Configure Edges with New Orchestrator UI

1. In the Enterprise portal, select Configure > Edges .
2. Select the Device icon next to an Edge, or select the link to the Edge, and then select the Device tab.
3. Scroll down to the Device Settings section and select the DOWN arrow to view the Interface Settings for the Edge.
4. The Interface Settings section displays the existing interfaces available in the Edge.
5. Select the Edit option for the Routed interface that you want to configure DHCP settings.

   

6. In the IPv4 Settings section, select the Addressing Type as Static and enter the IP addresses for the Edge Interface and the Gateway.
   Note: 31-bit prefixes are supported for IPv4 as per RFC 3021.
7. In the DHCP Server section, choose one of the following DHCP settings:
   • Enabled – Allows the DHCP with the Edge as the DHCP server. Configure the following details:
     • DHCP Start – Enter a valid IP address available within the subnet.
     • Num. Addresses – Enter the number of IP addresses available on a subnet in the DHCP Server.
     • Lease Time – Select the period of time from the drop-down menu. This is the duration the VLAN is allowed to use an IP address dynamically assigned by the DHCP Server.
     • Options – Add pre-defined or custom DHCP options from the drop-down menu. The DHCP option is a network service passed to the clients from the DHCP server. For a custom option, enter the code, data type, and value. The table below lists the DHCP options for IPv4 and IPv6:

       Table 18. DHCP Options for IPv4

       Option	Code	Description
       Time offset	2	Specifies the offset of the client's subnet in seconds, from Coordinated Universal Time (UTC).
       DNS server	6	Lists Domain Name System (RFC 1035) servers available to the client. Servers are listed in order of preference. Note: This value must be entered as a single entry. In case where both primary and secondary servers are needed, enter the values separated by a comma (Example: 8.8.8.8,8.8.4.4). If two separate values are entered without a comma, the client is configured with only one value.
       Domain name	15	Specifies the domain name that the client must use when resolving host names using the Domain Name System.
       NTP servers	42	Lists the NTP servers in order of preference, used for time synchronization of the client.
       TFTP server	66	Configures the address or name of the TFTP server available to the client.
       Boot file name	67	Specifies a boot image to be used by the client.
       Domain search	119	Specifies the DNS domain search list that is used to perform DNS requests, based on short name using the suffixes provided in this list.
       custom	-	Clients may need specific custom options.

        

       Table 19. DHCP Options for IPv6

       DHCP Option Name	Code	Description
       SIP server names	21	Lists the domain names of the SIP outbound proxy servers that the client can use.
       SIP server addresses	22	Lists the IPv6 addresses of the SIP outbound proxy servers that the client can use.
       DNS Recursive Name Servers	23	Lists IPv6 addresses of DNS recursive name servers to which DNS queries may be sent by the client resolver in order of preference.
       Domain list	24	Provides a domain search list for the client, to be used when resolving hostnames through DNS.
       NIS servers list	27	Provides an ordered list of NIS servers with IPv6 addresses available to the client.
       NIS Domain name	29	Provides the NIS domain name to be used by the client.
       SNTP server	31	Provides an ordered list of SNTP servers with IPv6 addresses available to the client.
       Information refresh time	32	Specifies the upper bound of the number of seconds from the current time that a client should wait before refreshing information received from the DHCPv6 server, particularly for stateless DHCPv6 scenarios.
       Client FGDN	39	Indicates whether the client or the DHCP server should update DNS with the AAAA record corresponding to the assigned IPv6 address and the FQDN provided in this option. The DHCP server always updates the PTR record.
       custom	-	Clients may need specific custom options.

   • Relay – Allows DHCP with the DHCP Relay Agent installed at a remote location. If you choose this option, configure the following:
     • Relay Agent IP(s) – Specify the IP address of Relay Agent. Select the Plus ( +) icon to add additional IP addresses.
   • Not Enabled – Deactivates DHCP.

   For additional information on other options in the Interface Settings window, see Configure Interface Settings for Profile.

   Also, see Tunnel Overhead and MTU for additional information.

1. In the SD-WAN service of the Enterprise portal, select Configure > Edges .
2. Select the link to an Edge or select the View link in the Device column of the Edge.
   The configuration options for the selected Edge are displayed in the Device tab.
3. In the Connectivity category, select and expand Interfaces.
4. The Interfaces section displays the different types of Interfaces available for the selected Edge.
5. Select the link to the routed interface that you want to configure RADIUS authentication.

   

6. Deactivate the Enable WAN Link check box to configure RADIUS authentication.
7. Select the RADIUS Authentication check box.
8. Select +Add and configure the allowed list of devices that are pre-authenticated and should not be forwarded to RADIUS for re-authentication. You can add devices by using individual MAC addresses (e.g. 8c:ae:4c:fd:67:d5) or by using OUI (Organizationally Unique Identifier [e.g. 8c:ae:4c:00:00:00]).
   Note: The interface will use the server that has already been assigned to the Edge. In an Edge, two interfaces cannot use two different RADIUS servers.

   For additional information on other options in the Interface Settings window, see Configure Interface Settings for Edges.

1. In the SD-WAN service of the Enterprise portal, select Configure > Edges .
2. Select the link to an Edge or select the View link in the Device column of the Edge.
   The configuration options for the selected Edge are displayed in the Device tab.
3. In the Connectivity category, select and expand Interfaces.
4. The Interfaces section displays the different types of Interfaces available for the selected Edge.
5. Select the link to the switched interface (for example GE2 as shown in the following screenshot) that you want to configure RADIUS authentication.

   

6. The Interface settings dialog appears. Add the VLAN where RADIUS authentication will be used to the switched interfaces list of VLANs and select Save.

   

7. On the Device page, under the Connectivity category select the VLAN section and select the VLAN you want to use for RADIUS authentication.
8. On the Edit VLAN screen, select the RADIUS Authentication check box.

