Configure Device Settings for Edges

1. Select Configure Edges, in the SD-WAN Service of the Enterprise portal.
2. Select Interfaces, scroll down and select LAG Interface.

   Table 19. LAG Interface Settings

3. Select LAG1 and enter the following details. Sub-interfaces are supported on a LAG.

   Table 20. LAG1 Option Descriptions

   Option	Description
   Select Interfaces	From the drop-down menu, select a required interface. Note: Only routed interfaces are supported. Note: Only ports of the same speed and type can co-exist in the same LAG.
   Description	Enter a general description.
   Timeout	In the Timeout option, select either the Slow or Fast option. Fast Timeout: 3 seconds (3 x 1 second) Slow Timeout: 90 seconds (3 x 30 seconds)
   Mode	Select the Active mode option. Note: Only Active mode is currently available.
   Priority	LACP system priority range is 1 to 65535 Default: 65535
   LAG INTERFACE SETTINGS
   Interface Enabled	Select the Interface Enable checkbox.
   Capability	It displays the status of the interface and for the LAG interface it is always routed.
   Segments	By default, the configuration settings are applicable to all the segments.
   Radius Authentication	Deactivate the Enable WAN Overlay check box to configure Radius Authentication. Select the Radius Authentication check box and add the MAC addresses of pre-authenticated devices.
   ICMP Echo Response	This check box is selected by default. This helps the interface to respond to ICMP echo messages. You can deactivate this option for security purposes.
   Underlay Accounting	This check box is selected by default. If a private WAN overlay is defined on the interface, all underlay traffic traversing the interface are counted against the measured rate of the WAN link to prevent over-subscription. Deactivate this option to avoid this behavior. Note: Underlay Accounting is supported for both, IPv4 and IPv6 addresses.
   Enable WAN Link	Select the check box to activate WAN overlay for the interface.
   Edge To Edge Encryption	Edge-to-edge encryption secures data both during transit and at rest.
   DNS Proxy	The DNS Proxy feature provides additional support for Local DNS entries on the Edge, to point certain device traffic to specific domains. You can activate or deactivate this option, irrespective of IPv4 or IPv6 DHCP Server setting. Note: This check box is available only for a Routed Interface and a Routed Subinterface.
   VLAN	VLAN-tagging on the LAG interface is supported, Trunk ports are not supported.
   EVDSL Modem Attached	Select this check box to activate an EVDSL Modem which is connected to one of the Ethernet ports on the Edge.
   IPv4 Settings	Select the Enable check box and configure the IPv4 settings. For more information, see IPv4 Settings section below. Note: It does not support PPPoE settings.
   Addressing Type	Select an addressing type: DHCP: Assigns an IPv4 address dynamically. PPPoE: You must configure the authentication details for each Edge. PPPoE requires authentication to get a dynamically assigned IP address. Static: You must enter the IP address, CIDR Prefix, and Gateway for the selected routed interface. 31-bit prefixes are supported for IPv4 as per RFC 3021.
   WAN Link	WAN link connects two or more local area networks (LANs) to form a wide area network (WAN).
   OSPF	This option is available only when you have configured OSPF at the Profile level for the selected Segment. Select the check box and choose an OSPF area from the drop-down menu. Select Advanced settings to configure the advanced interface settings for the selected OSPF area. Note: When configuring advanced OSPF area settings for a routed interface, the BFD configuration is supported only for Global segments The OSPFv2 configuration supports only IPv4. The OSPFv3 configuration supports only IPv6. OSFPv3 is only available in the 5.2 release.
   Multicast	This option is available only when you have configured multicast settings for the selected Segment. You can configure the following multicast settings for the selected interface. IGMP- Select the check box to activate Internet Group Management Protocol (IGMP). Only IGMP v2 is supported. PIM – Select the check box to activate Protocol Independent Multicast. Only PIM Sparse Mode (PIM-SM) is supported. Select toggle advanced multicast settings to configure the following timers: PIM Hello Timer – The time interval at which a PIM interface sends out Hello messages to discover PIM neighbors. The range is from 1 to 180 seconds and the default value is 30 seconds. IGMP Host Query Interval – The time interval at which the IGMP querier sends out host-query messages to discover the multicast groups with members, on the attached network. The range is from 1 to 1800 seconds and the default value is 125 seconds. IGMP Max Query Response Value – The maximum time that the host has to respond to an IGMP query. The range is from 10 to 250 deciseconds and the default value is 100 deciseconds. Note: Currently, Multicast Listener Discovery (MLD) is deactivated. Hence, Edge does not send the multicast listener report when IPv6 address is assigned to interface. If there is a snooping switch in the network then not sending MLD report may result in Edge not receiving multicast packets which are used in Duplicate Address Detection (DAD). This results in DAD success even with duplicate address
   Advertise	Select the check box to advertise the interface to other branches in the network.
   NAT Direct Traffic	Select the check box to apply NAT for IPv4 to network traffic sent from the interface.
   Trusted Source	Select the check box to set the interface as a trusted source.
   Reverse Path Forwarding	You can choose an option for Reverse Path Forwarding (RPF) only when you have selected the Trusted Source check box. This option allows traffic on the interface only if return traffic can be forwarded on the same interface. This helps to prevent traffic from unknown sources like malicious traffic on an Enterprise network. If the incoming source is unknown, then the packet is dropped at ingress without creating flows. Select one of the following options from the drop-down menu: Not Enabled – Allows incoming traffic even if there is no matching route in the route table. Specific – This option is selected by default, even when the Trusted Source option is deactivated. The incoming traffic should match a specific return route on the incoming interface. If a specific match is not found, then the incoming packet is dropped. This is a commonly used mode on interfaces configured with public overlays and NAT. Loose – The incoming traffic should match any route (Connected/Static/Routed) in the routing table. This allows asymmetrical routing and is commonly used on interfaces that are configured without next hop.
   IPv6 Settings
   Addressing Type	Select an addressing type: DHCP Stateless: DHCP Stateful: Static: You must enter the IP address, CIDR Prefix, and Gateway for the selected routed interface.
   DHCPv6 Client Prefix Delegation	Select Add to assign prefixes chosen from a global pool to DHCP clients. Enter the prefix pool name along with the prefix start and end details.
   WAN Link	WAN link connects two or more local area networks (LANs) to form a wide area network (WAN).
   OSPF	This option is available only when you have configured OSPF at the Profile level for the selected Segment. Select the check box and choose an OSPF area from the drop-down menu. Select Advanced settings to configure the advanced interface settings for the selected OSPF area Note: When configuring advanced OSPF area settings for a routed interface, the BFD configuration is supported only for global segments .
   Advertise	Select the check box to advertise the interface to other branches in the network.
   NAT Direct Traffic	Select the check box to apply NAT for IPv6 to network traffic sent from the interface.
   Trusted Source	Select the check box to set the interface as a trusted source.
   Reverse Path Forwarding	You can choose an option for Reverse Path Forwarding (RPF) only when you have selected the Trusted Source check box. This option allows traffic on the interface only if return traffic can be forwarded on the same interface. This helps to prevent traffic from unknown sources like malicious traffic on an Enterprise network. If the incoming source is unknown, then the packet is dropped at ingress without creating flows. Select one of the following options from the drop-down menu: Not Enabled – Allows incoming traffic even if there is no matching route in the route table. Specific – This option is selected by default, even when the Trusted Source option is deactivated. The incoming traffic should match a specific return route on the incoming interface. If a specific match is not found, then the incoming packet is dropped. This is a commonly used mode on interfaces configured with public overlays and NAT. Loose – The incoming traffic should match any route (Connected/Static/Routed) in the routing table. This allows asymmetrical routing and is commonly used on interfaces that are configured without next hop.
   Router Advertisement Host Settings	Routers send Router Advertisement (RA) messages to hosts to inform them about the default gateway IPv6 address and other router-related parameters.
   L2 Settings
   Autonegotiate	Auto-negotiate is not supported for Fiber SFPs. Changing auto-negotiation is not supported for Copper SFPs.
   MTU	Accepts the MTU value received through Route Advertisement. If you turn off this option, the MTU configuration of the interface is considered.
   HA Loss of Signal Detection	The HA Loss of Signal (LoS) detection enables an Edge to detect reachability failures in HA deployments on routed Interfaces.

