
SD-WAN 5 Best Practice for the Enterprise Multi-DC + Branch

Best Practices (AR600/AR6000, NCE-WAN) Solution (Multi-Hub Networking)

5 Best Practice for the Enterprise Multi-DC + Branch Solution (Multi-Hub Networking)

5.1 Customer Requirement Analysis
5.2 Networking and Service Solution Design
5.3 Recommended Products
5.4 Data Plan
5.5 Deployment Guide

Issue 03 (2022-06-28) Copyright © Huawei Technologies Co., Ltd. 204



5.1 Customer Requirement Analysis


Enterprise Networking

Figure 5-1 Networking diagram

Customer Requirements
The customer has multiple data centers (DCs) that provide different services. All
branches can directly access services in the DCs. Some DCs can provide the same
services and back up each other.

● WAN-side requirements
a. Reducing traffic bottlenecks: An enterprise has one HQ, multiple DCs,
several branches, and multiple sub-branches. DC 1 is deployed in the HQ,
and DC 2 is deployed independently. Sub-branches communicate with the
HQ and DCs through branches, causing a heavy burden to the branch
network. The enterprise wants to reconstruct the current network to
reduce traffic bottlenecks and deployment costs.
b. Reducing private line costs: Sub-branches are interconnected with
branches through MPLS private lines, which are expensive. The enterprise
wants to reduce the private line costs.
c. High reliability: The reliability of the HQ and DC sites must be ensured,
and the bandwidth capacity and forwarding capability must be improved.
● LAN-side requirements
a. Layer 3 switches are deployed on the customer's LAN and are connected
to LAN-side hosts. The customer requires that site gateways can
communicate with Layer 3 switches.
b. Terminals at branch sites need to obtain IP addresses from DHCP servers,
with the gateways functioning as DHCP relay agents.
c. The reliability on the LAN side needs to be improved.
● Service requirements
a. Ensure data security of Internet access for unified data management and
control, and perform centralized log management, filtering, and cleaning
for all traffic.
b. To ensure the openness of internal services and security of external
access, port 445 needs to be enabled for specified network segments to
access shared services; for security purposes, external access to port 445
needs to be denied.
c. Ensure network stability and implement centralized traffic statistics
collection without increasing network investment.
d. The customer has multiple services, such as Internet access, OA, voice,
email, and video services, and requires the following capabilities:
i. Key service assurance: Key services (voice services) are not affected.
ii. Traffic limiting for some services: The bandwidth for video services of
branches cannot exceed 10 Mbps.
e. Legacy sites on the live network can communicate with some SD-WAN
sites.
● Controller deployment requirements
a. The customer can advertise the same IP address as the southbound IP
address of the controller on all networks for all devices to register with
the controller.
b. The enterprise has multiple DCs and requires geographic redundancy, so
it requires that services can run properly if the active DC is faulty.
NOTE

If the customer has a single DC or does not have geographic redundancy
requirements in multi-DC scenarios, geographic redundancy is not required.

5.2 Networking and Service Solution Design


5.2.1 WAN Network Design


Reducing Traffic Bottlenecks
In multi-DC scenarios, the DCs function as hub sites, and servers are deployed in
each DC to provide services for branches. When branches need to communicate
with each other, you can enable the traffic diversion function on two hub sites for
inter-branch service access. The overlay network uses the hub-spoke topology
model. For example, in Figure 5-2, Hub1 to Hub4 are deployed in DC1 to DC4 as
hub sites, and the traffic diversion function can be enabled on two hub sites (for
example, Hub1 and Hub2) for inter-branch service access.

Figure 5-2 SD-WAN networking diagram

1. In the hub-spoke networking, the enterprise HQ and DCs function as hub
sites; branches function as spoke sites and centrally access server applications
deployed at the HQ and DC sites through WANs. If branches need to
communicate with each other, traffic between them is transmitted through
the hub sites.
2. To reduce device and link costs, it is recommended that the RR function be
enabled for two RR sites.
3. Different DCs (hub sites) can provide different services for different branches.
4. When branches need to communicate with each other, enable the traffic
diversion function on two hub sites for inter-branch service access and
configure the two hub sites to work in active/standby mode.
5. In practice, it is recommended that interfaces on SRUs be preferentially used
as WAN interfaces. If interfaces on interface cards are used as WAN
interfaces, ensure that the device is not overloaded.

Reducing Private Line Costs


In some areas, Internet links of branches have good quality and can replace
private lines. Therefore, branches and some sub-branches can use both Internet
links and private lines. Traffic can be transmitted through both the MPLS and
Internet links, which back up each other, improving reliability.


Ensuring Reliability
Dual gateways can be deployed to ensure the reliability of important sites.

Clock Synchronization
The NTP clock synchronization mechanism is used to synchronize clocks on
devices. Edge-RR sites have NTP clock synchronization configured to synchronize
their clocks with that of the NTP server while edge sites synchronize their clocks
with that of the edge-RR sites.

5.2.2 LAN Network Design


● Gateways and Layer 3 switches are assigned to the same VLAN and belong to
the same network segment. In this way, the gateways and Layer 3 switches
can communicate with each other.
● The gateways at branch sites function as DHCP relay agents so that
terminals can obtain IP addresses from DHCP servers.
● VRRP needs to be configured on the LAN side of a dual-gateway branch site
to improve the reliability.

5.2.3 Service Design

5.2.3.1 QoS Policy Design


To ensure the transmission of key service traffic in the case of network congestion,
you can configure QoS policies to limit the bandwidth of non-key service traffic.
● Production service traffic such as office software traffic is key service traffic,
and video traffic is non-key service traffic. Therefore, perform bandwidth
control for such non-key service traffic.
● Configure the bandwidth limit for traffic based on the upstream bandwidth
and link usage in the case of network congestion.
● Bind QoS policies to spoke sites based on the actual situation and user
requirements.

5.2.3.2 Intelligent Traffic Steering Policy Design


The bandwidth of MPLS links is lower than that of Internet links. For network
stability and centralized traffic statistics collection, traffic destined for specified
network segments is preferentially transmitted over Internet links. An intelligent
traffic steering policy can be configured to meet this requirement. That is, in
scenarios where multiple uplinks are available, you can configure an intelligent
traffic steering policy to control paths for traffic of specific services, facilitating
traffic monitoring and limiting the traffic passing through gateways.
● Configure an intelligent traffic steering policy for a site deployed with
multiple uplinks or dual gateways.
● Bind a traffic classifier to the intelligent traffic steering policy, set the primary
transmission link, and determine the traffic transmission mode and switchover
condition.


5.2.3.3 Internet Access Policy Design


To implement online traffic statistics collection and management on a firewall,
you can deploy the firewall at a hub site, and configure policies for centralized
Internet access in an area and local Internet access at the hub site. In this way,
Internet access traffic of spoke sites can be aggregated to the hub site and then
transmitted to the Internet.
● Configure centralized Internet access and configure two hub sites as the
active and standby gateways.
● Configure local Internet access at the hub sites.
A maximum of three Internet links can be deployed for local Internet access.
When multiple Internet links are enabled for Internet access, multiple Internet
links of a single CPE can only be used for load balancing, and inter-CPE load
balancing is not supported.

5.2.3.4 Site-to-Legacy Site Access Design


Both legacy sites and SD-WAN sites are deployed on the live network, and these
legacy sites need to communicate with the SD-WAN sites. In this case, you can
configure mutual access between these sites on the controller.
● Configure local mutual access for sites that need to communicate with each
other.

5.2.4 Controller Deployment Design

5.2.4.1 Southbound IP Address Deployment Design

Table 5-1 Southbound IP address deployment scenarios and recommended deployment modes

| Scenario | Recommended Deployment Mode |
|---|---|
| Scenario 1: A single southbound IP address is configured. An enterprise can advertise the same IP address as the southbound IP address of the controller on all networks for all devices to register with the controller. | In standard NAT scenarios, plan the IP address in advance and then advertise it to all networks. |
| Scenario 2: Multiple southbound IP addresses are configured. An enterprise has multiple networks and cannot advertise the same IP address of the controller on these networks for device registration. | In NAT scenarios, configure multiple southbound access IP addresses for the controller. An enterprise needs to advertise different IP addresses on different networks as southbound IP addresses of the controller and configure different IP addresses on the controller for different southbound access services. Devices can register with the controller using different southbound access IP addresses based on the link type. |

Scenario 1 is suitable based on the customer's requirements, so the deployment
mode in standard NAT scenarios can be used.

5.2.4.2 Geographic Redundancy Design


In a scenario where an enterprise has multiple DCs and requires geographic
redundancy, you can deploy a controller in each DC to implement geographic
redundancy. If the active controller is faulty, all services are switched to the
standby controller. This ensures normal service running and improves network
reliability. Figure 5-3 shows the networking of the geographic redundancy system.
An IP address is advertised as the southbound IP address of the controller on all
networks. The active and standby controllers share the same southbound IP
address. During an active/standby switchover, the southbound IP address is
advertised from one DC to another one based on route priorities.

NOTE

In DR scenarios, the active and standby controllers can advertise different southbound IP
addresses. Alternatively, the active controller can advertise multiple southbound IP
addresses, and the standby controller can advertise other southbound IP addresses.

Figure 5-3 Networking of the geographic redundancy system


5.2.5 Communication Matrix


Before the deployment, you need to enable the ports listed in the following tables
on the firewall.

Northbound Ports Required by the Controller

Table 5-2 Northbound ports required by the controller

| Source Device | Source Port Number | Destination Device | Destination Port (Listening) | Protocol | Port Description |
|---|---|---|---|---|---|
| Browser | Any | iMaster NCE-WAN | 80, 443, or 18008 | TCP | Port used to log in to the service plane of the controller. |
| Browser | Any | iMaster NCE-WAN | 18001 | TCP | Port used by the browser to display a window during reverse SSH login to the service plane of the controller. |
| Browser | Any | iMaster NCE-WAN | 18102 | TCP | Port used to log in to the management plane of the controller. |
| Upper-layer OSS | Any | iMaster NCE-WAN | 18002 | TCP | Port used to invoke APIs for establishing northbound interconnection. |

Southbound Ports Required by the Controller

Table 5-3 Southbound ports required by the controller

| Source Device | Source Port Number | Destination Device | Destination Port (Listening) | Protocol | Port Description |
|---|---|---|---|---|---|
| Edge device | Any | iMaster NCE-WAN | 10020 | TCP | Port used to establish a NETCONF channel for device registration. |
| Edge device | Any | iMaster NCE-WAN | 10022 or 10024 | TCP | Port used to establish a reverse SSH channel. Port 10022 is used when the edge device uses a legacy device certificate, and port 10024 is used when the edge device uses a new device certificate. |
| Edge device | Any | iMaster NCE-WAN | 10031 or 10032 | TCP | Port used to establish an HTTP/2 channel for transmitting performance data. Port 10031 is used when the edge device uses a legacy device certificate, and port 10032 is used when the edge device uses a new device certificate. |
| Edge device | Any | iMaster NCE-WAN | 18020 or 18021 | TCP | Port used to establish a file download channel for device patch and version upgrade, SA signature database upgrade, fault information collection, and RDB file backup and upload. Port 18021 is used when the edge device uses a legacy device certificate, and port 18020 is used when the edge device uses a new device certificate. |
| Edge device | Any | iMaster NCE-WAN | 31922 | TCP | SFTP service listening port. This port is used to back up device configurations. |

Ports Required for Communication Between Devices

Table 5-4 Ports required for communication between devices

| Source Device | Source Port Number | Destination Device | Destination Port (Listening) | Protocol | Port Description |
|---|---|---|---|---|---|
| Edge device | 4500 | RR | 4500 | UDP | Both source and destination port numbers are 4500 when NAT traversal is configured on IPsec links. |
| Edge device | 123 | RR | 123 | UDP | Port used to establish NTP sessions for clock synchronization between the edge device and RR. |
| Edge device | 4500 | RR | 1024–65535 (default port: 3478) | UDP | Port used to send STUN detection packets and receive response packets in NAT traversal scenarios. |
| Edge device | Any | RR | 10000–65535 (default port: 55100) | UDP | Port used to establish a DTLS connection. |
| Edge device | Any | RR | Any | ESP (50) | Port used to establish an ESP-encrypted IPsec tunnel. |
| Edge device | Any | RR | Any | GRE (47) | Port used to establish a GRE tunnel on an MPLS link without IPsec encryption. |
| Edge device | 4500 | Edge device | 4500 | UDP | Both source and destination port numbers are 4500 when NAT traversal is configured on IPsec links. |
| Edge device | Any | Edge device | Any | ESP (50) | Port used to establish an ESP-encrypted IPsec tunnel. |
| Edge device | Any | Edge device | Any | GRE (47) | Port used to establish a GRE tunnel on an MPLS link without IPsec encryption. |
| Edge device | Any | NTP server | 123 | UDP | Port used to establish NTP sessions for clock synchronization between the edge device and a third-party NTP server. |

Geographic Redundancy and Other Ports Between the Active and Standby
Controller Clusters
For details, see the Geographic Redundancy sheet in the iMaster NCE-WAN
V100R020C10 Communication Matrix.
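
The following added example (not part of the Huawei documentation) encodes Tables 5-2 to 5-4 as rules and checks firewall session records against them, so that after the ports are opened you can confirm that only the listed flows occur and see which edge devices still use the legacy-certificate ports. The log line format, the role names, the treatment of an RR as also being an edge device, and every address except the southbound IP address 192.168.10.2 from Table 5-12 are assumptions constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass

ANY = "any"  # wildcard for a port field


@dataclass
class Rule:
    src: str        # source role
    dst: str        # destination role
    proto: str      # TCP, UDP, ESP or GRE
    sport: object   # int or ANY
    dports: object  # set of ints or ANY
    note: str = ""  # set only for legacy-certificate ports


def build_matrix(stun_port=3478, dtls_port=55100):
    """Rules from Tables 5-2 to 5-4; only the configured STUN/DTLS port is allowed."""
    if not 1024 <= stun_port <= 65535:
        raise ValueError("STUN port outside 1024-65535")
    if not 10000 <= dtls_port <= 65535:
        raise ValueError("DTLS port outside 10000-65535")
    legacy = "legacy device certificate port"
    rules = [
        Rule("browser", "controller", "TCP", ANY, {80, 443, 18008, 18001, 18102}),
        Rule("oss", "controller", "TCP", ANY, {18002}),
        Rule("edge", "controller", "TCP", ANY, {10020, 10024, 10032, 18020, 31922}),
        Rule("edge", "controller", "TCP", ANY, {10022, 10031, 18021}, legacy),
        Rule("edge", "rr", "UDP", 123, {123}),
        Rule("edge", "rr", "UDP", 4500, {4500, stun_port}),
        Rule("edge", "rr", "UDP", ANY, {dtls_port}),
        Rule("edge", "edge", "UDP", 4500, {4500}),
        Rule("edge", "ntp", "UDP", ANY, {123}),
    ]
    for peer in ("rr", "edge"):  # ESP (50) and GRE (47) carry no port numbers
        rules += [Rule("edge", peer, "ESP", ANY, ANY), Rule("edge", peer, "GRE", ANY, ANY)]
    return rules


# Constructed address plan (assumption): role(s) per network, most specific wins.
INVENTORY = {
    "192.168.10.2/32": {"controller"},   # southbound IP address from Table 5-12
    "192.0.2.0/24": {"browser"},         # administrator workstations
    "192.0.2.200/32": {"oss"},           # upper-layer OSS
    "198.51.100.0/24": {"edge"},         # spoke CPE WAN addresses
    "198.51.100.1/32": {"edge", "rr"},   # hub CPE that is also the RR
    "203.0.113.123/32": {"ntp"},         # third-party NTP server
}

# Constructed firewall session records, one per new session (assumed format).
SAMPLE_LOG = [
    "proto=TCP src=198.51.100.10 sport=51000 dst=192.168.10.2 dport=10020",
    "proto=TCP src=198.51.100.11 sport=51001 dst=192.168.10.2 dport=10022",
    "proto=TCP src=198.51.100.12 sport=51002 dst=192.168.10.2 dport=18102",
    "proto=UDP src=198.51.100.10 sport=4500 dst=198.51.100.1 dport=3478",
    "proto=ESP src=198.51.100.1 dst=198.51.100.10",
    "proto=TCP src=203.0.113.9 sport=40000 dst=192.168.10.2 dport=443",
]


def roles_of(addr, inventory):
    """Longest-prefix match of an address against the inventory."""
    ip, best = ipaddress.ip_address(addr), None
    for net, roles in inventory.items():
        network = ipaddress.ip_network(net)
        if ip in network and (best is None or network.prefixlen > best[0]):
            best = (network.prefixlen, roles)
    return best[1] if best else {"unknown"}


def classify(line, matrix, inventory):
    """Return (verdict, note): allowed, allowed-legacy or not-in-matrix."""
    f = dict(re.findall(r"(\w+)=(\S+)", line))
    sport = int(f["sport"]) if "sport" in f else None
    dport = int(f["dport"]) if "dport" in f else None
    src_roles, dst_roles = roles_of(f["src"], inventory), roles_of(f["dst"], inventory)
    for r in matrix:
        if r.proto != f["proto"].upper() or r.src not in src_roles or r.dst not in dst_roles:
            continue
        if r.sport != ANY and r.sport != sport:
            continue
        if r.dports != ANY and dport not in r.dports:
            continue
        return ("allowed-legacy" if r.note else "allowed"), r.note
    return "not-in-matrix", ""


def audit(lines, matrix, inventory):
    """Return (verdict, line) for every record that is not plainly allowed."""
    checked = [(classify(line, matrix, inventory)[0], line) for line in lines]
    return [item for item in checked if item[0] != "allowed"]


if __name__ == "__main__":
    for verdict, line in audit(SAMPLE_LOG, build_matrix(), INVENTORY):
        print(f"{verdict:15} {line}")
```

In the sample, the branch address that reaches port 18102 (management plane login) and the unlisted address that reaches port 443 are reported as not-in-matrix, and the session to port 10022 is reported as a legacy-certificate port.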

5.3 Recommended Products


In the single-layer hub-spoke networking where the RR site is co-deployed with
the hub site, the CPE at the hub site functions as both the gateway and RR.
Therefore, a high-performance CPE is required. You can select CPEs at a spoke site
based on the service scale of the site. For details about device selection, see
Network Deployment, Key Specifications, and Device Selection. In actual
projects, other device models can be selected based on factors such as networking
and services.

5.4 Data Plan

5.4.1 Preconfigurations
In the data plan tables, the data in italics needs to be confirmed with the
customer in advance. For details about parameter planning, see GUI Reference in
the SD-WAN V100R020C10 Product Documentation.

5.4.1.1 Administrators
The admin administrator on iMaster NCE-WAN needs to create an MSP
administrator account to manage SD-WAN networks of all enterprises in a unified
manner. The MSP administrator creates a tenant administrator, and the tenant
administrator then authorizes the MSP administrator to implement tenant
network maintenance and management.

Table 5-5 MSP administrator information

| Parameter | Data | Modifiable or Not After Being Configured | Remarks |
|---|---|---|---|
| MSP name | mspA | Yes | MSP administrator name, which is displayed on the controller. |
| Account | mspA@test.com | No | Account used by the MSP administrator to log in to the controller. |
| Password creation mode | Manual creation | - | - |
| Initial Password | Changeme_123 | - | - |
| Password | PassA@1234 | Yes | Password used by the MSP administrator to log in to the controller. |


Table 5-6 Tenant administrator information

| Parameter | Data 1 | Data 2 | Modifiable or Not After Being Configured | Remarks |
|---|---|---|---|---|
| Tenant name | tenant1 | tenant2 | Yes | Tenant name. |
| Account | tenant1@test.com | tenant2@test.com | No | Account used by the tenant administrator to log in to the controller. |
| Password creation mode | Manual creation | Manual creation | - | - |
| Initial Password | Changeme_123 | Changeme_123 | - | - |
| Password | Pass1@1234 | Pass1@1234 | Yes | Password used by the tenant administrator to log in to the controller. |
| Authorize MSP | Enabled | Enabled | No | If Authorize MSP is disabled for a new tenant administrator, the MSP administrator cannot directly modify the configuration. Instead, the MSP administrator must apply to the tenant administrator for authorization first. |

5.4.1.2 Email Server


If iMaster NCE-WAN needs to send emails to users, you need to configure an
email server first.


Table 5-7 Certificate parameters

| Parameter | Data | Modifiable or Not After Being Configured | Remarks |
|---|---|---|---|
| Certificate alias | 163 Mailbox | Yes | - |
| Certificate format | PEM(.pem/.der/.cer/.crt) | Yes | - |
| Certificate file | 163.cer | Yes | - |

Table 5-8 Email server parameters

| Parameter | Data | Modifiable or Not After Being Configured | Remarks |
|---|---|---|---|
| SMTP address | smtp.163.com | Yes | SMTP address of the mailbox from which emails are sent. The address must be an IP address or in the smtp.mail.com format. |
| Port | 25 | Yes | Port used by the email server to provide the SMTP service for external systems. You can obtain the port number from the email service provider. In most cases, the port number is 25. |
| Encrypted connection type | TLSv1.2 | Yes | Protocol used for encrypted communication between iMaster NCE-WAN and the SMTP server. |
| Certificate file | 163 Mailbox | Yes | - |
| Sender Email | testmail@163.com | Yes | Sender email address, which must have been registered on the email server. During an email test, this address is used as a recipient email address. After the connectivity test succeeds and the configurations are saved, this address is used as the sender email address. |
| Account | testmail | Yes | Account and password of the sender email. |
| Password | testmail | Yes | Account and password of the sender email. |

5.4.1.3 File Server


You can obtain required system software packages and patches from a third-party
file server to upgrade the system software or install patches on devices. Before the
upgrade, you need to upload the required system software packages and patches
to the file server, and configure interconnection between iMaster NCE-WAN and
the file server.

Table 5-9 Data plan

| Parameter | Data | Modifiable or Not After Being Configured | Remarks |
|---|---|---|---|
| Name | File server | Yes | Name of the file server. |
| Protocol | SFTP | Yes | File transmission protocol type. The options are SFTP and HTTPS. |
| Username | root | Yes | User name for accessing the file server. |
| Password | Huawei123 | Yes | Password of the file server. |
| IP Type | IPv4 | Yes | Type of the IP address of the file server. |
| IP address | 192.126.172.15 | Yes | IP address of the file server. |
| Port | 22 | Yes | SFTP or HTTPS port number. |

5.4.1.4 (Optional) Syslog Server


To use the syslog server (syslog service module of the NMS) to receive and
manage logs and alarms, you need to configure the syslog server.


Table 5-10 Data plan

| Category | Parameter | Data | Modifiable or Not After Being Configured | Remarks |
|---|---|---|---|---|
| Protocol Configuration | Channel ID | Syslog | Yes | Unique ID of the server. |
| Protocol Configuration | IP address type/Domain name | IPv4 | Yes | IP address type or domain name of the Syslog server. |
| Protocol Configuration | IP address/Domain name | 10.9.1.1 | Yes | IP address or domain name of the Syslog server, which can be obtained from the primary Syslog server. |
| Protocol Configuration | Port number | 6514 | Yes | In the Source field in the Syslog.conf file of the primary server, udp(ip()port()) or tcp(ip()port()) is included. Numbers in the brackets to the right of port indicate the port number for receiving logs. |
| Protocol Configuration | Enable reporting | ON | Yes | - |
| Protocol Configuration | Communication protocol | TLS | Yes | If TLS is configured on the Syslog server, enable TLS. If UDP is configured on the Syslog server, disable TLS. Before enabling TLS, ensure that the log collection server supports TLS. |
| Protocol Configuration | Syslog protocol | RFC5424 | Yes | Protocol used to report Syslogs. The options are RFC5424 and RFC3164. |
| Protocol Configuration | Encoding format | UTF-8 | Yes | UTF-8 and GBK encoding formats are supported. |
| Service Configuration | Data Report Enable Configuration | Enable | Yes | - |
| Service Configuration | Select the type of audit logs to be reported. | Operation Logs, Security Logs, and System Logs | Yes | - |
| Service Configuration | Alarm Report | Enable | Yes | - |
| Service Configuration | Alarm Report | ON | Yes | - |
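
Table 5-10 allows reporting in RFC5424 or RFC3164 format with UTF-8 or GBK encoding, so the log collection server has to recognize both headers and both encodings. The following added example (not part of the Huawei documentation) parses either header and falls back from UTF-8 to GBK; the sample messages, host name, and field contents are constructed for illustration and were not captured from a controller.

```python
import re

_PRI = r"<(\d{1,3})>"
_RFC5424 = re.compile(_PRI + r"(\d{1,2}) (\S+) (\S+) (\S+) (\S+) (\S+) (.*)", re.S)
_RFC3164 = re.compile(_PRI + r"([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)", re.S)

# Constructed samples (assumptions), not captured from a controller.
SAMPLE_5424 = (b'<134>1 2022-06-28T08:15:02Z nce-wan-1 audit - OPLOG '
               b'[meta user="tenant1@test.com" ip="192.0.2.50"] Login succeeded')
SAMPLE_5424_NO_SD = b"<134>1 2022-06-28T08:15:02Z nce-wan-1 audit - - - heartbeat"
# RFC3164 header with a GBK-encoded message body ("link fault" in Chinese).
SAMPLE_3164_GBK = (b"<11>Jun 28 08:15:02 nce-wan-1 alarm: "
                   + "\u94fe\u8def\u6545\u969c".encode("gbk"))


def decode_payload(raw):
    """Try UTF-8 first, then GBK (the two encodings Table 5-10 offers)."""
    try:
        return raw.decode("utf-8"), "UTF-8"
    except UnicodeDecodeError:
        return raw.decode("gbk"), "GBK"


def split_sd(rest):
    """Split 'STRUCTURED-DATA [SP MSG]', honouring quoted values and escapes."""
    if rest == "-" or rest.startswith("- "):
        return "-", rest[2:]
    if not rest.startswith("["):
        raise ValueError("malformed structured data")
    i, quoted = 0, False
    while i < len(rest):
        ch = rest[i]
        if quoted and ch == "\\":
            i += 1                      # skip the escaped character
        elif ch == '"':
            quoted = not quoted
        elif ch == "]" and not quoted and rest[i + 1:i + 2] != "[":
            return rest[:i + 1], rest[i + 2:]
        i += 1
    raise ValueError("unterminated structured data")


def parse_syslog(raw):
    """Parse one RFC5424 or RFC3164 message given as bytes."""
    text, encoding = decode_payload(raw.rstrip(b"\r\n"))
    m = _RFC5424.match(text)
    if m:
        pri, _version, ts, host, app, _procid, msgid, rest = m.groups()
        sd, msg = split_sd(rest)
        rec = {"format": "RFC5424", "timestamp": ts, "hostname": host,
               "app": app, "msgid": msgid, "sd": sd,
               "msg": msg.lstrip("\ufeff")}   # drop the optional UTF-8 BOM
    else:
        m = _RFC3164.match(text)
        if not m:
            raise ValueError("neither RFC5424 nor RFC3164")
        pri, ts, host, msg = m.groups()
        rec = {"format": "RFC3164", "timestamp": ts, "hostname": host, "msg": msg}
    pri = int(pri)
    if pri > 191:
        raise ValueError("PRI out of range")
    # PRI = facility * 8 + severity
    rec.update(facility=pri >> 3, severity=pri & 7, encoding=encoding)
    return rec


if __name__ == "__main__":
    for sample in (SAMPLE_5424, SAMPLE_5424_NO_SD, SAMPLE_3164_GBK):
        print(parse_syslog(sample))
```

The UTF-8-then-GBK fallback is a heuristic: a GBK payload whose bytes happen to form valid UTF-8 is decoded as UTF-8, so a collector that knows the configured encoding should use it directly.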

5.4.1.5 (Optional) SNMP Alarm Interface


To report the alarm information collected by the controller to a third-party system,
you need to configure an SNMP alarm interface.

Table 5-11 Data plan

| Category | Parameter | Data | Modifiable or Not After Being Configured | Remarks |
|---|---|---|---|---|
| Basic Settings | Address for receiving requests | 192.126.172.14 | Yes | IP address used by the SNMP agent to receive requests from the upper-layer NMS. It can be used to communicate with the upper-layer NMS properly. You are advised to use the ER floating IP address. |
| Basic Settings | IP address for sending traps | 192.126.172.14 | Yes | IP address used by the SNMP agent to send traps to the upper-layer NMS. It can be used to communicate with the upper-layer NMS properly. You are advised to use the ER floating IP address. |
| Basic Settings | Port for receiving requests | 9812 | Yes | Port of the SNMP service. It is used to receive requests from the upper-layer NMS. The default value 9812 is recommended. |
| Basic Settings | Port for sending traps | 6666 | Yes | Port for sending traps. The default value 6666 is recommended. |
| SNMP Agent Settings | MIB type | MIB1 | Yes | MIB type for sending traps and Inform notifications to the third-party system. The default value is MIB1. ● MIB1 ● MIB2 ● MIB3 |
| SNMP Agent Settings | Alarm reporting interval (ms) | 0 | Yes | Interval for reporting alarms, in milliseconds. The default value is 0. |
| SNMP Agent Settings | Time type | UTC time | Yes | Type of the alarm reporting time. The default value is UTC time. ● UTC time ● EMS time ● NE system time |
| SNMP Agent Settings | Time format | UTC time in the format of yyyy/MM/dd - HH:mm:ssZ | Yes | Time format of the VB field that identifies alarm time. The options are as follows: ● UTC time in the format of yyyy/MM/dd - HH:mm:ssZ ● Local time without time zone in the format of yyyy/MM/dd - HH:mm:ss ● Local time with time zone in the format of yyyy/MM/dd - HH:mm:ss TZ[DST] ● UTC time in the format of yyyy-MM-dd HH:mm:ss ● Local time in the format of yyyy-MM-dd HH:mm:ss + hh:mm TZ + hh:mm DST ● Local time (without a time zone) in the format of yyyy-MM-dd,HH:mm:ss.0 |
| SNMP Agent Settings | Maximum length of alarm fields | 4096 | Yes | Maximum length of a character string that is supported in the VB. The default value is 4096. |
| SNMP Agent Settings | Query active alarms | Yes | Yes | Whether active alarms are queried. The default value is Yes. ● Yes: Queries active alarms. ● No: Queries current alarms. |
| SNMP Agent Settings | Alarm encoding format | UTF-8 | Yes | Encoding format for reported alarm traps. The default value is UTF-8. ● ISO-8859-1 ● UTF-8 ● GBK |
| SNMP Agent Settings | Record PDU in logs | No | Yes | Whether the PDU information sent to third-party systems is recorded in run logs. The default value is No. ● Yes: The PDU information is recorded in logs. ● No: The PDU information is not recorded in logs. |
| SNMP Agent Settings | Filter correlative alarms | No | Yes | Whether correlative alarms can be filtered. The default value is No. ● Yes: Reports only common alarms and root alarms. ● No: Reports common alarms, root alarms, and correlative alarms. |
| SNMP Agent Settings | Number of cached alarms | 10000 | Yes | Maximum number of alarms in the cache. If this limit is exceeded, alarms will no longer be reported. The default value is 10000. |
| Inform/Trap Settings | Alarm reporting mode | Trap | Yes | The default value is Trap. ● Inform: Reports alarms through Inform messages. ● Trap: Reports alarms through traps. |
| SNMPv3 Parameter Settings | Security level | Authenticated and encrypted | Yes | Security level. The options are as follows: ● Authenticated and encrypted ● Authenticated but not encrypted ● Not authenticated nor encrypted. The default value is Authenticated and encrypted. |
| SNMPv3 Parameter Settings | Authentication protocol | SHA2-512 | Yes | Authentication protocol. The default value is SHA2-512. ● SHA2-512 ● SHA2-384 ● SHA2-256 ● SHA2-224 ● SHA ● MD5 |
| SNMPv3 Parameter Settings | Encryption protocol | AES-256 | Yes | Encryption protocol for SNMPv3. The default value is AES-256. ● AES-256 ● AES-192 ● AES-128 ● DES |
| SNMPv3 Parameter Settings | RFC specifications | Yes | Yes | Whether the engine ID needs to comply with the specifications of requests for comments (RFC). The default value is Yes. ● Yes: Converts the engine ID into a value that complies with the RFC specifications to report to the third-party system. ● No: Directly reports the engine ID to the third-party system. |
| SNMPv3 Parameter Settings | Engine ID | 192.126.171.14 | Yes | Engine ID, which can be configured as required. It is the unique ID of the SNMP entity. |
| Heartbeat Period Settings | Report heartbeat notifications | Enable | Yes | This parameter is enabled by default. ● Enable: Heartbeat notifications will be reported. ● Disable: Heartbeat notifications will not be reported. |
| Heartbeat Period Settings | Heartbeat period | 60 | Yes | Interval for sending heartbeat notifications, in seconds. The default value is 60. |
| Heartbeat Period Settings | Heartbeat ID | SNMP Agent | Yes | ID of the heartbeat trap. |
| SNMP NBI Advanced Parameter Settings | Parameter | EmsName | Yes | NMS name. |
| SNMP NBI Advanced Parameter Settings | Value | Huawei/NCE | Yes | The gateway name is set to Huawei/NCE. |
| MIB Alarm Reporting Settings | NEName | Selected | Yes | NE name. |
| MIB Alarm Reporting Settings | NEType | Selected | Yes | NE type. |
| MIB Alarm Reporting Settings | ObjectInstance | Selected | Yes | Object instance. |
| MIB Alarm Reporting Settings | EventType | Selected | Yes | Event type. |
| MIB Alarm Reporting Settings | EventTime | Selected | Yes | Time when an alarm is generated. |
| MIB Alarm Reporting Settings | ProbableCause | Selected | Yes | Possible cause of an alarm. |
| MIB Alarm Reporting Settings | Severity | Selected | Yes | Alarm severity. The options are as follows: ● 1: critical ● 2: major ● 3: minor ● 4: warning |
| MIB Alarm Reporting Settings | EventDetail | Selected | Yes | Alarm details. |
| MIB Alarm Reporting Settings | AdditionalInfo | Selected | Yes | Additional alarm information. |
| MIB Alarm Reporting Settings | FaultFlag | Selected | Yes | Alarm category ID. |
| MIB Alarm Reporting Settings | FaultFunction | Selected | Yes | Alarm type. |
| MIB Alarm Reporting Settings | DeviceIP | Selected | Yes | Device IP address. |
| MIB Alarm Reporting Settings | SerialNo | Selected | Yes | Alarm serial number. |
| MIB Alarm Reporting Settings | ProbableRepair | Selected | Yes | Alarm troubleshooting suggestion. |
| MIB Alarm Reporting Settings | ResourceIDs | Selected | Yes | Resource ID. |
| MIB Alarm Reporting Settings | EventName | Selected | Yes | Event name. |
| MIB Alarm Reporting Settings | ReasonID | Selected | Yes | Alarm cause ID. |
| MIB Alarm Reporting Settings | FaultID | Selected | Yes | Alarm ID, which is used for identifying alarm categories for NEs of the same type. |
| MIB Alarm Reporting Settings | DeviceType | Selected | Yes | Device type. |
| MIB Alarm Reporting Settings | TrailName | Selected | Yes | Name of the trail affected by an alarm. |
| MIB Alarm Reporting Settings | RootAlarm | Selected | Yes | Root alarm. |
| MIB Alarm Reporting Settings | GroupID | Selected | Yes | Alarm group ID. |
| MIB Alarm Reporting Settings | MaintainAlmStatus | Selected | Yes | Engineering alarm status. |
| MIB Alarm Reporting Settings | RootAlarmSerialNo | Selected | Yes | Root alarm serial number. |
| MIB Alarm Reporting Settings | ConfirmStatus | Selected | Yes | Alarm acknowledgement status. |
| MIB Alarm Reporting Settings | RestoreStatus | Selected | Yes | Alarm clearance status. |
| MIB Alarm Reporting Settings | AdditionalVB1 | Not selected | Yes | Additional alarm information. |
| MIB Alarm Reporting Settings | AdditionalVB2 | Not selected | Yes | Additional alarm information. |
| MIB Alarm Reporting Settings | AdditionalVB3 | Not selected | Yes | Additional alarm information. |
| MIB Alarm Reporting Settings | AdditionalVB4 | Not selected | Yes | Additional alarm information. |
| MIB Alarm Reporting Settings | AdditionalVB5 | Not selected | Yes | Additional alarm information. |
| MIB Alarm Reporting Settings | AdditionalVB6 | Not selected | Yes | Additional alarm information. |
| MIB Alarm Reporting Settings | AdditionalVB7 | Not selected | Yes | Additional alarm information. |
| MIB Alarm Reporting Settings | AdditionalVB8 | Not selected | Yes | Additional alarm information. |

Issue 03 (2022-06-28) Copyright © Huawei Technologies Co., Ltd. 226


SD-WAN 5 Best Practice for the Enterprise Multi-DC + Branch
Best Practices (AR600/AR6000, NCE-WAN) Solution (Multi-Hub Networking)

5.4.1.6 Southbound Access IP Addresses

Table 5-12 Southbound access IP address

| Parameter | Data | Modifiable or Not After Being Configured | Remarks |
| --- | --- | --- | --- |
| Service Name | UniSouthIP | Yes | Name of the southbound access IP address service. |
| Primary IP Address | 192.168.10.2 | No. It cannot be modified after being referenced by a site link. | Southbound IP address. |

5.4.2 Deployment

5.4.2.1 Network Design


You need to plan global parameters involved in a tenant network.

Table 5-13 Network design parameters

| Parameter | | Data | Modifiable or Not After Being Configured | Remarks |
| --- | --- | --- | --- | --- |
| Select the source of RR | | Tenant RR | - | - |
| Transport Network | Transport Network | MPLS / Internet | No | It can be modified only after being created and cannot be modified after being applied to a site. |
| | Routing Domain | MPLS / Internet | No | It can be modified only after being created and cannot be modified after being applied to a site. |
| | IPSec Encryption | OFF / ON | - | - |
| IPSec Encryption Parameters | Authentication algorithm | SHA2-256 | Yes | Modifying these parameters is allowed but is not recommended. This is because any modification after service provisioning is complete will trigger re-establishment of IPsec tunnels, causing service interruption. |
| | Encryption algorithm | AES256 | | |
| | Life time | 1440 | - | - |
| Device Activation Security Settings | URL encryption key | 123abc | Yes | The customer needs to provide a secure login password. |
| | URL opening validity period (day) | 7 | - | - |
| Link Failure Detection Parameter Configuration | Detection packet sending interval (ms) | 2000 | Yes | Interval at which the master device of an overlay tunnel sends Keepalive packets. The value is an integer in the range from 10 to 10000, in milliseconds, and must be a multiple of 10. You are advised to set the interval for sending detection packets to 2000 ms and the number of detection failures to 10 for link connectivity detection. The reasons for the setting are as follows: Link detection is periodically performed between gateways at WAN sites of the same tenant based on the modified detection parameters. Detection packets are sent at a specified interval. If the number of detection failures exceeds the default value, the link is considered faulty and the EVPN tunnel is disconnected. In addition, the EVPN Down alarm (that is, ALM-15795185 hwConnectionDownReport) is triggered and the EVPN tunnel is reestablished. According to the experience of multiple sites, it takes about 1 minute from the time when the EVPN Down alarm is generated to the time when the EVPN tunnel is reestablished. Most link congestion on the live network is caused by packet loss due to temporary link congestion. Generally, the link recovers within several to dozens of seconds. If the default values are used (the detection packet sending interval is 1000 ms and the number of detection failures is 6), the system considers the link faulty before the link recovers and sends a large number of EVPN Down alarms. On the live network, this alarm accounts for more than 95% of all alarms. In addition, frequent EVPN tunnel reestablishment prolongs the service interruption time. After the recommended values are used, these problems can be effectively avoided. |
| | Number of failed detections | 10 | Yes | Number of detection failures permitted before an AR automatically switches the link. |
| | Priority of detection packets | 7 | Yes | Priority in the IP header of a Keepalive packet. A larger value indicates a higher priority. |
| Password of User Admin | | test@123 | Yes | The customer needs to provide a secure login password. |
| NTP | Time zone | (UTC+08:00)Beijing,Chongqing,Hong Kong,Urumqi | Yes | The customer needs to provide the IP address of the NTP server, which must be reachable to the controller and CPEs. |
| | NTP client mode | Manual Configuration | | |
| | NTP server IP address | 10.10.1.1 | | |
| | Authentication mode | HMAC-SHA256 | | |
| | Authentication password | ntp123 | | |
| | Authentication key ID | 123456 | | |
| Routing | AS number | 65001 | No | Each tenant uses a unique internal BGP AS number. All sites deployed through iMaster NCE-WAN using the same tenant account belong to this AS. This AS number is used by BGP EVPN routes in the SD-WAN network and cannot be modified. |
| | IPv4 Dual-Gateway Interconnection Protocol | OSPF | - | - |
| IP Pool | IPv4 Pool | 172.172.0.0/16 | No | You can configure one or more IP address pools. IP addresses in the IP address pools are automatically divided into multiple segments, which can be used by the following interfaces: loopback interfaces of CPEs; interfaces of interworking tunnels; interfaces of interlinks; tunnel interfaces. An IP address pool can be modified after it is created, but cannot be modified after being referenced by a site. If all IP addresses in an IP address pool have been allocated, you can create another IP address pool. |
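
The reasoning in the Link Failure Detection remarks of Table 5-13 can be checked with a small simulation. The Python below is an added example, not Huawei code or measured device behavior: it assumes a link is declared down once the configured number of consecutive keepalives is lost and that probing pauses for the roughly 1 minute re-establishment the remarks cite; the congestion trace is constructed.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Table 5-13 remarks: about 1 minute passes between the EVPN Down alarm
# and the moment the EVPN tunnel is re-established.
REESTABLISH_MS = 60_000


@dataclass(frozen=True)
class DetectionProfile:
    name: str
    interval_ms: int    # "Detection packet sending interval (ms)"
    max_failures: int   # "Number of failed detections"

    def validate(self) -> None:
        # Table 5-13: integer from 10 to 10000 ms, and a multiple of 10.
        if not 10 <= self.interval_ms <= 10000 or self.interval_ms % 10:
            raise ValueError(f"{self.name}: interval must be 10..10000 ms in steps of 10")
        if self.max_failures < 1:
            raise ValueError(f"{self.name}: failure count must be at least 1")

    def guaranteed_trip_ms(self) -> int:
        """Continuous loss lasting at least this long always reaches the failure count."""
        return self.interval_ms * self.max_failures


DEFAULT = DetectionProfile("default", 1000, 6)           # defaults named in the remarks
RECOMMENDED = DetectionProfile("recommended", 2000, 10)  # values from the data plan

# Constructed trace: (start_ms, duration_ms) windows in which every keepalive is lost,
# modelling temporary congestion that clears within "several to dozens of seconds".
CONGESTION_BURSTS: List[Tuple[int, int]] = [
    (10_000, 8_000),
    (120_000, 15_000),
    (300_000, 4_000),
    (480_000, 30_000),
]
HORIZON_MS = 600_000


def simulate(profile: DetectionProfile,
             bursts: List[Tuple[int, int]],
             horizon_ms: int) -> List[int]:
    """Return the times (ms) at which the link is declared down."""
    profile.validate()
    alarms: List[int] = []
    consecutive = 0
    t = 0
    while t < horizon_ms:
        lost = any(start <= t < start + length for start, length in bursts)
        consecutive = consecutive + 1 if lost else 0
        if consecutive >= profile.max_failures:  # assumption: trip on reaching the count
            alarms.append(t)
            consecutive = 0
            t += REESTABLISH_MS                  # assumption: no probing while the tunnel rebuilds
        else:
            t += profile.interval_ms
    return alarms


def interruption_ms(profile: DetectionProfile,
                    bursts: List[Tuple[int, int]],
                    horizon_ms: int) -> int:
    """Interruption caused by tunnel re-establishment alone, summed over all alarms."""
    return len(simulate(profile, bursts, horizon_ms)) * REESTABLISH_MS


if __name__ == "__main__":
    for profile in (DEFAULT, RECOMMENDED):
        alarms = simulate(profile, CONGESTION_BURSTS, HORIZON_MS)
        print(f"{profile.name}: trips after {profile.guaranteed_trip_ms()} ms of loss, "
              f"{len(alarms)} EVPN Down alarm(s) at {alarms}, "
              f"{interruption_ms(profile, CONGESTION_BURSTS, HORIZON_MS)} ms re-establishing")
```

On this trace only the 30-second burst outlasts the recommended 20-second window, so three of the four bursts no longer tear the tunnel down.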

5.4.2.2 Devices
Administrators can configure and manage devices at each SD-WAN site only after
they are added to iMaster NCE-WAN.


Table 5-14 Device information


| ESN | Device Name | Device Model | Modifiable or Not After Being Configured | Remarks |
| --- | --- | --- | --- | --- |
| 2102115641DMK8001208 | Hub1_1 | AR6280 | Yes | The device names can be modified. |
| 2102115641DMK8000814 | Hub1_2 | AR6280 | | |
| 2102115640DML7000109 | Hub2_1 | AR6300 | | |
| 2102115640DML7000108 | Hub2_2 | AR6300 | | |
| 2102115641DMK8000027 | Hub3_1 | AR6280 | | |
| 2102115641DMK8000026 | Hub3_2 | AR6280 | | |
| 2102115641DMK8000028 | Hub4_1 | AR6280 | | |
| 2102115641DMK8000029 | Hub4_2 | AR6280 | | |
| 1002352RLG1980099348 | Site1_1 | AR651C | | |
| 1002352RLG1980099349 | Site2_1 | AR651C | | |
| 1002352RLG1980099350 | Site2_2 | AR651C | | |
| 1002352MQU2090144678 | Site3_1 | AR6140-16G4XG | | |

5.4.2.3 Sites and ZTP


To facilitate device management and improve service deployment efficiency, you
can add devices on the same network of the same tenant to the same site.


Table 5-15 Site and ZTP Configuration (1) (The RR function does not need to be enabled for Hub3 and Hub4. Other data plan is similar to that for Hub3 and Hub4 and is not provided here.)

| Parameter | Data | | | | | | | | Modifiable or Not After Being Configured | Remarks |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Site name | Hub1 | Hub1 | Hub1 | Hub1 | Hub2 | Hub2 | Hub2 | Hub2 | Yes | The value can be modified after being set. |
| RR | ON | ON | ON | ON | ON | ON | ON | ON | - | - |
| Gateway | Dual Gateways | Dual Gateways | Dual Gateways | Dual Gateways | Dual Gateways | Dual Gateways | Dual Gateways | Dual Gateways | - | - |
| Device | Hub1_1 | Hub1_1 | Hub1_2 | Hub1_2 | Hub2_1 | Hub2_1 | Hub2_2 | Hub2_2 | - | - |
| Multiple sub-interfaces | OFF | OFF | OFF | OFF | OFF | OFF | OFF | OFF | No | - |
| Advanced mode | OFF | OFF | OFF | OFF | OFF | OFF | OFF | OFF | No | If the WAN links need to be modified subsequently, enable Advanced mode. |
| WAN link template | Hub_Dual_N1g1_N2g2 | Hub_Dual_N1g1_N2g2 | Hub_Dual_N1g1_N2g2 | Hub_Dual_N1g1_N2g2 | Hub_Dual_N1g1_N2g2 | Hub_Dual_N1g1_N2g2 | Hub_Dual_N1g1_N2g2 | Hub_Dual_N1g1_N2g2 | - | - |
| Link name | internet | mpls | internet1 | mpls1 | internet | mpls | internet1 | mpls1 | No | The value cannot be modified after being set. |
| VN instance | underlay_1 | underlay_2 | underlay_3 | underlay_4 | underlay_1 | underlay_2 | underlay_3 | underlay_4 | No | The value cannot be modified after being set. |
| Interface protocol | IPoE | IPoE | IPoE | IPoE | IPoE | IPoE | IPoE | IPoE | - | - |
| IP address access mode | Static | Static | Static | Static | Static | Static | Static | Static | - | - |
| IPv4 address/Subnet mask | 20.1.1.1/24 | 110.1.1.1/24 | 20.1.2.1/24 | 110.1.2.1/24 | 30.1.1.1/24 | 120.1.1.1/24 | 30.1.2.1/24 | 120.1.2.1/24 | No | The value cannot be modified after being set. |
| IPv4 gateway | 20.1.1.2 | 110.1.1.2 | 20.1.2.2 | 110.1.2.2 | 30.1.1.2 | 120.1.1.2 | 30.1.2.2 | 120.1.2.2 | No | The value cannot be modified after being set. |
| Public IP address | 20.1.1.1 | - | 20.1.2.1 | - | 30.1.1.1 | 120.1.1.1 | 30.1.2.1 | 120.1.2.1 | Yes | The value can be modified after being set. The public IP address of an RR's MPLS link does not need to be planned. After iMaster NCE-WAN delivers the configuration, the public IP address of an RR's MPLS link is the value of the parameter IPv4 address. The values of Public IP address and IPv4 address can be different. |
| Uplink bandwidth (Mbit/s) | 1000 | 1000 | 1000 | 1000 | 1000 | 1000 | 1000 | 1000 | - | Set this parameter based on the actual link bandwidth purchased by the customer. |
| Downlink bandwidth (Mbit/s) | 1000 | 1000 | 1000 | 1000 | 1000 | 1000 | 1000 | 1000 | - | Set this parameter based on the actual link bandwidth purchased by the customer. |
| URL-based deployment | ON | ON | ON | ON | ON | ON | ON | ON | No | After the configuration is complete, links configured during deployment cannot be modified and other links can be deleted or added. |
| Southbound interface service | UniSouthIP | UniSouthIP | UniSouthIP | UniSouthIP | UniSouthIP | UniSouthIP | UniSouthIP | UniSouthIP | No | This parameter corresponds to the configured IP address of the iMaster NCE-WAN southbound access service. By default, all WAN links use the default southbound access service. You can also select other customized access services. The value cannot be modified after deployment. |

Table 5-16 Site and ZTP configurations (2)


| Parameter | Data | | | | |
| --- | --- | --- | --- | --- | --- |
| Site name | Site1 | Site1 | Site2 | Site2 | Site3 |
| RR | OFF | OFF | OFF | OFF | OFF |
| Connect to RR | Hub1, Hub2 | Hub1, Hub2 | Hub1, Hub2 | Hub1, Hub2 | Hub1, Hub2 |
| Gateway | Single Gateway | Single Gateway | Dual Gateways | Dual Gateways | Single Gateway |
| Multiple sub-interfaces | OFF | OFF | OFF | OFF | OFF |
| Advanced mode | OFF | OFF | OFF | OFF | OFF |
| Site template | Spoke_Single_N1g1_N2g2 | Spoke_Single_N1g1_N2g2 | Spoke_dual_N1g8_N2g8 | Spoke_dual_N1g8_N2g8 | Spoke_Single_N1g12 |
| Device | Site1_1 | Site1_1 | Site2_1 | Site2_2 | Site3_1 |
| Link name | internet | mpls | internet | mpls | internet |
| VN instance | underlay_1 | underlay_2 | underlay_1 | underlay_2 | underlay_1 |
| Interface protocol | IPoE | IPoE | IPoE | IPoE | IPoE |
| IP address access mode | Static | Static | Static | Static | DHCP |
| IPv4 address/Subnet mask | 40.1.1.1/24 | 130.1.1.1/24 | 50.1.1.1/24 | 140.1.1.1/24 | - |
| IPv4 gateway | 40.1.1.2 | 130.1.1.2 | 50.1.1.2 | 140.1.1.2 | - |
| NAT traversal | ON | OFF | ON | OFF | ON |
| Uplink bandwidth (Mbit/s) | 20 | 20 | 20 | 20 | 20 |
| Downlink bandwidth (Mbit/s) | 100 | 100 | 100 | 100 | 100 |
| URL-based deployment | ON | ON | ON | ON | ON |
| Southbound interface service | UniSouthIP | UniSouthIP | UniSouthIP | UniSouthIP | UniSouthIP |

When adding multiple sites, generally, you need to configure the same gateway
type, the same number of WAN links, and the same transport network for them.
By customizing a link template, you can modularize repeated configuration
information.
You must configure WAN-side physical links before deploying sites. After a site is
configured or activated, you can add or delete WAN-side links.

Table 5-17 Site template for hub sites


| Parameter | | Data | | | |
| --- | --- | --- | --- | --- | --- |
| Template name | | Hub_Dual_N1g1_N2g2 | | | |
| Gateway | | Dual Gateways | | | |
| WAN Link | Name | Device1_internet | Device1_mpls | Device2_internet | Device2_mpls |
| | Device | Device1 | Device1 | Device2 | Device2 |
| | Interface | GE0/0/1 | GE0/0/2 | GE0/0/1 | GE0/0/2 |
| | Overlay Tunnel | ON | ON | ON | ON |
| | Transport Network(Routing Domain) | Internet | MPLS | Internet | MPLS |
| | Role | Active | Active | Active | Active |
| Inter-CPE Link | Use LAN-side L2 interface | OFF | | | |
| | VLAN ID | 1001-1009 | | | |
| | Device1 Interface | GE0/0/8 | GE0/0/8 | | |
| | Device2 Interface | GE0/0/9 | GE0/0/9 | | |

Table 5-18 Site template for spoke sites


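| Parameter | | Data | | | | |
| --- | --- | --- | --- | --- | --- | --- |
| Template name | | Spoke_Single_N1g1_N2g2 | Spoke_Single_N1g1_N2g2 | Spoke_dual_N1g8_N2g8 | Spoke_dual_N1g8_N2g8 | Spoke_Single_N1g12 |
| Gateway | | Single Gateway | Single Gateway | Dual Gateways | Dual Gateways | Single Gateway |
| WAN Link | Name | Device_internet | Device_mpls | Device1_internet | Device2_mpls | Device_internet |
| | Device | Device1 | Device1 | Device1 | Device2 | Device1 |
| | Interface | GE0/0/1 | GE0/0/2 | GE0/0/8 | GE0/0/8 | GE0/0/12 |
| | Overlay Tunnel | ON | ON | ON | ON | ON |
| | Transport Network(Routing Domain) | Internet | MPLS | Internet | MPLS | Internet |
| | Role | Active | Active | Active | Active | Active |
| Inter-CPE Link | Use LAN-side L2 interface | - | - | OFF | OFF | - |
| | VLAN ID | - | - | 1101-1109 | 1101-1109 | - |
| | Device1 Interface | - | - | GE0/0/4 | GE0/0/5 | - |
| | Device2 Interface | - | - | GE0/0/4 | GE0/0/5 | - |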

5.4.2.4 NTP
When an AR router reports performance data, it carries timestamps in packets. If
the time of the AR router is inconsistent with that of iMaster NCE-WAN, the time
in performance data is inconsistent with the actual time. As a result, the site
traffic and quality data cannot be displayed. Therefore, you need to configure NTP
on iMaster NCE-WAN to ensure that the time of devices at sites is the same as
that of iMaster NCE-WAN.

Table 5-19 NTP information about edge sites

| Parameter | Data | Remarks |
| --- | --- | --- |
| Time zone | (UTC+08:00)Beijing,Chongqing,Hong Kong,Urumqi | - |
| NTP authentication | OFF | - |
| NTP client mode | Automatic Synchronization with Parent Node | For hub sites that also function as RR sites, set this parameter to Manual Configuration; for hub sites that do not function as RR sites, set this parameter to Automatic Synchronization with Parent Node or Manual Configuration; for edge sites, set this parameter to Automatic Synchronization with Parent Node. |

5.4.3 Site-to-Site Access

5.4.3.1 VNs
If services of multiple departments (VNs) of an enterprise need to be isolated
from each other, multiple overlay networks need to be constructed through VNs.
In this manner, traffic of different departments is forwarded independently and
departments cannot access each other. This implements secure isolation of
services of different departments on the network forwarding plane.

Table 5-20 Basic information about VNs on the overlay network

| Parameter | Data | Modifiable or Not After Being Configured | Remarks |
| --- | --- | --- | --- |
| Name | VPN1 | Yes | The value is displayed on the controller's GUI. |
| VN instance | VPN1 | No | The VRF instance name will be delivered to devices. |
| IPSec Encryption | ON | - | - |
| Sites | Hub1, Hub2, Hub3, Hub4, Site1, Site2, Site3 | - | - |
| Topology mode | Hub-spoke | Yes | You are advised not to change the value. Changing the value will cause re-orchestration of network-wide routes and interrupt services. |
| Hub sites | Active: Hub1; Standby: Hub2 | - | - |

5.4.3.2 LAN-side Access


To enable site gateways to connect to the LAN, you need to set interconnection
parameters.

Table 5-21 LAN interface information (The data plan for Hub3 and Hub4 is similar to that for Hub1 and Hub2 and is not provided here.)

| Parameter | | Data | | | | | | | | Modifiable or Not After Being Configured | Remarks |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Site | | Hub1 | Hub1 | Hub2 | Hub2 | Site1 | Site2 | Site2 | Site3 | - | - |
| Device | | Hub1_1 | Hub1_2 | Hub2_1 | Hub2_2 | Site1_1 | Site2_1 | Site2_2 | Site3_1 | - | - |
| Gateway interface | | L3 | L3 | L3 | L3 | L3 | L2 | L2 | L2 | - | - |
| VLAN ID | | - | - | - | - | - | 300 | 300 | 200 | Yes | The VLAN ID of the sub-interface cannot be the same as that of the interlink. |
| Interface | | GE0/0/5 | GE0/0/5 | GE0/0/5 | GE0/0/5 | GE0/0/5 | GE0/0/6 | GE0/0/6 | GE0/0/6 | Yes | It is recommended that the interfaces be allocated by the HQ in a unified manner to facilitate preconfiguration of online sites as well as subsequent batch deployment and service cutover. |
| Mode | | - | - | - | - | - | Untag | Untag | Untag | - | - |
| Trust mode | | Trust | Trust | Trust | Trust | Trust | Trust | Trust | Trust | - | - |
| IPv4 address | | 170.1.1.10/30 | 170.1.1.21/30 | 180.1.1.10/30 | 180.1.1.21/30 | 33.1.1.10/24 | 22.1.1.10/24 | 22.1.1.20/24 | 11.1.1.10/24 | - | Interface IP address. |
| VRRP | VRRP ID | - | - | - | - | - | 1 | 1 | - | - | - |
| | Virtual IP | - | - | - | - | - | 22.1.1.1 | 22.1.1.1 | - | - | - |
| | Default Role | - | - | - | - | - | Master | Backup | - | - | - |
| | Preempt Delay (s) | - | - | - | - | - | 0 | 0 | - | - | - |
| DHCP | DHCP type | - | - | - | - | Server | - | - | - | - | - |
| | Server IP | - | - | - | - | - | - | - | - | - | - |
| | Lease time | - | - | - | - | 1 day | - | - | - | - | - |

5.4.3.3 LAN-side Routes


To enable site gateways to communicate with the LAN, you need to configure
overlay LAN routes.


Table 5-22 LAN-side EBGP route information (The data plan for Hub3 and Hub4 is similar to that for Hub1 and is not provided here.)

| Parameter | | Data | | | |
| --- | --- | --- | --- | --- | --- |
| Device | | Hub1_1 | Hub1_2 | Hub2_1 | Hub2_2 |
| Peer IP Address | | 170.1.1.9 | 170.1.1.22 | 180.1.1.9 | 180.1.1.22 |
| Peer AS | | 63001 | 63001 | 63001 | 63001 |
| Local AS | | 65401 | 65401 | 65401 | 65401 |
| Local AS repeated times | | - | - | - | - |
| Max. EBGP hops | | - | - | - | - |
| Keepalive time (seconds) | | 20 | 20 | 20 | 20 |
| Hold time (seconds) | | 60 | 60 | 60 | 60 |
| Session isolation | | OFF | OFF | OFF | OFF |
| Advertise community | | OFF | OFF | OFF | OFF |
| Authentication type | | MD5 Encrypt | MD5 Encrypt | MD5 Encrypt | MD5 Encrypt |
| MD5 encryption | | ******** | ******** | ******** | ******** |
| Routing Policy | Export | ON | ON | ON | ON |
| | Type | IP-prefix | IP-prefix | IP-prefix | IP-prefix |
| | IP Address/Mask | 172.172.0.0/16 | 172.172.0.0/16 | 172.172.0.0/16 | 172.172.0.0/16 |
| | Greater-equal | 16 | 16 | 16 | 16 |
| | Less-equal | 32 | 32 | 32 | 32 |
| | Apply Filter Type | Blacklist | Blacklist | Blacklist | Blacklist |
| | Import | OFF | OFF | OFF | OFF |
| Advanced Settings | External preference | 30 | 30 | 30 | 30 |
| | Default route redistribution | OFF | OFF | OFF | OFF |
| | Route redistribution | Direct, Static, UNR | Direct, Static, UNR | Direct, Static, UNR | Direct, Static, UNR |
| | Summary route | - | - | - | - |

Table 5-23 LAN-side static route information


| Parameter | Data | | |
| --- | --- | --- | --- |
| Site | Site1 | Site2 | Site2 |
| Device | Site1_1 | Site2_1 | Site2_2 |
| Priority | 60 | 60 | 60 |
| Destination Address/Mask | 0.0.0.0/0 | 0.0.0.0/0 | 0.0.0.0/0 |
| Next-hop type | IP address | IP address | IP address |
| IP address | 33.1.1.1 | 22.1.1.1 | 22.1.1.1 |
| Track | ON | ON | ON |
| Target | 33.1.1.1 | 22.1.1.1 | 22.1.1.1 |

Table 5-24 LAN-side OSPF route information (OSPF is not used together with VRRP)

| Parameter | | Data | Remarks |
| --- | --- | --- | --- |
| Device | | Site3_1 | - |
| Process ID | | 1001 | - |
| Router ID | | 11.1.1.10 | It is recommended that this parameter be set to the IP address of an interface. |
| Common Parameter | Default route advertisement | Enable | - |
| | Default route cost | 1 | - |
| | Internal preference | 10 | - |
| | ASE preference | 150 | - |
| Interface Parameter | Area ID | 0 | - |
| | Interface Name | Vlanif300 | - |
| | Authentication Mode | None | - |
| | Hello interval | 10 | - |
| | DR Priority | 0 | - |
| Route Redistribute | Protocol | - | - |
| | Process ID | - | - |
| | Cost | - | - |
| Routing Policy | Export | OFF | - |
| | Import | OFF | - |

5.4.4 Application Management


Table 5-25 Application group of video traffic
| Parameter | | Data |
| --- | --- | --- |
| Name | | test_app_video |
| SA signature database | | SA_H30071000 (6000+) |
| Pre-defined applications | PFI | - |
| | SA | Internet_Conferencing, Media_Sharing, Social_Networks, VoIP, Web_Browsing, Electronic_Business, Online_Media |
| Customized Applications | | - |

5.4.5 Service Experience Optimization

5.4.5.1 ACL Policy on the Overlay Network


To block service packets from LAN-side inbound interfaces of sites, you need to
configure an ACL policy on the overlay network.

Table 5-26 Traffic classifier information

| Parameter | | Data | |
| --- | --- | --- | --- |
| Traffic classifier name | | test_permit_445_inner | test_deny_445_all |
| Operator | | And | And |
| ACL Type | | IPv4 | IPv4 |
| L3 ACL | Priority | 10 | 10 |
| | Destination IP Address | 10.1.0.0/16 | - |
| | Protocol | TCP | TCP |
| | Destination Port | 445-445 | 445-445 |
| Application groups | | - | - |

Table 5-27 Overlay ACL policy information

| Parameter | Data | |
| --- | --- | --- |
| Policy name | test_permit_445_inner | test_deny_445_all |
| Traffic classifier template | test_permit_445_inner | test_deny_445_all |
| Interface | LAN | LAN |
| Policy priority | 10 | 20 |
| Traffic filter | Permit | Deny |
| Traffic direction | Outbound | Outbound |
| Effective time template | - | - |
| Site | Hub1, Hub2, Hub3, Hub4, Site1, Site2, Site3 | Hub1, Hub2, Hub3, Hub4, Site1, Site2, Site3 |
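
How the two overlay ACL policies in Tables 5-26 and 5-27 combine can be shown with a short evaluator. This Python is an added example, not iMaster NCE-WAN code: it assumes the policy with the smaller priority value is matched first and that unmatched traffic is permitted, and the sample packets are constructed. It also reports a policy that can never take effect because an earlier policy with a different action covers everything it matches.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AclPolicy:
    name: str
    priority: int                 # assumption: smaller value is matched first
    action: str                   # "permit" or "deny" (Traffic filter in Table 5-27)
    protocol: str                 # lower-case protocol name
    dst_ports: Tuple[int, int]    # inclusive range, e.g. (445, 445)
    dst_net: Optional[ipaddress.IPv4Network]  # None means any destination

    def matches(self, protocol: str, dst_ip: str, dst_port: int) -> bool:
        if protocol.lower() != self.protocol:
            return False
        low, high = self.dst_ports
        if not low <= dst_port <= high:
            return False
        return self.dst_net is None or ipaddress.ip_address(dst_ip) in self.dst_net

    def covers(self, other: "AclPolicy") -> bool:
        """True when every packet that matches `other` also matches this policy."""
        if self.protocol != other.protocol:
            return False
        if not (self.dst_ports[0] <= other.dst_ports[0]
                and other.dst_ports[1] <= self.dst_ports[1]):
            return False
        if self.dst_net is None:
            return True
        return other.dst_net is not None and other.dst_net.subnet_of(self.dst_net)


def evaluate(policies: List[AclPolicy], protocol: str, dst_ip: str,
             dst_port: int, default: str = "permit") -> Tuple[str, str]:
    """Return (action, name of the deciding policy) under first-match semantics."""
    for policy in sorted(policies, key=lambda p: p.priority):
        if policy.matches(protocol, dst_ip, dst_port):
            return policy.action, policy.name
    return default, "default"     # assumption: no match means the packet is forwarded


def shadowed(policies: List[AclPolicy]) -> List[Tuple[str, str]]:
    """Return (shadowed policy, shadowing policy) pairs with conflicting actions."""
    ordered = sorted(policies, key=lambda p: p.priority)
    findings = []
    for index, later in enumerate(ordered):
        for earlier in ordered[:index]:
            if earlier.action != later.action and earlier.covers(later):
                findings.append((later.name, earlier.name))
                break
    return findings


# Values from Tables 5-26 and 5-27.
PERMIT_INNER = AclPolicy("test_permit_445_inner", 10, "permit", "tcp",
                         (445, 445), ipaddress.ip_network("10.1.0.0/16"))
DENY_ALL = AclPolicy("test_deny_445_all", 20, "deny", "tcp", (445, 445), None)
PLAN = [PERMIT_INNER, DENY_ALL]

# Constructed misconfiguration: the two policy priorities exchanged.
SWAPPED = [replace(PERMIT_INNER, priority=20), replace(DENY_ALL, priority=10)]

if __name__ == "__main__":
    # Constructed sample packets: (protocol, destination IP, destination port).
    samples = [("tcp", "10.1.5.20", 445), ("tcp", "135.1.1.7", 445), ("tcp", "135.1.1.7", 443)]
    for label, policies in (("plan", PLAN), ("swapped", SWAPPED)):
        for protocol, dst_ip, dst_port in samples:
            print(label, dst_ip, dst_port, evaluate(policies, protocol, dst_ip, dst_port))
        print(label, "shadowed:", shadowed(policies))
```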

5.4.5.2 QoS Policy


To limit the bandwidth of applications or traffic, you need to configure a QoS
policy.

A traffic classifier defines a group of traffic matching rules to classify packets. This
ensures that a device identically processes packets matching the same traffic
classifier.

Table 5-28 Traffic classifier information

| Parameter | Data |
| --- | --- |
| Traffic classifier name | test_traffic_video |
| Operator | And |
| ACL Type | IPv4 |
| L3 ACL | - |
| Application groups | test_app_video |

You need to create policy behavior templates, including the redirection and QoS
policy templates. QoS policy templates are classified into WAN policy behavior
templates and LAN policy behavior templates on different interfaces based on
their functions.

Table 5-29 Policy behavior template information

| Parameter | | Data |
| --- | --- | --- |
| Policy behavior name | | test_behavior_video |
| Behavior type | | QoS |
| Type | | WAN |
| Traffic Direction | | Outbound |
| Queue priority | | OFF |
| Bandwidth limit | Limit type | CAR |
| | Limit bandwidth | Value: 10 Mbps |
| Re-mark DSCP | | OFF |
| Queue length | | OFF |
| Re-mark 8021P | | OFF |
| Enable Statistic | | ON |
| Enable Remark Mpls Exp | | OFF |

To limit the bandwidth of applications or traffic, you need to configure a QoS
policy.

Table 5-30 QoS policy information

| Parameter | Data |
| --- | --- |
| VN/VPN QoS Group | VPN1 |
| Policy name | test_qos_video |
| Traffic Direction | Outbound |
| Policy priority | 10 |
| Traffic classifier template | test_traffic_video |
| WAN policy behavior template | test_behavior_video |
| Site | Site1, Site2, Site3 |

5.4.5.3 Intelligent Traffic Steering


If multiple types of service packets are transmitted on the same link, traffic of
high-priority applications is preferentially processed in the case of congestion,
ensuring user experience of high-priority applications. In this case, application
priority-based traffic steering can be used.

Table 5-31 Traffic classifier information

| Parameter | | Data |
| --- | --- | --- |
| Traffic classifier name | | test_traffic_ip_dest |
| Operator | | And |
| ACL Type | | IPv4 |
| L3 ACL | Priority | 10 |
| | Type | Subnet Mask |
| | Destination IP Address | 135.1.1.0/24 |
| Application groups | | - |

Table 5-32 Intelligent traffic steering policy information.


| Parameter | | Data | Remarks |
| --- | --- | --- | --- |
| VN/VPN QoS Group | | VPN1 | - |
| Policy name | | test_spr_internet | - |
| Traffic classifier template | | test_traffic_ip_dest | - |
| Policy priority | | 10 | - |
| Switchover condition | | Bulk Data | - |
| Switchover condition | Delay (ms) | 300 | - |
| | Jitter (ms) | 40 | - |
| | Packet loss rate (‰) | 50 | This parameter indicates the packet loss rate threshold. CAUTION: The unit of the packet loss rate is ‰. |
| Transport Network Priority | Primary transport network list | Transport Network: Internet; Priority: 1. Transport Network: MPLS; Priority: 2 | - |
| | Secondary transport network | - | - |
| Traffic behavior | Inter-TN Policy | Preference | - |
| | Packet duplication | OFF | - |
| | Action when conditions not met | Optimal link | - |
| | Switchover mode | Pre-emptive | - |
| Site | | Hub1, Site1 | - |

5.4.5.4 Site-to-Internet Access


Sites can access the Internet through the hub site. Hub1 is the active gateway.

Table 5-33 Site-to-Internet access information

| Parameter | | Data | |
| --- | --- | --- | --- |
| VN/VPN QoS Group | | VPN1 | |
| Centralized Internet access | Area | ALL | |
| | Active Internet GW | Hub1 | |
| | Standby Internet GW | Hub2 | |
| Local Internet access | Site Name | Hub1 | Hub2 |
| | Policy | All | All |
| | Traffic Classifier Template | - | - |
| | Link Priority | Internet1: 1; Internet2: 1 | Internet1: 1; Internet2: 1 |
| | NAT | ON | ON |

5.4.5.5 Site-to-Legacy Site Access


SD-WAN sites communicate with legacy sites in local access mode.

Table 5-34 Inter-site access information

| Parameter | | Data | |
| --- | --- | --- | --- |
| VN/VPN QoS Group | | VPN1 | |
| Local access | Site Name | Site1 | Site2 |
| | IGW | OFF | OFF |
| | Link Priority | MPLS: 1 | MPLS: 1 |

5.5 Deployment Guide


This document uses SD-WAN V100R020C10 as an example.

5.5.1 Deployment Process

Table 5-35 Deployment process

| Deployment Task | Subtask |
| --- | --- |
| Software installation | 5.5.2 Software Installation |
| iMaster NCE-WAN preconfigurations | 5.5.3.1 System Administrator |
| | 5.5.3.2 MSP Administrator |
| | 5.5.3.3 Tenant Administrator |
| | 5.5.3.4 Management Plane (Configuring iMaster NCE-WAN Functions) |
| Deployment | 5.5.4.1 Logging In to iMaster NCE-WAN as an MSP Administrator and Entering the MSP-Managed View |
| | 5.5.4.2 Configuring Network Design Parameters |
| | 5.5.4.3 Adding Devices |
| | 5.5.4.4 Creating Sites |
| | 5.5.4.5 Configuring Site Templates |
| | 5.5.4.6 Creating Physical Interfaces |
| | 5.5.4.7 Configuring Links for Sites to Connect to the WAN |
| | 5.5.4.8 Configuring NTP |
| | 5.5.4.9 Configuring Email-based Deployment |
| | 5.5.4.10 Confirming Deployment Success |
| Site interconnection configurations | 5.5.5.1 Configuring the Underlay Network |
| | 5.5.5.2 Creating an Overlay Network |
| | 5.5.5.3 Verifying the Configuration |
| Application management | 5.5.6.1 Checking Predefined Applications |
| | 5.5.6.2 Creating a Customized Application |
| | 5.5.6.3 Creating an Application Group |
| | 5.5.6.4 Using Applications and Application Groups |
| Service experience optimization policies | 5.5.7.1 Configuring Overlay ACL Policies |
| | 5.5.7.2 Configuring a QoS Policy |
| | 5.5.7.3 Configuring an Intelligent Traffic Steering Policy |
| | 5.5.7.4 Configuring Internet Access Policies for Sites |
| | 5.5.7.5 Configuring a Site-to-Legacy Site Access Policy |
| Network-wide data monitoring | 5.5.8 Network-Wide Data Monitoring |
| O&M and inspection | 5.5.9.1 O&M and Monitoring Configuration |
| | 5.5.9.2 Maintenance and Inspection |

5.5.2 Software Installation


For details about how to install iMaster NCE-WAN, see Software Installation in
the iMaster NCE-WAN Product Documentation.

5.5.3 iMaster NCE-WAN Preconfigurations

5.5.3.1 System Administrator

5.5.3.1.1 Logging In to the System as the System Administrator

Procedure
Step 1 Open a browser. Google Chrome 73 or later is recommended.


Step 2 Enter https://iMaster NCE-WAN server IP address:Port number in the address box,
and press Enter.

Step 3 Ignore the security certificate warning and access the login page.

Step 4 Enter the username and password of the system administrator, and click Log In.

Step 5 Change the password as prompted upon the first login. Skip this step if it is not
your first login.

----End

5.5.3.1.2 Creating an MSP and an MSP Administrator

Data Plan

Table 5-36 MSP administrator information

| Parameter | Data | Modifiable or Not After Being Configured | Remarks |
|---|---|---|---|
| MSP name | mspA | Yes | MSP administrator name, which is displayed on the controller. |
| Account | mspA@test.com | No | Account used by the MSP administrator to log in to the controller. |
| Password creation mode | Manual creation | - | - |
| Initial Password | Changeme_123 | - | - |
| Password | PassA@1234 | Yes | Password used by the MSP administrator to log in to the controller. |

Procedure
Step 1 Log in to iMaster NCE-WAN as the system administrator.

Step 2 Choose MSP Management > MSP Management > MSP Management to access
the MSP management page.

Step 3 Click Create. On the MSP Information page, set MSP name to mspA.

Step 4 Click Next and configure administrator information.


Step 5 Click OK.

----End

5.5.3.1.3 Loading a License

Context
After logging in to the newly deployed controller for the first time, you need to
load the license as the admin user.

Procedure
Step 1 Choose Administration > Administration > License from the main menu.
Step 2 Click Upload License.


Step 3 Click OK. The license is successfully loaded.

----End

5.5.3.1.4 Configuring an Email Server

Context
An email server needs to be configured for new device deployment (through
email-based deployment), tenant password retrieval, and alarm email notification.

Data Plan

Table 5-37 Certificate parameters

| Parameter | Data | Modifiable or Not After Being Configured | Remarks |
|---|---|---|---|
| Certificate alias | 163 Mailbox | Yes | - |
| Certificate format | PEM(.pem/.der/.cer/.crt) | Yes | - |
| Certificate file | 163.cer | Yes | - |

Table 5-38 Email server parameters

| Parameter | Data | Modifiable or Not After Being Configured | Remarks |
|---|---|---|---|
| SMTP address | smtp.163.com | Yes | SMTP address of the mailbox from which emails are sent. The address must be an IP address or in the smtp.mail.com format. |
| Port | 25 | Yes | Port used by the email server to provide the SMTP service for external systems. You can obtain the port number from the email service provider. In most cases, the port number is 25. |
| Encrypted connection type | TLSv1.2 | Yes | Protocol used for encrypted communication between iMaster NCE-WAN and the SMTP server. |
| Certificate file | 163 Mailbox | Yes | - |
| Sender Email | testmail@163.com | Yes | Sender email address, which must have been registered on the email server. During an email test, this address is used as a recipient email address. After the connectivity test succeeds and the configurations are saved, this address is used as the sender email address. |
| Account | testmail | Yes | Account and password of the sender email. |
| Password | testmail | Yes | Account and password of the sender email. |

Procedure
Step 1 Log in to the controller as the system administrator.

Step 2 Import an email server certificate.


1. Contact the email server provider to obtain a certificate file.
2. Choose Administration > Certificate Management > Certificate
Management from the main menu.
3. Choose Service Certificate Management from the navigation pane. On the
Services page, click CampusBaseServiceServerConfigMoudle.
4. Click the Trust Certificate tab, and then click Import. On the displayed page,
enter the certificate information, select the certificate file to be uploaded, and
click Submit.

Step 3 Configure the email server.


1. Choose Administration > Third Party Service > Email Server from the main
menu.
2. Set parameters for connecting to the email server.


Step 4 Click Test to verify the email sending function.


Step 5 After the test is successful, click Save.

----End


5.5.3.1.5 Configuring a File Server

Context
To obtain required system software packages and patches from a third-party file
server to upgrade the system software or install patches on devices through the
controller, you need to configure a file server.

Data Plan

Table 5-39 Data plan


| Parameter | Data | Modifiable or Not After Being Configured | Remarks |
|---|---|---|---|
| Name | File server | Yes | Name of the file server. |
| Protocol | SFTP | Yes | File transmission protocol type. The options are SFTP and HTTPS. |
| Username | root | Yes | User name for accessing the file server. |
| Password | Huawei123 | Yes | Password of the file server. |
| IP Type | IPv4 | Yes | Type of the IP address of the file server. |
| IP address | 192.126.172.15 | Yes | IP address of the file server. |
| Port | 22 | Yes | SFTP or HTTPS port number. |

Procedure
Step 1 Choose Administration > Third Party Service > File Server from the main menu.
Step 2 Click Add and configure a third-party file server.


Step 3 Click OK.

----End

5.5.3.1.6 (Optional) Configuring a Syslog Server

Context
To use a Syslog server (Syslog service module of the NMS) to receive and manage
logs and alarms, you need to configure the Syslog server.

Data Plan

Table 5-40 Data plan

| Parameter | | Data | Modifiable or Not After Being Configured | Remarks |
|---|---|---|---|---|
| Protocol Configuration | Channel ID | Syslog | Yes | Unique ID of the server. |
| | IP address type/Domain name | IPv4 | Yes | IP address type or domain name of the Syslog server. |
| | IP address/Domain name | 10.9.1.1 | Yes | IP address or domain name of the Syslog server, which can be obtained from the primary Syslog server. |
| | Port number | 6514 | Yes | In the Source field in the Syslog.conf file of the primary server, udp(ip()port()) or tcp(ip()port()) is included. Numbers in the brackets to the right of port indicate the port number for receiving logs. |
| | Enable reporting | ON | Yes | - |
| | Communication protocol | TLS | Yes | If TLS is configured on the Syslog server, enable TLS. If UDP is configured on the Syslog server, disable TLS. Before enabling TLS, ensure that the log collection server supports TLS. |
| | Syslog protocol | RFC5424 | Yes | Protocol used to report Syslogs. The options are RFC5424 and RFC3164. |
| | Encoding format | UTF-8 | Yes | UTF-8 and GBK encoding formats are supported. |
| Service Configuration | Data Report Enable Configuration | Enable | Yes | - |
| | Select the type of audit logs to be reported. | Operation Logs, Security Logs, and System Logs | Yes | - |
| | Alarm Report | Enable | Yes | - |
| | Alarm Report | ON | Yes | - |


Procedure
Step 1 Choose Administration > Third Party Service > Syslog Configuration from the
main menu.
Step 2 On the Interconnection Management page, click Add, set interconnection
parameters as planned, enable the data reporting and alarm reporting functions,
and select alarms by severity. You can select all critical alarms or all alarms.

Step 3 Click Check Connectivity at the bottom of the page. If the system displays a
message indicating that the test is successful, the Syslog configuration succeeds.
Then click Confirm.
Step 4 Click Save.

----End
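
The data plan above selects TLS on port 6514 with the RFC5424 format and UTF-8 encoding. The following Python code is an added example, not part of the Huawei documentation: it shows what the receiving Syslog server does with such a stream, splitting RFC 5425 octet-counted frames and parsing each RFC 5424 message. It assumes the sender frames messages per RFC 5425 (the standard TLS transport mapping for syslog); the sample messages, host names and the 8192-octet frame cap are constructed, not actual controller output.

```python
import re
from typing import Dict, Iterator, List, NamedTuple, Tuple

SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")
MAX_FRAME = 8192  # assumed receiver-side cap on a single frame, in octets

# RFC 5424 HEADER: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then the rest
HEADER = re.compile(r"<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) (.*)", re.DOTALL)
# One SD-ELEMENT: [SD-ID name="value" ...]; inside a value, '"', '\' and ']' are escaped
SD_ELEMENT = re.compile(r'\[([^ =\]"]+)((?: [^ =\]"]+="(?:\\.|[^"\\\]])*")*)\]')
SD_PARAM = re.compile(r' ([^ =\]"]+)="((?:\\.|[^"\\\]])*)"')


class SyslogMessage(NamedTuple):
    facility: int
    severity: str
    timestamp: str
    hostname: str
    app_name: str
    procid: str
    msgid: str
    structured_data: Dict[str, Dict[str, str]]
    msg: str


def split_frames(stream: bytes) -> Iterator[bytes]:
    """Yield each SYSLOG-MSG from a complete capture of 'MSG-LEN SP SYSLOG-MSG' frames."""
    pos = 0
    while pos < len(stream):
        sp = stream.find(b" ", pos)
        length_field = stream[pos:sp] if sp != -1 else b""
        # MSG-LEN is a decimal octet count without leading zeros
        if not length_field.isdigit() or length_field.startswith(b"0"):
            raise ValueError("bad MSG-LEN at offset %d" % pos)
        length = int(length_field)
        end = sp + 1 + length
        if length > MAX_FRAME or end > len(stream):
            raise ValueError("oversized or truncated frame at offset %d" % pos)
        yield stream[sp + 1:end]
        pos = end


def parse_structured_data(rest: str) -> Tuple[Dict[str, Dict[str, str]], str]:
    """Parse STRUCTURED-DATA at the start of rest; return (elements, remaining text)."""
    if rest.startswith("-"):  # NILVALUE: no structured data
        return {}, rest[1:]
    elements: Dict[str, Dict[str, str]] = {}
    pos = 0
    while pos < len(rest) and rest[pos] == "[":
        m = SD_ELEMENT.match(rest, pos)
        if m is None:
            raise ValueError("malformed STRUCTURED-DATA")
        elements[m.group(1)] = {
            name: re.sub(r'\\(["\\\]])', r"\1", value)  # undo the three escapes
            for name, value in SD_PARAM.findall(m.group(2))
        }
        pos = m.end()
    if not elements:
        raise ValueError("missing STRUCTURED-DATA")
    return elements, rest[pos:]


def parse_message(raw: bytes, encoding: str = "utf-8") -> SyslogMessage:
    """Parse one RFC 5424 message; encoding matches the 'Encoding format' setting."""
    text = raw.decode(encoding, errors="replace")
    m = HEADER.match(text)
    if m is None or int(m.group(1)) > 191:
        raise ValueError("not an RFC 5424 message")
    prival = int(m.group(1))  # PRI = facility * 8 + severity
    elements, tail = parse_structured_data(m.group(7))
    if tail and not tail.startswith(" "):
        raise ValueError("garbage after STRUCTURED-DATA")
    msg = tail[1:].lstrip("\ufeff")  # a UTF-8 MSG may start with a BOM
    return SyslogMessage(prival // 8, SEVERITIES[prival % 8],
                         *m.group(2, 3, 4, 5, 6), elements, msg)


def parse_stream(stream: bytes) -> List[SyslogMessage]:
    return [parse_message(raw) for raw in split_frames(stream)]


def octet_frame(message: str) -> bytes:
    """Build one RFC 5425 frame; the length counts UTF-8 octets, not characters."""
    body = message.encode("utf-8")
    return str(len(body)).encode("ascii") + b" " + body


# Constructed sample stream (not real controller output)
SAMPLE_STREAM = b"".join(octet_frame(m) for m in (
    '<134>1 2022-06-28T08:15:30Z controller.example audit 1201 LOGIN '
    '[origin ip="192.0.2.10"] user logged in',
    '<131>1 2022-06-28T08:15:31Z controller.example alarm 42 LINKDOWN '
    '[alarm@32473 site="DC\\]1" sev="2"] \ufefflien WAN coup\u00e9',
    '<13>1 2022-06-28T08:15:32Z controller.example system - - - plain text',
))

if __name__ == "__main__":
    for message in parse_stream(SAMPLE_STREAM):
        print(message)
```

A live receiver would buffer a short read and wait for the rest of the frame; this example raises instead because it works on a complete capture.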


5.5.3.1.7 (Optional) Configuring an SNMP Alarm Interface

Context
To report the alarm information collected by the controller to a third-party system,
you need to configure an SNMP alarm interface.

Data Plan

Table 5-41 Data plan


| Parameter | | Data | Modifiable or Not After Being Configured | Remarks |
|---|---|---|---|---|
| Basic Settings | Address for receiving requests | 192.126.172.14 | Yes | IP address used by the SNMP agent to receive requests from the upper-layer NMS. It can be used to communicate with the upper-layer NMS properly. You are advised to use the ER floating IP address. |
| | IP address for sending traps | 192.126.172.14 | Yes | IP address used by the SNMP agent to send traps to the upper-layer NMS. It can be used to communicate with the upper-layer NMS properly. You are advised to use the ER floating IP address. |
| | Port for receiving requests | 9812 | Yes | Port of the SNMP service. It is used to receive requests from the upper-layer NMS. The default value 9812 is recommended. |
| | Port for sending traps | 6666 | Yes | Port for sending traps. The default value 6666 is recommended. |
| SNMP Agent Settings | MIB type | MIB1 | Yes | MIB type for sending traps and Inform notifications to the third-party system. The default value is MIB1. Options: MIB1, MIB2, MIB3. |
| | Alarm reporting interval (ms) | 0 | Yes | Interval for reporting alarms, in milliseconds. The default value is 0. |
| | Time type | UTC time | Yes | Type of the alarm reporting time. The default value is UTC time. Options: UTC time, EMS time, NE system time. |
| | Time format | UTC time in the format of yyyy/MM/dd - HH:mm:ssZ | Yes | Time format of the VB field that identifies alarm time. The options are as follows: UTC time in the format of yyyy/MM/dd - HH:mm:ssZ; Local time without time zone in the format of yyyy/MM/dd - HH:mm:ss; Local time with time zone in the format of yyyy/MM/dd - HH:mm:ss TZ[DST]; UTC time in the format of yyyy-MM-dd HH:mm:ss; Local time in the format of yyyy-MM-dd HH:mm:ss + hh:mm TZ + hh:mm DST; Local time (without a time zone) in the format of yyyy-MM-dd,HH:mm:ss.0 |
| | Maximum length of alarm fields | 4096 | Yes | Maximum length of a character string that is supported in the VB. The default value is 4096. |
| | Query active alarms | Yes | Yes | Whether active alarms are queried. The default value is Yes. Yes: Queries active alarms. No: Queries current alarms. |
| | Alarm encoding format | UTF-8 | Yes | Encoding format for reported alarm traps. The default value is UTF-8. Options: ISO-8859-1, UTF-8, GBK. |
| | Record PDU in logs | No | Yes | Whether the PDU information sent to third-party systems is recorded in run logs. The default value is No. Yes: The PDU information is recorded in logs. No: The PDU information is not recorded in logs. |
| | Filter correlative alarms | No | Yes | Whether correlative alarms can be filtered. The default value is No. Yes: Reports only common alarms and root alarms. No: Reports common alarms, root alarms, and correlative alarms. |
| | Number of cached alarms | 10000 | Yes | Maximum number of alarms in the cache. If this limit is exceeded, alarms will no longer be reported. The default value is 10000. |
| Inform/Trap Settings | Alarm reporting mode | Trap | Yes | The default value is Trap. Inform: Reports alarms through Inform messages. Trap: Reports alarms through traps. |
| SNMPv3 Parameter Settings | Security level | Authenticated and encrypted | Yes | Security level. The options are as follows: Authenticated and encrypted; Authenticated but not encrypted; Not authenticated nor encrypted. The default value is Authenticated and encrypted. |
| | Authentication protocol | SHA2-512 | Yes | Authentication protocol. The default value is SHA2-512. Options: SHA2-512, SHA2-384, SHA2-256, SHA2-224, SHA, MD5. |
| | Encryption protocol | AES-256 | Yes | Encryption protocol for SNMPv3. The default value is AES-256. Options: AES-256, AES-192, AES-128, DES. |
| | RFC specifications | Yes | Yes | Whether the engine ID needs to comply with the specifications of requests for comments (RFC). The default value is Yes. Yes: Converts the engine ID into a value that complies with the RFC specifications to report to the third-party system. No: Directly reports the engine ID to the third-party system. |
| | Engine ID | 192.126.171.14 | Yes | Engine ID, which can be configured as required. It is the unique ID of the SNMP entity. |
| Heartbeat Period Settings | Report heartbeat notifications | Enable | Yes | This parameter is enabled by default. Enable: Heartbeat notifications will be reported. Disable: Heartbeat notifications will not be reported. |
| | Heartbeat period | 60 | Yes | Interval for sending heartbeat notifications, in seconds. The default value is 60. |
| | Heartbeat ID | SNMP Agent | Yes | ID of the heartbeat trap. |
| SNMP NBI Advanced Parameter Settings | Parameter | EmsName | Yes | NMS name. |
| | Value | Huawei/NCE | Yes | The gateway name is set to Huawei/NCE. |
| MIB Alarm Reporting Settings | NEName | Selected | Yes | NE name. |
| | NEType | Selected | Yes | NE type. |
| | ObjectInstance | Selected | Yes | Object instance. |
| | EventType | Selected | Yes | Event type. |
| | EventTime | Selected | Yes | Time when an alarm is generated. |
| | ProbableCause | Selected | Yes | Possible cause of an alarm. |
| | Severity | Selected | Yes | Alarm severity. The options are as follows: 1: critical; 2: major; 3: minor; 4: warning. |
| | EventDetail | Selected | Yes | Alarm details. |
| | AdditionalInfo | Selected | Yes | Additional alarm information. |
| | FaultFlag | Selected | Yes | Alarm category ID. |
| | FaultFunction | Selected | Yes | Alarm type. |
| | DeviceIP | Selected | Yes | Device IP address. |
| | SerialNo | Selected | Yes | Alarm serial number. |
| | ProbableRepair | Selected | Yes | Alarm troubleshooting suggestion. |
| | ResourceIDs | Selected | Yes | Resource ID. |
| | EventName | Selected | Yes | Event name. |
| | ReasonID | Selected | Yes | Alarm cause ID. |
| | FaultID | Selected | Yes | Alarm ID, which is used for identifying alarm categories for NEs of the same type. |
| | DeviceType | Selected | Yes | Device type. |
| | TrailName | Selected | Yes | Name of the trail affected by an alarm. |
| | RootAlarm | Selected | Yes | Root alarm. |
| | GroupID | Selected | Yes | Alarm group ID. |
| | MaintainAlmStatus | Selected | Yes | Engineering alarm status. |
| | RootAlarmSerialNo | Selected | Yes | Root alarm serial number. |
| | ConfirmStatus | Selected | Yes | Alarm acknowledgement status. |
| | RestoreStatus | Selected | Yes | Alarm clearance status. |
| | AdditionalVB1 | Not selected | Yes | Additional alarm information. |
| | AdditionalVB2 | Not selected | Yes | Additional alarm information. |
| | AdditionalVB3 | Not selected | Yes | Additional alarm information. |
| | AdditionalVB4 | Not selected | Yes | Additional alarm information. |
| | AdditionalVB5 | Not selected | Yes | Additional alarm information. |
| | AdditionalVB6 | Not selected | Yes | Additional alarm information. |
| | AdditionalVB7 | Not selected | Yes | Additional alarm information. |
| | AdditionalVB8 | Not selected | Yes | Additional alarm information. |

Procedure
Step 1 Choose Administration > Northbound Interface > SNMP Alarm API from the
main menu.
Step 2 Choose Basic Settings from the navigation pane.
Step 3 On the Basic Settings page, set the IP address and port number, expand
Advanced Settings, and set other parameters based on the data plan.


Step 4 Click Save.

----End

5.5.3.1.8 (Optional) Configuring a Map URL

Context
If the HQ and branches are deployed in different places and there are many
branches, you are advised to configure a map to monitor devices.

Procedure
Step 1 Choose Administration > Third Party Service > Map URL Settings from the main
menu.
Step 2 Click Edit corresponding to the map. In the Edit map URL configuration dialog
box, set API address and Key, and select Instructions for Use.


Step 3 Click OK.

----End

5.5.3.1.9 Enabling or Disabling Default Configurations on iMaster NCE-WAN


To better monitor, operate, maintain, and manage devices, you are advised to
enable or disable default configurations on the service plane of iMaster NCE-WAN.

Enabling Alarm and Log Dump


You can configure iMaster NCE-WAN to dump alarms and logs to a third-party
server.

Step 1 Choose Maintenance > Maintenance > Dump Configuration from the main
menu.
Step 2 Set basic information about the server where alarms and logs will be dumped.


Step 3 Enable alarm dump.

Step 4 Enable log dump.

----End

5.5.3.1.10 (Optional) Configuring a Southbound Access IP Address


In the NAT scenario, tenant devices can connect to iMaster NCE-WAN through
multiple WAN links. Different WAN links correspond to different IP addresses. The
system administrator can configure a southbound access IP address for each WAN
link. When configuring services, MSPs and tenants can select a southbound access
IP address as needed.

NOTE

If multiple southbound access IP addresses are not required or you want to use the default
public IP address of the system in the standard NAT scenario, skip this section.

Data Plan

Table 5-42 Southbound access IP address

| Parameter | Data | Modifiable or Not After Being Configured | Remarks |
|---|---|---|---|
| Service Name | UniSouthIP | Yes | Name of the southbound access IP address service. |
| Primary IP Address | 192.168.10.2 | No. It cannot be modified after being referenced by a site link. | Southbound IP address. |

Procedure
Step 1 Choose Administration > Southbound Interface > Southbound Interface
Configuration from the main menu.
Step 2 Create a southbound access service and enable it.


Step 3 Record the service name, which will be used when you configure ZTP for a tenant
site.

----End

5.5.3.2 MSP Administrator

5.5.3.2.1 Logging In to the System as an MSP Administrator

Procedure
Step 1 Open a browser. Google Chrome 73 or later is recommended.
Step 2 Enter https://iMaster NCE-WAN server IP address:Port number in the address box,
and press Enter.
Step 3 Ignore the security certificate warning and access the login page.
Step 4 Enter the username and password of the MSP administrator, and click Log In.
Step 5 Change the password as prompted upon the first login. Skip this step if it is not
your first login.

----End


5.5.3.2.2 Creating Tenants and Tenant Administrators

Data Plan

Table 5-43 Tenant administrator information

| Parameter | Data 1 | Data 2 | Modifiable or Not After Being Configured | Remarks |
|---|---|---|---|---|
| Tenant name | tenant1 | tenant2 | Yes | Tenant name. |
| Account | tenant1@test.com | tenant2@test.com | No | Account used by the tenant administrator to log in to the controller. |
| Password creation mode | Manual creation | Manual creation | - | - |
| Initial Password | Changeme_123 | Changeme_123 | - | - |
| Password | Pass1@1234 | Pass1@1234 | Yes | Password used by the tenant administrator to log in to the controller. |
| Authorize MSP | Enabled | Enabled | No | If Authorize MSP is disabled for a new tenant administrator, the MSP administrator cannot directly modify the configuration. Instead, the MSP administrator must apply to the tenant administrator for authorization first. |

Procedure
Step 1 Choose Tenant Management > Tenant Management > Tenant Management
from the main menu.


Step 2 Create a tenant named tenant1 and an administrator account.


1. Click Create. On the Tenant Information page, set Tenant name to tenant1.
2. Click Next and configure tenant administrator information.

3. Click OK.
Step 3 Use the same method to create a tenant named tenant2 and an administrator
account.

----End

5.5.3.2.3 Enabling or Disabling Default Configurations on iMaster NCE-WAN


To better monitor, operate, maintain, and manage devices, you are advised to
enable or disable default configurations on the service plane of iMaster NCE-WAN.

Enabling Data Collection (Traffic Statistics on WAN Links)


After this function is enabled, the controller can monitor traffic over inter-site links
at newly created sites in real time.

Step 1 Choose Design > Network Design > Network Settings from the main menu.
Step 2 Click the Collection Configuration tab and enable WAN link traffic.


----End

Enabling Security Access (Preventing CPEs from Accessing Unauthorized Controllers)

After this function is enabled, CPEs can verify whether the controller certificate is
issued by a specified authority and can verify the certificate entity name.

NOTE

This function applies only to devices running V300R019C10 or later.

Step 1 Choose Maintenance > Device Management > Secure Access from the main
menu.

Step 2 Toggle on Prevent CPEs from accessing unauthorized controllers.

----End

Disabling Security Access


Security access involves the following aspects:

● Prevent unauthorized CPEs from accessing the controller: After this
function is enabled, the controller can check whether the device certificate is
valid and whether the entity name in the certificate is the actual ESN of the
device.
NOTE

If the device version is earlier than V300R019C10, you need to disable this function.
Otherwise, the device cannot go online.
● Prevent unauthorized branches from accessing enterprise networks: After
this function is enabled, RRs can check whether the CPE certificate is valid and
whether the ESN in the certificate is in the whitelist.
NOTE

If the device version is earlier than V300R019C10, you need to disable this function.
Otherwise, the device cannot connect to RRs.
● Prevent authorized branches from accessing unauthorized networks: After
this function is enabled, CPEs can check whether the RR certificate is issued by
a specified authority and can check the entity name in the RR certificate.
NOTE

If the RR version is earlier than V300R019C10, you need to disable this function.
Otherwise, all devices connected to the RR cannot access the network.

Step 1 Choose Maintenance > Device Management > Secure Access from the main
menu.
Step 2 Toggle off Prevent unauthorized CPEs from accessing the controller, Prevent
unauthorized branches from accessing enterprise networks, and Prevent
authorized branches from accessing unauthorized networks.

----End

5.5.3.3 Tenant Administrator

5.5.3.3.1 Logging In to the System as a Tenant Administrator

Procedure
Step 1 Open a browser. Google Chrome 73 or later is recommended.
Step 2 Enter https://iMaster NCE-WAN server IP address:Port number in the address box,
and press Enter.
Step 3 Ignore the security certificate warning and access the login page.
Step 4 Enter the username and password of the tenant administrator, and click Log In.
Step 5 Change the password as prompted upon the first login. Skip this step if it is not
your first login.


----End

5.5.3.3.2 Authorizing an MSP to Maintain Tenant Services

Context
After a tenant applies for managed services from an MSP, the MSP can directly
maintain services of this tenant.

Data Plan
For details, see the data plan of Authorize MSP in Table 5-43.

Procedure
Step 1 Log in to the controller as a tenant administrator.
Step 2 Choose Administration > Administration > Tenant Information from the main
menu.
Step 3 Toggle on Authorize MSP, click the By Role tab, grant maintenance permissions
to the MSP, and click Apply.

----End


5.5.3.3.3 Configuring Account and Password Policies

Procedure
Step 1 Choose Administration > Administration > User Policy from the main menu. The
User Policies page is displayed.

Step 2 Set or modify parameters related to account and password policies as required.

----End

5.5.3.3.4 Enabling or Disabling Default Configurations on iMaster NCE-WAN


To better monitor, operate, maintain, and manage devices, you are advised to
enable or disable default configurations on the service plane of iMaster NCE-WAN.

Enabling Data Collection


Step 1 Enable the Smart Application Control (SAC) function. After this function is
enabled, devices can identify applications, collect application-related performance
data, and report the data to the controller.
1. Choose Policy > Application Management > Application Management
from the main menu.
2. Click the SAC Configuration tab, enable Application identification, and
retain the default setting (Disable) for FPI.


NOTE

If FPI is enabled at the headquarters and there are a large number of users, DNS
packet parsing will fail, affecting services.

Step 2 Enable collection of application traffic, application quality, and WAN link traffic
statistics.
● Application traffic: After application traffic statistics collection is enabled, the
controller monitors the application quality trend of new sites.
● Application quality: After application quality statistics collection is enabled,
the controller monitors the application quality trend of new sites.
● WAN link traffic: After WAN link traffic statistics collection is enabled, the
controller monitors the traffic trend of WAN links at new sites.
1. Choose Design > Network Design > Network Settings from the main menu.
2. Click the Collection Configuration tab and enable Application traffic,
Application quality, and WAN link traffic.

Step 3 Enable performance monitoring data collection. After this function is enabled, the
controller can monitor the application traffic, application quality, and WAN link
traffic of devices at the selected sites.
1. Choose Monitoring > Monitor Configuration > Collection Configuration
from the main menu.
2. Click Batch Setting, select all sites, and toggle on Application traffic, WAN
link traffic, and Application quality.


3. Click OK.
----End

Enabling Device Configuration File Backup


You can periodically back up RDB files of devices to the controller. If the devices
fail to register with the controller or the controller fails to deliver configurations to
the devices, you can use the backup RDB files for quick configuration restoration
on these devices.
Step 1 Choose Maintenance > Device Maintenance > Device Config Backup from the
main menu.
Step 2 Toggle on Device configuration file backup, and set the scheduled backup time.

----End

Enabling Security Access (Preventing CPEs from Accessing Unauthorized Controllers)

After this function is enabled, CPEs can verify whether the controller certificate is
issued by a specified authority and can verify the certificate entity name.

NOTE

This function applies only to devices running V300R019C10 or later.


Step 1 Choose Maintenance > Device Management > Secure Access from the main
menu.
Step 2 Toggle on Prevent CPEs from accessing unauthorized controllers.

----End

Disabling Security Access


Security access involves the following aspects:
● Prevent unauthorized CPEs from accessing the controller: After this
function is enabled, the controller can check whether the device certificate is
valid and whether the entity name in the certificate is the actual ESN of the
device.
NOTE

If the device version is earlier than V300R019C10, you need to disable this function.
Otherwise, the device cannot go online.
● Prevent unauthorized branches from accessing enterprise networks: After
this function is enabled, RRs can check whether the CPE certificate is valid and
whether the ESN in the certificate is in the whitelist.
NOTE

If the device version is earlier than V300R019C10, you need to disable this function.
Otherwise, the device cannot connect to RRs.
● Prevent authorized branches from accessing unauthorized networks: After
this function is enabled, CPEs can check whether the RR certificate is issued by
a specified authority and can check the entity name in the RR certificate.
NOTE

If the RR version is earlier than V300R019C10, you need to disable this function.
Otherwise, all devices connected to the RR cannot access the network.

Step 1 Choose Maintenance > Device Management > Secure Access from the main
menu.
Step 2 Toggle off Prevent unauthorized CPEs from accessing the controller, Prevent
unauthorized branches from accessing enterprise networks, and Prevent
authorized branches from accessing unauthorized networks.


----End

5.5.3.4 Management Plane (Configuring iMaster NCE-WAN Functions)


To better monitor, operate, maintain, and manage devices, you are advised to
enable or disable default configurations on the management plane of iMaster
NCE-WAN.

RSA_ENABLE
You can enable RSA and CBC algorithms so that devices can normally upload and
download files.

NOTE

This function needs to be enabled if devices running a version earlier than V300R019C00
are deployed on the network.

Step 1 Choose Product > Software Management > Deploy Product Software from the
main menu.
Step 2 Click More and choose Modify Configuration from the drop-down list box.


Step 3 Enable RSA_ENABLE.

----End
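The version thresholds stated above (V300R019C10 for the three security access checks, V300R019C00 for RSA_ENABLE) decide which controller settings a mixed-version network can keep enabled. The following added example, which is not part of the original guide, works this out for an inventory; the device versions are constructed sample values, and ignoring any suffix after the C field of a version string is an assumption.

```python
import re
from dataclasses import dataclass

# Thresholds quoted from this guide.
SECURE_ACCESS_MIN = "V300R019C10"  # earlier devices/RRs force the checks off
RSA_CBC_MIN = "V300R019C00"        # earlier devices need RSA_ENABLE on the controller

_VRC = re.compile(r"^V(\d+)R(\d+)C(\d+)", re.IGNORECASE)


def parse_version(text):
    """Return (V, R, C) as integers. Anything after the C field is ignored
    (assumption: patch suffixes do not matter for these thresholds)."""
    match = _VRC.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_earlier(version, threshold):
    """True if version sorts before threshold on its V, R and C fields."""
    return parse_version(version) < parse_version(threshold)


@dataclass(frozen=True)
class Device:
    name: str
    version: str
    is_rr: bool = False


def plan_settings(devices):
    """For each setting, return (value it can have, devices that force that value)."""
    legacy = [d.name for d in devices if is_earlier(d.version, SECURE_ACCESS_MIN)]
    legacy_rr = [d.name for d in devices
                 if d.is_rr and is_earlier(d.version, SECURE_ACCESS_MIN)]
    pre_c00 = [d.name for d in devices if is_earlier(d.version, RSA_CBC_MIN)]
    toggles = {
        # Any device earlier than V300R019C10 cannot go online or reach RRs
        # while these two checks are enabled.
        "Prevent unauthorized CPEs from accessing the controller":
            (not legacy, legacy),
        "Prevent unauthorized branches from accessing enterprise networks":
            (not legacy, legacy),
        # Only the RR version matters for this check.
        "Prevent authorized branches from accessing unauthorized networks":
            (not legacy_rr, legacy_rr),
        # Legacy file transfer algorithms are needed only for pre-C00 devices.
        "RSA_ENABLE": (bool(pre_c00), pre_c00),
    }
    return {
        "toggles": toggles,
        # "Prevent CPEs from accessing unauthorized controllers" applies only to
        # devices running V300R019C10 or later, so these devices do not perform it.
        "controller_check_not_applied_to": legacy,
    }


# Constructed inventory: names follow the data plan, versions are sample values.
SAMPLE_INVENTORY = [
    Device("Hub1_1", "V300R019C13", is_rr=True),
    Device("Hub2_1", "V300R019C10SPC200", is_rr=True),
    Device("Site1_1", "V300R019C00"),
    Device("Site3_1", "V300R018C10"),
]

if __name__ == "__main__":
    plan = plan_settings(SAMPLE_INVENTORY)
    for setting, (value, devices) in plan["toggles"].items():
        state = "ON" if value else "OFF"
        reason = f" (forced by {', '.join(devices)})" if devices else ""
        print(f"{setting}: {state}{reason}")
    print("Controller check not applied to:",
          ", ".join(plan["controller_check_not_applied_to"]) or "none")
```

The devices listed against a disabled check are the ones to upgrade before that certificate check can be turned back on.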

Northbound NIC Packet Loss Detection


You can configure northbound NIC packet loss detection, including the detection
times, detection period, and number of detection packets in each detection period.
When the packet loss rate of a node reaches the specified threshold, services on
the node are suspended and switched to other normal nodes to ensure that
controller services can run properly.

Step 1 Choose Maintenance > O&M Management > Monitor from the main menu.
Step 2 Click Risk Threshold Setting on the right and click the HA Settings tab.
Step 3 Configure northbound NIC packet loss detection.


----End

Scheduled Product Data Backup


You can configure periodic product data backup. If the controller service data is
abnormal or the controller cluster recovers after a failure, you can use the backup
data for quick data restoration.
Step 1 On the management plane, choose Backup and Restore > Configuration >
Configure Backup Parameters from the main menu.
Step 2 Click Add Backup Server and configure a backup server.


Step 3 On the management plane, choose Backup and Restore > Configuration >
Configure Scheduled Backup Task from the main menu.
Step 4 Enable scheduled product data backup. This function is enabled by default.

----End

5.5.4 Deployment Configurations

5.5.4.1 Logging In to iMaster NCE-WAN as an MSP Administrator and Entering the MSP-Managed View

Procedure
Step 1 Open a browser. Google Chrome 73 or later is recommended.
Step 2 Enter https://<iMaster NCE-WAN server IP address>:<Port number> in the address box
and press Enter.
Step 3 Log in to the iMaster NCE-WAN home page as an MSP administrator.
Step 4 In the Tenant List, click a tenant name to enter the MSP-managed view for tenant
network maintenance.

----End


5.5.4.2 Configuring Network Design Parameters

Data Plan

Table 5-44 Network design parameters

| Parameter group | Parameter | Data | Modifiable or Not After Being Configured | Remarks |
|---|---|---|---|---|
| - | Select the source of RR | Tenant RR | - | - |
| Transport Network | Transport Network | MPLS / Internet | No | It can be modified only after being created and cannot be modified after being applied to a site. |
| Transport Network | Routing Domain | MPLS / Internet | No | It can be modified only after being created and cannot be modified after being applied to a site. |
| Transport Network | IPSec Encryption | OFF / ON | - | - |
| IPSec Encryption Parameters | Authentication algorithm | SHA2-256 | Yes | Modifying these parameters is allowed but is not recommended. This is because any modification after service provisioning is complete will trigger re-establishment of IPsec tunnels, causing service interruption. |
| IPSec Encryption Parameters | Encryption algorithm | AES256 | | |
| IPSec Encryption Parameters | Life time | 1440 | - | - |
| Device Activation Security Settings | URL encryption key | 123abc | Yes | The customer needs to provide a secure login password. |
| Device Activation Security Settings | URL opening validity period (day) | 7 | - | - |
| Link Failure Detection Parameter Configuration | Detection packet sending interval (ms) | 2000 | Yes | Interval at which the master device of an overlay tunnel sends Keepalive packets. The value is an integer in the range from 10 to 10000, in milliseconds, and must be a multiple of 10. See the note below the table for the recommended values. |
| Link Failure Detection Parameter Configuration | Number of failed detections | 10 | Yes | Number of detection failures permitted before an AR automatically switches the link. |
| Link Failure Detection Parameter Configuration | Priority of detection packets | 7 | Yes | Priority in the IP header of a Keepalive packet. A larger value indicates a higher priority. |
| - | Password of User Admin | test@123 | Yes | The customer needs to provide a secure login password. |
| NTP | Time zone | (UTC+08:00)Beijing,Chongqing,Hong Kong,Urumqi | Yes | The customer needs to provide the IP address of the NTP server, which must be reachable to the controller and CPEs. |
| NTP | NTP client mode | Manual Configuration | | |
| NTP | NTP server IP address | 10.10.1.1 | | |
| NTP | Authentication mode | HMAC-SHA256 | | |
| NTP | Authentication password | ntp123 | | |
| NTP | Authentication key ID | 123456 | | |
| Routing | AS number | 65001 | No | Each tenant uses a unique internal BGP AS number. All sites deployed through iMaster NCE-WAN using the same tenant account belong to this AS. This AS number is used by BGP EVPN routes in the SD-WAN network and cannot be modified. |
| Routing | IPv4 Dual-Gateway Interconnection Protocol | OSPF | - | - |
| IP Pool | IPv4 Pool | 172.172.0.0/16 | No | You can configure one or more IP address pools. IP addresses in the IP address pools are automatically divided into multiple segments, which can be used by the following interfaces: loopback interfaces of CPEs, interfaces of interworking tunnels, interfaces of interlinks, and tunnel interfaces. An IP address pool can be modified after it is created, but cannot be modified after being referenced by a site. If all IP addresses in an IP address pool have been allocated, you can create another IP address pool. |

Note on Detection packet sending interval (ms):

You are advised to set the interval for sending detection packets to 2000 ms and
the number of detection failures to 10 for link connectivity detection. The reasons
for the setting are as follows:

Link detection is periodically performed between gateways at WAN sites of the
same tenant based on the modified detection parameters. Detection packets are
sent at a specified interval. If the number of detection failures exceeds the default
value, the link is considered faulty and the EVPN tunnel is disconnected. In
addition, the EVPN Down alarm (that is, ALM-15795185 hwConnectionDownReport)
is triggered and the EVPN tunnel is reestablished. According to the experience of
multiple sites, it takes about 1 minute from the time when the EVPN Down alarm
is generated to the time when the EVPN tunnel is reestablished.

Most link congestion on the live network is caused by packet loss due to
temporary link congestion. Generally, the link recovers within several to dozens of
seconds. If the default values are used (the detection packet sending interval is
1000 ms and the number of detection failures is 6), the system considers the link
faulty before the link recovers and sends a large number of EVPN Down alarms.
On the live network, this alarm accounts for more than 95% of all alarms. In
addition, frequent EVPN tunnel reestablishment prolongs the service interruption
time. After the recommended values are used, these problems can be effectively
avoided.
Procedure
Step 1 Choose Design > Network Design > Network Settings from the main menu.
Step 2 On the Physical Network tab page, set Select the source of RR to Tenant RR.


Step 3 Retain the system defaults MPLS and Internet for the routing domain and
transport network. No additional configuration is required.

Step 4 Set IPsec encryption parameters.

Set Encryption algorithm. You can also retain the default setting of this
parameter.

Step 5 Perform security configurations for activating devices.

Enable Encryption, and set URL encryption key and URL opening validity
period (day).

Step 6 Set link connectivity detection parameters.


Step 7 Configure the password of the admin user for managed devices.

Step 8 Configure the default NTP server.

Step 9 Click OK.


Step 10 Click Virtual Network. The Virtual Network page is displayed.
Step 11 Configure routing parameters.
You can retain the default settings of AS number and IPv4 Dual-Gateway
Interconnection Protocol.


Step 12 Configure the network scale and IP address pool.

Step 13 Click OK.

----End

5.5.4.3 Adding Devices

Data Plan

Table 5-45 Device information

| ESN | Device Name | Device Model | Modifiable or Not After Being Configured | Remarks |
|---|---|---|---|---|
| 2102115641DMK8001208 | Hub1_1 | AR6280 | Yes | The device names can be modified. |
| 2102115641DMK8000814 | Hub1_2 | AR6280 | | |
| 2102115640DML7000109 | Hub2_1 | AR6300 | | |
| 2102115640DML7000108 | Hub2_2 | AR6300 | | |
| 2102115641DMK8000027 | Hub3_1 | AR6280 | | |
| 2102115641DMK8000026 | Hub3_2 | AR6280 | | |
| 2102115641DMK8000028 | Hub4_1 | AR6280 | | |
| 2102115641DMK8000029 | Hub4_2 | AR6280 | | |
| 1002352RLG1980099348 | Site1_1 | AR651C | | |
| 1002352RLG1980099349 | Site2_1 | AR651C | | |
| 1002352RLG1980099350 | Site2_2 | AR651C | | |
| 1002352MQU2090144678 | Site3_1 | AR6140-16G4XG | | |

Procedure
Step 1 Choose Design > Site Design > Device Management from the main menu. The
Device Management page is displayed.
Step 2 Click Add Device and set Addition Method to Import in batches.
Step 3 Click Template to download the template file.
Step 4 Fill in the template with device information and save the file.
Step 5 Click the folder icon and select the saved template file. Click Upload.
Step 6 Confirm the imported data, select the devices to be added, and click OK.
Step 7 After the devices are added, check the device information in the Result area, as
shown in the following figure.


----End

5.5.4.4 Creating Sites

Data Plan
For details about the data plan for sites, see Table 5-48 and Table 5-49.

Procedure
Step 1 Choose Design > Site Design > Site Management from the main menu.

Step 2 On the Site Management page that is displayed, click Create.

Step 3 Configure site information. In the Add Device area, select previously added
devices and click OK.
1. Create DC sites as edge sites.
a. Information about Hub1

b. Information about Hub2


c. Create Hub3 and Hub4 in the same way as Hub1 and Hub2, but
toggle off RR for Hub3 and Hub4.
2. Create edge sites.
a. Information about Site1

b. Information about Site2


c. Information about Site3

----End

5.5.4.5 Configuring Site Templates

Data Plan

Table 5-46 Site template for hub sites

| Parameter | Data |
|---|---|
| Template name | Hub_Dual_N1g1_N2g2 |
| Gateway | Dual Gateways |

| WAN Link parameter | Data | | | |
|---|---|---|---|---|
| Name | Device1_internet | Device1_mpls | Device2_internet | Device2_mpls |
| Device | Device1 | Device1 | Device2 | Device2 |
| Interface | GE0/0/1 | GE0/0/2 | GE0/0/1 | GE0/0/2 |
| Overlay Tunnel | ON | ON | ON | ON |
| Transport Network(Routing Domain) | Internet | MPLS | Internet | MPLS |
| Role | Active | Active | Active | Active |

| Inter-CPE Link parameter | Data |
|---|---|
| Use LAN-side L2 interface | OFF |
| VLAN ID | 1001-1009 |
| Device1 Interface | GE0/0/8, GE0/0/8 |
| Device2 Interface | GE0/0/9, GE0/0/9 |

Table 5-47 Site template for spoke sites

| Parameter | Data | | | | |
|---|---|---|---|---|---|
| Template name | Spoke_Single_N1g1_N2g2 | Spoke_Single_N1g1_N2g2 | Spoke_dual_N1g8_N2g8 | Spoke_dual_N1g8_N2g8 | Spoke_Single_N1g12 |
| Gateway | Single Gateway | Single Gateway | Dual Gateways | Dual Gateways | Single Gateway |
| WAN Link: Name | Device_internet | Device_mpls | Device1_internet | Device2_mpls | Device_internet |
| WAN Link: Device | Device1 | Device1 | Device1 | Device2 | Device1 |
| WAN Link: Interface | GE0/0/1 | GE0/0/2 | GE0/0/8 | GE0/0/8 | GE0/0/12 |
| WAN Link: Overlay Tunnel | ON | ON | ON | ON | ON |
| WAN Link: Transport Network(Routing Domain) | Internet | MPLS | Internet | MPLS | Internet |
| WAN Link: Role | Active | Active | Active | Active | Active |
| Inter-CPE Link: Use LAN-side L2 interface | - | - | OFF | OFF | - |
| Inter-CPE Link: VLAN ID | - | - | 1101-1109 | 1101-1109 | - |
| Inter-CPE Link: Device1 Interface | - | - | GE0/0/4 | GE0/0/5 | - |
| Inter-CPE Link: Device2 Interface | - | - | GE0/0/4 | GE0/0/5 | - |

Procedure
Step 1 Choose Design > Network Design > Network Template from the main menu.
On the Site Template page, click Create.
Step 2 Set template information and click OK.
1. Create a template for hub sites.
Create site template Hub_Dual_N1g1_N2g2 for Hub1 to Hub4.

2. Create templates for edge sites.


a. Create template Spoke_Single_N1g1_N2g2 for Site1.

b. Create template Spoke_dual_N1g8_N2g8 for Site2.


c. Create template Spoke_Single_N1g12 for Site3.

----End

5.5.4.6 Creating Physical Interfaces

Data Plan
For details about the data plan, see the parameter Interface under WAN Link in
Table 5-46 and Table 5-47.

Procedure
Step 1 Choose Provision > Physical Network > Physical Interface from the main menu.
Select a device from the device list in the left pane. On the Physical Interface
page displayed in the right pane, click Create.

Step 2 Create physical interfaces for each device and click OK.
1. Create physical interfaces for Hub1_1.
Create physical interfaces for Hub1_2 to Hub4_2 and Site1_1 in the same way.

2. Create a physical interface for Site2_1.


3. Create a physical interface for Site3_1.

----End

5.5.4.7 Configuring Links for Sites to Connect to the WAN

Data Plan

Table 5-48 Site and ZTP Configuration (1) (The RR function does not need to be
enabled for Hub3 and Hub4. Other data plan is similar to that for Hub3 and Hub4
and is not provided here.)

| Parameter | Data | | | | | | | | Modifiable or Not After Being Configured | Remarks |
|---|---|---|---|---|---|---|---|---|---|---|
| Site name | Hub1 | Hub1 | Hub1 | Hub1 | Hub2 | Hub2 | Hub2 | Hub2 | Yes | The value can be modified after being set. |
| RR | ON | ON | ON | ON | ON | ON | ON | ON | - | - |
| Gateway | Dual Gateways | Dual Gateways | Dual Gateways | Dual Gateways | Dual Gateways | Dual Gateways | Dual Gateways | Dual Gateways | - | - |
| Device | Hub1_1 | Hub1_1 | Hub1_2 | Hub1_2 | Hub2_1 | Hub2_1 | Hub2_2 | Hub2_2 | - | - |
| Multiple sub-interfaces | OFF | OFF | OFF | OFF | OFF | OFF | OFF | OFF | No | - |
| Advanced mode | OFF | OFF | OFF | OFF | OFF | OFF | OFF | OFF | No | If the WAN links need to be modified subsequently, enable Advanced mode. |
| WAN link template | Hub_Dual_N1g1_N2g2 | Hub_Dual_N1g1_N2g2 | Hub_Dual_N1g1_N2g2 | Hub_Dual_N1g1_N2g2 | Hub_Dual_N1g1_N2g2 | Hub_Dual_N1g1_N2g2 | Hub_Dual_N1g1_N2g2 | Hub_Dual_N1g1_N2g2 | - | - |
| Link name | internet | mpls | internet1 | mpls1 | internet | mpls | internet1 | mpls1 | No | The value cannot be modified after being set. |
| VN instance | underlay_1 | underlay_2 | underlay_3 | underlay_4 | underlay_1 | underlay_2 | underlay_3 | underlay_4 | No | The value cannot be modified after being set. |
| Interface protocol | IPoE | IPoE | IPoE | IPoE | IPoE | IPoE | IPoE | IPoE | - | - |
| IP address access mode | Static | Static | Static | Static | Static | Static | Static | Static | - | - |
| IPv4 address/Subnet mask | 20.1.1.1/24 | 110.1.1.1/24 | 20.1.2.1/24 | 110.1.2.1/24 | 30.1.1.1/24 | 120.1.1.1/24 | 30.1.2.1/24 | 120.1.2.1/24 | No | The value cannot be modified after being set. |
| IPv4 gateway | 20.1.1.2 | 110.1.1.2 | 20.1.2.2 | 110.1.2.2 | 30.1.1.2 | 120.1.1.2 | 30.1.2.2 | 120.1.2.2 | No | The value cannot be modified after being set. |
| Public IP address | 20.1.1.1 | - | 20.1.2.1 | - | 30.1.1.1 | 120.1.1.1 | 30.1.2.1 | 120.1.2.1 | Yes | The value can be modified after being set. The public IP address of an RR's MPLS link does not need to be planned. After iMaster NCE-WAN delivers the configuration, the public IP address of an RR's MPLS link is the value of the parameter IPv4 address. The values of Public IP address and IPv4 address can be different. |
| Uplink bandwidth (Mbit/s) | 1000 | 1000 | 1000 | 1000 | 1000 | 1000 | 1000 | 1000 | - | Set this parameter based on the actual link bandwidth purchased by the customer. |
| Downlink bandwidth (Mbit/s) | 1000 | 1000 | 1000 | 1000 | 1000 | 1000 | 1000 | 1000 | - | Set this parameter based on the actual link bandwidth purchased by the customer. |
| URL-based deployment | ON | ON | ON | ON | ON | ON | ON | ON | No | After the configuration is complete, links configured during deployment cannot be modified and other links can be deleted or added. |
| Southbound interface service | UniSouthIP | UniSouthIP | UniSouthIP | UniSouthIP | UniSouthIP | UniSouthIP | UniSouthIP | UniSouthIP | No | This parameter corresponds to the configured IP address of the iMaster NCE-WAN southbound access service. By default, all WAN links use the default southbound access service. You can also select other customized access services. The value cannot be modified after deployment. |


Table 5-49 Site and ZTP configurations (2)

| Parameter | Data | | | | |
|---|---|---|---|---|---|
| Site name | Site1 | Site1 | Site2 | Site2 | Site3 |
| RR | OFF | OFF | OFF | OFF | OFF |
| Connect to RR | Hub1, Hub2 | Hub1, Hub2 | Hub1, Hub2 | Hub1, Hub2 | Hub1, Hub2 |
| Gateway | Single Gateway | Single Gateway | Dual Gateways | Dual Gateways | Single Gateway |
| Multiple sub-interfaces | OFF | OFF | OFF | OFF | OFF |
| Advanced mode | OFF | OFF | OFF | OFF | OFF |
| Site template | Spoke_Single_N1g1_N2g2 | Spoke_Single_N1g1_N2g2 | Spoke_dual_N1g8_N2g8 | Spoke_dual_N1g8_N2g8 | Spoke_Single_N1g12 |
| Device | Site1_1 | Site1_1 | Site2_1 | Site2_2 | Site3_1 |
| Link name | internet | mpls | internet | mpls | internet |
| VN instance | underlay_1 | underlay_2 | underlay_1 | underlay_2 | underlay_1 |
| Interface protocol | IPoE | IPoE | IPoE | IPoE | IPoE |
| IP address access mode | Static | Static | Static | Static | DHCP |
| IPv4 address/Subnet mask | 40.1.1.1/24 | 130.1.1.1/24 | 50.1.1.1/24 | 140.1.1.1/24 | - |
| IPv4 gateway | 40.1.1.2 | 130.1.1.2 | 50.1.1.2 | 140.1.1.2 | - |
| NAT traversal | ON | OFF | ON | OFF | ON |
| Uplink bandwidth (Mbit/s) | 20 | 20 | 20 | 20 | 20 |
| Downlink bandwidth (Mbit/s) | 100 | 100 | 100 | 100 | 100 |
| URL-based deployment | ON | ON | ON | ON | ON |
| Southbound interface service | UniSouthIP | UniSouthIP | UniSouthIP | UniSouthIP | UniSouthIP |

Procedure
Step 1 Configure WAN links and southbound access services for hub sites.
1. Choose Provision > Physical Network > ZTP from the main menu. The ZTP
page is displayed.
2. Select a site from the site list in the left pane. If the site is deployed through
ZTP for the first time, click Click to Deploy.
Configure the ZTP mode.

NOTE

After Advanced mode is enabled, network parameters of the IPv4 links used for URL-
based deployment can be updated online and the site does not need to be re-
deployed. The device version must be V300R019C13 or later. Otherwise, the advanced
mode does not take effect.
3. Click Select Template and select a created WAN link template.
The following example configures WAN links for Hub1. In this example, the
WAN link template Hub_Dual_N1g1_N2g2 is selected.


4. Click the gear icon in the Operation column of the right pane.
5. In the Set WAN Link dialog box that is displayed, configure all WAN links
and click OK.

CAUTION

Among the links for which URL-based deployment has been enabled, at least
one link must be connected to the network so that the device can register
with iMaster NCE-WAN.

a. Configure WAN links and southbound access services for Hub1.


i. Configure an Internet link and southbound access service for Hub1_1.


ii. Configure an MPLS link and southbound access service for Hub1_1.


iii. Configure an Internet link and southbound access service for Hub1_2.


iv. Configure an MPLS link and southbound access service for Hub1_2.


b. Configure WAN links and southbound access service for Hub2.


i. Configure an Internet link and southbound access service for Hub2_1.


ii. Configure an MPLS link and southbound access service for Hub2_1.


iii. Configure an Internet link and southbound access service for Hub2_2.


iv. Configure an MPLS link and southbound access service for Hub2_2.


c. Configure WAN links and southbound access services for Hub3 and Hub4
in the same way.
Step 2 Configure WAN links and southbound access services for spoke sites.
Configure WAN links and southbound access services for spoke sites in the same
way as for hub sites. Then click OK.
1. Configure WAN links and southbound access services for Site1.
a. Configure an Internet link and southbound access service.


b. Configure an MPLS link and southbound access service.


2. Configure WAN links and southbound access services for Site2.


a. Configure an Internet link and southbound access service.


b. Configure an MPLS link and southbound access service.


3. Configure a WAN link and southbound access service for Site3.

----End


5.5.4.8 Configuring NTP

Data Plan

Table 5-50 NTP information about edge sites

| Parameter | Data | Remarks |
|---|---|---|
| Time zone | (UTC+08:00)Beijing,Chongqing,Hong Kong,Urumqi | - |
| NTP authentication | OFF | - |
| NTP client mode | Automatic Synchronization with Parent Node | For hub sites that also function as RR sites, set this parameter to Manual Configuration; for hub sites that do not function as RR sites, set this parameter to Automatic Synchronization with Parent Node or Manual Configuration; for edge sites, set this parameter to Automatic Synchronization with Parent Node. |

Procedure
Step 1 Choose Provision > Physical Network > ZTP from the main menu.
Step 2 Select a site to be configured and click NTP. The NTP page is displayed. Adjust the
NTP configuration of each link based on the network connectivity and then click
OK.
1. For RR sites (Hub1 and Hub2), set NTP client mode to Manual
Configuration.

2. Configure NTP for hub sites that do not function as RR sites, that is, Hub3 and
Hub4.
For hub sites that do not function as RR sites, set NTP client mode to
Automatic Synchronization with Parent Node or Manual Configuration.
The following example sets NTP client mode to Automatic Synchronization
with Parent Node.

3. For spoke sites (Site1 to Site3), set NTP client mode to Automatic
Synchronization with Parent Node.

----End

5.5.4.9 Configuring Email-based Deployment

Procedure
Step 1 Choose Provision > Physical Network > ZTP from the main menu.
Step 2 Click Send Email. In the dialog box that is displayed, select the site to be
deployed.
Step 3 Enter the recipient email address and CC email addresses, select the created email
template, modify the email content, and click OK.

----End

5.5.4.10 Confirming Deployment Success

Procedure
Step 1 Choose Maintenance > Provisioning Result > Site Configuration Status from
the main menu. Click the Configuration Result tab and select a site.

Step 2 If Success is displayed in the Device Configuration Status column, the site
deployment is successful.
NOTE

After email-based deployment is complete, iMaster NCE-WAN delivers the site
configuration data to CPEs at the site. If the network flaps during the configuration data
delivery, the configuration data delivered to CPEs may be lost. In this case, you are advised
to click Re-deliver if Failed to re-deliver the configuration data to the CPEs.

----End

5.5.5 Site Interconnection Configurations

5.5.5.1 Configuring the Underlay Network

5.5.5.1.1 Configuring WAN Interfaces


WAN interfaces of sites have been specified during WAN link configuration. After
site deployment, you can modify parameter settings of WAN interfaces and set
the Maximum Transmission Unit (MTU) and maximum segment size (MSS) of the
WAN interfaces.

Procedure
Step 1 Choose Provision > Physical Network > Site Configuration from the main menu.
Click the WAN Interface tab.

Step 2 Modify WAN interface configurations based on the actual network situation. You
can also retain the default settings saved during ZTP.

----End

5.5.5.1.2 Configuring Underlay Routes

Data Plan

Table 5-51 WAN-side static route information (1) (The data plan for Hub3 and
Hub4 is similar and not provided here.)

| Parameter | Data | | | | | | | |
|---|---|---|---|---|---|---|---|---|
| Site | Hub1 | Hub1 | Hub1 | Hub1 | Hub2 | Hub2 | Hub2 | Hub2 |
| Device | Hub1_1 | Hub1_1 | Hub1_2 | Hub1_2 | Hub2_1 | Hub2_1 | Hub2_2 | Hub2_2 |
| Priority | 60 | 60 | 60 | 60 | 60 | 60 | 60 | 60 |
| WAN link | internet | mpls | internet1 | mpls1 | internet | mpls | internet1 | mpls1 |
| Destination address/mask | 0.0.0.0/0 | 0.0.0.0/0 | 0.0.0.0/0 | 0.0.0.0/0 | 0.0.0.0/0 | 0.0.0.0/0 | 0.0.0.0/0 | 0.0.0.0/0 |
| Next-hop type | IP address | IP address | IP address | IP address | IP address | IP address | IP address | IP address |
| IP address | 20.1.1.2 | 110.1.1.2 | 20.1.2.2 | 110.1.2.2 | 30.1.1.2 | 120.1.1.2 | 30.1.2.2 | 120.1.2.2 |
| Track | OFF | OFF | OFF | OFF | OFF | OFF | OFF | OFF |

Table 5-52 WAN-side static route information (2)

| Parameter | Data | | | | |
|---|---|---|---|---|---|
| Site | Site1 | Site1 | Site2 | Site2 | Site3 |
| Device | Site1_1 | Site1_1 | Site2_1 | Site2_1 | Site3_1 |
| Priority | 60 | 60 | 60 | 60 | 60 |
| WAN link | internet | mpls | internet | mpls | internet |
| Destination address/mask | 0.0.0.0/0 | 0.0.0.0/0 | 0.0.0.0/0 | 0.0.0.0/0 | 0.0.0.0/0 |
| Next-hop type | IP address | IP address | IP address | IP address | Outbound interface |
| IP address | 130.1.1.2 | 40.1.1.2 | 140.1.1.2 | 50.1.1.2 | - |
| Track | ON | ON | ON | ON | OFF |
| Target | 130.1.1.2 | 40.1.1.2 | 140.1.1.2 | 50.1.1.2 | - |

Procedure
Step 1 Choose Provision > Physical Network > Site Configuration from the main menu.
Select a site from the site list in the left pane and click WAN Route.
Step 2 On the WAN Route tab page, click Click Here to Add Routing Protocol and
select IPv4 Static from the Protocol drop-down list box.
Step 3 On the IPv4 Static tab page, click Create. Complete static route configuration and
click OK.
1. Configure static routes for Hub1.

2. Configure static routes for Hub2.

3. Configure static routes for Hub3 and Hub4 in the same way.
4. Configure static routes for Site1.

5. Configure static routes for Site2.

6. Configure static routes for Site3.

----End

5.5.5.1.3 Configuring Sites to Connect to RR Sites

Procedure
Step 1 Choose Provision > Physical Network > Connect to RR from the main menu.

Step 2 Select an edge site and click Connect. In the Connect dialog box that is displayed,
select the RR site to be connected and click Detect.

Step 3 After the detection is successful, click OK.

Step 4 After the configuration is complete, check the configuration result.

----End

5.5.5.2 Creating an Overlay Network

5.5.5.2.1 Creating VNs (Multi-Department Isolation)

Data Plan

Table 5-53 Basic information about VNs on the overlay network

| Parameter | Data | Modifiable or Not After Being Configured | Remarks |
|---|---|---|---|
| Name | VPN1 | Yes | The value is displayed on the controller's GUI. |
| VN instance | VPN1 | No | The VRF instance name will be delivered to devices. |
| IPSec Encryption | ON | - | - |
| Sites | Hub1, Hub2, Hub3, Hub4, Site1, Site2, Site3 | - | - |
| Topology mode | Hub-spoke | Yes | You are advised not to change the value. Changing the value will cause re-orchestration of network-wide routes and interrupt services. |
| Hub sites | Active: Hub1; Standby: Hub2 | - | - |

Procedure
Step 1 Choose Provision > Virtual Network > Overlay Network from the main menu.
Step 2 On the Virtual Network tab page, click Create.
Step 3 Set the VN name and select the sites to be added to the VN.

Step 4 Click OK.

----End

5.5.5.2.2 Configuring the Overlay Topology

Procedure
Step 1 Choose Provision > Virtual Network > Overlay Network from the main menu.
Step 2 On the Topology tab page, select the VN to be configured.
Step 3 On the Predefine Topology tab page, set Mode and Topology mode.
Step 4 The default topology mode is Full-Mesh. Click Hub-Spoke to switch the topology
mode, and then set hub sites and branch sites.

Step 5 Click OK.

----End

5.5.5.2.3 Creating Overlay LAN Interfaces

Data Plan

Table 5-54 LAN interface information (The data plan for Hub3 and Hub4 is
similar to that for Hub1 and Hub2 and is not provided here.)

| Parameter | Data | | | | | | | | Modifiable or Not After Being Configured | Remarks |
|---|---|---|---|---|---|---|---|---|---|---|
| Site | Hub1 | Hub1 | Hub2 | Hub2 | Site1 | Site2 | Site2 | Site3 | - | - |
| Device | Hub1_1 | Hub1_2 | Hub2_1 | Hub2_2 | Site1_1 | Site2_1 | Site2_2 | Site3_1 | - | - |
| Gateway interface | L3 | L3 | L3 | L3 | L3 | L2 | L2 | L2 | - | - |
| VLAN ID | - | - | - | - | - | 300 | 300 | 200 | Yes | The VLAN ID of the sub-interface cannot be the same as that of the interlink. |
| Interface | GE0/0/5 | GE0/0/5 | GE0/0/5 | GE0/0/5 | GE0/0/5 | GE0/0/6 | GE0/0/6 | GE0/0/6 | Yes | It is recommended that the interfaces be allocated by the HQ in a unified manner to facilitate preconfiguration of online sites as well as subsequent batch deployment and service cutover. |
| Mode | - | - | - | - | - | Untag | Untag | Untag | - | - |
| Trust mode | Trust | Trust | Trust | Trust | Trust | Trust | Trust | Trust | - | - |
| IPv4 address | 170.1.1.10/30 | 170.1.1.21/30 | 180.1.1.10/30 | 180.1.1.21/30 | 33.1.1.10/24 | 22.1.1.10/24 | 22.1.1.20/24 | 11.1.1.10/24 | - | Interface IP address. |
| VRRP: VRRP ID | - | - | - | - | - | 1 | 1 | - | - | - |
| VRRP: Virtual IP | - | - | - | - | - | 22.1.1.1 | 22.1.1.1 | - | - | - |
| VRRP: Default Role | - | - | - | - | - | Master | Backup | - | - | - |
| VRRP: Preempt Delay (s) | - | - | - | - | - | 0 | 0 | - | - | - |
| DHCP: DHCP type | - | - | - | - | Server | - | - | - | - | - |
| DHCP: Server IP | - | - | - | - | - | - | - | - | - | - |
| DHCP: Lease time | - | - | - | - | 1 day | - | - | - | - | - |

Procedure
Ensure that LAN interfaces have been created on physical interfaces. If the
physical interfaces have not been added, add them by referring to 5.5.4.6
Creating Physical Interfaces.

Step 1 Create LAN interfaces for hub sites.


1. Choose Provision > Virtual Network > Overlay Network from the main
menu.
2. Click the Overlay Service tab.
3. Select the VN to be configured, select a site from the site list in the left pane,
and click Create in the window displayed on the right.
4. After the interface configuration is complete, click OK.
a. Create a LAN interface for Hub1_1.

b. Create a LAN interface for Hub1_2.

c. Create a LAN interface for Hub2_1.

d. Create a LAN interface for Hub2_2.

e. Create LAN interfaces of Hub3_1 to Hub4_2 in the same way.


Step 2 Create LAN interfaces for spoke sites.
1. Choose Provision > Virtual Network > Overlay Network from the main
menu.

2. Click the Overlay Service tab.


3. Select the VN to be configured, select a site from the site list in the left pane,
and click Create in the window displayed on the right.
4. After the interface configuration is complete, click OK.
a. Create a LAN interface for Site1_1.

b. Create a LAN interface for Site2_1.

c. Create a LAN interface for Site2_2.

d. Create a LAN interface for Site3_1.

----End

5.5.5.2.4 Configuring Overlay LAN-side Routes

Data Plan

Table 5-55 LAN-side EBGP route information (The data plan for Hub3 and Hub4
is similar to that for Hub1 and is not provided here.)

| Parameter | Data | | | |
|---|---|---|---|---|
| Device | Hub1_1 | Hub1_2 | Hub2_1 | Hub2_2 |
| Peer IP Address | 170.1.1.9 | 170.1.1.22 | 180.1.1.9 | 180.1.1.22 |
| Peer AS | 63001 | 63001 | 63001 | 63001 |
| Local AS | 65401 | 65401 | 65401 | 65401 |
| Local AS repeated times | - | - | - | - |
| Max. EBGP hops | - | - | - | - |
| Keepalive time (seconds) | 20 | 20 | 20 | 20 |
| Hold time (seconds) | 60 | 60 | 60 | 60 |
| Session isolation | OFF | OFF | OFF | OFF |
| Advertise community | OFF | OFF | OFF | OFF |
| Authentication type | MD5 Encrypt | MD5 Encrypt | MD5 Encrypt | MD5 Encrypt |
| MD5 encryption | ******** | ******** | ******** | ******** |
| Routing Policy: Export | ON | ON | ON | ON |
| Routing Policy: Type | IP-prefix | IP-prefix | IP-prefix | IP-prefix |
| Routing Policy: IP Address/Mask | 172.172.0.0/16 | 172.172.0.0/16 | 172.172.0.0/16 | 172.172.0.0/16 |
| Routing Policy: Greater-equal | 16 | 16 | 16 | 16 |
| Routing Policy: Less-equal | 32 | 32 | 32 | 32 |
| Routing Policy: Apply Filter Type | Blacklist | Blacklist | Blacklist | Blacklist |
| Routing Policy: Import | OFF | OFF | OFF | OFF |
| Advanced Settings: External preference | 30 | 30 | 30 | 30 |
| Advanced Settings: Default route redistribution | OFF | OFF | OFF | OFF |
| Advanced Settings: Route redistribution | Direct, Static, UNR | Direct, Static, UNR | Direct, Static, UNR | Direct, Static, UNR |
| Advanced Settings: Summary route | - | - | - | - |

Table 5-56 LAN-side static route information

| Parameter | Data | | |
|---|---|---|---|
| Site | Site1 | Site2 | Site2 |
| Device | Site1_1 | Site2_1 | Site2_2 |
| Priority | 60 | 60 | 60 |
| Destination Address/Mask | 0.0.0.0/0 | 0.0.0.0/0 | 0.0.0.0/0 |
| Next-hop type | IP address | IP address | IP address |
| IP address | 33.1.1.1 | 22.1.1.1 | 22.1.1.1 |
| Track | ON | ON | ON |
| Target | 33.1.1.1 | 22.1.1.1 | 22.1.1.1 |

Table 5-57 LAN-side OSPF route information (OSPF is not used together with
VRRP)

| Parameter | Data | Remarks |
|---|---|---|
| Device | Site3_1 | - |
| Process ID | 1001 | - |
| Router ID | 11.1.1.10 | It is recommended that this parameter be set to the IP address of an interface. |
| Common Parameter: Default route advertisement | Enable | - |
| Common Parameter: Default route cost | 1 | - |
| Common Parameter: Internal preference | 10 | - |
| Common Parameter: ASE preference | 150 | - |
| Interface Parameter: Area ID | 0 | - |
| Interface Parameter: Interface Name | Vlanif300 | - |
| Interface Parameter: Authentication Mode | None | - |
| Interface Parameter: Hello interval | 10 | - |
| Interface Parameter: DR Priority | 0 | - |
| Route Redistribute: Protocol | - | - |
| Route Redistribute: Process ID | - | - |
| Route Redistribute: Cost | - | - |
| Routing Policy: Export | OFF | - |
| Routing Policy: Import | OFF | - |

Procedure
Step 1 Choose Provision > Virtual Network > Overlay Network from the main menu.

Step 2 Click the Overlay Service tab.

Step 3 Select a site, and click LAN Route in the right pane.

Step 4 Click Click Here to Add Routing Protocol and select a routing protocol.

Step 5 On the routing protocol page, click Create.


1. Configure EBGP routes for devices at hub sites. The following example
configures EBGP routes for Hub_1.

2. Configure static routes for Site1 and Site2. The following uses Site1 as an
example.

3. Configure OSPF routes for Site3.

----End

5.5.5.3 Verifying the Configuration

Procedure
Step 1 Check the configuration delivery status.
1. Choose Maintenance > Provisioning Result > Site Configuration Status
from the main menu. Click the Configuration Result tab and select a site.
2. If Success is displayed in the Device Configuration Status column, the
configuration is successful.

NOTE

Only the current device configuration status (success or failure) is displayed, and the
status is displayed after a certain delay.
3. (Optional) Click the Total Site Result Statistics tab to view the device
configuration status of all sites.
Step 2 Check EVPN connections.
1. Choose Design > Site Design > Device Management from the main menu,
select the device to be checked, and click the device name. On the device
management page that is displayed, click the Entry Query tab.
2. Select VPN from the Device Table Item drop-down list box and display evpn
connection from the Command drop-down list box. Modify parameters as
needed in the Command Input text box, and click Execute In Device.
3. In the Table Item Query Result area, check whether the number of EVPN
connections meets the expectation and whether all EVPN connections are up.
Check EVPN connections on each gateway. The following uses Site1_1 as an
example.
Connection ID  Site ID  Source IP   Destination IP  Source TNP  Destination TNP  State
---------------------------------------------------------------------------------------
7              22       130.1.1.1   110.1.1.1       109         89               UP
8              22       40.1.1.1    20.1.1.1        110         90               UP
5              22       130.1.1.1   110.1.2.1       109         87               UP
6              22       40.1.1.1    20.1.2.1        110         88               UP
3              24       40.1.1.1    30.1.2.1        110         104              UP
4              24       130.1.1.1   120.1.2.1       109         103              UP
1              24       130.1.1.1   120.1.1.1       109         105              UP
2              24       40.1.1.1    30.1.1.1        110         106              UP
9              28       40.1.1.1    60.1.2.1        110         118              UP
10             28       130.1.1.1   150.1.2.1       109         117              UP
11             28       130.1.1.1   150.1.1.1       109         119              UP
12             28       40.1.1.1    60.1.1.1        110         120              UP
---------------------------------------------------------------------------------------
Number of connection : 12
Status Codes: *-Diagnose Status

Step 3 Check routing tables of devices.


1. Choose Design > Site Design > Device Management from the main menu,
select the device to be checked, and click the device name. On the device
management page that is displayed, click the Entry Query tab.
2. Select IP Routing from the Device Table Item drop-down list box and
display ip routing-table from the Command drop-down list box. Modify
parameters as needed in the Command Input text box, for example, change
the command to display ip routing-table vpn-instance vpn1, and then click
Execute In Device.
3. In the Table Item Query Result area, check whether the routing table entries
are as expected.
Check LAN-side and WAN-side routes on each gateway. The following uses
Site1_1 as an example.
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Tables: vpn1
         Destinations : 11       Routes : 11

Destination/Mask     Proto   Pre  Cost  Flags  NextHop        Interface

11.1.1.0/24          IBGP    170  0     RD     172.172.0.19   SDWAN
33.1.1.0/24          Direct  0    0     D      33.1.1.10      GE0/0/5
33.1.1.10/32         Direct  0    0     D      127.0.0.1      GE0/0/5
33.1.1.255/32        Direct  0    0     D      127.0.0.1      GE0/0/5
172.172.0.21/32      Direct  0    0     D      127.0.0.1      Tunnel0/0/601
172.172.0.23/32      IBGP    170  20    RD     172.172.0.6    SDWAN
172.172.0.28/32      IBGP    170  10    RD     172.172.0.1    SDWAN
172.172.0.29/32      IBGP    170  10    RD     172.172.0.1    SDWAN
172.172.0.30/32      IBGP    170  0     RD     172.172.0.19   SDWAN
172.172.0.31/32      IBGP    170  30    RD     172.172.0.14   SDWAN
255.255.255.255/32   Direct  0    0     D      127.0.0.1      InLoopBack0

----End
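The EVPN check in Step 2 (connection count as expected, every connection up) can be run against the saved Table Item Query Result text. The following Python is an added example, not Huawei's tooling: the function names, the per-site expectation of four connections (taken from the Site1_1 sample above), and the DOWN state in the failure case are assumptions.

```python
import re
from collections import Counter

# `display evpn connection` output for Site1_1 as shown on this page, with the
# wrapped header and separator lines rejoined.
HEALTHY = """\
Connection ID Site ID Source IP Destination IP Source TNP Destination TNP State
-------------------------------------------------------------------------------
7 22 130.1.1.1 110.1.1.1 109 89 UP
8 22 40.1.1.1 20.1.1.1 110 90 UP
5 22 130.1.1.1 110.1.2.1 109 87 UP
6 22 40.1.1.1 20.1.2.1 110 88 UP
3 24 40.1.1.1 30.1.2.1 110 104 UP
4 24 130.1.1.1 120.1.2.1 109 103 UP
1 24 130.1.1.1 120.1.1.1 109 105 UP
2 24 40.1.1.1 30.1.1.1 110 106 UP
9 28 40.1.1.1 60.1.2.1 110 118 UP
10 28 130.1.1.1 150.1.2.1 109 117 UP
11 28 130.1.1.1 150.1.1.1 109 119 UP
12 28 40.1.1.1 60.1.1.1 110 120 UP
-------------------------------------------------------------------------------
Number of connection : 12
Status Codes: *-Diagnose Status
"""

# Constructed failure case (not from the page): connection 6 is reported with
# an assumed state string DOWN and connection 12 is missing from the table.
DEGRADED = (
    HEALTHY
    .replace("6 22 40.1.1.1 20.1.2.1 110 88 UP", "6 22 40.1.1.1 20.1.2.1 110 88 DOWN")
    .replace("12 28 40.1.1.1 60.1.1.1 110 120 UP\n", "")
    .replace("Number of connection : 12", "Number of connection : 11")
)

# Assumption: each remote site ID should show four connections from Site1_1,
# as in the sample above.
EXPECTED_PER_SITE = {22: 4, 24: 4, 28: 4}

_IP = r"\d{1,3}(?:\.\d{1,3}){3}"
_ROW = re.compile(rf"^\s*(\d+)\s+(\d+)\s+({_IP})\s+({_IP})\s+(\d+)\s+(\d+)\s+(\S+)\s*$")
_FOOTER = re.compile(r"Number of connection\s*:\s*(\d+)")


def parse_evpn_connections(text):
    """Return (rows, reported_count); reported_count is None if the footer is absent."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # header, separator and footer lines
        conn_id, site_id, src, dst, src_tnp, dst_tnp, state = m.groups()
        rows.append({
            "id": int(conn_id), "site_id": int(site_id), "src": src, "dst": dst,
            "src_tnp": int(src_tnp), "dst_tnp": int(dst_tnp), "state": state,
        })
    footer = _FOOTER.search(text)
    return rows, (int(footer.group(1)) if footer else None)


def check_evpn(text, expected_per_site):
    """Return a list of human-readable findings; an empty list means the check passed."""
    rows, reported = parse_evpn_connections(text)
    findings = []
    if reported is None:
        findings.append("footer 'Number of connection' not found; output may be truncated")
    elif reported != len(rows):
        findings.append(f"footer reports {reported} connections but {len(rows)} rows parsed")
    for r in rows:
        if r["state"] != "UP":
            findings.append(
                f"connection {r['id']} to site {r['site_id']} "
                f"({r['src']} -> {r['dst']}) is {r['state']}"
            )
    per_site = Counter(r["site_id"] for r in rows)
    for site_id, want in sorted(expected_per_site.items()):
        got = per_site.get(site_id, 0)
        if got != want:
            findings.append(f"site {site_id}: expected {want} connections, found {got}")
    for site_id in sorted(set(per_site) - set(expected_per_site)):
        findings.append(f"site {site_id}: {per_site[site_id]} unexpected connections")
    return findings


if __name__ == "__main__":
    for label, text in (("healthy", HEALTHY), ("degraded", DEGRADED)):
        print(label, check_evpn(text, EXPECTED_PER_SITE) or "OK")
```
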

5.5.6 Application Management

5.5.6.1 Checking Predefined Applications


iMaster NCE-WAN can identify common predefined applications using the built-in
application signature database. Perform the following operations to view the
applications predefined on iMaster NCE-WAN.

Procedure
Step 1 Choose Policy > Application Management > Application Management from the
main menu.
Step 2 Click the Pre-defined Application tab.
Step 3 In the navigation tree, select an SA signature database, and click a category. All
predefined applications in the category are displayed in the right pane.
NOTE

● Applications in the SA signature databases SA_H30071000 (6000+) or SA_H30071002
  (500+) can be delivered to all devices.
● Predefined applications include two categories: SA and FPI.

----End

5.5.6.2 Creating a Customized Application

Procedure
Step 1 Choose Policy > Application Management > Application Management from the
main menu.
Step 2 Click the Customized Application tab.
Step 3 Click Create to create a customized application.
Step 4 Set Name to a customized application name.

Step 5 Select the application group to which the customized application belongs.
Step 6 Click Create to configure a matching rule for the customized application.

Step 7 Click OK. The matching rule is created.


Step 8 Click OK. The customized application is configured.

----End

5.5.6.3 Creating an Application Group

Data Plan

Table 5-58 Application group of video traffic

| Parameter | Data |
|---|---|
| Name | test_app_video |
| SA signature database | SA_H30071000 (6000+) |
| Pre-defined applications: FPI | - |
| Pre-defined applications: SA | Internet_Conferencing, Media_Sharing, Social_Networks, VoIP, Web_Browsing, Electronic_Business, Online_Media |
| Customized Applications | - |

Procedure
Step 1 Choose Policy > Application Management > Application Management from the
main menu.
Step 2 Click the Application Group tab. Click Create to create an application group.
Step 3 Set the application group name, select the SA signature database SA_H30071000
(6000+), and click Add Pre-defined Applications in the SA area.
Step 4 In the Edit Predefined Applications window that is displayed, search for video in
the Available Applications area and select all the displayed video applications.

Step 5 Click OK.

----End

5.5.6.4 Using Applications and Application Groups

Application-based Monitoring
Application monitoring is based on applications instead of application groups.
After a customized application is created, you can view the customized application
as well as pre-defined applications on the Monitoring > Monitoring >
Application page. However, application groups are not displayed on this page.

Application Group-based Policy


Policies are configured based on application groups instead of applications, and
can be executed based on application identification results. For details, see 5.5.7.2
Configuring a QoS Policy.

5.5.7 Service Experience Optimization Policies

5.5.7.1 Configuring Overlay ACL Policies


To keep internal shared services reachable while securing them against external
access, port 445 must be opened for specified network segments that access shared
services, and external access to port 445 must be denied.

Data Plan

Table 5-59 Traffic classifier information

| Parameter | Data | |
|---|---|---|
| Traffic classifier name | test_permit_445_inner | test_deny_445_all |
| Operator | And | And |
| ACL Type | IPv4 | IPv4 |
| L3 ACL: Priority | 10 | 10 |
| L3 ACL: Destination IP Address | 10.1.0.0/16 | - |
| L3 ACL: Protocol | TCP | TCP |
| L3 ACL: Destination Port | 445-445 | 445-445 |
| Application groups | - | - |

Table 5-60 Overlay ACL policy information

| Parameter | Data | |
|---|---|---|
| Policy name | test_permit_445_inner | test_deny_445_all |
| Traffic classifier template | test_permit_445_inner | test_deny_445_all |
| Interface | LAN | LAN |
| Policy priority | 10 | 20 |
| Traffic filter | Permit | Deny |
| Traffic direction | Outbound | Outbound |
| Effective time template | - | - |
| Site | Hub1, Hub2, Hub3, Hub4, Site1, Site2, Site3 | Hub1, Hub2, Hub3, Hub4, Site1, Site2, Site3 |

Procedure
Step 1 Log in to the controller as a tenant administrator.
Step 2 Create traffic classifiers.
1. Choose Policy > WAN Policy > Policy Template Management from the main
menu.
2. Click the Traffic Classifier Template tab. Click Create to create a traffic
classifier.
3. Create a traffic classifier to identify internal traffic destined for port 445, and
click OK.

4. Create another traffic classifier to identify all traffic destined for port 445, and
click OK.

Step 3 Create ACL policies.


1. Choose Policy > WAN Policy > Traffic Policy from the main menu.
2. Click the Overlay tab. In the VN/VPN QoS Group area, select the VN to be
configured.
If there is only one VN, the system selects the VN by default.
3. Click the ACL tab. On the ACL tab page, click Create to create an ACL policy
to permit internal access to port 445. Then click OK.

4. Click Create to create an ACL policy to deny other external access to port 445.
Then click OK.

5. After the ACL policies are configured, click in the Operation column of
the policy list to apply the two ACL policies to all sites, and click OK.
6. Select the policy to be delivered, click Commit, and then click Commit
Selected.

7. In the Commit window that is displayed, set Effective time to Immediately,
and click OK.

Step 4 Check the policy delivery status.


1. Choose Maintenance > Provisioning Result > Site Configuration Status
from the main menu. Click the Configuration Result tab and select a site.
2. If Success is displayed in the Device Configuration Status column, the policy
deployment is successful.

----End

Verifying Service Deployment


Step 1 Obtain the names of delivered ACL policies.

1. Choose Maintenance > Provisioning Result > Site Configuration Status
from the main menu. Click the Configuration Result tab and select the site
to be checked, for example, Site3.
2. Expand the filter criteria, set Policy type to ACL, and click OK.

3. Click next to a device to expand the feature list. Click For Details
corresponding to ACL in the Operation column to view the ACLs delivered to
this device.

Step 2 Check the ACL policies delivered to a device.


1. Choose Design > Site Design > Device Management from the main menu,
select the device to be checked, and click the device name. On the device
management page that is displayed, click the Entry Query tab.
2. Select ACL from the Device Table Item drop-down list box, enter display acl
acl name acl_1_f3 and display acl acl name acl_1_f5 in the Command
Input text box, and click Execute In Device. The ACL rule information is
displayed as follows:
# Information about the ACL rule acl_1_f3
Advanced ACL acl_1_f3 3998, 1 rule
Acl's step is 5
rule 10 permit tcp vpn-instance vpn1 destination 10.1.0.0 0.0.255.255 destination-port eq 445 // Traffic with the destination IP address 10.1.0.0 and port number 445 is permitted.

# Information about the ACL rule acl_1_f5
Advanced ACL acl_1_f5 3997, 1 rule
Acl's step is 5
rule 10 permit tcp vpn-instance vpn1 destination-port eq 445 // Traffic with the destination port number 445 is permitted.

3. Select Customize from the Device Table Item drop-down list box, enter
display traffic classifier user-defined in the Command Input text box, and
click Execute In Device. The traffic classifier information is displayed as
follows:
User Defined Classifier Information:
Classifier: Permit_1_f3_noapp
Operator: AND
Rule(s) :
if-match acl name acl_1_f3 // Match the ACL rule acl_1_f3.
Classifier: Deny_1_f5_noapp
Operator: AND
Rule(s) :
if-match acl name acl_1_f5 // Match the ACL rule acl_1_f5.

4. Select Customize from the Device Table Item drop-down list box, enter
display traffic policy user-defined in the Command Input text box, and click
Execute In Device. The traffic policy information is displayed as follows:
User Defined Traffic Policy Information:
Policy: mqcinAcl_outbound1 // The traffic policy mqcinAcl_outbound1 permits the traffic matching the ACL rule acl_1_f3 and denies the traffic matching the ACL rule acl_1_f5.
Classifier: Permit_1_f3_noapp
Operator: AND
Behavior: Permit_1_f3_noapp
Precedence: 10
Classifier: Deny_1_f5_noapp
Operator: AND
Behavior: Deny_1_f5_noapp
Deny
Precedence: 20

5. Select Customize from the Device Table Item drop-down list box, enter
display traffic-policy applied-record mqcinAcl_outbound1 in the Command
Input text box, and click Execute In Device. The traffic policy application
information is displayed as follows:
-------------------------------------------------
Policy Name: mqcinAcl_outbound1
Policy Index: 3
Classifier:Permit_1_f3_noapp Behavior:Permit_1_f3_noapp Precedence:10
Classifier:Deny_1_f5_noapp Behavior:Deny_1_f5_noapp Precedence:20
-------------------------------------------------
*interface GigabitEthernet0/0/6 // The traffic policy is applied to the outbound direction of LAN interface GE0/0/6 on Site3_1.
traffic-policy mqcinAcl_outbound1 outbound preprocess
slot 0 : success
-------------------------------------------------
Policy total applied times: 1.

Step 3 Verify the configuration by sending traffic.


1. Verify that port 445 has been enabled for specified network segments to
access shared services.
Use a tester to construct traffic with a destination IP address in 10.1.0.0/16
and destination port number 445, and send the traffic from the LAN side of
any branch. Verify that the device with the IP address in 10.1.0.0/16 can receive
the traffic from the LAN side.
2. Verify that port 445 is disabled for unauthorized external access.
Use a tester to send traffic with the destination IP address on another
network segment (for example, 10.2.0.0/16) and destination port number 445
from the LAN side of any branch. Verify that the device with the IP address
in 10.2.0.0/16 cannot receive the traffic from the LAN side.
If the preceding tests are passed, the policy has been successfully applied.

----End

5.5.7.2 Configuring a QoS Policy


If the customer wants to limit the bandwidth of video traffic to ensure the
transmission of other key service traffic, you can configure a QoS policy.


Data Plan

Table 5-61 Traffic classifier information

Parameter                   Data
Traffic classifier name     test_traffic_video
Operator                    And
ACL Type                    IPv4
L3 ACL                      -
Application groups          test_app_video

Table 5-62 Policy behavior template information

Parameter                   Data
Policy behavior name        test_behavior_video
Behavior type               QoS
Type                        WAN
Traffic Direction           Outbound
Queue priority              OFF
limit bandwidth
  Bandwidth Limit type      CAR
  Limit Value               10 Mbps
Re-mark DSCP                OFF
Queue length                OFF
Re-mark 8021P               OFF
Enable Statistic            ON
Enable Remark Mpls Exp      OFF

Table 5-63 QoS policy information

Parameter                       Data
VN/VPN QoS Group                VPN1
Policy name                     test_qos_video
Traffic Direction               Outbound
Policy priority                 10
Traffic classifier template     test_traffic_video
WAN policy behavior template    test_behavior_video
Site                            Site1, Site2, Site3

Procedure
Step 1 Log in to the controller as a tenant administrator.

Step 2 Enable SAC and create an application group for video traffic that contains all
video applications.
1. Enable SAC. For details, see Step 1.
2. Create an application group for video traffic. For details, see 5.5.6.3 Creating
an Application Group.

Step 3 Configure a traffic classifier.


1. Choose Policy > WAN Policy > Policy Template Management from the main
menu.
2. Click the Traffic Classifier Template tab. Click Create to create a traffic
classifier. Bind the traffic classifier to the created application group to identify
all video traffic.

Step 4 Configure a policy behavior template.


1. Choose Policy > WAN Policy > Policy Template Management from the main
menu.
2. Click the Policy Behavior Template tab. Click Create to create a policy
behavior template and set the outbound traffic bandwidth limit to 10 Mbps.


Step 5 Configure a QoS policy and apply it to Site1, Site2, and Site3.
1. Choose Policy > WAN Policy > Traffic Policy from the main menu.
2. Click the Overlay tab. In the VN/VPN QoS Group area, select the VN for
which you want to configure a QoS policy.
3. Click the QoS tab. Click Create to create a QoS policy, and bind the traffic
classifier and traffic behavior template to the QoS policy to limit the
bandwidth of video traffic.

4. After the QoS policy is configured, click in the Operation column to apply
the QoS policy to Site1, Site2, and Site3, and then click Finish.
5. Select the policy to be delivered, click Commit, and then click Commit
Selected.

6. In the Commit window that is displayed, set Effective time to Immediately,
and click OK.


Step 6 Check the policy delivery status.


1. Choose Maintenance > Provisioning Result > Site Configuration Status
from the main menu. Click the Configuration Result tab and select a site.
2. If Success is displayed in the Device Configuration Status column, the policy
deployment is successful.

----End

Verifying Service Deployment


Step 1 Choose Design > Site Design > Device Management from the main menu, select
the device to be checked, and click the device name. On the device management
page that is displayed, click the Entry Query tab.
Step 2 Select Customize from the Device Table Item drop-down list box, enter display
traffic-policy applied-record in the Command Input text box, and click Execute
In Device. The policy application result is displayed as follows:
# Policy application record on Site3_1
-------------------------------------------------
Policy Name: mqcout_28c
Policy Index: 1
Classifier:overlay1_28c Behavior:overlay1_28c Precedence:1
-------------------------------------------------
*interface GigabitEthernet0/0/3 # GigabitEthernet0/0/3 is the WAN interface that connects Site3_1 to the Internet.
traffic-policy mqcout_28c outbound
slot 0 : success
nest Policy : subqos1
slot 0 : success
-------------------------------------------------

Step 3 Enter display traffic-policy applied-record mqcout_28c in the Command Input
text box and click Execute In Device. View the mqcout_28c policy application
record to check whether the QoS policy is correct.
# Policy application record on Site3_1
-------------------------------------------------
Policy Name: mqcout_28c
Policy Index: 1
Classifier:overlay1_28c Behavior:overlay1_28c Precedence:1
-------------------------------------------------
*interface GigabitEthernet0/0/3
traffic-policy mqcout_28c outbound // The policy is applied to the outbound direction of the WAN interface.
slot 0 : success
nest Policy : subqos1
slot 0 : success
Classifier: overlay1_28c
Operator: OR
Rule(s) :
if-match qos-group 1
Behavior: overlay1_28c
Assured Forwarding:
Bandwidth 100 (%)
Bandwidth 1024000 (Kbps)
Drop Method: Tail
Queue Length: 64 (Packets) 131072 (Bytes)
Nest Policy : subqos1
Classifier: qos_1_ef_1
Operator: AND
Rule(s) :
if-match app-group name test_app_video
Behavior: qos_1_ef_1
General Traffic Shape:
CIR 10240 (Kbps), CBS 256000 (byte)
Queue length 64 (Packets)
Committed Access Rate:
CIR 10240 (Kbps), PIR 0 (Kbps), CBS 1925120 (byte), PBS 3205120 (byte) // The bandwidth limit is 10 Mbps.
Color Mode: color Blind
Conform Action: pass
Yellow Action: pass
Exceed Action: discard
statistic: enable
Behavior: Be
Assured Forwarding:
Bandwidth 1137 (Kbps)

Step 4 Verify the configuration by sending traffic.


1. Verify that video traffic is not rate-limited when the traffic bandwidth is less
than or equal to 10 Mbps.
Use a tester to construct video traffic destined for a LAN-side IP address of
the HQ site and at a rate less than or equal to 10 Mbps. Send the traffic from
the LAN side of any branch site. Verify that the hub site can receive the traffic
from the LAN side.
2. Verify that video traffic at a rate greater than 10 Mbps is rate-limited to 10
Mbps.
Use a tester to construct video traffic destined for a LAN-side IP address of
the HQ site and at a rate greater than 10 Mbps. Send the traffic from the LAN
side of any branch site. Verify that the bandwidth of traffic received by the
HQ site from the LAN side is 10 Mbps and excess traffic is discarded.
If the preceding tests are passed, the policy has been successfully applied.

----End
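
The Committed Access Rate values in the output above decide how the tester streams in Step 4 are treated. The following added example (not part of the Huawei guide or the device software) models them as a single-rate three-color meter per RFC 2697 in color-blind mode. Using PBS as the excess bucket because PIR is 0, starting with full buckets, reading Kbps as 1000 bit/s, and leaving out the General Traffic Shape entry are assumptions.

```python
from fractions import Fraction

# Values copied from the "Committed Access Rate" block of the device output.
CIR_KBPS = 10240       # committed information rate
CBS_BYTES = 1925120    # committed burst size (green bucket)
PBS_BYTES = 3205120    # assumption: acts as the excess (yellow) bucket, PIR is 0


def simulate_car(offered_kbps, seconds, pkt_bytes=1250):
    """Meter a constant-rate stream of fixed-size packets.

    Returns (throughput passed in each one-second window in Kbps,
    number of packets discarded). Kbps is taken as 1000 bit/s.
    """
    pps = offered_kbps * 1000 // (pkt_bytes * 8)       # packets per second
    refill = Fraction(CIR_KBPS * 1000, 8 * pps)        # token bytes per packet gap
    tc, te = Fraction(CBS_BYTES), Fraction(PBS_BYTES)  # both buckets start full
    passed = [0] * seconds
    dropped = 0
    for i in range(pps * seconds):
        tc += refill
        if tc > CBS_BYTES:                 # overflow spills into the excess bucket
            te = min(Fraction(PBS_BYTES), te + tc - CBS_BYTES)
            tc = Fraction(CBS_BYTES)
        if tc >= pkt_bytes:
            tc -= pkt_bytes                # green: Conform Action pass
        elif te >= pkt_bytes:
            te -= pkt_bytes                # yellow: Yellow Action pass
        else:
            dropped += 1                   # red: Exceed Action discard
            continue
        passed[i // pps] += pkt_bytes
    return [b * 8 // 1000 for b in passed], dropped


if __name__ == "__main__":
    for rate in (8000, 20000):
        per_second, lost = simulate_car(rate, 10)
        print(f"offered {rate} Kbps -> per-second Kbps {per_second}, dropped {lost}")
```

In this model a 20 Mbps stream passes unmetered for about four seconds while the two buckets drain, so a rate-limit test should read the received rate after the burst allowance is used up.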

5.5.7.3 Configuring an Intelligent Traffic Steering Policy


The customer requires that traffic destined for specific network segments be
preferentially transmitted over Internet links to ensure network stability and
facilitate centralized traffic statistics collection. You can configure an intelligent
traffic steering policy to meet this requirement.


Data Plan

Table 5-64 Traffic classifier information

Parameter                   Data
Traffic classifier name     test_traffic_ip_dest
Operator                    And
ACL Type                    IPv4
L3 ACL
  Priority                  10
  Type                      Subnet Mask
  Destination IP Address    135.1.1.0/24
Application groups          -

Table 5-65 Intelligent traffic steering policy information

Parameter                           Data                                        Remarks
VN/VPN QoS Group                    VPN1                                        -
Policy name                         test_spr_internet                           -
Traffic classifier template         test_traffic_ip_dest                        -
Policy priority                     10                                          -
Switchover condition                Bulk Data                                   -
  Delay (ms)                        300                                         -
  Jitter (ms)                       40                                          -
  Packet loss rate (‰)              50                                          This parameter indicates the packet loss rate threshold. CAUTION: The unit of the packet loss rate is ‰.
Transport Network Priority
  Primary transport network list    Transport Network: Internet; Priority: 1    -
                                    Transport Network: MPLS; Priority: 2
  Secondary transport network       -                                           -
Traffic behavior
  Inter-TN Policy                   Preference                                  -
  Packet duplication                OFF                                         -
  Action when conditions not met    Optimal link                                -
  Switchover mode                   Pre-emptive                                 -
Site                                Hub1, Site1                                 -

Procedure
Step 1 Log in to the controller as a tenant administrator.
Step 2 Configure a traffic classifier.
1. Choose Policy > WAN Policy > Policy Template Management from the main
menu.
2. Click the Traffic Classifier Template tab. Click Create to create a traffic
classifier to identify traffic destined for specific destination IP addresses.


Step 3 Configure an intelligent traffic steering policy.


1. Choose Policy > WAN Policy > Traffic Policy from the main menu.
2. Click the Overlay tab. In the VN/VPN QoS Group area, select the VN for
which you want to configure an intelligent traffic steering policy.
3. Click the Intelligent Traffic Steering tab. Click Create to configure an
intelligent traffic steering policy, and bind the traffic classifier to it. Set
Priority of the transport network Internet to 1 and Switchover mode to
Pre-emptive.

4. After the intelligent traffic steering policy is configured, click in the
Operation column to apply the intelligent traffic steering policy to Site1 and
Hub1, and click OK.
5. Select the policy to be delivered, click Commit, and then click Commit
Selected.


6. In the Commit window that is displayed, set Effective time to Immediately,
and click OK.

Step 4 Check the policy delivery status.


1. Choose Maintenance > Provisioning Result > Site Configuration Status
from the main menu. Click the Configuration Result tab and select a site.
2. If Success is displayed in the Device Configuration Status column, the policy
deployment is successful.

----End

Verifying Service Deployment


Step 1 Choose Design > Site Design > Device Management from the main menu, select
the device to be checked, and click the device name. On the device management
page that is displayed, click the Entry Query tab.
Step 2 Select SPR from the Device Table Item drop-down list box and display
smart-policy-route spr-index-table all from the Command drop-down list box, and
click Execute In Device. The entry query result is displayed as follows:
# Intelligent traffic steering policy of Site1_1
--------------------------------------------------------------------------------
SPR Index Info:
SiteList:site:132,pri:0,VpnId:0(public),SPRIndex:2,GID:105,VNI:0
IP Mask Info:
IP: 10.1.0.1 Mask: 255.255.255.255
IP: 10.1.0.2 Mask: 255.255.255.255
SPR Index Info:
SiteList:site:132,pri:6,VpnId:4(vpn1),SPRIndex:1,GID:116,VNI:25 // 132 is the site ID of Hub1, and 4 is the VPN ID of vpn1.
IP Mask Info:
IP: 0.0.0.0 Mask: 0.0.0.0
IP: 10.1.0.28 Mask: 255.255.255.255
IP: 10.1.0.29 Mask: 255.255.255.255
IP: 1.2.3.0 Mask: 255.255.255.0
--------------------------------------------------------------------------------

Step 3 Enter display smart-policy-route spr-index-table dest-site 132 vpn-index 4
verbose in the Command Input text box and click Execute In Device. Check
whether the configuration of the intelligent traffic steering policy is correct.
# Detailed information about the intelligent traffic steering policy of Site1_1
--------------------------------------------------------------------------------
SPR Index Info:
SiteList:site:132,pri:6,VpnId:4(vpn1),SPRIndex:1,GID:116,VNI:25
IP Mask Info:
IP: 10.1.0.28 Mask: 255.255.255.255
IP: 10.1.0.29 Mask: 255.255.255.255
IP: 1.2.3.0 Mask: 255.255.255.0
AppPolicy Info:
AppPolicyIndex : 241
localVpnIndex : 4 (vpn1)
Priority : 4087
AppPriority : 1
ScheduleMode: PF # Inter-TN policy: Preference
SwitchOver : true # Switchover mode: Pre-emptive
DefaultAction : prefer
ForwardType : direct-priority
Threshold Info:
Loss : 50 # Packet loss rate: 50‰
Delay : 300 # Delay: 300 ms
Jitter : 40 # Jitter: 40 ms
CMI : 390
UpperBand : -
LowerBand : -
Match Acl Info:
MatchType : OnlyAcl AclName : spr_acl_vpn1_241 # Traffic only needs to match the ACL spr_acl_vpn1_241.
ServiceMap Info:
DualGwCnt : 0 DualGwSel : 0
DualGwBestCon : 0 DualGwLessCon : 0
MasterIndex : - BackupIndex : -
LinkPath Site:132 Info:
MasterLink(1):

ConId : 2 TnId : 43
Index : - Loss : 0
Priority : 8 Delay : 1
Status : Available Jitter : 0
Mode : Master CMI : 1
BandRatio : 0
InBand : 1.00Gbit/s InRate : 4Kbit/s
OutBand : 1.00Gbit/s InUti : 0.00%
UpperBand : - OutRate : 3Kbit/s
LowerBand : - OutUti : 0.00%
AppUpperBand : - AppRate : 0Kbit/s
AppLowerBand : - AppUti : 0.00%
BackupLink(0):
Chosen Path Info:
BestConId :2
LessBestConId : None
----------------------------------------------------------------------------

Step 4 Verify the configuration by sending traffic.


Verify that traffic from Site1 to Hub1 is preferentially transmitted through the
Internet link. Use a tester to construct traffic destined for a LAN-side IP address at
Hub1 and send the traffic from the LAN side of Site1. Check the traffic path. If the
traffic only goes through the Internet link, the policy has been successfully applied.

----End
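
The link choice that the thresholds, transport network priorities and switchover mode of this policy describe, as an added example that is not Huawei's implementation. It assumes a link breaches the condition only when a metric exceeds its threshold, that non-pre-emptive mode keeps the current link while it stays healthy, and that the optimal link is the one with the lowest loss + delay + jitter sum (the sum that matches CMI : 390 in the threshold block of the output above); the measurements are constructed.

```python
from dataclasses import dataclass

# Thresholds from Table 5-65 and the "Threshold Info" block of the output.
MAX_LOSS_PERMILLE = 50    # unit is per mille (‰), not percent
MAX_DELAY_MS = 300
MAX_JITTER_MS = 40


@dataclass
class Link:
    name: str
    priority: int          # 1 = most preferred transport network
    loss_permille: float
    delay_ms: float
    jitter_ms: float


def percent_to_permille(percent):
    """Probe tools usually report loss in percent; the policy expects per mille."""
    return percent * 10


def meets_thresholds(link):
    # Assumption: a metric equal to its threshold still satisfies the condition.
    return (link.loss_permille <= MAX_LOSS_PERMILLE
            and link.delay_ms <= MAX_DELAY_MS
            and link.jitter_ms <= MAX_JITTER_MS)


def cmi(link):
    # Assumption: rank by loss + delay + jitter (50 + 300 + 40 = 390 on this page).
    return link.loss_permille + link.delay_ms + link.jitter_ms


def select_link(links, current=None, preemptive=True):
    """Return the name of the link used for the next probe interval."""
    healthy = [l for l in links if meets_thresholds(l)]
    if not healthy:
        return min(links, key=cmi).name           # "Optimal link" fallback
    if not preemptive and current in {l.name for l in healthy}:
        return current                            # stay put while still healthy
    return min(healthy, key=lambda l: l.priority).name


def replay(samples, preemptive=True):
    current, path = None, []
    for links in samples:
        current = select_link(links, current, preemptive)
        path.append(current)
    return path


# Constructed measurements, one list per probe interval.
SAMPLES = [
    [Link("Internet", 1, 0, 20, 2), Link("MPLS", 2, 0, 8, 1)],   # both healthy
    [Link("Internet", 1, percent_to_permille(6), 20, 2),         # 6 % = 60 ‰, breach
     Link("MPLS", 2, 0, 8, 1)],
    [Link("Internet", 1, percent_to_permille(3), 20, 2),         # 3 % = 30 ‰, recovered
     Link("MPLS", 2, 0, 8, 1)],
    [Link("Internet", 1, 80, 350, 50), Link("MPLS", 2, 60, 310, 45)],  # both breach
]

if __name__ == "__main__":
    print("pre-emptive:    ", replay(SAMPLES, preemptive=True))
    print("non-pre-emptive:", replay(SAMPLES, preemptive=False))
```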

5.5.7.4 Configuring Internet Access Policies for Sites


The customer requires that the Internet access traffic of spoke sites be aggregated
to hub sites and then centrally sent to the Internet, and a firewall be configured
on the WAN side of the hub sites to collect statistics on and manage Internet
access traffic. You can configure a centralized Internet access policy for specified
areas and a local Internet access policy for hub sites to meet such requirements.


Data Plan

Table 5-66 Site-to-Internet access information

Parameter                        Data
VN/VPN QoS Group                 VPN1
Centralized Internet access
  Area                           ALL
  Active Internet GW             Hub1
  Standby Internet GW            Hub2
Local Internet access
  Site Name                      Hub1                          Hub2
  Policy                         All                           All
  Traffic Classifier Template    -                             -
  Link Priority                  Internet1: 1; Internet2: 1    Internet1: 1; Internet2: 1
  NAT                            ON                            ON

Procedure
Step 1 Log in to the controller as a tenant administrator.
Step 2 Configure centralized and local Internet access policies.
1. Choose Policy > WAN Policy > Traffic Policy from the main menu.
2. Click the Overlay tab. In the VN/VPN QoS Group area, select the VN for
which you want to configure Internet access policies.
3. Click the Site-to-Internet tab. In the Centralized Internet access area,
specify Hub1 as Active Internet GW and Hub2 as Standby Internet GW.

4. In the Local Internet access area, select Hub1 and Hub2 for local Internet
access, and click Next.

5. Click in the Operation column to activate the corresponding Internet link,
enable NAT for the Internet link, set Link Priority for different links, and click
Finish.


Step 3 Check the policy delivery status.


1. Choose Maintenance > Provisioning Result > Site Configuration Status
from the main menu. Click the Configuration Result tab and select a site.
2. If Success is displayed in the Device Configuration Status column, the policy
deployment is successful.

----End

Verifying Service Deployment


Step 1 Choose Design > Site Design > Device Management from the main menu, select
the device to be checked, and click the device name. On the device management
page that is displayed, click the Entry Query tab.
Step 2 Select IP Routing from the Device Table Item drop-down list box and display ip
routing-table from the Command drop-down list box, enter display ip
routing-table vpn-instance vpn1 in the Command Input text box, and click Execute In
Device.
Step 3 Check the routing tables of the hub and spoke sites. After Internet access is
enabled for the sites, the default route 0.0.0.0/0 is displayed in the routing table of
vpn1. The next hop of the default route of a spoke site points to the hub site, and
the next hop of the default route of the hub site points to the local Internet access
interface.
# Routing table of Site1_1
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Tables: vpn1
Destinations : 9 Routes : 9

Destination/Mask Proto Pre Cost Flags NextHop Interface

0.0.0.0/0 IBGP 200 60 RD 10.1.0.2 SDWAN // The next hop of the default route points to the hub site.
1.2.3.0/24 IBGP 170 10 RD 10.1.0.1 SDWAN
10.1.0.23/32 Direct 0 0 D 127.0.0.1 Tunnel0/0/601
10.1.0.28/32 IBGP 170 10 RD 10.1.0.1 SDWAN
10.1.0.29/32 IBGP 170 10 RD 10.1.0.1 SDWAN
60.1.1.0/24 Direct 0 0 D 60.1.1.1 GigabitEthernet0/0/2
60.1.1.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/2
60.1.1.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/2
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0

# Routing table of Hub1_1


Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Tables: vpn1
Destinations : 17 Routes : 17

Destination/Mask Proto Pre Cost Flags NextHop Interface

0.0.0.0/0 O_ASE 190 30 D 10.1.0.36 Tunnel0/0/1 // The next hop of the default route points to the local Internet access interface.
1.2.3.0/24 Direct 0 0 D 1.2.3.4 GigabitEthernet0/0/3
1.2.3.4/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/3
1.2.3.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/3
10.1.0.16/30 Direct 0 0 D 10.1.0.17 Vlanif4087
10.1.0.17/32 Direct 0 0 D 127.0.0.1 Vlanif4087
10.1.0.19/32 Direct 0 0 D 127.0.0.1 Vlanif4087
10.1.0.23/32 IBGP 170 0 RD 10.1.0.21 SDWAN
10.1.0.28/32 O_ASE 160 1 D 10.1.0.18 Vlanif4087
10.1.0.29/32 Direct 0 0 D 127.0.0.1 Tunnel0/0/601
10.1.0.32/29 Direct 0 0 D 10.1.0.35 Tunnel0/0/1
10.1.0.33/32 Direct 0 0 D 127.0.0.1 LoopBack101
10.1.0.34/32 Direct 0 0 D 127.0.0.1 LoopBack102
10.1.0.35/32 Direct 0 0 D 127.0.0.1 Tunnel0/0/1
10.1.0.39/32 Direct 0 0 D 127.0.0.1 Tunnel0/0/1
60.1.1.0/24 IBGP 170 0 RD 10.1.0.21 SDWAN
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0

Step 4 Verify Internet access.

Verify that Internet access at spoke and hub sites is successful. Use LAN-side PCs
at the spoke and hub sites to access web pages. If the web pages are opened
normally, the policies have been successfully applied.

----End

5.5.7.5 Configuring a Site-to-Legacy Site Access Policy


When the customer requires that SD-WAN sites can communicate with legacy
sites, you can configure a local inter-site access policy to meet this requirement.

Data Plan

Table 5-67 Inter-site access information

Parameter            Data
VN/VPN QoS Group     VPN1
Local access
  Site Name          Site1      Site2
  IGW                OFF        OFF
  Link Priority      MPLS: 1    MPLS: 1


Procedure
Step 1 Log in to the controller as a tenant administrator.

Step 2 Configure a local inter-site access policy.


1. Choose Policy > WAN Policy > Traffic Policy from the main menu.
2. Click the Overlay tab. In the VN/VPN QoS Group area, select the VN for
which you want to configure a local inter-site access policy.
3. Click the Site-to-Legacy Site tab. In the Local access area, select Site1 and
Site2 that need to access legacy sites and click Next.
4. Set the sites as IGWs or not, and then click Next.

5. Select an outbound interface link, click in the Operation column to
activate the link. Set Link Priority for different links, and click Finish.

Step 3 Check the policy delivery status.


1. Choose Maintenance > Provisioning Result > Site Configuration Status
from the main menu. Click the Configuration Result tab and select a site.
2. If Success is displayed in the Device Configuration Status column, the policy
deployment is successful.

----End


Verifying Service Deployment


Step 1 Choose Design > Site Design > Device Management from the main menu, select
the device to be checked, and click the device name. On the device management
page that is displayed, click the Entry Query tab.

Step 2 Select IP Routing from the Device Table Item drop-down list box and display ip
routing-table from the Command drop-down list box, enter display ip
routing-table vpn-instance vpn1 in the Command Input text box, and click Execute In
Device.

Step 3 Check the routing table. The command output shows that specific routes on the
underlay network have been imported to the overlay network. This indicates that
the policy has been successfully applied.

# Routing table of Site1_1


Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Tables: vpn1
Destinations : 12 Routes : 12

Destination/Mask Proto Pre Cost Flags NextHop Interface

10.1.0.23/32 Direct 0 0 D 127.0.0.1 Tunnel0/0/601
10.1.0.32/29 Direct 0 0 D 10.1.0.35 Tunnel0/0/1
10.1.0.33/32 Direct 0 0 D 127.0.0.1 LoopBack101
10.1.0.34/32 Direct 0 0 D 127.0.0.1 LoopBack102
10.1.0.35/32 Direct 0 0 D 127.0.0.1 Tunnel0/0/1
10.1.0.39/32 Direct 0 0 D 127.0.0.1 Tunnel0/0/1
59.20.1.6/32 O_ASE 190 30 D 10.1.0.36 Tunnel0/0/1
60.1.1.0/24 Direct 0 0 D 60.1.1.1 GigabitEthernet0/0/2
60.1.1.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/2
60.1.1.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/2
170.10.1.32/30 O_ASE 190 30 D 10.1.0.36 Tunnel0/0/1
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0

Step 4 Verify that SD-WAN sites can communicate with legacy sites.

Ping the LAN-side IP address of a legacy site from the LAN side of Site1 or Site2. If
the ping operation succeeds, the policy has been successfully applied.

----End
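
The routing-table checks in 5.5.7.4 (default route of a spoke pointing to the hub, so that Internet traffic reaches the hub-side firewall) and 5.5.7.5 (legacy prefixes present in vpn1) can be run against saved command output. This is an added example, not Huawei tooling; it assumes that overlay routes show SDWAN in the Interface column as in the outputs on this page, and that 59.20.1.6/32 and 170.10.1.32/30 are the legacy-site prefixes.

```python
import ipaddress

OVERLAY_IFACE = "SDWAN"   # Interface value of overlay routes in this page's output

# Excerpts of the routing tables printed on this page (inline comments removed).
SPOKE_INTERNET = """\
Destination/Mask Proto Pre Cost Flags NextHop Interface
0.0.0.0/0 IBGP 200 60 RD 10.1.0.2 SDWAN
1.2.3.0/24 IBGP 170 10 RD 10.1.0.1 SDWAN
60.1.1.0/24 Direct 0 0 D 60.1.1.1 GigabitEthernet0/0/2
"""
HUB_INTERNET = """\
0.0.0.0/0 O_ASE 190 30 D 10.1.0.36 Tunnel0/0/1
1.2.3.0/24 Direct 0 0 D 1.2.3.4 GigabitEthernet0/0/3
60.1.1.0/24 IBGP 170 0 RD 10.1.0.21 SDWAN
"""
SPOKE_LEGACY = """\
10.1.0.32/29 Direct 0 0 D 10.1.0.35 Tunnel0/0/1
59.20.1.6/32 O_ASE 190 30 D 10.1.0.36 Tunnel0/0/1
170.10.1.32/30 O_ASE 190 30 D 10.1.0.36 Tunnel0/0/1
"""


def parse_routes(text):
    """Turn 'display ip routing-table' rows into dicts; skip banners and headers."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        try:
            route = {
                "net": ipaddress.ip_network(fields[0], strict=False),
                "proto": fields[1],
                "pre": int(fields[2]),
                "cost": int(fields[3]),
                "flags": fields[4],
                "nexthop": ipaddress.ip_address(fields[5]),
                "iface": fields[6],
            }
        except ValueError:
            continue                      # not a route row
        routes.append(route)
    return routes


def internet_breakout_findings(role, routes):
    """role is 'spoke' or 'hub'. An empty list means the table matches the design."""
    defaults = [r for r in routes if r["net"].prefixlen == 0]
    if not defaults:
        return ["no default route in the VPN routing table"]
    findings = []
    for r in defaults:
        via_overlay = r["iface"] == OVERLAY_IFACE
        if role == "spoke" and not via_overlay:
            findings.append(
                f"spoke default route uses {r['iface']}: Internet traffic bypasses the hub")
        elif role == "hub" and via_overlay:
            findings.append(
                f"hub default route points into the overlay via {r['nexthop']}")
    return findings


def missing_prefixes(routes, expected):
    """Return the expected legacy prefixes that are absent from the table."""
    have = {r["net"] for r in routes}
    return [p for p in expected if ipaddress.ip_network(p) not in have]


if __name__ == "__main__":
    print(internet_breakout_findings("spoke", parse_routes(SPOKE_INTERNET)))
    print(internet_breakout_findings("hub", parse_routes(HUB_INTERNET)))
    print(missing_prefixes(parse_routes(SPOKE_LEGACY),
                           ["59.20.1.6/32", "170.10.1.32/30"]))
```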

5.5.8 Network-Wide Data Monitoring


You can view network-wide data on the home page.

Procedure
Step 1 Log in to the controller as a tenant administrator.

Step 2 Choose Monitoring > Overview > Dashboard from the main menu.

Step 3 View the site overview on the controller, including resource statistics, alarm
statistics, alarm trend in the last 24 hours, top applications by traffic, top
applications by packet loss rate, top inter-site links by traffic, top inter-site links by
packet loss rate, and the map.


----End

5.5.9 O&M and Inspection

5.5.9.1 O&M and Monitoring Configuration


Sites and devices can be monitored. For details about other monitoring content,
see Tenant Administrator O&M in the SD-WAN Product Documentation.

Site Monitoring
Step 1 Log in to the controller as a tenant administrator.
Step 2 Choose Monitoring > Monitoring > Site from the main menu.
Step 3 View the health score and link quality of a site.

----End

Device Monitoring
Step 1 Log in to the controller as a tenant administrator.
Step 2 Choose Design > Site Design > Device Management from the main menu.
Step 3 Click the device to be checked. On the Device Management page, click the
Resource tab to view the resource usage of the device, such as the CPU usage,
memory usage, and storage usage.


----End

5.5.9.2 Maintenance and Inspection


For details about routine maintenance, emergency maintenance, and
troubleshooting, see the SD-WAN Maintenance Guide.