   

9. Configure the allowed list of devices that are pre-authenticated and should not be forwarded to RADIUS for re-authentication. You can add devices by using individual MAC addresses (e.g. 8c:ae:4c:fd:67:d5) or by using OUI (Organizationally Unique Identifier [e.g. 8c:ae:4c:00:00:00]).
10. Select Done.
11. Finally, select Save Changes in the bottom right corner to apply your configurations.
    Note: The switched interface will use the server that has already been assigned to the Edge. In an Edge, two interfaces cannot use two different RADIUS servers.

1. In the SD-WAN service of the Enterprise portal, click Configure > Edges .
2. Click the link to an Edge or click the View link in the Device column of the Edge.
   The configuration options for the selected Edge are displayed in the Device tab.
3. In the Connectivity category, click and expand Interfaces.
   The Interfaces section displays the different types of Interfaces available for the selected Edge.

   

4. Click the Interface to edit the Routed interface that is configured for RADIUS authentication.

   

5. On the Interfaces Edit screen confirm that RADIUS Authentication is configured and then select the check box for Enable RADIUS based MAB (MAC Address Authentication Bypass).
6. Click Save and return to the Device page.
7. Click Save Changes in the bottom right corner to apply your configuration.

1. In the SD-WAN service of the Enterprise portal, select Configure > Edges .
   The Edges page displays the existing Edges.
2. Select the link to an Edge or select the View link in the Device column of the Edge.
   The configuration options for the selected Edge are displayed in the Device tab.
3. In the Connectivity category, expand Interfaces.
   The different types of Interfaces available for the selected Edge are displayed.
4. Select the link to a LAN Interface to edit the settings. The LAN Interface settings screen as shown below appears.

   

5. To override the LAN settings inherited from the Profile, select the Override check box and modify the LAN settings for the Edge and select Save.
   For additional information about the LAN interface configuration parameters, see Configure Interface Settings for Profile.

1. In the SD-WAN service of the Enterprise portal, select Configure > Edges .
   The Edges page displays the existing Edges.
2. Select the link to an Edge or select the View link in the Device column of the Edge.
   The configuration options for the selected Edge are displayed in the Device tab.
3. In the Connectivity category, expand Interfaces.
4. The different types of Interfaces available for the selected Edge are displayed. Select the link to a WLAN Interface to edit the settings.
   The WLAN Interface settings screen as shown below appears.

   

5. To override the WLAN settings inherited from the Profile, select the Override check box and modify the WLAN settings for the Edge and select Save.
   For additional information about the WLAN interface configuration parameters, see Configure Interface Settings for Profile.

1. In the Enterprise portal, select Configure > Edges .
   The Edges page displays the existing Edges.
2. Select the link to an Edge or select the View link in the Device column of the Edge.
   The configuration options for the selected Edge are displayed in the Device tab.
3. In the Connectivity category, select Interfaces.
   The WAN Link Configuration section displays the existing Overlays.

   

4. You can select the Name of the Overlay to modify the settings. To create a new Public or Private WAN overlay, select Add User Defined WAN Link.
   The Virtual Edge: new link window appears.

   

5. In the User Defined WAN Overlay section, choose the Link Type from the following available options:
   • Public overlay is used over the Internet where SD-WAN cloud Gateways, that are on the Internet, are reachable. The user-defined overlay must be attached to an Interface. The public overlay instructs the Edge to assign primary and secondary gateways over the interface it is attached, to help determine the outside global NAT address. This outside global address is reported to the Orchestrator so that all the other Edges use this outside global address, if configured to build VCMP tunnels to the currently selected Edge.
     Note: By default, all routed interfaces will attempt to Auto Detect, that is build VCMP tunnels to, pre-assigned cloud Gateways over the Internet. If the attempt is successful, an Auto Detect Public overlay is created. A User Defined Public overlay is only needed if your Internet service requires a VLAN tag or you want to use a different public IP address from the one that the Edge has learned through DHCP on the public facing interface.
   • Private overlay is used on private networks such as an MPLS network or point-to-point link. A private overlay is attached to an interface like any user defined overlay and assumes that the IP address on the interface it is attached is routable for all other Edges on the same private network. This means that there is no NAT on the WAN side of the interface. When you attach a private overlay to an interface, the Edge advises the Orchestrator that the IP address on the interface should be used for any remote Edges configured to build tunnels to it.
6. You can configure the following Overlay settings:

   Table 20. Overlay Settings - Options and Descriptions

   Option	Description
   Address Type	Choose the WAN overlay link to use either IPv4 or IPv6 address. You can also select IPv4 and IPv6, which enables to configure both IPv4 and IPv6 user-defined overlay towards the same ISP as a single link. This option helps preventing oversubscription of a link towards an ISP. Note: When you choose IPv6 address, the Duplicate Address Detection (DAD) is not supported for IP steered overlay. The overlay network is steered when you configure the source IP address in the Optional Configuration.
   Name	Enter a descriptive WAN overlay name for the public or private link. Note: WAN overlay name should only consist of ASCII characters. Non-ASCII characters are not supported. You can reference this name while choosing a WAN link in a Business Policy. See the topic Configure Link Steering Modes.
   Operator Alerts	Sends alerts related to the Overlay network to the Operator. Ensure that you have enabled the Link alerts in the Configure > Alerts & Notifications page to receive the alerts.
   Alerts	Sends alerts related to the Overlay network to the Customer. Ensure that you have enabled the Link alerts in the Configure > Alerts & Notifications page to receive the alerts.
   Select Interfaces	The Routed Interfaces enabled with IPv4 WAN Overlay or IPv6 WAN Overlay and set to User Defined Overlay are displayed as check boxes. The Interfaces displayed are based on the selected Address Type. Note: If the WAN Overlay link uses a static IPv4 address then you can select one or more routed interfaces and the current user-defined overlay is attached to the selected interface. If a static IPv6 address is configured then you cannot select one or more routed interfaces. For the 610-LTE and Edge 710 5G, you can add User Defined WAN overlay on CELL1 or CELL2. The Orchestrator displays both CELL1 and CELL2, irrespective of SIM presence. Therefore, you must be aware of which SIM slot is enabled (Active) and choose that SIM.