    

   

    

   

   Note:

   • LAG member cannot be a member of another LAG.
   • Once an interface is configured as part of LAG, that interface will not be available for any config change. Member interface would inherit the LAG properties.
   • An empty LAG cannot be configured with other configurations like biz policy, firewall etc. A routed interface should have not been used anywhere else like biz policy, firewall in order to configure that interface as LAG member. If so Orchestrator would throw a error with details and then user has to make necessary action then orchestrator would allow the interface to be added to LAG If an interface is associated to other configurations at profile level, orchestrator will not validate such configs and it will allow the interface to be configured in LAG. This may lead to unexpected behaviour. Hence users are requested to cleanup all such configs at profile level before adding an interface to LAG
   • If an interface is associated to other configurations at profile level, orchestrator will not validate such configurations and it will allow the interface to be configured in LAG. This may lead to unexpected behaviour. Hence users are requested to cleanup all such configurations at profile level before adding an interface to LAG.

   LAG and Standard HA

   

   The above topology diagram illustrates a LAG created on the LAN side of the network. Customers can apply the same logic to the WAN side.

4. Make the connections as per the diagram.
5. On the Edge side LAG1 will be created with interface P1 and P2 from the Orchestrator.
6. On the peer side (the L2 Switch in this example), two distinct LAGs must be created. The active Edges P1 and P2, connected to the peer's P1 and P2, should be grouped into the same LAG on the peer device. Similarly, the standby edges P1 and P2, connected to the peer's P3 and P4, should be grouped into the same LAG on the peer device.
7. When High Availability is configured, LAGs on both the active and standby devices will remain up and run at all times. This ensures immediate traffic forwarding in the event of an HA failover.
8. LAG will be considered as single logical interface. As long as LAG is up, the interface will be accounted as an active LAN or WAN interface, and it would not trigger HA failover when any of the LAG member ports goes down.
9. When all the LAG members in active Edge goes down, then HA failover may take place, and standby Edge will take over.
10. LAG interface cannot be used as HA interface for back-to-back connection of Active and standby Edges.
11. LAG members cannot be spread across active and standby. That is P1 and P2 must be on same Edge to form LAG.
    Note: LAG port naming is only locally significant, and we do not know the limitations or capabilities of the L2 Switch, we should not assume they can or desire to name the LAGs as LAG1 and LAG2.
    LAG and Enhanced HA

    

    The above topology diagram illustrates enhanced HA, where a LAG is created on the WAN side of the network.
    1. LAG1 is active with members P1 and P2 and LAG2 is in standby with members P3 and P4. Peer LAGs on the L2 Switch must be created accordingly with the P1/P2 connections in one LAG and the P3/P4 connections in a separate LAG.
    2. It is recommended to use high speed interface as HA interface in case LAG is configured in standby in eHA.
    3. The LAG members cannot be spread across active and standby. That is P1 and P2 must be on same Edge to form a LAG.
    4. The LAG interface cannot be used as HA interface for back-to-back connection of Active and standby Edges.
    Limitations

