SD-WAN - Broadview Networks SD-WAN PERMISSIONS 1.1 SETTING SD-WAN PERMISSION LEVELS Administrator...

SD-WAN PERMISSIONS, MONITORING & CONFIGURATION FOR WINDSTREAM SD-WAN Administrator User Guide


Table of Contents

SD-WAN Network Management Tool in Windstream Online (WOL)

SD-WAN Permissions
1.1 SD-WAN Permission Levels
1.2 Permission Level Notifications
1.3 Confirmation of Configuration Changes

SD-WAN Monitor
2.1 Monitoring Overview
2.2 Monitoring Quality of Experience (QoE)
2.3 Monitoring Transport
2.4 Monitoring Applications
2.5 Monitoring Sources
2.6 Monitoring Destinations
2.7 Monitoring Business Priority

SD-WAN Configuration
3.1 Configure Edges Overview
3.2 Configure Edges Device
3.3 Configure Edges Business Policy
3.4 Configure Edges Firewall
3.5 Configure Profile Overview
3.6 Configure Profile Device
3.7 Configure Profile Business Policy
3.8 Configure Profile Firewall
3.9 Configure Network
3.10 Configure Network Services

NEED HELP? CONTACT SUPPORT

[email protected]://community.broadviewnet.com


SD-WAN PERMISSIONS

1.1 SETTING SD-WAN PERMISSION LEVELS

Administrator grants permissions for SD-WAN to others in their company via the “Admin” area of the Windstream Online (WOL) portal. There are four (4) levels of permission access defined for SD-WAN, as shown below:

[Screenshot: Admin area permission settings]

Product & Service Tools: Allow this user to access the online tools to manage your Windstream services. You can provide access to only select tools by choosing ‘Advanced’. Options: None | View | Manage | Advanced.

SD-WAN permission levels:

• View SD-WAN Monitor
• View SD-WAN Configure
• Manage (Limited) SD-WAN Configure: Business Policy and Firewall only
• Manage (All) SD-WAN Configure: Full access to manage configuration settings

SD-WAN: Configuration changes may cause, but are not limited to, service interruptions, networking issues, or security risks. Misconfigurations or service interruptions that result from Customer initiated configuration change are solely the responsibility of the Customer and are not covered as a part of the SD-WAN service level agreement.

Note: These permission levels are not cumulative, so only those checked are applicable.

1.2 PERMISSION LEVEL NOTIFICATIONS

Users are informed if they do not have the level of permission to make changes for certain areas:

[Screenshot: notification banner] Note: You do not have permission to save any changes on this page.

1.3 CONFIRMATION OF CONFIGURATION CHANGES

[Screenshot: confirmation dialog] Are you sure you want to save these configuration changes? YES | NO

Configuration changes may cause, but are not limited to, service interruptions, networking issues, or security risks. Misconfigurations or service interruptions that result from Customer initiated configuration change are solely the responsibility of the Customer and are not covered as a part of the SD-WAN service level agreement.

Reminder: Administrators that are reluctant to make their own changes can always rely on the Windstream SD-WAN Concierge™ support team to implement changes.

Note: It is recommended that a qualified network technician manage network configuration changes, as these updates may cause service interruptions, network issues, or security risks if not properly implemented.


SD-WAN MONITOR

2.1 MONITORING OVERVIEW

1. Overview displays information about your Edge WAN links, application bandwidth, and network usage for top operating systems, top categories, and the top sources. The Overview tab consists of two (2) areas: Link Status and Bandwidth Usage.

2. The Link Status area (WAN/LAN) is updated in real-time and displays a list of your links and their data (Cloud and VPN status, Interface, and Throughput Capacity). Cloud Status and VPN Status can display the following statuses: Green=Active, Yellow=Degraded, Red=Offline/Disconnected, Grey=Not Enabled. The Link Status area can also display the status of Backup links depending upon the WAN settings.

[Screenshot: Monitor > Overview tab for Site 01 (Past 60 Minutes). Link Status table with columns Link, Interface (WAN Type), Throughput | Bandwidth, Latency, Jitter, Packet Loss and Status for two sample links (AT&T U-verse, Verizon Wireless). Bandwidth Usage panels: Top Applications, Top Categories, Top Operating Systems, Top Sources.]


3. The Bandwidth Usage area displays your top applications, categories, operating systems and Sources along with their volume for a historical period of time. You can change the time frame by clicking the Time Duration drop down menu. Clicking on one of the arrow icons will allow you to drill down further into the details for each usage category.

4. The Top Applications area displays historical usage data for top applications and is connected to the Applications tab. To access the Applications tab, click the View Details arrow on the right side.

5. The Top Categories area displays categories as a color-coded pie chart (with a corresponding legend). The Top Categories area is also connected to the Applications tab. To access the Applications tab, click the View Details arrow on the right side.

6. The Top Operating Systems area displays top operating systems as a bar graph. Hover over a bar in the graph to display usage data for that system. The Top Operating Systems area is connected to the Sources tab. To access the Sources tab, click the View Details arrow on the right side.

7. The Top Sources section of the Bandwidth Usage area displays top sources as a bar graph. The Top Sources section is also connected to the Sources tab. To access the Sources tab, click the View Details arrow on the right side.

2.2 MONITORING QUALITY OF EXPERIENCE (QOE)

1. The SD-WAN Quality of Experience (QoE) tab shows the SD-WAN Quality Score (SQS) for different applications. The SQS rates an application’s quality of experience that a network can deliver for a period of time.

2. There are three different traffic types that you can monitor (Voice, Video, and Transactional) in the QoE tab. You can hover over a WAN network link, or the aggregate link provided by the SD-WAN to display a summary of Latency, Jitter, and Packet Loss.

[Screenshot: Monitor > QoE tab for Site 01 (Past 60 Minutes), Voice traffic type, showing the QoE Score before and after Network Enhancements and a hover summary rating Latency (Fair), Jitter (Good) and Packet Loss (Good).]


3. The SD-WAN Quality Score (SQS) rates an application’s quality of experience that a network can deliver for a given time frame. Some examples of applications are: video, voice, and transactional. QoE rating options are shown in the table below.

4. Link Steering and Remediation enables dynamic, application aware per-packet link steering that is performed automatically based on the business priority of the application, embedded knowledge of network requirements of the application, and the real-time capacity and performance of each link. On-demand mitigation of individual link degradation through forward error correction, jitter buffering and negative acknowledgment proxy also protects the performance of priority and network sensitive applications. Both the dynamic per-packet link steering and on-demand mitigation combine to deliver robust, sub-second blackout and even brownout protection to improve application availability, performance and end user experience.

RATING COLOR | RATING OPTION | DEFINITION
Green | Good | All metrics are better than the objective thresholds. Application performance at or above SLA.
Yellow | Fair | Some or all metrics are between the objective and maximum values. Application performance may be impacted.
Red | Poor | Some or all metrics have reached or exceeded the maximum value. Application performance may be impacted.

2.3 MONITORING TRANSPORT

[Screenshot: Monitor > Transport tab for Site 01 (Past 60 Minutes). Chart: Average Throughput, Links, Downstream, in Bps. Table columns: Cloud Status, Name, Interface (WAN Type), Total Bytes, Downstream (Bps), Upstream (Bps), VPN Status. Option: Download as Excel (.csv).]


1. The Transport tab provides an overview of the bandwidth used across all of the WAN links. For any period of time including historical timeframes, you can view which Link or Transport Group was used for the traffic and how much data was sent. You can filter on the data by drilling down into various utilization types.

2. Using the chart tools you can easily zoom into any subset of data within the chart by clicking in the chart and holding down the mouse button while scrolling the area you wish to zoom into. Pin mode allows you to compare non-adjacent data sets. Just select the pin mode in the chart above, select a range and then drag it across the chart to compare it with the data anywhere else on the chart.

3. Using the interactive legend, you can selectively turn data plots individually on/off by clicking a data series to hide it and focus on the other series in the chart.

4. The Cloud Status represents the ability of the Edge device to communicate with the gateway over the Internet cloud. The status values for both Cloud and VPN are green (connected), red (disabled), and gray (unavailable).

5. Descriptions of the Links Stats options listed in the Links Stats drop-down menu are given in the table below.

LINK STAT ITEM | DEFINITION
Bandwidth | This parameter denotes the desired bandwidth allocation in Mbps for each flow. Based on these parameters, the total capacity is allocated in proportion to the bandwidth values of various flows.
Jitter | Jitter is calculated using the RFC 3550 formula for calculating jitter that is used by RTP. Jitter metrics are measured between the Edge device and the SD-WAN core gateway. Application performance may be impacted.
Latency | For each packet, the latency is measured by subtracting the network send time (packet is time stamped immediately before being sent) from the network receive time (packet is time stamped immediately after being received).
Packet Loss | A lost packet is calculated when a path sequence number is missed and doesn’t arrive within the re-sequencing window. A “very late” packet is counted as a lost packet in this regard.
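The Latency, Jitter and Packet Loss definitions above, worked through in Python as an added example (not code from Windstream or VeloCloud). The packet records, the names `Packet` and `link_stats`, and a re-sequencing window measured in milliseconds from the moment a gap is noticed are constructed assumptions; the guide does not state the window size or how it is measured.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    seq: int       # path sequence number
    sent_ms: int   # time stamped immediately before being sent
    recv_ms: int   # time stamped immediately after being received


def link_stats(arrivals, first_seq, last_seq, reseq_window_ms):
    """Latency, RFC 3550 jitter and loss for packets listed in arrival order."""
    jitter = 0.0
    prev_latency = None
    latencies = []
    pending = {}      # missing seq -> time after which it counts as lost
    delivered = set()
    recovered = []    # arrived out of order but inside the window
    lost = set()
    highest = first_seq - 1

    for p in arrivals:
        # A gap whose re-sequencing deadline has passed becomes a loss.
        for seq in [s for s, deadline in pending.items() if p.recv_ms > deadline]:
            lost.add(seq)
            del pending[seq]

        if p.seq in lost or p.seq in delivered:
            continue  # "very late" packet or duplicate: already accounted for

        if p.seq > highest:
            # Every skipped sequence number starts its own deadline now.
            for missing in range(highest + 1, p.seq):
                pending[missing] = p.recv_ms + reseq_window_ms
            highest = p.seq
        else:
            pending.pop(p.seq, None)
            recovered.append(p.seq)
        delivered.add(p.seq)

        # Latency: receive time minus send time (needs synchronized clocks).
        latency = p.recv_ms - p.sent_ms
        latencies.append(latency)

        # RFC 3550: D = (Rj - Ri) - (Sj - Si); J = J + (|D| - J) / 16.
        # D is a difference of transit times, so a fixed clock offset cancels.
        if prev_latency is not None:
            d = abs(latency - prev_latency)
            jitter += (d - jitter) / 16
        prev_latency = latency

    lost.update(pending)                           # gaps never filled
    lost.update(range(highest + 1, last_seq + 1))  # tail never arrived
    expected = last_seq - first_seq + 1
    return {
        "latencies_ms": latencies,
        "mean_latency_ms": sum(latencies) / len(latencies) if latencies else None,
        "jitter_ms": jitter,
        "recovered": sorted(recovered),
        "lost": sorted(lost),
        "loss_pct": 100.0 * len(lost) / expected,
    }


# Constructed sample: 9 packets sent 20 ms apart. Packet 3 arrives out of
# order, packet 6 arrives long after its gap was noticed, packet 9 never arrives.
SAMPLE = [
    Packet(1, 0, 18),
    Packet(2, 20, 40),
    Packet(4, 60, 79),
    Packet(3, 40, 95),
    Packet(5, 80, 98),
    Packet(7, 120, 139),
    Packet(8, 140, 160),
    Packet(6, 100, 230),
]

if __name__ == "__main__":
    for window in (50, 10):
        print(window, link_stats(SAMPLE, 1, 9, window))
```

With the 50 ms window packet 3 is re-sequenced and only its latency spike shows up in the jitter; with a 10 ms window the same packet is counted as lost, which is why the window size matters when comparing loss figures between links.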


2.4 MONITORING APPLICATIONS

[Screenshot: Monitor > Applications tab for Site 01 (Past 60 Minutes). Chart: Bytes Received / Sent by Applications. Table: Top Applications by Bytes Received / Sent, with columns Application, Category, Total Bytes, Bytes Received, Bytes Sent. Dialog for a selected application listing Top Destinations and Top Source Devices.]


1. The Applications tab displays network usage information about your applications or your application categories. You can hover over a segment of the graph to display network usage data for that segment. You can also choose which type of data is displayed from the Data drop down menu (Bytes Received/Sent, Total Bytes, Total Packets, or Packets Received/Sent).

2. You can also click an application in the Applications column to open a dialog box, which displays the Top Destinations and Top Source Devices for the application.

3. Clicking on the arrow icon will take you to the associated page allowing you to drill down further into the data.

4. Chart tools: You can easily zoom into any subset of data within the chart by clicking in the chart and holding down the mouse button while scrolling the area you wish to zoom into. Pin mode allows you to compare non-adjacent data sets. Just select the pin mode in the chart above, select a range and then drag it across the chart to compare it with the data anywhere else on the chart.

5. Using the interactive legend, you can selectively turn data plots individually on/off by clicking a data series to hide it and focus on the other series in the chart.

2.5 MONITORING SOURCES

[Screenshot: Monitor > Sources tab for Site 01 (Past 30 Minutes). Chart: Bytes Received / Sent by Devices. Table: Top Sources by Bytes Received / Sent, with columns Application, Operating System, Type, Total Bytes, Bytes Received, Bytes Sent, IP Address. Dialog for a selected source listing Top Applications and Top Destinations. Options: Active Edges Only, Download as Excel (.csv).]


1. The Sources tab screen displays network usage data (operating system, device type) over a historical period of time. The data is displayed as two line graphs. You can change the data that is displayed in the graphs from the Data drop down menu (Bytes Received/Sent, Total Bytes, Total Packets, or Packets Received/Sent). You can also hover over a segment of the graph to display the source and its associated network usage.

2. You can also click a source in the Source column to open a dialog box, which displays the Top Destinations and Top Applications. The Friendly Name capability for Sources lets you rename a source device for in-portal reporting: click the pencil icon next to the source device in the grid view.

3. Clicking on the arrow icon will take you to the associated page allowing you to drill down further into the data.

4. Chart tools: You can easily zoom into any subset of data within the chart by clicking in the chart and holding down the mouse button while scrolling the area you wish to zoom into. Pin mode allows you to compare non-adjacent data sets. Just select the pin mode in the chart above, select a range and then drag it across the chart to compare it with the data anywhere else on the chart.

5. Using the interactive legend, you can selectively turn data plots individually on/off by clicking a data series to hide it and focus on the other series in the chart.


2.6 MONITORING DESTINATIONS

[Screenshot: Monitor > Destinations tab for Site 01 (Past 30 Minutes). Chart: Bytes Received / Sent by Domains. Table: Top Destinations by Bytes Received / Sent, with columns Destination, Total Bytes, Bytes Received, Bytes Sent. Dialog for a selected destination listing Top Applications and Top Operating System.]


1. The Edge Destinations tab screen displays network usage data (operating system, device type) over a historical period of time by the destination of the network traffic. If you hover over a segment of the graph, the destination and its associated network usage displays. There are three destination types (Domain, FQDN, IP) located on the right side of the screen.

2. For each type (Domain, FQDN, and IP), the Top Destinations dialog box displays by type when you click a destination from the Destination column. You can open the Applications and Sources tabs from the Top Destinations dialog box. Click the arrows next to the Top Applications and Top Operating System sections of the dialog box (respectively) to open these tabs.

3. Clicking on the arrow icon will take you to the associated page allowing you to drill down further into the data.

4. Chart tools: You can easily zoom into any subset of data within the chart by clicking in the chart and holding down the mouse button while scrolling the area you wish to zoom into. Pin mode allows you to compare non-adjacent data sets. Just select the pin mode in the chart above, select a range and then drag it across the chart to compare it with the data anywhere else on the chart.

5. Using the interactive legend, you can selectively turn data plots individually on/off by clicking a data series to hide it and focus on the other series in the chart.

2.7 MONITORING BUSINESS PRIORITY

[Screenshot: Monitor > Business Priority tab for Site 01 (Past 60 Minutes). Chart: Average Throughput, Downstream, with series High, Normal, Low and Control. Table columns: Priority (High, Normal, Low, Control), Downstream (Bps), Upstream (Bps).]


1. The Business Priority tab page displays the priority (High, Normal, and Low) of the network traffic over a historical period of time. If you mouse over a segment of the graph, the Business Policy characteristics and its associated Network usage displays.

2. Chart tools: You can easily zoom into any subset of data within the chart by clicking in the chart and holding down the mouse button while scrolling the area you wish to zoom into. Pin mode allows you to compare non-adjacent data sets. Just select the pin mode in the chart above, select a range and then drag it across the chart to compare it with the data anywhere else on the chart.

3. Using the interactive legend, you can selectively turn data plots individually on/off by clicking a data series to hide it and focus on the other series in the chart.

4. Quality of Experience (QoE), resource allocations, link/path steering, and error correction are automatically applied based on business policies and application priorities. Orchestrate traffic based on transport groups defined by private and public links, policy definition, and link characteristics.

SD-WAN CONFIGURATION

3.1 CONFIGURE EDGES OVERVIEW

1. The color-coded icons will link you directly to the configuration areas for Device, Business Policy and Firewall. An icon color of “Gray” in one of the configuration columns indicates that all the rules in place are based on the “Default Profile” settings; any other color means at least one rule override is in place.

2. The Edge device settings are inherited from the Profile selected for the Edge and can be simple if the network configuration defined in the profile is used without modification. Overrides can be made to Network and Network Service configuration as part of Edge configuration but should be used sparingly and for scenarios that are temporary.

[Screenshot: Configure > Edges list with columns Name, Profile, Status, Model, Serial Number, HA, Device, Biz. Pol and Firewall for four sample Edges, and an Assign Profile button.]


3.2 CONFIGURE EDGES DEVICE

[Screenshot: Configure > Edges > Device tab (tabs: Edge Overview, Device, Business Policy, Firewall). Network Settings for Network: VPN Network, listing each VLAN (1 - Corporate, 3 - Management, 7 - Corp Office) with its Network, IP Address, Mgmt IP, Interfaces and DHCP settings. High Availability: Enabled checkbox, with the note “This option is not available when the LAN1 interface is set to ‘Routed’”. VLAN Settings: Assignable VLANs (Corporate Network, Guest Network) and Management VLANs. Device Settings: Edge 500.]


[Screenshot: Device Settings, continued. Interface Settings table with columns Interface, Override Interface, Mode, VLANs, Addressing, WAN Overlay and Actions, covering the LAN, INTERNET, USB and WLAN interfaces, with Switch Port Settings and Routed Interface Settings. Static Route Settings with columns Subnet, Source IP, Next Hop, Interface, VLAN, Cost, Preferred, Advertise and Description. Wi-Fi Radio Settings (Radio Enabled, Country, Band, Channel) and DNS Settings (Private DNS, Public DNS), each with an Enable Edge Override checkbox.]


1. Network settings are inherited from the Profile selected for the Edge and can only be changed in the associated profile. In addition, Configuration overrides can be made to some settings that were configured in the Network, Network Services, and Profile assigned to an Edge. In most cases, an override must first be enabled then changes can be made. Overrides can be made to Interfaces and DNS.

2. Edges can be installed as a single standalone device or paired with another Edge to provide High Availability (HA) support. The HA configuration can be achieved with using L2 switches only or using a combination of L2 and L3 switches. The HA configuration is only for wired WAN connections.

3. VLAN Settings can be chosen for your LAN interfaces: the Edge LAN IP address, the Edge Management IP address, and the CIDR Prefix. You can also specify Fixed IP addresses tied to specific MAC Addresses. The list of LAN interfaces and the SSID of any Wi-Fi interfaces that are configured for this VLAN are listed. Finally, a block for configuring DHCP is shown. DHCP can be enabled (where a start address, the number of addresses, the lease time, and optional parameters are entered), the address of one or more relay agents can be enabled, or DHCP can be disabled.

4. The list of Switch Ports is shown with a summary of some of their settings (such as Access or Trunk mode and the VLANs for the interface). Switch Ports are highlighted with a light yellow background.

5. Static Route Settings are useful for special cases where static routes are needed for existing network attached devices (such as printers). The ‘+’ icon on the right of the dialog box can be used to add additional Static Route Settings.

Perform these steps to specify the Static Route settings:

• Enter the subnet for the route.
• Enter the IP address for the route.
• Select the WAN interface where the Static Route will be bound.

[Screenshot: VLAN: Corporate dialog showing Edge LAN IP Address, Edge LAN Management IP Address, CIDR Prefix, Network, LAN Interfaces, Static Addresses, DHCP Type, Lease Time, DHCP Options, and the Enable Edge Override option]


This option enables Edge specific edits to the displayed settings, and discontinues further automatic updates from the configuration profile for this module.

For ongoing consistency and ease of updates it is recommended to set configurations at the Profile rather than Edge exception level.


• Select the Broadcast checkbox to advertise this route over VPN and allow other Edges in the network to have access to this resource.
• Optionally, add a description for the route.

6. DNS is an optional service that allows you to create a configuration for DNS. The DNS Service can be for a public DNS service or a private DNS service provided by your company. A Primary and Backup server can be specified. The service is preconfigured to use Google and OpenDNS servers.

7. The management IP address is used as the source address for local services (e.g. DNS) and as a destination for diagnostic tests (e.g. pinging from another edge).

8. Dynamic Host Configuration Protocol (DHCP) dynamically assigns unique IP addresses to network devices. As a network device joins or leaves an IP-based network, DHCP automatically renews or releases an IP address. DHCP allows network administrators to centrally manage and automate the assignment of the IP addresses, making network administration a lot easier to manage.

9. Refer to the snapshot below for hover text to appear at EACH “Enable Edge Override” field. The following text should appear with icon next to each occurrence of the “Enable Edge Override” field option:

10. The Wi-Fi Radio Settings determine whether the Wi-Fi radio is enabled and select the country where the Edge is located, the band of the Wi-Fi radio, and the channel used by the Wi-Fi network. If a specific country is selected, a specific Wi-Fi channel can be selected. Note: Wi-Fi is an optional service. To add Wi-Fi to your existing service(s), please contact your Account Executive.

11. DHCP can be configured on a Routed Interface. The routed interface must be configured with a STATIC address at the Edge level. The usual DHCP Server settings can be specified, including Disabled (the default), Relay (configure as DHCP relay), and Enabled (configure as a DHCP server, with options). If an Edge Override is enabled, the DHCP Start IP must be a valid available IP within undefined/24 subnet.


3.3 CONFIGURE EDGES BUSINESS POLICY

[Screenshot: Edge Business Policy tab. The rule list has columns Rule, Match (Source, Destination, Application) and Action (Net. Service, Link, Priority); the Edit Rule dialog has Match fields (Source, Destination, Application) and Action fields (Priority, Rate Limit, Network Service, Link Steering, NAT, DSCP).]


1. Based on the business policy configuration, SD-WAN examines the traffic being used, identifies the Application behavior, the business service objective required for a given app (High, Med, or Low), and the Edge WAN Link conditions. Based on this, the Business Policy optimizes Application behavior driving queuing, bandwidth utilization, link steering, and the mitigation of network errors.

2. A number of rules are predefined and you can add your own rules to customize your network operation. Rules are listed in order of highest precedence. Network traffic is managed by identifying its characteristics then matching the characteristics to the rule with the highest precedence.

3. You can move your configured rules up or down in the list of rules to establish precedence by hovering over the numeric value at the left side of the rule and moving the rule up or down. If you hover over the right side of a rule, click the x (cross) sign next to the rule to remove it from the list or the + (plus) sign to add a new rule.

4. If the Match Source Define option is chosen, the source traffic can be narrowed to a specific VLAN, an IP Address, a Port, an Operating System or any combination of the selections.

5. If the Match Destination Define option is chosen, the destination can first be narrowed to a type (Any, Internet, Edge, or Non-SD-WAN Site). The destination can then be further defined by specifying an IP Address, Hostname, Protocol (GRE, ICMP, TCP, or UDP), and a port.

6. The Action section allows traffic Priority to be categorized as High, Normal, or Low. Percentage Rate Limits can also be applied in both the Outbound and Inbound direction. Link Steering provides the following options:

a. Mandatory indicates that traffic will be sent over the WAN link or link Service-group specified. If the link specified (or all links within the chosen service group) is inactive or if a multi-path gateway route is unavailable, the corresponding packet will be dropped.

b. Preferred indicates the traffic should preferably be sent over the WAN link or link Service-group specified. If the link specified (or all links within the chosen service group) is inactive, or if the multipath gateway route chosen is unstable, or if the link Service Level Objective (SLO) is not being met, the corresponding packet will be steered on the next best available link. If the preferred link becomes available again, traffic will be steered back to the preferred link.

c. Available indicates the traffic should preferably be sent over the WAN link or link Service-group specified as long as it is available (irrespective of link SLO). If the link specified (or all links within the chosen service group) is not available or if the multi-path gateway route chosen is unavailable, the corresponding packet will be steered to the next best available link. If the preferred link becomes available again, traffic will be steered back to the available link.


3.4 CONFIGURE EDGES FIREWALL

[Screenshot: Edge Firewall tab with the Firewall Enabled and Logging Enabled switches and three rule tables: Outbound Firewall Rules (Rule, Match Source/Destination/Application, Action), Inbound Port Forwarding (Name, Protocol, Interface, WAN Port(s), LAN IP, LAN Port, Remote IP/Subnet, Log), and Inbound 1:1 NAT Rules (Name, Outside IP, Interface, Inside IP, Remote IP, Log, outbound traffic Protocol and Port(s)).]


1. Firewall rules are used to configure Allow or Deny Access Control List (ACL) rules. The rules are used to determine what traffic is allowed between VLANs or out from the LAN to the Internet. The rules can be based on applications, application categories, source IP address/port, destination IP address/port, DSCP tags or protocol. Network traffic is managed by identifying its characteristics then matching the characteristics to the rule with the highest precedence.

2. When adding a new Firewall rule using the dialog, you can select Source, Destination, and Application characteristics to match. Given a match, the Firewall action defined in the rule will be applied.

3. When a Deny action is detected by the firewall, an Event is generated. The event can be seen in the list of events using Monitor -> Events. When a Deny and Log action is detected, the Firewall logs the event locally.

4. You can move your configured rules up or down in the list of rules to establish precedence by hovering over the numeric value at the left side of the rule and moving the rule up or down. If you hover over the right side of a rule, click the – (minus) sign next to the rule to remove it from the list or the + (plus) sign to add a new rule.

5. Mac Address Filtering is another Source option available in the Match area of the dialog box shown below. You can use the Mac Address feature when you want a filtering rule to apply to a specific client no matter what subnet the client is associated with. (The filtering rule is independent of the client’s subnet).

6. The Inbound Firewall Rules section provides Port Forwarding and 1:1 NAT rules that define how Internet traffic is filtered or routed to an Edge via the Gateway. Configure rules to redirect traffic from a specific WAN port to a device (LAN IP/ LAN Port) within the local subnet. Optionally restrict the inbound traffic by IP or subnet. Port Forwarding Rules are used to forward requests made on specific TCP or UDP ports to specific LAN IP addresses and ports on an Edge. The ‘+’ icon on the right can be used to add additional Port Forwarding Rules.

7. 1:1 NAT Settings are used to map a public IP address to an Inside (LAN) IP address. A 1:1 NAT mapping can only be configured with IP addresses that do not belong to the Edge. It can also translate outside IP addresses in different subnets than the WAN interface address if the ISP routes traffic for the subnet towards the Edge. Each mapping is between one IP address outside the firewall and one LAN IP address inside the firewall. Within each mapping, you can specify which ports will be forwarded to the inside IP address. The ‘+’ icon on the right can be used to add additional 1:1 NAT settings.

[Screenshot: Add Rule dialog for a rule named Streaming Music, with Match fields Source (VLAN, IP Address, Mac Address, Ports), Destination, and Application (category and application lists).]


3.5 CONFIGURE PROFILE OVERVIEW

[Screenshot: Profile list (Name, Used By, and Jump To links for Device Settings, Business Policy, and Firewall) and the Profile Overview page, with a Networks summary (Name, Addressing Type, Corporate and Guest Addresses & VLANs) and a Services summary showing each service as On or Off.]


1. The color-coded icons will link you directly to the configuration areas for Device, Business Policy and Firewall. An icon color of “Gray” in one of the configuration columns indicates that all the rules in place are based on the “Default Profile” settings; any other color means at least one rule override is in place.

2. A Profile Overview page is displayed that provides a quick summary of all Networks and Services that are defined in the profile. The overview is divided into two categories (Networks and Services). After all settings have been entered for the Profile Device, Business Policy, and Firewall pages, the Profile Overview page should reflect the configurations you have performed.

3. Networks has the name of the Network configuration used, the type of addressing, and the Network addresses and VLANs assigned to the Corporate and Guest networks.

4. Services has a summary of the services provided by the Windstream SD-WAN system.

3.6 CONFIGURE PROFILE DEVICE

[Screenshot: Profile Device tab, Network Settings section (Network, Assignable VLANs, Management VLANs) and the Select Management VLANs dialog with the options All VLANs (Recommended) and Customize (maximum of 8 selected VLANs).]


[Screenshot: Device Settings for an Edge 500: Interface Settings table (Actions, Interface, Mode, VLANs, Addressing, WAN Overlay) covering Switch Port and Routed Interface settings, Wi-Fi Radio Settings (Radio Enabled, Country, Band, Channel), DNS Settings, and the LAN1 interface dialog (Interface Enabled, Capability, Mode, VLANs, Untagged VLAN, and L2 Settings: Autonegotiate, Speed, Duplex, MTU).]


1. The Device Settings tab is used to select a Network, assign VLANs, configure Wired and Wireless LAN connections and configure DNS settings. Device configuration allows you to associate a Network configuration with a Profile, configure Interfaces, and choose Network Services to be associated with a Profile. Choosing a Network and selecting Network Services can be performed from drop-down lists on this tab page.

2. The Network Settings section of the Device tab page shows the Network associated with the Profile, the list of Assignable VLANs, and the list of Management VLANs.

3. The Select Assignable VLANs dialog is used to select the VLANs that will be supported by this Profile.

4. For the Management VLANs in a typical corporate VLAN definition, two IP addresses are preallocated. The first IP address in the subnet is assigned to address the subnet and the second IP address is used for a management function (such as Ping). These values can be seen and modified in the Subnet Addressing section of the Edge device tab. The default is “All VLANs will be assigned a management IP address.”

5. For VLAN definitions where the number of IP addresses must be tightly controlled, the creation of the Management IP address can be suppressed by customizing which VLANs have a Management IP address. The Select Management VLANs dialog is used to select which of the available corporate VLANs will be assigned a Management IP address (all VLANs in the Selected VLANs list in the screen capture below). If you customize the list of VLANs, new VLANs that you add are not given a Management IP address. If you want a new VLAN to have a Management IP address, you will need to add the new VLAN to the list of Selected VLANs via the Select Management VLANs dialog.

6. Device Settings allows you to configure the Interface Settings for one or more Edge models in a profile. Depending on the Edge Model, each interface can be a Switch Port (LAN) interface or a Routed (WAN) Interface. Depending on the Branch Model, a connection port is a dedicated LAN or WAN port, or ports can be configured to be either a LAN or WAN port. Branch ports can be Ethernet or SFP ports. Some Edge models may also support wireless LAN interfaces. It is assumed that a single public WAN link is attached to a single interface that only serves WAN traffic. If no WAN link is configured for a routed interface that is WAN capable, it is assumed that a single public WAN link should be automatically discovered. If one is discovered, it will be reported back and this auto-discovered WAN link can then be modified and the new configuration pushed back to the branch.

7. Actions you can perform on the network interface, such as Edit or Delete.

8. The Interface name. This name matches the Edge port label on the Edge device or is predetermined for wireless LANs.

[Screenshot: Edge 500 INTERNET1 dialog (Interface Enabled, Capability, Addressing Type, WAN Overlay, OSPF, NAT Direct Traffic, L2 Settings), with the note “Static/PPPoE addressing details must be configured individually per edge.”, and Edge 500 WLAN1 dialog (Interface Enabled, VLAN, SSID, Security, Passphrase, Broadcast, Use Captive Web Portal).]


9. The list of Switch Ports with a summary of some of their settings (such as Access or Trunk mode and the VLANs for the interface). Switch Ports are highlighted with a light yellow background.

10. The list of Routed Interfaces with a summary of their settings (such as the addressing type and if the interface was auto-detected or has an Auto Detected or User Defined WAN overlay). Routed Interfaces are highlighted with a light blue background.

11. The list of Wireless Interfaces (if available on the Edge device). You can add additional wireless networks by clicking the Add Wi-Fi SSID button. Wireless Interfaces are highlighted with a light gray background. Note: Wi-Fi is an optional service. To add Wi-Fi to your existing service(s), please contact your Account Executive.

12. You can configure Edge device LAN interfaces as Access Ports where you can choose a VLAN for the port and select L2 Settings for Autonegotiate (selected by default), Speed, Duplex type, and MTU size (default 1500). You can also configure Edge device LAN interfaces as Trunk Ports where you can choose VLANs for the port, how Untagged VLAN data is handled (routed to a specific VLAN or Dropped) and select L2 Settings for Autonegotiate (selected by default), Speed, Duplex type, and MTU size (default 1500).

13. WAN interfaces can be “Routed” (routing is done between two networks using IP addresses) or “Switched” (packets are transferred from source to destination within the network using MAC addresses). You can also choose Addressing Type (DHCP, PPPoE, or static), a WAN Overlay (Auto-detect, or User Defined), enable OSPF, enable NAT Direct Traffic, and select L2 Settings for Autonegotiate (selected by default), Speed, Duplex type, and MTU size (default 1500).

14. Initially two Wi-Fi networks are defined for the Edge: one as a “Corporate” network and one as a “Guest” network that is initially disabled. Additional wireless networks can be defined, each with a specific VLAN, SSID, and security configuration. Note: Wi-Fi is an optional service. To add Wi-Fi to your existing service(s), please contact your Account Executive.

15. Security for your Wi-Fi connections can be one of three types:

• Open: No security is enforced.
• WPA2 / Personal: A password is used to authenticate a user.
• WPA2 / Enterprise: A server is used to authenticate a user. In this scenario, a Server must be configured in Network Services and the Server must be selected in the Profile Authentication Settings on the Device page.

The default settings for Security can also be overridden on the Edge Device page.

16. The Wi-Fi Radio Settings determine whether the Wi-Fi radio is enabled and select the country where the Edge is located, the band of the Wi-Fi radio, and the channel used by the Wi-Fi network. If a specific country is selected, a specific Wi-Fi channel can be selected. Note: Wi-Fi is an optional service. To add Wi-Fi to your existing service(s), please contact your Account Executive.

17. The Device DNS Settings allow you to specify which Network Services DNS Service will be used.


3.7 CONFIGURE PROFILE BUSINESS POLICY

[Screenshot: Profile Business Policy tab. The rule list has columns Rule, Match (Source, Destination, Application) and Action (Net. Service, Link, Priority); the rule dialog has Match fields (Source, Destination, Application) and Action fields (Priority, Rate Limit, Network Service, Link Steering, NAT, Service Class, Inner Packet DSCP Tag, Outer Packet DSCP Tag).]


1. Based on the business policy configuration, SD-WAN examines the traffic being used, identifies the Application behavior, the business service objective required for a given app (High, Med, or Low), and the Edge WAN Link conditions. Based on this, the Business Policy optimizes Application behavior driving queuing, bandwidth utilization, link steering, and the mitigation of network errors.

2. A number of rules are predefined and you can add your own rules to customize your network operation. Rules are listed in order of highest precedence. Network traffic is managed by identifying its characteristics then matching the characteristics to the rule with the highest precedence. You can move your configured rules up or down in the list of rules to establish precedence by hovering over the numeric value at the left side of the rule and moving the rule up or down. If you hover over the right side of a rule, click the – (minus) sign next to the rule to remove it from the list or the + (plus) sign to add a new rule.

3. You can select Match choices for network traffic based on the Source of the traffic, the Destination of the traffic, and/or the type of Application that generated the traffic. Given a match, the Actions defined in the lower part of the dialog for the rule will be applied. For each of the Match selections, the option “Any” is used to designate any traffic from a source, destination, or application. If the Match Source “Define” option is chosen, the source traffic can be narrowed to a specific VLAN, an IP Address, a Port, an Operating System or any combination of the selections.

4. If the Match Destination Define option is chosen, additional parameters can be specified to identify traffic destination (see the following screen capture). The destination can first be narrowed to a type (Any, Internet, Edge, or Non-SD-WAN Site). The destination can then be further defined by specifying an IP Address, Hostname, Protocol (GRE, ICMP, TCP, or UDP), and a port. Match Destination options are particularly useful if the same traffic match pattern needs to be assigned different QoS values depending on the route taken. As an example, you may want to assign a higher priority to traffic destined to an SD-WAN Site versus regular cloud-based internet traffic. This can be easily achieved using the Destination configuration value.

5. If the Match Application Define option is chosen, applications can be chosen first by category then by specific application. In addition, a DSCP value can be specified to match traffic coming in with a preset DSCP/TOS tag. Depending on your Match choices, some Actions may not be available. For example, if All Applications is chosen, Network Service and Link Actions are grayed out and are not available for selection.

6. The Action “Priority” parameter allows traffic to be categorized as High, Normal, or Low. Percentage Rate Limits can also be applied in both the Outbound and Inbound direction.

7. The Action “Network Service” parameter can be set to Direct or Internet Multi-path. The Direct option explicitly sets the traffic to be sent to the destination directly, bypassing the SD-WAN Gateway - this option is only applicable for Destination = Internet. The Internet Multi-path option explicitly marks the traffic to be sent over the SD-WAN Gateway utilizing the benefits of per packet link steering, multipath redundancy, and error-correction.

8. The Action “Link Steering” parameter can be set by Service Group, by Interface, or by WAN Link. A Transport Group represents WAN links bundled together based on similar characteristics and functionality. Defining a Transport Group allows business abstraction so that similar policy can apply across different Hardware types. For the “Transport Group” option, you select the Transport Group type of All, Public Wired, Public Wireless, or Private Wired. This option is allowed at both the Edge override level and Profile level.

• “Mandatory” indicates that traffic will be sent over the WAN link or link Service-group specified. If the link specified (or all links within the chosen service group) is inactive or if a multi-path gateway route is unavailable, the corresponding packet will be dropped.

• “Preferred” indicates the traffic should preferably be sent over the WAN link or link Service-group specified. If the link specified (or all links within the chosen service group) is inactive, or if the multipath gateway route chosen is unstable, or if the link Service Level Objective (SLO) is not being met, the corresponding packet will be steered on the next best available link. If the preferred link becomes available again, traffic will be steered back to the preferred link.

• “Available” indicates the traffic should preferably be sent over the WAN link or link Transport group specified as long as it is available (irrespective of link SLO). If the link specified (or all links within the chosen service group) is not available or if the multi-path gateway route chosen is unavailable, the corresponding packet will be steered to the next best available link. If the preferred link becomes available again, traffic will be steered back to the available link.

9. You can configure Policy Based NAT for both Source and Destination. The NAT can be applied to either Non-SD-WAN Site traffic or Internet traffic using Multi-Path. When configuring NAT, you must define which traffic to NAT and the action you want to perform. There are two types of NAT configuration: Many to One and One-to-One.

10. The Service Class parameter can be set to Real-time (time sensitive traffic), Transactional, or Bulk. This option is only for custom applications. SD-WAN Apps/Categories fall in one of these categories.
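The Link Steering options described in sections 3.3 and 3.7 differ in what happens when the chosen link fails: Mandatory drops the packet, while Preferred and Available move traffic onto another link. The following Python model is an added example, not code from Windstream or the SD-WAN product; the link name MPLS1, the rule that "next best" prefers an active link meeting its SLO, and the behavior when no other link exists are assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Steering(Enum):
    MANDATORY = "Mandatory"
    PREFERRED = "Preferred"
    AVAILABLE = "Available"


@dataclass(frozen=True)
class Link:
    name: str
    group: str       # transport group, e.g. "Private Wired"
    active: bool     # link is up and its multi-path gateway route is usable
    meets_slo: bool  # link currently meets its Service Level Objective


def next_best(links):
    """Assumption: 'next best' is the first active link, SLO-meeting links first."""
    active = [link for link in links if link.active]
    active.sort(key=lambda link: not link.meets_slo)  # stable sort keeps order
    return active[0] if active else None


def steer(mode, pinned, others):
    """Return the Link a packet is sent on, or None if the packet is dropped.

    pinned: links in the WAN link or group named by the rule
    others: every other link on the Edge
    """
    up = [link for link in pinned if link.active]
    if mode is Steering.MANDATORY:
        # Never leaves the pinned link or group: no usable link means drop.
        return up[0] if up else None
    if mode is Steering.PREFERRED:
        # The pinned link is used only while it is active AND meets its SLO.
        chosen = next((link for link in up if link.meets_slo), None)
    else:
        # AVAILABLE: the pinned link is used whenever it is active, SLO ignored.
        chosen = up[0] if up else None
    if chosen is not None:
        return chosen
    fallback = next_best(others)
    if fallback is not None:
        return fallback
    # Assumption: with nothing else usable, stay on a pinned link that is up.
    return up[0] if up else None


def exposure(mode, pinned_group="Private Wired"):
    """For each (active, meets_slo) state of the pinned link, report whether
    traffic stays on it, is dropped, or leaves the pinned transport group."""
    public = [Link("INTERNET1", "Public Wired", True, True)]
    table = {}
    for active in (True, False):
        for slo in (True, False):
            link = steer(mode, [Link("MPLS1", pinned_group, active, slo)], public)
            if link is None:
                table[(active, slo)] = "dropped"
            elif link.group == pinned_group:
                table[(active, slo)] = "pinned"
            else:
                table[(active, slo)] = "off-group:" + link.name
    return table


if __name__ == "__main__":
    for mode in Steering:
        print(mode.value, exposure(mode))
```

If a rule exists to keep sensitive traffic on a private link, only Mandatory guarantees that the traffic is dropped instead of being sent over a public link when the private link degrades.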

3.8 CONFIGURE PROFILE FIREWALL

[Screenshot: Profile Firewall tab with the Firewall Enabled and Logging Enabled switches and the Outbound Firewall Rules table (Rule, Match Source/Destination/Application, Action).]


1. Firewall rules are used to configure Allow or Deny Access Control List (ACL) rules. The rules determine what traffic is allowed between VLANs or out from the LAN to the Internet. The rules can be based on applications, application categories, source IP address/port, destination IP address/port, DSCP tags or protocol. Network traffic is managed by identifying its characteristics and then matching those characteristics to the rule with the highest precedence. Note that the Firewall function can be disabled using the Firewall Enabled switch. This page allows you to define Outbound Firewall Rules and Edge Access. Inbound rules must be defined at each Edge.

2. Using the dialog, you can select Source, Destination, and Application characteristics to match. You can use the parameters to finely select where you want the Firewall rule to be applied. Given a match, the Firewall action defined in the rule will be applied. Note: When a Deny action is detected by the firewall, an Event is generated. The event can be seen in the list of events using Monitor > Events. When a Deny and Log action is detected, the Firewall logs the event locally.

3. You can move your configured rules up or down in the list of rules to establish precedence by hovering over the numeric value at the left side of the rule and moving the rule up or down. If you hover over the right side of a rule, you can click the – (minus) sign next to the rule to remove it from the list or the + (plus) sign to add a new rule.

4. Mac Address Filtering is a Source option available in the Match area of the dialog box shown below. You can use the Mac Address feature when you want a filtering rule to apply to a specific client no matter what subnet the client is associated with (the filtering rule is independent of the client’s subnet). To enable this filter, choose the Mac Address radio button, type in the MAC address, and click the OK button.

[Screenshot: firewall rule dialog with a Rule Name field and a Match area containing Source, Destination and Application selectors (each either Any or Define...). The Define options shown include VLAN, IP Address, Protocol and Ports, plus an application list, with Help, OK and Cancel buttons.]
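Items 1, 3 and 4 above describe precedence-ordered matching and MAC-based source filters. The sketch below is an added example, not the product's code: it assumes top-down first-match evaluation and a simplified rule model (the `Rule` fields, rule names and sample MAC/IP values are constructed) to show how moving a rule changes the verdict and how to find a rule that can never fire.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:                          # simplified model, not the product's schema
    name: str
    action: str                      # "allow" or "deny"
    src_net: str = "0.0.0.0/0"       # source subnet; ignored when src_mac is set
    src_mac: Optional[str] = None    # MAC filter, independent of the subnet
    dst_port: Optional[int] = None   # None means any port

def matches(rule, flow):
    if rule.src_mac is not None:     # MAC match does not look at the subnet
        if flow["mac"].lower() != rule.src_mac.lower():
            return False
    elif ipaddress.ip_address(flow["src"]) not in ipaddress.ip_network(rule.src_net):
        return False
    return rule.dst_port is None or rule.dst_port == flow["port"]

def evaluate(rules, flow):
    """Return (position, name, action) of the first matching rule, else None."""
    for position, rule in enumerate(rules, start=1):
        if matches(rule, flow):
            return position, rule.name, rule.action
    return None

def covers(a, b):
    """True when every flow matched by rule b is also matched by rule a."""
    if a.dst_port is not None and a.dst_port != b.dst_port:
        return False
    if a.src_mac is not None:
        return b.src_mac is not None and a.src_mac.lower() == b.src_mac.lower()
    a_net = ipaddress.ip_network(a.src_net)
    if b.src_mac is not None:        # a MAC can show up in any subnet
        return a_net.prefixlen == 0
    return ipaddress.ip_network(b.src_net).subnet_of(a_net)

def shadowed(rules):
    """List (rule, earlier_rule) pairs where the later rule can never fire."""
    return [(later.name, earlier.name)
            for i, later in enumerate(rules)
            for earlier in rules[:i] if covers(earlier, later)]

KIOSK = "00:00:5e:00:53:01"          # constructed sample values
block_kiosk = Rule("block-kiosk", "deny", src_mac=KIOSK)
corp_allow = Rule("corp-allow", "allow", src_net="10.0.1.0/24")
deny_all = Rule("deny-all", "deny")
flow = {"src": "10.0.1.50", "mac": KIOSK, "port": 443}
```

Running `shadowed()` over a rule list before saving a reorder is a quick review step: a non-empty result means a rule sits below a broader one and will never be applied.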


3.9 CONFIGURE NETWORK

[Screenshot: Networks page. The network list has columns Name, Used By, Address Space, VLANs and Address Type, with NEW NETWORK, DELETE NETWORK and DUPLICATE NETWORK controls. The Corporate Networks (addresses and VLANs) section shows Name, Description, Address Type, Address Space, Edges, Addresses/Edge, Edge Prefix and VLANs/Edge, followed by a VLANs table with columns Name, VLAN ID, DHCP Type, Static Addresses, DHCP Addresses and DHCP Options. The Guest Networks (addresses and VLANs) section shows the same address fields and VLANs table. The New VLAN dialog has fields VLAN Name, VLAN ID, DHCP Type (Enabled, Relay, Disabled), Static Addresses, Lease Time and DHCP Options (Option, Code, Data Type, Value).]


1. Networks are standard configurations that define network address spaces and VLAN assignments for Edges. Networks configure two network types: Corporate (or trusted networks) and Guest (or untrusted networks). Multiple Corporate and Guest Networks can be defined. VLANs can be assigned to both Corporate and Guest Networks.

2. Corporate Networks can be configured with either Overlapping Addresses or Non-overlapping Addresses. With overlapping addresses, all Edges using the Network have the same address space. Overlapping addresses are associated with non-VPN configurations. Guest networks always use overlapping addresses.

3. With non-overlapping addresses, an address space is divided into blocks of an equal number of addresses. Non-overlapping addresses are associated with VPN configurations. The address blocks are assigned to Edges that use the Network so that each Edge has a unique set of addresses. When using non-overlapping addressing, SD-WAN automatically allocates blocks of addresses based on the maximum number of Edges you predict will use the Network configuration.

4. For Corporate Networks, the address space was set in a previous step when you created the network space and will be distributed across the number of Edges chosen using the Allocation slider. You can specify the number of Edges, the Addresses/Edge, and the Edge Prefix. The Allocation slider helps you choose these values by calculating them for the case where all addresses are assigned across the number of Edges. This is the built-in IP address management (IPAM) that allocates the LAN-side subnet behind each Edge. Once a Network is assigned to an Edge, it is not possible to change the Address Space Allocation. The number of Edges is the maximum number of Edges that will ever be deployed using this Network. The Addresses/Edge defines the size of the address space for each Edge.

5. You can define as many VLANs as you like for the Corporate Network, but the Max VLANs value specifies the maximum number you can specify for use in a Profile or Edge. Click the New button to create a new VLAN where you can configure the VLAN Name, VLAN ID, and the DHCP configuration.

6. After you configure the VLAN Name and VLAN ID, you choose a DHCP type of Enabled, Relay, or Disabled:

• Enabled: the Edge is the DHCP server. When choosing Enabled, you can add one or more DHCP options where you specify predefined options or add custom options.

• Relay: the DHCP server is at a remote location. If you choose a DHCP type of Relay, you can specify the IP address of one or more Relay Agents.

• Disabled: DHCP is turned off. If the DHCP type of Disabled is chosen, IP addresses are not provided by DHCP for this VLAN.

7. The Guest Network is an untrusted network that always uses an overlapping address space. It is completely segmented and on a separate VRF from the Corporate Network. The Guest Network section (see screen capture below) defines the Address Space. You can define as many VLANs as you like for the Guest Network, but the Max VLANs value specifies the maximum number you can use in a Profile or Edge.
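Items 2 to 4 above describe how an address space is split into equal per-Edge blocks, or shared when addresses overlap. The following is an added example, not the product's allocator: it assumes power-of-two CIDR blocks handed out in Edge-index order, and the function names and sample figures (10.0.0.0/8, 1000 Edges) are constructed.

```python
import ipaddress

def plan(address_space, max_edges):
    """Size one equal block per Edge (assumption: blocks are CIDR subnets)."""
    space = ipaddress.ip_network(address_space)
    if max_edges < 1:
        raise ValueError("max_edges must be at least 1")
    bits = (max_edges - 1).bit_length()      # bits needed to number the Edges
    edge_prefix = space.prefixlen + bits
    if edge_prefix > space.max_prefixlen:
        raise ValueError("address space too small for that many Edges")
    return {"edge_prefix": edge_prefix,
            "addresses_per_edge": 2 ** (space.max_prefixlen - edge_prefix),
            "blocks": 2 ** bits}

def edge_block(address_space, max_edges, edge_index, overlapping=False):
    """Return the LAN-side subnet for one Edge."""
    space = ipaddress.ip_network(address_space)
    if overlapping:                          # every Edge reuses the same space
        return space
    p = plan(address_space, max_edges)
    if not 0 <= edge_index < p["blocks"]:
        # The split is fixed once Edges use the Network, so an undersized
        # max_edges leaves no block for a later Edge.
        raise IndexError("no address block left for this Edge")
    start = space.network_address + edge_index * p["addresses_per_edge"]
    return ipaddress.ip_network(f"{start}/{p['edge_prefix']}")

def any_overlap(blocks):
    """True if any two blocks share addresses (ambiguous routes over a VPN)."""
    return any(a.overlaps(b)
               for i, a in enumerate(blocks) for b in blocks[i + 1:])

if __name__ == "__main__":
    print(plan("10.0.0.0/8", 1000))
    for i in (0, 1, 4):
        print(i, edge_block("10.0.0.0/8", 1000, i))
```

Because the allocation cannot be changed after a Network is assigned to an Edge, running the sizing with the largest Edge count you expect shows the resulting Addresses/Edge before you commit.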

3.10 CONFIGURE NETWORK SERVICES

[Screenshot: DNS Services list with columns Name, Type, Address and Used By, showing Private and Public entries with their Primary and Backup servers and NEW and DELETE controls, plus the DNS service dialog with Name, Type, Server Details and Private Domains (domain and description) fields and SAVE and CANCEL buttons.]


1. Network Services for SD-WAN allows you to define your Enterprise Network Services. These definitions can be used across all Profiles. This includes services for DNS. The possible services are defined in Network Services but are not used unless they are assigned in a Profile.

2. A Domain Name Server (DNS) translates domain names into IP addresses. With the DNS service, we can access websites by typing only their alphanumeric names (domain names) in the browser instead of their IP addresses. The DNS service is an optional service that allows you to create a configuration for DNS. The DNS Service can be for a public DNS service or a private DNS service provided by your company. A Primary and Backup server can be specified. The recommended practice is to configure the primary and secondary DNS servers on separate machines, on separate Internet connections, and in separate geographic locations (for the purpose of redundancy). The service is preconfigured to use Google and OpenDNS servers. For a private service, you can also specify one or more Private Domains.