   Table 21. Overlay Settings - Options and Descriptions

   Option	Description
   Public IP Address	Displays the discovered public IP address for a public Overlay. This field is populated once the outside global NAT address is discovered using the Gateway method.

7. The following image shows an example of settings for Public Overlay:

   

8. You can configure the following Public Overlay settings:

   Table 22. Public Overlay Settings - Options and Descriptions

   Option	Description
   SD-WAN Service Reachable	When creating a private overlay and attaching it to a private WAN like MPLS network, you may also be able to reach the internet over the same WAN, usually through a firewall in the data center. In this case, it is recommended to enable SD-WAN Service Reachable as it provides the following: A secondary path to the internet for access to internet hosted Gateways. This is used if all the direct links to the internet from this Edge fail. A secondary path to the Orchestrator, when all the direct links to the internet from this Edge fail. The management IP address the Edge uses to communicate must be routable within MPLS, otherwise NAT Direct would need to be checked on the private interface for the Orchestrator traffic to come back properly. Note: The Edge always prefers the VCMP tunnel created over a local internet link (short path), compared to the VCMP tunnel created over the private network using a remote firewall to the internet (long path). Per-packet or round-robin load balancing will not be performed between the short and long paths. In a site with no direct public internet access, the SD-WAN Service Reachable option allows the private WAN to be used for private site-to-site VCMP tunnels and as a path to communicate with an internet hosted VeloCloud SD-WAN service.
   Public SD-WAN Addresses	When you select the SD-WAN Service Reachable check box, a list of public IPv4 and IPv6 addresses of Gateways and Orchestrator is displayed, which may need to be advertised across the private network, if a default route has not been already advertised across the same private network from the firewall. Note: Some IP addresses in the list, such as Gateways, may change over time.

9. The following image shows an example of settings for Private Overlay:

   

   Table 23. Private Overlay Settings- Options and Descriptions

   Option	Description
   Source IP Address	This is the raw socket source IP address used for VCMP tunnel packets that originate from the interface to which the current overlay is attached. Source IP address does not have to be pre-configured anywhere but must be routable to and from the selected interface. You can enter IPv4 or IPv6 address in the respective fields to establish WAN overlay with the peer.
   Next-Hop IP Address	Enter the next hop IP address to which the packets, which come from the raw socket source IP address specified in the Source IP Address field, are to be routed. You can enter IPv4 or IPv6 address in the respective fields.
   Custom VLAN	Select this check box to enable custom VLAN and enter the VLAN ID. The range is 2 to 4094. This option applies the VLAN tag to the packets originated from the Source IP Address of a VCMP tunnel from the interface to which the current overlay is attached.
   Enable Per Link DSCP	Select this check box to add a DSCP tag to a specific overlay link. The DSCP tag will be applied at the outer header of the VCMP packet going over this overlay link. This will provide the ability to leverage the private network underlay DSCP tag mechanism to treat each overlay uniquely via QoS setting defined at the upstream router.
   802.1P Setting	Select this check box to set 802.1p PCP bits on frames leaving the interface to which the current overlay is attached. This setting is only available for a specific VLAN. PCP priority values are a 3-digit binary number. The range is from 000 to 111 and default is 000. This check box is available only when the system property session.options.enable8021PConfiguration must be set to True. By default, this value is False. If this option is not available for you, contact the Arista Support of your operations team to enable the setting.