    1. When LAG is used for underlay traffic forwarding either on LAN or WAN side, fair load sharing can be expected. When LAG is used for overlay traffic, hashing will happen based on outer header of the traffic, which will be fixed between two SDWAN end points. When there are multiple SDWAN edge points, then fair load sharing can be expected on WAN side.
    2. As hashing happens based on outer header, BW measurements on WAN side will be carried out using any one of the LAG members. If ISP Bandwidth is higher than single interface speed, then it is expected to configure the BW manually on WAN interface of LAG through an Orchestrator.
    3. It is recommended not to disable auto negotiation on LAG interface. Turning off autoneg settings on LAG may not work as expected.

1. In the Enterprise portal, select Configure Edges.
2. Select the Device Icon next to an Edge, or select the link to the Edge, and then select the Device tab.
3. Scroll down to the Device Settings section and select the DOWN arrow to view the Interface Settings for the Edge.
   The Interface Settings section displays the existing interfaces available in the Edge.
4. Select the Edit option for the Routed interface that you want to configure DHCP settings.

   

5. In the IPv4 Settings section, select the Addressing Type as Static and enter the IP addresses for the Edge Interface and the Gateway.
   Note: 31-bit prefixes are supported for IPv4 as per RFC 3021.
6. In the DHCP Server section, choose one of the following DHCP settings:
   • Enabled – Allows the DHCP with the Edge as the DHCP server. Configure the following details:
     • DHCP Start – Enter a valid IP address available within the subnet.
     • Lease Time – Select the period of time from the drop-down menu. This is the duration the VLAN is allowed to use an IP address dynamically assigned by the DHCP Server.
     • Options – Add pre-defined or custom DHCP options from the drop-down menu. The DHCP option is a network service passed to the clients from the DHCP server. For a custom option, enter the code, data type, and value. The table below lists the DHCP options for IPv4 and IPv6:

   Table 21. DHCP Options for IPv4

   Option	Code	Description
   Time offset	2	Specifies the offset of the client's subnet in seconds, from Coordinated Universal Time (UTC).
   DNS Server	6	Lists Domain Name System (RFC 1035) servers available to the client. Servers are listed in order of preference. Note: This value must be entered as a single entry. In case where both primary and secondary servers are needed, enter the values separated by a comma (Example: 8.8.8.8,8.8.4.4). If two separate values are entered without a comma, the client is configured with only one value.
   Domain Name	15	Specifies the domain name that the client must use when resolving host names using the Domain Name System.
   NTP servers	42	Lists the NTP servers in order of preference, used for time synchronization of the client.
   TFTP server	66	Configures the address or name of the TFTP server available to the client.
   Boot file name	67	Specifies a boot image to be used by the client.
   Domain search	119	Specifies the DNS domain search list that is used to perform DNS requests, based on short name using the suffixes provided in this list.
   custom	-	Clients may need specific custom options.

    

   Table 22. DHCP Options for IPv6

   DHCP Option Name	Code	Description
   SIP server names	21	Lists the domain names of the SIP outbound proxy servers that the client can use.
   SIP server addresses	22	Lists the IPv6 addresses of the SIP outbound proxy servers that the client can use.
   DNS Recursive Name Servers	23	Lists IPv6 addresses of DNS recursive name servers to which DNS queries may be sent by the client resolver in order of preference.
   Domain list	24	Provides a domain search list for the client, to be used when resolving hostnames through DNS.
   NIS servers list	27	Provides an ordered list of NIS servers with IPv6 addresses available to the client.
   NIS Domain name	29	Provides the NIS domain name to be used by the client.
   SNTP server	31	Provides an ordered list of SNTP servers with IPv6 addresses available to the client.
   Information refresh time	32	Specifies the upper bound of the number of seconds from the current time that a client should wait before refreshing information received from the DHCPv6 server, particularly for stateless DHCPv6 scenarios.
   Client FGDN	39	Indicates whether the client or the DHCP server should update DNS with the AAAA record corresponding to the assigned IPv6 address and the FQDN provided in this option. The DHCP server always updates the PTR record.
   custom	-	Clients may need specific custom options.

   • Relay – Allows DHCP with the DHCP Relay Agent installed at a remote location. If you choose this option, configure the following:
     • Relay Agent IP(s) – Specify the IP address of Relay Agent. Select the Plus(+) Icon to add more IP addresses.
   • Not Enabled – Deactivates DHCP.
   For more information on other options in the Interface Settings window, see Configure Interface Settings for Profiles.
   Note: See also Tunnel Overhead and MTU for more information.

1. In the SD-WAN service of the Enterprise portal, select Configure > Edges .
2. Select an Edge or select View in the Device column of the Edge. The configuration options for the selected Edge are displayed in the Device tab.
3. Under Connectivity, select and expand Interfaces.
4. Interfaces displays the different types of Interfaces available for the selected Edge.
5. Select the link to the switched interface, for example GE2, you want to configure for RADIUS authentication.

   

6. The Interface settings dialog appears. Add the VLAN to use for RADIUS authentication to the switched interfaces list of VLANs and select Save.

   

7. In the Device page, under Connectivity, select the VLAN section and select on the VLAN you want to use for RADIUS authentication.
8. On Edit VLAN, select RADIUS Authentication.

