1.4.2.2 Intelligent Traffic Steering.
l Policy priority: Specify the priority of an ACL policy. The value is in the range from 1 to
5000 with the recommended step of 10.
If multiple ACL policies are applied to a site, the CPE matches the packets with the
traffic classifier template in the ACL policy based on the descending order of priority
after receiving packets. If the match succeeds, the CPE performs traffic filtering. If the
match fails, the CPE continues to match the traffic classifier template in the next ACL
policy.
l Interface: The value is WAN, indicating that the ACL policy of the underlay network is
applied only to the WAN interface. You need to select a site template and a WAN link in
the template to specify the WAN interface to which the ACL policy is applied.
– Site template: Specify the template used by the site where the ACL policy is applied.
– WAN link: Specify the WAN link in the site template. The ACL policy is applied to the corresponding WAN interface of the site.
l Traffic filtering: Specify the action for the traffic. The value can be deny and permit.
– Deny: Packets matching the traffic classifier template are not allowed to be
forwarded.
– Permit: Packets matching the traffic classifier template are forwarded normally.
l Traffic direction: Specify whether the ACL policy takes effect on the traffic in the inbound or outbound direction of the interface. Generally, an ACL policy applied on the WAN interface takes effect on the traffic in the inbound direction, that is, on traffic arriving from the external network.
l Effective time template: Specify the time range in which the policy takes effect. If no
time range is specified, the policy takes effect at any time. For details about the effective
time template, see the description in "Data Planning and Design" in 1.4.2.2 Intelligent
Traffic Steering.
l Site: Specify the site where the ACL policy is applied.
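The priority-ordered matching described above, as an added example (a Python model written for this page, not code from the guide or from the CPE): each ACL policy carries a priority, a traffic classifier template and a permit or deny action, optionally restricted by an effective time template, and the first active policy whose classifier matches decides. The field names, the treatment of a larger priority value as higher priority, and the implicit permit for a packet that matches no policy are assumptions of this model, not statements of the guide.

```python
"""Model of underlay ACL policy matching on a CPE (added example, not Huawei code).

Assumptions not stated in the guide: a larger priority value is evaluated first,
a packet matching no policy is permitted, and an effective time template is a
same-day start/end window.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Fields of a received packet that a traffic classifier can look at."""
    src: str
    dst: str
    proto: str                     # "tcp", "udp", "icmp", ...
    sport: Optional[int] = None
    dport: Optional[int] = None
    vlan: Optional[int] = None


@dataclass(frozen=True)
class Classifier:
    """Traffic classifier template: every field that is set must match; unset fields match anything."""
    src: Optional[str] = None      # host address or CIDR prefix
    dst: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[Tuple[int, int]] = None   # inclusive port range
    dport: Optional[Tuple[int, int]] = None
    vlan: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src, strict=False):
            return False
        if self.dst is not None and ip_address(pkt.dst) not in ip_network(self.dst, strict=False):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        for want, have in ((self.sport, pkt.sport), (self.dport, pkt.dport)):
            if want is not None and (have is None or not want[0] <= have <= want[1]):
                return False
        if self.vlan is not None and pkt.vlan != self.vlan:
            return False
        return True


@dataclass(frozen=True)
class AclPolicy:
    name: str
    priority: int                  # 1..5000; a step of 10 leaves room to insert policies later
    classifier: Classifier
    action: str                    # "permit" or "deny"
    effective: Optional[Tuple[time, time]] = None   # effective time template (start, end)

    def __post_init__(self) -> None:
        if not 1 <= self.priority <= 5000:
            raise ValueError("policy priority must be in 1..5000")
        if self.action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")

    def active_at(self, when: datetime) -> bool:
        """A policy with no effective time template takes effect at any time."""
        if self.effective is None:
            return True
        start, end = self.effective
        return start <= when.time() <= end


def evaluate(policies: Iterable[AclPolicy], pkt: Packet, when: datetime,
             default: str = "permit") -> Tuple[str, Optional[str]]:
    """Return (action, policy name). Policies are tried from highest to lowest
    priority; the first active policy whose classifier matches decides and later
    policies are not consulted. A packet matching no policy gets `default`."""
    for pol in sorted(policies, key=lambda p: p.priority, reverse=True):
        if pol.active_at(when) and pol.classifier.matches(pkt):
            return pol.action, pol.name
    return default, None
```

The ordering is the point to check when reviewing a site's policies: a narrow permit for one management host only wins over a broad Telnet deny if its priority value places it ahead of the deny; with the two values swapped the same host is denied.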

Configuration Tasks

Table 1-8 Overview of ACL policy configuration tasks

Scenario: Deploy an ACL policy on the WAN side.
Description: An ACL policy of the underlay network can block packets to be transmitted to a
CPE through a WAN interface. This prevents unauthorized access to the CPE and the internal
network, ensuring network security.
Task:
1. Create a traffic classifier template.
2. (Optional) Create an effective time template.
3. Create an ACL policy for the underlay network.

Scenario: Deploy an ACL policy on the LAN side.
Description: An ACL policy of the overlay network can block overlay network service traffic
transmitted to a CPE through a LAN interface. For example, an ACL policy can limit the use of
some services during a specified time period.
Task:
1. Create a traffic classifier template.
2. (Optional) Create an effective time template.
3. Create an ACL policy for the overlay network.

1.4.3.2 Firewall

Functions
The firewall function provided by the CPE separates an internal network from an external
network logically to protect the internal network from unauthorized access.

The firewall function involves the following two concepts:

l Security zone
A security zone, also called a zone, is an interface or a group of interfaces whose
connected networks share the same security attributes. Each security zone has a globally
unique security priority.
l Interzone
Any two security zones constitute an interzone, and packets transmitted between the two
zones belong to that interzone. Inbound indicates that packets travel from a low-priority
security zone to a high-priority security zone; outbound indicates that packets travel
from a high-priority security zone to a low-priority security zone.

In the SD-WAN Solution, the firewall function is implemented through security policies,
which are applied to the interzone. A firewall security policy is deployed on the CPE to
ensure security for Internet access services of enterprise users, protecting the internal network
from unauthorized access.

In addition, the CPE provides the application specific packet filter (ASPF) function to detect
application-layer and transport-layer protocol information and dynamically determine whether
to allow packets to enter the internal network. The firewall security policy and the ASPF
function work together to provide more comprehensive service-based security protection for
the internal network of enterprises.

Application Scenarios
In the SD-WAN Solution, the firewall function is mainly used in the Site-to-Internet scenario,
that is, to implement security protection for Internet access services, as shown in the
following figure.

Figure 1-12 Application scenarios of firewalls

l Centralized Internet access scenario


In this scenario, the Internet access traffic of all sites is diverted to the centralized
Internet access site, and is then forwarded to the Internet. The firewall function is
deployed on the centralized Internet access site to ensure security of Internet access
services.
l Local Internet access scenario

In this scenario, the Internet access traffic of all sites is directly transmitted from the
local CPE to the Internet. The firewall function is deployed on the local CPE to ensure
security of Internet access services.
NOTE

If a site has only MPLS links, and these links carry both Internet access and legacy network access,
the system preferentially ensures communication with the legacy networks. In this case, the firewall
function does not take effect.

Data Planning and Design


l Policy name: Specify the name of a security policy. The value can contain only letters,
digits, underscores (_), and hyphens (-).
l Internet-to-user flow list: Specify the list of ACL rules for matching packets in the
inbound direction. Multiple ACL rules can be defined. Inbound is the direction from a
low-priority zone to a high-priority zone. The default action in the inbound direction is
deny. Only packets matching the Internet-to-user flow list are allowed to pass.
– Protocol: Specify the protocol type of packets matching an ACL rule. The protocol
can be TCP, UDP, ICMP, GRE, IGMP, IP, IPinIP, and OSPF. You can also set the
protocol number to specify other protocols.
– Source IP address: Plan the source IP address of packets matching an ACL rule.
You can specify a host address or an address segment, or set the value to any to
match source IP addresses of all packets.
– Source port: Plan the TCP or UDP source port number of packets matching an ACL
rule. If this parameter is left blank, it indicates that the source port number is not
limited.
– Destination IP address: Plan the destination IP address of packets matching an ACL
rule. You can specify a host address or an address segment, or set the value to any
to match destination IP addresses of all packets.
– Destination port: Plan the TCP or UDP destination port number of packets
matching an ACL rule. If this parameter is left blank, the destination port number is
not limited.
l User-to-Internet flow list: Plan the list of ACL rules for matching packets in the
outbound direction. Multiple ACL rules can be defined. Outbound is the direction from a
high-priority zone to a low-priority zone. The default action in the outbound direction is
permit, so outbound packets that match no rule are still forwarded. Packets matching the
user-to-Internet flow list are allowed to pass.
– Protocol: Plan the protocol type of packets matching an ACL rule. The protocol can
be TCP, UDP, ICMP, GRE, IGMP, IP, IPinIP, and OSPF. You can also set the
protocol number to specify other protocols.
– Source IP address: Plan the source IP address of packets matching an ACL rule.
You can specify a host address or an address segment, or set the value to any to
match source IP addresses of all packets.
– Source port: Plan the TCP or UDP source port number of packets matching an ACL
rule. If this parameter is left blank, the source port number is not limited.
– Destination IP address: Plan the destination IP address of packets matching an ACL
rule. You can specify a host address or an address segment, or set the value to any
to match destination IP addresses of all packets.
– Destination port: Plan the TCP or UDP destination port number of packets
matching an ACL rule. If this parameter is left blank, the destination port number is
not limited.

l Site: Plan the site where the firewall policy is applied.

Configuration Tasks
For details about how to enable the firewall function, see Configuration > Security Policy in
1.8.5.6.1 Creating a Network Security Policy.

1.4.3.3 IPS

Functions
The intrusion prevention system (IPS) is a security mechanism. IPS detects intrusion behavior
(such as buffer overflow attacks, Trojan horses, and worms) by analyzing the network traffic,
and terminates intrusion behavior in real time through certain responses. This protects
enterprise information systems and network architectures against intrusions.

The IPS signature database preconfigured on the CPE defines common intrusion behaviors.
The IPS compares packet characteristics with the signatures in the database. If a packet
matches a signature, the IPS treats the behavior as an intrusion and takes the protective
action defined for that signature.

In the SD-WAN Solution, the IPS is implemented through security policies, which are applied
to the interzone. An IPS security policy is deployed on the CPE to implement security
protection for Internet access services of enterprise users, blocking various intrusion
behaviors from the Internet.

Application Scenarios
In the SD-WAN Solution, the IPS is mainly used in the Site-to-Internet scenario, that is, to
implement security protection for Internet access services, as shown in the following figure.

Figure 1-13 Application scenarios of IPS

l Centralized Internet access scenario


In this scenario, the Internet access traffic of all sites is diverted to the centralized
Internet access site, and is then forwarded to the Internet. The IPS is deployed on the
centralized Internet access site to implement security protection for Internet access
services and block various intrusion behaviors from the Internet.
l Local Internet access scenario
In this scenario, the Internet access traffic of all sites is directly transmitted from the
local CPE to the Internet. The IPS is deployed on the local CPE to implement security
protection for Internet access services and block various intrusion behaviors from the
Internet.

Data Planning and Design


l Policy name: Specify the name of a security policy. The value can contain only letters,
digits, underscores (_), and hyphens (-).
l IPS profile: Specify the IPS profile used by the security policy. The SD-WAN@AC-
Campus presets multiple security configuration files for different application scenarios.
The preset security configuration files can be viewed or directly referenced by the IPS
profile, and cannot be modified or deleted. The following security configuration files are
supported:
– strict: It contains all signatures and the action is block. It applies to all protocols
and threat categories. This configuration file applies to scenarios where all packets
that match signatures need to be blocked.
– web_server: It contains all signatures and the default action is used. It applies to
DNS, HTTP, and FTP protocols, as well as all threat categories. This configuration
file applies to scenarios where the device is deployed in front of a web server.
– file_server: It contains all signatures and the default action is used. It applies to
DNS, SMB, NetBIOS, NFS, SunRPC, MSRPC, File, and Telnet protocols, as well
as all threat categories. This configuration file applies to scenarios where the device
is deployed in front of a file server.
– dns_server: It contains all signatures and the default action is used. It applies to the
DNS protocol and all threat categories. This configuration file applies to scenarios
where the device is deployed in front of a DNS server.
– mail_server: It contains all signatures and the default action is used. It applies to
DNS, IMAP4, SMTP, and POP3 protocols, as well as all threat categories. This
configuration file applies to scenarios where the device is deployed in front of a
mail server.
– inside_firewall: It contains all signatures and the default action is used. It applies to
all protocols and threat categories. This configuration file applies to scenarios
where the device is deployed inside a firewall.
– dmz: It contains all signatures and the default action is used. It applies to all
protocols except NetBIOS, NFS, SMB, Telnet, and TFTP, as well as all threat
categories. This configuration file applies to scenarios where the device is deployed
in front of the DMZ.
– outside_firewall: It contains all signatures and the default action is used. It applies
to all protocols and threat categories except Scanner. This configuration file applies
to scenarios where the device is deployed outside a firewall.
– default: It contains all signatures and the default action is used. It applies to all
protocols and threat categories. This configuration file applies to scenarios where
the device is deployed in IPS (in-line) mode.
l Site: Specify the site where the IPS policy is applied.

Configuration Tasks
For details about how to enable the IPS, see Configuration > Security Policy in 1.8.5.6.1
Creating a Network Security Policy.

1.4.3.4 URL Filtering

Functions
URL filtering regulates online behaviors by controlling URLs that users can access and
permitting or denying user access to some web resources.
The CPE allows or denies user access to a URL or a type of URLs based on the predefined
categories, blacklist, and whitelist. The CPE extracts the URL field from the HTTP request
packet and matches it against the blacklist, whitelist, or predefined categories. If a match is
found, the CPE processes the HTTP request according to the configured response action.
Because matching is performed on the URL field of the HTTP request, only requests whose URL
the CPE can read are filtered.
In the SD-WAN Solution, URL filtering is implemented through security policies, which are
applied to the interzone. A URL filtering security policy is deployed on the CPE to control
the URLs accessed by enterprise users.

Application Scenarios
In the SD-WAN Solution, URL filtering can be applied in Site-to-Legacy Site, Site-to-SD-
WAN Site, and Site-to-Internet scenarios, as shown in the following figure.

Figure 1-14 Application scenarios of URL filtering

l In the Site-to-Legacy Site scenario (1), URL filtering is deployed on the CPE to regulate
users' online behaviors by controlling URLs used by users to access the legacy site.
l In the Site-to-SD-WAN Site scenario (2), URL filtering is deployed on the CPE to
regulate users' online behaviors by controlling URLs used by users to access the SD-
WAN site.
l In the Site-to-Internet scenario (3), URL filtering is deployed on the CPE to regulate
users' online behaviors by controlling URLs used by users to access the Internet.

Data Planning and Design


l Policy name: Specify the name of a security policy. The value can contain only letters,
digits, underscores (_), and hyphens (-).
l Default action: Specify the response action for URL requests that match neither the
exception list nor a predefined URL category. After URL filtering, the device forwards URL
packets between security zones and responds to them based on the configured default
action. Currently, the following actions are supported:
– Permit: Traffic to all URLs except those included in the exception list or a
predefined URL category is allowed to pass.
– Deny: Only traffic to the URLs included in the exception list or a predefined URL
category is allowed to pass.
l Exception list
– URL: Specify exceptional URLs. If a packet matches a URL in the exception list, the
system performs the action opposite to the default action.
l Predefined URL category filtering level: Specify the filtering level for the predefined
categories. The device uses its predefined classifier templates to perform URL filtering.
You can use a filtering level defined by the system or customize the action for each
predefined classifier template.
– Filtering level: The high, medium, and low levels each configure an initial action for
all predefined URL categories. A high level applies strict actions, for example, the
device blocks requests matching the porn, P2P download, and video categories. A low
level applies loose actions, for example, the device blocks requests matching the porn
category only.
– Customization: Customize the action for each category. This method applies when
specific URL categories need to be restricted.
l Site: Specify the site where the URL filtering policy is applied.
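The decision sequence described above (exception list first, then predefined URL category with the action from the filtering level or a customization, then the default action), as an added example written for this page rather than code from the guide or the CPE. The category database, the category names and the per-level block sets are constructed stand-ins for the device's own data, and the URL extraction models the plaintext HTTP request the text refers to.

```python
"""URL filtering decision model (added example, not Huawei code).

Evaluation order follows the guide: the exception list yields the opposite of
the default action, a predefined URL category gets the action of the filtering
level or of a per-category customization, and everything else gets the default
action. CATEGORY_DB and LEVEL_BLOCKS are constructed stand-ins for the device's
predefined category data.
"""
from typing import Dict, Iterable, Optional, Set
from urllib.parse import urlsplit

# Constructed stand-in for the predefined URL category database (hostname -> category).
CATEGORY_DB: Dict[str, str] = {
    "adult.example": "porn",
    "torrents.example": "p2p_download",
    "video.example": "video",
    "news.example": "news",
}

# Constructed initial actions per filtering level: the categories each level blocks.
LEVEL_BLOCKS: Dict[str, Set[str]] = {
    "high": {"porn", "p2p_download", "video"},
    "medium": {"porn", "p2p_download"},
    "low": {"porn"},
}


def extract_url(http_request: bytes) -> Optional[str]:
    """Return "host/path?query" from a plaintext HTTP/1.x request, or None if it
    cannot be parsed (malformed request line, no Host header). Only requests the
    CPE can read in the clear can be matched this way."""
    head = http_request.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    target = parts[1]
    if target.startswith(("http://", "https://")):          # absolute-form target (proxy style)
        sp = urlsplit(target)
        return sp.netloc.lower() + (sp.path or "/") + (f"?{sp.query}" if sp.query else "")
    if not target.startswith("/"):
        return None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip().lower() + target            # origin-form target
    return None


def _matches(url: str, pattern: str) -> bool:
    """An exception entry without a path matches the whole host; with a path it is a prefix."""
    host = url.split("/", 1)[0]
    if "/" not in pattern:
        return host == pattern.lower()
    return url == pattern or url.startswith(pattern.rstrip("/") + "/")


def url_filter(url: str, default_action: str, exceptions: Iterable[str],
               level: Optional[str] = None,
               custom: Optional[Dict[str, str]] = None) -> str:
    """Return "permit" or "deny" for an extracted URL."""
    if default_action not in ("permit", "deny"):
        raise ValueError("default action must be permit or deny")
    opposite = {"permit": "deny", "deny": "permit"}
    if any(_matches(url, ex) for ex in exceptions):
        return opposite[default_action]
    category = CATEGORY_DB.get(url.split("/", 1)[0])
    if category is not None:
        if custom and category in custom:                    # customized per-category action
            return custom[category]
        if level is not None:                                 # system-defined filtering level
            return "deny" if category in LEVEL_BLOCKS[level] else "permit"
    return default_action
```

Two behaviours worth noticing: a request that cannot be parsed yields no URL and therefore cannot be matched by any rule, and a customization for a category takes precedence over the level's initial action, which is what "customize the action for each predefined classifier template" implies.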

Configuration Tasks
For details about how to enable URL filtering, see Configuration > Security Policy in
1.8.5.6.1 Creating a Network Security Policy.

1.4.3.5 Automatic Security Policy Orchestration


In the SD-WAN Solution, the firewall, IPS, and URL filtering functions provided by the CPE
are implemented through security policies. When deploying these functions on the CPE, you
need to consider the security zone planning and the interzones to which the security policies
are applied.
To implement these functions and simplify the configuration, the SD-WAN@AC-Campus
automatically orchestrates security zones based on actual requirements in the SD-WAN
Solution, as shown in the following figure.

Figure 1-15 Networking diagram of automatic orchestration

The following table describes orchestration principles of security zones and application
principles of security policies applied in interzones.

Item: Division of security zones
Description:
Zone1: trust zone (priority H)
Zone2: untrust zone (priority L)
Zone3: middle zone (priority M)

Item: Mapping between security zones and interfaces
Description:
LAN: trust zone (default). If an Internet egress exists on the LAN, the LAN can be
configured as an untrust zone (shown as 1 in the preceding figure).
Overlay: middle zone
Interlink between dual gateways: middle zone
Site to Internet: untrust zone
Site to Legacy Site: middle zone

Item: Security policy application in interzones
Description:
The firewall and IPS security policies are applied to:
trust zone -> untrust zone
middle zone -> untrust zone
URL filtering security policies are applied to:
trust zone -> untrust zone
trust zone -> middle zone
NOTE
1. The firewall and IPS functions cannot be deployed for Site-to-Site.
2. When the same WAN link is used for Site-to-Legacy Site and Site-to-Internet (a legacy site accesses
the Internet), the link is added to a middle zone, while a firewall is usually deployed on the legacy
site (shown as 2 in the preceding figure).
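The zone orchestration in the preceding table, together with the inbound/outbound and default-action rules from 1.4.3.2, as an added example (a Python model written for this page, not the SD-WAN@AC-Campus implementation). Zone names, priorities, the interface-to-zone mapping and the interzone table are taken from the table; the role strings and function names are this model's assumptions.

```python
"""Model of automatic security zone orchestration (added example, not Huawei code).

Zone names, priorities, the interface-to-zone mapping and the interzone table
come from the guide's table; the role strings and function names are assumptions.
"""
from typing import FrozenSet, Tuple

# Zone1 trust (H), Zone3 middle (M), Zone2 untrust (L), as comparable numbers.
ZONE_PRIORITY = {"trust": 3, "middle": 2, "untrust": 1}

# Interzones (higher-priority zone first) to which each policy type is applied.
FIREWALL_IPS_INTERZONES = {("trust", "untrust"), ("middle", "untrust")}
URL_FILTERING_INTERZONES = {("trust", "untrust"), ("trust", "middle")}


def zone_for(role: str, lan_has_internet_egress: bool = False) -> str:
    """Map a CPE interface role to its orchestrated security zone."""
    mapping = {
        "lan": "untrust" if lan_has_internet_egress else "trust",  # mark 1 in Figure 1-15
        "overlay": "middle",
        "interlink": "middle",           # interlink between dual gateways
        "site_to_internet": "untrust",
        "site_to_legacy": "middle",      # note 2: a shared link lands in the middle zone
    }
    if role not in mapping:
        raise ValueError(f"unknown interface role: {role!r}")
    return mapping[role]


def direction(src_zone: str, dst_zone: str) -> str:
    """Inbound: low-priority zone to high-priority zone. Outbound: the reverse."""
    if src_zone == dst_zone:
        raise ValueError("an interzone needs two different zones")
    return "inbound" if ZONE_PRIORITY[src_zone] < ZONE_PRIORITY[dst_zone] else "outbound"


def firewall_default_action(src_zone: str, dst_zone: str) -> str:
    """Firewall defaults from 1.4.3.2: inbound is denied and outbound is permitted
    unless a flow-list rule matches."""
    return "deny" if direction(src_zone, dst_zone) == "inbound" else "permit"


def interzone(zone_a: str, zone_b: str) -> Tuple[str, str]:
    """Canonical interzone: higher-priority zone first, so both traffic directions
    of a session map to the same interzone and hence the same security policy."""
    if zone_a == zone_b:
        raise ValueError("an interzone needs two different zones")
    first, second = sorted((zone_a, zone_b), key=lambda z: -ZONE_PRIORITY[z])
    return first, second


def applied_policies(zone_a: str, zone_b: str) -> FrozenSet[str]:
    """Security policy types the orchestrator applies to the interzone."""
    iz = interzone(zone_a, zone_b)
    kinds = set()
    if iz in FIREWALL_IPS_INTERZONES:
        kinds.update({"firewall", "ips"})
    if iz in URL_FILTERING_INTERZONES:
        kinds.add("url_filtering")
    return frozenset(kinds)
```

The model makes note 1 of the table visible: LAN-to-overlay traffic (trust to middle) gets URL filtering only, so a site that needs firewall or IPS protection for site-to-site traffic cannot get it from this orchestration.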

1.4.4 VM (uCPE) Lifecycle Management


Basic Concepts of the uCPE
Traditionally, different hardware devices with fixed functions are deployed on the branch
egress to provide different VAS functions, leading to complex service deployment and
provisioning and difficult management and maintenance. Generally, the Universal Customer
Premises Equipment (uCPE) uses the X86/ARM hardware platform to implement service
virtualization, and provides the firewall, WAN optimization controller (WOC), and SD-WAN
functions by running the virtualized network function (VNF). The uCPE replaces the legacy
hardware device and reduces network deployment costs. In addition, the SD-WAN@AC-
Campus can deploy the VNF on the uCPE in centralized mode on demand, accelerating
service provisioning and significantly reducing the O&M cost.

uCPE Architecture

Figure 1-16 uCPE architecture

Figure 1-16 shows the uCPE architecture.


l VNF: virtualizes functions (such as the WOC and firewall) of NEs on the legacy
network. The VNF needs to be deployed on the KVM platform and is present as an
independent virtualized NE.
l Endpoint: indicates a VM that carries a common function on the LAN. It can be used as
a common server at a tenant site and does not need to be connected to a service chain.
l uCPE OS: includes the KVM, vSwitch, SD-WAN router, and host OS.
– KVM: indicates the VM virtualization layer.
– SD-WAN router: implements the SD-WAN function. Huawei uCPEs are equipped
with the SD-WAN function.

Service Chain
On the uCPE, a service chain can be used to control specific traffic to pass through a specific
VNF sequence.
In Figure 1-17, the red traffic takes the default forwarding path: it passes only through the
SD-WAN router and does not traverse any VNF in a service chain. After a uCPE goes online,
the SD-WAN@AC-Campus triggers the uCPE to create this default forwarding path. The blue
traffic is steered into a service chain that passes through the VNF; the SD-WAN@AC-Campus
creates the path of the traffic entering the service chain based on the administrator's
configuration.
Each VNF template or VNF supports a maximum of eight service chains and at least one
default service chain. After traffic enters a LAN interface, the SD-WAN@AC-Campus
matches the service chains in the order in which they are arranged. Once the service rule
of a service chain is matched, matching stops and the traffic is forwarded along the path
specified by that service chain.
Two endpoints of a service chain are the physical LAN interface of a uCPE and the interface
connected to the SD-WAN router.

Figure 1-17 Service chain

As an NE, a VNF has its own management system (EMS), which can manage VNFs in either
of the following ways:
l Method 1: The IP address of the VNF is statically configured in the VNF management
system. In this case, packets between the VNF and the management system cannot pass
through a NAT device, because the management system does not know the translated
address.
l Method 2: After starting, the VNF automatically registers with its management system
through a mechanism such as NETCONF Call Home. In this case, the VNF can sit behind
a NAT gateway.
To ensure the universality of VNF management, it is recommended that VNFs be managed
using method 1. The VNF management system is deployed at the tenant's headquarters, and a
GRE over IPsec (DSVPN) tunnel is set up between the headquarters and the uCPEs, which
carries the management traffic without address translation.
The administrator plans a VNF management IP address pool for each tenant network and
configures large network segments with the same gateway address (for example,
10.1.1.1/16). When a tenant starts a VNF on a uCPE, the SD-WAN@AC-Campus allocates a
management IP address with a 30-bit mask and a gateway interface address to the VNF. The
IP address of the VNF management interface can be imported using the initial file, or the
VNF can obtain it dynamically through DHCP from the gateway interface of the uCPE after
startup.
The WAN-side routing protocol of the uCPE (for example, BGP) advertises the management
network segment of each VNF to the other uCPEs, including the Hub-CPE, so that the VNF
management system connected to a uCPE can reach the VNFs on every uCPE.
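The allocation described above (a large per-tenant management pool, a 30-bit mask per VNF, a gateway interface address in the same segment, and advertisement of each VNF's segment over the WAN routing protocol), as an added example written for this page rather than code from the SD-WAN@AC-Campus. The class and method names, the reuse of released segments, and the choice of the first usable address of each /30 as the uCPE gateway address are assumptions; the pool prefix in the test is constructed.

```python
"""Per-VNF /30 management subnet allocation from a tenant pool (added example, not Huawei code).

Assumptions not stated in the guide: the first usable address of each /30 is the
uCPE gateway interface and the second is the VNF; released /30s are reused first.
"""
from ipaddress import IPv4Address, IPv4Network, ip_network
from typing import Dict, Iterator, List, NamedTuple


class Lease(NamedTuple):
    vnf_ip: IPv4Address       # management address configured on the VNF (30-bit mask)
    gateway_ip: IPv4Address   # address of the uCPE gateway interface in the same /30
    subnet: IPv4Network       # the /30 to advertise to the other uCPEs


class VnfMgmtPool:
    def __init__(self, pool: str) -> None:
        self.pool = ip_network(pool, strict=True)
        if not isinstance(self.pool, IPv4Network) or self.pool.prefixlen > 30:
            raise ValueError("pool must be an IPv4 prefix of /30 or shorter")
        self._fresh: Iterator[IPv4Network] = self.pool.subnets(new_prefix=30)
        self._released: List[IPv4Network] = []
        self.leases: Dict[str, Lease] = {}

    def allocate(self, vnf_id: str) -> Lease:
        """Idempotent: a VNF that already holds a lease gets the same one back."""
        if vnf_id in self.leases:
            return self.leases[vnf_id]
        if self._released:
            subnet = self._released.pop(0)
        else:
            try:
                subnet = next(self._fresh)
            except StopIteration:
                raise RuntimeError(f"management pool {self.pool} exhausted") from None
        gateway_ip, vnf_ip = list(subnet.hosts())   # the two usable addresses of a /30
        lease = Lease(vnf_ip, gateway_ip, subnet)
        self.leases[vnf_id] = lease
        return lease

    def release(self, vnf_id: str) -> None:
        """Return a /30 to the pool when the VNF is deleted."""
        lease = self.leases.pop(vnf_id)
        self._released.append(lease.subnet)

    def routes_to_advertise(self) -> List[str]:
        """Management segments the uCPE must advertise (for example, via BGP) so the
        tenant's VNF management system can reach each VNF."""
        return sorted(str(lease.subnet) for lease in self.leases.values())
```

Exhaustion is the failure mode to plan for: a /16 pool yields 16384 /30s per tenant, and a pool sized too tightly fails VNF startup with the RuntimeError above rather than silently reusing an address that another VNF still holds.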

Configuration Tasks
Scenario: Deploy WAN acceleration and firewall services on the uCPE.
Description: WOC and FW VNFs are deployed on uCPE gateways at the site, and service chains
are configured to provision WAN acceleration and firewall services.
Task: Only the MSP administrator can configure virtual lifecycle management on the uCPE.
Log in as the MSP administrator and perform the following operations in sequence:
1. 1.7.3 Obtaining and Uploading a VM Image
2. 1.7.4.1 Authorizing an MSP to Maintain Tenant Services
3. 1.7.4.2 (Optional) Accessing the View for Managing Services for a Tenant
4. 1.7.4.6.1 (Optional) Configuring a Resource Pool
5. 1.7.4.6.2 (Optional) Configuring the VM Access Mode
6. 1.7.4.6.5 Creating a Profile
7. 1.7.4.6.6 (Optional) Creating a VNF Template
8. 1.7.4.6.7 Deploying the VNF
9. 1.7.4.6.9 Deploying a Service Chain

Scenario: Deploy endpoint services on the uCPE.
Description: Endpoint services are deployed on uCPE gateways at the site.
Task: Only the MSP administrator can configure virtual lifecycle management on the uCPE.
Log in as the MSP administrator and perform the following operations in sequence:
1. 1.7.3 Obtaining and Uploading a VM Image
2. 1.7.4.1 Authorizing an MSP to Maintain Tenant Services
3. 1.7.4.2 (Optional) Accessing the View for Managing Services for a Tenant
4. 1.7.4.6.2 (Optional) Configuring the VM Access Mode
5. 1.7.4.6.8 Deploying the Endpoint

1.4.5 Site Deployment


In legacy site deployment, professional IT engineers are required to deploy devices onsite.
Because devices are scattered and online operations take a long time, misoperations may
occur, and manual operations during initial configuration may introduce errors. The Huawei
SD-WAN Solution supports zero touch provisioning (ZTP), including email- and USB-based
deployment, to solve such problems.

The following describes roles involved in the deployment and their responsibilities:
l Network administrator: plans network deployment, maintains the network, and
configures and sends a deployment email. The email must contain the URL used to
activate the deployment process. It is recommended that the email contain instructions
for deployment engineers.
l Device administrator: manages purchased devices and information about device sites and
delivered devices. The device administrator of the system integrator performs USB-
based deployment to import initial configurations before device delivery.
l Deployment engineer (network installation or maintenance engineer) at the site: connects
terminals to gateways onsite after confirming that the deployment email has been
received, and performs email-based deployment. Email-based deployment can be
completed by onsite network installation or maintenance engineers, without the need of
onsite instructions of professional network engineers.

Deployment Planning and Procedure


1. Before the deployment, a public or private IP address needs to be planned for the SD-
WAN@AC-Campus to ensure that the CPE can connect to the SD-WAN@AC-Campus
through the public or private network.
The SD-WAN@AC-Campus is deployed in the data center or on HUAWEI CLOUD.
Currently, the SD-WAN@AC-Campus supports only one southbound IP address. The
SD-WAN@AC-Campus maps this private IP address to a public IP address through
NAT and connects to the Internet. A CPE with an Internet link connects to the
southbound public IP address of the SD-WAN@AC-Campus over that link. For a CPE
that accesses only the MPLS network, an Internet gateway (IGW) must be deployed on
the MPLS network so that the CPE can reach the same public IP address of the SD-
WAN@AC-Campus through MPLS.
2. The network administrator plans and designs the network, selects site devices, configures
ZTP on the SD-WAN@AC-Campus, and completes the deployment preparations
according to the deployment mode.
– Email-based deployment: After configuring ZTP, the network administrator needs
to confirm that the deployment email has been sent to the deployment engineer at
the site.
– USB-based deployment: After configuring ZTP, the network administrator needs
to download the ZTP deployment file and send it to the deployment engineer at the
site.
3. The deployment engineer completes the deployment and checks onsite whether it is
successful.

Email-based Deployment
Email-based deployment is also called URL-based deployment. After the network
administrator completes the ZTP configuration on the SD-WAN@AC-Campus, the SD-
WAN@AC-Campus automatically generates a deployment email. The URL parameters in the
deployment email carry the deployment information, and the deployment email is sent to a
specified deployment mailbox. After receiving the deployment email, the deployment
engineer clicks the URL in the email to start the deployment process. Subsequently, devices
automatically complete the deployment.

Figure 1-18 Email-based deployment process

Email-based deployment is used when a CPE is installed at a site and deployment needs to be
performed onsite. It greatly simplifies the work of the deployment engineer, who only needs
to start the deployment process from a web page with one click; the deployment then
completes automatically. This imposes no requirements on the professional skills of the
deployment engineer, greatly reducing labor cost and shortening deployment time.
Automatic Recording of ESNs
Email-based deployment applies to the scenario where the ESN is not bound to the CPE in
advance and is recorded automatically on the SD-WAN@AC-Campus after deployment.
When the SD-WAN@AC-Campus allocates a CPE to a site, only the CPE model is specified;
the ESN of the CPE is not. In this case, the SD-WAN@AC-Campus automatically allocates a
token to the CPE when generating the ZTP deployment email for the site. When the
deployment engineer deploys the CPE, the CPE sends the token, its ESN, and other
registration information to the SD-WAN@AC-Campus for registration. The SD-WAN@AC-
Campus then uses the token to associate the CPE with its ESN, completing the registration of
a CPE that was not bound to an ESN in advance. Because the token alone ties a device to the
planned site, the deployment email that carries it should be handled as a credential and
delivered only to the intended deployment engineer.
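The token-based binding just described, as an added example written for this page (a Python model of the mechanism, not the SD-WAN@AC-Campus implementation): the controller issues an unguessable token per planned CPE slot when it generates the deployment email, the CPE presents that token with its ESN and model at registration, and the controller binds the ESN to the site only if the token is known, unexpired and not already bound to a different device. The URL parameter names, token format and lifetime, the model check and the data structures are assumptions of this example.

```python
"""Token-based binding of an unbound CPE to its planned site (added example, not
the SD-WAN@AC-Campus implementation).

Assumptions: URL parameter names, token format (256-bit urlsafe), a 72 h default
lifetime, a CPE-model check, and in-memory storage.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit


@dataclass
class SiteSlot:
    site: str
    model: str                 # only the CPE model is fixed at planning time
    expires_at: float
    esn: Optional[str] = None  # learned from the CPE's registration request


class ZtpController:
    def __init__(self, base_url: str, token_ttl: float = 72 * 3600,
                 clock: Callable[[], float] = time.time) -> None:
        self.base_url = base_url
        self.token_ttl = token_ttl
        self.clock = clock
        self.slots: Dict[str, SiteSlot] = {}

    def generate_deployment_url(self, site: str, model: str) -> str:
        """Called when the ZTP e-mail is generated: one unguessable token per CPE slot."""
        token = secrets.token_urlsafe(32)          # 256 bits of randomness, URL-safe alphabet
        self.slots[token] = SiteSlot(site, model, self.clock() + self.token_ttl)
        return f"{self.base_url}/ztp?" + urlencode({"site": site, "token": token})

    def _lookup(self, token: str) -> Optional[SiteSlot]:
        # Constant-time comparison against every stored token, so response timing
        # does not reveal how many leading characters of a guess were right.
        if not token.isascii():
            return None
        for stored, slot in self.slots.items():
            if hmac.compare_digest(stored, token):
                return slot
        return None

    def register(self, token: str, esn: str, model: str) -> Tuple[bool, str]:
        """Handle the CPE's registration request (token, ESN, model)."""
        slot = self._lookup(token)
        if slot is None:
            return False, "unknown token"
        if self.clock() > slot.expires_at:
            return False, "token expired"
        if slot.esn is not None:
            if slot.esn == esn:
                return True, "already registered"          # idempotent retry by the same CPE
            return False, "token already bound to another CPE"   # single use
        if slot.model != model:
            return False, "CPE model does not match the site plan"
        slot.esn = esn
        return True, f"ESN {esn} bound to site {slot.site}"


def token_from_url(url: str) -> str:
    """What the CPE extracts from the URL the deployment engineer clicked."""
    return parse_qs(urlsplit(url).query)["token"][0]
```

Expiry and single use are what keep a leaked or forwarded deployment email from enrolling an arbitrary device into the site later; the model check additionally stops a device of the wrong type from taking the slot.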

USB-based Deployment
In USB-based deployment, after the network administrator completes the ZTP configuration
on the SD-WAN@AC-Campus, the SD-WAN@AC-Campus automatically generates the ZTP
file that records the CPE deployment configuration. The deployment engineer then uses the
deployment tool to generate a configuration file from it and copies the configuration file to a
USB flash drive for USB-based deployment.

Figure 1-19 USB-based deployment process

USB-based deployment is mainly used in batch deployment scenarios. The device
administrator of a system integrator or enterprise uniformly imports deployment
configurations to CPEs in the warehouse and then distributes the CPEs for onsite installation
and deployment.

NOTE

During batch deployment using a USB flash drive, the ESN of the CPE that is distributed to the site
must be the same as the ESN of the CPE configured on the SD-WAN@AC-Campus. Otherwise, the
deployment may fail.

NTP Clock Synchronization


When a CPE registers with the SD-WAN@AC-Campus and reports performance data, it
carries a timestamp. If the time on the CPE is wrong, registration fails and the performance
data is stamped with times that do not match reality. Therefore, NTP is configured on the
SD-WAN@AC-Campus to synchronize the time of devices at each site.

NTP can be configured independently for each site in the following sequence: external clock
source > parent site > branch site.

On a network that requires high security, NTP authentication must be enabled. Password
authentication is configured between a client and a server to ensure that the client only
synchronizes with a server that is successfully authenticated, improving network security.
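The client-side check that the preceding paragraph calls for, as an added example written for this page rather than code from the guide or the CPE. It models the symmetric-key scheme of NTPv4 (RFC 5905): the server appends a MAC consisting of a 4-byte key identifier and an MD5 digest computed over the shared key followed by the 48-byte header, and the client accepts a response only if the digest verifies under a key it trusts. Whether the CPE uses exactly this digest is an assumption; the key and the packet in the test are constructed.

```python
"""Symmetric-key NTP response authentication (added example, not Huawei code).

Models RFC 5905 symmetric-key authentication: MAC = key ID (4 bytes) followed by
MD5 over (key || 48-byte NTP header). MD5 here is the construction the protocol
specifies, not a general recommendation. Keys and packets are constructed.
"""
import hashlib
import hmac
import struct
from typing import Dict, Tuple

NTP_HEADER_LEN = 48
MAC_LEN = 4 + 16   # key ID + MD5 digest


def ntp_mac(key_id: int, key: bytes, header: bytes) -> bytes:
    """Key ID followed by the digest over the shared key and the header."""
    digest = hashlib.md5(key + header).digest()
    return struct.pack("!I", key_id) + digest


def server_response(key_id: int, key: bytes, transmit_ts: int) -> bytes:
    """Constructed NTPv4 server-mode packet (LI=0, VN=4, Mode=4) with a MAC appended."""
    header = bytearray(NTP_HEADER_LEN)
    header[0] = 0x24                                   # 00 100 100: no warning, version 4, server
    header[1] = 2                                      # stratum 2
    struct.pack_into("!Q", header, 40, transmit_ts)    # transmit timestamp field
    header = bytes(header)
    return header + ntp_mac(key_id, key, header)


def verify_response(packet: bytes, trusted_keys: Dict[int, bytes]) -> Tuple[bool, str]:
    """Client-side check: accept only a response whose MAC verifies under a trusted key.
    An unauthenticated response is rejected outright, which is what keeps the client
    from synchronizing with a server that has not been authenticated."""
    if len(packet) == NTP_HEADER_LEN:
        return False, "unauthenticated response rejected"
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return False, "unexpected packet length"
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False, f"key ID {key_id} is not trusted"
    if not hmac.compare_digest(mac, ntp_mac(key_id, key, header)):
        return False, "digest mismatch"
    return True, "authenticated"
```

The key ID is sent in the clear and only selects which trusted key to use; the protection comes from the pre-shared key, so the same key must be configured on the CPE and on the server it is meant to trust, and a response for an unknown key ID is rejected rather than accepted as unauthenticated time.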

Data Planning and Design


Before site deployment, the network administrator must configure the ZTP. The WAN
interface on the CPE used by the site and the WAN link to be connected have been determined
during site planning. This section describes how to plan the IP address and interface
parameters of the WAN interface.

- Interface: The WAN link parameters to be configured vary according to the interface type
  specified in site planning.
  The following interface types are supported:
  – GE/FE/XGE: Ethernet interface and Ethernet sub-interface
  – xDSL (ATM): ADSL interface or G.SHDSL interface (working in ATM mode by default)
  – xDSL (PTM): VDSL interface (working in PTM mode by default)
  – LTE: 3G/LTE interface
  The following table describes the network access modes of the links supported by each
  interface type.

  Link Type          Interface Type   Type of the Access Network
  -----------------  ---------------  ------------------------------------
  Ethernet link      GE/FE/XGE        IPoE: Static, Dynamic (DHCP)
                                      PPPoE
  xDSL link (ATM)    xDSL (ATM)       IPoA
                                      IPoEoA: Static, Dynamic (DHCP)
                                      PPPoA
                                      PPPoEoA
  xDSL link (PTM)    xDSL (PTM)       IPoE: Static, Dynamic (DHCP)
                                      PPPoE
  3G/LTE link        LTE              -

- Sub-interface
  This parameter is set based on whether a sub-interface is required to terminate the user
  VLAN. To terminate a user VLAN through a sub-interface, configure the VLAN terminated by
  the sub-interface for Dot1q VLAN tag termination.
- Interface protocol type
  This parameter is set based on the mode in which the interface obtains its IP address.
- Dynamic/Static IP address
  Select dynamic or static based on whether the gateway accesses the Internet using a static
  IP address or obtains one through DHCP.
- Static IP address, mask, and default gateway address
  When the IP address is obtained statically, manually configure the IP address, mask, and
  gateway address of the interface.
- Interface negotiation mode
  – Auto-negotiation: The interface rate and duplex mode are negotiated with the peer
    interface.
  – Non-auto-negotiation: The interface rate and duplex mode are configured manually.
  In non-auto-negotiation mode, set the working mode, duplex mode, and rate of the interface
  according to the actual status of the peer interface.
- Public IP address
  This address is used by the edge site to reach the vRR.
  The public IP address must be the same as the interface IP address that is statically
  configured or dynamically obtained. If a NAT device is deployed between the vRR site and
  the WAN-side network, the public IP address must be the address of the interface after NAT
  mapping.
- Uplink and downlink bandwidths of the interface
  The uplink and downlink bandwidths of an interface are configured based on the actual
  requirements, in Mbit/s.
NTP Clock Synchronization
The following parameters are set for NTP clock synchronization at a site:
- Time zone
  Time zone to which the site gateway belongs.
- NTP authentication
  Optional. Specifies whether NTP authentication is enabled when the gateway at the site
  functions as an NTP server. If NTP authentication is enabled, set the authentication
  password and authentication ID. If the gateway at the site functions as an NTP client, its
  authentication password and authentication ID must be the same as those on the parent site
  that functions as the NTP server. Otherwise, authentication fails and the clock is not
  synchronized.
- NTP client mode
  – Manual configuration: An NTP server must be deployed on the network. Set the WAN link
    through which the site gateway reaches the NTP server, and the NTP server address. If NTP
    authentication is enabled on the NTP server, set the NTP authentication mode (MD5 or
    HMAC-SHA256), authentication password, and authentication ID to match the NTP server.
  – Automatic synchronization with the parent site: A branch site synchronizes with its
    aggregation site or hub site, and an aggregation site synchronizes with the hub site.
  – Disabled: NTP clock synchronization is not performed.
NTP Server
If a site functions as an NTP client and the NTP server is configured manually, plan and deploy
the NTP server on the network. If no dedicated NTP server is available, you are advised to use
the FusionInsight component of the SD-WAN@AC-Campus as the NTP server.
- IP address: IP address of the NTP server, which must be reachable from the site.
- Authentication mode: If authentication is enabled on the NTP server, the authentication mode
  on the NTP server must be MD5 or HMAC-SHA256.
- Authentication password: authentication password required by the NTP server.
- Authentication ID: key ID for NTP authentication, which must be a number other than 0. The
  key ID is carried in the NTP packet and tells the receiver which key to check the packet
  with, so the ID and password the site uses as a client must identify the same key that is
  configured on the NTP server.
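
The following added example (Python written for this page, not code from the Huawei guide or its devices) shows what the authentication settings planned above mean on the wire. It covers both the NTP authentication requirement in the NTP Clock Synchronization section and the NTP server parameters listed here: it builds a 48-byte NTPv4 client packet, appends the authenticator that a site gateway configured with a key ID, mode and password would send, and verifies it the way the server does, using the key ID carried in the packet to select the server's key and recomputing the digest. The MD5 mode follows RFC 5905 (MD5 over key || packet). The HMAC-SHA256 construction, the key table `SERVER_KEYS`, and every key ID and password below are assumptions constructed for the example; the guide does not specify the exact wire format its devices use.

```python
"""NTP packet authenticator: client-side signing and server-side verification.

Added example, not part of the Huawei guide. MD5 mode follows RFC 5905
(digest over key || packet); the HMAC-SHA256 mode is an assumed construction.
All key IDs and passwords are constructed sample data.
"""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48  # fixed NTPv4 header, no extension fields

# Keys as configured on the NTP server: key ID -> (mode, password).
# Constructed sample data. Key ID 0 is not valid, so it never appears here.
SERVER_KEYS = {
    10: ("md5", b"ntp-branch-secret"),
    20: ("hmac-sha256", b"ntp-hub-secret"),
}


def ntp_header(transmit_ts: int = 0) -> bytes:
    """Minimal NTPv4 client header: LI=0, VN=4, mode=3, all fields zero except
    the transmit timestamp (last 8 bytes). Total length is 48 bytes."""
    first_word = struct.pack("!BBBbIII", 0x23, 0, 0, 0, 0, 0, 0)   # 16 bytes
    zero_timestamps = b"\x00" * 24                                    # ref/orig/recv
    return first_word + zero_timestamps + struct.pack("!Q", transmit_ts)


def compute_mac(mode: str, key: bytes, packet: bytes) -> bytes:
    """Digest over the header for the given authentication mode."""
    if mode == "md5":
        return hashlib.md5(key + packet).digest()               # RFC 5905 keyed digest
    if mode == "hmac-sha256":
        return hmac.new(key, packet, hashlib.sha256).digest()    # assumed construction
    raise ValueError(f"unsupported authentication mode: {mode}")


def sign_packet(packet: bytes, key_id: int, mode: str, password: bytes) -> bytes:
    """Client side: append the 32-bit key ID and the digest, as a site gateway
    configured with this key ID, mode and password would."""
    if key_id == 0:
        raise ValueError("authentication ID must be a number other than 0")
    return packet + struct.pack("!I", key_id) + compute_mac(mode, password, packet)


def verify_packet(signed: bytes, keys=SERVER_KEYS) -> bool:
    """Server side: read the key ID from the packet, look the key up, and compare
    the received digest with a freshly computed one in constant time."""
    if len(signed) < NTP_HEADER_LEN + 4:
        return False                       # no authenticator present
    key_id = struct.unpack("!I", signed[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])[0]
    if key_id not in keys:
        return False                       # unknown key ID: nothing to check against
    mode, password = keys[key_id]
    received = signed[NTP_HEADER_LEN + 4:]
    expected = compute_mac(mode, password, signed[:NTP_HEADER_LEN])
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    pkt = ntp_header(transmit_ts=0x1234)
    cases = {
        "matching key ID and password": sign_packet(pkt, 10, "md5", b"ntp-branch-secret"),
        "HMAC-SHA256 key": sign_packet(pkt, 20, "hmac-sha256", b"ntp-hub-secret"),
        "wrong password": sign_packet(pkt, 10, "md5", b"wrong-password"),
        "key ID unknown to server": sign_packet(pkt, 11, "md5", b"ntp-branch-secret"),
        "mode mismatch": sign_packet(pkt, 10, "hmac-sha256", b"ntp-branch-secret"),
        "unauthenticated packet": pkt,
    }
    for name, data in cases.items():
        print(f"{name}: {'accepted' if verify_packet(data) else 'rejected'}")
```

Running the block shows that only a client whose key ID and password select and match the server's key is accepted; a wrong password, a key ID the server does not know, a mismatched mode, a modified header, or a packet with no authenticator is rejected. This is why the planning note requires the client's authentication ID and password to identify the same key as on the server.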
Email Server
- SMTP address: address of the email server used by the SD-WAN@AC-Campus to send emails.
  The email server must be reachable from the SD-WAN@AC-Campus. You can set an IP address or
  a domain name, for example, smtp.email.com.
- Port number: port number of the email server. Generally this is 25, the default (unencrypted)
  SMTP port; it must match the port provided by the email service provider.
- Test email address: email address used to test whether the SD-WAN@AC-Campus can send emails
  through the email server. The address must be reachable, or must be an address registered on
  the email server.
Device Activation Security Settings
- URL encryption key: key used to encrypt the URL in the deployment email and in the ZTP file.
  The value is a string of 6 to 12 digits, for example, 123456.
  After the key is set, the deployment engineer must enter the correct key on the Portal page
  to perform email-based deployment on the CPE. Therefore, the key must be passed to the
  deployment personnel before deployment, through a channel other than the deployment email
  itself. A 6-digit numeric key has only one million possible values, so use the full 12
  digits and do not reuse the example value.
- Token validity period: validity period of the token, in days. The value ranges from 1 to 30,
  and the default is seven days.
  When a CPE whose ESN is not recorded on the SD-WAN@AC-Campus is deployed, timing starts
  when the deployment email is sent. When the SD-WAN@AC-Campus receives the registration
  information of the CPE, it checks whether the registration time falls within the token
  validity period. If it does, the CPE registers successfully; otherwise, registration fails.
  A shorter validity period limits how long a deployment email remains usable if it reaches
  the wrong recipient.

Configuration Tasks

Scenario: Perform site deployment through email-based deployment.
  Description: Email-based deployment is recommended for scenarios where the installation and
  maintenance engineer needs to be present at the site to deploy CPEs.
  Tasks:
    1.8.3.6 Configuring the Network Access Mode for a Site
    1.8.3.7 Configuring Time Synchronization for a Site
    1.8.4.2 Deploying a Site by Email

Scenario: Perform site deployment through USB-based deployment.
  Description: USB-based deployment is recommended for scenarios where the device administrator
  centrally processes a batch of CPEs and deploys them in batches.
  Tasks:
    1.8.3.6 Configuring the Network Access Mode for a Site
    1.8.3.7 Configuring Time Synchronization for a Site
    1.8.4.3 USB-based Deployment

1.5 Configuration Procedure


The configuration procedure varies according to the operating mode of a tenant.

1.5.1 Introduction to Administrator Levels

Two Tenant Modes

Based on the permission management mode, the SD-WAN@AC-Campus supports two tenant
O&M modes.

- Enterprise O&M mode
  A two-layer management mode (system and tenant administrators) is used. It applies to the
  scenario where an enterprise builds SD-WAN services by itself, typically a large enterprise.
- MSP O&M mode
  A three-layer management mode (system, MSP, and tenant administrators) is used. It applies
  to the scenario where a service provider provides SD-WAN management services for
  enterprises.

Three Administrator Levels

The administrators of the SD-WAN@AC-Campus management system are divided into three
levels, and users at different levels have different permissions. The following figure shows
the three administrator levels.

- System administrator
  The admin user is the default system administrator. It has the highest permission and can
  create system, MSP, and tenant administrators by role. After a system administrator modifies
  the password policy, idle timeout policy, or other policies, the modifications take effect
  for all users.
- MSP administrator
  When a system administrator creates an MSP, the system administrator also creates the MSP
  administrator, which is the default administrator of that MSP. The default MSP administrator
  can create roles, and create MSP or tenant administrators by role.
- Tenant administrator
  After an MSP administrator (in MSP O&M mode) or a system administrator (in enterprise O&M
  mode) creates a tenant, the tenant administrator can create roles and tenant administrators
  by role.

Data Planning and Design


During data planning, you need to plan the administrator account and password.

The password must meet the following requirements:

1. The password must be a string of 10 to 128 characters.
2. The password cannot contain the account name or the account name in reverse order.
3. The password must contain at least one special character (such as ! @ # $ %) and at least
   two of the following character types: uppercase letters, lowercase letters, and digits.
4. The password cannot contain more than two consecutive identical characters.
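
As an added example, not code from the Huawei guide (the Agile Controller-Campus enforces its own policy when an account is created), the following Python function checks a candidate password against the four requirements above, so that planned passwords can be validated before they are entered into the system. Treating any non-alphanumeric character as a special character and comparing against the account name case-insensitively are assumptions; the page does not state either.

```python
"""Check a planned administrator password against the four requirements above.

Added example, not code from the Huawei guide. Assumptions: any
non-alphanumeric character counts as "special", and the account-name check
is case-insensitive.
"""
import re
from typing import List

SPECIAL_RE = re.compile(r"[^A-Za-z0-9]")
TRIPLE_RE = re.compile(r"(.)\1\1")  # three identical characters in a row


def password_violations(password: str, account: str) -> List[str]:
    """Return the rules the password breaks; an empty list means it is compliant."""
    problems = []

    # Rule 1: 10 to 128 characters.
    if not 10 <= len(password) <= 128:
        problems.append("length must be 10-128 characters")

    # Rule 2: must not contain the account name or the account name reversed.
    lowered, acct = password.lower(), account.lower()
    if acct and (acct in lowered or acct[::-1] in lowered):
        problems.append("must not contain the account name or its reverse")

    # Rule 3: at least one special character, and at least two of
    # uppercase letters, lowercase letters and digits.
    if not SPECIAL_RE.search(password):
        problems.append("must contain a special character")
    classes = sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
    ])
    if classes < 2:
        problems.append("must contain at least two of: uppercase, lowercase, digits")

    # Rule 4: no more than two consecutive identical characters ("aa" ok, "aaa" not).
    if TRIPLE_RE.search(password):
        problems.append("must not repeat a character more than twice in a row")

    return problems


def is_compliant(password: str, account: str) -> bool:
    return not password_violations(password, account)


if __name__ == "__main__":
    # Constructed sample inputs; "admin" is the default system administrator account.
    for candidate in ("Changeme_123", "Changeme123", "admin_12345", "nimda_Test1"):
        print(f"{candidate!r}: {password_violations(candidate, 'admin') or 'OK'}")
```

The sample run shows that the initial admin password Changeme_123 satisfies every rule, while Changeme123 fails only rule 3 (no special character), admin_12345 fails rule 2 (contains the account name), and nimda_Test1 fails rule 2 through the reversed account name.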
System administrator
- Account: Generally, the admin account is used.
- Default password: The default password of the admin account is Changeme_123.
- Password: When the system administrator logs in to the SD-WAN@AC-Campus with the default
  password for the first time, the system prompts for a password change. Therefore, the system
  administrator needs to plan a new password that meets the password requirements.
MSP administrator
- Account: The account is specified when the system administrator creates an MSP and is the
  default administrator of the MSP. The account is in the format of an email address, for
  example, MSP@test.com.
- Default password: When creating the MSP account, the system administrator specifies the
  initial login password of the default account. The password must meet the password
  requirements.
- Password: When the MSP administrator logs in to the system with the default password for
  the first time, the system prompts for a password change. Therefore, the MSP administrator
  needs to plan a new password that meets the password requirements.
Tenant administrator
- Account: The account is specified when the system or MSP administrator creates a tenant and
  is the default administrator of the tenant. The account is in the format of an email
  address, for example, user1@test.com.
- Default password: When creating the tenant account, the system or MSP administrator
  specifies the initial login password of the default account. The password must meet the
  password requirements.
- Password: When the tenant administrator logs in to the system with the default password for
  the first time, the system prompts for a password change. Therefore, the tenant
  administrator needs to plan a new password that meets the password requirements.

1.5.2 Management Process in MSP Operating Mode


The MSP operating mode applies to two scenarios, depending on whether tenant services are
managed by the tenant or by the MSP. Figure 1-20 shows the management processes in MSP
operating mode.

Figure 1-20 Management process in MSP operating mode

1.5.3 Management Process in Tenant Operating Mode


In the tenant operating mode, perform configurations according to the following management
process.

Figure 1-21 Management process in tenant operating mode

1.6 System Administrator Configuration

1.6.1 Logging In to the Agile Controller-Campus


Log in to the Agile Controller-Campus using a system administrator account.

Context
After the Agile Controller-Campus is installed, an administrator can use a web browser to log
in to the Agile Controller-Campus WebUI to perform system management and maintenance
operations. The following web browsers are supported:
- Internet Explorer 11
- Chrome 50 or Chrome 60
- Microsoft Edge 20 or Microsoft Edge 40 on Windows 10

Procedure
Step 1 Open a supported web browser.

Step 2 Enter https://<Agile Controller-Campus server IP address>:<port number> in the address
box, and press Enter.
NOTE

- The IP address of the Agile Controller-Campus server is the Northbound management IP
  specified when you configured the Agile Controller-Campus.
- The port number is 18008.

Step 3 The browser reports a certificate error because the default server certificate is not
issued by a CA that the browser trusts. Proceed past the warning to reach the login page:
- Internet Explorer 11: Click Continue to this website (not recommended).
- Chrome 50/60: Choose Advanced > Proceed to... (unsafe).
- Edge 20/40: Click Continue to this webpage (not recommended).

NOTE

Until a trusted certificate is installed, the browser cannot verify the identity of the server,
so log in only from a trusted management network. To resolve the certificate error, apply for a
certificate from an official CA. After the certificate is issued, the system administrator
replaces the ER northbound certificate used by browsers. For details, see Updating ER
Certificates.

Step 4 Enter the default administrator name admin and password Changeme_123, and click Login.


Step 5 Upon first login, change the password as prompted. Skip this step if it is not your
first login.

Step 6 Upon first login, select the tenant mode and the license management policy. Skip this
step if it is not your first login.

Exercise caution when selecting the tenant mode and the license management policy, because
they cannot be modified afterwards. To change the tenant mode, you must reinstall the Agile
Controller-Campus.

1. Set the operating mode. Tenant Operating Mode is used as an example: select Tenant
   Operating Mode, and click Next Step.
   – To use only the SD-WAN service, select Tenant Operating Mode, and click Next Step.
   – To use the uCPE service, or both the uCPE and SD-WAN services, select MSP Operating
     Mode, and click Next Step.


2. Set the license mode.
   In the SD-WAN scenario, you must select System Administrator manage License, and click
   Next Step.


----End

1.6.2 Importing a License


Some service functions and the maximum number of resource items that can be loaded are
controlled by licenses. When deploying new devices, purchase licenses to obtain the required
service functions and resources and to extend device functions.

Context
As devices provide more and more features, device prices keep growing. The license mechanism
allows you to purchase only the features you need, reducing operation costs and shortening
service deployment time. You can purchase only the required features at the beginning and
enable license-controlled features later as required. Enabling license-controlled features
does not affect existing services.
A license file is usually encrypted using the device serial number (ESN) as the key, so it is
valid only for the device it was issued for. You can apply for a license through Huawei
technical support.

NOTE

In the MSP-operated public cloud and enterprise-operated private cloud scenarios, the system
administrator imports a license file (global license) to the cloud management platform when building the
platform. Tenants do not need to purchase license activation codes from the MSP.
The license management function is available to system administrators upon their first login to the Agile
Controller-Campus if the license mode is set to System Administrator Management License.


Procedure
Choose Administration > Administration > License on the home page. On the License
Management page, view the license information.
- Loading a license
  a. Click Obtain ESN to obtain the ESN.
  b. Apply for the license file on the ESDP platform based on the ESN. For details, see the
     License Usage Guide.
  c. Click Upload License to load the license.
     Select the obtained license file and click OK to upload it. After the license is
     successfully loaded, the system displays a window confirming the result.
     After the license is loaded, the corresponding functions are automatically enabled, and
     the resource items are controlled by the license.
     By default, the AR license function is disabled. When an AR is added to a site, the Agile
     Controller-Campus automatically enables the license function for the AR to ensure that
     the license can be delivered successfully.


NOTE

If the license fails to be loaded, the possible reasons are as follows:
- The license file signature is incorrect.
- The license file has been tampered with.
- The license file type is incorrect.
- The license file size exceeds 50 KB.
- The license is invalid or has expired.

- Revoking a license
  When the Agile Controller-Campus server needs to be replaced, revoke the license so that it
  can be used on the new server.
  Click Revoke License to revoke the commercial license used on the original Agile
  Controller-Campus server. A revoke code is generated, and the commercial license changes to
  a trial license with a grace period of two months. After the grace period ends, the trial
  license becomes invalid automatically and all devices are forced offline.
  Use the revoke code and the ESN of the new Agile Controller-Campus server to apply for a
  license from the ESDP. The new license contains all resource items available in the
  original license.

- Removing a license
  Click Remove License. The system enters the license-unloaded state.
  NOTE

  You can remove the license only when no tenant under the system administrator has devices.

1.6.3 Managing Local Users


Creating a local user account is essential to local user management. The operations performed
before, during, and after local user creation constitute local user management.


Management Process

Figure 1-22 Managing local users

Prerequisites
Step 1 Configure global account policies.
You can configure account policies to define the user name length and login rules to improve
account security of the Agile Controller-Campus. Account policies have been configured on
the Agile Controller-Campus by default and can be modified as required.
Choose Administration > System Account > Account from the main menu. Click Account
Policy to configure global account policies.


Step 2 Configure global password policies.


A simple administrator password can be easily cracked. To prevent this problem, configure
password policies that define the complexity requirements of Agile Controller-Campus
administrator passwords, the password change interval, and the character limitation. Password
policies have been configured on the Agile Controller-Campus by default and can be modified
as required.
Choose Administration > System Account > Account from the main menu. Click Password
Policy to set the global password policy.


NOTE

If PCI DSS compliance is required, adjust the account policy and password policy as follows:
- Enable Disable unused accounts, and set Maximum number of consecutive idle days of account
  to 90. An account that has not logged in for more than 90 days is disabled.
- Enable Account lockout trigger conditions, and set Invalid password monitoring period (min)
  to 30. If an account fails to log in five consecutive times within 30 minutes, it is locked
  for 30 minutes.
- Set Number of historical passwords that cannot be reused to 4.


Step 3 Create roles.

If the existing roles in the system do not meet requirements, create new roles before
creating accounts.
Choose Administration > System Account > Account from the main menu, and click the
Role tab. Click Create, and select function rights to create a role.
By default, a system administrator has the following roles. These roles cannot be deleted or
modified.
- System Administrator: has the right to manage the Agile Controller servers, including
  monitoring clusters and configuring the mail server.
- Operator Group: system operator group.
- Auditor: audits system operation records.

----End

Procedure
Step 1 Choose Administration > System Account > Account from the main menu, and click the
Account tab.
By default, the admin account is preset on the Agile Controller-Campus.
admin: System administrator. The initial password is Changeme_123. When the admin user
adjusts the account policy, password policy, and idle timeout policy, the account policy of the
admin user is changed accordingly. The admin account cannot be modified or deleted. After
logging in to the Agile Controller-Campus as the admin for the first time, change the initial
password as prompted.


Step 2 Click Create and create an account.

Step 3 On the Create User page, set appropriate parameters and click Next.

Table 1-9 Description of parameters on the Create Account page

Parameter                    Description
---------------------------  -------------------------------------------------------------------
Account                      Login account of the newly created administrator (must be in
                             email address format).
Password                     Initial login password of the newly created administrator.
Confirm Password             Re-enter the password.
Modify password first login  Whether the password must be changed upon first login.
Email Address                Email address of the administrator.
Role                         Select the role from the drop-down list.
Select All Resources         If enabled, the administrator can manage all accounts, including
                             accounts created later.
                             If disabled, click Next. On the Managed Object page that is
                             displayed, select the accounts that the administrator can manage.
                             NOTE: This parameter is available only after you select a role.

Step 4 Click Create, set the allowed IP address range, and click Confirm.
After the IP address range is added, the account can use only an IP address within this range
to log in to the Agile Controller-Campus. If no IP address range is added, the account can use
any IP address to log in to the Agile Controller-Campus.


NOTE

After logging in to the Agile Controller using this account, choose Administration > Administration >
My Account from the menu. Configure the IP address range on the Access Control page.

Step 5 Click Confirm.

----End

Follow-up Procedure
- Modify account information, reset the password, and disable or enable an account.
  a. Choose Administration > System Account > Account from the main menu.
  b. In the Operation column, click the corresponding icon to modify the account information,
     reset the password, or disable the account. If the account has been disabled, click the
     icon to enable it.
  c. Delete an account.
     i. Choose Administration > System Account > Account from the main menu.
     ii. Select the account, and click Delete.

- Create a user group.
  To give multiple users the same permissions, create a user group and add these users to it.
  To create a user group, choose Administration > System Account > Account from the main
  menu. Click the User Group tab, and click Create to create a user group.
  If Select All Resources is disabled, click Next to select the objects to be managed by the
  user group.
  NOTE

  Only a user with administrator rights can configure user groups.


- Configure personal settings.
  Personal settings improve Agile Controller-Campus access security. These settings apply
  only to the current user.
  – Set the maximum number of concurrent online sessions for this account.
    i. Choose Administration > Administration > My Account from the main menu.
    ii. On the Basic Information page, set Simultaneous Online and click the icon next to it.
        The value 0 indicates no limit on the number of concurrent online sessions.
  – Change the password.
    i. Choose Administration > Administration > My Account from the main menu.
    ii. On the Basic Information page, click Modify next to the password. In the dialog box
        that is displayed, set a new password.
- Configure the idle timeout period.
  To prevent unauthorized users from using the administrator account while the administrator
  is away, set the idle timeout period. If an administrator performs no operation within the
  specified period, the account is automatically logged out. To perform further operations,
  the administrator must log in to the Agile Controller-Campus again.
  To configure the idle timeout period, choose Administration > System Account > Account
  from the main menu, and click Idle timeout setting.


- Check online user information.
  Choose Administration > System Account > Account from the main menu, and click the
  Online User tab.

1.6.4 Creating an MSP and the MSP Administrator


When an MSP is authorized for network construction, a system administrator does not
directly provide services to tenants. Instead, an MSP provides services to tenants. Therefore,
you need to create an MSP and the MSP administrator first. The MSP is responsible for
providing cloud managed devices and cloud network services to tenants. After a tenant
applies for managed services from an MSP, the MSP can use the Agile Controller-Campus to
query the device status and maintain devices on the tenant network. If the tenant operating
mode is used, skip operations in this section.

Procedure
Step 1 Access the MSP Management menu.
Choose MSP Management > MSP Management > MSP Management.
Step 2 Click Create.

Step 3 On the MSP Information tab page, configure MSP information.


Step 4 Click Next.

Step 5 On the Administrator Information page, configure administrator information.


Step 6 Click OK.

----End

Follow-up Procedure
If the MSP administrator has created one or more tenants, the MSP administrator account
cannot be deleted. To delete an MSP administrator account, delete the tenants created by this
account first.

Parameter Description

Table 1-10 MSP and MSP administrator parameters

MSP Information
  MSP name                   Name of the MSP.
  Number of administrator    Maximum number of administrator accounts of the MSP.
  accounts
  Postal code                Postal code of the MSP administrator, provided so that tenants
                             under the MSP can contact the MSP easily.
  Address                    Postal address of the MSP administrator, provided so that tenants
                             under the MSP can contact the MSP easily.
  Service mailbox            Email address of the MSP administrator, provided so that tenants
                             under the MSP can contact the MSP promptly. The email address
                             must be valid.
  Service phone number       Phone number of the MSP administrator, provided so that tenants
                             under the MSP can contact the MSP promptly. The phone number
                             must be valid.

Administrator Information
  Account                    Account used by the MSP administrator to log in to the Agile
                             Controller-Campus. The account must be in email address format,
                             for example, xxx@xxx.com. You are advised to ask the MSP for an
                             account, or to apply for a valid email address and assign it to
                             the MSP administrator.
  Password                   Initial password used by the MSP administrator to log in to the
                             Agile Controller-Campus for the first time. The initial password
                             must be changed upon first login.
                             By default, a password contains 10 to 128 characters drawn from
                             uppercase letters, lowercase letters, digits, and special
                             characters, and cannot contain the account name or its reverse.
                             A character may appear at most twice in a row.
  Confirm password           Must be identical to Password.
  Email                      Email address used for password retrieval, message pushing, and
                             other purposes. If left empty, the account is used as the email
                             address. The email address must be valid.
  Area                       Country or area to which the MSP administrator belongs.

1.6.5 Configuring the Tunnel Mode

Context
Huawei SD-WAN Solution mainly uses IP overlay tunneling technology to construct
networks. It also provides enhanced Ethernet Virtual Private Network (EVPN) and Dynamic
Smart VPN (DSVPN) tunneling technologies to help enterprise customers implement flexible
overlay WAN networking. To ensure that both the DSVPN and EVPN tunnel modes can be
used, the system administrator can configure the tunnel mode. The tunnel mode used by a
newly created tenant is determined by the mode selected by the system administrator.

The DSVPN tunnel mode is the mainstream tunnel mode supported in versions earlier than
V300R003C00, but this mode is facing the following bottlenecks:

Issue 01 (2019-03-13) Copyright © Huawei Technologies Co., Ltd. 122


SD-WAN
Configuration Guide 1 Configuration Guide

1. Each tunnel needs to be detected and requires BGP routes. As a result, the service
performance of the entire network is restricted and the network scale cannot be
expanded.
2. In the Full-Mesh topology model, each site requires high performance, and a small-
capacity device cannot meet the requirement.
3. Only the Hub-Spoke and Full-Mesh site interconnection models are supported. Complex
models such as hybrid networking are not supported.

In V300R003C10 and later versions, the tunnel mode of SD-WAN networks gradually moves to EVPN.

In the EVPN tunnel mode, an independent distributed control component, the vRR, is introduced. Under the control of the Agile Controller-Campus, and based on the routes and VPN topology policies configured there, the vRRs centrally control and distribute service routes between branch sites through the extended EVPN protocol. EVPN tunnels provide better performance and more flexible networking: in addition to the Hub-Spoke and Full-Mesh models, they support hierarchical and Partial-Mesh topology models.

Procedure
Step 1 Choose Administration > Administration > Tunnel Mode Setting.

Step 2 Set Tunnel mode to EVPN or DSVPN.

Step 3 Click Apply.

----End

1.6.6 Creating Tenants and Tenant Administrators


The system administrator needs to create tenants and tenant administrators when the tenant
operating mode is used. When the MSP operating mode is used, operations in this section are
performed by MSP administrators.

Context
A tenant administrator is responsible for configuring and maintaining services on a tenant
network.

Procedure
Step 1 Access the Tenant Management page.

Choose Tenant Management > Tenant Management > Tenant Management.

Step 2 Click Create to configure tenant information, and click Next. The tenant name must be
different from existing accounts.


Step 3 On the Administrator Information page, configure administrator information.


Step 4 Click OK.

----End

Follow-up Procedure
Deleting a tenant removes all data about that tenant from the Agile Controller-Campus, including the tenant account, tenant administrator accounts, sites, and tenant devices. Configuration already delivered to the devices is not removed, so tenant services continue to run; note that the devices therefore keep the deleted tenant's configuration until it is cleared. To remove the services, log in to the devices and restore their factory settings.

Parameter Description

Table 1-11 Tenant and tenant administrator parameters

Tenant Information

Tenant name: Tenant name. The tenant's company name is recommended. The tenant name contains a maximum of 64 characters. It cannot be default or all digits, and it cannot contain slashes (/).

Number of administrator accounts: Maximum number of administrator accounts of the tenant.

Postal code: Postal code of a tenant administrator, provided so that the system administrator can contact the tenant easily.

Address: Postal address of a tenant administrator, provided so that the system administrator can contact the tenant easily.

Administrator Information

Account: Account used by a tenant administrator to log in to the Agile Controller-Campus. The account must be in the format of an email address, for example, xxx@xxx.com. You are advised to ask the tenant for an account, or to apply for a valid email address and assign it to the tenant administrator.

Password: Initial password used by a tenant administrator to log in to the Agile Controller-Campus for the first time. The initial password must be changed upon the first login.

Confirm password: Confirmation of the password, which must be identical to Password.

Email: Email address used for password retrieval, message pushing, and other purposes. If this parameter is left empty, the account is used as the default email address. The email address must be valid.

Area: Country or area to which a tenant administrator belongs.

1.6.7 Configuring an Email Server


Context
If the Agile Controller-Campus needs to send emails to users, you need to configure an email server first.
The Agile Controller-Campus sends emails in the following scenarios:
- If the system administrator forgets the password, the Agile Controller-Campus sends a reset password to the administrator by email.
- After the system administrator configures alarm settings on the Agile Controller-Campus, the Agile Controller-Campus sends emails to notify users of reported alarms.
- After the system administrator inspects tenant devices, the inspection report is sent to the administrator's mailbox if required.
- The Agile Controller-Campus sends a notification email to a tenant when a tenant license is about to expire.


Procedure
Step 1 Choose Administration > Third Party Service > Email Server.

Step 2 Set parameters for connecting to the email server.

Step 3 Click Test to verify the email sending function.

- If the message "The test succeeds" is displayed and the mailbox receives the test email, the configuration is successful. Click Save.
- If the message "The test succeeds" is displayed but the mailbox does not receive the test email, check whether the SMTP server is delivering mail normally.
- If the message "Failed to connect to the email server" is displayed, check whether the above parameters are correctly configured.


NOTE

– Depending on network quality and the performance of the SMTP server, the test email may take up to two minutes to arrive.
– Some SMTP providers restrict access by third-party applications. If the test fails, check whether such a restriction is enabled on the SMTP server and, if so, set Password to the authentication password that the SMTP server issues for third-party applications.
– Security policies of email service providers may prevent administrators from receiving emails in some scenarios. If no email arrives, log in to the email service website or contact the provider to check whether the email was bounced or another exception occurred. Alternatively, switch to another email server and try again.

----End

Parameter Description

Table 1-12 Parameters on the Email Server tab page

SMTP address: Address of the SMTP server that sends the emails, either an IP address or a host name in the smtp.mail.com format. If you intend to validate the server certificate, prefer the host name: a certificate is normally issued for the server's host name, not for its IP address.
NOTE
SMTP is short for Simple Mail Transfer Protocol. SMTP is mainly used to transfer system emails and provide email notifications.

Port: Port number of the SMTP service provided by the email server. You can obtain the port number from the email service provider. The default is 25.

Enable encryption: Whether the connection to the SMTP server is encrypted.

Encryption connection type: Protocol for establishing an encrypted link between the Agile Controller-Campus and the SMTP server. This parameter is available only when Enable encryption is selected.

Validate server certificate: Whether the SMTP server's certificate is verified. To improve system security, select both Enable encryption and Validate server certificate. Encryption without certificate validation protects against passive eavesdropping only, because any host on the path can present its own certificate and read the SMTP credentials and the mail.
NOTE
Secure protocols TLSv1.1 and TLSv1.2 are recommended. TLSv1.0 and SSL are insecure protocols; exercise caution when using them. (TLSv1.1 has since been deprecated as well, by RFC 8996; prefer TLSv1.2 or later wherever the server supports it.)

Enable access: Whether to authenticate to the SMTP server with an email account and password.

Account, Password: User name and password for logging in to the SMTP server. Both parameters are valid only when Enable access is selected.

Sender Email: Sender email address, which must be registered on the email server. During the email test, this address is used as the recipient address. After the connectivity test succeeds and the configuration is saved, this address is used as the sender address.


1.6.8 (Optional) Uploading a VM Image through a Third-Party File Server
NOTE

VM life cycle management is supported only in the MSP mode.

A VNF/endpoint image is a VNF/endpoint software package. The VNF/endpoint function is available only after the image is deployed on the uCPE. VNF images must be purchased from the corresponding vendors; for vendor information, see Table 1 Vendor information. Endpoint images must be created by yourself. If you have any questions, contact technical support engineers.

Prerequisites
- You have obtained the VNF/endpoint image.
- A third-party file server (SFTP or HTTPS) has been set up.

Procedure
Step 1 Interconnect the Agile Controller-Campus with the third-party file server. For details, see
Configuring the File Server.

Step 2 Create a VM image in the file list. For details, see File Management in Procedure.

----End

Follow-up Procedure

Table 1-13 Image management

Editing an image: In the uploaded Image list, click the edit icon in the Operation column to update an image by modifying the values of the Name, Description, Minimum Resource, and VNF Initial Config parameters.

Deleting an image: In the uploaded Image list, click the delete icon in the Operation column to delete an image.

1.7 Configurations Performed by MSP Administrator


In the SD-WAN scenario, an MSP and an MSP administrator need to be created only when the MSP operating mode is used; the operations in this section are then performed by the MSP administrator. If the tenant operating mode is used, skip this section.

1.7.1 Logging In to the Agile Controller-Campus


Log in to the Agile Controller-Campus using an MSP administrator account.


Context
After the Agile Controller-Campus is installed, an administrator can use a web browser to log in to the Agile Controller-Campus WebUI and perform system management and maintenance operations. The following web browsers are supported:
- Internet Explorer 11
- Chrome 50 or Chrome 60
- Windows 10 (Microsoft Edge 20 or Microsoft Edge 40)

Prerequisites
The system administrator has created an MSP administrator account.

Procedure
Step 1 Open one of the supported web browsers.

Step 2 Enter https://<Agile Controller-Campus server IP address>:<port number> in the address box, and press Enter.
NOTE

- The IP address of the Agile Controller-Campus server is the Northbound management IP specified when you configured the Agile Controller-Campus.
- The port number is 18008.

Step 3 Proceed past the browser's certificate warning to reach the login page. The warning appears because the controller's default northbound certificate is not issued by a CA that the browser trusts. Once you bypass it, the browser can no longer tell the controller from an impostor on the path, so do this only on a trusted management network and, before entering credentials, compare the certificate fingerprint shown by the browser with a value obtained from the system administrator.
- Internet Explorer 11: Click Continue to this website (not recommended).
- Chrome 50/60: Choose Advanced > Proceed to... (unsafe).
- Edge 20/40: Click Continue to this webpage (not recommended).

NOTE

To remove the certificate warning permanently, apply for a certificate from an official CA. After the certificate is issued, the system administrator replaces the ER northbound certificate used by browsers. For details, see Updating ER Certificates.

Step 4 Enter the MSP administrator account and password, and click Login. Change the password upon the first login.
NOTE

If the MSP administrator forgets the password, the MSP administrator can click "Forgot password?" on the Agile Controller-Campus login page to reset the password by email.

----End
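Before accepting the certificate warning in Step 3, the fingerprint of the certificate the browser is being offered should be compared with one obtained out of band from the system administrator. The script below is an added example, not part of the Agile Controller-Campus or the guide; it fetches the leaf certificate from the northbound port 18008 named in the procedure and compares its SHA-256 fingerprint. The host name and expected fingerprint are placeholders, and the DER bytes used for a local check are constructed.

```python
"""Added example (not Agile Controller-Campus code): obtain the fingerprint of
the controller's northbound certificate and compare it with a value received
out of band, instead of clicking through the browser warning blindly.
Host name and expected fingerprint are placeholders supplied on the command line."""

import hashlib
import socket
import ssl
import sys


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, in the form browsers and openssl display."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprints_match(der: bytes, expected: str) -> bool:
    """Compare ignoring colons, spaces and case, so a value copied from a browser
    dialog or an openssl printout compares correctly."""
    def normalise(value: str) -> str:
        return value.replace(":", "").replace(" ", "").upper()
    return normalise(sha256_fingerprint(der)) == normalise(expected)


def fetch_leaf_certificate(host: str, port: int = 18008, timeout: float = 5.0) -> bytes:
    """Fetch the server's leaf certificate in DER form.

    Chain validation is switched off deliberately: the default northbound
    certificate is not CA-issued, so the only way to authenticate it is to
    compare its fingerprint with one obtained from the system administrator.
    Nothing sensitive is sent over this connection."""
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    context.check_hostname = False
    context.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    # Usage: python check_ac_cert.py <controller host> <expected SHA-256 fingerprint>
    host, expected = sys.argv[1], sys.argv[2]
    der = fetch_leaf_certificate(host)
    print("presented:", sha256_fingerprint(der))
    if fingerprints_match(der, expected):
        print("fingerprint matches; proceeding past the browser warning is safe for this host")
    else:
        print("MISMATCH: do not enter credentials; the connection may be intercepted")
        sys.exit(1)
```

The system administrator can read the expected value directly from the certificate file on the controller with `openssl x509 -in <certificate.pem> -noout -fingerprint -sha256` and pass it to MSP administrators over a channel that does not depend on the same network path.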

1.7.2 Initial Configuration


1.7.2.1 (Optional) Configuring an Email Server

Context
If the Agile Controller-Campus needs to send emails to users, you need to configure an email server first.
The Agile Controller-Campus sends emails in the following scenarios:
- If the system administrator forgets the password, the Agile Controller-Campus sends a reset password to the administrator by email.
- After the system administrator configures alarm settings on the Agile Controller-Campus, the Agile Controller-Campus sends emails to notify users of reported alarms.
- After the system administrator inspects tenant devices, the inspection report is sent to the administrator's mailbox if required.
- If the tenant administrator wants to use the email-based deployment function, the Agile Controller-Campus sends deployment emails to the personnel concerned.
The system administrator has already configured an email server for sending emails. If the MSP administrator wants to use a different email server, the MSP administrator configures one separately.

NOTE

If both the system administrator and the MSP administrator have configured an email server, the one configured by the MSP administrator is used preferentially. If no email server configured by the MSP administrator is found, the one configured by the system administrator is used.

Procedure
Step 1 Choose Administration > Administration > Email Server.

Step 2 Set parameters for connecting to the email server.


Step 3 Click Test to verify the email sending function.

- If the message "The test succeeds" is displayed and the mailbox receives the test email, the configuration is successful. Click Save.
- If the message "The test succeeds" is displayed but the mailbox does not receive the test email, check whether the SMTP server is delivering mail normally.
- If the message "Failed to connect to the email server" is displayed, check whether the above parameters are correctly configured.
NOTE

– Depending on network quality and the performance of the SMTP server, the test email may take up to two minutes to arrive.
– Some SMTP providers restrict access by third-party applications. If the test fails, check whether such a restriction is enabled on the SMTP server and, if so, set Password to the authentication password that the SMTP server issues for third-party applications.
– Security policies of email service providers may prevent administrators from receiving emails in some scenarios. If no email arrives, log in to the email service website or contact the provider to check whether the email was bounced or another exception occurred. Alternatively, switch to another email server and try again.

----End
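The script below is an added example, not Agile Controller-Campus code, and serves both the system administrator's email server setup in 1.6.7 and the MSP administrator's setup here. It performs the same check as the Test button and makes explicit what the Enable encryption, Encryption connection type, Validate server certificate and Enable access parameters mean on the wire. It assumes the connection-type options are STARTTLS (explicit TLS, typically port 25 or 587) and SMTPS (implicit TLS, typically port 465); the option names and all configuration values are placeholders.

```python
"""Added example (not Agile Controller-Campus code): a command-line equivalent
of the email server Test button. Assumptions: the connection-type options are
named STARTTLS and SMTPS; the server, account and password are placeholders."""

import smtplib
import ssl
from dataclasses import dataclass
from email.message import EmailMessage


@dataclass
class SmtpConfig:
    smtp_address: str                    # host name or IP address of the SMTP server
    port: int = 25
    enable_encryption: bool = False
    connection_type: str = "STARTTLS"    # "STARTTLS" or "SMTPS" (assumed option names)
    validate_server_certificate: bool = True
    enable_access: bool = False
    account: str = ""
    password: str = ""
    sender_email: str = ""


def build_tls_context(validate_server_certificate: bool) -> ssl.SSLContext:
    """TLS settings behind "Enable encryption" and "Validate server certificate"."""
    context = ssl.create_default_context()            # system CA store, CERT_REQUIRED, host name check
    context.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSL, TLSv1.0 and TLSv1.1
    if not validate_server_certificate:
        # The weak setting: the link is encrypted, but any host on the path can
        # present its own certificate and read the credentials and the mail.
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE
    return context


def build_test_message(cfg: SmtpConfig) -> EmailMessage:
    """During the test the Sender Email is both sender and recipient, as the table states."""
    msg = EmailMessage()
    msg["From"] = cfg.sender_email
    msg["To"] = cfg.sender_email
    msg["Subject"] = "Email server connectivity test"
    msg.set_content("Test email sent by the email server connectivity check.")
    return msg


def run_email_test(cfg: SmtpConfig, timeout: float = 10.0) -> str:
    """Connect, negotiate TLS as configured, authenticate if enabled, send the
    test message, and return one of the outcome strings used in the procedure."""
    message = build_test_message(cfg)
    try:
        if cfg.enable_encryption and cfg.connection_type == "SMTPS":
            client = smtplib.SMTP_SSL(cfg.smtp_address, cfg.port, timeout=timeout,
                                      context=build_tls_context(cfg.validate_server_certificate))
        else:
            client = smtplib.SMTP(cfg.smtp_address, cfg.port, timeout=timeout)
        with client:
            if cfg.enable_encryption and cfg.connection_type == "STARTTLS":
                client.starttls(context=build_tls_context(cfg.validate_server_certificate))
            if cfg.enable_access:
                # With encryption disabled, these credentials cross the network in clear.
                client.login(cfg.account, cfg.password)
            client.send_message(message)
        return "The test succeeds"
    except (smtplib.SMTPException, OSError) as exc:
        return f"Failed to connect to the email server: {exc}"


if __name__ == "__main__":
    # Placeholder values; the real password should come from a prompt or a secret store.
    config = SmtpConfig(smtp_address="smtp.example.com", port=587, enable_encryption=True,
                        connection_type="STARTTLS", validate_server_certificate=True,
                        enable_access=True, account="alerts@example.com",
                        password="<application password>", sender_email="alerts@example.com")
    print(run_email_test(config))
```

A "Failed to connect" result with a certificate verification error is the expected outcome when Validate server certificate is on and the SMTP address is an IP address or a name that the server's certificate does not cover; fix the address or the certificate rather than switching validation off.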


1.7.2.2 Creating a Tenant and Tenant Administrators

Context
A tenant administrator is responsible for configuring and maintaining services on a tenant
network.

Procedure
Step 1 Access the tenant management menu.
Choose Tenant Management > Tenant Management > Tenant Management.
Step 2 Click Create to configure tenant information. The tenant name must be different from existing accounts. Set Authorize MSP as required.

Step 3 Click Next to configure tenant administrator information.


Step 4 Click OK.

----End

Follow-up Procedure
Deleting a tenant removes all data about that tenant, including the tenant name, tenant administrator accounts, sites, and tenant devices, from the Agile Controller-Campus. As described in 1.6.6 Creating Tenants and Tenant Administrators, configuration already delivered to the devices is not removed; to clear it, restore the devices to their factory settings.

Parameter Description

Table 1-14 Tenant and tenant administrator parameters

Tenant Information

Tenant name: Tenant name. The tenant's company name is recommended. The tenant name contains a maximum of 64 characters. It cannot be default or all digits, and it cannot contain slashes (/).

Number of administrator accounts: Maximum number of administrator accounts of the tenant.

Postal code: Postal code of a tenant administrator, provided so that the system administrator can contact the tenant easily.

Address: Postal address of a tenant administrator, provided so that the system administrator can contact the tenant easily.

Administrator Information

Account: Account used by a tenant administrator to log in to the Agile Controller-Campus. The account must be in the format of an email address, for example, xxx@xxx.com. You are advised to ask the tenant for an account, or to apply for a valid email address and assign it to the tenant administrator.

Password: Initial password used by a tenant administrator to log in to the Agile Controller-Campus for the first time. The initial password must be changed upon the first login.

Confirm password: Confirmation of the password, which must be identical to Password.

Email: Email address used for password retrieval, message pushing, and other purposes. If this parameter is left empty, the account is used as the default email address. The email address must be valid.

Area: Country or area to which a tenant administrator belongs.

Table 1-15 Tenant and tenant administrator

Tenant Information

Tenant name: Tenant name. The tenant's company name is recommended. The tenant name contains a maximum of 64 characters. It cannot be default or all digits, and it cannot contain slashes (/).

Number of administrator accounts: Maximum number of administrator accounts of the tenant.

Address: Postal address of a tenant administrator, provided so that the system administrator can contact the tenant easily.

Service mailbox: Email address of a tenant administrator, used to contact the tenant administrator. The email address must be correct.

Service phone number: Phone number of a tenant administrator, used to contact the tenant administrator. The phone number must be correct.

CLI whitelist: Whether the CLI whitelist is enabled. If it is disabled, configurations made in the CLI may conflict with those delivered from the GUI and cause functional faults; disable it only after being authorized by the customer.

Administrator Information

Account: Account used by a tenant administrator to log in to the Agile Controller-Campus. The account must be in the format of an email address, for example, xxx@xxx.com. You are advised to ask the tenant for an account, or to apply for a valid email address and assign it to the tenant administrator.

Password: Initial password used by a tenant administrator to log in to the Agile Controller-Campus for the first time. The initial password must be changed upon the first login.

Confirm password: Confirmation of the password, which must be identical to Password.

Email: Email address used for password retrieval, message pushing, and other purposes. If this parameter is left empty, the account is used as the default email address. The email address must be valid.

Area: Country or area to which a tenant administrator belongs.

1.7.3 Obtaining and Uploading a VM Image

A VNF/endpoint image is a VNF/endpoint software package. The VNF/endpoint function is available only after the image is deployed on the uCPE. VNF images must be purchased from the corresponding vendors; for vendor information, see Table 1 Vendor information. Endpoint images must be created by yourself. If you have any questions, contact technical support engineers.

Prerequisites
You have obtained the VNF/endpoint image.

Procedure
Step 1 Access the VNF image menu.

Choose VM Lifecycle > VM Lifecycle > Image from the main menu of the Agile Controller-
Campus.

Step 2 Download the upload tool.

Click Get Upload Tool to download the upload tool to the local device.

You need to store VnfUploadTool.rar in a path that contains no Chinese characters; otherwise, the tool fails to work.

Step 3 Start the upload tool.


1. Decompress VnfUploadTool.rar.
2. Double-click VnfUploadTool.exe to start the upload tool.
Step 4 Log in to the upload tool.
1. On the login page, enter the MSP user name and password. Set AC IP address to the IP address:port or domain name of the Agile Controller-Campus web interface.
2. Click Log In to log in to the upload tool.
Step 5 Upload the image to the Agile Controller-Campus.


1. Click VM on the main menu of the upload tool.


2. Enter the name of the image in Name.
3. Click Browse on the right of File path, and select an image path.
4. Select an image type from the Type drop-down list.
– To upload a VNF image, select VNF.
– To upload an endpoint image, select ENDPOINT.
5. Select the VNF/endpoint function to be created from the Function drop-down list.
6. Select the vendor and version of the image from the Vendor/Version drop-down list.
7. Enter the image description in Description.
8. Click Upload to upload the image.
9. Click Task List to check the upload progress. When Upload Progress reaches 100%, the image has been uploaded successfully.

Step 6 Check the VNF image upload result.


1. Choose VM Lifecycle > VM Lifecycle > Image from the main menu of the Agile
Controller-Campus. The VNF image page is displayed.
2. On the Image page, check the vendor, category, function, and version information about
the VNF image.

----End


Follow-up Procedure

Table 1-16 Image management

Editing an image: In the uploaded Image list, click the edit icon in the Operation column to update an image by modifying the values of the Name, Description, Minimum Resource, and VNF Initial Config parameters.

Deleting an image: In the uploaded Image list, click the delete icon in the Operation column to delete an image.

Parameter Description

Table 1-17 Upload tool

Log In

User name: MSP administrator name.

Password: MSP administrator password.

AC IP address: IP address or domain name of the Agile Controller-Campus web page.

VNF

Name: Name of the image.

File path: Path of the VNF/endpoint image. The image must be in QCOW2 format, and the file size cannot exceed 8 GB.

Type: Type of the image to be uploaded. The value can be VNF or Endpoint.

Function: Function to be created for the image. For a VNF image, the function is FW or WOC; for an endpoint image, the function is GENERIC.

Vendor/Version: Vendor and version of the image.

Description: Description of the image file.
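A VNF image is third-party software that will run on every uCPE it is deployed to, so it is worth checking before it is handed to the upload tool here or placed on the third-party file server of 1.6.8. The script below is an added example, not part of the upload tool or the Agile Controller-Campus: it enforces the QCOW2 format and 8 GB limit from Table 1-17, rejects images that depend on an external backing file, and compares the SHA-256 with the value the vendor published. It reads the public QCOW2 header layout (magic "QFI" followed by byte 0xFB, big-endian fields); the file names, the header stub used as input and the expected hash are constructed placeholders.

```python
"""Added example (not Agile Controller-Campus or upload-tool code): pre-upload
checks for a vendor-supplied VNF or endpoint image. The header stub built by
make_minimal_qcow2_header is a constructed fixture, not a bootable image."""

import hashlib
import struct
from pathlib import Path

QCOW2_MAGIC = b"QFI\xfb"
MAX_IMAGE_BYTES = 8 * 1024 ** 3          # 8 GB limit from the upload tool table
# Leading header fields in order: magic, version, backing_file_offset,
# backing_file_size, cluster_bits, virtual size, crypt_method. All big-endian.
_HEADER = struct.Struct(">4sIQIIQI")


def make_minimal_qcow2_header(version: int = 3, virtual_size: int = 10 * 1024 ** 3,
                              backing_file: bytes = b"") -> bytes:
    """Constructed test fixture: header-only QCOW2 stub with optional backing-file name."""
    backing_offset = _HEADER.size + 36 if backing_file else 0   # right after the 72-byte v2 header
    header = _HEADER.pack(QCOW2_MAGIC, version, backing_offset, len(backing_file),
                          16, virtual_size, 0)
    return header + b"\0" * 36 + backing_file


def inspect_qcow2(path) -> dict:
    """Parse the header and hash the whole file in one pass over the bytes."""
    file_path = Path(path)
    digest = hashlib.sha256()
    with file_path.open("rb") as handle:
        head = handle.read(_HEADER.size)
        handle.seek(0)
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    file_size = file_path.stat().st_size
    if len(head) < _HEADER.size:
        return {"is_qcow2": False, "file_size": file_size, "sha256": digest.hexdigest()}
    magic, version, backing_offset, backing_size, cluster_bits, virtual_size, crypt = _HEADER.unpack(head)
    return {
        "is_qcow2": magic == QCOW2_MAGIC,
        "version": version,
        "has_backing_file": backing_offset != 0 and backing_size != 0,
        "cluster_bits": cluster_bits,
        "virtual_size": virtual_size,
        "encrypted": crypt != 0,
        "file_size": file_size,
        "sha256": digest.hexdigest(),
    }


def validate_image(path, expected_sha256: str = "") -> list:
    """Return the reasons an image should not be uploaded; an empty list means it passed."""
    info = inspect_qcow2(path)
    problems = []
    if info["file_size"] > MAX_IMAGE_BYTES:
        problems.append("file is larger than the 8 GB upload limit")
    if not info["is_qcow2"]:
        problems.append("not a QCOW2 image (bad magic)")
        return problems
    if info["version"] not in (2, 3):
        problems.append(f"unsupported QCOW2 version {info['version']}")
    if info["has_backing_file"]:
        # A backing file is a path resolved on the host at run time: the image is not
        # self-contained and its content is not what was hashed and reviewed.
        problems.append("image references an external backing file; a self-contained image is expected")
    if expected_sha256 and info["sha256"].lower() != expected_sha256.lower():
        problems.append("SHA-256 does not match the vendor-published value")
    return problems


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp, "vendor-fw.qcow2")
        good.write_bytes(make_minimal_qcow2_header())
        print(good.name, validate_image(good, inspect_qcow2(good)["sha256"]) or "OK")
        chained = Path(tmp, "chained.qcow2")
        chained.write_bytes(make_minimal_qcow2_header(backing_file=b"/var/lib/base.qcow2"))
        print(chained.name, validate_image(chained))
```

Run it against the real image with the vendor's published hash as the second argument to validate_image; the hash check is what ties the file on disk to the package you purchased, and the backing-file check catches images that silently pull content from elsewhere on the uCPE.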

1.7.4 Configuring Tenant Services (MSP-Managed O&M)


1.7.4.1 Authorizing an MSP to Maintain Tenant Services


After a tenant applies for managed services from an MSP, the MSP can maintain that tenant's services directly. If you do not want an MSP to maintain tenant services, or an MSP has already been authorized to do so, skip this section.

Prerequisites
You have logged in to the Agile Controller-Campus with the tenant administrator account that is to authorize maintenance operations to the MSP.

Procedure
Step 1 Access the authorization information page.
Choose Administration > Administration > Tenant Information from the main menu.
Step 2 Enable authorization on the authorization information page and set the authorization scope. Grant only the scope the MSP needs for the maintenance it is contracted to perform.

----End

1.7.4.2 (Optional) Accessing the View for Managing Services for a Tenant
An MSP provides tenants with cloud managed devices and cloud network services. After a
tenant applies to the MSP for the managed services, the MSP can maintain the tenant's
network on the Agile Controller-Campus. If a tenant does not need the managed services from
the MSP, skip this step.

Prerequisites
The tenant administrator has authorized the MSP to manage the services. For details, see
1.7.4.1 Authorizing an MSP to Maintain Tenant Services.

Procedure
Step 1 Log in to the Agile Controller-Campus home page as the MSP administrator.


Step 2 Under Tenants List, click the tenant name. The view for managing services for the tenant is
displayed.

----End

1.7.4.3 Network Deployment


Network deployment operations are the same as those performed by a tenant administrator.
For example, see 1.8.3 Network Deployment.

NOTE

When configuring a site template, if Reuse LAN-side L2 interface is enabled, you need to specify the reserved VLAN ID range. In the uCPE and external vRouter scenario, the reserved VLAN configuration does not take effect and has no impact on services. The web UI will be optimized in later versions.

1.7.4.4 uCPE Deployment


Before deploying the uCPE service, ensure that the following requirements are met:
1. Hard disks have been properly installed in the ARs that provide the uCPE service, and the ARs are working properly. For details, see the Hardware Installation and Maintenance Guide of the ARs.
2. The hard disks in the ARs that provide the uCPE service are fully inserted.
Other site deployment operations are the same as those performed by a tenant administrator. For example, see 1.8.4 Site Deployment.

1.7.4.5 Network Control and Optimization


Policy deployment operations are the same as those performed by a tenant administrator. For
example, see 1.8.5 Network Control and Optimization.

1.7.4.6 VM Lifecycle Management

1.7.4.6.1 (Optional) Configuring a Resource Pool


Before deploying VMs, you need to configure a resource pool. The resource pool includes the
VLAN segment and management network address pool. If related parameters are not set, the
default settings on the Agile Controller-Campus are used.


The default resource pool settings are as follows:

Management IP address pool: 10.2.0.0/16

Reserved VLANs: 3900 - 3999

Procedure
Step 1 Choose VM Lifecycle > Deployment > Settings from the main menu. Click the Resource
Pool tab.

Step 2 Set Management Network Address Pool to an IP address segment.

Step 3 Set Reserved VLAN to the range of reserved VLANs.

Step 4 Click Apply Changes.

----End

Parameter Description

Table 1-18 Resource pool

Management Network Address Pool: IP address segment required for VNF deployment.

Reserved VLAN: Reserved VLAN range required for VNF deployment. This VLAN range cannot overlap the VLAN ranges used by other services.
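The table states the constraint but the controller leaves it to the operator to confirm that the pool does not collide with what the site already uses. The following check is an added example, not Agile Controller-Campus code: it takes a proposed management address pool and reserved VLAN range (the defaults above are used as sample input) and reports overlaps with a constructed inventory of existing LAN subnets and VLAN allocations.

```python
"""Added example (not Agile Controller-Campus code): overlap check for a
proposed VM resource pool against address and VLAN ranges already in use.
The inventory of existing allocations is constructed for the example."""

import ipaddress

DEFAULT_MGMT_POOL = "10.2.0.0/16"        # defaults listed in 1.7.4.6.1
DEFAULT_RESERVED_VLANS = "3900-3999"


def parse_vlan_range(text: str) -> tuple:
    """Accept "3900-3999" or a single ID such as "150"; return (low, high)."""
    low, _, high = text.partition("-")
    low_id, high_id = int(low), int(high or low)
    if not 1 <= low_id <= high_id <= 4094:
        raise ValueError(f"invalid VLAN range: {text}")
    return low_id, high_id


def vlan_ranges_overlap(a: tuple, b: tuple) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


def check_resource_pool(mgmt_pool: str, reserved_vlans: str,
                        subnets_in_use: dict, vlans_in_use: dict) -> list:
    """Return human-readable conflicts; an empty list means the pool can be applied.

    subnets_in_use maps a label to a CIDR string and vlans_in_use maps a label
    to a VLAN ID or range string, as an operator reads them off the site configuration."""
    pool = ipaddress.ip_network(mgmt_pool, strict=False)
    reserved = parse_vlan_range(reserved_vlans)
    conflicts = []
    for label, cidr in subnets_in_use.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if pool.overlaps(net):
            conflicts.append(f"management pool {pool} overlaps {label} ({net})")
    for label, vlan_text in vlans_in_use.items():
        used = parse_vlan_range(vlan_text)
        if vlan_ranges_overlap(reserved, used):
            conflicts.append(f"reserved VLANs {reserved[0]}-{reserved[1]} overlap {label} ({vlan_text})")
    return conflicts


if __name__ == "__main__":
    # Constructed site inventory: two LAN segments and two VLAN allocations.
    subnets = {"site-A LAN": "10.2.10.0/24", "site-B LAN": "192.168.5.0/24"}
    vlans = {"site template reserved range": "3800-3899", "endpoint network VLAN": "3950"}
    for line in check_resource_pool(DEFAULT_MGMT_POOL, DEFAULT_RESERVED_VLANS, subnets, vlans) or ["no conflicts"]:
        print(line)
```

In the constructed inventory the default pool collides with a site LAN carved from 10.2.0.0/16 and with an endpoint network VLAN that falls inside 3900-3999; either the pool or the existing allocation has to move before the settings are applied.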

1.7.4.6.2 (Optional) Configuring the VM Access Mode


Before deploying a VM, you need to configure the VM access mode, including underlay and
overlay. If a VM has been deployed, the access mode cannot be changed. If the access mode
is not specified, the underlay mode is used by default.

Procedure
Step 1 Choose VM Lifecycle > Deployment > Settings from the main menu. Click the Virtual
Machine Management tab.


Step 2 Set Access Mode.

Step 3 Click Apply Changes.

----End

Parameter Description

Table 1-19 VM access mode

Access Mode: VM access mode, Underlay or Overlay, which must be configured before a VM is deployed. If the access mode is not specified, the underlay mode is used by default. If Access Mode is set to Underlay, you can manage the floating IP address.

1.7.4.6.3 (Optional) Configuring the Fault Diagnosis Function


To diagnose parameters globally, you need to configure the fault diagnosis function before
deploying VMs.

Procedure
Step 1 Choose VM Lifecycle > Deployment > Settings from the main menu. Click the Fault
Diagnosis tab.
Step 2 Select Automatic NQA.

Step 3 Set the NQA interval in the NQA interval (s) text box.

Step 4 Select whether to perform NQA Linkage as required.

Step 5 Click Apply Changes.

----End

1.7.4.6.4 Creating an Endpoint Network


Before deploying an endpoint, create an endpoint network first.

Prerequisites
1. A site has been created and activated. For details, see 1.8.3.4 Creating a Site.
2. The WAN-side links of the site have been configured. For details, see 1.8.3.6
Configuring the Network Access Mode for a Site.


Procedure
Step 1 Choose Configuration > Overlay Network > Site Configuration from the main menu.

Step 2 Click the VLAN tab.

Step 3 Click Create to create a VLAN.

1. Select an AR and enter a VLAN ID.


2. Click Create next to Physical interfaces to set a physical interface that is not occupied.
3. Set IP address.
4. Enable DHCP under Advanced Settings.
5. In the Static area, click Create to bind IP addresses to MAC addresses; multiple bindings can be added.
6. Click OK.

----End

1.7.4.6.5 Creating a Profile


Profiles are used to define the mapping between VM images and resources.

Prerequisites
1. The MSP administrator has uploaded the VM image to the Agile Controller-Campus, or the system administrator has uploaded the image to the third-party file server. For details, see 1.7.3 Obtaining and Uploading a VM Image or 1.6.8 (Optional) Uploading a VM Image through Third-Party File Server.
2. The MSP administrator has accessed the tenant managed service view. For details, see 1.7.4.2 (Optional) Accessing the View for Managing Services for a Tenant.

Procedure
Step 1 Access the profile page.

Choose VM Lifecycle > VM Lifecycle > Profile from the main menu.

Step 2 Create a profile.

1. Click Create.
2. Enter a profile name in Name.
3. Select a type from the Type drop-down list, and an image from the Image drop-down list.
4. Set vCPU, Memory, System Disk, and Data Disk. A recommended profile is preset for each type of VNF/endpoint to specify the minimum resource specifications.
5. Under Install Disk, choose External Disk or Built-in Disk to specify whether the VM is installed on an external or the built-in hard disk. If no disk is specified, the VM is installed on the external hard disk by default.
6. Click the confirm icon to save the profile.

----End

Parameter Description

Table 1-20 Profile

Name: Profile name. The value is a string of 1 to 128 characters including only letters, digits, underscores (_), minus signs (-), and dots (.).

Type: Type of the profile to be created. Currently, only VNF and endpoint are supported.

Image: Image of the VM. You must select an image that has been uploaded to the Agile Controller-Campus. The Agile Controller-Campus displays only the images matching the selected profile type.

vCPU: Number of vCPUs of the VM.

Memory: Memory size of the VM.

System Disk: System disk size of the VM.

Data Disk: Data disk size of the VNF. You need to set this parameter only when the profile type is VNF.

Install Disk: Installation disk of the VM, External Disk or Built-in Disk. If no hard disk is specified, the VM is installed on the external hard disk by default.

1.7.4.6.6 (Optional) Creating a VNF Template


If the VNF function needs to be deployed on multiple devices in batches, you need to create a
VNF template and a service chain. If you need to deploy the VNF/endpoint function on a
single device, skip this section. A VNF template defines the VNF function and profile details.

Prerequisites
The VNF profile has been created. For details, see 1.7.4.6.5 Creating a Profile.

Procedure
Step 1 Access the deployment page.

Choose VM Lifecycle > Deployment > Template from the main menu.

Step 2 Create a VNF template.


1. Click Create to create a VNF template.
2. Enter a template name in Name.
3. Select a router model from the Model drop-down list.

4. Drag the icon of the required VNF function (for example, firewall or WOC) to the middle
of the page. Select the created profile from the Profile drop-down list.
5. Click Confirm.
6. In the template list, click the name of the created VNF template to view or edit the
template.

Step 3 Create a service chain. The first created service chain has the lowest priority: when
the matching rules of several chains overlap, a chain created later takes precedence.

NOTE

There is a default service chain named LAN-Router. Service chains can only be created or deleted but
cannot be modified.

1. In the Service Chain area, click Create to create a service chain.

2. Enter the name of the service chain to be created in Name.


3. Select the VNF function from the Path drop-down list, and click the add icon to add it to
the path that the matched traffic follows.
4. (Optional) Set VLAN to a VLAN range.
5. (Optional) Set related parameters in the Advanced area. These rules select the traffic
that enters the service chain.
a. Set Source IP to the source address of the traffic to be matched.
b. Set Destination IP to the destination address of the traffic to be matched.
c. Select the protocol of the traffic to be matched from the Protocol drop-down list.
d. Set Source port to a source port number range.
e. Set Destination port to a destination port number range.
6. Click OK.
7. Click Save.
8. In the template list, click a template name to view or edit the created service chain.

----End

Parameter Description

Table 1-21 VNF template (parameter: description)

Name: VNF template name. The value is a string of 1 to 128 characters including letters,
digits, underscores (_), minus signs (-), and dots (.).

Model: Router model.

VNF: VNF function.

Profile: VNF profile.

Operation: Click the edit, copy, or delete icon to edit, copy, or delete a created template.

Service Chain > Name: Name of a service chain.

Service Chain > VLAN: VLAN range. VLAN IDs are the matching basis of a service chain.

Service Chain > Source: Source address of the service chain data traffic. Currently, the
following types can be selected:
l Any: indicates any source address.
l Customized: indicates a customized source address.

Service Chain > Destination: Destination address of the service chain data traffic.
Currently, the following types can be selected:
l Any: indicates any destination address.
l Customized: indicates a customized destination address.

Service Chain > Protocol: Protocol that specifies the type of packets matching service chain
rules.

Service Chain > SrcPort: Source port of the packets matching service chain rules. Currently,
the following types can be selected:
l Any: indicates any source port.
l Customized: indicates a customized source port number range.

Service Chain > DstPort: Destination port of the packets matching service chain rules.
Currently, the following types can be selected:
l Any: indicates any destination port.
l Customized: indicates a customized destination port number range.

Service Chain > Path: Path of the matched service chain traffic. VNFs are added to the path
to specify the direction in which the traffic traverses them.

Service Chain > Operation: Deletion operation. The created service chain can be deleted.

1.7.4.6.7 Deploying the VNF

Context
The VNF image needs to be deployed on the uCPE to make the VNF take effect. The
following two VNF deployment modes are supported:

l VNF deployment on a single device: This deployment mode can be used if the VNF
needs to be deployed on only one device.
l Template-based VNF deployment on multiple devices: This deployment mode can be
used if the VNF needs to be deployed on multiple devices.

Prerequisites
1. Devices have been successfully deployed. For details, see 1.7.4.4 uCPE Deployment
and 1.7.4.3 Network Deployment.
2. The resource pool has been configured. For details, see 1.7.4.6.1 (Optional)
Configuring a Resource Pool.
3. The VNF profile has been created. For details, see 1.7.4.6.5 Creating a Profile.
4. To deploy the VNF on multiple devices using a template, you must have created a VNF
template and a service chain. For details, see 1.7.4.6.6 (Optional) Creating a VNF
Template.

Procedure (VNF Deployment on a Single Device)


Step 1 Access the deployment page.

Choose VM Lifecycle > Deployment > Device from the main menu.
Step 2 Select a device on which the VNF needs to be deployed.
Click a device name. The details page of the device is displayed.
Step 3 Deploy the VNF.
1. In the Virtual Machines area, click Deploy VNF.
2. Click Deploy L2 VNF to deploy vWOCs, vFWs, and vRouters and add them to a service chain;
click Deploy L3 VNF to deploy vFWs in a centralized manner.
3. On the Select VNF Profile page, select the VNF image to be deployed and click OK.

Step 4 View the deployment status.


l If Running is displayed in the Status column in the Virtual Machines area, the
deployment is successful.
l If Abnormal is displayed in the Status column in the Virtual Machines area, the
deployment fails.
NOTE

The VNF deployment status is determined by the value displayed in the Status column in the Virtual
Machines area. In some situations, for example, after the VNF deployment task is delivered and then
the device is restarted, Running is displayed in the Status column in the Virtual Machines area on the
device details page but Failed is displayed in the Status column on the Task tab page. In this situation,
the system is running normally.

Step 5 (Optional) Redeploy the VNF.


If deployment fails, select Redeploy from the Operation drop-down list box.
----End

Procedure (Template-based VNF Deployment on Multiple Devices)


Step 1 Access the deployment page.
Choose VM Lifecycle > Deployment > Device from the main menu.
Step 2 Deploy the VNF on devices in batches.

1. In the navigation tree on the left, click the site for which the VNF needs to be deployed.
2. On the right of the page, select the devices to be associated with the VNF template.
NOTE

The VNF can be deployed on a single device or multiple devices. To deploy the VNF on multiple
devices, you can select multiple devices.
3. Click Deploy Template.

4. Select the created VNF template on the Deploy Template page. You can click the view icon
to view the topology and service chain information about the created VNF template.
5. Click OK.

----End

Follow-up Procedure

Table 1-22 Follow-up procedure of VNF deployment on devices (function: procedure)

Previewing the changes after VNF deployment: On the Deploy Template page, click the preview
icon to view the changes after VNF deployment.

Checking the device resource status: Click a device name to access the device page. In the
Resource Status area, check the usage of resources, such as storage, CPU, and memory.

Viewing the VNF topology: Click a device name to access the device page. In the Topology
area, view the topology of the deployed VNF template.

Checking VM deployment parameters: In the Virtual Machines area, check the parameters related
to the deployed VM, including Name, IP, CPU, CPU Usage, Memory, Memory Usage, Status, and
Task.

Operating the deployed VM:
l In the Operation column in the Virtual Machines area, start, stop, restart, or delete the
deployed VM, or manage its floating IP address. The floating IP address can be changed only
when Access Mode is set to Underlay.
l For a VM that is successfully deployed, click VNC in the Operation column to open the
console of the VM.

Ping diagnosis: After the VM deployment is complete, click the device name to access the
device page of each device. Click the Diagnosis tab to manually perform the ping diagnosis.

Image Management: Click a device name to go to the device page. Then, click the Manage Image
tab, select the image name, and click Delete Images.

Parameter Description

Table 1-23 VNF deployment (parameter: description)

Name: VNF profile name.

Function: VNF function, including WOC and firewall.

Image: VNF image.

Table 1-24 VNF template deployment (parameter: description)

Name: VNF template name.

VNF: VNF function selected. The VNF function depends on the VNF image.

Model: Router model.

Operate: Operation to preview the changes after VNF deployment.

1.7.4.6.8 Deploying the Endpoint


The endpoint image needs to be deployed on a single uCPE to enable the endpoint. This
section describes how to deploy the endpoint image on a single uCPE.

Prerequisites
1. Devices have been successfully deployed. For details, see 1.7.4.4 uCPE Deployment
and 1.7.4.3 Network Deployment.
2. The resource pool has been configured. For details, see 1.7.4.6.1 (Optional)
Configuring a Resource Pool.
3. The endpoint profile has been created. For details, see 1.7.4.6.5 Creating a Profile.

Procedure
Step 1 Access the deployment page.

Choose VM Lifecycle > Deployment > Device from the main menu.

Step 2 Select a device on which the endpoint needs to be deployed.

Click a device name. The details page of the device is displayed.

Step 3 Deploy the endpoint.


1. Click Deploy Endpoint in the Virtual Machines area.

2. On the Deploy Endpoint page, select the created profile from the Profile drop-down
list.
3. Select the created endpoint network from the Network drop-down list.
4. Select an entry from the IP-MAC drop-down list and click OK.

Step 4 View the deployment status.


l If Running is displayed in the Status column in the Virtual Machines area, the
deployment is successful.
l If Abnormal is displayed in the Status column in the Virtual Machines area, the
deployment fails.
NOTE

The endpoint deployment status is determined by the value displayed in the Status column in the
Virtual Machines area. In some situations, for example, after the endpoint deployment task is delivered
and then the device is restarted, Running is displayed in the Status column in the Virtual Machines
area on the device details page but Failed is displayed in the Status column on the Task tab page. In this
situation, the system is running normally.

Step 5 (Optional) Redeploy the endpoint.


If deployment fails, select Redeploy from the Operation drop-down list box.

----End

Follow-up Procedure

Table 1-25 Follow-up procedure of endpoint deployment on a single device (function:
procedure)

Checking the device resource status: In the Resource Status area, check the usage of
resources, such as storage, CPU, and memory.

Checking VM deployment parameters: In the Virtual Machines area, check the parameters related
to the deployed VM, including Name, IP, CPU, CPU Usage, Memory, Memory Usage, Status, and
Task.

Operating the deployed VM:
l In the Operation column in the Virtual Machines area, start, stop, restart, or delete the
deployed VM.
l For a VM that is successfully deployed, click VNC in the Operation column to open the
console of the VM.

Parameter Description

Table 1-26 Endpoint deployment (parameter: description)

Profile: Created profile of the endpoint type.

Network: Created endpoint network.

1.7.4.6.9 Deploying a Service Chain


The VNF service chain needs to be deployed on uCPEs so that the deployed VNFs are connected
in series and packets are forwarded along the path specified by the service chain. This
deployment applies only to the scenario where a service chain is deployed on a single device.

Prerequisites
1. Devices have been successfully deployed. For details, see 1.7.4.4 uCPE Deployment
and 1.7.4.3 Network Deployment.
2. The resource pool has been configured. For details, see 1.7.4.6.1 (Optional)
Configuring a Resource Pool.
3. VNFs have been successfully deployed on the device. For details, see 1.7.4.6.7 Deploying
the VNF.

Procedure
Step 1 Access the deployment page.
Choose VM Lifecycle > Deployment > Device from the main menu.

Step 2 Select a device on which the service chain needs to be deployed.


Click a device name. The details page of the device is displayed.
Step 3 Deploy the VNF service chain.
1. Click Deploy in the Service Chain area. The service chain deployment page is
displayed.
2. Enter the service chain name in Name.
3. Select the VNF function from the Path drop-down list, and click the add icon to add it to
the path that the matched traffic follows.
4. Set VLAN and Advanced. For details, see Step 3 in 1.7.4.6.6 (Optional) Creating a VNF
Template.
5. Click OK.
Step 4 View the service chain deployment status.
l If Deployed is displayed in the Status column in the Service Chain area, the
deployment is successful.
l If Abnormal is displayed in the Status column in the Service Chain area, the
deployment fails.
Step 5 (Optional) Redeploy the service chain.
If deployment fails, click Redeploy in the Service Chain area to redeploy the service chain.

----End
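Service-chain rule matching as configured in Step 3 of 1.7.4.6.6 (Optional) Creating a VNF Template and in Step 3 of this section, worked through in code so that the effect of the VLAN, address, protocol and port rules, of the "Any" setting, and of chain priority is visible before a chain is deployed. This is an added example written for this guide, not code from the guide, the Agile Controller-Campus or the uCPE software. The ServiceChain class, the CIDR form used for customized addresses, the sample chains and the constructed packets are assumptions, and check_chain applies generic limits (VLAN IDs 1-4094, ports 0-65535, port rules only for TCP/UDP) that the guide does not state.

```python
"""Service chain matching on a uCPE, as an added illustration (not code from the
guide or from the Agile Controller-Campus).

Assumptions not stated in the guide: rules and packets are plain Python
objects, "Any" is represented as None, customized addresses are CIDR prefixes,
and overlapping chains are resolved by creation order (the guide says the first
created chain has the lowest priority).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

Range = Optional[Tuple[int, int]]        # inclusive (low, high); None means Any


@dataclass
class ServiceChain:
    name: str
    path: List[str]                      # ordered VNF functions, e.g. ["vFW", "vWOC"]
    vlans: Range = None                  # VLAN range, the matching basis of a chain
    src: Optional[str] = None            # source prefix in CIDR form, None = Any
    dst: Optional[str] = None            # destination prefix, None = Any
    proto: Optional[str] = None          # "tcp", "udp", ...; None = Any
    sport: Range = None                  # source port range
    dport: Range = None                  # destination port range

    def matches(self, pkt: dict) -> bool:
        """True if every configured rule matches the packet; unset rules match all."""
        if self.vlans and not self.vlans[0] <= pkt["vlan"] <= self.vlans[1]:
            return False
        if self.src and ip_address(pkt["src"]) not in ip_network(self.src, strict=False):
            return False
        if self.dst and ip_address(pkt["dst"]) not in ip_network(self.dst, strict=False):
            return False
        if self.proto and pkt["proto"] != self.proto:
            return False
        if self.sport and not self.sport[0] <= pkt.get("sport", -1) <= self.sport[1]:
            return False
        if self.dport and not self.dport[0] <= pkt.get("dport", -1) <= self.dport[1]:
            return False
        return True


# Built-in chain named in the guide; it carries no VNF and is the fallback.
LAN_ROUTER = ServiceChain("LAN-Router", path=[])


def select_chain(chains_in_creation_order: List[ServiceChain], pkt: dict) -> ServiceChain:
    """Pick the chain whose path the packet traverses.

    The first created chain has the lowest priority, so chains are evaluated
    newest first; packets matching no user chain go straight to the router.
    """
    for chain in reversed(chains_in_creation_order):
        if chain.matches(pkt):
            return chain
    return LAN_ROUTER


def check_chain(chain: ServiceChain) -> List[str]:
    """Sanity checks worth running before deploying a chain (assumed limits:
    VLAN IDs 1-4094, ports 0-65535; port rules only make sense for TCP/UDP)."""
    problems = []
    if not chain.path:
        problems.append("path contains no VNF")
    if chain.vlans and not 1 <= chain.vlans[0] <= chain.vlans[1] <= 4094:
        problems.append("VLAN range must lie within 1-4094")
    for label, rng in (("source", chain.sport), ("destination", chain.dport)):
        if rng is None:
            continue
        if not 0 <= rng[0] <= rng[1] <= 65535:
            problems.append(f"{label} port range must lie within 0-65535")
        if chain.proto not in ("tcp", "udp"):
            problems.append(f"{label} port rule needs protocol tcp or udp")
    return problems


# Constructed example chains, oldest first.
CHAINS = [
    ServiceChain("Branch-FW", path=["vFW"], vlans=(100, 199)),
    ServiceChain("Web-Optimize", path=["vFW", "vWOC"], vlans=(100, 199),
                 src="10.1.0.0/16", proto="tcp", dport=(443, 443)),
]

# Constructed sample packets (not captures).
PKT_HTTPS = {"vlan": 110, "src": "10.1.1.10", "dst": "203.0.113.5",
             "proto": "tcp", "sport": 51000, "dport": 443}
PKT_DNS = {"vlan": 110, "src": "10.1.1.10", "dst": "203.0.113.53",
           "proto": "udp", "sport": 40000, "dport": 53}
PKT_MGMT = {"vlan": 10, "src": "10.9.0.2", "dst": "10.9.0.1", "proto": "icmp"}


if __name__ == "__main__":
    for name, pkt in (("https", PKT_HTTPS), ("dns", PKT_DNS), ("mgmt", PKT_MGMT)):
        chain = select_chain(CHAINS, pkt)
        print(f"{name}: chain {chain.name}, path {' -> '.join(chain.path) or 'direct'}")
    for chain in CHAINS:
        print(chain.name, "checks:", check_chain(chain) or "ok")
```

Run as a script, the HTTPS packet is steered through vFW and then vWOC by the newer Web-Optimize chain, the DNS packet falls through to the older Branch-FW chain because its protocol rule does not match, and the management VLAN packet reaches the built-in LAN-Router chain. Running check_chain before deployment catches a chain that has an empty path, an out-of-range VLAN, or a port rule without a TCP/UDP protocol, which the Abnormal status would otherwise surface only after delivery.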

Follow-up Procedure

Table 1-27 Follow-up procedure of service chain deployment on a single device (function:
procedure)

Checking deployment parameters: In the Service Chain area, check parameters about the created
service chain, including Name, VLAN, Source IP, Destination IP, Protocol, Source port,
Destination port, Path, and Status.

Operating the service chain: In the Service Chain area, click the modify or delete icon to
modify or delete the service chain.

Table 1-28 Task status check (function: procedure)

Checking the status of the VNF, endpoint, or service chain task:
1. Choose VM Lifecycle > Deployment > Task to view the deployment or operating status of the
VNF, endpoint, or service chain.
2. Set filtering parameters, such as Task Type, Object, and Status, to view the status.

Parameter Description

Table 1-29 Service chain deployment (parameter: description)

Name: Name of a service chain.

VLAN: VLAN range. VLAN IDs are the matching basis of a service chain.

Source: Source address of the service chain data traffic. Currently, the following types can
be selected:
l Any: indicates any source address.
l Customized: indicates a customized source address.

Destination: Destination address of the service chain data traffic. Currently, the following
types can be selected:
l Any: indicates any destination address.
l Customized: indicates a customized destination address.

Protocol: Protocol that specifies the type of packets matching service chain rules.

SrcPort: Source port of the packets matching service chain rules. Currently, the following
types can be selected:
l Any: indicates any source port.
l Customized: indicates a customized source port number range.

DstPort: Destination port of the packets matching service chain rules. Currently, the
following types can be selected:
l Any: indicates any destination port.
l Customized: indicates a customized destination port number range.

Path: Path of the matched service chain traffic. VNFs are added to the path to specify the
direction in which the traffic traverses them.

Status: Service chain deployment status. The displayed status indicates successful
deployment, deployment failure, or deletion failure.

Operation: Deletion operation. The created service chain can be deleted.

1.8 Tenant Administrator Configuration

1.8.1 Logging In to the Agile Controller-Campus


Log in to the Agile Controller-Campus using a tenant administrator account.

Context
After the Agile Controller-Campus is installed, an administrator can use a web browser to log
in to the Agile Controller-Campus WebUI to perform the system management and
maintenance operations. The following web browsers are supported:
l Internet Explorer 11
l Chrome 50 or Chrome 60
l Windows 10 (Microsoft Edge 20 or Microsoft Edge 40)

Prerequisites
A tenant administrator account has been created.

Procedure
Step 1 Open a supported web browser.

Step 2 Enter https://<Agile Controller-Campus server IP address>:<port number> in the address
box, and press Enter.
NOTE

l The IP address of the Agile Controller-Campus server is the Northbound management IP
specified when you configure the Agile Controller-Campus.
l The port number is 18008.

Step 3 If the browser warns that the security certificate of the server cannot be trusted,
proceed to the login page:
l Internet Explorer 11: Click Continue to this website (not recommended).
l Chrome 50/60: Choose Advanced > Proceed to... (unsafe).
l Edge 20/40: Click Continue to this webpage (not recommended).

NOTE

The warning appears because the default certificate is not issued by a CA that the browser
trusts. To solve the problem, apply for a security certificate from an official CA. After
the certificate is obtained, the system administrator needs to replace the ER northbound
certificate used for browser access. For details, see Updating ER Certificates. Until the
certificate is replaced, the browser cannot verify the identity of the server, so proceed
past the warning only over a trusted management network, and treat a warning that appears
after the certificate has been replaced as a sign that the connection may be intercepted.

Step 4 Enter the tenant administrator account and password, and click Login.

Step 5 Upon the first login, change the password and re-log in using the new password. Skip this step
if it is not your first login.

----End

1.8.2 Initial Configuration

1.8.2.1 Configuring Account Policies and Password Policies

Context
The system administrator has configured account policies and password policies. Tenant
administrators can view these policies.

Procedure
Step 1 View global account policies.


Account policies have been configured on the Agile Controller-Campus by default. A tenant
administrator can view account policies, such as the account length range policy and the
account login policy.
Choose Administration > System Account > Account from the main menu, and click Account
Policy to view the global account policies.

Step 2 View global password policies.

Password policies have been configured on the Agile Controller-Campus by default. A tenant
administrator can view password policies, for example, the password complexity policy, the
password change interval policy, and the character limitation policy.
Choose Administration > System Account > Account from the main menu, and click Password
Policy to view the global password policies.


NOTE

If PCI DSS compliance is required, adjust the account policy and password policy as follows:
l Enable Disable unused accounts, and set Maximum number of consecutive idle days of
account to 90. An account that has not logged in for more than 90 days is disabled.
l Enable Account lockout trigger conditions, and set Invalid password monitoring period
(min) to 30. If an account fails to log in five consecutive times within 30 minutes, the
account is locked for 30 minutes.
l Set Number of historical passwords that cannot be reused to 4.

----End
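The lockout, idle-account and password-history rules from the NOTE above, worked through in code so that the interaction of the 30-minute monitoring window, the 30-minute lockout, the 90-day idle limit and the four-password history can be checked against an expected sequence of login attempts. This is an added example written for this guide, not code from the guide or from the Agile Controller-Campus. The in-memory AccountState, the PBKDF2 storage of the password history, the reading that the current password plus the four previous ones are refused, and the run_scenario() walk-through with its made-up accounts are all assumptions made for the illustration.

```python
"""Account and password policy enforcement with the PCI DSS values named in the
guide, written as an added illustration (not code from the guide or from the
Agile Controller-Campus).

Assumptions not stated in the guide: state is kept in memory per account, the
clock is passed in as a datetime so the logic runs offline, and the password
history is stored as salted PBKDF2 hashes (a stand-in for whatever the
controller actually stores).
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from hashlib import pbkdf2_hmac
from os import urandom
from typing import List, Optional, Tuple

# Policy values from the guide's PCI note.
MAX_IDLE_DAYS = 90                       # disable accounts idle longer than this
MONITOR_WINDOW = timedelta(minutes=30)   # invalid password monitoring period
MAX_FAILURES = 5                         # failures inside the window that trigger lockout
LOCKOUT = timedelta(minutes=30)          # lockout duration
HISTORY_DEPTH = 4                        # previous passwords that cannot be reused
PBKDF2_ROUNDS = 20_000                   # assumed hashing cost, kept low for the demo


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt if salt is not None else urandom(16)
    return salt, pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class AccountState:
    account: str
    history: List[Tuple[bytes, bytes]]   # (salt, digest), current password first
    last_login: datetime
    failures: List[datetime] = field(default_factory=list)
    locked_until: Optional[datetime] = None
    disabled: bool = False


def make_state(account: str, passwords: List[str], last_login: datetime) -> AccountState:
    """Build an account whose history holds the given passwords, current first."""
    return AccountState(account, [hash_password(p) for p in passwords], last_login)


def attempt_login(state: AccountState, password: str, now: datetime) -> str:
    """Apply the policy to one login attempt and return "ok", "disabled",
    "locked" or "bad-password", updating the account state on the way."""
    if state.disabled or now - state.last_login > timedelta(days=MAX_IDLE_DAYS):
        state.disabled = True            # unused account: disabled until an admin re-enables it
        return "disabled"
    if state.locked_until is not None and now < state.locked_until:
        return "locked"                  # attempts during lockout are rejected, not counted
    salt, digest = state.history[0]
    if hash_password(password, salt)[1] == digest:
        state.failures.clear()
        state.locked_until = None
        state.last_login = now
        return "ok"
    # Keep only failures inside the monitoring window, then record this one.
    state.failures = [t for t in state.failures if now - t < MONITOR_WINDOW] + [now]
    if len(state.failures) >= MAX_FAILURES:
        state.failures.clear()
        state.locked_until = now + LOCKOUT
        return "locked"
    return "bad-password"


def password_reusable(state: AccountState, new_password: str) -> bool:
    """False if the candidate equals the current or any of the last HISTORY_DEPTH passwords."""
    for salt, digest in state.history[:HISTORY_DEPTH + 1]:
        if hash_password(new_password, salt)[1] == digest:
            return False
    return True


def change_password(state: AccountState, new_password: str) -> bool:
    """Rotate the password when the history check passes; report whether it did."""
    if not password_reusable(state, new_password):
        return False
    state.history.insert(0, hash_password(new_password))
    del state.history[HISTORY_DEPTH + 1:]  # retain only what the policy needs to check
    return True


def run_scenario() -> dict:
    """Constructed walk-through (sample accounts are made up) used by the demo below."""
    t0 = datetime(2019, 3, 13, 9, 0)
    st = make_state("ops@example.com", ["Pw-Current", "Pw-Old-1", "Pw-Old-2",
                                        "Pw-Old-3", "Pw-Old-4", "Pw-Old-5"],
                    t0 - timedelta(days=1))
    out = {}
    out["bad_attempts"] = [attempt_login(st, "wrong", t0 + timedelta(minutes=i)) for i in range(5)]
    out["during_lockout"] = attempt_login(st, "Pw-Current", t0 + timedelta(minutes=10))
    out["after_lockout"] = attempt_login(st, "Pw-Current", t0 + timedelta(minutes=35))
    out["reuse_recent"] = change_password(st, "Pw-Old-4")   # 4th previous password: refused
    out["reuse_oldest"] = change_password(st, "Pw-Old-5")   # beyond the history depth: allowed
    idle = make_state("dormant@example.com", ["Pw-X"], t0 - timedelta(days=91))
    out["idle_account"] = attempt_login(idle, "Pw-X", t0)
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Two details matter when comparing this with the controller's behaviour: attempts made while an account is locked are rejected without extending the lockout, and a correct password entered during the lockout is still refused, which is what the 30-minute lockout in the NOTE implies. The password complexity and change-interval policies listed in Step 2 are not modelled here.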

1.8.2.2 Creating Roles


When default user roles in the system cannot meet requirements, new roles need to be created.

Context
The system manages users with the same operation rights by role. After a role is granted to an
account, the account has all the rights of this role.

Procedure
Step 1 Choose Administration > System Account > Account from the main menu, and click the
Role tab.

Step 2 Click Create. Enter the role name and select function rights for the role.

By default, a tenant has the following roles. These roles cannot be deleted or modified.

l EVPN Tenant Administrator: The tenant administrator performs tenant services and
configurations.


l Northbound Interface Operator: The operator accesses the Agile Controller-Campus through
its northbound interface.


NOTE

In the function rights tree of roles, each node has a fixed name but the node order in the tree varies with
the Agile Controller-Campus version. Figures in this section are for reference only.

Step 3 In the SD-WAN Solution, you are advised to create roles and grant function rights based on
the following table. You can also create roles based on your actual needs. Grant each
administrator only the role that covers the tasks they perform; the Management role carries
all rights.

Role Type: Rights

Management: Global management personnel, with all the rights.

Monitoring: Global monitoring personnel, with all the monitoring rights.

Configuration: Network configuration personnel, with rights to configure the network, and
policy configuration personnel, with rights to configure traffic policies and security
policies.

Maintenance: O&M personnel, with rights to maintain devices and manage files and logs.

Function rights to select for each role:
l Management: Select Agile Controller and all functions under it.
l Monitoring: Select Monitor and all functions under it.
l Configuration: Select Configuration and all functions under it.
l Maintenance: Select Maintenance and all functions under it.

Step 4 Click OK.

----End

1.8.2.3 Creating Local Accounts


Tenant administrators can create tenant administrator accounts and grant each account the
rights of a specific role.

Context
User account type: local account


Procedure
Step 1 Choose Administration > System Account > Account from the main menu.

Step 2 Click Create and create an account.

Step 3 Configure basic information.


Click Next after you configure basic information on the Basic Information page.

By default, a tenant has the following role. This role cannot be deleted or modified.
l Tenant Administrator: The tenant administrator performs tenant services and
configurations.

Table 1-30 Description of parameters on the Create Account page (parameter: description)

Account: Login account of the newly created administrator (must be in the email address
format).

Password: Initial login password of the newly created administrator.

Confirm Password: Enter the initial login password again.

Modify password first login: Whether the administrator must change the password upon the
first login.

Email address: When a password is reset, the user receives the automatically generated random
password at this address.

Role: Select the role from the drop-down list.

Step 4 On the Managed Object page that is displayed, select the sites to be managed by the tenant
administrator, and click Next. By default, Select All Resources is enabled, and the tenant
administrator can manage all sites. If you disable Select All Resources, you can select the
sites to be managed by the tenant administrator.

Step 5 (Optional) Configure access control.


Click Next after you configure the range of IP addresses that can be used to log in to the
system on the Access Control page.


Step 6 Click OK.

Step 7 Re-log in to the Agile Controller-Campus using the created tenant administrator account if
you need to manage services using this account subsequently.

----End

Follow-up Procedure
l Modify account information, reset the password, disable or enable the account.
a. Choose Administration > System Account > Account from the main menu.

b. In the Operation column, click the modify icon to modify account information, the reset
icon to reset the password, or the disable icon to disable the account. If the account has
been disabled, click the enable icon to enable the account.

l Delete an account.
a. Choose Administration > System Account > Account from the main menu.
b. Select an account, and click Delete.

l Set a user group.


To enable multiple users to have the same permissions, create a user group and add these
users to the group.


Choose Administration > System Account > Account from the main menu. Click the
User Group tab, and click Create to create a user group.

Click Next to select objects to be managed by user groups.

l Personal settings
Personal settings improve the access security of the Agile Controller-Campus. These settings
apply only to the current user.


– Set the number of concurrently online users.


i. Choose Administration > Administration > My Account from the main
menu.
ii. On the Basic Information page, modify the value of Simultaneous online
and click Apply. The default value is 0, indicating that the number of
concurrently online users is not restricted.

– Change the password.


i. Choose Administration > Administration > My Account from the main
menu.

ii. On the Basic Information page, click the edit icon next to the password. In the
dialog box that is displayed, set a new password.

– Adjust the range of IP addresses from which the current account is allowed to log in to
the Agile Controller-Campus.
i. Choose Administration > Administration > My Account from the main menu.
ii. On the Access Control page, set the start IP address and end IP address of the IP
address range, and click Confirm. If the IP address range list is empty, login is
permitted from any IP address.


– Set the idle timeout interval for tenant administrator account.


The Agile Controller-Campus provides the idle timeout interval to prevent
unauthorized operations when the administrator is unattended. If an administrator
does not perform any operation within a specified period of time, the administrator
will be deregistered automatically and needs to re-log in to the Agile Controller-
Campus.
Choose Administration > System Account > Account from the main menu. Click the idle
timeout setting icon, set the idle duration, and click Confirm.

– Check online administrators.


Choose Administration > System Account > Account from the main menu, and
click the Online User tab. View online administrators.
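The access control range from Step 5 and the Simultaneous online and idle timeout settings from the personal settings above, worked through as the login-gating logic they describe: an empty range list permits any address, a limit of 0 means unlimited sessions, and idle sessions are deregistered and stop counting against the limit. This is an added example written for this guide, not code from the guide or from the Agile Controller-Campus. The AccessPolicy and SessionTable types, the 30-minute idle timeout value and the constructed run_scenario() walk-through are assumptions; the guide only says the idle duration is configurable.

```python
"""Per-account login gating for the settings under My Account (allowed IP
address ranges, simultaneous online limit, idle timeout), as an added
illustration (not code from the guide or from the Agile Controller-Campus).

Assumptions not stated in the guide: ranges are (start, end) address strings,
sessions live in an in-memory table, the clock is passed in as a datetime, and
the idle timeout value of 30 minutes is made up for the demo.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address
from typing import Dict, List, Tuple


@dataclass
class AccessPolicy:
    ip_ranges: List[Tuple[str, str]] = field(default_factory=list)  # empty list = any address
    simultaneous_online: int = 0                     # 0 = unlimited, the guide's default
    idle_timeout: timedelta = timedelta(minutes=30)  # assumed value


def ip_allowed(policy: AccessPolicy, client_ip: str) -> bool:
    """True if client_ip falls inside any configured range (inclusive)."""
    if not policy.ip_ranges:
        return True                                  # empty list permits login from anywhere
    ip = ip_address(client_ip)
    for start, end in policy.ip_ranges:
        lo, hi = ip_address(start), ip_address(end)
        if lo.version == ip.version and lo <= ip <= hi:   # never compare v4 with v6
            return True
    return False


@dataclass
class SessionTable:
    last_activity: Dict[str, datetime] = field(default_factory=dict)  # session id -> time

    def expire_idle(self, policy: AccessPolicy, now: datetime) -> List[str]:
        """Deregister sessions idle longer than the timeout; return their ids."""
        stale = [sid for sid, t in self.last_activity.items() if now - t > policy.idle_timeout]
        for sid in stale:
            del self.last_activity[sid]
        return stale

    def touch(self, sid: str, now: datetime) -> None:
        """Record activity on a session so the idle clock restarts."""
        self.last_activity[sid] = now


def try_login(policy: AccessPolicy, table: SessionTable,
              client_ip: str, sid: str, now: datetime) -> str:
    """Gate one login: source address first, then the concurrent-session limit."""
    if not ip_allowed(policy, client_ip):
        return "denied-ip"
    table.expire_idle(policy, now)                   # idle sessions no longer count
    if policy.simultaneous_online and len(table.last_activity) >= policy.simultaneous_online:
        return "denied-session-limit"
    table.touch(sid, now)
    return "ok"


def run_scenario() -> dict:
    """Constructed walk-through (addresses and session ids are made up)."""
    policy = AccessPolicy(ip_ranges=[("10.0.0.1", "10.0.0.254")], simultaneous_online=2)
    table = SessionTable()
    t0 = datetime(2019, 3, 13, 9, 0)
    out = {}
    out["outside_range"] = try_login(policy, table, "192.0.2.5", "s0", t0)
    out["first"] = try_login(policy, table, "10.0.0.10", "s1", t0)
    out["second"] = try_login(policy, table, "10.0.0.11", "s2", t0 + timedelta(minutes=1))
    out["third"] = try_login(policy, table, "10.0.0.12", "s3", t0 + timedelta(minutes=2))
    table.touch("s2", t0 + timedelta(minutes=20))    # s2 stays active, s1 goes idle
    out["after_idle"] = try_login(policy, table, "10.0.0.12", "s3", t0 + timedelta(minutes=31))
    out["open_sessions"] = sorted(table.last_activity)
    out["any_address"] = ip_allowed(AccessPolicy(), "2001:db8::1")
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

In the walk-through the third login is refused while two sessions are active, and succeeds once the first session has exceeded the idle timeout and been deregistered, which is the behaviour the idle timeout is meant to give an unattended administrator session.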

1.8.3 Network Deployment

1.8.3.1 Adding Devices

Context
The CPEs that are uniquely identified by ESNs are added to the Agile Controller-Campus so
that the Agile Controller-Campus provides unified O&M. You can add CPEs in either of the
following modes:


l Adding CPEs one by one: applies to scenarios where a few devices need to be added.
l Adding CPEs in batches: applies to scenarios where a large number of devices need to be
added.
Mode of adding a device. The following modes are supported:
l ESN: If you have obtained the ESN of a device, add the device in ESN mode.
l Device model: If you have not obtained the ESN of a device, add the device based on its
model. This mode is generally used for pre-configuration. The selected device type must
be consistent with the actual device type.

NOTE

To deploy a cloud site, select the device whose device model is AR1000V when adding a device.

Procedure (Adding CPEs One by One)


Step 1 Choose Device Management > Device Management > Device List from the main menu.

Step 2 Click Add Device.

Step 3 Select Manually create from the Addition method drop-down list.

Step 4 Select a mode for adding CPEs. Currently, the following two modes are available. You can
select either one of the following modes based on the actual situation:
l ESN mode
Set Mode to ESN.
l Device model mode
Set Mode to Device Model.
Step 5 On the right of Device information, click Add to set parameters for devices to be added.
The parameters to be set vary with the mode of adding devices. You need to set parameters
according to the actual mode.
l ESN mode
After setting the device ESN and other parameters, click Submit.

l Device model mode


Select AR from the Type drop-down list. Select the AR model from the Device Model
drop-down list. Enter the number of devices in Number dialog box. Click OK.


Step 6 Click OK.

----End

Procedure (Adding CPEs in Batches)


Step 1 Choose Device Management > Device List from the main menu.

Step 2 Click Add Device.

Step 3 Select Batch Import from the Addition method drop-down list.

Step 4 Click Template on the right of Upload file to download the template.

Step 5 Open the downloaded template BatchImportTemplate_en.xls.

Step 6 Fill in and save the template. Enter device information in the template.
The parameters to be set vary with the mode of adding devices. You need to set parameters
according to the actual mode.
l ESN mode: Set parameters including ESN, Device Name, and Description.

l Device model mode: Set parameters including Device Name, Device Model, and
Description.


NOTE

In SD-WAN scenarios, you do not need to set Site.

Step 7 Import the created template. Check the imported data and select the imported devices. Click
OK.

Step 8 In the Result area, view the devices imported in batches.

----End


Follow-up Procedure

Table 1-31 Follow-up procedure of device management (function: operation scenario and
constraint; procedure)

Viewing devices
Scenario: You can view detailed information about a site.
Procedure:
1. Choose Device Management > Device List from the main menu.
2. Click different items in the navigation tree on the left to view different device
information.
l Click All Devices to view all devices.
l Click Devices Not Added to view all devices that have not been added to a site.
l Click Added Devices to view all devices at all sites.
l Click a site under Added Devices to view all devices at the site.

Resetting to deployment state
Scenario and constraint: Resetting to deployment state means that only the deployment-related
configuration (including interfaces and sub-interfaces and their IP addresses) remains on a
device, and all other configuration is deleted. You need to use this function in the
following situations:
1. After a site is deleted, the Agile Controller-Campus deletes only the configuration in its
own database; the related site configuration remains on the device. Reset such a device
before it is reused or handed over, so that the stale site configuration does not stay on
it.
2. The Agile Controller-Campus needs to redeliver the configuration to a device.
Procedure:
1. Choose Device Management > Device List from the main menu.
2. Select the target device.
3. Click Reset to Deployment State to restore the device to the deployment state.

Modifying devices
Scenario: You can modify the device name, ESN, and other device information.
Procedure:
1. Choose Device Management > Device List from the main menu.
2. Click Modify in the Operation column.

Replacing devices
Scenario and constraint: When a device is faulty or obsolete, or device upgrade and
replacement are required, the tenant administrator can replace the device and synchronize
the old device information to the new device on the Agile Controller-Campus to ensure normal
service running.
NOTE
The model of the new device for replacement must be consistent with that of the replaced
device.
Procedure:
1. Choose Device Management > Device List from the main menu.
2. Click Replace in the Operation column.

Parameter Description

Table 1-32 Parameters on the Add Device page

Addition method: Method of adding a device.

Mode: Mode of adding a device. The following modes are supported:
l ESN: If you have obtained the ESN of a device, add the device in ESN mode.
l Device model: If you have not obtained the ESN of a device, add the device based on its
model. This mode is generally used for pre-configuration. The selected device type must be
consistent with the actual device type.

Device information
  ESN: ESN of a device, which is its unique identifier. You can obtain the ESN from the
  factory configuration list of the device or by running the display esn command on it.
  Device Name: Unique name of a device. It is recommended that the site name be included
  in the device name. If the value is left empty, the device name defaults to the ESN. A
  device name can contain a maximum of 64 characters.
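Before uploading a batch-import file it is worth checking it offline against the rules above (ESN required in ESN mode, Device Model required in Device model mode, an empty Device Name defaults to the ESN, names unique and at most 64 characters), because the controller rejects the whole import on the first bad row. The following is an added example in Python, not controller code; it treats the .xls template as CSV with the same column names, the sample rows and ESNs are constructed, and requiring a Device Name in Device model mode is this example's assumption (there is no ESN to fall back on):

```python
"""Pre-flight check of a CPE batch-import file.

Added example, not controller code. The controller's template
BatchImportTemplate_en.xls is treated here as CSV with the same column
names (ESN, Device Name, Device Model, Description). The rules are the
ones the guide states: ESN mode requires an ESN, Device model mode requires
a Device Model, an empty Device Name defaults to the ESN, and a name is at
most 64 characters and unique. Requiring a name in Device model mode (there
is no ESN to fall back on) is an assumption of this example.
"""
import csv
import io
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_NAME_LEN = 64  # from Table 1-32


@dataclass(frozen=True)
class Device:
    name: str
    esn: Optional[str]
    model: Optional[str]
    description: str


def check_template(csv_text: str, mode: str) -> Tuple[List[Device], List[str]]:
    """Parse the rows for the given mode ('esn' or 'model').

    Returns the devices that would be imported and one error per rejected
    row (line numbers count the header as line 1).
    """
    if mode not in ("esn", "model"):
        raise ValueError("mode must be 'esn' or 'model'")
    devices: List[Device] = []
    errors: List[str] = []
    seen_names, seen_esns = set(), set()
    for lineno, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        def cell(col: str) -> str:
            return (row.get(col) or "").strip()

        esn, model = cell("ESN"), cell("Device Model")
        name, desc = cell("Device Name"), cell("Description")
        if mode == "esn":
            if not esn:
                errors.append(f"line {lineno}: ESN is required in ESN mode")
                continue
            if esn in seen_esns:
                errors.append(f"line {lineno}: duplicate ESN {esn}")
                continue
            seen_esns.add(esn)
            name = name or esn  # controller default: the name is the ESN
        else:
            if not model:
                errors.append(f"line {lineno}: Device Model is required in Device model mode")
                continue
            if not name:
                errors.append(f"line {lineno}: Device Name is required when no ESN is given")
                continue
        if len(name) > MAX_NAME_LEN:
            errors.append(f"line {lineno}: Device Name exceeds {MAX_NAME_LEN} characters")
            continue
        if name in seen_names:
            errors.append(f"line {lineno}: duplicate Device Name {name}")
            continue
        seen_names.add(name)
        devices.append(Device(name, esn or None, model or None, desc))
    return devices, errors


# Constructed sample in ESN mode; the ESNs are fictitious.
SAMPLE_ESN_MODE = (
    "ESN,Device Name,Description\n"
    "2102350ABC10J1000001,Branch-Shenzhen-CPE1,Shenzhen branch gateway\n"
    "2102350ABC10J1000002,,Name left empty: defaults to the ESN\n"
    "2102350ABC10J1000002,Branch-Dup,Same ESN entered twice\n"
    "2102350ABC10J1000003," + "N" * 65 + ",Name too long\n"
)

# Constructed sample in Device model mode (AR1000V is the model the guide
# names for cloud sites; the row content is made up).
SAMPLE_MODEL_MODE = (
    "Device Name,Device Model,Description\n"
    "Cloud-AWS-CPE1,AR1000V,pre-configured cloud gateway\n"
    ",AR1000V,missing name\n"
)

if __name__ == "__main__":
    for label, text, mode in (("ESN mode", SAMPLE_ESN_MODE, "esn"),
                              ("Device model mode", SAMPLE_MODEL_MODE, "model")):
        devices, errors = check_template(text, mode)
        print(f"{label}: {len(devices)} device(s) ready, {len(errors)} row(s) rejected")
        for d in devices:
            print("  import:", d)
        for e in errors:
            print("  reject:", e)
```

Run it on the exported CSV of the filled-in template before Step 7; rows that the check rejects are the ones the import dialog would stop on.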


1.8.3.2 Setting Global Parameters


This section describes how to set global parameters related to a tenant network.

Context
Global configuration parameters related to a tenant network include:
l Physical network: transmission network, IPSec encryption parameters, device activation
security configuration, link failure detection parameter configuration and routing policy
periodic parameter configuration.
l Virtual network: AS number of BGP routes, IP Pool, and DNS.
l Access credentials: Cloud type, API key, and Secret key.
NOTE

To interconnect the Agile Controller-Campus with the Amazon AWS cloud, you need to configure
access credentials. To interconnect the Agile Controller-Campus with the Huawei public cloud,
access credentials are not required.

Procedure
Step 1 Choose Configuration > Configuration > Global Parameters from the main menu.
Step 2 Click the Physical Network tab and set the global parameters related to the physical network.
1. Configure a transmission network to define a unified transmission network type for
communication between sites on the entire network.
– When the DSVPN tunnel mode is selected, the default transmission networks
provided by the Agile Controller-Campus include LTE, Internet, Internet1, MPLS,
and MPLS1.

– When the EVPN tunnel mode is selected, the default transmission networks
provided by the Agile Controller-Campus include Internet, Internet1, MPLS, and
MPLS1.

If the default transmission networks cannot meet requirements, click Create to create a
transmission network.
2. (Optional) If an IPSec tunnel requires encryption, you need to configure the encryption
mode and password for the IPSec tunnel.
After configuration, all IPSec tunnels requiring encryption use the same encryption mode
and password.


– When the DSVPN tunnel mode is selected, in the IPSec Encryption Parameters
area, configure Encryption algorithm and Pre-shared key.

– When the EVPN tunnel mode is selected, in the IPSec Encryption Parameters,
configure Encryption algorithm.

3. Configure the email-based deployment information if email-based deployment is


involved.
In the Device Activation Security Settings area, set URL encryption key and Token
validity period.

4. (Optional) To detect link failures of a site, set the link failure detection parameters.
– When the DSVPN tunnel mode is selected, configure Packet sending interval and
Number of detection failures.


– When the EVPN tunnel mode is selected, configure Packet sending interval,
Number of detection failures and Priority of detection packets.

5. (Optional) Set the routing policy periodic parameters.


– When the DSVPN tunnel mode is selected, configure Enable to enhance
functionality, Switching period and Flapping suppression.

– When the EVPN tunnel mode is selected, configure Switching period and
Flapping suppression.


Step 3 Click the Virtual Network tab and set the global parameters related to the virtual network.
1. Configure parameters for BGP routes.
– When the DSVPN tunnel mode is selected, configure AS number, Keepalive and
Hold time.

– When the EVPN tunnel mode is selected, configure AS number.

2. Configure reserved addresses. You can configure different address pool segments for
different network segment scales.
– When the DSVPN tunnel mode is selected, in the IP Pool area, set Network scale
and IP pool.

– When the EVPN tunnel mode is selected, in the IP Pool area, set IP pool.

3. Configure a DNS server group and an IP address.


In the DNS area, set DNS Server Group Name and DNS server IP.


Step 4 Click the Access Key tab and set the global parameters for deploying a public cloud site.
1. Click Create and configure Cloud Type, API key, and Secret key.

2. Click OK.
Step 5 Click Apply Changes.

----End
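Several of the values entered in the procedure above constrain each other (the detection interval and failure count have fixed ranges, the BGP hold time must be at least three times the keepalive, and a single pre-shared key protects every IPSec tunnel of the tenant), and the page does not check them for you until Apply Changes. The following is an added example in Python, not controller code, that encodes the ranges and relationships from Table 1-33 as a pre-commit check. The BGP defaults of 60 s and 180 s and the 16-character minimum for the pre-shared key are this example's assumptions, not controller rules:

```python
"""Sanity checks for the tenant global parameters.

Added example, not controller code. The ranges come from Table 1-33:
detection interval 10-2000 ms and 3-50 failures (defaults 100 ms / 10),
BGP hold time at least three times the keepalive (DSVPN mode only), AES256
recommended over AES128, and one pre-shared key shared by every IPSec
tunnel of the tenant. The BGP defaults (60 s / 180 s) and the 16-character
minimum for the pre-shared key are this example's assumptions.
"""
from dataclasses import dataclass
from typing import List, Tuple

MIN_PSK_LEN = 16  # assumption, see module docstring
SUPPORTED_AES = ("AES128", "AES256")


@dataclass
class GlobalParams:
    tunnel_mode: str = "DSVPN"          # "DSVPN" or "EVPN"
    ipsec_enabled: bool = True
    encryption_algorithm: str = "AES256"
    pre_shared_key: str = ""            # DSVPN mode only
    detection_interval_ms: int = 100    # controller default when tuning is off
    detection_failures: int = 10        # controller default when tuning is off
    bgp_keepalive_s: int = 60           # assumed default
    bgp_hold_s: int = 180               # assumed default


def link_failure_detection_time_ms(p: GlobalParams) -> int:
    """Approximate time before a link is declared faulty: the permitted
    number of consecutive probe failures times the probe interval
    (1000 ms with the controller defaults)."""
    return p.detection_interval_ms * p.detection_failures


def check_global_params(p: GlobalParams) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings). Errors would be rejected or break the
    deployment; warnings are weak but accepted choices."""
    errors: List[str] = []
    warnings: List[str] = []
    if p.tunnel_mode not in ("DSVPN", "EVPN"):
        return [f"unknown tunnel mode {p.tunnel_mode!r}"], []
    if not 10 <= p.detection_interval_ms <= 2000:
        errors.append(f"packet sending interval {p.detection_interval_ms} ms outside 10-2000")
    if not 3 <= p.detection_failures <= 50:
        errors.append(f"number of detection failures {p.detection_failures} outside 3-50")
    if p.tunnel_mode == "DSVPN" and p.bgp_hold_s < 3 * p.bgp_keepalive_s:
        errors.append(f"BGP hold time {p.bgp_hold_s}s must be at least 3 x keepalive "
                      f"({3 * p.bgp_keepalive_s}s)")
    if not p.ipsec_enabled:
        warnings.append("IPSec disabled: tunnel traffic crosses the transport network "
                        "unencrypted; firewalls must also allow IP protocol 47 (GRE) "
                        "for every device")
        return errors, warnings
    if p.encryption_algorithm not in SUPPORTED_AES:
        errors.append(f"unsupported encryption algorithm {p.encryption_algorithm!r}")
    elif p.encryption_algorithm == "AES128":
        warnings.append("AES128 selected; the guide recommends AES256")
    if p.tunnel_mode == "DSVPN" and len(p.pre_shared_key) < MIN_PSK_LEN:
        warnings.append(f"pre-shared key shorter than {MIN_PSK_LEN} characters; it is "
                        "shared by all IPSec tunnels of the tenant, so use a long random value")
    return errors, warnings


if __name__ == "__main__":
    proposed = GlobalParams(detection_interval_ms=5, detection_failures=2,
                            bgp_hold_s=120, encryption_algorithm="AES128",
                            pre_shared_key="short")
    errs, warns = check_global_params(proposed)
    print(f"link failure detected after ~{link_failure_detection_time_ms(proposed)} ms")
    for e in errs:
        print("ERROR  ", e)
    for w in warns:
        print("WARNING", w)
```

Run the check on the values you intend to enter; with the controller defaults and a strong key it returns no findings, and the detection-time figure tells you how long a failed link keeps carrying traffic before detection triggers a switch.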

Parameter Description

Table 1-33 Parameters on the Global configuration page

Physical Network

Transport Network
  Transport Network: Type of the transport network to which a WAN-side physical link
  belongs. This parameter describes the transport networks with the same link quality
  attributes and identifies networks of the same type provided by an ISP. The network
  connected by each physical link on the WAN side of a site maps to a transport network.
  Routing Domain: Routing domain to which a transport network belongs. Transport networks
  in the same routing domain can communicate with each other. The Agile Controller-Campus
  provides the following routing domains by default:
  l MPLS: MPLS leased line, which carries normal user services in wired mode.
  l Internet: public Internet, which carries normal user services in wired mode.
  l Escape: best-effort link, mainly used for escape in wireless mode. This link takes
  effect only when all the other links fail.
  NOTE
  The Escape routing domain is supported only in the DSVPN tunnel mode.
  If the default routing domains cannot meet requirements, create a routing domain
  according to the actual situation.

IPSec Encryption: Whether to enable IPSec encryption. The options are as follows:
  l Disabled: Tunnel traffic is carried over GRE without encryption. In this case, allow
  IP protocol 47 (GRE) for all devices on the firewall.
  l Enabled: Tunnels use the encryption algorithm and pre-shared key set in IPSec
  Encryption Parameters.

IPSec Encryption Parameters
  Protocol: Security protocol. The default value is ESP.
  Authentication algorithm: Authentication algorithm. The default value is SHA2-256.
  Encryption algorithm: Encryption algorithm of a link. AES128 and AES256 are supported.
  AES256 is recommended: its key length is 256 bits and its security level is higher than
  that of AES128.
  Pre-shared key: Pre-shared key for the IPSec tunnels. This parameter is available only
  when the DSVPN tunnel mode is selected. All IPSec tunnels of the tenant use the same
  key, so use a long random value and protect it like any other credential.

Device Activation Security Settings
  URL encryption key: Key for encrypting the URL in a deployment email. Email-based
  deployment succeeds only after you click the URL in the received email on your PC and
  enter this key. Give the key to the installer through a channel other than the deployment
  email, so that the email alone is not enough to activate a device.
  Token validity period (day): Validity period for a device to register its ESN with the
  Agile Controller-Campus. The timer starts once a deployment email is sent. If the device
  ESN has not been obtained, the device is added to the Agile Controller-Campus based on
  the device model. After a site is created and a deployment email is sent, the device
  checks whether the token is valid. If so, the device registers its ESN with the Agile
  Controller-Campus. Keep the period no longer than the planned deployment window.

Link Failure Detection Parameter Configuration
  Modify detection parameters: Whether to modify the detection parameters. Link detection
  is periodically performed between gateways of SD-WAN sites under a tenant. In the DSVPN
  tunnel mode, BFD packets are sent to detect link connectivity; in the EVPN tunnel mode,
  GRE packets are sent. If this function is disabled, the device sends detection packets at
  the default interval, and the link is considered faulty when the number of detection
  failures exceeds the default value. If this function is enabled, you can define the
  interval for sending detection packets and the maximum number of detection failures
  permitted. Generally, you do not need to set this parameter; use the default values.
  Packet sending interval: Interval at which an AR sends detection packets, in
  milliseconds. The value ranges from 10 to 2000. If detection parameter modification is
  disabled, the default value is 100 milliseconds.
  Number of detection failures: Number of detection failures permitted before an AR
  automatically switches the link. The value ranges from 3 to 50. If detection parameter
  modification is disabled, the default value is 10.
  Priority of detection packets: Priority in the IP header of a detection packet. A
  numerically higher value indicates a higher priority. This parameter is available only
  when the EVPN tunnel mode is selected.

Routing policy periodic parameter configuration
  Enable to enhance functionality: The enhanced functions are:
  1. Multiple primary transport networks can be configured.
  2. Traffic can be load balanced among primary transport networks. Multiple primary
  transport networks can be arranged in descending order of priority.
  3. Traffic can be steered based on the link bandwidth usage.
  4. Traffic can be steered based on the application priority.
  To ensure forward compatibility with earlier versions, you can select whether to enhance
  functionality in DSVPN tunnel mode. In EVPN tunnel mode, functionality enhancement is
  enabled by default.
  Custom period enable: Whether to customize the intelligent traffic steering period. When
  a site is activated, the system delivers the default configuration of the intelligent
  traffic steering period. You can also customize this period.
  Switching period: Period after which traffic is switched to another link. If the quality
  of a link cannot meet the requirements of a service or the bandwidth usage exceeds the
  threshold, the CPE starts the link switching timer. When the timer expires, the service
  traffic is switched to another link. The default value is 5 seconds.
  Flapping suppression: Flapping suppression prevents frequent link switchovers. If a
  network is unstable, service traffic is switched between links frequently, which
  degrades service experience. Flapping suppression on the CPE prevents this. The flapping
  suppression timer is not running by default; it starts only after a link switchover
  occurs. When the flapping suppression period ends, if the current link (the link used
  after the switchover) meets service requirements, the service traffic stays on it;
  otherwise the traffic is switched to another link or back to the original link. The
  default value is 30 seconds.

Virtual Network

Routing
  Routing protocol: By default, after a site is deployed, it creates DSVPN tunnels and
  establishes a BGP peer relationship with an RR. Via the RR, the site obtains the
  network-wide routing information, implementing overlay network connectivity with the
  other SD-WAN sites. Currently, hub sites and aggregation sites are RRs by default. If a
  site is connected to a hub site, it sets up a peer relationship with the hub site; if it
  is connected to an aggregation site, it sets up a peer relationship with the aggregation
  site.
  AS number: Local AS number. Under the same tenant account, the sites deployed using the
  Agile Controller-Campus belong to the same AS.
  Keepalive time: Interval for sending Keepalive packets to the peer. This parameter is
  configurable only in DSVPN tunnel mode. After establishing a BGP connection, two peers
  periodically send Keepalive messages to each other to detect the status of the
  connection. If a device receives no Keepalive message or any other type of packet from
  its peer within the hold time, it considers the BGP connection terminated and closes it.
  NOTE
  The configured Keepalive time and hold time take effect only on BGP WAN routes on the
  overlay network.
  Hold time: Hold time. This parameter is configurable only in DSVPN tunnel mode. The hold
  time must be at least three times the Keepalive time.

IP Pool
  Network scale (based on CPEs): Approximate number of sites. This parameter is available
  only when the DSVPN tunnel mode is selected.
  IP pool: Reserved addresses. A reserved address can be the address of a DSVPN tunnel, a
  local breakout, a CPE, or an internal link between dual gateways. Plan address pools
  based on the network scale; the number of required address pools increases with the
  number of sites. For details about the relationship between them, click Details. After
  you enter reserved addresses, the Agile Controller-Campus automatically divides the
  addresses in the configured pools (one or more) into address segments, which are used by
  the following interfaces:
  l Loopback interface on a CPE.
  l Interface of a local breakout.
  l Interface of an internal link between dual gateways.
  l Interface of a tunnel: a DSVPN tunnel in the DSVPN tunnel mode, or an EVPN tunnel in
  the EVPN tunnel mode.

DNS
  DNS Server Group Name: Domain Name System (DNS) server group used for domain name
  resolution. The DNS server is usually deployed on a public network. A maximum of 16 DNS
  groups can be configured for a tenant, and each group can contain a maximum of six DNS
  server IP addresses.
  DNS Server IP: You can plan multiple DNS server IP addresses. A DNS server IP address is
  used when a LAN interface is configured. If a CPE is enabled as the DHCP server, you can
  select a DNS server group for the CPE; the DNS server addresses are sent to LAN-side
  clients in DHCP responses.

Access certificate
  Cloud Type: Cloud type. The SD-WAN network supports interconnection with Huawei public
  cloud and Amazon AWS public cloud. An access certificate is required for interconnection
  with Amazon AWS; with it, the Agile Controller-Campus invokes AWS APIs to automatically
  deploy the AWS-side network.
  API key: Access key ID for accessing AWS APIs.
  Secret key: Secret access key for accessing AWS APIs. Treat it as a credential: anyone
  who obtains it can call the AWS APIs it is authorized for.
  NOTE
  Create the access key ID and secret access key on AWS and authorize only the services
  that the Agile Controller-Campus needs to access.
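The Switching period and Flapping suppression descriptions above interact in a way that is easiest to see by running them: a short blip on the new link during suppression does not cause a switch back, while a link that is still failing when suppression ends does. The following is an added example in Python, not CPE or controller code, that models exactly the behaviour the table states and runs it over a constructed two-link scenario. The one-second sampling, the per-link good/bad verdict and the "first acceptable link wins" choice are this example's simplifications:

```python
"""Timer model of the intelligent traffic steering described under
Switching period and Flapping suppression in Table 1-33.

Added example, not controller or CPE code. It models only what the guide
states: when the current link stops meeting a service's requirements the
CPE starts the switching timer; when that timer expires traffic moves to
another link and the flapping-suppression timer starts; no further switch
happens while suppression runs; when it ends the current link is
re-evaluated, traffic stays if the link is acceptable and otherwise moves
to another link or back to the original one. The one-second sampling, the
per-link good/bad verdict and "first acceptable link wins" are this
example's simplifications.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class SteeringPolicy:
    switching_period_s: int = 5        # guide default
    flapping_suppression_s: int = 30   # guide default


@dataclass
class CpeSteering:
    policy: SteeringPolicy
    current_link: str
    events: List[str] = field(default_factory=list)
    _bad_since: Optional[int] = None   # when the current link started failing
    _suppressing: bool = False
    _suppressed_until: int = 0

    def step(self, t: int, link_ok: Dict[str, bool]) -> str:
        """Feed one sample at time t (s): which links meet the service's
        requirements. Returns the link carrying traffic after this sample."""
        if link_ok[self.current_link]:
            self._bad_since = None         # recovered before the timer expired
        elif self._bad_since is None:
            self._bad_since = t            # switching timer starts
        if self._suppressing:
            if t < self._suppressed_until:
                return self.current_link   # hold: no switch during suppression
            self._suppressing = False      # suppression over: re-evaluate once
            if link_ok[self.current_link]:
                self.events.append(f"t={t}: suppression over, {self.current_link} acceptable, staying")
                return self.current_link
            return self._switch(t, link_ok, "suppression over, link still failing")
        if self._bad_since is not None and t - self._bad_since >= self.policy.switching_period_s:
            return self._switch(t, link_ok, f"failing for {self.policy.switching_period_s}s")
        return self.current_link

    def _switch(self, t: int, link_ok: Dict[str, bool], reason: str) -> str:
        candidates = [name for name, ok in link_ok.items() if ok and name != self.current_link]
        if not candidates:
            self.events.append(f"t={t}: {reason}, no acceptable alternative, staying on {self.current_link}")
            return self.current_link
        old, self.current_link = self.current_link, candidates[0]
        self._bad_since = None
        self._suppressing = True
        self._suppressed_until = t + self.policy.flapping_suppression_s
        self.events.append(f"t={t}: {old} -> {self.current_link} ({reason}); "
                           f"suppressing further switches until t={self._suppressed_until}")
        return self.current_link


def build_samples(duration_s: int, mpls_bad: Iterable[int],
                  internet_bad: Iterable[int]) -> List[Dict[str, bool]]:
    """Constructed two-link scenario: per second, is each link acceptable?"""
    mpls_bad, internet_bad = set(mpls_bad), set(internet_bad)
    return [{"MPLS": t not in mpls_bad, "Internet": t not in internet_bad}
            for t in range(duration_s)]


def simulate(policy: SteeringPolicy, start_link: str,
             samples: List[Dict[str, bool]]) -> Tuple[List[str], List[str]]:
    """Run the model; return the link used per second and the event log."""
    cpe = CpeSteering(policy, start_link)
    path = [cpe.step(t, ok) for t, ok in enumerate(samples)]
    return path, cpe.events


if __name__ == "__main__":
    # MPLS degrades from t=3 to t=20; the Internet link blips at t=10-11.
    path, events = simulate(SteeringPolicy(), "MPLS", build_samples(45, range(3, 21), {10, 11}))
    print("link per second:", " ".join(name[0] for name in path))
    for e in events:
        print(e)
```

With the defaults the switch happens five seconds into the MPLS outage, the two-second Internet blip inside the 30-second suppression window is ignored, and the re-evaluation at the end of suppression keeps the traffic on the Internet link. Set flapping_suppression_s to 0 in the policy to see how quickly the same scenario flaps back.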

1.8.3.3 (Optional) Customizing a Site Template


When adding multiple sites, generally, you need to configure the same gateway type, the same
number of WAN links, and the same transmission network for them. To improve the
efficiency, you can customize a site template to cover the repeated information and use the
site template during site configuration. A site template is essentially a classification of sites.
In a policy, you can quickly find a site by specifying the site template. Once a site template is
used by a site, only the template name and description can be modified. You need to properly
plan the data and then create a site template.
Table 1-34 describes the default site templates provided by the Agile Controller-Campus. If
the default templates can meet your requirements, you can skip the template creation.
Otherwise, you can create a site template based on the requirement.


Table 1-34 Default site templates provided by the Agile Controller-Campus

Template name: Single_gateway_mixed_links
  Description: Single gateway with dual hybrid links
  WAN links (device, port, transmission network): Internet (Device1, GE0/0/0, Internet);
  MPLS (Device1, GE0/0/1, MPLS)
  Inter-CPE link (device, port): -

Template name: Single_gateway_mpls_link
  Description: Single gateway with an MPLS link
  WAN links (device, port, transmission network): MPLS (Device1, GE0/0/0, MPLS)
  Inter-CPE link (device, port): -

Template name: Single_gateway_internet_link
  Description: Single gateway with an Internet link
  WAN links (device, port, transmission network): Internet (Device1, GE0/0/0, Internet)
  Inter-CPE link (device, port): -

Template name: Single_gateway_dual_internet_links
  Description: Single gateway with dual Internet links
  WAN links (device, port, transmission network): Internet1 (Device1, GE0/0/0, Internet);
  Internet2 (Device1, GE0/0/1, Internet)
  Inter-CPE link (device, port): -

Template name: Dual_gateways_mixed_links
  Description: Dual gateways with an MPLS link and an Internet link respectively
  WAN links (device, port, transmission network): Internet (Device1, GE0/0/0, Internet);
  MPLS (Device2, GE0/0/0, MPLS)
  Inter-CPE link (device, port): Device1: GE0/0/1, Device2: GE0/0/1

Template name: Single_gateway_internet_link_cloud
  Description: Single gateway with an Internet link
  WAN links (device, port, transmission network): Internet (Device1, GE0/0/0, Internet)
  Inter-CPE link (device, port): -

Template name: Dual_gateways_internet_link_cloud
  Description: Dual gateways with two Internet links
  WAN links (device, port, transmission network): Internet1 (Device1, GE0/0/0, Internet);
  Internet2 (Device2, GE0/0/0, Internet)
  Inter-CPE link (device, port): -

If you configure the same transmission network for physical links, the links can interwork.
This is because, once the same transmission network is configured, the Agile
Controller-Campus generates logical links between the physical links of the same type on the
parent and child site devices, implementing site interconnection.

Prerequisites
Global parameters of sites have been configured. For details, see 1.8.3.2 Setting Global
Parameters.

Procedure
Step 1 Choose Configuration > Site > Template from the main menu.

Step 2 Click Site Template.

Step 3 Click Create to create a site template.


Step 4 Set Template name to the name of the site template to be created.
Step 5 Set Gateway to the gateway type.
Step 6 In the WAN Link area, click Create to create a link between the gateway and WAN.
The parameters that need to be set for the link between the gateway and WAN include the
name, device, port, transmission network of the WAN link, and link role. Multiple WAN links
can be created for each gateway.
At most three links can be created for a single gateway, and at most six links can be created
for dual gateways.

NOTE

Once being configured, all WAN link information (for example, the port and transmission network)
cannot be modified during site creation. Ensure that the WAN link configuration is correct.

Step 7 If Gateway is set to Dual gateways, configure the internal link between the dual gateways.
Otherwise, skip this step.

1. If the LAN-side Layer 2 physical interfaces need to be reused for establishing the
internal link between the dual gateways, enable Reuse LAN-side L2 interface.

STP is enabled on CPEs by default. If the internal link uses two Layer 2 physical
interfaces, the two interfaces are added to the same VLAN. If a loop occurs, STP sets
one physical interface to the Block state; if a user uses this physical interface on
the LAN side, the user traffic may be interrupted. Therefore, the physical interfaces
used by the internal link must be different from those transmitting user service
traffic on the LAN side.

2. Configure reserved VLANs. The internal link between the dual gateways uses the
reserved VLANs.


3. Click Create, configure the internal link between the dual gateways, and configure the
physical interfaces used by the internal link.
At most two internal links can be created between dual gateways.

Step 8 Click OK.

----End

Parameter Description

Table 1-35 Parameters on the Site Template tab page

Template name: Name of a site template.

Gateway: Type of the gateway at a site.
l Single-gateway
l Dual-gateways

WAN Link
  Name: Name of a WAN link.
  Device: Name of the gateway at a site.
  Interface: Type and number of the physical interface used by a WAN-side link.
  NOTICE
  Ensure that the physical interface is a Layer 3 interface. If it is not, log in to the
  device and switch the interface to Layer 3. Otherwise, the configuration fails to be
  delivered.
  Transport Network: Type of the transport network to which a WAN-side physical link
  belongs. Transport networks of the same type must have the same link quality attributes.
  The type identifies networks provided by the same ISP. The network connected by each
  physical link on the WAN side of a site maps to a transport network. If no existing
  transport network type meets the requirements, create a transport network on the Global
  Parameters page.
  Role: Active or standby link. When active and standby links are configured, data travels
  only along the active link by default; if the active link fails, data moves to the
  standby link. In the dual-gateway scenario, the role of all WAN links is active by
  default and cannot be changed. The standby role can be configured only in the
  single-gateway scenario and for only one WAN link, and at least one WAN link must be
  active. A site template with a standby link cannot be selected for a hub site or an
  aggregation site.

Inter-CPE Link
  Reuse LAN-side L2 interface: Whether to reuse Layer 2 physical interfaces on the LAN side
  as the physical interfaces of the internal links between the two gateways. This parameter
  is available only when Gateway is set to Dual gateways.
  l If no direct link is configured between the two gateways, LAN-side links need to be
  reused. The Agile Controller-Campus creates a logical link for each VPN.
  l If direct links are configured between the two gateways, LAN-side links do not need to
  be reused.
  Reserved VLAN: Reserved VLANs for the internal links between the two gateways. This
  parameter is available only when Reuse LAN-side L2 interface is enabled. In a
  dual-gateway scenario, the Agile Controller-Campus creates a separate sub-interface for
  each VPN on the internal-link interfaces to isolate the VPNs, so the number of reserved
  VLANs must equal the number of VPNs.
  Device1 Interface / Device2 Interface: Physical interfaces used by the internal links
  between the two gateways. If two interfaces on a gateway connect to the peer gateway,
  they must be of the same type, and the interface on each gateway must be of the same
  type as the one it connects to on the peer. The interface type depends on whether a
  direct link exists between the gateways:
  l A direct link exists (Reuse LAN-side L2 interface disabled): Layer 3 interfaces must
  be used. After two links are created, the Agile Controller-Campus automatically binds
  them into an Eth-Trunk for link reliability.
  l No direct link exists (Reuse LAN-side L2 interface enabled): Layer 2 interfaces must
  be used.
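Because WAN link information in a template cannot be changed once a site uses it (see the NOTE in Step 6), the constraints from 1.8.3.3 and Table 1-35 are worth checking before clicking OK. The following is an added example in Python, not controller code, that encodes those rules: at most three WAN links for a single gateway and six for dual gateways, Layer 3 WAN interfaces, all links active and at most two internal links in the dual-gateway case, reserved VLANs only with Reuse LAN-side L2 interface and equal in number to the VPNs, internal-link interfaces of one type, at most one standby link (and at least one active) for a single gateway, and no standby-link template for hub or aggregation sites. Interface names such as GE0/0/0 follow the guide's default templates; the LTE interface name, the example's field names and its sample templates are assumptions and constructed data:

```python
"""Consistency checks for a site template against the constraints stated
in 1.8.3.3 and Table 1-35.

Added example, not controller code. Interface names such as GE0/0/0 follow
the guide's default templates; the field names and the LTE interface name
are this example's assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List

MAX_WAN_LINKS = {"Single gateway": 3, "Dual gateways": 6}
MAX_INTERNAL_LINKS = 2
NO_STANDBY_ROLES = {"Hub site", "Aggregation site"}


@dataclass(frozen=True)
class WanLink:
    name: str
    device: str            # "Device1" or "Device2"
    interface: str         # e.g. "GE0/0/0"
    transport_network: str
    role: str = "active"   # "active" or "standby"
    layer3: bool = True    # the guide's NOTICE: WAN interfaces must be Layer 3


@dataclass(frozen=True)
class InternalLink:
    device1_interface: str
    device2_interface: str


@dataclass
class SiteTemplate:
    name: str
    gateway: str           # a key of MAX_WAN_LINKS
    wan_links: List[WanLink]
    reuse_lan_l2: bool = False
    reserved_vlans: List[int] = field(default_factory=list)
    internal_links: List[InternalLink] = field(default_factory=list)


def interface_type(name: str) -> str:
    """'GE0/0/1' -> 'GE', 'XGE0/0/2' -> 'XGE'."""
    m = re.match(r"[A-Za-z-]+", name)
    return m.group(0) if m else ""


def validate_template(tpl: SiteTemplate, vpn_count: int = 1) -> List[str]:
    """Return one message per violated constraint; empty means consistent."""
    errors: List[str] = []
    limit = MAX_WAN_LINKS.get(tpl.gateway)
    if limit is None:
        return [f"unknown gateway type {tpl.gateway!r}"]
    if not tpl.wan_links:
        errors.append("at least one WAN link is required")
    if len(tpl.wan_links) > limit:
        errors.append(f"{len(tpl.wan_links)} WAN links exceed the limit of {limit} for {tpl.gateway}")
    seen = set()
    for link in tpl.wan_links:
        if not link.layer3:
            errors.append(f"WAN link {link.name}: {link.device} {link.interface} must be a Layer 3 interface")
        if (link.device, link.interface) in seen:
            errors.append(f"WAN link {link.name}: {link.device} {link.interface} is used twice")
        seen.add((link.device, link.interface))
    roles = [link.role for link in tpl.wan_links]
    if tpl.gateway == "Dual gateways":
        if any(r != "active" for r in roles):
            errors.append("dual gateways: all WAN links must be active")
        if len(tpl.internal_links) > MAX_INTERNAL_LINKS:
            errors.append(f"at most {MAX_INTERNAL_LINKS} internal links between the gateways")
        if tpl.reuse_lan_l2 and len(tpl.reserved_vlans) != vpn_count:
            errors.append(f"{len(tpl.reserved_vlans)} reserved VLANs for {vpn_count} VPNs (must be equal)")
        if not tpl.reuse_lan_l2 and tpl.reserved_vlans:
            errors.append("reserved VLANs apply only when Reuse LAN-side L2 interface is enabled")
        types = {interface_type(i) for il in tpl.internal_links
                 for i in (il.device1_interface, il.device2_interface)}
        if len(types) > 1:
            errors.append(f"internal-link interfaces must be of one type, found {sorted(types)}")
    else:
        if roles.count("standby") > 1:
            errors.append("single gateway: only one WAN link may be standby")
        if roles and "active" not in roles:
            errors.append("single gateway: at least one WAN link must be active")
        if tpl.internal_links or tpl.reuse_lan_l2:
            errors.append("single gateway: inter-CPE link settings are not applicable")
    return errors


def template_allowed_for_role(tpl: SiteTemplate, site_role: str) -> bool:
    """Hub and aggregation sites cannot use a template that has a standby link."""
    has_standby = any(link.role == "standby" for link in tpl.wan_links)
    return not (has_standby and site_role in NO_STANDBY_ROLES)


if __name__ == "__main__":
    # Constructed branch template: MPLS active, LTE as the single standby link.
    backup = SiteTemplate("Branch_mpls_lte_backup", "Single gateway", [
        WanLink("MPLS", "Device1", "GE0/0/0", "MPLS"),
        WanLink("LTE", "Device1", "Cellular0/0/0", "LTE", role="standby"),
    ])
    print("template errors:", validate_template(backup) or "none")
    for role in ("Branch site", "Hub site"):
        print(f"usable for {role}:", template_allowed_for_role(backup, role))
```

The role check is separate from the template check on purpose: a template can be internally consistent and still be the wrong one to pick in Step 4 of 1.8.3.4 for a hub or aggregation site.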

1.8.3.4 Creating a Site

Context
In V300R003C10 and later versions, cloud sites can be configured on the Agile Controller-
Campus. The AR1000V virtual devices are deployed on the public cloud and managed by the
Agile Controller-Campus in a unified manner. In this case, the public cloud functions as a
cloud site, and is incorporated into the SD-WAN service for centralized management.
Currently, cloud sites can be deployed only in the DSVPN tunnel mode. In later versions, the
EVPN tunnel mode will support cloud site deployment.
Site configuration differs between the DSVPN and EVPN tunnel modes because the two modes
define site roles differently.


l In the DSVPN tunnel mode, site roles include hub site, aggregation site, and branch site.
l In the EVPN tunnel mode, site roles include edge site and vRR site.
– Virtual Route Reflector (vRR): A vRR site is an independent CPE. It distributes
EVPN routes between CPEs based on VPN topology policies.
– Edge: An edge site is a WAN-side router. It establishes secure data channels with
multiple remote edge sites.
You can create sites on the Agile Controller-Campus for unified O&M and management.
Either of the following modes is available for you to create a site:
l Creating sites one by one: You can create sites one by one in scenarios where a small
number of sites need to be added.
l Creating sites in batches: You can create sites in batches in scenarios where a large
number of sites need to be added.

Prerequisites
1. Devices have been added to the Agile Controller-Campus. For details, see 1.8.3.1
Adding Devices.
2. Global parameters have been configured. For details, see 1.8.3.2 Setting Global
Parameters.
3. If the default site template provided by the Agile Controller-Campus does not meet the
site networking requirements, you need to create a template. For details, see 1.8.3.3
(Optional) Customizing a Site Template.

Procedure (Creating Sites One by One)


Step 1 Choose Configuration > Site > Site from the main menu.

Step 2 Click Create to set basic site information on the Site tab page.

Step 3 Set Creation mode to Single.

Step 4 Configure basic site information. Set Name, Site Type, Role, and Site template.
l DSVPN tunnel mode
NOTE

A cloud site can only be deployed as a branch site, and hub sites and aggregation sites must be
common sites.
Only cloud site templates and AR1000V devices can be selected for cloud sites.


l EVPN tunnel mode

NOTE

An edge site must be configured. If you select a vRR site as well, the vRR is deployed at the edge
site.

Step 5 Click More Settings to set Email and Postcode.

Step 6 In the Add Device area, set Device Model and Device ESN(Name) for devices at the site.


Step 7 Click OK.

----End

Procedure (Creating Sites in Batches)


Step 1 Choose Configuration > Site from the main menu.

Step 2 Click Create to set basic site information on the Site tab page.

Step 3 Set Creation mode to Batch.

Step 4 Click the download button to download the site template.

Step 5 Open the downloaded site template and set basic site information, including SiteName, Role,
Site template, Address, Floor, and Device Model.

NOTE

Device ID indicates the line ID of a device, which can be changed directly.


In the EVPN tunnel mode, site roles include edge site and vRR in edge site. A site whose role is vRR in
edge site is an edge site where a vRR is deployed.

Step 6 In the Upload area, upload the configured site template information.

Step 7 Click OK.

----End

Follow-up Procedure

Table 1-36 Follow-up procedure of a site

Modifying a site
  Scenario and constraint: A site can be modified only before it is activated; it cannot be
  modified after activation.
  Procedure:
  1. In the Operation column of the site to be modified, click the modify icon.
  2. Modify the site configuration.
  3. Click OK.

Deleting a site
  Scenario and constraint: A site cannot be deleted in either of the following situations:
  1. The site has sub-sites.
  2. The site has centralized Internet access policies configured.
  After you delete a site, the related site configuration is deleted from the Agile
  Controller-Campus. However, the site configuration already delivered to the devices
  remains on them; click Reset to Deployment State to restore the devices to the
  deployment state.
  Procedure:
  1. In the Operation column of the site to be deleted, click the delete icon.
  2. Click OK.

Parameter Description

Table 1-37 Parameters on the Site page

Name: Site name. It is recommended that you name a site in the format Site role_Geographical
location. A maximum of two hub sites are supported.

Site Type: Type of a site:
l Common site: not deployed on a cloud.
l Cloud site: deployed on Amazon cloud or Huawei cloud.

Role (DSVPN tunnel mode): Role of a site:
l Branch site: an enterprise branch.
l Aggregation site: if a network is large-scale and widely distributed, layer- and
domain-based deployment is needed. An aggregation site connects the branch sites in a region
and connects upstream to a hub site.
l Hub site: usually the enterprise HQ or the data center.
NOTE
A cloud site can only be deployed as a branch site. A common site can be a hub site, an
aggregation site, or a branch site.

Role (EVPN tunnel mode): Role of a site:
l Edge site: a WAN-side router that establishes secure data channels with multiple remote
edge sites.
l vRR site: virtual route reflector. Under the guidance of the Agile Controller-Campus and
based on a user-defined VPN topology policy, vRRs distribute VPN route and tunnel information
to CPEs on demand, so that CPEs at different sites are securely connected on demand.
NOTE
Multiple RRs can be deployed for a tenant, and all RRs of a tenant are connected in
full-mesh mode.
A vRR can be deployed at an edge site; the role of such a site is vRR in edge site. During
configuration, select both an edge site and a vRR site. It is recommended that an edge site
and a vRR site be deployed independently.

Hub site role: Role of a hub site. This parameter is available only when Role is set to Hub
Site. The value can be either of the following:
l Active
l Standby
When dual hub sites are deployed, configure one as Active and the other as Standby to
improve reliability. If all links from a lower-layer site (branch or aggregation site) to the
active hub site fail, data between the lower-layer site and the hub sites passes through the
links to the standby hub site. In a single hub site scenario, only Active can be selected.

Connected with: Parent site of a branch site. This parameter is available only when Role is
set to Branch Site. You can select a hub site or an aggregation site as the parent site.

Site template: Site template. Select a configured site template to define the gateway type,
number of WAN links, and WAN type for a site. If no configured template meets the
requirements, choose Template > Site Template and create one.

WAN Link: WAN link configured in the site template; it cannot be modified here.

Site address: Postal address of a site.

Floor: Floor where a site is located.

More Settings
  Email: Email address to which the deployment email is sent. By default, this address is
  automatically associated during email-based deployment.


Postcode: Postal code of a site, for example, 100000 in China, 951-8073 in Japan, 22162-1010 in the USA, and DN16 9AA in the UK.

Responsible person: Responsible person of a site.

Phone number: Phone number of the responsible person.

Add Device
Device Model: Device model of the gateway at a site. Only the model of a device in the device list can be selected.
Device ESN (Name): ESN and name of the gateway at a site. Only the ESN and name of a device in the device list can be selected.

1.8.3.5 Associating an Edge Site with a vRR

Context
In the EVPN tunnel mode, an edge site needs to be associated with a vRR. Skip this section if
the DSVPN tunnel mode is configured.
All vRRs in a vRR group are interconnected in Full-Mesh mode by default. It is
recommended that vRRs be deployed in different geographical areas.
When associating an edge site with a vRR, adhere to the following rules:
1. An edge site can be associated with a maximum of two vRRs. If two vRRs are associated
with an edge site, it is recommended that one vRR be deployed in the same physical area
with the edge site to decrease delay, and the other vRR be deployed in another physical
area to ensure service reliability through geographic redundancy.
2. One vRR can manage multiple edge sites, and the number of edge sites associated with
each vRR should be balanced.

Procedure
Step 1 Choose Configuration > Site > Site from the main menu.

Step 2 Click Connect to vRR, and the Connect to vRR page is displayed.

Step 3 Select an edge site and click Connect.


Step 4 On the Connect page, select the vRR to be associated with the edge site. Click Detect.

Step 5 Check that Successful is displayed in the Detection Result column.

Step 6 Click OK.

----End

1.8.3.6 Configuring the Network Access Mode for a Site


Configuring WAN-side physical links of a site is the prerequisite for email-based deployment.

Context
Table 1-38 lists the possible status of a site after the site is created based on a template.

Table 1-38 Site status

Site Status: Description

Configuration status: Whether the WAN-side links of the site have been configured. The status icon indicates Unconfigured or Configured.

Activation status: Whether a deployment email has been sent to the site gateway. The status icon indicates Inactivated or Activated.


Prerequisites
Sites have been added successfully. For details, see 1.8.3.4 Creating a Site.

Procedure
Step 1 Choose Configuration > Site > ZTP Configuration from the main menu.

Step 2 Select the site at which you need to configure the network access mode.
1. Click the Not Activated or All tab on the left.
2. Click the expand icon on the left of the site template to display the sites that use that template.
3. Click the site at which you need to configure the network access mode.

Step 3 Configure the WAN-side links for the site.
1. Click the WAN Link tab.
2. Select the link to be configured and click the edit icon in the Operation column.
3. On the Settings tab page, set the parameters of the WAN-side link. The parameters to set depend on the interface type.

NOTE
For a cloud site in DSVPN tunnel mode, only the uplink bandwidth and downlink bandwidth need to be configured. Use the default values for the other parameters.
4. Click OK.
5. Click Apply Changes.
6. After the WAN links are configured, the status icon on the right of the site changes to Configured.
Step 4 (Optional) Configure cloud resources for cloud sites.
1. Set Cloud type and Deployment type.
– If Cloud type is set to Amazon AWS:


i. Click Start Deployment.
ii. In the Deploy window that is displayed, enter the information about the Transit VPC.
iii. Click OK.
– If Cloud type is set to Huawei Cloud:
i. Set IP address of WAN interface and Gateway address of WAN interface of the virtual router.

ii. Click Apply Changes. In the dialog box that is displayed, a message is
displayed, indicating that the Host VPC is deployed successfully.
iii. Click View Configuration.
iv. On the Configure Virtual Router page that is displayed, click Copy to copy
the content of the configuration file.
v. Log in to the Huawei cloud, and deliver the copied configuration file to the
AR1000V deployed on the cloud.

----End

Parameter Description

Table 1-39 Parameters on the WAN Link tab page


Parameter Description

Link name Name of a WAN link. If a WAN link is created using the
default site template, the link name is Internet or MPLS.
If a WAN link is created using a customized site
template, the link name is specified when the template is
created. The parameter value cannot be changed.

Interface: Type and number of the physical interface used by the current link. The parameter value cannot be changed.
NOTICE
Ensure that the interface is a Layer 3 interface. If it is not, log in to the device and switch the interface to a Layer 3 interface. Otherwise, the configuration fails to be delivered.

VPN instance: VPN instance. When you deploy an SD-WAN site using Agile Controller-Campus 2.0, you do not need to set VPN instance names on the GUI. By default, the VPN instance name is automatically set to underlay_Internet or underlay_MPLS. In Agile Controller-Campus 3.0, the VPN instance name is automatically set to a value such as underlay_1 or underlay_2.
To take over existing SD-WAN sites on the live network without redeploying them after the Agile Controller-Campus is upgraded, configure the VPN instances to be the same as those in Agile Controller-Campus 2.0.
You do not need to change VPN instance names for a new site, because the system automatically allocates numbers to these VPN instances.

APN: Multi-APN function of an LTE cellular interface, used to implement data and VoIP communication. This parameter is available only when Interface is set to LTE.


PVC: PVC identified by the specified VPI/VCI values. This parameter is available only when Interface is set to xDSL (ATM).

Sub-interface: Whether to enable sub-interfaces. Currently, only Dot1q sub-interfaces are supported. This parameter is available only when Interface is set to GE, FE, or XGE.

VLAN ID: VLAN ID of a sub-interface. This parameter is available only when Interface is set to GE, FE, or XGE.
NOTE
The name of a sub-interface on a device is automatically generated by the system. It is in the format Device port.ID generated by the system, not Device port.VLAN ID.

Interface protocol: Interface protocol type of the physical link between a CPE and the WAN. This parameter is available only when Interface is set to GE, FE, XGE, xDSL (PTM), or xDSL (ATM).
GE, FE, XGE, and xDSL (PTM) interfaces support the following protocol types:
- IPoE
- PPPoE
xDSL (ATM) interfaces support the following protocol types:
- IPoA
- IPoEoA
- PPPoA
- PPPoEoA

IP address access mode: IP address assignment mode of the interface connecting a CPE to the WAN. This parameter is available only when Interface protocol is set to IPoE or IPoEoA. The options are as follows:
- Static: static IP address configuration. This mode is recommended for a hub site or an aggregation site.
- DHCP: dynamic IP address assignment using DHCP. This mode is recommended for a branch site.

IP address / Subnet mask: IP address statically assigned to the interface connecting a CPE to the WAN, and the corresponding subnet mask. For a hub site or an aggregation site, the IP address must be the same as the value of Public IP. These parameters are available only when Interface protocol is set to IPoE or IPoEoA and IP address access mode is set to Static, or when Interface protocol is set to IPoA.


Default gateway: IP address of the interface used by a PE on the WAN side to communicate with the site. This parameter is available only when Interface protocol is set to IPoE or IPoEoA and IP address access mode is set to Static, or when Interface protocol is set to IPoA.

Mapping peer IP: Peer IP address that is mapped to the PVC. An IP address cannot be mapped to different ATM interfaces on the device; otherwise, forwarding is interrupted. This parameter is available only when Interface is set to xDSL (ATM) and Interface protocol is set to IPoA.

User name / Password: User name and password allocated by the carrier for connecting to the WAN. These parameters are available only when Interface is set to LTE, or when Interface protocol is set to PPPoE, PPPoA, or PPPoEoA.

Negotiation mode: Negotiation mode. This parameter is available only when Interface is set to GE, FE, or XGE. Interfaces at both ends of a link must use the same negotiation mode. If an interface frequently alternates between Up and Down with auto-negotiation enabled, disable auto-negotiation and set the same rate and duplex mode on both interfaces.

Media: Interface working mode. Only combo interfaces support both optical and electrical modes; select either mode based on networking requirements. For other interface types, select a working mode that the interface supports.
NOTE
If an interface cannot work as an optical interface but Media is set to Fiber, the configuration fails to take effect after being delivered to the CPE.

Duplex: Duplex mode. Interfaces at both ends of a link must use the same duplex mode. An optical interface works in full-duplex mode by default. For an electrical interface, select full-duplex or half-duplex according to the actual specifications.

Speed: Interface rate. Interfaces at both ends of a link must use the same rate.


Public IP: IP address used by a CPE to connect to the WAN. This parameter is available only when Interface is set to GE, FE, or XGE. In the DSVPN tunnel mode, only hub sites and aggregation sites need to be configured. In the EVPN tunnel mode, only vRRs need to be configured.
The public IP address can be reached by external systems. A branch site registers with a hub site or an aggregation site through this IP address; an edge site registers with a vRR site through this address.
In the carrier network scenario, the public IP address is uniformly assigned by the carrier. In the enterprise network scenario, an enterprise administrator selects one public IP address from the network segment assigned by the carrier.
In NAT scenarios, Public IP must be set.

Uplink bandwidth / Downlink bandwidth: Maximum uplink and downlink transmission rates, which need to be configured based on the actual link bandwidths.

1.8.3.7 Configuring Time Synchronization for a Site

Context
When an AR reports performance data, it carries timestamps in packets. If the time on the AR
is set incorrectly, the timestamps carried in the performance data do not reflect the actual time
when the administrator views the device performance data. Therefore, you can configure NTP
on the Agile Controller-Campus to synchronize the time among devices.
In the DSVPN tunnel mode, a branch site synchronizes its clock with that of an aggregation
site, the aggregation site synchronizes its clock with that of a hub site, and a hub site
synchronizes its clock with the external clock source. A hub site and an aggregation site can
function as the NTP server or an NTP client. When a cloud site is deployed as a branch site,
clock synchronization is needed.
In the EVPN tunnel mode, an edge site synchronizes its clock with that of a vRR, and a vRR
synchronizes its clock with the external clock source. A vRR can function as an NTP client or
the NTP server.

Procedure
Step 1 Choose Configuration > Site > ZTP Configuration from the main menu.

Step 2 Select a site at which you need to configure time synchronization.

Step 3 Click the NTP tab.


Step 4 Select a time zone for devices at a site from the Time zone drop-down list.

Step 5 When a site functions as an NTP server, set relevant parameters about the NTP server.
Set parameters including NTP authentication.
Step 6 When a site functions as an NTP client, set relevant parameters about the NTP client.
Set parameters including NTP client mode.
Step 7 Click Apply Changes.

----End

Parameter Description

Table 1-40 Parameters on the NTP tab page


Parameter: Description

Time zone: Time zone of devices at a site.

DST: Daylight saving time (DST). This parameter specifies whether to set DST.

Configurations of a site when it functions as an NTP server
NTP authentication: Whether to enable a site as an NTP server and enable NTP authentication. On a network that requires high security, NTP identity authentication must be enabled. During authentication, the authentication password and authentication key ID configured on the NTP client are matched against those on the NTP server; if both are the same on the client and the server, the authentication succeeds. With password authentication between the NTP client and NTP server, the client synchronizes its clock only with a server that has been successfully authenticated, so an unauthenticated source cannot shift the clocks of the site devices.
By default, the system uses the HMAC-SHA256 authentication algorithm, which is more secure than MD5.
Authentication password: Password used for NTP identity authentication.
Authentication key id: Key ID used for NTP identity authentication. When a site functions as both the NTP client and the NTP server, different authentication key IDs must be configured for the two roles.


Configurations of a site when it functions as an NTP client
NTP client mode: Mode in which a site functions as an NTP client:
- Manual configuration: The site functions as an NTP client and the NTP server must be specified manually. In the DSVPN tunnel mode, you are advised to configure a hub site as an NTP client that synchronizes its clock with an NTP server on the public network. In the EVPN tunnel mode, you are advised to configure a vRR as an NTP client that synchronizes its clock with an NTP server on the public network.
- Automatic synchronization with the parent site: The site functions as an NTP client and its parent site functions as the NTP server. This mode is the default setting. In the DSVPN tunnel mode, only aggregation and branch sites support this mode. In the EVPN tunnel mode, edge sites use this mode by default.
- Disabled: The site does not function as an NTP client and does not perform clock synchronization.

NTP client (these parameters are available only when NTP client mode is set to Manual configuration)
Device: CPE that functions as the NTP client.
WAN Link: WAN-side link connecting the site to the NTP server.
NTP Server Address: IP address of the NTP server.
Authentication: Whether to enable the authentication function. If NTP identity authentication is enabled on the NTP server, authentication must also be enabled on the NTP client. Otherwise, clock synchronization cannot be performed.
Mode: Authentication mode, which can be MD5 or HMAC-SHA256. The mode selected must be the same as the one enabled on the NTP server. HMAC-SHA256, the server-side default, is recommended.
Authentication Password: Password used for NTP identity authentication.
Authentication Key ID: Key ID used for NTP identity authentication.
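The NTP authentication rows above describe the check in terms of a key ID and password that must agree on client and server, and a mode that must be the same at both ends. The following Python example is added here to show that check on the wire; it is not code from this guide or from the Agile Controller-Campus. It builds a 48-byte NTP v4 header, appends an authenticator (4-byte key ID followed by a digest), and verifies it the way an authenticating peer would: look up the key ID, confirm the mode, recompute the digest, and compare in constant time. The MD5 form follows RFC 5905 (MD5 over key followed by header, not an HMAC); the HMAC-SHA256 form is an assumption made for illustration, since the guide does not state how its HMAC-SHA256 mode is computed. The key table, passwords and timestamps are constructed sample values, and the function names are the example's own.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48

# Constructed sample key table, keyed by authentication key ID. Each
# (mode, password) pair stands in for the Authentication key id,
# Authentication password and Mode settings of the NTP tab; the values
# are invented for this example.
KEYS = {
    1: ("md5", b"ntp-legacy-secret"),
    2: ("hmac-sha256", b"ntp-strong-secret"),
}


def build_ntp_header(transmit_ts, mode=4, stratum=2):
    """Build a minimal 48-byte NTP v4 header (mode 4 = server reply).
    Only LI/VN/mode, stratum and the transmit timestamp are filled in;
    the remaining fields stay zero, which is enough to show authentication."""
    li_vn_mode = (0 << 6) | (4 << 3) | mode
    first_word = struct.pack("!BBbb", li_vn_mode, stratum, 0, 0)
    middle = b"\x00" * 36  # root delay/dispersion, ref ID, ref/origin/receive timestamps
    return first_word + middle + struct.pack("!Q", transmit_ts)


def ntp_digest(mode, key, header):
    """Digest over the header for the given authentication mode."""
    if mode == "md5":
        # RFC 5905 Appendix A: MD5 over key || header, 16-byte digest (not an HMAC)
        return hashlib.md5(key + header).digest()
    if mode == "hmac-sha256":
        # Assumption for this example: HMAC-SHA256 keyed with the password,
        # 32-byte digest; the guide does not specify the exact construction.
        return hmac.new(key, header, hashlib.sha256).digest()
    raise ValueError("unsupported mode: %s" % mode)


def authenticate(header, key_id):
    """Append the authenticator: 4-byte key ID followed by the digest."""
    mode, key = KEYS[key_id]
    return header + struct.pack("!I", key_id) + ntp_digest(mode, key, header)


def verify(packet, expected_mode):
    """Verify a received packet as an authenticating peer would.
    Returns (accepted, reason). Rejection cases: no authenticator present
    (this side has authentication enabled but the sender does not), an
    unknown key ID, a mode mismatch between client and server, or a digest
    that does not match (wrong password or a packet modified in transit)."""
    if len(packet) < NTP_HEADER_LEN + 4:
        return False, "no authenticator"
    header = packet[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])[0]
    received = packet[NTP_HEADER_LEN + 4:]
    entry = KEYS.get(key_id)
    if entry is None:
        return False, "unknown key id %d" % key_id
    mode, key = entry
    if mode != expected_mode:
        return False, "mode mismatch: %s vs %s" % (mode, expected_mode)
    expected = ntp_digest(mode, key, header)
    # Constant-time comparison so a forger learns nothing from timing.
    if not hmac.compare_digest(expected, received):
        return False, "bad digest"
    return True, "ok"


if __name__ == "__main__":
    reply = build_ntp_header(transmit_ts=0xE3D4000000000000)
    good = authenticate(reply, 2)
    print("authentic reply:", verify(good, "hmac-sha256"))
    forged = good[:1] + b"\x01" + good[2:]  # stratum field altered in transit
    print("tampered reply:", verify(forged, "hmac-sha256"))
    print("unauthenticated reply:", verify(reply, "hmac-sha256"))
```

Running it prints an accepted reply, then a rejection for a reply whose stratum field was altered in transit, then a rejection for a reply carrying no authenticator at all, which is what the Authentication row above means by "clock synchronization cannot be performed" when only one side has authentication enabled.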

1.8.3.8 Configuring the Underlay Network


NOTE

Skip this section if you plan to deploy cloud sites. The underlay network configuration is not required
for cloud sites.


1.8.3.8.1 Configuring WAN Interfaces

Procedure
Step 1 Choose Configuration > Site > Underlay Configuration from the main menu.

Step 2 Select the site for which underlay need to be configured.

Step 3 Click the Basic Info tab and set the parameter indicating whether to enable the FPI function
for devices under the site.
Step 4 Configure WAN interface parameters for a site's underlay network.
1. Click the WAN Interface tab.

2. In the Operation column, click the edit icon and modify the WAN interface parameters.


NOTE

The values of Negotiation mode, Uplink bandwidth, and Downlink bandwidth are the same as
those configured in 1.8.3.6 Configuring the Network Access Mode for a Site by default. You
can modify these parameters on this page.

Step 5 (Optional) Configure an Eth-trunk interface for the site if the site is connected to a transport
network through an Eth-trunk interface.
1. Click the Eth-Trunk tab.
2. Click Create and enter basic information about the Eth-Trunk.


3. Click OK.
4. Click Apply Changes.

----End

Parameter Description

Table 1-41 Parameters on the Basic Info tab page

Parameter Description

FPI Enable By default, a CPE uses FPI to identify packets received on its WAN
interfaces. The CPE first tries to identify packets using FPI. If the
CPE cannot identify the application to which the packets belong, it
uses DPI for in-depth identification. If FPI is disabled, the CPE uses
DPI directly.

Table 1-42 Parameters on the Set WAN Interface page under the WAN Interface tab page

Parameter: Description

Negotiation mode, Media, Duplex, Speed, Uplink bandwidth, Downlink bandwidth: These parameters have the same meanings on the ZTP Configuration and Underlay Configuration tab pages; see the ZTP Configuration tab page for details. After site deployment, modify these parameters on the Underlay Configuration tab page.

MTU: Maximum transmission unit of a WAN interface of a site.

MSS: Maximum segment size of a TCP packet on a WAN interface of a site.

Table 1-43 Parameters on the Eth-Trunk tab page

Parameter Description

Device Site gateway on which an Eth-trunk needs to be created.

Eth-Trunk ID: ID of an Eth-Trunk. In a dual-gateway scenario, if the two gateways are connected through two Layer 3 physical links, the system automatically creates Eth-Trunk 0 for the two gateways. In that scenario, you cannot create an Eth-Trunk with ID 0.

Eth-Trunk type Type of an Eth-Trunk interface, Layer 2 or Layer 3.

Physical interface Physical member interface of an Eth-Trunk. A maximum of eight member interfaces can
be added to an Eth-Trunk. The signal types of all member interfaces must be the same. If
a Layer 2 Eth-Trunk is configured, its member interfaces must be Layer 2 physical
interfaces. If a Layer 3 Eth-Trunk is configured, its member interfaces must be Layer 3
physical interfaces.

1.8.3.8.2 Configuring Underlay Routes (OSPF)


This section describes how to configure WAN-side underlay routes.

Prerequisites
1. Sites have been added successfully. For details, see 1.8.3.4 Creating a Site.
2. Site WAN links have been configured. For details, see 1.8.3.6 Configuring the Network
Access Mode for a Site.

Procedure
Step 1 Choose Configuration > Site > Underlay Configuration from the main menu.

Step 2 Select the site for which underlay need to be configured.

Step 3 Click WAN Route.


Step 4 On the WAN Route tab, click Click Here to Add WAN-Route.

Step 5 Select OSPF from the Protocol drop-down list and click OK.

Step 6 On the OSPF tab page, click Create and set related parameters.

Step 7 Click OK.

Step 8 Click Apply Changes.

----End

Parameter Description

Table 1-44 Parameters on the Create OSPF page under the WAN Route tab page
Parameter Description

Device: CPE on which an OSPF route needs to be configured.

Process ID: OSPF process ID.
- In the DSVPN tunnel mode, if OSPF routes are deployed on an underlay network, the process ID is in the range from 501 to 1000. If OSPF routes are deployed on an overlay network, the process ID is in the range from 1001 to 65535.
- In the EVPN tunnel mode, if OSPF routes are deployed on an underlay network, the process ID is in the range from 20001 to 30000. If OSPF routes are deployed on an overlay network, the process ID is in the range from 1 to 20000.


WAN Link: Link with OSPF enabled. If the WAN link is specified, the interface on which OSPF needs to be enabled is determined accordingly. An interface can be bound to only one OSPF process.

Common Parameter
Default route advertisement: Whether to advertise the default route to common OSPF areas. After default route advertisement is enabled, the device keeps advertising OSPF default routes.
Default route cost: Cost of an advertised OSPF default route.
Internal preference: Priority of OSPF routes (excluding AS-external routes). A smaller value indicates a higher priority.
ASE preference: Priority of OSPF AS-external routes. A smaller value indicates a higher priority.

Interface Parameter
Area ID: OSPF area ID.
Interface Name: Name of the interface with OSPF enabled. You do not need to set this parameter; the system sets it automatically based on the value of WAN Link.
Authentication Mode: Authentication mode. When authentication is configured, OSPF packets must pass authentication before a neighbor relationship can be established, so that an unauthorized router on the WAN segment cannot inject or withdraw underlay routes. The authentication modes that can be used in an OSPF area are as follows:
- None: Authentication is not performed on OSPF packets.
- Simple: A password needs to be configured. The password is carried in clear text in every OSPF packet.
- Cryptographic: The MD5, HMAC-MD5, or HMAC-SHA256 authentication mode can be selected.
NOTE
The simple, MD5, and HMAC-MD5 authentication modes may pose potential security risks. As such, the HMAC-SHA256 authentication mode is recommended.
Key: Key for cipher-text authentication on an interface. This parameter is available only when the authentication mode is set to Cryptographic.
Password: Password for cipher-text authentication. This parameter is available only when the authentication mode is set to Simple or Cryptographic.
Hello Timer: Interval at which the interface sends Hello packets, in seconds.
DR Priority: Priority of the interface in Designated Router (DR) election. The DR priority determines whether the interface participates in DR election. If the DR priority is 0, the router where the interface is located cannot be elected as a DR or BDR.
Cost: OSPF cost of the interface. The cost specified here is added to the costs of OSPF routes learned on the interface.

Route Redistribute
Protocol: Protocol of the routes to be redistributed. Static, OSPF, BGP, and direct routes are supported for redistribution.
Process ID: Process ID of the imported OSPF route. This parameter is available only when the protocol is OSPF.


Cost: Cost of an imported route. The value of this parameter overwrites the cost in the original route.

Routing Policy
Export
Export: Whether to filter the routes to be advertised. When an SD-WAN site communicates with a traditional site, OSPF can be used to control access paths. In the scenario where the current SD-WAN site has established a neighbor relationship with a traditional site, you can enable or disable this parameter to control the advertisement of underlay OSPF routing information. That is, after this parameter is enabled, the site advertises only the routes required by itself or by its neighbor. In this way, access from the traditional site to the LAN-side network segments of the SD-WAN site can be controlled.
Type: Type. Routes can be filtered only by IP address prefix.
IP prefix list: Routing range. You can specify a routing range by setting the following parameters. The parameter values must meet the following condition: Mask ≤ Greater-equal ≤ Less-equal.
- IP Address/Mask: IP address and mask of the network segment.
- Greater-equal: minimum prefix length of the routes to match within the network segment.
- Less-equal: maximum prefix length of the routes to match within the network segment.
Filtering type: Mode for filtering the OSPF routes advertised to the underlay network:
- Blacklist: The site is allowed to advertise only OSPF routes not in the network segment specified by IP prefix list.
- Whitelist: The site is allowed to advertise only OSPF routes in the network segment specified by IP prefix list.
Cost: Cost of the routing policy, which is used as the cost of the OSPF routes advertised by the interface. This parameter is available only when Filtering type is set to Whitelist.

Import
Import: Whether to filter the routes to be received. When an SD-WAN site communicates with a traditional site, OSPF can be used to control access paths. In the scenario where the current SD-WAN site has established a neighbor relationship with a traditional site, you can enable or disable this parameter to control the reception of underlay OSPF routing information. That is, after this parameter is enabled, the site receives only the routes it requires. In this way, access from the SD-WAN site to the LAN-side network segments of the traditional site can be controlled.
Type: Type. Routes can be filtered only by IP address prefix.
IP prefix list: Routing range. You can specify a routing range by setting the following parameters. The parameter values must meet the following condition: Mask ≤ Greater-equal ≤ Less-equal.
- IP Address/Mask: IP address and mask of the network segment.
- Greater-equal: minimum prefix length of the routes to match within the network segment.
- Less-equal: maximum prefix length of the routes to match within the network segment.
Filtering type: Mode for filtering the OSPF routes received from the underlay network:
- Blacklist: The site is allowed to receive only OSPF routes not in the network segment specified by IP prefix list.
- Whitelist: The site is allowed to receive only OSPF routes in the network segment specified by IP prefix list.
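The IP prefix list and Filtering type rows above define the routing range as an address/mask plus Greater-equal and Less-equal prefix lengths, with Mask ≤ Greater-equal ≤ Less-equal, and then apply it as a blacklist or whitelist; the BGP export policy in 1.8.3.8.3 uses the same prefix-list semantics. The following Python example is added here to show that matching and filtering on a constructed route table; it is not code from this guide or from the Agile Controller-Campus. Running it as an export whitelist shows which LAN-side segments a traditional-site neighbor would learn, and as an import blacklist which of the neighbor's routes are refused. The route list and prefix-list entries are constructed sample values, the ge/le defaults follow the usual router behaviour (exact match when neither is given, up to the maximum length when only ge is given), and the function names are the example's own.

```python
import ipaddress

# Constructed sample routes that a site's underlay could hold; the
# addresses are invented for this example.
SITE_ROUTES = [
    "10.1.0.0/16",     # LAN summary of this SD-WAN site
    "10.1.10.0/24",    # one LAN segment
    "10.1.10.128/25",  # a smaller LAN segment
    "10.2.0.0/16",     # another site's LAN, learned over the overlay
    "192.0.2.0/24",    # unrelated prefix
]


def prefix_entry(ip_mask, greater_equal=None, less_equal=None):
    """One IP prefix list entry, returned as (network, ge, le).
    With neither ge nor le the entry matches the exact prefix only; with ge
    alone, le defaults to the maximum length (host routes included), as on
    most routers. The guide's condition Mask <= Greater-equal <= Less-equal
    is enforced so that a misordered entry is rejected instead of silently
    matching nothing."""
    net = ipaddress.ip_network(ip_mask, strict=True)
    if greater_equal is None and less_equal is None:
        ge = le = net.prefixlen
    else:
        ge = net.prefixlen if greater_equal is None else greater_equal
        le = net.max_prefixlen if less_equal is None else less_equal
    if not net.prefixlen <= ge <= le <= net.max_prefixlen:
        raise ValueError("entry %s ge %d le %d violates mask <= ge <= le"
                         % (ip_mask, ge, le))
    return net, ge, le


def matches(entry, route):
    """A route matches when it lies inside the entry's network and its
    prefix length is within [ge, le]."""
    net, ge, le = entry
    r = ipaddress.ip_network(route, strict=True)
    return r.version == net.version and r.subnet_of(net) and ge <= r.prefixlen <= le


def filter_routes(routes, prefix_list, filtering_type):
    """Apply the prefix list as an export or import filter.
    whitelist: only routes matching some entry pass.
    blacklist: only routes matching no entry pass.
    Returns the routes that pass, in their original order."""
    if filtering_type not in ("whitelist", "blacklist"):
        raise ValueError("filtering type must be whitelist or blacklist")
    want_hit = filtering_type == "whitelist"
    return [rt for rt in routes
            if any(matches(e, rt) for e in prefix_list) == want_hit]


if __name__ == "__main__":
    # Export policy: the traditional-site neighbour should learn only the
    # /24 LAN segments inside 10.1.0.0/16, not the summary and nothing smaller.
    export_list = [prefix_entry("10.1.0.0/16", greater_equal=24, less_equal=24)]
    print("advertised (whitelist):", filter_routes(SITE_ROUTES, export_list, "whitelist"))
    # Import policy: refuse anything the neighbour sends from 10.2.0.0/16,
    # whatever its prefix length.
    import_list = [prefix_entry("10.2.0.0/16", greater_equal=16)]
    print("accepted (blacklist):", filter_routes(SITE_ROUTES, import_list, "blacklist"))
```

Note that the /16 summary itself does not pass the export whitelist, because its prefix length of 16 is outside the Greater-equal/Less-equal window of 24 to 24; to also advertise the summary, add a second exact-match entry for it.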

1.8.3.8.3 Configuring Underlay Routes (BGP)

Procedure
Step 1 Choose Configuration > Site > Underlay Configuration from the main menu.

Step 2 Select the site for which underlay need to be configured.

Step 3 Click WAN Route.

Step 4 On the WAN Route tab, click Click Here to Add WAN-Route.

Step 5 Select BGP from the Protocol drop-down list and click OK.

Step 6 On the BGP tab page, click Create and set related parameters.

Step 7 Click OK.

Step 8 Click Apply Changes.

----End


Parameter Description

Table 1-45 Parameters on the BGP page under the WAN Route tab page
Parameter Description

Advanced Settings
External preference: Priority of EBGP routes. You can set different priorities for different devices. For a dual-gateway site, you can specify a separate EBGP route priority for each gateway.
Default route redistribution: Whether to redistribute the default routes in the local IP routing table to the BGP routing table.
Route redistribution: Protocol of the routes to be imported. Static and direct routes can be imported.
Aggregation route: Route obtained by summarizing specific routes in the local BGP routing table. The system advertises only the summarized route and suppresses the advertisement of all specific routes within it. You can specify the IP addresses and masks of multiple summarized routes.

Table 1-46 Parameters on the Create BGP page under the WAN Route tab page
Parameter Description

Device: CPE on which a BGP route needs to be configured.

Peer IP: IP address of the peer device. In most cases, a BGP peer relationship is established between the current SD-WAN site and a traditional site.

Peer AS: AS number of the peer device.

Local AS: Fake AS number of the local device. Typically, a device supports only one BGP process, that is, only one AS number. In some special cases, for example when AS numbers need to be changed during network migration, you can set a fake AS number for a specified peer to ensure successful network migration. If this parameter is left empty, the AS number in the global configuration is used by default.

Keepalive time (s): Interval for sending Keepalive packets to the peer. After establishing a BGP connection, two peers periodically send Keepalive messages to each other to detect the status of the BGP connection. If a device receives no Keepalive message or any other type of packet from its peer within the hold time, the device considers the BGP connection terminated and closes it.

Hold time (s): Hold time. The hold time should be at least three times the Keepalive time.

MD5 encrypt: Whether to use MD5 authentication between BGP peers. If this parameter is enabled, you need to enter the password in ciphertext.

WAN link: Link where an EBGP route is to be deployed.

Routing Policy > Export > Export: Whether to filter routes to be advertised. When an SD-WAN site communicates with a traditional site, BGP can be used to control access paths. In the scenario where the current SD-WAN site has established a neighbor relationship with a traditional site, you can enable or disable this parameter to control the advertisement of underlay OSPF routing information. That is, after this parameter is enabled, the site advertises only the routes required by itself or by its neighbor. In this way, access from the traditional site to LAN-side network segments of the SD-WAN site can be controlled.

Routing Policy > Export > Match > Type: Type. Routes can be filtered only by IP address prefix.

Routing Policy > Export > Match > IP prefix list: Routing range. You can specify a routing range by setting the following parameters. The parameter values must meet the following condition: Mask ≤ Greater-equal ≤ Less-equal.
- IP Address/Mask: IP address and mask
- Greater-equal: minimum mask to specify a smaller network segment
- Less-equal: maximum mask to specify a smaller network segment

Routing Policy > Export > Apply > Filtering type: Mode for filtering BGP routes advertised to the underlay network:
- Blacklist: The site is allowed to advertise only BGP routes not in the network segment specified by IP prefix list.
- Whitelist: The site is allowed to advertise only BGP routes in the network segment specified by IP prefix list.

Routing Policy > Export > Apply > MED: MED value of a BGP route in the network segment specified in IP prefix list. Similar to the metric of an IGP, the MED value is used to determine the optimal route for traffic entering an AS. When a BGP-enabled device obtains multiple routes to the same destination address but with different next hops from EBGP peers, it selects the route with the smallest MED value as the optimal route. This parameter is available only when Filtering type is set to Whitelist.

Routing Policy > Export > Apply > Community: Community attribute to be added to a BGP route in the network segment specified in IP prefix list. The community attribute is a private BGP route attribute. It is transmitted between BGP peers and is not restricted to within an AS. The community attribute allows a group of BGP-enabled devices in multiple ASs to share the same routing policies, which makes routing policies flexible to use and simple to maintain and manage. This parameter is available only when Filtering type is set to Whitelist.

Routing Policy > Export > Apply > AS Path: AS path of a BGP route in the network segment specified in IP prefix list. The AS_Path attribute records the numbers of all ASs that a route passes through, from the source to the destination, in vector order. You can configure the AS_Path attribute to implement flexible route selection. This parameter is available only when Filtering type is set to Whitelist.

Routing Policy > Import > Import: Whether to filter routes to be imported. When an SD-WAN site communicates with a traditional site, BGP can be used to control access paths. In the scenario where the current SD-WAN site has established a neighbor relationship with a traditional site, you can enable or disable this parameter to control the reception of underlay OSPF routing information. That is, after this parameter is enabled, the site receives only the routes it requires. In this way, access from the SD-WAN site to LAN-side network segments of the traditional site can be controlled.

Routing Policy > Import > Match > Type: Type. Routes can be filtered only by IP address prefix.

Routing Policy > Import > Match > IP prefix list: Routing range. You can specify a routing range by setting the following parameters. The parameter values must meet the following condition: Mask ≤ Greater-equal ≤ Less-equal.
- IP Address/Mask: IP address and mask
- Greater-equal: minimum mask to specify a smaller network segment
- Less-equal: maximum mask to specify a smaller network segment

Routing Policy > Import > Apply > Filtering type: Mode for filtering BGP routes received from the underlay network:
- Blacklist: The site is allowed to receive only BGP routes not in the network segment specified by IP prefix list.
- Whitelist: The site is allowed to receive only BGP routes in the network segment specified by IP prefix list.
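The Export and Import filtering described in Table 1-46, worked through as an added example (this is not Huawei code): it validates the Mask ≤ Greater-equal ≤ Less-equal rule for each IP prefix list row, matches routes against the list, and applies Whitelist or Blacklist filtering, stamping MED and community only in Whitelist mode. The prefix-list match semantics and the ge/le defaults are assumptions about how the controller applies the list, and the sample routes and entries are constructed.

```python
"""Prefix-list route filtering in the style of the Export/Import routing policy.

Assumptions (not stated in the guide): standard prefix-list matching, i.e. a route
matches an entry when it lies inside IP Address/Mask and its own mask length is
within [Greater-equal, Less-equal]; ge/le defaults follow common router behaviour.
"""
from dataclasses import dataclass, replace
from ipaddress import IPv4Network
from typing import List, Optional


@dataclass(frozen=True)
class PrefixEntry:
    """One IP prefix list row: IP Address/Mask, Greater-equal, Less-equal."""
    network: IPv4Network
    greater_equal: int
    less_equal: int

    def __post_init__(self) -> None:
        # Condition given in Table 1-46: Mask <= Greater-equal <= Less-equal.
        mask = self.network.prefixlen
        if not mask <= self.greater_equal <= self.less_equal <= 32:
            raise ValueError(
                f"invalid entry {self.network}: need Mask({mask}) <= "
                f"Greater-equal({self.greater_equal}) <= Less-equal({self.less_equal})")

    def matches(self, route: IPv4Network) -> bool:
        # Assumed prefix-list semantics: route inside the entry's network and
        # route mask length within [ge, le].
        return (route.subnet_of(self.network)
                and self.greater_equal <= route.prefixlen <= self.less_equal)


def parse_entry(text: str) -> PrefixEntry:
    """Parse 'A.B.C.D/M [ge X] [le Y]'.

    Assumed defaults: neither ge nor le -> exact mask length only;
    ge without le -> le = 32; le without ge -> ge = M.
    """
    parts = text.split()
    network = IPv4Network(parts[0], strict=True)
    ge: Optional[int] = None
    le: Optional[int] = None
    for key, val in zip(parts[1::2], parts[2::2]):
        if key == "ge":
            ge = int(val)
        elif key == "le":
            le = int(val)
        else:
            raise ValueError(f"unknown keyword {key!r} in {text!r}")
    ge_given = ge is not None
    if ge is None:
        ge = network.prefixlen
    if le is None:
        le = 32 if ge_given else ge
    return PrefixEntry(network, ge, le)


def entry_is_valid(text: str) -> bool:
    """True if the row parses and satisfies Mask <= Greater-equal <= Less-equal."""
    try:
        parse_entry(text)
        return True
    except ValueError:
        return False


@dataclass
class BgpRoute:
    prefix: IPv4Network
    med: Optional[int] = None
    community: Optional[str] = None


def apply_policy(routes: List[BgpRoute], prefix_list: List[PrefixEntry],
                 filtering_type: str, med: Optional[int] = None,
                 community: Optional[str] = None) -> List[BgpRoute]:
    """Return the routes the site may advertise (Export) or accept (Import).

    Whitelist keeps only matched routes and may stamp MED/community on them;
    Blacklist keeps only unmatched routes, and MED/community do not apply.
    """
    if filtering_type not in ("Whitelist", "Blacklist"):
        raise ValueError(f"unknown Filtering type {filtering_type!r}")
    if filtering_type == "Blacklist" and (med is not None or community is not None):
        raise ValueError("MED and community are available only when Filtering type is Whitelist")
    kept: List[BgpRoute] = []
    for route in routes:
        matched = any(entry.matches(route.prefix) for entry in prefix_list)
        if filtering_type == "Whitelist" and matched:
            kept.append(replace(route,
                                med=route.med if med is None else med,
                                community=route.community if community is None else community))
        elif filtering_type == "Blacklist" and not matched:
            kept.append(route)
    return kept


# Constructed sample data (not from the guide).
SAMPLE_PREFIX_LIST = [parse_entry("10.1.0.0/16 ge 24 le 26"), parse_entry("192.168.5.0/24")]
SAMPLE_ROUTES = [BgpRoute(IPv4Network(p)) for p in
                 ("10.1.0.0/16", "10.1.2.0/24", "10.1.2.0/26", "172.16.0.0/12", "192.168.5.0/24")]


def advertised_prefixes(filtering_type: str) -> List[str]:
    """Prefixes left after applying the sample list with the given Filtering type."""
    return [str(r.prefix) for r in apply_policy(SAMPLE_ROUTES, SAMPLE_PREFIX_LIST, filtering_type)]


if __name__ == "__main__":
    print("Whitelist:", advertised_prefixes("Whitelist"))
    print("Blacklist:", advertised_prefixes("Blacklist"))
```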

1.8.3.8.4 Configuring Underlay Routes (Static Routes)

Procedure
Step 1 Choose Configuration > Site > Underlay Configuration from the main menu.

Step 2 Select the site for which the underlay needs to be configured.

Step 3 Click WAN Route.

Step 4 On the WAN Route tab, click Click Here to Add WAN-Route.

Step 5 Select Static from the Protocol drop-down list and click OK.


Step 6 On the Static tab page, click Create and set related parameters.

Step 7 Click OK.

Step 8 Click Apply Changes.

----End

Parameter Description

Table 1-47 Parameters on the Create Static Routes page under the WAN Route tab page
Parameter Description

Device: CPE on which a static route needs to be configured.

Priority: Priority of a static route. The value is an integer that ranges from 1 to 255. A smaller value indicates a higher priority. If you specify the same priority for static routes with the same destination, load balancing can be implemented among these routes. If you specify different priorities for multiple static routes with the same destination, backup can be implemented among these routes.

WAN Link: Link where a static route is to be deployed.

Destination address/mask: Destination IP address and mask of a static route.

Next-Hop > Next-hop type: Type of the next hop in a static route. The value black_hole indicates that packets destined for the destination network segment will be discarded. For example, it can be used to block packets destined for a particular website.

Next-Hop > IP address: Next-hop IP address of a static route. This parameter is available only when Next-hop type is set to IP address.

Track: Whether to associate a static route with an NQA test instance.

Target: Destination address in an NQA test instance. If a static route is associated with an NQA test instance, only ICMP test instances can be used to check whether there are reachable routes between the source and destination.

1.8.3.9 Creating an Overlay Network

1.8.3.9.1 Configuring a VPN

Context
Services of multiple departments of an enterprise need to be isolated from each other.
Therefore, multiple SD-WAN overlay networks need to be constructed by using VPNs of
departments.

Procedure
Step 1 Choose Configuration > Overlay Network > VPN from the main menu.

Step 2 Click Create to create a department.

Step 3 Enter a department name in Name.

Step 4 In the Sites area, select the site to which the department belongs, including common sites and
cloud sites.
NOTE

A Huawei cloud site can be added to only one non-default VPN.

Step 5 Click OK.

----End


1.8.3.9.2 Configuring an Overlay Topology


An inter-site interconnection topology model needs to be configured based on service
communication requirements.

Context
Currently, there are four typical topology models for interconnection between sites. In the
DSVPN tunnel mode, only the Hub-Spoke and Full-Mesh topology models are supported. In
the EVPN tunnel mode, all four models are supported.

l Hub-Spoke: This model is applicable to scenarios where mutual access traffic between
all branch sites of an enterprise must pass through the headquarters site for centralized
security monitoring.
l Full-Mesh: This model is applicable to scenarios where all sites of an enterprise need to
directly access each other. This model eliminates the delay of traffic transmission
through the headquarters site.
l Hierarchical topology: This model is applicable to large-scale multi-area enterprise
networks, on which enterprise sites are connected to each other through a hub area and
sites in different areas access each other through this hub area.
l Partial-Mesh: This model is applicable to scenarios where most sites of an enterprise
need to directly access each other, while some other sites need to communicate with each
other through a third site.
NOTE

In the DSVPN tunnel mode, the topology model can be configured only at hub sites or aggregation sites.
In the EVPN tunnel mode, only edge sites are included in the topology planning. A vRR is a route
reflector and is not included in the overlay topology planning.

Procedure (DSVPN Tunnel Mode)


Step 1 Choose Configuration > Overlay Network > Site Configuration from the main menu.

Step 2 Click the VPN tab to enter department information.

Step 3 Click the Basic tab, and configure the topology model.

----End

Procedure (EVPN Tunnel Mode)


Step 1 Choose Configuration > Overlay Network > Topology from the main menu.

Step 2 In the VPN area, select the department to be configured.


Step 3 Click Predefine Topology.

Step 4 Set Mode.

- Simple Mode: In this mode, the Hub-Spoke and Full-Mesh topology models can be configured.
  a. Set Topology mode.
     - In the Hub-Spoke topology model, you need to configure a hub site and branch sites.
     - In the Full-Mesh topology model, a branch site must be configured, and you can choose whether to configure a redirect site.
  b. Click Apply Changes.

- Advanced Mode: In this mode, the hierarchical topology can be configured.
  a. Configure an area topology.
     i. Click Create on the Area Topology tab page.
        NOTE
        - If Mode is set to Simple Mode in the initial configuration, the system automatically creates a default area in the advanced mode. The topology model and sites in the default area are those configured in the simple mode. To switch the department topology from Simple Mode to Advanced Mode, you can create an area and configure interconnection between this area and the default area.
        - If Mode is set to Advanced Mode in the initial configuration, you cannot switch to Simple Mode.
     ii. Enter an area name, set the topology model, and configure hub sites, branch sites, and redirect sites as required. The operations are similar to those performed for Simple Mode.
     iii. (Optional) Enable the area interconnection function and configure the relationship between edge sites and other sites.
  b. Enable Area interconnection, that is, the interconnection mode of edge sites in each area.
     i. Click the Area Interconnection tab.
     ii. Set Topology mode.
        - In the Hub-Spoke topology model, configure a hub site.
        - In the Full-Mesh topology model, you can choose whether to configure a redirect site.

----End

Parameter Description

Table 1-48 Parameters on the Topology tab page in the EVPN tunnel mode
Parameter Description

Predefine Topology > Simple Mode: Simple mode. This mode applies to small- and medium-sized enterprises that use a single-layer network model.

Predefine Topology > Simple Mode > Topology mode: Topology mode.
- Hub-Spoke: This model is applicable to scenarios where mutual access traffic between all branch sites of an enterprise must pass through the headquarters site for centralized security monitoring.
- Full-Mesh: This model is applicable to scenarios where all sites of an enterprise need to directly access each other. This model eliminates the delay of traffic transmission through the headquarters site.

Predefine Topology > Simple Mode > Hub Sites > Hub Site: Hub site. If the Hub-Spoke model is configured, you need to configure a hub site. It is usually the enterprise HQ or the data center.
NOTE
Hub sites, redirect sites, and spoke sites can only be selected from edge sites or sites whose role is vRR in edge site. vRRs are not included in the topology planning of the overlay network.

Predefine Topology > Simple Mode > Hub Sites > Active/standby:
- If only one hub site is deployed, this site needs to be configured as the active site.
- If two hub sites are deployed, they can work in active/standby mode. That is, one is the active site and the other is the standby site.

Predefine Topology > Simple Mode > Redirect sites > Redirect sites: If the Full-Mesh topology model is configured, you can choose whether to deploy redirect sites. If spoke sites cannot directly communicate with each other, the mutual access traffic can be forwarded through a redirect site to ensure communication between spoke sites.

Predefine Topology > Simple Mode > Redirect sites > Redirect Site: Select one or two sites from the sites deployed for each department to function as redirect sites.

Predefine Topology > Simple Mode > Redirect sites > Active/standby:
- If only one redirect site is deployed, this site needs to be deployed as the active site.
- If two redirect sites are deployed, they can work in active/standby mode or active-active mode. In active/standby mode, one redirect site functions as the active site and the other as the standby site. In active-active mode, both redirect sites work as active sites.

Predefine Topology > Simple Mode > Spoke sites: In the Hub-Spoke and Full-Mesh topology models, spoke sites must be deployed. Configure Spoke sites from the sites deployed for each department.

Predefine Topology > Advanced Mode: Advanced mode. This mode is applicable to large-scale multi-area enterprises that use a hierarchical topology model. In the hierarchical topology model, enterprise sites are deployed in multiple areas and are connected to each other through a hub area. In this case, the sites in different areas access each other through the hub area.

Predefine Topology > Advanced Mode > Area Topology > Area Name: Area name.

Predefine Topology > Advanced Mode > Area Topology > Topology Mode: Topology model of an area. The Hub-Spoke and Full-Mesh topology models are supported.

Predefine Topology > Advanced Mode > Area Topology > Hub Sites: Hub site in an area.

Predefine Topology > Advanced Mode > Area Topology > Redirect Sites: Redirect site in an area.

Predefine Topology > Advanced Mode > Area Topology > Spoke Sites: Branch site in an area.

Predefine Topology > Advanced Mode > Area Interconnection > Area Interconnection enable: Whether to enable area interconnection. After area interconnection is enabled, the configured border site will be added to the hub area.

Predefine Topology > Advanced Mode > Area Interconnection > Border Sites > Border Site: A border site is an edge site through which sites in an area communicate with sites in other areas. Border sites vary according to the topology model.
- In Hub-Spoke topology model areas, the hub site is a border site by default.
- In Full-Mesh topology model areas:
  - A site can be configured to function as the active or standby border site.
  - A redirect site can function as a border site, or a redirect site and a border site can be independently deployed.

Predefine Topology > Advanced Mode > Area Interconnection > Border Sites > Active/standby:
- If only one hub site is deployed, this site needs to be configured as the active site.
- If two hub sites are deployed, they can work in active/standby mode. That is, one is the active site and the other is the standby site.

Predefine Topology > Advanced Mode > Area Interconnection > Border Sites > Sites relationship: This parameter is configurable only when Topology Mode is set to Full Mesh. For each border site, the active or standby role can be switched.

Predefine Topology > Advanced Mode > Area Interconnection > Topology mode: Topology model of the hub area. The Hub-Spoke and Full-Mesh topology models are supported. The Full-Mesh topology model is used by default. Sites in the hub area are border sites of all other areas.

Predefine Topology > Advanced Mode > Area Interconnection > Hub Sites: Hub site in the hub area.

Predefine Topology > Advanced Mode > Area Interconnection > Redirect Sites: Redirect site in the hub area.

1.8.3.9.3 Configuring a VPC

Context
A VPC needs to be configured only for Amazon AWS cloud sites. It is not required for
Huawei cloud sites and common sites.


Procedure
Step 1 Choose Configuration > Overlay Network > Site Configuration from the main menu.

Step 2 Click the VPN tab to enter department information.

Step 3 Click the Configure VPC tab.

Step 4 Click Configure VPC Connection.

Step 5 In the Select SpokeVPC dialog box that is displayed, select the Spoke VPC to be connected
to the Transit VPC, and click OK.

----End

Parameter Description

Table 1-49 Parameters on the Spoke VPC page under the WAN Route tab page
Parameter Description

Display default VPC: The default VPC is the Spoke VPC allocated by the Amazon AWS cloud after a user registers with the Amazon AWS cloud.

Spoke VPC Name: Name of the Spoke VPC.

VPC ID: ID of the Spoke VPC.

CIDR: CIDR of the Spoke VPC.

Area: Area to which the Spoke VPC belongs.

Status:
- Pending: The Spoke VPC is unavailable.
- Available: The Spoke VPC is available.

Configuration Status:
- Connected: The Spoke VPC is connected to the Transit VPC.
- Not Connected: The Spoke VPC is disconnected from the Transit VPC.
You can select only sites that are not connected. Connected sites cannot be connected to other cloud sites.

1.8.3.9.4 Configuring Network Access Parameters on the LAN Side (Layer 3)

Context
Huawei public cloud sites and common sites support the configuration of LAN-side interfaces
at Layer 3. Amazon AWS cloud sites do not support this function.

Procedure
Step 1 Choose Configuration > Overlay Network > Site Configuration from the main menu.

Step 2 Click the VPN tab to enter department information.

Step 3 In the site area, select a site.

Step 4 Click the L3 Interface tab. Click Create.

Step 5 On the L3 Interface tab page, configure the Layer 3 interface.


NOTE

Huawei cloud sites do not support the configuration of Layer 3 sub-interfaces.

Step 6 Click Apply Changes.

Step 7 Click the Maintenance > Maintenance > IP Resources tab to view the configuration result.
A Lan_Access Link is added to the corresponding site and VPN.

----End


Parameter Description

Table 1-50 Parameters on the Create L3 Interface page under the L3 Interface tab page
Parameter Description

Device: Device where a Layer 3 interface resides.

Interface: Name of a Layer 3 interface. You can create a Layer 3 Eth-Trunk under Site > Underlay Configuration.

Sub-interface > Sub-interface: Whether to create a sub-interface.

Sub-interface > VLAN ID: Number range of Layer 3 sub-interfaces: 1-4094. The value of Dot1q Vlan is the number of a Layer 3 sub-interface.

IP address: IP address of the Layer 3 interface or sub-interface.

Advanced Settings > Secondary IP address: Secondary IP addresses of a Layer 3 interface. Generally, an interface needs only a primary IP address. In some scenarios, you need to configure secondary IP addresses for an interface. For example, a CPE connects to a physical network through an interface, and hosts on this network belong to two network segments. To enable the CPE to communicate with all hosts on the physical network, you need to configure a primary IP address and a secondary IP address for this interface. Each Layer 3 interface can be configured with one primary IP address and a maximum of 31 secondary IP addresses.

DHCP > DHCP: Whether to enable DHCP on an interface.

DHCP > DHCP type: DHCP type. After DHCP is enabled, you need to set the DHCP type of the CPE. The following DHCP types are supported:
- Server: A CPE functions as a DHCP server and allocates network parameters to DHCP clients. The IP addresses allocated by the DHCP server to DHCP clients are obtained from the IP address pool and secondary IP address pool.
- Relay: A CPE functions as a DHCP relay agent to exchange DHCP messages between a DHCP server and DHCP clients and help the DHCP server dynamically allocate network parameters to DHCP clients. A DHCP relay agent is required in scenarios where multiple network segments need to be planned for an enterprise network and terminals need to automatically obtain network parameters (such as IP addresses) through DHCP. In this way, terminals in different network segments can share the DHCP server, saving server resources and facilitating unified management.

DHCP > DHCP parameters (available only when DHCP type is set to Server) > Exclude IP: Range of IP addresses that will not be automatically assigned to clients from the DHCP address pool. A DHCP address pool is the set of address segments specified in IP address and Secondary IP address. In the address pool, some IP addresses need to be reserved for other services, and some are statically assigned to hosts such as the web server, which cannot be automatically assigned to clients. You can specify the IP addresses or range of IP addresses in Exclude IP for the DHCP server.

DHCP > DHCP parameters > Domain name: Domain name that the DHCP server assigns to a client. When allocating an IP address to a client, the DHCP server also sends the domain name to the client.

DHCP > DHCP parameters > Lease time: Lease of IP addresses in the interface address pool on a DHCP server.

DHCP > DHCP parameters > DNS-server: DNS server. You can specify the DNS server IP address to be assigned to a DHCP client by selecting a DNS group (which is configured in DNS server IP under Global Parameters). The DNS server address is contained in the DHCP response sent to the client.

DHCP > DHCP parameters > Option: Option type.
- [44] Wins/Netbios server: indicates a WINS server address allocated to a DHCP client.
- [46] Wins/Netbios node type: is applicable to the DHCP server. When a DHCP client uses NetBIOS for communication, its host name needs to be mapped to an IP address, and the NetBIOS node type needs to be specified for it.

DHCP > DHCP parameters > Value: Value. If the value of Option is [44] Wins/Netbios server, you need to set this parameter to the server IP address. If the value of Option is [46] Wins/Netbios node type, you can select any of the following for this parameter:
- 1. B-Node: node in broadcast mode. A B-Node obtains the mapping between host names and IP addresses in broadcast mode.
- 2. P-Node: node in peer-to-peer mode. A P-Node obtains the mapping between host names and IP addresses by communicating with a NetBIOS server.
- 3. M-Node: node in mixed mode. An M-Node is a P-Node with some broadcast features.
- 4. H-Node: node in hybrid mode. An H-Node is a B-Node enabled with the peer-to-peer communication mechanism.

DHCP > DHCP parameters > Static: Static binding. To configure a static binding, you need to set the following parameters:
- IP: indicates a static IP address allocated to a DHCP client.
- MAC: indicates the client MAC address statically bound to an IP address.

DHCP > DHCP parameters > Server IP: IP address of the DHCP server served by the DHCP relay agent. This parameter is available only when DHCP type is Relay. Each interface with DHCP relay enabled can have a maximum of eight DHCP server addresses.

VRRP > VRRP: Whether to enable VRRP. VRRP can be configured only for dual-gateway sites. After VRRP is enabled, the two gateways are virtualized into one device. After a VRRP group is configured, traffic is forwarded through the master device in normal circumstances. If the master device fails, traffic is switched quickly to the backup device, implementing gateway redundancy.

VRRP > VRRP ID: ID of a VRRP group. The two gateways need to be configured with the same VRRP group ID.

VRRP > Virtual IP: IP address of the virtual device. The two gateways need to be configured with the same virtual IP address.

VRRP > Default role: Device role, which is master or backup.

VRRP > Preempt delay (s): Delay for the backup device to preempt the role of the master device. You are advised to set the preemption delay of the backup device in a VRRP group to 0, and set the preemption delay of the master device to a value longer than 15 seconds. These settings ensure that there is enough time for the uplinks and downlinks on the master and backup devices in a VRRP group to synchronize their statuses on an unstable network. If the preceding settings are not used, user devices may learn an incorrect master address due to frequent preemption, interrupting traffic.

Proxy ARP: Whether to enable ARP proxy. If this parameter is enabled, routed ARP proxy is used by default. If the LANs of two sites belong to the same network segment and neither of them is configured with a default gateway, the two LANs cannot communicate with each other. To allow the two LANs to communicate with each other, enable routed ARP proxy on the LAN interfaces of the two sites.

MTU: Maximum transmission unit of an interface. This parameter cannot be configured for a physical interface of the xDSL type. The size of data packets is limited at the network layer. When a network layer device receives an IP packet, it determines the destination interface and obtains the MTU configured on the interface. The device then compares the MTU with the IP packet length. If the IP packet length is longer than the MTU, the device fragments the IP packet. Each fragment has a length less than or equal to the MTU.
- If the MTU is too small whereas the packet size is large, the packet is probably split into many fragments. Therefore, the packet may be discarded due to insufficient QoS queue length.
- If the MTU is too large, the packet is transmitted slowly or even lost.

MSS: Maximum segment size of TCP packets on an interface. The MSS is an option defined in the TCP protocol and refers to the maximum segment size of TCP packets that can be received by a peer device. When setting up a TCP connection, the local and peer devices negotiate an MSS value. If the length of a TCP packet exceeds the negotiated MSS value, the packet is fragmented.
NOTICE
To prevent TCP packets from being fragmented, you must configure a proper MSS based on the MTU. The MTU is an option used to determine whether IP packets will be fragmented. If the size of an IP packet sent by a peer device exceeds the MTU, the IP packet will be fragmented. To ensure that a complete packet is transmitted properly, the MSS plus all the header lengths (TCP header and IP header) cannot exceed the MTU. For example, the default MTU of an Ethernet interface is 1500 bytes. To ensure that packets are not fragmented, the maximum MSS value is 1460 bytes [1500 - 20 (minimum length of the TCP header) - 20 (minimum length of the IP header)]. You are advised to set the MSS to 1200 bytes.

Trust mode: Type of a security zone. The options are Trust and Untrust.

Table 1-51 Parameters on the IP Resources tab page
Parameter Description

Site: Site name.

Device: CPE name.

VPN: VPN name, which is configured on the Overlay Network > VPN page.

VRF Instance: Name of the VRF instance to which the interface IP address belongs.
- Name of the VRF instance to which Underlay Link belongs. It is the VPN instance specified in ZTP configuration.
- System Link belongs to the default VPN and its VRF instance name is public.
- Other types of IP addresses are related to the overlay network. Each VRF instance name maps a VPN name.

IP Address: IP address of the interface.

Usage: The following seven types of IP addresses are supported:
- DSVPN Link: IP address of a DSVPN tunnel interface.
- Inter-CPE Link: Interface address of an internal link between two gateways. In different Overlay VPN instances, interfaces of the links connecting two gateways use different IP addresses.
- Interworking Link (Loopback): IP address of a loopback interface on the CPE. After the Site-to-Internet service or mutual access between sites is configured, the system automatically creates a local breakout to implement connectivity between the internal Overlay VPN instance of the CPE and the VPN instance to which the WAN link belongs. A local breakout has two loopback interface addresses and two tunnel interface addresses. A local breakout of a WAN link corresponds to two Loopback interface addresses and two tunnel interface addresses.
- Interworking Link (Tunnel): IP address of a local breakout interface.
- System Link: Management IP address of a CPE.
- Lan_Access Link: IP address of a LAN-side interface. This address is configured by administrators on the Overlay page.
- Underlay Link: IP address for the WAN link to access the network.
NOTE
- The IP addresses of the first five types are automatically orchestrated by the Agile Controller-Campus from the IP pool configured on the Global Parameters > Virtual Network > IP Pool page.
- Lan_Access Link is configured on a Layer 3 interface or VLAN of the overlay network and needs to be manually orchestrated.
- Underlay Link is configured in ZTP configuration. A WAN link can access the network in static or dynamic mode. In static mode, you need to manually orchestrate the IP address for the WAN link to access the network. In dynamic mode, the CPE automatically applies for an IP address from the DHCP server. If the Agile Controller-Campus queries the dynamic IP address from the CPE and displays it on the Web UI, it will take a long time. You can enable or disable the Display dynamic IP function to determine whether the Agile Controller-Campus needs to query the IP address from the CPE and display it on the Web UI.

Tunnel Name: Interface name.

1.8.3.9.5 Configuring Network Access Parameters on the LAN Side (Layer 2)

Context
Only common sites support the configuration of LAN-side interfaces at Layer 2. Huawei public cloud sites and Amazon AWS cloud sites do not support this function.

Procedure
Step 1 Choose Configuration > Overlay Network > Site Configuration from the main menu.


Step 2 Click the VPN tab to enter department information.

Step 3 In the site area, select a site.

Step 4 Click the VLAN tab. Click Create.

Step 5 On the Create VLAN tab page, configure VLAN information.

In a dual-gateway scenario, if the internal link between the dual gateways uses two LAN-side
Layer 2 physical interfaces, when configuring a VLAN, ensure that the physical interfaces
used by the internal link are different from those transmitting user service traffic on the LAN
side. This is because STP is enabled on CPEs by default, and when the internal link uses two
Layer 2 physical interfaces, the interfaces are added to the same VLAN. If a loop occurs, STP
sets one physical interface to the Block state. At this time, if a user uses this physical interface
on the LAN side, the user traffic may be interrupted.

Step 6 Click Apply Changes.

Step 7 Click the Maintenance > Maintenance > IP Resources tab to view the configuration result.
A Lan_Access Link is added to the corresponding site and VPN.


----End

Parameter Description

Table 1-52 Parameters on the Create VLAN page under the VLAN tab page
Parameter Description

Device Device where a Layer 2 interface resides.

VLAN ID VLAN ID. This VLAN is used for Layer 2 communication between a site and
the LAN. It cannot overlap with the VLAN ID of a WLAN, or the VLAN ID of an
internal link between dual gateways.
The system creates VLANIF interfaces based on VLAN IDs. For a dual-gateway site,
if the CPEs are directly connected downstream to the Layer 2 switch, the two CPEs
must use VLANIF interfaces created based on the same VLAN ID to communicate with
the LAN-side network, implementing the VRRP function on the LAN-side network.

Physical interfaces
  Mode Tagged or untagged mode in which a specified interface is added to a
  VLAN. If the LAN-side device is a PC, the mode must be set to untagged. In
  other cases, you need to set the mode based on the actual networking
  requirements.

  Interface Interface information. Select the type of the interface to be
  added, enter the number of the interface to be added (for example, 0 or
  0/0/0), and then click to add the interface to the list.
  NOTICE
  Ensure that the specified interface is a Layer 2 interface. If the interface
  is not a Layer 2 interface, log in to the device and switch the interface to
  a Layer 2 interface. Otherwise, the configuration fails to be delivered. You
  can create a Layer 2 Eth-Trunk interface under Site > Underlay Configuration.

IP address IP address of a VLANIF interface.

Advanced Settings
  Secondary IP Secondary IP addresses of a Layer 3 interface. Generally, an
  interface needs only a primary IP address. In some scenarios, you need to
  configure secondary IP addresses for an interface. For example, a CPE
  connects to a physical network through an interface, and hosts on this
  network belong to two network segments. To enable the CPE to communicate with
  all hosts on the physical network, you need to configure a primary IP address
  and a secondary IP address for this interface.
  Each Layer 3 interface can be configured with one primary IP address and a
  maximum of 31 secondary IP addresses.

DHCP
  DHCP Whether to enable DHCP on an interface.

  DHCP type DHCP type. After DHCP is enabled, you need to set the DHCP type of
  the CPE. The following DHCP types are supported:
  l Server: A CPE functions as a DHCP server and allocates network parameters
  to DHCP clients. The IP addresses allocated by the DHCP server to DHCP
  clients are obtained from the IP address pool and secondary IP address pool.
  l Relay: A CPE functions as a DHCP relay agent to exchange DHCP messages
  between a DHCP server and DHCP clients and help the DHCP server to
  dynamically allocate network parameters to DHCP clients. A DHCP relay agent
  is required in scenarios where multiple network segments need to be planned
  for an enterprise network and terminals need to automatically obtain network
  parameters (such as IP addresses) through DHCP. In this way, terminals in
  different network segments can share the DHCP server, saving server resources
  and facilitating unified management.

DHCP parameters (These parameters are available only when DHCP type is set to
Server.)
  Exclude IP Range of IP addresses that will not be automatically assigned to
  clients from the DHCP address pool. A DHCP IP address pool is a set of
  address segments specified in IP addresses. In the address pool, some IP
  addresses need to be reserved for other services, and some are statically
  assigned to hosts such as the web server, which cannot be automatically
  assigned to clients. You can specify the IP addresses or range of IP
  addresses in Exclude IP for the DHCP server.

  Domain name Domain name that the DHCP server assigns to a client. When
  allocating an IP address to a client, the DHCP server also sends the domain
  name to the client.

  Lease time Lease of IP addresses in the interface address pool on a DHCP
  server.

  Option Option type.
  l [44] Wins/Netbios server: indicates a WINS server address allocated to a
  DHCP client.
  l [46] Wins/Netbios node type: is applicable to the DHCP server. When a DHCP
  client uses NetBIOS for communication, its host name needs to be mapped to an
  IP address, and the NetBIOS node type needs to be specified for it.

  Value Value. If the value of Option is [44] Wins/Netbios server, you need to
  set this parameter to the server IP address. If the value of Option is [46]
  Wins/Netbios node type, you can select any of the following for this
  parameter:
  l 1. B-Node: node in broadcast mode. A B-Node obtains the mapping between
  host names and IP addresses in broadcast mode.
  l 2. P-Node: node in peer-to-peer mode. A P-Node obtains the mapping between
  host names and IP addresses by communicating with a NetBIOS server.
  l 3. M-Node: node in mixed mode. An M-Node is a P-Node with some broadcast
  features.
  l 4. H-Node: node in hybrid mode. An H-Node is a B-Node enabled with the
  peer-to-peer communication mechanism.

  Static Static binding. To configure a static binding, you need to set the
  following parameters:
  l IP: indicates a static IP address allocated to a DHCP client.
  l MAC: indicates the client MAC address statically bound to an IP address.

DHCP parameters
  Server IP IP address of the DHCP server served by the DHCP relay agent. This
  parameter is available only when DHCP type is Relay. Each interface with DHCP
  relay enabled can have a maximum of eight DHCP server addresses.

VRRP
  VRRP Whether to enable VRRP. VRRP can be configured only for dual-gateway
  sites. After VRRP is enabled, the two gateways are virtualized into one
  device. After a VRRP group is configured, traffic is forwarded through the
  master device in normal circumstances. If the master device fails, traffic is
  switched quickly to the backup device, implementing gateway redundancy.

  VRRP ID ID of a VRRP group. The two gateways need to be configured with the
  same VRRP group ID.

  Virtual IP IP address of a virtual device. The two gateways need to be
  configured with the same virtual IP address.

  Default role Device role, which is master or backup.

  Preempt delay (s) Delay for the backup device to preempt the role of the
  master device.

Proxy ARP Whether to enable ARP proxy. If this parameter is enabled, routed ARP
proxy is used by default.

MTU Maximum transmission unit of an interface. This parameter cannot be
configured for a physical interface of the xDSL type.

MSS Maximum segment size of TCP packets on an interface. The MSS is an option
defined in the TCP protocol and refers to the maximum segment size of TCP
packets that can be received by a peer device. When setting up a TCP
connection, the local and peer devices negotiate an MSS value. If the length of
a TCP packet exceeds the negotiated MSS value, the packet is fragmented.
NOTICE
To prevent TCP packets from being fragmented, you must configure a proper MSS
based on the MTU. The MTU is an option used to determine whether IP packets
will be fragmented. If the size of an IP packet sent by a peer device exceeds
the MTU, the IP packet will be fragmented. To ensure that a complete packet is
transmitted properly, the MSS plus all the header lengths (TCP header and IP
header) cannot exceed the MTU. For example, the default MTU of an Ethernet
interface is 1500 bytes. To ensure that packets are not fragmented, the maximum
MSS value is 1460 bytes [1500 - 20 (minimum length of the TCP header) - 20
(minimum length of the IP header)]. You are advised to set the MSS to 1200
bytes.

Trust mode Type of a security zone. The options are Trust and Untrust.

Table 1-53 Parameters on the IP Resources tab page


Parameter Description

Site Site name.

Device CPE name.

VPN VPN name, which is configured on the Overlay Network > VPN page.


VRF Instance Name of the VRF instance to which the interface IP address belongs.
l Name of the VRF instance to which Underlay Link belongs. It is the
VPN instance specified in ZTP configuration.
l System Link belongs to the default VPN and its VRF instance name
is public.
l Other types of IP addresses are related to the overlay network. Each
VRF instance name maps a VPN name.

IP Address IP address of the interface.

Usage The following seven types of IP addresses are supported:
l DSVPN Link: IP address of a DSVPN tunnel interface.
l Inter-CPE Link: Interface address of an internal link between two
gateways. In different Overlay VPN instances, interfaces of the
links connecting two gateways use different IP addresses.
l Interworking Link (Loopback): IP address of a loopback interface
on the CPE. After the Site-to-Internet service or mutual access
between sites is configured, the system automatically creates a local
breakout to implement the connectivity between the internal
Overlay VPN instance of the CPE and the VPN instance to which
the WAN link belongs. A local breakout has two loopback interface
addresses and two tunnel interface addresses. A local breakout of a
WAN link corresponds to two Loopback interface addresses and two
tunnel interface addresses.
l Interworking Link (Tunnel): IP address of a local breakout interface.
l System Link: Management IP address of a CPE.
l Lan_Access Link: IP address of a LAN-side interface. This address
is configured by administrators on the Overlay page.
l Underlay Link: IP address for the WAN link to access the network.
NOTE
l The IP addresses of the first five types are automatically orchestrated by the
Agile Controller-Campus from the IP pool configured on the Global
Parameters > Virtual Network > IP Pool page.
l Lan_Access Link is configured on a Layer 3 interface or VLAN of the
overlay network and needs to be manually orchestrated.
l Underlay Link is configured in ZTP configuration. A WAN link can access
the network in static or dynamic mode. In static mode, you need to manually
orchestrate the IP address for the WAN link to access the network. In
dynamic mode, the CPE automatically applies for an IP address from the
DHCP server. If the Agile Controller-Campus queries the dynamic IP address
from the CPE and displays the IP address on the Web UI, it will take a long
time. You can enable or disable the Display dynamic IP function to
determine whether the Agile Controller-Campus needs to query the IP
address from the CPE and display the IP address on the Web UI.

Tunnel Name Interface name.


1.8.3.9.6 Configuring Network Access Parameters on the LAN Side (Terminals
Accessing Sites Through Wi-Fi, Layer 2)

Context
Currently, only common sites can be accessed by terminals through the WLAN on the LAN
side. Cloud sites do not support this function.

Procedure
Step 1 Choose Configuration > Overlay Network > Site Configuration from the main menu.

Step 2 Click the VPN tab to enter department information.

Step 3 In the site area, select a site.

Step 4 Click the WLAN tab and then click Create.

Step 5 On the Create WLAN tab page, configure WLAN information.

Step 6 Click OK.

----End


Parameter Description

Table 1-54 Parameters on the Create WLAN page under the WLAN tab page
Parameter Description

Device CPE as the WLAN configuration object.

SSID WLAN identifier, namely, the network service set identifier (SSID).

Effective radio Frequency band over which radio signals of a WLAN are
transmitted.

VLAN ID Service VLAN ID of a WLAN. It cannot overlap with the VLAN ID of a
Layer 2 interface, or the VLAN ID of an internal link between dual gateways.

Interface IP IP address of the VLANIF interface that connects an AP (Access
Point) to an AC (Access Controller).

DHCP
  DHCP Whether to enable DHCP on an interface.

  DHCP type DHCP type. After DHCP is enabled, you need to set the DHCP type of
  the CPE. The following DHCP types are supported:
  l Server: A CPE functions as a DHCP server and allocates network parameters
  to DHCP clients.
  l Relay: A CPE functions as a DHCP relay agent to exchange DHCP messages
  between a DHCP server and DHCP clients and help the DHCP server to
  dynamically allocate network parameters to DHCP clients. A DHCP relay agent
  is required in scenarios where multiple network segments need to be planned
  for an enterprise network and terminals need to automatically obtain network
  parameters (such as IP addresses) through DHCP. In this way, terminals in
  different network segments can share the DHCP server, saving server resources
  and facilitating unified management.

DHCP parameters (These parameters are available only when DHCP type is set to
Server.)
  Exclude IP Range of IP addresses that will not be automatically assigned to
  clients from the DHCP address pool. A DHCP IP address pool is a set of
  address segments specified in IP addresses. In the address pool, some IP
  addresses need to be reserved for other services, and some are statically
  assigned to hosts such as the web server, which cannot be automatically
  assigned to clients. You can specify the IP addresses or range of IP
  addresses in Exclude IP for the DHCP server.

  Domain name Domain name that the DHCP server assigns to a client. When
  allocating an IP address to a client, the DHCP server also sends the domain
  name to the client.

  Lease time Lease of IP addresses in the interface address pool on a DHCP
  server.

  DNS-server DNS server. You can specify the DNS server IP address to be
  assigned to a DHCP client by selecting a DNS group (which is configured in
  DNS server IP under Global Parameters). The DNS server address is contained
  in the DHCP response sent to the client.

  Option Option type.
  l [44] Wins/Netbios server: indicates a WINS server address allocated to a
  DHCP client.
  l [46] Wins/Netbios node type: is applicable to the DHCP server. When a DHCP
  client uses NetBIOS for communication, its host name needs to be mapped to an
  IP address, and the NetBIOS node type needs to be specified for it.

  Value Value. If the value of Option is [44] Wins/Netbios server, you need to
  set this parameter to the server IP address. If the value of Option is [46]
  Wins/Netbios node type, you can select any of the following for this
  parameter:
  l 1. B-Node: node in broadcast mode. A B-Node obtains the mapping between
  host names and IP addresses in broadcast mode.
  l 2. P-Node: node in peer-to-peer mode. A P-Node obtains the mapping between
  host names and IP addresses by communicating with a NetBIOS server.
  l 3. M-Node: node in mixed mode. An M-Node is a P-Node with some broadcast
  features.
  l 4. H-Node: node in hybrid mode. An H-Node is a B-Node enabled with the
  peer-to-peer communication mechanism.

  Static Static binding. To configure a static binding, you need to set the
  following parameters:
  l IP: indicates a static IP address allocated to a DHCP client.
  l MAC: indicates the client MAC address statically bound to an IP address.

DHCP parameters
  Server IP IP address of the DHCP server served by the DHCP relay agent. This
  parameter is available only when DHCP type is Relay. Each interface with DHCP
  relay enabled can have a maximum of eight DHCP server addresses.

Security Authentication
  Encryption mode Encryption mode. The options of this parameter are as
  follows:
  l WPA1: WPA1 authentication is used.
  l WPA2: WPA2 authentication is used.

  PSK Shared key for PSK authentication.

Advanced Settings
  Hide SSID Whether to hide an SSID. If this parameter is enabled for an SSID,
  new users cannot detect the SSID. Only wireless users who know the SSID name
  can connect to the WLAN.

  Maximum access user quantity Maximum number of access users permitted on a
  WLAN.

  Downlink traffic Uplink traffic of a WLAN.

  Uplink traffic Downlink traffic of a WLAN.

1.8.3.9.7 Configuring Overlay LAN-Side Routes (Static Routes)

Context
LAN-side static routes can be configured for Huawei public cloud sites and common sites.
Amazon AWS cloud sites do not support this function.

Procedure
Step 1 Choose Configuration > Overlay Network > Site Configuration from the main menu.

Step 2 Click the VPN tab to enter department information.

Step 3 In the site area, select a site.

Step 4 Click the LAN-Route tab and then click Click Here to Add LAN-Route.

Step 5 Select Static from the Protocol drop-down list and click OK.

Step 6 Click Create. On the Create Static Routes tab page, set static route parameters.


Step 7 Click OK.

Step 8 Click Apply Changes.

----End

Parameter Description

Table 1-55 Parameters on the Create Static Routes page under the LAN Route tab page
Parameter Description

Device CPE on which a static route needs to be configured.

Priority Priority of a static route. The value is an integer that ranges from 1 to
255. A smaller value indicates a higher priority. If you specify the same
priority for static routes with the same destination, load balancing can be
implemented among these routes. If you specify different priorities for
multiple static routes with the same destination, backup can be
implemented among these routes.

Destination address/mask Destination IP address and mask of a static route.

Next-Hop
  Next-hop type Next-hop type of a static route.
  l For a common site, the Next-hop type can be set to IP address or
  black_hole. Type of the next hop in the static route. The value black_hole
  indicates that the packets destined for the destination network segment will
  be discarded. For example, it can be used to block packets destined for a
  particular website.
  l For a cloud site, the Next-hop type is set to Out interface by default.

  Interface Outbound interface of a static route. This parameter needs to be
  specified only when the site is a cloud site.

  IP address Next-hop IP address of a static route.
  l For a common site, this parameter is available only when Next-hop type is
  set to IP address.
  l For a cloud site, you must specify an outbound interface. This parameter is
  optional. If an IP address is not configured, the device automatically
  orchestrates an IP address based on the outbound interface.

Track Whether to associate a static route with an NQA test instance.

Target Destination address in an NQA test instance. If a static route is
associated with an NQA test instance, only ICMP test instances can be used to
check whether there are reachable routes between the source and destination.

1.8.3.9.8 Configuring Overlay LAN-Side Routes (OSPF)

Context
Currently, only common sites support the configuration of OSPF routes on the LAN side.
Cloud sites do not support this function.

Procedure
Step 1 Choose Configuration > Overlay Network > Site Configuration from the main menu.

Step 2 Click the VPN tab to enter department information.

Step 3 In the site area, select a site.

Step 4 Click the LAN-Route tab and then click Click Here to Add LAN-Route.

Step 5 Select OSPF from the Protocol drop-down list and click OK.

Step 6 Click Create. On the Create OSPF tab page, set OSPF parameters.


Step 7 Click OK.

Step 8 Click Apply Changes.

----End

Parameter Description

Table 1-56 Parameters on the Create OSPF page under the LAN Route tab page
Parameter Description

Device CPE on which an OSPF route needs to be configured.

Process ID OSPF process ID.
l In the DSVPN tunnel mode, if OSPF routes are deployed on an underlay
network, the process ID is in the range from 501 to 1000. If OSPF routes are
deployed on an overlay network, the process ID is in the range from 1001 to
65535.
l In the EVPN tunnel mode, if OSPF routes are deployed on an underlay network,
the process ID is in the range from 20001 to 30000. If OSPF routes are deployed
on an overlay network, the process ID is in the range from 1 to 20000.

Common Parameter
  Default route advertisement Whether to advertise the default route to common
  OSPF areas. After default route advertisement is enabled, the device keeps
  advertising OSPF default routes.

  Default route cost Cost of an advertised OSPF default route.

  Internal preference Priority of an OSPF route (excluding AS-external routes).
  A smaller value indicates a higher priority.

  ASE preference Priority of an OSPF AS-external route. A smaller value
  indicates a higher priority.

Interface Parameter
  Area ID OSPF area ID.

  Interface Name Name of a LAN interface with OSPF enabled.

  Authentication Mode Authentication mode. OSPF packets must be authenticated
  before a neighbor relationship can be established. The authentication modes
  that can be used in an OSPF area are as follows:
  l None: Authentication is not performed on OSPF packets.
  l Simple: A password needs to be configured.
  l Cryptographic: The MD5, HMAC-MD5, or HMAC-SHA256 authentication mode can be
  selected.
  NOTE
  The simple, MD5, and HMAC-MD5 authentication modes may pose potential
  security risks. As such, the HMAC-SHA256 authentication mode is recommended.

  Key Key for cipher-text authentication on an interface. This parameter is
  available only when the authentication mode is set to Cryptographic.

  Password Password for cipher-text authentication. This parameter is available
  only when the authentication mode is set to Simple or Cryptographic.

  Hello Timer Interval for an interface to send Hello packets, in seconds.

  DR Priority Priority of an interface that participates in Designated Router
  (DR) election. The DR priority of an interface determines whether the
  interface participates in DR election. If the DR priority is 0, the router
  where the interface is located cannot be elected as a DR or BDR.

  Cost OSPF cost of an interface. The cost specified here will be added to the
  costs of OSPF routes learned on the interface.

Route Redistribute
  Protocol Protocol of routes to be redistributed. By default, WAN-side BGP
  routes on the overlay network are redistributed to implement communication
  on the entire network. Static, OSPF, and direct routes can also be
  redistributed.

  Process ID Process ID of the imported OSPF route. This parameter is available
  only when the protocol is OSPF.

  Cost Cost of an imported route. The value of this parameter will overwrite
  the cost in the original route.

Router Filter
  Export filter
    Mode Mode for filtering OSPF routes to be advertised to the LAN:
    l Blacklist: The site is allowed to advertise only OSPF routes not in the
    network segment specified by Filter IP.
    l Whitelist: The site is allowed to advertise only OSPF routes in the
    network segment specified by Filter IP.

    Filter IP Routing range. You can specify a routing range by setting the
    following parameters. The parameter values must meet the following
    conditions: Mask ≤ Greater-equal ≤ Less-equal.
    l IP Address/Mask: IP address and mask
    l Greater-equal: minimum mask to specify a smaller network segment
    l Less-equal: maximum mask to specify a smaller network segment

  Import filter
    Mode Mode for filtering OSPF routes to be received from the LAN:
    l Blacklist: The site is allowed to receive only OSPF routes not in the
    network segment specified by Filter IP.
    l Whitelist: The site is allowed to receive only OSPF routes in the network
    segment specified by Filter IP.

    Filter IP Routing range. You can specify a routing range by setting the
    following parameters. The parameter values must meet the following
    conditions: Mask ≤ Greater-equal ≤ Less-equal.
    l IP Address/Mask: IP address and mask
    l Greater-equal: minimum mask to specify a smaller network segment
    l Less-equal: maximum mask to specify a smaller network segment

1.8.3.9.9 Configuring Overlay LAN-Side Routes (BGP)

Context
Currently, only common sites support the configuration of BGP routes on the LAN side.
Cloud sites do not support this function.

Procedure
Step 1 Choose Configuration > Overlay Network > Site Configuration from the main menu.

Step 2 Click the VPN tab to enter department information.

Step 3 In the site area, select a site.


Step 4 Click the LAN-Route tab and then click Click Here to Add LAN-Route.

Step 5 Select BGP from the Protocol drop-down list and click OK.

Step 6 Click Advanced Settings to configure the advanced BGP options.

Step 7 Click Create. On the Create BGP tab page, set BGP parameters.

Step 8 Click OK.

Step 9 Click Apply Changes.

----End

Parameter Description

Table 1-57 Parameters on the BGP page under the LAN Route tab page
Parameter Description

Advanced Settings
  External preference Priority of EBGP routes. You can set different priorities
  for different devices. For a dual-gateway site, you can specify a separate
  EBGP route priority for each gateway.

  Default route redistribution Whether to redistribute the default routes in
  the local IP routing table to the BGP routing table.

  Route redistribution Protocol of routes to be imported. Static and direct
  routes can be imported.

  Aggregation route Route obtained by summarizing specific routes in the local
  BGP routing table. The system advertises only the summarized route, and
  suppresses the advertisement of all specific routes within the summarized
  route. You can specify IP addresses and masks of multiple summarized routes.


Table 1-58 Parameters on the Create BGP page under the LAN Route tab page
Parameter Description

Device CPE on which a BGP route needs to be configured.

Peer IP IP address of the peer neighboring device.

Peer AS AS number of the peer device.

Local AS Fake AS number of the local device. If this parameter is left empty,
the AS number in the global configuration is used by default.

Keepalive time (s) Interval for sending Keepalive packets to the peer. After
establishing a BGP connection, two peers periodically send Keepalive messages
to each other to detect the status of the BGP connection. If a device receives
no Keepalive message or any other type of packet from its peer within the hold
time, the device considers the BGP connection terminated and closes the BGP
connection.

Hold time (s) Hold time. The hold time should be at least three times the
Keepalive time.

MD5 encrypt Whether to use MD5 authentication between BGP peers. If this
parameter is enabled, you need to enter the password in cipher-text.

Routing Policy
  Export
    Export Whether to filter the route information to be advertised by an
    SD-WAN site if the LAN uses BGP to exchange routes with the SD-WAN site.

    Match
      Type Type. Routes can be filtered only by IP address prefix.

      IP prefix list Routing range. You can specify a routing range by setting
      the following parameters. The parameter values must meet the following
      conditions: Mask ≤ Greater-equal ≤ Less-equal.
      l IP Address/Mask: IP address and mask
      l Greater-equal: minimum mask to specify a smaller network segment
      l Less-equal: maximum mask to specify a smaller network segment

    Apply
      Filtering type Mode for filtering BGP routes to be advertised to the LAN.

      MED MED value of a BGP route in the network segment specified in IP
      prefix list. Similar to the metric of an IGP, the MED value is used to
      determine the optimal route for the traffic to enter an AS. When a
      BGP-enabled device obtains multiple routes to the same destination
      address but with different next hops from EBGP peers, it selects the
      route with the smallest MED value as the optimal route.

      Community Community attribute to be added to a BGP route in the network
      segment specified in IP prefix list. The community attribute is a
      private BGP route attribute. It is transmitted between BGP peers and is
      not restricted to within an AS. The community attribute allows a group
      of BGP-enabled devices in multiple ASs to share the same routing
      policies. This allows routing policies to be flexibly used and makes it
      simple to maintain and manage routing policies.

      AS Path AS path of a BGP route in the network segment specified in IP
      prefix list. The AS_Path attribute records the numbers of all ASs that a
      route passes through, from the source to the destination, in the vector
      order. You can configure the AS_Path attribute to implement flexible
      route selection.

  Import
    Import Whether to filter the route information to be received by an SD-WAN
    site if the LAN uses BGP to exchange routes with the SD-WAN site.

    Match
      Type Type. Routes can be filtered only by IP address prefix.

      IP prefix list Routing range. You can specify a routing range by setting
      the following parameters. The parameter values must meet the following
      conditions: Mask ≤ Greater-equal ≤ Less-equal.
      l IP Address/Mask: IP address and mask
      l Greater-equal: minimum mask to specify a smaller network segment
      l Less-equal: maximum mask to specify a smaller network segment

    Apply
      Filtering type Mode for filtering BGP routes to be received from the LAN.

1.8.3.9.10 Configuring Overlay WAN-Side Routes (BGP)

Context
After the overlay network is configured, the system automatically deploys the BGP control
protocol between sites to advertise routes on the overlay network. Both common sites and
cloud sites support the configuration of WAN-side BGP routes.

Procedure
Step 1 Choose Configuration > Overlay Network > Site Configuration from the main menu.


Step 2 Click the VPN tab to enter department information.

Step 3 In the site area, select a site.

Step 4 Click the WAN-Route tab and then click the BGP tab page.

Step 5 In the Overlay route filter area, set Filter Mode and Filter Address for the overlay routes.

Step 6 Click OK.

Step 7 Click Apply Changes.

----End

Parameter Description

Table 1-59 Parameters on the BGP page under the WAN Route tab page

Parameter Description

Filtering Direction
    Filtering direction:
    l Filter Exported Routes: Filter the LAN-side routes to be advertised by the current
    SD-WAN site to the WAN-side overlay network.
    l Filter Imported Routes: Filter the routes to be learned by the current SD-WAN site
    from other sites on the WAN-side overlay network.

Filtering Mode
    Filtering mode:
    l Blacklist: The site is allowed to advertise/receive only BGP routes not in the
    network segment specified in Filtered Addresses.
    l Whitelist: The site is allowed to advertise/receive only BGP routes in the network
    segment specified in Filtered Addresses.

Filtered Addresses / IP Address/Mask, Greater-equal, Less-equal
    Routing range. You can specify a routing range by setting the following parameters.
    The parameter values must meet the following conditions: Mask ≤ Greater-equal ≤
    Less-equal.
    l IP Address/Mask: IP address and mask
    l Greater-equal: minimum mask to specify a smaller network segment
    l Less-equal: maximum mask to specify a smaller network segment
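The prefix-list match used by the LAN-side IP prefix list and by Filtered Addresses in Table 1-59, together with the Blacklist/Whitelist filtering modes, as an added Python example (not Huawei's code): it enforces Mask ≤ Greater-equal ≤ Less-equal and applies one prefix-list row to a constructed route set. One assumption not stated in the guide: an omitted Greater-equal or Less-equal defaults to the mask, i.e. an exact-length match.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class PrefixEntry:
    """One row of the IP prefix list: IP Address/Mask plus Greater-equal and Less-equal."""
    network: IPv4Network
    greater_equal: int
    less_equal: int

    def matches(self, route: IPv4Network) -> bool:
        # A route matches when it lies inside the entry's address block and its own
        # prefix length is within [Greater-equal, Less-equal].
        return (route.subnet_of(self.network)
                and self.greater_equal <= route.prefixlen <= self.less_equal)


def make_entry(address_mask: str, greater_equal: Optional[int] = None,
               less_equal: Optional[int] = None) -> PrefixEntry:
    """Build an entry and enforce the guide's constraint Mask <= Greater-equal <= Less-equal.

    Assumption of this example (not stated in the guide): an omitted bound defaults to
    the mask, so "10.1.0.0/16" alone matches exactly the /16 route.
    """
    net = ip_network(address_mask, strict=True)
    ge = net.prefixlen if greater_equal is None else greater_equal
    le = ge if less_equal is None else less_equal
    if not net.prefixlen <= ge <= le <= net.max_prefixlen:
        raise ValueError(f"{net}: need mask ({net.prefixlen}) <= ge ({ge}) <= le ({le})"
                         f" <= {net.max_prefixlen}")
    return PrefixEntry(net, ge, le)


def filter_routes(routes: Sequence[str], entries: Sequence[PrefixEntry], mode: str) -> List[str]:
    """Apply Filtering Mode to a route set: whitelist keeps only routes in the list,
    blacklist keeps only routes not in the list. Input order is preserved."""
    if mode not in ("whitelist", "blacklist"):
        raise ValueError(f"unknown filtering mode: {mode}")
    kept = []
    for text in routes:
        route = ip_network(text, strict=True)
        listed = any(entry.matches(route) for entry in entries)
        if listed == (mode == "whitelist"):
            kept.append(str(route))
    return kept


if __name__ == "__main__":
    # Constructed sample: one prefix-list row covering 10.0.0.0/8 with /16 to /24 only.
    entries = [make_entry("10.0.0.0/8", greater_equal=16, less_equal=24)]
    routes = ["10.1.0.0/16", "10.0.0.0/8", "10.1.2.0/25", "192.168.0.0/16", "10.10.10.0/24"]
    print("whitelist keeps:", filter_routes(routes, entries, "whitelist"))
    print("blacklist keeps:", filter_routes(routes, entries, "blacklist"))
```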

1.8.3.9.11 Configuring Overlay WAN-Side Routes (Static Routes)

Context
Currently, only common sites support the configuration of static routes on the WAN side.
Cloud sites do not support this function.

Prerequisites
1. A site template where a standby link is configured has been created. The following is an
example. When creating a site template, set Gateway to Single Gateway, and set the
role of a WAN link to Standby.

2. A site containing a standby link has been created. Create a site based on the site template
where a standby link is configured.
3. A site containing a standby link has been activated.

Procedure
Step 1 Choose Configuration > Overlay Network > Site Configuration from the main menu.

Step 2 Click the VPN tab to enter department information.

Step 3 In the site area, select a site.

Step 4 Click the WAN-Route tab and then click the Static tab page.

Step 5 In the Create Static Routes area, set static route parameters.

Step 6 Click OK.

Step 7 Click Apply Changes.

----End

Parameter Description

Table 1-60 Parameters on the Create Static Routes page under the WAN Route tab page
Parameter Description

Logical Link(s)
    The default value is Standby logical link(s).

Priority
    This parameter indicates the priority of a static route. The value is an integer that
    ranges from 1 to 255, and a smaller value indicates a higher priority.

Destination address/mask
    This parameter indicates the destination IP address and mask of a static route.

Next-hop / Next-hop type
    Only the site type is supported. Generally, static routes configured on the WAN-Route
    tab page are applied when both the current site and next-hop site are of the standby
    type and the traffic destination is the LAN of the next-hop site. You can specify a
    static route on the WAN-Route tab page to ensure that data traffic can be forwarded
    over the standby link if the active link fails.

Next-hop / Site
    This parameter indicates the name of the next-hop site.

1.8.3.9.12 Configuring VPN Traffic Distribution


Overlay network traffic of departments is allocated at sites. If no traffic value is specified, the
Agile Controller-Campus evenly allocates traffic to each VPN.

Context
The overlay network traffic is allocated to each VPN based on physical interface bandwidth,
that is, the uplink and downlink bandwidth specified for WAN interfaces. A certain
proportion of this bandwidth can then be allocated to transmit the traffic of each service in
each department. For example, users can configure the proportion of bandwidth used to
transmit Internet access traffic, and the QoS bandwidth policy is defined based on
applications. The bandwidth that can be allocated to transmit service traffic is the
department bandwidth.

Prerequisites
1. A site has been created. For details, see 1.8.3.4 Creating a Site.
2. A VPN has been configured. For details, see 1.8.3.9.1 Configuring a VPN.

Procedure
Step 1 Choose Configuration > Overlay Network > Traffic Distribution from the main menu.

Step 2 Click Create.

Step 3 On the Config Policy tab, set the traffic value for each VPN.

Step 4 Click Next.

Step 5 Select the target site.

Step 6 Click Finish.

----End

1.8.3.10 Checking the Network Deployment Result


This section describes how to check the network deployment status after the underlay and
overlay network configurations are complete.

Prerequisites
l WAN-side underlay routes have been configured. For details, see 1.8.3.8.2 Configuring
Underlay Routes (OSPF).
l The overlay network has been created. For details, see 1.8.3.9 Creating an Overlay
Network.

Procedure
Step 1 Choose Maintenance > Provisioning Result.

Step 2 Click the Deploy to Device tab.

Step 3 Click the By Site tab. Check whether the WAN-side underlay route configuration is
successfully delivered to devices.

If Succeeded is displayed in the Status column for all records, the site deployment is
successful.

NOTE

After the WAN-side underlay routes are configured, the Agile Controller-Campus delivers the site
configuration data to CPEs. If the network flaps during the configuration data delivery, data loss may
occur on the delivered configuration. In this case, you are advised to click Redeploy to re-deliver the
configuration data to the CPEs.

Step 4 Click the By VPN tab. Check whether the Overlay network configuration is successfully
delivered to devices.

In the navigation tree on the left, click the department where the overlay network is deployed
and check the overlay network configuration result in the area on the right. If Succeeded is
displayed in the Status column for all records, the overlay network deployment is successful.

NOTE

After the overlay network is configured, the Agile Controller-Campus delivers the site configuration
data to CPEs. If the network flaps during the configuration data delivery, data loss may occur on the
delivered configuration. In this case, you are advised to click Redeploy to re-deliver the configuration
data to the CPEs.
The following options of Status are available:
l Alarm: An internal system error occurs. In this case, contact technical support personnel.
l Preconfigured: The configuration data in the Agile Controller-Campus is not delivered to the site.
The devices at the site are offline.
l Configuring: The delivery of the configuration data in the Agile Controller-Campus to site devices
is in progress.
l Failed: The configuration data in the Agile Controller-Campus fails to be delivered to the site.
l Succeeded: The configuration data in the Agile Controller-Campus is successfully delivered to the
site.

If Succeeded is not displayed in the Status column, you are advised to perform operations
according to Service Configuration in the Troubleshooting Guide.

----End

1.8.4 Site Deployment


This section describes how to deploy sites through emails.

1.8.4.1 (Optional) Customizing an Email Template


In the email-based deployment scenario, the deployment data needs to be configured on
multiple CPEs. That is, emails with the same content including the subject and body format
need to be configured on different CPEs. To reduce repeated operations, you can customize an
email template. When configuring email deployment parameters on each CPE, you can
reference the email template. Then parameters are set automatically.

The Agile Controller-Campus provides a default email template named Enterprise AR PDT.
If the default email template can meet the requirements or the email-based deployment
scenario is not involved, you can skip this section. Otherwise, you can customize an email
template.

Procedure
Step 1 Choose Configuration > Site > Template from the main menu.

Step 2 Click Email Template.

Step 3 Click Create to create an email template.

In normal cases, you only need to set Email Template, Subject and Content. You can
modify other parameters based on actual needs.

Step 4 Click OK.

----End

Parameter Description

Table 1-61 Parameters on the Email Template tab page


Parameter Description

Email template
    Name of an email template. If multiple CPEs need to be deployed, the personnel
    responsible for email-based deployment can create an email template to configure
    general information for the CPEs.

Subject
    Title of a deployment email.

Content
    Body of a deployment email. You are advised to change the default settings only when
    required.
    To add a fixed field to a deployment email, click the label of the target field:
    l Site Name: specifies a site name.
    l Device Name: specifies a device name.
    l Device ESN: specifies the ESN of a device.
    l Link Information: indicates information about an interface for network connection.
    NOTE
    The preceding fields are only displayed in the deployment email body, and they do not
    affect the information in the URL of the deployment configuration page in the email.

Default template
    Whether to configure a template as the default email template. If this parameter is
    enabled, the current template is selected by default when you configure the Send
    Email function for a site.

Recipients
    Recipient list. If a template is selected for a deployment email, the recipients of
    the deployment email are automatically set to those in the template. The recipients
    can be changed in the deployment email.

CC
    CC list. If a template is selected for a deployment email, the CCs of the deployment
    email are automatically set to those in the template. The CCs can be changed in the
    deployment email.

1.8.4.2 Deploying a Site by Email


Email-based deployment enables CPEs to connect to the WAN, register with the Agile
Controller-Campus, and go online. Skip operations in this section if email-based deployment
is not used. Common sites in the DSVPN tunnel mode along with edge sites and vRR sites in
the EVPN tunnel mode need to be deployed.

To guarantee deployment success, ensure that CPEs use factory settings. If CPEs have other
configurations, the deployment will fail.

Prerequisites
1. The ESN that already exists in the device list cannot be the same as the ESN of the
device added by device model.
2. You have obtained the following tools before performing email-based deployment:
Tool Description

PC or laptop
    Used to receive deployment emails. After a PC or laptop is connected to a CPE
    device, deployment personnel can perform deployment operations.

Network cable
    Used to connect the PC or laptop to the CPE device.

Procedure
Step 1 Check the device status.
1. On the Agile Controller-Campus, choose Device Management > Device Management
> Device List from the main menu.
2. Check that the Status column of the devices displays Unregistered.

Step 2 Send a deployment email.


1. Choose Configuration > Site > ZTP Configuration from the main menu.
2. Select the site to which a deployment email needs to be sent.
3. Click Send Email.
4. On the Send Email tab page, select the site and enter the email content.
a. Click Select Site and select a site based on the site role or the site template.
b. In the Available Sites area, select a site to which you want to send a deployment
email.
c. Click to move the selected site to the Selected Sites area.
d. Set the recipient email address on the right of the site.
e. Enter the CC recipient email address in CC.
f. Select the created email template from the Email Template drop-down list.
5. Click OK.
6. After the deployment email is sent successfully (indicating that the site is activated), the
icon on the right of the site is displayed as .

Step 3 Check all deployment emails and bring them to the customer site.

Step 4 Install the CPE at the customer site and perform email-based deployment. Only two methods
are supported currently. Select one of them based on the site situation.
l Wired deployment mode
a. Complete the CPE installation and cable connection, and power the CPE on.
b. Configure an IP address in the same network segment as 192.168.1.1 (such as
192.168.1.2) for the network interface connecting to the PC. Use a network cable to
connect the PC to the management interface of the CPE.

NOTE
Generally, a device's management interface is marked with the management or MGMT
silkscreen. If a device does not have a silkscreen, find the location of the management
network interface according to the
AR100&AR120&AR150&AR160&AR200&AR1200&AR1600&AR2200&AR3200&AR3600
V200R009 Product Documentation.
c. On the PC, open the deployment email and copy the URL to the browser's address
bar to execute it or directly click the URL.
d. On the displayed page, enter the password as prompted. The password must be the
same as the URL encryption key specified when you configure global parameters.

e. On the displayed page, click Check Parameters to check automatically parsed
parameters and click Confirm Deployment.
NOTE
Values of parameters in the Check Parameters area need to be changed only when a data
error occurs. Never change them if no data error occurs.

l Wireless deployment mode


In the device's factory settings, the deployment Wi-Fi network SSID is a character string
that consists of PnP_ and the last six digits of the device's ESN, in the PnP_xxxxxx
format. The deployment Wi-Fi password is a character string that consists of AR and the
last six digits of the network SSID, in the ARxxxxxx format.
The deployment engineer uses a deployment terminal to search for the deployment Wi-Fi
network SSID and enters the deployment Wi-Fi password to access the device. When the
deployment terminal has been connected to the specified deployment Wi-Fi network and
obtained an IP address, this deployment terminal has been connected to the device.
Only the devices with the default WLAN mode as the AP mode support wireless access
of deployment terminals.
Step 5 Wait 1 to 2 minutes and check the deployment result.
1. If the deployment is successful, a success prompt is displayed on the page.

2. Choose Device Management > Device List on the main menu of the Agile Controller-
Campus. Find the CPEs deployed through email-based deployment and check their
status.

a. (Optional) If Mode is set to Device Model when adding a device, check whether
the ESN of the device has been identified. Otherwise, skip this step.
b. If Status is Normal, the device has registered with the Agile Controller-Campus
and goes online.
----End

1.8.4.3 USB-based Deployment

Context
USB-based deployment enables CPEs to connect to the WAN, register with the SD-
WAN@AC-Campus, and go online. Skip operations in this section if USB-based deployment
is not used. Common sites in the DSVPN tunnel mode along with edge sites and vRR sites in
the EVPN tunnel mode need to be deployed.
A network administrator sets ZTP parameters on the Agile Controller-Campus GUI, and the
Agile Controller-Campus generates a ZTP file based on the site settings. The ZTP file can be
converted into a configuration file using the IniConverter1.0.exe tool and imported to a USB
flash drive for USB-based deployment.
l If ESNs are bound to the CPEs to be deployed, the ZTP file can be converted into a
configuration file for multiple CPEs. Batch USB-based deployment is supported.
l If no ESN is bound to the CPEs to be deployed, the ZTP file can be converted into a
configuration file for only one CPE. Batch USB-based deployment is not supported.
NOTE

A URL encryption key is contained in the configuration file generated using the tool. To prevent the key
from being leaked, it is strongly recommended that the device administrator use a keystroke encryption
USB drive or fingerprint encryption USB flash drive for deployment. During deployment, keep the USB
flash drive with the deployment configuration file saved secure. After the deployment is complete,
delete the deployment configuration file in a timely manner.

Prerequisites
1. The ZTP settings have been completed. For details, see sections 1.8.3.6 Configuring the
Network Access Mode for a Site and Offline Configuring Site Clock synchronization
(Underlay Network).
2. The IniConverter1.0.exe tool for generating configuration files is available.

Procedure
Step 1 Choose Configuration > Site > ZTP Configuration. On the ZTP Configuration page that is
displayed, click Download ZTP File.

Step 2 In the Download ZTP File dialog box that is displayed, select the site to be deployed and
click .

NOTE

ESNs must have been bound to the devices at the selected site or the tool will fail to generate a
configuration file.

Step 3 Click OK. The system generates a ZTP_xxx.csv file and automatically downloads it to the
browser's default download path.
Step 4 Use IniConverter1.0.exe to generate the configuration file.
1. Drag the downloaded ZTP_xxx.csv file to the IniConverter1.0.exe tool.
2. Set Password to the value of URL encryption key, which has been set on the Global
Parameters page.
3. Click Generate ini file, and save the configuration file as ZTP.ini.

Step 5 Make an index file.
Create a text file named USB_AR.ini and edit the index file.
During USB-based deployment, the device where the USB flash drive is installed matches the
ESN field of CONFIG in the index file. If a match is found, the configuration file in the USB
flash drive is copied.
BEGIN AR
[USB CONFIG]
SN=20180408.070632
EMS_ONLINE_STATE=NO
[UPGRADE INFO]
OPTION=AUTO
DEVICENUM=1
[DEVICE1 DESCRIPTION]
OPTION=OK
ESN=DEFAULT
MAC=DEFAULT
VERSION=DEFAULT
DIRECTORY=DEFAULT
FILENUM=1
TYPE1=SYSTEM-CONFIG-LITE
FILENAME1=ZTP.ini
END AR

Table 1-62 Fields in the index file

Field Description

BEGIN AR
    Start flag of the index file. This field cannot be modified.

USB CONFIG
    USB flash drive configuration. This field cannot be modified.

SN
    Data change time in the YearMonthDay.HourMinuteSecond format.
    For example, if the index file is edited at 07:06:32 on April 8, 2018, this field is
    20180408.070632.

EMS_ONLINE_STATE
    Whether the NMS is online. This field has a fixed value NO, indicating that the NMS
    is offline. This field cannot be modified.

UPGRADE INFO
    Upgrade information header. This field cannot be modified.

OPTION
    Upgrade mode flag. This field has a fixed value AUTO.

DEVICENUM
    Number of devices to be upgraded using this index file. This field has a fixed value
    1 and cannot be modified.
    NOTE
    This field cannot be modified because the number of devices to be upgraded is not
    displayed in the index file but specified by the FILENAME1 field.

DEVICE1 DESCRIPTION
    Description information header of device 1.

OPTION
    Whether USB-based deployment is required for the device. This field has a fixed value
    OK, indicating that USB-based deployment is required. This field cannot be modified.

ESN
    Serial number of a device. This field has a fixed value DEFAULT, indicating that the
    index file is applicable to all devices. This field cannot be modified.

MAC
    MAC address of a device. This field has a fixed value DEFAULT, indicating that the
    index file is applicable to all devices. This field cannot be modified.

VERSION
    Version number after the upgrade.
    NOTE
    The factory default version is used in USB-based deployment by default. Therefore,
    this field is meaningless but cannot be left blank.

DIRECTORY
    Path for storing deployment files. This field has a fixed value DEFAULT, indicating
    that the deployment files are stored in the root directory of the USB flash drive.
    This field cannot be modified.

FILENUM
    Number of files to be loaded. This field has a fixed value 1, indicating that only
    the system software needs to be loaded to the device. This field cannot be modified.

TYPE1
    Upgrade file type. This field has a fixed value SYSTEM-CONFIG-LITE, indicating that
    only the configuration file used in streamlined USB-based deployment needs to be
    loaded to the device. This field cannot be modified.

FILENAME1
    Configuration file name.
    NOTE
    Ensure that this file name is the same as that used in USB-based deployment.

END AR
    End flag of the file. This field cannot be modified.

Step 6 Save the index file USB_AR.ini and configuration file ZTP.ini to the root directory of the
USB flash drive.

Step 7 Perform USB-based deployment.
1. Power on the CPE and wait until it starts successfully.
2. Install the prepared USB flash drive to the USB port on the device. The system
automatically starts the USB-based deployment process.
3. During deployment, the device system obtains the configuration file from the USB flash
drive based on the description in the index file and saves it to the default storage
medium. Based on the configuration file information, the system delivers deployment
configuration to the device with the matched ESN. The device saves the configuration to
the configuration file for next startup.
4. Observe the USB indicator on the device to determine the progress of USB-based
deployment. After USB-based deployment is successful, remove the USB flash drive.
– If the indicator is steady yellow, the USB-based deployment has not started yet and
the interface card is to be registered.
NOTE

Only AR1600 series support the status that the indicator is steady yellow.
– If the indicator is blinking green, USB-based deployment is ongoing.
– If the indicator is steady green, USB-based deployment is successful.
– If the indicator is steady red, USB-based deployment fails.

----End
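An added check for the index file prepared in Step 5, written in Python and not part of Huawei's tooling: it parses USB_AR.ini, compares the fixed-value fields against Table 1-62, validates the SN timestamp format and models the ESN match from Step 5, so a wrong file is caught before the USB flash drive (which also carries the URL encryption key in ZTP.ini) leaves the administrator. The line layout (BEGIN AR/END AR, [SECTION] headers, KEY=VALUE lines) and the ESN rule (DEFAULT applies to every device, otherwise exact match) are assumptions taken from the sample and the step text.

```python
from datetime import datetime
from typing import Dict, List

# Constructed sample, identical in layout to the index file shown in Step 5.
SAMPLE_INDEX = """BEGIN AR
[USB CONFIG]
SN=20180408.070632
EMS_ONLINE_STATE=NO
[UPGRADE INFO]
OPTION=AUTO
DEVICENUM=1
[DEVICE1 DESCRIPTION]
OPTION=OK
ESN=DEFAULT
MAC=DEFAULT
VERSION=DEFAULT
DIRECTORY=DEFAULT
FILENUM=1
TYPE1=SYSTEM-CONFIG-LITE
FILENAME1=ZTP.ini
END AR
"""

# Fixed values from Table 1-62, keyed by (section, field).
FIXED_FIELDS = {
    ("USB CONFIG", "EMS_ONLINE_STATE"): "NO",
    ("UPGRADE INFO", "OPTION"): "AUTO",
    ("UPGRADE INFO", "DEVICENUM"): "1",
    ("DEVICE1 DESCRIPTION", "OPTION"): "OK",
    ("DEVICE1 DESCRIPTION", "MAC"): "DEFAULT",
    ("DEVICE1 DESCRIPTION", "DIRECTORY"): "DEFAULT",
    ("DEVICE1 DESCRIPTION", "FILENUM"): "1",
    ("DEVICE1 DESCRIPTION", "TYPE1"): "SYSTEM-CONFIG-LITE",
}

Index = Dict[str, Dict[str, str]]


def parse_index(text: str) -> Index:
    """Return {section: {field: value}}; raise ValueError on structural errors."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0] != "BEGIN AR" or lines[-1] != "END AR":
        raise ValueError("index file must start with BEGIN AR and end with END AR")
    sections: Index = {}
    current = None
    for ln in lines[1:-1]:
        if ln.startswith("[") and ln.endswith("]"):
            current = ln[1:-1]
            sections[current] = {}
        elif "=" in ln and current is not None:
            key, value = ln.split("=", 1)
            sections[current][key.strip()] = value.strip()
        else:
            raise ValueError(f"unexpected line outside a section: {ln!r}")
    return sections


def validate_index(index: Index) -> List[str]:
    """Return every deviation from Table 1-62; an empty list means the file is acceptable."""
    problems = []
    for (section, field), expected in FIXED_FIELDS.items():
        actual = index.get(section, {}).get(field)
        if actual != expected:
            problems.append(f"[{section}] {field}={actual!r}, expected {expected!r}")
    sn = index.get("USB CONFIG", {}).get("SN", "")
    try:
        datetime.strptime(sn, "%Y%m%d.%H%M%S")  # YearMonthDay.HourMinuteSecond
    except ValueError:
        problems.append(f"[USB CONFIG] SN={sn!r} is not in YearMonthDay.HourMinuteSecond format")
    device = index.get("DEVICE1 DESCRIPTION", {})
    # ESN may be DEFAULT or a bound ESN (Step 5); VERSION is unused but must not be blank.
    for field in ("ESN", "VERSION", "FILENAME1"):
        if not device.get(field):
            problems.append(f"[DEVICE1 DESCRIPTION] {field} must not be left blank")
    return problems


def device_would_load(index: Index, device_esn: str) -> bool:
    """Model the ESN match from Step 5: DEFAULT applies to every device, otherwise exact match."""
    esn = index.get("DEVICE1 DESCRIPTION", {}).get("ESN", "")
    return esn == "DEFAULT" or esn == device_esn


if __name__ == "__main__":
    idx = parse_index(SAMPLE_INDEX)
    print(validate_index(idx) or "index file matches Table 1-62")
    # ESN-CONSTRUCTED-0001 is a placeholder, not a real device serial number.
    print("device ESN-CONSTRUCTED-0001 would load:", device_would_load(idx, "ESN-CONSTRUCTED-0001"))
```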

1.8.4.4 Checking the Email-based (Device) Deployment Result


After email-based deployment, you can check whether devices are successfully deployed.

Procedure
Step 1 Choose Maintenance > Provisioning Result > Generate Configuration from the main
menu.

Step 2 Check whether the configurations are generated successfully.

If Succeeded is displayed in the Status column for all records, the configurations are
generated successfully.

NOTE

The Agile Controller-Campus can deliver the configurations to devices only after the
configurations are generated successfully.

Step 3 Click the Deploy to Device tab and check whether policies are successfully delivered to
devices.
1. Click the Deploy to Device tab and then click the By Site tab.
2. If Succeeded is displayed in the Status column for all records, the site deployment is
successful.

NOTE

After email-based deployment, the Agile Controller-Campus will deliver the configuration data of
the site to CPEs. If the network flaps during the configuration data delivery, data loss may occur
on the delivered configuration. In this case, you are advised to click Redeploy to re-deliver the
configuration data to the CPEs.
If Succeeded is not displayed in the Status column, you are advised to perform
operations according to "Service Configuration Delivery Fails (SD-WAN)" in the
Troubleshooting Guide.

----End

1.8.5 Network Control and Optimization

1.8.5.1 Configuring Applications and Application Groups


Users can configure block, redirection, intelligent traffic steering, and QoS policies, or
application link detection by application group. The Agile Controller-Campus predefines
some common applications. If the predefined applications do not meet requirements, you can
customize applications and group the predefined and customized applications so that the
Agile Controller-Campus can identify more applications.

1.8.5.1.1 Checking Predefined Applications


The Agile Controller-Campus can identify common predefined applications using the built-in
application signature database. To view applications predefined on the Agile Controller-
Campus, perform the following operations:

Procedure
Step 1 Choose Configuration > Application Management > Predefined Application from the
main menu.

Step 2 In the navigation tree, select SA signature database, and click a category. All predefined
applications in the category are displayed on the right of the page.
NOTE

The SA_H30071000 (6000+) applications in SA signature database can be delivered to devices except
the following: the AR160 and AR160F series including AR161, AR161W, AR161F, AR161FGW-L,
AR161FW, AR168F, AR169F, and AR169FGW-L.
The SA_H30071002 (500+) applications in SA signature database can be delivered to all devices.
Predefined application categories include two types: DPI and FPI.

----End

1.8.5.1.2 (Optional) Creating a Customized Application

Context
When predefined applications cannot meet the requirement, you can define a new application
according to characteristics of the application.

The types of customized applications include the first packet identification and service
awareness identification, with the former one preferred. If an application cannot be identified,
service awareness identification is used. Table 1-63 lists methods of identifying customized
applications.

Table 1-63 Methods of identifying a customized application

Customized Application Type / Method of Identifying Applications

Application that is identified by using the first packet
    Triplet: identifies an application based on the server address, protocol type, and
    fixed port number.

Application that is identified by service awareness
    Keyword: identifies an application based on the server address, protocol type, and
    unfixed port number.
    Triplet + keyword: identifies an application through the server using the same port
    number to provide two or more services.

NOTE

l The number of user-defined applications cannot exceed that supported by any device on the tenant
network.
l If an application packet matches rules of multiple customized applications, the customized
application that is delivered first takes effect. That is, the application configured first takes effect.
l In predefined applications, the application signature database does not include applications of
enterprises' self-built servers, such as Outlook and office365 deployed on enterprise self-built
servers. If such applications need to be identified, customized applications need to be configured.

Procedure
Step 1 Choose Configuration > Application Management > Customized Application from the
main menu.
Step 2 Click Create to create a customized application.

Step 3 Set Application name to the name of the customized application.

Step 4 Select the application group to which the customized application belongs.

Step 5 Click Create and configure rules for the customized application.

Step 6 Click OK.

----End

Follow-up Procedure

Table 1-64 Follow-up procedure of customized applications

Function / Scenario and Constraint / Operation Procedure

Viewing details about a customized application
    Scenario and constraint: You can view the detailed information about a customized
    application.
    Procedure:
    1. On the Customized Application tab page, click in the row where you want to view
    details about a customized application.
    2. In the expanded area, view details about the customized application.

Modifying a customized application
    Scenario and constraint: You cannot modify Application Name of a customized
    application that is being referenced by an application group.
    Procedure:
    1. On the Customized Application tab page, click in the Operation column of the
    customized application to be modified.
    2. On the page that is displayed, modify the customized application.
    3. Click OK.

Cloning a customized application
    Scenario and constraint: You can quickly create a customized application by simply
    modifying an existing customized application.
    Procedure:
    1. On the Customized Application tab page, click in the Operation column of the
    customized application to be cloned.
    2. Modify the cloned customized application.
    3. Click OK.

Deleting a customized application
    Scenario and constraint: You cannot delete a customized application that is being
    referenced by an application group.
    Procedure:
    1. On the Customized Application tab page, click in the Operation column of the
    customized application to be deleted.
    2. Click Yes.

Parameter Description

Table 1-65 Parameters on the Customized Application page

Parameter Description

Name
    Name of a user-defined application.

Description
    Description of a user-defined application's function.

Application group
    Application group. You can define an application and add it to an existing
    application group, or define an application group and add applications to it.

Rule Name
    Name of a rule defined for identifying application packets. A rule contains the
    protocol number and port number used by an application, and other basic attributes.

Description
    Description of a rule.

Destination IP
    Destination IP address of an application packet. In most cases, the IP address of an
    application server is a fixed public IP address. This allows the system to identify
    the application packets based on a specified destination IP address.

Port number
    Destination port number of an application packet.

Protocol
    Transport layer protocol type of a user-defined application rule, which can be All,
    TCP, or UDP.

Signature / Signature
    Signature information. Data packets of some applications contain the same piece of
    character strings, which is regarded as a signature.

Signature / Context
    You can select the packet- or flow-based mode for signature identification:
    l If you select the packet-based mode, the rule checks every packet in an
    application data flow.
    l If you select the flow-based mode, the rule only checks the first packet in an
    application data flow. After detecting that the subsequent packets belong to the
    same data flow based on the quintuple information, the rule does not check the
    subsequent packets.

Signature / Direction
    Direction of packets to be identified. You can configure a rule to identify the
    signatures only in request or response packets, or in both of them.

Signature / Plain-text String
    Signature string, which is case-sensitive.
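An added Python model of the identification methods in Table 1-63 and the rule parameters in Table 1-65 (not the Agile Controller-Campus or device implementation): triplet, keyword and triplet + keyword rules are applied in configuration order so that the application configured first wins, and the packet-based versus flow-based Context decides whether later packets of the same quintuple are inspected. The Packet/Rule structures, the "request"/"response" direction labels and the TEST-NET sample addresses are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Sequence, Tuple

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str    # "TCP" or "UDP"
    direction: str   # "request" (client to server) or "response"
    payload: bytes = b""

    def flow_key(self) -> Tuple:
        # Quintuple, normalised so both directions of a flow share one key.
        ends = sorted([(self.src_ip, self.src_port), (self.dst_ip, self.dst_port)])
        return (self.protocol, ends[0], ends[1])

@dataclass(frozen=True)
class Signature:
    text: str                # Plain-text String, case-sensitive
    context: str = "flow"    # "packet" or "flow"
    direction: str = "both"  # "request", "response" or "both"

@dataclass(frozen=True)
class Rule:
    server_ip: str                  # Destination IP of the application server
    protocol: str = "All"           # All, TCP or UDP
    port: Optional[int] = None      # None models an unfixed port (keyword identification)
    signature: Optional[Signature] = None

@dataclass(frozen=True)
class CustomApp:
    name: str
    rules: Tuple[Rule, ...]

def rule_matches(rule: Rule, pkt: Packet, first_packet: bool) -> bool:
    # Destination IP / Port number describe the server side, whichever way the packet flows.
    server = (pkt.dst_ip, pkt.dst_port) if pkt.direction == "request" else (pkt.src_ip, pkt.src_port)
    if rule.server_ip != server[0] or (rule.port is not None and rule.port != server[1]):
        return False
    if rule.protocol != "All" and rule.protocol != pkt.protocol:
        return False
    sig = rule.signature
    if sig is None:
        return True                           # triplet only: first packet identification
    if sig.context == "flow" and not first_packet:
        return False                          # flow-based: only the first packet is inspected
    if sig.direction != "both" and sig.direction != pkt.direction:
        return False
    return sig.text.encode() in pkt.payload   # case-sensitive keyword match

class Classifier:
    """Applies customized applications in configuration order; the first match wins."""
    def __init__(self, apps: Sequence[CustomApp]):
        self.apps = list(apps)
        self.seen_flows: set = set()
        self.decided: Dict[Tuple, str] = {}

    def classify(self, pkt: Packet) -> Optional[str]:
        key = pkt.flow_key()
        if key in self.decided:               # flow already identified: inherit the result
            return self.decided[key]
        first_packet = key not in self.seen_flows
        self.seen_flows.add(key)
        for app in self.apps:
            for rule in app.rules:
                if rule_matches(rule, pkt, first_packet):
                    # Triplet and flow-based matches settle the whole flow; a packet-based
                    # rule is re-evaluated on every packet, so it is not cached.
                    if rule.signature is None or rule.signature.context == "flow":
                        self.decided[key] = app.name
                    return app.name
        return None

# Constructed sample configuration and traffic (TEST-NET addresses, not real servers).
SAMPLE_APPS = (
    CustomApp("mail-triplet", (Rule("203.0.113.5", "TCP", 993),)),
    CustomApp("mail-any-port", (Rule("203.0.113.5", "TCP"),)),   # configured later, so never wins
    CustomApp("portal-keyword", (Rule("203.0.113.8", "TCP", None,
                                      Signature("Host: portal.example", "flow", "request")),)),
    CustomApp("erp-on-8080", (Rule("203.0.113.9", "TCP", 8080, Signature("/erp/", "packet", "request")),)),
    CustomApp("crm-on-8080", (Rule("203.0.113.9", "TCP", 8080, Signature("/crm/", "packet", "request")),)),
)
SAMPLE_PACKETS = (
    Packet("192.0.2.10", 40001, "203.0.113.5", 993, "TCP", "request"),
    Packet("192.0.2.10", 40002, "203.0.113.8", 8443, "TCP", "request", b"GET / HTTP/1.1\r\nHost: portal.example\r\n"),
    Packet("203.0.113.8", 8443, "192.0.2.10", 40002, "TCP", "response", b"HTTP/1.1 200 OK\r\n"),
    Packet("192.0.2.11", 40003, "203.0.113.8", 8443, "TCP", "request", b"GET / HTTP/1.1\r\n"),
    Packet("192.0.2.11", 40003, "203.0.113.8", 8443, "TCP", "request", b"Host: portal.example\r\n"),
    Packet("192.0.2.12", 40004, "203.0.113.9", 8080, "TCP", "request", b"GET /crm/login HTTP/1.1\r\n"),
    Packet("192.0.2.12", 40004, "203.0.113.9", 8080, "TCP", "request", b"GET /erp/report HTTP/1.1\r\n"),
)

if __name__ == "__main__":
    clf = Classifier(SAMPLE_APPS)
    for pkt in SAMPLE_PACKETS:
        print(f"{pkt.direction:8} {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}  {clf.classify(pkt)}")
```

The fourth and fifth packets show the flow-based edge case: the keyword arrives only in the second packet of that flow, so the rule never sees it and the flow stays unidentified.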

1.8.5.1.3 Creating a Customized Application Group


When configuring policies, you need to select an application group before selecting an
application.
When creating an application group, you need to add predefined or customized applications to
the customized application group. An application can be added to only one application group.
However, the following requirements must be met when you configure the ACL policy, QoS
policy, intelligent traffic steering policy, Internet access policy at a site, and application
quality monitoring:
1. Applications in the application group of the selected traffic classifier template must be
different from each other between the ACL policy, QoS policy, and Internet access
policy of the same site.
2. Applications in the application group of the selected traffic classifier template must be
different from each other between different ACL policies, QoS policies, intelligent traffic
steering policies, application quality monitoring policies, or Internet access policies of
the same site.

Prerequisites
A customized application has been created. For details, see 1.8.5.1.2 (Optional) Creating a
Customized Application.

Procedure
Step 1 Choose Configuration > Application Management > Application Group from the main
menu.
Step 2 Click Create.
Step 3 On the Applications Group page, set relevant parameters about the customized application
group.
Set the name of the application group. Select SA signature database and add predefined or
customized applications to the application group.

NOTE

The SA_H30071000 (6000+) applications in the SA signature database can be delivered to all devices except
the following: the AR160 and AR160F series, including AR161, AR161W, AR161F, AR161FGW-L,
AR161FW, AR168F, AR169F, and AR169FGW-L.
The SA_H30071002 (500+) applications in the SA signature database can be delivered to all devices.
Predefined application categories include two types: DPI and FPI.


Step 4 Click OK.

----End

Follow-up Procedure

Table 1-66 Follow-up procedure of an application group

Viewing details about an application group
Operation Scenario and Constraint: You can view detailed information about an application group.
Procedure:
1. On the Application Group tab page, click in the row of the application group whose details you want to view.
2. In the expanded area, view details about the application group.

Modifying an application group
Operation Scenario and Constraint: You cannot modify the name of a customized application that is being referenced by a traffic classifier template or application quality monitoring.
Procedure:
1. On the Application Group tab page, click in the Operation column of the application group to be modified.
2. On the page that is displayed, modify the application group.
3. Click OK.

Deleting an application group
Operation Scenario and Constraint: You cannot delete a customized application that is being referenced by a traffic classifier template or application quality monitoring.
Procedure:
1. On the Application Group tab page, click in the Operation column of the application group to be deleted.
2. Click Yes.

Parameter Description

Table 1-67 Parameters on the Application Group page

Name: Name of an application group.

Description: Description of an application, for example, video application software or social application software.

Applications > Predefined applications > SA signature database: SA signature database. Before selecting applications for FPI and DPI, you need to select an SA signature database. There are two available signature databases: SA_H30071000 (6000+) and SA_H30071002 (500+). The numbers in parentheses represent the numbers of contained applications. The options for FPI and DPI vary according to the signature database.

Applications > Predefined applications > FPI: Predefined applications for FPI. You can select predefined applications here and add them to an application group.

Applications > Predefined applications > DPI: Predefined applications for DPI. You can select predefined applications here and add them to an application group. FPI has higher requirements on packets than DPI. Therefore, DPI can identify more applications, and FPI applications are a subset of DPI applications.

Applications > Customized Applications: User-defined application. You need to select a configured user-defined application.

1.8.5.2 Configuring a Traffic Policy Template


When configuring a traffic policy, you need to use the created traffic classifier template and
effective time template.

1.8.5.2.1 Creating a Traffic classifier template


A traffic classifier defines a group of traffic matching rules to classify packets.
You can configure a traffic classifier template to add packets matching the same rules to a
category. This ensures that the device processes packets matching the same rules identically.

Prerequisites
An application group has been created. For details, see 1.8.5.1.3 Creating a Customized
Application Group.

Procedure
Step 1 Choose Configuration > Configuration > Traffic Policy from the main menu.
Step 2 Click Traffic Classifier Template. Click Create to create a traffic classifier template.


1. In the Operator area, set the relationship between L3 ACL, Application, and Advance
rules to And or Or.
2. In the L3 ACL area, click Create to define multiple ACL rules. The default action is
permit.
3. In the Application area, select the application to which data flows belong.
4. In the Advance area, set VLAN ID, 8021P, Source MAC, Destination MAC, and L2-
Protocol to classify data flows.
5. Click OK.

----End

Follow-up Procedure

Table 1-68 Follow-up procedure of a traffic classifier template

Modifying a traffic classifier template
Operation Scenario and Constraint: The traffic classifier template referenced by a traffic policy cannot be modified. Before modifying a traffic classifier template, you need to delete the traffic policy that is applied to the traffic classifier template or unbind the traffic classifier template from the traffic policy.
Procedure: On the Traffic Classifier Template page, click in the Operation column of the traffic classifier template to be modified.

Deleting a traffic classifier template
Operation Scenario and Constraint: The traffic classifier template referenced by a traffic policy cannot be deleted. Before deleting a traffic classifier template, you need to delete the traffic policy that is applied to the traffic classifier template or unbind the traffic classifier template from the traffic policy.
Procedure: On the Traffic Classifier Template page, select the traffic classifier template to be deleted, and click Delete.

Cloning a traffic classifier template
Operation Scenario and Constraint: You can clone a traffic classifier template. That is, you can quickly create a traffic classifier template by modifying an existing template. After you clone a traffic classifier template, the template exists only on the Agile Controller-Campus. To deliver the new policy to devices, you need to perform the Commit operation.
Procedure: On the Traffic Classifier Template page, select the traffic classifier template to be cloned, and click the corresponding icon.

Parameter Description

Table 1-69 Parameters on the Traffic Classifier Template page

Traffic classifier name: Name of a traffic classifier template.

Operator:
l The and parameter indicates that the relationship between the rules in the traffic classifier is AND, which means that:
– If a traffic classifier contains ACL rules, packets match the traffic classifier only when the packets match one ACL rule and all the non-ACL rules.
– If the traffic classifier does not contain any ACL rules, packets match the traffic classifier only when they match all the rules in the classifier.
l The or parameter indicates that the relationship between the rules in the traffic classifier is OR. That is, packets match the traffic classifier if the packets match one or more rules in the traffic classifier.
By default, the relationship between rules in a traffic classifier is AND.

L3 ACL > Priority: ACL rule priority. Multiple Layer 3 ACL rules can be configured. Packets match the Layer 3 ACL rule with a higher priority first. The default value is permit.

L3 ACL > Source IP: Source IP address of the packet to be matched. If this parameter is not specified, packets with any source IP address are matched.

L3 ACL > Destination IP: Destination IP address of the packet to be matched. If this parameter is not specified, packets with any destination IP address are matched.

L3 ACL > DSCP: Differentiated Services Code Point (DSCP) value. The DSCP is a field in the IP header of a packet. It identifies the service class and priority of the packet to ensure the QoS level of the communication.

L3 ACL > Protocol: Layer 3 protocol type of the packet to be matched. Currently, TCP/UDP/OSPF/IPinIP/IP/IGMP/ICMP/GRE protocols and protocols with customized protocol numbers are supported.

L3 ACL > Source Port: Source port number of the packet to be matched. If this parameter is not specified, packets with any source port are matched.

L3 ACL > Destination Port: Destination port number of the packet to be matched. If this parameter is not specified, packets with any destination port are matched.

Application: Application to which matched packets belong. Only an application group can be selected. Applications that are not added to an application group are not displayed, and you cannot select only some applications in an application group. Therefore, you need to plan application groups properly.

Advance > Vlan ID > Start Vlan ID: Start VLAN ID in the outer tag of the VLAN packet to be matched.

Advance > Vlan ID > End Vlan ID: End VLAN ID in the outer tag of the VLAN packet to be matched. End Vlan ID must be greater than Start Vlan ID. If End Vlan ID is not specified, only the packets carrying Start Vlan ID are matched.

Advance > 8021P: 802.1P priority of the VLAN packet to be matched.

Advance > Source MAC: Source MAC address of the VLAN packet to be matched.

Advance > Destination MAC: Destination MAC address of the VLAN packet to be matched.

Advance > L2-Protocol: Layer 2 protocol type of the VLAN packet to be matched. Currently, ARP/IP/MPLS/RARP protocols and protocols with customized protocol numbers are supported.
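The And/Or semantics of the Operator parameter, worked through as an added Python example that is not the controller's code: ACL rules are tried in priority order, the Application rule is a whole application group, and the Advance rule applies the Start/End Vlan ID range. The packet model, the rule ordering (a larger priority number wins) and the treatment of a deny hit as "not matched" are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Packet:
    """Constructed packet model: L3 fields, the application already identified
    for the packet, and the L2 fields the Advance area matches on."""
    src_ip: str
    dst_ip: str
    protocol: str
    src_port: int = 0
    dst_port: int = 0
    dscp: int = 0
    app: Optional[str] = None
    vlan_id: Optional[int] = None
    pri_8021p: Optional[int] = None
    src_mac: Optional[str] = None
    dst_mac: Optional[str] = None
    l2_protocol: Optional[str] = None


def _fields_match(rule, p: Packet, names) -> bool:
    # An unspecified (None) rule field matches any packet value.
    return all(getattr(rule, n) is None or getattr(rule, n) == getattr(p, n) for n in names)


@dataclass
class AclRule:
    priority: int                 # assumption: a larger number is a higher priority
    action: str = "permit"        # the default action in the L3 ACL area
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    protocol: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    dscp: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return _fields_match(self, p, ("src_ip", "dst_ip", "protocol", "src_port", "dst_port", "dscp"))


@dataclass
class AdvanceRule:
    start_vlan: Optional[int] = None
    end_vlan: Optional[int] = None   # unset: only Start Vlan ID itself is matched
    pri_8021p: Optional[int] = None
    src_mac: Optional[str] = None
    dst_mac: Optional[str] = None
    l2_protocol: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        if self.start_vlan is not None:
            end = self.end_vlan if self.end_vlan is not None else self.start_vlan
            if p.vlan_id is None or not (self.start_vlan <= p.vlan_id <= end):
                return False
        return _fields_match(self, p, ("pri_8021p", "src_mac", "dst_mac", "l2_protocol"))


@dataclass
class TrafficClassifier:
    name: str
    operator: str = "and"                  # "and" (default) or "or"
    acl_rules: List[AclRule] = field(default_factory=list)
    app_group: Optional[Set[str]] = None   # a whole application group, never a subset
    advance: Optional[AdvanceRule] = None

    def _acl_matches(self, p: Packet) -> bool:
        # Higher-priority rule first; the first hit decides. Assumption: a deny hit
        # means the packet is not classified by this template.
        for rule in sorted(self.acl_rules, key=lambda r: r.priority, reverse=True):
            if rule.matches(p):
                return rule.action == "permit"
        return False

    def matches(self, p: Packet) -> bool:
        non_acl = []                        # results of the Application and Advance rules
        if self.app_group is not None:
            non_acl.append(p.app in self.app_group)
        if self.advance is not None:
            non_acl.append(self.advance.matches(p))
        if self.operator == "and":
            if self.acl_rules:              # one ACL rule AND all non-ACL rules
                return self._acl_matches(p) and all(non_acl)
            return all(non_acl)             # no ACL rules: all configured rules
        return (bool(self.acl_rules) and self._acl_matches(p)) or any(non_acl)


def demo() -> Dict[str, bool]:
    acl = [AclRule(priority=5, protocol="UDP", dst_port=5060),
           AclRule(priority=10, action="deny", src_ip="192.168.1.99")]
    voice_and = TrafficClassifier("voice-and", "and", acl, app_group={"SIP", "RTP"})
    voice_or = TrafficClassifier("voice-or", "or", acl, app_group={"SIP", "RTP"})
    guest_vlan = TrafficClassifier("guest-vlan", advance=AdvanceRule(start_vlan=100, end_vlan=110))
    sip = Packet("192.168.1.10", "10.10.10.5", "UDP", 40000, 5060, app="SIP")
    sip_denied = Packet("192.168.1.99", "10.10.10.5", "UDP", 40000, 5060, app="SIP")
    http_5060 = Packet("192.168.1.10", "10.10.10.5", "UDP", 40000, 5060, app="HTTP")
    return {
        "and_sip": voice_and.matches(sip),                # True
        "and_denied_src": voice_and.matches(sip_denied),  # False: deny rule wins on priority
        "and_wrong_app": voice_and.matches(http_5060),    # False: application rule fails
        "or_wrong_app": voice_or.matches(http_5060),      # True: the ACL rule alone suffices
        "vlan_105": guest_vlan.matches(Packet("a", "b", "IP", vlan_id=105)),  # True
        "vlan_111": guest_vlan.matches(Packet("a", "b", "IP", vlan_id=111)),  # False
    }
```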

1.8.5.2.2 (Optional) Creating an Effective Time Template


By default, a traffic policy takes effect immediately after it is applied to a service module. If
you want a traffic policy to take effect only in a certain period, you can define a time range
and associate the time range with the traffic policy. By defining time ranges and associating
them with traffic policies, you can use time-based traffic policies to control services. For example,
by using a time-based traffic policy, enterprises can limit employees' access to the Internet
during work hours and restrict the bandwidth for services such as P2P and downloading
services in peak hours to avoid network congestion. The purpose of creating an effective time
template is to define a time range during which a policy takes effect.
You can associate a time range with a traffic policy in either of the following modes:
l Periodic time range: defines a periodic time range based on days or weeks. The
associated traffic policy takes effect at an interval of one week. For example, if the time
range of a traffic policy is 8:00-12:00 per day or on Monday, the traffic policy takes
effect at 8:00-12:00 per day or on every Monday.
l Absolute time range: defines a time range from YYYY/MM/DD hh:mm to
YYYY/MM/DD hh:mm. The associated traffic policy takes effect only in this period.

Procedure
Step 1 Choose Configuration > Configuration > Traffic Policy from the main menu.

Step 2 Click Validity Period Template, and click Create to create an effective time template.


1. Set Template name to the name of the effective time template.


2. Set Time type.
3. If you set Time type to Weekly, set Weekly to a day on which the policy takes effect.
Otherwise, skip this step.
4. Set Start time and End time for the policy to take effect.
5. Click OK.

----End

Follow-up Procedure

Table 1-70 Follow-up procedure of the effective time template

Modifying an effective time template
Operation Scenario and Constraint: Before modifying an effective time template, you need to delete the associated traffic policy or unbind the effective time template from the traffic policy. Otherwise, the effective time template cannot be modified.
Procedure: On the Validity Period Template page, click in the Operation column of the effective time template to be modified.

Deleting an effective time template
Operation Scenario and Constraint: Before deleting an effective time template, you need to delete the associated traffic policy or unbind the effective time template from the traffic policy. Otherwise, the effective time template cannot be deleted.
Procedure: On the Validity Period Template page, select the effective time template to be deleted, and click Delete.

Parameter Description

Table 1-71 Parameters on the Validity Period Template page

Template name: Time range name.

Time type:
l Daily: Periodic time segment. The time range is defined by day, indicating that the rule takes effect at an interval of one day (for example, from 8:00 to 12:00 every day).
l Weekly: Periodic time segment. The time range is defined by week, indicating that the rule takes effect at an interval of one week (for example, from 8:00 to 12:00 on Mondays).
l Scheduled: Absolute time segment, indicating that the rule takes effect in the time range from YYYY/MM/DD hh:mm to YYYY/MM/DD hh:mm.

Weekly: Day on which the time range takes effect. This parameter is available only when Time type is set to Weekly. The value can be one day (Monday to Sunday) or any combination of days of the week.

Start time: Start time when a traffic policy takes effect.

End time: End time when a traffic policy takes effect.
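An added Python example, not from this guide, that evaluates the three time types against a timestamp using the guide's own 8:00 to 12:00 Daily and Monday examples and the YYYY/MM/DD hh:mm absolute form. The inclusive window, the no-midnight-crossing rule and the Python weekday numbering (Monday = 0) are assumptions of this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Dict, Optional, Set


@dataclass
class TimeTemplate:
    """Constructed model of an effective time template (not the controller's data model)."""
    name: str
    time_type: str                       # "Daily", "Weekly", or "Scheduled"
    start_time: Optional[time] = None    # Daily / Weekly: time of day
    end_time: Optional[time] = None
    weekdays: Set[int] = field(default_factory=set)   # Weekly only; Monday = 0 ... Sunday = 6
    start_at: Optional[datetime] = None  # Scheduled: absolute start
    end_at: Optional[datetime] = None    # Scheduled: absolute end

    def active_at(self, now: datetime) -> bool:
        if self.time_type == "Scheduled":
            return self.start_at <= now <= self.end_at
        # Assumption: the daily window is inclusive at both ends and does not cross midnight.
        in_window = self.start_time <= now.time() <= self.end_time
        if self.time_type == "Daily":
            return in_window
        if self.time_type == "Weekly":
            return now.weekday() in self.weekdays and in_window
        raise ValueError(f"unknown time type: {self.time_type}")


def parse_scheduled(name: str, start: str, end: str) -> TimeTemplate:
    # Absolute range written in the guide's YYYY/MM/DD hh:mm form.
    fmt = "%Y/%m/%d %H:%M"
    return TimeTemplate(name, "Scheduled",
                        start_at=datetime.strptime(start, fmt),
                        end_at=datetime.strptime(end, fmt))


def policy_in_effect(template: Optional[TimeTemplate], now: datetime) -> bool:
    # A traffic policy with no effective time template takes effect immediately.
    return True if template is None else template.active_at(now)


def demo() -> Dict[str, bool]:
    work_hours = TimeTemplate("work-hours", "Daily", time(8, 0), time(12, 0))
    monday_am = TimeTemplate("monday-am", "Weekly", time(8, 0), time(12, 0), weekdays={0})
    march = parse_scheduled("march-2019", "2019/03/01 00:00", "2019/03/31 23:59")
    mon_9 = datetime(2019, 3, 11, 9, 0)      # a Monday
    mon_13 = datetime(2019, 3, 11, 13, 0)
    tue_9 = datetime(2019, 3, 12, 9, 0)      # a Tuesday
    apr_1 = datetime(2019, 4, 1, 9, 0)
    return {
        "daily_mon_9": work_hours.active_at(mon_9),     # True
        "daily_mon_13": work_hours.active_at(mon_13),   # False
        "weekly_mon_9": monday_am.active_at(mon_9),     # True
        "weekly_tue_9": monday_am.active_at(tue_9),     # False
        "sched_mar_11": march.active_at(mon_9),         # True
        "sched_apr_1": march.active_at(apr_1),          # False
        "no_template": policy_in_effect(None, apr_1),   # True
    }
```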

1.8.5.3 Configuring an Internet Access Policy for a Site


If a site needs to access the Internet, you need to configure an Internet access policy for the
site. Currently, two Internet access modes are supported: centralized and distributed. (That is,
distributed sites can be configured to access the Internet centrally or locally.) If both the
centralized and distributed Internet access modes are configured for a site, the distributed
access mode (namely, local Internet access mode) is used preferentially.

Context
In EVPN tunnel mode, if the overlay topology is hierarchical, you can specify a global
centralized Internet gateway and a regional centralized Internet gateway when configuring
centralized Internet access sites. If users require that Internet access traffic meet these
requirements:
1. The Internet access traffic in an area is preferentially routed through the regional
centralized Internet gateway.
2. The Internet access traffic across areas is preferentially routed through the global
centralized Internet gateway.
the following principles need to be followed:
1. It is recommended that the topology of an area be set to full-mesh mode.
As shown in the following figure, Area1 is in hub-spoke mode, Hub1 is a global
centralized Internet gateway, and Spoke2 is a regional centralized Internet gateway. In
this case, the Internet access traffic of Spoke1 is not forwarded to the Internet through
Spoke2. Instead, the traffic passes through Hub1 and is directly routed out to the
Internet.


2. It is recommended that an inter-area interconnection site be configured as a global


centralized Internet gateway.
As shown in the following figure, Hub1 is an inter-area interconnection site and also the
regional centralized Internet gateway of Area1. Spoke2 is a global centralized Internet
gateway. The Internet access traffic of Spoke3 does not pass through Spoke2, but is
forwarded to Hub1, then to Hub2, and is then routed out to the Internet directly.

Prerequisites
1. Sites have been added. For details, see 1.8.3.4 Creating a Site.
2. If a local Internet access policy is used by a site, the WAN links must have been
activated. For details, see 1.8.3.6 Configuring the Network Access Mode for a Site.
3. Traffic policy templates have been configured. For details, see 1.8.5.2.1 Creating a
Traffic classifier template.

Procedure
Step 1 Choose Configuration > Configuration > Traffic Policy from the main menu.
Step 2 Click the Overlay tab.
Step 3 Set VPN to the department that needs to access the Internet.
Step 4 Click the Site-to-Internet tab and configure an Internet access policy for the site.
Step 5 If the centralized Internet access mode needs to be used, perform the following operations:
l In DSVPN tunnel mode:

a. Set Centralized Internet Access to .

b. Click and configure a gateway for centralized Internet access.


c. On the Select Site page, select the site where the gateway for centralized Internet
access is located.


In the centralized Internet access mode, the selected sites must be of the same type
such as hub, aggregation, or branch. One or two hub sites can be selected. Only one
aggregation site or one branch site can be selected.
d. Click OK.
l In EVPN tunnel mode:

a. Set Centralized Internet access to .


b. Click Create and configure a gateway for centralized Internet access.

c. Set Area, Active Internet GW, and Standby Internet GW, and click in the
Operation column.
d. Click Apply.
Step 6 If the local Internet access mode needs to be used, perform the following operations:

1. Set Local Internet Access to .


2. Click Create.
3. On the Create page, select the site to which a local Internet access policy needs to be
delivered.


You can select one or more sites for local Internet access.
4. Click Next.
5. Configure a local Internet access policy.

a. Select a local Internet access policy.


If All is selected, the system does not create a PBR policy and applications access
the Internet via the default route.
If By Application is selected, the system creates a PBR policy and delivers it to
devices. Applications access the Internet according to the PBR policy.
b. Enable Shared track IP.
This parameter is configurable only when By Application is selected for the
Internet access policy.
All sites use the shared track IP address. After Shared track IP is enabled, the
track IP addresses of site links do not take effect.

c. To activate a link, click next to the link in the Operation column. The
configured local Internet access policy takes effect only after a link is activated.
d. If NAT is required for WAN links, enable NAT.
e. Configure the priorities of WAN links.
f. The local Internet access service and the overlay network share the bandwidth.
They consume bandwidth randomly by default. To guarantee rated bandwidth for
the local Internet access service, enable Bandwidth Allocation and set a bandwidth
percentage.
g. Configure a track IP address for links.
The track IP address of links can be configured only when Shared track IP is
disabled. All links of a device need to be configured with the same track IP address.
h. Select a traffic classifier template. The system will match application traffic and
execute the PBR policy according to the selected template.
i. Click Finish.
6. Click Apply.

----End

Parameter Description

Table 1-72 Parameters on the Site-to-Internet page

Centralized Internet access > Centralized Internet access: Centralized Internet access mode. The Internet access traffic from a branch site is diverted to the hub site, implementing Internet access through a unified egress. This Internet access mode helps you deploy an independent firewall and configure comprehensive security policies, facilitating security audit and access control.

Centralized Internet access > Internet GW: Site that supports centralized Internet access mode. The parameter setting has the following constraints:
l The selected sites must be of the same type such as hub, aggregation, or branch.
l If the selected site type is hub, a maximum of two hub sites can be configured.
l If the selected site type is aggregation or branch, only one site can be configured.
NOTE
If a site in centralized Internet access mode uses the LAN-side firewall to connect to the Internet, you do not need to configure an Internet access policy for the site. If the WAN-side egress interface is used to connect to the Internet, you need to add the site to the local Internet access sites and configure Internet access policies, such as NAT and link priority, for the site.

Local Internet access > Local Internet access: Local Internet access mode. Traffic from a site is routed out of the local underlay network to quickly access the Internet. Compared with Internet access in centralized mode, this mode has lower latency and provides better service experience. Therefore, this mode is suitable for sites with rich Internet connection resources (with large bandwidth and low latency) to access SaaS application services.

Local Internet access > Select Site > Select Site: Site that supports Internet access in local mode.
NOTE
For example, a tenant network has a hub site Hub1 and two branch sites Spoke1 and Spoke2. Hub1 is configured with the centralized Internet access mode, Spoke1 is configured with the local Internet access mode, and Spoke2 is not configured with any Internet access mode. The Internet access traffic from Hub1 is locally routed out. The Internet access traffic from Spoke1 is preferentially routed out from the local site. If the traffic fails to be routed out locally, the traffic is routed out through Hub1. The Internet access traffic from Spoke2 is routed out through Hub1.

Local Internet access > Select Site > Select mode: Site selection mode. You can select sites by network topology or site template.

Local Internet access > Configure Policy > Policy: Local Internet access policy:
l All: All Internet access traffic from the LAN side of a site is routed out matching the WAN-side routes.
l By Application: The LAN-side Internet access traffic of a certain type (defined using a traffic classifier template) is routed out matching policy-based routing (PBR). PBRs are automatically created by the Agile Controller-Campus and then delivered to gateways. Application traffic that does not match the traffic classifier template accesses the Internet in centralized mode.

Local Internet access > Configure Policy > Shared track IP (configured only when Policy is set to Application): Destination IP address of an NQA test instance. You can create an NQA test instance to send ICMP packets to check whether the destination IP address of a WAN link is reachable. A shared track IP address can be used by multiple sites. If a shared track IP is specified, the link track IP of a site does not take effect.

Local Internet access > Configure Policy > Site Template: Template of the selected site. This parameter is just for display and does not need to be set.

Local Internet access > Configure Policy > WAN Link: WAN link of the selected site. This parameter is just for display and does not need to be set.

Local Internet access > Configure Policy > NAT: Whether to enable NAT on the WAN-side interface. If Internet access packets use private IP addresses, the gateway needs to translate the private IP addresses into public ones before forwarding these packets to the Internet. By default, Easy-IP is used. That is, the source IP addresses of all Internet access packets are replaced with the IP address of the WAN-side interface, and the source port number is mapped to different ones. This ensures that the quintuple information about a port before NAT is in one-to-one mapping with that after NAT.

Local Internet access > Configure Policy > Link Priority: Priority configured for a WAN link of a site. Service traffic is transmitted along WAN links selected in descending order of priority. PBRs support only primary and secondary links. If a site has three WAN links and Policy is set to By Application, only the two WAN links with higher priorities take effect. If Policy is set to All, all three WAN links take effect.

Local Internet access > Configure Policy > Bandwidth Allocation: Percentage of bandwidth permitted for a VPN to access the Internet over a WAN link. The base value is the total available bandwidth of the VPN on an interface. You can set this value under Overlay Network > Traffic Distribution.
For example, the Internet access bandwidth of a site is 100 Mbit/s. After bandwidth allocation, VPN1 occupies 10% of the bandwidth, that is, 10 Mbit/s. If the percentage value is set to 40%, the bandwidth allocated for VPN1 to access the Internet is 4 Mbit/s, and the remaining 6 Mbit/s is used for mutual access between SD-WAN sites.
Note that mutual access traffic between SD-WAN sites and traditional sites shares the bandwidth with the Internet access traffic. On the site mutual access page, the allocated bandwidth percentage is automatically changed to 40%.
In addition, Internet access traffic is forwarded through Assured Forwarding (AF) queues by default. This ensures that, if the traffic requires more than the allocated bandwidth, it can occupy the remaining bandwidth.

Local Internet access > Configure Policy > Track IP (configured only when Policy is set to Application) > Site: Track IP address specified for a site. All WAN links at a site must have the same track IP.

Local Internet access > Configure Policy > Track IP (configured only when Policy is set to Application) > Track IP: The track IP specified for a link takes effect only when no shared track IP is specified.

Local Internet access > Configure Policy > Operation: Operation for enabling or disabling a WAN link as the Internet access path. At least one WAN link must be enabled at a site.

Local Internet access > Configure Policy > Traffic Classifier Template (configured only when Policy is set to Application): Traffic classifier template. Packets matching the specified traffic classifier template access the Internet via a PBR.
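An added Python example, not the controller's logic, that applies the rules from this table and the Select Site note above: only primary and secondary links take part in a PBR, a shared track IP overrides per-link track IPs, every link of a device must carry the same track IP, and traffic falls back to the centralized gateway when the application does not match the classifier template or local egress fails. Link names, addresses, the priority ordering (larger number first) and the NQA results are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class WanLink:
    """Constructed model of one WAN link row on the Site-to-Internet page."""
    name: str
    priority: int                 # Link Priority; assumption: larger number = higher priority
    enabled: bool = True          # Operation column: enabled as an Internet access path
    track_ip: Optional[str] = None
    nat: bool = True


@dataclass
class LocalInternetPolicy:
    policy: str                                   # "All" or "By Application"
    links: List[WanLink]
    shared_track_ip: Optional[str] = None
    classifier_apps: Set[str] = field(default_factory=set)  # apps the classifier template matches


def validate(policy: LocalInternetPolicy) -> List[str]:
    """Configuration checks drawn from the constraints in the table above."""
    issues = []
    if not any(link.enabled for link in policy.links):
        issues.append("at least one WAN link must be enabled")
    if policy.policy == "By Application" and policy.shared_track_ip is None:
        ips = {link.track_ip for link in policy.links}
        if len(ips) != 1 or None in ips:
            issues.append("all links of a device need the same track IP")
    if policy.policy == "By Application" and not policy.classifier_apps:
        issues.append("By Application needs a traffic classifier template")
    return issues


def effective_track_ip(policy: LocalInternetPolicy, link: WanLink) -> Optional[str]:
    # A shared track IP overrides the per-link track IP.
    return policy.shared_track_ip or link.track_ip


def pbr_links(policy: LocalInternetPolicy) -> List[WanLink]:
    enabled = sorted((link for link in policy.links if link.enabled),
                     key=lambda link: link.priority, reverse=True)
    # PBR supports only primary and secondary links; with All, every enabled link takes effect.
    return enabled[:2] if policy.policy == "By Application" else enabled


def choose_egress(policy: LocalInternetPolicy, app: str, reachable: Dict[str, bool],
                  centralized_gw: Optional[str]) -> Tuple[str, Optional[str]]:
    """Return ("local", link name), ("centralized", gateway) or ("none", None).
    reachable holds constructed NQA results: track IP -> ICMP reachable?"""
    fallback = ("centralized", centralized_gw) if centralized_gw else ("none", None)
    if policy.policy == "By Application":
        if app not in policy.classifier_apps:      # no PBR match: centralized mode
            return fallback
        for link in pbr_links(policy):             # primary first, then secondary
            if reachable.get(effective_track_ip(policy, link), False):
                return ("local", link.name)
        return fallback                            # local egress failed: out through the hub
    links = pbr_links(policy)                      # All: default route, no track check
    return ("local", links[0].name) if links else fallback


def demo() -> dict:
    links = [WanLink("MPLS", 3, track_ip="198.51.100.1"),
             WanLink("Internet", 2, track_ip="198.51.100.1"),
             WanLink("LTE", 1, track_ip="198.51.100.1")]
    by_app = LocalInternetPolicy("By Application", links, classifier_apps={"Office365"})
    all_pol = LocalInternetPolicy("All", links)
    mixed = LocalInternetPolicy("By Application",
                                [WanLink("A", 2, track_ip="198.51.100.1"),
                                 WanLink("B", 1, track_ip="198.51.100.2")],
                                classifier_apps={"Office365"})
    up, down = {"198.51.100.1": True}, {"198.51.100.1": False}
    return {
        "pbr_link_count": len(pbr_links(by_app)),                       # 2 of the 3 links
        "app_up": choose_egress(by_app, "Office365", up, "Hub1"),        # ("local", "MPLS")
        "app_down": choose_egress(by_app, "Office365", down, "Hub1"),    # ("centralized", "Hub1")
        "unmatched_app": choose_egress(by_app, "Unknown", up, "Hub1"),   # ("centralized", "Hub1")
        "all_policy": choose_egress(all_pol, "Unknown", {}, "Hub1"),     # ("local", "MPLS")
        "mixed_track_ips": validate(mixed),
    }
```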

1.8.5.4 Configuring a Mutual-Access Policy for Traditional Sites

Prerequisites
1. Sites have been added. For details, see 1.8.3.4 Creating a Site.
2. Sites have been activated. For details, see 1.8.3.6 Configuring the Network Access
Mode for a Site.


3. Traffic policy templates have been configured. For details, see 1.8.5.2.1 Creating a
Traffic classifier template.

Procedure
Step 1 Choose Configuration > Configuration > Traffic Policy from the main menu.

Step 2 Click the Overlay tab.

Step 3 Set VPN to the department that requires mutual access between traditional sites.

Step 4 Click the Site-to-Legacy Site tab.

Step 5 If the centralized mode needs to be used for mutual access between traditional sites, perform
the following operations:

1. Set Centralized Access to .


2. Click Create.
3. On the Create page, select the sites that the traffic for mutual access between traditional
sites needs to pass through.

In the centralized mutual-access mode, the selected sites must be of the same type such
as hub, aggregation, or branch. One or two hub sites can be selected. Only one
aggregation site or one branch site can be selected.
4. Click Next.

5. In the Operation column, click . Set a link priority and allocated bandwidth.


The local mutual access service and the overlay network share the bandwidth. They
consume bandwidth randomly by default. To guarantee rated bandwidth for the local
mutual access service, enable Bandwidth Allocation and set a bandwidth percentage.
6. Click Finish.

Step 6 If the distributed mode (local mode) needs to be used for mutual access between traditional
sites, perform the following operations:

1. Set Local Access to .


2. Click Create.
3. On the Create page, select the sites that the traffic for mutual access between traditional
sites needs to pass through.

The selected sites for mutual access in distributed mode can be of different types.
4. Click Next.

5. To activate a link, click next to the link in the Operation column. The configured
local mutual access policy takes effect only after a link is activated.
6. Set a link priority and allocated bandwidth.


The local mutual access service and the overlay network share the bandwidth. They
consume bandwidth randomly by default. To guarantee rated bandwidth for the local
mutual access service, enable Bandwidth Allocation and set a bandwidth percentage.
7. Click Finish.
NOTE

A site cannot be enabled with both centralized access and local access.

Step 7 Click Apply Changes.

----End

Parameter Description

Table 1-73 Parameters on the Site-to-Legacy Site page

Parameter Description

Centra Centralized access On the live network of enterprises, a large number of


lized legacy devices and third-party devices do not support the
access SD-WAN capability. Legacy branches need to be
interconnected with the SD-WAN sites for smooth
evolution.
Central access mode: All access traffic between SD-WAN
sites and legacy sites is transmitted to the central access site
and then routed out in a unified manner.

Select Select Site that supports centralized access. When you set this
Site Site parameter, pay attention to the following constraints:
l The selected sites must be of the same type such as hub,
aggregation, or branch.
l If the selected site type is hub, a maximum of two hub
sites can be configured.
l If the selected site type is aggregation or branch, only
one site can be configured.

IGW Whether a site gateway functions as the gateway for legacy


sites to access the Internet. That is, the Internet access
traffic from legacy sites is transmitted to the Internet
through SD-WAN sites.

Role Role of a site enabled with centralized access. The value


can be Active or Standby. You can select a maximum of
two sites enabled with centralized access, and at least one
of them assumes the active role. If you select two sites,
deploy them in active/standby mode.

Confi Site Template of the selected site. This parameter is just for
gure Template display and does not need to be set.
Policy
WAN WAN link of the selected site. This parameter is just for
Link display and does not need to be set.

Issue 01 (2019-03-13) Copyright © Huawei Technologies Co., Ltd. 294


SD-WAN
Configuration Guide 1 Configuration Guide

Parameter Description

Link Priority configured for a WAN link of a site. The data


Priority traffic from SD-WAN sites to legacy sites is transmitted
along WAN links selected in descending order of priority. If
the same priority is configured for different WAN links of a
site, traffic is load balanced among the selected egress
interfaces.
NOTE
You need to set the priority of routes advertised by the WAN-side
links based on the link priority to ensure that the traffic from
legacy sites to SD-WAN sites is preferentially transmitted along
high-priority links.

Bandwidt Mutual access traffic and Internet access traffic share the
h bandwidth. For details, refer to the description about
Allocatio Bandwidth Allocation in Site-to-Internet.
n

Operation Enable or disable a WAN link as the mutual access path. At


least one WAN link must be enabled at a site.

Local Local access In local access mode, traffic from SD-WAN sites is directly
access routed to legacy sites.

Local access / Select Site: Site that supports local access.
NOTE
By default, traffic between an SD-WAN site and a legacy site is routed out directly from the local SD-WAN site. If the link to the legacy network fails, the traffic traverses the overlay tunnel and is routed out through the centralized access site. This improves the reliability of access between SD-WAN sites and legacy sites.
You can configure a routing policy on the WAN-side interface of the centralized access site so that the LAN-side routes of the SD-WAN site advertised by the centralized access site have a lower priority than the same LAN-side routes advertised by the local site. In this way, traffic from a legacy site to an SD-WAN site is preferentially sent to the local site.

Local access / IGW: Whether the site gateway functions as the gateway through which legacy sites access the Internet. That is, Internet access traffic from legacy sites is forwarded to the Internet through SD-WAN sites.
NOTE
If both the centralized access gateway and the local site are enabled as IGWs, configure a routing policy on the WAN-side interface of the centralized access site so that the default route advertised by the centralized access site has a lower priority than the one advertised by the local site. In this way, Internet access traffic from legacy sites is preferentially sent to the local site.

Local access / Configure Policy (Site Template, WAN Link, Link Priority, Bandwidth Allocation, Operation): The meaning of these parameters is the same as that of Configure Policy in Centralized access. For details, see the preceding description.
1.8.5.5 Configuring a Traffic Policy


You can configure a traffic policy to control traffic on the overlay network as required.

1.8.5.5.1 Creating an ACL Policy for the Underlay Network


If service packets arriving on the WAN-side inbound interface of a site need to be blocked, configure an ACL policy for the underlay network.

Prerequisites
1. Sites have been added. For details, see 1.8.3.4 Creating a Site.
2. Sites have been activated. For details, see 1.8.3.6 Configuring the Network Access
Mode for a Site.
3. Traffic classifier templates have been configured. For details, see 1.8.5.2.1 Creating a
Traffic classifier template.

Procedure
Step 1 Choose Configuration > Configuration > Traffic Policy from the main menu.

Step 2 Click the Underlay tab, and then click ACL. The Policy Settings page is displayed by
default.

Step 3 Click Create. Configure an ACL-based blocking policy.


1. Set Policy name to the name of the blocking policy to be configured.


2. Select a traffic matching rule from the Traffic classifier template drop-down list.
NOTE
An ACL policy created for the underlay network cannot use an L7-type traffic classifier template; only L4 or Any templates are accepted.
3. Under Policy Priority, configure a policy priority.
4. Select WAN links from which the packets need to be blocked.
Click Create and set Site Template and WAN Link. You can select one or more WAN
links for WAN Link.
After a site template is selected, the policy can be applied only to the sites using the
selected site template.
5. Under Traffic filter, configure a traffic filter policy.
6. If you want the policy to take effect within a specified time range, select an effective
time range template from the Effective time template drop-down list. If you want the
policy to always take effect, skip this step.
7. Click OK.
Step 4 Apply the ACL policy to sites.

1. In the Operation column of the ACL policy, click the attach-sites icon.


2. On the Attach Sites page, select the sites to which the policy needs to be applied.
3. Click OK.
Step 5 Deliver the ACL policy to the sites and set the execution start time of the policy.
1. Select the ACL policy to be delivered.


2. Click Commit and select Commit Selected or Commit All.


3. On the Commit page, set the execution start time of the policy to Immediately or
Schedule.
4. Click OK.

----End

Follow-up Procedure
After performing any of the following operations, you need to perform the Commit operation for them to take effect at the sites. Until you commit, the CPEs keep enforcing the last delivered version of the policy.

Table 1-74 Follow-up procedure of an ACL policy

Revoking the last operation on an ACL policy
Scenario and constraint: You can revoke the last operation on a policy that has not been delivered to sites, that is, a policy on which the Commit operation has not been performed (Committed is not displayed in the Status column). You cannot revoke an operation on a committed policy. The revoke function undoes only the last operation on a policy, for example, its modification, creation, or deletion. After you revoke the last operation, only the configuration of the policy is rolled back: the rollback takes effect on the Agile Controller-Campus only, not on devices.
Procedure: On the ACL tab page, select the policy whose last operation needs to be revoked, click Revoke, and select Revoke Selected.

Deleting an ACL policy
Scenario and constraint: You can delete a policy regardless of whether it has been delivered to sites. After you delete a policy, it is deleted only from the Agile Controller-Campus. To remove the policy from devices, perform the Commit operation.
Procedure: On the ACL tab page, select the ACL policies to be deleted and click Delete.

Modifying an ACL policy
Scenario and constraint: You can modify a policy regardless of whether it has been delivered to sites. After you modify a policy, the modification takes effect only on the Agile Controller-Campus. To apply the modification to devices, perform the Commit operation.
Procedure:
1. On the ACL tab page, click the edit icon in the Operation column of the ACL policy to be modified.
2. Modify the policy.
3. Click OK.

Cloning an ACL policy
Scenario and constraint: You can clone an ACL policy, that is, quickly create a policy by modifying a copy of an existing one. After you clone a policy, the new policy exists only on the Agile Controller-Campus. To deliver it to devices, perform the Commit operation.
Procedure:
1. On the ACL tab page, click the clone icon in the Operation column of the ACL policy to be cloned.
2. Modify the cloned policy.
3. Click OK.

Disabling/Enabling an ACL policy
Scenario and constraint:
- Disabling: You can disable a policy that is not needed currently, regardless of whether it has been delivered to sites. After you disable a policy, it is disabled only on the Agile Controller-Campus. To disable the policy on devices, perform the Commit operation.
- Enabling: You can enable a policy that needs to be used, regardless of whether it has been delivered to sites. After you enable a policy, it is enabled only on the Agile Controller-Campus. To enable the policy on devices, perform the Commit operation.
Procedure:
- Disabling: On the ACL tab page, click the disable icon in the Operation column of the ACL policy to be disabled.
- Enabling: On the ACL tab page, click the enable icon in the Operation column of the ACL policy to be enabled.

Binding an ACL policy in a site view
Scenario and constraint: You can bind a new policy to a site.
Procedure:
1. On the ACL tab page, click Site View.
2. In the site area, select a site.
3. Click Binding New Policy.
4. Select the policy to be bound to the selected site.
5. Click OK.

Configuring policies in batches in a site view
Scenario and constraint: You can bind a policy that is already bound to one site to other sites that do not yet have it, so that different sites share the same policy.
Procedure:
1. On the ACL tab page, click Site View.
2. Click Batch Configure.
3. In the Clone from a site area, select a site with an ACL policy bound.
4. In the Site area, select the destination sites to which the same policy is to be bound.
5. Click OK.

Committing all the data in a site view
Scenario and constraint: You can commit all the policies of a site.
Procedure:
1. On the ACL tab, click Site View.
2. In the site area, select a site.
3. Click Commit All.
4. Click OK.

Revoking all the data in a site view
Scenario and constraint: You can revoke all the policies of a site.
Procedure:
1. On the ACL tab, click Site View.
2. In the site area, select a site.
3. Click Revoke All.
4. Click OK.

Parameter Description

Table 1-75 Parameters on the ACL page

Policy name: ACL name.

Traffic classifier template: Traffic classifier template. The ACL specified by Policy name is applied to packets that match the template. Only a traffic classifier template of the L4 or Any type can be selected for an ACL on the underlay network. Any traffic classifier template can be selected for an ACL on the overlay network.

Policy priority: ACL priority. When a packet is received, the CPE matches it against the traffic classifier templates of the ACLs in descending order of priority. The first ACL whose template matches determines the action (traffic filtering) that is executed; if a template does not match, the CPE continues with the ACL of the next lower priority.

Interface / LAN: All LAN-side Layer 3 interfaces on which the ACL is enabled, including Layer 3 interfaces, sub-interfaces, and VLANIF interfaces.

Interface / WAN / Site Template: Site template. An ACL needs to be associated with a site; the template ensures that only sites using this site template can be selected.

Interface / WAN / WAN Link: WAN link on which the ACL is enabled.

Traffic filter:
- Deny: Packets that match the traffic classifier template are denied.
- Permit: Packets that match the traffic classifier template are permitted.

Traffic direction: Traffic direction. The default value is Inbound.

Effective time template: Time range defined in the template. The ACL takes effect only within the defined time range.
NOTE
All conditions are combined with AND. That is, on the underlay network an ACL takes effect as follows: for packets entering the specified interface of a specified site within the specified time range, the ACL denies the packets that match the traffic classifier template, or permits only the packets that match the template.

1.8.5.5.2 Creating an ACL Policy for the Overlay Network


If service packets arriving on the LAN-side inbound interface of a site need to be blocked, configure an ACL policy for the overlay network.

Prerequisites
1. Sites have been added. For details, see 1.8.3.4 Creating a Site.
2. Sites have been activated. For details, see 1.8.3.6 Configuring the Network Access
Mode for a Site.
3. LAN information has been configured. For details, see 1.8.3.9 Creating an Overlay
Network.
4. Traffic classifier templates have been configured. For details, see 1.8.5.2.1 Creating a
Traffic classifier template.

Procedure
Step 1 Choose Configuration > Configuration > Traffic Policy from the main menu.

Step 2 Click the Overlay tab.

Step 3 Set VPN to the department for which a traffic blocking policy needs to be configured.

Step 4 Click the ACL tab. Then, the Policy Settings page is displayed by default.

Step 5 Click Create. Configure an ACL-based blocking policy.


1. Set Policy name to the name of the blocking policy to be configured.


2. Select a traffic matching rule from the Traffic classifier template drop-down list.
3. Under Policy Priority, configure a policy priority.
4. Under Traffic filter, configure a traffic filter policy.
5. If you want the policy to take effect within a specified time range, select an effective
time range template from the Effective time template drop-down list. If you want the
policy to always take effect, skip this step.
6. Click OK.

Step 6 Apply the ACL policy to sites.

1. In the Operation column of the ACL policy, click the attach-sites icon to add the sites to which the policy needs to be applied.
2. On the Attach Sites page, select the sites to which the policy needs to be applied.
3. Click OK.

Step 7 Deliver the ACL policy to the sites and set the execution start time of the policy.
1. Select the ACL policy to be delivered.
2. Click Commit and select Commit Selected or Commit All.
3. On the Commit page, set the execution start time of the policy to Immediately or
Schedule.
4. Click OK.

----End


Follow-up Procedure
After performing any of the following operations, you need to perform the Commit operation for them to take effect at the sites. Until you commit, the CPEs keep enforcing the last delivered version of the policy.

Table 1-76 Follow-up procedure of an ACL policy

Revoking the last operation on an ACL policy
Scenario and constraint: You can revoke the last operation on a policy that has not been delivered to sites, that is, a policy on which the Commit operation has not been performed (Committed is not displayed in the Status column). You cannot revoke an operation on a committed policy. The revoke function undoes only the last operation on a policy, for example, its modification, creation, or deletion. After you revoke the last operation, only the configuration of the policy is rolled back: the rollback takes effect on the Agile Controller-Campus only, not on devices.
Procedure: On the ACL tab page, select the policy whose last operation needs to be revoked, click Revoke, and select Revoke Selected.

Deleting an ACL policy
Scenario and constraint: You can delete a policy regardless of whether it has been delivered to sites. After you delete a policy, it is deleted only from the Agile Controller-Campus. To remove the policy from devices, perform the Commit operation.
Procedure: On the ACL tab page, select the ACL policies to be deleted and click Delete.

Modifying an ACL policy
Scenario and constraint: You can modify a policy regardless of whether it has been delivered to sites. After you modify a policy, the modification takes effect only on the Agile Controller-Campus. To apply the modification to devices, perform the Commit operation.
Procedure:
1. On the ACL tab page, click the edit icon in the Operation column of the ACL policy to be modified.
2. Modify the policy.
3. Click OK.

Cloning an ACL policy
Scenario and constraint: You can clone an ACL policy, that is, quickly create a policy by modifying a copy of an existing one. After you clone a policy, the new policy exists only on the Agile Controller-Campus. To deliver it to devices, perform the Commit operation.
Procedure:
1. On the ACL tab page, click the clone icon in the Operation column of the ACL policy to be cloned.
2. Modify the cloned policy.
3. Click OK.

Disabling/Enabling an ACL policy
Scenario and constraint:
- Disabling: You can disable a policy that is not needed currently, regardless of whether it has been delivered to sites. After you disable a policy, it is disabled only on the Agile Controller-Campus. To disable the policy on devices, perform the Commit operation.
- Enabling: You can enable a policy that needs to be used, regardless of whether it has been delivered to sites. After you enable a policy, it is enabled only on the Agile Controller-Campus. To enable the policy on devices, perform the Commit operation.
Procedure:
- Disabling: On the ACL tab page, click the disable icon in the Operation column of the ACL policy to be disabled.
- Enabling: On the ACL tab page, click the enable icon in the Operation column of the ACL policy to be enabled.

Binding an ACL policy in a site view
Scenario and constraint: You can bind a new policy to a site.
Procedure:
1. On the ACL tab page, click Site View.
2. In the site area, select a site.
3. Click Binding New Policy.
4. Select the policy to be bound to the selected site.
5. Click OK.

Configuring policies in batches in a site view
Scenario and constraint: You can bind a policy that is already bound to one site to other sites that do not yet have it, so that different sites share the same policy.
Procedure:
1. On the ACL tab page, click Site View.
2. Click Batch Configure.
3. In the Clone from a site area, select a site with an ACL policy bound.
4. In the Site area, select the destination sites to which the same policy is to be bound.
5. Click OK.

Committing all the data in a site view
Scenario and constraint: You can commit all the policies of a site.
Procedure:
1. On the ACL tab, click Site View.
2. In the site area, select a site.
3. Click Commit All.
4. Click OK.

Revoking all the data in a site view
Scenario and constraint: You can revoke all the policies of a site.
Procedure:
1. On the ACL tab, click Site View.
2. In the site area, select a site.
3. Click Revoke All.
4. Click OK.

Parameter Description

Table 1-77 Parameters on the ACL page

Policy name: ACL name.

Traffic classifier template: Traffic classifier template. The ACL specified by Policy name is applied to packets that match the template. Only a traffic classifier template of the L4 or Any type can be selected for an ACL on the underlay network. Any traffic classifier template can be selected for an ACL on the overlay network.

Policy priority: ACL priority. When a packet is received, the CPE matches it against the traffic classifier templates of the ACLs in descending order of priority. The first ACL whose template matches determines the action (traffic filtering) that is executed; if a template does not match, the CPE continues with the ACL of the next lower priority.

Interface / LAN: All LAN-side Layer 3 interfaces on which the ACL is enabled, including Layer 3 interfaces, sub-interfaces, and VLANIF interfaces.

Interface / WAN / Site Template: Site template. An ACL needs to be associated with a site; the template ensures that only sites using this site template can be selected.

Interface / WAN / WAN Link: WAN link on which the ACL is enabled.

Traffic filter:
- Deny: Packets that match the traffic classifier template are denied.
- Permit: Packets that match the traffic classifier template are permitted.

Traffic direction: Traffic direction. The default value is Inbound.

Effective time template: Time range defined in the template. The ACL takes effect only within the defined time range.
NOTE
All conditions are combined with AND. That is, on the overlay network an ACL takes effect as follows: for packets entering the specified LAN-side interface of a specified site within the specified time range, the ACL denies the packets that match the traffic classifier template, or permits only the packets that match the template.
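The evaluation order that Tables 1-75 and 1-77 describe (descending policy priority, first match wins; interface, direction and time range combined with AND; Deny or Permit on the matched template; no L7 templates on the underlay) can be exercised in a small model before a policy is committed to a site. The following Python is an added example and is not code from this guide, from the Agile Controller-Campus, or from the CPE; the class and function names (Packet, Classifier, AclPolicy, evaluate, sample_policies, demo, rejects_l7_on_underlay) and the sample addresses are constructed for illustration. One point is an assumption the guide does not state: a packet that matches no policy is forwarded, which is why the constructed allow-list ends with an explicit lowest-priority Deny on an Any template.

```python
"""Simulation of the underlay/overlay ACL evaluation described in this section.
Added example, not Huawei code; all names are assumed for illustration."""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str                 # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None
    app: Optional[str] = None     # application name, seen only by L7 templates
    iface: str = "WAN1"           # interface the packet arrives on (Inbound)
    at: time = time(12, 0)        # arrival time, checked against the time template

@dataclass(frozen=True)
class Classifier:                 # traffic classifier template; a None field = any
    name: str
    kind: str = "L4"              # "L4", "Any" or "L7"
    protocol: Optional[str] = None
    src: Optional[str] = None     # CIDR
    dst_port: Optional[int] = None
    app: Optional[str] = None     # meaningful only when kind == "L7"

    def matches(self, p: Packet) -> bool:
        if self.kind == "Any":
            return True
        if self.protocol is not None and p.protocol != self.protocol:
            return False
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst_port is not None and p.dst_port != self.dst_port:
            return False
        return self.kind != "L7" or p.app == self.app

@dataclass(frozen=True)
class AclPolicy:
    name: str
    classifier: Classifier
    action: str                   # "Deny" or "Permit"
    priority: int
    interfaces: FrozenSet[str]    # WAN links (underlay) or LAN interfaces (overlay)
    network: str = "underlay"     # "underlay" or "overlay"
    time_range: Optional[Tuple[time, time]] = None   # None = always in effect
    enabled: bool = True

    def __post_init__(self):
        if self.network == "underlay" and self.classifier.kind == "L7":
            raise ValueError(f"{self.name}: an underlay ACL cannot use an L7 template")

    def in_effect(self, at: time) -> bool:
        return self.time_range is None or self.time_range[0] <= at <= self.time_range[1]

def evaluate(policies, pkt: Packet):
    """Return (verdict, policy name): highest priority first, first match wins.
    Disabled policies, policies bound to other interfaces and policies outside
    their time range are skipped (the AND relationship in the guide's NOTE)."""
    for pol in sorted(policies, key=lambda p: p.priority, reverse=True):
        if not pol.enabled or pkt.iface not in pol.interfaces or not pol.in_effect(pkt.at):
            continue
        if pol.classifier.matches(pkt):
            return pol.action.lower(), pol.name
    return "permit", None         # assumed default: nothing matched, forward the packet

def rejects_l7_on_underlay() -> bool:
    """True if the model refuses an L7 template on an underlay ACL, as the guide requires."""
    try:
        AclPolicy("l7-on-wan", Classifier("p2p", "L7", app="bittorrent"), "Deny", 5, frozenset({"WAN1"}))
    except ValueError:
        return True
    return False

def sample_policies():
    """Constructed allow-list on WAN1: drop SSH, allow HTTPS in office hours only,
    and an explicit lowest-priority Deny on an Any template for everything else."""
    wan1 = frozenset({"WAN1"})
    return [
        AclPolicy("block-ssh", Classifier("ssh", "L4", "tcp", dst_port=22), "Deny", 100, wan1),
        AclPolicy("allow-https", Classifier("https", "L4", "tcp", dst_port=443), "Permit", 50,
                  wan1, time_range=(time(9, 0), time(18, 0))),
        AclPolicy("catch-all", Classifier("any", "Any"), "Deny", 1, wan1),
    ]

def demo():
    pols, ext, srv = sample_policies(), "198.51.100.7", "203.0.113.1"   # constructed addresses
    return {
        "ssh": evaluate(pols, Packet(ext, srv, "tcp", 22)),
        "https_office": evaluate(pols, Packet(ext, srv, "tcp", 443)),
        "https_night": evaluate(pols, Packet(ext, srv, "tcp", 443, at=time(22, 0))),
        "other_link": evaluate(pols, Packet(ext, srv, "udp", 53, iface="WAN2")),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:13s} -> {verdict}")
```

Running the file prints the four verdicts. Moving the HTTPS packet outside the 09:00 to 18:00 time template drops it to the catch-all Deny, and the packet on WAN2 is untouched because no policy is bound to that link; that second case is the check to make before committing a blocking policy to a site with several WAN links, since an ACL bound to one link leaves the others open.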

1.8.5.5.3 Creating a NAT Policy for the Underlay Network

Context
You can configure a NAT policy on the Underlay tab page in the following scenarios:

1. Internet access at sites: For the LAN-side traffic destined to the Internet, the egress
device on the underlay translates the LAN-side private IP address into a public IP
address.
2. External network access to intranet servers: A server providing external services, such as
the FTP server, is deployed on the LAN side of a site. The egress device on the underlay
translates the private IP address of the server into a public IP address to provide services.
For Internet traffic proactively accessing intranet servers, the public address of the
servers is translated into the actual private IP address.
3. Mutual access between SD-WAN sites and traditional sites: SD-WAN sites and
traditional sites may have duplicate addresses. Therefore, a static NAT policy must be
configured on both SD-WAN sites and traditional sites to implement mutual access,
removing the need to change LAN-side terminal addresses.
NOTE

If the access traffic is unidirectional, configure static NAT on the accessed party. For example, if a
traditional site needs to access an SD-WAN site but the SD-WAN site does not need to communicate
with the traditional site, configure static NAT only on the SD-WAN site.

Prerequisites
1. Sites have been added. For details, see 1.8.3.4 Creating a Site.
2. Sites have been activated. For details, see 1.8.3.6 Configuring the Network Access
Mode for a Site.

Procedure
Step 1 Choose Configuration > Configuration > Traffic Policy from the main menu.

Step 2 Click the Underlay tab.

Step 3 Click the NAT tab.

Step 4 In the Site area, select the site for which a NAT policy needs to be configured.


Step 5 Configure a dynamic NAT policy.


1. Click Create.
2. Enter information about the dynamic NAT policy to be configured, including the name of
the interface to be bound, NAT mode, external IP address group, and match rules.

3. Click OK.
Step 6 Configure a static NAT policy.
1. Click Create.
2. Enter information about the static NAT policy, including the name of the interface to be
bound, internal IP address, and external IP address.


3. Click OK.

----End

Follow-up Procedure

Table 1-78 Follow-up procedure of a NAT policy

Deleting a NAT policy
Scenario and constraint: You can delete a NAT policy.
Procedure: On the NAT tab page, select the NAT policy to be deleted and click Delete.

Modifying a NAT policy
Scenario and constraint: You can modify any NAT policy.
Procedure:
1. On the NAT tab page, click the edit icon in the Operation column of the NAT policy to be modified.
2. Modify the policy.
3. Click OK.

Parameter Description

Table 1-79 Parameters on the NAT page

Dynamic NAT

Policy name: Name of the dynamic NAT policy.

Device: Name of the CPE on which the dynamic NAT policy needs to be deployed.

Interface name: Interface on which the dynamic NAT policy needs to be enabled:
- For an overlay NAT policy, interfaces on the overlay tunnel or LAN-side interfaces can be selected. If the policy is configured on the overlay tunnel, NAT is performed on all tunnel interfaces.
- For an underlay NAT policy, only a WAN interface can be selected.

NAT mode:
- Easy IP: The interface IP address is used as the IP address after NAT.
  NOTE
  Only one dynamic NAT rule in Easy IP mode can be configured on each interface. If NAT has been enabled in the Internet access configuration of a site, no NAT rule in Easy IP mode can be configured in the NAT policy, because the NAT configuration in the site's Internet access configuration is in Easy IP mode by default.
- PAT: Port translation is supported, and address translation is many-to-one.
- No-PAT: Port translation is not supported, and address translation is one-to-one.

IP address group (Start IP address, End IP address): IP address range after NAT. IP addresses in this range are public IP addresses in most cases. This parameter is configurable only when NAT mode is set to PAT or No-PAT. The IP address range has the following constraints:
- The end IP address must be greater than the start IP address.
- The number of IP addresses cannot exceed 255.
- On the same interface, the IP address segments configured in different NAT policies cannot overlap.

Match rules / Match rules: Matching rule. Multiple ACL rules can be defined in an ACL. For a packet matching an ACL rule, the CPE performs NAT on the source IP address and source port number.
NOTE
If two NAT policies are configured with the same ACL rule but with different IP address groups, the NAT policy configured first takes effect.

Match rules / Priority: Priority of an ACL rule. The ACL rule with the higher priority is matched first, and the action defined by that rule is performed.

Match rules / Action:
- Permit: Packets that match the ACL rule are allowed to pass.
- Deny: Packets that match the ACL rule are not allowed to pass.

Match rules / Protocol: Protocol of the packets that match the ACL rule.

Match rules / Source IP/Prefix Length: Source IP address of the packets that match the ACL rule.

Match rules / Destination IP/Prefix Length: Destination IP address of the packets that match the ACL rule.

Match rules / Source Port: Source port number of the packets that match the ACL rule. This parameter is available only when the protocol is set to TCP or UDP.

Match rules / Destination Port: Destination port number of the packets that match the ACL rule. This parameter is available only when the protocol is set to TCP or UDP.

Static NAT

Policy name: Name of the static NAT policy.

Device: Name of the CPE on which the static NAT policy needs to be deployed.

Interface name: Interface on which the static NAT policy needs to be enabled:
- For an overlay NAT policy, interfaces on the overlay tunnel or LAN-side interfaces can be selected. If the policy is configured on the overlay tunnel, NAT is performed on all tunnel interfaces.
- For an underlay NAT policy, WAN-side interfaces on the underlay network can be selected.

External IP: IP address after NAT, which is a public IP address in most cases:
- IP address of the current interface
- User-defined IP address

Internal IP: IP address before NAT, which is a private IP address in most cases.

Translation type:
- Address translation: NAT is performed on packets whose source IP addresses are internal IP addresses.
- Protocol translation: NAT is performed on packets based on the packet protocol.

Protocol type: Protocol type, available only when Translation type is set to Protocol translation.
- TCP: NAT is performed on packets whose source IP address is the internal IP address, source port is the internal port, and protocol is TCP. After NAT, the internal IP address is translated into the external IP address and the internal port number into the external port number.
- UDP: NAT is performed on packets whose source IP address is the internal IP address, source port is the internal port, and protocol is UDP. After NAT, the internal IP address is translated into the external IP address and the internal port number into the external port number.
- ICMP: NAT is performed on packets whose source IP address is the internal IP address and protocol is ICMP. After NAT, the internal IP address is translated into the external IP address.

External port: Port number after NAT. This parameter is available only when Translation type is set to Protocol translation and Protocol type is set to TCP or UDP.

Internal port: Port number before NAT. This parameter is available only when Translation type is set to Protocol translation and Protocol type is set to TCP or UDP.

Advanced Settings / Direction: The default value is Bidirectional. You can restrict NAT to the External to Internal or Internal to External direction as needed. For example, if an FTP server providing external services is deployed on the LAN side of a site and proactive access from the Internet to the intranet server exists, you can set this value to Internal to External.

Advanced Settings / Match rules: Matching rule. If you need to limit the range of packets translated by static NAT, for example, if NAT should be performed only on TCP packets with specified destination ports, configure an ACL rule to match the target packets. Limiting the rule to the ports the server actually publishes keeps the other ports of the internal host out of the translation. For details, see the matching rules in dynamic NAT.
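The constraints in Table 1-79 (the overlay table, Table 1-81, repeats them) and the three dynamic NAT modes can be checked with a small model before a policy is committed. The following Python is an added example and is not code from this guide or from the controller; MatchRule, DynamicNat, StaticNat, validate_dynamic, Translator, the port pool starting at 10240 and the sample addresses are all constructed for illustration. Two points are assumptions rather than statements of the guide: a Deny match rule only excludes the packet from that one policy, so the next configured policy on the same interface is still tried, and PAT uses the first address of the address group. Static NAT is modelled as a protocol translation entry applied in the External to Internal direction.

```python
"""Checker and simulator for the NAT policy rules in Tables 1-79 and 1-81.
Added example, not Huawei code; all names are assumed for illustration."""
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import count
from typing import Optional

# src_port and dst_port stay None for ICMP
Packet = namedtuple("Packet", "src dst protocol src_port dst_port", defaults=(None, None))

@dataclass(frozen=True)
class MatchRule:                   # one ACL rule of a NAT policy; a None field matches anything
    priority: int
    action: str                    # Permit: translate; Deny: leave untranslated (assumed)
    protocol: Optional[str] = None
    src: Optional[str] = None      # Source IP/Prefix Length
    dst_port: Optional[int] = None

    def matches(self, p):
        return ((self.protocol is None or p.protocol == self.protocol)
                and (self.src is None or ip_address(p.src) in ip_network(self.src))
                and (self.dst_port is None or p.dst_port == self.dst_port))

@dataclass(frozen=True)
class DynamicNat:
    name: str
    interface: str
    mode: str                      # "Easy IP", "PAT" or "No-PAT"
    rules: tuple
    start_ip: Optional[str] = None # IP address group (PAT / No-PAT only)
    end_ip: Optional[str] = None

@dataclass(frozen=True)
class StaticNat:                   # protocol translation, External to Internal direction
    external_ip: str
    internal_ip: str
    protocol: str
    external_port: int
    internal_port: int

def validate_dynamic(policies, site_internet_nat=False):
    """Return the guide's constraint violations for `policies` (in creation order)."""
    errors, easy_ip, groups = [], set(), {}
    for p in policies:
        if p.mode == "Easy IP":
            if site_internet_nat:
                errors.append(f"{p.name}: site Internet access NAT already uses Easy IP")
            if p.interface in easy_ip:
                errors.append(f"{p.name}: second Easy IP rule on {p.interface}")
            easy_ip.add(p.interface)
            continue
        if not (p.start_ip and p.end_ip):
            errors.append(f"{p.name}: {p.mode} needs an IP address group")
            continue
        lo, hi = int(ip_address(p.start_ip)), int(ip_address(p.end_ip))
        if hi <= lo:
            errors.append(f"{p.name}: end IP must be greater than start IP")
        elif hi - lo + 1 > 255:
            errors.append(f"{p.name}: address group exceeds 255 addresses")
        for other, olo, ohi in groups.get(p.interface, []):
            if lo <= ohi and olo <= hi:
                errors.append(f"{p.name}: address group overlaps {other} on {p.interface}")
        groups.setdefault(p.interface, []).append((p.name, lo, hi))
    return errors

class Translator:
    def __init__(self, dynamic, static, interface_ip):
        self.dynamic, self.static = list(dynamic), list(static)   # creation order
        self.interface_ip, self.ports, self.bindings = interface_ip, count(10240), {}

    def outbound(self, pkt, interface):
        """Source NAT: the first configured policy whose best matching rule is Permit wins."""
        for pol in (p for p in self.dynamic if p.interface == interface):
            rule = next((r for r in sorted(pol.rules, key=lambda r: -r.priority)
                         if r.matches(pkt)), None)
            if rule is not None and rule.action == "Permit":
                return self._translate(pol, pkt)
        return pkt                                   # no hit: forwarded untranslated

    def _translate(self, pol, pkt):
        if pol.mode in ("Easy IP", "PAT"):           # many-to-one, source port rewritten
            src = self.interface_ip if pol.mode == "Easy IP" else pol.start_ip
            return pkt._replace(src=src, src_port=next(self.ports) if pkt.src_port else None)
        key = (pol.name, pkt.src)                    # No-PAT: one-to-one, port kept
        if key not in self.bindings:
            lo, hi = int(ip_address(pol.start_ip)), int(ip_address(pol.end_ip))
            used = sum(1 for k in self.bindings if k[0] == pol.name)
            if lo + used > hi:
                raise RuntimeError(f"{pol.name}: No-PAT address group exhausted")
            self.bindings[key] = str(ip_address(lo + used))
        return pkt._replace(src=self.bindings[key])

    def inbound(self, pkt):                          # External to Internal direction
        for s in self.static:
            if (pkt.dst, pkt.protocol, pkt.dst_port) == (s.external_ip, s.protocol, s.external_port):
                return pkt._replace(dst=s.internal_ip, dst_port=s.internal_port)
        return pkt                                   # unpublished ports never reach the LAN
```

validate_dynamic takes the policies in creation order and returns the violations as strings (a second Easy IP rule on one interface, an end address not above the start, more than 255 addresses, overlapping groups on one interface). Translator.outbound applies the first configured policy whose highest-priority matching rule is Permit, so a packet hitting a Deny rule in the first policy can still be translated by a later one; Translator.inbound rewrites only packets that hit a published external IP, protocol and port, so a server exposed on TCP 21 does not become reachable on TCP 22 through the same static entry. A No-PAT group with fewer addresses than inside hosts raises once the group is exhausted, which is the sizing check to make before committing.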

1.8.5.5.4 Creating a NAT Policy for the Overlay Network

Context
On the Overlay tab page, you can configure a NAT policy for mutual access between SD-
WAN sites. Two SD-WAN sites may have duplicate addresses. In this case, static NAT needs
to be configured on each SD-WAN site to implement communication between the two SD-
WAN sites without the need to change LAN-side terminal addresses.


NOTE

If the access traffic is unidirectional, configure static NAT on the accessed party. For example, if site A
needs to access site B but site B does not need to communicate with site A, configure static NAT only on
site B.

Prerequisites
1. Sites have been added. For details, see 1.8.3.4 Creating a Site.
2. Sites have been activated. For details, see 1.8.3.6 Configuring the Network Access
Mode for a Site.
3. LAN information has been configured. For details, see 1.8.3.9 Creating an Overlay
Network.

Procedure
Step 1 Choose Configuration > Configuration > Traffic Policy from the main menu.

Step 2 Click the Overlay tab.

Step 3 In the VPN area, select the department for which the NAT policy needs to be configured.

Step 4 Click the NAT tab.

Step 5 In the Site area, select the site for which a NAT policy needs to be configured.

Step 6 Configure a dynamic NAT policy.

1. Click Create.
2. Enter information about the dynamic NAT policy to be configured, including the name of
the interface to be bound, NAT mode, external IP address group, and match rules.
3. Click OK.

Step 7 Configure a static NAT policy.


1. Click Create.
2. Enter information about the static NAT policy, including the name of the interface to be
bound, internal IP address, and external IP address.

3. Click OK.

----End

Follow-up Procedure

Table 1-80 Follow-up procedure of a NAT policy

Deleting a NAT policy
Scenario and constraint: You can delete a NAT policy.
Procedure: On the NAT tab page, select the NAT policy to be deleted and click Delete.

Modifying a NAT policy
Scenario and constraint: You can modify any NAT policy.
Procedure:
1. On the NAT tab page, click the edit icon in the Operation column of the NAT policy to be modified.
2. Modify the policy.
3. Click OK.


Parameters

Table 1-81 Parameters on the NAT page

Dynamic NAT

  Policy name: Name of a dynamic NAT policy.

  Device: Name of the CPE where the dynamic NAT policy needs to be deployed.

  Interface name: Interface on which the dynamic NAT policy needs to be enabled:
    - For an overlay NAT policy, interfaces on the overlay tunnel or LAN-side
      interfaces can be selected. If this policy is configured on the overlay
      tunnel, NAT is performed on all tunnel interfaces.
    - For an underlay NAT policy, only the WAN interface can be selected.

  NAT mode: NAT mode:
    - Easy IP: The interface IP address is used as the IP address after NAT.
      NOTE
      Only one dynamic NAT rule in Easy IP mode can be configured on each
      interface. In the Internet access configuration of a site, if NAT has been
      enabled, no NAT rule in Easy IP mode can be configured in the NAT policy.
      This is because the NAT configuration in the Internet access configuration
      of the site is in Easy IP mode by default.
    - PAT: Port translation is supported, and address translation is in
      many-to-one mode.
    - No-PAT: Port translation is not supported, and address translation is in
      one-to-one mode.

  IP address group (Start IP address, End IP address): IP address range after
  NAT. IP addresses in this range are public IP addresses in most cases. This
  parameter is configurable only when the NAT mode is set to PAT or No-PAT. The
  IP address range has the following constraints:
    - The end IP address must be greater than the start IP address.
    - The number of IP addresses cannot exceed 255.
    - On the same interface, the IP address segments configured in different
      NAT policies cannot overlap.

  Match rules
    Match rules: Matching rule. Multiple ACL rules can be defined in an ACL. For
    a packet matching an ACL rule, the CPE performs NAT on the source IP address
    and source port number.
      NOTE
      If two NAT policies are configured with the same ACL rule but with
      different IP address groups, the NAT policy configured first takes effect.
    Priority: Priority of an ACL rule. The ACL rule with a higher priority is
    matched preferentially, and then the action defined by this rule is
    performed.
    Action: Action:
      - Permit: Packets that match the ACL rule are allowed to pass.
      - Deny: Packets that match the ACL rule are not allowed to pass.
    Protocol: Protocol of the packets that can match the ACL rule.
    Source IP/Prefix Length: Source IP address of the packets that can match the
    ACL rule.
    Destination IP/Prefix Length: Destination IP address of the packets that can
    match the ACL rule.
    Source Port: Source port number of the packets that can match the ACL rule.
    This parameter is available only when the protocol is set to TCP or UDP.
    Destination Port: Destination port number of the packets that can match the
    ACL rule. This parameter is available only when the protocol is set to TCP
    or UDP.

Static NAT

  Policy name: Name of a static NAT policy.

  Device: Name of the CPE where a static NAT policy needs to be deployed.

  Interface name: Interface on which a static NAT policy needs to be enabled:
    - For an overlay NAT policy, interfaces on the overlay tunnel or LAN-side
      interfaces can be selected. If this policy is configured on the overlay
      tunnel, NAT is performed on all tunnel interfaces.
    - For an underlay NAT policy, WAN-side interfaces on the underlay network
      can be selected.

  External IP: IP address after NAT, which is a public IP address in most cases:
    - IP address of the current interface
    - User-defined IP address

  Internal IP: IP address before NAT, which is a private IP address in most
  cases.

  Translation type:
    - Address translation: NAT is performed on packets whose source IP addresses
      are internal IP addresses.
    - Protocol translation: NAT is performed on packets based on packet
      protocols.

  Protocol type: Protocol type, which is available only when the NAT type is set
  to protocol translation.
    - TCP: NAT is performed on packets whose source IP addresses are internal IP
      addresses, source ports are internal ports, and protocol type is TCP.
      After NAT, internal IP addresses are translated into external IP
      addresses, and internal port numbers are translated to external port
      numbers.
    - UDP: NAT is performed on packets whose source IP addresses are internal IP
      addresses, source ports are internal ports, and protocol type is UDP.
      After NAT, internal IP addresses are translated into external IP
      addresses, and internal port numbers are translated to external port
      numbers.
    - ICMP: NAT is performed on packets whose source IP addresses are internal
      IP addresses and protocol type is ICMP. After NAT, internal IP addresses
      are translated into external IP addresses.

  External port: Port number after NAT. This parameter is available only when
  the NAT type is set to protocol translation and the protocol type is set to
  TCP or UDP.

  Internal port: Port number before NAT. This parameter is available only when
  the NAT type is set to protocol translation and the protocol type is set to
  TCP or UDP.

  Advanced Settings
    Direction: The default value is Bidirectional. You can specify whether to
    perform NAT in the direction of External to Internal or Internal to
    External as needed. For example, if an FTP server providing external
    services is deployed on the LAN side of a site and proactive access from
    the Internet to intranet servers exists, you can set this value to Internal
    to External.
    Match rules: Matching rule. If you need to specify the range of packets to
    be translated using static NAT, for example, if you require that NAT be
    performed on TCP packets with specified destination ports, you can
    configure an ACL rule to match the target packets.
    For details, see matching rules in dynamic NAT.
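The IP address group constraints and the ACL precedence note above, applied by a small offline validator that checks a set of dynamic NAT policies before they are committed. This is an added example, not Huawei's code or the controller's data model; the policy and rule classes, the sample policies, and the device and interface names are constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from itertools import combinations
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AclRule:
    """One ACL rule of a policy's match rules (fields as on the NAT page)."""
    priority: int
    action: str                      # "permit" or "deny"
    protocol: str                    # "tcp", "udp", "icmp", ...
    src: str                         # source IP/prefix length, e.g. "10.1.0.0/16"
    dst: str                         # destination IP/prefix length
    src_port: Optional[int] = None   # available only for TCP or UDP
    dst_port: Optional[int] = None   # available only for TCP or UDP


@dataclass
class DynamicNatPolicy:
    """Hypothetical representation of one dynamic NAT policy (constructed)."""
    name: str
    device: str
    interface: str
    mode: str                        # "easy-ip", "pat" or "no-pat"
    start_ip: Optional[str] = None   # IP address group, PAT/No-PAT only
    end_ip: Optional[str] = None
    rules: List[AclRule] = field(default_factory=list)

    def address_range(self) -> Tuple[int, int]:
        return int(IPv4Address(self.start_ip)), int(IPv4Address(self.end_ip))


MAX_GROUP_SIZE = 255   # "The number of IP addresses cannot exceed 255."


def validate_policy(p: DynamicNatPolicy) -> List[str]:
    """Per-policy constraints: mode, IP address group shape, port applicability."""
    errors: List[str] = []
    if p.mode == "easy-ip":
        if p.start_ip or p.end_ip:
            errors.append(f"{p.name}: IP address group is configurable only in PAT or No-PAT mode")
    elif p.mode in ("pat", "no-pat"):
        if not (p.start_ip and p.end_ip):
            errors.append(f"{p.name}: PAT/No-PAT mode needs a start and an end IP address")
        else:
            start, end = p.address_range()
            if end <= start:
                errors.append(f"{p.name}: end IP address must be greater than start IP address")
            elif end - start + 1 > MAX_GROUP_SIZE:
                errors.append(f"{p.name}: group has {end - start + 1} addresses, maximum is {MAX_GROUP_SIZE}")
    else:
        errors.append(f"{p.name}: unknown NAT mode {p.mode!r}")
    for r in p.rules:
        if r.protocol not in ("tcp", "udp") and (r.src_port is not None or r.dst_port is not None):
            errors.append(f"{p.name}: ports are available only for TCP or UDP (rule priority {r.priority})")
    return errors


def validate_policies(policies: List[DynamicNatPolicy], site_internet_nat: bool = False) -> List[str]:
    """Cross-policy constraints per (device, interface).

    `policies` must be in configuration order: the page states that when two
    policies carry the same ACL rule with different IP address groups, the one
    configured first takes effect, so the later one is reported as shadowed.
    `site_internet_nat` mirrors NAT being enabled in the site's Internet access
    configuration, which already occupies the interface's single Easy IP rule."""
    findings: List[str] = []
    for p in policies:
        findings.extend(validate_policy(p))
    by_if: Dict[Tuple[str, str], List[DynamicNatPolicy]] = {}
    for p in policies:
        by_if.setdefault((p.device, p.interface), []).append(p)
    for (dev, ifname), group in by_if.items():
        easy = [p.name for p in group if p.mode == "easy-ip"]
        if site_internet_nat and easy:
            findings.append(f"{dev}/{ifname}: site Internet access NAT already uses Easy IP; {easy} not allowed")
        elif len(easy) > 1:
            findings.append(f"{dev}/{ifname}: only one Easy IP rule per interface, found {easy}")
        for a, b in combinations(group, 2):
            ranged = all(x.mode != "easy-ip" and x.start_ip and x.end_ip for x in (a, b))
            if ranged:
                a0, a1 = a.address_range()
                b0, b1 = b.address_range()
                if a0 <= b1 and b0 <= a1:   # closed intervals intersect
                    findings.append(f"{dev}/{ifname}: IP address groups of {a.name} and {b.name} overlap")
            shared = set(a.rules) & set(b.rules)
            if shared and (a.start_ip, a.end_ip) != (b.start_ip, b.end_ip):
                findings.append(f"{dev}/{ifname}: {b.name} shares ACL rules with earlier {a.name}; {a.name} takes effect")
    return findings


# Constructed sample: three policies on one CPE WAN interface, in configuration order.
SAMPLE = [
    DynamicNatPolicy("nat-lan-out", "cpe-branch-1", "GE0/0/1", "pat",
                     "203.0.113.10", "203.0.113.20",
                     [AclRule(10, "permit", "tcp", "10.1.0.0/16", "0.0.0.0/0", dst_port=443)]),
    DynamicNatPolicy("nat-guest", "cpe-branch-1", "GE0/0/1", "no-pat",
                     "203.0.113.15", "203.0.113.30",
                     [AclRule(10, "permit", "tcp", "10.1.0.0/16", "0.0.0.0/0", dst_port=443)]),
    DynamicNatPolicy("nat-bad-range", "cpe-branch-1", "GE0/0/1", "pat",
                     "203.0.113.200", "203.0.113.100"),
]

if __name__ == "__main__":
    for finding in validate_policies(SAMPLE):
        print(finding)
```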

1.8.5.5.5 Creating an Intelligent Traffic Steering Policy for the Overlay Network
An intelligent traffic steering policy automatically switches traffic between active links if
congestion occurs on a link and requirements of a specified application cannot be met. If
active links are unavailable, the traffic can be switched to the best-effort link. This ensures the
experience of key applications.


Prerequisites
1. Sites have been added. For details, see 1.8.3.4 Creating a Site.
2. Sites have been activated. For details, see 1.8.3.6 Configuring the Network Access
Mode for a Site.
3. Traffic policy templates have been configured. For details, see 1.8.5.2.1 Creating a
Traffic classifier template.

Procedure
Step 1 Choose Configuration > Configuration > Traffic Policy from the main menu.
Step 2 Click the Overlay tab.
Step 3 Set VPN to a department that requires intelligent traffic steering.
Step 4 Click the Intelligent Traffic Steering tab. Then, the Policy Settings page is displayed by
default.

Step 5 Click Create. Configure an intelligent traffic steering policy.


- In DSVPN tunnel mode, Enable to enhance functionality can be configured in the
  Traffic Steering Policy Global Configuration area. If Enable to enhance
  functionality is disabled, the configuration page is as follows:
  a. Set Policy Name to the name of an intelligent traffic steering policy.
  b. Select a traffic matching rule from the Traffic Classifier Template drop-down list.
  c. In Policy Priority, configure a policy priority.
  d. Under LQM, set the thresholds for the delay, jitter, and packet loss ratio. The
     system evaluates the network health against these thresholds and then determines
     whether traffic needs to be switched to a standby link.
  e. Under Path Strategy, select primary and secondary transmission networks from the
     drop-down lists.
  f. If you want the policy to always take effect, skip this step. If you want the policy to
     take effect within a specified time range, select an effective time range template
     from the Effective Time Template drop-down list.
  g. Click OK.
- In DSVPN tunnel mode, if Enable to enhance functionality in the Traffic Steering
  Policy Global Configuration area is enabled, the configuration page is as follows. In
  EVPN tunnel mode, the enhanced function is enabled by default, and the configuration
  page is as follows:
  a. Set Policy name, Traffic Classifier Template, and Policy Priority.
  b. In the Switchover Condition area, select one of the four switchover condition types
     predefined in the system, or set Delay, Jitter, and Packet loss rate as needed. The
     system evaluates the network health against these thresholds and then determines
     whether traffic needs to be switched to another link.
  c. In the Transport Network Priority area, set the primary and secondary transport
     networks.
  d. In the Advanced Settings area, set Bandwidth conditions list, Priority, and other
     parameters. The system determines whether to switch traffic to another link based
     on the current bandwidth usage, application priority, and switchover threshold, and
     then determines the application traffic to be switched based on the application
     priority.
  e. If you want the policy to always take effect, skip this step. If you want the policy to
     take effect within a specified time range, select an effective time range template
     from the Effective Time Template drop-down list.
  f. Click OK.
Step 6 Apply the intelligent traffic steering policy to a site. The policy takes effect only at the
selected site.

1. In the Operation column of the intelligent traffic steering policy, click to apply the
policy to a site.
2. On the Select Site page, select the sites to which the policy needs to be applied.
3. Click OK.
Step 7 Deliver the intelligent traffic steering policy to the site and set the execution start time of the
policy.
1. Select the intelligent traffic steering policy to be delivered.
2. Click Commit and select Commit Selected or Commit All.
3. On the Commit page, set the execution start time of the policy to Immediately or
Schedule.
4. Click OK.

----End

Follow-up Procedure
After performing any of the following operations, you need to perform the Commit operation
for them to take effect at the sites.


Table 1-82 Follow-up procedure of an intelligent traffic steering policy

Revoking the last operation performed on an intelligent traffic steering policy
  Operation scenario and constraint: You can revoke the operation on a policy
  that has not been delivered to sites, namely, a policy on which the Commit
  operation has not been performed (Committed is not displayed in the Status
  column). You cannot revoke the operation on a committed policy. The revoke
  function can only revoke the last operation on a policy. For example, you can
  use this function to revoke the modification, creation, or deletion of a
  policy. After you revoke the last operation on a policy, only the
  configuration of the policy is rolled back. That is, the operation takes
  effect only on the Agile Controller-Campus, but does not take effect on
  devices.
  Procedure: On the Path Strategy tab page, select the intelligent traffic
  steering policy for which the last operation needs to be revoked, click
  Revoke, and then click Revoke Selected.

Deleting an intelligent traffic steering policy
  Operation scenario and constraint: You can delete a policy regardless of
  whether it is delivered to sites. After you delete a policy, the policy is
  deleted only from the Agile Controller-Campus. To delete the policy from
  devices, you need to perform the Commit operation.
  Procedure: On the Path Strategy tab page, select the intelligent traffic
  steering policy to be deleted, and click Delete.

Modifying an intelligent traffic steering policy
  Operation scenario and constraint: You can modify a policy regardless of
  whether it is delivered to sites. After you modify a policy, the modification
  takes effect only on the Agile Controller-Campus. To modify the policy on
  devices, you need to perform the Commit operation.
  Procedure:
  1. On the Path Strategy tab page, click in the Operation column of the policy
     to be modified.
  2. Modify the policy.
  3. Click OK.

Cloning an intelligent traffic steering policy
  Operation scenario and constraint: You can clone an intelligent traffic
  steering policy. That is, you can quickly create a policy by modifying an
  existing policy. After you clone a policy, the policy exists only on the
  Agile Controller-Campus. To deliver the new policy to devices, you need to
  perform the Commit operation.
  Procedure:
  1. On the Path Strategy tab page, click in the Operation column of the policy
     to be cloned.
  2. Modify the cloned policy.
  3. Click OK.

Disabling/Enabling an intelligent traffic steering policy
  Operation scenario and constraint:
  - Disabling: You can disable a policy that is not currently needed. You can
    disable a policy regardless of whether it is delivered to sites. After you
    disable a policy, the policy is disabled only on the Agile
    Controller-Campus. To disable the policy on devices, you need to perform
    the Commit operation.
  - Enabling: You can enable a policy that needs to be used. You can enable a
    policy regardless of whether it is delivered to sites. After you enable a
    policy, the policy is enabled only on the Agile Controller-Campus. To
    enable the policy on devices, you need to perform the Commit operation.
  Procedure:
  - Disabling: On the Path Strategy tab page, click in the Operation column of
    the policy to be disabled.
  - Enabling: On the Path Strategy tab page, click in the Operation column of
    the policy to be enabled.

Binding a new policy in a site view
  Operation scenario and constraint: You can bind a new policy to a site.
  Procedure:
  1. On the Path Strategy tab page, click Site View.
  2. In the site area, select a site.
  3. Click Binding New Policy.
  4. Select the policy to be bound to the selected site.
  5. Click OK.

Configuring policies in batches in a site view
  Operation scenario and constraint: You can bind a policy that has already
  been bound to one site to other sites that have no policy bound, so that
  different sites share the same policy.
  Procedure:
  1. On the Path Strategy tab page, click Site View.
  2. Click Batch Configure.
  3. In the Clone from a site area, select a site with a policy bound.
  4. In the Site area, select the destination sites to which the same policy is
     to be bound.
  5. Click OK.

Committing all the data in a site view
  Operation scenario and constraint: You can commit all the policies of a site.
  Procedure:
  1. On the Path Strategy tab page, click Site View.
  2. In the site area, select a site.
  3. Click Commit All.
  4. Click OK.

Revoking all the data in a site view
  Operation scenario and constraint: You can revoke all the policies of a site.
  Procedure:
  1. On the Path Strategy tab page, click Site View.
  2. In the site area, select a site.
  3. Click Revoke All.
  4. Click OK.

Parameter Description

Table 1-83 Parameters on the Traffic Steering page

Policy name: Name of the intelligent traffic steering policy.

Traffic Classifier Template: Traffic classifier template. The intelligent
traffic steering policy specified by Policy name is applied to packets that
match the traffic classifier template.

Policy Priority: Priority of the intelligent traffic steering policy. A data
flow is matched against intelligent traffic steering policies in descending
order of priority.

Switchover Condition

  Switchover Condition: Switchover conditions include delay, jitter, and packet
  loss rate. Different services have different requirements on link quality.
  For example, voice and real-time-video services have low tolerance for delay
  and packet loss rate. CPEs use the IPFMP protocol to monitor the delay,
  jitter, and packet loss rate of application traffic in real time. If one of
  the switchover conditions exceeds the threshold, a link switchover is
  triggered.
  The system defines switchover conditions for Voice, Real-time-video,
  Low-latency-data, and Bulk-data services. You can directly select a service
  type, or customize switchover conditions based on service requirements. If
  this parameter is set to Custom, you can set Delay, Jitter, and Packet loss
  rate as required.

  Delay (ms): Delay threshold.

  Jitter (ms): Jitter threshold.

  Packet loss rate: Packet loss ratio threshold.

Transport Network Priority

  Primary Transport Network List
    Priority: Priority of the primary transport network. A numerically smaller
    value indicates a higher priority. The same priority can be configured for
    multiple transport networks.
    Transport Network: You can configure multiple primary transport networks
    and specify their priorities. You can define the scheduling mode between
    different transport networks by setting Policy between TN.
      - Transport networks with the same priority: It is recommended that the
        Loadbalance scheduling mode be selected.
      - Transport networks with different priorities: It is recommended that
        the Prefer scheduling mode be selected. That is, the transport network
        with the highest priority is selected first for forwarding application
        traffic. If any of the switchover conditions exceeds the threshold or
        the bandwidth usage exceeds the threshold, the traffic is switched to
        another transport network with a lower priority.

  Secondary Transport Network List enable: Secondary transport network.
  Secondary transport networks provide escape links. Application traffic is
  switched to a secondary transport network only when the primary transport
  network fails.

Advanced Settings

  Switch threshold upper(%) / Switch threshold Lower(%): In addition to delay,
  jitter, and packet loss rate, you can select links to transmit application
  traffic based on link bandwidth usage. For example, when the bandwidth usage
  of a link reaches a specified threshold, new data flows of some applications
  cannot be transmitted over this link, preventing application quality
  deterioration.
  You can configure a link selection policy by setting Switch threshold upper
  and Switch threshold Lower:
    - Link bandwidth usage < Switch threshold Lower: All application traffic,
      including new application traffic, is forwarded through the current
      transport network.
    - Switch threshold Lower < Link bandwidth usage < Switch threshold upper:
      Only the existing application traffic is forwarded through the current
      transport network, and new application traffic cannot be transmitted.
    - Link bandwidth usage > Switch threshold upper: The existing application
      traffic is switched to another transport network for transmission, and
      new application traffic cannot be transmitted.

  Bandwidth conditions list
    Transport Network: Bandwidth conditions for a transport network. You can
    configure this parameter in either of the following scenarios:
      - Configuring Bandwidth Upper Limit and Bandwidth Lower Limit: By
        default, Switch threshold upper and Switch threshold Lower are applied
        to all transport networks. If you need to customize the configuration
        for a certain transport network, Bandwidth Upper Limit and Bandwidth
        Lower Limit can be configured in bandwidth conditions.
      - Configuring Bandwidth Upper For Application and Bandwidth Lower For
        Application: Links are selected for traffic transmission based on the
        bandwidth usage of applications.
      NOTE
      The application bandwidth usage guides traffic steering based on
      applications, and the link bandwidth usage guides traffic steering based
      on links. It is recommended that the two bandwidth conditions be used
      separately. The way that traffic is steered when the application
      bandwidth usage exceeds the threshold is the same as that when the link
      bandwidth usage exceeds the threshold.
    Bandwidth Upper Limit(%) / Bandwidth Lower Limit(%): Link bandwidth usage.
    The value is the ratio of the bandwidth occupied by all applications
    carried over the link to the total bandwidth of the current transport
    network.
    Bandwidth Upper Limit(Mbps) / Bandwidth Lower Limit(Mbps): Bandwidth upper
    limit and bandwidth lower limit expressed as absolute values rather than
    percentages.
    Bandwidth Upper For Application(%) / Bandwidth Lower For Application(%):
    Application bandwidth usage. The value is the ratio of the bandwidth
    occupied by the applications specified in the traffic classifier template
    to the total bandwidth of the current transport network.
    Bandwidth Upper For Application(Mbps) / Bandwidth Lower For
    Application(Mbps): Bandwidth upper limit and bandwidth lower limit for
    applications expressed as absolute values rather than percentages.

  Action when condition not satisfied: How traffic is steered if the SLA of the
  primary transport network fails to meet the requirement or the bandwidth
  usage exceeds the threshold.
    - ECMP: When the Prefer scheduling mode is selected, a link with better
      quality is selected from the primary transport network based on the CMI
      algorithm. When the Loadbalance scheduling mode is selected, packets are
      forwarded based on the routing table.
    - Discard: If a best-effort link is configured, packets are forwarded
      through the best-effort link. If no best-effort link is configured,
      packets are discarded.

  Switchover mode: Whether traffic can be switched back to the original link if
  the quality of the original link recovers or the bandwidth usage of the
  original link decreases. The link switchover consists of the switchover
  between primary transport networks with different priorities and the
  switchover between primary and secondary transport networks.
    NOTE
    If bandwidth conditions are configured and the bandwidth usage guides
    traffic steering, it is not recommended to set Switchover mode to
    pre-emptive.

  Policy between TN: The Prefer scheduling mode is used by default for
  transport networks with different priorities. You can also select the
  Loadbalance scheduling mode.

  Priority: Application priority. A numerically smaller value has a higher
  priority. If service packets of different types are transmitted over the
  same link and packet congestion occurs, packets of high-priority
  applications are preferentially transmitted. This parameter is configurable
  only when Policy between TN is set to Loadbalance.

Effective Time Template: Time range defined in the template. The intelligent
traffic steering policy takes effect only in the defined time range.
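The switchover conditions, the Switch threshold rules, per-transport-network bandwidth limits, Prefer/Loadbalance scheduling, secondary escape links and the action taken when no primary network qualifies, modelled as one link-selection function so the interaction of the parameters above can be traced on sample measurements. This is an added example and not Huawei's code: the CMI algorithm is not described on this page, so the lowest measured delay stands in for it, escape links are checked against the same conditions (an assumption), and all threshold values, link names and measurements are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SwitchoverCondition:
    """Custom thresholds; the predefined Voice/Real-time-video/... values are not given on this page."""
    delay_ms: float
    jitter_ms: float
    loss_rate: float            # percent


@dataclass
class Link:
    """Measured state of one transport network (constructed values)."""
    name: str
    priority: int               # smaller value = higher priority
    delay_ms: float
    jitter_ms: float
    loss_rate: float            # percent
    bw_usage: float             # link bandwidth usage, percent
    up: bool = True


@dataclass
class SteeringPolicy:
    condition: SwitchoverCondition
    switch_upper: float                      # Switch threshold upper(%)
    switch_lower: float                      # Switch threshold Lower(%)
    policy_between_tn: str = "prefer"        # "prefer" or "loadbalance"
    action_not_satisfied: str = "ecmp"       # "ecmp" or "discard"
    best_effort: Optional[str] = None        # best-effort link name, if configured
    tn_limits: Dict[str, Tuple[float, float]] = field(default_factory=dict)  # TN -> (lower, upper)


def sla_met(link: Link, cond: SwitchoverCondition) -> bool:
    """A switchover is triggered as soon as any one condition exceeds its threshold."""
    return (link.delay_ms <= cond.delay_ms and link.jitter_ms <= cond.jitter_ms
            and link.loss_rate <= cond.loss_rate)


def bandwidth_state(link: Link, policy: SteeringPolicy) -> str:
    """'all' | 'existing-only' | 'evict' per the Switch threshold rules; a per-TN
    Bandwidth Lower/Upper Limit from the bandwidth conditions list overrides the global pair."""
    lower, upper = policy.tn_limits.get(link.name, (policy.switch_lower, policy.switch_upper))
    if link.bw_usage < lower:
        return "all"
    if link.bw_usage > upper:
        return "evict"
    return "existing-only"


def usable(link: Link, policy: SteeringPolicy, new_flow: bool) -> bool:
    if not link.up or not sla_met(link, policy.condition):
        return False
    state = bandwidth_state(link, policy)
    return state == "all" or (state == "existing-only" and not new_flow)


def select_links(policy: SteeringPolicy, primaries: List[Link], secondaries: List[Link],
                 new_flow: bool) -> List[str]:
    """Names of the links the flow may use; an empty list means the flow is discarded."""
    if not any(link.up for link in primaries):
        # Secondary transport networks are escape links, used only when the primary fails.
        return [link.name for link in secondaries if usable(link, policy, new_flow)]
    ordered = sorted(primaries, key=lambda link: link.priority)
    candidates = [link for link in ordered if usable(link, policy, new_flow)]
    if candidates:
        if policy.policy_between_tn == "prefer":
            return [candidates[0].name]          # highest-priority qualifying network
        best = candidates[0].priority              # Loadbalance: share the best qualifying tier
        return [link.name for link in candidates if link.priority == best]
    # No primary network satisfies the conditions: apply Action when condition not satisfied.
    if policy.action_not_satisfied == "ecmp":
        # The page attributes this choice to the CMI algorithm in Prefer mode (and to the routing
        # table in Loadbalance mode); lowest delay, then lowest loss, stands in for it here (assumption).
        up = [link for link in primaries if link.up]
        return [min(up, key=lambda link: (link.delay_ms, link.loss_rate)).name]
    return [policy.best_effort] if policy.best_effort else []


# Constructed sample policy and links.
VOICE_LIKE = SwitchoverCondition(delay_ms=150, jitter_ms=30, loss_rate=1.0)
POLICY = SteeringPolicy(VOICE_LIKE, switch_upper=80, switch_lower=60,
                        tn_limits={"mpls": (70, 90)}, best_effort="lte")
PRIMARIES = [Link("mpls", 1, delay_ms=40, jitter_ms=5, loss_rate=0.1, bw_usage=75),
             Link("internet", 2, delay_ms=90, jitter_ms=10, loss_rate=0.3, bw_usage=50)]
SECONDARIES = [Link("lte", 9, delay_ms=120, jitter_ms=25, loss_rate=0.8, bw_usage=20)]


def demo_decisions() -> Dict[str, List[str]]:
    """Run the scenarios described on the page through select_links."""
    congested = [Link("mpls", 1, 40, 5, 0.1, 95), Link("internet", 2, 90, 10, 0.3, 85)]
    down = [Link("mpls", 1, 40, 5, 0.1, 10, up=False), Link("internet", 2, 90, 10, 0.3, 10, up=False)]
    lossy = [Link("mpls", 1, 40, 5, 2.0, 10), PRIMARIES[1]]
    discard = SteeringPolicy(VOICE_LIKE, 80, 60, action_not_satisfied="discard", best_effort="lte")
    return {
        "existing flow, mpls between thresholds": select_links(POLICY, PRIMARIES, SECONDARIES, False),
        "new flow, mpls between thresholds": select_links(POLICY, PRIMARIES, SECONDARIES, True),
        "mpls loss above threshold": select_links(POLICY, lossy, SECONDARIES, True),
        "both primaries above upper, ecmp": select_links(POLICY, congested, SECONDARIES, False),
        "both primaries above upper, discard+best-effort": select_links(discard, congested, SECONDARIES, False),
        "all primaries down": select_links(POLICY, down, SECONDARIES, True),
    }
```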

1.8.5.5.6 Creating a QoS Policy for the Overlay Network


To limit the bandwidths of applications or traffic, you need to configure a QoS policy.


The number of applications supported in a QoS policy varies with the device model. For
example, the AR3760 supports a maximum of 1204 applications.

Prerequisites
1. Sites have been added. For details, see 1.8.3.4 Creating a Site.
2. Sites have been activated. For details, see 1.8.3.6 Configuring the Network Access
Mode for a Site.
3. Traffic policy templates have been configured. For details, see 1.8.5.2.1 Creating a
Traffic classifier template.

Procedure
Step 1 Choose Configuration > Configuration > Traffic Policy from the main menu.
Step 2 Click the Overlay tab.
Step 3 Set VPN to the department for which a QoS policy needs to be configured.
Step 4 Click the QoS tab. Then, the Policy Settings page is displayed by default.

Step 5 Click Create and configure a QoS policy.

1. Set Policy name to the name of the QoS policy to be configured.


2. Select a traffic matching rule from the Traffic Classifier Template drop-down list.
3. In Policy Priority, configure a policy priority.
4. Enable Queue priority, Traffic bandwidth limit, Re-mark DSCP, and Queue length,
and set corresponding parameters as needed.


5. If you want the policy to take effect within a specified time range, select an effective
time range template from the Effective Time Template drop-down list. If you want the
policy to always take effect, skip this step.
6. Click OK.
Step 6 Apply the QoS policy to sites.

1. In the Operation column of the QoS policy, click to add sites.


2. On the Select Site page, select the sites to which the policy needs to be applied.
The policy can take effect only when branch sites are selected. For example, you can
select the combination of hub and branch sites or the combination of aggregation and
branch sites.
3. Click OK.
Step 7 Deliver the QoS policy to the sites and set the execution start time of the policy.
1. Select the QoS policy to be delivered.
2. Click Commit and select Commit Selected or Commit All.
3. On the Commit page, set the execution start time of the policy to Immediately or
Schedule.
4. Click OK.

----End

Follow-up Procedure
After performing any of the following operations, you need to perform the Commit operation
for them to take effect at the sites.

Table 1-84 Follow-up procedure of a QoS policy

Revoking the last operation on a QoS policy
  Operation scenario and constraint: You can revoke the operation on a policy
  that has not been delivered to sites, namely, a policy on which the Commit
  operation has not been performed (Committed is not displayed in the Status
  column). You cannot revoke the operation on a committed policy. The revoke
  function can only revoke the last operation on a policy. For example, you can
  use this function to revoke the modification, creation, or deletion of a
  policy. After you revoke the last operation on a policy, only the
  configuration of the policy is rolled back. That is, the operation takes
  effect only on the Agile Controller-Campus, but does not take effect on
  devices.
  Procedure: On the QoS tab page, select the policy for which the last
  operation needs to be revoked, click Revoke, and select Revoke Selected.

Deleting a QoS policy
  Operation scenario and constraint: You can delete a policy regardless of
  whether it is delivered to sites. After you delete a policy, the policy is
  deleted only from the Agile Controller-Campus. To delete the policy from
  devices, you need to perform the Commit operation.
  Procedure: On the QoS tab page, select the QoS policy to be deleted and click
  Delete.

Modifying a QoS policy
  Operation scenario and constraint: You can modify a policy regardless of
  whether it is delivered to sites. After you modify a policy, the modification
  takes effect only on the Agile Controller-Campus. To modify the policy on
  devices, you need to perform the Commit operation.
  Procedure:
  1. On the QoS tab page, click in the Operation column of the QoS policy to be
     modified.
  2. Modify the policy.
  3. Click OK.

Cloning a QoS policy
  Operation scenario and constraint: You can clone a QoS policy. That is, you
  can quickly create a policy by modifying an existing policy. After you clone
  a policy, the policy exists only on the Agile Controller-Campus. To deliver
  the new policy to devices, you need to perform the Commit operation.
  Procedure:
  1. On the QoS tab page, click in the Operation column of the QoS policy to be
     cloned.
  2. Modify the cloned policy.
  3. Click OK.

Disabling/Enabling a QoS policy
  Operation scenario and constraint:
  - Disabling: You can disable a policy that is not currently needed. You can
    disable a policy regardless of whether it is delivered to sites. After you
    disable a policy, the policy is disabled only on the Agile
    Controller-Campus. To disable the policy on devices, you need to perform
    the Commit operation.
  - Enabling: You can enable a policy that needs to be used. You can enable a
    policy regardless of whether it is delivered to sites. After you enable a
    policy, the policy is enabled only on the Agile Controller-Campus. To
    enable the policy on devices, you need to perform the Commit operation.
  Procedure:
  - Disabling: On the QoS tab page, click in the Operation column of the policy
    to be disabled.
  - Enabling: On the QoS tab page, click in the Operation column of the policy
    to be enabled.

Binding a new policy in a site view
  Operation scenario and constraint: You can bind a new policy to a site.
  Procedure:
  1. On the QoS tab page, click Site View.
  2. In the site area, select a site.
  3. Click Binding New Policy.
  4. Select the policy to be bound to the selected site.
  5. Click OK.

Configuring policies in batches in a site view
  Operation scenario and constraint: You can bind a policy that has already
  been bound to one site to other sites that have no policy bound, so that
  different sites share the same policy.
  Procedure:
  1. On the QoS tab page, click Site View.
  2. Click Batch Configure.
  3. In the Clone from a site area, select a site with a QoS policy bound.
  4. In the Site area, select the destination sites to which the same policy is
     to be bound.
  5. Click OK.

Committing all the data in a site view
  Operation scenario and constraint: You can commit all the policies of a site.
  Procedure:
  1. On the QoS tab page, click Site View.
  2. In the site area, select a site.
  3. Click Commit All.
  4. Click OK.

Revoking all the data in a site view
  Operation scenario and constraint: You can revoke all the policies of a site.
  Procedure:
  1. On the QoS tab page, click Site View.
  2. In the site area, select a site.
  3. Click Revoke All.
  4. Click OK.

Parameter Description

Table 1-85 Parameters on the QoS page


Parameter Description

Policy name QoS policy name. Currently, a QoS policy can be applied only to
the outbound direction of a WAN interface.

Traffic Classifier Traffic classifier template. The QoS policy specified by Policy
Template name is applied to packets that match the traffic classifier template.

Policy Priority QoS policy priority.

Issue 01 (2019-03-13) Copyright © Huawei Technologies Co., Ltd. 329


SD-WAN
Configuration Guide 1 Configuration Guide

Parameter Description

Que Queue Queue priority. You are advised to enable Queue Priority for key
ue Priority applications that need to be guaranteed. When Queue Priority is
Prior enabled, a CPE automatically sets queue types for identified
ity packets based on the defined queue priorities.

Priority QoS priority. When network congestion occurs, the system


Level preferentially transmits packets of higher-priority applications. This
parameter is available only when Queue Priority is enabled.
The following QoS priorities are supported:
l Medium: Assured Forwarding (AF) is used to ensure low drop
probability of packets when the rate of outgoing service traffic
does not exceed the minimum bandwidth.
l High: After packets matching traffic classification rules enter
Expedited Forwarding (EF) queues, they are scheduled in Strict
Priority (SP) mode. Packets in other queues are scheduled only
after all the packets in EF queues are scheduled. In addition, EF
queues can preempt the available bandwidth in AF or BE
queues.
l Highest: Low Latency Queuing (LLQ) is used to schedule
packets with the highest priority. LLQ queues are a special type
of EF queues and are scheduled in SP mode. They can achieve
lower latency than common EF queues and ensure the service
quality of latency-sensitive applications, for example, VoIP
services. LLQ queues do not preempt the available bandwidth in
AF or BE queues.

Guaranteed bandwidth: Guaranteed bandwidth. This parameter is available only when Queue Priority is enabled.
For AF and EF queues, the guaranteed bandwidth is the minimum bandwidth that is guaranteed. If traffic exceeds the guaranteed bandwidth, the queue can preempt available bandwidth.
LLQ queues do not preempt available bandwidth, so for an LLQ queue the guaranteed bandwidth is also the maximum bandwidth: if traffic exceeds the guaranteed bandwidth, the excess traffic is discarded.
This parameter can be set to a specific bandwidth value or to a percentage of the bandwidth available to a department (VPN) on an interface. A specific value cannot exceed the bandwidth available to the department.
For example, if the bandwidth of a WAN interface is 100 Mbit/s and the bandwidth available to VPN1 is 50 Mbit/s, setting this parameter to 20% allows packets matching the traffic classifier to occupy 10 Mbit/s (50 Mbit/s x 20%).

Traffic bandwidth limit > Traffic bandwidth limit: Whether to limit the bandwidth of matching traffic. After Traffic bandwidth limit is enabled, packets matching the rule are limited to Bandwidth limit using the selected Limit type.

Traffic bandwidth limit > Limit type: This parameter is available only when Traffic bandwidth limit is enabled. The following types are supported:
l Traffic shaping: Traffic shaping adjusts the rate at which traffic is sent from an interface. When the inbound interface of a downstream device is slower than the outbound interface of the upstream device, or when burst traffic occurs, congestion may occur on the inbound interface of the downstream device. Traffic shaping configured on the outbound interface of the upstream device sends outgoing traffic at an even rate so that congestion is avoided.
l Traffic policing: Traffic policing discards excess traffic to keep traffic within a proper range, protecting network resources and enterprise users' interests. Traffic policing is implemented using committed access rate (CAR).
If Queue Priority is enabled and the priority is set to Highest or High, only Traffic policing can be selected.

Traffic bandwidth limit > Bandwidth limit: Bandwidth limit. When traffic exceeds this limit, the excess traffic is buffered and sent later (if traffic shaping is configured) or discarded directly (if traffic policing is configured). The bandwidth limit must be greater than Guaranteed bandwidth. This parameter is available only when Traffic bandwidth limit is enabled.

Re-Mark DSCP: Whether to re-mark DSCP. If this option is enabled, you need to specify a value for the DSCP field. The CPE replaces the value of the DSCP field in the outer IP header with the specified value.

Queue length: Maximum length of a queue. This parameter is configurable only when Queue Priority is set to High or Medium.
You can specify the maximum number of bytes that can be stored in a queue, the maximum number of packets that can be stored in a queue, or both. If both are specified, the queue stops accepting packets when either the number of packets or the total number of bytes in the queue reaches its maximum.

Re-mark 802.1p: Whether to re-mark the 802.1p priority of VLAN packets. A larger value indicates a higher priority. If a traffic policy is applied to the outbound direction on an interface, the CPE still processes outgoing packets based on the original priority, but the downstream Layer 2 device processes the packets based on the re-marked priority.

Enable statistics collection: Whether to enable statistics collection. After this function is enabled, you can view traffic statistics on CPEs.

Effective Time Template: Time range defined in the template. The QoS policy takes effect only in the defined time range.

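The difference between the two Limit type options above, as an added example that is not part of this guide: a small Python simulation of a committed-rate token bucket run once as a policer (CAR), which discards excess packets, and once as a shaper with a bounded queue, which delays them and drops only when the queue length is exhausted. The rate, burst allowance, queue depth and packet arrival pattern are constructed values, and the FIFO token-bucket shaper is a simplified model, not Huawei's implementation.

```python
"""Traffic policing (CAR) versus traffic shaping, simulated with a token bucket.

Added example, not code from the Huawei SD-WAN guide. It models the two Limit
type behaviours the QoS table describes: a policer discards traffic above the
bandwidth limit, a shaper queues it and sends it later, and the queue length
bounds how much can wait. All numbers below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class TokenBucket:
    rate_bps: float      # committed information rate, bits per second
    burst_bits: float    # bucket depth (committed burst size), bits
    tokens: float = 0.0
    last_t: float = 0.0

    def __post_init__(self):
        self.tokens = self.burst_bits   # the bucket starts full

    def refill(self, now):
        """Add the tokens earned since the last update, capped at the bucket depth."""
        self.tokens = min(self.burst_bits, self.tokens + (now - self.last_t) * self.rate_bps)
        self.last_t = now

    def seconds_until(self, bits):
        """Seconds until `bits` tokens are available (0 if they already are)."""
        deficit = bits - self.tokens
        return 0.0 if deficit <= 0 else deficit / self.rate_bps


def police(packets, rate_bps, burst_bits):
    """Traffic policing: a packet is forwarded if it conforms, otherwise dropped at once.
    packets: list of (arrival_time_s, size_bytes). Returns a list of (t, action)."""
    bucket = TokenBucket(rate_bps, burst_bits)
    out = []
    for t, size in packets:
        bucket.refill(t)
        bits = size * 8
        if bucket.tokens >= bits:
            bucket.tokens -= bits
            out.append((t, "forward"))
        else:
            out.append((t, "drop"))          # excess traffic is discarded
    return out


def shape(packets, rate_bps, burst_bits, max_queue_pkts):
    """Traffic shaping: non-conforming packets wait in a FIFO queue and leave at the
    committed rate; packets are dropped only when the queue (Queue length) is full.
    Returns a list of (arrival_t, action, departure_t_or_None)."""
    bucket = TokenBucket(rate_bps, burst_bits)
    out = []
    last_departure = 0.0
    for t, size in packets:
        bits = size * 8
        # Packets still waiting at time t are those scheduled to leave after t.
        queued = sum(1 for _, act, dep in out if act == "shaped" and dep > t)
        if queued >= max_queue_pkts:
            out.append((t, "drop", None))     # tail drop: queue length exceeded
            continue
        start = max(t, last_departure)       # FIFO: cannot leave before its predecessor
        bucket.refill(start)
        depart = start + bucket.seconds_until(bits)
        bucket.refill(depart)
        bucket.tokens -= bits
        last_departure = depart
        out.append((t, "shaped", depart))
    return out


def compare(packets, rate_bps=1_000_000, burst_bits=12_000, max_queue_pkts=3):
    """Run the same arrivals through a policer and a shaper and summarise the result."""
    policed = police(packets, rate_bps, burst_bits)
    shaped = shape(packets, rate_bps, burst_bits, max_queue_pkts)
    delays = [dep - t for t, act, dep in shaped if act == "shaped"]
    return {
        "policer_forwarded": sum(1 for _, a in policed if a == "forward"),
        "policer_dropped": sum(1 for _, a in policed if a == "drop"),
        "shaper_sent": sum(1 for _, a, __ in shaped if a == "shaped"),
        "shaper_dropped": sum(1 for _, a, __ in shaped if a == "drop"),
        "max_shaping_delay_s": max(delays) if delays else 0.0,
    }


# Constructed arrival pattern: a burst of six 1500-byte packets at t=0 against a
# 1 Mbit/s limit with a one-packet burst allowance, then one packet 50 ms later.
BURST = [(0.0, 1500)] * 6 + [(0.05, 1500)]

if __name__ == "__main__":
    for key, value in compare(BURST).items():
        print(f"{key}: {value}")
```

With these inputs the policer forwards only the first packet of the burst and the later packet, dropping five; the shaper delivers four packets of the burst spaced 12 ms apart (a 36 ms worst-case delay) and drops the two that no longer fit in the three-packet queue. This is why the guide allows only policing for Highest and High queues: shaping buys fewer drops at the cost of latency, which latency-sensitive traffic cannot afford.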
1.8.5.6 Configuring a Security Policy

1.8.5.6.1 Creating a Network Security Policy


This section describes how to configure a URL filtering policy, firewall policy, and IPS
policy.

Prerequisites
1. Site deployment is complete. For details, see 1.8.4 Site Deployment.
2. The network has been deployed. For details, see 1.8.3 Network Deployment.

Procedure
Step 1 Choose Configuration > Configuration > Security Policy from the main menu.
Step 2 Set VPN to a department that requires a security policy.
Step 3 Click Create to create a security policy.
1. Set the name of the security policy.
Set Policy name to the name of the security policy.
2. To control user access to URLs, configure a URL filtering policy.
a. Enable URL filtering.
b. Set Default action to the action taken for URLs that match neither the exception list nor a controlled URL category (Permit or Deny).
c. In Exception list, configure the URLs that receive the opposite of the default action.
d. Enable the predefined URL category database (Enable pre-defined URL category).
e. Set Predefined URL filter level to the filter level applied to the predefined URL categories.
3. When users need to access the Internet and a security policy is required, you can perform
the following configurations:
a. Configure a firewall policy.


i. Enable firewall.


ii. Set Internet-to-User default action to specify the default action to be
performed on inbound packets. Generally, the default value is used.
iii. In Internet-to-User permit flow, configure a policy for filtering inbound
packets.
iv. Set User-to-Internet default action to specify the default action for outbound
packets. Generally, the default value is used.
v. In User-to-Internet deny flow, configure a policy for filtering outbound
packets.
b. Configure an IPS policy to analyze network traffic and detect intrusion behavior.

i. Enable IPS.


ii. Select the name of the security configuration file from the drop-down list on
the right of Enable IPS. Click Details to view the control policy of the
security configuration file.
4. Click OK.

Step 4 Apply the security policy to sites.

1. In the Operation column of the security policy, click the icon for adding sites.


2. On the Selected Sites page, select sites to which the policy is applied.
3. Click OK.

Step 5 Deliver the security policy to the sites and set the execution start time of the policy.
1. Select the security policy to be delivered.
2. Click Commit and select Commit Selected or Commit All.
3. On the Commit page, set the execution start time of the policy to Immediately or
Schedule.
4. Click OK.

----End
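The URL filtering decision described in step 2 above, as an added Python example; it is not code from this guide or from the Agile Controller-Campus. It reproduces the documented semantics: the default action applies to unmatched URLs, entries in the exception list and categories controlled by the selected filter level receive the opposite action, and a customized table assigns an action per category directly. The category database contents, the hostnames, the category identifiers and the suffix matching of exception-list entries are assumptions made for this example.

```python
"""URL filtering decision logic as described for the Security Policy page.

Added example, not code from the Huawei SD-WAN guide or the Agile Controller.
The category database, hostnames, category identifiers and the suffix-based
matching of exception-list entries are assumptions made for this example.
"""
from urllib.parse import urlsplit

# Constructed stand-in for the predefined URL category database on the CPE.
CATEGORY_DB = {
    "adult.example": "adult",
    "casino.example": "illegal",
    "social.example": "social_media",
    "videos.example": "video_sharing",
    "news.example": "news",
}

# Categories controlled at each filter level, following the level descriptions
# in the guide (the category identifiers themselves are assumed names).
LEVEL_CATEGORIES = {
    "high": {"adult", "illegal", "social_media", "video_sharing"},
    "medium": {"adult", "illegal"},
    "low": {"adult"},
}


def host_of(url):
    """Extract the lower-cased host part of a URL, tolerating a bare hostname."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def matches_exception(host, exception_list):
    """Assumption: an entry matches the host itself or any subdomain of it."""
    return any(host == e or host.endswith("." + e) for e in exception_list)


def category_of(host):
    """Look up the host and then each parent domain in the category database."""
    parts = host.split(".")
    for i in range(len(parts) - 1):
        cat = CATEGORY_DB.get(".".join(parts[i:]))
        if cat:
            return cat
    return None


def url_filter(url, default_action, exception_list=(), use_categories=False,
               level="medium", custom_actions=None):
    """Return 'permit' or 'deny' for a URL.

    default_action: action for URLs that match nothing ('permit' or 'deny').
    exception_list: URLs/hosts that receive the opposite of the default action.
    use_categories: consult the predefined category database.
    level: 'high', 'medium' or 'low'; categories controlled at that level get
           the opposite of the default action.
    custom_actions: {category: 'permit'|'deny'}; when given it replaces the level.
    """
    if default_action not in ("permit", "deny"):
        raise ValueError("default_action must be 'permit' or 'deny'")
    opposite = "deny" if default_action == "permit" else "permit"
    host = host_of(url)
    if matches_exception(host, exception_list):
        return opposite                       # exception list inverts the default
    if use_categories:
        cat = category_of(host)
        if cat is not None:
            if custom_actions is not None:
                return custom_actions.get(cat, default_action)
            if cat in LEVEL_CATEGORIES[level]:
                return opposite               # category controlled at this level
    return default_action


if __name__ == "__main__":
    for u in ("http://www.adult.example/x", "http://social.example", "http://news.example"):
        print(u, url_filter(u, "permit", use_categories=True, level="medium"))
```

Note the asymmetry the guide documents: with Default action set to Permit the exception list is a block list, while with Deny it is an allow list, so an entry's effect depends on the default action chosen in step 2b.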


Follow-up Procedure

Table 1-86 Follow-up procedure of a security policy


Function: Revoking a security policy
Operation scenario and constraint: You can revoke the last operation on a policy that has not been delivered to sites, that is, a policy on which the Commit operation has not been performed (Committed is not displayed in the Status column). You cannot revoke an operation on a committed policy. Only the last operation on a policy can be revoked, for example, the modification, creation, or deletion of the policy. Revoking rolls back only the policy configuration on the Agile Controller-Campus; nothing changes on the devices.
Procedure: On the Security Policy tab page, select the policy whose last operation needs to be revoked, click Revoke, and then click Revoke Selected.

Function: Deleting a security policy
Operation scenario and constraint: You can delete a policy regardless of whether it is delivered to sites. After you delete a policy, it is deleted only from the Agile Controller-Campus. To delete the policy from devices, perform the Commit operation.
Procedure: On the Security Policy tab page, select the security policy to be deleted, and click Delete.

Function: Modifying a security policy
Operation scenario and constraint: You can modify a policy regardless of whether it is delivered to sites. After you modify a policy, the modification takes effect only on the Agile Controller-Campus. To modify the policy on devices, perform the Commit operation.
Procedure:
1. On the Security Policy tab page, click the modify icon in the Operation column of the policy to be modified.
2. Modify the policy.
3. Click OK.

Function: Cloning a security policy
Operation scenario and constraint: You can clone a security policy, that is, quickly create a policy by modifying an existing one. After you clone a policy, the new policy exists only on the Agile Controller-Campus. To deliver it to devices, perform the Commit operation.
Procedure:
1. On the Security Policy tab page, click the clone icon in the Operation column of the policy to be cloned.
2. Modify the cloned policy.
3. Click OK.

Function: Disabling/Enabling a security policy
Operation scenario and constraint:
l Disabling: You can disable a policy that is not needed currently, regardless of whether it is delivered to sites. After you disable a policy, it is disabled only on the Agile Controller-Campus. To disable the policy on devices, perform the Commit operation.
l Enabling: You can enable a policy that needs to be used, regardless of whether it is delivered to sites. After you enable a policy, it is enabled only on the Agile Controller-Campus. To enable the policy on devices, perform the Commit operation.
Procedure:
l Disabling: On the Security Policy tab page, click the disable icon in the Operation column of the policy to be disabled.
l Enabling: On the Security Policy tab page, click the enable icon in the Operation column of the policy to be enabled.

Parameter Description

Table 1-87 Parameters on the Security Policy page

Parameter Description

Policy name Name of a security policy.

URL policies > Enable URL filtering: Whether to permit or deny access from users to a URL or a type of URLs. When receiving an HTTP request, the device extracts the URL from the request and compares it with the entries in Exception list and with the predefined URL categories. If the URL is included in Exception list or in a controlled predefined URL category, the device processes the HTTP request according to the configured action.

Default action Action taken after URL filtering. After the device
queries a URL category matching an HTTP request, it
processes the HTTP request according to the action
taken for the URL category. Currently, the following
actions are supported:
l Permit: Traffic from all URLs except those included
in Exception List or the pre-defined URL category
is allowed to pass.
l Deny: Only traffic from the URLs included in
Exception List or the pre-defined URL category is
allowed to pass.

Exception list List of URLs that are not filtered. For example:
l If the default action is Permit, traffic from URLs in
the exception list is not allowed to pass.
l If the default action is Deny, traffic from URLs in
the exception list is allowed to pass.

Enable pre-defined URL category: Whether to use the predefined URL category database to define the block action. A predefined URL category database is preset on CPEs before delivery. It contains more than 40 URL categories, and each category contains multiple URLs.

Predefined URL filter level: Filter level. This parameter is available only when Enable pre-defined URL category is enabled. Configuring an action for every URL category separately is laborious, so three filter levels are predefined: high, medium, and low. If the three default filter levels do not meet your requirements, you can customize an action for each predefined URL category. The following filter levels are supported:
l High: indicates strict access control. For example, access to adult websites, illegal activities, social media websites, and video sharing websites is controlled.
l Medium: indicates medium access control. For example, access to all adult websites and illegal websites is controlled.
l Low: indicates loose access control. For example, access to adult websites is controlled.
l Customized: If you click Customized and then Set, you can customize an action (by clicking Permit or Deny) for each predefined URL category in the displayed dialog box.

Firewall policies > Enable firewall: Whether to enable firewall policies. If this parameter is enabled, the following functions are enabled automatically:
1. Packet filtering firewall: The device compares data packets with the rules in Internet-to-User permit flow and User-to-Internet deny flow, and forwards or discards the packets based on the comparison result.
2. Application Specific Packet Filter (ASPF): The device inspects FTP, SIP, and RTSP packets at the application layer and determines whether to allow them through the firewall into the internal network. ASPF prevents malicious attacks and also prevents normal data packets from being blocked by ACLs. ACLs are often configured on devices to prevent hosts on external networks from accessing the internal network. For example, an ACL may filter out all packets from an FTP server, so that the FTP data connection cannot be set up. With ASPF enabled, the device detects the FTP session and creates a temporary access control list (TACL), that is, a temporary channel on the external interface of the firewall for the packets returned by the FTP server.

Internet-to-User default action: Default action performed on inbound packets that do not match any rule of the inbound ACL. By default, all inbound packets are rejected. You can set the default action for inbound packets to permit. An inbound packet is sent from a low-priority zone to a high-priority zone.

Internet-to-User flow > Internet-to-User flow: Inbound ACL. Multiple ACL rules can be defined in the ACL.

Internet-to-User flow > Priority: Priority of an ACL rule. The ACL rule with a higher priority is matched preferentially, and the action defined by this rule is performed.

Internet-to-User flow > Action: Action:
l Permit: Inbound packets that match the ACL rule are allowed to pass.
l Deny: Inbound packets that match the ACL rule are denied.

Internet-to-User flow > Protocol: Protocol of the packets that can match the ACL rule.

Internet-to-User flow > Source IP: Source IP address of the packets that can match the ACL rule.

Internet-to-User flow > Source Port: Source port number of the packets that can match the ACL rule.

Internet-to-User flow > Destination IP: Destination IP address of the packets that can match the ACL rule.

Internet-to-User flow > Destination Port: Destination port number of the packets that can match the ACL rule.

User-to-Internet default action: Default action performed on outbound packets that do not match any rule of the outbound ACL. By default, all outbound packets are allowed to pass through. You can set the default action for outbound packets to deny. An outbound packet is sent from a high-priority zone to a low-priority zone.

User-to-Internet flow > User-to-Internet flow: Outbound ACL. Multiple ACL rules can be defined in the ACL.

User-to-Internet flow > Priority: Priority of an ACL rule. The ACL rule with a higher priority is matched preferentially, and the action defined by this rule is performed.

User-to-Internet flow > Action: Action:
l Permit: Outbound packets that match the ACL rule are allowed to pass.
l Deny: Outbound packets that match the ACL rule are denied.

User-to-Internet flow > Protocol: Protocol of the packets that can match the ACL rule.

User-to-Internet flow > Source IP: Source IP address of the packets that can match the ACL rule.

User-to-Internet flow > Source Port: Source port number of the packets that can match the ACL rule.

User-to-Internet flow > Destination IP: Destination IP address of the packets that can match the ACL rule.

User-to-Internet flow > Destination Port: Destination port number of the packets that can match the ACL rule.

IPS policies > Enable IPS: Whether to enable an Intrusion Prevention System (IPS) policy.

IPS policies > Security configuration files: By default, the Agile Controller-Campus provides multiple security configuration files for different application scenarios. The default security configuration files can be viewed or referenced by security policies. The following security configuration files are supported:
l strict: It contains all signatures and the action is
block. It applies to all protocols and intrusion
categories. This security configuration file applies to
scenarios where all packets that match signatures
need to be blocked.
l web_server: It contains all signatures and the
default action is used. It applies to DNS, HTTP, and
FTP protocols, as well as all intrusion categories.
This security configuration file applies to scenarios
where the device is deployed in front of a web
server.
l file_server: It contains all signatures and the default
action is used. It applies to the DNS, SMB,
NetBIOS, NFS, SunRPC, MSRPC, File, and Telnet
protocols, as well as all intrusion categories. This
security configuration file applies to scenarios where
the device is deployed in front of a file server.
l dns_server: It contains all signatures and the default
action is used. It applies to the DNS protocol and all
intrusion categories. This security configuration file
applies to scenarios where the device is deployed in
front of a DNS server.
l mail_server: It contains all signatures and the
default action is used. It applies to DNS, IMAP4,
SMTP, and POP3 protocols, as well as all intrusion
categories. This security configuration file applies to
scenarios where the device is deployed in front of a
mail server.
l inside_firewall: It contains all signatures and the
default action is used. It applies to all protocols and
intrusion categories. This security configuration file
applies to scenarios where the device is deployed
inside a firewall.
l dmz: It contains all signatures and the default action
is used. It applies to all protocols except NetBIOS,
NFS, SMB, Telnet, and TFTP, as well as all intrusion
categories. This security configuration file applies to
scenarios where the device is deployed in front of
the DMZ.
l outside_firewall: It contains all signatures and the default action is used. It applies to all protocols and intrusion categories except Scanner. This security configuration file applies to scenarios where the device is deployed outside a firewall.
l default: It contains all signatures and the default
action is used. It applies to all protocols and
intrusion categories. This security configuration file
applies to scenarios where the device is deployed in
IPS (in-line) mode.
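The firewall behaviour the table above describes (inbound default deny with permit-flow rules, outbound default permit with deny-flow rules, priority-ordered rule matching, and an ASPF temporary ACL entry for an FTP data connection), as an added Python example; it is not code from this guide or from the CPE. The addresses, rules, sample packets and the FTP PORT command are constructed. That a lower priority value is matched first, and that temporary entries are keyed on protocol, addresses and destination port and never age out, are assumptions of the example, not documented device behaviour.

```python
"""Zone-based packet filter with default actions, priority-ordered ACL rules and
an ASPF-style temporary ACL (TACL) entry for active-mode FTP return traffic.

Added example, not code from the Huawei SD-WAN guide or the CPE. Addresses,
rules, packets and the PORT command are constructed; rule ordering (lower
priority value first) and the non-expiring TACL entries are assumptions.
"""
from dataclasses import dataclass
import ipaddress
import re


@dataclass(frozen=True)
class Packet:
    direction: str      # "inbound" (Internet-to-User) or "outbound" (User-to-Internet)
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    priority: int       # assumption: lower value is matched first
    action: str         # "permit" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    sport: int = 0      # 0 means any port
    dport: int = 0

    def matches(self, p):
        return (self.proto in ("any", p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.sport in (0, p.sport)
                and self.dport in (0, p.dport))


class Firewall:
    # Default actions as documented: inbound rejected, outbound allowed.
    DEFAULTS = {"inbound": "deny", "outbound": "permit"}
    FTP_CONTROL_PORT = 21
    PORT_CMD = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

    def __init__(self, inbound_rules=(), outbound_rules=(), defaults=None):
        self.rules = {
            "inbound": sorted(inbound_rules, key=lambda r: r.priority),
            "outbound": sorted(outbound_rules, key=lambda r: r.priority),
        }
        self.defaults = dict(self.DEFAULTS, **(defaults or {}))
        self.tacl = set()   # temporary entries: (proto, src, dst, dport)

    def _aspf_inspect(self, p):
        """Active-mode FTP: the client announces the address/port it listens on;
        open a temporary inbound entry for the server's data connection to it."""
        if p.direction == "outbound" and p.proto == "tcp" and p.dport == self.FTP_CONTROL_PORT:
            m = self.PORT_CMD.search(p.payload)
            if m:
                a, b, c, d, hi, lo = (int(x) for x in m.groups())
                self.tacl.add(("tcp", p.dst, f"{a}.{b}.{c}.{d}", hi * 256 + lo))

    def filter(self, p):
        """Return 'permit' or 'deny' for a packet and record any ASPF state."""
        if p.direction == "inbound" and (p.proto, p.src, p.dst, p.dport) in self.tacl:
            return "permit"                   # TACL channel opened by ASPF
        for r in self.rules[p.direction]:
            if r.matches(p):
                verdict = r.action
                break
        else:
            verdict = self.defaults[p.direction]
        if verdict == "permit":
            self._aspf_inspect(p)
        return verdict


def demo():
    """Constructed packets run through a firewall using the guide's default actions."""
    fw = Firewall(
        inbound_rules=[
            Rule(priority=10, action="permit", proto="tcp", dst="192.168.1.0/24", dport=443),
            Rule(priority=5, action="deny", proto="tcp", src="198.51.100.0/24"),
        ],
        outbound_rules=[Rule(priority=10, action="deny", proto="tcp", dport=23)],
    )
    packets = [
        Packet("inbound", "tcp", "203.0.113.5", "192.168.1.10", 51000, 443),      # permit-flow rule
        Packet("inbound", "tcp", "198.51.100.7", "192.168.1.10", 51001, 443),     # higher-priority deny
        Packet("inbound", "udp", "203.0.113.5", "192.168.1.10", 51002, 53),       # inbound default deny
        Packet("outbound", "tcp", "192.168.1.20", "203.0.113.9", 40000, 23),      # deny-flow rule
        Packet("outbound", "tcp", "192.168.1.20", "203.0.113.10", 40001, 21,
               b"PORT 192,168,1,20,195,81\r\n"),                                  # FTP control, ASPF
        Packet("inbound", "tcp", "203.0.113.10", "192.168.1.20", 20, 50001),      # data connection, TACL
        Packet("inbound", "tcp", "203.0.113.10", "192.168.1.21", 20, 50001),      # wrong client, deny
    ]
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    print(demo())
```

The second packet shows why rule priority matters: both the deny rule for 198.51.100.0/24 and the permit rule for port 443 match it, and only the one evaluated first decides. The last two packets show the ASPF effect: the data connection back to the exact client address and port announced in the PORT command is accepted although no inbound permit-flow rule allows it, while the same connection to a different host still falls through to the inbound default deny.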

1.8.5.7 (Optional) Checking Policy Tasks


After a policy is committed, a policy task is added. You can use the policy task check function
to check the execution status of each policy.

Context
The function can query at most 1000 policy tasks under each tenant and only tasks generated
within one month can be checked.

Prerequisites
One or more of the following policies have been configured and the Commit operation has
been performed on the policies:
l ACL policy of the underlay network. For details, see 1.8.5.5.1 Creating an ACL Policy
for the Underlay Network.
l Traffic policy of the overlay network. For details, see 1.8.5.5 Configuring a Traffic
Policy.
l Security policy. For details, see 1.8.5.6.1 Creating a Network Security Policy.

Procedure
Step 1 Choose Maintenance > Task Management from the main menu.

Step 2 On the Task Management page, check the status of a committed policy.

Step 3 Click the details icon of a task to check the details of the policy in the task.

----End

Follow-up Procedure

Table 1-88 Follow-up procedure of policy tasks


Function: Delete a task
Operation scenario and constraint: If a task that has been canceled or finished (namely, a task with Cancel or Finished displayed in the Execute Status column) does not need to be displayed on the task management page, you can perform the Delete operation. The Delete operation only deletes the task from the Agile Controller-Campus but does not delete the task data from devices. After you delete a policy task, only the data in the Execute Status column on the Task Management page is changed; the status on the policy page is not affected.
Procedure: In the Operation column, click the delete icon.

Function: Cancel a task
Operation scenario and constraint: If a task that has not been executed (namely, a task with To be committed, Processing, or Failed displayed in the Execute Status column) does not need to be delivered, you can perform the Cancel operation. The Cancel operation only cancels the task on the Agile Controller-Campus but does not cancel the task data on devices. After you cancel a policy task, Status of the policy restores to the status before the policy was committed, for example, Creation to be committed or Modification to be committed.
Procedure: In the Operation column, click the cancel icon.

Parameter Description

Table 1-89 Parameters on the Task Management page


Parameter Description

Task Name: Task name. After you click Commit for a policy, a new task is added on the task management page. Task Name is automatically generated.

Object: Name of the policy department and policy type mapping the task.

Creator: Name of the tenant that creates the policy.

Creation Time: Time when the policy is submitted.

Effective Time: When submitting a policy, if you set Effective Time to Immediately, the value of this parameter is the same as the policy creation time. If you set Effective Time to Schedule, the value of this parameter is the specified time for the policy to take effect.

Status: Task execution status. The options are as follows:
l To be committed: The Commit operation has been performed for a policy but the policy has not been executed.
l Finished: The Commit operation has been performed for a policy and the policy has been executed.
l Cancel: The Cancel operation has been performed for a policy in To be committed state.

Operation: Task operation. You can perform the following operations for a task.
l View details: Check the configuration details of the policy.
l Cancel: Cancel policy delivery to devices. The Cancel operation can be performed only for tasks whose Execute Status is To be committed.
l Delete: Delete a task that has been cancelled or finished. A deleted task is no longer displayed on the task management page. The Delete operation can be performed only when Execute Status is Cancel or Finished.

1.8.5.8 Checking the Policy Deployment Result

Context
During some operations for site deployment, network deployment, policy deployment, and
maintenance, the Agile Controller-Campus needs to deliver configurations to sites. The Agile
Controller-Campus needs to generate configurations before delivering them to devices.

Prerequisites
One or more of the following policies have been configured:
l ACL policy of the underlay network. For details, see 1.8.5.5.1 Creating an ACL Policy
for the Underlay Network.
l Traffic policy of the overlay network. For details, see 1.8.5.5 Configuring a Traffic
Policy.
l Security policy. For details, see 1.8.5.6.1 Creating a Network Security Policy.
l Internet access policy of sites. For details, see 1.8.5.3 Configuring an Internet Access
Policy for a Site.
l Policy for mutual access between traditional sites. For details, see 1.8.5.4 Configuring a
Mutual-Access Policy for Traditional Sites.

Procedure
Step 1 Choose Maintenance > Provisioning Result > Generate Configuration.
Step 2 Check whether the configurations are generated successfully.
If Succeeded is displayed in the Status column for all records, the policy configurations are
generated successfully. You can check the status by operation.

NOTE

Only after successfully generating configurations, the Agile Controller-Campus can deliver the
configurations to devices.

Step 3 Click the Maintenance > Provisioning Result > Deploy to Device tab and then the By
Policy Type tab to check whether policies are successfully delivered to devices.

1. In the navigation tree on the left, click the policy that you want to check.
2. In the area on the right, check the deployment result of the policy. If Succeeded is
displayed in the Status column for all records, the policy is deployed successfully.
If you open a specific record, the command line view of the configuration is displayed in
the Feature column.
If Succeeded is not displayed in the Status column, you are advised to perform
operations according to "Service Configuration Delivery Fails (SD-WAN)" in the
Troubleshooting Guide.

NOTE

After a policy is configured, the Agile Controller-Campus delivers the policy configuration data to
CPEs. If the network flaps during the configuration data delivery, data loss may occur on the
delivered configuration. In this case, you are advised to click Redeploy to re-deliver the
configuration data to the CPEs.

----End

2 Typical Configuration Examples

2.1 Building an SD-WAN Network

2.1.1 Introduction to Building an SD-WAN Network


An SD-WAN network is designed based on the customer's network environment, service and
networking scenarios, site scale, and service requirements. Network configurations are
delivered through the Agile Controller-Campus, and site deployment is completed at the site.
Figure 2-1 shows the procedure of configuring an SD-WAN network on the Agile Controller-
Campus and deploying a site. For the detailed procedure, see section 2.1.14.1 Example for
Building an SD-WAN Network for an Enterprise Tenant.

Figure 2-1 SD-WAN network configuration procedure


The procedure of configuring a new SD-WAN network consists of multiple steps, each of
which consists of a set of configurations. Typical configuration examples for each step are
provided in this chapter. Based on these examples, an SD-WAN network can be configured to
fulfill different networking and service requirements.
Table 2-1 illustrates eight typical networking scenarios and provides configuration examples
for each step. The following describes each of the scenarios:
l Scenario 1: The WAN-side enterprise networks are a Layer 3 MPLS network and the
Internet. BGP is used for WAN-side routing in the underlay network. Only one hub site
is deployed, and branch sites access the Internet in centralized mode through LAN-side
links of the hub site.
l Scenario 2: The WAN-side enterprise networks are a Layer 3 MPLS network and the
Internet. BGP is used for WAN-side routing in the underlay network. Only one hub site
is deployed, and branch sites centrally access the Internet through WAN-side links of the
hub site.
l Scenario 3: The WAN-side enterprise networks are a Layer 3 MPLS network and the
Internet. BGP is used for WAN-side routing in the underlay network. An active hub site
and a standby hub site are deployed, and branch sites centrally access the Internet
through LAN-side links of the hub sites.
l Scenario 4: The WAN-side enterprise network is a Layer 3 MPLS network. BGP is used
for WAN-side routing in the underlay network. An active hub site and a standby hub site
are deployed, and branch sites centrally access the Internet through LAN-side links of
the hub sites.
l Scenario 5: The WAN-side enterprise networks are a Layer 2 MPLS network and the
Internet. OSPF is used for WAN-side routing in the MPLS underlay network, and BGP is
used for WAN-side routing in the Internet underlay network. An active hub site and a
standby hub site are deployed, and branch sites centrally access the Internet through
LAN-side links of the hub sites.
l Scenario 6: The WAN-side enterprise network is a Layer 2 MPLS network. OSPF is used
for WAN-side routing in the underlay network. An active hub site and a standby hub site
are deployed, and branch sites centrally access the Internet through LAN-side links of
the hub sites.
l Scenario 7: The WAN-side enterprise networks are a Layer 3 MPLS network and the
Internet. BGP is used for WAN-side routing in the MPLS underlay network, and static
routes are used for WAN-side routing in the Internet underlay network. An active hub site
and a standby hub site are deployed, and branch sites centrally access the Internet
through LAN-side links of the hub sites.
l Scenario 8: The WAN-side enterprise network is a Layer 3 MPLS network. An active
hub site and a standby hub site are deployed. BGP is used for WAN-side routing in the
underlay network. Two departments need to be configured for the enterprise, and
network services of the two departments need to be deployed independently without
affecting each other. Branch sites centrally access the Internet through LAN-side links of
the hub sites.

Table 2-1 Configurations in typical scenarios


Configurati Scenario Scenar Scena Sce Scenar Scen Sce Scena
on 1 io 2 rio 3 nari io 5 ario nari rio 8
Procedure o4 6 o7

Step Create 2.1.2.1 2.1.2.2 2.1.2.3 2.1.2 2.1.2.4 2.1.2. 2.1.2 2.1.2.5
1 SD- Single- Single- Dual- .5 Dual- 6 .3 Dual-
WAN Hub and Hub Hub Dua Hub Dual- Dua Hub
sites Single- and Netwo l- Networ Hub l- Netwo
and CPE Dual- rking Hub king Netw Hub rking
config Networki CPE with Net with orkin Net with
ure ng with Networ Layer wor Layer g wor Layer
ZTP. Layer 3 king 3 king 2 with king 3
MPLS with MPLS with MPLS Laye with MPLS
and Layer and Lay and r2 Lay Uplin
Internet 3 Intern er 3 Interne MPL er 3 ks
Uplinks MPLS et MP t S MP
and Uplin LS Uplink Uplin LS
Interne ks Upli s ks and
t nks Inte
Uplink rnet
s Upli
nks

Step Config 2.1.3.1 2.1.3.1 2.1.3.1 2.1.3 2.1.3.4 2.1.3. 2.1.3 2.1.3.1
2 ure Configuri Config Confi .1 Config 3 .2 Confi
WAN- ng BGP uring gurin Con uring Confi Con gurin
side Routes BGP g figu OSPF gurin figu g
routin Routes BGP ring and g ring BGP
g in Route BG BGP OSP BG Route
the s P Routes F P s
underl Rou Rout and
ay tes es Stati
networ c
k of Rou
sites. tes

Step (Optio - - - - - - - 2.1.4.1


3 nal) Confi
Config gurin
ure g
multip Multi
le ple
VPNs. VPNs

Issue 01 (2019-03-13) Copyright © Huawei Technologies Co., Ltd. 349


SD-WAN
Configuration Guide 2 Typical Configuration Examples

Configuration Procedure, Scenario 1 to Scenario 8 (continued)

Step 4: Configure LAN-side interfaces on the overlay network of sites.
  Scenario 1: 2.1.5.1 Configuring Interconnection Between VLANs and LAN-side Networks
  Scenario 2: 2.1.5.2 Configuring Interconnection Between VLANs and LAN-side Networks and Configuring a VRRP Group
  Scenario 3: 2.1.5.2 Configuring Interconnection Between VLANs and LAN-side Networks and Configuring a VRRP Group
  Scenario 4: 2.1.5.1 Configuring Interconnection Between VLANs and LAN-side Networks
  Scenario 5: 2.1.5.2 Configuring Interconnection Between VLANs and LAN-side Networks and Configuring a VRRP Group
  Scenario 6: 2.1.5.1 Configuring Interconnection Between VLANs and LAN-side Networks
  Scenario 7: 2.1.5.2 Configuring Interconnection Between VLANs and LAN-side Networks and Configuring a VRRP Group
  Scenario 8: 2.1.5.2 Configuring Interconnection Between VLANs and LAN-side Networks and Configuring a VRRP Group

Step 5: Configure LAN-side routing for the overlay network of sites.
  Scenario 1: 2.1.6.1 Configuring LAN-side OSPF Routes
  Scenario 2: 2.1.6.1 Configuring LAN-side OSPF Routes
  Scenario 3: 2.1.6.2 Configuring LAN-side BGP and OSPF Routes
  Scenario 4: 2.1.6.2 Configuring LAN-side BGP and OSPF Routes
  Scenario 5: 2.1.6.2 Configuring LAN-side BGP and OSPF Routes
  Scenario 6: 2.1.6.2 Configuring LAN-side BGP and OSPF Routes
  Scenario 7: 2.1.6.2 Configuring LAN-side BGP and OSPF Routes
  Scenario 8: 2.1.6.2 Configuring LAN-side BGP and OSPF Routes
Step 6: (Optional) Configure WAN-side routing for the overlay network of sites.
  Scenarios 1 and 2: -
  Scenario 3: 2.1.7.1 Configuring WAN-side Static Routes
  Scenarios 4 to 8: -

Step 7: (Optional) Configure intelligent traffic steering.
  Scenarios 1 to 8: 2.1.8.1 Configuring Intelligent Traffic Steering for Services
Configure a site-to-Internet policy.
  Scenario 1: 2.1.9.1 Configuring Centralized Internet Access Through LAN-side Internet Links of Hubs
  Scenario 2: 2.1.9.2 Configuring Centralized Internet Access Through WAN-side Internet Links of Hubs and LAN-side Links of Hubs
  Scenario 3: 2.1.9.3 Configuring Hybrid Internet Access Through Local Internet Links and LAN-side Links of Hubs
  Scenario 4: 2.1.9.1 Configuring Centralized Internet Access Through LAN-side Internet Links of Hubs
  Scenario 5: 2.1.9.1 Configuring Centralized Internet Access Through LAN-side Internet Links of Hubs
  Scenario 6: 2.1.9.1 Configuring Centralized Internet Access Through LAN-side Internet Links of Hubs
  Scenario 7: 2.1.9.2 Configuring Centralized Internet Access Through WAN-side Internet Links of Hubs and LAN-side Links of Hubs
  Scenario 8: 2.1.9.1 Configuring Centralized Internet Access Through LAN-side Internet Links of Hubs
Configure a site-to-legacy site policy.
  Scenario 1: 2.1.10.1 Configuring Communication Between SD-WAN Sites and Legacy Sites in Centralized Access Mode
  Scenario 2: 2.1.10.1 Configuring Communication Between SD-WAN Sites and Legacy Sites in Centralized Access Mode
  Scenario 3: 2.1.10.3 Configuring Communication Between SD-WAN Sites and Legacy Sites in Hybrid Access Mode
  Scenario 4: 2.1.10.1 Configuring Communication Between SD-WAN Sites and Legacy Sites in Centralized Access Mode
  Scenario 5: 2.1.10.1 Configuring Communication Between SD-WAN Sites and Legacy Sites in Centralized Access Mode
  Scenario 6: 2.1.10.1 Configuring Communication Between SD-WAN Sites and Legacy Sites in Centralized Access Mode
  Scenario 7: 2.1.10.1 Configuring Communication Between SD-WAN Sites and Legacy Sites in Centralized Access Mode
  Scenario 8: 2.1.10.1 Configuring Communication Between SD-WAN Sites and Legacy Sites in Centralized Access Mode
(Optional) Configure a QoS policy.
  Scenarios 1 to 8: 2.1.11.1 Configuring Preferential Transmission of HTTP Services from Branch Sites to Hub Sites

(Optional) Configure an ACL policy (overlay network).
  Scenarios 1 to 8: 2.1.12.1 Forbidding Access to YouTube During Working Hours
(Optional) Configure a security policy.
  Scenarios 1 to 8: 2.1.13.1 Configuring a Security Policy for Hub Sites

Step 8: Deploy sites.
  Scenarios 1 to 8: 2.2.2 Email-based Deployment

2.1.2 Creating SD-WAN Sites and Configuring ZTP

2.1.2.1 Single-Hub and Single-CPE Networking with Layer 3 MPLS and Internet
Uplinks

Related Products
Agile Controller-Campus: V300R003C00
AR: V300R003C00

Networking Requirements
Enterprise A is a small-sized enterprise with a headquarters and several branches. An SD-
WAN network needs to be constructed to replace the traditional enterprise network, and the
available WAN links are Layer 3 MPLS links and Internet links. However, some branches can
only use the traditional enterprise network where WAN-side links are MPLS links. As a
result, these sites cannot be integrated into the SD-WAN network.

Solution Design

Figure 2-2 Enterprise networking

Based on customer requirements and the networking plan, perform the following tasks:

1. Create an SD-WAN network with one hub site and multiple branch sites. The following
example creates an SD-WAN network with two branch sites, Site2 and Site3. The legacy
site, Site1, is not managed by the Agile Controller-Campus. Therefore, it does not need
to be created on the Agile Controller-Campus.
2. At the hub site, Site2 and Site3, one CPE is deployed as the gateway. Each CPE connects
to the MPLS network and to the Internet through one WAN link each. The Internet link at
Site2 obtains a dynamic IP address through Point-to-Point Protocol over Ethernet
(PPPoE), whereas the other links are configured with static IP addresses.
3. The Network Time Protocol (NTP) clock synchronization mechanism is used to
synchronize clocks on devices. The hub site has NTP clock synchronization configured
to synchronize its clock with that of the NTP server, whereas branch sites synchronize
their clocks with that of the hub site.

Data Plan

Table 2-2 Tenant information


Item Value

Tenant Name TenantA

Account TenantA@test.com

Password PassA@1234

Table 2-3 Global network parameters


Item Value

Transport Network MPLS Internet

Routing Domain MPLS Internet

IPSec Encryption OFF ON

Encryption algorithm AES256

Pre-shared key Generate

URL encryption key 123456

Token validity period (day) 7

AS number 65001

Network scale (based CPEs) 500

IP pool 10.200.0.0/16

DNS Server IP 8.8.8.8

Table 2-4 Information about devices


Device ESN Device Name Device Model

2102114484P0GC000030 Hub1_1 AR3670

2102351BTJ10H1000020 Site2_1 AR161EW

2102351BTJ10H1000021 Site3_1 AR161EW

Table 2-5 Site template

Item               Value
Template name      Hub                          Branch
Description        -                            -
Gateway            Single Gateway               Single Gateway
WAN Link Name      MPLS          Internet       MPLS          Internet
Device             Device1       Device1        Device1       Device1
Interface          GE3/0/0       GE3/0/1        GE0/0/0       GE0/0/4
Transport Network  MPLS          Internet       MPLS          Internet
Role               Active        Active         Active        Active

Table 2-6 ZTP configurations at sites

Item                       Value
Site                       Hub1                           Site2                          Site3
Site template              Hub                            Branch                         Branch
Link name                  MPLS           Internet       MPLS           Internet       MPLS           Internet
Interface protocol         IPoE           IPoE           IPoE           PPPoE          IPoE           IPoE
IP address access mode     Static         Static         Static         -              Static         Static
IP address/Subnet mask     172.16.1.1/30  10.100.1.1/30  172.16.1.9/30  -              172.16.1.13/30 10.100.2.1/30
Default gateway            172.16.1.2     10.100.1.2     172.16.1.10    -              172.16.1.14    10.100.2.2
PPPoE User name            -              -              -              user@web.com   -              -
PPPoE Password             -              -              -              Pass1234       -              -
Public IP                  172.16.1.1     10.100.1.1     -              -              -              -
Negotiation mode           Auto           Auto           Auto           Auto           Auto           Auto
Uplink bandwidth (Mbps)    100            100            100            100            100            100
Downlink bandwidth (Mbps)  100            100            100            100            100            100

Table 2-7 NTP information at hub site


Item Value

Time zone (UTC+08:00)Beijing,Chongqing,Hong Kong,Urumqi

NTP authentication ON

Authentication password ntp123

Authentication key id 456789

NTP client mode Manual Configuration

Device Hub1_1 Hub1_1

WAN Link MPLS Internet

NTP Server Address 10.10.1.1 10.10.1.1

Authentication OFF OFF

Table 2-8 NTP information about branch sites


Item Value

Time zone (UTC+08:00)Beijing,Chongqing,Hong Kong,Urumqi

NTP authentication OFF

NTP client mode Automatic Synchronization with Parent Node

Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.

Step 2 Set global network parameters.


1. Choose Configuration > Global Parameters.

2. Retain the system defaults MPLS and Internet for the transport network. No additional
configuration is required.
3. Set IPSec encryption parameters.
Select Encryption algorithm and click Generate. A PSK is generated.

4. Configure device activation security.


Enter a URL encryption key, and set Token validity period.

5. Click Apply Changes.


6. Click Virtual Network. The Virtual Network page is displayed.
7. Configure a route.
Enter the AS number of the BGP route. The default value is 65001.

8. Select the number of sites and add an address pool.


9. Add the DNS server IP address.

10. Click Apply Changes.


Step 3 Add devices in batches based on ESNs.

1. Choose Device Management > Device List. The Device List page is displayed.
2. Click Add Device and set Addition method to Batch import.
3. Click Template to download the template file.
4. Fill in the template with required information and save the file.

5. Click , select the configured template file, and click Upload.


6. Confirm the imported data, select the data to be created for CPEs, and click OK.

Step 4 Create two site templates, one for the hub site and one for the branch sites.
1. Choose Configuration > Site > Template. On the Site Template page that is displayed,
click Create.
2. Enter the template information and click OK.
l Hub site template

l Branch site template

Step 5 Create a hub site and two branch sites.


1. Choose Configuration > Site.

2. On the Site page that is displayed, click Create. Set Creation mode to Single.
3. Enter the site information, and select the site template configured in the previous step.
For a branch site, you need to select the hub site to which it connects.
4. Under Add Device, select the devices added in the previous step.
5. Click OK.
l Hub site

l Branch sites

Step 6 Configure ZTP for sites.


1. Configure WAN links for the hub site.
a. Choose Configuration > Site > ZTP Configuration. The ZTP Configuration
page is displayed.
b. In the Not Activated list, click the created site. The WAN Link page displays link
information.

c. Click in the Operation column.


d. In the Set WAN Link dialog box that is displayed, configure WAN link parameters
of the site.
e. Click Apply Changes to complete the WAN link configuration.


2. Configure NTP for the hub site.


a. Click NTP.
b. On the NTP page that is displayed, select a time zone. Enter the NTP information
and click Apply Changes to complete the NTP configuration.

3. Configure WAN links for the branch sites.


Perform the same operations as those for the hub sites to configure WAN link parameters
for the branch sites and click Apply Changes.
– WAN link configuration for Site2


– WAN link configuration for Site3


4. Configure NTP for the branch sites.


a. On the NTP page that is displayed, select a time zone.
b. Set NTP client mode to Automatic Synchronization with Parent Node.
c. Click Apply Changes.

----End

2.1.2.2 Single-Hub and Dual-CPE Networking with Layer 3 MPLS and Internet
Uplinks

Related Products
Agile Controller-Campus: V300R003C00
AR: V300R003C00

Networking Requirements
Enterprise A has a headquarters and several branches. An SD-WAN network needs to be
constructed to replace the traditional enterprise network, and the available WAN links are
Layer 3 MPLS links and Internet links. However, some branches can only use the traditional
enterprise network where WAN-side links are MPLS links. As a result, these sites cannot be
integrated into the SD-WAN network.

Solution Design

Figure 2-3 Enterprise networking

Based on customer requirements and the networking plan, perform the following tasks:
1. Create an SD-WAN network with one hub site and multiple branch sites. The following
example creates an SD-WAN network with two branch sites, Site2 and Site3. The legacy
site, Site1, is not managed by the Agile Controller-Campus. Therefore, it does not need
to be created on the Agile Controller-Campus.
2. At the hub site and Site3, high reliability is required. To ensure this, two CPEs are
deployed as gateways. One CPE connects to the MPLS network through a WAN link,
and the other CPE connects to the Internet through a WAN link. At Site2, one CPE is
deployed as the gateway. It connects to the MPLS and Internet networks each through

one WAN link. The Internet link at Site2 obtains a dynamic IP address through PPPoE,
whereas other links are configured with static IP addresses.
3. The NTP clock synchronization mechanism is used to synchronize clocks on devices.
The hub site has NTP clock synchronization configured to synchronize its clock with
that of the NTP server, whereas branch sites synchronize their clocks with that of the hub
site.

Data Plan

Table 2-9 Tenant information

Item Value

Tenant Name TenantA

Account TenantA@test.com

Password PassA@1234

Table 2-10 Global network parameters

Item Value

Transport Network MPLS Internet

Routing Domain MPLS Internet

IPSec Encryption OFF ON

Encryption algorithm AES256

Pre-shared key Generate

URL encryption key 123456

Token validity period (day) 7

AS number 65001

Network scale (based CPEs) 500

IP pool 10.200.0.0/16

DNS Server IP 8.8.8.8

Table 2-11 Information about devices

Device ESN Device Name Device Model

2102114484P0GC000130 Hub1_1 AR3670

2102114484P0GC000131 Hub1_2 AR3670


2102351BTJ10H1000120 Site2_1 AR161EW

2102351BTJ10H1000121 Site3_1 AR161EW

2102351BTJ10H1000122 Site3_2 AR161EW

Table 2-12 Site template

Item                 Value
Template name        Hub                          Branch1                      Branch2
Description          -                            -                            -
Gateway              Dual Gateways                Single Gateway               Dual Gateways
WAN Link Name        MPLS          Internet       MPLS          Internet       MPLS          Internet
Device               Device1       Device2        Device1       Device1        Device1       Device2
Interface            GE3/0/0       GE3/0/0        GE0/0/0       GE0/0/4        GE0/0/4       GE0/0/4
Transport Network    MPLS          Internet       MPLS          Internet       MPLS          Internet
Role                 Active        Active         Active        Active         Active        Active
Inter-CPE Link
  Reuse LAN-side
  L2 interface       OFF                          -                            OFF
  Device1 Interface  GE3/0/1       GE3/0/2        -             -              GE0/0/1       GE0/0/2
  Device2 Interface  GE3/0/1       GE3/0/2        -             -              GE0/0/1       GE0/0/2

Table 2-13 ZTP configurations at sites

Item                       Value
Site                       Hub1                           Site2                          Site3
Site template              Hub                            Branch1                        Branch2
Link name                  MPLS           Internet       MPLS           Internet       MPLS           Internet
Interface protocol         IPoE           IPoE           IPoE           PPPoE          IPoE           IPoE
IP address access mode     Static         Static         Static         -              Static         Static
IP address/Subnet mask     172.16.1.1/30  10.100.1.1/30  172.16.1.9/30  -              172.16.1.13/30 10.100.2.1/30
Default gateway            172.16.1.2     10.100.1.2     172.16.1.10    -              172.16.1.14    10.100.2.2
PPPoE User name            -              -              -              user@web.com   -              -
PPPoE Password             -              -              -              Pass1234       -              -
Public IP                  172.16.1.1     10.100.1.1     -              -              -              -
Negotiation mode           Auto           Auto           Auto           Auto           Auto           Auto
Uplink bandwidth (Mbps)    100            100            100            100            100            100
Downlink bandwidth (Mbps)  100            100            100            100            100            100

Table 2-14 NTP information at hub site

Item                     Value
Time zone                (UTC+08:00)Beijing,Chongqing,Hong Kong,Urumqi
NTP authentication       ON
Authentication password  ntp123
Authentication key id    456789
NTP client mode          Manual Configuration
Device                   Hub1_1       Hub1_2
WAN Link                 MPLS         Internet
NTP Server Address       10.10.1.1    10.10.1.1
Authentication           OFF          OFF

Table 2-15 NTP information about branch sites

Item                     Value
Time zone                (UTC+08:00)Beijing,Chongqing,Hong Kong,Urumqi
NTP authentication       OFF
NTP client mode          Automatic Synchronization with Parent Node

Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.

Step 2 Set global network parameters.


1. Choose Configuration > Global Parameters.
2. Retain the system defaults MPLS and Internet for the transport network. No additional
configuration is required.
3. Set IPSec encryption parameters.
Select Encryption algorithm and click Generate. A PSK is generated.

4. Configure device activation security.


Enter a URL encryption key, and set Token validity period.

5. Click Apply Changes.


6. Click Virtual Network. The Virtual Network page is displayed.
7. Configure a route.
Enter the AS number of the BGP route. The default value is 65001.

8. Select the number of sites and add an address pool.


9. Add the DNS server IP address.

10. Click Apply Changes.


Step 3 Add devices in batches based on ESNs.
1. Choose Device Management > Device List. The Device List page is displayed.
2. Click Add Device and set Addition method to Batch import.
3. Click Template to download the template file.
4. Fill in the template with required information and save the file.

5. Click , select the configured template file, and click Upload.


6. Confirm the imported data, select the data to be created for CPEs, and click OK.

Step 4 Create two site templates, one for the hub site and one for the branch sites.
1. Choose Configuration > Site > Template. On the Site Template page that is displayed,
click Create.
2. Enter the template information and click OK.
l Hub site template

l Branch site template

Step 5 Create a hub site and two branch sites.


1. Choose Configuration > Site.
2. On the Site page that is displayed, click Create. Set Creation mode to Single.

3. Enter the site information, and select the site template configured in the previous step.
For a branch site, you need to select the hub site to which it connects.
4. Under Add Device, select the devices added in the previous step.
5. Click OK.
l Hub site

l Branch sites

Step 6 Configure ZTP for sites.


1. Configure WAN links for the hub site.
a. Choose Configuration > Site > ZTP Configuration. The ZTP Configuration
page is displayed.
b. In the Not Activated list, click the created site. The WAN Link page displays link
information.

c. Click in the Operation column.


d. In the Set WAN Link dialog box that is displayed, configure WAN link parameters
of the site.
e. Click Apply Changes to complete the WAN link configuration.

2. Configure NTP for the hub site.


a. Click NTP.
b. On the NTP page that is displayed, select a time zone. Enter the NTP information
and click Apply Changes to complete the NTP configuration.

3. Configure WAN links for the branch sites.


Perform the same operations as those for the hub sites to configure WAN link parameters
for the branch sites and click Apply Changes.
– WAN link configuration for Site2


– WAN link configuration for Site3


4. Configure NTP for the branch sites.


a. On the NTP page that is displayed, select a time zone.
b. Set NTP client mode to Automatic Synchronization with Parent Node.
c. Click Apply Changes.

----End

2.1.2.3 Dual-Hub Networking with Layer 3 MPLS and Internet Uplinks

Related Products
Agile Controller-Campus: V300R003C00

AR: V300R003C00

Networking Requirements
Enterprise A has a headquarters and several branches. An SD-WAN network needs to be
constructed to replace the traditional enterprise network, and the available WAN links are
Layer 3 MPLS links and Internet links. To improve reliability, a standby hub site needs to be
created at the headquarters. If a fault occurs at the headquarters' active hub site, services can
be switched to the standby hub site, ensuring the normal operation of the entire network.

Solution Design

Figure 2-4 Enterprise networking

Based on customer requirements and the networking plan, perform the following tasks:

1. Create an SD-WAN network with an active hub site, a standby hub site and multiple
branch sites. The following example creates an SD-WAN network with three branch
sites: Site2, Site3, and Site4. The legacy site, Site1, is not managed by the Agile
Controller-Campus. Therefore, it does not need to be created on the Agile Controller-
Campus.
2. Two CPEs are deployed as gateways at both hub sites as well as at Site3. At each of
these three sites, one CPE connects to the MPLS network through a WAN link, and the
other CPE connects to the Internet through a WAN link. At Site2, one CPE is deployed
as the gateway and connects to the MPLS network through two WAN links. At Site4,
two CPEs are deployed as gateways and each CPE connects to the Internet through a
WAN link. The Internet link at Site3 obtains a dynamic IP address through PPPoE,
whereas other links are configured with static IP addresses.
3. The NTP clock synchronization mechanism is used to synchronize clocks on devices.
The hub sites have NTP clock synchronization configured to synchronize their clocks
with that of the NTP server, whereas branch sites synchronize their clocks with that of
the hub site.

Data Plan

Table 2-16 Tenant information


Item Value

Tenant Name TenantA

Account TenantA@test.com

Password PassA@1234

Table 2-17 Global network parameters

Item                         Value
Transport Network            MPLS1       Internet1   MPLS2       Internet2
Routing Domain               MPLS        Internet    MPLS        Internet
IPSec Encryption             OFF         ON          OFF         ON
Encryption algorithm         AES256
Pre-shared key               Generate
URL encryption key           123456
Token validity period (day)  7
AS number                    65001
Network scale (based CPEs)   500
IP pool                      10.200.0.0/16
DNS Server IP                8.8.8.8

Table 2-18 Information about devices

Device ESN             Device Name   Device Model
2102114484P0GC000230   Hub1_1        AR3670
2102114484P0GC000231   Hub1_2        AR3670
2102114484P0GC000232   Hub2_1        AR3670
2102114484P0GC000233   Hub2_2        AR3670
2102351BTJ10H1000220   Site2_1       AR161EW
2102351BTJ10H1000221   Site3_1       AR161EW
2102351BTJ10H1000222   Site3_2       AR161EW
2102351BTJ10H1000223   Site4_1       AR161EW
2102351BTJ10H1000224   Site4_2       AR161EW

Table 2-19 Site template

Item                 Value
Template name        Hub                          Branch1                      Branch2                      Branch3
Description          -                            -                            -                            -
Gateway              Dual Gateways                Single Gateway               Dual Gateways                Dual Gateways
WAN Link Name        MPLS1         Internet1      MPLS1         MPLS2          MPLS1         Internet1      Internet1     Internet2
Device               Device1       Device2        Device1       Device1        Device1       Device2        Device1       Device2
Interface            GE3/0/0       GE3/0/0        GE0/0/0       GE0/0/4        GE0/0/4       GE0/0/4        GE0/0/4       GE0/0/4
Transport Network    MPLS1         Internet1      MPLS1         MPLS2          MPLS1         Internet1      Internet1     Internet2
Role                 Active        Active         Active        Standby        Active        Active         Active        Active
Inter-CPE Link
  Reuse LAN-side
  L2 interface       OFF                          -                            OFF                          OFF
  Device1 Interface  GE3/0/1       GE3/0/2        -             -              GE0/0/1       GE0/0/2        GE0/0/1       GE0/0/2
  Device2 Interface  GE3/0/1       GE3/0/2        -             -              GE0/0/1       GE0/0/2        GE0/0/1       GE0/0/2

Table 2-20 ZTP configurations at sites

Item                       Value
Site                       Hub1                           Hub2                           Site2                          Site3                          Site4
Site template              Hub                            Hub                            Branch1                        Branch2                        Branch3
Link name                  MPLS1          Internet1      MPLS1          Internet1      MPLS1          MPLS2          MPLS1          Internet1      Internet1      Internet2
Interface protocol         IPoE           IPoE           IPoE           IPoE           IPoE           IPoE           IPoE           PPPoE          IPoE           IPoE
IP address access mode     Static         Static         Static         Static         Static         Static         Static         -              Static         Static
IP address/Subnet mask     172.16.1.1/30  10.100.1.1/30  172.16.2.1/30  10.100.2.1/30  172.16.4.1/30  172.16.5.1/30  172.16.6.1/30  -              10.100.3.1/30  10.100.4.1/30
Default gateway            172.16.1.2     10.100.1.2     172.16.2.2     10.100.2.2     172.16.4.2     172.16.5.2     172.16.6.2     -              10.100.3.2     10.100.4.2
PPPoE User name            -              -              -              -              -              -              -              user@web.com   -              -
PPPoE Password             -              -              -              -              -              -              -              Pass1234       -              -
Public IP                  172.16.1.1     10.100.1.1     172.16.2.1     10.100.2.1     -              -              -              -              -              -
Negotiation mode           Auto           Auto           Auto           Auto           Auto           Auto           Auto           Auto           Auto           Auto
Uplink bandwidth (Mbps)    100            100            100            100            100            100            100            100            100            100
Downlink bandwidth (Mbps)  100            100            100            100            100            100            100            100            100            100

Table 2-21 NTP information at hub sites


Item Value

Time zone (UTC+08:00)Beijing,Chongqing,Hong Kong,Urumqi

NTP authentication ON

Authentication password ntp123

Authentication key id 456789

NTP client mode Manual Configuration

Device                   Hub1_1       Hub1_2       Hub2_1       Hub2_2
WAN Link                 MPLS1        Internet1    MPLS1        Internet1
NTP Server Address       10.10.1.1    10.10.1.1    10.10.1.1    10.10.1.1
Authentication           OFF          OFF          OFF          OFF

Table 2-22 NTP information about branch sites


Item Value

Time zone (UTC+08:00)Beijing,Chongqing,Hong Kong,Urumqi

NTP authentication OFF

NTP client mode Automatic Synchronization with Parent Node
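
The ZTP data plans in this guide (Tables 2-6, 2-13 and 2-20, together with the transport networks in Tables 2-3, 2-10 and 2-17) follow a few rules that the tables state only implicitly: every static IPoE link has an address and a default gateway inside the same /30, a PPPoE link carries credentials instead of an address, the public IP of a hub link equals its interface address, no two links share a subnet, link subnets stay out of the overlay IP pool, and IPSec encryption is ON on every Internet transport and OFF on the private MPLS transports. Checking these rules before the values are typed into the ZTP Configuration page catches the most common plan errors early. The script below is an added example and is not code from the Huawei guide or from the Agile Controller-Campus; it embeds the rows of Table 2-20 and Table 2-17 as constructed data, and the names WanLink, validate_links and validate_transports are chosen for this example. The same checks apply unchanged to the single-hub plans in Tables 2-6 and 2-13.

```python
"""Consistency checks for an SD-WAN ZTP data plan.

Added example (not from the Huawei guide): the WAN links of Table 2-20 and the
transport networks of Table 2-17 are embedded as constructed data, and the
rules below are the ones those tables follow implicitly.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class WanLink:
    """One WAN link row of a ZTP configuration table (name chosen for this example)."""
    site: str
    name: str
    protocol: str                       # "IPoE" or "PPPoE"
    address: Optional[str] = None       # "a.b.c.d/len" for static IPoE links
    gateway: Optional[str] = None
    public_ip: Optional[str] = None
    pppoe_user: Optional[str] = None
    pppoe_password: Optional[str] = None


# Overlay address pool from Table 2-17 (also Tables 2-3 and 2-10).
IP_POOL = ipaddress.ip_network("10.200.0.0/16")

# Constructed from the rows of Table 2-20, values as printed in the guide.
TABLE_2_20 = [
    WanLink("Hub1", "MPLS1", "IPoE", "172.16.1.1/30", "172.16.1.2", "172.16.1.1"),
    WanLink("Hub1", "Internet1", "IPoE", "10.100.1.1/30", "10.100.1.2", "10.100.1.1"),
    WanLink("Hub2", "MPLS1", "IPoE", "172.16.2.1/30", "172.16.2.2", "172.16.2.1"),
    WanLink("Hub2", "Internet1", "IPoE", "10.100.2.1/30", "10.100.2.2", "10.100.2.1"),
    WanLink("Site2", "MPLS1", "IPoE", "172.16.4.1/30", "172.16.4.2"),
    WanLink("Site2", "MPLS2", "IPoE", "172.16.5.1/30", "172.16.5.2"),
    WanLink("Site3", "MPLS1", "IPoE", "172.16.6.1/30", "172.16.6.2"),
    WanLink("Site3", "Internet1", "PPPoE",
            pppoe_user="user@web.com", pppoe_password="Pass1234"),
    WanLink("Site4", "Internet1", "IPoE", "10.100.3.1/30", "10.100.3.2"),
    WanLink("Site4", "Internet2", "IPoE", "10.100.4.1/30", "10.100.4.2"),
]

# Constructed from Table 2-17: (transport network, routing domain, IPSec encryption).
TABLE_2_17 = [
    ("MPLS1", "MPLS", "OFF"),
    ("Internet1", "Internet", "ON"),
    ("MPLS2", "MPLS", "OFF"),
    ("Internet2", "Internet", "ON"),
]


def validate_links(links, ip_pool=IP_POOL):
    """Return a list of findings; an empty list means the link plan is consistent."""
    findings = []
    used_subnets = {}      # link subnet -> "site/link" that first used it
    used_addresses = {}    # interface address -> "site/link"
    for link in links:
        tag = f"{link.site}/{link.name}"
        if link.protocol == "PPPoE":
            # A PPPoE link is addressed by the provider; it needs credentials only.
            if not (link.pppoe_user and link.pppoe_password):
                findings.append(f"{tag}: PPPoE link without user name or password")
            if link.address or link.gateway:
                findings.append(f"{tag}: PPPoE link must not carry a static address")
            continue
        if link.protocol != "IPoE":
            findings.append(f"{tag}: unknown interface protocol {link.protocol!r}")
            continue
        if not (link.address and link.gateway):
            findings.append(f"{tag}: static IPoE link needs address/mask and default gateway")
            continue
        iface = ipaddress.ip_interface(link.address)
        gateway = ipaddress.ip_address(link.gateway)
        subnet = iface.network
        # The gateway must be the other host of the same link subnet.
        if gateway not in subnet or gateway == iface.ip:
            findings.append(f"{tag}: default gateway {gateway} is not a peer inside {subnet}")
        if link.public_ip and ipaddress.ip_address(link.public_ip) != iface.ip:
            findings.append(f"{tag}: public IP {link.public_ip} differs from interface address {iface.ip}")
        if subnet.overlaps(ip_pool):
            findings.append(f"{tag}: link subnet {subnet} overlaps the overlay IP pool {ip_pool}")
        for other, other_tag in used_subnets.items():
            if other.overlaps(subnet):
                findings.append(f"{tag}: subnet {subnet} overlaps {other} of {other_tag}")
        if iface.ip in used_addresses:
            findings.append(f"{tag}: address {iface.ip} already assigned to {used_addresses[iface.ip]}")
        used_subnets.setdefault(subnet, tag)
        used_addresses.setdefault(iface.ip, tag)
    return findings


def validate_transports(transports):
    """Flag any transport in the Internet routing domain whose IPSec encryption is not ON.

    Assumption drawn from Tables 2-3, 2-10 and 2-17: the plan encrypts every
    Internet transport and leaves the private MPLS transports unencrypted.
    """
    return [f"{name}: IPSec encryption is {enc} on an Internet transport"
            for name, domain, enc in transports
            if domain == "Internet" and enc != "ON"]


if __name__ == "__main__":
    for finding in validate_links(TABLE_2_20) + validate_transports(TABLE_2_17):
        print(finding)
    print("data plan checked")
```

Running the script against Table 2-20 and Table 2-17 produces no findings. A plan that puts a default gateway outside its /30, omits the PPPoE password, or draws a link subnet from 10.200.0.0/16 is reported with the site and link name so the row can be corrected before the site is activated.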

Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.
Step 2 Set global network parameters.
1. Choose Configuration > Global Parameters.
2. Configure a transport network.

3. Set IPSec encryption parameters.


Select Encryption algorithm and click Generate. A PSK is generated.

4. Configure device activation security.


Enter a URL encryption key, and set Token validity period.

5. Click Apply Changes.


6. Click Virtual Network. The Virtual Network page is displayed.
7. Configure a route.
Enter the AS number of the BGP route. The default value is 65001.

8. Select the number of sites and add an address pool.

9. Add the DNS server IP address.

10. Click Apply Changes.


Step 3 Add devices in batches based on ESNs.
1. Choose Device Management > Device List. The Device List page is displayed.
2. Click Add Device and set Addition method to Batch import.
3. Click Template to download the template file.
4. Fill in the template with required information and save the file.

5. Click the upload icon, select the configured template file, and click Upload.


6. Confirm the imported data, select the data to be created for CPEs, and click OK.

Step 4 Create site templates for the hub sites and for the branch sites.
1. Choose Configuration > Site > Template. On the Site Template page that is displayed,
click Create.
2. Enter the template information and click OK.
l Hub site template


l Branch site template


Step 5 Create hub sites and branch sites.


1. Choose Configuration > Site.
2. On the Site page that is displayed, click Create. Set Creation mode to Single.
3. Enter the site information, and select the site template configured in the previous step.
For a branch site, you need to select the hub site to which it connects.
4. Under Add Device, select the devices added in the previous step.
l Hub sites


l Branch sites


Step 6 Configure ZTP for sites.


1. Configure WAN links for hub sites.
a. Choose Configuration > Site > ZTP Configuration. The ZTP Configuration
page is displayed.
b. In the Not Activated list, click the created site. The WAN Link page displays link
information.

c. Click the icon in the Operation column.


d. In the Set WAN Link dialog box that is displayed, configure WAN link parameters
of the site.
e. Click Apply Changes to complete the WAN link configuration.
– WAN link configuration for Hub1


– WAN link configuration for Hub2


2. Configure NTP for hub sites.


a. Click NTP.
b. On the NTP page that is displayed, select a time zone. Enter the NTP information
and click Apply Changes to complete the NTP configuration.
– NTP configuration for Hub1

– NTP configuration for Hub2


3. Configure WAN links for the branch sites.


Perform the same operations as those for the hub sites to configure WAN link parameters
for the branch sites and click Apply Changes.
– WAN link configuration for Site2


– WAN link configuration for Site3


– WAN link configuration for Site4


4. Configure NTP for the branch sites.


a. In the Not Activated list, click the created branch site, and click NTP.
b. On the NTP page that is displayed, select a time zone.
c. Set NTP client mode to Automatic Synchronization with Parent Node.
d. Click Apply Changes.

----End

2.1.2.4 Dual-Hub Networking with Layer 2 MPLS and Internet Uplinks

Related Products
Agile Controller-Campus: V300R003C00


AR: V300R003C00

Networking Requirements
Enterprise A has a headquarters and several branches. An SD-WAN network needs to be
constructed to replace the traditional enterprise network. The WAN-side networks are the
Layer 2 MPLS network and the Internet. To improve reliability, a standby hub site needs to be
created at the headquarters. If a fault occurs at the headquarters' active hub site, services can
be switched to the standby hub site, ensuring the normal operation of the entire network.

Solution Design

Figure 2-5 Enterprise networking

Based on customer requirements and the networking plan, perform the following tasks:

1. Create an SD-WAN network with an active hub site, a standby hub site and multiple
branch sites. The following example creates an SD-WAN network with three branch
sites: Site2, Site3, and Site4. The legacy site, Site1, is not managed by the Agile
Controller-Campus. Therefore, it does not need to be created on the Agile Controller-
Campus.
2. Two CPEs are deployed as gateways at both hub sites as well as at Site3. At each of
these three sites, one CPE connects to the MPLS network through a WAN link, and the
other CPE connects to the Internet through a WAN link. At Site2, one CPE is deployed
as the gateway and connects to the MPLS network through two WAN links. At Site4,
two CPEs are deployed as gateways and each CPE connects to the Internet through a
WAN link. The Internet link at Site3 obtains a dynamic IP address through PPPoE,
whereas other links are configured with static IP addresses.
3. The NTP clock synchronization mechanism is used to synchronize clocks on devices.
The hub sites have NTP clock synchronization configured to synchronize their clocks
with that of the NTP server, whereas branch sites synchronize their clocks with that of
the hub site.


Data Plan

Table 2-23 Tenant information


Item Value

Tenant Name TenantA

Account TenantA@test.com

Password PassA@1234

Table 2-24 Global network parameters


Item                          Value

Transport Network             MPLS1     Internet1     MPLS2     Internet2

Routing Domain                MPLS      Internet      MPLS      Internet

IPSec Encryption              OFF       ON            OFF       ON

Encryption algorithm          AES256

Pre-shared key                Generate

URL encryption key            123456

Token validity period (day)   7

AS number                     65001

Network scale (based CPEs)    500

IP pool                       10.200.0.0/16

DNS Server IP                 8.8.8.8

Table 2-25 Information about devices


Device ESN Device Name Device Model

2102114484P0GC000330 Hub1_1 AR3670

2102114484P0GC000331 Hub1_2 AR3670

2102114484P0GC000332 Hub2_1 AR3670


2102114484P0GC000333 Hub2_2 AR3670

2102351BTJ10H1000320 Site2_1 AR161EW

2102351BTJ10H1000321 Site3_1 AR161EW

2102351BTJ10H1000322 Site3_2 AR161EW

2102351BTJ10H1000323 Site4_1 AR161EW

2102351BTJ10H1000324 Site4_2 AR161EW

Table 2-26 Site template


Item                                        Value

Template name                               Hub                        Branch1                    Branch2                    Branch3

Description                                 -                          -                          -                          -

Gateway                                     Dual Gateways              Single Gateway             Dual Gateways              Dual Gateways

WAN Link     Name                           MPLS1        Internet1     MPLS1        MPLS2         MPLS1        Internet1     Internet1    Internet2

             Device                         Device1      Device2       Device1      Device1       Device1      Device2       Device1      Device2

             Interface                      GE3/0/0      GE3/0/0       GE0/0/0      GE0/0/4       GE0/0/4      GE0/0/4       GE0/0/4      GE0/0/4

             Transport Network              MPLS1        Internet1     MPLS1        MPLS2         MPLS1        Internet1     Internet1    Internet2

             Role                           Active       Active        Active       Active        Active       Active        Active       Active

Inter-CPE    Reuse LAN-side L2 interface    OFF                        -                          OFF                        OFF
Link
             Device1 Interface              GE3/0/1      GE3/0/2       -            -             GE0/0/1      GE0/0/2       GE0/0/1      GE0/0/2

             Device2 Interface              GE3/0/1      GE3/0/2       -            -             GE0/0/1      GE0/0/2       GE0/0/1      GE0/0/2

Table 2-27 ZTP configurations at sites


Item                        Value

Site                        Hub1                          Hub2                          Site2                         Site3                         Site4

Site template               Hub                           Hub                           Branch1                       Branch2                       Branch3

Link name                   MPLS1          Internet1      MPLS1          Internet1      MPLS1          MPLS2          MPLS1          Internet1      Internet1      Internet2

Interface protocol          IPoE           IPoE           IPoE           IPoE           IPoE           IPoE           IPoE           PPPoE          IPoE           IPoE

IP address access mode      Static         Static         Static         Static         Static         Static         Static         -              Static         Static

IP address/Subnet mask      172.16.1.1/24  10.100.1.1/30  172.16.1.2/24  10.100.2.1/30  172.16.1.4/24  172.16.1.5/24  172.16.1.6/24  -              10.100.3.1/30  10.100.4.1/30

Default gateway             172.16.1.254   10.100.1.2     172.16.1.254   10.100.2.2     172.16.1.254   172.16.1.254   172.16.1.254   -              10.100.3.2     10.100.4.2

PPPoE User name             -              -              -              -              -              -              -              user@web.com   -              -

PPPoE Password              -              -              -              -              -              -              -              Pass1234       -              -

Public IP                   172.16.1.1     10.100.1.1     172.16.1.2     10.100.2.1     -              -              -              -              -              -

Negotiation mode            Auto           Auto           Auto           Auto           Auto           Auto           Auto           Auto           Auto           Auto

Uplink bandwidth (Mbps)     100            100            100            100            100            100            100            100            100            100

Downlink bandwidth (Mbps)   100            100            100            100            100            100            100            100            100            100

Table 2-28 NTP information at hub sites


Item Value

Time zone (UTC+08:00)Beijing,Chongqing,Hong Kong,Urumqi

NTP authentication ON

Authentication password ntp123

Authentication key id 456789

NTP client mode Manual Configuration

Device                      Hub1_1      Hub1_2      Hub2_1      Hub2_2

WAN Link                    MPLS1       Internet1   MPLS1       Internet1

NTP Server Address          10.10.1.1   10.10.1.1   10.10.1.1   10.10.1.1

Authentication              OFF         OFF         OFF         OFF

Table 2-29 NTP information about branch sites


Item Value

Time zone (UTC+08:00)Beijing,Chongqing,Hong Kong,Urumqi

NTP authentication OFF

NTP client mode Automatic Synchronization with Parent Node

Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.

Step 2 Set global network parameters.


1. Choose Configuration > Global Parameters.
2. Configure a transport network.

3. Set IPSec encryption parameters.


Select Encryption algorithm and click Generate. A PSK is generated.

4. Configure device activation security.


Enter a URL encryption key, and set Token validity period.


5. Click Apply Changes.


6. Click Virtual Network. The Virtual Network page is displayed.
7. Configure a route.
Enter the AS number of the BGP route. The default value is 65001.

8. Select the number of sites and add an address pool.

9. Add the DNS server IP address.

10. Click Apply Changes.


Step 3 Add devices in batches based on ESNs.
1. Choose Device Management > Device List. The Device List page is displayed.
2. Click Add Device and set Addition method to Batch import.
3. Click Template to download the template file.
4. Fill in the template with required information and save the file.

5. Click the upload icon, select the configured template file, and click Upload.


6. Confirm the imported data, select the data to be created for CPEs, and click OK.


Step 4 Create site templates for the hub sites and for the branch sites (Hub, Branch1, Branch2, and Branch3 in Table 2-26).
1. Choose Configuration > Site > Template. On the Site Template page that is displayed,
click Create.
2. Enter the template information and click OK.
l Hub site template

l Branch site template


Step 5 Create hub sites and branch sites.


1. Choose Configuration > Site.
2. On the Site page that is displayed, click Create. Set Creation mode to Single.
3. Enter the site information, and select the site template configured in the previous step.
For a branch site, you need to select the hub site to which it connects.
4. Under Add Device, select the devices added in the previous step.
5. Click OK.
l Hub sites


l Branch sites


Step 6 Configure ZTP for sites.


1. Configure WAN links for hub sites.
a. Choose Configuration > Site > ZTP Configuration. The ZTP Configuration
page is displayed.
b. In the Not Activated list, click the created site. The WAN Link page displays link
information.

c. Click the icon in the Operation column.


d. In the Set WAN Link dialog box that is displayed, configure WAN link parameters
of the site.
e. Click Apply Changes to complete the WAN link configuration.
– WAN link configuration for Hub1


– WAN link configuration for Hub2


2. Configure NTP for hub sites.


a. Click NTP.
b. On the NTP page that is displayed, select a time zone. Enter the NTP information
and click Apply Changes to complete the NTP configuration.
– NTP configuration for Hub1

– NTP configuration for Hub2


3. Configure WAN links for the branch sites.


Perform the same operations as those for the hub sites to configure WAN link parameters
for the branch sites and click Apply Changes.
– WAN link configuration for Site2


– WAN link configuration for Site3


– WAN link configuration for Site4


4. Configure NTP for the branch sites.


a. In the Not Activated list, click the created branch site, and click NTP.
b. On the NTP page that is displayed, select a time zone.
c. Set NTP client mode to Automatic Synchronization with Parent Node.
d. Click Apply Changes.

----End

2.1.2.5 Dual-Hub Networking with Layer 3 MPLS Uplinks

Related Products
Agile Controller-Campus: V300R003C00


AR: V300R003C00

Networking Requirements
Enterprise A needs to construct a dedicated SD-WAN network. The WAN-side network is a
Layer 3 MPLS network. To improve network reliability, an active hub site and a standby hub
site need to be deployed. Since Enterprise A is a large-scale enterprise, hierarchical
networking is required to reduce the load on each hub site. To achieve this, two branch
regions each have one aggregation site deployed. Branch sites within one branch region
communicate with one another through the aggregation sites, whereas branch sites in different
branch regions interact with each other through the hub sites.

Solution Design

Figure 2-6 Enterprise networking

Based on customer requirements and the networking plan, perform the following tasks:

1. Create an active hub site and a standby hub site. The aggregation site Agg1 and branch
sites Site2 and Site3 are deployed in a region. The aggregation site Agg2 and branch
sites Site4, Site5, and Site6 are deployed in another region. The legacy site, Site1, is not
managed by the Agile Controller-Campus. Therefore, it does not need to be created on
the Agile Controller-Campus.
2. At both the hub sites, two CPEs are deployed as gateways and each CPE connects to the
MPLS network through a WAN link. At both Agg1 and Site2, one CPE is deployed as the
gateway and connects to the MPLS network through two WAN links. At each of Agg2, Site3,
Site4, Site5, and Site6, one CPE is deployed as the gateway and connects to the MPLS
network through a WAN link. The WAN links at all sites are configured with static IP
addresses.
3. The NTP clock synchronization mechanism is used to synchronize clocks on devices.
The hub sites have NTP clock synchronization configured to synchronize their clocks
with the NTP server while the aggregation sites synchronize their clocks with the hub
sites and branch sites synchronize their clocks with the aggregation sites.


Data Plan

Table 2-30 Tenant information

Item Value

Tenant Name TenantA

Account TenantA@test.com

Password PassA@1234

Table 2-31 Global network parameters

Item Value

Transport Network MPLS1 MPLS2

Routing Domain MPLS MPLS

IPSec Encryption OFF OFF

Encryption algorithm AES256

Pre-shared key Generate

URL encryption key 123456

Token validity period (day) 7

AS number 65001

Network scale (based CPEs) 500

IP pool 10.200.0.0/16

DNS Server IP 8.8.8.8

Table 2-32 Information about devices

Device ESN Device Name Device Model

2102114484P0GC000430 Hub1_1 AR3670

2102114484P0GC000431 Hub1_2 AR3670

2102114484P0GC000432 Hub2_1 AR3670

2102114484P0GC000433 Hub2_2 AR3670

2102114484P0GC000434 Agg1_1 AR3670

2102114484P0GC000435 Agg2_1 AR3670

2102351BTJ10H1000420 Site2_1 AR161EW


2102351BTJ10H1000421 Site3_1 AR161EW

2102351BTJ10H1000422 Site4_1 AR161EW

2102351BTJ10H1000423 Site5_1 AR161EW

2102351BTJ10H1000424 Site6_1 AR161EW

Table 2-33 Site template

Item                                        Value

Template name                               Hub                        Agg1                       Agg2             Branch1                    Branch2

Description                                 -                          -                          -                -                          -

Gateway                                     Dual Gateways              Single Gateway             Single Gateway   Single Gateway             Single Gateway

WAN Link     Name                           MPLS1        MPLS2         MPLS1        MPLS2         MPLS1            MPLS1        MPLS2         MPLS1

             Device                         Device1      Device2       Device1      Device1       Device1          Device1      Device1       Device1

             Interface                      GE3/0/0      GE3/0/0       GE3/0/0      GE3/0/1       GE3/0/0          GE0/0/0      GE0/0/4       GE0/0/4

             Transport Network              MPLS1        MPLS2         MPLS1        MPLS2         MPLS1            MPLS1        MPLS2         MPLS1

             Role                           Active       Active        Active       Active        Active           Active       Active        Active

Inter-CPE    Reuse LAN-side L2 interface    OFF                        -                          -                -                          -
Link
             Device1 Interface              GE3/0/1      GE3/0/2       -                          -                -                          -

             Device2 Interface              GE3/0/1      GE3/0/2       -                          -                -                          -


Table 2-34 ZTP configurations at hub sites


Item                        Value

Site                        Hub1                            Hub2

Site template               Hub                             Hub

Link name                   MPLS1           MPLS2           MPLS1           MPLS2

Interface protocol          IPoE            IPoE            IPoE            IPoE

IP address access mode      Static          Static          Static          Static

IP address/Subnet mask      172.16.1.1/30   172.16.1.5/30   172.16.1.9/30   172.16.1.13/30

Default gateway             172.16.1.2/30   172.16.1.6/30   172.16.1.10/30  172.16.1.14/30

PPPoE User name             -               -               -               -

PPPoE Password              -               -               -               -

Public IP                   172.16.1.1      172.16.1.5      172.16.1.9      172.16.1.13

Negotiation mode            Auto            Auto            Auto            Auto

Uplink bandwidth (Mbps)     100             100             100             100

Downlink bandwidth (Mbps)   100             100             100             100

Table 2-35 ZTP configurations at aggregation sites and branch sites


Item                        Value

Site                        Agg1                            Site2                           Site3           Agg2            Site4           Site5           Site6

Site template               Agg1                            Branch1                         Branch2         Agg2            Branch2         Branch2         Branch2

Link name                   MPLS1           MPLS2           MPLS1           MPLS2           MPLS1           MPLS1           MPLS1           MPLS1           MPLS1

Interface protocol          IPoE            IPoE            IPoE            IPoE            IPoE            IPoE            IPoE            IPoE            IPoE

IP address access mode      Static          Static          Static          Static          Static          Static          Static          Static          Static

IP address/Subnet mask      172.16.1.21/30  172.16.1.25/30  172.16.1.29/30  172.16.1.33/30  172.16.1.37/30  172.16.1.41/30  172.16.1.45/30  172.16.1.49/30  172.16.1.53/30

Default gateway             172.16.1.22     172.16.1.26     172.16.1.30     172.16.1.34     172.16.1.38     172.16.1.42     172.16.1.46     172.16.1.50     172.16.1.54

PPPoE User name             -               -               -               -               -               -               -               -               -

PPPoE Password              -               -               -               -               -               -               -               -               -

Public IP                   172.16.1.21     172.16.1.25     -               -               -               172.16.1.41     -               -               -

Negotiation mode            Auto            Auto            Auto            Auto            Auto            Auto            Auto            Auto            Auto

Uplink bandwidth (Mbps)     100             100             100             100             100             100             100             100             100

Downlink bandwidth (Mbps)   100             100             100             100             100             100             100             100             100
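Before link rows like the ones in Tables 2-27, 2-34 and 2-35 are typed into the controller, it pays to check them for the mistakes that otherwise surface only as a CPE that never activates: a default gateway outside the interface subnet, an address on the network or broadcast boundary of a /30, a static address on a PPPoE link, an Internet transport with IPSec turned off, or the same address used twice. The block below is an added example and not code from the guide or from Huawei. It transcribes Table 2-27 (the ZTP table with PPPoE and Internet links) and the transports of Table 2-24 as Python data; the `WanLink` fields, the `check_link` and `check_plan` functions and the rules they apply are this example's own assumptions about what a consistent plan looks like, and Tables 2-34 and 2-35 can be loaded the same way.

```python
"""Pre-flight checks for a ZTP WAN link data plan (Tables 2-27, 2-34, 2-35).

Added example, not part of the guide. Rows of Table 2-27 and the transports
of Table 2-24 are transcribed as data and checked before they go into the
controller. Field names follow the table headings; the rules are this
example's own assumptions about what a consistent plan looks like.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class WanLink:
    site: str
    name: str
    transport: str                      # transport network from Table 2-24
    protocol: str                       # "IPoE" or "PPPoE"
    access_mode: Optional[str] = None   # "Static" for IPoE links, empty for PPPoE
    address: Optional[str] = None       # "a.b.c.d/len"
    gateway: Optional[str] = None
    public_ip: Optional[str] = None
    pppoe_user: Optional[str] = None
    pppoe_password: Optional[str] = None

# Table 2-24: transport network -> (routing domain, IPSec encryption on?)
TRANSPORTS: Dict[str, Tuple[str, bool]] = {
    "MPLS1": ("MPLS", False), "Internet1": ("Internet", True),
    "MPLS2": ("MPLS", False), "Internet2": ("Internet", True),
}

# Table 2-27, one WanLink per column.
PLAN: List[WanLink] = [
    WanLink("Hub1", "MPLS1", "MPLS1", "IPoE", "Static", "172.16.1.1/24", "172.16.1.254", "172.16.1.1"),
    WanLink("Hub1", "Internet1", "Internet1", "IPoE", "Static", "10.100.1.1/30", "10.100.1.2", "10.100.1.1"),
    WanLink("Hub2", "MPLS1", "MPLS1", "IPoE", "Static", "172.16.1.2/24", "172.16.1.254", "172.16.1.2"),
    WanLink("Hub2", "Internet1", "Internet1", "IPoE", "Static", "10.100.2.1/30", "10.100.2.2", "10.100.2.1"),
    WanLink("Site2", "MPLS1", "MPLS1", "IPoE", "Static", "172.16.1.4/24", "172.16.1.254"),
    WanLink("Site2", "MPLS2", "MPLS2", "IPoE", "Static", "172.16.1.5/24", "172.16.1.254"),
    WanLink("Site3", "MPLS1", "MPLS1", "IPoE", "Static", "172.16.1.6/24", "172.16.1.254"),
    WanLink("Site3", "Internet1", "Internet1", "PPPoE", pppoe_user="user@web.com", pppoe_password="Pass1234"),
    WanLink("Site4", "Internet1", "Internet1", "IPoE", "Static", "10.100.3.1/30", "10.100.3.2"),
    WanLink("Site4", "Internet2", "Internet2", "IPoE", "Static", "10.100.4.1/30", "10.100.4.2"),
]

def check_link(link: WanLink, transports=TRANSPORTS) -> List[str]:
    """Problems in one WAN link row; an empty list means the row is clean."""
    where = f"{link.site}/{link.name}"
    problems: List[str] = []
    if link.transport not in transports:
        return [f"{where}: transport network {link.transport!r} is not defined globally"]
    domain, ipsec_on = transports[link.transport]
    # Internet transports cross an untrusted network; the plan turns IPSec on
    # for them (Table 2-24) and this rule keeps it that way.
    if domain == "Internet" and not ipsec_on:
        problems.append(f"{where}: IPSec is OFF on Internet transport {link.transport}")
    if link.protocol == "PPPoE":
        # The BRAS assigns the address, so a static address or gateway is a contradiction.
        if link.address or link.gateway or link.access_mode:
            problems.append(f"{where}: PPPoE link must not carry a static address or gateway")
        if not (link.pppoe_user and link.pppoe_password):
            problems.append(f"{where}: PPPoE link needs a user name and password")
        return problems
    if link.access_mode != "Static" or not (link.address and link.gateway):
        return problems + [f"{where}: IPoE link needs Static mode, an address and a gateway"]
    iface = ipaddress.ip_interface(link.address)
    gw = ipaddress.ip_address(link.gateway)
    net = iface.network
    if gw not in net:
        problems.append(f"{where}: gateway {gw} is outside {net}")
    if gw == iface.ip:
        problems.append(f"{where}: gateway equals the interface address")
    # Neither end may sit on the network or broadcast address (a classic /30 slip).
    for label, addr in (("interface", iface.ip), ("gateway", gw)):
        if addr in (net.network_address, net.broadcast_address):
            problems.append(f"{where}: {label} address {addr} is the network/broadcast address of {net}")
    # Hub rows publish the interface address as Public IP; anything else implies NAT.
    if link.public_ip and ipaddress.ip_address(link.public_ip) != iface.ip:
        problems.append(f"{where}: public IP {link.public_ip} differs from interface address {iface.ip}")
    return problems

def check_plan(plan: List[WanLink], transports=TRANSPORTS) -> List[str]:
    """Check every row, then the cross-row rule that no address is used twice."""
    problems: List[str] = []
    owner: Dict[str, str] = {}
    for link in plan:
        problems.extend(check_link(link, transports))
        if link.address:
            ip = str(ipaddress.ip_interface(link.address).ip)
            if ip in owner:
                problems.append(f"{link.site}/{link.name}: address {ip} is already used by {owner[ip]}")
            owner.setdefault(ip, f"{link.site}/{link.name}")
    return problems

if __name__ == "__main__":
    for line in check_plan(PLAN) or ["data plan is consistent"]:
        print(line)
```

Run as is, the script reports that Table 2-27 is consistent; edit one gateway or duplicate one address and it names the offending site and link. Gateway values carrying a prefix length, as Table 2-34 lists them, must be entered without the "/30" because the gateway field is a single address.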


Table 2-36 NTP information at hub sites


Item Value

Time zone (UTC+08:00)Beijing,Chongqing,Hong Kong,Urumqi

NTP authentication ON

Authentication password ntp123

Authentication key id 456789

NTP client mode Manual Configuration

Device                      Hub1_1      Hub1_2      Hub2_1      Hub2_2

WAN Link                    MPLS1       MPLS2       MPLS1       MPLS2

NTP Server Address          10.10.1.1   10.10.1.1   10.10.1.1   10.10.1.1

Authentication              OFF         OFF         OFF         OFF

Table 2-37 NTP information at aggregation sites and branch sites


Item Value

Time zone (UTC+08:00)Beijing,Chongqing,Hong Kong,Urumqi

NTP authentication OFF

NTP client mode Automatic Synchronization with Parent Node
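Tables 2-21, 2-28 and 2-36 turn NTP authentication on at the hub sites with key id 456789 and password ntp123, yet the per-device rows in the same tables show Authentication OFF; confirm which of the two the controller actually pushes before relying on authenticated time, because unauthenticated NTP lets anyone on the path move the clocks that IPSec, BGP and the device activation tokens depend on. The block below is an added example, not code from the guide or from the AR devices: it shows what that key id and password do on the wire under the RFC 5905 symmetric-key scheme, where the MAC is the key id followed by MD5 over the key concatenated with the packet. That the AR uses MD5 with the password as a plain ASCII key is an assumption; the guide does not name the digest.

```python
"""Symmetric-key NTP authentication as planned in Tables 2-21, 2-28 and 2-36
(key id 456789, password ntp123).

Added example, not code from the guide or from the Huawei devices: it builds
an NTP client request, appends the RFC 5905 section 7.3 MAC
(keyid || MD5(key || packet)) and verifies it. Assumption: the password is
used as a plain ASCII MD5 key; the guide does not state the digest.
"""
import hashlib
import hmac
import struct
import time

NTP_EPOCH_OFFSET = 2208988800       # seconds from 1900-01-01 to the Unix epoch
HEADER_LEN = 48                     # NTPv4 header without extension fields
MAC_LEN = 4 + 16                    # key id + MD5 digest

def build_client_request(transmit_ts=None) -> bytes:
    """Return a 48-byte NTPv4 client request (LI=0, VN=4, Mode=3)."""
    if transmit_ts is None:
        transmit_ts = time.time()
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    secs = int(transmit_ts) + NTP_EPOCH_OFFSET
    frac = int((transmit_ts - int(transmit_ts)) * (1 << 32))
    # stratum, poll, precision, root delay, root dispersion and reference id,
    # then 24 zero bytes for the reference, origin and receive timestamps.
    head = struct.pack("!BBBbIII", li_vn_mode, 0, 6, -20, 0, 0, 0)
    return head + bytes(24) + struct.pack("!II", secs, frac)

def append_mac(packet: bytes, key_id: int, key: bytes) -> bytes:
    """Append keyid || MD5(key || packet); the key is prepended, this is not HMAC."""
    digest = hashlib.md5(key + packet).digest()
    return packet + struct.pack("!I", key_id) + digest

def verify_mac(packet: bytes, keys: dict) -> bool:
    """Server-side check: missing MAC, unknown key id or tampered bytes all fail."""
    if len(packet) < HEADER_LEN + MAC_LEN:
        return False                       # unauthenticated packet
    body, key_id_raw, digest = packet[:-MAC_LEN], packet[-MAC_LEN:-16], packet[-16:]
    key = keys.get(struct.unpack("!I", key_id_raw)[0])
    if key is None:
        return False                       # key id not trusted on this server
    expected = hashlib.md5(key + body).digest()
    return hmac.compare_digest(expected, digest)   # constant-time comparison

if __name__ == "__main__":
    # Key material from Table 2-28; the NTP server 10.10.1.1 must hold the same entry.
    trusted_keys = {456789: b"ntp123"}
    request = append_mac(build_client_request(), 456789, b"ntp123")
    print("authentic:", verify_mac(request, trusted_keys))
    forged = bytearray(request)
    forged[40] ^= 0x01                     # flip one bit in the transmit timestamp
    print("tampered :", verify_mac(bytes(forged), trusted_keys))
```

The MAC authenticates the 48-byte header but encrypts nothing, so the time values stay visible on the wire, and a key used this way is only as strong as the string itself: a short dictionary word such as ntp123 should be replaced with a long random key before the design goes to production, installed identically on the NTP server and on the hub CPEs.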

Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.
Step 2 Set global network parameters.
1. Choose Configuration > Global Parameters.
2. Configure a transport network.

3. Set IPSec encryption parameters.


Select Encryption algorithm and click Generate. A PSK is generated.


4. Configure device activation security.


Enter a URL encryption key, and set Token validity period.

5. Click Apply Changes.


6. Click Virtual Network. The Virtual Network page is displayed.
7. Configure a route.
Enter the AS number of the BGP route. The default value is 65001.

8. Select the number of sites and add an address pool.

9. Add the DNS server IP address.

10. Click Apply Changes.

Step 3 Add devices in batches based on ESNs.


1. Choose Device Management > Device List. The Device List page is displayed.
2. Click Add Device and set Addition method to Batch import.
3. Click Template to download the template file.
4. Fill in the template with required information and save the file.

5. Click the upload icon, select the configured template file, and click Upload.


6. Confirm the imported data, select the data to be created for CPEs, and click OK.


Step 4 Create site templates for the hub sites, aggregation sites, and branch sites (Hub, Agg1, Agg2, Branch1, and Branch2 in Table 2-33).
1. Choose Configuration > Site > Template. On the Site Template page that is displayed,
click Create.
2. Enter the template information and click OK.
l Hub site template

l Aggregation site template


l Branch site template

Step 5 Create hub sites, aggregation sites, and branch sites.


1. Choose Configuration > Site.
2. On the Site page that is displayed, click Create. Set Creation mode to Single.
3. Enter the site information, select the hub site to which each branch site and aggregation
site needs to be connected, and select the site templates configured in the previous step.
4. Under Add Device, select the devices added in the previous step.
– Hub sites


– Aggregation site Agg1 and branch sites in the region


– Aggregation site Agg2 and branch sites in the region


Step 6 Configure ZTP for sites.


1. Configure WAN links for hub sites.
a. Choose Configuration > Site > ZTP Configuration. The ZTP Configuration
page is displayed.
b. In the Not Activated list, click the created site. The WAN Link page displays link
information.

c. Click the icon in the Operation column.


d. In the Set WAN Link dialog box that is displayed, configure WAN link parameters
of the site.
e. Click Apply Changes to complete the WAN link configuration.
– WAN link configuration for Hub1


– WAN link configuration for Hub2


2. Configure NTP for hub sites.


a. Click NTP.
b. On the NTP page that is displayed, select a time zone. Enter the NTP information
and click Apply Changes to complete the NTP configuration.
– NTP configuration for Hub1

– NTP configuration for Hub2


3. Configure WAN links for the aggregation sites and branch sites.
Perform the same operations as those for the hub sites to configure WAN link parameters
for the aggregation sites and branch sites, and click Apply Changes.
– WAN link configuration for Agg1


– WAN link configuration for Site2


– WAN link configuration for Site3


– WAN link configuration for Agg2


– WAN link configuration for Site4


– WAN link configuration for Site5


– WAN link configuration for Site6


4. Configure ZTP at the aggregation sites and branch sites.


a. Choose Configuration > Site > ZTP Configuration. The ZTP Configuration
page is displayed.
b. In the Not Activated list, click the created site, and click NTP.
c. On the NTP page that is displayed, select a time zone.
d. Set NTP client mode to Automatic Synchronization with Parent Node.
e. Click Apply Changes.

----End


2.1.2.6 Dual-Hub Networking with Layer 2 MPLS Uplinks

Related Products
Agile Controller-Campus: V300R003C00
AR: V300R003C00

Networking Requirements
Enterprise A needs to construct a dedicated SD-WAN network. The WAN-side network is a
Layer 2 MPLS network. To improve network reliability, an active hub site and a standby hub
site need to be deployed. Since Enterprise A is a large-scale enterprise, hierarchical
networking is required to reduce the load on each hub site. To achieve this, two branch
regions each have one aggregation site deployed. Branch sites within one branch region
communicate with one another through the aggregation sites, whereas branch sites in different
branch regions interact with each other through the hub sites.

Solution Design

Figure 2-7 Enterprise networking

Based on customer requirements and the networking plan, perform the following tasks:
1. Create an active hub site and a standby hub site. The aggregation site Agg1 and branch
sites Site2 and Site3 are deployed in a region. The aggregation site Agg2 and branch
sites Site4, Site5, and Site6 are deployed in another region. The legacy site, Site1, is not
managed by the Agile Controller-Campus. Therefore, it does not need to be created on
the Agile Controller-Campus.
2. At both the hub sites, two CPEs are deployed as gateways and each CPE connects to the
MPLS network through a WAN link. At both Agg1 and Site2, one CPE is deployed as the
gateway and connects to the MPLS network through two WAN links. At each of Agg2, Site3,
Site4, Site5, and Site6, one CPE is deployed as the gateway and connects to the MPLS
network through a WAN link. The WAN links at all sites are configured with static IP
addresses.
3. The NTP clock synchronization mechanism is used to synchronize clocks on devices.
The hub sites have NTP clock synchronization configured to synchronize their clocks
with the NTP server while the aggregation sites synchronize their clocks with the hub
sites and branch sites synchronize their clocks with the aggregation sites.
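The forwarding rules stated in this solution design, in the identical one for 2.1.2.5, and in the plain active/standby hub pair of 2.1.2.4 can be written down as a small model, which is useful when sizing the blast radius of a site outage before the network exists. The block below is an added example and not the controller's own route computation: the two rules it encodes come from the guide (intra-region traffic goes through the aggregation site, inter-region traffic through the hubs, and the standby hub takes over when the active hub fails), while representing the hub pair as one logical parent with an active/standby preference, the `Topology` class and its `path` and `sites_cut_off` methods are this example's own assumptions.

```python
"""Forwarding paths in the dual-hub topologies of 2.1.2.4 (flat) and
2.1.2.5/2.1.2.6 (hierarchical, with aggregation sites).

Added example, not from the guide: a small model answering "which sites does
a flow traverse, and what changes when a site fails". Intra-region traffic
via the aggregation site, inter-region traffic via the hubs and failover to
the standby hub are the guide's rules; modelling the hub pair as one logical
parent with an active/standby preference is this example's own assumption.
"""
from typing import Dict, List, Optional, Set

HUB = "HUB"   # pseudo-parent meaning "whichever hub site is currently active"

class Topology:
    def __init__(self, hubs: List[str]):
        self.hubs = list(hubs)              # preference order: [active, standby]
        self.parent: Dict[str, str] = {}    # site -> parent site, or HUB

    def add_site(self, name: str, parent: str) -> None:
        if parent != HUB and parent not in self.parent:
            raise ValueError(f"unknown parent site {parent!r}")
        self.parent[name] = parent

    def active_hub(self, failed: Set[str]) -> str:
        """First hub in preference order that is up: the active/standby switchover."""
        for hub in self.hubs:
            if hub not in failed:
                return hub
        raise RuntimeError("both hub sites are down")

    def chain(self, site: str, failed: Set[str]) -> List[str]:
        """Sites from `site` upward to the hub that currently serves it."""
        if site in self.hubs:
            return [site]
        path = [site]
        while path[-1] != HUB:
            path.append(self.parent[path[-1]])
        path[-1] = self.active_hub(failed)
        return path

    def path(self, src: str, dst: str, failed: Set[str] = frozenset()) -> Optional[List[str]]:
        """Sites a flow crosses, or None when a failed non-hub site blocks it."""
        up, down = self.chain(src, failed), self.chain(dst, failed)
        for i, node in enumerate(up):             # lowest common ancestor
            if node in down:
                route = up[:i + 1] + down[:down.index(node)][::-1]
                return None if any(n in failed for n in route) else route
        return None

    def sites_cut_off(self, failed: Set[str]) -> Set[str]:
        """Sites that can no longer reach a hub once `failed` sites are down."""
        return {s for s in self.parent
                if s not in failed and any(n in failed for n in self.chain(s, failed))}

def hierarchical_topology() -> Topology:
    """Sections 2.1.2.5 and 2.1.2.6: two regions, each behind one aggregation site."""
    t = Topology(["Hub1", "Hub2"])
    t.add_site("Agg1", HUB)
    for site in ("Site2", "Site3"):
        t.add_site(site, "Agg1")
    t.add_site("Agg2", HUB)
    for site in ("Site4", "Site5", "Site6"):
        t.add_site(site, "Agg2")
    return t

def flat_topology() -> Topology:
    """Section 2.1.2.4: branch sites attach to the hub pair directly."""
    t = Topology(["Hub1", "Hub2"])
    for site in ("Site2", "Site3", "Site4"):
        t.add_site(site, HUB)
    return t

if __name__ == "__main__":
    t = hierarchical_topology()
    print(t.path("Site2", "Site3"))                 # ['Site2', 'Agg1', 'Site3']
    print(t.path("Site2", "Site4"))                 # ['Site2', 'Agg1', 'Hub1', 'Agg2', 'Site4']
    print(t.path("Site2", "Site4", {"Hub1"}))       # standby hub Hub2 takes over
    print(sorted(t.sites_cut_off({"Agg2"})))        # ['Site4', 'Site5', 'Site6']
```

The last line is the point worth noticing in this design: the hub pair survives the loss of either hub, but each aggregation site is a single CPE, so losing Agg2 isolates every branch in its region from the rest of the network.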

Data Plan

Table 2-38 Tenant information

Item Value

Tenant Name TenantA

Account TenantA@test.com

Password PassA@1234

Table 2-39 Global network parameters

Item Value

Transport Network MPLS1 MPLS2

Routing Domain MPLS MPLS

IPSec Encryption OFF OFF

Encryption algorithm AES256

Pre-shared key Generate

URL encryption key 123456

Token validity period (day) 7

AS number 65001

Network scale (based CPEs) 500

IP pool 10.200.0.0/16

DNS Server IP 8.8.8.8

Table 2-40 Information about devices

Device ESN Device Name Device Model

2102114484P0GC000530 Hub1_1 AR3670

2102114484P0GC000531 Hub1_2 AR3670

2102114484P0GC000532 Hub2_1 AR3670

2102114484P0GC000533 Hub2_2 AR3670

2102114484P0GC000534 Agg1_1 AR3670


2102114484P0GC000535 Agg2_1 AR3670

2102351BTJ10H1000520 Site2_1 AR161EW

2102351BTJ10H1000521 Site3_1 AR161EW

2102351BTJ10H1000522 Site4_1 AR161EW

2102351BTJ10H1000523 Site5_1 AR161EW

2102351BTJ10H1000524 Site6_1 AR161EW

Table 2-41 Site template

Item | Hub | Agg1 | Agg2 | Branch1 | Branch2
Template name | Hub | Agg1 | Agg2 | Branch1 | Branch2
Description | - | - | - | - | -
Gateway | Dual Gateways | Single Gateway | Single Gateway | Single Gateway | Single Gateway

WAN Link (Name / Device / Interface / Transport Network / Role)
Hub | MPLS1 / Device1 / GE3/0/0 / MPLS1 / Active
Hub | MPLS2 / Device2 / GE3/0/0 / MPLS2 / Active
Agg1 | MPLS1 / Device1 / GE3/0/0 / MPLS1 / Active
Agg1 | MPLS2 / Device1 / GE3/0/1 / MPLS2 / Active
Agg2 | MPLS1 / Device1 / GE3/0/0 / MPLS1 / Active
Branch1 | MPLS1 / Device1 / GE0/0/0 / MPLS1 / Active
Branch1 | MPLS2 / Device1 / GE0/0/4 / MPLS2 / Active
Branch2 | MPLS1 / Device1 / GE0/0/4 / MPLS1 / Active

Inter-CPE Link (Hub template only; - for the other templates)
Reuse LAN-side L2 interface | OFF
Device1 Interface | GE3/0/1, GE3/0/2
Device2 Interface | GE3/0/1, GE3/0/2

Table 2-42 ZTP configurations at hub sites

Item | Hub1 (MPLS1) | Hub1 (MPLS2) | Hub2 (MPLS1) | Hub2 (MPLS2)
Site template | Hub | Hub | Hub | Hub
Link name | MPLS1 | MPLS2 | MPLS1 | MPLS2
Interface protocol | IPoE | IPoE | IPoE | IPoE
IP address access mode | Static | Static | Static | Static
IP address/Subnet mask | 172.16.1.1/24 | 172.16.1.2/24 | 172.16.1.3/24 | 172.16.1.4/24
Default gateway | 172.16.1.254 | 172.16.1.254 | 172.16.1.254 | 172.16.1.254
PPPoE User name | - | - | - | -
PPPoE Password | - | - | - | -
Public IP | 172.16.1.1 | 172.16.1.2 | 172.16.1.3 | 172.16.1.4
Negotiation mode | Auto | Auto | Auto | Auto
Uplink bandwidth (Mbps) | 100 | 100 | 100 | 100
Downlink bandwidth (Mbps) | 100 | 100 | 100 | 100

Table 2-43 ZTP configurations at aggregation sites and branch sites

Values common to every link: Interface protocol IPoE, IP address access mode Static,
Default gateway 172.16.1.254, PPPoE User name -, PPPoE Password -, Negotiation mode
Auto, Uplink bandwidth 100 Mbps, Downlink bandwidth 100 Mbps.

Site | Site template | Link name | IP address/Subnet mask | Public IP
Agg1 | Agg1 | MPLS1 | 172.16.1.6/24 | 172.16.1.6
Agg1 | Agg1 | MPLS2 | 172.16.1.7/24 | 172.16.1.7
Site2 | Branch1 | MPLS1 | 172.16.1.8/24 | -
Site2 | Branch1 | MPLS2 | 172.16.1.9/24 | -
Site3 | Branch2 | MPLS1 | 172.16.1.10/24 | -
Agg2 | Agg2 | MPLS1 | 172.16.1.11/24 | 172.16.1.11
Site4 | Branch2 | MPLS1 | 172.16.1.12/24 | -
Site5 | Branch2 | MPLS1 | 172.16.1.13/24 | -
Site6 | Branch2 | MPLS1 | 172.16.1.14/24 | -

Table 2-44 NTP information at the hub sites

Item | Value
Time zone | (UTC+08:00)Beijing,Chongqing,Hong Kong,Urumqi
NTP authentication | ON
Authentication password | ntp123
Authentication key id | 456789
NTP client mode | Manual Configuration

Device | Hub1_1 | Hub1_2 | Hub2_1 | Hub2_2
WAN Link | MPLS1 | MPLS2 | MPLS1 | MPLS2
NTP Server Address | 10.10.1.1 | 10.10.1.1 | 10.10.1.1 | 10.10.1.1
Authentication | OFF | OFF | OFF | OFF

Table 2-45 NTP information at aggregation sites and branch sites


Item Value

Time zone (UTC+08:00)Beijing,Chongqing,Hong Kong,Urumqi

NTP authentication OFF

NTP client mode Automatic Synchronization with Parent Node


Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.

Step 2 Set global network parameters.

1. Choose Configuration > Global Parameters.
2. Configure a transport network.
3. Set IPSec encryption parameters.
Select Encryption algorithm and click Generate. A PSK is generated.
4. Configure device activation security.
Enter a URL encryption key, and set Token validity period.
5. Click Apply Changes.
6. Click Virtual Network. The Virtual Network page is displayed.
7. Configure a route.
Enter the AS number of the BGP route. The default value is 65001.
8. Select the number of sites and add an address pool.
9. Add the DNS server IP address.
10. Click Apply Changes.


Step 3 Add devices in batches based on ESNs.
1. Choose Device Management > Device List. The Device List page is displayed.
2. Click Add Device and set Addition method to Batch import.
3. Click Template to download the template file.
4. Fill in the template with required information and save the file.

5. Click , select the configured template file, and click Upload.


6. Confirm the imported data, select the data to be created for CPEs, and click OK.

Step 4 Create three site templates for the hub sites, aggregation sites, and branch sites separately.
1. Choose Configuration > Site > Template. On the Site Template page that is displayed,
click Create.
2. Enter the template information and click OK.
- Hub site template
- Aggregation site template
- Branch site template


Step 5 Create hub sites, aggregation sites, and branch sites.

1. Choose Configuration > Site.
2. On the Site page that is displayed, click Create. Set Creation mode to Single.
3. Enter the site information, and select the site template configured in the previous step.
For a branch site, you need to select the hub site to which it connects.
4. Under Add Device, select the devices added in the previous step.
5. Click OK.
- Hub sites
- Aggregation site Agg1 and branch sites in the region
- Aggregation site Agg2 and branch sites in the region

Step 6 Configure ZTP for sites.

1. Configure WAN links for hub sites.
a. Choose Configuration > Site > ZTP Configuration. The ZTP Configuration
page is displayed.
b. In the Not Activated list, click the created site. The WAN Link page displays link
information.
c. Click in the Operation column.
d. In the Set WAN Link dialog box that is displayed, configure WAN link parameters
of the site.
e. Click Apply Changes to complete the WAN link configuration.
– WAN link configuration for Hub1
– WAN link configuration for Hub2

2. Configure NTP for hub sites.


a. Click NTP.
b. On the NTP page that is displayed, select a time zone. Enter the NTP information
and click Apply Changes to complete the NTP configuration.
– NTP configuration for Hub1

– NTP configuration for Hub2


3. Configure WAN links for the aggregation sites and branch sites.
Perform the same operations as those for the hub sites to configure WAN link parameters
for the aggregation sites and branch sites, and click Apply Changes.
– WAN link configuration for Agg1
– WAN link configuration for Site2
– WAN link configuration for Site3
– WAN link configuration for Agg2
– WAN link configuration for Site4
– WAN link configuration for Site5
– WAN link configuration for Site6

4. Configure ZTP at the aggregation sites and branch sites.


a. Choose Configuration > Site > ZTP Configuration. The ZTP Configuration
page is displayed.
b. In the Not Activated list, click the created site, and click NTP.
c. On the NTP page that is displayed, select a time zone.
d. Set NTP client mode to Automatic Synchronization with Parent Node.
e. Click Apply Changes.

----End

2.1.3 Configuring WAN-side Routes for Sites (Underlay Network)


2.1.3.1 Configuring BGP Routes

Related Products
Agile Controller-Campus: V300R003C00

AR: V300R003C00

Networking Requirements
Figure 2-8 shows the SD-WAN networking of Enterprise A. On this network, the MPLS
network and Internet (both on the WAN side) provide BGP routes. During the setup of an SD-
WAN network, the tenant administrator needs to configure connectivity between the CPEs
and the WAN-side network.

Figure 2-8 Enterprise networking

Solution Design
Based on customer requirements and the networking plan, the tenant administrator has created
the hub site and branch sites. To configure routes for the underlay network, perform the
following tasks:

1. BGP is supported in the WAN-side network, allowing BGP routes to be configured on
the underlay network for connecting the CPEs to the WAN-side network. To improve the
security of the BGP routing protocol, MD5 authentication is enabled.
2. Information about BGP peers needs to be configured on the CPE at each site to enable
interconnection between the site and the MPLS network and between the site and the
Internet. No routing policy needs to be configured because currently there is no need to
restrict the network segments in which BGP routes are advertised and received. This
means all BGP routes are advertised and received in every network segment.
3. The Internet link at Site2 obtains a dynamic IP address through PPPoE, and the IP
address of the BGP peer is 10.100.3.1, as provided by the network provider.

Data Plan

Table 2-46 BGP route information

Site | Hub1 | Site2 | Site3
Advanced Settings: Default route redistribution | ON | OFF | OFF

Site | Hub1 | Hub1 | Site2 | Site2 | Site3 | Site3
Device | Hub1_1 | Hub1_2 | Site2_1 | Site2_1 | Site3_1 | Site3_2
Peer IP | 172.16.1.2 | 10.100.1.2 | 172.16.1.10 | 10.100.3.1 | 172.16.1.14 | 10.100.2.2
Peer AS | 100 | 200 | 100 | 200 | 100 | 200
Local AS | 101 | 102 | 104 | 104 | 105 | 106
Keepalive time (s) | 60 | 60 | 60 | 60 | 60 | 60
Hold time (s) | 180 | 180 | 180 | 180 | 180 | 180
MD5 encrypt | admin123 | admin123 | admin123 | admin123 | admin123 | admin123
WAN link | MPLS | Internet | MPLS | Internet | MPLS | Internet
Routing Policy: Export | OFF | OFF | OFF | OFF | OFF | OFF
Routing Policy: Import | OFF | OFF | OFF | OFF | OFF | OFF

Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.

Step 2 Finish creating sites.

Step 3 Configure BGP routes for the underlay network of the hub site.
1. Choose Configuration > Site > Underlay Configuration.
2. Select Hub1 from the left list and click WAN Route.
3. On the WAN Route page that is displayed, click Click Here to Add Routing Protocol
and select BGP.
4. On the BGP page, click Advanced Settings and enable Default route redistribution.


5. On the BGP page, click Create and set BGP route parameters.

6. Click Apply Changes.


Step 4 Configure BGP routes for the underlay networks of the branch sites.
Perform the same operations as those for the hub site to complete BGP route parameter
configuration for the branch sites and click Apply Changes.

- BGP route configuration for Site2
- BGP route configuration for Site3


----End

2.1.3.2 Configuring BGP and Static Routes

Related Products
Agile Controller-Campus: V300R003C00
AR: V300R003C00

Networking Requirements
Figure 2-9 shows the SD-WAN networking of Enterprise A. During the setup of an SD-WAN
network, the tenant administrator needs to configure connectivity between the CPEs and the
WAN-side network.


Figure 2-9 Enterprise networking

Solution Design
Based on customer requirements and the networking plan, the tenant administrator has created
the hub site and branch sites. To configure routes for the underlay network, perform the
following tasks:
1. BGP is supported in the MPLS network on the WAN side, allowing BGP routes to be
configured on the underlay network for connecting the CPEs and the MPLS network. To
improve the security of the BGP routing protocol, MD5 authentication is enabled.
2. Since BGP is not supported in the Internet, static routes need to be configured to connect
the CPEs to the Internet.
3. The information about BGP peers needs to be configured on the CPE of each site to
enable interconnection between the site and the MPLS network. No routing policy needs
to be configured because currently there is no need to restrict the network segments in
which BGP routes are advertised and received. This means all BGP routes are advertised
and received in every network segment.
4. When configuring static routes for Internet access, you need to configure a default route.
The Internet link at Site2 obtains a dynamic IP address through PPPoE. Therefore, an
outbound interface is specified as the next hop of the default route. To quickly detect
network faults, you are advised to set an IP address that is reachable through a public
network route as a probe address. The system then creates an NQA instance using this
address as the destination address for detecting link connectivity. In this example, the
probe address is 10.110.42.160.


Data Plan

Table 2-47 BGP route information

Item | Hub1 | Site2 | Site3
Advanced Settings: Default route redistribution | ON | OFF | OFF
Device | Hub1_1 | Site2_1 | Site3_1
Peer IP | 172.16.1.2 | 172.16.1.10 | 172.16.1.14
Peer AS | 100 | 100 | 100
Local AS | 101 | 104 | 105
Keepalive time (s) | 60 | 60 | 60
Hold time (s) | 180 | 180 | 180
MD5 encrypt | admin123 | admin123 | admin123
WAN link | MPLS | MPLS | MPLS
Routing Policy: Export | OFF | OFF | OFF
Routing Policy: Import | OFF | OFF | OFF

Table 2-48 Static route information

Site | Hub1 | Hub1 | Site2 | Site2 | Site3 | Site3
Device | Hub1_2 | Hub1_2 | Site2_1 | Site2_1 | Site3_2 | Site3_2
Priority | 60 | 60 | 60 | 60 | 60 | 60
WAN link | Internet | Internet | Internet | Internet | Internet | Internet
Destination address/mask | 0.0.0.0/0 | 10.110.42.160/32 | 0.0.0.0/0 | 10.110.42.160/32 | 0.0.0.0/0 | 10.110.42.160/32
Next-hop type | IP address | IP address | Outbound interface | Outbound interface | IP address | IP address
IP address | 10.100.1.2 | 10.100.1.2 | - | - | 10.100.2.2 | 10.100.2.2
Track | ON | OFF | ON | OFF | ON | OFF
Target | 10.110.42.160 | - | 10.110.42.160 | - | 10.110.42.160 | -

Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.

Step 2 Finish creating sites.

Step 3 Configure routes for the underlay network of the hub site.
1. Choose Configuration > Site > Underlay Configuration.
2. Select Hub1 from the left list and click WAN Route.
3. On the WAN Route page that is displayed, click Click Here to Add Routing Protocol
and select BGP.
4. On the BGP page, click Advanced Settings and enable Default route redistribution.

5. On the BGP page, click Create and set BGP route parameters.


6. On the WAN Route page that is displayed, click and select Static. Click Create and
set static route parameters. On the main page, click Apply Changes.


Step 4 Configure routes for the underlay networks of the branch sites.
1. Perform the same operations as those for the hub site to complete BGP route parameter
configuration for Site2 and click Apply Changes.

2. Configure static routes for Site2, and click Apply Changes.


3. Configure BGP routes for Site3, and click Apply Changes.

4. Configure static routes for Site3, and click Apply Changes.


----End

2.1.3.3 Configuring OSPF Routes

Related Products
Agile Controller-Campus: V300R003C00
AR: V300R003C00

Networking Requirements
Figure 2-10 shows the SD-WAN networking of Enterprise A. On this network, the WAN-side
network is a VPLS network, that is, a Layer 2 MPLS network. During the setup of an SD-
WAN network, the tenant administrator has created the hub sites and branch sites. Routes
need to be configured for the underlay network.


Figure 2-10 Enterprise networking

Solution Design
1. The MPLS network on the WAN side provides OSPF routes. This allows OSPF routes to
be configured on the underlay network for connecting the CPEs to the MPLS network.
2. OSPF process information needs to be configured on the CPEs of each site to enable
interconnection between the site and the MPLS network through OSPF routes. No
routing policy needs to be configured because currently there is no need to restrict the
network segments in which OSPF routes are advertised and received. This means all
OSPF routes are advertised and received in every network segment.

Data Plan

Table 2-49 OSPF routing information at the hub sites

Item | Hub1 | Hub1 | Hub2 | Hub2
Device | Hub1_1 | Hub1_2 | Hub2_1 | Hub2_2
Process ID | 501 | 501 | 501 | 501
WAN link | MPLS1 | MPLS2 | MPLS1 | MPLS2
Common Parameter: Default route advertisement | ON | ON | ON | ON
Common Parameter: Default route cost | 1 | 2 | 3 | 4
Common Parameter: Internal preference | 10 | 10 | 10 | 10
Common Parameter: ASE preference | 150 | 150 | 150 | 150
Interface Parameter: Area ID | 0 | 0 | 0 | 0
Interface Parameter: Interface Name | GE3/0/0 | GE3/0/0 | GE3/0/0 | GE3/0/0
Interface Parameter: Authentication Mode | None | None | None | None
Interface Parameter: Hello Timer | 10 | 10 | 10 | 10
Interface Parameter: DR Priority | 0 | 0 | 0 | 0
Interface Parameter: Cost | - | - | - | -
Route Redistribute | - | - | - | -
Router Filter: Export filter | OFF | OFF | OFF | OFF
Router Filter: Import filter | OFF | OFF | OFF | OFF

Table 2-50 OSPF routing information at the aggregation and branch sites

Values common to every entry: Default route advertisement OFF, Internal preference 10,
ASE preference 150, Area ID 0, Authentication Mode None, Hello Timer 10, DR Priority 0,
Cost -, Route Redistribute -, Export filter OFF, Import filter OFF.

Site | Device | Process ID | WAN link | Interface Name
Agg1 | Agg1_1 | 501 | MPLS1 | GE3/0/0
Agg1 | Agg1_1 | 502 | MPLS2 | GE3/0/1
Site2 | Site2_1 | 501 | MPLS1 | GE0/0/0
Site2 | Site2_1 | 502 | MPLS2 | GE0/0/4
Site3 | Site3_1 | 501 | MPLS1 | GE0/0/4
Agg2 | Agg2_1 | 501 | MPLS1 | GE3/0/0
Site4 | Site4_1 | 501 | MPLS1 | GE0/0/4
Site5 | Site5_1 | 501 | MPLS1 | GE0/0/4
Site6 | Site6_1 | 501 | MPLS2 | GE0/0/4

Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.

Step 2 Finish creating sites.

Step 3 Configure routes for the underlay network of the hub site.
1. Choose Configuration > Site > Underlay Configuration.
2. Select Hub1 from the left list and click WAN Route.
3. On the WAN Route page that is displayed, click Click Here to Add Routing Protocol
and select OSPF.
4. On the OSPF page, click Create and set OSPF route parameters. On the main page,
click Apply Changes.


5. Configure OSPF routes for Hub2, and click Apply Changes.


Step 4 Configure routes for the underlay networks of the aggregation sites and branch sites.
1. In the list on the left, select Agg1, and configure OSPF routes. On the main page, click
Apply Changes.


2. In the list on the left, select Site2, and configure OSPF routes. On the main page, click
Apply Changes.


3. In the list on the left, select Site3, and configure OSPF routes. On the main page, click
Apply Changes.


4. In the list on the left, select Agg2, and configure OSPF routes. On the main page, click
Apply Changes.

5. In the list on the left, select Site4, and configure OSPF routes. On the main page, click
Apply Changes.


6. In the list on the left, select Site5, and configure OSPF routes. On the main page, click
Apply Changes.

7. In the list on the left, select Site6, and configure OSPF routes. On the main page, click
Apply Changes.


----End

2.1.3.4 Configuring OSPF and BGP Routes

Related Products
Agile Controller-Campus: V300R003C00
AR: V300R003C00

Networking Requirements
Figure 2-11 illustrates the SD-WAN networking of Enterprise A. On this network, the WAN-
side enterprise networks are a Layer 2 MPLS network and the Internet. The IP address of the
MPLS network gateway is 172.16.1.254/24, and BGP is supported in the WAN-side Internet.
During the setup of an SD-WAN network, the tenant administrator has created the hub sites
and branch sites. Routes need to be configured for the underlay networks.


Figure 2-11 Enterprise networking

Solution Design
1. The MPLS network on the WAN side is a Layer 2 network. On the underlay network,
OSPF routes can be configured to connect the CPEs to the MPLS network.
2. BGP is supported in the Internet, allowing BGP routes to be configured on the underlay
network for connecting the CPEs to the MPLS network. To improve the security of the
BGP routing protocol, MD5 authentication is enabled.
3. OSPF process information needs to be configured on the CPEs of each site to enable
interconnection between the site and the MPLS network through OSPF routes. The CPE
in the active hub site acts as the designated router (DR) in the OSPF area whereas the
CPE in the standby hub site acts as the backup designated router (BDR) in the OSPF
area. No routing policy needs to be configured because currently there is no need to
restrict the network segments in which OSPF routes are advertised and received. This
means all OSPF routes are advertised and received in every network segment.
4. The information about BGP peers needs to be configured on the CPE of each site to
enable interconnection between the site and the MPLS network. The Internet link at
Site3 obtains a dynamic IP address through PPPoE, and the IP address of the BGP peer
is 10.100.5.2, as provided by the network provider. No routing policy needs to be
configured because currently there is no need to restrict the network segments in which
BGP routes are advertised and received. This means all BGP routes are advertised and
received in every network segment.

Data Plan

Table 2-51 OSPF route information

Item | Hub1 | Hub2 | Site2 | Site2 | Site3
Device | Hub1_1 | Hub2_1 | Site2_1 | Site2_1 | Site3_1
Process ID | 501 | 501 | 501 | 502 | 501
WAN link | MPLS1 | MPLS1 | MPLS1 | MPLS2 | MPLS1
Common Parameter: Default route advertisement | ON | ON | OFF | OFF | OFF
Common Parameter: Default route cost | 10 | 11 | - | - | -
Common Parameter: Internal preference | 10 | 10 | 10 | 10 | 10
Common Parameter: ASE preference | 150 | 150 | 150 | 150 | 150
Interface Parameter: Area ID | 0 | 0 | 0 | 0 | 0
Interface Parameter: Interface Name | GE3/0/0 | GE3/0/0 | GE0/0/0 | GE0/0/4 | GE0/0/0
Interface Parameter: Authentication Mode | None | None | None | None | None
Interface Parameter: Hello Timer | 10 | 10 | 10 | 10 | 10
Interface Parameter: DR Priority | 255 | 254 | 0 | 0 | 0
Interface Parameter: Cost | - | - | - | - | -
Route Redistribute | - | - | - | - | -
Router Filter: Export filter | OFF | OFF | OFF | OFF | OFF
Router Filter: Import filter | OFF | OFF | OFF | OFF | OFF
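The DR/BDR roles in the solution design (active hub CPE with DR priority 255 as DR, standby hub CPE with 254 as BDR, branch CPEs with 0) come out of the OSPF election in RFC 2328 section 9.4. The Python below is an added example, not code from this guide or from the Agile Controller-Campus; it runs a simplified election from one router's view of the Hello declarations on the MPLS1 segment of Table 2-51, and also shows the non-preemptive case that a practitioner should plan for: an already-declared DR keeps the role even when a higher-priority CPE rejoins. Router IDs are constructed sample values.

```python
"""OSPF DR/BDR election (RFC 2328, section 9.4), simplified.

Added example, not part of the Huawei guide. It reproduces the election for
the DR priorities in Table 2-51 and shows that the election is not
preemptive: a higher-priority CPE that joins later does not displace an
already-declared DR. Router IDs are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


@dataclass
class Router:
    name: str
    router_id: str              # constructed sample value
    priority: int               # 0 means ineligible (branch CPEs in Table 2-51)
    declared_dr: bool = False   # this router lists itself as DR in its Hello
    declared_bdr: bool = False  # this router lists itself as BDR in its Hello


def _best(candidates: List[Router]) -> Optional[Router]:
    """Highest priority wins; ties go to the numerically higher Router ID."""
    if not candidates:
        return None
    return max(candidates,
               key=lambda r: (r.priority, int(IPv4Address(r.router_id))))


def _elect_bdr(pool: List[Router]) -> Optional[Router]:
    """RFC 2328 step 2: routers already declaring themselves BDR are preferred."""
    declaring = [r for r in pool if r.declared_bdr]
    return _best(declaring) if declaring else _best(pool)


def elect(routers: List[Router]) -> Tuple[Optional[str], Optional[str]]:
    """Return (DR name, BDR name) for one multi-access segment."""
    eligible = [r for r in routers if r.priority > 0]
    not_declaring_dr = [r for r in eligible if not r.declared_dr]
    bdr = _elect_bdr(not_declaring_dr)
    # Step 3: a router already declaring itself DR keeps the role (no
    # preemption); only when nobody does is the BDR promoted.
    declaring_dr = [r for r in eligible if r.declared_dr]
    if declaring_dr:
        dr = _best(declaring_dr)
    else:
        dr = bdr
        # Step 4: the promoted BDR left the BDR pool, so re-run step 2.
        bdr = _elect_bdr([r for r in not_declaring_dr if r is not dr])
    return (dr.name if dr else None, bdr.name if bdr else None)


def table_2_51_segment(declared: Optional[str] = None) -> List[Router]:
    """MPLS1 segment of Table 2-51; 'declared' names a router already acting as DR."""
    return [
        Router("Hub1_1", "10.0.0.1", 255, declared_dr=(declared == "Hub1_1")),
        Router("Hub2_1", "10.0.0.2", 254, declared_dr=(declared == "Hub2_1")),
        Router("Site2_1", "10.0.0.3", 0),
        Router("Site3_1", "10.0.0.4", 0),
    ]


def initial_election() -> Tuple[Optional[str], Optional[str]]:
    """All CPEs come up together: Hub1_1 becomes DR, Hub2_1 becomes BDR."""
    return elect(table_2_51_segment())


def hub1_rejoins_after_failover() -> Tuple[Optional[str], Optional[str]]:
    """Hub2_1 already holds DR; Hub1_1 returning with priority 255 only gets BDR."""
    return elect(table_2_51_segment(declared="Hub2_1"))


if __name__ == "__main__":
    print(initial_election())             # ('Hub1_1', 'Hub2_1')
    print(hub1_rejoins_after_failover())  # ('Hub2_1', 'Hub1_1')
```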

Table 2-52 BGP route information

Item | Hub1 | Hub2 | Site3 | Site4 | Site4
Advanced Settings: Default route redistribution | ON | ON | OFF | OFF | OFF
Device | Hub1_2 | Hub2_2 | Site3_2 | Site4_1 | Site4_2
Peer IP | 10.100.1.2 | 10.100.2.2 | 10.100.5.2 | 10.100.3.2 | 10.100.4.2
Peer AS | 100 | 100 | 100 | 100 | 100
Local AS | 101 | 102 | 103 | 104 | 105
Keepalive time (s) | 60 | 60 | 60 | 60 | 60
Hold time (s) | 180 | 180 | 180 | 180 | 180
MD5 encrypt | admin123 | admin123 | admin123 | admin123 | admin123
WAN link | Internet1 | Internet1 | Internet1 | Internet1 | Internet2
Routing Policy: Export | OFF | OFF | OFF | OFF | OFF
Routing Policy: Import | OFF | OFF | OFF | OFF | OFF
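Sections 2.1.3.1, 2.1.3.2 and this section all enable MD5 authentication for the BGP sessions and carry the shared secret in the MD5 encrypt field. The Python below is an added example, not code from this guide or from the AR products; it implements the RFC 2385 TCP MD5 signature that this setting turns on, signing a BGP KEEPALIVE segment and then verifying it with the right key, a wrong key and a tampered payload, to make the point that the key authenticates each TCP segment of the session but does not encrypt the routing data. The CPE address and source port are constructed sample values; the peer address and key are those of Site2_1 in Table 2-46.

```python
"""RFC 2385 TCP MD5 signature for a BGP session.

Added example, not part of the Huawei guide: it shows what the "MD5 encrypt"
value in the BGP data plan protects. The shared key signs every TCP segment
of the session (option kind 19); it authenticates the segment and does not
encrypt the BGP payload. The CPE address and port are constructed sample
values; the peer address and key are taken from Table 2-46.
"""
import hashlib
import hmac
import ipaddress
import struct

TCPOPT_MD5SIG = 19       # option kind assigned by RFC 2385
TCPOPT_MD5SIG_LEN = 18   # kind (1) + length (1) + 16-byte digest
IPPROTO_TCP = 6


def bgp_keepalive() -> bytes:
    """BGP KEEPALIVE: 16-byte all-ones marker, length 19, type 4 (RFC 4271)."""
    return b"\xff" * 16 + struct.pack("!HB", 19, 4)


def build_tcp_header(src_port: int, dst_port: int, seq: int, ack: int,
                     flags: int, window: int, options_len: int) -> bytes:
    """Fixed 20-byte TCP header; the data offset accounts for the options."""
    data_offset = (20 + options_len) // 4
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset << 4, flags, window, 0, 0)


def tcp_md5_digest(src_ip: str, dst_ip: str, tcp_header: bytes,
                   payload: bytes, key: bytes) -> bytes:
    """MD5 over pseudo-header, fixed TCP header (checksum zeroed, options
    excluded), segment data and finally the key, as RFC 2385 specifies."""
    if len(tcp_header) != 20:
        raise ValueError("fixed TCP header must be 20 bytes")
    seg_len = (tcp_header[12] >> 4) * 4 + len(payload)  # header+options+data
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, IPPROTO_TCP, seg_len))
    header = tcp_header[:16] + b"\x00\x00" + tcp_header[18:]
    return hashlib.md5(pseudo + header + payload + key).digest()


def sign_segment(src_ip, dst_ip, tcp_header, payload, key) -> bytes:
    """Sender side: options block holding the MD5SIG option plus two NOPs of padding."""
    digest = tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key)
    return bytes([TCPOPT_MD5SIG, TCPOPT_MD5SIG_LEN]) + digest + b"\x01\x01"


def verify_segment(src_ip, dst_ip, tcp_header, options, payload, key) -> bool:
    """Receiver side: find option kind 19, recompute, compare in constant time.

    A segment without the option is rejected, which is what RFC 2385 requires
    once signing is configured on the session.
    """
    received = None
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                      # end of option list
            break
        if kind == 1:                      # NOP, one byte
            i += 1
            continue
        if i + 1 >= len(options):
            return False                   # truncated option header
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return False                   # malformed length
        if kind == TCPOPT_MD5SIG and length == TCPOPT_MD5SIG_LEN:
            received = options[i + 2:i + length]
        i += length
    if received is None:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key)
    return hmac.compare_digest(received, expected)


def demo() -> tuple:
    """Sign a KEEPALIVE from a CPE to its MPLS peer, then check three receivers."""
    key = b"admin123"                        # "MD5 encrypt" value from Table 2-46
    cpe, peer = "192.0.2.10", "172.16.1.10"  # cpe constructed; peer is Site2_1's peer IP
    payload = bgp_keepalive()
    hdr = build_tcp_header(50001, 179, 1000, 2000, 0x18, 65535, 20)  # PSH|ACK
    opts = sign_segment(cpe, peer, hdr, payload, key)
    good = verify_segment(cpe, peer, hdr, opts, payload, key)
    wrong_key = verify_segment(cpe, peer, hdr, opts, payload, b"admin124")
    tampered = verify_segment(cpe, peer, hdr, opts, payload[:-1] + b"\x03", key)
    return good, wrong_key, tampered


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```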

Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.

Step 2 Finish creating sites.

Step 3 Configure routes for the underlay network of the hub sites.
1. Choose Configuration > Site > Underlay Configuration.
2. Select Hub1 from the left list and click WAN Route.
3. On the WAN Route page that is displayed, click Click Here to Add Routing Protocol
and select OSPF.
4. On the OSPF page, click Create and set OSPF route parameters. On the main page,
click Apply Changes.


5. On the WAN Route page that is displayed, click and select BGP.
6. On the BGP page, click Advanced Settings and enable Default route redistribution.

7. On the BGP page, click Create and set BGP route parameters. On the main page, click
Apply Changes.


8. Perform the same operations to complete the OSPF route configuration for Hub2, and
click Apply Changes.

9. Perform the same operations to complete the BGP configuration for Hub2, and click
Apply Changes.


Step 4 Configure routes for the underlay networks of the branch sites.
1. In the list on the left, select Site2, and configure OSPF routes. On the main page, click
Apply Changes.


2. In the list on the left, select Site3, and configure OSPF routes. On the main page, click
Apply Changes.


3. In the list on the left, select Site3, and configure BGP routes. On the main page, click
Apply Changes.

4. In the list on the left, select Site4, and configure BGP routes. On the main page, click
Apply Changes.


----End

2.1.4 Configuring Multi-VPN Isolation

2.1.4.1 Configuring Multiple VPNs

Related Products
Agile Controller-Campus: V300R003C00
AR: V300R003C00

Networking Requirements
Figure 2-12 shows the SD-WAN networking of an enterprise. On the SD-WAN network built
by the tenant administrator, the R&D and marketing departments of the enterprise need to
isolate their services and deploy them independently.


Figure 2-12 Enterprise networking

Solution Design
Based on customer requirements and the networking plan, the tenant administrator has created
the hub sites and branch sites, and has completed the underlay network configurations. To
implement service isolation between the two departments on the overlay, perform the
following tasks:

1. Configure VPNs for the two departments. Configure VPN2 for the marketing
department, and perform network and service configurations for this department in
VPN2.
2. Enable the R&D department to use the default VPN, VPN-Default, avoiding the need to
configure another VPN.
3. Configure services in the two VPNs separately.

Data Plan

Table 2-53 VPN information


Item Value

Name MKT

Description -

Sites Hub1, Hub2, Agg1, Site2, Site3, Agg2, Site4, Site5, Site6

VRF Instance vpn2

Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.

Step 2 Create sites and configure WAN-side routes on the underlay network.

Step 3 Configure multiple VPNs and add sites to VPNs.


1. Choose Configuration > Overlay Network > VPN.
2. On the VPN page that is displayed, click Create. In the dialog box that is displayed, set
Name to MKT.

3. Select the sites to be added to the VPN and click the add icon.


4. Click OK.

Step 4 Configure overlay networks, traffic policies, and security policies in the VPN-Default and
MKT VPN.

----End

2.1.5 Configuring LAN-side Interfaces for Sites (Overlay Network)

2.1.5.1 Configuring Interconnection Between VLANs and LAN-side Networks

Related Products
Agile Controller-Campus: V300R003C00

AR: V300R003C00

Networking Requirements
Figure 2-13 shows the SD-WAN networking of an enterprise. On the SD-WAN network
constructed by the tenant administrator, different users at Site2 (a branch site) operate the
same services in different network segments. User hosts transmitting the same services belong
to different VLANs and need to communicate with one another.

Figure 2-13 Enterprise networking

Solution Design
Based on customer requirements and the networking plan, the tenant administrator has created
the hub site and branch sites, and has completed the underlay network configurations. To
implement interconnection between VLANs and LAN-side overlay networks, perform the
following tasks:

1. Add LAN-side interfaces to VLANs and configure the interfaces to permit packets of the
VLANs that users belong to.
2. Configure IP addresses for VLANIF interfaces for Layer 3 connectivity.
3. To implement inter-VLAN communication, hosts in each VLAN must use the IP address
of the corresponding VLANIF interface as the default gateway address.

Data Plan

Table 2-54 VLAN information

Site                 Hub1                      Site2                        Site3
Device               Hub1_1       Hub1_2       Site2_1        Site2_1       Site3_1        Site3_2
VLAN ID              10           10           10             20            10             10
Physical interfaces  GE8/0/2      GE8/0/2      GE0/0/1        GE0/0/2       GE0/0/2        GE0/0/2
Mode                 Untag        Untag        Untag          Untag         Untag          Untag
IP address           10.1.1.1/24  10.1.1.2/24  10.3.1.254/24  10.4.1.254/24 10.5.1.252/24  10.5.1.253/24
Trust mode           Trust        Trust        Trust          Trust         Trust          Trust

Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.

Step 2 Finish creating sites.

Step 3 Configure a VLAN for Hub1.


1. Choose Configuration > Overlay Network > Site Configuration.
2. Select Hub1 from the list on the left and click the VLAN tab in the right pane.
3. Click Create and enter VLAN information. On the main page, click Apply Changes.
– VLAN configurations for Hub1_1

– VLAN configurations for Hub1_2

Step 4 Configure a VLAN for Site2.


Perform the same operations as those for the hub site to configure a VLAN for Site2.
– VLAN configuration for Site2_1

Step 5 Perform the same operations as those for Site2 to configure a VLAN for Site3.
– VLAN configuration for Site3_1

– VLAN configuration for Site3_2

----End

2.1.5.2 Configuring Interconnection Between VLANs and LAN-side Networks and Configuring a VRRP Group

Related Products
Agile Controller-Campus: V300R003C00

AR: V300R003C00

Networking Requirements
Figure 2-14 shows the SD-WAN networking of an enterprise. On the SD-WAN network
constructed by the tenant administrator, the dual gateways at the branch site Site3, that is,
Site3_1 and Site3_2, are connected to the Layer 2 network of VLAN 10, and all users are
located in the same network segment. Hosts are dual-homed to Site3_1 and Site3_2
through Layer 2 switches. The user requirements are as follows:

l Hosts at Site3 use Site3_1 as the master gateway to connect to the MPLS network. If
Site3_1 fails, Site3_2 assumes the role of the master, implementing gateway backup.
l Site3_1 becomes the master gateway again after it recovers.

Figure 2-14 Enterprise networking diagram

Solution Design
Based on customer requirements and the networking plan, the tenant administrator has created
the hub site and branch sites, and has completed the underlay network configurations. To
implement interconnection between VLANs and LAN-side overlay networks, as well as
deploy the VRRP master and backup gateways, perform the following tasks:

1. Add LAN-side interfaces to VLANs and configure the interfaces to permit packets of the
VLANs that users belong to.
2. Configure IP addresses for VLANIF interfaces for Layer 3 connectivity.
3. Configure the VRRP master and backup gateways. Create a VRRP group and configure
a virtual IP address for this VRRP group.
Site3_1 functions as the master gateway to forward traffic and has a preemption delay
of 20s, so that after it recovers it waits for its routes to converge before reclaiming the
master role. Site3_2 functions as the backup gateway to ensure gateway redundancy, and
has a preemption delay of 0, meaning immediate preemption.

Data Plan

Table 2-55 VLAN information

Site                 Hub1                      Site2                        Site3
Device               Hub1_1       Hub1_2       Site2_1        Site2_1       Site3_1        Site3_2
VLAN ID              10           10           10             20            10             10
Physical interfaces  GE8/0/2      GE8/0/2      GE0/0/1        GE0/0/2       GE0/0/2        GE0/0/2
Mode                 Untag        Untag        Untag          Untag         Untag          Untag
IP address           10.1.1.1/24  10.1.1.2/24  10.3.1.254/24  10.4.1.254/24 10.5.1.252/24  10.5.1.253/24
Trust mode           Trust        Trust        Trust          Trust         Trust          Trust
VRRP                 OFF          OFF          -              -             ON             ON
VRRP ID              -            -            -              -             10             10
Virtual IP           -            -            -              -             10.5.1.254     10.5.1.254
Default role         -            -            -              -             Master         Backup
Preempt delay (s)    -            -            -              -             20             0
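
The VRRP values in the data plan above can be sanity-checked before they are applied. The following Python script is an added example and is not part of this guide or of the Agile Controller-Campus product: it encodes the Site3 rows of the table (device, VLAN, VLANIF address, VRID, virtual IP, role, preempt delay) and checks the conditions a dual-gateway VRRP group must meet, namely one VLAN and one subnet for both members, unique real addresses, one VRID and one virtual IP that lies inside the subnet but does not collide with a real address, and exactly one master with a non-zero preempt delay. The GatewayPlan class, the check_vrrp_group function and the deliberately broken second plan are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class GatewayPlan:
    """One gateway's row of the VRRP data plan (values taken from Table 2-55)."""
    device: str
    vlan_id: int
    address: str         # VLANIF address with prefix length, e.g. "10.5.1.252/24"
    vrrp_id: int
    virtual_ip: str
    role: str            # "Master" or "Backup"
    preempt_delay: int   # seconds


def check_vrrp_group(gateways: List[GatewayPlan]) -> List[str]:
    """Return the inconsistencies found in one VRRP group's plan; an empty list means it is sound."""
    problems: List[str] = []
    if len(gateways) < 2:
        return ["a VRRP group needs at least two gateways"]

    ifaces = [ipaddress.ip_interface(g.address) for g in gateways]
    reals = [i.ip for i in ifaces]
    networks = {i.network for i in ifaces}

    # Members must share a VLAN and a subnet, otherwise VRRP advertisements never meet.
    if len({g.vlan_id for g in gateways}) != 1:
        problems.append("gateways are not in the same VLAN")
    if len(networks) != 1:
        problems.append("VLANIF addresses span several subnets: "
                        + ", ".join(str(n) for n in sorted(networks)))

    # Real addresses must be unique; a duplicate breaks ARP for every host on the segment.
    if len(set(reals)) != len(reals):
        problems.append("duplicate VLANIF address: " + ", ".join(str(r) for r in reals))

    # One VRID and one virtual IP for the whole group.
    if len({g.vrrp_id for g in gateways}) != 1:
        problems.append("VRRP IDs differ between gateways")
    vips = {g.virtual_ip for g in gateways}
    if len(vips) != 1:
        problems.append("virtual IPs differ between gateways: " + ", ".join(sorted(vips)))
    else:
        vip = ipaddress.ip_address(next(iter(vips)))
        if len(networks) == 1 and vip not in next(iter(networks)):
            problems.append(f"virtual IP {vip} is outside the VLANIF subnet")
        if vip in reals:
            problems.append(f"virtual IP {vip} collides with a real VLANIF address")

    # Exactly one planned master, with a preempt delay so it converges before reclaiming traffic.
    masters = [g for g in gateways if g.role == "Master"]
    if len(masters) != 1:
        problems.append(f"expected exactly one Master, found {len(masters)}")
    elif masters[0].preempt_delay <= 0:
        problems.append(f"{masters[0].device} preempts immediately; give the master a delay")
    return problems


# Site3 rows from Table 2-55.
SITE3_VRRP = [
    GatewayPlan("Site3_1", 10, "10.5.1.252/24", 10, "10.5.1.254", "Master", 20),
    GatewayPlan("Site3_2", 10, "10.5.1.253/24", 10, "10.5.1.254", "Backup", 0),
]

# Constructed mistake: Site3_2 typed into the wrong subnet and with a different VRID.
BROKEN_PLAN = [
    SITE3_VRRP[0],
    GatewayPlan("Site3_2", 10, "10.5.2.253/24", 11, "10.5.1.254", "Backup", 0),
]

if __name__ == "__main__":
    for name, plan in (("Site3", SITE3_VRRP), ("broken", BROKEN_PLAN)):
        print(name, check_vrrp_group(plan) or "OK")
```

Run the script as-is to see the Site3 plan pass and the constructed plan fail on both the subnet and the VRID. The master-delay check is deliberately a warning about the plan rather than a VRRP rule: VRRP itself allows a delay of 0 on the master, but then a recovering Site3_1 takes traffic back before its WAN routes are up.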

Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.

Step 2 Finish creating sites.

Step 3 Configure a VLAN for Hub1.


1. Choose Configuration > Overlay Network > Site Configuration.
2. Select Hub1 from the list on the left and click the VLAN tab in the right pane.
3. Click Create and enter VLAN information. On the main page, click Apply Changes.
– VLAN configurations for Hub1_1

– VLAN configurations for Hub1_2

Step 4 Configure a VLAN for Site2.


Perform the same operations as those for the hub site to configure a VLAN for Site2.
– VLAN configuration for Site2_1

Step 5 Configure a VLAN for Site3.


1. Choose Configuration > Overlay Network > Site Configuration.

2. Select Site3_1 from the list on the left and click the VLAN tab in the right pane.
3. Click Create to configure VLAN parameters.
4. On the Create VLAN page, click Advanced Settings to configure the VRRP master and
backup gateways.
5. After configuring the VLAN and VRRP, click Apply Changes.
– VLAN configuration for Site3_1

– VRRP configurations for Site3_1

– VLAN configuration for Site3_2

– VRRP configurations for Site3_2

----End

2.1.6 Configuring LAN-side Routes for Sites (Overlay Network)

2.1.6.1 Configuring LAN-side OSPF Routes

Related Products
Agile Controller-Campus: V300R003C00
AR: V300R003C00

Networking Requirements
Figure 2-15 shows the SD-WAN networking of an enterprise. On the SD-WAN network
constructed by the tenant administrator, two gateways at the hub site are connected to hosts
through the same Layer 3 switch. The gateways and Layer 3 switch are in the same VLAN
and therefore belong to the same network segment. The enterprise requires that the gateways
at the hub site communicate with the Layer 3 switch.

Figure 2-15 Enterprise networking

Solution Design
Based on customer requirements and the networking plan, the tenant administrator has created
the hub site and branch sites, and configured LAN-side interfaces on the overlay network. To
configure OSPF routes on the LAN side for interconnection between LAN-side networks,
perform the following tasks:

1. Configure two gateways to run the same OSPF process.
2. Enable OSPF on LAN-side interfaces.

The data plan leaves Authentication Mode set to None on Vlanif10. Where the Layer 3 switch
side of this segment is not fully trusted, set an authentication mode on the OSPF interface so
that only authenticated neighbours can form adjacencies and inject routes.

Data Plan

Table 2-56 LAN-side OSPF route information

Item                                              Value
Device                                            Hub1_1      Hub1_2
Process ID                                        1001        1001
Common Parameter     Default route advertisement  ON          ON
                     Default route cost           1           1
                     Internal preference          10          10
                     ASE preference               150         150
Interface Parameter  Area ID                      0           0
                     Interface Name               Vlanif10    Vlanif10
                     Authentication Mode          None        None
                     Hello Timer                  10          10
                     DR Priority                  0           0
Route Redistribute   Protocol                     -           -
                     Process ID                   -           -
                     Cost                         -           -
Router Filter        Export filter                OFF         OFF
                     Import filter                OFF         OFF

Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.

Step 2 Finish creating sites.

Step 3 Configure LAN-side interfaces on the overlay network of sites.

Step 4 Configure OSPF routes on the LAN side of Hub1.


1. Choose Configuration > Overlay Network > Site Configuration.
2. Select Hub1 from the list on the left and click the LAN Route tab in the right pane.

3. Click Click Here to Add Routing Protocol (or the add icon) and select OSPF.


4. On the OSPF page, click Create to configure OSPF routes and click Apply Changes on
the main page.
– OSPF configurations for Hub1_1

– OSPF configurations for Hub1_2

----End

2.1.6.2 Configuring LAN-side BGP and OSPF Routes

Related Products
Agile Controller-Campus: V300R003C00
AR: V300R003C00

Networking Requirements
Figure 2-16 shows the SD-WAN networking of an enterprise. On the SD-WAN network
constructed by the tenant administrator, two gateways at each of the two hub sites are
connected to hosts through a Layer 3 switch. At Hub1, two gateways and the Layer 3 switch
are in the same VLAN and therefore belong to the same network segment. At Hub2, two
gateways and the Layer 3 switch belong to different VLANs and are located in different
network segments. The enterprise requires that the gateways at the hub sites communicate
with the Layer 3 switch in the same site.

Figure 2-16 Enterprise networking

Solution Design
Based on customer requirements and the networking plan, the tenant administrator has created
the hub sites and branch sites, and configured LAN-side interfaces on the overlay network. To
enable interconnection between LAN-side networks, configure OSPF and BGP routes on the
LAN side.

To configure OSPF routes on the LAN side of Hub1, perform the following tasks:

1. Configure two gateways to run the same OSPF process.
2. Enable OSPF on LAN-side interfaces.

To configure BGP routes on the LAN side of Hub2, perform the following tasks:

1. Configure a BGP peer, specifying an IP address and AS number for the peer.
2. Configure an MD5 authentication password. The value 123456 in the data plan is a
placeholder; in production use a long, unique shared secret and configure the same value
on the Layer 3 switch side of each peering.

Data Plan

Table 2-57 LAN-side OSPF route information

Item                                              Value
Device                                            Hub1_1      Hub1_2
Process ID                                        1001        1001
Common Parameter     Default route advertisement  ON          ON
                     Default route cost           1           1
                     Internal preference          10          10
                     ASE preference               150         150
Interface Parameter  Area ID                      0           0
                     Interface Name               Vlanif10    Vlanif10
                     Authentication Mode          None        None
                     Hello Timer                  10          10
                     DR Priority                  0           0
Route Redistribute   Protocol                     -           -
                     Process ID                   -           -
                     Cost                         -           -
Router Filter        Export filter                OFF         OFF
                     Import filter                OFF         OFF

Table 2-58 BGP routing information on the LAN side

Item                          Value
Device                        Hub2_1       Hub2_2
Peer IP                       10.2.2.254   10.2.1.254
Peer AS                       3000         3000
Local AS                      3001         3001
Keepalive time (s)            -            -
Hold time (s)                 -            -
MD5 encrypt                   123456       123456
Routing Policy   Export       OFF          OFF
                 Import       OFF          OFF

Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.

Step 2 Finish creating sites.

Step 3 Configure LAN-side interfaces on the overlay network of sites.

Step 4 Configure OSPF routes on the LAN side of Hub1.


1. Choose Configuration > Overlay Network > Site Configuration.
2. Select Hub1 from the list on the left and click the LAN Route tab in the right pane.
3. Click Click Here to Add Routing Protocol and select OSPF.
4. On the OSPF page, click Create to configure OSPF routes and click Apply Changes on
the main page.
– OSPF configurations for Hub1_1

– OSPF configurations for Hub1_2

Step 5 Configure BGP routes on the LAN side of Hub2.


1. Choose Configuration > Overlay Network > Site Configuration.
2. Select Hub2, and click LAN Route tab in the right pane.

3. Click the add icon on the page and select BGP.


4. On the BGP page, click Create to configure BGP routes and click Apply Changes on
the main page.
– BGP configurations for Hub2_1

– BGP configurations for Hub2_2

----End

2.1.7 Configuring WAN-side Routes for Sites (Overlay Network)

2.1.7.1 Configuring WAN-side Static Routes

Related Products
Agile Controller-Campus: V300R003C00
AR: V300R003C00

Networking Requirements
Figure 2-17 shows the SD-WAN networking of an enterprise. On the SD-WAN network
constructed by the tenant administrator, the LAN-side networks of each site belong to
different network segments. The enterprise requires that devices in LAN-side networks
communicate with one another.

Figure 2-17 Enterprise networking

Solution Design
Based on customer requirements and the networking plan, the tenant administrator has created
the hub sites and branch sites, and configured LAN-side interfaces on the overlay network. To
configure WAN-side routes on the overlay network, perform the following tasks:

1. At Hub1, configure a WAN-side static route whose next hop points to Branch2.
2. At Hub2, configure a WAN-side static route whose next hop points to Branch2.
3. At Branch2, configure a WAN-side static route whose next hop points to Hub1.

Data Plan

Table 2-59 WAN-side static route information

Item                      Value
Site                      Hub1                      Hub2                      Branch2
Logical Link(s)           Standby logical link(s)   Standby logical link(s)   Standby logical link(s)
Priority                  220                       220                       220
Destination address/mask  10.4.1.0/24, 10.5.1.0/24  10.4.1.0/24, 10.5.1.0/24  0.0.0.0/0
Next-hop type             Site                      Site                      Site
Site                      Branch2                   Branch2                   Hub1, Hub2

Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.

Step 2 Finish creating sites.

Step 3 Configure LAN-side interfaces on the overlay network of sites.

Step 4 Configure WAN-side static routes of Hub1.


1. Choose Configuration > Overlay Network > Site Configuration.
2. Select Hub1 from the list on the left, click WAN Route tab in the right pane, and select
Static.
3. On the Static page, click Create to configure static routes, and click Apply Changes on
the main page.

4. After the configuration is complete, the configured static routes are displayed in the list.

Step 5 Configure WAN-side static routes of Hub2. The operations are the same as those in Step 4.

Step 6 Configure WAN-side static routes of Branch2.


1. Choose Configuration > Overlay Network > Site Configuration.
2. Select Branch2 from the list on the left, click WAN Route tab in the right pane, and
select Static.
3. On the Static page, click Create to configure static routes, and click Apply Changes on
the main page.

4. After the configuration is complete, the configured static routes are displayed in the list.

----End

2.1.8 Configuring Intelligent Traffic Steering

2.1.8.1 Configuring Intelligent Traffic Steering for Services

Related Products
Agile Controller-Campus: V300R003C00

AR: V300R003C00

Networking Requirements
Figure 2-18 shows the SD-WAN networking of Enterprise A. After the tenant administrator
has completed the SD-WAN network deployment, the customer requires that key services,
including voice, video and telephone services, are preferentially transmitted through MPLS
links. To utilize multiple uplinks of a site, as well as improve link reliability and bandwidth
efficiency, active and standby links are configured.

Figure 2-18 Enterprise networking

Solution Design
1. Intelligent traffic steering needs to be enabled at the hub and branch sites to meet
customer requirements.
2. VoIP services can be identified based on application groups. For VoIP services, the active
link group consists of MPLS links and the standby link group consists of Internet links.
Internet links are preferentially used to transmit other services.

Data Plan

Table 2-60 Application group


Item Value

Name test_app_group_VoIP

Description -

Predefined Applications VoIP

Custom Applications -

Table 2-61 Traffic classifier template information

Item                     Value
Traffic classifier name  test_traffic_VoIP      test_traffic_service
Source IP                Any                    Any
Destination IP           Any                    Any
DSCP                     -                      -
Type                     L7                     Any
Application              test_app_group_VoIP    -

Table 2-62 Intelligent traffic steering information about the overlay network

Item                                               Value
Policy name                                        test_traffic_policy_steering   test_steering_service
Traffic Classifier Template                        test_traffic_VoIP              test_traffic_service
Policy Priority                                    1                              2
Switchover Condition   Delay (ms)                  50                             50
                       Jitter (ms)                 50                             50
                       Packet loss rate (‰)        50                             50
Steering Strategy      Primary Transport Network   MPLS                           Internet
                       Secondary Transport Network Internet                       MPLS
Site                                               Hub1, Site2, and Site3         Hub1, Site2, and Site3
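
How the two policies in the table above interact is easier to see in code. The following Python model is an added example; it is neither the AR's steering implementation nor part of this guide. It applies the policies in priority order (the VoIP policy with priority 1 before the catch-all policy with priority 2), treats a transport network as failing the switchover condition as soon as any one of the delay, jitter or packet-loss thresholds is exceeded, and falls back to the secondary transport network. The LinkQuality and SteeringPolicy classes, the choose_transport function, the "Web" application group and the measurement sets are constructed; how the AR combines the three thresholds, and what it does when both links breach them, is not described on this page and is assumed here.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class LinkQuality:
    """Measured quality of one transport network (constructed values below)."""
    delay_ms: float
    jitter_ms: float
    loss_permille: float   # packet loss in per mille, the unit used in Table 2-62


@dataclass(frozen=True)
class SteeringPolicy:
    name: str
    priority: int              # lower number is matched first (assumption)
    app_group: Optional[str]   # None stands for the "Any" classifier
    primary: str               # primary transport network
    secondary: str             # secondary transport network
    max_delay_ms: float = 50
    max_jitter_ms: float = 50
    max_loss_permille: float = 50

    def meets_sla(self, q: LinkQuality) -> bool:
        # Assumption: a link fails the switchover condition as soon as any one threshold is exceeded.
        return (q.delay_ms <= self.max_delay_ms
                and q.jitter_ms <= self.max_jitter_ms
                and q.loss_permille <= self.max_loss_permille)


# The two policies from Table 2-62.
POLICIES = [
    SteeringPolicy("test_traffic_policy_steering", 1, "VoIP", "MPLS", "Internet"),
    SteeringPolicy("test_steering_service", 2, None, "Internet", "MPLS"),
]


def match_policy(app_group: str, policies: List[SteeringPolicy]) -> Optional[SteeringPolicy]:
    """First policy in priority order whose classifier matches the flow's application group."""
    for policy in sorted(policies, key=lambda p: p.priority):
        if policy.app_group is None or policy.app_group == app_group:
            return policy
    return None


def choose_transport(app_group: str, measurements: Dict[str, LinkQuality],
                     policies: List[SteeringPolicy] = POLICIES) -> Optional[str]:
    """Transport network that a flow of the given application group is steered onto."""
    policy = match_policy(app_group, policies)
    if policy is None:
        return None
    primary = measurements.get(policy.primary)
    if primary is not None and policy.meets_sla(primary):
        return policy.primary
    secondary = measurements.get(policy.secondary)
    if secondary is not None and policy.meets_sla(secondary):
        return policy.secondary
    # Both links breach the thresholds: stay on the primary rather than flap (assumed tie-break).
    return policy.primary


# Constructed measurement sets for a site with one MPLS and one Internet link.
HEALTHY = {"MPLS": LinkQuality(20, 5, 1), "Internet": LinkQuality(35, 10, 4)}
MPLS_LOSSY = {"MPLS": LinkQuality(20, 5, 80), "Internet": LinkQuality(35, 10, 4)}
INTERNET_JITTERY = {"MPLS": LinkQuality(20, 5, 1), "Internet": LinkQuality(35, 70, 4)}

if __name__ == "__main__":
    cases = (("healthy", HEALTHY), ("MPLS lossy", MPLS_LOSSY), ("Internet jittery", INTERNET_JITTERY))
    for label, m in cases:
        print(f"{label:17} VoIP -> {choose_transport('VoIP', m)}, other -> {choose_transport('Web', m)}")
```

The model makes one point about the data plan visible: because the catch-all policy lists MPLS as its secondary transport network, a degraded Internet link moves all other traffic onto MPLS alongside VoIP, so the MPLS link must be sized for that case or the catch-all policy needs a different secondary.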

Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.

Step 2 Finish creating sites.

Step 3 Configure an application group.


1. Choose Configuration > Application Management.
2. Click Application Group. On the Application Group page that is displayed, click
Create.
3. Enter the application group information and select the predefined application VoIP.

Step 4 Configure a traffic classifier template.


1. Choose Configuration > Traffic Policy.
2. Click Traffic Classifier Template. Click Create to create a traffic classifier template.
3. Configure a traffic classification rule.

Step 5 Configure intelligent traffic steering policies for the overlay networks.
1. Choose Configuration > Traffic Policy.
2. Click Traffic Steering. On the Traffic Steering tab page, click Create and configure
intelligent traffic steering policies.

3. On the Traffic Steering tab page, click the attach icon in the Operation column of the policy. In
the Attach Sites dialog box that is displayed, select a site to be bound to the policy.
Click the add icon and then click OK.

4. Select the policy to be submitted, click Commit, and select Commit Selected.
5. In the Commit dialog box that is displayed, set Effective time to Immediately and click
OK.

----End

2.1.9 Configuring a Site-to-Internet Policy

2.1.9.1 Configuring Centralized Internet Access Through LAN-side Internet Links of Hubs

Related Products
Agile Controller-Campus: V300R003C00

AR: V300R003C00

Networking Requirements
Figure 2-19 shows the SD-WAN networking of Enterprise A. On this network, the hub sites
connect to the Internet on the LAN side. The enterprise requires that both hub sites and branch
sites access the Internet through Internet links on the LAN side of hub sites.

Figure 2-19 Enterprise networking

Solution Design
The tenant administrator has completed SD-WAN network configurations. There are
reachable routes between CPEs at the active and standby hub sites and the Internet on the
LAN side.

1. Access the Internet in centralized access mode.
2. In centralized access mode, traffic from branch sites to the Internet is forwarded to the
hub sites through the overlay network. After CPEs at the hub sites receive the traffic, the
CPEs forward the traffic to the Internet on the LAN side and forward the traffic from the
Internet to branch sites through the overlay network.

Data Plan

Table 2-63 Site-to-Internet policy information

Item                                        Value
Centralized Internet access   Internet GW   Hub1, Hub2

Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.

Step 2 Finish creating sites.

Step 3 Configure Internet access policies for the overlay networks.


1. Choose Configuration > Traffic Policy.
2. Click Site-to-Internet, and the Site-to-Internet page is displayed.
3. Configure centralized Internet access.

a. Enable Centralized Internet access and click the add icon.
b. In the displayed Select Site dialog box, select the site that provides the Internet
access gateway and click the add icon.
c. Click OK.

4. Click Apply Changes.

----End

2.1.9.2 Configuring Centralized Internet Access Through WAN-side Internet Links of Hubs

Related Products
Agile Controller-Campus: V300R003C00
AR: V300R003C00

Networking Requirements
Figure 2-20 shows the SD-WAN networking of Enterprise A. On this network, the hub site
and branch sites are connected to the Internet through Internet links. The legacy site is directly
connected to the MPLS network through an MPLS link and can only access the Internet
through the hub site. The enterprise requires that all sites can access the Internet.

Figure 2-20 Enterprise networking

Solution Design
The tenant administrator has completed SD-WAN network configurations.

1. The hub site functions as the gateway for centralized Internet access. Branch sites and
the legacy site can access the Internet through the WAN-side Internet link of the hub site.
2. Site2 and Site3 have local Internet links and therefore preferentially access the Internet locally.
3. Local Internet access also needs to be enabled at the hub site.

Data Plan

Table 2-64 Site-to-Internet policy information

Item                                          Value
Centralized Internet access   Internet GW     Hub1
Local Internet access         Site            Hub1, Site2, Site3
                              Link Priority   Internet 3
                              Policy          All

Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.

Step 2 Finish creating sites.

Step 3 Configure Internet access policies for the overlay networks.


1. Choose Configuration > Traffic Policy.
2. Click Site-to-Internet, and the Site-to-Internet page is displayed.
3. Configure centralized Internet access.

a. Enable Centralized Internet access and click the add icon.
b. In the displayed Select Site dialog box, select a site as the Internet access gateway
and click the add icon.
c. Click OK.

4. Configure local Internet access.


a. Enable Local Internet access.
b. Click Create. Select the sites to access the Internet in local mode.

c. Click the icon in the Operation column. Enable NAT and activate the egress link.
Configure a different link priority for each link. On the main page, click Apply
Changes.

----End

2.1.9.3 Configuring Hybrid Internet Access Through Local Internet Links and
LAN-side Links of Hubs

Related Products
Agile Controller-Campus: V300R003C00
AR: V300R003C00

Networking Requirements
Figure 2-21 shows the SD-WAN networking of Enterprise A. On this network, hub sites
access the Internet on the LAN side. Site2 is only connected to the MPLS network through
two MPLS links. Site3 and Site4 are connected to the Internet through Internet links. The
enterprise requires that all sites can access the Internet.

Figure 2-21 Enterprise networking

Solution Design
The tenant administrator has completed SD-WAN network configurations. There are
reachable routes between CPEs at the active and standby hub sites and the Internet on the
LAN side.
1. Site2 uses centralized Internet access and therefore reaches the Internet through the
LAN-side Internet links of the hub sites.
2. Site3 and Site4 preferentially use their local Internet links to access the Internet.
3. Intranet users at hub sites access the Internet through the LAN-side Internet link, so
their traffic is not forwarded to the CPEs at the hub sites.

Data Plan

Table 2-65 Site-to-Internet policy information

Item                                                        Value
Centralized Internet access   Internet GW                   Hub1 and Hub2
Local Internet access         Site                          Site3 and Site4
                              Link Priority   WAN links of Site3   Internet1   2
                                              WAN links of Site4   Internet1   2
                                                                   Internet2   1
                              Policy                        All

Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.

Step 2 Finish creating sites.

Step 3 Configure a site-to-Internet policy for the overlay network.


1. Choose Configuration > Traffic Policy.
2. Click Site-to-Internet, and the Site-to-Internet page is displayed.
3. Configure centralized Internet access.

a. Enable Centralized Internet access and click the add icon.
b. In the Select Site dialog box that is displayed, select a site as the Internet gateway,
and click the add icon.
c. Click OK.

4. Configure local Internet access.


a. Enable Local Internet access.
b. Click Create and select a site.

c. Click the icon in the Operation column to activate the egress link. Enable NAT for
Internet links and configure a different link priority for each link. On the main page, click
Apply Changes to complete the configuration.

----End

2.1.10 Configuring a Site-to-Legacy Site Policy

2.1.10.1 Configuring Communication Between SD-WAN Sites and Legacy Sites in Centralized Access Mode

Related Products
Agile Controller-Campus: V300R003C00

AR: V300R003C00

Networking Requirements
Figure 2-22 shows the SD-WAN networking of Enterprise A. On this network, Site1 is a
legacy site outside an SD-WAN network. The enterprise requires that all SD-WAN sites
communicate with Site1.

Figure 2-22 Enterprise networking

Solution Design
The tenant administrator has completed SD-WAN network configurations. The active and
standby hub sites are each connected to the MPLS network through an MPLS link, and Site1 is
also connected to the MPLS network. The centralized access mode can be configured to
enable branch sites to communicate with Site1 through the hub sites.

Data Plan

Table 2-66 Site-to-legacy site policy information

Item                                      Value
Centralized access                        Hub1, Hub2
Link Priority      WAN links at Hub1      MPLS1   3
                   WAN links at Hub2      MPLS1   3

Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.

Step 2 Finish creating sites.

Step 3 Configure a site-to-legacy site policy at hub sites on the overlay network to enable
communication between SD-WAN sites and the legacy site.

1. Choose Configuration > Traffic Policy.


2. Click Site-to-Legacy Site. On the Site-to-Legacy Site tab page, click Centralized
access to configure the access mode.
3. Click Create, select hub sites and click IGW to enable the gateway function for
communication between SD-WAN sites and legacy sites.

4. Click the icon in the Operation column to activate the egress link. Configure the link priority
and click Apply Changes on the main page.

----End

2.1.10.2 Configuring Communication Between SD-WAN Sites and Legacy Sites in Centralized Access Mode Through a Branch Site

Related Products
Agile Controller-Campus: V300R003C00

AR: V300R003C00

Networking Requirements
Figure 2-23 shows the SD-WAN networking of Enterprise A. On this network, Site1 is a
legacy site outside an SD-WAN network. The enterprise requires that all SD-WAN sites
communicate with Site1.

Figure 2-23 Enterprise networking

Solution Design
The tenant administrator has completed SD-WAN network configurations. Only Site2 is
connected to both the MPLS network and the Internet, and Site1 is also connected to the MPLS
network. The centralized access mode can be configured to enable the hub site and branch sites to
communicate with Site1 through Site2.

Data Plan

Table 2-67 Site-to-legacy site policy information

Item                 Value
Centralized access   Site2
Link priority        WAN links at Site2: MPLS1: 3

Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.


Step 2 Finish creating sites.

Step 3 Configure a site-to-legacy site policy at Site2 on the overlay network to enable
communication between SD-WAN sites and the legacy site.
1. Choose Configuration > Traffic Policy.
2. Click Site-to-Legacy Site. On the Site-to-Legacy Site tab page, click Centralized
access to configure the access mode.
3. Click Create, select Site2 and click IGW to enable the gateway function for
communication between SD-WAN sites and legacy sites.

4. Click in the Operation column to activate the egress link. Configure the link priority
and click Apply Changes on the main page.


----End

2.1.10.3 Configuring Communication Between SD-WAN Sites and the Legacy Site in Hybrid Access Mode

Related Products
Agile Controller-Campus: V300R003C00

AR: V300R003C00

Networking Requirements
Figure 2-24 shows the SD-WAN networking of Enterprise A. On this network, Site1 is a
legacy site outside an SD-WAN network. The enterprise requires that all SD-WAN sites
communicate with Site1.


Figure 2-24 Enterprise networking

Solution Design
The tenant administrator has completed SD-WAN network configurations. The active and
standby hub site are each connected to the MPLS network through an MPLS link. Site1 is
also connected to the MPLS network. Site2 and Site3 are connected to the MPLS network,
whereas Site4 is connected only to the Internet. Therefore, Site2 and Site3 communicate with
Site1 through local MPLS links in local access mode, while Site4 communicates with Site1
through the hub sites in centralized access mode.

Data Plan

Table 2-68 Site-to-legacy site policy information

Item                 Value
Centralized access   Hub1, Hub2
Link priority        WAN links at Hub1: MPLS1: 3
                     WAN links at Hub2: MPLS1: 3
Local access         Site2, Site3
Link priority        WAN links at Site2: MPLS1: 3, MPLS2: 2
                     WAN links at Site3: MPLS1: 3

Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.

Step 2 Finish creating sites.

Step 3 Configure a site-to-legacy site policy at hub sites on the overlay network to enable
communication between SD-WAN sites and the legacy site.
1. Choose Configuration > Traffic Policy.
2. Click Site-to-Legacy Site.
3. Configure centralized access mode.
a. On the Site-to-Legacy Site tab page, enable Centralized access.
b. Click Create, select hub sites and click IGW to enable the gateway function for
communication between SD-WAN sites and legacy sites.


c. Click in the Operation column to activate the egress link and configure the link
priority.


4. Configure local access mode.


a. On the Site-to-Legacy Site tab page, enable Local access.
b. Click Create and select a site.


c. Click in the Operation column to activate the egress link. Configure the link
priority and click Apply Changes on the main page.


----End

2.1.11 Configuring a QoS Policy

2.1.11.1 Configuring Preferential Transmission of HTTP Services from Branch Sites to Hub Sites

Related Products
Agile Controller-Campus: V300R003C00

AR: V300R003C00

Networking Requirements
Figure 2-25 shows the SD-WAN networking of Enterprise A. The enterprise requires that
HTTP services transmitted between Site4 and hub sites (using TCP port 8080) be
preferentially transmitted.


Figure 2-25 Enterprise networking

Solution Design
QoS queue priorities are configured at Site4 and hub sites, and high-priority queues are
configured to ensure that HTTP services are preferentially forwarded.

Data Plan

Table 2-69 Traffic classifier template information


Item Value

Traffic classifier name test_traffic_http

Source IP -

Destination IP -

DSCP -

Type L4

Protocol TCP

Source Port -

Destination Port 8080


Table 2-70 QoS policy information

Item                          Value
Policy name                   test_traffic_QoS
Traffic Classifier Template   test_traffic_http
Policy Priority               1
Queue Priority                Priority Level: Highest
Guaranteed bandwidth          Value: 3 Mbit/s
Site                          Site4, Hub1, Hub2

Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.

Step 2 Finish creating sites.

Step 3 Configure a traffic classifier template.


1. Choose Configuration > Traffic Policy.
2. Click Traffic Classifier Template. Click Create to create a traffic classifier template.
3. Configure a traffic classification rule.

Step 4 Configure a QoS policy for the overlay network.


1. Choose Configuration > Traffic Policy.


2. Click QoS. On the QoS tab page, click Create and configure QoS policy.

3. Bind the sites to the policy.

a. On the QoS tab page, click in the Operation column of the policy. In the
Attach Sites dialog box that is displayed, select a site to be bound to the policy.
Click and then click OK.


b. Select the policy to be submitted, click Commit, and select Commit Selected.
c. In the Commit dialog box that is displayed, set Effective time to Immediately and
click OK.

----End

2.1.12 Configuring an ACL Policy (Overlay Network)


2.1.12.1 Forbidding Access to YouTube During Working Hours

Related Products
Agile Controller-Campus: V300R003C00

AR: V300R003C00

Networking Requirements
Figure 2-26 shows the SD-WAN networking of an enterprise. Employees need to be denied
access to YouTube during working hours from 09:00 to 17:00.

Figure 2-26 Enterprise networking

Solution Design
Configure an ACL policy on the overlay network to meet the enterprise requirements:
Configure a traffic classifier template to identify the YouTube service, configure the effective
time template to specify the working time, and associate the ACL policy with the site that
forbids employees to access the YouTube service.

Data Plan

Table 2-71 Application group

Item                       Value
Name                       App_Group_Youtube
Description                -
Predefined Applications    SA signature database: SA_H30071000 (6000+)
                           Add Predefined Applications: YouTube_Downloader, Youtube

Table 2-72 Traffic classifier template information

Item Value

Traffic classifier name test_traffic_YouTube

Source IP -

Destination IP -

DSCP -

Type L7

Application App_Group_Youtube

Table 2-73 Effective time template information

Item Value

Template name WorkingTime

Time type Weekly

Every Week Monday to Friday

Start time 09:00:00

End time 17:00:00

Table 2-74 ACL policy information

Item                          Value
Policy name                   test_traffic_ACL
Traffic classifier template   test_traffic_YouTube
Policy priority               1
Interface                     LAN
Traffic filter                Deny
Traffic direction             Inbound
Effective time template       WorkingTime
Select Site                   Hub1, Hub2, Site2, Site3, Site4

Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.

Step 2 Finish creating sites.

Step 3 Configure an application group.


1. Choose Configuration > Application Management.
2. Click Application Group. On the Application Group page that is displayed, click
Create.
3. Enter information about the application group. In the DPI area, click Add Predefined
Applications and select an application.
4. Click OK on the Application Group page.

Step 4 Configure a traffic classifier template.


1. Choose Configuration > Traffic Policy.
2. Click Traffic Classifier Template. Click Create to create a traffic classifier template.
3. Configure a traffic classification rule.


Step 5 Configure an effective time template.


1. Choose Configuration > Traffic Policy.
2. Click Validity Period Template, and click Create.
3. Configure the effective time.

Step 6 Configure an ACL policy on the overlay network.


1. Choose Configuration > Traffic Policy.
2. On the Overlay page, select the VPN to which the sites to be configured belong.
3. Click ACL. In the dialog box that is displayed, click Create to configure an ACL policy.


4. On the ACL tab page, click in the Operation column of the policy. In the Attach
Sites dialog box that is displayed, select a site to be bound to the policy. Click and
then click OK.


5. Select the policy to be submitted, click Commit, and select Commit Selected.
6. In the Commit dialog box that is displayed, set Effective time to Immediately and click
OK.

Step 7 Check the ACL policy configuration.


1. Choose Maintenance > Provisioning Result.
2. Click Generate Configuration to view the configuration result. The status is
Succeeded.

3. Click Deploy to Device. In the list on the left, click the configured ACL policy to view
the configuration deployment result. The status is Succeeded.

----End
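The traffic classifier templates of the QoS example (Table 2-69, an L4 match on TCP destination port 8080) and of this ACL example (Tables 2-72 to 2-74, an L7 match on an application group, gated by a weekly effective-time template) are evaluated the same way: a policy applies only while its time template is active, and the highest-priority matching policy decides. The following Python is an added illustration of that evaluation, not code from the Agile Controller-Campus or the AR routers; the flow record, the DPI result field `app`, the "lower value evaluated first" priority order and the inclusive 17:00:00 boundary are assumptions, and the sample flows are constructed.

```python
"""Traffic classifier templates, a weekly effective-time template and the ACL
decision they produce. Added example; the Flow record, its DPI `app` field and
the priority order are assumptions, not Huawei's data model."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, Optional, Sequence


@dataclass(frozen=True)
class Flow:
    """One flow seen on the LAN interface (constructed sample records below)."""
    src_ip: str
    dst_ip: str
    protocol: str              # "TCP", "UDP", ...
    src_port: int
    dst_port: int
    app: Optional[str] = None  # application identified by DPI/SA, e.g. "Youtube"


@dataclass(frozen=True)
class ClassifierTemplate:
    """L4 matches protocol/ports; L7 matches members of an application group.
    A None field corresponds to '-' (any) in the data plan tables."""
    name: str
    match_type: str
    protocol: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    applications: FrozenSet[str] = frozenset()

    def matches(self, flow: Flow) -> bool:
        if self.match_type == "L4":
            return ((self.protocol is None or flow.protocol == self.protocol)
                    and (self.src_port is None or flow.src_port == self.src_port)
                    and (self.dst_port is None or flow.dst_port == self.dst_port))
        if self.match_type == "L7":
            return flow.app is not None and flow.app in self.applications
        raise ValueError(f"unknown classifier type {self.match_type!r}")


@dataclass(frozen=True)
class WeeklyTimeTemplate:
    """Validity period template of type Weekly; days are Monday=0 .. Sunday=6."""
    name: str
    days: FrozenSet[int]
    start: time
    end: time

    def is_active(self, now: datetime) -> bool:
        # Both boundaries inclusive (assumption: the guide does not say whether
        # a flow at exactly 17:00:00 is still inside the working-time window).
        return now.weekday() in self.days and self.start <= now.time() <= self.end


@dataclass(frozen=True)
class AclPolicy:
    name: str
    classifier: ClassifierTemplate
    priority: int                  # lower value evaluated first (assumption)
    action: str                    # "Deny" or "Permit"
    effective: Optional[WeeklyTimeTemplate] = None


def acl_decision(policies: Sequence[AclPolicy], flow: Flow, now: datetime,
                 default: str = "Permit") -> str:
    """First matching policy in priority order decides; inactive ones are skipped."""
    for policy in sorted(policies, key=lambda p: p.priority):
        if policy.effective is not None and not policy.effective.is_active(now):
            continue
        if policy.classifier.matches(flow):
            return policy.action
    return default


# Values taken from the data plan tables of this guide.
TEST_TRAFFIC_HTTP = ClassifierTemplate("test_traffic_http", "L4", protocol="TCP", dst_port=8080)
APP_GROUP_YOUTUBE = frozenset({"Youtube", "YouTube_Downloader"})
TEST_TRAFFIC_YOUTUBE = ClassifierTemplate("test_traffic_YouTube", "L7", applications=APP_GROUP_YOUTUBE)
WORKING_TIME = WeeklyTimeTemplate("WorkingTime", frozenset(range(0, 5)), time(9, 0, 0), time(17, 0, 0))
TEST_TRAFFIC_ACL = AclPolicy("test_traffic_ACL", TEST_TRAFFIC_YOUTUBE, priority=1,
                             action="Deny", effective=WORKING_TIME)


def youtube_decision(now: datetime) -> str:
    """Decision for a constructed YouTube flow from the Site2 LAN at the given time."""
    flow = Flow("10.3.1.10", "203.0.113.5", "TCP", 51000, 443, app="Youtube")
    return acl_decision([TEST_TRAFFIC_ACL], flow, now)


if __name__ == "__main__":
    print(youtube_decision(datetime(2019, 3, 11, 12, 0)))   # Monday noon: Deny
    print(youtube_decision(datetime(2019, 3, 16, 12, 0)))   # Saturday: Permit
```

Two points worth checking on a real deployment follow from this model: the L7 match depends entirely on the DPI engine having identified the flow, so the first packets of a new session may pass before classification completes, and a clock that is wrong on the CPE shifts the working-time window, which is one reason the NTP configuration later in this chapter matters for policy enforcement and not only for logs.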

2.1.13 Configuring a Security Policy


2.1.13.1 Configuring a Security Policy for Hub Sites

Related Products
Agile Controller-Campus: V300R003C00

AR: V300R003C00

Networking Requirements
Figure 2-27 shows the SD-WAN networking of Enterprise A. To ensure security of network
services at hub sites, intranet users must be restricted from accessing social media and video
sharing websites.

Figure 2-27 Enterprise networking

Solution Design
Configure a URL filtering security policy at hub sites. Use predefined categories on the Agile
Controller-Campus, set the filtering level to high and deny accesses to social media and video
sharing websites.

Data Plan

Table 2-75 Security policy information

Item                               Value
Policy name                        test_security_policy1
Enable URL filter                  Default action: Permit
                                   Exception list: -
Use predefine url classification   ON
Predefined URL filter level        High
Site                               Hub1, Hub2

Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.

Step 2 Finish creating sites.

Step 3 Configure a security policy.


1. Choose Configuration > Security Policy > URL.
2. Select the VPN to which the sites to be configured belong.
3. Click Create and set related parameters.

Step 4 Bind the sites to the policy.

1. On the Security Policy page, click in the Operation column of the policy. In the
Attach Sites dialog box that is displayed, select a site to be bound to the policy. Click
and then click OK.


2. Select the policy to be submitted, click Commit, and select Commit Selected.
3. In the Commit dialog box that is displayed, set Effective time to Immediately and click
OK.

----End
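The URL filter in Table 2-75 has three parts that interact: the predefined classification (a category database plus a filter level that decides which categories are denied), an exception list that overrides the category verdict, and a default action for everything else. The following Python is an added illustration of that decision order, not the Agile Controller-Campus or AR implementation; the category database `CATEGORY_DB`, the level-to-category mapping `LEVEL_DENIES`, the fail-closed handling of unparsable requests and the suffix-matching rule for exception entries are all constructed assumptions.

```python
"""URL filtering decision: exception list first, then predefined category at the
configured filter level, then the default action. Added example with a
constructed category database; not Huawei code."""
from typing import Dict, Optional, Set
from urllib.parse import urlsplit

# Constructed stand-in for the predefined URL classification database.
CATEGORY_DB: Dict[str, str] = {
    "facebook.com": "social_media",
    "twitter.com": "social_media",
    "youtube.com": "video_sharing",
    "vimeo.com": "video_sharing",
    "example.com": "business",
}

# Constructed: categories denied at each filter level (High is a superset of Medium).
LEVEL_DENIES: Dict[str, Set[str]] = {
    "High": {"social_media", "video_sharing", "gambling", "malware"},
    "Medium": {"gambling", "malware"},
    "Low": {"malware"},
}


def hostname_of(url: str) -> Optional[str]:
    """Host component only: userinfo, port, path and query never influence the verdict."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname
    return host.rstrip(".").lower() if host else None


def categorize(host: str) -> Optional[str]:
    """Longest-suffix match, so www.youtube.com inherits the category of youtube.com;
    the bare TLD is never looked up."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        category = CATEGORY_DB.get(".".join(labels[i:]))
        if category:
            return category
    return None


class UrlFilterPolicy:
    def __init__(self, name: str, default_action: str = "Permit",
                 exceptions: Optional[Dict[str, str]] = None,
                 use_predefined: bool = True, level: str = "High"):
        self.name = name
        self.default_action = default_action
        # Exception list: host (or parent domain) -> "Permit" / "Deny".
        self.exceptions = {k.lower(): v for k, v in (exceptions or {}).items()}
        self.use_predefined = use_predefined
        self.level = level

    def decide(self, url: str) -> str:
        host = hostname_of(url)
        if host is None:
            return "Deny"  # unparsable request: fail closed (assumption)
        labels = host.split(".")
        for i in range(len(labels)):                 # exception list wins
            action = self.exceptions.get(".".join(labels[i:]))
            if action:
                return action
        if self.use_predefined:
            category = categorize(host)
            if category in LEVEL_DENIES.get(self.level, set()):
                return "Deny"
        return self.default_action


# Policy from Table 2-75.
TEST_SECURITY_POLICY1 = UrlFilterPolicy("test_security_policy1", default_action="Permit",
                                        exceptions=None, use_predefined=True, level="High")

if __name__ == "__main__":
    for u in ("https://www.youtube.com/watch?v=x", "https://example.com/", "http://youtube.com@example.com/"):
        print(u, "->", TEST_SECURITY_POLICY1.decide(u))
```

The third sample URL is the case to remember when testing a URL filter: `youtube.com` appears in the string, but the request actually goes to `example.com`, so a filter that matched on substrings would produce the opposite verdict from one that parses the hostname. Also note that with the default action left at Permit, a site missing from the classification database is allowed; flip the default to Deny only after the exception list holds the business-critical hosts.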

2.1.14 Configuration Examples


2.1.14.1 Example for Building an SD-WAN Network for an Enterprise Tenant

Related Products
Agile Controller-Campus: V300R003C00
AR: V300R003C00

Networking Requirements
Enterprise A has a headquarters network and multiple branch networks. A Layer 3 MPLS
network is used on the WAN side. Aiming to rebuild its own networks, the enterprise submits
a network construction application to a service provider (SP) to use both a Layer 3 MPLS
network and the Internet on the WAN side. To reduce network costs, the enterprise requires
that services be primarily transmitted over the Internet. If a fault occurs on the Internet,
service traffic can automatically move to the MPLS network. Figure 2-28 shows the
enterprise networking.

Figure 2-28 Enterprise networking


Solution Design

Figure 2-29 SD-WAN networking

Based on the enterprise's networking and requirements, the SP recommends that the enterprise
replace its existing traditional enterprise network with an SD-WAN network. The network
engineers of enterprise A are not able to deploy an SD-WAN network themselves; therefore, the SP is
authorized as a managed service provider (MSP) to complete the network deployment for
enterprise A. Figure 2-29 shows the networking diagram.

In this MSP-managed O&M scenario, the configurations include:

1. The SP creates a tenant for enterprise A and is authorized as an MSP to maintain the
network of enterprise A.
2. The MSP administrator creates a hub site (Hub1) and two branch sites (Site2 and Site3)
and completes the network configuration on the Agile Controller-Campus. Site1 does not
need to be created on and managed by the Agile Controller-Campus because it uses the
traditional network mode and does not need to be upgraded to an SD-WAN network.
3. The MSP administrator sets the IP address of the NTP server to 10.10.1.1, configures the
hub site to synchronize its clock with the NTP server, and configures the branch sites to
automatically synchronize their clocks with the hub site.
4. The WAN-side MPLS and Internet networks support BGP, so these networks can
exchange routes with the underlay networks using BGP. The CPEs of Hub1
communicate with the LAN-side Layer 3 switch through VLANs, and OSPF is deployed
on the LAN-side network of the hub site. The CPEs of the branch sites communicate
with the LAN-side Layer 2 network devices through VLANs.
5. The customer requires VoIP services to be preferentially forwarded over the MPLS
network and other services over the Internet, so the MSP administrator enables
centralized Internet access of the SD-WAN network through the hub site.
Communication between the SD-WAN sites and legacy sites is implemented in
centralized access mode.


6. The MSP administrator enables URL filtering in a security policy, sets the filtering level
of predefined categories to high, and denies access to social media and video sharing
websites to guarantee secure network usage of employees and improve their working
efficiency.
7. The email-based deployment mode is used for site deployment. After receiving a
deployment email, the deployment engineer goes to the hub and branch sites to install
and deploy the CPEs.
8. After the CPEs are deployed, they automatically obtain configurations from the Agile
Controller-Campus.

Data Plan

Table 2-76 MSP administrator information


Item Value

User name MSPA@tenantA.com

Password PassA@1234

Table 2-77 Tenant information


Item Value

Tenant Name UserA

Authorize MSP ON

Account UserA@tenantA.com

Initial password Changeme_123

Password PassA@1234

Table 2-78 Email server parameters


Item Value

SMTP address smtp.mail.com

Port 25

Account testmail

Password testmail

Email testmail@163.com


Table 2-79 Global network parameters

Item                          Value
Transport Network             MPLS        Internet
Routing Domain                MPLS        Internet
IPSec Encryption              OFF         ON
Encryption algorithm          AES256
Pre-shared key                Generate
URL encryption key            123456
Token validity period (day)   7
AS number                     65001
Network scale (based CPEs)    500
IP pool                       10.200.0.0/16
DNS Server IP                 8.8.8.8

With these values, IPSec is applied only to the Internet transport; overlay traffic carried over the MPLS transport is sent unencrypted, so that plan is only acceptable if the MPLS service is trusted end to end. The URL encryption key 123456 is a placeholder for this example and should be replaced by a long random value in a real deployment.

Table 2-80 Information about devices


Device ESN Device Name Device Model

2102114484P0GC000030 Hub1_1 AR3670

2102114484P0GC000031 Hub1_2 AR3670

2102351BTJ10H1000020 Site2_1 AR161EW

2102351BTJ10H1000021 Site3_1 AR161EW

2102351BTJ10H1000022 Site3_2 AR161EW

Table 2-81 Site template

Template name: Hub1 (Description: -; Gateway: Dual Gateways)
  WAN Link   Device    Interface   Transport Network   Role
  MPLS       Device1   GE3/0/0     MPLS                Active
  Internet   Device2   GE3/0/0     Internet            Active
  Inter-CPE Link: Reuse LAN-side L2 interface: OFF; Device1 Interface: GE3/0/1, GE3/0/2; Device2 Interface: GE3/0/1, GE3/0/2

Template name: Branch1 (Description: -; Gateway: Single Gateway)
  WAN Link   Device    Interface   Transport Network   Role
  MPLS       Device1   GE0/0/0     MPLS                Active
  Internet   Device1   GE0/0/4     Internet            Active
  Inter-CPE Link: -

Template name: Branch2 (Description: -; Gateway: Dual Gateways)
  WAN Link   Device    Interface   Transport Network   Role
  MPLS       Device1   GE0/0/4     MPLS                Active
  Internet   Device2   GE0/0/4     Internet            Active
  Inter-CPE Link: Reuse LAN-side L2 interface: OFF; Device1 Interface: GE0/0/1, GE0/0/2; Device2 Interface: GE0/0/1, GE0/0/2

Table 2-82 Email template information


Item Value

Email Template Implementer

Subject How to install a Huawei SD-WAN router

Content To install Huawei SD-WAN routers,


perform the following steps:

Default Template OFF

Table 2-83 ZTP configurations at sites

Site    Site template   Link name   Interface protocol   IP address access mode   IP address/Subnet mask   Default gateway   Public IP    PPPoE User name / Password
Hub1    Hub             MPLS        IPoE                 Static                   172.16.1.1/30            172.16.1.2        172.16.1.1   -
Hub1    Hub             Internet    IPoE                 Static                   10.100.1.1/30            10.100.1.2        10.100.1.1   -
Site2   Branch1         MPLS        IPoE                 Static                   172.16.1.9/30            172.16.1.10       -            -
Site2   Branch1         Internet    PPPoE                -                        -                        -                 -            user@web.com / Pass1234
Site3   Branch2         MPLS        IPoE                 Static                   172.16.1.13/30           172.16.1.14       -            -
Site3   Branch2         Internet    IPoE                 Static                   10.100.2.1/30            10.100.2.2        -            -

On every link, Negotiation mode is Auto and both Uplink bandwidth and Downlink bandwidth are 100 Mbps.

Table 2-84 NTP information at hub site

Item                      Value
Time zone                 (UTC+08:00) Beijing, Chongqing, Hong Kong, Urumqi
NTP authentication        ON
Authentication password   ntp123
Authentication key id     456789
NTP client mode           Manual Configuration

Device   WAN Link   NTP Server Address   Authentication
Hub1_1   MPLS       10.10.1.1            OFF
Hub1_2   Internet   10.10.1.1            OFF

Table 2-85 NTP information about branch sites


Item Value

Time zone (UTC+08:00)Beijing,Chongqing,Hong Kong,Urumqi

NTP authentication OFF

NTP client mode Automatic Synchronization with Parent Node

Table 2-86 Email-based deployment information

Site    Email address       Email Template
Hub1    testadmin@163.com   Implementer
Site2   testadmin@163.com   Implementer
Site3   testadmin@163.com   Implementer

Table 2-87 BGP route information about the underlay networks

Site    Advanced Settings: Default route redistribution
Hub1    ON
Site2   OFF
Site3   OFF

Device    WAN link   Peer IP       Peer AS   Local AS   Keepalive time (s)   Hold time (s)   MD5 encrypt   Routing Policy Export   Routing Policy Import
Hub1_1    MPLS       172.16.1.2    100       101        60                   180             admin123      OFF                     OFF
Hub1_2    Internet   10.100.1.2    200       102        60                   180             admin123      OFF                     OFF
Site2_1   MPLS       172.16.1.10   100       104        60                   180             admin123      OFF                     OFF
Site2_1   Internet   10.100.3.1    200       104        60                   180             admin123      OFF                     OFF
Site3_1   MPLS       172.16.1.14   100       105        60                   180             admin123      OFF                     OFF
Site3_2   Internet   10.100.2.2    200       106        60                   180             admin123      OFF                     OFF

Table 2-88 Basic site information about the overlay network

Site Name   VPN           Topology mode
Hub1        VPN-Default   Full-mesh
Site2       VPN-Default   -
Site3       VPN-Default   -

Table 2-89 Site VLAN information about the overlay network

Device    VPN           VLAN ID   Mode    Physical interface   IP address      Trust mode
Hub1_1    VPN-Default   10        Untag   GE8/0/2              10.1.1.1/24     Trust
Hub1_2    VPN-Default   10        Untag   GE8/0/2              10.1.1.2/24     Trust
Site2_1   VPN-Default   10        Untag   GE0/0/1              10.3.1.254/24   Trust
Site2_1   VPN-Default   20        Tag     GE0/0/2              10.4.1.254/24   Trust
Site3_1   VPN-Default   10        Untag   GE0/0/2              10.5.1.252/24   Trust
Site3_2   VPN-Default   10        Untag   GE0/0/2              10.5.1.253/24   Trust

Table 2-90 LAN-side OSPF route information

Item                                             Hub1_1     Hub1_2
Process ID                                       1001       1001
Common Parameter
  WAN link default route advertisement           ON         ON
  Default route cost                             1          1
  Internal preference                            10         10
  ASE preference                                 150        150
Interface Parameter
  Area ID                                        0          0
  Interface Name                                 Vlanif10   Vlanif10
  Authentication Mode                            None       None
  Hello Timer                                    10         10
  DR Priority                                    0          0
Route Redistribute
  Protocol                                       -          -
  Process ID                                     -          -
  Cost                                           -          -
Router Filter
  Export filter                                  OFF        OFF
  Import filter                                  OFF        OFF

Table 2-91 Application group

Item Value

Name test_app_group_VoIP

Description -

Predefined Applications VoIP

Custom Applications -

Table 2-92 Traffic classifier template information

Item                      test_traffic_VoIP     test_traffic_service
Source IP                 Any                   Any
Destination IP            Any                   Any
DSCP                      -                     -
Type                      L7                    Any
Application               test_app_group_VoIP   -

Table 2-93 Intelligent traffic steering information about the overlay network

Item                                               test_policy_steering1     test_policy_steering2
Traffic Classifier Template                        test_traffic_VoIP         test_traffic_service
Policy Priority                                    1                         2
Switchover Condition: Delay (ms)                   50                        50
Switchover Condition: Jitter (ms)                  50                        50
Switchover Condition: Packet loss rate (‰)         50                        50
Steering Strategy: Primary Transport Network       MPLS                      Internet
Steering Strategy: Secondary Transport Network     Internet                  MPLS
Site                                               Hub1, Site2, and Site3    Hub1, Site2, and Site3
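Table 2-93 expresses the steering rule as thresholds: a flow class stays on its primary transport while the measured delay, jitter and packet loss of that transport are within the switchover condition, and moves to the secondary transport when they are not. The Python below is an added example of that selection logic and of the per-mille unit used for packet loss; it is not the CPE's steering implementation, and the behaviour when both transports violate the thresholds (stay on the current transport, otherwise fall back to the primary) is an assumption.

```python
"""Transport selection under an intelligent traffic steering policy such as
test_policy_steering1 (VoIP: MPLS primary, Internet secondary) and
test_policy_steering2 (other services: Internet primary, MPLS secondary).
Added example; the metric source and the both-links-bad rule are assumptions."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class LinkQuality:
    """Measured quality of one transport network."""
    delay_ms: float
    jitter_ms: float
    loss_permille: float   # packet loss in per mille, as in the policy table (10 permille = 1 %)

    @staticmethod
    def from_percent_loss(delay_ms: float, jitter_ms: float, loss_percent: float) -> "LinkQuality":
        """Convert a percentage loss figure before comparing it with a per-mille threshold."""
        return LinkQuality(delay_ms, jitter_ms, loss_percent * 10.0)


@dataclass(frozen=True)
class SwitchoverCondition:
    """Thresholds from the Switchover Condition rows; all must hold for a link to be usable."""
    delay_ms: float = 50
    jitter_ms: float = 50
    loss_permille: float = 50

    def met_by(self, q: LinkQuality) -> bool:
        return (q.delay_ms <= self.delay_ms and q.jitter_ms <= self.jitter_ms
                and q.loss_permille <= self.loss_permille)


@dataclass(frozen=True)
class SteeringPolicy:
    name: str
    primary: str
    secondary: str
    condition: SwitchoverCondition = SwitchoverCondition()

    def select(self, measured: Dict[str, LinkQuality], current: Optional[str] = None) -> str:
        """Transport to use given the current measurements; a transport missing
        from `measured` is treated as down."""
        primary_ok = self.primary in measured and self.condition.met_by(measured[self.primary])
        secondary_ok = self.secondary in measured and self.condition.met_by(measured[self.secondary])
        if primary_ok:
            return self.primary
        if secondary_ok:
            return self.secondary
        # Both violate the thresholds (or are down): avoid flapping by staying put,
        # otherwise prefer the primary if it is at least up (assumption).
        if current in (self.primary, self.secondary) and current in measured:
            return current
        return self.primary if self.primary in measured else self.secondary


# Policies from Table 2-93.
TEST_POLICY_STEERING1 = SteeringPolicy("test_policy_steering1", primary="MPLS", secondary="Internet")
TEST_POLICY_STEERING2 = SteeringPolicy("test_policy_steering2", primary="Internet", secondary="MPLS")

if __name__ == "__main__":
    # Constructed measurements: MPLS delay has risen above the 50 ms threshold.
    sample = {"MPLS": LinkQuality(120, 8, 2), "Internet": LinkQuality(25, 12, 5)}
    print(TEST_POLICY_STEERING1.select(sample))   # Internet
    print(TEST_POLICY_STEERING2.select(sample))   # Internet
```

Note the unit: 50‰ is 5 % packet loss, which is already enough to make a voice call unusable, so for the VoIP policy a practitioner would normally set a much tighter loss threshold than the one in the example data plan, and would confirm that the monitoring source reports loss in the same unit the policy expects.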

Table 2-94 Site-to-Internet policy information

Item                          Value
Centralized Internet access   Internet GW: Hub1

Table 2-95 Site-to-legacy site policy information

Item            Value
Access mode     Centralized access
Site            Hub1
Link Priority   MPLS: 1
IGW             ON

Table 2-96 Security policy information

Item                               Value
Policy name                        test_security_policy1
Enable URL filter                  Default action: Permit
                                   Exception list: -
Use predefine url classification   ON
Predefined URL filter level        High
Site                               Hub1, Site2, and Site3

Procedure
Step 1 Log in to the Agile Controller-Campus as an MSP administrator.

Step 2 Create a tenant and a tenant administrator.


1. Click Dashboard.
2. Click Create under Tenants List. In the displayed dialog box, enter tenant information
and administrator information.

3. Under Tenants List, check the created tenant administrator account.

Step 3 Configure an email server.


1. Choose Administration > Email Server to access the Email Server page.
2. Configure parameters for interworking with the email server.


3. Click Test to test email sending. If the system displays the message indicating that the
test is successful and the test email can be received, the configuration is successful. Click
Save to complete the configuration.

Step 4 Access the tenant managed service view.


1. Click Dashboard.
2. In Tenants List, select the tenant that requires maintenance and click the tenant name to
access the tenant managed service view.

Step 5 Set global network parameters.


1. Choose Configuration > Global Parameters.
2. Retain the system defaults MPLS and Internet for the transport network. No additional
configuration is required.
3. Set IPSec encryption parameters.
Select the encryption algorithm (AES256 in this example) and click Generate to create a pre-shared key (PSK).


4. Configure device activation security.


Enter a URL encryption key, and set Token validity period.

5. Click Apply Changes.


6. Click Virtual Network. The Virtual Network page is displayed.
7. Configure a route.
Enter the AS number of the BGP route. The default value is 65001.

8. Select the number of sites and add an address pool.

9. Add the DNS server IP address.

10. Click Apply Changes.
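Step 5 sets two device-activation parameters: a URL encryption key and a token validity period (7 days in Table 2-79). Together they describe a keyed, time-limited token carried in the deployment URL that the engineer receives by email, which a stolen or forwarded email can only be replayed within the validity window. The Python below is an added illustration of such a token, not the Agile Controller-Campus token format, which this guide does not document: the payload layout (ESN plus expiry), HMAC-SHA256 as the keyed function and the base64url encoding are all assumptions, and the ESN used in the sample comes from Table 2-80.

```python
"""Keyed, time-limited activation token: mint with the URL encryption key and a
validity period, verify with constant-time tag comparison and an expiry check.
Added illustration; the token layout is an assumption, not Huawei's format."""
import base64
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timedelta, timezone
from typing import Optional

VALIDITY_DAYS = 7   # Token validity period (day) from Table 2-79


def generate_url_key(nbytes: int = 32) -> str:
    """A random key; the 123456 of the example data plan is only a placeholder."""
    return secrets.token_urlsafe(nbytes)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(key: str, esn: str, issued_at: datetime,
               validity_days: int = VALIDITY_DAYS) -> str:
    """payload.tag, where tag = HMAC-SHA256(key, payload) and payload binds ESN and expiry."""
    expiry = issued_at + timedelta(days=validity_days)
    payload = json.dumps({"esn": esn, "exp": int(expiry.timestamp())},
                         separators=(",", ":")).encode()
    tag = hmac.new(key.encode(), payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_token(key: str, token: str, now: datetime) -> Optional[str]:
    """Return the ESN if the tag is genuine and the token is unexpired, else None.
    The tag is checked before any claim is trusted, and compared in constant time."""
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(key.encode(), payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    claims = json.loads(payload)
    if now.timestamp() > claims["exp"]:
        return None
    return claims["esn"]


if __name__ == "__main__":
    key = generate_url_key()
    issued = datetime(2019, 3, 13, tzinfo=timezone.utc)
    token = mint_token(key, "2102114484P0GC000030", issued)
    print(token)
    print(verify_token(key, token, issued + timedelta(days=6)))   # the ESN
    print(verify_token(key, token, issued + timedelta(days=8)))   # None: expired
```

Two operational consequences follow even though the real format differs: rotating the URL encryption key invalidates every deployment email already sent, so rotate it before sending the batch for a new site, not after; and the validity period should be no longer than the time between sending the email and the engineer's visit, because the token, not the email account, is what activates the device.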

Step 6 Add devices in a batch based on the ESN.


1. Choose Device Management > Device List. The Device List page is displayed.
2. Click Add Device and set Addition method to Batch import.
3. Click Template to download the template file.
4. Fill in the template with required information and save the file.

5. Click , select the configured template file, and click Upload.


6. Confirm the imported data, select the data to be created for CPEs, and click OK.


Step 7 Create two site templates to create the hub site and branch sites separately.
1. Choose Configuration > Site > Template. On the Site Template page that is displayed,
click Create.
2. Enter template information and click OK.
l Hub site template

l Branch site template


Step 8 Create a hub site and two branch sites.


1. Choose Configuration > Site.
2. On the Site page that is displayed, click Create. Set Creation mode to Single.
3. Create a hub site and two branch sites.
4. Under Add Device, select the devices added in the above.
5. Click OK.


Step 9 Create an email template.


1. Choose Configuration > Site > Template > Email Template.
2. On the Email Template page that is displayed, click Create. Enter the template
information.

Step 10 Complete the ZTP configuration for the sites and send a deployment email.
1. Configure the WAN links for the hub site.
a. Choose Configuration > Site > ZTP Configuration. The ZTP Configuration
page is displayed.
b. In the Not Activated list, click a created site. The WAN Link page displays link
information.

c. Click in the Operation column in the right pane.


d. In the Set WAN Link dialog box that is displayed, set WAN link parameters.
e. Click Apply Changes.


2. Complete the NTP configuration for the hub site.


a. Click NTP.
b. On the NTP page that is displayed, select a time zone. Enter NTP information and
click Apply Changes.

3. Configure WAN links for the branch sites.


Perform the same operations as those for the hub site to complete WAN link parameter
configuration for the branch sites and click Apply Changes.
– WAN link configuration for Site2


– WAN link configuration for Site3


4. Complete the NTP configuration for the branch sites.


a. On the NTP page that is displayed, select a time zone.
b. Set NTP client mode to Automatic Synchronization with Parent Node.
c. Click Apply Changes.

5. After completing the ZTP configuration, click Send Email.

a. In the displayed Send Email dialog box, select the site to deploy and click .
b. Enter the recipient email address and CC email address, select the created email
template, modify the email content, and click OK.


Step 11 Configure BGP routes for the underlay network of the hub site.
1. Choose Configuration > Site > Underlay Configuration.
2. Select Hub1 from the left list and click WAN Route.
3. On the WAN Route page that is displayed, click Click Here to Add Routing Protocol
and select BGP.
4. On the BGP page, click Advanced Settings, and enable Default route redistribution.


5. On the BGP page, click Create and set BGP route parameters.

6. Click Apply Changes.

Step 12 Configure BGP routes for the underlay networks of the branch sites.
1. Choose Configuration > Site > Underlay Configuration.


2. Select Site2 from the left list and click WAN Route.
3. On the WAN Route page that is displayed, click Click Here to Add Routing Protocol
and select BGP.
4. On the BGP page, click Create and set BGP route parameters.

5. Click Apply Changes.


6. Select Site3 from the left list and perform the same operations as those for Site2 to
complete the BGP route configuration for Site3.


7. Click Apply Changes.


Step 13 Complete the overlay network configuration for the sites.
1. Configure basic information about the hub site.
a. Choose Configuration > Overlay Network > Site Configuration.
b. Select the hub site, click Basic in the right pane, and set Topology mode.
c. Click Apply Changes.


2. Configure VLAN information about the hub site.


a. Choose Configuration > Overlay Network > Site Configuration.
b. Select the hub site and click VLAN in the right pane.
c. Click Create and set related parameters.

d. Click Apply Changes.


3. Perform the same operations to configure VLAN information for the branch sites.
l VLAN configuration for Site2

l VLAN configuration for Site3

Step 14 Configure LAN-side OSPF routes for Hub1.


1. Choose Configuration > Overlay Network > Site Configuration.
2. Select Hub1 and click LAN Route in the right pane.
3. Click Click Here to Add Routing Protocol and select OSPF.
4. In the displayed OSPF dialog box, click Create and set related parameters.

5. Click Apply Changes.

Step 15 Configure an application group.


1. Choose Configuration > Application Management.
2. Click Application Group. On the Application Group page that is displayed, click
Create.
3. Enter the application group information and select the predefined application VoIP.

Step 16 Configure a traffic classifier template.


1. Choose Configuration > Traffic Policy.
2. Click Traffic Classifier Template and click Create to create a traffic classifier template.
3. Configure a traffic classifier template.

Step 17 Configure intelligent traffic steering policies for the overlay networks.
1. Choose Configuration > Traffic Policy.
2. Click Traffic Steering. On the Traffic Steering tab page, click Create and configure
intelligent traffic steering policies.

3. On the Traffic Steering tab page, click in the Operation column of the policy. In
the Attach Sites dialog box that is displayed, select a site to be bound to the policy.
Click and then click OK.

4. Select the policy to be submitted, click Commit, and select Commit Selected.
5. In the Commit dialog box that is displayed, set Effective time to Immediately and click
OK.

Step 18 Configure Internet access policies for the overlay networks.


1. Choose Configuration > Traffic Policy.
2. Click Site-to-Internet to access the Site-to-Internet page.
3. Configure centralized Internet access.

a. Enable Centralized Internet access and click .


b. In the displayed Select Site dialog box, select the site that provides the Internet
access gateway and click .
c. Click OK.

4. Click Apply Changes.

Step 19 Configure a mutual-access policy for the overlay network of the legacy site.

1. Choose Configuration > Traffic Policy.


2. Click Site-to-Legacy Site.
3. Configure centralized access.
a. Enable Centralized access and click Create. In the displayed dialog box, select the
hub site and click .

b. Click Next, click in the Operation column to activate the egress link, configure
the link priority, and click Apply Changes.

Step 20 Configure security policies.


1. Choose Configuration > Security Policy > URL.
2. Select the VPN to which the sites to be configured belong.
3. Click Create and set related parameters.

4. On the Security Policy page, click in the Operation column of the policy. In the
Attach Sites dialog box that is displayed, select a site to be bound to the policy, click
and then click OK.

5. Select the policy to be submitted, click Commit, and select Commit Selected.
6. In the Commit dialog box that is displayed, set Effective time to Immediately and click
OK.
Step 21 Install the CPEs at the sites based on the site networking requirements and connect the WAN
ports of the CPEs to the WAN.
Step 22 Deploy the CPEs at the sites using email-based deployment.
1. Power on the CPEs.
2. Wait for a moment until the SYS indicator on the CPEs is blinking green slowly,
indicating that the CPEs have started successfully.
3. Perform email-based deployment according to section 2.2.2 Email-based Deployment.
Step 23 After the deployment is successful, enable all CPEs to register with the Agile Controller-
Campus again to obtain the configurations of the new branch sites.

----End

2.2 Site Deployment

2.2.1 USB-based Deployment


Related Products
Agile Controller-Campus: V300R003C00
AR: V300R003C00

Networking Requirements
An enterprise wants to deploy several branch sites, as shown in Figure 2-30. Information
about CPEs that serve as gateways of the branch sites is ready. It is time-consuming and
labor-intensive if software engineers go to the branch sites to deploy the CPEs site by site.
The enterprise requires a method to quickly deploy the branch sites in a batch through easy
operations without requiring high software commissioning skills.

Figure 2-30 Enterprise networking

Solution Design
If multiple CPEs need to be deployed and the CPE model and ESN information are available,
you can deploy the CPEs in a batch using USB-based deployment at a location where most
CPEs are located, and then assign the CPEs to the sites for installation and deployment. The
following example describes how to use USB-based deployment to deploy Site2.

1. The tenant administrator creates a branch site, Site2, on the Agile Controller-Campus,
completes the ZTP configuration for Site2, and downloads the ZTP file.
2. The tenant administrator uses the IniConverter.exe tool to convert the ZTP file into a
configuration file suffixed with .ini, creates the index file USB_AR.ini, and sends the
configuration file and index file to the deployment engineer.
3. The deployment engineer saves the received configuration file and index file to the root
directory of the USB flash drive and starts the CPEs for USB-based deployment.

Data Plan

Table 2-97 Global network parameters

Item                  Value
URL encryption key    123456

Table 2-98 Site template for new branch sites

Item                Value
Template name       Site2
Description         -
Gateway             Single Gateway
WAN Link Name       Internet
Device              Device1
Interface           GE0/0/1
Transport Network   Internet
Role                Active

Table 2-99 Basic device information

Device ESN              Device Name
2102351BTJ10H1000015    Site2_1
2102351BTJ10H1000008    Site3_1
2102351BTJ10H1000022    Site3_2
2102351BTJ10H1000013    Site4_1
2102351BTJ10H1000014    Site4_2

Table 2-100 ZTP configuration for new branch sites

Item                        Value
Link name                   Internet
Interface protocol          IPoE
IP address access mode      Static
IP address/Subnet mask      10.100.12.1/24
Default gateway             10.100.12.254
Negotiation mode            Auto
Uplink bandwidth (Mbps)     100
Downlink bandwidth (Mbps)   100

Procedure
Step 1 Create branch sites and complete the ZTP configuration on the Agile Controller-Campus as a
tenant administrator.
1. Log in to the Agile Controller-Campus as a tenant administrator.
2. Choose Configuration > Global Parameters and set global network parameters.
3. If no required site template is available in the system, create a site template for creating
branch sites.
a. Choose Configuration > Site > Template. On the Site Template page that is
displayed, click Create.
b. Enter the template information.

4. Add devices in a batch based on their ESNs and use them as the CPE gateways for the
new branch sites.
a. Choose Device Management > Device List. The Device List page is displayed.
b. Click Add Device and set Addition method to Batch import.
c. Click Template to download the template file.
d. Fill in the template with required information and save the file.

e. Click , select the configured template file, and click Upload.


f. Confirm the imported data, select the data to be created for CPEs, and click OK.

5. Create a branch site.


a. Choose Configuration > Site.
b. Enter the site information, and select the site template configured in the previous
step. For a branch site, you need to select the hub site to which it connects.
c. Under Add Device, select the devices added in the previous step.
d. Click OK.

6. Complete the ZTP configuration for the new branch site and download the ZTP file.
a. Configure the WAN links.
i. Choose Configuration > Site > ZTP Configuration. The ZTP
Configuration page is displayed.
ii. In the Not Activated list, click a created site. The WAN Link page displays
link information.

iii. Click in the Operation column in the right pane. In the displayed dialog
box, set WAN link parameters and then click Apply Changes on the main
page.

7. Complete the NTP configuration.


Select the time zone used by the old branch site, and click Apply Changes.

8. After completing the ZTP configuration, click Download ZTP File and save the file as a
ZTP_xxx.csv file.
9. Complete the underlay and overlay network configurations for the branch site. For
details, see section 2.1.14.1 Example for Building an SD-WAN Network for an
Enterprise Tenant.

Step 2 Make a configuration file and an index file as a tenant administrator.


1. Drag the downloaded ZTP_xxx.csv file to the IniConverter.exe tool.

2. Set Password to the value of URL encryption key, which has been set on the Global
Parameters page.
3. Click Generate ini file, and save the configuration file as ZTP.ini.
4. Create a text file named USB_AR.ini as the index file and edit it as shown below.
During USB-based deployment, the device to which the USB flash drive is connected
compares its ESN with the ESN field in the device description section of the index file.
If a match is found, the configuration file on the USB flash drive is copied.
BEGIN AR
[USB CONFIG]
SN=20180408.070632
EMS_ONLINE_STATE=NO
[UPGRADE INFO]
OPTION=AUTO
DEVICENUM=1
[DEVICE1 DESCRIPTION]
OPTION=OK
ESN=DEFAULT
MAC=DEFAULT
VERSION=DEFAULT
DIRECTORY=DEFAULT
FILENUM=1
TYPE1=SYSTEM-CONFIG
FILENAME1=ZTP.ini
END AR

Step 3 Perform USB-based deployment as a deployment engineer.


1. Save the received configuration file and index file to the root directory of the USB flash
drive.
2. Power on the CPEs. After the CPEs have started successfully, leave them in their factory
settings.
3. Insert the prepared USB flash drive into the USB port on a CPE. The CPE automatically
starts the USB-based deployment process.
During the deployment, the CPE obtains the configuration file from the USB flash drive
based on the description in the index file and saves it to the default storage medium. The
CPE then checks whether its ESN matches the ESN in the index file. If so, it saves the
configuration as the configuration file for next startup. If not, the CPE does not replace
its configuration file.
4. Observe the USB indicator on the device to determine the progress of USB-based
deployment:
– If the indicator is blinking green, USB-based deployment is ongoing.
– If the indicator is steady green, USB-based deployment is successful.
– If the indicator is steady red, USB-based deployment has failed.
After USB-based deployment is successful, remove the USB flash drive. The USB-based
deployment ends.
Step 4 Verify the deployment result.
l The tenant administrator checks whether the CPE status is Normal on the Agile
Controller-Campus.
Choose Device Management > Device List. On the Device List page that is displayed,
find the target CPE. If Status displays Normal, the CPE has been deployed successfully
and registered with the Agile Controller-Campus.
l If an AR650 or AR1600 series router is deployed as a CPE, check the CTRL indicator
status on the AR. If the indicator is steady on, the AR has been successfully deployed
and registered with the Agile Controller-Campus.
----End

Precautions
l During USB-based deployment, the SN in the index file used to deploy a CPE must be
different from the default USB-based deployment flag of the CPE.
The SN in an index file is a unique flag for USB-based deployment, and each device stores
a default USB-based deployment flag. If the USB flash drive contains a USB_AR.ini file,
the device compares its stored flag with the SN in USB_AR.ini. If they are the same, the
device does not start USB-based deployment. If they are different, the device starts USB-
based deployment with the deployment files specified in the USB flash drive. If the
deployment succeeds, the USB-based deployment flag on the device is changed to the SN
in USB_AR.ini.
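The USB_AR.ini index file listed in Step 2 and the SN/ESN rules in the precautions above can be checked offline before a USB flash drive is handed to a deployment engineer. The following Python script is an added example and is not a tool from this guide or from the AR product: it parses the index file exactly as listed above, validates that the DEVICENUM and FILENUM counts agree with the sections and keys actually present, and replays the device-side decision the guide describes (no deployment when the SN equals the flag stored on the device; otherwise the SYSTEM-CONFIG file is copied when the ESN matches, and the flag is then set to the SN). The treatment of ESN=DEFAULT as matching any device, the initial flag value "0", and the Cpe class are assumptions made for the example.

```python
"""Added example (not part of the Huawei SD-WAN guide): parse a USB_AR.ini index
file and replay the device-side USB-based deployment decision it describes."""
import configparser
from dataclasses import dataclass
from typing import List, Optional

# Index file exactly as listed in the guide for deploying Site2 (ZTP.ini).
INDEX_FILE = """BEGIN AR
[USB CONFIG]
SN=20180408.070632
EMS_ONLINE_STATE=NO
[UPGRADE INFO]
OPTION=AUTO
DEVICENUM=1
[DEVICE1 DESCRIPTION]
OPTION=OK
ESN=DEFAULT
MAC=DEFAULT
VERSION=DEFAULT
DIRECTORY=DEFAULT
FILENUM=1
TYPE1=SYSTEM-CONFIG
FILENAME1=ZTP.ini
END AR
"""


def parse_index(text: str) -> configparser.ConfigParser:
    """Strip the BEGIN AR / END AR wrapper and parse the INI body."""
    body = [ln for ln in text.splitlines() if ln.strip() not in ("BEGIN AR", "END AR")]
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep SN, ESN, FILENAME1 ... in their written case
    cp.read_string("\n".join(body))
    return cp


def validate_index(cp: configparser.ConfigParser) -> List[str]:
    """Return structural problems; an empty list means the counts and sections agree."""
    problems: List[str] = []
    if not cp.has_option("USB CONFIG", "SN"):
        problems.append("missing [USB CONFIG] SN")
    try:
        count = int(cp.get("UPGRADE INFO", "DEVICENUM"))
    except (configparser.Error, ValueError):
        return problems + ["missing or non-numeric [UPGRADE INFO] DEVICENUM"]
    for i in range(1, count + 1):
        sec = f"DEVICE{i} DESCRIPTION"
        if not cp.has_section(sec):
            problems.append(f"DEVICENUM={count} but [{sec}] is absent")
            continue
        try:
            files = int(cp.get(sec, "FILENUM"))
        except (configparser.Error, ValueError):
            problems.append(f"[{sec}] FILENUM missing or non-numeric")
            continue
        for n in range(1, files + 1):
            for key in (f"TYPE{n}", f"FILENAME{n}"):
                if not cp.has_option(sec, key):
                    problems.append(f"[{sec}] FILENUM={files} but {key} is absent")
    return problems


@dataclass
class Cpe:
    """Minimal model of a CPE (assumption: the factory flag value is '0')."""
    esn: str
    usb_flag: str = "0"
    next_startup_config: Optional[str] = None


def usb_deploy(cp: configparser.ConfigParser, cpe: Cpe) -> str:
    """Replay the guide's rules; returns 'skipped', 'no-match' or 'deployed'."""
    sn = cp.get("USB CONFIG", "SN")
    if sn == cpe.usb_flag:
        return "skipped"  # same flag: the device does not start USB-based deployment
    for i in range(1, int(cp.get("UPGRADE INFO", "DEVICENUM")) + 1):
        sec = f"DEVICE{i} DESCRIPTION"
        esn = cp.get(sec, "ESN")
        if esn != "DEFAULT" and esn != cpe.esn:  # assumption: DEFAULT matches any ESN
            continue
        for n in range(1, int(cp.get(sec, "FILENUM")) + 1):
            if cp.get(sec, f"TYPE{n}") == "SYSTEM-CONFIG":
                cpe.next_startup_config = cp.get(sec, f"FILENAME{n}")
                cpe.usb_flag = sn  # success: flag becomes the SN, so a re-insert is skipped
                return "deployed"
    return "no-match"  # ESN differs: the configuration file is not replaced


if __name__ == "__main__":
    index = parse_index(INDEX_FILE)
    print("problems:", validate_index(index) or "none")
    site2 = Cpe(esn="2102351BTJ10H1000015")  # ESN of Site2_1 from Table 2-99
    print(usb_deploy(index, site2), site2.next_startup_config)
    print(usb_deploy(index, site2))  # same drive inserted again: skipped
```

Running validate_index on every index file before it leaves the tenant administrator catches a DEVICENUM or FILENUM that does not match the sections present, which would otherwise only show up as a red USB indicator at the site; the replay function makes the SN rule in the precautions concrete, since a second insertion of an unchanged drive returns "skipped".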

2.2.2 Email-based Deployment


Related Products
Agile Controller-Campus: V300R003C00
AR: V300R003C00

Networking Requirements
An enterprise wants to add a branch site, Site2, deploy a CPE as the gateway, and connect
Site2 to the WAN through an Internet link, as shown in Figure 2-31. No professional software
commissioning engineer is available at Site2. The hardware installation test engineer needs to
complete the CPE deployment after installing the CPE.

Figure 2-31 Enterprise networking

Solution Design
Hardware installation test engineers usually have limited skills in commissioning router
software, but they understand basic operations such as connecting terminals (mobile phones,
tablets, and laptops) to a network and browsing web pages. They can therefore deploy the
CPE at Site2 using email-based deployment as follows:
1. The tenant administrator creates Site2 on the Agile Controller-Campus, completes the
ZTP configuration for Site2, and sends a deployment email to the specified email
address.
2. The hardware installation test engineer confirms that the mobile phone, tablet, or laptop
that is used as the deployment terminal receives the deployment email.
3. After installing the CPE at the site, the hardware installation test engineer connects the
deployment terminal to the CPE in wired or wireless mode and starts the deployment
process by accessing the URL in the deployment email. The CPE is automatically
deployed after receiving the URL access request.

Data Plan

Table 2-101 Global network parameters

Item                          Value
URL encryption key            123456
Token validity period (day)   7

Table 2-102 Site template for new branch sites

Item                Value
Template name       Site2
Description         -
Gateway             Single Gateway
WAN Link Name       Internet
Device              Device1
Interface           GE0/0/1
Transport Network   Internet
Role                Active

Table 2-103 Email template information

Item                Value
Email Template      Implementer
Subject             How to install a Huawei SD-WAN router
Content             To install Huawei SD-WAN routers, perform the following steps:
Default Template    OFF

Table 2-104 Email-based deployment information

Item                Value
Site                Hub1                 Site1                Site2
Email address       testadmin@163.com    testadmin@163.com    testadmin@163.com
Email Template      Implementer

Table 2-105 ZTP configuration for new branch sites

Item                        Value
Link name                   Internet
Interface protocol          IPoE
IP address access mode      Static
IP address/Subnet mask      10.100.12.1/24
Default gateway             10.100.12.254
Negotiation mode            Auto
Uplink bandwidth (Mbps)     100
Downlink bandwidth (Mbps)   100

Procedure
Step 1 Create a branch site, complete the ZTP configuration, and send a deployment email on the
Agile Controller-Campus as a tenant administrator.
1. Log in to the Agile Controller-Campus as a tenant administrator.
2. Choose Configuration > Global Parameters and set global network parameters.
3. If no required site template is available in the system, create a site template for creating a
branch site.
a. Choose Configuration > Site > Template. On the Site Template page that is
displayed, click Create.
b. Enter the template information.

4. Create an email template.


a. Choose Configuration > Site > Template > Email Template.
b. On the Email Template page that is displayed, click Create. Enter the template
information.

5. Add devices in a batch based on the device models and use them as the CPE gateways
for the new branch site.
a. Choose Device Management > Device List. The Device List page is displayed.
b. Click Add Device and set Addition method to Manually create.
c. Set Mode to Device Model, and click Add.
d. On the page that is displayed, set Type, Device Model, and Quantity, and click
OK.
e. Click Edit, change the value of Device Name, and click Submit.
f. Click OK.

6. Create a branch site.


a. Choose Configuration > Site.
b. On the Site page that is displayed, click Create. Set Creation mode to Single.
c. Enter the site information, and select the site template configured in the previous
step. For a branch site, you need to select the hub site to which it connects.
d. Under Add Device, select the devices added in the previous step.
e. Click OK.

7. Complete the ZTP configuration for the new branch site and send a deployment email.
a. Configure the WAN links.
i. Choose Configuration > Site > ZTP Configuration. The ZTP
Configuration page is displayed.
ii. In the Not Activated list, click the new branch site. The WAN Link page
displays link information.

iii. Click in the Operation column in the right pane.


iv. In the Set WAN Link dialog box that is displayed, set WAN link parameters.
v. Click Apply Changes.

b. Complete the NTP configuration.


On the NTP page that is displayed, select a time zone for the devices. Enter NTP
information and click Apply Changes.

c. After completing the ZTP configuration, click Send Email.


i. In the displayed Send Email dialog box, select the site to deploy and click
.
ii. Enter the recipient email address and CC email address, select the created
email template, modify the email content, and click OK.

8. Complete the underlay and overlay network configurations for the branch site. The
configuration details are not described here.

Step 2 Perform email-based deployment as a deployment engineer.


1. Check the deployment email.
2. Install a CPE onsite and connect the deployment terminal that receives the email to the
CPE.
a. Install the CPE, connect cables, and power on the CPE.
b. Connect the deployment terminal to the CPE.
l Wireless access
In the device's factory settings, the deployment Wi-Fi network SSID is a character string
that consists of PnP_ and the last six digits of the device's ESN, in the PnP_xxxxxx
format. The deployment Wi-Fi password is a character string that consists of AR and the
last six digits of the network SSID, in the ARxxxxxx format.
The deployment engineer uses a deployment terminal to search for the deployment Wi-Fi
network SSID and enters the deployment Wi-Fi password to access the device. When the
deployment terminal has been connected to the specified deployment Wi-Fi network and
obtained an IP address, this deployment terminal has been connected to the device.

Only devices whose default WLAN mode is AP mode support wireless access of deployment
terminals.
l Wired access (the following example uses a PC running Windows 7)
a. Use an Ethernet cable to connect the PC to the management interface of the CPE.
The CPE's management interface is usually marked with the Management or MGMT
silkscreen. Management interfaces of some device models do not have this silkscreen;
in that case, check the position of the management interface in the product
documentation.

b. Configure the PC to obtain an IP address dynamically.


In factory settings, the IP address of the management interface is 192.168.1.1, the
subnet mask is 255.255.255.0, and the DHCP server function is enabled so that the
PC can automatically obtain an IP address through DHCP. If the PC can ping the IP
address of the management interface, the PC has successfully connected to the CPE.

3. Perform email-based deployment.

NOTE

If two gateways are deployed at a site, disconnect the cable between them before deployment, and then
reconnect it after deployment. If the cable is not disconnected, deployment may fail.

a. On the deployment terminal, open the deployment email and click the URL in the email,
or copy the URL into the browser's address bar and open it. The deployment Portal page
is then displayed in the browser.
b. On the page that is displayed, enter the password and click GO. The system uses the
password to decrypt the encrypted URL.

NOTE

The entered password must be the same as the value of URL encryption key specified in the
global network parameters.
c. Click Check Parameters to check the automatically parsed parameters, and then click
Confirm Deployment to start the deployment process.

d. After the CPE completes deployment and registers with the Agile Controller-Campus,
the following page is displayed on the deployment terminal, indicating that the
deployment is successful.

Step 3 Verify the deployment result.


l Check whether the CPE status is Normal on the Agile Controller-Campus as a tenant
administrator.
Choose Device Management > Device List. On the Device List page that is displayed,
find the target CPE. If Status displays Normal, the AR has successfully registered with
the Agile Controller-Campus and gone online.
l If an AR650 or AR1600 series router is deployed as a CPE, check the CTRL indicator
status on the AR. If the indicator is steady on, the AR has successfully registered with
the Agile Controller-Campus.
----End

2.3 Configuration Change of the Hub Site

2.3.1 Changing Single-CPE Single-Link (MPLS) Networking to Dual-CPE Dual-Link (MPLS
and Internet) Networking

Related Products
Agile Controller-Campus: V300R003C00
AR: V300R003C00

Networking Requirements
One CPE is deployed at the hub site (Hub1) of an enterprise as the gateway and it connects to
a WAN through an MPLS link, as shown in Figure 2-32. The enterprise wants to add an
Internet link to change the single-device single-link (MPLS uplink) networking to dual-device
dual-link (MPLS and Internet Uplinks) networking. Figure 2-33 shows the networking
diagram after the change.

Figure 2-32 Networking before the change

Figure 2-33 Networking after the change

Solution Design
The configuration roadmap is as follows:
1. Delete the branch sites and then the hub site.
2. Add a new CPE, create a hub site and two branch sites, and complete the service
configuration.
3. Perform the deployment operations for the site to which a new CPE is added. After the
new CPE is deployed, the CPE automatically obtains the modified configuration from
the Agile Controller-Campus. CPEs at other sites automatically obtain the modified
configuration from the Agile Controller-Campus after going online.
Figure 2-34 shows the detailed operation flowchart.

Figure 2-34 Operation flowchart

Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.

Step 2 Delete the service configurations of the hub and branch sites.

The sites to be deleted cannot be associated with any traffic distribution policy, Internet access
policy, or legacy site mutual access policy and cannot be added to any VPN. Otherwise, the
deletion fails.

1. Delete the Internet access policy configured for the sites.


a. Choose Configuration > Traffic Policy.
b. Choose Overlay > Site-to-Internet and disable Centralized Internet access and
Local Internet access.
c. Click Apply Changes.
2. Delete the legacy site mutual access policy configured for the sites.
a. Choose Configuration > Traffic Policy.
b. Choose Overlay > Site-to-Legacy Site and disable Centralized access and Local
access.
c. Click Apply Changes.
3. Delete the traffic distribution policies bound to the sites.
a. Choose Configuration > Overlay Network > Traffic Distribution.
b. Select all traffic distribution policies and click Delete.
4. Delete the sites from a custom VPN.
a. Choose Configuration > Overlay Network > VPN.

b. On the VPN page that is displayed, click in the Operation column next to each
VPN. In the displayed dialog box, select all the sites and click to remove the
sites from the VPN.
c. Click OK.

Step 3 Delete the hub site and branch sites.


1. Choose Configuration > Site.
2. Select all the sites and click Delete.
3. Click OK.

Step 4 Add a CPE and recreate a hub site and two branch sites. For details, see section 2.1.14.1
Example for Building an SD-WAN Network for an Enterprise Tenant.

Step 5 Install the CPEs at the hub site based on the site networking requirements and connect the
WAN ports of the CPEs to the networks.

In this example, the CPE deployment configurations of the hub site and Site2 are changed.
Therefore, you need to re-deploy the CPEs at the two sites. For the branch sites where the
deployment configuration remains unchanged, the CPEs automatically register with the Agile
Controller-Campus using the original deployment configuration. Then, the Agile Controller-
Campus can manage these CPEs.

Step 6 Deploy the CPEs at the hub site and Site2 using email-based deployment.
1. Power on the CPEs.
2. Wait for a moment until the SYS indicator on the CPEs is blinking green slowly,
indicating that the CPEs have started successfully.
3. Perform email-based deployment according to section 2.2.2 Email-based Deployment.

----End

2.4 Configuration Changes in Different Branch Site Networking Modes

2.4.1 Overview of Configuration Changes in Different Branch Site Networking Modes
Common branch site networking modes include single-CPE single-link, single-CPE dual-link,
dual-CPE dual-link, and dual-CPE multi-link (rarely used). The uplinks of a branch can be
MPLS links, Internet links, or both MPLS and Internet links.

Table 2-106 Common branch site networking modes (the sample diagrams are figures that are
not reproduced here)

Networking Mode                                Sample Diagram
Single-CPE single-link (Internet)              (figure)
Single-CPE single-link (MPLS)                  (figure)
Single-CPE dual-link (MPLS)                    (figure)
Single-CPE dual-link (Internet)                (figure)
Single-CPE dual-link (MPLS and Internet)       (figure)
Dual-CPE dual-link (MPLS)                      (figure)
Dual-CPE dual-link (Internet)                  (figure)
Dual-CPE dual-link (MPLS and Internet)         (figure)

The configuration roadmap is as follows:
1. Create a branch site based on the new networking requirements and complete the site
configuration.
2. Replace the old branch site with the new one.
3. Deploy the CPEs at the new site and register them with the Agile Controller-Campus.
The main work in changing the networking of a branch site is creating the new site and
completing its service configuration. This section provides several typical examples of
configuration change scenarios. Other configuration change scenarios differ only slightly
from the typical examples documented in this section; Table 2-107 lists the configuration
differences for reference.

Table 2-107 Configuration change scenarios of branch sites

No.  Networking Mode Before the Change          Networking Mode After the Change            Reference Case  Configuration Notes
1    Single-CPE single-link (Internet)          Single-CPE dual-link (Internet)             2.4.2           Note A
2    Single-CPE single-link (MPLS)              Single-CPE dual-link (MPLS)                 2.4.2           Note B
3    Single-CPE single-link (Internet)          Single-CPE dual-link (Internet and MPLS)    2.4.2           -
4    Single-CPE dual-link (MPLS)                Single-CPE dual-link (Internet and MPLS)    2.4.2           -
5    Single-CPE single-link (Internet)          Dual-CPE dual-link (Internet)               2.4.3           Note A
6    Single-CPE single-link (MPLS)              Dual-CPE dual-link (MPLS)                   2.4.3           Note B
7    Single-CPE single-link (Internet)          Dual-CPE dual-link (Internet and MPLS)      2.4.3           -
8    Single-CPE dual-link (Internet and MPLS)   Dual-CPE dual-link (Internet and MPLS)      2.4.3           -
9    Single-CPE dual-link (MPLS)                Dual-CPE dual-link (Internet and MPLS)      2.4.3           -
10   Dual-CPE dual-link (MPLS)                  Dual-CPE dual-link (Internet and MPLS)      2.4.3           -
11   Single-CPE dual-link (Internet)            Single-CPE single-link (Internet)           2.4.4           -
12   Dual-CPE dual-link (Internet and MPLS)     Single-CPE single-link (Internet)           2.4.4           -

Reference cases:
2.4.2 Changing Single-CPE Single-Link (MPLS) Networking to Single-CPE Dual-Link (MPLS
and Internet) (rows 1 to 4)
2.4.3 Changing Single-CPE Single-Link (MPLS) Networking to Dual-CPE Dual-Link (MPLS
and Internet) Networking (rows 5 to 10)
2.4.4 Changing Dual-CPE Dual-Link (MPLS and Internet) Networking to Single-CPE Single-
Link (Internet) Networking (rows 11 and 12)

Configuration notes:
Note A: Unlike the reference case, the branch site after the change uses two Internet links for
connecting to the upstream network. In this situation, you need to configure two Internet
links as the WAN links when creating a site template (Step 3) and completing the ZTP
configuration (Step 6).
Note B: Unlike the reference case, the branch site after the change uses two MPLS links for
connecting to the upstream network. In this situation, you need to configure two MPLS
links as the WAN links when creating a site template (Step 3) and completing the ZTP
configuration (Step 6).

2.4.2 Changing Single-CPE Single-Link (MPLS) Networking to Single-CPE Dual-Link (MPLS and Internet)

Related Products
Agile Controller-Campus: V300R003C00
AR: V300R003C00

Networking Requirements
One CPE is deployed at the branch site, Site1, of an enterprise as the gateway and it connects
to the WAN through an MPLS link, as shown in Figure 2-35. The enterprise wants to add an
Internet link to change the single-CPE single-link (MPLS) networking to single-CPE dual-
link (MPLS and Internet) networking. Figure 2-36 shows the networking diagram after the
change.

Figure 2-35 Networking before the change

Figure 2-36 Networking diagram after the change

Solution Design
The configuration roadmap is as follows:
1. On the Agile Controller-Campus, create a new branch site according to the networking
requirements and complete the service configuration for the new branch site based on the
services configured at the old branch site. Unbind the service configuration from the old
site, delete the old site, and change the name of the new site to that of the old site.
2. At the new branch site, re-deploy the CPE, connect it to the WAN, and complete the CPE
deployment.
3. After the CPE is deployed, it automatically obtains the modified configuration from the
Agile Controller-Campus.
Figure 2-37 shows the detailed operation flowchart.

Figure 2-37 Operation flowchart

Data Plan
An Internet link needs to be added. In this example, static routes are used as the underlay
network routes for interworking with the WAN-side network. The following tables list
required data. The configuration of other services is the same as that of the old branch site,
and is not mentioned here.

Table 2-108 Site template for new branch sites

Item | Value
Template name | Site1_new
Description | -
Gateway | Single Gateway
WAN Link Name | MPLS | Internet
Device | Device1 | Device1
Interface | GE0/0/1 | GE0/0/2
Transport Network | MPLS | Internet
Role | Active | Active

Table 2-109 ZTP configuration for new branch sites

Item | Value (MPLS link) | Value (Internet link)
Link name | MPLS | Internet
Interface protocol | IPoE | IPoE
IP address access mode | Static | Static
IP address/Subnet mask | 172.16.1.1/24 | 10.100.13.1/24
Default gateway | 172.16.1.254 | 10.100.13.254
Negotiation mode | Auto | Auto
Uplink bandwidth (Mbps) | 100 | 100
Downlink bandwidth (Mbps) | 100 | 100

Table 2-110 Static route information about the underlay network

Item | Value (MPLS link) | Value (Internet link)
Device | Device1 | Device1
Priority | 60 | 60
WAN link | MPLS | Internet
Destination address/mask | 0.0.0.0/0 | 0.0.0.0/0
Next-hop type | IP address | IP address
IP address | 172.16.1.254 | 10.100.13.254
Track | OFF | OFF

Table 2-111 Information about devices

Device ESN | Device Name | Device Model | Description
2102351BTJ10H1000015 | Site1_1 | AR161EW | CPE used at Site1.
2102351BTJ10H1000013 | Site1_1_temp | AR161EW | CPE that uses a virtual ESN. It is used to delete the CPE from the old site so that the CPE that is in use can be successfully registered with the new site.

Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.

Step 2 (Optional) Create transport networks.

The system provides two default transport networks, Internet and Internet1, for which
Routing Domain is set to Internet. This configuration case uses the default transport
networks.

Step 3 Create a site template for branch site creation.
1. Choose Configuration > Site > Template. On the Site Template page that is displayed,
click Create.
2. Enter the template information and click OK.

Step 4 Add a device based on the device model and use it as the CPE gateway for the new branch
site.
1. Choose Device Management > Device List. The Device List page is displayed.
2. Click Add Device and set Addition method to Manually create.
3. Set Mode to Device Model, and click Add.
4. On the page that is displayed, set Type, Device Model, and Quantity, and click OK.

5. Click Edit, change the value of Device Name, and click Submit.
6. Click OK.

Step 5 Create a branch site.
1. Choose Configuration > Site.
2. On the Site page that is displayed, click Create. Set Creation mode to Single.
3. Enter the site information, and select the site template configured in the previous step.
For a branch site, you need to select the hub site to which it connects.
4. Under Add Device, select the device added in the previous step.
5. Click OK.

Step 6 Complete the ZTP configuration for the new branch site and send a deployment email.
1. Change the WAN link IP address of the old branch site.
a. Choose Configuration > Site > ZTP Configuration. The ZTP Configuration
page is displayed.
b. In the site list on the left, click the old branch site. The WAN Link page displays
link information.

c. Click next to the WAN link that will use the IP address of the new site in the
Operation column in the right pane.
d. In the Set WAN Link dialog box that is displayed, set the IP address to a value that
does not conflict with those of the other sites.


e. Click Apply Changes.


2. Configure the WAN link of the new branch site.
a. Choose Configuration > Site > ZTP Configuration. The ZTP Configuration
page is displayed.
b. In the Not Activated list, click the new branch site. The WAN Link page displays
link information.

c. Click in the Operation column in the right pane.


d. In the Set WAN Link dialog box that is displayed, set WAN link parameters.
e. Click Apply Changes.


3. Complete the NTP configuration.
Select the time zone used by the old branch site, and click Apply Changes.

4. After completing the ZTP configuration, click Send Email.

a. In the displayed Send Email dialog box, select the site to deploy and click .
b. Enter the recipient email address and CC email address, select the created email
template, modify the email content, and click OK.


Step 7 Configure WAN routes for the underlay network of the new branch site. The following
describes how to configure static routes.
1. Choose Configuration > Site > Underlay Configuration.
2. Select the new branch site with ZTP settings completed from the list on the left.
3. On the WAN Route page that is displayed, click Click Here to Add Routing Protocol
and select Static.
4. On the Static page, click Create and configure static routes for WAN link access. Then,
click Apply Changes on the main page.


Step 8 Complete the site configuration for the overlay network of the new branch site, including the
interface connecting to the LAN, LAN-side routes, and WAN routing policies. The following
describes how to configure VLANs.
1. Choose Configuration > Overlay Network > Site Configuration.
2. On the Site Configuration page, select the VPN to which the site to be configured
belongs.
3. Select the new branch site and click VLAN in the right pane.
4. Click Create and enter VLAN information. On the main page, click Apply Changes.
5. (Optional) If multiple VPNs are configured for the old branch site, repeat the preceding
steps to configure all VPN services for the new branch site.


Step 9 (Optional) If a custom VPN is configured for the old branch site, add the new branch site to
this custom VPN.
1. Choose Configuration > Overlay Network > VPN.

2. On the VPN page, click in the Operation column of the VPN to be modified. On the
page that is displayed, select the new branch site and click to add it to the VPN.
3. Click OK.

Step 10 (Optional) If a traffic distribution policy is configured for the old branch site, unbind this
policy from the old branch site and bind it to the new branch site.
1. Choose Configuration > Overlay Network > Traffic Distribution.

2. On the Traffic Distribution page, click in the Operation column next to a traffic
distribution policy and click Next. On the page that is displayed, select the new branch
site and click to associate the policy with it. Then, select the old branch site and click
to unbind the policy from it.
3. Click OK.

Step 11 (Optional) If a traffic policy is bound to the old branch site, unbind the policy from the old
site and bind it to the new branch site. The following uses a QoS policy as an example. The
operations are the same for an ACL policy or an intelligent traffic steering policy.
1. Choose Configuration > Traffic Policy.
2. On the Overlay page, select the VPN to which the sites to be configured belong.


3. Click QoS. On the QoS page that is displayed, click Site View.
4. Select the branch site from which you want to unbind policies, select all policies in the
policy list, and click Unbind. In the Confirm dialog box that is displayed, click OK.

5. Select the new branch site to which you want to bind policies and click Bind New
Policy. In the Bind New Policy dialog box that is displayed, select all the required
policies and click OK.

6. Click Commit All. In the Commit dialog box that is displayed, set Effective time and
click OK.
Step 12 (Optional) If a security policy is bound to the old branch site, unbind the policy from the old
site and bind it to the new branch site.
1. Choose Configuration > Security Policy.
2. On the Security Policy page, select the VPN to which the site to be configured belongs.

3. On the Security Policy page, click in the Operation column of the policy. In the
Attach Sites dialog box that is displayed, select the new branch site and click to
bind the policy to it. Select the old branch site and click to unbind the policy from it.
Then, click OK.
4. Select the policy to be submitted, click Commit, and select Commit Selected. In the
Commit dialog box that is displayed, set Effective time and click OK.
Step 13 Add a new CPE using a virtual ESN. The virtual ESN is used to remove the existing CPE
from the old branch site, so that the existing CPE can register with the new branch site after
deployment.
When setting the virtual ESN, change the last six digits in the ESN of the CPE at the old site
to random digits to ensure that the new ESN does not exist in the system.
1. Choose Device Management > Device List. The Device List page is displayed.
2. Click Add Device and set Addition method to Manually create.
3. Set Mode to ESN and click Add.
4. Set ESN, Device Name, and Description and click Submit.
5. Click OK.
Step 14 Replace the CPE.


1. Choose Device Management > Device List. The Device List page is displayed.

2. In the device list, find the CPE of the old branch site. Click in the Operation column
of the CPE record. The Device Replacement page is displayed.
3. In the new device list that is displayed, select the device with the virtual ESN added in
the previous step and click OK.

Step 15 Delete the replaced CPE.
1. Choose Device Management > Device List. The Device List page is displayed.

2. In the device list, find the replaced CPE and click in the Operation column of this
CPE. In the High Risk dialog box that is displayed, click Yes to delete the device
information.

Step 16 Change the name of the new site to that of the old site.
1. Choose Configuration > Site.

2. On the Site page, click in the Operation column next to the old site, change the site
name to any value, and click OK.

3. On the Site page, click in the Operation column next to the new site, change the site
name to that of the old site, and click OK.

Step 17 Install the CPE at the new branch site based on the site networking requirements and connect
the WAN port of the CPE to the WAN.

Step 18 Deploy the CPE at the branch site using email-based deployment.
1. Press and hold the Reset button on the CPE for 5 seconds or longer to restore the factory
settings of the CPE.
2. Wait for a moment until the SYS indicator on the CPE is blinking green slowly,
indicating that the CPE has started successfully.
3. Perform email-based deployment according to section 2.2.2 Email-based Deployment.

Step 19 After the deployment is successful, verify that the CPE registers with the Agile Controller-
Campus again to obtain the configuration of the new branch site.

Step 20 After the successful change operation, observe the site running status for a period of time. If
the site runs properly, go to the next step. Otherwise, refer to 2.4.5 Rolling Back from
Single-CPE Single-Link (Internet) Networking to Dual-CPE Dual-Link (MPLS and
Internet) Networking to roll back the change operation.

Step 21 (Optional) Delete the old site.


1. Choose Configuration > Site.
2. On the Site page, select the old branch site to be deleted and click Delete. In the
Warning dialog box that is displayed, enable Forcible deletion, enter yes and click OK.

----End

2.4.3 Changing Single-CPE Single-Link (MPLS) Networking to Dual-CPE Dual-Link (MPLS and Internet) Networking

Related Products
Agile Controller-Campus: V300R003C00
AR: V300R003C00

Networking Requirements
One CPE is deployed at the branch site, Site1, of an enterprise as the gateway and it connects
to the WAN through an MPLS link, as shown in Figure 2-38. The enterprise wants to add one
CPE and one Internet link to change the single-CPE single-link (MPLS) networking to dual-
CPE dual-link (MPLS and Internet) networking. Figure 2-39 shows the networking diagram
after the change.


Figure 2-38 Networking before the change


Figure 2-39 Networking after the change

Solution Design
The configuration roadmap is as follows:
1. On the Agile Controller-Campus, create a new branch site according to the networking
requirements and complete the service configuration for the new branch site based on the
services configured at the old branch site. Unbind the service configuration from the old
site, delete the old site, and change the name of the new site to that of the old site.
2. At the new branch site, re-deploy the CPEs, connect them to the WAN, and complete the
CPE deployment.
3. After the CPEs are deployed, they automatically obtain the modified configuration from
the Agile Controller-Campus.
Figure 2-40 shows the operation flowchart.


Figure 2-40 Operation flowchart

Data Plan
One CPE and one Internet link need to be added. In this example, static routes are used as the
underlay network routes for interworking with the WAN-side networks. The following tables
list required data. The configuration of other services is the same as that of the old branch site,
and is not mentioned here.

Table 2-112 Site template for new branch sites

Item | Value
Template name | Site1_new
Description | -
Gateway | Dual Gateways
WAN Link Name | MPLS | Internet
Device | Device1 | Device2
Interface | GE0/0/1 | GE0/0/1
Transport Network | MPLS | Internet
Role | Active | Active
Inter-CPE Link | Reuse LAN-side L2 interface: OFF
Device1 Interface | GE0/0/2
Device2 Interface | GE0/0/2

Table 2-113 ZTP configuration for new branch sites

Item | Value (MPLS link) | Value (Internet link)
Link name | MPLS | Internet
Interface protocol | IPoE | IPoE
IP address access mode | Static | Static
IP address/Subnet mask | 172.16.1.1/24 | 10.100.13.1/24
Default gateway | 172.16.1.254 | 10.100.13.254
Negotiation mode | Auto | Auto
Uplink bandwidth (Mbps) | 100 | 100
Downlink bandwidth (Mbps) | 100 | 100

Table 2-114 Static route information about the underlay network

Item | Value (MPLS link) | Value (Internet link)
Device | Device1 | Device2
Priority | 60 | 60
WAN link | MPLS | Internet
Destination address/mask | 0.0.0.0/0 | 0.0.0.0/0
Next-hop type | IP address | IP address
IP address | 172.16.1.254 | 10.100.13.254
Track | OFF | OFF

Table 2-115 Information about devices

Device ESN | Device Name | Device Model | Description
2102351BTJ10H1000015 | Site1_1 | AR161EW | CPE used at Site1.
2102351BTJ10H1000013 | Site1_1_temp | AR161EW | CPE that uses a virtual ESN. It is used to delete the CPE from the old site so that the CPE that is in use can be successfully registered with the new site.

Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.

Step 2 (Optional) Create transport networks.

The system provides two default transport networks, Internet and Internet1, for which
Routing Domain is set to Internet. This configuration case uses the default transport
networks.

Step 3 Create a site template to be used for branch site creation.
1. Choose Configuration > Site > Template. On the Site Template page that is displayed,
click Create.
2. Enter the template information and click OK.


Step 4 Add a device based on the device model and use it as the CPE gateway for the new branch
site.
1. Choose Device Management > Device List. The Device List page is displayed.
2. Click Add Device and set Addition method to Manually create.
3. Set Mode to Device Model, and click Add.
4. On the page that is displayed, set Type, Device Model, and Quantity.
5. Click Edit, change the value of Device Name, and click Submit.
6. Click OK.

Step 5 Create a branch site.
1. Choose Configuration > Site.
2. On the Site page that is displayed, click Create. Set Creation mode to Single.
3. Enter the site information, and select the site template configured in the previous step.
For a branch site, you need to select the hub site to which it connects.
4. Under Add Device, select the device added in the previous step.
5. Click OK.

Step 6 Complete the ZTP configuration for the new branch site and send a deployment email.
1. Change the WAN link IP address of the old branch site.
a. Choose Configuration > Site > ZTP Configuration. The ZTP Configuration
page is displayed.
b. In the site list on the left, click the old branch site. The WAN Link page displays
link information.


c. Click next to the WAN link that will use the IP address of the new site in the
Operation column in the right pane.
d. In the Set WAN Link dialog box that is displayed, set the IP address to a value that
does not conflict with those of the other sites.

e. Click Apply Changes.


2. Configure the WAN link of the new branch site.
a. Choose Configuration > Site > ZTP Configuration. The ZTP Configuration
page is displayed.
b. In the Not Activated list, click the new branch site. The WAN Link page displays
link information.

c. Click in the Operation column in the right pane.


d. In the Set WAN Link dialog box that is displayed, set WAN link parameters.
e. Click Apply Changes.


3. Complete the NTP configuration.
Select the time zone used by the old branch site, and click Apply Changes.

4. After completing the ZTP configuration, click Send Email.

5. In the displayed Send Email dialog box, select the site to deploy and click .
6. Enter the recipient email address and CC email address, select the created email
template, modify the email content, and click OK.


Step 7 Configure WAN routes for the underlay network of the new branch site. The following
describes how to configure static routes.
1. Choose Configuration > Site > Underlay Configuration.
2. Select the new branch site with ZTP settings completed from the list on the left.
3. On the WAN Route page that is displayed, click Click Here to Add Routing Protocol
and select Static.
4. On the Static page, click Create and configure static routes for WAN link access. Then,
click Apply Changes.


Step 8 Complete the site configuration for the overlay network of the new branch site, including the
interface connecting to the LAN, LAN-side routes, and WAN routing policies. The following
describes how to configure VLANs.
1. Choose Configuration > Overlay Network > Site Configuration.
2. On the Site Configuration page, select the VPN to which the site to be configured
belongs.
3. Select the new branch site and click VLAN in the right pane.
4. Click Create and enter VLAN information. On the main page, click Apply Changes.
5. (Optional) If multiple VPNs are configured for the old branch site, repeat the preceding
steps to configure all VPN services for the new branch site.


Step 9 (Optional) If a custom VPN is configured for the old branch site, add the new branch site to
this custom VPN.
1. Choose Configuration > Overlay Network > VPN.

2. On the VPN page, click in the Operation column of the VPN to be modified. On the
page that is displayed, select the new branch site and click to add it to the VPN.
3. Click OK.

Step 10 (Optional) If a traffic distribution policy is configured for the old branch site, unbind this
policy from the old branch site and bind it to the new branch site.
1. Choose Configuration > Overlay Network > Traffic Distribution.

2. On the Traffic Distribution page, click in the Operation column next to a traffic
distribution policy and click Next. On the page that is displayed, select the new branch
site and click to associate the policy with it. Then, select the old branch site and click
to unbind the policy from it.
3. Click OK.

Step 11 (Optional) If a traffic policy is bound to the old branch site, unbind the policy from the old
site and bind it to the new branch site. The following uses a QoS policy as an example. The
operations are the same for an ACL policy or an intelligent traffic steering policy.
1. Choose Configuration > Traffic Policy.
2. On the Overlay page, select the VPN to which the sites to be configured belong.


3. Click QoS. On the QoS page that is displayed, click Site View.
4. Select the branch site from which you want to unbind policies, select all policies in the
policy list, and click Unbind. In the Confirm dialog box that is displayed, click OK.

5. Select the new branch site to which you want to bind policies and click Bind New
Policy. In the Bind New Policy dialog box that is displayed, select all the required
policies and click OK.

6. Click Commit All. In the Commit dialog box that is displayed, set Effective time and
click OK.
Step 12 (Optional) If a security policy is bound to the old branch site, unbind the policy from the old
site and bind it to the new branch site.
1. Choose Configuration > Security Policy.
2. On the Security Policy page, select the VPN to which the site to be configured belongs.

3. On the Security Policy page, click in the Operation column of the policy. In the
Attach Sites dialog box that is displayed, select the new branch site and click to
bind the policy to it. Select the old branch site and click to unbind the policy from it.
Then, click OK.
4. Select the policy to be submitted, click Commit, and select Commit Selected. In the
Commit dialog box that is displayed, set Effective time and click OK.
Step 13 Add a new CPE using a virtual ESN. The virtual ESN is used to remove the existing CPE
from the old branch site, so that the existing CPE can register with the new branch site after
deployment.
When setting the virtual ESN, change the last six digits in the ESN of the CPE at the old site
to random digits to ensure that the new ESN does not exist in the system.
1. Choose Device Management > Device List. The Device List page is displayed.
2. Click Add Device and set Addition method to Manually create.
3. Set Mode to ESN and click Add.
4. Set ESN, Device Name, and Description and click Submit.
5. Click OK.
Step 14 Replace the CPE.


1. Choose Device Management > Device List. The Device List page is displayed.

2. In the device list, find the CPE of the old branch site. Click in the Operation column
of the CPE record. The Device Replacement page is displayed.
3. In the new device list that is displayed, select the device with the virtual ESN added in
the previous step and click OK.

Step 15 Delete the replaced CPE.
1. Choose Device Management > Device List. The Device List page is displayed.

2. In the device list, find the replaced CPE and click in the Operation column of this
CPE. In the High Risk dialog box that is displayed, click Yes to delete the device
information.

Step 16 Change the name of the new site to that of the old site.
1. Choose Configuration > Site.

2. On the Site page, click in the Operation column next to the old site, change the site
name to any value, and click OK.

3. On the Site page, click in the Operation column next to the new site, change the site
name to that of the old site, and click OK.

Step 17 Install the CPE at the new branch site based on the site networking requirements and connect
the WAN port of the CPE to the WAN.

Step 18 Deploy the CPE at the branch site using email-based deployment.
1. Press and hold the Reset button on the CPE for 5 seconds or longer to restore the factory
settings of the CPE.
2. Wait for a moment until the SYS indicator on the CPE is blinking green slowly,
indicating that the CPE has started successfully.
3. Perform email-based deployment according to section 2.2.2 Email-based Deployment.

Step 19 After the deployment is successful, verify that the CPE registers with the Agile Controller-
Campus again to obtain the configuration of the new branch site.

Step 20 After the successful change operation, observe the site running status for a period of time. If
the site runs properly, go to the next step. Otherwise, refer to 2.4.5 Rolling Back from
Single-CPE Single-Link (Internet) Networking to Dual-CPE Dual-Link (MPLS and
Internet) Networking to roll back the change operation.

Step 21 (Optional) Delete the old site.


1. Choose Configuration > Site.
2. On the Site page, select the old branch site to be deleted and click Delete. In the
Warning dialog box that is displayed, enable Forcible deletion, enter yes and click OK.

----End
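The procedures in 2.4.2 and 2.4.3 leave two checks to the operator: the old site's WAN link address must no longer collide with the new site's before the ZTP configuration is applied (Step 6.1), and the virtual ESN used for device replacement must keep the real prefix, randomise only the last six digits and not already exist in the device list (Step 13). The following Python script is an added example, not Huawei code and not the Agile Controller-Campus API: it models the data plan of Tables 2-109 to 2-111 as plain objects and runs both checks offline; the address 172.16.1.2/24 that the old site is moved to is a constructed value.

```python
"""Pre-change checks for the branch-site migration data plan (added example).

Not Huawei code: the data plan from Tables 2-109 to 2-111 is modelled as plain
Python objects so the operator checks of Step 6.1 and Step 13 can be run before
anything is applied on the controller.
"""
from __future__ import annotations

import ipaddress
import random
from dataclasses import dataclass

# Step 13: the virtual ESN differs from the real one in its last six digits.
ESN_RANDOM_DIGITS = 6


@dataclass(frozen=True)
class WanLink:
    site: str
    name: str       # "MPLS" or "Internet"
    address: str    # ZTP "IP address/Subnet mask", e.g. "172.16.1.1/24"
    gateway: str    # ZTP "Default gateway"
    next_hop: str   # next hop of the 0.0.0.0/0 underlay static route


def check_link(link: WanLink) -> list[str]:
    """Consistency of one link between the ZTP table and the static-route table."""
    problems = []
    iface = ipaddress.ip_interface(link.address)
    gw = ipaddress.ip_address(link.gateway)
    if gw not in iface.network:
        problems.append(f"{link.site}/{link.name}: gateway {gw} is outside {iface.network}")
    elif gw == iface.ip:
        problems.append(f"{link.site}/{link.name}: gateway equals the link address")
    if ipaddress.ip_address(link.next_hop) != gw:
        problems.append(f"{link.site}/{link.name}: route next hop {link.next_hop} != gateway {gw}")
    return problems


def find_ip_conflicts(links: list[WanLink]) -> list[tuple[WanLink, WanLink]]:
    """Links on different sites that carry the same WAN IP address.
    This is the collision Step 6.1 removes by re-addressing the old site first."""
    conflicts = []
    for i, a in enumerate(links):
        for b in links[i + 1:]:
            same_ip = ipaddress.ip_interface(a.address).ip == ipaddress.ip_interface(b.address).ip
            if a.site != b.site and same_ip:
                conflicts.append((a, b))
    return conflicts


def validate_virtual_esn(real_esn: str, virtual_esn: str, existing: set[str]) -> list[str]:
    """Step 13 rules: same length and prefix as the real ESN, digits in the last
    six positions, and a value that is not already present in the device list."""
    problems = []
    if len(virtual_esn) != len(real_esn):
        problems.append("length differs from the real ESN")
    if virtual_esn[:-ESN_RANDOM_DIGITS] != real_esn[:-ESN_RANDOM_DIGITS]:
        problems.append("prefix differs from the real ESN")
    if not virtual_esn[-ESN_RANDOM_DIGITS:].isdigit():
        problems.append("last six characters are not all digits")
    if virtual_esn == real_esn:
        problems.append("virtual ESN is identical to the real ESN")
    elif virtual_esn in existing:
        problems.append("virtual ESN already exists in the device list")
    return problems


def make_virtual_esn(real_esn: str, existing: set[str], rng: random.Random | None = None) -> str:
    """Generate a virtual ESN that passes validate_virtual_esn() (rng is for reproducibility)."""
    rng = rng or random.Random()
    prefix = real_esn[:-ESN_RANDOM_DIGITS]
    for _ in range(1000):
        suffix = "".join(rng.choice("0123456789") for _ in range(ESN_RANDOM_DIGITS))
        candidate = prefix + suffix
        if not validate_virtual_esn(real_esn, candidate, existing):
            return candidate
    raise RuntimeError("no unused virtual ESN found")


# Data plan from Tables 2-109 to 2-111 (Site1 is the old site, Site1_new the new one).
OLD_MPLS = WanLink("Site1", "MPLS", "172.16.1.1/24", "172.16.1.254", "172.16.1.254")
NEW_MPLS = WanLink("Site1_new", "MPLS", "172.16.1.1/24", "172.16.1.254", "172.16.1.254")
NEW_INTERNET = WanLink("Site1_new", "Internet", "10.100.13.1/24", "10.100.13.254", "10.100.13.254")
REAL_ESN = "2102351BTJ10H1000015"      # Site1_1, Table 2-111
VIRTUAL_ESN = "2102351BTJ10H1000013"   # Site1_1_temp, Table 2-111
# Constructed value: the address the old site is moved to in Step 6.1 so the new site keeps 172.16.1.1.
OLD_MPLS_READDRESSED = WanLink("Site1", "MPLS", "172.16.1.2/24", "172.16.1.254", "172.16.1.254")


def run_plan_checks(old_links: list[WanLink], new_links: list[WanLink],
                    real_esn: str, virtual_esn: str, existing_esns: set[str]) -> dict[str, list]:
    """Run every check and return the findings keyed by check name (all empty = clean)."""
    links = old_links + new_links
    return {
        "link_consistency": [p for link in links for p in check_link(link)],
        "ip_conflicts": [f"{a.site}/{a.name} vs {b.site}/{b.name}" for a, b in find_ip_conflicts(links)],
        "virtual_esn": validate_virtual_esn(real_esn, virtual_esn, existing_esns),
    }


if __name__ == "__main__":
    before = run_plan_checks([OLD_MPLS], [NEW_MPLS, NEW_INTERNET], REAL_ESN, VIRTUAL_ESN, {REAL_ESN})
    after = run_plan_checks([OLD_MPLS_READDRESSED], [NEW_MPLS, NEW_INTERNET], REAL_ESN, VIRTUAL_ESN, {REAL_ESN})
    print("before Step 6.1:", before)   # ip_conflicts == ["Site1/MPLS vs Site1_new/MPLS"]
    print("after Step 6.1: ", after)    # every list empty
    print("generated virtual ESN:", make_virtual_esn(REAL_ESN, {REAL_ESN, VIRTUAL_ESN}))
```

The same checks apply unchanged to the dual-CPE data plan of 2.4.3 (Tables 2-113 to 2-115); only the Device column differs, which these checks do not depend on.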

2.4.4 Changing Dual-CPE Dual-Link (MPLS and Internet) Networking to Single-CPE Single-Link (Internet) Networking

Related Products
Agile Controller-Campus: V300R003C00
AR: V300R003C00

Networking Requirements
Two CPEs are deployed at the branch site, Site1, of an enterprise as the gateways and they
connect to the WAN through an MPLS link and an Internet link, as shown in Figure 2-41.
The enterprise wants to remove one CPE and the MPLS link connecting to it. This changes
the dual-CPE dual-link (MPLS and Internet) networking to single-CPE single-link (Internet)
networking. Figure 2-42 shows the networking diagram after the change.


Figure 2-41 Networking before the change


Figure 2-42 Networking after the change

Solution Design
The configuration roadmap is as follows:
1. On the Agile Controller-Campus, create a new branch site according to the networking
requirements and complete the service configuration for the new branch site based on the
services configured at the old branch site. Unbind the service configuration from the old
site, delete the old site, and change the name of the new site to that of the old site.
2. At the new branch site, re-deploy the CPE, connect it to the WAN, and complete the CPE
deployment.
3. After the CPE is deployed, it automatically obtains the modified configuration from the
Agile Controller-Campus.
Figure 2-43 shows the detailed operation flowchart.


Figure 2-43 Operation flowchart

Data Plan
You need to delete the MPLS link. The following tables list required data. The configuration
of other services is the same as that of the old branch site, and is not mentioned here.

Table 2-116 Site template for new branch sites

Item                 Value
Template name        Site1_new
Description          -
Gateway              Single Gateway
WAN Link Name        Internet
Device               Device1
Interface            GE0/0/1
Transport Network    Internet
Role                 Active

Table 2-117 ZTP configuration for new branch sites


Item Value

Site Site1_new

Site template Site1_new

Link name Internet

Interface protocol IPoE

IP address access mode Static

IP address/Subnet mask 10.100.13.1/24

Default gateway 10.100.13.254

Negotiation mode Auto

Uplink bandwidth (Mbps) 100

Downlink bandwidth (Mbps) 100

Table 2-118 Information about devices

Device ESN             Device Name      Device Model   Description
2102351BTJ10H1000016   Site1_2          AR161EW        CPE used at Site1.
-                      Site1_2_new      AR161EW        CPE used when creating the new site.
2102351BTJ10H1000013   Site1_2_dummy1   AR161EW        CPE that uses a virtual ESN. It is used to
                                                       replace the CPE from the old site so that the
                                                       CPE that is in use can be successfully
                                                       registered with the new site.


Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.
Step 2 (Optional) Create transport networks.
The system provides two default transport networks, Internet and Internet1, for which
Routing Domain is set to Internet. This configuration case uses the default transport
networks.
Step 3 Create a site template for branch site creation.
1. Choose Configuration > Site > Template. On the Site Template page that is displayed,
click Create.
2. Enter the template information and click OK.

Step 4 Add a device based on the device model and use it as the CPE gateway for the new branch
site.
1. Choose Device Management > Device List. The Device List page is displayed.
2. Click Add Device. Set Addition method to Manually create.
3. Set Mode to Device Model, and click Add.
4. On the page that is displayed, set Type, Device Model, and Quantity, and click OK.
5. Click Edit, change the value of Device Name, and click Submit.
6. Click OK.

Step 5 Create a branch site.


1. Choose Configuration > Site.
2. On the Site page that is displayed, click Create. Set Creation mode to Single.
3. Enter the site information, and select the site template configured in the previous step.
For a branch site, you need to select the hub site to which it connects.


4. Under Add Device, select the device added in the previous step.
5. Click OK.

Step 6 Complete the ZTP configuration for the new branch site and send a deployment email.
1. Change the WAN link IP address of the old branch site.
a. Choose Configuration > Site > ZTP Configuration. The ZTP Configuration
page is displayed.
b. In the site list on the left, click the old branch site. The WAN Link page displays
link information.

c. Click next to the WAN link that will use the IP address of the new site in the
Operation column in the right pane.
d. In the Set WAN Link dialog box that is displayed, set the IP address to a value that
does not conflict with those of the other sites.


e. Click Apply Changes.


2. Configure the WAN link of the new branch site.
a. Choose Configuration > Site > ZTP Configuration. The ZTP Configuration
page is displayed.
b. In the Not Activated list, click the new branch site. The WAN Link page displays
link information.

c. Click in the Operation column in the right pane.


d. In the Set WAN Link dialog box that is displayed, set WAN link parameters.
e. Click Apply Changes.


3. Complete the NTP configuration.


Select the time zone used by the old branch site, and click Apply Changes.

4. After completing the ZTP configuration, click Send Email.

a. In the displayed Send Email dialog box, select the site to deploy and click .
b. Enter the recipient email address and CC email address, select the created email
template, modify the email content, and click OK.


Step 7 Configure WAN routes for the underlay network of the new branch site. The following
describes how to configure static routes.
1. Choose Configuration > Site > Underlay Configuration.
2. Select the new branch site with ZTP settings completed from the list on the left.
3. On the WAN Route page that is displayed, click Click Here to Add Routing Protocol
and select Static.
4. On the Static page, click Create and configure static routes for WAN link access. Then,
click Apply Changes.

Step 8 Complete the site configuration for the overlay network of the new branch site, including the
interface connecting to the LAN, LAN-side routes, and WAN routing policies. The following
describes how to configure VLANs.
1. Choose Configuration > Overlay Network > Site Configuration.
2. On the Site Configuration page, select the VPN to which the site to be configured
belongs.
3. Select the new branch site and click VLAN in the right pane.
4. Click Create, enter VLAN information, and click Apply Changes.
5. (Optional) If multiple VPNs are configured for the old branch site, repeat the preceding
steps to configure all VPN services for the new branch site.


Step 9 (Optional) If a custom VPN is configured for the old branch site, add the new branch site to
this custom VPN.
1. Choose Configuration > Overlay Network > VPN.

2. On the VPN page, click in the Operation column of the VPN to be modified. On the
page that is displayed, select the new branch site and click to add it to the VPN.
3. Click OK.

Step 10 (Optional) If a traffic distribution policy is configured for the old branch site, unbind this
policy from the old branch site and bind it to the new branch site.
1. Choose Configuration > Overlay Network > Traffic Distribution.

2. On the Traffic Distribution page, click in the Operation column next to a traffic
distribution policy and click Next. On the page that is displayed, select the new branch
site and click to associate the policy with it. Then, select the old branch site and click
to unbind the policy from it.
3. Click OK.

Step 11 (Optional) If a traffic policy is bound to the old branch site, unbind the policy from the old
site and bind it to the new branch site. The following uses a QoS policy as an example. The
operations are the same for an ACL policy or an intelligent traffic steering policy.
1. Choose Configuration > Traffic Policy.
2. On the Overlay page, select the VPN to which the sites to be configured belong.


3. Click QoS. On the QoS page that is displayed, click Site View.
4. Select the branch site from which you want to unbind policies, select all policies in the
policy list, and click Unbind. In the Confirm dialog box that is displayed, click OK.

5. Select the new branch site to which you want to bind policies and click Bind New
Policy. In the Bind New Policy dialog box that is displayed, select all the required
policies and click OK.

6. Click Commit All. In the Commit dialog box that is displayed, set Effective time and
click OK.

Step 12 (Optional) If a security policy is bound to the old branch site, unbind the policy from the old
site and bind it to the new branch site.
1. Choose Configuration > Security Policy.
2. On the Security Policy page, select the VPN to which the site to be configured belongs.

3. On the Security Policy page, click in the Operation column of the policy. In the
Attach Sites dialog box that is displayed, select the new branch site and click to
bind the policy to it. Select the old branch site and click to unbind the policy from it.
Then, click OK.
4. Select the policy to be submitted, click Commit, and select Commit Selected. In the
Commit dialog box that is displayed, set Effective time and click OK.

Step 13 Add a new CPE using a virtual ESN. The virtual ESN is used to remove the existing CPE
from the old branch site, so that the existing CPE can register with the new branch site after
deployment.

When setting the virtual ESN, change the last six digits in the ESN of the CPE at the old site
to random digits to ensure that the new ESN does not exist in the system.

1. Choose Device Management > Device List. The Device List page is displayed.
2. Click Add Device and set Addition method to Manually create.
3. Set Mode to ESN and click Add.
4. Set ESN, Device Name, and Description and click Submit.
5. Click OK.

Step 14 Replace the CPE.


1. Choose Device Management > Device List. The Device List page is displayed.

2. In the device list, find the CPE of the old branch site. Click in the Operation column
of the CPE record. The Device Replacement page is displayed.
3. In the new device list that is displayed, select the device with the virtual ESN added in
the previous step and click OK.

Step 15 Delete the replaced CPE.


1. Choose Device Management > Device List. The Device List page is displayed.

2. In the device list, find the replaced CPE and click in the Operation column of this
CPE. In the High Risk dialog box that is displayed, click Yes to delete the device
information.

Step 16 Change the name of the new site to that of the old site.
1. Choose Configuration > Site.

2. On the Site page, click in the Operation column next to the old site, change the site
name to any value, and click OK.

3. On the Site page, click in the Operation column next to the new site, change the site
name to that of the old site, and click OK.

Step 17 Install the CPE at the new branch site based on the site networking requirements and connect
the WAN port of the CPE to the WAN.

Step 18 Deploy the CPE at the branch site using email-based deployment.
1. Press and hold the Reset button on the CPE for 5 seconds or longer to restore the factory
settings of the CPE.
2. Wait for a moment until the SYS indicator on the CPE is blinking green slowly,
indicating that the CPE has started successfully.
3. Perform email-based deployment according to section 2.2.2 Email-based Deployment.

Step 19 After the deployment is successful, verify that the CPE registers with the Agile Controller-
Campus again to obtain the configuration of the new branch site.

Step 20 After the successful change operation, observe the site running status for a period of time. If
the site runs properly, go to the next step. Otherwise, refer to 2.4.5 Rolling Back from
Single-CPE Single-Link (Internet) Networking to Dual-CPE Dual-Link (MPLS and
Internet) Networking to roll back the change operation.

Step 21 (Optional) Delete the old site.


1. Choose Configuration > Site.


2. On the Site page, select the old branch site to be deleted and click Delete. In the
Warning dialog box that is displayed, enable Forcible deletion, enter yes and click OK.

----End

2.4.5 Rolling Back from Single-CPE Single-Link (Internet) Networking to Dual-CPE Dual-Link (MPLS and Internet) Networking
Related Products
Agile Controller-Campus: V300R003C00
AR: V300R003C00

Networking Requirements
The branch site, Site1, of an enterprise originally uses two CPEs as the gateways and connects
to the WAN through an MPLS link and an Internet link. After the site change operation, Site1
only uses the Internet link to connect to the WAN. However, a fault occurs during the trial
running phase after the change. Site1 needs to roll back to the dual-CPE dual-link networking
(MPLS and Internet).
In the trial running phase, the old site configured on the Agile Controller-Campus has not
been deleted. To facilitate site change, you are not advised to delete the new site from the
Agile Controller-Campus.


Figure 2-44 Networking to be rolled back

Solution Design
1. On the Agile Controller-Campus, check the old and new branch sites.
– Both the old and new branch sites exist on the Agile Controller-Campus.
– The new site uses the CPE Site1_2, which has a real ESN.
– The old site uses two CPEs: Site1_1 and Site1_2_dummy1, which have a real ESN
and a virtual ESN, respectively.
2. Perform the rollback on the Agile Controller-Campus.
– Use Site1_2 (real ESN) of the new site to replace Site1_2_dummy1 (virtual ESN)
of the old site so that the old site can use Site1_2.


– Change the WAN link IP address of the old site to the actual IP address.
3. At the branch site, deploy the physical connections for the CPEs to connect to the WAN
and perform deployment for the CPEs again.
4. After the CPEs are deployed, they automatically obtain the modified configuration from
the Agile Controller-Campus.
Figure 2-45 shows the detailed operation flowchart.

Figure 2-45 Operation flowchart

Data Plan

Table 2-119 Information about device

Device ESN             Device Name      Device Model   Description
2102351BTJ10H1000113   Site1_2_dummy2   AR161EW        A virtual ESN

Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.

Step 2 Add the new device Site1_2_dummy2 that uses a virtual ESN in ESN mode to replace the
CPE of the new site so that the CPE can register with the old site after the deployment.
When setting the virtual ESN, change any of the last six digits of the ESN of the CPE at the old
site and use the result as the ESN of the CPE at the new site. The new ESN must be unique in
the system.
1. Choose Device Management > Device List. The Device List page is displayed.
2. Click Add Device. Set Addition method to Manually create.


3. Set Mode to ESN, and click Add.


4. On the page that is displayed, set Type, Device Name, and Description, and click
Submit.
5. Click OK.

Step 3 Use Site1_2_dummy2 (virtual ESN) to replace the CPE at the new site.
1. Choose Device Management > Device List. The Device List page is displayed.

2. In the device list, find the CPE of the new branch site. Click in the Operation
column of the CPE record. The Device Replacement page is displayed.
3. In the new device list that is displayed, select Site1_2_dummy2 (virtual ESN) and click
OK.

4. Check the ESNs of the two CPEs. The ESN of Site1_2_dummy2 changes to a real ESN,
and the ESN of Site1_2 changes to a virtual ESN.
Step 4 Use Site1_2_dummy2 (real ESN) to replace Site1_2_dummy1 (virtual ESN) at the old site.
1. Choose Device Management > Device List. The Device List page is displayed.

2. In the device list, find the CPE of the new branch site. Click in the Operation
column of the CPE record. The Device Replacement page is displayed.
3. In the new device list that is displayed, select Site1_2_dummy2 (real ESN) and click
OK.


NOTE

If a registered device with a real ESN is used to replace a device with a virtual ESN, the configuration of
the old site will be delivered to the device with a real ESN, conflicting with the original configuration on
the device. As a result, the configuration fails and an alarm is generated. In this case, you can ignore the
related alarms generated on the device. To prevent the configuration failure alarm, disable the WAN
interface on the device with a real ESN or restore the factory default settings for the CPE by holding
down the Reset button for at least 5 seconds before the replacement.

Step 5 Change the WAN link IP address of the new site to a virtual IP address and that of the old site
to a real IP address.
In the system, two sites cannot use the same WAN link IP address. During the rollback, you
need to change the WAN link IP address of the new site to a value that does not conflict with
those of the other sites and that of the old site to a real IP address.
1. Change the WAN link IP address of the old site. In this example, you only need to
change the IP address of the Internet link.
a. Choose Configuration > Site > ZTP Configuration. The ZTP Configuration
page is displayed.
b. In the site list on the left, click the old branch site. The WAN Link page displays
link information.

c. Click next to the WAN link that will use the IP address of the new site in the
Operation column in the right pane.
d. In the Set WAN Link dialog box that is displayed, set the IP address to a value that
does not conflict with those of the other sites.


e. Click Apply Changes on the main page.


2. Change the Internet link IP address of the old site to a real IP address, and click Apply
Changes on the main page.
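The two controller-side rules above (Step 2: a virtual ESN differs from the real ESN only in its last six digits and must be unique in the system; Step 5: two sites cannot use the same WAN link IP address; the same rules appear in Step 13 of section 2.4.4) lend themselves to a pre-change check. The following Python is an added example, not Huawei code or an Agile Controller-Campus API: the ESN format, the inventory layout, the function names and the sample site data are assumptions.

```python
"""Pre-change checks for the site change and rollback procedures: a virtual ESN
keeps the real ESN's first 14 characters, changes the last six digits and must
be unique; no two sites may use the same WAN link IP address. Added example."""
from __future__ import annotations

import ipaddress
import random
import re

# Assumption: a 20-character ESN whose last six characters are digits, as in
# the device tables of this section (e.g. 2102351BTJ10H1000016).
ESN_RE = re.compile(r"^[0-9A-Z]{14}[0-9]{6}$")


def make_virtual_esn(real_esn: str, existing_esns: set[str], seed: int | None = None) -> str:
    """Replace the last six digits of real_esn with random digits, retrying until
    the result is neither the real ESN nor an ESN the controller already knows."""
    if not ESN_RE.match(real_esn):
        raise ValueError(f"unexpected ESN format: {real_esn!r}")
    rng = random.Random(seed)
    for _ in range(1000):
        candidate = real_esn[:-6] + f"{rng.randrange(10 ** 6):06d}"
        if candidate != real_esn and candidate not in existing_esns:
            return candidate
    raise RuntimeError("no unused virtual ESN found")


def is_virtual_of(virtual_esn: str, real_esn: str) -> bool:
    """True when virtual_esn is well formed and differs from real_esn only in
    its last six digits (Table 2-118: ...0013 derived from ...0016)."""
    return (ESN_RE.match(virtual_esn) is not None
            and virtual_esn != real_esn
            and virtual_esn[:-6] == real_esn[:-6])


def wan_ip_conflicts(site_links: dict[str, dict[str, str]]) -> list[tuple[str, str, str]]:
    """site_links maps site name -> {WAN link name: 'ip/prefix'}. Returns
    (ip, first_site, other_site) for every address used by more than one site."""
    owner: dict[str, str] = {}
    conflicts: list[tuple[str, str, str]] = []
    for site, links in site_links.items():
        for cidr in links.values():
            ip = str(ipaddress.ip_interface(cidr).ip)
            if ip in owner and owner[ip] != site:
                conflicts.append((ip, owner[ip], site))
            owner.setdefault(ip, site)
    return conflicts


def validate_wan_link(cidr: str, gateway: str) -> list[str]:
    """Sanity checks for one static ZTP WAN link entry: the default gateway must
    lie in the link's subnet, and neither address may be the network or
    broadcast address or equal the other."""
    iface = ipaddress.ip_interface(cidr)
    net = iface.network
    gw = ipaddress.ip_address(gateway)
    reserved = {net.network_address, net.broadcast_address}
    problems: list[str] = []
    if gw not in net:
        problems.append(f"gateway {gw} is outside {net}")
    if iface.ip in reserved:
        problems.append(f"link address {iface.ip} is the network or broadcast address")
    if gw in reserved:
        problems.append(f"gateway {gw} is the network or broadcast address")
    if iface.ip == gw:
        problems.append("link address equals the default gateway")
    return problems


# Constructed sample: the old site still holds the address the new site takes in
# Table 2-117, so the check must report it. MPLS and hub addresses are invented.
SAMPLE_SITES = {
    "Site1": {"Internet": "10.100.13.1/24", "MPLS": "192.0.2.1/30"},
    "Site1_new": {"Internet": "10.100.13.1/24"},
    "Hub1": {"Internet": "198.51.100.10/24"},
}
```

Run `wan_ip_conflicts(SAMPLE_SITES)` before applying the ZTP change: a non-empty result means the old site's WAN link address must be changed first, exactly as Step 5 requires.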


Step 6 At the branch site, connect the CPEs according to the networking of the old site. Connect the
two CPEs to the MPLS and Internet, respectively. Restore the connections between the CPEs
and the connections between the CPEs and the LAN side.

Step 7 Deploy the CPE at the branch site using email-based deployment.
1. Press and hold the Reset button on the CPE for 5 seconds or longer to restore the factory
settings of the CPE.
2. Wait for a moment until the SYS indicator on the CPE is blinking green slowly,
indicating that the CPE has started successfully.
3. Perform email-based deployment according to section 2.2.2 Email-based Deployment.

Step 8 After the deployment is successful, verify that the CPE registers with the Agile Controller-
Campus again to obtain the configuration of the old branch site.

Step 9 Change the site and device names to facilitate maintenance.

----End

2.5 Faulty CPE Replacement


2.5.1 Replacing Dual Faulty CPE Gateways


Related Products
Agile Controller-Campus: V300R003C00
AR: V300R003C00

Networking Requirements
A hardware fault occurs on two CPEs at the hub site of an enterprise. The enterprise wants to
replace them with new CPEs to restore network services.

Solution Design
1. Add the new CPEs to the device management system of the Agile Controller-Campus.
Ensure that the model of the new CPEs is the same as that of the CPEs to be replaced.
2. Perform device replacement on the Agile Controller-Campus, select the site at which
CPEs need to be replaced, and send a deployment email.
3. At the site, use the new CPEs to replace the faulty CPEs and connect them to the WAN.
Then, deploy the CPEs again.
4. After the CPEs are deployed, they automatically obtain the modified configuration from
the Agile Controller-Campus.
Figure 2-46 shows the detailed operation flowchart.

Figure 2-46 Operation flowchart


Data Plan

Table 2-120 New device information

Device ESN Device Name Device Model

2102114484P0GC000720 Hub1_1_new AR3670

2102114484P0GC000730 Hub1_2_new AR3670

Procedure
Step 1 Log in to the Agile Controller-Campus as a tenant administrator.

Step 2 Add devices in a batch based on the ESN.


1. Choose Device Management > Device List. The Device List page is displayed.
2. Click Add Device and set Addition method to Batch import.
3. Click Template to download the template file.
4. Fill in the template with required information and save the file.

5. Click , select the configured template file, and click Upload.


6. Confirm the imported data, select the data to be created for CPEs, and click OK.

Step 3 Replace the CPEs.


1. Choose Device Management > Device List. The Device List page is displayed.

2. In the device list, find the faulty CPEs. Click in the Operation column of the CPE
records. The Device Replacement page is displayed.
3. In the new device list, select the new CPEs after the replacement and click OK.


4. After the replacement is successful, the device ESNs are the ESNs of the new CPEs.

Step 4 Send a deployment email or USB-based deployment files.


– In email-based deployment, perform the following operations:
a. Choose Configuration > Site > ZTP Configuration. The ZTP Configuration
page is displayed.
b. Click Send Email. In the displayed Send Email dialog box, select the site to
deploy and click .
c. (Optional) If the mailbox information is not configured when the site is created,
specify a recipient email address after you select the site.
d. Enter the recipient email address and CC email address, select the created email
template, modify the email content, and click OK.
– In USB-based deployment, perform the following operations:
a. Choose Configuration > Site > ZTP Configuration. The ZTP Configuration
page is displayed.
b. Click Download ZTP File to save the file as a ZTP_xxx.csv file.
c. Make an index file and a configuration file and send them to the deployment
engineer. For details, see Step 2 in section 2.2.1 USB-based Deployment.
Step 5 Deploy the new CPEs as a deployment engineer.
– For details about the onsite deployment operations in email-based deployment, see Step
2 in section 2.2.2 Email-based Deployment.
– For details about the onsite deployment operations in USB-based deployment, see Step 3
in section 2.2.1 USB-based Deployment.
Step 6 After the new CPEs are deployed, verify that the CPEs register with the Agile Controller-
Campus to automatically obtain service configurations for restoring services.

----End