10. Select View advanced settings to configure the following settings:

    Table 24. Advanced Settings - Options and Descriptions

    Option	Description
    Bandwidth Measurement	Choose a method to measure the bandwidth from the following options: Measure Bandwidth (Slow Start): When measuring the default bandwidth reports incorrect results, it may be due to ISP throttling. To overcome this behavior, choose this option for a sustained slow burst of UDP traffic followed by a larger burst. Measure Bandwidth (Burst Mode): Choose this option to perform short bursts of UDP traffic to an Gateway for public links or to the peer for private links, to assess the bandwidth of the link. Do Not Measure (define manually): Choose this option to configure the bandwidth manually. This is recommended for the Hub sites because: Hub sites can usually only measure against remote branches which have slower links than the hub. If a hub Edge fails and is using a dynamic bandwidth measurement mode, it may add delay in the hub Edge coming back online while it re-measures the available bandwidth. For additional information, see Bandwidth Measurement Modes.
    Upstream Bandwidth	Enter the upstream bandwidth in Mbps. This option is available only when you choose Do Not Measure (define manually).
    Downstream Bandwidth	Enter the downstream bandwidth in Mbps. This option is available only when you choose Do Not Measure (define manually).
    Dynamic Bandwidth Adjustment	Dynamic Bandwidth Adjustment attempts to dynamically adjust the available link bandwidth based on packet loss and intended for use with Wireless broadband services where bandwidth can suddenly decrease. Note: This configuration is not recommended for Edges with software release 3.3.x or earlier. You can configure this option for Edges with release 3.4 or later. This configuration is not supported with public link CoS.
    Link Mode	Select the mode of the WAN link from the drop-down. The following options are available: Active: This option is selected by default. The interface is used as a primary mode to send traffic. Backup: This option puts the interface that this WAN Overlay is attached to into Backup Mode. This means that the management tunnels are torn down for this interface, and the attached WAN link receives no data traffic. The Backup link would only be used if all paths from a number of Active links go down, which also drops the number of Active links below the number of Minimum Active Links configured. When this condition is met, management tunnels would be rebuilt for the interface and the Backup Link would become Active and pass traffic. Only one interface on an Edge can be put into backup mode. When enabled, the interface will be displayed in Monitor > Edges page as Cloud Status: Standby. Note: Use this option to reduce user data and SD-WAN performance measurement bandwidth consumption on a 4G or LTE service. However, failover times will be slower when compared to a link that is configured as either Hot Standby or as Active and uses a business policy to regulate bandwidth consumption. Do not use this feature if the Edge is configured as a Hub or is part of a Cluster. Hot Standby: When you configure the WAN link for Hot Standby mode, the management tunnels are built, which enables a rapid switchover in case of a failure. The Hot Standby link receives no data traffic except for heartbeats, which are sent every 5 seconds. When all paths from a number of Active links go down, which also drops the number of Active links below the number of Minimum Active Links configured, the Hot Standby link would come up. The traffic is sent through the Hot Standby path. When the path to the Primary Gateway comes up on Active links such that the number of Active links exceeds the number of Minimum Active Links configured, the Hot Standby link returns to Standby mode and the traffic flow switches over to the Active link(s). For additional information, see the topic Configure Hot Standby Link. Once you activate the Backup or Hot Standby link option on an Interface, you cannot configure additional Interfaces of that Edge as either a Backup or Hot Standby Link, as an Edge can have only one WAN link as a Backup or Hot Standby at a time.
    Minimum Active Links	This option is available only when you choose Backup or Hot Standby as Link Mode. Select the number of active links that can be present in the network at a time, from the drop-down list. When the number of current active links that are UP goes below the selected number, then the Backup or the Hot Standby link comes up. The range is 1 to 3, with the default being 1.
    MTU	The Edge performs path MTU discovery and the discovered MTU value is updated in this field. Most wired networks support 1500 Bytes while 4G networks supporting VoLTE typically only allow up to 1358 Bytes. It is not recommended to set the MTU below 1300 Bytes as it may introduce framing overhead. There is no need to set MTU unless path MTU discovery has failed. You can find if the MTU is large from the Remote Diagnostics > List Paths page, as the VCMP tunnels (paths) for the interface never become stable and repeatedly reach an UNUSABLE state with greater than 25% packet loss. As the MTU slowly increases during bandwidth testing on each path, if the configured MTU is greater than the network MTU, all packets greater than the network MTU are dropped, causing severe packet loss on the path. For additional information, see the topic Tunnel Overhead and MTU.
    Overhead Bytes	Enter a value for the Overhead bandwidth in bytes. This is an option to indicate the additional L2 framing overhead that exists in the WAN path. When you configure the Overhead Bytes, the bytes are additionally accounted for by the QoS scheduler for each packet, in addition to the actual packet length. This ensures that the link bandwidth is not oversubscribed due to any upstream L2-framing overhead.
    Path MTU Discovery	Select this check box to enable the discovery of Path MTU. After determining the Overhead bandwidth to be applied, the Edge performs Path MTU Discovery to find the maximum permissible MTU to calculate the effective MTU for customer packets. For additional information, see the topic Tunnel Overhead and MTU.
    Configure Class of Service	Edges can prioritize traffic and provide a 3x3 QoS class matrix over both Internet and Private networks alike. However, some public or private (MPLS) networks include their own quality of service (QoS) classes, each with specific characteristics such as rate guarantees, rate limits, packet loss probability etc. This option allows the Edge to understand the public or private network QoS bandwidth available and policing for the public or private Overlay on a specific interface. Note: Outer DSCP tags must be set in business policy per application/rule and in this feature, each Class of Service line is matching on those DSCP tags set in the business policy. After you select this check box, configure the following: Class of Service: Enter a descriptive name for the class of service. You can reference this name while choosing a WAN link in a Business Policy. See the topic Configure Link Steering Modes. DSCP Tags: Class of service will match on the DSCP tags defined here. DSCP tags are assigned to each application using business policy. Bandwidth: Percentage of interface transmit/upload bandwidth available for this class as determined by the public or private network QoS class bandwidth guaranteed. Policing: This option monitors the bandwidth used by the traffic flow in the class of service and when the traffic exceeds the bandwidth, it rate-limits the traffic. Default Class: If the traffic does not fall under any of the defined classes, the traffic is associated with the default CoS. Note: The Dynamic Bandwidth Adjustment configuration is not supported with public link CoS. For additional information about how to configure CoS, see the topic Configure Class of Service.
    Strict IP precedence	This check box is available when you select the Configure Class of Service check box. When you enable this option, 8 VCMP sub-paths corresponding to the 8 IP precedence bits are created. Use this option when you want to combine the Classes of Service into less number of classes in the network of your Service Provider. By default, this option is deactivated and the VCMP sub-paths are created for the exact number of classes of service that are configured. The grouping is not applied.

    Table 25. Advanced Settings - Options and Descriptions

    Option	Description
    UDP Hole Punching	If a Branch to Branch SD-WAN overlay is required and branch Edges are deployed behind NAT devices, that is NAT device is WAN side of the Edge, the direct VCMP tunnel on UDP/2426 will not likely come up if the NAT devices have not been configured to allow incoming VCMP tunnels on UDP port 2426 from other Edges. Use Branch to Branch VPN to enable branch to branch tunnels. See the topics, Configure a Tunnel Between a Branch and a Branch VPN and Configure Cloud VPN and Tunnel Parameters for Edges. Use Remote Diagnostics > List Paths to check that one Edge has built a tunnel to another Edge. UDP hole punching attempts to work around NAT devices blocking incoming connections. However, this technique is not applicable in all scenarios or with all types of NATs, as NAT operating characteristics are not standardized. Enabling UDP hole punching on an Edge overlay interface, instructs all remote Edges to use the discovered NAT public IP and NAT dynamic source port discovered through Gateway as destination IP and destination port for creating a VCMP tunnel to this Edge overlay interface. Note: Before enabling UDP hole punching, configure the branch NAT device to allow UDP/2426 inbound with port forwarding to the Edge private IP address or put the NAT device, which is usually a router or modem, into bridge mode. Use UDP hole punching only as a last resort as it will not work with firewalls, symmetric NAT devices, 4G/LTE networks due to CGNAT, and most modern NAT devices. UDP hole punching may introduce additional connectivity issues as remote sites try to use the new UDP dynamic port for VCMP tunnels.
    Type	When configuring a business policy for an Edge, you can choose the Link Steering to prefer a Transport Group as: Public Wired, Public Wireless or Private Wired. See the topic Configure Link Steering Modes. Choose Wired or Wireless, to put the overlay into a public wired or wireless transport group.