   

9. Configure the allowed list of pre-authenticated devices that should not forward to RADIUS for re-authentication. You can add devices by using individual MAC addresses, for example, 8c:ae:4c:fd:67:d5 or by using an OUI (Organizationally Unique Identifier, for example,.8c:ae:4c:00:00:00
10. Select Done.
11. Finally, select on Save Changes in the bottom right corner to apply your configurations.
    Note: The switched interface uses the server already assigned to the Edge. In an Edge, two interfaces cannot use two different RADIUS servers.

On routed interfaces customers can check MAC addresses against a RADIUS server to bypass 802.1x for LAN devices that do not support 802.1x authentication. MAB simplifies IT operations, saves time, and enhances scalability by no longer requiring customers to manually configure every MAC address that may need authentication.

1. In the SD-WAN Service of the Enterprise portal, click Configure > Edges . The Edges page displays the existing Edges.
2. Click an Edge or click View in the Device column of the Edge. The configuration options for the selected Edge display in the Device tab.
3. In Connectivity category, expand Interfaces to display the interfaces available for the selected Edge.
4. Click the link to a LAN Interface to edit the settings. The LAN Interface settings screen appears.

   

5. To override the LAN settings inherited from the Profile, select Override and modify the LAN settings for the Edge and click Save. For more information about the LAN interface configuration parameters, see Configure Interface Settings for Profiles.

1. In the SD-WAN Service of the Enterprise portal, click Configure > Edges .
   The Edges page displays the existing Edges.
2. Click the link to an Edge or click the View link in the Device column of the Edge.
   The configuration options for the selected Edge are displayed in the Device tab.
3. In the Connectivity category, expand Interfaces.
4. The different types of Interfaces available for the selected Edge are displayed. Click the link to a WLAN Interface to edit the settings. The WLAN Interface settings screen appears:

   

5. To override the WLAN settings inherited from the Profile, select the Override check box and modify the WLAN settings for the Edge.
6. Click Save. For more information about the WLAN interface configuration parameters, see Configure Interface Settings for Profiles.

1. In the SD-WAN service of the Enterprise portal, select Configure > Edges .
   The Edges page displays the existing Edges.
2. Select the link to an Edge or select the View link in the Device column of the Edge.
   The configuration options for the selected Edge are displayed in the Device tab.
3. In the Connectivity category, select Interfaces.
   The WAN Link Configuration section displays the existing Overlays.

   

4. Select the name of the Overlay to modify the settings. To create a new Public or Private WAN overlay, select Add User Defined WAN Link. The Virtual Edge: new link window appears.

   

5. In the User Defined WAN Overlay section, choose the Link Type from the following available options:
   • Public Overlay: Public Overlay is used over the Internet where SD-WAN cloud Gateways, that are on the Internet, are reachable. The user-defined overlay must be attached to an Interface. The public overlay instructs the Edge to assign primary and secondary Gateways over the interface it is attached to, to help determine the outside global NAT address. This outside global address is reported to the Orchestrator so that all the other Edges use this address, if configured to build VCMP tunnels to the currently selected Edge.
     Note: By default, all routed interfaces attempt to Auto Detect pre-assigned cloud Gateways over the Internet. If the attempt is successful, an Auto Detect Public overlay is created. A User Defined Public overlay is only needed if your Internet service requires a VLAN tag or you want to use a different public IP address from the one that the Edge has learned through DHCP on the public facing interface.
     The following image shows an example of Public Overlay settings:

     

     Table 23. Public Overlay Option Descriptions

     Option	Description
     Public IP Address	Displays the discovered public IP address for a public Overlay. This field is populated once the outside global NAT address is discovered using the Gateway method.

   • Private Overlay: Private Overlay is used on private networks such as an MPLS network or point-to-point link. A private overlay is attached to an interface like any user defined overlay and assumes that the IP address on the interface it is attached to, is routable for all other Edges on the same private network. This means that there is no NAT on the WAN side of the interface. When you attach a private overlay to an interface, the Edge advises the Orchestrator that the IP address on the interface should be used for any remote Edges configured to build tunnels to it.
     The following image shows an example of Private Overlay settings:

     

     Table 24. Private Overlay Option Description

     Option	Description
     SD-WAN Service Reachable	When creating a private overlay and attaching it to a private WAN like MPLS network, you may also be able to reach the internet over the same WAN, usually through a firewall in the data center. In this case, it is recommended to enable SD-WAN Service Reachable as it provides the following: A secondary path to the internet for access to internet hosted Gateways. This is used if all the direct links to the internet from this Edge fail. A secondary path to the Orchestrator, when all the direct links to the internet from this Edge fail. The management IP address the Edge uses to communicate must be routable within MPLS, otherwise NAT Direct would need to be checked on the private interface for the Orchestrator traffic to come back properly. Note: The Edge always prefers the VCMP tunnel created over a local internet link (short path), compared to the VCMP tunnel created over the private network using a remote firewall to the internet (long path). Per-packet or round-robin load balancing will not be performed between the short and long paths. In a site with no direct public internet access, the SD-WAN Service Reachable option allows the private WAN to be used for private site-to-site VCMP tunnels and as a path to communicate with an internet hosted VeloCloud SD-WAN service.
     Public SD-WAN Addresses	When you select the SD-WAN Service Reachable check box, a list of public IPv4 and IPv6 addresses of Gateways and Orchestrator is displayed, which may need to be advertised across the private network, if a default route has not been already advertised across the same private network from the firewall. Note: Some IP addresses in the list, such as Gateways, may change over time.

