Advanced Configuration
To configure security, authentication, time synchronization, routing and cloud access parameters, select Network -> Advanced Configuration from the Orchestrator main menu.
Note: the values displayed in the forms are the default values.
Local Breakout
Depending on your deployment, you may deactivate the Local Breakout rule, i.e. the ability of Branch Office Sites to access the Internet directly.
By default, Local Breakout is activated if at least one Branch Office Site in your network has direct Internet access. To change this behavior and, for example, force all Internet traffic to be routed through MPLS, select MPLS from the Transport Network stack of values.
You can also deactivate the function entirely by disabling it.
Overlay Routing
• Overlay IP Network: subnet from which the Orchestrator selects the addresses of the appliance internal interfaces.
• AS Number Range: the Orchestrator uses this range of values to configure Site autonomous systems automatically (refer to "Configuring the LAN").
• AS Number Exclusion: values or ranges of values you want to exclude from the AS Number Range (reserved values). Authorized separators are ",", "|" and ";", which may be mixed.
  • Simple values: N where 1 <= N <= 65535
  • Value ranges: N-M where N < M and 1 <= N, M <= 65535
  Multi-format example: 65002,65012-65024|65042;65122
Validate your input by hitting the Create button. To modify any advanced configuration data, click the Update button. The last modification date and owner are specified in the right top corner of the form.
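The AS Number Exclusion syntax above is small but easy to get wrong (a reversed range, a value of 0, a stray separator), and a bad exclusion list silently changes which AS numbers the Orchestrator hands out. The following parser is an added example, not Orchestrator code: it accepts exactly the simple values, ranges and three separators described here, rejects anything else, and computes the AS numbers that remain usable from a given AS Number Range. The range bounds passed to `usable_as_numbers` are constructed for the example.

```python
import re

# Bounds of the AS Number fields in the Advanced Configuration form.
AS_MIN, AS_MAX = 1, 65535
# The form accepts "," "|" and ";" as separators, in any mix.
SEPARATORS = re.compile(r"[,|;]")
NUMBER = re.compile(r"\d+")


def parse_as_exclusions(text: str) -> set[int]:
    """Parse an AS Number Exclusion string into the set of excluded AS numbers.

    Tokens are simple values N (1 <= N <= 65535) or ranges N-M (N < M).
    Any other token, or any value outside the bounds, raises ValueError so
    that a typo cannot silently exclude the wrong numbers.
    """
    excluded: set[int] = set()
    for token in SEPARATORS.split(text):
        token = token.strip()
        if not token:
            continue  # tolerate "65002,,65012" or a trailing separator
        parts = [p.strip() for p in token.split("-")]
        if not 1 <= len(parts) <= 2 or not all(NUMBER.fullmatch(p) for p in parts):
            raise ValueError(f"invalid token {token!r}: expected N or N-M")
        values = [int(p) for p in parts]
        for v in values:
            if not AS_MIN <= v <= AS_MAX:
                raise ValueError(f"value {v} in {token!r} is outside [{AS_MIN} - {AS_MAX}]")
        if len(values) == 2 and values[0] >= values[1]:
            raise ValueError(f"range {token!r}: N must be lower than M")
        lo, hi = values[0], values[-1]
        excluded.update(range(lo, hi + 1))
    return excluded


def usable_as_numbers(range_start: int, range_end: int, exclusions: str) -> list[int]:
    """AS numbers the Orchestrator may still assign from the AS Number Range
    once the exclusions are applied, in ascending order."""
    if not (AS_MIN <= range_start <= range_end <= AS_MAX):
        raise ValueError("AS Number Range must satisfy 1 <= start <= end <= 65535")
    excluded = parse_as_exclusions(exclusions)
    return [n for n in range(range_start, range_end + 1) if n not in excluded]


if __name__ == "__main__":
    example = "65002,65012-65024|65042;65122"  # the multi-format example from the form help
    print(sorted(parse_as_exclusions(example)))
    # Constructed AS Number Range 65000-65010: 65002 is skipped, the rest is usable.
    print(usable_as_numbers(65000, 65010, example))
```

Because the parser raises on the first bad token instead of skipping it, it can be used as a pre-check before clicking Create or Update: a rejected string is a string the form should not accept either.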
Routing Loop Prevention
To prevent OSPF routing loops (refer to "Configuring OSPF") from a Hybrid Data Center to a Hybrid Site, define a BGP Community and an OSPF Tag.
• BGP Community: four-byte value written as two 16-bit hexadecimal halves separated by '.'
  • The first half takes a value in 0001 - FFFE (FFFE is the default). 0000 and FFFF are forbidden.
  • The second half takes a value in 0000 - FFFF (FF01 is the default).
• OSPF Tag: the authorized value range is [1 - 65535]. The default value is 6976.
For example, in "Use Case 1", the MPLS CE router (10.1.4.254) is likely to prefer the route towards B02 that it learns through OSPF from the hybrid Data Center appliance router (10.1.4.4), i.e. the Internet overlay path, over the MPLS route towards the same appliance, which creates a loop. To avoid this behavior:
• The B02 appliance router sets the BGP Community you define on the routes it exports into the overlay BGP. This enables the Data Center appliance router to identify these routes, tag them with the OSPF Tag you define and redistribute them into OSPF.
• After you have manually configured the MPLS CE router accordingly, it can reject any tagged routes coming from the Data Center, or refrain from redistributing them into the MPLS VPN's BGP.
Overlay Security
The following parameters only apply to the tunnels:
• between SD-WAN appliances
• between SD-WAN appliances and external gateways
• between SD-WAN appliances and cloud gateways
IKE policy
Internet Key Exchange (IKE) is a key management protocol that is used to authenticate IPsec peers, negotiate and distribute IPsec encryption keys, and automatically establish IPsec security associations (SAs). Refer to RFC 5996 (IKEv2, since obsoleted by RFC 7296).
• Encryption: drop-down list to choose the encryption algorithm (mandatory): AES-128 CBC, AES-192 CBC, AES-256 CBC, AES-128 GCM, AES-192 GCM, AES-256 GCM, AES-128 GMAC, AES-192 GMAC, AES-256 GMAC and 3DES. Note that the GMAC variants provide integrity only (the payload is authenticated but not encrypted) and that 3DES is deprecated; prefer an AES GCM mode.
• Integrity: drop-down list to choose the data integrity hash method: SHA1, SHA-256, SHA-384, SHA-512 and MD5. MD5 and SHA1 are deprecated; prefer SHA-256 or stronger.
• DH Group: drop-down list to choose the Diffie-Hellman group: 1 (768-bit MODP), 2 (1024-bit MODP), 5 (1536-bit MODP), 14 (2048-bit MODP), 19 (256-bit ECP), 20 (384-bit ECP), 21 (521-bit ECP) and 24 (2048-bit MODP with a 256-bit prime order subgroup). Groups 1, 2 and 5 are too small for current use; prefer 14 or an ECP group.
• SA lifetime (seconds): Security Association lifetime (86,400 s, i.e. 24 h, by default). The authorized range of values is [120 - 172800].
IPsec policy
• Encryption: drop-down list to choose the encryption algorithm (mandatory). The available options are the same as for the IKE policy encryption plus NULL, which authenticates the traffic but provides no confidentiality.
• Integrity: drop-down list to choose the data integrity hash method (mandatory); see the IKE policy integrity.
• DH Group (PFS only): drop-down list to choose the Diffie-Hellman group: 1 (768-bit), 2 (1024-bit), 5 (1536-bit), 14, 19, 20, 21, 24, or PFS disabled. With Perfect Forward Secrecy (PFS), each IPsec SA is keyed by a fresh Diffie-Hellman exchange instead of being derived from the IKE SA keying material alone, so the compromise of one key does not expose the keys of earlier or later SAs. Both sides of the VPN must support PFS for it to work. Using PFS therefore provides a more secure VPN connection.
• SA lifetime (seconds): Security Association lifetime (86,400 s, i.e. 24 hours, by default; mandatory). The authorized range of values is [120 - 172800].
• Lifebytes (kbytes): number of kilobytes sent through the tunnel before it is renewed; the tunnel is renewed after the SA lifetime period or after the Lifebytes amount, whichever expires first. Valid values are in the range [5120 - 2147483648 kbytes].
• MTU (bytes): maximum number of bytes carried in the payload. The default value is 1400. This value applies to all IPsec tunnels.
IPsec Concentrator authentication
If a Pre-Shared key is already configured, this field is displayed in green and may remain empty.
This Pre-Shared key is used for all the tunnels between appliances. Although it is automatically generated by the Orchestrator for each Customer, you may also enter a new Pre-Shared key as a string of at least 32 characters. Use the icon next to the field to display or hide the key. Because one key protects every tunnel of the Customer, treat it as a Customer-wide secret: the compromise of a single appliance exposes the key of all tunnels, so rotate it after any such event.
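The IKE policy, IPsec policy and Pre-Shared key fields accept several choices that are still offered for compatibility but that a reviewer would reject (MD5, SHA1, 3DES, NULL, the GMAC modes, DH groups 1/2/5, PFS disabled, a short key). The following checker is an added example, not Orchestrator code: it takes the two policies as plain dicts mirroring the form fields (the dict keys are an assumption), applies the bounds and the caveats described above, and is run here on a constructed legacy-looking configuration next to its hardened counterpart.

```python
# Algorithm sets as they appear in the Overlay Security drop-down lists.
WEAK_ENCRYPTION = {"3DES", "NULL"}                                   # deprecated or no confidentiality
INTEGRITY_ONLY = {"AES-128 GMAC", "AES-192 GMAC", "AES-256 GMAC"}    # authenticate, do not encrypt
AEAD = {"AES-128 GCM", "AES-192 GCM", "AES-256 GCM"}                 # integrity built into the cipher
WEAK_INTEGRITY = {"MD5", "SHA1"}
WEAK_DH_GROUPS = {1, 2, 5}                                           # 768/1024/1536-bit MODP
SA_LIFETIME_RANGE = (120, 172800)                                    # seconds, both policies
LIFEBYTES_RANGE = (5120, 2147483648)                                 # kbytes, IPsec policy only
PSK_MIN_LENGTH = 32                                                  # characters, per the form


def _check_phase(name: str, policy: dict, pfs_optional: bool) -> list[str]:
    """Findings for one policy; pfs_optional is True for the IPsec policy,
    where the DH group may be 'PFS disabled' (None here)."""
    f = []
    enc, integ, dh = policy["encryption"], policy["integrity"], policy["dh_group"]
    if enc in WEAK_ENCRYPTION:
        f.append(f"{name}: encryption {enc} provides no or weak confidentiality")
    if enc in INTEGRITY_ONLY:
        f.append(f"{name}: {enc} authenticates the payload but does not encrypt it")
    if integ in WEAK_INTEGRITY and enc not in AEAD:
        f.append(f"{name}: integrity {integ} is deprecated, use SHA-256 or stronger")
    if dh is None:
        if pfs_optional:
            f.append(f"{name}: PFS disabled, IPsec keys are derived from the IKE SA alone")
        else:
            f.append(f"{name}: a DH group is mandatory")
    elif dh in WEAK_DH_GROUPS:
        f.append(f"{name}: DH group {dh} is too small, use 14 or an ECP group (19/20/21)")
    lo, hi = SA_LIFETIME_RANGE
    if not lo <= policy["sa_lifetime"] <= hi:
        f.append(f"{name}: SA lifetime {policy['sa_lifetime']} outside [{lo} - {hi}]")
    return f


def check_overlay_security(ike: dict, ipsec: dict, psk: str) -> list[str]:
    """Return the findings for an IKE policy, an IPsec policy and the
    concentrator Pre-Shared key; an empty list means no objection."""
    findings = _check_phase("IKE", ike, pfs_optional=False)
    findings += _check_phase("IPsec", ipsec, pfs_optional=True)
    lo, hi = LIFEBYTES_RANGE
    if not lo <= ipsec["lifebytes"] <= hi:
        findings.append(f"IPsec: Lifebytes {ipsec['lifebytes']} outside [{lo} - {hi}] kbytes")
    if len(psk) < PSK_MIN_LENGTH:
        findings.append(f"PSK: {len(psk)} characters, at least {PSK_MIN_LENGTH} required")
    return findings


# Constructed policies: a legacy-looking one and its hardened counterpart.
LEGACY_IKE = {"encryption": "AES-128 CBC", "integrity": "MD5", "dh_group": 2, "sa_lifetime": 86400}
LEGACY_IPSEC = {"encryption": "3DES", "integrity": "SHA1", "dh_group": None,
                "sa_lifetime": 86400, "lifebytes": 4096}
HARDENED_IKE = {"encryption": "AES-256 GCM", "integrity": "SHA-256", "dh_group": 19, "sa_lifetime": 28800}
HARDENED_IPSEC = {"encryption": "AES-256 GCM", "integrity": "SHA-256", "dh_group": 19,
                  "sa_lifetime": 3600, "lifebytes": 4194304}

if __name__ == "__main__":
    weak_psk = "changeme"
    strong_psk = "k4Qz9vR2pX7mN1bT8wL3cJ6hF0sD5gY4"  # 32 characters, constructed for the example
    for line in check_overlay_security(LEGACY_IKE, LEGACY_IPSEC, weak_psk):
        print("finding:", line)
    print("hardened:", check_overlay_security(HARDENED_IKE, HARDENED_IPSEC, strong_psk))
```

The checker treats an AES GCM cipher as covering integrity on its own, so a weak entry in the Integrity list is only reported for the CBC ciphers, where that hash is what actually protects the packets.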
CloudMesh
The information of the CloudMesh Overlay Routing section is for consultation only.
• Overlay IP Network: subnet from which the Orchestrator selects the addresses of the appliance internal interfaces connecting to CloudMesh Edges. You cannot use this range in your network.
• AS Number: AS number used by CloudMesh Core. You cannot reuse or modify this parameter.
Syslog Servers
To enable log export by SD-WAN appliances about NATted DTI connections, you must define one (or several) Syslog Server(s) in your network.
After you have clicked 'Add Server', enter the server Name, its IP Address (preferably in your private network) or FQDN, the Protocol (TCP or UDP) and the Port. When NAT entries are created, logs are sent to the Syslog Server in syslog format.
Warning: log export is not available on VRRP backups (with unmounted tunnels).
Time Synchronization
• Define the Time Server by entering an IP address. Using a Time Server located inside the Customer private network is recommended.
• Then select from the stack up to 5 hub appliances to be used as Synchronization Servers. These appliances are synchronized with the Time Server and are used as synchronization references for all the other appliances of the Customer network.
Transport Network Settings
You may activate eligibility to DTI globally by selecting the appropriate Transport Network. If you select 'Internet', all Internet L3 WAN interfaces of all the appliances in your network will be eligible to DTI.
VRRP
Warning: only VRRP Version 2 is supported. Delays can only be defined in whole seconds (or, in milliseconds, as multiples of 1000).
General
• Advertising Interval (seconds): the virtual router master sends VRRP advertisements to the other VRRP routers in the same group. The priority and group ID of the virtual router master are carried in the advertisements. Advertisements are sent every second by default.
• Priorities - Master, Backup and Failed Check: priority values for the VRRP preemption mechanism. The device with the highest priority within the group becomes the master.
  • If Preemption is activated (by default), the following rules apply by decreasing order of preference:
    • the virtual router backup that is elected to become the master remains the master until the original virtual router master recovers and becomes the master again (master/backup deployment).
    Mechanism:
    if the LAN interface is down, the router is in FAULT state
    with the And logical operator, each health checked WAN interface that goes down degrades the priority by the specified Failed Check
    with the Or logical operator, the priority is not degraded until all health checked interfaces are down
  • If preemption is disabled:
    • the virtual router backup that is elected to become the master remains the master until it is in FAULT state, even after the original virtual router master has recovered; the original master only becomes the master again at that point (master/backup deployment)
    • the virtual router backup that is elected to become the master remains the master until it is in FAULT state. The other backup virtual router then becomes the master and remains the master until it is in FAULT state; if both virtual routers are down, traffic stops. When the first backup virtual router recovers (from FAULT state to Backup state), it becomes the master again (backup/backup deployment).
    Mechanism:
    if the LAN interface is down, the router is in FAULT state
    with the And logical operator, any health checked WAN interface that goes down switches the router to FAULT state
    with the Or logical operator, the virtual router switches to FAULT state only when all health checked WAN interfaces are down
  Warning: when preemption is disabled, there is no progressive health degradation. This can lead to a Site being isolated even if there is still a working WAN interface. For this reason, activating preemption is strongly recommended.
• Delay (seconds): delays the VRRP transition to master by the number of seconds specified (1 by default). This delay prevents the backup from becoming the master too frequently when the network flaps.
• Health Check Interfaces:
  • Interval (milliseconds): by default, the health check on interfaces is executed every second
  • Fall: number of consecutive failed health checks before the checked interface is considered in bad health
  • Rise: number of consecutive successful health checks before the checked interface is considered in good health again
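The difference between the two preemption modes, and the isolation warning above, are easiest to see by computing the effective priority of each appliance for a given set of interface states. The following Python is an added example, not Orchestrator code: `health_state` applies the Fall / Rise hysteresis to a sequence of check results, `vrrp_state` implements the And / Or rules described above for both preemption modes (priority degradation with preemption, straight to FAULT without), and `elect_master` picks the master. Priorities, the Failed Check value, interface names and the check results are constructed; the name-based tie-break stands in for the protocol's address-based one and is an assumption.

```python
def health_state(samples: list[bool], fall: int, rise: int, initial_up: bool = True) -> bool:
    """Apply the Fall / Rise hysteresis to a sequence of health check results
    (True = check succeeded).  The interface is declared down only after `fall`
    consecutive failures and up again only after `rise` consecutive successes."""
    up, failures, successes = initial_up, 0, 0
    for ok in samples:
        if ok:
            successes, failures = successes + 1, 0
            if not up and successes >= rise:
                up = True
        else:
            failures, successes = failures + 1, 0
            if up and failures >= fall:
                up = False
    return up


def vrrp_state(base_priority: int, failed_check: int, lan_up: bool,
               wan_health: dict[str, bool], operator: str, preemption: bool):
    """Return (effective priority, state) for one appliance.

    state is "FAULT" (the router withdraws from the election) or "RUN".
    With preemption, WAN failures degrade the priority (And: per failed
    interface; Or: once all are down).  Without preemption there is no
    degradation: the same conditions push the router straight into FAULT.
    """
    if operator not in ("and", "or"):
        raise ValueError("operator must be 'and' or 'or'")
    if not lan_up:
        return 0, "FAULT"
    down = sum(1 for ok in wan_health.values() if not ok)
    all_down = bool(wan_health) and down == len(wan_health)
    if preemption:
        penalty = failed_check * down if operator == "and" else (failed_check if all_down else 0)
        return base_priority - penalty, "RUN"
    faulted = down > 0 if operator == "and" else all_down
    return (0, "FAULT") if faulted else (base_priority, "RUN")


def elect_master(appliances: dict[str, tuple[int, str]]):
    """Highest effective priority among non-FAULT routers wins; None means the
    Site has no master at all.  Ties are broken by name here, a stand-in for
    the primary-address tie-break of the protocol (assumption)."""
    candidates = [(prio, name) for name, (prio, state) in appliances.items() if state == "RUN"]
    return max(candidates)[1] if candidates else None


if __name__ == "__main__":
    # Constructed Site: master priority 120, backup 100, Failed Check 30, two monitored WANs.
    one_down = {"wan-mpls": False, "wan-inet": True}
    healthy = {"wan-mpls": True, "wan-inet": True}
    for preemption in (True, False):
        master = vrrp_state(120, 30, True, one_down, "and", preemption)
        backup = vrrp_state(100, 30, True, healthy, "and", preemption)
        print(f"preemption={preemption}: master={master} backup={backup} "
              f"-> elected {elect_master({'master': master, 'backup': backup})}")
    # The isolation case of the warning: preemption off, And operator, one WAN down on each side.
    both = {name: vrrp_state(p, 30, True, one_down, "and", False) for name, p in (("master", 120), ("backup", 100))}
    print("preemption=False, one WAN down on both:", elect_master(both))  # None: no master although a WAN works
```

With preemption enabled the degraded master (120 - 30 = 90) simply loses the election to the healthy backup (100); with preemption disabled the same interface failure takes the router out of the election entirely, and when the backup has a failed interface as well the Site ends up without a master even though each appliance still has a working WAN interface.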
Gratuitous ARP
A Gratuitous ARP is an ARP Response that was not prompted by an ARP Request. The Gratuitous ARP is sent as a broadcast, as a way for a node to announce or update its IP to MAC mapping to the entire network.
• Delay (seconds): delay before a second set of Gratuitous ARP messages is sent after the transition to Master. Default: 5. Enter 0 for no second set.
• Repeat (count): number of Gratuitous ARP messages to send at a time after the transition to Master. Default: 5.
• Refresh delay (seconds): minimum time interval for refreshing Gratuitous ARP messages while Master. Default: 0.
• Refresh repeat (count): number of Gratuitous ARP messages to send at a time while Master. Default: 5.
• Delay (seconds): delay before a second set of Gratuitous ARP messages is sent after a lower priority advert has been received when Master. Default: 5. Enter 0 for no second set.
• Repeat (count): number of Gratuitous ARP messages to send at a time after a lower priority advert has been received when Master. Default: 5.
Tuning
• VRRP multicast group: IPv4 address of the group that corresponds to the abstract representation of the master and backup routers.
• Strict RFC adherence: check this option to ignore any customized settings and strictly adhere to the VRRP rules.
• When master, do not send advert after receiving lower priority advert: optional
• When master, send advert after receiving higher priority advert: optional
• Do not send second GARP burst of packets: optional
• GARP Interval (microseconds): default interval between Gratuitous ARP messages sent on an interface
• ARP NA Interval (microseconds): default interval between unsolicited NA (IPv6 Neighbor Advertisement) messages sent on an interface
IHAP
The following parameters identify the IHAP Profile you create or update.
Note: A Default IHAP Profile with predefined configuration parameters is available.
• Name: name of the IHAP profile, which is applied to both the nominal appliance and the backup appliance of the Site.
• Engine bad health criteria for recognizing a failover condition:
  • any (default): the failover condition is confirmed when any monitored interface is down
  • all: the failover condition is confirmed when all the monitored interfaces are down
• Interfaces to monitor: select the interfaces you want to monitor by moving them from the left pane to the right pane.
• Keep alive: keep alive time in milliseconds. The authorized range is [50 - 10000]. The default value is 100 ms.
• Peer dead factor: tunes the time the backup appliance waits before declaring the unresponsive active peer down. The authorized range is [3 - 10]. The default value is 5.
• Tunnel persistence: by default, this option is disabled, i.e. no tunnels are mounted on the standby appliance.
• Preemption: this option is enabled by default. It means that once the nominal appliance is back in standby, it preempts the active backup engine and becomes active again.
Cloud Access
This section lists all the defined Cloud Access objects (AWS or Azure) and enables you to select related Regions and define tunnel parameters.
Sync Period
By default, the SD-WAN Orchestrator checks the configuration of the VPN connections in AWS or Azure every 60 minutes. The Sync Period minimum value is 15 minutes; its maximum value is 1 day. This parameter applies to all Cloud Access objects, whatever the Cloud Provider.
Cloud Access Configuration
This window section enables you to modify the default configuration of any Cloud access object. Click on the Cloud Access object to be modified.
• Name: Cloud Access name. This name identifies the Cloud account in the ExtremeCloud SD-WAN Orchestrator.
• Provider: Cloud Provider (AWS, Azure).
• No of available regions: by default, all the regions enabled on the AWS or Azure account are selected.
• No of selected regions:
  • with AWS, this field specifies the number of regions you selected if you disabled some regions from the default list. Note that the SD-WAN Orchestrator does not discover any gateways in disabled regions.
  • with Azure, this field specifies all the regions of the default list; you cannot disable any region.
• Tunnel parameters: you can customize the VPN Tunnel Parameters values instead of using the default ones. Refer to "Overlay Security".
AWS
Azure