11. The following image shows Advanced settings for a Public Overlay:

    

    Table 26. Advanced Settings for a Public Overlay - Options and Descriptions

    Option	Description
    Private Network Name	If you have more than one private network and want to differentiate between them to ensure that the Edges try to tunnel only to Edges on the same private network then define a Private Network Name and attach the Overlay to it. This prevents tunneling to Edges on a different private network they cannot reach. In addition, configure the Edges in other locations on this private network to use the same private network name. For example: Edge1 GE1 is attached to private network A. Use private network A for the private overlay attached to GE1. Edge1 GE2 is attached to private network B. Use private network B for the private overlay attached to GE2. Repeat the same attachment and naming for Edge2. When you enable branch to branch or when Edge2 is a hub site: Edge1 GE1 attempts to connect to Edge2 GE1 and not GE2. Edge1 GE2 attempts to connect to Edge2 GE2 and not GE1.
    Configure Static SLA	Forces the overlay to assume that the SLA parameters being set are the actual SLA values for the path. No dynamic measurement of packet loss, latency or jitter will be done on this overlay. The QoE report use these values for its Green/Yellow/Red coloring against thresholds. Note: Static SLA configuration is not supported from release 3.4. It is recommended not to use this option, as dynamic measurement of packet loss, latency and jitter will provide a better outcome.

12. The following image shows Advanced settings for a Private Overlay:

    

13. Select Add Link to save the configuration.

Support for DSCP Value Tag Per User Defined Overlay

With the 5.0.0 release, network administrators will have the ability to add a DSCP tag to a specific overlay link. The DSCP tag would be applied at the outer header of the VCMP packet going over the overlay link, and will leverage the private network underlay DSCP tag to treat each overlay uniquely via the QoS setting defined on the WAN underlay network.

Enable Per link DSCP Check box

Select this check box to add a DSCP tag to a specific overlay link. The DSCP tag will be applied at the outer header of the VCMP packet going over this overlay link. This will provide the ability to leverage the private network underlay DSCP tag mechanism to treat each overlay uniquely via QoS setting defined at the upstream router.

Use Case: DSCP Value Per User Defined Overlay

In this use case, the requirement is to apply the WAN overlay DSCP tag value configured on the WAN link to all traffic egressing from this link, for the tunnel originating Edge. The configured DSCP value should apply to the VCMP outer header so that the MPLS network can read the DSCP value and apply differentiated services to the VCMP encapsulated packet. The inner DSCP tag value, coming from the LAN side of the edge network, should be kept unmodified. Requirements on the tunnel destination side: The hub or peer edge that is receiving the tunnel creation request must respond with the same DSCP overlay tag value sent by the tunnel originator on the VCMP outer header. The hub or peer edge terminating the overlay tunnel should not modify the inner DSCP tag destined for the LAN.

In the image below, the Enterprise is using DSCP values on their underlay network to provide differentiated services based on source WAN overlay link/tunnel.

An Edge with only Private MPLS links can reach the Orchestrator and Gateways located in public cloud, by using the SD-WAN Service Reachable option.

In a site with no direct public internet access, the SD-WAN Service Reachable option allows the private WAN to be used for private site-to-site VCMP tunnels and as a path to communicate with an internet hosted Arista service.

For hybrid environments that have MPLS-only links or require failover to MPLS links, you can enable the SD-WAN Service Reachable option.

CAUTION: You should be careful when you turn on SD-WAN Reachable. This feature means that the Edge can connect to both the Orchestrator and Gateways over that link. But if you use it on a private WAN link that does not have this connection, it can cause two problems:

1. If the Edge is a Hub, and Spoke Edges are using that Hub Edge as the internet breakout, their tunnels to the Gateway may not come up because the Hub Edge may forward those flows back out the private link.
2. An Edge with this incorrect setting may appear offline in the Orchestrator. This is because it may try to use the private link to contact the Orchestrator.

MPLS-only Sites

Arista supports private WAN deployments with a hosted Arista service for customers with hybrid environments who deploy in sites with only a private WAN link.

In a site with no public overlays, the private WAN can be used as the primary means of communication with the Arista service, including the following:

• Enabled SD-WAN service reachability through private link
• Enabled NTP override using private NTP servers

The following image shows a Regional Hub with Internet connection and Edge with only MPLS connection.

The traffic from the Edge with MPLS-only links is routed to the Orchestrator and Gateway through a Regional Hub, which is able to break out to the public cloud. SD-WAN Service Reachable option allows the Edge to remain online and manageable from the Orchestrator, and allows public internet connectivity through the Gateway irrespective of whether or not there is public link connectivity.

Dynamic Failover via MPLS

If all the public Internet links fail, you can failover critical Internet traffic to a private WAN link. The following image illustrates Resiliency of Orchestrator and Non SD-WAN Destination, Zscaler.

• Orchestrator Resiliency – The Orchestrator connects to the Internet. If the Internet fails, the Orchestrator will connect through MPLS. The Orchestrator connection is established using the IP Address which is advertised over MPLS. The connectivity leverages the public Internet link in the Regional Hub.
• Zscaler Resiliency – The Zscaler connectivity is established through Internet. If the public link fails, then Zscaler connects through MPLS.

Configure SD-WAN Service Reachable

1. In the SD-WAN service of the Enterprise portal, select Configure > Edges .
   The Edges page displays the existing Edges.
2. Select the link to an Edge or select the View link in the Device column of the Edge.
   The configuration options for the selected Edge are displayed in the Device tab.
3. In the Connectivity category, expand Interfaces.
4. The different types of Interfaces available for the selected Edge are displayed. Select the link to an Interface connected to the MPLS link.
5. In the Interface window, select the Override check box and from the WAN Link drop-down menu, select User Defined and select Save.