   The following table describes the settings that are common to Public and Private Overlay:

   Table 25. Public and Private Overlay Option Descriptions

   Option	Description
   Address Type	Choose the WAN overlay link to use either IPv4 or IPv6 address. You can also select IPv4 and IPv6, which enables to configure both IPv4 and IPv6 user-defined overlay towards the same ISP as a single link. This option helps preventing over subscription of a link towards an ISP. Note: When you choose IPv6 address, the Duplicate Address Detection (DAD) is not supported for IP steered overlay. The overlay network is steered when you configure the source IP address in the Optional Configuration.
   Name	Enter a descriptive WAN overlay name for the public or private link. Note: WAN overlay name should only consist of ASCII characters. Non-ASCII characters are not supported. You can reference this name while choosing a WAN link in a Business Policy.
   Operator Alerts	Sends alerts related to the Overlay network to the Operator. Ensure that you have enabled the Link alerts in the Configure > Alerts & Notifications page to receive the alerts.
   Alerts	Sends alerts related to the Overlay network to the Customer. Ensure that you have enabled the Link alerts in the Configure Alerts & Notifications page to receive the alerts.
   Select Interfaces	The Routed Interfaces enabled with IPv4 WAN Overlay or IPv6 WAN Overlay and set to User Defined Overlay are displayed as check boxes. The Interfaces displayed are based on the selected Address Type. Note: If the WAN Overlay link uses a static IPv4 address then you can select one or more routed interfaces and the current user-defined overlay is attached to the selected interface. If a static IPv6 address is configured then you cannot select one or more routed interfaces. For the 610-LTE and Edge 710 5G, you can add User Defined WAN overlay on CELL1 or CELL2. The Orchestrator displays both CELL1 and CELL2, irrespective of SIM presence. Therefore, you must be aware of which SIM slot is enabled (Active) and choose that SIM.

   The following table describes optional configuration settings:

   Table 26. Optional Configuration Option Descriptions

   Option	Description
   Source IP Address	This is the raw socket source IP address used for VCMP tunnel packets that originate from the interface to which the current overlay is attached. Source IP address does not have to be pre-configured anywhere but must be routable to and from the selected interface. You can enter IPv4 or IPv6 address in the respective fields to establish WAN overlay with the peer.
   Next-Hop IP Address	Enter the next hop IP address to which the packets, which come from the raw socket source IP address specified in the Source IP Address field, are to be routed. You can enter IPv4 or IPv6 address in the respective fields.
   Custom VLAN	Select this check box to enable custom VLAN and enter the VLAN ID. The range is 2 to 4094.This option applies the VLAN tag to the packets originated from the Source IP Address of a VCMP tunnel from the interface to which the current overlay is attached.
   Enable Per Link DSCP	Select this check box to add a DSCP tag to a specific overlay link. The DSCP tag will be applied at the outer header of the VCMP packet going over this overlay link. This will provide the ability to leverage the private network underlay DSCP tag mechanism to treat each overlay uniquely via QoS setting defined at the upstream router.
   802.1P Setting	Select this check box to set 802.1p PCP bits on frames leaving the interface to which the current overlay is attached. This setting is only available for a specific VLAN. PCP priority values are a 3-digit binary number. The range is from 000 to 111 and default is 000.This check box is available only when the system property session.options.enable8021PConfiguration must be set to True. By default, this value is False. If this option is not available for you, contact the Arista support of your operations team to enable the setting.

