Customer Requirements
The customer has multiple data centers (DCs) that provide different services. All
branches can directly access services in the DCs. Some DCs can provide the same
services and back up each other.
● WAN-side requirements
a. Reducing traffic bottlenecks: An enterprise has one HQ, multiple DCs,
several branches, and multiple sub-branches. DC 1 is deployed in the HQ,
and DC 2 is deployed independently. Sub-branches communicate with the
Ensuring Reliability
Dual gateways can be deployed to ensure the reliability of important sites.
Clock Synchronization
The NTP clock synchronization mechanism is used to synchronize clocks on
devices. Edge-RR sites have NTP clock synchronization configured to synchronize
their clocks with that of the NTP server while edge sites synchronize their clocks
with that of the edge-RR sites.
NOTE
In DR scenarios, the active and standby controllers can advertise different southbound IP
addresses. Alternatively, the active controller can advertise multiple southbound IP
addresses, and the standby controller can advertise other southbound IP addresses.
Browser | Any | iMaster NCE-WAN | 80, 443, or 18008 | TCP | Port used to log in to the service plane of the controller.
18001 | Port used by the browser to display a window during reverse SSH login to the service plane of the controller.
Geographic Redundancy and Other Ports Between the Active and Standby
Controller Clusters
For details, see the Geographic Redundancy sheet in the iMaster NCE-WAN
V100R020C10 Communication Matrix.
Therefore, a high-performance CPE is required. You can select CPEs at a spoke site
based on the service scale of the site. For details about device selection, see
Network Deployment, Key Specifications, and Device Selection. In actual
projects, other device models can be selected based on factors such as networking
and services.
5.4.1 Preconfigurations
In the data plan tables, the data in italics needs to be confirmed with the
customer in advance. For details about parameter planning, see GUI Reference in
the SD-WAN V100R020C10 Product Documentation.
5.4.1.1 Administrators
The admin administrator on iMaster NCE-WAN needs to create an MSP
administrator account to manage SD-WAN networks of all enterprises in a unified
manner. The MSP administrator creates a tenant administrator, and the tenant
administrator then authorizes the MSP administrator to implement tenant
network maintenance and management.
Initial Password | Changeme_123 | - | -
Enable reporting | ON | Yes | -
SNMP Agent Settings: MIB type | MIB1 | Yes | MIB type for sending traps and Inform notifications to the third-party system. The default value is MIB1.
● MIB1
● MIB2
● MIB3
5.4.2 Deployment
IPSec Encryption | OFF | ON | - | -
this alarm accounts for more than 95% of all alarms. In addition, frequent EVPN tunnel reestablishment prolongs the service interruption time. After the recommended values are used, these problems can be effectively avoided.
Authentication mode | HMAC-SHA256
Authentication password | ntp123
Authentication key ID | 123456
IPv4 Dual-Gateway Interconnection Protocol | OSPF | - | -
5.4.2.2 Devices
Administrators can configure and manage devices at each SD-WAN site only after
they are added to iMaster NCE-WAN.
Table 5-15 Site and ZTP Configuration (1) (The RR function does not need to be
enabled for Hub3 and Hub4. Other data plan is similar to that for Hub3 and Hub4
and is not provided here.)
Parameter | Data | Modifiable or Not After Being Configured | Remarks
RR | ON, ON | - | -
Link name | internet, mpls, internet1, mpls1, internet, mpls, internet1, mpls1 | No | The value cannot be modified after being set.
IPv4 address/Subnet mask | 20.1.1.1/24, 110.1.1.1/24, 20.1.2.1/24, 110.1.2.1/24, 30.1.1.1/24, 120.1.1.1/24, 30.1.2.1/24, 120.1.2.1/24 | No | The value cannot be modified after being set.
IPv4 gateway | 20.1.1.2, 110.1.1.2, 20.1.2.2, 110.1.2.2, 30.1.1.2, 120.1.1.2, 30.1.2.2, 120.1.2.2 | No | The value cannot be modified after being set. Public IP address and IPv4 address can be different.
Uplink bandwidth (Mbit/s) | 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000 | - | Set this parameter based on the actual link bandwidth purchased by the customer.
Downlink bandwidth (Mbit/s) | 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000 | - | Set this parameter based on the actual link bandwidth purchased by the customer.
URL-based deployment | ON, ON, ON, ON, ON, ON, ON, ON | No | After the configuration is complete, links configured during deployment cannot be modified and other links can be deleted or added.
Southbound interface service | UniSouthIP, UniSouthIP, UniSouthIP, UniSouthIP, UniSouthIP, UniSouthIP, UniSouthIP, UniSouthIP | No | This parameter corresponds to the configured IP address of the iMaster NCE-WAN southbound access service. By default, all WAN links use the default southbound access service. You can also select other customized access services. The value cannot be modified after deployment.
Parameter | Data
Uplink bandwidth (Mbit/s) | 20, 20, 20, 20, 20
URL-based deployment | ON, ON, ON, ON, ON
When adding multiple sites, generally, you need to configure the same gateway
type, the same number of WAN links, and the same transport network for them.
By customizing a link template, you can modularize repeated configuration
information.
You must configure WAN-side physical links before deploying sites. After a site is
configured or activated, you can add or delete WAN-side links.
Overlay Tunnel | ON, ON, ON, ON
Parameter | Data
VLAN ID | 1001-1009
Overlay Tunnel | ON, ON, ON, ON, ON
VLAN ID | -, -, 1101-1109, -
5.4.2.4 NTP
When an AR router reports performance data, it carries timestamps in packets. If
the time of the AR router is inconsistent with that of iMaster NCE-WAN, the time
in performance data is inconsistent with the actual time. As a result, the site
traffic and quality data cannot be displayed. Therefore, you need to configure NTP
on iMaster NCE-WAN to ensure that the time of devices at sites is the same as
that of iMaster NCE-WAN.
Time zone | (UTC+08:00)Beijing,Chongqing,Hong Kong,Urumqi | -
NTP authentication | OFF | -
5.4.3.1 VNs
If services of multiple departments (VNs) of an enterprise need to be isolated
from each other, multiple overlay networks need to be constructed through VNs.
In this manner, traffic of different departments is forwarded independently and
departments cannot access each other. This implements secure isolation of
services of different departments on the network forwarding plane.
IPSec Encryption | ON | - | -
Table 5-21 LAN interface information (The data plan for Hub3 and Hub4 is
similar to that for Hub1 and Hub2 and is not provided here.)
Parameter | Data | Modifiable or Not After Being Configured | Remarks
Gateway interface | L3, L3, L3, L3, L3, L2, L2, L2 | - | -
Mode | -, -, -, -, -, Untag, Untag, Untag | - | -
VRRP: VRRP ID | -, -, -, -, -, 1, 1, - | - | -
Virtual IP | -, -, -, -, -, 22.1.1.1, 22.1.1.1, - | - | -
Default Role | -, -, -, -, -, Master, Backup, - | - | -
Preempt Delay (s) | -, -, -, -, -, 0, 0, - | - | -
DHCP: DHCP type | -, -, -, -, Server, -, -, - | - | -
Server IP | -, -, -, -, -, -, -, - | - | -
Lease time | -, -, -, -, 1 day, -, -, - | - | -
Table 5-22 LAN-side EBGP route information (The data plan for Hub3 and Hub4
is similar to that for Hub1 and is not provided here.)
Parameter | Data
Keepalive time (seconds) | 20, 20, 20, 20
Hold time (seconds) | 60, 60, 60, 60
Routing Policy: Export | ON, ON, ON, ON
Type | IP-prefix, IP-prefix, IP-prefix, IP-prefix
Greater-equal | 16, 16, 16, 16
Less-equal | 32, 32, 32, 32
Parameter | Data
Summary route | -, -, -, -
Track | ON, ON, ON
Target | 33.1.1.1, 22.1.1.1, 22.1.1.1
Table 5-24 LAN-side OSPF route information (OSPF is not used together with
VRRP)
Parameter | Data | Remarks
Device | Site3_1 | -
Process ID | 1001 | -
Internal preference | 10 | -
Interface Parameter: Area ID | 0 | -
Interface Name | Vlanif300 | -
Hello interval | 10 | -
DR Priority | 0 | -
Route Redistribute: Protocol | - | -
Process ID | - | -
Cost | - | -
Name | test_app_video
Pre-defined applications | PFI | -
Parameter | Data
SA | Internet_Conferencing, Media_Sharing, Social_Networks, VoIP, Web_Browsing, Electronic_Business, Online_Media
Customized Applications | -
Parameter | Data
L3 ACL: Priority | 10 | 10
Destination IP Address | 10.1.0.0/16 | -
Application groups | - | -
Parameter | Data
Policy priority | 10 | 20
A traffic classifier defines a group of traffic matching rules to classify packets. This
ensures that a device identically processes packets matching the same traffic
classifier.
Parameter | Data
Operator | And
L3 ACL | -
You need to create policy behavior templates, including the redirection and QoS
policy templates. QoS policy templates are classified into WAN policy behavior
templates and LAN policy behavior templates on different interfaces based on
their functions.
Parameter | Data
Type | WAN
Parameter | Data
Enable Statistic | ON
Parameter | Data
Policy priority | 10
Parameter | Data
Operator | And
L3 ACL: Priority | 10
Destination IP Address | 135.1.1.0/24
Application groups | -
Policy priority | 10 | -
Secondary transport network | - | -
Switchover mode | Pre-emptive | -
Parameter | Data
Traffic Classifier Template | - | -
Parameter | Data
Procedure
Step 1 Open a browser. Google Chrome 73 or later is recommended.
Step 2 Enter https://<iMaster NCE-WAN server IP address>:<Port number> in the address box,
and press Enter.
Step 3 Ignore the security certificate warning and access the login page.
Step 4 Enter the username and password of the system administrator, and click Log In.
Step 5 Change the password as prompted upon the first login. Skip this step if it is not
your first login.
----End
Data Plan
Initial Password | Changeme_123 | - | -
Procedure
Step 1 Log in to iMaster NCE-WAN as the system administrator.
Step 2 Choose MSP Management > MSP Management > MSP Management to access
the MSP management page.
Step 3 Click Create. On the MSP Information page, set MSP name to mspA.
----End
Context
After logging in to the newly deployed controller for the first time, you need to
load the license as the admin user.
Procedure
Step 1 Choose Administration > Administration > License from the main menu.
Step 2 Click Upload License.
----End
Context
An email server needs to be configured for new device deployment (through
email-based deployment), tenant password retrieval, and alarm email notification.
Data Plan
Procedure
Step 1 Log in to the controller as the system administrator.
----End
Context
To obtain required system software packages and patches from a third-party file
server to upgrade the system software or install patches on devices through the
controller, you need to configure a file server.
Data Plan
Procedure
Step 1 Choose Administration > Third Party Service > File Server from the main menu.
Step 2 Click Add and configure a third-party file server.
----End
Context
To use a Syslog server (Syslog service module of the NMS) to receive and manage
logs and alarms, you need to configure the Syslog server.
Data Plan
Enable reporting | ON | Yes | -
Procedure
Step 1 Choose Administration > Third Party Service > Syslog Configuration from the
main menu.
Step 2 On the Interconnection Management page, click Add, set interconnection
parameters as planned, enable the data reporting and alarm reporting functions,
and select alarms by severity. You can select all critical alarms or all alarms.
Step 3 Click Check Connectivity at the bottom of the page. If the system displays a
message indicating that the test is successful, the Syslog configuration succeeds.
Then click Confirm.
Step 4 Click Save.
----End
Context
To report the alarm information collected by the controller to a third-party system,
you need to configure an SNMP alarm interface.
Data Plan
SNMP Agent Settings: MIB type | MIB1 | Yes | MIB type for sending traps and Inform notifications to the third-party system. The default value is MIB1.
● MIB1
● MIB2
● MIB3
Procedure
Step 1 Choose Administration > Northbound Interface > SNMP Alarm API from the
main menu.
Step 2 Choose Basic Settings from the navigation pane.
Step 3 On the Basic Settings page, set the IP address and port number, expand
Advanced Settings, and set other parameters based on the data plan.
----End
Context
If the HQ and branches are deployed in different places and there are many
branches, you are advised to configure a map to monitor devices.
Procedure
Step 1 Choose Administration > Third Party Service > Map URL Settings from the main
menu.
Step 2 Click Edit corresponding to the map. In the Edit map URL configuration dialog
box, set API address and Key, and select Instructions for Use.
----End
Step 1 Choose Maintenance > Maintenance > Dump Configuration from the main
menu.
Step 2 Set basic information about the server where alarms and logs will be dumped.
----End
link. When configuring services, MSPs and tenants can select a southbound access
IP address as needed.
NOTE
If multiple southbound access IP addresses are not required or you want to use the default
public IP address of the system in the standard NAT scenario, skip this section.
Data Plan
Procedure
Step 1 Choose Administration > Southbound Interface > Southbound Interface
Configuration from the main menu.
Step 2 Create a southbound access service and enable it.
Step 3 Record the service name, which will be used when you configure ZTP for a tenant
site.
----End
Procedure
Step 1 Open a browser. Google Chrome 73 or later is recommended.
Step 2 Enter https://<iMaster NCE-WAN server IP address>:<Port number> in the address box,
and press Enter.
Step 3 Ignore the security certificate warning and access the login page.
Step 4 Enter the username and password of the MSP administrator, and click Log In.
Step 5 Change the password as prompted upon the first login. Skip this step if it is not
your first login.
----End
Data plan
Procedure
Step 1 Choose Tenant Management > Tenant Management > Tenant Management
from the main menu.
3. Click OK.
Step 3 Use the same method to create a tenant named tenant2 and an administrator
account.
----End
Step 1 Choose Design > Network Design > Network Settings from the main menu.
Step 2 Click the Collection Configuration tab and enable WAN link traffic.
----End
Step 1 Choose Maintenance > Device Management > Secure Access from the main
menu.
----End
NOTE
If the device version is earlier than V300R019C10, you need to disable this function.
Otherwise, the device cannot go online.
● Prevent unauthorized branches from accessing enterprise networks: After
this function is enabled, RRs can check whether the CPE certificate is valid and
whether the ESN in the certificate is in the whitelist.
NOTE
If the device version is earlier than V300R019C10, you need to disable this function.
Otherwise, the device cannot connect to RRs.
● Prevent authorized branches from accessing unauthorized networks: After
this function is enabled, CPEs can check whether the RR certificate is issued by
a specified authority and the entity name in the RR certificate.
NOTE
If the RR version is earlier than V300R019C10, you need to disable this function.
Otherwise, all devices connected to the RR cannot access the network.
Step 1 Choose Maintenance > Device Management > Secure Access from the main
menu.
Step 2 Toggle off Prevent unauthorized CPEs from accessing the controller, Prevent
unauthorized branches from accessing enterprise networks, and Prevent
authorized branches from accessing unauthorized networks.
----End
Procedure
Step 1 Open a browser. Google Chrome 73 or later is recommended.
Step 2 Enter https://<iMaster NCE-WAN server IP address>:<Port number> in the address box,
and press Enter.
Step 3 Ignore the security certificate warning and access the login page.
Step 4 Enter the username and password of the tenant administrator, and click Log In.
Step 5 Change the password as prompted upon the first login. Skip this step if it is not
your first login.
----End
Context
After a tenant applies for managed services from an MSP, the MSP can directly
maintain services of this tenant.
Data Plan
For details, see the data plan of Authorize MSP in Table 5-43.
Procedure
Step 1 Log in to the controller as a tenant administrator.
Step 2 Choose Administration > Administration > Tenant Information from the main
menu.
Step 3 Toggle on Authorize MSP, click the By Role tab, grant maintenance permissions
to the MSP, and click Apply.
----End
Procedure
Step 1 Choose Administration > Administration > User Policy from the main menu. The
User Policies page is displayed.
Step 2 Set or modify parameters related to account and password policies as required.
----End
NOTE
If FPI is enabled at the headquarters and there are a large number of users, DNS
packet parsing will fail, affecting services.
Step 2 Enable collection of application traffic, application quality, and WAN link traffic
statistics.
● Application traffic: After application traffic statistics collection is enabled, the
controller monitors the application quality trend of new sites.
● Application quality: After application quality statistics collection is enabled,
the controller monitors the application quality trend of new sites.
● WAN link traffic: After WAN link traffic statistics collection is enabled, the
controller monitors the traffic trend of WAN links at new sites.
1. Choose Design > Network Design > Network Settings from the main menu.
2. Click the Collection Configuration tab and enable Application traffic,
Application quality, and WAN link traffic.
Step 3 Enable performance monitoring data collection. After this function is enabled, the
controller can monitor the application traffic, application quality, and WAN link
traffic of devices at the selected sites.
1. Choose Monitoring > Monitor Configuration > Collection Configuration
from the main menu.
2. Click Batch Setting, select all sites, and toggle on Application traffic, WAN
link traffic, and Application quality.
3. Click OK.
----End
Step 1 Choose Maintenance > Device Management > Secure Access from the main
menu.
Step 2 Toggle on Prevent CPEs from accessing unauthorized controllers.
----End
NOTE
If the device version is earlier than V300R019C10, you need to disable this function.
Otherwise, the device cannot go online.
● Prevent unauthorized branches from accessing enterprise networks: After
this function is enabled, RRs can check whether the CPE certificate is valid and
whether the ESN in the certificate is in the whitelist.
NOTE
If the device version is earlier than V300R019C10, you need to disable this function.
Otherwise, the device cannot connect to RRs.
● Prevent authorized branches from accessing unauthorized networks: After
this function is enabled, CPEs can check whether the RR certificate is issued by
a specified authority and the entity name in the RR certificate.
NOTE
If the RR version is earlier than V300R019C10, you need to disable this function.
Otherwise, all devices connected to the RR cannot access the network.
Step 1 Choose Maintenance > Device Management > Secure Access from the main
menu.
Step 2 Toggle off Prevent unauthorized CPEs from accessing the controller, Prevent
unauthorized branches from accessing enterprise networks, and Prevent
authorized branches from accessing unauthorized networks.
----End
RSA_ENABLE
You can enable RSA and CBC algorithms so that devices can normally upload and
download files.
NOTE
This function needs to be enabled if devices running a version earlier than V300R019C00
are deployed on the network.
Step 1 Choose Product > Software Management > Deploy Product Software from the
main menu.
Step 2 Click More and choose Modify Configuration from the drop-down list box.
----End
Step 1 Choose Maintenance > O&M Management > Monitor from the main menu.
Step 2 Click Risk Threshold Setting on the right and click the HA Settings tab.
Step 3 Configure northbound NIC packet loss detection.
----End
Step 3 On the management plane, choose Backup and Restore > Configuration >
Configure Scheduled Backup Task from the main menu.
Step 4 Enable scheduled product data backup. This function is enabled by default.
----End
Procedure
Step 1 Open a browser. Google Chrome 73 or later is recommended.
Step 2 Enter https://<iMaster NCE-WAN server IP address>:<Port number> in the address box
and press Enter.
Step 3 Log in to the iMaster NCE-WAN home page as an MSP administrator.
Step 4 In the Tenant List, click a tenant name to enter the MSP-managed view for tenant
network maintenance.
----End
Data Plan
IPSec Encryption | OFF | ON | - | -
this alarm accounts for more than 95% of all alarms. In addition, frequent EVPN tunnel reestablishment prolongs the service interruption time. After the recommended values are used, these problems can be effectively avoided.
Authentication mode | HMAC-SHA256
Authentication password | ntp123
Authentication key ID | 123456
IPv4 Dual-Gateway Interconnection Protocol | OSPF | - | -
Procedure
Step 1 Choose Design > Network Design > Network Settings from the main menu.
Step 2 On the Physical Network tab page, set Select the source of RR to Tenant RR.
Step 3 Retain the system defaults MPLS and Internet for the routing domain and
transport network. No additional configuration is required.
Set Encryption algorithm. You can also retain the default setting of this
parameter.
Enable Encryption, and set URL encryption key and URL opening validity
period (day).
Step 7 Configure the password of the admin user for managed devices.
----End
Data Plan
Procedure
Step 1 Choose Design > Site Design > Device Management from the main menu. The
Device Management page is displayed.
Step 2 Click Add Device and set Addition Method to Import in batches.
Step 3 Click Template to download the template file.
Step 4 Fill in the template with device information and save the file.
Step 5 Click the folder icon and select the saved template file. Click Upload.
Step 6 Confirm the imported data, select the devices to be added, and click OK.
Step 7 After the devices are added, check the device information in the Result area, as
shown in the following figure.
----End
Data Plan
For details about the data plan for sites, see Table 5-48 and Table 5-49.
Procedure
Step 1 Choose Design > Site Design > Site Management from the main menu.
Step 3 Configure site information. In the Add Device area, select previously added
devices and click OK.
1. Create DC sites as edge sites.
a. Information about Hub1
c. Create Hub3 and Hub4 in the same way as Hub1 and Hub2, but
toggle off RR for Hub3 and Hub4.
2. Create edge sites.
a. Information about Site1
----End
Data Plan
Parameter | Data
Overlay Tunnel | ON, ON, ON, ON
VLAN ID | 1001-1009
Overlay Tunnel | ON, ON, ON, ON, ON
VLAN ID | -, -, 1101-1109, -
Parameter | Data
Procedure
Step 1 Choose Design > Network Design > Network Template from the main menu.
On the Site Template page, click Create.
Step 2 Set template information and click OK.
1. Create a template for hub sites.
Create site template Hub_Dual_N1g1_N2g2 for Hub1 to Hub4.
----End
Data Plan
For details about the data plan, see the parameter Interface under WAN Link in
Table 5-46 and Table 5-47.
Procedure
Step 1 Choose Provision > Physical Network > Physical Interface from the main menu.
Select a device from the device list in the left pane. On the Physical Interface
page displayed in the right pane, click Create.
Step 2 Create physical interfaces for each device and click OK.
1. Create physical interfaces for Hub1_1.
Create physical interfaces for Hub1_2 to Hub4_2 and Site1_1 in the same way.
----End
Data Plan
Table 5-48 Site and ZTP Configuration (1) (The RR function does not need to be
enabled for Hub3 and Hub4. Other data plan is similar to that for Hub3 and Hub4
and is not provided here.)
Parameter | Data | Modifiable or Not After Being Configured | Remarks
RR | ON, ON | - | -
Link name | internet, mpls, internet1, mpls1, internet, mpls, internet1, mpls1 | No | The value cannot be modified after being set.
IPv4 address/Subnet mask | 20.1.1.1/24, 110.1.1.1/24, 20.1.2.1/24, 110.1.2.1/24, 30.1.1.1/24, 120.1.1.1/24, 30.1.2.1/24, 120.1.2.1/24 | No | The value cannot be modified after being set.
IPv4 gateway | 20.1.1.2, 110.1.1.2, 20.1.2.2, 110.1.2.2, 30.1.1.2, 120.1.1.2, 30.1.2.2, 120.1.2.2 | No | The value cannot be modified after being set. Public IP address and IPv4 address can be different.
Uplink bandwidth (Mbit/s) | 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000 | - | Set this parameter based on the actual link bandwidth purchased by the customer.
Downlink bandwidth (Mbit/s) | 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000 | - | Set this parameter based on the actual link bandwidth purchased by the customer.
URL-based deployment | ON, ON, ON, ON, ON, ON, ON, ON | No | After the configuration is complete, links configured during deployment cannot be modified and other links can be deleted or added.
Southbound interface service | UniSouthIP, UniSouthIP, UniSouthIP, UniSouthIP, UniSouthIP, UniSouthIP, UniSouthIP, UniSouthIP | No | This parameter corresponds to the configured IP address of the iMaster NCE-WAN southbound access service. By default, all WAN links use the default southbound access service. You can also select other customized access services. The value cannot be modified after deployment.
Parameter | Data
Uplink bandwidth (Mbit/s) | 20, 20, 20, 20, 20
URL-based deployment | ON, ON, ON, ON, ON
Procedure
Step 1 Configure WAN links and southbound access services for hub sites.
1. Choose Provision > Physical Network > ZTP from the main menu. The ZTP
page is displayed.
2. Select a site from the site list in the left pane. If the site is deployed through
ZTP for the first time, click Click to Deploy.
Configure the ZTP mode.
NOTE
After Advanced mode is enabled, network parameters of the IPv4 links used for URL-
based deployment can be updated online and the site does not need to be re-
deployed. The device version must be V300R019C13 or later. Otherwise, the advanced
mode does not take effect.
3. Click Select Template and select a created WAN link template.
The following example configures WAN links for Hub1. In this example, the
WAN link template Hub_Dual_N1g1_N2g2 is selected.
4. Click the gear icon in the Operation column of the right pane.
5. In the Set WAN Link dialog box that is displayed, configure all WAN links
and click OK.
CAUTION
Among the links for which URL-based deployment has been enabled, at least
one link must be connected to the network so that the device can register
with iMaster NCE-WAN.
ii. Configure an MPLS link and southbound access service for Hub1_1.
iii. Configure an Internet link and southbound access service for Hub1_2.
iv. Configure an MPLS link and southbound access service for Hub1_2.
ii. Configure an MPLS link and southbound access service for Hub2_1.
iii. Configure an Internet link and southbound access service for Hub2_2.
iv. Configure an MPLS link and southbound access service for Hub2_2.
c. Configure WAN links and southbound access services for Hub3 and Hub4
in the same way.
Step 2 Configure WAN links and southbound access services for spoke sites.
Configure WAN links and southbound access services for spoke sites in the same
way as for hub sites. Then click OK.
1. Configure WAN links and southbound access services for Site1.
a. Configure an Internet link and southbound access service.
----End
Data Plan
Time zone | (UTC+08:00)Beijing,Chongqing,Hong Kong,Urumqi | -
NTP authentication | OFF | -
Procedure
Step 1 Choose Provision > Physical Network > ZTP from the main menu.
Step 2 Select a site to be configured and click NTP. The NTP page is displayed. Adjust the
NTP configuration of each link based on the network connectivity and then click
OK.
1. For RR sites (Hub1 and Hub2), set NTP client mode to Manual
Configuration.
2. Configure NTP for hub sites that do not function as RR sites, that is, Hub3 and
Hub4.
For hub sites that do not function as RR sites, set NTP client mode to
Automatic Synchronization with Parent Node or Manual Configuration.
The following example sets NTP client mode to Automatic Synchronization
with Parent Node.
3. For spoke sites (Site1 to Site3), set NTP client mode to Automatic
Synchronization with Parent Node.
----End
Procedure
Step 1 Choose Provision > Physical Network > ZTP from the main menu.
Step 2 Click Send Email. In the dialog box that is displayed, select the site to be
deployed.
Step 3 Enter the recipient email address and CC email addresses, select the created email
template, modify the email content, and click OK.
----End
Procedure
Step 1 Choose Maintenance > Provisioning Result > Site Configuration Status from
the main menu. Click the Configuration Result tab and select a site.
Step 2 If Success is displayed in the Device Configuration Status column, the site
deployment is successful.
NOTE
----End
the Maximum Transmission Unit (MTU) and maximum segment size (MSS) of the
WAN interfaces.
Procedure
Step 1 Choose Provision > Physical Network > Site Configuration from the main menu.
Click the WAN Interface tab.
Step 2 Modify WAN interface configurations based on the actual network situation. You
can also retain the default settings saved during ZTP.
----End
Data Plan
Table 5-51 WAN-side static route information (1) (The data plan for Hub3 and
Hub4 is similar and not provided here.)
Parameter | Data
Priority | 60, 60, 60, 60, 60, 60, 60, 60
Next-hop type | IP address, IP address, IP address, IP address, IP address, IP address, IP address, IP address
Parameter | Data
Procedure
Step 1 Choose Provision > Physical Network > Site Configuration from the main menu.
Select a site from the site list in the left pane and click WAN Route.
Step 2 On the WAN Route tab page, click Click Here to Add Routing Protocol and
select IPv4 Static from the Protocol drop-down list box.
Step 3 On the IPv4 Static tab page, click Create. Complete static route configuration and
click OK.
1. Configure static routes for Hub1.
3. Configure static routes for Hub3 and Hub4 in the same way.
4. Configure static routes for Site1.
----End
Procedure
Step 1 Choose Provision > Physical Network > Connect to RR from the main menu.
Step 2 Select an edge site and click Connect. In the Connect dialog box that is displayed,
select the RR site to be connected and click Detect.
----End
Data Plan
IPSec Encryption | ON | - | -
Procedure
Step 1 Choose Provision > Virtual Network > Overlay Network from the main menu.
Step 2 On the Virtual Network tab page, click Create.
Step 3 Set the VN name and select the sites to be added to the VN.
----End
Procedure
Step 1 Choose Provision > Virtual Network > Overlay Network from the main menu.
Step 2 On the Topology tab page, select the VN to be configured.
Step 3 On the Predefine Topology tab page, set Mode and Topology mode.
Step 4 The default topology mode is Full-Mesh. Click Hub-Spoke to switch the topology
mode, and then set hub sites and branch sites.
----End
Data Plan
Table 5-54 LAN interface information (The data plan for Hub3 and Hub4 is
similar to that for Hub1 and Hub2 and is not provided here.)
Parameter | Data | Modifiable or Not After Being Configured | Remarks
Mode | -, -, -, -, -, Untag, Untag, Untag | - | -
Virtual IP | -, -, -, -, -, 22.1.1.1, 22.1.1.1, - | - | -
Default Role | -, -, -, -, -, Master, Backup, - | - | -
Preempt Delay (s) | -, -, -, -, -, 0, 0, - | - | -
DHCP: DHCP type | -, -, -, -, Server, -, -, - | - | -
Server IP | -, -, -, -, -, -, -, - | - | -
Lease time | -, -, -, -, 1 day, -, -, - | - | -
Procedure
Ensure that LAN interfaces have been created on physical interfaces. If the
physical interfaces have not been added, add them by referring to 5.5.4.6
Creating Physical Interfaces.
----End
Data Plan
Table 5-55 LAN-side EBGP route information (The data plan for Hub3 and Hub4
is similar to that for Hub1 and is not provided here.)
Parameter | Data
Keepalive time (seconds) | 20, 20, 20, 20
Hold time (seconds) | 60, 60, 60, 60
Parameter | Data
Routing Policy: Export | ON, ON, ON, ON
Type | IP-prefix, IP-prefix, IP-prefix, IP-prefix
Greater-equal | 16, 16, 16, 16
Less-equal | 32, 32, 32, 32
Summary route | -, -, -, -
Parameter | Data
Priority | 60, 60, 60
Track | ON, ON, ON
Target | 33.1.1.1, 22.1.1.1, 22.1.1.1
Table 5-57 LAN-side OSPF route information (OSPF is not used together with
VRRP)
Parameter | Data | Remarks
Device | Site3_1 | -
Process ID | 1001 | -
Internal preference | 10 | -
Interface Parameter: Area ID | 0 | -
Interface Name | Vlanif300 | -
Hello interval | 10 | -
DR Priority | 0 | -
Route Redistribute: Protocol | - | -
Process ID | - | -
Cost | - | -
Procedure
Step 1 Choose Provision > Virtual Network > Overlay Network from the main menu.
Step 3 Select a site, and click LAN Route in the right pane.
Step 4 Click Click Here to Add Routing Protocol and select a routing protocol.
2. Configure static routes for Site1 and Site2. The following uses Site1 as an
example.
----End
Procedure
Step 1 Check the configuration delivery status.
1. Choose Maintenance > Provisioning Result > Site Configuration Status
from the main menu. Click the Configuration Result tab and select a site.
2. If Success is displayed in the Device Configuration Status column, the
configuration is successful.
NOTE
Only the current device configuration status (success or failure) is displayed, and the
status is displayed after a certain delay.
3. (Optional) Click the Total Site Result Statistics tab to view the device
configuration status of all sites.
Step 2 Check EVPN connections.
1. Choose Design > Site Design > Device Management from the main menu,
select the device to be checked, and click the device name. On the device
management page that is displayed, click the Entry Query tab.
2. Select VPN from the Device Table Item drop-down list box and display evpn
connection from the Command drop-down list box. Modify parameters as
needed in the Command Input text box, and click Execute In Device.
3. In the Table Item Query Result area, check whether the number of EVPN
connections meets the expectation and whether all EVPN connections are up.
Check EVPN connections on each gateway. The following uses Site1_1 as an
example.
Connection ID Site ID Source IP Destination IP Source TNP Destination TNP State
-------------------------------------------------------------------------------
7 22 130.1.1.1 110.1.1.1 109 89 UP
8 22 40.1.1.1 20.1.1.1 110 90 UP
5 22 130.1.1.1 110.1.2.1 109 87 UP
6 22 40.1.1.1 20.1.2.1 110 88 UP
3 24 40.1.1.1 30.1.2.1 110 104 UP
4 24 130.1.1.1 120.1.2.1 109 103 UP
1 24 130.1.1.1 120.1.1.1 109 105 UP
2 24 40.1.1.1 30.1.1.1 110 106 UP
9 28 40.1.1.1 60.1.2.1 110 118 UP
10 28 130.1.1.1 150.1.2.1 109 117 UP
11 28 130.1.1.1 150.1.1.1 109 119 UP
12 28 40.1.1.1 60.1.1.1 110 120 UP
-------------------------------------------------------------------------------
Number of connection : 12
Status Codes: *-Diagnose Status
Destinations : 11 Routes : 11
----End
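The EVPN check in Step 2 (connection count as expected, every connection up) can be automated against the text returned by Execute In Device. The following is an added example, not code from the original guide or from the product: the function names, the per-site expectation dictionary, and the DOWN state string in the constructed sample are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the layout of the output above; one state is changed
# to DOWN (an assumed state string) to exercise the failure path.
SAMPLE = """\
Connection ID Site ID Source IP Destination IP Source TNP Destination TNP State
-------------------------------------------------------------------------------
7 22 130.1.1.1 110.1.1.1 109 89 UP
8 22 40.1.1.1 20.1.1.1 110 90 UP
3 24 40.1.1.1 30.1.2.1 110 104 DOWN
4 24 130.1.1.1 120.1.2.1 109 103 UP
-------------------------------------------------------------------------------
Number of connection : 4
"""

ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")
TOTAL = re.compile(r"Number of connection\s*:\s*(\d+)")

def parse_evpn_connections(text):
    """Return (rows, reported_total); reported_total is None if absent."""
    rows, reported = [], None
    for line in text.splitlines():
        row = ROW.match(line)
        if row:
            cid, site, src, dst, _stnp, _dtnp, state = row.groups()
            rows.append({"id": int(cid), "site": int(site), "src": src,
                         "dst": dst, "state": state.upper()})
        elif TOTAL.search(line):
            reported = int(TOTAL.search(line).group(1))
    return rows, reported

def check_evpn(text, expected_up_per_site):
    """Return a list of findings; an empty list means the check passed."""
    rows, reported = parse_evpn_connections(text)
    findings = []
    if reported is None:
        findings.append("summary line missing, output may be truncated")
    elif reported != len(rows):
        findings.append(f"summary reports {reported} connections, parsed {len(rows)}")
    for r in rows:
        if r["state"] != "UP":
            findings.append(f"connection {r['id']} to site {r['site']} "
                            f"({r['src']} -> {r['dst']}) is {r['state']}")
    up = Counter(r["site"] for r in rows if r["state"] == "UP")
    for site, want in sorted(expected_up_per_site.items()):
        if up[site] != want:
            findings.append(f"site {site}: {up[site]} UP connections, expected {want}")
    return findings

if __name__ == "__main__":
    for finding in check_evpn(SAMPLE, {22: 2, 24: 2}):
        print(finding)
```

For the Site1_1 output shown above, the expectation would be four UP connections for each of sites 22, 24 and 28.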
Procedure
Step 1 Choose Policy > Application Management > Application Management from the
main menu.
Step 2 Click the Pre-defined Application tab.
Step 3 In the navigation tree, select an SA signature database, and click a category. All
predefined applications in the category are displayed in the right pane.
NOTE
----End
Procedure
Step 1 Choose Policy > Application Management > Application Management from the
main menu.
Step 2 Click the Customized Application tab.
Step 3 Click Create to create a customized application.
Step 4 Set Name to a customized application name.
Step 5 Select the application group to which the customized application belongs.
Step 6 Click Create to configure a matching rule for the customized application.
----End
Data Plan
Parameter Data
Name test_app_video
Pre-defined applications PFI -
SA Internet_Conferencing
Media_Sharing
Social_Networks
VoIP
Web_Browsing
Electronic_Business
Online_Media
Customized Applications -
Procedure
Step 1 Choose Policy > Application Management > Application Management from the
main menu.
Step 2 Click the Application Group tab. Click Create to create an application group.
Step 3 Set the application group name, select the SA signature database SA_H30071000
(6000+), and click Add Pre-defined Applications in the SA area.
Step 4 In the Edit Predefined Applications window that is displayed, search for video in
the Available Applications area and select all the displayed video applications.
----End
Application-based Monitoring
Application monitoring is based on applications instead of application groups.
After a customized application is created, you can view the customized application
as well as pre-defined applications on the Monitoring > Monitoring >
Application page. However, application groups are not displayed on this page.
Data Plan
Parameter Data
Parameter Data
L3 ACL Priority 10 10
Destination IP Address 10.1.0.0/16 -
Application groups - -
Policy priority 10 20
Procedure
Step 1 Log in to the controller as a tenant administrator.
Step 2 Create traffic classifiers.
1. Choose Policy > WAN Policy > Policy Template Management from the main
menu.
2. Click the Traffic Classifier Template tab. Click Create to create a traffic
classifier.
3. Create a traffic classifier to identify internal traffic destined for port 445, and
click OK.
4. Create another traffic classifier to identify all traffic destined for port 445, and
click OK.
4. Click Create to create an ACL policy to deny other external access to port 445.
Then click OK.
5. After the ACL policies are configured, click in the Operation column of
the policy list to apply the two ACL policies to all sites, and click OK.
6. Select the policy to be delivered, click Commit, and then click Commit
Selected.
----End
3. Click next to a device to expand the feature list. Click For Details
corresponding to ACL in the Operation column to view the ACLs delivered to
this device.
3. Select Customize from the Device Table Item drop-down list box, enter
display traffic classifier user-defined in the Command Input text box, and
click Execute In Device. The traffic classifier information is displayed as
follows:
User Defined Classifier Information:
Classifier: Permit_1_f3_noapp
Operator: AND
Rule(s) :
if-match acl name acl_1_f3 // Match the ACL rule acl_1_f3.
Classifier: Deny_1_f5_noapp
Operator: AND
Rule(s) :
if-match acl name acl_1_f5 // Match the ACL rule acl_1_f5.
4. Select Customize from the Device Table Item drop-down list box, enter
display traffic policy user-defined in the Command Input text box, and click
Execute In Device. The traffic policy information is displayed as follows:
User Defined Traffic Policy Information:
Policy: mqcinAcl_outbound1 // The traffic policy mqcinAcl_outbound1 permits the traffic
matching the ACL rule acl_1_f3 and denies the traffic matching the ACL rule acl_1_f5.
Classifier: Permit_1_f3_noapp
Operator: AND
Behavior: Permit_1_f3_noapp
Precedence: 10
Classifier: Deny_1_f5_noapp
Operator: AND
Behavior: Deny_1_f5_noapp
Deny
Precedence: 20
5. Select Customize from the Device Table Item drop-down list box, enter
display traffic-policy applied-record mqcinAcl_outbound1 in the Command
Input text box, and click Execute In Device. The traffic policy application
information is displayed as follows:
-------------------------------------------------
Policy Name: mqcinAcl_outbound1
Policy Index: 3
Classifier:Permit_1_f3_noapp Behavior:Permit_1_f3_noapp Precedence:10
Classifier:Deny_1_f5_noapp Behavior:Deny_1_f5_noapp Precedence:20
-------------------------------------------------
*interface GigabitEthernet0/0/6 // The traffic policy is applied to the outbound direction of
LAN interface GE0/0/6 on Site3_1.
traffic-policy mqcinAcl_outbound1 outbound preprocess
slot 0 : success
-------------------------------------------------
Policy total applied times: 1.
----End
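The two-classifier design above works only if the permit rule is evaluated before the broader deny rule. The following added example (not part of the original guide or the product) models the data plan and shows what happens when the priorities are swapped. It assumes that the lower precedence value is matched first, that the first match wins, that the permit classifier matches destination 10.1.0.0/16 on port 445, and that unmatched traffic is left to normal forwarding; the rule dictionaries and function names are hypothetical.

```python
import ipaddress

# Rules modelled on the data plan above (classifier names from the device
# output): permit port 445 to 10.1.0.0/16 at priority 10, deny all other
# port 445 traffic at priority 20.
RULES = [
    {"name": "Deny_1_f5_noapp", "precedence": 20,
     "dst": "0.0.0.0/0", "port": 445, "action": "deny"},
    {"name": "Permit_1_f3_noapp", "precedence": 10,
     "dst": "10.1.0.0/16", "port": 445, "action": "permit"},
]

def evaluate(rules, dst_ip, dst_port):
    """First match wins, scanning in ascending precedence value (assumed)."""
    addr = ipaddress.ip_address(dst_ip)
    for rule in sorted(rules, key=lambda r: r["precedence"]):
        if dst_port == rule["port"] and addr in ipaddress.ip_network(rule["dst"]):
            return rule["action"], rule["name"]
    return "no-match", None  # not handled by this policy

def shadowed(rules):
    """Names of rules that can never match because an earlier rule on the
    same port already covers their whole destination range."""
    ordered = sorted(rules, key=lambda r: r["precedence"])
    hidden = []
    for i, later in enumerate(ordered):
        later_net = ipaddress.ip_network(later["dst"])
        for earlier in ordered[:i]:
            if (earlier["port"] == later["port"]
                    and later_net.subnet_of(ipaddress.ip_network(earlier["dst"]))):
                hidden.append(later["name"])
                break
    return hidden

if __name__ == "__main__":
    # Constructed flows: an internal server and a documentation-range address.
    print(evaluate(RULES, "10.1.5.20", 445), evaluate(RULES, "203.0.113.9", 445))
    # Failure mode: deny at 10, permit at 20 makes the permit rule unreachable.
    swapped = [dict(r, precedence=30 - r["precedence"]) for r in RULES]
    print(evaluate(swapped, "10.1.5.20", 445), shadowed(swapped))
```

Running `shadowed` on the planned priorities before committing the policy catches a swapped or duplicated priority that would otherwise block port 445 for internal destinations as well.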
Data Plan
Parameter Data
Operator And
L3 ACL -
Parameter Data
Type WAN
Enable Statistic ON
Parameter Data
Parameter Data
Policy priority 10
Procedure
Step 1 Log in to the controller as a tenant administrator.
Step 2 Enable SAC and create an application group for video traffic that contains all
video applications.
1. Enable SAC. For details, see Step 1.
2. Create an application group for video traffic. For details, see 5.5.6.3 Creating
an Application Group.
Step 5 Configure a QoS policy and apply it to Site1, Site2, and Site3.
1. Choose Policy > WAN Policy > Traffic Policy from the main menu.
2. Click the Overlay tab. In the VN/VPN QoS Group area, select the VN for
which you want to configure a QoS policy.
3. Click the QoS tab. Click Create to create a QoS policy, and bind the traffic
classifier and traffic behavior template to the QoS policy to limit the
bandwidth of video traffic.
4. After the QoS policy is configured, click in the Operation column to apply
the QoS policy to Site1, Site2, and Site3, and then click Finish.
5. Select the policy to be delivered, click Commit, and then click Commit
Selected.
----End
if-match qos-group 1
Behavior: overlay1_28c
Assured Forwarding:
Bandwidth 100 (%)
Bandwidth 1024000 (Kbps)
Drop Method: Tail
Queue Length: 64 (Packets) 131072 (Bytes)
Nest Policy : subqos1
Classifier: qos_1_ef_1
Operator: AND
Rule(s) :
if-match app-group name test_app_video
Behavior: qos_1_ef_1
General Traffic Shape:
CIR 10240 (Kbps), CBS 256000 (byte)
Queue length 64 (Packets)
Committed Access Rate:
CIR 10240 (Kbps), PIR 0 (Kbps), CBS 1925120 (byte), PBS 3205120 (byte) // The bandwidth limit is 10
Mbps.
Color Mode: color Blind
Conform Action: pass
Yellow Action: pass
Exceed Action: discard
statistic: enable
Behavior: Be
Assured Forwarding:
Bandwidth 1137 (Kbps)
----End
Data Plan
Operator And
L3 ACL Priority 10
Destination IP Address 135.1.1.0/24
Application groups -
Policy priority 10 -
Switchover mode Pre-emptive -
Procedure
Step 1 Log in to the controller as a tenant administrator.
Step 2 Configure a traffic classifier.
1. Choose Policy > WAN Policy > Policy Template Management from the main
menu.
2. Click the Traffic Classifier Template tab. Click Create to create a traffic
classifier to identify traffic destined for specific destination IP addresses.
----End
AppPolicyIndex : 241
localVpnIndex : 4 (vpn1)
Priority : 4087
AppPriority : 1
ScheduleMode: PF # Inter-TN policy: Preference
SwitchOver : true # Switchover mode: Pre-emptive
DefaultAction : prefer
ForwardType : direct-priority
Threshold Info:
Loss : 50 # Packet loss rate: 50‰
Delay : 300 # Delay: 300 ms
Jitter : 40 # Jitter: 40 ms
CMI : 390
UpperBand : -
LowerBand : -
Match Acl Info:
MatchType : OnlyAcl AclName : spr_acl_vpn1_241 # Traffic only needs to match the ACL
spr_acl_vpn1_241.
ServiceMap Info:
DualGwCnt : 0 DualGwSel : 0
DualGwBestCon : 0 DualGwLessCon : 0
MasterIndex : - BackupIndex : -
LinkPath Site:132 Info:
MasterLink(1):
ConId : 2 TnId : 43
Index : - Loss : 0
Priority : 8 Delay : 1
Status : Available Jitter : 0
Mode : Master CMI : 1
BandRatio : 0
InBand : 1.00Gbit/s InRate : 4Kbit/s
OutBand : 1.00Gbit/s InUti : 0.00%
UpperBand : - OutRate : 3Kbit/s
LowerBand : - OutUti : 0.00%
AppUpperBand : - AppRate : 0Kbit/s
AppLowerBand : - AppUti : 0.00%
BackupLink(0):
Chosen Path Info:
BestConId :2
LessBestConId : None
----------------------------------------------------------------------------
----End
Data Plan
Traffic Classifier Template - -
Procedure
Step 1 Log in to the controller as a tenant administrator.
Step 2 Configure centralized and local Internet access policies.
1. Choose Policy > WAN Policy > Traffic Policy from the main menu.
2. Click the Overlay tab. In the VN/VPN QoS Group area, select the VN for
which you want to configure Internet access policies.
3. Click the Site-to-Internet tab. In the Centralized Internet access area,
specify Hub1 as Active Internet GW and Hub2 as Standby Internet GW.
4. In the Local Internet access area, select Hub1 and Hub2 for local Internet
access, and click Next.
----End
0.0.0.0/0 IBGP 200 60 RD 10.1.0.2 SDWAN // The next hop of the default route points
to the hub site.
1.2.3.0/24 IBGP 170 10 RD 10.1.0.1 SDWAN
10.1.0.23/32 Direct 0 0 D 127.0.0.1 Tunnel0/0/601
10.1.0.28/32 IBGP 170 10 RD 10.1.0.1 SDWAN
10.1.0.29/32 IBGP 170 10 RD 10.1.0.1 SDWAN
0.0.0.0/0 O_ASE 190 30 D 10.1.0.36 Tunnel0/0/1 // The next hop of the default route points
to the local Internet access interface.
1.2.3.0/24 Direct 0 0 D 1.2.3.4 GigabitEthernet0/0/3
1.2.3.4/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/3
1.2.3.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/3
10.1.0.16/30 Direct 0 0 D 10.1.0.17 Vlanif4087
10.1.0.17/32 Direct 0 0 D 127.0.0.1 Vlanif4087
10.1.0.19/32 Direct 0 0 D 127.0.0.1 Vlanif4087
10.1.0.23/32 IBGP 170 0 RD 10.1.0.21 SDWAN
10.1.0.28/32 O_ASE 160 1 D 10.1.0.18 Vlanif4087
10.1.0.29/32 Direct 0 0 D 127.0.0.1 Tunnel0/0/601
10.1.0.32/29 Direct 0 0 D 10.1.0.35 Tunnel0/0/1
10.1.0.33/32 Direct 0 0 D 127.0.0.1 LoopBack101
10.1.0.34/32 Direct 0 0 D 127.0.0.1 LoopBack102
10.1.0.35/32 Direct 0 0 D 127.0.0.1 Tunnel0/0/1
10.1.0.39/32 Direct 0 0 D 127.0.0.1 Tunnel0/0/1
60.1.1.0/24 IBGP 170 0 RD 10.1.0.21 SDWAN
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
Verify that Internet access at spoke and hub sites is successful. Use LAN-side PCs
at the spoke and hub sites to access web pages. If the web pages are opened
normally, the policies have been successfully applied.
----End
Data Plan
Parameter Data
Procedure
Step 1 Log in to the controller as a tenant administrator.
----End
Step 2 Select IP Routing from the Device Table Item drop-down list box and
display ip routing-table from the Command drop-down list box, enter
display ip routing-table vpn-instance vpn1 in the Command Input text box,
and click Execute In Device.
Step 3 Check the routing table. The command output shows that specific routes on the
underlay network have been imported to the overlay network. This indicates that
the policy has been successfully applied.
Step 4 Verify that SD-WAN sites can communicate with legacy sites.
Ping the LAN-side IP address of a legacy site from the LAN side of Site1 or Site2. If
the ping operation succeeds, the policy has been successfully applied.
----End
Procedure
Step 1 Log in to the controller as a tenant administrator.
Step 2 Choose Monitoring > Overview > Dashboard from the main menu.
Step 3 View the site overview on the controller, including resource statistics, alarm
statistics, alarm trend in the last 24 hours, top applications by traffic, top
applications by packet loss rate, top inter-site links by traffic, top inter-site links by
packet loss rate, and the map.
----End
Site Monitoring
Step 1 Log in to the controller as a tenant administrator.
Step 2 Choose Monitoring > Monitoring > Site from the main menu.
Step 3 View the health score and link quality of a site.
----End
Device Monitoring
Step 1 Log in to the controller as a tenant administrator.
Step 2 Choose Design > Site Design > Device Management from the main menu.
Step 3 Click the device to be checked. On the Device Management page, click the
Resource tab to view the resource usage of the device, such as the CPU usage,
memory usage, and storage usage.
----End