   

   Note: The SD-WAN Service Reachable is available only for a User Defined network.
6. In the WAN Link Configuration section, select the Interface activated with User Defined WAN link. The User Defined WAN Link window appears.

   

7. In the User Defined WAN Link window, select the SD-WAN Service Reachable check box to deploy sites which only have a private WAN link and/or activate the capability to failover critical Internet traffic to a private WAN link.

   When you select the SD-WAN Service Reachable checkbox, a list of public IP addresses of Gateways and Orchestrator is displayed, which may need to be advertised across the private network, if a default route has not been already advertised across the same private network from the firewall.

   When you select the SD-WAN Service Reachable Backup check box, the Private SD-WAN reachable link is used as the backup link for Internet and as an active link for Enterprise destinations, if Public WAN overlays are present. When this option is deactivated, the Private link is used as an active link.

8. Configure other options as required, and then select Update Link to save the settings.

   For additional information on other options in the WAN Overlay window, see Configure Edge WAN Overlay Settings.

1. In the SD-WAN service of the Enterprise portal, select Configure > Edges .
2. Select the link to an Edge or select the View link in the Device column of the Edge.
   The configuration options for the selected Edge are displayed in the Device tab.
3. In the Connectivity category, select and expand Interfaces.
   The Interfaces section displays the different types of Interfaces available for the selected Edge.
4. In the WAN Link Configuration section, select Add User Defined WAN Link.

   

5. In the User Defined WAN Link window, enter the name for the new WAN link and choose the Link Type as required, that is Public or Private.
6. To configure CoS for the new link, scroll down and select View advanced settings.

   

7. Select the Configure Class of Service check box and configure the following settings:
   • Strict IP precedence: Select this check box to enforce strict IP precedence.

     When you enable this option, 8 VCMP sub-paths corresponding to the 8 IP precedence bits are created. Use this option when you want to combine the Classes of Service into less number of classes in the network of your Service Provider.

     By default, this option is deactivated and the VCMP sub-paths are created for the exact number of classes of service that are configured. The grouping is not applied.

   • Class of Service: You an add multiple class of services. Select +Add and enter a descriptive name for the class of service. The name can be a combination of alphanumeric and special characters.
   • DSCP Tags: You can assign multiple DSCP tags to the class of service by selecting DSCP tags from the available list.
     Note: You should map DSCP tags of same IP precedence to the same class of service. A CoS queue can be an aggregate of many classes but DSCP values of same class cannot be part of multiple class queues.

     For example, the following set of DSCP tags cannot be spread across multiple queues:

     • CS1 and AF11 to AF14
     • CS2 and AF21 to AF24
     • CS3 and AF31 to AF34
     • CS4 and AF41 to AF44
   • Bandwidth: Enter a value in percentage for the traffic designated to the CoS. This value allocates a weight to the class. The incoming traffic is processed based on the associated weight. If you have multiple class of services, the total value of the bandwidth should add up to 100.
   • Policing: Select the checkbox to enable the class-based policing. This option monitors the bandwidth used by the traffic flow in the class of service and when the traffic exceeds the bandwidth, it polices the traffic.
   • Default Class: Select to set the corresponding class of service as default. If the incoming traffic does not fall under any of the defined classes, the traffic is associated with the default CoS.
8. Select Add Link to save the settings.
9. Select Save Changes on the Device page.
   Note: You can also define the CoS for an existing link by selecting the existing WAN links and performing the Step 9.

   For additional information on the Edge WAN Overlay Settings, see Configure Edge WAN Overlay Settings.

1. In the SD-WAN service of the Enterprise portal, select Configure > Edges .
   The Edges page displays the existing Edges.
2. Select the link to an Edge or select the View link in the Device column of the Edge.
   The configuration options for the selected Edge are displayed in the Device tab.
3. In the Connectivity category, expand Interfaces.
   The Interfaces section displays the different types of Interfaces available for the selected Edge.
4. In the WAN Link Configuration section, you can configure Hot Standby link mode for existing auto-detected or user-defined WAN links or you can create a new WAN link by selecting the Add User Define WAN Link and configure Hot Standby link mode. For steps on how to add a new user defined WAN link, see Configure Edge WAN Overlay Settings.

   

5. To configure Hot Standby link mode for an existing link, select the existing WAN link and modify the settings.

   

6. In the User Defined WAN Link window, scroll down and select View advanced settings.
7. From the Link Mode drop-down menu, select Hot Standby.
8. From the Minimum Active Links from the drop-down menu, select the number of active links that can be present in the network at a time. When the number of current active links that are UP goes below the selected number, then the Hot Standby link comes up. The range is 1 to 3, with the default value being 1.
9. Configure other options as required and select Update Link to save the settings. For additional information on other options in the WAN Overlay window, see Configure Edge WAN Overlay Settings.

   Once you configure the Hot Standby link, the tunnels are setup, which enables a quick switchover in case of a failure. The Hot Standby link receives no data traffic except the heartbeats, which are sent every 5 seconds.

   When the path from Edge to Primary Gateway on Active links goes down and when the number of Active links that are UP is below the number of Minimum Active Links configured, the Hot Standby link will come up. The traffic is sent through the Hot Standby path.

   When the path to Primary Gateway comes up on Active links and the number of Active links exceeds the number of Minimum Active Links configured, the Hot Standby link goes to the STANDBY mode. The traffic flow switches over to the Active links.

   You can monitor the Hot Standby links in the monitoring dashboard. See Monitor Hot Standby Links.

DHCPv6 Prefix Delegation feature allows packet exchange between a DHCP Client and a DHCP Server. The Edge requests the server to provide prefixes over the WAN interfaces to delegate to clients on the LAN side. The server provides a prefix to the Edge in response. The Edge then configures an IP address on the LAN interface using this delegated prefix. The Edge starts sending out router advertisements with this prefix.