6. Select View advanced settings to configure the following:

   Table 27. Advanced Settings common to Public and Private Overlay

   Option	Description
   Bandwidth Measurement	Choose a method to measure the bandwidth from the following options: Measure Bandwidth (Slow Start): When measuring the default bandwidth reports incorrect results, it may be due to ISP throttling. To overcome this behavior, choose this option for a sustained slow burst of UDP traffic followed by a larger burst. Measure Bandwidth (Burst Mode): Choose this option to perform short bursts of UDP traffic to an Gateway for public links or to the peer for private links, to assess the bandwidth of the link. Do Not Measure (define manually): Choose this option to configure the bandwidth manually. This is recommended for the Hub sites because: Hub sites can usually only measure against remote branches which have slower links than the hub. If a hub Edge fails and is using a dynamic bandwidth measurement mode, it may add delay in the hub Edge coming back online while it re-measures the available bandwidth. For more information, see Bandwidth Measurement Modes.
   Upstream Bandwidth	Enter the upstream bandwidth in Mbps. This option is available only when you choose Do Not Measure (define manually).
   Downstream Bandwidth	Enter the downstream bandwidth in Mbps. This option is available only when you choose Do Not Measure (define manually).
   Dynamic Bandwidth Adjustment	Dynamic Bandwidth Adjustment attempts to dynamically adjust the available link bandwidth based on packet loss and intended for use with Wireless broadband services where bandwidth can suddenly decrease. Note: This configuration is not recommended for Edges with software release 3.3.x or earlier. You can configure this option for Edges with release 3.4 or later. This configuration is not supported with public link CoS.
   Link Mode	Select the mode of the WAN link from the drop-down. The following options are available: Active: This option is selected by default. The interface is used as a primary mode to send traffic. Backup: This option puts the interface that this WAN Overlay is attached to into Backup Mode. This means that the management tunnels are torn down for this interface, and the attached WAN link receives no data traffic. The Backup link would only be used if all paths from a number of Active links go down, which also drops the number of Active links below the number of Minimum Active Links configured. When this condition is met, management tunnels would be rebuilt for the interface and the Backup Link would become Active and pass traffic. Only one interface on an Edge can be put into backup mode. When enabled, the interface will be displayed in Monitor > Edges page as Cloud Status: Standby. Note: Use this option to reduce user data and SD-WAN performance measurement bandwidth consumption on a 4G or LTE service. However, failover times will be slower when compared to a link that is configured as either Hot Standby or as Active and uses a business policy to regulate bandwidth consumption. Do not use this feature if the Edge is configured as a Hub or is part of a Cluster. Hot Standby: When you configure the WAN link for Hot Standby mode, the management tunnels are built, which enables a rapid switchover in case of a failure. The Hot Standby link receives no data traffic except for heartbeats, which are sent every 5 seconds. When all paths from a number of Active links go down, which also drops the number of Active links below the number of Minimum Active Links configured, the Hot Standby link would come up. The traffic is sent through the Hot Standby path. When the path to the Primary Gateway comes up on Active links such that the number of Active links exceeds the number of Minimum Active Links configured, the Hot Standby link returns to Standby mode and the traffic flow switches over to the Active link(s). For more information, see the topic Configure Hot Standby Link. Once you activate the Backup or Hot Standby link option on an Interface, you cannot configure additional Interfaces of that Edge as either a Backup or Hot Standby Link, as an Edge can have only one WAN link as a Backup or Hot Standby at a time.
   Minimum Active Links	This option is available only when you choose Backup or Hot Standby as Link Mode. Select the number of active links that can be present in the network at a time, from the drop-down list. When the number of current active links that are UP goes below the selected number, then the Backup or the Hot Standby link comes up. The range is 1 to 3, with the default being 1.
   MTU	The Edge performs path MTU discovery and the discovered MTU value is updated in this field. Most wired networks support 1500 Bytes while 4G networks supporting VoLTE typically only allow up to 1358 Bytes. It is not recommended to set the MTU below 1300 Bytes as it may introduce framing overhead. There is no need to set MTU unless path MTU discovery has failed. You can find if the MTU is large from the Remote Diagnostics > List Paths page, as the VCMP tunnels (paths) for the interface never become stable and repeatedly reach an UNUSABLE state with greater than 25% packet loss. As the MTU slowly increases during bandwidth testing on each path, if the configured MTU is greater than the network MTU, all packets greater than the network MTU are dropped, causing severe packet loss on the path. For more information, see the topic Tunnel Overhead and MTU.
   Overhead Bytes	Enter a value for the Overhead bandwidth in bytes. This is an option to indicate the additional L2 framing overhead that exists in the WAN path. When you configure the Overhead Bytes, the bytes are additionally accounted for by the QoS scheduler for each packet, in addition to the actual packet length. This ensures that the link bandwidth is not oversubscribed due to any upstream L2-framing overhead.
   Path MTU Discovery	Select this check box to enable the discovery of Path MTU. After determining the Overhead bandwidth to be applied, the Edge performs Path MTU Discovery to find the maximum permissible MTU to calculate the effective MTU for customer packets. For more information, see the topic Tunnel Overhead and MTU.
   Configure Class of Service	Edges can prioritize traffic and provide a 3x3 QoS class matrix over both Internet and Private networks alike. However, some public or private (MPLS) networks include their own quality of service (QoS) classes, each with specific characteristics such as rate guarantees, rate limits, packet loss probability etc. This option allows the Edge to understand the public or private network QoS bandwidth available and policing for the public or private Overlay on a specific interface. Note: Outer DSCP tags must be set in business policy per application/rule and in this feature, each Class of Service line is matching on those DSCP tags set in the business policy. After you select this check box, configure the following: Class of Service: Enter a descriptive name for the class of service. You can reference this name while choosing a WAN link in a Business Policy. See the topic Configure Link Steering Modes. DSCP Tags: Class of service will match on the DSCP tags defined here. DSCP tags are assigned to each application using business policy. Bandwidth: Percentage of interface transmit/upload bandwidth available for this class as determined by the public or private network QoS class bandwidth guaranteed. Policing: This option monitors the bandwidth used by the traffic flow in the class of service and when the traffic exceeds the bandwidth, it rate-limits the traffic. Default Class: If the traffic does not fall under any of the defined classes, the traffic is associated with the default CoS. Note: The Dynamic Bandwidth Adjustment configuration is not supported with public link CoS. For more information about how to configure CoS, see the topic Configure Class of Service.
   Strict IP precedence	This check box is available when you select the Configure Class of Service check box. When you enable this option, 8 VCMP sub-paths corresponding to the 8 IP precedence bits are created. Use this option when you want to combine the Classes of Service into less number of classes in the network of your Service Provider. By default, this option is deactivated and the VCMP sub-paths are created for the exact number of classes of service that are configured. The grouping is not applied.

    

   Table 28. Advanced Settings for Public Overlay

   Option	Description
   UDP Hole Punching	If a Branch to Branch SD-WAN overlay is required and branch Edges are deployed behind NAT devices, that is NAT device is WAN side of the Edge, the direct VCMP tunnel on UDP/2426 will not likely come up if the NAT devices have not been configured to allow incoming VCMP tunnels on UDP port 2426 from other Edges. Use Branch to Branch VPN to enable branch to branch tunnels. See the topics, Configure a Tunnel Between a Branch and a Branch VPN and Configure Cloud VPN and Tunnel Parameters at Edge level. Use Remote Diagnostics List Paths to check that one Edge has built a tunnel to another Edge. UDP hole punching attempts to work around NAT devices blocking incoming connections. However, this technique is not applicable in all scenarios or with all types of NATs, as NAT operating characteristics are not standardized. Enabling UDP hole punching on an Edge overlay interface, instructs all remote Edges to use the discovered NAT public IP and NAT dynamic source port discovered through Gateway as destination IP and destination port for creating a VCMP tunnel to this Edge overlay interface. Note: Before enabling UDP hole punching, configure the branch NAT device to allow UDP/2426 inbound with port forwarding to the Edge private IP address or put the NAT device, which is usually a router or modem, into bridge mode. Use UDP hole punching only as a last resort as it will not work with firewalls, symmetric NAT devices, 4G/LTE networks due to CGNAT, and most modern NAT devices. UDP hole punching may introduce additional connectivity issues as remote sites try to use the new UDP dynamic port for VCMP tunnels.
   Type	When configuring a business policy for an Edge, you can choose the Link Steering to prefer a Transport Group as: Public Wired, Public Wireless or Private Wired. See the topic Configure Link steering Modes. Choose Wired or Wireless, to put the overlay into a public wired or wireless transport group.