1. In the SD-WAN service of the Enterprise portal, select Configure > Edges . The Edges page displays the existing Edges.
2. Select the link to an Edge or select the View link in the Device column of the Edge. The configuration options for the selected Edge display on the Device tab.
3. DHCPv6 Prefix Delegation can be configured on WAN, LAN, and VLAN interfaces. See the following sections for additional details:
   1. DHCPv6 Prefix Delegation on a WAN Interface
      Note: For a WAN interface, the Enable WAN Link option must be selected.

      1. On the Edge Device settings page, go to the Connectivity category, and then expand Interfaces.
      2. The Interfaces section displays the different types of Interfaces available for the selected Edge. Select the link to a Routed WAN interface.
      3. On the Routed Interface Settings screen, navigate to IPv6 Settings.

         

      4. Activate the DHCPv6 Client Prefix Delegation feature by selecting the Enabled check box.
      5. You can either select a pre-defined tag from the drop-down menu or create a new tag by selecting the New Tag option. You can also define tags on the Network Services screen. For additional information, see Configure Prefix Delegation Tags.
         Note: Each WAN interface must have a unique tag.
      6. Select Save.
   2. DHCPv6 Prefix Delegation on a LAN Interface
      Note: For a LAN interface, do not select the Enable WAN Link option.

      1. On the Edge Device settings page, go to the Connectivity category, and then expand Interfaces.
      2. The Interfaces section displays the different types of Interfaces available for the selected Edge. Select the link to a Routed LAN interface.
      3. On the Routed Interface settings screen, navigate to IPv6 Settings.

         

      4. To configure Prefix Delegation for a LAN interface, you must select the Addressing Type as DHCPv6 Prefix Delegation from the drop-down menu.
      5. The following additional options appear on the screen:

         Table 27. Addressing Type option Descriptions

         Option	Description
         Prefix Length	This field auto-populates. The value displays as 64. This indicates a configuration of a 64 bits netmask for the interface address.
         Interface Address	Enter a valid interface address. The new address is formed by combining the prefix provided by the server and the interface address that is configured. If 'n' bits prefix is received from the server, then the first 'n' bits of the interface address overwrites to form a new address.
         Tag	Select the tag from the drop-down menu to associate the configured interface address with the corresponding WAN interface. Note: The same tag can be used by multiple LAN interfaces.

         Warning: Ensure that the same combination of Interface Address and Tag is not used on any two LAN/VLAN interfaces on the same Edge. This could lead to duplicate addresses getting assigned on those interfaces.
      6. Select Save. For information on the other settings on this screen, see Configure Interface Settings for Edges.
   3. DHCPv6 Prefix Delegation on a VLAN Interface
      1. On the Edge Device settings page, go to the Connectivity category, and then expand VLAN.
      2. Select on a VLAN interface.
      3. In the Edit VLAN dialog, navigate to the IPv6 Settings section.

         

      4. To configure Prefix Delegation for a VLAN interface, you must select the Addressing Type as DHCPv6 Prefix Delegation from the drop-down menu.
      5. Select a tag from the drop-down menu.
      6. Enter a valid interface address.
      7. Select Done.

1. In the SD-WAN service of the Enterprise portal, go to Configure > Network Services , and then under Edge Services area, expand VNFs.

   

2. To configure a new VNF, select + New or + Configure VNF option.
   Note: The Configure VNF option appears only when there are no items in the table.
3. In the Configure VNF window, enter a descriptive name for the security VNF service and select a VNF Type from the drop-down menu.

   

4. Configure the required settings based on the selected VNF Type. For additional information on configuration settings for VNF types, see Configure Edge Services.
5. Select Save Changes.
   The VNFs section displays the created VNF services.

1. In the SD-WAN service of the Enterprise portal, select Configure > Edges .
2. On the Edges page, select either the link to an Edge you want to configure or select the View link in the Device column of the Edge.
   The configuration options for the selected Edge are displayed in the Device tab.
3. In the Device tab, scroll down to the Security VNF section and select + Configure Security VNF.
   The Configure Security VNF window appears.

   

4. In the Configure Security VNF window, select the Deploy check box.
5. Under VM Configuration, configure the following settings:
   1. VLAN – Choose a VLAN, to be used for the VNF management, from the drop-down list.
   2. VM-1 IP – Enter the IP address of the VM and ensure that the IP address is in the subnet range of the chosen VLAN.
   3. VM-1 Hostname – Enter a name for the VM host.
   4. Deployment State – Choose one of the following options:
      • Image Downloaded and Powered On – This option powers up the VM after building the firewall VNF on the Edge. The traffic transits the VNF only when this option is chosen, which requires at least one VLAN or routed interface be configured for VNF insertion.
      • Image Downloaded and Powered Off – This option keeps the VM powered down after building the firewall VNF on the Edge. Do not select this option if you intend to send traffic through the VNF.
6. Under Security VNF, choose a pre-defined VNF management service from the drop-down menu. You can also select + Add to create a new VNF management service. For additional information, see Configure VNF Management Service.
   1. The following image shows an example of Fortinet Firewall as the Security VNF type. If you choose Fortinet Firewall, configure the following additional settings:

      

      • VM Cores – Select the number of cores from the drop-down list. The VM License is based on the VM cores. Ensure that your VM License is compatible with the number of cores selected.
      • Inspection Mode – Choose one of the following modes:
        • Proxy – This option is selected by default. Proxy-based inspection involves buffering traffic and examining the data as a whole for analysis.
        • Flow – Flow-based inspection examines the traffic data as it passes through the FortiGate unit without any buffering.
      • License – Drag and drop the VM License or paste your license content in the text box.
   2. The following image shows an example of Check Point Firewall as the Security VNF type.

      

   3. If you choose Palo Alto Networks Firewall as Security VNF, configure the following additional settings:

      

      • License – Select the VNF License from the drop-down list.
      • Device Group Name – Enter the device group name pre-configured on the Panorama Server.
      • Config Template Name – Enter the configuration template name pre-configured on the Panorama Server.
      Note: If you want to remove the deployment of Palo Alto Networks Firewall configuration from a VNF type, ensure that you have deactivated the VNF License of Palo Alto Networks before removing the configuration.
7. Select Update.
   The configuration details are displayed in the Security VNF section.

   

   If you want to redirect multiple traffic segments to the VNF, define mapping between Segments and service VLANs. See Define Mapping Segments with Service VLANs.

   You can insert the security VNF into both the VLAN as well as routed interface to redirect the traffic from the VLAN or the routed interface to the VNF. See Configure VLAN with VNF Insertion.

1. In the SD-WAN service of the Enterprise portal, select Configure > Edges .
2. In the Edges page, select either the link to an Edge you want to configure or select the View link in the Device column of the Edge.
   The configuration options for the selected Edge are displayed in the Device tab.
3. Scroll down to the High Availability section and from the Select Type options, choose the Active Standby Pair.

   

4. Navigate to the Security VNF section and select + Configure Security VNF.
   The Configure Security VNF window appears.

   

5. In the Configure Security VNF window, select the Deploy check box.
6. Under VM Configuration, configure the following settings:
   1. VLAN – Choose a VLAN, to be used for the VNF management, from the drop-down list.
   2. VM-1 IP – Enter the IP address of the VM and ensure that the IP address is in the subnet range of the chosen VLAN.
   3. VM-1 Hostname – Enter a name for the VM host.
   4. Deployment State – Choose one of the following options:
      • Image Downloaded and Powered On – This option powers up the VM after building the firewall VNF on the Edge. The traffic transits the VNF only when this option is chosen, which requires at least one VLAN or routed interface be configured for VNF insertion.
      • Image Downloaded and Powered Off – This option keeps the VM powered down after building the firewall VNF on the Edge. Do not select this option if you intend to send traffic through the VNF.
7. Under Security VNF, choose a pre-defined Check Point Firewall VNF Management service from the drop-down list. You can also select New VNF Service to create a new VNF management service. For additional information, see Configure VNF Management Service.

   

8. Select Update.
   The Security VNF section displays the configured details for the Check Point Firewall Security VNF.

   Wait till the Edge assumes the Active role and then connect the Standby Edge to the same interface of the Active Edge. The Standby Edge receives all the configuration details, including the VNF settings, from the Active Edge. For additional information on HA configuration, see Activate High Availability.

   When the VNF is down or not responding in the Active Edge, the VNF in the Standby Edge takes over the active role.

   Note: When you want to turn off the HA in an Edge configured with VNF, turn off the VNF first and then turn off the HA.

   If you want to redirect multiple traffic segments to the VNF, define mapping between Segments and service VLANs. See Define Mapping Segments with Service VLANs.

   You can insert the security VNF into both the VLAN as well as routed interface to redirect the traffic from the VLAN or the routed interface to the VNF. See Configure VLAN with VNF Insertion.

1. In the SD-WAN service of the Enterprise portal, select Configure > Segments .
   The Segments page displays the configured segments.
2. Define mapping between the segments and service VLANs by entering an unique Service VLAN ID for each segment.

   

3. Select Save Changes.

   The segment in which the VNF is inserted is assigned with a unique VLAN ID. The Firewall policy on the VNF is defined using these VLAN IDs. The traffic from VLANs and interfaces within these segments is tagged with the VLAN ID allocated for the specified segment.

1. In the SD-WAN service of the Enterprise portal, select Configure > Edges .
2. On the Edges page, select either the link to an Edge you want to configure or select the View link in the Device column of the Edge.
   The configuration options for the selected Edge are displayed in the Device tab.
3. On the Device tab, under Connectivity, expand the VLAN section.

   

4. Select the VLAN to which you want to insert the VNF and select the link under the VLAN column.
5. In the Edit VLAN window, select the VNF Insertion check box to insert the VNF into VLAN. This option redirects traffic from a specific VLAN to the VNF.

   

6. Select Done.
   The VLAN section displays the status of the VNF insertion.

   

   You can also insert the VNF into Layer 3 interfaces or sub-interfaces. This insertion redirects traffic from the Layer 3 interfaces or subinterfaces to the VNF.

   If you choose to use the routed interface, ensure that the trusted source is checked and WAN overlay is turned off on that interface. For additional information, see Configure Interface Settings for Edges.

1. In the SD-WAN service of the Enterprise portal, select Monitor > Edges .
   The list of Edges along with the details of configured VNFs appears as shown below.

   

2. With mouse pointer, hover-over the VNF type (for example CheckPoint) in the VNF column to view additional details of the VNF type.
3. With mouse pointer, hover-over the link in the VNF VM Status column to view VNF Virtual Machine Status for the Edge. Selecting the link in the VNF VM Status column opens the VNF Virtual Machine Status window, where you can view the deployment status for the Edge.
4. For the VNFs configured on Edge with HA, the VNF Virtual Machine Status window consists of an additional column that displays the serial number of the Edges, as shown below.

   

5. To monitor the status of VNFs and VMs:
   1. In the SD-WAN service of the Enterprise portal, select Monitor > Network Services > Edge VNFs .
      The list of Edges along with the details of configured VNFs is displayed.

      

1. In the SD-WAN service of the Enterprise portal, select Service Settings > Alerts & Notifications .
   The Alert Configuration screen appears.

   

2. Under Incidents, select and expand VNF Configuration and turn on the toggle button.

   

3. You can configure to send notification for the following VNF events:
   • VNF VM Event – Receive an alert when there is a change in the Edge VNF virtual machine deployment state.
   • Edge VNF Insertion – Receive an alert when there is a change in the Edge VNF deployment state.
   • Edge VNF Image Download Event – Receive an alert when there is a change in the Edge VNF image download state.
4. Select Save Changes.