    

   Table 29. Advanced Settings for Private Overlay

   Option	Description
   Private Network Name	If you have more than one private network and want to differentiate between them to ensure that the Edges try to tunnel only to Edges on the same private network then define a Private Network Name and attach the Overlay to it. This prevents tunneling to Edges on a different private network they cannot reach. In addition, configure the Edges in other locations on this private network to use the same private network name. For example: Edge1 GE1 is attached to private network A. Use private network A for the private overlay attached to GE1. Edge1 GE2 is attached to private network B. Use private network B for the private overlay attached to GE2.Repeat the same attachment and naming for Edge2.When you enable branch to branch or when Edge2 is a hub site: Edge1 GE1 attempts to connect to Edge2 GE1 and not GE2. Edge1 GE2 attempts to connect to Edge2 GE2 and not GE1.
   Configure Static SLA	Forces the overlay to assume that the SLA parameters being set are the actual SLA values for the path. No dynamic measurement of packet loss, latency or jitter will be done on this overlay. The QoE report use these values for its Green/Yellow/Red coloring against thresholds. Note: Static SLA configuration is not supported from release 3.4. It is recommended not to use this option, as dynamic measurement of packet loss, latency and jitter will provide a better outcome.

    

7. Select Add Link to save the configuration.

Support for DSCP Value Tag Per User Defined Overlay

With the 5.0.0 release, network administrators now have the ability to add a DSCP tag to a specific overlay link. The DSCP tag is applied at the outer header of the VCMP packet going over the overlay link, and it leverages the private network underlay DSCP tag to treat each overlay uniquely via the QoS setting defined on the WAN underlay network.

Enable Per link DSCP Check box

Select this check box to add a DSCP tag to a specific overlay link. The DSCP tag is applied at the outer header of the VCMP packet going over this overlay link. This provides the ability to leverage the private network underlay DSCP tag mechanism to treat each overlay uniquely via QoS setting defined at the upstream router.

Use Case: DSCP Value Per User Defined Overlay

In this use case, the requirement is to apply the WAN overlay DSCP tag value configured on the WAN link to all traffic egressing from this link, for the tunnel originating Edge. The configured DSCP value should apply to the VCMP outer header so that the MPLS network can read the DSCP value and apply differentiated services to the VCMP encapsulated packet. The inner DSCP tag value, coming from the LAN side of the Edge network, should be kept unmodified. Requirements on the tunnel destination side: The Hub or peer Edge that is receiving the tunnel creation request must respond with the same DSCP overlay tag value sent by the tunnel originator on the VCMP outer header. The hub or peer Edge terminating the overlay tunnel should not modify the inner DSCP tag destined for the LAN.

In the image below, the Enterprise is using DSCP values on their underlay network to provide differentiated services based on source WAN overlay link/tunnel.

1. In the SD-WAN service of the Enterprise portal, select Configure > Edges .
2. Select the link to an Edge or select the View link in the Device column of the Edge. The configuration options for the selected Edge are displayed in the Device tab.
3. In the Connectivity category, select and expand Interfaces.
4. The Interfaces section displays the different types of Interfaces available for the selected Edge.
5. In the WAN Link Configuration section, select Add User Defined WAN Link.

   

6. In the User Defined WAN Link window, enter the name for the new WAN link and choose the Link Type as required, that is Public or Private.
7. To configure CoS for the new link, scroll down and select View advanced settings.

   

8. Select the Configure Class of Service check box and configure the following settings:
   1. Strict IP Precedence: Select this check box to enforce strict IP precedence. When you enable this option, 8 VCMP sub-paths corresponding to the 8 IP precedence bits are created. Use this option when you want to combine the Classes of Service into less number of classes in the network of your Service Provider. By default, this option is deactivated and the VCMP sub-paths are created for the exact number of classes of service that are configured. The grouping is not applied.
   2. Class of Service: You an add multiple class of services. Select +Add and enter a descriptive name for the class of service. The name can be a combination of alphanumeric and special characters.
   3. DSCP Tags: You can assign multiple DSCP tags to the class of service by selecting DSCP tags from the available list. You should map DSCP tags of same IP precedence to the same class of service. A CoS queue can be an aggregate of many classes but DSCP values of same class cannot be part of multiple class queues. For example, the following set of DSCP tags cannot be spread across multiple queues:
      • CS1 and AF11 to AF14
      • CS2 and AF21 to AF24
      • CS3 and AF31 to AF34
      • CS4 and AF41 to AF44
   4. Bandwidth: Enter a value in percentage for the traffic designated to the CoS. This value allocates a weight to the class. The incoming traffic is processed based on the associated weight. If you have multiple class of services, the total value of the bandwidth should add up to 100.
   5. Policing: Select the checkbox to enable the class-based policing. This option monitors the bandwidth used by the traffic flow in the class of service and when the traffic exceeds the bandwidth, it polices the traffic.
   6. Default Class: Select to set the corresponding class of service as default. If the incoming traffic does not fall under any of the defined classes, the traffic is associated with the default CoS.
9. Select Add Link to save the settings.
10. Select Save Changes in the Device page.
11. You can also define the CoS for an existing link by selecting the existing WAN links and performing the Step 9.

1. In the SD-WAN Service of the Enterprise portal, select Configure > Edges . The Edges page displays the existing Edges.
2. Select the link to an Edge or select the View link in the Device column of the Edge. The configuration options for the selected Edge are displayed in the Device tab.
3. In the Connectivity category, expand Interfaces. The Interfaces section displays the different types of Interfaces available for the selected Edge.
4. In the WAN Link Configuration section, you can configure Hot Standby link mode for existing auto-detected or user-defined WAN links or you can create a new WAN link by selecting the Add User Define WAN Link and configure Hot Standby link mode.
   For steps on how to add a new user defined WAN link, see Configure Edge WAN Overlay Settings with New Orchestrator UI.

   

5. To configure Hot Standby link mode for an existing link, select the existing WAN link and modify the settings.

   

6. In the User Defined WAN Link window, scroll down and select View advanced settings.
7. From the Link Mode drop-down menu, select Hot Standby.
8. From the Minimum Active Links from the drop-down menu, select the number of active links that can be present in the network at a time. When the number of current active links that are UP goes below the selected number, then the Hot Standby link comes up. The range is 1 to 3, with the default value being 1.
9. Configure other options as required and select Update Link to save the settings.
   For more information on other options in the WAN Overlay window, see Configure Edge WAN Overlay Settings with New Orchestrator UI.

DHCPv6 Prefix Delegation feature allows packet exchange between a DHCP Client and a DHCP Server. The Edge requests the server to provide prefixes over the WAN interfaces to delegate to clients on the LAN side. The server provides a prefix to the Edge in response. The Edge then configures an IP address on the LAN interface using this delegated prefix. The Edge starts sending out router advertisements with this prefix.

1. In the SD-WAN service of the Enterprise portal, select Configure > Edges . The Edges page displays the existing Edges.
2. Select the link to an Edge or select the View link in the Device column of the Edge. The configuration options for the selected Edge display on the Device tab.
3. DHCPv6 Prefix Delegation can be configured on WAN, LAN, and VLAN interfaces. See the following sections for more details:
   • Configuring DHCPv6 Prefix Delegation on an Edge WAN Interface
   • Configuring DHCPv6 Prefix Delegation on an Edge LAN Interface
   • Configuring DHCPv6 Prefix Delegation on an Edge VLAN Interface

You can configure Virtual Router Redundancy Protocol (VRRP) on an Edge to enable next-hop redundancy in the Orchestrator network by peering with third-party CE router. You can configure an Edge to be a primary VRRP device and pair the device with a third-party router.

Consider the following guidelines before configuring VRRP:

• You can enable VRRP only between the Edge and third party router connected to the same subnet through an L2 switch.
• You can add only one Edge to the VRRP HA group in a branch.
• You cannot enable both Active-Standby HA and VRRP HA at the same time.
• VRRP is supported on primary routed port, sub-interface, and VLAN interfaces.
• Edge must be configured as the primary VRRP device, by setting higher priority, in order to steer the traffic through SD-WAN.
• If the Edge is configured as the DHCP server, then virtual IP addresses are set as the default Gateway address for the clients. When you use a separate DHCP server relay for the LAN, then the admin must configure the VRRP virtual IP address as the default Gateway address.
• When DHCP server is enabled in both the Edge and third-party router, then split the DHCP pool between the Edge and third party router, to avoid the overlapping of IP addresses.
• VRRP is not supported on an interface enabled with WAN Overlay, that is on the WAN link. If you want to use the same link for LAN, then create a sub-interface and configure VRRP on the sub-interface.
• You can configure only one VRRP group in a broadcast domain in a VLAN. You cannot add additional VRRP group for the secondary IP addresses.
• Do not add WI-FI link to the VRRP enabled VLAN. As the link failure would never happen, the Edge always remains as the primary device.

The following illustration shows a network configured with VRRP:

1. In the SD-WAN service of the Enterprise portal, go to Configure > Edges . The Edges page displays the existing Edges.
2. Select the link to an Edge you want to configure VRRP settings or select the View link in the Device column of the Edge. The configuration options for the selected Edge are displayed in the Device tab.
3. Scroll down to the High Availability category, and from the Select Type options choose VRRP with 3rd Party Router.
4. In the VRRP Settings, select +Add and configure the following:

   

   Table 44. VRRP with 3rd Party Router Field Descriptions

   Field	Description
   VRID	Enter the VRRP group ID. The range is from 1 to 255.
   Segment Name	Displays the current Segment selected for Edge configuration. Note: The VRRP settings apply only to the current Segment that is selected.
   Interface	Select a physical or VLAN Interface from the list. The VRRP is configured on the selected Interface.
   Virtual IP	Enter a virtual IP address to identify the VRRP pair. Ensure that the virtual IP address is not the same as the IP address of the Edge Interface or the third-party router.
   Advertise Interval	Enter the time interval with which the primary VRRP device sends VRRP advertisement packets to other members in the VRRP group.
   Priority	To configure the Edge as primary VRRP device, enter a value that exceeds the priority value of the third-party router. The default is 100.
   Preempt Delay	Select the check box and enter the preempt delay value so that Edge can preempt the third-party router which is currently the primary device, after the specified preempt delay.

5. Click Save Changes.